Phishing with multiple victims

An inquisitive mind will always wonder what is going on in the background. Well, today I was going through my spam folder and opened the first Nationwide Phishing attempt in the pile, which was also the most recent. After I followed the link http://www.nationwideuser.co.uk/redirect.html, it redirected me to another link, http://jaki-dacosta.co.uk/olb2.nationet.com/index.html. (WARNING: PLEASE DO NOT USE THESE LINKS IF YOU ARE NOT SURE OF THEIR INTENT. THERE ARE NO ACTUAL BANK LINKS HERE, THESE ARE MALICIOUS PHISHING WEBPAGES)

 

For someone who is used to Phishing attempts, the first reaction would be to report the whole URL and go on with work as usual. The interesting thing about this webpage is that it is a user’s webpage, http://jaki-dacosta.co.uk, I guess owned by Jaki DaCosta.

 

In order to verify this I conducted a simple DNS query (WHOIS) at www.dnsstuff.com. The results for jaki-dacosta.co.uk:

 

Domain name:
        jaki-dacosta.co.uk
     Registrant:
        Jaki DaCosta
     Registrant type:
        UK Individual
     Registrant's address:
        The registrant is a non-trading individual who has opted to have their
        address omitted from the WHOIS service.
     Registrant's agent:
        Pipex Communications UK Ltd t/a 123-Reg.co.uk [Tag = 123-REG]
        URL: http://www.123-reg.co.uk
     Relevant dates:
        Registered on: 07-Nov-2005
        Renewal date:  07-Nov-2007
 
  
and for nationwideuser.co.uk:
 
Domain name:
        nationwideuser.co.uk
     Registrant:
        Edward Kincaid
     Registrant type:
        Not supplied
     Registrant's address:
        po box 5058
        Douglasville
        Douglasville
        30134
        US
     Registrant's agent:
        Claranet Limited [Tag = CLARANET]
        URL: http://www.clara.net
     Relevant dates:
        Registered on: 28-Jul-2006
        Renewal date:  28-Jul-2008
     Registration status:
        Registration request being processed.
     Name servers:
        ns1.clara.net
        ns2.clara.net

  

The Phishing address was registered recently (i.e. 28-Jul-2006), whereas Jaki DaCosta’s webpage has been registered slightly longer (i.e. 07-Nov-2005).

 

All this analysis is nothing new, and anyone can think of it and do the checks. What I do want to point out is that a victim, if I may categorise her as that, has had her webserver used to host a Phishing website: look at the redirected URL, the Phishing webpage is in a subfolder. If the Phishing filters are put into action by the different vendors in the market, then this webserver will not be accessible to the public, or it will be flagged as a Phishing site, which it might not be.
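The two observations above (registration dates, and a Phishing page sitting in a subfolder named like a bank host) can be turned into a small triage check. This is an added example, not part of the original post; the function names, the 90-day threshold, the page-extension list and the observation date are assumptions.

```python
import re
from datetime import date, datetime
from urllib.parse import urlsplit

# WHOIS excerpts trimmed from the two lookups quoted in this post.
WHOIS_JAKI = """Domain name:
        jaki-dacosta.co.uk
     Relevant dates:
        Registered on: 07-Nov-2005
"""
WHOIS_NATIONWIDEUSER = """Domain name:
        nationwideuser.co.uk
     Relevant dates:
        Registered on: 28-Jul-2006
"""
SEEN = date(2006, 8, 15)  # constructed observation date (assumption, not from the post)

HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
PAGE_EXT = {"html", "htm", "php", "asp", "aspx", "jsp", "cgi"}  # file names, not hosts


def registered_on(whois_text):
    """Return the 'Registered on' date from Nominet-style WHOIS text, or None."""
    m = re.search(r"Registered on:\s*(\d{2}-[A-Za-z]{3}-\d{4})", whois_text)
    return datetime.strptime(m.group(1), "%d-%b-%Y").date() if m else None


def embedded_hostnames(url):
    """Path segments that look like hostnames, e.g. a folder named after a bank host."""
    segs = [s for s in urlsplit(url).path.split("/") if s]
    return [s for s in segs
            if HOSTLIKE.match(s) and s.rsplit(".", 1)[1].lower() not in PAGE_EXT]


def triage(url, whois_text, seen=SEEN, young_days=90):
    """Decide who should receive the report: registrar, or site owner and host."""
    reg = registered_on(whois_text)
    age = (seen - reg).days if reg else None
    hosts = embedded_hostnames(url)
    if age is not None and age < young_days:
        verdict = "recently registered domain: report the domain itself"
    elif hosts:
        verdict = "established site with a subfolder page: notify owner, flag the path only"
    else:
        verdict = "no signal from these two checks"
    return {"host": urlsplit(url).hostname, "age_days": age,
            "embedded": hosts, "verdict": verdict}
```

Flagging only the offending path, rather than the whole host, avoids the side effect described above where a legitimate owner's site becomes unreachable.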

 

An ending note to all this: we keep seeing more and more sophisticated attacks. I believe that just throwing more technological solutions at it will not solve the problem with Phishing; what is required is public awareness.

 

Links used:

 

Jaki DaCosta  http://jaki-dacosta.co.uk

DNS Stuff – www.dnsstuff.com


One Response to Phishing with multiple victims

  1. Anthony says:

    Public awareness is the key factor to most of our current security problems. Have a read through of Kevin Mitnick’s “The Art of Deception” and you can clearly see that no amount of spending on hardware/software solutions will really fix the problems. The key factor is to gear the public and developers to be more security aware. Seeing PHP includes as the 3rd most popular security vulnerability is rather disturbing.
