On Friday, August 5, 2005, 12:25:25 PM, Catherine Hampton wrote:
In today's spamtrap take, I got a phish targeting eBay that contained a link to the following IP:
66.135.192.124
The link was inside a JavaScript and looked, at first and second glance, like a link to a phish site. As a habit, I do an rDNS on all IPs, however, before listing them. That's fortunate, in this case -- that IP resolves as hp-core.ebay.com. Yes, a genuine eBay IP pointing to a genuine eBay server, one that has nothing to do with the phish, of course.
The actual phish link in this spam was:
http://www.doje.de/bbs/eBayISAPI.dllhdsh6ds65bcgadhgd43as676bsda6gwcv7zfcage...
It appeared well down the spam, after not one, but two, decoy links to the eBay IP above.
By the way, I'm not listing doje.de as a Phish Domain either. It's a Chinese language web site (yes, at a German national domain, probably something for expatriates), and the format of the URL suggests that the phisher exploited an insecure web BBS package. This is one where blocking on the URL is the appropriate approach. <sigh>
Posted because I'm seeing quite a few phishes with this sort of decoy information/links lately. :/ Phishers are clearly trying to poison the blocklisting process. We have to be careful.
A good cautionary tale to be careful about analyzing these.
Pretty sneaky of the phishers to have plausible-looking decoys like that. Or maybe the legitimate eBay message they copied had phishy-looking links originally.
Jeff C. -- Don't harm innocent bystanders.
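The triage habit Catherine describes, pulling every link out of the message (including ones assembled inside JavaScript), doing rDNS on IP-literal links and refusing to list an IP that turns out to belong to the impersonated brand, written out as a script. This is an added example, not code from the thread or from anyone on the list. The sample message body, the DNS answers, the placeholder query token and the choice of `.ebay.com` as the brand suffix are all constructed for the example; only the IP, its PTR name and the doje.de host come from the post. It also adds one check the post does not mention: the PTR name is resolved forward again (forward-confirmed rDNS), so a phisher who controls the reverse zone for his own netblock cannot make a phish host look like the brand's.

```python
"""Triage links from a phishing e-mail before blocklisting (added example).

Lookups go through injected resolver callables so the script runs offline
against constructed data; swap in the socket-based resolvers for real use.
"""
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit

PtrResolver = Callable[[str], Optional[str]]   # ip -> PTR name, or None
FwdResolver = Callable[[str], List[str]]       # name -> list of IPs

# Constructed sample body modelled on the phish described in the thread: two
# decoy links to a genuine eBay IP (one inside JavaScript), then the real phish
# link on a compromised BBS. CONSTRUCTED_TOKEN is a placeholder, not the real one.
SAMPLE_PHISH = """\
<html><body>
<script type="text/javascript">
  var signin = "http://66.135.192.124/signin";
  document.write('<a href="' + signin + '">Sign in</a>');
</script>
<p>Dear member, <a href="http://66.135.192.124/help">see our help pages</a>.</p>
<p>Please confirm your details:
<a href="http://www.doje.de/bbs/eBayISAPI.dll?CONSTRUCTED_TOKEN">Update now</a></p>
</body></html>
"""

# Constructed DNS answers; the PTR value is the one reported in the thread.
CONSTRUCTED_PTR: Dict[str, str] = {"66.135.192.124": "hp-core.ebay.com"}
CONSTRUCTED_FWD: Dict[str, List[str]] = {"hp-core.ebay.com": ["66.135.192.124"]}


def offline_ptr(ip: str) -> Optional[str]:
    return CONSTRUCTED_PTR.get(ip)


def offline_fwd(name: str) -> List[str]:
    return CONSTRUCTED_FWD.get(name, [])


def socket_ptr(ip: str) -> Optional[str]:
    """Real reverse lookup (needs network); None when there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def socket_fwd(name: str) -> List[str]:
    """Real forward lookup (needs network)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except OSError:
        return []


URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def extract_urls(body: str) -> List[str]:
    """Every http(s) URL in the raw body, in order, without duplicates.
    Scanning the raw text rather than only href attributes is what picks up
    links assembled inside <script> blocks."""
    return list(dict.fromkeys(URL_RE.findall(body)))


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(body: str, brand_suffixes: tuple, ptr: PtrResolver, fwd: FwdResolver) -> List[dict]:
    """Classify each link. 'decoy' = IP literal whose PTR name lies inside one of
    the impersonated brand's domains AND resolves forward back to that IP; those
    must not be listed. Everything else is a 'candidate' for manual review."""
    out = []
    for url in extract_urls(body):
        host = host_of(url)
        rec = {"url": url, "host": host, "ptr": None, "verdict": "candidate"}
        if is_ip_literal(host):
            name = ptr(host)
            rec["ptr"] = name
            if name and name.lower().endswith(brand_suffixes) and host in fwd(name):
                rec["verdict"] = "decoy"
        out.append(rec)
    return out


def block_entries(records: List[dict]) -> List[str]:
    """What to list: the full URL of each candidate, never a bare host, which is
    the right granularity when the path points at a compromised script on an
    otherwise legitimate domain."""
    return [r["url"] for r in records if r["verdict"] == "candidate"]


if __name__ == "__main__":
    recs = triage(SAMPLE_PHISH, (".ebay.com",), offline_ptr, offline_fwd)
    for r in recs:
        print(f"{r['verdict']:9} {r['url']}  (ptr={r['ptr']})")
    print("block:", block_entries(recs))
```

The forward confirmation matters because whoever holds the reverse zone for an address block sets its PTR records; a bare PTR of "something.ebay.com" proves nothing unless ebay.com's own forward zone answers with the same address. Anything still marked candidate after this pass is what a human looks at, and it goes out as a full URL, not as the domain.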