On Thursday, August 4, 2005, 7:36:11 AM, Bil Cook wrote:
> Have yet to hit a FP on SC2, and that is over almost three weeks now.
On Thursday, August 4, 2005, 5:29:00 AM, Rob McEwen wrote:
> SC2 caught about 150 messages from this corpus. ALL of these caught messages were spam. It did NOT "block" a single ham.
Thanks much for the feedback Bil, Rob and others earlier and off-list.
If the SA folks don't have time to do a corpus check on SC2, then maybe we should go ahead and put SC2 into production. I'd still feel better with a large ham check from them before doing it though.
Jeff C. -- Don't harm innocent bystanders.
In today's spamtrap take, I got a phish targeting eBay that contained a link to the following IP:
66.135.192.124
The link was inside a JavaScript and looked, at first and second glance, like a link to a phish site. As a habit, I do an rDNS on all IPs, however, before listing them. That's fortunate, in this case -- that IP resolves as hp-core.ebay.com. Yes, a genuine eBay IP pointing to a genuine eBay server, one that has nothing to do with the phish, of course.
The actual phish link in this spam was:
http://www.doje.de/bbs/eBayISAPI.dllhdsh6ds65bcgadhgd43as676bsda6gwcv7zfcage...
It appeared well down the spam, after not one, but two, decoy links to the eBay IP above.
By the way, I'm not listing doje.de as a Phish Domain either. It's a Chinese language web site (yes, at a German national domain, probably something for expatriates), and the format of the URL suggests that the phisher exploited an insecure web BBS package. This is one where blocking on the URL is the appropriate approach. <sigh>
Posted because I'm seeing quite a few phishes with this sort of decoy information/links lately. :/ Phishers are clearly trying to poison the blocklisting process. We have to be careful.
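The triage Catherine describes above, written out as an added Python example (not code from the original posting): pull every link out of a message, resolve bare IPs through rDNS before deciding anything, and separate decoy links on the impersonated brand's own infrastructure from the hosts that are actually candidates for listing. The message body and the rDNS table are constructed for the example; the extra "brand-specific path on a non-brand host" flag is my own addition beyond what the post states.

```python
import re
import socket
from urllib.parse import urlparse

# Constructed message body (not the original spam): two decoy links to a genuine
# brand IP buried in JavaScript, then the real phish link much further down.
SAMPLE_BODY = """
<script>var a="http://66.135.192.124/ws/eBayISAPI.dll";
var b="http://66.135.192.124/help/";</script>
<p>Lots of text copied from a legitimate notice ...</p>
<a href="http://www.doje.de/bbs/eBayISAPI.dllhdsh6ds65">Confirm your account</a>
"""

# Constructed rDNS table so the example runs offline; a live check would use
# live_rdns() below. 66.135.192.124 -> hp-core.ebay.com is what the post reports.
FAKE_RDNS = {"66.135.192.124": "hp-core.ebay.com"}
BRAND_DOMAINS = {"ebay.com"}          # infrastructure of the impersonated brand
BRAND_PATH_MARKERS = ("ebayisapi",)   # brand-specific path fragments (assumption)

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def live_rdns(ip):
    """Real reverse lookup (needs network); returns the PTR name or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def in_brand_domain(name):
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in BRAND_DOMAINS)


def triage_links(body, rdns=FAKE_RDNS.get):
    """Split links into decoys (brand-owned hosts) and listing candidates.

    Bare IPs are resolved through rDNS *before* any decision, as the post
    recommends; a non-brand host carrying a brand-specific path is flagged."""
    decoys, candidates = [], []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        name = (rdns(host) or host) if IPV4_RE.fullmatch(host) else host
        if in_brand_domain(name):
            decoys.append((url, name))
        else:
            path = urlparse(url).path.lower()
            lure = any(m in path for m in BRAND_PATH_MARKERS)
            candidates.append((url, host, lure))
    return decoys, candidates
```

Pass `rdns=live_rdns` to run against real PTR records instead of the constructed table.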
I have seen a few like this with many real links and only one very obscure (in both construction AND in location) phish link.
Just this week, I found a Dun & Bradstreet phish, disguised as a D & B SPAM -- they made it look like D&B was spamming customers or potential customers. One's first thought might be "damn spam", and that is a very sneaky psychological trick for those who after a moment's reflection realize that they might actually be interested in the D&B "Product".
For those who follow this mental path (to product interest) the idea of PHISH might well be long gone by this point.
Method: Phish hidden as Spam hiding as "Important business site"
Surely this would cut down on the success ratio IF no one knew about Phish, but as awareness grows this will catch a percentage of people who would NOT normally click on a phish.
Herb Martin, MCT, MCSD, MCSE, MVP HerbM@LearnQuick.Com http://LearnQuick.Com 512 388 7339 -or- 1 800 MCSE PRO Accelerated MCSE in a Week Seminars
On Friday, August 5, 2005, 7:46:08 PM, Herb Martin wrote:
> For those who follow this mental path (to product interest) the idea of PHISH might well be long gone by this point.
> Method: Phish hidden as Spam hiding as "Important business site"
Definitely an interesting tactic to imitate D & B.
Jeff C. -- Don't harm innocent bystanders.
> Definitely an interesting tactic to imitate D & B.
I agree, which was what stood out about the sneakiness.
Basic pitch (with possible user reactions in parens):
Mail from D&B (Oh, that could be important to my business)
Recent activity on your credit rating (Oh my, is this for real? That's scary) (Wait a minute -- I haven't done any 'credit' stuff -- this could be a PHISH or FRAUD!)
We at D&B want to sell you a service to watch over this... (Oh, it's really D&B and they are trying to SELL me something.)
The phish possibility is likely forgotten; Final reactions:
(Complaint to D&B about spam; delete; or investigate the purchase.)
Only in the latter case does the phish get a shot, but that jiu-jitsu (or close-up magician's trick of misdirection) is very powerful psychologically.
-- Herb Martin
On Friday, August 5, 2005, 12:25:25 PM, Catherine Hampton wrote:
> In today's spamtrap take, I got a phish targeting eBay that contained a link to the following IP:
> 66.135.192.124
> The actual phish link in this spam was:
> http://www.doje.de/bbs/eBayISAPI.dllhdsh6ds65bcgadhgd43as676bsda6gwcv7zfcage...
> It appeared well down the spam, after not one, but two, decoy links to the eBay IP above.
A good cautionary tale to be careful about analyzing these.
Pretty sneaky of the phishers to have plausible looking decoys like that. Or maybe the legitimate ebay message they copied had phishy looking links originally.
Jeff C. -- Don't harm innocent bystanders.