Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

From the mailbag -

Published: 2005-02-20
Last Updated: 2005-02-21 00:31:10 UTC
by Patrick Nolan (Version: 1)
0 comment(s)
There was a "trend" report from reader Eduardo Cruz (Thanks Eduardo!) the other day responding to the "Phishing Name Server" Diary entry (link below) that Johannes wrote. Eduardo's report describes a narrowing phishing "attack window" (in his e-mail next I added the bold emphasis) ......

"Hi there, Glad finally someone found more information about this issue. Im a security consultant from a Spanish security services (S21sec company, here in Spain we suffer in a weekly basis phishing attacks to a quite variety of our bank customers.

The attacks seem to be coordinated in such kind of an automatic procedure, a
server is hacked in order to store the fake pages requesting for pin and
codes, some doomed "0wned" PCs are used to send massive emails impersonating the attacked Bank entity only embedding a clickable image in the email so text filters are avoided. They only open the attack window for a few hours then proceeding to a total removal of the infrastructures used for the attack.

Yesterday (as usual) we got another attack to a bank called "Banesto", they
have used a machine in the same network u guys are reporting that malicious
DNS server is at, the machine was, we have scanned the machine
and there are lots of services, it is probably re-"0wned" by attackers, the
attack was performed using a dedicated web server installed at the port 5080
(using SHS web server, a tiny Russian freely downloadable web server for

I have attached an image capture of the phishing page done this morning
allocated in the web server, they posted the information to a php script
called send.php and then performing a redirect to the real page of the bank.

As i mentioned early, this it is now a normal situation for us here in Spain since we get phishing attacks done in the same exact way in a weekly basis (sometimes three times to three different bank entities in a week for
example like last week).

Thanks for the attention and for the superb service u guys do for the community.

Eduardo Cruz."

"phish or cut bait"

So how does one minimize the effect of the ever expanding number of regional targets of phishing scams utilizing such a narrow window of attack? You can phish... Some defen$ive effort$, particularly the recently announced Phi$h Report Network, that do not detail how they react to, validate and shutdown phishing attack systems that have a window of a few hours, could take a step & tell potential "Senders" and potential customers what the SLA _is_ for it's $15,000 service. I'm a firm believer in customer education about phishing ( ; ^ ) ... or you can cut bait. Absent having resources allocated to adopt available solutions that protect both customers and businesses from phishing losses, consider vertically integrating phishing attack Incident Response in your SLA's, including procedures and follow-up procedures, and have in-house policy, procedures, follow-up procedures and job descriptions that don't fall short of what is needed here. And practice makes perfect, or as perfect as you can get in times like this.

Related and Recent Handlers items;

Phishing Name server

Steps to Beat Phishing

6 Simple Steps to Beat Phishing.

"fish or cut bait" - an american colloquialism;

Chris Brenton, discussing defending websites, said it best, blackhole the offending domains.


Examining e-mail and malware that explicitly point to systems participating in phishing and malware related Internet attacks, then publishing the information publically and _NOT_ actively and explicitly assisting in taking those publically identified systems down is a troubling practice. If you're a vendor or service provider already explicitly trying to shut down attacking systems please post us a note letting us know POC (point of contact in this context) info and what you're following up on, or consider the benefit of posting the information on your website along with your "public" analysis. And for those vendors who participate in taking attacking systems down but haven't published the information yet, Thanks for your efforts!

Nullsoft SHOUTcast v1.9.4 has had Linux and Win32 format string Remote Exploits released.

Patrick Nolan

Assist Thanks! to Daniel Weseman, Michael Haisley, Tony Carothers, and the folks that made anonymous contributions.
0 comment(s)
Diary Archives