Comments on: The case of the mysterious hostname http://www.phishtank.com/blog/2007/02/09/the-case-of-the-mysterious-hostname/ A blog about and from PhishTank, a collaborative clearinghouse for data about phishing. Thu, 21 Aug 2008 06:41:34 +0000 http://wordpress.org/?v=2.0.4 by: Martin Cleaver http://www.phishtank.com/blog/2007/02/09/the-case-of-the-mysterious-hostname/#comment-15955 Sat, 14 Apr 2007 19:42:47 +0000 http://www.phishtank.com/blog/2007/02/09/the-case-of-the-mysterious-hostname/#comment-15955 It's clear that following IP addresses (hex or otherwise) should be an option in the browser. In general, only developers need to use this. System admins might want to allow a couple of variations. What is for sure is that for the general population, if they've ended up on an IP address there is something weird going on. Let's make the browser check with the user that they really want to address by IP. It’s clear that following IP addresses (hex or otherwise) should be an option in the browser. In general, only developers need to use this. System admins might want to allow a couple of variations.

What is for sure is that for the general population, if they’ve ended up on an IP address there is something weird going on.

Let’s make the browser check with the user that they really want to address by IP.

]]> by: John Nagle http://www.phishtank.com/blog/2007/02/09/the-case-of-the-mysterious-hostname/#comment-9274 Tue, 06 Mar 2007 07:22:37 +0000 http://www.phishtank.com/blog/2007/02/09/the-case-of-the-mysterious-hostname/#comment-9274 There's a related problem. What's a URL for PhishTank purposes? I've been trying a few things. Suppose "www.example.com/bogus.html" is in the PhishTank database. What related URLs will bring up that entry? "www.example.com" won't. "www.example.com/bogus2.html" won't. "www.example.com/bogus2.html?dummy="123456" won't. Try it; pick some URL for a verified phish and make minor mods to it. This suggests that phishers who use a different URL in every e-mail can escape PhishTank. Some thought has to be given to "what's a URL?". This is non-trivial. It's tempting to blacklist the whole domain, but for some domains (hosting sites, mostly) that has too much collateral damage. Ideas? There’s a related problem. What’s a URL for PhishTank purposes? I’ve
been trying a few things.

Suppose “www.example.com/bogus.html” is in the PhishTank database. What related URLs will bring up that entry?

“www.example.com” won’t.
“www.example.com/bogus2.html” won’t.
“www.example.com/bogus2.html?dummy=”123456″ won’t.

Try it; pick some URL for a verified phish and make minor mods to it.
This suggests that phishers who use a different URL in every e-mail can escape PhishTank.

Some thought has to be given to “what’s a URL?”. This is non-trivial. It’s tempting to blacklist the whole domain, but for some domains (hosting sites, mostly) that has too much collateral damage.

Ideas?

]]> by: k8jsl http://www.phishtank.com/blog/2007/02/09/the-case-of-the-mysterious-hostname/#comment-8010 Mon, 26 Feb 2007 10:26:59 +0000 http://www.phishtank.com/blog/2007/02/09/the-case-of-the-mysterious-hostname/#comment-8010 Another very useful tool is on this site http://www.dnsstuff.com/, scroll down to the URL DEOBFUSCATOR, works like a charm, and better yet no math involved Another very useful tool is on this site http://www.dnsstuff.com/, scroll down to the URL DEOBFUSCATOR, works like a charm, and better yet no math involved

]]> by: Sockeye http://www.phishtank.com/blog/2007/02/09/the-case-of-the-mysterious-hostname/#comment-7376 Wed, 21 Feb 2007 23:56:32 +0000 http://www.phishtank.com/blog/2007/02/09/the-case-of-the-mysterious-hostname/#comment-7376 I was initially excited about this site (phishtank.com) but now realize it is a waste of time to post phishes here. If you are like us and only post a few a day, they will all get lost in the 100's of phishes posted (it seems constantly) by users like "funchords", and never get verified. Good concept...bad planning. GB. I was initially excited about this site (phishtank.com) but now realize it is a waste of time to post phishes here.

If you are like us and only post a few a day, they will all get lost in the 100’s of phishes posted (it seems constantly) by users like “funchords”, and never get verified.

Good concept…bad planning.

GB.

]]> by: moike http://www.phishtank.com/blog/2007/02/09/the-case-of-the-mysterious-hostname/#comment-6202 Fri, 16 Feb 2007 01:51:27 +0000 http://www.phishtank.com/blog/2007/02/09/the-case-of-the-mysterious-hostname/#comment-6202 The shortcut? ping {obfuscated IP address} converts it to normal dotted decimal. The shortcut? ping {obfuscated IP address}
converts it to normal dotted decimal.

]]> by: volXPunk http://www.phishtank.com/blog/2007/02/09/the-case-of-the-mysterious-hostname/#comment-5190 Sat, 10 Feb 2007 13:33:12 +0000 http://www.phishtank.com/blog/2007/02/09/the-case-of-the-mysterious-hostname/#comment-5190 "...and others who aren’t as smart as you!" Wow Ich glaub der Rüffel ging auch an mich. Das ist mehr Mathe als ich mir jemals traeumen liess, aber es funktioniert echt, wenigstens um die Community glauben zu machen eine legitime Seite sei ein Phish. Hier stehen viele legitime Seiten zur Abstimmung und einige sind schwer zu erkennen: http://www.phishtank.com/phish_detail.php?phish_id=98035 ( man beachte den user phishtank ) http://www.phishtank.com/phish_detail.php?phish_id=97332 http://www.phishtank.com/phish_detail.php?phish_id=95658 http://www.phishtank.com/phish_detail.php?phish_id=95646 Nur wenn das schwierig war, was werden wir machen wenn die Phisher es noch schwieriger machen z.B. wenn eine URL nicht mehr nur zu einem Server aufloest? I believe i was snubbed here too. This is more math than i've ever dreamed of, but it really works, at least to make the community believe a legit site is a phish. Here are a lot of legit sites to vote on and some are difficult to recognize, but if these were difficult what are we gonna do if the phishers make it even more difficult i.e. if one URL resolves to not only one server? http://www.phishtank.com/phish_detail.php?phish_id=99141 pclinux@terra:~$ host isaacxcapitallxz.us isaacxcapitallxz.us has address 68.142.212.138 isaacxcapitallxz.us has address 68.142.212.139 isaacxcapitallxz.us has address 68.142.212.140 isaacxcapitallxz.us has address 68.142.212.141 isaacxcapitallxz.us has address 68.142.212.117 isaacxcapitallxz.us has address 68.142.212.118 isaacxcapitallxz.us mail is handled by 20 mx1.biz.mail.yahoo.com. isaacxcapitallxz.us mail is handled by 30 mx5.biz.mail.yahoo.com. Nixusers have a clear advantage. I always told myself, i quit, the day the phish is moved to the botnets, but now i feel this game is more exciting than any i have ever played before; including "upl***". Hmm. We don't want any Ads here, do we? :-) “…and others who aren’t as smart as you!”

Wow

Ich glaub der Rüffel ging auch an mich. Das ist mehr Mathe als ich mir jemals traeumen liess, aber es funktioniert echt, wenigstens um die Community glauben zu machen eine legitime Seite sei ein Phish. Hier stehen viele legitime Seiten
zur Abstimmung und einige sind schwer zu erkennen:

http://www.phishtank.com/phish_detail.php?phish_id=98035 ( man beachte den user phishtank )
http://www.phishtank.com/phish_detail.php?phish_id=97332
http://www.phishtank.com/phish_detail.php?phish_id=95658
http://www.phishtank.com/phish_detail.php?phish_id=95646

Nur wenn das schwierig war, was werden wir machen wenn die Phisher es noch schwieriger machen z.B. wenn eine URL nicht
mehr nur zu einem Server aufloest?

I believe i was snubbed here too. This is more math than i’ve ever dreamed of, but it really works, at least to make the community believe a legit site is a phish. Here are a lot of legit sites to vote on and some are difficult to recognize,
but if these were difficult what are we gonna do if the phishers make it even more difficult i.e. if one URL resolves to
not only one server?

http://www.phishtank.com/phish_detail.php?phish_id=99141

pclinux@terra:~$ host isaacxcapitallxz.us
isaacxcapitallxz.us has address 68.142.212.138
isaacxcapitallxz.us has address 68.142.212.139
isaacxcapitallxz.us has address 68.142.212.140
isaacxcapitallxz.us has address 68.142.212.141
isaacxcapitallxz.us has address 68.142.212.117
isaacxcapitallxz.us has address 68.142.212.118
isaacxcapitallxz.us mail is handled by 20 mx1.biz.mail.yahoo.com.
isaacxcapitallxz.us mail is handled by 30 mx5.biz.mail.yahoo.com.

Nixusers have a clear advantage. I always told myself, i quit, the day the phish is moved to the botnets, but now i feel
this game is more exciting than any i have ever played before; including “upl***”. Hmm. We don’t want any Ads here,
do we? :-)

]]> by: funchords http://www.phishtank.com/blog/2007/02/09/the-case-of-the-mysterious-hostname/#comment-5137 Sat, 10 Feb 2007 07:10:34 +0000 http://www.phishtank.com/blog/2007/02/09/the-case-of-the-mysterious-hostname/#comment-5137 I don't cater for the virtual hosts (although some of them can be addressed by IP while using ~accountname in the path part of a URL). I'm not suggesting this as a solution to any problem, other than understanding that all of these different-looking examples are simply IP addresses. Not so funny story, though, about virtual hosts. A shared-server webhost was the unfortunate recipient of Phish Site, right off the root directory of the webserver. The phishing site was http://(ip address withheld)/cgi_bin/webscr/update.php. I sent the admin a note, telling him of the site. The response: Unfortunitely there is nothing we can do with the information provided and since there is 200+ domains hosted on that specific server it would take us days to identify the site. If you are able to find a domain name for the site please send us back an email and it will be taken care of ASAP. Regards, (Host) Support sales@(Host) OH SURE! We'll just sit by and let people get ripped off because you don't know how to control your server. I suggested that he call someone with a clue, or unplug it, but that leaving it online was unacceptable. I don’t cater for the virtual hosts (although some of them can be addressed by IP while using ~accountname in the path part of a URL). I’m not suggesting this as a solution to any problem, other than understanding that all of these different-looking examples are simply IP addresses.

Not so funny story, though, about virtual hosts.

A shared-server webhost was the unfortunate recipient of Phish Site, right off the root directory of the webserver. The phishing site was http://(ip address withheld)/cgi_bin/webscr/update.php. I sent the admin a note, telling him of the site.

The response:
Unfortunitely there is nothing we can do with the information provided
and since there is 200+ domains hosted on that specific server it
would take us days to identify the site.

If you are able to find a domain name for the site please send us back
an email and it will be taken care of ASAP.

Regards,
(Host) Support
sales@(Host)

OH SURE! We’ll just sit by and let people get ripped off because you don’t know how to control your server. I suggested that he call someone with a clue, or unplug it, but that leaving it online was unacceptable.

]]> by: DougieLawson http://www.phishtank.com/blog/2007/02/09/the-case-of-the-mysterious-hostname/#comment-5040 Fri, 09 Feb 2007 21:23:38 +0000 http://www.phishtank.com/blog/2007/02/09/the-case-of-the-mysterious-hostname/#comment-5040 How do you cater for the virtual hosts? See http://httpd.apache.org/docs/2.0/vhosts/ If you visit my server http://194.105.mmm.nn, http://194-105-mmm-nn.myisp.co.xx or you visit http://www.swiftys.foo.xx you'll arrive on the SuSE 9.3 Linux box that runs under the desk in the office behind my garage. What you won't get is the same content. That's because my Apache server has more than one virtual host defined in the httpd.conf file. In the case of your examples 1. http://66.135.40.79/ 2. http://1116153935/ 3. http://0x42.0207.10319/ 4. http://0102.8857679/ 5. http://66.8857679/ http://www.phishtank.com doesn't use that feature so you arrive at the same page. The same may not be true of the site you arrive on from a link in a phishing email. As with most scams, security exposures, id theft and internet fraud once we develop a technique to combat the scammer/phisher/fraudster they will change their methods to utilise the latest "new" gizmo. For example, look how much spam email, currently, has embedded GIF graphics. The spam then morphed into animated GIF graphics with a random first frame. [Note: if you want to send an image to me use JPG or PNG else you'll be filtered.] How do you cater for the virtual hosts? See http://httpd.apache.org/docs/2.0/vhosts/

If you visit my server http://194.105.mmm.nn, http://194-105-mmm-nn.myisp.co.xx or you visit http://www.swiftys.foo.xx you’ll arrive on the SuSE 9.3 Linux box that runs under the desk in the office behind my garage. What you won’t get is the same content.

That’s because my Apache server has more than one virtual host defined in the httpd.conf file.

In the case of your examples
1. http://66.135.40.79/
2. http://1116153935/
3. http://0×42.0207.10319/
4. http://0102.8857679/
5. http://66.8857679/

http://www.phishtank.com doesn’t use that feature so you arrive at the same page. The same may not be true of the site you arrive on from a link in a phishing email.

As with most scams, security exposures, id theft and internet fraud once we develop a technique to combat the scammer/phisher/fraudster they will change their methods to utilise the latest “new” gizmo. For example, look how much spam email, currently, has embedded GIF graphics. The spam then morphed into animated GIF graphics with a random first frame. [Note: if you want to send an image to me use JPG or PNG else you’ll be filtered.]

]]>