12/19/2004: "Run anti spam software at all times or you may get phished"
I have received this interesting email with a Smith Barney/Citi Group logo:
Dear Smith Barney customer,
The technical services of the Smith Barney are carrying out a planned software upgrade.
We earnestly ask you to visit the following link to start the procedure of confirmation of customer's data.
There are a few interesting things about this email:
1. The mail server (83.27.113.233) is in Poland and the phishing web server (195.239.79.166) is in Samara, Russia.
2. The email is written in broken English. The mail server is listed as a spam source by spamhaus.org.
3. The phishing server URL (195.239.79.166) is masked by a JavaScript window that makes it look like the server address is actually https://www.smithbarney.com/cgi-bin/login/confirm.cgi
A traceroute to the phishing server ends in Samara, Russia:
21 651 ms 260 ms 260 ms mks-gw.Samara.gldn.net [195.239.79.166]
22 391 ms 521 ms 370 ms TERMS [195.239.144.10]
Phishing web server (195.239.144.10) info:
inetnum: 195.239.144.0 - 195.239.144.15
netname: JFCSAMARA
descr: Samara JFC Ethernet segment
descr: connected by Sovam Teleport
country: RU
admin-c: SI135-RIPE
tech-c: SI135-RIPE
status: ASSIGNED PA
mnt-by: AS3216-MNT
changed: iga@sovam.com 20030707
source: RIPE
route: 195.239.0.0/16
descr: Sovam Teleport allocated block
origin: AS3216
notify: noc@sovam.com
mnt-by: AS3216-MNT
changed: iga@sovam.com 19971215
source: RIPE
person: Serg Ivanov
address: 24-1-159 , Koroliova str.
address: Russia, Saint-Petersburg
phone: +7 812 1086998
fax-no: +7 812 5425278
e-mail: isatec@jazz.spb.ru
nic-hdl: SI135-RIPE
notify: isatec@jazz.spb.ru
mnt-by: RADIO-MSU-MNT
changed: lavrov@radio-msu.net 19990914
source: RIPE