RE: [DNS] NOT DNS Similar scam!

RE: [DNS] NOT DNS Similar scam!

From: Andrew Duck <news§news.echo-host.net>
Date: Tue, 18 Mar 2003 19:02:29 +1100
John,

You must first be able to prove they are a scam. Usually people will
contact you regarding such issues if they believe something is out of
place, such as the CBA issue last night. I received a contact from a
client almost immediately saying that he/she believed there was
something amiss with the email she had received. Upon forwarding myself
the headers I was able to use the excellent whois tools provided by
APNIC, ARIN and RIPE to determine where the user was connecting from or
through. 

This is always a good start, especially in the case of emails, because
you can usually have them blocked much quicker if you can find where
they are originating for. Of course this doesn't cover those who know
how to spoof believable message headers, but that is a topic for another
discussion sometime.

With the case of the internet webpages being completely scammed, as has
happened at least 3 times in the past 96 hours that I am aware of it is
again very useful to find out who owns the ip block. Once you get
contact details for the block owner you could directly call the NOC
involved and have the server shutdown. But it would be handy if you
could provide them some solid proof as to why you are requesting to have
an account or entire server shutdown.

The page thefts are getting much more realistic and with the case of the
IP, every link besides the login form all pointed to the correct
information back on the CBA web servers (this included all <IMG> tags on
the site). Usually the easiest way in this case to determine a
fraudulent interface is a different action in the <FORM> tag. In the
case of the CBA the supposed "login" script was even coded in a
different language to the authentic interface. In some cases this may
not apply... Use your common sense. 

Once you believe that you have enough information to prove that the site
is aiding fraudulent activity then the best course of action is to
contact the Network Operations Centre and present your information to
them. This will usually see them comply extremely quickly with your
request to ensure that they are not liable for any continued use of the
fraudulent interface.

This should be as far as you need to go in relation to stopping the act.
Dependant on your position and what it is you are trying to stop.

Next you must alert the appropriate authorities to the actions that have
occurred (some believe this should be done before you attempt to have
the machine brought down, in case they are able to catch the offender in
the act... However, this should be decided on a case by case basis, and
if red handed is worth 1000 more credit card numbers being stolen and
published on the internet... I will leave you to decide that one on
yourself). Depending on the act and the countries which have been
affected you could contact any of the following..

FBI
CERT (AusCERT in Australia... Dependant on the actions)
Federal Police
NOCs (Datacentres) involved in hosting the fraud
... And the business which has had its interface scammed.. They like to
know these things  :)

-----

Watching the responses made by businesses lately in regards to these
issues I do believe they are too slow alerting their clients to the
"attack" which is in progress. It is going to be better in 99% of
clients eyes that they know not to login to anything related to the
company for a little while than having to ring them up in 3 days when
they find out someone in Brazil just maxed out their credit card.
Consumer awareness needs to be heightened in regards to these types of
fraud.

Well there is a brief kind of outline... Don't know if you agree with it
or not. Happy to discuss alternative methods. If you have any further
questions don't hesitate to ask.

Regards,

Andrew.


-----Original Message-----
From: John Thomson [mailto:john&#167;hep10.com] 
Sent: Tuesday, 18 March 2003 6:28 PM
To: dns&#167;lists.auda.org.au
Subject: RE: [DNS] NOT DNS Similar scam!


Hi Andrew

I am quite happy to help out shutting down these types of scams but have
no
idea to go about doing it. Can you please provide a basic outline to
help
the challenged like myself take action against the unscrupulous? That
way
others on the list can help direct positive pressure against the people
running these scams.

Thanks

John
www.hep10.com


-----Original Message-----
From: Andrew Duck [mailto:news&#167;news.echo-host.net]
Sent: Tuesday, 18 March 2003 4:01 PM
To: dns&#167;lists.auda.org.au
Subject: RE: [DNS] NOT DNS Similar scam! RE: [DNS] RE: Is this from
Melbourne IT or just a scam?


You are correct David. I have dealt with three of these within 96 hours.
I ended up giving up on the CBA and made the calls myself to have the
server shutdown which was serving the fake CBA pages. Luckily that email
started fairly late last night so it was possible to get it shutdown
before a majority of people read the message.

I dealt with one regarding AOL the day before yesterday. It was somewhat
quicker to disable, however the appropriate Computer Crimes and Abuse
agencies were still contacted.

I notice that the Melbourne IT scam does not seem to have been shutdown?
Why is there such a delay in response? I am happy to go the extra steps
and have this scam shutdown if no one else has the time...

Regards,

Andrew.

-----Original Message-----
From: David Uzzell [mailto:support&#167;saintspc.com.au]
Sent: Tuesday, 18 March 2003 4:47 PM
To: dns&#167;lists.auda.org.au
Subject: [DNS] NOT DNS Similar scam! RE: [DNS] RE: Is this from
Melbourne IT or just a scam?


Just thought I would let everyone know last night/today must have been
the day for it!

Got an email from admins&#167;commenwealthbank.com today about new security
features etc.

The links and login screen look exactly the same and the actual Netbank
login screen.

I wonder how many people gave away there details??

These are everywere and into everything.

Regards
David Uzzell
Technical Sales Consultant
Saints PC Pty Ltd T/as Diversified Data
Ph 1300 36 55 70 or (02) 9533 7388
Fax (02) 8211 5112
Mobile 0427 36 55 70
www.diversified.com.au
************************************************************************

Confidentiality Note: This e-mail is sent to and intended for use by the
named addressees only.  It contains confidential information. If you
receive this e-mail in error, please telephone  Saints PC Pty Ltd T/as
Diversified Data on +612 9533 7388, and then delete this message
immediately. Further, you should not re-transmit, copy, store, or reveal
the contents of this message to any third party.

************************************************************************


-----Original Message-----
From: dns-return-3654-support=saintspc.com.au&#167;lists.auda.org.au
[mailto:dns-return-3654-support=saintspc.com.au&#167;lists.auda.org.au] On
Behalf Of Bruce Tonkin
Sent: Tuesday, 18 March 2003 4:17 PM
To: dns&#167;lists.auda.org.au
Subject: RE: [DNS] RE: Is this from Melbourne IT or just a scam?

Hello All,

Just confirming what most have already worked out - it is a scam.

Internet fraud is a growing problem internationally.  Unfortunately well
known companies tend to attract the scammers.  We have taken action
against such activities in the past, and of course we are taking action
against this latest problem.

Melbourne IT has been made aware since this morning that unsolicited
notices are being sent from the email address noreply&#167;melbourneit.com.au
to
registrants in which the entity sending the notices:

1. Claims to be Melbourne IT

2. Claims that the registrant's domain name is due for renewal; and

3. Asks the registrant to access the online facility and make payment to
renew the domain name at, for example,
http://www.melbourneit.com.au:renew.cgi&#167;80.47.222.225?XXXXX.COM (Note
that the URL appears to be changing).

The entity sending these notices has no association with Melbourne IT.
The notices appear to be intended to mislead and deceive the registrants
in order to obtain their credit card details.

Melbourne IT is pursuing this matter down a number of avenues to try to
ensure that the online facility is rendered inoperable. Melbourne IT has
also reported the matter to the relevant police authorities.

Melbourne IT has put up a consumer alert located at
http://www.melbourneit.com.au/renewalpayments.html.

Regards,
Bruce Tonkin

(currently at the IETF meeting in San Franciso taking advantage of the
excellent wireless network!)





>
>
> -----Original Message-----
> From: Melbourne IT [mailto:noreply&#167;melbourneit.com.au]
> Sent: Monday, 17 March 2003 2:51 PM
> To: XXXXXXXXXXXXXXXXXXXX
> Subject: Renewal Notice (ABBOTSFORDCO.COM)
>
> Dear Customer,
>
> PLEASE NOTE: You may have registered your domain name through a
> Melbourne IT partner such as Yahoo!, MSN or your other Internet
> Service Provider.
> However payment for renewals must be made directly to Melbourne IT.
>
> Your domain name ABBOTSFORDCO.COM is due for renewal.
>
> If you renew your domain for more than one year you save. $35/year for

> 1 year $30/year for 2+ years
>
> Please submit your payment online at:
>
> http://www.melbourneit.com.au:renew.cgi&#167;80.47.222.225?ABBOTSFORDCO.COM
>
> Please note that if you fail to renew your domain promptly it is
> subject
>
> to deletion and will become inactive.
>
> Renewal Department
> Melbourne IT
>
>
>
> ------------------------------------------------------------------
> ---------
> List policy, unsubscribing and archives =>
http://www.auda.org.au/list/dns/
Please do not retransmit articles on this list without permission of the
author, further information at the above URL.  (373 subscribers.)





------------------------------------------------------------------------
---
List policy, unsubscribing and archives =>
http://www.auda.org.au/list/dns/
Please do not retransmit articles on this list without permission of the

author, further information at the above URL.  (373 subscribers.)




------------------------------------------------------------------------
---
List policy, unsubscribing and archives =>
http://www.auda.org.au/list/dns/
Please do not retransmit articles on this list without permission of the

author, further information at the above URL.  (373 subscribers.)


------------------------------------------------------------------------
---
List policy, unsubscribing and archives =>
http://www.auda.org.au/list/dns/
Please do not retransmit articles on this list without permission of the

author, further information at the above URL.  (373 subscribers.)




------------------------------------------------------------------------
---
List policy, unsubscribing and archives =>
http://www.auda.org.au/list/dns/
Please do not retransmit articles on this list without permission of the
author, further information at the above URL.  (373 subscribers.)



------------------------------------------------------------------------
---
List policy, unsubscribing and archives =>
http://www.auda.org.au/list/dns/
Please do not retransmit articles on this list without permission of the

author, further information at the above URL.  (373 subscribers.)
Received on Fri Oct 03 2003 - 00:00:00 UTC

This archive was generated by hypermail 2.3.0 : Sat Sep 09 2017 - 22:00:06 UTC