
[SpamCop-List] Re: Even more elusive phishes ... and SpamCop missed 'em

J G anon at coks.net
Sat Aug 13 08:37:15 EDT 2005


On 8/12/2005 3:25 PM George Langford, Sc.D. scribbled:

> This morning I LART'ed a bunch of folks about this phish:
> http://www.spamcop.net/sc?id=z795535919zae2ec8dd5c434f95e3cae21de4945dbez
> and then this afternoon I got another, with the same URL:
> http://www.spamcop.net/sc?id=z795623485zef6253f4225790672d6703da7e6758e1z
> 
> Both of these contained a twisted URL if I ever saw one:
> http://www.google.de/url?sa=U&start=4&q=http://218.158.9.7/webmail/java/index.php
> 
> Spamcop resolutely refused to notify Google.de about this URL
> (as did I, as Google has nothing to do with the phishing site).
> 
> But I did get hysterical about this tagalong URL:
> http://218.158.9.7/webmail/java/index.php
> Which is where the real code is (still).
> 
> When I TraceRT'ed the IP address (218.158.9.7), I got evidence
> of a redirect to svr135.datacom.co.kr (218.54.195.135) so I sent
> my LARTs to: abuse at svr135.datacom.co.kr, postmaster at svr135.datacom.co.kr,
> spamcop at kisa.or.kr, spoof at millersmiles.co.uk, and spam at uce.gov.
> That list was based in part on this result from CompleteWhoIs:
> 
>>[OTHER (whois.abuse.net) whois information for SVR135.DATACOM.CO.KR ]
>>[whois.abuse.net]
>>abuse at svr135.datacom.co.kr (for kr)
>>postmaster at svr135.datacom.co.kr (for kr)
>>spamcop at kisa.or.kr (for kr)
> 
> 
> This afternoon I got another, seemingly identical phish,
> but now the TraceRT goes this way: traceroute to 218.158.9.7 ...
> which is a wholly different pathway.  Not even close.
> 
> However, EasyWhoIs and WhoIs.SC tell me to look here:
> 
>>remarks:      http://whois.nida.or.kr/english/index.html
> 
> Where I find for 218.158.9.7:
> 
>>IPv4 Address       : 218.158.9.0-218.158.9.255
>>Network Name       : KORNET-EXPRESS2003297921
>>Connect ISP Name   : KORNET
>>Connect Date       : 20031204
>>Registration Date  : 20040115
>>... snippage ...
>>[ Admin Contact Information]
>>Name               : sujin nam
>>Org Name           : ubangjeongbokisul
>>State              : TAEGU
>>Address            : jeonsansil ubangraendeu ho 0011 beonji 0302 duryou2dong dalseoku
>>Zip Code           : 704-062
>>Phone              : +82-53-740-9196
>>E-Mail             : bluerose at kt.co.kr
>>... snippage ...
>>If the above contacts are not reachable, please see the following 
>>ISP contacts for further information or network abuse.
>>[ ISP IPv4 Admin Contact Information ]
>>Name               : IP Administrator
>>Phone              : +82-2-3674-5708
>>Fax                : +82-2-747-8701
>>E-Mail             : ip at ns.kornet.net
> 
> 
> amenex
> 

Forward that to spoof at ebay.com as well, if you still have it and haven't
done so already...
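
Added example (not part of the original posts): the phish quoted above hides its real host behind a google.de/url redirect, so the abuse report has to go to the host carried in the q= parameter rather than to the wrapper. The sketch below pulls that host out offline, with no network requests; the REDIRECT_PARAMS list and the function names are assumptions made for this illustration.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qsl

# Query parameters that often carry a forwarded destination (assumed list;
# "q" is the one used by the google.de/url link quoted in this thread).
REDIRECT_PARAMS = ("q", "url", "u", "dest", "target")

# URL taken from the quoted message above.
SAMPLE = "http://www.google.de/url?sa=U&start=4&q=http://218.158.9.7/webmail/java/index.php"


def unwrap(url, max_depth=5):
    """Return the chain of URLs, outermost first, by reading the embedded
    destination parameters. Nothing is fetched; max_depth bounds nesting."""
    chain = [url]
    for _ in range(max_depth):
        inner = None
        # parse_qsl percent-decodes once, so encoded and nested wrappers
        # are peeled one layer per loop iteration.
        for key, value in parse_qsl(urlsplit(chain[-1]).query):
            if key.lower() in REDIRECT_PARAMS and \
                    value.lower().startswith(("http://", "https://")):
                inner = value
                break
        if inner is None:
            break
        chain.append(inner)
    return chain


def report_target(url):
    """Summarise which host actually serves the page and which hosts are
    only redirect wrappers (and so are not the place to send the report)."""
    chain = unwrap(url)
    host = urlsplit(chain[-1]).hostname or ""
    try:
        ipaddress.ip_address(host)
        is_ip = True          # bare IP instead of a name, as in this phish
    except ValueError:
        is_ip = False
    return {
        "wrappers": [urlsplit(u).hostname for u in chain[:-1]],
        "host": host,
        "is_ip_literal": is_ip,
        "url": chain[-1],
    }


if __name__ == "__main__":
    print(report_target(SAMPLE))
```

The "host" value is what goes into the whois lookup; the "wrappers" list names redirectors that merely forwarded the click.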

