DreamingFox
Major
Premium Member
Joined: Aug 29, 2004 Posts: 1067
Posted: Tue Feb 08, 2005 5:20 pm Post subject: decipher SmithBarney phishing link
Hello,
My office has received a phishing email "from" SmithBarney. The link points to 69.22.45.131:87/s.
I went to SamSpade.org and found that 87 is the port the link would use if followed, and then I searched for info on port 87 and found that it's for "any private terminal link" but that it doesn't appear to be a commonly-used port. I don't know what the "/s" is for.
What I can determine about the main part of the address is that it is a user at mindspring.com and the organization is EarthLink (does EarthLink own Mindspring? I don't understand the connection).
Two name servers show up: itchy.mindspring.net and scratchy.mindspring.net, and an abuse email address of abuse@abuse.earthlink.net is provided.
How much of this info is valid? Should we forward the phish to the abuse email?
I've been following phishing news for several months, and haven't really seen any advice on how to report phishers, except for using the NetCraft toolbar, but we don't use MSIE, so don't use the toolbar (too bad it isn't compatible with other browsers).
Oldfrog
Special Response Team
Joined: Jun 27, 2004 Posts: 8576 Location: Deep in the Heart of Texas
Posted: Tue Feb 08, 2005 5:34 pm
By all means forward it to the abuse address. The more of these reports that they get, the more inclined they will be to take action.
The IP address appears to be part of the pool of addresses for Earthlink cable subscribers out of their Houston facility. The /s at the end of the URL simply points to the SmithBarney page. I have seen a number of these with different codes for different institutions.
Happily, that is already in the Netcraft database.
Nice job of analysis, btw.
_________________
MS MVP Security 2006-2008
DreamingFox
Major
Premium Member
Joined: Aug 29, 2004 Posts: 1067
Posted: Tue Feb 08, 2005 6:01 pm
Thanks! We've forwarded the email. Oddly enough, when we clicked on forward, we got an error message, and we had to forward by clicking "reply" and then changing the "to".
Oldfrog
Special Response Team
Joined: Jun 27, 2004 Posts: 8576 Location: Deep in the Heart of Texas
Posted: Tue Feb 08, 2005 6:32 pm
I should have mentioned earlier: whenever forwarding an email to an abuse address for any reason, it is best to send it as an attachment. This will preserve all the header information intact. In this case it probably won't matter, as the part that they are interested in will be the hyperlink in the body.
_________________
MS MVP Security 2006-2008
DreamingFox
Major
Premium Member
Joined: Aug 29, 2004 Posts: 1067
Posted: Tue Feb 08, 2005 7:08 pm
Oh. Oops. Oh well.
This is only the 2nd phish we've received here, but I'm sure we'll get others sooner or later, so next time I'll know to send as an attachment.
While I don't receive phishes through my domain at home, I've been getting them through my Yahoo account since before they were called phishing (I remember the first one I ever saw purported to come from Microsoft), so I have seen a lot of them, and so far haven't been fooled by any of them, though I know others who have been victimized.
Lately I've been reading about pharming, which I think is really scary because they seem to be nearly impossible to detect until it's too late...
Oldfrog
Special Response Team
Joined: Jun 27, 2004 Posts: 8576 Location: Deep in the Heart of Texas
Posted: Tue Feb 08, 2005 7:45 pm
In addition to reporting to the abuse contact for the target URL, I typically examine the email headers to find the source of the email. Once that IP address is known, you can backtrack to find an abuse contact for that IP range as well.
_________________
MS MVP Security 2006-2008
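The two lookups discussed in this thread, decoding the link's host, port and path as DreamingFox did by hand, and walking the Received headers to find the relay that handed the mail to your own servers as Oldfrog describes, can be automated. The following is an added example and not code from any poster: the message, relay hostnames and relay addresses are constructed (RFC 5737 documentation ranges), only the link is the one quoted in the thread, and INTERNAL_NETS is an assumption about which relays you operate.

```python
import re
import ipaddress
from email import message_from_string
from urllib.parse import urlsplit

# Constructed sample phish (not a real message). The link is the one quoted in
# this thread; relay addresses are RFC 5737 documentation addresses standing in
# for a real chain. The bottom Received line is the kind a sender can forge.
RAW_PHISH = """\
Received: from mx1.corp.example (mx1.corp.example [10.0.0.5])
 by mail.corp.example; Tue, 08 Feb 2005 16:02:11 -0500
Received: from dsl-23.isp.example (dsl-23.isp.example [198.51.100.23])
 by mx1.corp.example; Tue, 08 Feb 2005 16:02:10 -0500
Received: from smtp.smithbarney.example (smtp.smithbarney.example [203.0.113.9])
 by dsl-23.isp.example; Tue, 08 Feb 2005 16:02:09 -0500
From: "Smith Barney" <alerts@smithbarney.example>
Subject: Account verification required

Please confirm your account at 69.22.45.131:87/s within 24 hours.
"""

# Relays we operate ourselves (assumed: RFC 1918 + loopback); adjust to your network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_RE = re.compile(r"(?:https?://)?\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?(?:/\S*)?")

def source_ip(raw):
    """Return the IP that handed the mail to our own relays: walk Received headers
    top-down (newest first) and take the first address outside INTERNAL_NETS.
    Received lines below that hop were written by the sender and may be forged."""
    for hdr in message_from_string(raw).get_all("Received", []):
        for ip in IP_RE.findall(hdr):
            if not any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS):
                return ip
    return None

def decode_link(link):
    """Split a bare link such as 69.22.45.131:87/s into host, port and path."""
    if "://" not in link:
        link = "http://" + link
    u = urlsplit(link.rstrip(".,;)"))
    return {"host": u.hostname, "port": u.port or 80, "path": u.path or "/",
            "nonstandard_port": u.port not in (None, 80, 443)}

def triage(raw):
    """Everything needed for two abuse reports: who sent it, and where it points."""
    msg = message_from_string(raw)
    return {"source_ip": source_ip(raw),
            "links": [decode_link(m) for m in URL_RE.findall(msg.get_payload())]}
```

For the sample, `triage(RAW_PHISH)` reports the source as 198.51.100.23 (the forged 203.0.113.9 line below it is ignored) and the link as host 69.22.45.131 on non-standard port 87 with path /s.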
stan_qaz
Premium Member
Joined: Mar 31, 2003 Posts: 10635
Posted: Tue Feb 08, 2005 8:03 pm
A quick route to good reporting and a real timesaver is to use a free spamcop.net account.
You just copy and paste the source of the e-mail into their report form; it parses the header, attempting to detect forgeries and identify the folks needing notification; you select/deselect where the reports are going, add a comment if you wish, and then send the report.
It also adds to the spamcop.net blacklist, which will help others filter out spam from the same source.
_________________
Questions? Try the wiki
http://wiki.castlecops.com/MailWasher_Pro
Ikeb
Special Response Team Forums Admin
Joined: Apr 20, 2003 Posts: 16536
Posted: Wed Feb 09, 2005 12:03 am
DreamingFox wrote:
"Lately I've been reading about pharming, which I think is really scary because they seem to be nearly impossible to detect until it's too late..."
So pharming (vs phishing) is ... ? Any links you could share?
stan_qaz
Premium Member
Joined: Mar 31, 2003 Posts: 10635
Posted: Wed Feb 09, 2005 5:06 am
I'm getting hooked on RSS feeds and the Sage reader for Firefox! Try these:
http://www.theregister.co.uk/2005/01/31/pharming/
Fraudsters and mischief makers are developing more insidious techniques for tricking users into visiting bogus websites. Rather than using spam to con prospective victims into clicking their way to illicit sites - so called phishing attacks - internet ne'er-do-wells are using DNS poisoning or domain hijacks to redirect users to dodgy urls.
The trick - dubbed pharming - is potentially more sinister than phishing because it avoids the need to coax users into responding to junk email alerts. The attacks also occur across a broader front, potentially misdirecting all email and web traffic away from victims. Gerhard Eschelbeck, CTO of Qualys, cited the recent hijack of New York ISP Panix as typical of the type of threat that might emerge. Eschelbeck reckons the use of redirection attacks remains largely the domain of mischief makers. Other security commentators ascribe darker motives. "Pharming is a next-generation phishing attack," Scott Chasin, CTO of MX Logic, told Government Computer News.
http://www.eweek.com/article2/0,1759,1758874,00.asp
Like most people do, I sometimes enter personal information online. I do this when I go to Web sites. The most extensive information goes to e-stores where I want to shop. And also like most people, I count on Amazon.com or wherever I'm shopping to answer when I type in their URL and press the enter key. I believe I am entering information in the "right" place and so far, as best I can tell, it always has been.
Not so fast, warns my friend Scott Chasin, CTO at MX Logic, a Denver-based messaging and anti-spam company. Scott has identified a new threat that he's calling "pharming." If the current method is "Phishing for dummies" (because the victims ought to know better), Scott's new threat is "Pharming for geniuses" because most victims—even smart ones—might have no idea that they were being scammed. At least not until it's too late.
not this one
http://www.sciam.com/article.cfm?articleID=0003CA37-5C57-114B-9C5783414B7F0000
Farming, one of the world's oldest practices has suddenly found itself entangled with modern medicine. Imagine this: at your child's appointment for a routine vaccination, the doctor proffers a banana genetically engineered to contain the vaccine and says, “Have her eat this and call me in the morning.” Though still farfetched, the scenario is getting closer to reality, with the first batch of plant-made medicines--created by genetically modifying crops such as corn, soy, canola and even fruits such as tomatoes and bananas to produce disease-fighting drugs and vaccines--now in early clinical testing
Splicing foreign genes into plants is nothing new--biologists have been doing it for about 25 years. Using the technology to produce protein-based medicine could revolutionize the drug industry, proponents say. Plants are inherently safer than current methods of using animal cell cultures, which carry a risk of spreading animal pathogens; plants also provide a much cheaper means of production. But fears that these “pharma crops” will contaminate the food supply are casting shadows on the promise of the technology.
seafsee
General
Premium Member
Joined: Apr 02, 2004 Posts: 4920
Posted: Sun Feb 13, 2005 5:01 pm
Stan, that last part sounds like one of the science papers I've posted for the Folding@Home team...
My FeedReader picked up the same article. I'm glad you reported the Pharming piece. Some of this stuff has me feeling so out of the loop. I have different programs that provide different information, but often I am lost as to what the information means.
Kind of like a Microsoft error code.
DreamingFox
Major
Premium Member
Joined: Aug 29, 2004 Posts: 1067
Posted: Mon Feb 14, 2005 6:16 pm
I got much of my info from the eWeek link Stan posted, but hadn't seen the Register article, which was very good, too.
And I wouldn't want to get started talking about GE pharming, as I could go on for HOURS...
Ikeb
Special Response Team Forums Admin
Joined: Apr 20, 2003 Posts: 16536
Posted: Mon Feb 14, 2005 6:24 pm
So one form of pharming is being carried out by low-life scum and the other is one of the greatest advancements by mankind?
DreamingFox
Major
Premium Member
Joined: Aug 29, 2004 Posts: 1067
Posted: Mon Feb 14, 2005 6:52 pm
Well, the low-life scum I could certainly agree with...
DreamingFox
Major
Premium Member
Joined: Aug 29, 2004 Posts: 1067
Posted: Fri Feb 18, 2005 2:34 am
Here's more on (low-life scum) pharming:
APlusWebMaster wrote:
"Some phishers are using portable executable files that actually run on the user's machine rather than just put a link in an e-mail. They're using viruses on your machine, which get there a number of different ways, that are fairly sophisticated. They don't do anything until you go to a known banking or credit card or retailing site that's listed in the virus, and then they either replace the site with their own [fake] version or capture keystrokes and transmit them to the criminals."
This is an excellent definition of "pharming", whereby the user doesn't have to do anything specific to become a victim, except to have an unidentified (and seemingly benign) virus running in the background on their computer.
Ikeb
Special Response Team Forums Admin
Joined: Apr 20, 2003 Posts: 16536
Posted: Fri Feb 18, 2005 3:15 am
Viruses self-replicate by infecting other files. Strictly speaking, malware as described here is a trojan.
A trojan may use a virus agent to access a system but won't infect other files, the intention being to stay hidden except to carry out surreptitious actions to compromise a security measure.