I see two versions. One which appears to use a single IP another which will cycle through 16 or so IPs over a long ttl. For example:

2007-03-22T17:17:39-06:00
(Domain|IP) | TTL | IP | ASN | Prefix | AS Name | Type |
business-eb.ibanking-services0020mk.bbt.com.serkft.hk | 43081 | 80.97.64.230 | 6746 | 80.97.64.0/20 | ASTRAL | N |

and

2007-03-21T16:40:35-06:00
(Domain|IP) | TTL | IP | ASN | Prefix | AS Name | Type |
online.bbt.com.onlineservlet_id9513027.idisap.hk | 1800 | 71.204.15.117 | 7725 | 71.204.0.0/18 | Comcast Cable Communications Holdings | N |
online.bbt.com.onlineservlet_id9513027.idisap.hk | 1800 | 84.149.100.207 | 3320 | 84.128.0.0/10 | Deutsche Telekom AG | N |
online.bbt.com.onlineservlet_id9513027.idisap.hk | 1800 | 157.157.203.156 | 6677 | 157.157.0.0/16 | ICENET-AS1 ICENET Autonomous system | N |
online.bbt.com.onlineservlet_id9513027.idisap.hk | 1800 | 212.54.221.151 | 1241 | 212.54.192.0/19 | FORTHNET-GR FORTHnet | N |
online.bbt.com.onlineservlet_id9513027.idisap.hk | 1800 | 69.230.188.73 | 7132 | 69.224.0.0/12 | SBC Internet Services | N |

2007-03-21T18:01:38-06:00
(Domain|IP) | TTL | IP | ASN | Prefix | AS Name | Type |
online.bbt.com.onlineservlet_id9513027.idisap.hk | 1800 | 76.64.63.212 | 577 | 76.64.0.0/16 | Bell Advanced Communications Inc. | N |
online.bbt.com.onlineservlet_id9513027.idisap.hk | 1800 | 82.57.146.48 | 3269 | 82.57.0.0/16 | TELECOM ITALIA | N |
online.bbt.com.onlineservlet_id9513027.idisap.hk | 1800 | 24.193.146.88 | 12271 | 24.193.128.0/17 | Road Runner | N |
online.bbt.com.onlineservlet_id9513027.idisap.hk | 1800 | 68.114.61.12 | 16787 | 68.114.56.0/21 | Charter Communications | N |
online.bbt.com.onlineservlet_id9513027.idisap.hk | 1800 | 72.234.121.35 | 36149 | 72.234.0.0/17 | HAWAIIAN-TELCOM | N |

2007-03-21T18:59:18-06:00
(Domain|IP) | TTL | IP | ASN | Prefix | AS Name | Type |
online.bbt.com.onlineservlet_id9513027.idisap.hk | 1800 | 72.234.121.35 | 36149 | 72.234.0.0/17 | HAWAIIAN-TELCOM | N |
online.bbt.com.onlineservlet_id9513027.idisap.hk | 1800 | 75.179.1.43 | 11060 | 75.179.0.0/18 | Road Runner | N |
online.bbt.com.onlineservlet_id9513027.idisap.hk | 1800 | 190.142.13.144 | 21826 | 190.142.0.0/19 | Internet Cable Plus C. A. | N |
online.bbt.com.onlineservlet_id9513027.idisap.hk | 1800 | 212.139.91.77 | 9105 | 212.139.0.0/16 | TISCALI-BACKBONE Tiscali Intl | N |
online.bbt.com.onlineservlet_id9513027.idisap.hk | 1800 | 68.114.61.12 | 16787 | 68.114.56.0/21 | Charter Communications | N |

Tom wrote:
> I should note that the ones I have looked at have
> the same deployment structure just like the
> others eg multihomed to 5 dynamic (usually) IPs
> with 2 or more zombied machines doing DNS as they
> move the active zombies around. Acts like the
> same crew to me.
>
> Tom
>
> At 4:04 PM -0800 3/22/07, [EMAIL PROTECTED] wrote:
>> Yes .. those are the 'full' rockphish and they haven't gone away.
>> Unfortunately. But the ones running off the specific HK host and only
>> hitting one target bank .. predominantly BB&T .. are the 'subset.'
>>
>> Both are piranhas!
>>
>>
>> On 22 Mar 2007 at 11:58, Tom wrote:
>>
>>> Actually they are also hitting Volksbank, usbank,
>>> Sparkasse, Westpac, Citibank, PayPal, 5th3rd,
>>> usbank, Sparkasse, Westpac according to my DB
>>> with Volksbank, usbank, Sparkasse, and Westpac
>>> almost as hard as BB&T
>>>
>>> At 10:40 PM -0800 3/21/07, [EMAIL PROTECTED] wrote:
>>> >Both reported. Yes, these are a 'subset' of rockphish hosted by that
>>> >'problem' HK registrar. They're darned close to all being BB&T.
>>> >
>>> >
>>> >On 21 Mar 2007 at 20:52, Steve Pirk wrote:
>>> >
>>> >> Man, they are hitting BB&T hard:
>>> >>
>>> >> http://business-eb.ibanking-services0020mk.bbt.com.serkft.hk/updat
>>> >> e/K1 /sb_login.jsp
>>> >>
>>> >> --
>>> >> Steve
>>> >> panic: can't find /
>>> >>
>>> >> ---------- Forwarded message ----------
>>> >> Return-Path: <[EMAIL PROTECTED]>
>>> >> Received: from 6e524ee55e15461 ([220.93.55.67])
>>> >> by mail.pirk.com (8.13.7/8.12.0.Beta19) with SMTP id
>>> >> l2LG7QDL024870 for <[EMAIL PROTECTED]>; Wed, 21 Mar 2007 08:07:27
>>> >> -0800
>>> >> Message-ID: <[EMAIL PROTECTED]>
>>> >> From: "Branch Banking & Trust USA '2007"
>>> >> <[EMAIL PROTECTED]>
>>> >> To: <[EMAIL PROTECTED]>
>>> >> Subject: Branch Banking & Trust Cash Manager Online Service
>>> >> Upgrade
>>> >> ID:
>>> >> 604
>>> >> Date: Thu, 22 Mar 2007 01:07:25 +1000
>>> >> MIME-Version: 1.0
>>> >> Content-Type: multipart/related;
>>> >> type="multipart/alternative";
>>> >> boundary="----=_NextPart_000_0016_01C76C1E.741FAC80"
>>> >> X-Priority: 3
>>> >> X-MSMail-Priority: Normal
>>> >> X-Mailer: Microsoft Outlook Express 6.00.2900.2180
>>> >> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
>>> >>
>>> >> [IMAGE]
>>> >>
>>> >> day's journey, Ramla is always meant.
>>> >>
>>> >> slave a brand-new shirt and a new white woollen
>>> >> djilaba[75] before him
>>> >>
>>> >> sky blue or rose red among the elegant, and one open
>>> >> at the front
>>> >>
>>> >> and by their smallness made the enormous size of this
>>> >>
>>> >> even the loud cry of bodily pain, all
>>> >> distortions
>>> >>
>>> >> against France. From 1795-1813 he lived in exile in England on
>>> >> a
>>> >>
>>> >> "Well, then, no thank you!" replied the rats and went back
>>> >> to the
>>> >>
>>> >> "Yes, we are roasting young cockerels today!" replied the
>>> >> king's daughter.
>>> >>
>>> >> an enormous upswing. The population rose from 20 000
>>> >> by
>>> >>
>>> >> and at every toast whatever has been poured must be drunk up.
>>> >>
>>> >> beautiful form, its airy clarity, its whole peculiar
>>> >>
>>> >> soaked through, feet ice-cold from the melted snow water,
>>> >> in which
>>> >>
>>> >> to show the bird to the people the next Sunday. And the people
>>> >> heard
>>> >>
>>> >> not to give much pleasure; yet they let us, at the
>>> >> intercession
>>> >>
>>> >> as soon as it no longer perceived them, it dived right down
>>> >> to the bottom,
>>> >>
>>> >> (Old Cairo, formerly officially so distinguished as a separate
>>> >> city from the
>>> >>
>>> >> there is not as much aimless drifting about there as in
>>> >> Pyrmont
>>> >>
>>> >> At the first mine we climbed out of the boat. A number of
>>> >> vaulted
>>> >>
>>> >> Now it began to rain; drop followed upon drop, until a
>>> >>
>>> >> pew in which Karen sat. Her heart was so full of
>>> >> sunshine,
>>> >>
>>> >> work through. And out of that we must buy everything ourselves
>>> >> that we
>>> >>
>>> >> will handle the matter more skilfully than back then," said the
>>> >> councillor. But
>>> >
>>> >
>>> >_______________________________________________
>>> >phishing mailing list
>>> >[email protected]
>>> >http://www.whitestar.linuxbox.org/mailman/listinfo/phishing
>>>
>>>
>>> --
>>>
>>> Tom Shaw - Chief Engineer, OITC
>>> <[EMAIL PROTECTED]>, http://www.oitc.com/
>>> US Phone Numbers: 321-984-3714,
>>> 321-729-6258(fax), 321-258-2475(cell/voice
>>> mail,pager)
>>> Text Paging: http://www.oitc.com/Pager/sendmessage.html
>>> AIM/iChat: [EMAIL PROTECTED]
>>> Google Talk: [EMAIL PROTECTED]
>>> skype: trshaw
>>>
>
>
_______________________________________________
phishing mailing list
[email protected]
http://www.whitestar.linuxbox.org/mailman/listinfo/phishing
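
Added example, not part of the original thread: a small parser for the pipe-delimited passive-DNS listing quoted in the top message, which separates the single-IP hosting from the rotating one by counting distinct IPs and ASNs per domain across snapshots. The function names and the thresholds (5 IPs, 3 ASNs) are assumptions chosen for illustration; the sample rows are copied from the listing above.

```python
from collections import defaultdict

# Rows copied from the listing in the post: the single-IP record plus the
# 18:01 and 18:59 snapshots of the rotating domain.
ROT = "online.bbt.com.onlineservlet_id9513027.idisap.hk"
SAMPLE = f"""\
2007-03-22T17:17:39-06:00
business-eb.ibanking-services0020mk.bbt.com.serkft.hk | 43081 | 80.97.64.230 | 6746 | 80.97.64.0/20 | ASTRAL | N |
2007-03-21T18:01:38-06:00
{ROT} | 1800 | 76.64.63.212 | 577 | 76.64.0.0/16 | Bell Advanced Communications Inc. | N |
{ROT} | 1800 | 82.57.146.48 | 3269 | 82.57.0.0/16 | TELECOM ITALIA | N |
{ROT} | 1800 | 24.193.146.88 | 12271 | 24.193.128.0/17 | Road Runner | N |
{ROT} | 1800 | 68.114.61.12 | 16787 | 68.114.56.0/21 | Charter Communications | N |
{ROT} | 1800 | 72.234.121.35 | 36149 | 72.234.0.0/17 | HAWAIIAN-TELCOM | N |
2007-03-21T18:59:18-06:00
{ROT} | 1800 | 72.234.121.35 | 36149 | 72.234.0.0/17 | HAWAIIAN-TELCOM | N |
{ROT} | 1800 | 75.179.1.43 | 11060 | 75.179.0.0/18 | Road Runner | N |
{ROT} | 1800 | 190.142.13.144 | 21826 | 190.142.0.0/19 | Internet Cable Plus C. A. | N |
{ROT} | 1800 | 212.139.91.77 | 9105 | 212.139.0.0/16 | TISCALI-BACKBONE Tiscali Intl | N |
{ROT} | 1800 | 68.114.61.12 | 16787 | 68.114.56.0/21 | Charter Communications | N |
"""

def parse(text):
    """Yield (timestamp, domain, ttl, ip, asn); header and blank lines are skipped."""
    stamp = None
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) == 1 and cells[0]:
            stamp = cells[0]                      # snapshot timestamp line
        elif len(cells) >= 7 and cells[1].isdigit():
            yield stamp, cells[0], int(cells[1]), cells[2], int(cells[3])

def summarize(text, min_ips=5, min_asns=3):
    """Per-domain rotation summary; the thresholds are illustrative assumptions."""
    seen = defaultdict(lambda: {"ips": set(), "asns": set(), "snaps": set(), "ttl": set()})
    for stamp, domain, ttl, ip, asn in parse(text):
        for key, val in (("ips", ip), ("asns", asn), ("snaps", stamp), ("ttl", ttl)):
            seen[domain][key].add(val)
    out = {}
    for domain, d in seen.items():
        rotating = len(d["ips"]) >= min_ips and len(d["asns"]) >= min_asns
        out[domain] = {"ips": len(d["ips"]), "asns": len(d["asns"]),
                       "snapshots": len(d["snaps"]), "min_ttl": min(d["ttl"]),
                       "kind": "rotating" if rotating else "single-host"}
    return out

if __name__ == "__main__":
    for domain, info in summarize(SAMPLE).items():
        print(domain, info)
```

Counting distinct ASNs as well as IPs keeps a host that merely renumbers inside one provider from being labelled as rotating.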
