The PhishLabs Blog

Even the smartest phishers make mistakes

Posted by John LaCour on Nov 6, '08

The most problematic phishers are those that use rock-style tactics to implement their scams. Because they combine fast-flux botnets, reverse proxies, and myriad registered domain names, their scams are likely to stay alive 50% longer or more than regular phishing attacks. Clearly they’re more advanced than the ankle-biters that use free phishing kits and free web space like GeoCities.

Today I started seeing reports of a PayPal phishing attack using the URL (line wrapped for readability):

http://secure.paypal.com.session-id99464376173882452045040350355179058532566734394749600500
117946024993835998207694.ssl89.ru

The only problem is that it’s impossible to resolve this hostname. If you look carefully, you’ll see that the label that starts with ‘session-’, followed by a bunch of numbers, is 91 characters long. That is longer than the maximum of 63 allowed by RFC 2181.

The phishers never notice this themselves because their nameservers have wildcard entries that allow any hostnames and sub-domains to resolve (assuming the query gets to their servers).
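As an added example (not code from the original post), the RFC 2181 limits discussed above can be applied when triaging reported URLs to flag hostnames that no resolver can look up. The function name, the sample URLs and the `.example` domains are constructed for illustration, and the check goes slightly beyond the post by also testing the 255-octet limit on the whole name.

```python
from urllib.parse import urlsplit

MAX_LABEL_OCTETS = 63   # RFC 2181: limit for a single label
MAX_NAME_OCTETS = 255   # RFC 2181: limit for the whole name, separators included


def dns_name_problems(url):
    """Return the reasons the hostname in `url` cannot be a valid DNS name.

    Assumes an ASCII hostname (IDNs already converted to punycode).
    """
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        return ["no hostname in URL"]
    problems = []
    wire_octets = 1  # zero-length root label that terminates every name
    for label in host.split("."):
        size = len(label)
        wire_octets += 1 + size  # each label is preceded by one length octet
        if size == 0:
            problems.append("empty label")
        elif size > MAX_LABEL_OCTETS:
            problems.append(
                f"label {label[:10]}... is {size} octets, limit is {MAX_LABEL_OCTETS}"
            )
    if wire_octets > MAX_NAME_OCTETS:
        problems.append(
            f"name is {wire_octets} octets on the wire, limit is {MAX_NAME_OCTETS}"
        )
    return problems


# Constructed sample: a 91-character label, the length the post reports,
# under a made-up domain. Not the URL from the phishing reports.
LONG_LABEL = "session-id" + "9" * 81
SAMPLE_URLS = [
    f"http://secure.bank.example.{LONG_LABEL}.phish.example/login",
    "http://www.example.com/login",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(sample[:60], "->", dns_name_problems(sample) or "ok")
```

A URL that fails this check is rejected on the client side, so the query never reaches the phisher's wildcard nameserver.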

Topics: Phishing
