Anatomy of a Domain-Hijacking "Phishing" Scheme  
     
  Recently, NSDCAR's CEO Dianne McMillan received an email message that illustrates perfectly the nefarious methods used by the current crop of "phishing" predators who use social engineering tactics to fool recipients into revealing personally identifiable information, passwords, email addresses, or just to infect computers with malware, as in this case.  
     
  The email message purports to be from "The Nsdcar Team", and even contains a valid link to our website, along with an attachment which contained generic malware or a virus disguised in a compressed "zip" file.  The message even contains a line that assures the recipient that the attachment is virus-free, according to "Nsdcar Antivirus".  There is, of course, no such antivirus product.  Here's the message:  
     
  Dear user diannemcm,

It has come to our attention that your Nsdcar User Profile ( x ) records are out of date. For further details see the attached document.

Thank you for using Nsdcar!
The Nsdcar Support Team

+++ Attachment: No Virus (Clean)
+++ Nsdcar Antivirus - www.nsdcar.com
 
     
  By placing the "see attached document" note in the message, the perpetrator encourages the recipient to open the seemingly virus-free attachment, which infects the recipient's computer immediately, and probably has elements which allow it to spread across a network.  
     
  Upon reading the headers of this email message, I discovered that the return address was "info@nsdcar.com", but the IP address associated with this message traced to an AT&T Internet customer.  Here are the headers; the offending address is the 216.148.70.131 in brackets on the "Received:" line, which records the machine that actually connected to our mail server:  
     
  Microsoft Mail Internet Headers Version 2.0
Received: from nsdcar.com ([216.148.70.131]) by mail.nsdcar.com with Microsoft SMTPSVC(6.0.3790.211); Fri, 17 Jun 2005 11:41:17 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
From: <info@nsdcar.com>
To: <diannemcm@nsdcar.com>
Subject: Notice of account limitation
Date: Fri, 17 Jun 2005 11:41:21 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_0014_BD896E4B.C2E47502"
X-Priority: 3
X-MSMail-Priority: Normal
Return-Path: <info@nsdcar.com>
Message-ID: <SERVERolmRBaYFkuutS0000002b@mail.nsdcar.com>
X-OriginalArrivalTime: 17 Jun 2005 18:41:17.0232 (UTC) FILETIME=[2579AB00:01C5736C]

 
     
  The next step in my little detective saga required the use of a program that looks up IP addresses via the nameservers on the Internet.  These are the repositories that match IP addresses (a computer's "house number", if you will) with the names of the actual computers that bear the address.  The program first does a "reverse" lookup, turning the address into a host name, and then queries the "whois" registry to find out who registered the domain that host name belongs to.  Here is the result:  
     
  bay-29-a-131.sfo.dsl.cerfnet.com [216.148.70.131] - host unavailable

---

Domain owner:
Looking for 'cerfnet.com'
Domain zone 'COM' is for commercial purposes
URL for registration of domains: http://www.internic.net/origin.html
Server 'whois.networksolutions.com' reply [2252 bytes in raw data]:

Registrant:
CERFnet (CERF-DOM1)
9805 Scranton Rd, Ste 150
San Diego, CA 92121
US

Domain Name: CERFNET.COM

Administrative Contact:
CERFnet (CA597-ORG) cerf-admin@CERF.NET
PO BOX 919014
SAN DIEGO, CA 92191-9014
US
619-812-5000

Technical Contact:
AT&T Enhanced Network Services (CERF-HM) hostmaster@ATTENS.COM
AT&T Enhanced Network Services
P.O. Box 919014
San Diego, CA 92191
US
858-812-5000 fax: 858-812-3990

Record expires on 01-Aug-2009.
Record created on 02-Aug-1991.
Database last updated on 17-Jun-2005 17:02:33 EDT.

  As you can see, this traced the offending address to a DSL customer machine on a network belonging to "cerfnet", a domain originally issued to AT&T under their IP address license.  It is not our mail server at all, even though the connecting machine announced itself as "nsdcar.com".  
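  The check I did by hand above, parsing the first "Received:" line and comparing the sender's claimed domain against what the address really resolves to, can be automated.  The following is an added example written for this article, not a tool I used at the time; it embeds the header lines quoted above as constructed sample input and replaces the live reverse-DNS lookup with a table holding the host name the lookup returned, so it runs offline.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample: the relevant lines from the headers quoted in the article.
RAW_MESSAGE = (
    "Received: from nsdcar.com ([216.148.70.131]) by mail.nsdcar.com "
    "with Microsoft SMTPSVC(6.0.3790.211); Fri, 17 Jun 2005 11:41:17 -0700\n"
    "From: <info@nsdcar.com>\n"
    "To: <diannemcm@nsdcar.com>\n"
    "Subject: Notice of account limitation\n"
    "Return-Path: <info@nsdcar.com>\n"
    "\n"
    "body\n"
)

# Stand-in for a reverse-DNS (PTR) lookup so the example runs offline; the
# value is the host name the article's lookup returned for this address.
PTR_TABLE = {"216.148.70.131": "bay-29-a-131.sfo.dsl.cerfnet.com"}

# "from <helo-name> ([<ip>]) by <receiving-host>" as written by the mail server
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)\s+by\s+(?P<by>\S+)"
)


def first_hop(raw):
    """Return (helo_name, ip, receiving_host) from the earliest Received header.

    Each mail server prepends its own Received line, so the LAST one in the
    list is the first hop: the outside machine that connected to our server.
    """
    msg = email.message_from_string(raw)
    received = msg.get_all("Received") or []
    m = RECEIVED_RE.search(received[-1]) if received else None
    if not m:
        raise ValueError("could not parse the first Received header")
    return m.group("helo"), m.group("ip"), m.group("by")


def registered_domain(hostname):
    """Crude: last two labels, enough for the .com names in this article."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


def assess(raw, ptr_lookup=PTR_TABLE.get):
    """Return the set of reasons the From: address should not be trusted."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].split("@")[-1].lower()
    helo, ip, _by = first_hop(raw)
    ptr = ptr_lookup(ip)
    findings = set()
    if ptr is None:
        findings.add("no_reverse_dns")
    elif registered_domain(ptr) != from_domain:
        findings.add("ptr_domain_differs_from_from_domain")
        if registered_domain(helo) == from_domain:
            findings.add("helo_claims_sender_domain_but_ptr_disagrees")
    return findings
```

For the message above, `assess(RAW_MESSAGE)` reports that the connecting host's reverse DNS is in cerfnet.com rather than nsdcar.com and that the HELO name "nsdcar.com" was simply asserted by the sender, which is exactly the discrepancy found by hand.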
     
  So, you might think, what's the purpose of all this?  The next step was a call to the abuse hotline at AT&T, followed by sending all of this information to them for investigation.  
     
  Will they catch the criminal?  Perhaps.  More likely they will scrutinize the IP address and shut down the program that's sending the emails, without ever finding the true perpetrator.  But it's enough, in my mind, to have reported the incident and to know that I may have played a part in preventing thousands of additional infections, out there.  
     
  My purpose in reporting these facts here, readers, is to inform you of just how underhanded and sneaky things are getting on the Internet, in the hopes that you'll all learn to be just a little suspicious, especially when a message seems to be offering you help with a "system problem" or an "account discrepancy", or a "password reset", or any of the tricky little phrases these predators come up with, to gain your confidence.  Yes, they're the new con-men of the information age, and they're out to separate you from your money, your data, or your identity.  Be careful out there!