You can check the location of the sites using nslookup at the DOS prompt.

You can also find out more domains hiding behind an IP address, e.g. 218.22.100.110, by doing a reverse IP check at

http://www.domaintools.com/reverse-ip/

Domaintools.com is a tool for checking the number of domains hosted on a particular IP address. However, the free version shows only a few of the domains on that IP address.

If a victim falls for the phishing attempt, the scammer utilizes the information obtained in the following order:

(Taken from http://www.dslreports.com/forum/remark,17745425)


With respect to the BOA phishes submitted to phishtrack I can tell you that over 95% of the BOA phishes that are forensically audited, are tracked back to Romanian phishers.

It appears to be one of their current favorites, much as Chase Bank was 6 to 9 months ago.

In fact in multiple instances a specific routine has been repeatedly observed with the phishers that have been shadowed. Within an hour or two of being phished the phisher takes the victim data which is usually in the format of:

========================================
Fri Jan 12, 2007 4:32 pm
User:
Pass:
Account state:
-----------------------------------
First name:
Last name:
Address1:
Address2:
City:
State:
Zipcode:
Phone:
SSN:
Mother:
Driver's license:
DOB:
Cardnumber:
Expiry Date:
CVV:
Visa COD:
IP:
========================================

and first goes to peoplefinders.com and purchases a background check on the victim using their card info. Next they head over to westernunion.com and set up an account in the victim's name and card data. They then start making cash wire transfers with the card in increments of between $800 and $1,400 either directly to Romania, or via a drop at other EU countries. At the completion of each WU online transfer the Phisher is required to call an 800 number to validate the transaction.

Armed with the victim's phished data and the background check from peoplefinders.com they call the number via Skype, and easily pass the vetting process by answering all the questions correctly. So far the record for the fastest time from completing the online transfer application until someone walks in to a Western Union office and picks up the money has been 8 minutes. In that particular case the money was picked up in Amsterdam, Holland.

During the WU process they will register the victim's card in the "Verified by Visa" program with a password that they supply. ...Rinse and repeat.

Once the cash generating ability of the card has been burned up, the phisher can then exploit the BOA account log in credentials and will make online check transfers to US drops or mules. They also have the victim's complete identity so further exploitation of the data can then be done to maximize the return from the data.

MGD
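
The routine described in the quoted post maps onto a card-side detection rule: a background-check purchase followed shortly by wire transfers in the $800 to $1,400 band. The following is an added example, not part of the quoted post or of any issuer's real system; the event schema, event labels, three-hour window, home country and sample events are all constructed assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=3)   # assumed correlation window ("within an hour or two", plus slack)
BAND = (800.00, 1400.00)      # wire-transfer increments named in the post
HOME = "US"                   # assumed cardholder country
# Constructed events: (time, card, kind, amount, destination country). Schema is hypothetical.
EVENTS = [
    ("2007-01-12 16:50", "card-A", "background_check", 39.95, "US"),
    ("2007-01-12 17:05", "card-A", "wire_transfer", 1200.00, "NL"),
    ("2007-01-12 17:20", "card-A", "vbv_enrollment", 0.00, "US"),
    ("2007-01-12 17:40", "card-A", "wire_transfer", 900.00, "RO"),
    ("2007-01-12 09:00", "card-B", "wire_transfer", 1000.00, "US"),   # lone transfer
    ("2007-01-12 12:00", "card-C", "background_check", 39.95, "US"),
    ("2007-01-13 12:00", "card-C", "wire_transfer", 850.00, "US"),    # a day later
]

def score_cards(events):
    """Return {card: (score, reasons)} for cards that match the described sequence."""
    by_card = {}
    for ts, card, kind, amount, country in sorted(events):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        by_card.setdefault(card, []).append((when, kind, amount, country))
    alerts = {}
    for card, evs in by_card.items():
        for start, kind, _, _ in evs:
            if kind != "background_check":
                continue
            later = [e for e in evs if start < e[0] <= start + WINDOW]
            wires = [e for e in later
                     if e[1] == "wire_transfer" and BAND[0] <= e[2] <= BAND[1]]
            if not wires:
                continue
            score, reasons = 2, ["background check followed by in-band wire transfer"]
            if len(wires) > 1:
                score += 1
                reasons.append("repeated transfers")
            if any(e[3] != HOME for e in wires):
                score += 1
                reasons.append("payout outside cardholder country")
            if any(e[1] == "vbv_enrollment" for e in later):
                score += 1
                reasons.append("Verified by Visa enrolled mid-sequence")
            alerts[card] = (score, reasons)
            break
    return alerts

if __name__ == "__main__":
    for card, (score, reasons) in score_cards(EVENTS).items():
        print(card, score, "; ".join(reasons))
```

Only card-A is flagged: card-B has a transfer with no preceding background check, and card-C's transfer falls outside the window.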


Phish sites are taken down as quickly as they are set up. However, a phish site that is active for just a few hours will claim many victims, which is why many anti-phishing sites have been set up to get them closed down as soon as possible.

These are sites to which you can submit any phishing emails that you have received.

Some of the more popular ones are:

http://www.dslreports.com/phishtrack - Phish tracker

http://www.castlecops.com/pirt - Phishing Incident Reporting and Termination (PIRT) Squad


