Home

Asprox - Phish domains in April 2009

April 15, 2009 - 22:45 — Rune

First a screenshot from the phish site at
h||p://ww4.visa.com.82siddefault.com/creditcards/security/confirm
(Click on it for a bigger one)

Phish page on the Asprox botnet April 2009

And here is a screenshot of the location bar from the screenshot above:

Location bar of phish page on the Asprox botnet April 2009

It contains the domain name 82siddefault.com.

Then I substituted 82siddefault.com with advabnr.com:

Location bar of phish page - advabnr - on the Asprox botnet April 2009

Click on the image above for a screenshot of the full page, using advabnr.com.

advabnr.com is an "oldie, but goodie" from last years sql-injections.
You could insert other Asprox related domains in the link to see too:
etyj.ru, 63mode.me, vjhdo.com, pbtgr.ru

Other new domains (registered lately) used actively in the phishing on the botnet right now:
62ftpmsg.com, 91tcp-check.com, 96ini-lan.com, route-access92.net and token-html18.com.
Most likely there are others.

Related, but dead right now: 48rdirjava.com and 28sslput-search.com.

Thanks to phishtank.com (joewein), robtex.com and bfk.de.