FW: Need some help: IDEAS, Inc.
One of our incident handlers at the SANS Internet Storm Center has been trying to chase down the bogus Katrina assistance web sites. Below is a note of frustration he sent internally to us this morning. I asked if I could cross-post over to NANOG to see if any of you could assist. Thanks in advance!

Marc

++++++++++++++++++++++++++++++++++++++++++++++++++++++
Marcus H. Sachs, P.E. KJ4WA : marc@sans.org
Director, SANS Internet Storm Center : isc.sans.org
Washington D.C. USA (EDT, GMT-4) : +1 703 707 9293
++++++++++++++++++++++++++++++++++++++++++++++++++++++

-----Original Message-----
Sent: Saturday, September 03, 2005 9:32 AM
Subject: Need some help: IDEAS, Inc.

Morning all:

Last night, I pulled a new copy of the .com and .net zone files down and did another grep for "katrina" domains. Obviously, there are now more... In the process of checking and cross-referencing, I found that our friends "IDEAS, Inc" are a little more "involved" than we originally thought:

http://www.hurricanekatrinarelief.com
http://www.hurricanekatrinapics.com
http://www.hurricanekatrinaneworleans.com
http://www.hurricanekatrinaflooding.com
http://www.hurricanekatrinainfo.com
http://www.hurricanekatrinamap.com
http://www.hurricanekatrinanews.com
http://www.hurricanekatrinapath.com
http://www.hurricanekatrinaphoto.com
http://www.hurricanekatrinaphotos.com
http://www.hurricanekatrinarelieffund.com
http://www.hurricanekatrinatracking.com
http://www.hurricanekatrinaupdate.com
http://www.hurricanekatrinavideos.com
http://www.katrinadamage.com
http://www.katrinapics.com
http://www.katrinavideos.com
http://www.neworleanshurricanekatrina.com

...and those are just the 18 I was able to find.

Right now, there are two weak points to this particular house of cards.

1) The first site listed, "http://www.hurricanekatrinarelief.com", is what drives all of the others. Each of the other sites loads the first one in an IFRAME. That makes it easy for the bastards to update them all. This site is hosted by Interland. Their final word on shutting these scumballs down until they could prove they were legitimate was:

"We have been advised by our legal department that the local authorities should be contacted. The local authorities can submit a subpoena to our legal department. We will be glad to comply to such a request."

ie. "We have no balls. Go away".

2) All of the other sites are hosted at the IP address 206.251.184.10. Immediate upstream is "datasync.net/.com" and they are located in (of course...) Louisiana. I've emailed them numerous times, and tried to call ("all circuits are busy..."), but they're probably running in lights-out mode right now.

The IDEAS, Inc. scum MUST die, but I'm all out of ideas at this point... the only other possibility that I can think of is to take them out at the DNS level. All of the "slave" sites at 206.251.184.10 use DirectNIC for their DNS... Anyone got sway with them?

Frankly, gang, I'm at my wits' end on this one...
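The triage the handler describes above (grep the downloaded zone files for a keyword, cross-reference the hits by shared infrastructure, then confirm that the "slave" sites all load one hub page in an IFRAME) as an added Python example; this is not code from the thread. The zone excerpt and the page bodies below are constructed for the example and the nameserver names are invented; in real use the zone text comes from the registry zone-file download and the page bodies from fetching each site.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, modelled loosely on the TLD zone-file layout
# (relative owner name, NS, nameserver). Nameserver names are invented.
SAMPLE_ZONE = """\
; constructed excerpt, not a real zone file
HURRICANEKATRINARELIEF NS NS1.EXAMPLE-HOST.
HURRICANEKATRINAPICS NS NS1.EXAMPLE-DNS.
HURRICANEKATRINAPICS NS NS2.EXAMPLE-DNS.
KATRINADAMAGE NS NS1.EXAMPLE-DNS.
KATRINADAMAGE NS NS2.EXAMPLE-DNS.
SOMECHARITY NS NS1.EXAMPLE-NGO.
SOMECHARITY NS NS2.EXAMPLE-NGO.
"""

# Constructed page bodies standing in for what a fetch of each site returned.
SAMPLE_PAGES = {
    "hurricanekatrinarelief.com": "<html><body><h1>Donate now</h1></body></html>",
    "hurricanekatrinapics.com":
        '<html><body><iframe src="http://www.hurricanekatrinarelief.com/" '
        'width="100%" height="100%"></iframe></body></html>',
    "katrinadamage.com":
        '<html><body><IFRAME SRC="http://www.hurricanekatrinarelief.com/index.html">'
        '</IFRAME></body></html>',
}


def parse_zone(text, origin="com"):
    """Map each delegated domain to the set of nameservers listed for it."""
    ns_map = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        # Accept both "OWNER NS TARGET" and "OWNER TTL IN NS TARGET".
        if "NS" not in fields:
            continue
        idx = fields.index("NS")
        if idx + 1 >= len(fields):
            continue
        owner, target = fields[0].lower(), fields[idx + 1].lower()
        domain = owner if owner.endswith(".") else f"{owner}.{origin}"
        ns_map[domain.rstrip(".")].add(target)
    return dict(ns_map)


def find_domains(ns_map, keyword):
    """The zone-file grep: every delegated name containing the keyword."""
    kw = keyword.lower()
    return sorted(d for d in ns_map if kw in d)


def cluster_by_nameserver(ns_map, domains):
    """Group domains that share an identical nameserver set; one cluster is
    usually one registrant, or one hosting/redirect service."""
    clusters = defaultdict(list)
    for d in domains:
        clusters[frozenset(ns_map[d])].append(d)
    return {k: sorted(v) for k, v in clusters.items()}


class _IframeCollector(HTMLParser):
    """Collects the hostname of every <iframe src=...> seen while parsing."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                host = urlparse(value).hostname
                if host:
                    self.hosts.add(host.lower())


def extract_iframe_hosts(html):
    """Hostnames framed by a page (tag and attribute names are case-insensitive)."""
    p = _IframeCollector()
    p.feed(html)
    return p.hosts


def find_hubs(pages):
    """Invert the iframe relation: hub hostname -> domains that embed it."""
    hubs = defaultdict(list)
    for domain, html in pages.items():
        for host in extract_iframe_hosts(html):
            hubs[host].append(domain)
    return {h: sorted(v) for h, v in hubs.items()}


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE)
    hits = find_domains(zone, "katrina")
    print("matches:", hits)
    for ns, doms in cluster_by_nameserver(zone, hits).items():
        print(sorted(ns), "->", doms)
    for hub, doms in find_hubs(SAMPLE_PAGES).items():
        print("hub", hub, "embedded by", doms)
```

Clustering on the nameserver set rather than on the hosting IP matters for the takedown request: as the thread goes on to note, 206.251.184.10 is a registrar's redirect service, so that one address is shared with unrelated customers, while the NS set plus the common IFRAME hub is what ties these particular domains to one operator.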
On Sat, 3 Sep 2005, Marcus H. Sachs wrote:
Right now, there are two weak points to this particular house of cards.
1) The first site listed, "http://www.hurricanekatrinarelief.com", is what drives all of the others. Each of the other sites loads the first one in an IFRAME. That makes it easy for the bastards to update them all. This site is hosted by Interland. Their final word on shutting these scumballs down until they could prove they were legitimate was:
"We have been advised by our legal department that the local authorities should be contacted. The local authorities can submit a subpoena to our legal department. We will be glad to comply to such a request."
ie. "We have no balls. Go away".
Or "We are aiding and abetting". But that may be a little too paranoid, even for me. :-P
2) All of the other sites are hosted at the IP address 206.251.184.10.
That's one of DirectNIC's domain redirectors. Which makes sense, because:
All of the "slave" sites at 206.251.184.10 use DirectNIC for their DNS...
-- Todd Vierling <tv@duh.org> <tv@pobox.com> <todd@vierling.name>
On Sat, 3 Sep 2005 11:00:03 -0400 "Marcus H. Sachs" <marc@sachsfamily.net> wrote:
The IDEAS, Inc. scum MUST die, but I'm all out of ideas at this point... the only other possibility that I can think of is to take them out at the DNS level. All of the "slave" sites at 206.251.184.10 use DirectNIC for their DNS... Anyone got sway with them?
Relayed to DirectNIC staff via IRC. They are dealing with it. Instead of just dropping the redirection service and making it go to some invalid page, they are going to redirect all the sites to the official Red Cross site. ;)

~reed

-- Reed Loden - <reed@reedloden.com>
Thanks very much Reed!!! Great solution by the way.

Marc
SANS ISC
marc@sans.org

-----Original Message-----
From: Reed Loden [mailto:reed@reedloden.com]
Sent: Saturday, September 03, 2005 3:05 PM
To: Marcus H. Sachs
Cc: nanog@merit.edu; handlers@sans.org
Subject: Re: FW: Need some help: IDEAS, Inc.

On Sat, 3 Sep 2005 11:00:03 -0400 "Marcus H. Sachs" <marc@sachsfamily.net> wrote:

The IDEAS, Inc. scum MUST die, but I'm all out of ideas at this point... the only other possibility that I can think of is to take them out at the DNS level. All of the "slave" sites at 206.251.184.10 use DirectNIC for their DNS... Anyone got sway with them?

Relayed to DirectNIC staff via IRC. They are dealing with it. Instead of just dropping the redirection service and making it go to some invalid page, they are going to redirect all the sites to the official Red Cross site. ;)

~reed

-- Reed Loden - <reed@reedloden.com>
this is NOT a good solution, since a successful phish attack in this case would look exactly like the official red cross web site. plz put up an informative 404 page and no pointers to any phish-worthy sites. marc@sachsfamily.net ("Marcus H. Sachs") writes:
Thanks very much Reed!!! Great solution by the way.
Marc SANS ISC marc@sans.org
-- Paul Vixie
On 03 Sep 2005 23:28:55 +0000 Paul Vixie <vixie@vix.com> wrote:
this is NOT a good solution, since a successful phish attack in this case would look exactly like the official red cross web site. plz put up an informative 404 page and no pointers to any phish-worthy sites.
Earlier, I was informed by the DirectNIC admins that they had rethought their solution. For now, the domains have been put on registrar hold/lock and will not resolve to anything. This stops the problem of the scamming without causing any residual issues. Of course, law enforcement needs to step in and take care of the idiots themselves so they do not continue to try to steal people's money.

~reed

-- Reed Loden - <reed@reedloden.com>
participants (4): Marcus H. Sachs, Paul Vixie, Reed Loden, Todd Vierling