Note the “@” sign in the target URL in the mail below. Everything before the “@” is the userinfo part of the URL, not the host: the browser connects to dodif4f.mail333.com, and barclays.co.uk:ac=Plgu66G0byxP9N8fDxcC is merely a username (and password) presented to that server. The bank's name appears at the start of the URL only to mislead the reader. dodif4f.mail333.com currently resolves to a server hosted in Moscow.
Date: Sun, 26 Oct 2003 17:44:48 +0000
Subject: Barclays E-mail Verification: firstname.lastname@example.org
Dear Barclays Bank Member,
This email was sent by the Barclays server to verify your e-mail
address. You must complete this process by clicking on the link
below and entering in the small window your Barclays Membership
number, passcode and memorable word.
This is done for your protection — because some of
our members no longer have access to their email addresses and
we must verify it.
To verify your e-mail address and access your bank account,
click on the link below. If nothing happens when you click on the
link (or if you use AOL), copy and paste the link into
the address bar of your web browser.
Thank you for using Barclays!
This automatic email sent to: email@example.com
Do not reply to this email.
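The following is an added example, not part of the original article, showing how the “@” trick parses. The URL is reconstructed from the pieces quoted above (the fake “username” barclays.co.uk:ac=Plgu66G0byxP9N8fDxcC and the real host dodif4f.mail333.com); the http scheme and the “/” path are assumptions, as the mail's full link is not reproduced here. Python's urllib.parse splits the network location at the last “@”, exactly as a browser does, so the hostname it returns is the server that will actually be contacted.

```python
from urllib.parse import urlsplit

# Reconstructed from the quoted phishing mail; scheme and path are assumed.
PHISH_URL = "http://barclays.co.uk:ac=Plgu66G0byxP9N8fDxcC@dodif4f.mail333.com/"


def split_target(url):
    """Return (connect_host, port, userinfo) the way a browser resolves them.

    The host is whatever follows the LAST '@' in the authority part; anything
    before it is userinfo (username[:password]) and never influences DNS.
    """
    parts = urlsplit(url)
    userinfo = None
    if "@" in parts.netloc:
        userinfo = parts.netloc.rpartition("@")[0]
    return parts.hostname, parts.port, userinfo


def userinfo_spoof(url, brand_domains):
    """True when a trusted brand name is smuggled into userinfo while the
    real host is outside that brand's domain (the pattern in the mail)."""
    host, _port, userinfo = split_target(url)
    if host is None or userinfo is None:
        return False
    userinfo = userinfo.lower()
    for domain in brand_domains:
        domain = domain.lower()
        mentions_brand = domain in userinfo
        host_is_brand = host == domain or host.endswith("." + domain)
        if mentions_brand and not host_is_brand:
            return True
    return False


if __name__ == "__main__":
    host, port, userinfo = split_target(PHISH_URL)
    print("connects to:", host, "port:", port)
    print("userinfo sent to that server:", userinfo)
    print("spoof?", userinfo_spoof(PHISH_URL, ["barclays.co.uk"]))
```

A mail gateway or link checker can run userinfo_spoof over every URL it extracts; a genuine bank link never needs to carry the bank's own domain as a username. Note that the check is deliberately conservative: credentials in front of a host that really is under the brand's domain are left alone.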
The hosting location of sites involved in financial scams varies considerably. It is quite common to find carding and phishing sites hosted in the former Iron Curtain countries. However, it is also common for fraudsters to rent dedicated servers at well-known US hosting locations using stolen credit cards, run a scam until the server is detected and shut down, and then start again with a new dedicated server in another location. Recently, Brian McWilliams described a scenario in which very large numbers of Windows machines are used as a black-economy caching system for criminal sites, to mask the location of the ultimate server.
Dedicated server companies are usually prompt in taking servers offline as soon as a report of this type is received, but connectivity providers seem either less willing to deny routing to hosting locations that harbour fraud operations, or perhaps receive less information about the problem. Telia, the leading Swedish telco, is still providing routing for the Russian hosting location of the fraudulent site over a week after the attack started.
% traceroute dodif4f.mail333.com
traceroute to hosting.mail333.com (188.8.131.52), 64 hops max, 44 byte packets
1 treenwood (184.108.40.206) 2.105 ms 3.277 ms 3.133 ms
2 a4-1-0.287.ac-4.msl.as5388.net (220.127.116.11)
3 ge1-0.5.pbr-1.msl.as5388.net (18.104.22.168)
4 22.214.171.124 (126.96.36.199)
5 London-i2.telia.net (188.8.131.52)
6 ldn-bb2-pos5-2-0.telia.net (184.108.40.206)
7 kbn-bb2-pos3-1-0.telia.net (220.127.116.11)
8 s-bb2-pos7-0-0.telia.net (18.104.22.168)
9 s-b3-pos4-0.telia.net (22.214.171.124)
10 mtu-intel2-100352-s-b3.c.telia.net (126.96.36.199)
11 M9-FeX.core.mtu.ru (188.8.131.52)
12 Rbk-m9-MTUInform-GW.mtu.ru (184.108.40.206)
Through the content Netcraft retrieves during the Web Server Survey, Netcraft can alert banks to domain names or page content that may form part of attempts to deceive their customers, and, through our application testing services, can audit banks' own web applications for design errors and erroneous functionality.