Note the “@” sign in the target url in the mail below, which means that the server is dodif4f.mail333.com, and that barclays.co.uk:ac=Plgu66G0byxP9N8fDxcC is a username known to that server. dodif4f.mail333.com currently resolves to a server hosted in Moscow.

Date: Sun, 26 Oct 2003 17:44:48 +0000

Subject: Barclays E-mail Verification: vlee@netcraft.co.uk

To: Vlee 

Reply-To: Verification 

Sender: Verification 

Dear Barclays Bank Member,

This email was sent by the Barclays server to verify your e-mail

address. You must complete this process by clicking on the link

below and entering in the small window your Barclays Membership

number, passcode and memorable word.

This is done for your protection — because some of

our members no longer have access to their email addresses and

we must verify it.

To verify your e-mail address and access your bank account,

click on the link below. If nothing happens when you click on the

link (or if you use AOL), copy and paste the link into

the address bar of your web browser.

http://barclays.co.uk:ac=Plgu66G0byxP9N8fDxcC@dodif4f.mail333.com/?Kjd17eKiBorrKIW

——————————————–

Thank you for using Barclays!

——————————————–

This automatic email sent to: vlee@netcraft.co.uk

Do not reply to this email.

The hosting location of sites involved in financial scams varies considerably. It it is quite common to find carding and phishing sites hosted in the former Iron curtain countries. However, it is also common for fraudsters to rent dedicated servers at well known US hosting locations using stolen credit cards, run ascam until the server is detected and shut down, and then start again with a new dedicated server in another location. Recently, Brian McWilliams described a scenario whereby very large numbers of Windows machines are used as a black economy caching system for criminal sites, to mask the destination of the ultimate server.

Dedicated server companies are usually prompt in taking servers offline as soon as a report of this type is received, but connectivity providers either seem less willing to deny routing to hosting locations hosting fraud operations, or perhaps receive less information about the problems. Telia, the leading Swedish telco is still providing routing for the Russian hosting location of the fraudulent site over a week after the attack started.

% traceroute dodif4f.mail333.com

traceroute to hosting.mail333.com (80.68.244.65), 64 hops max, 44 byte packets

1  treenwood (195.92.95.1)  2.105 ms  3.277 ms  3.133 ms

2  a4-1-0.287.ac-4.msl.as5388.net (195.92.79.213)

3  ge1-0.5.pbr-1.msl.as5388.net (195.92.196.5)

4  195.92.55.141 (195.92.55.141)

5  London-i2.telia.net (195.66.224.48)

6  ldn-bb2-pos5-2-0.telia.net (213.248.65.101)

7  kbn-bb2-pos3-1-0.telia.net (213.248.64.133)

8  s-bb2-pos7-0-0.telia.net (213.248.65.30)

9  s-b3-pos4-0.telia.net (213.248.66.10)

10  mtu-intel2-100352-s-b3.c.telia.net (213.248.101.62)

11  M9-FeX.core.mtu.ru (195.34.53.26)

12  Rbk-m9-MTUInform-GW.mtu.ru (195.34.36.14)

Through the content Netcraft retrieves during the Web Server Survey, Netcraft can alert banks to domain names or page content that may form part of attempts to deceive, and through our application testing services, can audit banks own web applications for design errors and erroneous functionality.