[SGVLUG] Social engineering done right...

Erik Espinoza erik.espinoza at gmail.com
Thu Mar 16 10:50:49 PST 2006


> The link went to a ".org" site, which (at one point in the past...) was
> a bit more difficult to get unless you could reasonably "prove" you
> weren't a commercial venture (though, come to think of it, we got

I got a .org in the mid nineties without having to prove anything.
Perhaps really early on .org required proof, but I don't recall it.

> Nslookups show that "www" goes to 64.151.106.92, while "www2" goes to
> 64.151.106.108 (and reports itself as "aloha.postcards.org") -- while
> this is a class-A network, it is possible that an ISP has sublet these,
> but even still -- 92 & 108 are relatively close, almost too close to
> support the claim that "postcards.org" has no control over the evil
> clone site.  It sounds like the folks that run postcards.org could use a
> security guru to lock down the errant server...

Class A networks don't really exist for all but major ISPs, with the
advent of CIDR. This is part of a partial Class B assigned to
ServePath:

NetRange:   64.151.64.0 - 64.151.127.255
CIDR:       64.151.64.0/18
Comment:    http://www.servepath.com/

Seems to me that there are probably three possibilities, in order of
probability:

1) The owner of postcards.org is doing this scam
2) The system that hosts postcards.org is compromised and someone
thought it'd be a good way to scam people
3) An insider @ ServePath configured the domain/system this way with
or without permission.

The only way to know for sure would be to trace who's getting paid
from the spyware.

Erik
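
An added example, not part of the original message: a check of the addressing points in this thread using Python's standard ipaddress module. It takes the two addresses and the whois NetRange quoted above and reports the pre-CIDR class of the first octet, the CIDR block the NetRange collapses to, and the smallest block that holds both hosts. The function names are made up for this illustration.

```python
import ipaddress

# Values quoted in the thread above.
WWW = ipaddress.ip_address("64.151.106.92")
WWW2 = ipaddress.ip_address("64.151.106.108")
NETRANGE = ("64.151.64.0", "64.151.127.255")


def legacy_class(addr):
    """Pre-CIDR class, decided only by the first octet."""
    first = int(addr) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    return "D/E"


def range_to_cidrs(first, last):
    """Collapse a whois NetRange into the CIDR blocks that cover it exactly."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def smallest_common_block(a, b):
    """Longest-prefix IPv4 block that contains both addresses."""
    prefix = 32 - (int(a) ^ int(b)).bit_length()
    base = (int(a) >> (32 - prefix)) << (32 - prefix)
    return ipaddress.ip_network((base, prefix))


def summarize(a, b, netrange):
    blocks = range_to_cidrs(*netrange)
    return {
        "legacy_class": legacy_class(a),
        "allocation": [str(n) for n in blocks],
        "both_in_allocation": any(a in n and b in n for n in blocks),
        "allocation_size": sum(n.num_addresses for n in blocks),
        "common_block": str(smallest_common_block(a, b)),
        "distance": abs(int(a) - int(b)),
    }


if __name__ == "__main__":
    for key, value in summarize(WWW, WWW2, NETRANGE).items():
        print(f"{key}: {value}")
```

Sharing a small block says the two hosts sit in the same provider allocation; it does not by itself say who administers either machine.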

