Massive Russian phishing/malware attack from John Terry?

Hello all! I hope this might be a suitable forum for this kind of problem.

Yesterday night, my company (Tailor Store) was alerted by a clever non-customer that she suspected a phishing attack. She was not a customer of ours, but had still received an e-mail which seemed to come from us.

The e-mail was written entirely in Swedish and was a byte-for-byte copy of one of our old newsletters, directed at our Swedish market, but with the links changed to a Belgian server (from www.yourmailinglistprovider.com). The e-mail is sent according to all legitimate rules from this mailing service according to the e-mail headers, but not from our usual sender. It was sent from marketing@tailoronlinestore.com. The IP address behind the web server at tailoronlinestore dot com originates in Russia, runs the Russian web server software nginx, and the domain itself is registered at nic.ru. The domain was registered on the 27th of September.

A whois search names John Terry, 1729 Park Way, London, H38LA92, GB at phone +1 800 3892039 (US free-of-charge number I believe?) and dit4free@yahoo.com as the man behind this site. What?? we thought. The captain of the English national squad?! With an American phone and an anonymous e-mail from Yahoo? :rolleyes:

Upon searching more on this John Terry, 1729 Park Way, it seems he has also registered domains related to Adobe PDF Reader and Skype (a Swedish IP telephony firm) during the last week and dispatched loads of e-mails using this yourmailinglistprovider. In these cases the links go to the Russian servers, where you are prompted to accept a download of a Windows exe file.

However, in the attack targeted at us, the links do a plain HTTP 302 redirect to our Swedish domain (www.tailorstore.se). Also, the Russian server does just the same, a simple HTTP 302 redirect to our Swedish site. No download prompt at all. We have tried multiple spoofed User Agent strings with known vulnerabilities (IE 6 and IE 7's), but it is the same result.

As this Russian John Terry-lookalike copied our newsletter word by word, all images are loaded from our server, and in our access logs we can tell that during the last two days this old newsletter has been "read" at least 1800 times. (We have 1800 requests for the e-mail heading image; of course a lot of e-mail clients don't load images by default, so we can't tell the exact figure.)

I guess there is pretty much nothing we can do about this attack, except maybe press charges. Though we're not entirely optimistic over the Russian authorities' ability to deal with such a case anyway. But I still thought I should share this with the world. Maybe someone has an opinion on matters that will help us or someone else. Has anyone noticed other sites being attacked by this John Terry? (It could be in our interest to contact these for a joint defense.)
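The poster estimates the campaign's reach from requests for the newsletter's header image in their own web server access logs. The following is an added example (not from the post or from Tailor Store) of that kind of measurement: it parses log lines in the common "combined" format (an assumption about the server configuration), counts hits on a given image path per day and per distinct client IP, and separates requests with no Referer (typical of an e-mail client rendering the message) from those with one (typical of a browser viewing the newsletter on the site). The log lines and the image path are constructed sample data.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format (assumption about the server setup).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines; IPs are documentation ranges, not real clients.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Sep/2009:08:01:12 +0200] "GET /img/newsletter/header.jpg HTTP/1.1" 200 18233 "-" "Microsoft Office Outlook 12.0"
203.0.113.7 - - [28/Sep/2009:08:03:40 +0200] "GET /img/newsletter/header.jpg HTTP/1.1" 200 18233 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Thunderbird/2.0"
198.51.100.9 - - [28/Sep/2009:09:15:02 +0200] "GET /index.html HTTP/1.1" 200 5120 "http://www.tailorstore.se/" "Mozilla/5.0"
203.0.113.5 - - [29/Sep/2009:10:22:18 +0200] "GET /img/newsletter/header.jpg HTTP/1.1" 200 18233 "-" "Microsoft Office Outlook 12.0"
192.0.2.44 - - [29/Sep/2009:11:47:55 +0200] "GET /img/newsletter/header.jpg HTTP/1.1" 200 18233 "http://www.tailorstore.se/newsletter/2008-05" "Mozilla/5.0"
"""

def image_hits(log_text, image_path):
    """Per-day statistics for requests to image_path.

    Returns {day: {"hits": n, "unique_ips": k, "no_referer": m}} where
    no_referer counts requests whose Referer was "-" (e-mail client loads).
    """
    stats = defaultdict(lambda: {"hits": 0, "ips": set(), "no_referer": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("path") != image_path:
            continue  # unparsable line or a request for something else
        day = m.group("ts").split(":", 1)[0]  # "28/Sep/2009:08:01:12 +0200" -> "28/Sep/2009"
        d = stats[day]
        d["hits"] += 1
        d["ips"].add(m.group("ip"))
        if m.group("referer") == "-":
            d["no_referer"] += 1
    return {
        day: {"hits": d["hits"], "unique_ips": len(d["ips"]), "no_referer": d["no_referer"]}
        for day, d in stats.items()
    }

if __name__ == "__main__":
    for day, d in sorted(image_hits(SAMPLE_LOG, "/img/newsletter/header.jpg").items()):
        print(day, d)
```

Unique client IPs give a lower bound on recipients who opened the mail with images enabled; as the post notes, clients that block remote images leave no trace at all, so the true reach is higher.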

View full post on Webmaster-Talk.com
