and the list goes on and on
many different pages with different phish
seems the same technique
also for variants in .eu domain
more research coming soon
In February, 925 phishes (6% of valid phishes that month) used an IP address (e.g. http://188.8.131.52) and 15,602 (or 94%) used a domain name (e.g. http://example.com).
In PhishTank you will find one hacked subaccount after another that is being used for phishing.
altervista.org or those two IP addresses 184.108.40.206 and 220.127.116.11
The thing that always surprises me when I look at code from phished pages from banks and so on is how many times those images are loaded directly from the server of the institution itself.
I can't believe they don't have the money to buy a system that would monitor such links and alert if someone is loading images directly from their logon page. There is even quite cheap anti-leeching software that is being used by professional designers and photobanks to stop most forms of leeching.
And even with iframes you can stop these kinds of incoming connections to your page at your application defense, which I suppose you have as a bank.
You would oblige the phishers to hack into sites or to crosslink, and this would leave more traces and would make it easier to handicap those sites (by focusing on the sites where the images are hosted rather than the phished sites themselves, if those were too difficult to bring down immediately).
You can also try the other technique and hide an image in an image or on the page after the logon so that you are only alerted once you have a real phishsite or operation.
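One way to do the monitoring described above, as an added example that is not code from the original post: scan the web server's access log for image requests whose Referer is a page the bank does not own. The host names, image paths and log lines are constructed, and the Combined Log Format is an assumption about the server.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumption: the bank serves its own pages from these hosts only.
OWN_HOSTS = {"www.bank.example", "login.bank.example"}
IMAGE_EXT = (".gif", ".jpg", ".jpeg", ".png", ".svg", ".ico")

# Combined Log Format: ip ident user [time] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

def foreign_referer_host(line):
    """Return the referring host if an image was loaded from a page we do not own."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = urlsplit(m["path"]).path.lower()  # drops any ?query before the extension check
    if not path.endswith(IMAGE_EXT):
        return None
    host = (urlsplit(m["referer"]).hostname or "").lower()
    # Empty or "-" referers are common (direct loads, privacy settings): not flagged.
    if not host or host in OWN_HOSTS:
        return None
    return host

def hotlink_report(lines):
    """Count image loads per foreign referring host, most frequent first."""
    return Counter(h for h in map(foreign_referer_host, lines) if h).most_common()

# Constructed sample log lines (documentation addresses, .example names).
T = "[10/Mar/2010:10:00:00 +0000]"
SAMPLE = [
    f'203.0.113.7 - - {T} "GET /img/logo.gif HTTP/1.1" 200 2326 "https://login.bank.example/logon" "Mozilla/5.0"',
    f'198.51.100.23 - - {T} "GET /img/logo.gif HTTP/1.1" 200 2326 "http://hacked-site.example/bank/logon.html" "Mozilla/5.0"',
    f'198.51.100.40 - - {T} "GET /img/padlock.png?v=2 HTTP/1.1" 200 512 "http://hacked-site.example/bank/logon.html" "Mozilla/5.0"',
    f'192.0.2.9 - - {T} "GET /img/logo.gif HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    f'192.0.2.50 - - {T} "GET /logon HTTP/1.1" 200 9000 "http://other.example/" "Mozilla/5.0"',
    f'192.0.2.77 - - {T} "GET /img/logo.gif HTTP/1.1" 200 2326 "http://free-host.example/~user/index.htm" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, count in hotlink_report(SAMPLE):
        print(f"ALERT: {count} image load(s) referred by {host}")
```

Browsers can omit the Referer header, so a quiet report does not prove that nobody is loading the images from elsewhere.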
Another way is to let people pick several pictures from a database as double authentication. You will have to restrict access to this database to one particular login page. There is no way a phisher can have exactly the same database of pictures and symbols a bank has, especially if users can choose and upload one of, for example, 3 themselves.
This can't be the final solution, but the more difficult it becomes to set up a phish site, the better.
If we take the same phish example one step further we will see why banks and others sometimes make it simple for phishers, confusing for customers and very difficult for the IT security people around here.
So we have parted from the phishsite to the normal site of the bank of Scotland and we have arrived at
but the main site of the bank is http://www.rbs.co.uk/
and there are other links on the site (if you have a question, which you may have if you are participating in or being defrauded by a phish operation)
That is a lot of sites to keep apart without getting confused. It is also not clear that all transactions will only go through one site and through no other, if that is the case. But this would be the best scenario for tracking what is happening and who is trying to defraud your customers and you (because in most cases you will have to pay compensation).
This is on the phishsite - for example the one from smsonweb.be