FW: Need some help: IDEAS, Inc.

Marc · September 3, 2005, 3:00pm

One of our incident handlers at the SANS Internet Storm Center has been
trying to chase down the bogus Katrina assistance web sites. Below is a
note of frustration he sent internally to us this morning. I asked if I
could cross-post over to NANOG to see if any of you could assist.

Thanks in advance!

Marc

Todd_Vierling · September 3, 2005, 4:58pm

Right now, there are two weak points to this particular house of cards.

1) The first site listed, "http://www.hurricanekatrinarelief.com" is what
drives all of the others. Each of the other sites, loads the first one in
an IFRAME. That makes it easy for the bastards to update them all. This
site is hosted by Interland. Their final word on shutting these scumballs
down until they could prove they were legitimate was:

"We have been advised by our legal department that the local authorities
should be contacted. The local authorities can submit a subpoena to our
legal department. We will be glad to comply to such a request."

ie. "We have no balls. Go away".

Or "We are aiding and abetting". But that may be a little too paranoid,
even for me.

2) All of the other sites are hosted at the IP address 206.251.184.10.

That's one of DirectNIC's domain redirectors. Which makes sense, because:

Reed_Loden · September 3, 2005, 7:04pm

Relayed to DirectNIC staff via IRC. They are dealing with it.

Instead of just dropping the redirection service and making it go to some
invalid page, they are going to redirect all the sites to the official Red
Cross site.

~reed

Marc · September 3, 2005, 10:33pm

Thanks very much Reed!!! Great solution by the way.

Marc
SANS ISC
marc@sans.org

Paul_A_Vixie4 · September 3, 2005, 11:28pm

this is NOT a good solution, since a successful phish attack in this case
would look exactly like the official red cross web site. plz put up an
informative 404 page and no pointers to any phish-worthy sites.

marc@sachsfamily.net ("Marcus H. Sachs") writes:

Reed_Loden · September 4, 2005, 1:00am

Earlier, I was informed by the DirectNIC admins that they had rethought
their solution. For now, the domains have been put on registrar hold/lock
and will not resolve to anything. This stops the problem of the scamming
without causing any residual issues.

Of course, law enforcement needs to step in and take care of the idiots
themselves so they do not continue to try to steal people's money.

~reed