Massive Russian phishing/malware attack from John Terry?
10-08-2010, 06:27 AM
Junior Talker

Posts: 3
Name: Aron
Trades: 0
Hello all! I hope this might be a suitable forum for this kind of problem.

Yesterday night, my company (Tailor Store) was alerted by a clever non-customer that she suspected a phishing attack. She was not a customer of ours, but had still received an e-mail which seemed to come from us.

The e-mail was written entirely in Swedish and was a byte-for-byte copy of one of our old newsletters, directed at our Swedish market, but with the links changed to a Belgian server (from www.yourmailinglistprovider.com). According to the e-mail headers, the e-mail was sent following all the legitimate rules of this mailing service, but not from our usual sender. It was sent from marketing@tailoronlinestore.com. The IP address behind the web server at tailoronlinestore dot com originates in Russia, runs the Russian web server software nginx, and the domain itself is registered at nic.ru. The domain was registered on the 27th of September.

A whois search names John Terry, 1729 Park Way, London, H38LA92, GB at phone +1 800 3892039 (US free-of-charge number I believe?) and dit4free@yahoo.com as the man behind this site. What?? We thought? The captain of the English national squad?! With an American phone and an anonymous e-mail from Yahoo?

Upon searching more on this John Terry, 1729 Park Way, it seems he has also registered domains related to Adobe PDF Reader and Skype (a Swedish IP telephony firm) during the last week and dispatched loads of e-mails using this yourmailinglistprovider. In these cases the links go to the Russian servers, where you are prompted to accept a download of a Windows exe file.

However, in the attack targeted at us, the links do a plain HTTP 302 redirect to our Swedish domain (www.tailorstore.se). Also, the Russian server does just the same, a simple HTTP 302 redirect to our Swedish site. No download prompt at all. We have tried multiple spoofed User-Agent strings with known vulnerabilities (IE 6 and IE 7's), but it is the same result.

As this Russian John Terry lookalike copied our newsletter word for word, all images are loaded from our server, and in our access logs we can tell that during the last two days this old newsletter has been "read" at least 1800 times. (We have 1800 requests for the e-mail heading image; of course a lot of e-mail clients don't load images by default, so we can't tell the exact figure.)

I guess there is pretty much nothing we can do about this attack, except maybe press charges. Though we're not entirely optimistic about the Russian authorities' ability to deal with such a case anyway. But I still thought I should share this with the world. Maybe someone has an opinion on matters that will help us or someone else. Has anyone noticed other sites being attacked by this John Terry? (It could be in our interest to contact these for a joint defense.)
Hrafnahnef is offline
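The "read at least 1800 times" figure above comes from counting requests for the newsletter's heading image in the web server access log. The script below is an added example (not Tailor Store's own tooling) that does that count per day with unique client IPs, so a defender can size a campaign that reuses their hosted images; the log lines and the image path /newsletters/2010-03/header.jpg are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Hypothetical path of the heading image embedded in the copied newsletter.
BEACON_PATH = "/newsletters/2010-03/header.jpg"

# Constructed sample log lines (documentation IP ranges), not real server logs.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Oct/2010:08:12:01 +0200] "GET /newsletters/2010-03/header.jpg HTTP/1.1" 200 18233 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
203.0.113.7 - - [06/Oct/2010:08:12:02 +0200] "GET /css/site.css HTTP/1.1" 200 2311 "http://www.tailorstore.se/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
198.51.100.23 - - [06/Oct/2010:09:40:15 +0200] "GET /newsletters/2010-03/header.jpg HTTP/1.1" 200 18233 "-" "Thunderbird/3.1"
198.51.100.23 - - [07/Oct/2010:10:01:44 +0200] "GET /newsletters/2010-03/header.jpg HTTP/1.1" 200 18233 "-" "Thunderbird/3.1"
192.0.2.9 - - [07/Oct/2010:11:22:03 +0200] "GET /newsletters/2010-03/header.jpg HTTP/1.1" 304 0 "-" "Outlook Express 6"
"""

def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Keep only the calendar day so hits can be bucketed per day.
    rec["day"] = datetime.strptime(rec["ts"].split()[0], "%d/%b/%Y:%H:%M:%S").date().isoformat()
    return rec

def beacon_stats(log_text, path=BEACON_PATH):
    """Per-day request count and number of distinct client IPs for the newsletter image.

    A 304 (Not Modified) still means a mail client rendered the message, so it is counted.
    """
    per_day = Counter()
    ips_per_day = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "GET" and rec["path"] == path:
            per_day[rec["day"]] += 1
            ips_per_day[rec["day"]].add(rec["ip"])
    return {day: {"requests": per_day[day], "unique_ips": len(ips_per_day[day])}
            for day in sorted(per_day)}

if __name__ == "__main__":
    for day, stats in beacon_stats(SAMPLE_LOG).items():
        print(day, stats)
```

Comparing the unique-IP count against the known subscriber list for the original newsletter separates genuine re-reads from recipients of the copied mail.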
10-15-2010, 01:33 AM Re: Massive Russian phishing/malware attack from John Terry?
Junior Talker

Posts: 1
Name: Charles
Trades: 0
Just that I was mailed by them this morning. The mail looks like this:
ADOBE PDF READER SOFTWARE UPGRADE NOTIFICATION

This is to remind that a new version of Adobe Acrobat Reader with enhanced features for viewing, creating, editing, printing and internet-sharing PDF documents has been released.

To upgrade your application:

+ Go to http://www.adobe-pdf-software.com
+ Get your options, download and upgrade.

Thanks and best regards,
John Brian
Adobe Acrobat Reader Support

Copy rights Adobe 2010 © All rights reserved
1125 Marrinbird Rd | Merryton | CA | 96223 | USA

Unsubscribe from this mailing list
A few things about the mail were suspicious to me, but the whois really gave it all away.
Domain name: ADOBE-PDF-SOFTWARE.COM
Name Server: ns3.nic.ru
Name Server: ns4.nic.ru
Name Server: ns8.nic.ru
Creation Date: 2010.10.10
Expiration Date: 2011.10.10

Status: DELEGATED

Registrant ID: ZA5XXWT-RU
Registrant Name: John Terry
Registrant Organization: John Terry
Registrant Street1: 1729 Park Way
Registrant City: London
Registrant Postal Code: H38LA92
Registrant Country: GB

Administrative, Technical Contact
Contact ID: ZA5XXWT-RU
Contact Name: John Terry
Contact Organization: John Terry
Contact Street1: 1729 Park Way
Contact City: London
Contact Postal Code: H38LA92
Contact Country: GB
Contact Phone: +1 800 3892039
Contact E-mail: dit4free@yahoo.com

Registrar: Regional Network Information Center, JSC dba RU-CENTER
chukaman is offline
10-16-2010, 09:45 AM Re: Massive Russian phishing/malware attack from John Terry?
Junior Talker

Posts: 1
Name: Ian
Trades: 0
I received the Adobe Upgrade email this morning.
I suspect the whois address is non-existent. Certainly the postal code is invalid (also incorrect construction for the UK).
IanMK13 is offline
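The whois record Charles posted and Ian's observation about the postcode amount to a short triage checklist for a lookalike domain. As an added example (not from any poster in the thread), the code below parses the "Key: Value" whois layout shown above and applies those checks: registration date close to the date the mail was seen, a registrant postcode that does not match the UK format, a phone country code that disagrees with the registrant country, and a contact address at a free webmail provider. The abbreviated record, the webmail list and the dialing-code table are constructed for the example.

```python
import re
from datetime import date

# Abbreviated copy of the whois layout quoted in the thread (constructed for this example).
WHOIS_TEXT = """\
Domain name: ADOBE-PDF-SOFTWARE.COM
Name Server: ns3.nic.ru
Name Server: ns4.nic.ru
Creation Date: 2010.10.10
Expiration Date: 2011.10.10
Registrant Name: John Terry
Registrant Country: GB
Registrant Postal Code: H38LA92
Contact Phone: +1 800 3892039
Contact E-mail: dit4free@yahoo.com
"""

# Outward code (1-2 letters, digit, optional letter/digit), optional space, inward code (digit + 2 letters).
UK_POSTCODE = re.compile(r"^[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}$")
FREE_MAIL = {"yahoo.com", "gmail.com", "hotmail.com"}   # assumed, illustrative list
COUNTRY_DIAL = {"GB": "+44", "US": "+1"}                # assumed, partial table

def parse_whois(text):
    """Turn 'Key: Value' lines into a dict; the first occurrence of a repeated key wins."""
    rec = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            rec.setdefault(key.strip(), value.strip())
    return rec

def triage(rec, seen_on, fresh_days=30):
    """Return the list of red flags found in a parsed whois record."""
    flags = []
    created = date(*map(int, rec["Creation Date"].split(".")))   # format 'YYYY.MM.DD' as quoted
    age = (seen_on - created).days
    if age < fresh_days:
        flags.append("domain registered only %d days before the mail was seen" % age)
    country = rec.get("Registrant Country", "")
    if country == "GB" and not UK_POSTCODE.match(rec.get("Registrant Postal Code", "")):
        flags.append("postal code is not a valid UK format")
    phone = rec.get("Contact Phone", "")
    if country in COUNTRY_DIAL and not phone.startswith(COUNTRY_DIAL[country]):
        flags.append("phone country code does not match registrant country")
    domain = rec.get("Contact E-mail", "").rsplit("@", 1)[-1].lower()
    if domain in FREE_MAIL:
        flags.append("contact e-mail is at a free webmail provider")
    return flags

if __name__ == "__main__":
    for flag in triage(parse_whois(WHOIS_TEXT), date(2010, 10, 15)):
        print("-", flag)
```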
10-20-2010, 06:25 PM Re: Massive Russian phishing/malware attack from John Terry?
Junior Talker

Posts: 1
Trades: 0
Hello guys,
I recommend you contact the support team at nic.ru and ask them to stop delegating the dangerous domains. nic.ru is one of the old domain registrars in Russia; they care about their reputation, so I think they should react properly.
Leo SQP is offline