phishing and nslookup versus dig

Just this morning I got a phishing email targeting USAA customers:

Dear USAA Customer,

We would like to inform you that we have released a new version of USAA Confirmation Form. This form is required to be completed by all USAA customers. Please use the button below in order to access the form:

Access USAA Confrmation Form

hank you,


And yes, it had the typical phishing spelling errors. But what was interesting to me was the link from the “Access USAA…” text, which went to<more stuff>. Just for grins, I did an nslookup on, and got back:

Non-authoritative answer:

All four of those IP addresses are for Google in Mountain View, at least according to IP2Location. But when I did a dig, I got:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12038
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;            IN    A

;; AUTHORITY SECTION:
        10800    IN    SOA 2009021802 28800 7200 604800 86400

is in Berlin, but there wasn’t much more information. Wish I understood better when there are differences between nslookup and dig. I googled a bit on “10800 IN SOA” but didn’t get any good hits.
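How to read a dig reply shaped like the one quoted above, as an added example that is not part of the original post: status NOERROR with ANSWER: 0 and an SOA record in the authority section is a NODATA response, meaning the name exists but has no record of the queried type. The sample input is constructed, and the example.test names are placeholders for the values missing from the post.

```python
import re

# Constructed sample shaped like the dig reply quoted in the post. The owner
# name, MNAME and RNAME are placeholders (example.test): the post's own values
# did not survive. The numbers are the ones shown in the post.
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12038
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.example.test.        IN    A

;; AUTHORITY SECTION:
example.test.  10800  IN  SOA  ns1.example.test. hostmaster.example.test. 2009021802 28800 7200 604800 86400
"""

STATUS = re.compile(r"status: (\w+)")
ANSWERS = re.compile(r"ANSWER: (\d+)")
SOA = re.compile(
    r"^(?P<zone>\S+)[ \t]+(?P<ttl>\d+)[ \t]+IN[ \t]+SOA[ \t]+(?P<mname>\S+)[ \t]+"
    r"(?P<rname>\S+)[ \t]+(?P<serial>\d+)[ \t]+(?P<refresh>\d+)[ \t]+"
    r"(?P<retry>\d+)[ \t]+(?P<expire>\d+)[ \t]+(?P<minimum>\d+)[ \t]*$",
    re.M,
)
NUMERIC = ("ttl", "serial", "refresh", "retry", "expire", "minimum")


def classify(dig_text):
    """Classify one dig reply: ANSWER, NODATA, NXDOMAIN, EMPTY or ERROR."""
    status = STATUS.search(dig_text).group(1)
    answers = int(ANSWERS.search(dig_text).group(1))
    match = SOA.search(dig_text)
    soa = None
    if match:
        soa = {k: int(v) if k in NUMERIC else v for k, v in match.groupdict().items()}
    if status == "NXDOMAIN":
        kind = "NXDOMAIN"  # the name itself does not exist
    elif status != "NOERROR":
        kind = "ERROR"     # SERVFAIL, REFUSED, ...
    elif answers > 0:
        kind = "ANSWER"
    elif soa:
        kind = "NODATA"    # name exists, but has no record of the queried type
    else:
        kind = "EMPTY"     # e.g. a referral carrying NS records, not a negative answer
    result = {"status": status, "kind": kind, "soa": soa}
    if soa and kind in ("NODATA", "NXDOMAIN"):
        # RFC 2308: negative answers are cached for min(SOA TTL, SOA MINIMUM)
        result["negative_ttl"] = min(soa["ttl"], soa["minimum"])
    return result
```

In an SOA line the number before IN is the record's own TTL, and the five numbers after the two names are serial, refresh, retry, expire and minimum.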

Regardless, when I tried to visit the site to see what happened, Firefox conveniently blocked it:

FireFox Blocks Phishing Site

5 Responses to phishing and nslookup versus dig

  1. IT Dept says:

    Thanks….I just received this as well and wasn’t sure if it was phishing or not.

  2. Troy says:

    Does anyone know of the results of clicking on the link? I did accidentally – web page opened and immediately went to “page cannot be displayed.”


  3. kkrugler says:

    @Troy – I’d clicked through the Firefox warning alert (above), and you go to a site that looks like USAA, which has a form with a bunch of fields to fill in.

  4. elizabeth macleod says:

    Did you inform USAA of this?

  5. kkrugler says:

    @Elizabeth – yes, but they knew about it already.
