phishing and nslookup versus dig

Just this morning I got a phishing email targeting USAA customers:

Dear USAA Customer,

We would like to inform you that we have released a new version of USAA Confirmation Form. This form is required to be completed by all USAA customers. Please use the button below in order to access the form:

Access USAA Confrmation Form

hank you,

USAA

And yes, it had the typical phishing spelling errors. But what was interesting to me was the link from the “Access USAA…” text, which went to http://www.usaa.com.1l1ji.com/<more stuff>. Just for grins, I did an nslookup on 1ji.com, and got back:

Non-authoritative answer:
Name:    1ji.com
Address: 216.239.36.21
Name:    1ji.com
Address: 216.239.32.21
Name:    1ji.com
Address: 216.239.34.21
Name:    1ji.com
Address: 216.239.38.21

All four of those IP addresses are for Google in Mountain View, at least according to IP2Location. But when I did a dig, I got:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12038
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;1j1.com.            IN    A

;; AUTHORITY SECTION:
1j1.com.        10800    IN    SOA    ns.dreger.de. admin.dreger.de. 2009021802 28800 7200 604800 86400

dreger.de is in Berlin, but there wasn’t much more information. Wish I understood better when there are differences between nslookup and dig. I googled a bit on “10800 IN SOA” but didn’t get any good hits.
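Two things in the output above are worth pinning down, so here is a small Python script written for this post (it is an added example, not code from the original post). First, the host in the link, www.usaa.com.1l1ji.com, is just a subdomain of 1l1ji.com; the “usaa.com” part is decoration the attacker controls. Second, the dig reply is a NODATA answer: status NOERROR with ANSWER: 0 and an SOA record in the AUTHORITY section means the name exists but had no A record at query time, which is a different thing from NXDOMAIN. Note also that the nslookup was run against 1ji.com while dig’s QUESTION section shows 1j1.com, so the two tools were not actually asked about the same name. The script parses the dig transcript quoted above (re-typed as a constant), a constructed NXDOMAIN transcript for contrast, and the link host with the elided path dropped; the “last label is the public suffix” rule is a stated simplification, and a real tool would use the Public Suffix List.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input: the link host from the post, path omitted
# because the post elides it.
PHISH_URL = "http://www.usaa.com.1l1ji.com/"

# The dig response quoted in the post, re-typed so the parser runs offline.
DIG_NODATA = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12038
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;1j1.com.            IN    A

;; AUTHORITY SECTION:
1j1.com.        10800    IN    SOA    ns.dreger.de. admin.dreger.de. 2009021802 28800 7200 604800 86400
"""

# Constructed contrast case (not from the post): a name that does not exist.
DIG_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;does-not-exist.example.            IN    A

;; AUTHORITY SECTION:
example.        3600    IN    SOA    ns.example. hostmaster.example. 1 7200 3600 1209600 3600
"""


def registrable_domain(host, suffix_labels=1):
    """Labels the registrant actually controls.
    Simplifying assumption: the public suffix is the last `suffix_labels`
    label(s) ("com" -> 1). Real tooling should use the Public Suffix List,
    since suffixes such as "co.uk" have two labels."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-(suffix_labels + 1):])


def decoy_labels(url, suffix_labels=1):
    """Split a URL's host into (decoy prefix, real domain). For the post's
    link the decoy reads "www.usaa.com" but is only a subdomain of 1l1ji.com."""
    host = urlsplit(url).hostname
    real = registrable_domain(host, suffix_labels)
    decoy = host[: -len(real)].rstrip(".")
    return decoy, real


def brand_in_decoy(url, brand, suffix_labels=1):
    """True when `brand` (e.g. "usaa.com") appears in the host as a label
    sequence but is not the registrable domain, i.e. the host is a look-alike."""
    decoy, real = decoy_labels(url, suffix_labels)
    brand = brand.lower().rstrip(".")
    return real != brand and f".{brand}." in f".{decoy}."


def classify_dig(text):
    """Name the kind of reply a dig transcript shows: NXDOMAIN (name absent),
    NODATA (NOERROR, no answer records, SOA in AUTHORITY: the name exists but
    has no record of the queried type), or ANSWER."""
    status = re.search(r"status: (\w+)", text).group(1)
    counts = {k: int(v) for k, v in re.findall(r"(ANSWER|AUTHORITY): (\d+)", text)}
    has_soa = re.search(r"\sSOA\s", text) is not None
    if status == "NXDOMAIN":
        return "NXDOMAIN"
    if status == "NOERROR" and counts.get("ANSWER", 0) == 0 and has_soa:
        return "NODATA"
    if status == "NOERROR" and counts.get("ANSWER", 0) > 0:
        return "ANSWER"
    return status


# owner  TTL  IN SOA  primary-ns  contact-mailbox  serial refresh retry expire minimum
SOA_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)"
    r"\s+(?P<serial>\d+)\s+(?P<refresh>\d+)\s+(?P<retry>\d+)\s+(?P<expire>\d+)\s+(?P<minimum>\d+)",
    re.MULTILINE,
)


def parse_soa(text):
    """Break the SOA line into named fields. In the post's line, 10800 is the
    record TTL, ns.dreger.de. the primary name server, admin.dreger.de. the
    contact mailbox (admin@dreger.de); the numbers are serial, refresh, retry,
    expire and negative-caching minimum (seconds, except the serial)."""
    m = SOA_RE.search(text)
    if m is None:
        return None
    soa = m.groupdict()
    for k in ("ttl", "serial", "refresh", "retry", "expire", "minimum"):
        soa[k] = int(soa[k])
    return soa


if __name__ == "__main__":
    print(decoy_labels(PHISH_URL), brand_in_decoy(PHISH_URL, "usaa.com"))
    print(classify_dig(DIG_NODATA), classify_dig(DIG_NXDOMAIN))
    print(parse_soa(DIG_NODATA))
```

Running it prints ('www.usaa.com', '1l1ji.com') with the brand check True, then NODATA and NXDOMAIN for the two transcripts, then the SOA fields. The practical takeaway for triage: read the host from the right, and when dig shows NOERROR with an empty answer section, ask for other record types (NS, MX) or query the SOA’s primary server directly before concluding the name is dead.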

Regardless, when I tried to visit the site to see what happened, Firefox conveniently blocked it:

FireFox Blocks Phishing Site

5 Responses to phishing and nslookup versus dig

  1. IT Dept says:

    Thanks….I just received this as well and wasn’t sure if it was phishing or not.

  2. Troy says:

    Does anyone know of the results of clicking on the link? I did accidentally – web page opened and immediately went to “page cannot be displayed.”

    Thanks

  3. kkrugler says:

    @Troy – I’d clicked through the Firefox warning alert (above), and you go to a site that looks like USAA, which has a form with a bunch of fields to fill in.

  4. elizabeth macleod says:

    Did you inform USAA of this?

  5. kkrugler says:

    @Elizabeth – yes, but they knew about it already.
