Phish flood
         

<p>There's a fairly substantial phishing run going on at the moment, aimed at capturing Blogger or Google account credentials. The messages have the subject line 'Your Blogger Account' and a brief message urging recipients to click a link to 'update' their account. Recipients who click the link will be prompted to enter their Blogger or Google credentials.</p>

<p>An interesting feature of the run is that the phishers seem to have mass-registered a block of domains in the '.kr', 'or.kr', '.co.kr' and '.ne,kr' spaces. The actual domains registered all begin with the letters 'esu', followed by a single character, and then the top-level or second-level extensions. The phishers then create subdomains of those domains that are designed to look superficially like Google domains. Some examples include:</p>

<ul>
<li>www.google.com.esub.kr</li>
<li>www.google.com.esuk.or.kr</li>
<li>www.google.com.esut.co.kr </li>
<li>www.blogger.com.esut.kr</li>
<li>www.blogger.com.esug.or.kr</li>
</ul>

<p>These domains are hosted on what appear to be botnet hosts: a host lookup for any of the domains returns a list of 15 or 16 IP addresses, scattered all over the Internet.</p>

<p>It isn't clear why the phishers have chosen to generate names that follow such a predictable pattern, making filtering the abusive messages trivial. Moreover, most of the domains used are now flagged by Google as probable phishing sites.</p>
         

http://www.spamnation.info/blog/archives/2010/02/blogger-phishing-run.html