Recent .uk phishing activity
Recently we have seen a marked increase in the number of .uk domain names being used for phishing purposes. One phishing syndicate seems to be particularly prolific. They register 40-60 domains at a time to run phishing sites.
Real individuals with genuine addresses were listed as the registrant and administrative contact. Based on past activity, it would appear that the registrant listed is the victim of identity theft.
Please make sure you have malware protection installed before you investigate one of these sites. These are highly sophisticated phishing sites, and some have been known to have malware embedded in them.
They are targeting more than just banking information. For example, we have seen them phish for accounts of a well-known online auction service. They set up a site that checked in with this auction service to ensure the victim had entered a valid username and password. If a valid username and password were entered, the site would log the victim into the real auction service. The phishing victim would have no idea that they had not visited a legitimate log-in page for the online auction service.
They do not target domains with keywords that you may expect to see with phishing. Here is a sample list of domains that have been used:
The only pattern we have been able to identify to help you establish whether this group is attempting to register a domain with your company is the IP addresses behind the name servers. During registration, they will provide their own name server to host the domain on. The host name used will be random, but the host will resolve to one of the following four IP addresses:
81.16.131.40
88.16.131.40
200.72.139.67
202.44.71.149
We have been advised that these IP addresses will eventually change, but may be used for up to 3 months.
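One way a registrar could automate the name-server check described above, as an added example that is not code from the original post. The function names, the `glue` request field and the `.example` host names are assumptions; checking registrant-supplied glue addresses as well as live DNS goes slightly beyond what the post describes.

```python
import ipaddress
import socket

# Name-server addresses listed in the post above.
FLAGGED_NS_IPS = frozenset(
    ipaddress.ip_address(a)
    for a in ("81.16.131.40", "88.16.131.40", "200.72.139.67", "202.44.71.149")
)


def _norm(host):
    """Lower-case a host name and drop the trailing root dot."""
    return host.rstrip(".").lower()


def resolve_a(host):
    """Live lookup: IPv4 addresses the host resolves to right now."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def screen_registration(domain, nameservers, glue=None, resolver=resolve_a):
    """Return a hold/allow decision for one registration request.

    glue (assumed request field): {ns_host: [ip, ...]} as submitted by the
    registrant. It is checked too, because a name server inside the new
    domain cannot be resolved until the domain is delegated.
    """
    glue = {_norm(h): ips for h, ips in (glue or {}).items()}
    hits = set()
    for ns in nameservers:
        host = _norm(ns)
        for raw in set(resolver(host)) | set(glue.get(host, [])):
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                continue  # malformed address in the request; ignore it
            if ip in FLAGGED_NS_IPS:
                hits.add((host, str(ip)))
    return {"domain": domain, "hold_for_review": bool(hits), "hits": sorted(hits)}


if __name__ == "__main__":
    # Constructed request: host names and the 192.0.2.x address are made up.
    fake_dns = {"ns1.qzxv7.example": ["88.16.131.40"], "ns2.qzxv7.example": ["192.0.2.10"]}
    print(screen_registration("newshop.example", ["NS1.qzxv7.example.", "ns2.qzxv7.example"],
                              resolver=lambda h: fake_dns.get(h, [])))
```

Because the addresses are expected to change, the flagged set should be loaded from a list that is kept current rather than left hard-coded.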
