There's a fairly substantial phishing run going on at the moment, aimed at capturing Blogger or Google account credentials. The e-mails carry the subject line 'Your Blogger Account' and a brief body urging recipients to click a link to 'update' their account. Recipients who click the link land on a page that prompts them to enter their Blogger or Google credentials.
An interesting feature of the run is that the phishers seem to have mass-registered a block of domains in the '.kr', '.or.kr', '.co.kr' and '.ne.kr' spaces. The registered domains all begin with the letters 'esu', followed by a single character, and then the top-level or second-level extension. Because only that 'esu' label and its suffix are actually registered, everything to the left of it is a free-form subdomain under the phishers' control, so they can prepend 'www.google.com' or 'www.blogger.com' and the result reads like a Google hostname to a casual glance. Some examples include:
- www.google.com.esub.kr
- www.google.com.esuk.or.kr
- www.google.com.esut.co.kr
- www.blogger.com.esut.kr
- www.blogger.com.esug.or.kr
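The reason these names work on victims is that people read hostnames left to right, while DNS delegates them right to left: in 'www.google.com.esub.kr' the registered domain is 'esub.kr', and 'www.google.com' is just a subdomain the phishers chose. The following Python is an added example, not code from the original post, that does the right-to-left reading mechanically: it derives the registrable domain using a small hand-written public-suffix table (an assumption; a real filter would load the full Public Suffix List), flags hostnames that carry a brand name in the subdomain part while being registered elsewhere, and separately matches the 'esu' plus one-character pattern specific to this run. The brand list and the suffix table are constructed for the example.

```python
import re

# Constructed, minimal public-suffix table covering the registries used in
# this run plus a few common TLDs. A real deployment would load the full
# Public Suffix List (publicsuffix.org) instead of this hand-written set.
PUBLIC_SUFFIXES = {"kr", "co.kr", "or.kr", "ne.kr", "com", "net", "org"}

# Brand domains the lure hostnames imitate (taken from the examples above).
IMPERSONATED_BRANDS = {"google.com", "blogger.com"}

# Leftmost label of the domains registered for this run: 'esu' plus one char.
ESU_LABEL_RE = re.compile(r"^esu.$")


def registrable_domain(hostname: str) -> str:
    """Return the registrable (registrar-level) domain of a hostname.

    Tries the longest suffix first and takes the first one present in
    PUBLIC_SUFFIXES plus one more label, so
    'www.google.com.esuk.or.kr' -> 'esuk.or.kr', not 'or.kr' or 'google.com'.
    """
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # labels[i:] is the longest matching suffix; include one more label.
            return ".".join(labels[max(i - 1, 0):])
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[-2:])


def analyse_hostname(hostname: str) -> dict:
    """Classify a hostname against the look-alike pattern described above."""
    host = hostname.lower().rstrip(".")
    reg = registrable_domain(host)
    # Everything left of the registrable domain is attacker-chosen subdomain text.
    prefix = host[: -len(reg)].rstrip(".") if host != reg else ""
    # A brand counts only as a whole run of labels, so 'notgoogle.com' does not match.
    brand = next((b for b in IMPERSONATED_BRANDS if f".{b}." in f".{prefix}."), None)
    return {
        "hostname": host,
        "registrable_domain": reg,
        "brand_in_prefix": brand,
        # Brand name in the subdomain part while the registrable domain is
        # something else: the look-alike trick this run relies on.
        "lookalike": brand is not None and reg not in IMPERSONATED_BRANDS,
        # Campaign-specific indicator: registered label is 'esu' + one character.
        "esu_campaign": bool(ESU_LABEL_RE.match(reg.split(".")[0])),
    }


def filter_suspicious(hostnames) -> list:
    """Return the hostnames that are look-alikes or match the 'esu' pattern."""
    return [
        h for h in hostnames
        if (r := analyse_hostname(h))["lookalike"] or r["esu_campaign"]
    ]


if __name__ == "__main__":
    # Constructed sample: the five names from the post plus two legitimate
    # Google hostnames and one look-alike outside the 'esu' block.
    sample = [
        "www.google.com.esub.kr",
        "www.google.com.esuk.or.kr",
        "www.google.com.esut.co.kr",
        "www.blogger.com.esut.kr",
        "www.blogger.com.esug.or.kr",
        "www.google.com",
        "accounts.google.com",
        "www.google.com.example.net",
    ]
    for h in sample:
        r = analyse_hostname(h)
        print(f"{h:32} reg={r['registrable_domain']:14} "
              f"lookalike={r['lookalike']!s:5} esu={r['esu_campaign']}")
    print("flagged:", filter_suspicious(sample))
```

The two indicators are deliberately kept separate: the 'esu' match is a throwaway signature for this one run, while the brand-in-subdomain check keeps working when the next run registers a different block of domains.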
These domains are hosted on what appear to be botnet hosts: a DNS lookup for any of the names returns 15 or 16 IP addresses scattered across unrelated networks all over the Internet, which is consistent with fast-flux hosting on compromised machines rather than on a single server.
It isn't clear why the phishers have chosen to generate names that follow such a predictable pattern, since it makes filtering the lure messages trivial. Moreover, most of the domains used are now flagged by Google as probable phishing sites.