CartaSi: cannot shut down those phish web sites

efa · **Joined:** Wed May 02, 2007 8:59 pm **Posts:** 1055

I cannot shut down those phishing web sites:
hxxp://210.196.146.170/manual/.cartasi/index.htm
hxxp://josephpolansky.com/index.htm
hxxp://masmediauk.com/Joomla/administra ... t28th2003/
hxxp://www.starnaweb.com.br/lojas/08/nCartasi.php

are the phish web site of italian credit card cartasi.it

meep · **Joined:** Thu Apr 05, 2007 4:10 pm **Posts:** 2777

Update:

2 are down now. These below were reported as of 4/29/09 7 pm

hxxp://josephpolansky.com/index.htm
hxxp://www.starnaweb.com.br/lojas/08/nCartasi.php

josephpolansky.com/index.htm
IP: 72.41.199.74

joepolansky [at] yahoo
[email protected]

starnaweb.com.br/lojas/08/nCartasi.php
208.43.100.26
[email protected]

meep · **Joined:** Thu Apr 05, 2007 4:10 pm **Posts:** 2777

Nice, all 404ed or "gone to Atlanta" as an obscurist would say.

efa · **Joined:** Wed May 02, 2007 8:59 pm **Posts:** 1055

this Kuwait one have no abuse contact, and no NIC for Kuwait.
How do proceed?

hxxp://94.128.2.172/titolari/cartasi/it ... /bonus/pt/

meep · **Joined:** Thu Apr 05, 2007 4:10 pm **Posts:** 2777

best I can find is:

ahozayen.c [at] stc.com.sa

Emailing to see if they will take down.

Code:

inetnum: 94.128.0.0 - 94.128.127.255
netname: GPRS_NETWORK
descr: 3G allocation , VAS allocation , 2G allocation
country: KW
admin-c: AH2832-RIPE
tech-c: AH2832-RIPE
status: ASSIGNED PA
mnt-by: MNT-AS2306
changed: [email protected] 20080706
source: RIPE

I also am locating an upstream provider through a tracert, below is a partial one

Code:

 10  [ 192.205.34.158]  192.205.34.158  8 ms  
 11  [     64.86.9.18]  if-11-0-0.core3.AEQ-Ashburn.as6453.net  27 ms  
 12  [195.219.195.153]  if-11-0-0-903.mcore3.LDN-London.as6453.net  159 ms  
 13  [ 195.219.195.14]  if-4-0.core2.LDN-London.as6453.net  107 ms  
 14  [  195.219.189.6]  ix-8-1.core2.LDN-London.as6453.net  250 ms  
 15  [  78.159.161.10]  tec-sw-ace-Vl200-x-tec-kdc.fastteleco.net  251 ms  
 16  [     94.128.3.2]  94.128.3.2  251 ms  
 17  [    94.128.3.18]  94.128.3.18  250 ms  
 18  [   94.128.2.133]  94.128.2.133  252 ms  
 19  [   94.128.2.172]  94.128.2.172  251 ms  

So from this I got these 2 emails:
abuse [at] oversee.net
abuse [at] as6453.net

meep · **Joined:** Thu Apr 05, 2007 4:10 pm **Posts:** 2777

Oversee.net responded on 6/8/09 and confirmed it was offline

Code:

[oversee.net #47132] Resolved: [PHISHING SITE] 94.128.2.172 - Cartasi Bank - URG... 

efa · **Joined:** Wed May 02, 2007 8:59 pm **Posts:** 1055

thanks!

efa · **Joined:** Wed May 02, 2007 8:59 pm **Posts:** 1055

another one registered by tucows that do nothing ...
hxxp://s8625c.com/titolari.cartasi.it/
domain registered uniquely for phishing on 04-Sep-2009

AlphaCentauri · **Joined:** Thu Mar 01, 2007 3:01 am **Posts:** 5915

Where is CartaSi while all this is going on? It seems like you are single-handedly fighting this battle, when they have the most to lose.

Knujon needs to come out with a top ten list of most "spoofable" targets, naming and shaming the companies that do the least to get spoofed sites shut down. CartaSi and Paypal would belong on a list like that from what I can see.

meep · **Joined:** Thu Apr 05, 2007 4:10 pm **Posts:** 2777

s8625c.com [217.73.236.40]

Code:

inetnum: 217.73.232.0 - 217.73.239.255
netname: ALICOM
descr: Alicom S.r.l. Network
country: IT
admin-c: ON232-RIPE
tech-c: ON232-RIPE
status: ASSIGNED PA
notify: [email protected]
mnt-by: ALICOM-MNT
changed: [email protected] 20041029
source: RIPE

s8625c.com is clearly a fraudulent domain that should have been shutdown.

I remember Tucows does shutdown domains, but they would change their contact email addresses. Honestly, I haven't reported fraud domains to them in a while, so please tell us, which Tucows email contact address are you using?

Code:

   Domain Name: S8625C.COM
   Registrar: TUCOWS INC.
   Whois Server: whois.tucows.com
   Referral URL: http://domainhelp.opensrs.net
   Name Server: NS7W.TOL.IT
   Name Server: NS8W.TOL.IT
   Status: clientTransferProhibited
   Status: clientUpdateProhibited
   Updated Date: 04-sep-2009
   Creation Date: 04-sep-2009
   Expiration Date: 04-sep-2010

If Tucows isn't responsive, how about the people who run the nameserver?
Contact Page on website: http://www.tol.it/contatti.php

Code:

Domain:             tol.it
Status:             ACTIVE
Created:            1998-11-13 00:00:00
Last Update:        2009-06-26 00:02:22
Expire Date:        2010-06-10

Registrant
  Name:             Alicom srl
  ContactID:        ALIC25-ITNIC
  Address:          Via Pietro Nenni 294
                    San Giovanni Teatino
                    66020
                    CH
                    IT
  Created:          2007-03-01 10:34:40
  Last Update:      2008-06-26 17:50:02

Admin Contact
  Name:             Omero Narducci
  ContactID:        ON60-ITNIC
  Address:          Via Pietro Nenni 294
                    San Giovanni Teatino
                    66020
                    CH
                    IT
  Created:          2004-06-09 00:00:00
  Last Update:      2007-03-01 07:39:03

Technical Contacts
  Name:             Alicom Domain Registration Staff
  ContactID:        ADRS1-ITNIC
  Address:          VIA P. NENNI, 294
                    San Giovanni Teatino
                    66020
                    CH
                    IT
  Created:          2007-02-16 00:00:00
  Last Update:      2009-09-03 15:04:49

  Name:             Alicom Technical Management Staff
  ContactID:        ATMS1-ITNIC
  Organization:     Alicom s.r.l.
  Address:          VIA P. NENNI, 294
                    Sambuceto
                    66020
                    CH
                    IT
  Created:          2005-03-04 00:00:00
  Last Update:      2009-08-24 15:29:55

Registrar
  Organization:     Alicom s.r.l.
  Name:             ALICOM-MNT

Nameservers
  dns.tol.it
  dns2.tol.it

efa · **Joined:** Wed May 02, 2007 8:59 pm **Posts:** 1055

I wrote to:
[email protected]
[email protected]
two times, on 14/9 and yesterday, no action

efa · **Joined:** Wed May 02, 2007 8:59 pm **Posts:** 1055

AlphaCentauri wrote:

Where is CartaSi while all this is going on? It seems like you are single-handedly fighting this battle, when they have the most to lose.

I do not know why I got so much cartasi phish email, but my mission becomed to shut all down ;-)

)

spamislame · **Joined:** Tue May 09, 2006 9:18 am **Posts:** 5022

When I visit s8625c.com I get a "Domain Default Page", not a phishing website.

?

SiL

meep · **Joined:** Thu Apr 05, 2007 4:10 pm **Posts:** 2777

Hi efa,

I will try my contacts at TuCows. Obviously someone is asleep over there.

Hey, SiL

That phish is still active on the subdir

hxxp://s8625c.com/titolari.cartasi.it/

Code:

--- 09/18/09 12:07:45 Eastern Daylight Time
--- reading URL s8625c.com/titolari.cartasi.it/
--- contacting host s8625c.com [217.73.236.40] on port 80

HTTP/1.1 200 OK
Content-Length: 38501
Content-Type: text/html
Content-Location: http://s8625c.com/titolari.cartasi.it/Index.htm
Last-Modified: Thu, 17 Sep 2009 08:31:42 GMT
Accept-Ranges: bytes
ETag: "346b94487137ca1:3a90"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
Date: Fri, 18 Sep 2009 16:05:54 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!-- saved from url=(0044)https://titolari.cartasi.it/portal/server.pt -->
<HTML><HEAD><TITLE>Home Page</TITLE>

spamislame · **Joined:** Tue May 09, 2006 9:18 am **Posts:** 5022

Aha. Thanks Meep. Sorry for missing that.

SiL

InBoxRevenge KS Forum

CartaSi: cannot shut down those phish web sites

Who is online