CartaSi: cannot shut down those phish web sites

efa · **Joined:** Wed May 02, 2007 8:59 pm **Posts:** 1055

Tucows answered me to write to [email protected] that was already in CC in my 14/9 email. No action

meep · **Joined:** Thu Apr 05, 2007 4:10 pm **Posts:** 2777

very frustrating, efa. :!:

Will it take TuCows another week or two?

efa · **Joined:** Wed May 02, 2007 8:59 pm **Posts:** 1055

Subject: Re: [Inquiry=26711] Re: Phishing CartaSi using domain 's8625c.com'
Date: Mon, 21 Sep 2009 09:44:15 +0200
From: <efa>
To: [email protected]
CC: Tucows Compliance <[email protected]>

Tucows Customer Support ha scritto:
> When replying, type your text above this line.
> ----------------------------------------------

are you joking?
[email protected] was in CC also the first complaint on 14 september!
opensrs.org are inactive, the phish domain is still up today on 21.

Please shutdown this phish domain
efa
...

meep · **Joined:** Thu Apr 05, 2007 4:10 pm **Posts:** 2777

I reported it, too.

let's see if it is online next week, still.

meep · **Joined:** Thu Apr 05, 2007 4:10 pm **Posts:** 2777

lame, emailed and it is still up .... maybe in October at this rate.

Code:

--- 09/22/09 12:49:38 Eastern Daylight Time
--- reading URL s8625c.com/titolari.cartasi.it/
--- contacting host s8625c.com [217.73.236.40] on port 80

HTTP/1.1 200 OK
Content-Length: 38501
Content-Type: text/html
Content-Location: http://s8625c.com/titolari.cartasi.it/Index.htm
Last-Modified: Thu, 17 Sep 2009 08:31:42 GMT
Accept-Ranges: bytes
ETag: "346b94487137ca1:3a90"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
Date: Tue, 22 Sep 2009 16:47:48 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!-- saved from url=(0044)https://titolari.cartasi.it/portal/server.pt -->
<HTML><HEAD><TITLE>Home Page</TITLE>

efa · **Joined:** Wed May 02, 2007 8:59 pm **Posts:** 1055

I filled the form at:
http://reports.internic.net/cgi/registr ... report.cgi
with Item "Registrar Customer Service"

Form text:

Domain: s8625c.com
Real Registrar Name: TUCOWS INC.

I wrote a complaint to Tucows on 14 september, because the domain:
s8625c.com
was registered uniquely for phishing on 04-sep-2009
as show by spamvertized link:
hxxp://s8625c.com/titolari.cartasi.it/

Tucows answered to write to '[email protected]' that was already in CC in my 4 september mail.
The domain is still active today 22 september, seems Tucows do not act immediately on the phisher.

Please ask for domain suspension.

meep · **Joined:** Thu Apr 05, 2007 4:10 pm **Posts:** 2777

OK, will try to report it and then update this thread as soon as I can, efa.

efa · **Joined:** Wed May 02, 2007 8:59 pm **Posts:** 1055

To: [email protected], [email protected]
Subject: Phishing CartaSi using domain "cartasi-log.com"

Dear Registrar:RANGER REGISTRATION (MADEIRA) LLC.
I have received a phish email, that contain a link to:

hxxp://cartasi-log.com/login/

The link is a fake page of the Italian Credit Card 'Cartasi':

https://titolari.cartasi.it/portal/server.pt

The domain is registered uniquely for phishing on:10-may-2010
Please suspend immediately the domain "cartasi-log.com"
Removal instructions are at this link:
http://www.spamtrackers.eu/wiki/index.p ... rar_Advice

Regards, efa

meep · **Joined:** Thu Apr 05, 2007 4:10 pm **Posts:** 2777

still live as of 6/1/10. I am reporting to [email protected]

Red Dwarf · **Joined:** Tue Jun 27, 2006 2:01 am **Posts:** 9227

Both Firefox and IE refuse to let me get past the login page.

roberto7888 · **Joined:** Tue Jan 02, 2007 11:04 am **Posts:** 842

meep wrote:

still live as of 6/1/10. I am reporting to [email protected]

use these e-mails for ICANN Registrar : RANGER REGISTRATION (MADEIRA) LLC. : [email protected], [email protected], [email protected], [email protected],
[email protected], [email protected]

meep · **Joined:** Thu Apr 05, 2007 4:10 pm **Posts:** 2777

Thanks, Roberto, for the reseller registrar finds. Good digging.

Well, it is now 6/2/10 and this is still active:

cartasi-log.com [96.9.51.205]

Code:

--- 06/02/10 08:13:59 Central Daylight Time
--- reading URL cartasi-log.com/login/
--- contacting host cartasi-log.com [96.9.51.205] on port 80

HTTP/1.1 200 OK
Date: Wed, 02 Jun 2010 13:14:01 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Last-Modified: Sat, 20 Dec 2008 05:30:20 GMT
ETag: "2818c71-86d1-45e73b8b59300"
Accept-Ranges: bytes
Content-Length: 34513
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!-- saved from url=(0044)https://titolari.cartasi.it/portal/server.pt -->
<HTML><HEAD><TITLE>Home Page</TITLE> ...

meep · **Joined:** Thu Apr 05, 2007 4:10 pm **Posts:** 2777

cartasi-log.com/login/ is still online as of 6/4/10, but I don't want to test it to see if it works since phishing sites, even fraudulent domains can harbor malware.

Code:

--- 06/04/10 10:12:07 Central Daylight Time
--- reading URL cartasi-log.com/login/
--- contacting host cartasi-log.com [96.9.51.205] on port 80

HTTP/1.1 200 OK
Date: Fri, 04 Jun 2010 15:12:11 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Last-Modified: Sat, 20 Dec 2008 05:30:20 GMT
ETag: "2818c71-86d1-45e73b8b59300"
Accept-Ranges: bytes
Content-Length: 34513
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!-- saved from url=(0044)https://titolari.cartasi.it/portal/server.pt -->
<HTML><HEAD><TITLE>Home Page</TITLE>
<META http-equiv=Content-Type content="text/html; charset=utf-8"><LINK lang=it 
href="index_files/mainstyle-titolari-it.css" type=text/css 
rel=StyleSheet></LINK>

efa · **Joined:** Wed May 02, 2007 8:59 pm **Posts:** 1055

9 Jun, the domain "cartasi-log.com" is still active.

The contacts:
[email protected]
[email protected]
[email protected]
[email protected]
answer with a "Delivery Status Notification Recipient Unknown (state 17)"

Red Dwarf · **Joined:** Tue Jun 27, 2006 2:01 am **Posts:** 9227

roberto7888 wrote:

meep wrote:

still live as of 6/1/10. I am reporting to [email protected]

use these e-mails for ICANN Registrar : RANGER REGISTRATION (MADEIRA) LLC. : [email protected], [email protected], [email protected], [email protected],
[email protected], [email protected]

As reported by efa -
postmaster, info, abuse and support do not exist.
I got a "Recipient Unknown (state 14)." for all but the addresses admin and legal

InBoxRevenge KS Forum

CartaSi: cannot shut down those phish web sites

Who is online