
phishing poste.it


All times are UTC - 5 hours [ DST ]


 [ 15 posts ] 
 PostPosted: Thu Sep 17, 2009 7:15 am   
Spammer Exterminator

Joined: Wed May 02, 2007 8:59 pm
Posts: 1055
I cannot find the contact address for the host of this:
hxxp:\\www.vermont-it.ru/bancopostaonline.poste.it/bpol/CARTEPRE/index.html


 PostPosted: Thu Sep 17, 2009 9:39 am   
Site Admin

Joined: Tue May 09, 2006 9:18 am
Posts: 5022
Code:
REGISTRY WHOIS FOR VERMONT-IT.RU

% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).

domain:     VERMONT-IT.RU
type:       CORPORATE
nserver:    ns.vernet.su.
nserver:    ns2.vernet.su.
state:      REGISTERED, DELEGATED
person:     Sergey S Koptsev
phone:      +7 495 5438850
fax-no:     +7 495 5438850
e-mail:     [email protected]
registrar:  RUCENTER-REG-RIPN
created:    2004.07.19
paid-till:  2010.07.19
source:     TC-RIPN

Last updated on 2009.09.17 17:33:20 MSK/MSD

Information Updated: Thu, 17 Sep 2009 13:36:25 UTC


Hosted on IP address: 77.91.199.59:

Code:
inetnum:        77.91.199.0 - 77.91.199.255
netname:        VERMONT-IT
descr:          Vermont-IT Internet Service Provider
country:        RU
admin-c:        DVM43-RIPE
tech-c:         DVM43-RIPE
status:         ASSIGNED PA
remarks:        INFRA-AW
mnt-by:         VERMONT-IT-MNT
changed:        [email protected] 20081003
source:         RIPE

person:         Dmitriy V Morozov
address:        1d-1 Frunze str, 141070 Korolev,
address:        Russian Federation
phone:          +7 495 543 88 50
nic-hdl:        DVM43-RIPE
changed:        [email protected] 20070615
source:         RIPE


That appears to be another hijacked 3rd-party server so you may want to contact the hosting company first.

SiL


 PostPosted: Thu Sep 17, 2009 10:08 am   
Spammers' Nightmare

Joined: Thu Apr 05, 2007 4:10 pm
Posts: 2777
I reported it to several addresses. It looks like vermont-it.ru is simply compromised: [email protected], [email protected], [email protected], etc.

vermont-it.ru
IP: 77.91.199.59
AS43667

Not familiar with this host at all, but my first thought was that it was hijacked. I'm not so sure now after digging a bit deeper: I see that vermont-it.ru appears to have legit content. I gleaned [email protected] from the website.

Also, I reported it to RIPE upstream: AS8615


 PostPosted: Thu Sep 17, 2009 10:39 am   
Spammers' Nightmare

Joined: Thu Apr 05, 2007 4:10 pm
Posts: 2777
404 :) that was quick, considering how late it is over in Moscow, after 6pm as I post this, I am pleasantly surprised.

Code:
--- 09/17/09 10:39:05 Eastern Daylight Time
--- reading URL hxxp:\\www.vermont-it.ru/bancopostaonline.poste.it/bpol/CARTEPRE/index.html
--- contacting host hXXp:\\www.vermont-it.ru [77.91.199.59] on port 80

HTTP/1.1 404 Not Found
Date: Thu, 17 Sep 2009 14:39:18 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny3 with Suhosin-Patch
Vary: Accept-Encoding
Content-Length: 368
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /bancopostaonline.poste.it/bpol/CARTEPRE/index.html was not found on this server.</p>
<hr>
<address>Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny3 with Suhosin-Patch Server at hXXp://www.vermont-it.ru Port 80</address>
</body></html>


--- connection closed


 PostPosted: Thu Sep 17, 2009 11:13 am   
Site Admin

Joined: Tue May 09, 2006 9:18 am
Posts: 5022
meep wrote:
404 :) that was quick, considering how late it is over in Moscow, after 6pm as I post this, I am pleasantly surprised.


Nicely done! Just over one hour from when I posted the whois / dns. :)

Good to see.

SiL


 PostPosted: Thu Sep 17, 2009 11:23 am   
Spammers' Nightmare

Joined: Thu Apr 05, 2007 4:10 pm
Posts: 2777
I think I automatically get a little suspicious of anything .ru nowadays. :oops:

When I was surfing to websites even as recently as 2000, I didn't equate things Russian with spamming / cybercriminality. Now, with most anything .ru that I am not familiar with, I am already suspicious. Same with websites that are Nigerian, Brazilian, Chinese, Korean, Romanian, Turkish, Estonian, Moldavian, etc. :evil:

Even so, most of the originating spam is on US networks. :!:


 PostPosted: Thu Sep 17, 2009 6:30 pm   
Spammer Exterminator

Joined: Wed May 02, 2007 8:59 pm
Posts: 1055
Thank you very much.

I'm interested in this case.
I had already written to the email recovered from the whois report on the domain.
But in the whois on the host IP, I cannot find a contact address.
Where did you find it?


 PostPosted: Thu Sep 17, 2009 7:44 pm   
Spammers' Nightmare

Joined: Thu Apr 05, 2007 4:10 pm
Posts: 2777
Quote:
But in whois on host IP, I cannot find a contact address.


I used domainwhitepages.com by entering the domain and then checking the domain whois record, DNS records and network whois record. At the bottom you see the RIPE information under the network whois record (IP ownership). Only [email protected] was listed under networks as a plausible abuse / technical address for the hoster. [email protected] was taken from the website and [email protected] was just a guess. You can use this for ISPs as well. Most security / abuse issues are directed to [email protected] ISP domain.

I did overlook the domain contact under domain WHOIS: I should have added: [email protected] as a contact, but did not in my report.

Code:
domain:     VERMONT-IT.RU
type:       CORPORATE
nserver:    ns.vernet.su.
nserver:    ns2.vernet.su.
state:      REGISTERED, DELEGATED
person:     Sergey S Koptsev
phone:      +7 495 5438850
fax-no:     +7 495 5438850
e-mail:     [email protected]
registrar:  RUCENTER-REG-RIPN
created:    2004.07.19
paid-till:  2010.07.19
source:     TC-RIPN


Sometimes you don't even see that much, so you try to contact their upstream provider if a lot of the information is not clear for contacting.

I hope this makes sense. Sometimes when you dig deeper, you try contacts for the name servers. Above the nameserver is vernet.su. I could try to find that email address if I couldn't find the ones listed earlier.


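The contact-hunting procedure meep describes above (domain whois, network whois, the person objects behind the handles, and only then the "changed:" addresses), as an added example that is not code from this thread: it parses RPSL-style whois output as returned by RIPE, APNIC and RIPN, follows the admin-c/tech-c handles to their person objects, and ranks the candidate addresses. The sample record is constructed from the APNIC block quoted later in the thread, with example.net placeholder addresses.

```python
from collections import defaultdict

# Constructed sample modelled on the APNIC record quoted in the thread;
# the e-mail addresses are example.net placeholders, not real contacts.
SAMPLE_WHOIS = """\
inetnum:      61.135.0.0 - 61.135.255.255
admin-c:      CH1302-AP
tech-c:       SY21-AP
changed:      hm-changed@example.net 20090508
source:       APNIC

person:       ChinaUnicom Hostmaster
nic-hdl:      CH1302-AP
e-mail:       hostmaster@example.net

person:       sun ying
nic-hdl:      SY21-AP
e-mail:       tech@example.net
"""

def parse_objects(text):
    """Split whois output into objects (field -> values); '%' lines are comments."""
    objects, current = [], defaultdict(list)
    for line in text.splitlines() + [""]:  # trailing "" flushes the last object
        key, sep, value = line.partition(":")
        if line.startswith("%") or not sep:  # comment or blank line ends an object
            if current:
                objects.append(dict(current))
            current = defaultdict(list)
        else:
            current[key.strip()].append(value.strip())
    return objects

def abuse_contacts(text):
    """Return (address, reason) pairs, most authoritative first."""
    objs = parse_objects(text)
    by_handle = {o["nic-hdl"][0]: o for o in objs if "nic-hdl" in o}
    found = {}  # insertion-ordered; setdefault keeps the first (best) reason
    for o in objs:                          # 1. an explicit abuse mailbox
        for a in o.get("abuse-mailbox", []):
            found.setdefault(a, "abuse-mailbox")
    for o in objs:                          # 2. persons referenced by admin-c/tech-c
        for role in ("admin-c", "tech-c"):
            for h in o.get(role, []):
                for a in by_handle.get(h, {}).get("e-mail", []):
                    found.setdefault(a, f"{role} {h}")
    for o in objs:                          # 3. 'changed:' addresses as a last resort
        for c in o.get("changed", []):
            found.setdefault(c.split()[0], "changed: (last resort)")
    return list(found.items())
```

Feed it the raw output of `whois <ip>` or `whois <domain>`; when nothing but "changed:" addresses turn up, that is the cue to move on to the nameserver operator or the upstream, as the post suggests.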
 PostPosted: Thu Sep 17, 2009 9:51 pm   
Spammer Obliterator

Joined: Fri Jun 15, 2007 7:05 pm
Posts: 2261
meep wrote:
When I was surfing to websites even as recently as 2000

That's not that recently. About the same amount of time before that the World Wide Web didn't even exist :wink:.

_________________
Arf, she said


 PostPosted: Fri Sep 18, 2009 2:31 am   
Spammer Exterminator

Joined: Wed May 02, 2007 8:59 pm
Posts: 1055
meep wrote:
I used domainwhitepages.com by entering the domain and then checking the domain whois record, DNS records and network whois record. At the bottom you see the RIPE information under the network whois record (IP ownership). Only [email protected] was listed under networks as a plausible abuse / technical address for the hoster.

I thought that the email present in the "changed:" field, like [email protected], was not for contact. Thanks.


 PostPosted: Fri Sep 18, 2009 7:59 am   
Spammer Exterminator

Joined: Wed May 02, 2007 8:59 pm
Posts: 1055
Here is another one; please, someone report it again along with me:

Subject: Phishing Poste.it using domain 'S3-POSTE.NET'
Date: Fri, 18 Sep 2009 13:52:19 +0200
From: efa
To: [email protected], Policy <[email protected]>, network-abuse <[email protected]>

Dear Registrar and Host,
I have received another phish email that contains a link to:

hxxp:\\s3-poste.net/bpol/CARTEPRE/login.html
registered by: MELBOURNE IT
resolves to 98.136.92.79
registered to: Yahoo! Inc.

domain: s3-poste.net redirect to:
hxxp:\\61.135.204.86/icons/www.poste.it/personale/index.php?logon=myposte
registered to: China Unicom

The link is a fake page of the Italian Bank 'Poste.it'

The domain 'S3-POSTE.NET' was registered solely for phishing on: 18-sep-2009
Please suspend the domain 'S3-POSTE.NET' immediately.

NOTE: This domain was previously registered with MELBOURNE IT
on 15-sep-2009,
which suspended it with HOLD only on 16-sep-2009.
Now the domain is re-registered and used again by the phisher!

IT'S NECESSARY to follow all the instructions reported in the link below
to suspend a domain and be sure the phisher cannot reuse it.
In particular, all of the following four statuses MUST be applied:
ClientHold
ClientUpdateProhibited
ClientDeleteProhibited
ClientTransferProhibited

Detailed removal instructions are at this link:
http://www.spamtrackers.eu/wiki/index.p ... rar_Advice

The host '61.135.204.86' is cracked!
Delete these phishing pages immediately.

Regards, efa


 PostPosted: Fri Sep 18, 2009 11:11 am   
Site Admin

Joined: Tue May 09, 2006 9:18 am
Posts: 5022
While you're at it:

http://s3-poste.net/

Redirects to:

http://61.135.204.86/icons/www.poste.it ... on=myposte

Code:
WHOIS - 61.135.204.86

Location: China [City: Beijing, Beijing]

ARIN says that this IP belongs to APNIC; I'm looking it up there.

...

person:       sun ying
address:      fu xing men nei da jie 97, Xicheng District
address:      Beijing 100800
country:      CN
phone:        +86-10-66030657
fax-no:       +86-10-66078815
e-mail:       [email protected]
nic-hdl:      SY21-AP
mnt-by:       MAINT-CNCGROUP-BJ
changed:      [email protected] 19980824
changed:      [email protected] 20060717
changed:      [email protected]  20090630
source:       APNIC


SiL


 PostPosted: Fri Sep 18, 2009 2:07 pm   
Spammer Exterminator

Joined: Wed May 02, 2007 8:59 pm
Posts: 1055
I got another whois report for 61.135.204.86:
Code:
$ whois 61.135.204.86
% [whois.apnic.net node-1]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:      61.135.0.0 - 61.135.255.255
netname:      UNICOM-BJ
descr:        China Unicom Beijing province network
descr:        China Unicom
country:      CN
admin-c:      CH1302-AP
tech-c:       SY21-AP
mnt-by:       APNIC-HM
mnt-lower:    MAINT-CNCGROUP-BJ
mnt-routes:   MAINT-CNCGROUP-RR
status:       ALLOCATED PORTABLE
changed:      [email protected] 20031112
changed:      [email protected] 20040927
changed:      [email protected] 20050112
changed:      [email protected] 20060124
changed:      [email protected] 20090507
changed:      [email protected] 20090508
source:       APNIC

person:       ChinaUnicom Hostmaster
nic-hdl:      CH1302-AP
e-mail:       [email protected]
address:      No.21,Jin-Rong Street
address:      Beijing,100140
address:      P.R.China
phone:        +86-10-66259940
fax-no:       +86-10-66259764
country:      CN
changed:      [email protected] 20090408
mnt-by:       MAINT-CNCGROUP
source:       APNIC

person:       sun ying
address:      fu xing men nei da jie 97, Xicheng District
address:      Beijing 100800
country:      CN
phone:        +86-10-66030657
fax-no:       +86-10-66078815
e-mail:       [email protected]
nic-hdl:      SY21-AP
mnt-by:       MAINT-CNCGROUP-BJ
changed:      [email protected] 19980824
changed:      [email protected] 20060717
changed:      [email protected]  20090630
source:       APNIC


So I wrote to [email protected]; no action.


 PostPosted: Fri Sep 18, 2009 2:24 pm   
Spammers' Nightmare

Joined: Thu Apr 05, 2007 4:10 pm
Posts: 2777
China Unicom blows (that is English slang for they need to get rid of their spam). :( Just take a look at Spamhaus SBLs like this one:

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL78734
Code:
Ref: SBL78734

61.135.204.86/32 is listed on the Spamhaus Block List (SBL)

17-Sep-2009 14:54 GMT | SR08

phish site

URL observed in phish spams:

http://61.135.204.86/icons/www.poste.it/personale/index.php?logon=myposte

Compromised server.


Spamhaus has this network under the name: cnc-group-bj
I think they are AS9800 (network identification) - I get confused with which Chinese Hosts, ISPs, are what sometimes.

Chinese Networks (very helpful) for research if unsure:
http://www.cymru.com/BGP/incon_asn_list.html


 PostPosted: Tue Sep 22, 2009 12:49 pm   
Spammers' Nightmare

Joined: Thu Apr 05, 2007 4:10 pm
Posts: 2777
Maybe this phish will get pulled in November. Still up as of Tues 9/22/09 after being reported a few times.

Code:
--- 09/22/09 12:51:06 Eastern Daylight Time
--- reading URL http://61.135.204.86/icons/www.poste.it/personale/index.php?logon=myposte
--- contacting host [61.135.204.86] on port 80

HTTP/1.1 200 OK
Date: Tue, 22 Sep 2009 16:23:45 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

1fd0
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="it"><head>

<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1 ">

<meta name="Author" content="Poste Italiane S.p.A.">

