[Solved] Western Union Phishing


All times are UTC - 5 hours [ DST ]


Posted: Fri Feb 05, 2010 9:55 am
Spam Muncher

Joined: Tue Jan 02, 2007 11:04 am
Posts: 842
The phishing is still active. I have contacted the registrar Arsys.es/Nicline.com, the hosts adam.es and ixole.es, and the registrant Joan Sanchez Guardia by e-mail.
Code:
Registrar:     ARSYS INTERNET, S.L. D/B/A NICLINE.COM
Status:        ok
Dates:         Created 06-jul-2000   Updated 01-mar-2008  Expires 06-jul-2014
DNS Servers:   DNS19.SERVIDORESDNS.NET  DNS20.SERVIDORESDNS.NET 
I was referred to whois.nicline.com; I'm looking it up there.

Domain name: igrafic.com
Registrant:
      Joan Sanchez Guardia  (SROW-673116)
   [email protected]
   roger de flor, 71
   Granollers   BARCELONA
   08400   ES
   +34 932477716   fax: +34 93247771
Administrative contact:
   Ixole Activa SL   (SRCO-1534422)
   [email protected]
   Mallorca 272 4 4.
   Barcelona   BARCELONA
   08037   ES
   +34 902023236   fax: +34 902023191
Technical contact:
   Ixole Activa SL   (SRCO-1534423)
   [email protected]
   Mallorca 272 4  4.
   Barcelona   BARCELONA
   08037   ES
   +34 902023236   fax:+34 902023191
Domain servers in listed order:
   dns19.servidoresdns.net  217.76.128.137
   dns20.servidoresdns.net  217.76.129.137
Created:       06 Jul 2000 07:44:22:000   UTC
Expires:       06 Jul 2014 07:44:22:000   UTC
Last updated:  01 Mar 2008 18:21:12:150   UTC

Quote:
From - Thu Feb 04 22:45:32 2010
X-Account-Key: account4
X-UIDL: 1179582987.62522
X-Mozilla-Status: 1001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys: $label1
X-MSK: Off
Return-Path: <[email protected]>
Received: from mwinf2812.orange.fr (mwinf2812 [10.232.15.40])
by mwinb7503 with LMTPA;
Thu, 04 Feb 2010 22:44:34 +0100
X-Sieve: CMU Sieve 2.3
X-Bcc: xxxxxxxxxxx
Received: from smtp28.orange.fr (localhost [127.0.0.1])
by mwinf2812.orange.fr (SMTP Server) with ESMTP id 8F4411C00088
for <[email protected]>; Thu, 4 Feb 2010 22:44:34 +0100 (CET)
Received: from me-wanadoo.net (localhost [127.0.0.1])
by mwinf2812.orange.fr (SMTP Server) with ESMTP id 84A981C00092
for <[email protected]>; Thu, 4 Feb 2010 22:44:34 +0100 (CET)
Received: from specenviro.com (mail.specenviro.com [12.68.236.122])
by mwinf2812.orange.fr (SMTP Server) with ESMTP id 3F0421C00088
for <xxxxxxxxxxxxxxxx>; Thu, 4 Feb 2010 22:44:34 +0100 (CET)
X-ME-UUID: [email protected]
Received: from User ([74.169.3.60] RDNS failed) by specenviro.com with Microsoft SMTPSVC(6.0.3790.3959);
Thu, 4 Feb 2010 15:44:28 -0600
From: "Western Union"<[email protected]>
Subject: *** SPAM ***Dear Valued Customer, your account has been limited
Date: Thu, 4 Feb 2010 16:43:57 -0500
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID: <[email protected]>
X-OriginalArrivalTime: 04 Feb 2010 21:44:29.0230 (UTC) FILETIME=[3A9234E0:01CAA5E3]
To: undisclosed-recipients:;
X-me-spamlevel: high
X-me-spamrating: 95.000000
X-me-spamcause: OK, (500)(1000)gggruggvucftvghtrhhoucdtuddrvdeltddrvddtgddtgeduiecuteggodetufdouefnucfrrhhofhhilhgvmecuoffgnecuuegrihhlohhuthemuceftddtnecuogetvdeijedqtdduucdlhedttddm
X-Text-Classification: personnel
X-POPFile-Link: http://127.0.0.1:8080/jump_to_message?view=7716


<html>
<head>
<title>Untitled</title>
<meta content="Evrsoft First Page" name="GENERATOR">
</head>
<body>
<p><span><font face="Arial" size="2">Dear Valued Customer,<br>
<br></span></p>
<p>This is an official notification from Western Union. Your account access has been limited due to a login attempt failure. We will need to confirm your Credit Card CVV from your profile.</p>
<p>To continue <a href="http://www.igrafic.com/flip/.WUCOMWEB/signInActiondo/methodsave/countryCode/US/index.htm">click here</a> and remove the limitation.If not, your account with us will be suspended and deleted.<br>
<br>
Visit us to:<br>
  * Send money<br>
  * Check the status of your order<br>
  * Search for Agent locations worldwide<br>
  * Learn about other Western Union services</span><br>
<br>
We are continually improving our Web site to better serve you. Be sure to check back with us often as we add exciting new services to meet your financial needs.<br>
<br>
If you have questions or need assistance, our customer service team</span> is here to help. Email us at <a href="http://www.igrafic.com/flip/.WUCOMWEB/signInActiondo/methodsave/countryCode/US/index.htm">[email protected]</span></a> <br>
<br>
Be sure to remember and protect your new User Name and Password. You will need your new User Name and Password next time you sign in to our site.</p>
<p>Thank you for using Western Union!<br></p> <p>------------------------------------------------------------------------------------------------------------------------------<br>
DO NOT REPLY TO THIS EMAIL. IF YOU HAVE QUESTIONS PLEASE <a href="http://www.igrafic.com/flip/.WUCOMWEB/signInActiondo/methodsave/countryCode/US/index.htm">CONTACT US</a></font></p>

</body>
</html>





Last edited by roberto7888 on Fri Feb 05, 2010 2:35 pm, edited 3 times in total.
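
Added example, not part of the original post: a Python sketch of reading the quoted message for a takedown report. It separates the relay hop logged by the recipient's own provider from older Received lines that are only upstream claims, and lists the hosts the links point to. The sample is abridged from the headers above; `trace`, `trusted_suffix` and the placeholder sender address are assumptions of this example.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: Received lines and one link abridged from the quoted
# message; recipient fields dropped, sender address is a placeholder.
RAW = """\
Received: from smtp28.orange.fr (localhost [127.0.0.1])
\tby mwinf2812.orange.fr (SMTP Server) with ESMTP id 8F4411C00088;
\tThu, 4 Feb 2010 22:44:34 +0100 (CET)
Received: from specenviro.com (mail.specenviro.com [12.68.236.122])
\tby mwinf2812.orange.fr (SMTP Server) with ESMTP id 3F0421C00088;
\tThu, 4 Feb 2010 22:44:34 +0100 (CET)
Received: from User ([74.169.3.60] RDNS failed) by specenviro.com
\twith Microsoft SMTPSVC(6.0.3790.3959); Thu, 4 Feb 2010 15:44:28 -0600
From: "Western Union" <sender@example.invalid>

<a href="http://www.igrafic.com/flip/.WUCOMWEB/signInActiondo/methodsave/countryCode/US/index.htm">click here</a>
"""

HOP = re.compile(r"from\s+(\S+)\s+\((.*?)\)\s+by\s+(\S+)", re.S)
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

class LinkHosts(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hosts = set()
    def handle_starttag(self, tag, attrs):
        # Record where the link really goes, not what its visible text says.
        host = urlparse(dict(attrs).get("href") or "").hostname
        if tag == "a" and host:
            self.hosts.add(host)

def trace(raw, trusted_suffix):
    """Split relay hops into those logged by our own provider and older claims."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):   # newest hop first
        m = HOP.search(value)
        ip = IPV4.search(m.group(2)) if m else None
        if ip and not ip.group(1).startswith("127."):   # skip internal loopback hops
            hops.append({"ip": ip.group(1), "by": m.group(3),
                         "rdns_failed": "RDNS failed" in m.group(2)})
    verified = [h for h in hops if h["by"].endswith(trusted_suffix)]
    claimed = [h for h in hops if not h["by"].endswith(trusted_suffix)]
    links = LinkHosts()
    links.feed(msg.get_payload())
    return {"handed_to_us_by": verified[-1] if verified else None,
            "upstream_claims": claimed, "link_hosts": sorted(links.hosts)}
```

Calling `trace(RAW, "orange.fr")` treats only lines written by the recipient's provider as evidence; anything older was written by a server outside that trust boundary and should be reported as a claim to be checked against that server's own logs.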

Posted: Fri Feb 05, 2010 10:05 am
Spam Muncher

Joined: Tue Jan 02, 2007 11:04 am
Posts: 842
I have an answer from the registrar Arsys.es/Nicline.com. The IP 212.36.65.107 is from Adam.es.
See there:
http://whois.domaintools.com/212.36.65.107
http://legacytools.dnsstuff.com/tools/t ... ainterator
Quote:
From: [email protected]
Subject: Re: [Phishing Of Western Union] Removal request: igrafic.com

Hello,
we do not have access to the address to which igrafic.com/flip/.WUCOMWEB/signInActiondo/methodsave/countryCode/US/index.htm
refers, because the IP address 212.36.65.107 is outside our range.
Regards,
Arsys.es Administrator
================================


Code:
WHOIS - 212.36.65.107

inetnum:        212.36.65.0 - 212.36.65.255
netname:        ADAM
descr:          ADAM
country:        ES
admin-c:        JV284-RIPE
admin-c:        AM5386-RIPE
tech-c:         JV284-RIPE
tech-c:         AM5386-RIPE
tech-c:         FP1656-RIPE
tech-c:         RPR11-RIPE
status:         ASSIGNED PA
mnt-by:         OGIC-MNT
changed:        [email protected]  20080527
source:         RIPE

person:         Alfonso Masana
e-mail:         [email protected]
address:        OGIC INFORMATICA S.L ( ADAM )
address:        Travessera de Gràcia 342
address:        08025 BARCELONA ( SPAIN )
phone:          +0034 934465005
phone:          +0034 934465004
mnt-by:         OGIC-MNT
changed:        [email protected] 20100202
nic-hdl:        AM5386-RIPE
source:         RIPE

person:         Joan Ventura
address:        OGIC INFORMATICA S.L ( ADAM)
address:        C/ Travessera de Gracia, 342
address:        08025 Barcelona
e-mail:         [email protected]
phone:          +0034 934465005
nic-hdl:        JV284-RIPE
changed:        [email protected] 20100202
mnt-by:         OGIC-MNT
source:         RIPE

person:         Ferran Pons
address:        OGIC INFORMATICA S.L ( ADAM )
e-mail:         [email protected]
address:        Travessera de Gràcia 342
address:        08025 BARCELONA ( SPAIN )
phone:          +0034 934465005
phone:          +0034 934465004
mnt-by:         OGIC-MNT
changed:        [email protected]  20080527
nic-hdl:        FP1656-RIPE
source:         RIPE

person:         Raul Ponseti Rodriguez
address:        OGIC INFORMATICA S.L
e-mail:         [email protected]
address:        C/ Travessera de Gracia, 342
address:        08025 Barcelona
phone:          +0034 934465005
nic-hdl:        RPR11-RIPE
changed:        [email protected] 20080527
mnt-by:         OGIC-MNT
source:         RIPE

% Information related to '212.36.64.0/19AS15699'

route:          212.36.64.0/19
descr:          ADAM Internet Network
origin:         AS15699
mnt-by:         OGIC-MNT
changed:        [email protected] 20100127
notify:         [email protected]
source:         RIPE



Last edited by roberto7888 on Fri Feb 05, 2010 2:36 pm, edited 1 time in total.

Posted: Fri Feb 05, 2010 11:45 am
Spammers' Nightmare

Joined: Thu Apr 05, 2007 4:10 pm
Posts: 2777
This must have been disabled just a bit ago as I get a 403 error when visiting the phishing site: (igrafic.com/flip/.WUCOMWEB/signInActiondo/methodsave/countryCode/US/index.htm)


Posted: Fri Feb 05, 2010 2:37 pm
Spam Muncher

Joined: Tue Jan 02, 2007 11:04 am
Posts: 842
meep wrote:
This must have been disabled just a bit ago as I get a 403 error when visiting the phishing site: (igrafic.com/flip/.WUCOMWEB/signInActiondo/methodsave/countryCode/US/index.htm)

Thanks Meep. The link has been disabled. I get a 403 error when visiting the phishing site.

