
German Paypal phish domain redirect


All times are UTC - 5 hours [ DST ]


 [ 4 posts ] 
 PostPosted: Thu Jul 07, 2011 10:30 am   
Spammers' Nightmare

Joined: Thu Apr 05, 2007 4:10 pm
Posts: 2777
domain name redirect: kontonummer22222222222222222222.com
IP: 88.208.252.196

(redirect reported)
inetnum: 88.208.252.0 - 88.208.253.255
netname: FASTHOSTS-UK-NETWORK
AS15418

destination was (content disabled as I post this)
Quote:
URL=hxxp://my-account-kontonumer.com/Bank/paypal3.de/paypal.com/de/.9d4f47e6389393e534a5e8a8f2/cgi-bin/webscrcmd=_login-run&dispatch=5885d80a13c0db1f8e263663d3faee8dc60d77e6184470d51976060a4ab6ee74.php>


Nice fake WHOIS:
Code:
   Domain Name: KONTONUMMER22222222222222222222.COM
   Registrar: TUCOWS.COM CO.
   Whois Server: whois.tucows.com
   Referral URL: http://domainhelp.opensrs.net
   Name Server: NS1.LIVEDNS.CO.UK
   Name Server: NS2.LIVEDNS.CO.UK
   Name Server: NS3.LIVEDNS.CO.UK
   Status: clientTransferProhibited
   Status: clientUpdateProhibited
   Updated Date: 07-jul-2011
   Creation Date: 07-jul-2011
   Expiration Date: 07-jul-2012

>>> Last update of whois database: Thu, 07 Jul 2011 14:10:19 UTC <<<

Queried whois.tucows.com with "kontonummer22222222222222222222.com"...

Registrant:
 Rudolf Ammer
 M??gelegasse 5
 london, Borders W11 2BQ
 GB

 Domain name: KONTONUMMER22222222222222222222.COM


 Administrative Contact:
    Ammer, Rudolf  [email protected]
    M??gelegasse 5
    london, Borders W11 2BQ
    GB
    +44.069919441911
 Technical Contact:
    Ammer, Rudolf  [email protected]
    M??gelegasse 5
    london, Borders W11 2BQ
    GB
    +44.069919441911


 Registration Service Provider:
    Fasthosts Internet Limited, [email protected]
    +44.8708883600
    +44.8708883760 (fax)
    http://www.Fasthosts.co.uk



 Registrar of Record: TUCOWS, INC.
 Record last updated on 07-Jul-2011.
 Record expires on 07-Jul-2012.
 Record created on 07-Jul-2011.

 Registrar Domain Name Help Center:
    http://tucowsdomains.com

 Domain servers in listed order:
    NS2.LIVEDNS.CO.UK   
    NS3.LIVEDNS.CO.UK   
    NS1.LIVEDNS.CO.UK   


Partial headers:

Code:
#      Thu Jul 07 06:00:41 2011    [email protected] -    
Resent-Date:    Thu, 7 Jul 2011 07:00:32 -0400 (EDT)
MIME-Version:    1.0
Content-Type:    xxxxx
Message-ID:    xxx
X-MS-Tnef-Correlator:    
Received:    from xxx; Thu, 7 Jul 2011 07:00:32 -0400 (EDT)
Received:    from xxx; Thu, 7 Jul 2011 04:00:04 -0700
X-Source-Ip:    [75.148.247.105]
Delivered-To:    xx
Resent-From:    xx
Subject:    Warnung! Zur Zeit haben Sie nur begrenzten Zugang zu Ihrem Pay - Pay Konto [CDXFO0014]
Return-Path:    xx
X-Original-To:    xxx
Date:    Thu, 7 Jul 2011 11:00:25 +0000
X-Spam:    exempt
Thread-Topic:    Warnung! Zur Zeit haben Sie nur begrenzten Zugang zu Ihrem Pay - Pay Konto [CDXFO0014]
xxx
To:    xxxx
From:    PayPal <[email protected]>
Content-Length:    0
content-type:    text/plain; charset="utf-8"
Content-Transfer-Encoding:    quoted-printable
X-RT-Original-Encoding:    iso-8859-1
Content-Length:    528


Body:

Dear PayPal user,
Unusual account activity has made it necessary to limit your account until additional information for verification has been collected.

At present you have only limited access to your Pay Pal account. We therefore ask you to renew the account details we have requested.

Please click here »<hxxp://kontonummer22222222222222222222.com>

Copyright © 1999-2011 PayPal. All rights reserved
PayPal Germany Pty Limited
ABN 93 111 195 389 (AFSL 304962)


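As an added example (not code from the thread or from any of its posters), a small Python check that reads a Tucows-style WHOIS excerpt and the mail's Date header, as quoted in the post above, and flags a linked domain that was registered only days before the phish was sent. The WHOIS and mail snippets are constructed from the posted excerpts, and the seven-day age threshold is an assumption.

```python
import re
from datetime import datetime
from email.utils import parsedate_to_datetime

# Constructed from the WHOIS excerpt in the post (not a live lookup).
WHOIS_TEXT = """\
   Domain Name: KONTONUMMER22222222222222222222.COM
   Registrar: TUCOWS.COM CO.
   Updated Date: 07-jul-2011
   Creation Date: 07-jul-2011
   Expiration Date: 07-jul-2012
"""

# Constructed from the partial headers and body in the post; link is defanged (hxxp).
MAIL_TEXT = """\
Date: Thu, 7 Jul 2011 11:00:25 +0000
Subject: Warnung! Zur Zeit haben Sie nur begrenzten Zugang zu Ihrem Pay - Pay Konto

Dear PayPal user,
Please click here <hxxp://kontonummer22222222222222222222.com>
"""

def whois_domain(whois_text):
    """Lower-cased 'Domain Name:' value from a WHOIS dump, or None."""
    m = re.search(r"Domain Name:\s*(\S+)", whois_text, re.I)
    return m.group(1).lower() if m else None

def whois_creation_date(whois_text):
    """'Creation Date' (Tucows dd-mon-yyyy form) as a date, or None."""
    m = re.search(r"Creation Date:\s*(\d{2}-[a-z]{3}-\d{4})", whois_text, re.I)
    return datetime.strptime(m.group(1).lower(), "%d-%b-%Y").date() if m else None

def link_domains(mail_text):
    """Hostnames of every http(s)/hxxp(s) link in the mail, lower-cased."""
    return {h.lower() for h in re.findall(r"h(?:tt|xx)ps?://([^/\s>\]]+)", mail_text)}

def domain_age_days(whois_text, mail_text):
    """Days from domain creation to the mail's Date header (None if either is missing)."""
    created = whois_creation_date(whois_text)
    m = re.search(r"^Date:\s*(.+)$", mail_text, re.M)
    if created is None or not m:
        return None
    return (parsedate_to_datetime(m.group(1).strip()).date() - created).days

def is_suspicious(whois_text, mail_text, max_age_days=7):
    """True when the mail links to the WHOIS domain and it is at most max_age_days old."""
    if whois_domain(whois_text) not in link_domains(mail_text):
        return False
    age = domain_age_days(whois_text, mail_text)
    return age is not None and 0 <= age <= max_age_days
```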
 PostPosted: Thu Jul 07, 2011 10:35 am   
Spammer Killing Machine

Joined: Sun Jun 13, 2010 5:22 pm
Posts: 528
my-account-kontonumer.com has been suspended by its domain registrar TUCOWS.COM
Status: clientHold

Unfortunately, TUCOWS has not (yet?) suspended kontonummer22222222222222222222.com
and the scam may simply alter its redirection to target another fraudulent site.


 PostPosted: Thu Jul 07, 2011 11:37 am   
Spam Muncher

Joined: Wed Jan 03, 2007 10:19 am
Posts: 890
Location: North Britain
Since phishing operations now mostly use an initial redirection site to direct victims to the payload, I have noticed often in the last few months that the payload will change two or three times in as many days before the initially spammed site is shut down. The ever-popular PHISH in the form of an HTML attachment will sometimes be a stub that redirects to a proper site, although that allows less scope for varying the target.

_________________
Ruffian antics are a wrench in society's gears


 PostPosted: Thu Jul 07, 2011 12:19 pm   
Spammers' Nightmare

Joined: Thu Apr 05, 2007 4:10 pm
Posts: 2777
Benzyl wrote:
Since phishing operations now mostly use an initial redirection site to direct victims to the payload, I have noticed often in the last few months that the payload will change two or three times in as many days before the initially spammed site is shut down. ...


Yes, Benzyl, I have seen this pattern over the years as well, even with fraudulent domain purchases. More often, however, as you mention, the redirects' destination pages change on hacked webpages. I have looked at phishing scams on a regular basis since about 2003, and some of the tactics have changed, but the phishing problem still persists quite regularly with spammers.




Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group
Style originally created by Volize © 2003 • Redesigned SkyLine by MartectX © 2008