German Paypal phish domain redirect

meep · **Joined:** Thu Apr 05, 2007 4:10 pm **Posts:** 2777

domain name redirect: kontonummer22222222222222222222.com
IP: 88.208.252.196

(redirect reported)
inetnum: 88.208.252.0 - 88.208.253.255
netname: FASTHOSTS-UK-NETWORK
AS15418

destination was (content disabled as I post this)

Quote:

URL=hxxp://my-account-kontonumer.com/Bank/paypal3.de/paypal.com/de/.9d4f47e6389393e534a5e8a8f2/cgi-bin/webscrcmd=_login-run&dispatch=5885d80a13c0db1f8e263663d3faee8dc60d77e6184470d51976060a4ab6ee74.php>

Nice fake WHOIS:

Code:

Domain Name: KONTONUMMER22222222222222222222.COM
Registrar: TUCOWS.COM CO.
Whois Server: whois.tucows.com
Referral URL: http://domainhelp.opensrs.net
Name Server: NS1.LIVEDNS.CO.UK
Name Server: NS2.LIVEDNS.CO.UK
Name Server: NS3.LIVEDNS.CO.UK
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 07-jul-2011
Creation Date: 07-jul-2011
Expiration Date: 07-jul-2012

>>> Last update of whois database: Thu, 07 Jul 2011 14:10:19 UTC <<<

Queried whois.tucows.com with "kontonummer22222222222222222222.com"...

Registrant:
Rudolf Ammer
M??gelegasse 5
london, Borders W11 2BQ
GB

Domain name: KONTONUMMER22222222222222222222.COM

Administrative Contact:
Ammer, Rudolf [email protected]
M??gelegasse 5
london, Borders W11 2BQ
GB
+44.069919441911
Technical Contact:
Ammer, Rudolf [email protected]
M??gelegasse 5
london, Borders W11 2BQ
GB
+44.069919441911

Registration Service Provider:
Fasthosts Internet Limited, [email protected]
+44.8708883600
+44.8708883760 (fax)
http://www.Fasthosts.co.uk

Registrar of Record: TUCOWS, INC.
Record last updated on 07-Jul-2011.
Record expires on 07-Jul-2012.
Record created on 07-Jul-2011.

Registrar Domain Name Help Center:
http://tucowsdomains.com

Domain servers in listed order:
NS2.LIVEDNS.CO.UK
NS3.LIVEDNS.CO.UK
NS1.LIVEDNS.CO.UK

Partial headers:

Code:

History Display mode: Brief headers — Full headers
# Thu Jul 07 06:00:41 2011 [email protected] -
Resent-Date: Thu, 7 Jul 2011 07:00:32 -0400 (EDT)
MIME-Version: 1.0
Content-Type: xxxxx
Message-ID: xxx
X-MS-Tnef-Correlator:
Received: from xxx; Thu, 7 Jul 2011 07:00:32 -0400 (EDT)
Received: from xxx; Thu, 7 Jul 2011 04:00:04 -0700
X-Source-Ip: [75.148.247.105]
Delivered-To: xx
Resent-From: xx
Subject: Warnung! Zur Zeit haben Sie nur begrenzten Zugang zu Ihrem Pay - Pay Konto [CDXFO0014]
Return-Path: xx
X-Original-To: xxx
Date: Thu, 7 Jul 2011 11:00:25 +0000
X-Spam: exempt
Thread-Topic: Warnung! Zur Zeit haben Sie nur begrenzten Zugang zu Ihrem Pay - Pay Konto [CDXFO0014]
xxx
To: xxxx
From: PayPal <[email protected]>
Content-Length: 0
content-type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-RT-Original-Encoding: iso-8859-1
Content-Length: 528
Download (untitled) [text/plain 528b]

Body:

Liebe User PayPal,
Ungewöhnliche Kontobewegungen haben es notwendig gemacht Ihr Konto einzugrenzen bis zusätzliche Informationen zur Überprüfung gesammelt werden.

Zur Zeit haben Sie nur begrenzten Zugang zu Ihrem Pay Pal Konto. Wir bitten Sie daher die von uns angeforderten Kontodaten zu enrneuern.

Bitte klicken Sie hier »<hxxp://kontonummer22222222222222222222.com>

Copyright © 1999-2011 PayPal. All rights reserved
PayPal Germany Pty Limited
ABN 93 111 195 389 (AFSL 304962)

NotBuyingIt · **Joined:** Sun Jun 13, 2010 5:22 pm **Posts:** 528

my-account-kontonumer.com has been suspended by its domain registrar TUCOWS.COM
Status: clientHold

Unfortunately, TUCOWS has not (yet?) suspended kontonummer22222222222222222222.com
and the scam may simply alter its redirection to target another fraudulent site.

Benzyl · **Posted:** Thu Jul 07, 2011 11:37 am

Since phishing operations now mostly use an initial redirection site to direct victims to the payload I have noticed often in the last few months that the payload will change two or three times in as many days before the initially spammed site is shut down. The ever popular PHISH in the form of an HTML attachment will sometimes be a stub that redirects to a proper site although that allows less scope for varying the target.

meep · **Joined:** Thu Apr 05, 2007 4:10 pm **Posts:** 2777

Benzyl wrote:

Since phishing operations now mostly use an initial redirection site to direct victims to the payload I have noticed often in the last few months that the payload will change two or three times in as many days before the initially spammed site is shut down. ...

Yes, Benzyl, I have seen this pattern over the years as well, even with fraudulent domain purchases. More often, however, as you mention the redirects destination pages change on hacked webpages. I have looked at phishing scams on a regular basis since about 2003, and some of the tactics have changed, but the phishing problem still persists quite regularly with spammers.

InBoxRevenge KS Forum

German Paypal phish domain redirect

Inspiring websites

Who is online