CartaSi: cannot shut down those phish web sites

Phishing operations, including perpetrators, how to report them and get them shut down.

Postby efa » Tue Apr 28, 2009 9:15 pm


Re: cannot shut down those cartasi phish

Postby meep » Wed Apr 29, 2009 10:34 am

Update:

2 are down now. These below were reported as of 4/29/09 7 pm

hxxp://josephpolansky.com/index.htm
hxxp://www.starnaweb.com.br/lojas/08/nCartasi.php


josephpolansky.com/index.htm
IP: 72.41.199.74

joepolansky [at] yahoo
abuse@ecommerce.com


starnaweb.com.br/lojas/08/nCartasi.php
208.43.100.26
abuse@softlayer.com

Re: cannot shut down those cartasi phish

Postby meep » Fri May 01, 2009 2:29 am

Nice, all 404ed or "gone to Atlanta" as an obscurist would say.

Re: CartaSi: cannot shut down those phish web sites

Postby efa » Fri Jun 05, 2009 3:46 pm

This Kuwait one has no abuse contact, and there is no NIC for Kuwait.
How do I proceed?

hxxp://94.128.2.172/titolari/cartasi/it ... /bonus/pt/

Re: CartaSi: cannot shut down those phish web sites

Postby meep » Fri Jun 05, 2009 10:38 pm

best I can find is:

ahozayen.c [at] stc.com.sa

Emailing to see if they will take down.

Code:
inetnum:        94.128.0.0 - 94.128.127.255
netname:        GPRS_NETWORK
descr:          3G allocation , VAS allocation , 2G allocation
country:        KW
admin-c:        AH2832-RIPE
tech-c:         AH2832-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-AS2306
changed:        ahozayen.c@stc.com.sa 20080706
source:         RIPE


I am also locating an upstream provider through a tracert; below is a partial one:
Code:
 10  [ 192.205.34.158]  192.205.34.158  8 ms 
 11  [     64.86.9.18]  if-11-0-0.core3.AEQ-Ashburn.as6453.net  27 ms 
 12  [195.219.195.153]  if-11-0-0-903.mcore3.LDN-London.as6453.net  159 ms 
 13  [ 195.219.195.14]  if-4-0.core2.LDN-London.as6453.net  107 ms 
 14  [  195.219.189.6]  ix-8-1.core2.LDN-London.as6453.net  250 ms 
 15  [  78.159.161.10]  tec-sw-ace-Vl200-x-tec-kdc.fastteleco.net  251 ms 
 16  [     94.128.3.2]  94.128.3.2  251 ms 
 17  [    94.128.3.18]  94.128.3.18  250 ms 
 18  [   94.128.2.133]  94.128.2.133  252 ms 
 19  [   94.128.2.172]  94.128.2.172  251 ms 



So from this I got these 2 emails:
abuse [at] oversee.net
abuse [at] as6453.net
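The lookup described in the post above, as an added example that is not part of the original post: it reads a RIPE-style inetnum record, confirms the reported IP falls inside the range, collects the e-mail addresses the record carries, and lists the domains of named traceroute hops (nearest to the target first) as upstream networks whose abuse desks can be looked up. The function names and the last-two-labels domain rule are assumptions of this example.

```python
import ipaddress
import re

# Sample input (constructed): lines excerpted from the whois and tracert output quoted above.
WHOIS = """\
inetnum:        94.128.0.0 - 94.128.127.255
country:        KW
admin-c:        AH2832-RIPE
changed:        ahozayen.c@stc.com.sa 20080706
source:         RIPE
"""
TRACE = """\
 13  [ 195.219.195.14]  if-4-0.core2.LDN-London.as6453.net  107 ms
 15  [  78.159.161.10]  tec-sw-ace-Vl200-x-tec-kdc.fastteleco.net  251 ms
 16  [     94.128.3.2]  94.128.3.2  251 ms
 19  [   94.128.2.172]  94.128.2.172  251 ms
"""

EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def parse_whois(text):
    """Return (first_ip, last_ip, emails) from an RPSL-style inetnum object."""
    first = last = None
    emails = []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "inetnum":
            first, last = (ipaddress.ip_address(p.strip()) for p in value.split("-"))
        for addr in EMAIL.findall(value):      # e.g. changed:, notify:, e-mail:
            if addr not in emails:
                emails.append(addr)
    return first, last, emails

def covers(text, ip):
    first, last, _ = parse_whois(text)
    return first is not None and first <= ipaddress.ip_address(ip) <= last

def upstream_domains(trace):
    """Domains of named hops, nearest to the target first (naive: last two labels)."""
    found = []
    for line in reversed(trace.splitlines()):
        m = re.match(r"\s*\d+\s+\[\s*([\d.]+)\]\s+(\S+)", line)
        if not m or m.group(1) == m.group(2):  # hop has no reverse-DNS name
            continue
        domain = ".".join(m.group(2).lower().split(".")[-2:])
        if domain not in found:
            found.append(domain)
    return found
```

The last-two-labels rule misreads suffixes such as `.com.br`; a public-suffix list is needed for those.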

Re: CartaSi: cannot shut down those phish web sites

Postby meep » Tue Jun 09, 2009 7:39 pm

Oversee.net responded on 6/8/09 and confirmed it was offline

Code:
[oversee.net #47132] Resolved: [PHISHING SITE] 94.128.2.172 - Cartasi Bank - URG...

Re: CartaSi: cannot shut down those phish web sites

Postby efa » Thu Jun 25, 2009 2:32 am

thanks!

Re: CartaSi: cannot shut down those phish web sites

Postby efa » Thu Sep 17, 2009 6:26 pm

Another one registered by Tucows, which does nothing ...
hxxp://s8625c.com/titolari.cartasi.it/
Domain registered solely for phishing on 04-Sep-2009.

Re: CartaSi: cannot shut down those phish web sites

Postby AlphaCentauri » Thu Sep 17, 2009 6:43 pm

Where is CartaSi while all this is going on? It seems like you are single-handedly fighting this battle, when they have the most to lose.

Knujon needs to come out with a top ten list of most "spoofable" targets, naming and shaming the companies that do the least to get spoofed sites shut down. CartaSi and Paypal would belong on a list like that from what I can see.

Re: CartaSi: cannot shut down those phish web sites

Postby meep » Thu Sep 17, 2009 8:00 pm

s8625c.com [217.73.236.40]

Code:
inetnum:      217.73.232.0 - 217.73.239.255
netname:      ALICOM
descr:        Alicom S.r.l. Network
country:      IT
admin-c:      ON232-RIPE
tech-c:       ON232-RIPE
status:       ASSIGNED PA
notify:       hostmaster@staff.tol.it
mnt-by:       ALICOM-MNT
changed:      hostmaster@staff.tol.it 20041029
source:       RIPE


s8625c.com is clearly a fraudulent domain that should have been shut down. :?

I remember Tucows does shut down domains, but they would change their contact email addresses. Honestly, I haven't reported fraud domains to them in a while, so please tell us, which Tucows email contact address are you using?

Code:
   Domain Name: S8625C.COM
   Registrar: TUCOWS INC.
   Whois Server: whois.tucows.com
   Referral URL: http://domainhelp.opensrs.net
   Name Server: NS7W.TOL.IT
   Name Server: NS8W.TOL.IT
   Status: clientTransferProhibited
   Status: clientUpdateProhibited
   Updated Date: 04-sep-2009
   Creation Date: 04-sep-2009
   Expiration Date: 04-sep-2010


If Tucows isn't responsive, how about the people who run the nameserver?
Contact Page on website: http://www.tol.it/contatti.php

Code:
Domain:             tol.it
Status:             ACTIVE
Created:            1998-11-13 00:00:00
Last Update:        2009-06-26 00:02:22
Expire Date:        2010-06-10

Registrant
  Name:             Alicom srl
  ContactID:        ALIC25-ITNIC
  Address:          Via Pietro Nenni 294
                    San Giovanni Teatino
                    66020
                    CH
                    IT
  Created:          2007-03-01 10:34:40
  Last Update:      2008-06-26 17:50:02

Admin Contact
  Name:             Omero Narducci
  ContactID:        ON60-ITNIC
  Address:          Via Pietro Nenni 294
                    San Giovanni Teatino
                    66020
                    CH
                    IT
  Created:          2004-06-09 00:00:00
  Last Update:      2007-03-01 07:39:03

Technical Contacts
  Name:             Alicom Domain Registration Staff
  ContactID:        ADRS1-ITNIC
  Address:          VIA P. NENNI, 294
                    San Giovanni Teatino
                    66020
                    CH
                    IT
  Created:          2007-02-16 00:00:00
  Last Update:      2009-09-03 15:04:49

  Name:             Alicom Technical Management Staff
  ContactID:        ATMS1-ITNIC
  Organization:     Alicom s.r.l.
  Address:          VIA P. NENNI, 294
                    Sambuceto
                    66020
                    CH
                    IT
  Created:          2005-03-04 00:00:00
  Last Update:      2009-08-24 15:29:55

Registrar
  Organization:     Alicom s.r.l.
  Name:             ALICOM-MNT

Nameservers
  dns.tol.it
  dns2.tol.it

Re: CartaSi: cannot shut down those phish web sites

Postby efa » Fri Sep 18, 2009 2:20 am

I wrote to:
compliance@opensrs.org
abuse@abuse.tucows.com
two times, on 14/9 and yesterday, no action

Re: CartaSi: cannot shut down those phish web sites

Postby efa » Fri Sep 18, 2009 2:24 am

AlphaCentauri wrote: Where is CartaSi while all this is going on? It seems like you are single-handedly fighting this battle, when they have the most to lose.

I do not know why I got so much CartaSi phish email, but my mission became to shut them all down ;-))

Re: CartaSi: cannot shut down those phish web sites

Postby spamislame » Fri Sep 18, 2009 11:27 am

When I visit s8625c.com I get a "Domain Default Page", not a phishing website.

?

SiL

Re: CartaSi: cannot shut down those phish web sites

Postby meep » Fri Sep 18, 2009 12:09 pm

Hi efa,

I will try my contacts at TuCows. Obviously someone is asleep over there.

Hey, SiL

That phish is still active on the subdir

hxxp://s8625c.com/titolari.cartasi.it/

Code:
--- 09/18/09 12:07:45 Eastern Daylight Time
--- reading URL s8625c.com/titolari.cartasi.it/
--- contacting host s8625c.com [217.73.236.40] on port 80

HTTP/1.1 200 OK
Content-Length: 38501
Content-Type: text/html
Content-Location: http://s8625c.com/titolari.cartasi.it/Index.htm
Last-Modified: Thu, 17 Sep 2009 08:31:42 GMT
Accept-Ranges: bytes
ETag: "346b94487137ca1:3a90"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
Date: Fri, 18 Sep 2009 16:05:54 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!-- saved from url=(0044)https://titolari.cartasi.it/portal/server.pt -->
<HTML><HEAD><TITLE>Home Page</TITLE>
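The response quoted in the post above carries the "saved from url" comment that Internet Explorer writes when a page is saved to disk, naming the real CartaSi portal while the page is served from s8625c.com. An added example, not part of the original post, of checking a fetched response for that marker and comparing its host with the serving host; the function names and the trimmed sample response are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Sample input (constructed): trimmed from the response quoted in the post above.
RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Location: http://s8625c.com/titolari.cartasi.it/Index.htm\r\n"
    "\r\n"
    '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">\r\n'
    "<!-- saved from url=(0044)https://titolari.cartasi.it/portal/server.pt -->\r\n"
    "<HTML><HEAD><TITLE>Home Page</TITLE>"
)

# The four digits in parentheses are the length of the URL that follows.
SAVED_FROM = re.compile(r"<!--\s*saved from url=\((\d{4})\)(\S+)\s*-->", re.I)

def saved_from_url(body):
    """Return the URL in a 'saved from url' comment, or None if absent or malformed."""
    m = SAVED_FROM.search(body[:2048])      # the comment sits near the top of the file
    if not m:
        return None
    length, url = int(m.group(1)), m.group(2)
    return url[:length] if len(url) >= length else None

def check_clone(raw_response, serving_host):
    """Report status, origin of the saved copy, and whether it is hosted elsewhere."""
    head, _, body = raw_response.partition("\r\n\r\n")
    status = int(head.split("\r\n")[0].split()[1])
    origin = saved_from_url(body)
    origin_host = urlsplit(origin).hostname if origin else None
    return {
        "status": status,
        "saved_from": origin,
        "origin_host": origin_host,
        "cloned_elsewhere": bool(origin_host) and origin_host != serving_host.lower(),
    }
```

Run the check against the full reported path rather than the domain root, since the root here returned only a default page.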

Re: CartaSi: cannot shut down those phish web sites

Postby spamislame » Fri Sep 18, 2009 2:08 pm

Aha. Thanks Meep. Sorry for missing that.

SiL
