phishing poste.it

Phishing operations, including perpetrators, how to report them and get them shut down.

phishing poste.it

Postby efa » Thu Sep 17, 2009 7:15 am

I cannot find the contact address for the host of this:
hxxp:\\www.vermont-it.ru/bancopostaonline.poste.it/bpol/CARTEPRE/index.html

Re: phishing poste.it

Postby spamislame » Thu Sep 17, 2009 9:39 am

Code:
REGISTRY WHOIS FOR VERMONT-IT.RU

% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).

domain:     VERMONT-IT.RU
type:       CORPORATE
nserver:    ns.vernet.su.
nserver:    ns2.vernet.su.
state:      REGISTERED, DELEGATED
person:     Sergey S Koptsev
phone:      +7 495 5438850
fax-no:     +7 495 5438850
e-mail:     pirat_os@mail.ru
registrar:  RUCENTER-REG-RIPN
created:    2004.07.19
paid-till:  2010.07.19
source:     TC-RIPN

Last updated on 2009.09.17 17:33:20 MSK/MSD

Information Updated: Thu, 17 Sep 2009 13:36:25 UTC


Hosted on IP address: 77.91.199.59:

Code:
inetnum:        77.91.199.0 - 77.91.199.255
netname:        VERMONT-IT
descr:          Vermont-IT Internet Service Provider
country:        RU
admin-c:        DVM43-RIPE
tech-c:         DVM43-RIPE
status:         ASSIGNED PA
remarks:        INFRA-AW
mnt-by:         VERMONT-IT-MNT
changed:        morez@mail.ru 20081003
source:         RIPE

person:         Dmitriy V Morozov
address:        1d-1 Frunze str, 141070 Korolev,
address:        Russian Federation
phone:          +7 495 543 88 50
nic-hdl:        DVM43-RIPE
changed:        ip-box@nic.ru 20070615
source:         RIPE


That appears to be another hijacked 3rd-party server so you may want to contact the hosting company first.

SiL

Re: phishing poste.it

Postby meep » Thu Sep 17, 2009 10:08 am

I reported it to several addresses. It looks like vermont-it.ru is simply compromised: info@vermont-it.ru, morez@mail.ru, abuse@vermont-it.ru, etc.

vermont-it.ru
IP: 77.91.199.59
AS43667

Not familiar with this host at all. My first thought was that it was hijacked, but I'm not so sure now: after digging a bit deeper, I see that vermont-it.ru appears to have legitimate content. I gleaned info@vermont-it.ru from the website.

Also, I reported it to RIPE upstream: AS8615

Re: phishing poste.it

Postby meep » Thu Sep 17, 2009 10:39 am

404 :) That was quick, considering how late it is over in Moscow (after 6pm as I post this). I am pleasantly surprised.

Code:
--- 09/17/09 10:39:05 Eastern Daylight Time
--- reading URL hxxp:\\www.vermont-it.ru/bancopostaonline.poste.it/bpol/CARTEPRE/index.html
--- contacting host hXXp:\\www.vermont-it.ru [77.91.199.59] on port 80

HTTP/1.1 404 Not Found
Date: Thu, 17 Sep 2009 14:39:18 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny3 with Suhosin-Patch
Vary: Accept-Encoding
Content-Length: 368
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /bancopostaonline.poste.it/bpol/CARTEPRE/index.html was not found on this server.</p>
<hr>
<address>Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny3 with Suhosin-Patch Server at hXXp://www.vermont-it.ru Port 80</address>
</body></html>


--- connection closed

Re: phishing poste.it

Postby spamislame » Thu Sep 17, 2009 11:13 am

meep wrote: 404 :) That was quick, considering how late it is over in Moscow (after 6pm as I post this). I am pleasantly surprised.


Nicely done! Just over one hour from when I posted the whois / dns. :)

Good to see.

SiL

Re: phishing poste.it

Postby meep » Thu Sep 17, 2009 11:23 am

I think I automatically get a little suspicious of anything .ru nowadays. :oops:

When I was surfing to websites even as recently as 2000, I didn't equate things Russian with spamming / cybercriminality. Now, with most anything .ru that I am not familiar with, I am already suspicious. Same with websites that are Nigerian, Brazilian, Chinese, Korean, Romanian, Turkish, Estonian, Moldavian, etc. :evil:

Even so, most of the originating spam is on US networks. :!:

Re: phishing poste.it

Postby efa » Thu Sep 17, 2009 6:30 pm

Thank you very much.

I'm interested in this case.
I had already written to the e-mail address recovered from the WHOIS report on the domain.
But in the WHOIS on the host IP, I cannot find a contact address.
Where did you find it?

Re: phishing poste.it

Postby meep » Thu Sep 17, 2009 7:44 pm

efa wrote: But in the WHOIS on the host IP, I cannot find a contact address.


I used domainwhitepages.com: enter the domain, then check the domain WHOIS record, the DNS records and the network WHOIS record. At the bottom you see the RIPE information under the network WHOIS record (IP ownership). Only morez@mail.ru was listed under the network as a plausible abuse/technical address for the hoster. info@vermont-it.ru was taken from the website, and abuse@vermont-it.ru was just a guess. You can use this for ISPs as well; most security/abuse issues are directed to abuse@ the ISP's domain.

I did overlook the domain contact under the domain WHOIS: I should have added pirat_os@mail.ru as a contact, but did not in my report.

Code:
domain:     VERMONT-IT.RU
type:       CORPORATE
nserver:    ns.vernet.su.
nserver:    ns2.vernet.su.
state:      REGISTERED, DELEGATED
person:     Sergey S Koptsev
phone:      +7 495 5438850
fax-no:     +7 495 5438850
e-mail:     pirat_os@mail.ru
registrar:  RUCENTER-REG-RIPN
created:    2004.07.19
paid-till:  2010.07.19
source:     TC-RIPN


Sometimes you don't even see that much, so if the contact information is not clear enough you try to contact their upstream provider.

I hope this makes sense. Sometimes, when you dig deeper, you try the contacts for the name servers. Above, the nameserver is vernet.su; I could try to find that e-mail address if I couldn't find the ones listed earlier.
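
The lookup procedure meep describes, turned into code as an added example (this is not code from the thread or from any of the tools mentioned). It parses RPSL-style WHOIS output such as the RIPE and APNIC records quoted in this thread (embedded below, abridged, so it runs offline), follows admin-c/tech-c handles to their person objects, and ranks the addresses the way the posters did by hand: explicit abuse mailboxes first, then the e-mail on the referenced contacts, then a guessed abuse@<site domain> alias (an unverified guess, exactly as meep's was), and only as a last resort the address in a `changed:` attribute, which records who last edited the object rather than who wants abuse reports.

```python
"""Rank abuse-report addresses from RPSL-style WHOIS output (RIPE, APNIC).

Added example, not code from the original thread. The samples are the
RIPE and APNIC objects quoted in the thread, abridged.
"""
import re

SAMPLE_RIPE = """\
inetnum:        77.91.199.0 - 77.91.199.255
netname:        VERMONT-IT
descr:          Vermont-IT Internet Service Provider
country:        RU
admin-c:        DVM43-RIPE
tech-c:         DVM43-RIPE
status:         ASSIGNED PA
mnt-by:         VERMONT-IT-MNT
changed:        morez@mail.ru 20081003
source:         RIPE

person:         Dmitriy V Morozov
address:        1d-1 Frunze str, 141070 Korolev,
address:        Russian Federation
phone:          +7 495 543 88 50
nic-hdl:        DVM43-RIPE
changed:        ip-box@nic.ru 20070615
source:         RIPE
"""

SAMPLE_APNIC = """\
% [whois.apnic.net node-1]
inetnum:      61.135.0.0 - 61.135.255.255
netname:      UNICOM-BJ
country:      CN
admin-c:      CH1302-AP
tech-c:       SY21-AP
changed:      hm-changed@apnic.net 20090508
source:       APNIC

person:       ChinaUnicom Hostmaster
nic-hdl:      CH1302-AP
e-mail:       abuse@chinaunicom.cn
changed:      abuse@chinaunicom.cn 20090408
source:       APNIC

person:       sun ying
e-mail:       hostmast@publicf.bta.net.cn
nic-hdl:      SY21-AP
changed:      suny@publicf.bta.net.cn 19980824
source:       APNIC
"""

ATTR = re.compile(r"^([a-z-]+):\s*(.*?)\s*$")
ADDR = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def parse_objects(text):
    """Split WHOIS output into objects: lists of (attribute, value) pairs."""
    objects, current = [], []
    for line in text.splitlines():
        if line.startswith("%") or line.startswith("#"):
            continue                      # server comments / terms of use
        if not line.strip():
            if current:
                objects.append(current)
                current = []
            continue
        m = ATTR.match(line)
        if m:
            current.append((m.group(1), m.group(2)))
    if current:
        objects.append(current)
    return objects


def report_targets(text, site_domain=None):
    """Return {'abuse': [...], 'contact': [...], 'guess': [...], 'last_resort': [...]}."""
    objects = parse_objects(text)
    by_handle = {v: obj for obj in objects for k, v in obj if k == "nic-hdl"}
    out = {"abuse": [], "contact": [], "guess": [], "last_resort": []}

    def add(bucket, addr):
        addr = addr.lower()
        if addr and all(addr not in out[b] for b in out):   # dedupe across buckets
            out[bucket].append(addr)

    for obj in objects:
        # Follow admin-c / tech-c / abuse-c references to the contact objects
        # the network itself names; their addresses rank highest.
        for k, v in obj:
            if k in ("admin-c", "tech-c", "abuse-c") and v in by_handle:
                for ck, cv in by_handle[v]:
                    if ck == "abuse-mailbox" or (ck == "e-mail" and cv.lower().startswith("abuse")):
                        add("abuse", cv)
                    elif ck == "e-mail":
                        add("contact", cv)
    if site_domain:
        add("guess", f"abuse@{site_domain}")   # RFC 2142 role alias; unverified guess
    for obj in objects:
        for k, v in obj:
            if k == "changed":            # edit log, not a published contact
                m = ADDR.search(v)
                if m:
                    add("last_resort", m.group(0))
    return out


if __name__ == "__main__":
    print("RIPE ", report_targets(SAMPLE_RIPE, "vermont-it.ru"))
    print("APNIC", report_targets(SAMPLE_APNIC))
```

On the RIPE record the only thing left is the `changed:` addresses plus the guessed alias, which is exactly the situation efa ran into; on the APNIC record the admin-c resolves to abuse@chinaunicom.cn, which is why a plain `whois 61.135.204.86` surfaced a contact the web front-end did not.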

Re: phishing poste.it

Postby Nodus » Thu Sep 17, 2009 9:51 pm

meep wrote: When I was surfing to websites even as recently as 2000

That's not that recently. About the same amount of time before that the World Wide Web didn't even exist :wink:.

Re: phishing poste.it

Postby efa » Fri Sep 18, 2009 2:31 am

meep wrote: I used domainwhitepages.com: enter the domain, then check the domain WHOIS record, the DNS records and the network WHOIS record. At the bottom you see the RIPE information under the network WHOIS record (IP ownership). Only morez@mail.ru was listed under the network as a plausible abuse/technical address for the hoster.

I thought that an e-mail address present in the "changed:" field, like morez@mail.ru, was not for contact. Thanks.

Re: phishing poste.it

Postby efa » Fri Sep 18, 2009 7:59 am

Here is another one; please, someone report it along with me:

Subject: Phishing Poste.it using domain 'S3-POSTE.NET'
Date: Fri, 18 Sep 2009 13:52:19 +0200
From: efa
To: abuse@chinaunicom.cn, Policy <policy@melbourneit.com.au>, network-abuse <network-abuse@cc.yahoo-inc.com>

Dear Registrar and Host,
I have received another phish e-mail that contains a link to:

hxxp:\\s3-poste.net/bpol/CARTEPRE/login.html
registered by: MELBOURNE IT
resolves to 98.136.92.79
registered to: Yahoo! Inc.

domain: s3-poste.net redirects to:
hxxp:\\61.135.204.86/icons/www.poste.it/personale/index.php?logon=myposte
registered to: China Unicom

The link is a fake page of the Italian Bank 'Poste.it'

The domain 'S3-POSTE.NET' was registered solely for phishing, on 18-sep-2009.
Please suspend the domain 'S3-POSTE.NET' immediately.

NOTE: This domain was previously registered through MELBOURNE IT
on 15-sep-2009,
which suspended it with HOLD only on 16-sep-2009.
Now the domain has been re-registered and is used again by the phisher!

IT'S NECESSARY to follow all the instructions reported at the link below
to suspend a domain and be sure the phisher cannot reuse it.
In particular, all four of the following statuses MUST be applied:
ClientHold
ClientUpdateProhibited
ClientDeleteProhibited
ClientTransferProhibited

Detailed removal instructions are at this link:
http://www.spamtrackers.eu/wiki/index.p ... rar_Advice

The host '61.135.204.86' is cracked!
Delete these phishing pages immediately.

Regards, efa
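
The point of efa's report is that a hold alone is not a take-down: without clientDeleteProhibited the name can be dropped and re-registered, which is what happened between 16 and 18 September. The following is an added example (not code from the thread or from the spamtrackers wiki) that reads the `Status:` / `Domain Status:` lines of a registry WHOIS record, reports which of the four required EPP statuses are missing, and compares `Creation Date` values to detect a re-registration. The two WHOIS records embedded in it are constructed samples in the registry's thin-WHOIS layout; they are not the real records for s3-poste.net.

```python
"""Check whether a suspended phishing domain is actually locked down.

Added example, not from the original thread. WHOIS_HOLD_ONLY and
WHOIS_LOCKED are constructed samples, not real registry output.
"""
import re
from datetime import datetime

REQUIRED_STATUSES = {
    "clientHold",                # removed from the zone: stops resolving
    "clientUpdateProhibited",    # registrant cannot change nameservers/contacts
    "clientDeleteProhibited",    # cannot be dropped and re-registered
    "clientTransferProhibited",  # cannot be moved to another registrar
}

# Constructed: the situation the report describes on 16-sep-2009, a hold only.
WHOIS_HOLD_ONLY = """\
   Domain Name: S3-POSTE.NET
   Registrar: MELBOURNE IT
   Status: clientHold
   Updated Date: 16-sep-2009
   Creation Date: 15-sep-2009
   Expiration Date: 15-sep-2010
"""

# Constructed: a fully locked record, in the newer 'Domain Status: code url' layout.
WHOIS_LOCKED = """\
   Domain Name: S3-POSTE.NET
   Registrar: MELBOURNE IT
   Domain Status: clientHold https://icann.org/epp#clientHold
   Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
   Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Updated Date: 18-sep-2009
   Creation Date: 18-sep-2009
   Expiration Date: 18-sep-2010
"""

STATUS_RE = re.compile(r"^\s*(?:Domain )?Status:\s*([A-Za-z]+)", re.M)
CREATED_RE = re.compile(r"^\s*Creation Date:\s*(\S+)", re.M)
EPP_CANON = {s.lower(): s for s in REQUIRED_STATUSES}   # case-insensitive matching


def statuses(whois_text):
    """EPP status codes present in the record, canonical case, URLs dropped."""
    return {EPP_CANON.get(s.lower(), s) for s in STATUS_RE.findall(whois_text)}


def missing_locks(whois_text):
    """Required statuses the registrar has not applied (empty set means fully locked)."""
    return REQUIRED_STATUSES - statuses(whois_text)


def can_be_reregistered(whois_text):
    """True if the domain could be deleted and picked up again by the phisher."""
    return "clientDeleteProhibited" not in statuses(whois_text)


def creation_date(whois_text):
    """Parse the registry's dd-mon-yyyy creation date, or None if absent."""
    m = CREATED_RE.search(whois_text)
    return datetime.strptime(m.group(1), "%d-%b-%Y").date() if m else None


def is_reregistration(earlier_record, current_record):
    """A later Creation Date means the first registration was dropped and the name re-registered."""
    a, b = creation_date(earlier_record), creation_date(current_record)
    return a is not None and b is not None and b > a


if __name__ == "__main__":
    print("missing locks  :", sorted(missing_locks(WHOIS_HOLD_ONLY)))
    print("reusable       :", can_be_reregistered(WHOIS_HOLD_ONLY))
    print("re-registered  :", is_reregistration(WHOIS_HOLD_ONLY, WHOIS_LOCKED))
```

Run it against the registrar's record after each reply to a suspension request; an empty `missing_locks()` result is the condition under which the report can be closed.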

Re: phishing poste.it

Postby spamislame » Fri Sep 18, 2009 11:11 am

While you're at it:

http://s3-poste.net/

Redirects to:

http://61.135.204.86/icons/www.poste.it ... on=myposte

Code:
WHOIS - 61.135.204.86

Location: China [City: Beijing, Beijing]

ARIN says that this IP belongs to APNIC; I'm looking it up there.

...

person:       sun ying
address:      fu xing men nei da jie 97, Xicheng District
address:      Beijing 100800
country:      CN
phone:        +86-10-66030657
fax-no:       +86-10-66078815
e-mail:       hostmast@publicf.bta.net.cn
nic-hdl:      SY21-AP
mnt-by:       MAINT-CNCGROUP-BJ
changed:      suny@publicf.bta.net.cn 19980824
changed:      hm-changed@apnic.net 20060717
changed:      hostmast@publicf.bta.net.cn  20090630
source:       APNIC


SiL

Re: phishing poste.it

Postby efa » Fri Sep 18, 2009 2:07 pm

I got another WHOIS report for 61.135.204.86:
Code:
$ whois 61.135.204.86
% [whois.apnic.net node-1]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:      61.135.0.0 - 61.135.255.255
netname:      UNICOM-BJ
descr:        China Unicom Beijing province network
descr:        China Unicom
country:      CN
admin-c:      CH1302-AP
tech-c:       SY21-AP
mnt-by:       APNIC-HM
mnt-lower:    MAINT-CNCGROUP-BJ
mnt-routes:   MAINT-CNCGROUP-RR
status:       ALLOCATED PORTABLE
changed:      hm-changed@apnic.net 20031112
changed:      hm-changed@apnic.net 20040927
changed:      hm-changed@apnic.net 20050112
changed:      hm-changed@apnic.net 20060124
changed:      hm-changed@apnic.net 20090507
changed:      hm-changed@apnic.net 20090508
source:       APNIC

person:       ChinaUnicom Hostmaster
nic-hdl:      CH1302-AP
e-mail:       abuse@chinaunicom.cn
address:      No.21,Jin-Rong Street
address:      Beijing,100140
address:      P.R.China
phone:        +86-10-66259940
fax-no:       +86-10-66259764
country:      CN
changed:      abuse@chinaunicom.cn 20090408
mnt-by:       MAINT-CNCGROUP
source:       APNIC

person:       sun ying
address:      fu xing men nei da jie 97, Xicheng District
address:      Beijing 100800
country:      CN
phone:        +86-10-66030657
fax-no:       +86-10-66078815
e-mail:       hostmast@publicf.bta.net.cn
nic-hdl:      SY21-AP
mnt-by:       MAINT-CNCGROUP-BJ
changed:      suny@publicf.bta.net.cn 19980824
changed:      hm-changed@apnic.net 20060717
changed:      hostmast@publicf.bta.net.cn  20090630
source:       APNIC


So I wrote to abuse@chinaunicom.cn; no action.

Re: phishing poste.it

Postby meep » Fri Sep 18, 2009 2:24 pm

China Unicom blows (that is English slang for they need to get rid of their spam). :( Just take a look at Spamhaus SBLs like this one:

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL78734
Code:
Ref: SBL78734

61.135.204.86/32 is listed on the Spamhaus Block List (SBL)

17-Sep-2009 14:54 GMT | SR08

phish site

URL observed in phish spams:

http://61.135.204.86/icons/www.poste.it/personale/index.php?logon=myposte

Compromised server.


Spamhaus has this network under the name cnc-group-bj.
I think they are AS9800 (network identification); I sometimes get confused about which Chinese hosts and ISPs are what.

Chinese networks (very helpful for research if unsure):
http://www.cymru.com/BGP/incon_asn_list.html

Re: phishing poste.it

Postby meep » Tue Sep 22, 2009 12:49 pm

Maybe this phish will get pulled in November. Still up as of Tues 9/22/09 after being reported a few times.

Code:
--- 09/22/09 12:51:06 Eastern Daylight Time
--- reading URL http://61.135.204.86/icons/www.poste.it/personale/index.php?logon=myposte
--- contacting host [61.135.204.86] on port 80

HTTP/1.1 200 OK
Date: Tue, 22 Sep 2009 16:23:45 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

1fd0
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="it"><head>

<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1 ">

<meta name="Author" content="Poste Italiane S.p.A.">
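
Both of meep's transcripts judge the take-down by reading the raw HTTP reply: a 404 meant the pages were gone from vermont-it.ru, while a 200 still carrying Poste Italiane markup meant the China Unicom host was live five days after the first report. The following is an added example (not code from the thread or from the fetch tool meep used) that performs that classification on captured response bytes, decoding a `Transfer-Encoding: chunked` body like the one in the 22 Sep transcript so the brand markers can actually be searched. The two responses it contains are constructed samples shaped like the thread's transcripts, not captures, and the `BRAND_MARKERS` strings are an assumption about what a Poste.it kit copies from the real site.

```python
"""Classify a reported phishing URL's state from a raw HTTP/1.1 response.

Added example, not code from the original thread. RESP_GONE and RESP_LIVE
are constructed samples modelled on the transcripts, not captures.
"""

# Assumption: strings a Poste.it phishing kit copies from the real site.
BRAND_MARKERS = (b"Poste Italiane", b"www.poste.it")


def chunked(*parts):
    """Encode byte strings as an HTTP/1.1 chunked body (used to build the sample)."""
    body = b"".join(b"%x\r\n%s\r\n" % (len(p), p) for p in parts)
    return body + b"0\r\n\r\n"


RESP_GONE = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: Apache/2.2.9 (Debian)\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<html><body><h1>Not Found</h1></body></html>"
)

RESP_LIVE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.0.52 (Red Hat)\r\n"
    b"X-Powered-By: PHP/4.3.9\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
    + chunked(
        b'<html lang="it"><head>\n',
        b'<meta name="Author" content="Poste Italiane S.p.A.">\n',
        b"</head><body>login form here</body></html>",
    )
)


def split_response(raw):
    """Return (status_code, {header-name-lower: value}, body_bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("latin-1")
    return status, headers, body


def dechunk(body):
    """Decode a chunked body; chunk extensions and trailers are ignored."""
    out, pos = bytearray(), 0
    while True:
        nl = body.index(b"\r\n", pos)
        size = int(body[pos:nl].split(b";")[0], 16)
        if size == 0:
            return bytes(out)
        start = nl + 2
        out += body[start:start + size]
        pos = start + size + 2            # step over the chunk's trailing CRLF


def classify(raw):
    """'down' | 'live' | 'up-no-brand-content' | 'redirect:<target>' | 'other:<code>'."""
    status, headers, body = split_response(raw)
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    if status in (404, 410):
        return "down"                     # kit removed from this path
    if 300 <= status < 400:
        return "redirect:" + headers.get("location", "")   # chase the target as well
    if status == 200:
        # A 200 alone is not enough: hosters sometimes swap the kit for a placeholder.
        return "live" if any(m in body for m in BRAND_MARKERS) else "up-no-brand-content"
    return "other:%d" % status


if __name__ == "__main__":
    for name, raw in (("vermont-it.ru 17 Sep", RESP_GONE), ("61.135.204.86 22 Sep", RESP_LIVE)):
        print(name, "->", classify(raw))
```

A redirect result matters for cases like s3-poste.net, where the registered domain only forwarded to the compromised host: the domain and the host have to be checked separately, since either can be taken down without the other.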

