[Solved] Western Union Phishing

Phishing operations, including perpetrators, how to report them and get them shut down.

Post by roberto7888 » Fri Feb 05, 2010 9:55 am

The phishing is still active. I have contacted the registrar Arsys.es/Nicline.com, the host adam.es and ixole.es, and the registrant Joan Sanchez Guardia by e-mail.
Code:
Registrar:     ARSYS INTERNET, S.L. D/B/A NICLINE.COM
Status:        ok
Dates:         Created 06-jul-2000   Updated 01-mar-2008  Expires 06-jul-2014
DNS Servers:   DNS19.SERVIDORESDNS.NET  DNS20.SERVIDORESDNS.NET 
I was referred to whois.nicline.com; I'm looking it up there.

Domain name: igrafic.com
Registrant:
      Joan Sanchez Guardia  (SROW-673116)
   jsanchez@ibernet.com
   roger de flor, 71
   Granollers   BARCELONA
   08400   ES
   +34 932477716   fax: +34 93247771
Administrative contact:
   Ixole Activa SL   (SRCO-1534422)
   ixole@ixole.es
   Mallorca 272 4 4.
   Barcelona   BARCELONA
   08037   ES
   +34 902023236   fax: +34 902023191
Technical contact:
   Ixole Activa SL   (SRCO-1534423)
   ixole@ixole.es
   Mallorca 272 4  4.
   Barcelona   BARCELONA
   08037   ES
   +34 902023236   fax:+34 902023191
Domain servers in listed order:
   dns19.servidoresdns.net  217.76.128.137
   dns20.servidoresdns.net  217.76.129.137
Created:       06 Jul 2000 07:44:22:000   UTC
Expires:       06 Jul 2014 07:44:22:000   UTC
Last updated:  01 Mar 2008 18:21:12:150   UTC

From - Thu Feb 04 22:45:32 2010
X-Account-Key: account4
X-UIDL: 1179582987.62522
X-Mozilla-Status: 1001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys: $label1
X-MSK: Off
Return-Path: <westernunionresponse@westernunion.com>
Received: from mwinf2812.orange.fr (mwinf2812 [10.232.15.40])
by mwinb7503 with LMTPA;
Thu, 04 Feb 2010 22:44:34 +0100
X-Sieve: CMU Sieve 2.3
X-Bcc: xxxxxxxxxxx
Received: from smtp28.orange.fr (localhost [127.0.0.1])
by mwinf2812.orange.fr (SMTP Server) with ESMTP id 8F4411C00088
for <cv1000000000000000112503636@back75-mail01-02.me-wanadoo.net>; Thu, 4 Feb 2010 22:44:34 +0100 (CET)
Received: from me-wanadoo.net (localhost [127.0.0.1])
by mwinf2812.orange.fr (SMTP Server) with ESMTP id 84A981C00092
for <cv1000000000000000112503636@back75-mail01-02.me-wanadoo.net>; Thu, 4 Feb 2010 22:44:34 +0100 (CET)
Received: from specenviro.com (mail.specenviro.com [12.68.236.122])
by mwinf2812.orange.fr (SMTP Server) with ESMTP id 3F0421C00088
for <xxxxxxxxxxxxxxxx>; Thu, 4 Feb 2010 22:44:34 +0100 (CET)
X-ME-UUID: 20100204214434258.3F0421C00088@mwinf2812.orange.fr
Received: from User ([74.169.3.60] RDNS failed) by specenviro.com with Microsoft SMTPSVC(6.0.3790.3959);
Thu, 4 Feb 2010 15:44:28 -0600
From: "Western Union"<westernunionresponse@westernunion.com>
Subject: *** SPAM ***Dear Valued Customer, your account has been limited
Date: Thu, 4 Feb 2010 16:43:57 -0500
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID: <SEMAILTMQQFSUIMFfb6000017ec@specenviro.com>
X-OriginalArrivalTime: 04 Feb 2010 21:44:29.0230 (UTC) FILETIME=[3A9234E0:01CAA5E3]
To: undisclosed-recipients:;
X-me-spamlevel: high
X-me-spamrating: 95.000000
X-me-spamcause: OK, (500)(1000)gggruggvucftvghtrhhoucdtuddrvdeltddrvddtgddtgeduiecuteggodetufdouefnucfrrhhofhhilhgvmecuoffgnecuuegrihhlohhuthemuceftddtnecuogetvdeijedqtdduucdlhedttddm
X-Text-Classification: personnel
X-POPFile-Link: http://127.0.0.1:8080/jump_to_message?view=7716


<html>
<head>
<title>Untitled</title>
<meta content="Evrsoft First Page" name="GENERATOR">
</head>
<body>
<p><span><font face="Arial" size="2">Dear Valued Customer,<br>
<br></span></p>
<p>This is an official notification from Western Union. Your account access has been limited due to a login attempt failure. We will need to confirm your Credit Card CVV from your profile.</p>
<p>To continue <a href="http://www.igrafic.com/flip/.WUCOMWEB/signInActiondo/methodsave/countryCode/US/index.htm">click here</a> and remove the limitation.If not, your account with us will be suspended and deleted.<br>
<br>
Visit us to:<br>
&nbsp;&nbsp;* Send money<br>
&nbsp;&nbsp;* Check the status of your order<br>
&nbsp;&nbsp;* Search for Agent locations worldwide<br>
&nbsp;&nbsp;* Learn about other Western Union services</span><br>
<br>
We are continually improving our Web site to better serve you. Be sure to check back with us often as we add exciting new services to meet your financial needs.<br>
<br>
If you have questions or need assistance, our customer service team</span> is here to help. Email us at <a href="http://www.igrafic.com/flip/.WUCOMWEB/signInActiondo/methodsave/countryCode/US/index.htm">customerservice@westernunion.com</span></a> <br>
<br>
Be sure to remember and protect your new User Name and Password. You will need your new User Name and Password next time you sign in to our site.</p>
<p>Thank you for using Western Union!<br></p> <p>------------------------------------------------------------------------------------------------------------------------------<br>
DO NOT REPLY TO THIS EMAIL. IF YOU HAVE QUESTIONS PLEASE <a href="http://www.igrafic.com/flip/.WUCOMWEB/signInActiondo/methodsave/countryCode/US/index.htm">CONTACT US</a></font></p>

</body>
</html>



Last edited by roberto7888 on Fri Feb 05, 2010 2:35 pm, edited 3 times in total.
roberto7888
Spam Muncher
 
Posts: 842
Joined: Tue Jan 02, 2007 11:04 am
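
The mismatches visible in the message quoted above (a westernunion.com From address, a specenviro.com Message-ID, and links that all lead to igrafic.com) can be checked mechanically. This is an added example, not part of the original post; the function names and the two-label domain comparison are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Excerpt of the message quoted above: three headers and two of its links.
RAW = '''From: "Western Union"<westernunionresponse@westernunion.com>
Message-ID: <SEMAILTMQQFSUIMFfb6000017ec@specenviro.com>
Content-Type: text/html; charset="Windows-1251"

<p>To continue <a href="http://www.igrafic.com/flip/.WUCOMWEB/signInActiondo/methodsave/countryCode/US/index.htm">click here</a></p>
<p>Email us at <a href="http://www.igrafic.com/flip/.WUCOMWEB/signInActiondo/methodsave/countryCode/US/index.htm">customerservice@westernunion.com</a></p>
'''

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def base_domain(host):
    # Simplification (assumption): last two labels; real tools use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def analyze(raw):
    """Return findings where the Message-ID or a link disagrees with the From domain."""
    msg = message_from_string(raw)
    from_dom = base_domain(parseaddr(msg["From"])[1].rpartition("@")[2])
    msgid_dom = base_domain(msg["Message-ID"].strip("<> ").rpartition("@")[2])
    findings = []
    if msgid_dom != from_dom:
        findings.append(f"Message-ID domain {msgid_dom} != From domain {from_dom}")
    parser = LinkCollector()
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        link_dom = base_domain(urlsplit(href).hostname or "")
        if link_dom != from_dom:
            findings.append(f"link '{text}' points to {link_dom}, not {from_dom}")
    return findings
```

A Message-ID mismatch alone is only a signal, since legitimate mail is often sent through third parties; the link whose visible text is a westernunion.com address but whose target is another domain is the stronger indicator.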

Re: [Solved] Western Union Phishing

Post by roberto7888 » Fri Feb 05, 2010 10:05 am

I have an answer from the registrar Arsys.es/Nicline.com. The IP 212.36.65.107 is from Adam.es.
See there:
http://whois.domaintools.com/212.36.65.107
http://legacytools.dnsstuff.com/tools/t ... ainterator
From: abuse@arsys.es
Subject: Re: [Phishing Of Western Union] Removal request: igrafic.com

Hello,
the address that igrafic.com/flip/.WUCOMWEB/signInActiondo/methodsave/countryCode/US/index.htm
refers to is not one we have access to, because the IP address is 212.36.65.107, outside our range.
Regards,
Arsys.es Administrator
================================


Code:
WHOIS - 212.36.65.107

inetnum:        212.36.65.0 - 212.36.65.255
netname:        ADAM
descr:          ADAM
country:        ES
admin-c:        JV284-RIPE
admin-c:        AM5386-RIPE
tech-c:         JV284-RIPE
tech-c:         AM5386-RIPE
tech-c:         FP1656-RIPE
tech-c:         RPR11-RIPE
status:         ASSIGNED PA
mnt-by:         OGIC-MNT
changed:        alfonso.masana@adam.es  20080527
source:         RIPE

person:         Alfonso Masana
e-mail:         alfonso.masana@adam.es
address:        OGIC INFORMATICA S.L ( ADAM )
address:        Travessera de Gràcia 342
address:        08025 BARCELONA ( SPAIN )
phone:          +0034 934465005
phone:          +0034 934465004
mnt-by:         OGIC-MNT
changed:        alfonso.masana@adam.es 20100202
nic-hdl:        AM5386-RIPE
source:         RIPE

person:         Joan Ventura
address:        OGIC INFORMATICA S.L ( ADAM)
address:        C/ Travessera de Gracia, 342
address:        08025 Barcelona
e-mail:         joan.ventura@adam.es
phone:          +0034 934465005
nic-hdl:        JV284-RIPE
changed:        alfonso.masana@adam.es 20100202
mnt-by:         OGIC-MNT
source:         RIPE

person:         Ferran Pons
address:        OGIC INFORMATICA S.L ( ADAM )
e-mail:         ferran.pons@adam.es
address:        Travessera de Gràcia 342
address:        08025 BARCELONA ( SPAIN )
phone:          +0034 934465005
phone:          +0034 934465004
mnt-by:         OGIC-MNT
changed:        alfonso.masana@adam.es  20080527
nic-hdl:        FP1656-RIPE
source:         RIPE

person:         Raul Ponseti Rodriguez
address:        OGIC INFORMATICA S.L
e-mail:         raul.ponseti@adam.es
address:        C/ Travessera de Gracia, 342
address:        08025 Barcelona
phone:          +0034 934465005
nic-hdl:        RPR11-RIPE
changed:        alfonso.masana@adam.es 20080527
mnt-by:         OGIC-MNT
source:         RIPE

% Information related to '212.36.64.0/19AS15699'

route:          212.36.64.0/19
descr:          ADAM Internet Network
origin:         AS15699
mnt-by:         OGIC-MNT
changed:        alfonso.masana@adam.es 20100127
notify:         alfonso.masana@adam.es
source:         RIPE

Last edited by roberto7888 on Fri Feb 05, 2010 2:36 pm, edited 1 time in total.
roberto7888
Spam Muncher
 
Posts: 842
Joined: Tue Jan 02, 2007 11:04 am
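
The registrar's reply and the WHOIS lookup above come down to one question: which network object actually covers the IP serving the page, since that decides where the takedown report goes. The following is an added example, not part of the original post; it parses an excerpt of the RIPE output quoted above (contact objects omitted), and the function names are assumptions.

```python
import ipaddress

# Excerpt of the RIPE WHOIS output quoted above (contact objects omitted).
WHOIS = """\
inetnum:        212.36.65.0 - 212.36.65.255
netname:        ADAM
mnt-by:         OGIC-MNT

% Information related to '212.36.64.0/19AS15699'

route:          212.36.64.0/19
descr:          ADAM Internet Network
origin:         AS15699
mnt-by:         OGIC-MNT
"""

def parse_objects(text):
    """Split RPSL-style output into objects: lists of (key, value) pairs."""
    objects, current = [], []
    for line in text.splitlines():
        if not line.strip() or line.startswith("%"):
            if current:
                objects.append(current)
                current = []
            continue
        key, _, value = line.partition(":")
        current.append((key.strip(), value.strip()))
    if current:
        objects.append(current)
    return objects

def hosting_network(ip, text):
    """Return netname and origin AS of the objects that actually cover `ip`."""
    addr, result = ipaddress.ip_address(ip), {"netname": None, "origin": None}
    for obj in parse_objects(text):
        kind, primary = obj[0]
        fields = dict(obj)  # last value wins for repeated keys
        if kind == "inetnum":
            first, last = (ipaddress.ip_address(p.strip()) for p in primary.split("-"))
            if first <= addr <= last:
                result["netname"] = fields.get("netname")
        elif kind == "route" and addr in ipaddress.ip_network(primary):
            result["origin"] = fields.get("origin")
    return result
```

For 212.36.65.107 this returns netname ADAM and origin AS15699, while the registrar's name-server address 217.76.128.137 from the first post matches neither object.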

Re: [Still Active] Western Union Phishing

Post by meep » Fri Feb 05, 2010 11:45 am

This must have been disabled just a bit ago as I get a 403 error when visiting the phishing site: (igrafic.com/flip/.WUCOMWEB/signInActiondo/methodsave/countryCode/US/index.htm)
meep
Spammers' Nightmare
 
Posts: 2777
Joined: Thu Apr 05, 2007 4:10 pm

Re: [Solved] Western Union Phishing

Post by roberto7888 » Fri Feb 05, 2010 2:37 pm

meep wrote: This must have been disabled just a bit ago as I get a 403 error when visiting the phishing site: (igrafic.com/flip/.WUCOMWEB/signInActiondo/methodsave/countryCode/US/index.htm)

Thanks Meep. The link has been disabled. I get a 403 error when visiting the phishing site.
roberto7888
Spam Muncher
 
Posts: 842
Joined: Tue Jan 02, 2007 11:04 am

