German Paypal phish domain redirect

Phishing operations, including perpetrators, how to report them and get them shut down.

Postby meep » Thu Jul 07, 2011 10:30 am

domain name redirect: kontonummer22222222222222222222.com
IP: 88.208.252.196

(redirect reported)
inetnum: 88.208.252.0 - 88.208.253.255
netname: FASTHOSTS-UK-NETWORK
AS15418

destination was (content disabled as I post this)
URL=hxxp://my-account-kontonumer.com/Bank/paypal3.de/paypal.com/de/.9d4f47e6389393e534a5e8a8f2/cgi-bin/webscrcmd=_login-run&dispatch=5885d80a13c0db1f8e263663d3faee8dc60d77e6184470d51976060a4ab6ee74.php>


Nice fake WHOIS:
   Domain Name: KONTONUMMER22222222222222222222.COM
   Registrar: TUCOWS.COM CO.
   Whois Server: whois.tucows.com
   Referral URL: http://domainhelp.opensrs.net
   Name Server: NS1.LIVEDNS.CO.UK
   Name Server: NS2.LIVEDNS.CO.UK
   Name Server: NS3.LIVEDNS.CO.UK
   Status: clientTransferProhibited
   Status: clientUpdateProhibited
   Updated Date: 07-jul-2011
   Creation Date: 07-jul-2011
   Expiration Date: 07-jul-2012

>>> Last update of whois database: Thu, 07 Jul 2011 14:10:19 UTC <<<

Queried whois.tucows.com with "kontonummer22222222222222222222.com"...

Registrant:
 Rudolf Ammer
 M??gelegasse 5
 london, Borders W11 2BQ
 GB

 Domain name: KONTONUMMER22222222222222222222.COM


 Administrative Contact:
    Ammer, Rudolf  c.r.ammer@aon.at
    M??gelegasse 5
    london, Borders W11 2BQ
    GB
    +44.069919441911
 Technical Contact:
    Ammer, Rudolf  c.r.ammer@aon.at
    M??gelegasse 5
    london, Borders W11 2BQ
    GB
    +44.069919441911


 Registration Service Provider:
    Fasthosts Internet Limited, domains@fasthosts.co.uk
    +44.8708883600
    +44.8708883760 (fax)
    http://www.Fasthosts.co.uk



 Registrar of Record: TUCOWS, INC.
 Record last updated on 07-Jul-2011.
 Record expires on 07-Jul-2012.
 Record created on 07-Jul-2011.

 Registrar Domain Name Help Center:
    http://tucowsdomains.com

 Domain servers in listed order:
    NS2.LIVEDNS.CO.UK   
    NS3.LIVEDNS.CO.UK   
    NS1.LIVEDNS.CO.UK   


Partial headers:

Resent-Date:    Thu, 7 Jul 2011 07:00:32 -0400 (EDT)
MIME-Version:    1.0
Content-Type:    xxxxx
Message-ID:    xxx
X-MS-Tnef-Correlator:    
Received:    from xxx; Thu, 7 Jul 2011 07:00:32 -0400 (EDT)
Received:    from xxx; Thu, 7 Jul 2011 04:00:04 -0700
X-Source-Ip:    [75.148.247.105]
Delivered-To:    xx
Resent-From:    xx
Subject:    Warnung! Zur Zeit haben Sie nur begrenzten Zugang zu Ihrem Pay - Pay Konto [CDXFO0014]
Return-Path:    xx
X-Original-To:    xxx
Date:    Thu, 7 Jul 2011 11:00:25 +0000
X-Spam:    exempt
Thread-Topic:    Warnung! Zur Zeit haben Sie nur begrenzten Zugang zu Ihrem Pay - Pay Konto [CDXFO0014]
xxx
To:    xxxx
From:    PayPal <no.reply@paypal-de.de>
Content-Length:    0
content-type:    text/plain; charset="utf-8"
Content-Transfer-Encoding:    quoted-printable
X-RT-Original-Encoding:    iso-8859-1
Content-Length:    528


Body:

Dear PayPal user,
Unusual account activity has made it necessary to restrict your account until additional information for verification has been collected.

At present you have only limited access to your Pay Pal account. We therefore ask you to update the account details we have requested.

Please click here »<hxxp://kontonummer22222222222222222222.com>

Copyright © 1999-2011 PayPal. All rights reserved
PayPal Germany Pty Limited
ABN 93 111 195 389 (AFSL 304962)
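As an added example (not part of this thread), a small Python triage helper that parses the registry-style WHOIS fields quoted above and compares the domain's creation date with the mail's Date header, flagging the same-day registration this phish shows; the WHOIS excerpt and the date header below are constructed from the values in the post.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed excerpt of the WHOIS record quoted in the post (only the fields the check needs).
WHOIS_TEXT = """\
   Domain Name: KONTONUMMER22222222222222222222.COM
   Registrar: TUCOWS.COM CO.
   Name Server: NS1.LIVEDNS.CO.UK
   Name Server: NS2.LIVEDNS.CO.UK
   Status: clientTransferProhibited
   Creation Date: 07-jul-2011
   Expiration Date: 07-jul-2012
"""

# Constructed Date header, taken from the partial headers shown in the post.
MAIL_DATE_HEADER = "Thu, 7 Jul 2011 11:00:25 +0000"


def parse_whois(text):
    """Collect 'Key: Value' fields; repeated keys such as Name Server become lists."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?):\s*(.+?)\s*$", line)
        if not m:
            continue  # skip banners and blank lines
        key, value = m.group(1).strip().lower(), m.group(2)
        fields.setdefault(key, []).append(value)
    return fields


def domain_age_days(whois_fields, mail_date_header):
    """Whole days between the registry creation date and the time the phish was sent."""
    created = datetime.strptime(whois_fields["creation date"][0], "%d-%b-%Y")
    created = created.replace(tzinfo=timezone.utc)
    sent = parsedate_to_datetime(mail_date_header)
    return (sent - created).days


def triage(whois_text, mail_date_header, max_age_days=30):
    """Summarise the record and flag a domain registered shortly before the mail was sent."""
    fields = parse_whois(whois_text)
    age = domain_age_days(fields, mail_date_header)
    return {
        "domain": fields["domain name"][0].lower(),
        "registrar": fields["registrar"][0],
        "name_servers": [ns.lower() for ns in fields.get("name server", [])],
        "age_days": age,
        "newly_registered": age <= max_age_days,
    }
```

The name servers and registrar in the summary are what you need for the abuse report; the age flag is the cue that the lure domain, not just its current redirect target, should be reported.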

Re: German Paypal phish domain redirect

Postby NotBuyingIt » Thu Jul 07, 2011 10:35 am

my-account-kontonumer.com has been suspended by its domain registrar TUCOWS.COM
Status: clientHold

Unfortunately, TUCOWS has not (yet?) suspended kontonummer22222222222222222222.com
and the scam may simply alter its redirection to target another fraudulent site.

Re: German Paypal phish domain redirect

Postby Benzyl » Thu Jul 07, 2011 11:37 am

Since phishing operations now mostly use an initial redirection site to direct victims to the payload I have noticed often in the last few months that the payload will change two or three times in as many days before the initially spammed site is shut down. The ever popular PHISH in the form of an HTML attachment will sometimes be a stub that redirects to a proper site although that allows less scope for varying the target.

Re: German Paypal phish domain redirect

Postby meep » Thu Jul 07, 2011 12:19 pm

Benzyl wrote: Since phishing operations now mostly use an initial redirection site to direct victims to the payload I have noticed often in the last few months that the payload will change two or three times in as many days before the initially spammed site is shut down. ...


Yes, Benzyl, I have seen this pattern over the years as well, even with fraudulent domain purchases. More often, however, as you mention, the redirects' destination pages change on hacked webpages. I have looked at phishing scams on a regular basis since about 2003, and some of the tactics have changed, but the phishing problem still persists quite regularly with spammers.