WebsiteWelcome = pwned by phishing criminals

Phishing operations, including perpetrators, how to report them and get them shut down.


Post by spamislame » Wed May 04, 2016 12:44 pm

A quick note to see if I'm the only one noticing this.

Since 2014, about twice a month I receive phishing spam which always links to a website hosted on IP addresses operated by the HostGator subsidiary "Websitewelcome.com".

Today's example, another fake "Mystery Shopper" phishing site. Spammed using an initial redirect:

http://telemenu.com.br/exports.php

That's on IP address 192.185.214.93.

That page does a meta-refresh redirect to:

http://hopskipdecorate.com/index2.html

Which posts its form to:

http://hopskipdecorate.com/jonez.php

That domain is hosted on this IP:

192.185.155.125

This is the first websitewelcome phishing takeover for May 2016 that I've seen. For April there were 7. For each month prior to that there have been around 4 or 5.

Websitewelcome's website has zero information and lists an abuse email address that from my own experience does absolutely nothing with the messages it receives (abuse@websitewelcome.com).

I've spent the past three years attempting to get Hostgator's abuse team on board with taking *any* action whatsoever regarding these repeated hacks into their servers, but have seen absolutely no action on their part.

At this point my assumption is they just flat-out don't care, and will never take any action. What does it take to get a hosting company in front of an org. like the FTC for this kind of lax attitude towards the theft of personal data?

SiL
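The chain described in the post above (spammed URL, meta-refresh, landing page, form handler) can be pulled out of saved copies of the pages so that every hop goes into the abuse report. The following is an added example, not part of the original thread; the hosts `redirector.example` and `landing.example` are placeholders and the HTML is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

class ChainParser(HTMLParser):
    """Collects meta-refresh targets and form actions from one saved page."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.refresh, self.forms = base_url, [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "0; url=http://host/path" (quotes optional)
            m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content", ""), re.I)
            if m:
                self.refresh.append(urljoin(self.base_url, m.group(1).strip()))
        elif tag == "form":
            # a missing or empty action posts back to the page itself
            self.forms.append(urljoin(self.base_url, a.get("action", "")))

def trace(start_url, pages):
    """Walk meta-refreshes through pages (url -> saved HTML).
    Returns (hops, form_targets) for the final page reached."""
    hops, url = [start_url], start_url
    while url in pages:
        p = ChainParser(url)
        p.feed(pages[url])
        if not p.refresh:
            return hops, p.forms
        url = p.refresh[0]
        if url in hops:  # redirect loop, stop walking
            break
        hops.append(url)
    return hops, []

# Constructed sample pages: placeholder hosts, invented HTML.
PAGES = {
    "http://redirector.example/exports.php":
        '<meta http-equiv="refresh" content="0; url=http://landing.example/index2.html">',
    "http://landing.example/index2.html":
        '<form method="post" action="jonez.php"><input name="email"></form>',
}

if __name__ == "__main__":
    hops, forms = trace("http://redirector.example/exports.php", PAGES)
    print("hops to report:", hops)
    print("form handler(s):", forms)
```

The redirector, the landing page and the form handler can sit on different hosts, so each URL in the output may need its own report.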

Re: WebsiteWelcome = pwned by phishing criminals

Post by spamislame » Fri May 06, 2016 10:42 am

Another:

Fake Yahoo Mail phishing site:

http://aauplayers.com/virus/mail7.php

Hosted on WebsiteWelcome IP: 192.185.141.116

I'm pretty sure their entire IP space is owned by phishing criminals. Predominantly from Ukraine, selling their hacked server access to Nigerians who operate the phishing sites.

SiL

Re: WebsiteWelcome = pwned by phishing criminals

Post by Red Dwarf » Sat May 07, 2016 11:25 pm

spamislame wrote: A quick note to see if I'm the only one noticing this.

Since 2014, about twice a month I receive phishing spam which always links to a website hosted on IP addresses operated by the HostGator subsidiary "Websitewelcome.com".

Today's example, another fake "Mystery Shopper" phishing site. Spammed using an initial redirect:

http://telemenu.com.br/exports.php

That's on IP address 192.185.214.93.

That page does a meta-refresh redirect to:

http://hopskipdecorate.com/index2.html

Which posts its form to:

http://hopskipdecorate.com/jonez.php

That domain is hosted on this IP:

192.185.155.125

This is the first websitewelcome phishing takeover for May 2016 that I've seen. For April there were 7. For each month prior to that there have been around 4 or 5.

Websitewelcome's website has zero information and lists an abuse email address that from my own experience does absolutely nothing with the messages it receives (abuse@websitewelcome.com).

I've spent the past three years attempting to get Hostgator's abuse team on board with taking *any* action whatsoever regarding these repeated hacks into their servers, but have seen absolutely no action on their part.

At this point my assumption is they just flat-out don't care, and will never take any action. What does it take to get a hosting company in front of an org. like the FTC for this kind of lax attitude towards the theft of personal data?

SiL


telemenu.com.br/exports.php
>> You cannot connect to the server

HOPSKIPDECORATE.COM
Name Server: NS1233.WEBSITEWELCOME.COM
Name Server: NS1234.WEBSITEWELCOME.COM

HOPSKIPDECORATE.COM >> http://hopskipdecorate.com/cgi-sys/suspendedpage.cgi Suspended

Re: WebsiteWelcome = pwned by phishing criminals

Post by Red Dwarf » Sat May 07, 2016 11:26 pm

spamislame wrote: Another:

Fake Yahoo Mail phishing site:

http://aauplayers.com/virus/mail7.php

Hosted on WebsiteWelcome IP: 192.185.141.116

I'm pretty sure their entire IP space is owned by phishing criminals. Predominantly from Ukraine, selling their hacked server access to Nigerians who operate the phishing sites.

SiL


>> ERROR 404 - PAGE NOT FOUND

Re: WebsiteWelcome = pwned by phishing criminals

Post by AlphaCentauri » Sat May 14, 2016 11:00 pm

One problem with phish is you never know when the host is being unresponsive vs. the host is cooperating with the FBI to retrieve the drop file before shutting the site down.

Re: WebsiteWelcome = pwned by phishing criminals

Post by spamislame » Thu Sep 22, 2016 2:57 pm

I have a pretty great update about this hosting company.

As mentioned, they are colocated or part-owned by Hostgator.

Since over a year ago I've engaged in a campaign where I did the following:

  • report any phishing site to them via email
  • cc the legal department of the entity being spoofed (PayPal, Wells Fargo, etc.)
  • cc the abuse department of that entity

In none of these cases would I ever hear back from anybody.

Way back in January I opened a security report regarding websitewelcome and hostgator.com with the FTC. I never heard a single word back about it, which is normal for that kind of report.

I started numerous support chat sessions with Hostgator, all of which led nowhere. Their abuse team clearly was not taking this seriously.

But I think the FTC may have contacted them, because:

In only the past three days I started seeing brand new spamming of phishing sites hosted on websitewelcome sites which had all been hacked.

I reported all of them.

WITHIN THE HOUR - often less than that - the sites were being taken down, with responses from Hostgator security directly.

Somebody has had a "come to Jesus" meeting with somebody because so far this week I've gotten 4 of these sites shut down.

It isn't stopping the phishing spam (yet) but it's got to be having some kind of effect.

These are bottom-feeder phishing operations which are not very sophisticated at all. Broke criminals looking for a quick buck. But it's better than letting the sites stay live.

It's refreshing so I thought I would share.

SiL / iks / concerned citizen

