[nsp-sec] URL redirecting to phishing form at AS36351
Gabriel Iovino
giovino at ren-isac.net
Mon Nov 23 08:36:33 EST 2009
Greetings,
Over the weekend I sent an email to <abuse at referer.us,
webmaster at referer.us> about a URL at their site redirecting to a
Phishing HTML form.
See their response here:
http://referer.wordpress.com/2009/11/22/ren-isac-notification-url-redirecting-to-a-phishing-web-page/
> dig referer.us +short
> 67.228.161.238
> whois -h whois.cymru.com 67.228.161.238
> AS | IP | AS Name
> 36351 | 67.228.161.238 | SOFTLAYER - SoftLayer Technologies Inc.
Can anyone help get this taken offline?
Here is the full email I sent their abuse address:
> Greetings,
>
> The following URL on your network has been identified as redirecting to
> a Phishing webpage:
>
> !!Warning these URL(s) may contain live malware!!
>
> [url]hxxp://referer.us/1/UdBiS3
>
> Path to this URL was seen via these links:
>
> 1. hxxp://vn27.9hz.com/
> 2. hxxp://referer.us/1/UdBiS3
> 3. hxxp://planetchiltern.com/phpformgenerator/use/striker/form1.html
>
> Here is the Phishing email with full mail headers:
>
>> > Return-Path: <bintsann at staff.pccu.edu.tw>
>> > Received: from relays.pccu.edu.tw (relays.pccu.edu.tw [140.137.16.12])
>> > by smtp.xxx.edu (8.14.3/8.14.3) with ESMTP id nAKNEtMW017993
>> > for <xxx at xxx.xxx.edu>; Fri, 20 Nov 2009 15:14:56 -0800
>> > Received: from faculty.pccu.edu.tw (faculty.pccu.edu.tw [140.137.16.1])
>> > by relays.pccu.edu.tw (Postfix) with ESMTP id 915E81CAD80;
>> > Sat, 21 Nov 2009 07:14:50 +0800 (CST)
>> > From: "bintsann" <bintsann at staff.pccu.edu.tw>
>> > Reply-To: webmaster.team0 at live.com
>> > Subject: System Administrator
>> > Date: Sat, 21 Nov 2009 07:14:50 +0800
>> > Message-Id: <20091120231450.M94072 at staff.pccu.edu.tw>
>> > X-Mailer: OpenWebMail 2.53
>> > X-OriginatingIP: 213.255.218.244 (bintsann)
>> > MIME-Version: 1.0
>> > Content-Type: text/plain;
>> > charset=big5
>> > To: undisclosed-recipients:;
>> > Content-Transfer-Encoding: quoted-printable
>> > X-MIME-Autoconverted: from 8bit to quoted-printable by smtp.xxx.edu id nAKNEuee018002
>> >
>> > Your mailbox has exceeded the storage limit which is 20GB as set by your=20
>> > administrator; you are currently running on 20.9GB,
>> >
>> > You may not be able to send or receive new mail until you re-validate you=
>> > r=20
>> > mailbox.
>> >
>> > To re-validate your mailbox please click the link below:
>> >
>> > hxxp://vn27.9hz.com/
>> >
>> > If the link above doesn=A1=A6t work please copy and paste the link below =
>> > to your=20
>> > browser window
>> >
>> > hxxp://vn27.9hz.com/
>> >
>> > Thanks Bintsann Staff, =20
>> > System Administrator
>
> Should you feel you've received this report in error, please let us know.
>
> On behalf of the REN-ISAC Team,
>
> Gabriel Iovino
> Principal Security Engineer, REN-ISAC
> http://www.ren-isac.net
> 24x
Thank you!
Gabe
--
Gabriel Iovino
Principal Security Engineer, REN-ISAC
http://www.ren-isac.net
24x7 Watch Desk +1(317)278-6630
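Added example, not part of the report or of REN-ISAC's tooling: a Python triage helper that pulls from a raw message the fields this report leaned on (the Received chain, the institutional From against a free-mail Reply-To, the webmail X-OriginatingIP, and the defanged URL in the body). The sample message is constructed from the headers quoted above, with " at " restored to "@".

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample from the headers quoted in the report: " at " restored
# to "@", URL kept defanged (hxxp), recipient domain redacted as in the post.
RAW_MESSAGE = """\
Return-Path: <bintsann@staff.pccu.edu.tw>
Received: from relays.pccu.edu.tw (relays.pccu.edu.tw [140.137.16.12])
 by smtp.xxx.edu (8.14.3/8.14.3) with ESMTP id nAKNEtMW017993
 for <xxx@xxx.xxx.edu>; Fri, 20 Nov 2009 15:14:56 -0800
Received: from faculty.pccu.edu.tw (faculty.pccu.edu.tw [140.137.16.1])
 by relays.pccu.edu.tw (Postfix) with ESMTP id 915E81CAD80;
 Sat, 21 Nov 2009 07:14:50 +0800 (CST)
From: "bintsann" <bintsann@staff.pccu.edu.tw>
Reply-To: webmaster.team0@live.com
X-OriginatingIP: 213.255.218.244 (bintsann)
Content-Type: text/plain; charset=big5
Content-Transfer-Encoding: quoted-printable

Your mailbox has exceeded the storage limit which is 20GB as set by your=20
To re-validate your mailbox please click the link below:
hxxp://vn27.9hz.com/
"""
# "from <host> (<rdns> [<ip>]) by <host>", the shape sendmail and Postfix write
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\([^)]*\[([\d.]+)\]\)\s+by\s+(\S+)")

def domain_of(header_value):
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def phishing_indicators(raw):
    msg = message_from_string(raw)
    hops = []  # header order: the top entry is the last (receiving) hop
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(hdr.split()))  # unfold the header
        if m:
            hops.append({"from": m.group(1), "ip": m.group(2), "by": m.group(3)})
    ip = re.match(r"\s*([\d.]+)", msg.get("X-OriginatingIP", ""))
    body = msg.get_payload(decode=True).decode(  # undo QP, then the charset
        msg.get_content_charset() or "ascii", "replace")
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    return {
        "from_domain": from_dom, "reply_to_domain": reply_dom,
        # replies steered to a free-mail account while From is institutional
        "reply_to_mismatch": bool(reply_dom) and reply_dom != from_dom,
        "originating_ip": ip.group(1) if ip else None,  # webmail client IP
        "hops": hops,
        "urls": sorted(set(re.findall(r"hxxps?://\S+", body))),
    }
```

The hop list shows the message leaving through the university's own relays while the webmail client address is unrelated to them, which is the pattern to check for when a report like this one points at a sending institution rather than at the landing site.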