[nsp-sec] Phishing html form @ AS 11388

Gabriel Iovino giovino at ren-isac.net
Wed May 19 09:19:27 EDT 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings,

There is a credential phishing form here:

> hxxp://kp26354.freehostia.com/phpformgenerator/use/kp/form1.html

You can see the passwords for this form here:

> hxxp://kp26354.freehostia.com/phpformgenerator/use/kp/admin/data.dat

I filed an online complaint at freehostia and got this initial response:

> Hello,
> 
> This is not a phishing. I've checked the form. It's like a developer's test. It's not related to any of the popular email providers.
> 
> Best Regards,
> Peter
> Support at Freehostia.com
> http://www.freehostia.com 

I replied trying to make my case and got this response:

> Hello,
> 
> As I mentioned earlier it doesn't like a phishing site.
> 
> Best Regards,
> Peter
> Support at Freehostia.com
> http://www.freehostia.com 

Does anyone here have a contact that can take this down?

Additional details:

> dig kp26354.freehostia.com +short
> 66.40.52.184

> whois -h whois.cymru.com 66.40.52.184
> AS      | IP               | AS Name
> 11388   | 66.40.52.184     | MAXIM - Peer 1 Dedicated Hosting

hxxp://kp26354.freehostia.com/phpformgenerator/use/kp/form1.html was an
iframe within hxxp://updates09876.9hz.com/

hxxp://updates09876.9hz.com/ is seen within this phishing email:

> To: "noreply at admin.com" <noreply at admin.com>
> Date: Tue, 18 May 2010 10:45:18 -0500
> Subject:
> Thread-Index: AQHK9qEdqXS6jHjXVU2un4XQ0dKrdw==
> Message-ID: <6C8FF2EC1F977944A0E2BA13AAF5C115856349DA19 at CITPXMB001V.uwcx.net>
> Accept-Language: en-US
> Content-Language: en-US
> X-MS-Has-Attach:
> X-MS-TNEF-Correlator:
> acceptlanguage: en-US
> Content-Type: multipart/alternative;
> 	boundary="_000_6C8FF2EC1F977944A0E2BA13AAF5C115856349DA19CITPXMB001Vuw_"
> MIME-Version: 1.0
> 
> --_000_6C8FF2EC1F977944A0E2BA13AAF5C115856349DA19CITPXMB001Vuw_
> Content-Type: text/plain; charset="iso-8859-1"
> Content-Transfer-Encoding: quoted-printable
> 
> Your MailBox Has Exceeded It Quota/Limit As Set By Your Administrator And y=
> ou May Not Be Able To Receive Or Send New Mails Until You Re-Validate . To =
> Re-Validate CLICK HERE<hxxp://updates09876.9hz.com/>
> 
> --_000_6C8FF2EC1F977944A0E2BA13AAF5C115856349DA19CITPXMB001Vuw_
> Content-Type: text/html; charset="iso-8859-1"
> Content-Transfer-Encoding: quoted-printable
> 
> <html dir=3D"ltr"><head>
> <meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Diso-8859-=
> 1">
> <style id=3D"owaTempEditStyle"></style><style title=3D"owaParaStyle"><!--P =
> {
> 	MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px
> }
> --></style>
> </head>
> <body ocsi=3D"x">
> <div style=3D"FONT-SIZE: 13px; COLOR: #000000; DIRECTION: ltr; FONT-FAMILY:=
>  Tahoma">
> <div></div>
> <div dir=3D"ltr"><font face=3D"Tahoma" color=3D"#000000" size=3D"2">Your Ma=
> ilBox Has Exceeded It Quota/Limit As Set By Your Administrator And you May =
> Not Be Able To Receive Or Send New Mails Until You Re-Validate . To Re-Vali=
> date
> <a href=3D"hxxp://updates09876.9hz.com/">CLICK HERE</a></font></div>
> </div>
> </body>
> </html>
> 
> --_000_6C8FF2EC1F977944A0E2BA13AAF5C115856349DA19CITPXMB001Vuw_--

Thanks!

Gabe

- --
Gabriel Iovino
Principal Security Engineer, REN-ISAC
http://www.ren-isac.net
24x7 Watch Desk +1(317)278-6630
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkvz5V8ACgkQwqygxIz+pTuaqACgg4bA99qjPb0PavEMr9i4hnws
O6AAoL8d8SbyPUduDEKJH7bIsLbyvjGW
=3yPC
-----END PGP SIGNATURE-----
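
An added example, not part of the original post: the quoted message is multipart/alternative with quoted-printable parts, so a plain text search of the raw source can miss or truncate links that a soft line break (`=` at end of line) splits. This Python sketch decodes each part first and reports the links in defanged form; the sample message, its headers and the line break inside the `href` are constructed for illustration.

```python
import re
from email import message_from_string, policy

# Constructed sample shaped like the quoted message (multipart/alternative,
# quoted-printable); the soft line break inside the href is constructed.
RAW = """\
From: sender@example.invalid
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

To Re-Validate CLICK HERE<hxxp://updates09876.9hz.com/>

--b1
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<html><body>To Re-Vali=
date <a href=3D"hxxp://updates09876.9=
hz.com/">CLICK HERE</a></body></html>

--b1--
"""

URL_RE = re.compile(r"h(?:tt|xx)ps?://[^\s<>\"']+", re.I)

def defang(url):
    """Return the URL in defanged form (hxxp scheme, [.] in the host)."""
    scheme, rest = url.split("://", 1)
    host, slash, path = rest.partition("/")
    scheme = re.sub("tt", "xx", scheme, flags=re.I)
    return f"{scheme}://{host.replace('.', '[.]')}{slash}{path}"

def links_by_part(raw):
    """Decode every text part, then map content type -> sorted defanged URLs."""
    msg = message_from_string(raw, policy=policy.default)
    found = {}
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            body = part.get_content()  # undoes quoted-printable and charset
            found[part.get_content_type()] = sorted({defang(u) for u in URL_RE.findall(body)})
    return found

if __name__ == "__main__":
    print("raw grep:", URL_RE.findall(RAW))   # HTML link is cut at the soft break
    print("decoded :", links_by_part(RAW))    # both parts give the full link
```

Comparing the per-part results also shows whether the plain-text and HTML alternatives point at the same host.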


