[nsp-sec] Phishing html form @ AS 11388
RuthAnne Bevier
ruthanne at caltech.edu
Wed May 19 13:58:27 EDT 2010
FYI, there is at least one other form hosted on a freehostia.com
server that is actively being used for credential phishing as of
this morning (most of our users got spammed with one of the usual
"re-validate your mailbox" type scams referencing this URL):
hxxp://admins.host.freehostia.com/use/boxmail/form1.html
I tried sending my complaint to the abuse contact for 66.40.52.166,
dhswip2 at propersupport.com -- no reply yet.
--RuthAnne
On Wed, May 19, 2010 at 09:19:27AM -0400, Gabriel Iovino wrote:
> ----------- nsp-security Confidential --------
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Greetings,
>
> There is a credential phishing form here:
>
> > hxxp://kp26354.freehostia.com/phpformgenerator/use/kp/form1.html
>
> You can see the passwords for this form here:
>
> > hxxp://kp26354.freehostia.com/phpformgenerator/use/kp/admin/data.dat
>
> I filed an online complaint at freehostia and got this initial response:
>
> > Hello,
> >
> > This is not phishing. I've checked the form. It's like a developer's test. It's not related to any of the popular email providers.
> >
> > Best Regards,
> > Peter
> > Support at Freehostia.com
> > http://www.freehostia.com
>
> I replied trying to make my case and got this response:
>
> > Hello,
> >
> > As I mentioned earlier, it doesn't look like a phishing site.
> >
> > Best Regards,
> > Peter
> > Support at Freehostia.com
> > http://www.freehostia.com
>
> Does anyone here have a contact that can take this down?
>
> Additional details:
>
> > dig kp26354.freehostia.com +short
> > 66.40.52.184
>
> > whois -h whois.cymru.com 66.40.52.184
> > AS | IP | AS Name
> > 11388 | 66.40.52.184 | MAXIM - Peer 1 Dedicated Hosting
>
> hxxp://kp26354.freehostia.com/phpformgenerator/use/kp/form1.html was an
> iframe within hxxp://updates09876.9hz.com/
>
> hxxp://updates09876.9hz.com/ is seen within this phishing email:
>
> > To: "noreply at admin.com" <noreply at admin.com>
> > Date: Tue, 18 May 2010 10:45:18 -0500
> > Subject:
> > Thread-Index: AQHK9qEdqXS6jHjXVU2un4XQ0dKrdw==
> > Message-ID: <6C8FF2EC1F977944A0E2BA13AAF5C115856349DA19 at CITPXMB001V.uwcx.net>
> > Accept-Language: en-US
> > Content-Language: en-US
> > X-MS-Has-Attach:
> > X-MS-TNEF-Correlator:
> > acceptlanguage: en-US
> > Content-Type: multipart/alternative;
> > boundary="_000_6C8FF2EC1F977944A0E2BA13AAF5C115856349DA19CITPXMB001Vuw_"
> > MIME-Version: 1.0
> >
> > --_000_6C8FF2EC1F977944A0E2BA13AAF5C115856349DA19CITPXMB001Vuw_
> > Content-Type: text/plain; charset="iso-8859-1"
> > Content-Transfer-Encoding: quoted-printable
> >
> > Your MailBox Has Exceeded It Quota/Limit As Set By Your Administrator And y=
> > ou May Not Be Able To Receive Or Send New Mails Until You Re-Validate . To =
> > Re-Validate CLICK HERE<hxxp://updates09876.9hz.com/>
> >
> > --_000_6C8FF2EC1F977944A0E2BA13AAF5C115856349DA19CITPXMB001Vuw_
> > Content-Type: text/html; charset="iso-8859-1"
> > Content-Transfer-Encoding: quoted-printable
> >
> > <html dir=3D"ltr"><head>
> > <meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Diso-8859-=
> > 1">
> > <style id=3D"owaTempEditStyle"></style><style title=3D"owaParaStyle"><!--P =
> > {
> > MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px
> > }
> > --></style>
> > </head>
> > <body ocsi=3D"x">
> > <div style=3D"FONT-SIZE: 13px; COLOR: #000000; DIRECTION: ltr; FONT-FAMILY:=
> > Tahoma">
> > <div></div>
> > <div dir=3D"ltr"><font face=3D"Tahoma" color=3D"#000000" size=3D"2">Your Ma=
> > ilBox Has Exceeded It Quota/Limit As Set By Your Administrator And you May =
> > Not Be Able To Receive Or Send New Mails Until You Re-Validate . To Re-Vali=
> > date
> > <a href=3D"hxxp://updates09876.9hz.com/">CLICK HERE</a></font></div>
> > </div>
> > </body>
> > </html>
> >
> > --_000_6C8FF2EC1F977944A0E2BA13AAF5C115856349DA19CITPXMB001Vuw_--
>
> Thanks!
>
> Gabe
>
> --
> Gabriel Iovino
> Principal Security Engineer, REN-ISAC
> http://www.ren-isac.net
> 24x7 Watch Desk +1(317)278-6630
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
--
RuthAnne Bevier
Information Security
California Institute of Technology
626-395-2671
ruthanne at caltech.edu
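A small triage helper, added here as an example and not code from either poster: it parses a lure shaped like the quoted-printable multipart message in Gabe's report, undoes the soft line breaks that split the URL in the raw text, and checks that the text/plain link and the HTML href agree before the indicator goes into a takedown request. The message body below is constructed from the quoted lure (defanged "hxxp" kept as on the page); the boundary string is a placeholder.

```python
import email
import re
from email import policy

# Constructed sample modelled on the lure quoted in the thread; not the original bytes.
RAW_LURE = """\
Content-Type: multipart/alternative;
\tboundary="_000_BOUNDARY_PLACEHOLDER_"
MIME-Version: 1.0

--_000_BOUNDARY_PLACEHOLDER_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Your MailBox Has Exceeded It Quota/Limit As Set By Your Administrator And y=
ou May Not Be Able To Receive Or Send New Mails Until You Re-Validate . To =
Re-Validate CLICK HERE<hxxp://updates09876.9hz.com/>

--_000_BOUNDARY_PLACEHOLDER_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<html><body><div dir=3D"ltr"><font face=3D"Tahoma">Your Ma=
ilBox Has Exceeded It Quota/Limit. To Re-Vali=
date
<a href=3D"hxxp://updates09876.9hz.com/">CLICK HERE</a></font></div></body></html>

--_000_BOUNDARY_PLACEHOLDER_--
"""

# Matches live and defanged schemes; stops at whitespace, angle brackets and quotes.
URL_RE = re.compile(r'(?:https?|hxxps?)://[^\s<>"\']+')

def extract_urls(raw):
    """Decode every leaf MIME part (quoted-printable soft breaks and =3D
    escapes undone) and return {content type: sorted unique URLs}."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        charset = part.get_content_charset() or "ascii"
        text = part.get_payload(decode=True).decode(charset, "replace")
        found[part.get_content_type()] = sorted(set(URL_RE.findall(text)))
    return found

def lure_indicators(raw):
    """All URLs across parts, plus whether every part points to the same
    place; a text/HTML mismatch is itself worth flagging in triage."""
    per_part = extract_urls(raw)
    all_urls = sorted(set().union(*per_part.values()))
    consistent = len({tuple(v) for v in per_part.values()}) == 1
    return all_urls, consistent
```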