  Dude111 An Awesome Dude Premium join:2003-08-04 USA
| Nice Scam attempt!
In one of my throw away email accounts I got this message with this link to "update my bank info"
»wvps212-241-211-79.vps.webfusion···cure.php
Notice how you can enter ANYTHING and click next (I entered all bogus data)
Sadly though, there are people that do fall for these things and it's sad.......
Here is the real site for this bank 
»https://www.nwolb.com/default.aspx?refer···01:00:47 |
|
  removed I'm the bobblehead Premium,VIP join:2002-02-08 Houston, TX clubs: | Just your run of the mill phishing site... |
|
  nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL | reply to Dude111 You can submit these to »/phishtrack |
|
  Dude111 An Awesome Dude Premium join:2003-08-04 USA
| reply to removed said by removed : Just your run of the mill phishing site..
Yes..... Isn't it amazing how they all look the same?? (You can spot them a mile away) |
|
  Doctor Four My other vehicle is a TARDIS Premium join:2000-09-05 Dallas, TX
| reply to Dude111 If you use Firefox, it includes a phishing filter. If you click on "help" on the top menu, there's an item named "report web forgery". You'll have to enter some captcha in order to continue, but you may have saved a less savvy Firefox user from being scammed. -- "The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)
|
|
  Kibbles Premium join:1999-07-31 Mission Viejo, CA | reply to Dude111 Is wvps212-241-210-148.vps the actual account/website the scammer has hosted by webfusion...if so can they be reported for fraud..then again they more than likely are using a stolen credit card? |
|
  nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
| Yes, the actual website is at wvps212-241-211-79.vps.webfusion.co.uk. However, the owner of that computer may not even be aware of the problem. The computer has been trojanized, and the installed malware is running the phish page. -- AT&T dsl; Westell 327w modem/router; SuSE 10.1; firefox 2.0.0.12 |
|
  removed I'm the bobblehead Premium,VIP join:2002-02-08 Houston, TX clubs:
| reply to Kibbles said by Kibbles :Is wvps212-241-210-148.vps the actual account/website the scammer has hosted by webfusion...if so can they be reported for fraud..then again they more than likely are using a stolen credit card?
My personal experience is that 90% of these scams are simply being uploaded via insecure scripts. The server's administrator and the ISP have no idea that this is being done ... this is why it helps to submit phishing attempts to the phishtracker and services such as SpamCop. |
|
  Dude111 An Awesome Dude Premium join:2003-08-04 USA
edit: March 2nd, @10:08AM
| reply to Dude111 Is anyone filling out their info?
We must do exactly what they want and fill out every line (I just hope they like their entries)
I have tried searching for the files (log files of entered data) but I can't find it, it must be emailing the data off server....... |
|
 MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL
| reply to Kibbles said by Kibbles :Is wvps212-241-210-148.vps the actual account/website the scammer has hosted by webfusion...if so can they be reported for fraud..then again they more than likely are using a stolen credit card?
Yes it is either as removed and nwrickert suggested, or as you stated purchased hosting using a previous phish victim's card and personal data.
If the latter then the phisher opted for the 2.0 plus plan or the pro plan here: »www.webfusion.co.uk/virtual-private-servers/ I can tell it is either of those two Virtual Private Hosting (VPS) Plans running on IP 212.241.210.148. A quick audit reveals that the machine is named VPS 342830, and is one of the above two plans, because it is running Win2k3 server:

Also has FTP running and Remote Terminal Services. Not sure of the significance of the sendmail_from moonbear@chinagirlson.net as that domain was never set up on that IP or hosting service. However it was infiltrated by Turkish hackers: »www.google.com/search?hl=en&q=@c···lson.net
said by Dude111 :Is anyone filling out their info?.....
ergo, the suggestion to submit to »/phishtrack, as the focus will be on taking it down, plus it will be picked up by block lists.
said by Dude111 :......I have tried searching for the files (log files of entered data) but I can't find it, it must be emailing the data off server.......
Yes, it is emailing the data. loginfinish.do.php dated 02/29 contains the email address where the data is being sent.

The rest of the phish files are here:

Heads up sent to Webfusion.co.uk via the account support panel:

MGD |
|
  Dude111 An Awesome Dude Premium join:2003-08-04 USA edit: March 3rd, @12:11PM
| reply to Dude111 Yes I found all those directories but I couldn't find the LOG files for entered data.... (Must be stored somewhere else)
I hope they quickly act on your report! |
|
 MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL
edit: March 3rd, @01:03PM
| said by Dude111 :....... I hope they quickly act on your report!
Not very likely, which is why I initially went via the "support" route. I was able to get a reply from the support staff within the hour. However, they will not do anything about it:
quote: Response (Greg D) - 03 Mar. 2008 04:54
Dear MGD,
Thank you for your support request.
All abuse notifications must go to abuse[at]pipex.net.
All notifications sent to other addresses will be ignored.
Of course the notice sent to pipex abuse has not been acted upon in over 12 hours. I am also sure they must have received prior complaints from that phish mailing. You posted this back on 02/29, so this phish site is at least into its fourth day of uptime. That makes it a very successful phish run for the phisher. Most of the data comes in the first 24 to 48 hours of uptime.
The issue for the unresponsive Pipex is, that if the scenario that this is a phisher's carded account is correct, he will keep coming back. They are essentially providing phish hosting services for free.
While I knew that support would respond a lot quicker than abuse, I thought that they would intervene since it was such an obvious fraud issue.
Many good hosting companies have a "shoot on sight" policy for phishing. Not only is that effective in removing them quickly, it also acts as a deterrent to keep phishers away from their network.
Obviously Webfusion / Pipex are clueless in that respect. In fact Webfusion does not list any information about abuse reporting on their contact page: »www.webfusion.co.uk/contact.php
MGD |
|
  Kibbles Premium join:1999-07-31 Mission Viejo, CA | It looks like Pipex does have a decent AUP.
»www.pipex.co.uk/legal/aup.php
»www.iwf.org.uk/ |
|
  Dude111 An Awesome Dude Premium join:2003-08-04 USA
edit: March 3rd, @03:46PM
| reply to Dude111 I can't believe they wouldn't take a site down IMMEDIATELY when they get a report!!!!!
This doesn't make sense to me!
And that email address listed above (moonbear@chinagirlson.net) is probably where all the data is emailed to....... |
|
  Dude111 An Awesome Dude Premium join:2003-08-04 USA
edit: March 18th, @01:24AM
| reply to Dude111 These idiots don't seem to give up!!
New link: »natwast.biz/natwest/updateurnatw···aspx.htm |
|
 MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL
edit: March 18th, @03:15AM
| You're obviously on their mailing list. Appears to be the same phishpak as the previous one »natwast.biz/natwest/updateurnatw···natwest/ except this time they are on bluehost »network-tools.com/default.asp?pr···wast.biz
Submit the entire phishmail to »/phishtrack so that SnowyOne and scott1527 can take a look at it. There may be some valuable data in the headers, that could match an existing profile.
Also the link will be shared in real time with block lists, which will reduce the potential victim pool.
MGD |
|
 voogru
join:2001-07-22 | You know, it might be worth it to set up an army of bots to go to phishing sites and submit fake but realistic looking data.
Such a thing would spam the phish sites with so much garbage that they would have a hard time finding the real data. |
|
  SnowyOne Premium join:2003-04-05 Kailua, HI
| At one point in time that was an effective hassle for the phisher. Nowadays there are scripts that will strip out the garbage in 5MB's of data in about 3 seconds. Truth be known, when people fill in garbage data today at a phish they are more likely to be wasting their own time more than the phisher's time. Actually it's not even more likely, it's absolutely positive. I do like your way of thinking though! |
|
  Doctor Four My other vehicle is a TARDIS Premium join:2000-09-05 Dallas, TX
| said by SnowyOne :At one point in time that was an effective hassle for the phisher. Nowadays there are scripts that will strip out the garbage in 5MB's of data in about 3 seconds. Truth be known, when people fill in garbage data today at a phish they are more likely to be wasting their own time more than the phisher's time. Actually it's not even more likely, it's absolutely positive. I do like your way of thinking though!
Not only that, but I think some of the botnet hosted ones may have defensive countermeasures. A few weeks ago, I did this about a dozen times with a Franklin Bank one, then went to report it to Phishtracker. I then closed Firefox, and within a few minutes, my modem lit up solid (or rather blinking very fast) with unsolicited traffic. I couldn't even get Google, my home page, to load. It sure seemed to me like I was being DDoS'd, but I simply power cycled my modem and got a new IP address. When I checked it in Phishtracker a few minutes later, it was already dead.
-- "The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)
|
|
  SnowyOne Premium join:2003-04-05 Kailua, HI
edit: April 5th, @11:46PM
| Over several thousand dismantled phish I've never seen that type of code being hosted with the phish. It must have been the phisher checking his logs & seeing your IP multiple times in the data stash & then manually mounting the attack against it. Nothing really exciting like that ever happens to me, you lucky dog! 
EDIT to add: I might as well use the space to dispel that widely held belief. Filling garbage data into a phish does not have any negative effect on the phisher. |
|