Nice Scam attempt! in Spam, Scam and Phishbusters

Nice Scam attempt! in Spam, Scam and Phishbusters http://www.dslreports.com/forum/r20086554 en Sat, 30 Aug 2008 08:19:57 EDT Sat, 30 Aug 2008 08:19:57 EDT Re: Nice Scam attempt! http://www.dslreports.com/forum/remark,20428183 SnowyOne :

said by Dude111

:

Well the redirector link is now down

»nwolb.com.606076a398.com/default···ndex.php

We are back to square 0......

No, that's not true.
There's one less redirector on the net.
ps redirectors are not really special at all.]]> http://www.dslreports.com/forum/remark,20428183 Sat, 03 May 2008 22:23:17 EDT Re: Nice Scam attempt! http://www.dslreports.com/forum/remark,20427836 Dude111 : Well the redirector link is now down

»nwolb.com.606076a398.com/default···ndex.php

We are back to square 0......]]> http://www.dslreports.com/forum/remark,20427836 Sat, 03 May 2008 21:06:08 EDT Re: Nice Scam attempt! http://www.dslreports.com/forum/remark,20396447 Dennis : Stop the swearing, and stop the yelling.]]> http://www.dslreports.com/forum/remark,20396447 Sun, 27 Apr 2008 19:14:20 EDT Re: Nice Scam attempt! http://www.dslreports.com/forum/remark,20395774 Insder : Right..But the amount of time it takes to GET those sites taken down is enough time for people to get scammed. The phishers have endless resources..we don't. Either post the redirector or shut the hell up, because you're not really helping anyone. The scams get taken down eventually either way, and our progress is little to none.
--
The one, the only, the Insder. :: Fighting phishing for life.]]> http://www.dslreports.com/forum/remark,20395774 Sun, 27 Apr 2008 16:22:55 EDT Re: Nice Scam attempt! http://www.dslreports.com/forum/remark,20394931 garys_2k : Stop shouting. The problem is that you're making no long term progress against the phisher's source machine but people here can do so IF you post that redirector. Whack-a-mole isn't going to go anywhere, it's just delaying the inevitable. If we can get to the redirector it CAN be traced back to the command and control box, get it?]]> http://www.dslreports.com/forum/remark,20394931 Sun, 27 Apr 2008 12:43:15 EDT Re: Nice Scam attempt! http://www.dslreports.com/forum/remark,20394046 Dude111 : IF I POST THE RE-DIRECTOR IT WILL GO DOWN,THEY WILL JUST PUT UP ANOTHER ONE AND WE WONT KNOW ANY NEW SITES THEY PUT UP!!!!!

ITS BETTER CONTACTING THAT HOST THEY ARE WITH AND HAVING ALL SITES POINTED TO THAT LOCATION KILLED!!

YOUR NOT THINKING LOGICALLY......... IM TRYING TO HELP PEOPLE AND KILLING THE MAIN LINK WILL ONLY PUT US IN THE COLD!!]]> http://www.dslreports.com/forum/remark,20394046 Sun, 27 Apr 2008 06:00:09 EDT Re: Nice Scam attempt! http://www.dslreports.com/forum/remark,20393168 Insder : You're a moron. Please post the redirector link. All you're doing now is playing whack-a-mole, and I guarantee you'll lose (as we don't have an endless amount of cards to use to pay for those phished accounts). While you're at it...submit to the fucking »/phishtrack!
--
The one, the only, the Insder. :: Fighting phishing for life.]]> http://www.dslreports.com/forum/remark,20393168 Sat, 26 Apr 2008 22:22:34 EDT Re: Nice Scam attempt! http://www.dslreports.com/forum/remark,20386905 Dude111 : Yes but if thats taken down we are back to square 0 (We wont find out any of thier sites until they spam with another link) Its better getting the sites off the redirector and taking them down from there wouldnt you agree?

Contacting that host might be a start also....]]> http://www.dslreports.com/forum/remark,20386905 Fri, 25 Apr 2008 15:57:14 EDT Re: Nice Scam attempt! http://www.dslreports.com/forum/remark,20386781 MGD : Are you sitting on a redirector link that you are holding, and it is pointing to the new sites as each one is taken down? Or are these new phish mails for each one ? I suspect the former.

said by Dude111

:

They should just give it up!! .......

Why?, it costs them nothing to do this, and they only have bank card data to gain.

They just registered a bunch of domains with prior phish victims cards, and paid for hosting the same way.

They were all hosted by »www.omnis.com/

[att=1][att=2]

If they do have a redirector as the phish link, they can play whack a mole with the host all day long, for free.

Is there a redirector link ?

MGD

]]> http://www.dslreports.com/forum/remark,20386781 Fri, 25 Apr 2008 15:39:40 EDT Re: Nice Scam attempt! http://www.dslreports.com/forum/remark,20386319 Dude111 : They should just give it up!!

NEW LINK: »abebale.com/www.nwolb.com/defaul···gin.html]]> http://www.dslreports.com/forum/remark,20386319 Fri, 25 Apr 2008 14:17:08 EDT Re: Nice Scam attempt! http://www.dslreports.com/forum/remark,20386225 SatManWorkin : Looks like the word is already out on that page Norton Flags it! :D

]]> http://www.dslreports.com/forum/remark,20386225 Fri, 25 Apr 2008 14:04:49 EDT Re: Nice Scam attempt! http://www.dslreports.com/forum/remark,20386108 Dude111 : Seems like when 1 goes down they slap another up,How is this possible so fast??

NEW LINK: »abtemanail.com/www.nwolb.com/def···gin.html]]> http://www.dslreports.com/forum/remark,20386108 Fri, 25 Apr 2008 13:48:27 EDT Re: Nice Scam attempt! http://www.dslreports.com/forum/remark,20383823 Dude111 : Down already :D

New link: »nakeplest.co.uk/default.aspxrefe···gin.html]]> http://www.dslreports.com/forum/remark,20383823 Fri, 25 Apr 2008 02:40:32 EDT Re: Nice Scam attempt! http://www.dslreports.com/forum/remark,20383534 MGD : Help stop it, submit the entire email to -----> »/phishtrack or if unable, post the email headers and redact your personal info.

MGD]]> http://www.dslreports.com/forum/remark,20383534 Fri, 25 Apr 2008 00:50:10 EDT Re: Nice Scam attempt! http://www.dslreports.com/forum/remark,20383380 Dude111 : Still at it!!!

»nwalobi.com/default.aspxrefereri···gin.html

Unreal (Yhey dont seem to give up)]]> http://www.dslreports.com/forum/remark,20383380 Fri, 25 Apr 2008 00:07:58 EDT Re: Nice Scam attempt! http://www.dslreports.com/forum/remark,20290090 SnowyOne : Over several thousand dismantled phish I've never seen that type of code being hosted with the phish. It must have been the phisher checking his logs & seeing your IP multiple times in the data stash & then manually mounting the attack against it.
Nothing really exciting like that ever happens to me, you lucky dog! :)

EDIT to add: I might as well use the space to dispell that widely held belief. Filling garbage data into a phish does not have any negative effect on the phisher. :(]]> http://www.dslreports.com/forum/remark,20290090 Sat, 05 Apr 2008 23:41:04 EDT Re: Nice Scam attempt! http://www.dslreports.com/forum/remark,20289987 Doctor Four :

said by SnowyOne

:

At one point in time that was an effective hassle for the phisher. Nowadays there are scripts that will strip out the garbage in 5MB's of data in about 3 seconds.
Truth be known, when people fill in garbage data today at a phish they are more likely to be wasting their own time more than the phishers time. Actually it's not even more likely, it's absolutely positive.
I do like your way of thinking though! :)

Not only that, but I think some of the botnet hosted ones may
have defensive countermeasures. A few weeks ago, I did this
about a dozen times with a Franklin Bank one, then went to
report it to Phishtracker. I then closed Firefox, and
within a few minutes, my modem lit up solid (or rather
blinking very fast) with unsolicited traffic. I couldn't
even get Google, my home page, to load. It sure seemed to
me like I was being DDoS'd, but I simply power cycled my
modem and got a new IP address. When I checked it in
Phishtracker a few minutes later, it was already dead.
--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)
]]> http://www.dslreports.com/forum/remark,20289987 Sat, 05 Apr 2008 23:12:10 EDT Re: Nice Scam attempt! http://www.dslreports.com/forum/remark,20286197 SnowyOne : At one point in time that was an effective hassle for the phisher. Nowadays there are scripts that will strip out the garbage in 5MB's of data in about 3 seconds.
Truth be known, when people fill in garbage data today at a phish they are more likely to be wasting their own time more than the phishers time. Actually it's not even more likely, it's absolutely positive.
I do like your way of thinking though! :)]]> http://www.dslreports.com/forum/remark,20286197 Sat, 05 Apr 2008 03:41:08 EDT Re: Nice Scam attempt! http://www.dslreports.com/forum/remark,20286156 voogru : You know, it might be worth it to setup an army of bots to go to phishing sites and submit fake but realistic looking data.

Such a thing would spam the phish sites with so much garbage that they would have a hard time finding the real data.]]> http://www.dslreports.com/forum/remark,20286156 Sat, 05 Apr 2008 03:10:36 EDT Re: Nice Scam attempt! http://www.dslreports.com/forum/remark,20183187 MGD : You're obviously on their mailing list. Appears to be the same phishpak as the previous one »natwast.biz/natwest/updateurnatw···natwest/ except this time they are on bluehost »network-tools.com/default.asp?pr···wast.biz

Submit the entire phishmail to »/phishtrack so that SnowyOne

and scott1527

can take a look at it. There may be some valuable data in the headers, that could match an existing profile.

Also the link will be shared in real time with block lists, which will reduce the potential victim pool.

MGD]]> http://www.dslreports.com/forum/remark,20183187 Tue, 18 Mar 2008 03:13:31 EDT Re: Nice Scam attempt! http://www.dslreports.com/forum/remark,20182928 Dude111 : These idiots dont seem to give up!!

New link: »natwast.biz/natwest/updateurnatw···aspx.htm]]> http://www.dslreports.com/forum/remark,20182928 Tue, 18 Mar 2008 01:17:32 EDT Re: Nice Scam attempt! http://www.dslreports.com/forum/remark,20101086 Dude111 : I cant believe they wouldnt take a site down IMMEDIATLEY when they get a report!!!!!

This doesnt make sense to me!

And that email address listed above (moonbear@chinagirlson.net) is probably where all the data is emailed to.......]]> http://www.dslreports.com/forum/remark,20101086 Mon, 03 Mar 2008 15:45:37 EDT Re: Nice Scam attempt! http://www.dslreports.com/forum/remark,20100174 Kibbles : It look like Pipex does have a decent AUP.

»www.pipex.co.uk/legal/aup.php

»www.iwf.org.uk/]]> http://www.dslreports.com/forum/remark,20100174 Mon, 03 Mar 2008 13:17:39 EDT Re: Nice Scam attempt! http://www.dslreports.com/forum/remark,20100070 MGD :

said by Dude111

:

....... I hope they quickly act on your report!

Not very likely, which is why I initially went via the "support" route. I was able to get a reply from the support staff within the hour. However, they will not do anything about it:

quote:
Response (Greg D) - 03 Mar. 2008 04:54
Dear MGD,

Thank you for your support request.

All abuse notifications must go to abuse[at]pipex.net.

All notifications sent to other addresses will be ignored.

Of course the notice sent to pipex abuse has not been acted upon in over 12 hours. I am also sure they must have received prior complaints from that phish mailing. You posted this back on 02/29, so this phish site is at least into its fourth day of uptime. That makes it a very successful phish run for the phisher. Most of the data comes in the first 24 to 48 hours of uptime.

The issue for the unresponsive Pipex is, that if the scenario that this is a phisher's carded account is correct, he will keep coming back. They are essentially providing phish hosting services for free.

While I knew that support would respond a lot quicker than abuse, I thought that they would intervene since it was such an obvious fraud issue.

Many good hosting companies have a "shoot on sight" policy for phishing. Not only is that effective in removing them quickly, it also acts as a deterrent to keep phishers away from their network.

Obviously Webfusion / Pipex are clueless in that respect. In fact Webfusion does not list any information about abuse reporting on their contact page: »www.webfusion.co.uk/contact.php

MGD]]> http://www.dslreports.com/forum/remark,20100070 Mon, 03 Mar 2008 13:00:53 EDT Re: Nice Scam attempt! http://www.dslreports.com/forum/remark,20099789 Dude111 : Yes i found all those directories but i couldnt find the LOG files for entered data.... (Must be stored somewhere else)

I hope they quickly act on your report!]]> http://www.dslreports.com/forum/remark,20099789 Mon, 03 Mar 2008 12:11:06 EDT Re: Nice Scam attempt! http://www.dslreports.com/forum/remark,20097926 MGD :

said by Kibbles

:

Is wvps212-241-210-148.vps the actual account/website the scammer has hosted by webfusion...if so can they be reported for fraud..then again they more than likely are using a stolen credit card?

Yes it is either as removed

and nwrickert

suggested, or as you stated purchased hosting using a previous phish victim's card and personal data.

If the later then the phisher opted for the 2.0 plus plan or the pro plan here: »www.webfusion.co.uk/virtual-private-servers/ I can tell it is either of those two Virtual Private Hosting (VPS) Plans running on IP 212.241.210.148. A quick audit reveals that the machine is named VPS 342830, and is one of the above two plans, because it is running Win2k3 server:

[att=1]

Also has FTP running and Remote Terminal Services. Not sure of the significance of the sendmail_from moonbear@chinagirlson.net

[att=2]

as that domain was never set up on that IP or hosting service. However it was infiltrated by Turkish hackers: »www.google.com/search?hl=en&q=@c···lson.net

said by Dude111

:

Is anyone filling out thier info?.....

ergo, the suggestion to submit to »/phishtrack, as the focus will be on taking it down, plus it will be picked up by block lists.

said by Dude111

:

......I have tried searching for the files (log files of entered data) but i cant find it,it must be emailing the data off server.......

Yes, it is emailing the data. loginfinish.do.php dated 02/29 contains the email address where the data is being sent.

[att=3]

The rest of the phish files are here:

[att=4]

Heads up sent to Webfusion.co.uk via the account support panel:

[att=5]

MGD

]]> http://www.dslreports.com/forum/remark,20097926 Sun, 02 Mar 2008 23:46:00 EDT Re: Nice Scam attempt! http://www.dslreports.com/forum/remark,20093981 Dude111 : Is anyone filling out thier info?

We must do exactly what they want and fill out every line (I just hope they like thier entries)

I have tried searching for the files (log files of entered data) but i cant find it,it must be emailing the data off server.......]]> http://www.dslreports.com/forum/remark,20093981 Sun, 02 Mar 2008 10:08:23 EDT Re: Nice Scam attempt! http://www.dslreports.com/forum/remark,20091590 removed :

said by Kibbles

:

Is wvps212-241-210-148.vps the actual account/website the scammer has hosted by webfusion...if so can they be reported for fraud..then again they more than likely are using a stolen credit card?

My personal experience is that 90% of these scams are simply being uploaded via insecure scripts. The server's administrator and the ISP have no idea that this is being done ... this is why it helps to submit phishing attempts to the phishtracker and services such as SpamCop. :)]]> http://www.dslreports.com/forum/remark,20091590 Sat, 01 Mar 2008 19:33:10 EDT Re: Nice Scam attempt! http://www.dslreports.com/forum/remark,20091418 nwrickert : Yes, the actual website is at wvps212-241-211-79.vps.webfusion.co.uk. However, the owner of that computer may not even be aware of the problem. The computer has been trojanized, and the installed malware is running the phish page.
--
AT&T dsl; Westell 327w modem/router; SuSE 10.1; firefox 2.0.0.12]]> http://www.dslreports.com/forum/remark,20091418 Sat, 01 Mar 2008 18:54:01 EDT Re: Nice Scam attempt! http://www.dslreports.com/forum/remark,20091015 Kibbles : Is wvps212-241-210-148.vps the actual account/website the scammer has hosted by webfusion...if so can they be reported for fraud..then again they more than likely are using a stolen credit card?]]> http://www.dslreports.com/forum/remark,20091015 Sat, 01 Mar 2008 17:16:03 EDT Re: Nice Scam attempt! http://www.dslreports.com/forum/remark,20089146 Doctor Four : If you use Firefox, it includes a phishing filter. If you
click on "help" on the top menu, there's an item named
"report web forgery". You'll have to enter some captcha in
order to continue, but you may have saved a less savvy
Firefox user from being scammed.
--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)
]]> http://www.dslreports.com/forum/remark,20089146 Sat, 01 Mar 2008 10:50:04 EDT Re: Nice Scam attempt! http://www.dslreports.com/forum/remark,20087565 Dude111 :

said by removed :
Just your run of the mill phishing site..

Yes..... Isnt it amazing how they all look the same?? (You can spot them a mile away :D)]]> http://www.dslreports.com/forum/remark,20087565 Fri, 29 Feb 2008 23:23:08 EDT Re: Nice Scam attempt! http://www.dslreports.com/forum/remark,20087509 nwrickert : You can submit these to »/phishtrack]]> http://www.dslreports.com/forum/remark,20087509 Fri, 29 Feb 2008 23:13:26 EDT Re: Nice Scam attempt! http://www.dslreports.com/forum/remark,20087501 removed : Just your run of the mill phishing site...]]> http://www.dslreports.com/forum/remark,20087501 Fri, 29 Feb 2008 23:11:43 EDT Nice Scam attempt! http://www.dslreports.com/forum/remark,20086554 Dude111 : In one of my throw away email accounts i got this message with this link to "update my bank info" :D

»wvps212-241-211-79.vps.webfusion···cure.php

Notice how you can enter ANYTHING and click next (I entered all bogus data :D)

Sadly though,there are people that do fall for these things and its sad.......

Here is the real site for this bank :)

»https://www.nwolb.com/default.aspx?refer···01:00:47]]> http://www.dslreports.com/forum/remark,20086554 Fri, 29 Feb 2008 20:10:54 EDT