CastleCops PIRT Fried Phish Reports

PIRT Fried Phish Reports :: [PIRT#887149] Multiple brands on AS27823 200.58.114.129

downie — Sat, 05 Jul 2008 22:23:59 -0500

Author: downie
Subject: [PIRT#887149] Multiple brands on AS27823 200.58.114.129
Posted: Sun Jul 06, 2008 3:23 am (GMT 0)

Phish Alert

Full Report: http://www.castlecops.com/Bank_of_Montreal_Lloyds_TSB_Regions_Bank_Wachovia_Wells_Fargo_Yorkshire_Bank_phish887149.html

Consumed following related reports:

[886330] http://www.infofiesta.com/web/administrator/includes/pcl/update.htm
[887360] http://infofiesta.com/web/components/com_magazine/bmo.php
[887383] http://infofiesta.com/web/html/components/com_poll/index.htm
The URL accesses a Lloyds TSB phishing site, active at the time of investigation.
A page fetch was successful.
There is a WAchovia phish at
http://infofiesta.com/web/html/components/com_poll/index.htm
There is a BMO phish at
http://infofiesta.com/web/components/com_magazine/bmo.php
There is a Wells Fargo phish at
http://www.infofiesta.com/web/administrator/includes/pcl/update.htmChanged status to confirmed phish.IP Converted: 200.58.114.129

dword = 3359273601
hex1 = 0xc83a7281
hex2 = 0xc8.0x3a.0x72.0x81
oct = 0310.072.0162.0201
View CIDR AS27823 Report: http://www.cidr-report.org/cgi-bin/as-report?as=27823

"27823 | AR | lacnic | 2006-05-12 | Dattatec.com" 
Extended information for AS27823:
State/Province:
Country: ar
Responsible Domain: dattatec.com
Abuse Email: marketing@dattatec.com
Yorkshire Bank phish at
http://infofiesta.com/portal/components/com_zoom/lib/home.ybonline.co.uk/index.htmlRegions Bank phish at
http://infofiesta.com/web/editor/Login.htmGenerated and sent email phish alert to respective parties.

Quote:

http://infofiesta.com/portal/includes/Archive/index.php

PIRT Fried Phish Reports :: [PIRT#886918] Lloyds TSB on AS8560 82.165.92.203

downie — Fri, 04 Jul 2008 21:06:53 -0500

Author: downie
Subject: [PIRT#886918] Lloyds TSB on AS8560 82.165.92.203
Posted: Sat Jul 05, 2008 2:06 am (GMT 0)

Phish Alert

Full Report: http://www.castlecops.com/Lloyds_TSB_phish886918.html

The URL accesses a Lloyds TSB phishing site, active at the time of investigation.
A page fetch was successful.Changed status to confirmed phish.IP Converted: 82.165.92.203

dword = 1386568907
hex1 = 0x52a55ccb
hex2 = 0x52.0xa5.0x5c.0xcb
oct = 0122.0245.0134.0313
View CIDR AS8560 Report: http://www.cidr-report.org/cgi-bin/as-report?as=8560

"8560 | DE | ripencc | 1997-11-26 | ONEANDONE-AS 1&1 Internet AG" 
Extended information for AS8560:
State/Province:
Country: de
Responsible Domain: schlund.net
Abuse Email: abuse@schlund.net
Generated and sent email phish alert to respective parties.

Quote:

http://www.manasturm.com/phpraider/authentication/phpbb2/LloydsTSB/lloydstsb/customer.php?ibc=customer.ibc

PIRT Fried Phish Reports :: [PIRT#886504] Co-operative Bank on AS20115, 71.8.87.140

faith_michele — Fri, 04 Jul 2008 07:10:05 -0500

Author: faith_michele
Subject: [PIRT#886504] Co-operative Bank on AS20115, 71.8.87.140
Posted: Fri Jul 04, 2008 12:10 pm (GMT 0)

Phish Alert

Full Report: http://www.castlecops.com/Co_operative_Bank_phish886504.html

Changed status to confirmed phish.IP Converted: 71.8.87.140

dword = 1191729036
hex1 = 0x4708578c
hex2 = 0x47.0x8.0x57.0x8c
oct = 0107.010.0127.0214
View CIDR AS20115 Report: http://www.cidr-report.org/cgi-bin/as-report?as=20115

"20115 | US | arin | 2001-03-26 | CHARTER-NET-HKY-NC - Charter Communications" 
Extended information for AS20115:
State/Province: nc
Country: us
Responsible Domain: charter.net
Abuse Email: abuse@charter.net

Quote:

http://71.8.87.140/cgi_bin/Launch_cashplus.cgi/

PIRT Fried Phish Reports :: [PIRT#886320] Lloyds TSB on AS8001 70.47.71.139

downie — Fri, 04 Jul 2008 05:52:33 -0500

Author: downie
Subject: [PIRT#886320] Lloyds TSB on AS8001 70.47.71.139
Posted: Fri Jul 04, 2008 10:52 am (GMT 0)

Phish Alert

Full Report: http://www.castlecops.com/Lloyds_TSB_phish886320.html

The URL accesses a Lloyds TSB phishing site, active at the time of investigation.
A page fetch was successful.Changed status to confirmed phish.IP Converted: 70.47.71.139

dword = 1177503627
hex1 = 0x462f478b
hex2 = 0x46.0x2f.0x47.0x8b
oct = 0106.057.0107.0213
View CIDR AS8001 Report: http://www.cidr-report.org/cgi-bin/as-report?as=8001

"8001 | US | arin | 1996-08-22 | NET-ACCESS-CORP - Net Access Corporation" 
Extended information for AS8001:
State/Province: nj
Country: us
Responsible Domain: nac.net
Abuse Email: abuse@nac.net
Generated and sent email phish alert to respective parties.

Quote:

http://www.paknambooks.com/includes/Archive/index.php

PIRT Fried Phish Reports :: [PIRT#883281] Multiple brands on AS5432 194.78.204.57

downie — Thu, 03 Jul 2008 14:47:20 -0500

Quote:

http://57.204-78-194.adsl-fix.skynet.be/loyds.tsb.update.das23da21ew23r/customer.php?ibc=customer.ibc

PIRT Fried Phish Reports :: [PIRT#883453] HSBC on AS7738 200.164.162.236

downie — Thu, 03 Jul 2008 00:40:07 -0500

Author: downie
Subject: [PIRT#883453] HSBC on AS7738 200.164.162.236
Posted: Thu Jul 03, 2008 5:40 am (GMT 0)

Phish Alert

Full Report: http://www.castlecops.com/HSBC_phish883453.html

Consumed following related reports:

[884586] http://200.164.162.236/personal/hsbc/index.php
The URL accesses an HSBC phishing site, active at the time of investigation.
A page fetch was successful.Changed status to confirmed phish.IP Converted: 200.164.162.236

dword = 3366232812
hex1 = 0xc8a4a2ec
hex2 = 0xc8.0xa4.0xa2.0xec
oct = 0310.0244.0242.0354
View CIDR AS7738 Report: http://www.cidr-report.org/cgi-bin/as-report?as=7738

"7738 | BR | lacnic | 1996-12-24 | Telecomunicacoes da Bahia S.A." 
Extended information for AS7738:
State/Province:
Country: br
Responsible Domain: telebahia.net.br
Abuse Email: abuse@telemar.net.br
Generated and sent email phish alert to respective parties.

Quote:

http://200.164.162.236/personal/hsbc/submit.php?cmd=login

PIRT Fried Phish Reports :: [PIRT#884237]PayPal on AS12306, 213.83.63.53

faith_michele — Wed, 02 Jul 2008 05:19:28 -0500

Author: faith_michele
Subject: [PIRT#884237]PayPal on AS12306, 213.83.63.53
Posted: Wed Jul 02, 2008 10:19 am (GMT 0)

Phish Alert

Full Report: http://www.castlecops.com/PayPal_phish884237.html

Changed status to confirmed phish.museo.infoitos.com has address 195.8.78.2 IP Converted: 195.8.78.2

dword = 3272101378
hex1 = 0xc3084e02
hex2 = 0xc3.0x8.0x4e.0x2
oct = 0303.010.0116.02
View CIDR AS8426 Report: http://www.cidr-report.org/cgi-bin/as-report?as=8426

"8426 | GB | ripencc | 1997-08-15 | CLARANET-AS ClaraNET" 
Extended information for AS8426:
State/Province:
Country: uk
Responsible Domain: clara.net
Abuse Email: abuse@clara.net
hsv-echo-plauen.de has address 213.83.63.53 IP Converted: 213.83.63.53

dword = 3579002677
hex1 = 0xd5533f35
hex2 = 0xd5.0x53.0x3f.0x35
oct = 0325.0123.077.065
View CIDR AS12306 Report: http://www.cidr-report.org/cgi-bin/as-report?as=12306

"12306 | DE | ripencc | 1999-03-01 | Plus.Line AG IP-Services" 
Extended information for AS12306:
State/Province:
Country: de
Responsible Domain: plusline.de
Abuse Email: abuse@plusline.de
URL: http://museo.infoitos.com//components/com_rwcards/index.html

Redirects to a PayPal phish, URL:
http://hsv-echo-plauen.de/service/accounts/paypal/updates/cgi-bin/login.php?cmd=_login-run

Quote:

http://museo.infoitos.com//components/com_rwcards/index.html

PIRT Fried Phish Reports :: [PIRT#882068] Abbey Bank on AS4694 211.10.17.2

downie — Wed, 02 Jul 2008 03:04:28 -0500

Author: downie
Subject: [PIRT#882068] Abbey Bank on AS4694 211.10.17.2
Posted: Wed Jul 02, 2008 8:04 am (GMT 0)

Phish Alert

Full Report: http://www.castlecops.com/Abbey_Bank_phish882068.html

Consumed following related reports:

[882069] http://dragon-labs.jp/class/abbey/index.html
The URL accesses an Abbey Bank phishing site, active at the time of investigation.
A page fetch was successful.Changed status to confirmed phish.IP Converted: 211.10.17.2

dword = 3540652290
hex1 = 0xd30a1102
hex2 = 0xd3.0xa.0x11.0x2
oct = 0323.012.021.02
View CIDR AS4694 Report: http://www.cidr-report.org/cgi-bin/as-report?as=4694

"4694 | JP | apnic | 1995-08-30 | IDC SOFTBANK IDC Corp." 
Extended information for AS4694:
State/Province:
Country: jp
Responsible Domain: idc.ad.jp
Abuse Email: postmaster@idc.ad.jp
Generated and sent email phish alert to respective parties.403

Quote:

http://dragon-labs.jp/class/abbey/Logon.php?a=myonlineaccounts2.abbeynational.co.uk/CentralLogonWeb/Logon?action=prepare

PIRT Fried Phish Reports :: [PIRT#881940] Lloyds,Hotmail,Postbank on AS25973

downie — Tue, 01 Jul 2008 10:36:17 -0500

Author: downie
Subject: [PIRT#881940] Lloyds,Hotmail,Postbank on AS25973
Posted: Tue Jul 01, 2008 3:36 pm (GMT 0)

Phish Alert

Full Report: http://www.castlecops.com/Hotmail_Lloyds_TSB_postbank_de_phish881940.html

The URL accesses a Lloyds TSB phishing site, active at the time of investigation.
A page fetch was successful.Changed status to confirmed phish.IP Converted: 203.22.204.237

dword = 3407269101
hex1 = 0xcb16cced
hex2 = 0xcb.0x16.0xcc.0xed
oct = 0313.026.0314.0355
View CIDR AS25973 Report: http://www.cidr-report.org/cgi-bin/as-report?as=25973

"25973 | US | arin | 2002-06-11 | MZIMA - Mzima Networks, Inc." 
Extended information for AS25973:
State/Province: ca
Country: us
Responsible Domain: mzima.net
Abuse Email: postmaster@mzima.net
Postbank phish at
http://site-order4.com/sohoadmin/program/modules/site_templates/plugins/update.htmAnother Postbank phish at
http://site-order4.com/sohoadmin/program/modules/site_templates/includes/update.htmWindows Live Hotmail (Spanish) phish at
http://site-order4.com/sohoadmin/program/modules/site_templates/pages/NEWSLETTER-Simple_Borders-Red/live.login.com/by103w.bay103.mail.live.com/mail/ReadMessageLight.aspxAux/Another Lloyds TSB phish at
http://site-order4.com/sohoadmin/program/modules/site_templates/pages/AGRICULTURE-FarmSickle_Autumn-None/loyds.tsb.update.das23da21ew23r/customer.php?ibc=customer.ibcGenerated and sent email phish alert to respective parties.

Quote:

http://site-order4.com/sohoadmin/program/modules/site_templates/unzip/customer.php?ibc=customer.ibc

PIRT Fried Phish Reports :: [PIRT#882750] Halifax on AS16276, 91.121.120.104

faith_michele — Mon, 30 Jun 2008 18:42:46 -0500

Author: faith_michele
Subject: [PIRT#882750] Halifax on AS16276, 91.121.120.104
Posted: Mon Jun 30, 2008 11:42 pm (GMT 0)

Phish Alert

Full Report: http://www.castlecops.com/Halifax_phish882750.html

Changed status to confirmed phish.IP Converted: 91.121.120.104

dword = 1534687336
hex1 = 0x5b797868
hex2 = 0x5b.0x79.0x78.0x68
oct = 0133.0171.0170.0150
View CIDR AS16276 Report: http://www.cidr-report.org/cgi-bin/as-report?as=16276

"16276 | FR | ripencc | 2001-02-15 | OVH OVH" 
Extended information for AS16276:
State/Province:
Country:
Responsible Domain: ovh.net
Abuse Email: abuse@ovh.net

Quote:

http://www.aurumweb.com/lang/en/http:/_mem_bin/formslogin.asp/index.php

PIRT Fried Phish Reports :: [PIRT#876450] Bank of America on AS35732 195.62.28.110

downie — Mon, 30 Jun 2008 07:00:27 -0500

Author: downie
Subject: [PIRT#876450] Bank of America on AS35732 195.62.28.110
Posted: Mon Jun 30, 2008 12:00 pm (GMT 0)

Phish Alert

Full Report: http://www.castlecops.com/Bank_of_America_phish876450.html

Consumed following related reports:

[876015] http://www.halftimetalk.net/forum/retail/www.bankofamerica.com/
The URL accesses a Bank of America phishing site, active at the time of investigation.
A page fetch was successful.Changed status to confirmed phish.IP Converted: 195.62.28.110

dword = 3275627630
hex1 = 0xc33e1c6e
hex2 = 0xc3.0x3e.0x1c.0x6e
oct = 0303.076.034.0156
View CIDR AS35732 Report: http://www.cidr-report.org/cgi-bin/as-report?as=35732

"35732 | GB | ripencc | 2005-10-13 | UKWEBHOSTING-AS UK Webhosting Ltd - Autonomous System" 
Extended information for AS35732:
State/Province:
Country: uk
Responsible Domain: ebws.co.uk
Abuse Email: adam@ebws.co.uk
Generated and sent email phish alert to respective parties.

Quote:

http://www.halftimetalk.net/forum/retail/www.bankofamerica.com/signon.php?section=signinpage&update=&cookiecheck=yes&destination=nba/signin

PIRT Fried Phish Reports :: [PIRT#875428] BofA,Wells on AS25973 203.22.204.160

downie — Mon, 30 Jun 2008 03:55:51 -0500

Author: downie
Subject: [PIRT#875428] BofA,Wells on AS25973 203.22.204.160
Posted: Mon Jun 30, 2008 8:55 am (GMT 0)

Phish Alert

Full Report: http://www.castlecops.com/Bank_of_America_Wells_Fargo_phish875428.html

Consumed following related reports:

[875433] http://fwcerie.org/oldsite/includes/db/www.bankofamerica.com/signon.php?section=3Dsigninpage&update=3D&cookiecheck=3Dyes&destination=3Dnba/signin
[875631] http://fwcerie.org/oldsite/includes/db/www.bankofamerica.com/signon.php?sec
The URL accesses a Bank of America phishing site, active at the time of investigation.
A page fetch was successful.Changed status to confirmed phish.IP Converted: 203.22.204.160

dword = 3407269024
hex1 = 0xcb16cca0
hex2 = 0xcb.0x16.0xcc.0xa0
oct = 0313.026.0314.0240
View CIDR AS25973 Report: http://www.cidr-report.org/cgi-bin/as-report?as=25973

"25973 | US | arin | 2002-06-11 | MZIMA - Mzima Networks, Inc." 
Extended information for AS25973:
State/Province: ca
Country: us
Responsible Domain: mzima.net
Abuse Email: postmaster@mzima.net
Wells Fargo phish at
http://www.fwcerie.org/skins/simplicity/images/www.wellsfargo.com/Generated and sent email phish alert to respective parties.

Quote:

http://fwcerie.org/oldsite/includes/db/www.bankofamerica.com/signon.php?section=signinpage&update=&cookiecheck=yes&destination=nba/signin

PIRT Fried Phish Reports :: [PIRT#878750] Chase,Moneybookers on AS17547 203.211.129.9

downie — Mon, 30 Jun 2008 00:51:23 -0500

Author: downie
Subject: [PIRT#878750] Chase,Moneybookers on AS17547 203.211.129.9
Posted: Mon Jun 30, 2008 5:51 am (GMT 0)

Phish Alert

Full Report: http://www.castlecops.com/Chase_Moneybookers_com_phish878750.html

Consumed following related reports:

[876729] http://lvps-12909.patong.com/%20/chaseonline.chase.com/colappmgr/colportal/
The URL accesses a Chase phishing site, active at the time of investigation.
A page fetch was successful.Changed status to confirmed phish.IP Converted: 203.211.129.9

dword = 3419635977
hex1 = 0xcbd38109
hex2 = 0xcb.0xd3.0x81.0x9
oct = 0313.0323.0201.011
View CIDR AS17547 Report: http://www.cidr-report.org/cgi-bin/as-report?as=17547

"17547 | SG | apnic | 2000-12-29 | QALA-SG-AP QALA Singapore Pte Ltd" 
Extended information for AS17547:
State/Province:
Country: sg
Responsible Domain: qala.com.sg
Abuse Email: abuse@qala.com.sg
Moneybookers phish at
http://lvps-12909.patong.com/%20%20/www.moneybookers.com/app/login.html

Quote:

http://lvps-12909.patong.com/%20/chaseonline.chase.com/colappmgr/colportal/prospect.php?_nfpb=login&_pageLabel=page_logonform

PIRT Fried Phish Reports :: [PIRT#878078] Multiple brands on AS27823 200.58.112.166

downie — Sun, 29 Jun 2008 01:21:08 -0500

Author: downie
Subject: [PIRT#878078] Multiple brands on AS27823 200.58.112.166
Posted: Sun Jun 29, 2008 6:21 am (GMT 0)

Phish Alert

Full Report: http://www.castlecops.com/HSBC_Lloyds_TSB_NatWest_Royal_Bank_of_Scotland_Wells_Fargo_phish878078.html

Consumed following related reports:

[873441] http://www.mejoresdar.com.ar/mambots/content/geshi/
[874253] http://www.mejoresdar.com.ar/includes/Archive/index.php
[877327] http://www.mejoresdar.com.ar/editor/index.htm
[879638] http://www.mejoresdar.com.ar/includes/cgi.php
Changed status to confirmed phish.There are Natwest phish at
http://www.mejoresdar.com.ar/components/com_zoom/lib/www.nwolb.com/index.php
http://www.mejoresdar.com.ar/log/default.php
There are Lloyds TSB phish at
http://www.mejoresdar.com.ar/log/default.php
http://www.mejoresdar.com.ar/includes/Archive/index.php
There is a HSBC phish at
http://www.mejoresdar.com.ar/mambots/content/geshi/
There is a Wells Fargo phish at
http://www.mejoresdar.com.ar/editor/index.htm
There is a Royal Bank of Scotland phish at
http://www.mejoresdar.com.ar/includes/cgi.php
All active at the time of investigation.IP Converted: 200.58.112.166

dword = 3359273126
hex1 = 0xc83a70a6
hex2 = 0xc8.0x3a.0x70.0xa6
oct = 0310.072.0160.0246
View CIDR AS27823 Report: http://www.cidr-report.org/cgi-bin/as-report?as=27823

"27823 | AR | lacnic | 2006-05-12 | Dattatec.com" 
Extended information for AS27823:
State/Province:
Country: ar
Responsible Domain: dattatec.com
Abuse Email: marketing@dattatec.com
Generated and sent email phish alert to respective parties.

Quote:

http://www.mejoresdar.com.ar/components/com_zoom/lib/www.nwolb.com/index.php

PIRT Fried Phish Reports :: [PIRT#881077] eBay on europrous.com

moike — Sat, 28 Jun 2008 20:10:27 -0500

Author: moike
Subject: [PIRT#881077] eBay on europrous.com
Posted: Sun Jun 29, 2008 1:10 am (GMT 0)

Phish Alert

Full Report: http://www.castlecops.com/eBay_phish881077.html

Changed status to confirmed phish.Phish was active at time of investigation as a fake eBay login pageIP Converted: 74.53.81.178

dword = 1245008306
hex1 = 0x4a3551b2
hex2 = 0x4a.0x35.0x51.0xb2
oct = 0112.065.0121.0262
View CIDR AS21844 Report: http://www.cidr-report.org/cgi-bin/as-report?as=21844

"21844 | US | arin | 2001-06-29 | THEPLANET-AS - ThePlanet.com Internet Services, Inc." 
Extended information for AS21844:
State/Province: tx
Country: us
Responsible Domain: theplanet.com
Abuse Email: abuse@theplanet.com
IP Converted: 203.194.244.200

dword = 3418551496
hex1 = 0xcbc2f4c8
hex2 = 0xcb.0xc2.0xf4.0xc8
oct = 0313.0302.0364.0310
View CIDR AS9729 Report: http://www.cidr-report.org/cgi-bin/as-report?as=9729

"9729 | HK | apnic | 1999-11-08 | IS-AP iAdvantage Limited" 
Extended information for AS9729:
State/Province:
Country: hk
Responsible Domain: iadvantage.net
Abuse Email: abuse@iadvantage.net
Host IAdvantage: The page at http://203.194.244.200/phpmyadmin/lang/malayisoi.php is an unsecured mailer form. Please restrict use of this form by using the referrer field.

Quote:

http://europrous.com/Sing%20In.html

PIRT Fried Phish Reports :: [PIRT#881081] eBay on AS1659 / 163.30.99.1

moike — Sat, 28 Jun 2008 18:58:45 -0500

Author: moike
Subject: [PIRT#881081] eBay on AS1659 / 163.30.99.1
Posted: Sat Jun 28, 2008 11:58 pm (GMT 0)

Phish Alert

Full Report: http://www.castlecops.com/eBay_phish881081.html

Phish was active at time of investigation as a fake eBay siteChanged status to confirmed phish.IP Converted: 163.30.99.1

dword = 2736677633
hex1 = 0xa31e6301
hex2 = 0xa3.0x1e.0x63.0x1
oct = 0243.036.0143.01
View CIDR AS1659 Report: http://www.cidr-report.org/cgi-bin/as-report?as=1659

"1659 | TW | apnic | 2002-08-01 | ERX-TANET-ASN1 Tiawan Academic Network (TANet) Information Center" 
Extended information for AS1659:
State/Province:
Country: tw
Responsible Domain: moe.edu.tw
Abuse Email: abuse@moe.edu.tw

Quote:

http://163.30.99.1/~Charlie/ws.signin/ISAPI.dll-SignIn&ru=http3A2F2F2F&_trksid=m37/

PIRT Fried Phish Reports :: [PIRT#880370] BofA on AS4323 216.120.234.169

downie — Sat, 28 Jun 2008 15:54:04 -0500

Author: downie
Subject: [PIRT#880370] BofA on AS4323 216.120.234.169
Posted: Sat Jun 28, 2008 8:54 pm (GMT 0)

Phish Alert

Full Report: http://www.castlecops.com/Bank_of_America_phish880370.html

The URL accesses a Bnak of America phishing site, active at the time of investigation.
A page fetch was successful.Changed status to confirmed phish.IP Converted: 216.120.234.169

dword = 3631803049
hex1 = 0xd878eaa9
hex2 = 0xd8.0x78.0xea.0xa9
oct = 0330.0170.0352.0251
There is another BoA phish at
http://theunderwater.net/MyAdder/db/bankofamerica/do.php?cmd=SignInView CIDR AS4323 Report: http://www.cidr-report.org/cgi-bin/as-report?as=4323

"4323 | US | arin | 1995-02-01 | TWTC - Time Warner Telecom, Inc." 
Extended information for AS4323:
State/Province: co
Country: us
Responsible Domain: twtelecom.net
Abuse Email: abuse@twtelecom.net
Generated and sent email phish alert to respective parties.all 404

Quote:

http://theunderwater.net/MyAdder/logs/www/bankofamerica.com/signon.php

PIRT Fried Phish Reports :: [PIRT#880269] BoA,UBA on AS9848 211.115.217.77

downie — Sat, 28 Jun 2008 09:19:33 -0500

Author: downie
Subject: [PIRT#880269] BoA,UBA on AS9848 211.115.217.77
Posted: Sat Jun 28, 2008 2:19 pm (GMT 0)

Phish Alert

Full Report: http://www.castlecops.com/Bank_of_America_UBA_phish880269.html

Consumed following related reports:

[880270] http://anaclan.ygosu.com/bbs/data/publicity_page1/BankofAmerica.Com/index.html
The URL accesses a Bank of America phishing site, active at the time of investigation.
A page fetch was successful.Changed status to confirmed phish.IP Converted: 211.115.217.77

dword = 3547584845
hex1 = 0xd373d94d
hex2 = 0xd3.0x73.0xd9.0x4d
oct = 0323.0163.0331.0115
View CIDR AS9848 Report: http://www.cidr-report.org/cgi-bin/as-report?as=9848

"9848 | KR | apnic | 2000-02-04 | GNGAS Enterprise Networks" 
Extended information for AS9848:
State/Province:
Country: kr
Responsible Domain: gngidc.net
Abuse Email: network@epnetworks.co.kr
Another BoA phish at
http://anaclan.ygosu.com/bbs/data/publicity_page1/www/bankofamerica/latestupdate/UBA phish at
http://anaclan.ygosu.com/bbs/data/ubagroup.com/personal/personal.html**************
UBA: Please advise of a suitable email address for reporting phishing sites.
***************Generated and sent email phish alert to respective parties.

Quote:

http://anaclan.ygosu.com/bbs/data/publicity_page1/BankofAmerica.Com/signon.php?section=signinpage&update=&cookiecheck=yes&destination=nba/signin

PIRT Fried Phish Reports :: [PIRT#877961] BoA on AS30496 65.99.221.194

downie — Sat, 28 Jun 2008 06:53:16 -0500

Author: downie
Subject: [PIRT#877961] BoA on AS30496 65.99.221.194
Posted: Sat Jun 28, 2008 11:53 am (GMT 0)

Phish Alert

Full Report: http://www.castlecops.com/Bank_of_America_phish877961.html

The URL accesses a Bank of America phishing site, active at the time of investigation.
A page fetch was successful.Changed status to confirmed phish.IP Converted: 65.99.221.194

dword = 1097063874
hex1 = 0x4163ddc2
hex2 = 0x41.0x63.0xdd.0xc2
oct = 0101.0143.0335.0302
***********************************
ENOM:
Domain boacheckers.com has been registered through slhost.com for phishing fraud against Bank of America.
Please suspend boacheckers.com urgently to prevent further criminal use.
Please check for domains registered using the same (stolen) identity and credit-card details, ot the same email address.
*****************************View CIDR AS30496 Report: http://www.cidr-report.org/cgi-bin/as-report?as=30496

"30496 | US | arin | 2003-10-21 | COLO4 - Colo4Dallas LP" 
Extended information for AS30496:
State/Province: tx
Country: us
Responsible Domain: colo4dallas.com
Abuse Email: postmaster@colo4dallas.com
Generated and sent email phish alert to respective parties.

Quote:

http://boacheckers.com/signon.php?section=signinpage&update=&cookiecheck=yes&destination=nba/signin

PIRT Fried Phish Reports :: [PIRT#871551] Bank of America on AS35549 213.147.122.213

downie — Sat, 28 Jun 2008 06:04:32 -0500

Author: downie
Subject: [PIRT#871551] Bank of America on AS35549 213.147.122.213
Posted: Sat Jun 28, 2008 11:04 am (GMT 0)

Phish Alert

Full Report: http://www.castlecops.com/Bank_of_America_phish871551.html

Changed status to confirmed phish.The URL accesses a Bank of America phishing site, active at the time of investigation.
A page fetch was successful.IP Converted: 213.147.122.213

dword = 3583212245
hex1 = 0xd5937ad5
hex2 = 0xd5.0x93.0x7a.0xd5
oct = 0325.0223.0172.0325
View CIDR AS35549 Report: http://www.cidr-report.org/cgi-bin/as-report?as=35549

"35549 | HR | ripencc | 2005-09-02 | METRONET-AS Metronet telekomunikacije d.d." 
Extended information for AS35549:
State/Province:
Country: hr
Responsible Domain: metronet.hr
Abuse Email: aljosa.pavelin@metronet.hr
Generated and sent email phish alert to respective parties.

Quote:

http://www.reval.hr/media/onlineeast1.BofA/EnrollmentStateAndProductSelectorControl_files/termsandconditions.htm

PIRT Fried Phish Reports :: [PIRT#878692] Halifax on gallerynews.gr / AS3009

s0tet — Fri, 27 Jun 2008 13:59:03 -0500

Author: s0tet
Subject: [PIRT#878692] Halifax on gallerynews.gr / AS3009
Posted: Fri Jun 27, 2008 6:59 pm (GMT 0)

Phish Alert

Full Report: http://www.castlecops.com/Halifax_phish878692.html

Changed status to confirmed phish.IP Converted: 64.34.199.156

dword = 1076021148
hex1 = 0x4022c79c
hex2 = 0x40.0x22.0xc7.0x9c
oct = 0100.042.0307.0234
View CIDR AS30099 Report: http://www.cidr-report.org/cgi-bin/as-report?as=30099

"30099 | US | arin | 2003-07-21 | SB-2 - ServerBeach" 
Extended information for AS30099:
State/Province: tx
Country: us
Responsible Domain: serverbeach.com
Abuse Email: abuse@serverbeach.com
reoccurring phishing site, looks like file manager is compromised.

Quote:

http://www.gallerynews.gr/filemanager/userfiles/mathimata%20zwgrafikhs/arxiki/index.php

PIRT Fried Phish Reports :: [PIRT#879702] Abbey,Wells,BoA,Orange AS9758 211.172.232.90

downie — Thu, 26 Jun 2008 23:20:00 -0500

Author: downie
Subject: [PIRT#879702] Abbey,Wells,BoA,Orange AS9758 211.172.232.90
Posted: Fri Jun 27, 2008 4:20 am (GMT 0)

Phish Alert

Full Report: http://www.castlecops.com/Abbey_Bank_Bank_of_America_Orange_Wells_Fargo_phish879702.html

The URL accesses a Wachovia phishing site, active at the time of investigation.
A page fetch was successful.Changed status to confirmed phish.IP Converted: 211.172.232.90

dword = 3551324250
hex1 = 0xd3ace85a
hex2 = 0xd3.0xac.0xe8.0x5a
oct = 0323.0254.0350.0132
View CIDR AS9758 Report: http://www.cidr-report.org/cgi-bin/as-report?as=9758

"9758 | KR | apnic | 1999-12-10 | HANNET-AS Serverbank" 
Extended information for AS9758:
State/Province:
Country: kr
Responsible Domain: e-serverbank.com
Abuse Email: abuse@e-serverbank.com
Wells Fargo phish at
http://aum.co.kr/in/wells/Another Wells Fargo phish at
http://aum.co.kr/rest/Abbey Bank phish at
http://www.aum.co.kr/run/submit.php?cmd=validateOrange phish at
http://www.aum.co.kr/log/images/bit/online/index.htmGenerated and sent email phish alert to respective parties.

Quote:

http://aum.co.kr/tty/bofa/

PIRT Fried Phish Reports :: [PIRT#879681] PayPal on tbschool.com

moike — Thu, 26 Jun 2008 20:38:02 -0500

Author: moike
Subject: [PIRT#879681] PayPal on tbschool.com
Posted: Fri Jun 27, 2008 1:38 am (GMT 0)

Phish Alert

Full Report: http://www.castlecops.com/PayPal_phish879681.html

Phish was active at time of investigation as a fake PayPal siteChanged status to confirmed phish.IP Converted: 207.58.149.84

dword = 3476723028
hex1 = 0xcf3a9554
hex2 = 0xcf.0x3a.0x95.0x54
oct = 0317.072.0225.0124
View CIDR AS25847 Report: http://www.cidr-report.org/cgi-bin/as-report?as=25847

"25847 | US | arin | 2002-05-17 | SERVINT - ServInt Corporation" 
Extended information for AS25847:
State/Province: va
Country: us
Responsible Domain: servint.net
Abuse Email: admin@servint.com

Quote:

http://tbschool.com/images-match/paypal.com.au/https/cgi-bin/webscrcmd=_login-run/webscrcmd=_account-run/updates-paypal/confirm-paypal/index.htm

PIRT Fried Phish Reports :: [PIRT#879671] Wells Fargo on www.muetos.com

moike — Thu, 26 Jun 2008 19:18:20 -0500

Quote:

http://www.muetos.com/media/www.wellsfargo.com/Wellsfargo.com.htm

PIRT Fried Phish Reports :: [PIRT#879444] Citibank on AS3269 / 88.42.218.125

moike — Thu, 26 Jun 2008 18:57:37 -0500

Author: moike
Subject: [PIRT#879444] Citibank on AS3269 / 88.42.218.125
Posted: Thu Jun 26, 2008 11:57 pm (GMT 0)

Phish Alert

Full Report: http://www.castlecops.com/CitiBank_phish879444.html

Consumed following related reports:

[879289] http://88.42.218.125/www.citibank.com/survey/survey.html?ssl=3D1
Changed status to confirmed phish.IP Converted: 88.42.218.125

dword = 1479203453
hex1 = 0x582ada7d
hex2 = 0x58.0x2a.0xda.0x7d
oct = 0130.052.0332.0175
View CIDR AS3269 Report: http://www.cidr-report.org/cgi-bin/as-report?as=3269

"3269 | EU | ripencc | 1994-11-14 | ASN-IBSNAZ TELECOM ITALIA" 
Extended information for AS3269:
State/Province:
Country: it
Responsible Domain: interbusiness.it
Abuse Email: abuse@interbusiness.it

Quote:

http://88.42.218.125/www.citibank.com/survey/survey.html?ssl=1