Oldfrog
Special Response Team
Joined: Jun 27, 2004 Posts: 8576 Location: Deep in the Heart of Texas
Posted: Tue Mar 28, 2006 6:27 am Post subject: Fried Phish Mar 28: Chase @ CRNET (CN)
Phish Alert Full Report: /modules.php?name=Fried_Phish&fp=phish&id=433&in=1 The email hyperlink directs to a Chinese server at IP 218.206.140.248 which does a meta refresh to a second server. The site was active at the time of investigation and both URLs were on the Netcraft blacklist. View CIDR AS9808 Report: http://www.cidr-report.org/cgi-bin/as-report?as=9808
"9808 | CN | apnic | 2000-01-10 | CMNET-GD Guangdong Mobile Communication Co.Ltd."
The second server at IP 222.37.134.17 enters at /chs/index.html and then refreshes to /chs/myaccounts.php which serves an imitation Chase login screen. IP 222.37.134.17 is assigned to China Railway Telecommunications Center. Abuse @ crnet_mgr@chinatietong.com View CIDR AS9394 Report: http://www.cidr-report.org/cgi-bin/as-report?as=9394
"9394 | CN | apnic | 1998-08-27 | CRNET CHINA RAILWAY Internet(CRNET)"
Quote:
From Mon Mar 27 19:05:58 2006
Received: from gwind.pair.com (gwind.pair.com [209.68.1.157])
by bugsbunny.castlecops.com (8.13.6/8.13.6) with SMTP id k2S05wI7018996
for <>; Mon, 27 Mar 2006 19:05:58 -0500
Received: (qmail 54748 invoked by uid 3333); 28 Mar 2006 00:06:10 -0000
Resent-Message-ID: <>
Delivered-To: notyou-darryl:
X-Envelope-To:
Received: (qmail 12334 invoked from network); 23 Mar 2006 16:43:40 -0000
Received: from mailwash6.pair.com (66.39.2.6)
by gwind.pair.com with SMTP; 23 Mar 2006 16:43:40 -0000
Received: from localhost (localhost [127.0.0.1])
by mailwash6.pair.com (Postfix) with SMTP id 5B020A32CE
for <>; Thu, 23 Mar 2006 11:43:35 -0500 (EST)
X-Virus-Check-By: mailwash6.pair.com
X-Spam-Check-By: ma
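Reading the quoted Received: headers from the bottom up is how the delivery path of a reported message is reconstructed: each relay prepends its own header, so the last one is the first hop. The Python below is an added example, not code from the post or from CastleCops. It parses the header block quoted above (with the RFC 5322 folding whitespace restored, which the forum software had stripped, and the truncated final header left out), lists the hops oldest first, computes the time between consecutive hops, and checks that each SMTP hop's "from" host matches the previous hop's "by" host. The Hop fields and helper names are my own.

```python
import calendar
import re
from dataclasses import dataclass
from email.utils import parsedate_tz
from typing import List, Optional

# Header block quoted in the report. Continuation lines are re-indented with a
# leading space (RFC 5322 folding); the truncated last header is omitted.
SAMPLE_HEADERS = """\
Received: from gwind.pair.com (gwind.pair.com [209.68.1.157])
 by bugsbunny.castlecops.com (8.13.6/8.13.6) with SMTP id k2S05wI7018996
 for <>; Mon, 27 Mar 2006 19:05:58 -0500
Received: (qmail 54748 invoked by uid 3333); 28 Mar 2006 00:06:10 -0000
Resent-Message-ID: <>
Delivered-To: notyou-darryl:
X-Envelope-To:
Received: (qmail 12334 invoked from network); 23 Mar 2006 16:43:40 -0000
Received: from mailwash6.pair.com (66.39.2.6)
 by gwind.pair.com with SMTP; 23 Mar 2006 16:43:40 -0000
Received: from localhost (localhost [127.0.0.1])
 by mailwash6.pair.com (Postfix) with SMTP id 5B020A32CE
 for <>; Thu, 23 Mar 2006 11:43:35 -0500 (EST)
X-Virus-Check-By: mailwash6.pair.com
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


@dataclass
class Hop:
    sender: Optional[str]     # host in the "from" clause
    sender_ip: Optional[str]  # IPv4 literal the receiving server recorded
    receiver: Optional[str]   # host in the "by" clause
    msg_id: Optional[str]     # queue id from the "id" clause, if present
    local: Optional[str]      # text of a purely local hop, e.g. qmail "(... invoked ...)"
    timestamp: int            # seconds since the epoch, UTC


def unfold_headers(raw: str) -> List[str]:
    """Join folded continuation lines (leading whitespace) onto their header."""
    headers: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        elif line.strip():
            headers.append(line.rstrip())
    return headers


def to_utc_epoch(date_text: str) -> int:
    """RFC 2822 date -> UTC epoch seconds; '-0000' (zone unknown) is treated as UTC."""
    parsed = parsedate_tz(date_text.strip())
    if parsed is None:
        raise ValueError(f"unparseable date: {date_text!r}")
    return calendar.timegm(parsed[:6]) - (parsed[9] or 0)


def parse_received(header: str) -> Hop:
    """Extract sender, receiver, queue id and timestamp from one Received: header."""
    body = header.split(":", 1)[1].strip()
    clauses, sep, date_text = body.rpartition(";")
    if not sep:
        raise ValueError(f"Received header without a date: {header!r}")
    stamp = to_utc_epoch(date_text)
    if clauses.startswith("(") and clauses.endswith(")"):
        # qmail-style local delivery: no remote peer, only a parenthesised note
        return Hop(None, None, None, None, clauses[1:-1], stamp)
    sender = re.search(r"\bfrom\s+(\S+)", clauses)
    receiver = re.search(r"\bby\s+(\S+)", clauses)
    msg_id = re.search(r"\bid\s+(\S+)", clauses)
    ip = IPV4_RE.search(clauses)
    return Hop(sender.group(1) if sender else None,
               ip.group(1) if ip else None,
               receiver.group(1) if receiver else None,
               msg_id.group(1) if msg_id else None,
               None, stamp)


def delivery_path(raw: str) -> List[Hop]:
    """Hops oldest first: Received: headers are prepended, so reverse their order."""
    received = [h for h in unfold_headers(raw) if h.lower().startswith("received:")]
    return [parse_received(h) for h in reversed(received)]


def hop_gaps(hops: List[Hop]) -> List[int]:
    """Seconds between consecutive hops; negative means the two servers' clocks disagree."""
    return [b.timestamp - a.timestamp for a, b in zip(hops, hops[1:])]


def chain_breaks(hops: List[Hop]) -> List[str]:
    """SMTP hops whose 'from' host is not the previous hop's 'by' host (spliced or forged headers)."""
    smtp = [h for h in hops if h.local is None]
    return [f"{a.receiver} handed off, but the next hop claims from {b.sender}"
            for a, b in zip(smtp, smtp[1:])
            if a.receiver and b.sender and a.receiver.lower() != b.sender.lower()]


if __name__ == "__main__":
    path = delivery_path(SAMPLE_HEADERS)
    for hop, gap in zip(path, [0] + hop_gaps(path)):
        where = hop.local or f"{hop.sender} [{hop.sender_ip}] -> {hop.receiver}"
        print(f"{gap:>8d}s  {where}")
    print("chain breaks:", chain_breaks(path) or "none")
```

On the quoted headers the chain is consistent (mailwash6.pair.com hands to gwind.pair.com, which hands to bugsbunny.castlecops.com). The Resent-Message-ID header and the roughly four-day gap between the two qmail hops are consistent with the message having been re-sent to the reporting mailbox, and the 12-second negative gap between the last two hops is simply the two servers' clocks disagreeing, which is why hop timestamps should be read as approximate rather than as proof of tampering.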