Bank Phishing / UK Government

Post by spectre » Fri Aug 07, 2009 7:04 pm

Email just received:
'Dear Sir/Madam,
For security reasons, you must update your account to protect your bank account from disable.
Please Click Here to complete your account update. Click here
then click to your bank logo to start the
validation process.
United KingdomGovernment.'

Email is from IP - 65.36.253.19 - mail.doostang.biz . It directs to hxxp://www.manwarbros.com/info.unitedkingdom.g ... index.html

On this site there are links to fake sites for Abbey, Barclays, Cahoot, Halifax, HSBC, Nationwide, Smile, Yorkshire & RSB Banks
hxxp://banks.unitedkingdom.gov.uk.idealenterprises.net
EG hxxp://banks.unitedkingdom.gov.uk.idealenterprises.net/cahoot/index.htm/servlet.php?com=aquarius.security.authentication.servlet.LoginEntryServlet
hxxp://banks.unitedkingdom.gov.uk.idealenterprises.net/abbey/index.htm/Logon.php?a=myonlineaccounts2.abbeynational.co.uk/CentralLogonWeb/Logon?action=prepare
hxxp://banks.unitedkingdom.gov.uk.idealenterprises.net/barclays.co.uk/index.html/
hxxp://banks.unitedkingdom.gov.uk.idealenterprises.net/cahoot/index.htm/servlet.php?com=aquarius.security.authentication.servlet.LoginEntryServlet
hxxp://banks.unitedkingdom.gov.uk.idealenterprises.net/halifax/halifax.html


....

Post by MysteryFCM » Fri Aug 07, 2009 8:12 pm

Also available directly from the PD, for example;

hxxp://www.idealenterprises.net/banks.unitedki ... stomer.ibc

Both domains are owned by someone in Pakistan, so no way in hell I'm phoning them (phone bill is sky high already as it is, lol), and hosted by SoftLayer, which is known for criminal activity.

http://hosts-file.net/?s=idealenterprises.net&wn=1
http://hosts-file.net/?s=manwarbros.com&wn=1

Server IP: 174.37.54.20

http://hosts-file.net/?s=174.37.54.20&view=matches

Regards
Steven Burn
Ur I.T. Mate Group / hpHosts
it-mate.co.uk / hosts-file.net


Thanks.

Post by spectre » Fri Aug 07, 2009 8:36 pm

banks.unitedkingdom.gov.uk.idealenterprises.net
idealenterprises.net
manwarbros.com
174.37.54.20


FYI

Post by MysteryFCM » Fri Aug 07, 2009 8:44 pm

Those hosted at idealenterprises.net are now offline (they were taken offline whilst I was blogging it), with the following still being online as of 2 seconds ago;

manwarbros.com/info.unitedkingdom.gov.uk/updatebankaccountinfo/index.html

Regards
Steven Burn
Ur I.T. Mate Group / hpHosts
it-mate.co.uk / hosts-file.net


in the beginning

Post by c۞g » Fri Aug 07, 2009 10:00 pm

In the beginning there was ideal.com.pk (203.124.43.53) which currently displays PHPInfo() output. whois
System = Windows NT HOST04 5.2 build 3790
Build Date = Nov 8 2007 23:18:08
Configure Command = cscript /nologo configure.js "--enable-snapshot-build" "--with-gd=shared"
Server API = CGI/FastCGI
Virtual Directory Support = enabled
Configuration File (php.ini) Path = C:\WINDOWS
Loaded Configuration File = C:\Program Files\PHP\php.ini

LOL

ideal.com.pk turned into idealentp.com (174.37.54.20) which is a duplicate site of: idealenterprises.net (174.37.54.20) - it seems they transferred the hosting from Islamabad, Pakistan to Texas, USA

idealenterprises.net uses Google for their MX records (mail server)
  • 10 aspmx.l.google.com
  • 20 alt1.aspmx.l.google.com
  • 30 aspmx2.googlemail.com
manwarbros.com (174.37.54.20) has the same Registrant as idealenterprises.net; idealentp.com is registered with PrivacyProtect.org

manwarbros.com is also LISTED IN BLACKLIST!
multi.surbl.org

manwarbros.com also PHISHes for PayPal info on this URL (now "down") that is listed with SafeBrowsing:
paypal.fr.cgi-bin.login-run.webscr.update.bank.france.manwarbros.com

Both IPs 203.124.43.53 and 174.37.54.20 are shared with several domains, some legitimate, some not so legitimate.


@ Shazza
Nice find Sharon, thank you. :-)
-------
Against Intuition - gives us safety through Web of Trust.
WOT Community - gives us security through unity.
Thank you all
- G7W
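
The hostnames in this thread put gov.uk and bank or PayPal labels to the left of an unrelated registered domain, or into the URL path. As an added example (not part of any post in the thread), the Python check below finds the registrable domain and flags such embedded labels; the suffix set and brand watchlist are small assumed stand-ins, and URLs are only parsed, never fetched.

```python
from urllib.parse import urlsplit

# Assumption: tiny stand-in for the Public Suffix List; load the real list in practice.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "gov.uk", "fr", "pk", "com.pk"}
# Assumption: illustrative brand watchlist, not taken from any product.
BRAND_LABELS = {"paypal", "barclays", "hsbc", "halifax"}


def refang(url):
    """Make a defanged hxxp:// URL parseable again (it is parsed, never fetched)."""
    url = url.strip().replace("[.]", ".")
    if url.lower().startswith("hxxp"):
        url = "http" + url[4:]
    return url if "://" in url else "http://" + url


def registrable_domain(host):
    """Longest matching public suffix plus the one label to its left."""
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def embedded_suffixes(labels):
    """Multi-label public suffixes (such as gov.uk) found inside a run of labels."""
    runs = (".".join(labels[i:j]) for i in range(len(labels))
            for j in range(i + 2, len(labels) + 1))
    return sorted({r for r in runs if r in PUBLIC_SUFFIXES})


def analyse(url):
    """Return host, registrable domain and the reasons the URL looks deceptive."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").rstrip(".")
    reg = registrable_domain(host)
    sub = host[: -len(reg)].rstrip(".").split(".") if host != reg else []
    reasons = [f"subdomain embeds suffix {s}" for s in embedded_suffixes(sub)]
    reasons += [f"subdomain embeds brand {b}" for b in sorted(BRAND_LABELS & set(sub))]
    for seg in parts.path.lower().split("/"):
        reasons += [f"path segment embeds suffix {s}" for s in embedded_suffixes(seg.split("."))]
    return {"host": host, "registrable": reg, "reasons": reasons}


if __name__ == "__main__":
    # Hostname quoted in the thread, kept defanged in the source.
    print(analyse("hxxp://banks.unitedkingdom.gov.uk.idealenterprises.net/halifax/halifax.html"))
```

A legitimate host such as www.gov.uk produces no reasons, because gov.uk is then the actual suffix rather than a label run sitting in front of another registered domain.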


Done

Post by Xp54321 » Sat Aug 08, 2009 4:33 am

Rated and commented all.

Thanks.

:-)
