CastleCops, Internet Crime Fighters

Fried Phish(TM)

Phishing Incident Reporting and Termination (PIRT) Squad(SM)

A global phishing termination and intelligence system operated by CastleCops. Become a PIRT Squad terminator by reporting phish today!



status: terminated

HTTP Response: 20 Oct, 2008 18:20:04 - HTTP/1.1 502 Proxy Error
ID: 984533 (termination link)
Title: Abbey Bank, Rock Phish
Entry: PIRT Squad
Reporter: Submitted anonymously thru the web, or sent to pirt (at) castlecops (dot) com.
Timestamp: 05 Oct, 2008 @ 18:27:11
Topic ID: 227268 - Read/respond to PIRT commentary.
Handler Note:
08 Oct, 2008
17:47:41
s0tet: Consumed following related reports:

[984534] http://www9.abbey.com.4stream.tw/CentralLogonWeb/Confirm?config=25kcnkwcyyD
[987538] http://ww9.nwolb.com.cmdid046730.4stream.tw/details/confirmpage.aspx?srv=26edyhzedLafDlczytbczyOkhOvp
Handler Note:
08 Oct, 2008
17:59:22
s0tet: The URL accesses a phishing site hosted on a bot net.
IP addresses 118.91.53.128, 189.32.51.125, 200.109.132.40, 213.134.38.73, 24.14.134.142, 24.15.33.3, 24.216.177.93, 65.25.97.106, 66.140.72.234, 67.174.94.127, 67.209.72.220, 68.62.230.232, 68.80.246.19, 71.84.127.132, 76.11.220.229, 76.27.213.215, 76.87.141.146, 79.181.196.5, 82.42.189.145, 85.59.51.79, 86.131.240.7, 91.117.246.87, 97.87.136.93, 98.14.118.181, 98.25.5.221, 99.171.162.183, 99.227.250.122 were active at Wed, 08 Oct 2008 17:49:48 +0000 (GMT).
Nameservers
NS1.4STREAM.TW [62.219.252.109] response 200.109.132.40, 24.14.134.142, 24.216.177.93, 65.25.97.106, 66.140.72.234, 67.174.94.127, 68.62.230.232, 76.11.220.229, 76.87.141.146, 79.181.196.5, 82.42.189.145, 86.131.240.7, 91.117.246.87, 97.87.136.93, 99.227.250.122 in 230 mSec
NS2.4STREAM.TW [68.197.137.239] response 118.91.53.128, 189.32.51.125, 213.134.38.73, 24.15.33.3, 67.174.94.127, 67.209.72.220, 68.62.230.232, 68.80.246.19, 71.84.127.132, 76.27.213.215, 85.59.51.79, 86.131.240.7, 98.14.118.181, 98.25.5.221, 99.171.162.183 in 95 mSec
NS3.4STREAM.TW [69.119.119.178] response 118.91.53.128, 189.32.51.125, 213.134.38.73, 24.15.33.3, 67.174.94.127, 67.209.72.220, 68.62.230.232, 68.80.246.19, 71.84.127.132, 76.27.213.215, 85.59.51.79, 86.131.240.7, 98.14.118.181, 98.25.5.221, 99.171.162.183 in 74 mSec
were active at the same time
=================================
REGISTRAR [Twnic.net]:
Domain 4STREAM.TW has been registered with for fraudulent purposes.
It is part of a network of phishing sites hosted on a bot net.
Please suspend this domain immediately to prevent further criminal activity.
Please also check for any domains registered using the same (stolen) identity and credit card details, or the same email address.
=================================
NAMESERVER HOST BEZEQINT.NET:
Nameserver
NS1.4STREAM.TW [62.219.252.109] - response 230 mSec
has been set up on your network to serve addresses for this phishing domain and others.
No legitimate domains use this nameserver.
Please shut it down urgently.
Please close the customer's account.
If possible please also be alert for anyone setting up other nameservers on your network for this domain.
=================================
Handler Note:
08 Oct, 2008
18:08:46
s0tet: View CIDR AS20001 Report: http://www.cidr-report.org/cgi-bin/as-report?as=20001

"20001 | US | arin | 2001-03-13 | ROADRUNNER-WEST - Road Runner HoldCo LLC"

Handler Note:
08 Oct, 2008
18:08:47
s0tet: Extended information for AS20001:
State/Province: va
Country: us
Responsible Domain: rr.com
Abuse Email: abuse@rr.com
Handler Note:
08 Oct, 2008
18:09:25
s0tet: View CIDR AS11796 Report: http://www.cidr-report.org/cgi-bin/as-report?as=11796

"11796 | US | arin | 1998-12-22 | AIRSTREAMCOMM-NET - Airstream Communications, LLC"

Handler Note:
08 Oct, 2008
18:09:26
s0tet: Extended information for AS11796:
State/Province: wi
Country: us
Responsible Domain: airstreamcomm.net
Abuse Email: abuse@airstreamcomm.net
Handler Note:
08 Oct, 2008
18:12:09
s0tet: View CIDR AS16787 Report: http://www.cidr-report.org/cgi-bin/as-report?as=16787

"16787 | US | arin | 2002-08-22 | CHARTER-16787 - Charter Communications"

Handler Note:
08 Oct, 2008
18:12:09
s0tet: Extended information for AS16787:
State/Province: mo
Country: us
Responsible Domain: charter.net
Abuse Email: abuse@charter.net
Handler Note:
08 Oct, 2008
18:12:34
s0tet: Generated and sent email phish alert to respective parties.
Fetched URLs
Slaves: 984534, 987538

Report for at 08 Oct, 2008 @ 17:47:41


fetched page

at 08 Oct, 2008 @ 17:50:02
MD5 Fingerprint: d41d8cd98f00b204e9800998ecf8427e
SHA1 Fingerprint: da39a3ee5e6b4b0d3255bfef95601890afd80709
Version 1.0