Phish Alert Full Report: /Colonial_Bank_Rock_Phish_phish957776.html
Consumed following related reports:
Changed status to confirmed phish.
IP Converted: 83.103.179.112
dword = 1399305072
hex1 = 0x5367b370
hex2 = 0x53.0x67.0xb3.0x70
oct = 0123.0147.0263.0160
View CIDR AS6746 Report: http://www.cidr-report.org/cgi-bin/as-report?as=6746
"6746 | RO | ripencc | 1996-08-21 | ASTRAL ASTRAL Telecom SA, Romania"
Extended information for AS6746:
State/Province:
Country: ro
Responsible Domain: astral.ro
Abuse Email: abuse@astral.ro
The Colonial Bank URL accesses a phishing site hosted on a botnet.
There is also a malware download, an exe file, on this botnet phishing site.
IP addresses 125.234.88.79, 195.3.151.214, 217.132.20.8, 58.9.100.144, 81.105.111.77, 82.39.107.80, 83.103.179.112, 84.108.15.11, 84.109.106.10, 84.20.231.134, 84.236.116.10, 84.58.181.148, 85.181.24.63, 86.100.97.110, 86.121.138.40, 86.126.206.36, 86.70.139.35, 87.226.70.101, 87.69.85.21, 87.70.120.232 were active at Sat, 13 Sep 2008 13:32:42 +0000 (GMT).
Nameservers
NS1.KJONIX.COM [93.186.171.94] response 125.234.88.79, 195.3.151.214, 217.132.20.8, 58.9.100.144, 81.105.111.77, 82.39.107.80, 83.103.179.112, 84.108.15.11, 84.109.106.10, 84.20.231.134, 84.236.116.10, 84.58.181.148, 85.181.24.63, 86.100.97.110, 86.121.138.40, 86.126.206.36, 86.70.139.35, 87.226.70.101, 87.69.85.21, 87.70.120.232 in 141 mSec
were active at the same time
=================================
REGISTRAR bizcn.com:
Domains VCXEERO.COM, KJONIX.COM have been registered with bizcn.com for fraudulent purposes.
They are part of a network of phishing sites hosted on a botnet.
Please suspend these domains immediately to prevent further criminal activity.
Please also check for any domains registered using the same (stolen) identity and credit card details, or the same email address.
=================================
IP Converted: 125.234.88.79
dword = 2112510031
hex1 = 0x7dea584f
hex2 = 0x7d.0xea.0x58.0x4f
oct = 0175.0352.0130.0117
View CIDR AS7552 Report: http://www.cidr-report.org/cgi-bin/as-report?as=7552
"7552 | VN | apnic | 2002-10-08 | VIETEL-AS-AP Vietel Corporation"
Extended information for AS7552:
State/Province:
Country: vn
Responsible Domain: vnnic.net.vn
Abuse Email: postmaster@vnnic.net.vn
Quote: http://colonialbank.webbiz.wirebiz.globalupdate.servletdologin.DKYp5LEgUN8GXZF.carehtmlclient.privatelogin.vcxeero.com/ColonialAutomaticUpgrade2008.exe