Friday, April 07, 2006

Another "Phisherman" today - Matt Ashby

Another email showed up today from an eBay member "prescreened". The text of the message follows:
Question from prescreened
About This Member
prescreened( 5792)
Positive Feedback: 100%
Member Since: Apr-14-99
Location: OH, United States
Registered On: www.ebay.com

Hey ,
I'll send you the money today.When will you send the package ?

Thanks !

Respond to this question in My Messages.
Respond Now

prescreened
Thank you for using eBay!
http://www.ebay.com/

Real url of the ebay.com link is: http://www.steveariss.com/%20/Index.html

Let's see who this poor sucker is. He may be hacked...
Interestingly, this box has no HTTP server running, just port 8080, SSH, and FTP. Hmm.

WHOIS information reports that domain belongs to:
Registrant:
Steve Ariss
42 Lakefield Road
Brampton, ON L7A 1W5
CA

Domain name: STEVEARISS.COM

Administrative Contact:
Ariss, Steve steveariss@rogers.com
42 Lakefield Road
Brampton, ON L7A 1W5
CA
416 508-8245
Technical Contact:
Ariss, Steve steveariss@rogers.com
42 Lakefield Road
Brampton, ON L7A 1W5
CA
416 508-8245


Registrar of Record: easyDNS Technologies, Inc.

Resolves to 69.194.147.254

Reverse DNS: cpe000393086bfa-cm000f9f7f15b6.cpe.net.cable.rogers.com.
Reverse DNS authenticity: [Verified]
ASN: 812
ASN Name: ROGERS-CABLE
IP range connectivity: 1
Registrar (per ASN): ARIN
Country (per IP registrar): CA [Canada]
Country Currency: CAD [Canada Dollars]
Country IP Range: 69.192.0.0 to 69.199.255.255
Country fraud profile: Normal
City (per outside source): Mississauga, Ontario
Private (internal) IP? No
IP address registrar: whois.arin.net
Known Proxy? No

OK, so far we have the entry point.
But the scam only starts here. Phishermen are getting sneaky nowadays.
That web site redirects the victim to a server in the UK:

Redirects to: http://www.domainsnipe.co.uk/.ebay/aw-cgi/index.html
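The two tells in this message are the link whose visible text reads ebay.com while its href points at steveariss.com, and the redirect target that carries the brand name only in its path (/.ebay/aw-cgi/). The following is an added example, not code from the original post: it parses the anchors out of a constructed HTML message modelled on the one above and flags both patterns. The small public-suffix table and the brand list are assumptions for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the message in the post (not the original email).
SAMPLE_EMAIL_HTML = """
<p>Hey ,<br>I'll send you the money today.When will you send the package ?</p>
<p><a href="http://www.steveariss.com/%20/Index.html">Respond Now</a></p>
<p><a href="http://www.steveariss.com/%20/Index.html">http://www.ebay.com/</a></p>
<p><a href="http://www.domainsnipe.co.uk/.ebay/aw-cgi/index.html">Respond Now</a></p>
<p><a href="http://www.ebay.com/">Thank you for using eBay!</a></p>
"""

BRAND_DOMAINS = {"ebay.com"}                            # domains the mail claims to be from
SECOND_LEVEL = {"co.uk", "org.uk", "ac.uk", "com.au"}   # tiny public-suffix table (assumed)

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    """eTLD+1 of a hostname, using the small suffix table above (not a full PSL)."""
    parts = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(parts[-2:]) in SECOND_LEVEL else 2
    return ".".join(parts[-n:])

def find_suspicious_links(html):
    """Return (reason, visible text, href) for every link that fails either check."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_dom = registrable(urlparse(href).hostname or "")
        # Check 1: the visible text names a domain that differs from the href's domain.
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if shown and registrable(shown.group(1)) != href_dom:
            findings.append(("text/href mismatch", text, href))
        # Check 2: a brand name appears in the URL, but the link is not on the brand's domain.
        elif any(b.split(".")[0] in href.lower() and href_dom != b for b in BRAND_DOMAINS):
            findings.append(("brand keyword off-domain", text, href))
    return findings
```

Running `find_suspicious_links(SAMPLE_EMAIL_HTML)` flags the ebay.com-labelled link to steveariss.com and the domainsnipe.co.uk link with the brand in its path, and leaves the genuine eBay link alone.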



This is the REAL web site the phisherman is running the scam on:

Domain name: domainsnipe.co.uk

Registrant:
Matt Ashby

Registrant type:
UK Individual

Registrant's address:
Smallands Hall Farm
Spring Lane
Hatfield Peverel
CM3 2JW
GB

Registrant's agent:
Internet Assist Ltd [Tag = INTERNET-ASSIST]
URL: http://www.i-a.co.uk

Relevant dates:
Registered on: 08-Dec-2005
Renewal date: 08-Dec-2007

Registration status:
Registered until renewal date.

Name servers:
ns1.i-a.co.uk
ns2.i-a.co.uk

IP address: 217.151.101.69
Reverse DNS: rack5.i-a.co.uk.
Reverse DNS authenticity: [Verified]
ASN: 21055
ASN Name: WEBTAPESTRY-AS (Axamba Limited T/As Web Tapestry)
IP range connectivity: 1
Registrar (per ASN): RIPE
Country (per IP registrar): GB [United Kingdom]
Country Currency: GBP [United Kingdom Pounds]
Country IP Range: 217.151.96.0 to 217.151.111.255
Country fraud profile: Normal
City (per outside source): Unknown
Private (internal) IP? No
IP address registrar: whois.ripe.net
Known Proxy? No

Looks like the server is in Manchester, England. I will email the ISP to take this down.

So I report it to eBay and pop the REAL URL into Phishfighter.com.

Just another takedown of a bad guy. Fight the good fight.

4 Comments:

Anonymous Steve Ariss said...

Just wanna say - you ROCK sir

Keep it up!

And another comment, more about society...Something that drives me absolutely nuts about people is how easily they'll point fingers without actual facts. I know spam is annoying, but don't respond to it threatening the sender unless you are SURE that is where the message originated from...do a little investigation like Mr. Linux Head here...I mean really, if I was trying to steal your eBay account, and was smart enough to initiate such a scheme...would I leave such an obvious trail back to myself?

I don't think so...

Please save your angry words for the real idiot...I'm getting sick of apologizing for HIM...

Steve Ariss
(The guy who runs the server that was hacked into)

10:18 AM  
Blogger James Baker said...

I just came across your blog and wanted to
drop you, Blogger, a note telling you how impressed I was with
the information you have posted here.
If you have a moment, please visit my site:
domain names center
It covers domain names center related contents.
I send you warm regards and wish you continued success.

1:51 AM  
Blogger ASHBY said...

'Steve Ariss said...
Just wanna say - you ROCK sir'

Hmm, this is an interesting article as most of it is untrue.

Mr. Linux head never contacted the so called server that was hacked into, as it was incorrect.

Mr. Linux head has no facility to contact himself and wildly posts information without any real research. This is lazy journalism at its best.

2:14 AM  
