

 aitisfoul.com Phishing

igor
Hello I'm New here!


Joined: 14 Aug 2008
Posts: 3


Posted: Wed Aug 20, 2008 4:12 pm

Just received this email pointing to a fake bank to verify account info. Here is the website:

http://www.aitisfoul.com/images/dert.htm

The email and WHOIS info are below.

Igor

Quote:
Delivered-To: [email protected]
Received: by 10.180.218.11 with SMTP id q11cs128099bkg;
Wed, 20 Aug 2008 08:50:55 -0700 (PDT)
Received: by 10.100.41.8 with SMTP id o8mr363213ano.11.1219247454474;
Wed, 20 Aug 2008 08:50:54 -0700 (PDT)
Return-Path: <[email protected]>
Received: from tut.by (focus.tutby.com [86.57.250.18])
by mx.google.com with ESMTP id 29si3094099wrl.9.2008.08.20.08.50.53;
Wed, 20 Aug 2008 08:50:54 -0700 (PDT)
Received-SPF: fail (google.com: domain of [email protected] does not designate 86.57.250.18 as permitted sender) client-ip=86.57.250.18;
Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of [email protected] does not designate 86.57.250.18 as permitted sender) [email protected]
Received: by tut.by (CommuniGate Pro PIPE 4.3.8)
with PIPE id 2729278; Wed, 20 Aug 2008 18:46:34 +0300
To: [email protected]
Subject: YOU HAVE 1 IMPORTANT MESSAGE FROM BANK OF ABBEY .
From: BANK OF ABBEY . <[email protected]>
Reply-To:
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
X-Mailer: CommuniGate Pro CLI mailer
Date: Wed, 20 Aug 2008 18:46:34 +0300
Message-ID: <[email protected]>


<html>
<head>
</head>
<table width="780" border="0" cellpadding="0" cellspacing="0">
<tr><td><img

src="
http://abbey.com/CsAppsExp/Abbey/Internet/Abbey/img/home_top_1.gif"></td>


</table>

<table
width="75%" border="0"
cellspacing="0" cellpadding="0">
</tr>
<br><font face="Verdana" size="2"><strong>Dear

Customer</strong>,</font>
<p align="left"><font face="Verdana" size="2"></font></p>
<p><font face="Verdana" size="2">Bank of Abbeyl has been receiving

complaints from our customers for unauthorised use of the Abbey

Online accounts.
As a result we are making an extra security check on all of our

Customers account
in order to protect their information from theft and

fraud.<br><br><br>Due to this, you are
requested to follow the provided steps and confirm your Online

Banking
details for the safety of your Accounts.</font> <b>
<a rel="nofollow"

target="_blank" href="
http://www.aitisfoul.com/images/dert.htm""http://pc-speaker.com//zboard/popup_images/dert.htm">Please

Click Here To Start</a> </b><font face="Verdana" size="-1">.
<br><br><br>However, Failure to do so may result in temporary

account
suspension. Please understand that this is a security measure
intended to help protect you and your account. We apologize for

any
inconvenience.</font></p><br>
<p><font face="Verdana" size="-1">Thanks for your
co-operation.</p><br>
<p><font color="#000000">

<b>Fraud Prevention Unit<br>Legal
Advisor<br>Bank of Abbey.</b></font></p>
<hr SIZE="1">
</tr>
<font face="Verdana" size="1">Accounts Management As outlined in our
User
Agreement, Bank of Abbey(R) will <br>periodically send you

information about
site
changes and enhancements. </font>
<font face="Verdana" size="1"><p>Please do not reply to this e-mail. Mail
sent to this address cannot be
answered.</p>


--------------------------------------------------------------
Quote:
WHOIS information for: aitisfoul.com:

Address lookup
canonical name aitisfoul.com.
aliases
addresses 67.15.234.135

Domain Whois record

Queried whois.internic.net with "dom aitisfoul.com"...
Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: AITISFOUL.COM
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: ITEEXNS1.HEBERJAHIZ.COM
Name Server: ITEEXNS2.HEBERJAHIZ.COM
Status: clientTransferProhibited
Updated Date: 07-nov-2007
Creation Date: 07-nov-2007
Expiration Date: 07-nov-2008

>>> Last update of whois database: Wed, 20 Aug 2008 12:10:53 EDT <<<

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.

Queried whois.enom.com with "aitisfoul.com"...
=-=-=-=
Visit AboutUs.org for more information about aitisfoul.com
<a href="http://www.aboutus.org/aitisfoul.com">AboutUs: aitisfoul.com</a>

Registration Service Provided By: Iteex
Contact: [email protected]
Visit: http://www.goagadir.com

Domain name: aitisfoul.com

Registrant Contact:
Iteex
afago lhou

BP8631
AGADIR, 80000
MA

Administrative Contact:
Iteex
afago lhou ([email protected])
+21261339511
Fax: 028238562
BP8631
AGADIR, 80000
MA

Technical Contact:
Iteex
afago lhou ([email protected])
+21261339511
Fax: 028238562
BP8631
AGADIR, 80000
MA

Status: Locked

Name Servers:
iteexns1.heberjahiz.com
iteexns2.heberjahiz.com

Creation date: 07 Nov 2007 17:42:56
Expiration date: 07 Nov 2008 17:42:56
=-=-=-=
Version 6.3 4/3/2002
Network Whois record

Queried whois.arin.net with "!NET-67-15-234-0-1"...
OrgName: Arcanes Technologies - Heberjahiz
OrgID: ATH-8
Address: 11 Zerktouni street, Building Tarfaya
Address: 9th floor - number 23
City: Casablanca
StateProv: N/A
PostalCode: 20150
Country: MA

NetRange: 67.15.234.0 - 67.15.234.255
CIDR: 67.15.234.0/24
NetName: EVRY-266
NetHandle: NET-67-15-234-0-1
Parent: NET-67-15-0-0-1
NetType: Reassigned
Comment:
RegDate: 2006-12-18
Updated: 2006-12-18

RTechHandle: ARI28-ARIN
RTechName: RIADI, Amine
RTechPhone: +212-22491944
RTechEmail: [email protected]

OrgTechHandle: ARI28-ARIN
OrgTechName: RIADI, Amine
OrgTechPhone: +212-22491944
OrgTechEmail: [email protected]

# ARIN WHOIS database, last updated 2008-08-19 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
DNS records
name class type data time to live
aitisfoul.com IN MX preference: 0, exchange: aitisfoul.com 14400s (04:00:00)
aitisfoul.com IN SOA server: iteexns1.heberjahiz.com, email: afago.goagadir.com, serial: 2007110701, refresh: 86400, retry: 7200, expire: 3600000, minimum ttl: 86400 86400s (1.00:00:00)
aitisfoul.com IN NS iteexns2.heberjahiz.com 86400s (1.00:00:00)
aitisfoul.com IN NS iteexns1.heberjahiz.com 86400s (1.00:00:00)
aitisfoul.com IN A 67.15.234.135 14400s (04:00:00)
135.234.15.67.in-addr.arpa IN PTR vps1418.heberjahiz.com 7200s (02:00:00)

Traceroute

Tracing route to aitisfoul.com [67.15.234.135]...
hop rtt rtt rtt ip address fully qualified domain name
1 1 0 1 70.84.211.97 61.d3.5446.static.theplanet.com
2 0 0 0 70.84.160.162 vl2.dsr02.dllstx5.theplanet.com
3 0 0 0 70.85.127.109 po52.dsr02.dllstx3.theplanet.com
4 0 0 0 70.87.253.29 et5-2.ibr04.dllstx3.theplanet.com
5 5 5 4 70.87.253.54 et1-1.ibr02.hstntx1.theplanet.com
6 5 5 5 70.87.253.58 et1-3.ibr02.hstntx2.theplanet.com
7 6 5 5 74.55.252.210 d2.fc.374a.static.theplanet.com
8 5 5 5 67.15.212.225 serveur14.heberjahiz.com
9 6 5 6 67.15.234.135 vps1418.heberjahiz.com


Trace complete
Service scan
FTP - 21 220---------- Welcome to Pure-FTPd [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 16:11. Server port: 21.
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
220 Logout.
SMTP - 25 Error: TimedOut
HTTP - 80 Error: TimedOut
POP3 - 110 +OK Hello there.
IMAP - 143 * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2005 Double Precision, Inc. See COPYING for distribution information.


Updated subject. TS
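
As an added example (not part of the original post), the two signals visible in the quoted message, the Received-SPF: fail verdict and a link that leaves the bank's own domain, can be extracted mechanically when triaging a report like this one. The sample is constructed from the quote with a placeholder mailbox; triage, on_brand and LinkCollector are names invented here, and abbey.com is assumed to be the legitimate domain because the lure loads its logo from it.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the quoted message; the mailbox is a placeholder.
SAMPLE = """\
Received-SPF: fail (google.com: domain of sender@example.invalid does not designate 86.57.250.18 as permitted sender) client-ip=86.57.250.18;
Subject: YOU HAVE 1 IMPORTANT MESSAGE FROM BANK OF ABBEY .
From: BANK OF ABBEY . <sender@example.invalid>
Content-Type: text/html

<html><img src="http://abbey.com/CsAppsExp/Abbey/Internet/Abbey/img/home_top_1.gif">
<p>Dear Customer, <a rel="nofollow" target="_blank" href="
http://www.aitisfoul.com/images/dert.htm">Please Click Here To Start</a></p></html>
"""

class LinkCollector(HTMLParser):
    """Collect every href/src URL found in an HTML body."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.urls.append(value.strip())  # the lure wraps its href onto a new line

def on_brand(url, brand_domain):
    """True when the URL's host is the brand domain or one of its subdomains."""
    host = (urlparse(url).hostname or "").lower()
    return host == brand_domain or host.endswith("." + brand_domain)

def triage(raw_message, brand_domain):
    """Return the SPF verdict, the connecting IP and links that leave brand_domain."""
    msg = message_from_string(raw_message)
    spf_header = msg.get("Received-SPF", "")
    spf = spf_header.split()[0].lower() if spf_header.strip() else "none"
    ip = re.search(r"client-ip=([0-9A-Fa-f.:]+)", spf_header)
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    off_brand = [u for u in collector.urls if not on_brand(u, brand_domain)]
    return {
        "spf": spf,
        "client_ip": ip.group(1) if ip else None,
        "off_brand_links": off_brand,
        "suspicious": spf in ("fail", "softfail") or bool(off_brand),
    }

if __name__ == "__main__":
    print(triage(SAMPLE, "abbey.com"))
```
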
Tsnerd
Not quite a Newb


Joined: 14 Jul 2005
Posts: 41


Posted: Wed Aug 20, 2008 4:19 pm

Hi, Igor.

This is a phishing site - we don't normally mess with these, since the spoofed entities can and do deal with them more effectively.

The site has been marked as a forged site in Firefox.

If you forward the email to the folks at Abbey - [email protected] - they'll get it sorted.

edit: If you would like to learn how to kill fake sites used in AFF, let us know, and we'll get you started.

_________________

Fakers: many, many, lots; an SSL and a couple of Resellers.
Mortar x 6
AH, AH, AH! Two little !
Akai Ryu
Chuck Norris


Joined: 11 Jun 2007
Posts: 1369


Posted: Wed Aug 20, 2008 4:59 pm

It has also been reported and marked as a phishing site by Netcraft.

The page should be down before too long.

A good place to report phishing emails with headers and the phishing URL is Castle Cops. They compile reports about these phishing URLs and emails and send complaints to the hosters (and other parties, such as the legitimate bank):

http://www.castlecops.com/pirt

_________________
Several hundred fake escrows (and others) deaded--no longer counting.

aa419.org --dead a fake site today.

No, Akai, you're a wonderful bitch. --Reaper
igor
Hello I'm New here!


Joined: 14 Aug 2008
Posts: 3


Posted: Thu Aug 21, 2008 12:03 am

Thanks a lot. I will remember that for next time.

_________________
FOR ORAL DISCUSSION, CALL AND EMAIL ME BACK AS SOON AS YOU RECEIVE THIS IMPORTANT MESSAGE - DR.TONY AMODU
All Content © 2003 - 419Eater.com
All times are GMT