Blog for hpHosts, and whatever else I feel like writing about ....

Friday 7 August 2009

idealenterprises.net and SoftLayer in multiple bank phishing scams

Customers of multiple banks are being targeted by a phishing scam hosted in SoftLayer's IP space (see left), with the domains themselves being registered to a chap in Pakistan (at least it's not China this time, I suppose).

The server itself is located at 174.37.54.20 (174.37.54.20-static.reverse.softlayer.com), which is the same IP that, earlier this year, was found to be the host of malware.

The domains are both owned by the same chap, Hunain Ahmed, who is apparently the owner of Ideal Enterprises. Research shows the domain was previously used for the company, so it's likely that the domains have simply been hacked, and their being owned by the same company is a coincidence, but I'm a skeptical bugger, so am not convinced.

manwarbros.com itself was, earlier today, found to be the host of a PayPal phishing scam, according to PhishTank. The PayPal scam, however, is now returning a 404.

You can see in the following screenshot (thanks to their leaving the directory open for browsing - whoops) the banks being targeted.


As you can see from the screenshot, the banks targeted are:

1. Abbey National
2. Barclays
3. Cahoot
4. Halifax
5. HSBC
6. Lloyds TSB
7. Natwest
8. Royal Bank of Scotland
9. Smile
10. Yorkshire Bank

A check as of two seconds ago (was going to take some lovely screenshots for you) shows they're all now showing as offline (including the above directory listing), with idealenterprise.net's homepage being restored, but I've gotten a screenshot of one of them for you:



The page in the screenshot top right is still there, showing that whilst they've cleaned up one of them, they've evidently missed the other.

Kudos to Shazza at the MyWot forums for the heads up.
