Warning: Phishing Website Targeting Chase Manhattan Bank Customers Active (2) - Possible Polish and Chinese Connections

TOKYO (MacHouse) - More than 18 hours ago, an organized cyber criminal group sent out a phishing message targeting JP Morgan Chase Manhattan Bank. The message possibly originates from Poland.
Just like other bank-related phishing messages, this one urges the recipient to provide account information by clicking on a given link. The scam website is still running at the domain update34.com. It is possibly hosted in Canada.
Screenshot 01 - Source: MacHouse
Screenshot 02 - Source: MacHouse
Screenshot 03 - Source: Whois.Net
The source code of the phishing message contains little of the information we would want about its origin and the identity of the organized cyber crime group. One key to tracing the origin of the message is the time zone in which it was sent. It is +02:00, which is the time zone of Central and Eastern Europe.
Furthermore, the message seems to have been relayed through golem.centruma.net. Its IP location is correctly stated, so it is from Poland. A strange aspect is that golem.centruma.net is still traceable, again, to Poland, although the domain centruma.net itself expired last month. More specifically, if you trace the IP address 83.17.31.2, which is indicated in the source code of the phishing message, the final node name is golem.centruma.net. Because the domain itself has expired, it is currently maintained by OnlineNIC (onlinenic.net). It is possible that a Polish individual or company acting as a domain reseller is behind the domain registration for centruma.net.
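The header check described above, as an added example that is not part of the original post: it reads the UTC offset claimed in the Date header and, for each Received line, the relay name, IP and timestamp offset. The sample headers are constructed around the values the article quotes (golem.centruma.net, 83.17.31.2, +02:00), and the regex assumes a Postfix-style Received format.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample headers (not the original message). The relay name, IP and
# +02:00 offset are the values quoted in the article; the rest is made up.
SAMPLE = """\
Received: from golem.centruma.net (golem.centruma.net [83.17.31.2])
\tby mx.recipient.example with ESMTP id CONSTRUCTED1;
\tWed, 25 Jun 2008 03:12:44 +0900
Received: from localhost (unknown [127.0.0.1])
\tby golem.centruma.net with SMTP id CONSTRUCTED2;
\tTue, 24 Jun 2008 20:12:40 +0200
Date: Tue, 24 Jun 2008 20:12:38 +0200
From: "Chase" <service@bank.example>
Subject: constructed sample

body
"""

# Assumed format: "from HELO (rdns [ip])"; other mail servers word this differently.
HOP = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9A-Fa-f.:]+)\]\)")

def offset_of(value):
    """Return the UTC offset of an RFC 5322 date as '+HH:MM', or None if absent."""
    try:
        off = parsedate_to_datetime(value).utcoffset()
    except (TypeError, ValueError):
        return None
    if off is None:  # "-0000" means the sender declared no time zone
        return None
    minutes = int(off.total_seconds()) // 60
    sign = "-" if minutes < 0 else "+"
    return f"{sign}{abs(minutes) // 60:02d}:{abs(minutes) % 60:02d}"

def received_hops(msg):
    """Received lines, newest first: hops[0] was written by the receiving server."""
    hops = []
    for raw in msg.get_all("Received", []):
        line = " ".join(raw.split())  # unfold continuation lines
        m = HOP.search(line)
        helo, rdns, ip = m.groups() if m else (None, None, None)
        hops.append({"helo": helo, "rdns": rdns, "ip": ip,
                     "offset": offset_of(line.rsplit(";", 1)[-1].strip())})
    return hops

def triage(raw_headers):
    msg = message_from_string(raw_headers)
    return {"date_offset": offset_of(msg["Date"]), "hops": received_hops(msg)}
```

Only the topmost Received line is written by the recipient's own mail server. The Date header and every lower Received line come from the sending side and can be forged, so the offset is a hint about origin rather than proof.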
Screenshot 04 - Source: update34.com
Screenshot 05 - Source: Whois.Net
Screenshot 06 - Source: Bell Canada
As we mentioned earlier, the phishing website is still active. It is hosted at the domain update34.com. (See Screenshot 04.) Interestingly, this domain is brand-new. It was registered on June 24, 2008. (See Screenshot 05.) More interestingly, at the time the domain was registered, it was already June 24 only in Japan, China, Russia and some Pacific island nations. Other areas, including Europe and North America, were still on June 23. Where is the registrant's address? It's in China. Take a look at the contact e-mail address: qq.com is traced to a popular Chinese portal called QQ.COM.
Where is the web server of the phishing website? Honestly, we are not very sure. The IP address of the website hosted at the domain update34.com is 65.95.119.71. This IP address belongs to Bell Canada (bell.ca). According to Bell Canada, they offer free webspace to Bell Sympatico users. Since the allowed monthly bandwidth is only 25 MB, it is hard to imagine that the phishing website is hosted here.