Active Phishing Website Ex South Korea: Last Wish of This Year is eBay Accounts - Part 2

TOKYO (MacHouse) - As we reported a while ago, an organized cybercriminal group has circulated a spam message aimed at eBay users. The title of the spam message is "Question from eBay member Regarding Item #1611385693". (See Screenshot 01.)
Screenshot 01 - Source: MacHouse
Screenshot 02 - Source: eBay
Screenshot 03 - Source: 211.232.22.23
Clicking on the hyperlink shown at the bottom of the phishing message, I was redirected to the website shown in Screenshot 02. That’s not a phishing website, is it? It is the genuine eBay website. So the phishing website has already been removed? No. It’s still there. (Screenshot 03 shows the eBay login page of the phishing website.) It appears that the phishing website records the IP addresses of visitors, and probably referrers as well. So if you visit the phishing website a few times, you will eventually be redirected to the genuine eBay website.
Screenshot 04 - Source: MacHouse
Screenshot 05 - Source: PT. Phintraco Securities
Screenshot 06 - Source: MacHouse
Let’s find out where the unwanted message originated. Screenshot 04 shows the HTML source code of the phishing message. The header shows that the immediate sender of the phishing message to our junk-specific Hotmail account is phintracosecurities.com. The web server hosting the website of Indonesia’s PT. Phintraco Securities is correctly recorded as 202.169.37.60. (Screenshot 03 shows the index page of PT. Phintraco Securities’s website.) The server location is Indonesia. The organization seems to use the SMTP mail server smtp2.biz.net.id, which is accessible with the HTTP protocol, and it’s traced to the IP address of 117.102.98.3. Furthermore, the header indicates that the true origin of the phishing message is the IP address of 71.113.71.203. According to ARIN, it’s an IP address used by Verizon Internet Services, Inc. (See Screenshot 06.)
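The hop-by-hop reading of the header described above, as an added example that is not code from the original post: it walks the Received lines of a constructed message and marks which hops were stamped by a server you name as trusted, since every line below that point was written by upstream relays or the sender. The three IP addresses and two relay hostnames are the article's; the hop order, the `.example` hostnames and the timestamps are assumptions.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample, not the header in Screenshot 04. The three IP addresses and
# the two relay hostnames are the ones the article names; the hop order, the
# ".example" hostnames and the timestamps are assumptions.
RAW = """\
Received: from phintracosecurities.com ([202.169.37.60])
 by mx.hotmail.example with SMTP; Mon, 1 Jan 2001 00:00:03 +0000
Received: from smtp2.biz.net.id ([117.102.98.3])
 by phintracosecurities.com with ESMTP; Mon, 1 Jan 2001 00:00:02 +0000
Received: from client.example ([71.113.71.203])
 by smtp2.biz.net.id with ESMTP; Mon, 1 Jan 2001 00:00:01 +0000
Subject: constructed sample

body
"""

# "from <helo> (... [<ip>]) ... by <host>", the common Received layout.
HOP = re.compile(r"from\s+(\S+)\s+\([^)]*?\[([0-9A-Fa-f:.]+)\]\).*?\bby\s+(\S+)", re.S)

def received_chain(raw, trusted_hosts):
    """Return hops newest-first; 'trusted' is True only while the stamping host is ours."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops, trusted = [], True
    for value in msg.get_all("Received", []):
        m = HOP.search(str(value))
        if not m:
            trusted = False  # unparseable hop: stop trusting anything below it
            continue
        helo, ip, by = m.groups()
        try:
            ip = str(ipaddress.ip_address(ip))
        except ValueError:
            trusted = False  # malformed address: same treatment
            continue
        trusted = trusted and by.lower() in trusted_hosts
        hops.append({"helo": helo, "ip": ip, "by": by, "trusted": trusted})
    return hops

def last_verified_ip(hops):
    """Client IP recorded by the deepest trusted hop, or None."""
    verified = [h["ip"] for h in hops if h["trusted"]]
    return verified[-1] if verified else None

def claimed_origin(hops):
    """Earliest hop's IP: written by upstream relays, so a claim unless trusted."""
    return hops[-1]["ip"] if hops else None
```

Pass the hostnames of your own receiving mail servers as `trusted_hosts`; the address from `last_verified_ip` is the one to act on in blocklists or abuse reports, while `claimed_origin` is a lead to corroborate.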
Screenshot 07 - Source: MacHouse
Screenshot 08 - Source: NexG
By the way, where is the phishing website hosted? According to APNIC, the IP address of 211.232.22.23 seems to be traced to an organization in Seoul, South Korea. (See Screenshot 07.) It appears that this IP address is used by an organization running the website at the domain of nexg.net. (Screenshot 08 shows the index page of NexG.)
Related stories:
Active Phishing Website Ex South Korea: Last Wish of This Year is eBay Accounts - Part 1