Sunday, April 30, 2006

PayPal scam site from Russia - nnov.ru - KIS.RU

Got another "Phisherman" today. Seems my PayPal account is in danger! OOOH!
I sent the link to spoof@paypal.com and pasted the URL into phishfighting.com.

Phony PayPal URL points to:
http://a.citron.nnov.ru/~test/%20/.paypal.com/link.php



Here are the full headers from the bogus email:

X-Apparently-To: mrlinuxhead@yahoo.com via 68.142.207.121; Sun, 30 Apr 2006 05:03:13 -0700
X-YahooFilteredBulk: 61.78.62.237
X-Originating-IP: [61.78.62.237]
Return-Path:
Authentication-Results: mta222.mail.mud.yahoo.com from=paypal.com; domainkeys=neutral (no sig)
Received: from 61.78.62.237 (EHLO localhost.localdomain) (61.78.62.237) by mta222.mail.mud.yahoo.com with SMTP; Sun, 30 Apr 2006 05:03:13 -0700
Received: from localhost.localdomain (dbslow [127.0.0.1]) by localhost.localdomain (8.13.1/8.13.1) with ESMTP id k3UBugDJ006814 for ; Sun, 30 Apr 2006 20:56:42 +0900
Received: (from mysql@localhost) by localhost.localdomain (8.13.1/8.13.1/Submit) id k3UBugwh006813; Sun, 30 Apr 2006 20:56:42 +0900
Date: Sun, 30 Apr 2006 20:56:42 +0900
Message-Id: <200604301156.k3ubugwh006813@localhost.localdomain>
To: mrlinuxhead@yahoo.com
Subject: Restore Your Account Access - mrlinuxhead@yahoo.com (Routing Code: C840-L1581-Q120-1937)
From: "PayPal Security Service"
Content-Type: multipart/alternative; boundary="msg_boundary_0000-03"
Content-Length: 1653


Dear mrlinuxhead@yahoo.com,

It has come to our attention that your PayPal® account information needs to be
updated as part of our continuing commitment to protect your account and to
reduce the instance of fraud on our website. If you could please take 5-10 minutes
out of your online experience and update your personal records you will not run into
any future problems with the online service.


However, failure to update your records will result in account suspension.
Please update your records on or before May 03, 2006.

Once you have updated your account records, your PayPal® session will not be
interrupted and will continue as normal.

To update your PayPal® records click on the following link:
http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/restrictedaccounts.asp



Thank You.
PayPal® UPDATE TEAM

Accounts Management As outlined in our User Agreement, PayPal® will
periodically send you information about site changes and enhancements.

Visit our Privacy Policy and User Agreement if you have any questions.
http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/ua/policy_privacy-outside
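The tell in this mail is that the visible link text is the genuine PayPal URL while the href behind it points at a.citron.nnov.ru. Here is an added Python check (not from the original post) that flags anchors whose displayed URL sits on a different domain than the href; the HTML sample is constructed from the two URLs quoted in the post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample (assumption): the anchor as the mail renders it, with the
# real PayPal URL as visible text and the nnov.ru href behind it, plus a
# plain-text anchor to show that it is not flagged.
SAMPLE_HTML = (
    '<p>To update your PayPal records click on the following link:<br>'
    '<a href="http://a.citron.nnov.ru/~test/%20/.paypal.com/link.php">'
    'http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/restrictedaccounts.asp</a>'
    ' or <a href="http://a.citron.nnov.ru/~test/">click here</a></p>'
)

# Visible text that a reader would take for a URL or hostname.
URLISH = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]|$)", re.I)

class _Anchors(HTMLParser):
    # Collects (href, visible text) for every <a> element.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    """Crude registrable domain: last two labels (no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])

def deceptive_links(html):
    """Anchors whose visible text is a URL on a different domain than the href."""
    parser = _Anchors()
    parser.feed(html)
    found = []
    for href, text in parser.links:
        if not URLISH.match(text):      # "click here" style text: nothing to compare
            continue
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        real = urlparse(href).hostname
        if shown and real and registrable(shown) != registrable(real):
            found.append({"shown": shown, "real": real, "href": href})
    return found
```

The two-label domain comparison is deliberately crude; a mail filter would use a public-suffix list so that co.uk style domains compare correctly.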

The email headers point to this box as the SMTP server:

IP address: 61.78.62.237
Reverse DNS: [No reverse DNS entry per ns1.siidc.net.]
Reverse DNS authenticity: [Unknown]
ASN: 4766
ASN Name: KIXS-AS-KR (Korea Telecom)
IP range connectivity: 5
Registrar (per ASN): APNIC
Country (per IP registrar): KR [Korea-KR]
Country Currency: KRW [Korea (South) Won]
Country IP Range: 61.72.0.0 to 61.79.255.255
Country fraud profile: Normal
City (per outside source): Seoul, Kyonggi-Do
Private (internal) IP? No
IP address registrar: whois.apnic.net
Known Proxy? No
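The Received chain and the Authentication-Results header are what give the 61.78.62.237 origin away. This added Python example (not from the original post) walks the Received headers from the recipient's own MTA inward to pull out the first public connecting IP and reads the domainkeys verdict; the header sample is constructed from the headers quoted above.

```python
import ipaddress
import re
from email import message_from_string
from typing import Optional

# Constructed sample (assumption): the Received and Authentication-Results
# headers from the message above, topmost Received = most recent hop.
SAMPLE_HEADERS = (
    "Received: from 61.78.62.237 (EHLO localhost.localdomain) (61.78.62.237)"
    " by mta222.mail.mud.yahoo.com with SMTP; Sun, 30 Apr 2006 05:03:13 -0700\n"
    "Received: from localhost.localdomain (dbslow [127.0.0.1]) by"
    " localhost.localdomain (8.13.1/8.13.1) with ESMTP id k3UBugDJ006814;"
    " Sun, 30 Apr 2006 20:56:42 +0900\n"
    "Received: (from mysql@localhost) by localhost.localdomain"
    " (8.13.1/8.13.1/Submit) id k3UBugwh006813; Sun, 30 Apr 2006 20:56:42 +0900\n"
    "Authentication-Results: mta222.mail.mud.yahoo.com from=paypal.com;"
    " domainkeys=neutral (no sig)\n"
)

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def connecting_ip(headers: str) -> Optional[str]:
    """Public IP that handed the message to the recipient's own MTA.

    Only the topmost Received header was written by a server we control;
    everything below it came from the sender and may be forged. Loopback and
    private hops are skipped in case our own MTA relayed internally first.
    """
    msg = message_from_string(headers)
    for received in msg.get_all("Received", []):
        from_clause = received.split(" by ", 1)[0]   # ignore the "by ..." host
        for candidate in IPV4.findall(from_clause):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:          # e.g. 999.1.1.1 matched the regex
                continue
            if ip.is_global:
                return str(ip)
    return None


def domainkeys_result(headers: str) -> Optional[str]:
    """The domainkeys= verdict from Authentication-Results, if present."""
    auth = message_from_string(headers).get("Authentication-Results", "")
    match = re.search(r"domainkeys=(\w+)", auth)
    return match.group(1) if match else None
```

A "neutral (no sig)" verdict for a mail claiming to be from paypal.com, combined with a connecting IP in a consumer ISP range, is exactly the pair of signals a triage script should surface first.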


This is where the phoney PayPal site is located:

195.98.59.34 PTR record: a.citron.nnov.ru. [TTL 86400s] [A=195.98.59.34]


WHOIS - NNOV.RU

domain: NNOV.RU
type: GEOGRAPHICAL
descr: Public geographical domain
descr: for Nizhny Novgorod region
descr: supported by Agenstvo Delovoj Svjazi, Ltd.
nserver: ns.kis.ru.
nserver: ns.nnov.ru. 195.98.32.114
nserver: ns1.cityline.ru.
nserver: ns1.kis.ru.
nserver: ns2.kis.ru.
state: REGISTERED, DELEGATED
org: "Agenstvo Delovoj Svjazi", Ltd
phone: +7 8312 777777
fax-no: +7 8312 777771
e-mail: agency@bca.ru
registrar: RIPN-REG-RIPN
created: 1996.10.23
paid-till: 2006.11.01
source: TC-RIPN


domain: NNOV.RU
type: GEOGRAPHICAL
descr: Public geographical domain
descr: for Nizhny Novgorod region
descr: supported by Agenstvo Delovoj Svjazi, Ltd.
admin-o: ADSL-ORG-RIPN
nserver: ns.kis.ru.
nserver: ns.nnov.ru. 195.98.32.114
nserver: ns1.cityline.ru.
nserver: ns1.kis.ru.
nserver: ns2.kis.ru.
created: 1996.10.23
state: Delegated till 2007.03.01
changed: 2003.10.07
mnt-by: ADSL-MNT-RIPN
source: RIPN

org: "Agenstvo Delovoj Svjazi", Ltd
nic-hdl: ADSL-ORG-RIPN
admin-c: DM59-RIPE
admin-c: ZOV3-RIPN
bill-c: DM59-RIPE
bill-c: DV15-RIPE
bill-c: AS14618-RIPE
bill-c: ZOV3-RIPN
phone: +7 8312 777777
fax-no: +7 8312 777771
e-mail: agency@bca.ru
changed: 2004.10.06
mnt-by: ADSL-MNT-RIPN
source: RIPN

person: OLGA V ZAHRYAPINA
nic-hdl: ZOV3-RIPN
phone: +7 8312 777777
e-mail: olya@bca.ru
changed: 2004.10.06
mnt-by: ADSL-MNT-RIPN
source: RIPN

Last updated on 2006.04.12 04:43:49 MSK/MSD

DNS entries for nnov.ru

nnov.ru. A IN 86400 195.98.32.114
nnov.ru. NS IN 86400 ns.nnov.ru.
nnov.ru. NS IN 86400 ns.kis.ru.
nnov.ru. NS IN 86400 ns1.kis.ru.
nnov.ru. NS IN 86400 ns2.kis.ru.
nnov.ru. NS IN 86400 ns1.cityline.ru.
ns.nnov.ru. A IN 86400 195.98.32.114
ns.kis.ru. A IN 44456 195.98.32.193
ns1.kis.ru. A IN 44456 195.98.32.200
ns2.kis.ru. A IN 56534 195.98.51.60
ns1.cityline.ru. A IN 217645 195.46.160.1

IP Info on nnov.ru

IP address: 195.98.32.114
Reverse DNS: nnov.kis.ru.
Reverse DNS authenticity: [Verified]
ASN: 8371
ASN Name: KIS-ADS (Commercial Information Networks)
IP range connectivity: 1
Registrar (per ASN): RIPE
Country (per IP registrar): RU [Russian Federation]
Country Currency: RUR [Russia Rubles]
Country IP Range: 195.98.32.0 to 195.98.63.255
Country fraud profile: High
City (per outside source): New Westminster, British Columbia
Private (internal) IP? No
IP address registrar: whois.ripe.net
Known Proxy? No


KIS.RU

domain: KIS.RU
type: CORPORATE
nserver: ns.kis.ru. 195.98.32.193
nserver: ns1.kis.ru. 195.98.32.200
nserver: ns2.kis.ru. 195.98.51.60
state: REGISTERED, DELEGATED
org: "Agenstvo Delovoj Svjazi", Ltd
phone: +7 8312 777777
fax-no: +7 8312 777771
e-mail: www@bca.ru
registrar: RUCENTER-REG-RIPN
created: 1996.09.14
paid-till: 2006.10.01
source: TC-RIPN

So it seems that this NNOV.RU is actually a sub-domain of KIS.RU.

Somebody email this clown and tell him to shut it down?

www@bca.ru
olya@bca.ru
