rsanch

Rackspace-Themed Phishing Sites

May 5th, 2019
On May 5, 2019, the server at IP address 69.12.87.130 (AS8100 - QuadraNet Enterprises LLC) hosted 15 phishing pages disguised as Rackspace webmail login sites, and at least one of the sites exposed an open directory. A common pattern observed across the pages is the URL directory structure ~hjkggjgj/rk/Rackspace/.
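A detection check built from the indicators above, added here as an example (not part of the original paste): it walks constructed web-proxy log lines and flags requests to the hosting IP or to any host carrying the ~hjkggjgj/rk/Rackspace/ directory structure, so a host reusing the same kit layout is caught even if it is not on the list. The log field order is an assumption.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address

# Indicators taken from the paste: the hosting IP and the URL directory
# structure shared by every listed phishing page.
HOSTING_IP = ip_address("69.12.87.130")
PATH_PATTERN = re.compile(r"/~hjkggjgj/rk/Rackspace/")

# Constructed proxy log sample (not from the paste). Field order is assumed:
# client_ip dest_ip method url
SAMPLE_LOG = """\
10.0.0.5 69.12.87.130 GET http://vainqueur.in/~hjkggjgj/rk/Rackspace/Rackspace.html
10.0.0.9 198.51.100.20 GET http://clean.example/index.html
10.0.0.7 203.0.113.10 GET http://newhost.example/~hjkggjgj/rk/Rackspace/Rackspace_files/
10.0.0.8 69.12.87.130 GET http://vietnam-fo4mgarena.com/robots.txt
"""


@dataclass
class Hit:
    client: str
    url: str
    reasons: tuple


def classify(line: str):
    """Return a Hit when the request touches the hosting IP or the kit path,
    otherwise None. Each indicator is recorded separately so an analyst can
    see whether a previously unknown host reused the kit layout."""
    client, dest, _method, url = line.split(maxsplit=3)
    reasons = []
    if ip_address(dest) == HOSTING_IP:
        reasons.append("dest ip 69.12.87.130")
    if PATH_PATTERN.search(url):
        reasons.append("rackspace kit path")
    return Hit(client, url, tuple(reasons)) if reasons else None


def scan(log_text: str):
    """Run classify over every non-empty line and keep only the hits."""
    return [h for h in (classify(l) for l in log_text.splitlines() if l.strip()) if h]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit.client, hit.url, ", ".join(hit.reasons))
```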

Rackspace-Themed Phishing Sites (All active as of 05/05/2019)

Malicious Sites

vietnam-fo4mgarena.com
vainqueur.in
traoquafo4mgarena.com
tanta-shopping.com
onlineaccounting.com.my
mail.ilhamas.name
mail.napthettl3d.com
mail.pubgandroid.info
nesaralaw.us
mail.yelmor.com
mail.article-emporium.ca
mark-library.tk
livingdelight.se
mail.wsyy.info
mail.dronesale.me

Basic Details on Malicious Domains

vietnam-fo4mgarena.com
Registered on November 28, 2018 with registrar 1&1 using a domain privacy protection service.

vainqueur.in
Registered on January 23, 2011; associated with registrant Uday Bhanu P of registrant organization Vainqueur Corporate Services, who uses registrant email uday.6207@gmail.com.
Current SOA record: ns4.varahosting.com -> uday.6207@gmail.com
Historical SOA record: ns1.varahosting.com -> uday.6207@gmail.com

mail.ilhamas.name
ilhamas.name was registered on May 14, 2018 and is associated with registrant Ilham Andika, who used registrant email ilhamas.name@gmail.com.
Current SOA record: ns9.nspops.com -> indteamhost@gmail.com
Historical SOA record: nashville1.viewen.com -> viewenindia.gmail.com

mail.napthettl3d.com
napthettl3d.com was registered on September 26, 2018 with registrar NameCheap using a domain privacy protection service.
Historical SOA record: ns1.dedicatedcpanel.com -> hostkarle@gmail.com

mail.pubgandroid.info
pubgandroid.info was registered on August 24, 2018 with registrar GoDaddy using a domain privacy protection service. Of note, the registrant State/Province is listed as Uttar Pradesh (a state in northern India).
Historical SOA record: ns5.nspops.com -> nspops.server@gmail.com

mail.article-emporium.ca
article-emporium.ca was registered on December 17, 2016 with registrar NameCheap using a domain privacy protection service. Historical records from January 24, 2018 identified the previous owner as Dany Carter of 123 Queen St W, ON, who used registrant email hero1245@hotmail.com.
Historical SOA record: ns5.nspops.com -> nspops.server@gmail.com

mail.dronesale.me
dronesale.me was registered on October 27, 2018 with registrar NameCheap using a domain privacy protection service.
Current SOA record: ns5.nspops.com -> kucingsenja@yahoo.com

onlineaccounting.com.my
Registered on March 11, 2013 using a domain privacy protection service.

nesaralaw.us
Registered on January 11, 2019 and associated with registrant Gina Courtade, who used registrant email blogyugo@gmail.com.

mail.yelmor.com
yelmor.com was registered on June 2, 2016 with registrar Shanghai Meicheng Tech and is associated with registrant email yumingyinsibaohu@cndns.com.

mark-library.tk
Possibly available for sale: https://whois.marcaria.com/en/Result?SearchDomain=mark-library.tk

livingdelight.se
Registered on March 16, 2017 with registrar Loopia AB using a domain privacy protection service.

mail.wsyy.info
wsyy.info was registered on April 15, 2013 with registrar Crazy Domains by registrant Ni Cai Cai, using registrant email joiay@foxmail.com and admin/technical email mengxia220220@gmail.com.

References
https://twitter.com/rpsanch
https://urlscan.io/search/#ip%3A%2269.12.87.130%22
https://www.virustotal.com/#/ip-address/69.12.87.130
https://whois.marcaria.com/en/Result?SearchDomain=mark-library.tk