UPDATE: 0130 Hrs IST, May 25, 2009. More about the .be-domain Facebook phishing sites.
UPDATE: 0130 Hrs IST, May 23, 2009. More .be sites similar to yesterday's .at sites have emerged at a new IP. More here
Facebook is currently facing a phishing attack from areps.at and kirgo.at. Some reports mention further .at domains being used in the same attack. The links take you to a Facebook lookalike login page, and the page even sources its CSS and other resources from the real Facebook site, so the phishers are not spending their own resources to host them.

OpenDNS and Google have already started to block and warn users about areps.at. The people behind areps.at are quick as well: they have already taken areps.at down, and kirgo.at is now taking the traffic. kirgo.at has not yet been flagged as a phishing site by any provider; Google did not warn about kirgo.at as of 2350 hrs IST on May 21.
The list of sites also includes fcoder.at, nutpic.at and bests.at, all hosted on the same machine, 213.182.197.2.
All the sites hosted on that machine went down all of a sudden at around 0050 hrs IST, May 22, 2009.
Sample message you will receive in your Facebook inbox from one of your contacts:
“Check areps.at”
or any other of the .at sites listed above.
The best thing to do is not to click on any of the .at links.
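The lookalike page described above has a recognisable shape: the stylesheet and images are hot-linked from the real Facebook hosts, while the login form itself posts the credentials to the phishing host. The script below is an added example, not code from the original post, that checks a page for exactly that combination. The HTML sample is constructed for the example (the asset paths are made up; only the domain names come from the post), and the set of hosts treated as "brand" hosts is an assumption.

```python
# Added example: flag a page that borrows a brand's static assets while its
# credential form posts to a different host. Not from the original post.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed list of legitimate hosts for the brand being impersonated.
BRAND_DOMAINS = {"facebook.com", "fbcdn.net"}


def is_brand_host(host):
    """True if host is one of the brand domains or a subdomain of one."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)


class ResourceExtractor(HTMLParser):
    """Collect external resource URLs and forms (with their input fields)."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = []   # (tag, absolute URL)
        self.forms = []       # {"method", "action", "fields": [(name, type)]}
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("href"):
            self.resources.append((tag, urljoin(self.base_url, a["href"])))
        elif tag in ("img", "script") and a.get("src"):
            self.resources.append((tag, urljoin(self.base_url, a["src"])))
        elif tag == "form":
            self._form = {"method": (a.get("method") or "get").lower(),
                          "action": urljoin(self.base_url, a.get("action") or ""),
                          "fields": []}
        elif tag == "input" and self._form is not None:
            self._form["fields"].append(
                (a.get("name") or "", (a.get("type") or "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def analyse(page_url, html):
    """Return indicators for the page; 'suspicious' is True when an off-brand
    page carries a password form posting off-brand and hot-links brand assets."""
    p = ResourceExtractor(page_url)
    p.feed(html)
    page_host = urlparse(page_url).hostname
    borrowed = [u for _, u in p.resources if is_brand_host(urlparse(u).hostname)]
    offbrand_forms = [
        f["action"] for f in p.forms
        if any(t == "password" for _, t in f["fields"])
        and not is_brand_host(urlparse(f["action"]).hostname)
    ]
    return {
        "page_host": page_host,
        "borrowed_brand_assets": borrowed,
        "offbrand_credential_forms": offbrand_forms,
        "suspicious": bool(borrowed) and bool(offbrand_forms)
                      and not is_brand_host(page_host),
    }


# Constructed sample resembling the lookalike page described in the post.
# Asset paths are invented; only the domain names are from the post.
SAMPLE_URL = "http://areps.at/"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://www.facebook.com/css/login.css">
</head><body>
<img src="http://www.facebook.com/images/logo.gif">
<form method="post" action="login.php">
 <input type="text" name="email"><input type="password" name="pass">
 <input type="submit" value="Login">
</form></body></html>"""

if __name__ == "__main__":
    print(analyse(SAMPLE_URL, SAMPLE_HTML))
```

Hot-linking cuts both ways for the phisher: browsers normally send a Referer header with those sub-resource requests, so the brand's own web-server logs will show the phishing host fetching its CSS and images, which is one way such sites get found and flagged quickly.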
Who.is info for areps.at
domain: areps.at
registrant: AM5009456-NICAT
admin-c: AM5009456-NICAT
tech-c: AM5009456-NICAT
nserver: ns1.everydns.net
nserver: ns2.everydns.net
nserver: ns3.everydns.net
nserver: ns4.everydns.net
changed: 20090515 15:23:47
source: AT-DOM
personname: Andrey Morov
organization:
street address: Schelkovskiy proezd d.11 korp.1 kv.3
postal code: 105425
city: Moscow
country: Russland
phone: +74956211281
fax-no: +74956211281
e-mail: biceps@nameclub.at
nic-hdl: AM5009456-NICAT
changed: 20090515 15:23:43
source: AT-DOM
Information Updated: Thu, 21 May 2009 15:11:33 UTC
AREPS.AT SITE INFORMATION
IP: 213.182.197.2
IP Location: Riga, Latvia
Website Status: inactive
who.is info for kirgo.at
domain: kirgo.at
registrant: AK5009489-NICAT
admin-c: AK5009489-NICAT
tech-c: AK5009489-NICAT
nserver: ns1.everydns.net
nserver: ns2.everydns.net
nserver: ns3.everydns.net
nserver: ns4.everydns.net
changed: 20090515 15:25:21
source: AT-DOM
personname: Alexander Kalinin
organization:
street address: ulitsa Dolskaya d.10 kv.33
postal code: 115569
city: Moskva
country: Russland
phone: +749573431510
fax-no: +749573431510
e-mail: blank@bronzemail.net
nic-hdl: AK5009489-NICAT
changed: 20090515 15:25:19
source: AT-DOM
Information Updated: Thu, 21 May 2009 16:46:47 UTC
KIRGO.AT SITE INFORMATION
IP: 213.182.197.2
IP Location: Riga, Latvia
Website Status: inactive
The IP whois below only shows RIPE NCC in Amsterdam, which is the registry that holds the whole 213.0.0.0/8 block, not the organisation running the server; the actual assignee has to be looked up in the RIPE database, and the geo-IP lookup above places the address in Riga, Latvia.
who.is info for 213.182.197.2
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
ReferralServer: whois://whois.ripe.net:43
NetRange: 213.0.0.0 – 213.255.255.255
CIDR: 213.0.0.0/8
NetName: RIPE-213
NetHandle: NET-213-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: SNS-PB.ISC.ORG
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate:
Updated: 2009-03-25
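The two domain records above share everything that matters for attribution: the same four everydns.net nameservers, the same IP, the same country, and registration changes 94 seconds apart. The script below is an added example, not part of the original post, that parses such whois text and clusters domains by those shared indicators. The areps.at and kirgo.at records are transcribed from the post (with the site IP added as an `ip:` line); the `control.example` record, the indicator rules and the one-hour registration window are this example's own assumptions.

```python
# Added example: pivot on whois data to group domains that share infrastructure.
# Not from the original post. Records for areps.at and kirgo.at are transcribed
# from the post; control.example is a constructed unrelated record.
from collections import defaultdict
from datetime import datetime, timedelta

AREPS = """\
domain: areps.at
registrant: AM5009456-NICAT
nserver: ns1.everydns.net
nserver: ns2.everydns.net
nserver: ns3.everydns.net
nserver: ns4.everydns.net
changed: 20090515 15:23:47
personname: Andrey Morov
country: Russland
ip: 213.182.197.2
"""
KIRGO = """\
domain: kirgo.at
registrant: AK5009489-NICAT
nserver: ns1.everydns.net
nserver: ns2.everydns.net
nserver: ns3.everydns.net
nserver: ns4.everydns.net
changed: 20090515 15:25:21
personname: Alexander Kalinin
country: Russland
ip: 213.182.197.2
"""
# Constructed control record (assumed, not from the post) with unrelated infrastructure.
CONTROL = """\
domain: control.example
registrant: CTRL-EXAMPLE
nserver: ns1.example.net
nserver: ns2.example.net
changed: 20081102 09:00:00
country: Testland
ip: 192.0.2.10
"""


def parse_whois(text):
    """Parse 'key: value' lines into {key: [values]}; repeated keys such as nserver accumulate."""
    rec = defaultdict(list)
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        rec[key.strip().lower()].append(value.strip())
    return dict(rec)


def first(rec, key):
    vals = rec.get(key)
    return vals[0] if vals else None


def changed_time(rec):
    v = first(rec, "changed")
    return datetime.strptime(v, "%Y%m%d %H:%M:%S") if v else None


def shared_indicators(a, b, window=timedelta(hours=1)):
    """Infrastructure indicators two records have in common.
    The one-hour registration window is an assumption of this example."""
    hits = {}
    ns_a, ns_b = set(a.get("nserver", [])), set(b.get("nserver", []))
    if ns_a and ns_a == ns_b:
        hits["nameservers"] = sorted(ns_a)
    if first(a, "ip") and first(a, "ip") == first(b, "ip"):
        hits["ip"] = first(a, "ip")
    ta, tb = changed_time(a), changed_time(b)
    if ta and tb and abs(ta - tb) <= window:
        hits["registered_within"] = abs(ta - tb)
    if first(a, "country") and first(a, "country") == first(b, "country"):
        hits["country"] = first(a, "country")
    return hits


def cluster(records, min_shared=2):
    """Group domains that share at least min_shared indicators (transitively, via union-find)."""
    names = [first(r, "domain") for r in records]
    parent = {n: n for n in names}

    def find(n):
        while parent[n] != n:
            parent[n] = parent[parent[n]]
            n = parent[n]
        return n

    for i, a in enumerate(records):
        for b in records[i + 1:]:
            if len(shared_indicators(a, b)) >= min_shared:
                parent[find(first(b, "domain"))] = find(first(a, "domain"))
    groups = defaultdict(set)
    for n in names:
        groups[find(n)].add(n)
    return sorted(groups.values(), key=lambda g: sorted(g))


if __name__ == "__main__":
    recs = [parse_whois(t) for t in (AREPS, KIRGO, CONTROL)]
    print(shared_indicators(recs[0], recs[1]))
    print(cluster(recs))
```

Requiring at least two shared indicators keeps a weak signal such as a common country from linking unrelated domains on its own. Note that an `ip:` value taken from a whois or site-info snapshot can be stale, exactly as the update at the end of this post describes for the .be domains, so resolve the names yourself before trusting the IP pivot.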
UPDATES from the comments on this post.
The following sites have also been found to be circulating, though afoi.ru seems somewhat dissimilar to the rest.
* afoi.ru
* areps.at
* bests.at
* bestspace.be
* brunga.at
* kirgo.at
* nutpic.at
* ponbon.im
* sweeter.be
The who.is site-information entries for the .be domains still show the same old IP mentioned earlier in the post, but in reality they are being served from a different IP, 211.95.78.98. The older IP has been down and out cold for about 24 hours now, and the .ru one is on completely separate address space.