INGDiba German Phishing website, not blocked by Avast

Blacklisted by ESET: hxxps://www.virustotal.com/en/url/f4c5b1af2d3095f2a627ea41ede5b295bce8a138224eaf6e7a2e7b4d2623d42e/analysis/1398175992/
1 suspicious file found by Quttera: hxxp://quttera.com/detailed_report/b.ing-forward.com
The website is spread via a spam mail, which is attached as a screenshot.

I think this is something for polonus to take a look at.

URL is listed at PhishTank … so those using OpenDNS are protected.

It wasn't in PhishTank a few minutes ago, just got added.

I got this spam mail today in Gmail, and I don't have anything to do with INGDiba at all.

URL is blocked by Kaspersky's heuristic analysis as a phishing website.

Bitdefender is now detecting it too.

Website seems to be down now.

Hi Steven Winderlich,

The IP is on an abused and misused server at Cloudflare → http://support.clean-mx.com/clean-mx/viruses.php?ns2=greg.ns.cloudflare.com&sort=email%20asc&response=alive

Also clear on detection is Sucuri's: http://sitecheck.sucuri.net/results/www.b.ing-forward.com
See: http://toolbar.netcraft.com/site_report?url=http://www.b.ing-forward.com risk rating 10/10 all red!
Everything fine here: http://dnscheck.pingdom.com/?domain=ing-forward.com&timestamp=1398287558&view=1
But errors and delegation problems starting for the subdomain: http://dnscheck.pingdom.com/?domain=b.ing-forward.com&timestamp=1398287657&view=1
Not enough nameserver information was found to test the zone b.ing-forward.com, but an IP address lookup succeeded in spite of that.
Looks like a zone-forward attack took place there ;D

Code: 302, htxp://tr.im (a conditional redirect found)

Redirect to external server! (using the tr.im URL shortener)

See: http://fetch.scritch.org/%2Bfetch/?url=b.ing-forward.com&useragent=Fetch+useragent&accept_encoding=

Malicious as given here: htxp://b.ing-forward.com redirects to htxp://tr.im

Dr.Web's URL checker flags it.
htxp://tr.im is in Dr.Web malicious sites list!

Checking: htxp://tr.im///trim-assets.s3.amazonaws.com/assets/application-6fe0be6a67a5badc99020c120434a6c7.js
File size: 7485 bytes
File MD5: 1dd6654ed7e60462d63b8e9409d23283

htxp://tr.im///trim-assets.s3.amazonaws.com/assets/application-6fe0be6a67a5badc99020c120434a6c7.js - archive JS-HTML

htxp://tr.im///trim-assets.s3.amazonaws.com/assets/application-6fe0be6a67a5badc99020c120434a6c7.js/JSTAG_1[17a][4d] - Ok
htxp://tr.im///trim-assets.s3.amazonaws.com/assets/application-6fe0be6a67a5badc99020c120434a6c7.js/JSTAG_2[722][43] - Ok
htxp://tr.im///trim-assets.s3.amazonaws.com/assets/application-6fe0be6a67a5badc99020c120434a6c7.js/JSTAG_3[1855][2a3] - Ok
htxp://tr.im///trim-assets.s3.amazonaws.com/assets/application-6fe0be6a67a5badc99020c120434a6c7.js/JSTAG_4[1b21][203] - Ok
htxp://tr.im///trim-assets.s3.amazonaws.com/assets/application-6fe0be6a67a5badc99020c120434a6c7.js - Ok *

Checking: htxp://tr.im
Engine version: 7.0.9.4080
Total virus-finding records: 5141003
File size: 7817 bytes
File MD5: 6be4d3b17491d0fdadf701622da6fea5

htxp://tr.im - archive JS-HTML

htxp://tr.im/JSTAG_1[17a][4d] - Ok
htxp://tr.im/JSTAG_2[722][43] - Ok
htxp://tr.im/JSTAG_3[19a4][2a3] - Ok
htxp://tr.im/JSTAG_4[1c70][200] - Ok
htxp://tr.im - Ok

  • Could have been abused by ET DROP Spamhaus DROP Listed Traffic Inbound group 13 and/or ET RBN Known Russian Business Network IP group 76

pol
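
As an added example (not code from pol's post or from any of the tools linked above), the following Python script reproduces the redirect check offline: it parses a raw HTTP response, resolves the Location header against the request URL, flags a target that is off-site relative to the request host, flags a URL-shortener destination from an assumed shortener list, and compares the verdicts that two different User-Agents receive so a conditional (cloaked) redirect shows up. The two sample responses are constructed to mirror the 302 to tr.im described above; they are not captured traffic.

```python
"""Redirect classification for a suspected phishing host (added example).

The responses below are constructed, not captured from b.ing-forward.com.
"""
from urllib.parse import urljoin, urlsplit

# Assumption: a small analyst-maintained list of URL-shortener hosts.
SHORTENER_HOSTS = {"tr.im", "bit.ly", "goo.gl", "t.co", "tinyurl.com"}
REDIRECT_CODES = {301, 302, 303, 307, 308}


def registrable_host(host):
    """Crude same-site key: the last two DNS labels (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_response_head(raw):
    """Split a raw HTTP response (bytes) into (status_code, {header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def classify_redirect(request_url, raw_response):
    """Describe where a response sends the client and whether that is off-site."""
    status, headers = parse_response_head(raw_response)
    info = {"status": status, "location": None, "external": False,
            "shortener": False, "verdict": "no redirect"}
    if status not in REDIRECT_CODES or "location" not in headers:
        return info
    # Location may be relative, so resolve it against the request URL first.
    target = urljoin(request_url, headers["location"])
    src_host = urlsplit(request_url).hostname or ""
    dst_host = urlsplit(target).hostname or ""
    info["location"] = target
    info["external"] = registrable_host(src_host) != registrable_host(dst_host)
    info["shortener"] = dst_host.lower() in SHORTENER_HOSTS
    if info["shortener"]:
        info["verdict"] = "external redirect via URL shortener"
    elif info["external"]:
        info["verdict"] = "external redirect"
    else:
        info["verdict"] = "same-site redirect"
    return info


def is_conditional(request_url, responses_by_agent):
    """True when different User-Agents get different verdicts (cloaking)."""
    verdicts = {ua: classify_redirect(request_url, raw)["verdict"]
                for ua, raw in responses_by_agent.items()}
    return len(set(verdicts.values())) > 1, verdicts


# Constructed sample traffic: a scanner UA gets bounced to the shortener,
# a browser UA gets the (placeholder) login form.
URL = "http://b.ing-forward.com/"
SCANNER_RESPONSE = (b"HTTP/1.1 302 Found\r\n"
                    b"Location: http://tr.im\r\n"
                    b"Content-Length: 0\r\n\r\n")
BROWSER_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                    b"Content-Type: text/html\r\n\r\n"
                    b"<html><form action=/login.php>...</form></html>")
SAMPLES = {"Fetch useragent": SCANNER_RESPONSE,
           "Mozilla/5.0 (Windows NT 6.1) Firefox/28.0": BROWSER_RESPONSE}

if __name__ == "__main__":
    print(classify_redirect(URL, SCANNER_RESPONSE))
    cloaked, per_agent = is_conditional(URL, SAMPLES)
    print("conditional redirect:", cloaked, per_agent)
```

When doing this against a live host, fetch with redirects disabled (e.g. `http.client` rather than `urllib.request`, which follows 302s silently) and repeat the request with a scanner-like and a browser-like User-Agent, since a redirect that only scanners see is exactly what the fetch.scritch.org check above is hunting for.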

URL is still not blocked by Avast.

3/51 on VirusTotal now.

Already submitted to Avast, and it's ticketed now with normal priority.

Now blocked by CRDF: https://www.virustotal.com/en/url/f4c5b1af2d3095f2a627ea41ede5b295bce8a138224eaf6e7a2e7b4d2623d42e/analysis/1398346711/