Phishing domains worth blocking...Host1plus-cloud-server abuse!

Coming to an online theater soon: icsvalidation.su etc.
Want an example? Suricata Emerging Threats IDS alert: “ET DNS Query for .su TLD (Soviet Union) Often Malware Related”.
See: http://urlquery.net/report.php?id=1473034336331

See: https://virustotal.com/en/url/8fd10da1257e7dcd274974807caf829a782a97c2af9070f3410c159576c50709/analysis/1473137658/
[2] https://virustotal.com/en/ip-address/154.16.205.3/information/

IP 154.16.205.3 info: credits go to T.S. & Erik van Straten

polonus

Update: Site is hosted as hostname = IP for AS MAROSNET, Moscow, in Los Angeles, for netblock owner DIEXDNS INFRASTRUCTURE IN RUSSIA via registrar R01-REG-FID (transferred); re: → https://zeustracker.abuse.ch/monitor.php?registrar=R01-REG-FID
MySQL authenticated site - dns.freedns.review, OpenSSH 5.3 (protocol 0.2), JSON (JSON is vuln. and not suitable for private data communication) - possible line of abuse: credit card abuse.

D

Update:

The phishing mails are now seen actively launched through a phishing campaign mainly directed at the Netherlands: e.g. https://www.fraudehelpdesk.nl/vragen-meldingen-cpt/nepmail-omloop-uit-naam-van-ics-validatie/

Various IDS alerts for it here: http://urlquery.net/report.php?id=1473425258579

Has also been seen to appear here, in this list: https://techhelplist.com/53-pastes

Has all the signs of an RBN domain, ergo a CRIME-ONLY phishing domain.

Damian aka polonus

Similar phishing from that same IP, but for another theater: http://urlquery.net/report.php?id=1473565080981
See: http://fetch.scritch.org/%2Bfetch/?url=www.us-bankofamerica.com%2F&useragent=Fetch+useragent&accept_encoding=
And here: https://www.h3xed.com/web-and-internet/scam-text-message-from-855-254-9217-us-bankofamerica-com

Latest: redirects here, and it is phishing: http://urlquery.net/report.php?id=1475096990810 , see: http://toolbar.netcraft.com/site_report?url=http%3A%2F%2Fww17.us-bankofamerica.com%2F

Listed here (the list is updated daily): http://phishing.mailscanner.info/phishing.bad.sites.conf

polonus
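Two things in this thread lend themselves to a worked example: the Emerging Threats alert on DNS queries for the .su TLD mentioned in the first post, and the daily phishing-domain blocklist mentioned in the last one. The block below is an added example, not code from the thread or from Emerging Threats/MailScanner: it builds DNS query packets for the domains named on the page, parses the QNAME back out of the wire format, and fires a .su-TLD alert and/or a blocklist hit. The real ET rule matches on raw packet bytes inside Suricata and the real phishing.bad.sites.conf may use a different format; the blocklist, the packets and the `LOCAL ...` alert name here are constructed for the demo.

```python
"""
Added example (not from the forum thread): a small detector that mirrors what
the ET ".su TLD" DNS rule and a phishing-domain blocklist do, run over
constructed DNS query packets. The domains are the ones named in the thread;
the blocklist contents, packets and LOCAL alert name are constructed here.
"""
import struct

# Constructed blocklist (assumption: not the real phishing.bad.sites.conf format).
BLOCKLIST = {"icsvalidation.su", "us-bankofamerica.com"}

# Only .su is cited on the page; ET ships similar rules for other TLDs.
SUSPICIOUS_TLDS = {"su"}

ET_SU_ALERT = "ET DNS Query for .su TLD (Soviet Union) Often Malware Related"


def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A/IN query in RFC 1035 wire format (constructed input)."""
    # ID, flags (RD set), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.strip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_qname(packet: bytes) -> str:
    """Extract the first question's QNAME from a DNS packet.

    Compression pointers are rejected: a client query's question section
    is the first name in the packet and has nothing earlier to point at.
    """
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    (qdcount,) = struct.unpack(">H", packet[4:6])
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question QNAME")
        pos += 1
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels).lower()


def is_blocked(host: str, blocklist=BLOCKLIST) -> bool:
    """Suffix match on label boundaries: ww17.us-bankofamerica.com matches
    us-bankofamerica.com, but notus-bankofamerica.com does not."""
    host = host.strip(".").lower()
    return any(host == d or host.endswith("." + d) for d in blocklist)


def classify(packet: bytes) -> list:
    """Return the alert names this DNS query fires (empty list = clean)."""
    qname = parse_qname(packet)
    alerts = []
    tld = qname.rsplit(".", 1)[-1]
    if tld in SUSPICIOUS_TLDS:
        alerts.append(ET_SU_ALERT)
    if is_blocked(qname):
        alerts.append("LOCAL phishing blocklist hit: " + qname)
    return alerts


if __name__ == "__main__":
    for name in ("icsvalidation.su", "ww17.us-bankofamerica.com", "www.example.com"):
        print(name, "->", classify(build_dns_query(name)) or "clean")
```

The .su rule is a low-fidelity indicator by design (the rule name itself says "often", not "always", malware related); legitimate .su traffic exists, so treat a hit as a pivot point and confirm against a blocklist or the urlquery/VirusTotal reports linked above before blocking. The suffix match in `is_blocked` is what keeps the `ww17.` redirect host in the last post covered by a single `us-bankofamerica.com` entry.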