[anti-abuse-wg] Conspiracy for the practice of organized crime with phishing

An impressive tangle of hostnames, owners and ISPs to practice crimes - sending of phishing to steal bank account passwords and credit card. In fact we are talking of conspiracy to include crimes. The purpose of this confusion of hostnames, owners and ISPs is to hide the responsibles or at least dilute responsibilities. One thing is certain, there are no useful innocent in this story. All are practicing crime. Everybody know that are conspiring and committing crime.

Spam sender IP address 192.185.176.127: br94.hostgator.com.br (hostname) - Websitewelcome.com (ISP)
Spam URL IP 62.75.209.235: euve82972.serverprofi24.com (hostname) - Plusserver AG (ISP)
br94.hostgator.com.br ==> jessica.ns.cloudflare.com ==> domain conversaafiada.com.br ==> owner Paulo Henrique dos Santos Amorim Resolve Host: 174.37.202.36-static.reverse.softlayer.com – Softlayer Indonésia.

It is a phishing, supposedly sent by Bradesco Bank, to steal data and passwords of bank account and credit card.

FROM SPAMCOP
Routing details for 192.185.176.127
Cached whois for 192.185.176.127 : ipadmin at websitewelcome.com 
Using abuse net on ipadmin at websitewelcome.com 
abuse net websitewelcome.com = abuse at websitewelcome.com, abuse at softlayer.com 
Using best contacts abuse at websitewelcome.com abuse at softlayer.com
Resolving link obfuscation

http:// 62.75.209.235/ servidor_privado/ k.php

Tracking link: http:// 62.75.209.235/ servidor_privado/ k.php



Routing details for 62.75.209.235
Cached whois for 62.75.209.235 : abuse at plusserver.de abuse at ip-pool.com
Using abuse net on abuse at plusserver.de
abuse net plusserver.de = auftrag at nic.telekom.de, abuse at plusserver.de, abuse at he.net, abuse at server4you.de, abuse at eu.level3.net
Using abuse net on abuse at ip-pool.com
abuse net ip-pool.com = abuse at plusserver.de, abuse at ip-pool.com
Using best contacts abuse at plusserver.de auftrag at nic.telekom.de abuse at he.net abuse at server4you.de abuse at eu.level3.net abuse at ip-pool.com
Reports disabled for abuse at server4you.de

The spammers and the criminals are filling the coffers of ISPs and Registrar while trying to rob us. Certainly they can irritate us every day.

Marilson

HEADER
Delivered-To: marilson.mapa at gmail.com
Received: by 10.103.43.68 with SMTP id r65csp1519399vsr;
        Mon, 28 Sep 2015 13:02:42 -0700 (PDT)
X-Received: by 10.182.109.170 with SMTP id ht10mr11697889obb.62.1443470562509;
        Mon, 28 Sep 2015 13:02:42 -0700 (PDT)
Return-Path: <fabri062 at br94.hostgator.com.br>
Received: from br94.hostgator.com.br (br94.hostgator.com.br. [192.185.176.127])
        by mx.google.com with ESMTPS id ht3si9152167obb.9.2015.09.28.13.02.42
        for <marilson.mapa at gmail.com>
        (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 28 Sep 2015 13:02:42 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of fabri062 at br94.hostgator.com.br designates 192.185.176.127 as permitted sender) client-ip=192.185.176.127;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of fabri062 at br94.hostgator.com.br designates 192.185.176.127 as permitted sender) smtp.mailfrom=fabri062 at br94.hostgator.com.br;
       dmarc=fail (p=NONE dis=NONE) header.from=gmail.com
Received: from fabri062 by br94.hostgator.com.br with local (Exim 4.85)
    (envelope-from <fabri062 at br94.hostgator.com.br>)
    id 1ZgedF-0007CU-UL
    for marilson.mapa at gmail.com; Mon, 28 Sep 2015 17:02:42 -0300
To: marilson.mapa at gmail.com
Subject: Comunicado importante. (96649)
X-PHP-Script: caravelasmodapraia.com/Br.php for 177.138.30.17
MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1
X-Mailer: Microsoft Office Outlook, Build 17.551210
Content-Transfer-encoding: 8bit
From: marilson.mapa at gmail.com
Reply-To: marilson.mapa at gmail.com
X-Mailer: iGMail [www.ig.com.br]
X-Originating-Email: marilson.mapa at gmail.com
X-Sender: marilson.mapa at gmail.com
X-iGspam-global: Unsure, spamicity=0.570081 - pe=5.74e-01 - pf=0.574081 - pg=0.574081
Message-Id: <E1ZgedF-0007CU-UL at br94.hostgator.com.br>
Date: Mon, 28 Sep 2015 17:02:41 -0300
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - br94.hostgator.com.br
X-AntiAbuse: Original Domain - gmail.com
X-AntiAbuse: Originator/Caller UID/GID - [1091 32007] / [47 12]
X-AntiAbuse: Sender Address Domain - br94.hostgator.com.br
X-BWhitelist: no
X-Source-IP: 
X-Exim-ID: 1ZgedF-0007CU-UL
X-Source: /opt/php53/bin/php-cgi
X-Source-Args: /opt/php53/bin/php-cgi /home/fabri062/public_html/caravelasmodapraia.com/Br.php 
X-Source-Dir: fabricadebiquinis.com.br:/public_html/caravelasmodapraia.com
X-Source-Sender: 
X-Source-Auth: fabri062
X-Email-Count: 5
X-Source-Cap: ZmFicmkwNjI7ZmFicmkwNjI

TEXT – hiperlink removed – URL: http:// 62.75.209.235/ servidor_privado/ k.php

From: marilson.mapa at gmail.com 
Sent: Monday, September 28, 2015 5:02 PM
To: marilson.mapa at gmail.com 
Subject: Comunicado importante. (96649)


      Prezado(a) Cliente,

      O motivo pelo qual estamos entrando em contato, é para informar que seu cartão chave de sergurança tabela Bradesco encontra-se expirado, pedimos que você acesse nosso portal e ative-o.

      Caso a reativação de sua conta não seja realizada, será cobrado um valor de R$ 85,70 referente ao envio de um novo cartão de sergurança. 

      Para ativar o cartão chave clique aqui



     
    Comunicado importante. 
     

-------------- next part --------------
An HTML attachment was scrubbed...
URL: </ripe/mail/archives/anti-abuse-wg/attachments/20151003/e2116722/attachment.html>