by Rudolf Faix
2. July 2015 06:11
After thinking for a long time about the purpose of the sites fifty-news.com, multitrendo.com, tempoquiz.com, trastnews.com, vacantsurvey.com, wheresurvey.com, whosurvey.com and the other sites hosted there, I got their purpose. They are only available for phishing the passwords of your payment provider. Especially if you expect a payment and you get a faked email from your payment provider asking for an account verification, you will not wait long before making this account verification.
Take a look at the "PayPal" email - it is in German (my account was created in Austria) - the translation of the important parts is described afterwards:
Why this email is a phishing email:
- PayPal will never use the email address access@access.com
- The message "... der Zeit Ihrer letzen Anmeldung,Ihr PayPal-Konto ist vorübergehend blockiert" - English: "... since you logged off the last time your PayPal account is temporarily blocked" - is known from PayPal. With this you are invited to follow the link provided at "Klicken Sie bitte Jetzt Zugriff wiederherstellen" (English: "Click Restore the Access Now"). This link and the button lead to http://kolbe.bz/logins/ - not really to PayPal.
- The same link http://kolbe.bz/logins/ is found at the end of the message, where nothing else is written than "Please don't answer this email, we are not reading this email. If you have questions then log in to your account and click on contact".
kolbe.bz is a hacked WordPress site - you can see the WordPress logo if you use http://kolbe.bz/login instead of http://kolbe.bz/logins/. If you use http://kolbe.bz/logins/ then you see a copy of the PayPal page:
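The two checks from the list above (sender domain and real link target), written as a small mail triage script. This is an added example, not part of the original post; the set of legitimate PayPal domains, the function names and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains the real sender uses; adjust for the brand being checked.
BRAND_DOMAINS = {"paypal.com", "paypal.de", "paypal.at"}

# Constructed sample modelled on the email described above (not the original).
SAMPLE = """\
From: PayPal <access@access.com>
Content-Type: text/html; charset=utf-8

<p><a href="http://kolbe.bz/logins/">Jetzt Zugriff wiederherstellen</a></p>
<p><a href="https://www.paypal.com/">PayPal</a></p>
<p><a href="http://kolbe.bz/logins/">Kontakt</a></p>
"""

def in_brand(host):
    # Exact or subdomain match only, so "paypal.com.kolbe.bz" does not pass.
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def phishing_indicators(raw):
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    # Display name claims the brand, but the address is on another domain.
    if "paypal" in display.lower() and not in_brand(addr.rpartition("@")[2]):
        findings.append(("sender", addr.rpartition("@")[2].lower()))
    collector = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True)
            collector.feed(body.decode(part.get_content_charset() or "utf-8", "replace"))
    # Judge each link by the host in href, never by its visible text.
    for href in collector.hrefs:
        url = urlsplit(href)
        if url.scheme in ("http", "https") and not in_brand(url.hostname):
            findings.append(("link", url.hostname))
    return findings
```
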
kolbe.bz redirects the traffic to serveusers.com. The domain serveusers.com belongs to the hosting provider Network OperationsZZZ ChangeIP located in Miami, USA.
The website is found at the IP:
| IP Address | Country | Region | City | ISP |
|---|---|---|---|---|
| 187.108.192.56 | Brazil | Sao Paulo | Sao Paulo | Snh Servicos De Internet Ltda. |
The email got sent from the following IP:
| IP Address | Country | Region | City | ISP |
|---|---|---|---|---|
| 67.225.220.93 | United States | Michigan | Lansing | Liquid Web Inc. |
At the moment the following domains are available on the same servers - you should avoid these sites:
Never click on a link in a received email in such a case. Go directly to the site by entering the link manually.