Tom to me: > >By the time you posted, the target site had been "defaced". > > > >I was looking at it about an hour earlier and it had already been > >defaced then. I'm guessing that either the phisher installed and left > >an open "PHP shell" (or similar) as part of his compromise/hack/phish > >kit or the site had some other obvious access method which someone > >p*ssed at the phish attempt took upon themselves to use to "fix" the > >phishing site. Not common, but not entirely uncommon either... > > Well as of 0700 EST it was phishing Flagstar Bank. ...
...again. So it is. > ... What is > interesting is that the server is configured to serve up .3gp files > as text/html. The site currently frames the real phishing site at: > > http://ambalalfamily.info/forum/images/admine/e/.htacces/index.htm Half wish I'd made a screenshot or saved the defaced site. Presumably the "do gooder" who took to the earlier phishing site didn't actually fix the problem at the base of the phishing compromise and the phisher simply reclaimed the site and re-installed his kit... Regards, Nick FitzGerald _______________________________________________ phishing mailing list [email protected] http://www.whitestar.linuxbox.org/mailman/listinfo/phishing
