-
Posts
-
Hello,
We have discovered a phishing attack located on your network:
hxxps://demo3.cloudwp[.]dev/trial-3850xw14/Oppdater/manage/id/index.php [151.139.128.10]
hxxps://demo3.cloudwp[.]dev/trial-3850xw14/Oppdater/manage/wait/index.php [151.139.128.10]Please see the attached files for further evidence.
This attack targets our customer, FINN, website URL http://www.finn.no/.
Would it be possible to have the fraudulent content, and any other associated fraudulent content, taken down as soon as you are able to?
Additionally, please keep the fraudulent content safe so that our customer and law enforcement agencies can investigate this incident further once the site is offline.
More information about the detected issue is provided at https://incident.netcraft.com/230cbc356f1c/
Many thanks,
Netcraft
Phone: +44(0)1225 447500
Fax: +44(0)1225 448600
Netcraft Issue Number: 38693070This mail can be parsed with x-arf tools. Visit http://www.xarf.org/ for more information about x-arf.
Hi Netcraft Reporter,
We’re sorry to hear you’re dealing with this issue for our Cloud-Wp Services. We have an abuse hotline that you can reach out to report this concern and have it eradicated.
After doing so we will reach back out to you directly with any updates. I hope this helps, please let us know if you have any other questions for us.
Thank you
Hi there,
That abuse form does not seem to allow submission of the form. Are you able to investigate?
Also, I would like to bulk escalate several URLs that are being used for phishing, would this be possible?
Kind regards,
Netcraft.Hello,
We can definitely report this on your behalf, if you’re having trouble with the abuse hotline. Rest assured our team will handle this issue for you. You can enter all Cloud WordPress URLs you suspect into the thread and we will address them promptly.
Thank you.
Thank you.
Could you action this case?
hxxps://demo2.cloudwp[.]dev/trial-zyz94ttz/CA/mi-cuenta/acceso/es/clients/cc.php?verification#_ [151.139.128.10]
hxxps://demo2.cloudwp[.]dev/trial-zyz94ttz/CA/mi-cuenta/acceso/es/clients/app.php [151.139.128.10]
hxxps://demo2.cloudwp[.]dev/trial-8utz80u9/wp-content/avis/clients/login.php [151.139.128.10]
hxxps://demo2.cloudwp[.]dev/trial-15u06u99/wp-includes/avis/clients/login.php [151.139.128.10]
hxxp://demo2.cloudwp[.]dev/trial-15u06u99/wp-content/avis/clients/login.php [151.139.128.10]
hxxps://demo2.cloudwp[.]dev/trial-x7x701t5/Te/mi-cuenta/acceso/es/clients/app.php?verification [151.139.128.10]
hxxps://demo3.cloudwp[.]dev/trial-478t50xt/sa/ [151.139.128.10]
hxxps://demo3.cloudwp[.]dev/trial-478t50xt/sa/phone.php [151.139.128.10]
hxxps://demo3.cloudwp[.]dev/trial-478t50xt/sa/loading.php?id=3 [151.139.128.10]
hxxp://demo3.cloudwp[.]dev/trial-33z1wwyt/wp-content/plugins/sal/ [151.139.128.10]
hxxps://demo3.cloudwp[.]dev/trial-33z1wwyt/wp-content/plugins/sal/loading.php?id=1 [151.139.128.10]
hxxps://demo3.cloudwp[.]dev/trial-33z1wwyt/wp-content/plugins/sal/phone.php [151.139.128.10]
hxxps://demo3.cloudwp[.]dev/trial-33z1wwyt/wp-content/plugins/sal/sms.php [151.139.128.10]
hxxps://demo3.cloudwp[.]dev/trial-831z4tzu/wp-content/plugins/sa/loading.php?id=1 [151.139.128.10]
hxxps://demo3.cloudwp[.]dev/trial-831z4tzu/wp-content/plugins/sa/?utm_medium=marketing&_branch_referrer=H4sIAAAAAAAAA8soKSkottLXT05MTMysSNRLLCjQy8nMy9Z3BnGdEvOyAV4e4roiAAAA&_branch_match_id=1112279138968836057 [151.139.128.10]
hxxps://demo3.cloudwp[.]dev/trial-831z4tzu/wp-content/plugins/sa/phone.php [151.139.128.10]
hxxp://demo3.cloudwp[.]dev/trial-831z4tzu/wp-content/plugins/sa/?_branch_match_id=1030816195158739595&utm_medium=marketing&_branch_referrer=H4sIAAAAAAAAA8soKSkottLXT05MTMysSNRLLCjQy8nMy9Z3BnGdEvOyAV4e4roiAAAA [151.139.128.10]
hxxps://demo3.cloudwp[.]dev/trial-0615445y/wp-content/plugins/sal/ [151.139.128.10]
hxxp://demo3.cloudwp[.]dev/trial-0615445y/wp-content/plugins/sal/ [151.139.128.10]
hxxps://demo3.cloudwp[.]dev/trial-0615445y/wp-content/plugins/sal/loading.php?id=1 [151.139.128.10]Thank you, we are still seeing these URLs as active and the abuse form is not working. Can you escalate their removal? Full list can be found here: https://incident.netcraft.com/71ad31632950/
Kind regards,
Netcraft.Thanks for the list Netcraft Reporter. I’ll get these over to our webmasters asap. We’re also working to restore functionality to the abuse form. We apologize for the inconvenience.
Hi there,
Can you provide an update on this case?
We are still seeing a large amount of active URLs.
Kind regards,
Netcraft.Hi Netcraft,
I finally heard back from our webmasters on this matter. I was informed that the https://demo3.cloudwp.dev/ is now managed by InMotion Hosting.
You should report your case using the following links for direct correspondence:
https://central.inmotionhosting.com/wordpress/
https://www.inmotionhosting.com/legal/general-notice/I hope this helps.
- The topic ‘Phishing incident on BoldGrid CloudWP’ is closed to new replies.
