Viewing 10 posts - 1 through 10 (of 10 total)
  • #75908
    Netcraft Reporter
    Guest

    Hello,

    We have discovered a phishing attack located on your network:

    hxxps://demo3.cloudwp[.]dev/trial-3850xw14/Oppdater/manage/id/index.php [151.139.128.10]
    hxxps://demo3.cloudwp[.]dev/trial-3850xw14/Oppdater/manage/wait/index.php [151.139.128.10]

    Please see the attached files for further evidence.

    This attack targets our customer, FINN, website URL http://www.finn.no/.

    Would it be possible to have the fraudulent content, and any other associated fraudulent content, taken down as soon as you are able to?

    Additionally, please keep the fraudulent content safe so that our customer and law enforcement agencies can investigate this incident further once the site is offline.

    More information about the detected issue is provided at https://incident.netcraft.com/230cbc356f1c/

    Many thanks,

    Netcraft

    Phone: +44(0)1225 447500
    Fax: +44(0)1225 448600
    Netcraft Issue Number: 38693070

    This mail can be parsed with x-arf tools. Visit http://www.xarf.org/ for more information about x-arf.

    #75924
    Brandon C
    Keymaster

    Hi Netcraft Reporter,

    We’re sorry to hear you’re dealing with this issue for our Cloud-Wp Services. We have an abuse hotline that you can reach out to report this concern and have it eradicated.

    After doing so we will reach back out to you directly with any updates. I hope this helps, please let us know if you have any other questions for us.

    Thank you

    #76021
    Netcraft Reporter
    Guest

    Hi there,

    That abuse form does not seem to allow submission of the form. Are you able to investigate?

    Also, I would like to bulk escalate several URLs that are being used for phishing, would this be possible?

    Kind regards,
    Netcraft.

    #76048
    Brandon C
    Keymaster

    Hello,

    We can definitely report this on your behalf, if you’re having trouble with the abuse hotline. Rest assured our team will handle this issue for you. You can enter all Cloud WordPress URLs you suspect into the thread and we will address them promptly.

    Thank you.

    #76292
    Netcraft
    Guest

    Thank you.

    Could you action this case?

    #76441
    Brandon C
    Keymaster

    Thank you NetCraft,

    I will submit these reported cases on your behalf.

    #77123
    Netcraft Reporter
    Guest

    Thank you, we are still seeing these URLs as active and the abuse form is not working. Can you escalate their removal? Full list can be found here: https://incident.netcraft.com/71ad31632950/

    Kind regards,
    Netcraft.

    #77135
    Brandon C
    Keymaster

    Thanks for the list Netcraft Reporter. I’ll get these over to our webmasters asap. We’re also working to restore functionality to the abuse form. We apologize for the inconvenience.

    #77924
    Netcraft Reporter
    Guest

    Hi there,

    Can you provide an update on this case?

    We are still seeing a large amount of active URLs.

    Kind regards,
    Netcraft.

    #77960
    Brandon C
    Keymaster

    Hi Netcraft,

    I finally heard back from our webmasters on this matter. I was informed that https://demo3.cloudwp.dev/ is now managed by InMotion Hosting.

    You should report your case using the following links for direct correspondence:
    https://central.inmotionhosting.com/wordpress/
    https://www.inmotionhosting.com/legal/general-notice/

    I hope this helps.

  • The topic ‘Phishing incident on BoldGrid CloudWP’ is closed to new replies.