
www.nagsheadwycombe.com - another Zenith Bank Scam website

Published: Tuesday, 04 November 2014

Hey guys, beware of: http://nagsheadwycombe.com

Here are some screenshots:

1) The Original Email

[Screenshot: zen1]

2) Email analysis:

a) This link (http://zenithbank.com/Security/Upgrade/confirm.php) in the original email redirected to http://www.cambridgetonight.com/verify.acc.php, a blank white page.

Then, from http://www.cambridgetonight.com/verify.acc.php, it redirected to http://nagsheadwycombe.com/zennn/zenn/zen/ze/1/index.html

b) Email's full header:

From [email address hidden by site] Mon Nov 3 17:48:00 2014
X-Apparently-To: [my email address was here] Mon, 03 Nov 2014 17:46:45 +0000
Return-Path: <[email address hidden by site]>
Received-SPF: permerror (encountered permanent error during SPF processing of domain of zenithbank.com)
X-Originating-IP: [70.43.63.22]
Authentication-Results: mta1694.mail.gq1.yahoo.com from=zenithbank.com; domainkeys=neutral (no sig); from=zenithbank.com; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO smtp04.atlngahp.sys.nuvox.net) (70.43.63.22)
by mta1694.mail.gq1.yahoo.com with SMTPS; Mon, 03 Nov 2014 17:46:43 +0000
Received: from KMS-ES02.KNAMS.local (70.43.24.66.nw.nuvox.net [70.43.24.66])
by smtp04.atlngahp.sys.nuvox.net (8.13.1/8.13.1) with ESMTP id sA3GN5UV005449
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
Mon, 3 Nov 2014 12:46:36 -0500
Message-Id: <[value hidden by site]>
Content-Type: multipart/alternative; boundary="===============0867293096=="
MIME-Version: 1.0
Subject: Validate Your Account Now!!
To: Recipients <[email address hidden by site]>
From: "[email address hidden by site]" <[email address hidden by site]>
Date: Mon, 03 Nov 2014 11:48:00 -0600
Content-Length: 4754
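
An added example, not part of the original post: a short Python triage of the authentication-related headers quoted above. The sample is constructed from those header lines (hidden addresses left out, continuation lines indented); the function name `triage` and the result keys are assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed sample: authentication-related headers copied from the dump above,
# hidden addresses left out, continuation lines indented so they parse as folds.
SAMPLE = """\
Received-SPF: permerror (encountered permanent error during SPF processing of domain of zenithbank.com)
Authentication-Results: mta1694.mail.gq1.yahoo.com from=zenithbank.com; domainkeys=neutral (no sig); from=zenithbank.com; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO smtp04.atlngahp.sys.nuvox.net) (70.43.63.22)
 by mta1694.mail.gq1.yahoo.com with SMTPS; Mon, 03 Nov 2014 17:46:43 +0000
Received: from KMS-ES02.KNAMS.local (70.43.24.66.nw.nuvox.net [70.43.24.66])
 by smtp04.atlngahp.sys.nuvox.net (8.13.1/8.13.1) with ESMTP id sA3GN5UV005449
 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
 Mon, 3 Nov 2014 12:46:36 -0500
Subject: Validate Your Account Now!!

"""

def triage(raw_headers):
    """Summarise what the receiving MTA recorded about sender authentication."""
    msg = message_from_string(raw_headers)
    auth = msg.get("Authentication-Results", "")
    # Domain the message claims to come from, as seen by the receiving MTA.
    m = re.search(r"\bfrom=([\w.-]+)", auth)
    claimed = m.group(1).lower() if m else None
    # First token of Received-SPF is the result (pass, fail, permerror, ...).
    spf = (msg.get("Received-SPF", "").split() or ["none"])[0].lower()
    m = re.search(r"\bdkim=(\w+)", auth)
    dkim = m.group(1).lower() if m else "none"
    # The topmost Received line is written by the recipient's own server, so
    # the host it names is the one that actually handed the mail over.
    hops = msg.get_all("Received", [])
    m = re.search(r"\(EHLO\s+([\w.-]+)\)", hops[0]) if hops else None
    relay = m.group(1).lower() if m else None
    in_domain = bool(relay and claimed and
                     (relay == claimed or relay.endswith("." + claimed)))
    return {
        "claimed_domain": claimed, "spf": spf, "dkim": dkim, "relay": relay,
        "relay_in_claimed_domain": in_domain,
        # Neither mechanism vouched for the claimed domain.
        "unauthenticated": spf != "pass" and dkim != "pass",
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

A relay outside the claimed domain is weak evidence on its own, since many legitimate senders use third-party relays; it carries weight here because neither SPF nor DKIM returned a pass for zenithbank.com.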


3) Screenshots of the scam site

[Screenshot: zen2]

[Screenshot: zen31]

None of the links in the lower columns work; they show a 404 error page. The only part of the site that works is the Internet Banking dropdown (corporate and individual) at the top. Here are the screenshots:

[Screenshot: zen3]

[Screenshot: zen4]

4) Domain ownership details: http://nagsheadwycombe.com/

Address lookup
canonical name nagsheadwycombe.com.
aliases
addresses 192.190.80.53
Domain Whois record

Queried whois.internic.net with "dom nagsheadwycombe.com"...

Domain Name: NAGSHEADWYCOMBE.COM
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: NS1.FRESHWEBSERVER.COM
Name Server: NS2.FRESHWEBSERVER.COM
Status: clientTransferProhibited
Updated Date: 21-jul-2014
Creation Date: 19-jul-2014
Expiration Date: 19-jul-2015

>>> Last update of whois database: Tue, 04 Nov 2014 10:24:21 GMT <<<

Queried whois.enom.com with "nagsheadwycombe.com"...

Domain Name: NAGSHEADWYCOMBE.COM
Registry Domain ID: 1867510682_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.enom.com
Registrar URL: www.enom.com
Updated Date: 2014-07-18 21:03:18Z
Creation Date: 2014-07-19 04:03:00Z
Registrar Registration Expiration Date: 2015-07-19 04:03:00Z
Registrar: ENOM, INC.
Registrar IANA ID: 48
Registrar Abuse Contact Email: [email address hidden by site]
Registrar Abuse Contact Phone: +1.4252982646
Reseller: NAMECHEAP.COM
Domain Status: clientTransferProhibited
Registry Registrant ID:
Registrant Name: WHOISGUARD PROTECTED
Registrant Organization: WHOISGUARD, INC.
Registrant Street: P.O. BOX 0823-03411
Registrant City: PANAMA
Registrant State/Province: PANAMA
Registrant Postal Code: 00000
Registrant Country: PA
Registrant Phone: +507.8365503
Registrant Phone Ext:
Registrant Fax: +51.17057182
Registrant Fax Ext:
Registrant Email: [email address hidden by site]
Registry Admin ID:
Admin Name: WHOISGUARD PROTECTED
Admin Organization: WHOISGUARD, INC.
Admin Street: P.O. BOX 0823-03411
Admin City: PANAMA
Admin State/Province: PANAMA
Admin Postal Code: 00000
Admin Country: PA
Admin Phone: +507.8365503
Admin Phone Ext:
Admin Fax: +51.17057182
Admin Fax Ext:
Admin Email: [email address hidden by site]
Registry Tech ID:
Tech Name: WHOISGUARD PROTECTED
Tech Organization: WHOISGUARD, INC.
Tech Street: P.O. BOX 0823-03411
Tech City: PANAMA
Tech State/Province: PANAMA
Tech Postal Code: 00000
Tech Country: PA
Tech Phone: +507.8365503
Tech Phone Ext:
Tech Fax: +51.17057182
Tech Fax Ext:
Tech Email: [email address hidden by site]
Name Server: NS1.FRESHWEBSERVER.COM
Name Server: NS2.FRESHWEBSERVER.COM
DNSSEC: unSigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
Last update of WHOIS database: 2014-07-18 21:03:18Z

Network Whois record

Queried whois.arin.net with "n 192.190.80.53"...

NetRange: 192.190.80.0 - 192.190.87.255
CIDR: 192.190.80.0/21
NetName: PRIVATE-8
NetHandle: NET-192-190-80-0-1
Parent: NET192 (NET-192-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: PrivateSystems Networks (KNOWN-1)
RegDate: 2013-03-07
Updated: 2013-03-07
Ref: http://whois.arin.net/rest/net/NET-192-190-80-0-1

OrgName: PrivateSystems Networks
OrgId: KNOWN-1
Address: 1379 Dilworthtown Crossing
Address: Suite 214
City: West Chester
StateProv: PA
PostalCode: 19382
Country: US
RegDate: 2008-01-04
Updated: 2012-07-27
Ref: http://whois.arin.net/rest/org/KNOWN-1

OrgNOCHandle: NOC2915-ARIN
OrgNOCName: Network Operations Center
OrgNOCPhone: +1-866-332-9894
OrgNOCEmail: [email address hidden by site]
OrgNOCRef: http://whois.arin.net/rest/poc/NOC2915-ARIN

OrgAbuseHandle: PNA44-ARIN
OrgAbuseName: PrivateSystems Networks Abuse
OrgAbusePhone: +1-866-332-9894
OrgAbuseEmail: [email address hidden by site]
OrgAbuseRef: http://whois.arin.net/rest/poc/PNA44-ARIN

OrgTechHandle: NOC2915-ARIN
OrgTechName: Network Operations Center
OrgTechPhone: +1-866-332-9894
OrgTechEmail: [email address hidden by site]
OrgTechRef: http://whois.arin.net/rest/poc/NOC2915-ARIN

5) Domain ownership details: http://cambridgetonight.com

Address lookup
canonical name cambridgetonight.com.
aliases
addresses 173.0.129.50
Domain Whois record

Queried whois.internic.net with "dom cambridgetonight.com"...

Domain Name: CAMBRIDGETONIGHT.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS3.URETOPIAHOSTING.NET
Name Server: NS4.URETOPIAHOSTING.NET
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 12-nov-2013
Creation Date: 11-nov-2004
Expiration Date: 11-nov-2014

>>> Last update of whois database: Tue, 04 Nov 2014 10:48:51 GMT <<<

Queried whois.godaddy.com with "cambridgetonight.com"...

Domain Name: CAMBRIDGETONIGHT.COM
Registry Domain ID: 134857300_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2013-11-12 08:03:53
Creation Date: 2004-11-11 17:54:30
Registrar Registration Expiration Date: 2014-11-11 17:54:30
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: [email address hidden by site]
Registrar Abuse Contact Phone: +1.480-624-2505
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Domain Status: clientRenewProhibited
Domain Status: clientDeleteProhibited
Registry Registrant ID:
Registrant Name: Rob Powell
Registrant Organization: Uretopia Ltd
Registrant Street: PO Box 173
Registrant City: Gravesend
Registrant State/Province: Kent
Registrant Postal Code: DA12 1LL
Registrant Country: United Kingdom
Registrant Phone: 2081333091
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: [email address hidden by site]
Registry Admin ID:
Admin Name: Rob Powell
Admin Organization: Uretopia Ltd
Admin Street: PO Box 173
Admin City: Gravesend
Admin State/Province: Kent
Admin Postal Code: DA12 1LL
Admin Country: United Kingdom
Admin Phone: 2081333091
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: [email address hidden by site]
Registry Tech ID:
Tech Name: Rob Powell
Tech Organization: Uretopia Ltd
Tech Street: PO Box 173
Tech City: Gravesend
Tech State/Province: Kent
Tech Postal Code: DA12 1LL
Tech Country: United Kingdom
Tech Phone: 2081333091
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: [email address hidden by site]
Name Server: NS4.URETOPIAHOSTING.NET
Name Server: NS3.URETOPIAHOSTING.NET
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
Last update of WHOIS database: 2014-11-04T10:00:00Z

Network Whois record

Queried whois.arin.net with "n ! NET-173-0-128-0-2"...

NetRange: 173.0.128.0 - 173.0.143.255
CIDR: 173.0.128.0/20
NetName: APYLI-AS
NetHandle: NET-173-0-128-0-2
Parent: APYLINC (NET-173-0-128-0-1)
NetType: Reallocated
OriginAS: AS53628
Organization: Apyl Inc (APYLI-1)
RegDate: 2010-11-04
Updated: 2010-11-04
Ref: http://whois.arin.net/rest/net/NET-173-0-128-0-2

OrgName: Apyl Inc
OrgId: APYLI-1
Address: 1517 E Hillcrest Street
City: Orlando
StateProv: FL
PostalCode: 32803
Country: US
RegDate: 2010-06-14
Updated: 2012-06-26
Ref: http://whois.arin.net/rest/org/APYLI-1

OrgNOCHandle: IPADM619-ARIN
OrgNOCName: IPADMIN
OrgNOCPhone: +1-254-235-9357
OrgNOCEmail: [email address hidden by site]
OrgNOCRef: http://whois.arin.net/rest/poc/IPADM619-ARIN

OrgAbuseHandle: NETWO3814-ARIN
OrgAbuseName: Network Abuse
OrgAbusePhone: +1-941-876-6175
OrgAbuseEmail: [email address hidden by site]
OrgAbuseRef: http://whois.arin.net/rest/poc/NETWO3814-ARIN

OrgTechHandle: IPADM619-ARIN
OrgTechName: IPADMIN
OrgTechPhone: +1-254-235-9357
OrgTechEmail: [email address hidden by site]
OrgTechRef: http://whois.arin.net/rest/poc/IPADM619-ARIN

RTechHandle: YASHK-ARIN
RTechName: Yash, Kumar
RTechPhone: +1-941-876-6175
RTechEmail: [email address hidden by site]
RTechRef: http://whois.arin.net/rest/poc/YASHK-ARIN

6) Root of http://nagsheadwycombe.com/

[Screenshot: zen6]
