Return-Path: <takedown-response+12141695@netcraft.com>
Delivered-To: info@keylisting.net
Received: from server7.highhosters.com
	by server7.highhosters.com with LMTP
	id 4I5fLFXkhV8vnSkAhhqhxw
	(envelope-from <takedown-response+12141695@netcraft.com>)
	for <info@keylisting.net>; Tue, 13 Oct 2020 19:31:01 +0200
Return-path: <takedown-response+12141695@netcraft.com>
Envelope-to: info@keylisting.net
Delivery-date: Tue, 13 Oct 2020 19:31:01 +0200
Received: from mail2.netcraft.com ([52.31.138.216]:48608)
	by server7.highhosters.com with esmtps  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.93)
	(envelope-from <takedown-response+12141695@netcraft.com>)
	id 1kSO8Z-00BSjG-V6
	for info@keylisting.net; Tue, 13 Oct 2020 19:31:01 +0200
Received: from barbel.netcraft.com (ip-10-8-0-252.eu-west-1.compute.internal [10.8.0.252])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mail2.netcraft.com (Postfix) with ESMTPS id 885243AF937
	for <info@keylisting.net>; Tue, 13 Oct 2020 18:30:19 +0100 (BST)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail2.netcraft.com 885243AF937
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=netcraft.com;
	s=default; t=1602610219;
	bh=i1wxzmtlvG95AOriKJDYolBoxZ5jNSdjuNoZaIXT6eU=;
	h=Date:From:Subject:To:From;
	b=kT9tE7lVeBBF1C1k27TUF+wtEuJWmc56ZjkJIpJ4f1M8awOO9HyVhsgjLNh1ld2EV
	 UvUCZE2ohp0S+gl8Yhoamh1dOC7dfJaWPTpxAXMoIkftd5AvLhl0ekXyqI+WFQ8r7c
	 RvBV9p12YV3yQHwY43mizNzeBLir4H9cdIiJ15SE=
Received: by barbel.netcraft.com (Postfix, from userid 507)
	id 863563158C6; Tue, 13 Oct 2020 18:30:19 +0100 (BST)
Content-Transfer-Encoding: 7bit
Content-Type: multipart/mixed; boundary="_----------=_160261021918985137"
MIME-Version: 1.0
Date: Tue, 13 Oct 2020 18:30:19 +0100
From: Netcraft Takedown Service <takedown-response+12141695@netcraft.com>
Subject: Re: Issue 12141695: phishing attack at hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/26408ffa703a72e8ac0117e74ad46f33/signin.php?country=IN-India&lang=en
To: info@keylisting.net
Message-Id: <f73afec418f45713ab1e403f44b0bf20@takedown.netcraft.com>
Auto-Submitted: auto-generated
X-Xarf: PLAIN
X-Arf: yes
X-Mailer: MIME::Lite 3.030 (F2.84; T1.38; A2.18; B3.13; Q3.13)
X-Spam-Status: No, score=-0.2
X-Spam-Score: -1
X-Spam-Bar: /
X-Ham-Report: Spam detection software, running on the system "server7.highhosters.com",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 root\@localhost for details.
 Content preview:  Hallo, Sie hosten zur Zeit einen Phishing-Angriff: hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/d5a28f81834b6df2b6db6d3e5e2635c7/
    [144.91.73.250] hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/05a70454516e
    [...] 
 Content analysis details:   (-0.2 points, 5.0 required)
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was
                             blocked.  See
                             http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                              for more information.
                             [URIs: xarf.org]
 -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 -0.0 SPF_PASS               SPF: sender matches SPF record
 -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
                             author's domain
 -0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from
                             envelope-from domain
  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                             valid
X-Spam-Flag: NO

This is a multi-part message in MIME format.

--_----------=_160261021918985137
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="UTF-8"

Hallo,

Sie hosten zur Zeit einen Phishing-Angriff:

hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/d5a28f81834b6df2b6db6d3e5e2635c7/ [144.91.73.250]
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/05a70454516ecd9194c293b0e415777f/ [144.91.73.250]
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/654516d1b4df6917094de807156adc14/ [144.91.73.250]
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/05a70454516ecd9194c293b0e415777f/signin.php?country=US-United%20States&lang=en [144.91.73.250]
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/647c722bf90a49140184672e0d3723e3 [144.91.73.250]
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/26408ffa703a72e8ac0117e74ad46f33 [144.91.73.250]
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/d5a28f81834b6df2b6db6d3e5e2635c7/signin.php [144.91.73.250]
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/8d9766a69b764fefc12f56739424d136 [144.91.73.250]
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/654516d1b4df6917094de807156adc14/signin.php?country=IN-India&lang=en [144.91.73.250]
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/ [144.91.73.250]
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/8d9766a69b764fefc12f56739424d136/signin.php?country=GB-United%20Kingdom&lang=en [144.91.73.250]
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/78efce208a5242729d222e7e6e3e565e [144.91.73.250]
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/647c722bf90a49140184672e0d3723e3/signin.php?country=CA-Canada&lang=en [144.91.73.250]
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/78efce208a5242729d222e7e6e3e565e/signin.php [144.91.73.250]
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/26408ffa703a72e8ac0117e74ad46f33/signin.php?country=IN-India&lang=en [144.91.73.250]

Dieser Angriff nutzt IP-Adress-Beschränkungen, um einige Benutzer (etwa Strafverfolgungsbehörden und Webhoster) daran zu hindern, die Seite sehen zu können. Wenn die Seite offline erscheint, versuchen Sie es bitte mit einem Proxy und/oder überprüfen Sie, ob die Dateien auf dem Server sind, bevor Sie davon ausgehen, dass die Seite tatsächlich offline genommen wurde.
Wir haben Sie zuvor wegen dieses Problems unter 2020-10-13 16:34:03 (UTC) kontaktiert.
Seit unserer letzten Benachrichtigung wurden die folgenden zusätzlichen URL(s) erkannt:

hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/05a70454516ecd9194c293b0e415777f/
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/05a70454516ecd9194c293b0e415777f/signin.php?country=US-United%20States&lang=en
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/26408ffa703a72e8ac0117e74ad46f33
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/647c722bf90a49140184672e0d3723e3
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/647c722bf90a49140184672e0d3723e3/signin.php?country=CA-Canada&lang=en
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/654516d1b4df6917094de807156adc14/
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/654516d1b4df6917094de807156adc14/signin.php?country=IN-India&lang=en
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/78efce208a5242729d222e7e6e3e565e
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/78efce208a5242729d222e7e6e3e565e/signin.php
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/8d9766a69b764fefc12f56739424d136
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/8d9766a69b764fefc12f56739424d136/signin.php?country=GB-United%20Kingdom&lang=en
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/d5a28f81834b6df2b6db6d3e5e2635c7/
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/d5a28f81834b6df2b6db6d3e5e2635c7/signin.php

Wir möchten Sie darauf hinweisen, dass, auch wenn Sie bisher nichts von diesem Angriff gewusst haben, es dennoch in Ihrer Verantwortung liegt, diesen Inhalt so schnell wie möglich zu entfernen.

Dieser Angriff zielt auf einen unserer Kunden, Netflix, ab. Die echte Website unseres Kunden ist auf https://www.netflix.com/ zu finden.

Bitte löschen Sie diesen und jeden damit verbundenen betrügerischen Inhalt so bald wie möglich.

Darüber hinaus senden Sie bitte eine E-Mail mit dem betrügerischen Inhalt an records@netflix.com, damit unser Kunde und die Strafverfolgungsbehörden diesen Vorfall weiter untersuchen können.

Weitere Informationen finden Sie unter https://incident.netcraft.com/f981432fa50e/

Mit freundlichen Grüßen,

Netcraft

Phone: +44(0)1225 447500
Fax: +44(0)1225 448600
Netcraft Issue Number: 12141695

Um Aktualisierungen über diesen Angriff zu erhalten, antworten Sie bitte auf diese E-Mail. Bitte beachten Sie: Antworten auf diese Adresse werden zwar protokolliert, aber nicht immer gelesen. Wenn Sie mehr Unterstützung benötigen, oder glauben, Sie haben diese E-Mail irrtümlich erhalten, kontaktieren Sie bitte: takedown@netcraft.com.

Diese E-Mail kann mit X-ARF-Tools geparsed werden. Weitere Informationen über X-ARF-Tools finden Sie unter http://www.xarf.org/
-------------------
Hello,

We have discovered a phishing attack located on your network:

hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/d5a28f81834b6df2b6db6d3e5e2635c7/ [144.91.73.250]
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/05a70454516ecd9194c293b0e415777f/ [144.91.73.250]
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/654516d1b4df6917094de807156adc14/ [144.91.73.250]
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/05a70454516ecd9194c293b0e415777f/signin.php?country=US-United%20States&lang=en [144.91.73.250]
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/647c722bf90a49140184672e0d3723e3 [144.91.73.250]
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/26408ffa703a72e8ac0117e74ad46f33 [144.91.73.250]
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/d5a28f81834b6df2b6db6d3e5e2635c7/signin.php [144.91.73.250]
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/8d9766a69b764fefc12f56739424d136 [144.91.73.250]
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/654516d1b4df6917094de807156adc14/signin.php?country=IN-India&lang=en [144.91.73.250]
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/ [144.91.73.250]
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/8d9766a69b764fefc12f56739424d136/signin.php?country=GB-United%20Kingdom&lang=en [144.91.73.250]
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/78efce208a5242729d222e7e6e3e565e [144.91.73.250]
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/647c722bf90a49140184672e0d3723e3/signin.php?country=CA-Canada&lang=en [144.91.73.250]
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/78efce208a5242729d222e7e6e3e565e/signin.php [144.91.73.250]
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/26408ffa703a72e8ac0117e74ad46f33/signin.php?country=IN-India&lang=en [144.91.73.250]

This attack is using IP address restrictions to prevent some users, such as law enforcement agencies and hosting companies, from seeing the attack. If the attack appears to be offline, please try to view the attack using a proxy and/or see if the files are physically on the server before assuming the attack has been taken offline.
We previously contacted you about this issue on 2020-10-13 16:34:03 (UTC).
Since our last notification, the following additional URL(s) have been detected:

hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/05a70454516ecd9194c293b0e415777f/
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/05a70454516ecd9194c293b0e415777f/signin.php?country=US-United%20States&lang=en
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/26408ffa703a72e8ac0117e74ad46f33
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/647c722bf90a49140184672e0d3723e3
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/647c722bf90a49140184672e0d3723e3/signin.php?country=CA-Canada&lang=en
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/654516d1b4df6917094de807156adc14/
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/654516d1b4df6917094de807156adc14/signin.php?country=IN-India&lang=en
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/78efce208a5242729d222e7e6e3e565e
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/78efce208a5242729d222e7e6e3e565e/signin.php
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/8d9766a69b764fefc12f56739424d136
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/8d9766a69b764fefc12f56739424d136/signin.php?country=GB-United%20Kingdom&lang=en
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/d5a28f81834b6df2b6db6d3e5e2635c7/
hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/d5a28f81834b6df2b6db6d3e5e2635c7/signin.php

You may not have been aware of this attack, however, you are still responsible for removing it.

This attack targets our customer, Netflix, website URL https://www.netflix.com/.

Please remove this fraudulent content, and any other associated fraudulent content, as soon as possible.

Additionally, please send any files associated with the fraudulent content to records@netflix.com so that our customer and law enforcement agencies can investigate the incident further.

More information about the detected issue is provided at https://incident.netcraft.com/f981432fa50e/

Kind regards,

Netcraft

Phone: +44(0)1225 447500
Fax: +44(0)1225 448600
Netcraft Issue Number: 12141695

To contact us about updates regarding this attack, please respond to this email. Please note: replies to this address will be logged, but aren't always read. If you believe you have received this email in error, or you require further support, please contact: takedown@netcraft.com.

This mail can be parsed with x-arf tools. Visit http://www.xarf.org/ for more information about x-arf.
--_----------=_160261021918985137
Content-Disposition: attachment; filename="report.txt"
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=utf-8; name="report.txt"; name="report.txt"

---
Attachment: none
Category: fraud
Date: 2020-10-13T17:06:39+00:00
Domain: keylisting.net
Port: 443
Report-ID: takedown-response+12141695@netcraft.com
Report-Type: phishing
Reported-From: takedown@netcraft.com
Schema-URL: http://www.xarf.org/schema/fraud_0.1.4.json
Service: https
Source: https://keylisting.net/account/netlfx/com/Login/Moncompte/Paiement/26408ffa703a72e8ac0117e74ad46f33/signin.php?country=IN-India&lang=en
Source-Type: uri
User-Agent: Netcraft Takedown

--_----------=_160261021918985137--

