Return-Path: <takedown-response+12141695@netcraft.com>
Delivered-To: info@keylisting.net
Received: from server7.highhosters.com
	by server7.highhosters.com with LMTP
	id cMokN8tUhl8ngC8Ahhqhxw
	(envelope-from <takedown-response+12141695@netcraft.com>)
	for <info@keylisting.net>; Wed, 14 Oct 2020 03:30:51 +0200
Return-path: <takedown-response+12141695@netcraft.com>
Envelope-to: info@keylisting.net
Delivery-date: Wed, 14 Oct 2020 03:30:51 +0200
Received: from mail2.netcraft.com ([52.31.138.216]:50812)
	by server7.highhosters.com with esmtps  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.93)
	(envelope-from <takedown-response+12141695@netcraft.com>)
	id 1kSVcv-00D66p-Bd
	for info@keylisting.net; Wed, 14 Oct 2020 03:30:51 +0200
Received: from barbel.netcraft.com (ip-10-8-0-252.eu-west-1.compute.internal [10.8.0.252])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mail2.netcraft.com (Postfix) with ESMTPS id 909EB3CF7CD
	for <info@keylisting.net>; Wed, 14 Oct 2020 02:30:08 +0100 (BST)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail2.netcraft.com 909EB3CF7CD
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=netcraft.com;
	s=default; t=1602639008;
	bh=yIef0kvVf0XrV8IOcKPL7NCf/+UF6GQ0iPG6Rg5HMn8=;
	h=Date:From:Subject:To:From;
	b=Xe5lbGZEuPvpX9qczQd9rQzp0acxHf9ReaqsgmN84EycsJ4MRQpBnMrrFcF3IpZZC
	 wFIT1otI4g2k8n6pSPGXxf4MhCXwJcg6lyr4UDZeZFR5HvVDrjlaDVxC4N5unoTro+
	 PP/VLf1cTMAOfhEUnjJY14skE+Ib4oNBgevDL1+8=
Received: by barbel.netcraft.com (Postfix, from userid 507)
	id 9040B319FC9; Wed, 14 Oct 2020 02:30:08 +0100 (BST)
Content-Transfer-Encoding: 7bit
Content-Type: multipart/mixed; boundary="_----------=_16026390082846880"
MIME-Version: 1.0
Date: Wed, 14 Oct 2020 02:30:08 +0100
From: Netcraft Takedown Service <takedown-response+12141695@netcraft.com>
Subject: Re: Issue 12141695: phishing attack at hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/26408ffa703a72e8ac0117e74ad46f33/signin.php?country=IN-India&lang=en
To: info@keylisting.net
Message-Id: <4069c0009737e9a0f6c661e018d9d6a9@takedown.netcraft.com>
Auto-Submitted: auto-generated
X-Xarf: PLAIN
X-Arf: yes
X-Mailer: MIME::Lite 3.030 (F2.84; T1.38; A2.18; B3.13; Q3.13)
X-Spam-Status: No, score=2.3
X-Spam-Score: 23
X-Spam-Bar: ++
X-Ham-Report: Spam detection software, running on the system "server7.highhosters.com",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 root\@localhost for details.
 Content preview:  Hallo, Sie hosten zur Zeit einen Phishing-Angriff: hxxp://keylisting[.]net/wp-includes/pomo/Y65950ID
    [144.91.73.250] hxxp://keylisting[.]net/wp-includes/pomo/Y65950ID/app/index
    [144.91.73.250] hxxp://keylisting[.]net/wp-includes/pomo/Y65950ID/app/logi
    [...] 
 Content analysis details:   (2.3 points, 5.0 required)
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was
                             blocked.  See
                             http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                              for more information.
                             [URIs: xarf.org]
  2.5 URIBL_DBL_ABUSE_PHISH  Contains an abused phishing URL listed in
                             the Spamhaus DBL blocklist
                             [URIs: keylisting.net]
 -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 -0.0 SPF_PASS               SPF: sender matches SPF record
 -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
                             author's domain
 -0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from
                             envelope-from domain
  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                             valid
X-Spam-Flag: NO

This is a multi-part message in MIME format.

--_----------=_16026390082846880
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="UTF-8"

Hallo,

Sie hosten zur Zeit einen Phishing-Angriff:

hxxp://keylisting[.]net/wp-includes/pomo/Y65950ID [144.91.73.250]
hxxp://keylisting[.]net/wp-includes/pomo/Y65950ID/app/index [144.91.73.250]
hxxp://keylisting[.]net/wp-includes/pomo/Y65950ID/app/login [144.91.73.250]
hxxps://keylisting[.]net/wp-includes/pomo/Y65950ID/ [144.91.73.250]
hxxps://keylisting[.]net/wp-includes/pomo/Y65950ID/app/login [144.91.73.250]

Dieser Angriff nutzt IP-Adress-Beschränkungen, um einige Benutzer (etwa Strafverfolgungsbehörden und Webhoster) daran zu hindern, die Seite sehen zu können. Wenn die Seite offline erscheint, versuchen Sie es bitte mit einem Proxy und/oder überprüfen Sie, ob die Dateien auf dem Server sind, bevor Sie davon ausgehen, dass die Seite tatsächlich offline genommen wurde.
Wir haben Sie zuvor wegen dieses Problems unter 2020-10-13 17:30:19 (UTC) kontaktiert.
Seit unserer letzten Benachrichtigung wurden die folgenden zusätzlichen URL(s) erkannt:

hxxp://keylisting[.]net/wp-includes/pomo/Y65950ID
hxxp://keylisting[.]net/wp-includes/pomo/Y65950ID/app/index
hxxp://keylisting[.]net/wp-includes/pomo/Y65950ID/app/login

Wir möchten Sie darauf hinweisen, dass, auch wenn Sie bisher nichts von diesem Angriff gewusst haben, es dennoch in Ihrer Verantwortung liegt, diesen Inhalt so schnell wie möglich zu entfernen.

Dieser Angriff zielt auf einen unserer Kunden, Netflix, ab. Die echte Website unseres Kunden ist auf https://www.netflix.com/ zu finden.

Bitte löschen Sie diesen und jeden damit verbundenen betrügerischen Inhalt so bald wie möglich.

Darüber hinaus senden Sie bitte eine E-Mail mit dem betrügerischen Inhalt an records@netflix.com, damit unser Kunde und die Strafverfolgungsbehörden diesen Vorfall weiter untersuchen können.

Weitere Informationen finden Sie unter https://incident.netcraft.com/edb1b2c5792b/

Mit freundlichen Grüßen,

Netcraft

Phone: +44(0)1225 447500
Fax: +44(0)1225 448600
Netcraft Issue Number: 12141695

Um Aktualisierungen über diesen Angriff zu erhalten, antworten Sie bitte auf diese E-Mail. Bitte beachten Sie: Antworten auf diese Adresse werden zwar protokolliert, aber nicht immer gelesen. Wenn Sie mehr Unterstützung benötigen, oder glauben, Sie haben diese E-Mail irrtümlich erhalten, kontaktieren Sie bitte: takedown@netcraft.com.

Diese E-Mail kann mit X-ARF-Tools geparsed werden. Weitere Informationen über X-ARF-Tools finden Sie unter http://www.xarf.org/
-------------------
Hello,

We have discovered a phishing attack located on your network:

hxxp://keylisting[.]net/wp-includes/pomo/Y65950ID [144.91.73.250]
hxxp://keylisting[.]net/wp-includes/pomo/Y65950ID/app/index [144.91.73.250]
hxxp://keylisting[.]net/wp-includes/pomo/Y65950ID/app/login [144.91.73.250]
hxxps://keylisting[.]net/wp-includes/pomo/Y65950ID/ [144.91.73.250]
hxxps://keylisting[.]net/wp-includes/pomo/Y65950ID/app/login [144.91.73.250]

This attack is using IP address restrictions to prevent some users, such as law enforcement agencies and hosting companies, from seeing the attack. If the attack appears to be offline, please try to view the attack using a proxy and/or see if the files are physically on the server before assuming the attack has been taken offline.
We previously contacted you about this issue on 2020-10-13 17:30:19 (UTC).
Since our last notification, the following additional URL(s) have been detected:

hxxp://keylisting[.]net/wp-includes/pomo/Y65950ID
hxxp://keylisting[.]net/wp-includes/pomo/Y65950ID/app/index
hxxp://keylisting[.]net/wp-includes/pomo/Y65950ID/app/login

You may not have been aware of this attack, however, you are still responsible for removing it.

This attack targets our customer, Netflix, website URL https://www.netflix.com/.

Please remove this fraudulent content, and any other associated fraudulent content, as soon as possible.

Additionally, please send any files associated with the fraudulent content to records@netflix.com so that our customer and law enforcement agencies can investigate the incident further.

More information about the detected issue is provided at https://incident.netcraft.com/edb1b2c5792b/

Kind regards,

Netcraft

Phone: +44(0)1225 447500
Fax: +44(0)1225 448600
Netcraft Issue Number: 12141695

To contact us about updates regarding this attack, please respond to this email. Please note: replies to this address will be logged, but aren't always read. If you believe you have received this email in error, or you require further support, please contact: takedown@netcraft.com.

This mail can be parsed with x-arf tools. Visit http://www.xarf.org/ for more information about x-arf.
--_----------=_16026390082846880
Content-Disposition: attachment; filename="report.txt"
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=utf-8; name="report.txt"; name="report.txt"

---
Attachment: none
Category: fraud
Date: 2020-10-13T23:07:41+00:00
Domain: keylisting.net
Port: 443
Report-ID: takedown-response+12141695@netcraft.com
Report-Type: phishing
Reported-From: takedown@netcraft.com
Schema-URL: http://www.xarf.org/schema/fraud_0.1.4.json
Service: https
Source: https://keylisting.net/account/netlfx/com/Login/Moncompte/Paiement/26408ffa703a72e8ac0117e74ad46f33/signin.php?country=IN-India&lang=en
Source-Type: uri
User-Agent: Netcraft Takedown

--_----------=_16026390082846880--

