Return-Path: <takedown-response+12141695@netcraft.com>
Delivered-To: keylisti@server7.highhosters.com
Received: from server7.highhosters.com
	by server7.highhosters.com with LMTP
	id cSFNI+HYhV/ZJSkAhhqhxw
	(envelope-from <takedown-response+12141695@netcraft.com>)
	for <keylisti@server7.highhosters.com>; Tue, 13 Oct 2020 18:42:09 +0200
Return-path: <takedown-response+12141695@netcraft.com>
Envelope-to: webmaster@keylisting.net
Delivery-date: Tue, 13 Oct 2020 18:42:09 +0200
Received: from mail2.netcraft.com ([52.31.138.216]:35073)
	by server7.highhosters.com with esmtps  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.93)
	(envelope-from <takedown-response+12141695@netcraft.com>)
	id 1kSNNH-00BJTS-P3
	for webmaster@keylisting.net; Tue, 13 Oct 2020 18:42:09 +0200
Received: from barbel.netcraft.com (ip-10-8-0-252.eu-west-1.compute.internal [10.8.0.252])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mail2.netcraft.com (Postfix) with ESMTPS id 2A0DA3440B8
	for <webmaster@keylisting.net>; Tue, 13 Oct 2020 17:34:03 +0100 (BST)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail2.netcraft.com 2A0DA3440B8
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=netcraft.com;
	s=default; t=1602606843;
	bh=Kilgcy6eMWOSFbMFjvOErg+kl/VVI4sOOqTloQCdIXc=;
	h=Date:From:Subject:To:From;
	b=vhATDvfuOwX95MplknY47EJl6/SoA0tJD0Ycl9ru1hYIqzUAF3tY+xeWwUpWYanS6
	 VNXYTEWdTVq2MVouylBN3KvjjHuwc5Oe6dISJ42CEhTwnW8rqqDnFPNYdfTvWyp46Z
	 +5tT7F71/++jt96LAoAH64fjRqTl3+rqNNAv/Brw=
Received: by barbel.netcraft.com (Postfix, from userid 507)
	id 27B2A321D00; Tue, 13 Oct 2020 17:34:03 +0100 (BST)
Content-Transfer-Encoding: 7bit
Content-Type: multipart/mixed; boundary="_----------=_160260684325128222"
MIME-Version: 1.0
Date: Tue, 13 Oct 2020 17:34:03 +0100
From: Netcraft Takedown Service <takedown-response+12141695@netcraft.com>
Subject: Issue 12141695: phishing attack at hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/26408ffa703a72e8ac0117e74ad46f33/signin.php?country=IN-India&lang=en
To: webmaster@keylisting.net
Message-Id: <db64e1f4733642abd5718405e8968699@takedown.netcraft.com>
Auto-Submitted: auto-generated
X-Xarf: PLAIN
X-Arf: yes
X-Mailer: MIME::Lite 3.030 (F2.84; T1.38; A2.18; B3.13; Q3.13)
X-Spam-Status: No, score=-0.2
X-Spam-Score: -1
X-Spam-Bar: /
X-Ham-Report: Spam detection software, running on the system "server7.highhosters.com",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 root\@localhost for details.
 Content preview:  Hallo, Sie hosten zur Zeit einen Phishing-Angriff: hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/26408ffa703a72e8ac0117e74ad46f33/signin.php?country=IN-India&lang=en
    [144.91.73.250] 
 Content analysis details:   (-0.2 points, 5.0 required)
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was
                             blocked.  See
                             http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                              for more information.
                             [URIs: netcraft.com]
 -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 -0.0 SPF_PASS               SPF: sender matches SPF record
 -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
                             author's domain
 -0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from
                             envelope-from domain
  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                             valid
X-Spam-Flag: NO

This is a multi-part message in MIME format.

--_----------=_160260684325128222
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="UTF-8"

Hallo,

Sie hosten zur Zeit einen Phishing-Angriff:

hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/26408ffa703a72e8ac0117e74ad46f33/signin.php?country=IN-India&lang=en [144.91.73.250]

Wir möchten Sie darauf hinweisen, dass, auch wenn Sie bisher nichts von diesem Angriff gewusst haben, es dennoch in Ihrer Verantwortung liegt, diesen Inhalt so schnell wie möglich zu entfernen.

Dieser Angriff zielt auf einen unserer Kunden, Netflix, ab. Die echte Website unseres Kunden ist auf https://www.netflix.com/ zu finden.

Bitte löschen Sie diesen und jeden damit verbundenen betrügerischen Inhalt so bald wie möglich.

Darüber hinaus senden Sie bitte eine E-Mail mit dem betrügerischen Inhalt an records@netflix.com, damit unser Kunde und die Strafverfolgungsbehörden diesen Vorfall weiter untersuchen können.

Weitere Informationen finden Sie unter https://incident.netcraft.com/f981432fa50e/

Mit freundlichen Grüßen,

Netcraft

Phone: +44(0)1225 447500
Fax: +44(0)1225 448600
Netcraft Issue Number: 12141695

Um Aktualisierungen über diesen Angriff zu erhalten, antworten Sie bitte auf diese E-Mail. Bitte beachten Sie: Antworten auf diese Adresse werden zwar protokolliert, aber nicht immer gelesen. Wenn Sie mehr Unterstützung benötigen, oder glauben, Sie haben diese E-Mail irrtümlich erhalten, kontaktieren Sie bitte: takedown@netcraft.com.

Diese E-Mail kann mit X-ARF-Tools geparsed werden. Weitere Informationen über X-ARF-Tools finden Sie unter http://www.xarf.org/
-------------------
Hello,

We have discovered a phishing attack located on your network:

hxxps://keylisting[.]net/account/netlfx/com/Login/Moncompte/Paiement/26408ffa703a72e8ac0117e74ad46f33/signin.php?country=IN-India&lang=en [144.91.73.250]

You may not have been aware of this attack, however, you are still responsible for removing it.

This attack targets our customer, Netflix, website URL https://www.netflix.com/.

Please remove this fraudulent content, and any other associated fraudulent content, as soon as possible.

Additionally, please send any files associated with the fraudulent content to records@netflix.com so that our customer and law enforcement agencies can investigate the incident further.

More information about the detected issue is provided at https://incident.netcraft.com/f981432fa50e/

Kind regards,

Netcraft

Phone: +44(0)1225 447500
Fax: +44(0)1225 448600
Netcraft Issue Number: 12141695

To contact us about updates regarding this attack, please respond to this email. Please note: replies to this address will be logged, but aren't always read. If you believe you have received this email in error, or you require further support, please contact: takedown@netcraft.com.

This mail can be parsed with x-arf tools. Visit http://www.xarf.org/ for more information about x-arf.
--_----------=_160260684325128222
Content-Disposition: attachment; filename="report.txt"
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=utf-8; name="report.txt"; name="report.txt"

---
Attachment: none
Category: fraud
Date: 2020-10-13T16:33:36+00:00
Domain: keylisting.net
Port: 443
Report-ID: takedown-response+12141695@netcraft.com
Report-Type: phishing
Reported-From: takedown@netcraft.com
Schema-URL: http://www.xarf.org/schema/fraud_0.1.4.json
Service: https
Source: https://keylisting.net/account/netlfx/com/Login/Moncompte/Paiement/26408ffa703a72e8ac0117e74ad46f33/signin.php?country=IN-India&lang=en
Source-Type: uri
User-Agent: Netcraft Takedown

--_----------=_160260684325128222--

