I wrote a while back (July, August and then again in September) about the Alliance and Leicester botnet, which served to scam the unwitting out of their banking information. Then of course, there was the MSN phishing from the Sun Network range, which later spilled onto a botnet when Jonathan and I kept getting them shut down.
Now it seems both the Alliance and Leicester and the MSN phishing scams could have been from the same source. Research, with the help of fellow researcher G7w (found on the Web of Trust forums), has shown that another fairly new domain involved in MSN phishing has ties both to a botnet and to the Alliance and Leicester botnet, courtesy of historical records from Robtex (here and here).
I'm still hunting out all of the IPs involved, but the domains referenced at Robtex, not all of which still resolve, are:
hpObserver results for those still resolving can be found at:
The owner of hahahohoserver.com, "liu wenge" (Domain Tools shows this name to be associated with 191 domains), appears to have ties to fake meds, though it should of course be noted that this could simply be a common name in China. One thing that is clear is that the registrants of these phishing domains have ties to the Alliance and Leicester botnet, and as such, a close watch is going to be required for anything new that pops up.
There is of course one other domain involved here, the-jheenga-dns.com. This domain was created November 25th, and its WhoIs record: