Michael Jackson Phishing Scam, featuring Comodo

Be on the lookout folks. Not only are the malthors using Michaels name to infect the living hell out of you, but it also seems, they're using his name to try and scam as much money as possible out of you. The bad guys in this case, are Digital Target Marketing (digitaltargetmarketing.com - 67.192.83.139), who are responsible for my receiving this;

memorabilia of Michael Jackson

Remember the king of pop with this limited lithograph <http://rdfpl.deckbond.com/djpzw/rkhdvbpf/>

Please Load Images <http://rdfpl.deckbond.com/djpzw/rkhdvbpf/>

________________________________

Please Load Images <http://ndfw.deckbond.com/lsrp/zwrkhsc/bpk/>

Which of course, leads you through;

http://rdfpl.deckbond.com/djpzw/rkhdvbpf/
http://www.online-processingcenter.com/MTAyNjh8MjYzN3wzNjgwNjh8djI=/r?a=2xactuk-071509%7E%7E450%7E%7Etest%7E%7E&p=2637&t=1
https://www.dpbird.com/click.track?CID=101881&AFID=55971&ADID=211389&SID=1227733787
https://www.freemjlitho.com/?mid=581614&a=55971&s=1227733787

You can see the Comodo certificate for freemjlitho.com both in the screenshot top left, and here

Which serves up:



Fill in your details here, and you're taken to:



Say yes to this, and you're taken to:



You get the idea ........ once they're finished trying to get you to buy everything and anything, you finally reach the payment confirmation page. Oh and don't worry, they know you won't change your mind, which is why there's no "Yes, I really am sure I want you to help yourself to my credit card funds!" option.

Registrant:
Telebrands Corp.
79 Two Bridges Road
Fairfield, New Jersey 07004
United States

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: FREEMJLITHO.COM
Created on: 10-Jul-09
Expires on: 10-Jul-10
Last Updated on: 10-Jul-09

Administrative Contact:
Corp., Telebrands ekrueger@telebrands.com
79 Two Bridges Road
Fairfield, New Jersey 07004
United States
(973) 244-5521 Fax --

Technical Contact:
Corp., Telebrands ekrueger@telebrands.com
79 Two Bridges Road
Fairfield, New Jersey 07004
United States
(973) 244-5521 Fax --

Domain servers in listed order:
NS.RACKSPACE.COM
NS2.RACKSPACE.COM

WhoIs server: whois.godaddy.com

But wait, we're not done quite yet. If we go back and load the deckbond.com root (vURL Results), we see a link that takes us to a URL on bestwhole.com, which eventually leads us to;

https://secure.subscriptionmarketinginc.com/wealthtools/new_offer4/index.php?sub=669&sub1=1227755047&sub2=

And yeppers folks, this is another phishing scam.



Domains involved:

deckbond.com - 209.51.140.94
rdfpl.deckbond.com - 209.51.140.94
ndfw.deckbond.com - 209.51.140.94
online-processingcenter.com - 209.90.119.12
dpbird.com - 67.208.135.148
freemjlitho.com - 72.3.187.150
bestwhole.com - 209.90.119.51 (Previously at: 72.32.107.97 - AmcoreRewards.com)
subscriptionmarketinginc.com - 69.93.15.212
secure.subscriptionmarketinginc.com - 69.93.15.212
digitaltargetmarketing.com - 67.192.83.139

I'm actually rather disappointed with this particular one, not just because they're using Michaels name to try and scam vulnerable fans, but also because, as a fan myself, I'd have loved a copy of the stuff they're "selling". Bleedin figures.