I said I'd get back to this, and I am (finally). If you read the previous article concerning Eveloz, you'll already be familiar with the back story concerning them, so let's continue.
I've been monitoring Eveloz for quite some time now, as they've seemingly decided to be rather open about their provision of a haven for criminals, and things haven't stopped, changed or errr, well gotten anything but worse really.
The latest domain to surface on their network, is longsignups.net, which is serving as a middle man, for the fake AV crowd. The domain's registrar (Alantron BLTD, alantron.com) apparently doesn't want anyone accessing their WhoIs from anywhere except their own site, so although likely faked, the owner is listed as;
Domain name : longsignups.net
Administrator Contact: hidden
Technical Contact: hidden
Billing Contact : hidden
Creation date : 2010-01-08
Expiration date : 2011-01-08
Name Server : ns1.everydns.net
Name Server : ns2.everydns.net
Name : Alexander Kupalo
Address : ul.3-Proletarskaya d.201 kv.1 Slavyansk-na-Kubani Krasnodarskiy krai
Address : Russia 353560
Phone : +7.8612752650
Fax : +7.8612752650
Email : ion@fastermail.ru
Creation Date : 2010-01-08
Not surprisingly, "Alexander Kupalo" is tied to other domains, and other scams.
The domain is residing at 200.63.46.130, which you'll remember, also housed previous MITMs, such as;
protectcareone.net
roomafterhide.net
safetytripstyle.net
gosafezone.net
And yes, these are still active (the only one not actually redirecting at the time of writing, is roomafterhide.net, it is still resolving to the same IP however). At the time of writing, the redirection locations for the domains are;
URL: http://safetytripstyle.net/redirect/
-> http://goscandate.com/?data=MigHWF5yDVUgETFIU6Rtbzdd8x9KMFBwb01vAlh7UyVyUyOxpUHX3gPSaD4AMfk%3D
--> http://anticrimeware.jewil.info/?data=MigHWF5yDVUgETFIU6Rtbzdd8x9KMFBwb01vAlh7UyVyUyOxpUHX3gPSaD4AMfk%3D
HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 19:02:48 GMT
Server: Apache/2
Location: http://goscandate.com/?data=MigHWF5yDVUgETFIU6Rtbzdd8x9KMFBwb01vAlh7UyVyUyOxpUHX3gPSaD4AMfk%3D
Content-Type: text/html; charset=iso-8859-1
HTTP/1.1 302 Found
Server: nginx/0.8.28
Date: Tue, 06 Apr 2010 04:12:53 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.11
location: http://anticrimeware.jewil.info/?data=MigHWF5yDVUgETFIU6Rtbzdd8x9KMFBwb01vAlh7UyVyUyOxpUHX3gPSaD4AMfk%3D
HTTP/1.1 200 OK
Server: nginx/0.8.28
Date: Tue, 06 Apr 2010 04:12:53 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.11
Set-Cookie: PHPSESSID=74f4f86f3a65002399a5209d5f483c39; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
--------------------------------------------------------------------------------
URL: http://safetytripstyle.net/redirect2/
Can we have the URLs?:
-> http://getamazondiscount.com/?id=2004&k=6c00ebfb0&d=1
--> http://insight-scanner7.com/content1/axxt/ckmrtmtoou/ramxirviit.html
HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 19:02:48 GMT
Server: Apache/2
Location: http://getamazondiscount.com/?id=2004&k=6c00ebfb0&d=1
Content-Type: text/html; charset=iso-8859-1
HTTP/1.1 302 Found
Date: Tue, 06 Apr 2010 02:05:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Set-Cookie: go=1; expires=Wed, 07-Apr-2010 02:05:54 GMT
Location: http://insight-scanner7.com/content1/axxt/ckmrtmtoou/ramxirviit.html
Connection: close
Content-Type: text/html
HTTP/1.1 200 OK
Date: Tue, 06 Apr 2010 02:05:55 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Connection: close
Content-Type: text/html
--------------------------------------------------------------------------------
URL: http://safetytripstyle.net/redirect3/
Can we have the URLs?:
-> http://vimeotheroad.com/?mid=283&code=2a15a0&d=1
--> http://1b5f.win-protectionb1.com/a369e336b321/?gtyh=aXA9MjA0LjEwLjk5LSU1MXAwZD0yODMmdGltZT0xMjdpNjY2MjU0
HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 19:02:50 GMT
Server: Apache/2
Location: http://vimeotheroad.com/?mid=283&code=2a15a0&d=1
Content-Type: text/html; charset=iso-8859-1
HTTP/1.1 302 Found
Date: Tue, 06 Apr 2010 02:05:55 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Set-Cookie: red=1; expires=Wed, 07-Apr-2010 02:05:55 GMT
Location: http://1b5f.win-protectionb1.com/a369e336b321/?gtyh=aXA9MjA0LjEwLjk5LSU1MXAwZD0yODMmdGltZT0xMjdpNjY2MjU0
Connection: close
Content-Type: text/html
HTTP/1.1 200 OK
Date: Tue, 06 Apr 2010 02:05:56 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Connection: close
Content-Type: text/html
--------------------------------------------------------------------------------
URL: http://safetytripstyle.net/redirect4/
Can we have the URLs?:
-> http://188.124.5.138/main.php?land=20&affid=92800
HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 19:02:51 GMT
Server: Apache/2
Location: http://188.124.5.138/main.php?land=20&affid=92800
Content-Type: text/html; charset=iso-8859-1
HTTP/1.1 200 OK
X-Powered-By: PHP/5.3.2
Set-Cookie: PHPSESSID=ipamn9au3vavq8lqehaj208du0; path=/
Set-Cookie: mc=92800; expires=Tue, 06-Apr-2010 02:15:56 GMT
Set-Cookie: sts=92800%7C9%7C928%7C00%7C1%7CUS%7C1%7C6%7C8%7C1%7C194%7C0%7C1%7C%7C
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, must-revalidate
Content-type: text/html
Connection: close
Date: Tue, 06 Apr 2010 02:05:56 GMT
Server: lighttpd/1.4.22
--------------------------------------------------------------------------------
URL: http://protectcareone.net/redirect/
Can we have the URLs?:
-> http://goscandate.com/?uid=13400
--> http://anticrimeware.jewil.info/?uid=13400
HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 19:02:52 GMT
Server: Apache/2
Location: http://goscandate.com/?uid=13400
Content-Type: text/html; charset=iso-8859-1
HTTP/1.1 302 Found
Server: nginx/0.8.28
Date: Tue, 06 Apr 2010 04:12:57 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.11
location: http://anticrimeware.jewil.info/?uid=13400
HTTP/1.1 404 Not Found
Server: nginx/0.8.28
Date: Tue, 06 Apr 2010 04:12:57 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.11
Set-Cookie: PHPSESSID=0f7d0f114022917400c4fe83990de05c; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
--------------------------------------------------------------------------------
URL: http://protectcareone.net/redirect2/
Can we have the URLs?:
-> http://getamazondiscount.com/go.php?id=2004&key=ff0057594&d=1
HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 19:02:52 GMT
Server: Apache/2
Location: http://getamazondiscount.com/go.php?id=2004&key=ff0057594&d=1
Content-Type: text/html; charset=iso-8859-1
HTTP/1.1 404 Not Found
Date: Tue, 06 Apr 2010 02:05:57 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=iso-8859-1
--------------------------------------------------------------------------------
URL: http://protectcareone.net/redirect3/
Can we have the URLs?:
-> http://vimeotheroad.com/?pid=283s01&sid=2a15a0
--> http://db6cf0.win-protectionb1.com/a17af011/?gtyh=aXA9MjA0LjE%3DLTkyLjU1MXAwZD0yODNzMSZ0aW1lPTEyN2k1Jjk4NjA0
HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 19:02:53 GMT
Server: Apache/2
Location: http://vimeotheroad.com/?pid=283s01&sid=2a15a0
Content-Type: text/html; charset=iso-8859-1
HTTP/1.1 302 Found
Date: Tue, 06 Apr 2010 02:05:57 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Set-Cookie: red=1; expires=Wed, 07-Apr-2010 02:05:57 GMT
Location: http://db6cf0.win-protectionb1.com/a17af011/?gtyh=aXA9MjA0LjE%3DLTkyLjU1MXAwZD0yODNzMSZ0aW1lPTEyN2k1Jjk4NjA0
Connection: close
Content-Type: text/html
HTTP/1.1 200 OK
Date: Tue, 06 Apr 2010 02:05:58 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Connection: close
Content-Type: text/html
--------------------------------------------------------------------------------
URL: http://protectcareone.net/redirect4/
Can we have the URLs?:
-> http://188.124.5.138/main.php?land=20&affid=92800
HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 19:02:53 GMT
Server: Apache/2
Location: http://188.124.5.138/main.php?land=20&affid=92800
Content-Type: text/html; charset=iso-8859-1
HTTP/1.1 200 OK
X-Powered-By: PHP/5.3.2
Set-Cookie: PHPSESSID=gjlcg9vk43kmpgu0glsnc7fum6; path=/
Set-Cookie: mc=92800; expires=Tue, 06-Apr-2010 02:15:58 GMT
Set-Cookie: sts=92800%7C9%7C928%7C00%7C1%7CUS%7C1%7C6%7C8%7C1%7C194%7C0%7C1%7C%7C
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, must-revalidate
Content-type: text/html
Connection: close
Date: Tue, 06 Apr 2010 02:05:58 GMT
Server: lighttpd/1.4.22
--------------------------------------------------------------------------------
URL: http://roomafterhide.net/redirect/
Can we have the URLs?:
[NO REDIRECTION]
HTTP/1.1 404 Not Found
Date: Mon, 05 Apr 2010 19:08:24 GMT
Server: Apache/2
Content-Type: text/html; charset=iso-8859-1
--------------------------------------------------------------------------------
URL: http://roomafterhide.net/redirect2/
Can we have the URLs?:
[NO REDIRECTION]
HTTP/1.1 404 Not Found
Date: Mon, 05 Apr 2010 19:08:24 GMT
Server: Apache/2
Content-Type: text/html; charset=iso-8859-1
--------------------------------------------------------------------------------
URL: http://roomafterhide.net/redirect3/
Can we have the URLs?:
[NO REDIRECTION]
HTTP/1.1 404 Not Found
Date: Mon, 05 Apr 2010 19:08:24 GMT
Server: Apache/2
Content-Type: text/html; charset=iso-8859-1
--------------------------------------------------------------------------------
URL: http://roomafterhide.net/redirect4/
Can we have the URLs?:
[NO REDIRECTION]
HTTP/1.1 404 Not Found
Date: Mon, 05 Apr 2010 19:08:24 GMT
Server: Apache/2
Content-Type: text/html; charset=iso-8859-1
--------------------------------------------------------------------------------
URL: http://longsignups.net/redirect/
Can we have the URLs?:
-> http://goscandate.com/?data=MigHWF5yDVUgETFIU6Rtbzdd8x9KMFBwb01vAlh7UyVyUyOxpUHX3gPSaD4AMfk%3D
--> http://anticrimeware.jewil.info/?data=MigHWF5yDVUgETFIU6Rtbzdd8x9KMFBwb01vAlh7UyVyUyOxpUHX3gPSaD4AMfk%3D
HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 19:02:56 GMT
Server: Apache/2
Location: http://goscandate.com/?data=MigHWF5yDVUgETFIU6Rtbzdd8x9KMFBwb01vAlh7UyVyUyOxpUHX3gPSaD4AMfk%3D
Content-Type: text/html; charset=iso-8859-1
HTTP/1.1 302 Found
Server: nginx/0.8.28
Date: Tue, 06 Apr 2010 04:13:01 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.11
location: http://anticrimeware.jewil.info/?data=MigHWF5yDVUgETFIU6Rtbzdd8x9KMFBwb01vAlh7UyVyUyOxpUHX3gPSaD4AMfk%3D
HTTP/1.1 200 OK
Server: nginx/0.8.28
Date: Tue, 06 Apr 2010 04:13:01 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.11
Set-Cookie: PHPSESSID=257e774dbc872bc7e3c105778204b312; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
--------------------------------------------------------------------------------
URL: http://longsignups.net/redirect2/
Can we have the URLs?:
-> http://getamazondiscount.com/?id=2004&k=6c00ebfb0&d=1
--> http://insight-scanner7.com/content1/axxt/ckmrtmtoou/ramxirvior.html
HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 19:02:56 GMT
Server: Apache/2
Location: http://getamazondiscount.com/?id=2004&k=6c00ebfb0&d=1
Content-Type: text/html; charset=iso-8859-1
HTTP/1.1 302 Found
Date: Tue, 06 Apr 2010 02:06:01 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Set-Cookie: go=1; expires=Wed, 07-Apr-2010 02:06:01 GMT
Location: http://insight-scanner7.com/content1/axxt/ckmrtmtoou/ramxirvior.html
Connection: close
Content-Type: text/html
HTTP/1.1 200 OK
Date: Tue, 06 Apr 2010 02:06:01 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Connection: close
Content-Type: text/html
--------------------------------------------------------------------------------
URL: http://longsignups.net/redirect3/
Can we have the URLs?:
-> http://vimeotheroad.com/?mid=283&code=2a15a0&d=1
--> http://e1219d2.win-protectionb1.com/a874059bb71/?gtyh=aXA9MjA0LjEwLjk5LSU1MXAwZD0yODMmdGltZT0xMjdpNjYyMjY0
HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 19:02:57 GMT
Server: Apache/2
Location: http://vimeotheroad.com/?mid=283&code=2a15a0&d=1
Content-Type: text/html; charset=iso-8859-1
HTTP/1.1 302 Found
Date: Tue, 06 Apr 2010 02:06:02 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Set-Cookie: red=1; expires=Wed, 07-Apr-2010 02:06:02 GMT
Location: http://e1219d2.win-protectionb1.com/a874059bb71/?gtyh=aXA9MjA0LjEwLjk5LSU1MXAwZD0yODMmdGltZT0xMjdpNjYyMjY0
Connection: close
Content-Type: text/html
HTTP/1.1 200 OK
Date: Tue, 06 Apr 2010 02:06:02 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Connection: close
Content-Type: text/html
--------------------------------------------------------------------------------
URL: http://longsignups.net/redirect4/
Can we have the URLs?:
-> http://188.124.5.138/main.php?land=20&affid=92800
HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 19:02:58 GMT
Server: Apache/2
Location: http://188.124.5.138/main.php?land=20&affid=92800
Content-Type: text/html; charset=iso-8859-1
HTTP/1.1 200 OK
X-Powered-By: PHP/5.3.2
Set-Cookie: PHPSESSID=jbkjdcviqd77upb10tsvdekkp6; path=/
Set-Cookie: mc=92800; expires=Tue, 06-Apr-2010 02:16:03 GMT
Set-Cookie: sts=92800%7C9%7C928%7C00%7C1%7CUS%7C1%7C6%7C8%7C1%7C194%7C0%7C1%7C%7C
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, must-revalidate
Content-type: text/html
Connection: close
Date: Tue, 06 Apr 2010 02:06:03 GMT
Server: lighttpd/1.4.22
--------------------------------------------------------------------------------
URL: http://gosafezone.net/redirect/
Can we have the URLs?:
-> http://goscandate.com/?data=MigHWF5yDVUgETFIU6Rtbzdd8x9KMFBwb01vAlh7UyVyUyOxpUHX3gPSaD4AMfk%3D
--> http://safety.com.jewil.info/?data=MigHWF5yDVUgETFIU6Rtbzdd8x9KMFBwb01vAlh7UyVyUyOxpUHX3gPSaD4AMfk%3D
HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 20:23:09 GMT
Server: Apache/2
Location: http://goscandate.com/?data=MigHWF5yDVUgETFIU6Rtbzdd8x9KMFBwb01vAlh7UyVyUyOxpUHX3gPSaD4AMfk%3D
Content-Type: text/html; charset=iso-8859-1
HTTP/1.1 302 Found
Server: nginx/0.8.28
Date: Tue, 06 Apr 2010 05:33:14 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.11
location: http://safety.com.jewil.info/?data=MigHWF5yDVUgETFIU6Rtbzdd8x9KMFBwb01vAlh7UyVyUyOxpUHX3gPSaD4AMfk%3D
HTTP/1.1 200 OK
Server: nginx/0.8.28
Date: Tue, 06 Apr 2010 05:33:14 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.11
Set-Cookie: PHPSESSID=34940ba021b2c4b01d0eabf4ac403e91; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
--------------------------------------------------------------------------------
URL: http://gosafezone.net/redirect2/
Can we have the URLs?:
-> http://getamazondiscount.com/?id=2004&k=6c00ebfb0&d=1
--> http://insight-scanner8.com/content1/axxt/ckmrtmtoou/ramxiatumt.html
HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 20:23:09 GMT
Server: Apache/2
Location: http://getamazondiscount.com/?id=2004&k=6c00ebfb0&d=1
Content-Type: text/html; charset=iso-8859-1
HTTP/1.1 302 Found
Date: Tue, 06 Apr 2010 03:26:14 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Set-Cookie: go=1; expires=Wed, 07-Apr-2010 03:26:14 GMT
Location: http://insight-scanner8.com/content1/axxt/ckmrtmtoou/ramxiatumt.html
Connection: close
Content-Type: text/html
HTTP/1.1 200 OK
Date: Tue, 06 Apr 2010 03:26:14 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Connection: close
Content-Type: text/html
--------------------------------------------------------------------------------
URL: http://gosafezone.net/redirect3/
Can we have the URLs?:
-> http://vimeotheroad.com/?mid=283&code=2a15a0&d=1
--> http://ed9c.win-protectiont1.com/a48d5651/?gtyh=aXA9MjA0LjEwLjk0LSM1MnAwZD0yODMmdGltZT0xMjdpNjY2Mjc0
HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 20:23:11 GMT
Server: Apache/2
Location: http://vimeotheroad.com/?mid=283&code=2a15a0&d=1
Content-Type: text/html; charset=iso-8859-1
HTTP/1.1 302 Found
Date: Tue, 06 Apr 2010 03:26:16 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Set-Cookie: red=1; expires=Wed, 07-Apr-2010 03:26:16 GMT
Location: http://ed9c.win-protectiont1.com/a48d5651/?gtyh=aXA9MjA0LjEwLjk0LSM1MnAwZD0yODMmdGltZT0xMjdpNjY2Mjc0
Connection: close
Content-Type: text/html
HTTP/1.1 200 OK
Date: Tue, 06 Apr 2010 03:26:16 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Connection: close
Content-Type: text/html
--------------------------------------------------------------------------------
URL: http://gosafezone.net/redirect4/
Can we have the URLs?:
-> http://188.124.5.138/main.php?land=20&affid=92800
HTTP/1.1 302 Found
Date: Mon, 05 Apr 2010 20:23:12 GMT
Server: Apache/2
Location: http://188.124.5.138/main.php?land=20&affid=92800
Content-Type: text/html; charset=iso-8859-1
HTTP/1.1 200 OK
X-Powered-By: PHP/5.3.2
Set-Cookie: PHPSESSID=sh0bcvrotsdvbl6ucjucud15p4; path=/
Set-Cookie: mc=92800; expires=Tue, 06-Apr-2010 03:36:17 GMT
Set-Cookie: sts=92800%7C9%7C928%7C00%7C1%7CUS%7C1%7C6%7C8%7C1%7C194%7C0%7C1%7C%7C
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, must-revalidate
Content-type: text/html
Connection: close
Date: Tue, 06 Apr 2010 03:26:17 GMT
Server: lighttpd/1.4.22
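For anyone tracking these chains over time, here is an added example (not part of the original post, and not the tool that produced the dumps above): a Python parser for header dumps in the layout shown, which rebuilds each hop chain and lists the downstream hosts shared by more than one entry domain. The function names and the `.example` hosts in the sample are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the same layout as the dumps above; the hosts use the
# reserved .example TLD and are not taken from the page.
SAMPLE = """\
URL: http://entry-a.example/redirect/
HTTP/1.1 302 Found
Location: http://hop.example/?uid=1
HTTP/1.1 302 Found
location: http://landing.example/?uid=1
HTTP/1.1 200 OK
--------------------------------------------------------------------------------
URL: http://entry-b.example/redirect/
HTTP/1.1 302 Found
Location: http://hop.example/?uid=2
HTTP/1.1 404 Not Found
--------------------------------------------------------------------------------
URL: http://entry-c.example/redirect/
HTTP/1.1 404 Not Found
"""
STATUS = re.compile(r"^HTTP/\d\.\d\s+(\d{3})")

def parse_dump(text):
    """Return {entry_url: [{"status": int, "headers": dict}, ...]}."""
    chains = {}
    for block in re.split(r"^-{10,}\s*$", text, flags=re.M):
        entry, hops = None, []
        for line in map(str.strip, block.splitlines()):
            m = STATUS.match(line)
            if line.startswith("URL:"):
                entry = line[4:].strip()
            elif m:
                hops.append({"status": int(m.group(1)), "headers": {}})
            elif hops and ":" in line:
                # Header names are case-insensitive; some hops send "location:".
                name, value = line.split(":", 1)
                hops[-1]["headers"].setdefault(name.strip().lower(), value.strip())
        if entry:
            chains[entry] = hops
    return chains

def summarize(hops):
    """Hosts reached via 3xx Location headers, and the last status seen."""
    hosts = [urlsplit(h["headers"]["location"]).hostname for h in hops
             if 300 <= h["status"] < 400 and "location" in h["headers"]]
    return hosts, (hops[-1]["status"] if hops else None)

def shared_hops(chains):
    """Downstream hosts reached from more than one entry domain."""
    seen = defaultdict(set)
    for entry, hops in chains.items():
        for host in summarize(hops)[0]:
            seen[host].add(urlsplit(entry).hostname)
    return {h: sorted(e) for h, e in seen.items() if len(e) > 1}

if __name__ == "__main__":
    print(shared_hops(parse_dump(SAMPLE)))
```

Lines that appear before the first status line of a block (the `->` summary lines, for instance) are ignored, so the chain is taken only from the response headers themselves.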
Looking over this /24, there appears to be only 1 IP (200.63.46.108) that's actually housing legit websites. The rest are either malware related or phishing related. One rather interesting phishing domain is beverified.org, which claims to, well let's see what they say shall we;
"Beverified.org is the premier free age verification service used by safe adults in the area"
Age verification? Really? How is this done then? Well actually it isn't (as if you were surprised). All it actually does, is submit your information to;
https://securejoinsite.com/join.php
Note: Accessing join.php directly results in an error stating invalid input parameters. You can view what it actually contains using the following URL;
http://securejoinsite.com/join.php?act=el3122.&siteid=elx_fbook&tnum=839&iframe=y
A site with no homepage, and registered to a company that evidently can't decide where they are (address is Cyprus, but telephone number has a +44 (UK) dialing code).
Registration Service Provided By: NEOTIKA CAPITAL LTD
Contact: +44.2076917819
Domain Name: SECUREJOINSITE.COM
Registrant:
Neotika Capital Ltd
Constantinos Ellinas (legal@neotikacapitalltd.com)
Flat/Office 2, 8 Georgiou Seferi
Nicosia
Nicosia,1076
CY
Tel. +044.2076917819
Creation Date: 05-May-2009
Expiration Date: 05-May-2011
Domain servers in listed order:
dns2.allnetservers.net
dns1.allnetservers.net
dns2.allnetservers.net resides at 208.94.64.126 (AS36529 208.94.64.0/24 RACKCO). RACKCO also has several other /24's and based on the sites hosted there, all of them need blackholed.
A little further digging, showed a plethora of similar phishing sites housed at;
209.44.111.0/24 - AS10929 Netelligent
69.60.198.0/24 - AS11696 Simlab Bell Atlantic Global Networks Madison, NJ
206.223.183.0/24 - AS21949 BEANFIELD-AS Beanfield Technologies inc. 77 Mowat Ave. Toronto, ON M6K3E3
64.38.198.0/24 - AS19181 CWIE Cavecreek Wholesale Internet Exchange, LLC
64.154.5.0/24 - AS19181 CWIE Cavecreek Wholesale Internet Exchange, LLC
Getting back to Eveloz however, I've tried numerous times to reach both themselves, and their upstreams, and to date, no response has been received, so personally, I'm still recommending they be blackholed.
References:
Crimeware friendly ISP's: Eveloz (AS27716, 200.63.40.0/21, 200.63.48.0/23, 190.5.224.0/22)
http://hphosts.blogspot.com/2009/12/crimeware-friendly-isps-eveloz-as27716.html