Blog for hpHosts, and whatever else I feel like writing about ....

Monday 19 March 2012

Alert: Santander phish (aka, when all else fails, fall back on bit.ly - again)

I do despair of the fact that the criminals running these keep going back to old methods - yes, they work, but that's irrelevant (and of course people will always be gullible); going back to old methods means there are no surprises, and I like surprises!

I processed a phish targeting Santander customers a few days ago (it led to ~3GB of evidence of not just phishing but a host of other things too - oh, the joys). I've already had the server cleaned up and secured, as it was re-compromised whilst I was investigating.

In this case, the phish comes with an attachment (letter.html) that contains a link to:

hxxp://bit.ly/GzoQge

This leads to:

hxxp://redirectauth.com/redirect1.php

This then leads to:

hxxp://santander.cgiauthweb.com/santander.co.uk/retail/LOGSUK_NS_ENS/gon.php

You'll not be surprised to learn that both the MITM and the phish are housed on the same IP:

IP: 93.185.104.27
IP PTR: www17.pipni.cz
ASN: 43541 93.185.96.0/20 VSHOSTING VSHosting s.r.o.

And even less surprised to learn that both domains are owned by the same miscreant:

Domain name: CGIAUTHWEB.COM
Name Server: ns.pipni.cz
Name Server: ns2.pipni.cz
Creation Date: 2012.03.15
Expiration Date: 2013.03.15

Status: DELEGATED

Registrant ID: AUVGQVT-RU
Registrant Name: Jonathan Yarrall
Registrant Organization: Jonathan Yarrall
Registrant Street1: 3455 Bellflower Blvd
Registrant City: Long beach
Registrant Postal Code: 90808
Registrant Country: US

Administrative, Technical Contact
Contact ID: AUVGQVT-RU
Contact Name: Jonathan Yarrall
Contact Organization: Jonathan Yarrall
Contact Street1: 3455 Bellflower Blvd
Contact City: Long beach
Contact Postal Code: 90808
Contact Country: US
Contact Phone: +1 562 4294761
Contact E-mail: lilboo2x@gmail.com

Registrar: Regional Network Information Center, JSC dba RU-CENTER
