Discussion:
New Phishing domain "alert.window-alert-k.com" not recognized by anyone - somehow connected to akamai.net
Virus G_u_y
2015-05-16 14:23:35 UTC
A co-worker opened IE on a win-7 machine a few days ago and typed what
she thought was "google.ca" into the browser location bar. It's highly
likely that she mistyped one of the characters or added an additional
character. When she hit enter, the browser displayed this site:

alert.window-alert-k.com/index-BB.html?isp=X

NOTE: The above URL (minus the ?isp= part) contains an irritating
script that will make it impossible to dismiss the webpage or close the
browser, unless, perhaps, your browser has scripts disabled by default.

A screen capture that I'm looking at now gives a partial readout for
what "X" is - and it's the name of our ISP.

Using wget to download a copy of the html file and submitting it to VT
gives NO hits.

A google search for "alert.window-alert-k.com" (using quotes) gives no
hits at all. Apparently nobody has ever mentioned that domain in any
web-document, blog, forum, etc.

And can someone explain the whois info for this domain?

===============
207.86.215.16 is from United States (US) in region North America
207.86.215.58 is from United States (US) in region North America
Input: alert.window-alert-k.com
canonical name: a19.dscg10.akamai.net
aliases:
alert.window-alert-k.com
e486604de5138bebb11e-7f2f4917eda52660ed02fa0bcc2904c5.r17.cf3.rackcdn.com
a17.rackcdn.com
a17.rackcdn.com.mdc.edgesuite.net

Registered Domain: akamai.net

Domain Name: AKAMAI.NET
Registrar: TUCOWS DOMAINS INC.
=================

Why does a whois query for alert.window-alert-k.com turn into a whois
query for akamai.net ?

nslookup for alert.window-alert-k.com returns:

FQDN a19.dscg10.akamai.net
207.34.231.16
207.34.231.18

NetRange: 207.34.192.0 - 207.34.255.255
CIDR: 207.34.192.0/18
NetName: TELUS-207-34-192-0
OrgName: TELUS Communications Inc.
City: Burnaby
StateProv: BC
Beauregard T. Shagnasty
2015-05-16 17:38:11 UTC
Post by Virus G_u_y
Why does a whois query for alert.window-alert-k.com turn into a whois
query for akamai.net ?
Probably because you executed a whois for a *sub*-domain, and whois tools
do not list those. My result for the above yields:

No match for "ALERT.WINDOW-ALERT-K.COM".

A whois for the domain itself (via registrar enom.com) does not list an
owner, but does say it was created yesterday, 15 May 2015. I'd be
suspicious.

Perhaps your beloved Windows 98 isn't working correctly.
--
-bts
-This space for rent, but the price is high
SPD
2015-05-18 06:27:01 UTC
I got this (enom hosts spammers):
Window-Alert-K.com - Window Alert K Whois Report
This full website whois and analysis report on Window-Alert-K.com was run on
May 18, 2015.

Registrar
ENOM, INC.

Whois Server
whois.enom.com

Referral URL
http://www.enom.com

Status
clientTransferProhibited
http://www.icann.org/epp#clientTransferProhibited

Contact Email


Creation Date
05/15/2015

Updated Date
05/15/2015

Expiration Date
05/15/2016

Registrant
WHOISGUARD PROTECTED
WHOISGUARD, INC.
P.O. BOX 0823-03411
PANAMA, PANAMA 00000
PANAMA
Telephone: 5078365503
Fax: 5117057182
Email:

Administrative Contact
WHOISGUARD PROTECTED
WHOISGUARD, INC.
P.O. BOX 0823-03411
PANAMA, PANAMA 00000
PANAMA
Telephone: 5078365503
Fax: 5117057182
Email:

Technical Contact
WHOISGUARD PROTECTED
WHOISGUARD, INC.
P.O. BOX 0823-03411
PANAMA, PANAMA 00000
PANAMA
Telephone: 5078365503
Fax: 5117057182
Email:

Nameservers
DNS1.REGISTRAR-SERVERS.COM
DNS2.REGISTRAR-SERVERS.COM
DNS3.REGISTRAR-SERVERS.COM
DNS4.REGISTRAR-SERVERS.COM
DNS5.REGISTRAR-SERVERS.COM

2. And this, from a reverse ip
Window-Alert-K IP:
23.15.9.43
Window-Alert-K server location:
Cambridge in United States
Window-Alert-K ISP:
Akamai Technologies

3. with a reverse ip whois
23.15.9.43 Whois Report
This is the full research report for 23.15.9.43, which is an IP address.

Whois Server
whois.arin.net

Status
ALLOCATED

Contact Email


Registrant
Akamai Technologies, Inc.
8 Cambridge Center
Cambridge, MA 02142
UNITED STATES

Administrative Contact
Hannigan, Martin
Telephone: 16174442535
Email:

Technical Contact
Zipkin, Justin Schecter, Steven Jay Hannigan, Martin
Telephone: 16174449713 16172747134 16174442535
Email:

So, back to akamai. Call the contact listed above and ask him.
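Added example (my own script, not code from anyone in this thread): the triage the posters did by hand, done offline. It follows the CNAME chain from the nslookup output, reduces the hostname to the registrable domain that whois is actually keyed on (which is why a whois on the full hostname returned "No match"), notes that a chain ending in akamai.net means the hosting IPs and their ARIN whois belong to the CDN rather than the registrant, and pulls the creation date and privacy-proxy status out of the enom record. The CNAME records and the whois text are constructed inline from what is quoted above so it runs without network access; the public-suffix table and CDN zone list are assumptions (a real tool would load the full Public Suffix List and use dnspython / a whois client).

```python
"""Offline triage of a suspicious hostname from DNS and whois evidence.

Constructed inputs: the CNAME chain and the whois excerpt below are copied
from the thread; the suffix table and CDN zone list are assumptions.
"""
import re
from datetime import date, datetime

# Assumption: minimal public-suffix table, enough for the names in the thread.
# A real tool loads the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "ca", "uk", "co.uk"}

# Assumption: zones whose presence at the end of a CNAME chain means the
# serving IP space belongs to a CDN operator, not to the domain registrant.
CDN_ZONES = ("akamai.net", "edgesuite.net", "rackcdn.com")

# CNAME chain as shown in the nslookup output (constructed dict).
CNAME_RECORDS = {
    "alert.window-alert-k.com":
        "e486604de5138bebb11e-7f2f4917eda52660ed02fa0bcc2904c5.r17.cf3.rackcdn.com",
    "e486604de5138bebb11e-7f2f4917eda52660ed02fa0bcc2904c5.r17.cf3.rackcdn.com":
        "a17.rackcdn.com",
    "a17.rackcdn.com": "a17.rackcdn.com.mdc.edgesuite.net",
    "a17.rackcdn.com.mdc.edgesuite.net": "a19.dscg10.akamai.net",
}

# Registrar whois excerpt, constructed from the report SPD posted.
WHOIS_TEXT = """\
Domain Name: WINDOW-ALERT-K.COM
Registrar: ENOM, INC.
Creation Date: 05/15/2015
Updated Date: 05/15/2015
Expiration Date: 05/15/2016
Registrant: WHOISGUARD PROTECTED
Name Server: DNS1.REGISTRAR-SERVERS.COM
"""


def registrable_domain(host: str) -> str:
    """Return the domain a registrar whois is keyed on (longest suffix wins)."""
    labels = host.lower().rstrip(".").split(".")
    for n in range(1, len(labels)):
        if ".".join(labels[n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[n - 1:])
    return host.lower()


def follow_cname(host: str, records: dict, limit: int = 16) -> list:
    """Follow CNAMEs from host; returns the chain ending at the canonical name.
    Stops on a loop or after `limit` hops instead of spinning forever."""
    chain = [host.lower()]
    seen = set(chain)
    while chain[-1] in records and len(chain) <= limit:
        nxt = records[chain[-1]].lower()
        if nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def parse_creation_date(whois_text: str):
    """Extract the creation date from registrar whois text (US or ISO formats)."""
    m = re.search(r"Creat(?:ion|ed)[^:\n]*:\s*(\S+)", whois_text, re.I)
    if not m:
        return None
    raw = m.group(1)
    for fmt in ("%m/%d/%Y", "%Y-%m-%d", "%Y-%m-%dT%H:%M:%SZ", "%d-%b-%Y"):
        try:
            return datetime.strptime(raw, fmt).date()
        except ValueError:
            continue
    return None


def triage(host: str, whois_text: str, asof, records: dict = CNAME_RECORDS) -> dict:
    """Summarise the indicators a responder pulls from DNS plus whois.
    `asof` is the date of the investigation (date or ISO string)."""
    if isinstance(asof, str):
        asof = date.fromisoformat(asof)
    chain = follow_cname(host, records)
    terminus = chain[-1]
    created = parse_creation_date(whois_text)
    age = (asof - created).days if created else None
    return {
        "registrable_domain": registrable_domain(host),  # whois this, not the host
        "canonical_name": terminus,
        "cdn_hosted": any(terminus == z or terminus.endswith("." + z) for z in CDN_ZONES),
        "created": created.isoformat() if created else None,
        "age_days": age,
        "newly_registered": age is not None and age < 30,  # threshold is an assumption
        "privacy_protected": bool(re.search(r"whoisguard|privacy|redacted", whois_text, re.I)),
    }


if __name__ == "__main__":
    for key, value in triage("alert.window-alert-k.com", WHOIS_TEXT, "2015-05-16").items():
        print(f"{key:20} {value}")
```

Run against the thread's data it reports the domain as one day old, behind a WhoisGuard proxy, and served off Akamai, which is the combination that should have been enough to block it at the proxy without waiting for a VirusTotal hit; the CDN's ARIN contact is not the party to call.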