Since I don't have a PayPal account, it didn't take a great deal of intellectual prowess to figure out that it was a "phish" email--an email designed to trick the credulous and unwary into going to a phony site and handing over their PayPal password. I get about a half-dozen of them a day, and I fired off emails to the appropriate Web hosts and forgot about it.
Next day, I got another phish asking me to validate my Bank of America account information. I don't have an account with Bank of America, naturally. Again, a standard phish.
The only weird part was that the phony Bank of America site was hosted on the same Web server as the phony PayPal site. Fired off another email to the ISP hosting the fake sites and forgot it.
And got another phish email. And another, and another after that, and another after that. All advertising phony Web sites hosted on the same server.
"Huh," I thought. "This is weird."
The phish emails keep rolling in. I got four of them today. All of them advertising various phony sites hosted on the same server.
The server is at http://18.104.22.168/~hewar/. If you go there (which I don't recommend), you'll see that it is an open server directory. Right now, as I type this, it has three phish sites living on it--a phony Bank of America page and two phony PayPal pages in French.
It's also got a bunch of other stuff living there:
If you go to the directory called "bankofamerica.com" you end up at a phony Bank of America site. The "fr" and "paypal.fr" directories each contain a phony copy of the PayPal signin page. The file you see called "france2009.zip" contains everything the budding criminal needs to set up his own phony PayPal page on a hacked Web server.
There are two other files there, called "x.php" and "foxMailer.php". Each of those is a bulk spamming program. You connect to the server, upload a list of email addresses, upload a spam message, and press "go" and off it goes, sending the spam email to all the addresses.
Now, it's pretty clear that this server at 22.214.171.124 is entirely 100% owned and operated by a group of criminals who are in the spam and theft business. They send out spam from this server, and they host phony sites on this server which are designed to steal banking information.
The server is hosted by a British ISP called a2b2.com. The ISP a2b2.com is in turn a subsidiary of an outfit called vaserv.com. The a2b2.com Web site advertises cheap Web hosting, and the parent company vaserv.com offers cheap Web hosting and cheap VPS hosting.
My first impulse was that a2b2.com is a dirty, corrupt ISP, knowingly hosting Web sites for organized crime. You see them popping up from time to time: McColo, Calpop, and other unethical businesses which profit from hosting Web sites for criminals and quietly looking the other way.
But I've been taking a look at a2b2.com and vaserv.com more closely, and I don't think they're corrupt--I just think they're clueless.
Or perhaps I should say, I think he's clueless.
As near as I can tell, both of these ISPs are owned and run by just one guy. The whois information for both ISPs lists the contact as a guy named "Russell Foster." The parent company at vaserv.com has a WordPress blog, which hasn't been updated in months, whose posts are signed "Rus". This place very much gives the impression of a hobby business whose owner doesn't pay very close attention; the lights are on, but nobody's home.
Hell, even the security on the official WordPress blog sucks.
So this guy is hosting Web sites for organized crime, and far from profiting by it, I don't even think he knows about it. For that matter, I don't even think he reads his email!
Unfortunately, the upstream from a2b2/vaserv is the Italian outfit Tiscali, which is listed in the "I" section of the dictionary under "incompetent." Tiscali is so slow to act against spammers and abusers of their network that they've actually ended up on spam blacklists; as near as I can tell, the only way to get the folks at Tiscali to take action of any sort is to fuck the CEO's daughter on the CEO's desk. During a business meeting.
So it seems that the criminals responsible for these phish sites have found a perfect storm of incompetence and fail, which effectively means they can host their sites on servers in the UK with impunity. The people responsible for these phish sites are so confident that they haven't even bothered to cover their tracks or secure their Web servers.
This is the dirty secret of Web hosting, and it's an example of where Libertarian laissez-faire ideals fail. There is little incentive for ISPs to take action against malware, frauds, spammers, and phish sites on their networks, and financial incentive for them not to. An abuse person who is doing his job costs his employer money, and as the example of iPower Web shows, hosting such sites, and playing fast and loose with its customers' Web site security, doesn't actually seem to cost an ISP any business.