HelioHost
Posted January 21, 2020

Username: N/A, Server: N/A, Main Domain: N/A

During an investigation of fraud, we discovered a compromised website (www.idsma2store.heliohost.org) that is being used to attack our client and their customers.

In addition to the website owner, we have addressed this report to the responsible authoritative providers who have the ability to disable the malicious content in question. Based on your relationship to the content in question, please see our specific request below.

This threat has been active for at least 0.1 hours.

hXXps://www.idsma2store.heliohost.org/US/b323b0adf3/index
hXXps://www.idsma2store.heliohost.org/US/b323b0adf3/bill.php
hXXps://www.idsma2store.heliohost.org/US/b323b0adf3/process.php
hXXps://www.idsma2store.heliohost.org/US/b323b0adf3/process2.php
hXXps://www.idsma2store.heliohost.org/US/b323b0adf3/done.php
hXXps://www.idsma2store.heliohost.org/US/81562a48de/index?dispatch=a5bd24e6e7343ad2cd337656bfb02e9e
hXXps://www.idsma2store.heliohost.org/US/b323b0adf3/index?dispatch=ab6e90fe5e601c84406fa5c42090c971
hXXps://www.idsma2store.heliohost.org/US/b323b0adf3/card.php

First detection of malicious activity: 01-21-2020 03:58:34 UTC
Most recent observation of malicious activity: 01-21-2020 04:05:31 UTC
Associated IP Addresses: 65.19.141.67

=== HOSTING PROVIDER ===

If you agree that this is malicious, we kindly request that you take steps to have the content removed as soon as possible. It is highly likely that the intruder who set up this phishing content has also left additional fraudulent material on this server such as illegitimate access points.

=== WEBSITE OWNER ===

We recommend taking the following actions to secure the web site and prevent the attackers from returning:

- Update your web applications including CMS, blog, ecommerce, and other applications (and all add-on modules/components/plugins).
- Search all of your web directories for suspicious files as attackers commonly leave backdoors.
- Scan the computer from which you login to your web hosting control panel or ftp server with anti-virus software.
- Change your web hosting provider if this is an ongoing issue.

If your provider has disabled your account because of this incident, you must coordinate a resolution with them directly as PhishLabs has no control over this aspect.

If we have contacted you in error, or if there is a better way for us to report this incident, please let us know so that we may continue our investigation.

We are grateful for your assistance.

Kind regards,
Pravin Singh
PhishLabs Security Operations
12023866001
Available 24/7

[PL-1488180]
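The "search all of your web directories for suspicious files" step in the report above, as an added example that is not part of the original post or of the PhishLabs report: a small Python scanner that walks a web root, flags PHP files containing idioms typical of webshells and droppers, flags directories with random-hex names that hold PHP (the kit layout visible in the report's URLs, `US/b323b0adf3/...`), and optionally flags PHP files modified after a cutoff such as the report's first-detection time. The pattern set, the file extensions and the sample site built by `demo()` are assumptions constructed for this example; the paths in the sample mirror the report's layout but the file contents are invented.

```python
"""Hunt for PHP backdoors and phishing-kit directories under a web root.

Added example (not PhishLabs or HelioHost code). The regexes are a
starting heuristic set, not a complete signature database.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Webshell/dropper idioms (assumed heuristics). Each fires on source text.
SUSPICIOUS_PATTERNS = {
    "eval_of_decoded": re.compile(
        r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)", re.I),
    "eval_of_request": re.compile(r"eval\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I),
    "exec_of_request": re.compile(
        r"\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)",
        re.I),
    # preg_replace with the /e modifier executes the replacement as PHP.
    "preg_replace_e": re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I),
    # $_GET['x']() : function name taken straight from the request.
    "dynamic_call_from_request": re.compile(
        r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I),
    "assert_of_request": re.compile(r"\bassert\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I),
}
# Phishing kits are often dropped into a directory named with random hex.
HEX_DIR = re.compile(r"^[0-9a-f]{8,16}$")
PHP_EXT = (".php", ".phtml", ".php5", ".php7")


@dataclass(frozen=True)
class Finding:
    path: str    # relative to the scanned root, "/"-separated
    reason: str


def php_reasons(text):
    """Names of the webshell idioms present in one file's source."""
    return [name for name, pat in SUSPICIOUS_PATTERNS.items() if pat.search(text)]


def scan_tree(root, modified_since=None):
    """Walk root and return a list of Findings.

    modified_since: optional UNIX timestamp; PHP files with an mtime at or
    after it are additionally reported as 'recently_modified'.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        php_files = sorted(f for f in files if f.lower().endswith(PHP_EXT))
        if HEX_DIR.match(os.path.basename(dirpath)) and php_files:
            rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
            findings.append(Finding(rel_dir, "hex_named_kit_dir"))
        for fname in php_files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            for reason in php_reasons(text):
                findings.append(Finding(rel, reason))
            if modified_since is not None and os.path.getmtime(full) >= modified_since:
                findings.append(Finding(rel, "recently_modified"))
    return findings


# Constructed sample web root: a clean index, a kit directory laid out like
# the one in the report, and a hidden dropper in an uploads folder. The PHP
# bodies are invented for this example.
DEMO_FILES = {
    "index.php": "<?php echo 'Welcome'; ?>",
    "US/b323b0adf3/bill.php": "<?php $card = $_POST['cc']; file_put_contents('log.txt', $card, FILE_APPEND); ?>",
    "US/b323b0adf3/process.php": "<?php eval(base64_decode($_POST['p'])); ?>",
    "wp-content/uploads/.cache.php": "<?php @preg_replace('/.*/e', $_REQUEST['c'], ''); ?>",
    "wp-content/uploads/readme.txt": "nothing to see",
}


def demo():
    """Build the sample site in a temp dir, scan it, return sorted (path, reason)."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in DEMO_FILES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return sorted((f.path, f.reason) for f in scan_tree(root))


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason:28s} {path}")
```

Note what the heuristics do and do not catch: `process.php` and the hidden `.cache.php` are flagged because they execute attacker-supplied code, but `bill.php`, which only harvests the card field into a log, trips no pattern. That is why the report's advice pairs a content search with a look at recently modified files and oddly named directories: pass the first-detection timestamp from the report (converted to a UNIX time) as `modified_since` and review everything that comes back, not only the regex hits.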