February 1st, 2006, 05:49 AM
This came to my inbox today (I've removed my e-mail login name). I think this must be a phishing attempt.
1) I don't remember having a PayPal account. If I did at one time, I haven't used it in three years.
2) Per the PayPal site, they would have used my real name if this was a valid email.
Look at the link I'm supposed to click. Does that look suspicious to you?
For the wages of sin is death, but the free gift of God is eternal life in Christ Jesus our Lord.
(Romans 6:23, WEB)
February 1st, 2006, 06:28 AM
The SamSpade Whois shows:
Server Used: [ whois.godaddy.com ]
futurecis.futurecis.com = [ 18.104.22.168 ]
Registered through: GoDaddy.com
Domain Name: FUTURECIS.COM
Domain servers in listed order:
For complete domain details go to:
The IP Whois shows:
Server Used: [ whois.nic.ad.jp ]
22.214.171.124 = [ 077M31.oasis.mediatti.net ]
[ JPNIC database provides information regarding IP address and ASN. Its use ]
[ is restricted to network administration purposes. For further information ]
[ use 'whois -h whois.nic.ad.jp help'. To only display English output ]
[ add '/e' at the end of command e.g. 'whois -h whois.nic.ad.jp xxx/e'. ]
a. [Network Number] 126.96.36.199/22
b. [Network Name] MEDIATTI-MBC
g. [Organization] Mediatti Communications Inc.
m. [Administrative Contact] LS032JP
n. [Technical Contact] LS032JP
p. [Nameserver] vs0002.shi.kvh.ne.jp
p. [Nameserver] ns2.kvh.ne.jp
[Assigned Date] 2005/01/16
[Last Update] 2005/01/16 22: 20: 03(JST)
Less Specific Info.
Mediatti Communications Inc.
More Specific Info.
Supposedly in Japan. The Domain is registered via GoDaddy.com. http://futurecis.futurecis.com/.web/ seems to be a compromised server. However, there doesn't seem to be any files beyond the login.php and two text files under the .web folder. It may be that the text files contain the ips of systems it links to. Some of those ips are in Thailand, some in India. The .web folder has this structure:
Index of /.web
Name Last modified Size Description
[DIR] Parent Directory 31-Jan-2006 21:18 -
[TXT] bune.txt 31-Jan-2006 14:38 1k
[ ] login.php 31-Jan-2006 14:39 2k
[TXT] naspa.txt 01-Feb-2006 10:51 1k
Apache/1.3.17 Server at futurecis.futurecis.com Port 80
If you click on the link, the login.php uses the IP numbers in the support txt files to forward you to another system, like:
Oh, yeah, to answer your question, YES it is a Phising expedition.
June 20th, 2006, 05:16 PM
In regards to this thread, I would like to send you my sincerest apologies. Futurecis.com is my domain. I assure you that Future CIS is a legit company and should not have allowed this to happen. The issue has been resolved.
This particular incident took place on one of our servers that had been compromised by an outside source. Due to extended leave that I was on, I was unaware of it until it was too late. The issue has been fixed and will not happen again. Please accept our sincerest apologies. For further information or questions, please visit us at www.futurecis.com or you can email me at Webmaster@FutureCIS.com. Thank you.