Recently, an unscrupulous individual was trying to set up a fake copy of one of our customers' websites, most likely for a phishing scheme, on a server located in the Netherlands. Examining the whois record showed an admin contact with an address and phone number. When we called the number, the person who answered of course knew nothing about whoever had registered the website. Other entries suggested that Yahoo was involved in the hosting. However, for the website to be reachable at all, its DNS records must be delegated to name servers, which are usually those of the web host. Below is a screenshot of the whois results (with some of the information removed).
After querying the name servers' DNS for citibo.com, it was clear that they were pointing back to a server named hosting1-nl.santrex.net. Santrex.net appeared to have hosting servers located in the Netherlands. An abuse ticket was opened on the santrex.net website, and a few hours later the web host suspended the account. While we were still waiting for the FBI to get back to us, contacting the web host directly proved very helpful in getting the website taken down.
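The lookup chain described above (domain NS records, the name servers' addresses, the reverse records that reveal the hosting provider, then the abuse contact from the IP whois record), as an added example that is not part of the original post. The citibo.com and hosting1-nl.santrex.net names are from the post; the 192.0.2.x addresses, the whois excerpt and the abuse mailbox are constructed placeholders.

```python
import re
from ipaddress import ip_address

# Constructed dig-style answer lines modelled on the lookup in the post.
# 192.0.2.0/24 is a documentation range, not the real address of any host.
DIG_OUTPUT = """\
citibo.com.                3600 IN NS  ns1.citibo.com.
ns1.citibo.com.            3600 IN A   192.0.2.10
10.2.0.192.in-addr.arpa.   3600 IN PTR hosting1-nl.santrex.net.
"""

# Constructed IP whois excerpt; the abuse mailbox is a placeholder.
IP_WHOIS = """\
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-HOSTING-NL
country:        NL
abuse-mailbox:  abuse@example-hosting.test
"""

RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(NS|A|PTR)\s+(\S+)$", re.M)

def parse_records(text):
    """Return {(owner, type): [rdata, ...]} from dig-style answer lines."""
    out = {}
    for name, rtype, rdata in RR.findall(text):
        out.setdefault((name.rstrip("."), rtype), []).append(rdata.rstrip("."))
    return out

def reverse_name(ip):
    """in-addr.arpa owner name for an IPv4 address (what a PTR lookup queries)."""
    return ip_address(ip).reverse_pointer

def hosting_hosts(domain, records):
    """Follow NS -> A -> PTR to find the hostnames actually serving the zone."""
    hosts = set()
    for ns in records.get((domain, "NS"), []):
        for ip in records.get((ns, "A"), []):
            for ptr in records.get((reverse_name(ip), "PTR"), []):
                hosts.add((ip, ptr))
    return sorted(hosts)

def provider_domain(hostname):
    """Registrable domain by the last-two-labels heuristic; a public suffix
    list is needed for ccTLDs such as .co.uk, so treat this as approximate."""
    return ".".join(hostname.split(".")[-2:])

def abuse_contacts(whois_text):
    """Collect e-mail addresses from whois lines that mention abuse."""
    return sorted({m for line in whois_text.splitlines() if "abuse" in line.lower()
                   for m in re.findall(r"[\w.+-]+@[\w.-]+", line)})

if __name__ == "__main__":
    recs = parse_records(DIG_OUTPUT)
    for ip, host in hosting_hosts("citibo.com", recs):
        print(ip, host, "->", provider_domain(host))
    print(abuse_contacts(IP_WHOIS))
```

Against live data, the same functions take the output of `dig +noall +answer` and `whois <ip>` in place of the embedded strings.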