thelistdata.com and data-centers-online.com spam emails

A large number of Italian users have reported to us similar spam emails that come from two websites:

thelistdata.com

Homepage screenshot:

Image

data-centers-online.com

Homepage screenshot:

Image

From the screenshots, we can see that these websites do not have a real homepage, which alone makes us think they are scams. The emails contain various links, and one of them says that if we can't see the message in HTML format, we should click a specific link:

hxxp://data-centers-online.com/sending/stats.php?k=b50df751b5378c2a8da74fa9cdf9b5bb561df25238224dadb5d40f24b06147d8ceff829bcacbcf926988f3c733cae54edfda15ef8432a27d8a5eaa31efac020f

The above long URL points to another URL:

hxxp://62.75.223.200/html/wind-18-form/

With IPVoid we see the IP address is detected as suspicious:

Report 2011-04-14 18:21:37 (GMT 1)
IP Address 62.75.223.200
IP Hostname static-ip-62-75-223-200.inaddr.intergenia.de
IP Country DE
Detections 2 / 26 (8 %)
Status SUSPICIOUS

Here is a screenshot of the web page:

Image

The form POST data is redirected to the same index.php page:

<form method="post" action="/html/wind-18-form/index.php">

Also note that on the suspicious web page:

hxxp://62.75.223.200/html/wind-18-form/

there is no SSL connection, even though the form asks us to enter sensitive data and SSL (https://) should be enabled for that. The page is hosted at a suspicious URL that uses a bare IP address as its host, which is itself suspicious, and there is no footer or reference to any company associated with the page. We recommend never clicking links that come from these two (scam?) websites.

The headers of a few of the emails are as follows:

Received: from data-centers-online.com (unknown [174.142.87.163])
Received: by data-centers-online.com (Postfix, from userid 502)
Subject: =?UTF-8?B?Vm9kYWZvbmU6IE1haSB1biBwcmV6em8gY29zaScgYmFzc28h?=
From: Vodafone Partner <vodafonepartner@thelistdata.com>
Reply-To: noreply@thelistdata.com

Received: from data-centers-online.com (unknown [174.142.87.163])
Received: by data-centers-online.com (Postfix, from userid 502)
Subject: =?UTF-8?B?U3VwZXIgUHJvbW96aW9uZSBCbGFja2JlcnJ5ISBQYXNzYSBhIFdpbmQh?=
From: WIND Partner <partnerofwind@thelistdata.com>
Reply-To: partnerofwind@thelistdata.com
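The Subject lines above are RFC 2047 base64-encoded, so they are unreadable until decoded. The following Python sketch is an added example, not part of the original analysis: it decodes the subjects and flags messages whose display name or subject names a brand while the From address belongs to an unrelated domain. The BRAND_DOMAINS allow-list and the function names are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# The two header sets quoted in this post, copied as shown above.
SAMPLES = [
    "Received: from data-centers-online.com (unknown [174.142.87.163])\n"
    "Received: by data-centers-online.com (Postfix, from userid 502)\n"
    "Subject: =?UTF-8?B?Vm9kYWZvbmU6IE1haSB1biBwcmV6em8gY29zaScgYmFzc28h?=\n"
    "From: Vodafone Partner <vodafonepartner@thelistdata.com>\n"
    "Reply-To: noreply@thelistdata.com\n\n",
    "Received: from data-centers-online.com (unknown [174.142.87.163])\n"
    "Received: by data-centers-online.com (Postfix, from userid 502)\n"
    "Subject: =?UTF-8?B?U3VwZXIgUHJvbW96aW9uZSBCbGFja2JlcnJ5ISBQYXNzYSBhIFdpbmQh?=\n"
    "From: WIND Partner <partnerofwind@thelistdata.com>\n"
    "Reply-To: partnerofwind@thelistdata.com\n\n",
]

# ASSUMPTION: illustrative allow-list of domains each brand really sends from.
BRAND_DOMAINS = {"vodafone": ("vodafone.it", "vodafone.com"), "wind": ("wind.it",)}

def domain_of(header_value):
    """Lower-cased domain part of an address header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def analyse(raw):
    msg = message_from_string(raw)
    # RFC 2047 "=?UTF-8?B?...?=" subjects are base64; decode before matching.
    subject = str(make_header(decode_header(msg["Subject"])))
    display = parseaddr(msg["From"])[0]
    from_domain = domain_of(msg["From"])
    text = f"{display} {subject}".lower()
    claimed = [b for b in BRAND_DOMAINS if re.search(rf"\b{b}\b", text)]
    # A brand named in the display name/subject but sent from an unrelated domain.
    mismatch = [b for b in claimed if not any(
        from_domain == d or from_domain.endswith("." + d) for d in BRAND_DOMAINS[b])]
    relay_ips = re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]",
                           "\n".join(msg.get_all("Received", [])))
    return {"subject": subject, "from_domain": from_domain,
            "reply_to_domain": domain_of(msg["Reply-To"]),
            "brand_mismatch": mismatch, "relay_ips": relay_ips}

if __name__ == "__main__":
    for sample in SAMPLES:
        print(analyse(sample))
```

Both messages decode to promotional subjects naming the carrier, while the sending domain is thelistdata.com and the relay IP is the data-centers-online.com host.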

A quick scan with URLVoid:

Report 2011-04-14 18:52:33 (GMT 1)
Website thelistdata.com
Domain Hash 7bdd635133ba0ada9cd2c3abb1913973
IP Address 212.95.58.66
IP Hostname thelistdata.com
IP Country BY (Belarus)
AS Number 28753
AS Name LEASEWEB-DE Leaseweb Germany GmbH (previously…
Detections 2 / 22 (9 %)
Status SUSPICIOUS

Report 2011-04-14 18:57:15 (GMT 1)
Website data-centers-online.com
Domain Hash 7e1a88e9395413f7434fd38aad992eeb
IP Address 174.142.87.163
IP Hostname cl-t217-290cl.privatedns.com
IP Country CA (Canada)
AS Number 32613
AS Name IWEB-AS – iWeb Technologies Inc.
Detections 2 / 22 (9 %)
Status SUSPICIOUS