Sindbad~EG File Manager

Return-Path: <takedown-response+70182839@netcraft.com>
Delivered-To: infinitibizsol@server1.infinitibizsol.com
Received: from server1.infinitibizsol.com
	by server1.infinitibizsol.com with LMTP
	id UJgcABcIJmhmWAkAAQ9a8w
	(envelope-from <takedown-response+70182839@netcraft.com>)
	for <infinitibizsol@server1.infinitibizsol.com>; Thu, 15 May 2025 15:28:23 +0000
Return-path: <takedown-response+70182839@netcraft.com>
Envelope-to: support@rksfinancialsolutions.com
Delivery-date: Thu, 15 May 2025 15:28:23 +0000
Received: from mail-1c.netcraft.com ([52.31.138.216]:42593)
	by server1.infinitibizsol.com with esmtps  (TLS1.3) tls TLS_AES_256_GCM_SHA384
	(Exim 4.98.1)
	(envelope-from <takedown-response+70182839@netcraft.com>)
	id 1uFaVQ-00000002ZN2-3qFA
	for support@rksfinancialsolutions.com;
	Thu, 15 May 2025 15:28:22 +0000
Received: from walleye.netcraft.com (unknown [10.9.0.81])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by mail-1c.netcraft.com (Postfix) with ESMTPS id AB5AF6B41
	for <support@rksfinancialsolutions.com>; Thu, 15 May 2025 15:27:36 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=netcraft.com;
	s=default202405-yu9bqteb95aqcfpg; t=1747322856;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=lBRnJJLWtTbZFhKcBU6mqyIp2+5XhRq+Laihf+aHTlE=;
	b=l0Amfwrrapj9FFg72+8VM/PQ0PRIous08TDeHOeNbG938Dfp5BssOE+GuZkW7DqDedu5FQ
	2gtBo/IDUm9K4a/4JFb5btmreGUXgEgI9XWPtHpLySl0I8PCHJP33q7MlKAzhIUCw7ZM9M
	vTT+5pHEh7Zlg+9pHVwcQC/GgLiQ+5UOYFDxGieiPGRXl7nRdPwEcSJID4TaXT/OVYreaJ
	V2E+IuyzvBs5we0zaArW/67mklEBk4a/noL7R4ogxOKBKbBV46EBnMEqHK2PfWWiUCA5gf
	m8u3pWqmAU5bhZNrV/JNTy169ZbDe4UHiHRS8bWCF83TzaC9KDkiTcKDaCgtPw==
Received: by walleye.netcraft.com (Postfix, from userid 507)
	id A377F19D8; Thu, 15 May 2025 15:27:36 +0000 (UTC)
Content-Transfer-Encoding: 8bit
Content-Type: multipart/report; boundary="_----------=_17473228564053624162"; report-type="feedback-report"
MIME-Version: 1.0
Date: Thu, 15 May 2025 15:27:36 +0000
From: Netcraft Takedown Service <takedown-response+70182839@netcraft.com>
Subject: Issue 70182839: Phishing attack at hxxp://rksfinancialsolutions[.]com/ing/
To: support@rksfinancialsolutions.com
Message-Id: <4bbbe876ac98568dabf1feda724424f0@takedown.netcraft.com>
X-Mailer: MIME::Lite 3.030 (F2.85; T2.17; A2.20; B3.15; Q3.13)
X-Spam-Status: No, score=-0.2
X-Spam-Score: -1
X-Spam-Bar: /
X-Ham-Report: Spam detection software, running on the system "server1.infinitibizsol.com",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 root\@localhost for details.
 Content preview:  Hello, We have discovered a phishing attack on your network.
    hxxp://rksfinancialsolutions[.]com/ing/ [162.0.223.40] hxxp://rksfinancialsolutions[.]com/ing/de/mkfile.php?p=login
    [162.0.223.40] 
 Content analysis details:   (-0.2 points, 5.0 required)
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.0 RCVD_IN_VALIDITY_SAFE_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to
                              Validity was blocked.  See
                             https://knowledge.validity.com/hc/en-us/articles/20961730681243
                              for more information.
                             [52.31.138.216 listed in sa-accredit.habeas.com]
  0.0 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RBL: ADMINISTRATOR NOTICE: The
                             query to Validity was blocked.  See
                             https://knowledge.validity.com/hc/en-us/articles/20961730681243
                              for more information.
                          [52.31.138.216 listed in sa-trusted.bondedsender.org]
  0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                             See
                             http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                              for more information.
                             [URI: netcraft.com]
                             [URI: ing.de]
                             [URI: xarf.org]
  0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to
                              Validity was blocked.  See
                             https://knowledge.validity.com/hc/en-us/articles/20961730681243
                              for more information.
                             [52.31.138.216 listed in bl.score.senderscore.com]
 -0.0 SPF_PASS               SPF: sender matches SPF record
 -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's
                             domain
  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 -0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from
                             envelope-from domain
  0.0 KAM_SHORT              Use of a URL Shortener for very short URL
X-Spam-Flag: NO

This is a multi-part message in MIME format.

--_----------=_17473228564053624162
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="UTF-8"

Hello,

We have discovered a phishing attack on your network.

hxxp://rksfinancialsolutions[.]com/ing/ [162.0.223.40]
hxxp://rksfinancialsolutions[.]com/ing/de/mkfile.php?p=login [162.0.223.40]

It is possible that this attack is being restricted so it is only visible from certain countries. Before deciding that the attack has been resolved please confirm it cannot be viewed from the following countries:
Belgium
Germany

You may not have been aware of this attack, however, you are still responsible for removing it.

This attack targets our customer, ING Germany, website URL https://www.ing.de/.

Please remove this fraudulent content, and any other associated fraudulent content, as soon as possible.

Additionally, please keep the fraudulent content safe so that our customer and law enforcement agencies can investigate this incident further once the site is offline.

More information about the detected issue is provided at https://incident.netcraft.com/027f515200bd/

NEW: A beta version of our next generation incident reports is available at https://beta.incident.netcraft.com/reports/iqvads55rguwd6i2uuls55
See https://beta.incident.netcraft.com/about for more details including API support. Please contact incident-feedback@netcraft.com with any feedback or for more information.

Kind regards,

Netcraft

Phone: +44(0)1225 447500
Fax: +44(0)1225 448600
Netcraft Issue Number: 70183051

To contact us about updates regarding this attack, please respond to this email. Please note: replies to this address will be logged, but aren't always read. If you believe you have received this email in error, or you require further support, please contact: support@netcraft.com.

This mail can be parsed with x-arf tools. Visit http://www.xarf.org/ for more information about x-arf.
--_----------=_17473228564053624162
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Content-Type: message/feedback-report
MIME-Version: 1.0
X-Mailer: MIME::Lite 3.030 (F2.85; T2.17; A2.20; B3.15; Q3.13)
Date: Thu, 15 May 2025 15:27:36 +0000

Feedback-Type: xarf
User-Agent: Netcraft
Version: 1
--_----------=_17473228564053624162
Content-Disposition: attachment; filename="xarf.json"
Content-Transfer-Encoding: base64
Content-Type: application/json; charset=utf-8; name="xarf.json"
MIME-Version: 1.0
X-Mailer: MIME::Lite 3.030 (F2.85; T2.17; A2.20; B3.15; Q3.13)
Date: Thu, 15 May 2025 15:27:36 +0000

eyJSZXBvcnRlckluZm8iOnsiUmVwb3J0ZXJPcmdFbWFpbCI6InRha2Vkb3duLXJlc3BvbnNlKzcw
MTgyODM5QG5ldGNyYWZ0LmNvbSIsIlJlcG9ydGVyT3JnIjoiTmV0Y3JhZnQiLCJSZXBvcnRlck9y
Z0RvbWFpbiI6Im5ldGNyYWZ0LmNvbSJ9LCJSZXBvcnQiOnsiUmVwb3J0VHlwZSI6IlBoaXNoaW5n
IiwiRmlyc3RTZWVuIjoiMjAyNS0wNS0xNVQxNTowNjo0OVoiLCJSZXBvcnRDbGFzcyI6IkNvbnRl
bnQiLCJEYXRlIjoiMjAyNS0wNS0xNVQxNToxOTo1OVoiLCJSZXBvcnRlckNhc2VJRCI6IjcwMTgz
MDUxIiwiUmVwb3J0ZXJOb3RlcyI6IlNlZSBodHRwczovL2luY2lkZW50Lm5ldGNyYWZ0LmNvbS8w
MjdmNTE1MjAwYmQvIGZvciBtb3JlIGluZm9ybWF0aW9uIiwiU291cmNlVXJsIjoiaHR0cDovL3Jr
c2ZpbmFuY2lhbHNvbHV0aW9ucy5jb20vaW5nLyIsIlNvdXJjZUlwIjoiMTYyLjAuMjIzLjQwIn0s
Ik9uQmVoYWxmT2YiOnsiQ29tcGxhaW5hbnRPcmdFbWFpbCI6InRha2Vkb3duLXJlc3BvbnNlKzcw
MTgyODM5QG5ldGNyYWZ0LmNvbSIsIkNvbXBsYWluYW50T3JnIjoiSU5HIEdlcm1hbnkiLCJDb21w
bGFpbmFudE9yZ0RvbWFpbiI6Ind3dy5pbmcuZGUifSwiRGlzY2xvc3VyZSI6dHJ1ZSwiVmVyc2lv
biI6IjEifQ==

--_----------=_17473228564053624162--