A little while ago, I posted about a phish scam in which someone had placed multiple fake PayPal and bank sites on one server in order to trick people into handing over their bank account information. This particular type of scam is quite common, of course; I get a couple dozen a week in my email box these days.

It’s rare to see one computer hosting multiple different fake sites, and rarer still to see them hosted for an extended period of time. Usually, the way it works is that hackers break into a poorly secured Web server (for example, in today’s crop of phish emails there’s a fake PayPal page that’s on a Web site running an outdated, insecure WordPress install, and a fake Abbey Bank page running on a hacked Web site that’s using an old, unpatched copy of the Joomla content management software.)

The fake PayPal and bank sites I discovered a couple of weeks ago were running on a server belonging to an ISP called a2b2.com, which at the time I believed wasn’t actually a corrupt ISP, but rather a single clueless individual. The ISP a2b2.com is located in Great Britain and seems to be run by just one person.

A day after I posted about that site, I received an email from the guy who runs that ISP, telling me that the server had been taken offline and the fake bank and PayPal sites were gone.

I thought that was the end of it. I was wrong.

We’re about to get technical here!