All abuse reports we received in reverse order:

  1. Status: redirect changed to abuser website.

    CloudFlare received a phishing report regarding:
    
    hda.me
    
    Below is the report we received:
    
    Reporter's Name: George Olivetti
    Reporter's Email Address: soc@phishlabs.com
    Reported URLs:
            https://hda.me/f426f
    Logs or Evidence of Abuse: [PL-402515] Phishing redirect hosted on hda.me
    
    Our company investigates computer crime incidents on behalf of banks and other companies.
    
    A phishing redirect page was found to be operating on your network and targeting Apple customers:
    
    
    https://hda.me/f426f
    
    
    104.28.2.217, 104.28.3.217 
    
    We kindly request that you disable or remove the phishing redirect file as soon as possible.
    
    Thank you for your assistance,
    
    George Olivetti
    PhishLabs Security Operations
    soc@phishlabs.com
    +1.202.386.6001
    http://www.phishlabs.com
    Comments: [PL-402515] Phishing redirect hosted on hda.me
    
    Our company investigates computer crime incidents on behalf of banks and other companies.
    
    A phishing redirect page was found to be operating on your network and targeting Apple customers:
    
    
    https://hda.me/f426f
    
    
    104.28.2.217, 104.28.3.217 
    
    We kindly request that you disable or remove the phishing redirect file as soon as possible.
    
    Thank you for your assistance,
    
    George Olivetti
    PhishLabs Security Operations
    soc@phishlabs.com
    +1.202.386.6001
    http://www.phishlabs.com
    
    
    We have provided the name of your hosting provider to the reporter. Additionally, we have forwarded this complaint to your hosting provider. We have also restricted access to the phishing-related content until it has been removed.
    
    Regards,
    
    CloudFlare Abuse
    
  2. Status: redirect changed to abuser website.

    CloudFlare received a phishing report regarding:
    
    hda.me
    
    Below is the report we received:
    
    Reporter's Name: Luis P
    Reporter's Email Address: soc@phishlabs.com
    Reported URLs:
            https://hda.me/6754c
    Logs or Evidence of Abuse: [PL-400858] Phishing redirect hosted on hda.me/6754c
    
    
    Our company investigates computer crime incidents on behalf of banks and other companies.
    
    A phishing redirect page was found to be operating on your network and targeting Apple customers:
    
    
    https://hda.me/6754c
    
    
    104.28.2.217, 104.28.3.217 
    
    We kindly request that you disable or remove the phishing redirect file as soon as possible.
    
    Thank you for your assistance,
    
    Luis P
    PhishLabs Security Operations
    soc@phishlabs.com
    +1.202.386.6001
    http://www.phishlabs.com
    
    
    We have provided the name of your hosting provider to the reporter. Additionally, we have forwarded this complaint to your hosting provider. We have also restricted access to the phishing-related content until it has been removed.
    
    Regards,
    
    CloudFlare Abuse
    
  3. Status: redirect infinite now. We restored to much older db backup. Downtime, provider terminated account, more info here.

    CloudFlare received a phishing report regarding:
    
    hda.me
    
    Below is the report we received:
    
    Reporter's Name: thomas.m.perreault@irs.gov 
    Reporter's Email Address: thomas.m.perreault@irs.gov
    Reported URLs:
            https://hda.me/3a1e2
    Logs or Evidence of Abuse: Dear Abuse Team,
    
    Your company is hosting a redirect that is being advertised in an 
    Internal Revenue Service (IRS) phishing scheme. When victims 
    browse to your site, they are redirected to another site that 
    is impersonating the IRS.
    
    The site is located at: 
    ASN: 13335 
    IP: 104.28.3.217 
    Defanged URL: hxxps://hda[.]me/3a1e2
    
    We are asking for your assistance removing this fraudulent content as 
    quickly as possible and to take the following responses in conjunction 
    with your policies.
    
    Secure Your Site 
    ---------------- 
    Your site was likely the victim of a compromise and steps should be 
    taken to secure your server and the content that it is providing. 
    Please see below for some actions that you may want to implement.
    
    Help Educate Consumers 
    ---------------------- 
    Please see below for instructions if you would like to assist 
    in helping to educate consumers about online fraud.
    
    Help Our Investigation 
    ---------------------- 
    As part of our job, we track and analyze phishing information that over 
    time may lead to the identification and legal action against these 
    phishers. By providing to us any files used in the phish and any relevant 
    logs, you would be assisting us in our efforts. 
    Please email files, logs or any other relevant information to: submits@ofdp.irs.gov
    
    Additional information regarding this site appears below.
    
    If you have any questions, or require further information, 
    please feel free to call me at 1-202-556-2616.
    
    Regards,
    
    Thomas Perreault 
    202-552-1226 (Fax) 
    Online Fraud Detection and Prevention (OFDP) 
    Internal Revenue Service 
    United States Department of the Treasury
    
    --------------------------------------------------------------------------
    
    Securing Your Site  Additional Information 
    ------------------------------------------- 
    Your site was likely the victim of a compromise and steps should be 
    taken to secure your server and the content that it is providing.
    
    Some actions that you may want to take include: 
    - Inspect relevant logs and audit trails. 
    - Inspect recently created/modified user accounts and files (including 
    hidden files/directories). Phishers generally leave backdoor/shells that 
    enable them access back into the server/site if not removed. 
    - Ensure files/directories have the appropriate privileges/permissions. 
    e.g., web files/directories generally should not be world writable. 
    - Ensure web applications have latest security patches and are securely 
    configured (including changing default login credentials).
    
    Ongoing monitoring is also strongly suggested, as most phishing sites 
    return in a few hours to days if the site is not fully secured. 
    For more information see the document from APWG titled: 
    What to Do if Your Website Has Been Hacked by Phishers 
    http://www.apwg.com/reports/APWG_WTD_HackedWebsite.pdf
    
    Help Educate Consumers  Additional Information 
    ----------------------------------------------- 
    As part of this action, we request that you redirect all traffic going 
    to this URL to the following website: 
    http://phish-education.apwg.org/r/ 
    so that consumers will be educated about phishing if they try to access 
    this page. Information about implementing a redirect to this page can be 
    found here: 
    http://education.apwg.org/r/how_to.html
    
    ---------------------------------------------------------------------------------------------------------------------- 
    U.S. Department of the Treasury 
    Internal Revenue Service 
    Online Fraud Detection & Prevention 
    IRS PHISHING SITE Summary 
    ---------------------------------------------------------------------------------------------------------------------- 
    Date Entered: 2016-07-06 
    Time Entered: 10:44:23 
    OFDP Handler: Thomas Perreault <thomas.m.perreault@irs.gov> 
    Phone Number: 202-556-2616 
    ---------------------------------------------------------------------------------------------------------------------- 
    URL INFORMATION:
    
    ASN: 13335 
    Host IP: 104.28.3.217 
    Country: United States 
    ISP: CLOUDFLARENET - CloudFlare, Inc., US
    
    Host PTR: 104.28.3.217 
    Protocol: https 
    Host: hda[.]me 
    Path: /3a1e2 
    Published URL: hxxps://hda[.]me/3a1e2 
    ---------------------------------------------------------------------------------------------------------------------- 
    ----------------------------------------------------------------------------------------------------------------------
    
    
    We have provided the name of your hosting provider to the reporter. Additionally, we have forwarded this complaint to your hosting provider. We have also restricted access to the phishing-related content until it has been removed.
    
    Regards,
    
    CloudFlare Abuse