77.90.141.0/24: A Suspected Stolen Prefix Used for Ongoing QuickBooks Callback Phishing

77.90.141.0/24 is a suspected stolen or misappropriated BGP prefix currently being used for QuickBooks callback phishing and abusive email delivery. In the phishing samples reviewed for this report, three separate emails were sent directly from hosts inside 77.90.141.0/24. Those messages impersonated Intuit and QuickBooks, used the same callback phishing template, and were still active as of 13 Mar 2026 PT.

This post focuses only on direct evidence tied to 77.90.141.0/24. Nine phishing emails were reviewed in total. Three were directly linked to this prefix. Six others were sent from different IP space and are not attributed here to 77.90.141.0/24.

77.90.141.0/24 routing and RIPE data

The RIPE data reviewed for this report identifies the prefix as:

  • inetnum: 77.90.141.0 – 77.90.141.255
  • netname: SUBALLOC-CONTRUST
  • country: DE
  • status: SUB-ALLOCATED PA
  • responsible organisation: K&K Kommunikationssysteme GmbH
  • abuse contact: alex.kontrast.eu@gmail.com

The same RIPE data shows a route object for 77.90.141.0/24 with origin AS396073. The route object was created on 11 Oct 2025 UTC. The inetnum object for the current /24 record was created on 12 Oct 2025 UTC.

The routing-history view reviewed for this prefix shows older visibility, a long quiet period after 2019, and later reappearance under multiple origin ASNs, including AS62425, AS208485, and AS396073. That is not what normal, stable, long-term stewardship of a customer prefix looks like. It looks like a questionable custody trail followed by active abuse.

For that reason, the most accurate description here is not a classic short-lived BGP hijack. The better description is a suspected stolen prefix, a likely misappropriated prefix, or a quietly taken-over netblock that is now being used for phishing operations.

Direct phishing evidence from 77.90.141.0/24

Three QuickBooks phishing emails in the reviewed set were sent directly from IPs inside 77.90.141.0/24.

1) 26 Feb 2026 PT

  • Subject: Your QuickBooks Subscription is due for renewal [redacted]
  • Display identity: notification@quickbooks.intuit.com
  • Return-path: info@qbmarketpro.biz
  • Source host: server7.hgranticsy.com
  • Source IP: 77.90.141.39

2) 6 Mar 2026 PT

  • Subject: Your QuickBooks subscription is due for renewal [redacted]
  • Display identity: Intuit inc
  • Return-path: info@freshledas.com
  • Source host: server6.freshledas.com
  • Source IP: 77.90.141.9

3) 13 Mar 2026 PT

  • Subject: Your QuickBooks subscription is due for renewal. [redacted]
  • Display identity: notification@intuit.com
  • Return-path: info@enlito.info
  • Source host: server4.enlito.info
  • Source IP: 77.90.141.11

These were not random lookalike spam messages. These were structured Intuit and QuickBooks impersonation emails delivered from three separate IPs inside the same /24 over a short time period.

This was callback phishing, not ordinary click phishing

The QuickBooks lure in these emails was designed to push the recipient into a phone-based scam workflow. The messages claimed there was a QuickBooks subscription renewal problem, payment issue, or billing failure and instructed the recipient to call a toll-free number for assistance.

The repeated callback number in the three emails was:

+1 (803) 210-4380

That makes this a callback phishing campaign. The goal is not just to get a click. The goal is to get the target on the phone with the operator.

That matters because callback phishing often targets businesses, accounting staff, finance personnel, and users who are more likely to trust a billing problem than a generic credential theft page.

Shared fingerprints across the three emails

The three emails sent from 77.90.141.0/24 shared multiple technical fingerprints that tie them together as one operation or one reusable phishing kit.

Observed shared traits:

  • same QuickBooks subscription renewal lure
  • same callback number: +1 (803) 210-4380
  • same mailer fingerprint: X-Mailer: Smart_Send_4_4_2
  • same Message-ID host pattern: @WIN-KEJVO9CLD80
  • same pair of inline image attachments: 1.png and 2.png
  • same overall wording and structure, with only minor date changes

This is a strong cluster, not three unrelated messages.

Why these messages are more dangerous than average junk spam

These messages were built to look polished and familiar. They used Intuit and QuickBooks branding, billing language, renewal language, and a support-style phone workflow. The text was cleaner than low-grade commodity phishing. The senders also rotated throwaway domains while keeping the same lure, the same phone number, and the same mailer artifacts.

Two of the three messages authenticated cleanly for the attacker-controlled sender domains using SPF, DKIM, and DMARC. The third soft-failed SPF but still passed DKIM and DMARC. That does not make the emails legitimate. It means the phishing operator controlled the sender domains well enough to pass basic email checks for its own infrastructure.

That is a higher-effort operation than the usual low-quality phish.
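Because the sender domains rotate and pass SPF, DKIM, and DMARC, detection has to key on the fingerprints that stay constant, listed under "Shared fingerprints across the three emails". The following Python sketch is an added example, not tooling from this report: it checks a raw message for those fingerprints plus an Intuit or QuickBooks display name on a non-Intuit address. The sample message is constructed, and its From address, Message-ID local part, receiving MTA name, and body wording are assumptions.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

PREFIX = ipaddress.ip_network("77.90.141.0/24")
X_MAILER = "Smart_Send_4_4_2"
MSGID_HOST = "win-kejvo9cld80"  # compared case-insensitively
CALLBACK = "8032104380"  # +1 (803) 210-4380 reduced to digits
# Constructed sample modelled on email 3; the From address, Message-ID local
# part, receiving MTA name, timestamp and body wording are assumptions.
SAMPLE = """\
Received: from server4.enlito.info (server4.enlito.info [77.90.141.11])
\tby mx.example.test with ESMTP; Fri, 13 Mar 2026 09:00:00 -0700
From: "notification@intuit.com" <info@enlito.info>
Message-ID: <constructed-0001@WIN-KEJVO9CLD80>
X-Mailer: Smart_Send_4_4_2

Your renewal payment failed. Call +1 (803) 210-4380 for assistance.
"""

def match_fingerprints(raw):
    msg = email.message_from_string(raw)
    hits = []
    # Topmost Received is stamped by the receiving MTA; lower ones are forgeable.
    top = (msg.get_all("Received") or [""])[0]
    for ip in re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", top):
        try:
            if ipaddress.ip_address(ip) in PREFIX:
                hits.append("source_ip_in_prefix")
                break
        except ValueError:
            continue
    if (msg.get("X-Mailer") or "").strip() == X_MAILER:
        hits.append("x_mailer")
    msgid = (msg.get("Message-ID") or "").strip().strip("<>")
    if msgid.rpartition("@")[2].lower() == MSGID_HOST:
        hits.append("message_id_host")
    # Text parts only: a number rendered inside an inline image is not seen.
    text = "".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                   for p in msg.walk() if p.get_content_maintype() == "text")
    if CALLBACK in re.sub(r"\D", "", text):
        hits.append("callback_number")
    # Brand in the display name while the real address is outside intuit.com.
    name, addr = parseaddr(msg.get("From") or "")
    dom = "." + addr.rpartition("@")[2].lower()
    if re.search(r"intuit|quickbooks", name, re.I) and not dom.endswith(".intuit.com"):
        hits.append("brand_display_name_mismatch")
    return hits
```

A message matching two or more of these is a reasonable quarantine candidate; the source-IP check assumes the topmost Received header was written by your own edge MTA.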

Why 77.90.141.0/24 should be treated as hostile

The case against 77.90.141.0/24 does not rest on one bad domain or one isolated email. The evidence chain is broader:

  • questionable routing and custody history for the BGP prefix
  • new RIPE route and inetnum records appearing in Oct 2025
  • later visibility under multiple origin ASNs
  • active QuickBooks callback phishing sent directly from multiple IPs in the /24
  • shared infrastructure fingerprints across the phishing emails

Taken together, the observed behavior is consistent with abuse-tolerant infrastructure and phishing delivery. Whether the best label is suspected stolen prefix, misappropriated prefix, or quietly taken-over netblock, the operational conclusion is the same: traffic originating from 77.90.141.0/24 should be treated as high risk.

Indicators

Prefix and ASN

  • 77.90.141.0/24
  • AS396073
  • historical origins observed in supplied routing history: AS62425, AS208485, AS396073

Observed phishing source IPs

  • 77.90.141.39
  • 77.90.141.9
  • 77.90.141.11

Observed source hosts

  • server7.hgranticsy.com
  • server6.freshledas.com
  • server4.enlito.info

Observed sender domains

  • qbmarketpro.biz
  • freshledas.com
  • enlito.info

Phishing theme

  • QuickBooks subscription renewal
  • QuickBooks billing problem
  • Intuit impersonation
  • callback phishing

Reused callback number

  • +1 (803) 210-4380

Shared mailer artifact

  • Smart_Send_4_4_2

Bottom line

77.90.141.0/24 is a suspected stolen or misappropriated prefix that is actively being used for QuickBooks callback phishing. Based on the phishing samples reviewed for this report, this was not a one-off event. The same infrastructure delivered multiple near-identical Intuit and QuickBooks lures from multiple IPs inside the same /24 between 26 Feb 2026 PT and 13 Mar 2026 PT.

That is enough to classify 77.90.141.0/24 as phishing infrastructure.
