I think you’re referring to my statement: “Hopefully AMEX/Vodafone can pinpoint the user account and person hosting this phishing attack.” I did not mean to imply that this would reveal the phisher — instead it would likely reveal the Vodafone user whose account/server was running the phishing attack so that it could be taken down.

The whois confirmed that this domain was in fact owned by Vodafone, and by its structure looks like it could be a static IP assigned to one their customers. In all likelihood the Vodafone user was hacked and not aware that their server was being used for this attack.

Our main discovery and our reason for writing this post was that the phisher used a url shortener that leaked thousands of potential victims IPs — an unusual occurance to my knowledge.