MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, criminology computing and information security in general, always from a perspective closely related to the field of intelligence.

16.2.09

Phishing Kit In-the-Wild for cloning websites

One of the most common strategies in phishing attacks is the use of cloned websites, i.e. a fake web page that closely resembles the legitimate one and is used to steal confidential and financial information from people over the Internet.

This phishing kit offers just that. It is a set of web pages cloned from popular sites, ready to be uploaded to a ghost server and spread (via spam) using social engineering aimed, as it could not be otherwise, at exploiting the weakest link in the security chain: the human factor.

For the moment, and I say for the moment because whoever distributes this kit will probably expand the range of cloned sites, the phishing targets offered are:

AOL.com
AIM.com
d2jsp.org
DailyMotion.com
eBay.com
eBuddy
eGold
EverQuest Forum
FaceBook.com
FileFront.com
Gmail.com
Gmail.de
Habbo.de
Habbohotel.com
Hi5.Com
Hotmail
ICQ.com
store.apple.com
Megaupload.com
MetaCafe
MMOCheats.com
Myspace.com
Nexon.net
OGame.de
Oxedion.de
dhl.de (Packstation)
PayPal.com
PhotoBucket.com
RapidShare.com
RapidShare.de
Ripway.com
Siteworld.de
Skype.com
store.steampowered.com
Strato.com
Usenext.com
VanGuard
Windows Live
Yahoo.com
YouTube.com





As you can see, many of these sites are very well known and widely used.


Each of the folders that holds a cloned site contains, in addition to index.html, a plain text file where the information captured from the victim is stored and a login.php that contains the following code:
<?php
header('Location: website');
$handle = fopen("log.txt", "a");
foreach ($_POST as $variable => $value) {
fwrite($handle, $variable);
fwrite($handle, "=");
fwrite($handle, $value);
fwrite($handle, "\r\n");
}
fwrite($handle, "\r\n");
fclose($handle);
exit;
?>

Here the header('Location: ...') call holds the address of the site the visitor is redirected to, and $handle = fopen("log.txt", "a") opens the text file log.txt in append mode for writing. The foreach loop then writes every submitted form field to that file as a name=value line.

Most of these clones are active, so we must be careful when accessing websites that offer similar services.

On the other hand, it is clear that the kit was designed to commit fraud, and the fact that it is available on the Internet makes it even more dangerous, since it increases the chances of users becoming victims of these fraudulent actions.
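For a hosting provider or incident responder, the three traits of this login.php (redirect, append-mode log file, blind dump of every POST field) make a simple static signature. The scanner below is an added example, not part of the original post or of the kit; the function names, the sample strings and the assumption that the script sits beside an index.html (as the post describes) are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Three traits of the login.php shown above, matched whitespace-tolerantly.
INDICATORS = {
    "redirect": re.compile(r"header\s*\(\s*['\"]Location\s*:", re.I),
    "append_log": re.compile(
        r"fopen\s*\(\s*['\"][^'\"]+['\"]\s*,\s*['\"]a[+b]*['\"]\s*\)", re.I),
    "post_dump": re.compile(r"foreach\s*\(\s*\$_POST\s+as\b", re.I),
}

def indicators(php_source):
    """Return the names of the traits present in one PHP source string."""
    return {name for name, rx in INDICATORS.items() if rx.search(php_source)}

def is_credential_logger(php_source):
    """True only when all three traits occur together in the same file."""
    return indicators(php_source) == set(INDICATORS)

def scan_webroot(root):
    """Return flagged .php files that sit beside an index.html, as in the kit's folders."""
    hits = []
    for php in Path(root).rglob("*.php"):
        source = php.read_text(errors="replace")
        if (php.parent / "index.html").is_file() and is_credential_logger(source):
            hits.append(php.relative_to(root).as_posix())
    return sorted(hits)

# Constructed samples: KIT mirrors the page's login.php, BENIGN is an ordinary form handler.
KIT = """<?php
header('Location: website');
$handle = fopen("log.txt", "a");
foreach ($_POST as $variable => $value) { fwrite($handle, $variable); }
fclose($handle); exit; ?>"""
BENIGN = """<?php
$name = htmlspecialchars($_POST['name']);
header('Location: /thanks.html'); ?>"""

def demo():
    """Build a throwaway webroot with one clone folder and one benign folder, then scan it."""
    with tempfile.TemporaryDirectory() as root:
        for folder, src in (("clone", KIT), ("contact", BENIGN)):
            Path(root, folder).mkdir()
            Path(root, folder, "index.html").touch()
            Path(root, folder, "login.php").write_text(src)
        return scan_webroot(root)
```

This is a heuristic: a hit means the file deserves manual review, and a variant that renames the log file or builds the loop differently would need additional patterns.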


Jorge Mieres
