Phishing campaign aimed at Zynga players
Zynga is a virtual game developer with a wide repertoire of Flash games, which can also be played through social networks such as Facebook, MySpace and Tagged, among others.
Recently, Zynga's image has been used in a phishing campaign that uses some of the games the company offers as cover.
Each folder holding the files used in the fraud contains login_failed.php, logs.php, search.php, succes.html and two .txt files in which the stolen data is recorded in clear text.
The file succes.html is called from the logs.php file and contains two exploits for the vulnerabilities described in CVE-2008-2463 (Office Snapshot Viewer) and CVE-2008-0015 (MsVidCtl Overflow).
It also contains a drive-by download through an iframe tag that redirects to Trenz.pl/rc/pdf.php?spl=pdf_ie2, from which a PDF file is downloaded. That file is detected by 50% of the antivirus engines offered by the VirusTotal service, and its MD5 is 47ea66b43e25169e6bb256e000a16ffd. In addition, the file load.exe (c2a41abc43dd0bcf98ae07315eb4c6f6) is downloaded; in this case, it is detected by 90%.
Both files are in the wild and are part of version 1.2 of an exploit pack known as Eleonore Exploit Pack.
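A hunting sketch for the kit layout and iframe redirect described above, added here as an example (it is not code from the original post): it groups proxy-log URLs by host and directory and grades each group by which kit files were requested. The hosts in SAMPLE_URLS are constructed, and treating a logs.php request as the step after the login form is an assumption drawn from the post's statement that logs.php calls succes.html.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Kit file names as listed in the post (note the misspelt "succes.html").
KIT_FILES = {"logs.php", "search.php", "succes.html"}
# The fake login page shows up with several separators and extensions.
LOGIN_RE = re.compile(r"^login[_-]failed\.(php|html?)$", re.I)

# Constructed sample URLs, as they might be extracted from a proxy log.
SAMPLE_URLS = [
    "http://freehost.example/promo_a/login_failed.php",
    "http://freehost.example/promo_a/logs.php",
    "http://freehost.example/promo_a/succes.html",
    "http://freehost.example/promo_b/login-failed.html",
    "http://redirector.example/rc/pdf.php?spl=pdf_ie2",
    "http://intranet.example/app/logs.php",  # generic name alone: not flagged
]

def classify(url):
    """Return (host, directory, tag); tag is None when nothing matches."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    directory, _, leaf = parts.path.rpartition("/")
    leaf = leaf.lower()
    if LOGIN_RE.match(leaf):
        tag = "login"
    elif leaf in KIT_FILES:
        tag = leaf
    elif leaf == "pdf.php" and "spl" in parse_qs(parts.query):
        tag = "exploit-redirect"  # pdf.php?spl=... as in the iframe target
    else:
        tag = None
    return parts.hostname, directory, tag

def hunt(urls):
    """Group matches per (host, directory) and grade each group."""
    seen = defaultdict(set)
    for url in urls:
        host, directory, tag = classify(url)
        if tag:
            seen[(host, directory)].add(tag)
    findings = {}
    for key, tags in seen.items():
        if "exploit-redirect" in tags:
            findings[key] = "exploit pack redirect (spl= parameter)"
        elif {"login", "logs.php", "succes.html"} <= tags:
            findings[key] = "kit flow completed, exploit page served"
        elif "login" in tags:
            findings[key] = "phishing form viewed"
    return findings

if __name__ == "__main__":
    for (host, directory), verdict in hunt(SAMPLE_URLS).items():
        print(f"{host}{directory}: {verdict}")
```

A client that reaches the "kit flow completed" grade has both submitted data to the form and loaded the page carrying the two exploits, so it warrants a credential reset and an endpoint check rather than only a block rule.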
Related information
Phishing database III
Jorge Mieres