Category Archives: Phishing

Phishing: PayPal Notice of Policy Updates

Be aware: we have logged a large number of phishing emails targeting PayPal users in recent days. The phishing email looks almost identical to the real PayPal message, but the link in the message redirects the user to a URL shortener service.

[Image: phishing PayPal "Notice of Policy Updates" email]

The malicious link present in the email is:

hxxp://lnko.in/bhqr

The user is redirected to these malicious links (in order):

hxxp://107.6.59.96/recordings/misc/
hxxp://107.6.59.96/recordings/misc/3d1e2032ae804fac6c085a5f6b7a8b3a/
hxxp://107.6.59.96/recordings/misc/3d1e2032ae804fac6c085a5f6b7a8b3a/personal/
hxxp://107.6.59.96/recordings/misc/3d1e2032ae804fac6c085a5f6b7a8b3a/personal/security/
hxxp://107.6.59.96/recordings/misc/3d1e2032ae804fac6c085a5f6b7a8b3a/personal/security/95622de1bba96186ae6cc72e1d311c0c

The HTML source of the page at the last malicious link is obfuscated (it is decoded client-side by JavaScript):

[Image: phishing PayPal HTML page, encoded source]

If JavaScript is enabled in your browser, the HTML page loads correctly:

[Image: phishing PayPal page at the final URL]

When the user enters the login details, the form sends the POST data to a script:

[Image: POST fields sent by the phishing PayPal login form]

The malicious script is named:

paypal.php

The script is used to collect the login details entered by the user.

This kind of phishing attack is easy to spot: a quick look at the browser address bar shows that the site is not paypal.com (the legitimate domain) but a bare IP address, the connection is not HTTPS, and with JavaScript disabled the HTML page is blank.
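
One way to turn those address-bar checks into code, as an added example that is not part of the original post: the shortener and brand lists are small constructed ones, and the registrable-domain split is a naive two-label approximation rather than a public-suffix lookup.

```python
import ipaddress
from urllib.parse import urlparse

# Assumptions for this demo: a tiny shortener list and brand list; a real
# gateway would use a maintained shortener feed and the public-suffix list.
SHORTENERS = ("lnko.in", "bit.ly", "tinyurl.com")
BRANDS = ("paypal", "ebay", "visa", "mastercard")

def refang(url: str) -> str:
    """Undo the defanging used in the post: drop inserted spaces, restore http(s)."""
    url = url.replace(" ", "")
    return url.replace("hxxps://", "https://").replace("hxxp://", "http://")

def host_is_ip(host: str) -> bool:
    """True for a bare IP literal such as 107.6.59.96."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def registrable_domain(host: str) -> str:
    """Naive last-two-labels approximation of the registrable domain."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def phishing_indicators(url: str) -> list:
    """The address-bar checks from the post, returned as indicator names."""
    parsed = urlparse(refang(url))
    host = (parsed.hostname or "").lower()
    findings = []
    if parsed.scheme != "https":
        findings.append("no-https")
    if host_is_ip(host):
        findings.append("ip-literal-host")
    if host in SHORTENERS:
        findings.append("url-shortener")
    # Brand name in the host or path but not in the registrable domain:
    # the "looks like PayPal, is not paypal.com" pattern.
    reg = registrable_domain(host)
    text = (host + parsed.path + "?" + parsed.query).lower()
    for brand in BRANDS:
        if brand in text and brand not in reg:
            findings.append("brand-outside-domain:" + brand)
    return findings
```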

Phishing: Attention ! Votre compte PayPal a ete limite (Warning! Your PayPal account has been limited)

New phishing email used to spread HTML files with fake PayPal login forms:

[Image: phishing email]

Header details:

Received: from ns3.komvos.gr (ns3.komvos.gr [88.198.65.153])
Received: by ns3.komvos.gr (Postfix, from userid 48)
Subject: Attention ! Votre compte PayPal a été limité !
From: Service Paypal
Date: Mon,  4 Jun 2012 13:00:12 +0300 (EEST)
Content-Disposition: attachment; filename="Informations Compte Paypal .zip"

There is a ZIP file attached:

File: Informations Compte Paypal .zip
Size: 5391 bytes

The extracted file is a .HTML file:

File: Informations Compte Paypal .html
Size: 22525 bytes

From this HTML code:

<form action="hxxp:// byrongoldworks .com /mainbody.php" method="post" name="zaz" onsubmit="return verif_formulaire()">

We can see that the sensitive data of the form is sent to:

hxxp:// byrongoldworks .com /mainbody.php

Report from URLVoid:

URLVoid Report for byrongoldworks .com

Phishing: A causa del nostro recente aggiornamento. Verified by Visa (Due to our recent update. Verified by Visa)

We have logged other phishing emails used to steal details of Visa users:

From - Mon Apr 23 16:04:50 2012
Received: from ser.just3d.tv (unknown [91.227.127.33])
Received: (qmail 23589 invoked by uid 0); 23 Apr 2012 13:21:36 -0000
Received: from unknown (HELO User) (admin@just3d.tv@151.58.16.184)
Reply-To: sicurela@visaltalia.it
From: "verified by visa" verified@visaitalia.com
Subject: A causa del nostro recente aggiornamento.
Date: Mon, 23 Apr 2012 15.21.34 +0200
To: undisclosed-recipients:;

Note the source of the message in the email header:

Received: from ser.just3d.tv (unknown [91.227.127.33])

It has nothing to do with Visa. Note also the Reply-To address:

Reply-To: sicurela@visaltalia.it

Note that in visaltalia.it the fifth letter is a lowercase L, not an i.

The email message (translated from Italian):

Dear Customer,
Due to our recent update on our servers
(23/04/2012) it is necessary to update your profile.
For greater security and access, please fill in the
attached form.

We thank you for your cooperation.

Copyright Visa Europe 2012. All rights reserved

There is also an attached file named visaitalia.html:

File: visaitalia.html
Size: 20015 bytes

The attached file contains the form used to send the typed details to a remote link. Listed below are a few malicious links extracted from the attached HTML file:

hxxp:// leonidasvancouver .com /admin/plm/plm.html
hxxp:// rottenfish .de /vbv/plm_files/Logo-Mastercard_Secure_Code.gif
hxxp:// rottenfish .de /vbv/plm_files/fin_VerifiedByVisa_186x79.gif
hxxp:// rottenfish .de /vbv/run.php

The malicious websites are classified as detected in URLVoid:

http://www.urlvoid.com/scan/rottenfish .de/
http://www.urlvoid.com/scan/leonidasvancouver .com/

Phishing: Votre carte bancaire est suspendue (Your bank card is suspended)

Another email containing a malicious URL, used in a phishing attack against MasterCard and Visa users:

Return-Path: <services@security.com>
Received: from mailrtr1.deltacom.net (mailvip.deltacom.net [72.243.252.244])
Received: from User ([66.0.110.18]) by mailrtr1.deltacom.net (MOS 4.1.10-GA)
From: "visaeurope"<services@security.com>
Subject: Votre carte bancaire est suspendue
Date: Sun, 7 Aug 2011 00:12:08 -0500
To: undisclosed-recipients:;

Email message (translated from French):

Hello Visa card customers,

Your bank card is suspended, because we have encountered a problem on your chart.
We have determined that a person may be using your chart without your authorization.
For your protection, we have suspended your bank account through your credit card. To lift this suspension,

Click here
and follow the indicated procedure to update your account by credit card.

Malicious URL:

hxxp:// jinwonyc.startlogic. com/vbv/visaeurope.fr/europ-pay/visaeurope/securite/login.aspx/

URLVoid Analysis:

http://www.urlvoid.com/scan/jinwonyc.startlogic.com

Phishing: New Unpaid Item Message from jxavier14: #14027471062

Phishing attack against eBay users:

Return-Path: <aw-confirm@mail.aby.fr>
Received: from mail.ktmtalk.com (mail.ktmtalk.com [173.74.246.25])
Received: from User [98.175.62.124] by mail.ktmtalk.com with ESMTP
Reply-To: <aw-confirm@mail.aby.fr>
From: "eBay Member jxavier14"<aw-confirm@mail.aby.fr>
Subject: New Unpaid Item Message from jxavier14: #14027471062 -- response required
Date: Sat, 6 Aug 2011 06:34:47 -0500
To: undisclosed-recipients:;

Email message:

Dear member,
 
eBay member charly1 has left you a message regarding item #14020078062
 
View the dispute thread to respond.

The malicious URL points to:

hxxp:// newcastlelimo .net/ebay-fr/eBayISAPI.dll.htm

Image of the phishing page:

[Image of the phishing page]

Note that the connection is NOT secure and does not use SSL (HTTPS).

URLVoid Analysis:

http://www.urlvoid.com/scan/newcastlelimo.net

Phishing: Your Paypal Account Will Be Limited

New phishing email related to PayPal accounts:

Return-Path: <servviice@paybal.com>
Received: from WIN-ATAF5I4OOP1 (unknown [96.44.188.43])
Received: from User ([127.0.0.1]) by WIN-ATAF5I4OOP1
From: "Paypal"<servviice@paybal.com>
Subject: Your Paypal Account Will Be Limited
Date: Tue, 17 May 2011 18:38:40 -0700
To: undisclosed-recipients:;

Message:

[Image of the email message]

Note that the email comes from:

From: "Paypal"<servviice@paybal.com>

The domain paybal.com is parked!
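
The one-letter lookalike trick here (paybal.com) is the same one used in the visaltalia.it Reply-To address above. This added example, not from the original posts, flags sender domains whose second-level label is within one edit of a brand's label; the brand allow-list is an assumption.

```python
# Assumption: a small allow-list of brand domains the mail gateway protects.
BRAND_DOMAINS = ("paypal.com", "visaitalia.com", "ebay.com")

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) using a single-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(header_value: str) -> str:
    """Domain of the address in a From:/Reply-To: value such as '"Paypal"<x@y.com>'."""
    addr = header_value
    if "<" in addr and ">" in addr:
        addr = addr[addr.rindex("<") + 1 : addr.rindex(">")]
    addr = addr.strip().lower()
    return addr.rsplit("@", 1)[1] if "@" in addr else ""

def second_level_label(domain: str) -> str:
    """'paybal' for 'paybal.com'; a naive split with no public-suffix list."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else domain

def classify_sender(header_value: str, max_distance: int = 1) -> tuple:
    """('legit', brand) on an exact domain match, ('lookalike', brand) when the
    label is within max_distance edits of a brand label, else ('unrelated', '')."""
    domain = sender_domain(header_value)
    if not domain:
        return ("unrelated", "")
    if domain in BRAND_DOMAINS:
        return ("legit", domain)
    label = second_level_label(domain)
    best = None
    for brand in BRAND_DOMAINS:
        d = levenshtein(label, second_level_label(brand))
        if d <= max_distance and (best is None or d < best[1]):
            best = (brand, d)
    return ("lookalike", best[0]) if best else ("unrelated", "")
```

A TLD swap such as paypal.it scores as a lookalike too, since only the label is compared and the full domain is not on the allow-list.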

Malicious URL that redirects to the phishing PayPal login page:

hxxp://www.doncastersc.vic.edu .au/calendar/paypal.secure.update.service/paypal.secure.login/safe.login.process/language&id=en/80a13c0db1f1ff80d546411d7f8a8350c132bc41e0934c/us/webscr.php?cmd=_login-run&dispatch=3885d80a13c0db1f1ff80d546411d7f8a8350c132bc0

URLVoid domain analysis:

http://www.urlvoid.com/scan/paybal.com
http://www.urlvoid.com/scan/doncastersc.vic.edu.au