Hi,
This classic form of scam is now being sent to @hotmail.it accounts. Here are some details on the e-mail:
Subject: Accredito temporaneamente bloccato ("Credit temporarily blocked")
From: accrediti@posteitaliane.it
Content: Latest from Poste Italiane: Dear Customer,
We have received notification of a credit of Euro 100 from UFFICIO POSTALE ROMA 52. The credit has been temporarily blocked because of an inconsistency in your details; you can now verify your details and the amount will then be credited to your postal account
The victim is directed to
http://www.nouvelles-alternatives.be/wp-content/conf.php
which contains:
<HTML>
<HEAD>
<META HTTP-EQUIV="REFRESH" CONTENT="0; URL=http://osrever.es/intranet/modules/mod_login/bpol/CARTEPRE/">
</HEAD>
</HTML>
The victim is then automatically redirected to osrever.es, which contains another redirect:
<HEAD><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<body>
</body>
<HTML><TITLE>POSTE</TITLE>
<meta http-equiv="Refresh" content="0; URL=index.php?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid=">
</HEAD>
</HTML>
Finally, the user lands here:
As we can see from the source code, there is a classic structure that asks the user for a username and password. These are the functions:
function ControllaPassword()
{
    var f = window.document.frmRegister
    if (f.password.value.length > 10 )
    {
        alert("La Password non puo' superare la lunghezza di 10 caratteri.")
        f.password.focus()
        return false
    }
    return true
}
That verifies that the password has a correct length, and
function ControlloValori()
{
    var f = window.document.frmRegister
    if (f.login.value=="")
    {
        alert("Inserire il nome utente")
        f.login.focus
        return false
    }
    if ( ControllaPassword() == false )
    {
        return false;
    }
    return true
}
which collects the user name and password.
If the credentials are correct, the user is directed here:
where the user is asked for CC, CVV2 and Scad (expiry date).
Here is some info about this malicious domain:
| IP Address: | 87.106.195.10 |
| IP Location | Spain – Schlund + Partner Ag |
| Response Code: | 200 |
| Domain Status: | Registered And Active Website |
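
The redirect chain described above can be reconstructed offline from saved page source, without visiting the sites. The following Python sketch is an added example, not part of the original analysis: it extracts the meta-refresh targets from the two snippets quoted in this post and flags the hop where the hostname changes. The names refresh_target, follow_chain and cross_domain_hops are assumptions made for this illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Page sources as quoted in this post (typographic quotes normalised to ").
PAGES = {
    "http://www.nouvelles-alternatives.be/wp-content/conf.php":
        '<HTML><HEAD><META HTTP-EQUIV="REFRESH" CONTENT="0; URL='
        'http://osrever.es/intranet/modules/mod_login/bpol/CARTEPRE/">'
        '</HEAD></HTML>',
    "http://osrever.es/intranet/modules/mod_login/bpol/CARTEPRE/":
        '<HEAD><body></body><HTML><TITLE>POSTE</TITLE>'
        '<meta http-equiv="Refresh" content="0; URL=index.php'
        '?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid="></HEAD></HTML>',
}
# content="<seconds>; URL=<target>", with the URL= prefix and quotes optional
REFRESH_RE = re.compile(r"\s*\d+\s*[;,]\s*(?:url\s*=\s*)?['\"]?(.+?)['\"]?\s*$", re.I)

class MetaRefresh(HTMLParser):
    """Records the target of the first <meta http-equiv="refresh"> tag."""
    target = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag != "meta" or self.target or a.get("http-equiv", "").lower() != "refresh":
            return
        m = REFRESH_RE.match(a.get("content", ""))
        if m:
            self.target = m.group(1)

def refresh_target(html, base_url):
    """Absolute URL a browser would be sent to, or None if no meta refresh."""
    parser = MetaRefresh()
    parser.feed(html)
    return urljoin(base_url, parser.target) if parser.target else None

def follow_chain(start, pages, max_hops=10):
    """Walk saved sources hop by hop; stops on loops, gaps or max_hops."""
    chain = [start]
    while chain[-1] in pages and len(chain) <= max_hops:
        nxt = refresh_target(pages[chain[-1]], chain[-1])
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain

def cross_domain_hops(chain):
    """Hops where the hostname changes, the pattern seen in this campaign."""
    return [(a, b) for a, b in zip(chain, chain[1:])
            if urlsplit(a).hostname != urlsplit(b).hostname]
```

Run over the two quoted sources, follow_chain returns three URLs and cross_domain_hops reports the single jump from nouvelles-alternatives.be to osrever.es.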
See you in the next post.