PDF Reader 2009 – Fraud-Scam

May 24, 2009

Hi,

Scam over software mantains high its trend, this time the software used is PDF Reader 2009, the message is the following:

+———————————————————————————–

PDF Reader 2009 – New Version for Windows
The latest PDF Reader: Open, Edit & Create PDF Files

Activation Code: 9462

http://bulletinqrelease.com/re.php?lnk=1203489724

Included in this package:

OpenOffice Suite – Get things done more quickly and improve your work efficiency.

-Open, edit and view all PDF files.
-Enhanced performance with faster loading and zooming.
-Collect your data and combine it into a high quality document.

Activation Code: 9462

http://bulletinqrelease.com/re.php?lnk=1203489724

Download the complete Office solution today and also receive free updates and 24/7 customer support.

“Since the 90′s, PDF has become the standard file format for document exchange.” – Adobe

Activation Code: 9462

http://bulletinqrelease.com/re.php?lnk=1203489724

Thank you for choosing us, the worldwide leader in PDF Reader Solutions.

Best Regards,

Michael Daniels
PDF Reader 2009
You will not get anymore of our emails if you go here

http://bulletinqrelease.com/

or write to:

Plaza Neptuno, local #7
Via ricardo J Alfaro, Tumba Muerto
Panama Ciudad
Republica de Panama

+———————————————————————————–

The true PDF Reader 2009 can be free downloaded, in this case user is asked for an activation code and next prompted to a Special Offers page, where victim can chose some benefits at payment, money transaction is accoplished with Credit Card.

As usual in these frauds, money is stolen and no service is given.

Here some inspections about the domain:

ICANN Registrar: ENOM, INC.
Created: 2009-05-20
Expires: 2010-05-20
Updated: 2009-05-20

Server Data

IP Address: 67.209.131.18 Whois | Reverse-IP | Ping | DNS Lookup | Traceroute
IP Location United States – Nevada – Las Vegas – Acampana
Response Code: 200
Domain name: bulletinqrelease.com

Registrant Contact:
WhoisGuard
WhoisGuard Protected ()


Banca Popolare di Milano Fraud

May 7, 2009

Hi,

here a recent attempt of fraud, this morning I’ve received the following mail:

—————

Subject: Ottimizzazione Piattaforma Tecnica Populare di Milano Gentile Cliente, Desiderosi di evitare il possibili tentativi di frode on-line, Banca Populare di Milano, e in corso per ottimizzare la piattaforma tecnica di servizio Banca Populare Online tra il 5 maggio 2009 al 10 maggio 2009. Per evitare eventuali perdite di dati si prega di compilare il modulo ” Forma di aggiornamento dati di contatto in relazione alla Banca ” che si trova sul nostro sito web o in allegato alla presente e-mail. Ci scusiamo per gli eventuali disagi causati. http://www.bpmbanking.it.servizibmp.com/pub/xol/homePriv.do.php?tabId=nav_pub_xol_home Grazie per la comprensione, Populare di Milano Sanpaolo Online _____________________________________________________________________________________ Frodi online ANNUALE FARE MIGLIAIA DI VITTIME – Non essere uno di loro! Banca Popolare di Milano Societа Cooperativa a r.l. – P.IVA 00715120150 – Gruppo Bipiemme

————-

First of all the email presents a recurrent error, the term ‘populare’ that seems inspired by spanish/brazilian tongue.

The second suspicious thing is the URL: http://www.bpmbanking.it.servizibmp.com/pub/xol/homePriv.do.php?tabId=nav_pub_xol_home

servizibmp.com sounds strange, so let’s inspect this domain..

Registry Data
ICANN Registrar:     MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
Created:     2009-05-07
Expires:     2010-05-07
Updated:     2009-05-07
Registrar Status:     clientTransferProhibited
Name Server:     YNS1.YAHOO.COM (has 2,399,082 domains)
Name Server:     YNS2.YAHOO.COM (has 2,399,082 domains)
Whois Server:     whois.melbourneit.comServer Data
IP Address:     216.39.62.190 Whois | Reverse-IP | Ping | DNS Lookup | Traceroute
IP Location     United States – California – Sunnyvale – Altavista Company
Response Code:     200
Domain Status:     Registered And Active Website

As you can understand an Italian Banking Service that is located in California – Sunnyvale and powered by Altavista Company it’s REALLY strange :)

the final demostration that this is a fraud comes out the inspection of real server of bpm,www.bpmbanking.it that is placed in Italy.

By browsing http://servizibmp.com we are suddenly prompted into a directory list that contains the following entries:

pub/

tmp/

in pub we have:

/pub/xol/

complete.php

go.php

homePriv.do.php

inserti.php

These are fake php pages used to catch victims informations.

See you to the next post :)


EventPairs Reversing – EventPairHandle as Anti-Dbg Trick

May 6, 2009

Hi,

I’ve published

EventPairs Reversing – EventPairHandle as Anti-Dbg Trick

The paper is here:

http://evilcry.netsons.org/tuts/EventPairsHandle.pdf

Have a nice read :)

Giuseppe ‘Evilcry’ Bonfa’


Follow

Get every new post delivered to your Inbox.