Redirection to my second blog:
http://evilcodecave.blogspot.com/2009/09/new-case-of-msn-identity-theft-let.html
Hi,
Scams built around software keep up their trend; this time the software used as bait is PDF Reader 2009, and the message is the following:
+———————————————————————————–
PDF Reader 2009 – New Version for Windows
The latest PDF Reader: Open, Edit & Create PDF Files
Activation Code: 9462
http://bulletinqrelease.com/re.php?lnk=1203489724
Included in this package:
OpenOffice Suite – Get things done more quickly and improve your work efficiency.
-Open, edit and view all PDF files.
-Enhanced performance with faster loading and zooming.
-Collect your data and combine it into a high quality document.
Activation Code: 9462
http://bulletinqrelease.com/re.php?lnk=1203489724
Download the complete Office solution today and also receive free updates and 24/7 customer support.
"Since the 90's, PDF has become the standard file format for document exchange." – Adobe
Activation Code: 9462
http://bulletinqrelease.com/re.php?lnk=1203489724
Thank you for choosing us, the worldwide leader in PDF Reader Solutions.
Best Regards,
Michael Daniels
PDF Reader 2009
You will not get any more of our emails if you go here
or write to:
Plaza Neptuno, local #7
Via ricardo J Alfaro, Tumba Muerto
Panama Ciudad
Republica de Panama
+———————————————————————————–
The real PDF Reader 2009 can be downloaded for free; in this case the user is asked for an activation code and then sent to a Special Offers page, where the victim can choose some benefits for a fee, with the money transaction completed by credit card.
As usual in these frauds, the money is stolen and no service is delivered.
Here are some findings about the domain:
ICANN Registrar: ENOM, INC.
Created: 2009-05-20
Expires: 2010-05-20
Updated: 2009-05-20
Hi,
My MSN honeypot caught, a few moments ago, another classical MSN credentials theft.
The technique used is the classical offline message sent by an already compromised contact.
Here is the message:
___________________________
Xxx writes:
Xxx check out these awesome pics from the awesome party LOL http://Yyy.nustuff4u.com
__________________________
nustuff4u.com presents a classical form that asks for:
MSN E-Mail
MSN Password
and, as usual and as already seen (please refer to my previous MSN-related blog posts), a disclaimer.
Now let's investigate this domain a bit.
ICANN Registrar: ENOM, INC.
Created: 2008-12-04
Expires: 2009-12-04
Updated: 2008-12-04
Registrar Status: clientTransferProhibited
Name Server: DNS1.REGISTRAR-SERVERS.COM (has 151,962 domains)
Hi,
This morning I discovered another amusing fraud attempt, based on a fake membership to download Open Office 2009. This is the mail I received:
—————————————————————–
Open Office Suite 2009
Office Solutions
Read and write PDF files just like Adobe.
Here’s how to download Open Office 2009:
1. Go to: Download Page
2. Download Open Office 2009
3. Receive access immediately
This software package is the best way to edit your documents.
Publish all of your documents online in the HTML format.
Thank you for choosing us, the worldwide leader in Open Office 2009.
For More Information Visit our Website
Thank You,
David Matthews
Plaza Neptuno, local #7
Via ricardo J Alfaro, Tumba Muerto
Panama Ciudad
Republica de Panama
—————————————————————–
Republica de Panama? and OpenOffice? Doesn't that look really strange?!
But let's look at this 'great offer': by clicking on the link reported in the mail we are suddenly sent to:
http://67.214.168.130/openoffice/index.asp?aff=001&camp=openoffice_espd&kbid=1587&sub=oo_espd&pop=1
and this too, as you should understand, sounds strange: an OpenOffice website hosted on a bare IP address.
A classical, well-designed fake page. Now let's click on download: as we can see we are asked for a membership, and after filling in the e-mail and name/surname fields the core of the scam appears: the membership to be activated requires a credit card payment.
After accepting we are in front of a classical phishing form that contains:
Here you can see the screenshot:
After clicking, the system "validates" your transaction and the fraud is successfully completed.
Here is some information about the IP used:
OrgName: Colostore.com
OrgID: KCA-7
Address: 1805 South Michigan Street
City: South Bend
StateProv: IN
PostalCode: 46613
Country: US
ReferralServer: rwhois://rwhois.colostore.com:4321/
NetRange: 67.214.160.0 - 67.214.191.255
CIDR: 67.214.160.0/19
OriginAS: AS12260
NetName: COLOSTORE-COM
NetHandle: NET-67-214-160-0-1
Parent: NET-67-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.COLOSTORE.COM
NameServer: NS2.COLOSTORE.COM
Comment: http://www.colostore.com
RegDate: 2007-09-28
Updated: 2008-07-21
See you at the next post.
Hi,
The following blog entry is the result of research carried out by me and Emdel from Playhack, who received the mail and wrote the paper with me.
The scam email is the following:
_________________________________________________
DEAR CUSTOMER OF _BANCA UBI,_ The Technical Service of Banca UBI Online is performing a scheduled update of the banking software in order to improve the quality of its banking services. We ask you to start the customer data confirmation procedure. For this purpose, please click on the link that you will find at the end of this message. CLICK HERE TO CONFIRM [1] We apologise for any inconvenience and thank you for your cooperation. © Gruppo UBI Banca 2008 Links:
_________________________________________________
Which contains the following link:
This URL, http://79.165.218.183/login.php, is clearly a phishing site: there is no secure connection, so loved by the banks, and the URL is just an IP address. Looking at the browser bar we can see a redirection:
This last URL gives us the following reply:
HTTP/1.1 302 Found
Date: Sun, 28 Sep 2008 12:53:17 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch10 mod_ssl/2.2.3 OpenSSL/0.9.8c
X-Powered-By: PHP/5.2.0-8+etch10
location: http://quiubi-line.com/hd/login.do.php
Content-Length: 0
Connection: close
Content-Type: text/html; charset=WINDOWS-1251
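The traits the write-up relies on to call this a phishing site (no TLS, a bare IP as host, a login path, and a redirect to a lookalike of the real bank domain) can be checked mechanically. The following is an added example, not code from the original post: it extracts the Location header from the captured 302 response quoted above and scores both URLs of the chain. The list of legitimate hostnames is an assumption.

```python
"""Added example: score phishing-URL signals and follow a captured redirect."""
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed list of the bank's legitimate domains, used for the lookalike check.
LEGIT_DOMAINS = {"quiubi.it"}


def is_legit_host(host):
    """True when host is a legitimate bank domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def url_signals(url):
    """Return the list of suspicious traits present in url, in a fixed order."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    signals = []
    if parts.scheme != "https":
        signals.append("no-tls")
    try:
        ipaddress.ip_address(host)          # raises ValueError for names
        signals.append("raw-ip-host")
    except ValueError:
        pass
    for legit in sorted(LEGIT_DOMAINS):
        label = legit.split(".")[0]         # "quiubi" for quiubi.it
        if not is_legit_host(host) and label in host:
            signals.append("lookalike-of:" + legit)   # e.g. quiubi-line.com
            break
    if re.search(r"/login\.\w+", parts.path):
        signals.append("login-path")
    return signals


def redirect_target(raw_response):
    """Return the Location header of a captured 3xx response, else None."""
    status_line, _, header_block = raw_response.partition("\r\n")
    if not re.match(r"HTTP/1\.[01] 30[1278]", status_line):
        return None
    for line in header_block.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return value.strip()
    return None


# Constructed from the response headers quoted in the write-up.
CAPTURED_302 = ("HTTP/1.1 302 Found\r\nServer: Apache/2.2.3 (Debian)\r\n"
                "location: http://quiubi-line.com/hd/login.do.php\r\n"
                "Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    first = "http://79.165.218.183/login.php"
    for u in (first, redirect_target(CAPTURED_302)):
        print(u, url_signals(u))
```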
Dissection
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//IT" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><title>Gruppo UBI Banca – Qui UBI – LOGIN</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta http-equiv="CONTENT-LANGUAGE" content="Italian">
<meta http-equiv="Expires" content="Dom, 01 Gen 2006 11:56:50 GMT">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Cache-Control" content="no-cache">
<meta name="keywords" content="">
<meta name="description" content="Build Fase 4.40.00 – 30.01.2008 – Blocchi CI">
<link rel="stylesheet" href="login.do_files/bpu.css" type="text/css">
<link rel="shortcut icon" href="https://www.quiubi.it/hb/favicon.ico">
Here the fraud starts:
<h2 title="Benvenuto in Qui UBI Home Banking">
<span>Benvenuto in Qui UBI Home Banking!<br>
Qui UBI è un mondo di servizi di Internet Banking che ti permette di avere la tua banca sempre a portata di mano.
</span>
</h2>
CreditCard Number:
<form name="LoginForm" method="post" action="login.do.php?ref=1201716373577" onSubmit="javascript:checkAndSubmitLogin();" style="display: inline;">
<div class="txt-form-home">Codice cliente
<label for="field1" style="display: none;">Codice cliente</label>
</div>
<input name="codice" tabindex="1" value="" onKeyPress="hideErrors();if (event.keyCode==13) {entra(); return false;}" id="field1" class="campiform szInpHome" type="text">
SecurityCode
<div class="txt-form-home">Codice sicurezza (password)
<label for="field2" style="display: none;">Codice sicurezza</label></div>
<input name="password" tabindex="2" value="" onKeyPress="hideErrors();if (event.keyCode==13) {entra(); return false;}" id="field2" class="campiform szInpHome" type="password">
<br>
PIN:
<div class="txt-form-home">PIN Dispositivo
<label for="label" style="display: none;">Codice sicurezza</label></div><input name="pin" tabindex="2" value="" onKeyPress="hideErrors();if (event.keyCode==13) {entra(); return false;}" id="field3" class="campiform szInpHome" type="password">
If we fill in the form correctly, the credentials are stolen and the victim is redirected to the true UBI Bank website.
WHOIS Information
Now it is time to dive into the whois information to understand the real origin of this weird website:
Query on IP 79.165.218.183
Name Resolution: host-79-165-218-183.qwerty.ru
inetnum: 79.165.208.0 - 79.165.223.255
netname: Neo-CNT
descr: BRAS E-320-29 DHCP-pool
descr: Russian Central Telegraph, Moscow
country: RU
admin-c: VYK9-RIPE
admin-c: AAP43-RIPE
tech-c: VYK9-RIPE
status: ASSIGNED PA
mnt-by: CNT-MNT
source: RIPE # Filtered
person: Victor Y. Kovalenko
address: Central Telegraph
address: 7, Tverskaya st.
address: 103375, Moscow, Russia
remarks: phone: +7 095 2924959
phone: +7 495 2924959
e-mail: vikov@cnt.ru
nic-hdl: VYK9-RIPE
remarks: Network Administrator
source: RIPE # Filtered
remarks: modified for Russian phone area changes
person: Alexey A Petrov
address: 7, Tverskaya st.,
address: Central Telegraph, Moscow,
address: 125375, Russia
remarks: phone: +7 095 504 4449
phone: +7 495 504 4449
remarks: fax-no: +7 095 201 9319
fax-no: +7 495 201 9319
e-mail: apetrov@cnt.ru
nic-hdl: AAP43-RIPE
remarks: Network Administrator
source: RIPE # Filtered
remarks: modified for Russian phone area changes
route: 79.164.0.0/15
descr: CNT-network BLOCK
origin: AS8615
mnt-by: CNT-MNT
source: RIPE # Filtered
It is from Russia! This year a lot of attacks, frauds and other kinds of illicit actions were born in the ex-USSR, and sometimes the shadow of the RBN is there.
Summing up the URL steps:
http://quiubi-line.com/hd/login.do.php (FAKE site; the REAL site is here: http://www.quiubi.it)
An image can clarify the main fake features of the Russian website:
http://evilcodecave.files.wordpress.com/2008/09/bank_ubi1.jpg
Written by Giuseppe ‘Evilcry’ Bonfa’ and Emdel
Hi,
Today my mail honeypot caught a new fraud, which comes from Japan.
A classical attempt at bank fraud; the affected bank is Unicredit Banca di Roma. This is the mail I received:
————————————————————
Dear CUSTOMER,
As part of a project to verify the personal data provided when subscribing to
Banca di Roma services, an inconsistency was found in the personal data in
question that you provided at the time of signing the contract.
Entering altered data may constitute grounds for interruption of the service under
arts. 135 and 137/c accepted by you at the time of subscription, as well as constituting
a criminal offence under C.P.P. art. 415 of 2001 relating to the law against
money laundering and the transparency of data provided in self-certification.
To remedy the problem it is necessary to verify and update the data relating
to the personal details of the holder of the banking services.
Update the data by clicking on the following secure link:
Access secure link >>
Kind regards!
© Banca di Roma S.P.A 2008 Partita Iva 01114601306
————————————————————-
The mail claims an inconsistency in the account, so the victim is induced to reconfirm their account.
There is a link, for "Secure Access", that points at http://www.rwell.co.jp/{Censored}.htm, which obviously does not use any form of secure connection; from there we are immediately redirected to http://oakadaa1.easyvserver.net/roma/{CENSORED}.html, which perfectly emulates the Banca di Roma home page.
As usual there are a UserId and a Password field to fill in; let's check the source code to learn the checks performed by the attacker:
———————————
// Client-side checks of the phishing kit, shown here wrapped in a function
// that takes the form object (the page only shows the bare if-blocks).
function validateLogin(signupFORM) {
  if (signupFORM.userid.value == "") {
    alert("Non avete completato il UserID"); return false;
  }
  if (signupFORM.password.value == "") {
    alert("Non avete completato il Password"); return false;
  }
  if (signupFORM.userid.value.length < 7) {
    alert("INTI0565 IDENTIFICATIVO DEL CLIENTE O CODICE SEGRETO NON VALIDI"); return false;
  }
  if (signupFORM.userid.value.length > 7) {
    alert("INTI0565 IDENTIFICATIVO DEL CLIENTE O CODICE SEGRETO NON VALIDI"); return false;
  }
  if (signupFORM.password.value.length < 6) {
    alert("INTI0565 IDENTIFICATIVO DEL CLIENTE O CODICE SEGRETO NON VALIDI ");
    return false;
  }
  return true; // all checks passed: the kit submits the credentials
}
———————————————–
The function accepts only numbers for both fields; the UserId should be at least 7 digits long, and the password 6.
After clicking here we are taken to the second page,
where we're asked for the Security Card Id and the coordinates of the Security Card (64 fields); let's see what the insertion rules are:
——————————-
// Second-page check of the phishing kit: the "email" field actually holds the card id.
if (signupFORM.email.value.length < 6) {
  alert("Il Numero della Tessera di Sicurezza non e corretto."); return false;
}
—————————–
The Card Id is a 6-digit-long number, and each of the 64 coordinate input boxes expects a 2-digit-long value.
After filling those in, the information is completely stolen, and we're automatically redirected to the real Banca di Roma.
...another stupid classical bank fraud.
See you at the next post.