Posteitaliane Mail Fraud

Hi,

This classic form of scam is now being sent to @hotmail.it accounts; here are some details on the e-mail:

Subject: Accredito temporaneamente bloccato ("Credit temporarily blocked")

From: accrediti@posteitaliane.it

Content: Ultime da Poste Italiane: Gentile Cliente,
Abbiamo ricevuto una segnalazione di accredito di Euro 100 da UFFICIO POSTALE ROMA 52. L’accredito e’ stato temporaneamente bloccato a causa dell’incongruenza dei suoi dati, potra’ ora verificare i suoi dati e successivamente sara’ accreditato sul suo conto postale

Translation: "Latest from Poste Italiane: Dear Customer, we have received a notification of a credit of EUR 100 from UFFICIO POSTALE ROMA 52. The credit has been temporarily blocked because of an inconsistency in your data; you can now verify your data and the amount will then be credited to your postal account."

The victim is directed to

http://www.nouvelles-alternatives.be/wp-content/conf.php

which contains:

<HTML>
<HEAD>
<META HTTP-EQUIV="REFRESH" CONTENT="0; URL=http://osrever.es/intranet/modules/mod_login/bpol/CARTEPRE/">
</HEAD>
</HTML>

so the browser is automatically redirected to osrever.es, which contains another redirect:

<HEAD><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<body>
</body>
<HTML><TITLE>POSTE</TITLE>
<meta http-equiv="Refresh" content="0; URL=index.php?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid=">
</HEAD>
</HTML>

Finally, the user lands here:

http://osrever.es/intranet/modules/mod_login/bpol/CARTEPRE/index.php?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid=
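To unwind a two-hop meta-refresh chain like this one without touching the live hosts, here is an added example (not code from the original post): it parses the refresh tags and resolves the relative second hop with urljoin. The two HTML snippets are embedded as constructed copies of the pages quoted above, and "fetch" is a dictionary lookup rather than a network request.

```python
import re
from urllib.parse import urljoin

# Constructed offline copies of the two pages quoted in the post, keyed by URL.
PAGES = {
    "http://www.nouvelles-alternatives.be/wp-content/conf.php":
        '<HTML><HEAD><META HTTP-EQUIV="REFRESH" CONTENT="0; '
        'URL=http://osrever.es/intranet/modules/mod_login/bpol/CARTEPRE/"></HEAD></HTML>',
    "http://osrever.es/intranet/modules/mod_login/bpol/CARTEPRE/":
        '<HEAD><HTML><TITLE>POSTE</TITLE><meta http-equiv="Refresh" '
        'content="0; URL=index.php?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid="></HEAD></HTML>',
}

# Matches a meta refresh tag regardless of tag/attribute case and quote style.
META_REFRESH = re.compile(
    r'<meta[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*content\s*=\s*["\']([^"\'>]*)["\']?',
    re.IGNORECASE)

def meta_refresh_target(html, base_url):
    """Return the absolute URL a meta refresh in `html` points to, or None."""
    m = META_REFRESH.search(html)
    if not m:
        return None
    parts = m.group(1).split(";", 1)          # "0; URL=index.php?..." -> ["0", " URL=..."]
    if len(parts) < 2:
        return None
    target = parts[1].strip()
    if target.lower().startswith("url="):
        target = target[4:].strip().strip("'\"")
    return urljoin(base_url, target)          # resolves relative hops such as index.php?...

def follow_chain(start_url, fetch, max_hops=10):
    """Walk meta-refresh hops from start_url; returns the list of URLs visited in order."""
    chain = [start_url]
    url = start_url
    for _ in range(max_hops):
        html = fetch(url)
        if html is None:
            break
        nxt = meta_refresh_target(html, url)
        if nxt is None or nxt in chain:       # landing page reached, or a redirect loop
            break
        chain.append(nxt)
        url = nxt
    return chain

if __name__ == "__main__":
    for hop in follow_chain("http://www.nouvelles-alternatives.be/wp-content/conf.php", PAGES.get):
        print(hop)
```

Replacing PAGES.get with a real fetch function (and a hop limit) turns this into a small triage tool for checking where a reported URL ultimately lands.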

As we can see from the source code, there is the classic structure that asks the user for a username and password; these are the functions:

function ControllaPassword()
{
   var f = window.document.frmRegister

   // Reject passwords longer than 10 characters (the limit the phishing page enforces)
   if (f.password.value.length > 10 )
   {
      alert("La Password non puo' superare la lunghezza di 10 caratteri.")
      f.password.focus()
      return false
   }
   return true
}

which checks that the password does not exceed 10 characters, and

function ControlloValori()
{
    var f = window.document.frmRegister
    // Require a non-empty username before the form is submitted
    if (f.login.value=="")
    {
        alert("Inserire il nome utente")
        f.login.focus()
        return false
    }

    // Then apply the password length check above
    if ( ControllaPassword() == false )
    {
        return false;
    }

    return true
}

which validates the username and password fields before the form is submitted.

Once the credentials pass these checks, the user is directed here:

http://osrever.es/intranet/modules/mod_login/bpol/CARTEPRE/index.php?MfcISAPICommand=VerifyFPP&UsingSSL=1&login=&pass=

where they are asked for the card number (CC), the CVV2 and the expiry date (Scad).

Here is some information about this malicious domain:

IP Address: 87.106.195.10
IP Location: Spain – Schlund + Partner AG
Response Code: 200
Domain Status: Registered And Active Website

See you at the next post.. 🙂
