Banca Popolare di Milano Fraud

May 7, 2009

Hi,

Here is a recent fraud attempt; this morning I received the following mail:

—————

Subject: Technical Platform Optimisation Populare di Milano. Dear Customer, Wishing to prevent possible on-line fraud attempts, Banca Populare di Milano is optimising the technical platform of the Banca Populare Online service between 5 May 2009 and 10 May 2009. To avoid any loss of data, please fill in the form "Contact data update form in relation to the Bank" which you will find on our web site or attached to this e-mail. We apologise for any inconvenience caused. http://www.bpmbanking.it.servizibmp.com/pub/xol/homePriv.do.php?tabId=nav_pub_xol_home Thank you for your understanding, Populare di Milano Sanpaolo Online _____________________________________________________________________________________ ONLINE FRAUD MAKES THOUSANDS OF VICTIMS EVERY YEAR – Don't be one of them! Banca Popolare di Milano Società Cooperativa a r.l. – P.IVA 00715120150 – Gruppo Bipiemme

————-

First of all, the email contains a recurrent error: the term 'Populare' (the bank's real name is Banca Popolare di Milano), which suggests a non-Italian, possibly Spanish- or Portuguese-speaking, author. Note also that the sender mixes two different banks ("Populare di Milano Sanpaolo Online"): the kit was evidently recycled from an Intesa Sanpaolo template.

The second suspicious thing is the URL: http://www.bpmbanking.it.servizibmp.com/pub/xol/homePriv.do.php?tabId=nav_pub_xol_home

Read the host name from the right: the registered domain is servizibmp.com, and "www.bpmbanking.it" is just a subdomain chosen by whoever controls servizibmp.com, placed there so that a quick glance at the left end of the address bar reads like the real bank. Note also the file name homePriv.do.php: the real bank application uses a Java ".do" URL, and the ".do.php" suffix betrays a PHP copy of that page.

servizibmp.com sounds strange, so let's inspect this domain..

Registry Data
ICANN Registrar:     MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
Created:     2009-05-07
Expires:     2010-05-07
Updated:     2009-05-07
Registrar Status:     clientTransferProhibited
Name Server:     YNS1.YAHOO.COM (has 2,399,082 domains)
Name Server:     YNS2.YAHOO.COM (has 2,399,082 domains)
Whois Server:     whois.melbourneit.com

Server Data
IP Address:     216.39.62.190
IP Location     United States – California – Sunnyvale – Altavista Company
Response Code:     200
Domain Status:     Registered And Active Website

As you can understand, an Italian banking service located in Sunnyvale, California, served from Yahoo name servers and an Altavista-owned IP address, is REALLY strange 🙂 Equally telling is the registration date: the domain was created on 2009-05-07, the very day the mail arrived.

The final proof that this is a fraud comes from inspecting the real BPM server, www.bpmbanking.it, which is located in Italy.

By browsing http://servizibmp.com we are presented with a directory listing containing the following entries:

pub/

tmp/

in pub we have:

/pub/xol/

complete.php

go.php

homePriv.do.php

inserti.php

These are the fake PHP pages used to harvest the victims' information (homePriv.do.php shows the form, the others receive and store what is typed and then complete the flow).
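The two checks applied above, reading the registrable domain off the host name and checking how old the domain is, can be scripted. The following is an added example (not code from the original post): it triages the URLs quoted on this page with a small set of heuristics and an age check against the whois excerpt above. The public-suffix subset, the brand table, the 30-day threshold and the helper names (registrable_domain, triage_url, domain_age_days, assess) are assumptions made for the demonstration.

```python
"""Triage of the phishing URLs and whois data shown in this post.

Added example, not code from the original post. The public-suffix subset,
the brand table and the age threshold are assumptions; a real tool would
load the full Public Suffix List and its own brand inventory.
"""
from __future__ import annotations

import re
from datetime import date
from ipaddress import ip_address
from urllib.parse import urlsplit

# Assumed minimal public-suffix subset, enough for the hosts on this page.
PUBLIC_SUFFIXES = {"com", "it", "org", "net", "ru", "co.uk"}

# Assumed brand inventory: keyword -> the domain the brand really uses.
WATCHED_BRANDS = {
    "bpmbanking": "bpmbanking.it",
    "quiubi": "quiubi.it",
    "openoffice": "openoffice.org",
}

MAX_TRUST_AGE_DAYS = 30  # assumed threshold: younger domains are suspect

# Whois excerpt for servizibmp.com as quoted in the post (mail seen 2009-05-07).
SERVIZIBMP_WHOIS = """\
ICANN Registrar:     MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
Created:     2009-05-07
Expires:     2010-05-07
Updated:     2009-05-07
"""


def registrable_domain(host: str) -> str:
    """Part of ``host`` that was actually registered at a registrar.

    Labels are scanned from the left; the first suffix found in the
    public-suffix set, plus the label before it, is the registrable domain.
    For www.bpmbanking.it.servizibmp.com this is servizibmp.com: everything
    to the left is chosen freely by whoever controls servizibmp.com.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()


def triage_url(url: str) -> list[str]:
    """Return the red flags found in ``url`` (empty list if none)."""
    findings: list[str] = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()

    if parts.scheme != "https":
        findings.append(f"no TLS: scheme is {parts.scheme or 'missing'}")

    # A bare IP address instead of a host name: no registration, no brand.
    try:
        ip_address(host)
        findings.append(f"host is a raw IP address: {host}")
        is_ip = True
    except ValueError:
        is_ip = False

    reg = "" if is_ip else registrable_domain(host)
    for keyword, legit in WATCHED_BRANDS.items():
        if not is_ip and reg != legit:
            if f".{legit}." in f".{host}.":
                # The real domain is present, but only as subdomain labels.
                findings.append(
                    f"legitimate domain {legit} appears as a subdomain of {reg}")
            elif keyword in reg:
                findings.append(f"lookalike registrable domain {reg} (real: {legit})")
        if keyword in path:
            findings.append(f"brand keyword '{keyword}' in path on host {host}")
    return findings


def domain_age_days(whois_text: str, seen_on: date) -> int | None:
    """Days between the registrar creation date and ``seen_on``.

    Handles both the ``Created: 2009-05-07`` and ``Creation Date: 2007.12.23``
    layouts that appear in the whois dumps on this page.
    """
    m = re.search(r"(?:Created|Creation Date):\s*(\d{4})[-.](\d{2})[-.](\d{2})",
                  whois_text)
    if m is None:
        return None
    return (seen_on - date(*map(int, m.groups()))).days


def assess(url: str, whois_text: str | None, seen_on: date) -> list[str]:
    """URL heuristics plus the registration-age check when whois is available."""
    findings = triage_url(url)
    if whois_text is not None:
        age = domain_age_days(whois_text, seen_on)
        if age is not None and age < MAX_TRUST_AGE_DAYS:
            findings.append(f"domain registered only {age} day(s) before the mail")
    return findings


if __name__ == "__main__":
    samples = [
        ("http://www.bpmbanking.it.servizibmp.com/pub/xol/homePriv.do.php?tabId=nav_pub_xol_home",
         SERVIZIBMP_WHOIS, date(2009, 5, 7)),
        ("http://67.214.168.130/openoffice/index.asp?aff=001", None, date(2008, 10, 12)),
        ("http://quiubi-line.com/hd/login.do.php", None, date(2008, 9, 28)),
        ("https://www.bpmbanking.it/pub/xol/homePriv.do", None, date(2009, 5, 7)),
    ]
    for url, whois, seen in samples:
        print(url)
        for finding in assess(url, whois, seen) or ["no red flags"]:
            print("  -", finding)
```

The last sample is the bank's real address and comes back clean; the first one trips three checks at once (no TLS, brand domain used as a subdomain, zero-day-old registration), which is the usual profile of a kit stood up the same morning the spam run starts.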

See you to the next post 🙂


Fake Download Open Office 2009 – Credit Card Fraud

October 12, 2008

Hi,

This morning I discovered another funny fraud attempt, based on a fake membership to download Open Office 2009. This is the mail I received:

—————————————————————–

Open Office Suite 2009

Open, Create & Edit Your Files
Download Office Suite 2009 Here
Edit Word, Excel & Power Point files- 100% MS Office Compatible.

Office Solutions

Read and write PDF files just like Adobe.
Here’s how to download Open Office 2009:
1. Go to: Download Page
2. Download Open Office 2009
3. Receive access immediately
This software package is the best way to edit your documents.
Publish all of your documents online in the HTML format.
Thank you for choosing us, the worldwide leader in Open Office 2009.
For More Information Visit our Website
Thank You,

David Matthews

If you want to stop receiving mail, please go to:
http://daily–new-product.org/
or you may contact us at the following address:

Plaza Neptuno, local #7
Via ricardo J Alfaro, Tumba Muerto
Panama Ciudad
Republica de Panama

—————————————————————–

Republica de Panama, and OpenOffice? That is really strange, isn't it?

But let's see this 'great offer'. By clicking on the link in the mail we are sent to:

http://67.214.168.130/openoffice/index.asp?aff=001&camp=openoffice_espd&kbid=1587&sub=oo_espd&pop=1

And this too, as you should understand, sounds strange: an OpenOffice website hosted on a bare IP address, with a query string (aff, camp, kbid, sub) that looks like affiliate tracking, i.e. it records which spam campaign brought the victim in.

A classic, well-designed fake page. Now let's click on download: we are asked for a membership, and after filling in the e-mail and name/surname fields the core of the scam appears: the membership "to be activated" needs a credit card payment 😉 OpenOffice.org is free software, so any request for payment is by itself the tell.

After accepting we are in front of a classic phishing form containing:

  • Name
  • Surname
  • Location
  • PostalCode
  • E-Mail
  • Credit card number
  • CVV2
  • Expiry date ("Scad", from the Italian scadenza)

Here you can see the screenshot:

After clicking, the system "validates" your transaction and the fraud is successfully completed 🙂

Here is some information about the IP address used:

IP Information for 67.214.168.130

IP Location: United States, South Bend, Colostore.com
IP Address: 67.214.168.130
Blacklist Status: Clear

Whois Record

OrgName:    Colostore.com
OrgID:      KCA-7
Address:    1805 South Michigan Street
City:       South Bend
StateProv:  IN
PostalCode: 46613
Country:    US

ReferralServer: rwhois://rwhois.colostore.com:4321/

NetRange:   67.214.160.0 – 67.214.191.255
CIDR:       67.214.160.0/19
OriginAS:   AS12260
NetName:    COLOSTORE-COM
NetHandle:  NET-67-214-160-0-1
Parent:     NET-67-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.COLOSTORE.COM
NameServer: NS2.COLOSTORE.COM
Comment:    http://www.colostore.com
RegDate:    2007-09-28
Updated:    2008-07-21

See you to the next post.. 🙂


Bank UBI Fraud – Phishing Domain

September 28, 2008

Hi,

The following blog entry is the result of research carried out by me and Emdel from Playhack, who received the mail and wrote the paper with me.

The scam email is the following:

_________________________________________________

DEAR CUSTOMER OF _BANCA UBI,_ The Technical Service of Banca UBI Online is performing a scheduled update of the banking software in order to improve the quality of the banking services. We ask you to start the customer data confirmation procedure. To this end, please click on the link you will find at the end of this message. CLICK HERE TO CONFIRM [1] We apologise for any inconvenience, and thank you for your cooperation. © Gruppo UBI Banca 2008 Links:

_________________________________________________

Which contains the following link:

The URL http://79.165.218.183/login.php is clearly a phishing site: there is no TLS (the secure connection banks insist on), and the host is a bare IP address rather than the bank's domain. Looking at the browser address bar we can see a redirection:

Requesting that URL gives the following reply:

HTTP/1.1 302 Found

Date: Sun, 28 Sep 2008 12:53:17 GMT

Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch10 mod_ssl/2.2.3 OpenSSL/0.9.8c

X-Powered-By: PHP/5.2.0-8+etch10

location: http://quiubi-line.com/hd/login.do.php

Content-Length: 0

Connection: close

Content-Type: text/html; charset=WINDOWS-1251

Dissection

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//IT" "http://www.w3.org/TR/html4/loose.dtd">

<html><head><title>Gruppo UBI Banca – Qui UBI – LOGIN</title>

<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

<meta http-equiv="CONTENT-LANGUAGE" content="Italian">

<meta http-equiv="Expires" content="Dom, 01 Gen 2006 11:56:50 GMT">

<meta http-equiv="Pragma" content="no-cache">

<meta http-equiv="Cache-Control" content="no-cache">

<meta name="keywords" content="">

<meta name="description" content="Build Fase 4.40.00 – 30.01.2008 – Blocchi CI">

<link rel="stylesheet" href="login.do_files/bpu.css" type="text/css">

<link rel="shortcut icon" href="https://www.quiubi.it/hb/favicon.ico">

Here the fraud starts. Two details of the header are worth noting: the stylesheet path login.do_files/bpu.css is the "_files" directory that a browser's "save page complete" creates, so the kit is a saved copy of the real login.do page, and the favicon is still hotlinked from https://www.quiubi.it, which the bank could spot in its own web logs through the Referer.

<h2 title="Benvenuto in Qui UBI Home Banking">

<span>Benvenuto in Qui UBI Home Banking!<br>

Qui UBI è un mondo di servizi di Internet Banking che ti permette di avere la tua banca sempre a portata di mano.

</span>

</h2>

Customer code (codice cliente):

<form name="LoginForm" method="post" action="login.do.php?ref=1201716373577" onSubmit="javascript:checkAndSubmitLogin();" style="display: inline;">

<div class="txt-form-home">Codice cliente

<label for="field1" style="display: none;">Codice cliente</label>

</div>

<input name="codice" tabindex="1" value="" onKeyPress="hideErrors();if (event.keyCode==13) {entra(); return false;}" id="field1" class="campiform szInpHome" type="text">

Security code (password):

<div class="txt-form-home">Codice sicurezza (password)

<label for="field2" style="display: none;">Codice sicurezza</label></div>

<input name="password" tabindex="2" value="" onKeyPress="hideErrors();if (event.keyCode==13) {entra(); return false;}" id="field2" class="campiform szInpHome" type="password">

<br>

PIN:

<div class="txt-form-home">PIN Dispositivo

<label for="label" style="display: none;">Codice sicurezza</label></div><input name="pin" tabindex="2" value="" onKeyPress="hideErrors();if (event.keyCode==13) {entra(); return false;}" id="field3" class="campiform szInpHome" type="password">

If the form is filled in correctly the credentials are stolen and the victim is redirected to the real UBI bank website. Note what is collected: not just the customer code and password needed to log in, but also the "PIN Dispositivo", the PIN that authorises dispositive operations such as transfers, so the attacker ends up with everything required to move money, not merely to read the balance.
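The redirect and the form above can be parsed mechanically. This is an added example (not code from the original post or from the phishing kit) that extracts the Location header from the quoted 302 reply, lists the fields the fake form collects and the URL it posts to, and records assets hotlinked from the real bank. The HTTP response and the HTML are re-typed copies of the fragments quoted above; the helper names (parse_response_head, redirect_target, FormScanner, scan_login_page) are hypothetical.

```python
"""Parse the redirect and the harvesting form captured in this post.

Added example, not code from the original post or the phishing kit. The
HTTP response and the HTML are copies of the fragments quoted above,
embedded inline so the script runs offline.
"""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urljoin

# The 302 reply quoted in the post (re-typed copy, CRLF line endings).
RAW_302 = (
    "HTTP/1.1 302 Found\r\n"
    "Date: Sun, 28 Sep 2008 12:53:17 GMT\r\n"
    "Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch10 mod_ssl/2.2.3 OpenSSL/0.9.8c\r\n"
    "X-Powered-By: PHP/5.2.0-8+etch10\r\n"
    "location: http://quiubi-line.com/hd/login.do.php\r\n"
    "Content-Length: 0\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html; charset=WINDOWS-1251\r\n"
    "\r\n"
)

# The login form of the fake Qui UBI page, trimmed to the relevant tags.
FAKE_LOGIN_HTML = """
<html><head><title>Gruppo UBI Banca - Qui UBI - LOGIN</title>
<link rel="stylesheet" href="login.do_files/bpu.css" type="text/css">
<link rel="shortcut icon" href="https://www.quiubi.it/hb/favicon.ico">
</head><body>
<form name="LoginForm" method="post" action="login.do.php?ref=1201716373577"
      onSubmit="javascript:checkAndSubmitLogin();">
<input name="codice" tabindex="1" id="field1" type="text">
<input name="password" tabindex="2" id="field2" type="password">
<input name="pin" tabindex="2" id="field3" type="password">
</form></body></html>
"""


def parse_response_head(raw: str) -> tuple[int, dict[str, str]]:
    """Return (status code, headers) from a raw HTTP response head.

    Header names are lower-cased, so the kit's non-canonical ``location:``
    header is handled the same way as ``Location:``.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def redirect_target(raw: str, requested: str) -> str | None:
    """Absolute URL a 3xx response sends the browser to, else None."""
    status, headers = parse_response_head(raw)
    if 300 <= status < 400 and "location" in headers:
        return urljoin(requested, headers["location"])
    return None


class FormScanner(HTMLParser):
    """Collect every <form> with its action, method and <input> fields,
    plus any absolute URL the page loads from elsewhere."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: list[dict] = []
        self.external_refs: list[str] = []
        self._current: dict | None = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": a.get("method", "get").lower(),
                             "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append(
                (a.get("name", ""), a.get("type", "text").lower()))
        elif tag in ("link", "img", "script"):
            ref = a.get("href") or a.get("src") or ""
            if ref.startswith("http"):
                self.external_refs.append(ref)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def scan_login_page(html: str, page_url: str) -> dict:
    """Summarise what a credential-harvesting page would collect and where it sends it."""
    scanner = FormScanner()
    scanner.feed(html)
    report: dict = {"forms": [], "external_refs": scanner.external_refs}
    for form in scanner.forms:
        report["forms"].append({
            "posts_to": urljoin(page_url, form["action"]),
            "method": form["method"],
            "fields": form["fields"],
            "secret_fields": [n for n, t in form["fields"] if t == "password"],
        })
    return report


if __name__ == "__main__":
    first_hop = "http://79.165.218.183/login.php"
    landing = redirect_target(RAW_302, first_hop)
    print(first_hop, "->", landing)
    print(scan_login_page(FAKE_LOGIN_HTML, landing))
```

Two password-type inputs in one login form is already unusual for a bank front page; combined with a relative action ending in .php on a site imitating a Java ".do" application and a favicon pulled from the genuine quiubi.it host, the report captures all the indicators discussed above in machine-readable form.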

WHOIS Information

Now it is time to look at the whois information to understand the real origin of this weird website:

Whois query on IP 79.165.218.183
Name Resolution:
host-79-165-218-183.qwerty.ru

inetnum: 79.165.208.0 – 79.165.223.255
netname: Neo-CNT
descr: BRAS E-320-29 DHCP-pool
descr: Russian Central Telegraph, Moscow
country: RU
admin-c: VYK9-RIPE
admin-c: AAP43-RIPE
tech-c: VYK9-RIPE
status: ASSIGNED PA
mnt-by: CNT-MNT
source: RIPE # Filtered

person: Victor Y. Kovalenko
address: Central Telegraph
address: 7, Tverskaya st.
address: 103375, Moscow, Russia
remarks: phone: +7 095 2924959
phone: +7 495 2924959
e-mail: vikov@cnt.ru
nic-hdl: VYK9-RIPE
remarks: Network Administrator
source: RIPE # Filtered
remarks: modified for Russian phone area changes

person: Alexey A Petrov
address: 7, Tverskaya st.,
address: Central Telegraph, Moscow,
address: 125375, Russia
remarks: phone: +7 095 504 4449
phone: +7 495 504 4449
remarks: fax-no: +7 095 201 9319
fax-no: +7 495 201 9319
e-mail: apetrov@cnt.ru
nic-hdl: AAP43-RIPE
remarks: Network Administrator
source: RIPE # Filtered
remarks: modified for Russian phone area changes

route: 79.164.0.0/15
descr: CNT-network BLOCK
origin: AS8615
mnt-by: CNT-MNT
source: RIPE # Filtered

It is from Russia! This year a lot of attacks, frauds and other kinds of illicit activity originated in the former USSR, and sometimes the shadow of the RBN (Russian Business Network) is behind them. Note, though, what the record actually describes: a BRAS DHCP pool (the reverse name is host-79-165-218-183.qwerty.ru), i.e. a dynamically assigned consumer address. That suggests the first hop is a compromised home machine that merely redirects to quiubi-line.com, where the real kit lives, so blocking this single IP would not remove the fraud.

Summing up the URL steps: the mail links to http://79.165.218.183/login.php, which answers with a 302 to http://quiubi-line.com/hd/login.do.php, where the fake login form is served; on submit the credentials are stored and the victim is sent on to the real bank site.

An image can clarify the main fake features of the Russian website:

Written by Giuseppe ‘Evilcry’ Bonfa’ and Emdel


[Malware] The Phishing Storm of 2008

December 30, 2007

Caution: the following post contains explicit malware content, be careful!

As at every end of year, the Web registers a significant increase of malware attacks on various fronts, in particular website phishing frauds, file infections and new rootkits.

This information can be verified by consulting http://www.antiphishing.org/

Obviously 90% of the frauds come from fake websites themed on the current holidays, such as Christmas gifts and e-card/postcard online services. In the last days, for example, I have found two phishing e-card websites:

familypostcards2008.com

uhavepostcard.com

Let's look up both websites:

———————————

Domain name:             UHAVEPOSTCARD.COM
Name Server:             ns.uhavepostcard.com 74.66.92.4
Name Server:             ns10.uhavepostcard.com 193.150.206.29
Name Server:             ns11.uhavepostcard.com 24.151.246.25
Name Server:             ns12.uhavepostcard.com 78.60.126.188
Name Server:             ns13.uhavepostcard.com 78.60.126.188
Name Server:             ns2.uhavepostcard.com 71.11.228.181
Name Server:             ns3.uhavepostcard.com 76.236.158.155
Name Server:             ns4.uhavepostcard.com 76.226.91.98
Name Server:             ns5.uhavepostcard.com 68.45.61.150
Name Server:             ns6.uhavepostcard.com 65.35.110.50
Name Server:             ns7.uhavepostcard.com 67.58.159.109
Name Server:             ns8.uhavepostcard.com 70.92.107.11
Name Server:             ns9.uhavepostcard.com 12.216.86.166
Creation Date:           2007.12.23
Updated Date:            2007.12.24
Expiration Date:         2008.12.23
---------------------------------
Domain name:             FAMILYPOSTCARDS2008.COM
Name Server:             ns.familypostcards2008.com 71.130.195.9
Name Server:             ns10.familypostcards2008.com 86.137.196.186
Name Server:             ns11.familypostcards2008.com 78.60.126.188
Name Server:             ns12.familypostcards2008.com 76.174.52.123
Name Server:             ns13.familypostcards2008.com 71.230.66.163
Name Server:             ns2.familypostcards2008.com 76.205.135.226
Name Server:             ns3.familypostcards2008.com 75.9.137.204
Name Server:             ns4.familypostcards2008.com 76.206.232.36
Name Server:             ns5.familypostcards2008.com 98.201.54.7
Name Server:             ns6.familypostcards2008.com 69.247.162.86
Name Server:             ns7.familypostcards2008.com 74.161.36.118
Name Server:             ns8.familypostcards2008.com 12.217.82.249
Name Server:             ns9.familypostcards2008.com 193.150.206.29
Creation Date:           2007.12.29
Updated Date:            2007.12.29
Expiration Date:         2008.12.29

———————————

It is truly curious that these domains come from Los Angeles and were created only for these holidays 🙂 Both were registered a few days before they were spotted (2007.12.23 and 2007.12.29), and both list thirteen name servers on addresses scattered across unrelated networks, which is not how a legitimate e-card service is hosted.
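Beyond the registration date, the striking feature of both whois records is the name-server layout: thirteen NS hosts, each with a glue IP in a different network, and two of those IPs (78.60.126.188 and 193.150.206.29) shared between the two domains. The following added example (not code from the original post) parses the two records quoted above, measures how dispersed the glue addresses are and finds the shared addresses; the thresholds, the helper names (name_servers, ns_profile, looks_like_flux, shared_ns_ips) and the "control" record are assumptions made for the demonstration.

```python
"""Name-server infrastructure comparison for the two e-card domains.

Added example, not code from the original post. The two whois excerpts are
the ones quoted in the post (trimmed to the NS lines); CONTROL_WHOIS is a
constructed, ordinary-looking record used only as a baseline.
"""
from __future__ import annotations

import re

UHAVEPOSTCARD_WHOIS = """\
Domain name:             UHAVEPOSTCARD.COM
Name Server:             ns.uhavepostcard.com 74.66.92.4
Name Server:             ns10.uhavepostcard.com 193.150.206.29
Name Server:             ns11.uhavepostcard.com 24.151.246.25
Name Server:             ns12.uhavepostcard.com 78.60.126.188
Name Server:             ns13.uhavepostcard.com 78.60.126.188
Name Server:             ns2.uhavepostcard.com 71.11.228.181
Name Server:             ns3.uhavepostcard.com 76.236.158.155
Name Server:             ns4.uhavepostcard.com 76.226.91.98
Name Server:             ns5.uhavepostcard.com 68.45.61.150
Name Server:             ns6.uhavepostcard.com 65.35.110.50
Name Server:             ns7.uhavepostcard.com 67.58.159.109
Name Server:             ns8.uhavepostcard.com 70.92.107.11
Name Server:             ns9.uhavepostcard.com 12.216.86.166
"""

FAMILYPOSTCARDS_WHOIS = """\
Domain name:             FAMILYPOSTCARDS2008.COM
Name Server:             ns.familypostcards2008.com 71.130.195.9
Name Server:             ns10.familypostcards2008.com 86.137.196.186
Name Server:             ns11.familypostcards2008.com 78.60.126.188
Name Server:             ns12.familypostcards2008.com 76.174.52.123
Name Server:             ns13.familypostcards2008.com 71.230.66.163
Name Server:             ns2.familypostcards2008.com 76.205.135.226
Name Server:             ns3.familypostcards2008.com 75.9.137.204
Name Server:             ns4.familypostcards2008.com 76.206.232.36
Name Server:             ns5.familypostcards2008.com 98.201.54.7
Name Server:             ns6.familypostcards2008.com 69.247.162.86
Name Server:             ns7.familypostcards2008.com 74.161.36.118
Name Server:             ns8.familypostcards2008.com 12.217.82.249
Name Server:             ns9.familypostcards2008.com 193.150.206.29
"""

# Constructed baseline: two name servers in one hosting network.
CONTROL_WHOIS = """\
Domain name:             EXAMPLE.COM
Name Server:             ns1.example.com 203.0.113.10
Name Server:             ns2.example.com 203.0.113.11
"""

NS_LINE = re.compile(r"^Name Server:\s*(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", re.M)

FLUX_MIN_NS = 5        # assumed: fewer NS hosts than this is never flagged
FLUX_MIN_SPREAD = 0.8  # assumed: share of NS hosts whose IPs sit in different /16s


def name_servers(whois_text: str) -> dict[str, str]:
    """Map each name-server host in the record to its glue IP."""
    return dict(NS_LINE.findall(whois_text))


def prefix_set(ips, bits: int) -> set[str]:
    """Distinct /8 (bits=8) or /16 (bits=16) prefixes among ``ips``."""
    n = bits // 8
    return {".".join(ip.split(".")[:n]) for ip in ips}


def ns_profile(whois_text: str) -> dict[str, int]:
    """Counts describing how the zone's name servers are spread out."""
    ns = name_servers(whois_text)
    ips = set(ns.values())
    return {"ns_count": len(ns), "distinct_ips": len(ips),
            "distinct_slash8": len(prefix_set(ips, 8)),
            "distinct_slash16": len(prefix_set(ips, 16))}


def looks_like_flux(profile: dict[str, int]) -> bool:
    """Many name servers, nearly all in different networks.

    A legitimately hosted zone usually has two to four NS in one or two
    hosting networks; a dozen NS on addresses in a dozen different /16s is
    the footprint of name servers running on compromised consumer machines.
    """
    if profile["ns_count"] < FLUX_MIN_NS:
        return False
    return profile["distinct_slash16"] / profile["ns_count"] >= FLUX_MIN_SPREAD


def shared_ns_ips(whois_a: str, whois_b: str) -> set[str]:
    """Glue IPs used by both zones: evidence of a common operator."""
    return set(name_servers(whois_a).values()) & set(name_servers(whois_b).values())


if __name__ == "__main__":
    for text in (UHAVEPOSTCARD_WHOIS, FAMILYPOSTCARDS_WHOIS, CONTROL_WHOIS):
        p = ns_profile(text)
        print(text.splitlines()[0], p, "flux-like" if looks_like_flux(p) else "normal")
    print("shared NS IPs:", shared_ns_ips(UHAVEPOSTCARD_WHOIS, FAMILYPOSTCARDS_WHOIS))
```

The shared-IP check is the more durable signal of the two: thresholds on dispersion can be tuned by the operator, but reusing the same bots as glue for every new domain is what lets a defender pivot from one spotted domain to the next before it is spammed out.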

The malware spread is always the same, under different file names:

  • happy_2008.exe
  • Happy2008.exe
  • stripshow.exe
  • happynewyear2008.exe

So pay attention to these postcard sites.. 😉

Regards,

Evilcry