Original phishing email for Egg bank account owners

MX Lab intercepted what we consider to be an original phishing email campaign aimed at Egg bank account owners.

The email was sent from the spoofed email address Egg Bank Plc <notice@new.egg.com> with the subject “Account notification”.

As always, phishing is about getting personal and confidential information from a user. Once this information is obtained, it can be used to break into bank accounts and so on.

This campaign has a nice, attractive eye catcher with the text “Something for the weekend” and “Two nights for the price of one”. It could catch your attention when you receive it, and I could imagine that someone would follow the included link to find out more.

Unfortunately, the text continues with: “To ensure your protection….” and this should be the moment to start thinking that this isn’t such a good offer after all.

Phishing emails with attached HTML forms instead of embedded URLs

MX Lab noticed an increase in phishing emails that carry an attached HTML form instead of the embedded URL that directs a user to an online form.

Phishing emails with an embedded URL are subject to certain filters, or so-called intent analysis techniques. The email can be blocked successfully when the URL is known as a phishing site.

Phishers try to avoid these techniques by sending an HTML page as an attachment to the email. The instructions in the email make sure the receiver knows how to handle the phishing attempt. Once the attached web page is opened in a browser, you get a form to fill in some details. The data is submitted to an online web site that handles the request and redirects you further.
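As an added illustration (not code from the MX Lab post), here is a small Python check a mail filter could apply to an HTML attachment: it extracts every form action and decodes IPv4 literals written in dotted-hex notation, as used in the PayPal case further down this page, so that a form posting anywhere but the brand’s own domain can be flagged. The sample attachment is constructed; only its form target is taken from this page.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of an attached phishing form; only the form target is
# taken from a campaign on this page, the rest is invented for the example.
SAMPLE_ATTACHMENT = """
<html><head>
<link rel="stylesheet" href="https://www.paypal.com/css/main.css">
</head><body>
<form method="post" action="http://0xD5.0xC3.0xDF.0xA9/paypalverification.php/">
  <input name="email"><input name="password" type="password">
</form></body></html>
"""

class FormActionParser(HTMLParser):
    """Collect the action attribute of every <form> in the document."""
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            for name, value in attrs:
                if name.lower() == "action" and value:
                    self.actions.append(value)

def normalize_host(host):
    """Decode an IPv4 literal whose octets are hex (0xD5) or decimal (213)."""
    labels = host.split(".")
    if len(labels) == 4 and all(re.fullmatch(r"0x[0-9a-f]+|\d+", l, re.I) for l in labels):
        try:
            return str(ipaddress.IPv4Address(".".join(str(int(l, 0)) for l in labels)))
        except ValueError:
            pass  # malformed literal: fall through and treat it as a hostname
    return host.lower()

def suspicious_form_targets(html, expected_domain):
    """Return (action, decoded host) for each form posting outside expected_domain."""
    parser = FormActionParser()
    parser.feed(html)
    findings = []
    for action in parser.actions:
        host = normalize_host(urlsplit(action).hostname or "")
        # relative actions have no host and cannot leave the attachment, skip them
        if host and host != expected_domain and not host.endswith("." + expected_domain):
            findings.append((action, host))
    return findings
```

The same normalisation is worth applying to the URLs of stylesheets, scripts and images, since an attachment that loads the brand’s real assets but posts elsewhere is the pattern described in the cases below.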

Western Union phishing

The phishing email is sent from the spoofed address Western Union customer-support@westernunion.com with the subject “Notice from WesternUnion© : Access to sensitive part of your online account has been suspended(CODE:RX41819S1)”.

The attached file is named restore.account.html and, when opened in a browser, presents a web form that asks for your personal details.

Inspecting the HTML code, we can see that the CSS, JavaScript and images are requested from the official Western Union web site. The post action of the web form submits the details to hxxp://elainegohl.biz/restore.php.

PayPal phishing

The message comes from account@ paypall.com – notice the use of a domain with a ‘typo error’ – and this one includes instructions to open the attached file in order to restore access to the account.

The attached file Restore Account.html contains a form that will send the submitted details to hxxp://pisyneluta.com/u.php.

Another PayPal phishing example

Dear PayPal customer,

During our regularly scheduled account maintenance and
verification procedure we have detected a slight error in your
billing information.

This might be due to the following reasons:

1. A recent change in your personal information (ie. change of address, email address)
2. An inability to accurately verify your selected option of payment due to an internal error within our systems.

Please verify your information. To do this we have attached a
form to this email. Please download the form and follow the
instructions on your screen.
NOTE: The form needs to be opened in a modern browser which has
javascript enabled (ex: Internet Explorer 7, Firefox 3, Safari 3,
Opera 9)

We are requesting this information to verify and protect your
identity. This is in order to prevent the illegal activity of
PayPal accounts.

Please do not reply to this email.

We apologize for any inconvenience this may have
caused. Sincerely, PayPal Security Team.

PayPal Email ID PP836l Email ID PP836

The HTML included with the PayPal phish rendered incorrectly when opened in a browser. Also, the document was named “Profile Update – PayPal.mth” – notice the .mht type instead of .htm.

Facebook subject to campaign that combines phishing and malware

MX Lab detected a large new campaign targeting Facebook users. The campaign combines phishing techniques with the download of malware and a PDF exploit from the web site.

The phishing campaign has the same characteristics as the previous campaigns we have posted about:

Facebook account update (part 1)
Facebook account update (part 2)

The message is being sent from the spoofed address “Facebook <update+umxlabvkqxqrig@facebookmail.com>” and has various subjects:

Facebook account update
Facebook update tool
New login system

This is the body of the phishing/malware email:

The included link leads to hxxp://www.facebook.com.jjjiok.org.uk/global_directory/MyAccount.php?ref=520***&email=***@***.com.

The phishing web site contains instructions on how to update your account.

In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security. Before you are able to use the new login system, you will be required to update your account.
A new Facebook Update Tool has been released for your account. Please download and install the tool using the link below:

updatetool.exe

* Do not use the same password that you use for other online accounts.
* Your new password must be at least 6 characters in length.
* Use a combination of letters, numbers, and punctuation.
* Passwords are case-sensitive. Remember to check your CAPS lock key.

Old Password:
New Password:
(required) ?
Confirm Password:
(required)

The page asks you to confirm your old and new password and offers a download link for the file updatetool.exe, which leads to hxxp://www.facebook.com.jjjiok.org.uk/global_directory/updatetool.exe.

On our first visit to the phishing site, a download of the file pdf.pdf was triggered automatically.

As expected, this PDF contains an exploit. When we submitted the PDF file for examination to Virus Total we got the names EXP/Pidief.FV (Antivir), Exploit.PDF-JS.Gen (BitDefender), Exploit.PDF-JS.Gen (GData), Exploit:Win32/Pdfjsc.CM (Microsoft) and Troj/PDFEx-CD (Sophos).

pdf.pdf:

AV detection rate: 9/40 AV engines detected the threat
Virus Total permalink and MD5: 93cba9349ecc8fb605c7932be0cdc9c6

Updatetool.exe:

AV detection rate: 6/40 AV engines detected the threat
Virus Total permalink and MD5: 095fe570f78c322c8e358c656816c200

MySpace subject to phishing campaign

Social networks are often subject to phishing and today MySpace is the target. MX Lab intercepted some messages from MySpace <message-*********@message.myspace.com> – where * stands for a random combination of letters and numbers. The From address is obviously spoofed.

The body of the email:

Dear MySpace user!

Please be informed that you are required to update your MySpace account.

Please update your MySpace account by clicking here:

hxxp://accounts.myspace.com.iuuuujef.co.uk/msp/index.php?fuseaction=update&code=5A3TCE-JA3T2OSOJ1-AT2LKB0WNLB0-SMSWSGFPGEL97-0JHN4840QT&email=****@*******.co.uk

If you’re unable to click on the link above, copy and paste it into your browser’s address bar.

————————-

At MySpace we care about your privacy. This email is never sent unsolicited.

If you think you’ve received this email in error, or if you have any questions or concerns regarding your privacy, please contact us at:

privacy@myspace.com

MySpace, Inc.
8391 Beverly Blvd. #349
Los Angeles, CA 90048
USA

©2003-2009 MySpace.com. All Rights Reserved.

The domains included are fast-flux domains to avoid Intent Analysis. The domain in this case is registered with the following details:

     Domain name:
         iuuuujef.co.uk

     Registrant:
         Joe Tentpeg

     Registrant type:
         Non-UK Individual

     Registrant's address:
         5556 Butt hole Court
         Bum diddle
         66545
         Belgium

     Registrar:
         Webfusion Ltd t/a 123-Reg.co.uk [Tag = 123-REG]
         URL: http://www.123-reg.co.uk

     Relevant dates:
         Registered on: 09-Nov-2009
         Renewal date:  09-Nov-2011
         Last updated:  10-Nov-2009

     Registration status:
         Registration request being processed.

     Name servers:
         No name servers listed.

     WHOIS lookup made at 11:19:48 10-Nov-2009

When we performed WHOIS lookups for other domains involved we noticed some irregularities. The registrant name is different each time, but the address doesn’t fit at all. The zip code doesn’t match the country, because Belgian postal codes consist of four digits. We can assume that the registrant used different details for each registration in order to avoid detection by the registrar.
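The MySpace, Facebook and PayPal campaigns on this page all hide the real registrable domain behind a hostname or path that starts with the brand name. As an added example (not MX Lab’s code), the Python below computes the registrable domain with a deliberately tiny stand-in for the Public Suffix List and reports why a defanged hxxp URL looks like a lookalike; the protected brand list is an assumption for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Brands a filter wants to protect (assumption for the example) and a tiny
# stand-in for the Public Suffix List; a real filter loads the full list.
BRANDS = ["paypal.com", "facebook.com", "myspace.com", "google.com"]
PUBLIC_SUFFIXES = {"com", "org", "net", "biz", "uk", "co.uk", "org.uk", "me.uk"}

def registrable_domain(host):
    """Registrable domain (eTLD+1): www.facebook.com.jjjiok.org.uk -> jjjiok.org.uk."""
    labels = host.lower().strip(".").split(".")
    for i in range(1, len(labels)):
        # scanning from the left means the longest suffix (co.uk before uk) wins
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def classify_url(url, brands=BRANDS):
    """List the reasons a (possibly hxxp-defanged) URL looks like a brand lookalike."""
    url = url.replace("hxxp://", "http://").replace("hxxps://", "https://")
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    reasons = []
    if is_ip_literal(host):
        # e.g. hxxp://201.116.109.181/www.paypal.com/... : brand only in the path
        reasons.append("ip-literal host")
        reasons += [f"brand {b} in path" for b in brands if b in parts.path.lower()]
        return reasons
    reg = registrable_domain(host)
    for brand in brands:
        if reg == brand:
            return []  # really served from the brand's own domain
        if brand in host:
            reasons.append(f"{brand} used as a subdomain of {reg}")
        elif brand.split(".")[0] in reg:
            reasons.append(f"brand name inside lookalike domain {reg}")
    return reasons
```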

PayPal phishing in attachments

Yesterday MX Lab reported on a phishing email that had no URL but instead an attached HTML document with a web form included. Since then we have seen more similar cases, and PayPal is also subject to this technique. The sender address shows “www.paypal.com” <service@paypal.com>, but this is spoofed. The email was sent from 69.128.90.226, an IP address in the US, pointing to mail.dandlequipment.com.

The body of the email:

To make sure everything is in order, please download the PayPal Security Account Verification and fill in all the required data for verification.

The actual webpage:

The webform makes a POST to hxxp://0xD5.0xC3.0xDF.0xA9/paypalverification.php/.

Phish targeting Banca Agricola Popolare di Ragusa has no URL but an attachment

Almost every phishing email contains a URL leading to the phishing site where you are asked for a login, password and other personal information. With the latest phish targeting Banca Agricola Popolare di Ragusa the URL is not inside the email; instead there is an attachment in HTML format. The goal of this trick is to avoid filters that detect phishing based on Intent Analysis.

Contents of the email:

Dear Customer,

A new statement document is available to you.
To view it and save it to your PC within one year from today, visit the Estratto conto e documentazione (statements and documents) area of your Servizi via internet (online services).
For help with the online services you can call the toll-free number 800 010 257, free of charge from mobile phones as well.

Kind regards.
Banca Agricola Popolare di Ragusa


This is an automated message.
To disable this service you can use the Modifica abilitazioni (edit permissions) function (Comunicazioni Estratto conto e documentazione).
Before printing, think about the environment ** Think about the environment before printing

Opening the document novembre 2009.hml in the browser gave us the following screenshot.

The webform submits the details to hxxp://67.214.177.8/passo1.php and redirects you afterwards to the official login page of the bank.

Email regarding Facebook account update is a phish

After a virus campaign, MX Lab now also intercepts a phishing campaign targeting Facebook users.

The From address is obviously fake and not related to Facebook in any way. This particular email was directing users to the phishing site hxxp://www.facebook.com.saxzask.me.uk/globaldirectory/LoginFacebook.php?ref=******&email=info@****.com. Unfortunately, this host was already down when we visited, so we didn’t have the chance to investigate it further, but we’ll keep an eye on new ones.

Paypal phishing: take online survey and receive money

MX Lab is intercepting phishing messages that target PayPal users. The email comes from the spoofed address “Pay Pal.Inc” <Account0909Sur@pay.com> with the subject “Confirm refund request – Identity Verification”.

The contents of the email:

Dear client,PayPal

CONGRATULATIONS!

You have been chosen by the Online Department to take part in our survey.
In return we will credit $99.0 to your account – Just for your time!

SERVICE: PayPal .Inc Online®
EXPIRATION: October – 29 – 2009

hxxp://www.developmentalfun.com/attachments/paypal.eu/index.php

2009 PayPal ® All Rights Reserved

MEOEXQPRKZJCHFGZMHONBBPUQDRLGHPYOORBYS

Following the link brings you to the phishing site with a similar interface to the original PayPal site.

Notice that the phishing site is hosted on a non-PayPal domain and has no HTTPS connection. When filling in a fake login and password I go to the page hxxp://www.developmentalfun.com/attachments/paypal.eu/login.php with the familiar PayPal progress bar and get a redirect to hxxp://www.developmentalfun.com/attachments/paypal.eu/Revalidate.htm?cmd_submitaccess0023044.submit=data_refund. This is where I need to fill in personal details for the refund. Yeah, right.

When filling in the form with fake data I receive the page hxxp://www.developmentalfun.com/attachments/paypal.eu/thankyou.html?RXZlbnQyIE9jdDI3RXZlbnQyIE9jdDI3 and get a redirect to the official PayPal web site. There is no check whether my social security number, credit card number and CVV2 are valid.

If you have used your real login, password and other details you are screwed by now. At this point the people behind the phishing site know your details and can go into your PayPal account and get what they need. So it’s not recommended to do such things as I just did.

The navigation at the top doesn’t point to PayPal but to hxxp://216.104.169.200/login/webscr.html, although I got an Internal Server Error there. The web site itself is hosted on the server listening on the IP 64.49.206.169. The web site http://www.developmentalfun.com/ is a legitimate one, so this hosting account appears to have been hacked and is now hosting the phishing pages.

Google Adwords subject to phishing

Today, Google Adwords is subject to a phishing campaign. MX Lab intercepted several messages stating that there is an issue with your Google Adwords account.

The message appears to be coming from Adwords@google.com, but this address is spoofed. The origin is User localhost (127.0.0.1) with the connection IP 128.175.13.92, which resolves to the host name copland.udel.edu in the US. Since the messages are coming from one source, it is very likely that this computer is part of a botnet.

Following the URL hxxp://www.google-bx.com/accounts/signin.html (we do not recommend this) takes you to the phishing web site, which looks very similar to the original Adwords web site.

The differences are marked with a red arrow and some explanation. Let’s take a look at the phishing web site.

Let’s take a look at the original web site.

When visiting the root of the web site we get a “Fedora Core Test Page”, so they are hosting this from the subfolder /accounts/.

When filling in a dummy login and password, the form requests the page login.php and we are redirected to the original Google Adwords web site. If we had filled in our real account details we would be a phishing victim by now.

The domain google-bx.com is registered by MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE with the following details:

  Domain Name.......... google-bx.com
  Creation Date........ 2009-10-01
  Registration Date.... 2009-10-01
  Expiry Date.......... 2010-10-01
  Organisation Name.... denis rogers
  Organisation Address. 22th fireball ave
  Organisation Address.
  Organisation Address. new york city
  Organisation Address. 74836
  Organisation Address. NY
  Organisation Address. UNITED STATES

  Admin Name........... denis rogers
  Admin Address........ 22th fireball ave
  Admin Address........
  Admin Address........ new york city
  Admin Address........ 74836
  Admin Address........ NY
  Admin Address........ UNITED STATES
  Admin Email.......... little_magic_0001@verizon.net
  Admin Phone.......... +1.8917288100
  Admin Fax............

  Tech Name............ denis rogers
  Tech Address......... 22th fireball ave
  Tech Address.........
  Tech Address......... new york city
  Tech Address......... 74836
  Tech Address......... NY
  Tech Address......... UNITED STATES
  Tech Email........... little_magic_0001@verizon.net
  Tech Phone........... +1.8917288100
  Tech Fax.............
  Name Server.......... rns1.google-bx.com
  Name Server.......... rns2.google-bx.com

The malicious site is hosted on 201.11.70.175. According to an IP WHOIS this IP is from Brasil Telecom.

New Paypal phish contains fake order and payment details to mislead receiver

At MX Lab we quite often intercept very well-made phishing emails. This newest PayPal phishing email came to our attention because it contains a false order and payment transaction in order to mislead the intended receiver.

The intended receiver opens such a message and notices that a payment has been made to, in this case, the account robertoelectronics for $440. Of course, the receiver will try to stop this transaction and use the Dispute Transaction link further down.

Here is where the phishing starts. The URL points to a site hosted on a server addressed by IP: hxxp://201.116.109.181/www.paypal.com/us/webscr.html?cmd=_login-run.

Be aware that with such messages you should be extra careful. Take a look at the sender’s From address, but more importantly at where the URLs are leading.