Author Topic: Intesa Sanpaolo CC info stealing (Read 8825 times)


July 26, 2009, 09:59:37 am

ocean

comes with email spam

Code:
From - Sun Jul 26 10:59:37 2009
X-Account-Key: account2
X-UIDL: AC9z+FcAAD+aSmtwXgFfLw4toqo
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
X-Apparently-To: ********* via 87.248.115.47; Sat, 25 Jul 2009 13:51:41 -0700
X-YMailISG: bDl9LncWLDvN3KXmzxJFoFOHflPbVlqR0Cl.nSqW08HBYXD3j4IHdzH_jvJwPmE6qHdfVu6nTdWPtaEjcvx2bSZWYoxG3PIjVic16nPLNRkzbnAVyqTJOV.rgb9O.wJHU33i4pGEuQiaGcfWBxKZOk5t8lE36rGb1cd36TKXu535SW9aAHul79VEss7K9ZhykaVCS5W5PB8_OqbgbHliXlU8rctgovynAnXJ34lpJrw1BogAivSvmJUAbjF6kndY8Oo4GQQwgzfbmUal4qhcAYmeNrorj1vDzJGeYiAgTC5bUvNGPYC4zUUsUHSJvNMWbd3eb5.KEXt7z5fM3DtEKMtUtsKoUVlPmdbvPg30ncIuUhrhadHl1MR4iOAOq5GXj29eU1icCBdR7GwiV3drYGGLbs6bUjtUfZg_r07wtEmwDrEoKl1CPC3eHtuOF1qPDa2L8u5r0jSl8Tr3jRktI0xJrq5EP8Ja76pA7Hqe3TMH5AT4l.ApJ4HwhfXNC5DVu9yJ3bpssok24dG1CBztJcv5g_yCfNpvOErmaaxg
X-Originating-IP: [85.18.95.71]
Authentication-Results: mta125.mail.re2.yahoo.com  from=monetaonline.it; domainkeys=neutral (no sig); from=monetaonline.it; dkim=neutral (no  sig)
Received: from 85.18.95.71  (EHLO aa011msr.fastwebnet.it) (85.18.95.71)
  by mta125.mail.re2.yahoo.com with SMTP; Sat, 25 Jul 2009 13:51:34 -0700
Received: from User (79.39.194.81) by aa011msr.fastwebnet.it (8.5.016.6) (authenticated as marco_rosai@fastwebnet.it)
        id 4A53146002411C95; Sat, 25 Jul 2009 22:51:33 +0200
Message-ID: <4A53146002411C95@> (added by postmaster@aa011msr.fastwebnet.it)
From: "Moneta Online"<servizi@monetaonline.it>
Subject: La password de la sua carta Flash
Date: Sat, 25 Jul 2009 23:48:02 +0300
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1081
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1081

marco_rosai@fastwebnet.it I think is a compromised mail account; Outlook Express 6.00 as X-Mailer could give a hint :P

87.248.115.47 seems to be a known mail server http://www.projecthoneypot.org/ip_87.248.115.47

Code:
La password de la sua carta Flash e stata inserita piu di tre volte.
Per proteggere la sua carta abbiamo sospenso il acceso.
Per recuperare il acceso prego di entrare
<http://www.umhcservices.com/mo/www.monetaonline.it/layout/03069/pop/dispores_card_01.html>
e completare la pagina di attivazione.


Grazie ancora per aver scelto i servizi on-line di carta FLASH.
I migliori saluti.

© Intesa Sanpaolo 2009

Servizio Clienti IntesaSanPaolo

Code:
http://www.umhcservices.com/mo/www.monetaonline.it/layout/03069/pop/dispores_card_01.html
I think umhcservices.com has been somehow compromised ::)

A nice piece of information inside the page source:
Code:
<!-- Mirrored from www.monetaonline.it/layout/03069/pop/dispores_card_01.asp by HTTrack Website Copier/3.x [XR&CO'2008], Mon, 13 Apr 2009 23:59:34 GMT -->
I also think the author is a script kiddie or someone with no particular care in what he's doing, since in the page we can find:

Code:
La funzione \"Numero della virtual card\" sarà attivata entro il 28 dicembre 2000
which means "The function 'number of virtual card' will be activated before 28th December 2000", so no modifications have been done to the page since mirroring.

I've already sent a mail to the technical and administrative contacts of the domain.

best regards
ocean
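The header analysis in the post above, as an added example that is not ocean's code and not from any tool named in the thread: a small Python triage script that walks the Received chain in chronological order, reads the Authentication-Results verdict, pulls the links out of the body and flags a link whose host is not the sender's domain but carries that domain in its path (the `www.umhcservices.com/mo/www.monetaonline.it/...` pattern). It also looks for the HTTrack "Mirrored from" comment that identifies a cloned page. The two sample inputs are constructed copies of the headers and comment quoted above, trimmed to the fields the script needs; the lookalike-path heuristic and all function names are my own. X-Mailer is reported for context only, because it is supplied by the client and can be forged.

```python
import re
from email.parser import Parser
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: the headers and body quoted in the post, trimmed to the
# fields this triage needs (the X-YMailISG and X-Mozilla-* lines are omitted).
SAMPLE_MESSAGE = """\
X-Originating-IP: [85.18.95.71]
Authentication-Results: mta125.mail.re2.yahoo.com  from=monetaonline.it; domainkeys=neutral (no sig); from=monetaonline.it; dkim=neutral (no  sig)
Received: from 85.18.95.71  (EHLO aa011msr.fastwebnet.it) (85.18.95.71)
  by mta125.mail.re2.yahoo.com with SMTP; Sat, 25 Jul 2009 13:51:34 -0700
Received: from User (79.39.194.81) by aa011msr.fastwebnet.it (8.5.016.6) (authenticated as marco_rosai@fastwebnet.it)
        id 4A53146002411C95; Sat, 25 Jul 2009 22:51:33 +0200
From: "Moneta Online"<servizi@monetaonline.it>
Subject: La password de la sua carta Flash
X-Mailer: Microsoft Outlook Express 6.00.2800.1081

Per recuperare il acceso prego di entrare
<http://www.umhcservices.com/mo/www.monetaonline.it/layout/03069/pop/dispores_card_01.html>
e completare la pagina di attivazione.
"""

# Constructed sample page source carrying the HTTrack comment quoted in the post.
SAMPLE_PAGE = """<html><head>
<!-- Mirrored from www.monetaonline.it/layout/03069/pop/dispores_card_01.asp by HTTrack Website Copier/3.x [XR&CO'2008], Mon, 13 Apr 2009 23:59:34 GMT -->
<title>Carta Flash</title></head><body></body></html>"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
URL_RE = re.compile(r"""https?://[^\s<>"']+""")
HTTRACK_RE = re.compile(
    r"<!--\s*Mirrored from (\S+) by HTTrack Website Copier/\S+ \[[^\]]*\],\s*(.*?)\s*-->")


def _unfold(value):
    """Join RFC 5322 continuation lines into a single line."""
    return re.sub(r"\s*\r?\n\s*", " ", value)


def _valid_ipv4(text):
    # Rejects version strings such as "8.5.016.6" that the loose regex also matches.
    return all(o == str(int(o)) and int(o) <= 255 for o in text.split("."))


def parse_received(value):
    """Extract relay host, claimed HELO name, client IP and any authenticated
    submission account from one unfolded Received header."""
    ips = [ip for ip in IPV4_RE.findall(value) if _valid_ipv4(ip)]
    helo = re.search(r"\(EHLO ([^\s)]+)\)", value) or re.search(r"\bfrom\s+(\S+)", value)
    by = re.search(r"\bby\s+(\S+)", value)
    auth = re.search(r"authenticated as ([^\s)]+)", value)
    return {
        "helo": helo.group(1) if helo else None,
        "ip": ips[0] if ips else None,
        "by": by.group(1) if by else None,
        "auth_as": auth.group(1) if auth else None,
    }


def parse_auth_results(value):
    """Reduce an Authentication-Results header to {method: result}."""
    return {k.lower(): v.lower() for k, v in re.findall(r"([\w-]+)=([\w.-]+)", value)}


def triage(raw_message):
    """Summarise where the message came from and why it looks like a phish."""
    msg = Parser().parsestr(raw_message)
    # Each relay prepends its own Received header, so reversing the list gives
    # the path in chronological order: hops[0] is the submitting client.
    hops = [parse_received(_unfold(v)) for v in reversed(msg.get_all("Received", []))]
    auth = parse_auth_results(_unfold(msg.get("Authentication-Results", "")))
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    body = msg.get_payload()
    urls = URL_RE.findall(body) if isinstance(body, str) else []  # multipart not handled here

    findings = []
    if auth.get("dkim") != "pass" and auth.get("domainkeys") != "pass":
        findings.append("sender domain %s carries no valid signature (dkim=%s, domainkeys=%s)"
                        % (from_domain, auth.get("dkim"), auth.get("domainkeys")))
    for hop in hops:
        if hop["auth_as"]:
            findings.append("submitted from %s through the authenticated account %s"
                            % (hop["ip"], hop["auth_as"]))
    for url in urls:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        # Brand domain used as a path component under an unrelated host.
        if from_domain and host != from_domain and not host.endswith("." + from_domain) \
                and from_domain in parsed.path:
            findings.append("link to %s embeds the brand domain %s in its path" % (host, from_domain))
    return {
        "hops": hops,
        "auth": auth,
        "from_domain": from_domain,
        "urls": urls,
        "x_mailer": msg.get("X-Mailer"),  # client-supplied and forgeable; context only
        "findings": findings,
    }


def mirror_signature(html):
    """Return (source URL, mirror date) when a page carries the HTTrack comment."""
    m = HTTRACK_RE.search(html)
    return (m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    report = triage(SAMPLE_MESSAGE)
    for i, hop in enumerate(report["hops"]):
        extra = " [auth as %s]" % hop["auth_as"] if hop["auth_as"] else ""
        print("hop %d: %s (%s) -> %s%s" % (i, hop["helo"], hop["ip"], hop["by"], extra))
    for finding in report["findings"]:
        print("finding:", finding)
    print("mirrored from:", mirror_signature(SAMPLE_PAGE))
```

Run on the sample, hop 0 is the Outlook-style client `User` at 79.39.194.81 submitting through the fastwebnet account, hop 1 is the fastwebnet relay handing off to Yahoo, and the three findings are the unsigned sender domain, the authenticated submission account and the brand-in-path link. The lookalike check is deliberately narrow (exact domain or subdomain of the From address passes) so it will not fire on legitimate mail from the brand's own hosts.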

July 30, 2009, 05:48:38 pm
Reply #1

ocean

Another one:
Code:
http://frankmin.com/60loc.htm
this time a redirect to
Code:
http://83.170.85.196/inex/www.monetaonline.it/layout/03069/pop/dispores_card_01.html
strange... spammed the same day the other page has been removed...
and these two websites use a similar contact form; I'm investigating more on this "connection".

regards
ocean

July 30, 2009, 09:36:41 pm
Reply #2

MysteryFCM

Just an FYI, since the X-Mailer can be faked, it shouldn't be trusted as being real ;)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

July 30, 2009, 09:52:53 pm
Reply #3

ocean

Yeah, thanks, I forgot about that and was just thinking of the classic Outlook/mail worm ;D

August 01, 2009, 01:52:39 am
Reply #4

ocean

Code:
http://www.andrewgraham-yooll.com.ar/test.php3
redirects to the same as the other post
Code:
http://83.170.85.196/inex/www.monetaonline.it/layout/03069/pop/dispores_card_01.html

August 01, 2009, 01:59:18 am
Reply #5

MysteryFCM

That's 404'ing for me?
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

August 01, 2009, 03:08:43 pm
Reply #6

ocean

For me it is working, checked right now.

August 09, 2009, 07:30:38 am
Reply #7

ocean

Code:
http://opellove.com/html/modules/Forums/images/avatars
redirects always to the same webserver
 ;D

August 09, 2009, 07:48:56 am
Reply #8

MysteryFCM

I've reported the phish to uk2.net, who actually host it, and have also reported the fact that the number for them in their IP whois is invalid;

http://hosts-file.net/?s=83.170.85.196

I've tried reporting this to them before and never received a response, so will follow it up with a phone call tomorrow (they're closed today apparently) if no response is received (sent via their ticket system and via e-mail), and report back.
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

August 17, 2009, 10:09:49 am
Reply #9

ocean


August 17, 2009, 10:16:26 am
Reply #10

MysteryFCM

Sadly, the latter of those is a residential line, and it's in Taiwan, so going to be difficult to get taken down. Your best bet is to send the info to first-team AT cert.org.tw
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net