Intesa Sanpaolo CC info stealing

[ocean]

comes with email spam

Code: [Select]

From - Sun Jul 26 10:59:37 2009
X-Account-Key: account2
X-UIDL: AC9z+FcAAD+aSmtwXgFfLw4toqo
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:                                                                                 
X-Apparently-To: ********* via 87.248.115.47; Sat, 25 Jul 2009 13:51:41 -0700
X-YMailISG: bDl9LncWLDvN3KXmzxJFoFOHflPbVlqR0Cl.nSqW08HBYXD3j4IHdzH_jvJwPmE6qHdfVu6nTdWPtaEjcvx2bSZWYoxG3PIjVic16nPLNRkzbnAVyqTJOV.rgb9O.wJHU33i4pGEuQiaGcfWBxKZOk5t8lE36rGb1cd36TKXu535SW9aAHul79VEss7K9ZhykaVCS5W5PB8_OqbgbHliXlU8rctgovynAnXJ34lpJrw1BogAivSvmJUAbjF6kndY8Oo4GQQwgzfbmUal4qhcAYmeNrorj1vDzJGeYiAgTC5bUvNGPYC4zUUsUHSJvNMWbd3eb5.KEXt7z5fM3DtEKMtUtsKoUVlPmdbvPg30ncIuUhrhadHl1MR4iOAOq5GXj29eU1icCBdR7GwiV3drYGGLbs6bUjtUfZg_r07wtEmwDrEoKl1CPC3eHtuOF1qPDa2L8u5r0jSl8Tr3jRktI0xJrq5EP8Ja76pA7Hqe3TMH5AT4l.ApJ4HwhfXNC5DVu9yJ3bpssok24dG1CBztJcv5g_yCfNpvOErmaaxg
X-Originating-IP: [85.18.95.71]
Authentication-Results: mta125.mail.re2.yahoo.com  from=monetaonline.it; domainkeys=neutral (no sig); from=monetaonline.it; dkim=neutral (no  sig)
Received: from 85.18.95.71  (EHLO aa011msr.fastwebnet.it) (85.18.95.71)
  by mta125.mail.re2.yahoo.com with SMTP; Sat, 25 Jul 2009 13:51:34 -0700
Received: from User (79.39.194.81) by aa011msr.fastwebnet.it (8.5.016.6) (authenticated as marco_rosai@fastwebnet.it)
        id 4A53146002411C95; Sat, 25 Jul 2009 22:51:33 +0200
Message-ID: <4A53146002411C95@> (added by postmaster@aa011msr.fastwebnet.it)
From: "Moneta Online"<servizi@monetaonline.it>
Subject: La password de la sua carta Flash
Date: Sat, 25 Jul 2009 23:48:02 +0300
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1081
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1081
marco_rosai@fastwebnet.it i think is a compromised mail account Outlook Express 6.00 as X-Mailer could give an hint

87.248.115.47 seems to be a known mail server http://www.projecthoneypot.org/ip_87.248.115.47

Code: [Select]

La password de la sua carta Flash e stata inserita piu di tre volte.
Per proteggere la sua carta abbiamo sospenso il acceso.
Per recuperare il acceso prego di entrare
<http://www.umhcservices.com/mo/www.monetaonline.it/layout/03069/pop/dispores_card_01.html>
e completare la pagina di attivazione.


Grazie ancora per aver scelto i servizi on-line di carta FLASH.
I migliori saluti.

© Intesa Sanpaolo 2009

Servizio Clienti IntesaSanPaolo

Code: [Select]

http://www.umhcservices.com/mo/www.monetaonline.it/layout/03069/pop/dispores_card_01.html
i think umhcservices.com has been somehow compromised

a nice information inside page source:

Code: [Select]

<!-- Mirrored from www.monetaonline.it/layout/03069/pop/dispores_card_01.asp by HTTrack Website Copier/3.x [XR&CO'2008], Mon, 13 Apr 2009 23:59:34 GMT -->
i think also the author is a script-kiddie or someone with no particular care in what he's doing since in the page we can find:

Code: [Select]

La funzione \"Numero della virtual card\" sarà attivata entro il 28 dicembre 2000
wich means "The function "number of virtual card" will be activated before 28th December 2000" so no modifications has been done to the page since mirroring.

i've already sent a mail to technical and administrative contact of the domain.

best regards
ocean

[ocean]

another one

Code: [Select]

http://frankmin.com/60loc.htmthis time a redirect to

Code: [Select]

http://83.170.85.196/inex/www.monetaonline.it/layout/03069/pop/dispores_card_01.html
strange... spammed the same day the other page has been removed...
and this two websites uses a similar contact form, i'm investigating more on this "connection".

regards
ocean

[MysteryFCM]

Just an FYI, since the X-Mailer can be faked, it shouldn't be trusted as being real

[ocean]

yeah thanks i forgot about that and was just thinking to the classic outlook/mail worm

[ocean]

Code: [Select]

http://www.andrewgraham-yooll.com.ar/test.php3redirects to the same of the other post

Code: [Select]

http://83.170.85.196/inex/www.monetaonline.it/layout/03069/pop/dispores_card_01.html

[MysteryFCM]

Thats 404'ing for me?

[ocean]

for me is working, checked right now

[ocean]

Code: [Select]

http://opellove.com/html/modules/Forums/images/avatarsredirect always to the same webserver
 

[MysteryFCM]

I've reported the phish to uk2.net, who actually host it, and have also reported the fact that the number for them in their IP whois, is invalid;

http://hosts-file.net/?s=83.170.85.196

I've tried reporting this to them before and never received a response, so will follow it up with a phone call tomorrow (they're closed today apparently) if no response is received (sent via their ticket system and via e-mail), and report back.

[ocean]

thanks MysteryFCM, really good work

another one:

http://host188.190-30-65.telecom.net.ar/appserv/README-cn.php

redirects to

http://211.74.48.156/appserv/www.paypal.com/index.htm

regards
ocean

[MysteryFCM]

Sadly, the latter of those is a residential line, and it's in Taiwan, so going to be difficult to get taken down. Your best bet is to send the info to first-team AT cert.org.tw