These days they target EDF and CAF, and are back with Carrefour.
EDF: http://www.phishtank.com/phish_detail.php?phish_id=1720045 > 2/33
Dumped pages: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2431#p18023
The mechanism is interesting on this one:
It extracts a zip file into a freshly created directory and writes each EDF customer's IP address to Vcounter.txt.
Seems the bad guys tested it to see if everything works :)
(Cf. the access logs in http://www.xylibox.com/2013/01/phish-bankfraudphpmailerphpshell.html)
The bad guys left Backdoor.PHP.WebShell.BD (WSO 2.4) behind, as usual:
And some other crap...
For CAF and Carrefour they did not use hijacked servers (only for the redirect).
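The indicators above (a zip kit unpacked into a new directory, a Vcounter.txt holding victim IPs, and a leftover WSO shell) are exactly what you look for when triaging a compromised web root. The script below is an added example, not code from the post or from the phishing kit; it assumes Vcounter.txt holds one IP per line and that a WSO shell can be recognised by its WSO_VERSION define, and it runs against a constructed sample web root built in a temp directory.

```python
"""Triage a web root for the phishing-kit artifacts described in the post.

Indicators taken from the post: Vcounter.txt (victim IP log), a zip archive
unpacked into a freshly created directory, and a leftover WSO 2.4 web shell.
Assumptions (not from the post): one IP per line in Vcounter.txt, and the
WSO_VERSION define as a marker for WSO-family shells.
"""
import ipaddress
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass, field

# Assumed markers for WSO-family shells (assumption, not stated in the post).
WSO_MARKERS = (re.compile(rb"WSO_VERSION"), re.compile(rb"\bwsoEx\b"))


@dataclass
class TriageReport:
    victim_ips: list = field(default_factory=list)
    kit_archives: list = field(default_factory=list)  # (archive, [extracted dirs])
    webshells: list = field(default_factory=list)


def parse_vcounter(path):
    """Return the valid IP addresses logged in a Vcounter.txt file, in order."""
    ips = []
    with open(path, "r", errors="replace") as fh:
        for line in fh:
            token = line.strip()
            try:
                ips.append(str(ipaddress.ip_address(token)))
            except ValueError:
                continue  # skip blanks and junk the kit may have appended
    return ips


def looks_like_wso(path):
    """Cheap signature check: any WSO marker in the file body."""
    with open(path, "rb") as fh:
        data = fh.read()
    return any(m.search(data) for m in WSO_MARKERS)


def find_extracted_copies(archive, webroot):
    """Directories (relative to webroot) holding files with the same names as the
    archive's members, i.e. where the kit was probably unpacked. Generic member
    names such as index.php will produce noise; review hits by hand."""
    with zipfile.ZipFile(archive) as zf:
        members = {os.path.basename(n) for n in zf.namelist() if not n.endswith("/")}
    archive_dir = os.path.abspath(os.path.dirname(archive))
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        if os.path.abspath(dirpath) == archive_dir:
            continue  # the archive's own directory is not an extraction target
        if members & set(files):
            hits.append(os.path.relpath(dirpath, webroot))
    return sorted(hits)


def triage(webroot):
    """Walk the web root and collect the three indicator classes."""
    report = TriageReport()
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot)
            if name == "Vcounter.txt":
                report.victim_ips.extend(parse_vcounter(full))
            elif name.lower().endswith(".zip") and zipfile.is_zipfile(full):
                report.kit_archives.append((rel, find_extracted_copies(full, webroot)))
            elif name.lower().endswith(".php") and looks_like_wso(full):
                report.webshells.append(rel)
    return report


def build_fixture_and_triage():
    """Constructed sample web root mimicking the post's kit (not real data)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    fake_page = "<?php /* constructed fake login page */ ?>"
    # The kit archive and the directory it was unpacked into.
    with zipfile.ZipFile(os.path.join(root, "edf.zip"), "w") as zf:
        zf.writestr("particulier/login.php", fake_page)
    kit_dir = os.path.join(root, "edf_kit", "particulier")
    os.makedirs(kit_dir)
    with open(os.path.join(kit_dir, "login.php"), "w") as fh:
        fh.write(fake_page)
    # Victim IP log (documentation IPs), with a junk line the parser must skip.
    with open(os.path.join(root, "edf_kit", "Vcounter.txt"), "w") as fh:
        fh.write("203.0.113.7\n198.51.100.23\nnot-an-ip\n")
    # Leftover shell next to a benign script.
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "images", "wso.php"), "w") as fh:
        fh.write("<?php define('WSO_VERSION', '2.4'); /* constructed stub */ ?>")
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>")
    return triage(root)


if __name__ == "__main__":
    print(build_fixture_and_triage())
```

Run it against a real web root with `triage("/var/www")`; the Vcounter.txt IPs are the victim list you hand to the targeted bank, and every WSO hit is a host that needs a full rebuild, not just file deletion.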
The CAF mail is just a big failure:
Bank customers reply to phishing e-mail:
A new tool has appeared; phishers will probably be interested.
Also, I got an interesting mail:
I consider myself borderline: I re-break these servers with my real IP to get the malicious stuff.
I leave files untouched, including the hackers' files; sometimes I probably make more mess than them in the log files, but I don't edit them to hide my IP.
I have never been sued for hacking a compromised machine and I hope that will not happen.