Thursday 14 February 2013

You're valentine is a carder

Small research done on severals compromissed RDP (and compromissed machines include a Medical one)

Mail extractor:
https://www.virustotal.com/file/24f48f4934872185983e7966bcfad309efee598c6b26f474929c2d9c3c341825/analysis/1360598076/

Mass mailer:
https://www.virustotal.com/file/d04c0af99334244e070e65d07d329b1fbb13d19aeffff25a89ffb989ff9569f3/analysis/1360597550/
Who come form
gicutzu.byethost33.com/vnc/ams1.zip
gicutzu.byethost33.com/vnc/ams.zip

Mailing:

Message body:
This is HTML source of message you composed. Do not modify here.</COMMENT>
To modify this message press HTML Messages Editor button.</COMMENT>
<HTML><HEAD><TITLE></TITLE>
</HEAD>
<BODY bgcolor=#FFFFFF leftmargin=5 topmargin=5 rightmargin=5 bottommargin=5>
<FONT size=2 color=#000000 face="Arial">
<DIV>
 DEAR SIR/MADAM</DIV>
<DIV>
 </DIV>
<DIV>
My name is Mercy Johnson am 75yrs old of age and I stay in white river</DIV>
<DIV>
New York City,USA.I am a good merchant, I have several industrial</DIV>
<DIV>
companies and good share in various banks in the world. I spend all my</DIV>
<DIV>
life on investment and corporate business. All the way I lost my</DIV>
<DIV>
husband and two beautiful kids in fatal accident that occurred in</DIV>
<DIV>
November 5th 2003.</DIV>
<DIV>
 </DIV>
<DIV>
I am a very greedy woman with all cost I dont know much and care about</DIV>
<DIV>
people, since when I have an experience of my families death, its</DIV>
<DIV>
difficult to sleep and give rest, later in the year 2004 February I</DIV>
<DIV>
was sent a letter of medical check up, as my personal doctor testify</DIV>
<DIV>
that I have a lung cancer, which can easily take off my life soon.</DIV>
<DIV>
 </DIV>
<DIV>
I found it uneasy to survive myself, because a lot f investment cannot</DIV>
<DIV>
be run and manage by me again. I quickly call up a pastor/prophet to</DIV>
<DIV>
give me positive thinking on this solution as my adviser. He minister</DIV>
<DIV>
to me to share my properties ,wealth, to motherless baby/orphanage</DIV>
<DIV>
homes/people that need money for survivor both student that need money</DIV>
<DIV>
for schooling, business woman and man for their investment and for</DIV>
<DIV>
future rising.</DIV>
<DIV>
 </DIV>
<DIV>
So therefore I am writing this letter to people who are really in need</DIV>
<DIV>
of help from me both student in college to contact me urgently, so</DIV>
<DIV>
that I can make an available preparation on that.</DIV>
<DIV>
 </DIV>
<DIV>
Especially women of the day, who are divorced by their husband, who</DIV>
<DIV>
cannot survive the mist of feeding their self, please contact me and</DIV>
<DIV>
stop weeping. Probably let me now what you really need the money for</DIV>
<DIV>
and if you can still help me to distribute money to nearest orphanage</DIV>
<DIV>
homes near your town. Now am so much with God, am now born again. May</DIV>
<DIV>
the lord bless you as you reach me, please to remind you, dont belongs</DIV>
<DIV>
to scammers or any act of fraud lent on internet. I will give more</DIV>
<DIV>
information to you as I await your response immediately.</DIV>
<DIV>
 </DIV>
<DIV>
Best Regards,</DIV>
<DIV>
Mrs. Mercy Johnson.</DIV>
</FONT>
</BODY></HTML>

GroundLabs.Card.Recon.v1.14.7-Lz0:
https://www.virustotal.com/fr/file/ce449ea544f8d524648d429faa1ae68b7572501cf21997d31c6b467f55e8600d/analysis/1360597849/
Legit signed application but carders use it to find credit cards.

Win32/Spy.POSCardStealer.A:
https://www.virustotal.com/file/af35e64fac9c73bbaa5e8658cc5d8f3057a89e745fd8d9ffa2ef224209138dc2/analysis/1360596995/
https://www.virustotal.com/file/180ed8d4e9d5ebdc7f7179b4cacc73ed0804e7c720d9710fcc20454a5ba163cb/analysis/1360596997/

Win32/Spy.POSCardStealer.C:

Carding tentative:
Also found that on the history:
https://travelsim.bg/checkout_final.php?OrderID=2422&Message=Success.+%2800%29
kentus555@gmail.com

firefox history for another rdp:
"yancymagnus@gmail.com"


AutoComplete feature of browser says "markfenton46" for validshop and "samx" as captcha

Craiglist mailer:
https://www.virustotal.com/fr/file/5408075078177c45bfca318d6291c078beb1eb0f6c8dd6fb1a3f007b2e280fff/analysis/1360711350/

Phishing:

RDP scanner:
https://www.virustotal.com/file/d53fb2aa459eb50e3d16f17835db3246e3016389cfa63c126263e24fa18729e7/analysis/1360711410/

Game server:

VNC scanner:
https://www.virustotal.com/file/835dd84eed9acff7056ded87d9672d725b915924323b5981737bd2ed5162efb4/analysis/1360711486/

After this first try, i've installed a keylogger to monitor carders activities.
Logs:



Screenshots took by the keylogger:














• dns: 2 ›› ip: 98.139.135.21 - adresse: WEIGHT-LOSS-RESOURCE.COM

Libery reserve on clipboard:

They download pictures of womens and creat fake dating profiles to contact people saying always the same things:


"koksjulian":
"SabensSandraDarleneF":

Registering a fake profile on 'POF'

"Hello my name is brotney" (fail)

Yahoo login:

Svetlana case:


Fake accounts on various dating sites, downloading a picture of a girl for "lavaplace":

Creating a fake profile:

Looking for people on "Zoosk":

And more and more:



Contacting a guys on "lavaplace":


And more and more, without forgiving to tell them a "happy valentines day":

Searching for more people:

Sending the same message to people:

Let's do some spam also:

Mail:

Some guys look surprised by the age difference:
---

Received messages on yahoo:

I don't talk about that here but compromised machines was also used alot for buy stuff with stolen credit cards according to my logs: LCD monitor, plane tickets... and some other shit's (i've not really looked what they have do with stolen money)
If you are part of the good force and interested by a copy of logs, drop me a mail.



Happy Valentine's Day.

2 comments:

  1. Interesting post as always! I find some RDP machines as well but most are honeypots so I can't investigate anything and write anything... Which username/password combination did you use?

    ReplyDelete
  2. I also support the statement that Card Recon is a legit application. I work in an IT security team and we use it to make sure our systems don't store credit cards. Its downloadable from http://www.groundlabs.com/software/card-recon/cardholder-data-discovery
    Its a shame the bad guys also got their hands on it because its a great tool for us good guys.

    ReplyDelete