Friday 8 March 2013

Liberty Reserve phishing

Since some days i receive Liberty reserve (a Costa Rica-based payment processor) phishings, i usually don't see LR phishs.

no_reply@libertyreseve.com
Recevied yesterday, 13.3.7 (07/03/13)
 Leading on a legit liberty reserve payement page
https://sci.libertyreserve.com/?lr_acc=U2909099

And today, leading on phishing, still same sender:
no_reply@libertyreseve.com

The hyperlink lead to 64.32.10.171 who lead on libretyeserve.com (204.188.221.238)
http://libretyeserve.com/start.php
http://libretyeserve.com/a.php
http://libretyeserve.com/logipin.php
http://libretyeserve.com/welcome.php
http://libretyeserve.com/start.php
http://libretyeserve.com/captcha.php
http://libretyeserve.com/transfer.php
http://libretyeserve.com/index_old.php
http://libretyeserve.com/curl.php
http://libretyeserve.com/cookies/
http://libretyeserve.com/temp/
http://libretyeserve.com/logs/
https://www.virustotal.com/fr/url/729a0778a90efa48b4508661cd1fad4c140e7ee9ded8c5a56f89f3b6c754212b/analysis/1362751719/

64.32.10.171 ~
http://64.32.10.171/index1.php
http://64.32.10.171/config.php
http://64.32.10.171/js/core.js
http://64.32.10.171/logs/welcome_lpin.html
http://64.32.10.171/templates/welcome.html
http://64.32.10.171/templates/transfer.html
http://64.32.10.171/templates/login.html
http://64.32.10.171/templates/success.html
http://64.32.10.171/templates/cancel.html
http://64.32.10.171/templates/purpose.html
http://64.32.10.171/templates/index_old.html
http://64.32.10.171/templates/confirm.html
http://64.32.10.171/en/
https://www.virustotal.com/fr/url/3d50e4b5072439be2f4537825a99014dbfa75d8c980c1abdcb664cee58a7ae2e/analysis/1362751808/
Beware, they are not yet detected by Google Safe Browsing and shit's

Also, I currently work on a huge project who take all my attention for the moment (that the reason of my inactivity here)
i'll be back in ~1 week.



4 comments:

  1. Find mail from second screenshot on gmail's spam folder

    ReplyDelete
  2. Please don't leave ! We will miss you !

    ReplyDelete
  3. Xylitol, we want more cracking/unpacking videos! They are very instructive!

    ReplyDelete
  4. yes, that is very interesting script phishing lr,

    ReplyDelete