And some traps that did all the magic... I've phished the phisher.
Some phishing pages on a compromised server:
The guy behind these phishes is known as 'Tonix'; here is a screenshot of his mail address:
The server was hacked via a vulnerability in 'lang_wmps'; the hacker uploaded a well-known backdoor: WSO.
After re-hacking the compromised server and changing the password of the backdoor, we got the mail address:
firstname.lastname@example.org... let's have a look now:
In the 'sent mail' folder there are mails from 2012 with phished data.
The case of Phyllis Stevens, data phished on 14 April 2013:
Phyllis Stevens' credit card used to buy a server on 15 April 2013:
Tonix left several traces of himself, for example here, testing his phishing page:
The same IP is found in the access log connecting to the backdoor:
18.104.22.168 is an ExpressVPN IP:
And of course, Tonix uses/carded this service:
SQL injection used:
22.214.171.124 is a VPS IP, and the user-agent in the access logs tells us that he used Havij to exploit the SQL vulnerability:
Tonix has access to several compromised VPS; some even warn you:
He also has some compromised POS:
Brute force attack on another compromised server:
Bank Of America phishing:
The phishing kit used for Bank Of America is even backdoored; did Tonix know that?
The Paypal and Bank Of America phishing kits can be downloaded here: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2431&start=10#p19028
The attacker (126.96.36.199), according to the log files, used the edit-template feature of Joomla to upload a backdoor.
It also seems someone tried to find a phishing kit archive; here is what I found inside the log file: http://pastebin.com/XWx8DXuZ
Tonix seems Albanian and has placed several orders with his real identity.
I've found various SMS in Albanian with his phone number; most of the messages are about chilling with friends.
In another email the phone number is the same as the shipping information of 'Faton':
He has made many sites related to Juventus, like grandejuve.com
A whois gives us a Yahoo address, 'rodrigue123456789', registered by Tonix.
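As an added example (not from the original post), a small Python triage script that applies the same access-log correlation the investigation relies on: flag requests whose User-Agent names the SQL injection tool, hits on a webshell path, and use of Joomla's template editor, then group the hits by source IP. The log lines, the IP addresses, the webshell filename and the exact Joomla URL are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample Apache combined-log lines (not from the original post).
# IPs are documentation addresses; the webshell filename and Joomla URL are assumed.
SAMPLE_LOG = """\
192.0.2.10 - - [14/Apr/2013:10:01:02 +0000] "GET /index.php?id=1%27%20and%201=1 HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) Havij"
192.0.2.10 - - [14/Apr/2013:10:05:44 +0000] "POST /images/stories/wso.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/20.0"
198.51.100.7 - - [14/Apr/2013:11:00:00 +0000] "GET /administrator/index.php?option=com_templates&task=edit_source HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/20.0"
203.0.113.5 - - [14/Apr/2013:12:00:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/26.0"
"""

# Apache "combined" format: ip ident user [ts] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators taken from the post: a SQLi tool that names itself in the UA,
# a webshell filename (assumed), and Joomla's template editor being abused.
SUSPICIOUS_UA = ("havij",)
WEBSHELL_PATHS = ("/wso.php",)
ADMIN_ABUSE = ("option=com_templates",)

def classify(entry):
    """Return the list of indicator tags that one parsed log entry matches."""
    tags = []
    ua = entry["ua"].lower()
    path = entry["path"].lower()
    if any(s in ua for s in SUSPICIOUS_UA):
        tags.append("sqli-tool-ua")
    if any(p in path for p in WEBSHELL_PATHS):
        tags.append("webshell")
    if any(a in path for a in ADMIN_ABUSE):
        tags.append("joomla-template-edit")
    return tags

def triage(log_text):
    """Map each source IP that triggered an indicator to its sorted list of tags."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole pass
        for tag in classify(m.groupdict()):
            hits[m["ip"]].add(tag)
    return {ip: sorted(tags) for ip, tags in hits.items()}

if __name__ == "__main__":
    for ip, tags in triage(SAMPLE_LOG).items():
        print(ip, ", ".join(tags))
```

An IP that both carries the tool's User-Agent and later reaches the webshell is the correlation the post draws by hand; the script makes that pivot repeatable across a full log.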
On another order, same shipping information:
Although one order seems not carded:
Seems like he's been doing phishing/carding since 2011:
Visual map based on shipping details:
Faton selling stuff; the phone number is the same as for the carded stuff.
I got confirmation that it's him on Facebook via his Twitter profile.
After searching a whois, the email is registered to Toni, and the registrant details make me think he carded the domain.
Anyway, with everything here, I'm not going to give his details to the authorities, but he should take care and leave the business; carding and phishing are definitely not for him.