Monday 29 April 2013

Fake carding shops

Nothing new here, just three forums used to scam stupid people like carders.
It's always the same method: advertising via spam, and you must pay a fee to view the content.

Our first forum is a phpBB with fake statistics.
• dns: 1 ›› ip: 50.7.199.110 - adresse: FORUMSCC.COM

The forum looks huge:

Users are charged a $0.5 LR fee to view forums:

Fake online users:

Second example, fake carding shop:
• dns: 1 ›› ip: 96.125.170.142 - adresse: MARALIMACLASSIC.COM.BR

The captcha is iframed:

When you complete the name field and click login, you are always redirected to register.html

The site index is defaced by a random lamer:

register.html

When you click to register you are redirected to a fake Liberty Reserve page:
• dns: 1 ›› ip: 198.24.144.50 - adresse: SCI.LIBIRTYRESERVES.COM

Another fake site, probably done by the same guys:
Mailer:
Some other files found on the compromised server, cPanel bruteforcer:
Another cPanel bruteforcer:
Ac1db1tch3z x86/x64 Linux kernel exploit (EXP/Linux.Small.AU):

The mail leads here:
• dns: 1 ›› ip: 199.79.62.93 - adresse: ZCB.CO.IN
And when you click on register...
• dns: 1 ›› ip: 50.28.73.7 - adresse: SCII.LIBERTYERESERVE.COM

PHP stuff can be found here: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2410&p=19111#p19111
EXP/Linux.Small.AU here: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2697#p19112

2 comments:

  1. complementing xilibox, some hackers station having fun because email accounts and lr these scammers have been hacked, and he cocerteza website owner forumscc.com, mtfucker scammer,

  2. This website forumscc.com is vulnerable to DoS attacks and SQL injection, verify:
    http://prntscr.com/12rehb
    http://prntscr.com/12rgrz
