Monday 22 April 2013

Phish a phisher

Everything started from a simple phishing mail as usual...
And some traps who have do all the magic... i've phished the phisher.

Some phishing pages on a compromised server:

The guys behind these fishs is know as 'Tonix', here is a screenshot of his mail adress:
Here, Tonix test his fake paypal template, the link lead on a phishing redirector.

The server was hacked due to a vulnerability with 'lang_wmps' the hacker have uploaded a well know backdoor: WSO

Paypal Phishing:

After re-hacking the compromised server and changing the pass of the backdoor we got the mail adress: let's have a look now:
256 mails (without mails inside the junk folder and deleted folder) this email is used only for his phishing activities.

On the 'sent mail' folder there is mails of 2012 with phished datas.

The case of Phyllis Stevens, datas phished the 14 april 2013:

Phyllis Stevens credit card used to buy a server the 15 april 2013:

Tonix leaved several trace of him, example here testing his phishing page:

Same IP found on access log who connect to the backdoor: is a ExpressVPN IP:

And of course, Tonix use/carded this service:

On another compromissed server, you can clearly see another IP exploiting and login.

SQL injection used: is a VPS IP and the user-agent on access logs tell us that he used Havij to exploit the SQL vulnerability:
The phishing spam is also sent from this machine.
Having fun with metasploit and the good MS12-020
not worked here but i should do that more often on carded vps :)

Tonix have access to several compromised VPS, some even warn you:

He have also some compromised POS:

Brute force attack on another compromised server:
Failed exploitation for a plugin who don't exist:

Bank Of America phishing:

The phishing kit used for Bank Of America is even backdoored, did Tonix know that ?
 And also $remote = $_POST['REMOTE_ADDR'];
Paypal and Bank Of America phishings can be downloaded here:

The attacker ( according to log files used the edit template feature of Joomla to upload a backdoor.
Also seem someone tryed to find a phishing kit archive, here is what i've found inside the log file:

Another example:

Tonix seem Albanian and have did several orders with his real identity.
I've found various SMS in Albanian with his phone number, most of messages are about chilling with friends.

On another email the phone number is the same for shipping information of 'Faton':
Tonix is a big fan of Juventus, some of his passwords are even related to this club.
He have do many sites related to Juventus, like
A whois give us an ytahoo adress 'rodrigue123456789' registered by Tonix.

On another order, same shipping information:
Beats by dr.dre registration to 'faton':
DHL tracking for a product:
Apple store carding:
Order to Arben (a friend of him?):
Another order to Arben:
Failed order to Adnan:

Although one order seem not carded:

Seems like he's been doing phishing/carding since 2011:

Visual map based on shipping details:

Faton selling stuff, the phone number is the same for carded stuff.

Facebook profile:

I got the confirmation that it's him on facebook via his twitter profile
Same head, same interest in Juventus, same location but the website link have not the same gTLD.
After searching a whois, the email is registered to Toni and registrant details make me think he carded the domain.
He even carded a domain for a member of his family

Anyway with everything here i'm not going to give his details to authority, but he should take care and leave the business, carding and phishing is definitely not for him.


  1. Awesome work there Steven. More! :-)

  2. you pwnd that guy WAY TO HARD

  3. too much pwnage for ********!

  4. He deserves to get punished. People like him cause trouble for so many people. He is lucky because I would send his data to he police to ensure this guy will learn his lection.

  5. Franchement à ta place j'aurais disclo le tout.

  6. Hey Steven, i love your research and work
    I notice you use irc, may i know it to chat more :)

    If anything you can contact me here

  7. Lol, Nice work :P

  8. >:p haha tu l'as ruiné! GG

  9. How did you get access to his email?

  10. according to the map hes in kosovo, not albania

  11. wow xyli you friggin rock.

  12. So let me get this straight, you are not gonna report this guy, you are just going to pray/hope that he stops scamming innocent people, right?

    1. @fd to continue what you said: well...that's stupid if you think he's gonna stop... :|

  13. DAFUQ !!!! .... ;) w

  14. Hehe, thank you for your time Steven. I had his ip and other evil stuff on our server. I was too busy cleaning the shit, so I bow to you for you effort in gaining the needed information, to bring him to justice.

    The sad thing is that I think that the albanian justice department won't do anything against him.

    We should punish him in making his life a bit harder when ever he joins the web :)

  15. Knowing how things work around here (the Balkans) I wish you post his real name because I doubt he will get any other punishment. Make him famous :)

  16. Nice work, but you should report this cunt.

  17. Seriously, there's no way this guy is going to stop. He'll change his tactics, operate a little more securely, and be a bit more careful. Turn him in.

  18. It is great work... Phishers should know that , there are others also who could do this.. Noone is ace....

  19. Great job sleuthing. IMHO you need to report him. He wont stop until he's caught. For you to go this far without reporting him seems like a wasted effort... although fun :)

  20. Its easy to find out the real details of this guy from Xyli's details, so any one of us could report him.


  22. Great job! I am not the best person online but your work really inspires, keep it up.

  23. Belle démonstration. J'adore ton blog, c'est vraiment passionnant.

    Nice Démo. I love your blog, it s very exciting.

  24. wow dis is so extreme..owning...nice1. :D honestly me too do bad your really good..weldone..

  25. Глупав шиптар...

  26. How can you figure out who is trying to fuck me with the paypal western union scam? He thinks everything is good and I don't know what he is trying to do. I have all the emails and his emails. It started from an ad on Kijiji and I have everything from the beginning. THE REAL ANONYMOUS PLEASE HELP ME!!!!