Author Topic: Phishbank attacks  (Read 5413 times)

Offline ZWarrior

  • Administrator
  • Hero Member
  • *****
  • Posts: 7798
  • Karma: 8
  • Shhh! Be wery wery qwiet...
    • View Profile
    • Ambush!
Phishbank attacks
« on: March 23, 2005, 11:50:03 PM »
Greets,
Just a heads up: there is a fairly new phishing message out there that will also try to install malicious software.

It is called Phishbank, and there are already several variants.

I received a valid-looking message from PayPal in HTML format.  The link looked real, and all looked kosher.  But my spidey-sense said otherwise.  So I right-clicked and tried to view the source code for the message.  As soon as I did that my virus protection software went ballistic and deleted the text, and alerted me to the virus.

Here is a link to some basic info:
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=39292

Apparently only CA has the new variants that load the software, all the others only have the strict Phishing attempt alone.
--------------------------------
Zoë: Shepard, isn't the Bible kind of specific about killing?
Book: Very specific. It is, however, somewhat fuzzy around the area of kneecaps.

Offline ZWarrior

  • Administrator
  • Hero Member
  • *****
  • Posts: 7798
  • Karma: 8
  • Shhh! Be wery wery qwiet...
    • View Profile
    • Ambush!
Phishbank attacks
« Reply #1 on: March 24, 2005, 12:15:50 AM »
Took a little finagling, but I now have the source for the email.  These guys were pretty sneaky.  They actually do send you to the PayPal website for all the links, but one of them first runs some code from a different website before sending you there.  Very sneaky.

Here are the addresses with the http:// disabled in front if anyone wants to get sneaky.  The site must still be up because the virus was still being sent to me. I have also reversed the leading "<" to stop the webpage from hiding the code.


Quote

>FORM action="(http:// removed)rds.yaho&#10;o.com/*(http:// removed)www&#9;.google.com/url" method=get target=_blank>

>INPUT type=hidden value=(http:// removed)rds.yahoo.com/*(http:// removed)82.76.121.28/%6D%61%6E%75%61%6C/webscr/ name=q>

>INPUT style="BORDER-RIGHT: 0px solid; BORDER-TOP: 0px solid; BACKGROUND: none transparent scroll repeat 0% 0%; BORDER-LEFT: 0px solid; COLOR: #000080; BORDER-BOTTOM: 0px solid" type=submit value=(https:// removed)www.paypal.com/cgi-bin/webscr?cmd=_update>

>/FORM>

Notice that the INPUT tags have correct addressing, but the FORM tag sends you to somewhere else entirely.

Nasty that.

[Edited on 3-24-2005 by ZWarrior]
--------------------------------
Zoë: Shepard, isn't the Bible kind of specific about killing?
Book: Very specific. It is, however, somewhat fuzzy around the area of kneecaps.
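
The mismatch pointed out in the post above (a submit button that displays one address while the form's action and hidden field name other hosts, chained through a redirector and disguised with character entities and percent-encoding) can be checked mechanically. The following is an added example, not part of the original thread; the host names, the address 192.0.2.10 and the finding labels are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>*]+", re.I)  # '*' splits redirector chains
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")       # dotted-quad hosts only

def hosts_in(value):
    """Hosts of every URL in value; tab/CR/LF are dropped, as browsers do."""
    cleaned = re.sub(r"[\t\r\n]", "", unquote(value))
    return [h for h in (urlsplit(u).hostname for u in URL_RE.findall(cleaned)) if h]

class FormAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms, self.current = [], None
    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        if tag == "form":
            self.current = {"targets": [a.get("action", "")], "shown": []}
            self.forms.append(self.current)
        elif tag == "input" and self.current is not None:
            key = "shown" if a.get("type", "").lower() == "submit" else "targets"
            self.current[key].append(a.get("value", ""))
    def handle_endtag(self, tag):
        if tag == "form":
            self.current = None

def audit(html):
    """Sorted (reason, host) findings for every form in an HTML message body."""
    parser = FormAudit()
    parser.feed(html)
    findings = set()
    for form in parser.forms:
        shown = {h for v in form["shown"] for h in hosts_in(v)}
        for value in form["targets"]:
            hosts = hosts_in(value)
            if hosts and re.search(r"[\t\r\n]", value):
                findings.add(("whitespace-in-url", hosts[0]))
            for host in hosts:
                if IPV4_RE.fullmatch(host):
                    findings.add(("ip-literal", host))
                elif shown and host not in shown:
                    findings.add(("host-mismatch", host))
    return sorted(findings)

# Constructed sample: same shape as the quoted form, reserved names and address.
SAMPLE = """<form action="http://rds.redir.exa&#10;mple/*http://www&#9;.search.example/url">
<input type="hidden" name="q" value="http://rds.redir.example/*http://192.0.2.10/%6D%61/webscr/">
<input type="submit" value="https://www.bank.example/cgi-bin/webscr?cmd=_update"></form>"""
```

Calling `audit()` on the HTML part of a message returns an empty list when no form displays one host while submitting to another.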

Offline Mr_Anderson

  • Hero Member
  • *****
  • Posts: 2765
  • Karma: 1
    • View Profile
Phishbank attacks
« Reply #2 on: March 24, 2005, 12:14:29 PM »
Thanks for the update!
Don't fear, the Rocket Master is here!

:RPG:

Offline JollyRoger

  • That's Captain
  • Hero Member
  • *****
  • Posts: 3965
  • Karma: 5
  • I be plundering the interweb for booty.
    • View Profile
Phishbank attacks
« Reply #3 on: March 24, 2005, 12:23:21 PM »
That was nice. Most of the time you get sent to a dummy site.
These guys were pretty sneaky. Now I want to smack them around a little. ZW, did you get an origin?
No matter how hard you try to push the envelope, remember it's only stationary.

Offline ZWarrior

  • Administrator
  • Hero Member
  • *****
  • Posts: 7798
  • Karma: 8
  • Shhh! Be wery wery qwiet...
    • View Profile
    • Ambush!
Phishbank attacks
« Reply #4 on: March 24, 2005, 12:52:50 PM »
I haven't had a chance to pursue beyond the code above.  It was late and I didn't want to try and wrap my head around the obfuscation, just my pillow.
--------------------------------
Zoë: Shepard, isn't the Bible kind of specific about killing?
Book: Very specific. It is, however, somewhat fuzzy around the area of kneecaps.

Offline JollyRoger

  • That's Captain
  • Hero Member
  • *****
  • Posts: 3965
  • Karma: 5
  • I be plundering the interweb for booty.
    • View Profile
Phishbank attacks
« Reply #5 on: March 24, 2005, 01:45:01 PM »
Dude, you're not supposed to wrap your head around the pillow, it's supposed to wrap around your head! And you think Snauz is backwards. Sheesh!
No matter how hard you try to push the envelope, remember it's only stationary.

Offline Mr_Anderson

  • Hero Member
  • *****
  • Posts: 2765
  • Karma: 1
    • View Profile
Phishbank attacks
« Reply #6 on: March 24, 2005, 02:51:55 PM »
Do it either way, you'll just end up choking.
Don't fear, the Rocket Master is here!

:RPG:

Offline JollyRoger

  • That's Captain
  • Hero Member
  • *****
  • Posts: 3965
  • Karma: 5
  • I be plundering the interweb for booty.
    • View Profile
Phishbank attacks
« Reply #7 on: March 24, 2005, 03:06:13 PM »
what you don't use a pillow?
No matter how hard you try to push the envelope, remember it's only stationary.

Offline Mr_Anderson

  • Hero Member
  • *****
  • Posts: 2765
  • Karma: 1
    • View Profile
Phishbank attacks
« Reply #8 on: March 24, 2005, 03:07:51 PM »
I do use a pillow, it's just I don't wrap it around my head.
Don't fear, the Rocket Master is here!

:RPG:

Offline JollyRoger

  • That's Captain
  • Hero Member
  • *****
  • Posts: 3965
  • Karma: 5
  • I be plundering the interweb for booty.
    • View Profile
Phishbank attacks
« Reply #9 on: March 24, 2005, 03:09:27 PM »
:lol:lol you should try, you might get a more restful sleep :D
No matter how hard you try to push the envelope, remember it's only stationary.

Offline Mr_Anderson

  • Hero Member
  • *****
  • Posts: 2765
  • Karma: 1
    • View Profile
Phishbank attacks
« Reply #10 on: March 24, 2005, 03:12:58 PM »
Who needs sleep?

Drink more bawls!
:beer: :beer: :beer:
Don't fear, the Rocket Master is here!

:RPG:

Offline ZWarrior

  • Administrator
  • Hero Member
  • *****
  • Posts: 7798
  • Karma: 8
  • Shhh! Be wery wery qwiet...
    • View Profile
    • Ambush!
Phishbank attacks
« Reply #11 on: March 24, 2005, 03:27:33 PM »
*Looks at Anderson, looks at Jolly, shakes his head and walks away*

*sigh*
--------------------------------
Zoë: Shepard, isn't the Bible kind of specific about killing?
Book: Very specific. It is, however, somewhat fuzzy around the area of kneecaps.

Offline Mr_Anderson

  • Hero Member
  • *****
  • Posts: 2765
  • Karma: 1
    • View Profile
Phishbank attacks
« Reply #12 on: March 24, 2005, 03:28:23 PM »
...
Don't fear, the Rocket Master is here!

:RPG:

Offline JollyRoger

  • That's Captain
  • Hero Member
  • *****
  • Posts: 3965
  • Karma: 5
  • I be plundering the interweb for booty.
    • View Profile
Phishbank attacks
« Reply #13 on: March 24, 2005, 03:29:07 PM »
:D
No matter how hard you try to push the envelope, remember it's only stationary.

Offline Mr_Anderson

  • Hero Member
  • *****
  • Posts: 2765
  • Karma: 1
    • View Profile
Phishbank attacks
« Reply #14 on: March 24, 2005, 03:29:35 PM »
:drool:
Don't fear, the Rocket Master is here!

:RPG:

Offline Wolverine of Ambush!

  • 88 Members
  • Hero Member
  • *****
  • Posts: 1350
  • Karma: -1
  • Ker-schnick!
    • View Profile
Phishbank attacks
« Reply #15 on: March 30, 2005, 12:55:22 PM »
I had a guy that sits next to me that gets several 'phish' emails everyday... WOW!  it's everywhere.:touched;
Class is in Session.  Get ready to be schooled! :hat:

Offline Mr_Anderson

  • Hero Member
  • *****
  • Posts: 2765
  • Karma: 1
    • View Profile
Phishbank attacks
« Reply #16 on: March 30, 2005, 01:21:25 PM »
Ouch....
Don't fear, the Rocket Master is here!

:RPG:

Offline Wolverine of Ambush!

  • 88 Members
  • Hero Member
  • *****
  • Posts: 1350
  • Karma: -1
  • Ker-schnick!
    • View Profile
Phishbank attacks
« Reply #17 on: March 30, 2005, 02:43:59 PM »
he gets like 100 or so everyday....:drummer:
Class is in Session.  Get ready to be schooled! :hat:

Offline JollyRoger

  • That's Captain
  • Hero Member
  • *****
  • Posts: 3965
  • Karma: 5
  • I be plundering the interweb for booty.
    • View Profile
Phishbank attacks
« Reply #18 on: March 30, 2005, 02:45:20 PM »
someone needs to start deploying his spam filters.
No matter how hard you try to push the envelope, remember it's only stationary.

Offline Wolverine of Ambush!

  • 88 Members
  • Hero Member
  • *****
  • Posts: 1350
  • Karma: -1
  • Ker-schnick!
    • View Profile
Phishbank attacks
« Reply #19 on: March 30, 2005, 02:45:41 PM »
I don't get them.... ???????
Class is in Session.  Get ready to be schooled! :hat:

Offline JollyRoger

  • That's Captain
  • Hero Member
  • *****
  • Posts: 3965
  • Karma: 5
  • I be plundering the interweb for booty.
    • View Profile
Phishbank attacks
« Reply #20 on: March 30, 2005, 02:56:37 PM »
nor do I, Me thinks your buddy at work needs to set up his spam filters
No matter how hard you try to push the envelope, remember it's only stationary.

Offline Mr_Anderson

  • Hero Member
  • *****
  • Posts: 2765
  • Karma: 1
    • View Profile
Phishbank attacks
« Reply #21 on: March 30, 2005, 03:28:23 PM »
Yea, I get tons of spam for some weird reason.  I have to basically filter everything.
Don't fear, the Rocket Master is here!

:RPG: