[nsp-sec] sms vishing

Smith, Donald Donald.Smith at qwest.com
Fri Mar 14 19:24:43 EDT 2008


There is a LARGE SMS phishing incident going on right now.
Lawrence Baldwin has been assisting in getting data and malware, and has already provided some information.

He collected an SMS phishing kit from one of the compromised machines involved in this attack.

There are several elements to this SMS vishing.
They begin by compromising vulnerable Horde servers.
They use those Horde servers to brute-force POP accounts and passwords.
There is a privilege escalation exploit to get them root and a rootkit tool to hide their processes and files.

It includes a brute-force password guesser called popprober.
They use those compromised accounts and passwords to access valid email servers.
There is a Perl tool that sends the actual SMS message to the valid email servers via popmail.

Given that they included popprober with this, I suspect they brute-force new POP accounts every time they break into a vulnerable Horde server. But I am not sure how often they generate new lists.

I have attached a list of IPs with ASNs for vulnerable accounts.

I have a list of accounts that have been compromised.
I am not sure how to handle the actual list of accounts and passwords yet.
Some of the accounts are abuse accounts and the password is abuse :(
Another common username/password pair is sales,sales.

The list is only 18k; I guess I could just post it to the list.
They are hitting SEVERAL SMTP-to-SMS gateways including Verizon's, Qwest's, and Sprint's.
The vishing is all bank related and includes several banks and credit unions.
 
 
donald.smith at qwest.com giac


This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly 
prohibited and may be unlawful.  If you have received this communication 
in error, please immediately notify the sender by reply e-mail and destroy 
all copies of the communication and any attachments.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: pop.ips.asn
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20080314/f07549ee/attachment-0001.ksh>
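The chain described in the post (a compromised Horde host running popprober against POP accounts, then logging in with the guessed pairs) leaves a recognisable trace in mail-server authentication logs: one source address failing against many distinct usernames in a short window, followed by a successful login from that same address. The following detector is an added example, not code from the post or from any of the tools it names. The log format, addresses, usernames and thresholds are all constructed for the example; a real deployment would adapt `LINE_RE` to the server's own login log. The `weak_pairs` helper shows one way to triage a recovered credential list of the kind the post mentions, by pulling out accounts whose password is simply the username (abuse/abuse, sales/sales) so they can be reset first.

```python
"""Detect POP3 credential brute-forcing and the logins that follow it.

Added example with a constructed log format; nothing here is a real
server's log syntax, and all IPs and usernames are made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed one-line-per-attempt format: <timestamp> pop3-login: OK|FAIL user=<name> rip=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) pop3-login: (?P<result>OK|FAIL) user=<(?P<user>[^>]*)> rip=(?P<ip>\S+)$"
)

# Constructed sample: 203.0.113.5 sprays six usernames in six seconds, then gets in as
# "sales"; 198.51.100.7 is a legitimate user who mistypes a password once.
SAMPLE_LOG = """\
2008-03-14T18:00:01 pop3-login: FAIL user=<abuse> rip=203.0.113.5
2008-03-14T18:00:02 pop3-login: FAIL user=<admin> rip=203.0.113.5
2008-03-14T18:00:03 pop3-login: FAIL user=<info> rip=203.0.113.5
2008-03-14T18:00:04 pop3-login: FAIL user=<sales> rip=203.0.113.5
2008-03-14T18:00:05 pop3-login: FAIL user=<support> rip=203.0.113.5
2008-03-14T18:00:06 pop3-login: FAIL user=<webmaster> rip=203.0.113.5
2008-03-14T18:00:07 pop3-login: OK user=<sales> rip=203.0.113.5
2008-03-14T18:05:00 pop3-login: OK user=<alice> rip=198.51.100.7
2008-03-14T18:05:30 pop3-login: FAIL user=<alice> rip=198.51.100.7
2008-03-14T18:05:35 pop3-login: OK user=<alice> rip=198.51.100.7
"""


def parse_log(text):
    """Turn log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ok": m["result"] == "OK",
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def find_probers(events, window=timedelta(minutes=10), min_users=5):
    """Map source IP -> max number of distinct usernames it failed against
    inside any sliding `window`. Only IPs reaching `min_users` are returned.
    Thresholds are assumptions for the example, not tuned values."""
    fails_by_ip = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails_by_ip[e["ip"]].append(e)
    probers = {}
    for ip, fails in fails_by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # advance the window start until it is within `window` of the end
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in fails[start:end + 1]}
            if len(users) >= min_users:
                probers[ip] = max(probers.get(ip, 0), len(users))
    return probers


def compromised_after_probing(events, probers):
    """(user, ip) pairs where a flagged prober IP achieved a successful login.
    These accounts are the ones to reset and to check for outbound SMS relay."""
    hits = {(e["user"], e["ip"]) for e in events if e["ok"] and e["ip"] in probers}
    return sorted(hits)


def weak_pairs(credentials):
    """From a recovered (user, password) list, the pairs whose password is the
    username itself, e.g. abuse/abuse or sales/sales."""
    return sorted((u, p) for u, p in credentials if p.lower() == u.lower())


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    probers = find_probers(evts)
    print("probing sources:", probers)
    print("logins from probers:", compromised_after_probing(evts, probers))
    print("weak pairs:", weak_pairs([("abuse", "abuse"), ("sales", "sales"), ("alice", "Tr0ub4dor")]))
```

On the sample log the spraying host is flagged after its sixth distinct username, and its later "sales" login surfaces as the account to reset. The legitimate user at 198.51.100.7 is not flagged because a single failure on one account never reaches the distinct-username threshold, which is the property that separates this from a plain failed-login counter.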