SecurityIntelligence is another division of MalwareIntelligence, focused on Information Security. Its content covers security issues and the management and administration of an information environment.

February 28, 2010

Phishing database III

Financial & Banking Institutions
Canada Trust (http://www.tdcanadatrust.com/)
Citigroup (http://www.citigroup.com)
CUA - Credit Union Australia (http://www.cua.com.au)
UniCredit Banca (http://www.unicreditbanca.it)
Grupo Banca Carige (http://www.gruppocarige.it/ws/gruppo/jsp/index.jsp)
Grupo Banca Popolare Di Bari
Banca Cesare Ponti (http://www.gruppocarige.it/grp/bponti/html/ita/index.htm)
Banca Del Monte Di Lucca (http://www.gruppocarige.it/ws/bmlucca/jsp/index.jsp)
CRS - Cassa di Risparmio di Savona (http://www.gruppocarige.it/ws/carisa/jsp/index.jsp)
Cassa di Risparmio di Carrara (http://www.gruppocarige.it/ws/crcarrara/jsp/index.jsp)
Poste Italiane (http://www.poste.it)
Santander (www.santander.com)
ABSA (http://www.absa.co.za)
HSBC (http://www.hsbc.com)

Several phishing packages were uploaded to the domain singaporeluggagestorage.info through a web shell. Besides the HSBC phishing pack, others targeting CIBS and ING Direct were found there.

ING Direct (http://www.ing.com)
Lloyds TSB (http://www.lloydstsb.com)
Wachovia (http://www.wachovia.com)
Bank of America (http://www.bankofamerica.com)
J.P.Morgan (http://www.jpmorgan.com)
egg (http://www.egg.com)
InterSwitch (http://www.interswitchng.com)
MoneyGram (http://www.moneygram.com)
Discover (http://www.discovercard.com)
VISA (http://www.visa.com)

Electronic Commerce
Amazon (http://www.amazon.com)
PayPal (https://www.paypal.com)
Capitalone (http://www.capitalone.com)

Government Services
IRS - Internal Revenue Service (www.irs.gov)
HMRC - HM Revenue & Customs (http://www.hmrc.gov.uk)

Online Games
World of Warcraft (http://www.worldofwarcraft.com)
Zynga Poker (http://www.zynga.com)

Social Networking
Hi5 (http://www.hi5.com)
MySpace (http://www.myspace.com)
Orkut (http://www.orkut.com)
Facebook (http://www.facebook.com)
Xbox Live (http://www.xbox.com)

WebMail
Yahoo (http://www.yahoo.com)
Windows Live (http://login.live.com)
AOL Mail (http://www.webmail.aol.com)
AIM Express (http://www.aim.com/aimexpress.adp)

File Hosting
Rapidshare (http://rapidshare.com)
Hotfile (http://www.hotfile.com)

Related information

Jorge Mieres


February 16, 2010

Phishing database II

Financial & Banking Institutions

Bank of America
Banco do Brasil
BBVA
HSBC
Poste italiane
CartaSi
ABSA
HaliFax
Regions
CUA (Credit Union Australia)
Citigroup
CajaMadrid
Orange
VISA
MasterCard


Electronic Commerce
PayPal
eBay

File Hosting
MegaUpload
Rapidshare

Social Networking
Facebook
YouTube

Telephone services & others

Walmart
Telcel
Kijiji


WebMail
Windows Live Hotmail

In this case, the same server hosts another phishing page, this one targeting the company Telcel, and stores all the stolen information: the credit card data (for Telcel) and the access credentials for Microsoft's webmail. It also offers the download of a fake Windows Messenger 2010, which is malware. Below is a screenshot of the stored credentials.

Online Games
World of Warcraft
Tibia

Related Information

Jorge Mieres


February 09, 2010

Phishing database I

Phishing is a purely criminal activity, part of the circuit that drives the illegal crimeware business: it is designed to steal money using the sensitive, private information of users that criminals obtain through illicit means.

Therefore, as a preventive measure, it is important to block access to the domains that host cloned pages of banks, webmail and any other Internet service whose use requires authentication.

To that end, Phishing database was born: a compendium of the fraudulent domains used to deploy phishing, which can be used to create block lists.
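As an added example (not code from the original post or from MalwareIntelligence), the Python script below turns a listing in the format these posts use into a host blocklist: brand lines followed by phishing URLs, entries with or without a scheme, IP-hosted pages, and, as the Discover entry in Phishing database III shows, an institution's own site occasionally listed under its brand, which must not end up in the blocklist. The sample listing and all function names are constructed for this example.

```python
from urllib.parse import urlsplit
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the listing format the posts use: a brand line
# ("Brand (legitimate-url)" or just "Brand") followed by one phishing URL
# per line, some without a scheme. The Discover entry mirrors a quirk of
# the page: the listed URL is the institution's own site, not a phishing page.
SAMPLE = """\
Financial & Banking Institutions
HSBC (http://www.hsbc.com)
http://www.ss4net.com/flash/IBlogin.html
http://in2pool.com/Sources/.x/IBlogin.html
Discover (http://www.discovercard.com)
https://www.discovercard.com/cardmembersvcs/loginlogout/app/ac_main
PayPal
www.paypal.com.0ytyz0oxg18bu.124nruo3kb3j903ers01.com/cgi-bin/webscr/?login-dispatch
203.101.73.204/www.paypal.com.au/security/cgi-bin/webscr.htm?cmd=_login-run
http://www.ss4net.com/flash/IBlogin.html
"""

# A listing line is a URL if it starts with a scheme or with host[:port]/ .
URL_RE = re.compile(r"^(?:https?://|[\w.-]+(?::\d+)?/)", re.I)
# A header line is "Brand" optionally followed by "(legitimate url)".
HEADER_RE = re.compile(r"^(?P<brand>[^(]+?)\s*(?:\((?P<legit>[^)]*)\))?$")

def host_of(entry: str) -> str:
    """Lowercased host of a URL; entries without a scheme get http:// first."""
    if "://" not in entry:
        entry = "http://" + entry
    return (urlsplit(entry).hostname or "").lower()

def is_same_site(host: str, legit: str) -> bool:
    """True if host is the brand's legitimate host or a subdomain of it."""
    if not legit:
        return False
    return host == legit or host.endswith("." + legit)

def parse_listing(text: str) -> dict:
    """Map brand -> sorted phishing hosts, skipping the brand's own site."""
    hosts = defaultdict(set)
    brand, legit = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if URL_RE.match(line):
            if brand is None:  # URL before any brand header: ignore
                continue
            host = host_of(line)
            if host and not is_same_site(host, legit):
                hosts[brand].add(host)
        else:
            m = HEADER_RE.match(line)
            if m is None:
                continue
            brand = m.group("brand").strip()
            legit = host_of(m.group("legit")) if m.group("legit") else ""
            legit = re.sub(r"^www\.", "", legit)  # treat www.x as x
    return {b: sorted(h) for b, h in hosts.items()}

def blocklist(text: str) -> list:
    """Flat, de-duplicated host blocklist; IP-literal hosts sorted last."""
    names, ips = set(), set()
    for hs in parse_listing(text).values():
        for h in hs:
            try:
                ipaddress.ip_address(h)
                ips.add(h)
            except ValueError:
                names.add(h)
    return sorted(names) + sorted(ips, key=ipaddress.ip_address)
```

Hosts are de-duplicated across brands (the repeated ss4net.com entry appears once), and IP-hosted pages are kept apart at the end so they can be fed to a separate rule set if the blocking technology distinguishes them.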

Wachovia Corporation

PayPal

egg

CUA

HSBC

eBay

JPMorgan Chase Bank

In this case, the same host, at IP address 203.211.129.222, serves both an eBay phishing page and one against JPMorgan Chase Bank. The site is controlled by a PHP shell called !islamicshell v. edition ADVANCED!.

The truth is that, in addition to uploading cloned web pages, the attacker can quietly do other things, such as spreading malware of any type from the server hosting the site, or defacing it (a very common use of PHP shells).

Lloyds TSB Bank

Barclays

Canada Revenue Agency

Poste italiane

Abbey

Jorge Mieres


February 06, 2010

Justifying the unjustifiable in a criminal world

As many readers know, at Malware Intelligence we have been researching the direct implications of this new generation of malicious code and the criminal activity that feeds the crimeware business every day.

Under this premise, our research has focused on revealing the different branches entangled with each other in a web of illegal actions aimed mainly at getting money from users through unethical techniques. Given this... can there still be any doubt that we are facing a big business that profits through illegal activities (illegal, of course, according to the laws of each country)? I think the unanimous answer is NO.

With that said, after publishing so much content on the state of the art of crimeware (including relevant data not yet disclosed, so as not to hamper ongoing investigations), it has become common to receive messages and comments, mostly aggressive, from those responsible for developing or selling certain crimeware applications.

In this context, and although I do not usually explain the research we perform, this time I will make an exception and expose two of the latest comments we have received from people who are part of the crimeware business.

Especially because they reflect, in some way, the philosophy (of life and of mind) of those who operate from the underground, although lately things are changing.

The first case is an anonymous, non-aggressive comment that, I must confess, I personally find... very nice :). It was left by one of the Partners marketing the YES Exploit System crimeware, on the article about this exploit pack, where my reply can also be found. The comment is as follows:

YES, We are the blackhats :)
Thanks for small review, but why do ppl think that blackhats are poor guyz?
It's just a business, no less, no more :) Do you wanna buy our excellent product? - there is discounts for you ;)


As my "friends" say, to them it is "just a business, neither more nor less." However, let us agree that, besides not being a conventional business, it represents a business model that directly and actively collaborates with criminal activities, which isn't so funny.

Now, YES Exploit System is a crimeware development with a lot going on in its code, and its market value is USD 800. And the one funny thing (the last sentence of the comment) is knowing that I will not get any discount on crimeware ;)

The second case I want to present is a bit more aggressive, responding to what was written in the report on the Russian service for testing malware detection; the comment and my response can be read there, and I do not transcribe the response here because of its length. The message reads:

"In summary, further evidence that not only the exploitation of malware generates profits but also moves parallel money on services to
this industry. And in some cases like the present one, have to see if you can consider this service as a criminal act or not."

Wow and why would this service be criminal act?


It's clear to me that someone has a year work in a software like this scanner and he want to make money with it.
If you don't like it don't use it. No one forces you to pay for it or submit files there but since I see you are a little wanker
blogger who does not respect others' work I'm giving it to you straight.

You have no inside experience in the antivirus industry whatsoever otherwise you would know that VirusTotal distributes 200K files/day
to antivirus companies for FREE. AV companies are shit on online scanners, they wouldn't even contact you if you would ask them about file
distribution and they definitely wouldn't support an online scanner so what else can these services do to remain online?

Before you criticizing others work put something down on the table little frustrated shit..."

Regardless of the aggressive tone of this second comment, it is interesting where it comes from: someone who uses the nickname "KLESK" and hosts a completely unlawful "business attempt", on whose page one of the first things we read is "Selling corporate data, trade secrets".

"We sell corporate data and trade secrets", the propaganda continues. It goes on to clarify what type of information is supposedly "stolen" from companies, and tops it off with something very interesting:

"Please losers/asszors stay away, all the data bids start on 5 figures" :: Without words… :)

In any case, the latter in particular represents a good opportunity to analyze the psychology of a prospective cyber-criminal whose attempt to "negotiate" not only leaves much to be desired but cannot even be considered a candidate for research.

Related Information
Russian service online to check the detection of malware
YES Exploit System. Another crimeware made in Russia

Jorge Mieres
