SecurityIntelligence

The Art of the Cyberwar

2011-06-15T19:29:00.001-03:00

The development of new technologies, in catching up with military interests and dependence on existing technology by developed countries, sets up a scenario where the cyber war, or war in cyberspace, is becoming more important.

All countries aware of the risks of such dependence developed defense programs against attacks that could jeopardize critical national infrastructure.

On the other hand, developing countries and major world powers are training computer security experts in various techniques of hacking, cracking, virology, etc.., forming true experts in cyber warfare, called cyberwarriors.

That does not fit anyone doubt that the future wars will not be determined or land or sea or air, but in cyberspace. The soldiers do not carry weapons or shields, but knowledge and deploy applications that war virus, disabling the enemy's critical systems that are technologically dependent.

This is the scenario where the world is moving now, a scenario of technological dependence, where countries with more traditional military strength will be losing ability to war for countries with highly qualified in computer security and cyber techniques.

This essay is intended as a point of reflection and knowledge about cyber warfare, on the present philosophy of Sun Tzu in the Art of War, and adapt their knowledge to technological scenario which we live and live, so we can get a modern compendium: The Art of Cyberwar.

Version in english
Version in spanish

New whitepaper about Carberp Botnet

2011-02-21T08:12:00.001-03:00

Is available a new whitepaper that describes the operation of one of the botnets "wanted" by the security community: Carberp.

The article, called Inside Carberp Botnet and written by Francisco Ruiz, Crimeware Research of MalwareIntelligence, details the different parts of this crimeware, leaving evidence of its full operating mode.

In recent weeks, has returned to Carberp impact due to the revival of several of his former C&C. However, experts believe MalwareIntelligence have concrete evidence that would demonstrate that in fact the original group that was behind the first generation of Carberp is broken, and that some of the new botnets that spread banking trojan Carberp are managed through a modified version of the original.

MalwareIntelligence have a Carberp Working Group, responsible for private research and demand of this particular threat. In the main blog, Ruiz also said that a botnet Carberp private market in a very closed environment, but since a few days ago, the marketing model has been released, giving some details of its current features and costs.

Computer Attacks. Security weaknesses that are commonly exploited

2010-08-31T23:59:00.000-03:00

A computer attack is to exploit any weakness or failure (vulnerability) exists in a program (operating systems and applications on this) in the physical components that make up the information environment, and even in people who use these resources.

The aim is, somehow, get information that can then be used for fraudulent purposes to benefit themselves from the offender. In general the benefit sought is economic in nature, causing a negative effect on the safety critical system, which then directly affects the organization's assets and result in loss of money.

This document provides a quick overview on these weaknesses, combined with possible countermeasures under which you may invoke to prevent effectively the different types of attacks that a system receives daily.

English version | Spanish version

More White papers in MalwareIntelligence web site.

Computer Security or Information Security? What are we talking about?

2010-06-10T05:14:00.000-03:00

Usually receive consultations in which, conceptually speaking, there is a notable confusion about the difference between computer security and information security. Therefore, we will try to clarify the issue in question.

While both issues are complementary and interact constantly in computer systems, the truth is that they have different aims. For one thing, computer security is responsible for protecting computer systems, the latter being understood as a combination of information, computers information and support people who use it. Basically, everything is in a computer environment.

While, Information Security is a much broader process involving not only the protection of information stored in computer systems but also ensures the information without discrimination where it's. In other words, information security goes far beyond its purpose is to safeguard the information, regardless of the means by which circulates or the place where it's stored.

Information is a "significant" assets that can be stored in different ways, in different ways and through different channels, not only can be stored digitally it can also be printed, written on paper in hand.

Not limited to these forms but can also be found in films, recordings, using the spoken language (conversational) and even the memory of people. Besides being able to be transmitted through various means, be they conventional communication channels (analog) or late-generation (digital).

Regardless of the character to take the information, it collects or spreading, should be adequately protected to ensure at all times the confidentiality, integrity and availability of data.

Therefore, the main goal in information security is just a way appropriate to protect the information, preserving a number of basic parameters for the assets (anything that can be measured through a cost) can be considered safe and secure, minimizing potential damage from any eventuality that may impede the normal operation of the organization.

Some words about Information Security

2010-06-06T17:07:00.000-03:00

Organizations are increasingly dependent on their computer networks and a problem affecting them, no matter how small, can compromise the continuity of operations, a situation which inevitably results in economic loss.

An increasing number and complexity of new computer attacks, becoming more specialized skills whose goals are an economic nature for the benefit of the attackers also in the midst of this variety, have been increasing disrespectful actions of privacy.

In addressing the issue on Information Security, a common tendency to scan only the aspects of computer media (backups, maintenance of computers, servers, networks, etc.), All aimed at ensuring that information is available, ignoring other aspects that must be addressed because they keep the same level of criticality, such as confidentiality and integrity of data and services.

It's important to note that the human factor covers over 90% of security and that the remainder consists of the technological aspect. Therefore, overconfidence and lack of awareness are the main problems.

Keep the information protected is equivalent to keeping it safe to threats to its functionality, either corrupt, improperly accessed, removing, and even stealing information.

Therefore, information security is to protect the information of an organization preserving and protecting three basic parameters: confidentiality, integrity and availability.

In the first of which seeks to ensure that only authorized persons have access to information. If the information is confidential should not be disclosed because the loss of confidentiality equivalent to the loss of secrecy. Furthermore, the more valuable the more information should be its degree of confidentiality and the greater the degree of confidentiality, the higher the level of security that must be implemented.

For its part, the integrity of the information ensures that data will not be altered, removed or destroyed by unauthorized entities, preserving completely with the methods used for processing. If the information is altered then it loses integrity.

Instead availability ensures that authorized persons have access to information, and its associated resources whenever they need it. The availability involves not only information but also all the physical and technological structure that allows access, transit and storage to ensure it arrives in a timely manner.

These three key areas form the main column of information security, and constitutes the essential mechanisms to ensure confidence in the business processes so they have the desirable situation for any organization.

"The information security is achieved by implementing a set of controls that include policies, practices, procedures, organizational structures ... depending on what you are trying to protect."

However, every implementation must provide a balance between use and transparent maximum safety, all at a reasonable cost.

Phishing Database IV

2010-03-27T10:56:00.002-03:00

Economically-financial and banking institutions
HSBC (http://www.hsbc.com)
http://210.116.103.118/~kardex/gnuboard4/bbs//hsbc/1.php?jsessionid=CAM10:jsessionid=0000RcSVT4vYF7HNB8AsppR8HRo:11j71fovq?IDV_URL=hsbc.MyHSBC_pib
http://www.restoretherepublic.com/wp-content/bank/images/online.html
http://72.16.130.62/.www.HSBC.co.uk/1.php?jsessionid=CAM10:jsessionid=0000RcSVT4vYF7HNB8AsppR8HRo:11j71fovq?IDV_URL=hsbc.MyHSBC_pib
http://www.update-hsbc-co-uk.aux3erables.com/www9.hsbc.co.uk/www9.hsbc.co.uk/1/2/HSBCINTEGRATION/CAM10;jsessionid=0000UyzfmbnkvKfK9fLILUpaTgF14et5m1u3IDV_URL=hsbc.MyHSBC_pib/www.hsbc.co.uk/IBlogin.html
http://www.absolute-basketball-chaoten.de/language/008/update/HSBCINTEGRATIONCAM10jsessionid=00001DwpIt0wIyX1arHd6K8mQB6URL=hsbc.MyHSBCpib/hsbc/1.php?jsessionid=CAM10:jsessionid=0000RcSVT4vYF7HNB8AsppR8HRo:11j71fovq?IDV_URL=hsbc.MyHSBC_pib

VISA (http://www.visa.com)
http://195.140.132.196/~dan12794/visa/master/www.vbv.fr/images/fr/authentication.php

Lloyds TSB (http://www.lloydstsb.com)
http://blog.romanjewelers.com/wp-content/lloydsts/customer.php?ibc=customer.ibc

BMO - Bank of Montreal (www.bmo.com)
http://www.noo.cl/wp-content/uploads/2009/09/update/SA%60Absa/SECURE/update/images/bmo.com/BMO/BMO/BMO/BMO/BMO/BMO/BMO/BMO/bmo/index.htm

Continue reading the original post MalwareIntelligence Blog

Jorge Mieres

myLoader. Base C&C to manage Oficla/Sasfis Botnet

2010-03-07T22:47:00.000-03:00

myLoader a particular purpose Framework developed to manage the activities of a botnet. The data reflected in this report were collected based on the study of the criminal activities of a botnet containing a quantity of more than 210,000 zombies zombies.

We describe the potential threat of this crime through the breakdown of the modules comprising the package that allows the management of the botnet ophicleide / Sasfis. Also presents some information that helps explain his behavior both in propagation strategy as in the processes of infection and prevention to help counteract their actions.

Spanish | English | Author: Jorge Mieres | Malware Intelligence | 2010, March

Phishing database III

2010-02-28T23:50:00.007-03:00

Financial & Banking Institutions
Canada Trusth (http://www.tdcanadatrust.com/)
http://www-tdcanadatrust-com.epage.ru/td-bank-index.html
Citigroup (http://www.citigroup.com)
http://www.alanmetauro.com/home/online.citibank.com/US/JPS/portal/Index.do.htm?F6=1&F7=IB&F21=IB&F22=IB&REQUEST=ClientSignin&LANGUAGE=ENGLISH
CUA - Credit Union Australia (http://www.cua.com.au)
http://www.colconkproducts.com/pub/your-account-is-locked-cua-com-au/
http://173-11-85-81-sfba.hfc.comcastbusiness.net/images/webbanker.cua.com.au/webbanker/CUA/
UniCredit Banca (http://www.unicreditbanca.it)
http://161.58.125.218/uc/index.html
Grupo Banca Carige (http://www.gruppocarige.it/ws/gruppo/jsp/index.jsp)
http://www.iadr.or.kr/bbs/data/gruppocarige/it/grp/ws/gruppo/jsp/banca_carige/index.html

Grupo Banca Popolare Di Bari

http://www.georgiakoreans.com/bbs/data/bpr/index.html
Banca Cesare Ponti (http://www.gruppocarige.it/grp/bponti/html/ita/index.htm)
http://www.iadr.or.kr/bbs/data/gruppocarige/it/grp/ws/gruppo/jsp/banca_cesare_ponti/index.html
Banca Del Monte Di Luccia (http://www.gruppocarige.it/ws/bmlucca/jsp/index.jsp)
http://www.iadr.or.kr/bbs/data/gruppocarige/it/grp/ws/gruppo/jsp/banca_del_monte_di_lucca/index.html
CRS - Cassa di Risparmio di Savona (http://www.gruppocarige.it/ws/carisa/jsp/index.jsp)
http://www.iadr.or.kr/bbs/data/gruppocarige/it/grp/ws/gruppo/jsp/cassa_di_risparmio_di_savona/index.html
Cassa di Risparmio di Carrara (http://www.gruppocarige.it/ws/crcarrara/jsp/index.jsp)
http://www.iadr.or.kr/bbs/data/gruppocarige/it/grp/ws/gruppo/jsp/cassa_di_risparmio_di_carrara/index.html
Poste Italiane (http://www.poste.it)
http://posteitalianeonlinebpolcarteprestafgfdf.pcriot.com/posteitaliane/bpol/cartepre/formslogin.aspx.php?TYPE=33554433&REALMOID=06-b5208d98-1e41-108b-b247-8392a717ff3e&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME
http://www.ynzal.com/catalog/images/bpol/bancoposta/index.php?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid
http://www.yelin.ru/wm/bancopostaonline.poste.it/bpol/CARTEPRE/index.php?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid
Santander (www.santander.com)
http://slarrauri.com/tusitioweb/demo/BentoBox/modules/Logon.html
ABSA (http://www.absa.co.za)
http://markostoreltd.com/account.log/index.php
HSBC (http://www.hsbc.com)
http://worldviba.org/hboard3/bbs/indexx/hsbc/1.php?jsessionid=CAM10:jsessionid=0000RcSVT4vYF7HNB8AsppR8HRo:11j71fovq?IDV_URL=hsbc.MyHSBC_pib
http://www.ss4net.com/flash/IBlogin.html
http://www.tricitypt.com/photos/pediatrics/hsbcsecure/IBlogin.html
http://in2pool.com/Sources/.x/IBlogin.html
http://erethizon.net/pomocne/hibernace/IBlogin.php
http://cs.kku.ac.kr/data/file/alumnus/hsbconline/HSBC/index.php
http://etechsol.pk/cp/IBlogin.html
http://www.fsk-squad.eu/stats/IBlogin.html
http://www.goldenstwarriors.com/boxes/IBlogin.html
http://singaporeluggagestorage.info/modules/foles/kmg/www.hsbc.co.uk/CAM10-jsessionid=000026MQ7KnXUxsKmiYKszFUkGJ12c58ti63.htm

In the domain singaporeluggagestorage.info climbed several packages of phishing through a shell. Besides HSBC phishing pack, found others to CIBS and ING Direct.

ING Direct (http://www.ing.com)
http://singaporeluggagestorage.info/modules/foles/mijn.ing.htm
Lloyds TSB (http://www.lloydstsb.com)
http://cjuckett.com/gallery/include/login/online.lloydstsb.co.uk/online.lloydstsb.co.uk/online.lloydstsb.co.uk/online.lloydstsb.co.uk/customer.ibc/
Wachovia (http://www.wachovia.com)
http://202.111.173.205/.../wachovia/AuthService.php?action=presentLogin&url=https://onlineservices.wachovia.com/NASApp/NavApp/Titanium?action=returnHome
Bank of America (http://www.bankofamerica.com)
http://210.116.103.118/~kardex/gnuboard4/bbs/Languages/
http://ahuarqalliance.com/~ahuarqal/Pringles/www.bankofamerica.com/bofa-update/bofa-update/bofa/
J.P.Morgan (http://www.jpmorgan.com)
http://martindlk.ie/pdf_files/10/c/ch.htm?customerid=&co_partnerId=2&siteid=0&ru=&PageName=login_run&pp=pass&pageType=708XeMWZllWXS3AlBX+VShqAhQRfhgTDrf&co_partnerId=2&siteid=0&ru=&pp=&pageType=708&MfcISAPICommand=ConfirmRegistration&708XeMWZllWXS3AlBXVShqAhQRfhgTDrfQRfhgTDrfA
egg (http://www.egg.com)
http://www.extv.co.kr/data/file/s_tag08/819,00.html
http://www.wrpt.us/fireworks/Egg-Login.htm
InterSwitch (http://www.interswitchng.com)
http://2009_securityupdate1.t35.com/Nigeria_interSwitch.htm
MoneyGram (http://www.moneygram.com)
http://121.11.253.235/.cgi-bin/mg/MoneyGram/eMoneyTransfer/
Discover (http://www.discovercard.com)
https://www.discovercard.com/cardmembersvcs/loginlogout/app/ac_main
VISA (http://www.visa.com)
http://intersecure.fr/security/verified/cards/unlock/ssl/Deutschland/

Electronic Commerce
Amazon (http://www.amazon.com) http://digiplan.nl/img/xzf5465x6z4f56xz4fx5z64f5645z4x5z64f556xf4z56x4z5f45z6x4f56f4z5xf45zx64f/cxz4564z56z4z6c54cx54xc545c46z54c4zxzxfx5fz4z65f454xz5f45zx45xz64f/
PayPal (https://www.paypal.com)
http://www.revenueirish.net/~gustavo/mongis/webscrcmd=_login-submit&dispatch=5885d80a13c0db1fc53a056acd1538879f614231735d88db02692aa5ce177197.php
http://8shagyasser.com/.cc/pp/us/
http://www.revenueirish.net/~gustavo/mongis/index4.php
http://allmedwholesale.com/cache/paypal/index.htm
http://www.skizo123.com/update/
http://francomm.org/worldsecure/
http://carinethomas10.net/www.PayPal.Com22/webscrcmd=_login-done&login_access=1190737782.htm
Capitalone (http://www.capitalone.com)
http://allmedwholesale.com/cache/c/e/capitalOne/login.aspx.htm

Government Services
IRS - Internal Revenue Service (www.irs.gov)
http://www.budgetcirkus.dk/irs.gov/IRS/irs-refund-account.html
http://195.140.132.196/~dan10417/irs.gov/IRS/irs-refund-account.html
HMRC - HM Revenue & Customs (http://www.hmrc.gov.uk)
http://www.hmrc.ukonlinerefund.com/refund.php?item=1928381240348811

Online Games
World of Warcraft (http://www.worldofwarcraft.com)
http://www.worldofwarcraft-account-instrcationcheck.com/login.asp?app=wam&ref=https://www.worldofwarcraft.com/account/&eor=0&app=bam
http://www.review-billing-worldofwarcraft.com/
http://nm-jk-gh.worldofwarcraftftc.com/
http://check.worldofwarcraftfts.com/
http://account.worldofwarcraftfta.com/

Zynga Poker (http://www.zynga.com)
http://admin_zynga_security.t35.com/
http://administrator-poker.t35.com/security/account_verification/

Social Networking
Hi5 (http://www.hi5.com)
http://aipoise.t35.com/frienddisplayHomePage.do.html
MySpace (http://www.myspace.com)
http://210.51.184.12/myspace.com&session_timed_out.php
Orkut (http://www.orkut.com)
http://orkutfunky2008.50webs.com/index.HTML
http://orkutf.50webs.com/Orkut/
http://lanhousemv.t35.com/
http://abhijaan.justfree.com/2009.html
http://guuhrox.galeon.com/
Facebook (http://www.facebook.com)
http://admin_tools_zynga.t35.com/
http://admin_zynga.t35.com/
http://admin_zynga_poker.t35.com/
http://admin_zyngapokergames.t35.com/
http://adminbanned.t35.com/Zinga.Terms/
http://adminfacebookz.t35.com/Facebook.htm
http://adminforu.t35.com/facebook/facebook.php
http://ak-sdk-fbsdk-conf.t35.com/
http://funnymoneygame.t35.com/
http://facebooknewlog.t35.com/Facebook.php
http://apps-facebook-poker.t35.com/
http://newfoundsite.t35.com/facebook/Facebook.htm
Xbox Live (http://www.xbox.com)
http://anythingmicrosoft.t35.com/

WebMail
Yahoo (http://www.yahoo.com)
https://marketingsolutions.login.yahoo.com/adui/signin/displaySignin.do?d=U2FsdGVkX19cY56F3r1QvfGtU0XVsveCoTYWNnRpvZ4bILechNLfZTHvHIOFjqsAa77VmsuwGDHOvNJSa0FuwZgPFc6s8evu39eeQ.zeRGM1OZ4zVBg-&m=0&l=en_US&=
Windows Live (http://login.live.com)
http://account_validation.t35.com/Windows%20live.php
http://alw7dany.tripod.com/hotmail.htm
http://wiwaxiaa.tripod.com/
http://girl.q8sex.tripod.com/hotmail/login.srf.htm
AOL Mail (http://www.webmail.aol.com)
http://aolz.t35.com/Webmail/
http://aoltosbillingcenter.t35.com/
http://aolsn.t35.com/
AIM Express (http://www.aim.com/aimexpress.adp)
http://aoldashboard02.t35.com/aimexpress.html

File Hosting
Rapidshare (http://rapidshare.com)
http://2993amit.justfree.com/Rapidshare/files.php
http://www.rapidfree.za.pl/#200
http://easy.justfree.com/index1.php
http://willgax.justfree.com/rp/indir.php
http://babalar2.justfree.com/rp/indir.php
http://rsmany.t35.com/premiumzone.php
http://rapid24.blackapplehost.com/files.php
http://rapid24.blackapplehost.com/logon.php
http://www.phish.yoyo.pl/index.php
http://hotfilm.xaa.pl/rs/index.php
http://chronoshon.t35.com/files.php
Hotfile (http://www.hotfile.com)
http://hotfiles.justfree.com/?f=295/dl/4629684/01bd28f/Boob-E_CD1_chunk_1.rar.html
http://zsah.justfree.com/hotfile/index.php
http://indigo2.justfree.com/

Related information

Phishing database II

Phishing database I

ZeuS on IRS Scam remains actively exploited

New ZeuS phishing campaign against Google and Blogger

Facebook & VISA phishing campaign proposed by ZeuS

Dissection of a fraudulent package. Wachovia phishing attack

Jorge Mieres

Phishing database II

2010-02-16T23:52:00.005-03:00

Financial & Banking Institutions

Bank of America

http://i37.tinypic.com/1zo957a.jpg
http://i35.tinypic.com/20tp4t0.jpg

Banco do Brasil

http://www.ricklegrandphotography.com/own/index.htm?portalbb

BBVA

http://87.225.254.21/vendors/shells/templates/verificacion/index.html

HSBC

http://www.silverstoneincense.com.au/IBlogin.html
http://www.buyitdirect.co.nz/images/indexx/hsbc/1.php?jsessionid=CAM10:jsessionid=0000RcSVT4vYF7HNB8AsppR8HRo:11j71fovq?IDV_URL=hsbc.MyHSBC_pib
http://delthelboi.net/COsutmer/COsutmer/hsbc/1.php?jsessionid=CAM10:jsessionid=0000RcSVT4vYF7HNB8AsppR8HRo:11j71fovq?IDV_URL=hsbc.MyHSBC_pib
http://woorizip1004.net/zboard/icon/IBlogin.html
http://www.ceipmiraflores.com/inc/ceip/IBlogin.html
http://www.lbirelandftp.com/e-card/IBlogin.html
http://www.galilee.cc/zeroboard/data/rr/CAM10.php?idv_cmd=idv.Logoff&nextPage=IDV_CAM10_AUTHENTICATION=2178611a6f5b6d7d722eacaa9c0a1f52LogonBy=Connect2178611a6f5b6d7d722eacaa9c0a1f52
http://www.officeresourcegroup.com/_analog/hsbc.co.uk/IBlogin.html
http://host24-128-static.39-79-b.business.telecomitalia.it/.personal/www.HSBC.Co.Uk/1/2/1.php?jsessionid=CAM10:jsessionid=0000RcSVT4vYF7HNB8AsppR8HRo:11j71fovq?IDV_URL=hsbc.MyHSBC_pib
http://www.officeresourcegroup.com/_analog/hsbc.co.uk/1/2/IBlogin.html
http://www.sinhvienqb.com/gallery/images/admin/IBlogin.html
http://egg-inter.com/upload/www.hsbc.co.uk/1/IBlogin.html

Poste italiane

http://gerfdsafsd.pochta.ru/posste.html
http://vaguematch.com/ioncube/_/https/www.poste.it/bancoposta/online/_private/bpol/CARTEPRE/index.php?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid=
http://www.postevita.it/postevitaTFR.fcc?TYPE=33554433&REALMOID=06-bed2d688-fca1-10a2-bc8e-8392a717ff3e&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=$SM$ZEj9fNrjJTQ1UbgR9hbQoqbSyCYN9lBONkWfqG8%2fz9C7F9%2bG8tRBmA%3d%3d&TARGET=$SM$http%3a%2f%2fwww.postevita.it%3a85%2fgestionetfr%2findex.shtml

CartaSi

http://aviso-utente.rbcmail.ru/utente-cartaSI.html

ABSA

http://www.technicalconsultants.gr/images/oziogallery2/ib.html

HaliFax

http://www.lechateauedizioni.it//components/com_performs/halifax_mail_form/index.php

Regions

http://www.lbirelandftp.com/content/Regions/Regions/

CUA (Credit Union Australia)

http://www.cua-web-banker.com/098237409823749802378905/

Citigroup

http://www.naturalcurves.com//wp-content/themes/blueberry-boat/online-citi-cards/citi%20card/citi%20card/update.html

CajaMadrid

http://oi-cajamadrid.com.es/CajaMadrid/oi/pt_oi/Login/

Orange

http://92.243.8.56/Orange/info-online-verification.php
http://adminpanel.net/xcart/images/cartpictures/http-id.orange.fr-auth_user-bin-authNuser.cgidate=1266009664=skey=3a347076d2326ec771ebe84a8de131fc=service=communiquer=url=http:webmail1eb.orange.fr*webmail*fr_FR/

VISA

http://alerts.cforms.visa.com.rep021.kr/secureapps/vdir/cholderform.php
http://92.243.8.56/VerifiedByVisa/visa/error_info.php?cmd=_login-run&dispatch=5885d80a13c0db1f1ff80d546411d7f84f1036d8f209d3d19ebb6f4eeec8bd0ef1b64e562942814a64d80bf24862819bf1b64e562942814a64d80bf24862819b?cmd=_login-run&dispatch=5885d80a13c0db1f1ff80d546411d7f84f1036d8f209d3d19ebb6f4eeec8bd0ef1b64e562942814a64d80bf24862819bf1b64e562942814a64d80bf24862819b

MasterCard

http://www.roxanalatorre.com/panel/mastercard/

Electronic Commerce

PayPal

http://74.86.158.3/~bigbigca/uc/Activation/paypal/
http://french-kiss.org/~o103594/paypal.com/wwwpaypalcompaypalloginukusupdateinfo/webscr.php?cmd=_login-run&dispatch=2e310e6fd3c468fe3657669af990d4912e310e6fd3c468fe3657669af990d491
http://exorh.com/~o103594/paypal.com/wwwpaypalcompaypalloginukusupdateinfo/webscr.php?cmd=_login-run&dispatch=2e310e6fd3c468fe3657669af990d4912e310e6fd3c468fe3657669af990d491
http://calvarychapelabuja.com/users/barbara/account/?cmd=_login-run
http://adcomphelp.com/tutorials/cam/paypal.com/fr/cmd=_registration-run/webscr.php?cmd=_login-run&dispatch=9cf470a1ba43eb481569e296a16bd15d9cf470a1ba43eb481569e296a16bd15d
http://aempresarial.com/admin/www.PayPal.Com22/webscrcmd=_login-done&login_access=1190737782.htm
http://paypol.tk/fr/
http://is250.internetdsl.tpnet.pl/FRS/
http://office.supportacct.operaunite.com/webserver/content/?cmd=_login-run&session-redirect=noCookie
http://www.yoville.justfree.com/
http://www.anassoft.net/webscr.php
http://paypal-ag.de/see/
http://www.coinentertainment.com/images/www.paypal.com/management/financial/login.html
http://paypal-uk.webcindario.com/

eBay

http://rahasiabisnis21.com/_space/apache_module.php?customerid=hemi2u2@yahoo.com&co_partnerId=2&siteid=0&ru=&PageName=login_run&pp=pass&pageType=signin.ebay.com.ws.eBayISAPI.dll.fxHVPoQCOORAlDQoKlPMCP
http://webproxy.go2myspace.com/sell.ebay.ie/ws/eBayISAPI.dll?SellItem
http://www.vietwebdisk.com/signin.ebay.com/ws/eBayISAPI.dll?SignIn&ru=www.ebay.com
http://cosmo.genusis.com/images/icons/eee/login.html#ws/eBayISAPI.dll?SignIn&ru=http://www.ebay.com/
http://sangelecaiolor.czechian.net/polaris-rzr-W0QQitemZ250328176800QQcmdZViewItemQQptZ-logan-hash0item3a48b8d8a00_trksidsp32860c0023/z.php
http://personal-pontoon-ebay.xf.cz/2006%20Lowe%20SUNCRUISER%20BIMINI/ebaymotorsW0QQitemZ180405328696QQcmdZViewItemQQptZboat_pontoonhash=item2a00fedb38&_trksid=p4/index.php
http://www.normans.dk/catalog/images/AllinformationfromWHOISserviceisprovided.html

File Hosting

MegaUpload

http://www.nakudashi.blors.com/Akina/?active.to=http://www.megaupload.com/?c=login&next=d%3DPV1ZQAIJ
http://www.sweetlife.iamspace.com/jav/asia.htm
http://www.karina.blors.com/Sasaki/Studio.htm?to.url=http://www.megaupload.com/?d=RZXZ8YZ5
http://www.nakudashi.blors.com/Akina/
http://www.cocomisakura.blors.com/Sakura/cool.htm?url.active=http://www.megaupload.com/?d=HWDZS4OM
http://www.shokoakiya.blors.com/Akiyama/asiacool.htm?url.active=http://www.megaupload.com/?d=5Y6402AH
http://www.ramunagasuki.blors.com/asia/

Rapidshare

http://raapidshare.ugu.pl/premiumzone.php
http://rapidshare-premium2011.tk/
http://rs786.t35.com/logon.php
http://rapidshare-premium2011.tk/

Social Networking

Facebook

http://www.rep021.kr/usersdirectory/LoginFacebook.php

YouTube

http://youtube-view-all.tk/

Telephone services & others

Walmart

http://75.32.55.145/walmart/actpatriot/walmart/details.html

Telcel

http://itelcel.byethost13.com/home_telcel/?_ideastelcel2010&_servlet_Controller_EVENT=RECARGA_PROMOCION&rnd=0.15117657
http://www.rosalux.org.mx/logs/cgi_bin-ssl/com_notes/register2.html

Kijiji

http://kijiji-ca.wz.cz/cSignInrups-ConfirmAccount-ruq-re-direct&Dwws.html

WebMail

Windows Live Hotmail

http://www.windowslivemail.tk/
http://so7ba7elwa.ibda3.org/
http://itelcel.byethost13.com/msn.html
https://www.windowslive.co.uk/hotmailstories/

En este caso, en el mismo servidor se aloja otro phishing pero hacia la compañía Telcel, y se almacena toda la información robada: la relacionada a las tarjetas de crédito (correspondientes a TelCel) y las credenciales de acceso al webmail de Microsoft. Además de la descarga de un falso Windows Messenger 2010 que es un malware. A continuación se observa una captura del almacenamiento de credenciales.

Online Games

World of Warcraft

http://www.blizzard-account-review-blizzard.com/
http://us.bettls.net/login/login.htm?ref=https://www.worldofwarcraft.com/account/&app=wam

Tibia

http://clanprem.atspace.com/
http://clanbrazukas.atspace.com/
http://clandemonsforlite.atspace.com/
http://clanakimichi-join.atspace.com/

Related Information

Phishing database I

Dissection of a fraudulent package. Wachovia phishing attack

Jorge Mieres

Phishing database I

2010-02-09T00:16:00.001-03:00

Phishing responds to a purely criminal activity, part of the circuit that drives the illegal business of crimeware, designed to steal money using the sensitive and private information from users that criminals obtained through non-sacred activities.

Therefore, as a preventive measure, it's important not to allow access to the domains that host usually banks cloned pages, webmail and any other Internet service through a process that requires authentication.

To that end, born Phishing database, a compendium of fraudulent domains for implementing a plunger of phishing, which can be used to create the block lists.

Wachovia Corporation

http://www.stc.lk/it/home/online.wachovia.com/accountupdate/AuthService.php?action=presentLogin&url=https%3a//onlineservices.wachovia.com/NASApp/NavApp/Titanium%3faction%3dreturnHome

PayPal

aurelie-et-arnaud.me/img/paypal/verify/login.php
www.yvescochet.net/.secure.paypal.fr/verified_by_paypal/webscrcmd=_login-run/cgi-bin/_login/
dz-tero.com/paypal/
www.paypal.com.0ytyz0oxg18bu.124nruo3kb3j903ers01.com/cgi-bin/webscr/?login-dispatch&login_email=unnimay@aol.com&ref=pp&login-processing=ok
www.124nruo3kb3j903ers01.com/cgi-bin/webscr/
www.syrianaction.com/data/.confirm/paypal/
www.paypalcomservupdate.intl-paypal1.com/us/cgi-bin/?cmd=_login-run
ukghd.com/images/www.paypal.com/cgi-bin/webscr.htm?cmd=_login-run
203.101.73.204/www.paypal.com.au/security/cgi-bin/webscr.htm?cmd=_login-run
52274548.es.strato-hosting.eu/lol/webscr.php?cmd=LogIn
www.kules.knows.nl/cgi/
lejournalduthesard.info/help/css/update/online-information/fr/verefication-compte/online-update/webscr.php?cmd=_login-run&dispatch=5885d80a13c0db1f1ff80d546411d7f84f1036d8f209d3d19ebb6f4eeec8bd0e57b2ad7d754c297ea32a3580bcf6dcb357b2ad7d754c297ea32a3580bcf6dcb3
208.101.19.98/~mikorg/
iwww.cz.cc/PayPal.fr/paypal/fr/webscr.php?cmd=_login-run&dispatch=5885d80a13c0db1f998ca054efbdf2c29878a435fe324eec2511727fbf3e9efc0779736997661668caf8ff5d99e81fe40779736997661668caf8ff5d99e81fe4

egg
www.luxor2020.com/about/files/Image/jpg/txt/neweggcom/security/customer/index.html

CUA

www.zoi-creation.com/customers.cua.com.au/webbanker/CUA/2/notice.htm
www.zoi-creation.com/customers.cua.com.au/webbanker/CUA/

HSBC

cmodz-hosting.com/upload/cache/IBlogin.html
www.w650-france.com//forum/modules/index.html
www.ifsb.co.kr/bbs/data/guest/gold/folder/folder/New%20Folder/United2/Folder/Folder/Folder/Folder/Folder/Folder/Folder/empty/empty/empty/United2/United/United/United/HSBC/index.html
dodongminhhien.com/modules/pib-home/2/1/personal/hsbc.co.uk/IBlogin.html

eBay
rahasiabisnis21.com/_space/apache_module.php
www.ebay.motors-cgi-items.com/cars-trucks_2003-BMW330I_W0QQitemZ15982632345413QQihZ012QQcategory-cars-trucksZ21983317QQssPageNameZWDVWQQrdZ1QQcmdZViewItems/index2.php
190-13-160-211.bk14-ipfija.surnet.cl/.ws-cgi/index.php
7beginnings.com/~sothebys/assets/profile/ws/login.html

JPMorgan Chase Bank

7beginnings.com/~sothebys/assets/profile/auth/secure/chase-sec/onlinebanking.chase.com=logon_confirm/

In this case, in the same living space there is a breach against eBay phishing and another against JPMorgan Chase Bank in the IP address 203.211.129.222. The site is controlled by a shell in php call !islamicshell v. edition ADVANCED!.

The truth is that in addition to web upload cloned, the attacker can quietly, such as spreading malware of any type hosted on the server which hosts the site, including (a very common and which tend to be used the shell php) defacing.

Lloyds TSB Bank

www.ifsb.co.kr/bbs/data/guest/gold/folder/folder/New%20Folder/United2/Folder/Folder/Folder/Folder/Folder/Folder/Folder/empty/empty/empty/United2/United/United/United/Lloyds/customer.php

Barclays

www.ifsb.co.kr/bbs/data/guest/gold/folder/folder/New%20Folder/United2/Folder/Folder/Folder/Folder/Folder/Folder/Folder/empty/empty/empty/United2/United/United/United/Barclays/LoginMember.login.htm

Canada Revenue Agency

221.134.144.147/cra-arc.gc.ca/esrvc-srvce/tx/ndvdls/myrefund/getStatus_en.htm

Poste italiane

fgewfgewdfsa.pochta.ru/posste.html
mesagio-postepay.xaker.ru/postpayleg-clientesdasdhit.html

Abbey

www.velositas.com/update/myonlineacounts2.abbeynational.co.uk/Logonaction=prepared/Logonaction=prepare/

Jorge Mieres

Justifying the unjustifiable in a world criminal

2010-02-06T15:30:00.002-03:00

As many readers know, since we have been researching Malware Intelligence direct implications of all this new generation of malicious code and criminal activity that daily feed back the business of crimeware.

Under this premise, the researchers focused their efforts on trying to reveal the different branches that are entangled with each other in a tangle of illegal actions aimed mainly to get money from users through unethical techniques. And according to this ... there are still doubts that we are facing a big business that profit through illegal activities that rub? (obviously, always according to the laws of each country). I think the unanimous answer is NO.

Saved this assessment after exposing both content around the state of the art of crimeware, including relevant data yet unexposed to not hamper the continuity of investigations, and has become a common aspect receive messages and comments, most aggressive, those responsible for the development or commercialization of certain applications crimeware.

Under this scenario, and although I'm not giving explanations on the research we perform, this time an exception will expose two of the last comments we have received from those who are part of the business of crimeware.

Especially because in some way reflect the philosophy (of life and mental) who operate from the underground, but lately things are changing.

The first case is an anonymous, non-aggressive that I personally must confess that ... very nice:) left by one of the Partners, which markets the crimeware YES Exploit System. The comment was made in the article that talks about this exploit pack, and which also find my answer. The comment is as follows:

YES, We are the blackhats :)
Thanks for small review, but why do ppl think that blackhats are poor guyz?
It's just a business, no less, no more :) Do you wanna buy our excellent product? - there is discounts for you ;)

As they say my "friends" to them is "just a business, neither more nor less." However, let us agree that, besides not being a conventional business, represents a business model that directly and actively collaborates with criminal activities, which isn't so funny.

Now, YES Exploit System is a crimeware development that has much in your code and whose market value is USD 800. And the one thing is funny (as last sentence of the comet) is knowing that I will not get any discount on crimeware ;)

The second case I want to present is a bit more aggressive in terms of what was written in the report on the Russian service to test the detection of malware, it can read the comment and my response, which does not transcribe here because of its length. The message reads:

"In summary, further evidence that not only the exploitation of malware generates profits but also moves parallel money on services to
this industry. And in some cases like the present one, have to see if you can consider this service as a criminal act or not."

Wow and why would this service be criminal act?

It's clear to me that someone has a year work in a software like this scanner and he want to make money with it.
If you don't like it don't use it. Noone forces you to pay for it or submit files there but since I see you are a little wanker
blogger who does not respect others work I giving it to you straight.

You have no inside experience in the antivirus industry whatsoever otherwise you would know that VirusTotal distributes 200K files/day
to antivirus companies for FREE. AV companies are shit on online scanners, they wouldn't even contact you if you would ask them about file
distribution and they definately wouldn't support an online scanner so what else can these services do to remain online?

Before you criticizing others work put something down on the table little frustrated shit..."

Regardless of the aggressive connotation that presents this second point, it's interesting who comes. Someone who uses the word as a nickname "KLESK" and host of an "attempt by business" completely unlawful, in which page one of the first things we read is "Selling corporate data, trade secrets".

"We sell corporate data and trade secrets", continues the propaganda. Clarify further what type of information supposedly "steal" companies, and topped with something very interesting:

"Please losers/asszors stay away, all the data bids start on 5 figures" :: Without words… :)

In order, particularly the latter case represents a good opportunity to analyze the psychology of a prospectus to cyber-criminal whose attempt to "negotiate" not only leaves much to be desired but can not even be rated as a possibility to be considered as an object research.

Related Information
Russian service online to check the detection of malware
YES Exploit System. Otro crimeware made in Rusia

Jorge Mieres

Crimeware in 2009

2010-01-05T01:00:00.001-03:00

"Crimeware in 2009" presented in one document all that was channeled through this blog during the year in question on crimeware and associated hazards.

There are a total of 262 pages and is divided by the most relevant topics that describe the criminal activities that were a source of news on this blog. Has two indices for getting the news in a simple (content) and another on the images (image index).

Then let some of the themes they found in the document in question:

Current business outlook caused by crimeware
Framework Exploit Pack for botnets general purpose
Framework Exploit Pack for botnets particular purpose
Services associated with crimeware
Intelligence in the fight against crimeware
Campaigns of spread and infection
Other Exploits packs that were investigated

Short information
Malware Intelligence
Annual compendium of information. Crimeware in 2009
262 pages
Spanish language

Download

Jorge Mieres