dslreports logo
 
    All Forums Hot Topics Gallery
spc
uniqs
50

Snowy
Lock him up!!!
Premium Member
join:2003-04-05
Kailua, HI

Snowy to Worried

Premium Member

to Worried

Re: [Phish] Ebay phishers are getting smarter

said by Worried :

I do have up to date Webroot antivirus, but was wondering if I should get my computer checked out?

The only way to be sure is to go through the motions at DSLR's Security Cleanup forum located here.
»Security Cleanup

My opinion is that the site was setup or hacked too act as a typical eBay phish, not a malware server.
Everything points that way.
A newly registered domain name with possibly fraudulent domain registration, eBay phish content, possible Romanian involvement all point towards just another eBay phish rather than malware installations.

It was registered on Nov 20, 2012 with the following whois
"Registrant:
Valentin Mihai Foarcea
Tacoescu #27
Dragasani, N/A 245700
RO
Domain name: VALI-LEAKS.COM
Administrative Contact:
Mihai Foarcea, Valentin vali.foarcea@gmail.com
Tacoescu #27
Dragasani, N/A 245700
RO
+1.4073323605x1
Technical Contact:
Administrator, System hostmaster@lunarpages.com
1360 N. Hancock St.
Anaheim, CA 92807
US
+1.7145218150
Registrar of Record: TUCOWS, INC.
Record last updated on 20-Nov-2012.
Record expires on 20-Nov-2013.
Record created on 20-Nov-2012.
Registrar Domain Name Help Center:
»tucowsdomains.com
Domain servers in listed order:
NS1.VALI-LEAKS.COM 64.50.180.41
NS2.VALI-LEAKS.COM 64.50.180.42"
said by Worried :

What happened to you?

Not really directed at me but I did visit the site while it was still up & didn't notice anything related to malware.

Worried
@shawcable.net

Worried

Anon

So are most phishing sites not associated with key logger malware?
Am I (hopefully) worrying over nothing?

Snowy
Lock him up!!!
Premium Member
join:2003-04-05
Kailua, HI

Snowy

Premium Member

said by Worried :

So are most phishing sites not associated with key logger malware?

The short answer is yes, most phishing sites are not associated with malware.
There’s a lot behind that but briefly, the miscreants behind phish sites & malware servers usually engage in one or the other type of activity with little crossover.
Serving phish content & malware simultaneously on the same URL is something seen very rarely & when it is seen is the result of 2 unrelated miscreants hacking the same server around the same time with each doing their own thing independent of each other. I don't believe that happened here.
The activity in this thread indicates this phish was well organized & executed by a professional engaged in phish activity.
Toss in a probable Romanian connection & it becomes more convincing that phish was the order for the day because Romanians involved in cybercrime are overwhelmingly involved with phish content vs malware content although they do exist.
said by Worried :

Am I (hopefully) worrying over nothing?

I wouldn't take it to the point of not worrying about anything but worrying about having a KL or some other driveby installed via this event are slim to nonexistent, IMO