Posts

Showing posts from April, 2012

CartaSi phishing email part 2/2

Is there a group of people behind these phishing emails, or just one guy? I think there is only one guy, because if you check the title of this script you see the text "assembled by ME"; if it were a team it would say "Assembled by XYZ team". Where is he from? His mother tongue is Romanian and I think he lives in Italy. As you can see below, there are several files written in Romanian, and the stolen information is sent to a Fastweb email address, which you cannot create if you don't live in Italy. I was wrong in the previous article when I said that the phisher hacked the website: it was defaced by FERID23 from anti-armenia.org. I suppose that at the end of September 2011 this phisher found it, uploaded a shell and created several folders in this order: d3b (Postepay information stealer), stf (CartaSi, UK PayPal, Banca Intesa, IT PayPal, Postepay, VISA), pastote (CartaSi, PayPal, VISA, BancoPostaClick). Taking a look at the pastote folder we see that he uses a

Poste Italiane phishing emails 2

In these hours a "new" phishing attack is targeting Poste Italiane and its service called Postepay. In the previous article about the Poste Italiane phishing email, the phisher, to convince the victims to send their account details, told them they had won a bonus of 250 euro. This time he chose another approach that is more credible (in my opinion). The title says "we detected irregular activity on your Poste Italiane account", and the body continues: "for your protection you must download the attachment and fill in the form. If you ignore this email your account will be temporarily suspended". The sender is support@update.com. When you open the attachment you get this page with a central form ready to be filled in with Postepay account details (Username, Password, Credit Card Number, Expiration Date, Security Code). In this file he hasn't tried to obfuscate the form code as he did last time, so the address of the server where the data will be sent is easily visible. Th

ARP/DNS Spoofing Steal Facebook Password (LAN Environment)

In this video I'll show you how an attacker can steal user credentials for any site (in this case Facebook) in a LAN environment. First of all we use SET to clone the current Facebook home page and set up a server listening on port 80 with that copy. The next step is to discover potential victims by mapping our network. There are tons of ways to do this, through nmap, hping, the ping command, but this time I used the Linux command arp-scan with the following syntax: After mapping the network I used a great tool called netcmd to perform an ARP spoofing attack to redirect traffic through the attacker. The last step is to perform a DNS spoofing attack so that all requests sent by the victim to facebook.com will be redirected to the attacker. To do this we need to use ettercap and modify /usr/share/ettercap/etter.dns adding these two lines. After launching ettercap we just have to wait for the victim to log in to his Facebook account. Enjoy the video.

CartaSi phishing email part 1/2

CartaSi is a credit/charge card that can be used in Italy and abroad. On the 31st of March I received an email from CartaSi_Informa@cartasi.it. It is a classic phishing email and it says to download the attachment in order to unlock your account. One strange thing is the two Cyrillic words at the end; maybe this text has been translated from Russian/Ukrainian by someone, because there are no mistakes and they forgot the two letters. Why didn't they check it better before sending? The missing Italian letters are è and ù, which are accented, so maybe this is an encoding failure by Hotmail or the software they used to send the email. By the way, the phishers have used a credible domain name (cartasi.it), which is the original one. The attachment to download is named "CartaSi Secure Department" and if you open it with a browser it will look like this: Here is the original. Opening the attachment with a text editor we can see where the stolen data will be re

Poste Italiane phishing emails

Poste Italiane is the government-owned postal service of Italy, and spammers use phishing techniques to trick people into sending the credentials of their online accounts and credit cards. On the first of April I received an email from bancoposta@bpolbpol.com with this content. Basically it says that I have been selected to get a bonus of 250 euro, and in order to complete the operation I must download the attachment. First of all we see that the sender's domain is neither poste.it nor postepay.it, which is kind of strange for a legitimate email. I was curious to know what kind of site was behind the domain, so I navigated to that URL and got a white screen with blue text saying "website under construction". Maybe we can get more information by checking through http://whois.domaintools.com who registered that domain. A few details: Record created: 2/7/2011. Record expires: 2/7/2012. Registration service provider: Aruba S.p.A. Other details are omitted, because they contain ow