The mail was of course spoofed, here is the header:

Return-Path: <anonymous@v26248.1blu.de>
X-Original-To: b_b@cyber-samurai.de
Delivered-To: b_b@cyber-samurai.de
X-policyd-weight: using cached result; rate: -7.33
X-Greylist: delayed 716 seconds by postgrey-1.31 at server2.rustytub.com; Fri, 07 Oct 2011 23:05:00 CEST
Received: from v26248.1blu.de (v26248.1blu.de [88.84.131.218])
    by server2.rustytub.com (Postfix) with ESMTP id 608A3B2BEAA
    for <b_b@xxxxxxxx>; Fri, 7 Oct 2011 23:05:00 +0200 (CEST)
Received: (qmail 19790 invoked by uid 30); 7 Oct 2011 22:51:50 +0200
Date: 7 Oct 2011 22:51:50 +0200
Message-ID: <20111007205150.19786.qmail@v26248.1blu.de>
To: b_b@cyber-samurai.de
Subject: Ihr Amazon.de Konto wurde gesperrt! [07.10.2011]
From: <secure@amazon.de>
Reply-To:
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit

OK, so let's check the real sender host first:

canonical name v26248.1blu.de.
aliases
addresses 88.84.131.218

88.84.131.218 leads to diskreti.de, a pretty crappy online shop for condoms, most likely abandoned and never updated. So the installed xtcommerce platform is surely totally insecure and the site was pwnd through it.

Next, let's check the link that is shown in the email:

Looks kinda valid, even https, eh? But we all know a displayed link doesn't have to link to the displayed location, right? So let's check where the link really leads to:

http://wwwx.us/?www.amazon.de/ap/signin ... .return_to=https%3A%2F%2Fwww.amazon.de

wwwx.us it is, let's look it up:

Domain Name: WWWX.US
Domain ID: D34045646-US
Sponsoring Registrar: INTERNET.BS.CORP
Sponsoring Registrar IANA ID: 814
Registrar URL (registration services): http://www.internet.bs
Domain Status: clientTransferProhibited
Registrant ID: INTEGEDX46SH18AB
Registrant Name: Private Registration
Registrant Organization: wwwx.us
Registrant Address1: Rm.804, Sino Centre., Nathan Road
Registrant City: Kln Hong Kong
Registrant Postal Code: 582-592
Registrant Country: Hong Kong
Registrant Country Code: HK

OK, now the IP:

canonical name wwwx.us.
aliases
addresses 111.90.139.72

inetnum: 111.90.128.0 - 111.90.159.255
netname: PIRADIUS-NET
descr: PIRADIUS NET
country: MY

Malaysia, eh? Amazon must have outsourced.
Now let's have a look at the wwwx.us site:

The "amazon" part is inside a frame, so let's see where the frame source is located:

It leads to bella-italia-web.de, so let's have a look at that site too. It's also an xtcommerce site: crappy, outdated, abandoned, pwnd.

The fake Amazon login is located here:

I had no time yet to investigate this further, but I am sure on both sites you will find the usual PHP backdoors.... I will report both sites to the network host during the day, but I am pretty sure nothing will be done until Monday, so feel free to check.
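The two checks the post does by hand (reading the Return-Path and Received chain against the From: address, and comparing where a link says it goes with where its href really points) can be scripted. The following is an added example, not code from the post. It embeds the post's header block as a constructed sample (with the Received continuation lines re-folded so a mail parser accepts them) and a constructed href modelled on the post's URL with its elided middle left out ("return_to" is the only parameter name the post shows). It goes one step beyond the post by also catching the "https://www.amazon.de@wwwx.us/" user-info trick, which the same hostname check exposes.

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import unquote, urlsplit

# Constructed sample: the header block from the post, Received lines re-folded.
SAMPLE_HEADER = """\
Return-Path: <anonymous@v26248.1blu.de>
X-Original-To: b_b@cyber-samurai.de
Delivered-To: b_b@cyber-samurai.de
Received: from v26248.1blu.de (v26248.1blu.de [88.84.131.218])
    by server2.rustytub.com (Postfix) with ESMTP id 608A3B2BEAA
    for <b_b@xxxxxxxx>; Fri, 7 Oct 2011 23:05:00 +0200 (CEST)
Received: (qmail 19790 invoked by uid 30); 7 Oct 2011 22:51:50 +0200
Date: 7 Oct 2011 22:51:50 +0200
Message-ID: <20111007205150.19786.qmail@v26248.1blu.de>
To: b_b@cyber-samurai.de
Subject: Ihr Amazon.de Konto wurde gesperrt! [07.10.2011]
From: <secure@amazon.de>
MIME-Version: 1.0
Content-Type: text/html
"""

# Constructed href modelled on the post's link; the elided middle is dropped.
SAMPLE_HREF = "http://wwwx.us/?www.amazon.de/ap/signin&return_to=https%3A%2F%2Fwww.amazon.de"

# "from HELO-NAME (REVERSE-DNS [IP])" as Postfix and most MTAs write it.
RECEIVED_FROM = re.compile(r"from\s+(\S+)\s+\(([^\s\[\]]*)\s*\[([0-9.]+)\]")
# Anything that looks like a hostname, used to spot decoy names smuggled into a URL.
HOSTNAME = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def domain_of(header_value):
    """Domain part of the first address in a header value ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def same_org(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return bool(domain) and (host == domain or host.endswith("." + domain))


def received_hops(raw_header):
    """(helo-name, reverse-dns, ip) per Received header, newest (our MX) first.
    Hops without a 'from ... [ip]' part, like the local qmail injection, are skipped."""
    msg = email.message_from_string(raw_header)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_FROM.search(value)
        if m:
            hops.append((m.group(1).lower(), m.group(2).lower(), m.group(3)))
    return hops


def header_red_flags(raw_header):
    """Compare the envelope and transport evidence against the claimed From: domain."""
    msg = email.message_from_string(raw_header)
    from_dom = domain_of(msg.get("From"))
    flags = []
    rp_dom = domain_of(msg.get("Return-Path"))
    if rp_dom and not same_org(rp_dom, from_dom):
        flags.append(f"Return-Path domain {rp_dom} != From domain {from_dom}")
    mid_dom = domain_of(msg.get("Message-ID"))
    if mid_dom and not same_org(mid_dom, from_dom):
        flags.append(f"Message-ID domain {mid_dom} != From domain {from_dom}")
    hops = received_hops(raw_header)
    if hops:
        helo, rdns, ip = hops[0]  # the host that handed the mail to our own MX
        if not same_org(rdns or helo, from_dom):
            flags.append(f"last hop {rdns or helo} [{ip}] is not under {from_dom}")
    return flags


def link_check(displayed_text, href):
    """Where the link claims to go (its visible text) versus where it goes (its href).
    Also lists hostnames that appear in the href but are not the real host."""
    shown = displayed_text if "://" in displayed_text else "https://" + displayed_text
    shown_host = (urlsplit(shown).hostname or "").lower()
    real_host = (urlsplit(href).hostname or "").lower()
    decoys = sorted({h.lower() for h in HOSTNAME.findall(unquote(href))} - {real_host})
    return {"shown_host": shown_host, "real_host": real_host,
            "decoy_hosts": decoys, "mismatch": shown_host != real_host}


if __name__ == "__main__":
    for flag in header_red_flags(SAMPLE_HEADER):
        print("header:", flag)
    print("link:", link_check("https://www.amazon.de/ap/signin", SAMPLE_HREF))
```

A differing Return-Path alone is only a weak signal (legitimate bulk senders often route bounces through another domain); the topmost Received line, written by your own MX, is the one the sender cannot forge, and it is the line the post reads first.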