pretty "good" amazon phishing job

Fight back! So don't expect to find lame "fake login screens" or similar stuff here.

Post by bad_brain »

got an email last night "from amazon", telling me my account was locked because it was "maybe abused by someone else" and I have to click a link to log in and verify myself there.
the mail was of course spoofed, here is the header:
Return-Path: <anonymous@v26248.1blu.de>
X-Original-To: b_b@cyber-samurai.de
Delivered-To: b_b@cyber-samurai.de
X-policyd-weight: using cached result; rate: -7.33
X-Greylist: delayed 716 seconds by postgrey-1.31 at server2.rustytub.com; Fri, 07 Oct 2011 23:05:00 CEST
Received: from v26248.1blu.de (v26248.1blu.de [88.84.131.218])
by server2.rustytub.com (Postfix) with ESMTP id 608A3B2BEAA
for <b_b@xxxxxxxx>; Fri, 7 Oct 2011 23:05:00 +0200 (CEST)
Received: (qmail 19790 invoked by uid 30); 7 Oct 2011 22:51:50 +0200
Date: 7 Oct 2011 22:51:50 +0200
Message-ID: <20111007205150.19786.qmail@v26248.1blu.de>
To: b_b@cyber-samurai.de
Subject: Ihr Amazon.de Konto wurde gesperrt! [07.10.2011]
From: <secure@amazon.de>
Reply-To:
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
ok, so let's check the real sender host first:
canonical name v26248.1blu.de.
aliases
addresses 88.84.131.218
88.84.131.218 leads to diskreti.de, a pretty crappy online shop for condoms, most likely abandoned and never updated. so the installed xtcommerce platform is surely totally insecure and the site was pwnd through it.

next, let's check the link that is shown in the email:

=https%3A%2F%2Fwww.amazon.de
looks kinda valid, even https, eh? but we all know a displayed link doesn't have to link to the displayed location, right? so let's check where the link really leads to:
wwwx.us it is, let's look it up:
canonical name wwwx.us.
aliases
addresses 111.90.139.72

Domain Name: WWWX.US
Domain ID: D34045646-US
Sponsoring Registrar: INTERNET.BS.CORP
Sponsoring Registrar IANA ID: 814
Registrar URL (registration services): http://www.internet.bs
Domain Status: clientTransferProhibited
Registrant ID: INTEGEDX46SH18AB
Registrant Name: Private Registration
Registrant Organization: wwwx.us
Registrant Address1: Rm.804, Sino Centre., Nathan Road
Registrant City: Kln Hong Kong
Registrant Postal Code: 582-592
Registrant Country: Hong Kong
Registrant Country Code: HK
ok, now the IP:
inetnum: 111.90.128.0 - 111.90.159.255
netname: PIRADIUS-NET
descr: PIRADIUS NET
country: MY
Malaysia, eh? amazon must have outsourced. :lol:

now let's have a look at the wwwx.us site:
Image

the "amazon" part is inside a frame, so let's see where the frame source is located:
Image
leads to bella-italia-web.de, so let's have a look at that site too, it's also an xtcommerce site, crappy, outdated, abandoned, pwnd.
the fake amazon login is located here:
I had no time yet to investigate this further, but I am sure on both sites you will find the usual php backdoors....I will report both sites to the network host during the day, but I am pretty sure nothing will be done until monday, so feel free to check.
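The header comparison walked through in the post above, written as a script (an added example, not part of the original thread). It parses the header lines quoted in the post and reports every sender-side field whose domain does not match the visible From domain; the helper names and the two-label domain shortcut are assumptions made for this illustration.

```python
import email
import re
from email.utils import parseaddr

# Header lines copied from the post above (recipient is redacted there too).
RAW_HEADER = """\
Return-Path: <anonymous@v26248.1blu.de>
Received: from v26248.1blu.de (v26248.1blu.de [88.84.131.218])
    by server2.rustytub.com (Postfix) with ESMTP id 608A3B2BEAA
    for <b_b@xxxxxxxx>; Fri, 7 Oct 2011 23:05:00 +0200 (CEST)
Received: (qmail 19790 invoked by uid 30); 7 Oct 2011 22:51:50 +0200
Message-ID: <20111007205150.19786.qmail@v26248.1blu.de>
Subject: Ihr Amazon.de Konto wurde gesperrt! [07.10.2011]
From: <secure@amazon.de>
Reply-To:

"""

# Postfix-style hop: "from <helo> (<reverse-dns> [<ip>])"
RECEIVED_RE = re.compile(r"from\s+\S+\s+\((?P<rdns>[^\s\[]+)\s+\[(?P<ip>[^\]]+)\]\)")

def org_domain(host):
    """Last two labels of a host name (assumption: no public-suffix handling)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def addr_domain(value):
    """Domain part of an address-like header value, '' when absent."""
    return parseaddr(value or "")[1].rpartition("@")[2]

def check_header(raw):
    """Return (field, value) pairs that do not belong to the From domain."""
    msg = email.message_from_string(raw)
    from_dom = org_domain(addr_domain(msg["From"]))
    findings = []
    # These fields are stamped by the sending system, not by the visible From line.
    for name in ("Return-Path", "Message-ID"):
        dom = addr_domain(msg[name])
        if dom and org_domain(dom) != from_dom:
            findings.append((name, dom))
    # The topmost Received line is added by the receiving server, so it can be trusted.
    hop = RECEIVED_RE.search(msg.get("Received", ""))
    if hop and org_domain(hop.group("rdns")) != from_dom:
        findings.append(("Received", f"{hop.group('rdns')} [{hop.group('ip')}]"))
    return findings

if __name__ == "__main__":
    for field, value in check_header(RAW_HEADER):
        print(f"{field}: {value} does not match the From domain")
```

Legitimate bulk mail can also use a different envelope domain, so a hit is a reason to look up the sending host, which is the next step the post takes.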

Re: pretty "good" amazon phishing job

Post by ayu »

Nice work! :D

I'll put them under some "stress" and see if we can save some poor souls' account info ^^
"The best place to hide a tree, is in a forest"

Re: pretty "good" amazon phishing job

Post by bad_brain »

best go for the wwwx.us one, I've just sent abuse reports for the 2 german ones...^^

Re: pretty "good" amazon phishing job

Post by bergmann »

ha ha you are just so cool mr b_b , nice work

Re: pretty "good" amazon phishing job

Post by bubzuru »

DoS is not cool buddy. oj knock em down :-99