Archive for the ‘Phishing’ Category

EuroSoft 2011

EuroSoft spam is alive and kicking, arriving through email and on any writable page on the web.

Around this time last year, I spotted this activity on Skype; the difference this year is that the spam uses shortened URLs. Safari recognises some of the websites and displays the warning message “Suspected phishing site”, but not all of them, such as this site: “http://best-mac-software.com/”.

So be careful and pay attention; you may not realise that you are already dealing with a typosquatted, fraudulent website.

iPhone Users Vulnerable to URL Spoofing Attack

As I was reading my RSS feeds, I noticed that Aviv Raff disclosed two vulnerabilities found in the iPhone on the Jewish New Year (Oct 2). To my surprise, the phishing vulnerability isn’t new to me; it is a bit old. In fact, I created a crafted email with a spoofed URL in it, inspired by its original author, Juan Pablo Lopez Yacubian.

This topic was blogged on April 24 – Zero Day Exploit: Safari Address Bar URL Spoofing

Since this vulnerability affects Safari 3.1, iPhone users are obviously affected as well. I created this email to show that the vulnerability exists.

Notice the URL. You’ll find it creepy ‘coz in a desktop email browser you will usually see the complete URL in the lower right side bar. But in this case, the attacker can simply create a hyperlink to hide it, and it’s not that obvious!

Upon clicking it, here’s what you’ll find …

Google in the URL bar and Yahoo in the content? Yes, this is the security flaw found in Safari. It happens when you input a URL containing special characters followed by “@”, after which comes the actual hostname. The run of special characters is crafted to be long enough to hide the real URL of the page.

However, once you minimize the page, the URL displayed should ring a bell that this is something fishy!

The lesson here is to be aware and stay safe!
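
The check a mail filter or link scanner can apply to this trick, as an added example that is not part of the original post: parse the link and report the host that follows the last “@”, flagging any userinfo that is shaped like a hostname or padded. The sample URL, its padding and the length threshold are constructed assumptions, not the string used in the original disclosure.

```python
import re
from urllib.parse import urlsplit, unquote

# Userinfo that begins with something shaped like a hostname is the tell.
HOSTLIKE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+", re.I)
MAX_USERINFO = 40  # assumption: longer userinfo is treated as padding

def inspect_link(url):
    """Return the host the browser will contact plus any spoofing signals."""
    parts = urlsplit(url)
    # Everything in the authority before the last "@" is userinfo, not the host.
    userinfo = unquote(parts.netloc.rpartition("@")[0])
    signals = []
    if userinfo:
        signals.append("userinfo-present")
        m = HOSTLIKE.match(userinfo)
        if m and m.group(0).lower() != parts.hostname:
            signals.append("decoy-host:" + m.group(0).lower())
        if len(userinfo) > MAX_USERINFO:
            signals.append("padded-userinfo")
    return {"real_host": parts.hostname, "signals": signals}

# Constructed sample: decoy name, percent-encoded padding, then the real host.
SPOOFED = "http://www.google.com" + "%20" * 60 + "@www.yahoo.com/"
PLAIN = "http://www.yahoo.com/"

if __name__ == "__main__":
    for link in (SPOOFED, PLAIN):
        print(inspect_link(link))
```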

IRS Phishing Sites

A month after the Internet Crime Complaint Center (IC3) published an alert concerning US Internal Revenue Service (IRS) scams and phishing sites, and after a wave of public media attention, guess what? These guys are still up and running …

Perhaps they have enough data to prove that they still have a market (people who don’t care about information security) after all.

Identity Theft And Your MSN Account

There are more MSN fraudsters roaming around, and this time they are serving twenty different languages.
Last February, I posted this topic: “Your MSN Account Has Been 0WN3D”.

These are phishing sites that employ social engineering techniques to lure MSN users into giving out their email address and password.

As a result, the stolen MSN identity can be used remotely to send instant-message and email spam to all contacts, and to snoop on your personal messages.

At the moment, the following IP addresses and domain names are actively serving these MSN phishing sites.


Be careful and stay away from these sites!

Phishing or Joking ?

My manager forwarded me this email with a note …

“I think this is the funniest, undoubtedly most clumsy phisher I have ever seen”.

Note: Commonwealth Bank and Westpac are two different banks in Australia.

This email is already one week old, but it still makes sense. Anyone who understands phishing emails will certainly agree and think these guys are joking.

On the contrary, there’s a wide population that does not understand any of this and is vulnerable even to its very obvious trick.

Continuous education and awareness are important to information security, and this was discussed at a recent meeting of the Anti-Spyware Coalition in Washington, D.C.

Related Topic:
Education: What Works and What Doesn’t? [Audio]

Phish Facebook, Phish Myspace too!

Investigating the recent Facebook phishing attack has turned up more information, including Myspace phishing sites and gambling casino spam.

Let’s start with this screenshot below.


Let’s perform a DNS lookup on the FQDN 371233.cn.

As you can see, this phishing domain runs on a double fast flux DNS service, which means both the NS and A records are dynamic and constantly changing. Observing the activity further, there are 10 round-robin addresses that change every minute, and this rogue network hosts thousands of domains. So shutting down these fake sites is not that easy!

The screenshot below is a Myspace phishing site.
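
A detection heuristic for the behaviour described above, as an added example that is not part of the original post: compare repeated lookups of one domain and measure how much of the A and NS record sets is replaced between snapshots. The lookups are constructed (documentation address space and made-up name server names), and the turnover and TTL thresholds are assumptions.

```python
def turnover(snapshots):
    """Mean share of records replaced between consecutive snapshots (0..1)."""
    ratios = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        union = prev | cur
        ratios.append(1 - len(prev & cur) / len(union) if union else 0.0)
    return sum(ratios) / len(ratios) if ratios else 0.0

def classify_flux(observations, min_turnover=0.5, max_ttl=300):
    """Label a domain from repeated lookups: stable, single-flux or double-flux.

    The thresholds are assumptions for illustration, not published cut-offs.
    """
    a_sets = [frozenset(o["a"]) for o in observations]
    ns_sets = [frozenset(o["ns"]) for o in observations]
    short_ttl = all(o["ttl"] <= max_ttl for o in observations)
    a_flux = short_ttl and turnover(a_sets) >= min_turnover
    ns_flux = turnover(ns_sets) >= min_turnover
    if a_flux and ns_flux:
        return "double-flux"
    return "single-flux" if a_flux else "stable"

def sample(minutes, rotate_a, rotate_ns, ttl):
    """Constructed lookups, one per minute, using documentation address space."""
    obs = []
    for i in range(minutes):
        a = i if rotate_a else 0
        n = i if rotate_ns else 0
        obs.append({
            "a": {f"192.0.2.{10 * a + k}" for k in range(1, 11)},  # 10 A records
            "ns": {f"ns{n}-{k}.flux.example" for k in range(1, 3)},
            "ttl": ttl,
        })
    return obs

DOUBLE = sample(5, rotate_a=True, rotate_ns=True, ttl=60)
SINGLE = sample(5, rotate_a=True, rotate_ns=False, ttl=60)
STABLE = sample(5, rotate_a=False, rotate_ns=False, ttl=3600)

if __name__ == "__main__":
    for name, obs in (("double", DOUBLE), ("single", SINGLE), ("stable", STABLE)):
        print(name, classify_flux(obs))
```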


more links …

login.myspace.com.cfm.fuseaction.splash.mytoken.76701a26.0j643z.com
profile.myspace.com.fuseaction.user.viewprofile.9w.11523822.cn
profile.myspace.com.fuseaction.id.0ed37i8xdd.378d38.cn
profile.myspace.com.fuseaction.id.user.viewprofile.1878800.cn

Aside from phishing sites, this node (particularly myluludns.com) is also responsible for gambling casino spam (I found 6 active mail domains) and even a marijuana scam (like thebudshop.net and crazybuds.com).

In summary, phishing and scam spam are cross-platform, web-based attacks. They aim to steal your identity and your money!

Mac and iPhone users are not exempt.
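
The hostnames listed above all put the brand’s name in the leftmost labels while the domain that is actually registered sits at the far right. As an added example that is not part of the original post, this check flags that pattern; the brand list is an assumption, and taking the last two labels as the registered domain is a simplification that happens to hold for the .com and .cn names quoted here.

```python
BRANDS = ("myspace.com", "facebook.com")  # assumption: domains being protected

def registrable_domain(host):
    """Last two labels. Simplification: a production check would consult the
    Public Suffix List so that suffixes such as co.uk are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def embedded_brand(host):
    """Return (brand, real_domain) when a brand's domain appears as labels of a
    host that is registered under a different domain, else None."""
    host = host.lower().rstrip(".")
    real = registrable_domain(host)
    if real in BRANDS:
        return None  # the host really belongs to the brand
    for brand in BRANDS:
        # Match on whole labels so "notmyspace.com.x.cn" is not a hit.
        if f".{brand}." in f".{host}.":
            return (brand, real)
    return None

# Hostnames quoted in the post, plus one genuine name for contrast.
HOSTS = [
    "login.myspace.com.cfm.fuseaction.splash.mytoken.76701a26.0j643z.com",
    "profile.myspace.com.fuseaction.user.viewprofile.9w.11523822.cn",
    "profile.myspace.com.fuseaction.id.0ed37i8xdd.378d38.cn",
    "profile.myspace.com.fuseaction.id.user.viewprofile.1878800.cn",
    "profile.myspace.com",
]

if __name__ == "__main__":
    for h in HOSTS:
        print(h, "->", embedded_brand(h))
```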