American Express Phishing April 12 2014

MalwareMustDie, Apr 12th, 2014
// #MalwareMustDie! $ date
// Sat Apr 12 13:28:40 JST 2014
// Case: American Express Phishing April 12 2014
// Analysis base: http://blog.malwaremustdie.org/2014/02/one-upn-time-with-american-express.html

// Landings:

http://floresdellago.com/fresher/caring.html                    184.107.209.210
http://www.inversionesdecolombia.co/hellishly/flotilla.html     184.107.209.210
http://www.ffgpartners.com/errol/turks.html                     209.90.108.164
http://bravestnightofcomedy.com/larches/auctioning.html         207.45.187.98
http://ftp.autolens.co.uk/kicky/barclay.html                    91.186.25.139
http://web-fx.net/busbies/continuums.html                       91.186.1.166
http://fieldingscarpets.co.uk/shebang/reprobate.html            91.186.1.166
http://steinschatz.de/refusal/prayers.html                      94.101.38.24
http://dos-pistolas.24.co.at/outflanks/grafton.html             46.4.149.201
http://economysquareshoppingcenter.com/taxis/reimposed.html     74.220.207.133
http://safetyworxgroup.co.za/environs/produce.html              196.22.172.216
http://pointcanada.com/lakshmi/specter.html                     184.107.232.2

// Remote Scripts:

http://bvh.cwsurf.de/slogan/transplant.js                       85.195.104.20
http://debbixler.com/pulley/lifeguard.js                        72.167.186.171
http://electricwinches.co.uk/lofting/retiring.js                91.186.1.215
http://mcnabconstruction.com/morton/cetaceans.js                91.186.1.166

// Phishing site:

http://218.234.108.131:8080/americanexpress/                    218.234.108.131

// IP complete translation (IP | reverse DNS | ASN | netblock | AS name | country | org domain | org name)

184.107.209.210|globalrotor.com.|32613 | 184.107.0.0/16 | IWEB-AS | CA | HOSTINGYSOLUCIONES.COM | JULIAN MESA
209.90.108.164|for918-128.pricessolanum.com.|5048 | 209.90.64.0/18 | FIBER | US | NETHOSTING.COM | LINKS WEST
207.45.187.98|ice.securenet-server.net.|22878 | 207.45.176.0/20 | ASACENET1 | US | ACENET-INC.NET | ACENET INC.
91.186.25.139||29550 | 91.186.0.0/19 | SIMPLYTRANSIT | GB | EUROCONNEX.NET | SIMPLY TRANSIT LTD
91.186.1.166||29550 | 91.186.0.0/19 | SIMPLYTRANSIT | GB | EUROCONNEX.NET | SIMPLY TRANSIT LTD
94.101.38.24|eight.rr1.revido.de.|16097 | 94.101.32.0/20 | HLKOMM | DE | REVIDO.DE | REVIDO LIMITED
46.4.149.201|static.201.149.4.46.clients.your-server.de.|24940 | 46.4.0.0/16 | HETZNER | DE | YOUR-SERVER.DE | QE GMBH & CO. KG
74.220.207.133|host133.hostmonster.com.|46606 | 74.220.192.0/19 | UNIFIEDLAYER-AS-1 | US | UNIFIEDLAYER.COM | UNIFIED LAYER
196.22.172.216|www.swh-02.mweb.net.|10474 | 196.22.172.0/24 | MWEB | ZA | MWEB.CO.ZA | MWEB CONNECT (PROPRIETARY) LIMITED
184.107.232.2|prolink.elighthost.com.|32613 | 184.107.0.0/16 | IWEB-AS | CA | - | ALIREZA YARMOHAMADI
85.195.104.20|u01.cwsurf.de.|29066 | 85.195.64.0/18 | VELIANET | DE | VELIA.NET | VELIA.NET INTERNETDIENSTE GMBH
72.167.186.171|ip-72-167-186-171.ip.secureserver.net.|26496 | 72.167.184.0/22 | AS-26496-GO-DADDY-CO | US | GODADDY.COM | GODADDY.COM LLC
91.186.1.215||29550 | 91.186.0.0/19 | SIMPLYTRANSIT | GB | EUROCONNEX.NET | SIMPLY TRANSIT LTD
91.186.1.166||29550 | 91.186.0.0/19 | SIMPLYTRANSIT | GB | EUROCONNEX.NET | SIMPLY TRANSIT LTD
218.234.108.131|smf.taratps.com.|9318 | 218.234.0.0/15 | HANARO | KR | TARATPS.COM | TARA TPS
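// Added example (not part of the original paste or of MalwareMustDie's tooling): a small parser for the pipe-delimited lookup table above. It turns each line into a record, refuses any line whose IP is not actually inside the netblock it was attributed to (a cheap guard against whois mix-ups before the table is turned into a block list), deduplicates the repeated 91.186.1.166, and groups the IPs by origin AS so the hosting clusters (e.g. the four Simply Transit entries) stand out. The table text is copied from this page; the field names and helper functions are this example's own choices.

```python
import re
from ipaddress import ip_address, ip_network

# The IP translation block from this paste, copied as-is. Field layout, left to right:
# IP | reverse DNS | ASN | netblock | AS name | country | org domain | org name
IP_TABLE = """\
184.107.209.210|globalrotor.com.|32613 | 184.107.0.0/16 | IWEB-AS | CA | HOSTINGYSOLUCIONES.COM | JULIAN MESA
209.90.108.164|for918-128.pricessolanum.com.|5048 | 209.90.64.0/18 | FIBER | US | NETHOSTING.COM | LINKS WEST
207.45.187.98|ice.securenet-server.net.|22878 | 207.45.176.0/20 | ASACENET1 | US | ACENET-INC.NET | ACENET INC.
91.186.25.139||29550 | 91.186.0.0/19 | SIMPLYTRANSIT | GB | EUROCONNEX.NET | SIMPLY TRANSIT LTD
91.186.1.166||29550 | 91.186.0.0/19 | SIMPLYTRANSIT | GB | EUROCONNEX.NET | SIMPLY TRANSIT LTD
94.101.38.24|eight.rr1.revido.de.|16097 | 94.101.32.0/20 | HLKOMM | DE | REVIDO.DE | REVIDO LIMITED
46.4.149.201|static.201.149.4.46.clients.your-server.de.|24940 | 46.4.0.0/16 | HETZNER | DE | YOUR-SERVER.DE | QE GMBH & CO. KG
74.220.207.133|host133.hostmonster.com.|46606 | 74.220.192.0/19 | UNIFIEDLAYER-AS-1 | US | UNIFIEDLAYER.COM | UNIFIED LAYER
196.22.172.216|www.swh-02.mweb.net.|10474 | 196.22.172.0/24 | MWEB | ZA | MWEB.CO.ZA | MWEB CONNECT (PROPRIETARY) LIMITED
184.107.232.2|prolink.elighthost.com.|32613 | 184.107.0.0/16 | IWEB-AS | CA | - | ALIREZA YARMOHAMADI
85.195.104.20|u01.cwsurf.de.|29066 | 85.195.64.0/18 | VELIANET | DE | VELIA.NET | VELIA.NET INTERNETDIENSTE GMBH
72.167.186.171|ip-72-167-186-171.ip.secureserver.net.|26496 | 72.167.184.0/22 | AS-26496-GO-DADDY-CO | US | GODADDY.COM | GODADDY.COM LLC
91.186.1.215||29550 | 91.186.0.0/19 | SIMPLYTRANSIT | GB | EUROCONNEX.NET | SIMPLY TRANSIT LTD
91.186.1.166||29550 | 91.186.0.0/19 | SIMPLYTRANSIT | GB | EUROCONNEX.NET | SIMPLY TRANSIT LTD
218.234.108.131|smf.taratps.com.|9318 | 218.234.0.0/15 | HANARO | KR | TARATPS.COM | TARA TPS
"""

# Field names are this example's own labels for the eight columns.
FIELDS = ("ip", "reverse", "asn", "cidr", "as_name", "cc", "org_domain", "org_name")


def parse_table(text):
    """Parse the pipe-delimited lookup output into one dict per line.

    Raises ValueError on a malformed line, or on an IP that is not inside the
    netblock the lookup attributed it to (a mix-up that would otherwise end
    up in a block list built from this table).
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields: {line!r}")
        rec = dict(zip(FIELDS, parts))
        rec["asn"] = int(rec["asn"])
        rec["reverse"] = rec["reverse"].rstrip(".") or None   # empty reverse DNS -> None
        if rec["org_domain"] == "-":                            # the lookup prints '-' for unknown
            rec["org_domain"] = None
        if ip_address(rec["ip"]) not in ip_network(rec["cidr"]):
            raise ValueError(f"{rec['ip']} is not inside {rec['cidr']}")
        records.append(rec)
    return records


def unique_ips(records):
    """Deduplicated IPs in numeric order (the table lists 91.186.1.166 twice)."""
    return sorted({r["ip"] for r in records}, key=ip_address)


def by_asn(records):
    """Group unique IPs by origin AS, keeping the AS name and country for each group."""
    groups = {}
    for r in records:
        g = groups.setdefault(r["asn"], {"as_name": r["as_name"], "cc": r["cc"], "ips": set()})
        g["ips"].add(r["ip"])
    for g in groups.values():
        g["ips"] = sorted(g["ips"], key=ip_address)
    return groups


def netblocks(records):
    """Unique netblocks, for a coarser (and much noisier) watch list than the IPs."""
    return sorted({r["cidr"] for r in records}, key=ip_network)


if __name__ == "__main__":
    recs = parse_table(IP_TABLE)
    print(len(unique_ips(recs)), "unique IPs in", len(netblocks(recs)), "netblocks")
    for asn, g in sorted(by_asn(recs).items(), key=lambda kv: -len(kv[1]["ips"])):
        print(f"AS{asn:<6} {g['cc']} {g['as_name']:<22} {', '.join(g['ips'])}")
```

The netblock membership check matters more than it looks: a /15 or /16 covers a whole hosting provider, so a single mis-attributed line would turn into a block on tens of thousands of unrelated hosts.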


// The Landing PoC

GET /hellishly/flotilla.html HTTP/1.1
Host: www.inversionesdecolombia.co
Referer: http://MalwareMustDieHatesPhishing.org
  :
HTTP/1.1 200 OK
Date: Sat, 12 Apr 2014 04:17:12 GMT
Server: Apache/2.4.6 (Unix) OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
Last-Modified: Fri, 11 Apr 2014 15:15:26 GMT
Accept-Ranges: bytes
Content-Length: 532
Connection: close
Content-Type: text/html
200 OK
Length: 532 [text/html]
Saving to: './sample.mmd'

// The Remote Script PoC

$ cat sample.mmd
<html>
<table width="275" border="1" cellpadding="3" bordercolor="#0000FF"><tr><td><div align="center">Connecting to server...</div></td></tr></table></a>
<script type="text/javascript" src="http://bvh.cwsurf.de/slogan/transplant.js"></script>
<script type="text/javascript" src="http://debbixler.com/pulley/lifeguard.js"></script>
<script type="text/javascript" src="http://electricwinches.co.uk/lofting/retiring.js"></script>
<script type="text/javascript" src="http://mcnabconstruction.com/morton/cetaceans.js"></script>

</html>

// The Script Redirector PoC

Resolving bvh.cwsurf.de (bvh.cwsurf.de)... 85.195.104.20
Caching bvh.cwsurf.de => 85.195.104.20
Connecting to bvh.cwsurf.de (bvh.cwsurf.de)|85.195.104.20|:80... connected.
GET /slogan/transplant.js HTTP/1.1
Referer: http://pointcanada.com/lakshmi/specter.html
Host: bvh.cwsurf.de
 :
HTTP/1.1 200 OK
Date: Sat, 12 Apr 2014 04:14:29 GMT
Server: Apache
Last-Modified: Fri, 11 Apr 2014 22:59:02 GMT
ETag: "90c011c-41-4f6cc479c1af1"
Accept-Ranges: bytes
Content-Length: 65
Connection: close
Content-Type: application/javascript
200 OK
Length: 65 [application/javascript]
Saving to: './sample.mmd'

$ cat sample.mmd
document.location='http://218.234.108.131:8080/americanexpress/';
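// Added example (not part of the original paste or of MalwareMustDie's tooling): an offline walk of the chain shown in the three PoCs above. It takes the captured landing page body, pulls out the remote script URLs it loads, extracts every `location` redirect from whichever script bodies are available, and scores the destination with a few cheap heuristics (literal IP instead of a domain, non-standard port, destination on a different host from the landing page, brand keyword in the path). Only transplant.js is shown on this page, so the other three scripts are deliberately left unfetched and the chain reports them as such. The heuristics, the brand keyword list and all function names are this example's own assumptions, not anything from the original analysis.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Landing page body exactly as captured above (sample.mmd, 532 bytes).
LANDING_URL = "http://www.inversionesdecolombia.co/hellishly/flotilla.html"
LANDING_HTML = """<html>
<table width="275" border="1" cellpadding="3" bordercolor="#0000FF"><tr><td><div align="center">Connecting to server...</div></td></tr></table></a>
<script type="text/javascript" src="http://bvh.cwsurf.de/slogan/transplant.js"></script>
<script type="text/javascript" src="http://debbixler.com/pulley/lifeguard.js"></script>
<script type="text/javascript" src="http://electricwinches.co.uk/lofting/retiring.js"></script>
<script type="text/javascript" src="http://mcnabconstruction.com/morton/cetaceans.js"></script>

</html>"""

# Bodies of the remote scripts. Only transplant.js is shown on this page; the
# other three are intentionally absent so the chain reports them as unfetched.
SCRIPT_BODIES = {
    "http://bvh.cwsurf.de/slogan/transplant.js":
        "document.location='http://218.234.108.131:8080/americanexpress/';",
}

SCRIPT_SRC_RE = re.compile(r"""<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']""", re.I)

# location assignments in the spellings small redirector scripts commonly use
REDIRECT_RE = re.compile(r"""
    (?:(?:window|document|top|self)\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']
  | location\.(?:replace|assign)\(\s*["']([^"']+)["']\s*\)
""", re.I | re.X)


def extract_script_urls(html):
    """External <script src> URLs in document order, duplicates dropped."""
    out = []
    for src in SCRIPT_SRC_RE.findall(html):
        if src.startswith(("http://", "https://", "//")) and src not in out:
            out.append(src)
    return out


def extract_redirects(js):
    """Every URL a script assigns to location (or passes to replace/assign)."""
    return [a or b for a, b in REDIRECT_RE.findall(js)]


def assess_target(target, landing_url, brand_words=("americanexpress", "amex")):
    """Cheap phishing-redirect heuristics (assumed here, not from the original analysis)."""
    t, l = urlparse(target), urlparse(landing_url)
    try:
        ip_address(t.hostname)
        bare_ip = True
    except ValueError:
        bare_ip = False
    port = t.port or (443 if t.scheme == "https" else 80)
    return {
        "bare_ip": bare_ip,                          # destination host is a literal IP, no domain
        "nonstandard_port": port not in (80, 443),   # e.g. :8080 on a compromised box
        "cross_site": t.hostname != l.hostname,      # landing and destination are unrelated hosts
        "brand_in_path": any(w in t.path.lower() for w in brand_words),
    }


def follow_chain(landing_url, html, bodies):
    """Map each script the landing page loads to the redirect targets found in it."""
    chain = []
    for src in extract_script_urls(html):
        body = bodies.get(src)
        targets = extract_redirects(body) if body is not None else []
        chain.append({
            "script": src,
            "fetched": body is not None,
            "targets": [(u, assess_target(u, landing_url)) for u in targets],
        })
    return chain


if __name__ == "__main__":
    for hop in follow_chain(LANDING_URL, LANDING_HTML, SCRIPT_BODIES):
        print(hop["script"], "fetched" if hop["fetched"] else "NOT FETCHED")
        for url, flags in hop["targets"]:
            print("   ->", url, sorted(k for k, v in flags.items() if v))
```

Loading four redirectors from four different compromised hosts is what makes the landing page survive takedowns: as long as any one of them still serves its one-liner, the victim ends up on the phishing site. When fetching the scripts for real, send the landing page as the Referer, as the PoC above does, since redirectors of this kind often serve a blank body to requests without one.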

// The rest of the information is similar to that in the blog post linked above.

---
#MalwareMUSTDie!
Analysis:  @unixfreaxjp