Message-ID: <20040407040512.GB30108@phxby.com>
From: irwanhadi at phxby.com (Irwan Hadi)
Subject: Another phishing attack

I just got another phishing attack. The interesting thing about this attack
is that instead of trying to trick me into opening a URL, the 'phisher' tried to
trick me into clicking a zipped file.

The extracted file itself is clean of viruses, as McAfee says:
ms# uvscan --version
Virus Scan for BSD v4.24.0
Copyright (c) 1992-2003 Networks Associates Technology Inc. All rights
reserved.
(408) 988-3832  LICENSED COPY - Jan 27 2003

Scan engine v4.2.40 for BSD.
Virus data file v4348 created Apr 06 2004
Scanning for 88550 viruses, trojans and variants.

ms#

ms# uvscan --summary www.fdic.com.fraud.security.pif.pif

Summary report on /tmp/www.fdic.com.fraud.security.pif.pif
File(s)
        Total files: ...........       1
        Clean: .................       1
        Not scanned: ...........       0
        Possibly Infected: .....       0
ms#


Moreover, based on the strings output I can guess that once someone opens this
file, the file will "call home", though I can't find the IP address that
this program is calling.
WSAStartup
connect
gethostbyname
htons
recv
send
socket
GetCommandLineA
GetModuleFileNameA
GetModuleHandleA
CloseHandle
GetVersion
GetWindowsDirectoryA
MoveFileExA
CreateFileA
RtlUnwind
SetFilePointer
WinExec
WriteFile
CreateThread
DeleteFileA
__GetMainArgs
_sleep
atoi
exit
raise
rand
signal
sprintf
strchr
wsock32.dll
KERNEL32.DLL
CRTDLL.DLL

--------------
    X-Hydra-AttHeader: www.fdic.com.fraud.security.pif.zip
    Return-path: <security@...c.com>
    Received: from barracuda.usu.edu
     ("port 51995"@barra.ss.usu.edu [129.123.104.27])
     by cc.usu.edu (PMDF V6.1 #39089) with ESMTP id
<01L8M9XDSOZ4AFUJLZ@...usu.edu>
     for @cc.usu.edu (ORCPT @cc.usu.edu); Tue,
     06 Apr 2004 17:48:21 -0600 (MDT)
    Received: from pcp03457982pcs.csouth01.va.comcast.net
     (pcp03457982pcs.csouth01.va.comcast.net [68.57.182.239])
     by barracuda.usu.edu (Barracuda Spam Firewall) with SMTP id
6C8A8D03C458	for
     <@cc.usu.edu>; Tue, 06 Apr 2004 16:48:16 -0700 (PDT)
    Date: Mon, 05 Apr 2004 19:40:08 -0700
    From: Brian Spencer <security@...c.com>
    Subject: fraud report
    To: @cc.usu.edu
    Message-id: <20040422683.22863.qmail@...c.com>
    MIME-version: 1.0
    Content-type: multipart/mixed; boundary=----------2171105EE3ED50
    X-ASG-Debug-ID: 1081286665-27043-183-0
    X-Barracuda-URL: http://129.123.104.27:8000/cgi-bin/mark.cgi
    X-ASG-Orig-Subj: fraud report
    X-Virus-Scanned: by Barracuda Spam Firewall at usu.edu
    X-Barracuda-Spam-Status: No, SCORE=1.5 using global scores of
TAG_LEVEL=5.0
     QUARANTINE_LEVEL=1000.0 KILL_LEVEL=1000.0 tests=DATE_IN_PAST_12_24,
     DEAR_SOMETHING
    X-Barracuda-Spam-Report: Rule breakdown below
     pts  rule name              description
     ---- ---------------------- --------------------------------------------------
     1.2  DEAR_SOMETHING         BODY: Contains 'Dear (something)'
     0.4  DATE_IN_PAST_12_24     Date: is 12 to 24 hours before Received: date
    Original-recipient: rfc822;@cc.usu.edu

    
    Dear Sir!

    We are sorry to report that your bank account has been
    temporarily closed cause of explicit fraud activity. We are about
    to report to the police about this incident and they'll carefully
    investigate this matter. If you'll be found guilty, you can be
    charged up to $57,183.
    You can find all the details about this incident in the attached
    file and if you still have any questions until the police start
    investigation, please contact us as soon as possible. Sir, fraud
    activity is prohibited by the US legislation and you must note down
    that from now on your every step is being carefully traced down.
    So if you don't want any other incidents to take place, wait for
    the end of this investigation or contact us. You can find our email
    and phone number in the attached file (password - MarH3Jl4).

    Faithfully yours, Brian Spencer (Chief Manager)

www.fdic.com.fraud.security.pif.zip



-------------- next part --------------
A non-text attachment was scrubbed...
Name: fdic.pif.zip
Type: application/x-zip-compressed
Size: 3429 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040406/adb45e95/fdic.pif.bin
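The triage Irwan did by hand above (running strings, spotting WSAStartup/connect/send next to file-writing and WinExec imports, and noticing the www....pif.pif double extension) can be scripted. This is an added example, not code from the original post: the byte buffer is constructed to mimic the strings output quoted above, and the capability buckets are an assumed grouping, not anything from the analysed file.

```python
import re

# Constructed sample bytes that reproduce some of the import names quoted
# in the strings output above; this is NOT the content of the real attachment.
SAMPLE_BINARY = (
    b"\x00\x00MZ\x90\x00" + b"\x00" * 8
    + b"WSAStartup\x00connect\x00gethostbyname\x00recv\x00send\x00"
    + b"CreateFileA\x00WriteFile\x00WinExec\x00MoveFileExA\x00DeleteFileA\x00"
    + b"wsock32.dll\x00KERNEL32.DLL\x00\x01\x02ab\x00"
)

# Assumed grouping of imports by the capability they hint at.
CAPABILITY_HINTS = {
    "network": {"WSAStartup", "connect", "gethostbyname", "recv", "send",
                "socket", "wsock32.dll"},
    "file_write": {"CreateFileA", "WriteFile", "MoveFileExA", "DeleteFileA"},
    "execution": {"WinExec", "CreateThread", "CreateProcessA"},
}

# Extensions Windows will run directly when double-clicked.
EXECUTABLE_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd"}
DECOY_EXTENSIONS = EXECUTABLE_EXTENSIONS | {".zip", ".doc", ".pdf", ".txt"}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return runs of printable ASCII of at least min_len, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def capability_report(strs) -> dict:
    """Map each capability bucket to the import names actually present."""
    seen = set(strs)
    return {cap: sorted(seen & names)
            for cap, names in CAPABILITY_HINTS.items() if seen & names}


def attachment_name_flags(name: str) -> list:
    """Flag naming tricks such as the double extension in the sample above."""
    exts = ["." + p for p in name.lower().split(".")[1:]]
    flags = []
    if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
        flags.append("executable extension " + exts[-1])
    if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS:
        flags.append("double extension " + exts[-2] + exts[-1])
    if name.lower().startswith("www."):
        flags.append("filename mimics a URL")
    return flags
```

Run against a real file with `extract_strings(open(path, "rb").read())`; a hit in all three buckets plus a flagged name is the pattern described in the post.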
