Message-ID: <20040407040512.GB30108@phxby.com>
From: irwanhadi at phxby.com (Irwan Hadi)
Subject: Another phishing attack
I just got another phishing attack. The interesting thing about this attack
is that instead of trying to trick me into opening a URL, the 'phisher' tried to trick
me into clicking a zipped file.
The extracted file itself is clean of viruses, as McAfee says:
ms# uvscan --version
Virus Scan for BSD v4.24.0
Copyright (c) 1992-2003 Networks Associates Technology Inc. All rights
reserved.
(408) 988-3832 LICENSED COPY - Jan 27 2003
Scan engine v4.2.40 for BSD.
Virus data file v4348 created Apr 06 2004
Scanning for 88550 viruses, trojans and variants.
ms#
ms# uvscan --summary www.fdic.com.fraud.security.pif.pif
Summary report on /tmp/www.fdic.com.fraud.security.pif.pif
File(s)
Total files: ........... 1
Clean: ................. 1
Not scanned: ........... 0
Possibly Infected: ..... 0
ms#
Moreover, based on the strings result I can guess that once someone opens this
file, the file will "call home", though I can't find the IP address of where
this program is calling.
WSAStartup
connect
gethostbyname
htons
recv
send
socket
GetCommandLineA
GetModuleFileNameA
GetModuleHandleA
CloseHandle
GetVersion
GetWindowsDirectoryA
MoveFileExA
CreateFileA
RtlUnwind
SetFilePointer
WinExec
WriteFile
CreateThread
DeleteFileA
__GetMainArgs
_sleep
atoi
exit
raise
rand
signal
sprintf
strchr
wsock32.dll
KERNEL32.DLL
CRTDLL.DLL
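To make the inference from the strings output repeatable, here is an added example (not part of the original post) that runs a `strings`-style pass over a constructed stand-in for the attachment, groups the imported API names by capability, and checks for a plaintext C2 address. The capability groupings, the hostname/IP heuristics and the sample bytes are this example's own assumptions, not anything recovered from the real file.

```python
import re
from collections import defaultdict
# Import-name clusters that together suggest "call home" and dropper behaviour.
# The API names are those in the strings output above; the grouping is ours.
CAPABILITIES = {
    "network": {"WSAStartup", "socket", "connect", "gethostbyname", "htons", "send", "recv"},
    "file_write": {"CreateFileA", "WriteFile", "SetFilePointer", "MoveFileExA", "DeleteFileA"},
    "execution": {"WinExec", "CreateThread"},
    "self_locate": {"GetModuleFileNameA", "GetWindowsDirectoryA", "GetCommandLineA"},
}
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")  # what `strings -n 4` keeps
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
HOSTNAME = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$", re.I)

def extract_strings(blob: bytes) -> list:
    """Minimal `strings`: runs of four or more printable ASCII bytes."""
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(blob)]

def classify_imports(strings):
    """Group the API names present in the strings by capability."""
    found = defaultdict(set)
    for s in strings:
        for cap, apis in CAPABILITIES.items():
            if s in apis:
                found[cap].add(s)
    return {cap: sorted(names) for cap, names in found.items()}

def find_endpoints(strings):
    """Plaintext dotted quads or hostnames; DLL names are not endpoints."""
    return [s for s in strings
            if (IPV4.match(s) or HOSTNAME.match(s)) and not s.lower().endswith(".dll")]

def triage(blob: bytes) -> dict:
    """Static triage: capabilities, any hard-coded endpoint, and analyst flags."""
    strings = extract_strings(blob)
    caps, endpoints, flags = classify_imports(strings), find_endpoints(strings), []
    if "network" in caps and "execution" in caps:
        flags.append("network+execution: downloader/call-home pattern")
    if "file_write" in caps and "self_locate" in caps:
        flags.append("file_write+self_locate: may drop or move a copy of itself")
    if "network" in caps and not endpoints:
        flags.append("no plaintext endpoint: address likely encoded or built at runtime")
    return {"capabilities": caps, "endpoints": endpoints, "flags": flags}

# Constructed stand-in for the attachment: the import names from the post, NUL-separated.
SAMPLE = b"MZ\x90\x00" + b"\x00".join(s.encode() for s in [
    "WSAStartup", "connect", "gethostbyname", "htons", "recv", "send", "socket",
    "GetModuleFileNameA", "GetWindowsDirectoryA", "MoveFileExA", "CreateFileA", "WriteFile",
    "WinExec", "CreateThread", "DeleteFileA", "sprintf", "atoi", "wsock32.dll", "KERNEL32.DLL"]) + b"\x00"
```

The third flag matches the author's observation: sockets are imported but no address string is visible, which with `sprintf`/`atoi` also present is consistent with the address being assembled at runtime.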
--------------
X-Hydra-AttHeader: www.fdic.com.fraud.security.pif.zip
Return-path: <security@...c.com>
Received: from barracuda.usu.edu
("port 51995"@barra.ss.usu.edu [129.123.104.27])
by cc.usu.edu (PMDF V6.1 #39089) with ESMTP id
<01L8M9XDSOZ4AFUJLZ@...usu.edu>
for @cc.usu.edu (ORCPT @cc.usu.edu); Tue,
06 Apr 2004 17:48:21 -0600 (MDT)
Received: from pcp03457982pcs.csouth01.va.comcast.net
(pcp03457982pcs.csouth01.va.comcast.net [68.57.182.239])
by barracuda.usu.edu (Barracuda Spam Firewall) with SMTP id
6C8A8D03C458 for
<@cc.usu.edu>; Tue, 06 Apr 2004 16:48:16 -0700 (PDT)
Date: Mon, 05 Apr 2004 19:40:08 -0700
From: Brian Spencer <security@...c.com>
Subject: fraud report
To: @cc.usu.edu
Message-id: <20040422683.22863.qmail@...c.com>
MIME-version: 1.0
Content-type: multipart/mixed; boundary=----------2171105EE3ED50
X-ASG-Debug-ID: 1081286665-27043-183-0
X-Barracuda-URL: http://129.123.104.27:8000/cgi-bin/mark.cgi
X-ASG-Orig-Subj: fraud report
X-Virus-Scanned: by Barracuda Spam Firewall at usu.edu
X-Barracuda-Spam-Status: No, SCORE=1.5 using global scores of
TAG_LEVEL=5.0
QUARANTINE_LEVEL=1000.0 KILL_LEVEL=1000.0 tests=DATE_IN_PAST_12_24,
DEAR_SOMETHING
X-Barracuda-Spam-Report: Rule breakdown below
 pts rule name           description
---- ------------------- --------------------------------------------------
 1.2 DEAR_SOMETHING      BODY: Contains 'Dear (something)'
 0.4 DATE_IN_PAST_12_24  Date: is 12 to 24 hours before Received: date
Original-recipient: rfc822;@cc.usu.edu
Dear Sir!
We are sorry to report that your bank account has been
temporarily closed cause of explicit fraud activity. We are about
to report to the police about this incident and they.ll carefully
investigate this matter. If you.ll be found guilty, your can be
charged up to $57,183.
You can find all the details about this incident in the attached
file and if you still have any questions until the police start
investigation, please contact us as soon as possible. Sir, fraud
activity is prohibited by the US legislation and you must note down
that from now on your every step is being carefully traced down.
So if you don.t want any other incidents to take place, wait for
the end of this investigation or contact us. You can find our email
and phone number in the attached file(password - MarH3Jl4).
Faithfully yours, Brian Spencer (Chief Manager)
www.fdic.com.fraud.security.pif.zip
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fdic.pif.zip
Type: application/x-zip-compressed
Size: 3429 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040406/adb45e95/fdic.pif.bin