lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
From: dsardina at si.rr.com (DSardina)
Subject: Fw: Citibank reminder: please update your data

Frederic, I couldn't of said it better myself.

Attached is the screenshot of the email and the emails html source code.





 

 
There is also another one going around acting as Microsoft Update, telling
the user to click on a link to update to SP2.
 
 
<http://www.dslreports.com/r0/download/687798~6d674802d815a8f9963e8c90f72615
28/untitled.PNG> 


DS-

 
 




-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Frederic
Charpentier
Sent: Friday, October 08, 2004 9:48 AM
Cc: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] Fw: Citibank reminder: please update your
data


About Citibank Scam :
it's an phising attack based on GDI+ JPEG overflow.

The exploit JPEG is named Ducky.jpg, and is detected by some antivirus
systems as Trojan.Ducky.

The message from CityBank is not textual, but an imagemap of an image
that is made to look like text.
The image is called sushi.gif, and it is believed to be used in attempt
to evade anti-spam systems that
are based purely on textual analysis. When the recipient clicks on the
link within the imagemap, they are
redirected to 67.43.211.1871:87/cit/index.htm.

Upon clicking on the imagemap, the user is taken to a site to enter
confidential information. The interesting part of this image entry
dialog box is that it also opens a legitimate copy of the Citibank Web site
under the phishing dialog to further enhance its perceived
legitimacy. The Window in the foreground is malicious and posts to
verify.php on 67.182.134.119, while the window in the background is the
legitimate homepage of Citibank.

The result of a successful compromise is the downloading and execution
of ll.exe from maybeyes.biz. ll.exe is then saved to c:\y.exe and executed.
Upon execution, y.exe calls URLDownloadToFile() on
http://www.maybeyes.biz/upd.exe.
This file is then saved as %SYSTEMROOT%\divxencoder.exe. When executed,
divxencoder.exe will parse the system for the explorer.exe process for
the purpose of injecting a DLL into its memory space.

When run, the DLL contacts 65.75.185.210 on ports 9348 and 9323 to
download the XML configuration file that will be used as the basis for
the phishing spam.

Frederic Charpentier

Pablo wrote:

> This hit me today.
> The URL is:
> http://%32%31%31%2E%39%37%2E%32%34%38%2E%36%30:%38%37/%63%69%74/%69%6E
> %64%65%78%2E%68%74%6D
>
> ( http://211.97.248.60:87/cit/confirm.htm )
>
>
>
> ----- Original Message -----
> From: "CITI" <supprefnum2@...ibank.com>
> To: <paa-listas@...entina.com>
> Sent: Thursday, October 07, 2004 9:08 PM
> Subject: Citibank reminder: please update your data
>
>
>
>>
>>in 1965 Surfing Love Stories in 1905 a When you in 1920 Vacation
>
> Entertainment Everything please Andrea Thompson ANALYSIS NYTimes It's
> impossible no doubt Nintendo Have a good time So, if we.. Coyote Ugly
> that's a call for you Father's Day in 1955 Terra in 1850 X Men What
> area, please?
>
>>
>> ---------------------------------------------------------------------
>> ---
>>

--
_______________________________________
Frederic Charpentier - Xmco Partners
Security Consulting / Pentest
web  : http://www.xmcopartners.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20041008/bd7137f8/attachment.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/gif
Size: 39926 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20041008/bd7137f8/attachment.gif
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/gif
Size: 12749 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20041008/bd7137f8/attachment-0001.gif
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 25167 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20041008/bd7137f8/attachment.png

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ