So I got an email today...

NOTE: The addresses have all been changed.

The email was a delivery failure notice from a Yahoo address I didn't recognize. It was a Paypal phishing scam. You get them all the time.. "We're updating our records, please log in and verify your account"...

===========
Return-Path: <myemail@hotmail.com>
Received: (qmail 89555 invoked from network); 13 Feb 2006 23:22:35 -0000
Received: from unknown (HELO User) (11@buyerbwhere.us@68.17.xxx.xx with login)
by smtp106.biz.mail.re2.yahoo.com with SMTP; 13 Feb 2006 23:22:29 -0000
Reply-To: myemail@hotmail.com
From: support@paypal.com<myemail@hotmail.com>
Subject: You have added new email address to your account
Date: Mon, 13 Feb 2006 17:22:29 -0600
===========

I did an nslookup on the from IP and got adsl-068-017-xxx-xxx.sip.mob.bellsouth.net. Great. I know the message came from a Bellsouth DSL subscriber. I contacted their abuse team and filed a report saying that one of their users most likely has a backdoor virus and is being used as a zombie mail relay for a fraud spammer.

Continue further down the email...

===========
glasshk32@comcast.net> and if you need assistance with your account, please click here to login to your account.
===========

So the person had a bad address in the link but left the email address in the message. Quick check on that led to this. That's the exact email I got, only I have HTML off, so I just saw the code. The screenshot at the bottom is of the page that you see when you click the login link above.

The address the link is to is http://xxxx.us/redirect.html. A whois lookup of the domain gives us John Doe. I gave Mr. Doe a call at the phone number listed and asked him why his website was pointing to a Paypal phishing scam. He wanted to know why he kept getting these calls. He claimed to have never heard of the website - even though it's pretty much his last name. He confirmed that the contact info was his, but denied all knowledge of the site. I advised him to run a virus scan on his computer.

Since Yahoo is the domain contact, I sent an email to their abuse team as well advising them of the situation. Maybe the guy is innocent, but since he's listed as the contact and the site is so close to his name, I doubt it.

.. which brings us to the actual redirected page : http://999999999:89/ssl/index.php. 999999999 is an IP address in DWORD format. If you convert it back into dotted-decimal form, it's 24.11.xxx.xxx. Do an nslookup of that and get c-24-11-xxx-xxx.hsd1.mi.comcast.net. File a report about it with Comcast's abuse team.
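The two lookups above (pulling the originating IP out of the Received header, and turning a DWORD-style URL host back into a dotted quad) are the kind of thing worth scripting when you triage phishing mail. The following is an added example, not code from the post; the headers it parses are a constructed sample modelled on the ones quoted above, with documentation addresses (192.0.2.5, example.net) in place of the real ones. It also flags the From: trick used in this message, where the display name is itself an address at a different domain from the real sender.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on the headers quoted in the post.
# All addresses and IPs are documentation placeholders, not the real ones.
SAMPLE_HEADERS = """\
Return-Path: <victim@example.net>
Received: (qmail 89555 invoked from network); 13 Feb 2006 23:22:35 -0000
Received: from unknown (HELO User) (11@buyer.example@192.0.2.5 with login)
  by smtp.example.org with SMTP; 13 Feb 2006 23:22:29 -0000
Reply-To: victim@example.net
From: support@paypal.com<victim@example.net>
Subject: You have added new email address to your account
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def unfold_headers(raw):
    """Join folded continuation lines (lines starting with whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_lines(raw):
    return [l for l in unfold_headers(raw) if l.lower().startswith("received:")]


def origin_ip(raw):
    """IPv4 in the bottom-most Received header that carries one.

    Received headers are prepended by each hop, so the lowest one was added
    first and is the closest the headers get to the real sending machine.
    """
    for line in reversed(received_lines(raw)):
        m = IPV4.search(line)
        if m:
            return m.group(1)
    return None


def from_header_mismatch(raw):
    """Return (display, real) if the From: display name looks like an address
    at a different domain from the actual address in angle brackets."""
    for line in unfold_headers(raw):
        if not line.lower().startswith("from:"):
            continue
        m = re.match(r"from:\s*(.*?)<([^>]+)>\s*$", line, re.IGNORECASE)
        if not m:
            return None
        display, real = m.group(1).strip().strip('"'), m.group(2).strip()
        shown = re.search(r"[\w.+-]+@([\w.-]+)", display)
        if shown and shown.group(1).lower() != real.rsplit("@", 1)[-1].lower():
            return display, real
        return None
    return None


def dword_to_ipv4(n):
    """Convert a 32-bit integer host ('DWORD' form) to dotted-decimal."""
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit value")
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def ipv4_to_dword(ip):
    parts = [int(p) for p in ip.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("bad dotted quad")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def normalise_url_host(url):
    """Return (host, port) for a URL, converting an all-digit host from DWORD form."""
    u = urlsplit(url)
    host = u.hostname
    if host is not None and host.isdigit():
        host = dword_to_ipv4(int(host))
    return host, u.port


if __name__ == "__main__":
    print("origin IP:", origin_ip(SAMPLE_HEADERS))
    print("From mismatch:", from_header_mismatch(SAMPLE_HEADERS))
    # 403374338 is a constructed DWORD (24.11.1.2); the post's real value is masked.
    print("redirect host:", normalise_url_host("http://403374338:89/ssl/index.php"))
```

The host returned by `normalise_url_host` is what you would feed to nslookup / whois before filing the abuse report; the Received-header IP and the From: mismatch are the two indicators that separate the relay from the claimed sender.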

I looked at the page.. almost all of the links call a javascript function that loads a fake login page. That Javascript removes your address bar and then creates a new one with a paypal address in it.. so that it looks like you're at Paypal. That page asks for your Paypal user/pass and when you put that in, it asks you to confirm your credit card number, complete with a box for "PIN verification". I had logged in with a fake name, and I put in fake credit card info here. I know a bunch of test credit card numbers that validate a mod10 check from using them at work to test the apps I write. Once you submit that page, it cleverly redirects you to paypal's site and logs you in.. so you'd never know it happened.

At this point, I had found the machine actually hosting the scam. Comcast is mostly a home service, so I did some more poking around. I noticed that it was running PHP, so I typed in a fake page name to see if it would give me an error. It gave me the default apache error message and listed admin@zzzzzzzzz.net as the contact. Whois on that showed nothing, so I figured it was made up.

I then tried port 80 - the default HTTP port - since the URL was calling 89. I got a prompt to log in, so I tried the Guest account, but it was denied. I canceled that and noticed that I got back an IIS error message.. meaning that was a Windows box. Either port 89 is forwarded to another box on the network, or someone is running IIS and Apache and PHP on the same box.

I tried doing a Remote Desktop.. and got a Windows 2003 Server login screen. I've never been a great hacker, so after trying to crack that with a couple of brute force dictionary attack tools I found (that work on Terminal Services connections), I gave up. That's the only part that kills me (though in retrospect, it's a damn good thing since then I would have had access to the stolen info and would have fucked myself). It would have been awesome to take control of the web server, just to say I did.. I didn't get that thrill, but it did give me another piece of the puzzle.. the computer's name was BREAKxxxx.

The Apache error message I got also had the version, so I looked up some Apache/PHP exploits. I noticed a lot of them had to do with OpenSSL. I tried the IP address as https at port 443 - the default SSL port. I got a certificate acceptance button meaning SSL was installed, but the certificate was made on that machine and not signed by any Certificate Authority. I viewed the details of the certificate and lookie there.. the company was listed as breakxxxxonline.net. I tried http://breakxxxxonline.net:89/ssl/index.php and there was the phishing page.

Jackpot.

The name on the cert was close enough to the machine name, and the URL worked. That ties someone there to it, since it's on their network and most likely involves 2 computers since someone had to either route that traffic or install Apache and PHP on a Windows box.

Since there was nothing at http://breakxxxxonline.net, I went to http://web.archive.org and Google's cache to see what used to be on the page.. Looked like it used to be the website of a legit company.

I did a whois on that and got the contact info, then called Network Solutions (since they were the registrar) and filed an in-depth report, explaining it all. They said they would be getting in touch with me once they resolved it. I really want to find out what happens. I wonder how much follow up any of those companies - Yahoo, Comcast or Network Solutions - will actually do on this. I'm not claiming to be some super sleuth or have extraordinary skills, but it'd be pretty cool to think I broke up a spam phishing ring, even if it only means one less message for my filter to process.
If you liked this post, please be sure to subscribe to my RSS Feed.


The button I created for the new Google Toolbar to post links to del.icio.us was accepted and is now in the Tools section of the Button Gallery!




Categories: Tools and Utilities 
 

Earlier, I was having problems finding an easy way of loading the data from the Nutritional Database into my hosted SQL Server. The import feature on the server was timing out with large datasets.

Rather than mucking around writing complicated regular expression switches to convert the delimited text file statements, I figured it would probably be easier to look for a tool that would export the Access version as SQL INSERT statements.

I found a couple of tools, but nothing did quite what I was looking for.  I wanted a utility that would load an access database, let me select a table, and then export the data as SQL Inserts and save them to a text file.  So, like any geek, I wrote one myself.

If you are interested, it can be installed from here:

SQL Scripter (requires .Net Framework 2.0)

It is very basic, doesn't have any features other than those listed above and it comes with no warranties... but it has suited my purpose just fine. The data has been exported from the local database and imported to the hosted one.
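For anyone who wants the same thing without installing a tool, the core of such an exporter is just a literal-quoting routine plus a loop over rows. The block below is an added example in Python, not the SQL Scripter code; the table and rows are a constructed sample. The part that matters is `sql_literal`: doubling single quotes in string values is what keeps a description like "O'Brien's" from breaking the script (or, if the data came from somewhere untrusted, from injecting into it).

```python
import datetime
import decimal


def sql_literal(value):
    """Render one Python value as a T-SQL literal; strings get their quotes doubled."""
    if value is None:
        return "NULL"
    if isinstance(value, bool):          # must precede the int check: bool is an int subclass
        return "1" if value else "0"
    if isinstance(value, (int, float, decimal.Decimal)):
        return str(value)
    if isinstance(value, (datetime.date, datetime.datetime)):
        return "'" + str(value) + "'"
    if isinstance(value, bytes):
        return "0x" + value.hex()
    # Everything else is treated as text: double any embedded single quote.
    return "N'" + str(value).replace("'", "''") + "'"


def quote_ident(name):
    """Bracket-quote a table or column name so odd names cannot alter the statement."""
    return "[" + name.replace("]", "]]") + "]"


def insert_statements(table, columns, rows):
    """One INSERT per row, as a list of strings ready to write to a .sql file."""
    cols = ", ".join(quote_ident(c) for c in columns)
    head = f"INSERT INTO {quote_ident(table)} ({cols}) VALUES ("
    return [head + ", ".join(sql_literal(v) for v in row) + ");" for row in rows]


# Constructed sample rows standing in for a table pulled from the Access file.
SAMPLE_COLUMNS = ["Id", "Description", "Protein", "Updated"]
SAMPLE_ROWS = [
    (1001, "Butter, salted", 0.85, datetime.date(2006, 2, 13)),
    (1002, "O'Brien's oatmeal", decimal.Decimal("12.5"), None),
]

if __name__ == "__main__":
    for stmt in insert_statements("Foods", SAMPLE_COLUMNS, SAMPLE_ROWS):
        print(stmt)
```

Writing the list out with a `GO` every few thousand statements keeps each batch small enough that a hosted server's import will not time out the way the bulk import did.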





About the author

Wayne Hunt. I am a web application developer and second degree black belt living in Providence, RI.

Disclaimer

The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.

© Copyright 2008
