Recently in Phish Category

Here we have yet another Steam phish, this one involving some forum-based scammery. Our phishing friend sets up an account on the official Steam forums, then sends random people a "scary" message like this:

stvvc09.jpg

Assuming the victim is suitably terrified by dire warnings of their account being hacked, they'll promptly jump over to

valve-ipfix.tk

which is nothing more than a redirect hiding the "real" phishing URL at

steampowerness1.awardspace.us

...where the victim hands their Steam login credentials straight to the phisher.

Here it is in all its phishy glory:

stvvc10.jpg

Avoid.
Pharming has been around for a few years now, and most (if not all) of the pharming attacks I've read about involve techniques far beyond your average script kiddie. From Wikipedia:

Pharming (pronounced farming) is a hacker's attack aiming to redirect a website's traffic to another, bogus website. Pharming can be conducted either by changing the hosts file on a victim's computer or by exploitation of a vulnerability in DNS server software. DNS servers are computers responsible for resolving Internet names into their real addresses -- they are the "signposts" of the Internet. Compromised DNS servers are sometimes referred to as "poisoned".

Curiously, one individual seems to be whipping up a frenzy on numerous hacking / cracking boards recently, claiming to have invented a "new, revolutionary form of phishing". It's actually "just" pharming by another name - "Phisher Arms" (a Phisher Arm being the executable used to alter a computer's hosts file) - but while being entirely ignorant of pharming, he's also promoting a broadening and deepening of the number of script kiddies happy to adopt such tactics. While there's a certain comedy value to him reinventing the wheel, mass adoption by wannabe pharmers is not a good thing, and there's never been a better time not to click on unknown attachments or run strange files...

In the beginning

On the 30th of April 2009, a new video appeared on exploit database Milw0rm, rather breathlessly called "Desktop Phishing: The New Art of Phishing". Along with the video came lots of graphics:

dtph1.jpg

dtph3.png

...and a soon to be released E-Book(!), along with an audacious bid for fame in the form of a Wikipedia page which was (unsurprisingly enough) hit with the Banhammer.

In a nutshell, it works like this:

1) Have a random executable file to hand. It can be anything, though obviously you want it to appeal to the victim you intend to send it to.

2) Bind it with a modified hosts file in such a way that the modified file overwrites the victim's original hosts file when the executable runs. On Windows that file lives at %SystemRoot%\System32\drivers\etc\hosts, which ordinary user accounts can't write to, so the whole trick relies on the victim running the file with administrative rights.

3) Insert sites such as Paypal, banking sites, Ebay, whatever....into your modified hosts file, and have each of them point to an external IP address for your own computer. I bet you can see where this is going...

4) On your own computer, you host the phishing page using web server software such as WampServer.

5) When the victim tries to reach PayPal or a similar site from their computer, the name resolves to the attacker's IP before any DNS query is ever sent, so they land on the phish page running on the attacker's PC while the address bar still reads "Paypal.com". There's no misspelled domain to spot here; the one tell is the missing HTTPS padlock, since the phisher can't present a certificate for paypal.com that the browser trusts and so either serves the page over plain HTTP or triggers a certificate warning. When the victim enters their details, they're placing them directly onto the attacker's computer - note the URL at the top:

phisherarms.jpg

Whoops.
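The defensive side of this is simple enough to script. As an added example (not code from the original post, and nothing to do with the "Phisher Arm" tool itself), here is a Python check that parses a hosts file and flags any entry pointing a well-known login domain anywhere other than loopback or 0.0.0.0. The watched-domain list, the sample hosts file and the 203.0.113.10 "attacker" address are all constructed for illustration; point check_local_hosts() at the real file to use it on a machine.

```python
"""Spot pharming-style hosts file tampering.

Added example, not code from the original post or from the tool it describes.
The watched-domain list and SAMPLE_HOSTS below are constructed for illustration.
"""
import ipaddress
import os
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

# Login domains a hosts-file phish would typically hijack; extend as needed.
WATCHED_DOMAINS = {
    "paypal.com", "www.paypal.com",
    "ebay.com", "www.ebay.com",
    "steampowered.com", "store.steampowered.com", "steamcommunity.com",
}


def _is_benign_target(addr: str) -> bool:
    """Loopback (127.x / ::1) and the unspecified address (0.0.0.0, commonly
    used for ad blocking) are the only targets a hosts file legitimately maps
    a name to."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False          # not even an IP address: treat as suspicious
    return ip.is_loopback or ip.is_unspecified


def parse_hosts(text: str) -> Iterator[Tuple[str, str, int]]:
    """Yield (ip, hostname, lineno) for every name mapped in a hosts file."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower().rstrip("."), lineno


def find_pharming_entries(text: str,
                          watched: Iterable[str] = WATCHED_DOMAINS) -> List[Dict]:
    """Return entries that send a watched domain (or a subdomain of one)
    anywhere other than loopback/unspecified, i.e. to somebody else's box."""
    watched_set = {w.lower() for w in watched}
    hits = []
    for ip, name, lineno in parse_hosts(text):
        matched = name in watched_set or any(name.endswith("." + w) for w in watched_set)
        if matched and not _is_benign_target(ip):
            hits.append({"line": lineno, "host": name, "ip": ip})
    return hits


def check_local_hosts(path: Optional[str] = None) -> List[Dict]:
    """Run the check against the machine's real hosts file."""
    if path is None:
        path = (r"C:\Windows\System32\drivers\etc\hosts" if os.name == "nt"
                else "/etc/hosts")
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_pharming_entries(fh.read())


# Constructed sample: a Windows hosts file after a "Phisher Arm" has replaced it.
# 203.0.113.10 is a documentation-range address standing in for the attacker's IP.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example.net          # harmless ad-blocking entry
203.0.113.10    www.paypal.com paypal.com
203.0.113.10    www.ebay.com
::1             localhost
"""

if __name__ == "__main__":
    for hit in find_pharming_entries(SAMPLE_HOSTS):
        print(f"line {hit['line']}: {hit['host']} -> {hit['ip']}  SUSPICIOUS")
```

Run against SAMPLE_HOSTS this reports the two PayPal names and the eBay name on lines 4 and 5 and ignores the ad-blocking entry, which is the distinction that matters: a hosts file full of 0.0.0.0 entries is normal, a hosts file that maps a bank to a routable address is not.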

To be fair to our wheel-inventing pharmer, it's an interesting technique and will no doubt be adopted en masse by the rank and file of "this is way too hard for me" wannabes out there. His video has already been viewed over 12,000 times - by comparison, most other entries on the Milw0rm front page are in the low thousands:

dtph2.gif

Google "Phisher Arms" or "Desktop Phishing" and you'll already find a lot of hacking forums promoting this as the best thing ever - and they're just the ones publicly viewable.

Whatever you want to call them, there's probably quite a few of these "Phisher Arms" in circulation at the moment given that his video hit a good few weeks ago. As always, be careful what files you download...

The below site:

itunes-multiplier.webs.com

should be avoided, as it's nothing more than a cheap con trick. The gag works like this - you go out and buy an iTunes card (which carries a code that is redeemed inside iTunes to credit your account).

Then you see the above website promising it can double your points and start to feel a little greedy. Here is the "multiplier":

winmill1.png

Yes, you too can enter your own code and send it to a stranger, safe in the knowledge that in a few minutes they'll have registered your code to their account. Still, buying music for scammers is very philanthropic. I guess.

I particularly enjoy the lame technobabble that scam sites such as this employ; this one is better than most, for comedy if nothing else.

"Here at our site, we work with some of the best names in computer debuggers and specialists to make things like this possible.  Over many months of research, our programmers have determined a way to multiply iTunes card's value.  What happens is:

Once you enter your iTunes cards information into our Multiplier, it is sent to our servers where our team runs it with a private program called WINMILL.  This program sends the information as a link directly to Apple Inc., who credits the card with extra uses."


...WINMILL?

I guess we know what the scammer sees when he opens his curtains each morning...

Formula One Phishing

The racing season might well be underway, but it's a good idea to be careful where your logins are concerned.

The following domain:

tema-ferrari.tk

temafer1.jpg

is trying to entice users of popular social networking site Orkut to log in to their accounts - or, to be more accurate, is trying to entice fans of Ferrari cars to log in to their Orkut accounts. You can't really miss the huge Ferrari logo in the middle - the earliest Google cache of the site is a few days before the first race in Melbourne, around the 24th of March. Odd coincidence, that.

In case you're wondering, the text (in Portuguese) roughly translates as follows:

"Connect with friends and family using scraps and instant messaging
Meet new people through friends of friends and communities
Share your videos, pictures, and passions all in one place"

I'm going to go out on a limb here and guess the phisher won't even get a speeding ticket...


There are emails in circulation directing end-users to the following web site:

moxieusa.com/includes/PEAR/Thanks.htm

It's a PayPal phish with an added "bonus" - when you visit the page from the mail, you're presented with the following message:

"You Have Successfully Confirmed your account information.

The New Anti Fraud System has been successfully added to your PayPal account."


Entirely false, of course - nothing has been added. There's also a short ramble about additional security features:

ppafsz1.jpg

Click the continue button, and you're taken to the inevitable phish page.

Avoid...

Steamy Phishing

We're seeing a wave of Steam-related phish scams at the moment. Most (if not all) look something like this:

stegiveaway1.jpg

Ah, the promise of free games. When have you ever let a phisher down?

The domains being used in this scam are:

steampoweredgifts.my3gb.com
steamscommunity.co.cc
gift-steampowered.co.cc
steam-acitvation.co.cc
steamrecommunity.co.cc
mysteamcommunity.co.cc
wtmail.free.fr/steam
games4steam.tk

If / when we come across others, we'll add them to the above list. Quite a few have gone offline already, only to come back to life, so it might be a while before all of the above are completely DOA...
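Every domain in the list above (and the valve-ipfix.tk / steampowerness1.awardspace.us pair from the forum phish earlier on this page) shares the same tell: the brand name appears in a hostname the brand doesn't own, usually parked on a free host. As an added example, and not code from the original post, here is a Python triage script that makes that rule explicit and adds two supporting signals, a small edit distance from the real labels (steamscommunity, steamrecommunity) and a free-hosting suffix. The legitimate-domain set, the brand tokens and the suffix list are assumptions chosen to cover the domains quoted on this page; swap in your own for a different brand.

```python
"""Triage hostnames that trade on a brand name they don't own.

Added example, not code from the original post. The legitimate-domain set, the
brand tokens and the free-hosting suffix list are assumptions picked to cover
the Steam domains quoted on this page; swap in your own for another brand.
"""
from typing import Dict, List
from urllib.parse import urlsplit

LEGIT_DOMAINS = {"steampowered.com", "steamcommunity.com", "valvesoftware.com"}
BRAND_TOKENS = ("steam", "valve")
LEGIT_LABELS = ("steampowered", "steamcommunity")
# Free subdomain / free TLD providers that recur throughout the post's lists.
DISPOSABLE_SUFFIXES = (".co.cc", ".tk", ".my3gb.com", ".awardspace.us",
                       ".webs.com", ".free.fr")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one- or two-letter typosquats like steamscommunity."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> Dict:
    """Return a verdict ("legitimate", "phishing", "unknown") plus the reasons."""
    s = url.strip()
    if "://" not in s:
        s = "http://" + s                       # bare hostnames, as listed in the post
    parts = urlsplit(s)
    host = (parts.hostname or "").lower().rstrip(".")
    path = parts.path.lower()

    # The brand's own domain, or a subdomain of it, is the only legitimate case.
    if host in LEGIT_DOMAINS or any(host.endswith("." + d) for d in LEGIT_DOMAINS):
        return {"host": host, "verdict": "legitimate", "reasons": []}

    reasons: List[str] = []
    in_host = [t for t in BRAND_TOKENS if t in host]
    in_path = [t for t in BRAND_TOKENS if t in path]
    if in_host:
        reasons.append("brand token in a hostname the brand doesn't own: "
                       + ", ".join(in_host))
    elif in_path:
        reasons.append("brand token only in the path of a free host: "
                       + ", ".join(in_path))
    # Typosquat check: any label within two edits of a real label.
    for label in host.split("."):
        for legit in LEGIT_LABELS:
            d = levenshtein(label, legit)
            if 0 < d <= 2:
                reasons.append(f"label '{label}' is {d} edit(s) from '{legit}'")
    suffix = next((sfx for sfx in DISPOSABLE_SUFFIXES if host.endswith(sfx)), None)
    if suffix:
        reasons.append("hosted on a free/disposable provider: " + suffix)

    verdict = "phishing" if (in_host or in_path) else "unknown"
    return {"host": host, "verdict": verdict, "reasons": reasons}


# Domains taken from this page, plus two legitimate ones for contrast.
SAMPLE_URLS = [
    "store.steampowered.com", "steamcommunity.com",
    "valve-ipfix.tk", "steampowerness1.awardspace.us",
    "steampoweredgifts.my3gb.com", "steamscommunity.co.cc",
    "gift-steampowered.co.cc", "steam-acitvation.co.cc",
    "steamrecommunity.co.cc", "mysteamcommunity.co.cc",
    "wtmail.free.fr/steam", "games4steam.tk",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = classify(u)
        print(f"{r['verdict']:<10} {u}")
        for reason in r["reasons"]:
            print("            -", reason)
```

Two caveats for anyone using this for real: a brand token on its own will also catch unrelated words (think "steamboat"), so this is for triage rather than blocking, and a redirector like valve-ipfix.tk means you should classify the final landing host as well as the link you were sent.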

There's an old technique in certain forms of martial arts - when confronted by an attacker, just before they start to throw the first punch, you distract them with something utterly stupid.

Could be a silly noise, or you might waggle your arm to the side while pulling a face - doesn't matter. The stupider the better, it's just there to make them wonder what on earth is happening shortly before you put them through a window and run away as fast as you can.

Well, same deal here. Today we came across a program designed to do nothing at all. No hijack, no contacting a server, no files dropped, no registry entries, no staying in memory....nothing.

What is it used for?

Distraction. And lots of it.

There is a video currently in circulation on sites such as YouTube, promoting something called LiveGrabber.

livegrabber.jpg

The program looks amazing, gives you all kinds of free things, hands you free accounts for the paid Xbox Live service and so on. All done by pushing a few buttons. Here are some pics lifted directly from one of the videos:

livegrabber2.jpg

livegrabber3.jpg

livegrabber4.jpg

Told you it was nice looking.

However, the gimmick here rolls into town exactly six seconds into the video:

livegrabber5.jpg

"New update available: it will no longer have an interface. It will run silent in the background -  when opened you must visit the website to redeem".

Yes, the NEW version is completely invisible and runs "silently" (extremely silently!), only giving you lots of free things if you visit the website promoted in the video and enter your own Live login details.

Doh.

While we've seen fake programs before, usually they either refuse to work, drop infection files or give out fake error messages.

This is the first time we've seen someone create an extremely slick-looking interface for a YouTube video, then reduce it to nothing and pretend it's "doing something in the background". It seems the original version available to download did the usual "fake error message" routine, but the author grew tired of trying to explain away fake error messages.

What could be better than telling people it now runs silently in the background?

At any rate, based on the comments left on the creator's YouTube page, it seems it's enough of a distraction to get people to hand over their login details to

lancergrabber.tk

livegrabber6.jpg


Did I say "user comments"? I sure did. I'll leave you with the thoughts of some people soon to be parted from their Live ID login credentials...

livegrabber7.jpg


livegrabber8.jpg

livegrabber9.jpg


Yes. Of course it does...!
casg1.jpg

Not much more to add here, other than "avoid".

Today I was browsing around a couple of Arabic-language hacking forums, and came across a random link that took me somewhere interesting. Here's a screenshot of said forum, because everyone loves to look at mysterious hacking forums. Right?

phrepos1.gif

Anyway, the site in question (registered to someone in Rabat, Morocco, though this could well be fake data) appears to house the beginnings of a "banking phish" archive. Check it out:

phrepos2.gif

The site is a dumping ground for everything from Wachovia and NatWest to Chase and Barclays phish pages. In general, phish page sharing is done in a disorganised and quite random fashion on forums. To start stacking them up like this (it reminds me a little of defacement archives) is an interesting and vaguely worrying approach.

At the top, the banner also promises unfinished sections such as "Letters" (presumably forgeries intended for real world scams), Mailing programs (those spam links won't send themselves to people!) and "CVV" (Card Verification Value).

The final insult is that this domain has actually been around since 2001, and in its original form actually fought scams - now it is one.

We'll be reporting the site and monitoring it closely in the meantime...


RapidShare premium accounts are big business on phishing / trading sites. It seems they're trying to do something about the problem - anyone going to the premium account login screen now sees this:

rsantiph1.jpg

...a rather fetching "Phishing Warning" box, prominently displayed. Click it, and this appears:

rsantiph2.jpg


Something like this is always a welcome addition. It's actually been rather humorous watching people on phishing / trading sites agonising over whether or not to include the above on their phish pages in the name of authenticity...

About this Archive

This page is an archive of recent entries in the Phish category.
