Recently in Phish Category

Proving conclusively that there is no honour among thieves (as if you needed proof), here's a website that goes hunting for so-called "big fish" - namely, phishers with a plentiful collection of logins stored on their phishing pages.

The website itself is free of content, save for one small search bar at the top of the screen.

[image: autowhle1.jpg]

As you've probably guessed, the wannabe Whaler (traditionally a hunter of high level executives and CEOs, now turning their target on, um, random phishers) enters the URL of a confirmed phishing site into the box and hits "Submit".

At this point, the site checks a large list of common (and not so common) filenames that are likely to contain lots of logins gathered up by the original phisher.

If the Whaler is successful, they'll see something like this:

[image: autowhle3.jpg]

From there, it's simply a case of the Whaler collecting the logins, changing all the passwords and bumping up their tally of stolen details with a minimum of effort. If you're one of the phishing victims whose login details are now changing hands from phisher to whaler, you have my apologies - it can't be nice to see your already stolen account become that little bit dirtier.

While the above site will no doubt be crashing and burning sometime in the near future (especially as the free hosting it sits on can't seem to cope with the strain of becoming the most popular site on the web for script kiddies and account stealers in general), you can bet there will be endless copycats to take its place.

Can't wait to see what "Version 2" brings...

Phishing For Dummies

[image: phishingforskiddies.jpg]

...the best part is, there's a three page thread on one forum promoting this EXE stuffed to bursting point with people saying "thank you" for the download.

Har-de-har.

Worth noting that people are still reporting Direct Messages of a "do not click" variety coming through on Twitter, all of which lead to Very Bad Things (TM) depending on what nefarious campaign happens to be doing the rounds at any given time.

Should anybody send you a DM that mentions humorous things taking place in videos - like this one, for example:

[image: dmroguetwitterlinkz1.jpg]

...you should avoid it like the plague. Otherwise, you're in for some phishing fun which is surely a contradiction in terms.

[image: mw2dontgetbanned.jpg]

All XBox owners have a list of most recently played games set against their profile. As you might have guessed, every game has a unique ID assigned to it so Halo 3 doesn't accidentally show up as The Amazing Adventures of My Little Pony.

Well, like most other things related to the console it can be hexed, modded and generally given a bit of a fiddling. I've seen a few furtive mentions of this in the backroom areas of certain leet forums, so this might not even be doing the rounds yet. But hey, a little advance warning never hurt anyone.

Let's take a look at the scam; it's a pretty clever one.

1) Phisher tampers with their data and makes it look like Modern Warfare 2 - which isn't out until November - shows up in their recent games list. Note the big number "2" in the below image, complete with handy red box just so you know exactly which icon I'm on about.

[image: fakemodernz010.jpg]

2) Phisher then trawls around various forums and websites touting access to the "Modern Warfare 2 Beta" - and of COURSE it exists and they have played it, because it wouldn't be in their recent games list if they hadn't. Right?

3) Phisher then asks you for your login details in order to "gain access". All that's actually going to happen is you lose your account to a scumbag.

I've already seen quite a few accounts (including the one above) hit with various degrees of banhammer for altering their recent games list, so hopefully that'll kill a few phishes off before they're even launched. In the meantime, know this: there is currently NO beta planned for this game, and in all probability there won't be one.

Don't be suckered in!



This is a step above the usual phish attempt we see here, with a number of bits and pieces that build up a pretty convincing fake website. As you probably guessed from the title, the phish involves the upcoming juggernaut that is Call of Duty: Modern Warfare 2, and the endless desire some people have to take part in a beta.

The URL to avoid is

freemw2beta36.tk

and the page itself is hosted at

freemwbeta36.t35.com

Want to take a look? Sure you do.


Modern Warfare 2 Beta Phish, originally uploaded by Paperghost.

What does this phish do that sets it a way above other phish attempts? Well, for starters it looks quite professional. Top left, they use the kind of info splash you normally see on an official XBox page. On the right, there's a media section with screenshots you can actually click into. Might not sound like much, but most phishes like this one don't have anything clickable in them whatsoever. Bottom left, they've embedded a real Youtube video that you can watch to your heart's content. Right at the bottom of the page, they've included a copyright notice - something else phishers tend to lose in translation.

All in all, pretty convincing.

The only real flaw with this phish is that there is currently NO public beta planned, and it's highly unlikely there will ever be one. Don't get suckered into handing over your Windows Live ID, as no good will come of it.

More often than not, most DIY programs I see tend to be on the murkier side of "designed well". In fact, it's more like somebody threw up on their coding tools. However, sometimes a leet hax program comes along and despite the horrible things it does, you can't help but be impressed by the design and general stylistic trappings.

The creators will still burn in Hell, of course.

But ooooh - shiny. Blinky.

Anyway, here it is - the Phish Pharm:

[image: phpharmz1.jpg]

In case you're wondering, the fake Phish pages are in the Source Files Folder, and the two programs used are underneath. Let's take a trip to the pharm - sorry - first.

[image: phpharmz2.jpg]

As you can see, it's a well designed package with a lot of options. A whole bunch of "target sites" are pre-made and ready to roll, from Twitter and Myspace to GMail and Steam - no messing around trying to create fake login pages here.

There's SQL support too:

[image: phpharmz3.jpg]

.....slick. The final option allows you to be notified via EMail every time someone falls for one of your Phish pages. However, you can skip that altogether in favour of a more elegant solution - the Monitor.

Fire up the second program, and it dumps itself into your System Tray. As and when stolen accounts appear in your logs, the program - which can be made to check at an interval of your choosing - pops up a message like this:

[image: phpharmz5.jpg]

Click the message, and the Monitor program launches:

[image: phpharmz4.jpg]

Type of Phish (in this case, a GMail phish), Username, Password and IP Address are all logged.

Did I mention this was slick? Depressingly so. Anyway, avoid phish pages, etc etc and yadda yadda.

Thought I'd get this online asap, as Maplestory is a pretty popular MMORPG and this one seems to be doing the rounds, so let's get down to business.

A number of leet hax forums are promoting a tool that looks like this:

[image: maplemezosz1.jpg]

As you've probably guessed, the above is sent to the victim with the promise of free stuff (in this case, up to 100 million mesos and 50k NX, which I suppose sounds very impressive).

Anyone unfortunate enough to enter their Username, Password and PIN is going to find themselves on a one way trip to Phishtown courtesy of an EMail sent in the background to the attacker. We're still trying to grab a copy of this program (wary of leeching, distribution is currently limited to direct requests from trusted members on certain forums) but some of the features are pretty interesting. Check this out:

* Vista manifest for highest permission available (asks for admin permission before starting)
* Edits the hosts file so the victim cannot go to any help sites/nexon mainsite
* Checks to see if the username & password is correct, via the official website.
* Comes with a builder.
* E-mail tester in builder

In addition, these are pretty clever things for a program like this to do:

* Encrypts your GMAIL E-Mail & Password.
* Auto kills ALL running Process explorer(s) before sending you the inputted info.
* Auto kills ALL running WireShark(s) before sending you the inputted info.

Auto killing Wireshark and process explorers? Can't say I've seen that done in a phisher like this before.
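One of the listed features, rewriting the hosts file so the victim can no longer reach help sites or the game's official site, leaves a very visible trace on the machine. Below is an added example (my own code, not part of the original post or the tool it describes) that parses hosts-file content and flags every non-loopback name that has been pinned to an address; the sample file and the domain names in it are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file: the standard loopback lines plus the kind of
# additions the post describes (help sites and the game's site sinkholed, one
# login host redirected elsewhere). Names and addresses are made up.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.nexon.net
127.0.0.1       nexon.net
0.0.0.0         support.example.com
203.0.113.5     login.example-game.com
"""

# Names that legitimately point at loopback in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (line_number, ip_address, hostname) for every mapping in the file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address; ignore malformed lines
        for name in parts[1:]:
            entries.append((lineno, addr, name.lower()))
    return entries


def suspicious_entries(text):
    """Flag every mapping that is not one of the expected loopback names.

    Loopback/unspecified targets mean the name has been sinkholed (the victim
    cannot reach it); any other address means traffic is being redirected.
    """
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        if addr.is_loopback or addr.is_unspecified:
            findings.append((lineno, name, f"sinkholed to {addr}"))
        else:
            findings.append((lineno, name, f"redirected to {addr}"))
    return findings


if __name__ == "__main__":
    for lineno, name, what in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} {what}")
```

On Windows the file to read is `%SystemRoot%\System32\drivers\etc\hosts`; on Unix-like systems it is `/etc/hosts`. A stock hosts file produces no findings, so any output from this check on a machine that has just run a "free mesos" program is worth a closer look.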

Avoid the above program like the plague...

Finding dumps of stolen logins is a common occurrence round this neck of the woods; if it isn't a bunch of XBox logins, it's 5000+ EBay / Paypal accounts. Well, here we have roughly 86 Windows Live ID accounts taken without permission, via a phishing page.

Windows Live IDs can be used to access everything from Hotmail and MSN to XBox Live and Zune. Grab a Live ID, and the amount of ways you can ruin someone's day increases in spectacular fashion.

In this case, the target was XBox Live gamers, by way of a fake "Get Microsoft points for free" phish.

What I found particularly interesting here is that the collected data reveals the (borderline desperate) greed on the part of the victims - allow me to explain. Many of the most popular XBox phishes involve the site creator pretending to be an ex Microsoft employee, who just so happens to have a magical way to create "free" Microsoft points (which otherwise cost money, and are used for digital videogame transactions and Zune marketplace purchases).

Here's a typical example of said fakery:

[image: fakez101.gif]

There's normally a dropdown box (bottom right), asking the victim to select a fictional amount of points while they throw away their login details. More often than not this information isn't included in the phish dump, because the phisher couldn't care less how many points the victim is after. This is what you normally end up with:

[image: stolenxbox1.jpg]

...as you can see, nothing more than the Live ID, the password and the date.

Here, however, each stolen account in the data dump looks like this:

Logged IP address: xx.xx.xx.x0 - Date logged: Monday 20th 2009 of July 2009 09:17:27 PM
Email=xxxxxx@xxxxxxxxxx.com
Password=xxxxxxxxxxx
Points=20000
submit=Go!


For some unknown reason, the phisher decided to log the points the victim tried to obtain for free. This means we can gather up some data about the level of frenzied button mashing the victim goes through over a period of days.

Days? You bet. More on that later - for now, let's take a quick look at the amount of points the victims were dying to get their hands on. The stolen logins have been in circulation on forums for a while, and based on comments we've seen, all of them have either been locked down or leeched, but we've notified Microsoft anyway. All of the below were phished between Monday the 20th of July and Tuesday the 28th:

500 MS Points ($6.25 / 4.25 GBP) - 17 requests
1000 MS Points ($12.50 / 8.50 GBP) - 8 requests
2500 MS Points ($31.24 / 21.25 GBP) - 8 requests
5000 MS Points ($62.48 / 42.50 GBP) - 23 requests
10000 MS Points ($124.95 / 85.00 GBP) - 10 requests
20000 MS Points ($249.90 / 170.00 GBP) - 92 requests

In total, there were 167 attempts to get free points, with 9 misfires (which means the victim didn't pick an amount on the dropdown box, resulting in a "-Select-" left in the relevant data field). Roughly 86 individual Live IDs were phished, and the rest of the 167 attempts were repeated requests for points from the same handful of people - sometimes stretching over the full timespan from Monday 20th July to Tuesday the 28th.

One person made 24 requests over the eight days (at one stage making eleven requests for points in three minutes!), with 17 tries for the maximum amount of 20,000 MS points. That works out at 340,000 points not including his smaller requests, which means this person attempted to collect over FOUR THOUSAND DOLLARS worth of digital downloads for nothing.
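The tallies above (requests per amount, "-Select-" misfires, distinct Live IDs, repeat requesters and the eleven-requests-in-three-minutes burst) are exactly the kind of thing an analyst wants to pull out of a dump like this automatically rather than by hand. Here is an added example, my own code rather than anything from the post, that parses records laid out the way the dump entry above is shown and computes those figures. The records in it are constructed (example.com addresses, documentation IP ranges, passwords replaced with "REDACTED"), and the dollar value uses the $6.25 per 500 points rate from the list above.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample dump in the layout shown in the post. Not real victim data.
SAMPLE_DUMP = """\
Logged IP address: 203.0.113.10 - Date logged: Monday 20th 2009 of July 2009 09:17:27 PM
Email=victim-a@example.com
Password=REDACTED
Points=20000
submit=Go!

Logged IP address: 203.0.113.10 - Date logged: Monday 20th 2009 of July 2009 09:18:02 PM
Email=victim-a@example.com
Password=REDACTED
Points=20000
submit=Go!

Logged IP address: 203.0.113.10 - Date logged: Monday 20th 2009 of July 2009 09:19:40 PM
Email=victim-a@example.com
Password=REDACTED
Points=5000
submit=Go!

Logged IP address: 198.51.100.7 - Date logged: Tuesday 21st 2009 of July 2009 10:05:11 AM
Email=victim-b@example.com
Password=REDACTED
Points=500
submit=Go!

Logged IP address: 192.0.2.44 - Date logged: Tuesday 28th 2009 of July 2009 04:45:00 PM
Email=victim-c@example.com
Password=REDACTED
Points=-Select-
submit=Go!
"""

MISFIRE = "-Select-"  # left in the field when no amount was picked from the dropdown

# Matches the odd "Monday 20th 2009 of July 2009 09:17:27 PM" header format.
HEADER_RE = re.compile(
    r"Logged IP address: (?P<ip>\S+) - Date logged: \w+ (?P<day>\d+)\w{2} \d{4} of "
    r"(?P<month>\w+) (?P<year>\d{4}) (?P<time>\d{2}:\d{2}:\d{2} [AP]M)"
)


def parse_dump(text):
    """Split the dump into records. The password field is read but never kept."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        m = HEADER_RE.match(lines[0])
        if not m:
            continue
        fields = dict(line.split("=", 1) for line in lines[1:] if "=" in line)
        when = datetime.strptime(
            f"{m['day']} {m['month']} {m['year']} {m['time']}", "%d %B %Y %I:%M:%S %p"
        )
        records.append({
            "ip": m["ip"],
            "when": when,
            "email": fields.get("Email", "").strip().lower(),
            "points": fields.get("Points", "").strip(),
        })
    return records


def summarise(records):
    """Requests per amount, misfires, distinct IDs and who came back more than once."""
    per_amount = Counter(r["points"] for r in records if r["points"] != MISFIRE)
    misfires = sum(1 for r in records if r["points"] == MISFIRE)
    by_email = defaultdict(list)
    for r in records:
        by_email[r["email"]].append(r["when"])
    return {
        "total": len(records),
        "misfires": misfires,
        "per_amount": dict(per_amount),
        "distinct_ids": len(by_email),
        "repeat_requesters": {e: len(t) for e, t in by_email.items() if len(t) > 1},
    }


def max_burst(records, email, window=timedelta(minutes=3)):
    """Most requests by one Live ID inside any sliding window (default three minutes)."""
    times = sorted(r["when"] for r in records if r["email"] == email)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def points_value_usd(records, email, usd_per_500=6.25):
    """Dollar value of everything one victim asked for, at the $6.25 / 500 rate."""
    total = sum(int(r["points"]) for r in records
                if r["email"] == email and r["points"].isdigit())
    return total * usd_per_500 / 500


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    print(summarise(recs))
    print(max_burst(recs, "victim-a@example.com"), points_value_usd(recs, "victim-a@example.com"))
```

Pointing `parse_dump` at a real dump file gives the same breakdown the post works out by hand; note that the parser discards the `Password` field so that the analysis output never carries the stolen credentials along with it.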

[image: greedy.png]

In fact, he's still trying to get free points on the 28th despite not having actually received anything from the moment he tried way back on the 20th. The phisher who collected these logins deserves nothing but scorn; however, it's increasingly difficult to feel any sympathy whatsoever for some of the people caught up in the above data log.

Is the only real solution to throw both phisher and victim into a bear pit, filled with angry bears who themselves hold an irrational hatred of both bear pits and bear pit trespassers?

Why yes. Yes it is.

A common warning in relation to many phishing attacks is "Look for the .com in the URL, because that's the official site domain - if you see that you know it's the real thing".

All well and good, but sometimes people find a way to place a ".com" in there anyway.

Here's a fake XBox.com phishing page - note the URL:

[image: finalgive1.png]

Amazingly enough, it's

xbox.com.au.tp

The problem here is that we're so conditioned in relation to "Look for the .com" that many people will see this domain and think, well, it HAS to be legit - completely disregarding the "au.tp" part that comes after it.

Unfortunately, it isn't real in the slightest. How did they get the above domain to look the way it does? Well, a .tp domain is the top level domain for East Timor. You can't actually get them anymore (due to it being replaced by .tl), but you can get various subdomains through resellers. A quick jump over to Tipdots.com, and....

[image: finalgive2.png]

....whoops. Of course, the fact that the fake site is promoting a "4th of July giveaway" would hopefully make people stop and think that all is not right here, but that's not an assumption I'd be comfortable in making.

Looking out for ".com" in a domain is indeed useful - but only if you pay attention to what comes after it.
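"Pay attention to what comes after it" can be turned into a mechanical check: the part of a hostname that identifies its owner is the rightmost labels, and a trusted name appearing anywhere to the left of that is a warning sign, not a reassurance. The following is an added example of that check, written for this page rather than taken from it. It uses a deliberately tiny, constructed stand-in for the Public Suffix List (a real deployment would load the full list, which is where the `au.tp` reseller suffix mentioned above would come from), and the set of trusted domains is an assumption.

```python
# Constructed, tiny stand-in for the Public Suffix List. The real list is much
# longer; "au.tp" and "t35.com" are included so the examples from this page
# resolve the way they do in practice.
PUBLIC_SUFFIXES = {"com", "net", "org", "au", "com.au", "tp", "au.tp", "tl", "t35.com", "tk"}

# Assumed set of domains the user actually trusts.
TRUSTED = {"xbox.com", "live.com"}


def registrable_domain(host):
    """Return the part of the hostname that somebody had to register (suffix + one label)."""
    labels = host.lower().rstrip(".").split(".")
    # Try the longest candidate suffix first: the whole host, then drop labels from the left.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return None  # the host is itself a public suffix
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])  # unknown suffix: fall back to the last two labels


def classify(host, trusted=TRUSTED):
    """'trusted' if the registrable domain is one we trust, 'lookalike' if a trusted
    name appears somewhere to the left of it, 'unknown' otherwise."""
    reg = registrable_domain(host)
    if reg in trusted:
        return "trusted", reg
    labels = host.lower().rstrip(".").split(".")
    for brand in trusted:
        b = brand.split(".")
        # Only positions that leave at least one label to the right count: the
        # brand name is embedded in the host rather than being its true domain.
        for i in range(len(labels) - len(b)):
            if labels[i:i + len(b)] == b:
                return "lookalike", reg
    return "unknown", reg


if __name__ == "__main__":
    for h in ["www.xbox.com", "xbox.com.au.tp", "mspsite.t35.com", "xbox.com.evil.example"]:
        print(h, "->", classify(h))
```

For `xbox.com.au.tp` the registrable domain comes out as `com.au.tp`: whoever bought a `com` subdomain from the `au.tp` reseller owns that name, and the `xbox` label is just something they chose to put in front of it.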

There's a Windows Live ID phish doing the rounds at the moment, aimed at XBox gamers and their overwhelming desire to obtain FREE STUFF. Namely, XBox Live points. Here's the site, which is located at mspsite.t35.com:



Free Microsoft Points Scam, originally uploaded by Paperghost.

It contains the usual nonsense designed to make the victim sit around doing nothing while the phisher changes their login information:

"This website uses an exploit found on the xbox live website. Using this exploit correctly means you can edit your amount of microsoft points on your account. As the flaw is on the Singapore websites, People living outside of singapore may need to wait up to 24 hours for there points..."

Once you enter the info, your account is as good as gone along with anything you have attached to it. If you think people don't fall for things like this, here's the proof:

[image: mspointzgenz102.jpg]

Chalk up one victim to the above site. There's bound to be more...




About this Archive

This page is an archive of recent entries in the Phish category.
