Phish: October 2008 Archives

While investigating an unrelated case of Phishing yesterday, we came across the biggest haul of stolen EBay logins we've ever seen.

How big?

Well, here's a screenshot of the "Word Count" from the document the details are stored in:

[Screenshot: the "Word Count" of the logins document (logins.gif)]

Each line is taken up by a single EBay Username, Password and EMail account.

Unfortunately, there are 5,534 of them, spread across 121 pages. Here's a random screenshot of page 113; each page holds roughly 46 usernames:

[Screenshot: page 113 of the logins document (page11.gif)]

Quite a lot of the accounts don't exist or are no longer registered users, but there are enough live accounts in there for this to be something of a worry (there also don't appear to be any duplicates, which is unusual for a collection this big). At first glance, it's hard to say exactly where the data has come from or how new or old some of it is (it's apparently been passed around various file download sites over the past week or two), though a massive "roll-up" of stolen accounts from various Phishers seems most likely.

Most of the live accounts we saw look like this:

[Screenshot: a typical live account from the list (ebay1.jpg)]

These would be newly registered users, or users with low feedback scores because they don't use EBay that much. They are prime targets for Phishers, because they're more likely to be fooled by fake login pages.

Another worry is that many new or inexperienced users on EBay use the same login details for Paypal, so the same stolen credentials could open two sets of accounts. I should mention that it's not just new EBayers who can be caught out by these kinds of scams - there were quite a few high scoring EBayers in the stolen logins too.

A source tells me that hackers attempting to use these logins claim some have been "locked out" (presumably a login from an unfamiliar IP address is triggering EBay's security checks), though my source also tells me there are people bragging about there being "A lot of goodies" still in the list.

We've notified EBay, and had the data removed from the web where possible (a hat tip to Google for assisting in the removal of some cached data from their search engine). Hopefully EBay will act quickly on the information they've been provided and assist those unfortunate enough to have been Phished.

We're noticing quite a lot of these AdWords phishes appearing in mailboxes at the moment, all on .cn and .kr domains. Here are a few more (currently confirmed as live) for your blocklists:

adwords.google.com.qsoil.cn/select/Login
adwords.google.com.apoim.cn/select/Login
adwords.google.com.kfion.cn/select/Login
adwords.google.com.tverdo.cn/select/Login
adwords.google.com.agrod.cn/select/Login

ottoggi.co.kr/bbs/data/schedule/1194604617/redirect.google.com
kilsangsa.or.kr/zero/data/buddha/1223246866/https/portal.google.com/www.adwords.google.com/select/Login.htm

Unsurprisingly, the .cn domains are all registered to "Mr Gfdthy", the same individual who owns the mehdo.cn domain. At least one of the Korean domains appears to be a legitimate website that has been compromised and had the phish page uploaded by the attacker, so it might not be part of the "main" campaign that's currently ongoing.
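The hostnames above use one of two tricks. Either the genuine brand name is placed in the subdomain part of a host whose registrable domain is something else entirely (adwords.google.com.qsoil.cn belongs to whoever registered qsoil.cn, not to Google), or the brand name is buried in the path of an unrelated, compromised site. The following Python checker is an added example, not code from the original post: it splits each URL into host and path, works out the registrable domain, and flags both patterns. The brand list and the small suffix table are assumptions for the example; a production checker would load the full Public Suffix List instead of the hand-written table.

```python
import re
from urllib.parse import urlsplit

# Constructed, deliberately small table of multi-label public suffixes
# (assumption for this example); use the full Public Suffix List in practice.
MULTI_LABEL_SUFFIXES = {"co.kr", "or.kr", "com.cn", "co.uk"}

# Brands whose names the lures quoted in the post borrow (assumed list).
BRANDS = {"google.com", "ebay.com", "paypal.com", "barclays.co.uk"}


def split_url(url):
    """Return (lower-cased hostname, path), tolerating a missing scheme as
    in the bare hostnames quoted in the post."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    return host, parts.path


def registrable_domain(host):
    """The label directly under the public suffix: 'qsoil.cn' for
    adwords.google.com.qsoil.cn, 'ottoggi.co.kr' for ottoggi.co.kr."""
    labels = host.split(".")
    if len(labels) < 2:
        return host
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(url, brands=BRANDS):
    """Return (verdict, registrable_domain); verdict is one of
    'legitimate', 'brand-as-subdomain', 'brand-in-path' or 'unrelated'."""
    host, path = split_url(url)
    reg = registrable_domain(host)
    if reg in brands:
        return "legitimate", reg
    # Wrap the host in dots so only whole labels can match:
    # '.adwords.google.com.qsoil.cn.' contains '.google.com.'.
    wrapped_host = "." + host + "."
    for brand in brands:
        if "." + brand + "." in wrapped_host:
            return "brand-as-subdomain", reg
    # Brand name sitting inside the path of an unrelated (often hacked) site.
    lowered_path = path.lower()
    for brand in brands:
        if re.search(r"(?<![a-z0-9-])" + re.escape(brand) + r"(?![a-z0-9-])",
                     lowered_path):
            return "brand-in-path", reg
    return "unrelated", reg


def scan(urls, brands=BRANDS):
    """Classify every URL and return the suspicious ones together with the
    registrable domain, which is the value worth putting on a blocklist."""
    findings = []
    for url in urls:
        verdict, reg = classify(url, brands)
        if verdict in ("brand-as-subdomain", "brand-in-path"):
            findings.append((url, verdict, reg))
    return findings


# Sample input: hostnames quoted in the post plus one genuine AdWords URL as a
# constructed control case.
SAMPLE_URLS = [
    "adwords.google.com.qsoil.cn/select/Login",
    "adwords.google.com.apoim.cn/select/Login",
    "ottoggi.co.kr/bbs/data/schedule/1194604617/redirect.google.com",
    "kilsangsa.or.kr/zero/data/buddha/1223246866/https/portal.google.com/www.adwords.google.com/select/Login.htm",
    "https://adwords.google.com/select/Login",
]

if __name__ == "__main__":
    for url, verdict, reg in scan(SAMPLE_URLS):
        print(f"{verdict:20} {reg:20} {url}")
```

The brand-in-path rule is a heuristic for triage rather than an automatic block: a legitimate page can mention google.com in a query string, so review those hits before adding the registrable domain to a blocklist. The brand-as-subdomain rule is much stronger, since no genuine Google host has a registrable domain other than google.com.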

Google AdWords Phish

Time to clear out the mailbox - wait, what's this?

[Screenshot: the AdWords phishing EMail in the mailbox (adw1.jpg)]

That's interesting, considering I don't have an AdWords account.

[Screenshot: the full text of the AdWords phishing EMail (adw2.jpg)]

Of course, if I did have an account I might be tempted by their fake website:

[Screenshot: the fake AdWords login page (aw3.jpg)]

As fake websites go, it's quite pretty (but that's more down to Google than the scammers).

Steer clear of this website:

adwords.google.com.mehdo.cn/select/Login/

The Whois details are unsurprisingly useless:

[Screenshot: Whois record for the phishing domain (aw4.jpg)]

The Administrative EMail is apparently used for another 320 domains, which is probably not a good sign...

Here, our unfriendly neighbourhood Phisher is attempting to play on the fear of a security breach:

Attention all Apex ACH System Customers!

We inform you that on October 7, 2008 a partial loss of data took place in our database. Due to this problem urgent request to take the procedure of account verification. Verification form is located here:

[URL Removed].org

However, failure to confirm your records may result in account suspension.
This is an automated message. Please do not reply.

Best to ignore this kind of EMail, methinks...

This is PINsentry.

This is a PINsentry Phish currently doing the rounds:

Introducing PINsentry for Online Banking

To help protect your account from Online fraud, we are changing the
security for Barclays Online Banking and you will need to upgrade to
PINsentry.

PINsentry upgrade - information by email
We will send you information on PINsentry and details of any cards being
issued or upgraded by email.
Please insert your details in the attachment below.

Barclays Bank PLC is authorised and regulated by the Financial Services Authority

This is the form that comes with the EMail:

[Screenshot: the PINsentry "upgrade" form attached to the EMail (pinsentry1.jpg)]

Note that it asks you for absolutely everything, including your telephone banking passcode. Barclays Bank do NOT send these kinds of EMails to their customers, so be on your guard...

About this Archive

This page is an archive of entries in the Phish category from October 2008.

Phish: August 2008 is the previous archive.

Phish: November 2008 is the next archive.