Wednesday, April 30, 2014

Citadel & ZA eFile Tax Phishing

KINS (Citadel) C&C listed on ZeuS Tracker




Was looking for a KINS panel, but it's Citadel.

So I break in and look around.





Also found on this server:
South African Revenue Service (SARS) phishing page, shell, and "hacked by" page.

SARS phishing landing page


Some dude was here already:


..to make me laugh :-)


Some mailer settings:

define("EMAIL", "naks@top2roues.com,garicofa@blumail.org");

$recipient = "fof204@gmail.com";
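For triage, the drop addresses in kit mailer scripts like the two settings above can be pulled out automatically. This is an added example, not code from the original post; the function name and the sample kit source (with placeholder addresses) are constructed for illustration.

```python
import re

# Two forms seen in kit mailer scripts: define("NAME", "...") and $name = "...".
# A comparison such as $x == "..." does not match, since a quote must follow '='.
ASSIGNMENT = re.compile(
    r"""(?:define\s*\(\s*["'](?P<const>\w+)["']\s*,\s*
         |\$(?P<var>\w+)\s*=\s*)
        (?P<q>["'])(?P<value>.*?)(?P=q)""",
    re.VERBOSE | re.IGNORECASE,
)
ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract_drop_addresses(php_source):
    """Return a sorted list of (address, setting name, line number)."""
    found = set()
    for lineno, line in enumerate(php_source.splitlines(), 1):
        # Commented-out settings are old or disabled drops; skip them here.
        if line.lstrip().startswith(("//", "#", "*")):
            continue
        for match in ASSIGNMENT.finditer(line):
            name = match.group("const") or match.group("var")
            # One setting may hold several comma-separated recipients.
            for addr in ADDRESS.findall(match.group("value")):
                found.add((addr.lower(), name, lineno))
    return sorted(found)


# Constructed sample input (placeholder addresses, not taken from the server).
SAMPLE_KIT = '''<?php
// $recipient = "old-drop@example.net";
define("EMAIL", "first@example.org,second@example.com");
$recipient = "Third@example.org";
$subject = "New login from $ip";
mail($recipient, $subject, $message);
?>'''

if __name__ == "__main__":
    for addr, setting, lineno in extract_drop_addresses(SAMPLE_KIT):
        print(f"line {lineno}: {setting} -> {addr}")
```

The extracted addresses can then be reported to the mail provider and compared across kits to link campaigns.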



A shell:



Art Spam and Four-In-One Phishing

Spam email campaign leads to Gmail, Yahoo, Live, and AOL phishing site.


Spam Email:
From: Richard Webber [mailto:ab_bc6@AOL.COM]
Subject: Art Investments 2014
Sent: Friday, April 25, 2014 8:01 AM
To: xxxx
Subject: Art Investments 2014
Duely Important Updates on Art Investment Options, review the attached PDF and get back to me soonest,
thanks
 
2014 Documents.pdf
--
Richard Webber
Art Adviser Webber Art Management
Landmark Square , 2nd Floor
Stamford, CT 060908



Attachment link redirects to:
http://www.concrete.zuuummm.com.br/administrator/archived/2014/index.php


Phishing landing page.
Stolen from dropbox.com


The old four-in-one.


We've seen this guy before: b_hacker_1@yahoo.com
http://protectyournet.blogspot.com/2014/03/upgradetoservercom-botnets-phishing.html


At least you stopped using that hideous background.



More found junk:
Related




What?




Tuesday, April 22, 2014

Phishing - Trella.org - Imad Bazzi

Spam Campaign linking to Phishing Page on Trella.org

trella.org (private registration)
181.224.139.157
twitter.com/TrellaLB


Spam Email: 

From: IT Help Desk [mailto:david@plumascontabil.com.br]
Sent: Tuesday, April 22, 2014 05:50 AM Eastern Standard Time
To: info@mail.com <david@plumascontabil.com.br>
Subject:

We are currently in the process of upgrading basic Email services and WebMail center to a new system. We are deleting all Old Web Mail email account.
Kindly (Click Here) to Verify And Validate your Email
Do Not ignore this Message to Avoid Termination of your webmail account. 
Thank you for your cooperation
Inf Ufsc Web Mail Administration



Phishing landing page

Directory Listing allowed

More phishing pages:

PHP Mail Logs:


imad.bazzi@gmail.com


Email Addresses Used in Campaign:

bbupgard11@gmail.com 
embassyloanz091@gmail.com
imad.bazzi@gmail.com


Trella.org


Imad Bazzi




Why?