RAIFFEISEN PHISHING SPAM

Ok am scris cite ceva despre chestia asta care deranjeaza pe multa lume daca considerati ca e ok sa se stearga acest post nu am nici o problema.
daca nu poate e folositor pt cei care stiu cite ceva mai mult decit mine.

http://www.raiffeise...ontact@***.info
adresa care e spam

https://www.raiffeis...b/login?Lang=ro
adresa corecta de login(Raiffeisen Bank)

http://www.raiffeise...b/login?Lang=ro
adresa stricata de raiffeisen de care profita spammeru

http://adolec.org.mx/inetpub/HtDocs/
adresa de root a serverului unde se preiau datele false

http://www.raiffeise...ontact@***.info
care face redirect la aia de mai sus

care e de fapt - http://adolec.org.mx/r-aaa/index.php


http://adolec.org.mx...?...3323&email= (un exemplu de cod utilizator pus la plezneala trece la pagina asta)

in sursa
<form name="Login" method="post" action="redirectEr.php" target="_top" autocomplete="off" onkeydown="if(event.keyCode==13){if (validateLogin()) document.forms[0].submit();}">
mai departe in sursa

<input type="hidden" name="k1" value="11" id="k1">
<input type="hidden" name="k2" value="9" id="k2">
<input type="hidden" name="email" value="" id="email">

3 fields hidden - probabil emailu e tinut in url deja

daca se face refresh la pagina

<input type="hidden" name="k1" value="11" id="k1">
<input type="hidden" name="k2" value="9" id="k2">

k1 si k2 se schimba automat(functie JS)

dupa submit se trece la
http://adolec.org.mx.../redirectEr.php   apoi (deja cred ca a luat datele necesare deoarece acest fisier e redirect)


la raiffesen original

https://www.raiffeis...b...5&idTata=15

care sint 2 url-uri de fapt
https://www.raiffeis...gWeb/Controller
si
http://www.raiffeise.......5&idTata=15

L3dJdyEvd0ZNQUFzQUMvNElVRS82XzNfMzBV?actiune=internetcontent_ViewAction&internetcontent_ID=15&idTata=15 (nu imi dau seama ce valoare e asta)

OK despre domeniu si server

Domain Name: adolec.org.mx

Created On:      18-nov-1999
Expiration Date: 17-nov-2009
Last Updated On: 19-nov-2008
Registrar: NIC Mexico
URL: http://www.nic.mx

Registrant:
   Name:         Hugo Roberto Hidalgo Rasmussen
   City:         Zapopan
   State:        Jalisco
   Country:      Mexico

Administrative Contact:
   Name:         Hugo Roberto Hidalgo Rasmussen
   City:         Guadalajara
   State:        Jalisco
   Country:      Mexico

Technical Contact:
   Name:         Hugo Roberto Hidalgo Rasmussen
   City:         Guadalajara
   State:        Jalisco
   Country:      Mexico

Billing Contact:
   Name:         Hugo Roberto Hidalgo Rasmussen
   City:         Guadalajara
   State:        Jalisco
   Country:      Mexico

Name Servers:
   DNS:          ns0.nic-reg-dns.com
  
  
  
despre serverul unde e hostat domeniul respectiv

OrgName:    Cyber World Internet Services, Inc.
OrgID:      CWIS
Address:    12402 N. Division St. #240
City:       Spokane
StateProv:  WA
PostalCode: 99218
Country:    US

ReferralServer: rwhois://rwhois.e-insites.com:4321/

NetRange:   66.206.0.0 - 66.206.31.255
CIDR:       66.206.0.0/19
NetName:    CYBERWORLD-INT
NetHandle:  NET-66-206-0-0-1
Parent:     NET-66-0-0-0-0
NetType:    Direct Allocation
NameServer: NS0.NIC-REG-DNS.COM
NameServer: NS1.NIC-REG-DNS.COM
Comment:    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate:    2001-12-04
Updated:    2002-03-08

RTechHandle: AS1239-ARIN
RTechName:   Slocombe, Alvin
RTechPhone:  +1-509-893-2416
RTechEmail:   [email protected]

OrgTechHandle: AS1239-ARIN
OrgTechName:   Slocombe, Alvin
OrgTechPhone:  +1-509-893-2416
OrgTechEmail:   [email protected]


Server Type:   Microsoft-IIS/6.0
IP Address: 66.206.8.159



mai departe

Registrant:
   e Insites - Mt. Home Distributing
   23403 E. Mission Ave Suite A7
   Liberty Lake, Washington 99019
   United States

   Domain Name: E-INSITES.COM
      Created on: 09-Aug-03
      Expires on: 09-Aug-10
      Last Updated on: 18-May-08

   Administrative Contact:
      Vowels, Henry  
      e Insites - Mt. Home Distributing
      12402 N. Division, #240
      Spokane, Washington 99218-1930
      United States
      5093430016      Fax -- 5093430016

   Technical Contact:
      Vowels, Henry  
      e Insites - Mt. Home Distributing
      12402 N. Division, #240
      Spokane, Washington 99218-1930
      United States
      5093430016      Fax -- 5093430016

   Domain servers in listed order:
      DNS1.E-INSITES.COM
      DNS2.E-INSITES.COM
      

Cam atit am stiut si eu sa fac... poate e folositor la ceva... iar avind in vedere ca majoritatea primesc mail pe yahoo my wild guess(JUST A GUESS) e ca respectivu spammer
detine un site de yahoo status... care din cite am vazut sint din romania majoritatea siteurilor si care capteaza id urile de yahoo la introducere.
Iar respectivul spammer are acces la rootul domeniului respectiv(sau cont FTP 0667) - adolec.org.mx


Anyways sper ca e de folos ... altii mai whiz kidz care le au cu PHP-uu sau admini de server poa sa isi dea seama mai bine ca mine ce se intimpla acolo


Ok pt a evita chestiile de genu https://www.raiffeis...b/login?Lang=ro aia e adresa corecta de login pt ca e HTTPS(secure) nu stiu daca
cei de la raiffeisen vor face ceva in legatura cu http://www.raiffeise...b/login?Lang=ro (adresa de care se profita) dar sa speram ca se va rezolva curind.

Iar cu mailurile no worries ca tot se vor trimite(Dark Mailer,Fast Mailer,Fahrenheit,Listmate,validmate) sint doar citeva exemple de aplicatii prin care se pot trimite mailuri cu
adresa falsa si prin proxy(mai pe intelesul tutuor sa nu se stie de unde vine mailu original).

fingre

monique_all, on Mar 5 2009, 14:19, said:

Si eu am facut acelasi lucru, dar acum vreo 2 ani. Da, am primit un mail din partea bancii in care imi multumea ca am sesizat neregula si ca vor face tot ce e posibil ca sa o remedieze.  

Edited by Jaqueline, 17 April 2009 - 13:22.

tavitavi9323, on Apr 22 2009, 11:02, said:

Vad ca esti tare suparat dar nu inteleg ce ai atacat cu ce ai scris aici? Omul sau ideea?
Si ca idee, sfatul lui nu este rau