
Phishing Attack #5 – Cartasi

Phishing attacks are becoming more and more sophisticated and narrowly targeted. One of the latest phishing kits I analyzed is built specifically to target Italians and to filter out visitors from other countries. The financial institution targeted by the campaign is CartaSi, the leading electronic payments company in Italy. CartaSi manages a total of 27 million credit, prepaid and debit cards and provides the acceptance service to approximately 600,000 merchants. CartaSi covers about 50% of the Italian market, while the debit cards it manages are about a quarter of the market.

Let’s have a look at the phishing website.

The email sent to phish the victim is poorly designed, but it can still trick some people into entering their credentials.

[Screenshot: the phishing email]

In order to filter visitors based on their geolocation, the phishing website uses a PHP class called “geoPlugin 1.0”, which resolves the visitor’s IP address to a country code, and only lets users connecting from Italy through. Since the check is based on the source IP, an analyst needs to connect from an Italian IP address to reach the phishing page at all:


<?php
// ccr.php - country code redirect
require_once('geoplugin.class.php');
$geoplugin = new geoPlugin();
$geoplugin->locate();                  // geolocate the visitor's source IP
$country_code = $geoplugin->countryCode;
switch ($country_code) {
    case 'IT':
        header('Location: crts.php');  // Italian visitors get the fake login page
        exit;
    default: // exceptions
        header('Location: http://www.cartasi.it/gtwpages/index.jsp');  // everyone else goes to the real site
        exit;
}

If the country code is not IT, the user is redirected to the official CartaSi page, so a visitor from abroad (a security vendor’s crawler, for example) never sees the phishing form.

The phishing kit’s folder structure is “obfuscated” by generating a random folder name, copying the whole kit into it and sending the victim there:

<?php
// Build a random folder name: rand -> md5 -> base64 -> md5
$random = rand(0, 100000000000);
$md5    = md5($random);
$base   = base64_encode($md5);
$dst    = md5($base);

// Recursively copy the kit from $src into the freshly named $dst folder
function recurse_copy($src, $dst) {
    $dir = opendir($src);
    @mkdir($dst);
    while (false !== ($file = readdir($dir))) {
        if (($file != '.') && ($file != '..')) {   // skip . and ..
            if (is_dir($src . '/' . $file)) {
                recurse_copy($src . '/' . $file, $dst . '/' . $file);
            } else {
                copy($src . '/' . $file, $dst . '/' . $file);
            }
        }
    }
    closedir($dir);
}

$src = 'acrts/';            // the folder holding the actual kit
recurse_copy($src, $dst);
header("Location: $dst");   // send the victim into the random folder

The initial structure of the phishing kit is very simple, and directory listing is prevented by placing a fake 404 page (index.html) in every folder.

[Screenshot: top-level folder structure of the kit]

All the logic of the phishing website is stored inside the folder acrts, which contains the following files:

[Screenshot: contents of the acrts folder]

The main file is login.php: it is the entry point of the phishing website and is responsible for filtering the visitor’s IP and for collecting the username, password and IP address of the victim. The collected information is stored in three files:

  • hits.txt
  • cts1.txt
  • cts2.txt

where cts1.txt contains username, password, IP and country (truncated here):

[Screenshot: cts1.txt, stolen usernames, passwords, IPs and countries]

and cts2.txt contains the stolen credit card data:

[Screenshot: cts2.txt, stolen credit card data]

The part of login.php that filters visitors by IP address is reported below (truncated). This is not the country check of ccr.php: it is a blocklist of IP prefixes, a pattern common in phishing kits to keep security vendors, crawlers and researchers away from the kit, and a matching request is dropped with die before anything is logged. Note that the test is a plain string comparison on the first 7 or 10 characters of the address, so an entry whose length does not match the substr length (for example "64.71.") can never match, while a 7-character entry such as "84.14.2" also matches 84.14.20.x through 84.14.29.x and 84.14.200.x onward, not only 84.14.2.x.

<?php
// Source IP of the visitor and a timestamp for the log entry
$IP = getenv("REMOTE_ADDR");
$day = date('l jS \of F Y h:i:s A');
// Blocklist: requests from these IP prefixes are dropped with die
// (plain string comparison on the first 7 or 10 characters of the address)
if ( substr($IP, 0, 7) == "174.123") die;
if ( substr($IP, 0, 7) == "75.125.") die;
if ( substr($IP, 0, 7) == "74.125.") die;
if ( substr($IP, 0, 7) == "64.235.") die;
if ( substr($IP, 0, 7) == "209.85.") die;
if ( substr($IP, 0, 7) == "64.235.") die;   // duplicate of the 64.235. check above
if ( substr($IP, 0, 7) == "84.14.2") die;   // also matches 84.14.20.x-84.14.29.x and 84.14.2xx.x
if ( substr($IP, 0, 7) == "194.106") die;
if ( substr($IP, 0, 7) == "173.178") die;
if ( substr($IP, 0, 7) == "216.82.") die;
if ( substr($IP, 0, 7) == "79.176.") die;
if ( substr($IP, 0, 7) == "219.117") die;
if ( substr($IP, 0, 7) == "150.70.") die;
if ( substr($IP, 0, 7) == "209.120") die;
if ( substr($IP, 0, 7) == "67.159.") die;
if ( substr($IP, 0, 7) == "143.127") die;
if ( substr($IP, 0, 7) == "67.172.") die;
if ( substr($IP, 0, 7) == "202.75.") die;
if ( substr($IP, 0, 7) == "38.127.") die;
if ( substr($IP, 0, 7) == "128.242") die;
if ( substr($IP, 0, 7) == "64.125.") die;
if ( substr($IP, 0, 7) == "69.163.") die;
if ( substr($IP, 0, 7) == "149.20.") die;
if ( substr($IP, 0, 7) == "91.199.") die;
if ( substr($IP, 0, 7) == "38.111.") die;
if ( substr($IP, 0, 7) == "174.122") die;
if ( substr($IP, 0, 7) == "124.178") die;
if ( substr($IP, 0, 7) == "199.48.") die;
if ( substr($IP, 0, 7) == "199.76") die;    // never matches: 6 characters vs. a 7-character substr
if ( substr($IP, 0, 7) == "62.213.") die;
if ( substr($IP, 0, 10) == "194.72.238") die;
if ( substr($IP, 0, 7) == "66.227.") die;
if ( substr($IP, 0, 10) == "87.249.110") die;
if ( substr($IP, 0, 7) == "204.95.") die;
if ( substr($IP, 0, 7) == "220.25.") die;
if ( substr($IP, 0, 10) == "66.249.71.") die;
if ( substr($IP, 0, 10) == "208.80.194") die;
if ( substr($IP, 0, 10) == "94.228.131.") die;  // never matches: 11 characters vs. a 10-character substr
if ( substr($IP, 0, 10) == "66.150.14.") die;
if ( substr($IP, 0, 7) == "64.71.") die;    // never matches: 6 characters vs. a 7-character substr

.... (logic to store and send the stolen data via email to the phisher)
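To see what the blocklist actually does, here is an added Python analysis (not code from the kit or from this post) that replicates the substr() check over the rules listed above, reports the entries that can never match or are duplicated, and shows how the string comparison over-blocks relative to the narrowest range a rule literal spells out. The IP addresses used in the checks at the bottom are made-up test values.

```python
"""Added analysis of the substr()-based IP blocklist in the kit's login.php.

The kit does  if (substr($IP, 0, N) == "prefix") die;  for each rule below.
This replicates that check in Python, reports rules that can never match,
finds duplicates, and shows how a plain string prefix over-blocks compared
with the CIDR range the literal spells out.  The IPs used in the checks at
the bottom are made-up test values, not addresses seen in the campaign.
"""
from ipaddress import ip_address, ip_network

# (N, prefix) pairs transcribed from the login.php fragment shown above.
KIT_RULES = [
    (7, "174.123"), (7, "75.125."), (7, "74.125."), (7, "64.235."), (7, "209.85."),
    (7, "64.235."), (7, "84.14.2"), (7, "194.106"), (7, "173.178"), (7, "216.82."),
    (7, "79.176."), (7, "219.117"), (7, "150.70."), (7, "209.120"), (7, "67.159."),
    (7, "143.127"), (7, "67.172."), (7, "202.75."), (7, "38.127."), (7, "128.242"),
    (7, "64.125."), (7, "69.163."), (7, "149.20."), (7, "91.199."), (7, "38.111."),
    (7, "174.122"), (7, "124.178"), (7, "199.48."), (7, "199.76"), (7, "62.213."),
    (10, "194.72.238"), (7, "66.227."), (10, "87.249.110"), (7, "204.95."),
    (7, "220.25."), (10, "66.249.71."), (10, "208.80.194"), (10, "94.228.131."),
    (10, "66.150.14."), (7, "64.71."),
]


def kit_blocks(ip, rules=KIT_RULES):
    """True if the kit's PHP would die for this source IP (substr == prefix)."""
    return any(ip[:n] == prefix for n, prefix in rules)


def dead_rules(rules=KIT_RULES):
    """Rules whose literal length differs from N: substr() can never equal them."""
    return [prefix for n, prefix in rules if len(prefix) != n]


def duplicate_rules(rules=KIT_RULES):
    """Rules listed more than once (harmless, but a sign of copy-paste)."""
    seen, dups = set(), []
    for rule in rules:
        if rule in seen and rule not in dups:
            dups.append(rule)
        seen.add(rule)
    return dups


def over_blocked(ip, intended_cidr, rules=KIT_RULES):
    """True if the string rules block `ip` although it lies outside `intended_cidr`.

    Example: rule "84.14.2" (N=7) also matches 84.14.20.x ... 84.14.29.x and
    84.14.200.x onward, not only the 84.14.2.0/24 the literal spells out.
    """
    return kit_blocks(ip, rules) and ip_address(ip) not in ip_network(intended_cidr)


if __name__ == "__main__":
    print("dead rules:", dead_rules())
    print("duplicates:", duplicate_rules())
    print("74.125.0.1 blocked:", kit_blocks("74.125.0.1"))
    print("64.71.0.1 blocked:", kit_blocks("64.71.0.1"))
    print("84.14.25.1 over-blocked:", over_blocked("84.14.25.1", "84.14.2.0/24"))
```

Running it lists three dead rules ("199.76", "94.228.131." and "64.71."), one duplicate, and confirms that an address such as 84.14.25.1 is dropped even though it is outside 84.14.2.0/24. The same function is a quick way to check whether your own scanner’s source address would be silently discarded by the kit before it logs anything.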

After the credentials have been stolen, the victim is redirected to the real CartaSi website, www.cartasi.it, as most phishing websites do. This redirect also gives CartaSi an easy way to detect the phishing site: the browser typically sends the phishing page’s URL in the Referer header of the follow-up request, so the kit shows up in the web server logs of the legitimate site.
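As an added example (not code from the post or from the kit), the following Python script shows that log-side check: it parses Apache combined-format lines, keeps only the requests for the page the kit redirects to (/gtwpages/index.jsp) and groups the external Referer URLs by host. The log lines, the hosting domain example-hosting.invalid and the random kit folder name are constructed for the example, not taken from real logs.

```python
"""Added example: spot phishing-kit referrers in the legitimate site's access log.

The kit sends every victim to http://www.cartasi.it/gtwpages/index.jsp after
the credentials are captured, so the phishing page shows up as the Referer of
requests for that path.  This parses Apache combined-format lines, keeps the
landing-page requests whose Referer is not one of the site's own hosts, and
groups the referring URLs by host.  SAMPLE_LOG, the hosting domain
example-hosting.invalid and the folder name 6f1d8c2a are constructed.
"""
import re
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hosts that legitimately link to the landing page (apex and subdomains).
OWN_HOSTS = {"cartasi.it"}
# Path the kit redirects to after stealing the credentials (from ccr.php).
LANDING_PATHS = {"/gtwpages/index.jsp"}

# Constructed sample of the legitimate site's access log.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Dec/2016:10:12:01 +0100] "GET /gtwpages/index.jsp HTTP/1.1" 200 5123 "http://example-hosting.invalid/6f1d8c2a/crts.php" "Mozilla/5.0"
203.0.113.11 - - [05/Dec/2016:10:12:05 +0100] "GET /gtwpages/index.jsp HTTP/1.1" 200 5123 "https://www.cartasi.it/" "Mozilla/5.0"
203.0.113.12 - - [05/Dec/2016:10:12:09 +0100] "GET /gtwpages/index.jsp HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.13 - - [05/Dec/2016:10:13:40 +0100] "POST /gtwpages/index.jsp HTTP/1.1" 302 0 "http://example-hosting.invalid/6f1d8c2a/login.php" "Mozilla/5.0"
203.0.113.14 - - [05/Dec/2016:10:14:02 +0100] "GET /static/logo.png HTTP/1.1" 200 812 "http://example-hosting.invalid/6f1d8c2a/crts.php" "Mozilla/5.0"
198.51.100.7 - - [05/Dec/2016:10:15:00 +0100] "GET /gtwpages/index.jsp?x=1 HTTP/1.1" 200 5123 "https://www.google.com/" "Mozilla/5.0"
"""


def is_own_host(host):
    """True for the site's own hostnames (apex or any subdomain)."""
    return any(host == h or host.endswith("." + h) for h in OWN_HOSTS)


def external_referers(lines):
    """Map referring host -> sorted distinct referring URLs, for requests to a
    landing path that arrived from a host outside OWN_HOSTS."""
    found = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line; skip it
        path = m["path"].split("?", 1)[0]
        if path not in LANDING_PATHS:
            continue
        referer = m["referer"]
        host = (urlsplit(referer).hostname or "") if referer != "-" else ""
        if not host or is_own_host(host):
            continue
        found.setdefault(host, set()).add(referer)
    return {host: sorted(urls) for host, urls in found.items()}


if __name__ == "__main__":
    for host, urls in external_referers(SAMPLE_LOG.splitlines()).items():
        print(host, len(urls), "url(s)")
        for url in urls:
            print("   ", url)
```

On the sample the script surfaces the two kit URLs under example-hosting.invalid (crts.php and login.php, i.e. the random folder and the entry points seen above) and also www.google.com, which is normal traffic: in practice you rank hosts by hit count and add search engines and partners to OWN_HOSTS. The kit redirects with a plain http Location header, so the Referer is not suppressed by an https-to-http downgrade; with modern Referrer-Policy defaults the cross-origin Referer may be trimmed to the origin, but the host, which is what identifies the phishing site, still survives.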

The phishing kit also contains a simple PHP web shell called ttt.php, which can be used to access the files on the web server. The code of ttt.php is shown below.

[Screenshot: source code of the ttt.php web shell]

It is very easy to detect that this website is fake and belongs to a phisher.

So far ~15 credit cards and ~30 username/password pairs have been stolen. User awareness is still very low.


Published in News
