uninstallinfo.com / vodafone phishing scam?

Phishing operations, including perpetrators, how to report them and get them shut down.


Post by NotBuyingIt » Fri Apr 08, 2011 6:53 pm

Here is a report of a phishing scam of a kind to which I am unaccustomed.

http://www.phishtank.com/phish_detail.php?phish_id=1171731

It reports the suspicious URL

hXXp://uninstallinfo.com/wp-content/upgrade/vodafone.html

The URL may respond differently depending upon the IP address block used to reach it; in my case, using a USA web proxy showed different results from using a UK proxy.

The UK proxy presented a Vodafone login form using a POST service
hXXp://online.vodafone.co.uk/Portal/appmanager/vodafone/fone.php

A USA proxy presented the same form using a POST service
hXXp://uninstallinfo.com/wp-content/upgrade/fone.php

I am simply asking if the reported URL is actually participating in a phishing scam, or if it is something else.
NotBuyingIt
Spammer Killing Machine
 
Posts: 612
Joined: Sun Jun 13, 2010 5:22 pm

Re: uninstallinfo.com / vodafone phishing scam?

Post by AlphaCentauri » Sat Apr 09, 2011 9:37 am

It's asking me for a login.

The parent site is a blog that was registered anonymously in June. Google reports 54 different blogs with identical content and mostly identical titles. They are linking to some antivirus program. The phish page inactivated my "back" button, but the parent page did not.

My take is the parent site is scammy, but got pwned by phishers. So it's real phish, and you should have no regrets about killing the parent site, since he's got 53 more left.
AlphaCentauri
You are kiillllling-a my bizinisss!
 
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am

Re: uninstallinfo.com / vodafone phishing scam?

Post by meep » Sat Apr 09, 2011 10:18 am

Definitely a confirmed Vodafone website. I am able to view and here is why I think it is compromised.

The website: uninstallinfo.com looks to me to be compromised due to a WordPress hack.

The phishing URL:
hxxp://uninstallinfo.com/wp-content/upgrade/vodafone.html

The URL still loads for me as I post, hoping to steal Vodafone mobile logins (4/9/11).

Many times phishing sites are uploaded in compromised directories called "wp-content" due to open permissions or using outdated versions of WordPress. If you view this WordPress forum post, it mentions the chmod 777 permissions being open.

The compromised site (uninstallinfo.com) is using WordPress version ("WordPress 2.9.2"), whereas the current one is Version 3.1.1. I think chances are due to outdated WP software, it was hacked by the Vodafone phisher.
meep
Spammers' Nightmare
 
Posts: 2777
Joined: Thu Apr 05, 2007 4:10 pm
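
For site owners who want to check their own install for the condition meep describes, here is an added example (not part of any post in this thread) that walks `wp-content`, flags world-writable paths and flags web-servable files sitting in `wp-content/upgrade`. The function names, the extension list, the treatment of `upgrade` as update scratch space and the sample tree are assumptions made for the example.

```python
import os
import stat
import tempfile

# Assumption: wp-content/upgrade is only scratch space for updates, so
# web-servable files left there deserve a manual look.
SERVABLE_EXT = {".html", ".htm", ".php", ".js"}


def audit_wp_content(wp_root):
    """Return sorted (finding, relative_path) tuples for a WordPress tree."""
    findings = []
    content = os.path.join(wp_root, "wp-content")
    for dirpath, dirnames, filenames in os.walk(content):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, wp_root).replace(os.sep, "/")
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits say nothing useful
            # Writable by "other": the last 7 in 777 (or 666 on a file)
            if st.st_mode & stat.S_IWOTH:
                findings.append(("world-writable", rel))
            if (stat.S_ISREG(st.st_mode)
                    and rel.startswith("wp-content/upgrade/")
                    and os.path.splitext(name)[1].lower() in SERVABLE_EXT):
                findings.append(("servable-file-in-upgrade", rel))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample tree mirroring the layout reported in the thread."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    content = os.path.join(root, "wp-content")
    for sub, mode in (("upgrade", 0o777), ("themes", 0o755)):
        os.makedirs(os.path.join(content, sub))
        os.chmod(os.path.join(content, sub), mode)  # 0o777 = the open case
    os.chmod(content, 0o755)
    for rel in ("upgrade/vodafone.html", "upgrade/fone.php", "themes/style.css"):
        path = os.path.join(content, rel)
        with open(path, "w") as fh:
            fh.write("constructed placeholder\n")
        os.chmod(path, 0o644)
    return root


if __name__ == "__main__":
    for finding, rel in audit_wp_content(build_sample_tree()):
        print(f"{finding:26} {rel}")
```

Point `audit_wp_content` at the directory that contains `wp-content` on a real host; an empty result means neither condition was found.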

Re: uninstallinfo.com / vodafone phishing scam?

Post by NotBuyingIt » Sat Apr 09, 2011 11:25 am

AlphaCentauri wrote:... he's got 53 more left.
Very shrewd observations! I was fixated on other curious facets of the scam and missed them.

meep wrote:... the chmod 777 permissions being open.
So, anyone could telnet to the problem site and use additional chmod commands to disable the scam web pages without destroying any evidence? ... Not a public service that I perform, though. I probably haven't used telnet in twenty years (and I've never used the term as a verb before).

"777" is the real "mark of the beast"!

Thank you both for your very informative replies.
NotBuyingIt
Spammer Killing Machine
 
Posts: 612
Joined: Sun Jun 13, 2010 5:22 pm
