Last visit was: Sat Jul 05, 2014 1:00 pm
It is currently Sat Jul 05, 2014 1:00 pm

uninstallinfo.com / vodafone phishing scam?


All times are UTC - 5 hours [ DST ]


 [ 4 posts ] 
Author Message
 PostPosted: Fri Apr 08, 2011 6:53 pm   
Spammer Killing Machine
User avatar

Joined: Sun Jun 13, 2010 5:22 pm
Posts: 528
Here is a report of a phishing scam of a kind to which I am unaccoustomed.

http://www.phishtank.com/phish_detail.php?phish_id=1171731

It reports the suspicious URL

hXXp://uninstallinfo.com/wp-content/upgrade/vodafone.html

The URL may respond differently depending upon the IP address block used to reach it; in my case, using a USA web proxy showed different results from using a UK proxy.

The UK proxy presented a Vodaphone login form using a POST service
hXXp://online.vodafone.co.uk/Portal/appmanager/vodafone/fone.php

A USA proxy presented the same form using a POST service
hXXp://uninstallinfo.com/wp-content/upgrade/fone.php

I am simply asking if the reported URL is actually participating in a phishing scam, or if it is something else.


Top
 Profile  
 PostPosted: Sat Apr 09, 2011 9:37 am   
You are kiillllling-a my bizinisss!
User avatar

Joined: Thu Mar 01, 2007 3:01 am
Posts: 5915
It's asking me for a login

The parent site is a blog that was registered anonymously in June. Google reports 54 different blogs with identical content and mostly identical titles. They are linking to some antivirus program. The phish page inactivated my "back" button, but the parent page did not.

My take is the parent site is scammy, but got pwned by phishers. So it's real phish, and you should have no regrets about killing the parent site, since he's got 53 more left.


Top
 Profile  
 PostPosted: Sat Apr 09, 2011 10:18 am   
Spammers' Nightmare
User avatar

Joined: Thu Apr 05, 2007 4:10 pm
Posts: 2777
Definitely a confirmed Vodaphone website. I am able to view and here is why I think it is compromised.

The website: uninstallinfo.com looks to me to be compromised due to a WordPress hack.

The phishing URL:
Quote:
hxxp://uninstallinfo.com/wp-content/upgrade/vodafone.html

The URL still loads for me as I post, hoping to steal Vodaphone mobile logins (4/9/11).

Many times phishing sites are uploaded in compromised directories called "wp-content" due to open permissions or using outdated versions of Wordpress. If you view this Wordpress forum post, it mentions the chmod 777 permissions being open.

The compromised site (uninstallinfo.com) is using Wordpress version ("WordPress 2.9.2"), where as the current one is Version 3.1.1. I think chances are due to outdated WP software, it was hacked by the Vodaphone phisher.


Top
 Profile  
 PostPosted: Sat Apr 09, 2011 11:25 am   
Spammer Killing Machine
User avatar

Joined: Sun Jun 13, 2010 5:22 pm
Posts: 528
AlphaCentauri wrote:
... he's got 53 more left.
Very shrewd observations! I was fixated on other curious facets of the scam and missed them.

meep wrote:
... the chmod 777 permissions being open.
So, anyone could telnet to the problem site and used additional chmod commands to disable the scam web pages without destroying any evidence? ... Not a public service that I perform, though. I probably haven't used telnet in twenty years (and I've never used the term as a verb before).

"777" is the real "mark of the beast"!

Thank you both for your very informative replies.


Top
 Profile  
 [ 4 posts ] 

All times are UTC - 5 hours [ DST ]


Who is online

Users browsing this forum: Google [Bot], Wayback machine and 0 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to:  


Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group
Style originally created by Volize © 2003 • Redesigned SkyLine by MartectX © 2008