Hackers reach higher levels of organization

DeepSight™ Threat Management System
Research Report
Online Fraud Communities and Tools
Version 1: January 24, 2006
Analysts: The DeepSight Analyst Team
Table of Contents
Introduction ........ 2
Tour of the underground ........ 2
Honeypot compromise and fraud activity ........ 23
Detecting fraudster work habits by analyzing malicious code ........ 30
Passive attacks ........ 35
Registering a phishing site: an experiment ........ 35
Change log ........ 37
Glossary ........ 38
Index ........ 39
Executive Summary
Online fraud is on the rise. The DeepSight Threat and
Vulnerability Analyst Teams have pursued several related
research projects in the last quarter on the topic, and have
reached the following conclusions:
1. The development of malicious code is often a regular, full-time
activity. Developers may even be employed to produce
malicious code, and several development teams in various
locales may be collaborating on such projects.
2. Besides using the Internet to prey upon victims, fraudsters
also go online to “support” each other, to trade their
particular expertise, to barter stolen credit card numbers, and
so on.
3. Many of their techniques (e.g. the use of old, commonplace
vulnerabilities) lack sophistication, but are still effective
enough to produce rewards.
4. Most disturbing, perhaps, is the relative ease with which an
unskilled novice can enter the world of online fraud and use
the many online tools, forums, and tutorials that will walk
them through practically all the steps and techniques they
need to defraud others.
Online Fraud Communities and Tools — January 24, 2006— Copyright © 2006 Symantec Corporation Page 1 of 41
Introduction
Online fraud has been steadily increasing and shows no signs of leveling off anytime soon. Unfortunately, with
the relative anonymity of the Internet coupled with access to a huge number of potential targets, this activity will
likely persist.
In this analysis, facets of the online fraud community are revealed. We cover the following in this report:
1. A tour through the online communities where many of the deals are made. Here you will meet carders,
rippers, and other fraudsters who frequent the channels and chatrooms devoted to fraud.
2. An evaluation of a specific piece of malicious code used for phishing. From system data contained within
the malicious code itself, we can derive information about the people who created the code.
3. An overview of two compromised honeypots. One is used to join a Romanian chatroom associated with
the exchange of credit card numbers. The other is compromised and quickly converted into a phishing
site, illustrating how fraudulent sites can be set up in minutes.
4. An experiment we conducted to show how plausible certain phishing and pharming tactics can be. This
gives insight into how quickly, and with very few skills, an individual can attempt to defraud others.
Tour of the underground
We begin our tour of the fraudster community by looking at a couple of key communication channels. The
content on these channels reveals a great deal about how fraudsters operate, what they buy and sell online, and
so on.
Communication channels
During this investigation, we attempted to locate possible communication channels used by those engaging in
phishing and other fraud-related activity. Two significant high-activity resources have been highlighted and
presented as case studies in this document:
RealCashout IRC network
CCPower.info forums
Fraudsters use these channels to solicit various intermediate tasks required to perform certain types of fraudulent
activity, including:
Successfully exploiting a vulnerability to gain control of victim hosts. The compromised hosts are often called
“roots” by fraudsters.
Bartering stolen credentials or other commodities recognized by phishers.
Disseminating information to further enable phishers to perform attacks and to evade new detection methods
aimed at countering such attacks.
These communication channels include an online message board that’s viewable only by registered members, and
a small Internet Relay Chat (IRC) network apparently dedicated to discussions of fraud-related activity. The IRC
network is accessible to anyone aware of its existence and the address of one or more of its servers. The
message board, although not viewable by unregistered users, doesn’t screen new registrations beyond verifying
that a valid email address is used to register the account. As such, we were able to view the contents of this
message board by creating a user with an anonymous email address.
There are probably several other discussion forums, at least some of which likely take measures to prevent
unknown users and the general public from gaining access. Such forums may quite possibly operate far less like
an online community and more like an organized criminal enterprise. This is speculation, however, since we have
no further information about such channels.
Multiple IRC channels that appear to exist for the purpose of fraud discussion also operate on several of the large
public IRC networks, but public discussion in these channels was found to be minimal in comparison to the
private channels. Furthermore, the conduct of the users in these channels represents that found on the larger,
dedicated network, albeit on a much smaller scale. This suggests that the various facets of the fraud community,
although independent from one another, share a common modus operandi.
RealCashout IRC network
RealCashout is a small IRC network dedicated to phishing and fraud-related activity. At the time of this writing,
the network consists of three unique server hosts, but we found multiple DNS records on several domains, all of
which point to the IP address of one or more servers.
On average, approximately 800 concurrent users are connected to this network at a given time. Of those,
approximately 700-750 are in the network’s main channel: “#ccpower.”
Using the whois utility, we discovered the following information about the servers:
Server: 84.244.6.5
Country: Sweden
DNS Names: irc.realcashout.net
irc.ircagents.net
irc.ccpoweronline.net
owner-shock.shock.shock.shock.realcashout.net
Server: 70.86.116.133
Country: USA
DNS Names: irc.darkunix.net
133.70-86-116.reverse.theplanet.com
Server: 84.244.4.187
Country: Sweden
DNS Names: irc.realcashout.net
serv-2-4-187.lycos-vds.com
Although the IRC channel contains a large number of users, there’s very little interactive conversation. Most of
the activity consists of advertisements or requests for various services. Interested parties are instructed to
respond to the message by initiating a conversation with the advertiser using private messages. In addition to
these requests, a large amount of the traffic is generated by the users of the channel issuing commands to a bot
program that resides there (see the section “Examples of bot usage” below).
The following is a sample of the general activity seen in this channel at any given time. For those unfamiliar with
the IRC protocol, the contents encapsulated within the angle brackets represent a user’s IRC alias, such as
. In all of the following samples, no attempt has been made to edit the spelling and typographic
errors that are found in many of the interactions in these chatrooms.
CC
I CAN CASH OUT MONEY FROM ANY VALID CCS AND CAN ASLO FUND E-GOLD WITH VALID
CCS ANY HACKER WITH VALID CCS SHOUL MSG ME I SEND YOUR SHARE VIA WU 50-50%
4 #Hacker <============ HaCkeR Channel !!!!
anyone wanna deal i have address if u need address to cards electronics but
my deal is 50,50 and i will send your cut to u through fedex my email is
man2care_008@yahoo.com u can contact me rfor a deal. my name is harry
i can confirm western union of any amount to any count
who has a password hacker sofware sbcrusty@yahoo.com
who can help me plz for paltalk
-join #hacker
i have valid cc,paypal,scam page,phpmailer wanna trade with it
why u paste declined cc
PASTE VALID CVV2
PASTE VALID CVV2
paste valid plzzzzzzzz
<^Secret^> i have paypal..stormpay..bank logins..roots..php mailer…host..Valid CC
<> Rippers Stay away
I GOTY SOME DEAL HERE NEED A LEGIT MAN FOR DEAL….RIPPER STAY AWAY PLS
* CraCc Have BoA [] root [] ebay [] paypal [] maillist [] php mailer [] 3 need
Wells login or Virgin cc // i ver 1st
who have valid cc for deal
<^KoGy^> !state va
* gunit slaps sbcrusty around a bit with a large trout
^KoGy^ => // VA = Virginia \\
any one that can do westernunion online should IM me
i got full banklogins with good balance pm me for deal ripper stay
off i take fresh cc in return
* timidme I have good Wells Drop, Let us discuss, you’ll like the deal
i need Boa & Wells logins; i have their bank drops : cashing out ‘only’
i can open western union online now and i need cc if you can give me we
will share it 50/50
IF YOU CAN MAKE COUNTERFIT BILLS PM ME NOW FOR A LONGTERM DEAL!!!!\\
* LaMorT need Root i have host/scam page/bnc/eggdrop/shell/ircd
Examples of bot usage
Of special note and interest in this channel was the presence of a bot program. This bot lets any new user receive
a list of supported commands by typing !command in the channel. Issuing the sequence would return the
following list from the bot:
!info
!order.log
!socks
!hacksite
!cc
!cclimit
!chk
!bank
!cvv2
!freeshell
!country
!state
!cardable
!proxy
!ProxyChk
!unicode
We observed some of these commands issued by residents of the channel. Note that portions of the information
captured have been censored to protect the identities of the victims. Each command includes a description
followed by a logged example of a user issuing the command:
!cc
Returns a random credit card number and all relevant personal information.
!cc
t0rque cc => (IrcAgents) 583) /Name: Joe [removed] /Phone:
509 xxx xxxx /mail: [removed]@[removed].net /Address: 1xxxx
hwy.xxx [removed] Wa. 9xxxx US /Name on card: Joe
[removed] /Ccnumber: 4388xxxx xxxxxxxx /Exp: xx 200x
/CVV2: xxx /Info shipping: 1xxxx hwy.xxx
[removed] Wa. 9xxxx US 509 xxx xxxx [removed]@[removed].net
!cardable
Displays a website known to have weak or no order verification, allowing carders to make orders with stolen
cards relatively easily.
!cardable
wu_dealer Cardable => (IrcAgents) https://www.cdnow.com [1]
!cclimit
Returns the credit limit for a given credit card number.
!cclimit 4854123412341234
redeyezz I found limit for your Visa (4854123412341234): 7.536 $
!bank
Tells the user what bank a credit card number is associated with.
!bank 5413123412341234
yadanno => Sanwa Bank of Cal. – Phone: 714-627-7601
!cvv2
Returns the CVV2 number of the credit card number given.
!cvv2 6011123412341234 0808
matty CC: 6011123412341234 Type: Discover cvv2: 282
!chk
Determines the validity of a credit card and expiry date.
!chk 4158123412341234 0808
Vietnamhack 4158123412341234 : 0808 (Valid cc)
!chk 6011123412341234 0808
jyde 6011123412341234 : 0808 (You’re Card Is Declined)
!proxy
Lists a random proxy server.
!proxy
raymoney Proxy => (IrcAgents) 24.171.xxx.xxx:8080
!proxychk
Checks the status of a proxy server.
!proxychk proxy.domain.net 8080
-CCpowerOnline(Real@70.86.116.143)- I am checking your proxy now
(proxy.[removed].net 8080). Please Wait… (up to 30 seconds), I’ll msg you
the results.
[CCpowerOnline(Real@70.86.116.143)] d The proxy proxy.domain.net : 8080 status
is Invalid
[1] NOTE: Some PDF viewers may render all URLs as live links. Symantec advises against clicking any URLs in this report.
!freeshell
Lists a random site that offers free shells.
!freeshell
Nwr Free Shell => (IrcAgents) Cyberspace.org –
https://www.cyberspace.org/nu/newuser.html – telnet cyberspace.org login
newuser
!hacksite
Displays a random security-related website.
!hacksite
bankhacker Hacking Site => (IrcAgents) https://www.securityprotocols.com/
!country
Returns the country associated with a given TLD.
!country us
zan_zan88 => US = United States
!order.log
Returns a random URL that appears to be a world-readable credit card logfile (i.e. any user, regardless of
their privileges on the system, can access the file). The URL is likely found by a web spider.
!order.log
duflut Order Log=> (IrcAgents) https://www.cczone-dal.net/cc/order7.txt
!socks
Returns a random SOCKS proxy server.
!socks
PlaY Socks => (IrcAgents) 212.76.xxx.xxx:1080
!state
Converts 2-letter state abbreviations.
!state PA
sQuard => // PA = Pennsylvania \\
!unicode
Displays a random path representing the default location of a webserver script that’s known to be exploitable.
This includes, but is not limited to, Unicode directory traversal exploits.
!unicode
test1 Unicode => (IrcAgents) /scripts/Carello/Carello.dll
!info
Displays basic information regarding the bot itself.
!info
Powered By Irc.IrcAgents.Net
By analyzing what the observed commands do, we can see that this bot is quite powerful. And given the number
of people using it in the channel, we believe that it is quite a valuable resource to them. The presence of such a
bot, especially one that dumps such sensitive information to all users of the channel, shows a slightly higher level
of sophistication than we initially expected, and may represent what is used by more advanced groups. It may
also suggest that the group of people has many numbers in their possession, since they are so willing to spread
the information to others. We did notice that some of the credit card information dumped by the bot was
obviously invalid, which may call into question the integrity of the other information posted on the channel.
However, users of the bot can rely on its own !chk command to verify credit card numbers and expiry dates.
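An added defensive example, not code from the report or its authors: the !order.log command above hands out URLs of world-readable order logs that a web spider located, and the report notes that some of the numbers the bot dumps are obviously invalid. The Python below lets a site operator run the same kind of search over their own document root before a spider does, flagging world-readable text files that contain Luhn-valid card numbers and reporting them masked; the sample order log it builds is constructed, and the file-suffix list and Luhn-only validity test are assumptions.

```python
"""Audit a web document root for world-readable order logs that expose card numbers.

Added example, not code from the Symantec report. The report's !order.log bot command
hands out URLs of world-readable credit card logfiles located by a web spider; a site
operator can run the same kind of search over their own document root first, so such
files are found and removed before a spider indexes them. The suffix list and the
Luhn-only validity test are assumptions made for this example.
"""
from __future__ import annotations
import os
import re
import tempfile

# Runs of 13 to 19 digits, optionally separated by single spaces or dashes.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum.

    Luhn screens out obviously malformed numbers (the report notes some of the
    bot's dumps were obviously invalid); it says nothing about whether a card is live.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the 6-digit BIN and last 4 so findings can be logged safely."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str) -> list[str]:
    """Return masked, Luhn-valid card-number candidates found in text."""
    found = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(mask(digits))
    return found


def scan_webroot(root: str, suffixes=(".txt", ".log", ".csv")) -> dict[str, list[str]]:
    """Walk root and report world-readable files of the given suffixes holding PANs.

    Returns {relative_path: [masked PANs]}. World-readable is judged by the POSIX
    others-read bit; the report's example order logs were plain text served straight
    from the web root, which is exactly the case this catches.
    """
    hits: dict[str, list[str]] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            if not os.stat(path).st_mode & 0o004:
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                pans = scan_text(fh.read())
            if pans:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = pans
    return hits


def demo() -> dict[str, list[str]]:
    """Build a throwaway document root holding a constructed order log, then scan it."""
    sample = (  # constructed sample laid out like the bot's !cc output; 4111... is a
        # standard published test number, and 4854... is a placeholder from the report
        "/Name: Jane Example /Phone: 509 555 0123 /Ccnumber: 4111 1111 1111 1111 "
        "/Exp: 08 2008 /CVV2: 123\n"
        "/Name: John Example /Ccnumber: 4854123412341234 /Exp: 08 2008\n"
    )
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "cc"))
        path = os.path.join(root, "cc", "order7.txt")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)  # world-readable: the misconfiguration being hunted
        return scan_webroot(root)


if __name__ == "__main__":
    for rel, pans in demo().items():
        print(f"{rel}: {len(pans)} card number(s), e.g. {pans[0]}")
```

The Luhn-invalid placeholder number is dropped from the report, so only genuinely well-formed numbers are flagged for the operator to remove.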
CCPower.info forums
The forums hosted at https://www.ccpowerforums.com are a source of a wide range of information to those
looking to commit fraud. Posting of stolen credentials or personal information of any kind is strictly prohibited on
these forums. However, forum members do invite private messaging for help or other items. Discussion of
attacks, techniques, and other information to aid phishers is welcomed. “Diabl0,” the recently arrested Zotob
worm author, was an active participant and well known on these forums.
The threads on this forum give very detailed information on the methods of carrying out any of the steps involved
in committing fraud, from obtaining credit card numbers to arranging drop sites for delivery of goods purchased
with fraudulently obtained credit cards. Currently, there are approximately 4800 registered forum users.
Typical scenario for credit card fraud
The steps involved with one type of credit card fraud may be summarized as follows:
1. Obtain valid credit card numbers, along with as much information on the real owner as possible. This can
be done by:
a. “dumpster diving” — going through the garbage of retail or service industry businesses in an
attempt to find credit card transaction receipts;
b. taking a job in a retail location that will allow the potential fraudster to handle the cards directly
and take information from the cards during the course of a normal transaction. This is referred to
as “skimming” — taking advantage of access to credit card information at a place of employment
and covertly recording a copy for later use. This is done with a wide variety of tactics, such as a
cashier hiding plasticine under the counter and imprinting a customer’s card, or operators in call
centers recording billing information exchanged over the phone;
c. creating a phishing scam;
d. compromising hosts with malicious code that includes a keylogger or similar technology to obtain
valid credit card numbers when the user makes an online purchase;
2. Use these stolen credit card numbers to purchase items online. Alternatively, fraudsters will pass off the
card numbers to cashiers who state that they will return some portion of the money available from the
credit card to the individual who supplied the number. If a cashier is used, a “drop” is unnecessary.
3. Arrange a drop where the goods can be safely sent.
One particular thread on CCPower.info contains a list of “cardable” websites, and discusses steps a carder
should take to avoid having their transaction flagged as suspicious. The thread is 75 pages long and contains
thousands of websites. Typically, a site is considered cardable if the merchant doesn’t require the billing address
to match the shipping address, doesn’t verify orders with the supplied phone number, or will ship to foreign
countries. In some cases, orders must be below a certain value to allow this.
The forum also includes information and templates to create fake credit cards and driver’s licenses. This is often
used when an online order is flagged as suspicious and the merchant requests a photocopy of the card.
Try to make your own one…
Here are some examples:
***.bernardomahoney.com/rrmurders/documents/docu/ccstate06.gif
***.bernardomahoney.com/rrmurders/documents/docu/ccstate05.gif
***.hesaa.org/images/default_prevention/credit_statement.gif
It’s not hard to make one.
Umm… sorry i don’t remember, been a while since i’ve carded them but
creating a CC scan should take no more than 1 hour
Shipments to countries that are known to have a high rate of credit card fraud, such as Morocco, will usually be
flagged by the merchant software or denied completely. One user on the forum posted a technique on how he
bypassed this defense and received his merchandise. He did this by selecting a country that was obviously
incorrect, and entering his actual country in the “City” field. This passes the check performed by the
order-processing software. When the shipment is eventually passed to a human employee, the “mistake” is
corrected and the parcel is mailed to the right address.
on 2000 or 2001 ive got a problem with shipping to my coutry morocco because
old carders have fucked most websites on day ive seen a t-shirt of metallica
but morocco was not listed on shipping coutry then
in the adresse field ive writed my adresse + my city
in the city ive writed my coutry
and in the coutry list ive chosed a coutry that know my coutry im in morocco
ive chosed france an hop after
15 day ive got my tshirt .
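An added example, not code from the report or from the forum, of the merchant-side checks this section says cardable sites lack (billing and shipping address match, phone verification, a foreign-shipping policy), extended to catch the evasion described in the post above: a country name typed into the City field while an obviously wrong country is selected. The country-name list, blocked-destination set and value threshold are assumptions for illustration.

```python
"""Merchant-side order screening for the gaps that make a site 'cardable'.

Added example, not code from the Symantec report. It applies the checks the report
says cardable merchants lack and adds one for the evasion quoted in the forum post:
the real country hidden in the City field behind a deliberately wrong Country choice.
The country list, blocked set and threshold are assumptions; a real deployment would
use a full ISO 3166 table and its own risk policy.
"""
from dataclasses import dataclass, field

BLOCKED_SHIP_COUNTRIES = {"MA"}  # assumed policy; Morocco is the country in the post
COUNTRY_NAMES = {  # assumed, deliberately small name-to-ISO-code table
    "morocco": "MA", "france": "FR", "united states": "US", "canada": "CA",
    "united kingdom": "GB", "germany": "DE", "spain": "ES",
}
HIGH_VALUE_LIMIT = 200.0  # assumed: orders above this need phone verification


@dataclass
class Order:
    amount: float
    billing_address: str
    shipping_address: str
    shipping_city: str
    shipping_country: str  # ISO code the buyer selected from the country list
    phone_verified: bool = False


@dataclass
class Decision:
    action: str  # "accept", "review" or "decline"
    reasons: list = field(default_factory=list)


def _norm(s: str) -> str:
    return " ".join(s.lower().split())


def country_in_city_field(order: Order):
    """ISO code of a country name typed into the City field, or None."""
    return COUNTRY_NAMES.get(_norm(order.shipping_city))


def screen_order(order: Order) -> Decision:
    reasons = []
    # The forum trick: City names the real destination, Country is a decoy that the
    # shipping check accepts. Judge the order by the country the buyer actually typed.
    hidden = country_in_city_field(order)
    if hidden and hidden != order.shipping_country:
        reasons.append(f"city field names {hidden} but country field is {order.shipping_country}")
        if hidden in BLOCKED_SHIP_COUNTRIES:
            return Decision("decline", reasons)
    if order.shipping_country in BLOCKED_SHIP_COUNTRIES:
        reasons.append("destination is on the blocked shipping list")
        return Decision("decline", reasons)
    # Controls the report says cardable sites skip: address match and phone check.
    if _norm(order.billing_address) != _norm(order.shipping_address):
        reasons.append("billing and shipping addresses differ")
    if order.amount > HIGH_VALUE_LIMIT and not order.phone_verified:
        reasons.append("high-value order without phone verification")
    return Decision("review" if reasons else "accept", reasons)


if __name__ == "__main__":
    trick = Order(25.0, "12 Rue Example", "12 Rue Example", "Morocco", "FR")
    print(screen_order(trick))
```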
Commodities and roles in phishing and fraud communities
Several different commodities are traded among phishers and fraudsters. Following is a list of some of the
compromised resources that users have been observed attempting to trade:
Western Union accounts — Western Union is popular because funds are sent instantly and are not traceable or
recoverable.
credit card numbers — typically CVV2 numbers are required as well for these to be considered of any value.
PayPal accounts
Skype accounts
online banking accounts
counterfeit currency — counterfeit money is printed and sent via mail. Here’s an example of someone soliciting
counterfeit currency:
[Jamal] i need some 1 to make alot of 20 dollar bills
[Jamal] cuz i live in canada
[Jamal] we can make alot of money if u can
[Jamal] i will use it at other stores and return the item
[Jamal] if u can make copies of the bill and send them to me and i change it
to real money and i will send u half via western union
Steam accounts — Steam is an online gaming service provided by Valve Corporation.
e-gold accounts — Similar to Western Union, e-gold is also popular among fraudsters because funds are sent
instantly and are not traceable or recoverable.
root or administrative access to servers — compromised servers are commonly used to host phishing websites
and are often referred to as “roots” by participants in these chatrooms and forums.
email address lists — these are used either for spam advertising or for targets of a phishing scam.
FedEx online accounts
eBay accounts — compromised eBay accounts are used to create fake auctions with the identity of legitimate
sellers with honest reputations. Potential bidders on eBay auctions typically verify the integrity of the seller by
viewing feedback left during previous auctions. Because the attacker has assumed the identity of an honest
seller, potential buyers are more likely to bid on their fake auctions. Accounts with higher positive feedback are
of higher value.
eBay feedback — this involves collaboration between two parties while they create a mock auction on eBay.
One party will create an arbitrary auction for a nonexistent product and provide the details of the auction to the
other party. The other party will then bid on this auction, and ensure they’re the winner. No product exchange
or transaction will be made, but they will take advantage of the opportunity to leave positive feedback for each
other. Depending on the number of times this process is repeated, the fraudster will appear to be a legitimate,
honest seller with a good reputation. This will increase their chances of having other eBay users bid on their
fraudulent auction, after which they will accept payment with no intention of providing the item. Phishers use a
large number of compromised eBay accounts to allow them to provide feedback from unique users every time.
Unsecured email relays — often manifested as PHP scripts, these are used to distribute spam and phishing
emails.
All of these commodities are traded and sold either via impromptu IRC chat conversations, or in an organized
fashion through the online forums where the seller can obtain a “vendor” account and conduct business. This
allows them to post a structured price list; users will provide feedback on their experiences making transactions
with that vendor, which provides some accountability. There is typically a fee and a verification process
associated with obtaining a vendor account.
The following examples taken directly from an online forum illustrate that several of these “vendors” take their
business seriously, in some cases even offering promotions, sales, and guarantees.
Examples of vendor postings
A fraudster operating under the name “earnmoney” sells credit card information, offering prepaid phone cards
on orders exceeding a set amount. For a small surcharge, customers can request a specific Bank Identification
Number (BIN) or a specific gender.
earnmoney
Reviewd CVV2’s Vendor
Join Date: Jan 25th, 2005
Posts: 26
earnmoney is on a distinguished road
Smile Buy Cheap Cvv2s And Get Gifts
Hello all carders !
Iam glad to offer my service to serve all you guys.
Iam selling US cvv2 with NO LIMIT (UK & Canadian and International cvv2s will be
available soon)
* Cvv2s have the following information :
– Card Number
– Card Expiry
– CVV2
– First & Last Names
– Address & City
– State & Zip/Postal code
– Country (US)
– Phone #
======= Here is the price ========
* For US cvv2 :
1 -> 40 cvv2s : $1.5 per card
100+ cvv2s : $1 per card
* For UK ccs : 1$ per each (come with : Name, Address , Town, County, Postcode,
Ccnumber, exp, fromdate, and issue number)
* If you request the following information for Cvv2:
Special Card Type +$0.50
Email, Password +$3
Special Gender +$2
Special bins : +$1
* Special Offers :
If your order > 50$ , u will get a calling card with 5$
If your order > 100$ , u will get a calling card with 10$
If your order > 200$ , u will get a calling card with 20$
A vendor operating with the name “mindtrip” offers COB (Change of Billing) services for various credit cards.
This is useful to carders because it allows them to modify the billing address to match the address of their drop
point, increasing their chances of making inconspicuous transactions. The price differences among credit cards
likely reflect their usability. For example, a Discover card is not as widely accepted as a card such as American
Express, and because of this, it is less desirable to someone attempting to make fraudulent transactions.
This seller also advertises SSN searching, credit report searching, driver’s license searching, and “dumps” (larger
quantities of stolen credit cards). For a mere $30 USD, any arbitrary individual can enlist mindtrip’s services to
obtain a full credit bureau report, including credit score, for the individual of their choice.
Below his posting, a user replies and asks what specific information is provided with the cards:
mindtrip
Reviewed COB Seller
Default Cobs – SSN Searches – Credit Reports – DUMPS
I am selling cobs of the following banks
Discover
FirstUsa
MBNA
Fleet
American Express
Prices:
Discover: 50$ ANY BALANCE
Fusa: 75$ ANY BALANCE
Mbna: 85$ ANY BALANCE
Fleet: 85$ ANY BALANCE
Amex: 85$ ANY BALANCE
All banks currently have 9k+ accs, so first come first serve
I am also offering SSN/DOB Search and Credit Reports
SSN/DOB Search – 3$ ( DOB not always guaranteed )
Credit Reports – 30$ Experian/Equifax/Trans Union w/ Credit Score
Vehicle Search – 14$
DL Search – 14$
SPECIAL: 50 DUMPS , MIXED VARIETY OF US DUMPS FOR 150$ – ALL CHECKED FOR VALIDITY
US Dumps
—————-
US Classic :: $10
US MC Standard :: $10
US Gold :: $15
US Platinum :: $20
US Purchasing/Signature :: $25
US Bussines/Corporate :: $30
US MC World :: $15
Amex ALL :: 40$
Discovery ALL :: $30
Dinners ALL :: $35
Canada Dumps
—————-
Canada/Classic :: $15
Canada/MC Standard :: $15
Canada/Gold :: $35
Canada/Platinum :: $50
Canada/MC World :: $50
EU dumps
—————–
EU/Classic :: $45
EU/MC standart :: $50
EU/Gold :: $100
EU/Platinum :: $130
EU/Bussines/Corporate :: $140
Payments:
EGold – WMZ
Contact:
E-Mail – mindtriporders@safe-mail.net
ALL CARDS ARE GUARANTED WITHIN 48 Hours . I will replace declined cards for you .
Quality of cards is 90 – 99%
Accepted Payment : E-gold (No Minimum) and WU (Minimum 100$)
***** Contact me ******
YIM : vnhackings@yahoo.com
MSN : seamid41@hotmail.com and vnhacking@gmail.com ( only chat , just add both of
them)
If you are interested in , just contact me or Pm me . Thanks.
Cheers !!!

saint7
Newbie
Hey sir, what info comes with your cards??? Especially the american express.
Best of luck.

mindtrip
Reviewed COB Seller
login
pass
ccnum
exp
cvv
name
billing address
primary telephone
city
state
zip
ssn
dob
mmn
pin ( sometimes )
A seller using the name “blindroot” offers root accounts or administrative access on compromised servers, as
well as unprivileged shell accounts. These are commonly used to host phishing web pages or relay email:
Blindroot
Verified Root Seller
Talking Roots for sell
Prices:
1-9 roots without php and smtp – 20$ per root
10 or more roots without php and smtp – 16$ per root
1-9 roots with php and smtp – 30$ per root
10 or more roots with php and smtp – 25$ per root
I also provide shells.
8$ per shell. You can also put there scam/php mailer (but it does down faster then
root)
Payment ONLY with E-Gold.
No WU or WIRE.
PM for more info.
Don’t ask me how to set up scam page, php-mailer, otherz..
NO SUPPORT FOR ROOT. I sell only access to root, not my support. Remember that.
MSN: blindroot@yahoo.com
YM: blindroot@yahoo.com
New hot roots avaiable!!!
The author of the Win32.Grams Trojan, which is designed to steal e-gold balances from infected systems, sells
copies of the Trojan preconfigured to deposit stolen money in the account of the customer’s choice. One user
purchases this software and provides positive feedback (omitted below for the sake of brevity) and
“win32.grams” provides a follow-up thanking the user for the feedback and clarifying some information
regarding his service:
win32.grams
Reviewed Win32.Grams Seller
Hello members of ccpower!
I’m here to do business thus i’ll be short and on the subject.
I’m here to sell a working version of win32.grams trojan, for those who don’t know
what this trojan does i will explain. It simply steals all the e-gold from the
victims account and transfers all the gold into your account. Simple and efficient.
The trojan has been tested succesfully with WindowsXP (al SP’s) and works ONLY on
IE(Internet Explorer).
If any bugs are found it is my responsibility to fix them immediately.
The price for this wonder trojan is only 1000 dollars and I accept only WU / MG and
e-gold.
If you are interested in buying the program feel free to PM me or contact me on ICQ
: 226-702-789 and recive a demo version to prove our credibility.
The demo version is made to prove to quality of the trojan and not for spreading.
It’s same as the full version except it is a debug version and doesn’t load the last
page of from e-gold (most important) and it’s a pretty file aproximatly 2mb.
——
win32.grams
Reviewed Win32.Grams Seller
Thank you Morinex for your honest and sinceer review.
I’m am sorry that i haven’t been more clear from the first telling you people that I
am not selling the source code.. i thought i explained l8r in the thread .. and it
was obvious .. i’m sorry and i wish to take this opuritunity to clear this out.
The source is NOT for sale and the reasons are simple.
If the source gets public there would be alot more hard for us to recode an
undetectable version for each customer.
If we sell the source, it will get public .. because we all have friends plus .. you
can just resell the source code, also making it public thus so verry detectable.
Morinex, you are talking about bots wich is a verry different subject, i beg you
search the internet for Trojan sellers and see if any of them is selling the
sourcecode.
I am giving you the trojan unpacked for you to be able to check it for backdoors or
other stuff. You stated yourself that you tested it and it sends all the money
(thouse few cents need to be there so the account to exist, make a new account and
you’ll see you have few cents there) still you dubt me. It is unfair that you make
this remarks. It is just not posible to be more transparent than this.. i cannot
give you the source code and i will not. But untill now everything i sayed was true
and i haven’t decived any of my customers. I am allways opened for
questions/suggestions/remarks, feel free to ask me.
Again, thank you for your honest feedback.
Yours, win32.grams
An individual named “free_prisoner” also provides credit cards, but includes PayPal and eBay information for an
additional surcharge. Requests for a specific gender carry a $2 surcharge:
free_prisoner
Reviewd CVV2’s Vendor
Arrow Yet Another CVV2’s Supplier
Hey bros and frnds,
I am glad to announce offering more services to help you make more money and have
good stay with CCPower Community
I am selling US (only for now) CVV2’s. Cards available are Visa, Master, AE and
Disc.
It’s All have the following info:
– Card Number
– Card Expiry
– CVV2
– First & Last Names
– Address & City
– State & Zip/Postal code
– Country (US)
– Phone #
– IP Address
Price for cards with above info:
1~19 $2 per card
20~99 $1.5 per card
100+ $1 per card
The following informations can also be requested with CVV2’s if paid it’s addon
prices:-
(Paypal & Ebay are not available all the time)
Special Card Type +$0.50
Email, Password +$5
Paypal Password +$3
Ebay ID, Password +$3
Special Gender +$2
Contacting Methods:
BM me here or contact on yahoo sms_gate_keeper
Payment Method:
Only Egold will be accepted as payment method.
Thanks and Good Luck
A user named “elit3” also offers several services:
elit3
Reviewed Fulls, CoB and Paypal Seller
Default Paypals..Full Info..Cobs for sale.!
Hi ALL members..
Elit3 the reviewed vendor CP,SamuraiNetwork.
and Darker’s tech in TG,CP,SC,CA is back.
The Cheapest price around.
The Highest quality.
Best offers.
-Verified
My services & prices
1-Cobs
user,pass,CC info,ssn,mmn,dob,dl number,IP address,paypal,checking
account,routing,pin if included.
Price.
ANY COB 1-3K =150$
ANY COB 3-7K = 170$
ANY COB 7-10K = 200$
OVER 10K = 250$
2-Full infos
prices
1full=10$
ALL fulls come with
ssn-dob-mmn-ip addie
and the special is
e-mail address n password if present
DL number you know what’s the dl no. for
accounting//routing number if present
==================
full is for 10$
min is 100$
==================
you can ask any state
but u won’t get free 2 fulls
if age and sex asked so it will be for 20$
====================
never ask for specific bins maybe banks but dunn tell me if credit or debit.
==========================
back ground report with full info
for extra 5$
====================
3-PayPals
e-mail address & password.
1-unchecked paypals but fresh ones.
so u can check and use the good ones.
Price 1 unchecked paypal=1$
min is 50 paypal.
2-verified with mail access.
1paypal=20$
min is 5 paypals.
Payment
e-gold.
wu for orders over 500$
Contact
icq : 84335404
aol : drunker1980
msn : elit3_orders@hotmail.com
e-mail : elit3_orders@hotmail.com
A user known as “pincasher” advertises his cashier services for ATM cards, and promises an 8-hour turnaround
time:
Pincasher
Reviewed PIN Cashier & e-Gold Exchanger
Thumbs up ATM pins cashout service reborn!
hy there.
Now my service to the board start again.i hope i will be faster,more serious and
some new banks cashable too.
The rules are here:
-cashout in maximum 8 hours,depends of timing.
-contact by PM and YM ONLY.
-i reserve my right to refuse some guys from here(since i was threaten by some guys
).
-if someone say i ripp or cheat ,MUST proove it.Othervise,it deserve to be banned.
-payments by WU or e-gold,upon arrangements.DONT SEND ME PINS WITHOUT AGREEMENTS!
good luck spamming.
regards to all members. special cheers to my special frends
Raghu,goodbutdangerous,linuxtm ,Dunhill and so on.
P.S.
Sale please contact me on YM or PM.
A user called “Selltoanyone” offers eBay accounts and provides volume discounts for larger orders:
Selltoanyone
Reviewed CCs & eBay Seller
Default eBay user account and Cards for sale !!!
eBay user account and Cards for sale !!!
eBay user account`s : 1-10 $5 USD each
eBay user account`s : 10-100 $3 USD each
eBay user account`s : 100-1000 1 USD each
eBay user account`s : +1000 $0.50 USD each
Cards : 1-10 $7 USD each
Cards : 10-100 5 USD each
Cards : +100 3 USD each
Here are the infos on the cards :
.:Personal information:.
Name:
Street:
City:
State:
Zipcode:
Country:
Dayphone:
DOB: //
.:Credit Card information:.
Credit Card Number:
Exp. Date:
Card type:
PIN:
CVV:
Payment by e-gold only !!!
Contacting me by E-mail selltoanyone@mailvault.com
Contacting me by YM Totcevreagiul
Contacting me by MSN selltoanyone@hotmail.com
Thank You and enjoy my service !!!
Another cashier, “bannie”, offers a 50/50 cashing service and as much as 35/65 for preferred clients.
bannie
Reviewed PIN Cashier
Thumbs up Welcome to BANNIE’S CASHOUT SERVICE !!!
Dear Customers,
I’m Bannie – a new cashout vendor on this board. I’m very happy when provide this
service for all of members.
1. What do you need to use my service ?.
– First at all you need contact me to see my bin list (will be updated frequency)
– After that if your infos (ccnumber,exp,cvv2,PIN) match with my list so you’re
welcome to my service.
2. What do you get when using my service ? :
– The reciept of your infos, it show how much money has been withdrawed from the
balance.
– 50% of money from the reciept (if you’re a good provider your share is 65%).
– Payment has been made to you via Egold or Western Union when your order has been
processed (most of them are the same day).
3. How to contact
* I’m online 24/7 – on my ICQ : 302257411 or YM!: bannie79
* If you need in detail about my service plz leave your email, your request or your
questions on my ICQ or YM!.
4. Terms & Conditions
– You only have the money if your info match with my bin list and the PIN is
correct.
– Only contact with me when you’re ready to use my service, i will not reply if you
ask something about not relate with the service of mine (it’s mean you’re welcome to
my ignore list).
– Plz only post on my thread about feedback so that i will improve my service
better.
Thanks for your interest and good luck to all of members.
Best regards,
Bannie
__________________
Customer service : ICQ 302257411 – YM!: bannie79 – Email to contact bannie@hush.com
—————————————————————-
Here is the list of websites that can send your E-gold money to you by check, money
order, wire transfer or exchange it to another e-currency.
—————————————————————
IceGold – https://www.icegold.com
Redeem your money, any country, by a bank wire.
—————————————————————
Business Express – https://www.business-express.net
Redeem your money at any country by Western Union.
—————————————————————
GoldNow – https://www.goldnow.st
Exchange between E-gold, EVOcash, GoldMoney or e-Bullion currencies.
—————————————————————
NetPay – https://www.netpay.tv
This site provides a debit card internationally. Once you have a card with them, you
can transfer your E-gold money to that card and then withdraw cash using an ATM at
any country in the world.
—————————————————————
The websites below differ from the above ones because they only operate with certain
countries:
OmniPay – https://www.omnipay.net/secure/payment.asp
Operates with:
– United States
– Canada
– Denmark
– Japan
– Great Britain
– France
– Switzerland
– Australia
—————————————————————
Asian Gold – https://www.asianagold.com/
Operates with:
– China
– Hong Kong
– South Korea
– Singapore
– Thailand
– Macao
—————————————————————
Russ Service – https://www.russervice.de
Operates with:
– Russia
– Ukraine
– Belarus
– Moldova
– Uzbekistan
– Kazakhstan
– Kyrgyz Republic
– Armenia
– Georgia
– Azerbaijan
– Tajikistan
– Turkmenistan
– Estonia
– Latvia
– Lithuania
—————————————————————
E-gold has most affiliated Merchants on a special page. You can find these by
clicking on «Contact» then look for a question regarding «How can I get my money?»,
click that link and on the page that loads click on the pertinent link. You then see
a page with many logos of companies that exchange e-gold for currency, such as OMNI.
If your country is not covered by the websites listed above, take a look at the
following links:
https://www.e-gold.com/unsecure/links.htm
https://www.golddirectory.com ( https://www.golddirectory.com/e-gold.htm )
Interdependence within the phishing community
To successfully launch and profit from a phishing attack, many roles must be fulfilled. Most often, attackers don’t
have the skills to perform all of these tasks, and therefore must rely on each other to specialize in a given area.
Fortunately, many of the phishers aren’t technically advanced enough to exploit software and to compromise
systems, nor do many of them appear to be able to effectively use utilities and bots created to automate such
tasks.
Here are some of the different roles required to complete an attack:
1. Spammers — responsible for disseminating the phishing emails to as many addresses as possible.
2. Web designers — responsible for creating the phishing websites and having them appear as legitimate as
possible.
3. Exploiters — typically “script kiddies” who gather hosts (referred to as “roots”) that can be used to host a
phishing site or a spam relay. In some cases, these individuals will compromise credit card databases directly
to harvest credit cards, skipping the phishing stage entirely.
4. Cashiers — capable of withdrawing funds from a compromised card or bank account.
5. Droppers — able to receive carded merchandise at an untraceable drop point.
Below is an excerpt of an IRC log where “PaPaRiNu” is asking for help on how to operate a bot’s scanning and
propagation routines. He has pasted what appears to be the output of a status command for this bot, which
displays the number of successful exploits for a number of propagation vectors.
who are here ?
[SCAN]: Exploit Statistics: lsass135: 0, lsass445: 2, lsass1025: 0,
NetBios: 0, NTPass: 0, Dcom135: 0, Dcom445: 0, Dcom1025: 0, IIS5SSL: 0, MSSQL: 0,
Beagle1: 0, Beagle2: 0, MyDoom: 0, Optix: 0, UPNP: 0, NetDevil: 0, DameWare: 0,
Kuang2: 0, Sub7: 0, Total: 2 in 0d 8h 58m.
how i get this shell ?
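A status line like the one pasted above is useful to an incident responder as well as to the bot’s operator: it names the propagation vectors that actually worked against the scanned network. The following parser is an added example written for this report, not code from the original or from the bot; it takes the status line as shown on the page, extracts the per-vector hit counts, checks the bot’s own total against them, and derives the ports worth checking at the perimeter. The assumption that the trailing digits of the lsass/Dcom names are target ports is ours.

```python
import re

# Constructed sample: the bot status line pasted in the IRC excerpt above,
# re-joined onto one line (the counts are the ones the page shows).
SAMPLE_STATUS = (
    "[SCAN]: Exploit Statistics: lsass135: 0, lsass445: 2, lsass1025: 0, "
    "NetBios: 0, NTPass: 0, Dcom135: 0, Dcom445: 0, Dcom1025: 0, IIS5SSL: 0, "
    "MSSQL: 0, Beagle1: 0, Beagle2: 0, MyDoom: 0, Optix: 0, UPNP: 0, "
    "NetDevil: 0, DameWare: 0, Kuang2: 0, Sub7: 0, Total: 2 in 0d 8h 58m."
)

# Grammar of the status line as it appears on the page: a "name: count" list,
# then a running total and an uptime in days/hours/minutes.
STATUS_RE = re.compile(
    r"\[SCAN\]: Exploit Statistics: (?P<pairs>.*?)\s*Total: (?P<total>\d+) in "
    r"(?P<days>\d+)d (?P<hours>\d+)h (?P<minutes>\d+)m"
)


def parse_scan_status(line):
    """Return {'counts': {vector: hits}, 'total': n, 'uptime_minutes': m},
    or None when the line is not a bot status line."""
    m = STATUS_RE.search(line)
    if m is None:
        return None
    counts = {}
    for pair in m.group("pairs").split(","):
        pair = pair.strip()
        if not pair:
            continue  # trailing comma before "Total:"
        name, _, hits = pair.partition(":")
        counts[name.strip()] = int(hits)
    uptime = (int(m.group("days")) * 24 + int(m.group("hours"))) * 60 + int(m.group("minutes"))
    return {"counts": counts, "total": int(m.group("total")), "uptime_minutes": uptime}


def successful_vectors(status):
    """Vectors with at least one successful compromise, most hits first."""
    return sorted((v for v, n in status["counts"].items() if n > 0),
                  key=lambda v: (-status["counts"][v], v))


def total_is_consistent(status):
    """The bot's own 'Total' should equal the sum of per-vector hits; a
    mismatch means the line was truncated or the pasted output was edited."""
    return sum(status["counts"].values()) == status["total"]


def vector_port(vector):
    """Port a vector name embeds (lsass445 -> 445); None for names without one.
    Assumption for this example: the trailing digits of the lsass/Dcom names
    are the port the exploit targets."""
    m = re.search(r"(\d+)$", vector)
    if m and vector.lower().startswith(("lsass", "dcom")):
        return int(m.group(1))
    return None


if __name__ == "__main__":
    status = parse_scan_status(SAMPLE_STATUS)
    hits = successful_vectors(status)
    print("vectors with hits:", hits)
    print("ports to check on the perimeter:", [vector_port(v) for v in hits])
    print("total consistent:", total_is_consistent(status))
```

Run against the sample, the only vector with hits is lsass445, which points at TCP/445 exposed from the scanned range; the consistency check guards against acting on a pasted line that was cut short.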
No honor among thieves
A significant problem in the fraud community is actually fraud itself. Because of their interdependence, phishers
are often required to trust each other with sensitive data. A common example is when one individual has
sufficient credit card or bankcard information to retrieve funds from an account, but is unable to perform the task
of withdrawing cash, either due to a lack of knowledge or from fear of being caught by authorities.
In this case, they will enlist the services of a “cashier” who can withdraw cash (e.g. by physically creating
fraudulent cards and replicating the original using the data provided, doing a wire transfer to another account, or
perhaps forging and cashing checks). This offers little security to the individual providing the account information,
because the cashier may simply keep all of the funds rather than send a share back as promised. Those who
steal credentials or funds rather than provide the service as agreed upon are known as “rippers” and are banned
from the channel or the network. To minimize this problem, the channel operators have a verification process for
channel regulars who wish to be cashiers.
Topic (#CCpower): changed by Security: .:: CCPower ::. RULES: @/+v verify first,
NOTE: English only, Ripper logs show to Ops/@. Irc.CCpowerOnline.Net &
Irc.IrcAgents.Net & Irc.RealCashout.net & Irc.DarkUnix.net , Enjoy Your Stay!
(z00m^x)
The following two messages illustrate the procedure one has to follow to attain the “verified” status. These
messages were copied verbatim from the CCpower.info threads dealing with seller verification. The authors of
the messages appear to hold administrative privileges on the forum.
Ok guys, there is the deal,
If you guys are providing any services(Credic Reporting,Drops,Bank
Drops,Spamming,ID’s,Selling Stuff, etc)
And you want to be reviewed, You can PM me after sending $150 to CCpowerforum’s EGold
account, If we found you can do the stuff what you claimed, we’ll post insame
thread about your service(s) and we’ll change your status to «Reviewed Vendor».
* For Cashing you need to send $500.
Before you PM Romeo to be Reviewed, please read these rules,
*- DONOT PM before sending $150 to CCpowerforum’s E-Gold Account, else i’ll ingore
your PM.
*- You gotta give us your personal info (whatever we ask) & Stuff You’re
Selling/Offering.
*- for more details, please read this post
https://www.ccpowerforums.com/forums/showthread.php?t=4082
P.s (This thread is not for public discussion so im closing it, we’ll only post
about «Reviewed Vendors» in this thread.)
Raghu & Romeo
Hi
Welcome back again to CCpowerForums.com.
Here is The Rules for this section.
1. The seller/service provider MUST HAVE TO DONATE $150 (USD) to start business
here. Posting topic to start business without Donation will be delated immedietly
and will have to pay $50 more as a punishment. (ALL Payments through E-gold Only.)
2- You must keep all PMS safe, if you make a deal with someone, we might need it as
a log if you got ripped.
3- All Sellers/Buyers MUST provide us their personal info (whatever we ask), we
will take action if you got ripped by them.
4- All Cashing service Providers contact me to verify their services.
5- You can only post ONE thread in a week, if you wanna sell/trade something else,
edit you old thread instead of making a new one. Otherwisre your thread would be
removed without any warning.
6- Use this URL to send us your E-GOLD payments
Click for Donate $150 USD
Click for Donate $200 USD (include $50 Fine)
more rules are coming…
the rules applied for only Seller/service provider.
Sellers:
CC, cvv2, full info, staff, software, mathodes etc.
service provider:
Cashout service (WU, PIN, e-gold, paypal, webmoney, moneygram etc).
No donation requred for exchange stuffs.
No donation requred for buyers.
Thank You
Raghu & Romeo
The verification process itself appears to be relatively simple. The site operators demand a fee from anyone
wishing to conduct business via the site. Furthermore, personal information of the applicant must be provided to
the site operators.
Another tactic is the distribution of malware purporting to be a utility that may provide some benefit to phishers.
Examples include SMTP server scanners, vulnerabilities in online payment systems, and FTP server exploits. We
saw several filenames posted, all of which claim to be a unique utility, but are actually the very same malware —
all have a matching MD5 hash value. Having analyzed these malware programs, we found them to be remotely
accessible Trojans packed with the FSG packer. The functionality of these Trojans is similar to that of Back Orifice
and Subseven, allowing a remote attacker to perform administrative tasks and spy on the victim.
https://teamstudents.com/Boa.zip
new western union bugs https://www.kerkida.net/wu_mtcnbugz.zip
12who needs hacked host = new version of windows upload host hacker
https://www.musicorner.net/wu_admin.zip
who needs hacked host = new version of windows upload host hacker
https://www.musicorner.net/wu_admin.zip this is virus dont accept
its an exploiter
to exploit hosts
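The analysts recognised the “different” utilities above as one and the same file because their MD5 values matched. The block below is an added example, not the report’s or any project’s code, of that triage step on a set of downloaded archives: it groups filenames by content hash so renamed copies of one payload surface as a single group. The file contents are fabricated for the example; only the filenames echo the postings, and SHA-256 is used for matching alongside the MD5 the report quotes.

```python
import hashlib

# Constructed sample: archive names from the postings above with fabricated
# contents. Three names wrap one payload, mirroring the analysts' finding.
_SHARED = b"MZ\x90\x00constructed payload bytes, not the real Trojan"
SAMPLE_FILES = {
    "Boa.zip": _SHARED,
    "wu_mtcnbugz.zip": _SHARED,
    "wu_admin.zip": _SHARED,
    "host_scanner.zip": b"MZ\x90\x00a different constructed payload",
}


def digests(data):
    """MD5 (what the report compared) alongside SHA-256, which should be the
    key used for matching today, since MD5 collisions are practical."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def group_by_hash(files, algo="sha256"):
    """Map digest -> sorted list of filenames whose content has that digest."""
    groups = {}
    for name, data in files.items():
        groups.setdefault(digests(data)[algo], []).append(name)
    return {h: sorted(names) for h, names in groups.items()}


def duplicate_groups(files):
    """Filename lists that share byte-identical content, largest group first."""
    dupes = [names for names in group_by_hash(files).values() if len(names) > 1]
    return sorted(dupes, key=len, reverse=True)


def is_known_payload(data, known_sha256):
    """True when a newly posted file matches a payload already analysed."""
    return digests(data)["sha256"] in known_sha256


if __name__ == "__main__":
    for names in duplicate_groups(SAMPLE_FILES):
        print("same content under different names:", ", ".join(names))
    known = {digests(_SHARED)["sha256"]}
    print("Boa.zip already analysed:", is_known_payload(SAMPLE_FILES["Boa.zip"], known))
```

Keeping the SHA-256 set of analysed samples lets later postings of the same Trojan be discarded without re-analysis, whatever name or URL they are given.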
During discussions of cardable websites on the CCPower.info forums, one user is accused of reporting a fake
cardable merchant with a suspicious lack of security measures. Presumably, his motive is to have carders try to
use their stolen credit cards to purchase items through a site under his control, causing them to unknowingly
divulge their stolen credentials to him. This is somewhat ironic, since he is attempting to pharm information that
had been obtained by phishing! The allegations demonstrate a general distrust among the community, and may
indicate that this type of activity has been seen before.
Originally Posted by hazard
Brothers. This is my best and easiest cite to card. no need for proxy diff bill
ship . NO verification of any type. FOR SNOWBOARDS. Dont fuck it up please
brothers. Ships worldwide.
www.boardsforless.com
Inhm, I think its a scam. The site doesnt look ‘pro’ and the many products are at
0,00$ … but they worth 300.00$ (as written on the page) lol…
Conclusions
By observing the activity of fraudsters on two key communication channels, we have determined the following:
1. Fraudsters use these dedicated channels to advertise their services to other fraudsters and to request various
services they may need.
2. Novice attackers can find detailed instructions in the art of online fraud (e.g. how to obtain credit card
numbers, where to purchase goods online using fraudulent data, etc.).
3. Vendors of illicit information conduct their business online in a serious way (e.g. they post price lists for their
wares, offer promotions, etc.)
4. Fraudsters rely on a sort of division of labor to achieve their goals (e.g. those with fraudulent card data may
hire a cashier to help them perform cash withdrawals).
5. This division of labor among thieves gives rise to an interesting phenomenon — some fraudsters (known as
“rippers”) renege on agreements to provide cash for stolen data, and simply keep the data without paying
the vendor.
Honeypot compromise and fraud activity
Since the deployment of the DeepSight Honeypot Network, we have been able to observe numerous fraud-related
attacks. These attacks have targeted both Windows and Linux operating systems. While fraudsters attack
Windows computers typically to steal information from the user, attackers tend to target Linux systems to host
fraudulent sites or to set up proxies when contacting other nefarious users. These trends are most likely
attributed to the fact that the most fruitful target base is the Windows desktop environment.
The compromise of DeepSight Honeypot systems has often highlighted the lack of sophistication in many of the
attackers involved in this type of fraudulent activity. A prime example is a compromise that occurred on March
15, 2005, where the attacker was actually observed numerous times on different days carrying out the exact
same attack.
In these situations, a DeepSight Honeypot was compromised using a public and quite old OpenSSL client-side
vulnerability (i.e. certificate buffer overflow). Although a fraudster may not bother to use a more sophisticated
attack simply because such a trivially exploitable vulnerability is so readily available, the lack of similar
compromises on more secured honeypots would suggest that the real reason is in fact a lack of sophistication on
the attacker’s part, rather than a deliberate, intelligent selection of a vulnerability.
After having effectively established shell access to the computer, the attacker then uploaded a copy of the
popular Adore rootkit and an exploit toolkit containing various public exploits. The attacker used the rootkit to
hide the presence of the uploaded files. This extra precaution taken by the attacker is more than can be said for
many of the compromises observed, but it still lacks expertise. The shell connection or transfer of these files
didn’t include any sort of data obfuscation or encryption, a very common oversight in amateur attacks.
Following the successful compromise of the system, the attacker then proceeded to connect to fraud-oriented IRC
channels on an unencrypted public IRC network. The server used on this particular attack was
Amsterdam2.NL.EU.undernet.org. This lack of covertness once again highlights the utter lack of
sophistication of this attacker, since IRC operators, administrators on the local subnet, or an ISP would be
capable of trivially capturing logs of the activity.
Despite the obvious flaws in this communication mechanism, numerous people occupied the channels, which
sported names like #ccard, #economics2, and #OnlineBanking. Of most interest to us was the activity
observed in the #ccard channel, which was occupied mostly by Romanians. To join this channel, new users must
be voted in by existing users or at least by a group of users authorized to do so. Due to the language barrier, it
was difficult to determine what was going on most of the time, but we still managed to obtain some interesting
findings (detailed below).
The most common posts to the channel involve people advertising skills they possess or seeking other people
who possess skills required by an attacker. This corroborates information described earlier in the document (see
the section “Interdependence within the phishing community”). Here’s an example of this type of advertisement:
“I Can Cash Out ZIP NETWORK , PEOPLES BANK , MONEY ACCESS , REGIONAL , TCF ,
COMERICA , HUNINGTON , and more other banks , your share is 50 % . I need Suplier
for a long time bussines /msg OverCash for a safe bussines .”
Evidently, this person is looking for other people who have been phishing, hacking, or sniffing credentials from
victims, perhaps because he can’t obtain the money himself without being caught by law enforcement. Such
messages are extremely frequent, and the number of banks targeted largely exceeds the small list in the
message above.
Of note was the bot found in the #ccard channel that messaged users when they joined informing them that
they may type !command to receive a list of commands supported by the bot. It would then say that the bot
was made by McToN| and was designed for use in #ccard. This is the same bot that was found on the
RealCashout IRC network (see the section “Examples of bot usage”), despite the fact that these appear to be
completely independent channels. This suggests that this same bot software may be traded among carders and
used by different groups.
Analysis of a compromised honeypot used in a phishing scam
The Symantec Honeynet recently detected a breached Red Hat Linux system. Upon further inspection, we
discovered that access to the computer was gained by exploiting a vulnerability in the OpenSSL library. The
attacker gained remote interactive shell access with the privileges of the Apache webserver process. The attacker
then attained superuser privileges on the compromised system by exploiting further vulnerabilities. With
superuser access, the attacker installed custom software designed to hide his presence on the compromised
computer. Having secured the computer, the attacker then downloaded and installed an IRC-based remote
control tool. Finally, the attacker placed a complete phishing website on the system.
The captured phishing website
The phishing website mimics the “sign-in” interface of the legitimate and well-known eBay.com online auction
website. The malicious site itself consists of HTML files designed to faithfully reproduce the look and feel of a real
eBay sign-in page. The attacker also installed a set of PHP scripts to drive the fake website.
The index.html page renders in a web browser as follows, looking very much like the legitimate eBay sign-in:
Figure 1. Screenshot of index.html
We conjecture that the victim is first directed to visit the above page. The process of attracting victims to this
malicious website hasn’t been determined for this particular instance, but traditionally this is accomplished by
employing social-engineering techniques, such as mass-emailing to victims specially crafted email messages
containing a link to the phishing site.
NOTE: This particular site was in fact taken down before any victims could fall prey to the scam.
The messages are typically constructed to appear as legitimate messages from the security department of the
institution in question, attempting to convince the recipient of a possible problem with their account.
Phishing emails and forms
The following text excerpt contains an example of such a phishing email. A fake URL (https://signin.ebaay-com.us)
was included in the references section. This URL is clearly formatted (note the spelling of “ebaay”) to
trick potential victims into thinking that it’s innocuous and legitimate. Although this email isn’t associated with the
above phishing website that was captured on the Symantec Honeynet, it’s useful in providing evidence of the
methods typically used in the critical step of carrying out social-engineering attacks intent on tricking potential
victims into visiting a phishing website.
The email below was originally received in HTML format. We added inline numbering to elaborate on what
resources each of the numbered elements in this email actually reference in the original sample:
Subject: Warning ! Credit/Debit card update
[1]Register for eBay
[2][poweredByLogo_112x22.gif]
Dear Valued Customer [3][SYIStart_LiveHelp_75x20.gif]
We regret to inform you that your eBay account could be
suspended if you don’t re-update your account information. To
resolve this problems please [4]click here re-enter your account
information. If your problems could not be resolved your account
will be suspended for a period of 24 hours, after this period
your account will be terminated.
For the User Agreement, Section 9, we may immediately issue a
warning, temporarily suspend, indefinitely suspend or terminate
your membership and refuse to provide our services to you if we
believe that your actions may cause financial loss or legal
liability for you, our users or us. We may also take these
actions if we are unable to verify or authenticate any
information you provide to us.
Due to the suspension of this account, please be advised you are
prohibited from using eBay in any way. This includes the
registering of a new account. Please note that this suspension
does not relieve you of your agreed-upon obligation to pay any
fees you may owe to eBay.
Regards,
Safeharbor Department eBay,Inc
The eBay team.
This is an automatic message. Please do not reply.
[5]About eBay | [6]Announcements | [7]Security Center |
[8]Policies | [9]Site Map | [10]Help
__________________________________________________________
Copyright © 1995-2005 eBay Inc. All Rights Reserved. Designated
trademarks and brands are the property of their respective
owners. Use of this Web site constitutes acceptance of the eBay
[11]User Agreement and [12]Privacy Policy.
[13]TrustE
Figure 2. Actual phishing email
References:
1. https://pages.ebay.com/
2. https://pages.ebay.com/ebay_IBM.html
3. https://pages.ebay.com/help/index.html?ssPageName=h:h:help:US
4. https://signin.ebaay-com.us/sawcgi/eBayISAPIdll/PlaceCCInfo/SignIn-co_partnerId-2pUserId/siteid-0pageType-pa1-i1bshowgif/log.htm
5. https://pages.ebay.com/community/aboutebay/?ssPageName=f:f:US
6. https://www2.ebay.com/aw/marketing.shtml?ssPageName=f:f:US
7. https://pages.ebay.com/securitycenter/?ssPageName=f:f:US
8. https://pages.ebay.com/help/policies/hub.html?ssPageName=f:f:US
9. https://pages.ebay.com/sitemap.html?ssPageName=f:f:US
10. https://pages.ebay.com/help/?ssPageName=f:f:US
11. https://pages.ebay.com/help/policies/useragreement.html?ssPageName=f:f:US
12. https://pages.ebay.com/help/policies/privacypolicy.html?ssPageName=f:f:US
13. https://pages.ebay.com/help/community/png-priv.html
Figure 3. Phishing email reference history
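The reference list makes the trick visible: twelve of the thirteen links point at genuine eBay pages and only the “click here” link (4) leaves the brand’s domain for a lookalike host. The following is an added example, not code from the report, of the check a mail gateway or an analyst can apply to such a list: every link host is tested against the brand’s legitimate zone, and hosts outside it that still imitate the brand name (after dropping separators and collapsing doubled letters, so “ebaay-com” reads as “ebaycom”) are flagged as lookalikes. The trusted zone and brand token are assumptions chosen for this email.

```python
from urllib.parse import urlsplit

# Constructed from the reference list above: the thirteen numbered links the
# phishing email carried, keyed by their number in the sample.
EMAIL_LINKS = {
    1: "https://pages.ebay.com/",
    2: "https://pages.ebay.com/ebay_IBM.html",
    3: "https://pages.ebay.com/help/index.html?ssPageName=h:h:help:US",
    4: ("https://signin.ebaay-com.us/sawcgi/eBayISAPIdll/PlaceCCInfo/"
        "SignIn-co_partnerId-2pUserId/siteid-0pageType-pa1-i1bshowgif/log.htm"),
    5: "https://pages.ebay.com/community/aboutebay/?ssPageName=f:f:US",
    6: "https://www2.ebay.com/aw/marketing.shtml?ssPageName=f:f:US",
    7: "https://pages.ebay.com/securitycenter/?ssPageName=f:f:US",
    8: "https://pages.ebay.com/help/policies/hub.html?ssPageName=f:f:US",
    9: "https://pages.ebay.com/sitemap.html?ssPageName=f:f:US",
    10: "https://pages.ebay.com/help/?ssPageName=f:f:US",
    11: "https://pages.ebay.com/help/policies/useragreement.html?ssPageName=f:f:US",
    12: "https://pages.ebay.com/help/policies/privacypolicy.html?ssPageName=f:f:US",
    13: "https://pages.ebay.com/help/community/png-priv.html",
}

# Assumption for this example: the brand's legitimate zone(s) and the token a
# lookalike host would try to imitate.
TRUSTED_ZONES = ("ebay.com",)
BRAND_TOKENS = ("ebay",)


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def in_trusted_zone(host):
    """Exact zone or a subdomain of it; 'ebay.com.evil.test' does not qualify."""
    return any(host == z or host.endswith("." + z) for z in TRUSTED_ZONES)


def squash(host):
    """Normalise a hostname for brand matching: drop separators and collapse
    repeated letters, so 'ebaay-com' and 'e-bay' reduce to 'ebaycom' / 'ebay'."""
    out = []
    for ch in host:
        if ch in ".-_":
            continue
        if out and out[-1] == ch:
            continue
        out.append(ch)
    return "".join(out)


def classify(url):
    """'trusted' inside the brand zone, 'lookalike' when the host imitates the
    brand from outside it, otherwise 'unrelated'."""
    host = host_of(url)
    if in_trusted_zone(host):
        return "trusted"
    if any(tok in squash(host) for tok in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"


def suspicious_links(links):
    """Map link number -> (host, verdict) for every link outside the trusted zone."""
    return {n: (host_of(u), classify(u))
            for n, u in links.items() if classify(u) != "trusted"}


if __name__ == "__main__":
    for n, (host, verdict) in suspicious_links(EMAIL_LINKS).items():
        print(f"link [{n}] -> {host}: {verdict}")
```

The same normalisation also catches brand-prefix hosts such as ebay.com.evil.test, where the brand appears as a subdomain label rather than a misspelling.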
When the victim visits the captured phishing website, they’re presented with a sign-in form to make the
masquerade seem authentic. The sign-in form action is handled by the PHP script verify.php.
When the victim submits their username and password using the Sign In button on the index.html page, this
script validates the submitted data and presents an error if either the username or password hasn’t been
supplied. Once both credentials have been successfully harvested, they are logged by the script, while the user is
redirected to a page contained in verify.html, which is shown in Figure 4:
Figure 4. Screenshot of verify.html form
The HTML file verify.html is designed to masquerade as a billing profile update form. As can be seen in the
screenshot (Figure 4), the form’s input fields include credit/debit card details as we might expect. But, perhaps
more insidiously, the form also includes fields for Social Security Number details, address information, driver’s
license number, and checking-account details. An attacker could use such information in identity-theft attempts.
When the user clicks the Continue button, a script called ebayISAPI.php then handles the form. This script
performs some very cursory and trivial checks on the data that the victim has just entered. If the supplied data
passes all the error checks, the script retrieves the username and password credentials previously saved during
the authentication phase and stores all the information for later usage.
—————————————————————————-
On Monday 23rd of August 2004 06:02:33 AM the user (82.77.146.144) wrote:
CreditCard Number – 4111411141114111 ; Month – 1 ; Day – 1 ; Year – 2003
UserId – dsadsadsa
Password – asdasdsad
Email – balaci@balaci.balaci
Email Password – balaci
Full Name – balaci
Address – balaci
City – balaci
State – balaci
Zip Code – 12345
Phone number – 123456
Country – United States
CVV – 123
Bank Name – balaci
Bank Routing # – 123456789
Checking Account # – 123456789
Social Security Number – 123456789
Card PIN Number – 1234
Mother’s Maiden Name – balaci
Date of Birth – 1 1 2001
Driver Licence Number – balaci
Figure 5. Sample contents of the <$message> variable
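When a kit like this is recovered from a compromised host, the log it wrote is the list of people who must be notified, and the first triage question is which records are real. The block below is an added example for this report, not the kit’s code: it parses records in the Figure 5 format, validates the card number with the Luhn check the kit itself never ran, masks the PAN for the notification record, and lists which identity fields each victim exposed. The first record is the test junk shown in Figure 5 (its card number fails Luhn, so it is not a victim); the second is constructed with documentation addresses to show a record that passes.

```python
import re
from datetime import datetime

# Constructed sample in the format of Figure 5 above. Record 1 carries the
# values the figure shows; record 2 is invented with RFC 5737 / example.net
# placeholders to show a plausible victim entry.
SAMPLE_LOG = """\
----------------------------------------------------------------------------
On Monday 23rd of August 2004 06:02:33 AM the user (82.77.146.144) wrote:
CreditCard Number - 4111411141114111 ; Month - 1 ; Day - 1 ; Year - 2003
UserId - dsadsadsa
Password - asdasdsad
Email - balaci@balaci.balaci
Full Name - balaci
Zip Code - 12345
CVV - 123
Bank Routing # - 123456789
Checking Account # - 123456789
Social Security Number - 123456789
Card PIN Number - 1234
----------------------------------------------------------------------------
On Tuesday 24th of August 2004 11:15:02 PM the user (192.0.2.10) wrote:
CreditCard Number - 4111111111111111 ; Month - 6 ; Day - 1 ; Year - 2006
UserId - victim01
Password - hunter2
Email - victim@example.net
Full Name - Example Victim
Zip Code - 90210
CVV - 456
Social Security Number - 987654321
"""

HEADER_RE = re.compile(
    r"^On \w+ (?P<day>\d{1,2})\w{2} of (?P<month>\w+) (?P<year>\d{4}) "
    r"(?P<time>\d{2}:\d{2}:\d{2} [AP]M) the user \((?P<ip>[\d.]+)\) wrote:$"
)
SEP_RE = re.compile(r"\s[-\u2013]\s")  # " - " as logged, or the en dash of the printed figure
SENSITIVE_FIELDS = ("Social Security Number", "Checking Account #", "Card PIN Number", "Password")


def parse_kit_log(text):
    """Split the kit's log into records: {'when': datetime, 'ip': str, 'fields': {...}}."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue  # blank line or separator row
        m = HEADER_RE.match(line)
        if m:
            when = datetime.strptime(f"{m['day']} {m['month']} {m['year']} {m['time']}",
                                     "%d %B %Y %I:%M:%S %p")
            current = {"when": when, "ip": m["ip"], "fields": {}}
            records.append(current)
            continue
        if current is None:
            continue  # data before any header is ignored
        for item in line.split(" ; "):  # the card line packs several fields
            parts = SEP_RE.split(item, maxsplit=1)
            if len(parts) == 2:
                current["fields"][parts[0].strip()] = parts[1].strip()
    return records


def luhn_valid(pan):
    """Standard Luhn check; the kit's 'cursory' validation never applied it."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep BIN and last four, which is all a notification record needs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:] if len(pan) >= 10 else "*" * len(pan)


def triage(record):
    pan = record["fields"].get("CreditCard Number", "")
    return {
        "when": record["when"].isoformat(),
        "ip": record["ip"],
        "pan": mask_pan(pan),
        "pan_luhn_ok": luhn_valid(pan),
        "exposed": sorted(f for f in SENSITIVE_FIELDS if record["fields"].get(f)),
    }


def likely_real_victims(records):
    """Records whose card number at least passes Luhn; the rest are test junk."""
    return [triage(r) for r in records if luhn_valid(r["fields"].get("CreditCard Number", ""))]


if __name__ == "__main__":
    for t in likely_real_victims(parse_kit_log(SAMPLE_LOG)):
        print(t)
```

A Luhn pass is a necessary, not sufficient, sign of a real card; issuer confirmation still follows, but it removes the junk records that fraudsters and curious visitors leave in such logs.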
The ebayISAPI.php script then emails the collected victim’s data to the email address l1tere@yahoo.com
with the message subject of xxEBAYxx and a message body consisting entirely of the data collected so far. The
email message has a spoofed source address of Willson FBI@FBI.Gov. The script ebayISAPI.php appears to
contain some FTP functionality designed to save the collected data into a file for later retrieval, but