View Full Version : Phishers of Men
Look at what some lame phisher tried to do to me.
He sent me a fake Bank of America email.
I have no account with them or a very bad memory, because I never had an account.
LOL
Dear Bank of America client,
You have received this email because you or someone had used your account from
different locations.For security purpose, we are required to open an
investigation into this matter.
In order to safeguard your account, we require that you confirm your banking
details.
The help speeed up to this process, please access the following link so we ca
complete the verification of your Bank of America Online Banking Account
registration information.
http://0x40164870/www.bankofamerica.com/sslencrypt218bit/online_banking
... blah, blah, blah ....
Bad English and all.
Here's where it really goes:
http://64.22.72.112/
He's not too bright to leave his folders in plain view.
Look at what he did:
http://64.22.72.112/htdocs
[htdocs]
this is the the website root folder
the default folders found here follow
cgi-bin/
apache2triadcp/
awstats/
phpmyadmin/
phppgadmin/
phpsqliteadmin/
phpxmail/
uebimiau/
phpsftpd/
its not good if you delete/move/rename these
This scammer deserves to be hacked!
LOL
I get this crap all the time, either fake EBay emails or some bank.
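The link in that email hides the server behind a hexadecimal dword host: 0x40164870 is 64.22.72.112, and the "www.bankofamerica.com" part is only a directory name in the path. As an added example (not code from the original post), here is a small Python checker that normalizes the numeric host forms browsers accept (hex, decimal dword, octal parts, dotted quad) and flags a brand name that sits in the path instead of the host; the sample URLs are constructed from the one in the email.

```python
import re
from urllib.parse import urlsplit

# Constructed samples: the obfuscated link from the phishing email plus
# other encodings of the same host that legacy URL parsers accept.
SAMPLE_URLS = [
    "http://0x40164870/www.bankofamerica.com/sslencrypt218bit/online_banking",
    "http://1075202160/www.bankofamerica.com/online_banking",
    "http://0100.026.0110.0160/login",
    "http://64.22.72.112/",
]

def _part_to_int(part: str) -> int:
    """Parse one host component: 0x.. hex, leading-0 octal, else decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
        return int(part, 16)
    if re.fullmatch(r"0[0-7]+", part):
        return int(part, 8)
    if re.fullmatch(r"[0-9]+", part):
        return int(part, 10)
    raise ValueError(f"not a numeric component: {part!r}")

def decode_numeric_host(host: str):
    """Dotted-quad form of a numeric host literal (one 32-bit dword or 1-4
    dot-separated parts in any base), or None if the host is a real name."""
    try:
        values = [_part_to_int(p) for p in host.split(".")]
    except ValueError:
        return None
    if not values or len(values) > 4:
        return None
    # Browser rule: the last part fills all remaining low-order bytes.
    last = values.pop()
    if any(v > 255 for v in values) or last >= 256 ** (4 - len(values)):
        return None
    addr = 0
    for v in values:
        addr = (addr << 8) | v
    addr = (addr << (8 * (4 - len(values)))) | last
    return ".".join(str((addr >> s) & 255) for s in (24, 16, 8, 0))

def flag_url(url: str) -> dict:
    """A numeric host literal, or the brand name appearing in the path rather
    than the host, are both phishing indicators worth surfacing to a user."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    decoded = decode_numeric_host(host)
    brand_in_path = "bankofamerica" in parts.path.lower()
    return {"host": host, "decoded_ip": decoded, "brand_in_path": brand_in_path,
            "suspicious": decoded is not None or brand_in_path}
```

Running `flag_url` over `SAMPLE_URLS` decodes the first three hosts to 64.22.72.112 and marks the first two as suspicious on both counts.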
Moonbat
09-09-2007, 12:29 PM
Firefox catches it as a forgery.
Moonbat
09-09-2007, 01:14 PM
This little phisher is lucky he's patched up all the software he's using to current versions, or else he'd be waaaay screwed. He's running all these services as localhost (i.e. off his own computer).
TIME TO LOAD THE DOS CANNONS! (Yes, DoS is skiddie, but in this case, it's actually gonna harm the person's computer).
Firefox catches it as a forgery.
I didn't need the browser to tell me that! (I use 4 browsers) IE7 also considers it suspicious, but the URL alone was obviously phony. Bad English in the email too was a symptom.
But the biggest giveaway was that I never had any Bank of America account and I've had several previous similar emails.
Fool me once ...
LOL
I've seen so many such scams, that I can smell them a mile away.
This one was especially lame, since it was so easy to track down and he left his folders in public view.
Hotmail often sends legitimate email to the spam folder, but it seems the old 419 scam emails and phony ebay and banking scams never seem to get sent there!
The email connected to the IP 64.22.72.112
and traces to
GA, 30310, Atlanta, 1100 White St SW
Global Net Access, LLC (GNAL-2)
TeliaSonera in (Sweden?) showed up in the trace list using Visual Route, but the trace ended in the USA on the map displayed.
Why Sweden?
====================================================
= VisualRoute report on 09-Sep-07 12:31:58 PM =
====================================================
Report for 64.22.72.112
Analysis: '64.22.72.112' was found in 19 hops (TTL=110). It is a HTTP server (running Apache/2.2.0 (Win32) PHP/5.1.2).
--------------------------------------------------------------------------------------------------------------------------------------------------------------
| Hop | %Loss | IP Address | Node Name | Location | Tzone | ms | Graph | Network |
--------------------------------------------------------------------------------------------------------------------------------------------------------------
| 0 | | 192.168.1.6 | GOOFY-KNOWS-ALL | ... | | | | (private use) |
| 1 | | 192.168.1.1 | - | ... | | 0 | x | (private use) |
| 2 | | 10.111.240.1 | - | ... | | 9 | x---- | (private use) |
| 3 | | 24.93.3.221 | fas1-0-0.rochnygnv-rtr01.nyroc.rr.com | Rochester, NY, USA | -5.0 | 9 | x---- | 24.93.3.0 |
| 4 | | 24.93.3.212 | srp4-0.rochnynwk-rtr01.nyroc.rr.com | Rochester, NY, USA | -5.0 | 21 | -x-- | 24.93.3.0 |
| 5 | | 24.93.3.118 | srp7-0.rochnymth-rtr04.nyroc.rr.com | Rochester, NY, USA | -5.0 | 21 | -x- | 24.93.3.0 |
| 6 | | 24.93.3.178 | srp3-0.rochnymth-rtr02.nyroc.rr.com | Rochester, NY, USA | -5.0 | 20 | -x--- | 24.93.3.0 |
| 7 | | 24.24.7.62 | so-1-2-2.syrcnycsr-rtr03.nyroc.rr.com | Rochester, NY, USA | -5.0 | 30 | --x- | 24.24.7.0 |
| 8 | | 4.78.59.45 | te-3-1.car2.Cleveland1.Level3.net | - | | 31 | -x- | 4.78.59.0 |
| 9 | | 4.69.132.197 | ae-11-11.car1.Cleveland1.Level3.net | - | | 34 | -x- | 4.69.132.0 |
| 10 | | 4.69.132.194 | ae-4-4.ebr1.Washington1.Level3.net | Washington, DC, USA | -5.0 | 45 | -x-- | 4.69.132.0 |
| 11 | | 4.69.134.130 | ae-61-61.csw1.Washington1.Level3.net | Washington, DC, USA | -5.0 | 44 | -x-- | 4.69.134.0 |
| 12 | | 4.68.17.6 | ae-14-69.car4.Washington1.Level3.net | Washington, DC, USA | -5.0 | 45 | --x-- | 4.68.17.0 |
| 13 | | 213.248.88.85 | ash-bb1-113898-link.telia.net | - | | 48 | -x-- | TeliaSonera International Carrier |
| 14 | | 213.248.80.142 | atl-bb1-link.telia.net | - | | 57 | -x-- | TeliaSonera International Carrier |
| 15 | | 213.248.91.14 | globalnet-113073-atl-bb1.c.telia.net | - | | 53 | -x- | TeliaSonera International Carrier |
| 16 | | 207.210.92.142 | - | | | 52 | -x-- | 207.210.92.0 |
| 17 | | 207.210.114.162 | - | | | 55 | -x- | 207.210.114.0 |
| 18 | | 64.22.72.2 | - | | | 63 | --x--- | 64.22.72.0 |
| 19 | | 64.22.72.112 | - | | | 58 | -x- | 64.22.72.0 |
--------------------------------------------------------------------------------------------------------------------------------------------------------------
VisualRoute Report for 64.22.72.112 produced at 12:31 PM on September 9, 2007.
Roundtrip time to 64.22.72.112 (64.22.72.112) average = 58ms min = 41ms max = 68ms
Starting Nmap 4.22SOC6 at 2007-09-08 20:48 Eastern Daylight Time
Initiating Ping Scan at 20:48
Scanning 64.22.72.112 [2 ports]
Completed Ping Scan at 20:48, 0.39s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:48
Completed Parallel DNS resolution of 1 host. at 20:48, 0.09s elapsed
Initiating SYN Stealth Scan at 20:48
Scanning 64.22.72.112 [1705 ports]
Discovered open port 53/tcp on 64.22.72.112
Discovered open port 3389/tcp on 64.22.72.112
Discovered open port 25/tcp on 64.22.72.112
Discovered open port 80/tcp on 64.22.72.112
Discovered open port 21/tcp on 64.22.72.112
Discovered open port 554/tcp on 64.22.72.112
SYN Stealth Scan Timing: About 42.38% done; ETC: 20:49 (0:00:40 remaining)
SYN Stealth Scan Timing: About 52.90% done; ETC: 20:50 (0:01:04 remaining)
Increasing send delay for 64.22.72.112 from 0 to 5 due to 15 out of 37 dropped probes since last increase.
Increasing send delay for 64.22.72.112 from 5 to 10 due to 11 out of 11 dropped probes since last increase.
SYN Stealth Scan Timing: About 69.88% done; ETC: 20:51 (0:00:59 remaining)
SYN Stealth Scan Timing: About 85.28% done; ETC: 20:52 (0:00:34 remaining)
Completed SYN Stealth Scan at 20:52, 256.66s elapsed (1705 total ports)
Initiating Service scan at 20:52
Scanning 6 services on 64.22.72.112
Completed Service scan at 20:53, 10.50s elapsed (6 services on 1 host)
Initiating OS detection (try #1) against 64.22.72.112
Retrying OS detection (try #2) against 64.22.72.112
Initiating gen1 OS Detection against 64.22.72.112 at 278.563s
For OSScan assuming port 21 is open, tcp/22 and udp/41633 are closed, and neither are firewalled
Initiating Traceroute at 20:53
64.22.72.112: guessing hop distance at 18
Completed Traceroute at 20:53, 0.38s elapsed
Initiating Parallel DNS resolution of 20 hosts. at 20:53
Completed Parallel DNS resolution of 20 hosts. at 20:53, 4.09s elapsed
SCRIPT ENGINE: Initiating script scanning.
Initiating SCRIPT ENGINE at 20:53
Completed SCRIPT ENGINE at 20:53, 16.53s elapsed
Host 64.22.72.112 appears to be up ... good.
Interesting ports on 64.22.72.112:
Not shown: 1683 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp?
22/tcp closed ssh
23/tcp closed telnet
25/tcp open smtp MailEnable smptd 1.981-
| SMTP: Responded to EHLO command
| home [66.66.246.122], this server offers 4 extensions
| AUTH LOGIN
| SIZE 5120000
| HELP
|_ 250 AUTH=LOGIN
53/tcp open domain?
80/tcp open http?
|_ HTML title: Index of /
113/tcp closed auth
256/tcp closed FW1-secureremote
266/tcp closed unknown
280/tcp closed http-mgmt
281/tcp closed personal-link
389/tcp closed ldap
415/tcp closed bnet
443/tcp closed https
554/tcp open rtsp?
567/tcp closed banyan-rpc
636/tcp closed ldapssl
716/tcp closed unknown
916/tcp closed unknown
1421/tcp closed gandalf-lm
1723/tcp closed pptp
3389/tcp open ms-term-serv?
Device type: general purpose
Running: Microsoft Windows 2003/.NET
OS details: Microsoft Windows 2003 Server SP1
TCP Sequence Prediction: Difficulty=9999999 (Good luck!)
IPID Sequence Generation: Busy server or unknown class
Service Info: Host: VE952.home
TRACEROUTE (using port 21/tcp)
HOP RTT ADDRESS
1 0.00 192.168.1.1
2 15.00 10.111.240.1
3 0.00 fas1-0-0.rochnygnv-rtr01.nyroc.rr.com (24.93.3.221)
4 0.00 srp4-0.rochnynwk-rtr01.nyroc.rr.com (24.93.3.212)
5 16.00 srp7-0.rochnymth-rtr04.nyroc.rr.com (24.93.3.118)
6 16.00 srp3-0.rochnymth-rtr02.nyroc.rr.com (24.93.3.178)
7 31.00 so-1-2-2.syrcnycsr-rtr03.nyroc.rr.com (24.24.7.62)
8 63.00 te-3-1.car2.Cleveland1.Level3.net (4.78.59.45)
9 172.00 ae-11-11.car1.Cleveland1.Level3.net (4.69.132.197)
10 31.00 ae-4-4.ebr1.Washington1.Level3.net (4.69.132.194)
11 31.00 ae-81-81.csw3.Washington1.Level3.net (4.69.134.138)
12 31.00 ae-24-79.car4.Washington1.Level3.net (4.68.17.70)
13 31.00 ash-bb1-113898-link.telia.net (213.248.88.85)
14 46.00 atl-bb1-link.telia.net (213.248.80.142)
15 250.00 globalnet-113073-atl-bb1.c.telia.net (213.248.91.14)
16 47.00 207.210.92.142
17 47.00 207.210.114.162
18 47.00 64.22.72.2
19 47.00 64.22.72.112
Nmap done: 1 IP address (1 host up) scanned in 304.203 seconds
Raw packets sent: 3561 (161.804KB) | Rcvd: 92 (4930B)
He left some interesting ports open.
:)
Ezekiel
09-09-2007, 03:02 PM
I looked at this topic earlier, ran nmap and all of his server software seems to be up-to-date. No public vulnerabilities.
I guess that leaves denial-of-service attacks and spamming the hell out of any email accounts located on that server.
Or, reporting him to his ISP to get his connection shut off. I suppose sending mass spammings spoofed from his address would achieve the same effect.
Moonbat
09-09-2007, 03:08 PM
I also tried Brutus on all directories that required HTTP authing, no good results.
SyntaXmasteR
09-09-2007, 05:19 PM
The problem with reporting this IP to authorities is that the computer sending these emails and hosting this content is probably a hijacked machine. Grandma might be sitting behind her computer with no idea, while this hacker is using her computer to host phishing pages!
These scams are well known throughout the online community, BUT you would be surprised how many organizations do not inform their employees! I have watched two large eBay accounts (15000+ feedback) get taken over because of a phishing scam.
Does the phisher change the password and take over the account? No! That would be stupid of them, because the account owner would report it right away. Instead they will start FAKE listings under your account telling visitors to "EMAIL ME" for more details. This is the only critical flaw in the communication chain. This is the only way to trace these phishers back. Play along with the scam until you have enough information to put them under. A phone number would end the phishing trip early.
~SyntaX
I also tried Brutus on all directories that required HTTP authing, no good results.
I haven't used Brutus yet. Wanted to but ...
I tried twice to download it, but got virus warnings and it aborted - not cool!
The site was hoobie.net
Avast Antivirus alert said:
http://www.hoobie.net/brutus/brutus-aet2.zip\BrutusA2.exe
Win32:Trojan-gen. {Delphi}
Virus/Worm
Virus repair failed.
Something odd though.
The virus warning came up when I used the "Save Target as..." from IE7
When I just downloaded it directly by clicking on the link, there was no virus alert - until I tried to unzip it.
As an experiment, I tried "Save Target As" again, and again the virus alert aborted the DL!
Strange things afoot at the Circle-K.
Any idea where I can find a clean copy of Brutus or something similar?
Several web links referring to it lead directly back to the infected file.
Grrrrrrrr