05/26/2009

what happens after the .be facebook phishing

"The form sends your stolen credentials back to bestspace.be for processing:

<form method="POST" action="/?login_attempt=1">

Digging a little deeper we find this site is hosted on 211.95.78.98 which hosts a few other malicious domains as well:

degunter.cn
daratop.cn

Doing a quick search for daratop.cn yields more hostile activity in the form of malware. Honeynet.cz has more information and so does the Malware Domains List.

The registrant of daratop.cn is steven_lucas_2000@yahoo.com; a couple of searches for this email reveal many different attacks that this individual has been involved in.

Example 1
Example 2

In closing, all of these sites are hostile and should be blocked and avoided."

source


new .be facebook phishing site discovered

databus.be

[screenshot: who has registered it]

[screenshot]

only the email address is different

and where it is hosted, even if no DNS information is found (robtex)

[screenshot]


05/25/2009

.be phishing attack destroys online image belgium and .be domain

even if we are the only domain extension that has successfully thwarted and stopped an attack by a fast-flux botnet, and are in the process of doing so again with these phishers, a certain amount of damage is still being done

Phishing Facebook, la Belgique attaque - Forums ZATAZ

1 post - 1 author - Last post: 9 hours ago

Phishing Facebook, la Belgique attaque. ... to phishing attempts aimed at users of the Facebook community portal. ...
www.zataz.com/forum/index.php?showtopic=10506&view=getnewpost

PICOBAND BE

2 hours ago - minutes ago from TwitterFox in reply to EmmanuelGadenne; some ppl sent me kind of phishing facebook links from belgium...like picoband.be, and so on. ...
mag7ficfinder.com/links-by-category.php?picoband-be/



more .be facebook phishing sites and FCCU gets into the act

greenbuddy.be, silvertag.be, picoband.be -- leads to some malicious Web sites, which if visited, could secretly download malware onto computers through a "drive-by download" application.
http://infotech.indiatimes.com

and another one from here

goldbase.be
greenbuddy.be
silvertag.be
picoband.be
http://worldoftimepass.com

the messages are sent as Facebook mails, so there must be Facebook communities or accounts sending them. Facebook says that a number of them have already been closed. But as they seem to use another domain each day, they have probably also made another Facebook profile every day. This will keep the security people at Facebook busy.

DNS.be and FCCU.be are working together to resolve the situation as fast as possible. As it is impossible to block the .be domains hosted in China, I suppose they will use the same method they used to block the fast-flux campaign with .be domains at the beginning of this year (where we were also involved in mobilizing the resources to do that....)

some of these domains have even been suppressed from their own DNS servers after (ab)use.

we publish the information as it comes in, so that administrators and the police can do their work as information flows in or is found. The analysis is for later. It is clear that more .be domains were being set up for the coming days, so it is important to stop the campaign as fast as possible with domain root-blocking.


more .be phishing attack sites

Most of the Facebook users are searching for 'www.bitclan.be', 'www.atomclub.be' and 'picoband.be'. The sites have the same design.
http://monkeydollars.blogspot.com

Not all domain names are mentioned on the server. They existed when you asked robtex.com:

[screenshot]

and they were registered by the same people

[screenshot]

but when you ask them today, they are gone.... for how long? Or is it just "use once and throw away" phishing?


more facebook .be phishing attack news

The recent news is that a certain Facebook message is appearing in some accounts with the words "redbuddy dot be", redbuddy.be, redbuddy, red buddy, redbuddy be, or red buddy dot be (source)

some domains are hosted here

[screenshot]

more domains that are mentioned as sending fraudulent messages

Dynasale.be

Linkteria.be

and every day there will be another one, or at least that is their plan

Hello Facebook users, the Picoband.be website is a phishing site. Today it was reported by Facebook. Don't check out this site. Facebook has already reported that most of the ".be" site links are a phishing scam hitting Facebook links. Whitemart.be was Friday's scam, Dynasale.be is Saturday's. Picoband.be is today's scam
source http://www.zimbio.com/

and more links

Phishing sites attacks on Facebook List: [Don't Check Following Links]

  • afoi.ru
  • areps.at
  • bests.at
  • brunga.at
  • indigoline.be
  • kirgo.at
  • nutpic.at
  • ponbon.im
  • redfriend.be


http://monkeydollars.blogspot.com

and it seems to be directed also at Bulgarian users of Facebook

more to follow


the limits of automated blacklists (example whiteflash.be)

whiteflash.be is a phishing site for facebook

[screenshot]

do not trust blacklists blindly; you will have to add some links yourself
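The two points made here and in the post on root-blocking further down (an automated blacklist misses entries such as whiteflash.be, so an administrator has to merge a feed with hand-added names, and the resulting list has to be turned into something a resolver can enforce) can be shown together. The script below is an added example and is not code from this blog or from dns.be/FCCU; the feed contents and the manual additions are constructed inline, and the naming heuristic (a colour word glued to a short noun under .be) is an assumption drawn from the campaign domains quoted on this page, not a rule the posts state.

```python
"""Merge an automated blacklist with hand-added entries and emit a DNS RPZ zone.

Added example, not from the original blog posts. The feed and the manual list
are constructed inline; the naming heuristic is an assumption derived from the
campaign names quoted on the page (colour word + short noun, .be).
"""
import re

# Constructed: what an automated feed returned (note it missed whiteflash.be).
AUTOMATED_FEED = ["redbuddy.be", "picoband.be", "dynasale.be"]
# Constructed: entries the analyst adds by hand after looking at the site.
MANUAL_ADDITIONS = ["whiteflash.be", "redfriend.be", "bestspace.be"]

COLOURS = ("red", "white", "green", "gold", "silver", "black", "blue")
# Assumption: campaign names look like <colour><3-8 letters>.be
CAMPAIGN_PATTERN = re.compile(r"^(%s)[a-z]{3,8}\.be$" % "|".join(COLOURS))


def normalise(domain):
    """Lower-case, strip a trailing dot and a leading 'www.' so duplicates merge."""
    d = domain.strip().lower().rstrip(".")
    return d[4:] if d.startswith("www.") else d


def merge_blocklists(*sources):
    """Union of all sources after normalisation, sorted for stable zone output."""
    return sorted({normalise(d) for src in sources for d in src if d.strip()})


def looks_like_campaign(domain):
    """Heuristic flag for names built like the quoted campaign domains."""
    return bool(CAMPAIGN_PATTERN.match(normalise(domain)))


def rpz_zone(domains, zone="rpz.local", serial=2009052601):
    """Render an RPZ zone file: 'name CNAME .' makes the resolver answer NXDOMAIN
    for the name, and the '*.name' record covers every subdomain as well."""
    lines = [
        "$TTL 300",
        "@ IN SOA localhost. hostmaster.%s. %d 3600 900 604800 300" % (zone, serial),
        "@ IN NS localhost.",
    ]
    for d in domains:
        lines.append("%s CNAME ." % d)
        lines.append("*.%s CNAME ." % d)
    return "\n".join(lines) + "\n"


def main():
    merged = merge_blocklists(AUTOMATED_FEED, MANUAL_ADDITIONS)
    flagged = [d for d in merged if looks_like_campaign(d)]
    print("blocked:", merged)
    print("campaign-like names (review these first):", flagged)
    print(rpz_zone(merged))


if __name__ == "__main__":
    main()
```

The heuristic only flags names for review; it is deliberately not used to block on its own, since a legitimate site such as a shop with a similar name would otherwise be sinkholed on a hunch. The zone output is in the RPZ format understood by BIND and other resolvers that implement response policy zones, so it can be loaded as the enforcement point the posts call root-blocking at the resolver level.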


reset your facebook password immediately if you clicked on those links

If you accidentally did that, then change your Facebook password immediately. If it has already been changed by the rogue malware (there have been reports to this effect), then you can use the lost password link to reset your Facebook password

http://www.facebook.com/security


source http://anshprat.wordpress.com

and you should change all the passwords on the other portals and services where you use the same passwords or a small variation on them

and just as with online banking, never click on a link; close all your other web services (chat, cam, P2P, ....), open a new browser as the only one, and type the domain name with your own hands (no links or anything like that)

and always patch your browser and PC


.be facebook phishing underway (to be updated)

we thought some were blocked, but this isn't the case: some are still working

we contacted the FCCU (Belgian cyberpolice) and tried to contact dns.be

a number of Russians bought a number of domains in Belgium, placed crude Facebook login screens on them and have sent messages around to make people log in to them. As these logins are also used for other services, it can give them access to other things .....

the domains are

  • whiteflash.be
  • redfriend.be
  • redbuddy.be
  • picoband.be
  • sweeter.be
  • bestspace.be

[screenshot]


03/04/2009

paypal phishing in french and pretending to come from securenet.com

From: Service Clients [mailto:service@securenet.com]
Sent: mardi 3 mars 2009 7:14
To: undisclosed-recipients:
Subject: PayPal - Notification de restriction de l'accés au compte RXI0058
Importance: High

Hello

As part of our security measures, we regularly monitor activity in the PayPal system. We recently contacted you following a problem with your PayPal account.

Information was requested from you for the following reason:

Our system has detected unusual charges on a credit card associated with your PayPal account.

Case no.: PP-1124-075-998

This is a final reminder inviting you to log in to PayPal as soon as possible.
Please do not reply to this email. Emails sent to this address cannot receive a reply.

Copyright © 1999-2008 PayPal. All rights reserved.

PayPal (Europe) S.à r.l. & Cie, S.C.A.
Société en Commandite par Actions
Registered office: 5th floor, 22-24 Boulevard Royal L-2449, Luxembourg
RCS Luxembourg B 118 349

PayPal email no. PP344


01/25/2009

2008 phishing in Belgium

We also follow phishing in Belgium closely, the new technologies, and the possibilities of protecting people by getting those sites noticed or taken down before they try to log in.

21/12/08 00:09 msntracer.eu is a phishing server according to phishtank
21/12/08 00:06 cnes.be used as phishing server
03/12/08 11:30 .be domain used by Rock gang to place phishing pages
11/11/08 13:46 how we found these astonishing new Belgian hacked sites used for phishing
27/11/08 09:01 zwemvereniginglier.be AGAIN used for phishing
24/11/08 12:23 phishing against Scarlet customers
10/11/08 12:18 blocklist : fake antivirus and social website login phishing sites (with photo joke)
29/10/08 17:13 Belgian phishing hosters : hostbasket, schendom Europe, Teledis, behostings and ulg.ac.be
27/10/08 12:13 many bank and phished sites in top malware serving list
26/10/08 23:33 salsabruxelles hacked for phishing
26/10/08 23:27 vietnamese domain hosting hundreds of phishing sites
26/10/08 23:20 parked .be domain consc-fr.be used for phishing ebay
26/10/08 23:10 Belgian site hacked and used as a phish site
21/10/08 17:28 tk free domain used by phishers
16/09/08 12:38 Some articles about anti-phishing
30/08/08 11:00 Belgium has still some anti-phishing work to do
29/08/08 09:33 internal phish page by changing the external links on the site
06/08/08 10:15 phishing or pharming taxonweb.be the final shootdown
18/06/08 15:24 Make your own NMBS rail ticket site
17/06/08 15:18 What do you have against taxonweb ?
17/06/08 14:49 confuse people about taxonweb domains ? it is easy (kinderspel)
17/06/08 01:28 Typosquatting taxonweb is child's play (kinderspel)
16/06/08 23:39 phishing a fgov.be change login site is child's play (kinderspel)
11/06/08 13:52 Make your own phishing site part 1
06/06/08 12:10 Can ebanking client software resist the tests of a security researcher ?
05/06/08 11:57 Next phishing victims : domain owners
05/06/08 11:25 SMS vishing and SMS spamming coming together
28/05/08 23:19 Official RSA numbers about Belgian hosts of Phishing sites (last 6 months)
22/05/08 10:24 Top 10 phishers april 2008 according to phishtank.com
17/04/08 23:31 altervista.org is a heaven for phishing
11/04/08 12:51 Phishers attack ISA server to place phishing sites on servers
11/04/08 14:11 Some .be sites used for phishing attacks
29/03/08 21:36 Belgian sites now used for phishing operations
26/03/08 15:44 Atos Banksys time-attacked itself
20/03/08 13:46 The biggest Belgian Bankhackers were using simple keyloggers
14/03/08 12:48 This is how simple it is to copy and paste Bank of the post
13/03/08 12:57 About dns.be, bpo-banking (bank van de post) and phishers
13/03/08 12:36 Domainsellers make it phishers too simple
13/03/08 10:18 Our bank of the Post is AGAIN a victim of phishing
19/02/08 09:59 Another way how banks make it easy for phishers
19/02/08 09:36 5 minutes does it take to bring down a phished website
18/02/08 13:09 How banks are making it easy for phishers
18/02/08 13:01 One way for a bank to discover phishing sites
15/02/08 11:26 phish site active on smsonweb.be
15/02/08 09:15 Security of Belgian banks between hype and fear
12/02/08 09:10 This .BE phish site is still up since second of february
01/02/08 16:29 These .be and altervista.org domains are being used as phishing sites NOW
27/01/08 15:28 The most dangerous phishing hosts in Belgium
18/01/08 12:56 Example of SMS phishing


01/13/2009

bot phishing attack with Belgian and .eu domain names

There are several DNS servers being used for the .be and .eu domain names that are used in the attack. The Whois says for some that the main server is in Romania, but there is a group on a personal IP address in Spain and another is in Japan. All the names were registered yesterday and are being used today.

It would be interesting for the responsible people and institutions to research how many domain names were registered yesterday or during the weekend that have the same characteristics, and to get that going.

If someone has some more time for research, please do and let us know; we are too busy for the moment.
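The post near the top of the page pivots from bestspace.be to its hosting IP and on to the other domains on that IP and their registrant, and the post here asks for the same thing done the other way round: which names were registered on the same day, on the same name servers, with the same characteristics. The script below is an added example of that pivot and is not code from this blog, from dns.be or from robtex; the records are constructed placeholders (the registrant addresses and name servers are invented), standing in for what a WHOIS or passive-DNS lookup would return for each suspect name.

```python
"""Cluster suspect domains by shared infrastructure and registration data.

Added example, not from the original blog posts. RECORDS is constructed:
a real run would fill it from WHOIS / passive DNS for every suspect name.
"""
from collections import defaultdict
from datetime import date

# Constructed sample records. The IP is the one quoted on the page; the
# registrant addresses and name servers are placeholders, not real data.
RECORDS = [
    {"domain": "bestspace.be", "ip": "211.95.78.98", "registrant": "reg-a@example.invalid",
     "ns": "ns1.example-dns.invalid", "registered": date(2009, 5, 24)},
    {"domain": "degunter.cn", "ip": "211.95.78.98", "registrant": "reg-b@example.invalid",
     "ns": "ns1.example-dns.invalid", "registered": date(2009, 5, 20)},
    {"domain": "daratop.cn", "ip": "211.95.78.98", "registrant": "reg-b@example.invalid",
     "ns": "ns9.other-dns.invalid", "registered": date(2009, 5, 20)},
    {"domain": "databus.be", "ip": "211.95.78.99", "registrant": "reg-c@example.invalid",
     "ns": "ns1.example-dns.invalid", "registered": date(2009, 5, 25)},
    {"domain": "shop-legit.be", "ip": "10.0.0.5", "registrant": "owner@example.invalid",
     "ns": "ns1.hoster.invalid", "registered": date(2005, 1, 10)},
]

# Fields on which two domains are considered linked when the value is shared.
PIVOT_FIELDS = ("ip", "registrant", "ns")


def cluster_by(records, field):
    """Map each distinct value of `field` to the sorted domains sharing it."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec[field]].append(rec["domain"])
    return {value: sorted(domains) for value, domains in groups.items()}


def related_domains(records, seed):
    """Every domain linked to `seed` through a chain of shared pivot values.

    The walk is transitive: if A shares an IP with B and B shares a
    registrant with C, then C is reported as related to A as well.
    The seed itself is left out of the result.
    """
    by_domain = {rec["domain"]: rec for rec in records}
    if seed not in by_domain:
        raise KeyError(seed)
    clusters = {field: cluster_by(records, field) for field in PIVOT_FIELDS}
    seen, todo = set(), [seed]
    while todo:
        current = todo.pop()
        if current in seen:
            continue
        seen.add(current)
        rec = by_domain[current]
        for field in PIVOT_FIELDS:
            todo.extend(clusters[field][rec[field]])
    seen.discard(seed)
    return seen


def registered_within(records, newest, days):
    """Domains registered in the `days` days up to and including `newest`,
    which is the 'registered yesterday, used today' question asked above."""
    return sorted(r["domain"] for r in records
                  if 0 <= (newest - r["registered"]).days <= days)


if __name__ == "__main__":
    print("same IP as bestspace.be:", cluster_by(RECORDS, "ip")["211.95.78.98"])
    print("related to bestspace.be:", sorted(related_domains(RECORDS, "bestspace.be")))
    print("registered in the last day:", registered_within(RECORDS, date(2009, 5, 25), 1))
```

A shared hosting IP on its own is weak evidence (a large shared host serves thousands of unrelated sites), which is why the walk combines several pivots and why the output is a list for an analyst to review rather than a block decision; the unrelated shop-legit.be record is there to show that a name with no shared value stays outside the cluster.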


postforum.be hacked for phishing

http://www.phishtank.com/phish_detail.php?phish_id=609208

Would you please also look in your logs to see who has actually contacted your site and inform Lloyds so they can contact these clients....

[screenshot]

and this is what happens when you are so insecure that you get hacked for phishing

[screenshot]


12/08/2008

http://vzw-bachelor.be used in phishing and tarnished reputation as a result

This is the case: http://www.phishbucket.org/main/content/view/3923/

We didn't research or check the information; there are journalists for a job like that, and I have other things to do.

But when I look at the website with all those organisations and names of institutions in it, then I hope for those institutions and names that the organisation is valid: http://vzw-bachelor.be/

Or maybe they needed some attention because their forum and guestbook are a bit empty.

curious...


Belgian banks as targets in silent-banker trojan software

http://www.trusteer.com/FIsearch/open_search.php

This gives you the possibility to see whether the name of your site is mentioned in the target lists of the silent banking trojans. They are called silent because they are hard to discover, also for security software, and they often only become active when a connection to a listed site is found. This software is some of the best-written malware ever (maybe they can invest more in development because they earn much more money).

Search results for '.be' in WSNPOEM/Zeus/PRG/Zbot configuration file (Q4 2008):

In WSNPOEM/Zeus/PRG/Zbot configuration file (Q4 2008), position 694:
abnamro.be

In WSNPOEM/Zeus/PRG/Zbot configuration file (Q4 2008), position 1036:
*anhyp.be

In WSNPOEM/Zeus/PRG/Zbot configuration file (Q4 2008), position 1173:
*axionweb.be* bacob.be* 

In WSNPOEM/Zeus/PRG/Zbot configuration file (Q4 2008), position 1539:
bbl.be*bcb.be* 

Search results for 'fortis' in Torpig configuration file (Q2 2008):

In Torpig configuration file (Q2 2008), position 315:
 www.fortisbanking.com

In Torpig configuration file (Q2 2008), position 955:
fortisbanking.be 

In Torpig configuration file (Q2 2008), position 4375:
*fortisbanque.lu 

In Torpig configuration file (Q2 2008), position 20342:
fortisbusiness 

Search results for 'dexia' in Torpig configuration file (Q2 2008):

In Torpig configuration file (Q2 2008), position 3977:
*dexia.be 

In Torpig configuration file (Q2 2008), position 7908:
 directnet.dexia.be 

In Torpig configuration file (Q2 2008), position 7935:
directnetbusiness.dexia.be 

In Torpig configuration file (Q2 2008), position 8084:
dexia.sk 

In Torpig configuration file (Q2 2008), position 12620:
secure.dexia-bil.lu 

Search results for 'KBC' in Torpig configuration file (Q2 2008):

In Torpig configuration file (Q2 2008), position 10356:
kbconline.kbc.be 

and so on: look for yourself at http://www.trusteer.com/FIsearch/open_search.php
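The search hits above are wildcard masks (`*anhyp.be`, `*axionweb.be*`, `bacob.be*`) rather than plain host names, so a bank checking its own exposure has to match its URLs against the masks, not just grep for its name. The following is an added example written for this page; it is not Trusteer's search tool nor code from the blog. The mask list is constructed from the entries quoted above, and the wildcard semantics (a `*` matches any run of characters, and a mask is tried against both the full URL and the bare host) are an assumption about how such configs are evaluated, not something the post states.

```python
"""Check whether a bank's URLs match wildcard target masks from a trojan config.

Added example, not from the original post or from Trusteer's tool. The mask
list is constructed from the page's search hits; the matching semantics are
an assumption: '*' matches any run of characters, everything else is literal,
and a mask is tried against the full URL and against the host name alone.
"""
import re

# Constructed from the search hits quoted above; a real config holds thousands.
TARGET_MASKS = [
    "abnamro.be",
    "*anhyp.be",
    "*axionweb.be*",
    "bacob.be*",
    "*dexia.be",
    "directnet.dexia.be",
    "kbconline.kbc.be",
]


def mask_to_regex(mask):
    """Translate a '*' mask into an anchored, case-insensitive regex.

    Splitting on '*' and escaping the pieces keeps '.', '?' and '/' literal,
    so 'anhyp.be' cannot accidentally match 'anhypXbe'.
    """
    parts = [re.escape(p) for p in mask.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def host_of(url):
    """Host name of a URL, or the input itself if it carries no scheme."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", url, re.IGNORECASE)
    return (m.group(1) if m else url.split("/")[0]).lower()


def matching_masks(url, masks=TARGET_MASKS):
    """Masks that match either the full URL or just its host."""
    host = host_of(url)
    hits = []
    for mask in masks:
        rx = mask_to_regex(mask)
        if rx.match(url) or rx.match(host):
            hits.append(mask)
    return hits


def is_targeted(url, masks=TARGET_MASKS):
    """True when at least one mask covers the URL."""
    return bool(matching_masks(url, masks))


if __name__ == "__main__":
    for u in ("https://www.anhyp.be/login", "https://directnet.dexia.be/",
              "https://www.abnamro.be/", "https://www.example.be/"):
        print(u, "->", matching_masks(u))
```

Note the asymmetry the example makes visible: `*anhyp.be` catches `www.anhyp.be` as well, while the exact mask `abnamro.be` does not match `www.abnamro.be`, so a bank that only checks its canonical host name can both over- and under-estimate which of its login pages a given config targets.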


10/26/2008

vietnamese domain hosting hundreds of phishing sites

537467  http://www.0045yv0b04c4s5epdvy.web.ve/saw-cgi/eBayISAPI.dll/...  added on Oct 26th 2008 6:33 AM by buaya  VALID PHISH  ONLINE
537468  http://www.0040tp38g6666r3ashd.org.ve/cmd-confirm/...  added on Oct 26th 2008 6:33 AM by buaya  VALID PHISH  ONLINE
537469  http://www.0040tp38g6666r3ashd.org.ve/saw-cgi/eBayISAPI.dll/...  added on Oct 26th 2008 6:33 AM by buaya  VALID PHISH  ONLINE
537464  http://www.004rybow6mavtz4ysbo.org.ve/cmd-confirm/...  added on Oct 26th 2008 6:33 AM by buaya  VALID PHISH  ONLINE
537465  http://www.004rybow6mavtz4ysbo.org.ve/saw-cgi/eBayISAPI.dll/...  added on Oct 26th 2008 6:33 AM by buaya  VALID PHISH  ONLINE
537466  http://www.0045yv0b04c4s5epdvy.web.ve/cmd-confirm/...  added on Oct 26th 2008 6:33 AM by buaya  VALID PHISH  ONLINE
537460  http://www.004acnhdf2lk9p73lms.info.ve/cmd-confirm/...  added on Oct 26th 2008 6:33 AM by buaya  VALID PHISH  ONLINE
537461  http://www.004acnhdf2lk9p73lms.info.ve/saw-cgi/eBayISAPI.dll/...  added on Oct 26th 2008 6:33 AM by buaya  VALID PHISH  ONLINE

and it goes on and on and on and on and on


Belgian site hacked and used as a phish site

what is even more interesting is that it is being hosted on a small personal site, and they installed what looks like a library for OpenID, a common password system that makes it possible to use the same password on a large number of sites.

http://irodewilde.be/libraries/openid/Services/Yadis/

and of course it is nice that they also copied the hacker-safe logo and the VeriSign secured logo: you have to trust us

[screenshot]


07/01/2008

what is awaiting other tax services : tax phishing

this is one that is becoming common in the US

From: "IRS"<tax-refund-online@irs.info>
Subject: IRS - Tax Refund Online Form -
Date: Mon, 30 Jun 2008 20:16:29 -0400
MIME-Version: 1.0
Content-Type: text/html;
 charset="Windows-1251"
Content-Transfer-Encoding: 7bit
Bcc:
Return-Path: tax-refund-online@irs.info
Message-ID: <EMSCEtnldkkUxQK5xSx0001e992@ems.teacher.com.cn>
Content-Length: 1503

After the last annual calculation of your fiscal activity we have determined that you are eligible to receive a tax refund of $949.30.



Please submit the tax refund and allow us 3-9 business days in order to process it.

If you don't receive your refund within 9 business days from the original IRS mailing date shown on Where's My Refund?, you can start a refund trace online.

To get to your personal refund information, be ready to enter your:

Filing status (Single, Married Filing Joint Return, Married Filing Separate Return, Head of Household, or Qualifying Widow(er))
Social Security Number (or IRS Individual Taxpayer Identification Number) and your Date of Birth
Full name, Address, Phone and the Debit Card where refunds will be made.

To access the form for your tax refund, please click here : Tax Refund Online Form

Note:
For security reasons, we will record your ip-address and date.
Deliberate wrong inputs are criminally pursued and indicted.

note: there are people who actually believe this
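Both lures on this page give themselves away in the headers before the body is even read: the PayPal one is sent from a securenet.com address, and the IRS one claims irs.info as sender while its Message-ID was generated on a host under teacher.com.cn. The script below is an added example of checking that alignment and is not code from this blog or from any mail product; the two header blocks are constructed from the values quoted in the PayPal and IRS posts, the bodies are omitted, and the list of brand domains a lure claims to represent is an input the defender supplies (an assumption of the example).

```python
"""Flag sender-domain misalignment in phishing mail headers.

Added example, not from the original posts. The header sets are constructed
from values quoted on the page; the alignment rules are this example's own.
"""
import email
import re
from email.utils import parseaddr

# Constructed from the PayPal post's headers (body omitted).
PAYPAL_LURE = """\
From: Service Clients <service@securenet.com>
To: undisclosed-recipients:;
Subject: PayPal - Notification de restriction de l'acces au compte RXI0058
Importance: High

(body omitted)
"""

# Constructed from the IRS post's headers (body omitted).
IRS_LURE = """\
From: "IRS" <tax-refund-online@irs.info>
Subject: IRS - Tax Refund Online Form -
Return-Path: tax-refund-online@irs.info
Message-ID: <EMSCEtnldkkUxQK5xSx0001e992@ems.teacher.com.cn>

(body omitted)
"""


def domain_of_address(value):
    """Domain part of an address header such as From or Return-Path, or None."""
    _, addr = parseaddr(value or "")
    return addr.rpartition("@")[2].lower() or None


def domain_of_message_id(value):
    """Host part of a Message-ID written as <local@host>, or None."""
    m = re.search(r"@([^>\s]+)>?\s*$", value or "")
    return m.group(1).lower() if m else None


def header_findings(raw, claimed_brand_domains):
    """Return the list of findings for one raw RFC 5322 message.

    claimed_brand_domains: the domains of the brand the mail pretends to be
    from (assumption: the defender knows which brand is being impersonated).
    An empty list means the headers are consistent with that brand.
    """
    msg = email.message_from_string(raw)
    from_dom = domain_of_address(msg.get("From"))
    rp_dom = domain_of_address(msg.get("Return-Path"))
    mid_dom = domain_of_message_id(msg.get("Message-ID"))
    subject = (msg.get("Subject") or "").lower()
    brands = [b.lower() for b in claimed_brand_domains]
    findings = []
    # 1. The visible sender domain must be the brand or a subdomain of it.
    if from_dom and not any(from_dom == b or from_dom.endswith("." + b) for b in brands):
        findings.append("from-domain-not-brand:%s" % from_dom)
    # 2. Bounce address and visible sender should agree.
    if rp_dom and from_dom and rp_dom != from_dom:
        findings.append("return-path-mismatch:%s" % rp_dom)
    # 3. The Message-ID is minted by the sending system; a foreign host is a tell.
    if mid_dom and from_dom and not mid_dom.endswith(from_dom):
        findings.append("message-id-host-mismatch:%s" % mid_dom)
    # 4. Brand name in the subject plus any mismatch above is the classic lure shape.
    if findings and any(b.split(".")[0] in subject for b in brands):
        findings.append("brand-in-subject")
    return findings


if __name__ == "__main__":
    print("paypal lure:", header_findings(PAYPAL_LURE, ["paypal.com"]))
    print("irs lure:   ", header_findings(IRS_LURE, ["irs.gov"]))
```

These checks are a triage aid rather than proof: legitimate mail sent through a third-party bulk mailer can also fail the Return-Path and Message-ID rules, which is why the function reports findings for review instead of deciding on its own.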


05/28/2008

Official RSA numbers about Belgian hosts of Phishing sites (last 6 months)

RSA.com detects phishing sites in real time for its clients and has 4 hours to get them taken down. These are the Belgian hosts that they have contacted on behalf of their international clients to bring down phish sites.

Belgian ISP                               Number of attacks
Schedom                                   60
Priorweb                                  50
ISP Server - ISP System                   43
STONE INTERNET SERVICES BVBA              41
Belgacom                                  18
Xhost                                     17
RealRoot                                  17
scarlet                                   14
Combell                                   13
Telenet                                    9
Colt                                       8
Skynet                                     4
Teledisnet                                 4
Hostbasket                                 4
Belgian Network Solution                   4
MyOwn sprl                                 3
inet server                                3
TV Cable Net                               3
Evonet                                     3
Ithagi                                     2
MAC Telecom                                2
Belgon                                     2
OpenMinds                                  2
Rackboost                                  2
Research network University of Ghent       2
Cyber Hosting                              2
webline                                    2
Spectrum NET                               2
BELGIUMDOMAINS                             1
Web Line                                   1
All Information Technology SPRL            1
SiteHosting                                1
Allit                                      1
Universite Catholique de Louvain           1
Universiteit Antwerpen                     1
One.com                                    1
DS Improve sprl                            1
CTC Computer Technologies                  1
Hepcut                                     1
Globalhost                                 1
chello                                     1
bvdcs.be                                   1
Contact Office                             1
coditel.be                                 1
Mobistar                                   1
LazerNet                                   1
Nucleus                                    1
Netmanagment                               1
IN.be                                      1
Hostonet                                   1
IT - Solid Solutions                       1
Belnet                                     1
