Monday, August 19, 2013

Cross Brand Intelligence and Phishing

While there is certainly a reason to shut down any site imitating your company as fast as possible, we have to always consider what the implications are of understanding the Cross-Brand Intelligence aspects of any site being abused to imitate an organization. A rare open directory shared by our friend, security researcher Tom Shaw, gives a perfect example of this.

The website on the IP address 38.64.138.118 has an open directory on it's root, showing the dates of creation of a number of phishing campaigns:

July 23, 2013 @ 23:47 == "v3/"
August 8, 2013 @ 11:58 == "picture.png/"
August 9, 2013 @ 01:56 == "apple.png/"
August 14, 2013 @ 17:42 == "paypal.png/"
August 15, 2013 @ 06:49 == "contar.png/"
Attempting to visit the "/apple.png/" page on that server results in a 302 redirection to the address "http://venenolabs.activo.in/h5-apple"

Similarly, attempting to visit the "/picture.png/" page on that server results in a 302 redirection to the address "http://venenolabs.activo.in/h6-vbv/" The Apple page redirects to pearstech.com where an Apple phishing page is displayed: The Visa page redirects to rajeshwasave.com where a Visa Argentina phishing page is displayed: venenolabs.activo.in is on the IP address 174.36.29.21.

Both Pearstech.com and Rajeshwasave.com are on the IP address 174.37.147.184.

The "paypal.png" site no longer resolves to a Paypal server, although it did. It has now been repurposed to also redirect to: The "contar.png" page is an interesting one, after showing what appears to be an AdFly link for a pay-per-click affiliate program run by "theunifiedwealthteam.com" we are forwarded to the Facebook page of "Veneno Labs" who seem to primarily boast in Spanish about the various websites they have hacked and defaced. No idea if V3NEN0 LABS, whose facebook posts are mostly from the area of Lima Peru, has anything to do with the phishing sites or not until we review some logs. Veneno uses the email address "venenolabs@yahoo.com", according to his Facebook page.

MAD666 and #d3xt3rH4ck seem to be members of the T34M. (SO elite! Did you see how they spelled Team?)

As with most defacers, it's often interesting to look at their very first actions. In this case, as soon as Veneno had a facebook page, "Jesusedus" Jesus Edu Soto Meza, was clicking Like on his images. A Computer Science student from Lima, Peru attending IDAT Computacion?

(Perhaps Dexter Hack? ==> https://www.facebook.com/dexterhackperu.defaced.3 )

The Veneno Labs group has more than 500 members, and a gmail account ==> venenolabs@Gmail.com ( https://www.facebook.com/groups/419870534733048/ )

Perhaps the most interesting is the "lol.exe" which is a Zeus malware installer.

It seems that our Peruvian website defacers have moved across the line from Hacktivism to Phishing and Malware distribution!