Thursday, January 02, 2020

Backdoored Phishing Kits are still popular

What did you do for the holidays?  If you're a cybercrime geek you probably took advantage of some of the extra time on your hands to investigate some new phishing sites, right?



Jone Fredrick is the type of Facebook user who is quite open about his criminal activity.  He boasts about his phishing skills by having a Facebook profile picture of someone taking a selfie showing their government issued ID and their credit card!  He claims to live in Blida, Algeria, and probably does.  Over the holidays Jone update his YouTube channel, "mr azert" with a new Chase Bank phishing kit.  (Phishers don't call this phishing.  They call it "bank scams" or "scam pages."

In the past two weeks, Jone, who uses the alias "Mr Azert", has uploaded several videos about his new scam pages to his YouTube channel.  Chase, Spotify, Dropbox, Alibaba, and Paypal all have new scam pages courtesy of Mr Azert.  How generous that he just gives them away for free!


After listening to so much bad gangster/scammer rap music, it was nice to hear some Algerian rap while I did my investigation.  Mr Azert confirms this is him by replying to "Tutor Arena421" giving him his email address (foley.victoria998@gmail.com) and Facebook address ( jone.fredrick.79).


Of course, we report the offending content to YouTube.  If you ever encounter the same, please use the "Report" function.  The correct flow is to click the "Three Dots" ... then "Report".  Then choose  "Spam or misleading" and then the subcategory "Scams / fraud"



In this case, the reason Mr Azert is giving away these phishing kits is that he has backdoored all of the kits.  We'll look at the Chase one first.   There are five separate PHP files that send the various stolen information back to the person using the kit.  



When we look at the actual "Send" command, we notice that the email command says "for each $send" ... but the instructions for the kit have told the kit downloader that they should include their own email address in a certain place, which is "import"ed into this code.  What other address is being used here?


If we scroll up about we see that $send is receiving a variable called "token" from the form post that called this PHP code, and then converting it into ASCII with "hex2bin".


The calling code in this case is "myaccount.php" which seems to do some "input validation" but in reality, is also loading the "token" value:


That hex string at the bottom starting with "6665" is decoded in the "hex2bin" call into a pair of email addresses:  

  fenction@gmail.com  and fenction@yahoo.com

So, anyone who downloads Mr Azert's kit is going to either create or hack a website, upload and unpack the kit, spam out links to that URL, and then have all of their stolen data go back to Mr Azert in Algeria, who is likely to be better at cashing out the information than someone too lame to make their own phishing kit.

We're of course reporting all of this to YouTube, Gmail, Yahoo, and Facebook ... 

So how did you spend YOUR holiday?  

Happy New Year everyone!




2 comments:

  1. SEASONS GREETINGS!!!


    INSTEAD OF GETTING A LOAN,, I GOT SOMETHING NEW
    Get $5,500 USD every day, for six months!

    See how it works

    Do you know you can hack into any ATM machine with a hacked ATM card??
    Make up you mind before applying, straight deal...

    Order for a blank ATM card now and get millions within a week!: contact us
    via email address::{Universalcardshackers@gmail.com}

    We have specially programmed ATM cards that can be use to hack ATM
    machines, the ATM cards can be used to withdraw at the ATM or swipe, at
    stores and POS. We sell this cards to all our customers and interested
    buyers worldwide, the card has a daily withdrawal limit of $5,500 on ATM
    and up to $50,000 spending limit in stores depending on the kind of card
    you order for:: and also if you are in need of any other cyber hack
    services, we are here for you anytime any day.

    Here is our price lists for the ATM CARDS:

    Cards that withdraw $5,500 per day costs $200 USD
    Cards that withdraw $10,000 per day costs $850 USD
    Cards that withdraw $35,000 per day costs $2,200 USD
    Cards that withdraw $50,000 per day costs $5,500 USD
    Cards that withdraw $100,000 per day costs $8,500 USD

    make up your mind before applying, straight deal!!!

    The price include shipping fees and charges, order now: contact us via
    email address:::::: {Universalcardshackers@gmail.com}
    Whatsapp:::::+31687835881

    Visit our Website for more Info: https://7anonymoushackers.wordpress.com
    ®

    ReplyDelete
  2. I got my ATM card already programmed and blank to withdraw the maximum of $ 10,000 to $ 15,000 per day for a maximum of 3 months, I am very happy about this because I got mine last week and used it to get more than $ 70,000 and I'm ready to pay more. MUSA Hackers is giving the card just to help those in need. This programmed ATM CARD cannot be tracked and can be used in any country in the world according to MUSA, which also sent me the ATM CARD. You now have the blank ATM Card of the 2020 software that can withdraw at least $ 30,000 to $ 50,000 every day and is available to those who wish to invest in any business ... This is a lifetime opportunity for all who are interested In MUSA BLANK ATM HACKED CARD, which is loaded with programmed cash. If you want to know more details about this card, you can contact MUSA directly through your person's email address: cyberghosthacker2019@gmail.com

    ReplyDelete

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.