A Little Phish-Finding
Wednesday, August 01, 2007
Well, I was bored. So what does an InfoSec student do when he's bored?
Hunt phishers, of course.
First, I headed over to SiteAdvisor to try and find an active phishing site. A Wells Fargo site is being hosted on a hacked immigration-support site:
hxxp://www.americanimmigrationnetwork.com/AAAA%20Kits/incudes/www.wellsfargo.com/wellsfargo/Updates_info/
Nothing special, mind you, just your standard hacking package. After a bit of fun with the source code and Tamper Data, I found the mailer, update.php. Unfortunately, all e-mailing is handled server-side (duh), so I had to try and find the uploaded PHP file. This was made *quite* easy by the hacker(s) leaving the entire uploaded kit, includes.zip, behind. Doh.
Upon extracting update.php, I found the following interesting bits:
1) A given author of "KELVINROLEX" Googling the name returns a Mobango account for a Nigerian man with the same handle. (NOTE: I am NOT saying that this is the same guy! There is no evidence of that whatsoever, save for what we know of Nigeria and scams...)
However, there *is* another link that I think is safe to assume our phisher is responsible for. Meet the "Kelvinrolex Php Mailer," a lame attempt at God-knows-what. It calls itself a "Spamer Inbox," but it seems to have no real functionality (and at version 1.5, no less). Whatever. Kelvin's phishing script isn't all that much more interesting...the guys uses Frontpage, for chrissake!
2) An e-mail addy: dv_max4009@yahoo.com
This little gem returns several hits on Google. Meet David Alvin Maxwell, a nice gent who spends his time defrauding women with romance scams. I guess the photos of legit models isn't all he's stealing these days...
3) A second e-mail address: lurdofhonor@gmail.com
No hits on Google, unfortunately.
Interesting part? Though Mr. Mobango is innocent until proven guilty, Mr. Maxwell is also from Nigeria. Hmmm.
Gotta love those anonymous Internets, waiting to be pillaged and plundered by techno-pirates such as KELVINROLEX and dv_max4009. Erm, Kelvin and David. From Nigeria. *grin*
- Nexus7
Labels: phishing
posted by David @ 6:57 PM,
2 Comments:
- At 10:40 PM, Rich said...
-
Yeah, the same jerk hit my site and left 4 or 5 phishing sites. Luckily, I found them within a few hours. I checked out the update.php file too and found the 'Kevin Rolex' name. A google landed me on your page. In the meantime, Wells Fargo had contacted me about the site. I sent them the update.php file so they could check it out.
Later. - At 12:51 PM, Drew and Rachel said...
-
Sorry for the ignorance...
what is phishing?
The only phish I know is Phish, the jam band, you know.