Wilders Security Forums  
#51 | ghodgson (Frequent Poster; Join Date: Dec 2003; Location: UK; Posts: 344) | November 23rd, 2006, 05:21 AM
Re: New Spam Retaliation Tool

Hi, been running Spur-menator with Opera 9 without any problem. I did get the page referred to above though. [invalid sql etc]. Forgot to turn it off though so they [hopefully] got 530 orders. How remiss of me.
G
__________________
Gordon
#52 | spamislame (Regular Poster; Join Date: Nov 2006; Posts: 52) | November 23rd, 2006, 11:47 AM
Re: New Spam Retaliation Tool

A new version again.

I'm seeing the exact same form setups represented in a few new sites for ManXL, and featuring the following two new affiliate ids:

Code:
okok victory

As such: into the Spur-M-Enator they go.

http://www.mytempdir.com/1079074

That mysql error does not mean the orders aren't being inserted, it means they're improperly using the php command for "mysql_free_result" (an insert very often has no result to free.)

Enjoy, and spread the word.

SiL
#53 | herbalist (Posts: n/a) | November 24th, 2006, 03:15 AM
Re: New Spam Retaliation Tool

Your new version works with Sea Monkey.
Had a thought on this. Might be a sensible precaution to post an MD5 signature for the zip file here, just in case the spammers ever try to compromise the archive. Might not be likely but wouldn't hurt to be careful.
#54 | herbalist (Posts: n/a) | November 24th, 2006, 12:06 PM
Re: New Spam Retaliation Tool

Just got a phishing e-mail for Sears card data. First I've seen in a while. Original link goes to China, then redirects to Russia. I'm getting worn out on adding fake data manually to their site. Besides the usual submission sites, anywhere I can send this to have the site attacked? This is just the kind of site I was looking for tools to go after.
original addy: hxxp://218.26.1.147/.index.html
redirects to:
hxxp://217.12.241.9/~upload/www.sears.com/index.jsp.htm
#55 | spamislame (Regular Poster; Join Date: Nov 2006; Posts: 52) | November 24th, 2006, 03:44 PM
Re: New Spam Retaliation Tool

Quote:
Originally Posted by herbalist
Just got a phishing e-mail for Sears card data. First I've seen in a while. Original link goes to China, then redirects to Russia. I'm getting worn out on adding fake data manually to their site. Besides the usual submission sites, anywhere I can send this to have the site attacked? This is just the kind of site I was looking for tools to go after.
original addy: hxxp://218.26.1.147/.index.html
redirects to:
hxxp://217.12.241.9/~upload/www.sears.com/index.jsp.htm

Holy crap they're phishing for frikkin' SEARS?!?!

I've never seen that one before. Yikes.

I'll build out something; give me a few minutes to investigate. Yikes, these criminals are idiots.

SiL
#56 | Smokey (Very Frequent Poster; Join Date: Apr 2002; Location: Annie's Pub; Posts: 1,513) | November 24th, 2006, 03:48 PM
Re: New Spam Retaliation Tool

Quote:
Originally Posted by spamislame
I'll build out something; give me a few minutes to investigate. Yikes, these criminals are idiots.
In future you should name yourself: Spaminator

(Like you know, I already gave you this name as "AKA")
#57 | spamislame (Regular Poster; Join Date: Nov 2006; Posts: 52) | November 24th, 2006, 04:46 PM
Re: New Spam Retaliation Tool

Okay so as it happens: it's not possible to remotely attack this site. They can tell when a third-party script is attempting it.

But you could use the spur-m-enator(TM) to generate fake cc data and then fill in whatever you like for a username and password.

I'd report it to castlecops if I were you:

http://www.castlecops.com/pirt

That and call Sears 800 # (which the phisher site conveniently supplies)

1-800-815-7701

I can't call it cuz I'm not in the US. Their site offers no means of contacting them if you don't already have an account. The spammers chose a pretty good target. They don't appear to care about phishing at Sears. Weird.

That's what I got.

I hate Phishers.

SiL
#58 | spamislame (Regular Poster; Join Date: Nov 2006; Posts: 52) | November 24th, 2006, 04:57 PM
Re: New Spam Retaliation Tool

Oh!

I stand corrected.

http://rapidshare.com/files/4691958/...hisherator.zip

(Looks like MyTempDir is experiencing difficulties today.)

This will post the first form (login) then wait three seconds and post a second form (cc details) then refresh after three seconds. Should be enough time to do both. The refresh settings are at the end of the scripting due to it being multi-part.

Send them phishing leads! The more they have, the more actual man-hours it takes to sift through them and verify them, and that raises the alarm at Visa, Mastercard, etc.

Thanx for this lead. Law Enforcement will be interested to see that one. Yikes.

SiL
#59 | spamislame (Regular Poster; Join Date: Nov 2006; Posts: 52) | November 24th, 2006, 05:36 PM
Re: New Spam Retaliation Tool

This is kinda puzzling also.

Whoever created it didn't hide the file index, and it exposed a couple of confusing files:

http://217.12.241.9/~upload/www.sears.com/locations.txt
http://217.12.241.9/~upload/www.sears.com/edu.txt

It's pretty clear that the function of this phishing attempt is to send an email to someone, as opposed to writing the captured data to a file.

As an aside: the site is apparently Romanian in origin. Its actual domain is:

http://modny.spb.ru

The phishing site can just as easily be presented using the domain:

http://modny.spb.ru/~upload/www.sears.com/index.jsp.htm

Anyway I think it's weird that they have an interest in educational sites located in the US.

SiL
#60 | herbalist (Posts: n/a) | November 24th, 2006, 07:49 PM
Re: New Spam Retaliation Tool

That phish was definitely a bit different. I did call Sears. They asked me to forward the phish to spoof@citicorp.com. Submitted it to PIRT as well.
Your script runs quite nicely on Sea Monkey. Just in time too. I was running out of fake names to enter manually. I should copy it over to the dialup connected PC as well and make use of its floating IP.
Still getting all the plug-ins and extensions re-installed and getting used to Sea Monkey's little quirks. As much as I know I should use it (or something else that's new) in place of the old Mozilla suite, nothing I've tried runs or feels as good.
If anyone can use it, here's a plain text copy of the phish with full headers (minus my e-mail addy)
Quote:
Thanx for this lead. Law Enforcement will be interested to see that one.
Where/how would you send something like this in regards to law enforcement?
Rick
#61 | herbalist (Posts: n/a) | November 25th, 2006, 04:28 AM
Re: New Spam Retaliation Tool

PIRT#102528
According to them, there's a virus there. I don't see where this is part of that phish site? Am I just missing where it is?
Quote:
Originally Posted by PIRT
VIRUS WARNING: beware virus at hxxp://217.12.241.9/~upload/poze.exe
VirusTotal scan of file.
On mine, F-Prot says the archive is infected, but an F-Prot scan of its contents comes up clean. Is this a FP issue with Rar archives?
Rick
#62 | spamislame (Regular Poster; Join Date: Nov 2006; Posts: 52) | November 25th, 2006, 02:29 PM
Re: New Spam Retaliation Tool

The exe file is merely a zipped archive of photos. If you run WinRAR you can just right-click on it and "extract here." It appears to be a variety of images from July of this year of a group of 20-somethings on vacation. (the girl is cute!)

Of slightly more interest is this:

hxxp://217.12.241.9/~upload/ws.tgz

Which is the entire php code archive for the eBay phishing attempt also located on that server in the /ws directory.

hxxp://217.12.241.9/~upload/ws/

It sends all the phished data to:

nyck@2d.com

As for where to tell law enforcement about it, if you report the phishing attack to PIRT, they automatically let law enforcement know. So does the anti-phishing work group.

If you want to submit a more detailed report you could do so directly to the FBI's ic3 group.

http://www.ic3.gov/complaint/

That's a bit more laborious but it does get the data directly to an investigator who can do something about it.

These phishers are sloppy. But so are the owners of that server, apparently.

SiL

Last edited by LowWaterMark : November 25th, 2006 at 03:14 PM. Reason: deactivated links
#63 | herbalist (Posts: n/a) | November 26th, 2006, 06:03 PM
Re: New Spam Retaliation Tool

Sears phish site is down.
Rick
#64 | spamislame (Regular Poster; Join Date: Nov 2006; Posts: 52) | November 27th, 2006, 01:48 PM
Re: New Spam Retaliation Tool

Quote:
Originally Posted by herbalist
Sears phish site is down.
Rick

Hm.

But in its place:

hxxp://217.12.241.9/~upload/ws/data/www.mutualcu.org/

Mutual credit union.

I hate phishers.

Has anybody contacted this website specifically? They don't appear to have any clue what they're doing. This appears to be an ftp hack.

SiL

Last edited by snapdragin : November 29th, 2006 at 09:50 PM. Reason: deactivated link
#65 | spamislame (Regular Poster; Join Date: Nov 2006; Posts: 52) | November 27th, 2006, 01:53 PM
Re: New Spam Retaliation Tool

Lots of people reporting on the recent "update" to the processing sites the Spur-M-Enator(TM) is posting to.

They now attempt to do two things to anyone posting to the site directly:

1) loop through 1000 alerts claiming "ALERT: Thanks we have downloaded your harddrive successfully" (right. Well! Thanks for that!!)
2) In some cases: attempt to pop 1000 new windows with yahoo.com (that part fails for me but is apparently working in some browsers.)

I did some preliminary testing and discovered that this will NOT stop the orders from going through. It just makes life slightly harder for the user attempting to use this utility.

With that in mind I'd like to suggest that ONLY non-IE browsers be used, since these criminals could obviously use ActiveX to install some malicious virus on a victim's PC (Firefox will usually flatly disallow such activity.)

Thanx again for helping with this retaliation. It's clearly had an effect. And I should mention: I haven't seen a single spam for Spur-M in weeks. That's gotta be hurting a spammer hard. Which is as it should be.

Thanx again

SiL
#66 | herbalist (Posts: n/a) | November 29th, 2006, 06:27 AM
Re: New Spam Retaliation Tool

They aren't exactly trying to hide what they're doing. This one is a bit pickier about numbers as well. Not accepting random credit card numbers. What's the format for this type of card?
#67 | spamislame (Regular Poster; Join Date: Nov 2006; Posts: 52) | November 29th, 2006, 10:29 AM
Re: New Spam Retaliation Tool

Quote:
Originally Posted by herbalist
They aren't exactly trying to hide what they're doing. This one is a bit pickier about numbers as well. Not accepting random credit card numbers. What's the format for this type of card?

You're talking about that phishing attempt?

I have no idea. Credit unions are pretty obscure in the first place.

The owner of that web server has extremely negligent security practices.

SiL
#68 | herbalist (Posts: n/a) | November 29th, 2006, 05:27 PM
Re: New Spam Retaliation Tool

Quote:
The owner of that web server has extremely negligent security practices.
I'd question if that server's owner might be more of a willing accomplice. Might be actually allowing them to use it as long as they make it appear that they hacked in. Keeps him off the hook that way.
As for the phish itself, I'll keep plugging numbers and see what I can get them to accept.
Rick
#69 | dallen (Frequent Poster; Join Date: May 2003; Location: United States; Posts: 820) | November 29th, 2006, 08:44 PM
Re: New Spam Retaliation Tool

Quote:
Originally Posted by spamislame
Lots of people reporting on the recent "update" to the processing sites the Spur-M-Enator(TM) is posting to.

They now attempt to do two things to anyone posting to the site directly:

1) loop through 1000 alerts claiming "ALERT: Thanks we have downloaded your harddrive successfully" (right. Well! Thanks for that!!)
2) In some cases: attempt to pop 1000 new windows with yahoo.com (that part fails for me but is apparently working in some browsers.)

I did some preliminary testing and discovered that this will NOT stop the orders from going through. It just makes life slightly harder for the user attempting to use this utility.

With that in mind I'd like to suggest that ONLY non-IE browsers be used, since these criminals could obviously use ActiveX to install some malicious virus on a victim's PC (Firefox will usually flatly disallow such activity.)

Thanx again for helping with this retaliation. It's clearly had an effect. And I should mention: I haven't seen a single spam for Spur-M in weeks. That's gotta be hurting a spammer hard. Which is as it should be.

Thanx again

SiL
Is there a way to block the fact that this alert is triggered?
#70 | spamislame (Regular Poster; Join Date: Nov 2006; Posts: 52) | November 29th, 2006, 09:23 PM
Re: New Spam Retaliation Tool

Quote:
Originally Posted by dallen
Is there a way to block the fact that this alert is triggered?

Unfortunately: not completely, no. Not without having access to their servers so I could edit that page. (HIGHLY unlikely.)

However: I've attempted a quick GreaseMonkey addition to see if I wrote a competing function of the same name that it would negate it. So far no go. Their page has to load completely before GreaseMonkey takes over. By that time: the alert is popped.

I did try something though, which for me appears to be working.

You can install the AdBlock plugin and just cancel any active content from running on those domains.

http://adblock.mozdev.org/

It kinda works!! You still have to kill the alert, which if you do it fast enough (once per order, not thousands of times) makes sure your cpu is unaffected. That's obviously more work than just letting it run in the background.

- Make sure firefox is blocking popups for that domain
- Using adblock, add the entry:
http://gborders.com/onse/*
- Run the spurmenator and watch the address bar of the target window. If the address changes: it is indeed posting.

I see the bar across the top saying "FireFox prevented this site from opening a window", and I still get the alert. My CPU is fine though. (I do notice the initial load is heavy on it, but after that it returns to normal.)

You only have to close one alert per order.

Anyway I am assuming that that means it's working. I'm keeping at it. I was still doing a few dozen per day just to see what else changed.

Hope this helps. (Somewhat)

SiL
#71 | Devinco (Very Frequent Poster; Join Date: Jul 2004; Posts: 2,524) | November 29th, 2006, 10:26 PM
Re: New Spam Retaliation Tool

Would some kind of Proxomitron filter work?
This would limit the size of the pool of volunteers, but it might be useful to isolate the script that calls the alerts.
#72 | spamislame (Regular Poster; Join Date: Nov 2006; Posts: 52) | November 30th, 2006, 04:53 PM
Re: New Spam Retaliation Tool

Does Proxomitron allow the filtering of specific lines of javascript?

SiL
#73 | Devinco (Very Frequent Poster; Join Date: Jul 2004; Posts: 2,524) | November 30th, 2006, 05:46 PM
Re: New Spam Retaliation Tool

Yes, I think it does.
There are a lot of excellent filters available that permit very granular control.
New custom filters can also be created. It is capable of rewriting the entire HTML page on the fly.

I don't know very much about the details, but I think it may be worth looking into for this purpose.
I know member (and Security Expert) Kye-U has created an excellent set of Proxomitron filters.
It is a powerful local web filtering proxy.

Last edited by Devinco : November 30th, 2006 at 10:41 PM.
#74 | Devinco (Very Frequent Poster; Join Date: Jul 2004; Posts: 2,524) | November 30th, 2006, 10:44 PM
Re: New Spam Retaliation Tool

Paranoid2000,

Do you think Proxomitron would be useful for this purpose?
If not one of the premade filters by Kye-U or others, then perhaps a custom filter?
#75 | spamislame (Regular Poster; Join Date: Nov 2006; Posts: 52) | December 1st, 2006, 12:02 PM
Re: New Spam Retaliation Tool

If you run it, try these (I can't install it where I work. Not allowed.)

A filter for:

Code:
window.onload = f**kup ;

(That keeps getting modified by profanity filters on this site. Replace the asterisks. I think you know what it says.)

And another for:

Code:
alert("ALERT: Thanks we have downloaded your harddrive successfully")

Let me know if that works.

SiL