MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, computer criminology and information security in general, always from a perspective closely related to the field of intelligence.

12.3.10

Phishing campaign aimed at Zynga players

Zynga is a developer of virtual games with a wide repertoire of Flash games, which can be played through social networks such as Facebook, MySpace and Tagged, among others.

Recently, Zynga's image has been used in a phishing campaign that takes some of the games the company offers as its cover.

The URLs involved in the campaign are:

claimpokerbonus.t35.com/zynga_poker/
claimpokerbonus.t35.com/zynga%20bonus/login_failed.php
claimpokerbonus.t35.com/zynga%20poker/login_failed.php
claimpokerbonus.t35.com/zynga/chip_bonus/login_failed.php
claimpokerbonus.t35.com/zynga_bonus/login_failed.php
claimpokerbonus.t35.com/zynga/poker_chips/login_failed.php
claimpokerbonus.t35.com/zynga/poker_bonus/login_failed.php
claimpokerbonus.t35.com/zynga/claim_poker/login_failed.php
claimpokerbonus.t35.com/zynga/claim_bonus/login_failed.php
claimpokerbonus.t35.com/zynga/chips_bonus/login_failed.php
claimpokerbonus.t35.com/games_bonuschips/zynga_bonus/login_failed.htm
claimpokerbonus.t35.com/games_bonuschips/claim_bonus/login_failed.htm
claimpokerbonus.t35.com/games_bonuschips/login_failed.htm
claimpokerbonus.t35.com/poker-bonus/login_failed.htm
claimpokerbonus.t35.com/poker_chipclaim/login_failed.htm
claimpokerbonus.t35.com/zynga-dailygift/login_failed.htm
claimpokerbonus.t35.com/zynga-game-bonus/login_failed.htm
claimpokerbonus.t35.com/game_lottery/login_failed.htm
claimpokerbonus.t35.com/game_bonus/login_failed.htm
claimpokerbonus.t35.com/claim_poker/login_failed.php
claimpokerbonus.t35.com/claim%20poker/login-failed.html
claimpokerbonus.t35.com/claim%20bonus/login-failed.html
claimpokerbonus.t35.com/Bonus/login_failed.php
claimpokerbonus.t35.com/Bonus/games/login_failed.php
claimpokerbonus.t35.com/Bonus/claim_poker/login_failed.php
claimpokerbonus.t35.com/Bonus/claim_chips/login_failed.php

Each folder used in the fraud has the same structure: the files login_failed.php, logs.php, search.php and succes.html, plus two .txt files in which the stolen data are recorded in clear text.

The file succes.html is called from the logs.php file and contains two exploits for the vulnerabilities described in CVE-2008-2463 (Office Snapshot Viewer) and CVE-2008-0015 (MsVidCtl Overflow).

It also contains a drive-by download through an iframe tag that redirects to Trenz.pl/rc/pdf.php?spl=pdf_ie2, from where a PDF file is downloaded that is detected by 50% of the antivirus engines offered by the VirusTotal service and whose MD5 is 47ea66b43e25169e6bb256e000a16ffd. The file load.exe (c2a41abc43dd0bcf98ae07315eb4c6f6) is downloaded as well; in this case it is detected by 90%.

Both files are found In-the-Wild and are part of a known exploit pack: Eleonore Exploit Pack version 1.2.
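As an added example (not part of this post or of MalwareIntelligence's own tooling), the following Python script shows how a defender could turn the indicators above into a simple check: it scans proxy-log lines for requests to the phishing-kit pages on claimpokerbonus.t35.com or to the drive-by redirect on Trenz.pl, and compares a file inventory against the two MD5 values quoted in the post. The log format, the sample log lines and the file inventory are constructed for the example and are assumptions; the hosts, page names and hashes are the ones given in the post.

```python
"""Match proxy-log URLs and file hashes against the indicators from the post.

Added example; the log format and sample data below are constructed, not real traffic.
"""
import re
from urllib.parse import unquote, urlsplit

# Indicators taken from the post.
PHISH_HOST = "claimpokerbonus.t35.com"
DRIVEBY_HOST = "trenz.pl"
DRIVEBY_PATH = "/rc/pdf.php"
DRIVEBY_QUERY = "spl=pdf_ie2"
# File names the post lists inside each kit folder (plus the .htm/.html variants seen in the URLs).
KIT_PAGES = {
    "login_failed.php", "login_failed.htm", "login-failed.html",
    "logs.php", "search.php", "succes.html",
}
KNOWN_MD5 = {
    "47ea66b43e25169e6bb256e000a16ffd": "malicious PDF served by pdf.php?spl=pdf_ie2",
    "c2a41abc43dd0bcf98ae07315eb4c6f6": "load.exe",
}

# Constructed sample proxy log (assumed format: timestamp client method url).
SAMPLE_LOG = """\
1268399120.123 10.0.0.12 GET http://claimpokerbonus.t35.com/zynga%20poker/login_failed.php
1268399121.456 10.0.0.12 GET http://www.example.com/index.html
1268399122.789 10.0.0.17 GET http://Trenz.pl/rc/pdf.php?spl=pdf_ie2
1268399123.001 10.0.0.19 GET http://claimpokerbonus.t35.com/Bonus/claim_chips/login_failed.php
1268399124.002 10.0.0.20 GET http://zynga.com/poker
"""

# Constructed file inventory (path, md5) as an endpoint agent might report it.
FILE_INVENTORY = [
    ("C:/Temp/load.exe", "c2a41abc43dd0bcf98ae07315eb4c6f6"),
    ("C:/Temp/report.pdf", "d41d8cd98f00b204e9800998ecf8427e"),
]

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)")


def classify_url(url: str):
    """Return a label when the URL matches an indicator from the post, otherwise None.

    The host is compared case-insensitively and the path is percent-decoded, so
    'zynga%20poker' and 'zynga poker' are treated the same way.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""        # urlsplit lower-cases the hostname
    path = unquote(parts.path)
    if host == PHISH_HOST:
        page = path.rsplit("/", 1)[-1]
        if page in KIT_PAGES:
            return "phishing-kit page"
        return "phishing host"
    if host == DRIVEBY_HOST and path == DRIVEBY_PATH and DRIVEBY_QUERY in parts.query:
        return "drive-by redirect"
    return None


def scan_log(text: str):
    """Return (client, label, url) for every log line that hits an indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                  # skip lines that do not follow the assumed format
        label = classify_url(m["url"])
        if label:
            hits.append((m["client"], label, m["url"]))
    return hits


def match_hashes(inventory):
    """Return (path, description) for every file whose MD5 is one of the known hashes."""
    return [(path, KNOWN_MD5[md5.lower()]) for path, md5 in inventory if md5.lower() in KNOWN_MD5]


if __name__ == "__main__":
    for client, label, url in scan_log(SAMPLE_LOG):
        print(f"{client}\t{label}\t{url}")
    for path, what in match_hashes(FILE_INVENTORY):
        print(f"{path}\tmatches known hash: {what}")
```

Percent-decoding the path before comparing matters here because the kit was reached through both `zynga%20poker/` and `zynga poker/` style paths; matching on the raw string would miss one of them. The MD5 lookup is only as good as the two hashes on the page, so in practice it complements, rather than replaces, antivirus coverage.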


Related information
Phishing database III

Jorge Mieres
