Sunday, 17 February 2013

Phish-BankFraud: RDP Spam

I've already done several posts about EDF phishing:
Phish-BankFraud/PHP.Mailer/PHP.Shell
Phish-BankFraud (EDF+CAF)
Phish-BankFraud (EDF, CAF, and now Carrefour)

Still active:

But this time let's look at one source: a compromised French machine...

HTML body:


SMTP:

The machine was also used to scan for other machines with weak passwords.
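A detection-side example added here, not code from the post: given Windows Security logon events, flag a source IP that fails many RDP logons (event 4625, logon type 10) within a short window, and the worse case where a successful RDP logon (event 4624) from the same IP follows the burst, which is the "weak password" outcome described above. The log lines, IP addresses and usernames are constructed, and the one-line `key=value` rendering is an assumed format, not native Windows event text.

```python
"""Flag RDP password-guessing bursts in Windows Security logon events."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample records (not from the post). Simplified one-line rendering
# of Windows Security events 4625 (failed logon) and 4624 (successful logon);
# LogonType 10 is RemoteInteractive, i.e. RDP. IPs are documentation ranges.
SAMPLE_LOG = """\
2013-02-17T03:14:05 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.5
2013-02-17T03:14:06 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.5
2013-02-17T03:14:07 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.5
2013-02-17T03:14:08 EventID=4625 LogonType=10 TargetUser=user SourceIP=203.0.113.5
2013-02-17T03:14:09 EventID=4625 LogonType=10 TargetUser=administrateur SourceIP=203.0.113.5
2013-02-17T03:14:11 EventID=4624 LogonType=10 TargetUser=administrateur SourceIP=203.0.113.5
2013-02-17T08:02:00 EventID=4625 LogonType=10 TargetUser=jdupont SourceIP=198.51.100.7
2013-02-17T09:30:00 EventID=4624 LogonType=10 TargetUser=jdupont SourceIP=198.51.100.7
2013-02-17T09:31:00 EventID=4624 LogonType=2 TargetUser=jdupont SourceIP=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse(log_text):
    """Parse the assumed one-line format into event dicts; unknown lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "eid": int(m["eid"]),
            "logon_type": int(m["lt"]),
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return one finding per source IP that produced `threshold` or more failed
    RDP logons inside `window`. If a successful RDP logon from that IP follows
    the burst, the account it landed on is reported as likely compromised."""
    rdp = [e for e in events if e["logon_type"] == 10]  # RDP only
    by_ip = defaultdict(list)
    for e in rdp:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["eid"] == 4625]

        # Sliding window over failures: track the densest burst and when it ended.
        start, max_in_window, burst_end = 0, 0, None
        for i, f in enumerate(failures):
            while f["ts"] - failures[start]["ts"] > window:
                start += 1
            count = i - start + 1
            max_in_window = max(max_in_window, count)
            if count >= threshold:
                burst_end = f["ts"]
        if burst_end is None:
            continue  # never reached the threshold; not a burst

        success_after = [e for e in evs if e["eid"] == 4624 and e["ts"] >= burst_end]
        findings[ip] = {
            "failed_attempts": len(failures),
            "max_in_window": max_in_window,
            "usernames_tried": sorted({f["user"] for f in failures}),
            "compromised_account": success_after[0]["user"] if success_after else None,
        }
    return findings


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(parse(SAMPLE_LOG)).items():
        print(ip, info)
```

The threshold and window are deliberately low so the constructed sample trips them; on a real host, tune them to the volume of legitimate logon noise, and treat any "compromised_account" hit as an incident rather than an alert, since a host that reaches that state is exactly the kind of spam relay and scanner described in this post.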

For example, another French compromised machine used for spam:

This is HTML source of message you composed. Do not modify here.</COMMENT>
To modify this message press HTML Messages Editor button.</COMMENT>
<HTML><HEAD><TITLE></TITLE>
</HEAD>
<BODY bgcolor=#FFFFFF leftmargin=5 topmargin=5 rightmargin=5 bottommargin=5>
<FONT size=2 color=#000000 face="Arial">
<DIV>
<FONT size=3 color=#000080 face="Comic Sans MS"><B><I>From: National Security Agency (N.S.A)</B></I></FONT><FONT size=3 color=#000000 face="Comic Sans MS"> </FONT></DIV>
<DIV>
<FONT size=3 color=#000080 face="Comic Sans MS"><B><I>United State of America</B></I></FONT><FONT size=3 color=#000000 face="Comic Sans MS"> </FONT></DIV>
<DIV>
<FONT size=3 color=#000080 face="Comic Sans MS"><B><I>Crime Fighters</B></I></FONT><FONT size=3 color=#000000 face="Comic Sans MS"> </FONT></DIV>
<DIV>
<FONT size=3 color=#800000 face="Comic Sans MS"><B><I><U>This is Official advise From U.S. Department of Justice NSA</B></I></U></FONT><FONT size=3 color=#000000 face="Comic Sans MS"> </FONT></DIV>
<DIV>
<FONT size=3 color=#000000 face="Comic Sans MS"> </FONT></DIV>
<DIV>
<FONT size=3 color=#000000 face="Comic Sans MS"> </FONT></DIV>
<DIV>
<FONT size=3 color=#000000 face="Comic Sans MS"><B><I>National Security Agency, American's alliance prospect, we work in line with CIA and Federal Bureau of Investigation F.B.I to fight and minimize crime globally.</B></I></FONT><FONT size=3 color=#000000 face="Comic Sans MS"> </FONT></DIV>
<DIV>
<FONT size=3 color=#000000 face="Comic Sans MS"> </FONT></DIV>
<DIV>
<FONT size=3 color=#000000 face="Comic Sans MS"> </FONT></DIV>
<DIV>
<FONT size=3 color=#000000 face="Comic Sans MS"><B><I>Be informed that you have given three working days extension to provide the required documents needed by Federal Reserve Bank to released the deposit of us$10.5million in your account, We work in affiliation with FBI and Homeland Security to carried out the required duty as mandated. we need mentioned document as soon as possible to enable all concern agency to perform the ratification of the transfer you are about to received from Federal Reserve Bank to your account.</B></I></FONT><FONT size=3 color=#000000 face="Comic Sans MS"> </FONT></DIV>
<DIV>
<FONT size=3 color=#000000 face="Comic Sans MS"> </FONT></DIV>
<DIV>
<FONT size=3 color=#000000 face="Comic Sans MS"> </FONT></DIV>
<DIV>
<FONT size=3 color=#000000 face="Comic Sans MS"><B><I>A proper documentation of this transfer is important for security of our country and world at large.</B></I></FONT><FONT size=3 color=#000000 face="Comic Sans MS"> </FONT></DIV>
<DIV>
<FONT size=3 color=#000000 face="Comic Sans MS"> </FONT></DIV>
<DIV>
<FONT size=3 color=#000000 face="Comic Sans MS"><B><I>Original Fund Identification Record Certificate (O.F.I.R.C} is only proof Requested by Federal Reserve Bank to released the Deposit of US$10.5M in your account.</B></I></FONT><FONT size=3 color=#000000 face="Comic Sans MS"> </FONT></DIV>
<DIV>
<FONT size=3 color=#000000 face="Comic Sans MS"> </FONT></DIV>
<DIV>
<FONT size=3 color=#000000 face="Comic Sans MS"> </FONT></DIV>
<DIV>
<FONT size=3 color=#000000 face="Comic Sans MS"><B><I>Listen very carefully If after this Three Days grace you did not get back to us with the mentioned document National Security Agency shall consider this money as an act of terrorism, money laundering . then Our security men will head to your City to apprehend you and bring you in for further interrogation.for you to have the mentioned documents Contact Mark Kojo on Tel +234-8169609435 or email markkojo2@yahoo.com for acquisition of mentioned Document which will facilitate for immediate release of the us$10.5million in your bank account.</B></I></FONT><FONT size=3 color=#000000 face="Comic Sans MS"> </FONT></DIV>
<DIV>
<FONT size=3 color=#000000 face="Comic Sans MS"> </FONT></DIV>
<DIV>
<FONT size=3 color=#000000 face="Comic Sans MS"> </FONT></DIV>
<DIV>
<FONT size=3 color=#000000 face="Comic Sans MS"><B><I>Contact Person: Mark Kojo</B></I></FONT><FONT size=3 color=#000000 face="Comic Sans MS"> </FONT></DIV>
<DIV>
<FONT size=3 color=#000000 face="Comic Sans MS"><B><I>E mail.address: markkojo2@yahoo.com</B></I></FONT><FONT size=3 color=#000000 face="Comic Sans MS"> </FONT></DIV>
<DIV>
<FONT size=3 color=#000000 face="Comic Sans MS"><B><I>Telephone: +234-8169609435</B></I></FONT><FONT size=3 color=#000000 face="Comic Sans MS"> </FONT></DIV>
<DIV>
<FONT size=3 color=#000000 face="Comic Sans MS"><B><I>Office Address: 15A Awolowo !Road, Ikoyi, Lagos.Nigeria.</B></I></FONT><FONT size=3 color=#000000 face="Comic Sans MS"> </FONT></DIV>
<DIV>
<FONT size=3 color=#000000 face="Comic Sans MS"> </FONT></DIV>
<DIV>
<FONT size=3 color=#000000 face="Comic Sans MS"> </FONT></DIV>
<DIV>
<FONT size=3 color=#000000 face="Comic Sans MS"><B><I>This US$10.5Million will be transferred into your bank account within two working days you secure FUND IDENTIFICATION RECORD CLEARANCE CERTIFICATE from Nigeria where the US$10.5M was originated.</B></I></FONT><FONT size=3 color=#000000 face="Comic Sans MS"> </FONT></DIV>
<DIV>
<FONT size=3 color=#000000 face="Comic Sans MS"> </FONT></DIV>
<DIV>
<FONT size=3 color=#000000 face="Comic Sans MS"> </FONT></DIV>
<DIV>
<FONT size=3 color=#000000 face="Comic Sans MS"><B><I>After providing the document National Security Agency will authorize Federal Reserve Bank to transfer us$10.5million into your bank account because with provision of this required document we shall clear the fund to be released in your account.</B></I></FONT><FONT size=3 color=#000000 face="Comic Sans MS"> </FONT></DIV>
<DIV>
<FONT size=3 color=#000000 face="Comic Sans MS"> </FONT></DIV>
<DIV>
<FONT size=3 color=#000000 face="Comic Sans MS"> </FONT></DIV>
<DIV>
<FONT size=3 color=#000000 face="Comic Sans MS"><B><I>We need this Fund Identification Record clearance Certificate as a proof to the below frozen wired transaction ID : 1010253822148 and Be informed that You do not have any rights to receive these US$10.5Milion UNTIL YOU SECURE Fund Identification Record clearance Certificate from our payment coordinator Mr Mark Kojo .</B></I></FONT><FONT size=3 color=#000000 face="Comic Sans MS"> </FONT></DIV>
<DIV>
<FONT size=3 color=#000000 face="Comic Sans MS"> </FONT></DIV>
<DIV>
<FONT size=3 color=#000000 face="Comic Sans MS"> </FONT></DIV>
<DIV>
<FONT size=3 color=#000000 face="Comic Sans MS"><B><I>Note you don't have all the time in the world and delay is dangerous.</B></I></FONT><FONT size=3 color=#000000 face="Comic Sans MS"> </FONT></DIV>
<DIV>
<FONT size=3 color=#000000 face="Comic Sans MS"><B><I>Mr. Brian Bluckwall</B></I></FONT><FONT size=3 color=#000000 face="Comic Sans MS"> </FONT></DIV>
<DIV>
<FONT size=3 color=#000000 face="Comic Sans MS"><B><I>For: National Security Agency (NSA)</B></I></FONT></DIV>
</FONT>
</BODY></HTML>

French doctor compromised:


4 comments:

  1. Nice, the doctor's axis santé :/
    And on top of that, the admin password for that thing isn't hard to crack...

    One more proof that the security of our data depends first and foremost on raising awareness among the staff who handle it!

  2. I don't quite see the connection between the phishing and the compromised machines that can be accessed via RDP: did the phishing email come with an infected attachment?

    Replies
    1. No, he just sends the phishing from the compromised machines

  3. lol -1 for Kaspersky