RE: Phishing attack. Basic encoding

["Peter Kruse" <alert () krusesecurity dk>]

Hi Peter,

> I have had a number of reports of messages targetting users on domains 
> for their credentials.
> The interesting part of this message is the very basic but effective 
> encoding of the message. It appears that there are a couple of 
> characters that instruct the mail program to display the characters in 
> the reverse order.

Yep, this has been going on for a week or so. We have blocked many copies at
our gateway service.
 
> An example is attached. This appears to be random in the characters 
> reversed based on a number of examples forwarded.
> I would say this is a simple yet effective way of bypassing signature 
> based filters.

Indeed. 
 
> They also appear to be bouncing through Google to the compromised 
> website for phishing credentials. I am guessing it is phishing as the 
> websites that I have seen were unavailable at the time.

Yes, it uses a google redirector and a encoding scheme in order to slip past
filters.

If clicked, it will post data to a remote cgi script "poch.cgi" in a small
window. The domain where the cgi script is hosted changes, but
"stand_artza._com" is the most popular.  

The poch.cgi returns the following code:

<S_CRIPT>
window.close();
</S_CRIPT>

This is not phishing. My guess is this is data collection. The purpose is
likely to collect IP addresses, domainname, date, time etc. What this
information is used for, we can only speculate, but it could be some sort of
seeding vector calculator.

Regards
Peter Kruse


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/