Ebay Scam: What do yernadop, Randy and supfly2k@hotmail.com have in common?

Friday I received another “phishing” email (see also: ebay “Account Verification” scam / yernadop and Ebay Account Verification - yernadop again - Wake Up! on this site). This time I was directed to another hijacked server at https://203.229.212.233/ebay1/ebay1/index.html (not linked for obvious reasons).

The page at this URL showed the well-known “Verify your EBay account” page which again included entry fields for all sorts of personal stuff (like SSN, Bank account numbers, PIN numbers for your ATM card, etc.).

I went to the site, looked around and managed to get a nice directory index by going to https://203.229.212.233/ebay1/ebay1/. Here’s a snapshot of this directory:

Index of https://203.229.212.233/ebay1/ebay1/

Again I see “yernadop” appearing in some of the files/directory-names on this site. However this time there’s more stuff.

In one of the source files (verified.html) I find this fragment of HTML code:

<TD><IMG height=1 src="https://203.229.212.233/ebay1/ebay1/My%20eBay_com%20Items %20I'm%20Bidding%20On%20for%20supafly2k@hotmail_com_files/spacer.gif"
width=180></TD>
<TD><IMG height=1 src="https://203.229.212.233/ebay1/ebay1/My%20eBay_com%20Items %20I'm%20Bidding%20On%20for%20supafly2k@hotmail_com_files/spacer.gif"
width=1></TD>

Those are the definitions of two cells in a table which use the same content, an image called “spacer.gif”. The interesting part here: it seems that the creator of this file was not very careful. Notice that “supafly2k@hotmail.com” appears in the “filename” for the images. This happens when somebody uses a browser's feature to save an existing web page (the original at ebay.com) and then reuses the saved files on another web site. I now know that the person who saved the files has an ebay account and uses supafly2k@ebay.com as the username/handle.

The second thing I noticed was the following. In some of the directories on the hijacked site I find WS_FTP.LOG files. Those files are created by a popular Windows FTP application (see http://www.ipswitch.com/Products/WS_FTP/) and provide a log of all transfers that happened from a source location to a destination location.

Here are three sample lines from one of those WS_FTP.LOG files:

2003.12.21 17:48 B C:\Documents and Settings\Randy\My Documents\ebay1\ebay1\eBay Verification_files\1_active_35x35.gif --> 080803.netfirms.com /www/eBay Verification_files 1_active_35x35.gif
2003.12.21 17:48 B C:\Documents and Settings\Randy\My Documents\ebay1\ebay1\eBay Verification_files\2_disabled_35x35.gif --> 080803.netfirms.com /www/eBay Verification_files 2_disabled_35x35.gif
2003.12.21 17:48 B C:\Documents and Settings\Randy\My Documents\ebay1\ebay1\eBay Verification_files\3_disabled_35x35.gif --> 080803.netfirms.com /www/eBay Verification_files 3_disabled_35x35.gif

The first sample line says that on December 21, 2003 somebody transferred an image called “1_active_35x35.gif” from the source computer to the FTP server at 080803.netfirms.com, into the directory “/www/eBay Verification_files”. This “somebody” again was not careful and revealed part of his/her identity, because we can see “Randy” appearing in the path to the source document.
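The two leaks above (an e-mail address in a saved-page asset folder name, and a Windows profile name plus upload host in WS_FTP.LOG) can be pulled out mechanically when triaging a copied phishing kit. The following is an added example, not code from the original post; the sample HTML and log lines are constructed to mirror the fragments quoted here, and the WS_FTP.LOG column layout is assumed from those lines rather than taken from any official specification.

```python
import re
from urllib.parse import unquote
# Constructed sample input modelled on the fragments quoted in the post:
# one saved-page image path and two WS_FTP.LOG transfer lines.
SAMPLE_HTML = r"""<TD><IMG height=1 src="https://203.229.212.233/ebay1/ebay1/My%20eBay_com%20Items%20I'm%20Bidding%20On%20for%20supafly2k@hotmail_com_files/spacer.gif" width=180></TD>"""
SAMPLE_LOG = r"""2003.12.21 17:48 B C:\Documents and Settings\Randy\My Documents\ebay1\ebay1\eBay Verification_files\1_active_35x35.gif --> 080803.netfirms.com /www/eBay Verification_files 1_active_35x35.gif
2003.12.21 17:48 B C:\Documents and Settings\Randy\My Documents\ebay1\ebay1\eBay Verification_files\2_disabled_35x35.gif --> 080803.netfirms.com /www/eBay Verification_files 2_disabled_35x35.gif"""

# Windows "save complete web page" names the asset folder "<page title>_files",
# with dots in the title turned into underscores (hotmail.com -> hotmail_com).
SAVED_FILES_RE = re.compile(r"([A-Za-z0-9._+-]+@[A-Za-z0-9-]+_[A-Za-z]{2,})_files/")

# WS_FTP.LOG line layout as seen in the post (assumed, not an official spec):
# "<date> <time> <A|B> <local path> --> <host> <remote dir> <remote file>"
LOG_RE = re.compile(
    r"^(?P<date>\d{4}\.\d{2}\.\d{2}) (?P<time>\d{2}:\d{2}) (?P<mode>[AB]) "
    r"(?P<local>.+?) --> (?P<host>\S+) (?P<remote_dir>.+) (?P<file>\S+)$"
)

def emails_from_saved_page_paths(html):
    """Recover e-mail addresses leaked through saved-page asset folder names."""
    found = set()
    for src in re.findall(r'src="([^"]+)"', html, flags=re.IGNORECASE):
        for m in SAVED_FILES_RE.finditer(unquote(src)):
            local, _, domain = m.group(1).partition("@")
            found.add(f"{local}@{domain.replace('_', '.')}")
    return sorted(found)

def parse_ws_ftp_log(text):
    """Parse transfer lines; also pull the Windows profile name out of the local path."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip headers or lines in a layout we do not recognise
        rec = m.groupdict()
        user = re.search(r"\\Documents and Settings\\([^\\]+)\\", rec["local"])
        rec["profile_user"] = user.group(1) if user else None
        records.append(rec)
    return records

def kit_summary(html, log_text):
    """Pivot points a responder would record: identities, upload host, timeline."""
    recs = parse_ws_ftp_log(log_text)
    return {
        "saved_page_emails": emails_from_saved_page_paths(html),
        "profile_users": sorted({r["profile_user"] for r in recs if r["profile_user"]}),
        "upload_hosts": sorted({r["host"] for r in recs}),
        "earliest_upload": min(f"{r['date']} {r['time']}" for r in recs) if recs else None,
    }
```

Run `kit_summary(SAMPLE_HTML, SAMPLE_LOG)` to get the address, profile name, upload host and first upload time in one dictionary, ready to go into an incident note or abuse report.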

This links yernadop, supafly2k@hotmail.com and “Randy” together. Let’s wait for the next phishing email to collect more information …

PS: The https://203.229.212.233/ phishing site seems to be down this morning.

One Response to “ Ebay Scam: What do yernadop, Randy and supfly2k@hotmail.com have in common? ”

  1. rio
    May 10th, 2004 | 11:26 am

    nice blog! just wanted to drop a notice that the International Webloggers’ Day is June 9, 2004! http://www.intlblogday.tk

    :: you never know about security these days… ::
