Government website of Jordan used for phishing

27/05/2009 Written by Boris Mutina (minor)

The phish­ing scams are quite com­mon in our mail­boxes, among them Pay­Pal related are the ones most used and the less to be believed. Any­way it might appear to be use­ful to observe those scams and thanks to this one of the lat­est phish­ing attempts appeared to be really interesting.

Fol­low­ing scam email was deliv­ered to our mail­box:

Dear Mem­ber,
This is your offi­cial noti­fi­ca­tion from Pay­Pal Inc. that the service(s) listed below will be deac­ti­vated and deleted if not renewed imme­di­ately. Pre­vi­ous noti­fi­ca­tions have been sent to the Billing Con­tact assigned to this account. As the Pri­mary Con­tact, you must renew the service(s) listed below or it will be deac­ti­vated and deleted.

Renew Now your Online Account and Debit Card ser­vices.
 
SER­VICE: Online Account and Debit Card.
EXPI­RA­TION: May, 27 2009

Thank you for using Online Account.
We appre­ci­ate your busi­ness and the oppor­tu­nity to serve you.
 
Pay­Pal Inc.

*****************************************************************************
IMPOR­TANT MEM­BER SER­VICE INFOR­MA­TION
*****************************************************************************
 
Please do not reply to this mes­sage. For any inquiries, con­tact Mem­ber Ser­vice.
 
Copy­right © 1999 – 2007 Pay­Pal. All rights reserved.


A link in this email pointed to the fol­low­ing URL:

http://​www​.vtc​.gov​.jo/​a​c​c​o​u​n​t​s​.​p​a​y​p​a​l​.​u​s​/​w​w​w​.​p​a​y​p​a​l​.​c​o​m​/​c​g​i​-​b​i​n​/​w​e​b​s​c​r​/​c​m​d​=​_​l​o​g​i​n​-run/




Yes, you’re right, the phish­ing scam appears to be located on gov­ern­ment web­site of the Hashemite King­dom of Jor­dan. When we real­ized this we had sev­eral thoughts. DNS hijack­ing was not the case, Net­craft recorded the web­site about one year ago on IP_212.118.8.52, which we also dis­cov­ered by now.



Any­way, the Net­craft claimed, the web­site is pow­ered by IIS6, which can be eas­ily proven by Google by search­ing for any pages from this web­site (they appar­ently used ASP​.NET).


If you try to open any doc­u­ment from the search results, you will get the 404, every­thing van­ished… and server is Apache on win32?!?



By observ­ing the behav­ior of the phish­ing scam activ­i­ties we also found out where our “credit card data” should travel to. Attempt­ing to tam­per the post request revealed email address:
jauclair@​afllp.​com



…which is not unknown — there already was at least one phish­ing scam con­nected with this email address. Unfor­tu­nately we can­not read about it online any­more, Castle­Cops, the vol­un­teer web­site that recorded sim­i­lar phish­ing case doesn’t work any­more. By the way, they were hit by Pay­Pal related attack tar­geted on their rep­u­ta­tion.

http://​news​.zdnet​.co​.uk/​s​e​c​u​r​i​t​y​/​0​,​1​0​0​0​0​0​0​1​8​9​,​3​9​2​8​9​5​0​9​,​0​0.htm

Our final result on this case could be this:
As we told already before, com­pro­mised servers will be less used for putting deface­ments on them, they will be mis­used for spread­ing of the mal­ware, the phish­ing scams and other crim­i­nal activ­i­ties. This hap­pened also in this case: we believe that the server has been com­pro­mised by the attack­ers, IIS has been sus­pended, data was removed and scammer’s tools and fake web­site files were mounted on it (Apache). Since such scams do not last for ever, in next days the phish­ing page dis­ap­pears from the server and reg­u­lar con­tent will be mounted.

This time it was yet another phish­ing attack. Com­pro­mised web­server belong­ing to the gov­ern­ment could be used for attack­ing users on many dif­fer­ent ways, not just like that. Thanks God.

Share this content: