Pharming and Phishing in Brazilian sites
Some days ago we received an e-mail notifying us about malicious code propagated using a URL like the following:
http://XXXXXXX#/fotos_flagrante-Dilma.JPEG?0.25970
The file could be downloaded from the link above and is identified as fotos.com. So far, the antivirus engines that detect it as a threat are the following:
The digital information from the sample is shown as follows:
When executed, it launches Internet Explorer and Firefox and makes a request to the site httpXXXXXX://boloob.com/ /new/total_visitas.php
It deletes the hosts file on the computer and creates a new one that pharms the following sites:
173.XXX.XXX.203 serasa.com.br
173.XXX.XXX.203 www.serasa.com.br
173.XXX.XXX.203 bradescopj.com.br
173.XXX.XXX.203 itau.com.br
173.XXX.XXX.203 bradesconetempresa.com.br
173.XXX.XXX.203 www.bradesconetempresa.com.br
173.XXX.XXX.203 www.santander.com.br
173.XXX.XXX.203 www.banespa.com.br
173.XXX.XXX.203 www.santanderbanespa.com.br
173.XXX.XXX.203 santander.com.br
173.XXX.XXX.203 banespa.com.br
173.XXX.XXX.203 santanderbanespa.com.br
173.XXX.XXX.203 www.americanexpress.com.br
173.XXX.XXX.203 americanexpress.com.br
173.XXX.XXX.203 www.msn.com
173.XXX.XXX.203 msn.com
173.XXX.XXX.203 www.hotmail.com
173.XXX.XXX.203 hotmail.com
173.XXX.XXX.203 www.live.com
173.XXX.XXX.203 live.com
173.XXX.XXX.203 www.itau.com.br
173.XXX.XXX.203 www.itaupersonnalite.com.br
173.XXX.XXX.203 itaupersonnalite.com.br
173.XXX.XXX.203 www.banrisul.com.br
173.XXX.XXX.203 banrisul.com.br
173.XXX.XXX.203 www.bradesco.com.br
173.XXX.XXX.203 www.bradescoprime.com.br
173.XXX.XXX.203 www.prime.com.br
173.XXX.XXX.203 bradesco.com.br
173.XXX.XXX.203 bradescoprime.com.br
173.XXX.XXX.203 prime.com.br
173.XXX.XXX.203 www.bradescopessoajuridica.com.br
173.XXX.XXX.203 bradescopessoajuridica.com.br
173.XXX.XXX.203 www.bradescopj.com.br
173.XXX.XXX.203 www.bb.com.br
173.XXX.XXX.203 bb.com.br
173.XXX.XXX.203 www.bancodobrasil.com.br
173.XXX.XXX.203 bancodobrasil.com.br
173.XXX.XXX.203 www.caixa.com.br
173.XXX.XXX.203 www.caixa.gov.br
173.XXX.XXX.203 www.caixaeconomica.com.br
173.XXX.XXX.203 www.caixaeconomica.gov.br
173.XXX.XXX.203 www.caixaeconomicafederal.gov.br
173.XXX.XXX.203 www.cef.com.br
173.XXX.XXX.203 www.cef.gov.br
173.XXX.XXX.203 caixa.com.br
173.XXX.XXX.203 caixa.gov.br
173.XXX.XXX.203 caixaeconomica.com.br
173.XXX.XXX.203 caixaeconomica.gov.br
173.XXX.XXX.203 caixaeconomicafederal.com.br
173.XXX.XXX.203 caixaeconomicafederal.gov.br
173.XXX.XXX.203 cef.com.br
173.XXX.XXX.203 cef.gov.br
At present, the phishing pages for the following sites remain active:
santander.com.br: http://173.XXX.XXX.203/language/en-GB/home/images/home/santander/portal/gsb/script/templates/GCMRequest.do.htm
serasa.com.br: http://173.XXX.XXX.203/language/en-GB/home/consulta/
americanexpress.com.br: http://173.XXX.XXX.203/language/en-GB/home/br/
bradesco.com.br: http://173.XXX.XXX.203/language/en-GB/home/bnet/
caixa: http://173.XXX.XXX.203/language/en-GB/home/cef/
hotmail.com, msn.com, live.com: http://173.XXX.XXX.203/logs/index.htm
In the code of the site it can be observed that it stores account names and passwords using a PHP file at http://187.X.X.225/sb/get.php, and afterwards redirects to the genuine Hotmail site.
Phishing sites:
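As an added example (not the post's own code), a small Python checker that parses a hosts file and flags the pharming pattern described above: many unrelated hostnames pinned to a single non-local IP address. The hosts text is constructed, and 192.0.2.203 is a placeholder standing in for the redacted 173.XXX.XXX.203 address.

```python
import ipaddress
from collections import defaultdict

# Constructed sample resembling the rewritten hosts file from the post;
# 192.0.2.203 is a placeholder for the redacted 173.XXX.XXX.203 address.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
192.168.1.10 intranet.corp.local   # normal local override
192.0.2.203 serasa.com.br
192.0.2.203 www.serasa.com.br
192.0.2.203 itau.com.br
192.0.2.203 www.santander.com.br
192.0.2.203 bb.com.br
192.0.2.203 www.hotmail.com
"""

# Ranges where a hosts override is expected (loopback, RFC 1918, link-local, ULA).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "fe80::/10", "fc00::/7")]

def is_local(addr):
    """True if addr is in LOCAL_NETS; a v4/v6 version mismatch yields False."""
    return any(addr in net for net in LOCAL_NETS)

def parse_hosts(text):
    """Return {ip: [hostnames]}, skipping comments and malformed lines."""
    mapping = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        mapping[str(ip)].extend(fields[1:])
    return dict(mapping)

def pharming_suspects(text, min_hosts=3):
    """Flag non-local IPs pinned to >= min_hosts distinct hostnames."""
    suspects = {}
    for ip, hosts in parse_hosts(text).items():
        unique = sorted(set(hosts))
        if not is_local(ipaddress.ip_address(ip)) and len(unique) >= min_hosts:
            suspects[ip] = unique
    return suspects
```

Running pharming_suspects(SAMPLE_HOSTS) reports only 192.0.2.203 with its six pinned hostnames; the loopback and RFC 1918 entries are ignored as legitimate local overrides.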