- 21.02.2009: More on the Adobe Acrobat 0-Day
- 19.02.2009: When PDFs Attack - Acrobat [Reader] 0-Day On the Loose
- 16.02.2009: Shadowserver - ASN & Netblock Alerting & Reporting Service
- 12.02.2009: Joint Effort at Conficker Disruption
- 02.02.2009: Reports and Data
- 29.01.2009: See below.
- 24.01.2009: More Waledac Domains to Block
- 22.01.2009: Asprox - It's Baaaaaaack
- 19.01.2009: Inauguration Themed Waledac - New Tactics & New Domains
- 09.01.2009: Waledac Domains - Updated List
- 31.12.2008: Waledac is Storm is Waledac? Peer-to-Peer over HTTP.. HTTP2p?
- 11.12.2008: IE7 0-Day Exploit Gets Worse
- 10.12.2008: IE7 0-Day Exploit Sites
- 05.12.2008: Anti-Fraud Website Under Constant DDoS Attack
Thursday, 29 January 2009
Asprox Goes Phishing Again
The first time around with Asprox, we saw a little bit of phishing. The question with any botnet is "how do they make money off of this?" Phishing is certainly one way. Renting your botnet out to a phishing organization is probably an even better way. Much less risk for you, Mr. Botnet Herder. Today we saw a template update to the drones:
<hls>
/d
/wps
/favicon.ico
/cs70_banking/logon/blank.gif
/cs70_banking/logon/favicon.gif
/cs70_banking/logon/id_logo-outside.gif
/cs70_banking/logon/id_main_sb.css
/cs70_banking/logon/popup.gif
/cs70_banking/logon/sconfirm
/cs70_banking/logon/sdetails.aspx
</hls>
Point a browser at <asprox node>/cs70_banking/logon/sconfirm and you find a phish for Alliance and Leicester Commercial Bank:

I admit I'm not entirely familiar with this bank, but it doesn't look to be your standard consumer type bank. Bigger gains to be had?
Once you fill in some details, your form is submitted to <asprox node>/cs70_banking/logon/sdetails.aspx and then your browser is redirected to the homepage of the real bank site.
With Asprox's template capabilities, I imagine we'll see more of this.
=>Posted January 29, 2009, at 01:28 PM by Mike Johnson
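A defender-side sketch, added here and not part of the original post: it scans web proxy logs for requests to the phish paths from the template above on hosts other than the real bank, and separates clients that only loaded the page from clients that submitted the form to sdetails.aspx. The log layout, the `bank.example` allowlist entry and the sample lines are assumptions constructed for the example.

```python
import re

# Paths from the <hls> template that are specific to the phish
# (generic entries such as /d, /wps and /favicon.ico are left out to avoid noise).
PHISH_PREFIX = "/cs70_banking/logon/"
SUBMIT_PATH = "/cs70_banking/logon/sdetails.aspx"

# Assumption: hosts allowed to serve these paths; placeholder for the real bank site.
LEGIT_HOSTS = {"bank.example"}

# Assumed log layout: "<timestamp> <client-ip> <method> <host> <path> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+) (\d{3})$")

def find_phish_hits(lines, legit_hosts=LEGIT_HOSTS):
    """Return {(client, host): "visited" | "submitted"} for template-path requests."""
    hits = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines
        _ts, client, method, host, path, _status = m.groups()
        host = host.lower().rstrip(".")
        path = path.split("?", 1)[0].lower()  # drop query string, normalise case
        if host in legit_hosts or not path.startswith(PHISH_PREFIX):
            continue
        key = (client, host)
        if method == "POST" and path == SUBMIT_PATH:
            hits[key] = "submitted"   # form data was sent to the node
        else:
            hits.setdefault(key, "visited")
    return hits

# Constructed sample log lines (documentation-range addresses, not real data)
SAMPLE_LOG = """\
2009-01-29T13:01:02Z 10.0.0.15 GET 192.0.2.44 /cs70_banking/logon/sconfirm 200
2009-01-29T13:01:03Z 10.0.0.15 GET 192.0.2.44 /cs70_banking/logon/id_main_sb.css 200
2009-01-29T13:01:40Z 10.0.0.15 POST 192.0.2.44 /cs70_banking/logon/sdetails.aspx 302
2009-01-29T13:02:10Z 10.0.0.22 GET 198.51.100.7 /cs70_banking/logon/sconfirm 200
2009-01-29T13:03:00Z 10.0.0.30 GET bank.example /cs70_banking/logon/sconfirm 200
2009-01-29T13:04:00Z 10.0.0.31 GET 192.0.2.44 /index.html 200
""".splitlines()

if __name__ == "__main__":
    for (client, host), state in sorted(find_phish_hits(SAMPLE_LOG).items()):
        print(f"{client} -> {host}: {state}")
```

Clients reported as "submitted" are the ones whose credentials should be treated as exposed; "visited" clients reached the page but no form post was logged.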


