Somehow I Got Phished - Any Anti-Phishing Experts Here?

Discussion in 'BlackHat Lounge' started by WizGizmo, Dec 7, 2009.

  1. WizGizmo

    WizGizmo Super Moderator Staff Member Premium Member

    Joined: Mar 28, 2008 | Messages: 3,832 | Likes Received: 55,431
    Hey B-Hatters:

    I am sure that many of you are aware of the PayPal email scam where you receive an email supposedly from PayPal saying that "for security purposes" they need to have you re-fill a form with all of your personal info in it. Well, I could smell a scam on that one and didn't fall for it. However, I have somehow been Phished and when I go to log on to my actual PayPal account, it looks like the main log on page of PayPal, but it isn't, because I could see that I was getting a re-direct from:
    Code:
    altfarm.mediaplex.com
    Anyone know about this? . . and does anyone know how to remove this very sneaky re-direct? . . . I would be interested to know.

    Thanks - "Wiz"
     
    Last edited: Dec 7, 2009
  2. oyeah22

    oyeah22 Power Member

    Joined: Nov 9, 2009 | Messages: 633 | Likes Received: 244 | Location: i dont remember
    What account was phished? Hotmail, Craigslist, Yahoo, Gmail? Also give us the phishing link so we can possibly track the link.
     
  3. WizGizmo

    WizGizmo Super Moderator Staff Member Premium Member

    Joined: Mar 28, 2008 | Messages: 3,832 | Likes Received: 55,431
    It's PayPal. I try going there, but get a re-direct to a page that looks like the log in page, but it actually isn't.
     
  4. oni3350

    oni3350 Regular Member

    Joined: Sep 24, 2008 | Messages: 361 | Likes Received: 194 | Occupation: Internet Marketer/ Black Hatter | Location: Perth, Western Australia
    Is it possible for you to back up your system and do a format?

    I think that would be the best thing to do...

    Have no idea how you would have got that redirect or how to remove it though.

    But even if you do find and remove it, how can you be sure that EVERYTHING to do with this redirect is really gone?
     
  5. oyeah22

    oyeah22 Power Member

    Joined: Nov 9, 2009 | Messages: 633 | Likes Received: 244 | Location: i dont remember
    Did you use CCleaner? Maybe it's some kind of cookie or temporary file.
     
  6. WizGizmo

    WizGizmo Super Moderator Staff Member Premium Member

    Joined: Mar 28, 2008 | Messages: 3,832 | Likes Received: 55,431
    Yes. That is the last resort. But I was interested to know if there was a way to somehow restore it back to the true PayPal link.
     
  7. oyeah22

    oyeah22 Power Member

    Joined: Nov 9, 2009 | Messages: 633 | Likes Received: 244 | Location: i dont remember
    Go to the page and hit view source to see where it's sending the login info.
     
  8. WizGizmo

    WizGizmo Super Moderator Staff Member Premium Member

    Joined: Mar 28, 2008 | Messages: 3,832 | Likes Received: 55,431
    I have cleaned my cookies and even re-installed Eset NOD 32 and Spyware Doctor and also installed an anti-keylogger, but I still get that damned re-direct.

    Edit: I will check the "View Source".
     
  9. oyeah22

    oyeah22 Power Member

    Joined: Nov 9, 2009 | Messages: 633 | Likes Received: 244 | Location: i dont remember
    It's something to deal with a file being rewritten in the Windows folder, supposedly. I'm talking to my friend right now about it.
     
  10. WizGizmo

    WizGizmo Super Moderator Staff Member Premium Member

    Joined: Mar 28, 2008 | Messages: 3,832 | Likes Received: 55,431
    Cool. Any info would be helpful.
     
  11. Alex Brooks

    Alex Brooks BANNED BANNED

    Joined: Mar 17, 2009 | Messages: 1,199 | Likes Received: 297
    It's called pharming, more or less: instead of phishing, creating a fake page, it redirects the domain to the fake page, so you believe it's a legit page and therefore enter your details in and so on.

    Check your hosts file; this link will help you understand the hosts file and how to access it.
    http://en.wikipedia.org/wiki/Hosts_file
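
The hosts-file check suggested in the post above, as an added example that is not part of the original thread: it parses hosts-file text and reports entries that point a watched domain at a routable address. The function names, the `WATCHED` list and the sample file contents are constructed for illustration.

```python
import ipaddress

# Domains to watch; paypal.com comes from the thread, extend as needed.
WATCHED = ("paypal.com",)

# Constructed sample in hosts-file syntax (203.0.113.0/24 is a documentation range).
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net      # sinkholed by an ad blocker
203.0.113.50    www.paypal.com PayPal.com.   # not written by the user
203.0.113.50    intranet.example.org
not-an-ip       broken.example
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each valid mapping, skipping comments."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address: skip the line
        for name in fields[1:]:
            # Normalise case and a trailing root dot before comparing.
            yield line_no, ip, name.lower().rstrip(".")

def is_watched(host, watched=WATCHED):
    """True for the domain itself or any subdomain, not for look-alikes."""
    return any(host == d or host.endswith("." + d) for d in watched)

def audit_hosts(text, watched=WATCHED):
    """Return watched-domain entries that send traffic to a routable address."""
    findings = []
    for line_no, ip, host in parse_hosts(text):
        # Loopback / 0.0.0.0 entries block a name rather than redirect it.
        if ip.is_loopback or ip.is_unspecified:
            continue
        if is_watched(host, watched):
            findings.append((line_no, str(ip), host))
    return findings

if __name__ == "__main__":
    # On Windows the live file is %SystemRoot%\System32\drivers\etc\hosts.
    for line_no, ip, host in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {ip}")
```

A clean hosts file produces no findings; any finding means the name resolves locally without ever consulting DNS, which is why clearing cookies or temporary files does not remove it.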
     
  12. oyeah22

    oyeah22 Power Member

    Joined: Nov 9, 2009 | Messages: 633 | Likes Received: 244 | Location: i dont remember
    Last edited: Dec 7, 2009
  13. WizGizmo

    WizGizmo Super Moderator Staff Member Premium Member

    Joined: Mar 28, 2008 | Messages: 3,832 | Likes Received: 55,431
    Thanks antonio. I will try it now and see if I am successful. Be back shortly . . .
     
  14. Alex Brooks

    Alex Brooks BANNED BANNED

    Joined: Mar 17, 2009 | Messages: 1,199 | Likes Received: 297
    I'm quite sure that's an exploit for XOOPS 2.0.18 (http://www.xoops.org/)
     
  15. Remington

    Remington Regular Member

    Joined: Feb 27, 2009 | Messages: 305 | Likes Received: 148
    I found this thread on a Windows forum with a bit of Googling:
    Code:
    http://www.windowsbbs.com/general-security/71070-altfarm-mediaplex-nonsense.html
    The gist of it seems to be that they make deals with companies like eBay (and I presume PayPal) to track user info. So it may be legit... or at least, as legit as that kind of thing goes.

    I also came across some suggestions to check the hosts file when I searched under "altfarm.mediaplex.com" although I didn't take note of the URLs of those sites.

    It turns out that Mediaplex is a ValueClick company (I checked via domaintools.com), so it's unlikely that they'd blatantly phish.

    Edit: Of course, I may turn out to be wrong, so no guarantees...
     
  16. Alex Brooks

    Alex Brooks BANNED BANNED

    Joined: Mar 17, 2009 | Messages: 1,199 | Likes Received: 297
    I don't see why major companies such as eBay would use external services to track user data, when they could just do it themselves? Same with PayPal, but you're right about the hosts file, I stated that above. It's very interesting IMO.
     
  17. Piree

    Piree Junior Member

    Joined: Mar 7, 2009 | Messages: 110 | Likes Received: 27
    They could've injected a file on your PC (can't remember which) that redirects you automatically if you go to a certain URL. But the URL looks legit to you.

    So they can change paypal.com with phishdomain.com and you wouldn't notice it because the injection doesn't show up as a virus.
     
  18. oyeah22

    oyeah22 Power Member

    Joined: Nov 9, 2009 | Messages: 633 | Likes Received: 244 | Location: i dont remember

    Just doing some quick Googling.
     
  19. emperorniks

    emperorniks Registered Member

    Joined: Mar 9, 2009 | Messages: 91 | Likes Received: 6
    These things still exist? :LOL: It's particularly what we used to do in junior high school.
     
  20. WizGizmo

    WizGizmo Super Moderator Staff Member Premium Member

    Joined: Mar 28, 2008 | Messages: 3,832 | Likes Received: 55,431
    Thanks everyone. I will try some of your suggestions and post my results. You are welcome to keep posting replies if you think they are helpful, and I will keep checking back on the thread :)

    "Wiz"