*** WARNING **** Liberty reserve phishing attack

chmod755

legendary

Activity: 1554

Merit: 1021

Quote

Nmap scan report for llbertyreserv.com (203.124.116.1)
Host is up (0.38s latency).
rDNS record for 203.124.116.1: sg2nlhg558c1558.shr.prod.sin2.secureserver.net
Not shown: 986 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp PureFTPd
22/tcp open ssh OpenSSH 5.1 (protocol 2.0)
|_ssh-hostkey: 1024 62:5e:b9:fd:3a:70:eb:37:99:e9:12:e3:d9:3f:4e:6c (DSA)
80/tcp open http Apache httpd
|_html-title: Liberty Reserve \xE2\x80\x93 largest payment processor and money transf...
443/tcp open http Apache httpd
|_html-title: 403 Forbidden
50000/tcp closed iiimsf
50001/tcp closed unknown
50002/tcp closed iiimsf
50003/tcp closed unknown
50006/tcp closed unknown
50300/tcp closed unknown
50389/tcp closed unknown
50500/tcp closed unknown
50636/tcp closed unknown
50800/tcp closed unknown

btw.: I made a little bookmarklet to report phishing to several services:

Quote

javascript:(function(){var%20r=encodeURIComponent(location.href);window.open('https://www.google.com/safebrowsing/report_phish/?tpl=mozilla&continue=http://www.google.com/tools/firefox/toolbar/FT2/intl/en/submit_success.html&hl=en-US&url='+r);window.open('http://toolbar.netcraft.com/report_url?url='+r);window.open('https://submit.symantec.com/antifraud/phish.cgi?url_1='+r);})();

Herodes

hero member

Activity: 868

Merit: 1000

Quote from: Jaw3bmasters on March 18, 2013, 06:24:56 AM

Quote from: Herodes on March 18, 2013, 05:49:30 AM

From an academic viewpoint, this phishing attempt is quite clever..

The real bad thing here is that adsense is getting exploited, leading users that google for Liberty Reserve to click on that link. You should be rather alert not to click on it. Seasoned users would not do it, but for beginners and for anyone tired it's easy to do a mistake.

"quite clever"? You make it seem like a new exploit. That's why we have AdblockPlus, NoScript, Sandbox, etc.......

As opposed to the spam e-mails that you receive with phishing attempts, where it says: "Log in to your account within 24 hours or else you will lose your account", this is more clever, absolutely. It's blatantly criminal, so I'm not applauding it, but you gotta give the crooks some credit for their ingenuity.

Personally I do not know how this could go undetected for 5 days according to the TalkGold thread I linked to in the first post. And yes, it's the first time I've seen this kind of phishing. I would think both Liberty Reserve and Google/Adsense would have a bigger interest of avoiding stuff like this in the first place, but I guess profit is more important for them than adding lots of measures to prevent stuff like this. Still with good routines, I guess some ads may slip through the cracks anyway if it's manually verified, and probably ads are not verified before put online at all.

Jaw3bmasters

full member

Activity: 196

Merit: 100

Another block in the wall

Quote from: Herodes on March 18, 2013, 05:49:30 AM

From an academic viewpoint, this phishing attempt is quite clever..

The real bad thing here is that adsense is getting exploited, leading users that google for Liberty Reserve to click on that link. You should be rather alert not to click on it. Seasoned users would not do it, but for beginners and for anyone tired it's easy to do a mistake.

"quite clever"? You make it seem like a new exploit. That's why we have AdblockPlus, NoScript, Sandbox, etc.......

Herodes

hero member

Activity: 868

Merit: 1000

Seems like the domain is registered through GoDaddy, I'll give them notice.

Quote

Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: LLBERTYRESERV.COM
Created on: 17-Mar-13
Expires on: 17-Mar-14
Last Updated on: 17-Mar-13

Registrant:
asad asdad
asdad
delhi, Delhi 1100091
India

Administrative Contact:
asdad, asad [email protected]
asdad
delhi, Delhi 1100091
India
2188075364

Technical Contact:
asdad, asad [email protected]
asdad
delhi, Delhi 1100091
India
2188075364

Domain servers in listed order:
NS75.DOMAINCONTROL.COM
NS76.DOMAINCONTROL.COM

Herodes

hero member

Activity: 868

Merit: 1000

Quote from: chmod755 on March 18, 2013, 06:10:00 AM

Reported to Google & others!

I sent a PM to one google employe on this forum, usually whenever I want to tell Google something it's really frustrating because I don't have any e-mails to send to, and there doesn't seem to be any reporting mechanism directly connected to the ad.

DAMN: That was fast, it seems to have gone already!

chmod755

legendary

Activity: 1554

Merit: 1021

Reported to Google & others!

Herodes

hero member

Activity: 868

Merit: 1000

Anyway, there's a very serious fishing attack ongoing:

If you google for 'liberty reserve', the first add you get says:

Quote

Annonse relatert til liberty reserve

   libertyreserve.com - Liberty Reserve
   www.libertyreserve.com/
   largest payment processor and money transfer, Login now!

Then, when you click that link, you're forwarded to http://llbertyreserv.com/en/login/

This is a phishing site, inputting credentials there means you'll lose all liberty reserve funds that you have.

And it seems like the criminals are raking in:

http://www.talkgold.com/forum/r384797-.html

From an academic viewpoint, this phishing attempt is quite clever..

The real bad thing here is that adsense is getting exploited, leading users that google for Liberty Reserve to click on that link. You should be rather alert not to click on it. Seasoned users would not do it, but for beginners and for anyone tired it's easy to do a mistake.

I can't phantom why Liberty Reserve doesn't have mandatory two-factor authentication ?

The thieves probably are using fake id and fake visa towards google/adsense and probably multiple Liberty Reserve accounts, and most likely trying to withdraw from there as quickly as possible, but coupled with Liberty Reserve in general being very poor at customer service, this is a disaster.

Topic: *** WARNING **** Liberty reserve phishing attack (Read 1870 times)

Topic: * WARNING ** Liberty reserve phishing attack (Read 1870 times)