Wednesday, April 30, 2014

Citadel & ZA eFile Tax Phishing

KINS (Citadel) C&C listed on ZeuS Tracker

Was looking for a KINS panel, but it's Citadel.

So I break in and look around.

Also found on this server:
(SARS) South Africa Revenue Service phishing page, shell, and "hacked by" page.

SARS phishing landing page

Some dude was here already: make me laugh :-)

Some mailer settings:

define("EMAIL", ",");

$recipient = "";

A shell:

Art Spam and Four-In-One Phishing

Spam email campaign leads to Gmail, Yahoo, Live, and AOL phishing site.

Spam Email:
From: Richard Webber [mailto:ab_bc6@AOL.COM]
Subject: Art Investments 2014
Sent: Friday, April 25, 2014 8:01 AM
To: xxxx
Duely Important Updates on Art Investment Options, review the attached PDF and get back to me soonest,
2014 Documents.pdf
--
Richard Webber
Art Adviser Webber Art Management
Landmark Square , 2nd Floor
Stamford, CT 060908

Attachment link redirects to:

Phishing landing page.
Stolen from

The old four-in-one.

We've seen this guy before:

At least you stopped using that hideous background.

More found junk:


Tuesday, April 22, 2014

Phishing - - Imad Bazzi

Spam Campaign linking to Phishing Page on (private registration)

Spam Email: 

From: IT Help Desk []
Sent: Tuesday, April 22, 2014 05:50 AM Eastern Standard Time
To: <>

We are currently in the process of upgrading basic Email services and WebMail center to a new system. We are deleting all Old Web Mail email account.
Kindly (Click Here) to Verify And Validate your Email
Do Not ignore this Message to Avoid Termination of your webmail account. 
Thank you for your cooperation
Inf Ufsc Web Mail Administration

Phishing landing page

Directory Listing allowed

More phishing pages:

PHP Mail Logs:

Email Addresses Used in Campaign:

Imad Bazzi