'only crime on this host'

There is some interesting aspects to research, one is being able to understand and analyse how criminals operate. Another is seeing how other researchers operate. 

Recently there has been a number of incidents that have involved what has been described as 'white hackers', i don't have a term which sufficiently describes the work other than, 'interesting'.

Who IS the Batman?

Last month, i noted that someone had replaced the malicious content usually delivered by Dridex with Avira and a ' calling card'. The calling card gave information as the content on the compromised server, and the intelligence which i believe was to identify the original owner or the original compromiser of the site

I've again been collating the intel behind this  person, or team who are quickly compromising the hosts after its been compromised and listing the details relating to the original compromise.

Following up to now? Good!

Legit site --> compromised ---> compromised again and details posted to identify the original actor.

Recently, a recently compromised site on hxxp://www.wakeupforpeace.org.au/crimeware-server-readme.txt-> Freezepage link http://www.freezepage.com/1456771380KTQSEGLOJB

Has been 'done' by what could be same actors/team previously observed in the Dridex 'incident', i may well be wrong but the details are strikingly similar.

 

The site itself is a simple phisher, looking for PayPay/banking credentials and some really bad .php handles the theft.

[email protected]

If anything this should teach you

  1. Do not use your own name for email address if you're going to use to receive the proceeds of crime.
  2. Do not log into your phishing site from your residential address 
  3. Also, do not include your personal email address in the POST of a transaction of a HTTP request.

Thanks again to https://twitter.com/Techhelplistcom/