Title: *** WARNING **** Liberty reserve phishing attack
Post by: Herodes on March 18, 2013, 10:49:30 AM

Anyway, there's a very serious phishing attack ongoing:

If you google for 'liberty reserve', the first ad you get says:

Quote
Annonse relatert til liberty reserve
libertyreserve.com - Liberty Reserve
www.libertyreserve.com/
largest payment processor and money transfer, Login now!

Then, when you click that link, you're forwarded to http://llbertyreserv.com/en/login/

This is a phishing site, inputting credentials there means you'll lose all Liberty Reserve funds that you have.

And it seems like the criminals are raking in: http://www.talkgold.com/forum/r384797-.html

From an academic viewpoint, this phishing attempt is quite clever.. The real bad thing here is that adsense is getting exploited, leading users that google for Liberty Reserve to click on that link. You should be rather alert not to click on it. Seasoned users would not do it, but for beginners and for anyone tired it's easy to make a mistake.

I can't fathom why Liberty Reserve doesn't have mandatory two-factor authentication?

The thieves probably are using fake id and fake visa towards google/adsense and probably multiple Liberty Reserve accounts, and most likely trying to withdraw from there as quickly as possible, but coupled with Liberty Reserve in general being very poor at customer service, this is a disaster.

Title: Re: *** WARNING **** Liberty reserve phishing attack
Post by: chmod755 on March 18, 2013, 11:10:00 AM

Reported to Google & others!
Title: Re: *** WARNING **** Liberty reserve phishing attack
Post by: Herodes on March 18, 2013, 11:19:14 AM

Quote
Reported to Google & others!

I sent a PM to one Google employee on this forum, usually whenever I want to tell Google something it's really frustrating because I don't have any e-mails to send to, and there doesn't seem to be any reporting mechanism directly connected to the ad.

DAMN: That was fast, it seems to have gone already!

Title: Re: *** WARNING **** Liberty reserve phishing attack
Post by: Herodes on March 18, 2013, 11:21:14 AM

Seems like the domain is registered through GoDaddy, I'll give them notice.
Quote
Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: LLBERTYRESERV.COM
Created on: 17-Mar-13
Expires on: 17-Mar-14
Last Updated on: 17-Mar-13

Registrant:
asad asdad
asdad
delhi, Delhi 1100091
India

Administrative Contact:
asdad, asad dunncwhu@hotmail.com
asdad
delhi, Delhi 1100091
India
2188075364

Technical Contact:
asdad, asad dunncwhu@hotmail.com
asdad
delhi, Delhi 1100091
India
2188075364

Domain servers in listed order:
NS75.DOMAINCONTROL.COM
NS76.DOMAINCONTROL.COM

Title: Re: *** WARNING **** Liberty reserve phishing attack
Post by: Jaw3bmasters on March 18, 2013, 11:24:56 AM

Quote
From an academic viewpoint, this phishing attempt is quite clever.. The real bad thing here is that adsense is getting exploited, leading users that google for Liberty Reserve to click on that link. You should be rather alert not to click on it. Seasoned users would not do it, but for beginners and for anyone tired it's easy to make a mistake.

"quite clever"? You make it seem like a new exploit. That's why we have AdblockPlus, NoScript, Sandbox, etc.......

Title: Re: *** WARNING **** Liberty reserve phishing attack
Post by: Herodes on March 18, 2013, 11:30:23 AM

Quote
From an academic viewpoint, this phishing attempt is quite clever.. The real bad thing here is that adsense is getting exploited, leading users that google for Liberty Reserve to click on that link. You should be rather alert not to click on it. Seasoned users would not do it, but for beginners and for anyone tired it's easy to make a mistake.
"quite clever"? You make it seem like a new exploit. That's why we have AdblockPlus, NoScript, Sandbox, etc.......

As opposed to the spam e-mails that you receive with phishing attempts, where it says: "Log in to your account within 24 hours or else you will lose your account", this is more clever, absolutely. It's blatantly criminal, so I'm not applauding it, but you gotta give the crooks some credit for their ingenuity.

Personally I do not know how this could go undetected for 5 days according to the TalkGold thread I linked to in the first post. And yes, it's the first time I've seen this kind of phishing. I would think both Liberty Reserve and Google/Adsense would have a bigger interest in avoiding stuff like this in the first place, but I guess profit is more important for them than adding lots of measures to prevent stuff like this. Still with good routines, I guess some ads may slip through the cracks anyway if it's manually verified, and probably ads are not verified before being put online at all.

Title: Re: *** WARNING **** Liberty reserve phishing attack
Post by: chmod755 on March 18, 2013, 11:37:51 AM

Quote
Nmap scan report for llbertyreserv.com (203.124.116.1)
Host is up (0.38s latency).
rDNS record for 203.124.116.1: sg2nlhg558c1558.shr.prod.sin2.secureserver.net
Not shown: 986 filtered ports
PORT      STATE  SERVICE VERSION
21/tcp    open   ftp     PureFTPd
22/tcp    open   ssh     OpenSSH 5.1 (protocol 2.0)
|_ssh-hostkey: 1024 62:5e:b9:fd:3a:70:eb:37:99:e9:12:e3:d9:3f:4e:6c (DSA)
80/tcp    open   http    Apache httpd
|_html-title: Liberty Reserve \xE2\x80\x93 largest payment processor and money transf...
443/tcp   open   http    Apache httpd
|_html-title: 403 Forbidden
50000/tcp closed iiimsf
50001/tcp closed unknown
50002/tcp closed iiimsf
50003/tcp closed unknown
50006/tcp closed unknown
50300/tcp closed unknown
50389/tcp closed unknown
50500/tcp closed unknown
50636/tcp closed unknown
50800/tcp closed unknown

btw.: I made a little bookmarklet to report phishing to several services:

Quote
javascript:(function(){var%20r=encodeURIComponent(location.href);window.open('https://www.google.com/safebrowsing/report_phish/?tpl=mozilla&continue=http://www.google.com/tools/firefox/toolbar/FT2/intl/en/submit_success.html&hl=en-US&url='+r);window.open('http://toolbar.netcraft.com/report_url?url='+r);window.open('https://submit.symantec.com/antifraud/phish.cgi?url_1='+r);})();
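
Added example (not part of any post in this thread): a check for the mismatch described in the first post, where the ad displayed www.libertyreserve.com but the link landed on llbertyreserv.com. The trusted list, the confusable-character map and the distance threshold are assumptions chosen for this sketch.

```javascript
// Added example, not from the thread. TRUSTED and maxDistance are assumptions.
const TRUSTED = ['libertyreserve.com'];

// Collapse characters that are easily mistaken for one another in a URL bar.
const CONFUSABLE = { l: 'i', 1: 'i', 0: 'o', 5: 's' };

function skeleton(host) {
  return host.replace(/rn/g, 'm').replace(/[l105]/g, c => CONFUSABLE[c]);
}

// Plain Levenshtein distance, keeping only two rows of the table.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const subst = prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1);
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, subst);
    }
    prev = cur;
  }
  return prev[b.length];
}

function classify(host, trusted = TRUSTED, maxDistance = 2) {
  const h = host.toLowerCase().replace(/\.$/, '').replace(/^www\./, '');
  // Exact match or a subdomain of a trusted domain.
  for (const t of trusted) {
    if (h === t || h.endsWith('.' + t)) return { verdict: 'trusted', match: t };
  }
  // Not trusted, but close to a trusted name once confusables are collapsed.
  for (const t of trusted) {
    const distance = editDistance(skeleton(h), skeleton(t));
    if (distance <= maxDistance) return { verdict: 'lookalike', match: t, distance };
  }
  return { verdict: 'unrelated' };
}

// Compare the host an ad displays with the host its link actually lands on.
function checkAd(displayUrl, landingUrl) {
  const shown = new URL(displayUrl).hostname;
  const landed = new URL(landingUrl).hostname;
  return { shown, landed, mismatch: shown !== landed, ...classify(landed) };
}

// The two URLs quoted in the first post.
console.log(checkAd('http://www.libertyreserve.com/', 'http://llbertyreserv.com/en/login/'));
```

The landing host differs from the real one by an "l" standing in for "i" and a dropped trailing "e", so it collapses to distance 1 from the trusted name and is reported as a lookalike.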