Bitcoin Forum
Author Topic: *** WARNING **** Liberty reserve phishing attack  (Read 1849 times)
Herodes (OP)
March 18, 2013, 10:49:30 AM
 #1

Anyway, there's a very serious phishing attack ongoing:

If you google for 'liberty reserve', the first ad you get says:

Quote
Ad related to liberty reserve

    libertyreserve.com - Liberty Reserve
    www.libertyreserve.com/
    largest payment processor and money transfer, Login now!

Then, when you click that link, you're forwarded to http://llbertyreserv.com/en/login/

This is a phishing site; inputting credentials there means you'll lose all Liberty Reserve funds that you have.


And it seems like the criminals are raking in:

http://www.talkgold.com/forum/r384797-.html

From an academic viewpoint, this phishing attempt is quite clever..

The real bad thing here is that AdSense is getting exploited, leading users that google for Liberty Reserve to click on that link. You should be rather alert not to click on it. Seasoned users would not do it, but for beginners and for anyone tired it's easy to make a mistake.

I can't fathom why Liberty Reserve doesn't have mandatory two-factor authentication?

The thieves probably are using fake id and fake visa towards google/adsense and probably multiple Liberty Reserve accounts, and most likely trying to withdraw from there as quickly as possible, but coupled with Liberty Reserve in general being very poor at customer service, this is a disaster.
chmod755
March 18, 2013, 11:10:00 AM
 #2

Reported to Google & others!

Herodes (OP)
March 18, 2013, 11:19:14 AM
 #3

Quote
Reported to Google & others!

I sent a PM to one Google employee on this forum. Usually whenever I want to tell Google something it's really frustrating, because I don't have any e-mails to send to, and there doesn't seem to be any reporting mechanism directly connected to the ad.

DAMN: That was fast, it seems to have gone already!
Herodes (OP)
March 18, 2013, 11:21:14 AM
 #4

Seems like the domain is registered through GoDaddy, I'll give them notice.

Quote
  Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
   Domain Name: LLBERTYRESERV.COM
      Created on: 17-Mar-13
      Expires on: 17-Mar-14
      Last Updated on: 17-Mar-13

   Registrant:
   asad asdad
   asdad
   delhi, Delhi 1100091
   India

   Administrative Contact:
      asdad, asad  dunncwhu@hotmail.com
      asdad
      delhi, Delhi 1100091
      India
      2188075364

   Technical Contact:
      asdad, asad  dunncwhu@hotmail.com
      asdad
      delhi, Delhi 1100091
      India
      2188075364

   Domain servers in listed order:
      NS75.DOMAINCONTROL.COM
      NS76.DOMAINCONTROL.COM
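
Two signals visible in this thread, a look-alike name (llbertyreserv.com against libertyreserve.com) and a registration date one day before the report, can be checked mechanically. The following is an added example, not part of any forum post: the confusable-character table, function names, thresholds and the `seen_on` date are assumptions, and the WHOIS excerpt is copied from the record quoted in post #4.

```python
import re
from datetime import date, datetime

# Assumed, deliberately small table of visually confusable characters.
CONFUSABLE = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o"})

def skeleton(label):
    """Fold look-alike characters (and 'rn' -> 'm') so similar-looking labels compare equal."""
    return label.lower().translate(CONFUSABLE).replace("rn", "m")

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(domain):
    """Second-level label of a simple name such as example.com (no public-suffix handling)."""
    return domain.lower().rstrip(".").split(".")[-2]

def is_lookalike(candidate, brand, max_dist=2):
    c, b = registrable_label(candidate), registrable_label(brand)
    if c == b:
        return False  # the genuine domain (or a subdomain of it)
    return edit_distance(skeleton(c), skeleton(b)) <= max_dist

def whois_created(whois_text):
    """Parse the 'Created on: DD-Mon-YY' line used in the record quoted above."""
    m = re.search(r"Created on:\s*(\d{1,2}-[A-Za-z]{3}-\d{2})", whois_text)
    return datetime.strptime(m.group(1), "%d-%b-%y").date() if m else None

def triage(candidate, brand, whois_text, seen_on, max_age_days=30):
    """Flag a domain that both resembles the brand and was registered very recently."""
    created = whois_created(whois_text)
    age = (seen_on - created).days if created else None
    lookalike = is_lookalike(candidate, brand)
    return {"lookalike": lookalike, "age_days": age,
            "flag": lookalike and age is not None and age <= max_age_days}

# Excerpt of the WHOIS record quoted in post #4.
WHOIS = """Domain Name: LLBERTYRESERV.COM
   Created on: 17-Mar-13
   Expires on: 17-Mar-14"""

if __name__ == "__main__":
    print(triage("llbertyreserv.com", "libertyreserve.com", WHOIS, date(2013, 3, 18)))
```
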
Jaw3bmasters
March 18, 2013, 11:24:56 AM
 #5


Quote
From an academic viewpoint, this phishing attempt is quite clever..

The real bad thing here is that AdSense is getting exploited, leading users that google for Liberty Reserve to click on that link. You should be rather alert not to click on it. Seasoned users would not do it, but for beginners and for anyone tired it's easy to make a mistake.


"quite clever"? You make it seem like a new exploit. That's why we have AdblockPlus, NoScript, Sandbox, etc.......


In Cryptography we trust.
Herodes (OP)
March 18, 2013, 11:30:23 AM
 #6


Quote
Quote
From an academic viewpoint, this phishing attempt is quite clever..

The real bad thing here is that AdSense is getting exploited, leading users that google for Liberty Reserve to click on that link. You should be rather alert not to click on it. Seasoned users would not do it, but for beginners and for anyone tired it's easy to make a mistake.


"quite clever"? You make it seem like a new exploit. That's why we have AdblockPlus, NoScript, Sandbox, etc.......

As opposed to the spam e-mails that you receive with phishing attempts, where it says: "Log in to your account within 24 hours or else you will lose your account", this is more clever, absolutely. It's blatantly criminal, so I'm not applauding it, but you gotta give the crooks some credit for their ingenuity.

Personally I do not know how this could go undetected for 5 days according to the TalkGold thread I linked to in the first post. And yes, it's the first time I've seen this kind of phishing. I would think both Liberty Reserve and Google/AdSense would have a bigger interest in avoiding stuff like this in the first place, but I guess profit is more important for them than adding lots of measures to prevent stuff like this. Still, with good routines, I guess some ads may slip through the cracks anyway if it's manually verified, and probably ads are not verified before being put online at all.
chmod755
March 18, 2013, 11:37:51 AM
 #7

Quote
Nmap scan report for llbertyreserv.com (203.124.116.1)
Host is up (0.38s latency).
rDNS record for 203.124.116.1: sg2nlhg558c1558.shr.prod.sin2.secureserver.net
Not shown: 986 filtered ports
PORT      STATE  SERVICE VERSION
21/tcp    open   ftp     PureFTPd
22/tcp    open   ssh     OpenSSH 5.1 (protocol 2.0)
|_ssh-hostkey: 1024 62:5e:b9:fd:3a:70:eb:37:99:e9:12:e3:d9:3f:4e:6c (DSA)
80/tcp    open   http    Apache httpd
|_html-title: Liberty Reserve \xE2\x80\x93 largest payment processor and money transf...
443/tcp   open   http    Apache httpd
|_html-title: 403 Forbidden
50000/tcp closed iiimsf
50001/tcp closed unknown
50002/tcp closed iiimsf
50003/tcp closed unknown
50006/tcp closed unknown
50300/tcp closed unknown
50389/tcp closed unknown
50500/tcp closed unknown
50636/tcp closed unknown
50800/tcp closed unknown

btw.: I made a little bookmarklet to report phishing to several services:
Quote
