“ChaO” (Cagatay Evyapan) was well-known in the underground carding community.  Watch the footage below, you will be very impressed how this fraudster converted his villa into a high profile ATM skimming device production factory.

ChaO’s fraud devices in action:

The attached skimming device copies all 3 tracks from the magnetic stripe of a credit/debit card, the keypad captures the PIN.  After is really easy for the fraudster to copy all collected info to  ISO 7812 blank cards  and eventually be able to cash out the money.

His hacking tips are the following (did not prove to be the best tips in his case):

* don’t install a skimmer in the morning, because people are more vigilant then;
* determine where a person would have to stand to keep an eye on everything happening on that block;
* avoid blocks where more than 250 people per day walk through, because of the danger of detection;
* don’t install skimmers in towns with fewer than 15,000 people, because people in those towns know what their ATMs look like;
* avoid areas with small shops open 24 hours a day, because there may be surveillance cameras and vigilant shopkeepers;
* don’t set up in areas where a lot of illegal immigrants live;
* places with a lot of tourist traffic are good;
* look for affluent neighborhoods and drive-through ATMs;
* ATMs near cash-only bars are a good bet for lots of customer activity.

Using google-dorks, the attackers can search for frame scripts allowing the inclusion of any url. This search reveals thousands of results with too many websites vulnerable to cross-site framing:

allinurl:”url=http” “frame”

inurl:frame filetype:asp  inurl:”url=”
inurl:frame filetype:aspx inurl:”url=”
inurl:frame filetype:php  inurl:”url=”
inurl:frame filetype:cfm  inurl:”url=”

inurl:iframe filetype:asp  inurl:”url=”
inurl:iframe filetype:aspx inurl:”url=”
inurl:iframe filetype:php  inurl:”url=”
inurl:iframe filetype:cfm  inurl:”url=”

allinurl:http frame.asp
allinurl:http frame.aspx
allinurl:http frame.php
allinurl:http frame.cfm

allinurl:frame.php?url=http
allinurl:frame.asp?url=http

Phishing and other scams are now easier to perform due to cross-site framing.
Having found such frame scripts, allows the attackers to include a webpage which is hosted somewhere else. This webpage can be designed to look like the original website and can be any cross-platform server-side script. It can contain a fake login form which on submit parses the inputted usernames and passwords and sends them to the attacker’s mailbox in cleartext format.

It is also possible to perform XSS attacks as in most cases there is no filtering of special characters, script or other common tags in the URL parameter.

Daniel Hugh mailed us about a cross-site framing and scripting vulnerability affecting Gov.MT (Official website of the Government of Malta):

Gov.MT with Frame Redirect and XSS

The XSS vulnerabilities affecting websites can also be used to perform frame redirects, but not the contrary. So if you submit a website vulnerable to cross-site framing along with a XSS attack vector, we will publish it as XSS.

The above news were written in order to heighten the awareness of potential privacy threats to users of the web.

You can also access this blog post  from XSSed.com – a project I run with Kevin Fernandez.

Here is the link:

http://www.xssed.com/news/26/Cross-site_framed/

This resource is called when the navigation to a page has been canceled, it displays an error message with a link to reload the current page, however the link is not filtered before being used (successful exploitation requires the user to click on the link). The researcher also explains how the browser does not show in the URL the local resource when it is called, this design flaw can thus be combined with the XSS vulnerability to conduct very dangerous phishing attacks.

A PoC is available on the Aviv Raff’s website:
http://www.raffon.net/research/ms/ie/navcancl/cnn.html
For those who do not have Internet Explorer 7, a video is also provided:
http://raffon.net/videos/ie7navcancl.wmv

Original News #1: http://aviv.raffon.net/2007/03/14/PhishingUsingIE7LocalResourceVulnerability.aspx by Aviv Raff

Original News #2: http://www.xssed.com/news/23/IE7_users_beware_of_Navigation_Canceled_errors/ by Kevin Fernandez

The following utility allows you to decipher an obfuscated IP and make it easier for yourself to track down spammers, scammers and software pirates.

IP obfuscator/de-obfuscator: http://www.odditysoftware.com/page-webtools5.htm

Another link: http://www.treachery.net/tools/obfuscator.html

Furthermore, here is an interesting tutorial on “How to obscure any URL”.
This is a description of what obfuscation is (from OdditySoftware.com):

So you don’t understand what Obfuscation is? Lets look at an idea of employing it as URL Obscuration.

For example, start with the regular Google URL: http://www.google.com
And convert it to IP: http://64.233.161.104
Then add some bogus authentication gibberish: http://www.msnbc.com@64.233.161.104
And convert the real URL into a single number with the calculator above so it looks like a document on the MSNBC web site: http://www.msnbc.com@1089053032 Paste this link in your browser, and where does it go? That’s right… Google.

Believe it or not, this is just the tip of the iceberg. In some browsers, even the IP address numbers can be expressed using “percent sign” ASCII encoding.

It seems to me that this group was very organised. They were providing how-to articles on carding, proxies and online payment processors. They were also selling laptops, mobile phones and cameras, which were bought with stolen/phished credit cards. They were even selling the software and equipment required to copy full details of stolen/phished credit cards into blank cards, in order to be able to cash-out from an ATM the money in the bank accounts.

Screenshot of Google results for “carders online”:

At the bottom of their website, they provided a form which was allowing potential buyers to pay them via E-gold for their illegal services… Their E-gold account seems suspended.

I recommend downloading and installing the Netcraft Anti-Phishing Toobar, which allows you to report a phishing site. You can also report phishing sites by adding the form to your Google personalized homepage.

The form looks like this:

The following is the F.A.Q which was shown on their homepage:

Note: Reading this F.A.Q can help you to better understand how to become more vigilant on protecting your sensitive personal information and banking details from being scammed online with phishing and other techniques. You will never be asked by genuine internet services for your PIN number, SSN and other very sensitive personal information!

F.A.Q.

Q: What will I get?
A: – 20 virgin Credit Cards with full information: Credit Cards number (Master Card, VISA, Amex), expiration date, CVV2/CVC2 digits, card holders name, residing address, state, country, zip code, telephone, DOB (date of birth), SSN (social security number), drivers license number, e-mail, pin code and more.

Q: What is the format of CC you provide?
A: – Format as fallows:

—————————-
Name:
Address:
State:
Zip:
Country:
Home Phone:
E-mail:
Date Of Birth:
Social Security Number:
Mothers Maiden Name:
Drivers License Number:
Drivers License State:
Secret Question:
Secret Question Answer:
Name On Card:
Credit Card Number:
Credit Card Brand:
Credit Card Type:
EXP Date:
Credit Card PIN Number:
CVC2:
—————————-

Q: How will I get it?
A: – You will receive CCs list via e-mail as an attachment |full_info_list.zip| in 24h.

Q: Where do you get full infos?
A: – We get it from various places. Mainly from scamming, spamming and shopadmins.

Q: What does it mean ‘virgin’ credit card?
A: – Virgin means – not used or reselled.

Q: What country CC’s do you have?
A: – United States (US US flag), United Kingdom (UK UK flag), Germany (DE German flag), Ireland (IE Ireland flag), Canada (CA Canadian flag), Australia (AU Australian flag), France (FR French flag).

Q: What is your replace policy?
A: – Declined credit cards are replaced with a new one. We take no responsibility for credit cards validaty after one week.

Q: How can I pay for it?
A: – All you need to make is a small contribution of 50€ worth of gold to e-gold account nr: 3260200. You will get 20 FULL INFOS, 2.5€ each. (We use http://www.e-gold.com ONLY for good anonymity. Open an account for free here).

Q: Do you offer any discounts?
A: – Yes, we offer a discount for serious buyers who buys more than 40 ccs. The price falls to 2€/’Full Info’.

Q: How can I fund my e-gold account?
A: – You should use an exchanger generally. You can fund your account using mailed payments, bank wires, cash deposits, western union, moneygram, credit card, netpay and etc. A list of exchangers you can find here: http://www.golddirectory.com/exchangers.html

Q: What if I have a question?
A: – Do not hesitate to contact us Weandydeal@yahoo.com

Before asking a question: We do not accept western union, paypal, webmoney, wire transfers and etc., E-GOLD ONLY. We do not give free samples for testing or checking, serious buyers only.

The Internet Corporation for Assigned Names and Numbers (ICANN) and the registrars have to do something in order to protect the individuals from phishing scams. The current situation is: A complaint about a scammer’s domain – e.g. payppaal.com – has to be legally resolved and it takes ages until the court’s final decision to take the domain name down, while phishers need only a few minutes or hours to setup their scam websites and steal dozen of credit card details.

The registrars therefore have to setup something like a prevention mechanism to filter a list of suspicious words that can be used to register domains for phishing scams and raise an alarm to the registrar staff or hosting companies. With this way the transaction won’t continue until proper verification of proof of identity of the suspicious individual attempting to register the suspicious domain name.

Domain policymakers and stakeholders must work together to reduce frequency of phishing scams.