0×01 Origin
This sample came to me by chance. For as long as anyone can remember, "brush XXX" offers of every kind (Q-coin generators and the like) have been a byword for a certain kind of customer, and the great temptation of getting something for nothing has always been fertile soil for a successful phish. Looking back over the history of brushing XXX, from the lowest-end "internal account recharge" offers, to the assorted web phishing sites that promise to brush XXX for you, to the assorted client-side tools that brush XXX, these things may look crude, but you have to admire the phishers: they really are worth learning from. (Laugh ~)
0×02 First look
I firmly believe that a polished UI and persuasive copy really do improve the "user experience" of a phisher's victims. There is even a bundled demo teaching you how to use the tool, which is a very considerate touch. From the introduction I gathered that it is really cool to turn 100 RMB into 300 QB in your account just by brushing XXX ~ So I fired up VBox plus a HIPS with behavior monitoring. On first launch, the tool did nothing else of note.
0×03 The true face
Generally, a brush-XXX tool of this kind also carries some additional function, account theft above all, and there are many ways to implement that. Here the interface only asks you to type in a number, so a fake-login phishing form can basically be ruled out; it could instead be one of the various hooks that record what you type. After a while I observed several actions:
GET captcha.qq.com/getimage/paycenterqqcard?aid=25000101&%22+Math.random()+%22 (fetches the QQ pay-center captcha image; note the literal "+Math.random()+" in the query string, a piece of JavaScript string concatenation that was pasted in and never evaluated)
GET www.shuaka2013.com/get.html; the remaining actions were a mutex (to stop more than one instance running at a time?)
Reg: writes a key value that removes the IE proxy setting (to stop a proxy from capturing its traffic?)
Nothing else remarkable...
0×04 Trying it out
I already knew it was a phishing scam, but I still wanted to dig up something behind it. One could start from the website the XXX tool opens and track down the hacker behind the scenes, or reverse the whole binary. Here I use the simplest, crudest method; since the tool puts up no anti-analysis fight, that is enough for a brush-XXX tool of this sort.
Enter the recharge card number and QQ number of some big shot, and capture the HTTP traffic to see where it goes.
The captured packet is as follows:
POST /web/szxqb/index.jsp?action=dopay HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://mpay.qq.com/web/szxqb/index.jsp?action=dopay
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Content-Length: 145
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: mpay.qq.com
Cache-Control: no-cache
Cookie: paycenterqqcard=Alibaba

AppId=1&amount=100&buyer=54411363&buyerre=54411363&app=1&payer=12629014288321414&paywd=013140088955300238&verifycode=gbtc&submit.x=64&submit.y=27
The other two packets, the responses, are not pasted here.
Clearly the value on the QB recharge card did not go to the big shot's QQ: the buyer field in the form is 54411363 rather than the QQ number that was typed in, while the card number and card password (payer and paywd) are the ones we entered (see the comparison screenshot).
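The substituted buyer field is the whole scam, so here is an added example, not code from the original post or from the tool, that parses the captured request above and checks whether the payee QQ matches the one the victim typed. The request text is a constructed sample copied from the capture; the QQ number passed in as the "entered" value is an assumption supplied by the caller, and the reading of buyer as the recipient and payer/paywd as the card number and password follows the post's own interpretation.

```python
# Added example: audit a captured Q-coin recharge POST for a substituted payee.
# The request text is constructed from the capture in the post; the QQ number
# the victim "typed" is an assumption supplied by the caller.
from urllib.parse import parse_qs

CAPTURED_REQUEST = (
    "POST /web/szxqb/index.jsp?action=dopay HTTP/1.1\r\n"
    "Host: mpay.qq.com\r\n"
    "Referer: http://mpay.qq.com/web/szxqb/index.jsp?action=dopay\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 145\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n"
    "Cookie: paycenterqqcard=Alibaba\r\n"
    "\r\n"
    "AppId=1&amount=100&buyer=54411363&buyerre=54411363&app=1"
    "&payer=12629014288321414&paywd=013140088955300238&verifycode=gbtc"
    "&submit.x=64&submit.y=27"
)

# Per the post: 'buyer' is the QQ that receives the Q coins, 'payer' and
# 'paywd' are the recharge card number and card password.
SECRET_FIELDS = ("payer", "paywd")


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into request line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def form_fields(body):
    """Decode an application/x-www-form-urlencoded body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def audit_recharge(raw, entered_qq):
    """Report where the recharge really goes and list anything suspicious."""
    req = parse_http_request(raw)
    findings = []

    # Sanity check the capture itself before trusting its body.
    declared = req["headers"].get("content-length")
    if declared is not None and int(declared) != len(req["body"].encode()):
        findings.append("Content-Length does not match body")

    is_recharge = (req["method"] == "POST"
                   and req["headers"].get("host") == "mpay.qq.com"
                   and "action=dopay" in req["target"])
    if not is_recharge:
        findings.append("not a pay-center recharge request")
        return {"buyer": None, "payer": None, "amount": None,
                "findings": findings}

    fields = form_fields(req["body"])
    buyer = fields.get("buyer")
    # The core check: the tool should be crediting the QQ the victim typed.
    if buyer != entered_qq:
        findings.append(f"payee substituted: buyer={buyer}, entered={entered_qq}")
    if fields.get("buyerre") != buyer:
        findings.append("buyer and buyerre disagree")
    # The card number and password leave the machine in the form body.
    for name in SECRET_FIELDS:
        if name in fields:
            findings.append(f"recharge card secret '{name}' sent in the form")
    return {"buyer": buyer, "payer": fields.get("payer"),
            "amount": fields.get("amount"), "findings": findings}


if __name__ == "__main__":
    # Assumed: the victim typed QQ 10000 into the tool (hypothetical value).
    report = audit_recharge(CAPTURED_REQUEST, "10000")
    print("buyer:", report["buyer"], "amount:", report["amount"])
    for finding in report["findings"]:
        print(" -", finding)
```

The same check works on any proxy capture of the tool: compare the buyer the form actually submits against the number shown in the tool's own UI, and treat any mismatch as the payee being redirected.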
0×05 Conclusion
Of course, there are plenty of phishing platforms in the underground economy. One has to admire how well they grasp the weaknesses of human nature; in some cases that works far better than a 0-day. Also, if you are interested in going after the big fish behind this one, PM me. Just 4 fun.