PayPal Phishing Scam Fake Website PCAP file download Traffic Sample

PayPal phishing landing page:

Credential-stealing traffic. The tell is the Host header: the hostname starts with www.paypal.com, but the registrable domain is timeseaways.com. The kit posts the e-mail address and password in clear text over HTTP, together with browser fingerprint fields (xBrowser, xOperatingSystem, xTimeZone, xResoLution):

2017-04-17 22:00:47.498090 IP 192.168.1.100.46042 > 184.154.127.226.80: Flags [P.], seq 1:785, ack 1, win 229, options [nop,nop,TS val 1037083633 ecr 3076619526], length 784: HTTP: POST /inc/login.php HTTP/1.1
POST /inc/login.php HTTP/1.1
Host: www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/
Content-Length: 285
Connection: keep-alive

user=johnny5alive%40gmail.com&pass=johnny5alive&xBrowser=Mozilla+FireFox+v43&xOperatingSystem=Linux&xPlatForm=Desktop+Platform&xTimeZone=Mon+Apr+17+2017+22%3A00%3A35+GMT-0400+(EDT)&xResoLution=Computer%3A+1920x1080%3B+Browser+inner%3A+1920x762%3B+Browser+outer%3A+1920x1027&xLang=en-US

2017-04-17 22:00:47.557561 IP 184.154.127.226.80 > 192.168.1.100.46042: Flags [.], ack 785, win 239, options [nop,nop,TS val 3076619602 ecr 1037083633], length 0
2017-04-17 22:00:48.036469 IP 192.168.1.100.47166 > 52.22.15.101.443: Flags […]

HSBC National Financial Bank Banking Phishing Scam Attack PCAP file download Traffic Analysis – Uses Google Toolbar to validate account!

Landing page:

Sample traffic. The kit provides error checking to see whether the account is valid. Note that this excerpt opens with the victim browser's own certificate-status lookup, an OCSP request (Content-Type: application/ocsp-request) to ocsp.comodoca.com; that is normal browser traffic, not part of the phishing kit, so filter it out when hunting for the credential POST:

2017-04-17 21:53:58.432516 IP 192.168.1.100.33488 > 178.255.83.1.80: Flags [P.], seq 1:450, ack 1, win 229, options [nop,nop,TS val 1036981367 ecr 553279224], length 449: HTTP: POST / HTTP/1.1
POST / HTTP/1.1
Host: ocsp.comodoca.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 84
Content-Type: application/ocsp-request
Connection: keep-alive

(84-byte binary DER-encoded OCSP request body, not shown)

2017-04-17 21:53:58.433215 IP 162.251.85.174.443 > 192.168.1.100.52148: Flags [P.], seq 4747:5037, ack 330, win 122, options [nop,nop,TS val 2260808893 ecr 1036981351], length 290 […]

CapitalOne Capital One Bank Auto Loans Phishing Campaign PCAP file download Traffic Analysis

Landing page:

Sample of posting credentials. This kit is hosted on a bare IP address (89.46.73.231) with the brand name only in the path, and the user ID and password go out in clear text over HTTP:

2017-04-17 21:57:05.598674 IP 192.168.1.100.41236 > 89.46.73.231.80: Flags [P.], seq 1:535, ack 1, win 229, options [nop,nop,TS val 1037028158 ecr 1270481385], length 534: HTTP: POST /CapitaLonE/SignIn/page/booting.php HTTP/1.1
POST /CapitaLonE/SignIn/page/booting.php HTTP/1.1
Host: 89.46.73.231
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://89.46.73.231/CapitaLonE/SignIn/page/
Cookie: PHPSESSID=aepqe8mcrenvcnj1utpej09oi2
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 31

userId=johnny5&userPass=johnny5

2017-04-17 21:57:05.722090 IP 89.46.73.231.80 > 192.168.1.100.41236: Flags [.], ack 535, win 243, options [nop,nop,TS val 1270481511 ecr 1037028158], length 0
2017-04-17 21:57:06.135295 IP 89.46.73.231.80 > 192.168.1.100.41236: Flags [P.], seq 1:273, ack […]

USAA Phishing Campaign PCAP File Download Traffic Analysis Sample

They do make the site look decent:

Here you can see the POST containing the fake information I entered. The form is posted to a WordPress site (www.lidergold.com, under /wp-content/) rather than to USAA. The Cookie header carries Tealium (utag_main), Adobe (AMCV_*, s_*) and Google Analytics (_ga) cookies, and the body carries CSRFToken, fp_* and risk_deviceprint fields, which is consistent with the kit being a saved copy of the genuine login page with its scripts left intact. The credentials themselves (userid, password) are sent in clear text over HTTP:

2017-04-17 21:32:22.952265 IP 192.168.1.100.47366 > 78.135.65.3.80: Flags [.], seq 1:2849, ack 1, win 229, options [nop,nop,TS val 1036657496 ecr 1337509293], length 2848: HTTP: POST /wp-content/usa/account/logind.php HTTP/1.1
POST /wp-content/usa/account/logind.php HTTP/1.1
Host: www.lidergold.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.lidergold.com/wp-content/usa/account/USAA%20_%20Welcome%20to%20USAA.htm
Cookie: utag_main=v_id:015b7e84629b00a6d3faa895bd3001055005200900bd0$_sn:2$_ss:0$_st:1492480920811$_pn:3%3Bexp-session$ses_id:1492479023089%3Bexp-session; AMCV_47977B2A53A852210A490D45%40AdobeOrg=1999109931%7CMCMID%7C23146858886530304112860983349877067372%7CMCAAMLH-1493083927%7C7%7CMCAAMB-1493083927%7CNRX38WO0n5BH8Th-nqAG_A%7CMCAID%7CNONE%7CMCOPTOUT-1492479066.975%7CNONE; _ga=GA1.2.1621913373.1492479052; AMCVS_47977B2A53A852210A490D45%40AdobeOrg=1; s_pers=%20gpv_pn%3Dwww%257Cent%257Cent%257Cent%257Cn_a%257Cn_a%257Cpin%257Cpin_entry%7C1492480859711%3B%20s_nr%3D1492479059713-New%7C1495071059713%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dusaadev3%253D%252526c.%252526a.%252526activitymap.%252526page%25253Dwww%2525257Cent%2525257Cent%2525257Cent%2525257Cn_a%2525257Cn_a%2525257Cpin%2525257Cpin_entry%252526link%25253DNext%252526region%25253Dyui_3_3_0_4_149247905128121%252526pageIDType%25253D1%252526.activitymap%252526.a%252526.c%252526pid%25253Dwww%2525257Cent%2525257Cent%2525257Cent%2525257Cn_a%2525257Cn_a%2525257Cpin%2525257Cpin_entry%252526pidt%25253D1%252526oid%25253Dfunctiononclick%25252528event%25252529%2525257B%2525257D%252526oidt%25253D2%252526ot%25253DSUBMIT%3B; aam_sc=aam%3D2056278%2Caam%3D2819030%2Caam%3D2819037%2Caam%3D3008635%2Caam%3D2940788%2Caam%3D2940810%2Caam%3D3546821%2Caam%3D3661938%2Caam%3D3661939%2Caam%3D2964854; fltk=segID%3D2453279%2CsegID%3D2090930; s_fid=01359BE61903FC17-3D6FFA8644830364; s_sq=usaadev3%3D%2526pid%253Dhttp%25253A%25252F%25252Fwww.lidergold.com%25252Fwp-content%25252Fusa%25252Faccount%25252FUSAA%25252520_%25252520Welcome%25252520to%25252520USAA.htm%2526oid%253DLog%252520On%2526oidt%253D3%2526ot%253DSUBMIT
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 1628

userid=pwnyou%40yourpwned.com&password=harharhar123&fp_syslang=&CSRFToken=778d07881ecc5398b4bd766ec1d697f5&fp_software=&fp_userlang=undefined&fp_display=24%7C1920%7C1080%7C1053&fp_lang=lang%3Den-US%7Csyslang%3D%7Cuserlang%3D&fp_timezone=-5&fp_browser=mozilla%2F5.0+%28x11%3B+linux+x86_64%3B+rv%3A43.0%29+gecko%2F20100101+firefox%2F43.0+iceweasel%2F43.0.4%7C5.0+%28X11%29%7CLinux+x86_64&risk_deviceprint=version%253D3%252E4%252E1%252E0%255F1%2526pm%255Ffpua%253Dmozilla%252F5%252E0%2520%2528x11%253B%2520linux%2520x86%255F64%253B%2520rv%253A43%252E0%2529%2520gecko%252F20100101%2520firefox%252F43%252E0%2520iceweasel%252F43%252E0%252E4%257C5%252E0%2520%2528X11%2529%257CLinux%2520x86%2
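The four captures above (PayPal, HSBC, Capital One, USAA) share one shape: a form-encoded POST over plain HTTP whose body carries the username and password, sent to a host that is not the brand's own (a look-alike subdomain of timeseaways.com, a bare IP, a WordPress site). The script below is an added example, not code from this page or from the capture files it offers. Using only the Python standard library it builds a small pcap in memory that replays those POSTs (plus the browser's OCSP request from the HSBC capture, which a credential extractor has to ignore), parses the pcap back, and reports every credential POST with its registrable domain and the brand name used as the lure. The brand list, the credential field names, the naive last-two-labels registrable-domain rule and the placeholder OCSP body are my assumptions; the IP header checksum is computed so the file also loads in tcpdump or Wireshark, while the TCP checksum is left at zero.

```python
import socket
import struct
from urllib.parse import parse_qs

BRANDS = ("paypal", "hsbc", "capitalone", "usaa")                 # assumption: brands lured on this page
CRED_FIELDS = {"user", "pass", "userid", "userpass", "password"}  # assumption: login field names seen above

def http_post(host, path, ctype, body, referer=""):
    """Serialise a minimal HTTP/1.1 POST; only used to build the constructed sample capture."""
    hdrs = [f"POST {path} HTTP/1.1", f"Host: {host}", f"Content-Type: {ctype}",
            f"Content-Length: {len(body)}"] + ([f"Referer: {referer}"] if referer else [])
    return ("\r\n".join(hdrs) + "\r\n\r\n").encode() + body

def ip_checksum(hdr):
    """RFC 791 one's-complement sum of the IPv4 header's ten 16-bit words."""
    total = sum(struct.unpack("!10H", hdr))
    total = (total & 0xFFFF) + (total >> 16)                  # fold carries; twice suffices here
    return ~((total & 0xFFFF) + (total >> 16)) & 0xFFFF

def tcp_frame(src, dst, sport, dport, payload):
    """Ethernet/IPv4/TCP frame (zero MACs, TCP checksum left 0) carrying one segment of payload."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 229, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def write_pcap(frames, t0=1492480800):
    """Classic libpcap file: magic 0xA1B2C3D4, link type 1 (Ethernet), one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", t0 + i, 0, len(frame), len(frame)) + frame
    return out

def iter_tcp_payloads(pcap):
    """Yield (src, sport, dst, dport, payload) for each TCP segment in a classic pcap."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[struct.unpack_from("<I", pcap, 0)[0]]
    assert struct.unpack_from(endian + "I", pcap, 20)[0] == 1, "only Ethernet link type handled"
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack_from(endian + "IIII", pcap, off)[2]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                          # not IPv4 over Ethernet, or not TCP
        ip = frame[14:]
        tcp = ip[(ip[0] & 0x0F) * 4:struct.unpack_from("!H", ip, 2)[0]]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]
        yield socket.inet_ntoa(ip[12:16]), sport, socket.inet_ntoa(ip[16:20]), dport, payload

def registrable_domain(host):
    """Naive last-two-labels rule (assumption; use the Public Suffix List for real work)."""
    labels = host.lower().split(".")
    return host if all(l.isdigit() for l in labels) else ".".join(labels[-2:])

def analyze_post(payload):
    """Finding for a form-encoded POST that carries login fields, else None."""
    if not payload.startswith(b"POST "):
        return None
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    path = lines[0].split(" ", 2)[1]
    hdr = {k.lower(): v for k, v in (l.split(": ", 1) for l in lines[1:] if ": " in l)}
    if not hdr.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return None                     # skips e.g. the browser's OCSP POST in the HSBC capture
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    creds = {k: v[0] for k, v in fields.items() if k.lower() in CRED_FIELDS}
    if not creds:
        return None
    host = hdr.get("host", "")
    reg = registrable_domain(host)
    haystack = (host + path + hdr.get("referer", "")).lower()
    lure = [b for b in BRANDS if b in haystack and b not in reg]  # brand named, but domain is not theirs
    return {"host": host, "path": path, "registrable": reg, "brand_lure": lure, "credentials": creds}

def analyze_pcap(pcap):
    """All credential-POST findings in a pcap, tagged with the victim and the collector endpoint."""
    return [dict(f, src=src, dst=f"{dst}:{dport}")
            for src, sport, dst, dport, payload in iter_tcp_payloads(pcap)
            if (f := analyze_post(payload))]

def build_sample_pcap():
    """Constructed capture replaying the page's PayPal, HSBC (browser OCSP only), Capital One and USAA POSTs."""
    form = "application/x-www-form-urlencoded"
    pp = "www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com"
    reqs = [
        ("184.154.127.226", 46042, http_post(pp, "/inc/login.php", form + "; charset=UTF-8",
            b"user=johnny5alive%40gmail.com&pass=johnny5alive&xBrowser=Mozilla+FireFox+v43", f"http://{pp}/")),
        ("178.255.83.1", 33488, http_post("ocsp.comodoca.com", "/", "application/ocsp-request",
            b"0R0P0N0L0J0")),            # placeholder for the DER request body, not the real bytes
        ("89.46.73.231", 41236, http_post("89.46.73.231", "/CapitaLonE/SignIn/page/booting.php",
            form, b"userId=johnny5&userPass=johnny5", "http://89.46.73.231/CapitaLonE/SignIn/page/")),
        ("78.135.65.3", 47366, http_post("www.lidergold.com", "/wp-content/usa/account/logind.php",
            form, b"userid=pwnyou%40yourpwned.com&password=harharhar123&fp_timezone=-5",
            "http://www.lidergold.com/wp-content/usa/account/USAA%20_%20Welcome%20to%20USAA.htm")),
    ]
    return write_pcap([tcp_frame("192.168.1.100", dst, sport, 80, req) for dst, sport, req in reqs])

if __name__ == "__main__":
    print(*analyze_pcap(build_sample_pcap()), sep="\n")
```

To run it against one of the downloadable captures, read the file into bytes and pass them to analyze_pcap; it handles single-segment POSTs like the ones shown here, so a body split across several segments (or the 2848-byte USAA POST if it were fragmented) would need TCP stream reassembly first, which this example deliberately leaves out.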