USAA Phishing Campaign PCAP File Download Traffic Analysis Sample

Download attachment: usaa pcap (added April 18, 2017, 1:44 am by admin; file size 1 MB; 65 downloads)

They do make the site look decent:


Here you can see the POST containing the fake information I entered:


2017-04-17 21:32:22.952265 IP 192.168.1.100.47366 > 78.135.65.3.80: Flags [.], seq 1:2849, ack 1, win 229, options [nop,nop,TS val 1036657496 ecr 1337509293], length 2848: HTTP: POST /wp-content/usa/account/logind.php HTTP/1.1
E..T..@.@.=a…dN.A….P%Z…L……\……
=.#XO…POST /wp-content/usa/account/logind.php HTTP/1.1
Host: www.lidergold.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.lidergold.com/wp-content/usa/account/USAA%20_%20Welcome%20to%20USAA.htm
Cookie: utag_main=v_id:015b7e84629b00a6d3faa895bd3001055005200900bd0$_sn:2$_ss:0$_st:1492480920811$_pn:3%3Bexp-session$ses_id:1492479023089%3Bexp-session; AMCV_47977B2A53A852210A490D45%40AdobeOrg=1999109931%7CMCMID%7C23146858886530304112860983349877067372%7CMCAAMLH-1493083927%7C7%7CMCAAMB-1493083927%7CNRX38WO0n5BH8Th-nqAG_A%7CMCAID%7CNONE%7CMCOPTOUT-1492479066.975%7CNONE; _ga=GA1.2.1621913373.1492479052; AMCVS_47977B2A53A852210A490D45%40AdobeOrg=1; s_pers=%20gpv_pn%3Dwww%257Cent%257Cent%257Cent%257Cn_a%257Cn_a%257Cpin%257Cpin_entry%7C1492480859711%3B%20s_nr%3D1492479059713-New%7C1495071059713%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dusaadev3%253D%252526c.%252526a.%252526activitymap.%252526page%25253Dwww%2525257Cent%2525257Cent%2525257Cent%2525257Cn_a%2525257Cn_a%2525257Cpin%2525257Cpin_entry%252526link%25253DNext%252526region%25253Dyui_3_3_0_4_149247905128121%252526pageIDType%25253D1%252526.activitymap%252526.a%252526.c%252526pid%25253Dwww%2525257Cent%2525257Cent%2525257Cent%2525257Cn_a%2525257Cn_a%2525257Cpin%2525257Cpin_entry%252526pidt%25253D1%252526oid%25253Dfunctiononclick%25252528event%25252529%2525257B%2525257D%252526oidt%25253D2%252526ot%25253DSUBMIT%3B; aam_sc=aam%3D2056278%2Caam%3D2819030%2Caam%3D2819037%2Caam%3D3008635%2Caam%3D2940788%2Caam%3D2940810%2Caam%3D3546821%2Caam%3D3661938%2Caam%3D3661939%2Caam%3D2964854; fltk=segID%3D2453279%2CsegID%3D2090930; s_fid=01359BE61903FC17-3D6FFA8644830364; s_sq=usaadev3%3D%2526pid%253Dhttp%25253A%25252F%25252Fwww.lidergold.com%25252Fwp-content%25252Fusa%25252Faccount%25252FUSAA%25252520_%25252520Welcome%25252520to%25252520USAA.htm%2526oid%253DLog%252520On%2526oidt%253D3%2526ot%253DSUBMIT
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 1628

userid=pwnyou%40yourpwned.com&password=harharhar123&fp_syslang=&CSRFToken=778d07881ecc5398b4bd766ec1d697f5&fp_software=&fp_userlang=undefined&fp_display=24%7C1920%7C1080%7C1053&fp_lang=lang%3Den-US%7Csyslang%3D%7Cuserlang%3D&fp_timezone=-5&fp_browser=mozilla%2F5.0+%28x11%3B+linux+x86_64%3B+rv%3A43.0%29+gecko%2F20100101+firefox%2F43.0+iceweasel%2F43.0.4%7C5.0+%28X11%29%7CLinux+x86_64&risk_deviceprint=version%253D3%252E4%252E1%252E0%255F1%2526pm%255Ffpua%253Dmozilla%252F5%252E0%2520%2528x11%253B%2520linux%2520x86%255F64%253B%2520rv%253A43%252E0%2529%2520gecko%252F20100101%2520firefox%252F43%252E0%2520iceweasel%252F43%252E0%252E4%257C5%252E0%2520%2528X11%2529%257CLinux%2520x86%2
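The POST above is the whole payload the kit needs: the credentials go out in a cleartext, form-encoded body to a PHP script under a WordPress install on a domain that has nothing to do with USAA, while the Referer shows a page whose file name carries the USAA brand and the body carries the cloned risk_deviceprint fingerprint field, percent-encoded twice. The script below is an added example, not the author's code and not something from the pcap: it parses a raw HTTP request, decodes the form, strips the nested encoding, and flags the brand/host mismatch. SAMPLE_PHISH is a constructed, trimmed copy of the captured request (request line, Host, Referer and the fake credential fields as shown above; the analytics cookies are left out), SAMPLE_LEGIT is a constructed control with a made-up path, and the CREDENTIAL_FIELDS set and BRAND_HOSTS table are assumptions about what to look for.

```python
"""Extract and triage a captured credential-harvesting POST (added example)."""

from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample: shortened copy of the request in the capture.
SAMPLE_PHISH = (
    "POST /wp-content/usa/account/logind.php HTTP/1.1\r\n"
    "Host: www.lidergold.com\r\n"
    "Referer: http://www.lidergold.com/wp-content/usa/account/"
    "USAA%20_%20Welcome%20to%20USAA.htm\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "userid=pwnyou%40yourpwned.com&password=harharhar123&fp_timezone=-5"
    "&risk_deviceprint=version%253D3%252E4%252E1%252E0%255F1%2526pm%255Ffpua%253Dmozilla"
)

# Constructed control: the same kind of form posted to the brand's own domain
# (path and referer are made up for the example).
SAMPLE_LEGIT = (
    "POST /login HTTP/1.1\r\n"
    "Host: www.usaa.com\r\n"
    "Referer: https://www.usaa.com/welcome%20to%20usaa.htm\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "userid=someone%40example.com&password=secret"
)

# Assumptions: which field names carry secrets, and which domain a brand word belongs to.
CREDENTIAL_FIELDS = {"userid", "username", "password", "passwd", "pin", "ssn"}
BRAND_HOSTS = {"usaa": "usaa.com"}


def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, path, version, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def decode_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body, keeping the first value per field."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def decode_nested(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding until the value stops changing."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_post(raw: str) -> dict:
    """Return the harvested credentials, the decoded device print and any brand mismatch."""
    req = parse_http_request(raw)
    ctype = req["headers"].get("content-type", "")
    form = decode_form(req["body"]) if "x-www-form-urlencoded" in ctype else {}
    creds = {k: v for k, v in form.items() if k.lower() in CREDENTIAL_FIELDS}

    # Brand word in the referring page, but the form is posted somewhere else.
    host = req["headers"].get("host", "").lower()
    ref_path = unquote(urlsplit(req["headers"].get("referer", "")).path).lower()
    impersonated = [brand for brand, dom in BRAND_HOSTS.items()
                    if brand in ref_path and not (host == dom or host.endswith("." + dom))]

    # risk_deviceprint is itself a form-encoded string, percent-encoded a second time.
    device_print = decode_form(decode_nested(form.get("risk_deviceprint", "")))

    return {"host": host, "path": req["path"], "credentials": creds,
            "impersonated_brands": impersonated, "device_print": device_print}


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("control", SAMPLE_LEGIT)):
        print(label, analyze_post(sample))
```

On a real capture, feed the script the reassembled TCP stream of the POST (for example, the "Follow TCP Stream" output from Wireshark or the payload from tshark) rather than the tcpdump -A text, which interleaves header-byte rendering with the request.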
