Maybank Phishkit Analysis

Just a couple of days ago, we discovered a Maybank phishing kit that limits access to IP addresses from Malaysia only. The phishing kit is hosted on a server in the US. The restriction is done via the .htaccess file.

Directory of C:\temp\xyz\xyz\m2u\abc

07/04/2011  12:43 PM                           .
07/04/2011  12:43 PM                           ..
27/01/2011  01:12 AM             8,701 HTACCE~1     .htaccess
26/01/2011  03:44 PM               877              acc.php
27/01/2011  04:51 PM               870              favicon.jpg
15/01/2011  09:00 AM            16,372 M2ULOG~1.PHP M2ULogin.do.php
26/08/2010  11:21 AM            14,745 MAYBAN~1.PHP Maybanksecure.php
26/08/2010  11:50 AM            14,632 RE-ACT~1.PHP re-activate.php
04/10/2010  12:44 PM               518 SSLACT~1.PHP sslactivate.php
26/01/2011  03:41 PM               572 SSLVER~1.PHP sslverify.php
27/07/2010  09:32 PM             2,530 TACREQ~1.PHP tacrequested.php
26/01/2011  03:41 PM               543 VALIDA~1.PHP validating.php
26/01/2011  03:41 PM            21,301 VERIFY~1.PHP verifydetails.php
              11 File(s)         81,661 bytes

[Image: htaccess-phish]

There are about 300 network addresses listed in the .htaccess file, which makes other anti-phishing researchers think that the site does not exist.
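As an added example (not part of the original post and not taken from the kit), here is one way an analyst could triage a recovered .htaccess like this one: parse its access rules and check whether a given vantage-point IP would be served. It assumes the file uses Apache 2.2-style Order/Allow/Deny directives, which the post does not show; the sample file, its RFC 5737 ranges and all function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in Apache 2.2 "Allow from" syntax (assumed; the kit's
# real file is not reproduced on the page). Ranges are RFC 5737 test networks.
SAMPLE_HTACCESS = """\
Order deny,allow
Deny from all
Allow from 192.0.2.0/24
Allow from 198.51.100.0/255.255.255.128 203.0.113.7
Allow from 10.1
"""

def to_network(token):
    """Turn one Allow/Deny host token into an ip_network, or None if not an IP."""
    if re.fullmatch(r"\d+(\.\d+){0,2}", token):   # partial address, e.g. "10.1"
        n = token.count(".") + 1
        token = token + ".0" * (4 - n) + "/%d" % (8 * n)
    try:
        return ipaddress.ip_network(token, strict=False)
    except ValueError:
        return None                                # hostname, env=..., etc.

def parse_access_rules(text):
    """Collect Order/Allow/Deny directives from .htaccess text."""
    rules = {"order": "deny,allow", "allow": [], "deny": [],
             "allow_all": False, "deny_all": False}
    for line in map(str.strip, text.splitlines()):
        order = re.match(r"(?i)order\s+(allow|deny)\s*,\s*(allow|deny)$", line)
        rule = re.match(r"(?i)(allow|deny)\s+from\s+(.+)$", line)
        if order:
            rules["order"] = ",".join(order.groups()).lower()
        for token in (rule.group(2).split() if rule else ()):
            kind = rule.group(1).lower()
            if token.lower() == "all":
                rules[kind + "_all"] = True
            elif (net := to_network(token)) is not None:
                rules[kind].append(net)
    return rules

def is_allowed(rules, ip):
    """Would a client at `ip` be served under these rules?"""
    addr = ipaddress.ip_address(ip)
    allow = rules["allow_all"] or any(addr in n for n in rules["allow"])
    deny = rules["deny_all"] or any(addr in n for n in rules["deny"])
    if rules["order"] == "allow,deny":
        return allow and not deny      # must match Allow and no Deny
    return allow or not deny           # deny,allow: a matching Allow wins
```

Checking your own egress IP with `is_allowed` tells you whether a reported URL that looks dead is actually down or only filtered for your location.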

On another note, do make use of our DontPhishMe plugin for Firefox and Chrome!
