Global Payment Services Hacked

I was sent a strange e-mail earlier today as a word document.
It contained a heavily obscured macro that downloaded a file:

httX://gpsbah.com/images/1.exe

gpsbah.com resolves to 173.230.242.18

NetRange	173.230.240.0 - 173.230.255.255
CIDR	173.230.240.0/20
Name	ACENETMI
Handle	NET-173-230-240-0-1
Parent	NET173 (NET-173-0-0-0-0)
Net Type	Direct Allocation
Origin AS	AS36444
AS2828
Organization	ACENET, INC. (ACENE)

This is worrying – as the domain gpsbah.com seems to be associated with a card payment processor and issuer!
Global Payment Services
P.O.Box: 2110
Manama
Kingdom of Bahrain

I’ve contacted them and will update this post if they respond.

When the exe file is run, it connects to 62.75.182.94 and exchanges encrypted or obfuscated data with it:

inetnum:         62.75.128.0 - 62.75.255.255
netname:         DE-INTERGENIA-20010727
descr:           PlusServer AG
country:         DE
org:             ORG-iGCK1-RIPE
admin-c:         TS12776-RIPE
tech-c:          IT1309-RIPE
status:          ALLOCATED PA
mnt-by:          RIPE-NCC-HM-MNT
mnt-lower:       INTERGENIA-MNT
mnt-lower:       MAINLAB-MNT
mnt-routes:      INTERGENIA-MNT
mnt-routes:      MAINLAB-MNT
source:          RIPE # Filtered

POST /gWFOZM~5MV~R%26/Sg=%7EKls%3Fc.A/%2B HTTP/1.1
Host: 62.75.182.94
Connection: Close
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Content-Type: octet/binary
Accept: */*
Accept-Language: q=0.8,en-US;q=0.6,en;q=0.4
Content-Length: 4962

A......CA..."......]......@_*J+0L"........JE.LKELKJKJ..K.OIJ...I.M_]......@_LOH_]......@_HKNDO_]....@_..._]...@_NO_RCA....CA\&>9<)<&0......];......]NMSM]U.EK]..P:?T]UNMSMTF0........]2.....]-...........]-...]OMLM]ULISMSJMLHSLMMMTF2.....]+0]+......?..]:....]<........]ISNSLM]UISNSLMSMTF/...-.....]>....]ULJSMSLMTF*../</]HSLM]UNOP...T]UHSLMSMTF/...9.
POST /eozHt~R~C%2CGlz/Z&SCFSHCaEe+/%3F HTTP/1.1
Host: 62.75.182.94
Connection: Close
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Content-Type: octet/binary
Accept: */*
Accept-Language: q=0.8,en-US;q=0.6,en;q=0.4
Content-Length: 4962

A......CA..."......]......@_*J+0L"........JE.LKELKJKJ..K.OIJ...I.M_]......@_LOH_]......@_HKNDO_]....@_..._]...@_NO_RCA....CA\&>9<)<&0......];......]NMSM]U.EK]..P:?T]UNMSMTF0........]2.....]-...........]-...]OMLM]ULISMSJMLHSLMMMTF2.....]+0]+......?..]:....]<........]ISNSLM]UISNSLMSMTF/...-.....]>....]ULJSMSLMTF*../</]HSLM]UNOP...T]UHSLMSMTF/...9.

I’ve also seen it try to POST to 208.89.214.177 but fail.

NetRange	208.89.208.0 - 208.89.215.255
CIDR	208.89.208.0/21
Name	VIRPUS-KC-1
Handle	NET-208-89-208-0-1
Parent	NET208 (NET-208-0-0-0-0)
Net Type	Direct Allocation
Origin AS	AS32875
Organization	DNSSLAVE.COM (VIRPU-1)
Registration Date	2008-04-25
Last Updated	2012-03-02
Comments	http://www.virpus.com

GET /V3n7%3F0i1r7/s.U87BRsV%7ESkt1f%3F7xIxYE/vtlMjyijVjnr HTTP/1.1
Host: 208.89.214.177
Connection: Close
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Content-Type: octet/binary
Accept: */*
Accept-Language: q=0.8,en-US;q=0.6,en;q=0.4

HTTP/1.1 403 Forbidden
Server: Microsoft-IIS/8.5
Date: Tue, 21 Oct 2014 17:09:56 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 147
Connection: close
X-Powered-By: PHP/5.5.16-1~dotdeb.1
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
</body></html>
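A small triage script, added here and not part of the original post, that parses captured HTTP requests and flags the traits visible in the beacons above: the C2 addresses, the non-standard Content-Type octet/binary, the random-looking percent-escaped paths containing '~', and the Accept-Language header that opens with a bare q= weight instead of a language tag. The two sample requests are constructed, the first copied from the capture above and the second a normal browser request for contrast.

```python
import re
# Indicators taken from the post: the addresses the sample contacted and two
# header oddities visible in its captured requests.
C2_HOSTS = {"gpsbah.com", "62.75.182.94", "208.89.214.177"}
ODD_CONTENT_TYPE = "octet/binary"  # not a registered MIME type; real clients send application/octet-stream

def parse_request(raw):
    """Split a raw HTTP request (request line plus headers) into a dict."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split(" ", 2)
    req = {"method": method, "path": path}
    for line in lines[1:]:
        if not line.strip():  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        req[name.strip().lower()] = value.strip()
    return req

def match_indicators(req):
    """Return the indicators from the post that this request matches."""
    hits = []
    if req.get("host", "").split(":")[0].lower() in C2_HOSTS:
        hits.append("host is a known C2 address")
    if req.get("content-type", "").lower() == ODD_CONTENT_TYPE:
        hits.append("non-standard Content-Type octet/binary")
    # Beacon paths mix percent-escapes with '~' (raw or as %7E) and name no real file.
    path = req["path"]
    if re.search(r"%[0-9A-Fa-f]{2}", path) and re.search(r"~|%7E", path, re.I):
        hits.append("random-looking path with percent-escapes and '~'")
    # The sample's Accept-Language opens with a bare q= weight instead of a language tag.
    if req.get("accept-language", "").startswith("q="):
        hits.append("malformed Accept-Language")
    return hits

def triage(captures):
    """Run each captured request through the checks; one hit list per capture."""
    return [match_indicators(parse_request(raw)) for raw in captures]

# Constructed samples: the first is the beacon from the post, the second a normal browser request.
BEACON = """POST /gWFOZM~5MV~R%26/Sg=%7EKls%3Fc.A/%2B HTTP/1.1
Host: 62.75.182.94
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Content-Type: octet/binary
Accept-Language: q=0.8,en-US;q=0.6,en;q=0.4
Content-Length: 4962
"""
BENIGN = """GET /index.html HTTP/1.1
Host: www.example.com
Accept-Language: en-US,en;q=0.5
"""
```

Running `triage([BEACON, BENIGN])` returns four hits for the beacon and none for the benign request; the host check is the only one that needs the addresses from the post, the other three describe the request shape itself.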

A full report can be found here.
