March 2009 Archives

As you can see, there's two parts to this - the iMess application that steals your MSN login, and "HQ" - the file that lets you grab said stolen data.

This is what the iMess program loading screen looks like when fired up, rather humorously using what appear to be ripped versions of Smilies from the ASK range of products, along with a list of "features" such as "Anti Block System" and "Hundreds of skins":


Click to Enlarge

It's all very slick, and designed to set the end-user at rest. No scam looks that professional, surely?

Well, actually...

....whoops, it does. Note that it's called iMess2 - no idea what happened to the first one, but perhaps that's another confidence trick. At any rate, if you enter your login details, you'll see that staple of rogue applications - the fake error message:

While this is taking place, it's probably a good time to crack open the code and see what's taking place:

Did your MSN login details just get sent to an FTP server in the Netherlands? I think they did.

Want to see where they end up? Sure you do! Time to fire up the "HQ" program - which is used as nothing less than a sort of communal sharing zone for stolen logins. Put simply, if you run HQ, you can see ALL of the stolen logins obtained around the World and sent to the FTP server.

"HQ" stands (rather appropriately enough) for "Headquarters". First you'll see the below - a splash page of sorts, telling you the last time the stolen data was "cleaned" (ie tidied up), with two buttons - "Contact" and "Accounts".


Click to Enlarge

It's the accounts we're interested in...

As you can see above, there are a number of buttons across the top. Simply hit "Connect" to connect to the FTP server, then hit "Get list" and all of the accounts stolen via this program are displayed in the bottom panel. If you want the password for any of the accounts, left click one then press "Show" and...

The login details are yours for the taking. From there, you can use the stolen logins to send spam or infection links via those accounts, dip into EMails that use the same logins (harvesting any additional data / logins stored inside) ....the choice is yours.

It's a common theme of phishing scams (for example) that a ringleader effectively orders the troops to go out and phish under the illusion they get something at the end of it, when in reality the person at the top of the chain keeps all the data.

Here, we have a bizarre example of using rather slick faked IM technology, sharing stolen data with the masses "for the greater good" (in the loosest sense of the phrase of course - there's nothing particularly "good" about this).

Hang onto your MSN Login details and avoid this program.

I guess they're supposed to be circuit boards or something - almost reminds me of Tron. As with most hacking related creation tools these days, the emphasis is on being idiot proof and easy to use. Owning a Botnet has never been simpler - just fire up the Builder, and...

Easy as pie. Enter the IP address you want your rogue executable to connect to (usually,  this would be your own IP address via a service like no-ip, so you can control your drones) and your file pops into life with yet another funky looking icon:

Let's look inside the code.

Note the fake error message in the first line, and the wonderfully charming "you got owned" message further down (with nifty swear word removed):

As you can see, "Winservice.exe" is going to end up in the System32 Folder, assuming the victim can be convinced to run the file (which usually isn't too hard).

This is the fake error message our unwilling Botnet participant will see if they run the file:

...and here's the "Winservice" file, now resident and active in the System32 Folder:

At this point, we move back to the attacker who has fired up the Admin console. Note our test drone is now connected to the person controlling the Botnet:

Click to Enlarge

Simply enter the ip address of your target, hit "send" and...

Click to Enlarge

...the attack is underway, ending (logically enough) when you hit the "Stop" button.

Compiled on the 15/03/09, this is probably the most straightforward Botnet creation tool we've seen - I imagine there'll be quite a few SOL nets out there over the coming weeks / months.

Even so, there's a few drawbacks for wannabe net owners - specifically, having to register a number of files in order to run the Admin console. It might not sound like much, but you'd be surprised how many leet kids give up their life of E-Crime when faced with an array of .OCX files and Windows directories.

Thank goodness...

Thanks, vain hacker type person. Obviously, this will only work where you're presented with a PC running either of the above, but it's better than nothing...

Do you really want me to answer that, kid?

"iBot Lite is the BEST Free RuneScape Bot around. We offer it for free, or you can suscribe to the paid version(which has more features). However, if you just would like to automine, autofight, etc. on RuneScape, then you can try out the FREE iBot Lite Version. If you want more features, and want to run more bots, and make MORE money, then please consider purchasing iBot Pro. This is the BEST RuneScape Bot EVER released for FREE! As well as the best PAID RuneScape Bot EVER!"

That sounds like all sorts of wrongness. Sure enough, visit the forum and you're presented with a wide array of downloads. One in particular, for a program called iBot / neXus, caught my eye.

Note that they claim more than eighteen thousand downloads - this will be important in a few moments.

What happened next is a bit of a first for me - a Zango installer prompt, launched from a forum instead of a regular website. Even better (or worse), check out the text on the Zango popup:


Click to Enlarge

I'm pretty sure it can't be a good thing to have "Click start to download your Runescape hack" and "& see our new glitch to get past 3k limit" on one of your installers.

The site has been around since 2006, but because Internet Archive hasn't save any of the installer pages there's no way to know how many of those 18,000+ downloaders installed Zango to get their hands on the missing Bot program, though we do know they've been on there since at least February of this year.

Wait, did I just say "missing"? Yep, because in a humorous twist, it seems the site owners want you to download Zango and then give you a missing download.




Really guys, how are these sites getting through quality control?

Click to Enlarge

...Jessica Simpson and Mischa Barton. I don't know about you, but I don't recall seeing Pam Anderson on the steps of the Lincoln Memorial. Okay, I hear you say - that's just some goofy marketing gone awry. It happens.

Sure it does. But as you wade through the site and see increasingly heavy duty material such as the Holocaust offered up as an incentive to install Zango:



...is it too much to ask that when you click through to see more historical videos, the first thing you see isn't Pamela Anderson in a see through top?




Stay classy, guys.

Maybe it's just me, but I think the owner of the site in question should perhaps put a little thought, care and respect into what they're promoting versus what they're actually sending people to. As it stands, it's just another cookie cutter website designed to send as many people as possible to the Zango website for some $$$ in the most tasteless, thoughtless way possible.

As a closing note, here's the full "I Have a Dream" speech, with no condensed videos, Zango or breasts in sight. I also have a dream, which involves tasteful advertising.

It's quite a long way off...

Already, Lauren is busy following 149 people, and has picked up a solitary follower. Let's skip forward to her teenage years - roughly 20 minutes after being created:

My, Lauren has been busy! She's pulled in a few more followers, but the amount of people she's going to follow is about to explode as she races headlong into middle age, some 35 minutes after the account went live:



She's now bumped her followers to 20, and is chasing 812 people around Twitter. No doubt they've all been told about her free laptop, LOL. However, a bit of old age seems to be creeping in. We all have to slowdown sometime I guess, which would explain why...

....she's still in the 800 range with roughly 45 minutes used in the name of spamming. Unfortunately for Lauren, the knees are going, the eyesight isn't what it was and then...

Click to Enlarge

....the Great Banhammer From the Sky rains down upon her head.

However, with forty odd minutes on the clock and 800+ people now thoroughly sick of the word "laptop" I think our spamming friend has earned a trip to the next life.

With any luck, it'll be the one with all the brimstone and pitchforks...

Anyway, the site in question (registered to someone in Rabat, Morocco though this could well be fake data) appears to house the beginnings of a "banking phish" archive. Check it out:


Click to Enlarge

The site is a dumping ground for everything from Wachovia and Natwest to Chase and Barclays phish pages. In general, phish page sharing is usually done in a disorganised and quite random fashion on forums. To start stacking them up like this (it kind of reminds me a little of defacement archives) is quite an interesting and vaguely worrying approach.

At the top, the banner also promises unfinished sections such as "Letters" (presumably forgeries intended for real world scams), Mailing programs (those spam links won't send themselves to people!) and "CVV" (Card Verification Value).

The final insult is that this domain has actually been around since 2001, and in its original form actually fought scams - now it is one.

We'll be reporting the site and monitoring it closely in the meantime...

 

Quite a lot of these things have cute little icons and other gimmicks, all designed to convince you the programs you're running are legitimate. However, it doesn't matter if they look like this in the funky Youtube videos:

When you run the file, you'll always either end up with

a) nothing happening (there'll be quite a bit happening in your System 32 Folder, though) or

b) this:

Endless fake error messages. Amazingly, not only did this application not work on my Vista computer, but also on XP, NT and Me. I even wheeled Windows 98 out of cold storage, just to see what happened.

The answer, of course, was "nothing at all".

Remember, fake error messages (along with promises of "It's not working now, but you WILL get your codes later") are all part of the gag.

When you start to dig around in these programs for a while, you might think twice about running them. For example, here's a generator that seems to have some virtual machine awareness:


Click to Enlarge

Something as supposedly harmless as a points generator looking out for virtual machines? Uh, that sounds a little suspicious to me. If you run the program in a virtual machine, nothing happens, and no files are deposited into various folders on the PC. I've seen a lot of fake generator programs, but to turn up one that has some basic virtual machine awareness in it is quite an interesting catch.

Generally, any videos on Youtube promoting these applications will be stuffed full of "Oh wow, it worked!" comments from accounts registered purely to leave those messages - another indicator that all is not what it seems. Sadly, a large proportion of Youtube users wouldn't stop to check if the commenters are actually legit users.

Finally, here's two promos from two different people, each advertising a separate product - one is an iTunes points generator, the other for Wii points.

See if you can spot the error:

Despite the fact that these are both supposed to be different programs, they both link to the SAME file on Rapidshare, a rather suspiciously named file called "Youtube.exe". Five minutes investigation like the above would be enough to set alarm bells ringing in the heads of most users, but would they be too enticed by the prospect of free music to care?

And more importantly, did I mention that I hate Bono?

Well, most of them are. This one sort of ruins it:


Click to Enlarge

...oh dear.

You might have noticed all of the screenshots are a little blurry - that's because the only place you'll ever see programs such as the above are on Youtube videos promoting said applications - the pretty bells and whistles only exist on the desktop of the person who created the fake front end.

Downloading the file will only ever give you faked error messages on the desktop - something many Youtube videos will promote as a "feature", claiming the points take up to 48 hours to come through.

Yeah, right. It's all an elaborate con trick, designed to make you run the EXE then go about your daily business. Meanwhile, the files deposited on your PC are logging everything then sending it back to base.

Did I mention they look nice, though?


Click to Enlarge

Eye candy. It's surprisingly effective...

Over $5,000 of free stuff just for sending out a message on Twitter? Sign me up!

Hit the "Click Here" link, and you're taken to this:


Click to Enlarge

As you can see, you're asked to enter your Twitter login details and the message you'll send is displayed in the "Message" box. This particular promotion seems to change the message every few days. There's also a pre-ticked box to follow the person who set the campaign up on Twitter.

This is smart for a number of reasons. Firstly, the campaign owner can see at a glance a good idea of how many Twitter users have sent out his message. Secondly, he can then send those people messages about other promotions at a later date. I'm willing to bet the people who submit their details to these kinds of things are unlikely to untick the checkbox. Also:

"We promise that your details are NOT stored anywhere on our servers".

There is, of course, no way to know that for certain with any of these websites. Moving on, once you hit the "Download Now" button you're taken to a page full of offers and freebies (to be fair, the example given above seems to link to genuine offers, if a little drawn out and stuffed full of link clicking and hoop jumping) and your profile sends out something like this:



Can't say I'd be hugely impressed if a contact sent me a message like that on Twitter. Are some (potentially useless) freebies worth losing a pile of followers?

Probably not. We'll likely take a look at Twitter Blaster itself in a future writeup...

This entire document promotes illegal streaming to make a profit and unethical activity (it even has section on how to get an account approved with Zango if you've been previously rejected), yet the creator says "I'm not responsible".

Well, there's a surprise.

Even better, he says "You have NO rights to distribute this document", yet he stomps upon the copyright of the TV show creators he's making money from without permission. Once again, I'm shocked. On the bright side, I'm definitely not "dumb" where obtaining a copy of this document is concerned, because I woke up to find it tucked under my pillow.

Moving on, the rest of the introduction gives you a general rundown on Zango, payout rates and a screenshot of his earnings. Then we come to this:


Click to Enlarge

I'd take issue with this being the "only unethical thing" in the PDF, considering the whole thing is based on generating profit from pirated movies but anyway. Some choice extracts:

"Now, when you signup with Zango, use some fake details" is a nice start. I've blanked out his actual method for attempting to scam Zango, but honestly? I'm a little surprised that he claims such a stupid technique actually works.

As for this:

"...I've never been verified by phone, because I registered under a famous Zango user and he simply told them to accept me anyway".

If that's true, I'm dazzled - especially given that this guy is the King of promoting installs via pirated material in PDFs you have to pay 10 to 15$ to obtain.

The next section shows you how to build a site quickly, targeting the TV shows most likely to make you a lot of money. Oh, I forgot - the package comes with phpvideoscript, which enables you to build an endless stream of identikit websites.



Handy, eh?

Good job Lost is keeping him rolling in the money. It goes a bit wrong on the next page though, because he leaves what is apparently his Zangocash username in the screenshot.


Click to Enlarge

Say hello to xMastex! If Zango are reading this, you might want to go slamdunk his account in a ditch (if you haven't already), seeing as he's

1) Making money from PDFs ready rolling websites designed to profit from illegally ripped TV shows and movies via installs of your Adware and
2) Giving out "unethical" advice with regards joining your program with fake details.


Click to Enlarge

As you can see above, he then goes on to list the best places to grab ripped streams, ready to be placed on your freshly created army of websites. Because of the system used to manage the sites you've created, you can add a stupid amount of videos to the pages with little to no fuss:


Click to Enlarge

The rest of the document covers sites to submit your movie links to, traffic boosting and tricks involving places such as Sidereel.com. Oh, and this:



...I thought the only unethical part of this PDF was the bit where they signed up to Zango with fake information? Oh well.

Who is Doing This?

Well, there's a bit of a tangled web where that's concerned. A number of different names are used in Whois for many of the sites referenced by "Mastex" on various places, the document signs off as "Stefano" and there's apparently an updated version of this document floating around on the net too.

To make things more complicated, it seems there are quite a few people now making their own versions of these PDFs.

There's usually a trail though, and sure enough I happened to find a review of one of these PDFs where someone is asking for "review copies". It's screenshot time:



It's pretty likely "Marko" and Mastex aren't the same people,  because Stefano appears here as Mastex on Digg - but he's certainly promoting one of his own PDFs. The reviewer blanked out the URLs, but it's not too difficult to Google Marko + Gossipgirl websites ...


Click to Enlarge

Look at that - someone called Marko spamming links to viewgossipgirl.info, via a number of streaming sites. However, the really interesting bit is the Digg link.


Click to Enlarge

Well, I'm surprised by all the "watch free episodes online" links. Honestly.

Do a Whois search on Sick-Videos.net, and...

Man, someone forgot their anonymous Whois Guard, didn't they?

The document Marko is pushing seems to be different from the original Mastex version, so it's entirely possible there's a whole industry out there involving people creating (then selling) their very own "make money in a dubious fashion" PDFs. All of the Marko sites that offered up Zango (here's one) seem to have had the Zango popup removed so perhaps they killed his account - but that doesn't mean he has to stop selling his PDFs. And so the industry continues to grow.

The question is, when is someone going to do something about it?

Wow.

Anyway, fire the program up and you'll see this:

Seems great, doesn't it? Simply enter your Steam ID and Password, and you can choose to have either Counter Strike or "All Games" for free. I'm not sure why people would choose Counter Strike when they could get it with all the others via the first option, but then logic never plays into it where these kinds of programs are concerned.

Bonus points for the creator though, because they made a slightly snazzier version of the original program:

This one lets you pick from a wide variety of individual programs, just to give things a little more credibility.

Unfortunately that credibility is about to fly out the window. Shall we take a look inside the code?

Whoops. I wonder why EMail addresses are in there. Could it be your logins are sent back to base when you hit the "Get free games" button?

You bet. I wonder if this guy left his name in the code, too....

Marias Aas of Norway, I have a hunch you're about to become extremely popular. Looking at his Youtube profile, I'd be surprised if he wasn't already...

Apart from the snazzy Neo picture, it's also harbouring an MS SQL injection tool. I love stumbling across sites like this, because there's no easy way to tell if the site is legitimate, if it's a penetration test tool, something designed to be malicious or they just have a thing for Neo and hacking.

Anyway.

Setting aside the issues of "this tool can be used for evil, as well as good" I thought it might be interesting to take a look at what it does. After a while, I found a Flash demonstration of the program going through its paces, but frankly had no idea what was going on. After checking with a colleague, I think I have a pretty reasonable play by play account of what's happening. I could be horribly wrong, of course.

Warning: lots of Chinese text coming your way.

Let's kick things off with a look at the program itself:


Click to Enlarge

I think the word I'm looking for here is "impenetrable". This next shot is an image of someone attempting to get the name of the database via asking it through http. Unfortunately for them, it doesn't work. Drama!


Click to Enlarge

At this point, they fire up the program. The next picture is our wily hacker trying to find out what kind of database the target is running:


Click to Enlarge

He quickly discovers the target is running a Microsoft MSSQL server:


Click to Enlarge

In the next image, he's digging around in the site to find out various bits and pieces of information he can use to his advantage:


Click to Enlarge

Finally, here's a shot of our persistent offender creating an .asp page on the target server:


Click to Enlarge

As you can imagine, uploading files directly onto the server is not a particularly good thing to have happen.

At this point, our bumpy ride into the wilds of Chinese injection tools ends abruptly, due to the Flash animation refusing to play past the above screenshot. I'm still trying to find out if the program was created by a legit security outfit for penetration testing or if it's Black Hats all the way.

Fun while it lasted, though....

Additional Research: Chris Mannon, Sr. Threat Engineer

....apparently not. I've no idea what the unfortunate person above had stolen, but always worth remembering: never trust anything asking for your login credentials, regardless of whether it comes via email, phone, text or carrier pigeon.

Pretty, isn't it? Anyway, click into any of the episodes and you'll see a Zango installer.


Click to Enlarge

He doesn't look too happy about having his head pasted onto an adware prompt, but oh well.

What really made me laugh about this website was the usual boilerplate disclaimer at the bottom of the page:

"Disclaimer: We are not responsible for any content which is streamed through this website. If any damage occurs by the use of information presented here, only shall the content provider be held liable.The streaming videos that has been found here are hosted by third party. Any copyrighted videos, pictures or music is a property of the original copyright holder and it was found on third party sites. Therefore for any copyright violations, the owner of this blog is not liable."

Oh really? Is the owner of the blog "not liable" when we find the person uploading at least some of the content is what appears to be....


Click to Enlarge

....the owner of the blog?

This person is seemingly ripping, then uploading BBC material to promos on Youtube to make a quick profit from Zango. Some of the other sites out there doing this can try and squirm out of copyright related shenanigans by linking to videos hosted in China - nothing to do with us, someone else uploaded it - but here we apparently have the site owner himself uploading the copyrighted content.

Funnier still, once you've actually installed Zango, all of the pages look like this:


Click to Enlarge

There's a complete lack of videos. Whether you browse the site in IE or Firefox, there's nothing there. If you go back and check out what any of the supposed episode pages look like before you install Zango, you can see one of the "movie" windows behind the installer prompt. Note the length of the clip:


Click to Enlarge

Every single video has a running time of 8:10.

Could it be - and I don't want to appear overly cynical here - that the supposed Youtube videos "featured" on site are nothing more than jpegs of a Youtube video window? The alternative is the site is coded extremely poorly and there's some sort of glitch preventing you from watching a ream of episodes that all last exactly 8:10.

Either way, it's not the greatest deal going, especially when the people promoting the site on Youtube place messages such as these in their videos to bait people in:



Maybe Jonathan Ross should do a show about it...

"ya viste mi nuevo corte? me lo hice yo

img110.buscandopics.info/img110/1540/DVR-IMAGEN006.jpeg.zip"

The link has been taken down, but was directing people to a malicious file. The naming convention seems to be similar to a few files currently causing problems on MSN, and we may have some more information on this shortly. For now, if any of your contacts on Skype randomly send you messages with

.jpeg.zip

at the end of them, consider advising them to run a couple of system scans...

If you're wondering, the spam accounts all pretty much look like this:

Click to Enlarge

It's a little depressing that the spam profile above already has 148 people following it. Someone at Twitter needs to try and get a grip on this one before every other message sent out is FREE LAPTOP, LOL.

Ignoring the fact that it resembles a cartoonish piece of meat on a bone, let's fire it up:

Click to Enlarge

As you can see, the Facebook logo sits in the middle, just above the "Freeze" button. Above the EMail field, you can see a dropdown box where the attacker selects their service of choice:

This particular version "only" has Facebook, Windows Live and YouTube but there are other versions out there which do much the same thing but target other Social Networking sites.

Once you've picked your poison (so to speak), you simply enter the EMail address or Username into the space provided and hit the "Freeze" button. But wait! For those who woke up in a particularly malicious mood, the program allows you to watch the demolition of your targets account in a sort of "realtime" mode, with the aid of an extremely slick built-in browser window. Simply hit the "Let me watch" button, and the browser extends out on the right hand side of the application:


Click to Enlarge

Hit "Freeze", and as a meter at the bottom gives you a % score with regards freezing completion, the view in the browser window alternates between the bottom two images - the first, the Facebook login screen:

Click to Enlarge

...and the second, the page telling your your login combination is incorrect:


Click to Enlarge

Once you hit 100%, this is what you see inside the applications browser window:


Click to Enlarge

"You have exceeded the number of invalid login attempts that we allow for your account. If you have forgotten your password, reset your password here".

Whoops.

Now, I know what you're thinking. This is easily fixable, you just hit the "reset password" link and you're back in business. However - if your attacker decides to keep attacking you over a short period of time while you keep on resetting your password, eventually your mailbox will look like this...

...and not only will you be utterly sick to death of resetting your password, you'll be even more fed up when you get locked out one too many times and see this:

Yes, eventually you're even prevented from sending a password reset. Bizarrely, you're still given an option to hit a "reset password" button, even though it won't actually work for you anymore.

All you can do now is brave the wilds of the "Contact Us" page, and generally speaking, most people give up in despair and a flailing of arms when presented with such pages. If I'd been the victim of this kind of time wasting "fun", I'd probably be more inclined to simply start again from scratch.

I tried a little earlier on to see if I was now able to resend a password reset to the account used in the above screenshots...I was presented with an "Unconfirmed Account" message:

I can only assume they do this as an antispam precaution when your account is frozen out in this way. I'd be ready to give up and go home by this point.

In case you were wondering, it does much the same thing with YouTube:


Click to Enlarge

However, doing this to a YouTube account doesn't quite cause as much aggravation as it does where Facebook is concerned - at no point during testing did YouTube lockdown the account the same way Facebook did, although I can't assume there isn't an "upper limit" at which point YouTube also brings down the final curtain.

All in all, something a lot of rage fueled kids will likely be deploying over the coming months.

While it's a little tricky to prevent people from knowing your username on YouTube - because you want people to know who you are on there, right? - it seems a sensible precaution to be as secretive as possible where the EMail account used with Facebook is concerned...

Writeup: Chris Boyd, Director of Research
Additional Research: Chris Mannon, Senior Threat Researcher

 ...pretty, isn't it?.....you'll see this appear in the bottom left hand corner of your browser:

However, instead of being taken to the Zango gateway like you were previously, the screen flashes briefly and you're taken directly to the demo download.

In other words, no more Zango.

If I had to guess, I'd say Zango have either cancelled the site owners account, or it's still live but they're blocking him. Either way, the site is no longer making people install something before presenting them with a major letdown in the form of lame demo versions. So hey, if someone from Zango is reading this and you did indeed whack the account - thanks.

In addition to the nifty diagrams of how their lag switches work, they also have a pile of photographs of their switches connected to various controllers:

Click to Enlarge

They even have an EBay store.

However, what I find particularly disturbing (aside from the fact they claim to have sold nearly 5,000 of these things) is the following quote taken from their FAQ page:

Wait - videogame stores are going to be selling game-breaking devices that aren't actually allowed on gaming networks such as XBox Live?

I see angry legal people on the horizon, all of them excited by the smell of their next meal...

"This file is larger than 200 Megabyte. To download this file, you either need a Premium Account, or the owner of this file may carry the downloading cost by making use of "TrafficShare".

The interesting part is that (unlike the earlier phish pages covered) these ones actually link to genuine files on Rapidshare, all adding to the illusion that this is legitimate (if you try to download the file on Rapidshare, you'll be given the same message regarding premium accounts).

Quite a smart tactic, then. Of course, you really shouldn't be downloading files with "Warez" in the name anyway...

The site reads:

"The Steam Verification System is to ensure that multiple IP addresses are not used to access a single account. Please enter you account credentials below to verify your account. Accounts not verified within 24 hours of notice will be permanently disabled."

Given that one of the biggest plus points of Steam is that you can use your account on as many PCs as you want to - indeed, there are dedicated Steam sections in web cafes for just such a purpose - it seems ludicrous to base their scare tactics on multiple IP addresses (especially as the scam site actually links to a web cafe information page just out of screenshot).

However, there's always going to be someone who falls for this kind of scam.

Interestingly, the creator of both these sites has been promoting them on Youtube, under the account name of

SteamVerification

And is listed as being 30, based in the United States. Typically, he's leaving comments such as these on Youtube videos:

As you might imagine, there are some rather angry comments appearing on his userpage. Here's some of the friendlier ones:


Click to Enlarge

Another interesting "feature" of these scams is that the Whois data isn't anonymised. Currently, the information for both sites reads as follows:

Domain Name: STEAMGIFT.COM / STEAMVERIFICATION.COM

Registrant:
    N/A
    Steve Zestner
    4163 Mesa Drive
    Lake Mead
    California,16609
    US

Of course, these could be entirely fake details - but usually, websites such as these are either use anonymous registration service or obviously fake information. Could our phisher have been so silly to use his real name and address?

Perhaps. The only really important part to remember is to give websites such as the above a very wide berth...