Christopher Boyd: March 2009 Archives

Yesterday we came across something we haven't seen before - a fake Instant Messaging program used to share stolen data to the masses via the wonders of FTP. Let's begin by introducing iMess:


As you can see, there are two parts to this - the iMess application that steals your MSN login, and "HQ" - the file that lets you grab said stolen data.

This is what the iMess program loading screen looks like when fired up, rather humorously using what appear to be ripped versions of Smilies from the ASK range of products, along with a list of "features" such as "Anti Block System" and "Hundreds of skins":


It's all very slick, and designed to set the end-user at rest. No scam looks that professional, surely?

Well, actually...


....whoops, it does. Note that it's called iMess2 - no idea what happened to the first one, but perhaps that's another confidence trick. At any rate, if you enter your login details, you'll see that staple of rogue applications - the fake error message:


While this is taking place, it's probably a good time to crack open the code and see what's taking place:


Did your MSN login details just get sent to an FTP server in the Netherlands? I think they did.

Want to see where they end up? Sure you do! Time to fire up the "HQ" program - which is used as nothing less than a sort of communal sharing zone for stolen logins. Put simply, if you run HQ, you can see ALL of the stolen logins obtained around the World and sent to the FTP server.

"HQ" stands (rather appropriately enough) for "Headquarters". First you'll see the below - a splash page of sorts, telling you the last time the stolen data was "cleaned" (ie tidied up), with two buttons - "Contact" and "Accounts".


It's the accounts we're interested in...


As you can see above, there are a number of buttons across the top. Simply hit "Connect" to connect to the FTP server, then hit "Get list" and all of the accounts stolen via this program are displayed in the bottom panel. If you want the password for any of the accounts, left click one then press "Show" and...


The login details are yours for the taking. From there, you can use the stolen logins to send spam or infection links via those accounts, dip into EMails that use the same logins (harvesting any additional data / logins stored inside) ....the choice is yours.

It's a common theme of phishing scams (for example) that a ringleader effectively orders the troops to go out and phish under the illusion they get something at the end of it, when in reality the person at the top of the chain keeps all the data.

Here, we have a bizarre example of using rather slick faked IM technology, sharing stolen data with the masses "for the greater good" (in the loosest sense of the phrase of course - there's nothing particularly "good" about this).

Hang onto your MSN Login details and avoid this program.

The SOL Botnet(s)

Over the last week or two, we've seen a couple of Botnets running infection files we haven't come across before. With a little further research, we discovered the tool used to create these Botnets, and were able to learn a little bit more about these new nets.

The SOL Botnet system allows you to control up to 100 drones at a time, and (as you'll see) uses UDP to perform DDoS attacks against a target of your choosing. In addition, there are paid-for versions (so far, unreleased) that supposedly allow control of up to 200 drones at a time, Windows XP product key theft, "huge bandwidth attacks" through image spamming and "lifetime support".


Shall we take a look at the SOL Botnet creation tool? Let's start by grabbing a snapshot of what our budding Botnet builder will see on their desktop:


I guess they're supposed to be circuit boards or something - almost reminds me of Tron. As with most hacking related creation tools these days, the emphasis is on being idiot proof and easy to use. Owning a Botnet has never been simpler - just fire up the Builder, and...


Easy as pie. Enter the IP address you want your rogue executable to connect to (usually, this would be your own IP address via a service like no-ip, so you can control your drones) and your file pops into life with yet another funky looking icon:


Let's look inside the code.

Note the fake error message in the first line, and the wonderfully charming "you got owned" message further down (with nifty swear word removed):


As you can see, "Winservice.exe" is going to end up in the System32 Folder, assuming the victim can be convinced to run the file (which usually isn't too hard).

This is the fake error message our unwilling Botnet participant will see if they run the file:


...and here's the "Winservice" file, now resident and active in the System32 Folder:


At this point, we move back to the attacker who has fired up the Admin console. Note our test drone is now connected to the person controlling the Botnet:


Simply enter the IP address of your target, hit "send" and...


...the attack is underway, ending (logically enough) when you hit the "Stop" button.

Compiled on the 15/03/09, this is probably the most straightforward Botnet creation tool we've seen - I imagine there'll be quite a few SOL nets out there over the coming weeks / months.

Even so, there are a few drawbacks for wannabe net owners - specifically, having to register a number of files in order to run the Admin console. It might not sound like much, but you'd be surprised how many leet kids give up their life of E-Crime when faced with an array of .OCX files and Windows directories.

Thank goodness...

Steamy Phishing

We're seeing a wave of Steam related phish scams at the moment. Most (if not all) look something like this:


Ah, the promise of free games. When have you ever let a phisher down?

The domains being used in this scam are:

If / when we come across others, we'll add them to the above list. Quite a few have gone offline already, only to come back to life so it might be a while before all of the above are completely DOA...

Someone has created a couple of fake applications currently in the wild, both made to look like legitimate chat programs. They're pretty convincing:



We've seen these kinds of scams before, and as with those programs, when the victim enters their details they're stored locally on the PC (in this case, storing them in Settings.ini) for the attacker to collect.

Though this means physical access to the PC is required (think net cafe scammers hawking around unsecured PCs), for around $5 you can buy an upgraded version which sends the stolen data to an FTP server.

Okay, I hear you cry - how do we spot these particular nasties?

Well, it seems vanity has got the better of the creator. They just couldn't resist putting in a "hidden" about page that tells you who made them - presumably for bragging rights on forums.

This works great for us, especially when I do so enjoy randomly clicking around on the surface of rogue programs just in case something amazing pops up.

As luck would have it...



Thanks, vain hacker type person. Obviously, this will only work where you're presented with a PC running either of the above, but it's better than nothing...

There's an old technique in certain forms of martial arts - when confronted by an attacker, just before they start to throw the first punch, you distract them with something utterly stupid.

Could be a silly noise, or you might waggle your arm to the side while pulling a face - doesn't matter. The stupider the better, it's just there to make them wonder what on earth is happening shortly before you put them through a window and run away as fast as you can.

Well, same deal here. Today we came across a program designed to do nothing at all. No hijack, no contacting a server, no files dropped, no registry entries, no staying in memory....nothing.

What is it used for?

Distraction. And lots of it.

There is a video currently in circulation on sites such as Youtube, promoting something called LiveGrabber.


The program looks amazing, gives you all kinds of free things, hands you free accounts for the paid XBox Live service and so on. All done by pushing a few buttons. Here are some pics lifted directly from one of the videos:




Told you it was nice looking.

However, the gimmick here rolls into town exactly six seconds into the video:


"New update available: it will no longer have an interface. It will run silent in the background - when opened you must visit the website to redeem".

Yes, the NEW version is completely invisible and runs "silently" (extremely silently!), only giving you lots of free things if you visit the website promoted in the video and enter your own Live login details.


While we've seen fake programs before, usually they either refuse to work, drop infection files or give out fake error messages.

This is the first time we've seen someone create an extremely slick looking interface for a Youtube video, then reduce it to nothing and pretend it's "doing something in the background". It seems the original version available to download did the usual "fake error message" routine, but the author grew tired of trying to explain away fake error messages.

What could be better than telling people it now runs silently in the background?

At any rate, based on the comments left on the creator's Youtube page, it seems it's enough of a distraction to get people to hand over their login details to


Did I say "user comments"? I sure did. I'll leave you with the thoughts of some people soon to be parted from their Live ID login credentials...




Yes. Of course it does...!

Installer Fail?

I'm not quite sure what's going on with

But if you want to watch their poor quality, illegally ripped episodes of Avatar: The Last Airbender (quite possibly the stupidest name for anything, ever) then this happens:


Isn't the popup supposed to prevent me from tasting forbidden fruit until I install Zango?

Oh well. As a side note, just when I was about to leave the website, this appeared:


Do you really want me to answer that, kid?

Not much more to add here, other than "avoid".

Runescape. I've never played it, but thanks to the handy Wikipedia article I can tell you that:

"RuneScape is a Java-based Massively Multiplayer Online Role-Playing Game operated by Jagex Ltd. Recognised by Guinness World Records as the world's most popular free MMORPG, RuneScape has approximately fifteen million active free accounts and is a graphical browser-based game with a large degree of 3D rendering."

The Runescape creators don't like Bots very much. In fact, a thriving underworld of botting, cheating and leet haxing exists with a wealth of program sharing and information sharing taking place. Along with Habbo Hotel, it's where a lot of wannabe Phishers cut their teeth. With that in mind, I thought we should take a look at the following website


Here's a sample screenshot. Funky advert for powerlevelling aside, check out the text beneath it:


"iBot Lite is the BEST Free RuneScape Bot around. We offer it for free, or you can subscribe to the paid version (which has more features). However, if you just would like to automine, autofight, etc. on RuneScape, then you can try out the FREE iBot Lite Version. If you want more features, and want to run more bots, and make MORE money, then please consider purchasing iBot Pro. This is the BEST RuneScape Bot EVER released for FREE! As well as the best PAID RuneScape Bot EVER!"

That sounds like all sorts of wrongness. Sure enough, visit the forum and you're presented with a wide array of downloads. One in particular, for a program called iBot / neXus, caught my eye.


Note that they claim more than eighteen thousand downloads - this will be important in a few moments.

What happened next is a bit of a first for me - a Zango installer prompt, launched from a forum instead of a regular website. Even better (or worse), check out the text on the Zango popup:


I'm pretty sure it can't be a good thing to have "Click start to download your Runescape hack" and "& see our new glitch to get past 3k limit" on one of your installers.

The site has been around since 2006, but because the Internet Archive hasn't saved any of the installer pages, there's no way to know how many of those 18,000+ downloaders installed Zango to get their hands on the missing Bot program. We do know the installer prompts have been on there since at least February of this year.

Wait, did I just say "missing"? Yep, because in a humorous twist, it seems the site owners want you to download Zango and then give you a missing download.


Really guys, how are these sites getting through quality control?

When I think of all the great (and not so great) moments in history, I sometimes wish there was a place where I could see all these different events.

The good news is, there is. The bad news is, it's not very good.

Presenting the wonderfully named

My eye was initially drawn to the main splash on the site, nothing less than the "I Have a Dream" speech by Martin Luther King:


Aside from the fact the above clip is extremely short, the really interesting part is the Zango branded banner adorning every videopage.

At this point, the randomness of the website comes into play. As with many sites offering Zango adware, what's offered doesn't match up to what's on offer. Case in point, click the Zango banner and instead of being handed what you're looking for - in this case, history videos - you're given...


...Jessica Simpson and Mischa Barton. I don't know about you, but I don't recall seeing Pam Anderson on the steps of the Lincoln Memorial. Okay, I hear you say - that's just some goofy marketing gone awry. It happens.

Sure it does. But as you wade through the site and see increasingly heavy duty material such as the Holocaust offered up as an incentive to install Zango:

...is it too much to ask that when you click through to see more historical videos, the first thing you see isn't Pamela Anderson in a see-through top?


Stay classy, guys.

Maybe it's just me, but I think the owner of the site in question should perhaps put a little thought, care and respect into what they're promoting versus what they're actually sending people to. As it stands, it's just another cookie cutter website designed to send as many people as possible to the Zango website for some $$$ in the most tasteless, thoughtless way possible.

As a closing note, here's the full "I Have a Dream" speech, with no condensed videos, Zango or breasts in sight. I also have a dream, which involves tasteful advertising.

It's quite a long way off...

Say hello to "owOHRJ" - or as she likes to call herself, "Lauren".


Lauren is part of a very particular digital plague - those wonderful spammers on Twitter who just can't wait to tell you about their "Free laptop, LOL".

By a strange quirk of fate, I was there moments after her creation and I would be there to witness her somewhat unspectacular demise. Here is the account, roughly ten minutes after it entered our digital world:


Already, Lauren is busy following 149 people, and has picked up a solitary follower. Let's skip forward to her teenage years - roughly 20 minutes after being created:


My, Lauren has been busy! She's pulled in a few more followers, but the number of people she's going to follow is about to explode as she races headlong into middle age, some 35 minutes after the account went live:


She's now bumped her followers to 20, and is chasing 812 people around Twitter. No doubt they've all been told about her free laptop, LOL. However, a bit of old age seems to be creeping in. We all have to slow down sometime I guess, which would explain why...


....she's still in the 800 range with roughly 45 minutes used in the name of spamming. Unfortunately for Lauren, the knees are going, the eyesight isn't what it was and then...


....the Great Banhammer From the Sky rains down upon her head.

However, with forty-odd minutes on the clock and 800+ people now thoroughly sick of the word "laptop" I think our spamming friend has earned a trip to the next life.

With any luck, it'll be the one with all the brimstone and pitchforks...
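The follow counts the post gives for "Lauren" are exactly the kind of signal an abuse team can key on: no human goes from zero to 800+ follows in half an hour with a handful of followers in return. The script below is an added example (not code from the original post) that flags an account from a series of follower/following snapshots. The timeline is constructed from the numbers in the post, with the 20- and 45-minute rows and the thresholds filled in as assumptions.

```python
"""Follow-velocity heuristic for spotting automated 'follow spam' accounts.

Added example, not code from the original post. The LAUREN timeline is
constructed from the counts the post gives (10 min: following 149, 1
follower; 35 min: following 812, 20 followers); the 20- and 45-minute rows
are constructed fill-ins, and every threshold is an assumption.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Snapshot:
    minute: int        # minutes since account creation
    following: int     # accounts this account follows
    followers: int     # accounts following it


# Assumed thresholds; tune against a real account population.
MAX_FOLLOWS_PER_MINUTE = 20.0   # sustained follow velocity no human reaches
MAX_FOLLOW_RATIO = 25.0         # following / followers
MIN_FOLLOWING_FOR_RATIO = 200   # the ratio is meaningless for tiny accounts


def follow_rate(prev: Snapshot, cur: Snapshot) -> float:
    """Follows added per minute between two consecutive snapshots."""
    dt = cur.minute - prev.minute
    if dt <= 0:
        raise ValueError("snapshots must be strictly increasing in time")
    return (cur.following - prev.following) / dt


def follow_ratio(snap: Snapshot) -> float:
    """following:followers ratio; zero followers is treated as one to avoid dividing by zero."""
    return snap.following / max(snap.followers, 1)


def findings(snapshots: List[Snapshot]) -> List[Tuple[int, str]]:
    """Return (minute, reason) pairs for every snapshot that trips a threshold."""
    out: List[Tuple[int, str]] = []
    prev: Optional[Snapshot] = None
    for snap in snapshots:
        if prev is not None:
            rate = follow_rate(prev, snap)
            if rate > MAX_FOLLOWS_PER_MINUTE:
                out.append((snap.minute, f"follow rate {rate:.1f}/min"))
        if snap.following >= MIN_FOLLOWING_FOR_RATIO:
            ratio = follow_ratio(snap)
            if ratio > MAX_FOLLOW_RATIO:
                out.append((snap.minute, f"following/followers ratio {ratio:.0f}"))
        prev = snap
    return out


def first_flag(snapshots: List[Snapshot]) -> Optional[int]:
    """Minute at which the account first looks automated, or None if it never does."""
    hits = findings(snapshots)
    return hits[0][0] if hits else None


# Constructed timeline for the spam account described in the post.
LAUREN = [
    Snapshot(0, 0, 0),        # account creation
    Snapshot(10, 149, 1),     # counts from the post
    Snapshot(20, 300, 5),     # constructed: post only says "a few more followers"
    Snapshot(35, 812, 20),    # counts from the post
    Snapshot(45, 830, 22),    # constructed: "still in the 800 range"
]

# Constructed timeline for an ordinary new user, for contrast.
ORDINARY = [
    Snapshot(0, 0, 0),
    Snapshot(60, 12, 3),
    Snapshot(1440, 40, 25),
]

if __name__ == "__main__":
    for name, timeline in (("Lauren", LAUREN), ("ordinary", ORDINARY)):
        print(name, "first flagged at minute", first_flag(timeline), findings(timeline))
```

On the constructed data the ratio check trips at minute 20 and the velocity check at minute 35, while the ordinary user never trips either.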

Today I was browsing around a couple of Arabic language hacking forums, and came across a random link that took me somewhere interesting. Here's a screenshot of said forum, because everyone loves to look at mysterious hacking forums. Right?


Anyway, the site in question (registered to someone in Rabat, Morocco though this could well be fake data) appears to house the beginnings of a "banking phish" archive. Check it out:


The site is a dumping ground for everything from Wachovia and Natwest to Chase and Barclays phish pages. In general, phish page sharing is usually done in a disorganised and quite random fashion on forums. To start stacking them up like this (it kind of reminds me a little of defacement archives) is quite an interesting and vaguely worrying approach.

At the top, the banner also promises unfinished sections such as "Letters" (presumably forgeries intended for real world scams), Mailing programs (those spam links won't send themselves to people!) and "CVV" (Card Verification Value).

The final insult is that this domain has actually been around since 2001, and in its original form actually fought scams - now it is one.

We'll be reporting the site and monitoring it closely in the meantime...


Rally Against Fear

...pun filled title aside, you could do worse than avoid the following website completely:

The site, which was registered on the 18th of March 2009 to a Mr "Shangguanming Gongyuwuyeyouxiangongsi" (seriously) is currently serving up fake Reuters reports that want you to download a "Flash player". Doing so will infect your system with rogue security software popups - not a good idea.


Interestingly, the site is serving up content from

...a domain associated with a recent Valentine's Day infection wave. Avoid!

Here's a worryingly comprehensive malicious file creation tool called "Raptor", currently being sold in limited quantities on a number of websites.


In the top left hand corner, you enter your FTP drop information. Top right, select which programs you want to steal passwords for.

Beneath that, you can select what you want your EXE to detect / avoid:

"Anti: Virtual PC, WMWare, VBox, Sandboxie, ThreatExpert, Anubis, Joebox, CWSandbox"

It also allows you to encrypt your stolen data before uploading it.

Great start to a Friday...!

Rapidshare premium accounts are big business on phishing / trading sites. It seems Rapidshare is trying to do something about the problem - anyone going to the premium accounts login screen now sees this:


...a rather fetching "Phishing Warning" box, prominently displayed. Click it, and this appears:


Something like this is always a welcome addition. It's actually been rather humorous watching people on phishing / trading sites agonising over whether or not to include the above on their phish pages in the name of authenticity...

Epic Phishing Fail

A friend of mine had this sent to them yesterday.

At first glance, it seems like a perfectly regular Phishing mail. However, there's something in there that sort of ruins the whole phishing attempt. In case you miss it, I've highlighted it in bold text. Enjoy...

Dear PayPal Member,

As part of our security measures, we regularly screen activity in the PayPal system. We recently contacted you after noticing an issue on your account.

We requested information from you for the following reason:

We have reason to believe that your account was accessed by a third party. We have limited access to sensitive PayPal account features in case your account has been accessed by an unauthorized third party. We understand that having limited access can be an inconvenience, but protecting your account is our primary concern.

Case ID Number:

This is a reminder to log in to PayPal as soon as possible.

Be sure to log in securely by opening a new browser window and typing the PayPal URL. Once you log in, you will be provided with steps to restore your account access. We appreciate your understanding as we work to ensure account safety.

In accordance with PayPal's User Agreement, your account access will remain limited until the issue has been resolved.

Unfortunately, if access to your account remains limited for an extended period of time, it may result in further limitations or eventual account closure. We encourage you to log in to your PayPal account as soon as possible to help avoid this.

To review your account and some or all of the information that PayPal used to make its decision to limit your account access, please visit the Resolution Center. If, after reviewing your account information, you seek further clarification regarding your account access, please contact PayPal by visiting the Help Center and clicking "Contact Us".

We thank you for your prompt attention to this matter. Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience.

PayPal Account Review Department

Copyright © 1999-2009 PayPal. All rights reserved.

As mentioned in this post, this is a program we originally came across way back in July 2008 via a tipoff from an anonymous source. At first, we were a little puzzled as to its purpose and our anonymous source vanished into the ether so no additional information was forthcoming.

All we knew was that it allowed us to browse nothing but Myspace. Specifically, Myspace Groups. When the browser was opened up on the desktop, it would automatically take you to a random Myspace group with no way to enter a different URL, and the display simply showed "previous URL" and "Group ID" in the middle, with a collection of buttons to the left.

"Previous", "Next", "Topics" and "Lottery".

Here is the "Lottery Browser" in action. Note that the browser in its default :


After a little playing around, we noticed that continually hitting the "Lottery" button would (naturally enough) take you to a different group. Depending on how the groups were set up, some were openly accessible, and some displayed "This is a private group".

However, it's the private groups that were of interest where this browser tool was concerned.

If you hit the "Topics" button and the group had no content in it, you'd see the following popup:


If you came across a private group that had posts in it and hit "Topics", this is what you'd see instead:


All of your private topics are belong to us.

Now, I should stress - in testing, this browser rarely worked. More often than not, it would crash, hang, set the monitor on fire and burn down the house, those kinds of things. However, the potential for data theft (depending on the foolish things people post in "secret" groups), information harvesting, harassment and plain old creepy voyeurism was still a risk where this "Lottery Browser" was concerned.

We don't know where it came from, and it seemed to die a death shortly afterwards. I'd have thought something like this would have spread like wildfire on the underground circuit, but it vanished almost as quickly as our mysterious tipster.

I suppose we should be thankful...

For a long time, I've been fascinated by what I like to call the "Rogue web browser" - a web browser that abuses the trust we place in our gateway to the web, and subverts its use for something more sinister. Here's a brief potted history of the known examples:

Yapbrowser, April 2006: A web browser that didn't force install, asked permission and displayed a EULA. Unfortunately, it also took you to a webpage pushing hardcore child pornography when you typed any address into the browser.

Safety Browser, May 2006: A web browser that installed without permission via IM, looped a soundfile on your desktop, served you ads via geolocational technology and made your PC more unsafe than it was previously by allowing popups by default.

Browsezilla, June 2006: Allegedly inflated the hitcount of pornographic websites by opening up those pages in a way that the end user couldn't see the pages being opened, linked to sites launching the WMF exploit.

NetBrowserPro, March 2007: Pushed fake media codecs, installed a rootkit, preyed on trusted brands.

Well, it's been a while but later on we'll be covering another addition to the list. We actually came across this last July, but as we said here, we didn't go into specifics because

1) We wanted to give Myspace some time to address the problem, which they seem to have done.

2) We didn't want lots of crazy people to go hunting for the program being used, given that Myspace sometimes takes a little while to tackle security issues brought to their attention and

3) Nothing tried to exploit your PC or steal your data, or we'd have released more information sooner. The solution to the problem caused by the program was simply to not post any personal or potentially "sensitive" information to private Myspace groups - if you weren't doing that (and you shouldn't be anyway!) then you had nothing to worry about.

4) The program itself was rather buggy, and had an extremely low rate of success. After exhaustive testing, we only saw it do what it was supposed to do twice. No sense in causing a panic.

At any rate, it's been eight months and the program doesn't appear to work at all now. With that in mind, we'll take a peek a little later on...

I hate Bono.

Really, I could end the writeup there. However, I thought it might be interesting (hot on the heels of the fake Wii points generators) to take a look at another neglected aspect of generator scams - iTunes.

Applications such as these:



...are doing their level best to convince you they can give you lots and lots of free music. In reality, they'll just give you a headache.

Here's a couple of random iTunes code generators sitting on the desktop, because I know you love these kinds of pictures:


Quite a lot of these things have cute little icons and other gimmicks, all designed to convince you the programs you're running are legitimate. However, it doesn't matter if they look like this in the funky Youtube videos:


When you run the file, you'll always either end up with

a) nothing happening (there'll be quite a bit happening in your System 32 Folder, though) or

b) this:


Endless fake error messages. Amazingly, not only did this application not work on my Vista computer, but also on XP, NT and Me. I even wheeled Windows 98 out of cold storage, just to see what happened.

The answer, of course, was "nothing at all".

Remember, fake error messages (along with promises of "It's not working now, but you WILL get your codes later") are all part of the gag.


When you start to dig around in these programs for a while, you might think twice about running them. For example, here's a generator that seems to have some virtual machine awareness:


Something as supposedly harmless as a points generator looking out for virtual machines? Uh, that sounds a little suspicious to me. If you run the program in a virtual machine, nothing happens, and no files are deposited into various folders on the PC. I've seen a lot of fake generator programs, but to turn up one that has some basic virtual machine awareness in it is quite an interesting catch.

Generally, any videos on Youtube promoting these applications will be stuffed full of "Oh wow, it worked!" comments from accounts registered purely to leave those messages - another indicator that all is not what it seems. Sadly, a large proportion of Youtube users wouldn't stop to check if the commenters are actually legit users.

Finally, here are two promos from two different people, each advertising a separate product - one is an iTunes points generator, the other for Wii points.

See if you can spot the error:



Despite the fact that these are both supposed to be different programs, they both link to the SAME file on Rapidshare, a rather suspiciously named file called "Youtube.exe". Five minutes' investigation like the above would be enough to set alarm bells ringing in the heads of most users, but would they be too enticed by the prospect of free music to care?

And more importantly, did I mention that I hate Bono?

If you have a Wii console, you're probably aware that you can purchase games online. What you might not be aware of is the growing popularity of entirely fake "points generators", all of which do little more than dump lots of horrible files onto your PC. Keylogging and Trojans are the order of the day.

XBox points generators have been around for a while, but Wii generators seem to be a little newer. They're certainly nice to look at:


Well, most of them are. This one sort of ruins it:


...oh dear.

You might have noticed all of the screenshots are a little blurry - that's because the only place you'll ever see programs such as the above are on Youtube videos promoting said applications - the pretty bells and whistles only exist on the desktop of the person who created the fake front end.

Downloading the file will only ever give you faked error messages on the desktop - something many Youtube videos will promote as a "feature", claiming the points take up to 48 hours to come through.

Yeah, right. It's all an elaborate con trick, designed to make you run the EXE then go about your daily business. Meanwhile, the files deposited on your PC are logging everything then sending it back to base.

Did I mention they look nice, though?


Eye candy. It's surprisingly effective...

Here's a dubious looking domain:

As you've probably guessed, the site is being used to lure people with the promise of "free keys" for Kaspersky, only to then try and steal various types of login.

At present, it currently points to a fake Rapidshare page.


Once you enter your Rapidshare premium login details, it's all over but the shouting. Steer clear...

This is something we've seen a lot of recently.

First, we need a Habbo phishing page, with something a little different added into the mix. Like this one:


Notice something? Under the login panel, there's a section that says "Promo Code" and "If you have one, enter to receive an extra 100 credits".

Why would a phishing victim enter a "promo code"? And where would they get one from?

If you want the answer to that, you need to know where to go further upstream. In this case, that would be the main website of the person responsible for the phishing page:


As you can see, it's scam city. Specifically:

"Learn to Scam!

Get rich quick using our scam site maker.

Ever wondered how a lot of Habbos have tonnes of furni ?... Simple, they either scam or spend hundreds of pounds on credits and then trading. But you don't want to be spending any money do you? Wouldn't you rather have it for free?

Using this site's scamming system you can get rich in just a few hours of hard work."

So, we have a "sign up, get phishing" scheme in play. As for the promo codes, you're about to see why this scam is so good, but only for the person who set it all up:


Amazingly, you're told to go off and direct people to two phishing sites operated by the scam site owner, instead of your own phishing URLs. The gag is you have to tell the victims to enter a "promo code" that will allow the scam site to "track which phished accounts belong to you".

Of course, it's all nonsense.

What's actually happening here, is that someone simply sits back and waits for lots of underlings - that would be you, if you happen to fall for this - to run around spreading their phishing links for them.

I'm willing to bet good money that the people recruited for these scams never, ever see the login details of the people they phished - meanwhile, someone sits at the top of the chain, building a scam empire with a maximum of style and a minimum of effort.

Well, as much style as you can muster when scamming scammers, anyway...

Today we came across a collection of approximately 270 sets of login details that have apparently been Phished via a fake XBox Live login page. The list, some 27 pages long in Word format, would allow people to access stolen XBox Live accounts, some of which may have credit card details stored against them (along with other forms of personal information, of course).

The list itself is actually around 300 or so entries, but it seems some of it is duplicate and / or obviously fake data, entered by people annoyed at the Phishers the list has come from (as a side note, I should add it's never a good idea to enter fake info on Phishing pages - it not only makes it harder for people who wade through this info looking for victims to contact, it also opens you up to potential retaliation attacks from the Phishers).

An additional "bonus" of grabbing Live ID data is that you can use it to check out EMail accounts associated with it - not a great situation, and one of the reasons I've never been too keen on "one login to rule them all" situations. We've already seen some people boasting on forums about the info they've pulled from various EMail accounts associated with the list - how quickly "stolen XBox account" becomes "stolen everything else".

This list seems to be in circulation on a number of hacking forums; the majority of the accounts were phished between November and December of last year. Despite the relatively long time that's elapsed since the data was first collected, a lot of the accounts still seem to be accessible based on comments we're seeing on those underground sites. It seems someone might have put their personal stash on "general release" to gain some kudos with others.

We've passed the stolen data onto Microsoft, and we're sure they'll move swiftly to lock down the accounts involved.

You might not have heard of this "marketing tool", but Twitter Blaster is helping to generate a fair few messages that have a distinctive spammy look about them.

Here's an example of a marketing scheme cooked up with the aid of said tool.

First, the hook:

Over $5,000 of free stuff just for sending out a message on Twitter? Sign me up!

Hit the "Click Here" link, and you're taken to this:

As you can see, you're asked to enter your Twitter login details and the message you'll send is displayed in the "Message" box. This particular promotion seems to change the message every few days. There's also a pre-ticked box to follow the person who set the campaign up on Twitter.

This is smart for a number of reasons. Firstly, the campaign owner can see at a glance roughly how many Twitter users have sent out his message. Secondly, he can then send those people messages about other promotions at a later date. I'm willing to bet the people who submit their details to these kinds of things are unlikely to untick the checkbox. Also:

"We promise that your details are NOT stored anywhere on our servers".

There is, of course, no way to know that for certain with any of these websites. Moving on, once you hit the "Download Now" button you're taken to a page full of offers and freebies (to be fair, the example given above seems to link to genuine offers, if a little drawn out and stuffed full of link clicking and hoop jumping) and your profile sends out something like this:


Can't say I'd be hugely impressed if a contact sent me a message like that on Twitter. Are some (potentially useless) freebies worth losing a pile of followers?

Probably not. We'll likely take a look at Twitter Blaster itself in a future writeup...

If you're in the market for domain names, it might be worth your time reading this.

Consider this a public service announcement :)

For a long time now, I've wondered exactly why so many people are creating identikit websites, all asking you to install Zango in return for "free" movies and TV shows, almost always illegally ripped and streamed without the permission of the rights holder.

These sites have become something of a plague over the last year or so, and sometimes they seem to tie into other areas such as cookie cutter sites offering games. Who can forget the wonderful Batman game from a few months ago that followed the same template as the movie sites?

At any rate, I've spent quite some time trying to find out who could have come up with the idea of telling everyone to run out and make these movie / TV sites. It stands to reason that the idea of creating these things en masse and rolling them out to the public at large must have had a good, solid nudge from somewhere, right?

Well, step right up, interesting and faintly outrageous PDF Document.

For your eyes only, Ladies and Gentlemen:

"Annihilating Zango For Skyrocket Profit".

No really, that's the title.

What we have here, is nothing less than an instruction manual encouraging people to go out and create as many of these movie streaming cookie cutter sites as possible to make a tidy profit from installing Zango. I should add, right at the outset, that this has NOT been created by Zango - rather, an enterprising person (or persons) that decided to hop on the gravy train.

Indeed, check out the comical "disclaimer":


This entire document promotes illegal streaming to make a profit and unethical activity (it even has a section on how to get an account approved with Zango if you've been previously rejected), yet the creator says "I'm not responsible".

Well, there's a surprise.

Even better, he says "You have NO rights to distribute this document", yet he stomps upon the copyright of the TV show creators he's making money from without permission. Once again, I'm shocked. On the bright side, I'm definitely not "dumb" where obtaining a copy of this document is concerned, because I woke up to find it tucked under my pillow.

Moving on, the rest of the introduction gives you a general rundown on Zango, payout rates and a screenshot of his earnings. Then we come to this:

I'd take issue with this being the "only unethical thing" in the PDF, considering the whole thing is based on generating profit from pirated movies but anyway. Some choice extracts:

"Now, when you signup with Zango, use some fake details" is a nice start. I've blanked out his actual method for attempting to scam Zango, but honestly? I'm a little surprised that he claims such a stupid technique actually works.

As for this:

"...I've never been verified by phone, because I registered under a famous Zango user and he simply told them to accept me anyway"

If that's true, I'm dazzled - especially given that this guy is the King of promoting installs via pirated material in PDFs you have to pay $10 to $15 to obtain.

The next section shows you how to build a site quickly, targeting the TV shows most likely to make you a lot of money. Oh, I forgot - the package comes with phpvideoscript, which enables you to build an endless stream of identikit websites.


Handy, eh?


Good job Lost is keeping him rolling in the money. It goes a bit wrong on the next page though, because he leaves what is apparently his Zangocash username in the screenshot.

Say hello to xMastex! If Zango are reading this, you might want to go slamdunk his account in a ditch (if you haven't already), seeing as he's

1) Making money from PDFs and ready-rolled websites designed to profit from illegally ripped TV shows and movies via installs of your Adware and
2) Giving out "unethical" advice with regard to joining your program with fake details.

As you can see above, he then goes on to list the best places to grab ripped streams, ready to be placed on your freshly created army of websites. Because of the system used to manage the sites you've created, you can add a stupid amount of videos to the pages with little to no fuss:

The rest of the document covers sites to submit your movie links to, traffic boosting and tricks involving places such as Oh, and this:


...I thought the only unethical part of this PDF was the bit where they signed up to Zango with fake information? Oh well.

Who is Doing This?

Well, there's a bit of a tangled web where that's concerned. A number of different names are used in Whois for many of the sites referenced by "Mastex" on various places, the document signs off as "Stefano" and there's apparently an updated version of this document floating around on the net too.

To make things more complicated, it seems there are quite a few people now making their own versions of these PDFs.

There's usually a trail though, and sure enough I happened to find a review of one of these PDFs where someone is asking for "review copies". It's screenshot time:


It's pretty likely "Marko" and Mastex aren't the same people, because Stefano appears here as Mastex on Digg - but he's certainly promoting one of his own PDFs. The reviewer blanked out the URLs, but it's not too difficult to Google Marko + Gossipgirl websites ...

Look at that - someone called Marko spamming links to, via a number of streaming sites. However, the really interesting bit is the Digg link.

Well, I'm surprised by all the "watch free episodes online" links. Honestly.

Do a Whois search on, and...


Man, someone forgot their anonymous Whois Guard, didn't they?

The document Marko is pushing seems to be different from the original Mastex version, so it's entirely possible there's a whole industry out there involving people creating (then selling) their very own "make money in a dubious fashion" PDFs. All of the Marko sites that offered up Zango (here's one) seem to have had the Zango popup removed so perhaps they killed his account - but that doesn't mean he has to stop selling his PDFs. And so the industry continues to grow.

The question is, when is someone going to do something about it?

There are a couple of Steam account stealers currently in circulation. How do I know they're account stealers? Well, a couple of clues coming up - but first, the obligatory "picture of the file on the desktop", because I know you love them as much as I do.



Anyway, fire the program up and you'll see this:


Seems great, doesn't it? Simply enter your Steam ID and Password, and you can choose to have either Counter Strike or "All Games" for free. I'm not sure why people would choose Counter Strike when they could get it with all the others via the first option, but then logic never plays into it where these kinds of programs are concerned.

Bonus points for the creator though, because they made a slightly snazzier version of the original program:


This one lets you pick from a wide variety of individual programs, just to give things a little more credibility.

Unfortunately that credibility is about to fly out the window. Shall we take a look inside the code?


Whoops. I wonder why EMail addresses are in there. Could it be your logins are sent back to base when you hit the "Get free games" button?

You bet. I wonder if this guy left his name in the code, too....


Marias Aas of Norway, I have a hunch you're about to become extremely popular. Looking at his Youtube profile, I'd be surprised if he wasn't already...


At least, not if you're asked to do it at the following location:

The site is, of course, a phish page. Not a very clever one, at that. There's a particularly useful clue on the page that will helpfully deter some end-users from giving away their login details:

In case you're still wondering, the clue would be the huge Cursormania advert at the bottom of the page. Not too many banking websites have those - even the trendy ones...

Get The Message?

I've noticed this site:

is having a weird resurgence in popularity - a typical "enter your MSN login details to find out who blocked you" affair, it's been around for some time but appears to be on the up. Indeed, I've already had 3 MSN contacts in the past week have their name changed to

" <-- Find out who deleted you from the MSN without noticing it"

Here's the site in question:

Of course, anyone checking out their T&Cs will notice the warning signs:

"If ScanMessenger considers it necessary, it will use different means to advertise the site, sending from the users' account an only automatic message to their online contacts promoting the website."


"After checking your contact list, your nick will be changed to " <-- Find out who deleted you from the MSN without noticing it" . This happens only ONCE and you will be able to change your nick back whenever you want, in the same way you usually change it."

Do you really want to annoy all your contacts and have them drop you quicker than you can blink? Seriously, these kinds of services do nothing but annoy people. If they already have you on block, they're hardly going to be inclined to start talking to you again when you're spamming them senseless about some service they couldn't care less about.

Your choice...

I came across a Chinese site earlier today:

Apart from the snazzy Neo picture, it's also harbouring an MS SQL injection tool. I love stumbling across sites like this, because there's no easy way to tell if the site is legitimate, if it's a penetration test tool, something designed to be malicious or they just have a thing for Neo and hacking.


Setting aside the issues of "this tool can be used for evil, as well as good" I thought it might be interesting to take a look at what it does. After a while, I found a Flash demonstration of the program going through its paces, but frankly had no idea what was going on. After checking with a colleague, I think I have a pretty reasonable play by play account of what's happening. I could be horribly wrong, of course.

Warning: lots of Chinese text coming your way.

Let's kick things off with a look at the program itself:

I think the word I'm looking for here is "impenetrable". This next shot is an image of someone attempting to get the name of the database via asking it through http. Unfortunately for them, it doesn't work. Drama!

At this point, they fire up the program. The next picture is our wily hacker trying to find out what kind of database the target is running:

He quickly discovers the target is running a Microsoft MSSQL server:

In the next image, he's digging around in the site to find out various bits and pieces of information he can use to his advantage:

Finally, here's a shot of our persistent offender creating an .asp page on the target server:

As you can imagine, uploading files directly onto the server is not a particularly good thing to have happen.

At this point, our bumpy ride into the wilds of Chinese injection tools ends abruptly, due to the Flash animation refusing to play past the above screenshot. I'm still trying to find out if the program was created by a legit security outfit for penetration testing or if it's Black Hats all the way.

Fun while it lasted, though....

Additional Research: Chris Mannon, Sr. Threat Engineer

....apparently not. I've no idea what the unfortunate person above had stolen, but always worth remembering: never trust anything asking for your login credentials, regardless of whether it comes via email, phone, text or carrier pigeon.

Jonathan Ross, the well known TV presenter, has found himself the subject of a website promoting his television show. Unfortunately, it's nothing to do with him and only exists to install Zango Adware onto PCs.

The site in question is

and looks like this:

Pretty, isn't it? Anyway, click into any of the episodes and you'll see a Zango installer.

He doesn't look too happy about having his head pasted onto an adware prompt, but oh well.

What really made me laugh about this website was the usual boilerplate disclaimer at the bottom of the page:

"Disclaimer: We are not responsible for any content which is streamed through this website. If any damage occurs by the use of information presented here, only shall the content provider be held liable. The streaming videos that has been found here are hosted by third party. Any copyrighted videos, pictures or music is a property of the original copyright holder and it was found on third party sites. Therefore for any copyright violations, the owner of this blog is not liable."

Oh really? Is the owner of the blog "not liable" when we find the person uploading at least some of the content is what appears to be....

....the owner of the blog?

This person is seemingly ripping, then uploading BBC material to promos on Youtube to make a quick profit from Zango. Some of the other sites out there doing this can try and squirm out of copyright related shenanigans by linking to videos hosted in China - nothing to do with us, someone else uploaded it - but here we apparently have the site owner himself uploading the copyrighted content.

Funnier still, once you've actually installed Zango, all of the pages look like this:

There's a complete lack of videos. Whether you browse the site in IE or Firefox, there's nothing there. If you go back and check out what any of the supposed episode pages look like before you install Zango, you can see one of the "movie" windows behind the installer prompt. Note the length of the clip:

Every single video has a running time of 8:10.

Could it be - and I don't want to appear overly cynical here - that the supposed Youtube videos "featured" on the site are nothing more than jpegs of a Youtube video window? The alternative is that the site is coded extremely poorly and there's some sort of glitch preventing you from watching a ream of episodes that all last exactly 8:10.

Either way, it's not the greatest deal going, especially when the people promoting the site on Youtube place messages such as these in their videos to bait people in:


Maybe Jonathan Ross should do a show about it...

Remember this? Well, a rep for Virgin Atlantic left the following comment:

"Virgin Atlantic can confirm that the website has been shut down.

The website was associated with a recruitment phishing scam. Virgin Atlantic is in no way associated with this scam and would never offer to ask members of the public to part with money in applying for a career at the airline.

At Virgin Atlantic we take these matters very seriously. We have reported this matter to the Police and have been successful in clamping down on the scam, by closing down associated websites, telephone numbers and email addresses.

To look for legitimate recruitment opportunities with Virgin Atlantic Airways, please visit

Virgin Atlantic"

Kudos to Virgin Atlantic for actively pursuing the offending website - it doesn't always pan out like that...

A word of caution - we've noticed quite a few messages similar to the below currently in circulation on Skype:

"ya viste mi nuevo corte? me lo hice yo"

The link has been taken down, but was directing people to a malicious file. The naming convention seems to be similar to a few files currently causing problems on MSN, and we may have some more information on this shortly. For now, if any of your contacts on Skype randomly send you messages with

at the end of them, consider advising them to run a couple of system scans...

Over the past few days, if you were to take a sample of Twitter messages, you'd see a lot of increasingly annoyed people mixed in with inane laptop spam:

The site at the heart of this: a fairly typical "get a free laptop / phone / whatever" URL, and given the incredibly spammy nature of its promotion it seems fair game to advise avoiding it completely. Check out the fresh wave of spam messages from multiple accounts popping up on Twitter even as I'm typing out this blog entry:

If you're wondering, the spam accounts all pretty much look like this:

It's a little depressing that the spam profile above already has 148 people following it. Someone at Twitter needs to try and get a grip on this one before every other message sent out is FREE LAPTOP, LOL.

Facebook Freezers

Today we came across an extremely slick tool designed purely to annoy and confound users of popular Social Networking sites such as Facebook. While it also allows the attacker to target other sites and services such as Youtube and Windows Live, it seems to cause the most problems on Facebook.

What is it?

A malicious program designed to repeatedly lock you out of your various accounts. In time honoured tradition, here it is on the desktop:


Ignoring the fact that it resembles a cartoonish piece of meat on a bone, let's fire it up:

As you can see, the Facebook logo sits in the middle, just above the "Freeze" button. Above the EMail field, you can see a dropdown box where the attacker selects their service of choice:


This particular version "only" has Facebook, Windows Live and YouTube but there are other versions out there which do much the same thing but target other Social Networking sites.

Once you've picked your poison (so to speak), you simply enter the EMail address or Username into the space provided and hit the "Freeze" button. But wait! For those who woke up in a particularly malicious mood, the program allows you to watch the demolition of your target's account in a sort of "realtime" mode, with the aid of an extremely slick built-in browser window. Simply hit the "Let me watch" button, and the browser extends out on the right hand side of the application:

Hit "Freeze", and as a meter at the bottom gives you a % score with regard to freezing completion, the view in the browser window alternates between the bottom two images - the first, the Facebook login screen:

...and the second, the page telling you your login combination is incorrect:

Once you hit 100%, this is what you see inside the application's browser window:

"You have exceeded the number of invalid login attempts that we allow for your account. If you have forgotten your password, reset your password here".


Now, I know what you're thinking. This is easily fixable, you just hit the "reset password" link and you're back in business. However - if your attacker decides to keep attacking you over a short period of time while you keep on resetting your password, eventually your mailbox will look like this...


...and not only will you be utterly sick to death of resetting your password, you'll be even more fed up when you get locked out one too many times and see this:


Yes, eventually you're even prevented from sending a password reset. Bizarrely, you're still given an option to hit a "reset password" button, even though it won't actually work for you anymore.

All you can do now is brave the wilds of the "Contact Us" page, and generally speaking, most people give up in despair and a flailing of arms when presented with such pages. If I'd been the victim of this kind of time wasting "fun", I'd probably be more inclined to simply start again from scratch.

I tried a little earlier on to see if I was now able to resend a password reset to the account used in the above screenshots...I was presented with an "Unconfirmed Account" message:


I can only assume they do this as an antispam precaution when your account is frozen out in this way. I'd be ready to give up and go home by this point.

In case you were wondering, it does much the same thing with YouTube:

However, doing this to a YouTube account doesn't quite cause as much aggravation as it does where Facebook is concerned - at no point during testing did YouTube lock down the account the same way Facebook did, although I can't assume there isn't an "upper limit" at which point YouTube also brings down the final curtain.

All in all, something a lot of rage fueled kids will likely be deploying over the coming months.

While it's a little tricky to prevent people from knowing your username on YouTube - because you want people to know who you are on there, right? - it seems a sensible precaution to be as secretive as possible where the EMail account used with Facebook is concerned...
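The lockout loop described above is a design choice on the service's side, not an inevitability. As an added illustration (not code from the post, and not the actual logic of Facebook or any other service named here), the Python below contrasts a hard per-account lockout, which lets anyone who knows the e-mail address freeze the owner out, with a per-client throttle that slows only the attacker's own client and merely adds a step-up check for the real owner. The thresholds, the "ok_step_up" outcome and the simulated attacker/owner names are constructed values.

```python
from collections import defaultdict

# Constructed policy values for the illustration; real services tune these.
MAX_FAILURES = 5        # failures before the account-level reaction kicks in
MAX_BACKOFF = 900       # cap on the lockout / backoff window, in seconds


class HardLockout:
    """Vulnerable pattern: failures are counted per account only.

    Anyone who knows the account's e-mail address can push the counter over
    the limit, which is exactly what a 'freezer' tool automates. The real
    owner is then refused even with the correct password.
    """

    def __init__(self):
        self.failures = defaultdict(int)
        self.locked_until = {}

    def attempt(self, account, client, password_ok, now):
        if self.locked_until.get(account, 0) > now:
            return "locked"                 # owner and attacker alike
        if password_ok:
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= MAX_FAILURES:
            self.locked_until[account] = now + MAX_BACKOFF
            return "locked"
        return "denied"


class PerClientThrottle:
    """Hardened pattern: failures are counted per (account, client) with
    exponential backoff, so the attacker throttles only their own client.

    An account-wide failure count is still kept, but it only adds a step-up
    check (CAPTCHA, e-mail confirmation) to a successful login; it never
    turns a correct password into a refusal, and it never touches the
    password-reset path.
    """

    def __init__(self):
        self.failures = defaultdict(int)          # (account, client) -> count
        self.retry_after = {}                     # (account, client) -> time
        self.account_failures = defaultdict(int)  # account -> recent failures

    def attempt(self, account, client, password_ok, now):
        key = (account, client)
        if self.retry_after.get(key, 0) > now:
            return "throttled"              # only this client is slowed down
        if password_ok:
            self.failures[key] = 0
            if self.account_failures[account] >= MAX_FAILURES:
                return "ok_step_up"         # under attack: verify, don't refuse
            return "ok"
        self.failures[key] += 1
        self.account_failures[account] += 1
        delay = min(2 ** (self.failures[key] - 1), MAX_BACKOFF)  # 1, 2, 4, ...
        self.retry_after[key] = now + delay
        return "denied"

    def backoff_for(self, account, client, now):
        """Seconds a given client must still wait; 0 if it is not throttled."""
        return max(0, self.retry_after.get((account, client), 0) - now)


def simulate_freezer(guard, account, attacker, owner, rounds, now=1000):
    """Attacker fires `rounds` wrong passwords at `account`, one per second,
    then the owner logs in from their own client with the right password.
    Returns the owner's result under the given policy."""
    for i in range(rounds):
        guard.attempt(account, attacker, False, now + i)
    return guard.attempt(account, owner, True, now + rounds)


if __name__ == "__main__":
    for policy in (HardLockout, PerClientThrottle):
        outcome = simulate_freezer(policy(), "victim@example.com",
                                   "attacker-client", "owner-client", 20)
        print(f"{policy.__name__:18s} owner gets: {outcome}")
```

A distributed attacker can rotate clients, which is why the account-wide counter still exists; its job is to add verification for the legitimate owner, not to refuse them.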

Writeup: Chris Boyd, Director of Research
Additional Research: Chris Mannon, Senior Threat Researcher

Not so long ago, I wrote about

a site that promised "games", but insisted you download and install Zango before being taken to a series of extremely failure-filled demo versions. Well, I've been back to the site lately and things seem to have changed a little bit.

If you hit the "Download" button now:


...pretty, isn't it? You'll see this appear in the bottom left hand corner of your browser:


However, instead of being taken to the Zango gateway like you were previously, the screen flashes briefly and you're taken directly to the demo download.

In other words, no more Zango.

If I had to guess, I'd say Zango have either cancelled the site owner's account, or it's still live but they're blocking him. Either way, the site is no longer making people install something before presenting them with a major letdown in the form of lame demo versions. So hey, if someone from Zango is reading this and you did indeed whack the account - thanks.

I wanted to share this comment with you, left by a reader of the blog. The comment is in relation to a set of websites promising thousands of dollars in Government grants. The message left reads as follows:

"My husband and I did this and found this morning that we were charged 79.95 on our card. They told me that it was a monthly fee and I told them to cancel it because it was not mentioned in the email that I replied to. The man on the phone did cancel my subscription but also mentioned that it was a loan; I told him that I was not stupid and that grants are not loans. I asked to speak with his supervisor but the supervisor never came on; he just came back on saying that he spoke with his supervisor and was authorized to give the refund."

Ouch. These sites seem to be based on a site we'd already covered, the "Obama Stimulus Program" website that did much the same thing. Although the overall aim for these sites was this:

"What they want you to do is send them $2.95 shipping & handling, for which they'll send you some "information" on how to obtain said Government loans."

...I said you should always check the terms and conditions for such sites:

"Furthermore, any free trials that may or may not be offered with this product are only free during the said allotted time of the free trial period as outlined within the product sales page, confirmation of order page, and confirmation email. If you have not cancelled the free bonus within the 7 day trial period (if offered on product purchasing), you are agreeing to purchase the bonus material and/or service at a monthly reoccurring cost. The resource center is billed at $58.61 monthly."

I did wonder at the time if these charges were applicable - it seems they well might have been. Hopefully the above message will serve as a warning to avoid these sites...

Here's a bunch of people complaining about stuff on the Internet.

What are they complaining about? The "art" of lag switching, which is where someone playing a game online uses a special "switch" to make the game....surprise....lag. Doing this can kick other people out of the game, make their connection drop, or give you an edge as you "magically" appear behind their characters and shoot them into oblivion.

All in all, it's pretty cheap.

However, some people seem to be doing quite well out of it all. I was somewhat surprised to see this:

That's right, for $15 (plus $7 shipping) you too can cheat your way out of the trickiest situations with a custom built lag switcher, lovingly delivered to your doorstep via the USPS. I love the quotes on the site:

"This is one of the easiest switches on the market.
Set unit on the floor, tap button with foot to create lag.
Quickly tap (only once) to create 5 seconds of lag,
wait 5 seconds, tap again to lag 5 more seconds.

Our favorite: Wait until you see your opponent,
tap the button, run next to that same opponent
& start shooting, tap again at the next opponent"

.....yes, wonderful.

In addition to the nifty diagrams of how their lag switches work, they also have a pile of photographs of their switches connected to various controllers:

They even have an EBay store.

However, what I find particularly disturbing (aside from the fact they claim to have sold nearly 5,000 of these things) is the following quote taken from their FAQ page:


Wait - videogame stores are going to be selling game-breaking devices that aren't actually allowed on gaming networks such as XBox Live?

I see angry legal people on the horizon, all of them excited by the smell of their next meal...

Random Roundup

A couple of bits and pieces that don't really fit anywhere else...

1) I recently spoke at a "Beat Cyber Criminals Workshop" put together by the good people at Prevx. You can see a summary of what went on here.

2) Someone came up with the idea of a FaceTime "Web Security Channel" on Youtube. It only has two videos on it so far, but it has a slightly surreal thing going on so it might be worth checking out if Youtube vids are your bag.

3) If you're on Twitter, feel free to follow me or add me or whatever.

Airmiles Phish?

We came across an interesting site the other day:

A replica of the Virgin Atlantic website:

None of the links worked, but you were able to login over on the right. Well, I say "login" - what I actually mean, is "send your account details to the phisher".

Now, I'm not familiar with Virgin Atlantic so you might have to help me out here. The only possible reason I could think of for obtaining Virgin Atlantic "Flying Club" logins was to somehow make use of the airmiles stored against the account. If anyone out there reading this has a Virgin Atlantic account - is that possible? Can you transfer (say) airmiles to other accounts, perhaps? I can't see how the phisher could simply book flights under the name of the stolen account, so I'd guess there must be some way to exploit the system involving airmiles.

Either that, or someone just really likes collecting Virgin Atlantic logins.

Curiously, this phish page pops up in a few other places - most notably, involving complaints related to fake job offers with Virgin Airlines here and here. The site is currently offline, but don't be surprised if they take to the skies again shortly...

I've previously written about phishing scams which appear to look like Rapidshare pages, and claim to offer specific products (without linking to any actual files).

Well, this seems to be an evolution of that particular attack.

Here's one of the newer kinds of Phish I'm talking about.

"This file is larger than 200 Megabyte. To download this file, you either need a Premium Account, or the owner of this file may carry the downloading cost by making use of "TrafficShare"."

The interesting part is that (unlike the earlier phish pages covered) these ones actually link to genuine files on Rapidshare, all adding to the illusion that this is legitimate (if you try to download the file on Rapidshare, you'll be given the same message regarding premium accounts).

Quite a smart tactic, then. Of course, you really shouldn't be downloading files with "Warez" in the name anyway...
Here's another site related to The site in question this time round is called

This one takes a (somewhat bizarre) spin on attempting to take your login credentials:

The site reads:

"The Steam Verification System is to ensure that multiple IP addresses are not used to access a single account. Please enter your account credentials below to verify your account. Accounts not verified within 24 hours of notice will be permanently disabled."

Given that one of the biggest plus points of Steam is that you can use your account on as many PCs as you want to - indeed, there are dedicated Steam sections in web cafes for just such a purpose - it seems ludicrous for the scammers to base their scare tactic on multiple IP addresses (especially as the scam site actually links to a web cafe information page, just out of shot in the screenshot).

However, there's always going to be someone who falls for this kind of scam.

Interestingly, the creator of both these sites has been promoting them on YouTube, under the account name of


And is listed as being 30, based in the United States. Typically, he's leaving comments such as these on YouTube videos:



As you might imagine, there are some rather angry comments appearing on his user page. Here are some of the friendlier ones:

Another interesting "feature" of these scams is that the Whois data isn't anonymised. Currently, the information for both sites reads as follows:


    Steve Zestner
    4163 Mesa Drive
    Lake Mead

Of course, these could be entirely fake details - but usually, websites such as these either use an anonymous registration service or give obviously fake information. Could our phisher really have been silly enough to use his real name and address?

Perhaps. The only really important part to remember is to give websites such as the above a very wide berth...

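Checking a suspect domain's registration is worth doing routinely while the site is still up, so here is an added example (mine, not code from the original post) that triages a WHOIS reply: it parses the "Key: Value" lines, flags registrants hiding behind a privacy or proxy service, and reports how young the domain is, since phishing domains tend to be registered only days before they are used. The two WHOIS records in the block are constructed samples with invented names and .invalid hostnames, and the list of privacy-service markers is an assumption to extend from your own observations.

```python
"""Triage a WHOIS reply for a suspected phishing domain.

Added example, not from the original post. The sample records below are
constructed for illustration; every name, address and hostname in them is
invented and belongs to nobody.
"""
from datetime import datetime, timezone
import re

# Substrings that commonly identify registrar privacy/proxy services.
# Assumed list; extend it from what you see in real records.
PRIVACY_MARKERS = (
    "privacy", "proxy", "whoisguard", "redacted", "protected",
    "domains by proxy", "private registration",
)


def parse_whois(text):
    """Return {lowercased key: value} from the 'Key: Value' lines of a reply.

    Comment lines ('%' or '#') and lines with an empty value are skipped.
    Repeated keys (e.g. several 'Name Server' lines) are joined with '; '.
    """
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "%#" or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if not value:
            continue
        fields[key] = value if key not in fields else fields[key] + "; " + value
    return fields


def parse_date(value):
    """Pull the YYYY-MM-DD part out of the timestamps registrars emit
    (e.g. '2009-03-10T14:02:11Z'); returns None if there is none."""
    m = re.match(r"(\d{4})-(\d{2})-(\d{2})", value)
    if not m:
        return None
    return datetime(int(m.group(1)), int(m.group(2)), int(m.group(3)), tzinfo=timezone.utc)


def triage(text, as_of):
    """Summarise a WHOIS reply. `as_of` is the YYYY-MM-DD date the lookup was made."""
    now = parse_date(as_of)
    if now is None:
        raise ValueError("as_of must be YYYY-MM-DD")
    fields = parse_whois(text)
    registrant = " ".join(
        fields.get(k, "") for k in ("registrant name", "registrant organization", "registrant email")
    ).lower()
    created = parse_date(fields.get("creation date", ""))
    age_days = (now - created).days if created else None
    return {
        "domain": fields.get("domain name", "(none)"),
        "registrant": fields.get("registrant name", "(none)"),
        "privacy_proxy": any(marker in registrant for marker in PRIVACY_MARKERS),
        "age_days": age_days,
        "young_domain": age_days is not None and age_days < 30,
    }


# Constructed sample: a domain registered in the open with a named contact.
OPEN_RECORD = """\
% Constructed WHOIS reply for illustration only
Domain Name: STEAM-EXAMPLE-GIFTS.INVALID
Registrar: Example Registrar, Inc.
Creation Date: 2009-03-10T14:02:11Z
Registrant Name: John Sample
Registrant Organization:
Registrant Street: 1 Example Street
Registrant City: Springfield
Registrant Email: john.sample@example.invalid
Name Server: NS1.EXAMPLE.INVALID
Name Server: NS2.EXAMPLE.INVALID
"""

# Constructed sample: an older domain hidden behind a privacy proxy.
PROXIED_RECORD = """\
Domain Name: VERIFY-STEAM-EXAMPLE.INVALID
Registrar: Example Registrar, Inc.
Creation Date: 2008-01-05T09:30:00Z
Registrant Name: Domain Privacy Service
Registrant Organization: Example Privacy Proxy LLC
Registrant Email: abc123@privacyproxy.example.invalid
"""

if __name__ == "__main__":
    for record in (OPEN_RECORD, PROXIED_RECORD):
        print(triage(record, "2009-03-20"))
```

Real replies come from the registrar's WHOIS server on TCP port 43 (or `whois example.com` on the command line); paste the text into `triage`. Neither flag proves anything on its own: a named registrant can be invented, as the post says, and plenty of legitimate domains use privacy services. The value is in recording what the registration looked like, and how fresh it was, before the site disappears.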
I write quite frequently about Steam scams, because there's a fair chance a stolen Steam account has a significant amount of money invested in it. I could simply link to the Wikipedia article describing Steam, but instead I'll give you a more condensed rundown - hopefully it'll give you a better idea of what's at stake.

Steam - What's The Big Deal?

If you're anything like me, you'd buy a PC game, hurl the discs somewhere and then sometime later when you came to reinstall find the manual with the license key on it was missing.

That used to happen to me a lot.

Steam is an entirely digital distribution service for PC games. Effectively, you swap those annoying printed keys for a username and password: any game bought under your Steam account can be downloaded as many times as you need and installed on any PC, and the purchase recorded against your username is what authorises the game to be played.

This means, of course, that someone with a Steam account could well have spent many hundreds of pounds / dollars / insert currency of choice on a wide variety of games. Lose your account, and you've lost a pretty big investment. Now that we've got that out of the way...

What's The Scam?

The website we're looking at today is

The website looks almost identical to the real Steam website - indeed, there is only one small (yet crucial) difference. Here's a screenshot:

There's a large blue banner that really shouldn't be there. It reads:

"Free Steam Gift Pack! Absolutely Nothing Required!

Also including The Orange Box, Left 4 Dead, Audiosurf, Counter Strike Source, Counter Strike, Garry's Mod, Call of Duty 4 and more".

Sounds too good to be true, doesn't it?

Sure enough, click the banner and you'll see a page positively stuffed to bursting point with encouragement.

Encouragement to fall victim to a scam, that is. Hit the "Click here for free gift" button and a final piece of "DO IT NOW" harassment awaits...

If you fill in your Steam account details and hit "Login", you've just waved goodbye to your account.

"Success - Your account will be credited with the Steam Gift Pack within 24 hours".

I'm willing to bet good money that isn't going to be the case...
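The Virgin Atlantic page and the Steam clone above work the same way: the markup is copied from the real site, and the only thing that matters is where the login form actually delivers the credentials. As an added example (not code from the original post), the Python below pulls every form with a password field out of a page, resolves its action URL against the page's own address, and checks whether the target host is one the brand actually owns; a line diff against the genuine page then exposes whatever was injected, such as the "gift pack" banner. The two HTML documents are constructed stand-ins using example.com and .invalid hosts, not the real sites' markup, and the trusted-host list is an assumption.

```python
"""Find where a cloned login page really sends credentials.

Added example, not from the original post. Both HTML documents below are
constructed samples; the hostnames are example.com and .invalid names.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
import difflib

# Hosts the genuine site uses for logins. Assumed for this example.
TRUSTED_HOSTS = {"store.example.com", "www.example.com"}


class FormCollector(HTMLParser):
    """Collect each <form>'s action/method and the names and types of its inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "inputs": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append((a.get("name") or "", (a.get("type") or "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def credential_forms(page_url, html, trusted_hosts):
    """Return every form carrying a password field, with its resolved action
    URL and whether that URL's host is one the real site owns.

    A relative action (the common case in a straight copy) resolves against
    page_url, i.e. to whoever is hosting the page."""
    parser = FormCollector()
    parser.feed(html)
    results = []
    for form in parser.forms:
        if not any(kind == "password" for _, kind in form["inputs"]):
            continue
        target = urljoin(page_url, form["action"])
        results.append({
            "action": target,
            "method": form["method"],
            "fields": [name for name, _ in form["inputs"] if name],
            "trusted": urlsplit(target).hostname in trusted_hosts,
        })
    return results


def injected_lines(original_html, clone_html):
    """Lines present in the clone but not in the original: the attacker's additions."""
    diff = difflib.unified_diff(original_html.splitlines(), clone_html.splitlines(), lineterm="", n=0)
    return [line[1:] for line in diff if line.startswith("+") and not line.startswith("+++")]


# Constructed: the legitimate page, served from store.example.com.
ORIGINAL_PAGE = """\
<html><body>
<div class="header">Store  Community  About  Support</div>
<form action="/login/" method="post">
<input type="text" name="username">
<input type="password" name="password">
<input type="submit" value="Login">
</form>
</body></html>
"""

# Constructed: the clone, identical apart from one injected banner. The form
# is unchanged, but on the clone's host its relative action points at the phisher.
CLONE_PAGE = """\
<html><body>
<div class="header">Store  Community  About  Support</div>
<div class="banner">Free Steam Gift Pack! Absolutely Nothing Required!</div>
<form action="/login/" method="post">
<input type="text" name="username">
<input type="password" name="password">
<input type="submit" value="Login">
</form>
</body></html>
"""

if __name__ == "__main__":
    print(credential_forms("https://store.example.com/login/", ORIGINAL_PAGE, TRUSTED_HOSTS))
    print(credential_forms("http://store-example-gifts.invalid/", CLONE_PAGE, TRUSTED_HOSTS))
    print(injected_lines(ORIGINAL_PAGE, CLONE_PAGE))
```

Note that the clone's form is byte-for-byte the same as the original, relative action included, and is flagged anyway: a relative action resolves to whatever host serves the page, so the credentials go to whoever hosts the clone. The diff, meanwhile, narrows the "one small difference" to the single injected banner line.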

About this Archive

This page is an archive of recent entries written by Christopher Boyd in March 2009.

Christopher Boyd: February 2009 is the previous archive.

Christopher Boyd: April 2009 is the next archive.