Results tagged “phish” from SpywareGuide Greynets Blog

Phishing For Dummies

phishingforskiddies.jpg

...the best part is, there's a three page thread on one forum promoting this EXE, stuffed to bursting point with people saying "thank you" for the download.

Har-de-har.
Worth noting that people are still reporting Direct Messages of a "do not click" variety coming through on Twitter, all of which lead to Very Bad Things (TM) depending on what nefarious campaign happens to be doing the rounds at any given time.

Should anybody send you a DM that mentions humorous things taking place in videos - like this one, for example:

dmroguetwitterlinkz1.jpg

...you should avoid it like the plague. Otherwise, you're in for some phishing fun, which is surely a contradiction in terms.
This is a step above the usual phish attempt we see here, with a number of bits and pieces that build up a pretty convincing fake website. As you probably guessed from the title, the phish involves the upcoming juggernaut that is Call of Duty: Modern Warfare 2, and the endless desire some people have to take part in a beta.

The URL to avoid is

freemw2beta36.tk

and the page itself is hosted at

freemwbeta36.t35.com

Want to take a look? Sure you do.


Modern Warfare 2 Beta Phish, originally uploaded by Paperghost.

What does this phish do that sets it way above other phish attempts? Well, for starters it looks quite professional. Top left, they use the kind of info splash you normally see on an official XBox page. On the right, there's a media section with screenshots you can actually click into. Might not sound like much, but most phishes like this one don't have anything clickable in them whatsoever. Bottom left, they've embedded a real Youtube video that you can watch to your heart's content. Right at the bottom of the page, they've included a copyright notice - something else phishers tend to lose in translation.

All in all, pretty convincing.

The only real flaw with this phish is that there is currently NO public beta planned, and it's highly unlikely there will ever be one. Don't get suckered into handing over your Windows Live ID, as no good will come of it.

A Trip To The (Phish) Pharm

More often than not, most DIY programs I see tend to be on the murkier side of "designed well". In fact, it's more like somebody threw up on their coding tools. However, sometimes a leet hax program comes along and despite the horrible things it does, you can't help but be impressed by the design and general stylistic trappings.

The creators will still burn in Hell, of course.

But ooooh - shiny. Blinky.

Anyway, here it is - the Phish Pharm:


phpharmz1.jpg

In case you're wondering, the fake Phish pages are in the Source Files Folder, and the two programs used are underneath. Let's take a trip to the pharm - sorry - first.

phpharmz2.jpg

As you can see, it's a well designed package with a lot of options. A whole bunch of "target sites" are pre-made and ready to roll, from Twitter and Myspace to GMail and Steam - no messing around trying to create fake login pages here.

There's SQL support too:

phpharmz3.jpg

.....slick. The final option allows you to be notified via EMail every time someone falls for one of your Phish pages. However, you can skip that altogether in favour of a more elegant solution - the Monitor.

Fire up the second program, and it dumps itself into your System Tray. As and when stolen accounts appear in your logs, the program - which can be made to check at an interval of your choosing - pops up a message like this:

phpharmz5.jpg


Click the message, and the Monitor program launches:

phpharmz4.jpg

Type of Phish (in this case, a GMail phish), Username, Password and IP Address are all logged.

Did I mention this was slick? Depressingly so. Anyway, avoid phish pages, etc etc and yadda yadda.
Finding dumps of stolen logins is a common occurrence round this neck of the woods; if it isn't a bunch of XBox logins, it's 5000+ EBay / Paypal accounts. Well, here we have roughly 86 Windows Live ID accounts taken without permission, via a phishing page.

Windows Live IDs can be used to access everything from Hotmail and MSN to XBox Live and Zune. Grab a Live ID, and the number of ways you can ruin someone's day increases in spectacular fashion.

In this case, the target was XBox Live gamers, by way of a fake "Get Microsoft points for free" phish.

What I found particularly interesting here is that the collected data reveals the (borderline desperate) greed on the part of the victims - allow me to explain. Many of the most popular XBox phishes involve the site creator pretending to be an ex Microsoft employee, who just so happens to have a magical way to create "free" Microsoft points (which otherwise cost money, and are used for digital videogame transactions and Zune marketplace purchases).

Here's a typical example of said fakery:

fakez101.gif

There's normally a dropdown box (bottom right), asking the victim to select a fictional amount of points while they throw away their login details. More often than not this information isn't included in the phish dump, because the phisher couldn't care less how many points the victim is after. This is what you normally end up with:

stolenxbox1.jpg

...as you can see, nothing more than the Live ID, the password and the date.

Here, however, each stolen account in the data dump looks like this:

Logged IP address: xx.xx.xx.x0 - Date logged: Monday 20th 2009 of July 2009 09:17:27 PM
Email=xxxxxx@xxxxxxxxxx.com
Password=xxxxxxxxxxx
Points=20000
submit=Go!


For some unknown reason, the phisher decided to log the points the victim tried to obtain for free. This means we can gather up some data about the level of frenzied button mashing the victim goes through over a period of days.

Days? You bet. More on that later - for now, let's take a quick look at the amount of points the victims were dying to get their hands on. The stolen logins have been in circulation on forums for a while, and based on comments we've seen, all of them have either been locked down or leeched, but we've notified Microsoft anyway. All of the below were phished between Monday the 20th of July and Tuesday the 28th:

500 MS Points ($6.25 / 4.25 GBP) - 17 requests
1000 MS Points ($12.50 / 8.50 GBP) - 8 requests
2500 MS Points ($31.24 / 21.25 GBP) -  8 requests
5000 MS Points ($62.48 / 42.50 GBP) - 23 requests
10000 MS Points ($124.95 / 85.00 GBP) - 10 requests
20000 MS Points ($249.90 / 170.00 GBP) - 92 requests

In total, there were 167 attempts to get free points, with 9 misfires (which means the victim didn't pick an amount on the dropdown box, resulting in a "-Select-" left in the relevant data field). Roughly 86 individual Live IDs were phished, and the rest of the 167 attempts were repeated requests for points from the same handful of people - sometimes stretching over the full timespan from Monday 20th July to Tuesday the 28th.

One person made 24 requests over the eight days (at one stage making eleven requests for points in three minutes!), with 17 tries for the maximum amount of 20,000 MS points. That works out at 340,000 points not including his smaller requests, which means this person attempted to collect over FOUR THOUSAND DOLLARS worth of digital downloads for nothing.

greedy.png

In fact, he's still trying to get free points on the 28th despite not having actually received anything from the moment he tried way back on the 20th. The phisher who collected these logins deserves nothing but scorn; however, it's increasingly difficult to feel any sympathy whatsoever for some of the people caught up in the above data log.

Is the only real solution to throw both phisher and victim into a bear pit, filled with angry bears who themselves hold an irrational hatred of both bear pits and bear pit trespassers?

Why yes. Yes it is.

.com Doesn't Mean It's .safe

A common warning in relation to many phishing attacks is "Look for the .com in the URL, because that's the official site domain - if you see that you know it's the real thing".

All well and good, but sometimes people find a way to place a ".com" in there anyway.

Here's a fake XBox.com phishing page - note the URL:

finalgive1.png

Amazingly enough, it's

xbox.com.au.tp

The problem here is that we're so conditioned in relation to "Look for the .com" that many people will see this domain and think, well, it HAS to be legit - completely disregarding the "au.tp" part that comes after it.

Unfortunately, it isn't real in the slightest. How did they get the above domain to look the way it does? Well, a .tp domain is the top level domain for East Timor. You can't actually get them anymore (due to it being replaced by .tl), but you can get various subdomains through resellers. A quick jump over to Tipdots.com, and....

finalgive2.png

....whoops. Of course, the fact that the fake site is promoting a "4th of July giveaway" would hopefully make people stop and think that all is not right here, but that's not an assumption I'd be comfortable in making.

Looking out for ".com" in a domain is indeed useful - but only if you pay attention to what comes after it.
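
The difference between spotting ".com" somewhere in the address and checking what the address actually ends with, as an added example (not part of the original post). The function names are made up for the illustration, and the check assumes you already know the official domain you expect; working out who owns an arbitrary name would need the Public Suffix List.

```python
from urllib.parse import urlsplit


def hostname_of(url):
    """Return the lower-cased host part of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")  # "xbox.com." and "xbox.com" are the same name


def naive_looks_official(url, brand="xbox.com"):
    """The 'look for the .com' habit: the brand shows up somewhere in the host."""
    return brand in hostname_of(url)


def classify(url, official="xbox.com"):
    """Classify a URL against the official domain.

    Returns (verdict, trailing) where verdict is one of:
      "official"  - the host is the official domain or a subdomain of it
      "lookalike" - the official name appears, but is not what the host ends with
      "unrelated" - the official name does not appear at all
    and trailing is the part that follows the brand in a lookalike host,
    which is the part that really decides where the name lives.
    """
    host = hostname_of(url)
    labels = host.split(".")
    want = official.split(".")

    # Host names are read right to left: the LAST labels decide ownership.
    if labels[-len(want):] == want:
        return ("official", "")

    # The official labels appear further left, followed by something else.
    for i in range(len(labels) - len(want)):
        if labels[i:i + len(want)] == want:
            return ("lookalike", ".".join(labels[i + len(want):]))

    # The brand is glued into a different label, e.g. "notxbox.com".
    if official in host:
        return ("lookalike", "")

    return ("unrelated", "")


if __name__ == "__main__":
    # The first URL uses the domain from the post; the rest are constructed.
    for url in (
        "http://xbox.com.au.tp/",
        "https://www.xbox.com/live",
        "XBOX.com.",
        "http://notxbox.com/",
    ):
        print(f"{url:30} naive={naive_looks_official(url)!s:5} "
              f"real={classify(url)}")
```
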

"Free Points" Phish

There's a Windows Live ID phish doing the rounds at the moment, aimed at XBox gamers and their overwhelming desire to obtain FREE STUFF. Namely, XBox Live points. Here's the site, which is located at mspsite.t35.com:



Free Microsoft Points Scam, originally uploaded by Paperghost.

It contains the usual nonsense designed to make the victim sit around doing nothing while the phisher changes their login information:

"This website uses an exploit found on the xbox live website. Using this exploit correctly means you can edit your amount of microsoft points on your account. As the flaw is on the Singapore websites, People living outside of singapore may need to wait up to 24 hours for there points..."

Once you enter the info, your account is as good as gone along with anything you have attached to it. If you think people don't fall for things like this, here's the proof:

mspointzgenz102.jpg

Chalk up one victim to the above site. There's bound to be more...



HIS NAME IS ROBERT PAULSON


His Name Is Robert Paulson, originally uploaded by Paperghost.


....and he wants your World of Warcraft account.

Here we have yet another Steam Phish, this one involving some forum based scammery. Our phishing friend sets up a forum account on the official Steam forums, then sends random people a "scary" message like this:

stvvc09.jpg

Assuming the victim is suitably terrified by dire warnings of account hackings, they'll promptly jump over to

valve-ipfix.tk

which is a redirection URL hiding the "real" URL at

steampowerness1.awardspace.us

...and the victim will then enter their Steam login credentials to the phisher.

Here it is in all its phishy glory:

stvvc10.jpg

Avoid.
Pharming has been around for a few years now, and most (if not all) pharming attacks I've read about usually involve techniques far beyond your average script kiddie. From Wikipedia:

Pharming (pronounced farming) is a hacker's attack aiming to redirect a website's traffic to another, bogus website. Pharming can be conducted either by changing the hosts file on a victim's computer or by exploitation of a vulnerability in DNS server software. DNS servers are computers responsible for resolving Internet names into their real addresses -- they are the "signposts" of the Internet. Compromised DNS servers are sometimes referred to as "poisoned".

Curiously, one individual seems to be whipping up a frenzy on numerous hacking / cracking boards recently, claiming to have invented a "new, revolutionary form of phishing". It's actually "just" Pharming by another name - "Phisher Arms" (a Phisher Arm being the executable used to alter a computer's hosts file) - but while being entirely ignorant of Pharming, he's also promoting a broadening and deepening of the number of script kiddies happy to adopt such tactics. While there's a certain comedy value to him reinventing the wheel, mass adoption by wannabe pharmers is not a good thing, and there's never been a better time not to click on unknown attachments or run strange files...

In the beginning

On the 30th of April 2009, a new video appeared on exploit database Milw0rm, rather breathlessly called "Desktop Phishing: The New Art of Phishing". Along with the video came lots of graphics:

dtph1.jpg

dtph3.png

...and a soon to be released E-Book(!), along with an audacious bid for fame in the form of a Wikipedia page which was (unsurprisingly enough) hit with the Banhammer.

In a nutshell, it works like this:

1) Have a random executable file to hand. It can be anything, though obviously you want it to appeal to the victim you intend to send it to.

2) Bind it with a modified hosts file in such a way that it replaces the victim's original hosts file when the executable runs.

3) Insert sites such as Paypal, banking sites, Ebay, whatever....into your modified hosts file, and have each of them point to an external IP address for your own computer. I bet you can see where this is going...

4) On your own computer, you host the phishing page using server software such as wampserver.

5) When the victim tries to reach Paypal or a similar site from their computer, they are of course taken to the phish page running on the attacker's PC, which will still say "Paypal.com" in the address bar. When the victim enters their details, they're actually placing them directly onto the attacker's computer - note the URL at the top:

phisherarms.jpg

Whoops.

To be fair to our wheel inventing pharmer, it's an interesting technique and will no doubt be adopted en masse by the rank and file of "this is way too hard for me" wannabes out there. His video has already been viewed over 12,000 times - by comparison, most other entries on the Milw0rm frontpage are in the low thousands:

dtph2.gif

Google "Phisher Arms" or "Desktop Phishing" and you'll already find a lot of hacking forums promoting this as the best thing ever - and they're just the ones publicly viewable.

Whatever you want to call them, there's probably quite a few of these "Phisher Arms" in circulation at the moment given that his video hit a good few weeks ago. As always, be careful what files you download...
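
One way to check a machine for the hosts file tampering described in steps 2 and 3, as an added example rather than anything from the original post: parse the hosts file and flag any entry that pins a watched site to a fixed address. The watched list, the sample file and the 203.0.113.25 address (a documentation-only range) are assumptions made up for the illustration.

```python
import ipaddress
import os
import sys

# Sites to watch for. An assumption for this example: the post names Paypal
# and Ebay as typical targets; add your own bank, webmail and so on.
WATCHED = ("paypal.com", "ebay.com")

# Constructed sample of a tampered hosts file. 203.0.113.0/24 is reserved for
# documentation and stands in for the machine hosting the phish pages.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.25    paypal.com www.paypal.com
203.0.113.25    signin.ebay.com   # trailing comment
0.0.0.0         ads.example.net
127.0.0.1       www.ebay.com
"""


def parse_hosts(text):
    """Yield (line_number, ip_address, hostname) for every mapping in the text."""
    for number, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on blanks
        if len(fields) < 2:
            continue  # blank line, comment, or an address with no names
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IPv4/IPv6 address
        for name in fields[1:]:  # one line may carry several names
            yield number, address, name.lower().rstrip(".")


def is_watched(hostname, watched=WATCHED):
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in watched)


def audit_hosts(text, watched=WATCHED):
    """Return (line, hostname, ip, verdict) for each watched name found.

    A real site should be resolved through DNS, so any static entry for a
    watched name is worth a look. Loopback and 0.0.0.0 entries usually block
    a site; anything else sends the browser to a machine of someone's choosing.
    """
    findings = []
    for number, address, hostname in parse_hosts(text):
        if not is_watched(hostname, watched):
            continue
        if address.is_loopback or address.is_unspecified:
            verdict = "blocked"
        else:
            verdict = "redirected"
        findings.append((number, hostname, str(address), verdict))
    return findings


def default_hosts_path():
    """Location of the hosts file on Windows and on Unix-like systems."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else default_hosts_path()
    with open(path, encoding="utf-8", errors="replace") as handle:
        results = audit_hosts(handle.read())
    for number, hostname, address, verdict in results:
        print(f"{path}:{number}: {hostname} -> {address} ({verdict})")
    sys.exit(1 if any(r[3] == "redirected" for r in results) else 0)
```
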

The below site:

itunes-multiplier.webs.com

should be avoided, as it's nothing more than a cheap con trick. The gag works like this - you go out and buy an iTunes card (which uses codes that are redeemed inside iTunes to credit your account).

Then you see the above website promising it can double your points and start to feel a little greedy. Here is the "multiplier":

winmill1.png

Yes, you too can enter your own code and send it to a stranger, safe in the knowledge that in a few minutes they'll have registered your code to their account. Still, buying music for scammers is very philanthropic. I guess.

I particularly enjoy the lame technobabble that scam sites such as this employ; this one is better than most, for comedy if nothing else.

"Here at our site, we work with some of the best names in computer debuggers and specialists to make things like this possible.  Over many months of research, our programmers have determined a way to multiply iTunes card's value.  What happens is:

Once you enter your iTunes cards information into our Multiplier, it is sent to our servers where our team runs it with a private program called WINMILL.  This program sends the information as a link directly to Apple Inc., who credits the card with extra uses."


...WINMILL?

I guess we know what the scammer sees when he opens his curtains each morning...

Formula One Phishing

The racing season might well be underway, but it's a good idea to be careful where your logins are concerned.

The following domain:

tema-ferrari.tk

temafer1.jpg

is trying to entice users of popular social networking site Orkut to login to their accounts - or, to be more accurate, is trying to entice fans of Ferrari cars to login to their Orkut accounts. You can't really miss the huge Ferrari logo in the middle - the earliest Google cache of the site is a few days before the first race in Melbourne, around the 24rd of March. Odd coincidence, that.

In case you're wondering, the text (in Portuguese) roughly translates as follows:

"Connect with friends and family using scraps and instant messaging
Meet new people through friends of friends and communities
Share your videos, pictures, and passions all in one place"

I'm going to go out on a limb here and guess the phisher won't even get a speeding ticket...


There are emails in circulation directing end-users to the following web site:

moxieusa.com/includes/PEAR/Thanks.htm

It's a Paypal phish with an added "bonus" - when you visit the page from the mail, you're presented with the following message:

"You Have Successfully Confirmed your account information.

The New Anti Fraud System has been successfully added to your PayPal account."


Entirely false, of course - nothing has been added. There's also a short ramble about additional security features:

ppafsz1.jpg

Click the continue button, and you're taken to the inevitable phish page.

Avoid...

Steamy Phishing

We're seeing a wave of Steam related phish scams at the moment. Most (if not all) look something like this:

stegiveaway1.jpg

Ah, the promise of free games. When have you ever let a phisher down?

The domains being used in this scam are:

steampoweredgifts.my3gb.com
steamscommunity.co.cc
gift-steampowered.co.cc
steam-acitvation.co.cc
steamrecommunity.co.cc
mysteamcommunity.co.cc
wtmail.free.fr/steam
games4steam.tk

If / when we come across others, we'll add them to the above list. Quite a few have gone offline already, only to come back to life, so it might be a while before all of the above are completely DOA...

There's an old technique in certain forms of martial arts - when confronted by an attacker, just before they start to throw the first punch, you distract them with something utterly stupid.

Could be a silly noise, or you might waggle your arm to the side while pulling a face - doesn't matter. The stupider the better, it's just there to make them wonder what on earth is happening shortly before you put them through a window and run away as fast as you can.

Well, same deal here. Today we came across a program designed to do nothing at all. No hijack, no contacting a server, no files dropped, no registry entries, no staying in memory....nothing.

What is it used for?

Distraction. And lots of it.

There is a video currently in circulation on sites such as Youtube, promoting something called LiveGrabber.

livegrabber.jpg

The program looks amazing, gives you all kinds of free things, hands you free accounts for the paid XBox Live service and so on. All done by pushing a few buttons. Here are some pics lifted directly from one of the videos:

livegrabber2.jpg

livegrabber3.jpg

livegrabber4.jpg

Told you it was nice looking.

However, the gimmick here rolls into town exactly six seconds into the video:

livegrabber5.jpg

"New update available: it will no longer have an interface. It will run silent in the background -  when opened you must visit the website to redeem".

Yes, the NEW version is completely invisible and runs "silently" (extremely silently!), only giving you lots of free things if you visit the website promoted in the video and enter your own Live login details.

Doh.

While we've seen fake programs before, usually they either refuse to work, drop infection files or give out fake error messages.

This is the first time we've seen someone create an extremely slick looking interface for a Youtube video, then reduce it to nothing and pretend it's "doing something in the background". It seems the original version available to download did the usual "fake error message" routine, but the author grew tired of trying to explain away fake error messages.

What could be better than telling people it now runs silently in the background?

At any rate, based on the comments left on the creator's Youtube page, it seems it's enough of a distraction to get people to hand over their login details to

lancergrabber.tk

livegrabber6.jpg


Did I say "user comments"? I sure did. I'll leave you with the thoughts of some people soon to be parted from their Live ID login credentials...

livegrabber7.jpg


livegrabber8.jpg

livegrabber9.jpg


Yes. Of course it does...!
casg1.jpg

Not much more to add here, other than "avoid".

To The Phish Repository!

Today I was browsing around a couple of Arabic language hacking forums, and came across a random link that took me somewhere interesting. Here's a screenshot of said forum, because everyone loves to look at mysterious hacking forums. Right?

phrepos1.gif

Anyway, the site in question (registered to someone in Rabat, Morocco though this could well be fake data) appears to house the beginnings of a "banking phish" archive. Check it out:

phrepos2.gif

The site is a dumping ground for everything from Wachovia and Natwest to Chase and Barclays phish pages. In general, phish page sharing is usually done in a disorganised and quite random fashion on forums. To start stacking them up like this (it kind of reminds me a little of defacement archives) is quite an interesting and vaguely worrying approach.

At the top, the banner also promises unfinished sections such as "Letters" (presumably forgeries intended for real world scams), Mailing programs (those spam links won't send themselves to people!) and "CVV" (Card Verification Value).

The final insult is that this domain has actually been around since 2001, and in its original form actually fought scams - now it is one.

We'll be reporting the site and monitoring it closely in the meantime...

 

Rapidshare premium accounts are big business on phishing / trading sites. It seems they're trying to do something about the problem - anyone going to the premium accounts login screen now sees this:

rsantiph1.jpg

...a rather fetching "Phishing Warning" box, prominently displayed. Click it, and this appears:

rsantiph2.jpg


Something like this is always a welcome addition. It's actually been rather humorous watching people on phishing / trading sites agonising over whether or not to include the above on their phish pages in the name of authenticity...

Epic Phishing Fail

A friend of mine had this sent to them yesterday.

At first glance, it seems like a perfectly regular Phishing mail. However, there's something in there that sort of ruins the whole phishing attempt. In case you miss it, I've highlighted it in bold text. Enjoy...


Dear PayPal Member,

As part of our security measures, we regularly screen activity in the PayPal system. We recently contacted you after noticing an issue on your account.

We requested information from you for the following reason:

We have reason to believe that your account was accessed by a third party. We have limited access to sensitive PayPal account features in case your account has been accessed by an unauthorized third party. We understand that having limited access can be an inconvenience, but protecting your account is our primary concern.

Case ID Number:

This is a reminder to log in to PayPal as soon as possible.

Be sure to log in securely by opening a new browser window and typing the PayPal URL. Once you log in, you will be provided with steps to restore your account access. We appreciate your understanding as we work to ensure account safety.

In accordance with PayPal's User Agreement, your account access will remain limited until the issue has been resolved.

Unfortunately, if access to your account remains limited for an extended period of time, it may result in further limitations or eventual account closure. We encourage you to log in to your PayPal account as soon as possible to help avoid this.

To review your account and some or all of the information that PayPal used to make its decision to limit your account access, please visit the Resolution Center. If, after reviewing your account information, you seek further clarification regarding your account access, please contact PayPal by visiting the Help Center and clicking "Contact Us".

We thank you for your prompt attention to this matter. Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience.

Sincerely,
PayPal Account Review Department

----------------------------------------------------------------
Copyright © 1999-2009 PayPal. All rights reserved.
Here's a dubious looking domain:

kasperskykeys.za.pl

As you've probably guessed, the site is being used to lure people with the promise of "free keys" for Kaspersky, only to then try and steal various types of login.

At present, it currently points to a fake Rapidshare page.

kaspkeys1.jpg

Once you enter your Rapidshare premium login details, it's all over but the shouting. Steer clear...

Building A Scam Empire

This is something we've seen a lot of recently.

First, we need a Habbo phishing page, with something a little different added into the mix. Like this one:

scamhb1.jpg

Notice something? Under the login panel, there's a section that says "Promo Code" and "If you have one, enter to receive an extra 100 credits".

Why would a phishing victim enter a "promo code"? And where would they get one from?

If you want the answer to that, you need to know where to go further upstream. In this case, that would be the main website of the person responsible for the phishing page:

habscm2.gif

As you can see, it's scam city. Specifically:

"Learn to Scam!

Get rich quick using our scam site maker.

Ever wondered how a lot of Habbos have tonnes of furni ?... Simple, they either scam or spend hundreds of pounds on credits and then trading. But you don't want to be spending any money do you? Wouldn't you rather have it for free?

Using this sites scamming system you can get rich in just a few hours of hard work."


So, we have a "sign up, get phishing" scheme in play. As for the promo codes, you're about to see why this scam is so good, but only for the person who set it all up:

habscm3.gif

Amazingly, you're told to go off and direct people to two phishing sites operated by the scam site owner, instead of your own phishing URLs. The gag is you have to tell the victims to enter a "promo code" that will allow the scam site to "track which phished accounts belong to you".

Of course, it's all nonsense.

What's actually happening here, is that someone simply sits back and waits for lots of underlings - that would be you, if you happen to fall for this - to run around spreading their phishing links for them.

I'm willing to bet good money that the people recruited for these scams never, ever see the login details of the people they phished - meanwhile, someone sits at the top of the chain, building a scam empire with a maximum of style and a minimum of effort.

Well, as much style as you can muster when scamming scammers, anyway...
Today we came across a collection of approximately 270 sets of login details that have apparently been Phished via a fake XBox Live login page. The list, some 27 pages long in Word format, would allow people to access stolen XBox Live accounts, some of which may have credit card details stored against them (along with other forms of personal information, of course).

stolenxbox1.jpg

The list itself is actually around 300 or so entries, but it seems some of it is duplicate and / or obviously fake data, entered by people annoyed at the Phishers the list has come from (as a side note, I should add it's never a good idea to enter fake info on Phishing pages - it not only makes it harder for people who wade through this info looking for victims to contact, it also opens you up to potential retaliation attacks from the Phishers).

An additional "bonus" of grabbing Live ID data is that you can use it to check out EMail accounts associated with it - not a great situation, and one of the reasons I've never been too keen on "one login to rule them all" situations. We've already seen some people boasting on forums about the info they've pulled from various EMail accounts associated with the list - how quickly "stolen XBox account" becomes "stolen everything else".

This list seems to be in circulation on a number of hacking forums; the majority of the accounts were phished between November and December of last year. Despite the relatively long time that's elapsed since the data was first collected, a lot of the accounts still seem to be accessible based on comments we're seeing on those underground sites. It seems someone might have put their personal stash on "general release" to gain some kudos with others.

We've passed the stolen data onto Microsoft, and we're sure they'll move swiftly to lock down the accounts involved.
At least, not if you're asked to do it at the following location:

updateyourabbeybank.tk

The site is, of course, a phish page. Not a very clever one, at that. There's a particularly useful clue on the page that will helpfully deter some end-users from giving away their login details:

fakeabbey1.jpg

In case you're still wondering, the clue would be the huge Cursormania advert at the bottom of the page. Not too many banking websites have those - even the trendy ones...
pshtxt1.jpg


....apparently not. I've no idea what the unfortunate person above had stolen, but always worth remembering: never trust anything asking for your login credentials, regardless of whether it comes via email, phone, text or carrier pigeon.
Remember this? Well, a rep for Virgin Atlantic left the following comment:

"Virgin Atlantic can confirm that the website www.virrgin-atlanticsairways-uk.com has been shut down.

The website was associated with a recruitment phishing scam. Virgin Atlantic is in no way associated with this scam and would never offer to ask members of the public to part with money in applying for a career at the airline.

At Virgin Atlantic we take these matters very seriously. We have reported this matter to the Police and have been successful in clamping down on the scam, by closing down associated websites, telephone numbers and email addresses.

To look for legitimate recruitment opportunities with Virgin Atlantic Airways, please visit http://www.virgin-atlantic.com/careers

Virgin Atlantic"

Kudos to Virgin Atlantic for actively pursuing the offending website - it doesn't always pan out like that...


Airmiles Phish?

We came across an interesting site the other day:

virrgin-atlanticsairways-uk.com/default.aspx

A replica of the Virgin Atlantic website:

v1.jpg

None of the links worked, but you were able to login over on the right. Well, I say "login" - what I actually mean, is "send your account details to the phisher".

Now, I'm not familiar with Virgin Atlantic so you might have to help me out here. The only possible reason I could think of for obtaining Virgin Atlantic "Flying Club" logins was to somehow make use of the airmiles stored against the account. If anyone out there reading this has a Virgin Atlantic account - is that possible? Can you transfer (say) airmiles to other accounts, perhaps? I can't see how the phisher could simply book flights under the name of the stolen account, so I'd guess there must be some way to exploit the system involving airmiles.

Either that, or someone just really likes collecting Virgin Atlantic logins.

Curiously, this phish page pops up in a few other places - most notably, involving complaints related to fake job offers with Virgin Airlines here and here. The site is currently offline, but don't be surprised if they take to the skies again shortly...

It's Evolution, Baby

I've previously written about phishing scams which appear to look like Rapidshare pages, and claim to offer specific products (without linking to any actual files).

Well, this seems to be an evolution of that particular attack.

Here's one of the newer kinds of Phish I'm talking about.

rsupd1.jpg

"This file is larger than 200 Megabyte. To download this file, you either need a Premium Account, or the owner of this file may carry the downloading cost by making use of "TrafficShare"."

The interesting part is that (unlike the earlier phish pages covered) these ones actually link to genuine files on Rapidshare, all adding to the illusion that this is legitimate (if you try to download the file on Rapidshare, you'll be given the same message regarding premium accounts).

Quite a smart tactic, then. Of course, you really shouldn't be downloading files with "Warez" in the name anyway...

The Gift Of Steam: Part 2

Here's another site related to Steamgift.com. The site in question this time round is called

steamverification.com

This one takes a (somewhat bizarre) spin on attempting to take your login credentials:

stvr1.jpg

The site reads:

"The Steam Verification System is to ensure that multiple IP addresses are not used to access a single account. Please enter you account credentials below to verify your account. Accounts not verified within 24 hours of notice will be permanently disabled."

Given that one of the biggest plus points of Steam is that you can use your account on as many PCs as you want to - indeed, there are dedicated Steam sections in web cafes for just such a purpose - it seems ludicrous to base their scare tactics on multiple IP addresses (especially as the scam site actually links to a web cafe information page just out of screenshot).

However, there's always going to be someone who falls for this kind of scam.

Interestingly, the creator of both these sites has been promoting them on Youtube, under the account name of

SteamVerification

And is listed as being 30, based in the United States. Typically, he's leaving comments such as these on Youtube videos:

stvr2.jpg

stvr3.jpg

As you might imagine, there are some rather angry comments appearing on his userpage. Here's some of the friendlier ones:

stvr4.jpg

Another interesting "feature" of these scams is that the Whois data isn't anonymised. Currently, the information for both sites reads as follows:

Domain Name: STEAMGIFT.COM / STEAMVERIFICATION.COM

Registrant:
    N/A
    Steve Zestner
    4163 Mesa Drive
    Lake Mead
    California,16609
    US

Of course, these could be entirely fake details - but usually, websites such as these either use an anonymous registration service or obviously fake information. Could our phisher have been so silly as to use his real name and address?

Perhaps. The only really important part to remember is to give websites such as the above a very wide berth...

The Gift Of Steam: Part 1

I write quite frequently about Steam scams, because there's a fair chance stolen Steam accounts can have a significant amount of money invested in them. I could simply link to the Wikipedia article describing it, but instead I'll give you a more condensed rundown - hopefully it'll give you a better idea of what's at stake.

Steam - What's The Big Deal?

If you're anything like me, you'd buy a PC game, hurl the discs somewhere and then sometime later when you came to reinstall find the manual with the license key on it was missing.

That used to happen to me a lot.

Steam is an entirely digital distribution service for PC games. Effectively, you substitute those annoying printed keys for a username and password - any games bought under your steam account can be downloaded as many times as you need to, installed on any PC and the purchase made against your username authorises the game to be played.

This means, of course, that someone with a Steam account could well have spent many hundreds of pounds / dollars / insert currency of choice on a wide variety of games. Lose your account, and you've lost a pretty big investment. Now that we've got that out of the way...

What's The Scam?

The website we're looking at today is

Steamgift.com

The website looks almost identical to the real Steam website - indeed, there is only one small (yet crucial) difference. Here's a screenshot:

steamgift1.jpg

There's a large blue banner that really shouldn't be there. It reads:

"Free Steam Gift Pack! Absolutely Nothing Required!

Also including The Orange Box, Left 4 Dead, Audiosurf, Counter Strike Source, Counter Strike, Garry's Mod, Call of Duty 4 and more".


Sounds too good to be true, doesn't it?

Sure enough, click the banner and you'll see a page positively stuffed to bursting point with encouragement.

steamgift2.jpg

Encouragement to fall victim to a scam, that is. Hit the "Click here for free gift" button and a final piece of "DO IT NOW" harassment awaits...

steamgift3.jpg

If you fill in your Steam account details and hit "Login", you've just waved goodbye to your account.

steamgift4.jpg

"Success - Your account will be credited with the Steam Gift Pack within 24 hours".


I'm willing to bet good money that isn't going to be the case...
Nothing particularly jaw dropping, but I thought it was worth mentioning. There are quite a lot of fake Rapidshare phish pages in circulation at present - they all look like this:

rs1.jpg

...and they want you to enter your login details to "activate premium membership immediately".

What really grabbed my attention was the URL. All of these pages specifically place certain products into the web address - no random hacker usernames or swear words in these babies. Case in point:

rs2.jpg

You can see what they did there.

At any rate, avoid any so-called "Rapidshare" page seemingly promoting albums, movies or videogames. They're not what they seem...

How Old?

This XBox Live phish attempt caught my eye:

flu0.gif

It's a lot better looking than many of the others I see, and the phisher took the time to make a fake screenshot to impress you with all the fake money he (doesn't) have. The most interesting thing about it for me is that it references another domain ("Runeflux.com"). Usually they're pretty anonymous.

Anyway, I decided to check out the domain - there's nothing there, could it have been taken down? Well, a quick search later and we have this (rather well edited) Youtube video. Apparently the domain simply hosted the same phishing page, so yes - it's a fair bet someone had it taken offline.

The important part is when you check out the profile of the person who owns the account:


flu3.gif

Yes, our phishing friend is only 14. I've had quite a bit of experience researching people at the younger end of the age spectrum involved in this sort of thing, and I have to say the basic mechanics of "how to phish" are all in place with this kid.....slick websites, Youtube promotion, little touches like fake screenshots....it's all there.

Worrying, isn't it?

Anyway, the URL to avoid here is

h1.ripway.com/microsoftpointsgen/
There seem to be quite a few sites online at present claiming they can give you "online tax refunds", if only you fill in your bank details and click "submit". It's not a good idea, and they look pretty convincing:


irs1.gif

irs2.gif

Some of these domains have been up and down since last night, but I expect some of them will return again so here they are in full:

gicrisis.org/data/refundtax/SearchTAXERR.php

irs-2009.com/refund/refunds.html

collectrefund-irs.com/refund/refunds.html

cimaonline.ca/application/Internal/Revenue/Service/pas.php?certegy_vm=trueportlet_change_1_actionOverrideFchaseonlineFchangeFprocessDetails_windowLabel_portlet_process_pageLabel_page_process

jklabs.cz/phpayv2/admin/import/.secure/www.irs.gov/get-refund/refunds.php?Where_is_my_refund&Get_Refund

"Free Habbo Credits"....

....not really.

fhc1.png

The above is an absolutely hideous phish. Someone clearly needs to hire a real designer from all that stolen Habbo money they must have by now. I think the "Free Habbo Credits" thing was supposed to be clickable (hence the "Proof!" bit), but they seem to have messed that up.

Doh.

The URL to avoid here is

habmanny.tripod.com/id7.html

"Microsoft Point Heaven" Scam

We've heard reports of a couple of these websites currently doing the rounds - they call themselves "Microsoft Points Heaven", and usually sit on free hosting domains. They promise you "free" Microsoft points, then ask you to enter your Live login details. At that point, your data has been stolen.

mph1.jpg

If you check the code, you can see you're not "signing in to XBox Live" at all - you're entering your information into a standard submission form, which will send the information you enter directly to the site owner.

wfrm.jpg

The last URL we saw this scam residing at was

microsoftpointheaven.weebly.com

which is now offline. It will no doubt resurface somewhere else, so be on your guard...
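The manual check described above (reading the page's code to see where the "sign in" form really sends its data) can be automated. This is an added example, not code from the original post: the sample markup, the `points-example.invalid` host and the `EXPECTED_HOSTS` allowlist are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption for the demo: the only host a genuine Live sign-in form posts to.
EXPECTED_HOSTS = {"login.live.com"}

# Constructed sample page imitating a sign-in box on a free host.
SAMPLE_PAGE_URL = "http://points-example.invalid/index.html"
SAMPLE_HTML = """
<html><body>
<h1>Sign in to Xbox Live</h1>
<form method="post" action="save.php">
  <input type="text" name="login">
  <input type="password" name="passwd">
  <input type="submit" value="Sign in">
</form>
<form method="get" action="/search"><input type="text" name="q"></form>
</body></html>
"""


class FormCollector(HTMLParser):
    """Collects every <form> and records whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "form":
            self._current = {"action": attr.get("action") or "",
                             "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attr.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html, expected_hosts):
    """Return one finding per password-bearing form, with the resolved
    submission target and the reasons it looks wrong (empty if none)."""
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        if not form["has_password"]:
            continue  # search boxes and similar forms carry no credentials
        # A relative or empty action resolves against the page itself.
        target = urljoin(page_url, form["action"])
        parts = urlsplit(target)
        host = (parts.hostname or "").lower()
        reasons = []
        if host not in expected_hosts:
            reasons.append("posts credentials to unexpected host")
        if parts.scheme != "https":
            reasons.append("credentials sent without TLS")
        findings.append({"target": target, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_login_forms(SAMPLE_PAGE_URL, SAMPLE_HTML, EXPECTED_HOSTS):
        print(finding)
```
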
Wow, this is creepy.

It's an EBay phish page that does two things.

fakeebay1.jpg

The first is that it bizarrely asks you to install a Firefox extension called QIP (as you can see from the yellow bar across the top in the above screenshot), which (as far as I'm aware) is a legitimate Russian extension that allows you to converse with friends across multiple platforms.

fakeebay2.jpg

Call me crazy, but I'm sure most EBay users would immediately think something was wrong if they were presented with a Russian Firefox extension on EBay.

Worse is to come, however. If the end-user should scroll down a little, they're presented with adverts - and they don't exactly convince you that this is the real EBay website. One usually contains a naked woman of some sort. The other? Well, it tends to show a close up of a randomly selected dead woman's face, often horribly mutilated.

Yes, I have no idea what's going on here either.

ebayfake3.jpg

 
ebayfake4.jpg

Now I've seen a lot of strange things on EBay. Fake laptops, XBox scams, cash on delivery con-jobs and hacktool packs. However, naked women and dead bodies probably take first prize (at least they would if this was the real site). Thanks for freaking me out, insane Russian phisher.

In case you're wondering, the adverts all seem to take you to some kind of Russian linkdump, where none of the images relate to the site you're going to end up at. Russian Roulette is indeed the name of the game where that's concerned.

The site to avoid like the plague here is

sadww.sadas.nm.ru/abasdass.htm

A Rather Unimpressive Phish

(Automatically translated from Italian):

hhack1.jpg

...sadly, as crude as it is you'd be surprised how many people will fall for the old "Send your login to a random Hotmail address" gag. The domain to avoid is

habbohack2.blogspot.com

If you like shooting zombies in the face - and who doesn't - then you may well have already purchased Left 4 Dead, a videogame pitting four survivors against a relentless zombie horde.

Well, it appears to be a popular target for scammers. An EMail popped up in my mailbox over the weekend, claiming I'd received a "guest pass" that would let me play the full game "for a limited time". Here's the mail in question:

fake4dead.jpg

"The steam support has invited you to use a free guest pass for Left 4 Dead on Steam, the leading digital distribution platform for PC games.

Once you've installed Steam (or if you already have an account) click here to accept steam supports invitation to a full game of Left 4 Dead."


Of course, the link for the "guest pass" doesn't take you to an official site - it takes you to

steampovvered.co.cc (note that's steampo v v ered, NOT steampowered)

At that point, if you enter your Steam password, you've potentially lost it for good. The site is currently offline, presumably because it's already been reported ("This domain is under examination at the moment, it will be finished within 24 hours"). However, there are probably more Phishing scams out there attempting to capitalise on the popularity of this particular game.

Now if you'll excuse me, I have to prepare for the coming Zombie Apocalypse...

Free Microsoft Points Phish

This is a particular favourite of Phishers - a page claiming to give you free Microsoft Points for XBox Live, only to take your login and do what they want with it (which could range from using the credit card stored against your account to buy lots of games you don't actually want to just trashing your gamer profile).

With that in mind, then, here's the offering for today:

freemspoints4all.blackapplehost.com

step1.jpg

The "3.1" in the bottom right hand corner is particularly humorous. Anyway, hit "Click here" and you're taken to a standard fake Live login page:

step2.jpg

If the unwary visitor should enter their details, some code in a .php file will stash the login for the Phisher to grab later while immediately redirecting you to the following (entirely fake) message on a blank page:

step3.jpg

If you get to the stage where you see this message, you should be thinking about logging in as quickly as you can and changing your password. Top tip for the day - any website that offers "Free Microsoft points" should be avoided like the plague. I've yet to see a genuine one, and I think I can safely say I'll be waiting for quite some time before I do...
There seem to be quite a lot of these doing the rounds at the moment:

spm1.gif

They've not done a very good job with this Phish - they display an obviously fake URL, for one thing - but they do get some bonus points for attempting to lure the end-user in:

"You've been selected to take part in our quick and easy 9 questions survey.
In return we will credit $20 to your account - Just for your time!"


Sounds tempting, right?

Click the link, and you find the deal has suddenly sweetened - you're now being told the offer is for $90, not $20 - courtesy of an extremely slick looking phish page:

spm2.gif
 
The red text on the right that says "Capital One will add $90 credit to your account just for taking part in our quick survey." is actually a scrolling ticker. Of course, the survey itself is just fluff - the meat of the scam is directly underneath:

spm3.gif

As you can see, a spectacular grab for personal information. Name, address, Mother's Maiden name, phone number....the works. Directly below, they want your full card details, the number on the verification strip, your social security number and even your ATM Pin number. Note how they keep up the pretense of this being a real webpage (asking you if you want to sign up for an "EMail Newsletter" in between the different sections).

The URL to avoid is

capitalone.iseoul.net:202/capital.online.survey/

The site has been reported, and will hopefully be offline soon.





Not the newest scam on the block, but it does seem to be currently doing the rounds so it's worth highlighting. If you're sent an EMail with the same title as this article, with content that looks like this (usually sent from a random Hotmail account):

fmail1.gif

...then delete it, it's a scam.

I'm not sure why, but I'm being sent an awful lot of Phish mails this month. The latest one takes you to

home.doramail.com/spade526/

The page is a typical Paypal phish, though they're not actually interested in obtaining your Paypal login in the slightest. They're after something a little more personal.

ppscm2.gif

Note that in addition to your name and address, they're also asking for your social security number. Not a particularly new idea for a scam, but still not a good thing. The creators have made some basic errors which will cost them potential victims, though - they assume the victim receiving the mail lives in the United States, and they also have a few typos in there - enough to set off alarm bells for those not specifically targeted, with any luck.

This is a particularly thoughtless and poor-taste hack. This is Rapecrisiscenter.org, a support site for people in the Central Massachusetts area:

rccnt1.jpg

Unfortunately, the site has apparently suffered multiple attacks which may or may not be related. At time of writing, there are at least two Phish pages live, one for Abbey Bank:

rccnt2.jpg

...and one for Lloyds TSB:

rccnt5.jpg

To make matters worse, jumping back a little in the Directory space brought me to this:

rccnt30.jpg

Yes, a random group of page defacers proclaim the glory of Turkey from a hacked rape crisis website.

We've notified the site owners, and hopefully everything will be fixed soon.


While investigating an unrelated case of Phishing yesterday, we came across the biggest haul of stolen EBay logins we've ever seen.

How big?

Well, here's a screenshot of the "Word Count" from the document the details are stored in:

logins.gif

Each line is taken up by a single EBay Username, Password and EMail account.

Unfortunately, there are 5,534 of them and they're spread across 121 pages. Here's a random screenshot of page 113, each page containing roughly 46 usernames apiece:

page11.gif

Quite a lot of the accounts don't exist or are no longer registered users, but there are enough live accounts in there for this to be something of a worry (there also don't appear to be any duplicates, which is unusual for a collection this big). At first glance, it's hard to say exactly where the data has come from or how new / old some of it is (it's apparently been passed around various file download sites over the past week or two), though a massive "roll-up" of stolen accounts from various Phishers seems most likely.

Most of the live accounts we saw look like this:

ebay1.jpg

These would be newly registered users, or users with low feedback scores because they don't tend to use EBay that much. These are prime targets for Phishers, because they're more likely to be fooled by fake logins.

Another worry is that many new / inexperienced users on EBay use the same login details for Paypal, so there's the possibility of being able to access two sets of accounts from the same data. I should mention, it's not just new EBayers that can be caught out by these kinds of scams - there were quite a few high scoring EBayers in the stolen logins too.

A source tells me that hackers attempting to use these logins claim some have been "locked out" (presumably logging in on an account from an unfamiliar IP address is triggering EBay Security checks) though my source also tells me there are people bragging about there being "A lot of goodies" still in the list.

We've notified EBay, and had the data removed from the web where possible (a hat tip to Google for assisting in the removal of some cached data from their search engine). Hopefully EBay will act quickly on the information they've been provided and assist those unfortunate enough to have been Phished.

We're noticing quite a lot of these appearing in mailboxes at the moment, all .cn and .kr domains. Here's a few more (that are currently confirmed as live) for your blocklists:

adwords.google.com.qsoil.cn/select/Login
adwords.google.com.apoim.cn/select/Login
adwords.google.com.kfion.cn/select/Login
adwords.google.com.tverdo.cn/select/Login
adwords.google.com.agrod.cn/select/Login

ottoggi.co.kr/bbs/data/schedule/1194604617/redirect.google.com
kilsangsa.or.kr/zero/data/buddha/1223246866/https/portal.google.com/www.adwords.google.com/select/Login.htm

Unsurprisingly, the .cn domains are all registered to "Mr Gfdthy", the same individual that owns the mehdo.cn domain. At least one of the Korean domains appears to be a legitimate website that's been hacked and had the phish page uploaded by the hacker, and so might not be part of the "main" campaign that's currently ongoing.
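The URLs listed above, and the steampovvered.co.cc address from the Left 4 Dead mail, use three different tricks to look like a brand's own site: the brand's domain as a subdomain of someone else's domain, the brand's domain buried in the path, and a lookalike spelling. The following added example (not code from the original posts) classifies a URL by which trick it uses; `BRANDS`, `DEMO_SUFFIXES` and `LOOKALIKES` are small constructed tables, and a real deployment would use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Brand keyword -> the registrable domain that brand really uses.
BRANDS = {"google": "google.com", "steampowered": "steampowered.com"}

# Constructed subset of public suffixes, just enough for the sample URLs.
# Production code should load the full Public Suffix List instead.
DEMO_SUFFIXES = {"com", "cn", "co.kr", "or.kr", "co.cc"}

# Character sequences that read like another letter at a glance.
LOOKALIKES = (("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"))


def registrable_domain(host):
    """Return the label directly left of the longest known suffix, plus
    that suffix: the part of the hostname somebody actually registered."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in DEMO_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])  # fallback when the suffix is unknown


def skeleton(label):
    """Fold lookalike sequences so 'povvered' and 'powered' compare equal."""
    for fake, real in LOOKALIKES:
        label = label.replace(fake, real)
    return label


def classify(url):
    """Return a list of (trick, brand) tuples; empty means nothing flagged."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    reg = registrable_domain(host)
    if reg in BRANDS.values():
        return []  # the brand's own registrable domain
    first_label = reg.split(".")[0]
    findings = []
    for brand, legit in BRANDS.items():
        if f".{legit}." in f".{host}.":
            # e.g. adwords.google.com.<something>.cn
            findings.append(("brand-domain-as-subdomain", brand))
        elif legit in path:
            # e.g. <hacked site>/some/dir/www.adwords.google.com/...
            findings.append(("brand-domain-in-path", brand))
        if first_label != brand and skeleton(first_label) == skeleton(brand):
            findings.append(("lookalike-label", brand))
    return findings


# URLs quoted in the posts on this page, plus one genuine address.
SAMPLES = [
    "adwords.google.com.qsoil.cn/select/Login",
    "ottoggi.co.kr/bbs/data/schedule/1194604617/redirect.google.com",
    "steampovvered.co.cc",
    "https://adwords.google.com/select/Login",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", registrable_domain(
            urlsplit("http://" + sample.split("://")[-1]).hostname),
            classify(sample))
```

The point to take away is that only the registrable domain (`qsoil.cn`, `ottoggi.co.kr`) says who controls the site; everything to the left of it and everything in the path is chosen freely by whoever runs or has compromised that domain.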

Google AdWords Phish

Time to clear out the mailbox - wait, what's this?

adw1.jpg

That's interesting, considering I don't have an AdWords account.

adw2.jpg

Of course, if I did have an account I might be tempted by their fake website:

aw3.jpg

As fake websites go, it's quite pretty (but that's more down to Google than the scammers).

Steer clear of this website:

adwords.google.com.mehdo.cn/select/Login/

The Whois details are unsurprisingly useless:

aw4.jpg

The Administrative EMail is apparently used for another 320 domains, which is probably not a good sign...
Here, our unfriendly neighbourhood Phisher is attempting to play on the fear of a security breach:

Attention all Apex ACH System Customers!

We inform you that on October 7, 2008 a partial loss of data took place in our database. Due to this problem urgent request to take the procedure of account verification. Verification form is located here:

[URL Removed].org

However, failure to confirm your records may result in account suspension.
This is an automated message. Please do not reply.


Best to ignore this kind of EMail, methinks...

Barclays PINsentry Phish

This is PINsentry.

This is a PINsentry Phish currently doing the rounds:

Introducing PINsentry for Online Banking

To help protect your account from Online fraud, we are changing the
security for Barclays Online Banking and you will need to upgrade to
PINsentry.

PINsentry upgrade - information by email
We will send you information on PINsentry and details of any cards being
issued or upgraded by email.
Please insert your details in the attachment below.

Barclays Bank PLC is authorised and regulated by the Financial Services Authority


This is the form that comes with the EMail:


pinsentry1.jpg

Note that it asks you for absolutely everything, including your telephone banking passcode. Barclays Bank do NOT send these kinds of EMails to their customers, so be on your guard...

A Phish With A Sense Of Humour

Oh dear.

Here we have a phish page for the Bank of India:

fishphish0.jpg

The hacked site hosting the Phish?

fishphish22.jpg

Wildlife-fishing.net.

I'm sure it's entirely coincidental, but groan-worthy all the same.

Dreamcast Hoaxes

I've always been fascinated by how many net hoaxes and scams have revolved around the Dreamcast console and related games (in particular, Shenmue). I thought it might be interesting to have a look at some of the most memorable ones, though this list is by no means exhaustive so please feel free to add to the list if I've missed any.

Fake Shenmue Passport, February 2006: Back in 2006, gamers were amazed to find the Shenmue Passport spring back to life. For those of you who don't know what the Shenmue Passport is, click here. Everyone else can just skip to the "good stuff", which would be seeing this appear on your TV if you'd had the brainwave to go online with your long-dead Dreamcast in February 2006:

ppupdate.jpg

A message proclaiming that downloadable content for Shenmue was back online, and that more would be "coming soon". Forums everywhere started to look like this. All of a sudden, downloads were available from the seemingly official (and freshly reborn) website and messages saying "We'll be back soon" were plentiful, sparking rumours of a Shenmue 3 announcement (or even something related to the limbo-ridden Shenmue Online).

However, something didn't seem quite right about all this and the truth eventually came out thanks to a fantastic bit of detective work here. Someone had bought the domain once it had expired, and decided to "give fans hope" with a bunch of uploads and fake messages. As you might expect, this did not go down very well (in fact, you can see the process of SEGA reclaiming the domain from the culprit here thanks to someone who was copied in on the EMail conversations).

Shenmue 3 Youtube Trailer, January 2007: This is a fairly crummy hoax, but did seem to sucker a lot of people. Take some CGI footage from the canceled "Shenmue Online" game, stick "Shenmue 3" over the top of it:

shentrailer.jpg

Place the whole mess onto Youtube then sit back and laugh. Even though the video was placed online in 2007, it's still fooling people a year on.

Dreamcast Phish, March 2008: This one was particularly nasty, and was similar in execution to the way the Shenmue.com domain was swiped for the above scam. Someone grabbed the Dreamcast.com domain, then used it to phish for email logins and caused an awful lot of LET'S KILL THE PERSON RESPONSIBLE IMMEDIATELY type comments across the Net. This is what the previously dormant website suddenly looked like after being offline for all those years:

dreamphish.JPG


Seeing that sent quite a few Dreamcast fans insane (myself included) which made it all the more horrible when it was revealed to be nothing more than yet-another-Dreamcast-hoax.

Luring you in with the promise of an official @dreamcast.com Email address, they asked for your serial number, desired username, password and a current Email address. Once registered, you would end up with a seemingly valid yourserialnumber@user.dreamcast.com address.

The only problem, of course, was that it wasn't SEGA sending out your details, it was the scammer who had grabbed the domain name. The theory is that people would likely use the same password for their desired Dreamcast address as the alternate Email address they provided when signing up to the "service". Thus, you would have spam lists and hijacked email addresses galore.

It didn't take long before SEGA denounced the site, and it was pulled offline shortly after. In retrospect, a dead giveaway should have been the fact that the site had Google Ads and a few other things on it (check out the rather small screenshot) that probably wouldn't have been there if SEGA had actually been in charge. SEGA almost certainly wouldn't have had a Play-Asia affiliate code embedded in the page, for that matter:

affcodedc.gif


Messing around with one particular videogame is one thing, but whipping fans of the Dreamcast console into a frenzy with the promise of an out-of-the-blue Dreamcast revival was never going to end well. Sadly, the culprit was never found but hopefully they'll drop a really heavy plantpot stuffed with bricks on their foot at some point in the near future.

Shenmue "Believe" Advert, July 2008: Oh dear. EDGE magazine usually post up a cryptic, arty image as a substitute for a regular "Next Month" page. For the September issue, someone started a thread on the NEOGAF forum previewing said issue. In this case, the Next Month page looked like a notepad - and one of the more iconic images of Shenmue was the Notepad the main character used to store notes, items and the like.

A quick photo manipulation later and...

notepad1.jpg

If you can't see it, in the middle of the pad the original poster has placed "Shenmue 3: Believe" in very faint text.

This spread across the net like wildfire for a few days, until of course people started to get their hands on the issue in question and realised the whole thing was....yet again.....a hoax. I believe the EDGE preview turned out to be for an article about videogame instruction manuals.

Shenmue 3 Disc Hoax, August 2008: Sometimes innocent bloggers (who really should check the source material...) are sent images and post them up. Bad idea. Not so long ago, SEGA unveiled a room containing every single game they'd ever made. One of the images contained a pile of GD-Rom discs which SEGA used to store prototypes and early build versions of Dreamcast games on. Despite the blogger in question actually linking to the original, they were suckered in by a photoshop alteration where someone had placed "Shenmue 3" over the top:

shenmuegdr.jpg

As SEGA themselves said,

"Ha, that's too funny, they've totally photoshopped the image. I wonder how long it is before we see this getting picked up as fact."

As it turns out, it wasn't too long - I did see this pop up on a couple of forums, but this one was caught pretty early. It's still surprising that the blogger didn't just check the original image more closely though.

This ends our tragic roundup of scams related to the Dreamcast console. I have a feeling we'll be seeing more soon enough...