Phish: February 2008 Archives

A Phishy Tale


I'd been watching the antics of a 20-year-old girl from Malaysia who had a serious thing for phishing. I couldn't have predicted the direction the investigation would take when, quite randomly, I came across the following post regarding one of her former identities:

[Image: rib1.gif]

...."Ribut", eh? Interesting. A quick Google search later, and we find some interesting Ribut-related Phish pages:

[Image: ributmyspace1.gif]

...don't bother to look for it, I already had it killed off. What really intrigued me here was if she had any more pages floating around under her "old" username. Using a few search strings that tend to reveal some of the more "obvious" password-stealing fake logins via Google, I stumbled across a rather unusual way of keeping an eye on Phish pages:

[Image: ads_galore.gif]

There she is, buried in a pile of other phish pages. What is that a screenshot of, I hear you ask? And why exactly is she buried in a wall of phish? Well, note the title - "Where can I find these ads?"

This is a page from advertising network Adbrite, who the host of all these phish pages (2222mb.com) has an account with. If someone wants to host an advert on 2222mb.com, they make their selection and purchase ad space:

[Image: http://blog.spywareguide.com/upload/2008/02/advertiseon2222mb-thumb.gif]

However, this isn't the part of the page we're interested in. You've already seen it, above, listing the "most trafficked pages" from the site in question. That's right: going by the information Adbrite presents to us, the most popular pages on 2222mb.com are phish pages.

In fact, here's a snapshot of the current set of pages listed by Adbrite as "most trafficked pages":

[Image: currentphish.gif]

...is anyone else faintly disturbed that EVERYTHING being listed for this webhost is almost always a phish page?

At this point, you normally contact the host and (depending on a whole range of factors) they kill off the rogue pages in a few days or so. My hopes were high, seeing as another host (110mb.com) with the same Admin contact (a person called Tycho Luyben, more on him later) had previously removed phish pages for me in as little as six minutes.

My first mistake, as it turns out, was getting my hopes up.

[Image: http://blog.spywareguide.com/upload/2008/02/2222mb-thumb.gif (click to enlarge)]

The above is the frontpage of 2222mb.com. At the bottom of the page, it mentions Terms of Service, but you can't click into it. There is no contact email address anywhere on site, and no mention of what to do when finding evidence of abuse on the network.

Uh-oh.

As it turns out, the only way to try and get someone's attention was to register for the hosting service, then submit a ticket, which was completely ignored by whoever received it.

> http://dustyd34th.2222mb.com/myspace.php
> http://ribut.2222mb.com/myspace.php
> http://najn.2222mb.com/
> http://tjt1991.2222mb.com/myspace.php
> http://darktornadic.2222mb.com/myspace/myspace.php
> http://english-naats.2222mb.com/index.htm
> http://titan7.2222mb.com/myspace.php

....were all reported on the 21st of January, and a few days later nobody had replied to my ticket. So much for the "24 / 7" support. I added to the ticket a few days later (with words to the effect of "these pages still appear to be live"), and that was ignored too.

Okay, change of plan. Let's go to the guy who must be providing these reseller accounts to these webhosts in the first place. A quick check of the whois data for 2222mb reveals....something weird, actually. The other hosting services that are presumably reseller accounts provided to individuals by "Tycho" have different addresses listed, as you would expect (110mb.com, for example, is owned by someone in Australia). With 2222mb.com, though, Tycho's own "Admin Contact" address is listed as the main contact address for this domain.

owner-contact: O-EZL21
owner-organization: E-lab BV
owner-street: Weverstede 27 b
owner-city: Nieuwegein
owner-zip: 3431 JS
owner-country: NL
owner-phone: +31 615065229
owner-email: tycho@e-lab.nl

Is the owner of this reseller account living with Tycho or something? Could it be Tycho himself? It seems unlikely, given that Tycho replied to my first email to him (sent on the Tenth of February) with the following:

"Dear,
I will tell my client to remove these asap.

Regards,
Tycho"

...."My Client"? Okay, so why is his own Admin address listed as the primary contact point for this domain when someone else apparently owns it?

Anyway, all of the above phish pages were deleted - but I had a second, final batch of pages that needed to be deleted too. As anything and everything sent to abuse@2222mb.com and postmaster@2222mb.com went unanswered, I thought I'd better send Tycho another email. He'd fix those too, right?

Wrong.

Three more emails, sent on the 11th, 13th and 15th of February went unanswered - as did the second round of tickets raised inside the 2222mb system:

[Image: http://blog.spywareguide.com/upload/2008/02/unanswered-thumb.gif (click to enlarge)]

Two of the above phish pages have since gone offline, but it seems unlikely that I had anything to do with it, given that all the rest are still online and happily phishing away. I thought I'd check out the E-Lab site attached to Tycho's email address - here's where things spiral into madness:

[Image: http://blog.spywareguide.com/upload/2008/02/elab1-thumb.gif (click to enlarge)]

Note the "www" at the start of the web address. So far, so good - nothing out of the ordinary. Just a page that talks about helping people "start out" online with technology-based ventures and the like.

However - type in the address minus the "www" and look what happens:

[Image: http://blog.spywareguide.com/upload/2008/02/stoopid3-thumb.gif (click to enlarge)]

...you're redirected to a site called "Stoopidsh*t.com" that contains links to numerous "extreme / crazy" videos, and also a number of videos that require you to install Zango to play them (they're the ones with the red "play video" buttons).

Apart from the fact that it's a little odd for a site acting as some kind of provider for web services to redirect to something like that, can you guess who the site is registered to?

[Image: fakedata11.GIF]

I have no idea what's going on with that whois data, but it looks a little strange, right? S4V 3C5 is merely a postcode - where is the rest of the address?

Actually, that's not the only website connected to Tycho that looks a little odd in a whois search. Take, for example, the whois for a site called "Riddleman.net":

[Image: riddleman.gif]

....I'm sure you'll agree, that's a pretty strange looking contact address. At any rate, I think we're done poking around the weird and wonderful world of domain registrations. Time to contact Adbrite and let them know that anyone searching for either

a) 2222mb.com information via Google or

b) more information regarding Myspace phish pages on 2222mb.com via Google

is (more often than not) going to see Adbrite pages appear before anything else, usually listing some phishing pages in their own "most trafficked pages" results:

[Image: http://blog.spywareguide.com/upload/2008/02/adbritemyspace2222-thumb.gif (click to enlarge)]

Now, to me, having your own pages pop up when someone searches for somebody else's phish pages is a form of negative association you could do without - both in terms of not wanting to be associated with such a thing, and also not wanting to be seen to be providing a way to generate money for webhosts that don't seem to be overly speedy about removing network abuse.

Surely, when notified about such antics you'd be quick to take action, right? At the very least, you might want to drop the person running your ads a note and suggest that a housecleaning might be in order, lest your account be canceled?

Well, that's what I thought too. However, the emails sent to Adbrite on both the 17th and the 22nd of February have (so far) not had a response from either pr@adbrite.com or support@adbrite.com (note that I only sent Adbrite details of 2222mb.com and the way that requests for phishing pages to be removed were seemingly ignored - they were not sent any additional information regarding other domains, which although interesting, were irrelevant to the point I wanted to raise with Adbrite).

I would hope that Adbrite will take a second look at this and take appropriate action if needed - 2222mb.com has already gained a form of notoriety on hacking / cracking forums as a good place to host phishing pages. Indeed, look at the results from this search...there are many hacking sites distributing tutorials recommending 2222mb.com for phish hosting.

Take those tutorials and combine them with the experiences I had simply trying to get a handful of phish pages taken offline and you have the makings of a problem that is going to grow and grow unless something is done about it.

The question is, is anybody listening and do they actually care?


This page is an archive of entries in the Phish category from February 2008.
