Phishing Scams: March 2009 Archives

Steamy Phishing

| | Comments (0)
We're seeing a wave of Steam related phish scams at the moment. Most (if not all) look something like this:

stegiveaway1.jpg
Click to Enlarge

Ah, the promise of free games. When have you ever let a phisher down?

The domains being used in this scam are:

steampoweredgifts.my3gb.com
steamscommunity.co.cc
gift-steampowered.co.cc
steam-acitvation.co.cc
steamrecommunity.co.cc
mysteamcommunity.co.cc
wtmail.free.fr/steam
games4steam.tk

If / when we come across others, we'll add them to the above list. Quite a few have gone offline already, only to come back to life so it might be a while before all of the above are completely DOA...

There's an old technique in certain forms of martial arts - when confronted by an attacker, just before they start to throw the first punch, you distract them with something utterly stupid.

Could be a silly noise, or you might waggle your arm to the side while pulling a face - doesn't matter. The stupider the better, it's just there to make them wonder what on earth is happening shortly before you put them through a window and run away as fast as you can.

Well, same deal here. Today we came across a program designed to do nothing at all. No hijack, no contacting a server, no files dropped, no registry entries, no staying in memory....nothing.

What is it used for?

Distraction. And lots of it.

There is a video currently in circulation on sites such as Youtube, promoting something called LiveGrabber.

livegrabber.jpg

The program looks amazing, gives you all kinds of free things, hands you free accounts for the paid XBox Live service and so on. All done by pushing a few buttons. Here are some pics lifted directly from one of the videos:

livegrabber2.jpg

livegrabber3.jpg

livegrabber4.jpg

Told you it was nice looking.

However, the gimmick here rolls into town exactly six seconds into the video:

livegrabber5.jpg

"New update available: it will no longer have an interface. It will run silent in the background -  when opened you must visit the website to redeem".

Yes, the NEW version is completely invisible and runs "silently" (extremely silently!), only giving you lots of free things if you visit the website promoted in the video and enter your own Live login details.

Doh.

While we've seen fake programs before, usually they either refuse to work, drop infection files or give out fake error messages.

This is the first time we've seen someone create an extremely slick looking interface for a Youtube video, then reduce it to nothing and pretend it's "doing something in the background". It seems the original version available to download did the usual "fake error message" routine, but the author grew tired of trying to explain away fake error messages.

What could be better than telling people it now runs silently in the background?

At any rate, based on the comments left on the creators Youtube page, it seems it's enough of a distraction to get people to hand over their login details to

lancergrabber.tk

livegrabber6.jpg
Click to Enlarge


Did I say "user comments"? I sure did. I'll leave you with the thoughts of some people soon to be parted from their Live ID login credentials...

livegrabber7.jpg


livegrabber8.jpg

livegrabber9.jpg


Yes. Of course it does...!
casg1.jpg
Click to Enlarge

Not much more to add here, other than "avoid".

Today I was browsing around a couple of Arabic language hacking forums, and came across a random link that took me somewhere interesting. Here's a screenshot of said forum, because everyone loves to look at mysterious hacking forums. Right?

phrepos1.gif

Anyway, the site in question (registered to someone in Rabat, Morocco though this could well be fake data) appears to house the beginnings of a "banking phish" archive. Check it out:

phrepos2.gif
Click to Enlarge

The site is a dumping ground for everything from Wachovia and Natwest to Chase and Barclays phish pages. In general, phish page sharing is usually done in a disorganised and quite random fashion on forums. To start stacking them up like this (it kind of reminds me a little of defacement archives) is quite an interesting and vaguely worrying approach.

At the top, the banner also promises unfinished sections such as "Letters" (presumably forgeries intended for real world scams), Mailing programs (those spam links won't send themselves to people!) and "CVV" (Card Verification Value).

The final insult is that this domain has actually been around since 2001, and in its original form actually fought scams - now it is one.

We'll be reporting the site and monitoring it closely in the meantime...

 

Rapidshare premium accounts are big business on phishing / trading sites. It seems they're trying to do something about the problem - anyone going to the premium accounts login screen now sees this:

rsantiph1.jpg
Click to Enlarge

...a rather fetching "Phishing Warning" box, prominently displayed. Click it, and this appears:

rsantiph2.jpg


Something like this is always a welcome addition. It's actually been rather humorous watching people on phishing / trading sites agonising over whether or not to include the above on their phish pages in the name of authenticity...

Epic Phishing Fail

| | Comments (1)
A friend of mine had this sent to them yesterday.

At first glance, it seems like a perfectly regular Phishing mail. However, there's something in there that sort of ruins the whole phishing attempt. In case you miss it, I've highlighted it in bold text. Enjoy...


Dear PayPal Member,

As part of our security measures, we regularly screen activity in the PayPal system. We recently contacted you after noticing an issue on your account.

We requested information from you for the following reason:

We have reason to believe that your account was accessed by a third party. We have limited access to sensitive PayPal account features in case your account has been accessed by an unauthorized third party. We understand that having limited access can be an
inconvenience, but protecting your account is our primary concern.

Case ID Number:

This is a reminder to log in to PayPal as soon as possible.

Be sure to log in securely by opening a new browser window and typing the PayPal URL. Once you log in, you will be provided with steps to restore your account access. We appreciate your understanding as we work to ensure account safety.

In accordance with PayPal's User Agreement, your account access will remain limited until the issue has been resolved.

Unfortunately, if access to your account remains limited for an extended period of time, it may result in further limitations or eventual account closure. We encourage you to log in to your PayPal account as soon as possible to help avoid this.

To review your account and some or all of the information that PayPal used to make its decision to limit your account access, please visit the Resolution Center. If, after reviewing your account information, you seek further clarification regarding your account access, please contact PayPal by visiting the Help Center and clicking "Contact Us".

We thank you for your prompt attention to this matter. Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience.

Sincerely,
PayPal Account Review Department

----------------------------------------------------------------
Copyright ? 1999-2009 PayPal. All rights reserved.
Here's a dubious looking domain:

kasperskykeys.za.pl

As you've probably guessed, the site is being used to lure people with the promise of "free keys" for Kaspersky, only to then try and steal various types of login.

At present, it currently points to a fake Rapidshare page.

kaspkeys1.jpg
Click to Enlarge

Once you enter your Rapidshare premium login details, it's all over but the shouting. Steer clear...
This is something we've seen a lot of recently.

First, we need a Habbo phishing page, with something a little different added into the mix. Like this one:

scamhb1.jpg
Click to Enlarge

Notice something? Under the login panel, there's a section that says "Promo Code" and "If you have one, enter to receive an extra 100 credits".

Why would a phishing victim enter a "promo code"? And where would they get one from?

If you want the answer to that, you need to know where to go further upstream. In this case, that would be the main website of the person responsible for the phishing page:

habscm2.gif
Click to Enlarge

As you can see, it's scam city. Specifically:

"Learn to Scam!

Get rich quick using our scam site maker.

Ever wondered how a lot of Habbos have tonnes of furni ?... Simple, they either scam or spend hundreds of pounds on credits and then trading. But you don't want to be spending any money do you? Wouldn't you rather have it for free?

Using this sites scamming system you can get rich in just a few hours of hard work."


So, we have a "sign up, get phishing" scheme in play. As for the promo codes, you're about to see why this scam is so good, but only for the person who set it all up:

habscm3.gif

Amazingly, you're told to go off and direct people to two phishing sites operated by the scam site owner, instead of your own phishing URLs. The gag is you have to tell the victims to enter a "promo code" that will allow the scam site to "track which phished accounts belong to you".

Of course, it's all nonsense.

What's actually happening here, is that someone simply sits back and waits for lots of underlings - that would be you, if you happen to fall for this - to run around spreading their phishing links for them.

I'm willing to bet good money that the people recruited for these scams never, ever see the login details of the people they phished - meanwhile, someone sits at the top of the chain, building a scam empire with a maximum of style and a minimum of effort.

Well, as much style as you can muster when scamming scammers, anyway...
Today we came across a collection of approximately 270 sets of login details that have apparently been Phished via a fake XBox Live login page. The list, some 27 pages long in Word format, would allow people to access stolen XBox Live accounts, some of which may have credit card details stored against them (along with other forms of personal information, of course).

stolenxbox1.jpg
Click to Enlarge

The list itself is actually around 300 or so entries, but it seems some of it is duplicate and / or obviously fake data, entered by people annoyed at the Phishers the list has come from (as a side note, I should add it's never a good idea to enter fake info on Phishing pages - it not only makes it harder for people who wade through this info looking for victims to contact, it also opens you up to potential retaliation attacks from the Phishers).

An additional "bonus" of grabbing Live ID data is that you can use it to check out EMail accounts associated with it - not a great situation, and one of the reasons I've never been too keen on "one login to rule them all" situations. We've already seen some people boasting on forums about the info they've pulled from various EMail accounts associated with the list - how quickly "stolen XBox account" becomes "stolen everything else".

This list seems to be in circulation on a number of hacking forums; the majority of the accounts were phished between November and December of last year. Despite the relatively long time that's elapsed since the data was first collected, a lot of the accounts still seem to be accessible based on comments we're seeing on those underground sites. It seems someone might have put their personal stash on "general release" to gain some kudos with others.

We've passed the stolen data onto Microsoft, and we're sure they'll move swiftly to lock down the accounts involved.
At least, not if you're asked to do it at the following location:

updateyourabbeybank.tk

The site is, of course, a phish page. Not a very clever one, at that. There's a particularly useful clue on the page that will helpfully deter some end-users from giving away their login details:

fakeabbey1.jpg
Click to Enlarge

In case you're still wondering, the clue would be the huge Cursormania advert at the bottom of the page. Not too many banking websites have those - even the trendy ones...
pshtxt1.jpg


....apparently not. I've no idea what the unfortunate person above had stolen, but always worth remembering: never trust anything asking for your login credentials, regardless of whether it comes via email, phone, text or carrier pigeon.
Remember this? Well, a rep for Virgin Atlantic left the following comment:

"Virgin Atlantic can confirm that the website www.virrgin-atlanticsairways-uk.com has been shut down.

The website was associated with a recruitment phishing scam. Virgin Atlantic is in no way associated with this scam and would never offer to ask members of the public to part with money in applying for a career at the airline.

At Virgin Atlantic we take these matters very seriously. We have reported this matter to the Police and have been successful in clamping down on the scam, by closing down associated websites, telephone numbers and email addresses.

To look for legitimate recruitment opportunities with Virgin Atlantic Airways, please visit http://www.virgin-atlantic.com/careers

Virgin Atlantic"

Kudos to Virgin Atlantic for actively pursuing the offending website - it doesn't always pan out like that...


Airmiles Phish?

| | Comments (1)
We came across an interesting site the other day:

virrgin-atlanticsairways-uk.com/default.aspx

A replica of the Virgin Atlantic website:

v1.jpg
Click to Enlarge

None of the links worked, but you were able to login over on the right. Well, I say "login" - what I actually mean, is "send your account details to the phisher".

Now, I'm not familiar with Virgin Atlantic so you might have to help me out here. The only possible reason I could think of for obtaining Virgin Atlantic "Flying Club" logins was to somehow make use of the airmiles stored against the account. If anyone out there reading this has a Virgin Atlantic account - is that possible? Can you transfer (say) airmiles to other accounts, perhaps? I can't see how the phisher could simply book flights under the name of the stolen account, so I'd guess there must be some way to exploit the system involving airmiles.

Either that, or someone just really likes collecting Virgin Atlantic logins.

Curiously, this phish page pops up in a few other places - most notably, involving complaints related to fake job offers with Virgin Airlines here and here. The site is currently offline, but don't be surprised if they take to the skies again shortly...
I've previously written about phishing scams which appear to look like Rapidshare pages, and claim to offer specific products (without linking to any actual files).

Well, this seems to be an evolution of that particular attack.

Here's one of the newer kinds of Phish I'm talking about.

rsupd1.jpg
Click to Enlarge

"This file is larger than 200 Megabyte. To download this file, you either need a Premium Account, or the owner of this file may carry the downloading cost by making use of "TrafficShare".

The interesting part is that (unlike the earlier phish pages covered) these ones actually link to genuine files on Rapidshare, all adding to the illusion that this is legitimate (if you try to download the file on Rapidshare, you'll be given the same message regarding premium accounts).

Quite a smart tactic, then. Of course, you really shouldn't be downloading files with "Warez" in the name anyway...
Here's another site related to Steamgift.com. The site in question this time round is called

steamverification.com

This one takes a (somewhat bizarre) spin on attempting to take your login credentials:

stvr1.jpg
Click to Enlarge

The site reads:

"The Steam Verification System is to ensure that multiple IP addresses are not used to access a single account. Please enter you account credentials below to verify your account. Accounts not verified within 24 hours of notice will be permanently disabled."

Given that one of the biggest plus points of Steam is that you can use your account on as many PCs as you want to - indeed, there are dedicated Steam sections in web cafes for just such a purpose - it seems ludicrous to base their scare tactics on multiple IP addresses (especially as the scam site actually links to a web cafe information page just out of screenshot).

However, there's always going to be someone who falls for this kind of scam.

Interestingly, the creator of both these sites has been promoting them on Youtube, under the account name of

SteamVerification

And is listed as being 30, based in the United States. Typically, he's leaving comments such as these on Youtube videos:

stvr2.jpg

stvr3.jpg

As you might imagine, there are some rather angry comments appearing on his userpage. Here's some of the friendlier ones:

stvr4.jpg
Click to Enlarge

Another interesting "feature" of these scams is that the Whois data isn't anonymised. Currently, the information for both sites reads as follows:

Domain Name: STEAMGIFT.COM / STEAMVERIFICATION.COM

Registrant:
    N/A
    Steve Zestner
    4163 Mesa Drive
    Lake Mead
    California,16609
    US

Of course, these could be entirely fake details - but usually, websites such as these are either use anonymous registration service or obviously fake information. Could our phisher have been so silly to use his real name and address?

Perhaps. The only really important part to remember is to give websites such as the above a very wide berth...
I write quite frequently about Steam scams, because there's a fair chance stolen Steam accounts can have a significant amount of money invested in them. I could simply link to the Wikipedia article describing it, but instead I'll give you a more condensed rundown - hopefully it'll give you a better idea of what's at stake.

Steam - What's The Big Deal?

If you're anything like me, you'd buy a PC game, hurl the discs somewhere and then sometime later when you came to reinstall find the manual with the license key on it was missing.

That used to happen to me a lot.

Steam is an entirely digital distribution service for PC games. Effectively, you substitute those annoying printed keys for a username and password - any games bought under your steam account can be downloaded as many times as you need to, installed on any PC and the purchase made against your username authorises the game to be played.

This means, of course, that someone with a Steam account could well have spent many hundreds of pounds / dollars / insert currency of choice on a wide variety of games. Lose your account, and you've lost a pretty big investment. Now that we've got that out of the way...

What's The Scam?

The website we're looking at today is

Steamgift.com

The website looks almost identical to the real Steam website - indeed, there is only one small (yet crucial) difference. Here's a screenshot:

steamgift1.jpg
Click to Enlarge

There's a large blue banner that really shouldn't be there. It reads:

"Free Steam Gift Pack! Absolutely Nothing Required!

Also including The Orange Box, Left 4 Dead, Audiosurf, Counter Strike Source, Counter Strike, Garry's Mod, Call of Duty 4 and more".


Sounds too good to be true, doesn't it?

Sure enough, click the banner and you'll see a page positively stuffed to bursting point with encouragement.

steamgift2.jpg
Click to Enlarge

Encouragement to fall victim to a scam, that is. Hit the "Click here for free gift" button and a final piece of "DO IT NOW" harassment awaits...

steamgift3.jpg
Click to Enlarge

If you fill in your Steam account details and hit "Login", you've just waved goodbye to your account.

steamgift4.jpg
Click to Enlarge

"Success - Your account will be credited with the Steam Gift Pack within 24 hours".


I'm willing to bet good money that isn't going to be the case...

Pages

About this Archive

This page is a archive of entries in the Phishing Scams category from March 2009.

Phishing Scams: February 2009 is the previous archive.

Phishing Scams: April 2009 is the next archive.

Find recent content on the main index or look in the archives to find all content.