Phishing Scams: March 2009 Archives

We're seeing a wave of Steam related phish scams at the moment. Most (if not all) look something like this:


Click to Enlarge

Ah, the promise of free games. When have you ever let a phisher down?

The domains being used in this scam are:

steampoweredgifts.my3gb.com
steamscommunity.co.cc
gift-steampowered.co.cc
steam-acitvation.co.cc
steamrecommunity.co.cc
mysteamcommunity.co.cc
wtmail.free.fr/steam
games4steam.tk

If / when we come across others, we'll add them to the above list. Quite a few have gone offline already, only to come back to life so it might be a while before all of the above are completely DOA...

There's an old technique in certain forms of martial arts - when confronted by an attacker, just before they start to throw the first punch, you distract them with something utterly stupid.

Could be a silly noise, or you might waggle your arm to the side while pulling a face - doesn't matter. The stupider the better, it's just there to make them wonder what on earth is happening shortly before you put them through a window and run away as fast as you can.

Well, same deal here. Today we came across a program designed to do nothing at all. No hijack, no contacting a server, no files dropped, no registry entries, no staying in memory....nothing.

What is it used for?

Distraction. And lots of it.

There is a video currently in circulation on sites such as Youtube, promoting something called LiveGrabber.



The program looks amazing, gives you all kinds of free things, hands you free accounts for the paid XBox Live service and so on. All done by pushing a few buttons. Here are some pics lifted directly from one of the videos:







Told you it was nice looking.

However, the gimmick here rolls into town exactly six seconds into the video:



"New update available: it will no longer have an interface. It will run silent in the background -  when opened you must visit the website to redeem".

Yes, the NEW version is completely invisible and runs "silently" (extremely silently!), only giving you lots of free things if you visit the website promoted in the video and enter your own Live login details.

Doh.

While we've seen fake programs before, usually they either refuse to work, drop infection files or give out fake error messages.

This is the first time we've seen someone create an extremely slick looking interface for a Youtube video, then reduce it to nothing and pretend it's "doing something in the background". It seems the original version available to download did the usual "fake error message" routine, but the author grew tired of trying to explain away fake error messages.

What could be better than telling people it now runs silently in the background?

At any rate, based on the comments left on the creators Youtube page, it seems it's enough of a distraction to get people to hand over their login details to

lancergrabber.tk


Click to Enlarge


Did I say "user comments"? I sure did. I'll leave you with the thoughts of some people soon to be parted from their Live ID login credentials...









Yes. Of course it does...!

Click to Enlarge

Not much more to add here, other than "avoid".

Today I was browsing around a couple of Arabic language hacking forums, and came across a random link that took me somewhere interesting. Here's a screenshot of said forum, because everyone loves to look at mysterious hacking forums. Right?

Rapidshare premium accounts are big business on phishing / trading sites. It seems they're trying to do something about the problem - anyone going to the premium accounts login screen now sees this:


Click to Enlarge

...a rather fetching "Phishing Warning" box, prominently displayed. Click it, and this appears:




Something like this is always a welcome addition. It's actually been rather humorous watching people on phishing / trading sites agonising over whether or not to include the above on their phish pages in the name of authenticity...

A friend of mine had this sent to them yesterday.

At first glance, it seems like a perfectly regular Phishing mail. However, there's something in there that sort of ruins the whole phishing attempt. In case you miss it, I've highlighted it in bold text. Enjoy...


Dear PayPal Member,

As part of our security measures, we regularly screen activity in the PayPal system. We recently contacted you after noticing an issue on your account.

We requested information from you for the following reason:

We have reason to believe that your account was accessed by a third party. We have limited access to sensitive PayPal account features in case your account has been accessed by an unauthorized third party. We understand that having limited access can be an
inconvenience, but protecting your account is our primary concern.

Case ID Number:

This is a reminder to log in to PayPal as soon as possible.

Be sure to log in securely by opening a new browser window and typing the PayPal URL. Once you log in, you will be provided with steps to restore your account access. We appreciate your understanding as we work to ensure account safety.

In accordance with PayPal's User Agreement, your account access will remain limited until the issue has been resolved.

Unfortunately, if access to your account remains limited for an extended period of time, it may result in further limitations or eventual account closure. We encourage you to log in to your PayPal account as soon as possible to help avoid this.

To review your account and some or all of the information that PayPal used to make its decision to limit your account access, please visit the Resolution Center. If, after reviewing your account information, you seek further clarification regarding your account access, please contact PayPal by visiting the Help Center and clicking "Contact Us".

We thank you for your prompt attention to this matter. Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience.

Sincerely,
PayPal Account Review Department

----------------------------------------------------------------
Copyright ? 1999-2009 PayPal. All rights reserved.

Here's a dubious looking domain:

kasperskykeys.za.pl

As you've probably guessed, the site is being used to lure people with the promise of "free keys" for Kaspersky, only to then try and steal various types of login.

At present, it currently points to a fake Rapidshare page.


Click to Enlarge

Once you enter your Rapidshare premium login details, it's all over but the shouting. Steer clear...

This is something we've seen a lot of recently.

First, we need a Habbo phishing page, with something a little different added into the mix. Like this one:


Click to Enlarge

Notice something? Under the login panel, there's a section that says "Promo Code" and "If you have one, enter to receive an extra 100 credits".

Why would a phishing victim enter a "promo code"? And where would they get one from?

If you want the answer to that, you need to know where to go further upstream. In this case, that would be the main website of the person responsible for the phishing page:


Click to Enlarge

As you can see, it's scam city. Specifically:

"Learn to Scam!

Get rich quick using our scam site maker.

Ever wondered how a lot of Habbos have tonnes of furni ?... Simple, they either scam or spend hundreds of pounds on credits and then trading. But you don't want to be spending any money do you? Wouldn't you rather have it for free?

Using this sites scamming system you can get rich in just a few hours of hard work."

So, we have a "sign up, get phishing" scheme in play. As for the promo codes, you're about to see why this scam is so good, but only for the person who set it all up:



Amazingly, you're told to go off and direct people to two phishing sites operated by the scam site owner, instead of your own phishing URLs. The gag is you have to tell the victims to enter a "promo code" that will allow the scam site to "track which phished accounts belong to you".

Of course, it's all nonsense.

What's actually happening here, is that someone simply sits back and waits for lots of underlings - that would be you, if you happen to fall for this - to run around spreading their phishing links for them.

I'm willing to bet good money that the people recruited for these scams never, ever see the login details of the people they phished - meanwhile, someone sits at the top of the chain, building a scam empire with a maximum of style and a minimum of effort.

Well, as much style as you can muster when scamming scammers, anyway...

Today we came across a collection of approximately 270 sets of login details that have apparently been Phished via a fake XBox Live login page. The list, some 27 pages long in Word format, would allow people to access stolen XBox Live accounts, some of which may have credit card details stored against them (along with other forms of personal information, of course).


Click to Enlarge

The list itself is actually around 300 or so entries, but it seems some of it is duplicate and / or obviously fake data, entered by people annoyed at the Phishers the list has come from (as a side note, I should add it's never a good idea to enter fake info on Phishing pages - it not only makes it harder for people who wade through this info looking for victims to contact, it also opens you up to potential retaliation attacks from the Phishers).

An additional "bonus" of grabbing Live ID data is that you can use it to check out EMail accounts associated with it - not a great situation, and one of the reasons I've never been too keen on "one login to rule them all" situations. We've already seen some people boasting on forums about the info they've pulled from various EMail accounts associated with the list - how quickly "stolen XBox account" becomes "stolen everything else".

This list seems to be in circulation on a number of hacking forums; the majority of the accounts were phished between November and December of last year. Despite the relatively long time that's elapsed since the data was first collected, a lot of the accounts still seem to be accessible based on comments we're seeing on those underground sites. It seems someone might have put their personal stash on "general release" to gain some kudos with others.

We've passed the stolen data onto Microsoft, and we're sure they'll move swiftly to lock down the accounts involved.

At least, not if you're asked to do it at the following location:

updateyourabbeybank.tk

The site is, of course, a phish page. Not a very clever one, at that. There's a particularly useful clue on the page that will helpfully deter some end-users from giving away their login details:


Click to Enlarge

In case you're still wondering, the clue would be the huge Cursormania advert at the bottom of the page. Not too many banking websites have those - even the trendy ones...

Remember this? Well, a rep for Virgin Atlantic left the following comment:

We came across an interesting site the other day:

virrgin-atlanticsairways-uk.com/default.aspx

A replica of the Virgin Atlantic website:


Click to Enlarge

None of the links worked, but you were able to login over on the right. Well, I say "login" - what I actually mean, is "send your account details to the phisher".

Now, I'm not familiar with Virgin Atlantic so you might have to help me out here. The only possible reason I could think of for obtaining Virgin Atlantic "Flying Club" logins was to somehow make use of the airmiles stored against the account. If anyone out there reading this has a Virgin Atlantic account - is that possible? Can you transfer (say) airmiles to other accounts, perhaps? I can't see how the phisher could simply book flights under the name of the stolen account, so I'd guess there must be some way to exploit the system involving airmiles.

Either that, or someone just really likes collecting Virgin Atlantic logins.

Curiously, this phish page pops up in a few other places - most notably, involving complaints related to fake job offers with Virgin Airlines here and here. The site is currently offline, but don't be surprised if they take to the skies again shortly...

I've previously written about phishing scams which appear to look like Rapidshare pages, and claim to offer specific products (without linking to any actual files).

Well, this seems to be an evolution of that particular attack.

Here's one of the newer kinds of Phish I'm talking about.


Click to Enlarge

Here's another site related to Steamgift.com. The site in question this time round is called

steamverification.com

This one takes a (somewhat bizarre) spin on attempting to take your login credentials:


Click to Enlarge

I write quite frequently about Steam scams, because there's a fair chance stolen Steam accounts can have a significant amount of money invested in them. I could simply link to the Wikipedia article describing it, but instead I'll give you a more condensed rundown - hopefully it'll give you a better idea of what's at stake.

Steam - What's The Big Deal?

If you're anything like me, you'd buy a PC game, hurl the discs somewhere and then sometime later when you came to reinstall find the manual with the license key on it was missing.

That used to happen to me a lot.

Steam is an entirely digital distribution service for PC games. Effectively, you substitute those annoying printed keys for a username and password - any games bought under your steam account can be downloaded as many times as you need to, installed on any PC and the purchase made against your username authorises the game to be played.

This means, of course, that someone with a Steam account could well have spent many hundreds of pounds / dollars / insert currency of choice on a wide variety of games. Lose your account, and you've lost a pretty big investment. Now that we've got that out of the way...

What's The Scam?

The website we're looking at today is

Steamgift.com

The website looks almost identical to the real Steam website - indeed, there is only one small (yet crucial) difference. Here's a screenshot:


Click to Enlarge

There's a large blue banner that really shouldn't be there. It reads:

"Free Steam Gift Pack! Absolutely Nothing Required!

Also including The Orange Box, Left 4 Dead, Audiosurf, Counter Strike Source, Counter Strike, Garry's Mod, Call of Duty 4 and more".

Sounds too good to be true, doesn't it?

Sure enough, click the banner and you'll see a page positively stuffed to bursting point with encouragement.


Click to Enlarge

Encouragement to fall victim to a scam, that is. Hit the "Click here for free gift" button and a final piece of "DO IT NOW" harassment awaits...


Click to Enlarge

If you fill in your Steam account details and hit "Login", you've just waved goodbye to your account.


Click to Enlarge

"Success - Your account will be credited with the Steam Gift Pack within 24 hours".

I'm willing to bet good money that isn't going to be the case...