Hi there,
These days another malicious domain, built specifically to steal MSN credentials, is active. The propagation method is always the same: you receive an offline message from an already infected user on your MSN contact list.
http://{ACCOUNT_NAME}zopblob.com/
The server used is, as usual, lighttpd:
HTTP/1.0 200 OK
Connection: close
X-Powered-By: PHP/4.4.8
Content-type: text/html
Content-Length: 791
Date: Sun, 25 Jan 2009 01:01:51 GMT
Server: lighttpd/1.4.19
and the page behind the link, dissected, looks like this:
<html>
<head>
<title></title>
</head>
<frameset cols="0,*" frameborder=0>
<frame src="pop.php" name="">
<frame src="indexx.php" name="mainwindow">
</frameset>
This time there is also a small difference: the malicious domain includes tracking functionality.
<script type="text/javascript">
var sc_project=4080201;
var sc_invisible=1;
var sc_partition=49;
var sc_click_stat=1;
var sc_security="0c7fe093";
</script>
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
var pageTracker = _gat._getTracker("UA-1033286-4");
pageTracker._trackPageview();
</script>
A domain WHOIS lookup reveals that the source of this malicious domain is always the same, Panama:
http://www.networksolutions.com/whois-search/zopblob.com
See you in the next post.
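As an added example (not code from the original post): the tracker account IDs embedded in a page like this can be reused across domains run by the same operator, so pulling them out of captured source gives a defender a pivot for clustering related pages. The function name and output keys are assumptions made for this example; the sample input is the listing above with quotes and line breaks normalised.

```python
import re
from html.parser import HTMLParser

# Page source as listed in the post, with quotes and line breaks normalised.
SAMPLE = """<html> <head> <title></title> </head>
<frameset cols="0,*" frameborder=0>
<frame src="pop.php" name=""> <frame src="indexx.php" name="mainwindow">
</frameset>
<script type="text/javascript">
var sc_project=4080201; var sc_invisible=1; var sc_partition=49;
var sc_click_stat=1; var sc_security="0c7fe093";
</script>
<script type="text/javascript">
var pageTracker = _gat._getTracker("UA-1033286-4");
pageTracker._trackPageview();
</script>"""


class FrameCollector(HTMLParser):
    """Collect frame sources and pair each with its frameset column width."""

    def __init__(self):
        super().__init__()
        self.cols, self.pos, self.frames = [], 0, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "frameset":
            self.cols = [c.strip() for c in (a.get("cols") or "").split(",")]
            self.pos = 0
        elif tag == "frame":
            width = self.cols[self.pos] if self.pos < len(self.cols) else "?"
            self.frames.append({"src": a.get("src"), "width": width})
            self.pos += 1


def extract_indicators(html):
    """Return frame layout and tracker account IDs found in a captured page."""
    fc = FrameCollector()
    fc.feed(html)
    return {
        "frames": fc.frames,
        # A frame in a zero-width column is loaded but never visible to the user.
        "hidden_frames": [f["src"] for f in fc.frames if f["width"] in ("0", "0%")],
        "ga_accounts": sorted(set(re.findall(r"\bUA-\d+-\d+\b", html))),
        "statcounter_projects": sorted(set(re.findall(r"\bsc_project\s*=\s*(\d+)", html))),
        "statcounter_security": sorted(set(re.findall(r"sc_security\s*=\s*[\"']([0-9a-f]+)[\"']", html))),
    }


if __name__ == "__main__":
    for key, value in extract_indicators(SAMPLE).items():
        print(f"{key}: {value}")
```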
January 26, 2009 at 3:48 pm |
Thank you for this info! You solved a mystery for me, I thought I was going insane, and that there was a glitch in the matrix…
I received a message from zopblob, it created a url for me with my name in it like this:
myname.zopblob.com and the message was that my son (the name of my son was written) has ordered 4 ounces of legal herbs from a site.
When I checked the url it directed me to a site selling legal herbs.
This all happened on a Sunday morning when I was extremely hungover, and I got all the messages into my phone, so I had no idea what was going on, and I thought of asking my son, but thanks to you, I know now that my 15-year-old son is not smoking legal herbs. (And I hope he is not smoking any other herb either, at least not yet