Another MSN Privacy / Spam Threat awesomezz.com

Hi,

Thanks to a report from Roberta, I've identified another spam/privacy threat spreading over MSN.

The structure is identical to ultimatestufff; only the end-point domain changes.

Online contacts receive an offline message composed in this way: http://_mail_address.awesomezz.com

Let’s dissect it!

From the HTTP headers we can see that this domain runs on a small web server:

HTTP/1.0 200 OK
Connection: close
X-Powered-By: PHP/4.4.8
Content-type: text/html
Content-Length: 242
Date: Thu, 21 Aug 2008 15:00:41 GMT
Server: lighttpd/1.4.19

And this is the HTML code:

<html>
<head>
<title></title>
</head>
<frameset rows="*,30,1" frameborder=0>
<frame src="indexx.php" name="">
<frame src="abuse.html" name= frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame>
<frame src="counter.php" name= frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame>
</frameset>
</html>

-> counter.php

<img src="http://www.ipcounter.de/count.php?u=52572355&amp;color=pink" alt="" border="0" width=0 height=0></a></noscript><img src="http://www.ipcounter.de/count.php?u=54136814&amp;color=pink" alt="" border="0" width=0 height=0></a></noscript>

-> abuse.html

<center><b>Send Abuses to <a href="mailto:abuse@cpashield.com">abuse@cpashield.com</a></b>

-> indexx.php

The approach is always the same: the user lands on a certain website by passing through another website that installs some tracking cookies. Indeed, as we can see, indexx.php points to Incentaclick:

http://www.incentaclick.com/nclick.php?id=17133&cid=4804&sub=newadx_ita

which transparently (an ordinary user will not notice this step) installs some cookies:

Set-Cookie: IncentaclickUC480417133=480417133newadx_ita; expires=Sat, 20-Sep-2008 07:00:43 GMT; path=/; domain=.incentaclick.com
Set-Cookie: IncentaclickUC480417133=480417133newadx_ita; expires=Sat, 20-Sep-2008 07:00:43 GMT; path=/; domain=www.incentaclick.com
Set-Cookie: IncentaclickTrackCookie4804=17133-newadx_ita; expires=Wed, 19-Nov-2008 07:00:43 GMT; path=/; domain=.incentaclick.com
Set-Cookie: IncentaclickTrackCookie4804=17133-newadx_ita; expires=Wed, 19-Nov-2008 07:00:43 GMT; path=/; domain=www.incentaclick.com

The redirection points to

http://www.flycell.it/offer/?ref=2650&transid=17133-newadx_ita

The pattern is very similar to Ultimatestufff.com, with the difference that the end point seems to be a website for mobile phones, but the user is probably asked to give MSN credentials.

Here is the domain analysis:
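As an added example (not part of the original post), this Python script takes the three captures above and checks that the identifiers in the Incentaclick click URL reappear in the cookies and in the landing URL, which is the evidence worth attaching to an abuse report. Reading id, cid and sub as affiliate, campaign and sub-campaign identifiers is an assumption, and the function names are chosen here.

```python
from urllib.parse import urlsplit, parse_qs

# Captures copied from the post above.
HOP_URL = "http://www.incentaclick.com/nclick.php?id=17133&cid=4804&sub=newadx_ita"
LANDING_URL = "http://www.flycell.it/offer/?ref=2650&transid=17133-newadx_ita"
SET_COOKIE_LINES = [
    "Set-Cookie: IncentaclickUC480417133=480417133newadx_ita; expires=Sat, 20-Sep-2008 07:00:43 GMT; path=/; domain=.incentaclick.com",
    "Set-Cookie: IncentaclickUC480417133=480417133newadx_ita; expires=Sat, 20-Sep-2008 07:00:43 GMT; path=/; domain=www.incentaclick.com",
    "Set-Cookie: IncentaclickTrackCookie4804=17133-newadx_ita; expires=Wed, 19-Nov-2008 07:00:43 GMT; path=/; domain=.incentaclick.com",
    "Set-Cookie: IncentaclickTrackCookie4804=17133-newadx_ita; expires=Wed, 19-Nov-2008 07:00:43 GMT; path=/; domain=www.incentaclick.com",
]


def parse_set_cookie(line):
    """Split one Set-Cookie header line into (name, value, attributes)."""
    body = line.split(":", 1)[1]
    first, *rest = [part.strip() for part in body.split(";")]
    name, _, value = first.partition("=")
    attrs = {k.lower(): v for k, _, v in (p.partition("=") for p in rest)}
    return name, value, attrs


def correlate(hop_url, cookie_lines, landing_url):
    """Check that the click-URL identifiers show up again in the cookies
    and in the landing URL, tying every hop to the same account."""
    query = parse_qs(urlsplit(hop_url).query)
    # Assumption: id = affiliate account, cid = campaign, sub = sub-campaign tag.
    ident, cid, sub = query["id"][0], query["cid"][0], query["sub"][0]
    tagged = []
    for line in cookie_lines:
        name, value, attrs = parse_set_cookie(line)
        if cid in name and ident in value and sub in value:
            tagged.append((name, attrs.get("domain", ""), attrs.get("expires", "")))
    landing = parse_qs(urlsplit(landing_url).query)
    return {
        "id": ident, "cid": cid, "sub": sub,
        "tagged_cookies": tagged,
        "landing_host": urlsplit(landing_url).hostname,
        "landing_tagged": landing.get("transid", [""])[0] == f"{ident}-{sub}",
    }


if __name__ == "__main__":
    report = correlate(HOP_URL, SET_COOKIE_LINES, LANDING_URL)
    for key, value in report.items():
        print(f"{key}: {value}")
```
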

Registry Data

ICANN Registrar: ENOM, INC.
Created: 2008-08-20
Expires: 2009-08-20
Updated: 2008-08-20
Registrar Status: clientTransferProhibited
Name Server: DNS1.REGISTRAR-SERVERS.COM (has 96,391 domains)
Name Server: DNS2.REGISTRAR-SERVERS.COM
Name Server: DNS3.REGISTRAR-SERVERS.COM
Whois Server: whois.enom.com

Server Data

IP Address: 210.56.53.73
IP Location: Hong Kong – Hong Kong (sar) – Hong Kong – Sun Network (hong Kong) Limited
Response Code: 200
Domain Status: Registered And Active Website

See you in the next post

21 Responses to Another MSN Privacy / Spam Threat awesomezz.com

  1. DonovanB says:

    I would be interested to know how this happens. I've just been contacted by a new contact which I made today. I can smell spam a mile away so I haven't visited the link … – as far as I know she is a Mac user … is it a local infection on her machine, or does another 3rd party have access to her MSN logon details?

  2. gingeralice says:

    I’ve got it.
    Boooooo.
    What can I do to fix it?
    I’m a Mac user with no experience of viruses.
    Thank you.

  3. dionysis says:

    My computer is infected, but I couldn’t dissect it with the instructions given. I don’t even understand where I should get started! If it is possible, please make the instructions a little bit more analytic. Thanks anyway.

  4. Djarlo says:

    I got the link from my wife today, and she uses a webmessenger. Can she remove this thing by just removing all cookies from her browser?

  5. evilcodecave says:

    Hi,

    First of all, this application does not affect any part of the PC, but an external entity has your credentials.

    The user is asked to give his credentials (user and passwords), so to
    fix it all you have to do is CHANGE PASSWORDS and CLEAR CACHE 🙂.

    Cookies can be removed if you use Mozilla Firefox (and I hope you use it) with an add-on that you can download from the Mozilla site, called Monster Cookies; if you use another browser, search for a cookie cleaner.

    Regards,
    Giuseppe ‘Evilcry’ Bonfa’

    PS: If someone has other examples of MSN-spreading domains, please report them to me and I’ll dissect them!!!

  6. dionysis says:

    Thanks a lot, once more. I thought that it would be way more difficult 🙂.

  7. Djarlo says:

    Now it doesn't seem to be only awesomezz.com; I also got one today from the same person with the domain yutubez.com

  8. Djarlo says:

    Oh, I forgot to mention: instead of .yutubez.com it is .yutubez.com

  9. evilcodecave says:

    Many thanks for your link, I’ll inspect it as soon as possible! 🙂

    If someone has other links, please let me know the URL.

    Regards,
    Giuseppe ‘Evilcry’ Bonfa’

  10. gingeralice says:

    Many thanks!😀

  12. Boinz says:

    I have another one as well from MSN that ends in
    RealDealzz.com
    PassionZz.com

  13. Ronale says:

    I don’t know if you’ve got this one yet:
    imagshackz.com
    There were some others as well, but haven’t written them down.

  14. evilcodecave says:

    Thank You!!

    Please report to me all domains that you know 🙂

    tnx!

  15. […] – bookmarked by 2 members originally found by XxMomsCutiexX on 2008-10-19 Another MSN Privacy / Spam Threat awesomezz.com https://evilcodecave.wordpress.com/2008/08/21/another-msn-privacy-spam-threat-awesomezzcom/ – […]

  16. […] Nice post, I put a link to it from my site for ya. […]

  17. The style of writing is quite familiar . Did you write guest posts for other bloggers?

  18. evilcodecave says:

    hehe no I write only in this blog

  19. sandrar says:

    Hi! I was surfing and found your blog post… nice! I love your blog. 🙂 Cheers! Sandra. R.
