The MSN Dark Chain of Spam – yopicz.com and others

Hi,

As you have seen from my precedent posts in this period MSN Privacy Threat Domains signed a significative incrase. You can also see how methods and structures used in these domains are similar.

The same HongKong Domain runned with the same HTTP-Daemon, the same way of Tracking Cookie releasing and finally different advertised End Point Domains.

Now my question was “Is possible to reveal the presence of a Chain of Spam Informations between these sites?”

The response come out automatically yesterday, some time ago I’ve created a fake MSN Account and joined to one of these “Services”, precisely yopicz.com.

yopicz.com is one of the classical Domain spreaded through MSN, but with some basilar difference respect others one.

Let’s see the code:

<html>
<head>
<title></title>
</head>
<frameset cols=”0,*” frameborder=0>
<frame src=”pop.php” name=””>
<frame src=”indexx.php” name=”mainwindow”>
</frameset>
</html>
<script src=”http://www.google-analytics.com/urchin.js&#8221; type=”text/javascript”>
</script>
<script type=”text/javascript”>
_uacct = “UA-3898830-2”;
urchinTracker();
</script>

-> pop.php

<script>
var UserClicked=false;
document.onkeydown=spyclick;
document.onmousedown=spyclick;
function spyclick()
{
UserClicked=true;
setTimeout(“UserClicked=false”,2000);
}
function popup()
{
if(!UserClicked)
{
var win=window.open(“http://awesomeoffers.info&#8221;,””,”width=1024,height=768″)
}
}
window.onbeforeunload=popup;
</script>

In other words you’re redirected to awesomeoffers.info that is the advertised Website.

-> indexx.php

Contains a fake Privacy Policy

“By filling out this form, you authorize TST Management, Inc to spread the word
about this 100% real and upcomming Messenger Community Site.
You will receive your share of the credit in helping us spread the word.Β  This is a harmless
Community site which is offering users a platform to meet each other for free.

We do not share your private information with any third parties.

This page is not affiliated with or operated by Microsoft(tm) or MSN Network(tm).

TST Management, Inc reserves the right to change the terms of use / privacy policy
at any time without notice. To view the latest version of this privacy policy,
simply bookmark this page for future reference.

You understand that this agreement shall prevail if there is any conflict between this

agreement and the terms of use you accepted when you signed up with MSN. You also
understand that by temporarily accessing your msn account, TST Management, Inc
is NOT agreeing to MSN’s terms
of use and therefore not bound by them.

Eheheheheeh strange this TST Management!! has a “Legal” Privacy Policy that is not conventionally written, a “Legal Policy” that breaks Microsoft and MSN Laws? wooow are in front of a new frontier of legality!! Sign a Legal Policy to Break legally third parties laws!πŸ™‚

After substribing to yopicz.com my HoneyPot account popped with various advices from

  • awesomezz.com
  • PassionZz.com
  • RealDealzz.com
  • insaneimagz.com

So this IS a CHAIN of Spam Websites that exchange/sends your credentials to the various domains!

If you receive other of these advices report me it, and I’ll dissect itπŸ™‚

May the God of Paranoia be with youπŸ™‚

5 Responses to The MSN Dark Chain of Spam – yopicz.com and others

  1. ^_^ Me says:

    Great analysis my dearπŸ™‚

  2. Jas says:

    how to remove this??

  3. After reading through the article, I feel that I need more info. Could you suggest some more resources ?

  4. evilcodecave says:

    I don’t know other info about msn spam, but by searching on google you can see many msn virus explainations

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: