Hi,
New Year, old credential-theft method 🙂
This morning my MSN honeypot caught the following URL, spread as an offline message:
http://_MSN_USER_NAME.crazy-new-year-party-pics.com/
The victim is led to enter [MSN-E-Mail] and [MSN-Password] to view the promised New Year pics, which do not exist.
I've already analysed this system in my previous posts: there is a fake "Terms and User Conditions" page that the victim implicitly accepts, allowing the spammers to use his account to promote their market proposals to his other contacts.
As usual, the service is placed in the Republic of Panama 😉
```html
<title></title>
</head>
<frameset cols="0,*" frameborder=0>
<frame src="pop.php" name="">
<frame src="indexx.php" name="mainwindow">
</frameset>
```
Note the cols="0,*": the first column has zero width, so pop.php loads invisibly while the victim sees only indexx.php. Let's analyse these two pages:
–> pop.php
```javascript
// pop.php: loaded in the zero-width frame; its only job is to open a pop-up window.
// UserClicked is not defined in the captured fragment; declared here so the snippet runs.
var UserClicked = false;
function popup()
{
    if(!UserClicked)
    {
        var win=window.open("http://specialofferforu.info","","width=1024,height=768")
    }
}
```
A simple pop-up that opens specialofferforu.info.
–> indexx.php
This is the page you see when you click the MSN link.
These are the response headers from the web server:
```http
HTTP/1.0 200 OK
Connection: close
X-Powered-By: PHP/4.4.8
Content-type: text/html
Content-Length: 791
Date: Thu, 01 Jan 2009 17:15:18 GMT
Server: lighttpd/1.4.19
```
As usual, the server runs PHP/4.4.8 and lighttpd/1.4.19, the same pair as the previously seen credential catchers; and if we investigate where the domains come from, we discover that all these services are hosted in Hong Kong.
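To turn the indicators above (the lure URL built from the contact's own MSN name, the zero-width frame hiding pop.php, the window.open() pop-up, and the PHP/4.4.8 + lighttpd/1.4.19 banner) into something an analyst can run over captured samples, here is an added example, not code from the original post or from the kit itself. The sample message, HTML, script and headers are constructed from what the post shows; the function names are this example's own.

```python
"""Indicator extraction for the MSN credential-theft kit described above.

Added example, not code from the original post or from the kit. The sample
message, HTML, pop.php script and headers are constructed from what the post
shows; the function names are this example's own.
"""
import re
from html.parser import HTMLParser

# The lure uses the targeted contact's own MSN name as the subdomain.
LURE_URL_RE = re.compile(
    r"https?://(?P<user>[A-Za-z0-9._-]+)\.crazy-new-year-party-pics\.com/?",
    re.IGNORECASE,
)
# window.open("http://...", ...) as used by pop.php
POPUP_RE = re.compile(r"window\.open\(\s*[\"']([^\"']+)[\"']")
ZERO_WIDTH_RE = re.compile(r"0+(px|%)?")
# Server banner the post reports on every instance of this kit so far.
KIT_SERVER = "lighttpd/1.4.19"
KIT_PHP = "PHP/4.4.8"

# Constructed samples (reconstructed from the post, not captured traffic).
SAMPLE_MESSAGE = "hey check my new year pics http://_MSN_USER_NAME.crazy-new-year-party-pics.com/"
SAMPLE_HTML = """<html><head><title></title></head>
<frameset cols="0,*" frameborder=0>
<frame src="pop.php" name="">
<frame src="indexx.php" name="mainwindow">
</frameset></html>"""
SAMPLE_POP_JS = 'if(!UserClicked){var win=window.open("http://specialofferforu.info","","width=1024,height=768")}'
SAMPLE_HEADERS = """HTTP/1.0 200 OK
Connection: close
X-Powered-By: PHP/4.4.8
Content-type: text/html
Content-Length: 791
Date: Thu, 01 Jan 2009 17:15:18 GMT
Server: lighttpd/1.4.19"""


def find_lure(message):
    """Return the MSN name embedded in a lure URL, or None if there is no lure."""
    m = LURE_URL_RE.search(message)
    return m.group("user") if m else None


class _FrameScanner(HTMLParser):
    """Map each <frame> to the width of the frameset column that holds it."""

    def __init__(self):
        super().__init__()
        self._open = []      # [widths, next column index] per open frameset
        self.hidden = []     # src values sitting in a zero-width column
        self.visible = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "frameset":
            spec = a.get("cols") or a.get("rows") or "*"
            self._open.append([[w.strip() for w in spec.split(",")], 0])
        elif tag == "frame" and self._open:
            widths, i = self._open[-1]
            self._open[-1][1] = i + 1
            width = widths[i] if i < len(widths) else "*"
            target = self.hidden if ZERO_WIDTH_RE.fullmatch(width) else self.visible
            target.append(a.get("src", ""))

    def handle_endtag(self, tag):
        if tag == "frameset" and self._open:
            self._open.pop()


def hidden_frame_sources(html):
    """Frames the victim never sees: the kit parks pop.php in a "0" column."""
    p = _FrameScanner()
    p.feed(html)
    return p.hidden


def popup_targets(script):
    """URLs opened by window.open() in the hidden frame's script."""
    return POPUP_RE.findall(script)


def matches_kit_server(raw_headers):
    """True if the banner matches the PHP/lighttpd pair seen on this kit."""
    headers = {}
    for line in raw_headers.splitlines()[1:]:      # skip the status line
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    return headers.get("server") == KIT_SERVER and headers.get("x-powered-by") == KIT_PHP


def analyse(message, html, script, raw_headers):
    """Combine the indicators into one report for a captured sample."""
    return {
        "lure_user": find_lure(message),
        "hidden_frames": hidden_frame_sources(html),
        "popups": popup_targets(script),
        "kit_server": matches_kit_server(raw_headers),
    }


if __name__ == "__main__":
    for k, v in analyse(SAMPLE_MESSAGE, SAMPLE_HTML, SAMPLE_POP_JS, SAMPLE_HEADERS).items():
        print(f"{k}: {v}")
```

The frame scanner walks nested framesets, so it also flags a hidden frame buried one level down; the server check is deliberately exact, since the post's point is that the same PHP/lighttpd pair recurs across kits, and a looser match would fire on unrelated lighttpd hosts.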
IP Address: 202.64.61.208
Response Code: 200
Domain Status: Registered And Active Website
Finally, after all these recurrences, we can say that MSN spam works in two steps:
1) Data mining period, when the Hong Kong cellar tries to catch as many user credentials as possible.
2) Spam spreading period, when the collected credentials are used to spread their market proposals.
Have a nice and Happy New Year! 🙂
Evilcry
[…] Obviously this is a phishing method whose aim is to steal your account and password. The culprit has already been exposed; it's a guy from Hong Kong. See: https://evilcodecave.wordpress.com/2009/01/01/httpcrazy-new-year-party-picscom-msn-credential-theft/. […]
Cheers mate, I read the terms and conditions, something didn't seem right from the start, the message popped up in MSN Messenger today. I'm surprised that in this day and age people still fall for this stuff. Gotta say it's not the best start to the New Year.
The masses are easy to deceive; just consider that spam lives because people "believe" in its offers 😉
hej
Thank you for your link 🙂
Hi:)
A friend of mine fell for this one and his computer is infected. Do you know how I can help him get rid of it?
Happy new year and best wishes for 2009:)
It depends on the kind of malware your friend has. Does he know the name? If yes, post me the name and I'll release a post with removal information.
This kind of MSN activity involves no infectors, only privacy theft; change the MSN password and no more messages will bother you 🙂
Thankfully I knew something was wrong after falling for it the last time this happened. Two of my friends fell for it already, but I just got off with one of them after giving her an application to fix/divert the problem.
I have no idea what kind of malware he has, and I bet he doesn't know it either. But thank you ever so much for replying :)
Red62 – what app did you use to remove the MSN spammer?
Again, NO APPLICATIONS, JUST CHANGE THE PASSWORD.
Thanks for your source. It will be very safe if you don't enter your password on other websites.
Hi,
Glad to have helped you 🙂
Remember to change the password of the MSN contact that sends you notices, so you will not get these annoying messages 😉
Regards,
Evilcry