The MSN Dark Chain of Spam – yopicz.com and others

August 26, 2008

Hi,

As you have seen from my previous posts, MSN privacy-threat domains have increased significantly in this period. You can also see how similar the methods and structures used by these domains are.

The same Hong Kong hosting, run with the same HTTP daemon, the same way of dropping tracking cookies, and finally different advertised end-point domains.

So my question was: “Is it possible to reveal the presence of a spam chain, exchanging information, between these sites?”

The answer came by itself yesterday: some time ago I created a fake MSN account and signed up to one of these “services”, precisely yopicz.com.

yopicz.com is one of the classic domains spread through MSN, but with some basic differences from the others.

Let’s see the code:

<html>
<head>
<title></title>
</head>
<frameset cols="0,*" frameborder=0>
<frame src="pop.php" name="">
<frame src="indexx.php" name="mainwindow">
</frameset>
</html>
<script src="http://www.google-analytics.com/urchin.js" type="text/javascript">
</script>
<script type="text/javascript">
_uacct = "UA-3898830-2";
urchinTracker();
</script>

-> pop.php

<script>
var UserClicked=false;
// any key or mouse press sets the flag; it is cleared again after two seconds
document.onkeydown=spyclick;
document.onmousedown=spyclick;
function spyclick()
{
UserClicked=true;
setTimeout("UserClicked=false",2000);
}
// on leaving the page: open the advertised site unless the user just clicked
function popup()
{
if(!UserClicked)
{
var win=window.open("http://awesomeoffers.info","","width=1024,height=768")
}
}
window.onbeforeunload=popup;
</script>

In other words, whenever you leave the page without having clicked or pressed a key in the last two seconds, a window to awesomeoffers.info, the advertised website, is opened.
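The exit popunder above (an unload handler calling window.open, gated on a two-second "did the user just click?" flag) is a pattern an analyst can look for statically in captured page bodies. The following is an added example, not code from the post or from the sites it dissects: a Python scanner that finds handlers bound to (before)unload, extracts the window.open targets inside them with brace-depth matching, and reports the click-gate trick. The pop.php body is reproduced from the post as input; the benign page, the regexes and the function names are my own assumptions.

```python
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Sample input: the pop.php body quoted in the post, reproduced here as test data.
POP_PHP = """<script>
var UserClicked=false;
document.onkeydown=spyclick;
document.onmousedown=spyclick;
function spyclick()
{
UserClicked=true;
setTimeout("UserClicked=false",2000);
}
function popup()
{
if(!UserClicked)
{
var win=window.open("http://awesomeoffers.info","","width=1024,height=768")
}
}
window.onbeforeunload=popup;
</script>"""

# Constructed benign page: a help window opened from an explicit click, not from unload.
BENIGN = """<script>
function help() { window.open("http://example.com/help", "help", "width=400,height=300"); }
</script>
<button onclick="help()">Help</button>"""

# Handler bound to (before)unload, by property assignment or by addEventListener.
UNLOAD_HOOK = re.compile(
    r"""window\.on(?:before)?unload\s*=\s*(\w+)"""
    r"""|addEventListener\(\s*['"](?:before)?unload['"]\s*,\s*(\w+)""")
# Absolute URL passed as the first argument of window.open.
WINDOW_OPEN = re.compile(r"""window\.open\(\s*['"](https?://[^'"]+)['"]""")
# Keyboard/mouse hooks feeding a "did the user just click?" flag.
CLICK_HOOK = re.compile(r"document\.on(?:mousedown|keydown|click)\s*=")


def function_body(js: str, name: str) -> str | None:
    """Return the source of `function name(...) {...}`, matching braces by depth."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", js)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(js) and depth:
        depth += {"{": 1, "}": -1}.get(js[i], 0)
        i += 1
    return js[m.start():i] if depth == 0 else None


def is_external(host: str, page_host: str) -> bool:
    """True when host is neither the page's host nor one of its subdomains."""
    return bool(host) and host != page_host and not host.endswith("." + page_host)


def find_unload_popunders(html: str, page_host: str) -> list[str]:
    """External hosts opened by a handler that fires when the visitor leaves the page."""
    hits = set()
    for m in UNLOAD_HOOK.finditer(html):
        handler = m.group(1) or m.group(2)
        body = function_body(html, handler) or ""
        for url in WINDOW_OPEN.findall(body):
            host = (urlsplit(url).hostname or "").lower()
            if is_external(host, page_host):
                hits.add(host)
    return sorted(hits)


def analyse_popunder(html: str, page_host: str) -> dict:
    """Summarise the exit-popunder pattern: unload targets plus the click-gate trick."""
    gated = bool(CLICK_HOOK.search(html) and re.search(r"setTimeout\(", html))
    return {"unload_targets": find_unload_popunders(html, page_host), "click_gate": gated}


if __name__ == "__main__":
    print(analyse_popunder(POP_PHP, "yopicz.com"))
    print(analyse_popunder(BENIGN, "example.com"))
```

Run against the captured pop.php it reports awesomeoffers.info as an exit target with the click gate present; the benign page reports nothing. The scanner only follows named handler functions, so an inline `window.onbeforeunload=function(){...}` would need a small extension.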

-> indexx.php

It contains a fake privacy policy:

“By filling out this form, you authorize TST Management, Inc to spread the word about this 100% real and upcoming Messenger Community Site. You will receive your share of the credit in helping us spread the word. This is a harmless Community site which is offering users a platform to meet each other for free.

We do not share your private information with any third parties.

This page is not affiliated with or operated by Microsoft(tm) or MSN Network(tm).

TST Management, Inc reserves the right to change the terms of use / privacy policy at any time without notice. To view the latest version of this privacy policy, simply bookmark this page for future reference.

You understand that this agreement shall prevail if there is any conflict between this agreement and the terms of use you accepted when you signed up with MSN. You also understand that by temporarily accessing your msn account, TST Management, Inc is NOT agreeing to MSN’s terms of use and therefore not bound by them.”

Eheheheheeh, strange, this TST Management!! It has a “legal” privacy policy that is not conventionally written, a “legal policy” that breaks Microsoft’s and MSN’s laws? Wooow, we are in front of a new frontier of legality!! Sign a legal policy to legally break third parties’ laws! 🙂

After subscribing to yopicz.com, my honeypot account was flooded with advertisements from:
  • awesomezz.com
  • PassionZz.com
  • RealDealzz.com
  • insaneimagz.com

So this IS a CHAIN of spam websites that exchange/send your credentials among the various domains!

If you receive other advertisements like these, report them to me and I’ll dissect them 🙂

May the God of Paranoia be with you 🙂


Another MSN Privacy / Spam Threat awesomezz.com

August 21, 2008

Hi,

Thanks to a report from Roberta, I’ve identified another spam/privacy threat spreading through MSN.

The structure is exactly the same as ultimatestufff, but the end-point domain changes.

Online contacts receive an offline message composed like this: http://_mail_address.awesomezz.com
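Both this lure shape (the recipient's address as a subdomain of the end-point domain) and the list of chain domains from the yopicz.com honeypot in the previous post lend themselves to a simple message-side check. The following is an added example, not code from the post: a Python classifier that pulls links out of offline-message bodies, matches their host against the chain domains named in these two posts by exact or subdomain match only (so a lookalike such as awesomezz.com.evil.example is not a hit), and extracts the personalisation token. The assumption that the leftmost labels carry the recipient's address comes from the post's placeholder; the sample messages and the function names are constructed.

```python
from __future__ import annotations

import re
from urllib.parse import urlsplit

# End-point domains named in these posts (awesomezz.com, yopicz.com, the four advertised
# to the yopicz.com honeypot, and ultimatestufff.com). Extend with your own observations.
CHAIN_DOMAINS = {
    "yopicz.com", "awesomezz.com", "passionzz.com", "realdealzz.com",
    "insaneimagz.com", "ultimatestufff.com",
}

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def match_chain_domain(host: str, chain_domains=CHAIN_DOMAINS) -> str | None:
    """Exact or subdomain match only; 'awesomezz.com.evil.example' must not match."""
    host = host.lower().rstrip(".")
    for dom in chain_domains:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def classify_lure(url: str, chain_domains=CHAIN_DOMAINS) -> dict | None:
    """Describe one link: which chain domain it hits and what token it carries."""
    host = urlsplit(url).hostname or ""
    dom = match_chain_domain(host, chain_domains)
    if dom is None:
        return None
    # Assumption (from the post's placeholder http://_mail_address.awesomezz.com): the
    # labels left of the chain domain carry the recipient's address as a tracking token.
    token = host.lower()[: -len(dom)].rstrip(".")
    return {"url": url, "domain": dom, "token": token, "personalised": bool(token)}


def find_chain_lures(messages: list[str], chain_domains=CHAIN_DOMAINS) -> list[dict]:
    """Scan offline-message bodies and return every link pointing into the chain."""
    found = []
    for msg in messages:
        for url in URL_RE.findall(msg):
            hit = classify_lure(url, chain_domains)
            if hit:
                found.append(hit)
    return found


# Constructed sample messages in the shape the post describes.
SAMPLE_MESSAGES = [
    "hey check this out http://alice_example.awesomezz.com",
    "new community site: http://yopicz.com/ join now",
    "http://awesomezz.com.evil.example/ is a lookalike that must not match",
    "unrelated http://www.example.com/page",
]

if __name__ == "__main__":
    for hit in find_chain_lures(SAMPLE_MESSAGES):
        print(hit["domain"], hit["token"] or "(no token)")
```

The token list is worth keeping: distinct tokens seen across many messages show which addresses the chain already holds, which is the leakage the post is pointing at.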

Let’s dissect it!

From the HTTP headers we can see that this domain is served by a small web server:

HTTP/1.0 200 OK
Connection: close
X-Powered-By: PHP/4.4.8
Content-type: text/html
Content-Length: 242
Date: Thu, 21 Aug 2008 15:00:41 GMT
Server: lighttpd/1.4.19

And this is the HTML code:

<html>
<head>
<title></title>
</head>
<frameset rows="*,30,1" frameborder=0>
<frame src="indexx.php" name="">
<frame src="abuse.html" name="" frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame>
<frame src="counter.php" name="" frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame>
</frameset>
</html>

-> counter.php

<img src="http://www.ipcounter.de/count.php?u=52572355&amp;color=pink" alt="" border="0" width=0 height=0></a></noscript><img src="http://www.ipcounter.de/count.php?u=54136814&amp;color=pink" alt="" border="0" width=0 height=0></a></noscript>

-> abuse.html

<center><b>Send Abuses to <a href="mailto:abuse@cpashield.com">abuse@cpashield.com</a></b>

-> indexx.php

The pattern is always the same: the user lands on a certain website by passing through another website that installs some tracking cookies. Indeed, as we can see, indexx.php points to Incentaclick:

http://www.incentaclick.com/nclick.php?id=17133&cid=4804&sub=newadx_ita

which transparently (an ordinary user will not notice that hop) sets some cookies:

Set-Cookie: IncentaclickUC480417133=480417133newadx_ita; expires=Sat, 20-Sep-2008 07:00:43 GMT; path=/; domain=.incentaclick.com
Set-Cookie: IncentaclickUC480417133=480417133newadx_ita; expires=Sat, 20-Sep-2008 07:00:43 GMT; path=/; domain=www.incentaclick.com
Set-Cookie: IncentaclickTrackCookie4804=17133-newadx_ita; expires=Wed, 19-Nov-2008 07:00:43 GMT; path=/; domain=.incentaclick.com
Set-Cookie: IncentaclickTrackCookie4804=17133-newadx_ita; expires=Wed, 19-Nov-2008 07:00:43 GMT; path=/; domain=www.incentaclick.com
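To see what such a hop leaves behind, it helps to parse the Set-Cookie headers rather than eyeball them. The following is an added example, not code from the post: a Python parser for the four headers quoted above that reports each cookie's domain, its lifetime in days and whether it is third-party with respect to the site the victim thinks they are on. The capture time (07:00:43 UTC on 21 August 2008, matching the cookies' own timestamp) and the landing host are assumptions; the headers themselves are the ones from the post.

```python
from __future__ import annotations

from datetime import datetime, timezone

# The four Set-Cookie headers quoted in the post, reproduced here as test data.
SET_COOKIE_LINES = [
    "Set-Cookie: IncentaclickUC480417133=480417133newadx_ita; expires=Sat, 20-Sep-2008 07:00:43 GMT; path=/; domain=.incentaclick.com",
    "Set-Cookie: IncentaclickUC480417133=480417133newadx_ita; expires=Sat, 20-Sep-2008 07:00:43 GMT; path=/; domain=www.incentaclick.com",
    "Set-Cookie: IncentaclickTrackCookie4804=17133-newadx_ita; expires=Wed, 19-Nov-2008 07:00:43 GMT; path=/; domain=.incentaclick.com",
    "Set-Cookie: IncentaclickTrackCookie4804=17133-newadx_ita; expires=Wed, 19-Nov-2008 07:00:43 GMT; path=/; domain=www.incentaclick.com",
]

# Assumed capture time: the cookies' own timestamp on the day of the post.
OBSERVED_AT = datetime(2008, 8, 21, 7, 0, 43, tzinfo=timezone.utc)
LANDING_HOST = "awesomezz.com"  # assumed: the site the victim believes they are visiting


def parse_set_cookie(line: str) -> dict:
    """Split one Set-Cookie header into name, value and lower-cased attributes."""
    header, _, rest = line.partition(":")
    if header.strip().lower() != "set-cookie":
        raise ValueError(f"not a Set-Cookie header: {line!r}")
    parts = [p.strip() for p in rest.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def lifetime_days(cookie: dict, now: datetime) -> float | None:
    """Days until expiry, or None for a session cookie (Netscape date format as seen above)."""
    exp = cookie["attrs"].get("expires")
    if not exp:
        return None
    when = datetime.strptime(exp, "%a, %d-%b-%Y %H:%M:%S GMT").replace(tzinfo=timezone.utc)
    return (when - now).total_seconds() / 86400


def is_third_party(cookie: dict, landing_host: str) -> bool:
    """True when the cookie domain is unrelated to the landing host (not same site or sub/superdomain)."""
    dom = cookie["attrs"].get("domain", landing_host).lower().lstrip(".")
    landing = landing_host.lower()
    return not (landing == dom or landing.endswith("." + dom) or dom.endswith("." + landing))


def tracking_report(lines: list[str], landing_host: str, now: datetime) -> list[dict]:
    """One row per header: name, scope, lifetime and third-party flag."""
    report = []
    for line in lines:
        c = parse_set_cookie(line)
        report.append({
            "name": c["name"],
            "domain": c["attrs"].get("domain", landing_host),
            "lifetime_days": lifetime_days(c, now),
            "third_party": is_third_party(c, landing_host),
        })
    return report


if __name__ == "__main__":
    for row in tracking_report(SET_COOKIE_LINES, LANDING_HOST, OBSERVED_AT):
        print(row)
```

For the headers above it reports a 30-day cookie and a 90-day cookie, each set twice (for .incentaclick.com and www.incentaclick.com), all third-party relative to the landing site: the tracking lives on the intermediate domain the user never sees in the address bar.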

The redirection then points to:

http://www.flycell.it/offer/?ref=2650&transid=17133-newadx_ita

The pattern is exactly the same as Ultimatestufff.com, with the difference that the end-point seems to be a website for mobile phones; but probably the user is still asked to give MSN credentials.

Here is the domain analysis:

Registry Data

ICANN Registrar: ENOM, INC.
Created: 2008-08-20
Expires: 2009-08-20
Updated: 2008-08-20
Registrar Status: clientTransferProhibited
Name Server: DNS1.REGISTRAR-SERVERS.COM (has 96,391 domains)
Name Server: DNS2.REGISTRAR-SERVERS.COM
Name Server: DNS3.REGISTRAR-SERVERS.COM
Whois Server: whois.enom.com


Server Data

IP Address: 210.56.53.73
IP Location: Hong Kong – Hong Kong (SAR) – Hong Kong – Sun Network (Hong Kong) Limited
Response Code: 200
Domain Status: Registered And Active Website

See you in the next post.