New Year old Credential Theft Way 🙂
This morning my MSN-HoneyPot catched the following URL spreaded as oggline message:
Victim is driven to insert [MSN-E-Mail] and [MSN-Password] to view the fake proclaimed New Year Pics, that does not exists.
I’ve already analysed this system in my other previous posts, there is a fake “Term UserConditions” that victim implicitly accepts and allows Spammers to user his account to promote to other contacts their Market Proposal.
As usual service is placed in Republic of Panama 😉
<frameset cols=”0,*” frameborder=0>
<frame src=”pop.php” name=””>
<frame src=”indexx.php” name=”mainwindow”>
Let’s analyse these links:
A simple Popup that opens speciallofferforu.info
Is the page that you see when click on msn link.
These are the informations on the WebServer:
HTTP/1.0 200 OK
Date: Thu, 01 Jan 2009 17:15:18 GMT
The Server as usual runs PHP/4.4.8 and lighttpd/1.4.19 as the previously seen Credentials Catchers, indeed if we investigate on Domains provenience we discover that all these services comes from HongKong.
|IP Address:||18.104.22.168 Whois | Reverse-IP | Ping | DNS Lookup | Traceroute|
|IP Location||– Hong Kong – Ta_kung_pao|
|Domain Status:||Registered And Active Website|
Finally after all these recurrences, we can Say that MSN Spam works in two Steps, there is a period that could be defined as
1) Data Mining Period, when HongKong cellar try to catch more User Credentials possible.
2)Spread Spam Period, when Collected Credentials are used to spread their Market Proposals.
Have a nice and Happy New Year! 🙂
A[ MaSN E-Mail ]