New MSN Privacy Threat – ultimatestufff.com

August 17, 2008

Hi,

Today I was informed of a new privacy threat being spread through MSN.

Offline contacts send all of their online contacts the following link: http://ultimatestufff.com/

Let’s see how ultimatestufff works..

At a first dissection we can see that this web service is surely run from
a small private server:

HTTP/1.0 200 OK
Connection: close
X-Powered-By: PHP/4.4.8
Content-type: text/html
Content-Length: 345
Date: Sun, 17 Aug 2008 13:04:33 GMT
Server: lighttpd/1.4.19

We can tell because lighttpd is used.

The content of the first page is similar to my previous MSN malicious website discovery;
indeed we have:

<html>
<head>
<title></title>
</head>
<frameset rows="*,30,1" frameborder=0>

<frame src="indexx.php" name="">
<frame src="abuse.html" name="" frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame>
<frame src="counter.php" name="" frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame>

</frameset>
</html>

-> abuse.html

<center><b>Send Abuses to <a href="mailto:abuse@cpashield.com">abuse@cpashield.com</a></b></center>

It looks perfectly similar to the previous case, but without the Java obfuscation.

-> counter.php

<!-- two invisible (0x0) hit counters, one per tracked campaign -->
<img src="http://www.ipcounter.de/count.php?u=52572355&amp;color=pink" alt="" border="0" width=0 height=0>
<img src="http://www.ipcounter.de/count.php?u=54136814&amp;color=pink" alt="" border="0" width=0 height=0>

And finally the most interesting part, indexx.php, which performs a redirection to:

http://www.incentaclick.com/nclick.php?id=14955&cid=3674&sub=newadx

This time the web service involved is more significant: the well-known affiliate service Incentaclick
is used, and it sets some tracking cookies:

HTTP/1.1 200 OK
Date: Sun, 17 Aug 2008 05:06:08 GMT
Server: Apache
Set-Cookie: IncentaclickUC367414955=367414955newadx; expires=Tue, 16-Sep-2008 05:06:08 GMT; path=/; domain=.incentaclick.com
Set-Cookie: IncentaclickUC367414955=367414955newadx; expires=Tue, 16-Sep-2008 05:06:08 GMT; path=/; domain=www.incentaclick.com
Set-Cookie: IncentaclickTrackCookie3674=14955-newadx; expires=Sat, 15-Nov-2008 05:06:08 GMT; path=/; domain=.incentaclick.com
Set-Cookie: IncentaclickTrackCookie3674=14955-newadx; expires=Sat, 15-Nov-2008 05:06:08 GMT; path=/; domain=www.incentaclick.com
P3P: CP="NOI DSP COR NID"
Content-Length: 184
Connection: close
Content-Type: text/html; charset=UTF-8

And this is the source code:

<html><head><title>Incentaclick Media</title><meta http-equiv='refresh' content="0;url=http://www.perfspot.com/join.asp?LanguageID=1&p=98958&t=14955-newadx"></head><body></body></html>

As you can see there is a meta refresh that redirects the user (instantly!) to another
website:

http://www.perfspot.com/join.asp?languageid=1&p=98958&t=14955-newadx

A normal visitor will never notice the pass through Incentaclick, but will end up with its cookies..
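To make the chain above visible, here is an added example (my own analysis helper, not code from the site or from the author of this post) that walks a redirect chain, honouring both HTTP Location headers and HTML meta refresh, and records every cookie each hop tries to set. The sample responses are constructed from what the post shows; the indexx.php hop is assumed to redirect with a 302 Location header, since the post does not show how that redirect is done.

```python
import re
from urllib.parse import urljoin

# Constructed sample responses mirroring the chain in the post (not captured traffic); the 302 for indexx.php is an assumption.
RESPONSES = {
    "http://ultimatestufff.com/indexx.php":
        "HTTP/1.0 302 Found\r\n"
        "Location: http://www.incentaclick.com/nclick.php?id=14955&cid=3674&sub=newadx\r\n\r\n",
    "http://www.incentaclick.com/nclick.php?id=14955&cid=3674&sub=newadx":
        "HTTP/1.1 200 OK\r\n"
        "Set-Cookie: IncentaclickUC367414955=367414955newadx; path=/; domain=.incentaclick.com\r\n"
        "Set-Cookie: IncentaclickTrackCookie3674=14955-newadx; path=/; domain=.incentaclick.com\r\n\r\n"
        "<html><head><title>Incentaclick Media</title><meta http-equiv='refresh' "
        "content=\"0;url=http://www.perfspot.com/join.asp?LanguageID=1&p=98958&t=14955-newadx\">"
        "</head><body></body></html>",
    "http://www.perfspot.com/join.asp?LanguageID=1&p=98958&t=14955-newadx":
        "HTTP/1.1 200 OK\r\n\r\n<html><body>join</body></html>",
}

META_REFRESH = re.compile(
    r"<meta[^>]*http-equiv=['\"]?refresh['\"]?[^>]*content=['\"]\s*\d+\s*;\s*url=([^'\"\s>]+)",
    re.IGNORECASE)  # tolerant of quote style; assumes http-equiv precedes content, as in the captured page

def parse_response(raw):
    """Split a raw HTTP response into (status code, [(header, value), ...], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = [tuple(p.strip() for p in l.split(":", 1)) for l in lines[1:] if ":" in l]
    return int(lines[0].split()[1]), headers, body

def next_hop(url, headers, body):
    """Return (next_url, mechanism): a Location header wins, then a meta refresh, else (None, None)."""
    for name, value in headers:
        if name.lower() == "location":
            return urljoin(url, value), "location"
    m = META_REFRESH.search(body)
    if m:
        return urljoin(url, m.group(1)), "meta-refresh"
    return None, None

def follow_chain(start, fetch, max_hops=10):
    """Walk the redirect chain, recording every cookie each hop tries to set on the visitor."""
    chain, url = [], start
    while url and len(chain) < max_hops:
        status, headers, body = parse_response(fetch(url))
        cookies = [v.split(";", 1)[0] for n, v in headers if n.lower() == "set-cookie"]
        target, how = next_hop(url, headers, body)
        chain.append({"url": url, "status": status, "cookies": cookies, "redirects_via": how})
        url = target
    return chain
```

Calling `follow_chain("http://ultimatestufff.com/indexx.php", RESPONSES.__getitem__)` yields three hops, with the Incentaclick hop carrying both tracking cookies and a meta-refresh exit to Perfspot; against a live target, `fetch` would be swapped for a function that returns the raw response text.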

Perfspot is a website that offers a meeting service.

It's interesting to see that during registration the user is asked to provide an MSN/LinkedIn/Live account, and this is the point where the dumb user allows Perfspot to reach other users.

Another interesting point is that, after you have completed the registration, you are automatically sent to a geo-location that corresponds to the location of the offline contact who sent you the link.

Here is the domain information for ultimatestufff.com:

Domain Information

ICANN Registrar: ENOM, INC.
Created: 2008-08-15
Expires: 2009-08-15
Updated: 2008-08-15
Registrar Status: clientTransferProhibited
Name Server: DNS1.REGISTRAR-SERVERS.COM (has 94,989 domains)
Name Server: DNS2.REGISTRAR-SERVERS.COM
Name Server: DNS3.REGISTRAR-SERVERS.COM
Whois Server: whois.enom.com


Server Data

IP Address: 210.56.53.73
IP Location: Hong Kong - Hong Kong (SAR) - Hong Kong - Sun Network (Hong Kong) Limited
Response Code: 200
Domain Status: Registered And Active Website

What can I say.. I'm a proud paranoid!!! 🙂

See you at the next post..

PS: I'm open to job offers! 🙂