The MSN Dark Chain of Spam – yopicz.com and others

August 26, 2008

Hi,

As you have seen from my previous posts, MSN Privacy Threat domains have shown a significant increase in this period. You can also see how similar the methods and structures used by these domains are.

The same Hong Kong domain, run with the same HTTP daemon, the same way of setting tracking cookies and, finally, different advertised end-point domains.

Now my question was: "Is it possible to reveal the presence of a chain of spam information between these sites?"

The answer came out by itself yesterday. Some time ago I created a fake MSN account and signed up to one of these "services", specifically yopicz.com.

yopicz.com is one of the classic domains spread through MSN, but with some basic differences compared with the others.

Let's see the code:

<html>
<head>
<title></title>
</head>
<frameset cols="0,*" frameborder=0>
<frame src="pop.php" name="">
<frame src="indexx.php" name="mainwindow">
</frameset>
</html>
<script src="http://www.google-analytics.com/urchin.js" type="text/javascript">
</script>
<script type="text/javascript">
_uacct = "UA-3898830-2";
urchinTracker();
</script>

-> pop.php

<script>
var UserClicked=false;
document.onkeydown=spyclick;
document.onmousedown=spyclick;
function spyclick()
{
    UserClicked=true;
    setTimeout("UserClicked=false",2000);
}
function popup()
{
    if(!UserClicked)
    {
        var win=window.open("http://awesomeoffers.info","","width=1024,height=768")
    }
}
window.onbeforeunload=popup;
</script>

In other words, when you leave the page without a click or key press in the last two seconds, a pop-up window sends you to awesomeoffers.info, which is the advertised website.
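A static check for the two tricks shown above, the zero-width frame and the unload-time pop-up, as an added Python example (not code from the original post or from the site). The function names and the sample strings, rebuilt from the quoted source, are assumptions of this example; nested framesets are not handled.

```python
import re
from html.parser import HTMLParser
# Constructed sample input: the yopicz.com frameset and pop.php script quoted above.
INDEX_HTML = ('<frameset cols="0,*" frameborder=0><frame src="pop.php" name="">'
              '<frame src="indexx.php" name="mainwindow"></frameset>')
POP_PHP = """
var UserClicked=false; document.onkeydown=spyclick; document.onmousedown=spyclick;
function spyclick() { UserClicked=true; setTimeout("UserClicked=false",2000); }
function popup() { if(!UserClicked) { var win=window.open("http://awesomeoffers.info","","width=1024,height=768") } }
window.onbeforeunload=popup;
"""

class FrameAudit(HTMLParser):
    """Pairs each <frame> with its size in the enclosing (non-nested) frameset."""
    def __init__(self):
        super().__init__()
        self.sizes, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "frameset":
            spec = attrs.get("cols") or attrs.get("rows") or ""
            self.sizes = [s.strip() for s in spec.split(",")]
        elif tag == "frame":
            size = self.sizes.pop(0) if self.sizes else "*"
            if size in ("0", "1"):  # zero or one pixel: invisible to the visitor
                self.hidden.append(attrs.get("src"))

def hidden_frames(html):
    audit = FrameAudit()
    audit.feed(html)
    return audit.hidden

def function_body(script, name):
    """Return the text between the braces of `function name(...) {...}`."""
    m = re.search(r"function\s+%s\s*\([^)]*\)\s*\{" % re.escape(name), script)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(script) and depth:
        depth += {"{": 1, "}": -1}.get(script[i], 0)
        i += 1
    return script[m.end():i - 1]

def exit_popups(script):
    """URLs opened by handlers assigned to onbeforeunload or onunload."""
    handlers = re.findall(r"\bon(?:before)?unload\s*=\s*(\w+)", script)
    return [u for h in handlers
            for u in re.findall(r"window\.open\(\s*[\"']([^\"']+)", function_body(script, h))]
```

On the sample input, `hidden_frames(INDEX_HTML)` reports `pop.php` and `exit_popups(POP_PHP)` reports the advertised URL.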

-> indexx.php

Contains a fake Privacy Policy:

“By filling out this form, you authorize TST Management, Inc to spread the word
about this 100% real and upcomming Messenger Community Site.
You will receive your share of the credit in helping us spread the word. This is a harmless
Community site which is offering users a platform to meet each other for free.

We do not share your private information with any third parties.

This page is not affiliated with or operated by Microsoft(tm) or MSN Network(tm).

TST Management, Inc reserves the right to change the terms of use / privacy policy
at any time without notice. To view the latest version of this privacy policy,
simply bookmark this page for future reference.

You understand that this agreement shall prevail if there is any conflict between this
agreement and the terms of use you accepted when you signed up with MSN. You also
understand that by temporarily accessing your msn account, TST Management, Inc
is NOT agreeing to MSN’s terms of use and therefore not bound by them.”

Eheheheheeh, strange, this TST Management!! It has a “Legal” Privacy Policy that is not conventionally written, a “Legal Policy” that breaks Microsoft and MSN Laws? Wooow, we are in front of a new frontier of legality!! Sign a Legal Policy to legally break third parties' laws! :)

After subscribing to yopicz.com, my honeypot account was hit with various notices from

  • awesomezz.com
  • PassionZz.com
  • RealDealzz.com
  • insaneimagz.com

So this IS a CHAIN of spam websites that exchange/send your credentials to the various domains!

If you receive other notices like these, report them to me and I’ll dissect them :)

May the God of Paranoia be with you :)


MSN Privacy Threat – passionzz.com

August 25, 2008

Hi,

Here is another privacy threat similar to the ones already seen. The malicious domain is spread by offline MSN contacts in the form of

http://_mail_address.passionzz.com

Here is the classic HTML source, already seen:

<html>
<head>
<title></title>
</head>
<frameset rows="*,30,1" frameborder=0>
<frame src="indexx.php" name="">
<frame src="abuse.html" name= frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame>
<frame src="body.php" name= frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame>
</frameset>
</html>

-> abuse.html

<center><b>Send Abuses to <a href="mailto:abuse@cpashield.com">abuse@cpashield.com</a></b>

-> body.php

<img src="http://www.ipcounter.de/count.php?u=53083499&amp;color=pink" alt="" border="0" width=0 height=0></a></noscript><img src="http://www.ipcounter.de/count.php?u=54136814&amp;color=pink" alt="" border="0" width=0 height=0></a></noscript>

-> indexx.php

Redirection to http://www.incentaclick.com/nclick.php?id=16550&cid=3915&sub=newadx_passion

<html><head><title>Incentaclick Media</title><meta http-equiv='refresh' content="0;url=http://banners.passion.com/go/page/25647_landing_passion_01b?pid=p497792.sub16550-newadx_passion&ip=auto"></head><body></body></html>

Tracking Cookie Installation

Set-Cookie: IncentaclickUC391516550=391516550newadx_passion; expires=Wed, 24-Sep-2008 17:08:59 GMT; path=/; domain=.incentaclick.com
Set-Cookie: IncentaclickUC391516550=391516550newadx_passion; expires=Wed, 24-Sep-2008 17:08:59 GMT; path=/; domain=www.incentaclick.com
Set-Cookie: IncentaclickTrackCookie3915=16550-newadx_passion; expires=Sun, 23-Nov-2008 17:08:59 GMT; path=/; domain=.incentaclick.com
Set-Cookie: IncentaclickTrackCookie3915=16550-newadx_passion; expires=Sun, 23-Nov-2008 17:08:59 GMT; path=/; domain=www.incentaclick.com

After Incentaclick transparently installs its tracking cookies, you’re redirected to

http://banners.passion.com/go/page/25647_landing_passion_01b?pid=p497792.sub16550-newadx_passion&ip=auto
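The identifiers in the redirect URL reappear in the cookie names and values, which is what ties the visit to one affiliate campaign. The following added Python example (not part of the original post) parses the quoted headers and checks that; the function names are hypothetical, and the observation time is an assumption, taken as the post date at the time of day shown in the expires attribute.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# Constructed sample input: the redirect URL and Set-Cookie headers quoted above.
REDIRECT = "http://www.incentaclick.com/nclick.php?id=16550&cid=3915&sub=newadx_passion"
HEADERS = """\
Set-Cookie: IncentaclickUC391516550=391516550newadx_passion; expires=Wed, 24-Sep-2008 17:08:59 GMT; path=/; domain=.incentaclick.com
Set-Cookie: IncentaclickUC391516550=391516550newadx_passion; expires=Wed, 24-Sep-2008 17:08:59 GMT; path=/; domain=www.incentaclick.com
Set-Cookie: IncentaclickTrackCookie3915=16550-newadx_passion; expires=Sun, 23-Nov-2008 17:08:59 GMT; path=/; domain=.incentaclick.com
Set-Cookie: IncentaclickTrackCookie3915=16550-newadx_passion; expires=Sun, 23-Nov-2008 17:08:59 GMT; path=/; domain=www.incentaclick.com
"""
# Assumption: cookies set on the post date, at the time of day shown in "expires".
OBSERVED = datetime(2008, 8, 25, 17, 8, 59, tzinfo=timezone.utc)

def parse_set_cookie(line):
    """Split one Set-Cookie header into name, value and lower-cased attributes."""
    first, *rest = [p.strip() for p in line.split(":", 1)[1].split(";")]
    name, _, value = first.partition("=")
    cookie = {"name": name, "value": value}
    for part in rest:
        key, _, val = part.partition("=")
        cookie[key.lower()] = val
    return cookie

def lifetime_days(cookie, observed=OBSERVED):
    """Whole days between the observation time and the cookie's expiry."""
    expires = datetime.strptime(cookie["expires"], "%a, %d-%b-%Y %H:%M:%S GMT")
    return (expires.replace(tzinfo=timezone.utc) - observed).days

def campaign_report(url, headers):
    """Map cookie name -> scope, lifetime, and whether it repeats the URL's ids."""
    ids = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    report = {}
    for line in headers.splitlines():
        if not line.lower().startswith("set-cookie:"):
            continue
        c = parse_set_cookie(line)
        entry = report.setdefault(c["name"], {
            "domains": [],
            "days": lifetime_days(c),
            "carries_ids": all(v in c["name"] + c["value"] for v in ids.values()),
        })
        entry["domains"].append(c["domain"])
    return ids, report
```

Under that assumption the two cookies last 30 and 90 days, and each is set for both `.incentaclick.com` and `www.incentaclick.com`.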

Registry Data

ICANN Registrar: ENOM, INC.
Created: 2008-08-24
Expires: 2009-08-24
Updated: 2008-08-24
Registrar Status: clientTransferProhibited
Name Server: DNS1.REGISTRAR-SERVERS.COM (has 99,883 domains)
Name Server: DNS2.REGISTRAR-SERVERS.COM
Name Server: DNS3.REGISTRAR-SERVERS.COM
Whois Server: whois.enom.com

Server Data

IP Address: 127.0.0.1
IP Location – Loopback
Response Code: 200
Domain Status: Registered And Active Website

Removal Instructions

Remove the cookies and change your MSN passwords!!!!

See you in the next post… :)