Easy Spyware Tools » Spyware Info

More Google Adwords Phish Pages

HART (1-800-HART) — Mon, 13 Oct 2008 03:13:29 +0000

We’re noticing quite a lot of these appearing in mailboxes at the moment, all .cn and .kr domains. Here’s a few more (that are currently confirmed as live) for your blocklists:

adwords.google.com.qsoil.cn/select/Login
adwords.google.com.apoim.cn/select/Login
adwords.google.com.kfion.cn/select/Login
adwords.google.com.tverdo.cn/select/Login
adwords.google.com.agrod.cn/select/Login

ottoggi.co.kr/bbs/data/schedule/1194604617/redirect.google.com
kilsangsa.or.kr/zero/data/buddha/1223246866/https/portal.google.com/www.adwords.google.com/select/Login.htm

Unsurprisingly, the .cn domains are all registered to “Mr Gfdthy”, the same individual that owns the mehdo.cn domain. At least one of the Korean domains appears to be a legitimate website that’s been hacked and had the phish page uploaded by the hacker, and so might not be part of the “main” campaign that’s currently ongoing.

Google AdWords Phish

HART (1-800-HART) — Mon, 13 Oct 2008 03:13:09 +0000

Time to clear out the mailbox – wait, what’s this?

That’s interesting, considering I don’t have an AdWords account.

Click to Enlarge

Of course, if I did have an account I might be tempted by their fake website:

Click to Enlarge

As fake websites go, it’s quite pretty (but that’s more down to Google than the scammers).

Steer clear of this website:

adwords.google.com.mehdo.cn/select/Login/

The Whois details are unsurprisingly useless:

The Administrative EMail is apparently used for another 320 domains, which is probably not a good sign…

Smash And Grab

HART (1-800-HART) — Mon, 13 Oct 2008 03:13:07 +0000

Ever wondered how people put together huge wordlists made up of things like Usernames from forums as part of their cracking arsenal? Here’s a program that does just that. Simply select the kind of forum you want to leech from (vBulletin, IPB or phpBB), enter the details of the target forum and fire up this thing:

The program will take the required amount of usernames from the forum, and the hacker is then able to integrate those usernames into an increasingly large dictionary for their cracking tools.

Anyone remember when this sort of thing used to take a while?

No, me neither…

Habbo Hotel Fakeout

HART (1-800-HART) — Mon, 13 Oct 2008 03:12:54 +0000

Here’s a fake “Habbo Hotel” Login frontend, designed to be combined with an infection file of choice then sent to an unsuspecting user:

If you’re a Habbo Hotel user and see this appear in your mailbox (or a “friend” offers you it on a forum), just say no. It’s highly likely it’ll come with an unpleasant surprise…

Putting A Smile On Their Face?

HART (1-800-HART) — Mon, 13 Oct 2008 03:12:54 +0000

Clearly, there’s been too much Batman on here lately.

I suppose we could always even things up a little with a screenshot of this DDoS tool:

Click to Enlarge

Those crazy kids…

The Partial Loss Of Data Phish

HART (1-800-HART) — Mon, 13 Oct 2008 03:12:53 +0000

Here, our unfriendly neighbourhood Phisher is attempting to play on the fear of a security breach:

Attention all Apex ACH System Customers!

We inform you that on October 7, 2008 a partial loss of data took
place in our database. Due to this problem urgent request to take the
procedure of account verification. Verification form is located here:

[URL Removed].org

However, failure to confirm your records may result in account suspension.
This is an automated message. Please do not reply.

Best to ignore this kind of EMail, methinks…

Barclays PINsentry Phish

HART (1-800-HART) — Mon, 13 Oct 2008 03:12:42 +0000

This is PINsentry.

This is a PINsentry Phish currently doing the rounds:

Introducing PINsentry for Online Banking

To help protect your account from Online fraud, we are changing the
security for Barclays Online Banking and you will need to upgrade to
PINsentry.

PINsentry upgrade – information by email
We will send you information on PINsentry and details of any cards being
issued or upgraded by email.
Please insert your details in the attachment below.

Barclays Bank PLC is authorised and regulated by the Financial Services Authority

This is the form that comes with the EMail:

Click to Enlarge

Note that it asks you for absolutely everything, including your telephone banking passcode. Barclays Bank do NOT send these kinds of EMails to their customers, so be on your guard…

A (Lemon) Party On Your Desktop

HART (1-800-HART) — Mon, 13 Oct 2008 03:12:00 +0000

Shockmemes have become a big deal in hacking circles recently, and whether its catching out priests with Meatspin or leaving a nice surprise on phished Myspace pages, everybody wants a piece of the action. Well, the use of Shockmemes in hacking and cracking circles takes another plunge into the world of bleeding eyeballs and crying children the World over with this latest infection. Currently doing the rounds on the “Let’s ruin your day” circuit, this bundle of joy (once run by the unsuspecting Windows end-user) will make your previously beautiful and clutter free desktop….

Click to Enlarge

….look like this:

Click to Enlarge

Oh my, is that 40+ copies of Lemonparty on your desktop? I think it is.

In addition to your new favourite desktop image, you’ll find that the author of this file wants you to see more of Lemonparty.

A whole lot more, as it turns out. Within minutes, your desktop will look like this:

Click to Enlarge

Whoops.

Your entire PC has been taken over by endless respawning images of three old guys having the best time of their lives in a hotel room. If you reboot the PC, they’ll come straight back. If you go into task manager and kill the process that keeps creating duplicate images, your desktop will be clean for about ten seconds…then they’ll come straight back.Your PC will slow down to a crawl, making it even harder to go looking for the hidden files that keep the party going.

Even trying to get screenshots of the files involved was nearly impossible due to the images insistence on hogging every square inch of your monitors real estate. As a matter of fact, when I asked my colleague to grab a shot of the file responsible for bringing the desktop hijacks back to life each time what should pop up but…

Click to Enlarge

This is one party you just can’t stop.

We detect this as LemonLover. And this is quite possibly the funniest thing I have ever written about.

Additional Research: Chris Mannon, Senior Threat Researcher

A Case Of Twitter Username Squatting?

HART (1-800-HART) — Mon, 13 Oct 2008 03:11:59 +0000

There’s a lot of security companies on Twitter these days. BitDefender, TrendMicro, Kaspersky, FaceTime, F-Secure and more besides – plus all the researchers and independent security people who have their own Twitter accounts. That’s a whole lot of people yammering on about security, and pretty much all tastes are accounted for.

However, as with all new(ish) sites – if you don’t snap up your personalised domain extension, someone is going to grab it before you get there. Earlier today, I was looking for some security companies on Twitter and saw this:

Very peculiar. If you visit the profile, it’s already been suspended.

The account only sent out the one message before the plug was pulled. There are two possibilities here:

1) The scammer registered the “nod32antivirus” username on Twitter to try and get money from ESET in return for the nod32antivirus username on Twitter, which is about as poorly thought out a plan as it sounds.

2) The message refers to the sale of the website listed in the single Twitter message, though the way it’s worded (and the fact that this person randomly decided to register nod32antivirus as their username) would tend to make this rather unlikely. Either way, Twitter thought there was something sufficiently strange here to suspend the account.

I EMailed the site owner anyway, and have so far had no reply. If I actually get a response, I’ll update the entry…

Hackjob

HART (1-800-HART) — Mon, 13 Oct 2008 03:11:48 +0000

Click to Enlarge

I’m pretty sure this technology services website isn’t supposed to say “Yes, Demian is gay and cannot wag the tail” underneath the nice animated graphic. Time to contact the site owner, methinks…