Blog for hpHosts, and whatever else I feel like writing about ....

Friday 9 July 2010

Scam Alert: fadebook.info

I came across a rather intruiging domain whilst investigating a case - fadebook.info.

The domain obviously set off alarms due to the obvious similarity to fadebook.info, and when deciding to look at it, wasn't expecting very much, just the usual phish if anything. However, upon closer inspection, it surprised me a little - it wasn't a facebook phish at all - it was something else.

When first loading fadebook.info, you see internal traffic, suggesting it's loading pictures (one of which, is the image shown top left - nice touch, not sure LE will like it though) and whatnot, the same way other sites do. Alas no, it actually redirects to /stacy/, which displays the following bit of lovelyness;



What you may have noticed, is the usual Facebook notification dialog, which is obviously a carbon copy of the one you see at Facebook - don't be surprised though - they've actually lifted the dialog from Facebook (apparently our little scammers couldn't be bothered to immitate that). This leads us on next, to /iq/, which as you've guessed from the images so far, has one purpose - to get us to take the IQ test it so desperately wants us to go to.

Perhaps not surprisingly, it doesn't take us there directly - oh no. This little fellow wants us to go through some ad servers first - yummy. First Zedo, then TrackLead.net, then jmpads.com, until finally, we reach the phish err, IQ test, itself - cellrow.com.

hxxp://www.cellrow.com/s/uk_iq_central_red_138_5c019/?ref4=6811&ref5=9190&sa=poplstlwslpsq&ref2=lnk_fb&ref3=sh_ukiq_lnk_fb&sa=poplstlwslpsq&keyword=43395&affiliate=43395&od=r9sh36

The full redirection, for those interested, is (Fiddler log: fadebook.info_-_Fiddler_Log.saz);

http://fadebook.info/
http://www.fadebook.info/stacy/
http://cdn.fadebook.info/js/jquery.min.js
http://cdn.fadebook.info/js/jquery.blockUI.js
http://cdn.fadebook.info/3vydwzbf.css
http://cdn.fadebook.info/65ysd8qz.css
http://cdn.fadebook.info/ak6z838s.css
http://cdn.fadebook.info/img.png
http://www.facebook.com/plugins/like.php?href=http://www.fadebook.info/red.php&layout=standard&show_faces=true&width=450&action=like&colorscheme=light&height=80
http://cdn.fadebook.info/rsrc.php/zCCSI/hash/7am1obcj.png
http://www.google-analytics.com/__utm.gif?utmwv=4.7.2&utmn=1720077742&utmhn=www.fadebook.info&utmcs=windows-1252&utmsr=1280x800&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=10.0%20r45&utmdt=Stacy%20Bosanko's%20Photos%20-%20Wall%20Photos&utmhid=313385123&utmr=-&utmp=%2Fstacy%2F&utmac=UA-17372133-1&utmcc=__utma%3D161306154.523508363.1278725813.1278725813.1278725813.1%3B%2B__utmz%3D161306154.1278725813.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&gaq=1
http://www.google-analytics.com/__utm.gif?utmwv=4.7.2&utmn=1404945826&utmhn=wepawet.cs.ucsb.edu&utmcs=utf-8&utmsr=1280x800&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=10.0%20r45&utmdt=Wepawet%20%C2%BB%20JavaScript%20report&utmhid=2123445275&utmr=-&utmp=%2Fview.php%3Fhash%3D834246d820cd58538ae66b81baede36b%26t%3D1278722362%26type%3Djs&utmac=UA-6144483-1&utmcc=__utma%3D245414530.477027083.1278722335.1278722335.1278722335.1%3B%2B__utmz%3D245414530.1278722335.1.1.utmcsr%3Dvurldissect.co.uk%7Cutmccn%3D(referral)%7Cutmcmd%3Dreferral%7Cutmcct%3D%2F%3B
http://static.ak.fbcdn.net/rsrc.php/z6O32/hash/e9lj9nd6.css
http://static.ak.fbcdn.net/rsrc.php/z7SOH/hash/avnl55ao.css
http://static.ak.fbcdn.net/rsrc.php/z8AS8/hash/efhfcyt5.js
http://static.ak.fbcdn.net/rsrc.php/z86SM/hash/191wiexm.png
http://static.ak.fbcdn.net/rsrc.php/zCBBG/hash/dgdjhcho.js
http://static.ak.fbcdn.net/rsrc.php/z4YJ8/hash/7foje0d3.js
http://static.ak.fbcdn.net/rsrc.php/zFX4P/hash/c4aknps2.js
http://www.google-analytics.com/__utm.gif?utmwv=4.7.2&utmn=1824286987&utmhn=wepawet.cs.ucsb.edu&utmcs=utf-8&utmsr=1280x800&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=10.0%20r45&utmdt=Wepawet%20%C2%BB%20JavaScript%20report&utmhid=466208229&utmr=-&utmp=%2Fview.php%3Fhash%3D834246d820cd58538ae66b81baede36b%26t%3D1278722362%26type%3Djs&utmac=UA-6144483-1&utmcc=__utma%3D245414530.477027083.1278722335.1278722335.1278722335.1%3B%2B__utmz%3D245414530.1278722335.1.1.utmcsr%3Dvurldissect.co.uk%7Cutmccn%3D(referral)%7Cutmcmd%3Dreferral%7Cutmcct%3D%2F%3B
http://www.fadebook.info/iq/
http://d3.zedo.com/jsc/d3/ff2.html?n=1315;c=4;s=4;d=14;w=728;h=90
http://d3.zedo.com/bar/v16-108/d3/jsc/iframe2.js
http://d7.zedo.com/jsc/lang.js
http://d7.zedo.com/bar/v16-108/d3/jsc/igeo.js
http://h.zedo.com/init/0.9329382706280032/g.gif
http://simg.zedo.com/speed-test/10k.gif?3106
http://d3.zedo.com/ads3/d/3597/171/1315/4/i.js?z=0140
http://d3.zedo.com/OzoDB/cutils/R48_4/jsc/1315/zmpfc.js?v=2-110
http://d3.zedo.com/ads2/e/1315/eli.js
http://d3.zedo.com//ads2/k/796539/3597/171/0/1315000004/1315000004//0/1315/4//1000002/i.js
http://m1.zedo.com/log/p.gif?a=796539;;r=1;x=3597;g=171,0;c=1315000004,1315000004;i=1;n=1315;q=13071;i=0;u=jlY2bwoBADYAAC@NvikAAACF~071010;1=2;2=1;e=i;s=4;g=171;w=1;m=603;z=0.83241506713903310.5606796556733622
http://www.fadebook.info/iq/uk.php
http://www.google-analytics.com/__utm.gif?utmwv=4.7.2&utmn=975551769&utmhn=wepawet.cs.ucsb.edu&utmcs=utf-8&utmsr=1280x800&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=10.0%20r45&utmdt=Wepawet%20%C2%BB%20JavaScript%20report&utmhid=1048670353&utmr=-&utmp=%2Fview.php%3Fhash%3D834246d820cd58538ae66b81baede36b%26t%3D1278722362%26type%3Djs&utmac=UA-6144483-1&utmcc=__utma%3D245414530.477027083.1278722335.1278722335.1278722335.1%3B%2B__utmz%3D245414530.1278722335.1.1.utmcsr%3Dvurldissect.co.uk%7Cutmccn%3D(referral)%7Cutmcmd%3Dreferral%7Cutmcct%3D%2F%3B
http://www.fadebook.info/iq/uk.php
http://www.tracklead.net/click.track?CID=108547&AFID=134038&ADID=245020&SID=
http://www.jmpads.com/click.track?CID=104349&AFID=43395&ADID=228241&SID=134038
http://www.cellrow.com/go/sh_ukiq_lnk_fb?keyword=43395&affiliate=43395
http://www.cellrow.com/go/ukiq_fb?ref2=lnk_fb&ref3=sh_ukiq_lnk_fb&link_type=offer&sa=poplstlwslpsq&keyword=43395&affiliate=43395&od=r9sh36
http://www.cellrow.com/s/uk_iq_central_red_138_5c019/?ref4=6811&ref5=9190&sa=poplstlwslpsq&ref2=lnk_fb&ref3=sh_ukiq_lnk_fb&sa=poplstlwslpsq&keyword=43395&affiliate=43395&od=r9sh36


But hang on - our dear fadebook.info does something else aswell. Remember the issues raised concerning like.php? If you look at the source code for /stacy/, you'll notice the lovely hidden iFrame that loads;

hxxp://www.facebook.com/plugins/like.php?href=http://www.fadebook.info/red.php&layout=standard&show_faces=true&width=450&action=like&colorscheme=light&height=80

Oh dear, looks like Facebook are no closer to sorting this one out (they were notified a while ago about the issues with this file, and said they were "aware of it" and were working on it, but I've heard nothing since). Getting back to the IQ test, let's see what they've got in store for you shall we?



We're already familiar with what an IQ test is actually for, but in this case, it's something else we're looking for. You'll notice it states;

This is a subscription service, it will cost £3.00 per week until you send STOP to 88448 (£3.00 per message. 1 message per day, 1 day per week). By completing the quiz and sending the keyword to shortcode 88448, you acknowledge that you are subscribing to our brain teasers service so you will get the brain teasers sent straight to your mobile phone. All plans are subject to the Terms and Conditions. You may receive marketing messages from us from time to time once you subscribe to this service. Customers will receive weekly brain teasers with a once-off joining fee of £3.00 being 1 x £3.00 and £3.00 per message being £3.00/wk thereafter. Customers may stop this subscription service at any time by sending a text message with STOP, to short code 88448. You must be the device owner and be over 18 or have the permission of your parent or guardian. Standard/other text messaging rates may apply. For more information call 08081-203-628. Content Provider: Entertone. Please click here to see full 'Terms and Conditions'. Affiliates

Disclaimer

This site is not associated and affiliated in any way with MySpace, Facebook, Bebo, Friendster or any other social network site. The test results and information on this site are provided for personal entertainment purposes only and does not represent a professional report, calculation or personal statement for any aspect of your personality, mental capacity or personal life.


But I smell a rat here - something just isn't right. We already know what they're going to charge you, or at least, what they say they're going to charge you - but are they telling the truth? Of course not.



See something different? You should do - they're going to charge you a £9 "joining fee". Do yourself a favour, just compare the following "terms", taken from the second screenshot, to the first lot of terms;

Summary Terms & Conditions:This is a subscription service, it will cost £9 per week with a £9.00 join fee until you send STOP to 88448 (£3.00 per message. 1 message per day, 3 messages per week). By completing the quiz and sending the keyword to shortcode 88448, you acknowledge that you are subscribing to our subscription service so you will get the latest brain teasers sent straight to your mobile phone. Entertone. All plans are subject to the Terms and Conditions. You may receive marketing messages from us from time to time once you subscribe to this service. Customers will receive tri-weekly brain teasers, with a once-off joining fee of £9.00 being 3 x £3.00 and £3.00 per message being £9.00/wk thereafter. You will be charged for each message received regardless of whether a message is responded to. Customers may stop this subscription service at any time by sending a text message with STOP, to short code 88448. You must be the device owner and be over 18 or have the permission of your parent or guardian. Standard/other text messaging rates may apply. For more information call 0-808-120-3628. Content Provider: Entertone. Please click here to see full 'Terms and Conditions'.


First:

hxxp://www.cellrow.com/s/uk_iq_central_red_138_5c019/?ref4=6811&ref5=9190&sa=poplstlwslpsq&ref2=lnk_fb&ref3=sh_ukiq_lnk_fb&sa=poplstlwslpsq&keyword=43395&affiliate=43395&od=r9sh36

Second:

You can access the second one, by right clicking any of the "answers" on the first, and opting to open it in a new tab (that's all I did), or of course, directly with the following;

hxxp://www.cellrow.com/s/uk_iq_central_red_138_5c019/?ref4=6811&ref5=9190&sa=poplstlwslpsq&ref2=lnk_fb&ref3=sh_ukiq_lnk_fb&sa=poplstlwslpsq&keyword=43395&affiliate=43395&od=r9sh36#

cellrow.com incase you're wondering, is owned by mobileservicedesk.com (also owns health-md.info), which was registered via GoDaddy, and has connections to fake meds (not surprising). Both sites live at 206.51.237.164 (206.51.232.0/21 BBBJ48559::SAGONETWORKS, LLC AS29802 via Cogent).

cellrow.com itself, is living at 174.37.212.168, which I'm sure you'll already recognize, as being SoftLayer IP space. Just like the rest of SoftLayers IP space, 174.37.212.0/24 is a range I'd strongly urge you blackhole (sorry SoftLayer, but you should've been shut down years ago, and I'm not going to stop until you either are shut down, or drastically change).

The domains running the IQ scam itself, are all hidden with Domains By Proxy (I'll be reaching out to GoDaddy concerning those), but fadebook.info shows (it's faked of course - but you already knew that);

Domain ID:D33662723-LRMS
Domain Name:FADEBOOK.INFO
Created On:08-Jul-2010 10:46:40 UTC
Last Updated On:08-Jul-2010 10:46:41 UTC
Expiration Date:08-Jul-2011 10:46:40 UTC
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:CR51580772
Registrant Name:dorthy morin
Registrant Organization:Denied Ltd
Registrant Street1:Suite 9, Ansurya Estate
Registrant Street2:Revolution Avenue
Registrant Street3:
Registrant City:Victoria
Registrant State/Province:Victoria
Registrant Postal Code:00000
Registrant Country:SC
Registrant Phone:+248.610770
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email: denied.ltd@gmail.com
Admin ID:CR51580778
Admin Name:dorthy morin
Admin Organization:Denied Ltd
Admin Street1:Suite 9, Ansurya Estate
Admin Street2:Revolution Avenue
Admin Street3:
Admin City:Victoria
Admin State/Province:Victoria
Admin Postal Code:00000
Admin Country:SC
Admin Phone:+248.610770
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email: denied.ltd@gmail.com
Billing ID:CR51580781
Billing Name:dorthy morin
Billing Organization:Denied Ltd
Billing Street1:Suite 9, Ansurya Estate
Billing Street2:Revolution Avenue
Billing Street3:
Billing City:Victoria
Billing State/Province:Victoria
Billing Postal Code:00000
Billing Country:SC
Billing Phone:+248.610770
Billing Phone Ext.:
Billing FAX:
Billing FAX Ext.:
Billing Email: denied.ltd@gmail.com
Tech ID:CR51580775
Tech Name:dorthy morin
Tech Organization:Denied Ltd
Tech Street1:Suite 9, Ansurya Estate
Tech Street2:Revolution Avenue
Tech Street3:
Tech City:Victoria
Tech State/Province:Victoria
Tech Postal Code:00000
Tech Country:SC
Tech Phone:+248.610770
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email: denied.ltd@gmail.com
Name Server:NS1.AFRAID.ORG
Name Server:NS2.AFRAID.ORG
Name Server:NS3.AFRAID.ORG
Name Server:NS4.AFRAID.ORG


Surprised to see afraid.org making an appearance? Nope, me neither, they're a little of a favourite amongst the criminal fraternity.

No comments: