Blog for hpHosts, and whatever else I feel like writing about ....

Thursday, 6 August 2009

MSN Phishing scam, with bonus malware!

My friend Tom sent me a couple of links earlier, to URLs that were reported to contain worms. ( - - QITX Inc. PEER1-QITX-51)

Not seeing anything other than references to freeze, and login requests in the source code, I created a new MSN account, and duly loaded the page in the browser to see if there was indeed a worm. Alas nope, not thus far.

This one, courtesy of, presents you a lovely little login form, asking for your MSN login details, and yep, it obviously checks if they're valid or not as I tried several times using random and bogus data that it kept rejecting, before I gave up and created a dedicated MSN test account for it.

Needless to say, you aren't given any nude pictures, contrary to its claim, nor however, was I able to find a worm - I did however, find malware from, which is the only other thing (aside from stealing MSN credentials) this thing seems to give. Once "logged in" (and I use that term very loosely here), you're presented with;

You've no doubt guessed, but I'm going to tell you anyway, that big "Click here to continue" button, leads you to, but not before it's taken you on a little run-around;

START: (IPC-NEWT - Hong Kong)

2. ( -, Inc)

3. ( - - Digital River, Inc. TWTC-DIGITALRIVER)

4.|34103 ( - - GamePoint Inc. TWTC-GAMEP3)

END: ( - - Limelight Networks, LLNW-EU-2)

Or if you're using Opera, the URL it links you to, redirects you to;|34103 ( - - GamePoint Inc. TWTC-GAMEP3)

The other images, to the left and right of the "Click here to continue" button, are all located on MSN search results, so it's possible, if there was a worm, it came from one of those, but I couldn't find it.
