Blog for hpHosts, and whatever else I feel like writing about ....

Thursday, 6 August 2009

Freeze.com/screensaver.com/shameful-pictures.com in MSN Phishing scam, with bonus malware!

My friend Tom sent me a couple of links earlier, to URLs that were reported to contain worms.

girls.without.clothes.are.on.these.shameful-pictures.com (69.90.81.141 - my.stupid.isp.did.not.update.my.dns - QITX Inc. PEER1-QITX-51)

Not seeing anything other than references to freeze, and login requests in the source code, I created a new MSN account, and duly loaded the page in the browser to see if there was indeed a worm. Alas nope, not thus far.

This one, courtesy of shameful-pictures.com, presents you with a lovely little login form asking for your MSN login details, and yep, it obviously checks whether they're valid or not, as I tried several times using random and bogus data that it kept rejecting, before I gave up and created a dedicated MSN test account for it.

Needless to say, you aren't given any nude pictures, contrary to its claim; nor, however, was I able to find a worm. I did, however, find malware from Freeze.com, which is the only other thing (aside from stealing MSN credentials) this thing seems to give. Once "logged in" (and I use that term very loosely here), you're presented with:

girls.without.clothes.are.on.these.shameful-pictures.com/pics.php


You've no doubt guessed, but I'm going to tell you anyway: that big "Click here to continue" button leads you to off.freeze.com, but not before it's taken you on a little run-around:

START: 59.152.207.213/redir/?id=1c (IPC-NEWT - Hong Kong)

2. www.cpaclicks.com/secure.asp?e=cinksipisena&d=0&l=0&o=&p=0&subID1=&subID2=&subID3=&subID4=&subID5= (69.18.218.156 - Invision.com, Inc)

3. affiliates.copeac.com/ez/cinksipisena/&dp=0&l=0&p=0 (207.67.0.35 - intermarkmedia.wip.directresponsetech.com - Digital River, Inc. TWTC-DIGITALRIVER)

4. rdt.screensaver.com/?lgid=362&a=8305&f=2338|34103 (207.250.236.170 - ip170.freeze.com - GamePoint Inc. TWTC-GAMEP3)

END: lan.screensaver.com/LPQueue/885/index.asp?SessionId=444a7770-6aea-4935-a4c8-8086c356a5de&nat=0&cc=gb&cid=863170&lgid=362&a=8305&f=2338%7c34103 (87.248.211.177 - cds247.lon.llnw.net - Limelight Networks, LLNW-EU-2)

Or, if you're using Opera, the URL it links you to redirects you to:

register.freeze.com/Download/index.aspx?s=games&c=863168&SessionId=1679581c-2788-4b52-bc03-c2064fee86b0&fn=2334|34103 (207.250.236.107 - ip170.freeze.com - GamePoint Inc. TWTC-GAMEP3)
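A small redirect-chain tracer, added here as an example (it is not part of the original post nor any tool the author used): it follows Location headers one hop at a time without rendering any page, so a run-around like the one listed above, including the User-Agent-dependent Opera branch, can be recorded safely. `fetch_hop` is the live version; `FAKE_HOPS`, `fake_hop` and the User-Agent strings are constructed stand-ins modelled on the hops above so the script runs offline.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def fetch_hop(url, user_agent):
    """One request with automatic redirects disabled: returns (status, Location). Body is never parsed."""
    p = urlsplit(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.netloc, timeout=10)
    path = (p.path or "/") + ("?" + p.query if p.query else "")
    conn.request("GET", path, headers={"User-Agent": user_agent})
    resp = conn.getresponse()
    conn.close()
    return resp.status, resp.getheader("Location")

def trace_chain(start_url, hop_fn=fetch_hop, user_agent="Mozilla/5.0", max_hops=10):
    """Walk Location headers hop by hop, recording (url, host, status); stop at a non-redirect, a loop or max_hops."""
    chain, seen, url = [], set(), start_url
    while len(chain) < max_hops:
        if url in seen:
            chain.append((url, urlsplit(url).hostname, "loop"))
            break
        seen.add(url)
        status, location = hop_fn(url, user_agent)
        chain.append((url, urlsplit(url).hostname, status))
        if status not in REDIRECTS or not location:
            break
        url = urljoin(url, location)  # Location may be relative or scheme-relative
    return chain

# Constructed stand-in for the live servers, modelled on the chain listed above (not a capture).
FAKE_HOPS = {
    "http://59.152.207.213/redir/?id=1c": (302, "http://www.cpaclicks.com/secure.asp?e=cinksipisena"),
    "http://www.cpaclicks.com/secure.asp?e=cinksipisena": (302, "http://affiliates.copeac.com/ez/cinksipisena/"),
    "http://affiliates.copeac.com/ez/cinksipisena/": (302, "http://rdt.screensaver.com/?lgid=362&a=8305"),
    "http://rdt.screensaver.com/?lgid=362&a=8305": (302, "//lan.screensaver.com/LPQueue/885/index.asp?lgid=362"),
}

def fake_hop(url, user_agent):
    if "Opera" in user_agent and url.startswith("http://rdt.screensaver.com/"):
        return 302, "http://register.freeze.com/Download/index.aspx?s=games"
    return FAKE_HOPS.get(url, (200, None))  # anything unlisted is treated as a final landing page

if __name__ == "__main__":
    for ua in ("Mozilla/5.0", "Opera/9.64"):
        print(ua)
        for url, host, status in trace_chain("http://59.152.207.213/redir/?id=1c", fake_hop, ua):
            print(f"  {status:<4} {host:<25} {url}")
```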

The other images, to the left and right of the "Click here to continue" button, are all located on MSN search results, so it's possible, if there was a worm, it came from one of those, but I couldn't find it.
