Blog for hpHosts, and whatever else I feel like writing about ....

Sunday 22 November 2009

msbitsoftware.com + veramigos.com + Conduit = Facebook Phish!

Jonathan sent me an e-mail earlier, referring a domain involved in phishing. This particular one, however, contains several interesting aspects.

Most notably, it not only asks for your Facebook credentials, it also leads to what claims to be a legit software developer, and this "legit" developer is offering a Conduit toolbar, claiming it to be a "Facebook toolbar". msbitsoftware.com is an Israel-based firm, and had it not been for this, I'd have likely considered them legit.

Anyway, getting back to it, the first page you see, is veramigos.com, shown top left. This is the page that asks for your Facebook credentials. The "Free Download" for the Facebook toolbar, leads through Google/DoubleClick adverts;

http://googleads.g.doubleclick.net/aclk?sa=l&ai=Bm8b2LU0JS73VDMXcjQeuwqmiDvS7wI0B4u-HyA3AjbcBkIMZEAEYAyDVvtsVOABQ9rTDuAdgu66yg9AKoAGWgMvwA7IBDXZlcmFtaWdvcy5jb226AQozMzZ4MjgwX2FzyAED2gEVaHR0cDovL3ZlcmFtaWdvcy5jb20v4AEDqQK-36UwP6KRPqgDAcgDBegDigPoA-IF9QMAAACE&num=3&sig=AGiWqtzIYQnyLFpaOzrNSxwz4iJgAH1ayg&client=ca-pub-4179032962662895&adurl=http://www.msbitsoftware.com/FacebookToolbar/Google-UK-DownloadToolbar.htm%3Fdp%3D40011120068_33a_add%2520msn%2520toolbar_veramigos.com&nm=11

Which leads you to;

http://www.msbitsoftware.com/FacebookToolbar/Google-UK-DownloadToolbar.htm?dp=40011120069_72a_msn%20messenger%20toolbar_veramigos.com


This page leads to;

http://facebooktbtoolbar.ourtoolbar.com/exe

VirusTotal Analysis
http://www.virustotal.com/analisis/ff43cc83b428708fca9698025ce9ec40f370071a8513830aecd5a3e511a22b31-1258901559
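
Added example (not part of the original post): the DoubleClick click-through URL above carries its destination in the `adurl` parameter, so the hop from veramigos.com to msbitsoftware.com can be read out offline without following the advert. The opaque `ai` and `sig` values are replaced with placeholders, and reading the last field of `dp` as the site that showed the advert is an assumption based on the two URLs quoted above.

```python
from urllib.parse import urlsplit, parse_qs

# Click URL from the post; the opaque `ai` and `sig` values are replaced
# with placeholders because only `adurl` matters here.
CLICK_URL = (
    "http://googleads.g.doubleclick.net/aclk?sa=l&ai=PLACEHOLDER&num=3"
    "&sig=PLACEHOLDER&client=ca-pub-4179032962662895"
    "&adurl=http://www.msbitsoftware.com/FacebookToolbar/"
    "Google-UK-DownloadToolbar.htm%3Fdp%3D40011120068_33a_"
    "add%2520msn%2520toolbar_veramigos.com&nm=11"
)


def trace_click(click_url):
    """Return where an ad click redirect lands, without fetching anything."""
    click = urlsplit(click_url)
    params = parse_qs(click.query)
    if "adurl" not in params:
        raise ValueError("no adurl parameter: not a click-through URL")
    # parse_qs removes one layer of percent-encoding, so the nested
    # "%3Fdp%3D" becomes "?dp=" and "%2520" becomes "%20".
    landing = urlsplit(params["adurl"][0])
    # The second parse removes the remaining layer ("%20" -> space).
    dp = parse_qs(landing.query).get("dp", [""])[0]
    # Assumption: the last "_"-separated field of dp names the site that
    # displayed the advert, as it does in both URLs quoted in the post.
    publisher = dp.rsplit("_", 1)[-1] if "_" in dp else None
    return {
        "ad_network": click.hostname,
        "landing_host": landing.hostname,
        "landing_path": landing.path,
        "dp": dp,
        "publisher": publisher,
    }


if __name__ == "__main__":
    for key, value in trace_click(CLICK_URL).items():
        print(f"{key:13} {value}")
```

A landing host that differs from both the ad network and the publisher, as here, is the hop worth recording when documenting a chain like this one.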

Stats:

Host: veramigos.com
Current IP*: 69.175.60.242
IP PTR: server.veramigos.com
ASN: 32475 69.175.0.0/17 SINGLEHOP-INC - SingleHop

Host: msbitsoftware.com
Current IP*: 208.112.108.80
IP PTR: trunghocpleiku.com
ASN: 20021 208.112.0.0/17 LNH-INC - HostMySite

Referred to: whois.dattatec.com
By: whois.internic.net

Datttatec.com - Registration Service Provided By: Dattatec.com
Contact: +54 341 599000
Email: dominios@dattatec.com
Website: http://www.dattatec.com

Domain name: veramigos.com
Creation Date: 2009-10-14
Expiration Date: 2010-10-14

Status(es):
OK

Domain Name servers(es):
ns1.veramigos.com
ns2.veramigos.com

Registrant conatct:
Name: Ezequiel Martinez
Company: Ezequiel Martinez
Email: ezekiel.anibal.martinez@gmail.com
Address: Billingurst 1039
AR - Capital Federal ( zip: 1175 )
Phone : 54 - 1147776537

Admin conatct:
Name: Ezequiel Martinez
Company: Ezequiel Martinez
Email: ezekiel.anibal.martinez@gmail.com
Address: Billingurst 1039
AR - Capital Federal ( zip: 1175 )
Phone : 54 - 1147776537

Billing conatct:
Name: Ezequiel Martinez
Company: Ezequiel Martinez
Email: ezekiel.anibal.martinez@gmail.com
Address: Billingurst 1039
AR - Capital Federal ( zip: 1175 )
Phone : 54 - 1147776537

Tech conatct:
Name: Ezequiel Martinez
Company: Ezequiel Martinez
Email: ezekiel.anibal.martinez@gmail.com
Address: Billingurst 1039
AR - Capital Federal ( zip: 1175 )
Phone : 54 - 1147776537


Referred to: whois.tucows.com
By: whois.internic.net

Registrant:
MSBit Ltd.
7 Ha'Sadna St. P.O.B 2416
Ra'anana, NA 43650
IL

Domain name: MSBITSOFTWARE.COM

Administrative Contact:
Comfort, Ofer info@msbitsoftware.com
7 Ha'Sadna St. P.O.B 2416
Ra'anana, NA 43650
IL
+972.97486785 Fax: +972.97486786

Technical Contact:
Support, Technical support@hostmysite.com
260 Chapman Road
Suite 205
Newark, DE 19702
US
+1.3027314948 Fax: +1.0

Registrar of Record: TUCOWS, INC.
Record last updated on 24-Oct-2009.
Record expires on 23-Oct-2010.
Record created on 23-Oct-2006.

Registrar Domain Name Help Center:
http://domainhelp.tucows.com

Domain servers in listed order:
NS3.LNHI.NET
NS1.LNHI.NET
NS2.LNHI.NET

Domain status: ok

1 comment:

Anonymous said...

M.S.Bit Ltd. Official response:

M.S.Bit Ltd. is a legit software development company, located and registered legally in Israel, http://www.msbitsoftware.com and in no way, directly and indirectly, has something to do with phishing of any kind.
The ad in issue, was indeed advertised under the veramigos.com domain, but seems to be mistakenly merged with internal veramigos.com advertising, which requires personal details in Spanish (as shown in the screen shot).
M.S.Bit Ltd. has developed a legit toolbar for all Facebook fans, based on world leader toolbar framework provider, Conduit Ltd.
The toolbar is totally legit and registered as a valid Facebook application: Facebook Fans Toolbar (All-In-One Toolbar).
Other than Facebook credentials, which are obligatory for any interaction with Facebook API (and are only stored locally on the client machine, as any other browser cookie), the toolbar does not require any personal information.
In addition, in order to avoid any misunderstandings, we have decided to permanently remove all advertising material from veramigos.com domain.

Please feel free to contact us at any time for further information regarding Facebook Fans Toolbar: Email – info@msbitsoftware.com, Phone – 972 9 7486785