Showing posts with label scam. Show all posts

Thursday, 9 July 2015

Scams spreading through Skype



I got a message today on Skype to check out an eBay page with my name on. Sounds great!

Hey $name! Look http://www.ebay.com/new/$username





Another example is:






However, the link was not exactly pointing to eBay:

Not eBay, but what appears to be google.dj







Turns out the actual link behind the eBay one is pointing to:





What follows after is for tracking and to disable the Redirect notice message from Google. For those who are curious, google.dj is a legitimate website of Google for the African country Djibouti.

What seems to be random numbers is actually just hex for:





When you click the link, you will simply do a Google search for that webpage and visit it. This does not mean google.dj is compromised in any way. As an example, you can use the same link with google.com instead of google.dj.
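The check described above (compare the site a message shows with the site the link really leads to, and decode the hex-looking part) can be automated. The following is an added example, not part of the original post; it assumes the destination travels percent-encoded in a `url` or `q` query parameter, and the sample link and the host `landing.example` are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Query parameters assumed to carry a redirect destination. The post does not
# show which parameter this campaign used, so these names are an assumption.
REDIRECT_PARAMS = ("url", "q")


def host_of(url):
    """Return the lowercase hostname of a URL-like string ('' if none)."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def hex_encode(text):
    """Percent-encode every byte, which gives the 'random numbers' look."""
    return "".join("%{:02X}".format(b) for b in text.encode("utf-8"))


def embedded_target(href):
    """Return the decoded URL hidden in a redirect parameter, or None."""
    params = parse_qs(urlsplit(href).query)  # parse_qs decodes %XX escapes
    for name in REDIRECT_PARAMS:
        for value in params.get(name, []):
            if value.lower().startswith(("http://", "https://")):
                return value
    return None


def inspect_link(shown_text, href, max_hops=5):
    """Follow nested redirect parameters offline and compare the hosts."""
    chain = [href]
    target = embedded_target(href)
    while target and len(chain) <= max_hops:
        chain.append(target)
        target = embedded_target(target)
    return {
        "shown_host": host_of(shown_text),   # what the message displays
        "link_host": host_of(href),          # what the link points to first
        "final_host": host_of(chain[-1]),    # where the chain ends
        "chain": chain,
        "mismatch": host_of(shown_text) != host_of(chain[-1]),
    }


# Constructed sample: text that looks like eBay, a link that goes to a Google
# redirect, and a hex-encoded destination behind it.
SHOWN = "http://www.ebay.com/new/someuser"
HIDDEN = "http://landing.example/page"
HREF = "http://www.google.dj/url?url=" + hex_encode(HIDDEN) + "&id=constructed"

if __name__ == "__main__":
    report = inspect_link(SHOWN, HREF)
    for key in ("shown_host", "link_host", "final_host", "mismatch"):
        print(key, "=", report[key])
```

Nothing is fetched: the link is only parsed, so it is safe to run on a suspicious URL copied from a message.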

On the lengthy site mentioned above, you'll be served a piece of JavaScript, which you can view on this Pastebin link:
Scams spreading through Skype
(In short, it uses a simple Math.random call to serve you a slightly different website each time.)



Fiddler capture






Eventually, you'll end up on a typical weight loss scam website:

Obviously not the real Women's Health website









Trying to leave the website










Long story short.....


Prevention

Install the WOT extension into your browser. (Compatible with most modern browsers)
WOT is a community-based tool and is therefore very useful for these kinds of scams, as other users can warn you about a site's validity.

Use a strong password for Skype and anything else for that matter.

Don't click on "funny" links. A trick is to "hover" on the link to reveal the actual website behind it.



Disinfection

Close your browser.

Change your Skype password immediately. How do I change my password?

If the message came from an unknown contact, report it: How do I report abuse by someone in Skype?

If the message came from a friend, be sure to notify him/her and to follow the steps in this post.

To be sure, you can always run a scan with your favorite antivirus and/or antimalware product. (however, I have not seen any malware in this particular campaign)


Conclusion

In the past, malware has spread via Skype, but this is the first time I'm seeing a scam presented in this way. I have contacted Skype to ask how they were able to hide the actual website behind the eBay link, as I do not know - if you do, be sure to let me know in the comments.

Also, follow the steps above to stay safe.

Monday, 12 May 2014

A word on phone scammers

You have probably heard one of the terms "cold call", "calling from Windows" or "phone scam" before.

Microsoft's definition:
In this scam cybercriminals call you and claim to be from Microsoft Tech Support. They offer to help solve your computer problems. Once the crooks have gained your trust, they attempt to steal from you and damage your computer with malicious software including viruses and spyware.

In other words:
someone unknown to you calls you, telling you there's an issue with your computer and they can fix it.

Recently, I received a machine and report from people who had been so unfortunate as to fall for this scam.


In this post I'll be dissecting how the scam works, why it works and what to do to protect yourself, as well as what to do if you've already been scammed.

How it works
Why it works

What to do next 

Conclusion



How it works

Preface

Usually, the scammers will simply open up a phonebook and start going down the list of names.

Other means may be, but are not limited to:



  • Fake support services - websites claiming to help you with computer issues, but which are in fact just another scam
  • Your phone number has been spread on the web one too many times (by either yourself or someone else)
Only just recently several internet giants (Google, Facebook, Twitter, ...) have joined forces to combat malicious tech support ads. You can find them on: http://trustinads.org



 
Scenario

The phone rings. You do not recognise the number, but you pick up anyway. A voice says: 
"Hello Sir/Madame, we are calling from Windows". A man or woman tells you to browse to a certain website and connect with them so they can repair or restore your computer.

Some characteristics about the call itself:


  • The man or woman often has an Indian accent
  • They call from a number outside your current country or have an unknown caller ID
  • They urge you that there's a problem with your computer that needs immediate fixing
  • They impersonate legit companies, for example Microsoft or even an antivirus company


On this Pastebin is a list of numbers which are being used or have been used for these cold calls. Often though they'll use a "private number", "anonymous" or unknown caller ID. They may also spoof the caller ID.

It doesn't matter which operating system you use or which type of computer, they'll always state there are critical system errors, thus you should connect to a certain website, download and run a program.

They always use legitimate services: remote software tools which are not harmful by themselves, but can be used (as in these cases) by phone scammers. A list of the tools most often used:


  • Ammyy
  • Bomgar
  • GoToAssist
  • ScreenConnect (ConnectWise Control)
  • ShowMyPC
  • TeamViewer
  • LogMeIn (LogMeIn Rescue)
  • ...  Others


As stated before, these tools are not malicious. Often free, they're a simple way for a technician to connect to a customer's machine (for example) and solve a technical issue. Unfortunately, they can also be used for malicious purposes.

Some of these tools have clearly stated they are not associated with any of these scams. Other tools provide a form to fill in if abuse is suspected or witnessed, like LogMeIn.

Next up: say you have downloaded and executed one of those tools and the scammer now has access to your machine. There are several known scenarios, but it usually boils down to them showing you the Event Viewer (a legitimate Windows tool which can provide useful information in the event of system crashes, or simply system information. More information here).

Usually, you'll find one or more errors in there, unless the machine was freshly installed. Note that this is not unusual at all. Sometimes, this part works the other way around: they will first ask you to open up the Event Viewer so you can verify they are speaking the truth (but not really) and there are indeed "errors on your machine which need to be fixed as soon as possible."


"Scary errors in the Windows Event Viewer." Source





















Afterwards, you'll have to pay a certain amount of money to fix the errors (which weren't there in the first place). This can usually go down in either of these ways:


  • You have to pay a reasonable sum of money, say 5 or 10 euros/dollars/pounds.
  • You have to pay a not-so-reasonable amount of money, varying from 100 to 300 euros/dollars/pounds.

In both cases, chances are very likely you'll end up paying even more. Again, some possibilities:


  • The "technician" claims the transfer did not work or was incomplete and asks to try again.
    (but in fact it did work and they're just trying to rip you off even more.)
  • They will steal login information and/or CC credentials or other bank account/Paypal/.... information.
    (several possibilities here obviously, depending on which type of payment you used.)

It is also possible they install fake antivirus software (rogueware) or even a cracked copy of antivirus software (for the cynics: no, they are not the same). Which in turn means you'll need to get rid of that as well... And have to cough up more money.

Other reports have pointed out that, when the scammer's patience runs out, critical files (Windows system files) or personal documents were deleted by the scammer.


Background

It is not entirely certain when the first phone scams as described in this blog post began. If you do have a timeline, be sure to let me know so I can include it.

This type of social engineering may be well known by now, but is not that much in the media in comparison to other types of threats. 

Small remark here, don't be fooled: you're not the first one and certainly not the last one they will try to scam. There's in fact a whole business model behind the scam: call centers filled with "technicians" who will do nothing all day but call people and try to scam them.

There's also an excellent video by Malwarebytes showing the different stages of the scam - and the scammer eventually getting irritated and going on a rampage (or that's what the scammer believed):



Why it works

Obviously, the scammers use a certain tactic to convince you to pay them your hard-earned money. This tactic is mostly known as FUD (Fear, Uncertainty, Doubt). There's a Wiki link available by clicking here.

In short:
  • Fear: they tell you there's an issue or several issues with your computer
  • Uncertainty: you may have had some slowdowns recently. Or, coincidentally or not, you just had malware.
  • Doubt: "I did have this issue, maybe they can help me?"

No! Doubt is their product, you being uncertain is their second step for a successful scam. The third part is fear and eventually you giving in.

The scam or social engineering tactic may be as old as the hills, but that doesn't mean it won't work. Hence the many reports on this scam, and people still falling for it, even though it has existed for several years (no exact figures or statistics are available on that).

It is always possible you recently had some issues with your machine, but that doesn't mean the scammers know. They are just guessing and hoping you'll fall for it - most people are trustworthy, right? Not on the internet.


What to do next

Investigation

If possible, write down as much information as you can before following the remediation steps:


  • Often, the remote tools mentioned will utilize an ID or code. Write down the ID or code.
  • Write down the date and time when this remote session happened. Write down your public IP address if known - you can also check this via whatismyip.com.
  • Write down the phone number(s) as well as date and time when they called you.
  • Write down the name of the remote program/tool, as well as any other information you may think of. (name of the person calling you (99,9% of the time fake, but you never know), what exactly happened, if/how/when you paid or transferred any money and any other information which you think may be helpful.)

Remediation or disinfection

If it is too late, the first thing to do is to stop whatever the scammers are/were doing. In particular:


  • Unplug the ethernet cable or turn off your wireless. Reboot your machine. Is a pop-up coming up asking for a connection or waiting for a connection? Close it.
  • Call your bank, your credit card provider, Paypal or whichever means you have used - call your financial institution as soon as possible to cancel the transfer!
  • Uninstall any new & unknown software you find. Verify in Add/Remove Programs whether any of the above-mentioned tools have been installed, for example.
    Also check the usual locations, for example C:\Program Files or C:\Program Files (x86).
  • Perform a full scan with your antivirus software, especially in the case of a fake antivirus or rogueware. Restore internet access at this point and run a scan with another online antivirus.
  • Call your phone company! Ask them if they can verify who has called in case of an unknown caller ID - or to block the specific numbers should you receive these calls regularly.
  • Change passwords of your computer - meaning your user password, but the password(s) of your bank account/Paypal and others as well.
  • When you deem this necessary, perform a system restore of your machine. In serious cases, an even better option is to format your machine completely (though usually not necessary).

Now, file a complaint via the Internet Crime Complaint Center (IC3) or via your local police station or CERT (list of CERTs available via Enisa or Europol). Include any information you have gathered. It is important you do this to be able to uncover and jail these scammers. If you were redirected via an ad on a legitimate website, file a report via TrustInAds as well. Do not be afraid to ask for further information.

Prevention

Unfortunately, there aren't too many options to prevent this particular scam. A few pointers:



  • Unknown caller ID or private number? Don't pick up, unless you're indeed expecting a phone call.
  • Weird or long number calling you? Don't pick up. If you decide to pick up, listen to what they have to say, smile and put down the phone anyway.
  • Receiving these calls regularly? Call your phone company so they can block it. If you're receiving a lot of these calls, be sure to not pick up, as they'll know there's someone on the other side, even though you put down the phone immediately.
  • Missed a few calls from these numbers? Don't be tempted to call back. A similar scam is calling you, but after 1 second immediately hanging up. This may tempt you into calling back. Don't fall for that scam either. (they are not necessarily the same cybercriminals, but they both want your money.)
  • Avoid shady "tech support" websites. A tool which may help you in this is WOT - Web Of Trust.
  • Add yourself to the National Do Not Call Registry (US only). This may not prevent phone scammers, but it does prevent other marketeers from calling you and spreading your number to others. For all other countries: inquire with your local CERT for options, as there aren't many available.
  • If you are managing someone else's computer it may be a good idea to set up a limited user account.
  • Last but not least: use your common sense! When in doubt, simply hang up the phone.


For providers of these remote tools:


  • Include a clear page on your website warning about the possible malicious use of your software.
  • Include an abuse report form - whether via a ticketing system, by call or mail or any other means.
  • Send all information the victim provided to the legal authorities so they can take action.
  • Inform the user of what has happened - should they blame you. Refer to your warning page about this scam.



Conclusion

As pointed out in this blog post, phone scammers are not new. Yet their scare tactics still seem to work. 

Just like other cybercriminals, phone scammers need to be put down. You can help if you were a victim by reporting this incident to the authorities. Follow the tips above to be able to protect yourself better.

For any other questions, suggestions or remarks: do not hesitate to leave a comment or contact me on Twitter: @bartblaze

Finally, I've added some other useful resources and documentation on this type of scam down below. 


Resources

Federal Trade Commission (FTC) - Phone Scams
DataNews / Knack - Hoe herken je een oplichter via de telefoon? (NL)
DataNews / Knack - Comment reconnaître un escroc au téléphone? (FR)
KrebsonSecurity - Tech Support Phone Scams Surge
Malwarebytes - Tech Support Scams – Help & Resource Page

Microsoft - Avoid tech support phone scams
TrustInAds - Bad Ads Trend Alert: Shining a Light on Tech Support Advertising Scams (PDF)  
WeLiveSecurity - My PC has 32,539 errors: how telephone support scams really work (PDF)




Tuesday, 13 August 2013

Scams, scams everywhere


It's the scam season. Well, actually scams are always going around. Facebook is pretty popular to spread those scams, for example the Gina Lisa Facebook scam and the scam to have Facebook in a different color.

There's one recently that caught my attention:

"This is incredible"




















Basically what happened here is that someone on Facebook clicked on the wrong link, and the event got automatically created. Consequently, all of his/her friends were invited to the event as well.

Of the 4 pages that showed up in the search results (there are many more), ~500 people clicked on the bit.ly links, which is not very much considering how many people got the invite. Most of the comments on the events were "What is this?", so this means most people realised it's fake.

The CNN logo is being (mis)used, probably to make it look more legit. When you click on the link, you get redirected through affiliates but eventually you land on the following page:


"Dr. Oz Miracle Diet"




















Websites:
hxxp://consumerhealthnews9.org  - URLvoid Report
hxxp://consumerhealthnews6.com   - URLvoid Report

When clicking on any of the links on those sites, you get redirected to:
hxxp://ww90.thorizo.net  - URLvoid Report

More affiliates, more links to click on. The title for this blog post could also have been "affiliates, affiliates everywhere". 



Removal

If it seems that you have created the event, simply go to the event page, click the "wheel" icon and choose "Cancel Event":

Cancel the event















Be sure to also check your Apps, it's possible you allowed a malicious app to post & create things on your behalf:

Check your Apps












If you were invited to the event, simply ignore the message. You can also report the event as scam or spam by clicking on the Report button on the left of the event:

Report the event






















Conclusion


To keep it short and simple:
don't fall for these types of spam/scam, most of the time it's pretty obvious it's fake.

If in doubt, ask your friend on Facebook (or whoever sent you the link) via PM whether he or she knows what this is about.

You can also use a linkscanner to verify the integrity of a link on either http://www.urlvoid.com or https://www.virustotal.com/

To get some information on a bit.ly (or other URL shortener services) link, you can use any of the following websites:
- http://www.getlinkinfo.com/
- http://longurl.org/
- http://www.longurlplease.com/ (includes Firefox extension)

To report a malicious bit.ly link use:
http://bitly.com/a/report_spam

Monday, 24 June 2013

Gina Lisa Facebook scam



Yet another Facebook scam, this time luring users with a sextape from Gina Lisa, who is apparently a German model:


Yet another Facebook scam: "Gina Lisa Sextape"





















When you click on the link you get:
Verify your age first
















When you click on the video to "verify your age" you are redirected to what appears to be a site for gambling, poker games, etc.:

Subscribe and get a free bonus. Looks legit
















I suspect you'll probably have to pay up sooner or later to continue playing. Stargames.com is apparently known for spamming blogs & other sites.

hXXp://hot-movie.pw - URLvoid Report
hXXp://stargames.com - URLvoid Report



This scam and/or spam will also post on Facebook on your behalf. Go over your Privacy Settings on Facebook and make sure you delete this "app" if you see it. Remove any posts you have made as well and report similar posts made by your friend(s).



Prevention

Pretty straightforward: do not click on any of these links, however tempting they might be! Ask your friend if he or she knows what it means, and slightly hover over the post until the 'X' becomes visible. You can then mark the post as spam, and it will be removed from your friend's wall.

It might also help to install the WOT extension into your browser. (Compatible with most modern browsers)
WOT is a community-based tool and is therefore very useful for these kinds of scams, as other users can warn you about a site's validity.
More information and to download WOT: http://www.mywot.com/



Conclusion
To keep it short and simple:
don't fall for these types of spam/scam, most of the time it's pretty obvious it's fake.

Wednesday, 20 February 2013

Facebook in a different color? Nah, just a survey scam


I got messaged about an obvious scam on Facebook:


New Facebook colors!













Strangely enough, that person's Facebook color was still in blue. Is it possible this is just a scam? ;-)


Going to the application:

The application "Pick a col0r" requests your permissions


 Next screen....:
I choose the blue color. Oh, right...




















You've won!



As with most applications like these, you first have to fill in a survey to get your Facebook in a different color. Obviously, you still won't be able to even if you have filled in all your information for a chance to win product X or Y.


The application will make the same post on your wall as in the first picture. To remove it:

Go to your privacy settings, applications and remove "Pick a C0lor".



Confirm the removal and check the box. 




 Conclusion

You cannot change the color of Facebook at this point, there is no dislike button, ....

All of these 'applications' point to survey scams where you fill in all your information and your inbox will be flooded with spam mail. And no, you haven't won anything.




Thursday, 17 January 2013

About YouTube top comments


Have you seen the top comments on YouTube recently? Mostly, they're about the video clip itself, or about other artists that do not live up to the talent of said video clip ;-) .

Sometimes, however, spam reaches the top comments (whether or not with a lot of upvotes):
Another user is being addressed, "confirming" the site is real








I've seen this kind of YouTube spam unfold into 2 scenarios:
1) The usual survey scams, promising an iPad for example
2) The download of adware or a PUP (Potentially Unwanted Program) to your machine


Let's take a look at both scenarios, we will go more in depth about the second one, as it is the most interesting. This post includes prevention methods, a removal process and a conclusion at the bottom if you want to skip the investigation.



Investigation


1) Survey scam

As seen in the picture above, another user is being addressed. This user did not make any comments on the video at all. I'm guessing they use this little trick to 'confirm' someone asked about it and they are 'just helping out'. The comment has several upvotes as well, thanks to the use of bots.

Clicking on the bit.ly link, you are being redirected to another website:
hxxp://alllightsfull.info/prize/prize.html
2/30 - URLvoid Result
2/33 - VirusTotal Result
AllLightsFull.info - Whois Record

Screenshot:
Congratulations! You won a... Survey scam!
















After clicking on Start Now!, you'll get redirected to fill in a survey for a chance of winning an iPad... Which will redirect you to another survey... To another survey.... Until you need to fill in personal details such as your email address. In my case, I had to subscribe to about 20 other instances (read: Brace yourselves, spam is coming) to win the iPad.

 Obviously, you won't win anything and your email address will end up on several spamlists.

 

 2) Adware / Potentially Unwanted Program

In this scenario, you end up on a different website, but with a similar, easy layout:
Download Youtube videos with "YouTubeSaved"



























Some information about the website:  
hxxp://www.youtubesaved.com 
1/30 - URLVoid Result
0/34 - VirusTotal Result 
YoutubeSaved.com - Whois Record

You can download from Download.com/CNET or directly via their website. I'm not sure what's worse: the fact that you can download this beautiful piece of crap via CNET or that it's Norton/VeriSign Secured.

The following file is downloaded:
cid_185425_sono.exe
Result: 3/46
MD5: a3675a8439b09049a76da7f9c93c4a34
VirusTotal Report
Anubis Report
ThreatExpert Report


In the following minutes, I got several new screens to install additional software:
FLV Media Player coming along with WhiteSmoke


FLV Media Player coming along with PriceGong, Freetwittube,...

















Some readers might remember WhiteSmoke from a few years ago, when it came bundled with a rootkit and was particularly annoying as well as hard to remove.

While I was eagerly clicking Next on all of the screens, there were a few connections. In fact, in those 5 minutes of installing FLV Media Player (and thus also: Yontoo, Relevant Knowledge, Free Ride Games, Moyea, Remote Programs, PriceGong, Conduit and WhiteSmoke), there were about 1140 outbound HTTP requests installing even more adware.

If you're interested in these connections, I have uploaded a Fiddler log to Pastebin:
http://pastebin.com/QxcHca1Z


Interesting to note is that Firefox gave a warning about a particular toolbar:
https://addons.mozilla.org/en/firefox/blocked/i226
From that page:
This add-on is silently side-installed by other software, and doesn't do much more than changing the users' settings, without reverting them on removal.

Actually it does more than that, it redirects your searches (through ad-sponsored networks), changes your homepage, annoys you with pop-ups, .... This does not solely apply to WhiteSmoke.

A total of 63 newly created PE files was found on my machine. Seems like they really wanted me to install as many toolbars and as much adware as possible. Sometimes, besides being referred to as a PUP or adware, this kind of software is called foistware.

You can find a Pastebin here with all VirusTotal results: http://pastebin.com/87HspUgu



Prevention

Now, how do we prevent these applications from ever entering our system? Here are a few tips:

  • Carefully consider what you are installing. Is this program known at all? What does it do? Do I really need this installed? A simple Google search reveals a lot of answers.
  • Don't click Next, Next, Next or OK to everything or in any of the screens you get. This is a golden rule in general.
  • Read the EULA. No wait, what? Those EULAs are always way too long! That's right, luckily there's a tool available which can assist us in identifying unwanted behaviour. The tool is called EULAlyzer, by the same developer as SpywareBlaster (which also helps prevent these).

    I did a scan on a EULA from PriceGong which uncovered the following results:
    EULA states advertising, your searches being submitted and more










  • Use the extension WOT (Web of Trust) to get a second opinion about website X or Y.
  • If you encounter a link that is shortened (for example bit.ly, t.co, tinyurl, ....) you can use a website such as GetLinkInfo or Unshorten to acquire more information on that link. Awesome!



Removal

Of course, it might be too late for some users. They are already seeing pop-ups everywhere, getting amazing deals or are getting redirected in their search engines. Again, you can find some hints:

  • Most of these programs can be easily removed via the Control Panel > Add/Remove Programs. There's also a small guide by Microsoft on how to do that. After uninstallation, these programs will open your browser and offer to reinstall the "product". Just close the browser when that happens.
  • "I removed these programs but am still getting redirected. Why?"
    Probably the Add-On, Extension or Plugin is still installed and active in your browser. Remove or disable this manually by following these steps:
    Removing extensions from Internet Explorer
    Removing extensions from Mozilla Firefox
    Removing extensions from Google Chrome

    Restart your browser afterwards and confirm the changes. It's possible you need to manually reset your homepage as well.

  • "Not everything is gone and I don't see anything in the Add/Remove Programs."
    When this happens, you can use a tool like AdwCleaner. Please keep the following in mind:
    - Close all browsers before executing AdwCleaner
    - Click on Search. A logfile will open. Review this carefully! AdwCleaner is pretty strict in removing adware. Then, you can select delete to delete all the unwanted/malicious entries.
    - More information can be found on the download page of AdwCleaner (see above).
  • After following these steps, use your already installed Antivirus and perform a full scan. When that's finished, you can also use Malwarebytes to perform a Quick Scan and ensure everything is gone. Be sure to select in the Settings tab > Scanner Settings that PUPs are shown in the scan results.
  • If you are having difficulties or are not too sure of following these steps all by yourself, you can always make a post on one of the several forums out there specialized in removing malware and other nonsense from a machine. An example forum where you can get help is BleepingComputer.



Conclusion

After reading this post, I'm sure you can now see the thin line between goodware and foistware, adware, or Potentially Unwanted Programs. With the tips above, you should be able to arm yourself against these kinds of threats.

Some legit programs like Java or Adobe also offer these "toolbars". Don't be fooled! The same above rules should be applied here. Tick off those boxes and read carefully through the installation wizard! Why are these things still around you might ask? There's an interesting article here by Ed Bott:
Why does crapware still exist? Follow the Silicon Valley money trail

You might wonder why your antivirus didn't ring any bells when installing this software. The easy answer is: it is hard to differentiate if this is malicious behaviour, as the user consents and agrees to the EULA - which is basically an agreement to all these unwanted modifications!
The hard and longer answer is something to discuss in a future blogpost.

Conclusion: don't install something when you have no idea what it is or does. Google can be your friend.


Wednesday, 14 November 2012

Diablo account phishing


Do you love the smell of phishing in the morning? I surely don't. In today's post we will be reviewing a phishing attempt for Diablo or Diablo III.

The following mail ended up in my mailbox:

You need to login as soon as possible to avoid account closing

There are other, less fancy examples:

Same trick as in the previous example. You need to "verify" your account


Subjects of the mail can vary, but these are the most common:
- Blizzard Notification About Diablo III Account
- Diablo III Account-Notice
- Diablo III Account - login validation
- You must verify your identity as the registered account .World of  Warcraft - Diablo III account (s).

The introduction in the email reads:

Greetings!   It has come to our attention that you are trying to sell your personal Diablo III account(s). As you may not be aware of, this conflicts with the EULA and Terms of Agreement. If this proves to be true, your account can and will be disabled.  It will be ongoing for further investigation by Blizzard Entertainment's employees. If you wish to not get your account suspended you should immediately verify your account ownership.


Let's move on to the actual link in the phishing mail. When clicked you'll land on the following page:

An exact copy of the real login page at Battle.net















Below you can find the list of URLs I've gathered in the past days, do not visit any of them as they may harm your computer (or even worse, your Diablo account ;-) ).





Most of the domains seem to be set up by the same person, someone named "Jin Yu":
Registrant Contact:
   Jin Yu
   Yu Jin jinyu2000@yahoo.cn
   +86.324242434233 fax: +86.324242434233
   ShengLiLu
   Shangraoshi Jiangxi 610041
   CN

Other email addresses associated with Jin Yu:
329409115@qq.com
service@511web.com


Almost all of the IP addresses are originating from China. The hosting companies are as follows, and seem to not care (or know) that malware and phishing pages are set up:

Beijing Weishichuangjie Technical Development Co. - IPvoid Result
DEEPAK MEHTA FIE - IPvoid Result
New World Telecom Ltd., Hong Kong - IPvoid Result
XIN XIN LING - IPvoid Result


Thanks to IPvoid you can easily see other sites hosted there, seems there is more of the same. (read: more malware & phishing pages are hosted)




Conclusion

Stay away from phishing mails like the ones pointed out in this post. There are several variants, some more graphical than others, but in the end they serve the same purpose:
Trying to steal your login credentials!

I'm sure that even when you open the mail, alarm bells should be going off if you simply check the URL: it's pointing to another address than the usual login page.

To be clear, the real webpage to log in to your Battle.net account is:
https://battle.net/login/en/
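
Checking the URL, as advised above, means checking which domain the hostname ends in, not whether the official name appears somewhere in the link. The following is an added example, not part of the original post; the lookalike URLs are constructed for illustration, and treating subdomains of battle.net as official is an assumption.

```python
from urllib.parse import urlsplit

# From the post: the real login page lives on battle.net.
OFFICIAL_DOMAIN = "battle.net"


def naive_check(url):
    """Flawed check: passes any URL that merely contains the official name."""
    return OFFICIAL_DOMAIN in url.lower()


def hostname_of(url):
    """Parse the hostname; accepts defanged 'hxxp' schemes used in reports."""
    url = url.strip()
    if url.lower().startswith("hxxp"):
        url = "http" + url[4:]
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""  # drops any 'user@' part and the port
    return host.rstrip(".").lower()


def is_official(url):
    """True only if the hostname is the official domain or a subdomain of it."""
    host = hostname_of(url)
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)


# Constructed samples. Only the first URL comes from the post.
SAMPLES = [
    "https://battle.net/login/en/",
    "https://us.battle.net/login/en/",
    "hxxp://us.battle.net.account-check.example/login",  # official name as prefix
    "http://battle.net@login.example/",                  # official name as userinfo
    "http://notbattle.net/login",                        # official name as substring
]


def classify(urls):
    """Return (url, naive verdict, hostname-based verdict) for each URL."""
    return [(u, naive_check(u), is_official(u)) for u in urls]


if __name__ == "__main__":
    for url, naive, strict in classify(SAMPLES):
        print("{:<55} naive={!s:<5} official={}".format(url, naive, strict))
```

The substring check accepts all five samples; the hostname check accepts only the first two.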

If you're ever in doubt, visit the website directly and do not click on any links in emails from unknown senders. Use add-ons like WoT and/or NoScript to stay protected against these types of threats.
You can also use the URL scanning services at VirusTotal or URLvoid to double-check a URL.