Nasty IM Spam Sites Comin' at ya - UPDATE!

NOTE: It only took the DNS provider an hour or so to shut these bastards down. Good Riddance! I'm leaving the post up for educational purposes. Don't give out your Windows Live ID (Passport) or other credentials to any site unless you absolutely know who they are. In this case, you are getting a message from a trusted friend to go visit this site. That's social engineering.

UPDATE 7/28/2007: These guys are back with a new domain and a new provider, and now they have EVEN MORE "FAQ" like stuff to try and convince you that they aren't "Phishing".
TRUST ME: THEY ARE:
http://www.messenger-tips.com/

Visit this site:
http://msnlive.bounceme.net/ (This domain was TURNED OFF by the DNS provider)




it tells you who deleted or blocked you from their MSN (Live) Messenger contacts.

BUT DO NOT LOG IN!

This is one of the best examples of social engineering I've seen in a while. It looks really professional doesn't it. You are going to log in with your Windows Live messenger credentials (your Passport account, essentially - are you SURE you want to do this?). It will give you a list of all your contacts from the very beginning, and whether they are blocked or not. They could be using DotMsn - this is easy to do. Fine. Unfortunately it doesn't stop there. It will proceed to message every account (from you!) telling them about itself. You have no idea what else it may do with your credentials. I repeat: you have no idea what they will do.

I quote from their site:
"Is it safe? Absolutely. Messenger-Tips.com does not save your mail address, your password or contact list. The data you enter is just used to retrieve the requested info and discarded immediately. If you still feel insecure change your password temporarily before using this tool. "

It must be true, right? After all, you just read it on the Internet! GET REAL!

RECOMMENDATION: IF YOU DIDN'T LISTEN TO ME, CHANGE YOUR PASSWORD.

Thanks to my friend John Bailey for the heads - up on this one.

BTW, here are the people that run this little spam /scam deal:

Domain Name: MESSENGER-TIPS.COM
Registrant: Virtus Offshore Investment Co. Virtus Offshore Investment Co. (private@voichaven.com) Suite 2007 20th Floor The Century Tower Ave Ricardo J. Alfaro Panama City Panama,- PA Tel. +507.2051616
Creation Date: 02-Apr-2007 Expiration Date: 02-Apr-2008
Domain servers in listed order: ns2.ipnames.net ns1.ipnames.net
Administrative Contact: Virtus Offshore Investment Co. Virtus Offshore Investment Co. (private@voichaven.com) Suite 2007 20th Floor The Century Tower Ave Ricardo J. Alfaro Panama City Panama,- PA Tel. +507.2051616
Technical Contact: Virtus Offshore Investment Co. Virtus Offshore Investment Co. (private@voichaven.com) Suite 2007 20th Floor The Century Tower Ave Ricardo J. Alfaro Panama City Panama,- PA Tel. +507.2051616
Billing Contact: Virtus Offshore Investment Co. Virtus Offshore Investment Co. (private@voichaven.com) Suite 2007 20th Floor The Century Tower Ave Ricardo J. Alfaro Panama City Panama,- PA Tel. +507.2051616
Status:ACTIVE

Comments

  1. Anonymous2:49 PM

    Panama bastards!!

    ReplyDelete
  2. Umm, calm down, fanboy.

    ReplyDelete
  3. Anonymous7:57 PM

    Is it possible for you to turn off those stupid hover over images or they come with the blog, I can't click on a link without clicking 10 times on your blog because they get in the way of the mouse!!

    A fan of your blog.

    ReplyDelete
  4. Anonymous4:47 AM

    If a man comes to your front door and says he is conducting a survey And asks you to show him your bum, do not show him your bum. This is a scam. He only wants to see your bum. I wish I had got this yesterday. I feel so stupid and cheap. -The Bum http://www.widgetmate.com/posters Some of the best images available for free.

    ReplyDelete
  5. Anonymous:
    I have no "hover over" images here. You must be thinking about someplace else. Or, you've caught some malware!

    ReplyDelete
  6. Bum,
    Don't feel stupid and cheap - I suckered too, and it's because the social engineering made it come from your friends, whom you trust.

    Phishing filter didn't even work on this particular site.

    ReplyDelete
  7. Yes, you do have the hover images and they are incredibly annoying.

    If you hold your mouse over a link long enough, it begins to trigger. It is the package you use to preview the page before the link is clicked.

    ReplyDelete
  8. Anonymous8:33 AM

    "Is it possible for you to turn off those stupid hover over images or they come with the blog, I can't click on a link without clicking 10 times on your blog because they get in the way of the mouse!!"

    I have the same issue, hover over to any link on your blog brings up a preview image of the link (it says 'powered by snap shots'
    http://www.snap.com/?source=petesbloggerama.blogspot.com&campaign=shot_bsblogo!!petesbloggerama.blogspot.com
    )
    That is really annoying as it would not allow you to click on the link.

    Note: I am on IE 6.

    Grewal.

    ReplyDelete
  9. Ah, now I know what you are talking about. Those image popups each have a url link at the top that you can click. However, if more people complain I'll take them out. I thought they were useful, but in the big scheme of things I really do not care. The reader is more important.

    ReplyDelete
  10. I took the "hover images" out. I'm convinced that any value they added was being more than offset by the annoyances.

    ReplyDelete
  11. Anonymous2:52 PM

    I was stupid enough to fall for this stupid scam... I changed my password, will it keep sending messages/spam to my contacts as me now?

    ReplyDelete
  12. No, because it would not be able to log in with the original credentials you provided.

    ReplyDelete
  13. Anonymous7:31 PM

    These people in Panama are also involved with a HYIP site. They have failed to pay me todate. Smartertrades is their name. Beware! HJM

    ReplyDelete
  14. Well! That doesn't surprise me at all. Go after them man! Shut them down. I'm sick of this el cheapo Internet Mafia bullshit. Peons!

    ReplyDelete
  15. Anonymous8:52 AM

    The whois address is the same as used by the RBN.

    ReplyDelete
  16. Anonymous8:54 AM

    IE6? You're visiting an avant-garde blog and you're running a M$ browser?

    ReplyDelete

Post a Comment

Popular posts from this blog

FIREFOX / IE Word-Wrap, Word-Break, TABLES FIX

Some observations on Script Callbacks, "AJAX", "ATLAS" "AHAB" and where it's all going.

IE7 - Vista: "Internet Explorer has stopped Working"