Saturday, July 27, 2013

gldd.me - Text Message Scam

Recently I received a text message from an unknown number (18324646571), saying it was from a friend of mine and that I should click a link. The link alone is a dead giveaway that I should be concerned. I decided to trace the request path to see how the link resolved and what would be waiting on the other end. This meant I would have to see where the link took me (this was done in a controlled environment to guard against possible viruses and trojans). I watched as the domain resolved through several other servers and eventually ended up at the glide.me homepage.

Some people online have said this is a virus, but the truth is, that's wrong. This is a simple (and exploited) marketing tactic that someone is using to make some money. Basically, here is what is happening.

A company obtained names and numbers, along with the knowledge of who has whom as a contact. This could have been obtained using a virus or trojan, but some people have stated that it was stolen from mobile carriers (which I think is more likely). The company connects to an advertising network as a publisher (someone who sends out spam or advertisements, or displays advertisements on their website). They assigned each person a unique code to track which users click and to control the tracking data associated with the click.

If you click your link, it resolves to a page that converts this code into tracking data, like this:

http://launch1.co/serve?action=click&publisher_id=20320&site_id=20708&offer_id=251638&site_id_ios=16660&site_id_android=20712&sub_campaign=sms_invite

The people publishing this link are going to get a kickback from glide.me for all traffic that is referred there, and probably even more if the person downloads their software. Looking at the link, you can see that they track the site that sent it out, the offer/advertisement (i.e. "Hey buddy, check out this link! - Your friend"), the mobile sites connected, and how the user interacted with the offer (SMS).

Well, this isn't a virus, and not necessarily a scam either; it is spam and an exploitation of user data. Basically, this is the text message version of junk mail.

Tariff DNS Scam Email - DreamHost Phishing Scam

Recently, I received an email that was supposed to have come from my hosting company. It said I needed to confirm a request to change a tariff plan, although the wording was awful and it was very non-specific as to the recipient. The email I got was as follows:

Dear DreamHost client,

In your account has been created request for changing of a tariff plan. 
It is necessary confirmation of this request. 
You can do it in the section (Change tariff) Virtual Offices :

https://dreamhost.com/login.aspx?ts=domain.org?
19abc7f04ff-c0ac4315-99bf3-55dcbd7ec5c44AECA3E759B1992CFA6Ad4

Sincerely,

DreamHost hosting Team.


Someone who is rushing may not read the contents of this email and just click the link. This clever scammer set up a catch-all subdomain so that the link would even appear to be directing to dreamhost. The link would take you here:

http://panel.dreamhost.com.login.2qjesez0l6dlilz4tuz67gzzz1bkwp4lyg3apxo1jrzimfx27l9wbbgbuaf72m.vqp9gqp87c8za6gayfc0fvryrbzkczg4r4u5f95me64v9q1ddk99x4qcoo85e.eyt0b3of65cvtd5c6shn2baq8xslyuj4yckz72tgwok4n5npixapz02xr3viztc.kidea.com/login.php?domain=domain.org

At first glance, this appears to go to http://panel.dreamhost.com, but notice that it is really all part of a complex subdomain meant to confuse the recipient. The root domain is actually kidea.com.
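As an added example (not part of the original post), the following Python script applies the two checks discussed in both posts to a link before anyone clicks it: it pulls the affiliate tracking parameters out of the launch1.co URL from the text-message post, and it finds the real root domain of the phishing URL above and flags that a brand name (dreamhost.com) appears only in the subdomain labels. The TRACKING_PARAMS and PROTECTED_BRANDS lists and the two-label root-domain rule are simplifying assumptions made for this example.

```python
from urllib.parse import urlsplit, parse_qs

# Parameter names commonly used by affiliate/ad networks to attribute a click.
# Assumption for this example: the post only shows the names present in its
# launch1.co link (publisher_id, site_id, offer_id, sub_campaign, ...).
TRACKING_PARAMS = {
    "publisher_id", "site_id", "offer_id", "site_id_ios", "site_id_android",
    "sub_campaign", "aff_id", "affiliate_id", "clickid",
    "utm_source", "utm_medium", "utm_campaign",
}

# Brands that should only ever appear as the real root domain of a link.
# Constructed list; dreamhost.com is the brand the phishing link imitates.
PROTECTED_BRANDS = {"dreamhost.com", "paypal.com"}


def root_domain(host):
    """Return the registrable domain as the last two labels of the host.

    Simplification: a production check should consult the Public Suffix
    List so that hosts under suffixes such as co.uk are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brand_in_subdomain(host):
    """Return protected brands that occur in the subdomain part of the host
    while the actual root domain is something else (the kidea.com trick)."""
    host = host.lower()
    root = root_domain(host)
    prefix = host[:-len(root)] if host.endswith(root) else host
    return sorted(b for b in PROTECTED_BRANDS if b != root and b in prefix)


def analyze_link(url):
    """Summarise what a link reveals about who sent it and where it really goes."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    query = parse_qs(parts.query, keep_blank_values=True)
    tracking = {k: v[0] for k, v in query.items() if k in TRACKING_PARAMS}
    lookalikes = brand_in_subdomain(host)
    return {
        "host": host,
        "root_domain": root_domain(host),
        "label_count": len(host.split(".")) if host else 0,
        "brand_lookalike": lookalikes,
        "tracking_params": tracking,
        # Two or more attribution parameters is a strong sign of a paid referral.
        "affiliate_link": len(tracking) >= 2,
        "suspicious": bool(lookalikes) or len(tracking) >= 2,
    }


if __name__ == "__main__":
    # Both links are quoted from the posts above.
    SMS_LINK = ("http://launch1.co/serve?action=click&publisher_id=20320&site_id=20708"
                "&offer_id=251638&site_id_ios=16660&site_id_android=20712"
                "&sub_campaign=sms_invite")
    PHISH_LINK = ("http://panel.dreamhost.com.login."
                  "2qjesez0l6dlilz4tuz67gzzz1bkwp4lyg3apxo1jrzimfx27l9wbbgbuaf72m."
                  "vqp9gqp87c8za6gayfc0fvryrbzkczg4r4u5f95me64v9q1ddk99x4qcoo85e."
                  "eyt0b3of65cvtd5c6shn2baq8xslyuj4yckz72tgwok4n5npixapz02xr3viztc."
                  "kidea.com/login.php?domain=domain.org")
    for link in (SMS_LINK, PHISH_LINK):
        report = analyze_link(link)
        print(report["host"])
        for key in ("root_domain", "brand_lookalike", "tracking_params", "suspicious"):
            print("  ", key, "=", report[key])
```

For the phishing link the report names kidea.com as the root domain and lists dreamhost.com as a brand hiding in the subdomain; for the SMS link it extracts publisher_id, offer_id and the other attribution fields, which is the data a network uses to pay out the referral. The substring check in brand_in_subdomain is deliberately loose (it also catches variants like notdreamhost.com.example) because a triage tool should err on the side of flagging.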

Looking at the whois record for this domain, we can find out the following information.

This domain is hosted by tucows.com and its name servers resolve to bluehost.com, and it was registered by a company with the following registration record:

XOL Holding
Beirut
Beirut, Beirut xxxxx
LB

The technical contact information for this domain is:
Nassar Center
5th Floor
Charles El-Helou Avenue, Rmeil
Beirut,  20727508
LB

This happens to be the ISP end point, a company in Lebanon called Terra Net. This company has chosen not to disclose more information about the scammers.

Looking at the main website for kidea.com, we find some interesting information. For one, they used a company called art-promotion to build and design their site. This company also happens to be in Lebanon, so I looked up its whois record and found that it was also hosted on bluehost.com, along with its contact information:

Saab, Jean web@artpromotion-lb.com
Art Promotion
Nahr el Mot
Beirut, -
Lebanon
+961.3737247

So I went to look closer at kidea.com and found that this might be a cover site (or some poor site that got hacked). The poor design and lack of ecommerce functionality seem to indicate that there is more than meets the eye. You can't check out with any of the items they sell. It's difficult to think that isn't part of the scam.

Regardless of who this phishing scam came from, be sure to take the time to read your emails before you go clicking links and signing in.
