Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances
Belarus bidniz: account hacking
olliver
Expert Developer

Posted: Tue May 05, 2009 4:15 am    Post subject: Belarus bidniz: account hacking

Belarus, along with Russia and Ukraine, is known as a source of comment spam affecting forums, blogs, wikis and any facility that allows transmission of user-defined input via forms. As a more recent trend, there is a gradual transition to combining spam efforts with criminal activities such as hacking into websites or personal accounts (email, social network, forum) and turning these activities into services that anyone willing to pay the price can make use of.

One of these service offers is located at http://passvzlom.0fees.net/ and operated by a 23-year-old male from Belarus. At first glance, passvzlom.0fees.net offers few means of contact: just one ICQ number and two contact forms.

Quote:
Welcome to passvzlom.0fees.net

Our site provides services for hacking classmates, vkontakte, as well as any other social networks and any mailservers.

We have guaranteed, efficient, anonymous and fast breaking into mailboxes (mail.ru, yandex.ru, rambler.ru, gmail.com, mail.com, yahoo.com, hotmail.com, etc.), as well as such well-known sites like odnoklassniki.ru, vkontakte.ru and social networking sites and Mamba installations.

Why order the hacking of odnoklassniki.ru or mail from us, and why trust us?

We have been working without pre-payment, that is, by placing an order with us, you will not risk falling for the ploy of fraudsters and wasting money.
The password is not changed, so that the user continues to use his mailbox (profile) and has no suspicions.
We provide any confirmation of the hacking of your choice (screenshot, letter, quoting your email sent to the victim's mailbox).
The cost of hacking mail amounts to 40 $, and 50 $ for hacking profiles.
Payment via WebMoney.
Order is fulfilled within 1 to 7 days.
We guarantee complete anonymity and confidentiality!

All the information you need can be found under services and questions, as well as by online consultation with [icq number] 380694527. The order can be placed in the appropriate section.

source (in Russian): http://passvzlom.0fees.net/index.php?mainpage=main

The ICQ profile is of a sparse nature and euphemistically named "internet services":
http://www.icq.com/people/full_details_show.php?uin=380694527

ICQ seems to be pivotal for the business, as it is spamvertised via ICQ, too:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/0dcba5b75ee31bb2

The critical reader may now wonder where I got the personal details mentioned above from. I followed the traces of a mistake the person had made which revealed his email address:

http://209.85.229.132/search?q=cache:GmePG0YIxbUJ:passvzlom.0fees.net/&hl=en&strip=1

(link is safe as it does not load anything from the remote server)

Note the email address passvzlom@gmail.com at the top. It can also be found in a couple of "promo posts" advertising his services, like this one:

Quote (translated from Russian):
Accessory for sale - miscellaneous trinket
Hacking of email, odnoklassniki, vkontakte, mamba
City: Moscow
We hack to order, without prepayment: email (e-mail), profiles on odnoklassniki.ru, vkontakte.ru, mamba, loveplanet and any other dating sites. ICQ: 380694527. Payment only after confirmation that the password has been obtained (quoting your letter sent to the victim's address, or another method of your choice). We hack to order, without prepayment: email (e-mail), profiles on odnoklassniki.ru, vkontakte.ru, mamba, loveplanet and any other dating sites. ICQ: 380694527. Payment only after confirmation that the password has been obtained (quoting your letter sent to the victim's address, or another method of your choice).

Price - 9999.99 Phone: 380694527 Hacking passvzlom@gmail.com

source: http://www.pda1.ru/baraxolka/show_barax.php3?Model_id=&From_detail=&Barax_id=112187

However, armed with the email address, the remainder of our research is rather easy, because the person used it for real-life activities, too:

Quote (translated from Russian):
Added 12:49 03.05.2009
Author Pin4er___ (Minsk)
e-Mail passvzlom@gmail.com
For sale: AthlonX2 6000-8450/4Gb/320-750Gb/GF9800(512-1024)
Price 340
Additional information AthlonX2 6000-8450(x3)/4Gb/320-750Gb/GeForce 9800(512-1024MB) - 340 c.u. New, warranty, delivery, installation. Software installed. Any change of configuration.
Monitor - 19" - 130$, 22" - 185$.
Mouse - 10$;
Multimedia keyboard - 10$;
Speakers - 10$;
Modem - 10$;
Built-in ADSL modem - 20$;
GeForce 9800 1024MB - +30$;
Hard drive 500GB - +10$;
Hard drive 750GB - +35$;
CPU Athlon X2 8450 - +15$;
DDR2 4GB - +23$;

velcom: +375-44-773-28-33
MTS: +375-29-773-28-33
ICQ: 216763522

source: http://bu.kosht.com/?cmd=show&id=1798199

Note the handle Pin4er, which is also used in his service website's footer. For the first time, we have two pointers to a geographic location. One is the Cyrillic word in brackets next to the handle, which means Minsk, the capital of Belarus. This is confirmed by his cell-phone number: Velcom is one of the largest cell-phone operators in Belarus. And surprise, we have another - legitimate - ICQ number with a more verbose profile:

Quote:
First Name: Viacheslav
Last Name: L
Nickname: Slavent


Year: 1986
Month: March
Day: 26
Age: 23


Gender: Male
I Speak: Russian
I Speak: English
I Speak:
Marital Status:

http://www.icq.com/people/full_details_show.php?uin=216763522

Slavent is a handle he uses in forums unrelated to his hacking bidniz. Slavent aka Pin4er visits this forum, for example:
http://forum.onliner.by/profile.php?mode=viewprofile&u=45232

A lot more can be found with appropriate Google searches, but for now I stick to the basics I mentioned here.

What can be done about passvzlom.0fees.net?

The good news is, the site is hosted in the US and the contact page even offers an abuse address:
http://www.0fees.net/contact.php

Emails sent to abuse something curly byethost.com may or may not get someone's attention. Alternatively, there is also a forum run by that hosting company which may or may not be read by their abuse staff.

On a more abstract note, you can protect yourself by thinking about the modus operandi Slavent aka Pin4er is using:

Quote:
Methods of hacking mail in a nutshell
In fact there are a great number of methods here: selection, social engineering and studying the target before the attack, human psychology, programming, finding bugs (errors) in the web interface.

Source (in Russian): http://passvzlom.0fees.net/index.php?mainpage=questions

Passwords may be strong, but they are useless when lost-password retrieval mechanisms rely on simple questions that can be answered with some googling. Social networking sites entice people to reveal a great deal of details about their lives, not realising that these are indexed by search engines and provide a valuable source to learn about a victim. I recommend securing "lost password retrieval" mechanisms by providing *complicated* answers to dull questions. Make them unrelated to the question and use the same care you'd apply to your actual password (hopefully). When running a content system, do keep it current and avoid bug-ridden add-ons or plugins like the plague. Do not allow uploads from complete strangers without appropriate safety measures.

There's much more to say about security, but assume that those who run a business with hacking know more about web programming than yourself. Let this be a warning to you.

O.
_________________
Petcord netlabel :: Synflict post-digital arts :: Leftob audio cast
Each click on any of the links above will save the life of a cute kitty somewhere in the universe.
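As an added illustration of the point the post makes about recovery questions (this is example code written for this page, not code from the original post or from the site discussed), the script below plays both sides: a site that stores a recovery answer properly (normalised, salted, slow KDF, constant-time compare), and an attacker who feeds it nothing but facts scraped from a public profile. The scraped profile, the candidate variants, the PBKDF2 parameters and all function names are assumptions made for the example; the answer "Rex" falls to the profile data no matter how the site stores it, while a random answer that is treated like a password does not.

```python
"""Added example (not from the original post): a recovery-question answer is
only as strong as its guessability, regardless of how well the site hashes it.
All names, data and KDF parameters here are assumptions made for illustration."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample: the kind of facts a victim leaks on a social-network
# profile and that search engines index (assumption, not real data).
SCRAPED_PROFILE: Dict[str, str] = {
    "hometown": "Minsk",
    "first_pet": "Rex",
    "school": "School 23",
    "mother_maiden": "Ivanova",
}

KDF_ITERATIONS = 100_000  # assumption; tune to the server's budget


def normalise(answer: str) -> str:
    """Sites usually fold case and whitespace so the user can re-enter the answer."""
    return " ".join(answer.strip().lower().split())


def store_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Site side: never keep the answer in clear, hash it like a password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(), salt, KDF_ITERATIONS)
    return salt, digest


def check_answer(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Site side: constant-time comparison of the re-derived digest."""
    _, cand = store_answer(candidate, salt)
    return hmac.compare_digest(cand, digest)


def guess_answer(salt: bytes, digest: bytes, profile: Dict[str, str]) -> Optional[str]:
    """Attacker side: try every scraped fact and a few trivial spellings of it.
    In practice this would be done against the live 'forgot password' form,
    which is why rate limiting matters; here we hit the stored digest directly."""
    for value in profile.values():
        for variant in (value, value.lower(), value.replace(" ", "")):
            if check_answer(variant, salt, digest):
                return variant
    return None


def random_answer(nbytes: int = 12) -> str:
    """What the post recommends: an answer unrelated to the question and
    generated with the same care as a password (store it in a password manager)."""
    return secrets.token_urlsafe(nbytes)


def demo() -> Dict[str, object]:
    # A "dull" answer that is on the victim's public profile.
    weak_salt, weak_digest = store_answer("Rex")
    # A deliberately complicated answer to the same dull question.
    strong = random_answer()
    strong_salt, strong_digest = store_answer(strong)
    return {
        "weak_cracked": guess_answer(weak_salt, weak_digest, SCRAPED_PROFILE),
        "strong_cracked": guess_answer(strong_salt, strong_digest, SCRAPED_PROFILE),
        "strong_verifies": check_answer(strong, strong_salt, strong_digest),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The hashing on the site side is the best case for the defender; even so the weak answer is recovered from the profile in a handful of tries, which is the whole point of the post: the strength of the answer, not of the storage, decides the outcome.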
suzi
Site Admin

Posted: Tue May 05, 2009 9:01 am

Interesting. Thanks for all that info.
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.
sotet
Junior Member

Posted: Sat May 09, 2009 8:10 am

Good research, olliver, thank you for posting that. No surprise about Belarus (Russian name: White Russia) or most any other former Soviet Socialist Republic.
olliver
Expert Developer

Posted: Sat May 09, 2009 8:54 am

Methinks someone hath protesteth too much.
Visitors are now redirected to a social networking site run by byethost et al. themselves:
Quote:
olliver@bunkiten:~$ curl -A "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" -I http://passvzlom.0fees.net/

HTTP/1.1 302 Moved Temporarily
Date: Sat, 09 May 2009 16:42:10 GMT
Server: Apache
Location: http://mybookface.net
Cache-Control: max-age=0
Expires: Sat, 09 May 2009 16:42:10 GMT
Content-Type: text/html; charset=iso-8859-1
X-Cache: MISS from demil1.byetcluster.com
X-Cache-Lookup: MISS from demil1.byetcluster.com:80
Via: 1.1 demil1.byetcluster.com:80 (Lusca/LUSCA_1.0)


Seems to run independently of referrer and IP-address origin.

O.
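The curl -I check above looks at one User-Agent only. As an added example (not from the post, and not a tool of the forum or the hosting company), the script below generalises that check: it sends the same HEAD request under several header sets a cloaking site might key on (browser, crawler, visitor arriving from the ad, bare client) and reports whether every variant lands on the same off-site redirect. The probe names and header sets are assumptions; the sample response is the header block captured in the post, replayed by a stand-in fetcher so the example runs offline. A real fetcher using http.client, which does not follow redirects, is included for use against a live host.

```python
"""Added example (not from the original post): verify that a redirect is the
same regardless of User-Agent and Referer. Probe sets and function names are
assumptions made for this illustration."""
import http.client
from typing import Callable, Dict, Tuple
from urllib.parse import urlsplit

# Header block captured in the post (curl -I output), reused here as the
# stand-in response so the example runs without network access.
CAPTURED_RESPONSE = """HTTP/1.1 302 Moved Temporarily
Date: Sat, 09 May 2009 16:42:10 GMT
Server: Apache
Location: http://mybookface.net
Cache-Control: max-age=0
Expires: Sat, 09 May 2009 16:42:10 GMT
Content-Type: text/html; charset=iso-8859-1
X-Cache: MISS from demil1.byetcluster.com
X-Cache-Lookup: MISS from demil1.byetcluster.com:80
Via: 1.1 demil1.byetcluster.com:80 (Lusca/LUSCA_1.0)
"""

# Assumed probe sets: clients a cloaking site might treat differently.
PROBES: Dict[str, Dict[str, str]] = {
    "msie7": {"User-Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"},
    "googlebot": {"User-Agent": "Googlebot/2.1 (+http://www.google.com/bot.html)"},
    "from-ad": {"User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.9) Gecko/2008052906 Firefox/3.0",
                "Referer": "http://www.pda1.ru/"},
    "curl": {"User-Agent": "curl/7.19"},
}

Fetcher = Callable[[str, Dict[str, str]], str]


def parse_head(raw: str) -> Tuple[int, Dict[str, str]]:
    """Turn curl -I style text into (status code, lower-cased header map)."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def classify(raw: str, requested_url: str) -> str:
    """Summarise a response: off-site redirect, on-site redirect, or plain status."""
    status, headers = parse_head(raw)
    if status in (301, 302, 303, 307, 308) and "location" in headers:
        target = headers["location"]
        if urlsplit(target).hostname != urlsplit(requested_url).hostname:
            return "offsite-redirect:%s" % urlsplit(target).hostname
        return "onsite-redirect:%s" % target
    return "status:%d" % status


def probe(url: str, fetch: Fetcher, probes: Dict[str, Dict[str, str]] = PROBES) -> Dict[str, str]:
    """Fetch the URL once per probe set and classify each answer."""
    return {name: classify(fetch(url, hdrs), url) for name, hdrs in probes.items()}


def consistent(results: Dict[str, str]) -> bool:
    """True when every probe got the same treatment (no cloaking on these headers)."""
    return len(set(results.values())) == 1


def http_fetch(url: str, headers: Dict[str, str], timeout: float = 10.0) -> str:
    """Live HEAD request; http.client never follows redirects, so Location survives."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("HEAD", parts.path or "/", headers=headers)
        resp = conn.getresponse()
        lines = ["HTTP/1.1 %d %s" % (resp.status, resp.reason)]
        lines += ["%s: %s" % (k, v) for k, v in resp.getheaders()]
    finally:
        conn.close()
    return "\n".join(lines) + "\n"


def replay_fetch(url: str, headers: Dict[str, str]) -> str:
    """Stand-in fetcher: replays the captured response for every probe."""
    return CAPTURED_RESPONSE


def demo() -> Tuple[Dict[str, str], bool]:
    results = probe("http://passvzlom.0fees.net/", replay_fetch)
    return results, consistent(results)


if __name__ == "__main__":
    res, same = demo()
    for name, verdict in res.items():
        print("%-10s %s" % (name, verdict))
    print("consistent across probes:", same)
```

Swap replay_fetch for http_fetch to run it against a live host; a site that cloaks on User-Agent or Referer shows up as consistent() returning False, with the differing verdicts naming which probe was treated differently. Source-IP cloaking, which the post also mentions, cannot be checked from one vantage point and needs the same probes run from a second network.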