Yesterday, I took a lighthearted look at some of the Google searches people have used to arrive at this site. I saved one of them for today, however, because it was enough fun to warrant its own post. That search query is:
Well, I suppose I can give that a try.
What is crackpal.com? It’s a service that promises to hack yahoo, hotmail, rediff, and google Email accounts. Here’s what their website looks like, if it’s down by the time you read this:
You might remember that I’ve looked at a site similar to this in a previous post. Here’s how things are supposed to go down, according to their site:
The proof takes the form of screenshots of inboxes, sample emails, contacts, or other personal information.
I decided to see how this would play out, assuming (correctly) that it would work much like the yourhackers.net scheme described in a previous post. So, yesterday I filled out their order form, using my own yahoo email account as a target, from another account that I had created that is posing as someone who doesn’t like me very much:
This morning, in the firstname.lastname@example.org account I had a “surprise”! Yay!
“Helo”? What am I, an SMTP server? As you might be able to imagine, I don’t know anyone named Jonathan Regon, and certainly not well enough to warrant “Luv and Regards”. Let’s take a look at the link to the phishing site:
So, obviously the single “?wesleymcgrew” parameter sets the username. If you punch in anything and Submit, you get forwarded along to a real 123greetings card:
Back to the phishing site, what happens if we take the php filename out of the URL, going straight to the directory?
Neat, no directory protection or index.html/php, but not much of interest. What if we go up a directory?
Now this looks more interesting. What’s in Y.txt?
The phishing URL sent to me contained the directory name ending in “1003″. That corresponds with the “1003″ line in Y.txt with the name “Jonathan Reagan”. Sounds like the Jonathan “Regon” that emailed me. These are the names being used in the phishing emails, and each of the above directories contains links to greeting cards from these names.
The “/Y/” here stands for Yahoo. There are similar directory structures on this site for “/H/” (Hotmail) and “/R/” (Rediff). There is no “/G/” for Gmail, surprisingly, and no other single-letter directories (tried them all).
Who is 123newgreetings.com? WHOIS shows all contacts as:
Kajaria, Sharad (email@example.com)
This is the exact same contact information as on the real 123greetings.com, with a different email and phone number.
Crackpal.com’s WHOIS information is set to its registrant’s (dynadot.com) private registration-by-proxy name and address.
I have fired off an abuse email to 123newgreetings.com’s host, eukhost.com, so it may be down soon. Crackpal.com itself appears to be hosted in China, so I don’t hold out much hope for that going down.