Yesterday, I took a lighthearted look at some of the Google searches people have used to arrive at this site.  I saved one of them for today, however, because it was enough fun to warrant its own post.  That search query is:

  • review

Well, I suppose I can give that a try.

What is  It’s a service that promises to hack Yahoo, Hotmail, Rediff, and Google email accounts.  Here’s what their website looks like, in case it’s down by the time you read this:

You might remember that I’ve looked at a site similar to this in a previous post.  Here’s how things are supposed to go down, according to their site:

The proof takes the form of screenshots of inboxes, sample emails, contacts, or other personal information.

I decided to see how this would play out, assuming (correctly) that it would work much like the scheme described in a previous post.  So, yesterday I filled out their order form, using my own Yahoo email account as the target, from another account I had created to pose as someone who doesn’t like me very much:

This morning, in the account I had a “surprise”!  Yay!

“Helo”?  What am I, an SMTP server?  As you might be able to imagine, I don’t know anyone named Jonathan Regon, and certainly not well enough to warrant “Luv and Regards”.  Let’s take a look at the link to the phishing site:

So, obviously the single “?wesleymcgrew” parameter sets the username.  If you punch in anything and Submit, you get forwarded along to a real 123greetings card:


Back to the phishing site, what happens if we take the php filename out of the URL, going straight to the directory?

Neat, no directory protection or index.html/php, but not much of interest.  What if we go up a directory?

Now this looks more interesting.  What’s in Y.txt?

The phishing URL sent to me contained the directory name ending in “1003”.  That corresponds with the “1003” line in Y.txt with the name “Jonathan Reagan”.  Sounds like the Jonathan “Regon” that emailed me.  These are the names being used in the phishing emails, and each of the above directories contains links to greeting cards from these names.

The “/Y/” here stands for Yahoo.  There are similar directory structures on this site for “/H/” (Hotmail) and “/R/” (Rediff).  There is no “/G/” for Gmail, surprisingly, and no other single-letter directories (tried them all).
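
As an added example (not code from the original post): a mail-side check for the link pattern described above, where the recipient's own mailbox name rides in the link's query string. The sample message, host names and paths are constructed placeholders, and matching the name as a `key=value` parameter goes beyond the bare `?username` form seen in the post.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import parse_qsl, urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def text_parts(msg):
    """Yield the decoded text of every text/* part of a parsed message."""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            yield raw.decode(part.get_content_charset() or "utf-8", "replace")

def personalised_links(raw_message):
    """Return links whose query string carries the recipient's mailbox name.

    Matches the bare form from the post (?username) and, as a generalisation,
    the same name used as any parameter key or value (?u=username).
    """
    msg = message_from_string(raw_message)
    local = parseaddr(msg.get("To", ""))[1].partition("@")[0].lower()
    if not local:
        return []  # no recipient to compare against
    hits = []
    for text in text_parts(msg):
        for url in URL_RE.findall(text):
            url = url.rstrip(".,;)")  # drop trailing sentence punctuation
            pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
            tokens = {item.lower() for pair in pairs for item in pair}
            if local in tokens and url not in hits:
                hits.append(url)
    return hits

# Constructed sample message: addresses, host and paths are placeholders.
SAMPLE = """\
From: "Jonathan Regon" <sender@example.test>
To: wesleymcgrew@example.com
Subject: You have received a greeting card

Helo, your card is waiting: http://cards.example.test/view.php?wesleymcgrew
Unsubscribe: http://cards.example.test/unsub.php?list=weekly
"""

if __name__ == "__main__":
    for link in personalised_links(SAMPLE):
        print("link personalised with recipient name:", link)
```

A hit is a reason to look closer rather than a verdict, since legitimate mailers also personalise links; it is most useful combined with a sender the recipient does not know.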

Who is  WHOIS shows all contacts as:

Registrant:, Inc.

    Kajaria, Sharad        (

    1674 Broadway

    Suite 403


    New York,10019


    Tel. +001.9176036425

This is the exact same contact information as on the real, with a different email and phone number.’s WHOIS information is set to its registrant’s ( private registration-by-proxy name and address.

I have fired off an abuse email to’s host,, so it may be down soon. itself appears to be hosted in China, so I don’t hold out much hope for that going down. 

In conclusion:

  9 Responses to “Looking at the Phishing-For-Hire Scheme”

  1. Nice bit of investigative security reporting!

  2. Great work. Thanks for sharing!

  3. Full FTP functionality, hosted through I’m thinking.

    Meh, I suppose if I’m going to start learning offensive sec, it might as well be against the guilty.

  4. Well, funny, you can look at those sites too, same guys, maybe:, but I think that yourhacker is just a mirror of those guys

  5. I used this site several years ago and they actually did get me a password for a Yahoo email account. It did cost me $100.00 though. I submitted a new request on Dec 31, 2009 but have not had any password returned as of Jan 22, 2010.

  6. [...] almost identical. To obtain the password, the self-styled hackers of resort to a very crude phishing attack, sending an implausible email to the victim, hoping that they take the bait and try to log in [...]

  7. Thanks a lot for this, this explains a suspicious greeting card I received about a couple of months ago and didn’t open. I was wondering what was up with that! Now I know what it was and who it was.

  8. Got a cheating husband, accidentally found his password and confronted him, heartbroken I tried again today to find that he of course changed his password, so do I pay for someone to crack it or not?

    • I’d say not, tish. You’d be paying someone directly to break the law for you, which leaves you with a charge for solicitation.

      I’d say that if you know he’s cheating, just go ahead and dump him.

© 2012 McGrew Security