• crackpal.com review

Well, I suppose I can give that a try.

What is crackpal.com?  It’s a service that promises to hack yahoo, hotmail, rediff, and google Email accounts.  Here’s what their website looks like, if it’s down by the time you read this:

You might remember that I’ve looked at a site similar to this in a previous post.  Here’s how things are supposed to go down, according to their site:

The proof takes the form of screenshots of inboxes, sample emails, contacts, or other personal information.

I decided to see how this would play out, assuming (correctly) that it would work much like the yourhackers.net scheme described in a previous post.  So, yesterday I filled out their order form, using my own yahoo email account as a target, from another account that I had created that is posing as someone who doesn’t like me very much:

This morning, in the wesleymcgrew@yahoo.com account I had a “surprise”!  Yay!

“Helo”?  What am I, an SMTP server?  As you might be able to imagine, I don’t know anyone named Jonathan Regon, and certainly not well enough to warrant “Luv and Regards”.  Let’s take a look at the link to the phishing site:

So, obviously the single “?wesleymcgrew” parameter sets the username.  If you punch in anything and Submit, you get forwarded along to a real 123greetings card:

Cute.

Back to the phishing site, what happens if we take the php filename out of the URL, going straight to the directory?

Neat, no directory protection or index.html/php, but not much of interest.  What if we go up a directory?

Now this looks more interesting.  What’s in Y.txt?

The phishing URL sent to me contained the directory name ending in “1003″.  That corresponds with the “1003″ line in Y.txt with the name “Jonathan Reagan”.  Sounds like the Jonathan “Regon” that emailed me.  These are the names being used in the phishing emails, and  each of the above directories contains links to greeting cards from these names.

The “/Y/” here stands for Yahoo.  There are similar directory structures on this site for “/H/” (Hotmail) and “/R/” (Rediff).  There is no “/G/” for Gmail, surprisingly, and no other single-letter directories (tried them all).

Who is 123newgreetings.com?  WHOIS shows all contacts as:

Registrant:

    123Greetings.com, Inc.

    Kajaria, Sharad        (greetings123name@yahoo.com)

    1674 Broadway

    Suite 403

    10019

    New York,10019

    US

    Tel. +001.9176036425

This is the exact same contact information as on the real 123greetings.com, with a different email and phone number.

Crackpal.com’s WHOIS information is set to its registrant’s (dynadot.com) private registration-by-proxy name and address.

I have fired off an abuse email to 123newgreetings.com’s host, eukhost.com, so it may be down soon.  Crackpal.com itself appears to be hosted in China, so I don’t hold out much hope for that going down. 

In conclusion:

This particular bad-guy IP is a great example of an IP address that has really made its mark on Google, so I’ll link the results here:

* Google search results for “196.3.61.4″

Off the eastern coast of Madagascar, there’s an island called Mauritius.  On this island there’s the city of Ebene.  In this city, there’s this building, the “Cyber Tower”.  According to Whois, on the third floor of this building, there’s a computer being used for all sorts of phishing and fraud.  

It would be “just another scammer”, but this one has a great sense of humor.  Check out this diff on an edit made from that IP address on the Wikipedia entry for Advance fee fraud:

Very nice.

Please do this:

I’m sure most of my readers can imagine what a bad idea it is to hand their email password over to a third party. What’s more dangerous is that this functionality might become more common. If every social-networking-site-of-the-week integrates something similar into their signup process (and it is attractive for them), then it will become more natural for users to expect it, making them less likely to question it. Overall, it makes phishing a lot easier, as now you have a wider choice of sites you can mimic, or you can just make up something completely new.

Also, at least in this specific case, the credentials you’re handing over are not going over SSL. Who knows what precautions are being taken on the other side of this web application, where it’s actually signing into your email and harvesting out the information. You might be carefully using GMail only over SSL for your sessions with it, but there’s no guarantee that SlideShare/Twitter/Facebook will be doing the same. There’s also no real assurance that your credentials haven’t been cached or stored in some way.

You may make yourself out to be a bad Internet citizen if you utilize these features, as well. I know of at least one case where a user signed up, the site automatically picked up all of his contacts, and immediately spammed out a referral email to every one of them, including mailing lists. Your friends and other contacts might not like this very much.

I think it’s a bad idea, and I hope that it doesn’t become more widespread trend than it already is.

Here’s what the main page looked like:

I created a new email address on Gmail, with the name of a recent, but inactive, troll on the forums (so there’d be a few things in Google if they decided to do their research). Then, I filled out their order form with the information in the screenshot below, asking them to attack my own Gmail account, wesleymcgrew@gmail.com . I had to give them something that didn’t look as much like a dummy account. Besides, it’s funnier this way. I had a lot of fun filling out the form asking why they should hack my Gmail account :

A short while later, I received an automated mail confirming my order (very professional!) in my dummy account’s inbox:

A full day later, I received the following phishing mail in my own Gmail account:

A plaintext copy of this email with full headers is available here for those who love to dig . I suppose they got around Gmail’s filters by being such a small operation. Does anyone really trust 123greetings-type emails anymore? I guess they must. Notice the domain name 123greetingsline.com, and the just-for-me unique URL. I tried modifying the URL, however it seems like they just generate the files as-needed when they receive an order.

Clicking on the link takes you to the phishing site itself:

Here’s the source for the login form:

For all the domain names they have, and all the web hosts they’ve been using, they had to resort to using a form mail script and leave the email addresses they use for harvesting out in the open. Hilarious.

If you’re a regular reader of this blog, you already know what I like to do with phishing sites (read up here if you’re not familiar with the technique I use to set up web bugs for catching phishers unaware). This one is no exception, so I set up a unique image and page on my site here to use with a web bug. Then I fill out the form fields with the html needed to try and render the image and link to the unique URL:

Once that was submitted, it actually went through the trouble of redirecting me to the real 123greetings for a nice card:

I set up tail and grep to look for a hit to either of the unique URLs I set up, and a day later I got the hit:

81.129.180.36 - - [23/Oct/2007:12:23:19 -0400]
"GET /XXXXXXXXXXXXXXX>HAY</a&gt HTTP/1.1" 404 245
"http://desigubshup.com:2095/horde/imp/message.php?index=245"
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1;
.NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506;
InfoPath.2)"

So, here you have the IP address (resolves to one of btcentralplus.com’s customers), which at a glance didn’t appear to be running any sort of open proxy, a referral URL revealing where and how they’re checking their mail (there might be somewhere around 244 other victims, judging from the mail ID), and a nice long user agent string. Judging by the mangled end of the request, my web bugs didn’t render very well within IMP, however the phisher was dumb enough to click on the link anyway. This is the reason I try to put HTML links in along with normal image-based web bugs, and you’d be amazed at how often this happens.

I sent a couple of emails to them inquiring about the status of my order. Unfortunately, I haven’t heard back from them. As of a day or two ago, the sites they were advertising their services on look like this:

I’m sure they’re not very happy about that. Maybe they’ll find this post and leave us a comment bringing us up to speed on their situation .

To tide you over until then, I ran across this post, by HD Moore, on the Full-Disclosure list today:

[Full-disclosure] You shady bastards.

This is interesting for a couple reasons. One, it gets you thinking about the potential value ex-employee email addresses have to a company. The temptation to continue monitor incoming mail on these addresses is high. Is it legal? As you can tell by the discussion already on the list, it all depends on the agreements the employee has signed. Pretty soon you’ll start seeing clauses about post-employment on consent-to-monitoring agreements, if you haven’t already seen it.

Another reason this is interesting is that HDM pulled a neat, low-tech trick to verify that someone was reading mail to the address he was sending mail to. I’ve done this before, and it works fairly well . In a way it’s similar to the phish-baiting techniques that I’ve written about before on here. This is something you can add to your bag of tricks (also works well for other protocols: IM, IRC, etc.), and it’s something you can keep in mind when you’re given a link by someone in a situation like this.