Yesterday, I took a lighthearted look at some of the Google searches people have used to arrive at this site. I saved one of them for today, however, because it was enough fun to warrant its own post. That search query is:
Well, I suppose I can give that a try.
What is crackpal.com? It’s a service that promises to hack yahoo, hotmail, rediff, and google Email accounts. Here’s what their website looks like, if it’s down by the time you read this:
You might remember that I’ve looked at a site similar to this in a previous post. Here’s how things are supposed to go down, according to their site:
The proof takes the form of screenshots of inboxes, sample emails, contacts, or other personal information.
I decided to see how this would play out, assuming (correctly) that it would work much like the yourhackers.net scheme described in a previous post. So, yesterday I filled out their order form, using my own yahoo email account as a target, from another account that I had created that is posing as someone who doesn’t like me very much:
This morning, in the wesleymcgrew@yahoo.com account I had a “surprise”! Yay!
“Helo”? What am I, an SMTP server? As you might be able to imagine, I don’t know anyone named Jonathan Regon, and certainly not well enough to warrant “Luv and Regards”. Let’s take a look at the link to the phishing site:
So, obviously the single “?wesleymcgrew” parameter sets the username. If you punch in anything and Submit, you get forwarded along to a real 123greetings card:
Cute.
Back to the phishing site, what happens if we take the php filename out of the URL, going straight to the directory?
Neat, no directory protection or index.html/php, but not much of interest. What if we go up a directory?
Now this looks more interesting. What’s in Y.txt?
The phishing URL sent to me contained the directory name ending in “1003″. That corresponds with the “1003″ line in Y.txt with the name “Jonathan Reagan”. Sounds like the Jonathan “Regon” that emailed me. These are the names being used in the phishing emails, and each of the above directories contains links to greeting cards from these names.
The “/Y/” here stands for Yahoo. There are similar directory structures on this site for “/H/” (Hotmail) and “/R/” (Rediff). There is no “/G/” for Gmail, surprisingly, and no other single-letter directories (tried them all).
Who is 123newgreetings.com? WHOIS shows all contacts as:
Registrant:
123Greetings.com, Inc.
Kajaria, Sharad (greetings123name@yahoo.com)
1674 Broadway
Suite 403
10019
New York,10019
US
Tel. +001.9176036425
This is the exact same contact information as on the real 123greetings.com, with a different email and phone number.
Crackpal.com’s WHOIS information is set to its registrant’s (dynadot.com) private registration-by-proxy name and address.
I have fired off an abuse email to 123newgreetings.com’s host, eukhost.com, so it may be down soon. Crackpal.com itself appears to be hosted in China, so I don’t hold out much hope for that going down.
In conclusion:
. I have a friend who had the misfortune of having his resume retitled “Ethan Frome” from this same macro virus several years ago. He didn’t realize it till I pointed it out. Funny stuff.
:
Recent Comments