At the time of writing, a new URL emerged and, according to the ‘official’ phishing site’s server status report, “c0mpics.info” is now the most active site that’s hoaxing not only MSN users, but ICQ users.

When you visit the phishing site (never do it!), a window pops up displaying content from ‘awesomeoffers.info’ (see picture below, click to display large image) saying, ‘We’re sorry! This offer is not available in your area. You will

be redirected shortly. If you are not automatically redirectly, please click here.’ Then you are served ads from various sources.

Thanks to our fellow netizens, sites such as jumphost.info, ther1ng.info, etc. were alerted as potential phishing sites by FireFox. But if you are using IE or Safari, the chances are you won’t see these warnings.

Personally I think MSN and ICQ should do their fair share of work and warn their users never trust any offline messages containing such links. That will be the most effective and proactive way to deal with these bad guys. However, each one of us who knows about the phishing attempt can also lend a helping hand by telling our MSN/ICQ or other IM buddies about this and report any such sites through FireFox or IE.

Here’s how:

FireFox:

When you are on that site, click on ‘Help’ -> ‘Report Web Forgery.’

French version, click on ‘?’ -> ‘Signaler un site contrefait…’

IE:

When you are on that site, right-click this icon on bottom status bar.

*UPDATE*

Good news. As on June 6, all phishing sites from the so-called ‘TST Management Inc.’ have been down. But I am not sure if they are simply banned by the ISP in Hong Kong and are in the process of finding other server locations. If you find any further information, please let me know. Thanks.

*UPDATE-1*

The phishing sites are back on again. A new one to watch:

“freakpics.info”

The message ran as follows:

“hii.. check out this.. http://real.amazing-stuff.info .. brb he!!”

Since this was from my close friend, and she’s immediately offline when I got these, I guessed s might be in a hurry and hoped to connect with me using some social network, so I clicked on the link and it brought me to a web page that required me to sign in using my MSN user name and password. The page had detailed service terms and ‘report abuse’ email and told me:

We may temporarily access your MSN account to do a combination
of the following:
1. Send Instant Messages to your friends promoting this site.
2. Introduce new entertaining sites to your friends via Instant Messages.

Again, since it’s ‘recommended’ by my close friend, I logged in and set up some personal page there. But since it was not very attractive, I logged off and never went there again afterwards. But my user name and password were already stolen!

I realized this on the second day when my MSN messenger automatically logged off saying another user had logged in. This is the ONE security feature of MSN messenger I love. (Skype wouldn’t prompt you anything like this when a thousand other users logged into your account and eavesdropped on your chats!) Then I changed my password. I suspect the hacker site used my credential to send similar links to all my contacts that day.

However, if not today another victim sent me a message (also when he’s offline!) as follows, I wouldn’t associate these things together:

“http://username.very.c0o0lthing.info”

I immediately sent a message back to him asking if he knew about this. When he was back online he confirmed that it was some kind of ‘virus’ he got from other MSN users.

Technically speaking, this is not a virus, but phishing. Phishing sites fake other sites to steal your personal information and use them to access your accounts such as email, PayPal or Moneybookers accounts.

In this very case, the hidden criminals’ true intention is not using your email account to spread their links. Since many people use the same password for their email and other accounts such as PayPal, they could easily obtain your private financial information.

If you experienced a similar situation recently:

1. make sure you post a status message in your MSN messenger warning all contacts not to click on any links you send out before verification;
2. change your MSN password immediately and change the password of other accounts that share the same password.
3. help to spread the warning by blogging about it, digging this and other related articles to fight against further phishing attempts.

The phishing site page looks like the following:

The site claims to be TST Management Inc. And here are three domain names they used (They probably use tons of other domains for such purposes) and related information:

1. pr0filepix.info

Domain ID:D24638073-LRMS
Domain Name:PR0FILEPIX.INFO
Created On:29-Apr-2008 12:16:31 UTC
Last Updated On:29-Apr-2008 12:54:46 UTC
Expiration Date:29-Apr-2009 12:16:31 UTC
Sponsoring Registrar:eNom, Inc. (R126-LRMS)
Status:TRANSFER PROHIBITED
Registrant ID:d5574c1883d
Registrant Name:Mark Bradley
Registrant Organization:TST Management, Inc
Registrant Street1:edificio Magna Corp – 5th Floo
Registrant City:PANAMA
Registrant State/Province:PANAMA
Registrant Postal Code:0000
Registrant Country:PA
Registrant Phone:+1.2021577

Server IP: 210.56.53.224
Hong Kong – Dedicated Internet Access (sunhk Datacenter)
Registrant Search: “TST Management, Inc” owns about 85 other domains

2. 1FP9.INFO

Domain ID:D18304546-LRMS
Domain Name:1FP9.INFO
Created On:07-Jun-2007 10:10:35 UTC
Last Updated On:21-Apr-2008 12:59:51 UTC
Expiration Date:07-Jun-2008 10:10:35 UTC
Sponsoring Registrar:eNom, Inc. (R126-LRMS)
Status:OK
Registrant ID:90f98cddfd4
Registrant Name:Jeff Fisher
Registrant Organization:TST Management, Inc
Registrant Street1:Room 1204, 12/F, Shanghai Ind.
Registrant Street2:
Registrant Street3:
Registrant City:Panama City
Registrant State/Province:Panama
Registrant Postal Code:0000
Registrant Country:PA
Registrant Phone:+507.2021577

Server IP: 216.52.184.243
Washington – Redmond – Enom

3. c0o0lthing.info

Domain ID:D24611209-LRMS
Domain Name:C0O0LTHING.INFO
Created On:27-Apr-2008 15:25:13 UTC
Last Updated On:27-Apr-2008 15:25:26 UTC
Expiration Date:27-Apr-2009 15:25:13 UTC
Sponsoring Registrar:eNom, Inc. (R126-LRMS)
Status:TRANSFER PROHIBITED
Registrant ID:999AD5DB09046351
Registrant Name:Peter Call
Registrant Organization:Blue China Group, Ltd
Registrant Street1:Room 1204, 12/F, Shanghai Ind.
Registrant Street2:Investment Bldg.,
Registrant Street3:48-62 Hennessy Road
Registrant City:Wanchai
Registrant State/Province:HK
Registrant Postal Code:0000
Registrant Country:HK
Registrant Phone:+852.94230671

Server IP: 65.39.175.61
Quebec – Montreal – Qitx Inc
Registrant Search: “Blue China Group, Ltd” owns about 1,669 other domains

*UPDATE*

Thanks to all visitors who provided further phishing addresses as follows (also see comments). I believe we can dig out all those bad urls soon :

“adp0int.info”
“real.awesome-stuff.info”
“cache2.imagehosters.info”
“h0st3d.on.prof1lepix.info”
“save.p1ctures.info”
“fr1endp1cs.info”
“username.get.n1ce4ds.info”
“username.likes.ch33se.info”
“down.l0ader.info”
“was.d1ssed.info”
“arm18618.this.are.the.fri3ndp1x.info”
“ch3k3r.info”
“ch3ck3r.info”
“username.the.great-th1ng.info”
“username.partyp1x.info”
“username.1ik5.info”
“username.found.some.c0o0ol5tuff.info”

“username.awes0me.info”
“fileho5t.info”
“m33tpoint.info”
“checkdiz.info”
“snapsh0t.info”
“ther1ng.info”
“greatblockier.info”
“blockierteplatz.info”
“t0nez.info”
“c0mpics.info”
“jumphost.info”
“flatl1ne.info”
“g4ng.info”
“b4ng.info”
“h0stp1cs.info”

If you know any other phishing urls of this MSN messenger scam, please leave a voice or video comment below. (The text comment function crashed my database and many comments got lost.) I’ll update this post.

*UPDATE-1*

Eric translated part of this post into German. If you are not comfortable with English and would like to read German, please visit: http://erichaas.spaces.live.com/blog/cns!20AE01BBC9DF0C0!1014.trak for the German version. Translation into other languages is also welcomed. Please link back to this article and let me know your post address and I’ll add it to this list. Thanks for your help!

*UPDATE-2*

Interesting registrant name of one of its domains (see below):

Domain ID:D24997781-LRMS
Domain Name:THER1NG.INFO
Created On:30-May-2008 14:57:47 UTC
Last Updated On:31-May-2008 10:02:05 UTC
Expiration Date:30-May-2009 14:57:47 UTC
Sponsoring Registrar:eNom, Inc. (R126-LRMS)
Status:TRANSFER PROHIBITED
Registrant ID:47429cff5a9
Registrant Name:Jeff Fisher
Registrant Organization:TST Management, Inc
Registrant Street1:Edificio Magna Corp. 5th Floor
Registrant Street2:
Registrant Street3:
Registrant City:Panama City
Registrant State/Province:Panama
Registrant Postal Code:0000
Registrant Country:PA
Registrant Phone:+507.2021577
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.: