Over the weekend you may have noticed that this site was suspended. My hosting service only issued me with a brief email saying “Due to scripts taking too long to execute the website was disabled”. This email was not entirely helpful, and after repeated support emails that went unanswered and a few calls to the support line, I could not get my site reactivated until today.
I decided to do a little research myself while my site was down. As I had no access whatsoever to any part of my hosting (logs, emails, cPanel, etc.) I had to rely on what little data Google Analytics recorded before the site was suspended. I found something quite interesting.
Google recorded a bunch of hits to the following URL:
/_vti_logs/VideoEclusivo.avi.mpg.exe
Obviously something dodgy was going on. Once I had access to my site again this morning, the first place I went to was this _vti_logs folder. In it I found a phishing site and a PHP email generator. I contacted support at webcity, but they were unable to tell me who put these files on my site and seemed uninterested in helping me further.
Snooping around the files I found a few things. First, around 6089 emails were generated by the PHP script. Second, the script was written by “MurdeR”, whose website is Diosdelared.com. This does not mean this phishing site was put there by this character though. Third, the scam seems to be a phishing site masquerading as “Moviestar”, a Venezuelan phone company.
Apart from the lack of support I got regarding this matter, the most frustrating thing is that this scam seems to have worked quite well. The phishing site received thousands of hits, with 2397 of those going to the .exe, which is obviously a virus/trojan. Out of the 6089 emails that “MurdeR”’s script reported it had generated, almost half landed with people who fell for the scam. Quite scary when you think about it. It is quite obvious from the URL (www.agamersodyssey.com/_vti_logs/index.php) that the user had come to something unaffiliated with Moviestar, but nearly 50% of the people who received this poorly crafted email clicked on the link AND entered details.
My hope for humanity’s future continues to decline.
I have kept a copy of the phishing site in case anyone else would like to look into this issue. Please contact me if you need more info, or if you can provide any info that would help track down the perpetrators.
i will MURDER HIM!!!
May 4th, 2009 at 7:51 pm
Sounds like something that only an expert forensic IT analyst could investigate Sim… if I had a website with a problem like that I’d probably just ask you how to fix it.
Good to see you back on the air.
May 5th, 2009 at 11:11 am
hacked = simster ran oot of cash
May 5th, 2009 at 11:08 pm
Apologies for the inconvenience; nothing related to Diosdelared or to me.
For sure, you have got a serious security bug and some bad guy used it to upload scams and a Mail Extractor.
November 30th, 2009 at 5:44 pm