Full Disclosure mailing list archives
Re: block all popups [google knockoff]
From: sh0rtie <this.is () gmail com>
Date: Thu, 26 Aug 2004 22:06:38 +0100
it's spyware

a quick peek inside the installer reveals links to toolbarshopper.com so definitely not google (although the toolbar does have links to use google as well as the usual affiliate links to other sites (using linksynergy))

the site at ipaddress where the installer is located has links selling an ebook, following the money (purchase) leads to a site called moreinfo4you.net

a whois of this site reveals

domain: moreinfo4you.net
status: production
organization: CSI
owner: James Real jackson
email: domainalias () yahoo com
address: 23244 Avenida Pico
city: San Clemente
state: CA
postal-code: 92654
country: US
admin-c: domainalias () yahoo com#0
tech-c: domainalias () yahoo com#0
billing-c: domainalias () yahoo com#0
nserver: ns.dnsfree.biz
nserver: ns2.dnsfree.biz
registrar: JORE-1
created: 2004-08-22 19:53:30 UTC JORE-1
modified: 2004-08-22 22:25:43 UTC JORE-1
expires: 2005-08-22 15:53:28 UTC
source: joker.com
db-updated: 2004-08-26 20:40:16 UTC

fake details, and joker.com is a public dns service often used by scammers because they can change domain ipaddresses (where the domain points to) quickly

the ipaddress where the exe is located is based in korea (probably a compromised adsl machine)

inetnum: 61.248.0.0 - 61.255.255.255
netname: KRNIC-KR
descr: KRNIC
descr: Korea Network Information Center
country: KR
admin-c: HM127-AP
tech-c: HM127-AP
remarks: ******************************************
remarks: KRNIC is the National Internet Registry
remarks: in Korea under APNIC. If you would like to
remarks: find assignment information in detail
remarks: please refer to the KRNIC Whois DB
remarks: http://whois.nic.or.kr/english/index.html
remarks: ******************************************
mnt-by: APNIC-HM
mnt-lower: MNT-KRNIC-AP
changed: hostmaster () apnic net 20010321
changed: hostmaster () apnic net 20010606
status: ALLOCATED PORTABLE
source: APNIC

person: Host Master
address: 11F, KTF B/D, 1321-11, Seocho2-Dong, Seocho-Gu,
address: Seoul, Korea, 137-857
country: KR
phone: +82-2-2186-4500
fax-no: +82-2-2186-4496
e-mail: hostmaster () nic or kr
nic-hdl: HM127-AP
mnt-by: MNT-KRNIC-AP
changed: hostmaster () nic or kr 20020507
source: APNIC

regards

On Tue, 24 Aug 2004 21:49:41 -0400, Jeremy Heslop <vector () ezy net> wrote:
Not sure who this should go to, but I received an email the other day and it is advertising the google toolbar. It installs a toolbar, but not Google's. Looks sketchy to me and similar to other phishing attempts. URL to valuebar_setup.exe was in email.

Jeremy

Html email here: http://footon.jheslop.com/block%20all%20popups.html
txt email here: http://footon.jheslop.com/block%20all%20popups.txt
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
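An added example, not part of the thread: a small parser for the key/value whois record quoted in the message above, used to work out how old the payment domain was at the time of the lookup. The function names and the 30-day "newly registered" threshold are assumptions made for this illustration; the sample input is an excerpt of the quoted record.

```python
import re
from datetime import datetime, timezone

# Excerpt of the record quoted in the message above (contact fields omitted).
RECORD = """\
domain: moreinfo4you.net
nserver: ns.dnsfree.biz
nserver: ns2.dnsfree.biz
created: 2004-08-22 19:53:30 UTC JORE-1
modified: 2004-08-22 22:25:43 UTC JORE-1
expires: 2005-08-22 15:53:28 UTC
db-updated: 2004-08-26 20:40:16 UTC
"""

# Assumed threshold: a domain younger than this when first seen gets flagged.
NEW_DOMAIN_DAYS = 30
TS = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC")

def parse_whois(text):
    """Return {key: [values]}; keys such as nserver may repeat."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            record.setdefault(key.strip().lower(), []).append(value.strip())
    return record

def timestamp(record, key):
    """Parse 'YYYY-MM-DD HH:MM:SS UTC [registrar handle]', or return None."""
    match = TS.search(record.get(key, [""])[0])
    if not match:
        return None
    return datetime.strptime(match.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def age_in_days(record, seen_at):
    """Whole days between registration and the moment the domain was seen."""
    created = timestamp(record, "created")
    return None if created is None else (seen_at - created).days

def is_newly_registered(record, seen_at, limit=NEW_DOMAIN_DAYS):
    """True when the domain was registered less than `limit` days before seen_at."""
    age = age_in_days(record, seen_at)
    return age is not None and 0 <= age < limit

if __name__ == "__main__":
    rec = parse_whois(RECORD)
    lookup_time = timestamp(rec, "db-updated")
    print(rec["domain"][0], age_in_days(rec, lookup_time), is_newly_registered(rec, lookup_time))
```

Measured against the record's own db-updated time, the domain is four days old, which is the kind of signal a mail or proxy filter can score alongside the registrant details.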