This is not a phishing site. Now, be a good victim and enter your login credentials in the form!
Tuesday June 10, 2008 at 12:58 pm CST
Posted by Elodie Grandjean
A few days ago I was browsing a forum while I read a message from someone saying that he received a strange link from one of his MSN contact list, which was formed like the following:
http://[MSN_login].flatl1n[removed].info
This domain hosts a webpage asking for MSN logins and passwords and pointing to another webpage asking for ICQ login credentials:
But let’s examine this page in details, especially the “Terms of Use” for example:
“Terms of Use / Privacy Policy:
By filling out this form, you authorize TST Management, Inc to spread the word about this 100% real and upcomming Messenger Community Site.
You will receive your share of the credit in helping us spread the word. This is a harmless Community site which is offering users a platform to meet each other for free.We do not share your private information with any third parties.
By using our service/website you hereby fully authorize TST Management, Inc to send messages of a commercial nature via Instant Messages and E-Mails on behalf of third parties via the information you provide us. This is not a “phishing” site that attempts to “trick” you into revealing personal information. Everything we do with your information is disclosed here. If you are under eighteen (18), you MUST obtain permission from a parent or guardian before using our website/service.This page is not affiliated with or operated by Microsoft(tm) or MSN Network(tm).
ANY LIABILITY, INCLUDING WITHOUT LIMITATION ANY LIABILITY FOR DAMAGES CAUSED OR ALLEGEDLY CAUSED BY ANY FAILURE OF PERFORMANCE, ERROR, OMISSION, INTERRUPTION, DEFECT, DELAY IN OPERATION OR TRANSMISSION, COMMUNICATIONS LINE FAILURE, SHALL BE STRICTLY LIMITED TO THE AMOUNT PAID BY OR ON BEHALF OF THE SUBSCRIBER TO THIS SERVICE.
We may temporarily access your MSN account to do a combination
of the following:
1. Send Instant Messages to your friends promoting this site.
2. Introduce new entertaining sites to your friends via Instant Messages.”
Oh well, that reminds me how social engineering is powerful…
The victim received this URL from who is supposed to be one of his MSN contact and it is unlikely he will spend a few minutes reading those lines. So I agree, everything that the attackers do is published inside the Privacy Policy, but I disagree when they say that they don’t “trick” people to get their login credentials: they use social engineering attacks to get users’ passwords, this is dishonest and this is phishing scam!!
Now, here is the funny part of the “Terms of Use”:
“This is a free service. You will not be asked to pay at any time.
You will not be subscribed to anything asking for payment.
This service is made possible by many hours of human effort.TST Management, Inc reserves the right to change the terms of use / privacy policy at any time without notice. To view the latest version of this privacy policy, simply bookmark this page for future reference.”
So ironic…
And the last part, the one that aroused my curiosity:
“You understand that this agreement shall prevail if there is any conflict between this agreement and the terms of use you accepted when you signed up with MSN. You also understand that by temporarily accessing your msn account, TST Management, Inc is NOT agreeing to MSN’s terms of use and therefore not bound by them.
This agreement shall be construed and governed by the law of the republic of Panama. You expressly consent to the exclusive venue and personal jurisdiction of the courts located in the Republic of panama for any actions arising from or relating to this agreement.
If any provision of this agreement is held to be invalid, illegal or unenforceable for any reason, such invalidity, illegality or unenforceability shall not effect any other provisions of this agreement, and this agreement shall be construed as if such invalid, illegal or unenforceable provision had not been contained herein.
Copyright 2008 TST Management, Inc”
I was wondering if this website was effectively hosted in republic of Panama, but a whois of the domain informed me that the IP address is located in Hong Kong actually:
The Reverse IP field says there are 32 other sites hosted on this server (210.56.53.224).
And we can see also that “TST Management, Inc” (who is the registrant of the domain), owns 412 other domains.
So I decided to do a Google search and I wasn’t surprise to notice that they are apparently used to phishing scams!
“TST Management, Inc” seems to be another name for the “Blue China Group Ltd”, the one that was sued by MySpace last year for mass spamming.
I managed to create a screenshot of the old “Mass Comment Poster” website that belonged to them:
We can see that the Terms of use were very cynical too!!
They also host what they introduce as a MySpace tracker (called “Stalker Tracker”) which is in fact another phishing scam website:
Besides the website displays another “typical” Privacy Policy mentioning:
We may temporarily access your MySpace account to do a combination
of the following:
1. Post bulletins to your friends promoting stalkertrack.com.
2. Post comments to your friends promoting stalkertrack.com.
3. Post a blog about our upcoming tracker for your friends to read.
4. Customize your blog header html with a clickable stalkertrack.com ad image.
5. Send a batch of blog invites on your behalf.
6. Send IM invites with a personalized stalkertrack.com message and/or image advertisement attached - to your friends and potential friends and other members.
7. Introduce new entertaining sites to your friends via comments, bulletins, and messages
And guess how can they do that? Once again, just by using the login credentials entered in the form…
Last but not least, once the login credentials are submitted via the phishing scam MSN/ICQ web pages, a PHP script is called to increment an online counter, and here are the statistics available at the moment:
This counter seems to supervise the activity on all their phishing websites, not only on a couple of them.
We can see that 92 people were reaching one of their phishing scam websites when I was looking at the statistics, they were 35334 unique visitors yesterday, 284746 visitors since the beginning of June, 3616516 visitors last month, and 7031582 visitors since this counter has been created (since February/March 2008 according to the second screenshot).
Be vigilant of such IM messages and websites marked as “copyright” to “Blue China Group, Ltd” or “TST Management, Inc“. Whatever the website purports to be they are certainly requesting your login credentials in an unclear way!!
June 23rd, 2008 at 05:17
Thanks but how to remove it??? Can’t find the solution anywere
July 6th, 2008 at 00:41
why the hell doesnt MSN come out with some patches to prevent this garbage ?!?!
July 7th, 2008 at 06:28
It’s not a virus or anything of the sort. They simply have stolen your login information. Change your password and they can’t access your account any more. I only found out about this when one of my close friends sent me the link. Fortunately, I wasn’t foolish enough to get caught by this and immediately did some Google-research.
July 12th, 2008 at 09:03
What can i do except changing my password?
July 15th, 2008 at 08:20
Tali Says: “What can i do except changing my password?”
Well, be less gullible next time someone phishes for your password. And if you’re still tempted? Always read the TOS!
Or you could check the site here: siteadvisor.com or mywot.com
August 4th, 2008 at 05:58
Thanks but how to remove it??? Can’t find the solution anywere
August 4th, 2008 at 11:30
why the hell doesnt MSN come out with some patches to prevent this garbage ?!?!
August 6th, 2008 at 03:22
~ “why the hell doesnt MSN come out with some patches to prevent this garbage”
There is no patch for stupidity.
Just change your password, and don’t give out your login details again.
August 6th, 2008 at 03:31
If MSN can come up with at patch for stupidity, I’m sure they’ll let you know…
August 18th, 2008 at 01:49
[...] RSS feed is. Thanks for visiting, Phil!My brother who has started using MSN messsenger was recently hit by this scam that has been spreading over the last few months by ‘TST Management’. I think the advice here, like always, is [...]
November 27th, 2008 at 14:17
[...] a company in Panama, but as you can see here, the site was actually [...]
November 28th, 2008 at 03:01
[...] websites (all six billion of them) were supposedly run by a company in Panama, but as you can see here, the site was actually controlled by a group in China with ties to all sorts of dubious practices. [...]
April 5th, 2009 at 13:27
[...] de ta part des messages que tu ne leur as pas envoys? Genre un lien sur un pseudo site de photos comme a ? Une seule solution : change ton mot de passe MSN. Et par prcaution, change aussi tous les mots [...]