By: ThreatLabz

Following Recent QQ Phishes



QQ is a popular email and instant messaging service within China. In yesterday's logs I saw entries for:

aq.qq.com.cn-inddex.com
qq.com.cn.indexx-cn.com

Following the pages, the display looks identical to the qq.com pages. Clicking the login link within the phish displays a login form that resembles qq.com's. The above screenshot is of the phish login prompt.


The phish pages load a lot of external content from qq.com, however the login form is local on the phish server:

/images/login.htm

Viewing the source of the page, it appears that the credentials are passed to qq.com, but are also POSTed locally on the phish sites to the file:

/mb_reset/mb_reset_index.asp

The phish URLs are not currently listed in Phishtank or other blacklists. (Update: I added these to Phishtank).
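As an added example (not part of the original post), a small Python check that flags hostnames like the two above, where a protected brand's registered domain appears among the subdomain labels of a different registered domain; the proxy log lines, the log field layout and the short public-suffix list are constructed assumptions.

```python
# Brand domain impersonated by the phish pages discussed in the post.
PROTECTED = {"qq.com"}

# Constructed proxy log lines (assumed layout: date time client method host path status)
# built from the indicators in the post; not real log data.
SAMPLE_LOG = """\
2010-04-06 08:12:01 10.0.0.5 GET aq.qq.com.cn-inddex.com /images/login.htm 200
2010-04-06 08:13:44 10.0.0.7 POST qq.com.cn.indexx-cn.com /mb_reset/mb_reset_index.asp 200
2010-04-06 08:15:02 10.0.0.9 GET aq.qq.com /cn_index/index.html 200
2010-04-06 08:16:30 10.0.0.9 GET mail.qq.com /cgi-bin/login 200
"""

# Assumption: no offline Public Suffix List, so only a few multi-label suffixes are known.
MULTI_LABEL_SUFFIXES = {"com.cn", "net.cn", "co.uk"}


def registrable_domain(host):
    """Crude guess at the registered domain: the last two labels, or three
    when the last two form a known public suffix such as 'com.cn'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def lookalike_brand(host):
    """Return the protected brand that is embedded in the host's subdomain
    labels when the registered domain itself is NOT that brand, e.g.
    'qq.com.cn.indexx-cn.com' is registered as 'indexx-cn.com'."""
    reg = registrable_domain(host)
    if reg in PROTECTED:
        return None  # genuine brand host such as aq.qq.com
    sub = host.lower()[: -len(reg)].rstrip(".")  # leading labels only
    for brand in PROTECTED:
        if f".{brand}." in f".{sub}.":
            return brand
    return None


def scan_log(text):
    """Return (host, path, brand) for every request to a brand-lookalike host."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line, skip rather than crash
        host, path = fields[4], fields[5]
        brand = lookalike_brand(host)
        if brand:
            hits.append((host, path, brand))
    return hits


if __name__ == "__main__":
    for host, path, brand in scan_log(SAMPLE_LOG):
        print(f"lookalike of {brand}: {host}{path}")
```

The two phish hosts are reported while the genuine aq.qq.com and mail.qq.com requests pass, and the flagged path shows where the credential form and its local POST target live.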

When we view the domain registration / hosting information for the legit qq.com:
Domain Name ..................... qq.com
Name Server ..................... dns1.imok.net
dns2.imok.net
dns3.imok.net
Registrant ID ................... hc041720747-cn
Registrant Name ................. echo meng
Registrant Organization ......... Shenzhen Tencent Computer Systems Company Limited
Registrant Address .............. 10 F, Fiyta Building, Gaoxinnanyi Avenue, Southern District
Registrant City ................. Shenzhen
Registrant Province/State ....... Guangdong
Registrant Postal Code .......... 518057
Registrant Country Code ......... CN
Registrant Phone Number ......... +86.075586013388 -
Registrant Fax .................. +86.075586013090 -
Registrant Email ................

aq.qq.com. 6941 IN A 58.251.61.155
aq.qq.com. 6941 IN A 58.251.61.153
aq.qq.com. 6941 IN A 58.251.61.154
aq.qq.com. 6941 IN A 58.251.61.152

NetRange: 58.0.0.0 - 58.255.255.255
CIDR: 58.0.0.0/8
NetName: APNIC-58

Whereas the phishing sites were recently registered through Melbourne IT and hosted on Yahoo servers:

Domain Name: CN-INDDEX.COM
Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
Whois Server: whois.melbourneit.com
Referral URL: http://www.melbourneit.com
Name Server: YNS1.YAHOO.COM
Name Server: YNS2.YAHOO.COM
Status: clientTransferProhibited
Updated Date: 29-mar-2010
Creation Date: 29-mar-2010
Expiration Date: 29-mar-2011

Domain Name.......... cn-inddex.com
Creation Date........ 2010-03-29
Registration Date.... 2010-03-29
Expiry Date.......... 2011-03-29
Organisation Name.... li li
Organisation Address. Room 748,Building B,GongxiFaCai road
Organisation Address.
Organisation Address. Yanluuo
Organisation Address. 518000
Organisation Address. FaCai
Organisation Address. CHINA

Admin Name........... li li
Admin Address........ Room 748,Building B,GongxiFaCai road
Admin Address........
Admin Address........ Yanluuo
Admin Address........ 518000
Admin Address........ FaCai
Admin Address........ CHINA
Admin Email.......... yumin6546545@yahoo.com.cn
Admin Phone.......... +86.5201314
Admin Fax............


and:

Domain Name: INDEXX-CN.COM
Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
Whois Server: whois.melbourneit.com
Referral URL: http://www.melbourneit.com
Name Server: YNS1.YAHOO.COM
Name Server: YNS2.YAHOO.COM
Status: clientTransferProhibited
Updated Date: 04-apr-2010
Creation Date: 04-apr-2010
Expiration Date: 04-apr-2011


Admin Name........... liu li
Admin Address........ Room 748,Building B,GongxiFaCai road
Admin Address........
Admin Address........ Yanluuo
Admin Address........ 518000
Admin Address........ FaCai
Admin Address........ CHINA
Admin Email.......... qq8983707@yahoo.cn
Admin Phone.......... +86.5201314
Admin Fax............

GongxiFaCai roughly translates to "Happy (Chinese) New Year".
Approximate location of where registration info is pointing (Yanluo at the 518000 zip code - Shenzhen, China):

Investigating the registration information, it looks very similar to that of gtobuys.com, a reported scam page, and is likely attributable, among others, to the scams registered from:
li li / fansrl@yahoo.cn
lian xing / sfmop@vip.qq.com
yueguo li / 1185839312@qq.com

Google results for the registration information (e.g., address and phone), aliases, and emails yield additional domains and fraud/scam activities. For example,
