Updated
October 2005

   Dynamoo 2005

Quickdimer.com & E-expressprocessing.com "Account Locked" Emails

5th October 2005 - updated 8th October 2005

Warning: The quickdimer.com and e-expressprocessing.com sites will attempt to infect your PC if you visit them using Internet Explorer. If your computer is not fully up to date with patches, it is quite possible that it will be infected with spyware. This spyware will most likely steal your passwords and confidential information, and may also turn your PC into a "spam zombie".

Visitors are tricked into visiting the quickdimer.com site by an email similar to the following:

    Date: 5 Oct 2005 11:49:29 -0000
    Received: from soot@gte.net by [munged] by uid 1002 with qmail-scanner-1.22
     ( Clear:RC:0(200.146.150.30):.
     Processed in 4.097554 secs); 05 Oct 2005 11:48:33 -0000
    Received: from unknown (HELO 200-146-150-30.rev.easyband.com.br) (200.146.150.30)
      by 192.168.147.19 with SMTP; 5 Oct 2005 11:48:29 -0000
    Received: from unknown (HELO pest) (192.168.120.30)
        by 200-146-150-30.rev.easyband.com.br with SMTP; Wed, 5 Oct 2005 09:47:06 -0200
    To: [munged]
    From: "Sibylla Anthony" <soot@gte.net>
    Subject: NOTIFICATION. YOUR ACCOUNT LOCKED.

    Dear customer,

    Sorry. Your account was temporally locked.
    The credit card transaction was declined.
    This is an email receipt for your recent payment you just made.

    The system reported the following error:
    KEEP CRD DECLINE NOT AUTHORIZED

    Your receipt #2240076354
    Billed To:
    H WALL
    14 Church Way
    Basingstoke, RG24 9SU
    Hampshire Order Number: L06639795
    Receipt Date: 03/10/05
    Order Total: GBP 108.04
    Billed To: Visa

    Information regarding your personal information can be
    viewed at
    http://quickdimer.com/billing/order/order110902.html

    This site is powered by the SecureTrading payment system
    which means that your credit card details are fully encrypted
    using the most sophisticated e-payment software.

The "14 Church Way" address is fake: there is no such address, and no such credit card transaction has taken place. The entire purpose of the email is to get you to click on the link and infect your PC.
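The Received headers above are the only part of the lure the sender could not freely choose, and reading them bottom-up is how the origin of a message like this is traced. The following script is an added example, not code from the original page: it unfolds the headers quoted above (embedded here as a constructed sample, with the recipient and receiving host left munged as on the page), walks the hops from the oldest upward, reports the earliest hop with a public source address as the point the message can be attributed to, and notes the things a triager would flag, such as the bare HELO name "pest" and the injection from a private address. The hop regex assumes the "from X (HELO Y) (IP) by Z" layout that qmail and most SMTP relays write.

```python
import re
from email import message_from_string
from ipaddress import ip_address

# Constructed sample: the headers of the quickdimer.com lure quoted above,
# with the recipient and the receiving host left munged as on the page.
SAMPLE_MESSAGE = """\
Date: 5 Oct 2005 11:49:29 -0000
Received: from soot@gte.net by [munged] by uid 1002 with qmail-scanner-1.22
 ( Clear:RC:0(200.146.150.30):.
 Processed in 4.097554 secs); 05 Oct 2005 11:48:33 -0000
Received: from unknown (HELO 200-146-150-30.rev.easyband.com.br) (200.146.150.30)
  by 192.168.147.19 with SMTP; 5 Oct 2005 11:48:29 -0000
Received: from unknown (HELO pest) (192.168.120.30)
    by 200-146-150-30.rev.easyband.com.br with SMTP; Wed, 5 Oct 2005 09:47:06 -0200
To: [munged]
From: "Sibylla Anthony" <soot@gte.net>
Subject: NOTIFICATION. YOUR ACCOUNT LOCKED.

Dear customer,
"""

# "from <name> (HELO <helo>) (<ip>) by <host>" as written by qmail and most
# SMTP relays; HELO and IP are optional so the local scanner hop still parses.
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)"
    r"(?:\s+\(HELO\s+(?P<helo>[^)]+)\))?"
    r"(?:\s+\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(raw_message):
    """Return the Received hops top-down (newest first) as dicts."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(flat)
        if m:
            hops.append(m.groupdict())
    return hops


def origin_hop(hops):
    """Earliest hop with a public source IP: the last relay we can attribute."""
    for hop in reversed(hops):  # walk oldest -> newest
        if hop["ip"] and not ip_address(hop["ip"]).is_private:
            return hop
    return None


def helo_findings(hops):
    """Things a triager would note: bare HELO names and a private first hop."""
    findings = []
    for hop in hops:
        if hop["helo"] and "." not in hop["helo"]:
            findings.append(f"bare HELO {hop['helo']!r} from {hop['ip']}")
    if hops and hops[-1]["ip"] and ip_address(hops[-1]["ip"]).is_private:
        findings.append(f"message injected from private address {hops[-1]['ip']}")
    return findings


if __name__ == "__main__":
    hops = parse_received(SAMPLE_MESSAGE)
    for hop in reversed(hops):
        print(f"{hop['ip'] or '-':>16}  HELO {hop['helo'] or '-':<40} by {hop['by']}")
    origin = origin_hop(hops)
    print("attributable origin:", origin["ip"], "->", origin["helo"])
    for finding in helo_findings(hops):
        print("finding:", finding)
```

On the sample this attributes the message to 200.146.150.30 (the easyband.com.br host), while the hop behind it, a machine calling itself "pest" on 192.168.120.30, is the infected client on that network that actually injected the mail; anything lower in the chain than the first public address cannot be verified, since the sender controls those hops.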

The e-expressprocessing.com email is very similar:

    From: Billing <billing@e-expressprocessing.com>
    Subject: Your Account Has Been Suspended

    Dear customer,

    Sorry. Your account was temporally locked.The credit card transaction was declined.
    This is an email receipt for your recent payment you just made.

    The system reported the following error:
    KEEP CRD DECLINE NOT AUTHORIZED

    Receipt #4650097379   

    Billed To:
    R HALL
    20 North Way
    Basingstoke, RG24 9SU
    Hampshire
    Order Number: YL40084268
    Receipt Date: 05/10/05
    Total Amount:  GBP 201.06
    Billed To: Visa

    Information regarding your personal information can be viewed login in (Your  usercode is 86435076
        Your  passcode is 3296133)

    http://www.e-expressprocessing.com 

    This site is powered by the SecureTrading payment system which means that your credit card details are fully encrypted using the most sophisticated e-payment software.

 

If you have visited this website, we recommend that you scan your PC thoroughly with an up-to-date virus scanner. We recommend ZoneAlarm Security Suite as a good, comprehensive package. Another good (and currently free) package is Microsoft AntiSpyware. Be aware that any passwords you have entered since visiting the site may be compromised - if in doubt, seek the help of an IT professional to disinfect your system. Using a browser such as Firefox instead of Internet Explorer can also help protect you against attacks.

For the technically minded, the exploit code looks like this (we have rendered it as a graphic to prevent false positives from virus scanners):

[image: quickdimer.com exploit code]

The domain registration details for quickdimer.com are no doubt fake:

       Domain Name: quickdimer.com

       Registrant Contact:
          Peitao Ting         pting1000@yahoo.com
          Peitao Ting
          400 Arlington Way
          Menlo Park, ca 94025
          US
          +1.6504731278

       Administrative Contact:
          Peitao Ting         pting1000@yahoo.com
          Peitao Ting
          400 Arlington Way
          Menlo Park, ca 94025
          US
          +1.6504731278

       Technical Contact:
          Peitao Ting         pting1000@yahoo.com
          Peitao Ting
          400 Arlington Way
          Menlo Park, ca 94025
          US
          +1.6504731278

       Billing Contact:
          Peitao Ting         pting1000@yahoo.com
          Peitao Ting
          400 Arlington Way
          Menlo Park, ca 94025
          US
          +1.6504731278

       Record created on 2005-09-27 05:53:47.
       Record expires on 2006-09-27 05:53:47.

       Domain servers in listed order:

          ns1.dreamhost.com
          ns2.dreamhost.com
          ns3.dreamhost.com

The site is currently hosted on 205.196.218.73, a server belonging to New Dream Network, LLC (email abuse -at- dreamhost.com). It appears to be a server shared with several innocent parties.

For e-expressprocessing.com the registration details are:

       Registrant Contact:
          Joy Chang         janejazz@yahoo.com
          Joy Chang
          40182 Lucinda Ct.
          Fremont, CA 94539
          US
          +1.5103648926
     
       Administrative Contact:
          Joy Chang         janejazz@yahoo.com
          Joy Chang
          40182 Lucinda Ct.
          Fremont, CA 94539
          US
          +1.5103648926
     
       Technical Contact:
          Joy Chang         janejazz@yahoo.com
          Joy Chang
          40182 Lucinda Ct.
          Fremont, CA 94539
          US
          +1.5103648926
     
       Billing Contact:
          Joy Chang         janejazz@yahoo.com
          Joy Chang
          40182 Lucinda Ct.
          Fremont, CA 94539
          US
          +1.5103648926
     
       Record created on 2005-10-03 01:38:29.
       Record expires on 2006-10-03 01:38:29.

       Domain servers in listed order:

          ns1.dreamhost.com
          ns2.dreamhost.com
          ns3.dreamhost.com

 Site is hosted on 205.196.214.115 which is again part of New Dream Network, LLC.
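Both registration records were created only days before the lures went out, and both point at the same nameservers and the same hosting company, which is the pattern to look for when deciding whether a "billing" domain is throwaway infrastructure. The following script is an added example, not code from the original page: it parses the two records quoted above (embedded as constructed samples trimmed to the relevant fields; the "Domain Name:" line for e-expressprocessing.com is not on the page and was added for the parser), computes each domain's age at the time the lure was seen, and reports domains that share nameservers. The sighting dates are assumptions: the Date header of the first email for quickdimer.com, and this page's update date for e-expressprocessing.com, whose email carries no date.

```python
import re
from datetime import datetime

# Constructed samples: the two registration records quoted above, trimmed to the
# fields the check uses. The "Domain Name:" line for e-expressprocessing.com is
# not on the page and is added here so the same parser handles both records.
WHOIS_RECORDS = {
    "quickdimer.com": """\
Domain Name: quickdimer.com
Registrant Contact:
   Peitao Ting         pting1000@yahoo.com
Record created on 2005-09-27 05:53:47.
Record expires on 2006-09-27 05:53:47.
Domain servers in listed order:
   ns1.dreamhost.com
   ns2.dreamhost.com
   ns3.dreamhost.com
""",
    "e-expressprocessing.com": """\
Domain Name: e-expressprocessing.com
Registrant Contact:
   Joy Chang         janejazz@yahoo.com
Record created on 2005-10-03 01:38:29.
Record expires on 2006-10-03 01:38:29.
Domain servers in listed order:
   ns1.dreamhost.com
   ns2.dreamhost.com
   ns3.dreamhost.com
""",
}

# When each lure was seen (assumed): the Date header of the first email, and
# the page's update date for the second, whose email carries no date.
SEEN_AT = {
    "quickdimer.com": datetime(2005, 10, 5, 11, 49, 29),
    "e-expressprocessing.com": datetime(2005, 10, 8),
}

CREATED_RE = re.compile(r"Record created on (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+")
NS_RE = re.compile(r"^\s+(ns\d+\.[\w.-]+)\s*$", re.MULTILINE)


def parse_whois(text):
    """Pull the fields that matter for triage out of a registrar text record."""
    return {
        "domain": re.search(r"Domain Name:\s*(\S+)", text).group(1).lower(),
        "registrant_email": EMAIL_RE.search(text).group(0).lower(),
        "created": datetime.strptime(CREATED_RE.search(text).group(1), "%Y-%m-%d %H:%M:%S"),
        "nameservers": tuple(sorted(ns.lower() for ns in NS_RE.findall(text))),
    }


def domain_age_days(record, seen_at):
    """Whole days between registration and the moment the lure was seen."""
    return (seen_at - record["created"]).days


def assess(records, seen_at, max_age_days=30):
    """Flag freshly registered lure domains and the infrastructure they share."""
    findings = []
    for rec in records:
        age = domain_age_days(rec, seen_at[rec["domain"]])
        if age < max_age_days:
            findings.append(f"{rec['domain']}: registered {age} days before the lure was seen")
    by_ns = {}
    for rec in records:
        by_ns.setdefault(rec["nameservers"], []).append(rec["domain"])
    for ns, domains in by_ns.items():
        if len(domains) > 1:
            findings.append(f"{', '.join(domains)} share nameservers {', '.join(ns)}")
    return findings


if __name__ == "__main__":
    records = [parse_whois(text) for text in WHOIS_RECORDS.values()]
    for finding in assess(records, SEEN_AT):
        print(finding)
```

The 30-day threshold is a common triage default rather than anything the page states; the point is that a payment-processor domain registered eight or four days before it starts emailing receipts, with a free webmail contact address, deserves no trust regardless of what the mail says about "SecureTrading".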
