Showing posts with label password stealer. Show all posts

Sunday, May 11, 2008

Identity Theft And Your MSN Account

There are more MSN fraudsters roaming around, and this time they are serving their phishing pages in twenty different languages.

Last February, I posted this topic "Your MSN Account Has Been 0WN3D".

These are phishing sites that employ social engineering to lure MSN users into giving out their email address and password.

As a result, whoever holds the stolen MSN identity can remotely send instant messages and email spam to all of the victim's contacts, as well as read their personal messages.


As of the moment, the following IP addresses and domain names are actively serving these MSN phishing sites.


Be careful and stay away from these sites!

Wednesday, February 20, 2008

MySpace Spammers Are Back

What is Crowdguard.com? This is the question asked by a MySpace user after getting a message from a friend telling her to visit the site.
The page asks you to log in with your MySpace email address and password to view your pictures. To some people the site seems harmless, but the objective behind this page is to lure people into giving out their MySpace credentials.

Once you give your login credentials, a CGI script sends this information to a remote server.


And this message box will pop up.

To make the story short, the user will not be able to see any pictures, because there are none. This site is phishing for your login details so that a remote attacker can use them to send spam bulletins or messages to your MySpace friends. It also generates web traffic for all the visited sites.

Similar to Crowdguard is Stalkertrack.com. This site promises a free tracking tool that will let you track or "stalk" all the profiles that visit your MySpace page.

Once you have entered your MySpace login details, this spammer will start using them to spam your friends.

Not only that, your email address and password are sent to multiple IP addresses in clear text.

Note: the IP addresses may change.

Do you wonder how many spam posts have already been created on MySpace?

There are 4 million generated posts relating to StalkerTrack, and this number will keep increasing as more and more vulnerable MySpace users are deceived by this trick.

Stay away from these sites!

Saturday, January 26, 2008

Snoop, Sneak, Sniff

Mac users are more likely to be affected by tracking threats than by malware.

Why? Let's start by defining what a tracking threat is.

Tracking threats are software or applications that snoop on a user's activity, sneak passwords and sniff out private information. Software such as keyloggers and sniffers is considered a tracking threat, and it is widely available over the internet.

This type of software is also classified as grayware. Grayware is not considered malware, and it is not even dangerous by itself. However, just like a kitchen knife, if it falls into the wrong hands it will definitely pose a threat to the user and to other people as well.


Let's take a look at LogKext.

Downloaded file: logKext.pkg.zip (107,080 bytes)

LogKext is the only kernel-based freeware keylogger for Mac OS X. It is controlled by a command-line client called logKextClient.

LogKext.pkg is the installer that contains eight different packages. During the installation process, the user is required to enter the administrator or root user password to authenticate.

Below are the packages and their descriptions.

logkextclient.pkg - This package contains logKextClient, which is in Mac universal binary format. This binary file is the interactive client of LogKext, which also manages the output logfile, encryption controls and daemon preferences.

logkextdaemon.pkg - This package contains logKextDaemon, which is in Mac universal binary format. This binary is a daemon program that runs in the background and manages the keylogging activity.

logkextkeymap.pkg - This package contains the property list file logKextKeymap.plist. The list includes identifiable keys such as numbers, letters (upper and lower case) and characters.

logkextkeygen.pkg - This package contains logKextKeyGen, which is in Mac universal binary format. This binary is responsible for recording or logging typed keyboard input.

Logkext-1.pkg - This package contains another package named LogKext.kext, which contains a binary file LogKext. LogKext is the main program responsible for intercepting keyboard events by using IOHIDSystem and IOHIKeyboard classes in the kernel.

logkextReadme.pkg - This package contains LogKext Readme.html, which includes install and uninstall guide, release notes and frequently asked questions.

logkextuninstall.pkg - This package contains LogKextUninstall.command, which is a terminal shell script that stops logKext from running and removes its related files.

The packages were installed in this order:

logKext.pkg/Contents/Packages/logkextReadme.pkg
logKext.pkg/Contents/Packages/logkextuninstall.pkg
logKext.pkg/Contents/Packages/logkext.pkg
logKext.pkg/Contents/Packages/logkextkeymap.pkg
logKext.pkg/Contents/Packages/logkext-1.pkg
logKext.pkg/Contents/Packages/logkextdaemon.pkg
logKext.pkg/Contents/Packages/logkextclient.pkg
logKext.pkg/Contents/Packages/logkextkeygen.pkg

The following files were created:

LogKextUninstall.command
LogKext Readme.html
/Library/Application Support/logKext/logKextDaemon
/Library/Application Support/logKext/logKextKeyGen
/Library/Application Support/logKext/logKextKeymap.plist

This program can monitor and record a user's keystrokes, including usernames, passwords, PII, private conversations, typed-in URLs and more.

So, imagine this piece of software in the wrong hands.

It is even scarier when you think you have downloaded and installed a clean application, but undocumented, hidden or unexplained features are at work in the background.
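A defender's check for the LogKext artifacts listed above, written as an added example for this post (it is not part of the original, nor part of LogKext itself). It assumes the files land at the paths the post reports; the root prefix is an assumption added so the same check can be run against a mounted volume or a test directory as well as the live system.

```shell
#!/bin/sh
# Added example: report LogKext install artifacts on a Mac.
# Paths come from the post above; "root" is a prefix ("" = live system)
# so the check also works against a mounted image or a constructed test tree.
logkext_check() {
  root="${1:-}"
  found=0
  for rel in \
    "/Library/Application Support/logKext" \
    "/Library/Application Support/logKext/logKextDaemon" \
    "/Library/Application Support/logKext/logKextKeyGen" \
    "/Library/Application Support/logKext/logKextKeymap.plist"
  do
    if [ -e "${root}${rel}" ]; then
      echo "found: ${root}${rel}" >&2
      found=$((found + 1))
    fi
  done
  # The kernel extension (LogKext.kext) is only visible on a live Mac, where
  # kextstat lists loaded kexts; skip this part quietly anywhere else.
  if [ -z "$root" ] && command -v kextstat >/dev/null 2>&1; then
    if kextstat 2>/dev/null | grep -qi logkext; then
      echo "found: LogKext kernel extension is loaded" >&2
      found=$((found + 1))
    fi
  fi
  # Print the artifact count on stdout so a caller (or cron job) can act on it.
  echo "$found"
}

# Run against the live system when executed directly:
#   sh logkext_check.sh          (0 = nothing found)
```

Details go to stderr and only the count to stdout, so the script can be dropped into a monitoring job that alerts on any non-zero result.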


Let's take a look at Keylogger X.

Downloaded file: KeyloggerX.dmg.sit (768,805 bytes)

Inside this image are the following files:

Disclaimer.rtf - This document informs the user that "You are held responsible for your actions". Check the full disclaimer here.

Keylogger X - This is the binary, a Preferred Executable Format (PEF) file (its signature starts with "Joy!peffpwpc").

Read Me.rtf - This document describes the program as follows: "Keylogger X is designed to run on OSX. The logged file is saved in the users preference folder called 'User Preferences'."

OK, let's run and check this program. Oops, there's nothing on your screen, and you cannot even find a "User Preferences" folder. Where is it? Nobody knows!

Is it running in the background?


Upon checking the code, this program imports 3 containers with over 900 imported symbols, including multimedia and networking functions.
In the data section, you will find more interesting strings.

Congratulations! You just installed a "more efficient keylogger".

The behavior of this program is not acceptable and is an absolutely real threat to users.