ROKSO
The Register of Known Spam Operations
crackpal.com



Country: India
State:
Hosts in China, Australia and elsewhere. Uses Yahoo accounts. Probably Indian; may be related to, or a partner of, the ROKSO-listed "MailTrain" operation.



crackpal.com


[whois.dynadot.com]
Domain Name: crackpal.com
Registered at http://www.dynadot.com

Registrant:
Rajesh Kumar P c/o Dynadot Privacy
PO Box 701
San Mateo, CA 94401
United States

Administrative Contact:
Rajesh Kumar P c/o Dynadot Privacy
PO Box 701
San Mateo, CA 94401
United States
privacy@dynadot.com
1-650-585-1961

Technical Contact:
Rajesh Kumar P c/o Dynadot Privacy
PO Box 701
San Mateo, CA 94401
United States
privacy@dynadot.com
1-650-585-1961

Record expires on 2013/05/05 UTC
Record created on 2003/05/05 UTC

Domain servers in listed order:
ns1.1stchina.cn
ns2.1stchina.cn



[whois.PublicDomainRegistry.com]
Registration Service Provided By: RAJESH DOMAINS
Contact: +91.9880165878

Domain Name: 123NEWGREETINGS.COM

Registrant:
123Greetings.com, Inc.
Kajaria, Sharad (greetings123name@yahoo.com)
1674 Broadway
Suite 403
10019
New York,10019
US
Tel. +001.9176036425

Creation Date: 18-Dec-2008
Expiration Date: 18-Dec-2009

Domain servers in listed order:
ns1.platypushost.com.au
ns2.platypushost.com.au

Administrative Contact:
123Greetings.com, Inc.
Kajaria, Sharad (greetings123name@yahoo.com)
1674 Broadway
Suite 403
10019
New York,10019
US
Tel. +001.9176036425

Technical Contact:
123Greetings.com, Inc.
Kajaria, Sharad (greetings123name@yahoo.com)
1674 Broadway
Suite 403
10019
New York,10019
US
Tel. +001.9176036425

Billing Contact:
123Greetings.com, Inc.
Kajaria, Sharad (greetings123name@yahoo.com)
1674 Broadway
Suite 403
10019
New York,10019
US
Tel. +001.9176036425

Status:ACTIVE



URL: http://123newgreetings.com/Y/Y7BD40106194621000/

Server IP address is 115.178.17.181

HTTP/1.1 200 OK
Connection: close
Date: Fri, 18 Dec 2009 05:45:31 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7a DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_jk/1.2.28
Content-Length: 370
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /Y/Y7BD40106194621000</title>
</head>
<body>
<h1>Index of /Y/Y7BD40106194621000</h1>
<ul><li><a href="/Y/"> Parent Directory</a></li>
<li><a href="greetingcard.php"> greetingcard.php</a></li>
<li><a href="greetingcard_ver.php"> greetingcard_ver.php</a></li>
</ul>
</body></html>



[whois.apnic.net]

inetnum: 115.178.16.0 - 115.178.23.255
netname: DEDAUS-AU
descr: PO Box 58
country: AU
admin-c: AT500-AP
tech-c: AT500-AP
status: ALLOCATED PORTABLE
remarks: Used for co-location-hosting
mnt-by: APNIC-HM
mnt-lower: MAINT-DEDAUS-AU
mnt-routes: MAINT-DEDAUS-AU
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.

role: Angus Thomson
address: PO Box 58, Greenslopes, QLD, 4120
country: AU
phone: +61-7-3114 2767
fax-no: +61-7-3847 6684
e-mail: noc@dedicatedserversaustralia.com.au
admin-c: AT500-AP
tech-c: AT500-AP
nic-hdl: AT500-AP
mnt-by: MAINT-DEDAUS-AU
changed: hm-changed@apnic.net 20080904
source: APNIC
changed: hm-changed@apnic.net 20080904



http://www.mcgrewsecurity.com/2009/01/08/looking-at-the-crackpalcom-phishing-for-hire-scheme/comment-page-1/#comment-27744

(screenshots have additional info -SH)

Yesterday, I took a lighthearted look at some of the Google searches people have used to arrive at this site. I saved one of them for today, however, because it was enough fun to warrant its own post. That search query is:

* crackpal.com review

Well, I suppose I can give that a try.

What is crackpal.com? It's a service that promises to hack Yahoo, Hotmail, Rediff, and Google email accounts. Here's what their website looks like, if it's down by the time you read this:

You might remember that I've looked at a site similar to this in a previous post. Here's how things are supposed to go down, according to their site:

The proof takes the form of screenshots of inboxes, sample emails, contacts, or other personal information.

I decided to see how this would play out, assuming (correctly) that it would work much like the yourhackers.net scheme described in a previous post. So, yesterday I filled out their order form, using my own Yahoo email account as a target, from another account that I had created that is posing as someone who doesn't like me very much:

This morning, in the wesleymcgrew@yahoo.com account I had a surprise! Yay!

Helo? What am I, an SMTP server? As you might be able to imagine, I don't know anyone named Jonathan Regon, and certainly not well enough to warrant "Luv and Regards". Let's take a look at the link to the phishing site:

So, obviously the single ?wesleymcgrew parameter sets the username. If you punch in anything and Submit, you get forwarded along to a real 123greetings card:

Cute.

Back to the phishing site, what happens if we take the php filename out of the URL, going straight to the directory?

Neat, no directory protection or index.html/php, but not much of interest. What if we go up a directory?

Now this looks more interesting. What's in Y.txt?

The phishing URL sent to me contained the directory name ending in 1003. That corresponds with the 1003 line in Y.txt with the name Jonathan Reagan. Sounds like the Jonathan Regon that emailed me. These are the names being used in the phishing emails, and each of the above directories contains links to greeting cards from these names.

The /Y/ here stands for Yahoo. There are similar directory structures on this site for /H/ (Hotmail) and /R/ (Rediff). There is no /G/ for Gmail, surprisingly, and no other single-letter directories (tried them all).

Who is 123newgreetings.com? WHOIS shows all contacts as:

Registrant:
123Greetings.com, Inc.
Kajaria, Sharad (greetings123name@yahoo.com)
1674 Broadway
Suite 403
10019
New York,10019
US
Tel. +001.9176036425

This is the exact same contact information as on the real 123greetings.com, with a different email and phone number.

Crackpal.com's WHOIS information is set to its registrant's (dynadot.com) private registration-by-proxy name and address.

I have fired off an abuse email to 123newgreetings.com's host, eukhost.com, so it may be down soon. Crackpal.com itself appears to be hosted in China, so I don't hold out much hope for that going down.




http://123newgreetings.com/Y/Y7BD40106194621000/greetingcard.php

(Yahoo! India password page)


http://123newgreetings.com/Y/Y7BD40106194621000/greetingcard_ver.php redirects to http://www.123greetings.com/send/view/07409609603221114177/

"ecard sent by friend_online@ymail.com to you@you.com (09-Jul-2009)"
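As an added example (not part of this ROKSO record or of the quoted post), the following Python triages a link the way an abuse desk might, checking for the three traits the post and the notes above describe: a host that resembles the real 123greetings.com domain, the single-letter provider directory plus greetingcard*.php path layout, and a bare query key carrying the target's username. The brand list, similarity threshold, regex and sample URLs are constructed for illustration.

```python
import difflib
import re
from urllib.parse import urlsplit

# Legitimate greeting-card domain(s) to compare lookalikes against (constructed list).
KNOWN_BRANDS = {"123greetings.com"}

# Path layout from the post: single-letter provider dir (Y/H/R), opaque per-target dir, greetingcard*.php.
KIT_PATH = re.compile(r"^/[A-Z]/[A-Za-z0-9]+/greetingcard[a-z_]*\.php$")


def lookalike_of(host: str, brands=KNOWN_BRANDS, threshold: float = 0.8):
    """Return the brand domain this host resembles without being it, else None."""
    # Crude registrable domain: last two labels (enough for .com-style hosts like these).
    dom = ".".join(host.lower().split(".")[-2:])
    if dom in brands:
        return None  # the genuine site is not a lookalike
    # Compare second-level labels only ('123newgreetings' vs '123greetings') by similarity ratio.
    label = dom.split(".")[0]
    for brand in brands:
        if difflib.SequenceMatcher(None, label, brand.split(".")[0]).ratio() >= threshold:
            return brand
    return None


def bare_query_keys(url: str) -> list:
    """Query parts with no '=': the post's '?wesleymcgrew' passes the username this way."""
    return [p for p in urlsplit(url).query.split("&") if p and "=" not in p]


def triage_url(url: str) -> list:
    """List the reasons a link matches the scheme; an empty list means nothing matched."""
    parts = urlsplit(url)
    reasons = []
    brand = lookalike_of(parts.hostname or "")
    if brand:
        reasons.append(f"host {parts.hostname} resembles {brand}")
    if KIT_PATH.match(parts.path):
        reasons.append("path follows the provider-letter/target-dir/greetingcard.php layout")
    if bare_query_keys(url):
        reasons.append("bare query key, i.e. a username passed without '='")
    return reasons


if __name__ == "__main__":
    # Constructed samples: the phishing link shape from the post and the real card it redirects to.
    for sample in ("http://123newgreetings.com/Y/Y7BD40106194621000/greetingcard.php?wesleymcgrew",
                   "http://www.123greetings.com/send/view/07409609603221114177/"):
        print(sample, "->", triage_url(sample) or "no match")
```

The genuine 123greetings.com card URL that greetingcard_ver.php redirects to produces no reasons, which is the point of comparing against the real brand rather than blocking anything that mentions it.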






The Register of Known Spam Operations (ROKSO) collates information and evidence on entities with a history of spamming or providing spam services, and entities affiliated or otherwise connected with them, for the purpose of assisting ISP Abuse Desks and Law Enforcement Agencies.
The address of this ROKSO record is: http://www.spamhaus.org/rokso/evidence/ROK8980/crackpal.com/crackpal.com

The above consists of information in the public domain. The Spamhaus Project makes every effort to avoid errors in information in the ROKSO database, and will correct any errors as soon as it is able to verify the correction, but accepts no responsibility or liability for any errors or omissions, or liability for any loss or damage, consequential or otherwise, incurred in reliance on the material in these pages. The Spamhaus Project makes no warranties or representations as to the accuracy of the Information in ROKSO records. The information in the ROKSO database is for information purposes only and is not intended as legal advice of any kind.

For information on contacting the ROKSO Team regarding any factual errors in this record, see the ROKSO FAQs.
© 1998-2013 The Spamhaus Project Ltd. All rights reserved.