Scam FBI Site Found

So I was cruising the web a few days ago and stumbled onto, well, actually was redirected to, this monster scam of a website. In short, it is a fake site parading as an FBI Cyber Defense warning stating that it found copyright material and/or child porn on your computer. It “locks your browser” with several hundred JavaScript alerts using the “onbeforeunload” method, which is annoying to say the least and makes the browser kinda feel locked up. You can, however, unlock your PC by paying the “FBI” $300 via a Green Dot Money Pak! Let’s get serious, folks… If the FBI found you had kiddie porn on your PC, do you really think they would let you off for $300? And do the Feds really not take MasterCard or Visa? Green Dot? Really?

I spent the better part of today trying to make a brilliant YouTube video/screencast using CamStudio. But after 4 hours and nothing but corrupt AVI files, I have resorted to this more than reliable blog post.

Let’s get to the analysis!

The Scam URL is:

http://fbi.gov.id657546456-3999456674.l7650.com/?flow_id=2019&&453640=45513/case_id=39994

It is more annoying than malicious, but check it out if you dare and at your own risk!

A breakdown of the URL shows that FBI.GOV is actually part of a ridiculously convoluted sub-domain. The real domain for this site is l7650.com, and that is where we start our snooping.
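To make that breakdown mechanical, here is an added example (not code from the scam site or the original post) that splits the hostname into labels and flags a trusted domain name appearing as a mere subdomain prefix. It assumes the registrable domain is simply the last two labels, which holds for .com but is a simplification (no public suffix list is consulted).

```javascript
// Added example: show that "fbi.gov" in the scam URL is only a subdomain
// prefix of l7650.com, the domain that actually answers the request.
const SCAM_URL =
  "http://fbi.gov.id657546456-3999456674.l7650.com/?flow_id=2019&&453640=45513/case_id=39994";

// Domains whose appearance anywhere left of the registrable domain is suspicious.
const TRUSTED_DOMAINS = ["fbi.gov"];

function analyzeHost(urlString, trustedDomains) {
  const host = new URL(urlString).hostname.toLowerCase();
  const labels = host.split(".");
  // Assumption: registrable domain = last two labels (fine for .com, not for
  // multi-part suffixes such as .co.uk).
  const registrable = labels.slice(-2).join(".");
  const prefix = labels.slice(0, -2).join(".");
  // Wrap with dots so "fbi.gov" only matches whole labels, not "nfbi.gov".
  const dotted = "." + prefix + ".";
  const impersonated = trustedDomains.filter(
    (d) => d !== registrable && dotted.includes("." + d + ".")
  );
  return { host, registrable, prefix, impersonated };
}

function describe(result) {
  if (result.impersonated.length === 0) {
    return `${result.host}: served by ${result.registrable}, no lookalike prefix`;
  }
  return `${result.host}: served by ${result.registrable}, but prefix "${result.prefix}" ` +
    `impersonates ${result.impersonated.join(", ")}`;
}

// Constructed comparison: the scam URL next to the real FBI site.
for (const u of [SCAM_URL, "https://www.fbi.gov/contact-us"]) {
  console.log(describe(analyzeHost(u, TRUSTED_DOMAINS)));
}
```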

http://domaintz.com/tools/reverse-ip/ is my main tool for looking up domains and IP addresses. And by searching it for the attack domain we learn that it is a site from Kazakhstan! Now, think about it. Would the FBI REALLY be hosting a site like this from Eastern Europe? That is about as much info as we can get from the reverse IP and Domain tool. On to something better!

Nmap!

Nmap is a port scanning and digital fingerprinting tool. If you are at all involved in networking or security, you should get to know this software. A quick Nmap scan on the attacker domain shows that TCP ports 80 and 22 are open, as well as some very high UDP ports in the 40,000 range. TCP 80 is typical of a web server service like Apache. In this case the attack site is hosting its files off an NGINX server (a new developing trend among these scammers!). NGINX is a brilliant event-based web server that uses far fewer system resources than Apache and can be run on small, cheap hardware like a Raspberry Pi or a BeagleBone development board. TCP port 22 is the standard SSH port, used to remote control a server as well as transfer files via SFTP if enabled. The UDP ports are peculiar, and I can only assume they are there for either remote botnet control of the node or a communication link for the Green Dot Money Pak codes to be sent back to the attacker collecting the scammed money.

Nmap also shows that the device is running a Linux 2.6 kernel on an Asus RT-N16 WAP, which I believe is a Free-BSD variant. It is definitely a popular choice with the fraudsters. Nmap shows that it’s about 19 hops away from my gateway, and Whois shows that it’s owned by a Russian ISP.

Now for the fun part!

Looking at the JavaScript in the code, it appears that they have several hundred alert() calls in hidden iframes exploiting the onbeforeunload method. The rest of the site looks rather benign (code-wise) and quite clean and commented, more than likely code pulled from a legit site. Upon further snooping, I found a JS function called “check()”. Intuition dictates that this is some sort of input validation for the Green Dot Money Pak code, and intuition would prove correct in this case. Look at the following JS code, pulled directly from the attack site:

    function check(){
        // Grabs every <input> on the page; input[0] is the Money Pak code field.
        var input = document.getElementsByTagName('input');
        var result = true;
        // Only a non-empty value whose length is not 14 is rejected.
        if(input[0].value != '' && input[0].value.length != 14 ){
            alert('YOUR PAYMENT INFORMATION IS NOT CORRECT.\n\nALL PC DATA WILL BE DETAINED AND CRIMINAL PROCEDURES WILL BE INITIATED AGAINST YOU IF THE FINE WILL NOT BE PAID.');
            result = false;
        } else {
            // The "unlock": drop the onbeforeunload nag handlers...
            window.onbeforeunload = null;
            window.document.body.onbeforeunload = null;

            // ...then unwrap every iframe, moving its children up into the
            // parent and removing the emptied iframe itself. The loop walks
            // backwards because getElementsByTagName returns a live collection.
            var strongs = document.getElementsByTagName("iframe");
            for (var i=strongs.length - 1; i>=0; i--){
                var strong = strongs[i];
                var acceptor = strong.parentNode;
                while(strong.childNodes.length){
                    var child = strong.childNodes[0];
                    strong.removeChild(child);
                    acceptor.insertBefore(child, strong);
                }
                acceptor.removeChild(strong);
            }
        }
        return result;
    }

We can see from the above code that input validation for the Green Dot Money Pak code is really weak. To satisfy the Boolean statement, the input must NOT be empty and must have a character length of 14. This means simply typing in 14 zeros will “authenticate” and “unlock” your PC within 12 hours. If you still believe that crap after getting this far through the analysis!

Fun Idea!

Why not write a script to hammer their server with a billion numbers that are 14 digits long! Not a bad idea if you ask me.

Conclusion

This is a half-baked scam from Eastern Europe. The code is not malicious and seems to only be calling out people who are naive and possibly guilty of copyright infringement or child porn. My experience with the site was better using Firefox rather than Chrome, which is a first for me! Chrome required me to click on “leave page” in the JS unload alert. This took a lot of time and made my hand tired. It also made me feel a bit “trapped”, like my browser was indeed blocked (which I knew was technically impossible). Firefox gave me the option of “ignoring future dialogs” from the site. That means I only had to click the check boxes and FF would ignore the extra 200 alerts and finally navigate me away from the page.

I wish my video of this panned out. It was going to be quite informative and a lot less reading. I will see what I can do from my Linux box later as time permits.
