Forum

  1. User picture
    • amishrabbit on Wed 26 Aug 2009
    • 06:32:20 PM UTC

    mmowned.com -- distributes "phish kits" but is green-lit

    I've spent a little time browsing around this web forum. It is essentially a trading post for "phish kits" which can be used to defraud gamers.

    The subforum http://www.mmowned.com/forums/wow-scams/ is of particular interest, because its members and the people who post messages there appear to have no qualms about the purpose of their creations: They are creating tools and webpage forgeries expressly for the purpose of committing fraud.

    Please take a look at the site and rate accordingly, if you agree.

Comments:

  1. User picture
    • MysteryFCM on Wed 26 Aug 2009
    • 07:07:59 PM UTC

    ....

    WhoIs shows the owner has another site;

    simianplay.com

    Seems to be marketing related.

    This particular site is hosted at 67.214.139.133, which is on the Invision network;

    Invision.com, Inc. INVISION-NET-02 (NET-67-214-128-0-1)
    67.214.128.0 - 67.214.143.255
    The New York NOC, Inc. NYNOC-NET-01 (NET-67-214-139-0-1)
    67.214.139.0 - 67.214.139.255

    http://hosts-file.net/?s=mmowned.com

    In addition, one of the adverts on the mmowned.com forums sent NOD32 into a hissy fit;

    hxxp://www.mmowned.com/adspot/adpeeps.php?bfunction=fetchad&uid=100000&cid=383830&aid=35&atype=2&bzone=left_bar_middle&bsize=160x600

    Which loaded;

    banner.adtrgt.com

    Screenie:
    http://hosts-file.net/misc/imgadtrgt.com_-_66.179....

    Regards
    Steven Burn
    Ur I.T. Mate Group / hpHosts
    it-mate.co.uk / hosts-file.net

    • User picture
      • MysteryFCM on Wed 26 Aug 2009
      • 07:19:07 PM UTC

      Update ....

      I've just spoken with Invision.com about this, and they've asked me to send them the information + evidence so they can take a look.

      I'll post back if I hear back from them.

      Regards
      Steven Burn
      Ur I.T. Mate Group / hpHosts
      it-mate.co.uk / hosts-file.net

    • User picture
      • amishrabbit on Wed 26 Aug 2009
      • 07:36:31 PM UTC

      Siteadvisor user comments mentioned that the ad host used by this site performs browser exploits. I visited the site using a VM. I'd urge anyone else who visits to be cautious and, at the very least, use Firefox with NoScript installed.

  2. User picture
    • iantuttle on Wed 26 Aug 2009
    • 07:25:22 PM UTC

    This is unfortunate if true, as the rating is quite high...

  3. User picture
    • phantazm on Thu 27 Aug 2009
    • 03:33:17 AM UTC

    Scammers delight

    You're right, the subforum ( www.mmowned.com/forums/wow-scams/ ) is kinda 'interesting'. At the top one can read this: "We do not condone scamming, this section is meant for people to read about scamming so they can prevent being scammed themselves.". Really..? Clicking 'WoW Scams' reveals this, as one of the subforum's first stickies:

    "Basically seen alot of Scamming team threads and the looking for a partner thread is kinda old so here is a new one that ALL you scammer people w/e can post in looking for/offering services.
    Looking for a partner template to use:
    How long have you been scamming:
    What are your specialties and what fields do you have experience in (IE phishing, data mining, trade scamming, etc.)
    What you have to offer in a partnership:
    Your average weekly account intake:
    Your average weekly gold intake:
    What you hope to accomplish in a joint scamming effort:
    Your MSN/AIM/Email whatever you want people to contact you by"

    http://www.mmowned.com/forums/wow-scams-help/24018...

    There are plenty of replies to this thread, and none I read wanted to "prevent being scammed themselves". Rather the opposite.

    This site looks like a scammer's delight...

  4. User picture
    • MysteryFCM on Thu 27 Aug 2009
    • 04:23:23 PM UTC

    ....

    I've had it killed :o)

    Regards
    Steven Burn
    Ur I.T. Mate Group / hpHosts
    it-mate.co.uk / hosts-file.net

    • User picture
      • Dragonshadow on Fri 28 Aug 2009
      • 08:48:59 PM UTC

      You're an idiot, we were just moving ;)

      I'm a moderator on the website, and no, you didn't have it killed lol

      We were just moving hosts
      http://mmowned.net has details on it

      And trust me, the scamming section is one of the most hated sections on the site, it's full of noobish leechers... We delete keyloggers and the like, but the section really IS meant to protect you FROM scams x_x

      It's kinda just blown up

      And to the original poster, don't say we are a trading post for that sh*t. The site is devoted to exploits & cheats for mmos, not scamming.

      • User picture
        • MysteryFCM on Fri 28 Aug 2009
        • 09:11:22 PM UTC

        Just moving huh?

        .... then explain why Invision informed me they'd shut off the hosting for the site, and further, explain why the site's owner sent me the following a few hours ago?

        *********************************************************************************
        Name: Roger Kipe
        E-mail: [REMOVED]
        How did you find us?: Other
        ... Other: I own mmowned.com
        Site navigation: Very easy
        Comments:

        Mr. Burn,

        It is my understanding that you have instigated the shut down of one of my sites. This site is a large community that plays World of Warcraft and they talk about it mostly. We have always removed anything that is malicious at the first sight of it or at any complaint. If you have sent complaints to our host they have not forwarded them on to us. I take these things very seriously and would have resolved it immediately.

        Do you have specific links to any malware or anything else that was on our site that I could take off when I get the sites up and running again? Also it should be noted that you claimed we develop and distribute
        1. Exploits
        2. Malware
        3. Phishing packs

        This is simply untrue. We are a community of users and while it is possible that someone posted a link to a URL that held a Malware program, it was certainly not developed or distributed by us. It would have harmed our users as well and we would have removed any such item as soon as we found out about it. We have several Moderators whose job it is to ensure these types of things do not take place.

        Roger
        *********************************************************************************

        Regards
        Steven Burn
        Ur I.T. Mate Group / hpHosts
        it-mate.co.uk / hosts-file.net

        • User picture
          • phygar on Fri 28 Aug 2009
          • 09:29:16 PM UTC

          I can't explain that... But it is up http://mmowned.com/

          • User picture
            • MysteryFCM on Fri 28 Aug 2009
            • 09:34:40 PM UTC

            ,,,,

            Never said I'd had the DNS killed, just the content ;o)

            Regards
            Steven Burn
            Ur I.T. Mate Group / hpHosts
            it-mate.co.uk / hosts-file.net

          • User picture
            • MysteryFCM on Fri 28 Aug 2009
            • 09:37:38 PM UTC

            ...

            ... as an addendum, I find your comment on the site's scorecard to be somewhat humorous;

            "These people commenting on the site are mentioning something that 80% of the site feels wrongly about. But are being very extreme about it. They are against what is happening, but the site is NOT a scam. The admins of the site do not like the "scam" section, and is only there to increase the member count. None of the High ranked Forum members participate in discussing scamming methods."

            If this was indeed the case, the forum's admin/site owner would NOT allow such content. Allowing it just to increase the member count makes the site just as guilty as the people posting the stuff.

            Regards
            Steven Burn
            Ur I.T. Mate Group / hpHosts
            it-mate.co.uk / hosts-file.net

        • User picture
          • Dragonshadow on Fri 28 Aug 2009
          • 11:46:50 PM UTC

          RE: Just moving huh?

          Because their new office screwed up ;)

          • User picture
            • MysteryFCM on Fri 28 Aug 2009
            • 11:52:25 PM UTC

            ....

            Well fear not, we'll (myself, a contact at Invision, and several other people) be monitoring mmowned.com and .net, to see what type of content is presented, especially given the previous content, and rest assured, if it's the same as previously, I'll have the entire account closed, rather than just the content removed.

            Regards
            Steven Burn
            Ur I.T. Mate Group / hpHosts
            it-mate.co.uk / hosts-file.net

            • User picture
              • Dragonshadow on Fri 28 Aug 2009
              • 11:55:01 PM UTC

              lol

              MMOwned.net is owned by myself, and doesn't have any "bad" content on it at all, it's just a blog. So your rating on my site for "Engaged in the distribution of malware." is untrue.

              MMOwned.com is moving hosts.

              • User picture
                • MysteryFCM on Sat 29 Aug 2009
                • 12:02:52 AM UTC

                .....

                Given the .net site is related to the .com variant, the classification is actually valid.

                Be sure to let me know which hosting company you move to, save me the 2 seconds to notice the IP change.

                Regards
                Steven Burn
                Ur I.T. Mate Group / hpHosts
                it-mate.co.uk / hosts-file.net

          • User picture
            • jpvip on Fri 28 Aug 2009
            • 11:53:58 PM UTC

            hm...

            Why would their office screw up?

            ~DragonMaster Jay, malware researcher,
            Admin, helpmyos.com

      • User picture
        • amishrabbit on Sun 30 Aug 2009
        • 05:38:38 AM UTC

        response to Dragonshadow

        I didn't imply that my evaluation of your entire site was exhaustive. But in my analysis, that particular forum served precisely that purpose.

        That forum features, essentially, advertisements by phishing kit creators, followed by posts of praise and helpful suggestions by regular contributors. These kits do not exclusively comprise PE files, but some do, and I didn't see any attempt to moderate the discussion away from the distribution of files that can serve only the purpose of permitting those with malicious intent a clear path to engage in criminal conduct. In fact, the forum rules appear to solicit users to actively participate, and penalize those who register but fail to post useful messages, as "leechers."

        There was extensive posting in that forum relating to current, ongoing attempted account-phishing schemes. For example, one very busy forum thread relates to a phishing scheme directed at gullible users, anxious to access the Cataclysm expansion pack. The scheme involves posting a video promising exclusive access to a "beta account" which requires users to provide account credentials to a web site. The phishing attempts, all of which use exactly the same video, but link to copies of the identical phish kit hosted on a multitude of free web hosting services, apparently continue to be posted to Youtube.

        The source of the video, and exhaustive posting instructions from user "Jebus Fist" were packaged as a "how to phish for WoW accounts" step by step guide, not as a warning to others. Members of the forum were solicited to rate these "videos" highly on Youtube, and it appears that many of them did just that. The user received a lot of praise for his very accurate reproduction of Blizzard's branding and site design in the replica PHP page, as well as for the volume of accounts the scheme netted for participants.

        Members also argued amongst themselves in another thread about "honor among thieves" when one of the members posted instructions to steal the text file containing stolen account details from unsophisticated phishers who failed to protect the file.

        I was able to download about eight of the more comprehensive HTML and PHP phish kits, including this Jebus Fist one, as well as several PE phishers, and the source code to a phishing application written in Visual C++, links to which were all posted within topics in that forum. Of course, all of the files are hosted on free file sharing services like Rapidshare.

        I have no problem with the vast majority of the site. Game botting is not my concern. But if the site does not condone this kind of activity, then why permit the forum to exist in the form it has taken at all? And if the forum really is designed as a "here's how not to get scammed" guide, why not strictly enforce the forum's own rules about not posting content that facilitates exactly that?

        Yes, a small portion of your users appear to be engaged in criminal conduct, and their actions tarnish the reputation of your entire site. There's no way to separate the two groups through the mechanism of WOT, and it is somewhat of a blunt instrument. A good start would be to clean up that forum, and demonstrate your honest desire to prohibit this kind of behavior on your forums with strict controls.

        • User picture
          • Dragonshadow on Tue 01 Sep 2009
          • 12:11:25 PM UTC

          Understandable

          Yay someone who actually knows how to talk to other people! *glares at steven*

          Yea I agree with this, the section is stupid and phishers are retarded. In fact if I remember correctly Jebus' post was deleted 3? times. I myself do not have moderation powers over the scams section (that might change? I dunno) and as such can't hit it with the hammer I'd like to.

          The section itself brings in a lot of traffic and would hurt the site if we were to simply delete it. I would like to revamp the section (as do pretty much all of the staff) but that will have to be discussed at the next staff meeting (when? I have no idea). Until then we do what we can (deleting the hiiiighly illegal stuff like keyloggers, fraud, and hacking tutorials)

          I think I was going to add another paragraph but I can't remember what I was going to say.

  5. User picture
    • jpvip on Sat 29 Aug 2009
    • 12:01:24 AM UTC

    Malware is not acceptable

    Your comments are ok, but malware is not acceptable and will be dealt with. If that means the closing of the account, via MysteryFCM, then accept it.

    ~DragonMaster Jay, malware researcher,
    Admin, helpmyos.com

    • User picture
      • Dragonshadow on Sat 29 Aug 2009
      • 12:04:06 AM UTC

      I'm not the one running the site, so I'm just saying it's unfair to ding my site for the same reasons.

      • User picture
        • MysteryFCM on Sat 29 Aug 2009
        • 12:07:41 AM UTC

        ...

        It would only be unfair if they were unrelated.

        /edit

        Oh and, the comments on your blog haven't helped your case either ;o)

        Regards
        Steven Burn
        Ur I.T. Mate Group / hpHosts
        it-mate.co.uk / hosts-file.net

  6. User picture
    • jpvip on Sat 29 Aug 2009
    • 12:06:57 AM UTC

    Since you...

    Directly support it....and it has the same name, just different extension (.com versus .net).

    ~DragonMaster Jay, malware researcher,
    Admin, helpmyos.com

  7. User picture
    • Dragonshadow on Sat 29 Aug 2009
    • 12:13:45 AM UTC

    I bought the domain because mmowned.com gets a lot of traffic and was then asked to put up a blog for the upcoming move >_>

    And comments like what? The ones laughing at this page?

    Edit: I can't even send a message to hphosts because my ip (that I just got a few days ago) is blacklisted? I move from .189.x to .190.x and suddenly everything thinks I'm a spammer.

    • User picture
      • MysteryFCM on Sat 29 Aug 2009
      • 12:15:13 AM UTC

      ....

      Given hpHosts is owned by me, you'd get the same response as I've given already.

      As far as your IP being blacklisted, you can check the following to see which blacklist it's on;

      http://temerc.com/Check_Spammers/

      Regards
      Steven Burn
      Ur I.T. Mate Group / hpHosts
      it-mate.co.uk / hosts-file.net

  8. User picture
    • Dragonshadow on Sat 29 Aug 2009
    • 12:19:35 AM UTC

    Yea it's on fspamlist for both email and IP... I've never spammed from my email, granted I get a lot of spam to it. My IP on the other hand, I have no idea what's up with it.

    • User picture
      • MysteryFCM on Sat 29 Aug 2009
      • 12:23:46 AM UTC

      ....

      Given you've said you just got the IP, chances are it was blacklisted due to whoever had it previously. You'd need to get in touch with the DNSBL that's blacklisted it to find out when and why.

      The IP DNSBL result will be displayed on the results page under "Checking DNS Blacklists".

      Regards
      Steven Burn
      Ur I.T. Mate Group / hpHosts
      it-mate.co.uk / hosts-file.net

  9. User picture
    • Dragonshadow on Sat 29 Aug 2009
    • 12:35:00 AM UTC

    Ah thank you

  10. User picture
    • MysteryFCM on Sat 29 Aug 2009
    • 01:44:02 AM UTC

    ....

    Just a warning folks. mmowned.com is back online (and at the same IP address - moved host huh? I don't think so). NOD is still going nuts at the advert it did previously, due to the exploit present.

    Ref:
    http://hosts-file.net/?s=mmowned.com

    I've already fired off an e-mail to the hosting company, but anyone else that would like to send in an abuse report, you'll find the contact details for the hosting company in the Net-block information.

    Regards
    Steven Burn
    Ur I.T. Mate Group / hpHosts
    it-mate.co.uk / hosts-file.net

  11. User picture
    • Dragonshadow on Sat 29 Aug 2009
    • 01:50:24 AM UTC

    We had to come back online to change hosts I guess? Dunno.