Just now, a friend I hadn't chatted with in ages suddenly pinged me on YM. Then they invited me to take an IQ test.. whoa.. suspicious. So I tried searching Google and found this :)
Long lost friends asking you to do IQ tests? Just say NO!
Started noticing a trend where people I've not spoken to in years, seemingly limited to Yahoo! Messenger so far, message me saying I should go do an IQ test whilst they go have a shower.
I figured something was afoot, and sure enough by the third or fourth time I'd figured out the pattern...
(05:09:41) Bot: hey its been a long time :p
(05:10:44) Me: Don't tell me.. you want me to do an IQ test?
(05:11:01) Bot: I just took an IQ test here.. pretty cool :P
(05:11:10) Me: You got 113, right?
(05:11:30) Bot: got a 113 lol... I thought I was smarter than that
(05:11:46) Me: I'm thinking your next comment will be the link?
(05:12:07) Bot: its http://iqscorechallenger.com/?invitecode=..........
(05:12:20) Me: Thought so.. I reckon you're full of shit to be honest
(05:12:44) Bot: you should see if you can do better than me... if you can ill buy you a drink
(05:12:59) Me: Mrrmm.. alcohol.. I'd need a lot of that to fall for this :)
(05:13:20) Bot: try it... http://iqscorecalc.com/?invitecode=.......... I bet you cant lol
(05:13:32) Me: I'm waiting for the comment that says you have to go and you'll be right back..
(05:13:40) Me: Funny how that link changed..
(05:13:45) Bot: take it now while I take a shower lol
(05:13:52) Me: ... and there we go :)
(05:14:07) Bot: ill be back in a few after im all fresh
(05:14:19) Me: Sure... with a new script... I wonder how long it is :)
(05:14:36) Bot: brb, let me know your score when im back!
(05:14:47) Me: Hrrmm.. must be getting towards the end of it..
Appears to be a very unintelligent, automated process that simply spews forth the same script on a timed basis with different URLs with different ID codes pointing to the same IP address, listed as part of a Russian range, registered to an address in the Seychelles. Oh, and who puts a smiley in the description of an AS number/route?
$ host iqscorechallenger.com
iqscorechallenger.com has address 92.241.168.102
$ host iqscorecalc.com
iqscorecalc.com has address 92.241.168.102
$ host 92.241.168.102
102.168.241.92.in-addr.arpa domain name pointer 2x4u175.2x4.ru.
$ whois 92.241.168.102
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '92.241.168.0 - 92.241.169.254'
inetnum: 92.241.168.0 - 92.241.169.254
netname: NET-2X4
descr: 2x4.ru network
country: RU
admin-c: UDF667-RIPE
tech-c: UDF667-RIPE
status: ASSIGNED PA
mnt-by: RU-WEBALTA-MNT
source: RIPE # Filtered
person: Pavel Ivanov
address: Sound & Vision House, Francis Rachel Str.
address: Victoria, Mahe, Seychelles
remarks: ***************************************
remarks: Virtual and shared hosting, Windows Linux FreeBSD
remarks: Virtual private Servers (VPS/VDS), Dedicated Servers
remarks: Protected managed hosting solutions, DDOS protection systems
remarks: Satellite CPC/VSAT telecomunications
remarks: Wireless links services.
remarks: English and Russian Sales contact: ICQ 758291
remarks: ***************************************
abuse-mailbox: abuse@2x4.ru
remarks: West Europe customers office & NOC
phone: +44 20 3286 6617
remarks: East Europe customers office & NOC
phone: +7 495 657-90-57
mnt-by: IDEAL-MNT
nic-hdl: UDF667-RIPE
source: RIPE # Filtered
% Information related to '92.241.160.0/19AS41947'
route: 92.241.160.0/19
descr: Wahome IP's =)
origin: AS41947
mnt-by: RU-WEBALTA-MNT
mnt-routes: GIGABASE-MNT
mnt-routes: RU-WEBALTA-MNT
source: RIPE # Filtered
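The pattern observed above (the link changes mid-conversation, yet both domains carry the same `invitecode` parameter and resolve to the same address) can be checked mechanically. This is an added Python example, not part of the original post; the chat lines and `host` answers are copied from this page so it runs offline, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs
# Chat lines copied from the transcript on this page (invite codes are elided there).
CHAT = """\
(05:12:07) Bot: its http://iqscorechallenger.com/?invitecode=..........
(05:13:20) Bot: try it... http://iqscorecalc.com/?invitecode=.......... I bet you cant lol
(05:13:40) Me: Funny how that link changed..
"""
# `host` answers copied from this page, so nothing is resolved at run time.
HOST_OUTPUT = """\
iqscorechallenger.com has address 92.241.168.102
iqscorecalc.com has address 92.241.168.102
"""
LINE_RE = re.compile(r"^\(\d\d:\d\d:\d\d\) ([^:]+): (.*)$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
HOST_RE = re.compile(r"^(\S+) has address (\S+)$")

def links_by_sender(chat):
    """Return {sender: [(hostname, query parameter names)]} for every URL sent."""
    out = defaultdict(list)
    for line in chat.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sender, text = m.groups()
        for url in URL_RE.findall(text):
            parts = urlsplit(url)
            names = tuple(sorted(parse_qs(parts.query, keep_blank_values=True)))
            out[sender].append((parts.hostname, names))
    return dict(out)

def rotating_link_clusters(chat, host_output):
    """Flag senders whose links rotate hostnames but keep the same IP and URL shape."""
    addrs = defaultdict(set)
    for line in host_output.splitlines():
        m = HOST_RE.match(line.strip())
        if m:
            addrs[m.group(1)].add(m.group(2))
    findings = []
    for sender, links in links_by_sender(chat).items():
        groups = defaultdict(set)  # (ip, parameter names) -> hostnames seen
        for hostname, names in links:
            for ip in addrs.get(hostname, ()):
                groups[(ip, names)].add(hostname)
        for (ip, names), hosts in groups.items():
            if len(hosts) > 1:
                findings.append({"sender": sender, "ip": ip, "params": names, "hosts": sorted(hosts)})
    return findings
```

Calling `rotating_link_clusters(CHAT, HOST_OUTPUT)` returns one finding for the sender `Bot`, listing both hostnames under 92.241.168.102.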
I decided to follow one of the links... from a text only browser that doesn't support scripting! Enter.. elinks!
If you attempt to load a URL without a valid ID code, it'll return a 404 (Not Found error) advising you that the page doesn't exist. Give it a valid code and you immediately get redirected to another page:
IQ Friend Challenge
Refresh: http://spacetrk.com/aff_c?offer_id=74&aff_id=60
If you view the source of the page, you'll see there's some framesets at work:
So be careful, friends.. it turns out their YM account got hacked...
yeah, just got one of these myself. Thanks for the heads up. I was beginning to wonder why my friend wasn't answering any of my questions. It just didn't sound like him at all.
I just got the exact same from two different friends within seconds of each other. I immediately suspected infection, or something of the like.
I am having fun with the bot
Got this one too, but with a slightly different script: at the "I'll buy you a drink" part I instead got "I'll give you 20 dollars", at which I began to think that something was really wrong, because that friend of mine (he's moved to Google Talk and told me that he uses that Yahoo for mailing only) is SUPER EXTREME STINGY, but when he was telling me he's gonna give me 20 bucks, I thought he won a lotto, lol