I asked Keith to help me out with this URL. I searched for URL decode, came up with his page: http://www.swishweb.com/dec.htm

http://www.earthlink.net:ac=a098832d19f03cc7cbe3c1248e071434a098832d19f03c43a098832d19f03cc7cbe3c1248e071434a098832d19f03cc7cbe3c1248e07143c7cbe3c1248e07143a098832d19f03cc7cbe3c1248e071434a098832d19f03cc7cbe3c1248e07143@a098832d19f03cc7cbe3c1248e071434a098832d19f03cc7cbe3c1248e07143.cc

Keith Replied:

Here's how it works. The URL is taking advantage of the authentication-string trick which is actually described on my URLs page. The authentication string has two parts. The first part is seen by your browser as a username, with a colon (:) as separator. The second part is seen as a password, with the "@" symbol then separating username/pass from the domain name. As follows:

username: www.earthlink.net:
password: ac=a098832d19f03cc7cbe3c1248e071434a098832d19f03c43a098832d19f03cc7cbe3c1248e071434a098832d19f03cc7cbe3c1248e07143c7cbe3c1248e07143a098832d19f03cc7cbe3c1248e071434a098832d19f03cc7cbe3c1248e07143@
domain name: a098832d19f03cc7cbe3c1248e071434a098832d19f03cc7cbe3c1248e07143.cc

Yes, that long string of random characters is a domain name. Its owner's identity is deliberately hidden from public view by the eNIC Registry; a very questionable practice. Here's the reply I got when I queried for the domain's WHOIS data:

Reserved usage - Domain is in restricted class.
This information is (c) 1997-2002 eNIC Corp.
...
ENIC Network Information Center: http://www.nic.cc/index.html
ENIC WHOIS Gateway: http://www.nic.cc/who.html
Note: ENIC WHOIS Gateway only verifies the existence of a name.

Well, there's more than one way to skin a cat. First of all, we trace the domain's IP address (64.85.73.31).
Here's the owner of the network block where our ridiculously-long name is hosted:

12-21-2003 10:10:57.76a Rwhois rwhois.exodus.net:4321 64.85.73.31
%rwhois V-1.5:001ab7:00 rwhois.exodus.net (Exodus Communications)
network:Class-Name:network
network:Auth-Area:0.0.0.0/0
network:Network-Name:64.85.73.0
network:IP-Network:64.85.73.0/25
network:Organization;I:Dotster, Inc.
network:Name;I:Nick Reeves
network:Email;I:nreeves@dotster.com
network:Street;I:11807 N.E. 99th Street. Suite 1100
network:City;I:Vancouver
network:State;I:WA
network:Postal-Code;I:98682
network:Country-Code;I:USA
network:Class-Name:network
network:Auth-Area:0.0.0.0/0
network:Network-Name:64.85.64.0
network:IP-Network:64.85.64.0/18
network:Organization;I:Exodus IDC - SE/SE2
network:Name;I:Exodus IP Address Administrator
network:Email;I:ipaddressadmin@exodus.net
network:Street;I:12301 Pacific Coast Hwy
network:City;I:Tukwila
network:State;I:WA
network:Postal-Code;I:98168
network:Country-Code;I:USA
%ok

What happens when we try to visit the URL? Here's what the browser gets:

HTTP/1.1 302 Found
Date: Sun, 21 Dec 2003 17:54:28 GMT
Server: Apache/1.3.29 (Unix) PHP/4.3.4
X-Powered-By: PHP/4.3.4
Location: http://fat32.host.sk/
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

It's a redirect. So -- we go there. Which yields:

HTTP/1.1 200 OK
Date: Sun, 21 Dec 2003 17:54:32 GMT
Server: Apache
Vary: *
Last-Modified: Fri, 19 Dec 2003 23:59:12 GMT
ETag: "7267bc-298-3fe390d0"
Accept-Ranges: bytes
Keep-Alive: timeout=1
Connection: Keep-Alive
Content-Type: text/html
Content-Encoding: gzip
Content-Length: 354
...

Ah, it's ZIP-encoded! Sneaky. The content can't be read directly. Fortunately, a browser with Javascript disabled will easily reveal the decoded content:

 

We see by this that the user is redirected yet again, this time to a URL on the same server (actually http://fat32.host.sk/index2.htm). But that screwy URL utilizes a recently discovered and as-yet unpatched IE exploit, which causes IE to display a spoofed domain (earthlink.net of course) in the Location bar. Very, very deceptive. (And another fat black mark against Microsoft for their endlessly insecure browser and for the patch they're deliberately delaying merely to keep to their self-imposed monthly-patches-only schedule.) The web page it then displays looks exactly like an Earthlink page, and provides a form to enter username and password.

Here's where the domain is hosted:

inetnum: 62.168.109.0 - 62.168.109.255
netname: SK-GTS-INTERNAL
descr: Poprad, Trencin, Namestovo,
descr: Ruzomberok, Nove mesto nad Vahom
country: SK
admin-c: GSNH1-RIPE
tech-c: GSNH1-RIPE
status: ASSIGNED PA
mnt-by: GTSSK-MNT
changed: cibco@gtsgroup.sk 20030713
source: RIPE

route: 62.168.64.0/18
descr: GTS Slovakia NET
origin: AS5578
mnt-by: GTSSK-MNT
changed: marek.heriban@gtsgroup.sk 20020610
source: RIPE

role: GTS-INEC Slovak Net Hostmaster
address: GTS Slovakia s.r.o.
address: Liscie Udolie 5
address: Bratislava 4
address: 841 01
address: Slovak Republic
phone: +421 2 5778 1111
fax-no: +421 2 5778 1117
e-mail: noc@gtsgroup.sk
e-mail: hostmaster@gtsi.sk
admin-c: JW239-RIPE
tech-c: MH6751-RIPE
nic-hdl: GSNH1-RIPE
mnt-by: GTSSK-MNT
changed: cibco@gtsgroup.sk 20030714
source: RIPE

The SK top-level domain has no WHOIS server, but they do offer text listings of all registered domains and registrants at:
https://www.sk-nic.sk/documents/domeny_1.txt
and
https://www.sk-nic.sk/documents/registratori.txt

So here's the domain record for fat32.host.sk, what there is of it:

Fields: domena;ID reg;ID drzitela;NEW(OLD);Stav domeny;NS1;NS2;NS3;NS4;ICO drzitela
Data: host.sk;LMM--0001;LMM--0001;NEW;DOM_OK;ns.host.sk;nic.profinet.sk;;;35748346 ;23.01.2004

And the registrant record:

Fields: Reg ID;Firma;Ulica;Mesto;Telefon;E-mail
Data: LMM--0001;Prime Interactive s.r.o.;Tulipánova 7;Bratislava;0903-556778;orpheus@primeinteractive.net

Sorry for the Slovak, but I'm no translator and they offer no English version. You now have contact addresses for the hosts and the domain owner. That's where to send your complaint. Obviously, the purpose of the scam is to steal accounts; which are probably then used primarily to send mass emails.

Hope this helps.

Best,
Keith
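The two mechanics Keith walks through above, the "username:password@host" trick and the gzip-encoded response that hides the redirect page, as an added Python example that is not part of the original exchange. It decomposes the URL quoted in the message exactly as a browser does, so the real host and the decoy text before the "@" are reported separately, and then parses and un-gzips a raw HTTP response so the redirect target can be read without a browser. The two HTTP responses and the page body in the block are constructed for the example (the real 200 response was chunked and its 354 gzip bytes are not reproduced in the message), the list of brand names to check is an assumption, and chunked transfer decoding is left out.

```python
"""Decompose a deceptive "userinfo" URL and decode a gzip-encoded HTTP response.

Added example: not Keith's code. SAMPLE_URL is the URL quoted in the message;
everything marked "constructed" below is sample data made up for this example.
"""
import gzip
from urllib.parse import urlsplit

# The phishing URL quoted in the message above.
SAMPLE_URL = (
    "http://www.earthlink.net:ac=a098832d19f03cc7cbe3c1248e071434a098832d19f03c43"
    "a098832d19f03cc7cbe3c1248e071434a098832d19f03cc7cbe3c1248e07143c7cbe3c1248e07143"
    "a098832d19f03cc7cbe3c1248e071434a098832d19f03cc7cbe3c1248e07143"
    "@a098832d19f03cc7cbe3c1248e071434a098832d19f03cc7cbe3c1248e07143.cc"
)

# Brands whose name appearing *before* the "@" is a red flag (assumption).
TRUSTED_BRANDS = ("earthlink.net",)


def decompose(url):
    """Split a URL the way the browser does: userinfo vs. the real host."""
    parts = urlsplit(url)
    return {
        "scheme": parts.scheme,
        "username": parts.username or "",   # text before the first ':' in userinfo
        "password": parts.password or "",   # text between ':' and '@'
        "host": (parts.hostname or "").lower(),  # what the request actually goes to
    }


def deception_findings(url, brands=TRUSTED_BRANDS):
    """Return human-readable reasons this URL may be trying to mislead the reader."""
    d = decompose(url)
    findings = []
    if d["username"] or d["password"]:
        findings.append("userinfo present: text before '@' is not the host")
    for brand in brands:
        looks_like_brand = brand in d["username"].lower()
        really_is_brand = d["host"] == brand or d["host"].endswith("." + brand)
        if looks_like_brand and not really_is_brand:
            findings.append(f"'{brand}' appears before '@' but the real host is {d['host']}")
    return findings


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, headers, decoded body).

    Header names are lower-cased; a gzip Content-Encoding is undone so the body
    is readable. Chunked transfer-encoding is not handled in this example.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    return status, headers, body


# Constructed responses modelled on the two quoted in the message.
RESPONSE_302 = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://fat32.host.sk/\r\n"
    b"Content-Type: text/html\r\n\r\n"
)
# Constructed page body: a plain meta-refresh to the second-hop page.
BODY_HTML = b'<meta http-equiv="refresh" content="0;url=http://fat32.host.sk/index2.htm">'
RESPONSE_200 = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Encoding: gzip\r\n\r\n" + gzip.compress(BODY_HTML)
)


if __name__ == "__main__":
    parts = decompose(SAMPLE_URL)
    print("shown as :", parts["username"])
    print("real host:", parts["host"])
    for f in deception_findings(SAMPLE_URL):
        print("finding  :", f)
    status, headers, body = parse_response(RESPONSE_302)
    print(status, "->", headers["location"])
    status, headers, body = parse_response(RESPONSE_200)
    print(status, "decoded body:", body.decode())
```

The point of keeping `decompose` separate from `deception_findings` is that the first is exactly the browser's own parse (Python's `urlsplit` applies the same userinfo rules), so any rule you add on top can be reasoned about against what the user would actually be sent to; the brand list is the only heuristic part.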