How social engineering and web technology go together

I spent a day chasing a network of sites which finally turned out to belong to one company only. Their common purpose was to get people to download their "free" access tool - a 0190 dialer.

www.firewall-admin.de - or how it started

On a Friday in November 2002 I ended up on the site firewall-admin.de (WARNING: 0190 dialer site). This is not really a surprise, as IT security is one of my topics at HDM. The content looked quite interesting at first glance - until I wondered about all these little flags. Turned out they were all links to 0190-dialer programs called "free Zugangstool", which means the download is free (of course) but their USE is anything but free.

I started looking around at the site and discovered that it belonged to a company with the name "hyro-mediaservice", owned by Joerg Dudzinski. So far so good. I started following some links from this page and looked at the legal info contained on those pages ("Impressum"). Turns out they ALL belonged to Mr. Dudzinski. By now I had not only discovered hacker sites like hackerspider - or better, sites that were supposed to attract would-be hackers. Other sites offered porn content or mobile phone ringtones etc.

And again and again the name Dudzinski appeared. Finally I went to Google and did a search on the name "Joerg Dudzinski". The result kind of blew me away. On 17 pages Google listed domain after domain owned by Mr. Dudzinski. Many sites had domain names ending in .cc or .ws.

Now it was time to do some investigating. I soon learned that a number of core sites referenced each other frequently. "hackerspider.de", piratos etc. were the most prominent ones. They all seemed to follow similar rules and - most important - offered the same dialer from webg... for download. So where do these dialers come from?

Turned out they all come from www.stardialer.de, developed by the company web.... in Germany.

And I noticed something else: clicking repeatedly on the same URL brought up different-looking homepages, like a round-robin scheme delivering a (slightly) different look and feel each time. That was when I learned about the "Partner Program".

The Partner Program franchise

Like a McDonald's franchise, you can link your own page into this network of dialer sites. It is called "Partner Program" and works like this: you are an aspiring new webmaster looking for attractive content to get "eyeballs". Hyro-mediaservice offers you a dialer with your own account ID. If your visitors download the dialer and use it to connect to your site, you will get a certain percentage of the profit (see picture of profit scale).

Sounds OK, until you notice that to participate you have to download some information first - of course by using a 0190 dialer (grin).

Right now I don't know if the webmasters are ripped off or part of the whole scam - perhaps both.

Why do I call it a scam?

Let's have a look at the information that visitors will receive after using the dialer. BTW: legal fees are - according to hyro-mediaservice - already deducted from your profits. And it looks like some dialers will now cost you a whopping 47 or 49 euro per call.

This is a file listing of the content one would be able to download through the dialer: picture of ftp directory. Remember: I did this little survey in November 2002. Practically all "hot" hacker software is rather old and also available for free. And: never in my life would I download and run stuff from such a site on my machines (see the capabilities vs. ACL discussion in Capabilities). But that is not all. There is still a good dose of social engineering waiting for us.

Social Engineering

Do I need to mention that many participating sites never mention the fact that they operate through dialer programs? In many cases there will be no sign of the amount charged per minute or call. Frequently the amount is printed in SILVER - a color that is very hard to read on screens. But perhaps the worst case of abuse is done through sites like alkoholikerinnen.de. Who do you think will go to this site? Would you expect a dialer-operated site under this URL? Do you think the special clientele of this site realizes what is going on?

Ok, but there is more to come yet.

Tracking users

Sometimes the sites I visited had problems displaying things (no wonder, given the browser I am using ;-), and I started looking at the source code. It was littered with JavaScript. Many functions opened new windows displaying content from participating sites. Some functions were used by a central tracking service called extremetracking.com.

It is worth looking at the services provided by this tracking service. Needless to say, ALL sites used the same tracking service.

The power of many sites

At that time I knew that many of the sites I had visited belonged to the same company or franchise. But it turned out that even the banner service belonged to Mr. Dudzinski. The effect of all these different sites referencing each other is simple and well known: It creates an aura of credibility as long as people do not realize that it is all controlled through one company.

But this is not the end yet. Think about the possibilities of interacting sites. Cross-site scripting is an attack technique where one site uses errors in the implementation of a different site to e.g. extract session cookies from that site. These session cookies are then abused. Usually cross-site scripting means finding errors in the implementation of sites. But what if all these sites BELONG TO YOU already?

Note

I have no evidence for intentional cross-site scripting attacks on this network yet. But there is an astonishing amount of JavaScript involved and I have not digested everything yet. At least web bugs are used permanently to track user behavior.
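As an added example (not from the original survey), a small Python audit of the kind that backs up the observations in "Tracking users" and in this note: it parses saved page source offline, lists the third-party hosts each page loads scripts and images from, counts 1x1 web bugs and inline handlers that call window.open, and reports which host every page in a set has in common. The sample pages and hostnames such as tracker.example are constructed placeholders, not the sites named in the article.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse


class ResourceCollector(HTMLParser):
    """Collects script/image sources and counts inline handlers that call window.open."""
    def __init__(self):
        super().__init__()
        self.sources, self.popups = [], 0   # (src, is_tiny_image) pairs

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.sources.append((a["src"], False))
        elif tag == "img" and a.get("src"):
            # a 0x0 or 1x1 image fetched from another host is the classic web bug
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            self.sources.append((a["src"], tiny))
        for name, value in attrs:
            if name.startswith("on") and value and "window.open" in value:
                self.popups += 1


def audit_page(site_host, html):
    """Returns (third-party hosts, web-bug count, popup-handler count) for one page."""
    p = ResourceCollector()
    p.feed(html)
    hosts, bugs = set(), 0
    for src, tiny in p.sources:
        h = urlparse(src).hostname
        if h and h != site_host:      # only resources pulled from other hosts count
            hosts.add(h)
            bugs += tiny
    return hosts, bugs, p.popups


def shared_trackers(pages):
    """Third-party hosts loaded by every site in pages ({host: html}): the common tracker."""
    counts = Counter()
    for host, html in pages.items():
        counts.update(audit_page(host, html)[0])
    return {h for h, n in counts.items() if n == len(pages)}


# Constructed sample pages (hostnames are placeholders, not the sites in the article).
PAGES = {
    "site-a.example": '<img src="http://tracker.example/t.gif" width="1" height="1">'
                      '<a href="#" onclick="window.open(\'http://site-b.example/\')">more</a>',
    "site-b.example": '<script src="http://tracker.example/t.js"></script><img src="/logo.png">',
    "site-c.example": '<script src="http://tracker.example/t.js"></script>'
                      '<img src="http://ads.example/p.gif" width="1" height="1">',
}
```

Running the audit over several pages of a network is what turns a single suspicious 1x1 image into evidence that one tracker sees every visitor to every site.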

The good guys

I would like to close this survey with a screenshot from the hyro-mediaservice homepage. Now aren't these really the good guys? No spam, no child porn.