Hi all,
as you may already know, cyber criminals find different ways to infect computers and steal sensitive information, which they later use for their bad purposes. This time, on Facebook, I stumbled upon a League of Legends themed scam. They “offer” free Riot Points. Let’s have a look then.
http://img337.imageshack.us/img337/1958/20120815201908.png
As you can see, it’s just a programme written in Visual Basic.
It looks legit, doesn’t it?
What were my first thoughts? It’s just a programme that sends your username/password to someone. I was right.
Let’s see what happens when you press the button “Press Here For RP”.
http://img214.imageshack.us/img214/9189/20120815202617.png
As you can see, when you press this button, some strange network actions are being taken.
But really, what is it? I don’t understand a thing; that’s because the packets are encrypted.
So where is my info sent?
Luckily, the author was an amateur; he didn’t remove several pieces of debug information, etc.
http://img715.imageshack.us/img715/4447/20120815203137.png
As you can see, he’s using the smtp.gmail client to receive the logs. By the way, I am not so bad as to publish his e-mail; I will tell you later why.
I do understand that this is something only a Script-kiddie would show.
Let’s dive into a real debugger and grab more information about the author.
http://img502.imageshack.us/img502/1041/20120812202150.png
Ohhh yea, we strike back at the “hacker” now.
His password is 59347763.
As you can see, he only wants Textbox.1, which is obviously your username, and textbox.2, which is your password.
The subject of the email should be the victim’s username and the body the password.
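As an added example (not part of the original post or of the analysed program): a small static triage in Python that pulls ASCII and UTF-16LE strings out of a file and flags the combination seen here, mail-sending strings such as smtp.gmail next to form-field names. The indicator patterns other than smtp.gmail, the `TextBoxN` control names and the sample bytes are assumptions constructed for illustration.

```python
import re

# "smtp.gmail" is the string the post found in the binary. The other patterns
# are assumptions: real .NET mail class names and default TextBoxN control names.
INDICATORS = {
    "smtp_host": re.compile(r"smtp\.[a-z0-9.-]+\.[a-z]{2,}", re.I),
    "mail_api": re.compile(r"System\.Net\.Mail|SmtpClient|NetworkCredential"),
    "form_field": re.compile(r"TextBox\d+", re.I),
    "email_addr": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
}
ASCII_RUN = re.compile(rb"[\x20-\x7e]{5,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){5,}")


def extract_strings(data: bytes):
    """Yield printable strings stored as ASCII or as UTF-16LE."""
    for m in ASCII_RUN.finditer(data):
        yield m.group().decode("ascii")
    for m in UTF16_RUN.finditer(data):
        yield m.group().decode("utf-16-le")


def triage(data: bytes) -> dict:
    """Map each indicator name to the set of matching strings found in data."""
    hits = {name: set() for name in INDICATORS}
    for s in extract_strings(data):
        for name, rx in INDICATORS.items():
            hits[name].update(m.group() for m in rx.finditer(s))
    return hits


def looks_like_mail_stealer(hits: dict) -> bool:
    """True when form-field names appear alongside mail-sending strings."""
    sends_mail = bool(hits["smtp_host"] or hits["mail_api"])
    return sends_mail and bool(hits["form_field"])


# Constructed bytes standing in for a binary; not taken from the real file.
SAMPLE = b"\x00\x00".join([
    b"MZ\x90", b"System.Net.Mail", b"SmtpClient", b"NetworkCredential",
    "smtp.gmail.com".encode("utf-16-le"),
    "collector@example.com".encode("utf-16-le"),
    b"TextBox1", b"TextBox2",
])

if __name__ == "__main__":
    result = triage(SAMPLE)
    for name, values in result.items():
        print(f"{name}: {sorted(values)}")
    print("suspicious:", looks_like_mail_stealer(result))
```

A hit from this check is only a reason to look closer; a login form that also carries SMTP strings is unusual for a game utility, but it is not proof of theft on its own.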
Using Google, I was able to find even more information about the author.
He got the idea of creating a phishing application when he saw a tutorial on YouTube.
He’s seeking help and he gave his email to contact him.
http://img99.imageshack.us/img99/6405/20120815204617.png
http://img10.imageshack.us/img10/825/20120815204851.png
What literally shocked me is that he’s only 15 years old and he comes from Greece, from my country.
Here he wants to buy a “Spy Recording Camera”.
http://img15.imageshack.us/img15/7376/20120815205118.png
What great times we live in: even a 15-year-old kid can create his own phishing application and start stealing information, just from a simple tutorial.
There’s too much freedom on the internet, or what?
Since he is only 15 years old (we are the same age), I don’t want to ruin his life, and that’s why I didn’t show you his email.
I logged into his Gmail and deleted all the logs; I also warned him that next time I won’t be that good.
BTW, the application is not malicious by itself; it should be detected as PUP.
https://www.virustotal.com/file/77186a0df7e1e33e619e1f0bc1491cf975749d378111cd72e2b4d883dfc2a9b3/analysis/
I just wanted to show you how easy it is nowadays to create your own phishing programme and start stealing credentials.
Stay safe.
Philip,
Regards.