A few days ago, after a week of non-stop spam referrers, I posted about spam referrers from the .ru ccTLD. Just moments ago, I saw this:

https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOP-fYZDzIBb0e7XLdU2Y1k3cEOZc0KHRHt8UbTaWi8F6ldv5nh0VlBAn3x-r8MX04o4vrquT4ZhRUcNJqU-DOoYHpG3XD8CU6_8adE5h7wYXq9V5WX5-IcuiZIaTIFXUxiQmo3Pq7rgY/s640/Blogger%2520Stats%2520spam%2520could%2520be%2520phishing%25202013-11-05--23%253A24%253A48.png

At first glance, although I was aware that the link was a WordPress login page, I didn’t think much of it. Then I realized that it could be used for a very bad purpose: phishing for logins and passwords.

Yes, the Stats page is on Blogger, but I am sure you have all had the experience of opening multiple tabs at the same time and then coming back to deal with each tab, one at a time. You might forget, or be totally unaware of, how a tab was opened. So, if you happen to have a WordPress account, even though the username field is empty, you might still enter your username and password without thinking too much. Then your login is stolen, and it would be too late to do anything but change all your passwords if you also use exactly the same password across sites.

Here are a few whois records:


$ whois neho.ru
% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).

domain: NEHO.RU
nserver: ns1.bilq.ru.
nserver: ns2.bilq.ru.
state: REGISTERED, DELEGATED, VERIFIED
person: Private Person
registrar: REGRU-REG-RIPN
admin-contact: http://www.reg.ru/whois/admin_contact
created: 2011.10.09
paid-till: 2014.10.09
free-date: 2014.11.09
source: TCI

Last updated on 2013.11.05 19:21:35 MSK

$ whois hesd.ru
% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).

domain: HESD.RU
nserver: ns1.bilq.ru.
nserver: ns2.bilq.ru.
state: REGISTERED, DELEGATED, VERIFIED
person: Private Person
registrar: REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created: 2010.12.24
paid-till: 2013.12.24
free-date: 2014.01.24
source: TCI

Last updated on 2013.11.05 19:21:35 MSK

$ whois hot-edu.ru
% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).

domain: HOT-EDU.RU
nserver: ns1.bilq.ru.
nserver: ns2.bilq.ru.
state: REGISTERED, DELEGATED, VERIFIED
person: Private Person
registrar: REGRU-REG-RIPN
admin-contact: http://www.reg.ru/whois/admin_contact
created: 2011.07.04
paid-till: 2014.07.04
free-date: 2014.08.04
source: TCI

Last updated on 2013.11.05 19:21:35 MSK
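All three records above list the same two nameservers, although the registrars differ. The following is an added example, not part of the original post: it parses RIPN-style whois output and groups domains by their nameserver set, which is a quick way to see whether a batch of spam referrer domains shares infrastructure and can be blocked or reported together. The function names are hypothetical, and `SAMPLE` is a trimmed copy of the records shown above.

```python
import re
from collections import defaultdict

# Trimmed copy of the three whois records shown above (only a few fields kept).
SAMPLE = """\
$ whois neho.ru
% By submitting a query to RIPN's Whois Service
domain: NEHO.RU
nserver: ns1.bilq.ru.
nserver: ns2.bilq.ru.
registrar: REGRU-REG-RIPN
Last updated on 2013.11.05 19:21:35 MSK
$ whois hesd.ru
domain: HESD.RU
nserver: ns1.bilq.ru.
nserver: ns2.bilq.ru.
registrar: REGGI-REG-RIPN
$ whois hot-edu.ru
domain: HOT-EDU.RU
nserver: ns1.bilq.ru.
nserver: ns2.bilq.ru.
registrar: REGRU-REG-RIPN
"""

def parse_records(text):
    """Split concatenated whois output into one {field: [values]} dict per domain."""
    records, current = [], None
    for line in text.splitlines():
        # Only "key: value" lines match; prompts, "%" notices, blank lines
        # and the "Last updated on ..." trailer are skipped.
        m = re.match(r"([A-Za-z-]+):\s*(.*)$", line.strip())
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "domain":  # a "domain:" line starts a new record
            current = defaultdict(list)
            records.append(current)
        if current is not None:
            # Normalise case and drop the trailing dot of fully qualified names.
            current[key].append(value.rstrip(".").lower())
    return records

def group_by_nameservers(records):
    """Map each distinct nameserver set to the domains delegated to it."""
    groups = defaultdict(list)
    for rec in records:
        groups[frozenset(rec["nserver"])].append(rec["domain"][0])
    return dict(groups)

if __name__ == "__main__":
    for ns, domains in group_by_nameservers(parse_records(SAMPLE)).items():
        print(sorted(ns), "->", domains)
```

The same functions work on the full, untrimmed `whois` output, since every line that is not a `key: value` pair is ignored.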

I looked around for the price of a .ru domain, but I am not sure how much it really costs; I saw prices ranging from 7 to some ridiculous amount of money. Even if it only costs 1 dollar, given the number of .ru domains I have seen in Stats, the sum isn’t a small number. Spamming isn’t cheap, I’d say.

Fortunately, I believe this spammer has no such intention of phishing, or hasn’t yet graduated from spamming school and moved on to phishing college: the WordPress site is set to Russian, probably a different language from the spam victim’s. Nonetheless, this is possible. Also, phishing isn’t the only thing that can do harm via spamming Blogger Stats; a virus or malware is also a possibility.

I no longer see Blogger Stats as just a useless feature, but as a potential bed of danger. But I don’t think Blogger really cares, or they would have done something about the spammers. I guess we will have to wait until there is a victim of phishing or malware for Blogger to start taking this Blogger Stats issue seriously.