Anyone heard of final-flights.com?

Status
Not open for further replies.
Thank you for the update, Red Roo. Hope you were able to pass on lots of good information to the authorities :D

Hope they get their man (men) :cool:
 
Well, now that the site has been taken down (mind you, check out finalflights dot com for a different experience altogether! :shock: ), and this thread has made the weekly email, can someone tell those of us a bit slower to catch on what the web site was purporting to provide?

(:idea: I didn't quite go through all 15 pages of postings!)
 
I just did a quick ABN search - yes it exists, but the location and the phone numbers don't match. If you are based in Eight Mile Plains, why is your fax going to somewhere north of the Sunshine Coast?
It is also a new business. I would be highly dubious as they say they have been doing this for 3 years, yet the company was only registered in March last year. Also, the format of the webpage is template-based, vs custom-built - again ringing some bells for me.
Finally, their twitter link suggests that they are @qftravelinsider which would suggest they are part of Qantas, which they obviously aren't given their ABN.
Happy to be proven wrong, but too good to be true IMHO.
Taez
I just tried to log on and all it came up with was "forbidden site" so don't know what is going on.
 
Well, now that the site has been taken down (mind you, check out finalflights dot com for a different experience altogether! :shock: ), and this thread has made the weekly email, can someone tell those of us a bit slower to catch on what the web site was purporting to provide?

(:idea: I didn't quite go through all 15 pages of postings!)

Cheap Tickets that are issued prior to you paying for them!
 
This has been a very interesting few minutes - reading 15 pages of comments. Highly instructive and I'm amazed at the skills/knowledge of some of the authors. Go AFF!!
 
It's terribly frustrating discovering this thread today after all the fun has been had... taking down internet scammers has become somewhat of a hobby of mine after my parents were scammed by a shady business.

Kudos to all the well informed and skilled members for unleashing our arsenal of registration checks, internet know-how, airline knowledge and "1337 5killz" against the dodgy people.
 
If you click on the link in Red Roo's post, the site still comes up (8.42pm 15/4/11) so not sure why people are saying it has been taken down??

Has he put it up again with a different hosting company perhaps?

Maybe we haven't heard the last word on this.
 
Hmmm my anti-virus blocks the page now when I try to go to it!

Says it's infected with some virus... :shock:
 
Yep, site is now back up. Seems to be the same hosting company as before, and the registration details are still the same.
 
Hmmm my anti-virus blocks the page now when I try to go to it!

Says it's infected with some virus... :shock:

Yep, I suggest people keep away from that site at the moment.

The Webpage contains what is known as an Iframe, which loads a very suspicious page from the domain cheapotickets.org

Still analysing what it does, and whether it is malicious or not ... but not a good idea to be looking yourself!
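
A way to check a saved copy of a page for the kind of third-party iframe described in this post, without opening it in a browser (an added example, not part of the original thread; the hosts, the sample markup and the `audit_frames` helper are constructed for illustration):

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
import re

# Inline style fragments that make a frame invisible to the visitor.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:width|height)\s*:\s*0", re.I)


class FrameAuditor(HTMLParser):
    """Collect <iframe>/<frame> elements that load from another host."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = (urlparse(page_url).hostname or "").lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "frame"):
            return
        a = {k: (v or "") for k, v in attrs}
        # Resolve relative and protocol-relative sources against the page URL.
        src = urljoin(self.page_url, a.get("src", "").strip())
        host = (urlparse(src).hostname or "").lower()
        if not host or host == self.page_host:
            return  # same-host or source-less frames are not reported
        tiny = any(a.get(d, "").strip() in ("0", "1", "0px", "1px")
                   for d in ("width", "height"))
        hidden = tiny or bool(HIDDEN_STYLE.search(a.get("style", "")))
        self.findings.append({"src": src, "host": host, "hidden": hidden})


def audit_frames(html, page_url):
    """Return one finding per frame that loads from a host other than the page's."""
    auditor = FrameAuditor(page_url)
    auditor.feed(html)
    return auditor.findings


# Constructed sample page (placeholder hosts, not the markup from the thread).
SAMPLE = """<html><body><h1>Cheap flights</h1>
<iframe src="/widgets/search.html" width="400" height="200"></iframe>
<IFRAME SRC="http://frames.example.net/in.php?a=1" width="1" height="1"></IFRAME>
<iframe src="//video.example.org/embed/42" width="560" height="315"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in audit_frames(SAMPLE, "http://shop.example.com/index.html"):
        print("HIDDEN " if f["hidden"] else "visible", f["host"], f["src"])
```

A frame that is both off-site and hidden is the combination worth escalating; visible off-site frames are usually legitimate embeds and need only an allow-list check.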
 
Yep, I suggest people keep away from that site at the moment.

The Webpage contains what is known as an Iframe, which loads a very suspicious page from the domain cheapotickets.org

Still analysing what it does, and whether it is malicious or not ... but not a good idea to be looking yourself!

Hmmm. 188k of interestingly encoded content. Very suss but I'm too stuffed to try to decode it.

Richard
 
Hmmm. 188k of interestingly encoded content. Very suss but I'm too stuffed to try to decode it.

Yeah... likewise. All I know so far is that it attempts to use MS10-042 to attempt to launch Help'n'support with another encoded set of data.
Still trying to determine what the next step is!
 
Yeah... likewise. All I know so far is that it attempts to use MS10-042 to attempt to launch Help'n'support with another encoded set of data.
Still trying to determine what the next step is!

Please share when you've done that. Not exactly zero-day but would be very effective on unpatched systems running old IE.

Richard.
 

Time to boot up the old laptop and see what happens with no protection :mrgreen:


These days we do it in Virtual Boxes on servers somewhere in the cloud, but yours sounds a lot cheaper! I must remember to bring this up at the next department meeting!
 
Please share when you've done that. Not exactly zero-day but would be very effective on unpatched systems running old IE.

Nothing scientific, but I think I've chased that little rabbit through the various rabbit holes.

End result is the download (and running) of an Executable from cheapotickets.org (VT report): VirusTotal - Free Online Virus, Malware and URL Scanner

File itself seems to drop extensions for Firefox and also installs itself as a Browser Helper in IE. Presume it's adware/search hijack/fake AV type program.


It's a pretty old vulnerability, and most people should be patched for it.

Took me a long time tonight as I haven't done analysis like that for a while, and it really wasn't my highest priority on a Friday night!!
 