Tuesday 5 October 2010

Long lost friends asking you to do IQ tests? Just say NO!

Started noticing a trend where people I've not spoken to in years, seemingly limited to Yahoo! Messenger so far, message me saying I should go do an IQ test whilst they go have a shower.

I figured something was afoot, and sure enough by the third or fourth time I'd figured out the pattern...
(05:09:41) Bot: hey its been a long time :p
(05:10:44) Me: Don't tell me.. you want me to do an IQ test?
(05:11:01) Bot: I just took an IQ test here.. pretty cool :P
(05:11:10) Me: You got 113, right?
(05:11:30) Bot: got a 113 lol... I thought I was smarter than that
(05:11:46) Me: I'm thinking your next comment will be the link?
(05:12:07) Bot: its http://iqscorechallenger.com/?invitecode=..........
(05:12:20) Me: Thought so.. I reckon you're full of shit to be honest
(05:12:44) Bot: you should see if you can do better than me... if you can ill buy you a drink
(05:12:59) Me: Mrrmm.. alcohol.. I'd need a lot of that to fall for this :)
(05:13:20) Bot: try it... http://iqscorecalc.com/?invitecode=.......... I bet you cant lol
(05:13:32) Me: I'm waiting for the comment that says you have to go and you'll be right back..
(05:13:40) Me: Funny how that link changed..
(05:13:45) Bot: take it now while I take a shower lol
(05:13:52) Me: ... and there we go :)
(05:14:07) Bot: ill be back in a few after im all fresh
(05:14:19) Me: Sure... with a new script... I wonder how long it is :)
(05:14:36) Bot: brb, let me know your score when im back!
(05:14:47) Me: Hrrmm.. must be getting towards the end of it..

Appears to be a very unintelligent, automated process that simply spews forth the same script on a timed basis with different URLs with different ID codes pointing to the same IP address, listed as part of a Russian range, registered to an address in the Seychelles. Oh, and who puts a smiley in the description of a AS number/route?

$ host iqscorechallenger.com
iqscorechallenger.com has address
$ host iqscorecalc.com
iqscorecalc.com has address
$ host domain name pointer 2x4u175.2x4.ru.
$ whois
% This is the RIPE Database query service.
% The objects are in RPSL format.
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: This output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to ' -'

inetnum: -
netname:        NET-2X4
descr:          2x4.ru network
country:        RU
admin-c:        UDF667-RIPE
tech-c:         UDF667-RIPE
status:         ASSIGNED PA
mnt-by:         RU-WEBALTA-MNT
source:         RIPE # Filtered

person:         Pavel Ivanov
address:        Sound & Vision House, Francis Rachel Str.
address:        Victoria, Mahe, Seychelles
remarks:        ***************************************
remarks:        Virtual and shared hosting, Windows Linux FreeBSD
remarks:        Virtual private Servers (VPS/VDS), Dedicated Servers
remarks:        Protected managed hosting solutions, DDOS protection systems
remarks:        Satellite CPC/VSAT telecomunications
remarks:        Wireless links services.
remarks:        English and Russian Sales contact: ICQ 758291
remarks:        ***************************************
abuse-mailbox:  abuse@2x4.ru
remarks:        West Europe customers office & NOC
phone:          +44 20 3286 6617
remarks:        East Europe customers office & NOC
phone:          +7 495 657-90-57
mnt-by:         IDEAL-MNT
nic-hdl:        UDF667-RIPE
source:         RIPE # Filtered

% Information related to ''

descr:          Wahome IP's =)
origin:         AS41947
mnt-by:         RU-WEBALTA-MNT
mnt-routes:     GIGABASE-MNT
mnt-routes:     RU-WEBALTA-MNT
source:         RIPE # Filtered

I decided to follow one of the links... from a text only browser that doesn't support scripting! Enter.. elinks!

If you attempt to load a URL without a valid ID code, it'll return a 404 (Not Found error) advising you that the page doesn't exist. Give it a valid code and you immediately get redirected to another page:

IQ Friend Challenge
Refresh: http://spacetrk.com/aff_c?offer_id=74&aff_id=60

If you view the source of the page, you'll see there's some framesets at work:
<!-- make <3, not war -->
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd">
<title>IQ Friend Challenge</title>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<script type="text/javascript">
setInterval("window.status='';", 50);
<frameset cols="100%,0%">
<frame marginwidth=0 marginheight=0 frameborder=0 name="topframe" src="/index.php?test=ff27fb0739&redirect=1" noresize>
<frame id="waitframe" name="waitframe" src="wait.php?n=0">

... and a sense of humour.. Make love not war?

Anyway, spacetrk.com page then redirects off to affiliate.a4dtracker.com which then advises that www.test-my-iq.net/au/?p_id=..... can't be found. Awww, and I so wanted some half ar...baked website to make some stab in the dark as to what my IQ is :(...

No doubt if I'd used a more modern browser I would have been hit by some drive-by download.

The moral of the story here, folks, is not to click on anything that doesn't sound right. If someone appears out of the blue to get you to click on something and then has to vanish conveniently, something is NOT RIGHT.


  1. Noticed the same fishy thing goin' on here too.. I instantly didn't trust, seeing as this person hasn't been on for years, also when they did get on about 2 months ago they just spewed useless 'check out this pic' links. Put on firefox's 'noscript' and went strait to 404 page.. Funny to see the script almost exactly the same.. It was however on MSN instead of yahoo.

    I laughed when I pulled up a whois of the link
    (whatsthisiq.com) and the address it gave was of an italian food place in CA.

    did a ping, snagged the IP and did a quick google search of it.. this is what came up.

    Anyways, glad to know that not everyone is a moron.


  2. i just got this, too! i got suspicious though when my "friend" didn't seem to be taking any hints and refused to answer me in our language (i'm from asia). would i have gotten a virus or something if i had been to stupid enough to click on the link?

  3. Well unfortunately I klick, but nothing happend, just 404. Then I became suspicious too, pinged the IP, googled and here I am.
    The bot even knows German xD
    Did anyone find out what's behind this?!

  4. haha this is what just happened to me! my friend i havn't talkedto in about two years just random MSN messaged me saying "hi!" hmm... this is weird... haha then that exact conversation came up. i thought it was hilarious. i really wanna know who started this!!

  5. Got the same from a "friend" a few months ago, when I received the same chat sequence from her three times, and "she" would not answer any questions that would identify her, I emailed her and she got back, thanking me and telling me she had been hit with a virus.

  6. the latest method is the "you have received an e-card from a secret admirer e-mail

  7. Hey Robert,

    Yeah, they'll come up with a new method - the emails I must admit I delete within maybe 2 seconds of reading the first sentence.. the problem with the IQ test one was that unlike emails it wasn't relying on spoofing an email (trivial) but upon hijacking people's IM accounts so the messages were being actually sent with authenticated accounts.

    Expect to see spim (Instant message spam) to take the fore more and more. That's not to say that newsgroups don't get spam anymore (everyone remember usenet/nntp?).

    Actually nntp leads onto another issue. How 'social' websites are slowly seeking to replace various protocols with their own closed, bundled experiences.

    SMTP, NNTP, IRC - on one hand, a lot of websites give a more cohesive experience than individual clients or even the multi-protocol ones could ever... but at the cost of choice. Definitely a post there :)

    Facebook allowing XMPP connectivity for chat is interesting - but as far as I can tell, Facebook isn't configured for federation.. another post in that too I reckon :)

  8. I had a friend doing this just now, and after being suspicious, I opened the link. Of course a few things were done pre-emptivly. I fired up malwarebytes and got my antivirus's browser sheild up and watched its status. When the link was clicked the only thing that changed was my browsing history, I checked the source code, and it was empty. 0kbs. Weird huh? I even commented at her with "Dude, you have a very fail virus" and she replied back with "lol no dont doubt me"


Hey... thanks for leaving a comment! Due to Casino spam, I've had to turn on moderation for some of the posts. Apologies - I do read every comment left!