Homebrew Discussion This LAN-play server is stealing your personal information

[5viki]

LAN-play server CYBERGATE CLUB (relay.it-cybergate.club:11451) is stealing your personal information with a method called "phishing"

Phishing (Wikipedia)
When I update the Master server list from Lan-Play GUI, Bitdefender blocks a phishing attempt from the address of the server, as you can see on the screenshot here
I'd advise you not to use this server if you don't want your info to be stolen

image link (if image doesn't work) https://imgur.com/a/txEr5UQ

 

[iriez]

What info is it going to steal? Your switches Mac address?

It's not like this server requires you to install software. It can't get anything other than what you feed it, which is just switch lan play data

 

[FMCore]

Yeah, you're gonna need to provide more information than just a screenshot of your anti-virus complaining about a phishing attempt. Which is most likely just a false positive.

Listen to the packets going out through wireshark, if you see anything suspicious going on, then take a screenshot and post it.

--------------------- MERGED ---------------------------

So, I did some basic digging,

it looks like the domain hxxp://it-cybergate.club (hxxp to ensure no one accidentally clicks it) is listed on some malware block lists, I'm looking into why this is the case but it may take some time.

Some info from the whois

Domain Name: it-cybergate.club
Registry Domain ID: DB32EE432BA1C4BC69CA61DE269FD3789-NSR
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2018-10-10T11:07:16Z
Creation Date: 2018-10-05T11:07:16Z
Registry Expiry Date: 2019-10-05T11:07:16Z
Registrar: NameCheap, Inc.
Registrar IANA ID: 1068
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.6613102107
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name:
Registrant Organization:
Registrant Street:
Registrant Street:
Registrant Street:
Registrant City:
Registrant State/Province: Panama
Registrant Postal Code:
Registrant Country: PA
Registrant Phone:
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Registry Admin ID:
Admin Name:
Admin Organization:
Admin Street:
Admin Street:
Admin Street:
Admin City:
Admin State/Province:
Admin Postal Code:
Admin Country:
Admin Phone:
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Registry Tech ID:
Tech Name:
Tech Organization:
Tech Street:
Tech Street:
Tech Street:
Tech City:
Tech State/Province:
Tech Postal Code:
Tech Country:
Tech Phone:
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Name Server: dns2.registrar-servers.com
Name Server: dns1.registrar-servers.com
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2018-12-20T16:10:48Z

Looks like the content on the website is just a landing page that you see when you first register a domain with NameCheap.

 

[Nycholas]

Just because your crappy AV shows something does NOT mean it's true. Every heard of a false positive?

 

[FMCore]

So to summarize,

relay-it-cybergate points to a server in Germany
it-cybergate (the main domain) points to an IP belonging to Namecheap (which might explain why it gets picked up by some antivirus blacklists)

The domain was registered in October of 2018

The IP hosting the relay server was at one point used to host an IRC network related to Nintendo Switch topics.

Bitdefender might be checking the main domain's IP instead of checking the sub-domain's IP and that would explain why it's getting blocked.

That or somehow the sub-domain's IP address ended up on Bitdefender's blacklist

 

[PiracyForTheMasses]

What info is it going to steal? Your switches Mac address?

It's not like this server requires you to install software. It can't get anything other than what you feed it, which is just switch lan play data

You obviously do not know what phishing is.

 

[TheRocK]

"stealing personal info"
"a method called Phishing"
Wikipedia Link to Phishing
Bitdefender Antivirus

 

[2Siralv]

Cybergate is a rat (remote admin tool) so running lanplay will exectue his server connecting ur pc as a zombie on his pc

 

[Bladexdsl]

should just pay to use the nintendo online no Fishing there

 

[antiNT]

should just pay to use the nintendo online no Fishing there

*phishing

 

[linuxares]

Bitdefender is fine, and they use machine learning. So it picks up the redirection to a IRC, that a shitload of trojans do so they become bots. So it's actually fine in this instance. I will lock this topic to not cause confusion.

EDIT: Also thanks @FMCore for the information