Investigating the “New video message received” calls on Skype
I’ve gotten called plenty of times before with the “New video message received” calls on Skype, and I wanted to shine a light on who must be doing this.
I took about five samples of calls I recently got on Skype, to see where they traced back to using Skypegrab and Hanz Resolver.
I recently got called by a32608871426737, and using Skypegrab/Hanz Resolver it traced to 62.210.140.237 and 62.210.214.173. That traces to Online S.A.S, a hosting company based in France.
Yet, the story gets weirder. With older contacts, IPs couldn’t be resolved, but some did resolve using Skypegrab (Hanz returned an error on all). a168362703228580 called me around 1-2 weeks ago, and the IPs resolve to 213.199.179.143 and 157.55.235.143. Doing an IP resolve reveals…213.199.179.143 tracing to Microsoft in Dublin, and 157.55.235.143 resolving to Microsoft in Redmond? What?
Here’s my possible explanation for that. Since people likely report these accounts for abuse, Microsoft claims them, and when they go online again (the process of the account being claimed), it resolves to Microsoft’s IPs. Or Microsoft is doing this, but that’s unlikely.
I’ll keep on monitoring a32608871426737 with updates; however, I have reported an abuse complaint to Online S.A.S already.
And now for the websites that they tell us to go to. Those are skysrs.com, skyspw.com, skyvsp.com, skyssp.com, skyvmv.com, skyvsr.com, skyvst.com, and many more.
Doing a whois lookup on these domains reveals a few things. First, there is whois protection; however, we can confirm that their domain registrar is Internet Domain Service BS Corp (internetbs.net). Heading to this site reveals that they are a cheap registrar (at $8.48 a month, it’s the same as Namecheap, yet they likely don’t have great abuse protection). Their whois privacy company is whoisprivacycorp.com. Yet, none of their websites work! Nothing! Even on the call I got about 30 minutes ago (from writing this post). However, I do know that they use topdns.com as their DNS service. Going to their site reveals nothing, a hidden site. Modifying the style reveals sponsors, nothing much, and no contact. This is probably why their site has gone down…lol.
I have contacted internetbs.net about the skyxxx domains, whoisprivacycorp.com for the skyxxx domains, and I have directly contacted the owner of all the domains I have been directed to go to in the past month or two.
It’s really stupid how Microsoft hasn’t blocked contacts filtered by “a”, then numbers at a certain length. It’s been ongoing for about a year now, and it’s dumb. Real dumb.
Stay tuned to this post, as I’ll be posting updates on a326, Online SAS’ response to the abuse complaint, internetbs.net abuse complaint, whoisprivacycorp.com abuse complaint, and directly contacting the owner of the sites.
UPDATE (11/29/2015): internetbs.net mailed me back about the abuse, nothing done. I got called around 3 times since the original post, redirecting to skyvpv.com, which is up. Hosting provider is OVH SAS in Warsaw, Poland (IP is 87.98.233.139). It also seems like topdns is back online, with the nameservers of skyvpv.com going to ns-uk.topdns.com (77.247.183.137), ns-canada.topdns.com (109.201.142.225), and ns-usa.topdns.com (108.61.12.163). Hosting providers for their DNS via Topdns are Choopa, LLC for the US, and NForce Entertainment B.V. for the UK and Canada. I have also submitted an abuse complaint to OVH SAS for the IP 87.98.233.139.
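The filter the post wishes existed, sketched as an added example (not the author's code and not anything Skype provides). The two patterns are assumptions generalised from the caller IDs and domains quoted above, and the sample events are constructed; a pattern-only match goes to review rather than block because ordinary domains such as skynet.com also fit "sky" plus three letters.

```python
import re

# Assumptions generalised from the post's samples: caller IDs are "a" plus
# 14-15 digits; landing domains are "sky" + three letters + ".com".
CALLER_RE = re.compile(r"a\d{14,15}")
DOMAIN_RE = re.compile(r"\bsky[a-z]{3}\.com\b", re.IGNORECASE)

# Domains named in the post, used as an exact-match list.
KNOWN_DOMAINS = {"skysrs.com", "skyspw.com", "skyvsp.com", "skyssp.com",
                 "skyvmv.com", "skyvsr.com", "skyvst.com", "skyvpv.com"}

def score_event(caller, text):
    """Return (verdict, reasons) for one inbound call or message."""
    reasons = []
    if CALLER_RE.fullmatch(caller):
        reasons.append("caller-pattern")
    domains = {d.lower() for d in DOMAIN_RE.findall(text)}
    if domains & KNOWN_DOMAINS:
        reasons.append("known-domain")
    elif domains:
        reasons.append("domain-pattern")
    # Block on a listed domain, or on two independent signals together;
    # a single pattern hit is only worth a human look.
    if "known-domain" in reasons or len(reasons) > 1:
        return "block", reasons
    return ("review" if reasons else "allow"), reasons

def triage(events):
    """Map each caller to its verdict for a list of (caller, text) events."""
    return {caller: score_event(caller, text)[0] for caller, text in events}

# Constructed sample events: caller IDs and skyvpv.com come from the post,
# everything else is made up for the demonstration.
SAMPLE_EVENTS = [
    ("a32608871426737", "New video message received, view at skyvpv.com"),
    ("a168362703228580", "New video message received: http://skyabc.com/"),
    ("alice.example", "did you read the skynet.com article?"),
    ("bob.example", "lunch?"),
]

if __name__ == "__main__":
    for caller, verdict in triage(SAMPLE_EVENTS).items():
        print(f"{caller:18} {verdict}")
```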