
Sunday 21 September 2014

Why is Mobiquant pretending to be Southampton Solent University?

I wrote about the French (or possibly Moroccan) IT security firm Mobiquant Technologies last year when their website was serving up an exploit kit, and they failed to respond to any attempts at communicating with them. Eventually (after several weeks) they woke up and fixed the problem, and then proceeded to mount a bizarre and highly personal attack on me.

I've kept a bit of an eye on them since then as there are several things that don't add up. One of them is a website they are running at mobiquantacademy.com. For some reason I cannot fathom, it appears to have been set up to spoof a site belonging to Southampton Solent University, an organisation that they do not seem to be affiliated with in any way.




It isn't a copy of the current Solent myCourse site; it seems to be a couple of years old. So it is a static copy, not a live mirror or anything of that sort.

The Mobiquant site prominently displays a login box:


A look at the HTML source [pastebin] shows that although there are plenty of references back to the solent.ac.uk domain, the part that handles processing the login is very much on the mobiquantacademy.com domain.

<form action="http://www.mobiquantacademy.com/login/index.php" method="post" id="login">
  <div class="loginform">
    <div class="form-label"><label for="username">Username</label></div>
    <div class="form-input">
      <input type="text" name="username" id="username" size="15" value="" />
    </div>
    <div class="clearer"><!-- --></div>
    <div class="form-label"><label for="password">Password</label></div>
    <div class="form-input">
      <input type="password" name="password" id="password" size="15" value="" />
      <input type="submit" id="loginbtn" value="Log in" />
    </div>
  </div>
  <div class="clearer"><!-- --></div>
  <div class="rememberpass">
    <input type="checkbox" name="rememberusername" id="rememberusername" value="1" />
    <label for="rememberusername">Remember username</label>
  </div>
  <div class="clearer"><!-- --></div>
  <div class="forgetpass"><a href="forgot_password.php">Forgotten your username or password?</a></div>
</form>


So, if a student found this site somehow and typed in their credentials, they would be processed by a PHP script on the mobiquantacademy.com site. That's a bit peculiar, isn't it? You might think that this was a security risk, which is an odd thing for an IT security firm to be doing.
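The tell-tale pattern here is a page whose stylesheets, scripts and images all point at one domain while its password form posts to another. As an added example (not code from the original post or from either organisation), the following Python check flags exactly that; the sample HTML is constructed to mirror the form above and the page URL is hypothetical.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: a page that references solent.ac.uk resources everywhere
# except in the login form, which posts to mobiquantacademy.com (hypothetical URL).
PAGE_URL = "http://mycourse.solent.ac.uk/login/index.php"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://mycourse.solent.ac.uk/theme/styles.css">
<script src="http://mycourse.solent.ac.uk/lib/javascript.js"></script>
</head><body><img src="http://mycourse.solent.ac.uk/pix/logo.png">
<form action="http://www.mobiquantacademy.com/login/index.php" method="post" id="login">
  <input type="text" name="username" id="username">
  <input type="password" name="password" id="password">
  <input type="submit" id="loginbtn" value="Log in">
</form></body></html>"""

def host_of(url, base):
    # Resolve relative URLs against the page URL, then take the host.
    return (urlparse(urljoin(base, url)).hostname or "").lower()

class FormAuditor(HTMLParser):
    """Records resource hosts and where each password form submits."""
    def __init__(self, base):
        super().__init__()
        self.base, self.resource_hosts, self.forms, self._form = base, Counter(), [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("link", "script", "img", "a") and (a.get("href") or a.get("src")):
            self.resource_hosts[host_of(a.get("href") or a.get("src"), self.base)] += 1
        elif tag == "form":
            self._form = {"host": host_of(a.get("action") or "", self.base), "password": False}
        elif tag == "input" and self._form and a.get("type") == "password":
            self._form["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form:
            self.forms.append(self._form)
            self._form = None

def offsite_password_forms(html, page_url):
    """Hosts of password forms posting to neither the page's host nor its dominant resource host."""
    p = FormAuditor(page_url)
    p.feed(html)
    trusted = {host_of("", page_url)}
    if p.resource_hosts:
        trusted.add(p.resource_hosts.most_common(1)[0][0])
    return [f["host"] for f in p.forms if f["password"] and f["host"] not in trusted]
```

The comparison is deliberately on exact hostnames; a production check would compare registrable domains via a public-suffix list so that a legitimate login.example.ac.uk is not flagged for a page on www.example.ac.uk.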

So perhaps this is some sort of configuration error? I have certainly seen cases where misconfigured webservers serve up the wrong website. However, there are several reasons why this isn't the case. Solent host their websites in their own IP address range of 194.81.144.0 - 194.81.159.255. www.mobiquantacademy.com is hiding behind a Cloudflare IP address, but plain old mobiquantacademy.com (without the www) is hosted on the real IP address of 192.163.241.167, which also hosts a number of sites that clearly link the domain with Mobiquant:

mseclabs.com
mail.mseclabs.com
secotnow.com
tripteek.com
clouderya.com
djmisterz.com
mail.djmisterz.com
mobiquant.com
www.mobiquant.com
mail.mobiquant.com
com1agency.com
mobiquantacademy.com
mobilesecurityfirst.com
ns1.mobilesecurityfirst.com
ns2.mobilesecurityfirst.com
securityinternetofthings.com


As I found before with Mobiquant's main mobiquant.com domain, the WHOIS details for mobiquantacademy.com are completely fake.

Registrant Name: ALEXANDRA MEYER
Registrant Organization: FORTESIA
Registrant Street: 33
Registrant Street: KNIGHTSBRIDGE RD
Registrant City: PISCATAWAY
Registrant State/Province: NJ
Registrant Postal Code: 08854
Registrant Country: US
Registrant Phone: +1.3477481090
Registrant Phone Ext:
Registrant Fax: +1.5555555555
Registrant Fax Ext:
Registrant Email: adds31@gmail.com
Registry Admin ID: 


This isn't the first set of fake WHOIS details they have supplied for the domain. When I complained to their registrar and host that they were using fake details, they briefly removed the spoof Solent site and changed their WHOIS details from:

Registry Registrant ID:
Registrant Name: INTERNET GROUP
Registrant Organization: HOSTING JEWEL
Registrant Street: 7
Registrant Street: CHEVAL PLACE
Registrant City: LONDON
Registrant State/Province: LD
Registrant Postal Code: S6SDJ7
Registrant Country: GB
Registrant Phone: +44.2077776588
Registrant Phone Ext:
Registrant Fax: +1.5555555555
Registrant Fax Ext:
Registrant Email: ADDS31@GMAIL.COM
Registry Admin ID: 


The fact that the spoof Solent site was removed and then re-added looks rather strange in my personal opinion. Namecheap (the registrar) confirmed that the content had been removed, but now it is back.

Another thing that makes this look like a deliberate act is the way that the mobiquantacademy.com website is explicitly referred to in the HTML source code for the login handler, which means that the code was altered deliberately. If the site had somehow been accidentally mirrored, it would not contain that explicit reference.

Neither Mobiquant's websites nor Solent's website has any reference to the other party. A Google search of the two parties does not show any relationship, apart from Mobiquant's copy of Solent's site. I cannot see any legitimate reason why Mobiquant would be running a site that asks for the credentials of Solent students.

So what is this site for? I leave you to draw your own conclusions.

UPDATE: Mobiquant must be keeping track of my blog or my Tweets as they have now deleted the site.


However, if you wish to analyse a copy of the site yourself you can download a ZIPped copy from here.
