

March 04, 2005


If you've ever wondered why the Internet is cluttered with over a million zombie PCs, here's a lesson for you and your mother.

One of today's spam suspects had the Subject: line "Complete your registration!" and the From: field said "BestHyip Forum." In my quick scan of this info, I didn't associate "Hyip" with its well-worn acronym for "high-yield investment program"—frequently associated with the schemes that guarantee a 1000% return on your money before breakfast.

I did see the "forum" part, and thought at first that this message might be a confirmation message for a legitimate online forum. Indeed, checking the body of the message in the source code, I found the typical confirmed opt-in message ("Thank you for registering blah blah. Before we can activate your account blah blah."). Although I know I hadn't signed up for this forum, I figured the forum registration software got a spam or virus message with my email address forged in the From: field. While I don't like getting automated responses to stuff I didn't send, I'd sooner receive a confirmed opt-in blockade message than having my address blindly registered to some crap I don't want to get. At least if I ignore a confirmed opt-in confirmation (which requires me to click on a coded URL to confirm my registration), that will be the end of it.

But a few things got my nose twitching about this message as I started safely looking at its source code (Spam Wars readers know how to do this). In particular:

  • The return address associated with the "BestHyip Forum" in the From: field was a gibberish user name at yahoo.com, while the forum appeared to have its own domain (i.e., this was not a Yahoo Group).
  • The message entered the Internet email system from a server in Japan, while the forum's domain is both hosted and registered (plus or minus bogus domain registration) in Texas.
  • If I had been viewing the message in the regular email view, I would not have seen that the forum's link text was disguising the true destination, a numeric IP address. That IP address was not the same as the forum's, and was hosted in a different state.
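The three checks in that list can be automated against a message's raw source. The script below is an added example, not code from the post or from the Spam Wars book; it runs over a constructed sample message (every address, domain and IP in it is invented, using reserved test ranges) that carries the same inconsistencies: a free-webmail return address on a mail that claims to come from a forum with its own domain, a first Received: hop whose host name has nothing to do with that forum, and an anchor whose visible URL hides a bare-IP href. The geographic comparison (Japan versus Texas) needs a whois or GeoIP lookup, so the code only extracts the injection-point host and IP for that lookup; the `FREEMAIL` set and the two-label "registered domain" guess are simplifications I assumed for the example.

```python
import email
import ipaddress
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (NOT the spam from the post). Everything in it is
# invented; the IPs come from the RFC 5737 documentation ranges.
SAMPLE = b"""\
Received: from mail.example-forum.test (unknown [203.0.113.7])
\tby mx.recipient.test with ESMTP id k3Z9; Fri, 4 Mar 2005 01:00:00 -0800
From: "BestHyip Forum" <qx7zt9lkp@yahoo.com>
To: reader@recipient.test
Subject: Complete your registration!
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Thank you for registering. Before we can activate your account,
please confirm your registration by clicking the link below.</p>
<a href="http://198.51.100.23/confirm.php?id=4471">http://www.besthyip-forum.test/confirm</a>
</body></html>
"""

# Assumed list of free webmail domains: a forum with its own domain that sends
# confirmations from one of these is the first smell the post points at.
FREEMAIL = {"yahoo.com", "hotmail.com", "gmail.com", "aol.com"}
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
LOOKS_LIKE_URL = re.compile(r"(?i)^(https?://|www\.)")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Host part of a URL; bare 'www.x.y' text is treated as http://www.x.y."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def _registered(host):
    """Crude registrable-domain guess (last two labels); assumed for the example."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_numeric_host(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def injection_point(raw):
    """(claimed host, IP) of the bottom-most Received: hop, i.e. where the
    message entered the mail system. Feed the IP to whois/GeoIP afterwards."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = msg.get_all("received") or []
    if not hops:
        return ("", "")
    first_hop = str(hops[-1])          # headers are prepended, so last = first hop
    host = re.match(r"from\s+(\S+)", first_hop)
    ip = IP_IN_BRACKETS.search(first_hop)
    return (host.group(1).lower() if host else "", ip.group(1) if ip else "")


def analyze(raw):
    """Return (code, detail) findings for one raw message, mirroring the post's checks."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings, claimed = [], set()      # claimed = domains shown to the reader
    sender = msg["from"].addresses[0]
    sender_domain = sender.domain.lower()

    # Check 3: does the visible link text match where the href really goes?
    collector = _LinkCollector()
    collector.feed(msg.get_body(preferencelist=("html",)).get_content())
    for href, text in collector.links:
        href_host = _host(href)
        if is_numeric_host(href_host):
            findings.append(("NUMERIC_IP_LINK", href))
        if LOOKS_LIKE_URL.match(text):
            claimed.add(_registered(_host(text)))
            if _host(text) != href_host:
                findings.append(("LINK_TEXT_MISMATCH", f"{text} -> {href}"))

    # Check 1: free-webmail return address on a mail claiming another domain.
    if sender_domain in FREEMAIL:
        findings.append(("FREEMAIL_FROM", str(sender)))
    if claimed and sender_domain not in claimed:
        findings.append(("FROM_DOMAIN_MISMATCH", f"{sender_domain} vs {sorted(claimed)}"))

    # Check 2: the injecting host belongs to neither the sender nor the forum.
    origin_host, origin_ip = injection_point(raw)
    if origin_host and _registered(origin_host) not in claimed | {sender_domain}:
        findings.append(("ORIGIN_HOST_MISMATCH", f"{origin_host} [{origin_ip}]"))
    return findings


if __name__ == "__main__":
    for code, detail in analyze(SAMPLE):
        print(f"{code:22} {detail}")
```

Running it against the sample prints all five findings; against a genuine confirmed opt-in message from a forum that mails from its own domain, the list comes back empty. The crude two-label domain guess is the weak point (it mishandles names like example.co.uk), so a real filter would use a public-suffix list there.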

In my experience, the vast majority of spam links pointing to numeric IP addresses lead to one of three types of places:

  1. Outright scam sites
  2. Virus propagation sites
  3. Pornography sites

What stuck out to my eye was that the plain-view URL invoked the "hyip" moniker, which has its share of scaminess associated with it. Whoever was behind this was hiding behind something that a good number of recipients might already consider shady. How bad could this Bad Guy be?

A little safe snooping revealed the answer.

Anyone who clicks on the link is first delivered to a nearly blank page, which, before redirecting the clicker to yet another site, installs a rather dangerous payload into Windows PCs that ultimately allows control of the PC to be handed over to others. The particular vulnerability being exploited is one that definitely affects Windows XP prior to SP2 and perhaps even those with SP2 installed (using Internet Explorer).

Visitors get no warnings about the installation. The first installation is quick, but it opens the door for the machine to have additional software installed (e.g., key loggers that capture keystrokes while you're connected to secure sites such as your bank). Your email address book may be ripped off (and your friends will get lots of spam or similar lures to these types of sites). Your PC may end up spamming the world.

Tons of these kinds of messages flood inboxes around the world each day. Unsuspecting recipients who click on the links don't know what they're getting their computers and their identities into. The tactic is called a "drive-by," but in this case, it's the victim who does the driving...straight into the line of fire. In January, I reported on a similar, consumer-oriented trick I saw.

Today's message is, in a way, more efficient in finding its victims. Most people clicking on the link for the message I describe here would know what the "hyip" acronym means because they want to join a forum on the subject. In my searches around the Web, I see a lot of associations between "hyip" and what are called e-gold accounts. Someone clicking the link in this message is someone who probably has a higher-than-most likelihood of logging into one or more online accounts involving monetary transactions and/or investments. Wowie...what a PC on which to get a keylogger installed!

All I can say is that clicking on a link embedded in any unsolicited message is one of the riskiest actions any Internet user can make. Updated OS, antivirus, and antispyware software might reduce your exposure, but it's no guarantee you won't be hit with something that was released to the Net just today.

Didn't your mother warn you against accepting candy or rides from strangers? Today she should also warn you about clicking on links from unknown sources. Or maybe you should warn her. Today. Right now.

Posted on March 04, 2005 at 01:01 AM