Powered by Movable Type 3.121
Home The Book Training Events Tools Stats
Web log archive.
Dispatches Archive

« April 2005 | Main | June 2005 »

May 24, 2005

Lottery Scammers Need Better Coordination Permalink

I think it might take the "specialness" of winning a lottery when two different announcements reach my inbox right after each other. While I was sleeping, I supposedly won both four million dollars and 1.5 million Euros.

The sad part is that even this coincidence (they're entirely different letters with slightly different approaches) wouldn't dissuade some recipients from thinking this was the freakinest luckiest day of their lives. Many thousands of dollars of their money down the toilet later, they'll have a different view of this day.

Posted on May 24, 2005 at 09:02 AM

May 23, 2005

Lost Weekend Becomes Lost Weekdays Permalink

By my clock, it has been 61 hours since I received the incident number for the Bank of America phishing page report and 34 hours since getting the incident number for the Trojan loader page report—both from iPowerWeb's abuse department.

Both pages are still up and running. More identities stolen. More zombies created (according to sightings, others received the same message I did, pointing to the same domain).

Sorry, iPowerWeb, your hat is no longer white in my eyes.

I'll continue to report incidents that point to your IP space, but only because my conscience requires it. Not because I expect any action.

I now return this blog to its regularly unscheduled program....

Posted on May 23, 2005 at 11:26 PM

May 22, 2005

Lost Weekend-Part Two Permalink

I guess it's Danny vs. iPowerWeb this weekend.

More than 24 hours after my Saturday morning report about a Bank of America phisher hosted at iPowerWeb, the page is still up. This, of course, after the live chat support person I tapped on last night told me the abuse incident would be handled "shortly." In Neptune years, perhaps.

Then I get another suspicious spam confirming an order for something I supposedly bought (it doesn't say what), with a link to click on to get more information. I've seen things like these before, and they usually lead directly to pages that silently install malware on Windows PCs. Smelling a rat, I used ultra-safe steps (involving a remote non-Windows machine that retrieves the raw output of a Web page) to see what the page was.

Sure 'nuf, the page uses a variety of techniques to install a Trojan into one's PC. Even though I run a Mac here, I wouldn't want to get my personal machines anywhere near these kinds of pages. One of these days, they'll take the time to find a way into Mac OS X, but it won't be my Mac.

So, following the trail, I check the registration of the domain hosting this malware installer. Lo and behold, it's hosted by—you guessed it—iPowerWeb. The domain had been in existence for over a year, so I suspect the server had been hijacked.

I jump on iPowerWeb's support chat line to warn them of this before too many visitors get taken. Here's the transcript of that chat session:

Chat Information Please wait for a site operator to respond.
Chat Information You are now chatting with 'Mack P.'
Mack P.: Welcome to iPower HelpChat. How may I help you?
Mack P.: Hi Danny.
Danny Goodman: I just received a spam message that links to a site hosted by iPowerweb. The page is a Trojan downloader.
Danny Goodman: Here is the URL (do _not_ visit it with a Windows machine): http://www.[redacted_for_your_safety].com/order.html
Mack P.: I'll be happy to assist you.
Mack P.: Are you getting lots of spam messages with the same subject?
Danny Goodman: No, the message claims to be an order confirmation. A common scam that leads unsuspecting recipients to visit the page. Then BAM, they're zombied.
Mack P.: Ok please hold on let me check.
Mack P.: Do you have hosting account with us?
Danny Goodman: No.
Mack P.: I suggest you to please ignore the email as it is a spam email.
Mack P.: If problem persist then please contact us back.
Danny Goodman: I KNOW THAT! I'm trying to get you to close down the site so OTHERS do not have their PCs taken over.
Mack P.: I suggest you to please email at our abuse dept at abuse@ipower.con.
Mack P.: Our abuse dept tech will look into your issue and get back to you.
Danny Goodman: Unbelievable.
Mack P.: I am sorry but this issue can not be solve online hence I suggest you to please contact our abuse dept regarding your problem.

Shaking my head in disbelief, I dutifully filed my report to their abuse address, and just received back my incident number (like I did with yesterday's phishing message). Foolish me, I thought by going to a live person, there might be some urgency assigned to this (IMHO) serious issue.

It's amazing to me that an outfit that I thought was a real white hat turns into an empty hat on weekends. The scammers, however, are working 24/7. No wonder we're losing.

Posted on May 22, 2005 at 01:11 PM

May 21, 2005

Lost Weekend Permalink

No sooner do I praise iPowerWeb for being quick on the draw to take down phisher sites than I find they're not so quick, at least on weekends. I reported a Bank of America phishing site hosted on that service Saturday morning. Fourteen hours later (as confirmed via a live chat with a support person), my abuse "incident" is still in the queue.

It's already too late. Feh!

Posted on May 21, 2005 at 11:47 PM

May 19, 2005

Do Spammers Lie or Bullshit? Permalink

Anti-spammers have long held the view that Rule #1 of spam is, "Spammers Lie." So deeply ingrained is this rule, that Rule #2 is, "If you think a spammer is telling the truth, see Rule #1."

I raise these old saws because of the recent attention given to a book by now-retired Princeton philosophy professor, Harry Frankfurt. The book, titled On Bullshit, is a reprint of a 20-year-old classic essay of the same title. Thanks to the resurgent interest in the essay and attendant publicity, it's now almost okay to say [titter titter] "bullshit"—unless you're on 60 Minutes in prime time on Sunday evening, which case you have to blur the "shit" part in every visible image of the book's cover or spine. Thank goodness for The Daily Show With Jon Stewart, where the whole word may be aired (after 11PM, that is).

The heart of Professor Frankfurt's essay is establishing the distinction between a lie and bullshit; between a liar and a bullshitter; between lying and bullshitting. When I look at a few spam messages that either landed in my "suspects" bin or had the luck of slipping through my filters and arriving in my inbox, I wonder if spammers lie, as the Rules say, or if they bullshit.

As I point out in Spam Wars, it is foolish to attempt to characterize a spammer as a clearly drawn stereotype. There are all kinds of spammers. For purposes of this investigation, however, I'll consider three fairly typical unsolicited messages whose content I noticed today:

  1. The subject reads, "Re: did you get my email yesterday?" but the message body asks a different question: "Have you thought about taking Viagra but decided it wasn't worth the risk?" and then directs me to visit a Web site. The message originated at a comcast.net account in the state of Washington, very likely a zombie PC.
  2. The subject of the next message reads, "crucified with christ;". A recipient might then be surprised to find a mortgage lead message in the body: "Thanks to a private nomination, there are potentially three deals that will be offered to you." It's signed by Tim Laird, Senior Business Consultant - Low-Rate Advisors Inc." The message originated from a server in China.
  3. The third message has no subject, and begins: "Dear Friend, Permit me to inform you of my desire to go into business with you. I got your name and contact on the Internet during my search for a sincere partner." The message goes on to ask my help in freeing up $11.5 million that his late father had stored at a security company in Europe—for which I'll get a 20% cut. This message originated from an open proxy in the Philippines.

Frankfurt says that both the liar and bullshitter "represent themselves falsely as endeavoring to communicate the truth." The differences between the two can be found in the execution of their means to their ends.

The liar knows the truth but tries to "lead us away from a correct apprehension of reality." A key point is that "we are not to know that [the liar] wants us to believe something he supposes to be false." In contrast, what the bullshitter hides "is that the truth-values of his statements are of no central interest to him." His art is in the telling, not in a conviction to the reality or unreality behind the tale.

Let's look at the spam messages to see where the senders land in the continuum between liar and bullshitter.

In spam No.1 the Subject: line starts with "Re:" to lead the recipient to believe it is a reply to an ongoing communication with the sender. The question in the line is something that anyone could have sent, even if the name of the sender in the From: column of the inbox list doesn't ring any bells. Upon opening the message, an unsuspicious recipient sees the disconnect between the subject and body, and realizes that the sender loaded the Subject: line with at least two lies that are counter to reality.

The Subject: line of spam No.2 probably perplexes most recipients. If the subject were truthful, one might expect a message having some connection with religion. Instead we find a mortgage-related spam message. The body tells me I was privately nominated to have three deals (presumably mortgage offers, based on the rest of the message) presented to me. I did a Google search on the company name in the signature. The only hits with that hyphenation were copies of the same or similar message body either reported as spam or sent as spam to mailing lists (they got posted as messages). The names in the signatures were different, and the Subject: lines were also different selections of three seemingly random words. An unsuspicious recipient would not know from the message that the Web site the link navigates to is not a lender or broker, but a firm interested only in the information filled out in the form—to be sold for tens of dollars apiece as a lead to mortgage brokers. The sender who gets a recipient to fill out the form has succeeded in not letting the recipient know that the exchange was based on lies.

Spam No.3 comprises an elaborate tale. It begins with the claim that my email address came up in an Internet search for "a sincere partner." Unless Google has a new search and ranking service (sincerity.google.com?), how could a stranger make such an evaluation? So, the message starts out with a lie, and continues to tell a string of more lies to build an elaborate, but entirely phony scenario. Actually, the lies of this tale are in the eyes of a recipient who believes the story. I can't believe that the 419 (advance-fee) scammers who write these letters see each other as anything more than bullshit artists. To the senders, the details of Miriam this or Abu that or XX MILLION U.S. DOLLARS are of no consequence. The bullshit is not being used to displace something else that is true—other than the absence of any story at all.

I think we have to look at the lie vs. bullshit issue from two different frames of reference: the sender and the recipient.

It's clear that the senders of all three spam messages lied at some point to avoid the truth be revealed. Spammer No.1 wants the recipient to open the message, something that would be less likely if the Subject: line said something about Viagra. Spammer No.2 doesn't want his recipients to know that he's not a real mortgage broker, nor that the identical message went out to thousands of people who also got a "private invitation." The same goes for Spammer No.3 who tries to make each of the thousands of recipients believe that he or she is the one chosen "friend" to receive the offer.

And, yet, when I see each of these messages, I am quick to yell "bullshit!" Why? Because having seen thousands—perhaps tens of thousands by now—of the same kinds of messages over 10+ years, I can assure the senders that they fail to make me believe the lies they attempt to convey.

Professor Frankfurt notes an interesting distinction between bullshit and lies:

We may seek to distance ourselves from bullshit, but we are more likely to turn away from it with an impatient or irritated shrug than with the sense of violation or outrage that lies often inspire.

This is where I see the issue of frame-of-reference playing a big role in the debate. A liar can continue to spew lies, but the ones hearing the output are not obligated to continue regarding them as lies. The first time you read a 419 or phishing message, you may be fooled by the lies transmitted by the liar. The first time you realize those messages are lies (perhaps after it's too late), you are outraged. After that, you see each such message as nothing more than bullshit, and shrug it off. In the mind of the recipient, the lie becomes bullshit and the liar becomes bullshitter.

That leads me to think about why I spent a year on my own nickel to research and write Spam Wars, why I speak out about the spamming and scamming that's killing email, why I take the time to report spam, and even why I find it necessary to vent on my Web log. My heart goes out to those recipients who are being lied to, who don't yet know or know how to treat garbage email as bullshit. I guess you could characterize my aim as raising the Bullshit Quotient (BQ) of all email users. A liar who is regarded by his intended victims as a bullshitter won't be able to make a penny from his attempts at lying.

Posted on May 19, 2005 at 09:54 AM

May 15, 2005

Phoiled Phisher Phollowup Permalink

There was quite a bit of interest in my skirmish with a phisher last Tuesday night. I thought I'd write an epilog to the tale. Now that I got my most recent book (#42 if you're counting) into the hands of my editor, I can catch my breath.

The four phishing messages (one I believe to be an inadvertent mistake in that it pointed to no valid domain) were the only ones of that style to arrive that night. After the third site take-down, that was it for the night. It was my night—I don't know what it was where the phisher lived.

Since then, I've seen a couple of messages bearing the same source code hallmarks as the ones that caught my eye the other night. They usually arrived during my overnight hours or while I was away from the office. But I'm glad to say that most of the target sites were already closed down by the time I got to check them out.

Emboldened by the quick reactions of three large hosting providers last Tuesday, I've taken the time to report even more phisher sites to their site owners (there are tons of legitimate servers that get hijacked to host phishing sites) and host providers. (Don't tell my editor I was doing this instead of finishing the book. Shh!)

Despite my praise of quick action the other night, I may have spoken too soon about yahoo.com. A different phishing stream came my way, pointing to another domain hosted at yahoo.com. Several days later, the page is still up and running. [frownie emoticon]

ISP response to phishing site reports is all over the map, and highly unpredictable. Foolishly, I expect smaller ISPs to respond quickly if for no other reason than the level of abuse complaints they get should be rather small; an account hosting an obvious phishing page at a URL under their control should be easy enough to suspend for further investigation. Some are very good (iPowerWeb appears to do an excellent job from my observations), but others (I'm talking about small, U.S.-based providers) completely ignore the reports. The phishing sites hosted thereon are running long after they've trapped the bulk of their unwitting victims. I dare not mention those services here by name, lest phishers flock to them.

It would be great if ISPs, big and small, had a uniform phishing reporting system in place. All of the reporting I do is to the regular abuse or other whois contact email address, and sometimes through a provider's support form on its Web site. But I never know if the report will get past the droves of other spam complaints that certainly accrue to any provider.

Speedy closure of phishing sites is essential. A site that has been up 24 hours after the first mailings go out to victims has already done the bulk of its damage. My suspicion is that phishers who "buy" domains and cheap hosting space do so on stolen credit card numbers, fully expecting the domain and site to be gone after 48 hours. In contrast, hijacked legitimate sites (whose real owners do nothing about reports from the outside—often because they don't know English or because the systems administrator who set up the site in the first place is away at college) stay up for weeks, and the phish messages keep pouring in, pointing to the same numeric IP address. Those sites that stay up awhile even gain a further subdirectory with pages for other financial institutions. Hey, if the site owner ignores reports and lets anyone gain access through default passwords, why not adopt the server, and add more sites there?

In the meantime, I don't believe that phished institutions do a sufficient job of educating their customers about the threats. But that's a whole 'nother subject I'll leave for later. That you are reading this means that you're hip to the problem. Spread your hipness to every emailing family member and neighbor.

Posted on May 15, 2005 at 01:09 PM

May 10, 2005

Imagine That: Phishers Are Cynical Permalink

One newbie PayPal phisher forgot to fill in some of the blanks to the message, so the phishing kit's placeholders got through in his first attempt. The placeholder link for this one was to the nonexistent domain:


Eight minutes later, he corrected his mistake and sent out the same message (through the same zombie, no less), but this time with a newly-minted domain hosted at yahoo.com.

Click on the link, fill out the form, and you will be a victim.

UPDATE: Kudos to yahoo.com for taking down the working site from the second phish within about an hour after my report. Others may have reported, too, and that's OK. As long as they act quickly.

UPUPDATE (18:53 PDT): Well, I see this is going to be a battle. No sooner did the yahoo-hosted site go down, than the same spammer opened up a new godaddy.com-hosted site with a slightly different domain. His current domain name scheme is to use "paypal-" followed by typical URL letters one sees in PayPal and eBay log-in URLs before the "dot com." I don't know how quickly go-daddy will respond, but I've got my fingers crossed. If he wouldn't keep sending me this crap, I wouldn't be the wiser.

UPUPUPDATE (20:07 PDT): The godaddy-hosted version is now also no more. But, no, I don't expect this guy to give up this easily.

UP(x4)DATE (22:39 PDT): I was right. The guy started up yet another domain, this time hosted at networksolutions.com. I reported it at 20:15, and just checked at 22:39 to find that Network Solutions shut this one down. Quite an evening (while I'm busy working on something else). It's encouraging that three large ISPs—Yahoo, Godaddy, and Network Solutions—responded within one to two hours to shut down phishing sites. Speed is vital, so I'm glad they have mechanisms in place to act quickly. Three phishing sites out of hundreds is a drop in the bucket, but those ISPs definitely saved the identities of some folks tonight.

Posted on May 10, 2005 at 05:20 PM
Back to 419 School, Pal Permalink

Having read hundreds of the Nigerian (et al.) advance-fee scam letters over the years, I've seen that one of the main ploys is that the scammer wants you to believe that he singled you out among all the people on the planet to assist in the URGENT BUSINESS TRANSACTION. That's one of the ego boosters that helps the scammer gain the target's con-fidence.

In comes one today that blows the whole deal. The To: field of the message is empty, and the CC: field has (count 'em) 204 email addresses to which this blast went out. How am I supposed to feel special if you're offering my cut (of a paltry 8.6 million this time) to 203 other greedy bastards?

How do you say "D'oh" in Hausa, Yoruba, and Igbo?

Posted on May 10, 2005 at 08:26 AM
The Art of Illogical Social Engineering Permalink

A rather sloppy eBay phishing message arrived that, despite several clues to its bogusity, will probably grab some eBay users.

I say it's sloppy because there is no eBay art embedded in the message, and the signature says:

Thank you for using eBay!
The PayPal Team

The crook also didn't do a good job of authoring the HTML in the message. In my email client, the real URLs (with plain-as-day numeric IP addresses) are clearly visible alongside the phony eBay links. Maybe the IP address URLs are hidden in clients such as Outlook Express.

But the trick of this message is the social engineering it employs. The message claims to be a confirmation of having changed the eBay account address to a new address (an @yahoo.com address). I guess I'm supposed to believe that somebody hijacked my account and changed the email address without my knowledge or permission. If I were to believe that, of course I'd be outraged and follow the instructions to "click here" and supply all my information again.

And then I'd really be hijacked and hosed.

My question is, Does eBay really send out a confirmation like this? I can't believe they'd bother sending a message to an old address. If you've changed your address, you've changed your address. I did change my eBay address a few years ago to a unique username (and have not had one—not one—spam message sent to that address), but I don't recall if eBay sent a confirmation like that to my old address (which was still active).

Logical or not, professional-looking or not, this phishing message will probably grab several unsuspecting users before theplanet.com gets around to shutting down the hijacked server in its block (the site is still running 6 hours after the message arrived here, so most of the damage is already done).

Posted on May 10, 2005 at 08:11 AM

May 06, 2005

YAES* Permalink

(*Yet Another Ebay Scam)

I should have written this up before, but it's never too late to help put you on your guard. If you're an eBay seller—especially if you're just a casual seller—you may be surprised (and perhaps flattered) to receive an email purporting to come from eBay inviting you to become a PowerSeller. That's a status badge that sellers with very high volume and feedback ratings earn.

Con artists know that flattery gets them everywhere, so it shouldn't come as a shock to discover that this offer is a complete scam to get you to part with your eBay username and password. Hijacking an eBay account allows for a variety of scams (some of them detailed in Spam Wars) that, unfortunately, trick a fair number of eBay buyers who desperately want to get something that's too good to be true.

Behind the one bogus PowerSeller invitation spam I just saw is a form (in the email message) that gets submitted (after some indirection) to an AOL address, not to eBay. Oh, and the message originated from a wireless access point in Romania...a far cry from eBay's headquarters.

Are "they" really out to get you? You betcha!

Posted on May 06, 2005 at 03:21 PM

May 03, 2005

"Hear No Evil" Policy Permalink

How frustrating! I get a Southtrust Bank phish that points to a newly minted domain (yesterday) that I see is hosted at charter.com. So, following my usual operating procedure, I wanted to alert charter about the site so they can shut it down. I've had a fair amount of success at this recently.

Visiting charter.com's Web site, I look for the Contact or Customer Support page. They'd be glad to hear from me...as long as I am a charter.com customer. Following several paths through the Customer Help menu, I'm always led to the login page. I can't find a way to get past the login page to make my report. If I'm not a customer, they simply don't want to hear from me, even if the place was on fire.

Okay. The fallback position is to send a report to abuse@charter.com. This address is reported in the whois database as the official abuse address for the outfit. Off goes my message.

A moment later, the message bounces with an error that says abuse@charter.com is an unknown address. Aaargh!

When no one can tell you there's a problem, there must not be any problems. To charter.com I say, Way to put your head in the sand...or some other dark place.

Posted on May 03, 2005 at 07:36 PM

May 02, 2005

A Phisher With a Sideline? Permalink

Looking through the source code of a new eBay phishing message today, I noticed something I don't recall seeing before: the hidden URL that a click of the active link navigates to had my email address embedded as a parameter to the login script at the phisher's server. In other words, if I were to have clicked on the link, the phisher's server program would have been able to record by email address as being "live"—just like a Web beacon/bug. If this guy is collecting live email addresses, he could benefit by reselling my address, even if I didn't fill out his phony phorm. A live email address isn't as valuable as someone's identify info or ebay password, but to a crook, somethin's better than nothin'.

The server appears to be an otherwise unused but hijacked server at a South Korean university. Ugh! It could take awhile to shut this one down.

All the more reason, my friends, to not click on links from unsolicited or bogus email. Spam Wars shows you how to spot a fake...but you already knew that, right?

Posted on May 02, 2005 at 03:02 PM

May 01, 2005

Too Dumb To Know When To Quit? Permalink

For the last couple of weeks I've been seeing spam messages come through for every erectile dysfunction med advertised in the Sunday supplements. That, of course, is nothing new. But what's odd about these messages is that it's clear from the HTML source code behind them that the spammer has gone to great lengths to disguise the text to try to slip through content filters. He breaks up words with all kinds of HTML tags and goes to considerable trouble to fashion an all-text message out of a sort of jumbled HTML table.

But he consistently leaves out one thing I'd expect to see: any link, URL, email address, or other way to contact him to buy his ED drugs. The return (From:) addresses are universally bogus, and the messages are sent through hijacked zombie PCs.

It appears that the messages I'm seeing are cut off before they're completed. There is a telltale "[2" sequence at the end of all of these messages. Perhaps it's only part of his zombie runs that have the glitch, and others get through that have a link (and my filters auto-delete them before I ever see them).

If a good chunk of the messages aren't earning the drugger a dime, that's fine with me. I'd really like it if his return is so low that he feels spamming no longer pays. I'd like it even more if he's paying a spewer on the number of messages accepted for delivery so that he's out money he'll never ever recover. I'm liking this more and more....

Posted on May 01, 2005 at 11:50 AM