May 22, 2005
Lost Weekend - Part Two
I guess it's Danny vs. iPowerWeb this weekend.
More than 24 hours after my Saturday morning report about a Bank of America phisher hosted at iPowerWeb, the page is still up. This, of course, after the live chat support person I tapped on last night told me the abuse incident would be handled "shortly." In Neptune years, perhaps.
Then I get another suspicious spam confirming an order for something I supposedly bought (it doesn't say what), with a link to click on to get more information. I've seen things like these before, and they usually lead directly to pages that silently install malware on Windows PCs. Smelling a rat, I used ultra-safe steps (involving a remote non-Windows machine that retrieves the raw output of a Web page) to see what the page was.
Sure 'nuf, the page uses a variety of techniques to install a Trojan into one's PC. Even though I run a Mac here, I wouldn't want to get my personal machines anywhere near these kinds of pages. One of these days, they'll take the time to find a way into Mac OS X, but it won't be my Mac.
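The "ultra-safe" approach above comes down to fetching the page as raw text on an isolated, non-Windows machine and reading it without rendering it. The following is an added example, not code from the original post: a small static triage pass over raw HTML that flags the kinds of loader tricks a drive-by page typically carries (meta refresh redirects, off-site scripts, zero-size or hidden iframes, ActiveX objects, direct links to executables) and lists the off-site hosts involved, which is the information an abuse report needs. It assumes the page body has already been retrieved as text; the sample HTML, the `.invalid` hostnames, the zeroed-out classid, and the function names (`triage`, `PageTriage`) are all constructed for this example.

```python
"""Offline static triage of a suspicious HTML page (added example).

Assumes the raw page text was already fetched by a non-rendering client on
an isolated machine; nothing here touches the network or executes content.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# File extensions that should never be linked from an "order confirmation".
EXEC_EXTENSIONS = (".exe", ".cab", ".scr", ".pif", ".com", ".bat")

# Constructed sample: a mock lure page, not a real capture. Hostnames use the
# reserved .invalid TLD and the classid is a placeholder.
SAMPLE_HTML = """
<html><head><title>Order confirmation</title>
<meta http-equiv="refresh" content="0;url=http://cdn.example.invalid/load.php">
<script src="http://cdn.example.invalid/x.js"></script>
</head><body>
<p>Thank you for your order #48213. Details are loading...</p>
<iframe src="http://cdn.example.invalid/i.html" width="0" height="0" style="display:none"></iframe>
<object classid="clsid:00000000-0000-0000-0000-000000000000" codebase="http://cdn.example.invalid/a.cab"></object>
<a href="http://cdn.example.invalid/setup.exe">View invoice</a>
</body></html>
"""


class PageTriage(HTMLParser):
    """Collects static indicators from start tags; never evaluates anything."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []        # list of (indicator, url-or-detail)
        self.offsite_hosts = set()

    def _record(self, indicator, url):
        self.findings.append((indicator, url))
        host = urlparse(url).hostname
        if host and host.lower() != self.page_host:
            self.offsite_hosts.add(host.lower())

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            content = a.get("content", "")
            idx = content.lower().find("url=")
            target = content[idx + 4:].strip() if idx >= 0 else content
            self._record("meta-refresh", target)
        elif tag == "script" and a.get("src"):
            self._record("external-script", a["src"])
        elif tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            hidden = (a.get("width") in ("0", "0px")
                      or a.get("height") in ("0", "0px")
                      or "display:none" in style)
            self._record("hidden-iframe" if hidden else "iframe", a.get("src", ""))
        elif tag == "object" and (a.get("classid") or a.get("codebase")):
            self._record("activex-object", a.get("codebase") or a.get("classid"))
        # Any attribute pointing straight at an executable is worth a line.
        for attr in ("href", "src", "codebase"):
            url = a.get(attr, "")
            if url.lower().endswith(EXEC_EXTENSIONS):
                self._record("executable-link", url)


def triage(html_text, page_host):
    """Return the indicators found and the sorted list of off-site hosts."""
    parser = PageTriage(page_host)
    parser.feed(html_text)
    parser.close()
    return {"findings": parser.findings,
            "offsite_hosts": sorted(parser.offsite_hosts)}


if __name__ == "__main__":
    report = triage(SAMPLE_HTML, "www.shop.example.invalid")
    for indicator, url in report["findings"]:
        print(f"{indicator:18} {url}")
    print("off-site hosts:", ", ".join(report["offsite_hosts"]))
```

The off-site host list is the part to carry into the abuse report: the page you were lured to and the host actually serving the payload are often different, so both registrars and hosting providers need to hear about it.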
So, following the trail, I check the registration of the domain hosting this malware installer. Lo and behold, it's hosted by—you guessed it—iPowerWeb. The domain had been in existence for over a year, so I suspect the server had been hijacked.
I jump on iPowerWeb's support chat line to warn them of this before too many visitors get taken. Here's the transcript of that chat session:
Chat Information: Please wait for a site operator to respond.
Chat Information: You are now chatting with 'Mack P.'
Mack P.: Welcome to iPower HelpChat. How may I help you?
Mack P.: Hi Danny.
Danny Goodman: I just received a spam message that links to a site hosted by iPowerweb. The page is a Trojan downloader.
Danny Goodman: Here is the URL (do _not_ visit it with a Windows machine): http://www.[redacted_for_your_safety].com/order.html
Mack P.: I'll be happy to assist you.
Mack P.: Are you getting lots of spam messages with the same subject?
Danny Goodman: No, the message claims to be an order confirmation. A common scam that leads unsuspecting recipients to visit the page. Then BAM, they're zombied.
Mack P.: Ok please hold on let me check.
Mack P.: Do you have hosting account with us?
Danny Goodman: No.
Mack P.: I suggest you please ignore the email, as it is a spam email.
Mack P.: If the problem persists, then please contact us back.
Danny Goodman: I KNOW THAT! I'm trying to get you to close down the site so OTHERS do not have their PCs taken over.
Mack P.: I suggest you please email our abuse dept at firstname.lastname@example.org.
Mack P.: Our abuse dept tech will look into your issue and get back to you.
Danny Goodman: Unbelievable.
Mack P.: I am sorry, but this issue cannot be solved online; hence I suggest you please contact our abuse dept regarding your problem.
Shaking my head in disbelief, I dutifully filed my report to their abuse address, and just received back my incident number (like I did with yesterday's phishing message). Foolish me, I thought by going to a live person, there might be some urgency assigned to this (IMHO) serious issue.
It's amazing to me that an outfit that I thought was a real white hat turns into an empty hat on weekends. The scammers, however, are working 24/7. No wonder we're losing.
Posted on May 22, 2005 at 01:11 PM