Dispatches Archive


September 29, 2005

Know Your Target Audience's Language

I really don't think a medz spammer with a solid command of the English language would start a message like this one:

Damn friend

There is a cure for agony
I have found a site with the discounteddeals

The spamvertised domain registration gives me a lot of confidence in this outfit:

Registrant Contact:
   szdfsd gnvgn (gfhfghfhtyead@[disguised_domain])
   Fax: +1.5555555555
   na, na na

Aren't we lucky that domain registration has essentially no human oversight?

Posted on September 29, 2005 at 03:36 PM
Collateral Damage from Phishing

The majority of phishing sites that I see have been inserted into existing Web servers in various places around the world. Somewhere along the line the server was compromised in such a way that the phisher can create a separate directory that holds the files that both display the lookalike pages (PayPal, eBay, Wells Fargo, et al.) to unsuspecting victims and process the username/password or other form entries to rob victims of their identities. My assumption is that most of these servers had some easily cracked or default passwords set up for them, which crackers must certainly cycle through regularly on any and all servers—in search of crackable Web (and other) servers. I see those attempts from time to time in my servers' logs.

Hijack-style phishing sites come in all shapes and sizes (even though many of them use the same HTML and form-handling code obtained in phishing "kits"), but let me describe four types I continually encounter.

The first type is the default Web server placeholder set up by ISPs in anticipation of handing the server to a new customer. Phishing message URLs to this type of hijacked server are always numeric IP addresses because no domain name has yet been assigned to the IP. There must be tons of these otherwise inactive "sites" sitting on the Internet at any given moment (including inside organizations, such as universities), and if the default passwords haven't been changed, or their old Apache (usually) server software hasn't been updated, they're ripe for the picking. They remind me of the alien beings in the recent "War of the Worlds" movie, who planted "seeds" deep inside the Earth eons ago, waiting to be brought to life at a later time to eat everything within reach.

The second type is a Web site that is no longer actively maintained, but the original owner must have prepaid for a few years of domain registration and Web site hosting. No one is really at home for this type of site because the owner has moved on to some other venture, or got a real job. The last copyright notice update was two or more years ago, and it's not likely that any contact email address still works. And, unfortunately, the site was set up without much thought to security. Once compromised, the site's server is played like an accordion on The Lawrence Welk Show.

The third type is the small ISP whose own site or IP space has been intruded upon by a phisher. When I submit my standard phishing report to them, they assume a position of such denial that they refuse to believe such a thing could happen. My report includes a complete copy of the phishing message as well as a highlighted link to the URL within their IP space that contains the fraudulent material. The message header makes it clear that the message did not originate from the same source, but the active link clearly leads to their location. One ISP wrote back to ask me how I could have ever reached that "secret" URL. Duh!

The fourth type is all too common, and can lead to some ugly consequences. The hijacked site is your run-of-the-mill Web site for a small business, a non-profit group, or an educational organization. Having compromised the site's server, a phisher installs the fraudulent material on the site in a subdirectory. Sometimes the phisher even creates a separate user account just for him/herself and places the material in directories belonging to that account.

By and large, the managers of these types of sites are not techies. They probably had a lot of handholding to get the site going in the first place. The consultant or network administrator who got them started (and showed them how to update pages with FrontPage) is either long off the contract, or has gone away to college. The last thing these folks know how to do is to investigate security issues in their servers. Even if they know enough about File Transfer Protocol (FTP) to move files to the Web server, they probably don't know that FTP programs typically don't display directories and files whose names start with a period. Even the Unix ls command won't show such items unless you add the -a option. A great many phishers, of course, install their stuff inside directories whose names start with a period to evade simple detection by site owners.
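Here is one way a site owner (or the person helping them) can sweep a document root for exactly the kind of planted material described above. This is an added example, not code from the original post; the document root, the file names and the "kit" contents are all constructed for the demonstration, and the set of file extensions treated as Web content is my assumption.

```python
"""Added example (not from the original post): walk a Web document root and
report every directory whose path contains a component beginning with a
period and that holds servable Web files, the spots FTP clients and a plain
`ls` skip over. The tree built below is constructed sample data."""
import os
import tempfile

# File types a phishing kit typically drops: lookalike pages plus the form
# handler that mails or logs the stolen credentials. Assumed list.
WEB_EXTENSIONS = {".html", ".htm", ".php", ".cgi", ".pl"}


def find_hidden_web_dirs(docroot):
    """Return sorted (relative_dir, [files]) for every dot-directory under
    docroot that contains at least one Web-servable file."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        rel = os.path.relpath(dirpath, docroot)
        # Hidden if ANY path component starts with '.', so a kit nested as
        # .cache/paypal/cgi-bin/ is caught, not just the top-level dot dir.
        if rel == "." or not any(p.startswith(".") for p in rel.split(os.sep)):
            continue
        web_files = sorted(f for f in filenames
                           if os.path.splitext(f)[1].lower() in WEB_EXTENSIONS)
        if web_files:
            hits.append((rel.replace(os.sep, "/"), web_files))
    return sorted(hits)


def build_demo_docroot():
    """Create a throwaway tree resembling a small business site with a
    planted kit (constructed sample data, not a real compromise)."""
    root = tempfile.mkdtemp(prefix="docroot-")
    layout = {
        "index.html": "<h1>Acme Plumbing</h1>",
        "about/index.html": "<p>About us</p>",
        ".htaccess": "Options -Indexes",                 # legitimate dotfile, not a dir
        ".cache/paypal/cgi-bin/webscr.html": "<form>...</form>",
        ".cache/paypal/cgi-bin/login.php": "<?php /* mails the form */ ?>",
        "images/.thumbs/readme.txt": "thumbnail cache",  # hidden dir, no Web files
    }
    for rel, body in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    docroot = build_demo_docroot()
    for rel_dir, files in find_hidden_web_dirs(docroot):
        print(f"hidden Web content: {rel_dir}/  ->  {', '.join(files)}")
```

On a real server you would point `find_hidden_web_dirs` at the actual document root (and at each user account's public_html, since the post notes phishers sometimes create their own account). Anything it lists that the owner did not put there is worth a close look, and a legitimate dot-directory such as a CMS cache will show up too, so the output is a review list, not a verdict.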

Things can go haywire if reports of a hijacked site's phishing page reach the Web hosting service for the site. A lot of ISPs act first to disable the entire site, and (perhaps) ask questions later. At this point, not only is the phishing page taken down (that's a Good Thing), but the entire organization's Web presence—and perhaps even their email service—is disconnected. If a big chunk of the company's business is Web-derived, that's more than a little inconvenient (and lawyers probably get involved).

To minimize this kind of collateral damage, I try to contact the hijacked site's owner, rather than the ISP, whenever possible. If the site's home page has a contact email address, I'll send my report only to that address. If there is no contact info on the site, and if I can determine the domain name of the site (some phish links to hijacked sites link to the numeric IP address, and the domain is not obvious unless something else in the site mentions it by name), I'll trace the domain registration record and hope that the contact information there is still accurate. Some records list an "administrative contact" and "technical contact." If the information for these two contacts is different, the former may be a non-techie at the company, and the latter could be the Web hosting service.

I never know if the administrative contact is technically equipped to locate and remove the phishing pages, so I tend to include the technical contact in my email report if the tech contact information doesn't look like an ISP. There is, of course, no guarantee that I don't tip off an ISP, but I try to let the domain holder handle it if possible.

It doesn't always work that way, however. Recently I sent a report to a hijacked site's owner. I could tell from the initial response that the site's owner was not technically equipped to look for and delete a hidden directory on his Web server and know how to secure the server against further attacks. I suggested he get some help from his Web hosting service. But it was too late. Apparently, another reporter had sent a complaint to the site's ISP. The ISP had cut off the compromised site entirely, and email sent to the domain was rejected. This fellow was, for now anyway, screwed.

A few days later I heard again from the site's owner, telling me that everything was back to normal. I'm sure it was a harrowing time for this fella—first to have his site violated by a criminal, and then to get cut off by his ISP as if he were a criminal. Perhaps a change to the server's password scheme will minimize the likelihood of a future hijacking, which means that the experience may have a long-term good outcome for this gentleman and his Web presence.

It just goes to show you that phishing can have even more victims than those who fall for the phony messages and forms.

Posted on September 29, 2005 at 03:24 PM

September 22, 2005

Mortgage Spam On The Decline?

Extrapolating any set of spam statistics to imply email-wide trends is a dangerous game, so I'll continue to declare trends only in light of observable spam arriving at my inboxes. Your mileage may vary (YMMV).

Fed up with so many lookalike spam messages touting mortgages, I began an aggressive reporting campaign back in February 2005. By "reporting," I mean that I forwarded to the U.S. Federal Trade Commission copies (the full source code, including headers) of all mortgage spam failing to meet CAN-SPAM requirements (a.k.a. all of them). A typical such message failed the CAN-SPAM test in one or more ways: forged headers; sent from zombie PCs; outright deceit; no physical mailing address; etc.

Even when I blocked messages linking to common domains, the mortgage spam continued to ooze through, and I sent it along to spam@uce.gov, the special FTC address that gathers spam samples in what the agency calls "The Refrigerator." I figured that there had to be enough of a U.S. connection to these mortgage lead spammers that if enough evidence accumulated (not just from me), then perhaps the FTC would look into the practice. So many of the messages bore the same B.S. in the same format, that the majority of them had to be connected to a single source somewhere.

Here is a summary of the quantity of mortgage spam forwarded to the FTC over the past several months:

Month (2005) | Quantity Reported

Today is the 22nd of September, and upon reporting yet another mortgage spam, I realized that I haven't had to report many recently. Sure enough, my sent log indicates that for the first three weeks of September, I've received/forwarded only 5 mortgage spams. Moreover, the ones I received didn't bear any of the trademarks of the majority of those reported earlier.

Which raises the question: What's the deal?

Deep down, I'd like to think that someone at the FTC has been on the enforcement job, and they've been quiet about it until all the loose ends are tied up nicely. It would be nice to know if my 740 forwarded messages contributed to the evidence that led to the end of one or more spammers.

It could also be that the main perp was a college kid who finally started a real job in September. Who knows?

In the meantime, I'll simply bask in the glow of a nearly mortgage-spam-free inbox. I hope you're having the same luck.

Posted on September 22, 2005 at 03:02 PM

September 16, 2005

Spam in the Era of Monitored Email

It's not uncommon these days for corporate or other organization employees to sign an agreement that allows Big Brother to monitor email communications and even Web surfing activity. Some of this "snooping" may be going on even without the employee's knowledge.

Imagine being such a "snoopee" when the following spam message winds up in your inbox:

Subject: Your refill for Vitrx

Hi, your Vitrx natural enhancement product is ready for ordering, as our records indicate that you are due for a refill.

Simply press here to order
[link removed]

Please let us know if you have any questions. We are available 24x7.

Dan Williams, customer support.

To the untrained eye, this could be interpreted as a legitimate communication between an online pharmacy and one of its existing customers. Before (um) long, the word about your enlargement medz usage circulates through the company, and may even get you in hot water, accused of using organization resources (email) for your personal use.

I've wondered if spam content ever got anyone in trouble at work. For instance, if you fail to adhere to Spam Wars guidelines and open up an explicit-image-laden porn spam, and a colleague happens to be looking over your shoulder at that instant, might not a sexual harassment complaint ensue?

If you have a tale to tell about spam used against you at work, I'd like to hear about it (confidentiality assured). Use the contact form to let me know.

Posted on September 16, 2005 at 09:58 AM

September 14, 2005

New eBay Phish Ploy

I describe in Spam Wars how scam artists use the username and password ripped off from unsuspecting eBay users to further rip off other eBay users and gain access to private information.

eBay phishers do everything they can to trick you into giving up the username and password for your account. In addition to the usual "some mixup in your account" malarkey, I've also seen phony invitations to get PowerSeller status. A new (to me) variation on the theme came across today. The Subject of the message is "Want to buy your item," and here's the body of the message:


I am new to eBay, but i tried to buy this item from you with my Credit Card Visa and it show me an eror at your account. Please look at the link bellow with the eror. And reply me after you are able to sell on eBay.

[link removed for your protection]

Best regards,

Grace Loren.

This appeal is not as universal as others I've seen. It assumes that the recipient currently has something for sale on eBay, either through an auction or an eBay Store. I'd like to think that those who are active sellers on eBay would be cautious about an email message like this, but I know that a seller doesn't want to turn away a buyer. An experienced eBay seller would also (I hope) be suspicious of a message from a stranger addressed directly to the seller, rather than the message arriving through eBay's official messaging system.

The link that most email programs display in the message is an ebay.com address, but the hidden address in the link—the href where you really end up going when you click on the visible text—is to a hijacked server in Turkey. I've alerted the site's owner and ISP, but my report will arrive very late at night in Istanbul. Unless a night owl is reading email there, the site will have a 10- or 12-hour headstart—by which time most of the damage will have been done.
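The visible-text-versus-target trick is mechanical enough to check for automatically. The following is an added example (not code from the original post or from eBay): it pairs each anchor in an HTML message body with the text displayed inside it and flags any link whose displayed hostname and real destination belong to different domains. The sample message is constructed for the demo, using a documentation IP address rather than the real hijacked host, and the two-label "registrable domain" rule is a simplifying assumption.

```python
"""Added example (not from the original post): flag anchors in an HTML mail
body whose displayed text names one domain while the href points somewhere
else. The SAMPLE_MESSAGE below is constructed; 203.0.113.7 is a
documentation address standing in for the hijacked server."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Pulls the first hostname-looking token out of visible link text.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def registrable_domain(host):
    """Crude last-two-labels domain (assumption: good enough for .com/.net
    style hosts; a public-suffix list is needed for co.uk and friends)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Pairs every <a href> with the text displayed inside it."""
    def __init__(self):
        super().__init__()
        self.links = []        # list of (href, visible_text)
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_mismatched_links(html):
    """Return (visible_text, href) for links whose displayed hostname and
    actual target are in different registrable domains."""
    parser = LinkCollector()
    parser.feed(html)
    suspicious = []
    for href, text in parser.links:
        m = HOST_IN_TEXT.search(text)
        if not m:
            continue           # "click here" style text: nothing to compare
        shown = registrable_domain(m.group(1))
        target = registrable_domain(urlsplit(href).hostname or "")
        if shown != target:
            suspicious.append((text, href))
    return suspicious


# Constructed sample modelled on the "Want to buy your item" message.
SAMPLE_MESSAGE = """
<p>Please look at the link bellow with the eror.</p>
<p><a href="http://203.0.113.7/.ebay/signin.html">http://cgi.ebay.com/ws/eBayISAPI.dll</a></p>
<p><a href="http://www.example.com/help">www.example.com/help</a></p>
<p><a href="http://203.0.113.7/.ebay/signin.html">click here</a></p>
"""

if __name__ == "__main__":
    for text, href in find_mismatched_links(SAMPLE_MESSAGE):
        print(f"displays {text!r} but goes to {href}")
```

Only the first link is reported: the second is honest, and the third ("click here") displays no hostname, so there is nothing to compare against. That last case is the limitation of this check; it catches the lookalike-URL trick, not every disguised link.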

Don't let your guard down. Phishers and crooks will keep cooking up new scams as long as other recipients keep falling for them.

Posted on September 14, 2005 at 03:24 PM

September 06, 2005

Yahoo and Phishing

I've been reticent about publicly announcing Web hosting services that do a lousy job of closing down phishing sites because it might give bad ideas to very bad people. But the cat is out of the bag when it comes to Yahoo. Richard Cox, CIO of Spamhaus, blew the whistle on Yahoo at a public speech in London. According to a report from the conference, Cox noted that Yahoo has registered over 5000 domains whose names contain the words "bank," "ebay," and "paypal"—they can't all be legit, and should be looked into.

This prompted me to look at the last few months of my phishing reports to Yahoo. These are reports that I send based on research for each phishing email message's primary link (the one that's normally hidden from view to those who open the messages in their email programs). I had a handful of domain names with the suspect words in them, but the following list comprises the majority of domains I reported that were both registered and hosted by Yahoo (WARNING: Most of these domains are now inactive, but some may still be alive—DO NOT ATTEMPT TO VISIT THE SITES):

  • login-user1422.info
  • login-user1937.info
  • login-user1962.info
  • login-user2112.info
  • login-user2332.info
  • login-user2419.info
  • login-user2626.info
  • login-user2728.info
  • login-user2783.info
  • login-user2891.info
  • login-user2947.info
  • login-user3114.info
  • login-user3664.info
  • login-user3839.info
  • login-user5231.com
  • login-user5336.info
  • login-user6613.info
  • login-user6996.info
  • login-user7687.info
  • login-user8341.info

I think it's time to send this list to the codebreakers at the National Security Agency (NSA). If they enter this list into a Cray, and let the supercomputer crunch on the data long enough, maybe—just maybe—they can find some kind of pattern that would help Yahoo detect when a potential phisher is trying to register a domain or set up a phishing Web site. If the Cray is busy, maybe there's an old Apple // lying around in a closet that could do the job.
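It doesn't take a Cray. As an added example (my code, not anything Yahoo or Spamhaus runs), here is a registration-time screen that uses the two signals this post and the Spamhaus remark point at: a brand word such as "bank," "ebay," or "paypal" in the name, and the login-word-plus-serial-number shape of the list above. The word lists and the threshold are my assumptions; the sample batch is the list from this post plus two ordinary names as controls.

```python
"""Added example (not from the original post): two cheap checks a registrar
could run over a batch of new domain names. Word lists, thresholds and the
two control names are assumptions made for the demonstration."""
import re

BRAND_WORDS = ("bank", "ebay", "paypal")          # per the Spamhaus remark
LOGIN_WORDS = ("login", "signin", "secure", "verify", "update", "account", "user")

# Shape of login-user2112.info: one to three login words joined by dashes,
# a run of digits, then the TLD.
TEMPLATE = re.compile(r"^(?:(?:" + "|".join(LOGIN_WORDS)
                      + r")-?){1,3}\d{2,}\.[a-z]{2,}$")


def score_domain(domain):
    """Return (score, reasons) for one name; higher deserves a human look.
    Substring matches will also hit names like 'bankruptcy-law.com', which
    is why this is a review queue, not an automatic refusal."""
    d = domain.lower().strip(".")
    score, reasons = 0, []
    for word in BRAND_WORDS:
        if word in d:
            score += 2
            reasons.append(f"brand word '{word}'")
    if TEMPLATE.match(d):
        score += 2
        reasons.append("login word plus serial number")
    return score, reasons


def skeleton(domain):
    """Collapse digit runs so serial names share one shape:
    login-user2112.info -> login-user#.info"""
    return re.sub(r"\d+", "#", domain.lower())


def serial_clusters(domains, min_size=3):
    """Group a batch by skeleton and return the groups of min_size or more,
    the 'pattern' in the list above that a per-name check would miss."""
    groups = {}
    for d in domains:
        groups.setdefault(skeleton(d), []).append(d)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_size}


def batch_review(domains, threshold=2):
    """Names scoring at or above threshold, with reasons, for manual review."""
    return [(d, s, r) for d in domains
            for s, r in [score_domain(d)] if s >= threshold]


# The domains listed in this post, plus two ordinary names as controls.
SAMPLE = [
    "login-user1422.info", "login-user1937.info", "login-user1962.info",
    "login-user2112.info", "login-user2332.info", "login-user2419.info",
    "login-user2626.info", "login-user2728.info", "login-user2783.info",
    "login-user2891.info", "login-user2947.info", "login-user3114.info",
    "login-user3664.info", "login-user3839.info", "login-user5231.com",
    "login-user5336.info", "login-user6613.info", "login-user6996.info",
    "login-user7687.info", "login-user8341.info",
    "acme-plumbing.com", "example.org",
]

if __name__ == "__main__":
    for d, s, reasons in batch_review(SAMPLE):
        print(f"{d:24} score={s}  {'; '.join(reasons)}")
    for shape, members in serial_clusters(SAMPLE).items():
        print(f"serial cluster {shape}: {len(members)} names")
```

Every login-user name scores on the template alone, and the batch check groups nineteen of them under one skeleton; the lone .com falls out of the cluster but is still caught by the per-name score. Neither check needs anything beyond the name itself.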

When I research these domains further, I find that most of them get hosted at a facility that is within a half-hour drive from here. If gas weren't so darned expensive, I'd think about going over there to pull a plug or two. In the meantime, despite my lickety-split reportage of these abuses, Yahoo manages to let these sites destroy people's lives for days on end. My guess is that Yahoo finally shuts them down not because of the phishing, but because they discover that the domain registration was paid for with a stolen credit card (sadly, the registration data looks to me to be identity info stolen from previous phishing successes). If it weren't for the chargeback, the sites might run forever.

There was a brief moment in time, noted here and here, when Yahoo reacted quickly and decisively. I was really jazzed about it. But that was a fleeting moment.

Kudos to Richard Cox. Perhaps the publicity from the conference will get Yahoo to do something. Anything.

Posted on September 06, 2005 at 12:05 PM

September 04, 2005

Phony Lottery Doesn't Add Up

While the Nigerian-style advance-fee fraud (a.k.a. 419 fraud) definitely bilks people out of a ton of money each year, I fear more for the recipients of the lottery scams that arrive via email. Unlike the long-winded, broken-English letters describing some hidden cash cache needing help getting out of a faraway country, the lottery letters are probably more plausible to the unwary recipient.

When I was a kid—here we go—there was a television program called The Millionaire. Each week a reclusive benefactor gave some deserving person one million tax-free dollars to do with as they pleased. I think it's everyone's dream to have a big wad of dough wind up in his or her lap without doing squat to earn, or even applying for it. You get picked simply because you exist.

And so, when an email arrives saying that you've won a Europe-based lottery that selected your address from 100,000,000 international email addresses, it's better than the Publishers Clearing House prize. In that contest, you may be a winner; in the email lottery, you are a winner. Woo hoo!

These letters include various official-looking pieces of information, such as a many-digit winning number, lotto code number, cryptic "file Ref number," and so on. All you have to do is contact someone (usually in Holland or Spain) by email or phone to claim your prize. Nine (or more) times out of ten, the email address is an account at netscape.net. This seems to be a favorite free email place for lottery scammers.

If you let yourself get caught up in the winning madness, you'll soon find that before you can get your grubby hands on the moolah, you'll have to pay some fees and taxes. It's all "standard procedure," mind you. Every winner has to pay them, you'll be told. Unfortunately, the lottery officials cannot deduct these expenses from your winnings. No, you have to wire them the funds before the prize money is released. What's several thousand dollars up front against a "sure-fire" win of a million Euros?

And that's where this scam gets its name: Advance Fee Fraud. You pay the money up front. You get bupkis in return. The scam is older than old. Only the medium has changed, allowing the scammers to con more and more hapless email users.

The lottery scam piece that got me on this particular rant started with a paragraph that failed to do the math:

We are please to announce you as one of the 12 lucky winners in the email lottery programme draw of the LOTERIA PRIMITIVA held on the 1st of september.2005.All 12 winning addresses were randomly selected from a batch of 100,000,000 international emails Your email address emerged along side with 12 others as a category 6 winner in this year's loteria primitiva award Draw.

So, there are 12 lucky winners. Me and 12 others. Wait....

Posted on September 04, 2005 at 08:14 PM
Yet Another Domain Mismatch

The Subject: line of this spam suspect is simply:

Subject: Product Information

Okay, it could be anything. But years (unfortunately) of experience led my intuition to believe it had something to do with medz.

The simple opening to the spam message (viewed only through the source code, mind you) was, indeed, a medzy pitch—the kind for some sort of male enhancement product:

Make HER happy and take a look at this.
Everything is privately shipped within 24 hours.

Seen this a gazillion times in one form or another.

And then comes the closing line to lure you to the Web site (URL partially obfuscated with "?" for your protection):

Further Information available at:

Oh, foolish me! For all these years, I was being told that the way to please a woman was with an enhanced something-or-other. Wrong! It's by learning how to play the guitar.

Posted on September 04, 2005 at 10:45 AM