Powered by Movable Type 3.121
Home The Book Training Events Tools Stats
Web log archive.
Dispatches Archive

« October 2005 | Main | December 2005 »

November 29, 2005

A Phony eBay Survey Phish Permalink

Last June I talked about brand name survey scams, and how I get very suspicious whenever one of these things lands in my inbox. On rare occasions (as noted in my Wall Street Journal experience), the messages are legit. One arrived today that didn't smell right, and could certainly lead plenty of eBay users to giving up valuable personal information.

Today's message, titled "Reward Survey," purported to be driven by eBay. The incentive was no less than a credit to my account. Here's the text of the message (actual URL disguised):

Dear Valued Member,

You have been chosen by the eBay online department to take part in our quick and easy 6 question survey. In return we will credit $20 to your account - Just for your time!

Helping us better understand how our customers feel benefits everyone. With the information collected we can decide to direct a number of changes to improve an expand our online service.

The information you provide us is all non-sensitive and anonymous - No part of it is handed down to any third party groups.
it will be stored in our secure database for maximum of 7 days while we process the results of this nationwide survey.
We kindly ask you to please spare two minutes of your time in taking part with this unique offer!

To Continue click on the link below:

http://www.[not_on_your_nellie].net/[more_blah_blah]


Many Thanks and Kind Regards -
eBay Customer Department

In checking the header details of the message, it was clear that eBay, itself, did not originate the message. As I discovered with my WSJ experience, however, this isn't uncommon, particularly when the survey job has been farmed out to an outside survey firm.

But a check of the domain registration of the active link destroyed any hint of legitimacy.

The domain was registered (literally) yesterday. The domain registration record didn't provide anything looking like a company name. The street address was in a form more suited to Europe or Russia. While the city was listed as "Denver," there were two country lines: one "Australia Capital"; the other "United States of America." The contact email address used the domain "beer.com."

Bottom line: There's no way on Earth that a company like eBay would have hired anyone with this kind of domain registration to operate on its behalf. And certainly not for a campaign designed in one day. These things take weeks to hammer out, get legal clearance, and so on.

Unfortunately, the world's eBay users have not yet read Spam Wars and may not be sufficiently suspicious about this stuff and know how to do the kind of modest, yet revealing, research I just described above. So, what would Joe/Jane EBay find if he/she were to click on the link?

I did this (safely) and captured the pages for you to see in Adobe Acrobat (PDF) format. You can view the screens at your leisure.

The first screen looks like a typical survey form. It asks various questions about the eBay service, and provides selections you can make to express your opinions. Then click "Continue." (Even if you leave all choices empty, the form is accepted—another giveaway that this form is merely window dressing.)

On the second page is the real payload of this scam. The form contains fields for you to enter your eBay username (but not password) and credit card info, including the security number on the back and PIN number if your card needs it. If you try to submit an empty form, the validation routine ignores the empty username field, but squawks about the empty credit card number field.

So, you see, this is not an eBay scam. It's the old credit card scam in eBay clothing. While the Web site plays a little more elaborate charade than others, it's to be expected. Phishers are desperate to reach even "phishing-savvy" recipients. This two-stage form (with the non-personal stuff in the first stage) might fool more recipients into thinking that eBay really wants their opinions—and will pay twenty simoleans for them.

Phishing still pays. Another phishing message I received this morning was one going after eBay account names and passwords. In tracking down the phony Web site, I discovered to my horror that not only had other recipients fallen for the ruse, but the idiot phisher set up the site to capture the data in an unencrypted text file. There, in all-too-plain view, was a list of victim IDs and passwords. Fortunately, the hosting service took down the site very quickly, so I can only hope that the phisher had not yet retrieved his booty.

Please, please, please...be careful out there. And tell your family and neighbors.

Posted on November 29, 2005 at 12:08 PM

November 15, 2005

Inside a Spammer's Template Permalink

Every once in awhile, a spammer's spewing machine goes haywire and fires out a message that reveals all of the placeholders in his template—placeholders that are supposed to be filled with real-looking (but truly phony) information. A lot of this bogus information is intended only for spam processing software or those of us humans who look at spam message headers for clues about their origin. Frankly, I wonder why spammers who use zombie PCs to relay their spam bother with concocting a phony header trail. I doubt that their "tricks" fool anyone.

I'll share with you one that got trapped in my server's "suspects" bin. From the looks of it, the message was going to be an eBay phishing message. Here it is verbatim except for a few disguised items to protect the innocent (me) and the clueless (the IP address of the swbell.net customer whose zombied PC was used to send it to me):


From #FROM_EMAIL@eBay.com Sat Nov 5 02:10:06 2005
Received: from xx-xx-xxx-xx.ded.swbell.net (gzqbaanmli@xx-xx-xxx-xx.ded.swbell.net [xx-xx-xxx-xx]) by dannyg.com (8.12.11) id jA599vMc040581 for <x@dannyg.com>; Sat, 5 Nov 2005 02:10:05 -0700 (MST
Received: from #RAND_LC_CHR#RAND_LC_CHR#RAND_LC_CHR#RAND_LC_CHR#RAND_LC_CHR.bilow.com (IDENT:0@#RAND_LC_CHR#RAND_LC_CHR#RAND_LC_CHR#RAND_LC_CHR#RAND_LC_CHR.bilow.com [#TO_DOMAIN]
     by #RAND_LC_CHR#RAND_LC_CHR#RAND_LC_CHR#RAND_LC_CHR#RAND_LC_CHR.beach.net (8.10.0.Beta12/8.10.0.Beta#RAND_DIGIT#RAND_DIGIT) with ESMTP id g26Iqxs0#RAND_DIGIT#RAND_DIGIT#RAND_DIGIT#RAND_DIGIT
     for <#FROM_EMAIL>; #RAND_DATE_TIME
Message-ID: <167#RAND_DIGIT#RAND_DIGIT5285.10#FROM_EMAIL>
Date: #RAND_DATE_TIME
From: "#FROM_NAME" <#FROM_EMAIL@eBay.com>

#TO_CC_HEADER
Subject: #SUBJECT
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

#MESSAGE_BODY

Each item beginning with "#" is a placeholder, followed by a label or key used to tell the merging program running on the zombie PC what kind of text to insert. For instance, "#FROM_EMAIL" is probably to be replaced with either a fixed predetermined "from" user ID or one from a list. Other placeholders include "#RAND_LC_CHR" (random lowercase character) and "#RAND_DIGIT" (random digit). Notice how header data commonly consists of sequences of random characters or digits, sometimes interspersed with fixed characters. For example, the second Received: header generates random-character server names for the bilow.com and beach.net domains. The Message-ID: header (sometimes used in correctly configured email servers to assign a trackable identifier to an outgoing message) has a combination of fixed and random numbers, followed by a repeat of the phony email user ID plugged in earlier.

Spammers who break various laws (e.g., using a zombied PC in the U.S.) cover their tracks pretty well—as far as the real source of the outgoing message goes. And given how phony a message's header information can be (all but the data that your own server adds to the header), I usually don't bother with anything past the top Received: header line (I don't have any further internal transfers in my system, so the top one is the one that my server adds—and at that, only the domain name and IP address inside the parentheses and square brackets are reliable).

You can learn all about email headers and other tricks in Spam Wars. If you're new to this stuff, they may look imposing and confusing. But with a little practice and handholding from the book, you'll become a pro in no time. Such knowledge can also help you determine if that email message appearing to come from your bank really did come from your bank.

Posted on November 15, 2005 at 12:15 PM

November 12, 2005

When Your eBay Account is Stolen Permalink

In Spam Wars, I describe a few scenarios of what can happen if you succumb to an eBay phisher and yield your account to a crook. A double-whammy occurs that not only ruins your account, but can also lead to another eBay user being scammed out of some big bucks. Very often there is also a third victim: an eBay seller whose legitimate auction data (description, photos, etc.) get lifted by the phishing crook.

Some such crooks are far more stupid than others, as is the case I noticed today.

I'm a fountain pen junky (fortunately my jones isn't too bad), so I came upon a legitimate eBay auction for a limited edition Mont Blanc pen no longer in production. The auction is still running, but as of this writing, it has been bid up to $1325.00 (if you use a Bic ballpoint, don't ask). As a limited edition pen, it is numbered—so-and-so out of thus-and-such. In this case, the pen on auction is number 0473/4810. The seller provides eight photos, describing the unused pen's condition thusly:

THE PEN IS UNTOUCHED, STILL WRAPPED IN ITS CELLOPHANE SARCOPHAGE. YOU ARE GETTING IT WITH ALL THE BOXES, ALL THE PAPERS IT CAME WITH FROM ARTHUR BROWN'S PEN SHOP IN MANHATTAN.

Now that's a description you don't see everyday...if ever. The seller takes payment via PayPal, has been an eBay member since 2001, and has a 100% percent feedback score of 591. The auction is a 7-day listing, and both the seller and item are located in the U.S. A check of the seller's recent feedback shows that he has been actively selling a variety of antique items (in fact "antiques" is part of his eBay ID). These and other clues would lead me to trust this offering as being legitimate if I were interested in this item.

Turning up in a search for the same item is another eBay auction with the exact same title. The auction is a 1-day listing, not a very common occurrence on eBay. But get this: The serial number of this second auction is 0473/4810. The description include the very same bit about the pen's "cellophane sarcophage" (in all caps) and its shop of origin. The eight photos are the same.

The seller for this second auction is different, however. He has been a member since 2002 and has a feedback rating of 47. He is located in Germany, and the pen, oddly enough, is located in China. The auction's currency denomination is in Pounds Sterling (GBP)—get out your atlas to follow this one. Oh, and payment has to be done either by wire transfer or Western Union transfer, the latter being highly recommended to speed the transaction. (Yah!)

I looked into the feedback of the seller shown for the second auction. He hasn't been that active recently, but the two auctions I could check are for a ragtag assortment of low-end general merchandise (apparel and home/garden goods). There are a bunch of one-day auctions currently running, all for limited edition pens.

My best guess is that the owner of the second auction's account fell victim to an eBay phisher's scam, yielding the account user name and password. The crook logged on with that combo, and changed the password so that only he can now run amok with the account. The rest is simple copying of existing legitimate auction descriptions and photos, hoping to catch a bargain shopper with a deal that (really is) too good to be true.

To offer a bogus numbered limited edition item while the real item is still on auction won't catch too many eBay buyers who are really into the category. As I write this, there are about 5 hours left on this crook's 10 auctions, and only a handful have single bids (although a couple of them for over 150GBP). If eBay can't close down these auctions in time (how convenient to do bogus 1-day auctions over a weekend), several folks may get swindled because they're letting greed override sanity. In the meantime, some who see both the legitimate and bogus auctions may call the real ones into question, costing the real seller some higher bids.

The guy who gave up his eBay account has also let the crook gain access to credit card and other personal info. His nightmare is just beginning.

Posted on November 12, 2005 at 04:56 PM

November 08, 2005

Adventures in Paranoia Permalink

One of the sides ("up" or "down," I can't figure which) of keeping a close eye on Internet scams and attacks is that I'm hypersensitive to things that just don't seem right. With such ample evidence that "they" are really "out to get" everyone, the slightest inconsistency or unexpected behavior causes all kinds of alarms to go off in my head.

Such was the case several weeks ago when I tried to log into my PayPal account.

I accessed the site by typing the secure PayPal address in my browser, and verifying that not only was the connection secure, but the encryption certificate looked correct. The site correctly read the browser cookie and had my PayPal ID pre-entered into the log-in field. This is another, albeit loose, confirmation that this was the real PayPal site.

I next entered my password. I don't let browsers automatically save and enter passwords to sites containing personal info on the outside chance that someone could steal my computer.

To my surprise, however, the site rejected my ID/password combination. Thinking that I perhaps made a typo in the password (it's a finger-twister), I tried again. No go. I toggled the CapsLock key on and off again, and tried once more. Nope.

By this time, bells and sirens are going off in my head, and my heart rate certainly jumped several notches. Had someone somehow gotten into my account and changed my password? Everything had worked fine a couple of weeks earlier when I made a payment through PayPal. What the fudge?

In the denial page is a link you can click to have PayPal email you a link to reset your password. To get that far, it turns out, you have to take a little identity test that includes portions of information that PayPal would have known from your original registration—not something that a crook could guess at. That looked legit to me. My last concern was that if a crook had gotten into my account, he or she would have changed the email address to deflect notifications away from me. If I "aced" the identity test and didn't get a quick email message, then I'd know the account had been cracked.

Lo and behold, I did receive a message from PayPal. Checking the message's headers, I confirmed that it really did come from PayPal, and I followed directions to get to a page where I could log on and reset my password.

Upon reaching that page, I thought I was going to stroke out. In the very first sentence of the page was a typographical error ("your" for "you"). Was this whole thing some elaborate charade? To what end, other than to gain control over my account?

Enough of the Web stuff. I wasn't going to enter another thing into a Web page form. Time to talk to a human being. At this point, I wondered if I could trust anything I was seeing at this so-called PayPal Web site. But I thought I'd give the support phone number a try, and see how things sound.

After more identity affirmations (they supplied some of the info that they had on file), I felt assured that I was really talking with PayPal. The support rep was quite well-equipped to help out. She could see the record of my login attempts (and none others), but didn't have an answer to why my password didn't work. To her credit, she expressly refused to reveal my password (I didn't ask for it—I already know it). That made me feel good.

We went through the "forgotten password" email sequence again, and I showed her the typo on the page that caused me to start behaving like the South Park character Tweek. Continuing on, when I tried to reset my password, the system wouldn't let me. Now she was perplexed, and placed me on hold. She had explained to me that their system monitors login attempts with bad passwords. When there are too many such attempts, they block the account. It made me wonder if someone had, indeed, tried to gain unauthorized access to my account, although she didn't see any login attempts other than mine.

After a few minutes and an apology for the delay, she asked me to try again, et voilà, it worked. I don't know what they did, nor what kind of glitch blocked access to my account. I asked, but she was not forthcoming—perhaps for the best.

All systems appeared normal, and there had been no unusual activity in my account. Under the heading of "trust, but verify," I kept a daily watch on the account (as I already do for my credit card). The crisis has passed without further ado.

This incident reminded me of my physician brother who, dozens of years ago, was about to undergo surgery to remove a small lump. His medical training taught him all the things that it could be, and that knowledge terrified him. Fortunately, the mass was completely benign, and there was a happy ending. Although not life-threatening, my PayPal situation could have been an indication of identity theft, something I'm not eager to experience and rectify. Having read about security breaches beyond the consumer's control, and having seen firsthand how far crooks will go to trick Internet users, I was terrified that I was perhaps a victim. Meanwhile, millions of Internet users are oblivious to the dangerous junk that slips into their computers without their knowledge (e.g., the stuff that installs from Sony BMG music CDs when played on a PC). Now that's terrifying.

Posted on November 08, 2005 at 01:46 PM
Even More on Phishers with Trojans Permalink

As a followup to a previous post, the folks at Web Sense Security Labs pursued the stuff that the Trojan Dropper drops. One of the things they found was a program that modifies a Windows Registry entry to redirect browser access intended for PayPal to a completely bogus site. Check out the screenshots. While the phishing message described there and in my post are cosmetically identical, the executable file names in the links differ. Perhaps the crook changed the file name after the Web Sense notice.

An alert user (but not alert enough to avoid clicking on the installer link in the first place) would hopefully notice that the bogus pages aren't being served up through a secure (https://) connection. Then again, such a user might be so focused on the possibility of losing his or her PayPal account (and any funds that might be in it), that they look only at the form fields, and not the Web page. Of course, even if the machine is infected with this nasty business, trying to trace the problem without antiviral software or firm knowledge of how the Windows Registry works would be next to impossible.

At least the site that hosted the original Trojan and bogus pages are now no longer active. Until they show up someplace else.

Posted on November 08, 2005 at 12:15 PM

November 05, 2005

More on Phishers With Trojans Permalink

I was so focused on the .exe file mentioned in my previous post that I didn't look that closely at the social engineering aspects of the complete message. The basic approach—"reporting" that they detected unusual login attempts for my account— isn't new. But the quantity of phony detail (some of it ridiculously funny) is new to me, as is the HTML source code of the message.

I therefore display in its entirety, the message as received—but with the offending links to the Trojan downloader removed for everyone's safety:

Security Measures - Are You Traveling?

PayPal is committed to maintaining a safe environment for its community of buyers and sellers. To protect the security of your account, PayPal employs some of the most advanced security systems in the world and our anti-fraud teams regularly screen the PayPal system for unusual activity.

We recently noted one or more attempts to log in to your account from a foreign country. If you accessed your account while traveling, the attempt(s) may have been initiated by you.

Because the behavior was unusual for your account, we would like to take an extra step to ensure your security and you will now be taken through a series of identity verification pages.

 
 IP Address  Time
 Country
80.69.115.16 Oct 27, 2005 12:47:01 PDT
Spain
80.69.115.16 Oct 29, 2005 18:37:55 PDT
Spain
217.160.77.45 Nov 14, 2005 16:42:16 PDT
Mexico
217.160.77.45 Nov 15, 2005 16:58:03 PDT
Mexico

Welcome to the PayPal Security Center. Here, you’ll find the latest information on how to buy and sell safely online. You’ll get tools to help keep you protected. And you’ll learn how we fight fraud 24/7 on your behalf. Stay protected, just click on the link and run the software.

Download ultimate PayPal Security Tool now!




Thank you for your prompt attention to this matter. Please understand that this is a security measure meant to help protect you and your account.

We apologize for any inconvenience.

If you choose to ignore our request, you leave us no choise but to temporaly suspend your account.

Thank you for using PayPal! The PayPal Team



PayPal Email ID:

All three links in the original message led to the Trojan .exe file, which is hosted on a Romanian server.

Aside from the occasional misspelling ("choise" for "choice"), the foreknowledge of someone supposedly logging into my account from Mexico 10 days from now is hysterical. But that probably still won't prevent many recipients from clicking on the link, installing the program, and handing their identities over to who-knows.

Posted on November 05, 2005 at 08:06 AM

November 04, 2005

Phishers Installing Trojans Permalink

Well, this is a new one for me. When scanning the source code of a PayPal phishing message, I saw that the operative link was not to a Web page or server script, but rather to a direct download of an executable program (with a .exe extension). Examining the data at the other end of the URL showed it to really be a Windows-based application program. Further investigation revealed that the program—which would normally be downloaded directly to a Windows user's machine—is, in fact, a Trojan Downloader.

A Trojan Downloader typically operates to install silently one or more programs embedded within the downloader. Those programs, in turn, fetch more programs that can do things such as disable virus protection, log keystrokes, and turn your PC into a slave in a botnet.

I'll keep saying it a million more times: Clicking on links in suspicious or unsolicited email messages can be lethal to your PC and your identity. Use the tips in Spam Wars to help you identify bad stuff safely before it can do you any harm.

Posted on November 04, 2005 at 07:20 PM

November 02, 2005

Scrubbing Random Word Lists Permalink

There is a concept in the direct marketing business called "scrubbing." In typical usage, it means that a mailer or telephone marketer compares his or her list of prospects against a list of those who don't want to receive solicitations. "Scrubbing the list" means removing the do-not-whatever names and numbers from the prospect list.

Stupid spammers could also help themselves by scrubbing potentially insulting words from lists used to fill in random placeholders in their messages. Here's how one medz spam announced itself to me today:

Subject: You can save few hundreds every month simpleton

No thanks, jerkface! [a non-random selection]

Posted on November 02, 2005 at 04:14 PM