Powered by Movable Type 3.121
Home The Book Training Events Tools Stats
Web log archive.
Dispatches Archive

« June 2007 | Main | August 2007 »

July 29, 2007

Test Your Scam Awareness Permalink

McAfee, the security software vendor, has a free online test everyone can take to see how well they know their email and web site scams. Focusing primarily on phishing sites and issues, takers of the ten-question quiz learn how well they can spot phony sites and email messages, as well as how much they know about general online security.

I've seen tests like these before, but they always fell short to my way of thinking because they didn't offer test takers enough information about the items in some of the questions. But this test is different. You'll commonly have to view the larger images of the web site screen captures to compare the good against the evil. Clues to which is which are embedded in different portions of the screens, as pointed out in the results page, where the warning signs are specifically pointed out.

Take the test, and aim for the Safety Guru perfect score.

Posted on July 29, 2007 at 12:29 PM

July 26, 2007

Answer to Caller Brian Permalink

I was today's guest on Doug Fabrizio's RadioWest program. You can listen to the program (18.8MB .mp3 file), if you like. The subject was one near and dear to my heart: Spam Wars (the book and the wars).

It's fun to take live calls on such shows because you never know what you're going to get. It really keeps me on my toes, while I try to provide a meaningful answer within a few sentences.

One caller had a question that I didn't answer as well as I should have. Allow me to elaborate a bit here because it's an important question that almost every email user faces at one point or another—even if you are spam-savvy.

This caller (I think it was Brian, but I'm not positive) had his own personal dot-com web domain, which he uses for family and friends. He had received an unsolicited message from a domain broker who was inquiring about Brian's copyright of his own domain name and what issue there might be if it were registered by someone else at a dot-cn (.cn) domain, signifying China. Was this a legitimate inquiry? How would one find out?

My immediate advice was to ignore the message, and certainly avoid clicking any link that might be in it. That someone in China would be concerned about a U.S. copyright holder is a bit of a laugh (just ask the copyright police of today's fashionable brand name companies facing Chinese knockoffs).

Without seeing the actual message, I couldn't determine exactly what the goal of the message was. My guess, however, is that it was a domain broker who was trying to scare our caller into registering his domain name in China to avoid being trademark-hijacked. I'll probably get one of these messages wanting me to do the same for spamwars.cn (which does not currently resolve on the web).

Another route to inquiring about the legitimacy of the offering—this is what I didn't mention—is to use Google to search for other references to the firm making the offer. Google is your friend for these kinds of inquiries. If within the first few results pages you see listings (blogs—woohoo!) by other people who have either received the same message or had business dealings with the firm, you can learn a lot. In fact, if absolutely nothing came up on the company (other than its own web site), I'd take that to mean the offer is a fly-by-night deal, and should be avoided.

The bottom line still holds, however. Don't visit the spamvertised web site until you have verified its legitimacy through multiple third parties.

Posted on July 26, 2007 at 01:37 PM

July 17, 2007

The Wild Wild West (of Spam) Permalink

The worldwide nature of the Internet and, by extension, any less-than-desirable activity is one of the major sticking points among antispam devotees. I can only shake my head when I receive a spam like the following from a company I'll rename here as SPAM_HOST:

We offer Bullet Proof dedicated servers & Antiabuse hosting for direct mailing, all types of adults, logs, fakes and other projects.

We have:
· 100 Mbit channel
· Guaranteed uninterrupted power supply
· Support service
· Anonymity
· Remote access to power supply (APC PDU)

Standard server configuration: Pentium 4 3.0G/DDR2 1024Mb/HDD 80Gb Sata2

Also, any configuration can be ordered.

After the server will be ordered setup is done within 24 hours.

All types of spam is allowed.

You can pay us by:
- webmoney
- E-gold
- paypal
- wire transfer

If you have any questions, please contact us:
icq: [number removed]
www: http://www.SPAM_HOST.com
tel: [Belarus telephone number removed]

Thank you for your time and attention!
Best regards, SPAM_HOST.

Here's an outfit bragging that its goal is to make money by being (supposedly) immune to antispam or antiabuse filtering. The message, as expected, was delivered through a bot-net.

I then looked at the domain registration information for the outfit. Although some fields were correct (admitting to be from Belarus, and offering the same phone number as in the spam), other fields, such as the street or mailing address, were devoid of information.

It is sometimes possible to wreak havoc with an ill-intentioned online company by challenging an incomplete or bogus domain registration with the registrar. Unfortunately, that is not an option in this case: The company is, itself, the domain registrar for its own domain.

Oy!

Posted on July 17, 2007 at 11:52 AM

July 15, 2007

Amazon.com--Phish or Phor Real? Permalink

I had posted the following on July 12, 2007:

I am currently investigating a potentially serious issue of an email message that—by all hallmarks in the message headers and URL in the body source code of the message—looks to come from Amazon.com. The message subject concerns the account password. The problem is, Amazon.com has no record of sending that message.

Until I can get a resolution about what's going on, my advice is to not follow any link in any email message you receive from Amazon.com. Instead, visit the site through other means (e.g., bookmark, or typing the amazon.com URL into the browser's Address field), then log onto your account only through the web site.

Stay tuned...

Here is the message that started this whole mess:

Date: 12 Jul 2007 09:05:45 -0700
To: [removed]@dannyg.com
From: "account-update@amazon.com" <account-update@amazon.com>
Subject: Amazon.com Password Assistance

Greetings from Amazon.com.

Click the link below to go to Step 3 to reset your password using our
secure server:

https://www.amazon.com/gp/css/account/forgot-password/redeem-forgotten-password-token.html?token=[47-character string deleted]

If clicking doesn't seem to work, you can copy and paste the link into your browser's address window, or retype it there. Once you have returned to Amazon.com, we will give instructions for resetting your password.

Thank you for visiting Amazon.com!

-------------------------------------------------------------
Amazon.com
http://www.Amazon.com/
-------------------------------------------------------------

At first glance—without looking at the message's headers or source code—it looked like a fairly typical attempt at phishing for my username and password. There was no information in the body that contained personalized data, such as my name, or anything else about my account. And then there's the recommendation to click on the link. Needless to say, phishing phlags were waving all around this one.

Looking further into the matter, I checked the message's headers. The only absolutely unforged line is the Received: header line written to the message by my own email server. It read:

Received: from mm-notify-out-1102.amazon.com (mm-notify-out-1102.amazon.com [207.171.164.40]) by dannyg.com (8.12.11.20060614) id l6CG5nXk091012 for <[removed]@dannyg.com>; Thu, 12 Jul 2007 10:05:50 -0600 (MDT)

The IP address in square brackets is the address that the sending server used to identify itself for the email transaction. My email server did a reverse DNS (rDNS) lookup of that IP address, and showed the identity right before the square brackets (inside the parentheses): mm-notify-out-1102.amazon.com. That sure looked like a real amazon.com server, and it matched the way the server identified itself during the transaction (the server name right after "Received: from").

I had never encountered a forging of rDNS in a phishing message, but I was open to the possibility. As one more check, I did my own DNS search on the IP address. That IP is, indeed, within a very large block owned by Amazon. There was no doubt in my mind that this message originated from a real amazon.com server.

What about the link in the message body? The URL was not one of those phony HTML tricks, where the body author writes one URL for display, but the HTML is coded with an entirely different URL to an Evil Site. In fact, this message was not delivered as HTML, but as plain text (how I like 'em). The destination of the link was to the real amazon.com web site.

At this point, everything pointed to the message being legitimate. The problem, however, is that I had not been trying to log into my account prior to receiving this message. This is precisely the type of message I would expect to receive from amazon.com if I had forgotten my password and clicked the "Forgot password?" link at a login page. But I didn't click that link.

That led me to the next obvious thought: Someone had been trying to access my account (trying to break my password). Either he clicked the link, or (less likely, and I hope not) perhaps amazon's server is set up to reset the password after a certain number of failed attempts.

This came to mind because of an incident I had with Paypal a while back. Paypal refused to let me access my account. It turned out that someone had been trying to hack into my account. After a fixed number of failed attempts, Paypal simply blocked all access to the account. A phone call to their support folks revealed that the login attempts came from IP addresses far from my own.

To verify that everything was still OK at Amazon, I wasn't going to use the link supplied in the message just yet. Instead, I visited amazon.com my usual way, and logged in through the usual process. Everything worked fine.

I contacted Amazon's support department through its email system. Because I didn't suspect the message as being a phishing message, I didn't bother sending along a copy. But I did ask if someone had been trying to log into my account earlier that morning; if so, what were the IP addresses? In fact, here is what I submitted:

I received a Password Assistance notification (truly from amazon.com, mailed from mm-notify-out-1102.amazon.com [207.171.164.40]) as if I had clicked on the "forgot password" link. But I had not tried to log into my account in the hours prior to that email message.

This makes be believe that someone may have tried to hack into my
account. I am able to access my account with my original password,
so no changes are needed.

Do you have a record of attempts to log into my account from 0600-
0915 PDT on 12 July 2007? If so do you have the IP addresses of
those attempts?


Here's the response I received:

Thank you for writing to us at Amazon.com.

The e-mail you received was not from Amazon.com. We are
investigating the situation, and we appreciate you letting us know
that you received this.

[Tons more stuff on phishing omitted.]

Whoa! Stop! Halt! Not from Amazon.com? WTF?

Time to get on the phone to Amazon. Of course, when you get on the phone to Amazon, you're actually tunneling your way to south Asia via VOIP—the type of support call connection I've grown to dislike.

The call taker was courteous (almost too courteous, if you know what I mean), and repeated back to me almost everything I said (assuming she's typing madly into her terminal). After a bit of checking, she was able to look into the record of email messages sent to me by Amazon. That's a nice tracking system, to say the least. But the bottom line was that Amazon had no record of having sent me the password assistance message.

My Amazon lady didn't seem very concerned, but I certainly was—for Amazon's sake, not mine. By all indications, somehow someone managed to get Amazon's real email server to send a potential phishing message to one of its real customers. Was the destination link perhaps some rogue directory on Amazon's web server that could get unsuspecting visitors to give away their usernames and passwords right under Amazon's nose? When you've learned about as much cyber-criminal activity on the Internet as I have, the scenario machine can go into overdrive.

As I've lamented many times before, it's next to impossible for an ordinary citizen to get potentially valuable security issues in front of the right people quickly at large organizations. It's as if they believe their systems are infallible, and thus there is no reason for anyone outside the company to make contact except for things like checking on an order.

Figuring that my best approach would be to follow procedure, I walked through Amazon's phishing pages—after all, Amazon, itself, told me this was a phishing message. I submitted the full deal, in an effort to demonstrate that this message really did come from Amazon, and they didn't know it.

While I slept, the following response arrived:

Thank you for contacting us at Amazon.com.

We apologize for any concern our recent e-mail regarding your Amazon
password may have caused.

This e-mail was sent in error, and you may safely ignore it if you did
not request a password change.

If you clicked the link in the e-mail and entered a new password, this
change will be reflected in your Amazon account, and you'll need to
use this new password to access your Amazon account.

Thank you for shopping at Amazon.com.

The message was sent in error? That's all there is to it? I got all worked up for nothing?

On the one hand, that response really popped my balloon; on the other hand, I'm glad that Amazon thinks everything is cool with their system, and that no one had been attacking my account. Maybe my issue helped them find a gap or bug somewhere in their system. I'll never know, and large companies like this aren't likely to disclose such issues. Amazon's customer service inquiry responses exhibit a strange kind of detached, unemotional character. I don't think this last one was a canned response, but it feels rather robotic, doesn't it?

And thus ends a rather large non-event. I still won't click on that link—my password is working fine, thank you.

It's clear that I go to extremes before accepting an unexpected email message as valid, but I make no apologies for my suspicions. If the rest of the emailing public were only half as suspicious, there would be fewer compromised personal identities and PCs in the world.

Posted on July 15, 2007 at 11:49 AM

July 07, 2007

Internet Bandwidth is a Terrible Thing to Waste Permalink

The number of what I rate as "dictionary attacks" was consistently high this week, peaking at 11,125 attempts on one day, July 5, 2007. While I don't meticulously pore over each day's logs, I was curious to see if, as has happened in the past, this high level was due to a particular attacker. A couple of years ago, for example, there was a 10,000+ attack that reached my server in less than a minute from a Canadian IP address. A few months ago, I noticed that such attacks were more widely distributed across IP addresses, each attack consisting of, say, ten attempts at finding a valid username—presumably to avoid detection by servers smart enough to recognize the older, more massive type of attack.

So, I started looking through the log for the 11,125 attack day. Instead of finding big blocks of multiple username attempts with each connection, I found that by far most attempts involved a single username from a single connection from a single IP address, spread throughout the 24-hour period. There were often multiple attempts on the same user name from separate IP addresses.

This is clearly a sign of bot-net activity. To escape being singled out as a spam machine, the bots are instructed to try just one username at a domain at a time, and not too frequently at that. Instructing multiple bots to give it a go means that more than one zombie may try the same username. Thus, spread across a one-hour period, there were 55 attempts to send to the username (pulled at random from the log) veneersprolix from hijacked computers at 55 IP addresses from around the world.

Two points strike me about this observed behavior.

First, I have in this one day's log file, the IP addresses of thousands of compromised computers. If only there were the mechanisms and wills of ISPs to force the owners of these computers to start ridding their machines of their infections, I'd report them in an instant. As things stand, however, it's a waste of time. That makes me sad.

Second, the amount of Internet traffic spent on this type of botnet activity—in search of new, valid email addresses to spam, and then possibly infect their owners' machines—must be an enormous drain on the globe's Internet bandwidth resources. Although the criminals behind this activity aren't paying for that bandwidth, somebody is. Ultimately, it's you and me. And that makes me mad.

Posted on July 07, 2007 at 09:02 AM