« "Does Anyone Fall for Lottery Scams?" You Ask | Main | eBay Phishing for High Value Accounts »
Home | The Book | Training | Events | Tools | Stats |
December 08, 2007
Wrong on So Many LevelsAn author of 45 books is, by nature, a bibliophile (lover of books). I can't help it. When I was in the Eisenhower-era third or fourth grade, my elementary school belonged to a program that let students buy books (not the textbooks) right in the classroom—probably some program that a publisher or distributor sold to the school district to provide kickbacks to the district (ah, the cynicism of middle-to-old age). I don't remember much about the selections (the catalog must have been well-sanitized for our protection), but those rare days when the books arrived were my happiest days of the otherwise desperately long school year.
Thus, the Subject: line in my email program's Spam folder peaked my curiosity:
New amazing shopping place for books [removed].com
I didn't recognize the domain name at all. It sounded like something in a foreign language, perhaps from South Asia. For a reason I'll never be able to fathom, I am on a lot of Malaysian spam lists, and the domain name for this spam sounded as though it could have been from there.
First things first. I opened the source code view of the message to look for any signs of nastiness, even though my email client is theoretically immune to the usual "phone home" and auto-download shenanigans. You can't be too careful these days.
The message was in plain text, so there was no HTML malarkey going on. But the content...well, I think I'd expect a bit more literacy from a bookseller:
HelloThe newest shopping place just start to work and we invite You to look us site. There You can bargain for the lowest price ever. Books aprox. for 4$ and lower. You must see that .
administration
www.[removed].com
This message is sent using [Removed] Server Professional Trial:
http://www.[removed].com/
Not wanting to assist this spammer in any way—including registering a hit on his web site—I started a typical investigation trail. I began with the domain registration. The identity was blocked through one of those domain cloaking services. For a commercial endeavor, that can't be a good sign. To his partial credit, the domain was registered in February of 2007, so it wasn't born yesterday.
Next I went to Google to see if the domain name (thankfully uncommon) garnered any hits elsewhere. I found a few listings that appeared to be affiliate sites ("buy 9 get 5 free" appeared in the Google summary), as well as several blog spam hits with links to the main site. Ugh, this was going to be painful. The main site, itself, showed up in Google's listing. Fortunately, Google had a cached copy of the page, which would allow me to view the home page without registering a hit with the actual site. Cool.
But before I would even do that, I bore in mind that Google has been linking to pages that have contained malware. Although Google has been working to clean that up, the fact a) that my invitation to the site came via spam, b) that the domain name record is cloaked, and c) that they use blog spam made me more than cautious. To be on the safe side, I viewed the HTML source code of the cached copy on the Mac's text-only Terminal program (using the curl command). I agree, it's like wearing two hazmat suits to clean up a spilled glass of milk, but I didn't want to give this spammer any chance of benefiting from his emission.
I saw no malware loading on the page, but there was a hit counter on another domain. Checking only the HTML source code prevented the hit counter from counting. Yay!
Based on what I read in the HTML source code (horribly coded, by the way), this site sells ebooks. It's not painfully clear from the home page because aside from being garbled English (no better than the spam message), details about what they do are few and far between. But links on the home page to download WinZip and Adobe Acrobat are dead giveaways.
With a bit more careful digging, I found a very long list of computer books this outfit offers (under "Business," go figure). My books get pirated quite a bit, especially the editions that come with a CD-ROM containing the PDF version of the book. It takes zero effort on the part of a pirate to compress the file and put it up on RapidShare and elsewhere for free download. My publishers' legal departments have staff whose jobs are to find these pirated copies and get them taken down. It was no surprise to find some of my books on the list.
Here's where it gets a bit interesting. Two editions of my JavaScript Bible appear on the list. Both editions (which were released in 2001—it's a long, boring story) are two editions earlier than the current 6th edition. We're talkin' Olde Schoole. But this "amazing shopping place for books" is charging money for these old ebooks. As partly described in the spam message, the sales premise for this "bookstore" is that interested buyers make an offer on however many titles they're interested in. There is no listed price per title, although the email message suggests prices are $4 or lower. Payment is made through PayPal and Skype Pay.
In looking through the rest of the list and other categories, I sensed that this list was awfully familiar. If I'm not mistaken, the inventory source for this "amazing shopping place for books" was a DVD available a few years ago that contained all of these titles already. The disc used to be offered on eBay (especially in the U.K.) for dirt cheap (like ten pounds for the entire collection). I had dozens of those auctions taken down. Some of the sellers then took my title off the displayed lists of titles, although I'm sure the books were still on the discs. I also alerted my publishers and author friends to pursue the same action whenever these unauthorized ebooks appeared on auction.
And so, we have a spammer trying to sell for real money pirated electronic copies of very outdated books (most already available for free download with a little digging) to unsuspecting suckers. It wouldn't surprise me if this spammer didn't buy a kind of kit containing the DVD and instructions how to spam using a free copy of the [Removed] Server software—all in an effort to start his own Internet business. If that's the case, I suspect that the only party who makes money on this deal is the guy selling the kit and the promise of Internet Riches.
The capper is that this spamvertiser of pirated property has the gall—no, the balls—to plaster a copyright notice at the bottom of his ugly-ass web site pages. All Rights Reserved. He can't possibly know what that means.
As for the true identity of this spammer, it's hard to say. The server software referenced in the message lets you essentially install an outgoing email server on your PC, allowing you to send email without going through your ISP's outgoing server. That's how computers that are members of a botnet convey their messages to escape being quantity-limited by an ISP's server. (I'm not saying that this particular server software isn't a legitimate program, but its mechanism appears to be the same as that used by zombies.) That the tagline appears in the spam message means that the spammer has outlasted the software's trial period, and doesn't appear to be ready to pay for it (surprise, surprise!).
The computer that sent the message was located not in South Asia, but in Lithuania, as likely as any place for this spammer to be waiting to Get Rich Quick on the Internet. I'll have to drop him a note and tell him to make sure he sends me my royalty checks.
Posted on December 08, 2007 at 10:56 AM