Powered by Movable Type 3.121
Home The Book Training Events Tools Stats
Web log archive.
Dispatches Archive

« December 2008 | Main | February 2009 »

January 30, 2009

Sorry to Burst Your Bubble Permalink

With Valentine's Day approaching, hucksters and crooks are ready to exploit the human need to be wanted or needed. A sex chat business has been swamping the spam lines today with this type of crap:

Subject: Your Friend Has an eCrush on You

Your Friend Has Sent You an eKiss!
#3316-233

To find out who has a crush on you go to:
http://[removed-cutsie-domain].com

Sincerely,

eKiss Rep 2973

A click of the link most likely earns a referral fee for the spammer, so somebody is making money off your curiosity. The final destination may also be a drive-by malware site, if you want to take your chances.

Seeing this old ruse of a secret admirer around Valentine's Day prompts me to reprint here a page or so from Spam Wars. Here is a list you should print out and tape to every email user's wall next to the computer screen:

  • You did not win a Dutch (or Spanish, German, or any other country’s) lottery.
  • Paypal, eBay, your financial institutions, and government agencies do not send emails with links to empty account information forms: They know your data when you visit their sites, so they can fill in most, if not all, form fields for you from their databases.
  • You cannot opt out of all spam by registering anyplace, for free or for a fee.
  • You will not receive an email warning about pending government litigation, especially a message that contains attachments of the “evidence.”
  • No one received email addressed to you by mistake, so the attachment does not contain messages intended for you.
  • You do not have a secret admirer.
  • Lisa did not just move into your area.
  • The free gift for which you’re supposed to register is worth less than the value of your “live” email address.
  • No order for anything will be shipped to you if you haven’t placed the order.
  • You have not received an e-card from an unnamed person you know (and if you did, the payload may be deadly).
  • Pay-per-view TV is not free.
  • Anonymous stock tips are for suckers.
  • You will lose money without ever having a chance to stuff envelopes at home in your free time.
  • You do not have a check waiting from a stranger.
  • Filling out surveys is not a road to riches.
  • You need a prescription for legal prescription medicines.
  • Excess fat doesn’t burn—except during exercise or on a barbecue.
  • No stranger is holding a highly valued “position” open just for you in a network marketing plan.
  • Eventually, you’ll be caught having a phony degree from an unaccredited college and be fired.
  • No self-respecting developer or marketer of antispam and antispyware software would have the gall to sell his products via spam.
  • Genuine new and upgradeable copies of multi-hundred-dollar Symantec, Adobe, and Microsoft software products cost a lot more than $30 to $60.
  • The form embedded in an email does not submit the information over a secure connection.

I accumulated this list back in 2004. One more item is worth adding to the list because of the number of people getting suckered out of large amounts of dough in recent years:

  • If a business transaction with an unknown party requires that you send money by wire for any reason, the entire deal is a fraud.

Still, the list holds up very well and goes to show you how much has not changed over the years.

Posted on January 30, 2009 at 08:51 AM

January 26, 2009

Could the Mac Warez Trojan Threat Be a Good Thing? Permalink

Reports are flowing in that a second pirated Mac software application has been "enhanced" to include malware capable of allowing Mac OS X computers to be pwned. Las week it was iWork '09. This week it's Adobe Photoshop CS4, a significantly more expensive program that is therefore welcomed by thieves (who probably wouldn't know the first thing about how to use it).

I'm hoping that this practice of Worse Guys (malware distributors) invading the space of Bad Guys (pirates) spreads like wildfire, including pirated Windows apps. If pirated software earns a widespread reputation of being laden with malware, the whole warez thing could collapse. Could it take the "OEM software" spam business with it? I mean products spammed in that fashion are nothing more than pirated free software for which suckers pay real money under the pretense of respectability.

I think the OEM software crooks should pick fights with both warez pirates and malware authors to keep their businesses intact. (I'm trying to start a gang war in the parking lot.)

On the other hand, teenagers and college kids who bathe themselves in pirated warez, have this innate sense of invincibility — "nothing can hurt my computer!" The more skulls and crossbones attached to a potentially computer-lethal concoction, the more likely they'll download, install, and be pwned.

[Sigh] What was I thinking?

Posted on January 26, 2009 at 09:11 AM

January 21, 2009

Google Group Spamvertising Permalink

I've seen an upsurge in spammers using a Google Group as a spamvertising link destination. This is a way for spammers to include links in their spam that might not get content-filtered.

Once you have set up a free Google account, setting up a group requires no more than filling out three text boxes, clicking one radio button, and clicking a Submit button. The home page for the group then can hold HTML, such as a large image acting as a link to the real spamvertising web site.

That's all the spammers are doing. There are no discussion messages, no members, no nothing that Google Groups are supposed to be all about. Just free web hosting space for an image (sourced from an outside server) and link.

Spam that advertises this way isn't using the group's email to send the messages. In other words, unlike some crap that an occasional Yahoo! Group member tries to pull, your email address hasn't been added to a member's list without your permission. These Googley spams are sent through botnets. Thus, there is nothing in Google's Terms of Service that makes these "groups" out of bounds. The TOS is all about what can be posted in the group, not how you get people to the group, even if by illegal means.

Just another example of how Bad Guys abuse Good Stuff on the Internet.

Posted on January 21, 2009 at 10:41 AM

January 17, 2009

The Subtleties of Language Permalink

Here is an actual Subject: line of an email I saw:

Subject: Find the second half is very simple

When I see the words second half, I envision a sporting event. And, since it's near the end of football season here in the U.S., my mind's eye pictures a front line of padded and helmeted behemoths ready to tear an opponent's head off.

Unfortunately for the spammer, my mental picture was thrown askew by the message body:

Can not find the second half? Want to meet a loving wife and mother of their children?
Luxury Russian Queen is what you need... just visit http://www.[removed]-m0dels.com/?idAff=8

best regards, Nina(owner)

Oh, you mean other half.

I'm not about to follow that link for two reasons. First, unknown web sites promising to display photos of women are typically vectors for malware. Even though my Mac is probably protected from those types of "drive-by" attempts, the second reason for not visiting kicks in. Note that the URL includes an affiliate ID. My visit to the site might put some kopeks into the pocket of the spammer. Forget it.

I'm also not interested in spending time viewing pictures of Russian women built like left guards getting ready to play the second half.

Posted on January 17, 2009 at 11:07 AM

January 13, 2009

Interesting Phishing Angle Permalink

I don't recall seeing the trick used in a PayPal phishing message I saw today. If a phisher can get his message into your inbox, his next goal is to get you to fill out a form with your username/password credentials (if not even more personal data).

At the same time, more consumers may be heeding advice about not clicking on links in email messages because they can be spoofed to lead to bad places that imitate good places. What first struck me about today's phishing message was that there was no link of any kind in the body:

Subject: 1 new e-mail successfully added

Dear PayPal member,

You have added [removed]@sbcglobal.net as a new email address for your PayPal account.

If you did not authorize this change, check with family members and others who may have access to your account first. If you still feel that an unauthorized person has changed your email, submit the form attached to your email in order to keep your original email and restore your PayPal account.


Thank you for using PayPal!
The PayPal Team

Please do not reply to this email.
This mailbox is not monitored and you will not receive a response.

----------------------------------------------------------------------------------------
Copyright © 1999-2009 PayPal. All rights reserved.

PayPal Email ID PP007

I've removed the sbcglobal.net account name just in case it's a legitimate address belonging to a non-criminal. Of course, any phishing expert would realize that the message didn't address the recipient by name, which PayPal's real messages do.

So, then I went to check out the attachment. The file is named:

Email.reset.form.pdf.html

Now, a lot of non-techy Windows users still have the default preference set to not display filename extensions. All that choice does, however, is strip off the last extension if there are multiples. Therefore, a Windows-using recipient seeing the attachment might think it's an Adobe Acrobat file. They might also not know that a PDF file can be loaded with malware, but might trust it anyway, and open it up. When they do, the HTML file will open in their default web browser (and we know which one that will be).

The attachment is properly base64-encoded, and is, indeed, an HTML file—but a file with nothing but a blank document and a <meta> refresh tag, which causes the browser to redirect immediately to a URL whose web page can look like anything...including a phony PayPal login page.

Fortunately for this particular message, the destination URL was already disabled when I tried to check it. That may be because the URL had been used for other nefarious purposes earlier:

http://[removed DSL location]/stimulus/refund/refund.html

Yes, the URL appears to have been used for a phony IRS economic stimulus refund phishing scam. Once a crook, always a crook, I guess.

The real bottom line of this exercise is that the more frightening-sounding the Subject: line and the bigger shot of adrenalin that rushes through you when reading an unexpected email message, the more likely it's a complete scam. Phishers, other scammers, and spammers want to drive you to act. If you let them pull your strings, yank your chain, get you to jump, they've won. If you can't filter out their messages before they get to your inbox, then your best defense is to not even let them know you're alive. Ignore-ance is bliss.

Posted on January 13, 2009 at 02:58 PM

January 11, 2009

A 100% Opt-in Only Newsletter. Oh, Really! Permalink

The latest pump-and-dump stock spam has been arriving under the guise of an outfit named SmartTraders (hyping an energy stock). I don't know if such an organization really exists. The messages have forged From: addresses, and the originating servers are all over the place—likely from botnetted PCs. No legitimate emailing company would take such CAN-SPAM-flaunting risks.

As if to make the spam sound like it's a legitimate stock newsletter, look at this B.S. (not Bachelor of Science) compliance statement near the end:

SmartTraders may receive compensation. In order to be in full compliance with the Securities Act of 1933, Section 17(b), SmartTraders discloses compensation in our disclaimer for our efforts in presenting and disseminating information contained herein. Unauthorized use, dissemination in whole or in part, disclosure, distribution or copying of this private email is prohibited without written consent. SmartTraders received $800 compensation from a third party for dissemination of company news. SmartTraders encourages readers to review the investing information available from the Securities and Exchange Commission ("SEC") and/or the National Association of Securities Dealers ("NASD") The NASD has published information on how to invest carefully at its web site.

This reminds me of the pre-CAN-SPAM days when spammers would cite a U.S. Senate bill number that was supposed to make recipients believe the message complied with government regulations (the bill never left the Senate).

And then this pump-a-dumper ends with a classic:

This is a 100% opt-in only newsletter intended for a specific audience. To unsubscribe please Reply with "Unsubscribe" in the header

Don't try to assign logic to the assemblage of those two sentences. Your brain will explode, like the sci-fi movie robot that blows up when a confronting human tells it that everything he (the human) says is a lie.

Posted on January 11, 2009 at 11:58 PM

January 09, 2009

Another Look Inside a Spam Message Permalink

A few weeks ago, I wrote about how one spam campaign embedded spam filter hash busting words within an HTML <style> tag to hide the text from view. At the time, I wondered if the words had been carefully selected to help the message get past content filters. A subsequent barrage showed me that the word list was not sacrosanct.

Today, I saw another spew of this campaign, but this time the spammer failed to configure his botnet properly, and some of the inside guts spilled out onto the floor:

From: <Colleen@7{%RND_WRD%}399.com>
To: <[removed]@dannyg.com>
Subject: loved your pics
Date: Fri, 09 Jan 2009 19:32:01 GMT
MIME-Version: 1.0
Message-Id: <8352238119.1090941034596498409@stc.7{%RND_WRD%}647.com>
X-Priority: 3
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Return-Path: Brittany@3{%RND_WRD%}998.com


<html>
<body>

<br />
waaaaaasup<br>Loved your pics hun..good profile too i would love to chat if your around tonight<br>Add me to your buddylist on msn<br>Lets Chat on YAHOO or MSN Messenger plz. add me [removed]@yahoo.com<Br><br>Talk to you soon!
</body>
<style>
{%RND_WRD%};{%RND_WRD%};{%RND_WRD%};{%RND_WRD%};{%RND_WRD%};{%RND_WRD%};{%RND_WRD%};{%RND_WRD%};{%RND_WRD%};{%RND_WRD%};
...[a total of 156 of these]...
{%RND_WRD%};{%RND_WRD%};{%RND_WRD%};
</style>
</html>

Part of the misconfiguration caused the raw HTML and part of a second header to be displayed in the message body. But more revealing is the fact that the spam-sending robot didn't replace the {%RND_WRD%} placeholders with random words from a word list presumably provided by the spammer. It has exactly the same number of slots as there were hash-busting words in the earlier message.

Note, too, that such random words are supposed to be inserted into lines intended to be in the message's header, including return email address domain names and one line (Message-Id:), which—in normal email communications—is commonly added by the initiating email server. This message serves as one more example of how the only header information you can begin to trust is the stuff written by your own receiving server. For the worst spam, everything else in the header is pure fiction.

I'd really prefer that this message be so garbled that no one could make any sense out of it to respond. As it is, I don't know if I'd be hooking up with Juanita (the name in the hidden header that would appear in the inbox From column), Colleen, or Brittany. Or Vladimir.

Posted on January 09, 2009 at 01:13 PM

January 04, 2009

Another Confused Spammer Permalink

Can't keep his goofy campaigns straight:

Subject: Hump the best girls

You can save 75% with us! <http://pharm[removed].com>

Your discount code #nzzvqi.

Add some bootleg CDs to the mix, and we'll have sex, drugs, and rock-and-roll.

Posted on January 04, 2009 at 02:12 PM
About "podmena traffica test" Permalink

It seems that I'm not the only one receiving spammy messages whose body contains nothing but the following:

podmena traffica test

The Subject: lines are of the typical medz/watchez variety, and not always in well-constructed English:

  • New products supersite for you to find product you need.
  • Always be ready.
  • Get rid of terrible pounds!
  • Security and privacy guaranteed.
  • Worldwide delivery instantly to your home
  • Affordable prices on quality medications.
  • Don't pay a fortune for your watch.
  • the best presents for Christmas and Sylvester party

The From: plain-language names are, for the most part, realistic-sounding—although "Mohamed Clifford" might be a stretch. The sending machines are from all over the place, typically indicating that they come from infected PCs acting as members of a botnet.

So, what does the message or the existence of this message mean?

The text appears to have a Russian-language heritage. I'm no Russian expert, but some have suggested that the first word is transliterated from a Russian word having the meaning of "spoofing." Interestingly, I have found many instances around the Web in which blog comment posters—legitimate members of a blog, not blog spammers—have had their messages invisibly modified upon sending, so that the "podmena traffica test" phrase appears at the very beginning of the message they posted.

Affected posters, of course, blame the blog hosting software, but if that were so, then more than the odd message in an active thread would be affected. No, it has to be an infection embedded within the poster's PC...the same types of infected PCs sending out otherwise blank spam, but whose empty body has this phrase inserted at the start.

Receiving such spam messages is harmless (except for the aggravation), and because the botnet controller keeps sending these things, it makes it easy for spam filters to block them and report infected IP addresses to their providers. If you find that one of your blog comments had the phrase inserted without your knowledge, you are in deep doodoo. Shut 'er down, and clean 'er up.

UPDATE (5 Jan 2009): The "test" is over, and spam is spewing.

Posted on January 04, 2009 at 02:07 PM