A Dispatch


March 27, 2009

Phony Classmates Spam

People have love-hate relationships with Classmates, a site that tries to connect former school classmates. I had a very bad experience with them in the early days, wherein very soon after I signed up with a special address, that address became a spam target. I immediately severed my relationship with the site, and, well, that's one more no-longer-usable account name for the spamtrap list. I also object to some of their banner ads that suggest that they somehow know you are being sought by your old classmates—a preposterous idea. Other people I know haven't had the problems I experienced and use the service all the time.

All the more odd to find a spam message today that claims (in the highly forgeable From: header field) to come from classmates:

From: "Classmates Support Center" <announcecenter41@classmates.com>

More appalling, however, was the rest of the message:

Subject: Classmates private: Exotic Dancing (Last rated by Brittany Montano)

Announcements: Posted March 27, 2009

News from Classmates - Classmates Hot Body Dance Video Competition!
Today: "Girls in beautiful black underwear dancing in the pub, showing off perfect bodies. Unbelievable Final!"

Proceed to view full video:

http://classmates.messagecenter.disbursements.personalid-gjhqakl4r.authentication.[removed].com/registration.htm?/based/application=5uasps5kj90xc3b


Added 73 minutes ago. Message ID: CM-oxst28fjpgp2wxe
2009 Classmates, Get news as it happens.

This just seemed way too bizarre to be true, and, of course, the domain name of the link (if you know enough to get past the five (!) subdomains) is not classmates.com. The domain is one that was created way, way back earlier today.
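The mismatch described above can be checked mechanically. The following is an added example, not part of the original post: it compares the registrable domain of each link with the domain claimed in the From: header and counts the subdomain labels stacked in front of it. The function names are hypothetical, `example.com` stands in for the domain redacted as "[removed]", and the last-two-labels rule is a simplifying assumption.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample modeled on the message above; "example.com" stands in
# for the domain the post redacted as "[removed]".
SAMPLE_FROM = '"Classmates Support Center" <announcecenter41@classmates.com>'
SAMPLE_BODY = (
    "Proceed to view full video:\n"
    "http://classmates.messagecenter.disbursements.personalid-gjhqakl4r."
    "authentication.example.com/registration.htm?/based/application=5uasps5kj90xc3b\n"
)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def registrable_domain(host):
    """Naive last-two-labels rule (assumption): correct for .com-style
    names, wrong for suffixes like .co.uk; use a Public Suffix List
    library in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def check_links(from_header, body):
    """Return one finding per link whose registrable domain differs from
    the domain claimed in the From: header."""
    sender_domain = registrable_domain(parseaddr(from_header)[1].rpartition("@")[2])
    brand = sender_domain.split(".")[0]
    findings = []
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname or ""
        link_domain = registrable_domain(host)
        if link_domain == sender_domain:
            continue
        subdomains = host.split(".")[:-2]
        findings.append({
            "url": url,
            "claimed_domain": sender_domain,
            "link_domain": link_domain,
            "subdomain_count": len(subdomains),
            # Brand name used as a subdomain label to look legitimate.
            "brand_in_subdomain": brand in subdomains,
        })
    return findings

if __name__ == "__main__":
    for finding in check_links(SAMPLE_FROM, SAMPLE_BODY):
        print(finding)
```

A forged From: header makes the claimed domain itself untrustworthy, so a match here proves nothing; only the mismatch is a useful signal.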

I suspect that the destination page uses the old "install the codec to view the porn" trick to get visitors to install malware. The only boob you're going to see is yourself in the mirror once you find your PC is pwned.

The destination page might also query users for their classmates.com user IDs and passwords. Not that one's classmates.com account has much worth hijacking, but any pair of login credentials is gold because users tend to use the same pairs for multiple sites, including those whose accounts have real value. Automated crook systems are out there pounding every online financial institution and e-commerce site with known login credentials to gain access and bleed you dry.

Classmates.com does have lots of satisfied customers, and if those trusting souls receive this message, the unwitting ones will click the link and potentially get in big trouble. How about I threaten clickers with a black mark on their permanent records?

Posted on March 27, 2009 at 08:43 AM