Stupid Phishers

Last night at 10:20PM CST, the droid’s green status light started blinking. It was an email on one’s school email. Titled “An Important Message From The University of Minnesota”, the message claimed that one needed to provide information in order to retain one’s email account after a mail server upgrade. 25 minutes later the message was sent again. The email, in it’s textual entirety is as follows:

Dear Webmail User,

Due to high volume of unused account on our server and the upgrade of The University of Minnesota webmail Service, we hereby request every webmail account holders to submit the below information for our server upgrade purposes.





failure to submit the above information may lead to automatic closure of your webmail account as we are upgrading our server to serve you best.

We appreciate your continued co-operation.

Well, let’s see here. Let’s start with information the sender already had (if they were legitimate). Anyone that has a University of Minnesota email can find the full name of any UMN email address, so asking for one’s name was not necessary. Second, asking for one’s email address, why? Seriously, emails don’t just randomly appear in inboxes (well truth be told, gmail has delivered mail not addressed to one, in one’s inbox before).

Now onto the information that sender doesn’t need to know (to do their job, assuming they are legitimate). One’s password, which one did they want, the email one? Oh wait, with the way the University does its online authentication, the password would be one’s x500 password. The fact that the University uses a global authentication system means that the password is irrelevant for email servers (or any individual server for that matter). Never mind the fact that you should never, under any circumstances send a password via email (especially to unknown recipients). Finally, the request for one’s department. Well that one makes even less sense. One’s department is completely irrelevant to one’s University email account.

At one point, one was tempted to reply with fake information (possibly containing highly inflammatory language). Looking at the headers, one found that the email was sent through Yahoo’s mail servers (originating from, the reply to address was (feel free to sign this address up for copious amounts of spam, send fake replies to undermine their Phishing operations, or do both).

If all of that wasn’t enough to place the message into the spam/phisher bin there was the top image, linked from a non UMN website. The phisher also used a footer that official UMN email has not used for at least a semester now.

-John Havlik

[end of transmission, stay tuned]

Phone Spammers

On Wednesday, at 9:18am CDT someone called me from the number 800-465-7962. Since lecture just began, the call was ignored. One was going to ignore the call, especially since no message was left, however one is waiting for a call from PayPal in regards to a claim (a whole other story). When attempting to call back one received the message “We’re sorry that number does not exist…”. This morning another 800 number called, this time at 9:11am CDT and from the number 800-954-9358. Since one was on the bus, in the “Rider requested quite zone” the call was not answered again. And again, the caller did not leave a message. In the past one has received SMS spam, but never spam phone calls (no they’re not telemarketers when they call a cellphone, they’re spammers).

Due to the nature of 800 numbers, a very shady nature at that, little short of (or threat of) legal action against a member of the SMS/800 (think of them sort of like the RIAA/MPAA) will yield actual details of the organization that called. They claim they are protecting the identity of their customers, sure but one is their customer as well and some how one does not feel that one’s identity is protected. Sure, signing up for the do not call list should end it, but for many it does not, and why should one have to opt out of unsolicited annoyances?

Since there is no directory listing for cell phone numbers it’s interesting as to how one’s number was ever obtained. One generally does not give it out, the only remotely “free for all” place would be Facebook. What does this mean? If placing the blame on Facebook, then it’s either Facebook (which one does not use very often) is selling the phone numbers, or they are allowing spammers to operate bots on their site to harvest information. Neither possibility would be a surprise, Facebook has been going downhill ever since they opened up to the general public.

If the calls were not to one’s cell phone the annoyance would be minimal (pressing ‘2’ when picking up the phone is now a routine procedure (humans ignore it, most autodialers will claim to remove the number from their list)). Since one’s Motorola Razr v3c is over three years old, it’s battery life is about six hours of standby time at best. Any call has a great effect on useful battery life. In the event of an emergency, the energy wasted by the spammer could result in insufficient battery power to make a phone call. In this case, the spammer could, if brought to justice, found liable for any damages incurred due to the inability to seek assistance (a glorious day indeed). Maybe H1N1 will get to them first.

-John Havlik

[end of transmission, stay tuned]

New Spamming Tactics

Something caught one’s eye today, there was a new comment the seemed far too familiar. The chosen name for the commenter may have been a complete give away. However, one has seen people with legitimate comments use their website name as their alias. It did not take much effort to find where the comment’s body came from, they were one’s own words from a comment placed earlier on post–over a month ago. Differentiating between simple, and misguided plagiarism and spam required looking at, or in this case only the URI of, the site linked to as the commenter’s “website” (some World of Warcraft gold selling site).

This seems to be the “holy grail” of comment spam, producing “relevant” comments while linking to what ever site they are promoting. Spam Karma 2 even thought it was valid–SK2 is losing it’s effectiveness. While in this case the site was not relevant, the body of the comment was relevant to the discussion. It took plagiarism to accomplish it, but for people already breaking laws what’s another broken law (plagiarism is a form or copyright violation/theft).

To protect against this new breed of spam a few things could be done to resolve the issue. The first is, in the case of SK2, the comment author website URI needs to be checked against a distributed blacklist as all other URIs in the comment body are (SK2 probably already does this, but the site was not on the list yet). Secondly, comments should be checked for an “originality” percentage. Basically, this would compare it against other comments for the post, and then under the potential matches, find how close it is to them. This would prevent direct sentence, paragraph and comment plagiarism/lifting. Ultimately, making code behave as a human is the goal. If all else fails, improving the ability to find the person behind the spam so that justice may be brought to him (or her) would suffice.

-John Havlik

[end of transmission, stay tuned] Exploite

Even though things are updated regularly on this blog, an iframe based exploit was discovered today. Unlike the previous iframe attack, which came through a SQL injection, this one involved modified theme files. Unlike the previous iframe attack, this one’s payload does not appear to be malicious, rather it is spammy.

There are a few things that point to some level of sophistication in the injection. First off, the code was injected into the end of the header.php file, only on the active theme. Typically, a script kiddy will not bother figuring out which theme is in use and instead will carpet bomb the place with malicious code. Secondly, the modification date on the file matches the last time the header was uploaded from the testbed. No, the testbed’s code was not compromised. This points to a possible Windows exploit (yes the server still runs on Windows, unfortunately.) as any changes should have caused the modification date and time to update. Finally, rather than having the iframe hidden via CSS, there is a container div which is hidden instead, making it more difficult to have a general CSS rule to expose the iframe.

< div style="display:none" >< iframe src="" frameborder="0" height="1" width="1" > < iframe > < div >

That is the offending code. Spaces were added to prevent execution. Klikvp is the same as Klikvip which is a known spammer. The tricky sucker is using a wrapping div now. The good news is that WordPress Exploit Scanner will find this, so keeping it around and periodically scanning is a good thing to do. It doesn’t offer dashboard notifications like Iframe-b-gone does but it scans files and other things that Iframe-b-gone does not.

-John Havlik

[end of transmission, stay tuned]

Uninstall Captchas?

Software follows a life cycle on a computer, which begins with installation and ends in uninstallation. Uninstallation may happen for various reasons, new version of the software, free disk space for other things. Removing software should be less painful than installation. Software that is difficult to remove is evil. Viruses and spyware/malware typically make the removal process as painful as possible. Oddly enough Symantec does the same thing with their consumer grade “Security Software”.
Are you human?
While working on a computer for a neighbor, I came across a few tool bars and other general junk installed on the computer. Even though tool bars usually are not spyware, there is no reason to have the Google, Yahoo, and ask tool bars installed plus a few others. The uninstallers were one or two click installers, pretty standard stuff. Then came the odd software. No one knew what it was, but it was sitting on the installed applications list. Before uninstalling, the user was prompted to fill out a captcha to prove that they were not a computer. After filling it out the uninstall process proceeded as usual. A second software package had the same sort of thing, but it was a tad more sophisticated. It had animated noise bars. Either way, why are these software writers afraid of automated removal of their software? It is pretty obvious, they wrote malware.

What did it do? Well, the obvious thing was auto spawning and eating up 50% of the CPU resources (the system has a Pentium D 820 processor). It disguised itself as Internet Explorer (Why anyone still uses IE is beyond comprehension). Additionally it would cause periodic pop ups and a odd message alert prompt stating “Windows Explorer” when entering Control Panel.

-John Havlik

[end of transmission, stay tuned]