You are viewing tacit

Previous Entry | Next Entry

Polyamory and crime on the Internet

terminator
Note: Followups to this entry at http://tacit.livejournal.com/238112.html (part 1) and http://tacit.livejournal.com/240750.html (part 2)

UPDATED 13-December-07 10:50 EST Updates indicated in text
UPDATED2 14-December-07 1:05 PM EST Updates indicated in text
UPDATED3 14-December-07 2:00 PM EST Updates indicated in text
UPDATED4 02-January-08 2:44 PM EST Updates indicated in text

So I recently decided, like many folks do, to Google my name. I do this periodically, because it's always fun to see how many sites are linking to me (and I'm in the process of building a list of non-English mirrors of my polyamory site -- it's been translated into Polish, Hebrew, German, and a bunch of other languages, which is cool).

And in the process, I think I've discovered what might be one of the largest-scale cases of Web site hacking and virus distribution I've ever heard of.

A little background is in order. If you've used Google for any length of time, you probably know that when you Google popular keywords you'll often run into "spam pages." These are pages that are just stuffed full of keywords at random; in the Google search results, they will have titles like "tribadism fight scenes, free tribadism porn video Britney Spears, make money fast terrorism Iran big cock" and have excerpts that look like "she shoved it in and bridal hosiery wedding cake viagra fetish smurf Bible amateur transvestite video free vacation europe nymphomaniac ipod". These are spam pages; they are filled with hundreds of keywords, and if you click on them, you will be redirected to the spammer's site. They exist just to intercept popular Google searches and direct traffic wherever the spammers want it.

They are also popular with virus writers. Virus writers will create thousands of fake Web pages filled with popular keywords, then use those Web pages to servers that will attempt to automatically download viruses onto the computer of anyone running Windows who's unwary enough to click on them.

Okay, so.

Yesterday, I did a keyword search for my name. Normally, I get about nine pages of results; but yesterday, I got 56 pages of results, over 200 in all.

Most of these pages look like this:

The polyamory news franklin veaux mitt was rigid enough to prevent me from either closing them too hard or opening polyfamilies polyamory for the practical them too far. She raised my left hand and fastened it in a similar polyamory weekly podcast manner, into a similar latex mitten.society for human sexuality polyamory info "I just wondered. You were standing there with a dazed polyamory open wedding vows look on your face playing with that cucumber and I thought something might world polyamory association presentations and workshops franklin veaux. Once inside, he polyamory san diego quickly stripped off his apron and polyamory cape coral unfastened his belt and pants. It was nearly as big as Mark's, and open relationships polyamory that pleased her. Quickly unbuttoning her blouse to reveal her tits. page personal poly polyamory web He gently squeezed them, making her moan deep in her throat.





UPDATED3: I've looked at some of the random text on these pages, and it's not really random at all--it's a short porn story with random keywords seeded throughout it. It contains a number of statistically improbable phrases. One of these is "Ashley had always wanted to go there"--doing a Google search for that exact phrase results in 13,800 hits--nearly every single one of which is a spam redirector.




You get the idea. "Oh, well, this is interesting," thought I, "polyamory, and my name, have become popular enough Google web searches that the spammers are including them in spam pages now."

I clicked on some of these result links, curious to see who the spammer was and what site he was trying to direct traffic to.

And that's when things started to get weird. What I found was a very large, highly organized campaign to direct Web traffic to servers hosted in Eastern Europe that would infect visitors with a computer virus, all orchastrated by a single person or group of people and all being done by what appears to be a massive breach of hundreds and hundreds of hacked Web sites, all hosted by the same ISP--the largest single Web site security breach I've heard of.

If you want to keep going down the rabbit hole:

CAUTION * CAUTION * CAUTION The spam URLs given in this post redirect to virus droppers. If you are on a Windows machine using a normal Web browser, DO NOT click on these links. A text-based browser is safe to use, and the viruses affect only Windows machines and so will not hurt Mac or Linux systems.

The first Web site I found that contained one of these spam pages is on page 19 of the Google results for the search term "franklin veaux" (with quotes). It's on a site called patkolstad.org; the URL of the spammer redirect page is

http://patkolstad.org/images/ipmtt/har/ad/5/polyamory.html

The Web site at patkolstad.org belongs to a man named Pat Kolstad, who is one of the city councilmen in Santa Clara, CA. Not, in other words, a likely spammer interested in directing people to virus droppers in Eastern Europe. Clearly, his Web server has been hacked, and the redirectors have been placed on his server without his knowledge. I did a whois lookup on his domain name to see who his Web host is. He is hosted by ipowerweb, a cut-rate Web hosting company that advertises "Hosting over 700,000 Web sites!"

The next Web site I found that contains one of these spam pages is a place called u4info.net. It's a Chinese-language forum of some sort. The spam page is at

http://u4info.net/study/templates/subSilver/images/lang_english/nucrz/har/ad/5/polyamory.html

It looks like what happened here is pretty straightforward; the forum software has a security vulnerability, and the hackers used it to drop spam redirection pages into the forum template directory, right? Anyway, I did a whois on this site, and found that it is also hosted by ipowerweb. Interesting coincidence, I thought.

Next on the list is axlemike.com. It's a Web site for a business in Mesa, Arizona that recycles and rebuilds axles for trucks. The hacker apparently penetrated this site's security and placed a redirector at

http://axlemike.com/Catalog/image/Index2/wclyn/har/ad/1/polyamory.html

that goes to the same virus dropper. I looked up this site's hosting information; it's hosted at ipowerweb.com.

Okay, two is coincidence; three is starting to look like a trend.

I started skipping around, looking up the whois information for Web sites that contained obvious spam pages in the search.

indielegaldocs.com? Hosted by ipowerweb. theannuityvault.com? Hosted by ipowerweb. cntmicrosystems.com? Hosted by ipowerweb. sixgunband.com? Hosted by ipowerweb.

Every one of these Web sites, and hundreds and hundreds more, has been hacked. In every case, the hacker has placed pages filled with keywords related to polyamory, that redirect to virus droppers. And every one of them is hosted by the same Web hosting firm: ipowerweb.

I kept going. maggerific.com. footloosecanada.com. osynergyc.com. culpeperchristianschool.com. peoplethought.com. ansacnet.com. All hosted by ipowerweb. In fact, I kept this up for over an hour, checking hundreds of domains that had been hacked and had these redirector pages installed on them. ALL of them reside on servers owned by ipowerweb.com.

In other words, it appears that someone has figured out how to penetrate Web sites hosted by this hosting company at will, and has all at once placed Web pages on all of them which intercept popular Google keyword searches and redirect them to virus droppers.

ipowerweb boasts that it hosts over 700,000 Web sites. Think about that for a minute.

UPDATE: Apparently, this is nothing new. It seems ipowerweb.com is notorious across the Internet for their poor security, and sites hosted on ipowerweb.com can be hacked at will. This blog post claims that ipowerweb has known about their security issues for quite some time, and that the anti-malware organization Stop Badware reports that one out of every five compromised virus-dropping Web sites is hosted by ipowerweb.




I dropped an email to the abuse team at ipowerweb.com, letting them know that I had found a number of Web sites they were hosting had been compromised, and contained Web pages that redirected visitors to sites that tried to install viruses on their systems. I gave them a list of some of the URLs of the redirectors, and told them there were hundreds, if not thousands. more, and that they seemed to have a massive security breach on a huge scale.

Today, I got an email back that said "I have checked the web site (domain name) and noticed that there is no virus redirector files located at (redirector URL) . Please get back to us with link where exactly no virus redirector files are located so that we can take necessary action against this web site."

Well, hmm, that's odd, I thought, they were there yesterday.

I clicked on the links in the email that I'd sent, and sure enough, all of them showed 404: File Not Found errors. "Now that's damn odd," I thought.

I went back and repeated the Google search. The same comporomised servers came up. I clicked on the links in Google and found myself redirected to the virus droppers.

I clicked on the links in the email and found myself staring at a 404 File Not Found error.

I clicked on the links in Google and found myself at a virus dropper.

A light bulb went on. "Aha!" I thought. "I bet these redirectors hide themselves! If you visit one of these pages from Google, it'll redirect you; but if not, it won't!"

A little background is necessary for anyone who does not understand how the Web works. If you are on a Web site, and you click on a link to another site, your browser will tell the site you clicked on where you came from. For example, if you are reading my LiveJournal, and you click on a link to my SymToys site, your browser will tell my Symtoys site "I came from tacit.livejournal.com".

This is called a "referer." Your browser will tell any link you clicked on who the referer was--that is, where you clicked on the link.

My theory was that if the referer to one of these spam pages was set to anything but "google.com" the page would redirect to a 404 error; otherwise, it would redirect to the virus dropper.

To test this, I used a program called wget. This is a nifty little program that's sometimes used to troubleshoot malfunctioning Web servers. If you type "wget www.symtoys.com" on a command line, it will show you step by step every bit of communication between your computer and the symtoys.com server; that is, you'll be able to see the exact commands that a Web browser would send to www.symtoys.com, and the exact responses the server would send back.

You can tell wget to pretend to be just about any browser, and you can tell wget to pretend to have any referer you want. I picked one of the URLs of one of these redirectors, namely:

http://mdhardyinc.com/rclrn/har/ad/5/polyamory.html

Then I typed the command "wget http://mdhardyinc.com/rclrn/har/ad/5/polyamory.html" This is what I saw:

wget http://mdhardyinc.com/rclrn/har/ad/5/polyamory.html
--16:21:32-- http://mdhardyinc.com/rclrn/har/ad/5/polyamory.html
=> `polyamory.html'
Resolving mdhardyinc.com... done.
Connecting to mdhardyinc.com[66.235.203.135]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: /404 [following]
--16:21:34-- http://mdhardyinc.com/404
=> `404'
Connecting to mdhardyinc.com[66.235.203.135]:80... connected.
HTTP request sent, awaiting response... 404 Not Found
16:21:35 ERROR 404: Not Found.


It got a "file not found error. Then I used the same command, only this time I instructed wget to pretend that it had come from a link on Google:


wget --referer=http://www.google.com http://mdhardyinc.com/rclrn/har/ad/5/polyamory.html
--16:19:40-- http://mdhardyinc.com/rclrn/har/ad/5/polyamory.html
=> `polyamory.html'
Resolving mdhardyinc.com... done.
Connecting to mdhardyinc.com[66.235.203.135]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://traffloader.info/go.php?s=mdhardyinc.com&ver=6 [following]
--16:19:41-- http://traffloader.info/go.php?s=mdhardyinc.com&ver=6
=> `go.php?s=mdhardyinc.com&ver=6'
Resolving traffloader.info... done.
Connecting to traffloader.info[87.248.180.67]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.clipsfestival.com/movie1.php?id=4161&n=teen&bgcolor=000000 [following]
--16:19:43-- http://www.clipsfestival.com/movie1.php?id=4161&n=teen&bgcolor=000000
=> `movie1.php?id=4161&n=teen&bgcolor=000000'
Resolving www.clipsfestival.com... done.
Connecting to www.clipsfestival.com[82.208.18.109]:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://powerof3x.com/m2/movie1.php?id=4161&n=teen&bgcolor=000000 [following]
--16:19:45-- http://powerof3x.com/m2/movie1.php?id=4161&n=teen&bgcolor=000000
=> `movie1.php?id=4161&n=teen&bgcolor=000000'
Resolving powerof3x.com... done.
Connecting to powerof3x.com[85.255.118.156]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.3xpowered.com/m4/index.php?id=4161&n=&a=SatyrIconIc&v=928400.66666667&preview=http%3A%2F%2Fwww.3xfestival.com%2Fst%2Fthumbs%2F010%2F8859211374.jpg [following]
--16:19:47-- http://www.3xpowered.com/m4/index.php?id=4161&n=&a=SatyrIconIc&v=928400.66666667&preview=http%3A%2F%2Fwww.3xfestival.com%2Fst%2Fthumbs%2F010%2F8859211374.jpg
=> `index.php?id=4161&n=&a=SatyrIconIc&v=928400.66666667&preview=http%3A%2F%2Fwww.3xfestival.com%2Fst%2Fthumbs%2F010%2F8859211374.jpg'
Resolving www.3xpowered.com... done.
Connecting to www.3xpowered.com[85.255.115.180]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]

[ <=> ] 32,811 5.17K/s

16:20:03 (5.17 KB/s) - `index.php?id=4161&n=&a=SatyrIconIc&v=928400.66666667&preview=http%3A%2F%2Fwww.3xfestival.com%2Fst%2Fthumbs%2F010%2F8859211374.jpg' saved [32811]


Look at that!

Here is what is happening:

You go to one of these spam pages. If you came from anywhere but Google, you see a 404 file not found error. However, if you came from Google:

It sends you off to a Web site called "traffloader.info". Traffloader.info is a Web site hosted in the country of Moldova, a tiny Eastern European country that used to be part of the Soviet Union.

The traffloader.info Web site then picks one of three other Web sites at random, and redirects to that Web site. In this case, it randomly picked www.clipsfestival.com. Clipsfestival.com is a Web site in the Czech Republic, also in Eastern Europe.

Clipsfestival.com redirects to powerof3x.com. The server powerof3x.com is registered in the Ukraine, in Eastern Europe. It redirects to www.3xpowered.com, also registered in the Ukraine.

3xpowered.com is the virus dropper. When you go here, your computer will attempt to download an .exe file, which will, if downloaded and executed, infect your computer.




UPDATED2: A representative from ipowerweb has posted a reply in the comments saying that ipowerweb is actively working to clean up the problem, and working with Google to flag the redirectors in Google search results. However, new entries are appearing in Google search results this afternoon, from additional compromised ipowerweb sites.

These new entries work the same way, but redirect through a different chain of servers to a different virus dropper. An example of one of the new redirectors is at

http://www.nundachamber.com/img/.../qq33/02/polyamory.html

It redirects through a different set of Eastern European servers to a different virus dropper as follows:

wget --referer=http://www.google.com http://www.nundachamber.com/img/.../qq33/02/polyamory.html
--12:54:09-- http://www.nundachamber.com/img/.../qq33/02/polyamory.html
=> `polyamory.html'
Resolving www.nundachamber.com... done.
Connecting to www.nundachamber.com[66.235.211.83]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://xerxer.net/go.php?s=nundachamber.com_qq33 [following]
--12:54:09-- http://xerxer.net/go.php?s=nundachamber.com_qq33
=> `go.php?s=nundachamber.com_qq33'
Resolving xerxer.net... done.
Connecting to xerxer.net[87.248.180.88]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://shockbabetv.com/l/coloraz/id/3912960/black/white/ / [following]
--12:54:09-- http://shockbabetv.com/l/coloraz/id/3912960/black/white/%20/
=> `index.html.1'
Resolving shockbabetv.com... done.
Connecting to shockbabetv.com[85.255.119.93]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]

[ <=> ] 9,896 2.36M/s





So, to recap: A huge number of Web sites, all hosted by a company called ipowerweb, have recently been hacked all at once. The hacked Web sites have all had new files placed on them which contain thousands of common Google keywords, including my name. When someone visits one of these pages from Google, he gets passed from the hacked Web site through a chain of Web sites in Eastern Europe, and finally ends up on a server that attempts to install a virus.

But who is 3xpowered.com? Surely, there must be some information about the owner of this Web site, right?

Well, no.

UPDATE: I have received a reply from privacyprotect.org; they have stripped the private registration from the virus site. The old and new information is shown below.

OLD information:

whois 3xpowered.com

Domain Name: 3XPOWERED.COM
Registrar: ESTDOMAINS, INC.
Whois Server: whois.estdomains.com
Referral URL: http://www.estdomains.com
Name Server: NS1.3XPOWERED.COM
Name Server: NS2.3XPOWERED.COM
Status: clientTransferProhibited
Updated Date: 22-nov-2007
Creation Date: 22-nov-2007
Expiration Date: 22-nov-2008

>>> Last update of whois database: Wed, 12 Dec 2007 23:07:34 UTC <<<

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: 3XPOWERED.COM

Registrant:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Creation Date: 22-Nov-2007
Expiration Date: 22-Nov-2008

Domain servers in listed order:
ns2.3xpowered.com
ns1.3xpowered.com


Administrative Contact:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Technical Contact:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Billing Contact:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Status:ACTIVE


CURRENT information:

whois 3xpowered.com

Domain Name: 3XPOWERED.COM
Registrar: ESTDOMAINS, INC.
Whois Server: whois.estdomains.com
Referral URL: http://www.estdomains.com
Name Server: NS1.3XPOWERED.COM
Name Server: NS2.3XPOWERED.COM
Status: clientTransferProhibited
Updated Date: 22-nov-2007
Creation Date: 22-nov-2007
Expiration Date: 22-nov-2008

>>> Last update of whois database: Thu, 13 Dec 2007 15:45:23 UTC <<<

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: 3XPOWERED.COM

Registrant:
n/a
Nikolay Fedorov (nik@getxxxphotos.com)
Chapligina ul 4
Novosibirsk
null,630099
RU
Tel. +7.3832235851

Creation Date: 22-Nov-2007
Expiration Date: 22-Nov-2008

Domain servers in listed order:
ns2.3xpowered.com
ns1.3xpowered.com


Administrative Contact:
n/a
Nikolay Fedorov (nik@getxxxphotos.com)
Chapligina ul 4
Novosibirsk
null,630099
RU
Tel. +7.3832235851

Technical Contact:
n/a
Nikolay Fedorov (nik@getxxxphotos.com)
Chapligina ul 4
Novosibirsk
null,630099
RU
Tel. +7.3832235851

Billing Contact:
n/a
Nikolay Fedorov (nik@getxxxphotos.com)
Chapligina ul 4
Novosibirsk
null,630099
RU
Tel. +7.3832235851

Status:ACTIVE




The information about the person who registered this domain is hidden by a privacy protection organization. These organizations--and there are many--register domains on behalf of others, and then place their own imformation in the whois. They exist because the owner of a domain is required to be listed in the whois database, but many people don't like revealing that they own a particular Web site. There may be legitimate reasons for this, but it's popular with spammers and criminals, too.



UPDATE2: The new virus dropper being used in the newest wave of attacks is shockbabetv.com. Unsurprisingly, its whois is also protected by privacyprotect.org:

whois shockbabetv.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: SHOCKBABETV.COM
Registrar: ESTDOMAINS, INC.
Whois Server: whois.estdomains.com
Referral URL: http://www.estdomains.com
Name Server: NS1.SHOCKBABETV.COM
Name Server: NS2.SHOCKBABETV.COM
Status: clientTransferProhibited
Updated Date: 12-dec-2007
Creation Date: 12-dec-2007
Expiration Date: 12-dec-2008

>>> Last update of whois database: Fri, 14 Dec 2007 18:10:05 UTC <<<

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: SHOCKBABETV.COM

Registrant:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676




The domain that drops viruses is very new--less than a month old. I'd be willing to bet that all the hacked Web sites have been hacked for less than a month, too. I did a simple search for "polyamory" confined to one of the hacked Web sites, mdhardyinc.com, and got 125 hits. So not only have the hackers penetrated hundreds or thousands of Web sites, but each hacked site has hundreds of redirector pages on it.

My conclusion: the Web hosting company ipowerweb.com has been victimized by a security breach on a scale that's hard to imagine. Eastern European criminals have hacked a huge number of ipowerweb customers, and are using them to catch Google searches for popular search terms, including search terms about polyamory, and redirect them to virus droppers while simultaneously hiding them from anyone not coming in from Google.

The things you can learn by Googling your name.

Any sysadmins or abuse people out ther know what I should do with this information? Who should I report it to?




UPDATED4 Incredibly, the attacks on iPowerWeb documented above are still ongoing, nearly three weeks after iPower was first notified of the problem! I have identified several hundred more compromised Web sites which are as of this writing still redirecting to the same virus droppers. Also incredibly, the same virus droppers are still active on the same servers. Some of the compromised iPower Web site URLs that are still active include:

http://pcdoctor-community.com/pcdblog/wp-admin/hvfjv/her/bad/3/violet-wand.html
http://anthonydilorenzo.com/images/_notes/bxoct/her/bad/8/glans.html
http://lckitchen.com/_borders/_vti_cnf/crfyz/her/bad/8/gay-cowboys.html
http://whitneygaylord.com/css/tfcph/her/bad/8/exhibit.html
http://europaparcs.com/old/img/cpuqc/her/bad/3/spermicide.html
http://riversideauctionsc.com/img/.thumbs/otlvl/her/bad/8/virginity.html
http://dizzysfarm.com/img/_vti_cnf/fdtoi/her/bad/3/queef.html
http://thebizmate.com/LazyBoy/Ads/ocdko/her/bad/3/harlot.html
http://thebizmate.com/LazyBoy/Ads/ocdko/her/bad/3/harlot.html
http://michaelannyoung.com/PuertoV/images/uplhz/her/bad/3/vaginal.html
http://motionpicturesdvd.com/shopping/files/hczwv/her/bad/8/oral-contraceptives.html
http://heavenstouchgifts.com/bksbbls/bible/rswmd/her/bad/8/pregnant.html
http://jphonline.com/pdffiles/_vti_cnf/ddzqv/her/bad/3/yaoi.html

and hundreds more. As before, going to any of these links directly produces a 404 error; going to these links with the browser referrer set to "google.com" causes redirection to the traffloader.info site, which then further redirects to a virus dropper hosted at 3xfestival.com or scanner.spyshredderscanner.com.

Comments

tacit
Dec. 13th, 2007 04:00 pm (UTC)
That'd be awesome!

I suspect it will do little good, however. I've updated the main post with additional information about ipowerweb.com; it appears they have persistent security problems that extend back a long time, possibly related to vulnerabilities in their Web control panel software. According to stopbadware.org, an astonishing 20% of all Web sites being used to host or download malware are hosted by ipowerweb.com. If this is correct, it appears their problems run deep indeed, and that to date they have not acknowledged or addressed these problems.
Powered by LiveJournal.com
Designed by Lilia Ahner