?

Log in

Previous Entry | Next Entry

The election is over...

...and not even twelve hours after Obama's acceptance speech, Eastern European organized crime are using America's feelings about this historic moment to spread computer viruses.

A little while ago, I posted about a gang of computer criminals who, while building a network of hacked computers to use to spread viruses and fake bank sites, had hacked a system belonging to the US Department of Defense.

Those very same criminals are now hitting my inbox with messages attempting me to visit a server that downloads a computer virus disguised as a news story about Barack Obama's victory.

I've received two of the emails so far. Both are formatted the same way, and are identical in formatting to the phish emails that masqueraded as a bank "security update." The first carries a subject line reading "Obama win sets stage for showdown;" the second, "Priorities for the New President - TIME". Both come from the forged email address "news@unitedstates.com".



As before, each contains a link that has been formatted to appear confusing (and sooner or later, I need to write a tutorial about how not to be fooled by long, confusing-looking URLs). The link in one of the emails looks like this:

http://servletdologin.encrypted.configlogin.yUkYbU7OQ.verification.cfmaster.ZmRx9aavP.bfiinwach.com/president.htm?/onlineupdate/communitypage/OSL.htm?LOGIN=OtxjLyUkYb&VERIFY=U7OQIrZmRx9aavP

*** WARNING *** WARNING *** WARNING ***
This link is live as of the time of this writing. It WILL take you to a site that will try to download a Windows computer virus. DO NOT click on this link if you do not know what you are doing!




Okay, so, further down the rabbit hole...

The server name in this link is ervletdologin.encrypted.configlogin.yUkYbU7OQ.verification.cfmaster.ZmRx9aavP.bfiinwach.com. The only part of this long meaningless string that matters is the part at the end, where it says "bfiinwach.com". The stuff before that part is just rubbish.

The long string of rubbish is surprisingly effective at tricking people. Folks are slowly becoming savvy enough to know to glance up at the top of a browser window to see what Web site they're on, and smart enough to know to look for the name of their bank if they're on a banking site, or to look for "ebay.com" if they want to be on eBay. Unfortunately, a lot of people still aren't savvy enough to look at the entire string; if they see something that looks like

onlineservices.bankofamerica.com.secure-ssl.russianmafia.ru

or

ebay.com.ws.secure.dll.russianmafia.ru

they don't really realize that they're actually on russianmafia.ru, not bankofamerica.com or ebay.com.

The hostile sites in this scam, like the ones used in the phishing scams I wrote about earlier, are registered by a corrupt Chinese registrar called bizcn. I gotta hand it to the Chinese; they're really figuring this capitalism shit out. The registrar of choice for organized crime used to be ESTdomains; however, now that ESTdomains and ESThosts have lost their upstream provider and are facing revocation of their registrar status after their president was convicted of identity theft and other related crimes, it looks like bizcn has stepped in to fill the needs of Russian mafia that are currently going unserved.

The criminals register a domain, such as bfiinwach.com, using a corrupt Chinese domain registrar. They then set up Web sites designed to steal bank account information and spread viruses. These Web sites are running on many different compromised computers all over the world. They then set up their own private network of domain name servers, also running on hacked computers, and use their own domain name servers to resolve their Web sites.

At the moment, bfiinwach.com is hosted on five different IP addresses:

tacits-computer:~ tacit$ dig bfiinwach.com

; <<>> DiG 9.3.5-P2 <<>> bfiinwach.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5435
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;bfiinwach.com. IN A

;; ANSWER SECTION:
bfiinwach.com. 1800 IN A 89.137.210.212 (in Romania)
bfiinwach.com. 1800 IN A 84.109.7.195 (in Israel)
bfiinwach.com. 1800 IN A 85.178.195.97 (in Germany)
bfiinwach.com. 1800 IN A 86.124.65.201 (in Romania)
bfiinwach.com. 1800 IN A 87.207.9.23 (in Poland)

Name server services for bfiinwach.com are provided by NS1.SPRITSONLINE.NET and NS2.SPRITSONLINE.NET. The server at ns1.spritsonline.net lives on a network belonging to a company called Limestone Networks, in Dallas, Texas. The server at ns2.spritsonline.net lives on a hacked PC connected to BellSouth's residential high-speed Internet service.

Most likely, the computers hosting this virus dropper, and the computers hosting name server services for this network of criminal sites, all belong to innocent home computer users who don't know that their computers are infected and can be controlled at will by Eastern European organized crime.


Okay, so that's the technical angle. The social angle is more interesting.

In the past, this particular group of criminals has contented itself with your standard, garden-variety phishing scams. They send out emails that read, for example,

"Attention all Bank of America Consumers.

At Bank of America, the security of your information is paramount. Our systems and security procedures are designed to keep your personal and financial data confidential at all times.
You also have a significant role to play and should adopt the following practices to help keep your personal and financial information protected from unauthorized use - Keep Your Internet Banking Session Secure and set up SSL Certificate."

The site that you go to when you click the link looks just like the Bank of America site, but of course it's not; and the "security certificate update" it downloads to your computer is, of course, a computer virus.

The new emails, though, have been branching out a little. They've been experimenting with using come-ons not related to banks, like this one:

"Dear Classmates customer.

Classmates Day 2009 soon! Video Invitation from your Classmates "2009 Classmates Day Announcement!" prepared to view.
Reunite Your High School Classmates and Celebrate This Day! Your Classmates Are Waiting to Hear From You!"

And, natch, the "video invitation" is actually a computer virus.

Today, Barack Obama's victory has given them a new angle:

"Barack Obama Elected 44th President of United States

Barack Obama, unknown to most Americans just four years ago, will become the 44th president and the first African-American president of the United States.
Watch His amazing speech at November 5!"

The "video" of his amazing speech is--you guessed it--actually a computer virus.

The Russian criminals behind this have demonstrated themselves to be adept at keeping track of hot-button issues and using them to exploit those folks who are inclined to believe every email they read.

It's interesting that these scams succeed, in part because the Web sites set up by the criminals have telltale markers of fakery all over them. The people responsible for these scams do not speak English as a first language, so the Web sites masquerading as banking sites or news sites tend to be replete with spelling and grammar errors.

Yet folks don't seem to notice.

I wonder if this isn't a side effect of America's culture of anti-intellectualism; learning and knowledge are so despised that people either expect their bank's Web site to be covered with spelling mistakes and grammar errors...or, worse yet, people don't notice the spelling mistakes and grammar errors.

The site that tries to download a virus disguised as Barack Obama's speech, claims to be "America.gov: Telling America's Story" and then says "Introduction America.gov. Look amazing speech of new president."


Comments

( 17 comments — Leave a comment )
(Deleted comment)
delphinea
Nov. 5th, 2008 04:51 pm (UTC)
Did you get the email I sent you (from Petri)?
tacit
Nov. 5th, 2008 05:24 pm (UTC)
I did, thanks! It ties in to something else I've discovered that I'll be posting about later. Thanks!
mouser
Nov. 5th, 2008 05:01 pm (UTC)
If they were really on the ball they'd have an automated program that culls a Reuters feed for headlines...
catdragon_
Nov. 5th, 2008 05:24 pm (UTC)
How much of the not seeing the grammatical and spelling errors is due to the usage of "texting speak" becoming the norm for some younger people?
I drive my kids nuts when I text because I actually spell out the words.
delphinea
Nov. 5th, 2008 08:36 pm (UTC)
I do that, too. I even use correct grammar and punctuation.
claws_n_stripes
Nov. 6th, 2008 09:10 pm (UTC)
I've been known to bust out with semicolons and shit when I text. But as we all know, I'm some kind of freak. :-D
tacit
Nov. 7th, 2008 01:18 am (UTC)
In all honesty, I text in complete sentences with full punctuation--including semicolons and stuff. I cheat a bit, because I have a smartphone, but I did the same thing even when I was stuck with T9.
claws_n_stripes
Nov. 7th, 2008 01:38 am (UTC)
Blarrrgh, T9. I would do the same thing back in the day, but I tried using T9 and I figured it would be better if I just took the extra time instead of wanting to yell at my phone. Nowadays, I have a Samsung Alias-- which flips open horizontally and vertically-- and I can QWERTY to my heart's content, but it takes a minor bit of hoop-jumping to get certain characters. It's worth it to me, though.
odetomutilation
Jul. 6th, 2010 04:23 pm (UTC)
Where's the screencap? You were supposed to "BRB" with it. That was yesterday. Or the deletion?
claws_n_stripes
Jul. 6th, 2010 09:51 pm (UTC)
Between feeding myself, having a life, and searching through a HUGE assload of entries, it's taking longer than I expected. Rest assured, troll, that I did not make a mistake, and I will find it eventually.

You're awfully eager to look like an idiot, I must say.

(Sorry about this, Mr. Veaux.)
odetomutilation
Jul. 6th, 2010 10:51 pm (UTC)
No, actually, I just know you're a liar, because I would never say or think that. The only possible explanation I can think of would be if I were clearly being sarcastic or joking. But me seriously saying why bother with Black History Month? Not a fucking chance.

You were supposed to "BRB" with this yesterday...don't pretend that you just suddenly got too busy. You can't find it because you know you're wrong and were trying to spread lies about me.

I'm awfully eager to prove I'm right. If I knew that comment were out there, I would just shut up and hope you forget about it. If I DID delete it, there'd be proof of that as well (in the email inbox of whomever started the post).

Post the screencaps or links you supposedly have for the world to see.

For the record, you lying sack of shit, here's the link: http://community.livejournal.com/sf_drama/2756566.html?thread=458660310#t458660310

And what I ACTUALLY SAID was:

"Reread what I said, jackass. Why even bother having a Black history month IF it's just going to be a mishmash of EVERYTHING?

Black people like a lot of shit. As you can see by my user icon (which causes some confusion), Black people like all sorts of music, food, and everything else.

I think Black history month needs to celebrate things that are uniquely or traditionally Black, otherwise I don't see the point. "

claws_n_stripes
Jul. 6th, 2010 10:55 pm (UTC)
Holy crap! I was busy searching backwards through April, after having done May, and was about to hit March. Thanks for the link, you fabulous idiot!
odetomutilation
Jul. 6th, 2010 10:58 pm (UTC)
Going around saying I said that without the context makes you a liar, and you know that.

You were making it sound like I was a racist white person who didn't get the point of Black History month instead of a black person who was advocating a month that celebrates black culture and not generic American culture in general.

You were twisting my words, you liar.

I feel vindicated. Yay.
freyaw
Nov. 6th, 2008 12:29 am (UTC)
My mother drives me nuts because she doesn't. She uses netspeak.
claws_n_stripes
Nov. 6th, 2008 09:14 pm (UTC)
Hi there. I'm friends w/ Mr. and Mrs. delphinea and I lurk, but I really love it when you post on these kinds of things.

I was emptying out my Spam box, and aside from "Michael Vincent" telling me he found me a new job without my asking, I got an e-mail from Фотий Возницын with the subj. line "I donп п t have to pretend 2 be someone else". I know better than to open it, but do you think it might be related?

Edited to correct grammar/HTML fail

Edited at 2008-11-06 09:15 pm (UTC)
claws_n_stripes
Nov. 13th, 2008 02:28 pm (UTC)
Gonna miss not being able to edit my comments
You might find this amusing: As I was emptying out my Spam folder, I noticed the following title: "Barack Obama Dollar Coin."

Someone better not be familiar with U.S. currency standards, 'cause I hope they don't know something we don't. :-/
( 17 comments — Leave a comment )