Computer security: Down the rabbit hole

So a couple weeks back, I get an email in my mailbox telling me that there is a problem with my PayPal account, and asking me to click a link to verify my account information.

Since I don't have a PayPal account, it didn't take a great deal of intellectual prowess to figure out that it was a "phish" email--an email designed to trick the credulous and unwary into going to a phony site and handing over their PayPal password. I get about a half-dozen of them a day, and I fired off emails to the appropriate Web hosts and forgot about it.

Next day, I got another phish asking me to validate my Bank of America account information. I don't have an account with Bank of America, naturally. Again, a standard phish.

The only weird part was that the phony Bank of America site was hosted on the same Web server as the phony PayPal site. Fired off another email to the ISP hosting the fake sites and forgot it.

And got another phish email. And another, and another after that, and another after that. All advertising phony Web sites hosted on the same server.

"Huh," I thought. "This is weird."


The phish emails keep rolling in. I got four of them today. All of them advertising various phony sites hosted on the same server.

The server is at http://78.110.170.227/~hewar/. If you go there (which I don't recommend), you'll see that it is an open server directory. Right now, as I type this, it has three phish sites living on it--a phony Bank of America page and two phony PayPal pages in French.

It's also got a bunch of other stuff living there:

If you go to the directory called "bankofamerica.com" you end up at a phony Bank of America site. The "fr" and "paypal.fr" directories each contain a phony copy of the PayPal sign-in page. The file you see called "france2009.zip" contains everything the budding criminal needs to set up his own phony PayPal page on a hacked Web server.

There are two other files there, called "x.php" and "foxMailer.php". Each of those is a bulk spamming program. You connect to the server, upload a list of email addresses, upload a spam message, and press "go" and off it goes, sending the spam email to all the addresses.

Now, it's pretty clear that this server at 78.110.170.227 is entirely 100% owned and operated by a group of criminals who are in the spam and theft business. They send out spam from this server, and they host phony sites on this server which are designed to steal banking information.
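The link pattern described above (a bank or PayPal page served from a bare-IP, ~user directory) is easy to flag on the receiving side. The following is an added example, not code from the original post: a small heuristic that compares the brand a link claims against the host it actually points at. The BRANDS allowlist and the sample URLs are constructed for illustration; the IP address is the one named in the post.

```python
"""Heuristic check for phishing-style links: does the brand a link claims
match the host it actually points at?  Added example, not from the post.
The BRANDS allowlist is an assumption constructed for illustration."""
import ipaddress
import re
from urllib.parse import urlparse

# Brand keyword -> registrable domains that may legitimately carry it.
BRANDS = {
    "paypal": {"paypal.com", "paypal.fr"},
    "bankofamerica": {"bankofamerica.com"},
}


def is_ip_host(host: str) -> bool:
    """True when the URL host is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); enough for the allowlist above.
    A real deployment would consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess_url(url: str, link_text: str = "") -> list:
    """Return the reasons a link looks like a phish (empty list = no finding).
    link_text is the anchor text shown in the e-mail, if any."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    reasons = []
    if is_ip_host(host):
        reasons.append("host is a bare IP address")
    if p.path.startswith("/~"):
        reasons.append("path is a per-user (~name) directory")
    # Brand keywords in host, path or anchor text, ignoring punctuation,
    # so "paypal.com.evil.example" and "bankofamerica.com/" both match.
    claimed = re.sub(r"[^a-z0-9]", "", (host + p.path + link_text).lower())
    for brand, domains in BRANDS.items():
        if brand in claimed and (is_ip_host(host)
                                 or registrable_domain(host) not in domains):
            reasons.append(f"claims {brand} but host {host!r} is not a {brand} domain")
    return reasons
```

Run against the phish URLs from the post and a couple of legitimate ones, every finding comes from the same mismatch: the page says "PayPal" or "Bank of America", the host does not.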


The server is hosted by a British ISP called a2b2.com. The ISP a2b2.com is in turn a subsidiary of an outfit called vaserv.com. The a2b2.com Web site advertises cheap Web hosting, and the parent company vaserv.com offers cheap Web hosting and cheap VPS hosting.

My first impulse was that a2b2.com is a dirty, corrupt ISP, knowingly hosting Web sites for organized crime. You see them popping up from time to time: McColo, Calpop, and other unethical businesses which profit from hosting Web sites for criminals and quietly looking the other way.

But I've been taking a look at a2b2.com and vaserv.com more closely, and I don't think they're corrupt--I just think they're clueless.

Or perhaps I should say, I think he's clueless.


As near as I can tell, both of these ISPs are owned and run by just one guy. The whois information for both ISPs lists the contact as a guy named "Russell Foster." The parent company at vaserv.com has a WordPress blog, which hasn't been updated in months, whose posts are signed "Rus". This place very much gives the impression of a hobby business whose owner doesn't pay very close attention; the lights are on, but nobody's home.

Hell, even the security on the official WordPress blog sucks.

So this guy is hosting Web sites for organized crime, and far from profiting by it, I don't even think he knows about it. For that matter, I don't even think he reads his email!

Unfortunately, the upstream from a2b2/vaserv is the Italian outfit Tiscali, which is listed in the "I" section of the dictionary under "incompetent." Tiscali is so slow to act against spammers and abusers of their network that they've actually ended up on spam blacklists; as near as I can tell, the only way to get the folks at Tiscali to take action of any sort is to fuck the CEO's daughter on the CEO's desk. During a business meeting.

So it seems that the criminals responsible for these phish sites have found a perfect storm of incompetence and fail, which effectively means they can host their sites on servers in the UK with impunity. The people responsible for these phish sites are so confident that they haven't even bothered to cover their tracks or secure their Web servers.

This is the dirty secret of Web hosting, and it's an example of where Libertarian laissez-faire ideals fail. There is little incentive for ISPs to take action against malware, frauds, spammers, and phish sites on their networks, and financial incentive for them not to. An abuse person who is doing his job costs his employer money, and as the example of iPower Web shows, hosting such sites, and playing fast and loose with its customers' Web site security, doesn't actually seem to cost an ISP any business.


Comments

( 21 comments — Leave a comment )
mantic_angel
May. 7th, 2009 08:26 am (UTC)
"the only way to get the folks at Tiscali to take action of any sort is to fuck the CEO's daughter on the CEO's desk."

Idle thought, but why is it always daughters getting fucked? Why don't sons ever get fucked like this?

(I'd assume the obvious answer is "because we don't sexualize men", IE sexism, but I've just never really thought about it until now. So, hey, thank you for making me think about it :))

---

Also, these posts are always an interesting read :)
emanix
May. 7th, 2009 12:17 pm (UTC)
Uck, lost my comment when my net crashed...

I'd flip that and say that boys are expected to be sexual (thus sexualised) from an early age, whereas girls are expected to be passive, and therefore fathers are more protective of their daughters 'virginal' status. Still sexist, slightly different reasoning. (Also, no matter what you do to them, boys can't get pregnant, so I suspect some part of this will never change!)

On the other hand, this is Tacit's journal... perhaps it's just because he prefers girls?
tacit
May. 7th, 2009 05:15 pm (UTC)
Nope, you got it the first time around. Historically, men are supposed to be the pursuers of sex and women are supposed to be the gatekeepers of sex, so there's a stereotype of the father who plays the role of "defender of his daughter's virtue". You see it sometimes in sitcoms and movies where the writer is lazy and wants an easy comic device.

In this stereotype, the father is glad when his son "becomes a man," but wants to protect his daughter's presumed virtue.
emanix
May. 8th, 2009 09:30 am (UTC)
I was going to make a further comment about buggering sons, but I think it's been at least partly already said.
It seems being on the receiving end is something to be seen as shameful still. So sad.

Incidentally, you've already met me in my Chaosbunny guise - this is my slightly more 'sensible' persona ;)

- Maxine
tacit
May. 8th, 2009 03:44 pm (UTC)
Sensible? You have one of those?? :)
polymorphism
May. 7th, 2009 12:39 pm (UTC)
According to Dan Savage's column from the other day, sons get fucked if they're gay, recasting the issue from "being a daughter" to "having a man for a partner." I'm not sure what to think about that, but at the very least it was an interesting confluence in my reading list.
awfulhorrid
May. 7th, 2009 02:41 pm (UTC)
It's a bit more difficult for guys to get randomly fucked like that. You need lube, at a minimum, and there's a bit more cleanup and "prep" involved. Really, it's much easier for the sons to just go with blowjobs on the CEO's desk.

(My Goddess wanted to take me out in the woods and use her strapon with me on Beltane, but the logistics of male ass-fucking combined with the cold rainy Illinois weather convinced us otherwise.)
musicman
May. 7th, 2009 09:39 am (UTC)
You should pass this on to the FBI's electronic crimes division. Really.
tacit
May. 7th, 2009 05:16 pm (UTC)
Done. :)
lab_jazz
May. 7th, 2009 11:33 am (UTC)
I love lurking on your journal...you have the most interesting and informative stuff.
kissmedeadly
May. 7th, 2009 11:43 am (UTC)
"the only way to get the folks at Tiscali to take action of any sort is to fuck the CEO's daughter on the CEO's desk."

We found at least one other way: telling them you will piss in their cabs in Telehouse North. This probably works better when you live in London and have machines next to theirs, mind.

This information brought to you courtesy of a random stranger who ran across your journal and friended it for sheer interest/amusement value :)
zastrazzi
May. 7th, 2009 12:21 pm (UTC)
I'd suggest submitting URLs like these to http://sitereview.bluecoat.com/

That will toss it on their blacklist, which is used by a LOT of companies as well as the free K9 app.

You might also want to toss them in the direction of http://mynetwatchman.com/
winterlady
May. 7th, 2009 12:35 pm (UTC)
What about sending an email to your isp to blacklist theirs? That might stop your spam.

and then send an email to the Department of Justice. ^_^ Cuz you know, internet theft across country boundaries or some such. I'm sure that's illegal somewhere. ^_^

<---not a lawyer. (if you couldn't tell)
suzmonster
May. 7th, 2009 01:08 pm (UTC)
You just totally turned me on with this post. I had to open it in its own separate window so I could switch off of it if the boss came 'round so he'd think I was drooling and panting over my CAD program instead.
teague
May. 7th, 2009 04:23 pm (UTC)
This post reminded me of a problem I'm having at work (Noo... Not on the boss's desk, sadly). It's not the problem you are having, but kind of related. We got some viruses on the work computers, and soon discovered that there is no firewall. We've possibly even been hacked. A co-worker claims that he went to the BoA site, and found himself on the copy site, redirected I guess. Turns out that turning on the firewall would interfere with our credit card calls going out? I don't get that, but I'm not a computer tech. The explanation from the company that sold us our hotel management software was that we "bought the cheapest version." I don't go to my banking sites at work, but I do log onto emails, and twitter. Any suggestions for protecting myself?
tacit
May. 7th, 2009 05:36 pm (UTC)
If you try to go to a real site and get diverted to a fake site, odds are good you're dealing with the W32/Zlob malware or one of its variants. That particular malware changes your name servers to point to name servers controlled by Russian organized crime, so you end up wherever they want to send you.

The firewall issue is a bit odd. No reasonable software vendor would ever write software that requires you to disable your firewall; you should just be able to get a list of the ports the software uses and make holes in the firewall for just those ports.
teague
May. 7th, 2009 05:44 pm (UTC)
Well, the person who told me about this, the guy who says he was redirected, *is* the night auditor I refer to as Butthead. I may call about it myself on a slow night, and see what they say. Butthead is a notorious curmudgeon, and cynic.
2redpath5
May. 8th, 2009 04:17 am (UTC)
Has anyone told you lately that you're a rock star???
writerspleasure
May. 8th, 2009 09:58 pm (UTC)
> Libertarian laissez-faire ideals fail

with respect, the fail here is in this interpretation of those ideals. the libertarian laissez-faire thing to do is to have a populace not dumbed down by government schools and a hand-wringing media that interlocks with the passivity taught therein - the libertarian thing is to educate oneself and protect oneself and those one is close to - not to passively hope that ISPs/governments/FSM will somehow protect us. the decentralized, voluntary services linked-to above (e.g. here - http://tacit.livejournal.com/297618.html?thread=3750546#t3750546 ) are refutations of the claim that this is somehow a liberty-failure. libertarianism doesn't reward passivity and worrying.
tacit
May. 12th, 2009 09:18 pm (UTC)
You know, that would make an interesting experiment. If you surveyed 5,000 Webmasters with a public school education and 5,000 Webmasters with a private school education and asked them what they look for in a Web hosting provider, would there be any difference in the number of people who considered Web server security among their criteria? If you surveyed public school educated and private school educated Webmasters about Web security, would either group know more than the other group about things like cross-site scripting and SQL injection?
(Anonymous)
Nov. 23rd, 2009 09:43 pm (UTC)
CalPOP Hosting is knowingly supporting spam. They are rude; if you call, they refuse to help.
They are knowingly supporting spam. They are rude; if you call, they refuse to help. Lynn Hoover (lynn@calpop.com) is the owner. Matt Crowin (matt@calpop.com) is the sales manager.

I have been receiving spam from CalPop servers. I contacted the company and spoke with Matt Crowin (matt@calpop.com), the sales manager. He appears to be aware of the spam and is extremely rude and refused to help me. I then called and asked to speak with Lynn Hoover (lynn@calpop.com), the owner of the spamming servers and company. I was told that I could not speak to her. After some research I found that they have been spamming for a long time and do not care to stop.

According to my online research Matt Crowin (matt@calpop.com) has a history of disrespect, is aware of the spamming practices and Lynn Hoover (lynn@calpop.com) appears to be absent from the daily operations but fully aware of the spam situation.