There appears to be a new social engineering attack making the rounds of registered owners of Web sites that have SSL encryption certificates. I have a large number of Web sites, and so far I've only received emails to the technical address of sites which have SSL (security) certificates on them.
*** WARNING *** WARNING *** WARNING ***
This attack is currently live. DO NOT attempt to visit the URLS in this email if you do not know what you are doing!
The emails come from a phony From: address that is system@[thewebsitename.com]. Each email takes the form:
Attention!
On October 16, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour.
The changes will concern security, reliability and performance of mail service and the system as a whole.
For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.
This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That's all.
http://updates.[thenameofthewebsite.com].secure.ssl-datacontrol.com/ssl/id=712571016-[email address of registered contact]-patch257675.aspx
Thank you in advance for your attention to this matter and sorry for possible inconveniences.
System Administrator
So for example if you have a Web site called "theweaselstore.com" and your email address is "headweasel@theweaselstore.com" you may receive an email claiming to be from: system@theweaselstore.com, which tells you to click a link that looks like
http://updates.theweaselstore.com.secure.ssl-datacontrol.com/ssl/id=712571016-headweasel@theweaselstore.com-patch257675.aspx
Needless to say, the "patch" you download from this address is a computer virus.
This is one of the most sophisticated social engineering attempts I've seen to date. It seems to be going after a very specific group of people: people who own secure Web sites. The email itself is custom-tailored to look as much as possible like it comes from the system operators of the Web site in question, and the payload is delivered from a hostile server with a URL that has the address of the target site owner's Web site embedded within it.
My suspicion, though I have not taken the time to analyze the payload, is that it is a key logger, and that the virus writers are attempting to get FTP credentials for the target Web site.
Being able to hack secure Web sites would offer the hacker a treasure trove of advantages. First, secure Web sites may contain customer information, transaction records, payment histories, and credit card numbers for the site's customers.
Second, a phony bank or eBay site placed on a secure server is more convincing, because the phony site can be accessed using "https://" and will have the browser padlock indicating that the site is secure, which may help it to fool more people.
I've mentioned in this post how a Web address can be designed to fool people. It does not matter what's in the address except for the part in front of the very first / character; so for example if you see a Web address that looks like
http://www.ebay.com.ws.eBayISAPI.dll.signin.ru/?SignIn&ru=12345
you are not on eBay. You can see where you are by looking at the part just before the first /, which in this case is
http://www.ebay.com.ws.eBayISAPI.dll.signin.ru/?SignIn&ru=12345
a site called signin.ru in Russia.
Similarly, in the URLs in these hacker emails, the key part of the URL is
http://updates.theweaselstore.com.secure.ssl-datacontrol.com/ssl/id=712571016-headweasel@theweaselstore.com-patch257675.aspx
The computer virus is being distributed from a site called "ssl-datacontrol.com".
ssl-datacontrol.com lives on servers belonging to an ISP called trouble-free.net, which is now a subsidiary of another ISP called interserver.net.
Trouble-free.net is an ISP I'm very familiar with. As near as I can tell, the "trouble" they are free of is meddling trouble such as legal issues, or those pesky problems you might have with having your spam or phish site shut down; they have, in my experience, a long and ignoble history of hosting viruses, spammers, pirate software sites (notorious credit card fraudster and pirate Art Schwartz has been hosted on trouble-free.net for over five years), and other criminal content.
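The two URL-reading rules above (only the host before the first slash matters, and a "system@yourdomain" mail should only ever link under yourdomain) written out as checks. This is an added example, not code from the original post; it uses the post's own URLs as input, and the two-label "registrable domain" rule is an assumption that a real tool would replace with a Public Suffix List lookup.

```python
# Added example, not code from the original post: the post's URL-reading rules
# as checks. link_host() takes the part before the first "/", registrable_domain()
# reduces it to the name that was actually registered, and link_matches_sender()
# applies that to the "system@<yourdomain>" mails described above.
from urllib.parse import urlsplit


def link_host(url):
    """Hostname of a URL: what lies between the scheme's "//" and the first "/",
    with any user@ prefix and :port removed, lowercased."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host in {url!r}")
    return host


def registrable_domain(host, labels=2):
    """Last `labels` labels of the hostname, e.g. signin.ru.
    Assumption: two labels is the registered name. For suffixes such as co.uk
    it is three, so a production tool should consult the Public Suffix List."""
    return ".".join(host.lower().split(".")[-labels:])


def host_is_under(host, domain):
    """True if host equals domain or is a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def link_matches_sender(from_addr, url):
    """False when a mail claiming to come from system@example.com links to a
    host outside example.com, which is exactly the shape of the mails above."""
    sender_domain = from_addr.rsplit("@", 1)[-1]
    return host_is_under(link_host(url), sender_domain)


if __name__ == "__main__":
    # The post's two examples: the phony eBay login and the "patch" link.
    for url in [
        "http://www.ebay.com.ws.eBayISAPI.dll.signin.ru/?SignIn&ru=12345",
        "http://updates.theweaselstore.com.secure.ssl-datacontrol.com/ssl/"
        "id=712571016-headweasel@theweaselstore.com-patch257675.aspx",
    ]:
        host = link_host(url)
        print(host, "->", registrable_domain(host))
```

One caveat the host-before-the-slash rule needs: if an "@" appears before the first slash, everything in front of it is a username, not the host, which is why the code reads `.hostname` rather than slicing the string by hand.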
The whois for ssl-datacontrol.com is, unsurprisingly, Russian:
whois ssl-datacontrol.com
Whois Server Version 2.0
Domain Name: SSL-DATACONTROL.COM
Registrar: ANO REGIONAL NETWORK INFORMATION CENTER DBA RU
Whois Server: whois.nic.ru
Referral URL: http://www.nic.ru
Name Server: NS1.CEDNS.RU
Name Server: NS2.CEDNS.RU
Status: clientTransferProhibited
Updated Date: 05-oct-2009
Creation Date: 05-oct-2009
Expiration Date: 05-oct-2010
>>> Last update of whois database: Mon, 12 Oct 2009 21:44:52 UTC <<<
Registrant ID: HEIGAAS-RU
Registrant Name: Elena V Zhuravlyova
Registrant Organization: Elena V Zhuravlyova
Registrant Street1: Orekhovyi boulevard
Registrant Street1: d.31 kv.72
Registrant City: Moscow
Registrant State: Moscow
Registrant Postal Code: 115573
Registrant Country: RU
Administrative, Technical Contact
Contact ID: HEIGAAS-RU
Contact Name: Elena V Zhuravlyova
Contact Organization: Elena V Zhuravlyova
Contact Street1: Orekhovyi boulevard
Contact Street1: d.31 kv.72
Contact City: Moscow
Contact State: Moscow
Contact Postal Code: 115573
Contact Country: RU
Contact Phone: +7 499 2678638
Contact E-mail: awoke@co5.ru
Registrar: ANO Regional Network Information Center dba RU-CENTER
So in short what we have is a very sophisticated, highly directed attack targeted at Web site owners who are using SSL security certificates on their Web sites, being conducted through emails which create a custom From address and custom attack URL for each specific victim.
The same rules apply to this as to all emails:
- DO NOT believe the From: address of an email. Ever.
- DO NOT respond to ANY security alert, question, or prompt you receive in ANY email. Ever. No matter who it appears to be from.
- Learn to read Web site URLs. DO NOT trust any part of a URL except the part immediately in front of the first slash.
Mood: annoyed
I blame the_xtina for the fact that I discovered this evening what appears to be a large, coordinated, and widespread attack on multiple Web hosting providers.
I hadn't actually intended to do any computer security stuff today; my plans for the evening involved playing WoW.
the_xtina speculated during an IM conversation this evening about the existence of Viking porn, so naturally I did a Google search, and got rather more than I expected.
A Google search for "viking porn" turns up a few hits with a Google "this site may harm your computer" tag. Both of the first two I looked at--because I can't stay away from the "this site may harm your computer" tag--had a couple of interesting things in common: they were hosted on iPower Web, the notoriously insecure Web host I've written about on several occasions in the past; both had malicious redirection files in a directory named /backup/, both used a complex series of traffic redirectors before ending up at the malware site proper, and both were heavily seeded throughout Google using a very large number of popular pornographic and non-pornographic keywords.
In other words, all the hallmarks of the Russian Zlob gang. God, how I hate those people.
I widened the Google search using both common keywords (like "porn") and keywords I know the Zlob gang favors, and specifying inurl:/backup/ as part of the search.
What I ended up with was a VERY long list of compromised Web sites, each with a directory named /backup/ containing large numbers of files stuffed full of keywords and each of which redirects through a series of redirectors to a site that attempts a drive-by malware download.
( Click here for more technical details (down the rabbit hole we go!) )
Edited to add: Many, but not all, of the hacked sites also have invisible iFrames placed on them which load content from http://microsotf.cn/ or http://updatedate.cn/.
The first isn't resolving for me at the moment. The second is, but returns a blank page when loaded directly; again, it's probably checking the browser for exploits and attempting to download malware in the background.
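A small scanner for the invisible-iframe pattern just described: an iframe that points off-site and is sized 0x0 or 1x1 or styled invisible. This is an added example, not code from the original post, and the sample page is constructed for it; the two off-site hostnames in the sample are the ones named in the post, the other hosts are hypothetical.

```python
# Added example, not code from the original post: detect hidden off-site
# iframes of the kind injected into the hacked sites. Stdlib only, runs offline.
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page: a relative iframe a site would legitimately use,
# a visible embed from a hypothetical partner, and two injected iframes
# pointing at the two hostnames the post names.
SAMPLE_PAGE = """<html><body>
<h1>Viking history</h1>
<iframe src="/widgets/calendar.html" width="300" height="200"></iframe>
<iframe src="http://video.example-partner.invalid/embed/42" width="640" height="360"></iframe>
<IFRAME SRC="http://microsotf.cn/" WIDTH="1" HEIGHT="1" STYLE="display: none"></IFRAME>
<iframe src="http://updatedate.cn/" width="0" height="0" frameborder="0"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lowercases tag and attribute names
            self.iframes.append({name: (value or "") for name, value in attrs})


def _is_tiny(value):
    """True for a width/height of 0 or 1, with or without a px suffix."""
    digits = value.strip().lower()
    if digits.endswith("px"):
        digits = digits[:-2]
    return digits.isdigit() and int(digits) <= 1


def is_hidden(attrs):
    """Invisible by CSS, or so small that a visitor would never notice it."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return _is_tiny(attrs.get("width", "")) and _is_tiny(attrs.get("height", ""))


def is_external(src, page_host):
    """True if src names a host that is neither page_host nor a subdomain of it."""
    host = urlsplit(src).hostname  # None for relative URLs
    if host is None:
        return False
    host, page_host = host.lower(), page_host.lower()
    return host != page_host and not host.endswith("." + page_host)


def suspicious_iframes(html, page_host):
    """Return the src of every iframe that is both off-site and hidden."""
    collector = IframeCollector()
    collector.feed(html)
    return [a.get("src", "") for a in collector.iframes
            if is_external(a.get("src", ""), page_host) and is_hidden(a)]


if __name__ == "__main__":
    for src in suspicious_iframes(SAMPLE_PAGE, "www.vikings.invalid"):
        print("hidden off-site iframe:", src)
```

Run it over a site's own pages (fetched from local disk or a crawl you control) and the visible, relative and same-domain iframes drop out, leaving only the injected ones for a human to look at.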
Mood: aggravated
Michael Jackson is scarcely a few days dead and the malware writers are hard at work using the news of his death to spread computer viruses.
This morning I received an email telling me (in Spanish) that there was a YouTube video of Michael's death on the Internet, and I could see it (oh boy!) by visiting
http://youtubemichaelj.com
*** WARNING *** WARNING *** WARNING ***
This site is live as of the time of this writing. DO NOT visit this site if you don't know what you're doing. This site WILL attempt to download a Windows virus onto your computer.
The Web site looks just like YouTube, and presents a phony blank movie player image with a "An error occurred, please try again later" message in it, then attempts a drive-by download from
http://youtubemichaelj.com/Codec/120.exe
The download is a bit unwieldy for malware (1.8 MB in size)--much too large to be a variant on Zlob, Asprox, or any of the other malware commonly distributed as phony movie-player CODECs. I don't believe I've seen this particular malware before.
The registration information is most likely bogus. The site was registered yesterday:
whois youtubemichaelj.com
Whois Server Version 2.0
Domain Name: YOUTUBEMICHAELJ.COM
Registrar: DOMAINPEOPLE, INC.
Whois Server: whois.domainpeople.com
Referral URL: http://www.domainpeople.com
Name Server: A.DNS.HOSTWAY.NET
Name Server: B.DNS.HOSTWAY.NET
Status: clientTransferProhibited
Updated Date: 29-jun-2009
Creation Date: 29-jun-2009
Expiration Date: 29-jun-2010
Registrant:
T---- G---- (youtubemichaelj.com)
(WHOIS information redacted)
US
Registrar: DomainPeople Inc.
Domain Name: youtubemichaelj.com
Created on .............2009-06-29-14.36.03.127000
Expires on .............2010-06-29-14.36.03.000000
Record last updated on .
Status .................ACTIVE
Administrative Contact:
T---- G----
(WHOIS information redacted)
The site's hosted on Hostway. Hostway is an unusual choice for a virus dropping site; they're fairly clean, and a bit pricey. I suspect that the site will be disabled soon.
Given the choice of hosting companies and the size of the malware download, I am wondering if the people responsible for this malware aren't fairly new to the game. More experienced malware and virus writers, like the Zlob gang, prefer to host on hacked sites, screen their hosts behind a network of redirectors, and store the actual payload itself on servers in Eastern Europe.
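Both whois listings on this page (ssl-datacontrol.com created 05-oct-2009, youtubemichaelj.com created 29-jun-2009) share one tell: the domain was days old when the mail went out. This added example, not code from the original post, parses the "Key: value" lines of such listings and computes the domain's age on a given day; the sample listings are constructed from lines copied from the two outputs above, and the 30-day threshold is an assumption.

```python
# Added example, not code from the original post: parse "Key: value" whois
# listings like the two quoted in these posts and compute how old the domain
# was when the mail arrived. Stdlib only.
import re
from datetime import date, datetime

# Constructed samples: the relevant lines copied from the two listings above.
WHOIS_SSL_DATACONTROL = """\
Domain Name: SSL-DATACONTROL.COM
Registrar: ANO REGIONAL NETWORK INFORMATION CENTER DBA RU
Name Server: NS1.CEDNS.RU
Name Server: NS2.CEDNS.RU
Creation Date: 05-oct-2009
Expiration Date: 05-oct-2010
>>> Last update of whois database: Mon, 12 Oct 2009 21:44:52 UTC <<<
Registrant Country: RU
"""

WHOIS_YOUTUBEMICHAELJ = """\
Domain Name: YOUTUBEMICHAELJ.COM
Registrar: DOMAINPEOPLE, INC.
Name Server: A.DNS.HOSTWAY.NET
Name Server: B.DNS.HOSTWAY.NET
Creation Date: 29-jun-2009
Expiration Date: 29-jun-2010
Status .................ACTIVE
"""

FIELD_RE = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")


def parse_whois(text):
    """Map lowercased field names to the list of values seen for them.
    Lines without a colon (the dotted "Status .....ACTIVE" style) are skipped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(2):
            fields.setdefault(m.group(1).lower(), []).append(m.group(2))
    return fields


def first(fields, key):
    """First value recorded for a field, or None if the field is absent."""
    values = fields.get(key.lower())
    return values[0] if values else None


def creation_date(fields):
    """Parse the registry-style 'DD-mon-YYYY' creation date."""
    raw = first(fields, "Creation Date")
    if raw is None:
        raise ValueError("no Creation Date field")
    return datetime.strptime(raw.title(), "%d-%b-%Y").date()


def _as_date(as_of):
    return as_of if isinstance(as_of, date) else date.fromisoformat(as_of)


def domain_age_days(text, as_of):
    """Days between the registration and as_of (a date or 'YYYY-MM-DD')."""
    return (_as_date(as_of) - creation_date(parse_whois(text))).days


def is_newly_registered(text, as_of, max_age_days=30):
    """Heuristic: a link to a domain registered within the last month deserves
    extra scrutiny. The threshold is an assumption; tune it to your mail flow."""
    return domain_age_days(text, as_of) <= max_age_days


if __name__ == "__main__":
    print("ssl-datacontrol.com age on 2009-10-12:",
          domain_age_days(WHOIS_SSL_DATACONTROL, "2009-10-12"), "days")
    print("youtubemichaelj.com age on 2009-06-30:",
          domain_age_days(WHOIS_YOUTUBEMICHAELJ, "2009-06-30"), "days")
```

Registry output formats vary (the registrar's own "Created on ....2009-06-29-14.36.03" line above is one the parser deliberately ignores), so in practice this check is a triage signal to combine with the URL-host check, not a verdict on its own.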
Mood: annoyed
A while ago, I wrote about an outfit called a2b2.net, which was hosting a number of phony PayPal and bank sites designed to dupe people into giving up their financial information.
A short time later, that particular server went offline, only to come back a few days later as a site that sold and distributed software for hacking Web servers and setting up phony bank and PayPal sites.
Well, now things take a turn for the strange. It appears that Web host has been hacked, and every Web site running on the entire Web host has been wiped.
Hm. When you go to bed with monsters...
Mood: surprised
According to this article on CNet News, the Federal Trade Commission has just shut down an ISP called Pricewert, which had sought to act as a one-stop shopping center for spammers, child porn, botnet operators, and virus and malware distributors.
Pricewert operated as a Web host under a bunch of different names--3FN.net, Triple Fiber, APS Communications, and a bunch of others.
I first became aware of 3FN back in February of 2008, when I started seeing spam for all kinds of porn sites hosted on their IP space. The spam I saw generally involved URLs hosted on 3FN that redirected to the affiliate sites of large pay-for-access porn sites--a common spam tactic I've seen before, especially from big-name offenders like Streamate.com.
Pricewert/3FN's business extended well beyond spam, though, and into hosting for botnet command and control servers, virus droppers, malware distribution, and even kiddie porn. In other words, about business as usual for an ISP in a place like the Ukraine or Latvia, but somewhat surprising for an ISP in the US. (Somewhat surprising, at least, until you consider that the founder of Pricewert/3FN was from the Ukraine, where the business culture is such that hosting malware, child porn, and botnet control servers is part of any ISP's normal revenue stream.)
And here's the part where I get all Ranty McRanterson.
What's really, really, really disappointing to me is how poor the US ISPs and backbone providers are at policing themselves, and how even egregiously illegal activity is tolerated by the vast majority of Internet service providers.
3FN's upstream providers knew that 3FN was a rogue ISP hosting criminals involved in spam, viruses, and malware. I know for a fact that they knew this, because I told them myself, with detailed evidence. In February of 2008. And in March of 2008 (four times). And in June of 2008. And in July of 2008. And in...well, you get the idea.
There is, in the world of ISPs and Internet connectivity, a tacit understanding that any sort of illegal activity, including identity theft, malware, fraud, and computer virus distribution, will be tolerated so long as it doesn't create too big an uproar and so long as ISPs occasionally move the offenders around from one IP address to another. Even child pornography is not going to create a problem so long as the hosting ISP removes or moves the child porn if they receive complaints.
ISP abuse employees do not generate revenue for an Internet company. In fact, they cost a company revenue. For that reason, ISPs will often hobble their own abuse teams (I sent seven complaints to one ISP about a hacked server on their network over a period of two months, only to be told that the abuse people were not permitted to take down the server until eight weeks after they had notified the owner to fix the problem--which is about like calling the fire department because your neighbor's house is on fire and the flames are spreading to your house, only to be told that the fire department would mail a notice to your neighbors, and would send the trucks out in eight weeks if the neighbors hadn't taken care of the problem themselves by then).
ISPs make money by selling hosting and bandwidth to people. Every site they take down is lost revenue; every downstream service provider they cut off is a lot of lost revenue. They're not going to lose that revenue unless they're forced to.
Case in point: The rogue hosting provider McColo, which was notorious for hosting child porn, computer viruses (they were a preferred host for the Russian Zlob gang and for the Asprox virus gang), and credit card identity theft rings (Fraudcrew hosted sites on McColo), yet remained merrily in business, with no problems from their upstream providers, for four years in spite of the fact that it was widely known and publicized that McColo catered exclusively to criminal clientele.
And, sadly, that's the norm, not the exception. Upstream and backbone providers will cheerfully provide connectivity to known-rogue ISPs even though the rogue ISPs violate not only the law but also the upstream providers' Terms of Service. Global Crossing, a mainstream, respectable business, knew that McColo was hosting computer viruses and child porn; they simply didn't care. The money of organized crime spends just as well as the money of honest businesses, and often there's more of it.
In the ISP world, often government intervention is the only way to shut down these operators. History has proven, conclusively, beyond all shadow of doubt, that ISPs and connectivity providers absolutely, positively can not be counted on to police themselves; left to their own devices, they will permit just about anything to happen on their networks. The ongoing corrupt business practices of US ISP Calpop, for example, is ample proof of that.
It pisses me off to no end to see an entire industry that has, for all intents and purposes, quietly agreed to permit organized crime, identity theft, and child pornography on their networks as long as there's not too much of a fuss about it, and to take action only against the one or two most extreme offenders after many years of operation. While I do not normally see government intervention as a good way to solve business problems, in this case I do not believe the ISPs will ever police themselves effectively, or even want to; there's too much money in allowing this sort of network abuse. Given how widespread the problem is, I do not think there is any solution other than tighter regulation of criminal activity on the backs of ISPs' networks.
Mood: aggravated
A little while ago, I posted about a phish scam in which someone had placed multiple fake PayPal and bank sites on one server in order to trick people into handing over their bank account information. This particular type of scam is quite common, of course; I get a couple dozen a week in my email box these days.
It's rare to see one computer hosting multiple different fake sites, and rarer still to see them hosted for an extended period of time. Usually, the way it works is that hackers break into a poorly secured Web server (for example, in today's crop of phish emails there's a fake PayPal page that's on a Web site running an outdated, insecure WordPress install, and a fake Abbey Bank page running on a hacked Web site that's using an old, unpatched copy of the Joomla content management software.)
The fake PayPal and bank sites I discovered a couple of weeks ago were running on a server belonging to an ISP called a2b2.com, which at the time I believed wasn't actually a corrupt ISP, but rather a single clueless individual. The ISP a2b2.com is located in Great Britain and seems to be run by just one person.
A day after I posted about that site, I received an email from the guy who runs that ISP, telling me that the server had been taken offline and the fake bank and PayPal sites were gone.
I thought that was the end of it. I was wrong.
( We're about to get technical here! )
- Mood:
infuriated
Many weeks, six emails, one complaint lodged in the ISP's automated ticketing software, and the phish sites I talked about here remained active and functioning.
But two hours after I make a LiveJournal post about it, the site is knocked offline and I get the following email in my mailbox:
HI
We are aware of this but can't comment further at this time however please be assured that it is being handled in line with the local police
--
Rus
It's possible the timing was a coincidence, of course, and the site being knocked offline had nothing to do with talking about the phish fraud openly. It's possible, but it seems pretty weird to me.
- Mood:
tired
So a couple weeks back, I get an email in my mailbox telling me that there is a problem with my PayPal account, and asking me to click a link to verify my account information.
Since I don't have a PayPal account, it didn't take a great deal of intellectual prowess to figure out that it was a "phish" email--an email designed to trick the credulous and unwary into going to a phony site and handing over their PayPal password. I get about a half-dozen of them a day, and I fired off emails to the appropriate Web hosts and forgot about it.
Next day, I got another phish asking me to validate my Bank of America account information. I don't have an account with Bank of America, naturally. Again, a standard phish.
The only weird part was that the phony Bank of America site was hosted on the same Web server as the phony PayPal site. Fired off another email to the ISP hosting the fake sites and forgot it.
And got another phish email. And another, and another after that, and another after that. All advertising phony Web sites hosted on the same server.
"Huh," I thought. "This is weird."
( We are, of course, about to get technical here )
- Mood:
aggravated
Mac users, we had a three-month respite. The Russian Zlob gang, which last September lost the servers that were distributing the Mac DNSchanger malware when the corrupt hosting company EST Hosts went dark, is back after Macs again.
Just discovered a server being used to spread Mac malware from
http://brakeplayer.net/download/get7003.dmg
*** WARNING *** WARNING *** WARNING *** This link is live as of the time of this writing. The payload, named get7003.dmg, contains a new version of the Mac DNSchanger, aka OSX.RSplug.A, OSX.RSplugin.A, or OSX/Zlob, computer malware.
The malicious server brakeplayer.net is brand new and is hosted in Latvia, on an ISP called "zlkon.lv".
whois brakeplayer.net
Whois Server Version 2.0
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Domain Name: BRAKEPLAYER.NET
Registrar: REGTIME LTD.
Whois Server: whois.regtime.net
Referral URL: http://www.webnames.ru
Name Server: NS1.BRAKEPLAYER.NET
Name Server: NS2.BRAKEPLAYER.NET
Status: ok
Updated Date: 26-dec-2008
Creation Date: 15-dec-2008
Expiration Date: 15-dec-2009
Name servers:
ns1.brakeplayer.net
ns2.brakeplayer.net
Registrar: Regtime Ltd.
Creation date: 2008-12-15
Expiration date: 2009-12-15
Registrant:
Nikolaj Selivestrov
Email: paul.aspen111@gmail.com
Organization: Private person
Address: ul. kosmonavtov, 132-13
City: Moskva
State: Moskovskaya
ZIP: 129301
Country: RU
Phone: +7.4957854978
I've also noticed an uptick in the number of hacked Web sites hosted by iPower Web lately. As I've talked about extensively here, here, here, and here, iPower is basically a mess. For more than a year now, hackers have been walking all over their servers, planting virus redirectors in sites that are hosted by iPower or their subsidiaries.
For a while, the number of attacks against iPower dropped to next to nothing, and I thought that they'd fixed their security problem. Now, I'm not so sure--now, I think that iPower is as compromised as it always has been, but the hackers toned down the attacks when they started getting attention. Can't prove it, but my hunch is there's a long-standing zero-day exploit in vDeck, iPower Web's home-grown Web control panel software.
I think we're going to be seeing more Mac malware in the near future.
- Mood:
aggravated
Yesterday, I talked about how the Russian Zlob gang was abusing open redirectors on the Net to seed Google with links to malware. I'd made a list of such open redirectors over the past few days, and have been contacting the owners of the redirectors explaining the problem and how to fix it.
Last night, I found an open redirector on the usa.gov site, which was being used in Google links to spread malware. I fired off an email to the usa.gov Webmaster explaining the problem. This morning I got a very nice email reply saying they'd verified the problem and fixed it; the redirector now does referrer checking and refuses to redirect for non-local requests. Checked it out, and sure enough, it was fixed.
Woot! They had a patched script up within hours. Who says the government is always slow and inefficient?
- Mood:
energetic
I've spent quite a lot of time in this journal posting about a particular group of Russian computer virus writers, starting from when I first discovered last year that my name was being used to poison Google keyword searches and drive traffic to Web sites that attempt to download malware onto computers. (Does that make me an official net.celebrity?) I've made it something of a hobby to follow this particular group, and have written about how they have repeatedly hacked an ISP called iPower Web to spread viruses, and how they've built an elaborate underground computer network to funnel traffic to virus-infected Web sites.
Along the way, they've changed tactics a number of times. The hacks against iPowerWeb are still ongoing, though they seem to have slowed; at the height of the attack, iPower was hosting tens of thousands of newly-hacked Web sites per day, though now it's slowed to a paltry trickle...at any given time these days, there are only a couple hundred hacked Web sites living on iPower's servers. When the post about iPower first went live last December, I was flooded with emails from folks saying "My Web site is hosted by iPower and I've been hacked!" and I even got two phone calls from iPower customers whose Web sites had been penetrated. (Yes, my phone number is out there, for folks who want to dig it up. No, I'm not gonna tell you what it is.)
The interesting thing about this particular computer gang is their adaptability. They're constantly changing targets, and as time goes on their underground network grows larger and more resilient.
In the past, they've planted redirectors to malware sites on hacked Web servers, they've exploited security flaws in software like phpBB and WordPress to redirect traffic to virus droppers, they've set up fake FaceBook profiles that redirect visitors to virus-infected sites, and they've even created fake Google Groups to direct traffic to virus sites.
In the past couple of weeks, though, I've seen a whole new approach, and it's all about exploiting open redirectors.
( We're going to get technical under here! )
Now comes the rant.
Folks, if you use a redirector anywhere on your site, it is *** ABSOLUTELY *** ***IMPERATIVE *** that your redirection script checks the browser referrer to make sure the referrer is your domain.
I cannot stress this enough. This is easy to do; it takes one, or at the most two, lines of code. You MUST do this.
That way, if someone clicks on a Google link to your redirector, it won't work.
This is a simple, easy thing to do. Yet many, many people do not do it, and as a result, they unwittingly allow their redirectors to be hijacked to poison Google results and spread computer viruses. One particularly notorious offender here, which I've seen abused in exactly this way, is the WordPress plugin called OZH Click Counter. The purpose of the plugin is to track link popularity, but it is vulnerable to this kind of abuse.
If you own a WordPress blog, I strongly, strongly recommend that you DO NOT install the OZH Click Counter plugin, or any similar plugin that uses an insecure redirector. I've seen many examples of Google links to malware droppers that take the form
www.somewordpressblog.com/content/go.php?http://www.somevirussite.com
It doesn't matter how obscure your site is. If you have an open redirector on your site, sooner or later it will be abused; the hackers use automated tools to search the Web for such redirectors.
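Here is what the fix looks like in code, for both the usa.gov repair described a few posts up and the rule above. This is an added example, not code from the original post, from usa.gov, or from any WordPress plugin; OWN_HOST, the destination allowlist and every host name in it are made up for illustration. It shows the vulnerable go.php pattern, the Referer check the post calls for, and a destination allowlist, which is the check a practitioner should prefer: the Referer header is frequently absent (mail clients and privacy settings strip it) and an attacker's own page can supply any Referer it likes, so it is a speed bump rather than a wall.

```python
"""Hardening a go.php-style redirector. Added example, not code from the
original post or from any WordPress plugin; the host names and the allowlist
below are made up for illustration."""
from urllib.parse import urlsplit

OWN_HOST = "somewordpressblog.com"        # assumed: the site running the redirector
ALLOWED_DESTINATIONS = {"www.example.org", "docs.example.org"}   # assumed


def host_of(url):
    """Lowercased host of a URL ('' if none). urlsplit strips user@ and :port,
    so 'http://somewordpressblog.com@evil.example/' yields evil.example."""
    return (urlsplit(url).hostname or "").lower()


def same_site(referer_host, own_host):
    """True when referer_host is own_host or one of its subdomains."""
    return referer_host == own_host or referer_host.endswith("." + own_host)


def open_redirect(target):
    """The vulnerable pattern: /go.php?<url> sends the visitor anywhere.
    Once Google has indexed such a link, your domain launders the payload."""
    return target


def referer_checked_redirect(target, referer, own_host=OWN_HOST):
    """What the post asks for: follow the link only when the click came from
    one of our own pages. A visitor arriving straight from a Google result
    carries a google.com Referer (or none) and is refused."""
    if not referer or not same_site(host_of(referer), own_host):
        return None
    return target


def allowlisted_redirect(target, allowed=ALLOWED_DESTINATIONS):
    """The stronger fix: refuse any destination you did not choose. This holds
    even when the Referer is absent (many clients strip it) or comes from a
    page the attacker controls, which the Referer check alone does not."""
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https"):
        return None                       # drops javascript:, data:, //host
    if host_of(target) not in allowed:
        return None                       # drops www.example.org.evil.example too
    return target


if __name__ == "__main__":
    bad = "http://www.somevirussite.com/dropper.exe"
    print(open_redirect(bad))                                                # follows it
    print(referer_checked_redirect(bad, "http://www.google.com/search?q=x"))  # None
    print(allowlisted_redirect("http://www.example.org.evil.example/"))       # None
```

Note that the allowlist compares the parsed host, not a substring: "www.example.org.evil.example" and "www.example.org@evil.example" both fail, which is exactly the brand-in-a-subdomain trick these gangs rely on. If your links are stored in a database, the cleanest form of the allowlist is to redirect by record id and never accept a URL from the query string at all.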
- Mood:
aggravated
(Note: This is Part 1 of what will probably be an ongoing and irregularly-updated tutorial on how not to fall for fraud, phishes, and scams on the Internet.)
Let's start by talking about one of the most common kinds of email fraud: a "phish" email.
A typical phish email--you've probably received at least one, I know I get about twelve a day--is an email that comes from an official-looking email address. It says it's from your bank, or from eBay, or from Amazon, or from Google, or from some other company you do business with. It tells you there's a problem. It says that in order to fix the problem, you have to click on a link in the email and then type in your bank account number, or your eBay password, or your credit card number, or something like that.
You probably think you're too smart to be suckered by one of these, and who knows? You might be right. But they're deceptive and written with a good understanding of human psychology, they tend to look pretty damn convincing (often, they resemble an official email perfectly, right down to the logos and formatting), and they prey on surprise and fear. Nobody wants to be locked out of his bank account, or banned from eBay.
They might even tell you that there is no problem at all--everything's fine, there's no need to take any action. The $3,714 has been charged to your credit card for the giant flat-screen TV that you ordered to be shipped to a house in Wisconsin; nothing's wrong, the transaction went smoothly.
But, you know, just in case you didn't order a $3,714 flat-screen TV for your friend in Wisconsin, there's a helpful little box:

"Hell, yeah I'm gonna dispute that transaction! I'm being robbed! Someone just stole my credit card and used it to buy a flat-screen TV! I have to stop this RIGHT NOW!!" Your heart is pumping, your adrenaline is going, you're so upset you can hardly think straight...
See? That's what I mean when I say these guys are really good at psychology. You're one click away from voluntarily handing your eBay account to Russian organized crime.
Let's backtrack a little bit and talk about something boring: Links.
Now, you know what a link is, and you use them all the time. It's okay; bear with me for a minute.
I can turn any word I want to into a link, and make the link go anywhere I want to. It's easy to do, and we all take Web links for granted. For example, I can do this:
The word Elephant, if you click on it, will take you to Google. All pretty simple, right? Stay with me; I'm really not trying to insult your intelligence, I'm just illustrating a point. This is going somewhere, I promise.
I can make the word Elephant be anything I want it to. I could change it to a different very large gray animal, for instance:
Like before, if you click on the word Rhinoceros, you'll go to Google.
Of course, a link called "Rhinoceros" isn't very useful. Most folks use more descriptive words in their links, like "Google," for example. So I could do this
So you click on the word Google and you go to Google. Nothing special here.
But let's think for a minute about the implications. I can make the word say anything I want to. Anything. Anything. Anything at all. Have you got it yet?
No?
Well, suppose I want to lie to you? Check this out:
Where do you think you will go if you click on the link that says "http://www.yahoo.com"? I'll give you a hint: You won't go to Yahoo. Try it and see!
Yep, that's right, just because you see a link in your email that says something like http://www.yahoo.com or http://www.ebay.com or something like that, it doesn't necessarily mean that clicking on the link will take you there. The words can be anything that a Russian gangster can imagine. Links can lie.
So here's Lesson 1: Never, ever, EVER assume that if you click on the words www.yahoo.com you will go to Yahoo. The words can be anything that anyone wants them to be.
There is some good news. Most email programs will show you where a link actually goes if you sit your mouse pointer over the link and just leave it there without clicking on it:

And, fortunately, you can always tell what Web site you're on. Unfortunately, if you have been tricked and you think that you're going to Yahoo, you may not bother to check.
Every Web browser has an address bar. And the address bar shows you where you are. The address bar is at the top of the browser window, like so.

Most people get a sense of where they are by looking in the middle of the page. If they see familiar logos and familiar words, they assume they are where they want to be.
But a Web page is easy peasy to fake. All those professional-looking logos can be copied in a computer in a couple of seconds with a few clicks of a mouse.
And remember how I said these guys know human psychology? They really, really know human psychology. And they use psychological tricks to confuse you with the URL.
You know how your bank and eBay and all of those places always tell you to make sure your browser address bar shows the right address when you go to their page? It's worthless advice. You know why?
You're lazy.
Yes, that's right. I don't even know you and I know you're lazy. I'm lazy. Everyone is lazy. Human brains are designed and optimized to make rapid evaluations and rapid decisions with a minimum of effort. You're lazy, and the hackers know it.
When you look at a Web site address--if you look at a Web site address--your eye begins reading it, and then you stop reading if you see something that looks familiar.
It's how your brain works, and the hackers are very well aware of that.
So here's what your brain does when you see a Web address:

You read the URL until you see something that you recognize. Then you stop. Your brain says "Yes, I recognize this; all the gobbledygook at the end doesn't matter. I know where I am; I'm at adwords.google.com."
WRONG!
You've just been suckered.
When you read a URL, the only part that matters is the part right before the FIRST slash after the http:// part. Here is the RIGHT way to read a URL:
Step 1: Look for the very first slash after the http:// part:

Step 2: Read the part right before that slash.

Got it? This Web site is not adwords.google.com. This Web site is sys56.ru. The ".ru" part means "Russia". You are looking at a confusing URL designed to trick you into not noticing that you're at www.sys56.ru.
See how it works? Let's try again, with a fake Web site pretending to be Wachovia Bank.
Step 1: Look for the very first slash after the http:// part:

Step 2: Read the part right before that slash.

Where is this URL? This URL is at winnerresult.com. Not Wachovia; winnerresult.com.
Sometimes, there is no slash at all after the http:// part. If there is no slash at all anywhere in the address, then you look at the end of the address:

A real eBay signin address is
http://signin.ebay.com/ws/ebayisapi.dll
See the red slashes? In the fake, they are dots, not slashes. How do you know the real one is real? Follow the two simple steps: step 1, look for the first slash after the http:// part, and step 2, read what's right in front of it.
http://signin.ebay.com/ws/ebayisapi.dll
Look for the first slash in a Web address. Check out what's right in front of the slash. Those two steps will save you from getting suckered.
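For readers who would rather have the two-step rule as code, here it is as an added example; it is not part of the original post. The sample links are constructed to match the three tricks described above (a familiar name stuffed into a subdomain, a familiar name buried in the path, and dots where slashes should be) and do not reproduce the screenshots. The host names sys56.ru, winnerresult.com and signin.ebay.com come from the text; verify-account.example and the HTML snippet are made up. The code also covers one trick the two-step rule alone misses: a browser treats anything before an "@" in the host part as a username, so http://signin.ebay.com@verify-account.example/ goes to verify-account.example.

```python
"""Reading a URL the way the post says to: find the host, ignore the rest.
Added example, not part of the original post. The sample links are
constructed to match the tricks the post describes; the exact URLs in the
post's screenshots are not reproduced here."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


def real_host(url):
    """The part 'right before the first slash after http://', done properly:
    urlsplit also discards a user@ prefix and a :port suffix, two things a
    naive 'read up to the first slash' rule would fall for."""
    if "://" not in url:
        url = "http://" + url            # browsers assume http:// when omitted
    return (urlsplit(url).hostname or "").lower()


def registrable_part(host):
    """Last two labels, e.g. 'sys56.ru' for 'adwords.google.com.x.sys56.ru'.
    Good enough for the brand-in-a-subdomain trick; a real public-suffix list
    is needed for names like example.co.uk."""
    labels = host.split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Pulls (visible text, href) pairs out of HTML, so the words you see can
    be compared with where the link actually goes."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def lying_links(html):
    """Links whose visible text looks like an address but whose real host
    differs: the 'words can be anything' lesson, checked mechanically."""
    p = LinkCollector()
    p.feed(html)
    out = []
    for text, href in p.links:
        if "." in text and real_host(text) != real_host(href):
            out.append((text, href, real_host(href)))
    return out


# Constructed samples modelled on the post's tricks (not its screenshots)
SAMPLES = {
    "brand in subdomain":
        "http://adwords.google.com.login.session.sys56.ru/adwords/login.php",
    "brand in the path":
        "http://winnerresult.com/wachovia.com/onlinebanking/signin/",
    "dots instead of slashes":
        "http://signin.ebay.com.ws.ebayisapi.dll.verify-account.example/",
    "user@ trick":
        "http://signin.ebay.com@verify-account.example/ws/ebayisapi.dll",
    "the real thing":
        "http://signin.ebay.com/ws/ebayisapi.dll",
}

# Constructed phish fragment: the link text says Yahoo, the href does not
PHISH_HTML = ('<p>Please verify your account at '
              '<a href="http://verify-account.example/yahoo/">http://www.yahoo.com</a>'
              ' or <a href="http://www.yahoo.com/">Yahoo</a>.</p>')

if __name__ == "__main__":
    for label, url in SAMPLES.items():
        host = real_host(url)
        print(f"{label:26} -> {host}  (really: {registrable_part(host)})")
    for text, href, host in lying_links(PHISH_HTML):
        print(f"link says {text!r} but goes to {host}")
```

Run it and the "the real thing" entry is the only one whose host ends in ebay.com; everything else resolves to sys56.ru, winnerresult.com or verify-account.example no matter how much familiar text is stuffed in front of or behind it.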
In part 2, I'll cover some telltale signs that a Web site is trying to download a virus onto your computer.
- Mood:
determined
...and not even twelve hours after Obama's acceptance speech, Eastern European organized crime are using America's feelings about this historic moment to spread computer viruses.
A little while ago, I posted about a gang of computer criminals who, while building a network of hacked computers to use to spread viruses and fake bank sites, had hacked a system belonging to the US Department of Defense.
Those very same criminals are now hitting my inbox with messages trying to get me to visit a server that downloads a computer virus disguised as a news story about Barack Obama's victory.
I've received two of the emails so far. Both are formatted the same way, and are identical in formatting to the phish emails that masqueraded as a bank "security update." The first carries a subject line reading "Obama win sets stage for showdown;" the second, "Priorities for the New President - TIME". Both come from the forged email address "news@unitedstates.com".
( First, the technical stuff about how this computer virus is being spread. )
Okay, so that's the technical angle. The social angle is more interesting.
In the past, this particular group of criminals has contented itself with your standard, garden-variety phishing scams. They send out emails that read, for example,
"Attention all Bank of America Consumers.
At Bank of America, the security of your information is paramount. Our systems and security procedures are designed to keep your personal and financial data confidential at all times.
You also have a significant role to play and should adopt the following practices to help keep your personal and financial information protected from unauthorized use - Keep Your Internet Banking Session Secure and set up SSL Certificate."
The site that you go to when you click the link looks just like the Bank of America site, but of course it's not; and the "security certificate update" it downloads to your computer is, of course, a computer virus.
The new emails, though, have been branching out a little. They've been experimenting with using come-ons not related to banks, like this one:
"Dear Classmates customer.
Classmates Day 2009 soon! Video Invitation from your Classmates "2009 Classmates Day Announcement!" prepared to view.
Reunite Your High School Classmates and Celebrate This Day! Your Classmates Are Waiting to Hear From You!"
And, natch, the "video invitation" is actually a computer virus.
Today, Barack Obama's victory has given them a new angle:
"Barack Obama Elected 44th President of United States
Barack Obama, unknown to most Americans just four years ago, will become the 44th president and the first African-American president of the United States.
Watch His amazing speech at November 5!"
The "video" of his amazing speech is--you guessed it--actually a computer virus.
The Russian criminals behind this have demonstrated themselves to be adept at keeping track of hot-button issues and using them to exploit those folks who are inclined to believe every email they read.
It's interesting that these scams succeed, in part because the Web sites set up by the criminals have telltale markers of fakery all over them. The people responsible for these scams do not speak English as a first language, so the Web sites masquerading as banking sites or news sites tend to be replete with spelling and grammar errors.
Yet folks don't seem to notice.
I wonder if this isn't a side effect of America's culture of anti-intellectualism; learning and knowledge are so despised that people either expect their bank's Web site to be covered with spelling mistakes and grammar errors...or, worse yet, people don't notice the spelling mistakes and grammar errors.
The site that tries to download a virus disguised as Barack Obama's speech, claims to be "America.gov: Telling America's Story" and then says "Introduction America.gov. Look amazing speech of new president."
- Mood: aggravated
Lately, I've been getting a spate of "phishing" emails, at about two a day. These mails claim to come from a bank, and say something along the lines of "Your online banking has been suspended, you need to give us your banking details again." They then point to a fake Web site that looks just like a real banking site, and try to dupe victims into typing their bank account numbers and passwords and such into the fake site. All pretty bog-standard so far.
The past few weeks have seen a very specific type of phish that's relatively unusual: rather than trying to get me to type in my account number and password, these phish emails lead me to a site that tries to get me to download a "browser encryption update" to my computer. The "update" is, of course, a computer virus that records everything I do in my browser and sends it back to the hackers. A bit of a twist on the idea, but still basically the same thing.
What's surprised me is the sophistication of these phishes. The fake Web sites have really long names, such as
http://ktt.key.ktt.cmd.logonFromKeyCom.productsremote.KUTglSiqAY.rnalid.viewcontent.ttioense.com/logon.htm
( *** WARNING *** *** WARNING *** *** WARNING *** This site is live as of the time of this writing, and WILL try to download malware onto your computer!)
What's unusual about this is three things.
First, the hackers are registering a domain, rather than just hanging the phish off of a hacked Web site.
Second, the hackers are putting this domain on a large number of computers, probably hacked home PCs, spread out all over the world, so that if one of them is shut down the others will still work. As of the time of this typing, ttioense.com is living on ten different IP addresses in ten different parts of the world.
Third, the hackers are running their own name servers. They are hacking computers, setting up name servers on those computers, and then using those name servers to set up sites that pretend to be bank sites and try to download malware. Essentially, they are creating their own "shadow Internet"--their own Web sites set up on hacked computers, and their own domain name servers also set up on hacked computers.
Still pretty bog-standard, if technically sophisticated.
Hold on to your hat, Dorothy, because Kansas is about to go bye-bye.
As of the time of this writing, ttioense.com, the fake bank Web site that tries to download a virus, has two name servers:
Domain name: ttioense.com
Technical Contact:
Pamela Saul pamela@yahoo.com
3366810811 fax: 3366810811
5903 Shenandoah Road
Greensboro NC 27405
us
Billing Contact:
Pamela Saul pamela@yahoo.com
3366810811 fax: 3366810811
5903 Shenandoah Road
Greensboro NC 27405
us
DNS:
ns1.dabchecks.com
ns2.dabchecks.com
Created: 2008-10-15
Expires: 2009-10-15
Now, ns1.dabchecks.com is running on a server in the UK belonging to a company called UK Dedicated Servers Limited.
On the other hand, ns2.dabchecks.com...
ns2.dabchecks.com is running at 22.25.119.21, on an IP address belonging to the United States Department of Defense. Specifically, 22.25.119.21 belongs to the Department of Defense Network Information Center--a military network so paranoid that their main Web site won't let you log on unless you have a special access card and you're connecting from a .mil address.
whois 22.25.119.21
OrgName: DoD Network Information Center
OrgID: DNIC
Address: 3990 E. Broad Street
City: Columbus
StateProv: OH
PostalCode: 43218
Country: US
NetRange: 22.0.0.0 - 22.255.255.255
CIDR: 22.0.0.0/8
NetName: NICS0175
NetHandle: NET-22-0-0-0-1
Parent:
NetType: Direct Allocation
Comment:
RegDate: 1989-06-26
Updated: 2007-07-06
OrgTechHandle: MIL-HSTMST-ARIN
OrgTechName: Network DoD
OrgTechPhone: +1-614-692-2708
OrgTechEmail: HOSTMASTER@nic.mil
And that isn't something you see every day.
- Mood: busy
So it turns out we may see a respite, even if only for a while, in new infections with the Mac DNSchanger malware.
The story starts with an Estonian company operating out of the US, called ESTdomains, and its associated Web hosting company, ESThosts. ESTdomains is the preferred domain registrar for Eastern European cybercriminals, who often host viruses and malware on its sister company ESThosts.
ESThosts relies on an upstream ISP called Intercage for its connection to the Internet. Happily, Intercage, which has long turned a blind eye to all kinds of criminal activity on the Internet, finally crossed the line and was dropped by its service provider. A new upstream provider rode to its rescue, only to have its packets dropped by an Internet backbone provider.
Why is this happy news for Mac users?
A while ago, I mapped out an underground network of virus and malware droppers, some of which were being used to spread the Mac version of the Zlob, aka OSX.DNSchanger, OSX.RSplug.A, or OSX.RSpluginA, malware.
Many of the sites that spread this malware were disguised as porn sites. Other sites were legitimate sites that had been hacked. Still other sites contained outdated, insecure versions of popular blogging or forum software such as WordPress and PHPnuke, and had been hacked to carry redirectors to the malware. Still other sites disguised the malware as antivirus software, or browser plug-ins, or any number of other things.
But--and here's the interesting part--all of these fake porn sites, hacked blogs, hacked Web sites, hacked forum sites, and bogus software sites all pulled the malware from the same repository, a server living at IP address 64.28.178.27.
Which is in Intercage's IP space, and so is currently unreachable.
Meaning that as of right now, the one server being used to spread the Mac DNSchanger malware is offline.
Now, I have no doubt that the bad guys are going to move the Mac malware to a different server at some point. But they are going to have to rejigger the rest of the network to point to the new server, which will take time. In the meantime, we should see a lot fewer infections with this malware.
- Mood: ecstatic
This has been a hella productive past few days, and I am well and truly pleased.
The first chapter of the book on polyamory is done, finished, put a fork in it. Proposals have been sent out. Chapter 2 is started. Chapter 3 is halfway done.
Downed the first two bosses in Serpentshrine Caverns and the first two bosses in Tempest Keep with my new raiding guild. My mage rocks like a rocky thing. It's just a pity she's Alliance.
Got a surprise phone call on Friday. The attacks against iPower Web, which are not only ongoing but are getting more sophisticated (since I wrote that last, the number of compromised iPower sites has surged again), are coming to the attention of iPower's customers. I received a phone call from a woman whose site had been hacked (twice!), and she had iPower on the phone when she called me.
The tech support monkeys at iPower told her that--get this--there's no vulnerability on their servers, and that her account was compromised because the attackers brute-forced her FTP password. Which was...err, sixteen characters, both letters and numbers, long.
*blink*
Anyway, she gave them the what-for and pulled all her sites off iPower. Maybe if they start losing enough customers, they'll fix their damn security.
And on the subject of Web sites, I've updated mine. I don't know what I'm going to do when I have a book in print and can't keep tinkering with it.
Last night, David and I tried playing as a team against six computer opponents in Age of Empires II. High difficulty, lowest resource setting. It was a humiliating debacle. We well and truly got our asses handed to us. Barely made it into the Imperial Age before the computer's armies closed around us and systematically scraped us off the map.
In two weeks I'll be in Chicago; planning to be there from the 19th through the 24th. Looking forward to spending time with
dayo and
scathedobsidian, I know you'll be around.
amorsalado,
dwer, will you guys be available?
So the past few weeks have been rough on Microsoft and on Adobe. First, a flaw in Microsoft SQL Server allows ASP sites to be compromised by a general SQL injection attack; then a flaw in the Adobe Flash player allows a miscreant to hijack the Web browsers of people with the Flash plugin installed.
In both cases, the vulnerabilities have been exploited to try to redirect surfers to a Web site at www.dota11.cn, which hosts a malicious script that tries to infect users' computers with a virus.
That's the old news.
The funny news--and believe me, I think this is fucking hysterical--is that one of the Web sites clobbered by the SQL injection attack is redmondmag.com, a Web site that is "the independent voice of the Microsoft IT community." It's a pro-Microsoft, look-how-great-we-are "news" site that has been so massively infected that...
uh...
...well, if you Google it, Google gives you a "this site may harm your computer" warning.
Many of the infected Web pages are pages about computer security--or, at least, apologies for Microsoft products masquerading as articles on computer security.
I know, I know, the real assholes here are the hackers, but still...goddammit, I can't stop laughing.
And it gets harder when ISPs are aware of security problems on their network but don't care. And believe it or not, I'm not talking about iPower this time.
Actual IM transcript from a conversation with xmission.com:
Tacit: You are hosting a phish.
Tacit: ftp://webmaster:webmaster@204.228.142.40/.ws/eBayISAPIi.dll
catalyst: chill, you could send a notification to abuse@xmission.com or to phish@ebay.com or whatever they have now
Tacit: Sent it two weeks ago.
Tacit: And a week ago.
Tacit: No response, phish still active.
Tacit: Two weeks is a long time.
Tacit: Your abuse@ address appears to be routed straight to /dev/null.
catalyst: I'm not an xmission employee, so I can't help, just thought I'd recommend some alternatives
rostrax: Abuse is a valid e-mail address and it is looked at.
rostrax: That would be my suggestion on what to do.
Tacit: Again?
Tacit: How many times do you think I should send the same email to abuse@xmission.com before I conclude that xmission supports and condones hacks and phishes on their network?
rostrax: How many times have you sent it?
Tacit: Four.
Tacit: First one two weeks ago.
rostrax: I cannot speak for our abuse team, but I'm sure they've looked into it
Tacit: If they'ved looked into it, and it's still active, what conclusion would you draw from that?
Tacit: 204.228.142.40 is on your network, yes?
rostrax: It is one of the IP's we have yes.
Tacit: And if you click on the above link, you would agree that it is definitely an eBay phish, yes?
rostrax: You have to understand business' have certain ways of handling these things. It may take some time. Please be patient with us, if you could send another e-mail I would appreciate it greatly. Also cc it to rostrax [at] xmission.com
Tacit: I do understand that businesses operate certain ways; I run one myself. Two weeks to handle a phish? Even China Netcom deals with phish sites faster...
rostrax: I'm unsure of our particular policy, but if you can send the e-mail and cc me on it, I will look into it on Tuesday
---
Edit: It gets better. Apparently, this phish has been active on Xmission's network since at least April 9th.
So a while ago, I posted extensively about an underground network of computer virus distributors that I'd uncovered while pursuing American ISP iPower Web about their ongoing, chronic security problems which I first wrote about last December.
It seems that in the brave new world of the Intertubes, crime does pay. It pays very well indeed, in fact. The network I documented earlier has morphed and changed radically in the past few weeks, and become larger and more resilient. In addition, a new attack vector has emerged: attacks on old, outdated versions of WordPress weblog software.
I know that a lot of folks on my flist maintain their own WordPress blogs. Please, please, please, if you run WordPress or know somebody who does, update your WordPress software. It's quick (takes about five minutes) and easy, and all versions of WordPress prior to 2.5 should be considered completely insecure.
In the past couple of weeks, I've noticed a huge surge in WordPress hack attacks, to the point where last Monday there were more hacked WordPress systems than hacked iPower Web sites that were being used to redirect folks to Eastern European virus downloaders. It seems quite likely that the hackers are using automated tools to find and automatically attack old WordPress installs, though one person I've spoken with says he believes his WordPress install was attacked through an insecure FTP username and password that was brute-force guessed as well.
The network that is being used to distribute viruses is being fed from a lot of different sources: hacked iPower sites (of course), hacked WordPress installations, Google Groups set up as malicious redirectors, custom attack domains piggybacked on top of legitimate Web URLs, and hijacked phpBB and phpNuke installs seem to be the most common. For an update on what's going on in the seamy computer underground, and a new map of the computer distribution network:
( Clicky the link! (We are going to get technical here) )
So I'm a regular reader, and contributor, to the MacFixit forums, technical computer troubleshooting forums for Mac users that are part of the larger MacFixIt Web site.
MacFixIt is a very large, highly active Macintosh troubleshooting site. It offers articles, advice, commentary, and tips for all things Macintosh. Among other things, it announces new Apple security updates, and recommends that users keep on top of security patches. Good advice, right?
Err...
The forums at MacFixIt run on Web forum software called UBB.threads. To be specific, they run on UBB.threads version 6.0.2, released in 2002.
Now, let's think about that for a second.
A large, busy Web site--a Web site dedicated to, among other things, information about computer security updates--is running forum software it has not updated since 2002. I bet some folks will already be able to tell where this story is going.
Yesterday, I logged on to the forums to discover that the forum topics and message board lists had been replaced with long lists of racial epithets. A quick Google search turned up a security advisory dating back to 2005, or three years ago, reporting that versions of UBB.threads prior to 6.5.2 had a really, really big number of really, really serious security problems, including cross-site scripting vulnerabilities, SQL injection vulnerabilities[1], and parameter inclusion vulnerabilities.
Turns out versions prior to 6.5.3 also have a posting vulnerability that can yield up complete control of the Web server to a malicious user.
Now, these are just the vulnerabilities that have been known and documented, and reported by UBB.threads itself, in the last three years. Even more recent versions still have some pretty significant vulnerabilities.
The current version, just for the record, is 7.2.
So I fired off an email to the administrator of the MacFixIt forums, and for the last day and a half the forums have been "down for maintenance."
D'oh.
Egg, meet face. How in the name of God, in this day and age, does anyone who runs any kind of sophisticated server software on the Internet not keep on top of security updates? For six years?
[1] And in this day and age, anyone who does not sanitize user input to guard against SQL injection needs to be shot.
Including you, Microsoft.
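To make the footnote's point concrete, here is an added example (my own code, not UBB.threads' or anyone else's) of a forum-style thread lookup built by string concatenation next to the same lookup with bound parameters. The table, rows and hostile input are all constructed for the demo and do not reflect any real forum schema.

```python
import sqlite3

# Constructed sample data standing in for a forum's thread table.
THREADS = [
    (1, "general", "Welcome", 1),
    (2, "general", "Security updates for 10.5", 1),
    (3, "staff", "Moderator-only notes", 0),  # public = 0: must never be listed
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE threads (id INTEGER, board TEXT, title TEXT, public INTEGER)")
    conn.executemany("INSERT INTO threads VALUES (?, ?, ?, ?)", THREADS)
    return conn


def list_threads_vulnerable(conn: sqlite3.Connection, board: str) -> list:
    # The request parameter is pasted straight into the SQL text, so a quote
    # character in it changes the statement's meaning instead of being data.
    sql = "SELECT title FROM threads WHERE board = '" + board + "' AND public = 1"
    return [row[0] for row in conn.execute(sql)]


def list_threads_safe(conn: sqlite3.Connection, board: str) -> list:
    # Parameter binding: the board name is handed to the driver as a value and
    # is never parsed as SQL, whatever characters it contains.
    sql = "SELECT title FROM threads WHERE board = ? AND public = 1"
    return [row[0] for row in conn.execute(sql, (board,))]


def demo() -> dict:
    conn = make_db()
    # Constructed hostile board name: a quote closes the string and "--"
    # comments out the "public = 1" filter in the concatenated version.
    hostile = "general' OR 1=1 --"
    return {
        "vulnerable": list_threads_vulnerable(conn, hostile),  # leaks the staff thread
        "safe": list_threads_safe(conn, hostile),              # no board has that name
        "normal": list_threads_safe(conn, "general"),          # ordinary request still works
    }


if __name__ == "__main__":
    for name, titles in demo().items():
        print(f"{name}: {titles}")
```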