Franklin Veaux (tacit) wrote,

The election is over...

...and not even twelve hours after Obama's acceptance speech, Eastern European organized crime are using America's feelings about this historic moment to spread computer viruses.

A little while ago, I posted about a gang of computer criminals who, while building a network of hacked computers to use to spread viruses and fake bank sites, had hacked a system belonging to the US Department of Defense.

Those very same criminals are now hitting my inbox with messages trying to lure me to a server that downloads a computer virus disguised as a news story about Barack Obama's victory.

I've received two of the emails so far. Both are formatted the same way, and are identical in formatting to the phish emails that masqueraded as a bank "security update." The first carries a subject line reading "Obama win sets stage for showdown;" the second, "Priorities for the New President - TIME". Both come from the forged email address "news@unitedstates.com".



As before, each contains a link that has been formatted to appear confusing (and sooner or later, I need to write a tutorial about how not to be fooled by long, confusing-looking URLs). The link in one of the emails looks like this:

http://servletdologin.encrypted.configlogin.yUkYbU7OQ.verification.cfmaster.ZmRx9aavP.bfiinwach.com/president.htm?/onlineupdate/communitypage/OSL.htm?LOGIN=OtxjLyUkYb&VERIFY=U7OQIrZmRx9aavP

*** WARNING *** WARNING *** WARNING ***
This link is live as of the time of this writing. It WILL take you to a site that will try to download a Windows computer virus. DO NOT click on this link if you do not know what you are doing!




Okay, so, further down the rabbit hole...

The server name in this link is servletdologin.encrypted.configlogin.yUkYbU7OQ.verification.cfmaster.ZmRx9aavP.bfiinwach.com. The only part of this long meaningless string that matters is the part at the end, where it says "bfiinwach.com". The stuff before that part is just rubbish.

The long string of rubbish is surprisingly effective at tricking people. Folks are slowly becoming savvy enough to know to glance up at the top of a browser window to see what Web site they're on, and smart enough to know to look for the name of their bank if they're on a banking site, or to look for "ebay.com" if they want to be on eBay. Unfortunately, a lot of people still aren't savvy enough to look at the entire string; if they see something that looks like

onlineservices.bankofamerica.com.secure-ssl.russianmafia.ru

or

ebay.com.ws.secure.dll.russianmafia.ru

they don't really realize that they're actually on russianmafia.ru, not bankofamerica.com or ebay.com.
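The "look at the whole string" rule above can be turned into a check a mail gateway or a curious user can run. This is an added example, not code from the post; the reduced suffix set and the list of lure words are my own constructed stand-ins (real code should load the full Public Suffix List), and it only parses hostnames, never fetches anything.

```python
from urllib.parse import urlsplit

# Constructed, reduced stand-in for the Public Suffix List; production code should
# load the real list from publicsuffix.org. These entries suffice for the samples.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Brand and trust words that tend to show up in the decoy part of a hostname.
LURE_WORDS = ("bankofamerica", "ebay", "paypal", "login", "secure", "verification")


def registrable_domain(host: str) -> str:
    """Return the rightmost part of the hostname, which is all that identifies the owner."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def decoy_prefix(host: str) -> str:
    """Everything left of the registrable domain: the 'rubbish' the post describes."""
    h = host.lower().rstrip(".")
    return h[: -len(registrable_domain(h))].rstrip(".")


def analyse_url(url: str) -> dict:
    """Flag hostnames whose real owner is hidden behind a long or brand-laden prefix."""
    if "://" not in url:          # accept bare hostnames as well as full URLs
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    prefix_labels = [lbl for lbl in decoy_prefix(host).split(".") if lbl]
    lures = sorted({w for w in LURE_WORDS if any(w in lbl for lbl in prefix_labels)})
    return {
        "host": host,
        "registrable_domain": registrable_domain(host),
        "prefix_label_count": len(prefix_labels),
        "brand_lures": lures,
        # A long decoy prefix, or a brand/trust word in front of an unrelated
        # registrable domain, is exactly the pattern the post warns about.
        "suspicious": len(prefix_labels) >= 4 or bool(lures),
    }


if __name__ == "__main__":
    for sample in (
        "onlineservices.bankofamerica.com.secure-ssl.russianmafia.ru",
        "ebay.com.ws.secure.dll.russianmafia.ru",
        "https://www.bankofamerica.com/",
    ):
        print(analyse_url(sample))
```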

The hostile sites in this scam, like the ones used in the phishing scams I wrote about earlier, are registered by a corrupt Chinese registrar called bizcn. I gotta hand it to the Chinese; they're really figuring this capitalism shit out. The registrar of choice for organized crime used to be ESTdomains; however, now that ESTdomains and ESThosts have lost their upstream provider and are facing revocation of their registrar status after their president was convicted of identity theft and other related crimes, it looks like bizcn has stepped in to fill the needs of Russian mafia that are currently going unserved.

The criminals register a domain, such as bfiinwach.com, using a corrupt Chinese domain registrar. They then set up Web sites designed to steal bank account information and spread viruses. These Web sites are running on many different compromised computers all over the world. They then set up their own private network of domain name servers, also running on hacked computers, and use their own domain name servers to resolve their Web sites.

At the moment, bfiinwach.com is hosted on five different IP addresses:

tacits-computer:~ tacit$ dig bfiinwach.com

; <<>> DiG 9.3.5-P2 <<>> bfiinwach.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5435
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;bfiinwach.com. IN A

;; ANSWER SECTION:
bfiinwach.com. 1800 IN A 89.137.210.212 (in Romania)
bfiinwach.com. 1800 IN A 84.109.7.195 (in Israel)
bfiinwach.com. 1800 IN A 85.178.195.97 (in Germany)
bfiinwach.com. 1800 IN A 86.124.65.201 (in Romania)
bfiinwach.com. 1800 IN A 87.207.9.23 (in Poland)

Name server services for bfiinwach.com are provided by NS1.SPRITSONLINE.NET and NS2.SPRITSONLINE.NET. The server at ns1.spritsonline.net lives on a network belonging to a company called Limestone Networks, in Dallas, Texas. The server at ns2.spritsonline.net lives on a hacked PC connected to BellSouth's residential high-speed Internet service.

Most likely, the computers hosting this virus dropper, and the computers hosting name server services for this network of criminal sites, all belong to innocent home computer users who don't know that their computers are infected and can be controlled at will by Eastern European organized crime.
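The dig output above shows the pattern defenders call fast flux: several short-TTL A records for one name, each on an unrelated consumer network. The script below is an added example, not the post's own code; it embeds the post's answer section as constructed sample input and applies a simple heuristic (thresholds are my assumptions), so it runs offline with no DNS lookups.

```python
import ipaddress
import re

# Constructed sample: the answer section as printed in the post (the country
# annotations are the author's; the parser tolerates such trailing text).
SAMPLE_DIG = """\
;; ANSWER SECTION:
bfiinwach.com. 1800 IN A 89.137.210.212 (in Romania)
bfiinwach.com. 1800 IN A 84.109.7.195 (in Israel)
bfiinwach.com. 1800 IN A 85.178.195.97 (in Germany)
bfiinwach.com. 1800 IN A 86.124.65.201 (in Romania)
bfiinwach.com. 1800 IN A 87.207.9.23 (in Poland)
"""

A_RECORD = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+A\s+(?P<ip>\d+(?:\.\d+){3})")


def parse_a_records(dig_text: str) -> list:
    """Pull (name, ttl, ip) tuples out of dig output, skipping comments and other RR types."""
    recs = []
    for line in dig_text.splitlines():
        m = A_RECORD.match(line.strip())
        if m:
            recs.append((m["name"].rstrip("."), int(m["ttl"]), m["ip"]))
    return recs


def flux_score(records, max_ttl: int = 3600) -> dict:
    """Heuristic fast-flux indicator: many short-lived A records spread over unrelated networks."""
    ips = [ip for _, _, ip in records]
    ttls = [ttl for _, ttl, _ in records]
    nets = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}  # rough 'same ISP' bucket
    findings = {
        "a_records": len(ips),
        "min_ttl": min(ttls) if ttls else None,
        "distinct_slash16": len(nets),
        "all_public": all(ipaddress.ip_address(ip).is_global for ip in ips),
    }
    findings["fast_flux_suspect"] = (
        findings["a_records"] >= 3                      # assumed thresholds, tune to taste
        and findings["min_ttl"] is not None and findings["min_ttl"] <= max_ttl
        and findings["distinct_slash16"] >= 3
    )
    return findings


if __name__ == "__main__":
    print(flux_score(parse_a_records(SAMPLE_DIG)))
```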


Okay, so that's the technical angle. The social angle is more interesting.

In the past, this particular group of criminals has contented itself with your standard, garden-variety phishing scams. They send out emails that read, for example,

"Attention all Bank of America Consumers.

At Bank of America, the security of your information is paramount. Our systems and security procedures are designed to keep your personal and financial data confidential at all times.
You also have a significant role to play and should adopt the following practices to help keep your personal and financial information protected from unauthorized use - Keep Your Internet Banking Session Secure and set up SSL Certificate."

The site that you go to when you click the link looks just like the Bank of America site, but of course it's not; and the "security certificate update" it downloads to your computer is, of course, a computer virus.

The new emails, though, have been branching out a little. They've been experimenting with using come-ons not related to banks, like this one:

"Dear Classmates customer.

Classmates Day 2009 soon! Video Invitation from your Classmates "2009 Classmates Day Announcement!" prepared to view.
Reunite Your High School Classmates and Celebrate This Day! Your Classmates Are Waiting to Hear From You!"

And, natch, the "video invitation" is actually a computer virus.

Today, Barack Obama's victory has given them a new angle:

"Barack Obama Elected 44th President of United States

Barack Obama, unknown to most Americans just four years ago, will become the 44th president and the first African-American president of the United States.
Watch His amazing speech at November 5!"

The "video" of his amazing speech is--you guessed it--actually a computer virus.

The Russian criminals behind this have demonstrated themselves to be adept at keeping track of hot-button issues and using them to exploit those folks who are inclined to believe every email they read.

It's interesting that these scams succeed at all, given that the Web sites set up by the criminals have telltale markers of fakery all over them. The people responsible for these scams do not speak English as a first language, so the Web sites masquerading as banking sites or news sites tend to be replete with spelling and grammar errors.

Yet folks don't seem to notice.

I wonder if this isn't a side effect of America's culture of anti-intellectualism; learning and knowledge are so despised that people either expect their bank's Web site to be covered with spelling mistakes and grammar errors...or, worse yet, people don't notice the spelling mistakes and grammar errors.

The site that tries to download a virus disguised as Barack Obama's speech claims to be "America.gov: Telling America's Story" and then says "Introduction America.gov. Look amazing speech of new president."
Tags: computer security, computer viruses