Anti-Fraud sites under attack

Several of the main sites dedicated to fighting online scams are currently inaccessible because of a “Denial of service” (DoS) attack.

Fraudwatchers.com, aa419.org, 419eater.com and occasionally thescambaiter.com have been offline. Thescambaiter.com and 419eater.com are two of the oldest sites that fight “419” scams (named after the section of the Nigerian penal code that prohibits fraud). Fraudwatchers.org and aa419.org deal with a wider range of online scams, Nigerian scams as well as escrow and commercial scams often run by Eastern European crime rings.

It is still unclear who is behind the attack. The selection of websites for this concurrent attack suggests Nigerian scammers, but technically the type of attack is more typical for Eastern European scammers. It may well be a sign of increased cooperation between both crime communities.

The exposure of websites to the danger of cyber attacks in an increasingly net-centric world was highlighted earlier in the year when websites in Estonia were crippled for several days in large scale attacks, many of which originated from next-door Russia, with which Estonia has had a strained political relationship.

Throughout this year criminals have been building the Storm botnet, a network of remote-controlled zombie computers infected with malware that lets the criminal masters download and run any software on them that they choose. So far the Storm botnet has been used primarily for sending pump-and-dump penny stock spams (see here). However, experts estimate the network as being comprised of between 1 and 10 million computers, far larger than needed to spam every computer on the planet. It’s probably the only peer-to-peer network comparable in size to eBay’s voice-over-IP giant Skype, which currently has 4 to 7 million concurrent online users.

Botnets have the potential to cripple the information infrastructure that countries increasingly rely on. Greater efforts need to be made to prevent infections, clean up or quarantine infected computers and to track down the criminals who control them.

Denial-of-service attacks hit anti-spam sites

If you’re a regular visitor to some of our websites you may have noticed that the server was down for much of the last 48 hours. This was due to an online attack known as a ‘distributed denial of service attack’ (DDoS). In the first two hours alone computers with over 1000 different IP addresses worldwide were involved. At the peak 3.6 GB of requests per hour (i.e. 1 MB per second) were sent to the server, which was unable to keep up with the load and became unresponsive.
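The two figures quoted above, the number of distinct source addresses and the request volume per time window, are what a defender computes from the web server’s access log to recognise a flood of this kind. The Python script below is an added example, not code from the original post: it parses Common Log Format lines (the sample lines are constructed) and reports requests and distinct client IPs per window, then flags windows that exceed a threshold. It counts requests rather than inbound bytes because the standard log format only records the response size.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines in Common Log Format (not from the page).
SAMPLE_LOG = """\
10.0.0.1 - - [11/Jun/2007:09:00:01 +0000] "GET / HTTP/1.0" 200 512
10.0.0.2 - - [11/Jun/2007:09:00:02 +0000] "GET / HTTP/1.0" 200 512
10.0.0.3 - - [11/Jun/2007:09:00:02 +0000] "GET /index.html HTTP/1.0" 200 512
10.0.0.1 - - [11/Jun/2007:09:00:03 +0000] "GET / HTTP/1.0" 200 512
10.0.0.4 - - [11/Jun/2007:09:01:00 +0000] "GET / HTTP/1.0" 200 512
10.0.0.5 - - [11/Jun/2007:10:30:00 +0000] "GET / HTTP/1.0" 200 512
"""

# Client IP and bracketed timestamp are all this analysis needs from each line.
LOG_RE = re.compile(r"^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\]")


def parse_line(line):
    """Return (client_ip, aware datetime) for one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts


def window_stats(lines, window_seconds=3600):
    """Map window start (epoch seconds) -> (request count, distinct client IPs)."""
    buckets = defaultdict(lambda: {"requests": 0, "ips": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of aborting the whole run
        ip, ts = parsed
        start = int(ts.timestamp()) // window_seconds * window_seconds
        buckets[start]["requests"] += 1
        buckets[start]["ips"].add(ip)
    return {start: (b["requests"], len(b["ips"]))
            for start, b in sorted(buckets.items())}


def flag_windows(stats, max_distinct_ips, max_requests):
    """Return the window starts whose volume exceeds either threshold (assumed limits)."""
    return [start for start, (reqs, ips) in stats.items()
            if ips > max_distinct_ips or reqs > max_requests]


if __name__ == "__main__":
    stats = window_stats(SAMPLE_LOG.splitlines())
    for start, (reqs, ips) in stats.items():
        print(datetime.utcfromtimestamp(start).isoformat(), reqs, "requests", ips, "distinct IPs")
    print("flagged:", flag_windows(stats, max_distinct_ips=3, max_requests=100))
```

On a real log the thresholds would be set from the site’s normal traffic; the point of the distinct-IP count is that a flood from a botnet shows up as a jump in source addresses, not just in request volume, which is what distinguishes it from a single misbehaving client.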

We took several countermeasures and managed to bring some websites online again. As of today it appears the attacks have ceased.

Concurrent with this attack on our main server several other anti-spam servers underwent similar attacks. The website of URIBL.com was offline for some time. Several servers belonging to the SURBL project were affected by attacks.

The large number of IPs involved suggests that the attack involved a botnet, a large number of remote controlled zombie computers infected with malware. This criminal abuse of stolen internet resources illustrates the dangers that infected computers pose to others, against which there are few effective defenses.

It also shows that anti-spam tools such as SURBL and URIBL are effective against the spammers, or they wouldn’t be trying so hard to sabotage our legitimate efforts.

(Update 2007-06-12): SpamHaus was also affected by the attack, according to an article by Ryan Naraine (ZDNet), which quotes a usenet posting by Steve Linford of SpamHaus. According to this information the DDoS was carried out using a variant of the “Storm” malware by the same gang that also launched a DDoS attack against BlueSecurity last year.

SEC takes action against stock spammers

On March 8 the US Securities and Exchange Commission announced a 10-day trading suspension for securities of 35 companies quoted on the Pink Sheets quotation service. The suspension aims at protecting the public from fraudulent stock price manipulation by stock spammers.

All of these stocks have been advertised to millions of email users via spam, usually sent from “botnet” zombie computers. Buyers are tempted into purchasing penny stock already held by the spammers or their paying customers and as soon as prices start to inflate due to rising demand, the criminals sell at a profit, leaving the new buyers to take a loss when the stock price deflates back to pre-spam levels or below.

This practice is widely known as “pump and dump”. The SEC welcomes information about such stock scams at email address 35suspensions(at)sec(dot)gov.

We have already reported 14 other companies to them whose stock has been advertised via “pump and dump” spams during the course of the past week.

A tale of two abuse departments

In the last two days I was in contact with two abuse departments at webhosters. Though the reasons for contacting them were similar, I came away with impressions that were as opposite as could be. I called because of two websites, both highly illegal. Both were advertised in spam and I encountered them when checking suspect domains found by my spam filter.

The first encounter was prompted by a phishing site, a clone of a Wachovia bank website designed to obtain account information to steal money via online banking. The email, subject line “Update Your Account Now!” claimed to be from Wachovia Bank, but predictably the links to the site that asks for your password led elsewhere, to a domain named (Wa-) “choviainfo.com”. The domain resolved to an IP address that, according to a WHOIS lookup, belonged to Hetzner, a leading webhosting company in South Africa.

I dialled the customer service number listed in the WHOIS entry and spent less than three minutes on the phone altogether. After stating that I found a phishing site on a Hetzner server, I was transferred to the technical department. There I repeated my quick explanation and was transferred to the abuse desk. I explained the problem and spelled the domain name to the technician, who immediately checked the site and confirmed the existence of the phishing site on the machine. Using the Linux tool “chmod” he then disabled all access to the site. The website stopped working and the phishing gang was prevented from uploading another set of files. I was impressed by how quickly Hetzner had resolved the problem and mentioned to the technician that I was a customer of Hetzner in Germany (their parent company) and was pleased to see their service was as efficient in South Africa as in Germany 🙂

Today I came across another site I found worth reporting, a child pornography site hosted on a GoDaddy server. Phishing is done by unscrupulous criminals who steal millions of dollars, but child pornography is far worse. It’s about small, helpless children getting raped and others making money out of that.

This site, created by a criminal gang calling itself “CP COMPANY” and claiming to be based in Ukraine, was advertised in spam in the following way:

Hello pedo lover!
We present to you NEW PEDO COLLECTION!
High Quality h^rd CP content! Low Prices on the net!
See free preview now and get instant access!
THOUSANDS OF HQ CP PICS and MOVIES…
+ BONUSES AND UPDATES!
LOTS OF FUN FOR CP LOVERS:

http://www.fulldbcollection.info

(I only added the actual domain name in this blog posting after the site was finally shut down).

Again, I looked up the IP address and then the WHOIS record for the IP, which included the phone number of the GoDaddy abuse desk.

I called the number and explained I had come across a child pornography site on one of their servers. The representative replied that I would have to put my request in writing because otherwise “you won’t get any action on this.” They needed to be notified in a way that creates a record. I should put the details in an email to abuse (at) godaddy (dot) com.

I said I would do that, but I would like to give him the URL anyway, which I did. The call was finished in less than a minute, but without the desired result.

Checking the details on the domain again, I found it was one of the child pornography sites I had already reported by email as part of my daily spam domain verification procedure, some 15 minutes earlier. So I could only wait, checking at irregular intervals if the site still responded by using the Linux “wget” program that lets me download the text portions without having to retrieve the pictures as a browser would.

It is now more than four hours since I reported the site to GoDaddy by email and more than 3 1/2 hours since I told them by phone. The criminal site is still offering pictures and videos of raped children to willing customers with a credit card.

In the index.html I downloaded with “wget” the criminals explain to their prospective customers:

Buying production at us you support creation of new kids porn films.

I only wish a company as large as GoDaddy was able to take action against criminal abuse of their services as quickly as Hetzner.

P.S. The child porn site was still active 29 hours after reporting it, despite two emails, one phone call and one voicemail left. I have contacted a US law enforcement officer about this.

P.P.S. When the site was still active 56 hours after reporting it, I filed a criminal report with the German police. When I checked again on the following day I found that the site had finally been disabled by GoDaddy.

Botnets meet “Nigerian” spam

Today I received an email which was a familiar scam sent from West Africa. I receive literally hundreds of them every day. What made this one different was that it carried a link to a malware site.

Any Windows user foolish enough to click the link and run the executable would get their machine infected with “trojan horse” software that gives others access to their computer.

I found five different domains all used to host the same trojan and all the emails to spread them were sent from countries in Africa.

Here is an example:

Dear friend,

I’m Mr.Alfred Kodjo from Lome Togo the only son of late Mr. David Kodjo.My father was poisoned to death on Dec 23, 2005 by his fellow diamond/gold business associate in Accra Ghana.

My father told me my mother suffered high blood pressure and died when I was 3 years old, but now I’m 24 years. In the light of the above, I have contacted you to assist me to transfer out of Togo the sum of $12 million US dollars, which my father deposited in one box as family treasure with a safety company for my future, I would like the fund to get to you so that you safe-keep it for me after which I will come over to your country in due course to live and school. You will invest this money for me in commercial estate or any other business of your choice you deem healthy.

For your effort, I am prepared to give you 20% of the total funds. I am looking forward to hearing from you while thanking you for your anticipated cooperation in this regard.

Please give me also your phone numbers for better communication between us.

Kind Regards,
Mr Alfred Kodjo
just look http://postcardsbargain . com/clip.html

(spaces inserted by me, to make sure it doesn’t show as a clickable link).

The email was sent from an IP address in Togo:

Received: from [80.248.70.177] by web58607.mail.re3.yahoo.com
via HTTP; Tue, 27 Feb 2007 20:29:42 ICT
Date: Tue, 27 Feb 2007 20:29:42 +0700 (ICT)
From: alfred kodjo
Subject: {Spam!} ``Erwin co-operation from Mr. Alfred
To: kodja12@yahoo.co.th
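The header quoted above is the one Yahoo’s webmail server added when the message was submitted, and it names the submitting client’s IP address in square brackets. The Python script below is an added example, not code from the original post: it parses a message’s Received headers in order (latest hop first), pulls out the bracketed IPv4 addresses, and returns the earliest public address as the origin, together with the hop marked “via HTTP”, which is the webmail submission point. The sample message is constructed around the header lines shown on the page; the outer Received line with mx.example.net is an invented additional hop. Only headers added by servers you trust are reliable; anything below them can be forged by the sender, so in practice the search stops at the first header written by your own mail server.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: the Yahoo hop reproduces the header quoted on the page,
# the outer hop (mx.example.net / 192.0.2.10) is invented to show a second Received line.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
    by mail.example.org with ESMTP; Tue, 27 Feb 2007 13:29:50 +0000
Received: from [80.248.70.177] by web58607.mail.re3.yahoo.com
    via HTTP; Tue, 27 Feb 2007 20:29:42 ICT
Date: Tue, 27 Feb 2007 20:29:42 +0700 (ICT)
From: alfred kodjo
Subject: {Spam!} ``Erwin co-operation from Mr. Alfred
To: kodja12@yahoo.co.th

Dear friend,
"""

# Mail servers write the connecting client's literal IP in square brackets.
BRACKET_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw_message):
    """Return (ip_or_None, unfolded header text) per Received header, latest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    for header in msg.get_all("Received") or []:
        text = " ".join(header.split())  # join folded continuation lines
        m = BRACKET_IP_RE.search(text)
        hops.append((m.group(1) if m else None, text))
    return hops


def originating_ip(raw_message):
    """Earliest hop with a public IPv4 address; None if no usable address is present."""
    for ip, _text in reversed(received_hops(raw_message)):
        if ip is None:
            continue
        if not ipaddress.ip_address(ip).is_global:
            continue  # private, loopback or reserved ranges say nothing about the sender
        return ip
    return None


def webmail_submission_ip(raw_message):
    """IP recorded on the hop where a webmail front end accepted the message over HTTP."""
    for ip, text in received_hops(raw_message):
        if ip and "via HTTP" in text:
            return ip
    return None


if __name__ == "__main__":
    for ip, text in received_hops(SAMPLE_MESSAGE):
        print(ip, "<-", text[:60])
    print("origin:", originating_ip(SAMPLE_MESSAGE))
    print("webmail client:", webmail_submission_ip(SAMPLE_MESSAGE))
```

Feeding the resulting address to a WHOIS or geolocation lookup is the step the post takes next; keeping that lookup outside the parser makes it easy to run the same extraction over a whole mailbox of samples first.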

The domain postcardsbargain.com was recently registered:

Domain Name: POSTCARDSBARGAIN.COM
Registrar: ESTDOMAINS, INC.
Whois Server: whois.estdomains.com
Referral URL: http://www.estdomains.com
Name Server: MANAGEDNS1.ESTBOXES.COM
Name Server: MANAGEDNS2.ESTBOXES.COM
Name Server: MANAGEDNS3.ESTBOXES.COM
Name Server: MANAGEDNS4.ESTBOXES.COM
Status: clientTransferProhibited
Updated Date: 13-feb-2007
Creation Date: 13-feb-2007
Expiration Date: 13-feb-2008

Other domains in the same series were bestnetpostcards.com, freewebpostcards.com, ecolorpostcards.com and mailfreepostcards.com, which were also registered through Estdomains. Here are the details for the emails in which they were spotted:

212.60.73.44 (Gambia) – moceesay@hotmail.com:
mailfreepostcards.com / show.exe

196.28.250.11 (Nigeria) – mr_ban0x19@hotmail.com:
ecolorpostcards.com / winner.html

196.201.156.161 (Kenya) – info_jabrattofood@yahoo.co.uk:
freewebpostcards.com / show.exe

196.3.63.252 (Nigeria) – william_franca_fw2@yahoo.com.hk:
bestnetpostcards.com / show.exe

80.248.70.177 (Togo) – kodja12@yahoo.co.th:
postcardsbargain.com / clip.html

41.243.148.204 (South Africa) – den_ma006@hotmail.com:
nuclearworldaction.com / video.html / clip.exe

196.3.63.252 (Nigeria) – annahoffmanhome@yahoo.com
nuclearwarinusa.com / news.html

Malicious programs installed via links in emails can log keyboard input to steal passwords and online banking details. They can turn your computer into a remote-controlled spam sending zombie.

Such programs have been used primarily by Eastern European spam gangs for sending spam and for hosting illegal websites, such as for phishing scams. However, until recently the Nigerian gangs made virtually no use of malware.

A few months ago I started seeing a trend where spam for Nigerian “419” scams sent through Webmailers traced to IP addresses of broadband hosts in North America (bellsouth.net, adelphia.net, cox.net, comcast.net, shaw.ca), which was highly unusual at the time. I was wondering if the “lads” (Nigerian scammers) were renting botnets from Russian gangs to evade spam filters that were treating West African Internet cafe IP addresses as suspect.

With the latest malware spam from West Africa it appears the cooperation goes much deeper. While it is possible that the malware links were automatically inserted by a very clever trojan running on PCs in Internet cafes, it seems too much of a coincidence that all of the samples we’ve come across so far originated from Africa.

Close cooperation between the manpower of Nigerian and other advance fee fraud gangs and the brains of high tech crime rings in Eastern Europe is indeed a frightening perspective.

Child pornography hosted by Yahoo

On an average day I come across 4 new child pornography sites that are hosted at Yahoo. Shocking? It was to me when it started, but it’s been going on for a long time. Finally, at the end of June 2006 I started keeping track of them in detail. Between July 1 and December 31, 2006 I counted 744 such sites hosted at Yahoo and the flood is continuing to this day. To give you a taste, here is one I received on 2006-01-14:

Feel new emotions, taste new experience,
a very HARD and HOT YEAAAAHH!!!

5-10y.o. kids starring as porn models.

Innocent, virgin, naive and so sexy.
Pervert porn.
True effect.

http://yahoo-domain

Download your free CP pics and movie samples.
Limited offer.

As you may know, a few years ago I started publishing names of domains (websites) that were advertised via spam. For more than two years I have been one of the principal data suppliers for SURBL.org. It’s a Spam URL Blocklist that enables people to block spam based on the websites advertised. This type of spam blocking works even when spam advertising a spammer’s site is sent from a thousand different computers using a thousand different fake sender addresses.
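The paragraph above describes why a URL blocklist works independently of the sender: the advertised domain is the constant the spammer cannot change between messages. The Python script below is an added example, not code from the original post or from the SURBL project (whose real lookups are DNS queries against the blocklist zone): it extracts URLs from a message body, reduces each host to its registrable domain, and checks that against a local blocklist set. The blocklist, the message text and the small table of two-label public suffixes are constructed assumptions; a production implementation would use the full public suffix list.

```python
import re
from urllib.parse import urlsplit

# Constructed blocklist using domain names that appear elsewhere on the page.
BLOCKLIST = {"postcardsbargain.com", "bestnetpostcards.com"}

# Constructed sample body: different sender, same advertised domain.
SAMPLE_SPAM = """\
Kind Regards,
Mr Alfred Kodjo
just look http://www.postcardsbargain.com/clip.html
unsubscribe at http://www.example.com/
"""

# Matches http(s) URLs and bare www. hosts; stops at whitespace and common delimiters.
URL_RE = re.compile(r"""(?i)\b(?:https?://|www\.)[^\s<>"'(),]+""")

# Assumption: a tiny stand-in for the public suffix list, enough for the hosts seen here.
TWO_LABEL_SUFFIXES = {"co.uk", "co.th", "com.hk", "co.za"}


def extract_hosts(body):
    """Lower-cased host names of every URL found in the body, in order of appearance."""
    hosts = []
    for m in URL_RE.finditer(body):
        url = m.group(0)
        if not url.lower().startswith("http"):
            url = "http://" + url  # let urlsplit handle scheme-less www. links
        host = urlsplit(url).hostname
        if host:
            hosts.append(host.lower().rstrip("."))
    return hosts


def registrable_domain(host):
    """Collapse sub-domains to the domain a registrant actually controls."""
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        return host  # IP literal: block on the address itself
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def blocklisted_domains(body, blocklist):
    """Blocklisted registrable domains advertised in the body, without duplicates."""
    hits = []
    for host in extract_hosts(body):
        domain = registrable_domain(host)
        if domain in blocklist and domain not in hits:
            hits.append(domain)
    return hits


if __name__ == "__main__":
    print(blocklisted_domains(SAMPLE_SPAM, BLOCKLIST))
```

Note that nothing in the check looks at the From address or the sending IP, which is exactly the property the post relies on: a thousand zombies with a thousand fake senders still point at the one domain the spammer needs people to visit.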

About a decade ago, when the World Wide Web was just taking off there were a lot of headlines about child pornographers lurking in Cyberspace, but very little such material could actually be found. Nowadays most people have the perception that child pornography is tackled seriously by law enforcement, but in actual fact the criminals who sell pictures of child rape go about it more blatantly than ever. It is sickening.

Now how could a major reputable company such as Yahoo host repulsive, clearly-illegal material? They provide a legitimate service to register and host websites, like many other companies do. They are neither the cheapest nor the best webhoster, but a lot of people use them for personal websites.

All it takes is access to the Internet and a credit card.

The criminals use Yahoo for hosting illegal sites ranging from fake bank sites (phishing) to child pornography sites. They are not easy to track down since they use other people’s credit card data to register domains and sign up for site hosting. Then they upload websites and send out spam to advertise these sites. From amongst the millions of spam recipients, several thousand people will respond and sign up for more of this stuff, presumably hosted on other servers that are not closed down so quickly. They pay by credit card, handing their card data to the criminals. Repeat ad nauseam.

Once the illegal sites are reported to Yahoo, they will eventually shut them down, but by then the criminals have already had time to find new paying customers. The earlier the sites are detected and suspended, the less money the criminals make.

The credit card data abused for site hosting does not necessarily originate from child pornography customers. Phishing scams and fake internet stores are other data sources. There is reason to believe in connections between phishing gangs and child pornography gangs, as there are many common elements. Both extensively use Yahoo domains. Along with pill spammers and “warez” (software piracy) spammers they obtain credit card data in bulk and use armies of spambots to send out spam emails. These are remote controlled PCs infected with “Trojan horse” software that turn them into zombies that receive instructions from one of several hidden master servers on the Internet.

Yahoo is by no means the only company that ends up hosting illegal content. However, it is the biggest single webhosting company that we’ve come across that is hosting child pornography. No other company even comes close. There has got to be a reason for that.

The situation with phishing scams using newly registered domains is similar. Phishing sites tend to be hosted either on cracked websites, hijacked computers, computers in China or by Yahoo. There has to be a reason for why criminal spammers prefer Yahoo, even though it’s by no means the largest webhosting company.

Typically when a provider is massively abused for hosting illegal content, as for example MSN was for hosting Nigerian scam sites (419 scams), it means that either its credit card fraud detection mechanisms are inadequate or its technical support is not geared up to effectively handle fraud reports about hosted sites submitted by the public. Usually it’s a combination of both.

The spam gangs that host sites at Yahoo know that their sites will be shut down eventually. That’s why they launch four new sites per day and keep the mail pipeline stuffed with new spam. Every extra day that it takes a webhoster to respond is a day during which they get new credit card orders, at $99.95 a client. Some of that money finds its way to the rapists who provide the pictures.

For the last 6 months I have been reporting all Yahoo child pornography sites to the company. Trying to get a more direct connection, I contacted a friend in the USA with law enforcement contacts. My friend went as far as talking to the FBI, only to be told that the FBI wasn’t interested in this type of site. They were only after the main sites that the Yahoo sites act as a shop window for. The number of new sites is still the same as it was six months ago. Yahoo appears to have done nothing to discourage this abuse of their services.

I would be glad to hear from Yahoo directly to work out a modality to get those spam sites shut down as quickly as possible. Even more I wish for Yahoo to get its act together and tighten up its checks on new domain setups, so as to detect attempts to sign up for illegal purposes by watching out for recurring patterns in the signup attempts. If I as the owner of a small software company can detect all those pornography domains to report them, why not a billion dollar company like Yahoo?

CNN reports about online scams

A recent CNN article described various online scams, including fake lotteries and other 419 scams:

As one scam-watch site pointed out, lottery companies do not organize “promotional” lotteries, they advertise. A free “promotional” lottery that you only hear about if you win would only promote the lottery to a handful of customers. That doesn’t make any sense.

If you answer the e-mail, after one or two e-mail exchanges with the so-called lottery officials or claims agent, perhaps accompanied by some official looking but fake documents, you’ll be asked to pay fees for taxes or handling or some other reason. This is the scam — you pay the fees and never see any winnings, mainly because there are none to see.

Currently fake lotteries are the most prominent of online scams. We get far more queries about fake lotteries than about all other types of scams taken together. More people fall for them than for any other scam, maybe because so many people play lotteries in “real life”, so the idea of a sudden lucky strike is not alien to them.

In case you wondered, the unnamed scam-watch site quoted by CNN is the one you’re looking at right now. It was a quote from our 419 fraud FAQ about fake lotteries. The article also prominently mentioned Fraudwatchers.org of which we’re a member and listed it as the first of several fraud-information websites.

Education is the most effective weapon against scams. People who know about scams are not easily tricked any more. If more newspaper and TV and radio stations were to talk about scams, fewer people would fall victim to them.

A strange type of spam

On June 15 I received some unusual spam. It arrived from an IP address in Turkey (88.224.75.25) that is listed by SpamHaus.

Subject: Credit card processing courtiers

Hello,

Im Adam Aministers from credit card processing company. We can offer now good rates and bi-weekly payouts. If you are still looking for credit card processing, please contact me by ICQ 192687669

With regards,
OffshoreInstantProcessing
Key account manager

A credit card processor who would handle card data for all your customers has to be trustworthy. Someone who sends spam, doesn’t have a website and cannot be contacted via either e-mail or telephone (let alone gives a physical address) is the exact opposite. What merchant in his right mind would do business with these people?

My suspicion is that the credit card transactions these guys handle in themselves are illegal (e.g. software piracy, child pornography).

Communications via ICQ are very common in Russian spammer and online fraud circles.