6/29/2006

Big Brother - Part II

So, you came back for more?

Today, I'll start with the good news. There's privacy on the Internet. It's called encryption.
Encryption does exactly that: it converts each packet with an algorithm before sending it and decodes it as it arrives. Plain and simple. In general, that is; not the algorithms. As you can imagine, the algorithms are complex and require passwords, passphrases, certificates. Basically, all passwords with different formats and sizes.
The way to use it is for the two parties to agree that encryption will be used, and which algorithm and certificates will be used. From that point, all packets will be encrypted and unreadable during their transit.
Encryption can be applied at many levels: files, packets, sessions or a whole network. You can type a text message in a code previously agreed with your friend and that message will be unreadable for everyone else. Or you can open a session with a secure protocol like HTTPS and keep all packets in that session away from prying eyes. Or you can set up a VPN (Virtual Private Network) and keep all the sessions in that network hidden.
The most common case for Internet users is HTTPS, an encryption wrapper for the HTTP protocol. Servers using HTTPS keep their traffic with their clients private. You can see it in action in Gmail's login page: when you go to its page it redirects automatically to the secure HTTPS server.
But does this mean that sessions with HTTPS are 100% secure? Not even close, but I think they're good enough.
The main problem is the certificate itself. There are many ways to implement a secure channel between computers using certificates. In the case I mentioned, you end up in a secure session with a server, but where did the certificate come from? You didn't have any at that time. Well, the certificate was sent to you at the beginning of the session. And, most likely, replaced by a new one that is also sent to you, but through the session secured by the first certificate. Either way, the key to open all the packets for that session was exposed through all the transit time. Doesn't seem to make much sense. But, as I said before, it's good enough. The only way to get information from that session is to capture absolutely all of the session, all of it, because in fact it is a sequence of several different sessions with different addresses. This is not something anyone can do, not something easy to do, so it has to be worth it. Certainly not to access your free email account. At least I hope not, because if someone is after you at this level I want you to walk away from this blog. I don't want them (whoever they are) to get to me through you.
To overcome this problem, people that really, really want to have a secure session exchange certificates in private. In that case, you have your certificate beforehand and capturing all the traffic for your session is useless.
This is what's done to set up a private network: the certificates are generated by a certification authority (public or private) and, hopefully, exchanged using means other than a public network.

And now that you're happy with your privacy, let's go back to the bad news.
The transit of the packets is not the only weak point for your privacy. Let's talk about e-mail. Not all mail servers have secure sessions, and I'm not talking about the free ones; most of the private mail servers don't. But let's say that you use one that has it. Some use it only for the login; after that you're dealing with a plain open session, meaning that the content of your messages can be seen. And even if the whole session is secure, where are your messages stored?
Think about it: it's not your server, it belongs to someone else. Your messages are stored in there, available to anyone with access to that server.
But again, who cares about your free mail account? You.
The average Internet user cares about his mail account, trusts it and expects it to be private and secure. And they are, in a broad sense. They work fine and nobody is going through them, really; at least I'm not worried about it. And I'm not worried because that's not the point: I'm aware that the Internet is like a public place and that it has to be used with that image in mind. So, my question is: what are you storing in your account? What are you sending and receiving?
In a way, the Internet distorted the sense of reality for most people. It's hard to believe the things people write in e-mail, the kind of things they send in pictures and video. And the stuff they save in mailboxes.
And that's exactly the point: e-mail boxes are not secure places. They're controlled by people you know nothing about, people that owe you nothing, people that have no responsibility over the content of your mailbox. Of course they all say that they're responsible, that your mail is safe, that nobody is looking at your stuff, and I'm sure they mean it; I trust them and I've never seen evidence that they lie. But you have no way to know, no binding contract, no technical means to verify the integrity of the content in your mailbox. With real-life mail, you put your letter inside an envelope and seal it. This way, the letter can't be seen by third parties, and if they open the envelope you can tell. With e-mail, the letter is in plain view for anyone to see. Even if you use encryption, the digital envelope, it can be opened without you knowing it. And this is one of the main problems of assimilating the real world and the virtual one. In the real world, things have a physical nature that makes them unique. Even if they're made in series, each piece is unique. In the virtual world, there are no physical things. The packets you send are replicated over and over until they reach their destination, and all of them are exactly the same as the first one (not exactly, but the difference goes beyond the reach of this article). At each relay, the packet is destroyed and recreated. In the same way, they could have been replicated, stored, recreated and sent without leaving a hint of a trace.
With all this in mind, what would you use your e-mail account for?
E-mail is great: it's useful, it's fast, it's easy. But it's not something where you can put all your hopes and dreams. Not something where all your assets can be managed. Not the key to your bank account.
Going back to the phishing thing, you can see how easy it is to get access to your bank's online service, your Paypal or eBay account, etc., all things with value, monetary value. And it doesn't stop here. I'm sure that 90% of those that fell for a phishing scam are using the same password for everything. Now the phisher has the mail address or the user name for that service; if it's just the user name he can get the mail address from the settings of the account. He has the password for the service and chances are the same password works for the mail address. Once inside the mailbox, chances are some other valuable services are linked to the same account and the traces of those services are in there: newsletters, subscription confirmations, etc. He just has to try them one by one with the same password, check the messages for the passwords, because many of them will send the passwords in plain text over e-mail, or go to the login page and request the password to be sent to the mailbox. Scary, isn't it? Just one little hole in the wall and your whole world is invaded.
The problem is not that we're helpless in the virtual world of the Internet; the problem is that we've lost the perspective of the true meaning of the Internet. I said in a previous article that the main thing that keeps the Internet together is a set of technical rules, and there's nothing in that set trying to make the Internet secure for your privacy or your assets. This is not a flaw in the Internet, it's a flaw in our perception of the Internet. Because it wasn't created for all this, nobody at that time was thinking about it, nobody was able to imagine the incredible growth of the last 20 years, nobody was able to predict that.
The Internet is a great thing. It was meant as a way to connect several computer networks online in order to exchange information fast and easily, to allow access to papers and other files to people in remote locations, to let people communicate by means of e-mail, to connect computers that share information to do a job together, and many other things. It fulfilled all its goals, gave us a lot more than that and keeps delivering.
The Internet is not the problem, we are.

6/28/2006

Big Brother - Part I

Have you had the nagging feeling that someone's looking over your shoulder while you're browsing the net?

In a way, someone is. But don't get crazy just yet. The first part of the article is a brief (very brief) description of what the Internet is, so you can understand the second part.

The thing we call the Internet, THE net, is not really a network. In a broad sense it is, but actually it is a huge number of networks interconnected with each other. It sounds confusing because, after all, a group of interconnected networks forms a network, a bigger one but a network all the same. The difference is that the Internet has no identity of its own, no owner, no ruler.
The Internet is controlled by two things. One is a set of rules, technical rules, and we should be glad they are technical. The other is commercial agreements at every single point where two networks are linked.
Let's start from your own computer. Whether it is alone in your house or part of a LAN in your office, it's on a network. It has one IP address, meaning it has an identity on that network, and a physical connection. If you're on a private network, at some point that network is connected to the public network. If you're a home user, most likely your computer is on the public network already. The main difference is that from a private network you have to connect at least one point of it to a public network. But one way or the other, at that point you have an agreement with an ISP (Internet Service Provider) that lets you access the Internet. The ISP provides you a public IP address and from there you can open sessions with any other public address. I may add, most likely you can, and you'll see why in a minute.
Your ISP is basically another network; without a connection to other networks the only thing you're allowed to do is connect to other public addresses on your ISP's network. At some point, your ISP is connected to another or others, and those are also connected to others. All they need to make the whole Internet work is to know where each public address is. They don't, actually: every network knows about its own public addresses, some addresses of the networks directly connected to it, and one or more connections where it sends every packet not included in the previous groups.
Of course the lists of IP addresses are not exhaustive; they don't have to store information for each one. They're handled by blocks, groups of IP addresses that can be masked easily. This way, every time they have to route a packet, all they do is identify the block it belongs to and take the action assigned to that particular block.
Let's say that the Internet is like a city. If you live in an apartment building, you have a private address, the number on your door. All traffic to your door is handled by the doorman: if it's between apartments he can do it all by himself inside the building; if it's to or from another place outside the building he has to go to the front door and interface with the rest of the world. The front door of the building is public, it has a public address and is "connected" to the street, your ISP. If you live in a house, you have a public address and don't need the doorman to handle your traffic.
The street, your ISP, has a postman going up and down exchanging packets with every public address on the street. He's not allowed to go anywhere else. The traffic between public addresses on the street is handled directly by him, but packets to another street, city or country have to be handed to someone else. The street crosses other streets, one or many, and the postman has a routing instruction saying at which intersection to drop each packet and one or more last-resort intersections where he drops all packets without specific routing rules. At those intersections, he also picks up packets addressed to his own street. The last-resort intersections allow the postman to reach every address on the net without knowing where it is. That intersection could be served by a bigger postman, like one in an avenue with more intersections, or a high-speed postman serving a highway, where there are no homes or buildings, only intersections with streets, avenues or other highways. One thing that you may be wondering about is how postmen deliver when they have alternative routes for a packet. As you can imagine, postmen are not humans but computers, and they need precise, non-ambiguous instructions. The alternative routes can be used as a backup in case the main one fails or to balance load. In the latter case, the postman uses one or the other based on a measure of the traffic.
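To make the block-based routing concrete, here is an added example (not code from the original post) of a tiny route lookup in Python: blocks are matched by mask with the longest prefix winning, a "0.0.0.0/0" block plays the last-resort intersection that takes everything else, and each block lists its hops in order of preference so a backup takes over when the main hop is down. The blocks and hop names are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table: each block maps to its intersections (next hops)
# in order of preference; the first is the main route, the rest are backups.
# "0.0.0.0/0" is the last-resort intersection where unmatched packets go.
ROUTES = [
    ("10.0.0.0/8",      ["doorman-building"]),
    ("10.20.0.0/16",    ["doorman-floor-20"]),          # more specific than /8
    ("198.51.100.0/24", ["peer-street-A", "highway-north"]),
    ("203.0.113.0/24",  ["peer-street-B"]),
    ("0.0.0.0/0",       ["highway-north", "highway-south"]),
]


def build_table(routes):
    """Parse the textual blocks once; a lookup then only tests masks."""
    return [(ip_network(block), list(hops)) for block, hops in routes]


def lookup(table, dst, down=frozenset()):
    """Pick the next hop for one destination address.

    The longest matching prefix wins (a /16 inside a /8 beats the /8), so the
    router never needs one entry per address. Hops listed in 'down' are
    skipped, which is how a backup route takes over when the main one fails.
    Returns None when no usable route exists.
    """
    addr = ip_address(dst)
    best_net, best_hops = None, None
    for net, hops in table:
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hops = net, hops
    if best_hops is None:
        return None
    for hop in best_hops:
        if hop not in down:
            return hop
    return None          # every hop for the best block is down


if __name__ == "__main__":
    table = build_table(ROUTES)
    for dst in ("10.20.1.1", "10.99.1.1", "198.51.100.9", "192.0.2.1"):
        print(dst, "->", lookup(table, dst), "| with peer-street-A down ->",
              lookup(table, dst, down={"peer-street-A"}))
```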
The beauty of all this is that there's no central control, manager or government. All the postmen and doormen agree on the technical aspects, proper addressing and uniform instruction sheets. This way everyone knows what to do with each packet without knowing what's beyond their own bailiwick.
I want to add a small note here: the system is not perfect. Eventually you may find that a certain address is unavailable to you while your friend, who's at an address available to you, can reach it. The routing instructions change every day, either for technical reasons or commercial ones. Sometimes the changes on a network require its neighbors to change too, and that may take some time. Sometimes there's no routing instruction at all for a combination of addresses: oversight, commercial restriction (it's not worth paying for, no traffic expected, etc.) or just a technical problem.
The other side of what keeps the net together is the commercial agreement between postmen and doormen at each intersection. The agreement could be of any kind: pay by packet size, pay by speed, just pay. The agreement could also include address restrictions, alternative routes, guaranteed uptime, etc.
But the bottom line is it works. Believe it or not, the fact is the Internet works, and if you're reading this you have all the evidence you need.
Now, going back to the subject of this article: is somebody looking over your shoulder?
Every single packet that you send or receive is handled by many doormen and postmen. They're not human, but they're run by some, and they're all independent. What stops them from snooping into your packets?
The answer is simple, nothing.
Let's say that I'm a major carrier, a highway in the city analogy, and for some reason I want to look at all the packets going through one of my intersections. It's my equipment, it's my wire, and even if I had a non-snooping clause in my agreement with other networks (there's no such clause), nobody is controlling me; there's no way to know that I'm doing it from the outside.
And now that I've freaked you out, I'll put you back together. Because now you're thinking that everyone knows what you read, what you see and who you talk to. Forget it, it's not happening. But what if it is?
Have you ever been in a mall? Were you worried that someone might note which displays you look at? While you were having a drink, someone checking what you have, how, what you were reading? At the post office, the postman checking who you write to or who writes to you?
At this point, you either turned into a complete paranoid or realized that the Internet is a public place like a mall or even the street. More like a mall, I'd say, because it is owned by many private parties. But the point is the Internet is public not because of its ownership but because of its nature, its history and its technical limitations. The Internet wasn't designed for security; security was ensured physically by not allowing access to equipment and wires. But once it grew into a network too large to be confined, with too many players to be controlled, physical security became impossible.

But is it such a big deal? All your packets in the hands of people you know nothing about?
Let's go back to the mall analogy: you're going through a public place, do you expect privacy? Why do you expect privacy on the Internet, then?
The structure of the net makes it impossible to control whether someone takes a look at your traffic. I'm sure your ISP will say that no one is doing it, but I'm pretty sure that they won't give you a signed warranty. Even if they're to be trusted, once they pass the packet to the next network it's out of their control, and yours too.
But are they doing it? Is someone out there checking all your traffic?
I think not, I'm sure not. At least not in that sense. I mean, there's no way to check every single packet, no way to store it for later analysis, no way to keep up with the constant flow. I know that because I do that frequently. I'm in control of the doorman in my building and from time to time I have to check the traffic, because something is not working, or I suspect foul play from the outside or the inside, or anything else. And it's not a huge building. However, I have no way to check it all and there's no automated system able to do it. You can try it yourself if you want: go get a sniffer, a program that allows you to see all the traffic on your network connection. There are some nice sniffers for free out there, like NetworkActiv or Ethereal. Once you have it, let it run for one hour and do your regular use of the Internet. Then try to make some sense of the traffic for one hour. How far can you go?
It's a trick test, because you probably don't know enough to understand what's in there. But besides that, nobody can check in one hour a one-hour traffic file (average traffic). Even with a machine doing it, there are too many variables, and the kind of information that would make sense to a human, like text, pictures, sound and video, can't be properly evaluated by a machine. Imagine: if it can't be done with the traffic of one machine, it is a lot more difficult with thousands or millions. So, I can say for sure that nobody is checking the traffic of the Internet systematically.
However, I can imagine someone looking for something very specific. Let's say that I want to know who's using a specific mail server from my building, my network. I can set my doorman to report connections to that server. The amount of information would be easy to handle. I can do that by content too, specific words, even by media type.
And if you think that your government is able to do it, think again. I can do it because I have just one door in my building. Imagine how many different access points there are in one country and how much traffic is going through them; it's impossible to handle.
In conclusion, I wouldn't worry about someone looking at my traffic. However, the Internet is like a public place and I have to assume that my activity may be seen. Do what you do in public; don't do things you don't want others to see.

Of course there's privacy on the Internet, but that's for part II, where I'll tell you about more scary things. Relax, enjoy.

6/16/2006

What can be done about phishing

Yesterday I was upset about everyone's attitude about phishing, the same attitude that everyone has about scams and spam and fake banks, etc. Two main reasons for this are that the problem is too big and that those who fall for it are gullible people whom everyone else deems stupid and unworthy of consideration. Yes, I know it sounds harsh, but that's the way most people think.
They have the right to think any way they want, but from a practical point of view, don't the service providers want the gullible people as customers? Gullible people make a great market; they support shopping TV channels. Who wouldn't want to sell to them?
But this is a blog about phishing and other things around the Internet; gullible people and the marketplace are a theme for another blog.
What I want to write about today is ways to reduce phishing, ways that can be implemented by the service providers, whoever they are. None of these recommendations is technically impossible or complicated. In fact some of them are out there right now; someone is using them already.
Here they are:

First of all we have to understand how phishing works. The phisher goes to the original login page and saves a copy, then downloads the copy to a server somewhere else. The original page takes the username and password, checks against a database and grants or denies access. The phisher changes this: it stores the username and password and, in most of them, directs the user to a page where his/her personal information has to be verified for security reasons. That is where you have to put your address, credit card number, PINs, etc. Then it forwards you to the original home page, an error page (try again in a couple of minutes), or any other he can think of. It doesn't matter; by that time your personal information is already compromised.
I'd like to start from the e-mail, but there's a lot of stuff that I have in another article about spam and I don't want to duplicate it. So I'm going to start from the phishing page.
The first problem here is that the page looks like the original one; in fact most of the components of the page are the originals.
A web page is basically a file with instructions to build the page: it says what text is included, how it should be organized, format information, etc. It doesn't include the images; it just says what images are required to build the page, how to put them in the page and the link where the images are stored. Your browser asks the server for the image. In fact there's an option in your web browser to prevent it; it was included many years ago for people using low-speed dial-up access so they could see the content of the page without downloading all the images.
The phisher can download all the images and set up a server just like the original; it's easier now that any browser has the ability to save a full web page in one command. Before that you'd have to save them one by one. But they don't, and I think the reason is that it is a lot easier to keep the links and let the original server do the job. Having the images stored on their own servers won't help finding them, they're not more incriminating than the page itself, so I have to assume that the main reason is that they're lazy.
On the other hand, we have the original server. It's serving the images for the offending site for free, keeping them and paying for the bandwidth every time a mark falls into the trap. It doesn't make sense to me.
Why aren't they doing something about it? Here's a list of simple, silly things that can be done.

- Don't serve images if they're referred from another server. Even though the session itself is from your browser to the server, your browser tells the server where the link comes from; this is something that the phisher can avoid. A lot of sites are doing this; it's a simple solution. I'm not saying that you can do that just by checking a flag in a configuration, someone has to work it out. But it's worth it.

- Serve the images, but with a twist. When you ask a web server for an image, it sends you the file. The URL that you see is basically a directory path, just like the ones you use on your own machine. The server goes through the path, finds the file you want and sends it. An alternative to this is to use an image-serving script, an active page that checks what file you are asking for and serves it. The difference is that these scripts can check the referral and decide whether to serve the file or not, or serve another. And that option is a very good one: they can serve an image file that, instead of the original logo, bears one that's obviously fake. Better yet, an image with a text saying "you're about to log in to a fake server". Eventually the phishers will copy all the images and serve them from their own sites, but it will make things harder for them, they'll need more time, they'll need more resources, it will give the hosts a good way to detect the phishing pages automatically; at least it will reduce the problem. Yahoo is doing even more: they change the images of their webmail login page. And not only the images, they're changing the look of it frequently. If you're a frequent user, you probably got used to it by now. The idea (I guess) is that if the user sees an old page he'll suspect that something's wrong and won't log in.

- While they're not doing it, with the log of referrals they can identify, without a shadow of a doubt, any phishing page as it's being accessed. The second someone opens that page and requests the image file, the server is able to tell that it was referred from a site other than the original. Maybe they're not logging that, but I'm sure they can; any web server has a log service. The logs are, or would be, huge surely, but they don't have to read them line by line. A computer can do that, and even if they have to set a computer to do just that all day, every day, it's worth it. All they need is to compile a list of the sites from which a reference to the images is made other than their own servers. And that's it; they'd have the most efficient early-warning system ever. Every page I've seen lately is using the original image files, every single one. The phishers are literally ringing a bell every time they set up a page. However, the service providers are sitting there waiting for you to report a phishing page. And in return you get a nice preformatted thank-you message with tips to recognize phishing pages and protect yourself. What for? You're reporting the page, you don't need that. "Common sense is the least common of the senses"; I don't know if it makes any sense in English, but never before was that phrase more appropriate.

- In addition to the image problem, most of these services are using links to other services: Doubleclick, Omniture, BBOnline, Verisign, etc. Each one with a specific purpose. Doubleclick manages targeted advertising, BBOnline and Verisign do certification of the site, Omniture runs statistical analysis. I'm making a complete article about Omniture, don't miss it. They can apply the same criteria if some elements are referred from that page. But they can also certify that you're connected to the right server.
The verification that Verisign or BBOnline do is useless for the final user: the seal at the bottom of the page has an ID code assigned to the original site and you can use it anywhere you want. In fact you can try these:

https://seal.verisign.com/splash?form_file=fdf/splash.fdf&dn=WWW.AMERICARX.COM&lang=en

http://www.bbbonline.org/cks.asp?id=20111061155818568


You can try them from here, copy and paste them into your browser, or make your own page with the link. Anyway, they won't certify that the site from which you're clicking is the real one. They certify security (internal), business standards, etc. of the site whose ID you're asking about. Why aren't they certifying the site from which you're clicking? Why aren't they selling that service? As a user I'd like to have that service; the other certification is fine too, but I want one to help me know that I'm on the right site. And I know that it can be fooled, I wouldn't sell it as a 100% safe method because I know it's not, but at least it can tell you 100% sure that it isn't the right site.
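As an added example, not code from the original post or from any provider mentioned in it, the following Python shows the two defensive checks described in the image items above: the decision an image-serving script can make from the Referer header (serve normally, or serve the "fake server" warning image when a foreign page embeds the logo), and the early-warning pass over ordinary web server access logs that lists which foreign hosts are embedding the site's images. The hostnames and the combined-format log lines are constructed; a missing Referer is treated as inconclusive, since browsers and proxies often omit it.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Hosts that may legitimately embed our images (constructed for this example).
OWN_HOSTS = {"www.example-bank.test", "example-bank.test"}
IMAGE_SUFFIXES = (".gif", ".png", ".jpg")

# Apache "combined" log format:
# client ident user [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def referer_host(referer):
    """Return the lowercased hostname from a Referer value, or None if absent."""
    if not referer or referer == "-":
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None


def image_decision(referer, own_hosts=OWN_HOSTS):
    """What the image-serving script should do for one request.

    Returns ('serve', reason) or ('warn', foreign_host). 'warn' means: send
    the image that says the user is about to log in to a fake server.
    """
    host = referer_host(referer)
    if host is None:
        # No Referer proves nothing either way; serving normally avoids
        # breaking legitimate users whose browser or proxy strips it.
        return ("serve", "no-referer")
    if host in own_hosts or any(host.endswith("." + h) for h in own_hosts):
        return ("serve", "own-site")
    return ("warn", host)


def foreign_referrers(log_lines, own_hosts=OWN_HOSTS):
    """Early-warning list: foreign hosts embedding our images, with hit counts."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m or not m.group("path").lower().endswith(IMAGE_SUFFIXES):
            continue                      # unparseable line or not an image
        action, reason = image_decision(m.group("referer"), own_hosts)
        if action == "warn":
            counts[reason] += 1
    return counts


# Constructed sample access log (combined format).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Jun/2006:12:00:01 +0000] "GET /img/logo.gif HTTP/1.1" 200 2100 '
    '"https://www.example-bank.test/login" "Mozilla/4.0"',
    '192.0.2.11 - - [14/Jun/2006:12:00:05 +0000] "GET /img/logo.gif HTTP/1.1" 200 2100 '
    '"http://fake-login.example.net/verify.html" "Mozilla/4.0"',
    '192.0.2.12 - - [14/Jun/2006:12:00:09 +0000] "GET /img/logo.gif HTTP/1.1" 200 2100 '
    '"-" "Mozilla/4.0"',
    '192.0.2.13 - - [14/Jun/2006:12:00:12 +0000] "GET /login HTTP/1.1" 200 5300 '
    '"http://fake-login.example.net/verify.html" "Mozilla/4.0"',
    '192.0.2.14 - - [14/Jun/2006:12:00:20 +0000] "GET /img/seal.png HTTP/1.1" 200 900 '
    '"http://fake-login.example.net/verify.html" "Mozilla/4.0"',
    '192.0.2.15 - - [14/Jun/2006:12:00:25 +0000] "GET /img/logo.gif HTTP/1.1" 200 2100 '
    '"http://secure.example-bank.test/" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for host, n in foreign_referrers(SAMPLE_LOG).most_common():
        print(f"{host}: {n} image requests referred from a foreign page")
```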

- Research each phishing case more. I don't think they're doing it. At most they're requesting the closure of the offending site, and I don't think they're doing that either. I closed more sites last week than they did ever. Closing the site itself is good but not enough; each phisher opens many of them at the same time and doesn't expect them to live for long. If they do, great, but just a couple of days is more than good enough. People that fall for this do it almost immediately: they get the message, they click, they log in, it's done. Even one day is good enough, half a day or less too. Heck, I bet the phisher is happy if he gets one good hit. But they're doing a lot better than that; if you've read the previous article you may have seen that I found one page with less than a day of life and close to 10 good logins. Today I've just found another, half a day of life and almost 10 good logins. By the time the page is closed, most likely the phisher has already cropped it. Add to that all the pages that have been running for weeks, months. The phisher now can keep sending messages linking to them forever. And the worst part is that even if the page is closed fast, most of them are not storing the information on the same server. I want to explain this in detail because it seems simple but it is not. The page itself is weak; the phisher knows that it will be closed (most likely) and that it won't last long. He has two choices: check it often enough to make it worthwhile before it is closed, or store the data somewhere else. The last option has many advantages: he can stay away from the page for a long period of time without risking his position, the information is safe while the page is closed, all his pages report to only one site and, best of all, he knows that nobody cares; the host of the page will shut it down, erase all the content and move on. After that, there's no link between the phishing message, the phishing page and the site holding the database.
I'm seeing this setup often lately; the pages holding a local file with the logins are uncommon now. Getting the database down would make all the pages linked to it worthless, and we're talking about almost all of them linked to a relatively small number of servers. And, again, I know it takes time and resources to do it. But I think that I can do it by myself if I want to, and once you get to the server it should be easy to take any measures to close it, block it, take legal action, anything. But it's worth it; it's something that the service providers owe their customers.

I have suggestions that are more complicated, not impossible but more difficult to implement. I think I can do them, that's why I know that they can be done, but the complexity is such that some are impossible to do with the resources the phishers use to host their pages, and some would put a good part of them out of business.
Like dynamically generated images. How about the logo with the date and time? The image can be generated dynamically, but if you have access only to a web server, even with scripting capabilities, it is close to impossible. The phisher will have to move to more complex setups that would be easier to find and shut down; even worse, they'd give more evidence to track the phisher.

And the best of all, they can hire me. After all, among all those who are talking and talking and talking about phishing, I'm the one who can show results... just a thought.

6/14/2006

The surreal world we're living in

Today I was planning to post something about spam and the constant fight between spammers and filters, but something happened that changed my day completely.
Well, not really, my day hasn't changed at all, only the time I had reserved for the blog. Is just that the events developed in a way that I think now I have something more interesting to write about.
It began at lunch time while I was doing my spam/scam/phishing mail check and, as usual, a Paypal phishing message was there waiting for me. I have almost an automated procedure for them, I report to the owner of the IP where the message comes from, the host of the phishing page and the owner of the IP block where the page is. I can get over with it in less than a minute and usually the page is gone by the end of the day. Unless is hosted in Romania, China and some other places where they really don't care about it. Anyway, this page was hosted somewhere in Comcast. I reported it through their web page and received a pre-formated response saying that an IP number is not enough to report the incident and asking for a log from my firewall. The answer didn't apply to this case, I guess is one they have for intrusion reports that have not enough information. But is this case there was no intrusion, the phishing page is a pasive trap, is the victim who goes to it so no firewall can have that recorded properly. But the point is I was upset because they didn't even care to read the report, they assumed that it was about intrusion, not enough information was included, sent the preformated answer, went back to coffee. At least that's how I felt at that time, so I went back to the phishing site to see what else can be reported. Sometimes is a site with a "legal" page on it and it can help to identify the owner, sometimes there's more than one phishing page in the same site, etc.
And I was in for a big surprise: while I was looking around I found out that the server had directory browsing enabled. This means that you can see the content of the site like you see the content of your own disk. The site was pretty simple, I didn't find another phishing page nor another page of any kind, I didn't want to go inside the code of the page and it wouldn't have helped to prove it was phishing. Then I came across a text file that I thought might contain useful info. And it did. It was the file where the page stored all the data gathered from the form.
I was shocked, there in front of my eyes I had mail addresses, passwords, credit card numbers and PINs from all those who fell into that trap. Of course some were just garbage, people aware of the trap filled it with nonsense. But some others looked real.
But now I had a huge problem, what to do?
My first reaction was to close the file and I did, but what's next?
I knew that Comcast eventually would close the page, and actually they did (I have to say almost immediately, to be fair) after I sent them another message explaining the previous report. But meanwhile the file was sitting there for everyone to see. Of course it's not like it was published on the front page of a popular site, but the same way I fell into it anyone could. Plus, the one who was ready to use it, the phisher, knew where it was and how to get to it.
I was unable to erase it, I hope Comcast did, and I had no way to know if the phisher had taken it already.
It was a terrible situation because while I didn't want to know about the content, the same content was the only way to do something for the victims of the phisher. Comcast wouldn't warn them, they'd shut down the site and that's it.
I thought about Paypal and reported to them too. Usually it's an exercise in futility because they have no control over the page. I guess they report to the same people I do to close the page or block the sender of the messages. But in this case they had a chance to get the file and protect their users.
Then I started to have second thoughts. I don't know what Paypal did, they sent me a thank you answer, "we'll contact you if we need more information", and that's all. I don't think they warned the victims and I don't think they will. And the problem here is that not only their Paypal accounts were on the line, their credit cards were too.
So, I had no choice (I did, but I didn't want to take it). I went back to the site, opened the file and took note of the mail accounts ONLY. Then I erased my browser cache and sent a warning to each and every one on that list. Not many, there were about 10. I tried to make the message as clear as possible, not scary but enough to make them react and move fast before the damage is done. I don't know what's the right thing to do in a case like this. Of course you have to change your password, now! But what about the credit card? Is the information they take from you enough to go and do some shopping over the net? If so, it should be treated the same way you do when you lose your card, and that's not easy nor painless. Anyway, I feel sorry for them and for me too, being the messenger carrying the bad news is not nice.
Some things that surprised me today

How fast this thing works. From the reception of the message to the time I ran into that file it couldn't have been more than 2 to 3 hours. Maybe the site had been running for a longer period, I didn't check the dates of the files and directories (mental note for next time). But I have to assume that in that short period of time about 20 persons logged in and 10 of them used their real personal data. Amazing.

How clueless some people are. After I sent the warnings, one of the victims answered asking me to close his Paypal account. So you have this person that gets a forged message asking him to log in and provide all his personal data and complies, then when he gets a warning message automatically assumes that it is from Paypal without even looking at the address of the sender. Amazing again.

And yet again, how clueless some people are. Someone else sent me this:

"What's that supposed to mean? That all the Paypal security letters I've been receiving have been fraudulent?"

And I swear it's a cut and paste of the original message. I was in total awe thinking that this person was logging in to the phishing pages every single time, posting all the information over and over again. But it was worse than that, and I know, how could it be worse?

"For weeks I've been receiving alerts from Paypal, saying my account is in danger. After many urgent responses I concluded that perhaps there's somebody trying to get into my account..."

So, instead of thinking that so many messages from Paypal were a sign that something was wrong, she took it as a confirmation that everything was right. And to top all this, she suspected me but at the same time asked me what to do. Instead of going to those she believes (as much as you believe your account officer, I don't trust mine at all), she goes to the total stranger who she thinks is the fraudster. Amazing, amazing, amazing.

I don't blame her or any other. When you face one of those messages or the page it takes technical knowledge to recognize the signs that something is wrong. The page looks just like the original, the images, the look, the text, the form. In fact it is taken from the original, how could it look different? But on the other hand, with all the media coverage of this issue, with all the word of mouth around you, it's hard to believe they didn't see it coming. The Internet grew up to be popular before we were ready for it. It's not like other technologies that exceed our comprehension but are manageable. The Internet exceeds the comprehension of each and every one of us and nobody can manage it.

They say live and learn but I think we have come to times where if you want to live, you'll have to learn first.


PS: One thing that Paypal, eBay and others can do to help, or at least to make the work of the phishers harder, is to block external referrers for their images (hot-linking). All the phishing pages are taking images from the original sites. They don't even have to store the images, they just use the links and Paypal provides the images, pays for the storage and the bandwidth. It's insane. Preventing it is not so complicated that it can't be done. It's work, it takes time, for sure. But it's doable and makes sense. The usual caveat applies: a phisher who notices can just copy the images to his own server, so this raises his cost rather than stopping him.
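As an added example, not code from the original post, here is what that referrer check looks like in Python, with the two cases that usually go wrong: an absent Referer (which must be allowed, or legitimate users lose their images) and a naive substring match (which a look-alike host name walks straight through). The allowed host names are assumed for illustration.

```python
from urllib.parse import urlsplit

# Host names allowed to embed the images. Assumed for the example; a real
# deployment lists its own names here.
OWN_HOSTS = {"paypal.com", "www.paypal.com"}


def allow_image_request(referer, own_hosts=OWN_HOSTS):
    """Return True if an image should be served to a request with this Referer.

    An absent or empty Referer is allowed: browsers omit it for bookmarks,
    typed URLs and some privacy settings, so refusing it breaks real users.
    That is also the limit of the defence: a phisher who notices can strip
    the header or just copy the images, so this raises his cost, no more.
    """
    if not referer:
        return True
    try:
        host = (urlsplit(referer).hostname or "").lower()
    except ValueError:  # malformed URL, e.g. an unbalanced IPv6 bracket
        return False
    # Compare the whole host name, never a substring: both
    # "www.paypal.com.evil.example" and "evil.example/?u=https://www.paypal.com/"
    # contain the real name and would pass a naive 'paypal.com in referer' test.
    return host in own_hosts
```

Wired into the image handler (or expressed as a rewrite rule in the web server), this refuses the hot-linked copies of the site's own artwork while still serving everyone whose browser sends no Referer at all.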

6/13/2006

What's in a header

The protocol we use to transmit email was created in the early 1980s (SMTP is RFC 821, from 1982) for the ARPANET, the network run by the military and the academics that we know today as the Internet.
I guess that having computers connected and remote access to storage, someone came up with the idea of setting up a directory structure for local users where others could save a file, a message, for that particular user. Eventually, SMTP was developed to perform that job in an orderly, practical and automatic way. SMTP stands for Simple Mail Transfer Protocol, and it's exactly that, a simple protocol to pass mail files.
The file is built from the text you write; once that's done, the rest of the information is piled on top of it. Once you're done with your text, the mail application (or the server if you're dealing directly with it) will start adding information like who you are (From field), who the mail is addressed to (To field), what the message is about (Subject field), timestamp (Date field), size of the message, carbon copy, blind carbon copy, etc. Of these, the message format standard only requires Date and From, and SMTP servers don't even enforce that: you can send a message without a To field, or a blank message without any header at all, and nothing checks that the From address is really yours. But almost all the mail client applications we use, including web interfaces, take good care of it. So, if you check the source code of any of your messages, you'll see that most of the fields are there.
Here's an example

Date: Tue, 13 Jun 2006 10:30:43 -0700 (PDT)
From: Barrister jones <barristeredwardjones2@yahoo.com>
Subject: REPLY ASAP.
To: jwolfy@gmail.com
(Message follows..........)


So far this is what's contained in a message file (almost all of it) at the time it's stored by your SMTP mail server. From this point up, it's all routing. Every line added will say who received the file, from whom, when and how. The first line should be your SMTP server saying that it got the message from you.
Received: from [196.3.62.3] by web55407.mail.re4.yahoo.com via HTTP; Tue, 13 Jun 2006 10:30:43 PDT

In this case, web55407 is the Yahoo web interface from which Barrister Jones sent this message. His IP address is there, 196.3.62.3, and according to AFRINIC it's in Ebene, Mauritius. The user himself could be somewhere else. In this case I think he's in Nigeria because the phone number he gave me is there; probably he's using a satellite link with an earth station in Mauritius or something like that.

Once the message is complete, Yahoo will try to get to the destination server. They actually pass the message to another process

Received: (qmail 20439 invoked by uid 60001); 13 Jun 2006 17:30:44 -0000

and that process sends it to the destination server

Received: from web55407.mail.re4.yahoo.com (web55407.mail.re4.yahoo.com [206.190.58.201])
 by mx.gmail.com with SMTP id 37si1451863nzf.2006.06.13.10.30.44;
 Tue, 13 Jun 2006 10:30:45 -0700 (PDT)


Then Gmail passes it through two other servers, both in its local network (check the IP addresses, first octet 10, which is a private range). I can't say why but it has to do with their system structure. My guess is that they have a front end connected to the Internet (mx.gmail.com, most likely more than one server) which passes the message to a hub (10.37.15.13) that knows where each mailbox is located and passes the message to its final destination (10.36.250.24 in this case).

Received: by 10.36.250.24 with SMTP id x24cs7453nzh;
 Tue, 13 Jun 2006 10:30:45 -0700 (PDT)
Received: by 10.37.15.13 with SMTP id s13mr11224004nzi;
 Tue, 13 Jun 2006 10:30:45 -0700 (PDT)


Remember that the lines are added on top, so you're looking at them in chronological order only when you go through the file upward.
In the middle you'll find some other information that servers add to improve the quality of the service, like a message id, a Delivered-To field in case the To field doesn't exist or the destination address is in BCC (blind carbon copy), etc.
Yahoo adds a signature to each message (DomainKey-Signature), computed over the headers and body with a key whose public half is published in Yahoo's DNS. Any receiving server can verify it and so check that the message really left Yahoo's servers and wasn't altered on the way, and, in case of an abuse report, Yahoo can confirm that the message originated from its servers.

As you can see, SMTP is very simple but also unsafe and unreliable. No one is to blame, the people who designed it in the first place were trying to solve a problem they had at that time and safety wasn't an issue.
In this example, Yahoo verified the "identity" of the sender by means of a password. Gmail took the message from Yahoo in good faith: unless it verifies the DomainKey signature, it's not checking whether it's really Yahoo sending, and it can never verify the identity of the sender inside Yahoo.
In fact, take a look at this routing

Received: (qmail 11191 invoked by uid 0); 30 May 2006 17:51:46 -0000
Received: from unknown (HELO 89-178-30-158.broadband.corbina.ru) (89.178.30.158)
 by 0 with SMTP; 30 May 2006 17:51:46 -0000
Received: by nyf15.pamico.com id 86jo739p33c9 for <user@server.com>; Tue, 30 May 2006 19:51:44 +0100 (envelope-from <BerniceClark@kertel.com>)
Received: (qmail 15334invoked from network); Tue, 30 May 2006 19:51:44 +0100
Date: Tue, 30 May 2006 19:51:44 +0100
Subject: Erection problems can be fixed Franklin
From: "Reyes" <BerniceClark@kertel.com>
To: user@server.com


There were a lot of telltale signs in the header to identify this as spam, but I stripped it down to focus on the routing.
user@server.com is my mail address, the message was generated and addressed to me. Reyes, with the email address BerniceClark@kertel.com, sent it and amazingly he/she knows about my erection problems though he/she doesn't know my name.
The message is timestamped and sent to a qmail process; it doesn't identify the sending node and my best guess is that they're both on the same machine.
Then the message is sent to nyf15.pamico.com, a domain hosted by GoDaddy somewhere in Arizona. Remember this because it's important.
Next, my server (unknown) receives it from 89-178-30-158.broadband.corbina.ru, Moscow, Russia, and passes it to qmail, a process that stores the message in its final destination.
I know the last part by heart, it's my server and I know how it's configured.
But the odd thing is how a message sent to me goes through Arizona and Russia.
The answer is it doesn't, it's a fake header. The message was generated by a client of the Corbina broadband service in Moscow, Russia.
The mass mailer application creates a fake header to make it harder to trace the source. It's silly because the people who take the time to trace won't fall for it.
And the other small detail is that BerniceClark@kertel.com didn't do it. It could have been any other mail address, including yours; typically the spammer takes one from the lot he's spamming to.
So, how must this routing be read to know where it came from?
The routing is a list of declarations where everyone involved in the transit of the message takes custody of it. So we have to start from the one we believe, our own server.
It can be fooled, but only up to some extent.
If you check the line where unknown receives the message, there's a HELO. This is a literal copy of the declaration the sender makes at the start of the SMTP session, typically HELO and its name (smtp.server.com), but it could say anything. The HELO command itself is mandatory, but its argument is whatever the sending server chooses to say, and nothing checks it.
Besides that, there's also the IP number. My server logged it regardless of the sending server's declaration, because it's the address of the TCP connection, not something the sender typed.
And this is the starting point: my server says that it received the message from 89.178.30.158 and at this point that is the only thing I can trust. Every Received line below it was written by the sender and can say whatever the spammer wants.
Checking the IP number (you can try any "whois" web page online), I see that the name declared matches the IP number. In some other cases the spammer uses a domain name, that may or may not exist but is not related to the IP, or nothing at all.
Here's one with a fake domain name, the name exists but there's no server running under it, with an IP belonging to Telenet in Bulgaria

Received: from unknown (HELO coy.slivnica.com) (213.169.59.20)

In this one the server identifies itself as Yahoo Argentina but the IP belongs to Cablevision Argentina (cable TV and ISP)

Received: from unknown (HELO yahoo.com.ar) (200.114.224.55)

This one has an empty HELO

Received: from unknown (HELO) (68.161.93.166)

And this one, anything

Received: from unknown (HELO 4736EC68) (221.168.136.188)

I think that this is a good point to control spam: all the receiving server has to do is check that the HELO declaration matches the IP of the sender. That alone would cut half of the spam, and some "legal" mail too, because plenty of badly configured legitimate servers also send a sloppy HELO (which is why most filters score a mismatch instead of rejecting outright). But that's easy to fix, all they have to do is use a proper HELO.
Then we can raise the bar a notch and check that there's an MX record for the sender's domain, just to filter those who don't lie in the HELO declaration. MX records belong to domain names, not to IP numbers, so the domain to check is the one in the HELO name (or the name you get from the reverse DNS of the IP).
An MX record is an entry in a domain name database (DNS, the service that turns the names we understand into the IP numbers the network understands) saying where's the server handling mail for a domain.
Every domain that receives mail must have an MX record and almost all do. The problem is with huge mail services that have many servers which handle either reception or delivery. The domain of the receiving servers has MX records, but the names of the sending ones often don't. I still think that's easy to fix.
And then we can raise the bar yet another notch and start banning servers that don't lie in their HELO declaration, whose name matches their IP and that have an MX record, but spam like crazy.
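The two things this post does by hand, walking the Received chain down from the one hop you can trust and then checking the HELO against the IP and the sender's domain against an MX record, as an added Python example that is not part of the original post. It parses the two Received formats shown above (qmail's and the Yahoo/Gmail style). The DNS answers are a constructed table injected through a resolve(name, rtype) callable so the example runs offline; a real filter would query DNS in its place. The OWN_NETWORKS list and the SPAM message (the header from this post, reassembled) are assumptions for the example.

```python
import email
import ipaddress
import re

# The two Received formats that appear in this post: qmail's
#   from unknown (HELO <name>) (<ip>) by 0 with SMTP; <date>
# and the sendmail/Postfix style that Yahoo and Gmail write
#   from <helo> (<rdns> [<ip>]) by <host> with SMTP id <id>; <date>
_QMAIL = re.compile(r"^from\s+\S+\s+\(HELO\s*([^)]*)\)\s+\((\d+(?:\.\d+){3})\)", re.I)
_STD = re.compile(r"^from\s+(\S+)\s+\([^\[\]]*\[(\d+(?:\.\d+){3})\]\)", re.I)

# Addresses our own relays use; a hop from one of these is internal and the
# chain has to be followed one line further down. Assumed for the example.
OWN_NETWORKS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"]


def parse_received(value):
    """Return (helo, ip) for one Received header, or None when the hop carries
    no sender IP (qmail's '(qmail 15334 invoked from network)' lines)."""
    value = " ".join(value.split())  # unfold continuation lines
    for rx in (_QMAIL, _STD):
        m = rx.match(value)
        if m:
            return m.group(1).strip(), m.group(2)
    return None


def first_external_hop(raw_message, own_networks=OWN_NETWORKS):
    """Walk the Received headers from the top (most recent hop) down and return
    the (helo, ip) our own server logged for the machine that connected to it.
    The IP comes from the TCP connection, so it is the one fact we can trust;
    every Received line below this hop was written by the sender."""
    nets = [ipaddress.ip_network(n) for n in own_networks]
    msg = email.message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if hop is None:
            continue
        if any(ipaddress.ip_address(hop[1]) in net for net in nets):
            continue  # internal relay, keep walking down
        return hop
    return None


def helo_matches_ip(helo, ip, resolve):
    """First notch: the HELO name must resolve to the connecting IP."""
    if not helo or "." not in helo:  # empty HELO, '4736EC68', bare words
        return False
    return ip in resolve(helo, "A")


def sender_domain_has_mx(helo, resolve):
    """Second notch: the sender's domain must publish an MX record. MX records
    belong to domains, not IPs, so climb from the host name towards the
    registered domain (web55407.mail.re4.yahoo.com -> yahoo.com)."""
    labels = helo.split(".")
    while len(labels) >= 2:
        if resolve(".".join(labels), "MX"):
            return True
        labels.pop(0)
    return False


def assess(raw_message, resolve):
    """Apply both checks to the trusted hop of a message."""
    hop = first_external_hop(raw_message)
    if hop is None:
        return None
    helo, ip = hop
    return {
        "helo": helo,
        "ip": ip,
        "helo_matches_ip": helo_matches_ip(helo, ip, resolve),
        "domain_has_mx": sender_domain_has_mx(helo, resolve),
    }


# Constructed DNS answers for the names used in this post. 192.0.2.x are
# RFC 5737 documentation addresses and the MX targets are placeholders.
_TABLE = {
    ("89-178-30-158.broadband.corbina.ru", "A"): ["89.178.30.158"],
    ("web55407.mail.re4.yahoo.com", "A"): ["206.190.58.201"],
    ("yahoo.com", "MX"): ["mx.example.invalid"],
    ("yahoo.com.ar", "A"): ["192.0.2.10"],
    ("yahoo.com.ar", "MX"): ["mx.example.invalid"],
}


def fake_resolve(name, rtype):
    return _TABLE.get((name.lower(), rtype), [])


# The spam header from this post, reassembled as a raw message (constructed).
SPAM = """\
Received: (qmail 11191 invoked by uid 0); 30 May 2006 17:51:46 -0000
Received: from unknown (HELO 89-178-30-158.broadband.corbina.ru) (89.178.30.158)
 by 0 with SMTP; 30 May 2006 17:51:46 -0000
Received: by nyf15.pamico.com id 86jo739p33c9 for <user@server.com>; Tue, 30 May 2006 19:51:44 +0100 (envelope-from <BerniceClark@kertel.com>)
Received: (qmail 15334invoked from network); Tue, 30 May 2006 19:51:44 +0100
Date: Tue, 30 May 2006 19:51:44 +0100
From: "Reyes" <BerniceClark@kertel.com>
To: user@server.com
Subject: spam sample

(body)
"""

if __name__ == "__main__":
    print(assess(SPAM, fake_resolve))
```

On the spam above the first notch passes (the Corbina name really does resolve to 89.178.30.158, as the post says) and the second fails in this table, which is the point of having more than one notch; the Yahoo Argentina and 4736EC68 HELOs fail at the first.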

Wouldn't it be nice?

Today we say goodbye to these users, may the ceiling fall on their heads

drmahmoudoffice@yahoo.fr
hamar1233@yahoo.co.uk
niclosedem@yahoo.co.in
john_wilson1947@yahoo.com
divinefoundation01@yahoo.com
legalmatterzng@yahoo.com


And a special dedication to my case officer, inspector Jonhson. I guess that without his e-mail account I'm free from my e-arrest

inspectorjonhson_britishpolice@yahoo.co.uk

6/12/2006

I'm in trouble

Today I had the most surreal Internet email related experience. I'm under e-arrest!!
Here's the story.

In a previous post I've been talking about check scams, but it seems I fell into a new one that I didn't know about.
The scam works like this. You're offered a part time job as a "payment representative"; your job basically is to receive checks for this company, deposit them in your account, take your cut and send the remaining amount to the company by Western Union or Moneygram.
In the previous "modality" (Nigerian scammers love this word), the scammer does send you a check that will bounce after you cash it and send the money. With this new "modality", they never send you one. They say they do, they scan the check for you to see and after a while they come up with this new twist: the agent in charge of sending the check has been arrested for money laundering.
At first it's not a big deal, just a small misunderstanding, everything is being worked out but there is this small problem that may get you in trouble. The agent has mentioned your name (he sang like a canary) and the police may want to investigate you; however their lawyers have everything under control, and by paying a small fine all will be settled. So you have to send the money for the fine and you can get it back from the next payment.
As you can imagine, I don't want to pay the fine. I had no choice but to turn myself in to the local police; I told my employer that I did and that the FBI is also interested in the case. They checked all the evidence I've got, all the email messages, etc. They are reporting to the Nigeria police department and I'm really confused about it, aren't they in the UK?
I thought that they'd get at least a bit curious about it but these guys are real pros, not even the smallest reaction. They moved on with the script I guess, they put some pressure on me and I didn't give in, so they called the UK police to take over. And they did, Inspector Johnson Johanson mailed me from a Yahoo free mail account and (I assume) put me under e-arrest.
The hilarious part of all this stupid story is that I've been read my Miranda rights by the UK police over email.

Dear James,
You have the right to remain silent as whatever you say will be used against you.
We are working in collaboration with your government.
We are out for you. I have given an option to your partner in crime and both of you refused to cooperate.
Please be aware that Mr Imodu Innocent is right here under our custody and has made a confessional statement as regards your illicit deal with Mr Jones.
Please cooperate and get freed.


Maybe there's a Miranda act in the UK that I don't know about but my guess is that these idiotic morons are spending too much time in front of the tube.

Anyway, my plan was to get some checks and now that I see they're not going to send any, it's time to close shop and move on.
Darn scammers, they're not even good to have some fun.

Today we say goodbye to:

nelsonatems@yahoo.com
barristeranthony@walla.com
un.project_2006@yahoo.com
ayalasystem@yahoo.com
ecpromo1@yahoo.co.uk
linux_bankplc@linuxmail.org
emmanuel_agent044@yahoo.co.uk
emmanuel_agent04@yahoo.co.uk

May their e-souls rest in hell...

6/08/2006

I WON! I WON! Here's my wining certificate.

I'm sorry, but I've never won anything in my life. Even knowing that it's not true, I don't know, it makes me feel all excited.
Anyway, you can see that the scammers are pretty good at Photoshop (or whatever they're using, I'm into GIMP). The text usually is poorly written and utterly stupid, like a death certificate I received once saying that "...the deceased has died...", just like that. No cause of death, no nothing. The document was as decorated as my winning certificate but in the end it only said "...the deceased has died...".
To compensate for the poor content, they make these documents huge in size. My original winning certificate is 1513 x 1169, I scaled it down to save you a 3 minute page download.
That's all. I'm sure I don't have to tell you that it doesn't matter how many certificates they send you, you haven't won a lottery and you never will unless you go and buy a ticket.






Today we say goodbye to:

microsoftwordgateway@yahoo.co.uk
smithnet202@yahoo.co.nz
un_lottery103@yahoo.com
haj4555@yahoo.com
suzzy2williams@yahoo.co.uk
claimsverifiercentre@yahoo.co.uk
john_55moore@yahoo.fr
ruth_garang11@yahoo.co.uk
m2_lindax@yahoo.com
engr_umaru.umar239@yahoo.com
monicagezi_7000@yahoo.com
albertgregfudiciaryagent@yahoo.com
smithnet101@yahoo.com

6/05/2006

Hook, line and sinker...

Here's a list of phishing links from the last week. This is a list of the URLs where you're sent when you click on the link the phishing message offers you. This URL is hidden inside the code of the message this way

<a href="http://3417902702:12345/webscrr/index.php">
https://www.paypal.com/cgi-bin/webscr?cmd=_login-run
</a>


The second line is the text you see in the message; the href value on the first line is the URL where you're taken to.

<a href="http://provis.pbro.moph.go.th/paypalDLLUPDATE/index.html"
onmouseover="a('https://https://www.paypal.com/cgi-bin/webscr?cmd=_login-run');return true"
onmouseout="b()">
https://www.paypal.com/cgi-bin/webscr?cmd=_login-run
</a>


This is a more sophisticated version, you're not only fooled with the text of the link. When you put your mouse over a link, some browsers show the real link where you're going to. With this little JavaScript, a tooltip appears showing you the fake URL again. The real link will show anyway (depending on your browser and its settings) in the status bar at the bottom of the window. But having the tooltip open in front of your eyes will divert your attention.

And here's the list

http://wmail.namliong.com.tw/~kevin/www.paypal.com/update/cgi-bin/index.htm
http://218.54.71.27/ebay/ws/eBayISAPI.dll.html
http://gheghehackingstyle.com/index.php
http://203.115.11.234/.paypal-sk/update-paypal/cgi-bin/secure/login/login.html
http://3631585476/pennfence/catalog/images/.secure/.server/.www.paypal.com/.cgi-bin/us/webscr.php?cmd=_login-run
http://3417902702:12345/webscrr/index.php
http://164.125.38.52/webscr/cgi_bin=secure_login/
http://www.chaika-plaza.ru/icons/www.paypal.com-nRg/cgi-bin/webscrcmd_login.php
http://www.aafe.cn/img/Protect.html
http://220.227.132.138/.cgi-bin/.webscr/secure-login/%20/%20/.paypal.com/index.htm
http://65.120.152.239:81/webscr/index.php
http://flykingmail.com/images/paypal/error.html
http://221.134.127.10/.paypal-sk/update-paypal/cgi-bin/secure/login/login.html
http://hsbc-uk.110mb.com/1/2/personal/pib-home/
http://24.169.138.210/fnb/


As you can see, there's a little bit of everything. Let's take a closer look at some

http://wmail.namliong.com.tw/~kevin/www.paypal.com/update/cgi-bin/index.htm
Namliong.com.tw exists and (I hope) is a legal site; the address is the one of their webmail server. We can assume that a disloyal employee named Kevin is using his account to set up the phishing page under his home directory (that's what the ~kevin in the URL means). I'll never know, the page is down now but there was no way to contact Namliong. I reported to the hosting service and the owner of the IP block, I guess one of them contacted Namliong and they deleted the page.

http://gheghehackingstyle.com/index.php
Believe it or not, this page was hosted by Yahoo. Someone actually paid to have this space available and used it for the phishing page. Why is that so unbelievable? Because the chances for a phishing page to survive for an extended period of time are pretty low. As a matter of fact, Yahoo took it down immediately. And not only the page, Yahoo was the domain name registrar and deleted the record. So, if you want the name gheghehackingstyle.com, hurry up. It's available now.
http://hsbc-uk.110mb.com/1/2/personal/pib-home/
A different case of hosting, 110mb is a free host. Something more reasonable if you don't expect the page to stay up for long. But no safer than Yahoo, 110mb acted as fast and the page is gone.

http://3631585476/pennfence/catalog/images/.secure/.server/.www.paypal.com/.cgi-bin/us/webscr.php?cmd=_login-run
http://3417902702:12345/webscrr/index.php

Weird IP, isn't it? The IP number is there but in a format that a screening program wouldn't understand (unless it's aware of this), while browsers accept it happily. The first page is gone but the other is still alive if you want to check it out. So how does this format work? Take the first one, 3631585476: it's the four bytes of the address read as one 32-bit number. If you turn it into hexadecimal format you'll get D87598C4. You can do that with the Windows calculator in scientific mode, enter the number in Dec mode and switch to Hex mode. Any number in this format will give you 8 hexadecimal digits (pad with leading zeros if you get fewer); now take them in groups of 2 and convert each back to decimal. D8 is 216, 75 is 117, 98 is 152 and C4 is an explosive... sorry, 196. So the address is 216.117.152.196. Ok, now you've deobfuscated the address and can use either form. Try using one and then the other; this page is hosted at Geminios and if you do you'll get redirected to their 404 (page not found) page. Or try http://3631585476/pennfence, this is Penn Fencing Inc, the legal owner of the site. In this case the site was hacked, most likely due to a management interface vulnerability.
The second page is inside the site of a company named Leader Smart in Hong Kong. According to them "Leader Smart (Hong Kong) Limited is a young progressive firm committed to providing information technology solutions". However, they don't seem to be good at keeping their own site safe... or it's part of the business. I've sent them many messages about this and they didn't even care to answer.
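The two tricks from this post in code, as an added Python example that is not part of the original: the anchor whose visible text is a URL for a different host than its href (the two anchors shown at the top of the post), and the 32-bit decimal or hex host that a naive "does this look like an IP" filter misses. The host is normalised before the comparison, so the decimal form of Leader Smart's address is caught as 203.185.14.110. SAMPLE_MESSAGE is constructed from the anchors in this post; everything else is standard library.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def canonical_host(url):
    """Host (plus port if any) of a URL, with obfuscated IP forms undone.

    Browsers accept a bare 32-bit number in decimal (3631585476) or hex
    (0xd87598c4) in place of a dotted quad. ipaddress.IPv4Address does the
    base conversion that the post walks through by hand with the calculator.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    try:
        if re.fullmatch(r"\d+", host):
            host = str(ipaddress.IPv4Address(int(host)))
        elif re.fullmatch(r"0x[0-9a-f]+", host):
            host = str(ipaddress.IPv4Address(int(host, 16)))
    except ValueError:
        pass  # number out of range: leave it, the filter still sees the raw host
    return host if parts.port is None else f"{host}:{parts.port}"


def deceptive_links(message_html):
    """Anchors whose visible text is itself a URL pointing somewhere other
    than the href. Returns a list of (real href, shown text) pairs."""
    parser = _AnchorCollector()
    parser.feed(message_html)
    found = []
    for href, text in parser.links:
        if href and re.match(r"https?://", text, re.I):
            if canonical_host(href) != canonical_host(text):
                found.append((href, text))
    return found


# The two anchors shown in this post, embedded in a constructed message.
SAMPLE_MESSAGE = """
<p>Please confirm your account:</p>
<a href="http://3417902702:12345/webscrr/index.php">
https://www.paypal.com/cgi-bin/webscr?cmd=_login-run
</a>
<a href="http://provis.pbro.moph.go.th/paypalDLLUPDATE/index.html"
onmouseover="a('https://https://www.paypal.com/cgi-bin/webscr?cmd=_login-run');return true"
onmouseout="b()">
https://www.paypal.com/cgi-bin/webscr?cmd=_login-run
</a>
<a href="https://www.paypal.com/help">help</a>
"""

if __name__ == "__main__":
    for href, shown in deceptive_links(SAMPLE_MESSAGE):
        print(f"shown {shown} -> really {canonical_host(href)} ({href})")
```

Run on the sample, both phishing anchors are reported and the honest "help" link is not. Browsers also accept octal and mixed forms (0330.0165.0230.0304, 216.7706820) that this does not decode; the same normalisation with int(x, 8) covers them.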
http://www.chaika-plaza.ru/icons/www.paypal.com-nRg/cgi-bin/webscrcmd_login.php
http://www.aafe.cn/img/Protect.html

Two more hacked sites, at least I think so. The first one seems to be a Russian commercial building. The other is "The academy of armoured force engenering" (sic). And even with the scary front page, with all the cannons aiming at you, it was hacked.

Today we say good bye to the following mail users

Victorialuis@yahoo.com
fudiciaryagentwilliamcole@yahoo.com
mariam4555@yahoo.com
alui_isa17@hotmail.fr
eclubspromo1@yahoo.co.uk
austlottoagentclock@yahoo.com
monicagezi_7000@yahoo.com
engr_umaruumar239@yahoo.com

6/02/2006

Money for nothing - Do you accept checks?

I love that song (Dire Straits). It's also the reason why scams work so well (for the scammers).

The key of a good scam is to make the bait tasty and easy to get. Some of the most common are:

- Some member of a government in Africa or the Middle East has money (millions) stashed somewhere. He/she needs your help to transfer it to your country, you'll get xx% for your help (but you have to pay the expenses).

- Dying person repents for being so selfish all his life and wants you to take his money and give it to charities (you have to pay for the transfer).

- Religious group wants some money to build a church, feed the poor, etc. I usually forward to them the messages from the dying guy.

- Bank officer finds out that an account is about to be closed because its owner died in a car accident with all his close family, relatives, friends and neighbors (heck of a car). The account has a balance of several millions and your last name (what a surprise) is the same as the dead guy's. You can pose as a far relative and cash all of it (paying the expenses).

- Job offer!! Who would reject a good job offer? Nothing to do but cash checks and get your cut. Sweet deal.

This is the one I want to talk about today, because there's been an increase in the number of these offers. It's a surprise for me because it's not like the other scams, you need more preparation for this one, you need the checks and they have to be good enough to be deposited.
But let's start from the beginning. The trick works like this: for whatever reason they'll send you checks. They can't deposit the checks themselves, for the lamest excuses you could imagine, it doesn't matter. The point is that it's a lot better for them if you deposit them, get the money, take your cut (usually 10%, if you get this offer ask for more) and send the rest by Western Union or Moneygram.
The check will bounce (obviously) and the bank will want its money back (but we're talking about your money now). It's hard for me to understand how it works in the USA, in my country no bank would give me the cash before the check has completely cleared. Anyway, it works and that's why the scammers are doing it. This trick is common too in online auctions, with a twist. The scammer buys from you, he sends you the money up front, not because they trust you, just because they're eager to get the scam rolling. The check exceeds the amount you asked for, he blames his secretary, wife, whatever, who mixed up the checks and sent you the one meant for Mr X. But you don't have to worry about it, he trusts you so much that he'll let you cash the check without sending the goods. All he wants in return is for you to do him a little favor and send the excess to Mr X (himself). You send the money, the check bounces...

The scam is getting popular now and I wonder why, how do they get all the checks?
I've got about 10 in the last 2 weeks and they were all from the UK. Unfortunately I reported the mail addresses of some and lost contact with them. I'm enrolling with a couple to see how it works. Not sure what to do with the checks though, if I deposit them I may be committing a crime.
I've tried the UK police, I thought they would be interested. If they can see the crime in progress they can trace the scammers, be in control all the time. I have their phone numbers too, all cell phones though.
But the police said no, report to the local authorities and stay away. Something I can't do, the local authorities don't want to take a report of a crime not committed yet in a place outside their bailiwick. And the crime is not going to happen because I'm not going to do it. Worse yet, it will happen when and where the police are not looking, and by then it will be too late. An innocent person will get hurt and turn into a guilty one, the scammer will get his money and walk away.

I'll keep trying, at least if I make them send the checks anywhere and they get lost it's the scammer's loss.


Today we say good bye to the following mail users (scam mail accounts closed by Yahoo for TOS violation)

dan7000b@yahoo.fr
dianenet101@yahoo.com
gov_prof_soludo_charles_cbn01@yahoo.com
mathew_alfred2004@yahoo.it
uhunu01sandra@yahoo.co.in
db_rown@yahoo.com
barristeralexduke1@yahoo.com
fredrickalworld@yahoo.com
engr_umaruumar239@yahoo.com

Where did they get my mail address?

The mail address I'm using for this blog was created solely for the purpose of catching scam mail and phishing. I was aware that some spam would show up eventually, having an address exposed does that.

I'll explain first how to get onto the mailing list of the scammers. They're "farming" (collecting mail addresses by means of a computer program) from guest books mostly. Not long ago, they did this job by hand, but they're learning the tricks of the trade and they do learn fast. All you have to do is go to a guest book, post, use your mail address and wait for it. This system was used by spammers a long time ago. But spam is now a profitable commercial activity, they want to get the most out of their investment and the databases built from guest books were of poor quality. The ratio of good addresses to bad ones was low and to make matters worse a lot of the bad ones were obvious fakes. So they moved to better sources of mail addresses and left the guest books alone.

For scammers, the equation is completely different. They're willing to try millions of addresses just to get one, THE ONE. Because for them one customer is good enough, it's all they need to keep going for a while. So the guest books are an excellent option.
I can tell you how to defend against them but it's useless: if you're reading this, you're aware already, and even if they target you, you won't fall for it.

The guest books used by scammers (Nigerian scammers) are marked after being sown, to tell other scammers not to use them and to sow again from that point the next time. If you want to look at them, they use the words mugu and maga. Just Google for guest book mugu or maga and you'll see what I mean. Mugu is a derogatory term in Nigeria and maga is a scammer. So for a maga we are mugus, and the magas are mugus for us (kind of complicated, isn't it?). I don't know what mugu means or where it comes from, but I can tell you that it is really, really bad for them. Once I cheered one of them with a Muguuuuu muguuuu muguuuu and he got so mad, so MAD. But I explained to him that, because we were doing this business transaction together, I went to a Nigerian forum and asked about an honorific way to address him, and that was what they told me to do. True story, and if you think that's hard to believe, read this: he bought it!

The funny thing about this is that they really want to keep other magas off their "crop field". If you send a message to a mugu posing as Mariam Abacha (wife of Nigerian dictator Sani Abacha) and after that the same person gets another from another Mariam Abacha with a different story, he'll think that something is wrong. And that's exactly what's going on today: they're taking the same addresses from the same places and sending the same scams. Whoever said that there's honor among criminals wasn't talking about the Nigerian scammers.

Going back to this mail address, it was exposed on a couple of guest books and the scam messages come every day. Spam? Not too much, just a couple. I started this blog at 3 PM (local time) and by 5 PM the spam started to come at a rate of 4 per hour. Are they taking addresses from here?

Introduction - Nuisances of the Internet

If you're reading this, it's because you're an internet user. And as an internet user you are aware of the dark side of having an email account. Spam, scams, phishing, it never ends.

Filters are not good enough to get rid of spam and, if your email address has been exposed as mine was, at some point you have to get rid of it and start all over again. And even if you do, and it's your own server, the connection attempts keep coming; if you have a catch-all address it will fill up your disk; no matter what you do, you have to pay for the bandwidth, the processor time and the storage space, plus the maintenance.

Scams and phishing are easy to spot and ignore if you're aware of them, but what about those who fall for them? You can say that most of the "victims" of Nigerian scams are greedy and immoral; even if they're not committing a crime, they think they are and are fine with it. But some others are innocent victims, even good, caring persons who fall just to help someone in need. And those falling for phishing are common users of internet services trying to comply with the policies of the site (or what they think is a policy of the site).

So I've decided to do something about it. Not much really, because I don't have the resources or the position to go any further. But I'll do my best with my lunch hour.

I'm taking action against all scam and phishing messages I receive.
I report the messages to mail administrators, and also to the ISPs of the source node of the message (if available).
I report the links to the server administrators if there's a phishing page, and to the ISP if there's no answer from the server.

And I'll keep this blog to tell the world (or the two guys who will read this... and you, mom) about how I'm doing it, the results, advice to others who may want to join, and to bring awareness about the problem in general.

Today, I'm going to talk about phishing. Phishing is a way to get your personal information, mostly user names and passwords, through a web page. It all starts with a message sent to you from someone you have a service contract with. At least it looks like it comes from them, but the truth is that the phisher is fooling you. They use mass mailers; they don't know if you have an account or not, and they use the format and the images that the real service provider would.

The service could be Paypal, your bank or any other service with internet access. Most of the time, the message is about a security issue: a change in the security system, your account has been under attack, the database went down, etc. To solve the problem, and to keep your access working, you have to click on the link provided, log in (with your user name and password) and fill in a form (with personal data that may include all your credit card information).

The link looks like it belongs to the real server, but in the code of the message it points to another place, where the phishing server is located.
You may think this is a risky business, but it's not. I rarely find a page on a server owned by the phisher; it would have to be a very stupid one to pay for it knowing that it will be shut down as soon as someone notices it and that he'll get no refund (if he's lucky; if he's not, he may end up in jail).

Typically the phisher hacks into someone else's server and sets up the page; it could be through a vulnerability in the management software or a weak password. This is easier now that the hosting services around the world are using a limited number of management systems: once one vulnerability is found, it's passed around fast. Also, the scripts for blogs and forums are very popular and used all around the net, and they have vulnerabilities too. All these web interfaces are vulnerable because they need administrative rights to do their job, and that means that once you find the hole you can do anything you want with the server. In some other cases, someone with rightful access to the server abuses it for his own benefit.

One way or the other, once the page is set the administrator has no easy way to find out.
The rest of the job is spam, mass mail the bait and wait for the "phish" to come.

Here's an interesting case (the page is active at this time, but I'm in contact with the page admin and he's working it out; the name of the domain is masked).
This is what a phishing link looks like in the source code of the message:

http://www.xxxx.com/boards/lsr/w433/wainwright/PBI1961_ASP.htm">https://www.wainwrightonline.com/onlinebanking.asp

What you see in the message is https://www.wainwrightonline.com/onlinebanking.asp but if you click you go to http://www.xxxx.com/boards/lsr/w433/wainwright/PBI1961_ASP.htm
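The mismatch above can be checked mechanically: parse the anchors in the message source and flag any whose visible text is a URL on one host while the href points at another. This is an added example, not code from the original post; the sample message is constructed and uses the same masked xxxx.com domain.

```python
# Added example, not code from the original post: flag anchors in an HTML
# message whose visible text is a URL on one host while the href goes to another.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample mirroring the link quoted in the post (domain masked as xxxx.com).
SAMPLE_HTML = (
    '<p>Please verify your account:</p>'
    '<a href="http://www.xxxx.com/boards/lsr/w433/wainwright/PBI1961_ASP.htm">'
    'https://www.wainwrightonline.com/onlinebanking.asp</a>'
    '<p><a href="https://www.wainwrightonline.com/help">Help</a></p>'
)

def _host(url):
    """Lower-cased host of an http(s) URL, or None if the string is not one."""
    parsed = urlparse(url.strip())
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return None
    return parsed.netloc.lower()

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.pairs, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_deceptive_links(html):
    """Return [(shown_url, real_href)] for anchors whose displayed URL and
    href resolve to different hosts; the plain "Help" link is not flagged."""
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    return [(text, href) for href, text in parser.pairs
            if _host(text) and _host(href) and _host(text) != _host(href)]
```

Run `find_deceptive_links(SAMPLE_HTML)` on the constructed message and the bank link is reported with its real destination, while the link whose text is not a URL is ignored.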

The site is a board for car enthusiasts; it's not run by computer experts, and they were shocked to find out what was going on under their noses. To make matters worse, the one I could reach has no idea how to fix it. So the page will keep running for a while.

And this is something to think about: the net is so big now, so user friendly, so open, that it's vulnerable to this kind of abuse. The site owner may be a responsible person and the site as clean as its owner thinks it is, but it's not. Who's to blame? The phisher of course, but he's nowhere to be found, and he won't take the page down even if you reach him. We need to take the page down, now, and the only one who can be reached (if at all) is unable to do it.

The moral of the story is that web sites should have a contact to report these problems. Form, email, whatever; it has to be published and easily accessible for a human. Use _at_ instead of @ if you're worried about your address being farmed for spam. And someone has to read the reports and do something about them. I know, it's a lot of work, but it's the price of the internet.

Plan B, maintain the current situation and they'll run the net. Spammers will make all email worthless, scammers and phishers all online services useless. You may say that it's all because most internet users are too stupid to protect themselves; I agree (maybe not the "stupid" part). But the key word here is "most": whether you're running an online service or just publishing your stuff, you know that they're your market. Without that market, you have no reason to be here.

Plan C, a highly regulated media. All access controlled, all sites under surveillance. The result? Astronomically high cost and poor content.

Which way do you want to go?