10/30/2007

There's a war going on

It's been a while since my last post. Nothing has changed much in the world of scams in general. But an incredible event took place during the first week of October and is still going on.
The Storm Botnet started an attack against anti-scam sites like 419Eater, Scamwarners and Artists Against 419.

To understand the meaning of this news I'll give you a brief overview of the Storm Botnet. It may sound to you like a science fiction tale but it's true. A botnet is a network of computers under centralized control. That sounds like the description of almost any network of computers belonging to a particular organization. The main difference is that the computers in a botnet have been hijacked into taking part in it. The second difference is that botnets like Storm have many millions of computers.

The Storm Botnet, also known as Zhelatin, is the largest known botnet ever. Its size is estimated in the millions because there's no way to know how many computers have been infected since its creation in January of 2007. The objective of the botnet is to allow its owner to open as many sessions from different origin IPs as it has computers, and to do virtually anything its owner wishes with those sessions. Botnets are mainly used for spam, generating mail connections from so many different IPs that mail servers can't block them (blocking all of them would be like blocking everyone out of email), or for DOS (denial of service) attacks. A DOS attack simply opens connections to the target server until it is rendered unusable. It doesn't matter how big your network structure is, you only have resources for a limited number of connections and to serve a limited number of requests. You can add more resources to increase that number but it's going to be a finite number anyway. When one person has the power to generate many millions of connections at the SAME time there's little chance your structure is going to withstand it.

The first line of defense for a network/server structure is the firewall. My own connection suffers attacks from time to time, not really dangerous but sometimes they take too much bandwidth trying over and over again the same old tricks that they know didn't work before. I can block the IP of the attacker and forget about it. If it bothers me too much, I can call my ISP and ask them to block it on the next router, and they can make the decision of blocking the IP even further up in the net. But we're talking about one IP, maybe two, maybe a dozen.
How do you deal with many millions? You can't.
You can't block that many IP numbers and, even if you could, your firewall is going to respond very, very slowly with a list of many million rules to check for every packet. It's not practical. And the packets are not easy to identify. A request for a session looks the same coming from a botnet or from a regular user.

A typical zombie PC is a computer belonging to an ordinary user connected to a broadband service. It may spend its whole life as a member of the botnet without its owner knowing it. And this makes an important difference from any other virus, worm or trojan. The botnet doesn't want your computer to fail, it doesn't want to take a look at your personal information, it doesn't want your computer to lose performance. Quite the contrary, the dream zombie for a botnet is a healthy high performance computer with a high speed connection. This makes it very difficult to detect the infiltration. Most viruses are reported because of the effect they have on the victim; when you don't have a problem you don't have anything to report. Some of the variants of the Storm worm are known and included in anti virus databases. But not all of them have been found, the botnet itself is being used to spread new versions of its own worm and millions of computers are being used without any kind of protection.

Eventually, a zombie can be identified (there are millions) and, once you get to it, it should be easy to watch it closely and trace the commands back to the owner of the botnet, shouldn't it?
No, it's not like that. The Storm Botnet uses p2p technology to communicate with its members. Meaning that once you get to one zombie you can watch closely, you're going to see traffic to other zombies. And when you get to them, you're going to see more zombies. The number grows fast and by the time you have one connection that may lead to the owner, the number is so high you have no way to check them all. P2p is the technology used by BitTorrent and other file sharing systems that allows you to get files from many different sources. It changes the concept from a client/server structure (connections many to one or one to many) to a distributed structure (connections many to many). Older botnets were not successful because of this small difference. They were traced to their owners pretty soon while this one probably never will be.

Here you can find more information about this attack. The Slashdot report (pretty small...), Spamnation, The High Weirdness Project. And for more on the Botnet, here's a rather technical video of how it spreads from Help Net Security and a video showing a surge in the spread of the worm (that may or may not be related to this attack) from FSLabs.


It's known who owns the Storm Botnet. Maybe not identified down to the person or persons themselves, but to the group handling it. They are devoted mostly to spam services and banking fraud over the net. Their "formats" are mostly cell phone sales and service and overpaying for auctions. The reason for the attack is that they know that 419Eater is a place where baiters are coordinating activities against them, Scamwarners is warning and giving advice to their victims and Artists Against 419 is researching, reporting and shutting down their sites.
It's bad news and good news too, in a way. It shows that their activities are making a dent in the gang's operations.

The attack is still going on. It won't last, they never do that for long periods of time. This is the kind of attack that's done in waves, but even the waves have to slow down and stop eventually. Every packet sent gives more information that can be used to block them automatically. Every second the botnet is active, it opens an opportunity for a trace. It's unlikely that a trace is going to succeed, the odds seem to be on the gang's side, but the stakes are too high. The botnet is a very valuable asset and they're going to do anything to protect it, including giving up on this attack.

The good side is that the activities of the attacked sites are not going to stop. The attack may have damaged some baiting activities temporarily but the warnings, the serious research, the identification and reporting of scam sites and other activities kept going on throughout the attacks. It's been more difficult at times but not to the point of stopping it all. Most of the people I've contacted during the attacks felt encouraged by it. There are no feelings of defeat, nobody wants to quit, nobody wants a truce, nobody wants to take one step back. The scammers didn't win this battle and they never will. If something changes for them, it's going to be for the worse.

Visit the sites, support them, spread the word. If you're aware of the scam there's no way they're going to get you. Everyone who's warned about this is one less potential victim in the market. I hope someday we can take the whole market down.

Meanwhile, be careful out there because it's getting dangerous...

419 Eater
Scamwarners
Artists Against 419

3/23/2007

A Sunday magazine

Today I'm going to go through a lot of stuff. Consider this the Sunday magazine (or Saturday depending on your location), one issue with enough material to read all week long.

First of all, I want to thank Software and Music Downloads Blog who mentioned this blog last week. The post wasn't exactly about hacking but he liked it and that's what matters.

On the dark side, I'm not reporting scammers' mail addresses to Yahoo anymore. I've noticed that they're not answering nor closing the accounts. So it's a waste of time. I don't blame them, this is not a complaint. They own the server, they offer the service for free, they're entitled to apply any policy they want. Besides, Yahoo was the only one of the major players closing the scammers' accounts. Hotmail and Gmail seem to require CSI-grade evidence to do something against them. Yet, again, I respect their decisions.

However, I think that they could be a little more concerned about the problem. They're profiting from the Internet and this kind of stuff is hurting their marketplace. And there are a number of affordable solutions to the problem. To start with they can establish a method for questionable accounts. Once they're found to be questionable by observation or report, they can block access to the user and offer a form at login time where he can answer the claims and provide evidence if needed. If the answer is satisfactory, the user can recover access to the account. But I know that the form would be unnecessary, scammers never complain about blocked accounts, they move on to another one. If Yahoo closed all the accounts of Mariam Abachas, Charles Soludos, barristers, banks of Nigeria, HSBC banks, banks of any kind, etc. nobody is going to claim them. Yahoo could recover hundreds of thousands of accounts plus all the related disk space. Eventually, one account belonging to a decent user would be closed. But it wouldn't be so hard to confirm and reinstate.

On the other hand, minor players are more concerned. I understand that it could be because their resources are more limited and the misuse of the service hurts them more economically. But the truth is that most of them go beyond closing the account. This is a typical answer to an abuse report from Outblaze:

The account you reported is now terminated, along with
today's quota of sundry other Nigerian generals, bankers,
engineers, attorneys and relatives of dead dictators.
They acknowledge the problem (with some humour I may add) instead of giving a crappy corporate legal "violation of TOS" answer.
This is another one worth mentioning related to a phishing page hosted at 2ya.com. Check the phishing site. The site is gone and that's what most big hosters are doing, closing the site. But 2ya.com keeps the site open with a warning in case someone falls for the phishing message. The good thing is that if you fall for it and the page fails, you may fall for the next one. But if you fall for it and you see the warning, you won't fall ever again. And that's the real thing, education, spread the knowledge. Because the only way to protect yourself is to be aware, to have the knowledge.

And that's the idea of this blog. So let's move on to some educational stuff and some fun stuff too.

Here's a video from the BBC about the EFCC (Economic and Financial Crimes Commission) raiding a cyber cafe in Lagos, Nigeria. At some point, there's this dialogue between the journalist and an EFCC agent:

-Do people fall for this?
-If they don't we wouldn't be here, would we?
This is a key fact of this problem. People do fall for scams. For most of us it is obvious that the offers are not real, and it's hard to believe that someone could fall for them. But they do and that's why scammers keep doing it.

Here's another report, part 1 and part 2. Brian Ross from 20/20 was also invited to a raid by the EFCC plus he played the part of a victim and followed the trail to the scammer all the way to Lagos. Pay attention to this bit:

One of the first people to be arrested by the EFCC's squad was its boss, the head of the Nigerian police, who was sent to prison for taking bribes from top 419 scammers.
You may have noticed that he mentions a music video, you can find it on YouTube. It's a very popular one in Nigeria performed by Osuofia, a Nigerian comedian. The name of the song is "I chop your dollar" meaning "I'm going to get your money". It's about a scammer telling his mark how (and why) he is going to fool him. Here are the original lyrics:

I don suffer no be small
Upon say I get sense
Poverty no good at all, no
Na im make I join this business
419 no be thief, its just a game
Everybody dey play am
if anybody fall mugu, ha! my brother I go chop am

Chorus
National Airport na me get am
National Stadium na me build am
President na my sister brother
You be the mugu, I be the master
Oyinbo I go chop your dollar, I go take your money disappear
419 is just a game, you are the loser I am the winner
The refinery na me get am,
The contract, na you I go give am
But you go pay me small money make I bring am
you be the mugu, I be the master… na me be the master ooo!!!!

When Oyinbo play wayo, them go say na new style
When country man do im own, them go de shout bring am, kill am, die!
Oyinbo people greedy, I say them greedy
I don see them tire thats why when them fall enter my trap o!
I dey show them fire
And here is the English version (translated by Azuka Nzegwu and Adeolu Ademoyo):

I am suffering greatly
and I get this idea (or wise)
poverty is not good at all
and I decide to join this business (scam)

419 is not a criminal act but a game
Everybody will play
but if you are fool
I will chop your money

Chorus:

I own the National Airport
I built the National Stadium
The president is my sister's brother
You are the fool and I am the master

White man, I will eat your dollar
I will take your money and disappear
419 is just a game, you are the loser and I am the winner

I own the refinery
I will give you the contract
But you will have to pay me a small fee before I bring them
You are the fool, I am the master
I am the master!!!!

When whites scam
it is said that it is a new style
But when the country man does the same
White people shout: bring them, kill them, die!

White people are greedy, I say they are greedy
I have seen through them deeply (or very well)
So, when they fall into my trap
I will show them fire (or showing someone who is the real boss by treating them harshly)
Here's another Brian Ross report. This time he exposes a "wash-wash", a scam where your money is painted black and you are sold the chemicals to clean it up. Listen carefully, the victim says that he's lost approximately 340,000 US$. And he's not just a grammar school dropout with money. He's a highly educated person, a heart surgeon.

And one more report. Here's Keith Olbermann exposing another one where scammers impersonate the head of the FBI.

Now let's move on to the fun. The music video was posted by one of the top scambaiters. If you want to know him and know what a scambaiter is, here's Fox's interview with Butch Driveshaft. You can find more about him and his group at The Scambaiter (registration required). Be aware that Butch is extremely loud and uses abusive language. Here's a bit someone made with a compilation of Butch's phone calls and photo trophies and a brief of the Cole bait, a bait where Butch keeps sending trash to Cole and Cole keeps paying for delivery. Again, be aware that Butch is not suitable for a young audience. The great thing about Butch is that he punishes the scammers where it really hurts, their wallets. He also makes them do stupid things for fun but taking their money has a long term effect on the scammers. They will think twice every time they're on a scam. They'll doubt every victim, they'll be afraid of falling again. Every second wasted, every phone call, every cheque sent, every dollar spent on a scambaiter won't hurt a real victim.

Another top scambaiter is Shiver Metimbers. You can read about him and his group's baits in 419 Eater (registration required for the forums). And here's a video of a scammer waiting for him to show up to get £18,000. I guess you figured it out by yourself, but just in case, he didn't show up. This one went back home empty handed and really bored. Others had some fun while being abused by scambaiters. The next videos show what the scammers are willing to do in order to get some money. Just in case you don't figure it out by yourself, they never get it. I think that most of these videos (if not all) are from 419 Eater's members.

A scambaiter named Bombardier offers his "pet" (the scammer) an opportunity to be a stunt man and make big money.

Here, Stargatebaiter's "pet" Richard auditions for a role in Stargate. And then he does it again. And again. Though I think that the last one is for another role...

Here, a scammer performs a ceremony to become a "twat" for Tainenterprises.

Another audition, this time Monty Python's dead parrot sketch.

And it goes on and on and on.

I want to make a final comment. At some point during Brian Ross' report, he said that no matter how many scammers the police arrest, no matter how many scammers 20/20 exposes, there's always another hungry one ready to take his place. It's not the literal quote but that was the meaning. He also mentioned that the average income in Lagos is 1 US$ per WEEK. In a way, he created the idea (or at least it looked to me that way) that this is a problem created by poverty, that they do it to survive. And I have to totally disagree with him. Those running the scams are not hungry. They may be poor by our standards but they're not struggling to survive. I'm sure that there's poverty in Nigeria but those who are in real need are scrounging for their next meal, not scamming from a cyber cafe. They don't have access to such luxury, they don't have the education required to use a computer, let alone a keyboard. If you look carefully, the scammers in the videos are well fed, no signs of starvation. The wannabe stunt man is wearing expensive running shoes, he has a house in a residential neighborhood, he has a car (I hope it is his car, otherwise his neighbor is going to get really pissed). They're not doing scams because they don't have another choice, they're doing it because it's easy money. And they don't care who they scam, they don't care who they hurt, they don't care about the consequences their acts can have on their victims' lives. I'm with Butch, I don't feel sorry for them.

And, to finish this post in a lighter mood, here's a video from Ze Frank performing a 419 letter. This is the YouTube link, I couldn't find the link to the original video. If you want to see more of him (totally worth it) visit his web page, Ze Frank - The show.

This post may come as a surprise to you...

2/02/2007

Obfuscation

This post is full of technicalities. It's about making things dark and obscure. URLs basically, and my mood too.
Phishers are improving their ways to avoid detection, reporting and closure of their web pages. It's bad news but it's also good news. It shows that reporting their sites is making a dent in their operation. But it's bad because it's going to make it more difficult for people without the knowledge to report them properly. This way the pages are going to stay up longer, more people are going to fall for them and the phisher is going to have more time to collect the information.

I'm going to dissect one that I've received this week. This is the full URL (be careful, at the time of this post it's still active):
http://0x42.0x4d.0x3f.0x6e/amazon/redirect.php?http://0x48.0x0e.0xdd.0x67
/pagead/iclk?sa=l&ai=Br3ycNQz5Q-fXBJGSiQLU0eDSAueHkArnhtWZAu-FmQWgjlkQAxg
FKAg4AEDKEUiFOVD-4r2f-P____8BoAGyqor_A8gBAZUCCapCCqkCxU7NLQH0sz4&num=5&ad
url=http://0xd1.0x55.0x7f.0x82/%77%77%77%2E%70%61%79%70%61%6C%2E%63%6F%6D
%2E%68%74%6D
Imagine all that in just one line, I formatted it to fit the blog. Believe it or not, this is a valid URL. Not the kind you're used to seeing daily. Let's take a look at the first part:
http://0x42.0x4d.0x3f.0x6e/amazon/redirect.php
The domain is expressed as an IP number in hexadecimal format. If you do the math (you can use your Windows calculator in scientific mode) the real IP number is 66.77.63.110. You can try this IP number and it will take you to Sony Pictures' web site. In that web site there's a directory called amazon, and in there a PHP script called redirect.php. Sony Pictures is not involved in the scam and, most likely, its site wasn't hacked. It's common to have such a script, in this case Sony probably uses it to redirect visitors to Amazon's web site where they can buy Sony's stuff. This redirector script is just that simple, it generates HTML code that tells your browser to go and load some other page. Try it, pick any URL you want and use this redirector to access it. Hopefully, if we piss them off enough they'll secure the script and it won't be used for phishing anymore. Try this:
http://0x42.0x4d.0x3f.0x6e/amazon/redirect.php?http://www.google.com
Or any other page you want. The result is the same, you're redirected to the page you set as parameter for the script. You can also try http://0x42.0x4d.0x3f.0x6e or http://66.77.63.110 or http://www.sonypictures.com/, you'll see Sony Pictures' web site. They're all different ways to link to the same site.

But the phishing page is not there nor is Sony involved in this kind of operation. They have a script they use as part of their business and it was left unsecured. The same way we used it for these examples, the phisher uses it to obfuscate the URL pointing to his page. Where's the phishing page then? Let's take a look at the second part of the URL. It's easier now that we know that the script will redirect to the second URL, and this is it:
http://0x48.0x0e.0xdd.0x67/pagead/iclk?sa=l&ai=Br3ycNQz5Q-fXBJGSiQLU0eDSA
ueHkArnhtWZAu-FmQWgjlkQAxg
FKAg4AEDKEUiFOVD-4r2f-P____8BoAGyqor_A8gBAZUCCa
pCCqkCxU7NLQH0sz4&num=5&ad
url=http://0xd1.0x55.0x7f.0x82/%77%
77%77%2E%70%61%79%70%61%6C%2E%63%6F%6D
%2E%68%74%6D
Looks complicated but let's take a look at it part by part. The first thing is the IP number, again it has been obscured by writing it in hexadecimal format. The real number is 72.14.221.103. You can try both, go on, they're both safe.

Surprised? Yes, the IP number points to Google. But the phishing page is not on Google's server and they're not related to it. What the URL says is that on that server there's a directory named pagead and in there an object named iclk. No more information about iclk. Most of the time you can assume that the object is what's described by its extension (the .xxx thing at the end), in this case there's no extension. But, most likely it's a script of some kind. Then, there's a set of parameters: sa with value l, ai with a long chain of characters (the part that looks really complicated), num with value 5 and adurl with a URL. If it looks like a redirector to you, you're right. It is. This is part of Google's Adsense program and the object of the script is to count hits for a particular ad (defined by the long chain of characters) and redirect the browser to the URL assigned (defined by the adurl parameter). Try this (I just did). Go to any page with Adsense, Google Adsense or Google anything. Most likely you'll get an Adsense panel or a link to a page with one. Pick any ad you like and copy the URL (right button, copy link location or anything like that depending on your browser). Now paste the link in your browser's URL box. What you see is exactly the same as the URL we've been looking at. Same parameter names, some with different values. Change the URL to anything else and you'll be redirected to the URL of your choice. I wonder how Adsense is counting that "click"? Regardless of that, the point is that the script is out there, it is not secured and it's being used to obfuscate phishing URLs (and probably other scam or spam related links).

Ok, Google's problems aside, we've finally found the phishing page. It has to be the URL passed to Adsense as the adurl parameter, right? Wrong! Let's take a look at it:
http://0xd1.0x55.0x7f.0x82/%77%77%77%2E%70%61%79%70%61%6C%2E
%63%6F%6D
%2E%68%74%6D
Again, the IP number has been obscured. The real IP number is 209.85.127.130 and belongs to Everyone Internet in Houston, TX. The rest of the URL is the name of an object. It looks like a very complicated object but it isn't. The same way the IP number is obscured by writing it in hexadecimal format, a text can be obscured by writing it using ASCII codes in hexadecimal format. That's what you're looking at. %77 means 77 hexadecimal or 119 decimal or a "w". %2E means 2E hexadecimal or 46 decimal or a ".". I'll save you the pain of going through all this. The name of the object is www.paypal.com.htm and it's not the phishing page. It's an HTML page redirecting to somewhere else. Yes, another redirector. The difference between this one and the two previous ones is that this is a static page while the others are scripts able to generate the page dynamically based on the parameters you give them. Also, the previous ones are legitimate (for lack of a better term) though insecure scripts used as part of a business operation while this one was written specifically to be used as part of the phishing operation. It's hard to tell how it was put in there. It could be a hacked site or free web site space or a web site paid for from a Paypal account phished in a previous operation.

But the phishing page is not this one, this is just the redirector. It's a web page instructing your browser to ignore it and move on to another URL. I'm not going to publish the whole page here because it's too much code to dissect. The URL is:
http://0x40.0x1a.0x19.0xfa/www4.4paypal.com/cgi_bin2/webscr.php.cmd
=restore-account-login945096845098034938/webscr.php?cmd=_login-run
Again, the IP number is obscured. The real number is 64.26.25.250 and belongs to Hostway Corporation in Chicago, IL. Like the one from Everyone Internet, it's most likely a hosting server and it is being abused somehow. The URL looks complicated but it has been created like that to give it a more business-like look. The first directory is named www4.4paypal.com to make you think you're connected to a Paypal server while you're not. The second directory name is cgi_bin2. And the third is webscr.php.cmd=restore-account-login945096845098034938. It looks like the script name is webscr.php with a parameter cmd with a complicated value. The character before cmd should be a "?" but that would make the filename invalid. In fact it's just the name of another directory; the real page is webscr.php and the real parameter is cmd with value "_login-run". Probably the parameter value means nothing anyway.
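As an added example (not code from the original post), here is a small Python script that does the decoding walked through above offline: it rewrites hex-dotted IP hosts to dotted decimal, percent-decodes the path, unwraps the nested redirector URLs without ever requesting them, and lists the obfuscation signals a mail filter could flag. The sample inputs are the URLs dissected above with the long AdSense ai value replaced by a placeholder; the brand watch list is an assumption.

```python
import re
from urllib.parse import urlsplit, urlunsplit, unquote

# Sample inputs: the redirector chain dissected in the post (the long AdSense
# "ai" value replaced by a placeholder) and the final phishing URL it leads to.
SAMPLE_CHAIN = (
    "http://0x42.0x4d.0x3f.0x6e/amazon/redirect.php?"
    "http://0x48.0x0e.0xdd.0x67/pagead/iclk?sa=l&ai=PLACEHOLDER&num=5&adurl="
    "http://0xd1.0x55.0x7f.0x82/%77%77%77%2E%70%61%79%70%61%6C%2E%63%6F%6D%2E%68%74%6D"
)
SAMPLE_FINAL = (
    "http://0x40.0x1a.0x19.0xfa/www4.4paypal.com/cgi_bin2/"
    "webscr.php.cmd=restore-account-login945096845098034938/webscr.php?cmd=_login-run"
)

HEX_DOTTED = re.compile(r"^0x[0-9a-f]{1,2}(\.0x[0-9a-f]{1,2}){3}$")
BRANDS = ("paypal", "ebay")   # assumed watch list, not taken from the post


def normalize_host(host):
    """Rewrite a hex-dotted host (0x42.0x4d.0x3f.0x6e) as dotted decimal
    (66.77.63.110); any other host is returned lowercased, unchanged."""
    host = host.lower()
    if HEX_DOTTED.match(host):
        return ".".join(str(int(octet, 16)) for octet in host.split("."))
    return host


def normalize(url):
    """Decode the host and the percent-encoded path of one URL. The query is
    left untouched so nested redirector URLs stay visible for the next hop."""
    p = urlsplit(url)
    host = normalize_host(p.hostname or "")
    netloc = host if p.port is None else f"{host}:{p.port}"
    return urlunsplit((p.scheme.lower(), netloc, unquote(p.path), p.query, p.fragment))


def next_hop(url):
    """Return the URL a redirector hands off to, or None. Handles both the bare
    form (redirect.php?http://...) and the parameter form (adurl=http://...)."""
    query = urlsplit(url).query
    if query.lower().startswith(("http://", "https://")):
        return query
    for pair in query.split("&"):            # split by hand so values stay raw
        _, _, value = pair.partition("=")
        if value.lower().startswith(("http://", "https://")):
            return value
    return None


def unwrap(url, max_hops=10):
    """Follow embedded redirector URLs offline (no requests are made) and return
    the normalized chain, outermost first; the last element is the landing URL."""
    chain, seen = [], set()
    while url and url not in seen and len(chain) < max_hops:
        seen.add(url)
        chain.append(normalize(url))
        url = next_hop(url)
    return chain


def obfuscation_signals(url):
    """List the tricks from the post that a filter can flag before any
    redirect is followed."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    signals = []
    if HEX_DOTTED.match(host):
        signals.append("hex-dotted IP host")
    if "%" in p.path and unquote(p.path) != p.path:
        signals.append("percent-encoded path")
    if next_hop(url):
        signals.append("embedded redirect target")
    path_lower = unquote(p.path).lower()
    if any(b in path_lower and b not in host for b in BRANDS):
        signals.append("brand name in path but not in host")
    return signals


if __name__ == "__main__":
    for hop in unwrap(SAMPLE_CHAIN):
        print(hop)
    print(obfuscation_signals(SAMPLE_FINAL))
```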

The obfuscation of the URL works two ways. First, it makes it a lot more complicated to report. You have to go all the way to the phishing page and translate the URLs to find out who to report to. And second, it helps to avoid detection by mail filters. This is done by setting up a huge number of different URLs pointing to the same phishing page. If one mail is reported and its URL is added to the filter database, it doesn't matter because more messages with different URLs will go through undetected.

As you can see, the phishers are going this far to protect their pages. They know that the success of a page depends on the time it can survive: the longer the page stays alive, the more people will access it and, hopefully for them, post valuable information.

It's bad news that they're evolving into more complex setups but, on the other hand, it shows that the fight against them is making a dent in their operations. So, I'll keep reporting them. At least those that reach my mail box. Meanwhile, if you're a regular user be careful, if you're in charge of a web site be on the lookout for a phishing page or a redirector installed by a hacker, and if you have scripts, secure them.