One more spammer caught…

Well, it seems that a post about spam attracts other spammers. Fortunately, you can also report spammers who try to spam through blog comments at SpamKlacht. And if the spammer, or the company the spammer advertises, is located in the Netherlands, they can take action against them.

So, let me show part of the report I received from SpamKlacht at the end of this post. (The original is in Dutch.)

In short, a French website has posted a Dutch message on a blog that is mostly written in English. It is likely that the servers of solution26.com have been hacked and are being misused to send this kind of spam. These spammers know that forum and blog spam is harder to trace and stop than regular email spam. They also know that many blogs and forums don’t have very good defences against this kind of spam, although WordPress does an incredible job of stopping it.

What’s more interesting is that this message doesn’t contain an email address, phone number or even a URL to their own site. Most likely, that link would have been www.euromovers.nl or the site of one of their members. So it doesn’t help the spammer much, unless people like me decide to look them up with Google.

What actually happens is that the spammers are smart. They just pick up random texts from the Internet, in this case the About page of Euromovers, shorten some of the paragraphs and use the text as their comment, hoping it makes enough sense for the forum or blog administrator to let it pass. They know that if an administrator approves one spam message, the spammer’s account has likely been whitelisted and is thus allowed to post more comments without moderation. When that happens, the spammer floods the blog or forum with spam.

With WordPress, this is a practical way to bypass the spam filters. Fortunately, even though my site runs under a Dutch domain name, its main language is English. As a result, I tend to consider comments in Dutch a bit suspicious. But I have also learned to just trust its spam filter, which hasn’t failed me yet.

The report from SpamKlacht:

You have filed a spam report at spamklacht.nl, a website of the Autoriteit Consument & Markt (the Dutch Authority for Consumers and Markets). This document summarises your report.

Spam complaint filed on  : 20-01-2014 09:43
Your details
Name  : W.A. ten Brink
Address  : xxxxxxxxxx
Postcode / city  : xxxx xx Amsterdam
Telephone number  : xxxxxxxxxx
Details of the possible spam message
Message received via  : Social media, namely https://blog.wimtenbrink.nl/
Received on date / time  : 19-01-2014 13:53
Received at address  : The spam filter blocked it.
Received from address  : Verhuisbedrijf Euromovers uit Vlaardingen
Address mentioned  : marita-cockett@gmail.com Www.solution26.com 87.98.172.16
Subject  : This concerns a message that ended up in my WordPress spam filter. It consists of three parts: the author, the message and a URL to the post where the spammer tried to place it.

[Author start]
Www.solution26.com
solution26.com/liens/?page=824
marita-cockett(at)gmail.com
87.98.172.16
[Author end]

[Message start]
…… Verhuisbedrijf Euromovers uit Vlaardingen. Removal company
Euromovers from Vlaardingen is part of
the international network of Euromovers International.
This network consists of highly qualified and reliable
removal companies throughout Europe, the US, Russia, China, Australia
and New Zealand. In the Netherlands every……. Are you looking for a professional
removal company that works with experienced movers and professional materials, arranges
tailored transport itself and works with good motivation on every job?
Then choose the Verhuisbeweging, the ideal removal company for Rotterdam and
the surrounding area. We are a recognised removal company that has proven itself over the years
as a reliable and professional mover, which is why we have also obtained damage insurance, so should any damage occur during the move, no problem!
Our insurance covers the damage and pays it out to you!
[Message end]

Let’s talk about social media…

When I was a kid, there just wasn’t any internet. If you wanted to speak with someone else, you had to pick up the phone or just go visit them. Being social was complex because it involved plenty of travel to meet others. And even when the Internet was born, being social was still something that people did in real life, not behind a computer screen. Still, things slowly changed about 15 years ago, when people started to use the Internet for all kinds of fun things. It also helped that proper internet tools became more popular. (And free!) The increased speed and the change from the 33k6 modem to ADSL or cable also helped a lot. And now, just one generation further, being social is something we do online, with bits and bytes.

But enough history. And no, I won’t explain what social media are because right now you’re reading stuff I wrote on such a social media website. (Yeah, a hosted WordPress site, but I could have used Blogger or Tumblr too.) This discussion is about the complexity of all those social media, not their history.

Most people will be familiar with both Twitter and Facebook. On Twitter you post a message that you’ve just pooped and on Facebook you post the picture of the result. And if you’re a professional, you might also post it on LinkedIn, if you’ve pooped during office hours. Since you can connect these three together, you will start to build a practical resource with all kinds of personal information about you online. Twitter will be used to send small but important updates about yourself, your company or your products to every subscriber while Facebook is practical to connect with the consumers at home. But if you’re looking for a new job or need to hire or find some experts, you use LinkedIn for your search.

Search? That reminds me. There’s also Google Plus, although not many people use it as a social platform. Still, people like it because you can use your Google Plus account to log in to many other websites. (Facebook, LinkedIn and Twitter also support this.) Google also provides email accounts and document management tools, plus plenty of online storage, so it’s a very attractive site to use, even if people are still less social on Google Plus than they are elsewhere.

Yahoo also used to be a great social media centre, but the competition with other sites has lessened its influence considerably. Many of the things that Yahoo offers are also available on other sites. Yahoo also used to be great with its email services until it decided to drop support for email through POP/SMTP, just when Google decided to start expanding its email services. By doing so, Yahoo lost much of its influence and never really managed to get it back, although its photo service Flickr still holds plenty of value. (But here too, the competition is becoming murderous.)

Pinterest, for example, can also be used to share photos with others, although Pinterest is mostly used to share pictures from others, to promote those people. Basically, it’s a site for fans. DeviantArt is a bigger challenge for Flickr and has a huge amount of graphics, especially cartoons and CGI next to photos. But DeviantArt is missing an easy way to connect your other social media to your DeviantArt account.

So Behance is another interesting photo site where you can build your gallery and, more importantly, allow people to contact you and offer you jobs and other career opportunities. It also connects better with other social media and if it were free, it would definitely kill Flickr. Unfortunately, the free version has limitations and the commercial version is a bit expensive if you just want to share a bit of your work. Or maybe you’d prefer Bitpine.

Then again, if you’re into the art of images and photos, you might like to try to make some profit by selling merchandise. Cafepress is known for this and allows you to upload pictures and put them on all kinds of things, including a cape for your dog or panties for your girlfriend. There are plenty of other sites that offer simpler merchandise like t-shirts, but Cafepress just has a huge collection of things you don’t need but which still look nice with your picture on them.

There are more social media sites, of course. Including sites that will combine all your social media sites into a single reference for all your friends to know where you hang around. About.me will combine your bio, your résumé and all kinds of social media connections. Mine tends to have plenty of connections. Connect.me is also practical to connect with other people and allows you to build up your online reputation. TrustCloud is another medium that links people you know to your account. (Or mine.) Or go to Visify and tell others how active you are online.

An oldie is Reddit, which is more like an online forum. However, it has so many users that all discussions go very fast. Vimeo can be used to share videos, just like YouTube. Or use GitHub if you’re a software developer and want to share your code with others. Or Society3 for those who need social media for their marketing strategies. Or the simplest one: FourSquare, where you can tell where you are and where you went.

Well, I’ve mentioned plenty of social media sites and it’s all great to share your personal information with the World and get your 15 minutes of fame. And they all connect to one another, often via ID providers from Google, Facebook, Twitter or LinkedIn and lately also from Adobe. (Although Adobe is mostly using its ID provider to have others connect to the Creative Cloud.) If you’re connected to even a third of these sites, then there’s a lot of information about you online. And this is where it starts to become creepy and dangerous.

First of all, the amount of personal information that people share is huge. The joke I started with, that people tell others on Twitter that they’ve just pooped, isn’t just a joke. It happens! But when people are on holiday, they also tend to use Twitter, FourSquare and TwitPic to tell the world where they are. With more information from Facebook, thieves can try to find out where those people live and rob their empty homes. They might also check LinkedIn to see if someone might have some interesting stuff at home. For example, the CEO of a company who’s on holiday in Italy is a more interesting target than a teacher visiting his aunt in Almelo. And this is just a few of the media that can be abused by others without the need to hack anything.

So beware of your privacy and avoid sharing sensitive information online. Or at least be less interesting than the other online people.

But getting robbed is just one risk. You can protect your home, make sure there’s at least one person there when you’re on holiday. The problem is that all these media are connected to one another. And in general, you have given them permission to combine their information. And systems are as strong as their weakest links.

Take, for example, Facebook. Many websites use your Facebook ID to let you log in. Thus, if someone hacks your Facebook account, they also have access to those other websites. And one of those sites may hold your credit card, bank account or PayPal details. The attacker might not even need to see this information to make purchases in your name, simply because those connected sites remember it internally. I checked which sites I use that are connected to Facebook and it turns out that I’m connected with over a hundred other websites! I know a few friends of mine have an average of around 40 other sites connected to their Facebook account, and it’s easy to increase that number since plenty of sites want to connect to Facebook.

Fortunately, I have created several websites that connect to Facebook, so several of those connected apps are actually my own sites. Still, it’s a lot. It means that you have to be aware that anyone who hacks my Facebook account will be able to use these other sites. What they can do on those sites depends on how those other sites have implemented their security. And the same applies to apps connected to Google Plus, Twitter or LinkedIn.

If you use Flickr or Yahoo then you might have connected that account with Facebook or Google Plus. Since Yahoo is itself used as an ID provider for even more websites, you can see a complete chain collapse once your Facebook account is taken over. This makes Yahoo less reliable than the others. With Facebook, Twitter, LinkedIn and Google you can try to add more security. For example, only copy the ID key from the provider plus the email address, and force the user to set a separate password for your site. Thus, if Facebook is hacked, they still need a password for your site.

Which causes another problem. When people have a few dozen social media accounts, they start having trouble remembering all the passwords. I use an email alias for every site. Websites tend to let visitors log in with an email address and password, so I could use the same password on many sites, because the email address is different for every site. (I still use different passwords too, though.) Most people just use the same address and password for many sites, though. And that’s a big risk, because if one of the sites is hacked, the hackers will be able to use that information on all the other sites.

The bigger websites do have proper security. At least, that’s what most people think. However, both Adobe and LinkedIn have had serious trouble with their user databases, and users of both websites have in the past received a notice urging them to change their password immediately because of the hacks. And these were just the bigger sites that dared to publicly admit they had been hacked. Smaller social media sites can be a bigger risk if their security isn’t strong enough. Which is why it’s actually better that they use the ID providers of the bigger sites instead of implementing their own systems.

Developers often ignore security, thinking that what they’re making isn’t very interesting for hackers. But I can’t say it often enough and remind people that social media are just chained together. One weak link exposes all.

When you want to build your own social media website, be very aware of security. Don’t build your own login system unless you have an expert in your team. And even then, have the code audited by another expert. Since social media chain together, a weak link in this chain will take it all down. Which reminds me of this xkcd comic:

(xkcd comic on competing standards)

When you create your own ID provider, you’re just adding to the competing standards that already exist. What would make your system better than those others? Your site will be more secure by using an existing provider but if that provider has a weakness, your site will fall too unless you require more information.

My suggestion would be that people should be able to log in using Google Plus, Facebook, Twitter or LinkedIn, but combined with some extra security. You know the IP address of the visitor, for example, so you can remember it. As long as it matches your history for that account, it’s unlikely that the account is hacked. Once it changes, you should ask for one more piece of information, like a separate password. The visitor should know this, since he might have had to enter it during registration.

Another option would be to ask the visitor for his mobile phone number during registration, so you can send an SMS message as part of the authentication process. Thus, if a user is using a different computer, you can send an SMS with a security code. The user will have to enter that code and then you know you can trust that system. Add it to the list of trusted computers for this user and you can keep the visitor safe. (Microsoft is doing something like this with Windows Live.)
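The two ideas above (remember where an account normally logs in from, and demand a second factor when a new device or network shows up, then add that device to a trusted list) as one piece of working code. This is an added example, not code from the original post or from any of the providers it names: the identity provider is assumed to have already proven who the user is, and the class names, the in-memory store, the `fb:1234` subject and the phone numbers are made up for the illustration.

```python
"""Added example (not from the original post): step-up login after an IdP login.
The IdP (Facebook, Google, ...) vouches for *who* the user is; the site keeps its
own record of *where* the user logs in from and challenges on anything new.
Names, the in-memory store and the SMS stub are assumptions for this example."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set


@dataclass
class Account:
    idp_subject: str                 # stable user id taken from the IdP's token, never the email
    phone: str                       # collected at registration for SMS challenges
    trusted_devices: Set[str] = field(default_factory=set)   # device-cookie values
    seen_ips: Set[str] = field(default_factory=set)          # IPs this account logged in from
    pending_code: Optional[str] = None                       # outstanding SMS code, if any


class StepUpAuth:
    def __init__(self, send_sms: Callable[[str, str], None]):
        self.accounts: Dict[str, Account] = {}
        self.send_sms = send_sms     # real deployment: an SMS gateway; here any callable

    @staticmethod
    def new_device_cookie() -> str:
        # A long random value set as an HttpOnly cookie; possessing it is what
        # makes a browser a "known device". It is a bearer token, so keep it secret.
        return secrets.token_urlsafe(32)

    def register(self, idp_subject: str, phone: str, device: str, ip: str) -> Account:
        acct = Account(idp_subject, phone, {device}, {ip})
        self.accounts[idp_subject] = acct
        return acct

    def login(self, idp_subject: str, device: str, ip: str) -> str:
        """Called after the IdP redirect succeeded. Returns 'ok' or 'challenge'."""
        acct = self.accounts[idp_subject]
        if device in acct.trusted_devices and ip in acct.seen_ips:
            return "ok"
        # Unknown device or network: issue a fresh 6-digit code and send it out of band.
        acct.pending_code = f"{secrets.randbelow(10**6):06d}"
        self.send_sms(acct.phone, f"Your login code is {acct.pending_code}")
        return "challenge"

    def verify(self, idp_subject: str, device: str, ip: str, submitted: str) -> bool:
        """Second step: check the SMS code; on success trust this device and IP."""
        acct = self.accounts[idp_subject]
        if acct.pending_code is None:
            return False
        ok = hmac.compare_digest(acct.pending_code, submitted)   # constant-time compare
        acct.pending_code = None     # one attempt per code; a new login issues a new one
        if ok:
            acct.trusted_devices.add(device)
            acct.seen_ips.add(ip)
        return ok
```

The IP check is only a weak signal (mobile carriers, office NAT and VPNs change addresses all the time), which is why the device cookie is checked alongside it and why a mismatch leads to a challenge rather than a lockout. A production version would persist the trusted-device list server-side, expire entries, and rate-limit `verify` so a six-digit code cannot be brute-forced.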

So, a long story just to start a discussion about the best way to secure social media, reminding everyone that there are actually a lot of sites chained together through all of this.

One more spammer: Adobe!

I like to use email aliases for every online subscription and registration I have to fill out. I like this because it allows me to recognise whether companies are going to spam me or not. I also make sure that any pre-checked checkbox for extra mails gets unchecked. Unfortunately, not all companies care about that.

One of them is Adobe, well known for its PDF reader, but I also happen to use Adobe Lightroom, which requires an online registration. Which I had to fill in, else I would not be able to use the software properly. Okay, so I did. And I used an alias.

Today, I received an unreadable email because the images inside are blocked by my mail reader. They seem to have given or sold my address to kieseentablet.nl, which likes to spam many people with all kinds of garbage. I think they’re trying to sell me a DVD box in this message, but I’m not sure and don’t want to know. Viewing those images would mean that my mail reader has to contact their servers with a special code, and that code would validate my address.

I have reported it to SpamKlacht and I hope they will take action against this spammer and against Adobe. Adobe is just as guilty for not keeping my address safe. They violated my privacy by sharing that address with others.

I will show the headers of this email, though. And I hope most spam filters will pick this up and add this spammer to the blacklist. They should blacklist Adobe too, in my opinion, because this pisses me off! I expect some small internet companies will leak my address, but Adobe is supposed to be a serious, big international company. They just don’t care about their customers, that is clear…

Delivered-To: xxxxxxxx@xxxxxxxx
Received: by 10.50.173.36 with SMTP id bh4csp113728igc;
        Mon, 13 Jan 2014 00:38:24 -0800 (PST)
X-Received: by 10.194.104.66 with SMTP id gc2mr1505781wjb.75.1389602303789;
        Mon, 13 Jan 2014 00:38:23 -0800 (PST)
Return-Path: <bnc-24-data_sendout_1389545845_715_57-74@bounce.kieseentablet.nl>
Received: from mta2.parfumvandaag-mail.nl (mta2.parfumvandaag-mail.nl. [178.32.7.217])
        by mx.google.com with ESMTP id md15si7043232wic.62.2014.01.13.00.38.23
        for <xxxxxxxx@xxxxxxxx>;
        Mon, 13 Jan 2014 00:38:23 -0800 (PST)
Received-SPF: pass (google.com: domain of bnc-24-data_sendout_1389545845_715_57-74@bounce.kieseentablet.nl designates 178.32.7.217 as permitted sender) client-ip=178.32.7.217;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of bnc-24-data_sendout_1389545845_715_57-74@bounce.kieseentablet.nl designates 178.32.7.217 as permitted sender) smtp.mail=bnc-24-data_sendout_1389545845_715_57-74@bounce.kieseentablet.nl;
       dkim=pass header.i=@kieseentablet.nl;
       dmarc=pass (p=REJECT dis=NONE) header.from=kieseentablet.nl
Received: from localhost (localhost [127.0.0.1])
    by mta2.parfumvandaag-mail.nl (Postfix) with ESMTP id 16895163B348
    for <xxxxxxxx@xxxxxxxx>; Mon, 13 Jan 2014 09:38:23 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=kieseentablet.nl;
    s=default; t=1389602303; bh=Z5MpxKWITtojtkQ1ghnUMKSgLY4=;
    h=From:Reply-To:Subject:List-Unsubscribe:To:Date;
    b=o30KntUOp1TaT2j506DJmyK7Ak0hC2iWnPtEk+hDr6apIyYZyP3C1km805OO9c0Tb
     XnmzMnoyYn4XjgiFCStU2qKXZurqGGnr5dy2+J0b62I1dyHSISEVwvb2rfYW+3KRrX
     /dlIBtWM5mxPu7pencyad+BB8b9N+1coafAi6J/8=
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="=_cc78254c8040f1935d8f257c8e3ed1ee"
From: "Welkomstgeschenken Kies een Tablet" <nieuwsbrief@kieseentablet.nl>
Reply-To: leden@kieseentablet.nl
Subject: U ontvangt de complete Penoza DVD box
List-Unsubscribe: ,<mailto:unsubscribe_data_sendout_29865@bounce.kieseentablet.nl?subject=unsubscribe_29865>
X-Slip-uID: 2011425
X-Slip-active: N
X-BeverlyMail-Recipient: xxxxxxxx@xxxxxxxx
To: xxxxxxxx@xxxxxxxx
Date: Mon, 13 Jan 2014 08:38:23 +0000
X-BeverlyMail-MTA: 74
Message-ID: <1389602303-567845345AB@kieseentablet.nl>
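What the headers above actually prove is worth extracting by machine rather than by eye. The script below is an added example, not code from the original post: it feeds an abridged copy of those same headers (redacted exactly as the post redacts them, DKIM-Signature left out) into Python’s standard `email` parser and reports the SPF/DKIM/DMARC verdicts recorded by the receiving MX, the one relay IP that MX saw for itself, and whether the visible sender domains line up. The function names are my own.

```python
"""Added example (not code from the original post): summarise the
authentication headers of a received mail. Input is an abridged copy of the
header block shown in the post, used here as constructed sample data."""
import email
import ipaddress
import re
from email.utils import parseaddr

RAW_HEADERS = """\
Delivered-To: xxxxxxxx@xxxxxxxx
Received: by 10.50.173.36 with SMTP id bh4csp113728igc;
        Mon, 13 Jan 2014 00:38:24 -0800 (PST)
Return-Path: <bnc-24-data_sendout_1389545845_715_57-74@bounce.kieseentablet.nl>
Received: from mta2.parfumvandaag-mail.nl (mta2.parfumvandaag-mail.nl. [178.32.7.217])
        by mx.google.com with ESMTP id md15si7043232wic.62.2014.01.13.00.38.23
        for <xxxxxxxx@xxxxxxxx>;
        Mon, 13 Jan 2014 00:38:23 -0800 (PST)
Received-SPF: pass (google.com: domain of bnc-24-data_sendout_1389545845_715_57-74@bounce.kieseentablet.nl designates 178.32.7.217 as permitted sender) client-ip=178.32.7.217;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of bnc-24-data_sendout_1389545845_715_57-74@bounce.kieseentablet.nl designates 178.32.7.217 as permitted sender) smtp.mail=bnc-24-data_sendout_1389545845_715_57-74@bounce.kieseentablet.nl;
       dkim=pass header.i=@kieseentablet.nl;
       dmarc=pass (p=REJECT dis=NONE) header.from=kieseentablet.nl
Received: from localhost (localhost [127.0.0.1])
    by mta2.parfumvandaag-mail.nl (Postfix) with ESMTP id 16895163B348
    for <xxxxxxxx@xxxxxxxx>; Mon, 13 Jan 2014 09:38:23 +0100 (CET)
From: "Welkomstgeschenken Kies een Tablet" <nieuwsbrief@kieseentablet.nl>
Reply-To: leden@kieseentablet.nl
Subject: U ontvangt de complete Penoza DVD box
List-Unsubscribe: ,<mailto:unsubscribe_data_sendout_29865@bounce.kieseentablet.nl?subject=unsubscribe_29865>
To: xxxxxxxx@xxxxxxxx
Date: Mon, 13 Jan 2014 08:38:23 +0000
Message-ID: <1389602303-567845345AB@kieseentablet.nl>
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)")          # verdict tokens
BRACKET_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # "[1.2.3.4]" in Received
FROM_HOST_RE = re.compile(r"^from\s+([\w.-]+)")               # HELO/EHLO name in Received


def parse_headers(raw: str):
    return email.message_from_string(raw)


def auth_results(msg) -> dict:
    """spf/dkim/dmarc verdicts as written by the receiving MX (mx.google.com here)."""
    return dict(AUTH_RE.findall(msg.get("Authentication-Results", "")))


def handoff_hop(msg):
    """Walk Received headers top-down and return (ip, host) of the first hop with a
    globally routable IP: the connection our own MX saw. Every Received line below
    it was written by the sender's side and can say anything."""
    for value in msg.get_all("Received", []):
        for ip in BRACKET_IP_RE.findall(value):
            if ipaddress.ip_address(ip).is_global:
                host = FROM_HOST_RE.match(value)
                return ip, (host.group(1) if host else None)
    return None, None


def domains(msg):
    """From: domain, Return-Path domain, and whether they align (relaxed: subdomain ok)."""
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    aligned = rp_domain == from_domain or rp_domain.endswith("." + from_domain)
    return from_domain, rp_domain, aligned


def summarize(msg) -> dict:
    auth = auth_results(msg)
    ip, host = handoff_hop(msg)
    from_domain, rp_domain, aligned = domains(msg)
    return {
        "auth": auth,
        # All three passing means the domain owner really sent it, nothing more.
        "authenticated_sender": all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc")),
        "handoff_ip": ip,
        "handoff_host": host,
        "from_domain": from_domain,
        "return_path_domain": rp_domain,
        "aligned": aligned,
        "reply_to": parseaddr(msg.get("Reply-To", ""))[1],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_headers(RAW_HEADERS)).items():
        print(f"{key:>21}: {value}")
```

The result for this mail is that SPF, DKIM and DMARC all pass and the bounce domain aligns with the From domain: kieseentablet.nl genuinely sent it, through a bulk-mail MTA at parfumvandaag-mail.nl (178.32.7.217). Authentication proves who sent a mail, not whether you asked for it, so a filter for this sender has to key on the domain, the MTA or its IP, and the useful complaint goes to the domain owner and to whoever handed over the address.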

One week of spam…

Yesterday, I posted about comment spam in blogs. Today, I’m going to mention a few topics of spam messages I’ve received in just one week. To begin, I’ve received an email from the “Microsoft Partner Awareness Team”, which doesn’t seem to have a Microsoft mail account but some address in Nicaragua. The subject is “Confirm Receipt” and in it they tell me that they celebrate some 30th anniversary and, as a result, this team is giving away £1,864,000.00 GBP to six lucky recipients. And I’m one of them and need to reply with name, address, telephone number, email address and nationality. A nice example of phishing.

Next, a message about Canadian Pharmacy Online, where I don’t need prescriptions. Well, I don’t need these drugs either.

And a message from “WhatsApp Messaging Service” notifying me about a new voicemail, even though I don’t have a WhatsApp account for this specific email address. Since the sender is from Russia, I’m not interested in listening. Even though they’ve sent me this message twice…

The next one is a very good one, since it’s from the “Google+ Team” and uses mail-noreply@googlemail.com as address. Seems legit, doesn’t it? Too bad Google Mail happens to be the same as GMail, so the spammer is using this free service to pretend to be Google. The attached PDF promises me £950,000 as an award and all I have to do is fill in a form with name, address, telephone number, nationality, birth date, gender, occupation and email address. Definitely phishing!

Of course, most phishing emails will promise huge rewards to people, as the one I’ve received from Italy. Some investors have 375 million euro which they want to give away. These huge amounts just make it very clear it’s just fake.

Then some more pharmacy messages and other offers for all kinds of medicines and certain ‘blue pills’. Of course, this kind of spam is also very popular, apparently because one in a million people still decide to buy their drugs this way…

But there are more ways than offering money or selling drugs. I also received a spam message with a pretty woman in a bikini. Her name is Valeriya and she lives in Russia and is rather shy at first. And she wants to be pen pals with me. Oh, my… Dating spam! Another trick to get people to offer personal details or even to trick them into sending money to this pretty girl. Or maybe just a fat guy who pretends to be a pretty girl, since that’s more common. Still, even if this girl were real, chances are that she’s just out to steal your wallet and everything else you have. By the way, Irina also wants to chat with me. She enjoys hiking and pottery.

Then an email in the German language offering me a method to win at roulette in some online casinos. Ah, the old gambling site spam. Fits with the other spam message which is written in Dutch and offers me a chance to win the jackpot. They even promise me 100 euro as a bonus when I subscribe. Or the one where they’ll give me 20 free lottery tickets while they claim I’ve officially subscribed to their mailing lists in the past. (Which I never did, since the specific account that received the spam isn’t used to subscribe to anything.)

Then some message which advises me which stocks I should buy on the stock market, since they’re about to become valuable. Sure, for the person who is selling them right now! If plenty of people start bidding, the price will go up from nearly worthless to a few pennies per stock. If they then manage to sell a million stocks, it’s easy money with a huge profit, in a way that’s mostly legal.

And sometimes you receive an email that looks just a bit gibberish, yet makes you curious. People tend to reply to those kinds of messages, asking the sender what’s going on and what they meant by this message. And thus they confirm their email address is correct. And since many people add a signature to their emails, the sender gets to know a bit more about the recipient. If the recipient happens to work for some company and the company adds signatures, then the spammer might have enough information to pretend he’s that employee!

The emails from “USA TODAY News” are also interesting. Sent from an outlook.com address, it provides me information about losing weight. Apparently I’ve subscribed to their newsletter too (NOT!) and I can unsubscribe and thus confirm the correctness of my email address. Strangely enough, the unsubscribe link points to a Russian website. USA Today seems to be in Russia?

In short, I have three email accounts on my domain and an infinite number of aliases on my domain and a few other domains. I also have two old GMail accounts that I barely use but in total, I receive about 20 spam messages per day over all accounts, which Google nicely detects and filters for me. They’re annoying but Google takes much of the annoyance away. Handy, because I also receive about 60 to 100 legitimate emails per day, mostly from mailing lists.

All these spam messages were easily detected by Google and you can wonder if spam is really as profitable as it seems. But it’s the magic of big numbers that’s in the favor of spammers. If they’re sending one million messages, and only one percent reads the message then it’s still read by ten thousand people. If only one percent of those are responding with some information then they’ve collected the information of 100 people. And if one percent of those fall for their traps and the spammers earns a few thousands of euro’s then they’ve probably made a nice profit.

Basically, people should not respond to spam. They should recognise what spam looks like, which is why I’ve written this post. Do not even open spam just to check the contents, since your mail reader might already give spammers some information. I am a trained professional and I know what I’m doing when I check spam. My browser is set up in a secure way, my antivirus software is always up to date, I am really careful with spam messages and I avoid mail readers that might send information back to the sender. Then again, I have more than 20 years of experience dealing with malware, viruses and spam. Don’t try to do what even someone with 20 years of experience tries to avoid! Because I think education is important, but I would have preferred to throw away all those messages without even a single look!

And another stupid spammer…

Many people complain about all the spam in their mailboxes, but when you’re running a blog, forum or even a simple contact page where visitors can leave messages, you can still receive spam in other forms. With Facebook and Twitter, for example, you might get invitations from people you don’t even know. With LinkedIn, this is a bit more difficult, but it still has people attempting to connect to you so they can make all kinds of “interesting” offers to you.

But today I’ve received a comment spam on my post called “Dealing with deadlines” and it started like this:

{I have|I’ve} been {surfing|browsing} online more than {three|3|2|4} hours today,
yet I never found any interesting article like yours.
{It’s|It is} pretty worth enough for me. {In
my opinion|Personally|In my view},if all {webmasters|site owners|website owners|web
owners} and bloggers made good content as you did, the {internet|net|web} will be {much more|a
lot more} useful than ever before.|
I {couldn’t|could not} {resist|refrain from} commenting.
{Very well|Perfectly|Well|Exceptionally well} written!|
{I will|I’ll} {right away|immediately} {take hold of|grab|clutch|grasp|seize|snatch} your {rss|rssfeed} as I {can not|can’t} {in finding|find|to find}
your {email|e-mail} subscription {link|hyperlink} or {newsletter|e-newsletter} service.
Do {you have|you’ve} any? {Please|Kindly} {allow|permit|let} me {realize|recognize|understand|recognise|know}
{so that|in order that} I {may just|may|could} subscribe.

Well, that’s an interesting comment. (Full text here…) Basically, this is a script file that spammers use to generate random comments for blogs and forums. Normally, the spammer’s tool picks one of the words or sentences from each group in this script to produce something a visitor might have written, and the many variants make it harder to detect as spam. Unless you post the master script itself, of course, like this stupid spammer has done.
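The `{option|option}` syntax in that comment is usually called spintax. Below is an added example, not code from the post or from any spam tool, that does both halves of the job: what the spammer’s tool was supposed to do (pick one alternative comment, then pick one option per group) and what a blog owner can do with it (detect a comment that still contains unexpanded groups). `SAMPLE` is the comment quoted above with straight apostrophes; the function names are my own.

```python
"""Added example (not from the original post): expand spintax the way a comment
spammer's tool does, and detect spintax that was never expanded."""
import random
import re

GROUP_RE = re.compile(r"\{([^{}]*)\}")   # an innermost {a|b|c} group (no braces inside)

# The comment quoted in the post, used here as constructed sample input.
SAMPLE = """{I have|I've} been {surfing|browsing} online more than {three|3|2|4} hours today,
yet I never found any interesting article like yours.
{It's|It is} pretty worth enough for me. {In
my opinion|Personally|In my view},if all {webmasters|site owners|website owners|web
owners} and bloggers made good content as you did, the {internet|net|web} will be {much more|a
lot more} useful than ever before.|
I {couldn't|could not} {resist|refrain from} commenting.
{Very well|Perfectly|Well|Exceptionally well} written!|
{I will|I'll} {right away|immediately} {take hold of|grab|clutch|grasp|seize|snatch} your {rss|rssfeed} as I {can not|can't} {in finding|find|to find}
your {email|e-mail} subscription {link|hyperlink} or {newsletter|e-newsletter} service.
Do {you have|you've} any? {Please|Kindly} {allow|permit|let} me {realize|recognize|understand|recognise|know}
{so that|in order that} I {may just|may|could} subscribe."""


def split_alternatives(template: str) -> list:
    """Split on '|' at brace depth 0: each piece is a complete alternative comment.
    (The template above carries three of them, separated by the trailing '|'s.)"""
    parts, current, depth = [], [], 0
    for ch in template:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth = max(depth - 1, 0)
        if ch == "|" and depth == 0:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return [p.strip() for p in parts]


def expand(template: str, seed=None) -> str:
    """Pick one alternative, then resolve groups innermost-first (so nesting works)."""
    rng = random.Random(seed)
    text = rng.choice(split_alternatives(template))
    while True:
        m = GROUP_RE.search(text)
        if not m:
            return text
        text = text[:m.start()] + rng.choice(m.group(1).split("|")) + text[m.end():]


def detect(text: str) -> dict:
    """Count unexpanded groups; any at all is a strong spam signal on a blog comment."""
    groups, work = 0, text
    while True:
        work, n = GROUP_RE.subn("", work)   # strip innermost groups layer by layer
        if n == 0:
            break
        groups += n
    return {
        "groups": groups,
        "top_level_alternatives": len(split_alternatives(text)),
        "is_spintax": groups > 0,
    }


if __name__ == "__main__":
    print(detect(SAMPLE))
    print(expand(SAMPLE, seed=42))
```

An expanded variant carries no braces and passes `detect`, which is the point the post makes: the template is only visible because the tool was never run. Catching the expanded form needs different signals (the generic flattery, the missing reference to the post’s content, the link and IP of the submitter), which is what a filter like the one built into WordPress scores on.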

If I allowed this message, someone with a Canadian IP address (142.4.208.160) would be able to add more comment spam on my blog and might even flood it with spam once they got their first approval. Of course, the spammer also used an email account (augustuscolangelo@freenet.de) from the German provider Freenet, whose accounts have been used many times by spammers. Freenet has taken steps to prevent spammers from sending mass emails, but that doesn’t stop spammers from posting comment spam like this one.

Also interesting is the fact that the spammer added a link to foot-en-direct-gratuit.sixsigmadss.com (links to the main site, not the spammer’s blog), which happens to be some blog on the site of an Indian company called “Six Sigma”. I wonder if this company even knows about this blog, which is written in French. I guess they don’t know about it, and that their DNS information has been hijacked. Or maybe their servers are hacked.

So, what I like to do is visit RobTex to collect more information about what I’ve found. So far, it’s an interesting international spammer: mail in Germany, spamming from Canada, with a web server that’s owned by a company in India. RobTex tells me the shared host they use for the site is Enzu in the USA, which provides cloud services and more. They also use the DNS services of GoDaddy, which confuses me a bit. Why not use the DNS servers of Enzu?

Well, some further research tells me why. While Six Sigma uses GoDaddy as their host, the spammers have instead used Enzu to create their own website, which makes them appear legitimate. They’ve also moved the regular site to Enzu, and are probably redirecting visitors from there to the original website. (Or Six Sigma is supporting the spammer, which is also an option. I just don’t want to accuse them of this crime.) When I visit the Six Sigma website, it does seem as if someone has taken control of their site. Much of it looks disabled, as if the hacker is just misusing the site for their own purposes. It looks like it was taken over two days ago by the hacker, yet they have not detected the hack at this moment. I hope they will be able to fix this fast, though.

Of course, there’s an even bigger risk here. Since the spammer seems to have hijacked their home site, he can mount a man-in-the-middle attack. Every customer of theirs who enters their credentials to log in hands those credentials to this hacker too. This is a serious thing. Spammers often try to do more than just send spam. They will try to collect more information to allow them to hack even more accounts.

There are a few things here that worry me. First of all, this Indian company doesn’t seem to realise their site is hacked. Also, GoDaddy, which is supposed to be their host, isn’t hosting their main site. And Enzu doesn’t seem to realise that it is hosting a site for an Indian company that uses French for a blog that seems filled with random articles from French and Canadian news sites. You could wonder whether hosting companies should check if strange things are happening to the accounts of their customers.

Yeah, I think you can blame hosting companies for much of the spam on the Internet, simply because they’re not proactive when suspicious changes are made to the accounts of their clients. Unless hosting companies take more care in selecting their clients, validate account changes, and tell their customers when their accounts seem to be hacked, spam will just continue to cause problems.


Rabo Phishing

(Image: phishing email titled “2013 Rabo Bank Algemene voorwaarden en informatie”, i.e. “2013 Rabo Bank general terms and information”)

It’s always interesting to see a bank like the Rabo warning me about the possible dangers of their systems by using emails like these. It’s even more interesting when you realise that I don’t have a Rabo account, so there’s no reason for me to use their software. So, yeah… It’s a phishing email, but for GMail it’s still a reasonably new attack, so I don’t get an automated warning. (McAfee did detect a potentially unsafe link, so that’s a second warning.)

Roughly translated, the message is telling me the bank is using a new security system which is supposed to keep me safe from any malicious software. All I have to do is link my system to theirs, offer some more information and then I won’t have to worry about my bank account. (Probably because they will plunder it to the last penny.) After providing my information, they will contact me by phone and update my account so they can collect even more sensitive data from me.

Well, this is a nice example of a phishing email. First of all, my bank should already know all the information about me that it needs. If not, I should receive a link to their official website with the proper logos and stuff, plus a secure SSL connection. By providing a “special link” that would allow me to add my information, they’re actually making me more suspicious. Normally, a bank would tell you to log in to the regular website and then select option X from the list of options to give more information.

Also, since modern banks will handle almost all client interactions through secure webpages, there should never be a need to install software that your bank provides! I even became suspicious when ING started offering an extra malware checker to all their customers, because even though this was a legitimate offer, it encourages people to install anything the bank tells them to. This is bad, real bad! So, to all banks: please stop telling us which software we need to install and where to download it.

Basically, the mail is telling me to do things no ‘real’ bank would ever ask of me. (If they did, I’d leave them for another bank.) But they’ve also sent this email to someone with no Rabo account, which is plain stupid since those people should recognise this as spam immediately and thus report it. Gmail, for example, has a nice feature allowing you to mark the email as a phishing attempt. If a few people report this as phishing, it will automatically be sent to the spam folder for everyone.

But there’s more and for this I will have to look at the email header:

Received: by 10.50.78.199 with SMTP id d7csp60995igx;
        Fri, 16 Aug 2013 01:08:54 -0700 (PDT)
X-Received: by 10.180.9.203 with SMTP id c11mr114146wib.64.1376640534320;
        Fri, 16 Aug 2013 01:08:54 -0700 (PDT)
Return-Path: <informatie@rabo.nl>
Received: from web017.kontent.com (web017.kontent.com. [81.88.40.153])
        by mx.google.com with ESMTP id vl2si80185wjc.138.1969.12.31.16.00.00;
        Fri, 16 Aug 2013 01:08:54 -0700 (PDT)
Received-SPF: neutral (google.com: 81.88.40.153 is neither permitted nor denied by best guess record for domain of informatie@rabo.nl) client-ip=81.88.40.153;
Authentication-Results: mx.google.com;
        spf=neutral (google.com: 81.88.40.153 is neither permitted nor denied by best guess record for domain of informatie@rabo.nl) smtp.mail=informatie@rabo.nl
Received: from 123salonmagie-pittelkow.de (localhost [127.0.0.1])
        by web017.kontent.com (Postfix) with SMTP id 48F4C1906F
        for <xxxxx@xxxxxxxx.xx>; Fri, 16 Aug 2013 10:08:53 +0200 (CEST)
Received: by 123salonmagie-pittelkow.de (KT-sendmail/237034); Fri, 16 Aug 2013 10:08:53 +0200
Date: Fri, 16 Aug 2013 10:08:53 +0200
X-Kontent-Script: http://123salonmagie-pittelkow.de/images/hdds/gtr/mailer1.php
X-Kontent-Sender: 41.137.57.141
To: xxxxx@xxxxxxxx.xx
Subject: 2013 Rabo Bank Algemene voorwaarden en informatie
From: Rabo Bank <informatie@rabo.nl>
Reply-To: informatie@rabo.nl
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-Id: <20130816080853.48F4C1906F@web017.kontent.com>

One thing I immediately notice is that the email has a sender address (informatie@rabo.nl) which seems suspiciously valid. Most banks will use a no-reply address as sender, since they don’t want their clients corresponding with them by email. Why? Because email is less secure. So this too is a warning signal.

The reference to ‘kontent.com’ is also suspicious. But when you visit this domain (it’s safe) you will see a domain hosting company that also provides web mail options. It tells me that the email has been sent through their servers. But the trail goes further, to a German domain provider, which is strange since the Rabo is a Dutch bank. The domain registered at this provider is 123salonmagie-pittelkow.de and it seems to be down already. The WHOIS information makes it clear that the persons behind it want to be anonymous, so it’s registered by ‘Kontent’.

An IP address (41.137.57.141) is also noticeable. RobTex tells me this is an address in Morocco. An added description reads “This prefix is dedicated to mobile 3G Internet users on the capital Rabat and its surroundings”, which tells me someone is using a mobile phone or tablet to send these phishing emails from Rabat, Morocco.

Back to the domain I’ve found. Again, RobTex shows me it shares its host with dozens of other sites. Many of them look suspicious or are gambling- or porn-related. That doesn’t really surprise me. These are all just hosted sites, small in size and without too many visitors. An ideal provider for a phishing attack. Especially since this provider allows its customers to send emails from a domain name (rabo.nl) that doesn’t belong to them.

The phishing attack is done in a smart way. Since the fraudsters are working on an international level, the risk of getting caught is reasonably small. They do seem to understand the Dutch and German languages, but then again, these two countries have a lot of immigrants from Morocco. The fraudster might even be in Morocco for a holiday, returning in a few weeks and thus removing his traces in Rabat.

To pay the provider, he probably used a hacked bank account or credit card. In Rabat, he could have stolen an iPad with a 3G connection and used that to send the emails. On his domain name he probably used a simple script allowing him to send a huge amount of emails through the provider without warning bells going off. Then again, similar Rabo phishing emails have been going around for two years already, with just a few minor changes. This fraudster has probably been doing this for a while now. It tells me that he has escaped being captured for quite a while.

But would he really profit from this? Well, the risks are small since he misuses systems on two different continents and is probably using fake names and stolen bank information to get the things he needs. With about 15 million people in the Netherlands, he might just mail 10% of them, hoping that 1% of those will click the link and offer at least some information. If 1% of this information is valid, he will have collected 150 valid bank accounts. If he can “steal” 500 euros from each of these accounts, he will have earned 75,000 euros, which happens to be a very nice amount. If he can keep 10% of this amount and spend the rest on expenses, it would still keep him well-paid for two months. Longer if he lives in Morocco.

Basically, people who fall for this fraud will be sponsoring some criminal in Morocco. When you realise that several Muslim extremists have ties with Morocco, then this kind of fraud might even be sponsoring terrorism. Thus it’s very important that people are very careful with these kinds of emails. And even more important: never communicate with your bank by email, since it’s unsafe. You can use their website, if it uses SSL. Otherwise, use the phone to call the bank when you receive emails like this and ask them what to do. Don’t use the phone number from the email but the one from your bank statements or from their official website. Also, keep in mind that no sane bank will ask you to install any specific product, nor should they offer you an email address for your replies. If a bank does do these stupid things, complain to them! Switch banks if you have to, since those banks are taking too many risks.

Nigerian bankers are from China?

I just can’t help posting one more spam message here, as an example of how spammers operate. This time, a very well-known Nigerian 419 spam message where the spammer is trying to collect sensitive information about those whom he’s spamming.

Interestingly enough, many people tend to share this information freely on the Internet already. With sites like Facebook and LinkedIn I would think spammers would not even need this information. Well, except for the bank account numbers, of course. And maybe the phone number.

So let’s look at this message, which seems to be from Nigeria. Or China. Or Russia, if I read the mail headers.

Nigerian Spam

Well, what does it say? It’s about a contract or inheritance file that’s at some desk in Nigeria. I don’t have a clue what it’s supposed to do there, but they have it. Who? Well, The Central Bank of Nigeria, of course. (Yeah, that link goes to the real site!) It seems that I am dealing with some non-officials about this case and that’s supposed to be illegal. The Board of Directors held a meeting to give me a solution, though. They’re willing to pay me the $950,000.00 that’s in some online account which is supposed to be mine. I need to give some details to them which would allow me to log in to my account so I can transfer the money to a different account. And I must stop discussing this with anyone else, so this post on my blog must be illegal.

Okay, I’m not stupid. The fact that Google dumped this in my spam folder is the first warning. The red warning above the post is the second warning. Even if I’m a complete idiot (and I sometimes am one) then these two warnings should trigger plenty of alarm bells, making sure I won’t respond to this. But I’m interested in the mail header too.

Nigerian Spam Header

Sure, the first thing I’ve noticed is another warning: “domain of infocbn@cbn.com does not designate 178.75.0.110 as permitted sender”.

It was sent from Webasto, which happens to be a Russian company that creates air conditioning systems for automobiles. Maybe the Nigerian Board of Directors is in Russia?

And I need to send a reply back to an email address provided by the email services of the Chinese Yahoo website.

Also, even though they knew my email address (helpdesk@example.com), they did not know my name. Or anything else, even. But they seem to know that I’m dealing with non-officials, though.

So, am I dealing here with Russian Nigerians who live in China? Or Chinese Nigerians living in Russia? I don’t know. This is just spam and it’s too ridiculous to even consider believing it. I can’t understand that anyone would be fooled by something stupid like this, yet it happens. At least, it happens often enough for these spammers to continue their attempts. Just send a million of these messages and hope that an idiot will respond. If one in a million people is an idiot, they tend to have a reasonable chance of success.

Also interesting is the reference to CBN, which isn’t the Central Bank of Nigeria. It’s the Christian Broadcasting Network. Close enough, I guess.

The true Central Bank of Nigeria has an official warning about 419 scams on their website. A check with RobTex seems to confirm this site is the real website. The fact that it’s a .ORG domain still makes me a bit suspicious but fortunately, there’s also an official gov.ng site, which happens to be a bit slower. All this spam isn’t just annoying for me and other recipients, it’s also bad for the Nigerian government and their bank.

It amazes me that these Nigerian 419 scams have continued for more than a decade. Especially since these emails seem so extremely fake that I just wonder if people are fooled by these spammers simply because they try to scam the spammers themselves. And in trying to do so, they just happen to give away too much real information.

The best response to these kinds of emails is either to ignore them or to warn others about them.

Spam: Once more, with feelings…

Sometimes, a spam message can look very tempting to the reader. I recently received the following message that’s just too good to be true. Fortunately, my spam filter did move it to spam already…

Dear Friend,

This is a personal email directed to you.

I and my wife won a EuroMillions Jackpot Lottery of Ј148m EuroMillions in August.
We have decided to donate the sum of Ј2,000,000.00 Pounds to you as part of our own
charity project to improve the life of 5 lucky other individuals all over the world.

All you have to do is get back with us so that we can send you details to the payout bank.

You can verify this via the two link below.

http://www.dailymail.co.uk/news/article-2187999/
http://www.national-lottery.co.uk/player/p/goodcausesandwinners/winnersgallery.ftl

Adrian And Gillian Bayford
Email: adriangillian-bayfords@maildx.com

Strangely enough, the sender happens to be adrian.gillian.bayforddonationdesk@hotmail.co.uk but the email in the message claims otherwise. A check of that MailDX address shows that it’s just another free email provider, like Hotmail, Yahoo or GMail. Since the sender is also a free mail account, I just consider these throw-away accounts. They use them to get your attention and they hope to collect enough information before the free providers close the accounts again. And the trick here is that they use two providers, so one account may be closed for sending spam reasonably fast, but the other will continue to work a bit longer. A simple trick, but reasonably effective.

Also interesting is that they did not include any fake URLs or make up a fake story. The real Adrian and Gillian Bayford did win a nice amount in the national lottery. A nice 148 million in British pounds. Not bad! And sure, they could decide to give away a small part of that amount to a few lucky others, but how would they choose those people? Ask yourself: if you would give away a large sum of money, how would you decide on the person who should receive it?

Right! You would not pick a random person from a mailing list. Especially not when that mailing list happens to be used by spammers to spam people. I know it’s on a spam list since I tend to receive several other spam messages on the specific mail alias that has received this message. Anything I receive on that alias is most likely spam anyway. Doesn’t bother me, though. My mailbox has a powerful spam filter and the account is just an alias that I can close and discard. It’s just fun to see the kind of tricks spammers will use. And some of their tricks are very sophisticated! Besides, it helps me to recognize those spammers.

So, except for the fact that it was already marked as spam, what other things told me it was spam? And most likely a phishing mail? Well, first of all it sounded too good to be true. Also, a quick Google search revealed an article on SpamFighter warning people about this message! It never hurts to just search on Google to check whether some message is spam or not! The two different email accounts also warned me, especially since both are free accounts. Registering a domain name is not expensive. And by using Google Apps you can also add a mailbox with unlimited aliases to your domain, again for a low price. So this couple could easily have created a real domain with extra information for those people with whom they would share their prize.

Also, the lack of the British Pound symbol in the email was a clear clue, since it’s supposed to be British. It tells me that it was sent by someone with a non-British keyboard! That’s very common outside the UK but people inside the UK prefer to type the proper symbol for their currency.

Sending the spam to my honey pot mail account was also a dumb move.

Blog spammers

I’m having a late lunch break and started to check all comments that needed to be moderated for my blog. And as usual, there’s a lot of spam between those comments! Fortunately, this blog is hosted by WordPress.com and they know how to detect those spammers easily! So all I have to do is empty the spam folder once in a while. It’s great! But just for the fun of it, let’s look at a few of those. 🙂

Yeah, there it is… My spam folder. I had 56 spam messages in it and was just deleting them one by one, since it’s fun seeing how spammers tend to operate. (And educational too.) But I decided at one point that it could be educational for others too, so here it is.

One thing you will notice is that most spammers will include hyperlinks to some other site. These could be malicious sites or just some obscure web shop that needs free advertisements. Most of it is in English, which makes sense since most of this blog is in English. But the Russian post in this list is noteworthy!

Another post I’ve noticed says: “Hi there would you mind letting me know which hosting company you’re using? I’ve loaded your blog in 3 different web browsers and I must say this blog loads a lot quicker then most. Can you suggest a good web hosting provider at a honest price? Thanks a lot, I appreciate it!” Definitely noteworthy since it seems to be a valid request. I do wonder why it’s considered spam. But I’m smart, so I’ve Googled for that remark and it happens to appear on dozens and dozens of other websites, where webmasters have allowed the comment to pass their filters! That’s not a wise move, since approving such messages often means that the sender is approved for sending more comments too. Allowing this message might mean that he will follow up with all kinds of spam, probably trying to sell Viagra or penis enlargement herbs. So, it’s spam. The spammer tries some innocent-looking message just so I would let my guard down and approve him as a valid commenter. Well, too bad he did not fool the WordPress filter. (Most likely because they’ve recognized his IP address.) The blog he’s included in his profile is most likely just a random blog post that he misuses to make things look even less suspicious.

I also tend to get a lot of compliments from spammers, probably hoping to play on my ego and confuse me into allowing those messages. Again, WordPress isn’t fooled by them! One such spam message said: “Hey there, just became alerted to your blog through Google, and found that it is truly informative. I will be grateful if you continue this in future. Numerous people will be benefited from your writing. Cheers!” which sounds nice. It’s linked to this post where I show a CGI image I’ve just created. I didn’t consider that post very informative, though. Just fun, and a follow-up on an earlier post that was more informative. The praise is nice, but just too generic to be considered real.

One more, as a comment on my post about Stupid Spammers: “In the event you suffer from any of these circumstances or injuries, it is worth taking the time to seek advice from your physician or physical therapist concerning the use of [SNIP! Spam-link!]” I don’t see any relation between this comment and the topic of my post, except that this too happens to be a dumb spammer. Many spam comments are like this. They are often not related to the topic you’re discussing or very generic by nature. When the comment isn’t on-topic, be aware!

Anyway, one thing that most of these spam comments have in common is that they’re trying to promote all kinds of medication. Then again, that’s also true for much normal spam. But if you want to fight blog spam on your own blog, then make sure that any commenter is moderated for at least a month, or 10 comments, whichever is more. Keep an eye on their posts, and if those comments are too generic, it’s most likely that the commenter isn’t really reading your blog but just wants to get the right to comment without moderation. (And once they can do that, they will fill your blog with a lot of spam, before you notice what they’re doing and can put a stop to them!)
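The moderation rule above (a month or ten comments, whichever is more), plus the tells the post lists (generic praise, hyperlinks, a comment that has nothing to do with the topic), as an added example that is not the blog's or WordPress's own code. The post text, the on-topic comment, the probation thresholds, the overlap threshold and the link placeholder are constructed; the generic phrases are taken from the spam comments quoted in the post.

```python
"""Probation-based comment moderation: hold everything from a commenter until both
thresholds are met, and never let generic, link-carrying or off-topic comments
through unmoderated. Added example; thresholds and sample data are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

PROBATION_DAYS = 30        # "at least a month"
PROBATION_COMMENTS = 10    # "or 10 comments, whichever is more" -> both must hold

# Phrases lifted from the spam comments quoted in the post; a comment that repeats
# them verbatim is the same comment that appears on dozens of other blogs.
GENERIC_PHRASES = (
    "which hosting company you're using",
    "loads a lot quicker",
    "truly informative",
    "numerous people will be benefited",
    "seek advice from your physician",
)
LINK_RE = re.compile(r"https?://\S+", re.I)
WORD_RE = re.compile(r"[a-z']+")
MIN_OVERLAP = 0.2  # assumed: share of comment vocabulary that must appear in the post

# Constructed sample post and comments.
SAMPLE_POST = ("Stupid spammers keep posting spam comments on this blog. Most spam "
               "comments are generic and never relate to the post.")
ON_TOPIC_COMMENT = "The spammers posting these generic comments never read the post."
HOSTING_COMMENT = ("Hi there would you mind letting me know which hosting company "
                   "you're using? This blog loads a lot quicker then most.")
PHYSICIAN_COMMENT = ("It is worth taking the time to seek advice from your physician "
                     "concerning the use of http://example.invalid/placeholder-spam-link")


@dataclass
class Commenter:
    first_approved: Optional[datetime]   # when their first comment was approved
    approved_count: int = 0


def past_probation(c: Commenter, now: datetime) -> bool:
    """Unmoderated posting only after BOTH the time and the count threshold are met."""
    if c.first_approved is None:
        return False
    return (now - c.first_approved >= timedelta(days=PROBATION_DAYS)
            and c.approved_count >= PROBATION_COMMENTS)


def content_words(text: str) -> Set[str]:
    """Lower-cased words of five or more letters; short function words carry no topic."""
    return {w for w in WORD_RE.findall(text.lower()) if len(w) >= 5}


def topic_overlap(comment: str, post: str) -> float:
    """Share of the comment's content words that also occur in the post it answers."""
    words = content_words(comment)
    return len(words & content_words(post)) / len(words) if words else 0.0


def decide(comment: str, commenter: Commenter, post: str,
           now: datetime) -> Tuple[str, List[str]]:
    """Return ('publish' | 'hold' | 'spam', reasons). 'hold' means a human looks at it."""
    text = comment.lower().replace("\u2019", "'")  # curly apostrophes -> straight
    reasons: List[str] = []
    generic = next((p for p in GENERIC_PHRASES if p in text), None)
    has_link = bool(LINK_RE.search(comment))
    off_topic = topic_overlap(comment, post) < MIN_OVERLAP
    if generic:
        reasons.append(f"generic phrase seen on many blogs: {generic!r}")
    if has_link:
        reasons.append("carries a hyperlink")
    if off_topic:
        reasons.append("shares no vocabulary with the post (off-topic)")
    if not past_probation(commenter, now):
        reasons.append("commenter still on probation")
    if generic or (has_link and off_topic):
        return "spam", reasons
    return ("hold" if reasons else "publish"), reasons


if __name__ == "__main__":
    now = datetime(2013, 9, 1)
    trusted = Commenter(first_approved=now - timedelta(days=90), approved_count=25)
    newcomer = Commenter(first_approved=None)
    for who, c in (("trusted", ON_TOPIC_COMMENT), ("newcomer", ON_TOPIC_COMMENT),
                   ("trusted", HOSTING_COMMENT), ("newcomer", PHYSICIAN_COMMENT)):
        verdict, why = decide(c, trusted if who == "trusted" else newcomer, SAMPLE_POST, now)
        print(f"{who:9} {verdict:8} {why}")
```

The two thresholds are combined with "and" on purpose: a commenter who has been around for forty days but has only three approved comments is still on probation, which is what "whichever is more" asks for. The vocabulary overlap is deliberately crude; it catches the physician comment on a post about spammers, but a real deployment would add the IP reputation the post credits WordPress with.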

Blog spam can destroy any blog, make them unreadable for the regular visitor while also helping spammers to have their spam be found by various search engines. If I would allow spam in my blog, people who would look for common words in my blog (CGI, Poser, Grepolis, etc.) will find my blog but when visiting it, they would see just spam. So, bloggers should have a very good reason to block blog spam, or else no one will follow their blogs…

Spammers learn new tricks…

I’ve recently posted a rant about spam and today, I’m going to add another one. This one is about a spammer’s trick that might fool a lot of people. Especially those people who don’t use a good spam filter. And I’m doing this because it might have fooled me, if there hadn’t been two flaws with it. First of all, it ended up in my spam folder, which suggests that something is wrong. Secondly, it was sent to the wrong email address.

First, let’s take a look at the spam itself:

What the spam looks like

Well, it looks good enough. LinkedIn does send these kinds of emails on a regular basis. I get plenty of those on my real LinkedIn account. But as I said, I received this one in my spam filter and on the wrong account. So, let’s look at the email a bit more, starting with the headers…

Delivered-To: address@example.com
Received: by 10.14.174.6 with SMTP id w6csp66709eel;
        Wed, 29 Aug 2012 08:00:37 -0700 (PDT)
Received: by 10.60.11.34 with SMTP id n2mr645244oeb.18.1346252436700;
        Wed, 29 Aug 2012 08:00:36 -0700 (PDT)
Return-Path: <heemali@snmz227.leaseweb.com>
Received: from SNMZ227.leaseweb.com ([82.192.78.107])
        by mx.google.com with SMTP id zm6si23150147obb.199.2012.08.29.08.00.35;
        Wed, 29 Aug 2012 08:00:36 -0700 (PDT)
Received-SPF: neutral (google.com: 82.192.78.107 is neither permitted nor denied by best guess record for domain of heemali@snmz227.leaseweb.com) client-ip=82.192.78.107;
Authentication-Results: mx.google.com; spf=neutral (google.com: 82.192.78.107 is neither permitted nor denied by best guess record for domain of heemali@snmz227.leaseweb.com) smtp.mail=heemali@snmz227.leaseweb.com
Date: Wed, 29 Aug 2012 11:00:36 +0000 (UTC)
From: LinkedIn Reminders <reminders-noreply@noreply-linkedin.com>
To: address@example.com
Message-ID: <52203955.7448783.1913884201422.JavaMail.app@ela4-app2581.prod>
Subject: There are a total of 1 messages awaiting your response
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit

I’ve replaced my address with address@example.com, a dummy address. But if I look at these headers I notice that it’s sent from a leaseweb.com mail account, and not from LinkedIn itself. Leaseweb is a hosting provider with a bad reputation as one of the worst hosts, since they seem to host a lot of malware on their sites. The Bredolab botnet, for instance, was hosted on Leaseweb servers. Leaseweb also hosted part of MegaUpload. But Leaseweb is also one of the biggest hosts in Europe, so it’s no surprise that you can find lots of malware there. Such sites are always a small percentage of the sites at any host.
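The checks the post does by eye on the Rabo headers and on the LinkedIn headers above (who handed the message to Google's MX, whether that host belongs to the From domain, what SPF said, whether the Return-Path matches, whether the provider stamped a web mailer script on it), as an added example that is not part of the post and not Gmail's or any provider's code. The header samples are the ones quoted in the post, cut down to the lines this check uses and re-folded with standard continuation whitespace; the brand table and the two-label domain rule are assumptions.

```python
"""Walk a message's Received chain and flag the mismatches the post reads off by hand.
Added example; header samples are the post's own, everything else is constructed."""
import email
import re
from email.utils import parseaddr

RABO_HEADERS = """\
Return-Path: <informatie@rabo.nl>
Received: from web017.kontent.com (web017.kontent.com. [81.88.40.153])
        by mx.google.com with ESMTP id vl2si80185wjc.138.1969.12.31.16.00.00;
        Fri, 16 Aug 2013 01:08:54 -0700 (PDT)
Received-SPF: neutral (google.com: 81.88.40.153 is neither permitted nor denied by best guess record for domain of informatie@rabo.nl) client-ip=81.88.40.153;
Received: from 123salonmagie-pittelkow.de (localhost [127.0.0.1])
        by web017.kontent.com (Postfix) with SMTP id 48F4C1906F
        for <xxxxx@xxxxxxxx.xx>; Fri, 16 Aug 2013 10:08:53 +0200 (CEST)
X-Kontent-Script: http://123salonmagie-pittelkow.de/images/hdds/gtr/mailer1.php
X-Kontent-Sender: 41.137.57.141
From: Rabo Bank <informatie@rabo.nl>
Reply-To: informatie@rabo.nl
"""

LINKEDIN_HEADERS = """\
Return-Path: <heemali@snmz227.leaseweb.com>
Received: from SNMZ227.leaseweb.com ([82.192.78.107])
        by mx.google.com with SMTP id zm6si23150147obb.199.2012.08.29.08.00.35;
        Wed, 29 Aug 2012 08:00:36 -0700 (PDT)
Received-SPF: neutral (google.com: 82.192.78.107 is neither permitted nor denied by best guess record for domain of heemali@snmz227.leaseweb.com) client-ip=82.192.78.107;
From: LinkedIn Reminders <reminders-noreply@noreply-linkedin.com>
"""

# Assumed brand table: keyword in the display name -> domains that brand really mails from.
KNOWN_BRANDS = {"linkedin": {"linkedin.com"}}

# "from <host> (... [ip]) by <host>"; Google's internal "by 10.x.x.x" hops have no
# "from" part and are skipped on purpose.
HOP_RE = re.compile(r"from\s+(\S+)\s.*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(\S+)", re.I)


def base_domain(host: str) -> str:
    """Last two labels (assumption: fine for .com/.nl/.de, wrong for co.uk-style TLDs)."""
    labels = host.lower().rstrip(".;").split(".")
    return ".".join(labels[-2:])


def parse_hops(msg) -> list:
    """Received headers top-down, i.e. nearest to us first, as from/ip/by dicts."""
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(re.sub(r"\s+", " ", value))  # unfold, then match
        if m:
            hops.append({"from": m.group(1), "ip": m.group(2), "by": m.group(3)})
    return hops


def spf_result(msg):
    """First token of Received-SPF: pass, neutral, softfail, fail, none..."""
    m = re.match(r"\s*(\w+)", msg.get("Received-SPF", ""))
    return m.group(1).lower() if m else None


def analyse(raw: str, our_mx: str = "mx.google.com") -> dict:
    msg = email.message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    hops = parse_hops(msg)
    # The hop that handed the message to our own MX is the only one we can trust.
    handoff = next((h for h in hops if h["by"].lower().startswith(our_mx)), None)
    findings = []
    if handoff and base_domain(handoff["from"]) != base_domain(from_domain):
        findings.append(f"handoff host {handoff['from']} does not belong to From domain {from_domain}")
    if rp_domain and base_domain(rp_domain) != base_domain(from_domain):
        findings.append(f"Return-Path domain {rp_domain} differs from From domain {from_domain}")
    spf = spf_result(msg)
    if spf != "pass":
        findings.append(f"SPF result is {spf!r}: {from_domain} did not authorise this sender")
    for keyword, allowed in KNOWN_BRANDS.items():
        if keyword in display.lower() and base_domain(from_domain) not in allowed:
            findings.append(f"display name claims {keyword!r} but domain is {from_domain}")
    for name, value in msg.items():  # provider-added trace of a web mailer script
        if name.lower().startswith("x-") and re.search(r"https?://\S+\.php", value):
            findings.append(f"{name} points at a web mailer script: {value.strip()}")
    return {"from_domain": from_domain, "return_path_domain": rp_domain, "spf": spf,
            "handoff": handoff, "hops": hops, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("Rabo", RABO_HEADERS), ("LinkedIn", LINKEDIN_HEADERS)):
        result = analyse(raw)
        print(f"== {label}: handoff {result['handoff']}, SPF {result['spf']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Only the hop written by your own MX is evidence; every Received line below it was written by the sender's side and can say anything, which is why the check keys on `our_mx`. An SPF "neutral ... best guess record" means the domain published no SPF policy at all, so Gmail could neither accept nor reject the sender; a domain that really sends mail on a bank's or LinkedIn's behalf should produce "pass".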

But why would LinkedIn use Leaseweb? Well, they would not! This is just another sign that this is a real spammer. But let’s look a bit further, at the HTML code behind this email:

The source code behind the spam.

This shows the true intentions of this spam. The spammer wants to fool the reader into visiting some specific site. The site itself has nothing to do with the spam, except that it has been hacked without the site owner knowing. But it’s not a malware URL; it’s a redirect to a Canadian pharmacy website. They want to sell Viagra and Cialis to the unsuspecting visitor. (Oh, dear! Those two words will most likely put this post in each and every spam filter!)

Well, not all spammers will send their victims to malware sites. In this case, they just want to get more visitors to buy little blue pills. They prefer to target American visitors since the sale of these pills is more restricted in the USA than in Canada. In Europe, unknown to most, you can just buy similar products at the local pharmacy. That is, if you need them.

Anyway, the URL contains the word “stupid”, which tells us how the spammer thinks about those who are fooled by this. Well, I wasn’t fooled; instead I investigated it a bit and contacted the site where the redirect was hosted. I’ve warned them about this URL on their domain and I expect it to be gone within a few days. If not, they might be held responsible for this spam, and for the (illegal?) sale of these types of drugs. Since they are a clinic of some sort, it could cost them their license if they don’t take additional steps against this.

But for now, let’s wait on their response on this post, and on my warning…