Results matching “1st contact” from SpywareGuide Greynets Blog
I'd been watching the antics of a 20-year-old girl from Malaysia who had a serious thing for Phishing. I couldn't have predicted the direction the investigation would take when, quite randomly, I came across the following post with regard to one of her former identities:

...."Ribut", eh? Interesting. A quick Google search later, and we find some interesting Ribut-related Phish pages:

...don't bother to look for it, I already had it killed off. What really intrigued me here was if she had any more pages floating around under her "old" username. Using a few search strings that tend to reveal some of the more "obvious" password-stealing fake logins via Google, I stumbled across a rather unusual way of keeping an eye on Phish pages:

There she is, buried in a pile of other phish pages. What is that a screenshot of, I hear you ask? And why exactly is she buried in a wall of phish? Well, note the title - "Where can I find these ads?"
This is a page from the advertising network Adbrite, with which the host of all these phish pages (2222mb.com) has an account. If someone wants to host an advert on 2222mb.com, they make their selection and purchase ad space:
However, this isn't the part of the page we're interested in. You've already seen it, above, listing the "most trafficked pages" from the site in question. That's right, it appears that the most popular pages on 2222mb.com are phish pages, going off the information presented to us by Adbrite.
In fact, here's a snapshot of the current set of pages listed by Adbrite as "most trafficked pages":

...is anyone else faintly disturbed that EVERYTHING being listed for this webhost is almost always a phish page?
At this point, you normally contact the host and (depending on a whole range of factors) they kill off the rogue pages in a few days or so. My hopes were high, seeing as another host (110mb.com) with the same Admin contact (a person called Tycho Luyben, more on him later) had previously removed phish pages for me in as little as six minutes.
My first mistake, as it turns out, was getting my hopes up.
The above is the front page of 2222mb.com. At the bottom of the page, it mentions Terms of Service, but you can't click into it. There is no contact email address anywhere on the site, and no mention of what to do when finding evidence of abuse on the network.
Uh-oh.
As it turns out, the only way to try and get someone's attention was to register for the hosting service, then submit a ticket which......was completely ignored by whoever received it.
> http://dustyd34th.2222mb.com/myspace.php
> http://ribut.2222mb.com/myspace.php
> http://najn.2222mb.com/
> http://tjt1991.2222mb.com/myspace.php
> http://darktornadic.2222mb.com/myspace/myspace.php
> http://english-naats.2222mb.com/index.htm
> http://titan7.2222mb.com/myspace.php
....were all reported on the 21st of January, and a few days later, nobody had replied to my ticket. So much for the "24 / 7" support - I added to the ticket a few days later (with words to the effect of, "these pages still appear to be live"?) and that was ignored too.
Okay, change of plan. Let's go to the guy who must be providing these reseller accounts to these webhosts in the first place. A quick check of the whois data for 2222mb reveals....something weird, actually. The other hosting services that are presumably reseller accounts provided to individuals by "Tycho" have different addresses listed, as you would expect (110mb.com, for example, is owned by someone in Australia). With 2222mb.com though, Tycho's own "Admin Contact" address is listed as the main contact address for this domain.
owner-contact: O-EZL21
owner-organization: E-lab BV
owner-street: Weverstede 27 b
owner-city: Nieuwegein
owner-zip: 3431 JS
owner-country: NL
owner-phone: +31 615065229
owner-email: tycho@e-lab.nl
Is the owner of this reseller account living with Tycho or something? Could it be Tycho himself? It seems unlikely, given that Tycho replied to my first email to him (sent on the Tenth of February) with the following:
"Dear,
I will tell my client to remove these asap.
Regards,
Tycho"
...."My Client"? Okay, so why is his own Admin address listed as the primary contact point for this domain when someone else apparently owns it?
Anyway, all of the above phish pages were deleted - but I had a second, final batch of pages that needed to be deleted too. As anything and everything sent to abuse@2222mb.com and postmaster@2222mb.com went unanswered, I thought I'd better send Tycho another email. He'd fix those too, right?
Wrong.
Three more emails, sent on the 11th, 13th and 15th of February, went unanswered - as did the second round of tickets raised inside the 2222mb system:
Two of the above phish pages have since gone offline, but it seems unlikely that I had anything to do with it, given that all the rest are still online and happily phishing away. I thought I'd check out the E-Lab site attached to Tycho's email address - here's where things spiral into madness:
Note the "www" at the start of the web address. So far, so good - nothing out of the ordinary. Just a page that talks about helping people "start out" online with regard to technology-based ventures and the like.
However - type in the address minus the "www" and look what happens:
...you're redirected to a site called "Stoopidsh*t.com" that contains links to numerous "extreme / crazy" videos, and also a number of videos that require you to install Zango to play them (they're the ones with the red "play video" buttons).
Apart from the fact that it's a little odd for a site acting as some kind of provider for web services to redirect to something like that, can you guess who the site is registered to?
I have no idea what's going on with that whois data, but it looks a little strange, right? S4V 3C5 is merely a postcode - where is the rest of the address?
Actually, that's not the only website connected to Tycho that looks a little odd in a whois search. Take, for example, the whois for a site called "Riddleman.net":

....I'm sure you'll agree, that's a pretty strange looking contact address. At any rate, I think we're done poking around the weird and wonderful world of domain registrations. Time to contact Adbrite and let them know that anyone going looking for either
a) 2222mb.com information via Google or
b) more information regarding Myspace phish pages on 2222mb.com via Google
is (more often than not) going to see Adbrite pages appear before anything else, usually listing some phishing pages in their own "most trafficked pages" results:
Now to me, having your own pages pop up when searching for someone else's phish pages is a form of negative association you could do without - both in terms of not wanting to be associated with such a thing, and also not wanting to be seen to be providing a way to generate money for webhosts that don't seem to be overly speedy with regard to removing network abuse.
Surely, when notified about such antics you'd be quick to take action, right? At the very least, you might want to drop the person running your ads a note and suggest that a housecleaning might be in order, lest your account be canceled?
Well, that's what I thought too. However, the emails sent to Adbrite on both the 17th and the 22nd of February have (so far) not had a response from either pr@adbrite.com or support@adbrite.com (note that I only sent Adbrite details of 2222mb.com and the way that requests for phishing pages to be removed were seemingly ignored - they were not sent any additional information regarding other domains, which although interesting, were irrelevant to the point I wanted to raise with Adbrite).
I would hope that Adbrite will take a second look at this and take appropriate action if needed - 2222mb.com has already gained a form of notoriety on hacking / cracking forums as a good place to host phishing pages. Indeed, look at the results from this search...there are many hacking sites distributing tutorials recommending 2222mb.com for phish hosting.
Take those tutorials and combine them with the experiences I had simply trying to get a handful of phish pages taken offline and you have the makings of a problem that is going to grow and grow unless something is done about it.
The question is, is anybody listening and do they actually care?
(Note - I don't normally publish the exact same article to both Vital and SPG, but I thought this one might be important enough to warrant it).
Yesterday, I had an Email sitting in the mailbox that looked like this:
"CONFERENCE/INVITATION
Dear Sir/Madam
We are cordially inviting you to our Twin Combined Conference which will be
held. From the 21st - 23rd of March 2008 In Anaheim California and in Dakar
Senegal from the 27th -30th of March 2008.
If you are interested to participate and want to represent your country,
You may contact the secretariat of the organizing committee for details and
information. You should also inform them that you were invited to participate
by a friend (Miss Precious Wright ), Who is a member of the American Youths
for Peace and a staff of (WORLD YOUTH ORGANIZATION FOR HUMAN RIGHTS).
The benevolent donors of the Organizing Committee will provide round trip air
tickets and accommodation for the period of participants Stay in the U.S, to
all registered participants.You will only be responsible for your own hotel
booking in Dakar where the second phase of the conference will be held.
If you are a holder of an international passport that may require visa to
enter the United States you may inform the conference secretariat at the time
of Application , as the organizing committee is responsible for all visa
arrangements and travel assistances.
Email// info@worldyouthsorganization.org OR
secretariat@worldyouthsorganization.org
By TEL: +1 (516) 303-0022 or By FAX +1 (718)-228-8213
http://www.worldyouthsorganization.org/
Sincerely,
Precious Wright
my email: ( p.wright@worldyouthsorganization.org )
.....uh, yeah, okay. Now, even before I start thinking about this I can see some serious problems here:
1) Random email. Important conferences randomly mail anyone they feel like to come along?
2) It takes place in California AND Senegal in the space of a few days? That's some pretty messed up, jetlagged people at the second event, right there.
3) Two oddly disjointed topics: Child abuse and racism? Uhh...okay...I guess? Seems more like they randomly picked two worthy topics than anything else.
4) Never heard of them and it looks like a 419 mail. Shall we take a look at their breathtakingly fake website?
....wow, 1995 has entered the building. Also: "Come and lets join hands and wage this global stigma against racism and chid abuse"?
Well, that's the first time I've been asked to "wage a global stigma" against something. Now let's all go save a "chid".
Sigh. Shall we look at some more? How about the "recent photographs" page? They have a whole bunch up:
Look at that - Jesse Jackson AND Fidel Castro have taken part in previous events held by this organisation!
I guess I'd be somewhat more impressed if the photograph in question hadn't just been lifted from a series of shots taken at the World Conference Against Racism, Durban South Africa 2001:
...and so it goes for the other images on the site - seemingly culled from other sources (how does GEORGE BUSH take part in one of these things without the whole world knowing who this organisation is?)
Check it out:
This is supposedly the Conference "Come join hands with us wage global war against racism" (which is simultaneously taking place in both 2007 and 2008...maybe it was a New Year's thing).
Sadly, this image has been lifted from this site:
...whoops. They're even willing to stoop to swiping pictures from the Eurovision Song Contest - compare and contrast:
The "Con-Vision" (appropriate!) Media Center is actually taken from here:
...the 2006 Eurovision Press Center.
From their "Staff Page":
Someone needs to report their "staff" for moonlighting, because this is actually the registration desk of the 2005 Environmental Monitoring, Evaluation and Protection Conference.
Why am I spending so much time on the images? Well, it's important to debunk this stuff as it's the images that ultimately go a long way to convincing people to fall for this kind of thing. The best example of this I can think of is one that even a newcomer to scams should be able to spot - the images from the speakers page. Bear in mind, they could have called their fake speakers anything at all - imagine the hilarity, then, of having to listen to...
....that well known expert on the causes of racism, Mr GEORGE WASHINGTON.
Incidentally, the below picture is supposed to be George Washington too:
....there are two problems with this. One, he doesn't appear to be bald and white anymore. Two, he's speaking at a presentation for the International Congress of Nanotechnology (check the banner below the podium).
I think we've covered the "this is completely fake" bases, so who are they and what are they after?
Well, as far as the "who" part goes, the Whois data is quite probably fake:
Domain Name:WORLDYOUTHSORGANIZATION.ORG
Created On:15-Nov-2007 09:56:38 UTC
Last Updated On:15-Jan-2008 03:48:47 UTC
Expiration Date:15-Nov-2008 09:56:38 UTC
Sponsoring Registrar:Wild West Domains, Inc. (R120-LROR)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Registrant ID:GODA-039910427
Registrant Name:Jesse Rocha
Registrant Organization:World Youths Organization
Registrant Street1:3710 airport blvd
Registrant Street2:
Registrant Street3:
Registrant City:Austin
Registrant State/Province:Texas
Registrant Postal Code:78722
Registrant Country:US
Apparently, the "World Youths Organisation" operates out of an address associated with Tire and Car Brake repairs.
With regard to what they're actually after, I fired them an Email to "confirm my interest in this wonderful event" and this is what I got back:
"Dear Sir,
By recommendation, we accept you to participate in the forth-coming conferences,
which will now be held at the DISNEYLAND CONVENTION CENTER , ANAHEIM , C.A ,USA
and at OLYMPIC STADIUM HALL, DAKAR-SENEGAL, West - Africa.
The theme of the forth coming International Conferences is to equip participants
with the strategies and policies to wage a global war against Racism & Child
Abuse. The conference organizing committee in conjunction with the donor
sponsoring committee has mapped out some financial rewards to group
participants that distinguished themselves in their areas of discipline......
Panel of Judges has been appointed to oversee and to select participants of
merit.
(1) Group participant NO.1 Winner is entitled to the sum of $150,000.00 Dollars
( HUNDRED AND FIFTY THOUSAND DOLLARS)..
(2) Group participant NO .2 Winner is entitled to the sum of $100,000.00 (ONE
HUNDRED THOUSAND DOLLARS).
(3) Group participant NO..3 Winner is entitled to the sum of $75,000.00 (SEVENTY
FIVE THOUSAND DOLLARS)"
Wait....wouldn't it be more useful to, you know, give that money to all those starving people they're trying to help as opposed to a bunch of well off conference flunkies? You'd be amazed how many people would see something like that and be packing their suitcase within minutes. They continue:
"REGISTRATION OF PARTICIPANTS: A minimum of five (5) or a maximum of ten (10)
people are expected to participate together as a group or organization to
represent their Country in the forth-coming events. None of them should be less
than eighteen years of age and must participate in both Conferences."
....HAHAHA. Okay, they now want you to round up five to ten more victims, presumably so you can take a thorough beating once they've all lost piles of money.
"They should be in possession of their international passports to enable them
participate in this conferences. For registration to participate in this event,
you may forward the names and passport numbers of your group members to us, as
soon as possible, as all participants visa assistance request will be forwarded
to the U.S Department of State for same day visa Authorization which shall be
sent by fax to the consular section of the U.S. Embassy, in your country of
residence.
Delegates will only be responsible for their own hotel booking in Dakar-Senegal
for the second pharce of the event due to the inability of our partner
organizations to mobilize enough funds to sponsor the number of expected
delegates to attend both conferences... All registered participants are
entitled to a round trip air tickets, meals and accommodation during their stay
in the U.S.
If you are interested to participate in the forth-coming International
Conferences, You must send to us the following information :
1) Names exactly as in passport.
2) Passport Numbers.
3) Date of Birth.
4) Place of Birth..
5) Country of Residence.
6) Tel/cell Number
To our registration desk by email: registrationdesk@worldyouthsorganization.org
OR info@worldyouthsorganization.org
Phone: +1-516-303-0022
Fax: +1 (714) 276-0119
http://www.worldyouthsorganization.org/
Mrs. Rose Dixion
Conference Secretariat"
...yes, send us your passport details, hurry! They didn't reply to my follow-up about me not needing Visas due to UK Citizens being able to travel to the States on the Visa Waiver program, but if they did, I guarantee the subject of sending them money via Western Union to cover the cost of the Senegal hotel would have been raised.
If you go looking around for these fake conferences, there's a fair amount of them lurking - all using parts of the same information / names / photographs:
wyf.org.tripod.com/index.html
wyforg.tripod.com/
gyfma.tripod.com/
conference.up-a.com/
agecare-organization.tripod.com/index.html ("Age Care Organisation" presents "Child Trafficking and Sex Exploitation" - whaaa??)
Here's one that's been canceled due to violating ToS. In a nutshell, they move from domain to domain once the date for their supposedly current "conference" has passed - sort of like a plague of money making locusts. There's already a number of red flags for the main .org domain on various 419 scamfighter websites.
It seems sort of pointless to finish this off with a dire warning of Internet badness, but here we go - do NOT be suckered by these random "too good to be true" offers to fly to some fancy conference somewhere. It's highly likely to be fake, and could cost you a whole lot of money (and broken bones, after your friends have beaten you up). We're currently trying to have all related domains taken offline, and will post updates as / when they come in.
In Internet News Week our V.P. of Marketing Frank Cabri makes a notable quote along the lines of our usual rapier wit-wielding MVP, Chris Boyd (e.g. describing IM safety as that "Ben Stiller and Circle of Trust Kind of Thing").
"Some organizations' ears are ringing from this consumerization of an IT trend and the fact that employees are bringing in unsanctioned applications through the back door," Cabri said. "Organizations are hearing about it from us, from some of the industry analysts, and in many cases, seeing it first hand on their networks." And yet there are still many that aren't aware of the issue, and usage continues to grow. The recent Mark Foley case in the U.S. Congress, in which Instant Messaging was used to send inappropriate messages to a teenage congressional page, is a case in point.
"Sometimes it takes a Mark Foley-like situation to happen in your own organization to raise awareness of the risk and the impact," Cabri noted. "Obviously, our goal is to help customers before this happens."
"Let's face it, no business wants to get 'Foley'ed' on a national level -- the business consequences of this could be extremely negative."
Ouch, "Foley'ed": apt coinage indeed. Frank is, of course, referring to the recent Mark Foley scandal, which played out over IM.
Learn More: See a brief video of Kailash Ambwani, our CEO at Facetime Communications...as he covers why words like "guarantee", "rumor" or incidents like the Mark Foley Scandal and failing to monitor IM (or other greynets) can lead to big problems, especially if you are a big company.
This cascade of events is one of the drivers that is forcing big companies to take a hard look at their corporate policies, especially with regulatory challenges like:
- Gramm-Leach-Bliley Financial Modernization Act (GLBA)
- Sarbanes-Oxley Act of 2002 (SOX)
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Will the Foley Force raise awareness of the issues? Good question, and more pertinent than ever now that December 1st approaches. What is the big deal about December 1st? It is "E-discovery Day", when things could get more tedious and potentially more costly for the Enterprise if they are not prepared.
E-discovery refers to finding and producing documents stored in electronic form in response to litigation or regulatory requirements. Civil litigants, regulators and criminal prosecutors as a matter of course now ask for copies of selected e-mail communications or make broad requests for all electronic records. After Dec. 1, changes to the Federal Rules of Civil Procedure are set to take effect that make e-discovery a standard part of federal proceedings.
So where can you start if you are a large enterprise? First, figure out how much instant messaging traffic is going on in your network; you might be surprised not only by the traffic, but by the other insidious malware that rides along with it. Facetime has a free tool called the RTMonitor that can help with this, or you can contact them for a demo.
Best Practices for Emerging Compliance Challenges: Electronic Messaging and Communications (ReymannGroup):
Download: IM Compliance and Regulations Document [PDF]. This paper is a great primer on what you need to know.
Some might be wondering...just what is Instant Messaging (IM)? We use it every day and it has been around for a decade, but because of its ephemeral nature we tend to treat it differently. I consulted Archive.org for some background...
Instant Messaging (IM) is an electronic messaging service that allows users to determine whether a certain party is connected to the messaging system at the same time. IM allows them to exchange text messages with connected parties in real time. To use the service, users must have IM client software installed on their workstations. While there are many types of IM clients, they all tend to function in a similar manner. Client software may either be part of an agency's IT network and available to only registered users, or be public and available to anyone on the Internet. The client software logs into a central server to create connections with other clients logged in at that same time. Users create and exchange messages through their local client application.
Other important points:
* In addition to sending messages, users may have the ability to attach and exchange electronic files such as images, audio, video, and textual documents. This capability depends on the configuration of the individual client software as well as on protocols established at the client server.
* Depending on the software, users who are online may have the ability to respond to messages.
* Users may also block other users with whom they do not want to exchange messages.
* Users may only communicate with others using the same or a compatible client software.
How does IM differ from email?
Fundamentally, the difference between IM and email is the notion of presence. This means that users of the IM system are aware that other users have logged in and are willing to accept messages. Unlike email, IM content can only be sent to users who are logged in to the system and accepting messages. If users are not logged in, others do not have the ability to send them messages.
Because IM is not predicated upon an open standard, there is no uniformity regarding message transmission and structure.
Remember, Instant Messaging will be treated like e-mail: IM, despite its ephemeral or fleeting nature, is a document, and a document that should be factored into your archive equation if you want to cover the bases soundly and not get "Foley'ed"....let's go back to Archive.org...
Does IM content qualify as a Federal Record? The statutory definition of records (44 U.S.C. 3301) includes all machine readable materials made or received by an agency of the United States Government under Federal law or in connection with the transaction of public business. Agencies that allow IM traffic on their networks must recognize that such content may be a Federal record under that definition and must manage the records accordingly. The ephemeral nature of IM heightens the need for users to be aware that they may be creating records using this application, and to properly manage and preserve record content. Agency records management staff determine the record status of the IM content based on the overall records management policies and practices of their agency.
I think in light of the recent scandal (and how many don't we know about...) we probably will see agencies taking a new look at their IM practices; it is potentially too costly to ignore. This isn't the only scandal either. There are others, but they tend to focus on e-mail. Again, don't discount the ephemeral nature of IM; consider the "Boy's Club Case" as reported by Baselinemag.com:
Peratis wanted WestLB to search for e-mail and Bloomberg messages from mailboxes of 19 current and former equities executives, human-resources representatives, bank managers and others, using more than 170 terms. These ranged from Quinby's name and initials, to employment-related words like "fire" and "bonus," to derogatory sexual slang...
In this case I don't know if IM was enabled or factored into discovery. However, according to our recent studies, it often is enabled, whether or not IT is really aware of it. Odds are that after the Foley Case, e-mail will not be the only prime target for discovery: discovery that can be quite expensive to dig up if an Enterprise is not prepared.