Fake news headlines

The latest trend (and it isn’t caught by my spam filters yet) is spam e-mails with fake news headlines. I’ve seen Tom Cruise killed in an airplane crash, and Nicole Kidman losing her baby (after it was born, even!).

Inside the e-mail, there’s another fake news headline. For example, OJ Simpson admitting to murder (like that’s going to happen).

I tried one of the links, and it ended in a 404. Another ended in a page that serves up watch.exe under movie.gif.

I didn’t try it, but for the foolhardy, here’s the link:

fretga.es/about.html

You’ll need to add www. in front of the link, or you’ll get a 404 error.

Another domain used this way is weertevents.com. Lots of Google hits from the spam e-mails. Looks like it’s now possible to web spam by sending spam e-mails because of all the list archives. Also check SiteAdvisor’s page on it.

Check out vnunet’s analysis that it’s the Storm worm that’s cranking out these spam e-mails.

Right now I’m wondering about the domains used to host the malware - the places the links are pointing. The domain registrations are old, and appear to belong to the original owners of the domain. I found pages on archive.org dating from last year on one of the domains, and the main page still has the same content. IP numbers are pointing all over the place. So I’m wondering - have the original owners sold the domains with the content, and haven’t gotten around to changing the domain registration? Or are the websites hacked?

Another domain (crucis.es) has had its original content removed, and you only see what appears to be a Flash video player similar to YouTube. Hello movie.gif… The old site was an empty WordPress installation. Google indexed it as late as July 10.

Update July 18: I’ve seen several examples of one page used by spammers inside what appears to be a working website. I’ve also seen a few examples of websites suspended by the webhost. I’ve seen a few examples of sites that appear to have been completely erased - presumably by an owner trying to remove the way the hackers got in.

7 Responses to “Fake news headlines”

  1. Dirk Says:

    What really makes me scratch my head is how utterly pointless these emails are. I mean, even if I fell for the headline in the subject - when I open the email, there is a completely different headline. And people still click on those links?

    It’s almost like a wasted opportunity. Here, the spammers have found a successful way around the spam filters - and then they blow it by sticking that second headline into the email.

  2. Vasily Pumpkin Says:

    There’s another efficient way to get past spam filters:

    Just search for pages that have a “recommend x to y” or “send link x to y” feature included and check whether they allow a custom message to be added. My tests have shown that often there are no content filters or restrictions regarding the length in one’s way, so you can actually squeeze your advertising message into the boilerplate wrapping. The advantage is that your message is carried with an unsuspecting subject line and, more importantly, transmitted by MTAs with a reasonably good reputation. Also, since this is an HTTP transaction, any HTTP proxy will do to obscure the sending source.

    Strangely, these site features rarely come with any kind of protection, so I reckon automation may work as well to a certain degree. I don’t want to mention specifics, but there are really huge sites that do not seem to care about the potential for abuse their user interaction offers. For instance, you can freely specify the sender field and no notification whatsoever is being sent in that direction. So whatever address you’re using, the real owner won’t get to know it, unless it incidentally turns up in NANAS ;-) Or even better, no authentication is required (user login), so that any random twit(~ess) can blast her/his spew.

    In my opinion this “recommend” feature is essentially useless and dangerous, because it always provides the freedom of specifying the target. By posing as a trusted authority you could even mislead people into doing silly things like running nasty exe files that should rather be left untouched. Ok, it’s - unless coded by a clueless idiot [1] - usually 1:1 communication, but since spammers think in bulk, they could make effective use of it by applying comment spam tactics: thousands of vulnerable forms at the same time will result in a nice volume of messages sent, too. And who says it’s just about affiliate marketing? You could also abuse it for joe jobbing competitors.

    [1] i.e. invoking php’s mail() without sanitising user input so that via line breaks bcc headers can be added (419ers love these broken forms…)
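    The footnote above describes header injection through a “recommend to a friend” mailer that passes form fields straight into the mail headers. As an added example (not code from the post or from this commenter), here is the same pattern in Python: a naive header builder that mirrors the PHP mail() concatenation, a small parser standing in for how an MTA splits the header block, and a hardened builder that validates the addresses, rejects line breaks, and keeps the site’s own address in From. The field names, the addresses and SITE_SENDER are constructed for the example; nothing is actually sent.

```python
import re

# Mirrors the broken PHP pattern from the footnote: form values concatenated
# straight into mail()'s extra-headers string. Any CR or LF in a field ends
# the current header and starts a new one chosen by the submitter.
def build_headers_vulnerable(sender, recipient, subject):
    return f"From: {sender}\r\nTo: {recipient}\r\nSubject: {subject}\r\n"


def parse_headers(raw):
    """Split a header block roughly the way an MTA does (constructed helper):
    one header per line, bare LF accepted, leading whitespace folds a line
    into the previous header. Returns {lower-case name: [values]}."""
    headers, last = {}, None
    for line in re.split(r"\r?\n", raw):
        if not line:
            continue
        if line[0] in " \t" and last is not None:      # folded continuation
            headers[last][-1] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        last = name.strip().lower()
        headers.setdefault(last, []).append(value.strip())
    return headers


class HeaderInjection(ValueError):
    """Raised when a form field would alter the header block."""


# One bare addr-spec: no display name, no angle brackets, no whitespace,
# so a field can hold exactly one address and nothing else.
_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

SITE_SENDER = "noreply@example.com"   # assumed fixed address for the site


def clean_header_value(value, max_len=200):
    """Reject anything that could terminate a header line or overrun it."""
    if any(c in value for c in "\r\n\x00"):
        raise HeaderInjection("line break in header field")
    if len(value) > max_len:
        raise HeaderInjection("header field too long")
    return value


def build_headers_hardened(sender, recipient, subject):
    """Hardened recommend-a-page mailer. From is always the site's own
    address, so the form cannot impersonate a third party; the submitter's
    address is validated as a single bare addr-spec and goes only into
    Reply-To; the free-text subject is rejected on CR/LF. The body (where a
    length-capped message would go) is not part of the header block."""
    for addr in (sender, recipient):
        if not _ADDR_RE.match(addr):
            raise HeaderInjection(f"not a single plain address: {addr!r}")
    subject = clean_header_value(subject)
    return (
        f"From: {SITE_SENDER}\r\n"
        f"Reply-To: {sender}\r\n"
        f"To: {recipient}\r\n"
        f"Subject: {subject}\r\n"
    )


def demo():
    """Constructed payload: a recommend-form subject carrying an injected Bcc.
    Returns (bcc_present_in_naive_build, payload_rejected_by_hardened_build)."""
    payload = "Thought you'd like this\nBcc: list1@example.net, list2@example.net"
    leaked = parse_headers(
        build_headers_vulnerable("friend@example.com", "you@example.org", payload))
    try:
        build_headers_hardened("friend@example.com", "you@example.org", payload)
        blocked = False
    except HeaderInjection:
        blocked = True
    return "bcc" in leaked, blocked


if __name__ == "__main__":
    print(demo())   # (True, True)
```

    The parser is deliberately tolerant of a bare LF because many MTAs (and PHP’s mail() on Unix hosts) accept it as a line terminator, which is why stripping only "\r\n" is not enough; the hardened builder rejects CR, LF and NUL outright rather than trying to escape them.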

  3. Steve Says:

    Most of the sites they use are Zombie servers they hacked. If you look at the spoofed site emails some times you can see the files in there collecting the info in a text file. They are usually in some forgotten area on a web server that the owners never check.

    Let it be a lesson to all those setting up web space.

  4. admin Says:

    What’s vexing me at the moment is that I suspect the webpages the spammers use for serving up the trojans are hidden within working websites belonging to innocent third parties.

  5. tony Says:

    I am getting a lot of trackback and comment spam using thoughts.com and sourceware.org

    eg thoughts. com/seroquel, sourceware. org/bugzilla/attachment.cgi?id=2823&REBOXETINE
    Trackback excerpt

    Any idea how to block a URL directly in WordPress?

  6. WWN Says:

    The most amazing part is people still click on these. You can say it time and time again, DON’T click on the spam links, but people never listen.

  7. Frank Paolino Says:

    They are attention grabbing. Being in the IBM world, this one caught my attention:
    “IBM to file for bankruptcy”. But the body had some Andre Agassi headline, which really did not make any sense:
    http://blog.maysoft.org/blog.nsf/d6plinks/FPAO-7H3J2L
