Tricky image spam

August 3rd, 2007

I got two spam e-mails (to two of my main addresses) advertising pokerloco, a Swedish-owned (they say Costa Rica, but nobody’s fooled by that) poker site.

The spam originated from Ukraine and Russia:

81.21.14.3
78.85.26.6

But here’s the wrinkle. The HTML in the file was a bit tricky, and I wasn’t sure the images would load. So I checked, and found that when viewed in an HTML browser/viewer, you’d only see an image flogging a stock (CHINA YOUTV CORP) from one of these sites:

mediapix.ru
imgnation.net

The pokerloco e-mail looks as though it’s an e-mail sent from them to one of their customers, somebody by the name of Anders. And it was written in Swedish. It might have been cribbed from somewhere, then used to confuse spam hunters.

Spreading malware by mail spam

July 10th, 2007

I just got this e-mail, twice to the same address:

Dear Customer,

Our robot has detected an abnormal activity from your IP adress
on sending e-mails. Probably it is connected with the last epidemic
of a worm which does not have official patches at the moment.

We recommend you to install this patch to remove worm files
and stop email sending, otherwise your account will be blocked.

Customer Support Robot

Under the text “this patch”, there’s a link to an IP address with some encrypted-looking URL. Different IP addresses for each mail. Both of them already return a socket error, so I can’t check out what it contained.

Shaking head… There’s a discussion on “alt.madcrew” about this. Some people appear to have taken the e-mail at face value. One of them writes:

installed the patch too but now my computer has become very slow and
even when I am not doing anything on my computer my hard drive makes a
lot of noise as if there is a lot of activity, I don’t understand :-(

Pointless spamhaus spam

July 9th, 2007

I just received two copies of a pointless spam. It appears to be a Spamhaus joejob. I received two spams to the same address even. Here’s a discussion about the incident:

Google Groups

Beware of hacked sites

June 30th, 2007

Someone e-mailed me an example of a hacked site (the hack is currently offline, with the hacked version set up on a hidden page for me to check).

Update: Lots of homepages affected. Check this Google search.

It was the homepage of the company that was hacked, with a few links added at the bottom. In addition to those two visible links, there are some hidden links that are identical to the links you’ll find if you follow the .txt links. The links are only visible if you check the source code, so I believe the .txt files are meant as includes in the hacked PHP file.
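Hidden links like these are easy to miss in a browser but simple to find mechanically. The scanner below is an added example, not code from the original post: it walks a constructed HTML sample (modelled on the hacked homepage described above) with the standard-library HTML parser and reports anchors that are hidden by inline CSS or by a hidden ancestor, plus any script include pulled from a host other than the page’s own. The sample hostnames under .test are constructed; the list of CSS patterns is an assumption about what site defacers typically use, and anything hidden by an external stylesheet or by JavaScript is out of its reach.

```python
"""Find links and includes on a page that a visitor would never see.

Added example, not code from the original post. It scans a constructed
HTML sample for anchors hidden by inline CSS or by a hidden ancestor,
and for <script src> includes served from a host other than the page's.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-CSS patterns that make an element invisible while leaving it in
# the markup (assumed typical; external stylesheets are not inspected).
HIDDEN_CSS = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|font-size\s*:\s*0(?:px|pt|em)?\s*(?:;|$)"
    r"|(?:left|top)\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)

# Elements that never get a closing tag, so they must not enter the stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}


class HiddenLinkScanner(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.stack = []            # one bool per open element: is it hidden?
        self.hidden_depth = 0      # number of hidden ancestors currently open
        self.hidden_links = []     # hrefs a browser would not render visibly
        self.remote_scripts = []   # script src values served from another host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        is_hidden = "hidden" in a or bool(HIDDEN_CSS.search(a.get("style") or ""))
        if tag not in VOID_TAGS:
            self.stack.append(is_hidden)
            if is_hidden:
                self.hidden_depth += 1
        # The anchor itself was pushed above, so a hidden <a> counts too.
        if tag == "a" and a.get("href") and self.hidden_depth:
            self.hidden_links.append(a["href"])
        if tag == "script" and a.get("src"):
            host = urlparse(a["src"]).hostname
            if host and host != self.page_host:
                self.remote_scripts.append(a["src"])

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or not self.stack:
            return
        if self.stack.pop():
            self.hidden_depth -= 1


def scan_page(html, page_host):
    """Return (hidden_links, remote_scripts) for one HTML document."""
    scanner = HiddenLinkScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.hidden_links, scanner.remote_scripts


# Constructed sample: a company homepage with one visible link, a hidden
# block of spam anchors, an off-screen anchor and a remote script include.
SAMPLE_HTML = """<html><body>
<h1>Example Corp</h1>
<p>See our <a href="http://example.test/about">about page</a>.</p>
<div style="display: none">
  <a href="http://spamvertised-1.test/pills">cheap pills</a>
  <a href="http://spamvertised-2.test/casino">online casino</a>
</div>
<a style="position:absolute; left:-9999px" href="http://spamvertised-3.test/">x</a>
<img src="/logo.png"><br>
<script src="http://attacker-host.test/scr/1.txt"></script>
<script src="/js/site.js"></script>
</body></html>"""

if __name__ == "__main__":
    links, scripts = scan_page(SAMPLE_HTML, "example.test")
    print("hidden links:", *links, sep="\n  ")
    print("remote scripts:", *scripts, sep="\n  ")
```

Run it against a saved copy of a suspect page with the page’s own hostname as the second argument; anything it lists under remote scripts deserves the same treatment as the .txt includes above, and a hidden anchor pointing off-site is the clearest sign that the page is being used to pass link juice rather than to serve visitors.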

The first link is: buybeer4me.info/scr/18.txt

It’s got some obfuscated JavaScript that actually points to the second link:

bestrezult.com/scr/1.txt

The links in that document point to another hacked site:

dinuba.ca.gov/minutes/agendas/.~ss/

When I loaded one of the pages referenced in the spam, I got this. Keep in mind that I had images disabled, so the page might look somewhat different in reality:

[image: nmextensions]

It’s obviously malicious, and I found a post referring to the site it’s loaded from:

[image: mvsps]

Abuse of Myspace HTML

June 25th, 2007

I wondered what the heck this was about. I had myself half convinced it was a Firefox issue, then saw the same behavior in IE. Check out this Myspace profile: April. The only thing on there that points anywhere is the “view” on the extra music player.

The whole profile is obscured by an image from toironorfold.com, which is owned by the band Making April, which also has a Myspace profile. Even the domain name points to the Myspace profile. They have an amazing number of friends.

I don’t know what the heck the point is, but I don’t like being played.

Whatever their point is, they’re misusing the system.

Yep, I know I sound like a spoil sport…

Myspace spam profiles

June 9th, 2007

I maintain a “sleeper profile” on myspace for a friend of mine, who’s a guy. It’s not yet in use, except for sending the occasional message.

Today I got a friend request from Edda, who had a gorilla for a profile picture. I checked the profile out, thinking it was legit.

At first it looked unremarkable - she had 16 friends. But then a gif file loaded, saying she’d moved her profile to Adultfriendfinder.

The file was on Photobucket (see here), but was served through a 302 redirect from this domain:

synchrism.info

The image links to that website as well. The domain was registered yesterday, and although it worked a few hours ago, by now it only serves up a socket error. I didn’t have a look at the website when I first found this, and the whois data is protected.
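The tell in this case is that the profile did not embed the Photobucket image directly: it embedded a URL at a day-old domain that answered with a 302 and handed off to Photobucket, so whoever owns that domain can swap the payload later. The script below is an added example, not code from the original post. fetch_hops() follows a real URL with the standard library and records every redirect hop; audit_hops() is the pure part and is exercised here on a constructed chain that mirrors the pattern above. The hostnames under .test and the notion of a “trusted hosts” set are assumptions for the example.

```python
"""Record and audit the redirect chain behind an embedded image URL.

Added example, not code from the original post. fetch_hops() talks to the
network; audit_hops() is pure and runs offline on a constructed chain.
"""
import urllib.request
from urllib.parse import urlparse


class RecordingRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Same behaviour as the default handler, but keeps one (from, status, to) per hop."""

    def __init__(self):
        super().__init__()
        self.hops = []

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        self.hops.append((req.full_url, code, newurl))
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def fetch_hops(url, timeout=10):
    """Follow `url` over the network; return (hops, final_url, content_type)."""
    handler = RecordingRedirectHandler()
    opener = urllib.request.build_opener(handler)
    with opener.open(url, timeout=timeout) as resp:
        return handler.hops, resp.geturl(), resp.headers.get("Content-Type", "")


def audit_hops(hops, final_url, trusted_hosts):
    """Return findings for a redirect chain.

    `hops` is a list of (from_url, status, to_url); `trusted_hosts` is the
    set of hosts the page owner expects images to be served from (assumed
    policy for this example).  Flagged:
      - every hop that changes hostname (a handoff to a third party),
      - a first hop whose origin is not trusted (the markup pointed at a
        host the page owner does not control),
      - a final host that is not trusted.
    """
    findings = []
    for from_url, status, to_url in hops:
        src, dst = urlparse(from_url).hostname, urlparse(to_url).hostname
        if src != dst:
            findings.append(f"{status} handoff: {src} -> {dst}")
    if hops:
        first_host = urlparse(hops[0][0]).hostname
        if first_host not in trusted_hosts:
            findings.append(f"image URL points at untrusted host {first_host}")
    final_host = urlparse(final_url).hostname
    if final_host not in trusted_hosts:
        findings.append(f"final host {final_host} is not trusted")
    return findings


# Constructed chain: the profile embeds an image at a freshly registered
# domain, which 302s to an image-hosting service.
SAMPLE_HOPS = [
    ("http://freshly-registered.test/pic.gif", 302,
     "http://images.hosting-service.test/u/profile-moved.gif"),
]
SAMPLE_FINAL = "http://images.hosting-service.test/u/profile-moved.gif"

if __name__ == "__main__":
    for line in audit_hops(SAMPLE_HOPS, SAMPLE_FINAL, {"images.hosting-service.test"}):
        print(line)
```

For a live check, feed the result of fetch_hops(url) into audit_hops; a chain whose first host was registered yesterday and whose content type is an image is exactly the case described above, and recording the hop list is what lets you report the throwaway domain rather than the image host it hides behind.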

Either way, this is spam, pure and simple.

Tom just announced that they’d employed solutions against the spam on Myspace a few days ago, but this might be rather hard to fight against. I’m sure other guys have seen it before, but since I’m female, and that profile is rather hard to find, this was my first time to see the “fake Myspace profile”. And get this: she now had 17 friends, so people are unfortunately falling for this.

Well, in case the spammers read this, here’s another report (from Tom), about the legal success Myspace has in fighting spammers.

Winfixer more aggressive?

May 31st, 2007

I went by a website today that had a rather nasty payload. After a search on the site that delivered a search result, the page disappeared and a page from amaena.com loaded instead. I’m always very careful when those appear. I close the windows that pop up (I use Firefox with pop-up protection) with Alt-F4. Even so, the Winfixer exe file started downloading and was caught by my anti-virus.

The ad was delivered by ad2profit.com

I’ve never in the past experienced a forced download of Winfixer, so I’m wondering what’s up?

Addiction wiki spammer

May 22nd, 2007

Someone added a new page to my wiki today. The name of the page was “Alcohol Intervention”. The content of the page seemed perfectly reasonable. If it had been on topic, it would have passed superficial inspection. But the link to the page was added first, and it was added many line breaks below the content on another page. So… the method was suspect from the get-go.

So, here’s someone who made an effort to write a perfectly reasonable page on alcohol addiction, with some credible links at the bottom, mainly to edu and authority sites. Yes, and the spammer’s own domain at the beginning of the article.

But here are some domains associated with this spammer - he’s got links to several at the bottom of the website he spamvertized on my wiki:

druginterventions.net - 205.234.132.159
drugrehabprogram.net - 72.34.32.176
heroin.org - 205.234.146.222
addictiontreatmentcenter.com - 205.234.140.184
floridadrugrehab.com - 205.234.253.132
helpaddicts.com - 75.126.44.60
drugrehabcenter.com - 66.113.130.222
dual-diagnosis.net - 75.126.44.69
addictionsearch.com - 66.225.219.7
detox-center.com - 75.126.44.71

All of these appear to have an 800 number as a payoff. I couldn’t figure out how that worked, until I found evidence that they have a treatment center. I suppose if you called for a free consultation, you might get a hard sell for coming to the treatment center.

This one appears to be owned by someone else, and has a different payoff, but has links to the same network of websites. Incidentally, the website is owned by someone with the same last name as a therapist employed by the same center as the other websites, and a press release about said therapist is pointing to this site:

enhancedhealing.com - 72.41.61.196

But the main bulk of websites either have whois protection, or the whois tends to point to this guy:

(Whois of two domains removed. The owner of the domains says he got scammed by someone he paid to submit to article directories. He now says this post comes up as the number one result on Google when searching for his name. If you’re curious, his full name is associated with many of these domains anyway, but let’s just assume he’s learned his lesson, and there’s no need to permanently embarrass him.)

Another domain associated with Gerald is kgolf.net. It’s been extensively spamvertized, including one January 2006 sighting, here.

It’s a scraper site with Adsense as payoff. The site is currently owned by Gerald, though I can’t say how long he’s owned it without looking at whois history (anyone?).

And the fact that this is probably a real person is underscored by this press release:

Drug Rehab Launches New Drug and Alcohol Addiction Talk Show

So, who did the spamming? I don’t know. The IP address is from the Philippines: 61.9.75.136. Also associated with this spam: 61.9.75.189 and the username Shamra.

Monitoring your IP space

May 2nd, 2007

I occasionally find ways to monitor IP space for spam, viruses etc. Here’s one such new way to monitor your IP space:

Project Honeypot’s IP space monitoring

You know, I once notified my neighbor that his machine was compromised because of one of those services. Turns out he had a pirated version of Windows (I believe it was Windows 2000?). Because of that he didn’t get updates. Let’s just say that machine was doomed. Format c: /s - or something like that.

Wiki-spam attack from diving-deep

April 28th, 2007

I woke up today to a quite massive attack on my wiki. Large edits to lots of pages. The links spamvertized are all to free forums, misused forums belonging to other people and various other non-hacker exploits.

So far the exploited pages all redirect to one domain:

diving-deep.net
216.255.179.196

That’s in Intercage space - they’ve been notified.

The whois is interesting: it points to Norway. The person is allegedly:

Billy Fulkerson (geojon@care2.com)

And the address and phone number point to the Neptun hotel in Haugesund, Norway. Yep, the address and phone number are legit, but I doubt it has anything to do with the spammer. The registrar is KLIK MEDIA GMBH. Remember them?

The IP numbers used for the spam run are all proxies.

The spammer is affiliate number 35vm5c with evoplus.

—————

Update:

Intercage nullrouted them, and they immediately switched to 85.255.115.213 at inhoster. Intercage is upstream, and immediately nullrouted them again, and now they’re on 212.176.41.8, which I believe is on equant.ru. Unfortunately that website is entirely in Russian, and I have trouble figuring out who to contact. Some help would be appreciated. I sent an e-mail to the contact for the IP numbers. And then I contacted the DNS provider as well. Awaiting reply.

Update May 4:

No response from either the current webhost or the DNS provider. And the spamming has started up again - two new wiki diffs on a wiki I own today.