Taking a Peek in the Bulk Mail Folder

Phishing 102.

Get It Try It

It's not often you get the time - or have the inclination - to peek into a bulk mail folder to see what the haX0rs are up to.

Dear user,

On Wed, 29 Oct 2008 22:50:35 +0800 we received a third party complaint of invalid domain contact information in the Whois database for this domain. Whenever we receive a complaint, we are required by ICANN regulations to initiate an investigation as to whether the contact data displaying in the Whois database is valid data or not. If we find that there is invalid or missing data, we contact both the registrant and the account holder and inform them to update the information.

The contact information for the domain which displayed in the Whois database was indeed invalid. On Wed, 29 Oct 2008 22:50:35 +0800 we sent a notice to you at the admin/tech contact email address and the account email address informing you of invalid data in breach of the domain registration agreement and advising you to update the information or risk cancellation of the domain. The contact information was not updated within the specified period of time and we canceled the domain. The domain has subsequently been purchased by another party. You will need to contact them for any further inquiries regarding the domain.

PLEASE VERIFY YOUR CONTACT INFORMATION - http://www.enom.com

If you find any invalid contact information for this domain, please respond to this email with evidence of the specific contact information you have found to be invalid on the Whois record for the domain name. Examples would be a bounced email or returned postal mail. If you have a bounced email, please attach or forward with your reply or in the case of returned postal mail, scan the returned letter and attach to your email reply or please send it to:

Attn: Domain Services 14455 N Hayden Rd Suite 219 Scottsdale, AZ 85260


LINK TO CHANGE INFORMATION - http://www.enom.com


Thank you,
Domain Services

[IncidentID:52624]

What a hack. The address is to GoDaddy. That stands out right away.

OrgName:    GoDaddy.com, Inc.
OrgID:      GODAD
Address:    14455 N Hayden Road
Address:    Suite 226
City:       Scottsdale
StateProv:  AZ
PostalCode: 85260
Country:    US

The links actually to go http://www.enom.com.sys53.biz/. If you bother to look.

It's a very slick job. Very slick.



Naturally all the links except the one the hackers are after go to the real site. And all the images come from the real site too.

<base href="https://www.enom.com/Login.asp">

Even the meta tags are ripped right from the real site. In fact everything's ripped - except the login.

<meta name="keywords" content="domain name, web hosting, email, web site hosting, domain name registration">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

Here's the real site masquerading as eNom.

Name:
    www.enom.com.sys53.biz

Aliases:

Addresses:
    85.49.229.169
    98.196.196.236
    79.70.148.235
    98.216.91.22
    71.230.88.68
    76.30.53.186
    96.18.4.210
    98.209.207.77
    4.131.40.220
    70.68.199.207

Address Type:
    AF_INET

That's quite the array of disparate IPs. Leave that for now - what's the story on sys53.biz?

Checking server [whois.neulevel.biz]
Results:
Domain Name:                                 SYS53.BIZ
Domain ID:                                   D27920097-BIZ
Sponsoring Registrar:                        ONLINENIC, INC. D/B/A CHINA-CHANNEL.COM
Sponsoring Registrar IANA ID:                82
Domain Status:                               clientTransferProhibited
Registrant ID:                               OLNI_175346_0_2
Registrant Name:                             Shestakov Yuriy
Registrant Organization:                     Shestakov Yuriy
Registrant Address1:                         Lenina 21 16
Registrant City:                             Mirniy
Registrant State/Province:                   MSK
Registrant Postal Code:                      102422
Registrant Country:                          Afghanistan
Registrant Country Code:                     AF
Registrant Phone Number:                     +7.9218839910
Registrant Facsimile Number:                 +7.9218839910
Registrant Email:                            alexeyvas@safe-mail.net
Administrative Contact ID:                   OLNI_175346_1_2
Administrative Contact Name:                 Shestakov Yuriy
Administrative Contact Organization:         Shestakov Yuriy
Administrative Contact Address1:             Lenina 21 16
Administrative Contact City:                 Mirniy
Administrative Contact State/Province:       MSK
Administrative Contact Postal Code:          102422
Administrative Contact Country:              Afghanistan
Administrative Contact Country Code:         AF
Administrative Contact Phone Number:         +7.9218839910
Administrative Contact Facsimile Number:     +7.9218839910
Administrative Contact Email:                alexeyvas@safe-mail.net
Billing Contact ID:                          OLNI_175346_3_2
Billing Contact Name:                        Shestakov Yuriy
Billing Contact Organization:                Shestakov Yuriy
Billing Contact Address1:                    Lenina 21 16
Billing Contact City:                        Mirniy
Billing Contact State/Province:              MSK
Billing Contact Postal Code:                 102422
Billing Contact Country:                     Afghanistan
Billing Contact Country Code:                AF
Billing Contact Phone Number:                +7.9218839910
Billing Contact Facsimile Number:            +7.9218839910
Billing Contact Email:                       alexeyvas@safe-mail.net
Technical Contact ID:                        OLNI_175346_2_2
Technical Contact Name:                      Shestakov Yuriy
Technical Contact Organization:              Shestakov Yuriy
Technical Contact Address1:                  Lenina 21 16
Technical Contact City:                      Mirniy
Technical Contact State/Province:            MSK
Technical Contact Postal Code:               102422
Technical Contact Country:                   Afghanistan
Technical Contact Country Code:              AF
Technical Contact Phone Number:              +7.9218839910
Technical Contact Facsimile Number:          +7.9218839910
Technical Contact Email:                     alexeyvas@safe-mail.net
Name Server:                                 NS2.FACEBOOKMANAGER2007.HK
Name Server:                                 NS1.FACEBOOKMANAGER2007.HK
Created by Registrar:                        ONLINENIC, INC. D/B/A CHINA-CHANNEL.COM
Last Updated by Registrar:                   ONLINENIC, INC. D/B/A CHINA-CHANNEL.COM
Domain Registration Date:                    Wed Oct 29 13:18:16 GMT 2008
Domain Expiration Date:                      Wed Oct 28 23:59:59 GMT 2009
Domain Last Updated Date:                    Wed Oct 29 18:04:59 GMT 2008

Afghanistan? Servers in Hong Kong? And China?

Who runs Safe-mail.net?

Registrant:
almond systerms international Ltd.
   2-26-23-701 Minami-Otsuka,Toshima-ku
   Tokyo 170-0005
   JP

   Domain Name: SAFE-MAIL.NET

'Systerms'? But back to the IPs. They are indeed strange.

85.49.229.169       169.pool85-49-229.dynamic.orange.es
98.196.196.236      c-98-196-196-236.hsd1.tx.comcast.net
79.70.148.235       79-70-148-235.dynamic.dsl.as9105.com
98.216.91.22        c-98-216-91-22.hsd1.ct.comcast.net
71.230.88.68        c-71-230-88-68.hsd1.pa.comcast.net
76.30.53.186        c-76-30-53-186.hsd1.tx.comcast.net
96.18.4.210         [cableone.net]
98.209.207.77       c-98-209-207-77.hsd1.mi.comcast.net
4.131.40.220        dialup-4.131.40.220.Dial1.Cincinnati1.Level3.net
70.68.199.207       S01060016765d55f8.vf.shawcable.net

And half come from Comcast and seven come from NA? Some would call that 'expected'.

But these ordinary ADSL subscribers are all running - Apache? Yeah right. But that's what they report back!

85.49.229.169       169.pool85-49-229.dynamic.orange.es

HTTP/1.1 200 OK
Date: Wed, 29 Oct 2008 21:59:30 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=so-8859-1

98.196.196.236      c-98-196-196-236.hsd1.tx.comcast.net

HTTP/1.1 200 OK
Date: Wed, 29 Oct 2008 22:00:04 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=so-8859-1

79.70.148.235       79-70-148-235.dynamic.dsl.as9105.com

HTTP/1.1 200 OK
Date: Wed, 29 Oct 2008 21:57:06 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=so-8859-1

98.216.91.22        c-98-216-91-22.hsd1.ct.comcast.net

HTTP/1.1 200 OK
Date: Wed, 29 Oct 2008 22:01:31 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=so-8859-1

71.230.88.68        c-71-230-88-68.hsd1.pa.comcast.net

HTTP/1.1 200 OK
Date: Wed, 29 Oct 2008 22:01:50 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=so-8859-1

76.30.53.186        c-76-30-53-186.hsd1.tx.comcast.net

HTTP/1.1 200 OK
Date: Wed, 29 Oct 2008 22:02:09 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=so-8859-1

[96.18.4.210 - Connection fails.]

98.209.207.77       c-98-209-207-77.hsd1.mi.comcast.net

HTTP/1.1 200 OK
Date: Wed, 29 Oct 2008 22:02:44 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=so-8859-1

4.131.40.220        dialup-4.131.40.220.Dial1.Cincinnati1.Level3.net

HTTP/1.1 200 OK
Date: Wed, 29 Oct 2008 22:03:55 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=so-8859-1

70.68.199.207       S01060016765d55f8.vf.shawcable.net

HTTP/1.1 200 OK
Date: Wed, 29 Oct 2008 22:03:26 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=so-8859-1

So we seem to have Victoria Falls in Canada; Cincinnati Ohio; Michigan, Pennsylvania, Connecticut, and two connections in Texas; Britain and Spain. And they're all running Apache?

Yeah right.

Starting Nmap 4.20 ( http://insecure.org ) at 2008-10-29 18:29 EDT
Interesting ports on 169.pool85-49-229.dynamic.orange.es (85.49.229.169):
Not shown: 1674 closed ports
PORT     STATE    SERVICE
80/tcp   open     http
135/tcp  filtered msrpc
137/tcp  filtered netbios-ns
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
524/tcp  filtered ncp
539/tcp  filtered apertus-ldp
593/tcp  filtered http-rpc-epmap
996/tcp  filtered xtreelic
997/tcp  filtered maitrd
998/tcp  filtered busboy
999/tcp  filtered garcon
1214/tcp filtered fasttrack
1434/tcp filtered ms-sql-m
3333/tcp filtered dec-notes
3531/tcp filtered peerenabler
4444/tcp filtered krb524
4662/tcp filtered edonkey
6346/tcp filtered gnutella
6347/tcp filtered gnutella2
6667/tcp filtered irc
6699/tcp filtered napster
6881/tcp filtered bittorent-tracker

All 1697 scanned ports on c-98-196-196-236.hsd1.tx.comcast.net
(98.196.196.236) are filtered (1051) or closed (646)

Interesting ports on c-98-216-91-22.hsd1.ct.comcast.net (98.216.91.22):
Not shown: 1684 filtered ports
PORT     STATE  SERVICE
80/tcp   open   http
6000/tcp closed X11
6001/tcp closed X11:1
6002/tcp closed X11:2
6003/tcp closed X11:3
6004/tcp closed X11:4
6005/tcp closed X11:5
6006/tcp closed X11:6
6007/tcp closed X11:7
6008/tcp closed X11:8
6009/tcp closed X11:9
6017/tcp closed xmail-ctrl
6050/tcp closed arcserve

Interesting ports on c-71-230-88-68.hsd1.pa.comcast.net (71.230.88.68):
Not shown: 1669 closed ports
PORT     STATE    SERVICE
25/tcp   filtered smtp
80/tcp   open     http
135/tcp  filtered msrpc
136/tcp  filtered profile
137/tcp  filtered netbios-ns
138/tcp  filtered netbios-dgm
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
524/tcp  filtered ncp
539/tcp  filtered apertus-ldp
996/tcp  filtered xtreelic
997/tcp  filtered maitrd
998/tcp  filtered busboy
999/tcp  filtered garcon
1025/tcp open     NFS-or-IIS
1026/tcp open     LSA-or-nterm
1027/tcp open     IIS
1080/tcp filtered socks
1214/tcp filtered fasttrack
1434/tcp filtered ms-sql-m
3531/tcp filtered peerenabler
4662/tcp filtered edonkey
5000/tcp open     UPnP
6346/tcp filtered gnutella
6347/tcp filtered gnutella2
6667/tcp filtered irc
6699/tcp filtered napster
6881/tcp filtered bittorent-tracker

Interesting ports on 96.18.4.210:
Not shown: 1672 closed ports
PORT     STATE    SERVICE
80/tcp   open     http
135/tcp  filtered msrpc
136/tcp  filtered profile
137/tcp  filtered netbios-ns
138/tcp  filtered netbios-dgm
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
524/tcp  filtered ncp
539/tcp  filtered apertus-ldp
996/tcp  filtered xtreelic
997/tcp  filtered maitrd
998/tcp  filtered busboy
999/tcp  filtered garcon
1025/tcp open     NFS-or-IIS
1026/tcp open     LSA-or-nterm
1214/tcp filtered fasttrack
1434/tcp filtered ms-sql-m
3531/tcp filtered peerenabler
4662/tcp filtered edonkey
5000/tcp open     UPnP
6346/tcp filtered gnutella
6347/tcp filtered gnutella2
6667/tcp filtered irc
6699/tcp filtered napster
6881/tcp filtered bittorent-tracker

Interesting ports on c-98-209-207-77.hsd1.mi.comcast.net (98.209.207.77):
Not shown: 1676 filtered ports
PORT      STATE  SERVICE
80/tcp    open   http
1025/tcp  open   NFS-or-IIS
1178/tcp  closed skkserv
1354/tcp  closed rightbrain
1480/tcp  closed pacerforum
1533/tcp  closed virtual-places
3333/tcp  closed dec-notes
6000/tcp  closed X11
6001/tcp  closed X11:1
6002/tcp  closed X11:2
6003/tcp  closed X11:3
6004/tcp  closed X11:4
6005/tcp  closed X11:5
6006/tcp  closed X11:6
6007/tcp  closed X11:7
6008/tcp  closed X11:8
6009/tcp  closed X11:9
6017/tcp  closed xmail-ctrl
6050/tcp  closed arcserve
9991/tcp  closed issa
17007/tcp closed isode-dua

Interesting ports on S01060016765d55f8.vf.shawcable.net (70.68.199.207):
Not shown: 1684 filtered ports
PORT     STATE  SERVICE
80/tcp   open   http
6000/tcp closed X11
6001/tcp closed X11:1
6002/tcp closed X11:2
6003/tcp closed X11:3
6004/tcp closed X11:4
6005/tcp closed X11:5
6006/tcp closed X11:6
6007/tcp closed X11:7
6008/tcp closed X11:8
6009/tcp closed X11:9
6017/tcp closed xmail-ctrl
6050/tcp closed arcserve

Nmap finished: 10 IP addresses (7 hosts up) scanned in 136.246 seconds

Note the NETBIOS, Microsoft RPC, Microsoft SQL, Napster, and BitTorrent ports.

Where did this batch of spam come from? Ostensibly 220.136.244.77.

Name:
    220-136-244-77.dynamic.hinet.net

Aliases:

Addresses:
    220.136.244.77

Address Type:
    AF_INET

Registrant:
Internet Dept., DCBG, Chunghwa Telecom Co., Ltd.
   Data-Bldg, No. 21 Sec.1, Hsin-Yi Rd.
   Taipei, Taiwan 100
   TW

   Domain Name: HINET.NET

The mail headers.

Return-Path: 
Received: from [220.136.244.77] by mx01.1and1.com; Wed, 29 Oct 2008 22:50:35 +0800
From: "eNomCentral Tech Support" 
Subject: Attention: Inaccurate whois information.
Date: Wed, 29 Oct 2008 22:50:35 +0800
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=
"----=_NextPart_000_0007_01C93A18.C1186F80"
Content-Length: 4651

1and1 are a huge (and inexpensive) European bulk hosting company.

More results from the scans.

169.pool85-49-229.dynamic.orange.es (85.49.229.169):
Running (JUST GUESSING) : Microsoft Windows XP|2003|2000 (91%)
Aggressive OS guesses:
    Microsoft Windows XP Professional SP2 (French) (91%),
    Microsoft Windows Server 2003 SP1 or SP2 (91%),
    Microsoft Windows Server 2003 SP0 or Windows XP SP2 (91%),
    Microsoft Windows Server 2003 SP2 (89%),
    Microsoft Windows XP SP2 (89%),
    Microsoft Windows 2000 Server SP4 (87%),
    Microsoft Windows Server 2003 SP1 (87%),
    Microsoft Windows XP Professional SP2 (firewall enabled) (86%),
    Microsoft Windows 2003 Small Business Server (85%),
    Microsoft Windows XP Professional SP2 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 15 hops

c-71-230-88-68.hsd1.pa.comcast.net (71.230.88.68):
Running (JUST GUESSING) : Microsoft Windows 2000|2003|XP (95%)
Aggressive OS guesses:
    Microsoft Windows 2000 Server SP4 (95%),
    Microsoft Windows Server 2003 SP0 or Windows XP SP2 (92%),
    Microsoft Windows Server 2003 SP1 or SP2 (90%),
    Microsoft Windows 2000 SP4 (89%),
    Microsoft Windows 2000 SP4 or Windows XP SP2 (89%),
    Microsoft Windows XP SP2 (88%),
    Microsoft Windows XP Professional SP2 (French) (87%),
    Microsoft Windows XP Professional SP2 (firewall enabled) (87%),
    Microsoft Windows Server 2003 SP2 (86%),
    Microsoft Windows 2003 Small Business Server (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 13 hops

96.18.4.210:
Running (JUST GUESSING) : Microsoft Windows 2000|2003|XP (95%)
Aggressive OS guesses:
    Microsoft Windows 2000 Server SP4 (95%),
    Microsoft Windows Server 2003 SP0 or Windows XP SP2 (92%),
    Microsoft Windows Server 2003 SP1 or SP2 (90%),
    Microsoft Windows 2000 SP4 (89%),
    Microsoft Windows 2000 SP4 or Windows XP SP2 (89%),
    Microsoft Windows XP SP2 (88%),
    Microsoft Windows XP Professional SP2 (French) (87%),
    Microsoft Windows XP Professional SP2 (firewall enabled) (87%),
    Microsoft Windows Server 2003 SP2 (86%),
    Microsoft Windows 2003 Small Business Server (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 18 hops

OS detection performed.
Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap done: 10 IP addresses (3 hosts up) scanned in 139.756 seconds

But only three of the ten IPs responded. Have the IPs for the domain changed?

Name:
    www.enom.com.sys53.biz

Aliases:

Addresses:
    76.30.7.188
    98.195.45.85
    24.72.186.233
    24.0.221.127
    71.230.88.68
    98.229.69.62
    24.139.168.102
    24.196.169.44
    75.185.182.235
    68.58.58.151

Address Type:
    AF_INET

A whole new batch all in the space of a few minutes. The content at the old IPs is still up. No one cares about that. But the phish won't go to their computers anymore. The Afghan strain's moved on.

One site's already got a notice up about it. But their letter reads 'On Wed, 29 Oct 2008 18:32:20 +0100'. Different zones, different times.

eNom's caught on too.

Translation

So let's see if we can translate this for people ambitious enough to read but not educated enough yet to grasp.

Surely you've heard people speak in woeful tones about the deplorable security on Windows?

Perhaps you've heard Sun Microsystems cofounder Bill Joy lament that Microsoft took a 'standalone system' totally lacking in defences and put it on the Internet?

That's basically what you're seeing here. Despite all the hype that Windows is more secure today the fact remains over 90% of all Windows PCs connected to the net are infected with 30 or more strains of malevolent trojan/virus/worm code or a lethal combination thereof. Or worse - they're also in so-called 'botnets'.

'Botnets' are 'robot' computer networks - computers that have been put under the control of hackers that found their way onto your machine because your Microsoft software doesn't want to protect you.

And yes, these are invariably Windows machines being hacked. All those other machines you saw at Best Buy, Circuit City, Dixons, and PC World? They can't be hacked that easily. They're 'secure'.

These computers then report to a so-called 'IRC channel' and wait for instructions from the hackers. When the hackers tell them to start spewing spam, they do. They're given the message to send along with a mailing spam list and off they go.

The originating IP for the above phishing scam - 220-136-244-77.dynamic.hinet.net in Taiwan - is likely part of the same botnet as the 'web servers' represented by the list of IPs. Everybody gets to participate.

The spam they spew out: it's not just advertisements for penis pills or 'get rich' investment opportunities - although the spam letters can still contain such come-ons.

They're laden with 'hacks' that compromise your Windows computer and put it under control of the botnet.

And all you notice - if you notice anything at all - is that your Internet connectivity is a bit slow at times or your general performance (speed) seems to be down a bit.

And no one tells you the truth. Your computer is an accessory to criminal activities and no one - not Microsoft, not the people in the computer store where you shop, not the hundreds of thousands of sites online dealing in combatting Windows malware - will tell you the truth.

You'll find blog articles at antivirus companies drenched in syrupy sincerity about how dangerous the Internet is and how important it is for you to subscribe to their 'fixes' but you won't find anyone telling you the simple truth.

So your bosses refuse to discuss switching to a safer platform? Keep at them. Your spouse is so obsessed with Microsoft Reversi or Excel or Word that alternatives may not be considered? Keep at them. Other members of your family want to play games and use file sharing software only found on Windows? Keep at them.

This is not a recent development: the truth about Microsoft software - Windows, Internet Explorer, Outlook, et al - has been out for almost a decade. Bill Gates personally apologised for the misery and suffering his products caused people six years ago. But of course nothing changed.

Could Microsoft have done something about this? Of course they could have. They could have run FreeBSD or NetBSD or OpenBSD free of charge with no licensing restrictions, built a new GUI atop and run legacy Windows programs in a 'sandbox' to protect you.

All that's stopped them is their greed and obsession with controlling everything and refashioning the entire Internet - and you the unwitting dupe of a consumer be damned.

Instead of using tried and true 'open' technologies known to be secure they spend billions of dollars developing their own parallel technologies. So they can strangle the market and thwart competition - and you the unwitting dupe of a consumer be damned.

There are those who'll tell you things aren't that bad anymore. Don't believe them. There are those who'll tell you everybody needs a firewall and antivirus and anti-spyware software. Don't believe them.

Firewalls are good - they stop unwanted traffic invariably being spewed out by Windows computers - but antivirus and anti-spyware are only needed on Windows. And they never protect you anyway.

The whole idea you can scramble to catch the bad guys after the fact is stupid. Think about it. Why let the bad guys onto your computer in the first place? Only Windows will let them do it.

Over 80% of all electronic mail today is malware. There are over 100,000 strains of (Windows) malware thriving on the Internet. 80% of all 'PCs' have at least 30 coexisting infections.

There are those who will tell you this is only because Windows is so popular - that if another system were to replace Windows the same thing would happen.

The 'Windows security experts' - a landed gentry of a sort - will argue with you until you're blue in the face. They don't want you to leave Windows. If you leave Windows they're out of a job.

Bill Gates certainly doesn't want you to leave Windows. For obvious reasons.

All the people you should not trust will tell you that switching to another platform is either a bad idea or pointless. Don't believe them.

It's not about the popularity of Windows. Although that certainly helps. And gives the hackers a mutant cash cow the likes of which have never been seen.

It's also because hacking Windows is so damned easy.

The hackers have the Microsoft Windows security cottage industry beat. Hands down. The game's rigged. The defenders are at an insurmountable disadvantage to start with. And the hackers are simply smarter and more resourceful. The sophistication of the phishing attack described in this article is simply stunning.

Are only Windows computers susceptible to phishing attacks? Of course not. But you wouldn't have this proliferation of phishing attacks - and all the spam, spyware, trojans, viruses, worms - without Windows computers spewing them out in the first place, would you?

You'll never be safe on Windows. Get over it, cut your losses, and move on. You're only about ten years behind the rest of the world. And it's never too late.