Current Status

This blog is not frequently updated because most case-by-case scam reports are now listed in subordinate blogs. At this point in time, most of my efforts are targeted at documenting employment scams in the Suckers Wanted blog.

2006-07-25

Hijack Alert: Dangerous tuna with increased mercury levels on your local market

Here's another spam which is intended to lure the victim to a hostile website armed with Web-Attacker. The modus operandi is identical to that used in the recent "World-Soccer news" attack: the spam contains sensational news and a link to a website; the website itself is a hastily cobbled-together facade of relevant snippets plagiarised from somewhere or other, heavily obfuscated with JavaScript, and includes an IFRAME reference to something that loads Web-Attacker. If you browse this site using a computer that runs Microsoft Windows, you should assume that it has been compromised and have it checked.

The spam "lure" was as follows (links defanged). Note that the key link is to http://www.protectinnocent.org/register.htm.

We are struggling for the future of our planet, please help us.
Only together we can stand for our nature!

Send a message to the "Environmental Protection Agency and Food and Drug Administration" to improve mercury testing so we can keep tuna safe for our families and for dolphins.

Some of the tuna producers -- particularly in Ecuador and Mexico -- use practices that can hurt or kill dolphins and catch tuna with increased mercury levels.

Sign for it - help yourself and thousands of other lives.

One another way you can help us is to send this letter or the link to our website: http://protectinnocent.org/register.htm- to all people you know.


2006 Help Dolphins

The domain "protectinnocent.org" is a ruse: it was registered on 20-Jul-2006 at 09:57:27 UTC. The domain name configuration for this is unusual, and worth mentioning in passing. There are five nameservers, named "dnsN.name-services.com", where N ranges from 1 to 5. At time of writing, these have the following addresses.

dns1.name-services.com. 3600    IN      A       69.25.142.1
dns2.name-services.com. 3600    IN      A       216.52.184.230
dns3.name-services.com. 3600    IN      A       63.251.92.193
dns4.name-services.com. 3600    IN      A       64.74.96.242
dns5.name-services.com. 3600    IN      A       70.42.37.1

Each of them is reporting SOA serial number 2002050701, so they should all contain identical records, but when queried for "A" records for "www.protectinnocent.org", they respond with five different answers: 69.25.142.3, 216.52.184.240, 63.251.92.195, 64.74.96.243, and 216.52.184.240 respectively. With the exception of the fifth response (which is a repeat of the second), all the address records are close neighbours of their respective nameservers. None of the address records have corresponding PTR entries, but all are ultimately under the control of eNom, which is also the registrar through which "protectinnocent.org" was registered.

I think that all we can learn from this is that eNom uses dodgy DNS tricks to distribute load on their mirrored webservers.
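The comparison done by hand above, written out as an added example (not part of the original post): it takes the five nameserver observations quoted above and reports whether the serials agree, how many distinct answers came back, which answer repeats, and whether each answer sits in the same network as the nameserver that gave it. Treating "close neighbour" as "same /24" is an assumption of this example.

```python
import ipaddress
from collections import Counter

# Observations quoted in the post: nameserver, its address, the A record it
# returned for "www.protectinnocent.org", and the SOA serial it reported.
OBSERVATIONS = [
    ("dns1.name-services.com", "69.25.142.1",    "69.25.142.3",    2002050701),
    ("dns2.name-services.com", "216.52.184.230", "216.52.184.240", 2002050701),
    ("dns3.name-services.com", "63.251.92.193",  "63.251.92.195",  2002050701),
    ("dns4.name-services.com", "64.74.96.242",   "64.74.96.243",   2002050701),
    ("dns5.name-services.com", "70.42.37.1",     "216.52.184.240", 2002050701),
]


def same_prefix(addr_a, addr_b, prefixlen=24):
    """True when both addresses fall inside the same /prefixlen network
    (the /24 threshold is an assumption, not something the post states)."""
    net = ipaddress.ip_network(f"{addr_a}/{prefixlen}", strict=False)
    return ipaddress.ip_address(addr_b) in net


def analyse(observations=OBSERVATIONS):
    """Summarise how consistently a set of authoritative servers answered."""
    serials = {serial for _, _, _, serial in observations}
    counts = Counter(answer for _, _, answer, _ in observations)
    return {
        # Identical serials mean the servers claim to hold the same zone data...
        "serials_consistent": len(serials) == 1,
        # ...so more than one distinct answer is the anomaly the post describes.
        "distinct_answers": len(counts),
        "answers_divergent": len(counts) > 1,
        "repeated_answers": sorted(a for a, n in counts.items() if n > 1),
        # Which servers pointed at an address in their own neighbourhood.
        "neighbour_of_own_ns": {
            ns: same_prefix(ns_ip, answer) for ns, ns_ip, answer, _ in observations
        },
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```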

Ultimately "protectinnocent.org" is just a side-show, anyhow. The real "sting" comes from the IFRAME which loads http://www.web12.ws/go.php. That, in turn, is just a "302" redirect to http://www.web12.ws/cgi-bin/ie0606.cgi?homepage, which is a "302" redirect to http://www.web12.ws/demo.php, which is a hideously obfuscated piece of JavaScript that expands out to the Web-Attacker "which browser with what exploitable security holes am I running on?" script. From there, other scripts are launched to actually exploit whatever security holes are available, if any.

It will come as no surprise that "web12.ws" was also registered through eNom, on 2006-07-21 08:47:45. The address for "www.web12.ws" is currently 66.36.231.123, which doesn't have a PTR record, and WHOIS reports as allocated to HopOne Internet Corp.

I have to admit that the technique used by the culprits here is pretty sly. If I complain to HopOne that they are sheltering a Web-Attacker user, they might close down the account. (In my stern opinion, they should be proactive enough about detecting this sort of abuse that I shouldn't need to complain, but the operators of such businesses tend to be concerned with profits, not the general welfare of mankind.) Should the account be closed, however, the culprits can simply adjust their "protectinnocent.org" site to wrap another target -- one which may already be set up and ready to go.

It's probably more effective to complain about the "protectinnocent.org" site itself, since the closure of that domain name would result in the need for a fresh spam run. Persuading a registrar that a domain name is being used maliciously is no simple task, unfortunately. Even so, eNom seem to have a decent web-interface for submitting such complaints, so I've done my duty.
