2012-11-21

I thought I would share this even though it is not Python related. It is web related, a very interesting story, and it is getting weirder by the minute...

Let me start at the beginning of it all. It started with my second cousin forwarding me a message about a work-at-home scheme, which had him completely convinced it was real. I must admit that the spammers crafted something really well here, and did an awesome job of hiding their tracks too. I am still tracing through many servers and IP addresses to locate the point of origin, which is more difficult than I originally thought, and along the way things are getting awfully weird.

I am not going to post the actual spam link, but I will post a partial one to get the point across. My second cousin received this link in his email, and I immediately knew it wasn't safe: ecotecturecanada.org / backup / old%20site / includes / phpmailer / o1znxaet.php. At first glance, it appears that someone's PHPMailer installation has been hijacked. Also note the insecurity on this webmaster's part: a backup directory should not be publicly accessible at all, and should be kept somewhere outside the web root. I contacted the owner of this website to inform them of the hack, so the script should be removed shortly.

This PHP script does little as far as I can see, besides redirecting to another website, which uses a very popular social engineering trick to make users believe that the domain name is the one they think it is: www foxnews com newnextonline1market com. I removed the dots so that it doesn't cause any SEO or other issues with search engines. The hostname starts with www.foxnews.com, but the domain that is actually registered is the last part; everything before it is just a subdomain the spammer controls. The website itself is very interesting, as it is a copy of a CNBC news article which uses GeoIP to locate the victim and insert their home city into the article itself. I have to say, using the victim's city right inside your fake news article is a very interesting piece of social engineering. I cannot say that all spammers are stupid script kiddies now that I've seen this.

Another interesting thing this page does is rewrite all the links that point to a recently shut down domain (I figure it was shut down due to spam abuse) so that they point at the new domain name now in use. Another interesting trick, although they could have just used a simple find and replace... I guess they wanted to show off their DOM editing skills. The funny part, and the one that makes this page look even more like spam, is that every single link points to the next domain, the one which ultimately collects the info from the unsuspecting user. I figure this was done so that CNBC doesn't see this page in their referrer logs; since the domain name has the word foxnews plastered on it, it might raise an eyebrow.
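A quick way to see through that trick, as an added example that is not code from the original post or from any of the sites it mentions: strip a URL down to its registrable domain and flag brand names that appear only in the subdomain part. The sample URLs are constructed to have the same shape as the lure; the brand list and the small two-label suffix set are illustrative assumptions, and real code should use the Public Suffix List instead of the stand-in below.

```python
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed sample URLs shaped like the lure described in the post
# (the real spam hostname is not reproduced here).
SAMPLE_URLS = [
    "http://www.foxnews.com.newnextonline1market.com/finance/article.html",
    "https://www.cnbc.com/2012/11/21/some-article.html",
    "http://cnbc.com.login-secure.example/verify",
]

# Brands whose names showing up as a *subdomain* label are a classic lure.
# Assumption: purely illustrative, not a reference list of anything.
WATCHED_BRANDS = {"foxnews", "cnbc", "paypal", "bankofamerica"}

# Tiny, deliberately incomplete stand-in for the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def registered_domain(host: str) -> str:
    """Return the registrable domain of a hostname (heuristic; see above)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def lookalike_brands(host: str) -> set[str]:
    """Brands present in the subdomain labels but not in the registered domain."""
    reg = registered_domain(host)
    reg_label_count = len(reg.split("."))
    sub_labels = host.lower().rstrip(".").split(".")[:-reg_label_count]
    reg_base = reg.split(".")[0]
    return {b for b in WATCHED_BRANDS if b in sub_labels and b != reg_base}


def triage(url: str) -> dict:
    """Summarise what a visitor sees versus who actually owns the hostname."""
    host = urlsplit(url).hostname or ""
    brands = lookalike_brands(host)
    return {
        "host": host,
        "registered_domain": registered_domain(host),
        "lookalike_brands": sorted(brands),
        "suspicious": bool(brands),
    }


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(triage(u))
```

The first sample reports newnextonline1market.com as the real domain and foxnews as a lookalike label; the genuine cnbc.com URL is not flagged.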

Then we come to the final page, which collects the user's information, for what purpose I'll never know. This page uses some interesting JavaScript to submit a form and to warn the user when they are about to leave the page. It was odd that they use JavaScript and an iframe to submit a form... Really... This screams script kiddie; the code on this page is an absolute programmer's nightmare. The spammer appears to be more knowledgeable in JavaScript than in PHP, or any server-side language for that matter.

Now, on to the weird...

When I attempted to investigate all of this, I stumbled upon the weirdest stuff. I first used my local whois command to see who owned these domains, starting with the one with foxnews in its title. It's funny that the spammer provided his real information to the whois directory, so here it is for the entire world to shun:

This is the first mistake the spammer made; of course, this could be the name of someone whose credit card was stolen recently in order to register the domain name. The domain was registered just a few days ago, on the 17th. Here's where it gets interesting. The registrar is ownregistrar.com, and as of the time of writing, their home page says Under Construction. Hmmm... The company that apparently runs this registrar is Trunkoz, which I will get to in a moment. The DNS provider appears to be more legit: they are dnsexit.com.

The first thing I did after noticing that the registrar page was under construction was to see who owned that domain name. Of course it was owned by the same people, but here's the weird part: the contact information names another company, QuantumPages. A whois of QuantumPages says its registrar is ownregistrar.com. QuantumPages is also under construction, just like ownregistrar.

Since I was unable to easily contact someone for a spam abuse report, I took the next step: a reverse DNS lookup to see who owns these IP addresses. The hosting provider was QuadraNet. I proceeded to contact them and report the spam abuse. This also shows how careless some spammers can be: most providers let you change the reverse DNS (PTR record) if you have a dedicated IP address, which in this case it was. If they had changed their reverse DNS, it would have made it a little more difficult to find out more about them. However, I can also do a whois lookup on the IP address itself to see which hosting provider the subnet is allocated to. I guess there's always a way to be caught online.
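The same triage, scripted, as an added example that is not from the original post: parse a whois record for the registrar, creation date and nameservers, and flag a domain that was registered only days before it started showing up in spam. The whois text is a constructed sample, not the real record; the field aliases are the handful I know to be common, not an exhaustive list; and the reverse DNS helper uses the standard library and needs network access, so it is only called from the main block.

```python
from __future__ import annotations

import socket
from datetime import datetime, timezone

# Constructed sample of a registrar whois record. Domain, registrant,
# dates and nameservers are all made up for this illustration.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-LURE.COM
Registrar: Example Registrar, Inc.
Creation Date: 2012-11-17T10:22:03Z
Updated Date: 2012-11-17T10:22:03Z
Registry Expiry Date: 2013-11-17T10:22:03Z
Registrant Name: J. Doe
Registrant Email: jdoe@example.net
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
>>> Last update of whois database: 2012-11-21T00:00:00Z <<<
"""

# Registrars label the same fields differently; fold common aliases together.
FIELD_ALIASES = {
    "registrar": ("registrar", "sponsoring registrar"),
    "created": ("creation date", "created on", "registered on", "created"),
    "registrant": ("registrant name", "registrant"),
    "nameservers": ("name server", "nserver"),
}

DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d", "%d-%b-%Y")


def parse_date(value: str) -> datetime | None:
    """Parse the few date layouts seen in whois output (UTC assumed)."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(value.strip(), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def parse_whois(text: str) -> dict:
    """Reduce raw whois text to the fields that matter for abuse triage."""
    record: dict = {"nameservers": []}
    for line in text.splitlines():
        if ":" not in line or line.lstrip().startswith(("%", "#", ">>>")):
            continue  # banners, comments and other non-field lines
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        for canon, aliases in FIELD_ALIASES.items():
            if key in aliases:
                if canon == "nameservers":
                    record["nameservers"].append(value.lower())
                else:
                    record.setdefault(canon, value)  # keep the first occurrence
    return record


def domain_age_days(record: dict, as_of: str) -> int | None:
    """Days between the creation date and `as_of` (an ISO date string)."""
    created = parse_date(record.get("created", ""))
    now = parse_date(as_of)
    if created is None or now is None:
        return None
    return (now - created).days


def is_freshly_registered(record: dict, as_of: str, max_days: int = 30) -> bool:
    """A domain registered days before it appears in spam is a strong signal."""
    age = domain_age_days(record, as_of)
    return age is not None and 0 <= age <= max_days


def reverse_dns(ip: str) -> str | None:
    """PTR lookup; needs network access, so it is only called from main."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


if __name__ == "__main__":
    rec = parse_whois(SAMPLE_WHOIS)
    print(rec)
    print("age in days:", domain_age_days(rec, "2012-11-21"))
    print("freshly registered:", is_freshly_registered(rec, "2012-11-21"))
    # Next step from the post: who does the IP belong to? A PTR lookup first,
    # then `whois <ip>` on the command line to get the netblock owner.
    print("PTR for 192.0.2.10:", reverse_dns("192.0.2.10"))  # TEST-NET address, assumed unresolvable
```

Run against the sample as of 2012-11-21, the record comes back three days old and flagged as fresh; the same record looked at months later is not.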

I was still itching to contact the domain registrar, so I went and attempted to make contact with Trunkoz. They actually provide a form to report abuse, and this is where things got REALLY odd. I submitted the abuse form, and the success page has a link to the home page on it. I clicked it, but... I was not taken to the home page; I was sent to the index.php file of the contact-us directory, and saw a copied version of the jet-airways.co.uk site... What the heck! So, not only was this spam hosted with this provider, the provider themselves appeared to have been hacked, or they are purposely hosting this and their sole purpose is to host spammer websites.

After seeing this, I thought, well, it appears I need to report this as abuse on their own website, so I went back to the hosting provider's abuse page and filled in the info... To my surprise, the submit button, which had worked only a few moments earlier, was now utterly broken with the following error message:

Warning: Header may not contain more than a single header, new line detected in /home/betatru/public_html/contact-us/contactus.php on line 28

Hmm. That warning is PHP refusing a header() call whose value contains a newline, which is PHP's built-in defence against header injection; the usual cause is submitted form data being concatenated into a header without any checking. A hosting provider that cannot correctly secure its own server, and does not turn off on-screen error reporting (display_errors) in production so that a proper 500 error page is shown instead of a PHP warning complete with the server's filesystem path, is not a very reputable service provider in my eyes.
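The bug class behind that warning, as an added illustration in Python rather than the hosting provider's PHP (this is not their code, and the inputs are constructed): a naive contact-form header builder that lets a CR/LF in the sender field smuggle in a Bcc header, beside a hardened version that refuses line breaks, which is the check PHP's header() performs for you, and validates the address shape instead of trusting it.

```python
from __future__ import annotations

import re

NEWLINE = re.compile(r"[\r\n]")
# Conservative address shape; anything else is rejected rather than "cleaned".
ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

# Constructed inputs: what a normal visitor sends, and what an abuser sends.
NORMAL_SENDER = "visitor@example.net"
INJECTED_SENDER = "visitor@example.net\r\nBcc: target1@example.org, target2@example.org"


def build_headers_vulnerable(sender: str, subject: str) -> list[str]:
    """Form fields concatenated straight into header text.

    A CR/LF inside `sender` terminates the From: line and starts a new one,
    so the submitter chooses extra headers (Bcc:, another To:, even a body).
    """
    raw = f"From: {sender}\r\nSubject: {subject}\r\n"
    return [line for line in raw.splitlines() if line]


def build_headers_hardened(sender: str, subject: str) -> list[str]:
    """Reject any header value containing a line break, then validate the
    sender as a plain address. Rejecting beats stripping: a submission that
    carries CR/LF in an email field is an attack, not a typo."""
    for name, value in (("sender", sender), ("subject", subject)):
        if NEWLINE.search(value):
            raise ValueError(f"line break in {name}: possible header injection")
    if not ADDRESS.match(sender):
        raise ValueError("sender is not a plain email address")
    return [f"From: {sender}", f"Subject: {subject}"]


def hardened_rejects(sender: str, subject: str) -> bool:
    """True when the hardened builder refuses the input."""
    try:
        build_headers_hardened(sender, subject)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable, normal input: ", build_headers_vulnerable(NORMAL_SENDER, "Hello"))
    print("vulnerable, injected input:", build_headers_vulnerable(INJECTED_SENDER, "Hello"))
    print("hardened, normal input:   ", build_headers_hardened(NORMAL_SENDER, "Hello"))
    print("hardened rejects injection:", hardened_rejects(INJECTED_SENDER, "Hello"))
```

With the injected sender the vulnerable builder emits three header lines instead of two, the middle one being the attacker's Bcc; the hardened builder raises before anything is sent. Had the PHP form wrapped its header() call the same way, the visitor would have seen a clean error page rather than a warning leaking the server path.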

Something else which struck me as weird is that the captcha on the jet-airways page form was fully operational, and that the form looked very similar to the abuse form. I have just sent a message to Jet Airways about this page as well, to inform them of the situation and to prepare them for any scammers that might target their customers.

Because of how the Internet is today, I suspect the Internet of the future is going to be very tough. Many laws will come into effect because of some sort of abuse or problem. Just because some idiot does something wrong, it makes it harder on the rest of the world; that's how a similar saying goes. I suspect that within a decade at most, we will all require some sort of license to actually go online, as these types of abuses are brought to the attention of our world leaders.

I believe in privacy, but when it comes to individuals or companies attempting to scam people or violate their rights, I am all for our governments locking down the Internet and monitoring its users much more closely. Unless you're doing stupid or illegal things online, what do you really have to hide? Are privacy advocates really the world's top spammers and illegal file sharers, or are they just people like me, who do only legal things online? I've got nothing to hide but my personal identity when it comes to malicious websites. How about you?