[vox-tech] OT: one of the most pernicious spams i've ever seen.

Larry Ozeran vox-tech@lists.lugod.org
Fri, 26 Sep 2003 22:28:05 -0700


Thanks to all who commented on this thread. I had 3 requests to post my
summary, and no complaints (though the 3 days I promised aren't up yet).
Here is what I have to date. Please keep in mind it is intended for the
general public as part of a letter to the editor of our local paper. I left
in some technical issues which are critical to the explanation, but left
out much of the URI / URN / URL discussion which also occurred.

"
P@dirac.org started a message thread about email / internet scams with:
"when you feed a browser the given url, the citibank page comes up.  but
you also get a small page with a form that asks for your bank account
number and PIN.

http://www.citibank.com:ac=VybznNffNxknAUxPrfE2jYaQUptJ@a3ksd.PiSeM.NeT/3/?IYTEw4eVTtbH1w6CpDrT

Rob@wizardstower.net responded: "It's immediately redirecting you to the
citibank page, and telling your browser to give you the popup [to the bogus
web site] at the same time.  This method of trying to steal personal info
by trying to appear as coming from a legitimate company is called phishing."

Subsequent posts discussed other schemes for stealing (and safeguards for
protecting) personal information:

1) The entire message (supposedly) from ebay was actually an image/link,
not just the blue underlined text

2) The "URL" was actually inside another <a href=...> </a> tag
Suggestion: ask yourself "Why would my bank send me an email asking for my
PIN, especially since I didn't give them this email address?"

3) Most phishing schemes just steal the company logos to display on their
own bogus site

4) The most common cases of phishing do seem to go after ebay [as eboy] /
paypal [with the L replaced by a one], and the larger ISPs (mainly AOL and
MSN). One recent [scam] posing as an MSN page came as an email saying your
credit card charge didn't go through, and your MSN account would be
canceled if you didn't update your info. On the page it asked for:
Name, CC#, CCV (that 3 digit number at the end of the signature panel), Pin
#, Mother's maiden name, MSN Acct name, MSN password, Social security #
Suggestion: be wary of giving out ANY personal info online no matter what
the circumstances.

5) from an HTTP/URI and JavaScript point of view, this scam is clever

6) consider using a bank that allows you to choose two different PINs, one
for online, one for ATM

Other comments and actions:

This fraudulent site was reported to abuse@citibank.com

There is a Sacramento Valley Hi-Tech Crimes Task Force (
http://www.sachitechcops.org/ ). This group of 66 people includes
representatives from: City Police Departments [including Yuba City],
Sheriff Departments [including Sutter], State Agencies, Federal Agencies
[including FBI & Secret Service], & District Attorneys

The redirected web site, pisem.net, was found to be based in Russia

A message was sent to Netnation because the post on the dubious account/PIN
form gets transmitted to blades.netnation.com

The site appears to have been removed from operation within 48 hours of it
being noticed and reported to authorities."

The Yuba City / Sutter references are for the locals in my area. Before
submission to the newspaper, it will be further wrapped with some
introductory and closing comments. Feel free to comment publicly or
privately. Thanks again.

- Larry

At 12:26 PM 9/25/03 -0700, you wrote:
>Hi all -
>
>This is really interesting and really concerning. I would like to take
>selected parts of the discussion (for brevity and clarity) and send it to
>my local paper. Please indicate (offline is fine) if you would prefer to be
>named or kept anonymous.
>
>If you do not want your comments included, or you want to see what I plan
>to send to the paper before I send it, please note that. I would prefer
>"opt-in", but if I don't hear anything negative for 3 days, I'll assume
>it's OK. If there is a preponderance of interest in seeing my summary, I'll
>post it back to this thread.
>
>Thanks,
>
>- Larry
>
>At 02:23 PM 9/25/03 -0400, you wrote:
>>On Thu, Sep 25, 2003 at 11:04:54AM -0700, Michael J Wenk wrote:
>>> On Thu, Sep 25, 2003 at 10:23:11AM -0700, Mitch Patenaude wrote:
>>> > On Thu, Sep 25, 2003 at 06:30:32AM -0700, p@dirac.org wrote:
>>> > >http://www.citibank.com:ac=VybznNffNxknAUxPrfE2jYaQUptJ@a3ksd.PiSeM.NeT/3/?IYTEw4eVTtbH1w6CpDrT
>>> > 
>>> > Maybe a way for places like Citibank, Paypal and other fraud prone sites
>>> > to help prevent this would be to check the referer, and if it's a
>>> > strangely formed url that looks like it might be fraudulent (uses
>>> > username, lots of encoded characters, etc), put up a fraud warning
>>> > instead of the main page.
>>> > 
>>> > What do you guys think?
>>> 
>>> My only question/concern would be... What controls the referrer?  Is it
>>> mutable?  If so, it's just another layer for a cracker to hit.  I guess
>>> for every layer added, some lazy crackers stop doing it is probably a
>>> good enough reason...
>>
>>The referrer is controlled by the browser (and is definitely not
>>required). It was brought up at a LUGOD meeting a while back (the Don
>>Marti DMCA meeting) that doing a 302 redirect (page has temporarily
>>moved) was one way of avoiding sending a referer. I don't know if that
>>was specific to any certain browser, but it wouldn't be hard to test for
>>anyone who is running a webserver.
>>
>>I see a couple other problems with this idea too. First, this is the
>>first phishing scheme I've seen that loaded the actual homepage. Most
>>just steal their logos. Secondly, I'm almost positive that your browser
>>wouldn't send encoded characters in the referer. Your browser would have
>>already decoded them, and it would send them unencoded. As for
>>usernames, I don't think your browser would EVER send that as part of
>>the referer. That would be a MAJOR security flaw.
>>_______________________________________________
>>vox-tech mailing list
>>vox-tech@lists.lugod.org
>>http://lists.lugod.org/mailman/listinfo/vox-tech
>>
>>
>
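The userinfo trick in the bait URL quoted above, worked through as an added example (not code from the thread): Python's urllib.parse treats everything before the last '@' of the authority as userinfo, so the host the browser really connects to is the one after it. The watched-brand list is a constructed assumption, and the last function shows why the Referer check proposed in the thread would never see the citibank.com bait.

```python
from urllib.parse import urlsplit, urlunsplit

# Brands to watch for in the userinfo part of a URL (constructed list for
# this example, not from the thread).
WATCHED_BRANDS = ("citibank.com", "ebay.com", "paypal.com")

# The bait URL quoted in the thread: everything before the '@' is
# userinfo, so the browser never contacts citibank.com at all.
BAIT_URL = ("http://www.citibank.com:ac=VybznNffNxknAUxPrfE2jYaQUptJ"
            "@a3ksd.PiSeM.NeT/3/?IYTEw4eVTtbH1w6CpDrT")

def _under(name, domain):
    """True when name is domain itself or a subdomain of it."""
    return name == domain or name.endswith("." + domain)

def real_host(url):
    """Host the browser actually connects to: the part after the last '@'."""
    return (urlsplit(url).hostname or "").lower()

def spoofed_brand(url):
    """Watched brand planted in the userinfo while the real host is some
    other domain; None when the URL is not playing that trick."""
    parts = urlsplit(url)
    user = (parts.username or "").lower()
    host = real_host(url)
    for brand in WATCHED_BRANDS:
        if _under(user, brand) and not _under(host, brand):
            return brand
    return None

def classify(url):
    """'spoof' for the trick above, 'userinfo' for any other embedded
    credentials (rare in legitimate links), 'plain' otherwise.
    Look-alike hosts such as paypa1.com are NOT caught here."""
    if spoofed_brand(url):
        return "spoof"
    if "@" in urlsplit(url).netloc:
        return "userinfo"
    return "plain"

def referer_view(url):
    """Referer a browser would send for this page: RFC 7231 forbids
    userinfo and fragment there, so a referer check at the bank's
    site sees only the real host, never the citibank.com bait."""
    p = urlsplit(url)
    authority = p.hostname or ""
    if p.port:
        authority += ":%d" % p.port
    return urlunsplit((p.scheme, authority, p.path, p.query, ""))
```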