
contact Wesley McGrew: | email - wesley@mcgrewsecurity.com | gpg key | aim - wesleymcgrew | twitter - mcgrewsecurity |

McGrew Security Blog

Archive for the ‘email’ Category

Scammer edits Wikipedia entry on Advance fee fraud

Tuesday, June 3rd, 2008

Last night, I received a phishing email wanting my university email account information.  Whenever I’m picking through email headers, or any other kind of network forensics, I find it useful to punch the IP addresses I find into Google.  You can often build a good image of what that particular system or network is used for, by reading abuse reports, exposed log files, logs of Wiki edits, and all sorts of other situations where an IP address might be indexed by a search engine.  

This particular bad-guy IP is a great example of an IP address that has really made its mark on Google, so I’ll link the results here:

* Google search results for “196.3.61.4”

Off the eastern coast of Madagascar, there’s an island called Mauritius.  On this island there’s the city of Ebene.  In this city, there’s this building, the “Cyber Tower”.  According to Whois, on the third floor of this building, there’s a computer being used for all sorts of phishing and fraud.  

It would be “just another scammer”, but this one has a great sense of humor.  Check out this diff on an edit made from that IP address on the Wikipedia entry for Advance fee fraud:

Very nice.


“Import email addresses” Considered Harmful

Sunday, March 30th, 2008

I’ve posted about this before, regarding Twitter’s signup process, although Facebook’s signup process is probably the most well-known example. Now, I see it on Slideshare. For future reference, when you see this:

[Image: SlideShare Fail]

Please do this:

[Image: SlideShare 2]

I’m sure most of my readers can imagine what a bad idea it is to hand their email password over to a third party. What’s more dangerous is that this functionality might become more common. If every social-networking-site-of-the-week integrates something similar into their signup process (and it is attractive for them), then it will become more natural for users to expect it, making them less likely to question it. Overall, it makes phishing a lot easier, as now you have a wider choice of sites you can mimic, or you can just make up something completely new.

Also, at least in this specific case, the credentials you’re handing over are not going over SSL. Who knows what precautions are being taken on the other side of this web application, where it’s actually signing into your email and harvesting out the information. You might be carefully using GMail only over SSL for your sessions with it, but there’s no guarantee that SlideShare/Twitter/Facebook will be doing the same. There’s also no real assurance that your credentials haven’t been cached or stored in some way.

You may make yourself out to be a bad Internet citizen if you utilize these features, as well. I know of at least one case where a user signed up, the site automatically picked up all of his contacts, and immediately spammed out a referral email to every one of them, including mailing lists. Your friends and other contacts might not like this very much.

I think it’s a bad idea, and I hope that it doesn’t become a more widespread trend than it already is.

Dissecting the crackmails.net Phishing-For-Hire Scheme

Friday, October 26th, 2007

A week ago on the BinRev forums, a link was posted to a site that advertised the ability of the owners to hack any web-based email account. The link was to crackmails.net; however, the same site was also available at yourhackers.net and hackpasswords.net (and perhaps more). The cost of this service was $100 per account, and (this is the great part) they would provide proof to you that they had hacked the target account with a screenshot of the inbox. Only then would you have to pay to receive the . You probably know what I was thinking when I read this already ;).

Here’s what the main page looked like:

I created a new email address on Gmail, with the name of a recent, but inactive, troll on the forums (so there’d be a few things in Google if they decided to do their research). Then, I filled out their order form with the information in the screenshot below, asking them to attack my own Gmail account, wesleymcgrew@gmail.com. I had to give them something that didn’t look as much like a dummy account. Besides, it’s funnier this way. I had a lot of fun filling out the form asking why they should hack my Gmail account ;):

A short while later, I received an automated mail confirming my order (very professional!) in my dummy account’s inbox:

A full day later, I received the following phishing mail in my own Gmail account:

A plaintext copy of this email with full headers is available here for those who love to dig :). I suppose they got around Gmail’s filters by being such a small operation. Does anyone really trust 123greetings-type emails anymore? I guess they must. Notice the domain name 123greetingsline.com, and the just-for-me unique URL. I tried modifying the URL; however, it seems like they just generate the files as-needed when they receive an order.

Clicking on the link takes you to the phishing site itself:

Here’s the source for the login form:

For all the domain names they have, and all the web hosts they’ve been using, they had to resort to using a form mail script and leave the email addresses they use for harvesting out in the open. Hilarious.

If you’re a regular reader of this blog, you already know what I like to do with phishing sites (read up here if you’re not familiar with the technique I use to set up web bugs for catching phishers unaware). This one is no exception, so I set up a unique image and page on my site here to use with a web bug. Then I filled out the form fields with the HTML needed to try and render the image and link to the unique URL:

Once that was submitted, it actually went through the trouble of redirecting me to the real 123greetings for a nice card:

I set up tail and grep to look for a hit to either of the unique URLs I set up, and a day later I got the hit:

81.129.180.36 - - [23/Oct/2007:12:23:19 -0400]
"GET /XXXXXXXXXXXXXXX>HAY</a&gt HTTP/1.1" 404 245
"http://desigubshup.com:2095/horde/imp/message.php?index=245"
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1;
.NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506;
InfoPath.2)"

So, here you have the IP address (resolves to one of btcentralplus.com’s customers), which at a glance didn’t appear to be running any sort of open proxy, a referral URL revealing where and how they’re checking their mail (there might be somewhere around 244 other victims, judging from the mail ID), and a nice long user agent string. Judging by the mangled end of the request, my web bugs didn’t render very well within IMP, however the phisher was dumb enough to click on the link anyway. This is the reason I try to put HTML links in along with normal image-based web bugs, and you’d be amazed at how often this happens.
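Turning the tail-and-grep watch above into something repeatable, as an added example (not the post’s own script): a small parser for combined-format access logs that flags any request touching one of the unique web-bug URLs, treats the mangled link request and its 404 as a hit just the same, and pulls the webmail host and message index out of the referer. The log lines, token names and hostnames are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import parse_qs, urlsplit

# Combined access-log format (Apache/nginx), the same layout as the hit quoted above.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
                    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

@dataclass
class BugHit:
    token: str                    # which unique web-bug URL was touched
    ip: str                       # who fetched it
    timestamp: str
    request: str                  # raw request line, possibly mangled by the webmail client
    status: int                   # a 404 is still a hit: the token was requested
    referer_host: str             # where the phisher was reading mail
    message_index: Optional[int]  # e.g. Horde IMP's 'index' query parameter
    user_agent: str

def referer_hints(referer: str):
    # Webmail host and, if present, the message index from the referer URL.
    parts = urlsplit(referer)
    idx = parse_qs(parts.query).get("index", [""])[0]
    return parts.netloc, (int(idx) if idx.isdigit() else None)

def find_bug_hits(lines: Iterable[str], tokens: Iterable[str]) -> List[BugHit]:
    """One BugHit per request whose request line contains a web-bug token. Substring match is
    deliberate: the link may arrive mangled ('>HAY</a&gt') and get a 404, but it is still a click."""
    hits = []
    for line in lines:
        if not (m := LOG_RE.match(line.strip())):
            continue                      # not a combined-format line; ignore it
        for tok in tokens:
            if tok in m["request"]:
                host, idx = referer_hints(m["referer"])
                hits.append(BugHit(tok, m["ip"], m["ts"], m["request"],
                                   int(m["status"]), host, idx, m["ua"]))
                break
    return hits

# Constructed sample log lines (not from the page); 192.0.2.0/24 is documentation address space.
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Oct/2007:12:23:19 -0400] "GET /bug-7f3a9c.png HTTP/1.1" 200 95 "http://webmail.example.net:2095/horde/imp/message.php?index=245" "Mozilla/4.0 (compatible; MSIE 7.0)"',
    '192.0.2.10 - - [23/Oct/2007:12:23:21 -0400] "GET /bug-7f3a9c-link>HAY</a&gt HTTP/1.1" 404 245 "http://webmail.example.net:2095/horde/imp/message.php?index=245" "Mozilla/4.0 (compatible; MSIE 7.0)"',
    '192.0.2.77 - - [23/Oct/2007:13:00:00 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.16"',
    'garbage line that is not an access log entry',
]
TOKENS = ["bug-7f3a9c.png", "bug-7f3a9c-link"]   # the two unique URLs planted in the form fields
```

Run it over a live log with `find_bug_hits(open("access.log"), TOKENS)`; an image fetch and a click on the HTML link show up as separate hits sharing the same referer.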

I sent a couple of emails to them inquiring about the status of my order. Unfortunately, I haven’t heard back from them. As of a day or two ago, the sites they were advertising their services on look like this:

I’m sure they’re not very happy about that. Maybe they’ll find this post and leave us a comment bringing us up to speed on their situation ;).

Reading employee mail after they’re long gone…

Wednesday, June 6th, 2007

I’ve neglected this blog a little bit for the past few days while I’ve been playing with my new toy (a Cingular 8125, basically a re-branded HTC Wizard). I should be back soon, with a neat post or two about the sort of tools a security geek might want on his or her Windows Mobile phone. I’ve had a lot of fun with it so far.

To tide you over until then, I ran across this post, by HD Moore, on the Full-Disclosure list today:

[Full-disclosure] You shady bastards.

This is interesting for a couple of reasons. One, it gets you thinking about the potential value ex-employee email addresses have to a company. The temptation to continue to monitor incoming mail on these addresses is high. Is it legal? As you can tell by the discussion already on the list, it all depends on the agreements the employee has signed. Pretty soon you’ll start seeing clauses about post-employment on consent-to-monitoring agreements, if you haven’t already seen them.

Another reason this is interesting is that HDM pulled a neat, low-tech trick to verify that someone was reading mail to the address he was sending mail to. I’ve done this before, and it works fairly well :). In a way it’s similar to the phish-baiting techniques that I’ve written about before on here. This is something you can add to your bag of tricks (also works well for other protocols: IM, IRC, etc.), and it’s something you can keep in mind when you’re given a link by someone in a situation like this.