<![CDATA[[SecurityRatty] tag: dissect]]> http://securityratty.com/tag/dissect Wed, 09 Apr 2008 20:00:00 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss <![CDATA[Dissecting a Managed Spamming Service]]> http://securityratty.com/article/a86a7c12b2395b3c5ee8667c3a4d13e0 http://securityratty.com/article/a86a7c12b2395b3c5ee8667c3a4d13e0 With cybercrime getting easier to outsource these days, and with the overall underground economy's natural maturity from products to services, "managed spamming appliances" and managed spamming services are becoming rather common. Increasingly, these "vendors" are starting to "vertically integrate", namely, start diversifying the portfolio of services they offer in order to steal market share from other "vendors" offering related services like, email database cleaning, segmentation of email databases, email servers or botnets whose hosts have a pre-checked and relatively clean IP reputation, namely they're not blacklisted yet.

How much does it cost to send 1 million spam emails these days? According to a random spamming service, $100 excluding the discounts based on the speed of sending desired, namely 10-20 per second or 20-30 per second. Let's dissect the service, and emphasize on its key differentiation factors, as well as the customerization offered in the form of a dedicated server if the customer would like to send billions of emails :

"-- High quality and percentage of spam delivery 
-- Fast speed of delivery
-- Spam database on behalf of the vendor, or using your own database of harvested emails
-- Easily obtainable and segmented spam databases on per country basis
-- Randomization of the spam email's body and headers in order to achieve a higher delivery rate
-- Support for attachments, executables, and image files

The cost - $100 for a million for letters delivered spam, with the large volume of spam discounts 20% -30% -40% based on the value-added Do-it-yourself customer interfare based on a multi-user botnet command and control interface :
 
-- Automatic RBL verification
-- Support for many subjects, headers,
-- Total customization of the email sending process
-- Autogenerating junk content next to the spammers email/link in order to bypass filtering
-- Faking Outlook Message ID / Boundary / Content-ID
-- Interface added. Now do not necessarily understand all the features into the system to start the list.
-- Convenient management tasks.
-- A high percentage of punching, on the basis of good europe - 40-60% (For the United States - less because there aol and others).
-- Improved metrics, whether or not the emails have been sent, lost, unknown receipt, or have been RBL-ed

With the weight of a billion - even discounts and the possibility of making a personal server. "

Rather surprising, they state that European email users have a higher probability of receiving the spam message compared the U.S due to AOL. What they're actually trying to say is due to AOL's use of Domain Keys Identified Mail (DKIM). As far as localization of the spam to the email owner's native language is concerned, this segmentation concept has been take place for over an year now.

This service, like the majority of others rely entirely on malware infected hosts, which due to the multi-user nature of most of the malware command and control interfaces, allows them to easily add customers and set their privileges based on the type of service that they purchase. This leaves a countless number of opportunities for targeted spamming, and yes, spear phishing attacks made possible due to the segmentation of the emails based on a country, city, even company.

In the long term, the people behind spamming providers, web malware exploitation kits and DIY phishing kits, will inevitably start introducing built-in features which were once available through third-party services. For instance, hosting infrastructure for the spam/phishing/live exploit URLs, or even managed fast-flux infrastructure, have the potential to become widely available if such optional features get built-in phishing kits, or start getting offered by the spamming provider itself. And since the affiliate based model seems to be working just fine, the ongoing underground consolidation will converge providers of different underground goods and services, where everyone would be driving customers to one another's services and earning revenue in the process.
]]> Wed, 30 Jul 2008 01:32:44 +0000 spam spam message spam discounts spam database spam databases spam email email emails based email servers Dissecting a Managed Spamming Service <![CDATA[Mobile Malware Scam iSexPlayer Wants Your Money]]> http://securityratty.com/article/2e181320354dd6dbef7263b149510ae5 http://securityratty.com/article/2e181320354dd6dbef7263b149510ae5
A bogus media player (iSexPlayer.jar) targeting Symbian S60 3rd edition devices according to several affected parties, is currently being spammed through blackhat search engine optimization. Once infected upon confirming its execution since it's doesn't seem to be exploiting a specific vulnerability besides "bargain hunters" desire for free adult material, the malware attempts to trick the user into participating by becoming a member, however, a quick peek the source code reveals interesting facts about the scam.

For instance, once providing them with your credit card details and basically wanting to try out the service, it appears that there's no way out of it which is a problem since "Trial membership recur at $US 29.95 unless cancelled, Monthly membership recur unless cancelled" and also, "Do you want full access to all pictures and videos? Cost is 2 Euros, charged 100% descreet on your phone bill over SMS. Please allow iSexPlayer to send SMS".

The spammed through blackhat SEO sites are currently active, and perhaps a bit ironic, once you make any transaction with these people, anything that goes on at a later stage such as automatic calling or sms-sing to squeeze your bill, may be in fact legal since you authorized it.

Symbian Freak has some details, as well as an affected party :

"Last week, I had lend my N73 to one of my friends for use as he had lost his phone. I did not know what he did, but I checked my bills today and see some International calls made that amount to around 20USD. That is around 800 Indian rupees. To check, I called the number and learnt that it was a phone sex line. Now it was time for my friend to answer. The thirteen calls were made during a period spanning two days. On an average there were 7 calls a day. Now, the thing that struck me is, going by the call records, the calls on the second day were made when I had the phone with me. I am pretty sure no one dialled the numbers. I called my buddy and asked him if he had downloaded something. He then spilled the beans informing that he did go to some adult website and installed a software (I do not recall the name)."

The name of the "software" as I've already pointed out is iSexPlayer. Let's dissect the scammers and their sites currently spammed across 100,000 sites using blackhat SEO tactics. Related domains sharing the same IP and internal pages :

3g6.se
3gx.se
conn2.3g6.se
conn2.3g6.se
test.3gx.se

83.241.194.132 (83.241.194.128-83.241.194.191 DGC-DIRECT2-01 Direct2Internet AB - Internet Access Located in Johanneshov, Sweden)

3g6.se/dstream.php
3g6.se/newplayerdl.php
3g6.se/chrono/callback.php
secure.chronopay.com/index.cgi

The scammer's pitch :

"Free access to: - 500 Hardcore scenes - 100 Full lenght movies - Picture galleries Important! To install iSexplayer you must be at least 18 years old. You must install and run iSexplayer™ access module to watch the videos on Nintendo DS, You must install and run iSexplayer™ access module to watch the videos on Apple iPhone, Install iSexplayer"

Upon attempting to download the .jar file from the mobile page, the iSexPlayer.php does the magic like that :

"MIDlet-1: iSexPlayer,/icon.png,Easyloader
MIDlet-Install-Notify: http://3g6.se/install_notify.php?id=1322451
MIDlet-Jar-Size: 101313
MIDlet-Jar-URL: http://3g6.se/iSexPlayer.jar
MIDlet-Name: iSexPlayer
MIDlet-Vendor: Vendor
MIDlet-Version: 1.0
MicroEdition-Configuration: CLDC-1.0
MicroEdition-Profile: MIDP-2.0
did: 1322451
did2: 9416755"

Who's behind the scam?

"c_javax_microedition_lcdui_Form_fld.append("\niSexPlayer is owned by: ");
c_javax_microedition_lcdui_Form_fld.append("\nEnit Invest S.L. "); 
c_javax_microedition_lcdui_Form_fld.append("\nweb: enitinvest.com ");
c_javax_microedition_lcdui_Form_fld.append("\nemail: support@enitinvest.com ");
c_javax_microedition_lcdui_Form_fld.append("\nTel: 1-800-845-4951 ");"

Enit Invest S.L.
Av. Machupichu 26, S 18
28043 Madrid
email: support@enitinvest.com
Tel: 1-800-845-4951

And since I'm sure that there are more juicy details within the source code further exposing their scammy practices, which you should not authorize in any way, just like you wouldn't really like making a long call on a premium rate number thanks to having a malware infected phone, once more details are gathered, particularly its compatibility with devices, they'll be posted.
]]> Wed, 09 Jul 2008 03:42:00 +0000 isexplayer install install isexplayer access internet access isexplayer access module phone blackhat seo sites sites Mobile Malware Scam iSexPlayer Wants Your Money <![CDATA[Japan's 10 funniest tech-related ads]]> http://securityratty.com/article/a9c46a790e8b14e81601652ef2bdc067 http://securityratty.com/article/a9c46a790e8b14e81601652ef2bdc067

Succeeding with Seagate® is an Easy Decision.

Advertisement

REGISTER FOR THE SEAGATE® PARTNER PROGRAM and Win a Barracuda® 1-TB drive!

]]> Wed, 09 Apr 2008 20:00:00 +0000 barracuda 1-tb drive cannon laser copiers ads easy decision intel processors partner program dissect japans advertisement win Japan's 10 funniest tech-related ads