The price of being famous?

Once again, someone tries to get credentials using eBay-style messages.
ebay number 3

As usual, you should be alarmed by the full header:

Return-Path: member@ebay.com
Received: from mail.neel.net (71.165.245.13)
by xxxxxxxxxx.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
Sat, 18 Aug 2007 20:18:13 +0100 (CET)
Received: from User ([202.28.4.25])
by mail.neel.net (Merak 7.6.2) with ASMTP id EAA74438;
Thu, 16 Aug 2007 13:13:34 -0700
From: "ebay"<member@ebay.com>
Subject: confirm your email address on file at eBay
Date: Thu, 16 Aug 2007 11:15:32 +0700
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

Outlook Express, so a basic consumer mail client; eBay's notification system does not send with that (the X-Mailer line is set by the sender and proves nothing by itself, but nobody bothered to fake a plausible one). I'm not fooled by such stupidity.
There is no To: line, and the message actually states:
For security reasons your registered name and email is not included.
Makes sense, since they don't know it. They want you to supply it to them, and your password….

The mailserver has little or nothing to do with EBay: it’s a Verizon address:

$ dig -x 71.165.245.13

; <<>> DiG 9.3.1 <<>> -x 71.165.245.13
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17107
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;13.245.165.71.in-addr.arpa. IN PTR

;; ANSWER SECTION:
13.245.165.71.in-addr.arpa. 69628 IN PTR mail.neel.net.

;; AUTHORITY SECTION:
245.165.71.in-addr.arpa. 69628 IN NS ns2.verizon.net.
245.165.71.in-addr.arpa. 69628 IN NS ns2.bellatlantic.net.
245.165.71.in-addr.arpa. 69628 IN NS ns4.verizon.net.
245.165.71.in-addr.arpa. 69628 IN NS ns1.bellatlantic.net.

eBay might conceivably relay through a Verizon or Bell Atlantic customer, but the host that handed the message to mail.neel.net, 202.28.4.25, is in Thailand:

$ dig -x 202.28.4.25

; <<>> DiG 9.3.1 <<>> -x 202.28.4.25
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15689
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;25.4.28.202.in-addr.arpa. IN PTR

;; ANSWER SECTION:
25.4.28.202.in-addr.arpa. 86400 IN PTR libmod25.lib.kmutt.ac.th.

;; AUTHORITY SECTION:
4.28.202.in-addr.arpa. 86400 IN NS libmod.lib.kmutt.ac.th.

A library machine at a Thai university (kmutt.ac.th), which also fits the +0700 offset in the Date: header. I have my doubts.

More important: the link behind the confirm button is not eBay at all. The visible text says cgi4.ebay.com, but the href points elsewhere:
<div><FONT face="Arial, Verdana" size=2>To confirm your email address on file at eBay, just click the button to the right: </FONT></div> <div><FONT face="Arial, Verdana" size=2>You can also copy and paste the following link into your web browser: <BR><A onclick="return top.js.OpenExtLink(window,event,this)" href="http://0xcfead15b/signin.ebay.com/ws/index.htm"
target=_blank>http://cgi4.ebay.com/ws<WBR>/eBayISAPI.dll?ChangeEmailConfi<WBR>rm</A>

The host part of the href is an IP address written as a single hex number, 0xcfead15b. Browsers accept that notation, and it translates to 207.234.209.91 (cf=207, ea=234, d1=209, 5b=91); the "signin.ebay.com" that follows is merely a directory on that server. This is the owner of the address:
Affinity Internet, Inc AFFINITY-207-234-128-0 (NET-207-234-128-0-1)
207.234.128.0 - 207.234.255.255
Affinity Internet, Inc AFFINITY-DEDIATED-207-234-209-0 (NET-207-234-209-0-1)
207.234.209.0 - 207.234.209.255
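As an added example (not code from the original post), here is a small Python check that does what the analysis above does by hand: it pulls every anchor out of an HTML mail body, decodes a numeric host written in hex, decimal, octal or with fewer than four labels into a dotted quad, and flags links whose visible text names a different host than the href. The sample HTML is the anchor from the message above, re-assembled as a string; the function names and the list of numeric forms handled are my own assumptions, not anything from the page.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the anchor from the eBay message above, with its display
# text broken up by <WBR> tags exactly as in the original HTML.
SAMPLE_HTML = (
    '<A onclick="return top.js.OpenExtLink(window,event,this)" '
    'href="http://0xcfead15b/signin.ebay.com/ws/index.htm" target=_blank>'
    'http://cgi4.ebay.com/ws<WBR>/eBayISAPI.dll?ChangeEmailConfi<WBR>rm</A>'
)


def _label(tok):
    """Parse one numeric label the way inet_aton does: 0x.. hex, 0.. octal,
    anything else decimal. Raises ValueError for a non-numeric label."""
    if tok.startswith('0x'):
        return int(tok[2:], 16)
    if len(tok) > 1 and tok.startswith('0'):
        return int(tok, 8)
    return int(tok)


def decode_host(host):
    """Return the dotted-quad IPv4 address hidden in a URL host written in a
    legacy numeric form browsers still accept (one hex or decimal number,
    octal labels, or fewer than four labels where the last one fills the
    remaining bytes), or None if the host is an ordinary name."""
    labels = host.strip().lower().split('.')
    if not 1 <= len(labels) <= 4:
        return None
    try:
        values = [_label(l) for l in labels]
    except ValueError:
        return None                      # a real hostname such as cgi4.ebay.com
    n = 0
    for i, v in enumerate(values[:-1]):  # leading labels are single octets
        if not 0 <= v <= 255:
            return None
        n |= v << (8 * (3 - i))
    last_bits = 8 * (5 - len(values))    # last label fills what is left
    if not 0 <= values[-1] < (1 << last_bits):
        return None
    n |= values[-1]
    return str(ipaddress.IPv4Address(n))


class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs; <WBR> inside the text is ignored."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self._href, self._text = dict(attrs).get('href'), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == 'a' and self._href is not None:
            self.links.append((self._href, ''.join(self._text).strip()))
            self._href = None


def check_links(html):
    """For each anchor report the real host, the decoded IP if the host is
    numeric, and whether the visible text claims a different host."""
    p = _Anchors()
    p.feed(html)
    p.close()
    out = []
    for href, text in p.links:
        href_host = urlsplit(href).hostname or ''
        text_host = urlsplit(text).hostname if '://' in text else None
        out.append({
            'href': href,
            'href_host': href_host,
            'decoded_ip': decode_host(href_host),
            'text_host': text_host,
            'mismatch': text_host is not None and text_host != href_host,
        })
    return out


if __name__ == '__main__':
    for f in check_links(SAMPLE_HTML):
        print(f)
```

Run against the sample it reports href host 0xcfead15b, decoded IP 207.234.209.91, text host cgi4.ebay.com and a mismatch. The decoder follows inet_aton semantics, which is also how browsers treat an all-numeric last label, so the same routine catches the decimal (3488272731) and mixed (0xcf.234.0321.91) spellings of the same address.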

Kevin tries to be smart…

A message received today, supposedly from account@paypal.com and with the subject “Cancel Your Payment”, contains nothing but this reference, exactly as shown:

<A HREF="http://qcp.rice.edu/ganglia/addons/.cgi-bin/cmd=_login-run.html">
<IMG SRC="http://www.myspacks.de/uploads/.x/scirosare2.jpg" border="0">
</A>

The raw message reads:

Return-Path: kevin@simon-tech.homelinux.com
Received: from 61-219-84-147.HINET-IP.hinet.net (61.219.84.147)
by XXXXXXXXXX.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
Tue, 14 Aug 2007 12:36:11 +0100 (CET)
Received: (from kevin@localhost)
by simon-tech.homelinux.com (8.11.6/8.11.6) id l7EAPOh14797;
Tue, 14 Aug 2007 18:25:25 +0800
Date: Tue, 14 Aug 2007 18:25:25 +0800
Message-Id: <200708141025.l7EAPOh14797@simon-tech.homelinux.com>
To: XXXXXXXXXX@grootersnet.nl
Subject: Cancel Your Payment
From: “PayPal Inc.” <account@paypal.com>
Content-Type: text/html

<A HREF="http://qcp.rice.edu/ganglia/addons/.cgi-bin/cmd=_login-run.html">
<IMG SRC="http://www.myspacks.de/uploads/.x/scirosare2.jpg" border="0">
</A>

NO hiding of links – just this.

You won’t get very far with this…

(Will be continued. I’ll check the image links tonight – from Diana, of course)

One day earlier, a similar message was received. The header:

Return-Path: account@paypal.com
Received: from 80.114.97.2.ip.onderwijs.casematelecom.nl (80.114.97.2)
by xxxxxxxx.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
Mon, 13 Aug 2007 04:14:06 +0100 (CET)
Received: from 116.0.68.84 by ; Mon, 13 Aug 2007 04:13:15 +0100
Message-ID: <SOXRQQULKMMBFKVTWBHAOR@msn.com>
From: "PayPal Inc." <account@paypal.com>
Reply-To: "PayPal Inc." <account@paypal.com>
To: xxxxxxxxxx@grootersnet.nl
Subject: Cancel The Payment
Date: Mon, 13 Aug 2007 06:11:15 +0300
X-Mailer: AOL 7.0 for Windows US sub 118
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--716555016311414036"
X-Priority: 1
X-MSMail-Priority: High

and the content is again just a URL, exactly as shown here:

<http://qcp.rice.edu/ganglia/addons/.cgi-bin/cmd=_login-run.html>

The Dutch educational server that relayed it (onderwijs = education) has been abused; its own Received: line shows it accepted the message from 116.0.68.84. The msn.com Message-ID proves nothing, since the sender chooses that header. It remains to be seen whether something can be arranged…

UPDATE
It seems rice.edu has taken action. qcp.rice.edu still resolves:
$ dig qcp.rice.edu

; <<>> DiG 9.3.1 <<>> qcp.rice.edu
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17552
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;qcp.rice.edu. IN A

;; ANSWER SECTION:
qcp.rice.edu. 3266 IN A 128.42.130.5

but there is no answer when accessing it with a browser.

Etrade Financial

Received today:
Etrade financial
I'm not a customer, so this is most definitely a phishing attempt, doomed to fail.

The header shows it didn’t come from the bank at all:
Return-Path: service@etrade.us.com
Received: from yyy.yyy.net (203.1.13.7)
by xxxxxxxx.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
Tue, 7 Aug 2007 18:24:37 +0100 (CET)
Received: from zzz.yyy.net (localhost [127.0.0.1])
by yyy.yyy.net (Postfix) with ESMTP id 442F19BBF5;
Wed, 8 Aug 2007 02:24:31 +1000 (EST)
Received: from zzz.yyy.net (unknown [192.168.0.1])
by ryyy.yyy.net (Postfix) with ESMTP id 267869BBF2;
Wed, 8 Aug 2007 02:24:31 +1000 (EST)
Received: from User ([86.107.232.208] unverified) by yyy.yyy.net with Microsoft SMTPSVC(5.0.2195.6713);
Wed, 8 Aug 2007 02:24:30 +1000
Reply-To:
From: "service@etrade.us.com"

Subject: Account Locked !
Date: Tue, 7 Aug 2007 19:24:26 +0300
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID: <ROJANglUQgbKhR43Cdz00000e75@rojan.rojan.net>
X-OriginalArrivalTime: 07 Aug 2007 16:24:30.0690 (UTC) FILETIME=[6E9D7C20:01C7D90F]
To: undisclosed-recipients:;
X-Virus-Scanned: ClamAV using ClamSMTP

and the single link in it shows a bogus address as well:
<a href="http://paperart.ro/new/etrade.us.com.php" class="style2">Click Here to Unlock your account </a>
Either a bad domain, or a hacked server? Note also that the sender domain, etrade.us.com, is not etrade.com: us.com is a commercial second-level domain that anyone can register under. The relay is an Australian IT company (the +1000 timestamps on its internal hops fit that), and they have been informed; their server names and domain have been obscured. The inner hops through 127.0.0.1 and 192.168.0.1 are that company's own internal relaying; the message entered at the "from User ([86.107.232.208] unverified)" line. That HELO name "User", the Windows-1251 charset and the identical Outlook Express 6.00.2600.0000 X-Mailer string also appear in the eBay message above, which points to the same sending tool.

Ebay again…

Ebay 06-aug-2007

Again: this is fake, since my name is not shown at the top. The message header shows the mail did not originate at eBay:

Return-Path: member@eday.com
Received: from datumarchitects.us (69.36.176.162)
by xxxxxxxx.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
Mon, 6 Aug 2007 19:29:02 +0100 (CET)
Received: from User ([195.84.14.70])
(authenticated bits=0)
by yyyyyyyyyy.us (8.12.11.20060308/8.12.11) with ESMTP id l76HIw5B001374;
Mon, 6 Aug 2007 11:19:00 -0600
Message-Id: <200708061719.l76HIw5B001374@yyyyyyyyyy.us>
Reply-To:
From: "member"

Subject: message from en eBay memeber
Date: Mon, 6 Aug 2007 19:19:13 +0200
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by yyyyyyyyyy.us id l76HIw5B001374

(I have removed the references to innocent addresses. My guess is that the mailserver of the company shown as “yyyyyyyyyy.us” has been hacked or abused as a relay, or that one or more of its machines have been infected. The “(authenticated bits=0)” in its Received: line is what sendmail writes when the client logged in with SMTP AUTH, so a stolen or guessed mailbox password is the most likely explanation, rather than an open relay. They have been informed.)
Besides sloppy typing (member@eDay) I don't think eBay would use Outlook Express.
All links in this message lead to
<A href="http://yhandros.com/convoca/test/ws/eBay_com_Verify_your_eBay_account_files/" target=_blank><FONT color=#003399>https://pages.ebay.com/education/spooftutorial</FONT></A>
http://yhandros.com leads to a Spanish blog, badly in need of an update:
<meta name="generator" content="WordPress 2.0.1" />
Getting on with the URL: “…/convoca” leads to a form for uploading files. “…/convoca/test” and, below that, “…/ws” are not accessible (Forbidden), and “…/eBay_com_Verify_your_eBay_account_files/” shows an “eBay” login page, sending username and password to… well, I couldn't find out. Assuming the owner of the site has the right attitude: either the site is hacked, or someone has uploaded the bad page there. I did some examination of that page but couldn't find out exactly where the submit button leads; it sets a cookie, but I couldn't locate the target.
But if this is done deliberately: you're warned.
UPDATE
The message to the company whose mailserver was abused bounced back from RoadRunner.com, naming a very different address that seems to be blocked completely. That system may be abused as well, and there is no way to contact them that way.
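Added example, not code from the original posts: a Python routine that walks a message's Received: headers oldest-first, separates internal hops (loopback and RFC 1918 addresses such as the 127.0.0.1 and 192.168.0.1 in the Etrade header above) from the hop that introduced the message, and reports whether that hop was marked unverified (as Microsoft SMTPSVC does) or authenticated (as sendmail does after SMTP AUTH, in the 6 August eBay header). The two sample header blocks are the ones shown on this page, re-indented so they parse as real headers, with the obscured relay names kept as shown; the function names and the dictionary layout are my own.

```python
import ipaddress
import re
from email import message_from_string

# Constructed samples: the header blocks from the Etrade and 6 August eBay
# posts on this page, continuation lines indented so the parser unfolds them.
ETRADE_HEADERS = """\
Return-Path: service@etrade.us.com
Received: from yyy.yyy.net (203.1.13.7)
 by xxxxxxxx.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
 Tue, 7 Aug 2007 18:24:37 +0100 (CET)
Received: from zzz.yyy.net (localhost [127.0.0.1])
 by yyy.yyy.net (Postfix) with ESMTP id 442F19BBF5;
 Wed, 8 Aug 2007 02:24:31 +1000 (EST)
Received: from zzz.yyy.net (unknown [192.168.0.1])
 by ryyy.yyy.net (Postfix) with ESMTP id 267869BBF2;
 Wed, 8 Aug 2007 02:24:31 +1000 (EST)
Received: from User ([86.107.232.208] unverified) by yyy.yyy.net with Microsoft SMTPSVC(5.0.2195.6713);
 Wed, 8 Aug 2007 02:24:30 +1000
From: "service@etrade.us.com"
Subject: Account Locked !

"""

EBAY_HEADERS = """\
Return-Path: member@eday.com
Received: from datumarchitects.us (69.36.176.162)
 by xxxxxxxx.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
 Mon, 6 Aug 2007 19:29:02 +0100 (CET)
Received: from User ([195.84.14.70])
 (authenticated bits=0)
 by yyyyyyyyyy.us (8.12.11.20060308/8.12.11) with ESMTP id l76HIw5B001374;
 Mon, 6 Aug 2007 11:19:00 -0600
From: "member"
Subject: message from en eBay memeber

"""

# Exactly four 1-3 digit labels, not embedded in a longer dotted version
# string such as 8.12.11.20060308 or 5.0.2195.6713.
IPV4 = re.compile(r'(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])')


def _is_internal(ip):
    return ip.is_private or ip.is_loopback


def parse_hops(raw_headers):
    """Return the Received: chain oldest-first, one dict per hop."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in reversed(msg.get_all('Received', [])):
        line = ' '.join(value.split())           # unfold the header
        ips = []
        for m in IPV4.findall(line):
            try:
                ips.append(ipaddress.ip_address(m))
            except ValueError:                   # e.g. 999.1.1.1
                continue
        hops.append({
            'line': line,
            'ips': [str(ip) for ip in ips],
            'internal': bool(ips) and all(_is_internal(ip) for ip in ips),
            'unverified': 'unverified' in line.lower(),
            'authenticated': 'authenticated' in line.lower(),
        })
    return hops


def originator(raw_headers):
    """The oldest hop that names a public address is the best available
    guess at the real sender; internal hops are relaying inside the abused
    mail system. Returns None if no hop carries a public address."""
    for hop in parse_hops(raw_headers):
        public = [ip for ip in hop['ips']
                  if not _is_internal(ipaddress.ip_address(ip))]
        if public:
            return {'ip': public[0],
                    'unverified': hop['unverified'],
                    'authenticated': hop['authenticated']}
    return None


if __name__ == '__main__':
    print(originator(ETRADE_HEADERS))
    print(originator(EBAY_HEADERS))
```

For the Etrade block this returns 86.107.232.208, unverified and not authenticated; for the eBay block 195.84.14.70, authenticated. Only the topmost Received: line is written by your own server; everything below it is what the relay claims, and an attacker who controls the relay can forge it. Here the relays were third-party servers that were abused rather than owned, which is why their stamps are still worth reading.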

Another fake Ebay

suspended

Looks impressive, doesn't it?
eBay has nothing to do with it: where's my name?

The message text is sloppy as well; eBay wouldn't be as dumb as this.

The phishing page sits on a Japanese domain (.co.jp); the header further down shows the message itself was submitted through a relay from a Belgian cable address. If the two links are scrutinized, you see a non-eBay address:

<p>If you feel you have been suspended in error or want to appeal this decision by providing additional information, please
<a href=3D"http://ns.maple-soft.co.jp/eBay">click here</a>.</font></p>
<p><tt><font size=3D"2" face=3D"Arial">Due to recent activity, including possible unauthorized listings, we have temporarily suspended activity
on your account in order to allow us to investigate this matter further.
If you believe that this action may have been taken in error, or, if you
feel that your account may have been tampered with, please
<a href=3D"http://ns.maple-soft.co.jp/eBay">click here</a> to provide
additional information and regain your full access on eBay.

The link at the bottom points to that same address.

The header reveals some detail as well:

Return-Path: support@ebay.com
Received: from ftp.pcw.pcw.net (66.70.223.111)
by *** my server *** (V5.6-9, OpenVMS V8.3 Alpha);
Fri, 27 Jul 2007 00:12:32 +0100 (CET)
Received: from User (cable-62-205-81-65.upc.chello.be [62.205.81.65])
(authenticated (0 bits))
by pcw.pcw.net (8.12.10/8.11.6) with ESMTP id l6QJTnR5009737;
Thu, 26 Jul 2007 15:29:50 -0400

The “(authenticated (0 bits))” in the second Received: line is what sendmail writes after a successful SMTP AUTH login, so this is not an open relay: someone at cable-62-205-81-65.upc.chello.be logged in to pcw.pcw.net with valid credentials, either their own or a stolen or guessed account. Whether that machine is the originator or just a bot with borrowed credentials cannot be told from the header.
I haven't tried the link to ns.maple-soft.co.jp yet.