Vanity Search Attacks

“How did you two meet? Did you mark her, or was it the other way around?”

- Robert Redford to Brad Pitt, Spy Game

Con man 101: The best way to gain someone’s confidence is to make them think they contacted you. Scammers just love having potential victims contacting them.

Now, it seems they have figured out an interesting way to draw potential victims to their web site, one that is much easier than sending billions of spam email messages.
The idea is simple: take a person’s name (real people’s names are available for harvesting in places like LinkedIn, Facebook and other social networks) and put it in a web page. It doesn’t really matter where, as long as Google indexes it.

Wait a while, and have that person google himself. Many people (myself included) have a ‘Google Alert’ on their name, which sends them an updated list of links to new pages where their name is mentioned.

Everyone likes to see where they are mentioned, so they will click on the link. And voila! They arrive at the spammer’s page. In some cases I’ve seen, the name was already gone from the page (but was still in the Google cache). But none of this matters: as soon as the person reaches the page, the web spammer’s job is done – he got his message in front of you, and maybe you’ll even dig deeper into his web site trying to figure out what the connection is to you.

There are many advantages to this method. First, you are not restricted by the message: the web page can openly have the words Viagra, Credit card debt and mortgage assistance without the fear of triggering anti-spam software. Also, people will pay more attention to the page since they think it has to do with them.

I don’t get the spammers’ marketing statistics, but I’m sure that the infamous spam text “it came to our attention that you’re in dire need of financial help”, which sounds very much like a sincere, personal message, is a huge success. But that message has to get through the spam filters and include a real email address and a correct first/last name. The spam web page doesn’t need to bypass spam filters, and already has the correct name. In addition, you gain interesting information about the visitor: browser version, IP location and of course the name he was searching for (that would be in the ‘referrer’ that is sent automatically by the browser to the web site). Oh, and of course – it’s cheap. You only need to put together a nice-looking web page and wait for Google to do the rest. No buying of email lists and no cost of sending spam (which nowadays means the cost of hiring a zombie botnet for a couple of days).

For those aspiring scammers who are reading this, you should understand that it’s not a foolproof method. Obviously, it requires people to do a vanity search to reach you in the first place (though it also works on people who google their dates, their parents or their teachers). It also requires time – days, weeks or months (which may be difficult if your web site is on a zombie computer that might disappear by the time Google indexes it and the user comes to the site). But because the costs are very small, and there are no effective countermeasures at the moment, I think we will see more and more such attacks in the near future.


Google calendar as a spam platform

Apparently Google’s calendar has been elected to become a new spam platform.

I started receiving these a few days ago. At first I thought it was a fluke, but now it has become a flood.

Someone in Google should probably start looking at this and getting it fixed, as this isn’t a “fake” Google calendar invitation but rather a legit Google generated one.

In essence, the invitation’s subject carries what most people would consider :) good news:

When I read “Cheque” I am happy :)

But that is just me, maybe someone else will become sad, maybe the guy who is giving the cheque :)

And then this is followed by:

My Dear friend

How are you today together with your family,i thank God almighty for his infinity mercy upon my life for latter making this business to work out sucessfull.
I’m happy to inform you about my success in getting the fund transferred under the cooperation of the new partner from LUXMBURG . Presently i’m in LUXMBURG for investment projects with my own share of the total sum. meanwhile,i didn’t forget your past efforts and attempts to assist me in transferring those funds despite that it failed us some how.

Out of my sincere heart i have deceided to show gratuted to you and i have signed a Cheque on your behalf for your compasation,now contact my secretary in Cotonou, Republic of Benin,his name is Mr. Santex Romack  and his email address ; in and ask him to send you the total amount of $1.5,M Cheque which i kept for your compensation for all the past efforts and attempts to assist me in this matter.and instruct him where to send the amount to you.I appreciated your efforts to assist that time despite that you later disappointed me.

so feel free and get in touch to my secretary Mr Santex Romack Please do let me know immediately you receive it so that we can share the joy together after all the sufferness at that time. in the moment, i am very busy here because of the investment projects which i and the new partner are having at hand, finally, remember that I had forwarded instruction to my secretary on your behalf to receive that money, so feel free to get in touch with Mr.Santex Romack  and he will send the Cheque to you without any delay.

Sincerely Yours
Mr,John Max

And finally, of course, the meeting details in both iCal and vCal, which ask me to meet with them or just reply so that they can tell me exactly where we should meet :)

The headers of the email show that it was sent by Google’s internal SMTP server and was auto-generated by Google’s calendar service.


The term ‘spam’ turned 15 years old this week

And it was

…almost 30 years since the first spam message was sent.

We can read more here:


New LinkedIn ‘status’ feature now used for donation spam

My wife has just received this email via LinkedIn:

Subject: Equity Needed

[name deleted] has sent you a message.
Date: 3/01/2008
Subject: Equity Needed
May I kindly accept a donation of $100 on your behalf? [url to donation page]

Thank you for understanding.

Visiting the donation page brings up the following explanation:
“With the new status update feature on LinkedIn I thought we should have some fun and in the process help me make my first million to jump start my new companies. I would like you to set your status on LinkedIn to “wants you to help [me] make [my] 1st million via LinkedIn: [url]“”


Google as an RBL

For those not familiar with the term, RBL means Real-time Blackhole List; it is mainly used for fighting SPAM. I have recently started playing around with Google as an RBL engine: the idea is that if the search term I use returns too many hits, it is likely to be SPAM :)

The danger of course is that the term could be simply popular – but the trick here is that I’m using something very special as the search term – the IP address of the poster.

The IP address shouldn’t be popular; except for a few rare cases, IP addresses listed on Google are directly related to SPAM – either they are listed under wiki-like sites as being banned, or they appear as mass-comment posters. Simply put, if your IP is listed in Google you must be up to no good.

How good is this method? Nothing is bullet proof, but if you suspect something of being SPAM, put the IP in Google and see whether there are hits. Almost all the comment SPAM I filtered out this month had more than 100 hits in Google; all the non-SPAM had either 0 hits or fewer than 10.

BTW: a good advantage of Google is that it is quick – a few seconds to get a response – a disadvantage is that you cannot just “hammer” them with searches or they will block you – maybe someone can pick up this idea and make an RBL of IP addresses using Google as a back-end engine.
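An added example (mine, not code from the post) of what such a “Google as back-end” RBL could look like: the post’s rule of thumb as a classifier, wrapped in the cache and query budget that the “don’t hammer them” caveat calls for. The search backend is a pluggable callable that takes a query string and returns a hit count; a constructed in-memory table stands in for it here so the script runs offline. The thresholds (below 10 hits clean, above 100 spam) are the figures quoted above; the sample addresses are constructed.

```python
"""Added example (mine, not code from the post): a toy reputation lookup built
on the post's rule of thumb that an IP address with many search hits is most
likely a spam source, while one with almost none is most likely clean.

Assumptions: the search backend is a pluggable callable taking a query string
and returning a hit count; here a constructed in-memory table stands in for it
so the script runs offline. The thresholds (below 10 hits clean, above 100
spam) are the figures quoted in the post."""
import ipaddress
import time
from typing import Callable, Dict, Tuple

CLEAN_BELOW = 10    # hits below this: clean (the post saw 0 or under 10 for ham)
SPAM_ABOVE = 100    # hits above this: spam (the post saw over 100 for comment spam)

# Addresses that can never be a public spam source; don't spend a query on them.
NEVER_QUERY = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def classify(hits: int) -> str:
    """Map a hit count onto the post's outcomes; the grey zone stays 'unknown'."""
    if hits > SPAM_ABOVE:
        return "spam"
    if hits < CLEAN_BELOW:
        return "clean"
    return "unknown"


class SearchRBL:
    """Wraps a hit-count backend with a result cache and a per-minute query
    budget, the part the post says is missing: you can't hammer the engine."""

    def __init__(self, hit_counter: Callable[[str], int],
                 max_queries_per_minute: int = 10, ttl_seconds: float = 3600.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._count = hit_counter
        self._budget = max_queries_per_minute
        self._ttl = ttl_seconds
        self._clock = clock
        self._cache: Dict[str, Tuple[float, int]] = {}   # ip -> (when, hits)
        self._window_start = clock()
        self._used = 0
        self.backend_calls = 0   # exposed so callers can watch their quota

    def lookup(self, ip: str) -> str:
        addr = ipaddress.ip_address(ip.strip())      # ValueError on junk input;
        if any(addr in net for net in NEVER_QUERY):  # never search free text
            return "clean"
        key = str(addr)
        now = self._clock()
        cached = self._cache.get(key)
        if cached is not None and now - cached[0] < self._ttl:
            return classify(cached[1])
        if now - self._window_start >= 60.0:         # new one-minute window
            self._window_start, self._used = now, 0
        if self._used >= self._budget:
            return "unknown"      # fail open; a blocked backend helps nobody
        self._used += 1
        self.backend_calls += 1
        hits = self._count('"%s"' % key)   # quoted: match the literal address
        self._cache[key] = (now, hits)
        return classify(hits)


# Constructed hit counts standing in for a real search engine (no network).
FAKE_INDEX = {'"203.0.113.9"': 412, '"198.51.100.20"': 0, '"203.0.113.77"': 35}


def fake_hit_counter(query: str) -> int:
    return FAKE_INDEX.get(query, 0)


if __name__ == "__main__":
    rbl = SearchRBL(fake_hit_counter)
    for ip in ("203.0.113.9", "198.51.100.20", "203.0.113.77", "192.168.1.1"):
        print(ip, rbl.lookup(ip))
```

The lookup fails open (“unknown”) when the budget is spent rather than queueing, because a comment filter that stalls on a rate-limited search engine is worse than one that falls back to its other signals; the quoting of the address matters because an unquoted dotted quad is four separate numbers to a search engine, and the hit count then says nothing about the IP.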


Pushdo analysis

Joe has a nice write-up on the inner workings of the Pushdo Trojan.

Pushdo is interesting since it was written for “future use” – i.e. it updates itself to obey its master’s latest needs and requests. It also has intelligence-collecting routines and in general shows how sophisticated the bad guys are getting.


Fake blogs and search engines

urls in this post should be considered unsafe.

fake sites and se poisoning are nothing new. the use of blogs for this is far from new, either. thousands of new fake blogs pop up every day on blogspot, livejournal, etc.

web spam is a subject i have written about in the past, and some of you may be familiar with it regardless of me (no kidding), especially if you run a blog yourself.

a new fake blog, which looks like blogspot but has its own “domain”, recently popped up in a google alert on my name.

i get hits on these fake pages all the time as my name is a key word used by some of these spammers to grab attention to their pages.
this time around they really over-did it.

the page has a blogspot layout, and continues with ads to pornographic sites or malware (is there any difference anymore?)

then the site shows the youtube video which can be found under my name.
following that is a post i made to a mailing list recently (poorly formatted).
then we have a few pictures of girls, linking once more either to pornographic sites or malware drive-by sites (if there is a difference, again).

they finish the page off by adding comments, which are actually some old securiteam posts by me.

heck, it looks fake, but it is obvious the bad guys are investing more in their fake web pages. their auto-creation tools seem to be getting more impressive, and i believe we will see much improved believable sites, soon.

google blog search displays this site as (nasty words replaced with beep):

gadi evron
2 sep 2007
gangbeep facial asian amateurs, bang bus jessica hardcore pictures bang your head, asian virgins.asts. teen cherry action – nice brunette teen beeped hard on the bed and getting a beepy beepshot. beep beeping boy beep teen legs, …
untitled – h ttp://n

h ttp://n

again, i am unsure if these urls are safe.

for those of you wondering if these web pages mean anything to the bad guys, the answer is absolutely yes. search engine ranking, indexing, etc. helps them advance their own sites (or their clients’). then of course, there is advertising and google ads.
it works. and the advertising space on unrelated key words is a plus.

the concept is very similar to comment spam. comment spam may not contribute to se ranking anymore due to the nofollow tag attached to links in comments, but these get indexed and that’s all the bad guys care about. nofollow is crap, and what shows up when you search is what matters.

as an example of how these things work, in a recent blog post of mine a buddy left a comment (see here for the example).

he left a url for his legitimate python/math/music/origami blog in his comment, and now when you search for his blog you find my post in 4th place with the title ‘a jew in a german camp’ (about the ccc camp in germany). he is not pleased, but it is obvious how the bad guys abuse this, and infect millions of computers just because their owners surf the net.

gadi evron,


ISOI 3 is on, and Washington DC is hot

following up on that strange title, isoi 3 (internet security operations and intelligence), a workshop for do-ers who work on the security of the internet and its users, is happening monday and tuesday in washington, dc.

this time around we have even more government participation (we’re in dc, duh), but a bit less from academia (who can try and look at long-term solutions), in addition to us security researchers and operators (who respond to, contain and mitigate incidents).

i am very pleased with our progress on encouraging global cooperation, and getting more industry information sharing going. i am also happy we are moving from “just” good-will based relationships to the physical world with our efforts, being able to take things to the next level with world-wide operational task forces and, indeed, effecting change.

if you are interested in this realm of internet security operations, take a look at isoi 3’s schedule, and perhaps submit something for the next workshop.

some reporters are somewhat annoyed that entrance is barred to them, but i hope they’d understand that although we make things public whenever we can as full disclosure is a strong weapon in the fight against cyber crime, folks can not share as openly when they have to be on their toes all the time.

the third isoi is here because after dhs ended up unable to host it, sponsors emerged who were happy to assist:

afilias ltd.:
the internet society:
shinkuro, inc.:

it’s going to be an interesting next week here at the swamp. attendees better show up with their two forms of id. :)

gadi evron,


Ciaaaaaaliiis Viaaaaaagraaa – Nooo thaaanks!

Some of the spam e-mails in my Inbox today are really funny, when looking at the basic information of the messages.

From: Isabelle Hammer

Subject: Re[05]: Ciaaaaaaliiis Viaaaaaagraaa Leeeeeevitra. Preise die keine Konkurrenz kennen
Message body: Hallo , jonleht !Meinung von unserem Kunden:
Ich nehme jedes Mal 10 mg….

Why does the sender’s name differ from the visible name, why are they fighting spam filters with thooose terrible wooords, why do they send German-language spam to Finland, why do they call me jonleht – again?

Hey, we saw these non-working methods hundreds of times already!


Buy stuff from spam mail

Finally, after years of receiving it, I tried to buy something out of the spam I got, but damn, it is difficult, and who is to blame? The spam killers – filters, finders and removers; because of them I can no longer read what the spammer is actually trying to sell me :) Even worse, when I do call the guy up he is so amazed to hear someone call him that he asks me to call again as he is in his car – kudos to lev here :) .

Here is a sample of what I mean:

Subject: The MFC library shipping with Visual C++ 4.


u){e} [N](e)[w][s] To I^mpact {C}{V}
C^hina You.TV {C}{r}

Sym*bol: [C]{T}[V]
We (a)(v) alre-ady {s}[e]{n} CYT+V’s m,arket i+mpact befor#e climbi_n.g to {o}[v][r] $2^.00 {w}{i}(t){h} (n)[e][s]< .>
P^ress Relea`se:
C-hina YouTV’_s Cn^Boo {e} (S){i}[t][e] R+anks [N][o]< .>[1] on M.icr*osoft {i}{v}[e] S+earch E-ngine
CnBo*o Traff.ic Increa,se*s [4]<9>< %> {O}[v] (T)(o) M+onths
{R}[a][d] [t][h](e), th_ink a*bout {t}(h)(e) impa`ct, and

on {h}{i}(s) f+irst thin`g Tomo#r+row m^*orning! $0*.42 is a (g)(i)[f][t] at (t)[h]{s} pr_#ice…..
Do (y)[o][u] homew+or-k (n)(d) w_atch (t){h}{i}(s) tra*de Mo,nday mo,rning.

What is this? :P I can’t read this! Even if I tried, I wouldn’t spend so much time trying to read it, as I don’t spend much time reading other types of perfectly legal advertisements :P .


Using honeypots to fight comment spam

The guys at rustylime describe how they are using honeypot form fields to detect spam bots.

This method is interesting, since the false positive rate will be close to zero – any decent browser will not show the ‘honey pot’ fields, and a human won’t be able to enter information there accidentally. The false negative rate will be low, since most spam bots will enter information in those fields. The problem, of course, is that the spam bots can be adjusted specifically for rustylime (now that they have outlined their comment-spam fighting technique), either by looking for these specific field names or by calibrating their spam bots to render the page and filter out invisible parts (this would be a serious technical challenge for the spammers).

Of course, a post on SecuriTeam blogs, a web site that is probably frequently read by spammers, is not going to help them keep a low profile against spammers – so my apologies to the rustylime people. Let’s hope their comment spam queue remains clean, and maybe someone can pick this up and find a more generic way to fight comment spam using browser-invisible fields.
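An added example (mine; the post does not show rustylime’s code) of a comment form with a honeypot field and the server-side check that goes with it. To take the “looking for these specific field names” bypass off the table, the trap field’s name is derived from a per-site secret and the date rather than being a fixed string; the form markup, the field names and the secret value are all constructed for the example, and a submission is assumed to arrive as a mapping of field name to value, as most web frameworks hand it to you.

```python
"""Added example (mine; the post does not show rustylime's code): a comment
form with a honeypot field, and the server-side check that goes with it.

Assumptions: the form is rendered by this script, a submission arrives as a
mapping of field name to value, and the trap field's name is derived from a
per-site secret plus the date, so it is not a fixed string a bot can be told
to skip. Field names and the secret value are constructed for the example."""
import hashlib
import hmac
from datetime import date, timedelta
from typing import Iterable, List, Mapping

SITE_SECRET = b"constructed-per-site-secret"   # placeholder; keep it out of the page


def honeypot_name(secret: bytes, day: str) -> str:
    """Trap field name for an ISO date (YYYY-MM-DD); looks like any other field."""
    tag = hmac.new(secret, day.encode(), hashlib.sha256).hexdigest()[:8]
    return "contact_" + tag


def accepted_names(secret: bytes, today: str) -> List[str]:
    """Today's and yesterday's names, so a form loaded before midnight and
    posted after it is not rejected."""
    yesterday = (date.fromisoformat(today) - timedelta(days=1)).isoformat()
    return [honeypot_name(secret, today), honeypot_name(secret, yesterday)]


def render_form(hp_name: str) -> str:
    """The trap is an ordinary text input hidden with CSS, not type=hidden:
    bots that fill every text field fill it, browsers never show it."""
    return (
        '<form method="post" action="/comment">\n'
        '  <label>Name <input name="author"></label>\n'
        '  <label>Comment <textarea name="body"></textarea></label>\n'
        '  <div style="position:absolute;left:-9999px" aria-hidden="true">\n'
        f'    <label>Leave empty <input name="{hp_name}" tabindex="-1" autocomplete="off"></label>\n'
        '  </div>\n'
        '  <button>Post</button>\n'
        '</form>'
    )


def is_bot_submission(form: Mapping[str, str], hp_names: Iterable[str]) -> bool:
    """A real browser submits the trap field present and empty. Filled in
    means something typed into it; absent means the form we served was not used."""
    present = [n for n in hp_names if n in form]
    if not present:
        return True
    return any(form[n].strip() != "" for n in present)


if __name__ == "__main__":
    names = accepted_names(SITE_SECRET, date.today().isoformat())
    print(render_form(names[0]))
    human = {"author": "alice", "body": "Nice post.", names[0]: ""}
    bot = {"author": "x", "body": "cheap pills", names[0]: "http://example.invalid"}
    print("human flagged:", is_bot_submission(human, names))   # False
    print("bot flagged:", is_bot_submission(bot, names))       # True
```

Rotating the name only defeats a bot that was told which field to skip; it does nothing against the second bypass the post mentions, a bot that renders the page and ignores what a user could not see, which is why the check is best treated as one cheap signal among several rather than the whole filter.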


DOC spam

Just weeks after we started getting PDF spam, this morning I received my very first DOC spam. The document spam talks about the usual “I am Barrister Musa Adams a Solicitor. I am the Personal Attorney to MR. Harry Edward Cook a national of your country, who used to work with CADBURY NIGERIA LIMITED, on the 21st of April 2004, my client, his wife and their three children were involved in a car accident along Shagamu Lagos Express Road.”, which makes it very uninteresting, but unlike “regular” (non-DOC) spam of this sort, it doesn’t get filtered, as documents aren’t currently being scanned for spam.

Now that we are done with PDF and DOC, what is left? :) RTF?


Genius Twist on Nigerian Scams

1. phish a hotmail account.
2. send email from the stolen account to all the friends listed for the person, saying you are stuck in nigeria and are in an emergency, asking your friends for money to be wired.

(thanks suresh)

gadi evron,


Ecards and email filtering

in the past two weeks, ecards became a major threat.

ecards (or electronic greeting cards) were always a perfect social engineering scheme, open for abuse. with the storm worm and massive exploitation, i believe it has become prudent to filter out all ecard messages in your email systems.

further, some training or awareness information on this subject distributed to your organizations could be very useful.

gadi evron,


Alternative Botnet C&Cs – free chapter from Botnets: The Killer Web App

syngress was kind enough to allow me to post the chapter i wrote for botnets: the killer web application here as a free sample.

it is the third chapter in the book, and requires some prior knowledge of what a botnet c&c (command and control) is. it is basic, short, and to my belief covers quite a bit. it had to be short, as i had just 5 days to write it while doing other things, and not planning on any writing, but it is pretty good in my completely unbiased opinion. ;)

you can download it from this link:

for the full book, you would need to spend the cash.


gadi evron,


PDF spam

I have lately been getting more and more PDF-based spam; the PDF itself appears to be just a cover for the normal image spam. The idea, I believe, is that PDF is not investigated by most spam filtering agents, and is not regarded by spam filtering as a “score giver” (i.e. something that makes the email look more spammish than others).

BTW: At first glance I thought it was malware or an exploit that uses PDF as its carrier, but after a day’s work of investigating, and probing the file with various (non-standard) PDF readers, I concluded that it had nothing to do with malware or an exploit :) kudos to me :P
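The PDF post above and the DOC spam post earlier make the same point: the document attachment carries the pitch and the visible body carries nothing a filter can score. As an added example (mine, not code from either post), here is a small mail-gateway check that closes that gap from the metadata alone, without parsing the document: a PDF/DOC/RTF attachment, recognised by declared type or by file extension, attached to a near-empty body earns a score bump, on top of a trivial keyword scorer that stands in for the real filter. The sample messages are constructed with Python’s standard `email` library; the threshold, keyword list and weights are my own choices.

```python
"""Added example (mine, not code from the posts): a mail-gateway check that
refuses to let a document attachment bypass content scoring.

Assumptions: messages are RFC 822 bytes (constructed samples are built
inline), the keyword scorer is a stand-in for the real spam filter, and
'document' means the PDF/DOC types the posts mention plus RTF."""
import email
from email import policy
from email.message import EmailMessage
from typing import List, Tuple

DOCUMENT_TYPES = {"application/pdf", "application/msword", "application/rtf"}
DOCUMENT_EXTENSIONS = (".pdf", ".doc", ".rtf")
SPAMMY_WORDS = ("barrister", "solicitor", "compensation", "viagra", "cheque")
SHORT_BODY = 40   # chars; below this the visible text carries no real message


def body_text(msg: EmailMessage) -> str:
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def keyword_score(text: str) -> int:
    low = text.lower()
    return sum(1 for w in SPAMMY_WORDS if w in low)


def document_attachments(msg: EmailMessage) -> List[str]:
    """Filenames of attachments that are documents, judged by declared type
    OR by extension, so an application/octet-stream .doc is still caught."""
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        if ctype in DOCUMENT_TYPES or name.lower().endswith(DOCUMENT_EXTENSIONS):
            found.append(name)
    return found


def score_message(raw: bytes) -> Tuple[int, List[str]]:
    """Return (score, reasons). Higher is spammier; weights are arbitrary."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    score, reasons = 0, []
    text = body_text(msg)
    kw = keyword_score(text)
    if kw:
        score += kw
        reasons.append(f"body keywords: {kw}")
    docs = document_attachments(msg)
    if docs and len(text.strip()) < SHORT_BODY:
        score += 3     # the pitch is in the document, the body is a decoy
        reasons.append("document attachment with near-empty body: " + ", ".join(docs))
    return score, reasons


def build_sample(body: str, attach_name: str = "", attach_type: str = "") -> bytes:
    """Constructed test message (not a real spam sample)."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "victim@example.invalid"
    m["Subject"] = "From a friend"
    m.set_content(body)
    if attach_name:
        maintype, subtype = attach_type.split("/", 1)
        m.add_attachment(b"%PDF-1.4 constructed placeholder bytes",
                         maintype=maintype, subtype=subtype, filename=attach_name)
    return m.as_bytes()


if __name__ == "__main__":
    print(score_message(build_sample("Hi, see attached.", "claim.pdf", "application/pdf")))
    print(score_message(build_sample("See attached.", "invoice.doc", "application/octet-stream")))
    print(score_message(build_sample("Meeting notes from today are attached, thanks for joining the call.",
                                     "notes.pdf", "application/pdf")))
```

Scoring on the attachment’s presence rather than its contents is deliberately cheap, which is also its limit: it will not catch a document sent with a plausible cover note, and the next step (which the posts’ “what is left? RTF?” already anticipates) is to extract the text or images from the document and feed them to the same scorer the body gets.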