That brought the fog and mist.

I get a fair amount of spam. Actually, I get a really enormous amount of spam, hundreds of messages a day, but I hardly see any of it before it’s auto filtered and all that stuff. Now and then, however, a piece slips through the filters and I see it in one of my real mail folders. Usually I take a look at the message, more out of curiosity than anything else. Sometimes if it looks like an interesting scam message, I will investigate it a little more to see how they’re trying to fool people.

Most scams try to look like a legitimate email from a real service, like eBay or Amazon or a bank or whatever. They generally try to look like some kind of warning message, like authorizing a large transfer from your PayPal account, or a warning about account expiration or a fraud alert, etc. They then tell you to click a link to verify / update / cancel whatever they’re lying to you about. The page they link to looks just like the site you think you’re on, but it’s actually at some other site, and when you enter your username / password, the scammer now has them. These are very easy to detect: the links you click on usually look something like this:

(This URL is from a fake email about a security problem with Chase)

http://64.310.180.28/chaseonline.chase.com/colappmgr/colportal/prospect_nfpb=true_pageLabel=page_logon/How%20We%20Protect%20You.htm

With a very cursory examination it looks like it’s linking to “chaseonline.chase.com”, but that name is only the first directory in the path. The actual host in this URL, the part between “http://” and the first “/”, is just some random IP address. (In this case, a random IP address in Georgia. If I had to guess, I’d say it was a hijacked PC.)

Now the scam I just got tricked me for almost a full second, and as such impressed me. It was a fake eBay email, claiming to be an urgent question from someone interested in buying one of my eBay items (of which I have none). I hovered the URLs in the email, as I usually do when they slip through, and was shocked to see that they were actually links to eBay! I thought at first that it was some kind of misconfigured spam that wasn’t sending me off to the wrong place, until I looked a little more closely at the URLs:

http://cgi1.ebay.com/aw-cgi/ebayISAPI.dll?RedirectEnter&partner=25047&loc=http%3A%2F%2Fus.ebayobjects.com%2F2c%3B47586106%3B12593038%3Bl%3Fhttp://www.aol.com/redir.adp?_url=http://265.128.166.295:82/httpsiginin.ebay.com/reg.php

That’s actually a link to a function on eBay’s site whose whole purpose is to redirect people off of their site; the host really is ebay.com, and the next destination is carried in the loc= parameter. In this case it’s redirecting to this URL:

http://us.ebayobjects.com/2c;47927106;12587238;l?http://www.aol.com/redir.adp?_url=http://265.128.166.295:82/httpsiginin.ebay.com/reg.php

Which is then redirecting to this URL:

http://www.aol.com/redir.adp?_url=http://265.128.166.295:82/httpsiginin.ebay.com/reg.php

Which is actually a URL at AOL, which finally redirects to this URL:

http://265.128.166.295:82/httpsiginin.ebay.com/reg.php

Which is your basic scammer’s site. (And in this case, is an IP address in Florida.)

Why so convoluted? First, they want the URL to look like a real eBay URL, in order to fool spam detectors (which it did) and, secondarily, people like me (which it also did, for a very short period of time). Hovering the link doesn’t help here, because the host you see really is eBay’s; you have to read the parameters to find the real destination. Second, redirectors like this, at least on well-run websites, will only redirect to a certain list of sites. In this case, it appears that the eBay redirector only allows redirections to ebayobjects.com. However, there’s a redirector on ebayobjects.com which allows redirections to aol.com. And the AOL redirector, clearly, is wide open: it will send you anywhere at all. So the scammer chains the three together. This is a fairly clever setup. You could have some fun writing some code to find these “open relays” (open redirects) with some clever Google searches, and then finding paths between them, to make all kinds of multi-redirect URLs like this.
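As an added example (not code from the original post, and nothing eBay or AOL actually ran), here is a small Python script that does the analysis above offline. Given a URL it reports the real host (the part a browser would connect to), flags a bare numeric host, lists hostname-looking tokens that appear only in the path (the chaseonline.chase.com trick from earlier in the post), and syntactically unwraps a redirector chain by following embedded URLs in the query string, without ever contacting any of the hosts. The sample URL is constructed from the deliberately broken one in the post; the parameter-detection heuristics, the short TLD list and the function names are my assumptions.

```python
"""Unwrap a chain of redirector URLs and report what a hover would hide.

Everything here is syntactic: no DNS lookups, no HTTP requests.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample, modelled on the URL in the post. The IP address is
# deliberately invalid (as in the post) so it resolves nowhere.
SAMPLE = (
    "http://cgi1.ebay.com/aw-cgi/ebayISAPI.dll?RedirectEnter&partner=25047"
    "&loc=http%3A%2F%2Fus.ebayobjects.com%2F2c%3B47586106%3B12593038%3Bl%3F"
    "http://www.aol.com/redir.adp?_url=http://265.128.166.295:82/httpsiginin.ebay.com/reg.php"
)

EMBEDDED_URL = re.compile(r"https?://", re.IGNORECASE)
# Shape check only: the post's addresses are intentionally out of range, so
# ipaddress.ip_address() would reject them. A real tool would validate too.
DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Hostname-looking tokens; the TLD list is an assumption kept short for the demo.
HOSTNAME_IN_PATH = re.compile(r"(?:[a-z0-9-]+\.)+(?:com|net|org|gov|edu)\b", re.IGNORECASE)


def real_host(url):
    """The host the browser would actually connect to (lower-cased, port stripped)."""
    return (urlsplit(url).hostname or "").lower()


def decoy_hosts(url):
    """Hostname-looking tokens in the path that differ from the real host."""
    parts = urlsplit(url)
    host = real_host(url)
    return [t.lower() for t in HOSTNAME_IN_PATH.findall(unquote(parts.path)) if t.lower() != host]


def next_hop(url):
    """Return the URL a redirector-style URL points at, or None if it carries none.

    Two shapes are handled: the whole query is itself a URL (the ebayobjects
    '...;l?http://...' style), or a query parameter value is a URL (loc=, _url=).
    """
    query = urlsplit(url).query
    decoded = unquote(query)
    if EMBEDDED_URL.match(decoded):
        return decoded
    # parse_qs percent-decodes values, so an encoded loc= comes back as a plain URL
    for values in parse_qs(query, keep_blank_values=True).values():
        for value in values:
            if EMBEDDED_URL.match(value):
                return value
    return None


def unwrap(url, max_hops=10):
    """Follow embedded redirect targets and return every hop, first to last."""
    hops = [url]
    while len(hops) <= max_hops:
        nxt = next_hop(hops[-1])
        if nxt is None:
            break
        hops.append(nxt)
    return hops


def analyse(url):
    """Every hop's real host plus the red flags on the final destination."""
    hops = unwrap(url)
    final = hops[-1]
    return {
        "hosts": [real_host(h) for h in hops],
        "numeric_final_host": bool(DOTTED_QUAD.match(real_host(final))),
        "decoy_hosts_in_final_path": decoy_hosts(final),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against the sample, the script lists four hosts (cgi1.ebay.com, us.ebayobjects.com, www.aol.com, then the numeric one) and flags both the numeric final host and the decoy httpsiginin.ebay.com sitting in its path. Note the order of checks in next_hop: the ebayobjects hop carries the AOL URL as its entire query string, so testing the raw query before splitting it into parameters is what keeps the AOL hop from being skipped.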

Please don’t visit any of the URLs in this post. I’ve modified them so that they don’t actually go anywhere any more, but it’s still a bad idea, and it’s better to be safe than sorry.
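The allowlist behaviour the post says well-run redirectors apply, as an added Python example that is not code from the post or from any of the sites named in it. It goes one step past the post: besides an open redirector like the AOL one, it shows the common mistake of checking the allowlist with a substring match, which a URL shaped like the scammer’s final hop walks straight through, next to a check that parses the URL and compares the real hostname. The allowed hosts, the 203.0.113.9 address (from the documentation range) and the function names are assumptions for the demo.

```python
"""Open redirect, broken allowlist, and host-based allowlist, side by side."""
from urllib.parse import urlsplit

# Hypothetical allowlist for a redirector on example.com (assumption for the demo).
ALLOWED_HOSTS = {"example.com", "partner.example.net"}


def open_redirect_target(loc):
    """The behaviour the post attributes to AOL's redir.adp: go wherever ?_url= says."""
    return loc


def naive_allowlisted_target(loc):
    """Substring 'allowlist'. Bypassed by putting an allowed name in the path or
    in a subdomain of the attacker's host, exactly like the scammer's URLs."""
    return loc if any(h in loc for h in ALLOWED_HOSTS) else None


def allowlisted_target(loc):
    """Parse first, then compare the real host (exact match, or a subdomain of an
    allowed host). Rejects non-http(s) schemes and scheme-relative '//host' forms."""
    parts = urlsplit(loc)
    if parts.scheme not in ("http", "https"):
        return None
    host = (parts.hostname or "").lower()
    if not host:
        return None
    for allowed in ALLOWED_HOSTS:
        if host == allowed or host.endswith("." + allowed):
            return loc
    return None


if __name__ == "__main__":
    # Constructed test inputs; 203.0.113.9 is a documentation address, not a real site.
    for candidate in (
        "https://www.example.com/account",
        "http://203.0.113.9:82/example.com/reg.php",   # allowed name in the path
        "http://example.com.evil.test/login",          # allowed name as a prefix
        "//evil.test/login",                           # scheme-relative
        "javascript:alert(1)",
    ):
        print(f"{candidate:45} naive={naive_allowlisted_target(candidate) is not None}"
              f" strict={allowlisted_target(candidate) is not None}")
```

The strict check is what makes chaining necessary in the first place: a scammer can no longer point the eBay-style redirector straight at a numeric host, so they look for an allowed destination that is itself an open redirector.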

  1. gordonzola says:

    I’ve been getting, and ignoring, e-mail from my DSL provider (AT&T) about new security stuff. I finally looked at it and it actually seemed real, but all the URLs were .net instead of .com. I’m not the savviest internet person so I figured better be safe. I went to the main site and tried to find this info and it wasn’t anywhere. Plus they’ve changed their customer service to make it really hard to e-mail with questions.

    I finally deduced that it was 100% real but I was so frustrated with trying to verify the info because the fake ones look nearly as good. You’d think they’d make it easier.

    Thanks for the heads up.

  2. substitute says:

    There are a few US govt sites that the spammers use that way; they have unprotected redirects. Whoops.

  3. do_not_lick says:

    Sounds about right. And who wouldn’t trust email with a link to nsa.gov?

  4. do_not_lick says:

    For the most part, if the actual host of the URL looks even halfway reasonable, you’re probably safe. Sometimes *very* specific scams are set up (like once someone registered “somethinqawful.com” and tricked users of somethingawful.com into giving him passwords), but mostly these password-stealing scammers have to move very quickly, so they rarely even have time to set up DNS.

    That is, don’t be too worried if the hostname is att.net instead of att.com. Be worried if the host name is just numbers, or if it’s thorm.squant.cx or something crazy like that. Be especially careful to be sure you’re looking at the real hostname and not something they’re trying to trick you into thinking is the hostname.

    Unfortunately, the internet is getting to be more and more complicated, and it’s just not feasible for non-technical users to be aware of all the tricks these people can pull. It’s a tough nut to crack.
