I get a fair amount of spam. Actually, I get a really enormous amount of spam, hundreds of messages a day, but I hardly see any of it before it’s auto-filtered and all that stuff. Now and then, however, a piece slips through the filters and I see it in one of my real mail folders. Usually I take a look at the message, more out of curiosity than anything else. Sometimes, if it looks like an interesting scam message, I will investigate it a little more to see how they’re trying to fool people.
Most scams try to look like a legitimate email from a real service, like eBay or Amazon or a bank or whatever. They generally try to look like some kind of warning message: authorizing a large transfer from your PayPal account, a warning about account expiration, a fraud alert, etc. They then tell you to click a link to verify / update / cancel whatever they’re lying to you about. The page they link to looks just like the site you think you’re on, but it’s actually at some other site, and once you enter your username / password, you’re screwed. These are very easy to detect: the links you click on usually look something like this:
(This URL is from a fake email about a security problem with Chase)
http://64.310.180.28/chaseonline.chase.com/colappmgr/colportal/prospect_nfpb=true_pageLabel=page_logon/How%20We%20Protect%20You.htm
Even a cursory look shows that it appears to be linking to “chaseonline.chase.com”, but the actual host in this URL is just some random IP address; the “chaseonline.chase.com” part is merely a directory name in the path. (In this case, a random IP address in Georgia. If I had to guess, I’d say it was a hijacked PC.)
Now, the scam I just got tricked me for almost a full second, and as such impressed me. It was a fake eBay email, claiming to be an urgent question from someone interested in buying one of my eBay items (of which I have none). I hovered over the URLs in the email, as I usually do when they slip through, and was shocked to see that they were actually links to eBay! I thought at first that it was some kind of misconfigured spam that wasn’t sending me off to the wrong place, until I looked a little more closely at the URLs:
http://cgi1.ebay.com/aw-cgi/ebayISAPI.dll?RedirectEnter&partner=25047&loc=http%3A%2F%2Fus.ebayobjects.com%2F2c%3B47586106%3B12593038%3Bl%3Fhttp://www.aol.com/redir.adp?_url=http://265.128.166.295:82/httpsiginin.ebay.com/reg.php
That’s actually a link to a function on eBay’s site whose job is to redirect people off their site. In this case it’s redirecting to this URL:
http://us.ebayobjects.com/2c;47927106;12587238;l?http://www.aol.com/redir.adp?_url=http://265.128.166.295:82/httpsiginin.ebay.com/reg.php
Which is then redirecting to this URL:
http://www.aol.com/redir.adp?_url=http://265.128.166.295:82/httpsiginin.ebay.com/reg.php
Which is actually a URL at AOL, which finally redirects to this URL:
http://265.128.166.295:82/httpsiginin.ebay.com/reg.php
Which is your basic scammer’s site. (And in this case, is an IP address in Florida.)
Why so convoluted? Well, first of all, they want the URL to look like a real eBay URL, in order to fool spam detectors (which it did) and, secondarily, people like me (which it also did, for a very short period of time). However, redirectors like this, at least on good websites, will only redirect to a fixed list of allowed sites. In this case, we see that the eBay redirector will only allow redirections to ebayobjects.com. However, there’s a redirector on ebayobjects.com which allows redirections to aol.com. And then, clearly, the AOL redirector is stupid, and allows redirection anywhere. This is a fairly clever setup. You could have some fun writing some code to find these “open relays” with some clever google searches, and then finding paths between them, to make all kinds of multi-redirect URLs like this.
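Everything the post does by hand above, peeling one redirector target out of the next and asking who the final host really is, can be done by a script without ever fetching a link. The following Python is an added example, not code from the original post. It only parses the URL strings quoted above (which the author has already altered so they resolve nowhere), unwraps each embedded target one layer at a time, and flags the two tells the post points out: a final host that is a bare IP address, and a brand’s hostname sitting in the path rather than in the host. The function names (`next_hop`, `redirect_chain`, `host_chain`, `assess`), the hop limit and the hostname-spotting regex are my own choices, not anything eBay or AOL implement.

```python
import re
from urllib.parse import urlsplit, unquote

# Sample links copied from the post above (already altered by the author so they
# resolve nowhere). This code only parses strings; it never makes a request.
CHASE_LINK = ("http://64.310.180.28/chaseonline.chase.com/colappmgr/colportal/"
              "prospect_nfpb=true_pageLabel=page_logon/How%20We%20Protect%20You.htm")
EBAY_LINK = ("http://cgi1.ebay.com/aw-cgi/ebayISAPI.dll?RedirectEnter&partner=25047"
             "&loc=http%3A%2F%2Fus.ebayobjects.com%2F2c%3B47586106%3B12593038%3Bl%3F"
             "http://www.aol.com/redir.adp?_url=http://265.128.166.295:82/"
             "httpsiginin.ebay.com/reg.php")

# An absolute URL buried in a path or query string, either raw or percent-encoded once.
EMBEDDED_URL = re.compile(r"(?i)https?(?:://|%3A%2F%2F)")
# Something that looks like a public hostname; used to spot brand names stuffed into paths.
# (Assumed heuristic: only .com/.net/.org are recognised here.)
HOSTNAME_LIKE = re.compile(r"(?i)\b(?:[a-z0-9-]+\.)+(?:com|net|org)\b")
IPV4_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def next_hop(url):
    """Return the first absolute URL embedded after the authority of `url`, or None.

    This does offline what an open redirector does with its target parameter:
    nothing is fetched, the string is simply unwrapped one layer.
    """
    parts = urlsplit(url)
    if not parts.netloc:
        return None
    # Skip past "scheme://host[:port]" so the outer URL's own scheme is not matched.
    tail = url[url.find("//") + 2 + len(parts.netloc):]
    match = EMBEDDED_URL.search(tail)
    if not match:
        return None
    candidate = tail[match.start():]
    # A percent-encoded target was encoded once by whoever built the link; undo that layer.
    if "%" in match.group(0):
        candidate = unquote(candidate)
    return candidate


def redirect_chain(url, max_hops=10):
    """Unwrap nested redirector targets; return every URL in the chain, outermost first."""
    chain = [url]
    while len(chain) <= max_hops:
        hop = next_hop(chain[-1])
        if hop is None or hop == chain[-1]:
            break
        chain.append(hop)
    return chain


def host_chain(url):
    """The hostnames a victim would bounce through, in order, ending at the real site."""
    return [urlsplit(u).hostname for u in redirect_chain(url)]


def assess(url):
    """Summarise where a link really lands and which phishing tells it shows."""
    chain = redirect_chain(url)
    final = urlsplit(chain[-1])
    final_host = final.hostname or ""
    # Brand-looking names in the path or query of the final URL that are not its host.
    spoofed = [name for name in HOSTNAME_LIKE.findall(final.path + "?" + final.query)
               if name.lower() != final_host.lower()]
    return {
        "hops": len(chain) - 1,
        "final_host": final_host,
        "ip_literal_host": bool(IPV4_LITERAL.match(final_host)),
        "brand_names_in_path": spoofed,
    }


if __name__ == "__main__":
    for link in (CHASE_LINK, EBAY_LINK):
        print(" -> ".join(host_chain(link)))
        print(assess(link))
```

Run on the eBay link, `host_chain` reports the same four stops the post walks through (cgi1.ebay.com, us.ebayobjects.com, www.aol.com, then the bare IP address), and `assess` flags both the IP-literal final host and `httpsiginin.ebay.com` appearing only in the path. The Chase link has no hops at all, but trips the same two tells directly. Note that this unwraps only targets that are spelled out in the link itself; a redirector that looks its destination up server-side from an opaque token still has to be resolved by a sandboxed fetch, which is deliberately out of scope here.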
Please don’t visit any of the URLs in this post. I’ve modified them so that they don’t actually go anywhere any more, but it’s still a bad idea, and it’s better to be safe than sorry.