20061103

Bizarre Phishing Antics

Now that the spam filter is up and running, I'm looking more closely at those messages that do evade it. Rather intriguingly, the odd one or two (corresponding to a roughly 98% success rate) that do get through seem to be spam that is not very good at what it intends to do. The latest that fell through the net is from "Kerri" (why doesn't the spam filter also have a trigger for emails sent from a single first name?), although the email address is Chelsea@somewhere, and the message is signed "wbr, Hope" [with best regards?].

The message itself is "I've accidently found your photo at a flickr and i'm very interested in it. Can you tell me what place i can see in the background of it?" That immediately tells me it's rubbish since I don't have an account on flickr (similarly, given the number of phishing attacks, I am trying to avoid having accounts on ebay, paypal and amazon so as to avoid any doubt). There's a link. In the plain text version, the link is to the implausible address:
file://localhost/home/cmf3/tasks/keeper_au_du/azY8aA/http://www.9ebeauty.com/flickr.html

which isn't going to work for anyone; in the HTML version, there is a link (which doesn't even bother trying to hide where it goes to) to http://www.9ebeauty.com/flickr.html.

So, fairly sure that I can explore with no danger to myself, I take a look.

9ebeauty.com is a rather odd site that apparently sells massage tables and broken English. The /flickr.html page is an HTML version of a flickr page. And, er, that seems to be mostly it. There's no photo, just some static text saying "photo loading". There are links to log in to flickr which lead to the genuine login pages. At first glance, there seems to be nothing more suspicious than a 1x1 pixel iframe containing a counter hosted on a machine identified only by IP address. That IP address resolves to rbnnetwork, the "Russian Business Network", which apparently has been associated with spammers in the past. But still, it doesn't seem to actually be anything more than a counter. Except that actually going to the URL gives an apparent 404 (a closer investigation suggests that it is actually successfully (200) serving up a page that looks like a 404...)
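The oddities noticed so far (a text/plain link that cannot work while the HTML part carries a real one, and a 1x1 iframe pulling a counter from a bare IP address that answers 200 with a 404-looking body) are all mechanical to check. The script below is an added example for this post, not code from the original; the mail, the page, the hostname phish.example and the address 203.0.113.7 in it are constructed stand-ins for what is described above, and it uses only the Python standard library.

```python
"""Triage helpers for a suspicious email of the kind described in the post.

Checks three things the post noticed:
  1. links in the text/plain part that cannot work (file:// scheme) or that
     disagree with the links in the text/html part;
  2. an HTML page embedding a tiny (1x1 or 0x0) iframe whose src host is a
     bare IP address, i.e. a hidden tracker or counter;
  3. an HTTP 200 response whose body merely pretends to be a 404 page.
All sample input below is constructed for this example.
"""
import email
import ipaddress
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches http, https and file URLs up to the next whitespace or quote.
URL_RE = re.compile(r"""(?:https?|file)://[^\s<>"']+""")

# Constructed multipart/alternative mail modelled on the one in the post.
SAMPLE_MAIL = """\
From: Kerri <chelsea@mail.example>
Subject: your photo
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

I've accidently found your photo at a flickr. Look:
file://localhost/home/user/tasks/phish/http://phish.example/flickr.html
wbr, Hope
--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>I've accidently found your photo.
<a href="http://phish.example/flickr.html">see it</a></p></body></html>
--b1--
"""

# Constructed landing page: static text, a real-looking login link and a
# 1x1 iframe fetching a "counter" from a bare IP address.
SAMPLE_PAGE = """\
<html><body>
<p>photo loading</p>
<a href="https://flickr.example/login">Sign in</a>
<iframe src="http://203.0.113.7/counter.php" width="1" height="1"></iframe>
</body></html>
"""


class LinkParser(HTMLParser):
    """Collect <a href> targets and <iframe> attribute dicts from HTML."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])
        elif tag == "iframe":
            self.iframes.append(a)


def is_bare_ip(host):
    """True if the URL host is a literal IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def links_in_message(raw):
    """Return (plain_links, html_links) from a multipart/alternative mail."""
    msg = email.message_from_string(raw, policy=policy.default)
    plain, html = [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            plain += URL_RE.findall(part.get_content())
        elif ctype == "text/html":
            p = LinkParser()
            p.feed(part.get_content())
            html += p.hrefs
    return plain, html


def message_findings(raw):
    """List human-readable reasons the mail's links look wrong."""
    plain, html = links_in_message(raw)
    findings = []
    for u in plain:
        if urlparse(u).scheme == "file":
            findings.append(f"unusable file:// link in text part: {u}")
    if set(plain) != set(html):
        findings.append("text and HTML parts advertise different links")
    return findings


def hidden_iframes(page_html):
    """Return iframe src values that are tiny and point at a bare-IP host."""
    p = LinkParser()
    p.feed(page_html)
    tiny = ("0", "1")
    hits = []
    for a in p.iframes:
        src = a.get("src") or ""
        host = urlparse(src).hostname or ""
        width = (a.get("width") or "").strip()
        height = (a.get("height") or "").strip()
        if width in tiny and height in tiny and is_bare_ip(host):
            hits.append(src)
    return hits


def looks_like_fake_404(status, body):
    """Flag a 200 response whose body pretends to be a 404 error page."""
    return status == 200 and re.search(r"\b404\b|not found", body, re.I) is not None


if __name__ == "__main__":
    for f in message_findings(SAMPLE_MAIL):
        print("mail:", f)
    for src in hidden_iframes(SAMPLE_PAGE):
        print("page: hidden iframe to bare IP:", src)
    print("fake 404:", looks_like_fake_404(200, "<h1>404 Not Found</h1>"))
```

The status check deliberately takes the status code and body as arguments rather than fetching anything itself, so it can be run over a saved response; the mismatch between the text and HTML parts is a useful filter signal on its own, since legitimate multipart mail normally advertises the same destinations in both.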

So, an unconvincing spam email leading to a lame flickr rip off, with a counter. What's the point of that, then? I suppose it looks like a trial run. An attempt to see what new phishing scams are the most enticing. But really, why bother? Why not have some pay off? What would be the point of stealing Flickr log-ins? Or is it an attempt to draw people in and then infect them with spyware or zombies? It makes you wonder sometimes.

1 comment:

Anonymous said...

I've been approached by a promoter of this website. Based on your comment, it seems like they are a fraud. I can't find any other info on them online. But now their website is really more complete with pictures etc. What do you reckon?