Do you ever wonder what is at the other end of the SPAM email that you
receive in your inbox? You often see emails advertising cheap software, hot
stock tips, and various pharmaceuticals. I think that we have all gotten the
v1gra and Cialis emails. One day I decided I would investigate and see just
where this little message would take me. So, if you are ready for an
adventure, follow me on a virtual trip that will take you all the way around
the world. Don’t forget your passport, you will need it.
Our journey begins outside of Washington, DC. I am sitting at my desk,
going through my SPAM filtered email, when I see one that catches my eye,
“Dreams can cost less repl1ca w4tches from r0lex here”. Sounds interesting, I
thought, and I could use a new watch. Knowing the harmful effects of opening
unsolicited email, I decided to open it in a controlled virtualized
environment. Below is the content of the email:
A T4g Heuer w4tch is a luxury statement on its own. Unfortunately, that
luxury comes with a price... Except when you visit Prest1ge Repl1cas, the
web's most comprehensive collection of brand name repl1ca w4tches. In
Prest1ge Repl1cas, any T4g Heuer is available for just over $200. htxp://www.lagetyo.com
I also opened several other emails with similar subject lines. Each
email had the same message but pointed to a different website. From the
sampling of emails I found nine different URLs. As you can see from the
list, the domain names appear to be randomly generated:
- www.sueyhhb.com
- www.sueywhhn.com
- www.aueiwmm.com
- www.syewthhw.com
- www.soiekkj.com
- www.suewywtt.com
- www.ytrueujj.com
- www.slejenbb.com
- www.aeiwkee.com
According to Whois.net, these websites are still listed as active;
however, they no longer resolve. All are registered in NanChang, China, and
all but three are registered to a Liu Tao who, according to Wikipedia, happens
to be a famous Chinese actress. I am sure there is no relation.
Going back to the original email I received, I decided to look at who
the email was from and who it was actually sent to. According to the spam
filter's email headers, the email was sent from “cherylc@hisplacechurch.com”.
I did a quick search on the domain “hisplacechurch.com”. This led me to a
small church in Burlington, Washington. That is Washington state, not
Washington, DC. So I perused the site and found the church staff link, where I
found Cheryl Neff, the Sr. Pastor’s Assistant. Sure enough, her email was the
same. While you might think that Cheryl Neff’s computer is the origin of the
email selling prestigious watches, it is actually not. Unfortunately for us,
and you the reader, we will never know where the actual email came from. (The
From address is just a string the sending software fills in, so it may simply
have been forged; only the Received headers added by relays you trust record
the IP address the message really arrived from.) We can be pretty sure that
Cheryl’s computer had some kind of malware on it that contained a mail engine
that sent out hundreds or even thousands of emails all around the world
promoting these luxurious watches. Unfortunately Cheryl is not alone in this.
I received the same email message from many other unsuspecting senders,
ranging from home users to Fortune 500 companies. I have also seen the same
email content blindly posted on numerous blogs. Hopefully Cheryl and the His
Place Church got their computer systems cleaned up.
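The check to run before taking a From address at face value is to walk the Received headers, which are prepended by each relay the message passed through. The Python below is an added example and is not from the original article; the raw message it parses is constructed for illustration (relay names and IP addresses are invented, drawn from the RFC 5737 documentation ranges), and only the From address and subject line come from the article. The bottom-most Received line in the sample is a forged one of the kind a spammer inserts to make the mail look like it left the claimed domain's own server.

```python
"""Walk a message's Received: chain to find where it entered relays you trust.

Added example, not code from the original article. The raw message below is
constructed: relay names and addresses are invented (RFC 5737 documentation
ranges); only the From: address and subject line come from the article.
"""
import re
from email import message_from_string
from typing import Optional

# Constructed sample. Each relay prepends its own Received: line, so the top one
# is the newest hop and the bottom one the oldest. The bottom line is a fake the
# sender inserted; nothing below the first untrusted relay can be believed.
SAMPLE_RAW_MESSAGE = """\
Received: from mx.filter.example (mx.filter.example [198.51.100.7])
\tby mail.corp.example (Postfix) with ESMTP id 1A2B3C
\tfor <victim@corp.example>; Wed, 22 Aug 2007 09:12:01 -0400
Received: from hisplacechurch.com (unknown [192.0.2.45])
\tby mx.filter.example (Postfix) with SMTP id 9Z8Y7X;
\tWed, 22 Aug 2007 09:11:58 -0400
Received: from webmail.hisplacechurch.com (localhost [127.0.0.1])
\tby hisplacechurch.com with ESMTP id FAKE01;
\tWed, 22 Aug 2007 09:10:00 -0400
From: cherylc@hisplacechurch.com
To: victim@corp.example
Subject: Dreams can cost less repl1ca w4tches from r0lex here

A T4g Heuer w4tch is a luxury statement on its own.
"""

FROM_RE = re.compile(r"\bfrom\s+(\S+)", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw: str) -> list:
    """Hops oldest-first: the HELO name the client claimed, the IP the relay saw, the relay."""
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        flat = " ".join(hdr.split())  # unfold continuation lines
        helo, ip, by = FROM_RE.search(flat), IP_RE.search(flat), BY_RE.search(flat)
        hops.append({
            "helo": helo.group(1) if helo else None,  # sender-controlled string
            "ip": ip.group(1) if ip else None,        # recorded by the receiving relay
            "by": by.group(1).rstrip(";") if by else None,
        })
    return hops


def entry_hop(raw: str, trusted_relays: set) -> Optional[dict]:
    """Walk newest-first through lines added by relays you trust and return the hop
    where the message crossed in from outside. Older lines may be forged."""
    entry = None
    for hop in reversed(received_hops(raw)):
        if hop["by"] is None or hop["by"].lower() not in trusted_relays:
            break
        entry = hop
    return entry


def from_domain(raw: str) -> str:
    """The domain the From: header claims; nothing verifies it."""
    addr = message_from_string(raw).get("From", "")
    return addr.split("@")[-1].strip("<> ").lower()


if __name__ == "__main__":
    trusted = {"mail.corp.example", "mx.filter.example"}
    print("From: header claims", from_domain(SAMPLE_RAW_MESSAGE))
    print("Entered our relays from", entry_hop(SAMPLE_RAW_MESSAGE, trusted))
```

The entry hop is the one whose IP address is worth looking up; the HELO name beside it and every Received line below it were written by the sender.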
So, let’s get back to the email, because I still need a new watch. The
first thing I did was start a packet sniffer on my local network to see if
the web site was downloading any unwanted software (malware) to my system,
or if the site was sending any of my personal information to
some third-party destination. With my packet sniffer running, I opened a
web browser, entered www.lagetyo.com, and off I went. It was a
very nice site. There were lots of nice looking watches, bracelets, and
earrings for sale. There was a shopping cart built into the site, a privacy
policy, a testimonial section (which I can’t wait to read later), and a
Contact Us link.
I viewed the source code from the site to see if there were any
behind-the-scenes deceptions, such as any malicious iFrames. The site looked
pretty clean.
I decided to read their privacy policy and see what they had to say. One
thing that caught my eye was the stated use of SSL (Secure Sockets Layer),
which is good because it sends important information over the Internet in an
encrypted state, and when you are sending your credit card number across the
Internet, you want it safe from prying eyes.
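Both of the checks above, viewing the source for hidden iframes and deciding whether the SSL claim in the privacy policy holds for the checkout form, can be done in a few lines rather than by eye. The Python below is an added example, not code from the article; the HTML it scans is constructed (the banner CDN host, the 203.0.113.9 address and the secure.example payment host are invented). It flags iframes sized or styled to be invisible, and any form that would post to a non-https URL, with a stronger finding when that form collects card or password fields.

```python
"""Scan a page's HTML for hidden iframes and forms that would post over plain HTTP.

Added example, not code from the original article. The HTML below is
constructed for illustration; the CDN host, the 203.0.113.9 address and the
secure.example payment host are invented.
"""
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urljoin, urlparse

# Substrings of input names that suggest payment or login data.
SENSITIVE_FIELDS = ("card", "cvv", "cvc", "csc", "pass")

# Constructed sample page.
SAMPLE_HTML = """<html><body>
<h1>Prest1ge Repl1cas</h1>
<iframe src="https://cdn.example/banner.html" width="300" height="60"></iframe>
<iframe src="http://203.0.113.9/x.php" width="0" height="0" style="display: none"></iframe>
<form action="/checkout.php" method="post">
  Name <input name="name"> Card <input name="card_number"> CVV <input name="cvv">
  <input type="submit" value="Buy">
</form>
<form action="https://secure.example/pay" method="post"><input name="q"></form>
</body></html>
"""


class PageAuditor(HTMLParser):
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.findings: list = []
        self._form: Optional[dict] = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if tiny or "display:none" in style or "visibility:hidden" in style:
                self.findings.append(("hidden-iframe", a.get("src")))
        elif tag == "form":
            # Resolve a relative action against the page URL; "" means post back to the page.
            self._form = {"action": urljoin(self.page_url, a.get("action", "")), "fields": []}
        elif tag == "input" and self._form is not None:
            self._form["fields"].append(a.get("name", "").lower())

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            action = self._form["action"]
            if urlparse(action).scheme != "https":
                sensitive = [f for f in self._form["fields"]
                             if any(s in f for s in SENSITIVE_FIELDS)]
                kind = "card-form-over-http" if sensitive else "form-over-http"
                self.findings.append((kind, action))
            self._form = None


def audit_html(html: str, page_url: str) -> list:
    """Return (finding, target) pairs for the page fetched from page_url."""
    auditor = PageAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for finding in audit_html(SAMPLE_HTML, "http://www.aeiwkee.com/cart.php"):
        print(finding)
```

Note that the page URL matters: a relative action inherits the scheme of the page it sits on, so the same checkout form is clean when the cart page itself was loaded over https and a finding when it was not. A form on a plain-http page that posts to an https URL is still not safe, since anything in the path can rewrite the page (and the action) in transit.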
Next I decided to read the “About Us” link on their site. The owners
mention that they have been the leading online retailer of quality luxury
timepieces since 2003. Oddly enough, every one of the aforementioned
websites was only in operation for one or two weeks. In fact, within days of
the start of this investigation the http://www.lagetyo.com/ website was
no longer up and operational. Since my work was not done and I still needed
a watch, I went to another one of the websites that was still active. I
picked www.aeiwkee.com. Just like the previous site, it was up for a few
days, then went down just long enough to change its IP address from
218.53.147.152 to 116.199.128.6. The two IP addresses belong to different
companies, Hananet in Korea and newpower-cn in China. If you enter
http://218.53.147.152 in a web browser, you get the message “site not
found on our server!” That is what a shared host's default virtual host
answers when asked for a site by bare IP rather than by name, so it neither
confirms nor denies that the watch site lived there. Hopping between cheap
hosts like this is common practice for these types of operations.
Now that I had a site that was up, I decided it was time to make a
purchase. Regardless of their four-year track record as the #1 online
retailer and Sara Berry’s raving testimonial, I was still leery about using
my credit card to make a purchase. Following my gut, I decided to go
undercover to make the purchase. I made a trip to my local CVS store and
purchased a GreenDot Visa debit card. I put $100.00 on the card and
proceeded back to the office. As a safety precaution, I decided not to use
my real name and address when registering the card, so I took on an alias,
Alain Tibberman. I needed to find something that cost under $100.00.
I was not able to find a watch for under that price. Knowing that I
could always buy my wife a gift, I decided to look at their selection of
earrings. I found a nice pair for only $52.00 (plus $29.00 for shipping and
handling). First, I made sure that my trusty packet sniffer was running so I
could see everything that was going on behind the scenes. I entered all of my
personal information: name, address, credit card number, etc. I was really
curious where my credit card information was going to be sent. After the
transaction was complete, I started going through the packet sniffer logs.
Remember earlier when I said that I was happy to see that the web site’s
shopping cart was using SSL to encrypt the traffic? As you can see from the
image below, there is my credit card number and CVV in plain text. My
name, address and email address were also sent in clear text. Good thing
Alain Tibberman was a fictitious name.
[Image: packet capture of the checkout POST, showing the card number and CVV in plain text]
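Reading through sniffer logs by hand works once; a scan that pulls out anything shaped like a card number is what you want when the capture is large. The Python below is an added example, not code from the article. It takes TCP payloads as (destination port, bytes) pairs, such as you would pull out of a pcap, ignores anything that is not a plaintext HTTP request (a TLS record on port 443 has no readable headers), and reports Luhn-valid card numbers, masked, plus any CVV-style form field. The two payloads are constructed: a few opaque bytes standing in for a TLS record, and a POST to port 80 carrying the Visa test number 4111 1111 1111 1111 (not a real card) under the article's alias, alongside a 16-digit order id that the Luhn check correctly rejects.

```python
"""Scan captured packet payloads for card numbers and CVVs sent in clear text.

Added example, not code from the original article. The two payloads below are
constructed: a few opaque bytes standing in for a TLS record on port 443, and a
plaintext HTTP POST on port 80 carrying the Visa test number 4111111111111111
(not a real card) under an invented alias.
"""
import re
from urllib.parse import parse_qs

# 13 to 19 digits, optionally separated by spaces or dashes, not part of a longer digit run.
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
CVV_FIELDS = {"cvv", "cvv2", "cvc", "csc", "security_code", "card_code"}


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; filters out order numbers and other 16-digit noise."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(data: bytes) -> list:
    """Masked, Luhn-valid card numbers found anywhere in a byte string."""
    found = []
    for m in PAN_RE.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if luhn_ok(digits):
            found.append(mask_pan(digits))
    return found


def split_http_request(payload: bytes):
    """(request line, headers, body) if the payload is a plaintext HTTP request, else None."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    if not re.match(rb"^[A-Z]+ \S+ HTTP/1\.[01]$", lines[0]):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    return lines[0].decode(), headers, body


def scan_payload(dst_port: int, payload: bytes) -> list:
    findings = []
    http = split_http_request(payload)
    if http is None:
        return findings  # TLS records and other binary data: nothing readable here
    request, headers, body = http
    for pan in find_pans(body):
        findings.append({"port": dst_port, "request": request, "kind": "pan", "value": pan})
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for field, values in parse_qs(body.decode(errors="replace")).items():
            if field.lower() in CVV_FIELDS and any(v.isdigit() and 3 <= len(v) <= 4 for v in values):
                findings.append({"port": dst_port, "request": request, "kind": "cvv", "value": "***"})
    return findings


def scan_capture(packets) -> list:
    """packets: iterable of (dst_port, tcp_payload) pairs, e.g. reassembled from a pcap."""
    findings = []
    for port, payload in packets:
        findings.extend(scan_payload(port, payload))
    return findings


# Constructed capture: one TLS-looking record to port 443 and one plaintext POST to port 80.
POST_BODY = (b"name=Alain+Tibberman&card_number=4111111111111111&cvv=123"
             b"&exp=09%2F2009&order_id=1234567890123456")
SAMPLE_PACKETS = [
    (443, b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x01" + b"\xa7" * 32),
    (80, b"POST /checkout.php HTTP/1.1\r\nHost: www.aeiwkee.com\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n"
         b"Content-Length: %d\r\n\r\n" % len(POST_BODY) + POST_BODY),
]

if __name__ == "__main__":
    for finding in scan_capture(SAMPLE_PACKETS):
        print(finding)
```

The scanner never prints a full card number, only the first six and last four digits, which is enough to identify the issuer and match a statement entry without copying the number into another log.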

The order has been placed. I hope that I get my earrings and I hope that
my card information has not been intercepted along the way. I am pretty sure
that the end site is storing all user information in an encrypted database,
so it should be safe from hackers there.
I checked my newly created email account to see if I had received
anything from the vendor. Sure enough, I had received a confirmation
thanking me for my purchase, informing me that my order had been
successfully processed, and providing an order number. It even provided
an email address to contact if I needed help.
Hmmm, very interesting. I went to the domain from the support email address,
top-esupport.com, and it is no longer resolving. According to the Whois database,
top-esupport.com is registered to a group called CSMJBS Enterprise, located in Las
Vegas, NV. So I decided to conduct a Google search on CSMJBS Enterprise to
see what I could find. The first site returned in my search referenced the
Fake Sites Database, with a warning: “Please be aware that the fake banks,
lotteries and companies on the list are used by dangerous criminals. We
don’t encourage anyone to engage in any form of communication with them. If
you choose to communicate with them for whatever reason, you will be doing so at
your own risk”. I decided to do a little poking around. I called the City of
North Las Vegas and inquired about CSMJBS Enterprise. First of all, the
address listed in the Whois database was false. The company went
into default in April of 2007. Jeremy Stamper, the head of the company,
resides in Seattle, Washington, and has recently been accused by the
Department of Financial Institutions Securities Division of running several
fraudulent financial websites that tricked numerous people
into sending in money. Over $2 million has been seized by Las Vegas
police.
So let’s get back to my earrings. I was pretty sure that the vendor was
going to charge my card, so I logged into my GreenDot online account to see
what transactions had occurred. Sure enough, there was a charge of $77.00
for the earrings, with the vendor name ElegantReplica.com and a phone
number. Ah, another lead. Well, searching on
ElegantReplica.com led me nowhere. I found a few dead links, but mostly
sites complaining about the domain being part of a spam operation. So then
I searched on the phone number. That lead was a little more promising. Of
the five search results returned, two led to websites that resembled
www.aeiwkee.com, where I purchased the earrings. The other three led
to websites that no longer resolved. No surprise there. I did find out that
the number is registered to a group called TwoBucks Trading Ltd., located in
Nicosia, Cyprus.
So on our virtual tour we started off in Washington state, with the poor
church lady; then went to Herndon, Virginia, where a nosy researcher started
investigating; then to NanChang, China, where the websites were registered.
From there it was a short hop to Shenzhen, China, and Seoul, Korea, where the
two IP addresses were registered; back to the United States, where a
suspicious shell company in Las Vegas, Nevada, was listed as the
registrant of the support email domain; up to Seattle, Washington, and Jeremy
Stamper’s shell companies; and finally to Nicosia, Cyprus, where my money
was ultimately collected. That took you across America and got you three
different stamps in your passport.
I was still wondering if I was going to get my earrings. So I called the
phone number in Cyprus, and after calling 5-6 different times I finally got
a live person on the other end of the phone who was able to provide me with
a tracking number. I plugged my tracking number into the shipper’s website
and obtained the following transaction log (events listed oldest first):
- Foreign Acceptance, August 22, 2007, 7:35 pm, CHINA PEOPLES REP
- Foreign International Dispatch, August 23, 2007, 4:09 pm, BEIJING, CHINA PEOPLES REP
- Inbound International Arrival, August 25, 2007, 9:58 pm, KENNEDY AMC
- In route, August 26, 2007, 9:21 am, MERRIFIELD, VA 22081
- Arrival at Unit, August 26, 2007, 12:52 pm, RESTON, VA 20190
- Notice Left, August 26, 2007, 2:19 pm, HERNDON, VA 20171
Unfortunately I never got the shipment. I called the post office and
they were not able to locate the package. I guess my post office could have
lost it.
As I was wrapping up this article, I wanted to go back to the
www.aeiwkee.com website to see if it was still up and operational, and poof,
just like that, the site was gone. This is the method of operation for these
businesses. They register many different websites, and each site is
only up for a certain amount of time, just long enough to get some
business before anti-spam groups and other vigilante groups use the
Internet as a public forum and expose the sites. It very well could be that
these sites are just recycled and will be selling something else in a few
months.
At the end of the day, the thing to remember most about this story
is that there are a lot of shady corners on the Internet. If you are about
to use your credit card to purchase something online, double check to make
sure that it is your intended website. There are a lot of replica sites used
to fool people. Also ensure that your personal information is really being
sent over the Internet by SSL. Both Internet Explorer and Firefox will
present a little padlock indicating that the connection between the client
browser and the server is encrypted. The padlock only vouches for the page
whose address is in the address bar, so check that the address starts with
https:// on the page that actually takes your card details; a padlock on the
storefront says nothing about where the checkout form sends them. And last
of all, do not believe everything you read or get in an email, even if it is
from a nice church lady.
This article was kindly supplied by Computer Associates,
CA Security Advisor Research Blog:
http://community.ca.com/blogs/securityadvisor/archive/2007/10/23/operation-greendot-following-the-spam.aspx
Good luck and buy wise,
YourDomainUK Team