Spam And Social Engineering

(Please see a subsequent post on this: Apologies for getting it wrong and thanks to everyone for writing in)

Spam always surprises.

This morning I got an HTML email from a seemingly credible email address with just one line in it: http://drs.yahoo.com/jeremywagstaff.com/NEWS

Hmmm, I thought, my name! I was almost going to click it, but then decided to forward it to Daniel McNamara, who monitors this kind of thing on his website Code Fish. He called it “really weird porn spam”. The link in the HTML in fact goes to:
http://drs.yahoo.com/jeremywagstaff.com/NEWS/*http://www.security-warning.biz/personal6/maljo24/www.YAHOO.com/#http://drs.yahoo.com/jeremywagstaff.com/NEWS

My browser, Daniel says, will ignore anything before the * so the remaining link is:
http://www.security-warning.biz/personal6/maljo24/www.YAHOO.com/#http://drs.yahoo.com/jeremywagstaff.com/NEWS

Everything after the # symbol is just an internal page reference so we can ignore that as well, leaving: http://www.security-warning.biz/personal6/maljo24/www.YAHOO.com/

Daniel says going to that page will redirect us to:
http://www.security-warning.biz/personal6/maljo24/www.YAHOO.com/terra.html

Buried in that page is a small graphic that is a simple counter. This page then opens a pop up window that goes to Danni’s Hard drive (apparently a well known porn site). Daniel writes: “This redirect includes the linker’s ID so they get cash from Danni’s for each referral. So, weird but effective. They don’t care if you hang around on the site just that you followed the link and made them money.”

Ugh. One final point from Daniel: The spam script inserts the recipient’s domain into the link to make it appear more relevant – in this case, jeremywagstaff.com. It was nearly enough for me.
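As an added illustration (not part of the original post), the following helper applies the two stripping steps described above mechanically to the quoted link and reports which hostname a reader sees at a glance versus which one is left once the prefix before `*` and the `#` fragment are dropped, plus any domain names (such as the recipient's own) that appear in the link text only as decoys. The function names are my own, and the `*` rule is taken from the post as stated, not from any browser specification.

```python
import re
from urllib.parse import urlsplit

# The link quoted in the post, with its line breaks removed (constructed input).
SPAM_LINK = ("http://drs.yahoo.com/jeremywagstaff.com/NEWS/"
             "*http://www.security-warning.biz/personal6/maljo24/"
             "www.YAHOO.com/#http://drs.yahoo.com/jeremywagstaff.com/NEWS")

HOSTNAME_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def effective_url(link):
    """Apply the two rules the post describes: drop everything up to and
    including the first '*', then drop the '#' fragment (page reference)."""
    if "*" in link:
        link = link.split("*", 1)[1]
    return link.split("#", 1)[0]


def apparent_host(link):
    """Hostname a reader sees first in the raw link text."""
    return urlsplit(link).hostname


def real_host(link):
    """Hostname of the URL that remains after the stripping rules."""
    return urlsplit(effective_url(link)).hostname


def decoy_names(link, real):
    """Domain-looking labels in the link text that are not the real host
    (e.g. the recipient's own domain, or a well-known brand in the path)."""
    found = {m.lower() for m in HOSTNAME_RE.findall(link)}
    return sorted(h for h in found if h != real)


def triage(link, recipient_domain):
    """Summarise the mismatch between what the link shows and where it goes."""
    real = real_host(link)
    decoys = decoy_names(link, real)
    return {
        "apparent_host": apparent_host(link),
        "real_host": real,
        "decoy_names": decoys,
        "recipient_domain_in_link": recipient_domain.lower() in decoys,
        "mismatch": apparent_host(link) != real,
    }


if __name__ == "__main__":
    print(triage(SPAM_LINK, "jeremywagstaff.com"))
```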

A good example of how social engineering doesn’t need to be fancy to work.

11. May 2004 by jeremy
Categories: Spam | 4 comments

Comments (4)

  1. I think this “drs.yahoo.com” is not just spam, but a worm: it also sends itself to all people in your address book.
    I can’t find any info about this worm, can you?

  2. Here you can find more about that worm (added to virus pattern yesterday):

    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_WALLON.A

    Scan your drive…

  3. The link also copies two files (alpha.exe and cool.exe) to the user’s root directory. Alpha.exe, a Delphi executable, is a phone dialer and cool.exe is a pop up creator. Alpha.exe is executed and you can see it in your task manager. IE HomePage and StartPage are changed.