Sunday, January 23, 2011
Following a Spammer's Trail
Yesterday, a friend posted an odd message to my Facebook wall. As soon as I read it I realized that her account was highjacked, probably by visiting a nefarious website.
This can happen when you click on a link that takes you to a website while you're still logged into Facebook. At this point, the nefarious website will exploit a vulnerability in your web browser and post something to Facebook on your behalf.
I decided to follow the trail. It started with a post that took me to allfreeipad.com (to be on the safe side, don't visit these websites).
AllFreeiPad.com redirected my web browser to www.ipadfree4me.com which lead me to www.ipadfree4me.com/freeipad.htm.
This is where things got interesting, at least from a technical point. Most people know that you can view a web page's HTML source code to see its details (View -> Page Source). This is the first step to finding out the "where and how" a webpage was created, and the source code is almost always human readable unless you're trying to hide something. Instead of normal HTML, the actual source of this page uses JavaScript encoding (called escaping).
This is what you get if you decode (unescape) the JavaScript:
This escaped JavaScript tells your web browser to create an HTML frame and display the contents of elitesiteemporium.com/ipad-for-testers/?mn=54321.
After all these hops, you're now at elitesiteemporium.com. This domain name is private, so you can't see who actually owns it, but you can find out that its IP address (92.241.169.14) reveals that it's located in Russia. However, this isn't the end of the line, after a few more hops, you'll end up at a web page that wants you to enter your e-mail address so that they can send you a free iPad.
The trail ends at yourrewardinside.com's servers (IP address 204.51.78.152) running on a network leased to MPC Systems LLC which could be based in Delaware or perhaps Texas, depending who you ask.
Keep in mind that there are two parties (confederates) involved in this scheme which could be unrelated, but that's usually not the case. One party created the nefarious web page which posted their message to your Facebook wall, without you knowing, and the second party is located at the destination website (yourrewardinside.com) which claims that it will give you an iPad for the low (free) price of giving them your e-mail address.
I wouldn't recommend giving them your e-mail address.
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.