Friday, November 16, 2007

Lonely Polina's Secret

Just as I've been monitoring lots of spam that's using Geocities redirectors, yesterday Nicholas posted some details on a malware campaign using Geocities pages as redirectors, and Roderick Ordonez acknowledged the same. Original Geocities URLs used: (active); (down); (down). Original message of the spam campaign:

"Hello! My name is Polina. I am a student and I have come to Germany to study. I am looking for a friend and a sex partner. All I want is a good man. You should be serious, reliable, smart. Let me know if you want to meet me. You can also simply be my friend. You can see my photos on my page: PLEASE, ONLY SERIOUS proposals. KISSES, POLINA"

The fake lonely German student Polina was also accessible from other URLs; both are now down, as is the main URL, which is now forwarding elsewhere in an attempt to cover up the campaign -- you wish. Internal pages within the IP are still accessible, and so is the malware itself.

Malware campaigners are not just setting objectives and achieving them, they're also evaluating the results and drawing conclusions on how to improve the next campaign. Back in January 2006, I emphasized the emerging trend of localization in respect to malware: take for instance the release of a trojan in open source form so that hacking groups from different countries could localize it by translating it into their native language, making it even easier to use, as well as the localization of the MPack and IcePack malware kits to Chinese. In this campaign a localized URL was also available targeting Dutch-speaking visitors, so you have both German and Dutch languages included, and as we've seen, the ongoing consolidation of malware authors and spammers serves both sides well: spammers will segment all the German and Dutch emails, and the malware authors will mass mail using localized message templates. It's great social engineering that abuses a common stereotype; German users, for instance, were definitely flooded with English messages courtesy of Storm Worm targeting U.S. citizens, which is like a Chinese user receiving a phishing email from the Royal Bank of Scotland - obviously both of these are easy to detect. That is what localization is all about: the malware and the spam speak your local language. One downside of this campaign is that Polina doesn't really look like a lonely German student; in fact she's a model, and these are some of her portfolio shots.

Let's discuss how the malware campaigners are coming up with these Geocities accounts in the first place. Are the people behind the campaign manually registering them, outsourcing the registration process to someone else, or directly breaking the CAPTCHA? It could be even worse - they may be buying already registered Geocities accounts from another group that specializes in registering them, a group which, like the previously covered concept of Proprietary Malware Tools, earns revenue on higher profit margins because it doesn't distribute the product but provides the service, thereby keeping the automatic registration know-how to itself. Once the authentication details are known, anything from blackhat SEO and direct spamming to malware hosting and the embedding of scripts, even IFRAMEs, can proceed in a fully automated fashion.
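The free-hosting pages used in campaigns like this one do very little themselves: they bounce the visitor on to the real landing page with a meta refresh or a line of JavaScript, or pull in a loader through a tiny IFRAME. The following is an added example, not code from the original post, that triages a fetched page body for exactly those redirector patterns so an analyst can pull the off-site hosts out for blocking or further lookup. The sample page and every hostname in it are constructed placeholders (`*.example.invalid`), not URLs from the campaign described above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a typical free-hosting "redirector" page.
# All hostnames are placeholders, not the campaign's real URLs.
SAMPLE_PAGE = """<html><head>
<meta http-equiv="refresh" content="0;url=http://landing.example.invalid/polina/">
<script>window.location.href="http://landing.example.invalid/polina/";</script>
</head><body>
<iframe src="http://loader.example.invalid/in.php" width="1" height="1"></iframe>
<p>Loading...</p>
</body></html>"""

# JavaScript-driven redirects: location = "...", location.href = "...", location.replace("...")
JS_REDIRECT = re.compile(
    r"""(?:window\.|document\.|top\.|self\.)?location(?:\.href|\.replace\s*\()?\s*=?\s*\(?\s*["']([^"']+)["']""",
    re.IGNORECASE)
# The url=... part of a <meta http-equiv="refresh" content="0;url=...">
META_URL = re.compile(r"url\s*=\s*['\"]?([^'\";]+)", re.IGNORECASE)


class RedirectorParser(HTMLParser):
    """Collects (kind, target_url) pairs for every redirect/loader mechanism found."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases attribute names for us
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = META_URL.search(a.get("content") or "")
            if m:
                self.findings.append(("meta-refresh", m.group(1).strip()))
        elif tag == "iframe" and a.get("src"):
            # 0/1 pixel frames are the classic way to load a second stage invisibly
            hidden = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            self.findings.append(("hidden-iframe" if hidden else "iframe", a["src"]))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here as raw text; scan them for location assignments
        if self._in_script:
            for m in JS_REDIRECT.finditer(data):
                self.findings.append(("js-redirect", m.group(1)))


def analyze(html, page_host):
    """Return findings, the off-site hosts they point at, and a redirector verdict."""
    p = RedirectorParser()
    p.feed(html)
    p.close()
    offsite = sorted({urlparse(u).hostname for _, u in p.findings
                      if urlparse(u).hostname and urlparse(u).hostname != page_host})
    return {
        "findings": p.findings,
        "offsite_hosts": offsite,
        "is_redirector": any(k in ("meta-refresh", "js-redirect") for k, _ in p.findings),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_PAGE, "pages.example.invalid")
    for kind, url in report["findings"]:
        print(f"{kind:14s} -> {url}")
    print("off-site hosts:", ", ".join(report["offsite_hosts"]))
    print("redirector:", report["is_redirector"])
```

The parser deliberately treats a meta refresh or a JavaScript location assignment as the redirector signal and reports IFRAMEs separately, since a page that only frames a second-stage loader is a different (and usually more dangerous) pattern than a plain bounce. Feeding it the page bodies behind suspect free-hosting links from a spam feed gives a quick list of the landing hosts that actually need attention.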

Meanwhile, what are the chances there's another scammy ecosystem on the same netblock? But of course: fake watches, malware C&C, spammers, a phishing URL.