
WARNING: Do NOT use the ImageComedy Network! - It spoofs e-mails (with viruses)


javacool
August 29th, 2002, 10:05 AM
You can consider this a public service announcement - or, at the least, a potentially interesting read.

I placed this here, because it really doesn't fit completely in ANY of the other forums.

I received an e-mail from a friend that said I had received an Online Comedy E-card from him through the "ImageComedy Network". Clicking on the link, which looked innocent enough, I arrived at a page telling me the following:

-{ Quote: "
From: <friend - name removed> <email address removed>
To: <me> <email address removed>
Subject: can you do me a favor?

Hi <me>, I'm sending you this funny picture for two reasons - first, because it's hysterical (you'll see what I mean in a second!)...and second, I need you to do me a favor - can you fill out five different people who can verify that they know you? i only need 5 more referrals to win a prize...thanx! - <friend>
" }-

-{ Quote: "
Before viewing your funny picture, <friend> has urgently requested your help in earning their final 5 ComedyPoints. To do this, please enter a few people (below) who can verify that they know you. Then click below to view your funny picture.
" }-

Well, I smelled a rat, so I created 5 new hotmail e-mail accounts just to see what this would do - I figured since I had already clicked on the link, they probably already had my e-mail address.

It showed a semi-amusing picture of a gas station sign (which, it turns out, is the same for everyone, but more on that later). It also said that I could get free prizes myself - nothing about winning them for my friend (which, of course, I hadn't assumed was the case anyway). Then, I went to check one of the new hotmail accounts...

Inside was a message COMING FROM MY E-MAIL ADDRESS with the same contents as the one I received. Now this enraged me, because the web site spoofed my e-mail address, and then had a web page asking the users to enter 5 e-mail addresses to "help me win". Of course, as I mentioned above, I had already "won" some free prizes (minus shipping and handling) - but that's not the last of it...

Today, I received 5 e-mails - all from different people, but some containing viruses, and the other asking me to "click on a button to activate frames so you can see this message" (UPDATE: This is hotmail's built-in protection mechanism - these e-mails, which I will probably never view, contain a "pif" file and a "HTML" file - typical characteristics of a virus-laden e-mail). The problem was, I have never, EVER, gotten spam in that inbox - until I went to the ImageComedy network.

However, the thing that scares me the most is the fact that I received another e-mail, from a business, saying that AN E-MAIL I SENT HAD BEEN REJECTED BECAUSE THE ATTACHMENT CONTAINED A VIRUS. Now, obviously, I had never contacted this business in any way (they sell dental products I believe). I can only come to the conclusion that the ImageComedy Network spoofed an e-mail to make it seem as if it came from me, and attached a virus to it. (See a couple posts down - ImageComedy Network *may* be infected with Klez - but again, it is still definitely an e-mail harvester).

-{ Quote: "

From: NAV for Microsoft Exchange-NTBEXCH
To: <me>
Subject: Norton AntiVirus detected a virus in a message you sent. The infected attachment was deleted.

Recipient of the infected attachment: <name removed>\Inbox
Subject of the message: Look,my beautiful girl friend
One or more attachments were deleted
Attachment Km.scr was Deleted for the following reasons:
Virus UNAUTHORIZED FILE was found." }-
(Obviously, I don't send out e-mails with the title "Look, my beautiful girl friend" <-- NOTE: This is a typical Klez.H subject title.)


Obviously, the ImageComedy network is some front for e-mail address collection, so please, DON'T GO THERE - but also, it has sent out AT LEAST ONE E-MAIL, looking like it came from MY E-MAIL ADDRESS, with a VIRAL ATTACHMENT (probably Klez - that is the virus I got from a couple of the spam e-mails this morning). They have shown they spoof e-mails (in the 5 hotmail e-mail addresses I registered), and this activity is not only malicious, but almost definitely illegal.

Any ways to shut them down would be appreciated.

UPDATE: It is always possible that the ImageComedy Network is actually INFECTED with Klez, but from what I've seen, I'm guessing otherwise (they've already shown a willingness, and ability, to spoof e-mails even WITHOUT the virus - and at the least, this is an e-mail harvesting operation).

-Javacool

P.S. Long story short, PLEASE do not open any e-mails from the ImageComedy Network - I would like to hope by getting this out to people, that their distribution of viruses is brought to a halt, or at least fewer people will receive them - whether or not their distribution of viruses is purposeful or an accident.

root
August 29th, 2002, 10:23 AM
Oh man, that's nasty! >:(
Sometimes these bozos come up with some pretty inventive ideas. This one is not up there with the invention of ice cream, but it has some thought behind it.

Thanks for the heads up on this. I can see how this could have a tremendous exponential infection rate if it hits the right crowd in hotmail and yahoo. You know the click, send gigglers.
Is this a worm, as such, or what do you call this?

javacool
August 29th, 2002, 10:27 AM
-{ Quote: "
Oh man, that's nasty! >:(
Sometimes these bozos come up with some pretty inventive ideas. This one is not up there with the invention of ice cream, but it has some thought behind it.

Thanks for the heads up on this. I can see how this could have a tremendous exponential infection rate if it hits the right crowd in hotmail and yahoo. You know the click, send gigglers.
Is this a worm, as such, or what do you call this?
" }-

I wouldn't call it a worm - nothing is physically residing on my computer, apart from the encrypted copies of the e-mails I was sent (for proof).

It is, at the least, an e-mail harvesting operation - but (see update to original post above):
-{ Quote: "UPDATE: It is always possible that the ImageComedy Network is actually INFECTED with Klez, but from what I've seen, I'm guessing otherwise (they've already shown a willingness, and ability, to spoof e-mails even WITHOUT the virus - and at the least, this is an e-mail harvesting operation).
" }-

I do have to agree that this operation definitely has a lot of thought behind it - any sane, non-paranoid person might simply enter 5 e-mail addresses of their friends ;)...and the cycle will continue (plus, I forgot to mention, it doesn't let you continue until you enter 5 COMPLETE names and e-mail addresses). :-\

-Javacool

javacool
August 29th, 2002, 10:43 AM
Attached, is a screenshot of the message you get (after you click through a link to show the page).

-Javacool

MyNethingyman
August 29th, 2002, 10:45 AM
I have posted a link to your thread here at DSLR and I thank you.

javacool
August 29th, 2002, 10:57 AM
ANOTHER UPDATE:

Either the ImageComedy Network is infected with Klez (in which case, don't use it just because you'll get tons of e-mails with Klez) - or it is sending out these e-mails purposefully.

I am now leaning towards the first option - as it seems all the e-mails I have received have the typical Klez.H@mm subject titles.

NOTE: I would still not recommend using the ImageComedy Network just for the fact that you will have e-mails with Klez sent out in your name.

Also, the ImageComedy Network is definitely an e-mail harvesting site - the first e-mail it sends out has no help from Klez in spoofing your e-mail address. If you have visited the site now, or a while back, you should be warned you will probably be getting many e-mails with Klez, if you haven't already.

-Javacool

UNICRON
August 29th, 2002, 11:37 AM
Excellent work Javacool!

You have done a most thorough job of exposing these scallywags. Making 5 new hotmail accounts to test was a good idea (although monotonous I'm sure)

You definitely deserve applause for that one, so here ya go ~cha-ching~


I have made this topic sticky for a while, 'til it becomes common knowledge.

Prince_Serendip
August 29th, 2002, 11:41 AM
:) Hi Guys! Boy am I glad I don't have a Hotmail account! You could try reporting it to D-Shield (http://www.dshield.org/index.html). You could also try SecurityUnit (http://www.securityunit.com/incidents/index.htm) at the Incident Report page. I'm going to check around further. I'll be back.

SecurityUnit is definitely the one to go to report this incident! I fixed the above link to take you directly to their Incident Report page.

-{ Quote: "SecurityUnit provides 24x7 Computer Security Incident Response Services to any user, company, government agency or organization. SecurityUnit provides a reliable and trusted single point of contact for reporting computer security incidents worldwide. " }-

Paul Wilders
August 29th, 2002, 12:13 PM
Now, that's javacool! 8). Nice catch and a very good job done indeed.

regards.

paul

Checkout
August 29th, 2002, 05:05 PM
Perhaps...perhaps your five email addresses should not have been Hotmail accounts.

tim.thick@imagecomedy.net abuse@imagecomedy.net ...etcetera...
How nice it would be to watch them screaming into a loop...

javacool
August 29th, 2002, 05:41 PM
-{ Quote: "
Perhaps...perhaps your five email addresses should not have been Hotmail accounts.

tim.thick@imagecomedy.net abuse@imagecomedy.net ...etcetera...
How nice it would be to watch them screaming into a loop...
" }-

Maybe so, but it wouldn't have verified that it spoofed your e-mail address to those 5 "friends". :-\

Although I may have another go at it. ;)

-Javacool

Just_Bob
August 29th, 2002, 06:15 PM
You REALLY don't want to go there:

From Google:

Did you mean:image comedy network

Note from FanJ:
All links deleted.
We try not to post such links here.
Would you please also try not to post those links?
Thanks.

javacool
August 29th, 2002, 06:30 PM
-{ Quote: "
You REALLY don't want to go there:

From Google:

Did you mean:image comedy network

<links removed> ...
101k - Cached - Similar pages

Did you mean to search for:image comedy network

" }-

Hmm - Well I'm rather lucky that the "funny image" I saw was only of a gas station sign then...it sounds as if it could have been a lot worse.

-Javacool

Paul Wilders
August 29th, 2002, 06:36 PM
Hi Bob,

Welcome!

As for:

-{ Quote: "Where am I" }-

Just another security board ;)

-{ Quote: "and how did I get here?" }-

..calculated guess: Gibson's GRC? ;)

regards.

paul

NMF5@aol.com
September 3rd, 2002, 01:25 PM
Hey, I fell for this same scam. I hope I don't have a virus now. How do I check? Tell me what to do! I've warned everyone that I gave the addresses of, as well as the guy who sent it to me. I don't normally open e-mails from addresses that I don't know, and I usually delete forwards just because I hate them. But I'm really disappointed that my name was used in a quote that I didn't say. Thanks for doing the research! Well done!

anders
February 18th, 2003, 04:58 PM
Hmm.. regarding that Klez thing.. remember that Klez uses a random e-mail address as sender.... So, anyone infected with Klez who has your e-mail address could have unknowingly sent that mail, which ended up bouncing back to the faked sender (you).

I don't think that the Klez mail was sent from ImageComedy. Then again, I'm only guessing, and I'm too tired to really read all the thread ;)

Best regards,
Anders

Gavin - DiamondCS
May 9th, 2003, 01:22 AM
Yes, this virus has very good searching too, doesn't it? So any email address in an HTML file in your temporary internet folders could be used as the spoofed address..

When I went looking into this, I concluded that really, it's almost untraceable where it came from. The address you see in the from field could have been determined by the worm in one of many ways, or be completely faked and not a valid address. Lots of blame has been directed at innocent users over this worm in its long history ::)

javacool
May 9th, 2003, 05:31 PM
True. But again - I created new Hotmail accounts that had never received a message before (and they were random enough that they probably wouldn't be hit without being listed somewhere), followed a link to the ImageComedy network, and voila - spam received in my inbox, and Klez also.

I received several "bounced" e-mails with that address also - so while it is very possible that someone with my original e-mail address was infected with Klez, it is near-impossible that someone could have had this randomly created new hotmail account in their address book.

Best regards,

-Javacool

bob_man_uk
June 7th, 2004, 09:36 AM
I've seen this type of thing happen before. Recently I had to block a lot of e-mails (on our Domino server) due to the fact that our mail users were getting a hell of a lot of VIRII emails ranging from netsky.A-.ZZ and mydoom@a.mm-@z.mm etc. They never really seemed to have anything the same about them. So I decided to test it out: I downloaded these virii and built a test environment, letting them loose and sending virii to email accounts temporarily set up. It turns out these types of virii spoof the sender's address so it is nigh-on impossible to catch, which is very sly, but in the Klez case your mail will no doubt have been spoofed and sent to the dentist association or whatever it was. Anyway (my fingers are sweating now) it may not be entirely ImageComedy Network's fault, though it does seem highly susspicious (wrong spelling I know), not that I'm trying to back them up or anything. I just found myself telling users off for sending virii in mails when it was eventually clear they weren't (my face was red for about a week as I had to bite the bullet).

Anyway, if anybody reads this, don't jump to conclusions, as more often than not the virus writer will be laughing at your expense.

Rita
July 15th, 2004, 07:23 PM
-{ Quote: "You can consider this a public service announcement - or, at the least, a potentially interesting read." }-
Thanks.
I'll keep the ImageComedy Network in mind and not open anything from them. I get emails a lot from some fun site and some from a site called Twisted Humor which I don't open because someone said they had spyware installed on your computer if you visited the site--whether it's true or not I don't know but I don't want to take any chances--thanks for the warning
rita

Jimbob1989
February 1st, 2005, 01:50 PM
I understand this thread was made a while ago, however I just tried to find a website for this company and could only see forum threads. Has the company been closed down do we know?

Jimbob

airjrdn
February 21st, 2005, 12:58 PM
I'm new here, but wanted to offer a piece of advice that would have made the initial testing of this much easier.

If you have a domain name registered, most registrars I've been with allow you to have a catch-all address. This can be useful for a number of purposes.

1 - You could just type in <AnyWordHere>@YourDomain.com and if they aren't set up as an actual email address, they'll go to the catch-all account. This would have allowed you to not have to set up 5 new accounts just for this test purpose.

2 - (cool option here) Let's say you buy something from NewEgg. When you register your account there, you sign up using newegg@YourDomain.com as your email address. You could either start checking this account, or (like I do) just forward your catch-all address to an address you do check. However, if you start getting spam at newegg@YourDomain.com, you know it's a result of them giving it out, because obviously you wouldn't use that for any other site.

The cool thing is, if you started getting spam at newegg@YourDomain.com and no longer wanted to see it, you could just set newegg@YourDomain.com up as an email account and never check it. That would negate it from going into your catch-all account.

3 - This also allows you to get emails to admin@YourDomain.com, webmaster@YourDomain.com, sales@YourDomain.com, etc. without having to set those accounts up or check them.
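The catch-all scheme above, as an added example that is not part of the post: a small Python checker that, given a catch-all domain and a register of which alias was handed to which site (all assumed values), reads incoming headers and reports which alias received mail from a party it was never given to, covering the leak case (point 2), the sunk-mailbox case and the role-address case (point 3).

```python
"""Per-site catch-all aliases: which alias leaked, and to whom?
Added example, not from the thread; sample messages are constructed."""
from __future__ import annotations
from email import message_from_string
from email.utils import parseaddr

CATCHALL_DOMAIN = "example.com"  # assumed catch-all domain

# alias local-part -> domain the alias was handed to (assumed registrations)
ALIAS_OWNERS = {
    "newegg": "newegg.com",
    "imagecomedy": "imagecomedy.net",
    "admin": None,  # role address: mail from anyone is expected (point 3)
}
# aliases later turned into real, never-read mailboxes (point 2)
SUNK_ALIASES = {"twistedhumor"}

def classify(raw_message: str) -> tuple[str, str, str]:
    """Return (alias, verdict, sender_domain); verdicts are
    expected, leaked, sunk, unknown-alias or not-ours."""
    msg = message_from_string(raw_message)
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    sender = parseaddr(msg.get("From", ""))[1].lower()
    local, _, domain = rcpt.rpartition("@")
    sender_domain = sender.rpartition("@")[2]
    if domain != CATCHALL_DOMAIN:
        return local, "not-ours", sender_domain
    if local in SUNK_ALIASES:
        return local, "sunk", sender_domain
    if local not in ALIAS_OWNERS:
        return local, "unknown-alias", sender_domain
    owner = ALIAS_OWNERS[local]
    if owner is None or sender_domain == owner or sender_domain.endswith("." + owner):
        return local, "expected", sender_domain
    return local, "leaked", sender_domain

# constructed sample messages (headers only, bodies omitted)
SAMPLES = [
    "From: orders@newegg.com\nTo: newegg@example.com\nSubject: Your order\n\n",
    "From: promo@pills.example.net\nTo: newegg@example.com\nSubject: buy now\n\n",
    "From: friend@hotmail.com\nTo: imagecomedy@example.com\nSubject: e-card\n\n",
    "From: anyone@elsewhere.org\nTo: admin@example.com\nSubject: hi\n\n",
]

def leaked_aliases(samples: list[str] = SAMPLES) -> dict[str, list[str]]:
    """Map each leaked alias to the sender domains seen abusing it."""
    report: dict[str, list[str]] = {}
    for raw in samples:
        alias, verdict, sender_domain = classify(raw)
        if verdict == "leaked":
            report.setdefault(alias, []).append(sender_domain)
    return report
```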

Graphic Equaliser
April 3rd, 2005, 06:03 AM
And when the mailbox for that domain ending is full, *all* accounts cease to function. There is truly only one way to deal with spam (especially when you get over 10,000 spam emails every single day like me!), and that is to write your own email client that filters out anyone *not* in your address book or your "acceptable domains" list (my solution) or to use Mozilla Thunderbird and train it (this doesn't work very well on my account since it reads all the messages off of the server, and this alone takes far longer than just downloading the headers).

You need my proprietary solution to decide using only the header part. *All* other email products on the market retrieve the whole message and then decide if it's junk mail or not. In my case where I receive over 10,000 emails every 24 hours, and there are usually only a couple of emails I would want to read, the header method is by far the most efficient, and it only takes about 20 minutes to sort this lot out every day. With a fully trained Thunderbird on the same account, I gave up retrieving emails after 2 hours had gone by (it had gone through about 5,000 emails by this time), and I was up to 500 "not junk" messages about Viagra! Contact me for more information on my proprietary solution.

For all of you now asking, "What about people not on your lists, who want to email you?", to which I reply, "Try my form at http://www.jacobsm.com/mjmsg.htm?Your Subject Here"
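The header-only allowlist described above, as an added Python example rather than the poster's proprietary client: it decides from the header block alone (the part a POP3 TOP command returns) using an address book and an acceptable-domains list, both assumed here, and the last sample shows why a forged From: line like the Klez mail earlier in the thread still gets through.

```python
"""Header-only allowlist filter, as the post above describes it.
Added example, not the poster's code; lists and header blocks are constructed."""
from __future__ import annotations
from email.parser import HeaderParser
from email.utils import parseaddr

ADDRESS_BOOK = {"friend@hotmail.com", "boss@work.example"}  # assumed
ACCEPTABLE_DOMAINS = {"forum.example", "work.example"}     # assumed

def sender_of(header_block: str) -> str:
    """Parse only the headers and return the bare From: address, lowercased."""
    headers = HeaderParser().parsestr(header_block, headersonly=True)
    return parseaddr(headers.get("From", ""))[1].lower()

def keep(header_block: str) -> bool:
    """True if the sender is in the address book or an acceptable domain."""
    sender = sender_of(header_block)
    if not sender:
        return False
    if sender in ADDRESS_BOOK:
        return True
    return sender.rpartition("@")[2] in ACCEPTABLE_DOMAINS

def triage(header_blocks: list[str]) -> dict[str, list[str]]:
    """Sort header blocks into keep/discard without ever fetching a body."""
    out: dict[str, list[str]] = {"keep": [], "discard": []}
    for block in header_blocks:
        out["keep" if keep(block) else "discard"].append(block)
    return out

# constructed header blocks, the part a POP3 TOP command would return
HEADERS = [
    "From: Friend <friend@hotmail.com>\nSubject: lunch?\n",
    "From: admin@forum.example\nSubject: thread reply\n",
    "From: promo@pills.example.net\nSubject: buy now\n",
    # display name forged to look like an address-book entry: still discarded
    'From: "friend@hotmail.com" <spam@pills.example.net>\nSubject: hi\n',
    # Klez-style forged From: of an address-book entry: passes the allowlist,
    # which is the limit of any sender-based filter (see anders' post above)
    "From: friend@hotmail.com\nSubject: Look,my beautiful girl friend\n",
]
```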