New Spam Retaliation Tool

Discussion in 'other security issues & news' started by Paranoid2000, Nov 8, 2006.

Thread Status:
Not open for further replies.
  1. spamislame

    spamislame Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    52
    Hey there

    Hm. Well that's odd. :/ Only case I've heard of. Maybe you've disabled javascript on FF?

I was seeing 30+ a day to one seed account I monitor. Those were just for these products, out of a total of 50 spams per day, with the rest being mostly for stocks. That dropped to - no joke - zero (0) since I launched this tool. Not even a single stock spam. Seeing one today though, so something is in the works.

    There is no such thing. :)

    Oh god no. Nothing that complex. This is purely javascript, and only exists when you run it locally on your machine. It doesn't "report back" anywhere. The order counter is only local to your machine, and resets when you close and then re-open the kill.html file. If you want another Blue Security style function, maybe contribute to or monitor the Okopipi project (search for it, it's pretty well known), though in my opinion it's not going fast enough and is becoming far too bloated to be effective in any meaningful way.

    Life-cycle: until we see a "domain not found" or some other error in the window to which this utility posts. This is posting to a very specific target, in a very highly customized way based on data I gathered from a poorly-configured PHP setup which exposed this spammer's entire back-end setup.

    Several people have reported that after posting 30,000+ orders (!!) they feel that that's enough. That's only a handful of people though. By and large people are just running it all day, every day.

    I don't really feel there is a life cycle to this tool specifically. I'm not even certain the spammers have caught on as to what's happening. They will eventually and when they do they'll more than likely just shut these three domains down and start spamming again. At that time I will be hunting for more evidence and exposed web server setups (though it's unlikely they'll allow such a mistake to be repeated.)

As an aside: I have never seen a utility last so long (i.e. the domains are still active and they definitely appear to still be accepting postings.) The average attack I've launched has lasted a matter of hours because it typically hits the front-end website, which the spammers monitor much more closely, so they shut those down immediately or start banning IPs once a breach is discovered. Since this targeted a back-end, non-consumer-facing set of domains, I'm not sure they're capable of switching it over so quickly. Something like 3000 domains were talking specifically to these three domains for order processing.

I'd also like to add that there are a couple of invaluable Firefox extensions which I heartily recommend, and which work on the front end of several regularly-spamvertised domains:

    http://fightspam.thecarpcstore.com/formfiller/

    I recommend reading up on those. If you visit the forum on thecarpcstore.com/phpbb2, you'll see a targets section which reports on domains which are susceptible to these formfiller utilities. The more people install and use these tools, the less spam we'll all get eventually.

    Hope that helps.

    Thanx for keeping up the pressure and providing feedback.

    SiL
     
  2. fleamailman

    fleamailman Registered Member

    Joined:
    Oct 1, 2006
    Posts:
    3
I see a drawback to this idea. Suppose I didn't want the information but only wanted the victim to become more aware of a product, so I would first make a bad product called, for example, crappy cola, knowing that the victim will dismiss it as a sham, but in the victim's mind remains the fact that there is a drink (a mortgage, a sex enhancer, etc.). So the same company, distancing itself from bad cola, then comes up with a good cola because the victim is now receptive to the idea of the product. Crappy cola was worth it then since, in a nutshell, spam is advertisement to boost product awareness; it does not need to make money directly, it only needs to remind you that a product exists. If there are fools that fall for crappy cola, good, but it is not the goal here I believe. If you see the amount of money spent on advertisement at a loss, this is really peanuts, selective and in one face too, great for the spammers today; their products, though dismissed, are still known by us.

Conclusion: if we send back the spam, they are not going to mind, since I believe that after a while their intention is to revamp as a good product in due course, by then we will know all about colas.
     
  3. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
This isn't about sending back spam - it is about filling a spammer's system with fake orders. This does mean they incur a cost since if they have too many bad credit-card numbers going through, they could lose their account.

    Not too sure where the idea of this being a marketing test comes from either - this spam has been going on for at least a year and a half (according to news.admin.net-abuse.sightings) and while one can certainly say that only an idiot would go for it, there are apparently enough out there to make it profitable.

    Ultimately, spam is about trying to sell products that cannot be marketed in any other fashion, due to them being illegal, hazardous to health or outright frauds. The only prospect of anything better from a spammer that I have seen was, quoting literally from their email "dun beleave me.. well.. will check and I will make myself harakiri :)" - if that spammer put a video of himself committing hara-kiri on YouTube it would likely be a number one download.
     
  4. charincol

    charincol Registered Member

    Joined:
    Nov 10, 2005
    Posts:
    113
    Where can I find this video?:eek::D
     
  5. spamislame

    spamislame Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    52
    I flatly disagree with what you're saying here. Pardon the length but this is not a cut-and-dried operation by any means.

    a) These sites, all of them, for all of these products, have been relentlessly spammed with absolutely no means of opting out.
b) There are several people in law enforcement who feel that these sites do not even exist to sell a product, but in fact are there to steal and re-sell credit card information on the black market. I don't think I buy that since a lot of effort is made to tie a specific price, including conversion into Rubles, plus shipping cost, to each product. There also appears to be a pretty rigorous affiliate system in place. These people definitely do intend to profit from their spamming.
c) Spur-M has been verified by real pharmacists as a dangerous product which they would never recommend any patient ingest. Its ingredients are a mixture of several diuretics and hormonal enhancers which have very serious side effects if not properly monitored or prescribed by a licensed pharmacist.
    d) If all these spammers wanted to do was get the Spur-M "brand" out there in the hopes of prepping for a secondary "real" brand, that would take, at most, six or seven spam runs to the average 35 million people assumed to have been spammed with these specific emails. At the time I wrote this utility, Spur-M (as only one example) had been spammed to several of my inboxes, over the course of five and a half (5.5) years! Exactly how long did they need to keep that going before suddenly unleashing this amazing "brand x" replacement?! Keep in mind that Spur-M is only one of six (or probably more) products that they routinely blast out to everyone's email address whether they want it or not.
e) Spur-M's exact chemical makeup is also present in at least three other products which these spammers blast out to the public: Vigramax, More-Size and Extra-Time. They make spurious medicinal claims in the advertising for all of these products, none of which (verifiably) are true.

I refuse to associate wholesale spamming in the amounts these malicious individuals participate with the actual, legitimate marketing attempts put behind real, verifiable products. Nobody accuses Pfizer of spamming, because they spend billions (with a "b") of dollars every single year on TV ads, radio ads, print ads, bus placards, counter talkers, probably hundreds of other legitimate advertising methods. They stand behind their product because they put several years and billions (with a "b") of dollars into the research and development of their products. They can't be held accountable for spamming because they have a real product, backed up with real research. They aren't trying to sully the market by putting an alternative brand out there (and in fact they don't allow any infringement of their patents, so there can be no "generic" Viagra. Their patent has several years to go before that's even possible.) They're a real company. You can go to their offices and find out about their products, advertising, etc.

    Further: Pfizer does a lot of research into how best to refine which market sees their ads. They want to hit an older demographic so they tend to advertise on TV during shows that people over the age of 40 have an affinity with. (Gilmore Girls and 60 Minutes are only two examples.) They only want those who really want to know about their product to get in touch with their pharmacists and possibly purchase it. They do not want just anybody using it given the potential health risks involved.

    These spammers: they never show any real identity to anyone. They register their domains using fake identities, usually via stolen credit cards. They "advertise" fake products with either no medicinal ingredient whatsoever, or with a very dangerous mix of them as is the case here. They lie. They lie consistently. They lie about everything from the "134 bit" security their websites claim to have (they feature absolutely no security of any sort) to the testimonials for their "products" (all fake) to their claims that you can contact them about any of the products they advertise (no opt out, no contact address, and their contact forms process absolutely no incoming data and end up sending no messages to anybody.)

    They "advertise" to a majority who absolutely have zero interest in their products. They don't care who gets it as long as it turns into money in their pockets (or credit card data, which they can sell.)

    Also: We are not "sending back the spam." We are instead giving them a taste of slightly different medicine. They don't care who gets their ads, so we don't care that we fill their database with 100% fake information, right down to the credit card number. (Which, while of valid format, is completely unusable.) We're not sending them spam. We're sending them precisely what they asked for: orders. If we were spamming them I would merely have created a function that posted encoded data to all fields, possibly choking their databases or causing system outages. I'd have it refresh at a much faster rate so I could get as much of the encoded large-size data into their db's as possible. That's essentially what these spammers do by sending me 50 messages a day for a product I don't want. Those 50 are the attempts that make it through the filters so the number is usually quite a bit higher.

    I don't buy this hypothesis. These spammers are criminals, not marketeers. There are known task forces in place to hunt them down. They care as much about marketing a real product (cola or otherwise) as I do about animal husbandry.

    Sorry to run off at the mouth here, but it appears you're not familiar with the extensive criminal nature of these miscreants.

    SiL
     
  6. spamislame

    spamislame Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    52
    Newest version

    A new, updated version to reflect the spammer's modifications:

    http://www.mytempdir.com/1059710

New affiliate IDs.
    Now also targets the ManXL product line.
    Dynamically selects an icon to show you which product is being "ordered".
    Randomly selected 6 second refresh.
    Updated "what does it do?" page.
    New logo thanx to Veka.

I recommend running this version as it reflects the newest IDs this spammer is using. I'm writing a breakdown of this operation to be as detailed as possible and expose the affiliate company for the spammers they are. That's taking some time but this should tide you over in the meanwhile. :)

    Thanx again for your support.

    SiL
     
  7. borat

    borat Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    3
    SiL, thanks for your very detailed answers, very appreciated. :thumb:

What I meant by the SETI / Folding question was: is the tool to be used indefinitely for the foreseeable future, which you answered.

So far my count's up to c. 7,800 :D
     
  8. spamislame

    spamislame Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    52
    Ah. Yes. :) Glad I could assist.

    Several people are now into the tens of thousands of orders per day. I noticed my spam intake this morning was exactly two (2), and both seemed to be quite amateur. (Missing links, broken images or other broken data that would actually deliver what they were hoping to promote.)

    This is the quietest it's been in ages. I'm sure it won't last of course...

    Also: I have several requests in with the company GenBucks - who I believe to be behind this spam run - asking why they allow spamming when their alleged terms of service claims to have a zero-tolerance policy against it?

A thorough synopsis (as much as I could come up with based on the evidence) is available on thecarpcstore.com at the following URL:

    http://thecarpcstore.com/phpbb2/viewtopic.php?t=395

    I fully expect them to shrug off any accusations of spamming. GenBucks has been notoriously linked to large-scale spamming for many years.

    SiL
     
  9. spamislame

    spamislame Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    52
    Latest version

    I'm not sure how effective this version will be but... it couldn't hurt! :)

    http://www.mytempdir.com/1065131

Adds the latest affiliate ID, "gall3". Only while I was attempting to ensure its carry-over across all products, the domain stopped responding! :) Which may mean that the site which was hijacked finally got my eighth (8th) message.

    Either way: they appear to still want these orders. Let's not let them down.

    Thanx!

    SiL
     
  10. spamislame

    spamislame Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    52
    Two week update...

    I dunno about anyone else but... I haven't seen *any* spam lately for Spur-M! :)

    I'd like to thank everyone for running this, and voting for it on Digg.

    It's probably not over yet (and indeed I continue to see the occasional new site trickle in from folks out there) but I'd have to say this has been an extremely effective campaign against these spammers, and their affiliate program: GenBucks.

    As an addendum: GenBucks remain 100% mute about all of this. Not one single response about their spamming activities, or the mass orders. I haven't seen any further complaints on their affiliate forum either, but I'm sure some fairly big questions have been raised.

    As we speak a total of at LEAST 429 copies of the Spur-M-Enator(TM) are being run in the wild. (That's based solely on downloads, the actual number is probably quite a bit higher.) That must be resulting in some rather hefty daily (or hell: hourly) order numbers on the GenBucks system. :)

    Thanx again, and let's not give up. GenBucks has yet to say anything about this and they owe it to us. Until they do I don't care if another 400+ people download and use this utility against them: they're spammers, plain and simple, and they don't seem to care.

    SiL
     
  11. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,514
    Location:
    Annie's Pub
    Re: Two week update...

    SiL,

    we have to thank you!:thumb:

And you know: I never give up the battle against spammers and other cyber-criminals ;)
     
  12. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Re: Two week update...

    Seconded - it's good to see a stop to this particular type of spam (I have received just a couple during the last week). May GenBucks and their affiliates choke on their own merchandise...
     
  13. spamislame

    spamislame Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    52
    This is what all of the servers are showing today. :)

    SiL
     
  14. herbalist

    herbalist Guest

    spamislame,
If you could come up with a more modular version of that tool, one where the core ordering/credit card component is basically constant but new address or site modules could be easily added, it could also be used to attack phishing sites.
    Rick
     
  15. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    There are some tools already for this - see the Barclays Phishing thread for an example.
     
  16. herbalist

    herbalist Guest

I'd like to see it turned into a Mozilla/Firefox extension. Park it on a phishing site and let it run.
    Rick
     
  17. spamislame

    spamislame Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    52
    Believe me that was the goal. However spammers do nice tricks like randomizing the parameter names or completely changing the order of several variables within the form. They'll do it daily. So no standardized approach is possible.

    I've written several phisherators(tm) which have been extreeeemely effective against phishers. I've noticed that several others have taken them and modified them for new phishing attacks, which is good. :) The more the merrier.

Even the formfillers we have made, which are Firefox extensions, require nearly daily updates just to account for all the various modifications the spammers keep making to counter this retaliation.

    Why they fail to realize that STOPPING the spamming would make all of this irrelevant is beyond me. :)

    SiL
     
  18. herbalist

    herbalist Guest

    :D :D
    Will they work with the Mozilla suite?
    Rick
     
  19. spamislame

    spamislame Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    52
I am unsure what you mean. They work on Firefox, all versions past 1.4

    http://www.thecarpcstore.com/fightspam/formfiller/

    :)

For URLs to test it on, that site has a "targets" section which defines several offending spamvertised URLs and the effectiveness of these formfillers against them. An example:

    Code:
    formstrue.com
    SiL
     
  20. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    825
    Location:
    United States
    When I launch the kill.html I get one window that looks like it is generating the random form, as expected. However, I also get a blank window that has the following:
    Is this normal?

    Is it working like it is supposed to work?

    Why the invalid MySQL error?

    Also, I like your work spamislame. My concern is that you are going to go the way of Blue Security. Are you concerned that your efforts will either result in making yourself a target, or worse, making everyone that chooses to utilize your scripts a target?
     
  21. herbalist

    herbalist Guest

It's a completely different setup than Blue Frog was. While he could well make himself a target, there's no separate application like Blue Frog or central server being used for the spammer to attack. The users' e-mail accounts/addresses aren't identified here. The spammer could possibly add malicious content to the site being attacked, effectively making it strike back, but they'd be striking actual customers as well. Other than adding malware or using some exploit on the order pages, about the worst they could do would be a DDoS attack, which is more probable for the author than the users.

Not using Firefox. I'm still running the Mozilla suite, 1.7.12. Some FF extensions don't work with it. Eventually I'll get around to trialling SeaMonkey, which is based on the Mozilla suite.
    Rick
     
  22. spamislame

    spamislame Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    52
    Their site apparently underwent some modification in the past couple days. I believe that means they are no longer processing orders the same way. It used to be completely blank (since no consumer-facing site was ever hitting it previously.)

    As far as I'm concerned this probably means that they've modified in such a way as to render this type of attack useless. That's not stopping people from continuing to run the Spur-M-Enator(TM) however. :)

    I was DDOS'd long before Blue Security ever was, just not to the same extent (since I'm obviously not an internationally renowned corporate entity. :) At least not yet.)

    Sure I'm somewhat worried - these guys DDOS whoever they feel is an annoyance or a threat. It's sort of like a 4 year old throwing a tantrum. Lately the only retaliation I've faced is the banning of any IP address I use to snoop around.

Having said that: I can't stress enough that if you feel at all uncertain or insecure running any of the utilities I create, I recommend possibly *not* running them. There is the very real risk of being DDOS'd yourself (which is not quite as bad if you're merely a consumer-level user of the internet, just turn your PC off.) Especially in the case of the career spammers: these are genuine criminals we're talking about here, often located in Eastern Europe, Romania, Russia, Ukraine, etc. They absolutely do not care about causing genuine harm to people. That's worth remembering.

    I appreciate your thoughts. :)

    SiL
     
  23. spamislame

    spamislame Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    52
Ah. Well to answer that then: the formfillers are only built and tested with Firefox in mind. It's a decent standardized browser and it operates identically on Unix, MacOS and Windows. Once you start straying from that, you get into longer development cycles and the goal here is to strike quickly and efficiently. Can't necessarily do that on all browsers.

The individual retaliators (e.g.: Spur-M-Enator(TM), etc.) are written in strict JavaScript so that - again - any browser worth its salt should be able to run it with no problems. So far IE is the one problem browser (surprise.) That depends on the retaliation. IE has issues with sites that use the term "action" as a parameter (e.g.: http://[domain]/index.php?action=order) As such I have to specify to use a non-IE browser. FinestRX, Pharmacy Express and HealthSuite all use that type of setup, so it's an issue.

    SiL
     
  24. herbalist

    herbalist Guest

Spurmenator ran well for me. Figured I'd ask about the extensions before installing one. Many FF extensions work well in Mozilla but not all. After using the Mozilla suite, FF just doesn't feel right. I might just try one of the extensions anyway. The worst that can happen is spending 20 minutes doing a system restore.

Regarding the spammers and a potential DDoS attack, is there any reason a user couldn't just use an anonymous proxy and avoid the risk completely?
    Rick
     
  25. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Using an anonymiser like Tor is pretty much necessary since many of the sites will ban IP addresses. This does prevent the spammer from seeing your real IP address - but pay attention to the URLs you use! There are a couple (the very long ones - typically used by the ED Pharmacy/OEM Software sites) which are likely unique and possibly linked to email addresses. For these you should alter the prefixes (just change a few letters at random) to avoid any possibility of having your email Joe-Jobbed but as there is no retaliator for them, this is probably academic to most users.

    If you are going to make major use of Tor though (and risk having someone else taking retaliation on your behalf), please do consider contributing back and running an exit node server (installing Vidalia will make server configuration easier also). The more exit nodes Tor has, the harder it will be for a spammer (or anyone else) to completely block it.
     