WARNING: Do NOT use the ImageComedy Network! - It spoofs e-mails (with viruses)

Discussion in 'other security issues & news' started by javacool, Aug 29, 2002.

Thread Status:
Not open for further replies.
  1. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    You can consider this a public service announcement - or, at the least, a potentially interesting read.

    I placed this here, because it really doesn't fit completely in ANY of the other forums.

    I received an e-mail from a friend saying I had received an Online Comedy E-card from him through the "ImageComedy Network". Clicking on the link, which looked innocent enough, I arrived at a page telling me the following:

    Well, I smelled a rat, so I created 5 new Hotmail e-mail accounts just to see what this would do - I figured since I had already clicked on the link, they probably already had my e-mail address.

    It showed a semi-amusing picture of a gas station sign (which, it turns out, is the same for everyone, but more on that later). It also said that I could get free prizes myself - nothing about winning them for my friend (which, of course, I hadn't assumed was the case anyway). Then, I went to check one of the new Hotmail accounts...

    Inside was a message COMING FROM MY E-MAIL ADDRESS with the same contents as the one I received. Now this enraged me, because the web site spoofed my e-mail address, and then had a web page asking the users to enter 5 e-mail addresses to "help me win". Of course, as I mentioned above, I had already "won" some free prizes (minus shipping and handling) - but that's not the last of it...

    Today, I received 5 e-mails - all from different people, some containing viruses, and the others asking me to "click on a button to activate frames so you can see this message" (UPDATE: This is Hotmail's built-in protection mechanism - these e-mails, which I will probably never view, contain a "pif" file and an "HTML" file - typical characteristics of a virus-laden e-mail). The problem was, I have never, EVER, gotten spam in that inbox - until I went to the ImageComedy Network.

    However, the thing that scares me the most is the fact that I received another e-mail, from a business, saying that AN E-MAIL I SENT HAD BEEN REJECTED BECAUSE THE ATTACHMENT CONTAINED A VIRUS. Now, obviously, I had never contacted this business in any way (they sell dental products I believe). I can only come to the conclusion that the ImageComedy Network spoofed an e-mail to make it seem as if it came from me, and attached a virus to it. (See a couple posts down - ImageComedy Network *may* be infected with Klez - but again, it is still definitely an e-mail harvester).

    (Obviously, I don't send out e-mails with the title "Look, my beautiful girl friend" <-- NOTE: This is a typical Klez.H subject title.)

    [hr]

    Obviously, the ImageComedy Network is some front for e-mail address collection, so please, DON'T GO THERE - but also, it has sent out AT LEAST ONE E-MAIL, looking like it came from MY E-MAIL ADDRESS, with a VIRAL ATTACHMENT (probably Klez - that is the virus I got from a couple of the spam e-mails this morning). They have shown they spoof e-mails (in the 5 Hotmail e-mail addresses I registered), and this activity is not only malicious, but almost definitely illegal.

    Any ways to shut them down would be appreciated.

    UPDATE: It is always possible that the ImageComedy Network is actually INFECTED with Klez, but from what I've seen, I'm guessing otherwise (they've already shown a willingness, and ability, to spoof e-mails even WITHOUT the virus - and at the least, this is an e-mail harvesting operation).

    -Javacool

    P.S. Long story short, PLEASE do not open any e-mails from the ImageComedy Network - I would like to hope by getting this out to people, that their distribution of viruses is brought to a halt, or at least fewer people will receive them - whether or not their distribution of viruses is purposeful or an accident.
     
  2. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Re:WARNING: Do NOT use the ImageComedy Network! - It spoofs e-mails with viruses

    Oh man, that's nasty! :mad:
    Sometimes these bozos come up with some pretty inventive ideas. This one is not up there with the invention of ice cream, but it has some thought behind it.

    Thanks for the heads up on this. I can see how this could have a tremendous exponential infection rate if it hits the right crowd in hotmail and yahoo. You know the click, send gigglers.
    Is this a worm, as such, or what do you call this?
     
  3. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    Re:WARNING: Do NOT use the ImageComedy Network! - It spoofs e-mails with viruses

    I wouldn't call it a worm - nothing is physically residing on my computer, apart from the encrypted copies of the e-mails I was sent (for proof).

    It is, at the least, an e-mail harvesting operation - but (see update to original post above):
    I do have to agree that this operation definitely has a lot of thought behind it - any sane, non-paranoid person might simply enter 5 e-mail addresses of their friends ;)...and the cycle will continue (plus, I forgot to mention, it doesn't let you continue until you enter 5 COMPLETE names and e-mail addresses). :doubt:

    -Javacool
     
    Last edited by a moderator: Apr 11, 2004
  4. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    Re:WARNING: Do NOT use the ImageComedy Network! - It spoofs e-mails with viruses

    Attached, is a screenshot of the message you get (after you click through a link to show the page).

    -Javacool
     

  5. Re:WARNING: Do NOT use the ImageComedy Network! - It spoofs e-mails with viruses

    I have posted a link to your thread here at DSLR and I thank you.
     
  6. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    Re:WARNING: Do NOT use the ImageComedy Network! - It spoofs e-mails with viruses

    ANOTHER UPDATE:

    Either the ImageComedy Network is infected with Klez (in which case, don't use it just because you'll get tons of e-mails with Klez) - or it is sending out these e-mails purposefully.

    I am now leaning towards the first option - as it seems all the e-mails I have received have the typical Klez.H@mm subject titles.

    NOTE: I would still not recommend using the ImageComedy Network just for the fact that you will have e-mails with Klez sent out in your name.

    Also, the ImageComedy Network is definitely an e-mail harvesting site - the first e-mail it sends out has no help from Klez in spoofing your e-mail address. If you have visited the site now, or a while back, you should be warned you will probably be getting many e-mails with Klez, if you haven't already.

    -Javacool
     
  7. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    Re:WARNING: Do NOT use the ImageComedy Network! - It spoofs e-mails (with viruses)

    Excellent work Javacool!

    You have done a most thorough job of exposing these scallywags. Making 5 new Hotmail accounts to test was a good idea (although monotonous I'm sure).

    You definitely deserve applause for that one, so here ya go ~cha-ching~


    I have made this topic sticky for a while, 'til it becomes common knowledge.
     
  8. Prince_Serendip

    Prince_Serendip Registered Member

    Joined:
    Apr 8, 2002
    Posts:
    819
    Location:
    Canada
    Re:WARNING: Do NOT use the ImageComedy Network! - It spoofs e-mails (with viruses)

    :) Hi Guys! Boy am I glad I don't have a Hotmail account! You could try reporting it to D-Shield. You could also try SecurityUnit at the Incident Report page. I'm going to check around further. I'll be back.

    SecurityUnit is definitely the one to go to report this incident! I fixed the above link to take you directly to their Incident Report page.

     
  9. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Re:WARNING: Do NOT use the ImageComedy Network! - It spoofs e-mails (with viruses)

    Now, that's javacool! :cool:. Nice catch and a very good job done indeed.

    regards.

    paul
     
  10. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    Re:WARNING: Do NOT use the ImageComedy Network! - It spoofs e-mails (with viruses)

    Perhaps...perhaps your five email addresses should not have been Hotmail accounts.

    • tim.thick@imagecomedy.net
    • abuse@imagecomedy.net
    • ...etcetera...
    How nice it would be to watch them screaming into a loop...
     
  11. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    Re:WARNING: Do NOT use the ImageComedy Network! - It spoofs e-mails (with viruses)

    Maybe so, but it wouldn't have verified that it spoofed your e-mail address to those 5 "friends". :doubt:

    Although I may have another go at it. ;)

    -Javacool
     
    Last edited by a moderator: Apr 11, 2004
  12. Just_Bob

    Just_Bob Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    1
    Re:WARNING: Do NOT use the ImageComedy Network! - It spoofs e-mails (with viruses)

    You REALLY don't want to go there:

    From Google:

    Did you mean: image comedy network

    Note from FanJ:
    All links deleted.
    We try not to post such links here.
    Would you please also try not to post those links?
    Thanks.
     
  13. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    Re:WARNING: Do NOT use the ImageComedy Network! - It spoofs e-mails (with viruses)

    Hmm - Well I'm rather lucky that the "funny image" I saw was only of a gas station sign then...it sounds as if it could have been a lot worse.

    -Javacool
     
    Last edited by a moderator: Apr 11, 2004
  14. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Re:WARNING: Do NOT use the ImageComedy Network! - It spoofs e-mails (with viruses)

    Hi Bob,

    Welcome!

    As for:

    Just another security board ;)

    ..calculated guess: Gibson's GRC? ;)

    regards.

    paul
     
  15. NMF5@aol.com

    NMF5@aol.com Guest

    Re:WARNING: Do NOT use the ImageComedy Network! - It spoofs e-mails (with viruses)

    Hey, I fell for this same scam. I hope I don't have a virus now. How do I check? Tell me what to do! I've warned everyone whose addresses I gave, as well as the guy who sent it to me. I don't normally open e-mails from addresses that I don't know, and I usually delete forwards just because I hate them. But I'm really disappointed that my name was used in a quote that I didn't say. Thanks for doing the research! Well done!
     
  16. anders

    anders Eset Staff Account

    Joined:
    Oct 25, 2002
    Posts:
    410
    Re:WARNING: Do NOT use the ImageComedy Network! - It spoofs e-mails (with viruses)

    Hmm.. regarding that Klez thing.. remember that Klez uses a random e-mail address as sender.... So, anyone infected with Klez who has your e-mail address could have unknowingly sent that mail, which ended up bouncing back to the faked sender (you).

    I don't think that the Klez mail was sent from ImageComedy. Then again, I'm only guessing, and I'm too tired to really read all the thread ;)

    Best regards,
    Anders
     
  17. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Re:WARNING: Do NOT use the ImageComedy Network! - It spoofs e-mails (with viruses)

    Yes, this virus has very good searching too, doesn't it? So any e-mail address in an HTML file in your temporary internet folders could be used as the spoofed address..

    When I went looking into this, I concluded that really, it's almost untraceable where it came from. The address you see in the From field could have been determined by the worm in one of many ways, or be completely faked and not a valid address. Lots of blame has been directed at innocent users over this worm in its long history :rolleyes:
     
  18. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    Re:WARNING: Do NOT use the ImageComedy Network! - It spoofs e-mails (with viruses)

    True. But again - I created new Hotmail accounts that had never received a message before (and they were random enough that they probably wouldn't be hit without being listed somewhere), followed a link to the ImageComedy network, and voila - spam received in my inbox, and Klez also.

    I received several "bounced" e-mails with that address also - so while it is very possible that someone with my original e-mail address was infected with Klez, it is near-impossible that someone could have had this randomly created new hotmail account in their address book.

    Best regards,

    -Javacool
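    Posts 16 to 18 turn on one point: the address in a Klez mail's From: header says nothing about where the mail actually entered the mail system, so a bounce "from you" proves only that some infected machine had your address. The check a practitioner runs on such a mail is to read the Received: chain back to the earliest hop and compare that host with the From: domain, and to look at the attachment names. The following is an added example (editor's code, not javacool's or anyone else's posted code). The message, host names and IP addresses are constructed; note that only the Received: line added by a server you control is trustworthy, since the sender can forge the rest as easily as the From:.

```python
"""Read a mail's Received: chain and attachments (constructed sample)."""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample. From: claims a webmail-style address, but the earliest
# Received: hop is a DSL host at an unrelated ISP. Hosts and IPs are invented.
SAMPLE = b"""Received: from mx2.example-mail.test (mx2.example-mail.test [192.0.2.20])
\tby inbox.example.test with ESMTP id A1; Fri, 30 Aug 2002 10:01:02 +0000
Received: from pc-home.isp.test (dsl-203-0-113-5.isp.test [203.0.113.5])
\tby mx2.example-mail.test with SMTP id B2; Fri, 30 Aug 2002 10:00:59 +0000
From: victim@hotmail.test
To: friend@example.test
Subject: Look, my beautiful girl friend
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

hi
--b1
Content-Type: application/octet-stream; name="girl.pif"
Content-Disposition: attachment; filename="girl.pif"

MZ...
--b1--
"""

# "from <helo-name> (<rdns> [<ip>])" as written by common MTAs; the rDNS part is optional.
RECEIVED_FROM = re.compile(r"from\s+(\S+)\s+\((?:\S+\s+)?\[([\d.]+)\]\)")
# Extensions the mass-mailers of the day shipped as "pictures".
DANGEROUS_EXT = {".pif", ".scr", ".exe", ".bat", ".com", ".vbs"}


def received_chain(msg):
    """(host, ip) for every Received: header, newest hop first."""
    hops = []
    for raw in msg.get_all("Received", []):
        text = re.sub(r"\s+", " ", str(raw))  # unfold continuation lines
        m = RECEIVED_FROM.search(text)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops


def base_domain(host):
    """Last two labels of a host name: 'dsl-5.isp.test' -> 'isp.test'."""
    return ".".join(host.lower().rsplit(".", 2)[-2:])


def dangerous_attachments(msg):
    """File names of attachments with executable-style extensions."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if any(name.lower().endswith(ext) for ext in DANGEROUS_EXT):
            names.append(name)
    return names


def analyze(raw_bytes):
    """Summarise where the mail came from versus what From: claims."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    hops = received_chain(msg)
    origin = hops[-1] if hops else None          # earliest hop = injection point
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    from_dom = from_addr.rsplit("@", 1)[-1].lower()
    # Heuristic: an origin host at an unrelated domain is strong evidence that
    # the From: address was picked by the worm, not typed by its owner.
    consistent = origin is not None and base_domain(origin[0]) == base_domain(from_dom)
    return {
        "from_domain": from_dom,
        "origin": origin,
        "from_header_consistent": consistent,
        "dangerous_attachments": dangerous_attachments(msg),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE))
```

    Run against the sample, the origin resolves to the ISP host, the From: domain does not match it, and the .pif attachment is flagged; on a real bounce the same walk shows whether the "rejected" mail ever touched your own provider's servers.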
     
  19. bob_man_uk

    bob_man_uk Registered Member

    Joined:
    Jan 21, 2004
    Posts:
    91
    Location:
    United Kingdom
    I've seen this type of thing happen before. Recently I had to block a lot of e-mails (on our Domino server) due to the fact that our mail users were getting a hell of a lot of virus e-mails ranging from Netsky.A-.ZZ and MyDoom@a.mm-@z.mm etc. They never really seemed to have anything the same about them. So I decided to test it out: I downloaded these viruses and built a test environment, letting them loose to send viruses to e-mail accounts temporarily set up. It turns out these types of viruses spoof the sender's address, so it is nigh-on impossible to catch, which is very sly. But in the Klez case your mail will no doubt have been spoofed and sent to the dentist association or whatever it was.

    Anyway (my fingers are sweating now), it may not be entirely ImageComedy Network's fault, though it does seem highly suspicious - not that I'm trying to back them up or anything. I just found myself telling users off for sending viruses in mails when it was eventually clear they weren't (my face was red for about a week as I had to bite the bullet).

    Anyway if any body reads this, dont jump to conclusions as more often than not the virus writer will be laughing at your expense.
     
  20. Rita

    Rita Infrequent Poster

    Joined:
    Jun 28, 2004
    Posts:
    6,863
    Location:
    wilds of wv
    thanks
    I'll keep the ImageComedy Network in mind and not open anything from them. I get e-mails a lot from some fun site and some from a site called Twisted Humor which I don't open because someone said they had spyware installed on your computer if you visited the site - whether it's true or not I don't know, but I don't want to take any chances. Thanks for the warning.
    rita
     
  21. Jimbob1989

    Jimbob1989 Registered Member

    Joined:
    Oct 18, 2004
    Posts:
    2,529
    I understand this thread was made a while ago, however I just tried to find a website for this company and could only see forum threads. Has the company been closed down do we know?

    Jimbob
     
  22. airjrdn

    airjrdn Registered Member

    Joined:
    Feb 21, 2005
    Posts:
    26
    I'm new here, but wanted to offer a piece of advice that would have made the initial testing of this much easier.

    If you have a domain name registered, most registrars I've been with allow you to have a catch-all address. This can be useful for a number of purposes.

    1 - You could just type in <AnyWordHere>@YourDomain.com and if they aren't setup as an actual email address, they'll go to the catch-all account. This would have allowed you to not have to setup 5 new accounts just for this test purpose.

    2 - (cool option here) Let's say you buy something from NewEgg. When you register your account there, you sign up using newegg@YourDomain.com as your email address. You could either start checking this account, or (like I do) just forward your catch-all address to an address you do check. However, if you start getting spam at newegg@YourDomain.com, you know it's a result of them giving it out, because obviously you wouldn't use that for any other site.

    The cool thing is, if you started getting spam at newegg@YourDomain.com and no longer wanted to see it, you could just set newegg@YourDomain.com up as an email account and never check it. That would stop it from going into your catch-all account.

    3 - This also allows you to get emails to admin@YourDomain.com, webmaster@YourDomain.com, sales@YourDomain.com, etc. without having to set those accounts up or check them.
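    The per-site tagged address in post 22 and the five throwaway Hotmail accounts in post 1 are the same technique: hand each party an address nobody else has, then read the address spam arrives at to learn who leaked it. Below is an added example (editor's code, not airjrdn's or javacool's) of the bookkeeping half, which posts leave to the reader: a registry of which tag went to which site, and a lookup from an incoming message's recipient headers back to the site. The domain yourdomain.test, the registry entries and the three sample messages are all constructed.

```python
"""Trace which site leaked an address from a catch-all domain (constructed sample)."""
from email import message_from_string, policy
from email.utils import getaddresses

MY_DOMAIN = "yourdomain.test"  # hypothetical catch-all domain

# Which tag was handed to which site. In practice this lives in a file or DB;
# the entries here are invented.
REGISTRY = {
    "newegg": "newegg.com",
    "ecard-test1": "imagecomedy.net",
    "ecard-test2": "imagecomedy.net",
}


def tagged_address(tag):
    """The address to give one site: <tag>@MY_DOMAIN."""
    return f"{tag}@{MY_DOMAIN}"


def tags_in(msg):
    """Local parts of our own addresses among the recipient headers."""
    # Delivered-To is what the catch-all actually accepted; To:/Cc: are what the
    # sender wrote, which is usually (but not always) the same address.
    fields = (msg.get_all("Delivered-To", []) + msg.get_all("To", [])
              + msg.get_all("Cc", []))
    tags = []
    for _, addr in getaddresses(fields):
        local, _, dom = addr.rpartition("@")
        if dom.lower() == MY_DOMAIN:
            tags.append(local.lower())
    return tags


def leaked_by(raw):
    """Sites that were given any of the addresses this message was sent to."""
    msg = message_from_string(raw, policy=policy.default)
    sites = {REGISTRY.get(tag, f"unknown tag {tag!r}") for tag in tags_in(msg)}
    return sorted(sites)


# Constructed sample messages (headers only matter here).
SPAM_FROM_ECARD = """Delivered-To: ecard-test1@yourdomain.test
From: somebody@example.test
To: ecard-test1@yourdomain.test
Subject: Look, my beautiful girl friend

body
"""

SPAM_FROM_SHOP = """From: deals@example.test
To: "Newegg customer" <newegg@yourdomain.test>, other@elsewhere.test
Subject: special offer

body
"""

SPAM_UNKNOWN = """From: nobody@example.test
To: random7x@yourdomain.test
Subject: hello

body
"""

if __name__ == "__main__":
    for raw in (SPAM_FROM_ECARD, SPAM_FROM_SHOP, SPAM_UNKNOWN):
        print(leaked_by(raw))
```

    An unknown tag is still informative: the address was never handed out, so it was guessed or harvested from somewhere you did not register, which is exactly the distinction javacool drew between the fresh accounts and the long-lived one.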
     
  23. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    411
    Location:
    London England UK
    And when the mailbox for that domain ending is full, *all* accounts cease to function. There is truly only one way to deal with spam (especially when you get over 10,000 spam emails every single day like me!), and that is to write your own email client that filters out anyone *not* in your address book or your "acceptable domains" list (my solution) or to use Mozilla Thunderbird and train it (this doesn't work very well on my account since it reads all the messages off of the server, and this alone takes far longer than just downloading the headers).

    You need my proprietary solution to decide using only the header part. *All* other email products on the market retrieve the whole message and then decide if it's junk mail or not. In my case where I receive over 10,000 emails every 24 hours, and there are usually only a couple of emails I would want to read, the header method is by far the most efficient, and it only takes about 20 minutes to sort this lot out every day. With a fully trained Thunderbird on the same account, I gave up retrieving emails after 2 hours had gone by (it had gone through about 5,000 emails by this time), and I was up to 500 "not junk" messages about Viagra! Contact me for more information on my proprietary solution.

    For all of you now asking, "What about people not on your lists, who want to email you?", to which I reply, "Try my form at http://www.jacobsm.com/mjmsg.htm?Your Subject Here"
     