Google caught, denies involvement

For the last week, we’ve been tracking one set of cybercriminals who successfully elude spam traps and filtering software. It’s NOT a pretty picture, and the hot trail leads straight to Google…

Tracking cybercrime leads us to Google

After reporting literally hundreds of abuse situations to Google, I’ve finally come to the conclusion that there’s no one there responsible for keeping watch. Here’s the way Google “Abuse” handles spam or cybercrime reports:

> If you’re reporting a spam email with a Google return address,
> please be assured that it did not originate with Google.
> Google does not permit others to send unsolicited email
> through its mail servers.
> A number of unscrupulous businesses have sent out mass mailings
> with forged Google return addresses. Google is actively pursuing
> all available legal means to stop these miscreants from
> abusing our name and your inbox.
> We appreciate your understanding, and please accept our
> sympathies for the inconvenience this may have caused.
>
> For further assistance or to report a problem with a
> Google product, please visit http://www.google.com/support/
> for a list of our Help Centers.
> Regards, The Google Team

No matter what the subject or content of the complaint is, this is the response.

Let’s take a look:

28 of the 584 spams received in our spam traps in the past 12 hours (that’s more than 2 per hour) utilize “http://www.google.com” as the “destination” for the spamvertised, phishing, or security breach attempt. That destination is misleading, however: it is designed specifically to evade spam filters and, above all, to avoid being reported to SpamCop.

Here’s how it works:

The spammer loads their URL into a Google link. Here’s what it looks like:

http://www.google.com/pagead/iclk?sa=l&ai=FNMWEx&num=0201=&adurl=http://salat-mosque.com/img/load/ddown.php?OziOsK

(Don’t worry, I’ve munged the domain so it won’t work. Anyone stupid enough to click on it just to see what it does, will fortunately NOT get there. )

This is an Algerian organization operating out of France advertising rated ‘X’ celebrity movies that are free for download. However, rather than getting a movie when you click, the link immediately begins downloading a nasty Trojan-Downloader.Win32.Agent, which installs further malware (a Trojan) on any Windows computer. (Malware Alert CIDR Report: AS16276). The responsible domain is ovh.net, operating out of Roubaix, France.

These have been coming at a rate of one every four hours. Always from a different sender, or in a different language — but always to the SAME download address. At least, that is what appears in our spam traps. (Yours may be different.) So, we know that they’re not being shut down.

In our SpamCop reports, they are REPORTED into the bit-bucket known as “statistical tracking” because “GOOGLE refuses abuse reports”. Well, that’s because the spam tools cannot find the guilty domain. Note in the Google link the string: adurl. This parameter puts the criminal URL deep in the link where spam trackers won’t find it — unless we look.
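The adurl trick above is easy to undo once you know to look for it. The following is an added example (not code from the post or from SpamCop) that peels the real destination out of a google.com/pagead/iclk link with no network access, so an abuse report can name the host that actually serves the download; the redirector table and the assumption that the inner URL is left unencoded are mine.

```python
from urllib.parse import urlsplit, unquote

# Known redirector endpoints and the query parameter that carries the real
# destination. The google.com/pagead/iclk + adurl pair is the one the post
# shows; the table itself is an assumption for illustration, not Google's spec.
REDIRECTORS = {
    ("www.google.com", "/pagead/iclk"): "adurl",
}

def _wrapped_target(query, param):
    """Return the value of `param` from a raw query string, or None.

    Spam links usually leave the inner URL unencoded, so once the parameter is
    found everything after `param=` (including any later '&' or '?') is taken
    as the destination. That assumption is why this does not use parse_qs."""
    marker = param + "="
    fields = query.split("&")
    for i, field in enumerate(fields):
        if field.startswith(marker):
            rest = "&".join(fields[i:])
            return unquote(rest[len(marker):])
    return None

def unwrap_redirect(url, max_depth=5):
    """Peel redirector wrappers off `url` without fetching anything.

    Returns (final_url, chain): chain lists the hostnames seen, outermost
    first, so the last entry is the host an abuse report should name."""
    chain = []
    current = url
    for _ in range(max_depth):
        parts = urlsplit(current)
        chain.append(parts.hostname)
        param = REDIRECTORS.get((parts.hostname, parts.path))
        target = _wrapped_target(parts.query, param) if param else None
        if not target or not target.lower().startswith(("http://", "https://")):
            break  # not a known redirector, or no usable inner URL
        current = target
    return current, chain

def reportable_host(url):
    """Hostname that belongs in the abuse report for a spamvertised link."""
    final_url, _ = unwrap_redirect(url)
    return urlsplit(final_url).hostname

# Constructed sample: the (munged) link quoted in the post.
SAMPLE = ("http://www.google.com/pagead/iclk?sa=l&ai=FNMWEx&num=0201="
          "&adurl=http://salat-mosque.com/img/load/ddown.php?OziOsK")

if __name__ == "__main__":
    final_url, chain = unwrap_redirect(SAMPLE)
    print("wrapper chain:", " -> ".join(chain))
    print("real destination:", final_url)
```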

In this particular instance, Google is innocent of any wrongdoing other than lying about it. Google says this is a case of “unscrupulous businesses [that] have sent out mass mailings with forged Google return addresses,” which, as we’ve just demonstrated, is completely untrue. Of course, it’s obvious this is a canned response — Google’s nice way of saying “… We’re not interested in your problems, we own the internet and can do no wrong”. I’ve often wondered if there are any humans at all in Google’s abuse department. They obviously have lots of lawyers who write their policies, but there doesn’t seem to be anyone home to keep watch.

What’s the point?

So you’re probably asking yourself why I would write such a report when Google is obviously not directly involved in this criminal activity, but merely being used as a method of obscuring the trail of the criminal.

Well, here’s another that most certainly reveals an involvement:

Of the 584 spams received in the past 12 hours there were 23 which utilized forged accounts on blogspot.com to host redirects to spam or identity theft sites. (There have been hundreds in the past several weeks.) Google owns Blogspot.com. They’ve even done away with Blogspot ownership, and require a Google account in order to have a blog there. (I happen to have one, so at least that step was done.)

At 7 am this morning, I reported each and every instance to the Blogspot.com “abuse” form buried deep in the “help” section. There is no email address for reporting Blogspot abuse. In fact, there don’t seem to be any humans at Blogspot either. So in order to even report any criminal activities on their system, one must first get an account, then drill down through dozens of screens to finally find a single, one-line entry field where you paste in the offending URL. You’re not even given a second chance to report another URL, but must re-enter the form again. Does this sound like they want to know about criminal activities on their system? Doesn’t sound like it to me.

Here’s how it works:

Criminals, or criminal-operated robots, register with Google and set up a Blogspot account. They launch a blog which has nothing in it except the line: “If site not apeared – Click Here.” (or similar). Moments later you are redirected to an identity theft site under the guise of free pirated software, low cost designer knock-off apparel, or herbal elixirs to add inches to a certain male body part.

Since neither Google nor Blogspot accepts any reports of such wrongdoing, it would be a simple matter for them to remove the ability to use redirects from their platform altogether. Additionally, they could easily parse the outgoing packets to detect redirects, and to whom they redirect. But they haven’t taken this security measure. Both Google and Blogspot are fully aware of this practice.

Their response to reports of this activity, so far, has been the automated reply mentioned above. Eventually the sites do get shut down. But they’re replaced by dozens of others. I’ve posted the list below, and will return here again to see how many, if any, have been shut down. Of the criminally spamvertised sites we’ve tested, 100% are outside the U.S. One Russian botnet kites thousands of domains for the sole purpose of identity theft. Another, out of China, also utilized domain kiting with thousands of domains just to send spam advertising their various identity theft sites.

So, yes, Google is involved even if they say they’re not. Ignorance of or ignoring criminal activities housed, harbored, or operated under their control should usually be considered complicity.

Just because a company is huge, like Google, its responsibility to the welfare of internet users never diminishes. In fact, it should become a more important priority. If Google were, in fact, a community-minded player, it has both the influence and affluence to eliminate 85% of spam, phishing, fraud, and malware sites on the internet.

Why don’t they? That’s what I’d like to know.

Fred Showker


Here’s a list captured in the past 8 hours.
Each instance represents a separate spam:


