Angelina Jolie invited me to join Facebook

Angelina Jolie invited me to join Facebook... Wow, I’ve finally made it! Angelina Jolie wants to be my friend on Facebook. LOL — in your dreams, buddy! When something looks too good to be true, it probably is! In this case it really is.

(Image: classic phishing attack - this one uses Angelina Jolie)

This is the first tip-off that something’s wrong with this picture. We received a dozen or so of these emails this morning and knew immediately that they were forgeries in a phishing attack. There was a whole second set of emails, all supposedly coming from Twitter with similar messages, but leading to the same collection of compromised servers. There were also a dozen yesterday. But Angelina really caught my eye and prompted me to track this new attack to its source. (Here’s a screen grab of the whole email as seen in HTML mode.)

Sadly, this type of phishing attack is very seductive (no pun intended) and traps thousands of internet users who are curious, infatuated or simply uninformed that this is dangerous. The original email certainly looks innocent enough, but when you hover the mouse pointer over any of the domain links, you immediately know this is false…

Phishing Site Registered through GoDaddy.com

So, let’s take a look at that first example, “carolmontag.com”, and see where it goes. This domain was registered through GoDaddy and, according to the IP Lookup and SamSpade, is hosted on servers owned by HostRocket Web Services, Clifton Park, NY. So, that’s where the phishing page was. (I say ‘was’ because they’re now blocked, and you won’t be able to get there.) Another example, http://grapevinephotography.com.au/1.htm, also leads to HostRocket. We tested more and more of the domains (another was hot-rydez.com) and no matter how different the sender or the domain was, they all seemed to lead to the same host. A disturbing discovery came when I began hunting down the ‘Sender’ of the attack.

Who sent the attack?

ALL 16 OF THE sending IP addresses, the ones the spammer / cyber criminal uses, were IP addresses reserved by the Internet Assigned Numbers Authority (IANA) in Marina del Rey, CA.

The Internet Assigned Numbers Authority

The Internet Assigned Numbers Authority (IANA) is the entity that oversees global IP address allocation, AS number allocation, root zone management for the Domain Name System (DNS), media types, and other Internet Protocol related assignments. It is operated by the Internet Corporation for Assigned Names and Numbers, better known as ICANN. You might ask why they let cyber criminals and terrorists use these numbers for nothing, when we all have to pay for ours…

IANA says:

“This block is used as private address space. Addresses from this block can be used by anyone without any need to coordinate with IANA or an Internet registry. Addresses from this block are used in multiple, separately operated networks.”

So, in other words, anybody can use them, they’re not tracked, and they can actually be used by multiple networks. Of course, this makes them totally impossible for law enforcement to track. Hmmmmmm. They explain this practice at www.rfc-editor.org — but it does not explain why there’s no regulation or watch-dog keeping these from being used by terrorists and cyber criminals.

SpamCop says: This email originated from Korea. It also recognizes HostRocket as the spamvertised host, and has blocked that host in the Real Black Hole.

(Image: SpamCop report on this spam)

Thanks to SpamCop subscribers, and SpamCop’s diligence in tracking all the references, this cyber criminal’s emails are all blocked, and end up in HELD status for SpamCop subscribers and users. I have included the actual spam text files representative of the spam for those of you who may wish to take a more in-depth look.

But at what cost? How many unsuspecting users actually clicked on the links and allowed the terrorist group in Korea to profit from gaining Facebook and Twitter IDs and passwords? How many were then extorted of financial information through cross-referencing of IDs? We don’t know. All we know is that a billion dollars was extorted from U.S. citizens in 2009, according to the FTC. So someone, somewhere must be clicking those links.

DO NOT CLICK … DO NOT CLICK:

Whenever any email comes from what you believe to be a trusted source — it is NOT ENOUGH TO TRUST THE LINK without first looking for the tell-tale signs of cyber crime:
1) Is the “To” address correct?
2) Is the “From” address correct?
3) When hovering over the link, does the status bar read correctly?
4) Is the “offer” too good to be true?

DO NOT CLICK on any link until you have satisfied all four of those questions. If it’s Facebook or Twitter, you could just as easily DELETE that email, and THEN navigate to your account in a separate browser window, using your proven direct link, and see the note or notice. If it’s legit, it will be there.
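Two of the four checks above can be automated against a raw email, and the result shows why this particular phish fails them: the “From” path runs through private address space that cannot be traced, and the link text names Facebook while the real href points elsewhere. The script below is an added example, not part of the original post; the message it parses is constructed here, and the hosts in it are placeholders rather than the domains seen in the real emails.

```python
import re
import ipaddress
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample modelled on the phish; hosts are placeholders, not the real domains.
SAMPLE = """\
Received: from mail.phish-host.invalid ([10.0.0.5]) by mx.example.net
Received: from [192.168.1.20] by mail.phish-host.invalid
From: Facebook <notification@facebook.com>
Content-Type: text/html

<html><body>
<a href="http://phish-host.invalid/1.htm">http://www.facebook.com/invite</a>
<a href="http://www.facebook.com/">Facebook</a>
</body></html>
"""
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
class LinkParser(HTMLParser):
    # Collects (visible text, href) for every <a> in the HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), ""
    def handle_data(self, data):
        if self._href is not None:
            self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._text.strip(), self._href))
            self._href = None

def host(url):
    # Hostname with any leading "www." stripped, so display text and href compare fairly.
    h = urlparse(url if "://" in url else "http://" + url).hostname
    return h[4:] if h and h.startswith("www.") else h

def untraceable_hops(raw):
    # Received-header IPs in private/reserved space: the sending path is forged (check 2).
    received = " ".join(message_from_string(raw, policy=default).get_all("Received", []))
    return [ip for ip in IPV4.findall(received) if ipaddress.ip_address(ip).is_private]

def mismatched_links(raw):
    # Links whose visible URL names a different host than the real href (check 3).
    parser = LinkParser()
    parser.feed(message_from_string(raw, policy=default).get_content())
    return [(t, h) for t, h in parser.links if "." in t and host(t) != host(h)]
```

The second, genuine Facebook link is not reported, so the check flags only the lure; a message with any mismatched link or any private-space hop deserves the DELETE treatment described above.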

Protect yourself at all times. Pass this along to friends and family, and help protect them as well. Post this, or re-tweet this to your own network. You cannot be too safe, or spread the caution too far.

Thanks for reading

Fred Showker

(Please note that some of the look-ups above may have changed by the time you read this — SpamCop reports alert system administrators, who hopefully will remove the offending site.)

Help spread the word to be careful online — purchasing “Don’t Click” buttons for family and friends supports our efforts in fighting cybercrime.
You might be responsible for saving someone from becoming a cyber crime victim!
Help support the fight against cyber crime.