The Latest in Pay Per Sign Up Scams


gonzo
04-18-2010, 01:18 PM
A few days ago I got this message posted anonymously to my Formspring:

Hey, I am posting anonymous because I don't want you to know who I am but I found a nude image of you online.You may have to login to see it, but here's the link: nudeimagedatabase(DOT)t35(DOT)(DOT)com/nude_image_549(DOT)html replace all the (DOT) with .


Now, first thing I thought was Russian mob spreading computer malware--Zlob or Asprox or something, right? I mean, seriously, it's got their thumbprint all over it.

Turns out that's not what it was, though. What it was is something a little more convoluted, and it exposes a weakness in Web sites that have a pay-for-signups affiliate program business model.


The Web site at http://nudeimagedatabase.t35.com/nude_image_549.html, which has since been taken down after I dropped an email to the Web host, was hosted on a free Web hosting site. The Web site itself was nothing but a redirector to another Web site, located at

http://x.azjmp.com/3vWZz?sub=test.

Now that Web site, which is still active, is in turn a redirector itself to yet another Web site, which is at

http://www.perfectmatch.com/pltrk.asp?CID=69726&ptnr=azoogle&PID=45638-test

$ wget http://x.azjmp.com/3vWZz?sub=test
--2010-03-14 23:25:42-- http://x.azjmp.com/3vWZz?sub=test
Resolving x.azjmp.com... 209.167.6.16
Connecting to x.azjmp.com|209.167.6.16|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.perfectmatch.com/pltrk.asp?CID=69726&ptnr=azoogle&PID=45638-test [following]
--2010-03-14 23:25:42-- http://www.perfectmatch.com/pltrk.asp?CID=69726&ptnr=azoogle&PID=45638-test
Resolving www.perfectmatch.com... 67.212.133.100
Connecting to www.perfectmatch.com|67.212.133.100|:80... connected.
HTTP request sent, awaiting response... 302 Object moved
Location: trk.asp?CID=69726&AMID=AZoogleID:%2045638-test [following]
--2010-03-14 23:25:42-- http://www.perfectmatch.com/trk.asp?CID=69726&AMID=AZoogleID:%2045638-test
Reusing existing connection to www.perfectmatch.com:80.
HTTP request sent, awaiting response... 302 Object moved
Location: amap.asp?CID=69726&AMID=AZoogleID:%2045638-test [following]
--2010-03-14 23:25:42-- http://www.perfectmatch.com/amap.asp?CID=69726&AMID=AZoogleID:%2045638-test
Reusing existing connection to www.perfectmatch.com:80.
HTTP request sent, awaiting response... 302 Object moved
Location: /trk.asp?CID=91939 [following]
--2010-03-14 23:25:42-- http://www.perfectmatch.com/trk.asp?CID=91939
Reusing existing connection to www.perfectmatch.com:80.
HTTP request sent, awaiting response... 302 Object moved
Location: /?p=n [following]
--2010-03-14 23:25:42-- http://www.perfectmatch.com/?p=n
Reusing existing connection to www.perfectmatch.com:80.
HTTP request sent, awaiting response... 200 OK

The Web site azjmp.com belongs to Epic Advertising, which as near as I can tell is just another direct email advertising company. Epic Advertising creates email ads that contain an azjmp.com URL in them, so as to track response rates.

The azjmp.com URL leads to Perfectmatch, which is a dating Web site. You can, if you want, become a Perfectmatch affiliate, and they pay you a small amount of money each time you get someone to sign up.


So basically, here's what's happening. The spammer is slamming Formspring (and Myspace and Facebook and Tumblr and God knows who else) with a message saying "there are nude pics of you online, go here to see them." Those gullible enough to take the bait end up at, or used to end up at, a Web site that says "Sign up here to see the nude pics that someone has posted of you." Any time someone signs up, they don't see nude pics of themselves; instead, they have just signed up for a dating site, and the spammer makes a small amount of money.

This really has Eastern European organized crime written all over it, or someone has taken a page from their playbook. Automated forum spam, multiple hops between source and destination, redirectors hosted on free Web sites--it's all taken right out of the Zlob gang's playbook. The only element missing is multiple payload sites that are chosen at random by a traffic handler, but in this case, there's only one payload (a signup with Perfectmatch), so that's to be expected.

The unusual bit, to me, is that the spammers have signed up with Epic Advertising to track the number of folks who bite at the bait. Somewhere along the line, Epic Advertising needs to get paid by the spammers, and Perfectmatch needs to pay the spammers, so that means both Epic Advertising and Perfectmatch know the real identities of the spammers (or at least how to transfer money to and from them).

So far, both Perfectmatch and Epic Advertising have not yet cut the spammer off. It is possible that the spammer is Perfectmatch, and that they have created a bogus affiliate ID for themselves so as to disclaim responsibility if they are caught--which would be unusual but not unprecedented (Adult Friend Finder has been known to do this in the past, for example). If that were the case, though, I would expect that email spam would be more effective.

The thing about duping people to sign up for a dating site this way is that those signups are likely to be worthless. I can't imagine folks are going to be all "Hey, I was tricked into signing up for this dating site, without even knowing that I was signing up for a dating site...but hey, as long as I'm here, I think I'll buy a subscription!" So my hunch is that it's a real affiliate scamming Perfectmatch to bilk them out of money by creating worthless bogus signups from people who are not likely to be interested in their service.

What's interesting about this to me is that it points to a weakness in the pay-for-signup business model. Software can usually detect out and out phony signups; if I am an affiliate for a pay-per-signup Web site, I can't just sit at my computer all day typing in bogus names and get paid.

But if I dupe people into signing up, say by creating a Web site that has a frameset redirector in it that tells people they're signing up for something completely different, I can still get paid, and the Web site that's paying me gets traffic that's worse than worthless. It's a way to drain money away from people who run pay-per-signup affiliate programs.

The crudeness of the hook in this case suggests to me that it's a trial balloon, and that we can probably expect to see more sophisticated attacks of this kind against the operators of pay-per-signup Web sites in the future.

http://tacit.livejournal.com/324147.html#cutid1
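
The redirect chain in the post above can be reconstructed mechanically from the wget output. The following is an added example, not part of the original post: it parses the request, status and Location lines of that trace, resolves relative Location values, and lists the tracking parameters carried on each hop. The function names parse_hops and values_seen are made up for this example.

```python
import re
from urllib.parse import urljoin, urlsplit, parse_qs

# Request, status and Location lines condensed from the wget trace in the post.
WGET_LOG = """\
--2010-03-14 23:25:42-- http://x.azjmp.com/3vWZz?sub=test
HTTP request sent, awaiting response... 302 Found
Location: http://www.perfectmatch.com/pltrk.asp?CID=69726&ptnr=azoogle&PID=45638-test [following]
--2010-03-14 23:25:42-- http://www.perfectmatch.com/pltrk.asp?CID=69726&ptnr=azoogle&PID=45638-test
HTTP request sent, awaiting response... 302 Object moved
Location: trk.asp?CID=69726&AMID=AZoogleID:%2045638-test [following]
--2010-03-14 23:25:42-- http://www.perfectmatch.com/trk.asp?CID=69726&AMID=AZoogleID:%2045638-test
HTTP request sent, awaiting response... 302 Object moved
Location: amap.asp?CID=69726&AMID=AZoogleID:%2045638-test [following]
--2010-03-14 23:25:42-- http://www.perfectmatch.com/amap.asp?CID=69726&AMID=AZoogleID:%2045638-test
HTTP request sent, awaiting response... 302 Object moved
Location: /trk.asp?CID=91939 [following]
--2010-03-14 23:25:42-- http://www.perfectmatch.com/trk.asp?CID=91939
HTTP request sent, awaiting response... 302 Object moved
Location: /?p=n [following]
--2010-03-14 23:25:42-- http://www.perfectmatch.com/?p=n
HTTP request sent, awaiting response... 200 OK
"""

REQ = re.compile(r"^--[\d-]+ [\d:]+--\s+(\S+)$")
STATUS = re.compile(r"awaiting response\.\.\. (\d{3})")
LOC = re.compile(r"^Location: (\S+)")

def parse_hops(log):
    """One dict per request; a relative Location is joined to the current URL."""
    hops = []
    for line in log.splitlines():
        if m := REQ.match(line):
            parts = urlsplit(m.group(1))
            hops.append({"url": m.group(1), "host": parts.hostname, "status": None,
                         "next": None, "params": parse_qs(parts.query)})
        elif hops and (m := STATUS.search(line)):
            hops[-1]["status"] = int(m.group(1))
        elif hops and (m := LOC.match(line)):
            hops[-1]["next"] = urljoin(hops[-1]["url"], m.group(1))
    return hops

def values_seen(hops, key):
    """Distinct values of one query parameter, in order of first appearance."""
    return list(dict.fromkeys(v for h in hops for v in h["params"].get(key, [])))

if __name__ == "__main__":
    for h in parse_hops(WGET_LOG):
        print(h["status"], h["host"], {k: v[0] for k, v in h["params"].items()})
```

Run on the trace, this shows the sub=test value from the azjmp.com link reappearing inside PID and AMID on perfectmatch.com, and the CID changing from 69726 to 91939 before the landing page.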

EmporerEJ
04-18-2010, 01:36 PM
Are you sure it's not a deeper "identity scam" collection process?
That would seem to be the more profitable approach for the afore-named Yuris.

RawAlex
04-18-2010, 03:23 PM
It's the reason why pay per signup programs should never pay out until a full CC billing cycle has passed. Scams like this are dependent on fast payouts so they can get away with the money before anyone notices.

Want to bet they are using epass or similar for payment?
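
One way a program operator could implement the payout hold described in the post above, as an added example that is not part of the thread. The 30-day cycle length, the Signup record layout, the three states and the sample data are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

BILLING_CYCLE = timedelta(days=30)  # assumption: length of one card billing cycle

@dataclass
class Signup:  # hypothetical record layout
    affiliate: str
    signed_up: date
    first_charge: Optional[date] = None  # first successful card charge
    reversed_on: Optional[date] = None   # refund or chargeback, if any

def state(s, today):
    """Classify one signup as 'payable', 'held' or 'rejected'."""
    if s.reversed_on is not None:
        return "rejected"
    if s.first_charge is None:
        # Never billed: hold for one cycle, then write the signup off.
        return "held" if today - s.signed_up < BILLING_CYCLE else "rejected"
    return "payable" if today - s.first_charge >= BILLING_CYCLE else "held"

def settle(signups, today):
    """Count signups per affiliate in each state."""
    report = {}
    for s in signups:
        row = report.setdefault(s.affiliate, {"payable": 0, "held": 0, "rejected": 0})
        row[state(s, today)] += 1
    return report

# Constructed sample data: aff-A sends real customers, aff-B sends duped signups.
SAMPLE = [
    Signup("aff-A", date(2010, 3, 1), first_charge=date(2010, 3, 1)),
    Signup("aff-A", date(2010, 4, 20), first_charge=date(2010, 4, 20)),
    Signup("aff-B", date(2010, 3, 10)),
    Signup("aff-B", date(2010, 3, 12), date(2010, 3, 12), date(2010, 3, 20)),
    Signup("aff-B", date(2010, 4, 25)),
]

if __name__ == "__main__":
    for affiliate, row in settle(SAMPLE, date(2010, 5, 1)).items():
        print(affiliate, row)
```

With the hold in place, the affiliate whose signups never bill or get reversed earns nothing, where an instant-payout program would already have paid for all three.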

Patrick
05-04-2010, 02:03 AM
I wanna do paid submission for my mortgage refinance loan lending website to rank well and want some suggestions on which website shall be the perfect one to do paid submission and trustworthy as well as popular too.

softball
05-04-2010, 01:11 PM
tick tick tick