Gov Benefaction Scam

Pretty neat (in an evil way) SEO spam making the rounds on craigslist at the moment…

1. Someone posts an ad on craigslist without using the anonymous email option
2. They start getting emails claiming they can get free/easy money from the government by Googling “Gov Benefaction” for more information.
3. All of the sites currently in the top of the results in Google for that term are controlled by one guy who’s using those sites to promote a typical Gov Grant scam.

So… The spammer simply optimized a handful of sites to rank for a term that had zero competition. Once ranked in the top spots, he began spamming away without any fear of getting blocked by spam filters, since he doesn’t use any URLs in those emails. Pretty neat. I imagine we will be seeing a lot more of this in the future.

Elance.com: User Database Compromised

Email I just received:

Elance Logo

Dear LoLo,

We recently learned that certain Elance user information was accessed without authorization, including potentially yours. The data accessed was contact information — specifically name, email address, telephone number, city location and Elance login information (passwords were protected with encryption). This incident did NOT involve any credit card, bank account, social security or tax ID numbers.

We have remedied the cause of the breach and are working with appropriate authorities. We have also implemented additional security measures and have strengthened password requirements to protect all of our users.

We sincerely regret any inconvenience or disruption this may cause.

If you have any unanswered questions and for ongoing information about this matter, please visit this page in our Trust & Safety center: http://www.elance.com/p/trust/account_security.html

For information on re-setting your password, visit: http://help.elance.com/forums/30969/entries/47262

Thank you for your understanding,

Michael Culver
Vice President
Elance

————————————-

From their page with info on the hack:

“The hackers accessed a user data table that contained contact information including name, email address, telephone number, city location, and log-in information.”

^^ Always use different passwords for every site, reason number 10,467.

I imagine someone is working on a little data scraping script to get the demographic information associated with all of those Elance accounts. They will likely break the emails up into niche lists and then sell them off to email spammers. If you see any email lists for say 6,000+ ASP developers you can have one guess on where it came from.

Additional coverage:
TechCrunch: Elance Hit By Security Breach

eBay/PayPal reported me to the FBI

Seriously…

Here’s an email that was just forwarded to me from my hosting provider (Oxeo):

Dear ISPrime, Inc.,

We have just learned that your service is being used to violate PayPal trademarks and/or copyrights. Specifically, it appears that an ISPrime, Inc. user is hosting a page at 64.111.214.22 – http://www.ghettowebmaster.com/images/paypal-phishing-email.gif which uses our trademarks inappropriately.

While we believe that the above information gives your company more than a sufficient basis for disabling the page immediately, out of caution we note that your user’s unauthorized reproduction of PayPal trademark and copyrighted materials violates federal law, and places an independent legal obligation on your company to remove the offending page(s) immediately upon receiving notice from PayPal, an eBay, Inc. company, the owner of the copyrighted materials. Accordingly, the information below serves as PayPal’s notice of infringement pursuant to the Digital Millennium Copyright Act, 17 U.S.C. Section 512 (c)(3)(A):

I, the undersigned, CERTIFY UNDER PENALTY OF PERJURY that I am the agent authorized to act on behalf of the owner of certain intellectual property rights, said owner being named PayPal Inc. I have a good faith belief that the website located at URL http://www.ghettowebmaster.com/images/paypal-phishing-email.gif has its copyright in each page of its website and associated source code.

Please act expeditiously to remove or disable access to the material or items claimed to be infringing.

We sincerely appreciate your immediate attention to this important matter. We would also appreciate if you would take steps to confirm the accuracy of any contact information that your user may have provided to you in establishing the account. Should you have any accurate information that could assist PayPal and law enforcement in tracking this individual, we greatly appreciate your assistance, as we know that you do not condone the use of your services for such criminal purposes.

Finally, please be advised that we have referred this issue to the Federal Bureau of Investigation for their investigation. The F.B.I. has requested that we convey to you in this message their request that you preserve for 90 days all records relating to this web site, including all associated accounts, computer logs, files, IP addresses, telephone numbers, subscriber and user records, communications, and all programs and files on storage media in regard to all Internet connection information, pursuant to 18 U.S.C. § 2703(f). While we do not act as an agent of the FBI in conveying this request, we do intend to fully cooperate with their investigation, and encourage you to do so as well.

eBay/PayPal Inc.
Audit and Investigations
securityalerts@ebay.com

Wow. Looks like a message I would expect to get at a throwaway email address that goes with a bogus identity used to purchase some hosting if I were running a PayPal phishing scheme. It was totally unexpected, however, to get as a person who blogs about IT Security related stuff and used the image as a real life phishing email example in a blog entry posted over a year ago.

The blog entry that image is (legally) used in:
Porn Site Hacked, 16K Emails Snatched, Epic Fail at PayPal Phishing Attempt

Here’s the email I sent to my host in response to the email they forwarded over:

Hey,

That image is being legally used (“fair use”) on this blog entry:

http://www.ghettowebmaster.com/spam/porn-site-hacked-16k-emails/

Please tell eBay/PayPal Inc. to piss off.

^^^ That’s really cute. It’s as if they think I’m using the image for a phishing scheme vs. as an example of one. I’m forwarding this over to some IT Security contacts. This is total BS.

Please call me if you guys have any questions:
[phone number removed]

Thanks in advance,

Loren J. Williams

Their response:

Hello,
You may want to convey this directly to paypal at ftsteam@paypal.com, if you would like though I can relay your message to them, just let me know.

Me again:

Hey,

I’ll message them in a bit with the url to a new blog entry where I’ll use the image again and kindly (lol) tell them to piss off. Thanks for forwarding the message over to me and not acting like an irresponsible host by pulling the image or anything goofy like that.

– Loren

The image in question:
Paypal Phishing Email

So… What we obviously have here is eBay/PayPal Inc. trying to be proactive in getting their insanely huge phishing issues under control. What we don’t have is a reasonably sane team actually researching the images they are likely finding via a Google image search. This is insane at best and has my nerd blood boiling to nerd rage levels. I wonder how many other people have gotten similar messages from their hosts or simply had their sites shut down without warning.

Proactive = Good
Proactive + Retarded = Bad

Dear eBay/PayPal Inc.,

Piss off.

– Loren J. Williams (LoLo)

Update (7/15/09 – 6:15am-ish)
Here’s the email I ended up sending eBay/PayPal yesterday:

Hello,

Your message to my host was anything but cute. The image in question is being used as a real world example of a paypal phishing email on a blog entry from January of 2008.

Here’s that entry’s url:

http://www.ghettowebmaster.com/spam/porn-site-hacked-16k-emails/

And, here’s a new entry with my formal response to you:

http://www.ghettowebmaster.com/legal/ebay-paypal-reported-me-to-the-fbi/

You guys need to get your head on straight. I can only imagine how many other security researchers got a similar email.

Here’s my contact info in case you would like to pursue things further legally:

Loren J. Williams
[address / phone # removed]

Email addresses:
[removed]

P.S. That new blog entry will likely be making the rounds all over the internet this week. Congrats on making your company look like a bunch of retards.

– Loren J. Williams
Ghettowebmaster.com. etc…

That last line is already haunting them…

When shit hits the fan it’s always best to pick up the bat phone, light up the sky with the bat signal, or in my case: run to Twitter and send PaperGhost a message asking for “serious nerd rage backup”. His nerd rage also went into full fury after being forwarded the messages I had gotten. That resulted in a post on FaceTime’s Blog.Spyware.com: EBay / Paypal Reports Security Blog To FBI For Phish Screenshot and a tweet to pimp out that blog entry. And, that tweet has received a metric ton of retweets – thanks for the support everyone.

It’s pretty obvious that this story will make the rounds on the tech blogs and whatnot today. So, I repeat: Congrats on making your company look like a bunch of retards.

In other news… In order to avoid a shootout and prolonged hostage situation I went ahead and surrendered to the FBI this morning…

via Twitter. lolz

Update (7/20/09 – 10pm-ish)
This story made the front page of reddit and is getting a bunch of comments here and there that pretty much demand some kinda response from me.

“Please don’t call them ‘retarded.’ It’s childish and counterproductive.”
“damn you’re an arrogant geek.”
“…they do NOT deserve the abuse you are heaping on them. Show you are the better man…”
“You would do yourself a world of good by using more formal language in your communication with your ISP, eBay/Paypal, and your blog readership.”
Etc, etc, etc…

Did you guys bother to read the name of the domain you’re on? Childish & immature is what I do. Could I be more formal and not come off as a prick? Sure. That wouldn’t capture the demographic I aim for though. There are plenty of IT security blogs that IT security people and other nerds read. I write in a way that appeals to the Joe the Plumbers of the world. And, let’s face it: they seriously need the info more than you. Telling me to be more professional is like telling Jon Stewart that he needs to take a cue from Wolf Blitzer.

And… I’m an arrogant and immature prick so this arrangement works out fine.

One comment did rightfully slam me…

Hey thanks a lot- I’m an email scammer and thanks to you hosting that image, now I can send out as many phishing emails as I want. All I have to do is link that image to my phishing site and plenty of morons will click it. Trust me, the date won’t stop anyone who’s dumb enough to fall for a phishing scam.

Most spam filters won’t let phishing text through, and when I send out emails with images linked to MY sites, it gets caught by URIBL- but yours is a nice, clean domain and with your blind rage (and lack of common sense) I’m sure it will stay that way for a looooong time- or at least long enough for me to rip off a few hundred unsuspecting old people. But who cares about them, they’re old! Like they’re going to spend that money anyway.

Thanks again!

I would be majorly pwned if someone used that image in a phishing campaign. And, it would likely slip through spam filters. So, I’m going to add some text to it right now.

Financial Site: Open to XSS Attacks and Other Hacks

Remember when HotOrNot.com left their site wide open to attacks and I schooled them on it? I just came across a site with similar security issues. I’m not going to post the site in question just yet though. It’s a huge financial site that could really be hurt if they were attacked so I’m just giving them the heads up for now.

Message I sent them:

Your member profile and listing pages are likely open to cross site scripting (XSS) attacks and other hacks at the moment. You can take a look at my profile and current listing to see that I did some light CSS tweaking to customize those pages. I didn’t test any potentially malicious stuff since this is a financial site. I’ll be blogging about this on GhettoWebmaster.com fairly soon. I just wanted to give you guys a heads up so you can get this place secured up.

[Profile Page URL Removed]

[Listing Page URL Removed]

I found similar security holes on HotOrNot.com a while back. Info about that can be found via the below link:

http://www.ghettowebmaster.com/code/hot-or-not/

^^^ Those findings ended up getting plugged by Mashable.com here:

http://mashable.com/2007/05/02/hot-or-not-2/

I love your site / the concept of the whole thing. I’d hate to see you guys suffer through any malicious attacks.

Best regards,
Loren J. Williams (LoLo)

It will be interesting to see how this plays out. Stay tuned ;-)

Update (3/8/08):
Well, the cat is out of the bag. The site in question is Prosper.com….

That second link has an official reply from Prosper about the issue…

We were contacted by this blogger about this vulnerability in Prosper’s site on February 15, 2008. Since we were contacted, we have made the code change that will eliminate this vulnerability; although it has not yet been rolled out (a release is expected this weekend). We appreciate the blogger’s help in finding these vulnerabilities.

XSS attacks can introduce significant security issues. We are investigating right now whether this kind of attack can actually do anything malicious on the Prosper site (many security mechanisms are already in place). Nonetheless, there are no known cases of hackers exploiting these vulnerabilities to date. As I mentioned, we are planning to release a fix shortly.

I’ll post all the details after I get word that the “expected this weekend” patching is done.
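The message above says the profile and listing pages echo member-supplied content (enough to let a user restyle the page) without encoding it, and Prosper’s reply says the fix was a code change. The block below is an added example written for this post, not Prosper’s code or anything from their site: it renders a constructed profile record two ways, once by pasting the fields straight into the markup (the failure mode described above) and once with each field encoded or validated for the context it lands in (HTML text, a quoted attribute, an href, a CSS colour). Field names, the template, and the allowlists are assumptions made for the demonstration.

```python
import html
import re

# Constructed sample of user-controlled profile fields, the kind of data a
# member profile or listing page echoes back into its markup. Not data from
# Prosper or any other site; the payloads are textbook markers only.
SAMPLE_PROFILE = {
    "display_name": 'LoLo <script>alert("xss")</script>',
    "tagline": 'Ninjas need funding" onmouseover="alert(1)',
    "homepage": "javascript:alert(1)",
    "accent": "red; background:url(http://example.invalid/steal)",
}

# Hypothetical page template. Every attribute value is double-quoted so that
# html.escape(..., quote=True) is sufficient for the attribute context.
PROFILE_TEMPLATE = (
    '<div class="profile" style="border-color:{accent}">'
    '<h1>{name}</h1>'
    '<p title="{tagline}">{tagline}</p>'
    '<a href="{homepage}">homepage</a>'
    '</div>'
)


def render_unsafe(profile):
    """Interpolates the fields verbatim: the state the post describes."""
    return PROFILE_TEMPLATE.format(
        name=profile["display_name"],
        tagline=profile["tagline"],
        homepage=profile["homepage"],
        accent=profile["accent"],
    )


_COLOR_RE = re.compile(r"^#[0-9a-fA-F]{3}(?:[0-9a-fA-F]{3})?$")
_NAMED_COLORS = {"red", "blue", "green", "black", "white", "gray"}


def safe_color(value, default="#000000"):
    """Allowlist for a single CSS colour value; anything else falls back.
    Validating beats escaping here: CSS has no useful escape for 'a value
    followed by another declaration'."""
    v = value.strip().lower()
    return v if (_COLOR_RE.match(v) or v in _NAMED_COLORS) else default


def safe_href(url, default="#"):
    """Only http(s) links may reach an href; javascript: and data: never do."""
    u = url.strip()
    return html.escape(u, quote=True) if re.match(r"^https?://", u, re.I) else default


def render_safe(profile):
    """Same template, but every field is encoded or validated for its context."""
    return PROFILE_TEMPLATE.format(
        name=html.escape(profile["display_name"], quote=True),
        tagline=html.escape(profile["tagline"], quote=True),
        homepage=safe_href(profile["homepage"]),
        accent=safe_color(profile["accent"]),
    )


if __name__ == "__main__":
    print("unsafe:", render_unsafe(SAMPLE_PROFILE))
    print("safe:  ", render_safe(SAMPLE_PROFILE))
```

The point the two renderers make is that the fix is per context, not one global "sanitize" pass: text and attribute values get entity-encoded, URLs get a scheme allowlist, and style values get validated against a pattern, because an escaped string in the wrong context is still live content.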

In the meantime, you can check out my borrower listing over there:
Ninjas Need Funding for Anti-Pirate Propaganda Campaign

^^^ Fo’ realz :P

MySpace Censorship: Filtering Images Gone Wild

MySpace Terms of Service Violation Replacement Image

Another good idea is proving to be problematic when put into action on MySpace. They have an image filtering solution in place which (in theory) converts TOS violating images into a little image which simply has the text “Terms of Service Violation” on it. It does so by checking URLs within image tags against a blacklist and replacing blacklisted image URLs with the URL to their TOS image.

Example:
If a MySpace admin adds http://www.ghettowebmaster.com/images/naked-dead-hooker.gif to the blacklist…

this…
<img src="http://www.ghettowebmaster.com/images/naked-dead-hooker.gif" />

will be converted into this…
<img src="http://x.myspace.com/images/tos.gif" />

…every time someone attempts to post it.

All instances of the original image posted before the url is added to the blacklist will remain as-is. The only exception to this is instances of the original image posted as part of a profile. In that case, the image will remain as-is until the profile is updated.

This system is currently filtering images on profiles, profile comments, groups, forums, and picture comments. MySpace blogs and their comments are still free from image and url filtering.

Good idea, right? I’ll gladly argue you into the ground if you think otherwise. So, where’s the problem? Many of the computers used by MySpace admins are infected with a serious case of the PEBKAC Virus. For those of you that don’t know and are too lazy to click that last link, PEBKAC is an acronym which stands for “Problem Exists Between Keyboard And Chair”. Some of the MySpace admins are being insanely overzealous with their magical image censorship wands.

— FAIR WARNING —

*** Scrolling Further Down Will Reveal Images MySpace Has Deemed Obscene ***

— FAIR WARNING —

*** The Below Makes Cable TV Look Like Hardcore Porn ***

— FAIR WARNING —

*** [Insert Something Witty Here] ***

— FAIR WARNING —

*** [Insert Something Here That Makes You Question My Comedic Ability] ***

— FAIR WARNING —

*** [Insert Something Here That's Hilarious When Coupled With That Last Line] ***

— FAIR WARNING —

………………………………..

……………………….

………………..

…………

…….

….

Blacklisted Image URL:

http://critiquesdemusic.canalblog.com/images/Nirvana_Nevermind_Front.jpg

Image Hosted There:
Nirvana Nevermind Album Cover

I have to agree with Kurt on this one…

Geffen prepared an alternate cover without the penis, as they were afraid that it would offend people, but relented when [Kurt] Cobain made it clear that the only compromise he would accept was a sticker covering the penis that would say “If you’re offended by this, you must be a closet pedophile.” – Wikipedia

Blacklisted Image URL:

http://img59.imageshack.us/img59/6387/velveeta7an.jpg

Image Hosted There:
Mel Ramos Velveeta

That’s not an old ad by Kraft. It’s a piece by artist Mel Ramos from 1965. He was part of the artistic movement from which Andy Warhol is most famous.

The above examples were posted in this group thread.

Another Filtered Image:
I don’t have the blacklisted image url for this one.

The Sin by Franz Von Stuck

I had an image on my profile that someone apparently took offense to, so MySpace replaced it with their “Terms Of Service Violation” picture (a gif that says Terms Of Service Violation in black letters on a white background…

Oh, I forgot to mention a couple of things about the picture. It was of a painting of Eve and the serpent representing the beginning of sin, and was in fact called “The Sin” (Die Sünde in German). It was painted by the German artist Franz Von Stuck in 1893, and is currently located in the Neue Pinakothek, a museum in Munich, Germany. The museum describes itself as, “the Neue Pinakothek is now the most important museum of art of the nineteenth century in the world”. – RaScarabous

Modern Nipples However Are Not Obscene:
What was the most popular MySpace blog entry on May 26 of 2007?

I’m glad you happened to ask…

Most Popular Myspace Blog May 2007

I got a bunch of messages that day from people bitching about a nipple making an appearance in those “Hot Preview Pics”. MySpace surely got a bunch of messages about it too. They have always turned a blind eye towards the Suicide Girls though. Why? Those chicks all have TONS of friends on MySpace and produce thousands upon thousands of page views everyday. So, it’s a money thing. And, the Suicide Girls are one of the many things that helped MySpace build up traffic / members in the first place.

The picture in question is still posted on that “blog entry” (ad for their softcore porn site).

Not That It Matters:
I really don’t know why anyone would bother but the filtering can easily be circumvented. The blacklist is comprised of strict URLs, so simply adding a “www” prefix to the Nirvana album cover got it through. Tossing one (or several) extra slashes into a URL will also do the trick…

http://www.ghettowebmaster.com//////////images//////naked-dead-hooker.gif
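Both the “Example:” walkthrough earlier (blacklisted src swapped for the TOS image) and the two bypasses just described come down to the same defect: the lookup compares the raw string. The block below is an added example written for this post, not MySpace’s code: it normalises a URL (lowercase scheme and host, drop a leading “www.”, drop the default port, collapse runs of slashes) before comparing it against the blacklist, and rewrites matching `<img src>` attributes to the placeholder the post shows. The normalisation rules are an assumption about how such a filter could be hardened, and folding “www.” into the bare host is a policy choice made here, not something the post states MySpace does.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed blacklist and replacement image, mirroring the example in the
# post. Not MySpace's data structures; the normalisation rules below are an
# assumption about how a URL blacklist could be made robust.
BLACKLIST = {"http://www.ghettowebmaster.com/images/naked-dead-hooker.gif"}
TOS_IMAGE = "http://x.myspace.com/images/tos.gif"

_DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_url(url):
    """Canonical form so trivial spellings of one resource compare equal:
    lowercase scheme and host, drop a leading 'www.' (policy assumption),
    drop the default port, collapse runs of '/' in the path, drop fragment."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = parts.hostname or ""          # already lowercased by urlsplit
    if host.startswith("www."):
        host = host[4:]
    try:
        port = parts.port
    except ValueError:                   # garbage port: treat as absent
        port = None
    if port and port != _DEFAULT_PORTS.get(scheme):
        host = f"{host}:{port}"
    path = re.sub(r"/{2,}", "/", parts.path) or "/"
    return urlunsplit((scheme, host, path, parts.query, ""))


def is_blacklisted_exact(url, blacklist=BLACKLIST):
    """Literal string lookup: the behaviour the post describes, which a
    'www.' prefix or a few extra slashes slip past."""
    return url in blacklist


def is_blacklisted(url, blacklist=BLACKLIST):
    """Lookup after normalising both the candidate and the list entries."""
    return normalize_url(url) in {normalize_url(u) for u in blacklist}


# Matches the src attribute of an <img> tag; group 3 is the URL.
_IMG_SRC = re.compile(
    r'(<img\b[^>]*?(?<![\w-])src\s*=\s*)(["\'])(.*?)\2',
    re.IGNORECASE | re.DOTALL,
)


def filter_html(fragment, blacklist=BLACKLIST):
    """Rewrite every blacklisted <img src> in a posted fragment to the TOS
    placeholder, deciding on the normalised URL rather than the literal one."""
    banned = {normalize_url(u) for u in blacklist}

    def swap(m):
        if normalize_url(m.group(3)) in banned:
            return f"{m.group(1)}{m.group(2)}{TOS_IMAGE}{m.group(2)}"
        return m.group(0)

    return _IMG_SRC.sub(swap, fragment)


if __name__ == "__main__":
    variant = "http://www.ghettowebmaster.com//////////images//////naked-dead-hooker.gif"
    print("exact match:", is_blacklisted_exact(variant))   # False
    print("normalised: ", is_blacklisted(variant))         # True
    print(filter_html(f'<img src="{variant}" />'))
```

Normalising both sides of the comparison is what closes the gap; normalising only the stored list, or only the submitted URL, still leaves one side of the lookup literal. Percent-encoding, redirectors and mirrors on other hosts are separate problems that a string canonicaliser does not address.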

In Summary:
I think the image filtering solution is a good idea. MySpace just needs to police / train their admins better and only filter images which blatantly violate their TOS.

LoLo's safe for work blog about Internet scams, deceptive marketing, spam, spyware, adware, and other asshatery.