Tuesday, December 12, 2006

More illegal activity from FinestRX


Monday, December 11, 2006

Spam = Criminals. Always

In the past week since starting this blog, I have discovered a disturbing trend towards more and more obviously criminal activity being perpetrated by idiot spammers than has ever been seen in the past five years.

This should come as absolutely no surprise to anyone. Spammers are almost always tied to fraudulent activity, whether it's something seemingly innocuous like click fraud or something much more dangerous such as sales of fake pharmaceuticals or DDOS'ing a competitor's website off the map.

Last Thursday, we started seeing several spam messages making the rounds touting a so-called "Russian children's fund" under the domain "savechilds.net" (Nice choice of illiterate domain, assholes.)

The email contained nonsensical text and featured an attached gif which told you to merely type the "savechilds" domain into your browser. The image looked like this:


You'll notice it looks EXTREMELY similar to the following two spammed images as well, both of which were received the same day:

So we're clearly dealing with a repeat, career spammer with an obviously fraudulent background. If this same individual suddenly started telling me to start using FedEx I would immediately question the security of FedEx as well. Who would ever assume that this was legitimate when it's coming from an unsolicited source who is apparently also trying to sell you penis pills and attempting to pump and dump an obviously failing stock to you?

The site featured no security (of course) but claimed that all transactions were secure. It then went on to recommend sending your donation via Western Union, possibly the most obvious indication that these people were out to steal your money wholesale. Nobody should EVER send money via Western Union in my opinion and that of others. Lots of Nigerian scammers out there rely solely on WU for the receipt of fraudulent funds from hapless victims.

Then today I noticed that an old standby, Pharma Shop, was suddenly using slightly more JavaScript than usual on its site. That turned into a bit of a lengthy trail of breadcrumbs which ultimately led to evidence that they were actually attempting to perform a malicious install of a Windows virus in the background. (It failed, of course, because these idiots don't have a single brain cell that could cause them to write code that would not obviously expose their intentions.)

Pharma Shop domains have also been used as the mail domains for numerous 419 emails (Nigerian scams, "sweetheart" scams, donation scams to fake religious groups, always located in either Romania or Nigeria.)

I am sick of these assholes constantly being given authorization to register their domains. Is nobody out there doing any kind of background check into these idiots and their stupid domain names? Isn't *anyone* paying any attention to this crap? Why does it always fall to an independent citizen like myself to expose these criminals' operations?

To whoever is behind those ridiculous Pharma Shop spam runs: your days are fucking numbered. Count on it. You are exposing more and more of your operation and you're probably thinking that you're pretty sneaky when in fact the whole world is really getting prepared to track you down, lock you up, and throw away the key so you can spend the rest of your days wondering why you boasted to so many people about how fabulously wealthy you were.

Die you ignorant scum bastards.

IKS / SiL

Wednesday, December 6, 2006

The most retarded spam attempt evarrr

Just got this beauty in a hotmail account:

Wow. I am teh so fooled! Using Apple's own header and footer - and then presenting me with a so-called "EDPills" layout.

Link in the email goes to a fetish / contortionist video website which has been hacked to provide a redirect to one of the thousands of Health Nation websites (a Leo Kuvayev property. We'll talk about him eventually also.)

This looks pathetic, stupid, and desperate. Not necessarily in that order.

Fetish video website has been notified, as has Apple's legal team.

We're seeing more and more stupid spam this month. By stupid I mean genuinely un-smart. Several stock messages I've received have featured no payload or mention of the stock itself. Other times the message claims to be about a hot stock tip, only they include a link that points to a site like Pharma Shop or Discount Pharma. It's a sign that they're precisely what I think they are: stupid, desperate, and possibly running out of options.

IKS/SiL

Why are stock spammers such horrendous liars?

Recently seeing lots of craptacular text spam (I guess those images aren't working like you thought they would, are they?) touting stocks, but worded as though it's someone's mistaken update to a family member. Two examples:

hi

Dad called and said he will be coming a day late now. So I will pick him up at the airport. oh, and before i forget he is that company i told you about.

VSUS Announces New MyOneScreen Application & New Market strategy.Price & Volume Go Through the Roof!


yo

Duuuuuuude, lol! this christmas is going to be so much fun. I have made a killing on these things. here check it out. this is the newest one I got.

V S U S Announces New MyOneScreen Application & New Market strategy.Price & Volume Go Through the Roof!


Yeah. Great. "Duuuuuude" lol indeed. That is so hilarious. You sure got me.

For the record: all of my spam filters are still stopping this spam, and rightly so. Furthermore, every time I get these, I immediately blab about it on several investment forums, so nobody who actually has the motivation to participate in your stupid schemes is likely to actually drop the cash on your fake fucking stocks okay assholes?

Spammers really are idiots. At the end of the day they are desperate little cowards who like to boast about how wealthy they are. That is until they finally get caught.

IKS/SiL

On the subject of Alex Polyakov

This is going to be long so bear with me.

Alex Polyakov. Here's a guy I think pretty much everybody who uses the internet on a daily basis should despise very deeply.

I personally question whether that's even his real name. But that's the one that most spam trackers out there have somehow discovered (no idea how) and so it's the one I'll use to refer to him. Well: that and other names of my own devising ("asshole" springs immediately to mind.)

Let's start with the basics. I'll rely on SpamHaus since they are without question the leading authority on spammers.

Spamhaus maintains a list of all the known spammer identities in the world. The really bad ones make their so-called "ROKSO" list (note: many people misspell or mispronounce that term as "ROSKO". That is incorrect.) It stands for "The Register of Known Spam Operations" and it even has its own top 10 list:

http://www.spamhaus.org/statistics/spammers.lasso

The list is based on individuals who spam, which results in complaints, and getting kicked off at least three (3) - or more! - ISP hosts. To get kicked off an ISP for spamming, there has to be some pretty solid evidence. It usually takes weeks to months of evidence gathering due to the legalities of relationships between ISPs and their users. To get kicked off of THREE ISPs?! You'd have to be an unapologetic asshole, spamming day and night, and not care that people find out about it. That's what this list consists of: people like that.

As I write this, Alex Polyakov is still right at #1:

Alex Blood / Alexander Mosh / AlekseyB / Alex Polyakov

Congratulations, Alex, you stupid moron spammer. He's been #1 for several months now. His competitor, Leo Kuvayev / BadCow (currently #2) was #1 for almost four full years. That's some tough competition.

So what can we discover about this charming individual? I'll go point form and it will be based mostly on evidence from SpamHaus.


  • He's based in Ukraine, but apparently lives somewhere in North America.

  • Alex Polyakov may not be his real name (duh)

  • He may be part of the Pavka/Artofit and Leo Kuvayev spam gangs

  • He is definitely a part of the Yambo Financials spam gang, responsible for the My Canadian Pharmacy umbrella of websites (some 14 different types of sites, all hosted on hijacked Unix machines.)

  • He somehow has ties to a group known as Regpay, an international child pornography ring which was busted in January of 2004. Many people investigating his activities assume that he helped with technical infrastructure.

  • He spams using botnets, for websites which are hosted on hijacked computers which he does not own.

  • His operation is responsible for a great deal of the trojans, viruses and worms which have been created for the Windows operating system.

  • He is responsible for numerous phishing attempts posing as a variety of job offer scams in Australia in September of 2005.

  • Some people believe he is the one responsible for DDOS-ing Blue Security in May of 2006. (calling himself "PharmaMaster".)

  • He's run several businesses and even been quite public about their operation. Examples include Jungle Ventures (his role: CEO) and Pilot Holding (Owner and Operator.)



Wow. What a charmer! Child porn! Illegal pharmaceuticals! Viruses! Just sounds like an awesome guy doesn't he?

My main focus has been on investigating the My Canadian Pharmacy sites. You've probably seen them. You've DEFINITELY gotten mail from them. All of these sites claim to sell pharmaceuticals but many in law enforcement believe they are actually identity theft operations, as nobody has ever received a single product upon ordering from them.

A colleague of mine has posted a fairly in-depth website of his own which documents a great deal of their operation:

http://spamhater.zoomshare.com/

Technical earmarks of these sites:

  • Thousands of new domains registered each day, automatically, all unpronounceable, all using other similar domains as their DNS.

  • Domains, once spammed, have randomized suffixes and randomized URI numeric parameters. An example: http://ofevsc.sheathknifes.com/?63524167

  • The website itself is always hosted on a hijacked Unix machine's IP address. Said Unix machine usually has an extremely obvious root password (most commonly "root", "r00t", "password", "123", "1223456". Dude: DO NOT set your root password to something that obvious!)

  • That same IP can often also be the DNS server. That or it's hosted on yet another hijacked Unix server.

  • Images for the website are always (or at least: whenever possible) hosted on yet another hijacked Unix server.

Pretty complex. Lots of targets to go after. All traffic is mirrored from a "top-level" IP address actually owned and operated by the spam operation. Nobody knows what those top-level addresses are, because the exploit that runs on the hijacked machines resides in RAM only. No actual files exist on the hijacked machine. It acts as a "traffic proxy" (my term), presenting pages from the top-level server, through the hijacked machine, through to the user's web browser. Post an order? Reverse that stream. Images also originate on some other top-level server.
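A small detector for the link shape described above (a throwaway subdomain label per spammed link on a shared registered domain, plus a bare numeric query string), written here as an added example in Python; it is not code from this blog or its tools. The first sample URL is the one quoted above, the rest are constructed in the same shape, and the registrable-domain logic is deliberately naive (last two labels only).

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

NUMERIC_ONLY = re.compile(r"^\d+$")

# Constructed sample: the first URL is the one quoted in the post, the rest
# are made up in the same shape (random label, bare numeric parameter).
SAMPLE_URLS = [
    "http://ofevsc.sheathknifes.com/?63524167",
    "http://qpwzrt.sheathknifes.com/?81029934",
    "http://mlkxov.sheathknifes.com/?22947710",
    "http://www.example.org/index.html",
    "http://www.example.org/about",
    "http://news.example.org/?id=42",
]

def url_features(url):
    """Return (registrable domain, subdomain, query is a bare number).
    The registrable domain is taken naively as the last two labels; that
    ignores multi-part suffixes such as co.uk, which is fine for this demo."""
    p = urlparse(url)
    labels = (p.hostname or "").rstrip(".").split(".")
    domain = ".".join(labels[-2:])
    subdomain = ".".join(labels[:-2])
    return domain, subdomain, bool(NUMERIC_ONLY.match(p.query))

def profile_domains(urls):
    """Per registrable domain: URL count, distinct non-www subdomains, and
    how many of its URLs carried a bare numeric query string."""
    prof = defaultdict(lambda: {"urls": 0, "subdomains": set(), "numeric": 0})
    for url in urls:
        domain, subdomain, numeric = url_features(url)
        entry = prof[domain]
        entry["urls"] += 1
        if subdomain and subdomain != "www":
            entry["subdomains"].add(subdomain)
        if numeric:
            entry["numeric"] += 1
    return prof

def flag_campaigns(urls, min_hosts=3):
    """Domains seen behind at least min_hosts distinct subdomains where every
    link also carried a bare numeric parameter: the campaign shape above."""
    return sorted(
        domain for domain, e in profile_domains(urls).items()
        if len(e["subdomains"]) >= min_hosts and e["numeric"] == e["urls"]
    )

if __name__ == "__main__":
    print(flag_campaigns(SAMPLE_URLS))  # ['sheathknifes.com']
```

Run over the links extracted from a day's spam, the flagged registered domains are the ones worth reporting to the registrar, since each subdomain label is disposable but the parent domain is shared.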

The sites themselves offer up what is certainly the biggest pack of lies I've ever seen. They claim that you are ordering securely. That's bullshit. No SSL, no third party SSL, no encryption of any sort. Liars! They claim that they are "Listed at Better Business Bureau", "Verified by Visa", are a "Verisign Secure Site", have "CIPA Certification" and are "Top Rated by Pharmacy Checker". I am now regularly in touch with all of the organizations these sites list and I can tell you for a fact: every single word is a lie. Do a search for My Canadian Pharmacy on the BBB website and you get the following:

http://www.bbbmwo.ca/commonreport.html?bid=1134034

"Based on BBB files, this company has an unsatisfactory record with the Bureau due to its failure to discontinue the use of the BBB's federally registered trademark when demands have been made to do so."

They're listed alright. Just not in the way they want consumers to think that they are.

What got me interested in tracking down their operations was the sheer volume of spam I was receiving - often 40 or more messages per day to one address - as well as the high number of registered domains. Is everyone at the authorized registrars falling asleep on the job or something? When someone registers a few thousand domains per day, all using 100% fake data, don't you think someone would notice that? Don't you think that kind of traffic should be monitored?

Then I started examining their image hosts. At the time I first started examining them, they were constantly using geocities domains. After I reported a few hundred of those per week to the Geocities abuse team (very fast acting people I might add) they switched to Yahoo small business domains. They'd register thousands of THOSE every day and use them specifically for image hosting only. I reported all of those as well. Then they started using raw IP addresses. They clearly had no intention of ever stopping spamming people who didn't want to hear about this crap in the first place.

I began creating retaliation forms to seed their order forms with fake data. At first I tried purely random characters for all fields. That didn't work, so I tried "normalized" but random names from a small subset. That worked, but they would not accept random data for the credit card. So I discovered a formula to generate a number that would pass what's called a "mod 10" check (used by very rinky-dink forms to validate the format of a credit card number only.)
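The mod 10 (Luhn) check the paragraph refers to, as an added example in Python rather than the author's own tool. It shows what the check does and does not prove: it only catches mistyped digits, so a form that stops at Luhn accepts exactly one in ten arbitrary digit strings and learns nothing about whether a card exists.

```python
def luhn_valid(number: str) -> bool:
    """True if the digit string passes the mod 10 (Luhn) checksum.
    Spaces are tolerated; any other non-digit makes the string invalid."""
    cleaned = number.replace(" ", "")
    if not cleaned.isdigit() or len(cleaned) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(cleaned)):
        d = int(ch)
        if i % 2 == 1:          # every second digit, counted from the right
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0

def luhn_check_digit(payload: str) -> int:
    """The check digit that makes payload + digit pass luhn_valid."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # rightmost payload digit is the one doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10

def luhn_pass_rate(sample_size: int = 10000, width: int = 16) -> float:
    """Fraction of consecutive width-digit strings that pass the check. For
    any fixed 15-digit prefix exactly one of the ten last digits works, so
    this is 0.1: Luhn alone filters out almost nothing."""
    hits = sum(luhn_valid(str(n).zfill(width)) for n in range(sample_size))
    return hits / sample_size

if __name__ == "__main__":
    print(luhn_valid("4111 1111 1111 1111"))   # True (a well-known test number)
    print(luhn_check_digit("411111111111111"))  # 1
    print(luhn_pass_rate())                     # 0.1
```

For a merchant the defensive lesson is the mirror image of the author's: treat a Luhn pass as a typo check only, and rely on the issuer's authorization for anything that matters.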

Success!

I got in a couple of orders, then suddenly the site wouldn't load anymore. Well that was fast. :)

Switching IP addresses on my end brought it back. So they ban after even one measly bad order. Nice.

I began investigating each of the domains after a few colleagues discovered that they were hosted on easily hijacked Unix computers. Let me tell you: there are literally thousands of Unix servers out there where root is able to log in remotely (the first huge mistake; never allow that to happen, people) and the root password is so easy to guess my cat could have done so. Most of the time these servers were hosted within either university networks located throughout Asia and Europe, or hobbyist RedHat systems around the world. Occasionally, one or two of these servers were located in the continental US.

I continue to report every single hijacked Unix machine I find in the hope that whoever runs one of them will monitor the activities of the infections which have been placed there by these criminals. Unfortunately my own ability to monitor them has been somewhat diminished because, of course, they're on to me. :) But I'm only one guy out of literally hundreds monitoring these hijacks. Believe me: eyes are still on it. If you're reading this and you run or maintain a Unix server of any sort: change your stupid root password! Secure your machine! I can't believe the stupidity of some users out there. And it's never just one or two of them, it's hundreds! Lock down your root password now.
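The fix the paragraph (and the earlier list of earmarks) asks for, as an added example that is not from this blog: a Python audit of an sshd_config text for the three directives that let a guessable root password be used over the network. Both configs are constructed for the demonstration; treating an unset PermitRootLogin as "yes" follows older OpenSSH releases and is an assumption.

```python
# Constructed sample configs for this example (not taken from any real host).
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes        # root can be brute-forced directly
PasswordAuthentication yes
PermitEmptyPasswords yes
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
"""

# directive -> (value that is weak, assumed value when unset, why it matters).
# Assumed defaults: older OpenSSH permitted root login unless told otherwise,
# password authentication defaults to yes, empty passwords default to no.
CHECKS = {
    "permitrootlogin": ("yes", "yes",
        "root can log in remotely with a password; set it to no and use sudo"),
    "passwordauthentication": ("yes", "yes",
        "passwords can be guessed over the network; use keys and set it to no"),
    "permitemptypasswords": ("yes", "no",
        "accounts with an empty password can log in; set it to no"),
}

def parse_sshd_config(text):
    """Lowercase directive -> first value. sshd honours the first occurrence
    of a directive; everything after a Match line is conditional and skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "match":
            break
        settings.setdefault(key, value.strip())
    return settings

def audit_sshd_config(text):
    """List of (directive, effective value, finding) for each weak setting."""
    settings = parse_sshd_config(text)
    findings = []
    for key, (weak_value, default, why) in CHECKS.items():
        value = settings.get(key, default)
        if value.lower() == weak_value:
            findings.append((key, value, why))
    return findings

if __name__ == "__main__":
    for directive, value, why in audit_sshd_config(WEAK_CONFIG):
        print(f"{directive} = {value}: {why}")
    print("hardened:", audit_sshd_config(HARDENED_CONFIG))  # []
```

The real effective configuration (including Match blocks and compiled-in defaults) comes from running `sshd -T` as root; feed its output to the same audit rather than the raw file when that is available.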

I'll continue to add to the info on this idiot spammer as I find it. I would hope that somebody out there knows this jackass and would be more than happy to turn him in. He deserves to rot in jail for life just for the child pornography alone. Add in everything else he's responsible for and I think it's safe to say that this guy is a menace to international society.

And Alex if you're reading this: we all hate you, and we wish you would kill yourself immediately.

Thanx for reading (if you did.)

IKS/SiL

I Kill Spammers

Welcome to my shiny new blog.

I have been posting on several antispam forums starting in around February or March of this year (2006). I have been pretty angry about the overall deterioration of the Internet at the hands of criminals for a few years. It came to a head in October of 2004 when I suddenly saw a 400% increase on one of my accounts. This is an email account I had posted precisely nowhere, given to nobody, and used specifically as a test account for my own development purposes. Somehow these assholes decided to start sending me "offers" for bullshit products and mortgage scams in which I would never have been interested in the first place. They didn't care. They had a profit level to maintain.

I decided to start examining their websites, paying specific attention to their order forms. I started sending bait orders or leads. That got a pretty much instantaneous reaction. This was just me, small scale stuff, using manually entered fake details. After the first posting, my network started acting funny. I was being DDOS'd. I unplugged my ethernet and restarted my cable modem.

This surprised me. That a spammer could feel somehow threatened or throw a tantrum after only one measly fake: how old were these assholes anyway?! Ridiculous.

From that point on I've taken the mindset that I am dealing with three year olds. Baby wants bottle. Baby doesn't get bottle: baby throws tantrum. Wahhh. It's an effective analogy on so many levels, and in the years I've been doing this the idiots behind the most prevalent spamming operations have never proven that they think or act in any other way. Even the most sophisticated ones act like a bunch of stupid little brats.

So in February or March of this year, after finishing reading Spam Kings [spamkings.oreilly.com] by Brian McWilliams, I was made aware of an effort on a specific forum to go after one specific high-profile spammer: Alex Polyakov. I decided to join in. I brought a whole parcel of my own custom-written tools to this and other forums, and I noticed that people really, REALLY enjoyed running them. I compare it to that lab-rat experiment where the rat can't stop pressing the button because every press stimulates some portion of its brain by giving it a treat. Button. Treat. Button. Treat. ButtonTreatButtonTreatButtonTreatButtonTreat... :) People ate it up. It's progressed since then.

The fuckhead spammers of course don't like that. So they've had to evolve the way their websites are built. Mortgage spammers now routinely ban an ip address after a measly single post. I guess they've never heard of anyone sharing their computer, or their network. They're clearly a bunch of braindead little morons. If certain pharmaceutical spammers start seeing me (wherever I am) snooping around their sites, they ban my ip address. That's ridiculous! I thought the whole point of spamming was to get people to come to your website in the first place?!

I'm going to attempt to maintain this blog and provide as much information as possible about these criminals, their background, their infrastructure and methods I've used to retaliate against them. My hope is that eventually you can do a search for a spammed website's product, and this site will be the first hit that you get. It shouldn't be that hard. Most of my postings on all the forums I've contributed to have become a top-3 link for most products out there (try one for "Spur-M spam" to see what I mean. The 4th hit on that list is one of my posts, or a posting about one of my utilities.)

I'll start by describing the main idiot I am gunning for (as are hundreds of others including international law enforcement): Alex Polyakov.

That's for my next post.

Thanx for reading.

IKS/SiL

P.S. Naturally since idiot spammers love to spam blog comments, it is highly likely that I will have to turn off comments at some point. Don't take it personally. Spammers are idiots and they like to ruin as many things as possible. This puny blog is no exception.