The Scariest Type of Spam

I got an email this evening from Bank of America. My email client at work, Mozilla for Linux, brought it right to me. At home, Popfile thought it was spam.

Dear valued Bank of America Customer!

As part of our continuing commitment to

protect your account and to reduce the instance

of fraud on our website, we are undertaking a

period review of our member accounts. You are

requested to visit our site by following the link

given below. This is required for us to continue

to offer you a safe and risk free environment to

send and receive money online, and maintain the

Bank of America Experience. After verification you will be

redirected to the Bank of America home page. Thank you.

http://www.bankofamerica.com/state.cgi?section=generic&update=&cookiecheck=yes&destination=nba/signin

Copyright 2003 Bank of America Corporation. All rights reserved.

That’s what it looked like – but looks can be deceiving. The link to www.bankofamerica.com was really just text. The actual web link, hidden in the source code of the email, was different (I’m going to change a few characters so it will show up here, as it is specifically formatted to be invisible!&#185):

http://www.bankofamerica.com %01%01%01%01%01%01%01%01%01%01%01%01%01….. %34:%38%30/%77%77%77/%62%6F%61/%73%74%61%74%65%5F%63%67%69%2E%70%68%70

So, what have we here? It’s an exploit, taking advantage of the way Internet Explorer (and possibly other browsers) treat what they see. You’re not being sent to a Bank of America website but actually:

http://www.bankofamerica.com/state.cgi?section=generic”>http://www.bankofamerica.com +stuff_snipped+

@211.23.65.84:80/www/boa/state_cgi.php”>http://www.bankofamerica.com/state.cgi?section=generic

In other words, the info you see is treated as if it were a username or password and the real destination is a directory on 211.23.65.84. That IP address, 211.23.65.84 is nothing out of the ordinary. Every website has a numerical address hiding behind its URL. This site, www.geofffox.com, is really 66.225.220.189.

So, who is 211.23.65.84? It’s a website, hosted by Chungwa Telecom Co, Ltd.

netname: HINET-TW

descr: CHTD, Chunghwa Telecom Co.,Ltd.

descr: Data-Bldg.6F, No.21, Sec.21, Hsin-Yi Rd.

descr: Taipei Taiwan 100

country: TW

Are you confused yet?

Let’s get very simple. Someone sent out emails, looking like they were coming from Bank of America, asking people to log in and provide account details. What looked like a Bank of America website was really a website located in Taiwan.

The normal user of this IP address is Spectrum Research and Testing Laboratory, Inc. More than likely, they had no clue what was going on, and one of their computers had been hijacked for this exploit.

What’s even stranger is that the actual email was mailed from a Comcast home customer! It’s possible that the Comcast subscriber was a conspirator, but more often than not some piece of ‘malware’ has invaded that home machine and it’s now a ‘zombie’ doing the bidding of these potential identity thieves!

It just sounds too weird, doesn’t it? But this kind of stuff is going on all the time! Many people, maybe most people, who get this kind of email will bite and enter their info. Everything looks legit. Everything seems on the up-and-up.

As of this evening, the site mentioned in the email is down. How many user names and passwords were gotten before it was stopped? Your guess is as good as mine.

Catching the crooks is going to be tough. The miscreants who devised this probably aren’t in Taiwan, or using a Comcast cable modem. They could be anywhere in the world, getting ready to go on the shopping spree of a lifetime. On the Internet, there’s really no difference between Brooklyn or Bulgaria or Buenos Aires.

This is the cancer that has invaded the Internet. I have mentioned this before, but it bears repeating. The Internet in general, and email in particular, will become devalued unless a method is devised to accurately verify who is the sender. This will mean a total reconfiguration of email protocols – but it’s got to be done. And, it’s got to be done sooner rather than later.

Tonight, there’s someone, somewhere, who suddenly has the money to mount the research into writing that new email protocol – but that’s the last thing he wants.

I could not have begun to tell this story without the help of Spamcop and SamSpade. Both are top notch in getting to the bottom of spam.

&#185 – (01-10-04 3:33 PM) I just got a call from Mike, at the Cingular Store, who was reading my webpage. It seems even including the altered code from this email was enough to set off McAffee Virus Scanner! I have changed the code again and McAffee now passes it. This just goes to show how nefarious these ‘phishing’ emailers are!