All the email looks genuine, and the image source tags all point to the right place?
Should I click on the link kids?
(Cries of “Yes!”, “No!”, “It's behind you!”, etc. – well it is panto season after all.)
I logged onto eBay using a separate browser window and checked my messages. Nothing. I felt fairly clean. So I opened up the HTML of the email (and yes, this is why HTML emails are dangerous, they look cute and cuddly, but have unexpected nasties inside.)
I found this:
If you want to unsuspend your account now click the link below:
WARNING: IF YOU FOLLOW THAT LINK YOU MAY WELL DOWNLOAD
MALWARE, LOSE YOUR CREDIT CARD INFORMATION, OR BE SHOWN
OFFENSIVE AND GRAPHIC IMAGES. NOTHING GOOD.
So don’t. Still with me? Good, there’s more.
For us gentle souls who don’t eat HTML for breakfast (and you are wise, it will make you burp), what this means is that the nice inviting link offering to unsuspend my account now (why suspend my account for only 7 days, then offer to unsuspend it?) actually leads to a password-protected page on a machine identified only by its IP address.
Where’s that machine?
Curious soul that I am, I checked out the IP address. It’s listed in the DNS as:
184.108.40.206.IN-ADDR.ARPA, PTR, cpe-066-026-069-024.nc.res.rr.com
which means that someone somewhere has downloaded a piece of malware which has taken over their machine and is quietly and happily using it to serve out viruses, trojans, and other nasties.
Where’s the sender?
Looking at the headers of the email, I gathered the following juicy bits:
Received: from mail.bick.com ([220.127.116.11] helo=saturn.Bickford.com)
by faraday.net.versatilia.com with esmtp (Exim 4.43)
Tue, 18 Dec 2007 16:30:15 +0000
Received: from User ([18.104.22.168]) by saturn.Bickford.com with
Tue, 18 Dec 2007 10:19:10 -0600
Versatilia are my ISP, and a thoroughly nice bunch and very sharp. It looks like mail.bick.com is running an open mail relay. They’re a firm of architects by the way, based in Kansas. So, using the abuse.net mail tester, we see:
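The two checks described above, reading the real link targets out of the HTML and walking the Received: headers back to the first hop, can be done mechanically. The script below is an added example and is not code from the original post; it parses a constructed sample message whose hostnames and addresses are placeholders (RFC 5737 documentation ranges), not the values quoted in the post. It flags any link whose target host is a bare IP address or whose visible text names a different host than the href, and it lists the relay hops earliest-first so the originating address is the first entry. The reverse-DNS helper is the only part that touches the network and is not called by default.

```python
import email
import ipaddress
import re
import socket
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the headers and body quoted in the post.
# All hosts and addresses are placeholders, not the post's real values.
RAW_EMAIL = b"""Received: from mail.example-relay.test ([203.0.113.10] helo=relay.example.test)
\tby mx.example-isp.test with esmtp (Exim 4.43)
\tTue, 18 Dec 2007 16:30:15 +0000
Received: from User ([198.51.100.77]) by relay.example.test with
\tTue, 18 Dec 2007 10:19:10 -0600
From: "Auction Site" <no-reply@example-auction.test>
To: victim@example-isp.test
Subject: Your account has been suspended
Content-Type: text/html; charset=us-ascii

<html><body>
<p>If you want to unsuspend your account now click the link below:</p>
<p><a href="http://192.0.2.55/auction/login.php">https://www.example-auction.test/signin</a></p>
<img src="https://www.example-auction.test/logo.gif">
</body></html>
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html):
    """Return [(href, [reasons])] for links a reader should not trust."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = (urlparse(href).hostname or "").lower()
        reasons = []
        if is_bare_ip(href_host):
            reasons.append("link target is a bare IP address")
        # Visible text that looks like a URL but points elsewhere is classic phishing.
        text_host = urlparse(text).hostname if "://" in text else None
        if text_host and text_host.lower() != href_host:
            reasons.append(f"visible text says {text_host} but link goes to {href_host}")
        if reasons:
            findings.append((href, reasons))
    return findings


def received_chain(msg):
    """Return relay hops earliest-first: [{'from', 'ip', 'by'}, ...]."""
    hops = []
    # Headers are listed top-down, newest first; reverse to start at the origin.
    for hdr in reversed(msg.get_all("Received", [])):
        flat = " ".join(str(hdr).split())
        frm = re.search(r"\bfrom (\S+)", flat)
        by = re.search(r"\bby (\S+)", flat)
        ip = IP_IN_BRACKETS.search(flat)
        hops.append({
            "from": frm.group(1) if frm else None,
            "ip": ip.group(1) if ip else None,
            "by": by.group(1) if by else None,
        })
    return hops


def reverse_dns(ip):
    """Optional PTR lookup (network access required); None if no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def analyze(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    html = msg.get_body(preferencelist=("html",)).get_content()
    hops = received_chain(msg)
    return {
        "hops": hops,
        "origin_ip": hops[0]["ip"] if hops else None,
        "links": suspicious_links(html),
    }


if __name__ == "__main__":
    report = analyze(RAW_EMAIL)
    print("origin:", report["origin_ip"])
    for hop in report["hops"]:
        print("hop:", hop)
    for href, reasons in report["links"]:
        print("suspicious:", href, "->", "; ".join(reasons))
```

Run as-is it prints the origin address (the first Received: hop, the one labelled "User" in the post's headers), each relay hop, and the one link whose target is a bare IP address dressed up as the auction site's sign-in URL. Feed it a saved message file instead of the constructed sample to repeat the post's checks on your own mail.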
>>> MAIL FROM:
>>> RCPT TO:
>>> (message body)
<<<> Queued mail for delivery
The sender (listed as "User" above, in bright green - 22.214.171.124) looks like it's an IP address in the former Yugoslav republic of Macedonia. They have evidently found more worlds to conquer!
inetnum: 126.96.36.199 - 188.8.131.52
descr: UltraNet d.o.o.
status: ALLOCATED PA
source: RIPE # Filtered
The router offering its route is shaper.unet.com.mk (184.108.40.206)
Law officers, if you read this, there's some work there for you. If by chance the machine owner of 220.127.116.11 logs onto my blog from Raleigh, USA and reads this, then go look at Get Safe Online. Change your passwords, back up your information, and reinstall your OS. You're done.
And folks, this took 5 minutes to check on, and by doing so my personal information lives to fight another day.