Washington Apple Pi

Anatomy of a Scam

By Bob Jarecke

Washington Apple Pi Journal

On March 16, 2009, I awoke to find two copies of the following E-mail in my Mail Inbox. Mmm, what’s this?

From: "WAP Technical Support Team" <support-team@administrativos.com>
Date: March 16, 2009 2:05:34 AM EDT
Subject: E-mail Account Maintainance
Reply-To: support-team@administrativos.com

Dear E-mail Account User,

We have temporarily limited all access to
sensitive account features, in order to restore your account access, you need to reply to this
email immediately with your E-mail account
Account name:(___________) and TCS
Password:(___________)

Due to much junk/spam emails you receive daily, we are currently upgrading all email accounts spam filter to limit all unsolicited emails for security reasons and to upgrade our new and improved E-mail account features and enhancements, to ensure you do not experience service interruption.

You must reply to this email immediately and enter both your user name and password in the space provided to enable us upgrade your E-mail Account properly.

A confirmation link will be send to you for the Re-Activation of your e-mail Account, as soon as we received your response and you are to Click on the "Confirm E-mail" link on your mail Account box and then enter this confirmation number: 1265-6778-8250-8393-5727

Your failure to provide your e-mail account login details will lead to a temporarily disabled of your e-mail account or we will immediately deactivate your e-mail account from our database.

Thanks For Your Understanding.

WAP Technical Support Team

After reading the first couple of lines, the hair on the back of my neck stood up. I didn't know of any problems with our WAP E-mail program or associated server, but there could be something amiss that I was not clued-in on. I felt it prudent to look a wee bit closer.

Clues Aplenty

First, the message "From:" line said it was from “WAP Technical Support Team.” Huh? In all my dealings with the Pi and the other volunteers that help it run, I have never heard our vaunted TCS crew referred to as the WAP Technical Support Team. The average reader might not know this, though, so that first clue could be missed.

Next, I studied the "From:" line to see the E-mail address from which the E-mail originated. It said "<support-team@administrativos.com>." Now that’s strange spelling for the word "administrative." And where is the telltale, WAP-centric “wap.org” address identifier that the Pi uses for its E-mail?

And the third mystery, the message wasn’t even addressed to me! The "To:" line was missing. Okay, there is something definitely fishy about this message.

With all these telltale signs of a scam E-mail, I then asked myself, what were they after? Whoa! They were asking for my account name and password! The number one rule for most every business that communicates via E-mail is that they will never ask for your password. The Pi is no different.

Analysis

So what was the overall scope of the problem and did anyone get burned? The short answer is that a small number of WAP E-mail accounts were tapped and four unsuspecting souls handed over the keys to their front door!

The best place to follow the drama was on the TCS. The message thread started with a member checking in at 10:26 a.m. stating he got two of the phishing electronic messages. I suffered a bit of angst, expecting that the list would grow and grow, but then another member checked in. He noted that the misspellings were not characteristic of the WAP TCS crew, and said "Anyway, I feel left out! No such spam here. Yet." You can see the blow-by-blow account at the link address below.

http://tcs.wap.org/topic?b=tcs&top=3944#3959

A couple of the choice comments included:

"Yes, the email's a clinic in how to spot a phishing attempt:
- Poor grammar, spelling, and/or usage
- Return address doesn't make sense if they're who they say they are
- No personalization identifying either you or the originator"

"Here is the (message) header.
Received: from 213.185.118.232 (proxying for 192.168.12.19)
The whois indicates the source is from Nigeria."
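The clues listed in the "Clues Aplenty" section and in the checklist quoted above (display name that claims to be the organisation, sender and Reply-To domains outside it, no "To:" line, a request for credentials under threat of losing service, and an originating IP in the Received: header) can be screened mechanically. The Python script below is an added example, not code from the article or anything the Pi ran. It parses a constructed message modelled on the quoted one (the administrativos.com addresses and the Received: line with 213.185.118.232 are the ones the article reports) and lists each red flag it finds; the organisation domain and the benign comparison message are assumptions.

```python
import re
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the message quoted in the article; the
# addresses and the Received: hop are the ones the article reports.
SAMPLE = """\
Received: from 213.185.118.232 (proxying for 192.168.12.19)
From: "WAP Technical Support Team" <support-team@administrativos.com>
Reply-To: support-team@administrativos.com
Date: Mon, 16 Mar 2009 02:05:34 -0400
Subject: E-mail Account Maintainance

Dear E-mail Account User,

We have temporarily limited all access to sensitive account features,
in order to restore your account access, you need to reply to this
email immediately with your E-mail account Account name:(___________)
and TCS Password:(___________)

Your failure to provide your e-mail account login details will lead to
a temporarily disabled of your e-mail account or we will immediately
deactivate your e-mail account from our database.
"""

# Constructed benign message (assumed sender) for comparison.
LEGIT = """\
From: "Pi Office" <office@wap.org>
To: member@wap.org
Subject: Mailbox quota raised

Your mailbox quota has been raised. No action is needed on your part.
"""

CREDENTIAL_WORDS = re.compile(r"\b(password|account name|user ?name|login details)\b", re.I)
PRESSURE_WORDS = re.compile(r"\b(immediately|deactivate|disabled?|suspend(ed)?|failure to)\b", re.I)


def in_org(domain, org_domain):
    """True if domain is org_domain itself or a subdomain of it."""
    return domain == org_domain or domain.endswith("." + org_domain)


def originating_ip(msg):
    """First public IP in the earliest Received: hop, or None if there is none.
    Received: headers are prepended by each relay, so the last one is the earliest."""
    for hop in reversed(msg.get_all("Received") or []):
        for token in re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", hop):
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:
                continue
            if ip.is_global:          # skips the private 192.168.x.x in the sample
                return str(ip)
    return None


def phishing_indicators(raw, org_domain):
    """Return human-readable red flags found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    org_domain = org_domain.lower()
    flags = []

    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    if display and from_domain and not in_org(from_domain, org_domain):
        flags.append(f'From says "{display}" but the address is under {from_domain}, not {org_domain}')

    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply.rpartition("@")[2].lower()
    if reply_domain and not in_org(reply_domain, org_domain):
        flags.append(f"Reply-To sends your answer to {reply_domain}, outside {org_domain}")

    if msg.get("To") is None:
        flags.append("No To: header, so nothing identifies you as the recipient")

    if msg.is_multipart():
        body = " ".join(p.get_payload(decode=True).decode("utf-8", "replace")
                        for p in msg.walk() if p.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()
    if CREDENTIAL_WORDS.search(body):
        flags.append("Body asks for an account name or password")
    if PRESSURE_WORDS.search(body):
        flags.append("Body threatens loss of service unless you act immediately")

    ip = originating_ip(msg)
    if ip:
        flags.append(f"Earliest Received: hop is {ip}; compare its whois with where {org_domain} mail should come from")
    return flags


if __name__ == "__main__":
    for name, raw in (("SAMPLE", SAMPLE), ("LEGIT", LEGIT)):
        print(name, "->", phishing_indicators(raw, "wap.org") or "no red flags")
```

Spelling and grammar, the first item on the quoted checklist, are deliberately left to the human reader: a misspelling list is easy to evade and produces noise, while the header and credential checks above are cheap and rarely wrong.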

Jon Thomason, our TCS systems architect extraordinaire, worked feverishly through the day. By late afternoon, he reported that the E-mails almost certainly originated in Nigeria and were dispensed by a mail server in Chile. He also said that "Other contact in the mail server suggests that this is being conducted through a bot net, since it involves IPs all over China, Vietnam and other places." Talk about a network! In any case, Jon's last sentence was reassuring: "[W]e've at least gotten the barn door shut ~4PM."

Fortunately, the vast majority of Pi members were unaffected by, and probably unaware of, the E-mail. Only a handful of Pi members actually got the malicious E-mail. Four members who got the E-mail were too trusting, and did indeed pass along their account name and password, but thanks to Jon the damage was minimal. As he reported on the TCS:

"To our knowledge, four Pi members responded to the scam. All four have now been contacted or are being contacted by telephone, their passwords reset.

The two who responded first, at 9:35 and 9:37 AM, were later impersonated in webmail sessions from a Nigerian IP address. The two who responded later, at 11:14 AM and 12:21 PM, are not found to have been impersonated at all.

The 9:35 responder's account was used for webmail logins from 213.185.118.232 at 11:12 AM and at 12:13 PM. Neither webmail session was used to send e-mail.

The 9:37 responder's account was used for webmail logins from that same IP, and was used to spam the outside world: one message to two recipients at 11:09 AM, six messages to 2, 2, 2, 2, 2 and 36 recipients at 11:34 AM, and finally one more message to 36 recipients this morning at 6:50 AM. Sorry about that one.

That Nigerian subnet has of course now been blocked at our perimeter firewall, and the four accounts' passwords reset. But our logs only tell us who bit on the scam if the reply went through our own server. Some of you ill-advisedly send your outgoing @wap.org mail through a Comcast or Verizon SMTP server, bypassing our own, so we might be overlooking some replies. But we know that this particular Nigerian IP address only logged in as those two members."

And a short while later, Jon added:

"In all, 16 successful solicitation messages made it through our anti-spam protections. (Many others did not.) This seemed to be done by hand, using relatively unskilled labor typing away at that stolen webmail account in Chile.

Those 16 messages made their way to 32 Pi e-mail addresses. Four of these were official Pi overhead addresses leading to individuals already on the list, so make that 28 members solicited.

As I mentioned earlier, four of those 28 members took the bait, two of their accounts were breached, and one was exploited to keep the big wheel turning.

I think I'll knock it off with the forensics for now, unless somebody reports a new outbreak. I think I've seen related activity in some thwarted attempts coming from a server in Romania, but until they get through to someone it's just more of the thousands of spamming attempts we deflect every day."

Overall, it looks like we dodged a bullet with this one!

Home Work

As a final note, when the action was winding down, Lawrence Charters checked in, saying: "Well, that's not cool. And despite all my articles."

Articles — what articles?

As it happens, Lawrence and others have written extensively on computer security, and the articles are all available on the Pi Web site. It might not hurt to review these writings, which can be found at:

http://www.wap.org/journal/security

You can pick from a host of articles to refresh your memory on what to do and not do. You and I know it is just a matter of time before we will again be asked for private information that could allow the "bad guys" into our personal Web space(s).

Let's be safe out there!