I am currently reading a read me from a recent .rar that I downloaded and extracted over at Tubnut (that is a pet name for  my virtual station that analyzes files.)  The one question in the read me that consistently catches my attention is —How can I get somebody to login to my phisher— The answer: “That’s for you to find out, use your mind. Probably the simplest way is Social Engineering and some phishing skill. Here is an example : hXXp://imgdevil.com/pfiles/11140/munged”

The one commonality between affiliate marketers and cyber-criminals is that they are both highly adept in the art of social engineering. Michigan.gov defines social engineering as “an approach to gain access to information, primarily through misrepresentation, and often relies on the trusting nature of most individuals.”

Most affiliate marketers remain in the gray area of social engineering.  They also hold a strong emphasis on scam-type marketing campaigns in order to promote traffic to their website, specifically for the purpose of financial gain.  In comparison, Cyber-criminals fully embark in blackhat social engineering techniques, developing fake “phishing” sites in order to gain access to financial accounts.

Today I found an affiliate marketer on Twitter who participates in both forms of social engineering.  Though his account is not listed in Twitter search, I assume that he is from Pakistan and that he only uses anonymous accounts/sites to post content.  I am not posting his information here at the Tekblog.  For the purpose of this post I will refer to the affiliate marketer/phisher as P-man. So lets now move on to disclose some of the findings from P-mans phishing .rar.

I was 100% amazed to not find a Twitter Phisher here!

The major points that P-man promotes is that a phisher must:

1- Find a web host that supports php
2- Have a plan in place to send victims to the Index page
3- Learn how to hide links in forums
4- Seek free hosting/free domains (all anonymous)
5- What email spamming service to use
6- The use of URL shortening services to hide the phish
7- Proxies

There are also text files in many of the phishing folders that direct you to other underground technology websites.  You will be instructed to register at these sites before you are allowed access.  I believe that these underground sites will also be looking at your IP, OS vulnerabilities, etc in order to asses your intentions in registering.  You can anticipate that there will be many sites that will also redirect you to set up a meeting in mIRC, regarding more complex phishing site configurations.

Paypal

While perusing the Paypal directory I noticed that there was a possible paypal phishing tutorial located at  the free domain of DaveDaDon.  His motto: Touch ME? Neva. His domain is now suspended…

Ironically Touch ME? Neva guy who goes by the online name of DAVEDADON,  had the balls last year to post at the Microsoft Fóruns do Visual Studio.  Perhaps ego rides a wild donkey too?

Freewebs

DAVEDADON also allegedly provided a Freewebs phishing tutorial at his now defunct site. This was the one and only folder in the .rar that included a WARNING.

This warning, apparently intended to pose as a disclaimer against holding DaveDaDon liable for anything that smacked of criminal intent:

DaveDaDon is not playing nice with his phishing students either!

P-man is anonymous…He uses Twitter and Facebook to push traffic back to an anonymous website.  P-man has myriad Pakistani friends.  P-man affiliates with phishers, may be phishing,  and emulates  viral marketing.

Online age: 13-21

Country: Pakistan

Twitter: 1007 followers (affiliate marketer, filtered from Twitter search)

Facebook: Fan page, 104 followers (most download links lead back to P-mans blog)

Until Next time — Stay safe online!

Majority of spam I have been receiving for the past two weeks:
From: software_innovations5@setuta.com
Canonical name: lice.powatih.com
Addresses:
38.103.164.130

Some of the URLs in these campaigns attempt to immediately download the file after a few redirects to other sites. The majority of software download sites have shifty or no company information and remain secretive about their identity. Most sites push affiliate programs with 65%+ earnings.

Today I will briefly examine Spyware Nuker
8,646,618 registered users as of 08/16/2009, 5:46:59pm PST
None of the IPs listed are in the SBL.

I received this email last week:

New Update to fix Windows File Errors [software_innovations5@setuta.com]

File Error Notification – Instructions To fix File Errors in your Registry:
Your PC may be suffering from serious file errors in your WINDOWS registry which may be the reason why your PC is running so slow, or crashing and freezing from time to time. Also, these can lead to major system problems and possible memory leaks.

Below are instructions that will enable you to Increase Your Computer’s Speed, Power, Stability and Reliability in just a few minutes.

Press below to launch the Diagnostics Test download for no cost at all:
This URL instantly attempts to load errornukerinstaller.exe

Spam Path

Email URL: setupa.com [IP: 75.127.82.10 Error: 302] redirects to flxclick.com. [IP: 209.124.80.94 Error: 302]
flxclick.com redirects to 123.fluxads.com. [IP: 207.67.0.17 Error: 301]
The cookie from 123.fluxads.com attempts to set domain to:
directtrack.com (Online marketing and tracking systems)

Final Destination:

Open download from: Resolving hxxp://www.nukerdownloads.com IP: 64.18.156.154

When you check out “about us” at hxxp://www.nuker.com/ you are directed to hxxp://www.trekblue.com/about/

I think we should also go after the affiliates of these spam campaigns and make them responsible for trying to profit at our expense!

1. Make the company liable for the spam actions of affiliates – they must monitor their affiliates closely.
2. Provide name, address, references, and a working phone number of affiliate for public preview if the affiliate is involved in found to be involved in a spam campaign.
3. Two weeks prior to an affiliate sending out an email campaign bundle, the affiliate must certify with their company and with the state regarding how each email address was obtained.
4. Create a BAB (Better Affiliate Bureau) to rate affiliates along with their company. This would also be a place to lodge complaints.
5. No redirecting or disguising URLs and all domains must be fully disclosed in a whois: lookup. If redirects are used (for click purposes) this must be disclosed in the footnotes of the originating email.

Spamhaus.org has an excellent write up about how we should be controlling affiliate spammers.

Until next time — Stay safe online!