Phish Site Of Mystery

The file at this URL...

http://0xd1130a9c/eBayISAPI.dll

...opens just fine as a fake eBay login page in Internet Explorer, but triggers a file download in Firefox.

It's not just because of the .dll suffix. EBayISAPI.dll actually is the name of the eBay login page. You normally see it followed by a question mark and then miles of login cruft, without which it redirects to a you-screwed-up page. I don't know exactly how this copy of it is broken, but it clearly is, in Firefox at least.

(The obfuscated URL is, by the way, actually http://209.19.10.156/eBayISAPI.dll. I've received many copies of this phish, though, and they probably use lots of different servers; it's just that I've only now bothered to look at one in more detail.)
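Browsers accept an IPv4 host written as a single hex, decimal or octal number, or as a mix of such dotted parts, which is how 0xd1130a9c turns into 209.19.10.156. The decoder below is an added example, not code from the original post; it follows the usual browser parsing rules (up to four dot-separated parts, 0x for hex, a leading zero for octal, the last part filling the remaining bytes) and flags any URL whose host is numeric but not a plain dotted quad.

```python
import ipaddress
from urllib.parse import urlsplit


def _parse_part(part):
    """Parse one dot-separated host label the way browsers do: 0x hex, leading-0 octal, else decimal."""
    low = part.lower()
    if low.startswith("0x"):
        return int(low[2:], 16) if len(low) > 2 else 0
    if len(part) > 1 and part.startswith("0"):
        return int(part, 8)
    return int(part, 10)


def decode_numeric_host(host):
    """Return the dotted-quad form of a numeric host, or None if the host is not numeric IPv4."""
    parts = host.split(".")
    if parts and parts[-1] == "":  # tolerate a trailing dot
        parts.pop()
    if not parts or len(parts) > 4:
        return None
    try:
        nums = [_parse_part(p) for p in parts]
    except ValueError:  # a non-numeric label, e.g. "ebay" in "www.ebay.com"
        return None
    # Every part but the last is one byte; the last part fills the remaining bytes.
    if any(n > 255 for n in nums[:-1]) or nums[-1] >= 256 ** (5 - len(nums)):
        return None
    value = 0
    for n in nums[:-1]:
        value = (value << 8) | n
    value = (value << (8 * (5 - len(nums)))) | nums[-1]
    return str(ipaddress.IPv4Address(value))


def inspect_url(url):
    """Describe a URL's host: literal form, decoded IPv4 form (if numeric) and whether it was disguised."""
    host = urlsplit(url).hostname or ""
    decoded = decode_numeric_host(host)
    return {
        "host": host,
        "resolved": decoded,
        "obfuscated": decoded is not None and decoded != host,
    }


if __name__ == "__main__":
    # Constructed inputs: the phish URL from the post plus other spellings of the same address.
    for u in ("http://0xd1130a9c/eBayISAPI.dll", "http://3507686044/", "http://0321.023.012.0234/",
              "http://209.19.10.156/", "http://www.ebay.com/"):
        print(u, "->", inspect_url(u))
```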

I suppose it's possible that the broken Firefox behaviour is by design, to constrain this phish's audience to the drooling masses in the IE world. The integrated Google Safe Browsing phish indicator in Firefox 2 works fine with this URL, but you have to manually cut the URL out of the phish e-mail and paste it into the Safe Browsing submit box if you want to submit it. Enough people have bothered to do that that the site does indeed have the ominous darkened look that Firefox gives suspected fakes, if you manage to trick it into loading. But Firefox users normally never get to see it - they just go straight to the confusing (and, at least, harmless) download box.

If you're using a browser that's quirk-friendly enough that it recognises that this file is renderable HTML (it's the usual code cut-and-pasted from eBay's real login page, with strategic edits), you get the fake login form, which submits (in this case at least) to http://members.lycos.co.uk/ineedmoney2/dukyy.php. That, at the moment, seems to redirect to another, already-shut-down, phish page.

You'd really think that ISPs would have some basic search bots scanning their hosted sites for pages called eBayISAPI-dot-anything, or titled "Sign In" or "BankName Internet Banking". There really can't be that many of those pages, and it'd be simplicity itself to set up an arrangement that lets a human scan through fifty of them a minute, see which ones look like phish pages, and disable the accounts that're hosting said pages.
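A minimal version of the hosting-side sweep proposed above, as an added example and not anything the post or any ISP actually runs: it walks a constructed set of hosted pages (assumed host name customer-site.example, HTML made up for the example), flags paths that mimic eBayISAPI.*, titles like "Sign In" or "... Internet Banking", and password forms that post to a different host (the way the lycos.co.uk collector does), and orders the hits into a queue a human can eyeball.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of one hosting account's files (path -> HTML); none of these are real pages.
SAMPLE_PAGES = {
    "/eBayISAPI.dll": '<html><head><title>Welcome to eBay</title></head><body>'
                      '<form action="http://members.example.net/drop/collect.php" method="post">'
                      '<input name="userid"><input type="password" name="pass"></form></body></html>',
    "/bank/login.html": '<html><title>BankName Internet Banking</title>'
                        '<form action="/login"><input type="password" name="pin"></form></html>',
    "/index.html": "<html><title>Bob's Macadamia Farm</title><p>Welcome to our farm.</p></html>",
    "/contact.php": '<html><title>Sign In</title><form action="contact.php"><input name="q"></form></html>',
}

SUSPECT_PATH = re.compile(r"(?i)(^|/)ebayisapi\.[a-z0-9]+$")
SUSPECT_TITLE = re.compile(r"(?i)\b(sign in|internet banking)\b")
TITLE_RE = re.compile(r"<title>(.*?)</title>", re.I | re.S)
PASSWORD_RE = re.compile(r"<input[^>]*type\s*=\s*['\"]?password", re.I)
ACTION_RE = re.compile(r"action\s*=\s*['\"]([^'\"]+)['\"]", re.I)


def reasons_for(host, path, html):
    """Return the list of reasons a hosted page deserves a human look (empty if none)."""
    reasons = []
    if SUSPECT_PATH.search(path):
        reasons.append("path mimics eBayISAPI")
    title = TITLE_RE.search(html)
    if title and SUSPECT_TITLE.search(title.group(1)):
        reasons.append("title %r" % title.group(1).strip())
    if PASSWORD_RE.search(html):
        # A login form whose action leaves the hosting account is the classic phish-kit shape.
        for action in ACTION_RE.findall(html):
            target = urlsplit(action).hostname
            if target and target.lower() != host.lower():
                reasons.append("password form posts off-host to " + target)
    return reasons


def scan_site(host, pages):
    """Map each flagged path to its reasons; pages with no reasons are dropped."""
    flagged = {}
    for path, html in pages.items():
        reasons = reasons_for(host, path, html)
        if reasons:
            flagged[path] = reasons
    return flagged


def review_queue(host, pages):
    """Order flagged pages so the ones with the most signals are seen first."""
    flagged = scan_site(host, pages)
    return sorted(flagged, key=lambda p: (-len(flagged[p]), p))


if __name__ == "__main__":
    hits = scan_site("customer-site.example", SAMPLE_PAGES)
    for path in review_queue("customer-site.example", SAMPLE_PAGES):
        print(path, "->", "; ".join(hits[path]))
```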

(I dare say quite a few phishes are hosted on actual discrete privately owned servers sitting in the corner of a business office. But most of them are on servers that can be cut off by a hosting company.)

Perhaps some hosts are doing that already, but it's clear that most aren't. Because, of course, it'd cost money. Most phish pages are hosted on unsuspecting servers whose administrators left security holes open, and nobody wants their hosting cut off just because some miscreant happened to host a fake Amazon login page on their server for a while. That's the kind of thing that might cause the hosts to lose customers.

So, instead, we get the current situation, where the phish pages get to hang around for at least a day or two as the ISPs receive complaints and/or notice their IPs on phish lists, then tell the unwitting phish-hosting customer, then go back and forth for a while figuring out who has to fix the problem and how.

In the meantime, people get robbed.

As Bruce Schneier's pointed out so many times (talking about software, but hosting companies are in the software business too), the way to make businesses implement security is to force them to do it, financially. If they're not liable, if it doesn't cost more to be insecure than it costs to be secure, they'll stay insecure, no matter how many other people's lives are ruined by their unconcern.

You wouldn't get far by suing HostyPlace for the security misdeeds of its clients. But if you started suing the clients, they'd probably share the joy.

Posted in Scams, Spam. 8 Comments »

E-I-E-I-O

Today, I received in quick succession three boilerplate letters from one "Tim Kelly", who's proud to be in charge of the various link farms at you-name-it.clickdirectory.info.

He thought, all three times, that one or another page of dansdata.com was "fantastic", and would perfectly suit the content of three of his subdomains, and he'd already linked to me, and I could add my site to his invaluable directories at this page here, blah blah.

Even the more focussed sub-pages of clickdirectory.info contain, of course, a spray of links which struggle to even be relevant to each other. They are, as is normal for link farms, never even a tenth as useful to anybody as would be the first page of results of a Google search for the term in question.

Link farms are not just useless Web pages and sources of spam. If you actually fall for one of these e-mails and swap links with a farm, Google is quite likely to reduce your site's PageRank. Yes, link farms often manage to scrape together a bit of PageRank - but Google hate them.

It's perfectly safe to be linked to by a link farm, but if you link back to them you're declaring yourself to be part of the scam.

The tell-tale string

I hate to tell you this, but the international money transfer tax for legal entities (companies) versus individuals in $SCAMCOUNTRY is not, in fact, (a) what they say it is or (b) a path to rapid riches.

(My own copy of this scam came, today, from someone who mistakenly thought I was in the USA and might be interested in an Australian-flavoured version. The nonexistent company was alleged to be in the macadamia nut business.)

Sometimes these scammers do the mail merge wrong and insert their company name where the spurious country name's meant to go, which makes things especially entertaining.

This is another permutation of the situation in which one scam might work, but many near-identical attempts are more likely to fail.

Of course, the target market for these scammers is people who don't think to Google a sentence of what they've been sent. So what we could actually be seeing here is a sieve to filter out the people who wouldn't follow through with this foolishness anyway.

Posted in Scams, Spam. 1 Comment »

Here we go again

Today's stock-spam, which may well be more from SpamThru, is all promoting Cana Petroleum (CNPM).

As usual, the spam comes from randomname@randomdomain, but the subject line for every single one of 'em is now "It's [name] :)".

Thus far, I have received these messages from "Alberto", "Bernadette", "Bradly", "Donnie", "Elbert", "Erich", "Erin", "Floyd", "Fred", "Freddie", "Isidro", "Kent", "Lesley", "Lester", "Marty", "Maryanne", "Natasha", "Patrica", "Rita", "Santos", "Tom" and "Wilmer". They're still coming in as I write this.

(I wonder what name list they're using?)

As I've mentioned before, scams like this only work if your marks receive only one message. If they get dozens of similar but different ones, they're likely to think it's just a little fishy.

I suspect this may be happening because SpamThru (or whatever other system is sending this) is unable to coordinate its behaviour enough to make sure that only one zombie sends a given message to a given address.

Dueling spam-germs

The stock spam I mentioned here and here comes, it turns out, from a botnet created by the rather interesting "SpamThru" trojan, which is equipped with a stolen chunk of antivirus code that's meant to get rid of competing malware on the victims' computers.

So different pieces of malware are now fighting over computers. I think this isn't necessarily a bad thing. It's possible that we'll end up with waves of well-engineered malware sweeping over the world's unsecured computers doing Bad Thing A one week and Bad Thing B the next, of course; the only solution is proper security from the top down, but you can forget about Microsoft making that happen in the Wintel world at any point in the near future.

But it's also possible that whatever malware manages to compete best in any given week will be less harmful - to the unsecured computer, and to the rest of the world - than whatever it replaces.

Since malware writers are usually crappy programmers, it is eminently possible that we'll see a significant amount of malware that successfully kills previous infestations, but then does nothing much at all.

Also awaiting Humperdinck Q. Watermelon

Today, I have received spams promoting the "Vega Stock Forecast" from "Chambermaids F. Physicking", "Prearranging J. Jazzing", "Disgraces H. Hindrances" and "Commemorate T. Schick". Regrettably, however, "Zest E. Scrotum" has not yet deigned to contact me.

(If you actually follow any of the links from the spams I got or the one archived there, though, you end up on a site that's trying to sell you Viagra, not Vega. These people need to get their stories straight.)

Today's link-exchange spams

I remember when Lycos was the Web search engine of choice. I remember Excite, Infoseek, Inktomi, Northern Light and AltaVista. And I remember that none of those early search engines were terribly good, and the total page count on the Web wasn't that huge back then. And so people's "Links" pages were of real value when you wanted to find interesting and/or useful stuff on the Web.

Today, of course, nearly all of the Web's Links pages are just Google PageRank scams, promoted by unsolicited e-mail. They do a search for keywords, they find contact addresses for the (usually hilariously irrelevant) pages they find, they send off link-exchange spam.

I get a lot of that stuff.

Today, in quick succession, the following two showed up.

First, the less funny one:

From: Rodney Thomas
Subject: Can We Exchange Links!!!
Date: Mon, 6 Nov 2006 1:59:21 -0500

Hello, My name is Rodney Thomas. I have visited your site http://www.dansdata.com/personal/quacks2.htm and found it to be a great resource for our visitors. I would like to add a link to your website, to our. Would this be possible? If so, please add our link to your website and tell us the location you have added our link. I hope to hear from you very soon!!!

P.S. If you would like to view our site click here: http://www.dontforgettotakeyourvitamins.com/[his affiliate number]

Thanks

Wow, "The Greatest Vitamin In The World"?! How could I lose?

Oh, that's right, because it's a great big scam, that's how.

The FDA's only warned them to knock it off twice, though (direct PDF links: here and here), so I suppose The Greatest Vitamin is actually quite a good product, by multi-level-marketed-dietary-supplement standards. You'd still think they'd spend five seconds to see whether the content of the page that tripped their auto-spam software suggested that they were about to e-mail someone who would in return publicise them, specifically, Rodney Thomas, Greatest Vitamin affiliate #1523, as an assistant in a well-known and despicable scam who deserves to contract an ironic disease.

On to the funny one:

From: Deck Tiles Wholesale
Subject: Reciprocal Link Exchange Request
Date: Mon, 6 Nov 2006 00:51:33 -0500 (EST)

Dear owner of http://www.dansdata.com/deck.htm [a review of a keyboard]

I'm the webmaster of http://www.decktiles.org [not about keyboards].

We came across your site on the Internet and feel that it would fit
perfectly into our collection of quality software-related links at
http://www.decktiles.org.

The Google PR of this site is currently .

We've already placed a link to your web site along with a description
at our site on the http://www.decktiles.org/links-exterior-flooring5.html page,
which we encourage you to check for accuracy.

We'd appreciate it if you place a link back to our site using the
following HTML code (just copy and paste it into your links page):

[blah blah blah]

If you'd like the description of your site modified, the category
changed, or if you have any other cross-promotion ideas, feel free to
email us.

Please note that if you don't place a reciprocal link to us somewhere
on your site within a week, the link to your site will automatically
be removed from our directory. Please link to us using the code above,
and let us know where we can find the link.

Best regards,
Deck Tiles Wholesale
vifahwholesale@gmail.com

This is NOT SPAM -- this is a one-time reciprocal link request. We
have NO INTENTION to email you again. You can also reply to this email
with REMOVE in the subject line to make sure we'll NEVER send you any
more e-mails in the future.

-----------------------------------
Powered with LinkAssistant SEO Tool
http://www.link-assistant.com/
-----------------------------------

So much fun to be had, here.

Start with the fact that this doofus has made the standard link-exchange relevance error, which you can see in full flight on the page on which he so proudly put my link. I share real estate there with cruise-liner deck plans, the observation deck on Seattle's Smith Tower, tarot decks, fans of the Tampa Bay Buccaneers (Why? Look at their URL!), little toy skateboards... and one site that's actually about the same kind of deck which actually interests this twerp.

I suppose he's annoyed all of those people, and all of the others on the link pages before and after, with similar e-mails. Which are a one time mailing, and you can also opt out of receiving more (kettle logic!).

If you run a perfectly legitimate business, and some slick salesman or consultant has come along and promised you $$$ if you buy some Search Engine Optimisation package that's supposed to make you the number 1 Google hit for most of the words in the dictionary, please send said carpetbagger on his way, or you're going to end up doing this sort of thing too.

I don't know whether this ham-fisted mess of an e-mail is actually a fair indication of the quality of the "LinkAssistant" software, by the way. LinkAssistant is billed as "The Most Effective SEO Tool", which I suspect to be an overstatement, but the particular awfulness of this message is probably a Garbage In, Garbage Out situation. Apart from failing to vet the list of people LinkAssistant was about to spam on his behalf (I presume it allows you to do that...), this schmuck has used the default settings and a standard form letter, but failed to fill in the little box for the Google PageRank of his site (currently a magnificent zero... maybe that's why there's a blank there), or to select something other than "Software" from the Category menu, because that's not the business he's in.

Oh, and he hasn't even bothered to make a link from his front page to his oh-so-terrific links pages, thereby ensuring that the only people who'll ever see them are people he's just spammed about them. Slick.

It's just barely possible that link-exchange schemes can actually provide some benefit to site owners, even in this modern age of, y'know, search engines that work.

But if you assume a piece of "only $149.95!" software can mystically discern, all by itself, how the "deck" you sell differs from every other "deck" in the world, then the result is going to make you look like a bit of a deck.

Posted in Scams, Spam. 2 Comments »

He never replied

From: "John M. Lantier"
To: "Dan Brisebois"
Subject: Dan, are you available 11/13?
Date: Wed, 18 Oct 2006 05:55:28 -0700

Dan, hope you are well. Because of your key position, I would like you to
join us at the Boston Leaders Forum. It will be Nov. 13 at the Boston
Harbor Hotel. Details are at www.bostonleaders.org

Speakers and honorees include the CEOs of Iron Mountain, iRobot and
Benchmark. Many of Boston's top executives will be attending. This year
we also welcome a former Top Gun pilot and one of America's top experts
on leadership who will be discussing visionary ideas on developing your
team and strategy.

The meeting will be held from 9 to 4, with lunch included, and we
encourage you to invite other managers. We expect to be completely
booked, so please take a moment to view the details on the site now.
Thanks and we hope to see you there.

Regards,
John Lantier
Boston Leaders Summit
31 St. James Ave., Suite 1
Reply if you wish no further emails
Boston, MA 02116
www.bostonleaders.org

My reply:

Wow, that's great! I'm so glad that the fact that I've lived my entire life seventeen thousand kilometres away from Boston has in no way affected your appreciation of my "key position"!

I'll be needing at least a Business Class ticket, of course, and a suite at some unpretentious four star place for the week will be fine.

Wire me the money, and I'll be happy to see you at what I'm sure will be a convention every bit as well organised as your mailing list.

No reply yet. Darn.

I don't know who the "Dan Brisebois" that John meant to send this to is. Maybe a Canadian music critic, but I hope that Dan will forgive this Dan for saying that he doesn't really sound like a "Leaders Forum" (or is it "Leaders Summit"? And shouldn't there be an apostrophe somewhere?) kind of dude, either.

Of course, he actually is. Anybody with enough money for a ticket is. The actual reason for the existence of these sorts of shindigs is the same one that explains the plethora of off-brand Who's Who books; people like to be flattered, and will give you money if you make them feel important.

Invite people to a conference where a fighter pilot will make them feel manly and "leadership experts" will make them feel all pumped up and energised and, with any luck, they'll come back next year. Especially if they're executive drones who can con their company into expensing the whole thing as invaluable training.