Dispatches From The Front Lines ...
The Mother of All IRS Refund Scams (Posted on July 24, 2008 at 08:39 AM)

Phishing messages hiding in Internal Revenue Service clothing are nothing new (see here [2006] and here [2008]), so I barely gave one that arrived today much thought at first:

[Image: IRS refund phishing email message]

After verifying that the destination of the link (to a free web hosting service) wasn't going to blow up my computer, I checked out the page in a web browser to see how this crook was going to try to pry personal identity info from visitors. In the past, IRS phishing scams have aimed at Social Security numbers (the primary way the IRS distinguishes one private citizen from another) and credit card data (where the refunds are supposedly to be credited—what a joke!).

The destination page, however, was not something I had seen before:

[Image: Phony IRS refund web page]

This one doesn't ask for any personal ID info on the landing page. Instead it presents a popup list of banks from which to choose where you want your refund posted (like the IRS offers for regular tax refunds):

[Image: Popup list of banks]

When you click the Submit button, you are presented with a facsimile of the chosen bank's online banking login page, like this one:

[Image: Phony bank login page]

Yes, friends, this guy had set up bogus login pages for every one of the banks in the list. In other words, by way of a single style of phishing message from an organization that would get every U.S. citizen's attention, this crook has found a way to phish for fourteen financial institutions! No more confusion for recipients who are, say, Bank of America customers but who receive a phishing message about Washington Mutual. One scam fits (nearly) all!

So, this really isn't an IRS scam. It's a Massively Multibank Online Phish, or MMOP for short.

To freehostia.com's credit, the entire site was taken down within a couple hours of my phishing message having been sent. A lot of work went into creating all that content—I mean, this guy had to rip off login screens from 14 bank web sites—so I fully expect the full package to resurrect itself elsewhere in the future. It seems that to Ben Franklin's precious list, "death and taxes," we must add "scammers."

The Amero? (Posted on July 22, 2008 at 08:34 AM)

Storm-like malware lures are flowing now with subjects and message bodies referring to an imaginary currency to replace the (sagging) U.S. Dollar, Canadian Dollar, and Mexican Peso. They call it the Amero (get it, an American Euro?).

The landing page has a picture of a supposed 20 Amero coin:

[Image: Fake 20 Amero coin art]

You have to admit that these crooks sometimes go to a fair amount of effort to make their clickable lures appealing to the unwary.

In addition to telling visitors to click on the false site image to download amero.exe, the page also includes a hidden iframe element, which loads the same obfuscated JavaScript (via ind.php) discussed here.

These guys keep pushing the Outrageous meter into the red zone with their email messages and phony sites (case in point, one that just arrived—Subject: Police open fire on elderly in Iowa). Pretty soon, you won't be able to believe anything that arrives in an unsolicited email. Heh heh.

Empty Medz (Posted on July 18, 2008 at 09:16 AM)

I love it when a spammer screws up such that any spam that gets through filters is bereft of meaningful content—there is no action that the user can take to benefit the spammer. It means that the spammer has expended something of value that is guaranteed to generate zero return.

<glee>Woo hoo!</glee>

Such has been the case over the past several weeks. A rather persistent medz spammer continues to spew empty messages with forged From: addresses mentioning well-known drug companies:

From: Pfizer Plans
From: Pfizer Market
From: Pfizer Promotions
From: Pfizer Discount
From: Pfizer Ltd.
From: Lilly Notice
From: Lilly Online
From: Lilly Group
From: Lilly Value

Most of the Subject: lines suggest that the message is about an order renewal. Of course there was never any original order to renew, but he hopes that mention of a renewal will get recipients to open the message.

Something in either the spam-sending bots or the way he's commanding them is truncating each message partway through the email header, so the body (and with it anything a recipient could click on) never arrives.

<sarcasm>Boo hoo!</sarcasm>

Phisher Sniffing Out Moola (Posted on July 17, 2008 at 09:35 AM)

I hadn't even heard of Digital Insight until I started getting a series of phishing emails like the following:

From: account-updates@digitalinsight.com
Subject: Read carefully - Important Notification

Dear Administrator,

We inform you that your account is about to expire. It is strongly recommended to update it immediately. Update form is located here <http://digitalinsight.ebanking-[removed].com/onlineserv/CM/> . However, failure to confirm your records may result in account suspension.

Confidential: Please be advised that the information contained in this email message, including all attached documents or files, is privileged and confidential and is intended only for the use of the individual or individuals addressed. Any other use, dissemination, distribution or copying of this communication is strictly prohibited. This is the automated message. Please don't reply.

From what I can gather at the legitimate web site for the company, it provides software and services to financial institutions so that those institutions can offer online banking. In other words, the customers aren't consumers, but financial institutions. The company claims to have nearly 1800 customers, almost all of which must have at least a modicum of interest in online security.

Thus, it seems odd to me for a phisher to try to spew phishing spam willy-nilly in the hopes of finding not only one of the 1800 customers, but to also find one who is gullible enough to fall for a phishing message. On the other hand, I've received phishing emails for tiny regional banks in the past, so this isn't completely out of the ordinary.

Perhaps the phisher is under the impression that because Digital Insight is an Intuit company that the login credentials might also work at an Intuit account. Kind of a stretch to me, but then I'm not a crook (jowls wobbling Nixonesquely).

The links for the several phishing messages I've seen lead to freshly minted domains whose (gotta be bogus) whois records list a variety of Russian and neighboring country addresses. The phisher is also having a helluva time getting the sites to work, or work for long. But he's still trying.

It reminds me of a story that Dr. Murray Banks, a comedian-psychiatrist, used to tell about a child who was unstintingly optimistic. When his parents gave him a box of horse dung as a Christmas present, he dove headlong into the contents and clawed his way through the muck, yelling, "You can't fool me...I know there's a pony in here somewhere!"

Spammer Makes a Funny (Posted on July 17, 2008 at 09:14 AM)

I don't know if the following Subject: line for an ED medz spam was a slip of English translation or intentional:

Improve your organism state.

At least he didn't make any references to a microorgan-ism.

Another Day, Another Load [Updated 2] (Posted on July 14, 2008 at 07:13 PM)

I've been busy today away from the spam world, but I just wanted to comment briefly on a couple of items I saw in circulation.

The first is a modern variation on the 419 advance-fee scam. Instead of some prince bequeathing millions to me because he died in a car accident while on vacation without a will or living heirs (sheesh), this is a short and sweet invitation to the gullible and greedy:

From: <david@[removed].com>
Subject: ATM CARD

This is to officially inform you that ATM Card with a fund worth $6.8 Million Dollars has been accredited in your favor, Please Contact Mrs. Linda Hill (lindhill@[removed].net) With the following,

Full Name:
Delivery Address:
Age:
Occupation:
Phone Number:
Country:

Best Regards.
Senator David Mark

Needless to say, the email address of my supposed contact person is at a free email hosting service. And a Google search of "Senator David Mark" shows it to be a longtime email scam name for a variety of 419 and other "offers."

Too bad. I could use $6.8 mill about now. What I'd really like to do is take that card and try to empty it in one visit...and watch the ATM implode.

Second, and more bizarre is the following:

Subject: Cheap fuel available in Texas

Magic Johnson dies of AIDS at 49
http://[removed].ru/main.html

Aside from the disconnect between Subject: and body, the message displays a level of cruelty that is downright sick. The destination Russian web site uses no fewer than three ways to try to download view.exe:

  1. Through a clickable link on the page surrounding an image (only) of a YouTube knock-off video player (complete with added animated .gif spinner and words encouraging you to click to play the video).
  2. An automatic <META> refresh tag.
  3. A hidden iframe that loads and runs a JavaScript script to exploit old Internet Explorer vulnerabilities as a way to download and then run the file.
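All three delivery tricks in that list are mechanical enough to flag automatically when you are triaging a suspicious landing page offline. The following Python script is an added example written for this page, not code from the original post; the HTML it scans is a constructed stand-in for the page described (the file names view.exe and ind.php come from the posts above, everything else, including the player.gif image name, is assumed). It also covers the hidden-iframe-to-ind.php trick from the Amero post above.

```python
"""Flag the three executable-delivery tricks used by the lure pages in this post:
a clickable link straight to an .exe, a <meta> refresh that redirects to an .exe,
and a hidden <iframe> that pulls in a second-stage script.
Added example for this page; the sample HTML below is constructed, not captured."""
import re
from html.parser import HTMLParser

# File extensions Windows will execute directly when downloaded and opened.
EXE_RE = re.compile(r"\.(exe|scr|com|bat|pif)(\?|#|$)", re.IGNORECASE)
# The URL inside a refresh directive: "5; url=view.exe"
META_URL_RE = re.compile(r"url\s*=\s*['\"]?([^'\"\s]+)", re.IGNORECASE)


class DeliveryScanner(HTMLParser):
    """Collects (finding, target) tuples in document order."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}   # HTMLParser lowercases names already
        if tag == "a" and EXE_RE.search(a.get("href", "")):
            self.findings.append(("link_to_executable", a["href"]))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_URL_RE.search(a.get("content", ""))
            target = m.group(1) if m else a.get("content", "")
            if EXE_RE.search(target):
                self.findings.append(("meta_refresh_to_executable", target))
        elif tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            hidden = (
                a.get("width", "").strip() in ("0", "1")
                or a.get("height", "").strip() in ("0", "1")
                or "display:none" in style
                or "visibility:hidden" in style
            )
            if hidden:
                self.findings.append(("hidden_iframe", a.get("src", "")))


def scan(html):
    """Return the list of suspicious delivery mechanisms found in an HTML document."""
    p = DeliveryScanner()
    p.feed(html)
    p.close()
    return p.findings


# Constructed stand-in for the lure page: the posts name view.exe and ind.php,
# the image name and the refresh delay are assumptions.
SAMPLE_PAGE = """<html><head>
<meta http-equiv="refresh" content="5; url=view.exe">
</head><body>
<a href="view.exe"><img src="player.gif" alt="play video"></a>
<iframe src="ind.php" width="0" height="0" style="visibility:hidden"></iframe>
<a href="/about.html">about</a>
</body></html>"""

if __name__ == "__main__":
    for finding, target in scan(SAMPLE_PAGE):
        print(f"{finding}: {target}")
```

Run stand-alone it reports the meta refresh, the link and the hidden iframe, in that order. Note that the hidden-iframe check is a heuristic: plenty of legitimate pages carry zero-size iframes for analytics, so treat that finding as a reason to fetch and read the iframe's script (which is where the obfuscated exploit code lived in these campaigns), not as a verdict by itself.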

Obviously, the execution of this campaign is rather slapdash—not something usually associated with the Storm business. The scripting isn't anything interesting, and the view.exe file is already recognized by over 70% of the antivirus engines on VirusTotal. Even so, those who might fall for this sick gag would be least likely to have up-to-date PCs—or know to check with real news sites.

Well, back to the grindstone to see if I can ever catch up on my behind.

UPDATE (14Jul2008/11:00PDT): The second item above has some company. Not as sick content-wise, but perhaps even more alluring to the unaware:

Subject: New Star Wars movie to be released

Your friends have requested you to join them online
http://[removed].org/main.html

Same malware loading scheme as above. I suppose we'll see a ton of unrelated variations on the theme. The only thing that the email messages have in common is the URL to a page named main.html.

UPDATE (16Jul2008/09:25PDT): The campaign continues, with additional disconnects between Subject: line and message body, probably just selected at random from lists inside the bot's spamming program. Things like:

Subject: Rat poison found in bottled waters

Our boss just screwed her real good
http://www.[removed].com.br/about.html

The destination URL for this one now ends in about.html. The page itself tries to load watch.exe via the same three methods described above. On the other hand, the crook has now attempted to obfuscate the JavaScript delivered to the hidden iframe. He managed to find a huge obfuscation library, and uses 400 lines of JavaScript code ultimately to generate a very simple script—the same one described above that exploits old Internet Explorer vulnerabilities on woefully unpatched PCs.

It's Tough to Be Opaque on a Transparent Internet (Posted on July 12, 2008 at 02:27 PM)

Several days ago, I posted about someone apparently trying to hack into my Apple ID account. Today there was a more directed attack, as I received a notice from Apple (yes, a real, unphishy notice) that someone had made too many invalid attempts to answer my account's security questions.

Security questions come in all shapes and sizes. Typically, they ask you to enter your favorite this or that. On the one hand, you want to choose questions that have answers you'll remember three years from now; on the other hand, you don't want to supply answers that everyone on the planet knows. For instance, Charlie Brown might be tempted to select the "favorite pet's name" question because he'll know to answer "Snoopy" even when approaching senility. But everyone on his block also knows that answer because it's something widely known—including to a worldwide audience who reads the cartoon strip (blog precursor). Charlie must either choose a different security question, concoct a memorable (but undiscoverable) system for weaving numbers into the letters of the name, or intentionally submit a radically different name to throw off the thieves. Snoopy's relatives aren't candidates because they, too, are known and would be guessed by crooks.

With so many social networking and personal web sites on the Internet these days, it's all too easy for trusting souls to reveal everything they like—their favorites, their coolest vacations, their house paint colors—to try to hook up with like-minded people. Unfortunately, it can be dangerous to use this kind of public information to try to secure something as valuable as your various internet accounts.

And to the clown who's trying to get into my Apple ID account, I repeat that my web site writings, books, and Usenet postings dating back to the Stone Age offer no clues to my secret questions and the strings of characters used for answers. Allow me to offer you the words of Bender Bending Rodríguez: Bite my shiny metal ass!