Dispatches From The Front Lines ...
OMG! A Spammer Lied!
Posted on September 06, 2008 at 10:41 AM

A penis pill purveyor has been sending out messages that have two short sentences of clearly visible text, all of which is a clickable link. That text reads:

Your IT department has been paid to allow us to send you these mails. Check out the results

The messages also include light grey hash-busting text in the hope of bypassing whatever spam filtering "your IT department" has installed to keep this type of crap out of your inbox.

I wasn't born yesterday, but the domain for the link was. In a double joke, the registrant used a domain registration service that doesn't reveal any information about the registrant beyond his name: SUNMM in this case. As if spammers use real info in their domain tasting scams!

No one reading this blog, of course, would believe for an instant that this spammer had greased the palms of the IT department to get past the barricades. But it wouldn't surprise me to find non-techie employees at decent-sized companies taking this at face value. They either fear or dislike the IT department. In the first case, they obey anything that has an "IT" stamp on it—fake or real—and will immediately click the link; in the second case, they'll get angry that those nerds in the IT department are getting rich off spammers, and will check out the link to see what the pitch is all about. If the spammer—the one doing the mailing, not necessarily the one selling the pills—gets paid for hits on the spamvertised web site, he wins. He now has verifiable statistics that his botnet emailing system works (delivering suckers potential customers), meaning he can pitch it to other sellers.

Many of these messages naturally arrive at servers like mine, where I am the IT department. If only they'd offer me some coin to spam me. I could use the dough, and I have Dave Null's inbox ready to receive in large quantities.

Malware Spam for a September Morn
Posted on September 01, 2008 at 09:45 AM

Ah, it's a new month, and here in the U.S., we have the Labor Day holiday. Except for those whose holiday is being stolen by the Gustav hurricane, there will be lots of picnics, ball games, and end-of-summer parties. In the meantime, your email inbox is filling up with the usual crappage.

On the malware lure front, a long-running e-card scam is continuing, as the perps take over additional web sites to host their downloadable deliveries. New this morning are a couple of strange malware lure samples whose Subject: lines drop the names of—ta-da—Obama and McCain. The actual Subject: lines I've seen don't make much sense, but what else is new?

  • Obama Announces for President -- In Hit Show '24'
  • McCain, Obama: Cosmo Cover Also Tasteless, Offensive
  • Obama Promises Change for a Nation, Change For a Twenty

The messages encourage you to follow a link to a hijacked web site, where the crooks have inserted a page named index98.html. A visit to the page automatically downloads video98.exe (for which VirusTotal shows a very high recognition rate). Whether or not the auto-download works, a visitor to the page (why are you doing that?) sees the following:

[Image: Malware site prompt to download video codec]

What looks like a dialog box is actually an absolute-positioned div element—a Dynamic HTML technique used by some to create content that is draggable around the browser window. Unlike a real dialog box, however, if you try to drag this one beyond the edge of the browser window, it is clipped by the browser window. In the meantime, the image of the video viewer—and that's all it is: an image—is an animated .gif image with the spinner spinning away, as if the player is "tapping its foot" waiting for the visitor to act.

What strikes me most about this page, however, is the choice of page title, which appears in the browser window's titlebar. It's either a leftover from some other campaign, or it's the final "grabber" to encourage visitors to download that malware loader...I mean, video codec.

But the email messages were about politics. As if politics and porn are somehow related....

E-Profiteers Ready for Disaster
Posted on August 31, 2008 at 10:33 AM

The good folks at the SANS Internet Storm Center have reported (here and here) that domain names containing the string "gustav" are being gobbled up in anticipation of Hurricane Gustav coming ashore along the Gulf coast. A lot of these domain names blend "gustav" with words like "relief," "charity," and "donation."

It's possible that some of this domain name parking is being done by individuals or organizations who will set up legitimate web sites if this storm does a Katrina-esque number on the same region. Make that remotely possible.

My bet is that the parking spot owners will either try to resell the domains to legitimate organizations or the domains will be used directly by phony fund raising scams. Let any tragedy occur, and there will be plenty of scum out there trying to take advantage of generous folks who truly want to help.

Remember that there are safe places to find out where you can help. The first place I tend to look is at cnn.com, where a click of the IMPACT button (near the top right corner of the home page) will bring you lists of charities and other outlets where you can help.

[Image: cnn.com IMPACT button]

Disasters such as tsunamis and earthquakes come with little or no warning. Hurricanes, cyclones, and typhoons, on the other hand, are known well in advance of potential catastrophe. That gives profiteers plenty of time to be in place to reap rewards from others' suffering.

Similar domain names for Hurricane Hanna are already being registered.

Alert Message Phishing
Posted on August 31, 2008 at 09:49 AM

Phishing is pretty much all the same—luring you to a web site that looks just like the login page for a financial institution or anywhere else where a username/password combination opens the gates to goodies.

If one is wary of the overt style of phishing message—the one where there is a problem with your account, and you should log in to fix it—the shields might lower for a moment when the phishing message has a bit of indirection to it. Such is the case of one I saw this morning, which tries to lure a Capital One customer to view a message within the bank's web site messaging system. The institution with which I do online banking has a Mail section of the web site, where we can communicate with each other electronically. I believe this is fairly common. And, of course, the only way you can view such messages is by logging into the site.

The phishing message wasn't particularly professional-looking, but here it is just the same:

[Image: Capital One mail system phishing message]

Note that my email client, Microsoft's Entourage for the Mac, renders hidden link addresses in plain view. Most recipients of this phishing message would just see "click here" as a clickable link, with no visible URL. Thus, even if they knew what to look for, they might not recognize that the URL is to an IP address in Poland.
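As an added illustration (not code from the original post), here is a small Python inspector for HTML e-mail bodies that flags two of the tricks described here and in the "OMG! A Spammer Lied!" entry above: a "click here" link whose real destination is a bare IP address, and near-white "hash-busting" text. The sample message, the 203.0.113.7 address and the colours are constructed for the demonstration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message); 203.0.113.7 is an RFC 5737 documentation address.
SAMPLE_HTML = """<p>Your IT department has been paid to allow us to send you
these mails. <a href="http://203.0.113.7/cap1/msg.php">click here</a></p>
<p style="color:#e8e8e8">hash buster text</p><font color="#f0f0f0">more filler</font>"""

def is_light_colour(hex_colour, threshold=0xD0):
    """True when every RGB channel is at or above threshold (near-white text)."""
    m = re.fullmatch(r"#?([0-9a-fA-F]{6})", hex_colour.strip())
    return bool(m) and min(int(m.group(1)[i:i + 2], 16) for i in (0, 2, 4)) >= threshold

class EmailInspector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._href, self._text = [], None, []   # (kind, detail) tuples

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        # Text colour from an inline style or a legacy <font color> attribute
        m = re.search(r"(?<![-\w])color\s*:\s*(#[0-9a-fA-F]{6})", a.get("style") or "")
        colour = m.group(1) if m else a.get("color")
        if colour and is_light_colour(colour):
            self.findings.append(("hidden_text", colour))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        href, self._href = self._href, None
        try:
            ipaddress.ip_address(urlparse(href).hostname or "")   # bare-IP destination
            self.findings.append(("ip_link", href))
        except ValueError:
            pass
        if " ".join(self._text).split() in (["click", "here"], ["here"]):
            self.findings.append(("vague_link_text", href))

def inspect(html):
    p = EmailInspector()
    p.feed(html)
    p.close()
    return p.findings
```

Run `inspect(SAMPLE_HTML)` to see the four findings; a link with a real hostname and descriptive text produces none.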

Now, I've heard of outsourcing, but humongo Capital One isn't going to host its login pages at a hacked server in Warsaw.

This serves as a reminder that if you receive any type of communication purporting to come from a financial institution with whom you do business, use your established bookmark to visit the site and log in through that page.

I also go one step further—even with bookmarked pages—to make sure that the login page has the correct URL in the Address bar and the SSL certificate is in force (at least as much as the browser reveals). I perform that check for every page that requests login credentials, even accounts that seem harmless in that they don't contain much personal information. Why am I so paranoid about this? Because if a crook gets hold of any one username/password combination, there is a good chance that that combo will open doors at other sites (no, I don't have individual combinations for each freakin' site that requires a login—and it seems as though you've gotta open an account at more and more sites these days just to get basic information). It's trivial for crooks to set up robots that try your credentials at thousands of sites. All it takes is one success to expose further personal or credit card data stored on those servers associated with that username/password pairing.

It's sad that we have to concern ourselves about this stuff. But taking a What, me worry? attitude puts you directly in the line of fire from way too many Bad Guys.

University Degree--No Larnin' Needed
Posted on August 27, 2008 at 08:16 AM

Legitimate universities—including those from whom you can earn a real degree—always put their best feet forward to attract students. Fancy catalogs, professionally-done web sites—whatever it takes to exude professionalism, class, and taste.

In contrast comes the Subject: line of one of those "dial-a-degree" spam messages, which promise that one's work experience (oops, they forgot to mention the money) is good enough to obtain a degree, including a Doctorate. Professionalism, class, and taste? You decide:

Subject: FW: Is your skills about to expired?

Is you is, or is you ain't college material?

Phony Anti-Virus Software
Posted on August 23, 2008 at 07:55 PM

The malware lure du jour advertises security software for home or business, depending on which variant of the email you receive. Here are a few Subject: lines I've seen:

  • Business Security Software
  • You Computer Security. For you home.
  • A new standard of Internet threat protection for your home.

The first line of the messages varies, but the balance of all the messages I've seen are identical. Here's one variant:

Anti-Virus Nero Advanced Pro. 2008. Download last update! <http://[removed].com/dhl/dhl.php>

6 month free trial!

A new standard of Internet threat protection for your home or small office.
Award-winning protection against viruses and spyware, identity theft and phishing, hackers and spam.

Anti-Virus Nero Advanced Pro. 2009 antivirus software with maximum spyware protection.
Protects against viruses, Trojans, and worms, spyware and adware, rootkits, identity theft and phishing attacks.
Advanced proactive protection, unmatched system performance,
automatic hourly updates and the fastest response to the latest threats.

All URLs of the ones I've seen (all hijacked web servers) lead to a PHP program called dhl.php, which automatically downloads name.avi.exe to a visiting PC. That Trojan downloader is recognized by most legitimate antivirus software, according to a VirusTotal scan.

Accepting an invitation to download and install unknown antivirus software from an unknown sender is about as safe as French-kissing a stranger in the influenza ward. Both lead to infections that you don't really want to experience.