Jan 30: Nigerian 419 scamming Nigerian 419 victims
This is the first email I have ever seen of this kind. But my email addresses may not be on many scammers' lists. In any case I thought the idea was different. Targeting victims of Nigerian 419 scams suggests that the scammers believe their victims are ripe for a second harvesting and have not smartened up from being scammed the first time around.
This is what dropped into my inbox:
REF/PAYMENTS CODE:06654
This is to officially inform you that we have verified your payment,100 Nigerian 419 scam victims where Arested you are listed and approved for this payments as one of the scam victims,get back to me as soon as possible.
Yours faithfully,
Dr.John Odey
- ministry of information
As usual the yahoo.co.jp from address, unintelligible English and the other red herrings are there. I'll be sure to get onto that as soon as I have collected my 13 billions in lottery winnings from obscure lotteries I have never entered into.
Dec 5: Today is day of the ninja!
Nov 30: Youtube abused for spamlinking (SEO Blackhat attempts)
I stumbled onto some comment spam in a blog today. Some of the entries did attract my attention, however: they appeared to be spamming YouTube links flogging Viagra and Cialis.

Curiosity roused I wondered, do they actually have videos posted that flog viagra, or cialis? Better have a looksie...
The links lead to user pages similar to this one:

Notice the user's homepage URL being a spammer-supplied URL. I haven't seen many of these in the wild. I guess it's a "rather new" technique. I say "new" since the user account has been present since September 1st. Almost 3 months. Luckily for us YouTube employs nofollow links so the links do not (should not) get indexed by search engines. I guess this spammer forgot to check the HTML source. I will save my speech on why nofollow detracts from the silver bullet of web 2.0 link safety, but does hurt SEO spammers for another day.

Nov 19: Code monkey song and video
Oct 25: I am perl
Not literally, but in an attempt at cough productivity cough I stumbled across this quiz in a blog and decided to try it out. Can't say the result surprised me much....

Which Programming Language are You?

Oct 4: Phishers have developed a new security model
Sorry in advance for the captivating title, but this was too funny.
We all know that phishers often target users lacking tech savvy skills as it is simply quicker and easier for them and still works (tm). But I had to laugh when one of my email traps received a PayPal phishing email starting with the following lines:
Dear Valued Paypal Member
Your account has been randomly flagged in our system as a part of our routine security measures.
As far as sophisticated phishing goes this one certainly hits the bottom line, but it sure is funny. Randomly locking an account for no reason apart from the account being randomly selected offers what exactly in security terms? A mob of irate customers that can be released upon unsuspecting phishers whose location is known is my best guess. Luckily we have yet to see these alleged security enhancements implemented in any real-world application.
Mar 30: Amusing spam
A spammer managed to open a support ticket at my work with the following subject:
Buy impotence drugs with us much cheaper!
And there I was, selecting the delete option for the ticket thinking to myself, who the hell would want to pay good money to become impotent? Any takers?
Feb 20: Having a punt
Tomorrow is the Mornington Cup. This racing event is not well known outside of the peninsula it seems, but "we" who live here certainly enjoy it. I say "we" as this is the first year I attend. I have a suitably flamboyant outfit ready and intend to have a punt or two.
Yesterday my girlfriend called me from work to ask me to check this site that she thought was causing an issue on her computer, as a popup window had opened and would not close again. So I fired up Tamper Data and just looked at the URLs it requested. And there it was, http://happy81.9966.org/hxw/errorgm.js, which had been inserted into a hidden iframe of http://www.mrc.net.au/mrc/index.htm. A quick look at the content of the JavaScript file shows encrypted JavaScript typical of browser-based exploits in the wild. Decoding the JavaScript shows references to an .exe file and further JavaScript. The downloaded executable was flagged as a trojan. Case closed. I told my girlfriend to recommend changing the anti-virus software to the IT department and emailed the Mornington race club informing them that their website was spreading malware.
Edit: I have just spoken on the phone with Mr. Michael Browell who informed me that they would remove the offending code immediately.
Edit2: The malware has been removed, you should still check your computer if you have recently visited the site.
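For site owners who want to catch this kind of injection themselves, here is an added example (not part of the original post) that audits a page's HTML for iframes and scripts loaded from other hosts and marks the iframes that are hidden. The page URL, host names and sample markup are constructed placeholders, and the function names are hypothetical.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def tiny(value):
    """True when a width/height attribute is 0 or 1 pixel."""
    m = re.match(r"\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) <= 1

def base_host(host):
    return host[4:] if host.startswith("www.") else host

class FrameAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.site = base_host(urlparse(page_url).hostname or "")
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag not in ("iframe", "script") or not a.get("src"):
            return
        url = urljoin(self.page_url, a["src"])   # resolve relative paths
        host = urlparse(url).hostname or ""
        same_site = host == self.site or host.endswith("." + self.site)
        if same_site:
            return
        hidden = tag == "iframe" and bool(
            tiny(a.get("width")) or tiny(a.get("height"))
            or HIDDEN_STYLE.search(a.get("style") or ""))
        self.findings.append({"tag": tag, "url": url, "hidden": hidden})

def audit(html, page_url):
    """Return third-party iframes/scripts; 'hidden' marks invisible iframes."""
    parser = FrameAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample page (hosts are placeholders, not from the incident).
PAGE_URL = "http://www.racing-club.example/index.htm"
SAMPLE = """<html><body>
<script src="/js/menu.js"></script>
<iframe src="http://maps.partner.example/embed" width="400" height="300"></iframe>
<iframe src="http://dropper.invalid/x/frame.htm" width="0" height="0"></iframe>
<iframe src="/promo.htm" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in audit(SAMPLE, PAGE_URL):
        print("HIDDEN " if f["hidden"] else "visible", f["tag"], f["url"])
```

A hidden iframe pointing at a host the site owner does not recognise is the finding to act on first; visible third-party embeds are listed so they can be checked against what the site is meant to load.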
Feb 14: Month of PHP bugs
In the spirit of the recent trend of targeted bug releases, "The Month of PHP bugs" has been chosen. Stefan Esser is going to release a new PHP bug every day during the month of March.
As he announced when he retired from security@php.net:
It will also mean that some of my advisories will come without patches available, because the PHP Security Response Team refused to fix them for months. It will also mean that there will be a lot more advisories about security holes in PHP.
A number of the bugs that will be released during the Month of PHP bugs will not have patches readily available. To quote the announcement directly:
Today PHP 5.2.1 was released which fixes some (but not all) of the bugs I will cover in the "Month of PHP bugs". Actually the release announcement already gives a list of bugs that were fixed. As usual the release announcement gives too little information about the bugs, does describe several bugs wrongly, forgets some security bugs that were fixed, downplays the seriousness of the bugs and does not give a single line of credit.
I am also looking forward to the heap protection circumvention to deliver exploit payloads. It looks like there is some frantic patching on the horizon.
Feb 14: Happy Valentine's day!


