[outages] Crazy amts of spoofing?

Jeremy Chadwick jdc at koitsu.org
Fri Apr 4 16:48:06 EDT 2014


The last time I saw something like this (personally) was a few years
ago, happening to younger friends of mine who used Facebook.  The
problem wasn't Facebook itself though.  What happened:

- Some person they knew shared a link/URL on Facebook, stating "funny
  video!" or the like -- same person probably had some compromised
  system of their own
- Facebook friend visits link/URL
- Link/site contained both malicious JavaScript and Flash exploits
  to install a trojan/malware.  (The exploits at the time were so new
  that anti-virus/malware software didn't detect them)
  -- The "funny video" got shown, so the visitor had no idea what was
  going on under the hood
- Trojan/malware under the hood begins scanning all address books
  (including any local browser content cache that looks like an address
  book, as well as things like Outlook address books -- pretty much
  everything under the sun), as well as tried to figure out what their
  own name was
- Same trojan/malware attempted TCP port 25 connection to whatever SMTP
  server was configured in a local Email client (I forget how it worked
  this out, but it wasn't using an open relay from what I could tell)
  and proceeded to send Email to multiple recipients as follows:
  -- SMTP-level MAIL FROM was their own Email address
  -- SMTP-level RCPT TO was to themselves (I think?)
  -- Mail header From: line was their own name + Email address
  -- Mail header To: line was to themselves
  -- Mail header Cc: line contained multiple address book recipients
  -- Body of mail contained aforementioned link/URL and nothing else (if
  I remember correctly)

I was one of the CC'd individuals.  What got my attention was the fact
that I got two mails about the same thing -- one from a younger friend
of mine, and one later from one of the people on the CC list (indicating
something was spreading).

Once I got my hands on my younger friend's laptop, I found the malware
itself actively running and ended up reformatting the entire system.

Not sure if this is what you were seeing or not; if so it may just be
another form of the same thing.  In short, yes, address book scanning is
something that some malware now does.

-- 
| Jeremy Chadwick                                   jdc at koitsu.org |
| UNIX Systems Administrator                http://jdc.koitsu.org/ |
| Making life hard for others since 1977.             PGP 4BD6C0CB |
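The header pattern described above (From: and To: both the victim's own address, the harvested address book in Cc:, a bare link as the body) is distinctive enough to flag at a mail gateway. The following is an added illustration, not code from the original post or the Outages list: it parses RFC 5322 messages with Python's standard `email` package and scores three indicators. The threshold `min_cc`, the helper names and the sample messages (addresses at example.com, the URL) are all constructed assumptions for the demonstration.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Body that is nothing but a single http(s) URL (whitespace allowed around it).
URL_ONLY = re.compile(r"^\s*https?://\S+\s*$", re.IGNORECASE)


def get_text_body(msg):
    """Return the first text/plain payload as str (empty string if none)."""
    if msg.is_multipart():
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                return part.get_payload(decode=True).decode(errors="replace")
        return ""
    payload = msg.get_payload(decode=True)
    return payload.decode(errors="replace") if payload else ""


def is_self_addressed_spray(raw, min_cc=5):
    """Score one raw message against the self-addressed address-book spray pattern.

    min_cc is an assumed threshold: how many Cc recipients count as a 'spray'.
    Returns a dict of boolean indicators so a gateway can log which ones fired.
    """
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    to_addrs = {a.lower() for _, a in getaddresses(msg.get_all("To", []))}
    cc_addrs = {a.lower() for _, a in getaddresses(msg.get_all("Cc", []))}
    body = get_text_body(msg)
    return {
        # Header From: equals the only To: recipient (victim mailing themselves)
        "from_equals_to": bool(sender) and to_addrs == {sender},
        # Large Cc list, as produced by dumping a harvested address book
        "many_cc": len(cc_addrs) >= min_cc,
        # Body is just the lure link and nothing else
        "url_only_body": bool(URL_ONLY.match(body)),
    }


def score(indicators):
    """Number of indicators that fired; 3 means every part of the pattern matched."""
    return sum(indicators.values())


# Constructed sample: the pattern described in the post.
SUSPECT = """From: Alice Example <alice@example.com>
To: Alice Example <alice@example.com>
Cc: bob@example.com, carol@example.com, dave@example.com, erin@example.com, frank@example.com, grace@example.com
Subject: funny video!
Content-Type: text/plain; charset=utf-8

http://example.com/funny-video
"""

# Constructed sample: ordinary mail that should not trip any indicator.
BENIGN = """From: Alice Example <alice@example.com>
To: Bob Example <bob@example.com>
Cc: carol@example.com
Subject: meeting notes
Content-Type: text/plain; charset=utf-8

Hi Bob, the notes from today are attached.
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        ind = is_self_addressed_spray(raw)
        print(label, score(ind), ind)
```

A gateway would typically quarantine or hold for review only when all three indicators fire, since a self-addressed Bcc-style newsletter or a one-line "see this" note can each trip one indicator on its own; the envelope MAIL FROM / RCPT TO seen at SMTP time can be compared the same way if the MTA exposes them.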

On Fri, Apr 04, 2014 at 01:17:25PM -0700, Neil Ticktin wrote:
> Anyone seeing crazy amounts of spoofing that are going out to what looks
> like address book entries?
> 
> In other words, not from your client, not from your server, but spoofing an
> email address that's yours, and going to recipients that look like your
> address book (e.g., grouped by last name and to people you know).
> 
> I don't want to point fingers, and I have no evidence of this in any way,
> but it almost looks like a social network site, that may have access to
> address book entries, got hit -- and someone is spoofing big time.
> 
> The other option would be a Mac virus hitting address book entries.
> 
> Anyone seeing anything like this?
> 
> Neil
