Friday, October 22, 2010

Sequel to Eastwood's Hereafter: email from beyond?

Since Clint Eastwood's new movie Hereafter opens today, I couldn't resist the metaphor.

Imagine my surprise at getting email from my dead friend Jeff Menz. Did God finally allow an ISP to hook up in the great beyond? Alas, my departed pal simply wanted to recommend pills. And double drat, while the email came from my friend's Yahoo email account (great security guys; no wonder you're getting your butt handed to you by Google), the ISP was registered in China. Okay, somebody was hacking my friend's account for profit, a pretty dumb exploit by a petty criminal. So over the last week, I've had a very enlightening adventure.

I got Jeff's email on October 13th. Since others of his friends were on the CC list, I replied to ALL with "Since Jeff Menz is dead, who the hell is using his Web site and username?" On October 19th, I clicked on the email link, only to find it was now dead. So I did a WHOIS on the domain and saw that ownership had been changed the day after the email exploit. I sent the new owner an email with the subject line, "Your domain has been involved in criminal activity". Imagine my surprise upon checking the WHOIS data again yesterday, where the domain record had been updated to private, with no owner contact email.
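The two checks described above (working out where a message actually entered the mail system rather than trusting the From account, and watching a domain's WHOIS record change between lookups) are easy to script. The following is an added example, not code from the original post. The mail headers and the WHOIS snapshots are constructed sample data: the relay hostnames, IP addresses and the domain name are placeholders, and the snapshot fields are a simplified stand-in for a real WHOIS response.

```python
import email
import email.utils
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample headers modelled on the post: the From line is the friend's
# real webmail address, but the earliest hop is a client the friend never used.
SAMPLE_HEADERS = """\
From: Jeff Menz <cambriasail@yahoo.com>
To: someone@example.org
Subject: a source for your pharmacy needs
Received: from web12345.mail.example-webmail.invalid (web12345.mail.example-webmail.invalid [203.0.113.77])
    by mx.example.org with SMTP; Wed, 13 Oct 2010 09:12:01 -0700
Received: from [198.51.100.23] by web12345.mail.example-webmail.invalid via HTTP; Wed, 13 Oct 2010 09:11:58 PDT
"""

# Constructed WHOIS snapshots for a placeholder domain, mirroring the post's
# observation: the registrant changed the day after the mailing, then went private.
WHOIS_BEFORE = {
    "domain": "example-pharmacy.invalid",
    "registrant_name": "Original Holder",
    "registrant_email": "holder@example.net",
    "updated": "2010-09-01",
}
WHOIS_AFTER_TRANSFER = {
    "domain": "example-pharmacy.invalid",
    "registrant_name": "New Holder",
    "registrant_email": "newholder@example.net",
    "updated": "2010-10-14",
}
WHOIS_AFTER_PRIVACY = {
    "domain": "example-pharmacy.invalid",
    "registrant_name": "Privacy protection service",
    "registrant_email": "",
    "updated": "2010-10-21",
}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def from_account(raw_headers: str) -> str:
    """The address the message claims to come from (the hijacked webmail account)."""
    msg = email.message_from_string(raw_headers)
    return email.utils.parseaddr(msg.get("From", ""))[1]


def originating_ip(raw_headers: str) -> Optional[str]:
    """Client IP from the earliest Received header.

    Each relay prepends its own Received line, so the last one listed is the
    hop closest to whoever actually sent the message. That is the address to
    look up, not the domain of the From account.
    """
    msg = email.message_from_string(raw_headers)
    for hop in reversed(msg.get_all("Received") or []):
        for candidate in IP_RE.findall(hop):
            try:
                ipaddress.ip_address(candidate)
            except ValueError:
                continue
            return candidate
    return None


def whois_changes(before: Dict[str, str], after: Dict[str, str]) -> List[str]:
    """Field-by-field differences between two WHOIS lookups of the same domain."""
    changed = []
    for key in sorted(set(before) | set(after)):
        if before.get(key) != after.get(key):
            changed.append(f"{key}: {before.get(key)!r} -> {after.get(key)!r}")
    return changed


def registrant_went_private(before: Dict[str, str], after: Dict[str, str]) -> bool:
    """True when a previously visible contact email disappeared between lookups."""
    return bool(before.get("registrant_email")) and not after.get("registrant_email")


def investigate(raw_headers: str, snapshots: List[Dict[str, str]]) -> Dict[str, object]:
    """Summarise the indicators a recipient can collect without any special access."""
    timeline = [whois_changes(a, b) for a, b in zip(snapshots, snapshots[1:])]
    went_private = any(registrant_went_private(a, b) for a, b in zip(snapshots, snapshots[1:]))
    return {
        "from_account": from_account(raw_headers),
        "originating_ip": originating_ip(raw_headers),
        "whois_timeline": timeline,
        "registrant_went_private": went_private,
    }


if __name__ == "__main__":
    report = investigate(SAMPLE_HEADERS, [WHOIS_BEFORE, WHOIS_AFTER_TRANSFER, WHOIS_AFTER_PRIVACY])
    for key, value in report.items():
        print(f"{key}: {value}")
```

The originating IP and the From account are reported side by side because that is the whole point of the header check: a message from a compromised account is sent through the provider's own infrastructure, so the From address and the provider's relay tell you nothing about the sender, while the earliest hop often does. Keeping dated WHOIS snapshots is what lets you see a registrant change and a later switch to privacy protection, as the post describes.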

Conclusions:
  • My dead friend isn't connected from beyond (what a disappointment).
  • The offending Chinese ISP is close enough to a major university that it's highly probable the culprits were taking a Hacking 101 course (for which they should get a failing grade, since they couldn't possibly erase the money trail and were too stupid to register their domain with privacy settings).
  • The China-based Internet registrar lets them be a bit too nimble for an arm's-length relationship; I can only conclude that this is part of a larger criminal effort, which brings into play possible RICO implications if the U.S. Congress ever issues Letters of Marque and Reprisal to cyber privateers. The bank accounts of the registrar might be fair game for looting.
  • It's more difficult for me to give China the benefit of any doubt about being the source of the criminal activity, like maybe criminals from some other country were using the Chinese ISP to host their email-hijacking SPAM exploits. Still not an impossibility, but in my mind not the most likely scenario.

This morning I got another note from Jeff, again suggesting a source for my pharmacy needs. The link is live (at this moment) and redirects me to a pharmacy site supposedly in Canada. However, the domain is registered in Moscow. Given the pings this blog has been getting from the Chinese ISP address, I would conclude that the student who failed his last class is trying to redirect my attentions to Mother Russia. Maybe for extra credit? Maybe to salvage a miserable grade?

No, I haven't sent any more emails to the "Contact Us" link on the "Canadian Neighbor Pharmacy" site registered to a Moscow ISP, to the FBI, or even to Yahoo who should cancel Jeff's email address (cambriasail@yahoo.com) and let the poor guy rest in peace. But if going after petty cyber thieves ever becomes legal, I'd like to request that whoever stings these guys let me in on the details.
