Spammers Suck
I’ve got my old Blogger blog back from the spammers. I wouldn’t go looking through the archives though. I’ve removed my nasty files, but they had inserted an image on the front page from this site http://fuckgia.goldbananas.com. It’s probably best that you don’t go there… But the registrant’s details are:
Registrant:
   N/A
   Alexey Polyakov (****@chaser.ru)
   Arkhangelsky, 10
   Moscow
   Moskovskaya oblast, 101000
   RU
   Tel. +007.9168982435

Creation Date: 09-Feb-2006
Expiration Date: 09-Feb-2007

Domain servers in listed order:
   ns2.addyour.net
   ns1.addyour.net

Administrative Contact:
   N/A
   Alexey Polyakov (****@chaser.ru)
   Arkhangelsky, 10
   Moscow
   Moskovskaya oblast, 101000
   RU
   Tel. +007.9168982435

Technical Contact:
   N/A
   Alexey Polyakov (****@chaser.ru)
   Arkhangelsky, 10
   Moscow
   Moskovskaya oblast, 101000
   RU
   Tel. +007.9168982435

Billing Contact:
   N/A
   Alexey Polyakov (****@chaser.ru)
   Arkhangelsky, 10
   Moscow
   Moskovskaya oblast, 101000
   RU
   Tel. +007.9168982435

Status: ACTIVE
Spammer scum.

Dear Gia – I’m sure you just want to get on with your life now, but I for one would be interested to know as much as possible about exactly what happened here. I have been trying to make a study of the ever-evolving dark side of the net – malware, spammers, scammers… – precisely because it’s a thing that one tends to tune out, unless one is professionally involved. So if I could ask a few tedious questions–
1) You wrote that first you couldn’t log in, then when you did log in, all the blogs associated with that profile were gone; but your main(?) blog, giagia, was still there and in the hands of Polyakov, which suggests that it was associated with a different “profile”. So my first question is, is there one profile per account, at Blogger? I have a Blogger account – just one, little-used – which is associated with two blogs, but there’s only one profile, and I don’t see any way to have multiple profiles for the one account. So I tentatively deduce from this that you had at least two Blogger accounts, one of which had all its associated blogs deleted, and the other of which hosted a blog (giagia) which was hijacked. Is all that correct?
2) Next question: do you know yet how your account(s) might have been hacked? Did they just guess your passwords? Or is it possible that the passwords were retrieved from your own PC? If my deduction above is correct, and you had two Blogger accounts, both of which were hacked, I would be concerned that your home systems have been invaded.
3) What did Polyakov actually do to the giagia blog? Did he add text or links? It seems clear that he left a lot of the existing text in place, or else your trick with the embedded images would not have worked.
Polyakov is reportedly the world’s number one spammer, “responsible for one fourth of all reported spam” (April 2006).
Mitchell-
I’ll try to clarify. Everything was written in such haste.
I first noticed a strange referral in Technorati linking to this blog. The title of the blog was some meta tags from my Blogger blog. I went to look at my Blogger blog – which, though I’d moved from it, I still would log in to regularly so Blogger didn’t think it was abandoned. All of my content was still there – bar my final ‘I’ve moved’ post – plus Google ads and some links to Casinos and Dating sites. Any new visitor to the site would think it was a real blog, not a splog.
I tried logging into my *one* account at Blogger and was greeted with ‘This account doesn’t exist’. I created a *new* account at Blogger in order to alert them to my problem (one has to be a member before contacting them).
A little while later – maybe an hour- I was able to log into my original account again, but all of the blogs were gone.
I don’t believe my password was taken from my computer. I use a router at home and a Mac (so no Trojan Horses). I believe it was brute forced. The password I was using was a combination of numbers and letters, but not random.
He got rid of all links on the front page in the posts and added Google ads and links to Casino/Dating sites.
I’m proud that I pissed off one of the world’s biggest spammers enough to create a subdomain in my honor! :)
It’s darkly fascinating, trying to sort through the different tactics blogosphere spammers are using. They will comment-spam existing blogs. They’ll create de-novo blogs which exist solely as link farms. They will grab the namespace of recently deleted blogs, in order to capitalize on their residual page-rank credit in the search engines. And now, apparently, they’re hacking into existing but neglected blogs (and probably using zombie botnets to do the password guessing… thus one stage evolves into the next…). It’s ominous that we barely have the vocabulary to distinguish precisely between all these tactics.
This hijacking of an existing blog, to which you fell victim, seems to be very new. So far I’ve only found one web page talking about it – and your case is the second most-recent example listed!
I’m sure there are more that haven’t been reported. Blogger is going to have to sort something out and quick because it seems like the whole place is imploding…
Gia,
you’d be surprised at how much malwebware can affect a Mac. Did you see my posting about EdF’s foray into cross-site scripting? Chilling.
If your password really is a random assortment of letters and numbers, it’s extremely unlikely that it was bruteforced. Have you used it anywhere else? Typed it into a login name field by mistake?
Blogger’s not imploding by any means- all of these services have a problem with spammers and it looks like you got hit. It sucks, but until we manage to exterminate the “selfish, evil fucker” gene, I don’t think there’s any real 100% solution.
Jasmine- my password wasn’t random letters and numbers but it wasn’t quite ‘pa55word’ either… I have about 6 different passwords that I use in various places (and I can never remember which one I use where). It’s possible that they could have got it from elsewhere, but then that means they’d have to be tracking *my* movements online, picking up passwords as I go and trying them in my Blogger account (knowing first, that I have a Blogger account)… which seems unlikely.
There seems to be loads and loads of people whose blogs ‘disappear’ or are ‘hijacked’ on Blogger now. It was never like that before as far as I knew.
The “selfish, evil fucker” gene will be with us forever. In a controlled state, it encourages creativity.
I wrote in Hacking Redefined:
…it’s hard NOT sometimes to (objectively) admire how professionally it’s designed and deployed…
Early viruses were initially detected by the system crashing. Now, malware uses rootkit technology to protect itself, so you need a rootkit detector to identify it. Assholes like Polyakov pay folks to distribute malware, to produce botnets, for the assholes to use, to distribute their product.
That’s creativity.
Mitchell, you are doing a study of this dark nature. I’m trying to help figure out what is going on here, from the Blogger perspective, because I use Blogger for my website host. Have you set up a blog or website, or maybe a public blogroll? I suspect we could help each other.
Gia, does any of the content in my latest article, Is Your Blog Getting Hijacked Thru YOUR Computer?, give you any ideas about how Polyakov’s crew might have attacked you?
What I don’t quite get about the ‘hacking my blog through my computer’ thing is that they’d have to a) find my blog, b) consider it’s got a high enough Google rank to be remotely worth it, c) find me, d) follow me around in the real world until I happen to use my computer on a slightly unstable network, e) I have to log into Blogger. OR: a) find an unstable network, b) watch every movement through it until someone logs onto Blogger, c) find someone with a blog with a high enough Google ranking for their purposes…
It seems more likely to me that the issue is with Blogger otherwise the spammers would be wasting a huge amount of time…
The exploitation of a known security hole can be automated and pursued in massively parallel fashion. Unprotected Windows machines can be invisibly hijacked within minutes of going online – the net is now that thick with hijacked machines, systematically and autonomously probing thousands of IP addresses in search of known insecurities. So it’s really no effort at all for system crackers in the pay of spammers to do this. If you ever once connected to Blogger on a compromised machine (perhaps in a library, or in a net-cafe), it must be possible that some password-capturing trojan sent your details to Moscow. But I wouldn’t yet conclude that that’s what happened…
Charles, my “study” is a whole lot less engaged than yours (nice instant guide to contemporary malware, by the way), but I can say that I’m reading SpywareGuide’s Greynets Blog and Paperghost’s blog for news. It was when I read, on the latter blog, about people getting pay-per-click revenue through botnet-controlled trojan adware, that I realized we’re evolving beyond spam-as-we-know-it into whole new territories of force and fraud, and that I’d better make a serious study of this if I wanted to have the slightest clue about the online world today.
I have another idea about what might have happened, one that doesn’t actually require password theft. As we’ve already discussed, grabbing the namespace left by recently departed blogs is already common practice. Is it possible that your old blog did expire, and that Polyakov’s crew grabbed the name and domain, and reinserted most of the old posts (drawing on the Google cache, or on a database of their own) before adding the links they wished to promote? It seems a little unlikely, but an aggressively mimetic strategy like this does have the virtue of delaying detection, and they wouldn’t need to guess your password to do it.
Hi Gia *_*
Geesh….I go away for a while, come back to find all hell has broken loose. Sorry to hear about all of this. I wish people would just stop fucking things up for others.
I’ll be around more as I have finally gotten DSL service along with a new laptop. Yes…I’m very, very happy about that. Dial up sucks…I never realized how incredibly slow it was until I got DSL…now I’m amazed I put up with it for all those years. *_* Ignorance is bliss, and patient.
I hope all is well with you and your family. Take care of yourself and don’t let the idiots get to you…they are just SO not worth it.
Mitchell, Blogger blogs don’t expire. They can be deleted, intentionally. But Gia would have told us if she deleted her blog. See this post by Blogger Employee about non-expiry of blogspot addresses.
Gia, it is awfully strange that so many hijackings are being reported at the same time. I have to consider the alternatives:
1) The bad guys have some new trojan installed on Bloggers computers.
2) A lot of Bloggers have coincidentally managed to expose their computers, thru unsafe use (i.e. public blogging).
3) The bad guys have brute forced into Bloggers computers.
4) Blogger just updated their servers with vulnerable software, which the bad guys have exploited.
5) The bad guys have brute forced into Blogger servers.
6) These hijackings have been happening for some time, but since the other problems from last month appear to be resolved (OK, some of them), the noise level is lower and we are just hearing about the hijacks.
I feel another RBS post coming. This post is long enough.
Cheers,
Chuck
Mitchell-
Four years’ worth of blog posts were entirely intact. The only ones which had been changed (links stripped) were on the front page… so they didn’t reconstruct my blog.
Chuck-
From what you say it seems far more likely that the spammers have got into Blogger’s servers…
Darcy-
YAY! Nice to see you!!!
Gia,
no, spammers have *not* got into Blogger’s servers. This is how they work:
i) Scan for insecure Windows machines. Crack those machines remotely and put a bot on them.
ii) Have those bots search for more insecure Windows machines, and automatically crack them and install the bot.
Repeat stages i and ii above until your “botnet” is big enough; several tens of thousands of machines is not uncommon.
iii) Have your botnet search, using dictionary words harvested from a web crawl, over as many blogs as you like.
iv) Have them try randomly generated passwords on each.
Now, this may seem like a hit-and-miss process, especially for passwords that contain digits and other spoiler characters, but you can generate those using a dictionary and a letter-to-digit substitution table. It’s still hit-and-miss, but hell, you might have a hundred thousand machines all hammering away. It’s going to break pretty quickly whatever you do. This is why it’s important that your password is *not* based on a dictionary word in any way.
Defacement crews do this in order to scribble on websites (though they tend to target web servers rather than blogs) and spammers do it in order to actually send spam. They are all fuckers, every one.
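The guessing strategy Jas describes above, as an added example that is not code from the thread or from any commenter: a generator for the “dictionary word plus letter-to-digit substitution plus numeric suffix” guess space, and a check that tells you whether a given password falls inside it. The wordlist, the substitution table and the suffix range are constructed assumptions for illustration; a real crew harvests the words from a web crawl and uses far larger tables, so the real space is bigger than this one, not smaller.

```python
"""Dictionary-mangling password guesses of the kind a botnet would try.

Added example, not code from the original post or comments. WORDLIST, SUBS
and SUFFIXES are constructed assumptions standing in for a harvested
dictionary and a real substitution table.
"""
import itertools

# Constructed toy wordlist standing in for words harvested from a web crawl.
WORDLIST = ["blogger", "london", "password", "monkey", "sunshine"]

# Letter-to-digit/symbol substitution table (assumed; real tables are larger).
SUBS = {"a": "4@", "e": "3", "i": "1!", "l": "1", "o": "0", "s": "5$", "t": "7"}

# Numeric suffixes people bolt on to satisfy "must contain a digit" rules:
# two-digit numbers and a range of years (assumed range).
SUFFIXES = [""] + [f"{n:02d}" for n in range(100)] + [str(y) for y in range(1950, 2010)]


def substitutions(word, max_subs=2):
    """Yield every spelling of `word` with up to `max_subs` letters swapped
    for a look-alike digit or symbol from SUBS ("blogger" -> "bl0gger", "b1ogg3r", ...)."""
    positions = [i for i, ch in enumerate(word) if ch in SUBS]
    yield word
    for k in range(1, min(max_subs, len(positions)) + 1):
        for chosen in itertools.combinations(positions, k):
            for repl in itertools.product(*(SUBS[word[i]] for i in chosen)):
                chars = list(word)
                for i, r in zip(chosen, repl):
                    chars[i] = r
                yield "".join(chars)


def mangle(word, max_subs=2):
    """Yield the candidate passwords derived from one dictionary word:
    substitution variants x three case forms x a numeric suffix."""
    for variant in substitutions(word.lower(), max_subs):
        for cased in (variant, variant.capitalize(), variant.upper()):
            for suffix in SUFFIXES:
                yield cased + suffix


def build_candidates(wordlist, max_subs=2):
    """Map every candidate guess back to the dictionary word it came from."""
    table = {}
    for word in wordlist:
        for cand in mangle(word, max_subs):
            table.setdefault(cand, word)
    return table


def dictionary_origin(password, wordlist=WORDLIST, max_subs=2):
    """Return the dictionary word `password` is a mangling of, or None.

    A non-None result means the password sits inside the space a botnet
    would search first, however 'random' the digits make it look."""
    return build_candidates(wordlist, max_subs).get(password)


if __name__ == "__main__":
    table = build_candidates(WORDLIST)
    print(f"{len(WORDLIST)} words expand to {len(table)} guesses")
    for pw in ("Bl0gger99", "pa55word", "L0nd0n2006", "xq7#Lm2$vP"):
        print(f"{pw!r:14} -> {dictionary_origin(pw)}")
```

The point the numbers make: five words become several thousand guesses, and a real dictionary of tens of thousands of words with a larger table becomes millions, which is small change for the volume of machines Jas mentions. A password that `dictionary_origin` can trace back to a word is not protected by its digits; one it cannot trace (the last sample) forces the attacker out of the dictionary space entirely.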
Jas, Like you, I consider it far more likely that the security breach, whatever it is, involves the individual Bloggers, or their computers. But I’m not going to rule out any possibility of breached servers.
Look at what happened to the microsoft.fr servers last week. Servers are vulnerable, even (especially) the big corporate ones.
Gia, I’m going to be open minded here. You said earlier that you don’t think that your password is (was) weak. Did you do a malware check on your computers?
I’m trying to identify all of the possibilities, in my latest blog post.
BTW, is there any possibility that your blog could provide a Preview option for our posts here? My typing skillz suck.
Cheers,
Chuck
Chuck,
I am telling you for a fact that the Blogger servers are not compromised. Trust me.
Yeah, trust Jas on that one!
Can anyone (Jas?) tell me what kind of malware I’d have on a Mac? I’ve downloaded ClamXav, but it’s going to take several tens of hours to scan everything judging by the rate it’s going at…
Malware for the Mac? Anyone?
gia, just leave the clamav thing running- it’s super thorough. There’s no point guessing at what you might have- if you have more than one, and we only guessed at one, you’d be stuffed :-(
Jas, Are you a Blogger employee? Or are you maybe an employee of Mr. Polyakov? How do you know that Blogger services are not compromised? Details please. And no, I’m not going to “trust you”. LOL.
Gia, If you know more about your problem than you’re telling, that’s one thing. But letting Jas simply say “Blogger servers are not compromised” is not going to help us with the matter at hand. And if you do know more, you really should say what you know. That’s the proper community attitude.
And if you are suspecting malware infection, ClamAV is one good tool for protection. But it’s not at all the only protection that you need. And right now, you may really benefit from a thorough malware check. Don’t stop with ClamAV.
If you choose not to trust me, fine. But get expert advice, in an open forum, where the experts are available. You did that for advice for your blog, do it for your computer too.
Ran ClamXav – nothing. The last time I used a PC for *anything* was over 2 years ago…
I also don’t see why or how even if my computer had been compromised why they’d bother with just going into my Blogger account when there are surely far more interesting places to ‘visit’…
Chuck, I work at Google, designing supercomputers.
You, sir, are a paranoid lunatic.
Yeah, all kinds of things seem to happen to popular Blogger blogs.. 2/3 months ago, my blog disappeared completely from the map while I was on DIGG’s front page, and, after sending a request for help to Blogger support, I got my blog back almost 72 hours later.
72 hours of a 404 not found page.. I couldn’t sleep.. (yeah, I know, I’m such a geek) :)
I’m in the process of moving my blog to WordPress on a Dreamhost dedicated server, but damn, I’ll be losing so much by doing that: my precious page rank, and 1000s of linkbacks.
The lesson to be learned from this? If you plan to do something serious out of your blog, don’t waste your time and host it yourself.
Cheers, love your blog
Kiltak [GAS]
“I’m in the process of moving my blog to wordpress on a dreamhost dedicated server, but damn, I’ll be losing so much by doing that…”
That’s exactly what I did. I use Dreamhost. They are very, very good and the amount of storage/bandwidth you get for your money is remarkable AND their customer service and tech support are EXCELLENT… They really are *brilliant*.