The NFL: Fostering Social Engineering?

So, yesterday I wrote this blog entry talking about some social engineering tactics enabled by an American fascination with the NFL.

While looking at the email spam we received from a Storm malware distribution campaign, I kept thinking: who in their right mind would ever click on such a link? Two sample spam messages we received are included below.

Storm-driven NFL Tracker Spam Emails

Well, apparently the folks behind this thought the same and, as mentioned, cleaned things up a bit and went out and got themselves an actual domain name. For those of you who didn’t receive the more appealing version of the spam, the Trend folks provided a graphic of one version in their blog. One domain name registered for this purpose was, intuitively enough,

GeekTools Whois Proxy v5.0.4 Ready.

Checking server []

Checking server []
Registration Service Provided By: LOMTI INC.
Contact: +351.3456712


Garry Bark (
Tel. +1.3235112327

Creation Date: 13-Sep-2007
Expiration Date: 13-Sep-2008

Domain servers in listed order:
No NameServers Defined.

Administrative Contact:

Technical Contact:

Billing Contact:

Note: This Domain Name is Suspended. In this status the domain name is
InActive and will not function.

Well, not surprisingly, that domain has since been suspended, as indicated in the whois output above. The IP addresses listed in the URLs of the spam messages above, which pointed to additional Storm malware distribution sites, along with several others we’ve received, have since been taken offline as well.

So, in general, folks are continuing to do a good job at reacting to Storm’s continued shenanigans.

However, that’s not what piqued my interest here. While trudging through email this morning I had another message with an NFL-related subject line:

NFL Email

I certainly don’t recall subscribing to this list, so I figure it’s another Storm scam. However, when looking at the message itself I see a From: address of, as well as a Reply-To: address of. So, I expand the headers and have a look at the message source to see where it came from and where the links in the message are directing me:

Received: from ( [])

And most of the images in the email are loading from files located in subdirectories on

So, I dig mx to look for MX records for and find:


And I dig mx:


And find this domain in the MX DNS RR. And then see that most of the links in the email are pointing to subdirectories here: or

And so a whois reveals that these ed*.net domains are registered by someone with an email address.

That all looks pretty reasonable, although is nowhere in the mix — unless you load the links in question and find that you land on actual servers after a few redirects:

danny@rover% wget
=> `HDQC4KL'
Resolving... done.
Connecting to[]:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: [following]
=> `single?campaign=ma0012&refcode=nfl-ed_0918FH'
Resolving... done.
Connecting to[]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: [following]
=> `free'
Resolving... done.
Connecting to[]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]

[ ] 68,868 344.89K/s

11:20:59 (344.89 KB/s) - `free' saved [68868]

After checking out the URLs and sites in question, they all appear to be legit; annoying, but legit.
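The hand triage above (pull the From:, Reply-To: and Received: domains, collect the link targets, then follow each redirect chain one hop at a time to see where you actually land) as a script. This is an added example, not code from the original post; every domain, address and redirect hop in it is constructed for illustration, and the names triage, follow_redirects, header_domains and body_links are mine. The fetcher is pluggable: the offline fake_fetch table stands in for the network, and a live fetcher with the same fetch(url) -> (status, Location) contract (for example urllib with redirects disabled so each 3xx is surfaced rather than followed) drops in for real use, ideally from a throwaway VM since each request still hands the tracker your IP and the per-recipient token in the URL.

```python
"""Offline triage of a suspicious e-mail: who it claims to be from, where its
links point, and where those links actually land after redirects."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample message; every domain here is hypothetical (.test TLD).
SAMPLE_EMAIL = (
    "Received: from mail.example-sender.test (mail.example-sender.test [192.0.2.10])"
    " by mx.recipient.test with ESMTP id abc123\n"
    "From: NFL Updates <news@example-sender.test>\n"
    "Reply-To: bounce@example-bounce.test\n"
    "Subject: NFL Week 3 picks\n"
    "Content-Type: text/html\n"
    "\n"
    "<html><body>\n"
    '<a href="http://links.example-tracker.test/r/HDQC4KL">Get your picks</a>\n'
    '<img src="http://img.example-tracker.test/img/nfl.gif">\n'
    "</body></html>\n"
)

# Constructed redirect chain modelled on the 302 -> 302 -> 200 hops in the post.
FAKE_HOPS = {
    "http://links.example-tracker.test/r/HDQC4KL":
        (302, "http://go.example-affiliate.test/single?campaign=ma0012"),
    "http://go.example-affiliate.test/single?campaign=ma0012":
        (302, "http://www.example-landing.test/free"),
    "http://www.example-landing.test/free": (200, None),
}


def fake_fetch(url):
    """Offline fetcher: (status, Location header) from the constructed table."""
    return FAKE_HOPS.get(url, (404, None))


def registrable_domain(host):
    """Crude 'last two labels' registrable domain; enough to compare senders."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def header_domains(msg):
    """Domains from From:, Reply-To: and the first (outermost) Received: hop."""
    found = {}
    for hdr in ("From", "Reply-To"):
        addr = parseaddr(msg.get(hdr, ""))[1]
        if "@" in addr:
            found[hdr] = registrable_domain(addr.rsplit("@", 1)[1])
    hop = re.search(r"\bfrom\s+(\S+)", msg.get("Received", ""))
    if hop:
        found["Received"] = registrable_domain(hop.group(1))
    return found


class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in (("a", "href"), ("img", "src")) and value:
                self.urls.append(value)


def body_links(msg):
    """Every <a href> and <img src> in the HTML body, in order, de-duplicated."""
    parser = _LinkCollector()
    parser.feed(msg.get_payload(decode=True).decode("utf-8", "replace"))
    return list(dict.fromkeys(parser.urls))


def follow_redirects(url, fetch, max_hops=10):
    """Return the hop list [start, ..., final]; refuse loops and endless chains."""
    chain = [url]
    while True:
        status, location = fetch(chain[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            return chain
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain:
            raise ValueError("redirect loop at " + nxt)
        if len(chain) > max_hops:
            raise ValueError("more than %d redirects" % max_hops)
        chain.append(nxt)


def triage(raw_email, fetch=fake_fetch):
    """Compare the claimed sender domains with where each link finally lands."""
    msg = message_from_string(raw_email)
    headers = header_domains(msg)
    links = {}
    for url in body_links(msg):
        chain = follow_redirects(url, fetch)
        links[url] = {"chain": chain,
                      "final_domain": registrable_domain(urlsplit(chain[-1]).hostname)}
    unrelated = sorted({v["final_domain"] for v in links.values()}
                       - set(headers.values()))
    return {"headers": headers, "links": links, "unrelated_landing_domains": unrelated}
```

Run triage(SAMPLE_EMAIL) and the report shows the same picture the post arrived at by hand: the sender, the Reply-To and the tracker are three different domains, the image host is a fourth, and the tracking link only resolves to the landing site after two 302s. The loop and hop-count guards matter because a redirector that bounces a scanner forever is a cheap way to stall automated analysis.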

Which leaves me wondering. Given that it’s this annoying for an average user, what is someone who’s worried about being compromised to do when they haven’t a clue?
