The NFL: Fostering Social Engineering?
So, yesterday I wrote this blog entry talking about some social engineering tactics enabled by an American fascination with the NFL.
While looking at the email spam received from a Storm malware distribution campaign, I’m thinking, who in their right mind would ever click on such a link? Two sample spam messages we received are included below.
Well, apparently, the folks behind this thought the same, and, as mentioned, they cleaned things up a bit, and went out and got themselves an actual domain name. For those of you that didn’t receive the more appealing version of the spam, the Trend folks provided a graphic of one version in their blog. One domain name registered for this purpose was, intuitively enough, freeNFLtracker.com.
GeekTools Whois Proxy v5.0.4 Ready.
Checking server [whois.crsnic.net]
Checking server [whois.estdomains.com]
Registration Service Provided By: LOMTI INC.
Domain Name: FREENFLTRACKER.COM
Garry Bark (firstname.lastname@example.org)
Creation Date: 13-Sep-2007
Expiration Date: 13-Sep-2008
Domain servers in listed order:
No NameServers Defined.
Note: This Domain Name is Suspended. In this status the domain name is
InActive and will not function.
Well, not surprisingly, that domain has since been suspended, as indicated in the whois output above. Coincidentally, the IP addresses listed in the URLs of the email spam messages above, providing links to additional Storm malware distribution sites, in addition to several others we’ve received, have since been taken offline as well.
So, in general, folks are continuing to do a good job at reacting to Storm’s continued shenanigans.
However, that’s not what piqued my interest here. While trudging through email this morning I had another message with an NFL-related subject line:
I certainly don’t recall subscribing to this list, so I figure it’s another Storm scam. However, when looking at the message itself I see a From address of email@example.com, as well as a Reply-To: address of firstname.lastname@example.org. So, I expand the headers and have a look at the message source to see where it came from and where the links in the message are directing me:
Received: from nfl.outbound.ed10.net (nfl.outbound.ed10.net [18.104.22.168])
And most of the images in the email are loading from files located in subdirectories on images.ed4.net:
So, I dig nfl.com mx to look for MX records for nfl.com and find:
;; ANSWER SECTION:
nfl.com. 206 IN MX 5 mail.nfl.net.
And I dig mail.nfl.com mx:
;; ANSWER SECTION:
mail.nfl.com. 300 IN MX 50 mail-router.e-dialog.com.
And find this e-dialog.com domain in the mail.nfl.com MX DNS RR. And then see that most of the links in the email are pointing to subdirectories here:
http://nfl.ed10.net or http://view.ed4.net
And so a whois reveals that these ed*.net domains are registered by someone with an @e-dialog.com email address.
That all looks pretty reasonable, although NFL.com is nowhere in the mix — unless you load the links in question and find that you land on actual nfl.com servers after a few redirects:
danny@rover% wget http://nfl.ed10.net/h/D4URH3/C532AS/36/HDQC4KL
Resolving nfl.ed10.net… done.
Connecting to nfl.ed10.net[22.214.171.124]:80… connected.
HTTP request sent, awaiting response… 302 Moved Temporarily
Location: http://football.nfl.com/splash/football/nfl/single?campaign=ma0012&refcode=nfl-ed_0918FH [following]
Resolving football.nfl.com… done.
Connecting to football.nfl.com[126.96.36.199]:80… connected.
HTTP request sent, awaiting response… 302 Found
Location: http://www.nfl.com/fantasy/free [following]
Resolving www.nfl.com… done.
Connecting to www.nfl.com[188.8.131.52]:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: unspecified [text/html]
[ ] 68,868 344.89K/s
11:20:59 (344.89 KB/s) – `free’ saved 
After checking out the URLs and sites in question, they all appear to be legit; annoying, but legit.
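The checks walked through above (which host actually handed the mail over, whose hosts the links and images live on, and where the redirect chain finally lands) can be scripted. What follows is an added example, not code from the original post. The sample message, its IP address, the link paths and the Reply-To domain example-esp.net are constructed for illustration, and the fake fetcher mirrors the hop sequence of the wget run above instead of touching the network.

```python
"""Added example, not from the original post: script the checks the post
does by hand.  Sample mail and fake web are constructed so it runs offline."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the NFL mailing above; addresses, IP,
# paths and the ESP domain are invented for illustration.
SAMPLE_MAIL = """\
Received: from nfl.outbound.ed10.net (nfl.outbound.ed10.net [192.0.2.10])
    by mx.example.net with ESMTP; Tue, 18 Sep 2007 11:02:17 -0400
From: "NFL.com" <fantasy@nfl.com>
Reply-To: bounce@nfl.mail.example-esp.net
Subject: Free NFL Fantasy Football
Content-Type: text/html

<html><body>
<a href="http://nfl.ed10.net/h/EXAMPLE/1">Play fantasy football</a>
<img src="http://images.ed4.net/nfl/banner.gif">
<a href="http://www.nfl.com/fantasy/free">nfl.com</a>
</body></html>
"""

def registrable_domain(host):
    # Last two labels: fine for .com/.net; a real tool would use the PSL.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class _LinkHosts(HTMLParser):
    """Collect the hosts that <a href> and <img src> point at."""
    def __init__(self):
        super().__init__()
        self.hosts = set()
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in (("a", "href"), ("img", "src")) and value:
                host = urlsplit(value).hostname
                if host:
                    self.hosts.add(host)

def audit_message(raw):
    """Return the From domain and every host (Received sender, Reply-To,
    link and image hosts) that is not inside that domain."""
    msg = message_from_string(raw)
    from_domain = registrable_domain(parseaddr(msg["From"])[1].split("@")[-1])
    m = re.search(r"from\s+(\S+)", msg.get("Received", ""))
    received_host = m.group(1) if m else None
    parser = _LinkHosts()
    parser.feed(msg.get_payload())
    candidates = set(parser.hosts)
    if received_host:
        candidates.add(received_host)
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to:
        candidates.add(reply_to.split("@")[-1])
    return {"from_domain": from_domain, "received_host": received_host,
            "link_hosts": sorted(parser.hosts),
            "third_party": sorted(h for h in candidates
                                  if registrable_domain(h) != from_domain)}

def follow_redirects(url, fetch, max_hops=5):
    """Walk a redirect chain one hop at a time.  fetch(url) returns
    (status, location) and must not follow redirects itself.  Returns the
    URLs visited; raises on a loop or on more than max_hops redirects."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in (301, 302, 303, 307, 308):
            return chain
        if not location:
            raise ValueError(f"{status} without Location at {chain[-1]}")
        if location in chain:
            raise ValueError(f"redirect loop at {location}")
        chain.append(location)
    raise ValueError(f"more than {max_hops} redirects from {url}")

def lands_on(chain, domain):
    """True if the chain ends on a host inside domain."""
    return registrable_domain(urlsplit(chain[-1]).hostname or "") == domain

# Constructed stand-in for the network, mirroring the hop sequence of the
# wget run above (paths and query strings invented); the second chain is a
# tracker link that never reaches the brand it claims.
FAKE_WEB = {
    "http://nfl.ed10.net/h/EXAMPLE/1":
        (302, "http://football.nfl.com/splash/fantasy?campaign=EXAMPLE"),
    "http://football.nfl.com/splash/fantasy?campaign=EXAMPLE":
        (302, "http://www.nfl.com/fantasy/free"),
    "http://www.nfl.com/fantasy/free": (200, None),
    "http://nfl.ed10.net/h/EXAMPLE/2": (302, "http://tracker.example.net/go"),
    "http://tracker.example.net/go": (200, None),
}
fake_fetch = FAKE_WEB.__getitem__  # one "request" against the constructed web

if __name__ == "__main__":
    print(audit_message(SAMPLE_MAIL))
    chain = follow_redirects("http://nfl.ed10.net/h/EXAMPLE/1", fake_fetch)
    print(" -> ".join(chain), "| lands on nfl.com:", lands_on(chain, "nfl.com"))
```

For live use, pass a fetch callable that makes a single HEAD request with automatic redirect following disabled (in urllib, an HTTPRedirectHandler whose redirect_request returns None, so the 3xx surfaces as an HTTPError carrying the Location header; on the command line, curl -sI without -L) and returns the status code and Location. A non-empty third_party list is not proof of a scam, as the e-dialog case shows: legitimate senders outsource bulk mail all the time. It just tells you which hosts to run whois and dig against, and whether the chain ends on the brand the mail claims to be from. The two-label domain comparison is a simplification that breaks for suffixes such as .co.uk.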
Which leaves me wondering. Given that it’s this annoying for an average user, what is someone who’s worried about being compromised supposed to do when they haven’t a clue?