The NFL: Fostering Social Engineering?

So, yesterday I wrote this blog entry talking about some social engineering tactics enabled by an American fascination with the NFL.

While looking at the email spam received from a Storm malware distribution campaign, I'm thinking: who in their right mind would ever click on such a link? Two sample spam messages we received are included below.

Storm-driven NFL Tracker spam emails

Well, apparently the folks behind this thought the same thing: as mentioned, they cleaned things up a bit and went out and got themselves an actual domain name. For those of you that didn't receive the more appealing version of the spam, the Trend folks provided a graphic of one version in their blog. One domain name registered for this purpose was, intuitively enough, freeNFLtracker.com.

GeekTools Whois Proxy v5.0.4 Ready.

Checking server [whois.crsnic.net]

Checking server [whois.estdomains.com]
Results:
Registration Service Provided By: LOMTI INC.
Contact: +351.3456712

Domain Name: FREENFLTRACKER.COM

Registrant:
NA
Garry Bark (binokular15@yahoo.com)
N/A
Los-Angeles
CALI,53113
US
Tel. +1.3235112327

Creation Date: 13-Sep-2007
Expiration Date: 13-Sep-2008

Domain servers in listed order:
No NameServers Defined.

Administrative Contact:
[snip]

Technical Contact:
[snip]

Billing Contact:
[snip]

Status:SUSPENDED
Note: This Domain Name is Suspended. In this status the domain name is
InActive and will not function.

Not surprisingly, that domain has since been suspended, as the whois output above indicates. The IP addresses in the URLs of the spam messages above, which pointed to additional Storm malware distribution sites, have been taken offline as well, along with several others we've received.

So, in general, folks are continuing to do a good job at reacting to Storm’s continued shenanigans.

However, that's not what piqued my interest here. While trudging through email this morning I had another message with an NFL-related subject line:

NFL Email

I certainly don't recall subscribing to this list, so I figure it's another Storm scam. However, when looking at the message itself I see a From address of nfl@mail.nfl.com, as well as a Reply-To address of some_token@mail.nfl.com. A From header proves nothing on its own, since the sender writes whatever they like there, so I expand the headers and have a look at the message source to see where it actually came from and where the links in the message are directing me:

Received: from nfl.outbound.ed10.net (nfl.outbound.ed10.net [64.14.86.196])

And most of the images in the email are loading from files located in subdirectories on images.ed4.net:

http://images.ed4.net/images/htdocs/nfl/2007/

So, I dig nfl.com mx to look for MX records for nfl.com and find:

;; ANSWER SECTION:
nfl.com. 206 IN MX 5 mail.nfl.net.

And I dig mail.nfl.com mx:

;; ANSWER SECTION:
mail.nfl.com. 300 IN MX 50 mail-router.e-dialog.com.

So e-dialog.com turns up in the MX record for mail.nfl.com. And then I see that most of the links in the email point to paths under:

http://nfl.ed10.net or http://view.ed4.net

And so a whois reveals that these ed*.net domains are registered by someone with an @e-dialog.com email address.
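To make the checks above repeatable, here is an added example (it is not code from the original post) that does the same triage on a constructed message modelled on the headers and links quoted above: it pulls the domain the From header claims, the host named in the Received line, and every link host in the body, then reports which hosts fall outside the claimed domain. The relay mx.example.net, the token paths and the timestamps in the sample are placeholders, and the registrable-domain helper is a two-label approximation rather than a Public Suffix List lookup.

```python
"""Header and link triage for a suspect marketing email.

Added example: pulls the claimed sender domain, the Received: host and
every link host out of a message, then reports which hosts sit outside
the domain the From: header claims.  A mismatch is a lead for the
whois/dig/redirect checks, not proof of anything by itself, since the
From: header is whatever the sender chose to write.
"""
import email
import email.utils
import re
from email import policy

# Constructed sample, modelled on the headers and links quoted in the
# post.  The relay mx.example.net, the tokens and the paths are
# placeholders, not values from the real message.
SAMPLE_MESSAGE = b"""\
Received: from nfl.outbound.ed10.net (nfl.outbound.ed10.net [64.14.86.196])
\tby mx.example.net with ESMTP; Tue, 18 Sep 2007 09:12:03 -0400
From: NFL <nfl@mail.nfl.com>
Reply-To: some_token@mail.nfl.com
To: danny@example.net
Subject: Play Free Fantasy Football
Content-Type: text/html; charset=us-ascii

<html><body>
<a href="http://nfl.ed10.net/h/EXAMPLE/TOKEN">Sign up now</a>
<img src="http://images.ed4.net/images/htdocs/nfl/2007/banner.gif">
<a href="http://view.ed4.net/?m=TOKEN">View in browser</a>
<a href="http://www.nfl.com/fantasy/free">nfl.com</a>
</body></html>
"""

URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
RECEIVED_FROM_RE = re.compile(r"^\s*from\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def registrable_domain(host):
    """Last two labels of a host name: good enough for .com/.net, but a
    real tool should use the Public Suffix List (think example.co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def address_domain(header_value):
    """Domain part of the first address in a From:/Reply-To: header."""
    _, addr = email.utils.parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def triage(raw_message):
    msg = email.message_from_bytes(raw_message, policy=policy.default)

    claimed = registrable_domain(address_domain(msg["From"]))
    reply_to = registrable_domain(address_domain(msg["Reply-To"])) if msg["Reply-To"] else None

    # Host each Received: line says it got the message from.  The top line
    # was written by your own MX; anything below your own servers was
    # written by the sender and can say whatever it likes.
    received_from = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_FROM_RE.match(str(hdr))
        if m:
            received_from.append(m.group(1).lower())

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    link_hosts = sorted({h.lower() for h in URL_HOST_RE.findall(text)})

    on_domain = [h for h in link_hosts if registrable_domain(h) == claimed]
    off_domain = [h for h in link_hosts if registrable_domain(h) != claimed]

    return {
        "claimed_domain": claimed,
        "reply_to_matches_from": reply_to == claimed,
        "received_from": received_from,
        "on_domain_hosts": on_domain,
        "off_domain_hosts": off_domain,
        # Domains worth a whois/dig before trusting the mail at all
        "third_party_domains": sorted(
            {registrable_domain(h) for h in off_domain + received_from} - {claimed}
        ),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

On the sample this reports nfl.com as the claimed domain, nfl.outbound.ed10.net as the handing-off host, and ed10.net and ed4.net as the third-party domains to go whois and dig against, which is exactly the list worked through by hand above.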

The headers, MX records and whois records all look pretty reasonable, although NFL.com is nowhere in the mix, unless you load the links in question and find that you land on actual nfl.com servers after a few redirects:

danny@rover% wget http://nfl.ed10.net/h/D4URH3/C532AS/36/HDQC4KL
--11:20:57-- http://nfl.ed10.net/h/D4URH3/C532AS/36/HDQC4KL
=> `HDQC4KL'
Resolving nfl.ed10.net... done.
Connecting to nfl.ed10.net[64.28.75.210]:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: http://football.nfl.com/splash/football/nfl/single?campaign=ma0012&refcode=nfl-ed_0918FH [following]
--11:20:57-- http://football.nfl.com/splash/football/nfl/single?campaign=ma0012&refcode=nfl-ed_0918FH
=> `single?campaign=ma0012&refcode=nfl-ed_0918FH'
Resolving football.nfl.com... done.
Connecting to football.nfl.com[64.30.236.33]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.nfl.com/fantasy/free [following]
--11:20:58-- http://www.nfl.com/fantasy/free
=> `free'
Resolving www.nfl.com... done.
Connecting to www.nfl.com[63.236.1.147]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]

[ ] 68,868 344.89K/s

11:20:59 (344.89 KB/s) - `free' saved [68868]

After checking out the URLs and sites in question, they all appear to be legit; annoying, but legit.
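wget only exposed the chain above because it happens to print each Location as it follows it. Here is an added example, not from the original post, that walks a redirect chain one hop at a time with http.client and redirects disabled, so every intermediate host is recorded, loops and over-long chains abort, and any hop outside the brand's domain is called out. The replay table at the bottom is a constructed offline transport that reproduces the three hops from the wget transcript so the walker can be exercised without touching the real servers.

```python
"""Walk an HTTP redirect chain one hop at a time.

Added example.  Each GET is made without redirect following so that every
intermediate host is recorded; loops and over-long chains raise instead
of spinning.  The replay transport at the bottom reproduces the chain
from the wget transcript so the walker can be exercised offline.
"""
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_HOPS = 10


def http_fetch(url, timeout=10):
    """Single GET, no redirect following.  Returns (status, Location)."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        conn = http.client.HTTPSConnection(parts.hostname, parts.port, timeout=timeout)
    else:
        conn = http.client.HTTPConnection(parts.hostname, parts.port, timeout=timeout)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    try:
        conn.request("GET", target, headers={"User-Agent": "redirect-walker/0.1"})
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def walk_redirects(url, fetch=http_fetch, max_hops=MAX_HOPS):
    """Return [(url, status), ...] from the start URL to the first
    non-redirect response.  Raises RuntimeError on a loop or once
    max_hops redirects have been followed without landing anywhere."""
    hops = []
    seen = set()
    current = url
    while True:
        if current in seen:
            raise RuntimeError("redirect loop back to " + current)
        seen.add(current)
        status, location = fetch(current)
        hops.append((current, status))
        if status not in REDIRECT_STATUSES or not location:
            return hops
        if len(hops) > max_hops:
            raise RuntimeError("gave up after %d redirects" % max_hops)
        current = urljoin(current, location)  # Location may be relative


def hosts_in_chain(hops):
    """Host name of every hop, in order, for eyeballing where the chain went."""
    return [urlsplit(u).hostname for u, _ in hops]


def off_brand_hosts(hops, brand):
    """Hops whose host is not brand or a subdomain of it, e.g. the
    tracking domain sitting in front of the real site."""
    brand = brand.lower()
    return [h for h in hosts_in_chain(hops) if not (h == brand or h.endswith("." + brand))]


# Constructed offline transport replaying the three hops in the wget
# transcript above; the real servers are never contacted.
REPLAYED_CHAIN = {
    "http://nfl.ed10.net/h/D4URH3/C532AS/36/HDQC4KL":
        (302, "http://football.nfl.com/splash/football/nfl/single?campaign=ma0012&refcode=nfl-ed_0918FH"),
    "http://football.nfl.com/splash/football/nfl/single?campaign=ma0012&refcode=nfl-ed_0918FH":
        (302, "http://www.nfl.com/fantasy/free"),
    "http://www.nfl.com/fantasy/free": (200, None),
}


def replay_fetch(url):
    return REPLAYED_CHAIN[url]


if __name__ == "__main__":
    chain = walk_redirects("http://nfl.ed10.net/h/D4URH3/C532AS/36/HDQC4KL", fetch=replay_fetch)
    for hop_url, status in chain:
        print(status, hop_url)
    print("off-brand hosts:", off_brand_hosts(chain, "nfl.com"))
```

Drop the fetch argument to run it against a live link. Keep in mind that the tokenized path in a link like this is what ties a click back to a recipient, so walking it from a lab box confirms your address to the sender just as surely as clicking it would.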

Which leaves me wondering. Given that it's this annoying for an average user, what is someone who's worried about being compromised supposed to do when they haven't a clue?
