They go good together...Batman is the Dark Knight and Bobo is the Dork Knight.

Please allow me to ramble on a bit about the technical nature of this type of attack.  Note that I have not spoken directly to Larry about this, so nothing I'm going to say is based on any direct knowledge of his situation.  However, I know a lot about this industry, and I bet I can guess pretty darn accurately what happened.  Larry, feel free to correct me where I'm wrong =)

Attacks like this are NOT "clever" or "sophisticated".  They are, however, very very common.  It's the natural evolution of a phishing attack.  The first phase of the attack is rarely, if ever, actually targeted at the user who gets his email account bonked.  It's typically accomplished through some type of malicious website, most of which take advantage of security holes in Adobe Reader and/or Flash, or older versions of Internet Explorer.  Through technical means that I won't get into here (typically through something called a "buffer overflow" in software on your computer - Google "Phrack 49" for details), unscrupulous people who gain control of websites (either their own, or that of a third party) can install software on your computer without your noticing.  Sometimes antivirus software picks up on this, sometimes it doesn't.  This "malware" can do any of a number of things - one of the more popular tricks lately is to pop up fake warning messages ("Your computer has been hacked!  Click here to fix it") and then promise to fix your computer for only $20.  Google "Malware Doctor" for an example of this one.  One of the other things that it can do is install a keylogger on your computer.  This is automated software that records all of your keystrokes and sends them off to a remote location.  Bad keyloggers record everything - good ones can tell when you're entering a password and just grab that.  Once that software is installed, you're basically toast.  If they catch a bank account password, they can swipe your money.  If they catch an email password, they can send out a phishing email like this one (note that this is often called "spear-phishing" because the phishing attack itself is customized/targeted and relies on the trust of people in your address book).  It's simply a numbers game.  If they can get .01% of people to fall for this and send $100 (or whatever), then they need to send out 10,000 emails in order to get paid.  That may sound like a lot, but I have well north of 500 people in my address book, because GMail automatically adds everybody I've ever emailed to it.  If everybody has a similar number, then the bad guys only need to access 20 email accounts to send their 10,000 emails and get paid.  Those economics ain't too bad =)  For an entertaining, and educational, view of the "blackhat" economy, and how easy it is to make money maliciously on the web, check out this presentation by Jeremiah Grossman, who's one of the thought leaders in the web application security space: http://www.youtube.com/watch?v=SIMF8bp5-qg

There's lots of other ways to get your password snarfed, none of which involve any exceptional degree of attacker skill.  Using any kind of internet kiosk/library computer/other public system is a bad idea - they probably already have keyloggers/other malware on them.  So is any kind of open wifi connection (e.g., Starbucks), as this traffic can be easily "sniffed".  Even if you don't browse to malicious websites, which are usually in the "dark corners" of the web, you can still get nailed - either through something called Cross-Site Scripting, where a bad guy can use a "good" website to force you to a bad one, or by directly hacking a "good" site so that it hosts the malware.  There were even examples of big websites (I think one was Myspace, but I can't remember off the top of my head right now) about a year ago who were hosting malicious files.......in their advertising systems.  Basically, a bad guy was able to submit an Adobe Flash banner ad through their system that automagically attempted to "hack" the system of anybody who viewed the ad.  It's things like this that cause companies to make "exit pages" - if you click from the company's site to a third party, there's a warning page in the middle telling you "ANYTHING BAD THAT HAPPENS BEYOND THIS POINT ISN'T OUR FAULT".  I've had clients who have linked to third party sites, then the owner of that site lets the domain registration lapse and it gets bought up by someone who wants to peddle hardcore adult content....once that happens, it looks like the company is endorsing that adult content.  Not good times.

Anyways, that's a lot of ranting - the tl;dr is that it's easy to get your password snarfed, and there's nothing advanced or clever about the attack.  It's simply a numbers game.  And Slager's still making stuff up  - he even admitted in a comment on his site that he googled for the first sentence of Larry's email, so he has seen for himself the multitude of other examples of the same thing happening. 

If people think it would be helpful, I'd be happy to answer any computer security questions you have.  Either in here, or I can start a new thread.  Just cut me some slack if my responses are slow...I'm too focused on baby care!!

Bobo you jerk you are so transparent. Your mistake is thinking that people are as stupid as you are. Darkknight sounds like your chat version of Paul Shooter. Your style of writing is instantly recognizable even when you try to hide your style of writing. You know you screwed up and now you introduce some new tinfoil member to defend your unethical behavior. You are an idiot. You need to seek serious mental health help.

By: robertslager on 5/17/10 

And you're right, Darkknight. I probably should have played dumb and asked how to send money to whomever sent that e-mail to me. I didn't think of it at the time. I wish I had.



Bobo you don't have to play dumb

TAKEBACKWAREHAM
P-SPAN

After thinking about this some more, and seeing Slager's comments upthread, there's two additional things that I forgot to address:

1. Getting access to the account without first compromising a computer - I made the big (and possibly wrong) assumption above that the compromise started because of an incident on a computer of Larry's.  It's also possible that an attacker simply went after his account, likely either with some sort of dictionary attack, or after seeing the account name online somewhere.  Let's face it - the AOL user community is probably the least-tec hnically-inclined group of Internet users out there (no offense, Larry).  As such, they're the least likely to have strong passwords/security questions, and most likely to fall victim to phishing/other attacks.  The attacker(s) could have either guessed Larry's password outright, or abused the password reset process to retrieve or reset the password.  If you think this is far-fetched, that password-reset-abuse is exactly how Sarah Palin got her email account hacked in 2008.  As for password guessing, it's often not hard.  In my time, I've seen movie companies use famous character names as passwords, banks use "money", EVERYBODY use "password", variations of "redsox" and "patriots" and other local sports teams...and you'd be shocked at how often 4-letter-words are used (passwords like "f***thisjob!" were not uncommon for normal office users).  I don't know if it was through this method that Larry lost his password, but it's entirely possible.

2. How does the bad guy actually get money out of this?  A suspicious mind might say "but Cas, there was no direct way to send money from the email - why wouldn't a real bad guy have put something else in there?  That obviously means it was Larry who sent the email."  BZZZZ!  Wrong!!  Remember, Mr. Badguy has control of Larry's email account - he may or may not have actually locked Larry out, but if I were doing this, I would NOT lock Larry out...no reason to raise suspicion.  Since they have access to the account, they would simply monitor for replies.  If anybody responds, they interject a little human touch to finish off the con.  Depending on the amount they're looking for, they would typically ask for the money to be transferred via Western Union to some international location, or via a less-than-reputable version of paypal such as eGold.  Once the transfer is complete, they disappear, likely wiping out all of the messages in the inbox as well as the address book.  This type of attack works best on older, unused accounts, specifically because the account owner would be less likely to notice the compromise. 

And, not that I'm awesome at Google or anything, but here's a blow-by-blow of someone else who got hit with a very similar email scam(same idea - stuck in Wales with no money - but somewhat different wording).  The guy responded to the initial email, and eventually got a request to wire over 2,300 GBP via western union.  Note that this is on the first page of google results when you search for the opening line of the attacker's email.  Not exactly rocket science/super journalism to find it.  Just basic research before you go and smear somebody (which I guess is why we shouldn't have expected Slager to do it...)

EDIT: typo

Last edited by acasualobserver (2010-05-18 00:40:57)

IT WAS SAID BEFORE BUT IT IS ABSOLUTE PROOF THAT IT WAS A SCAM. WHY WOULD ANYONE WHO KNOWS ROBERT SLAGER SOLICITE HIM FOR MONEY???????? THE GUY DOESNT HAVE A POT TO PISS IN. AND STILL SILENCE ON PAYING BACK HIS RENT THAT HE PROMISED TO DO IN APRIL.

Bobo everyone knows you are broke why would anyone send you an email asking for money?

I don't know Larry and I don't want to suggest that I do. If you go back and read his posts you get the impression that he is articulate, educated, and funny. He also gives his email address if anyone wants to contact him. I might take him up on that offer. Isn't it odd that all these experts weighing in haven't taken the time to talk to him? Maybe Batman could pick up the batphone and give him a call? I would be willing to bet that legal team of Slager & Jones do not have all the facts and probably do not care to get all the facts. Why ruin a good smear campaign with the facts and truth?

Larry are you out there?

Holy Bobo, Batman!!


TAKEBACKWAREHAM
P-SPAN

TAKEBACKWAREHAM
P-SPAN

BEHOLD, THE DORK KNIGHT'S FAVORITE SNACK:



THE BAT BAGEL!

Hamatron5000 wrote:

Bahhh ha...his first "holy" in that video is "Holy Barracuda!"

I noticed that too..the vid after is the "Dark Knight" having a conversation with himself..Hey Assclown..the ridiculous "script" that is your life was written already for a cheesy 60's "action" comedy..Bam! Splash!! Boom!! Tune in next week, folks..Same Bobo time..same Bobo channel..

TAKEBACKWAREHAM
P-SPAN

TAKEBACKWAREHAM
P-SPAN

Last edited by P-SPAN (2010-05-18 17:36:46)

In case Mr. Slager needs step by step instructions...



Auto-edited on 2020-08-11 to update URLs