Banking Scam Revealed

1 Overview

Not all people that send undesirable email (spam) are the same. Their motives differ as greatly as their tools and technical abilities. This document uncovers a spam gang who seeks to acquire your banking information, and the response from one of the targeted victims: Citibank.

This document describes the unique bulk-mailing tool used for recent rash of financial email scams. These scams target financial entities such as Citibank, Wells Fargo, Halifax Bank, eBay, and Yahoo. Only one specific spam gang uses this tool for these financial scams. This spam gang started slow with only a few members, but has increased in both gang membership and spam volume.

All emails and headers are provided unmodified with the following exception: all personal information has been modified to protect the identity of the recipient. These modifications are denoted with bold and underlined typeset. Every effort has been made to retain the same data format without disclosing personal information. For data taken from the public domain, such as newsgroup postings and messages from open forums, no effort has been made to modify the data or protect the publicly disclosed recipient.

2 The Citibank Scam

With the growth of online banking comes online fraud. These schemes vary from web sites that "look" like the actual financial institution to email asking for personal banking information. At first glance, the email below (Fig. 1) looks like just another one of these simple bank fraud schemes.

 Received: from host70-72.pool80117.interbusiness.it ([80.117.72.70])           by mailserver with SMTP           		  id <20030929021659s1200646q1e>; Mon, 29 Sep 2003 02:17:00 +0000 Received: from sharif.edu [83.104.131.38] by host70-72.pool80117.interbusiness.it (Postfix) with  ESMTP id EAC74E21484B for <e-response@securescience.net>; Mon, 29 Sep 2003 11:15:38 +0000 Date: Mon, 29 Sep 2003 11:15:38 +0000 From: Verify <verify@citibank.com> Subject: Citibank E-mail Verification: e-response@securescience.net To: E-Response <e-response@securescience.net> References: <F5B12412EAC2131E@securescience.net> In-Reply-To: <F5B12412EAC2131E@securescience.net> Message-ID: <EC2B7431BE0A6F48@citibank.com> Reply-To: Verify <verify@citibank.com> Sender: Verify <verify@citibank.com> MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 8bit Dear Citibank Member, This email was sent by the Citibank server to verify your e-mail address. You must complete this process by clicking on the link below and entering in the small window your Citibank ATM/Debit Card number and PIN that you use on ATM. This is done for your protection -t- becaurse some of our members no longer have access to their email addresses and we must verify it. To verify your e-mail address and access your bank account, click on the link below. If nothing happens when you click on the link (or if you use AOL)K, copy and paste the link into the address bar of your web browser. http://www.citibank.com:ac=piUq3027qcHw003nfuJ2@sd96V.pIsEm.NeT/3/?3X6CMW2I2uPOVQW y---------------------------------------------            Thank you for using Citibank! C--------------------------------------------- This automatic email sent to: e-response@securescience.net Do not reply to this email. R_CODE: ulG1115mkdC54cbJT469

At a quick glance, this email appears to be from Citibank, as it contains a Citibank URL. But a closer inspection indicates a financial scam:

• The email contains multiple misspellings and grammatical errors, such as "becaurse" and "This automatic email sent to:".
• The content contains hash-busters (unique characters in the contents that are used to bypass hash-based spam filters). For example, the "-t-" and "K" in the main paragraphs, and the "y" and "C" before the long lines of hyphens. Different recipients received the message with different hash-buster characters.
• Although the included URL begins with "www.citibank.com", it actually goes to "sd96v.pisem.net" [ref 1]. This server is hosted in Moscow, Russia and is not part of Citibank.
• The email header does not originate from Citibank. Instead, it originated from a DSL system in Italy. Network scans of this host (Appendix A) indicate that the system was likely compromised.

People who clicked on the link saw the Citibank web page and a popup that prompts for login information (Fig. 2, Fig. 3). Although the Citibank web page actually came from Citibank, the popup came from a non-Citibank server. Victims that entered banking information in the popup essentially gave their accounts to an unknown scam artist.

Figure 2: Trojan login popup from 29-Sep-2003.[ref 2]

Figure 3: Reply screen after entering login information.

2.1 Mass Mailing Revisions

The 29-Sep-2003 mass mailing (Fig. 1, Fig. 2, and Fig. 3) is actually the second revision of the fraudulent bank emails. The first revision appeared on 16-Aug-2003 and asked the recipient to view new banking terms and conditions. Users who clicked on the link were redirected to a server in China. The first revision included the recipient's email address as a field in the URL. The second revision replaced the address field with a series of random characters. The popup for the second revision only asked for the user's Card and PIN numbers. The third release on 25-Oct-2003 (Fig. 4) was revised to prompt for the user's Card number, PIN number, and expiration date.

In nearly every case, a Russian server was used, either to host the requests, or to act as a web-bug and count the number of hits. For example, the web bug from the first revision can be found here. According to this web-log, there were 107,274 hits on 16-Aug-2003, and 91,573 hits on 17-Aug-2003 (Fig. 5). These were primarily due to responses to the first spam message. In contrast, the day before the mass mailing, there was only one web-log entry, from "68.82.62.191" - a cable modem in Tybouts Corner, Delaware. The Delaware system was used 8 out of 10 times in the week prior to the mass mailing [ref 3] (Fig. 6) and was likely used for testing the web server. It is unclear whether this is the IP address of the actual perpetrator or a compromised host. Network scans of the host suggest the presence of a firewall and no open proxy services, so it is unlikely that the host previously provided an open proxy [ref 4].

Figure 4: The third revision of the Citibank trojan login, from 25-Oct-2003. A server in Moscow, Russia provides the popup but the main window actually is the Citibank home page.

Figure 5: Number of daily web hits recorded by the Russian web bug from the 16-Aug-2003 Citibank mailing.

Figure 6: IP addresses from the week preceding the 16-Aug-2003 mailing. A Delaware address repeatedly accessed the web bug prior to the mass mailing. This likely indicates someone testing before the public release.

3 Linking Scams

In order to operate a spam-based financial scam, three items are required: (1) a bulk mailing tool, (2) an individual or group to operate the tool, and (3) a method to collect victim information. By identifying these items, we can identify related scams by the same spam group, and distinguish these scams from scams initiated by other groups.

3.1 Bulk Mailing Tool

People that send spam operate with millions of email addresses. To generate the emails within a reasonable amount of time, an automated email tool is used. Different tools have different unique traits. In the case of this Citibank scam, the tool has a unique "Message-ID" value in the email header: 16 to 17 characters consisting of "A-Z" and "0-9", followed by "@" and the forged sender's domain. Comparing this unique sequence to a large spam collection such as the Great Spam Archive [ref 5] (GSA) and the newsgroup news.admin.net-abuse.sightings (NANAS), we can identify similar messages. For example, between 11-Nov-1997 and 21-Aug-2003 the GSA recorded 17,867 spam messages. Of those, only 16 messages matched the unique signature of this specific bulk-mailing tool. All 16 matches were found clustered in the last five (5) months of the archive.

24 Apr 2003 13:01:55

0JJ9H7JGA03EI8A7I@att.net

Rich, Hello! My name is John Turner....

15 Jun 2003 12:41:00

D4CI74IDH3FKH13D@att.net

Dear Rich! I've been scammed over...

07 Jul 2003 07:43:51

2EF98ADD2HG3CJ54@att.net

Rich, Any software just for 15$ - 40$

17 Jul 2003 10:39:28

76E7A5HFIJIHK63C@e-loan.com

[Ftpserver] Re: Your E-Loan Refinance..

17 Jul 2003 10:46:08

6J76H1B289HCC313@e-loan.com

Re: Your E-Loan Refinance Application..

22 Jul 2003 01:21:52

77EGJ4AGC1F3AIB5@wellsfargo.com

Re: Wells Fargo Bank New Business... 

26 Jul 2003 09:43:59

JFHAL1CJIB78IFA8@security.org

Newsletter

26 Jul 2003 23:00:46

H8HFB0BB06232180@e-gold.com

The Great E-Gold Giveaway!

29 Jul 2003 18:39:15

4K63GFHLE8FJ1GK7@utp.edu.co

Rich, software for you

30 Jul 2003 19:03:38

3FHG03G0I213JJ92@yahoo.com

I want to introduce Stock Cruiser

31 Jul 2003 05:26:44

BG5L3CAI6J586EK0@headgear.org

new mail            p1QwvfpX

02 Aug 2003 10:21:12

J9D9GK1H1IJ47920@hotmail.com

Rich,Want sex <rndmx>

09 Aug 2003 11:59:24

50LJ6D9B4EK320HD@annexia.org

Ïëÿæíûé îòäûõ

17 Aug 2003 07:58:36

2J73600018ECI75J@virtualitas.net

Re: mail                       e4AXAvl8

17 Aug 2003 17:49:39

FBE6962ED2FJFK58@hotmail.com

Rich, Instant Pleasures,

20 Aug 2003 19:37:45

A60I9A7D890FL51L@cbshost-68-111-42-31.sbcox.net

Re: mail                       3CPVQp5E 

Although we expect the GSA to contain more entries by this bulk-mailing tool, the GSA is only updated periodically. The current archive ends on 21-Aug-2003, so more information will not be available until the GSA is updated.

The narrow timeframe and near weekly appearance of spam from this bulk-mailing tool by the GSA recipient indicates a number of factors. First, there is likely only one or two senders using the tool; this tool does not have a large distribution. Second, the tool takes between 3 days and a week to cycle through the entire address list. Because the same email recipient does not receive every mass mailing, the spam gang is likely using subsets from their mailing list. The subsets may be due to a slow network connection (e.g., DSL or dialup) rather than an intentional selection of recipients. Finally, the minor change from 17 to 16 characters in the Message-ID, between the first and second observed messages, indicates that the sender is likely also the developer.

3.2 Scam Content Analysis

Most of the email messages sent by this group contain grammatical errors and spelling errors (Fig. 7). For example, "I am the customer" is correct in Spanish, German, and other Slavic- and Latin-based languages, but proper English would be, "I am a customer." The errors are similar to those made by Europeans who have English as a second language. In addition, the currency notations match European notations ("300$" instead of "$300").

 Hello. My name is John Turner....  I am the customer of AURUM INVESTMENT   There is nothing like this program. At first I spent 800$ and in 4 weeks I have  earned more than 300$ of profit    I am really impressed. You doesnt get any better than this.  Just follow the link http://am-it.biz//sign.php?ref_id=28934887 There is only one honest way to get money: to invest them wisely Money and you must keep a good company, right? 

Although the spam topics used by this bulk-mailing tool rotate, there appears to be two distinct content types (Fig. 8, Fig. 9). The first type indicates a spam sender that delivers content for bulk-message customers (spammer for hire). The contents offer everything from discount software to penis enhancements. Other bulk-mailing tools have been observed delivering similar messages, but with western currency notations and common American grammatical errors. The grammatical errors and currency notations associated with this specific bulk-mailing tool suggests a European.

The second content type is more interesting: many messages show a desire for banking and credit card information, or for users to download software. These messages do not have the same style of grammatical errors nor the European currency notation. This suggests a different sender than the bulk-message individual. This different sender is likely in the United States or Canada.

Besides the GSA, other spam archives have been analyzed. Some archives only contain the "bulk-messages" from this particular spam tool, other archives only contain the "financial fraud" messages, and many archives contain both types of messages. Based on the distinct differences in content, we can conclude that multiple groups use this specific bulk-mailing tool. However, the non-overlapping sending dates, independent mailing lists, and content text that is specific and unique to this tool indicates that (1) the group operating the financial fraud emails are different than the general bulk-message senders, and (2) the financial fraud emails are generated by a single spam gang.

3.3 Collecting Victim Information

3.3.1 Use of Malware

Trojan.Download.Berbew was not the only malware used by this group. On 26-Jul-2003, an email claiming to come from "admin@security.org" was observed. The text contents contained poor grammar and appeared to have been written in haste. The attachment contained the Exploit-Codebase [ref 7] malware. According to Network Associates:

"[Exploit-Codebase] is a generic detection of malware which tries to exploit a Microsoft Internet Explorer vulnerability, which was discovered February 25, 2002. This exploit could result in an executable file being run without the user's permission or knowledge, when visiting a web page or viewing HTML email message. This affects Internet Explorer 4.x and higher, Microsoft Outlook, and Microsoft Outlook Express." [ref 8]

Exploit-Codebase malware appears to have been written in C, similar to Trojan.Download.Berbew. While it is probable that the same individual created the Trojan.Download.Berbew and Exploit-Codebase malwares, it is unlikely that the malware author actually discovered the Expoit-Codebase vulnerability nearly a year prior.

3.3.2 Web Impersonations

3.4 Related Financial Scams

Although this spam gang has targeted other financial groups, there is a strong emphasis on eBay and Citibank. This apparent preference may indicate a grudge, familiarity, specific knowledge, or specific access. The recent increase in banking targets may indicate a rush to capture more victims before being blacklisted, caught, or ignored.

On 20-Oct-2003 the group attempted a 419 scam [ref 9]. Individuals rarely attempt the 419, or Nigerian scam, because this Ponzi scheme requires a noticeable amount of manpower and resources. The appearance of a 419 by this particular bulk-mailing tool indicates a likely increase in scam operators. There are many different groups that operate 419 scams; the text from this particular email was a poor copy of the 419 scam - other 419 gangs have better contents and better methods to identify themselves as the person in need. Due to the high volume of 419-style scams since April 2003, these approaches have become relatively common, easy to spot, and regularly ignored. In all likelihood, this financial fraud gang's attempt on 20-Oct-2003 was likely a failure. This may also account for the sudden increase in bank impersonations in the following days (5 banks targeted in 3 days). The group may have applied their additional manpower to their proven-successful strategy and simply branched out. In addition, the sudden focus change from USA financial sources to British banks (Barclays, Halifax, Nationwide, and Lloyds) at the end of October likely indicates new spam gang members with familiarity of the UK.

3.5 Unrelated Financial Scams

4 Reporting to Citibank

Figure 10: The Citibank online fraud reporting system.

A few hours later, a response from Citibank was received (Fig. 11). Unfortunately, this reply has a significant number of questionable aspects. In particular:

• The reply discusses fraudulent email content that differs from the submitted email. The submitted content did not discuss money transfers, include a virus, nor contain an attachment, as suggested by the response. This could be due to specific content in a generic form letter.
• The reply concludes with a static string of odd characters. These appear to be a hash-buster (used by spam senders to bypass hash-based spam filters) but never change. Strings such as this have not been observed with other official Citibank email communications.
• The content directs further questions to a toll-free number: 1-877-4-MYCITI. Unfortunately, this toll-free number is not correct. People who call this number receive the following short message: "The number you dialed is invalid." The correct number, according to the Citibank web site, is different than the invalid number provided in the automated reply.
• The content directs future fraud emails to be sent to a non-Citibank email address: hatsu1@aol.com. The owner of this email address is unknown. In no other Citibank web page or official Citibank email is a non-Citibank email address provided. Editor's note: as of 12-Nov-03, this email address is still used in Citibank's response.
• "Cleatis Hawkins" signed the email. According to an operator at Citibank?s correct toll-free number, Cleatis is a real person, but has not worked at Citibank for a few months. There is no evidence to suggest that "Cleatis Hawkins" is responsible or involved with the email scam or possible system compromise. It is unclear how his name became attached to the reply.

No aspect of the email headers appears forged. The reply from Citibank originated from the Citibank Development Center in Los Angeles, California (CDCLA). It is now left to the reader to draw his own conclusions from this email.

 Received: from mango2-a.citicorp.com (HELO mango2.citicorp.com) ([192.193.196.141]) (envelope-sender ) by smtp-1-2a.secureserver.net (qmail-ldap-1.03) with SMTP for <e-response@securescience.net>; 29 Sep 2003 19:03:14 -0000 Received: from myrtle1.citicorp.com (imta.citicorp.com [192.193.195.186]) by mango2.citicorp.com (8.12.10/8.12.9) with ESMTP id h8TIvn3v029897 for <e-response@securescience.net>; Mon, 29 Sep 2003 14:57:49 -0400 (EDT) Received: from iewa.cdcla.citicorp.com (localhost [127.0.0.1]) by myrtle1.citicorp.com (8.12.10/8.12.10) with ESMTP id h8TJ3BA4014816 for ; Mon, 29 Sep 2003 15:03:11 -0400 (EDT) Delivered-To: sqrl@mydomain Subject: Citibank Email Verification Reply-To: autoreply.iewa@citicorp.com To: <e-response@securescience.net> Date: Mon, 29 Sep 2003 11:00:00 -0800 X-MIMETrack: Serialize by Router on DOMINO13/ADG-LA(Release 6.0.1|February 07, 2003) at 09/29/2003 11:00:02 AM Dear e-response@securescience.net, Thank you for your message regarding an Email asking for our Citicard and PIN number and or to wire $500.00. This is a fraud Email and it is not an official communication from Citibank. We strongly recommend that you delete the Email and should not attempt to reply to the message or open the attachment. Citibank is aggressively investigating this fraudulent Email that has been sent to numerous Email addresses. Citibank is also working with law enforcement on the issue. However, if you did open the attachment, we recommend that you run your virus protection software. You may need to download an updated version of the Anti-Virus Software from your vendor. We advise that you change all Passwords used online, after your Anti-Virus Software has certified that all malicious programs have been cleared from your system. You can contact your local technical support for options on removing the malicious program if you did open the attachment and do not have an Anti-Virus Software. However, we recommend that you not log on to any site that requires a User ID and Password until the system is cleaned. You should also change any Passwords which you have entered online after opening the attachment. These changes will need to be performed with the institution and not online. You can forward the fraud Email to hatsu1@aol.com. If you have further questions concerning Myciti.com, please send another email or call us at 1- 877-4-MYCITI and we will be happy to assist you. Thank you for using MyCiti.com, Cleatis Hawkins &3925000440863888ZSU@L6<G<"@L6<G<ECT&

5 Conclusion

A single spam gang, using a unique bulk-mailing tool, appears responsible for the recent rash of financial fraud emails. This gang has targeted over a dozen financial sources, had dabbled in malware, and has struck over 20 times, showing what appears to be a serial pattern.

Attempts to report these findings to Citibank were unsuccessful, and Citibank was unavailable for comment. Citibank has publicly stated that they do not know who has been victimized by the Citibank scams, nor do they know how many victims [ref 10]. In truth, their web logs very likely indicate exactly who fell victim to the 16-Aug-2003 fraudulent Citibank scheme. In addition, Citibank may not be able to identify "who" fell victim on 25-Sep-2003 and 25-Oct-2003 to the second and third revisions of the fraud scheme, but Citibank can identify "how many" victims are likely. This is because the fraudulent web sites used HTML links that directly referenced the financial institution's web site.

6 About the Author

Secure Science Corporation is a professional services and software company that develops advanced technology dedicated to protecting online assets. Clients of Secure Science Corp. are provided with in-depth security evaluations, as well as cost-effective solutions, that are seamless in both deployment and maintenance. Secure Science Corp. is pioneering innovative ways to transform the Internet into a secure environment for both online communications and transactions.

Comments on this article can be sent to e-response@securescience.net or to the SF editor.

7 Appendix A: Network Scans

The initial fraudulent Citibank email that we received, leading toward this investigation, originated from "80.117.72.70". [Editor's note: this host is now down.] Network scans of host were conducted within five (5) minutes of receipt of the email. The scans indicate that the sending host was likely compromised. It is unclear whether the email sender was responsible for the compromise, or simply found a system with an open proxy server.

7.1 Italy DNS and Whois Scan

Based on the IP address, we can identify the hosting company, country, and often the city. In addition, many service providers indicate the type of network connection. In this case, the host is located in Italy and provided by Telecom Italia. The host is on an ADSL connection.

 ping: 80.117.72.70 IS ALIVE!  70.72.117.80.in-addr.arpa domain name pointer host70-72.pool80117.interbusiness.it. % This is the RIPE Whois server. % The objects are in RPSL format. % Rights restricted by copyright. % See http://www.ripe.net/ripencc/pub-services/db/copyright.html inetnum:      80.117.0.0 - 80.117.255.255 netname:      TINIT-ADSL-LITE descr:        Telecom Italia descr:        Accesso ADSL BBB country:      IT admin-c:      BS104-RIPE tech-c:       BS104-RIPE status:       ASSIGNED PA remarks:      Please send abuse notification to abuse@telecomitalia.it notify:       ripe-staff@telecomitalia.it mnt-by:       TIWS-MNT changed:      net_ti@telecomitalia.it 20020927 source:       RIPE

7.2 Italy Nmap Results

Nmap is a system utility for determining open services and operating system on a remote host. Nmap is available from http://www.insecure.org/nmap/.

 Starting nmap V. 3.00 ( www.insecure.org/nmap/ ) Insufficient responses for TCP sequencing (2), OS detection may be less accurate Interesting ports on host70-72.pool80117.interbusiness.it (80.117.72.70): (The 1617 ports scanned but not shown below are in state: closed) Port       State       Service 1025/tcp   open        NFS-or-IIS 1026/tcp   open        LSA-or-nterm 1027/tcp   open        IIS 5555/tcp   open        freeciv 6666/tcp   open        irc-serv 6699/tcp   open        napster 8888/tcp   open        sun-answerbook Remote operating system guess: Windows Millennium Edition (Me), Win 2000, or WinXPN map run completed -- 1 IP address (1 host up) scanned in 88 seconds

7.3 Italy Nessus Results

Nessus is a vulnerability scanner and can be used to determine if a host as unspecified services, or known system compromises. Nessus is available from http://www.nessus.org/.

 + 80.117.72.70 :  . List of open ports :     o NFS-or-IIS (1025/tcp) (Security notes found)    	o LSA-or-nterm (1026/tcp)    	o IIS (1027/tcp)    	o unknown (4455/tcp) (Security hole found)    	o freeciv (5555/tcp) (Security hole found)    	o unknown (6186/tcp)    	o irc-serv (6666/tcp) (Security hole found)    	o unknown (6699/tcp)    	o loc-srv (135/udp)    	o profile (136/udp)    	o netbios-ns (137/udp)    	o netbios-dgm (138/udp)    	o netbios-ssn (139/udp)    	o microsoft-ds (445/udp)    	o isakmp (500/udp)    	o route (520/udp)    	o general/tcp (Security notes found)    	o general/udp (Security notes found)  . Information found on port NFS-or-IIS (1025/tcp)     An unknown service runs on this port. 	    It is sometimes opened by this/these Trojan horse(s): 		     Fraggle Rock      			 md5 Backdoor 			 NetSpy 			 Remote Storm 			  	        Unless you know for sure what is behind it, you'd better 		    check your system 			 	        Solution: if a trojan horse is running, run a good antivirus scanner 		    Risk factor : Low  			 . Vulnerability found on port unknown (4455/tcp) :      The 'Count.cgi' cgi is installed. This CGI has     	 a well known security flaw that lets anyone execute arbitrary     	 commands with the privileges of the http daemon (root or nobody).         	  	 Solution : remove it from /cgi-bin.     	 Risk factor : Serious     	 CVE : CVE-1999-0021     	 BID : 128  . Vulnerability found on port unknown (4455/tcp) :      The 'upload.cgi' cgi is installed. This CGI has     	 a well known security flaw that lets anyone upload arbitrary     	 files on the remote web server.         	  	 Solution : remove it from /cgi-bin.     	 Risk factor : Serious  	  . Vulnerability found on port unknown (4455/tcp) :      The Cobalt 'siteUserMod' CGI is installed.      	 Older versions of this CGI allow any user to change the     	 administrator password.         	  	 Make sure you are running the latest version.     	 Solution :          	  	 RaQ 1 Users, download :     	 ftp://ftp.cobaltnet.com/      	  pub/experimental/security/siteUserMod/RaQ1-Security-3.6.pkg         	   	 RaQ 2 Users, download  :     	 ftp://ftp.cobaltnet.com/      	  pub/experimental/security/siteUserMod/RaQ2-Security-2.94.pkg         	   	 RaQ 3 Users, download :     	 ftp://ftp.cobaltnet.com/      	  pub/experimental/security/siteUserMod/RaQ3-Security-2.2.pkg         	   	 Risk factor : High     	 CVE : CVE-2000-0117     	 BID : 951  	  . Vulnerability found on port unknown (4455/tcp) :      /cgi-bin/.cobalt/overflow/overflow.cgi was detected.     	 Some versions of this CGI allow remote users to execute arbitrary commands     	 with the privileges of the web server.         	  	 *** Nessus just checked the presence of this file      	 *** but did not try to exploit the flaw, so this might     	 *** be a false positive            	  	 See: http://www.cert.org/advisories/CA-2002-35.html     	 Solution : get a newer software from Cobalt     	 Risk factor : High  	  . Information found on port unknown (4455/tcp)     A web server is running on this port  	 . Information found on port unknown (4455/tcp)     The remote  web servers is [mis]configured in that it     	does not return '404 Not Found' error codes when     	a non-existent file is requested, perhaps returning     	a site map or search page instead.         	 	Nessus enabled some counter measures for that, however     	they might be insufficient. If a great number of security     	holes are produced for this port, they might not all be accurate  	 . Information found on port unknown (4455/tcp)     The remote web server type is :     	Apache/1.3.22         	 	Solution : You can set the directive 'ServerTokens Prod' to limit     	the information emanating from the server in its response headers.  	 . Vulnerability found on port freeciv (5555/tcp) :    The 'guestbook.cgi' is installed. This CGI has          a well known security flaw that lets anyone execute arbitrary      	commands with the privileges of the http daemon (root or nobody).         	 	Solution :  remove it from /cgi-bin.     	Risk factor : Serious     	CVE : CVE-1999-0237     	BID : 776  	 . Vulnerability found on port freeciv (5555/tcp) :      The 'webdist.cgi' cgi is installed. This CGI has     	 a well known security flaw that lets anyone execute arbitrary     	 commands with the privileges of the http daemon (root or nobody).         	  	 *** Nessus reports this vulnerability using only     	 *** information that was gathered. Use caution     	 *** when testing without safe checks enabled.         	  	 Solution : remove it from /cgi-bin.     	 Risk factor : Serious     	 CVE : CVE-1999-0039     	 BID : 374  	  . Warning found on port freeciv (5555/tcp)     The 'printenv' CGI is installed.     	printenv normally returns all environment variables.     	This gives an attacker valuable information about the     	configuration of your web server.         	 	Solution : Remove it from /cgi-bin.     	Risk factor : Medium  	 . Information found on port freeciv (5555/tcp)        A web server is running on this port      . Information found on port freeciv (5555/tcp)     The remote  web servers is [mis]configured in that it     	does not return '404 Not Found' error codes when     	a non-existent file is requested, perhaps returning     	a site map or search page instead.         	 	Nessus enabled some counter measures for that, however     	they might be insufficient. If a great number of security     	holes are produced for this port, they might not all be accurate  	 . Information found on port freeciv (5555/tcp)     The remote web server type is :    Apache/1.3.22         	 	Solution : You can set the directive 'ServerTokens Prod' to limit     	the information emanating from the server in its response headers.  	 . Vulnerability found on port irc-serv (6666/tcp) :    The file /wwwboard/passwd.txt exists.         This file is installed by default with Matt's Script wwwboard      	software.  This can be a high risk vulnerability if the      	password used is the same for other services.  An attacker      	can easily take over the board by cracking the passwd.         	 	Solution : Configure the wwwadmin.pl script to put 	           the passwd.txt file somewhere else.         Risk factor : High     	CVE : CVE-1999-0953     	BID : 649  	 . Vulnerability found on port irc-serv (6666/tcp) :      The CGI /scripts/tools/newdsn.exe is present.     	 This CGI allows any attacker to create files     	 anywhere on your system if your NTFS permissions     	 are not tight enough, and can be used to overwrite     	 DSNs of existing databases.         	  	 Solution : Remove newdsn.exe     	 Risk factor : High     	 CVE : CVE-1999-0191     	 BID : 1818  	  . Warning found on port irc-serv (6666/tcp)    The 'mailnews' cgi is installed. This CGI has        a well known security flaw that lets an attacker execute arbitrary        commands with the privileges of the http daemon (usually root or nobody).         	    Solution : remove it from /cgi-bin.        Risk factor : Serious        CVE : CAN-2001-0271        BID : 2391  	 . Warning found on port irc-serv (6666/tcp)    The 'nph-test-cgi' CGI is installed. This CGI has        a well known security flaw that lets an attacker get a listing        of the /cgi-bin directory, thus discovering which CGIs are installed        on the remote host.                Solution : remove it from /cgi-bin.        Risk factor : Serious        CVE : CVE-1999-0045        BID : 686      . Information found on port irc-serv (6666/tcp)    A web server is running on this port      . Information found on port irc-serv (6666/tcp)    The remote  web servers is [mis]configured in that it        does not return '404 Not Found' error codes when        a non-existent file is requested, perhaps returning        a site map or search page instead.                Nessus enabled some counter measures for that, however        they might be insufficient. If a great number of security        holes are produced for this port, they might not all be accurate     . Information found on port irc-serv (6666/tcp)     The remote web server type is :    Apache/1.3.22         	 	Solution : You can set the directive 'ServerTokens Prod' to limit     	the information emanating from the server in its response headers.  	 . Information found on port general/tcp        Nmap found that this host is running Windows Millennium Edition (Me), Win          2000, or WinXP  . Information found on port general/tcp    Remote OS guess : Windows Millennium Edition (Me), Win 2000, or WinXP        CVE : CAN-1999-0454

8 Appendix B: GSA Email Message Summary

The following table summarizes the email message from the Great Spam Archive that were sent by this group's unique bulk-mailing tool.