Upton Sinclair would have Laughed

I follow the Bitninja blog because we use this service as an external firewall at Reclaim Hosting, and they are pretty awesome. We run it on all of our shared hosting servers, and many of our bigger schools, and it often can identify and prevent problems before they even reach our servers—it’s beautiful.

Anyway, the other day they shared a story about a recent attack that was trying to take advantage of a vulnerability in a contact form to send spam. Pretty common type of attack, but what was different about this one was that while its message was targeted at a Chinese audience pushing a finance product, in order to get past automated spam checkers they needed to include English (a whitelisted language) in the message—so they appended passages from Upton Sinclair’s 1906 classic The Jungle to every message. In fact, you could actually read the book from beginning to end if you followed the spam messages chronologically—which is how the system analyst watching the attack picked it up.

Date: 2018-01-18 08:52:52
Victim domain: www.######.hu          
Attacker ip: 117.70.173.46
Url: [www.#####.hu/de/kontact]
Remote connection  [117.70.173.46:51668]
Agent: [Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)]
Post data: [Array
(
    [jform[contact_name]] => ???
    [jform[contact_email]] => ###635271@qq.com
    [jform[contact_subject]] => [Shared Post] Glory In The Mountains of WV?? ###635271@qq.com
    [jform[contact_message]] => ????28???????????????????????www.601204.com/?
??????????????“?”????“???”????155555??1??????????1.0%?????30??????
??????“????”???10??18?????50???28?.
------------------------------------------
o’me wouldn’t be let hear’em.Not but what I did hear,as how could I help it?There’ll be no good come of it.Who’s to be axed to the wake,I’d like to
    [jform[contact_email_copy]] => 1
    [option] => com_contact
    [task] => contact.submit
    [return] =>
    [id] => 1:mast-shake-shingle-information
    [] => 1
)
]                              
Date: 2018-01-18 08:51:47
Victim domain: www.#####.hu          
Attacker ip: 60.174.17.29
Url: [www.#####.hu/de/kontact]
Remote connection  [60.174.17.29:59218]
Agent: [Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)]
Post data: [Array
(
    [jform[contact_name]] => ???
    [jform[contact_email]] => ###80474@qq.com
    [jform[contact_subject]] => ACT - Campanha Trabalho em Espa?os Confinados??? ###80474@qq.com
    [jform[contact_message]] => ?????????????28?www.601641.com/?
??????????“?”????????????1??????30?????????????+V??love9191love ??????.
------------------------------------------
boys annoyed me.Finally Dan said musingly:“Some gentlemen don’t know how to put on kid gloves at all,but some do.”And the doctor said(to the moon,I
    [jform[contact_email_copy]] => 1
    [option] => com_contact
    [task] => contact.submit
    [return] =>
    [id] => 1:mast-shake-shingle-information
    [] => 1
)
]                              
Date: 2018-01-18 08:51:16
Victim domain: www.#####.hu          
Attacker ip: 60.174.17.29
Url: [www.#####.hu/de/kontact]
Remote connection  [60.174.17.29:58943]
Agent: [Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)]
Post data: [Array
(
    [jform[contact_name]] => ???
    [jform[contact_email]] => ###3579@qq.com
    [jform[contact_subject]] => ACT - Campanha Trabalho em Espa?os Confinados??? ###3579@qq.com
    [jform[contact_message]] => ?????????????28?www.601641.com/?
??????????“?”????????????1??????30?????????????+V??love9191love ??????.
------------------------------------------
still that sound of lonely weeping came from over the hill.Listening,but looking at those wild,mourning eyes that never moved from him,he lay.Once he
    [jform[contact_email_copy]] => 1
    [option] => com_contact
    [task] => contact.submit
    [return] =>
    [id] => 1:mast-shake-shingle-information
    [] => 1
)
]

Crazy on so many levels. I wonder if this ostensibly Chinese spam attacker was cognizant of all the levels. First the “whitelisting” of the email by including the dominant language of the web, and the strange twist of advertising finance products to the “communist” Chinese consumer—it’s like flash fiction about geopolitical change over the last 25 years written into a server log. But then, the kicker, using Upton Sinclair’s muckraking novel about regulating the meat packing industry as the trojan horse for sending spam. The irony is too brilliant not to think this attacker was having a laugh. 
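The check the padding was built to pass, next to a sturdier one, as an added example that is not code from the Bitninja post or from this blog: a contact-form filter that accepts anything containing a bit of English is exactly what an appended chapter of The Jungle defeats, so the second check looks at where the whitelisted language sits relative to the rest of the message. The sample messages, the regexes and the 0.5 script-share threshold are all my own constructions and assumptions.

```python
import re
from typing import NamedTuple

# Constructed samples (not the log entries above): a CJK sales pitch with a
# URL, the dashed separator the spam used, then an English tail as padding.
SAMPLE_SPAM = (
    "本月28日起开放投资www.601204.com/，每日收益1.0%，满30天可提现。\n"
    "------------------------------------------\n"
    "o'me wouldn't be let hear'em. Not but what I did hear, as how could I help it?"
)
SAMPLE_LEGIT = "Hi, I would like to ask about opening hours on Saturday. Thanks, Anna"
SAMPLE_CJK_LEGIT = "您好，请问周六的营业时间是几点？谢谢。"

ASCII_WORD = re.compile(r"[A-Za-z]{3,}")
CJK = re.compile(r"[\u4e00-\u9fff]")
URL = re.compile(r"(?:https?://)?(?:www\.)?[a-z0-9-]+\.[a-z]{2,}(?:/[\w./?=&%-]*)?", re.I | re.A)
SEPARATOR = re.compile(r"^-{10,}$", re.M)

def naive_whitelist_passes(msg: str) -> bool:
    """The bypassed check: any message with a few English words is accepted."""
    return len(ASCII_WORD.findall(msg)) >= 3

def cjk_share(text: str) -> float:
    """Fraction of alphabetic characters that are CJK ideographs."""
    letters = [c for c in text if c.isalpha()]
    if not letters:
        return 0.0
    return sum(1 for c in letters if CJK.match(c)) / len(letters)

class Verdict(NamedTuple):
    spam: bool
    reasons: tuple

def script_mix_check(msg: str) -> Verdict:
    """Judge by where the whitelisted language sits, not whether it is present."""
    head, *rest = SEPARATOR.split(msg, maxsplit=1)  # payload before, padding after
    tail = rest[0] if rest else ""
    head_share = cjk_share(head)  # 0.5 threshold below is an assumed tuning value
    # English words in the payload itself, ignoring letters that belong to a URL.
    head_english = len(ASCII_WORD.findall(URL.sub("", head)))
    tail_english = len(ASCII_WORD.findall(tail))
    reasons = []
    if head_share > 0.5 and head_english == 0 and tail_english >= 3:
        reasons.append("english_only_after_separator")  # padding, not content
    if head_share > 0.5 and URL.search(head):
        reasons.append("url_in_non_whitelisted_payload")
    return Verdict(bool(reasons), tuple(reasons))
```

The naive check also rejects the genuinely Chinese enquiry, so the whitelist costs real mail while letting the padded spam through; the placement check flags only the padded message.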

This entry was posted in fun, reclaim, sysadmin.
