How a Fox-linked hacker failed to fool Fark
Last week, Drew Curtis, the founder of Fark.com, the outrageous social-news website, accused Darrell Phillips, an employee at a News Corp.-owned Fox TV station in Memphis, Tenn., of attempting to hack into Fark.
Curtis told Valleywag that electronic evidence pointed nearly conclusively to Phillips and that he was pursuing legal action to obtain records and eliminate any doubt. Since then, Phillips and Fox have not commented publicly on the incident. Many observers have expressed disbelief, or suspected satire, given Fark users' reputation for sarcasm and tomfoolery. But Curtis, in sharing the incident, was deadly serious. Curtis today told me he plans to "file a civil claim in federal court to get subpoenas sent." Equally serious is the evidence he's assembled. After the jump, I'm sharing the timeline Curtis's team put together, as well as some other observations tipsters have shared.
In Mediaverse Memphis, a local news blog, a commenter left the following comment to a follow-up story on Valleywag's exclusive:
Has Darrell ever asked you to open a suspicious email attachment?
I hope you thought twice about it.
I think a lot of people who Darrell has screwed in the past are going to enjoy this.
As with any Internet comment, it's impossible to know the validity of the observation, but it's interesting to note that someone bothered to take the time to allege that Phillips has a history of sending "suspicious email attachments" — a common way of delivering "trojans," programs that pose as something harmless while carrying malicious code. And a former employee at WHBQ, the station where Phillips works, believes Phillips was behind the hack, writing:
The investigative news team at WHBQ was usually very well intentioned and thorough. I am sure the actions are those of Phillips and whatever idiots he thought could help him pull off a hacking scheme. This is in the Memphis market. Not exactly reaching out to the best and brightest with the most upstanding journalistic integrity. Phillips was hoping to make a name and move to a larger market.
That, of course, is just speculation. Here are the hard facts, in the form of a detailed log below, prepared by Fark employees, of the attempted break-ins.
One caveat: It's possible, of course, that Phillips's machine was compromised by an outside hacker. But is Fox's corporate network that insecure? And would a hacker, having access to a machine inside the Fox network, and control of Phillips's PayPal account, merely use them to implicate Phillips, rather than conducting larger mischief? I'll let you be the judge, after you review the evidence. (Note: I've redacted staff email addresses and logins, as well as full IP addresses, to avoid giving amateur hackers obvious targets.)
Subject: early August 2007 hack/trojan summary
——- Short version of what's happened:
On August 8, several Fark staff received suspicious email encouraging us to visit a particular website. Through August 12, more similar emails continued to arrive for other Fark volunteer staff, most pretending to be *from* other staff. Three websites were given in these emails, and the sites all contained links to two different trojan horse programs (effectively viruses that don't replicate themselves). If the trojan .EXE files were downloaded and run, the computer would be infected.
The emails all came from a computer in Australia (or in three cases, from Gmail.com). An infected computer would try to communicate with a computer in Tennessee. Antivirus programs did not always find the infection, but researching the behavior suggested they were modified versions of existing trojans, whose purpose was to steal passwords and send them to the Tennessee computer.
Searching Fark's logs for both computers' IP addresses returned no matches on the Australia computer, but revealed many matches for the Tennessee computer. The latter showed multiple attempts to break into Fark accounts belonging to both staff and end-users, and in the latter case was successful once.
They also used other existing accounts, at least two of which might belong to the actual owner of the Tennessee computer. Following logs to find activity on those accounts from other IP addresses, we found identical break-in attempts from elsewhere. Based on their attack patterns, we strongly suspect a Fark staff's Gmail.com account was also broken into.
Based on the other non-malicious behavior of those accounts, including the legit purchase of a Totalfark subscription, we believe our guy is in Memphis, Tennessee, and is probably a Fox13 television journalist named Darrell Phillips; however it's all circumstantial evidence without subpoenaing records from the ISPs owning all the IP addresses, and trojan-hosting websites, in question.
——- Longer version of what happened:
Between August 8 and 12, Fark staff received some suspicious emails trying to get us to visit these three websites:
http://clipsmoke.com/diggtracker.html
http://h1.ripway.com/jumpstart/videomailer-3225.html
http://tinyurl.com/37prcs
so really there are two webhosting companies involved.
Each site contained a link to download an .EXE file, though it pretended to be something else. Three different .EXE files, all of which turned out to be trojan horse programs (though only two distinct programs; #3 was the same as #2). If run, the computer would be infected.
The emails were sent from a computer hosted in or near Melbourne, Australia (or in three cases, from gmail.com), but most of the emails were forged so they'd appear to be from other Fark staff or friends or relatives of Fark staff.
Infected computers would attempt to send data to computers named "fromage.no-ip.info" and "salad5.no-ip.info". In the August 8 to 12 timeframe, those names were aliases for "c-XX-XX-XX-105.hsd1.tn.comcast.net" which is likely a Comcast cable modem customer in Tennessee.
Numerous attempts to hack Fark accounts were found in the same time frame from that same Comcast address. No malicious activity was found from the Australia address, other than the forged emails. This is why the Comcast subpoena is at the top of the list.
I'm not sure any of our staff actually got their computers infected. At the present time, neither no-ip.info host works any more — meaning the trojan doesn't really work any more either.
Anyway... The first site (clipsmoke) had a link to a "diggtracker.exe" tool, which was the trojan. There was also a signup form to create an account that would allegedly give you stats on digg.com and notify of new stories or something, according to the emails we got about it. One staffer filled this form out, and a few hours later got a "thanks for signing up" email — from the same Australian IP address. I think the purpose of the form was really to steal emails and passwords rather than provide any real service.
The ripway site emails said that the site had a funny video on it. If you went there, there was a fake Flash movie (meaning the movie file was too small to contain actual video), and a link below it saying "click to download movie plugin". This link went to http://h1.ripway.com/jumpstart/jumpplayer.exe which was the first trojan.
The tinyurl site just redirects immediately to http://h1.ripway.com/jumpstart/boypics(compressed).exe — a direct link to the second trojan back on the ripway site.
All of these sites no longer work. I saved a copy of the ripway site before it was removed. Meg got a partial copy of the clipsmoke site.
While all this was going on, the computer at the Tennessee Comcast address was trying to hack into Fark accounts. Other accounts were in use by that same address, possibly the real account of the computer's owner, and we followed the logs of other computers used by that account to find other computers, and the logs from those computer IPs showed strikingly similar break-in attempt patterns. They also used the probably-legit account to submit a lot of links to news websites in Memphis.
I am still collecting three or four sets of different logs together into one cohesive set. Until then, here is a summary and event timeline of all of them:
Notes:
"clipsmoke/diggtracker" means an email trying to get us to click
http://clipsmoke.com/diggtracker.html
"ripway" means an email trying to get us to click
http://h1.ripway.com/jumpstart/videomailer-3225.html
"tinyurl" means an email with http://tinyurl.com/37prcs
This site simply redirects to
http://h1.ripway.com/jumpstart/boypics(compressed).exe
Source IP notes:
XX.XX.XX.247 is the Australian source of the phishing emails
XX.XX.XX.105 is Comcast Tennessee, destination of the trojan output and source
of most of the Fark password hack attempts.
XX.XX.XX.225 is an IP that seems to encompass multiple Fox TV sites
nationally — probably a corporate-wide proxy server.
Many many users coming from there submitting links to sites like
myfoxdc, myfoxatlanta, etc.
XX.XX.XX.172 is Verizon Wireless
XX.XX.XX.2xx is an anonymizing service at upsideout.com
I suspect the Comcast address is his home, Fox TV is his work, and upsideout was him trying to hide his real source IP.
DATE/TIME       SOURCE IP       EVENT
--------------------------------------------------------------------
Aug 8 22:32 XX.XX.XX.247 Email from "Cindy Dolan" gmail account to [REDACTED]@fark.com advertising the ripway site. [REDACTED]@fark.com also got one of these, and probably [REDACTED]@fark.com too. Source IP is in Australia. Cindy Dolan likely doesn't exist.
Aug 9 14:26 (gmail.com) Email from "Laurie Dobbins" gmail account to [REDACTED]@fark.com advertising the clipsmoke.com/diggtracker.html site. This one comes direct from gmail.com, not Australia. Laurie Dobbins is probably also a fake name. They claim to be a journalist, which is interesting given what comes next...
Aug 9 19:04 66.193.225.40 The computer logged into Fark account "jsp2000" logs into "dphillips" account. This IP belongs to foxtv.com; it appears to be a corporate proxy used by Fox TV stations across the country, so many accounts are seen coming from this IP address, mostly submitting links to whoever their local Fox TV affiliate site is.
Aug 10 11:25 XX.XX.XX.225 Fark account "dphillips" submits a link to a Memphis media site.
Aug 10 12:11 (gmail.com) Another email from "Laurie Dobbins" gmail account, this one to [REDACTED]@fark.com, again advertising the clipsmoke.com/diggtracker.html site.
Aug 10 13:?? (approx) One of us fills out the signup form on the diggtracker site.
Aug 10 14:31 (approx) Meg asks on our Fark moderator email mailing list if anyone knows anything about diggtracker
Aug 10 ??:?? The one that filled the signup form out thinks their gmail account was broken into between 13:00 and 18:24; we're still investigating this possibility
Aug 10 17:31 XX.XX.XX.247 Email from admin@dgtrk.com to [REDACTED]@yahoo.com: "You signed up for diggtracker". Note source IP is the same Australia one.
Aug 10 18:24 XX.XX.XX.247 Forged email from [REDACTED]@hotmail.com to [REDACTED]@[REDACTED] advertising the ripway site. Source is Australia again. The two addresses are Drew's sister and wife; they might have obtained them from the compromised gmail account (we're still investigating that possibility). Fark's spam filter blocks this message.
Aug 11 00:00 XX.XX.XX.105 Someone started poking around Fark's webmail setup. They tried to log into some email accounts, but failed because our webmail doesn't actually work at all due to a configuration mistake on my part. Source IP is Comcast in Tennessee, using IE6 on Windows XP.
Aug 11 00:35 XX.XX.XX.105 Five failed attempts to log into Fark as users '[REDACTED]' and '[REDACTED]'. (The latter doesn't exist)
Aug 11 00:37 XX.XX.XX.105 View the Fark user profiles for '[REDACTED]' (not there) and [REDACTED] profile. They have suddenly switched to using Firefox, but still Windows XP.
Aug 11 00:54 XX.XX.XX.105 Logs into Fark as "[REDACTED]", getting the password right immediately. This name/password may have come from the maybe-compromised gmail also. Tries to log into TotalFark right after that as [REDACTED], but fails because [REDACTED] isn't a TotalFark subscriber.
Aug 11 00:54 XX.XX.XX.105 Viewed [REDACTED]'s user profile.
Aug 11 01:59 XX.XX.XX.105 Tried to use the Fark Moderator version of the user profile viewer to look at user "[REDACTED]" (Fark's contract web designer); attempts to use [REDACTED]'s moderator account to get in, but can't get the password right.
Aug 11 06:19 ? Forged email from [REDACTED]@gmail.com to [REDACTED]@gmail.com advertising ripway site. Source unknown, but probably Australia. These are both Fark moderators. Interestingly, they misspell "[REDACTED]", which tips off the recipient that something's not right.
Aug 11 08:49 XX.XX.XX.105 Tries again to use the Fark Moderator version of the profile viewer to look at [REDACTED]'s profile, which again asks for a moderator account first: he again tries "[REDACTED]" 5 times, "[REDACTED]@fark.com" 4 times, "[REDACTED]" 2 times (note [REDACTED] is not actually a moderator), "[REDACTED]" 5 times, "[REDACTED]" again 3 times. This all lasts until 09:31. All unsuccessful. First 5 tries were IE6, then switches to Firefox.
Aug 11 09:20 XX.XX.XX.247 Forged email from [REDACTED]@gmail.com to [REDACTED]@gmail.com re ripway site; note continued misspelling of "[REDACTED]". [REDACTED] is an older address of another Fark moderator.
Aug 11 11:42 XX.XX.XX.247 Forged email from [REDACTED]@gmail.com to [REDACTED]@gmail.com advertising the site http://tinyurl.com/37prcs — which is really just a redirect to ripway. Yet another misspelling; it should have been [REDACTED].
Aug 11 16:49 XX.XX.XX.105 Attempt to view Fark user profile "[REDACTED]". It doesn't exist, but [REDACTED]'s dad has a similarly named account that he doesn't find...
Aug 11 22:41 XX.XX.XX.105 Attempt to view Fark user profile "DanAndJenn". That account is a spammer that we banned, possibly from Dallas. Friend? Accomplice? We don't know so I won't speculate further. Curiously, while the IP address is the same, he's now using IE7 from a Windows Vista computer. I suspect the Vista machine is his home desktop computer, and the XP machine is a laptop; you'll see why shortly...
Aug 11 22:43 XX.XX.XX.105 Tried once to log into the Fark profile viewer as Meg with a blank password
Aug 12 0?:?? The owner of the possibly-compromised gmail account changes the password after getting suspicious about all this.
Aug 12 12:16 XX.XX.XX.105 Logs out of the [REDACTED] account and into the dphillips account, and submits a link to a Memphis news site
Aug 12 16:48 XX.XX.XX.105 Logs out and then logs into account "lafollette.will". This one has the same password as "dphillips".
Aug 12 17:18 XX.XX.XX.105 Tried logging into Totalfark as [REDACTED] and [REDACTED] again, and fails. Logs out of lafollette.will, then logs into Fark as [REDACTED] successfully.
Aug 12 17:24 XX.XX.XX.247 Forged email from [REDACTED]@bitO.com to [REDACTED]@fark.com with tinyurl URL. Yet another misspelling: [REDACTED]@[REDACTED]0.com (that's [REDACTED]-zero) is me, but they used [REDACTED]O (that's [REDACTED]-capital-letter-O). They did get around their inability to spell [REDACTED]@gmail.com by using [REDACTED]@fark.com this time — they're the same person, a Fark moderator.
Aug 13 14:35 XX.XX.XX.172 Next day. Jumps to Verizon Wireless and views the "dphillips" Fark profile. This is IE6 on Windows XP again; use of Verizon Wireless strongly suggests (but doesn't prove) that they're using a laptop.
Aug 13 14:36 XX.XX.XX.172 Switches to Firefox, and goes to profile viewer; the session cookie indicates that [REDACTED] had previously been logged into that computer. This and the viewing of "dphillips" implies that this Verizon Wireless IP is the same computer that was at Comcast IP XX.XX.XX.105 yesterday.
Aug 13 14:38 (Paypal) Less than 2 mins later, logs in as dphillips and buys a $5 Totalfark subscription for himself. In the transaction, Paypal gives us his name as Darrell Phillips and an email of [REDACTED]@dnphillips.com. (He also had darrell.phillips@[REDACTED] on his Fark account.)
Aug 13 14:44 XX.XX.XX.172 Still using Firefox, goes to Fark's headline search tool.
Aug 13 15:12 XX.XX.XX.225 30 minutes after that, they're on a foxtv.com address, logged in as dphillips.
Aug 13 15:39 XX.XX.XX.225 Does headline search again (for "animation")
Aug 13 16:10 XX.XX.XX.247 Email from admin@dgtrk.com to [REDACTED]@yahoo.com: "your Diggtracker account is inactive, please log in to reactivate it" email from Australia.
Aug 13 16:50 XX.XX.XX.225 dphillips submits a link to Fark
Aug 13 17:08 XX.XX.XX.225 dphillips submits a link to Fark
Aug 13 17:40 XX.XX.XX.22x While logged in as dphillips, tries to log into Fark 'motherh' using his own password, then two totally different passwords, and fails. In between attempts, he tries logging out of his own account, presumably thinking it would help (but it doesn't). New source IPs for this session, all starting with XX.XX.XX. and ending in .223 .232 .236 .219 — these IPs all belong to the "upsideout.com" anonymizing service. (Hosted in Houston by ev1.net who hosts a lot of popular anonymizing services.) Presumably trying to cover his tracks now, but not doing a very good job of it...
Aug 13 17:47 XX.XX.XX.225 A "forgot my password" request comes into Farkback from user "motherh".
Aug 13 17:48 XX.XX.XX.225 Views motherh profile — we're back on foxtv.com's network now, using IE6 / XP.
Aug 13 17:48 XX.XX.XX.225 View TotalFark page using "dphillips" Totalfark account.
Aug 13 17:53 XX.XX.XX.235 Tries to submit a link as "motherh" but can't get password right — back on the anonymizing service 6 minutes after the previous hit.
Aug 13 18:13 XX.XX.XX.213 Another "forgot my password" request from 'motherh' except they were logged into Fark as "lafollette.will" when they sent it. Oops.
Aug 13 18:16 XX.XX.XX.218 Logs in as lafollette.will to submit link
Aug 13 19:04 XX.XX.XX.225 Back to foxtv network, a computer that was logged in as "jsp2000" logs in as "dphillips"
Aug 13 21:37 XX.XX.XX.105 Back to Comcast IP 2.5 hours later: Logs out of [REDACTED] and into lafollette.will
Aug 13 21:38 XX.XX.XX.105 Looks at [REDACTED] profile. They're using IE7 on Windows Vista now.
Aug 13 21:39 XX.XX.XX.105 Hits logout button.
Aug 13 22:03 (gmail.com) Forged email from [REDACTED]@fark.com to multiple recipients — the To: line says [REDACTED]@gmail.com but [REDACTED]@gmail.com and maybe others get copies; all giving the tinyurl site URL again. Unlike the last tinyurl email, this comes straight from gmail and not Australia.
Aug 13 22:51 XX.XX.XX.105 Logs out of lafollette.will and into dphillips
Aug 13 23:08 XX.XX.XX.105 Submits link to Fark as dphillips
Aug 14 00:43 XX.XX.XX.247 Email from admin@dgtrk.com to [REDACTED]@yahoo.com: "there's a lot of login failures on your digg/farktracker account, you should sign in to check it". I think this is the first time it mentions "farktracker"; all previous ones had been diggtracker.
Aug 14 01:25 XX.XX.XX.210 Logs in as dphillips (using anonymizer)
Aug 14 03:00 ([Fark employee]) I lock the Fark accounts dphillips, dhphillips, lafollette.will, and change [REDACTED]'s password; I block inbound emails to Fark from Australian IP XX.XX.XX.247
Aug 14 04:00 ([Fark employee]) I discovered clipsmoke/diggtracker site had been shut down by its owner.
Aug 14 04:00 ([Fark employee]) I saved a copy of the ripway site in case it disappears later (which it does).
Aug 14 04:00 ([Fark employee]) Emailed abuse@ripway.com and abuse@no-ip.info asking sites and domains be shut off.
Aug 14 08:36 XX.XX.XX.105 Attempts logins to dphillips, lafollette.will, [REDACTED], dphillips in that order, multiple times until 09:13, all from Comcast IP
Aug 14 08:36 XX.XX.XX.105 Views dphillips profile (using Firefox / XP)
Aug 14 08:37 XX.XX.XX.105 Tries to get into his user profile
Aug 14 09:53 XX.XX.XX.225 Attempts login to dphillips, dnphillips several times
Aug 14 10:01 XX.XX.XX.225 dphillips sends Farkback saying "I forgot my password"
Aug 14 11:00 ([REDACTED]) Discovered ripway-hosted site had been shut down due to TOS violation.
Aug 14 11:33 XX.XX.XX.225 Views dphillips profile from FoxTV network (IE6/XP)
Aug 14 11:33 XX.XX.XX.225 Attempts login to dphillips
Aug 14 12:05 XX.XX.XX.225 dphillips sends Farkback saying "I think I was banned..."
Aug 14 12:23 XX.XX.XX.225 Attempts login to dphillips
Aug 14 17:39 75.203.255.69 Attempts login to motherh
Aug 14 18:23 XX.XX.XX.225 Attempts login to dphillips
Aug 14 21:35 ([REDACTED]) Discovered both no-ip.info names now resolve to 0.0.0.0, rendering the trojan ineffective
Aug 15 15:03 ([REDACTED]) Discovered ports 2000 and 2002 don't respond on XX.XX.XX.105 anymore; these were the ports the trojan attempted to connect to.
At least one other moderator got one of the suspicious emails but deleted it before they could forward it to me.
Around the same time [the dphillips account] started trying to get the 'motherh' account, he started using the anonymizer. Maybe he suspected we were on to him by then and wanted to try to cover his tracks.
——- Analysis of the trojans:
Two distinct trojan .EXE files were placed on the ripway and clipsmoke sites.
I deliberately infected a sacrificial system of mine that was disconnected from the Internet and had no useful data on it, and monitored what it was attempting to do with the network using a packet sniffer.
First, they both create a set of keys in the Windows Registry, presumably so they know not to run multiple copies of themselves.
They attempt to look up the IP address of a hostname: one uses "fromage.no-ip.info" and the other "salad5.no-ip.info". Between August 8 and 12, both names resolved to the Comcast IP XX.XX.XX.105. Since my scratch machine didn't have Internet access, I had Windows lie to the trojan and tell it the names resolved to something fake so that it could continue to the next step...
From there, they tried to connect to port 2000 (on fromage) and 2002 (on salad5). If I set up a fake server on the same machine, it transmitted what looked like garbage (probably encrypted) to the (fake) server.
Researching the registry keys created indicates that these are variants of a trojan known in antivirus circles as "Bifrose", which is known to log keystrokes in order to steal passwords. I tried two antivirus programs and neither one recognized either trojan, though. I submitted both to the ClamAV antivirus people, and their next night's software update now detects one of them. It might detect both by the time you read this.
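To make the log work described above concrete (search the logs for the attacker's IP, collect the accounts it used, follow those accounts to every other IP that used them, and compare break-in patterns), here is an added illustration. It is not Fark's code and Fark's logs are not in this format; the log lines are constructed, with 10.0.0.x standing in for the redacted XX.XX.XX.x addresses, the attacker-side account names (dphillips, lafollette.will, motherh) taken from the timeline and the victim names made up. It goes one step beyond the write-up by counting failed logins per target account as well as per source IP, which is what catches attempts spread across an anonymizer's rotating exit addresses.

```python
"""Log pivot of the kind the Fark timeline describes: start from one source IP,
collect the accounts it logged into, follow those accounts to every other IP that
used them, and flag brute-force bursts both per source IP and per target account.
Added illustration with a constructed log; not Fark's code or log format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical "timestamp ip event account user_agent" format.
# 10.0.0.x stands in for the redacted XX.XX.XX.x addresses in the article.
SAMPLE_LOG = """\
2007-08-11T00:35:10 10.0.0.105 LOGIN_FAIL alice IE6/XP
2007-08-11T00:35:21 10.0.0.105 LOGIN_FAIL alice IE6/XP
2007-08-11T00:35:33 10.0.0.105 LOGIN_FAIL bobb IE6/XP
2007-08-11T00:35:41 10.0.0.105 LOGIN_FAIL bobb IE6/XP
2007-08-11T00:35:55 10.0.0.105 LOGIN_FAIL alice IE6/XP
2007-08-11T00:54:02 10.0.0.105 LOGIN_OK alice Firefox/XP
2007-08-12T12:16:00 10.0.0.105 LOGIN_OK dphillips Firefox/XP
2007-08-12T16:48:00 10.0.0.105 LOGIN_OK lafollette.will Firefox/XP
2007-08-13T14:38:00 10.0.0.172 LOGIN_OK dphillips Firefox/XP
2007-08-13T15:12:00 10.0.0.225 LOGIN_OK dphillips IE6/XP
2007-08-13T17:40:05 10.0.0.223 LOGIN_FAIL motherh IE6/XP
2007-08-13T17:40:30 10.0.0.232 LOGIN_FAIL motherh IE6/XP
2007-08-13T17:41:10 10.0.0.236 LOGIN_FAIL motherh IE6/XP
2007-08-13T18:16:00 10.0.0.218 LOGIN_OK lafollette.will IE6/XP
2007-08-13T19:30:00 192.168.1.9 LOGIN_OK carol Safari/Mac
"""


def parse_log(text):
    """Turn the constructed log into a list of event dicts with real timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, event, account, ua = line.split(maxsplit=4)
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "event": event, "account": account, "ua": ua})
    return events


def accounts_used_from(events, ip):
    """Accounts that logged in successfully from one source IP."""
    return {e["account"] for e in events if e["ip"] == ip and e["event"] == "LOGIN_OK"}


def pivot(events, seed_ip, max_hops=3):
    """Breadth-first pivot: IP -> accounts it used -> other IPs those accounts used -> ...
    Returns (linked IPs, linked accounts). Legit owners of compromised accounts will
    show up too, exactly as the write-up notes; that is a lead, not a verdict."""
    ips, accounts, frontier = {seed_ip}, set(), {seed_ip}
    for _ in range(max_hops):
        new_accounts = set()
        for ip in frontier:
            new_accounts |= accounts_used_from(events, ip) - accounts
        accounts |= new_accounts
        frontier = {e["ip"] for e in events
                    if e["event"] == "LOGIN_OK" and e["account"] in new_accounts} - ips
        ips |= frontier
        if not frontier:
            break
    return ips, accounts


def failed_login_bursts(events, key="ip", window=timedelta(minutes=10), threshold=3):
    """Sliding-window count of LOGIN_FAIL events grouped by source IP or by target
    account; returns sorted (group, max_count) pairs that reach the threshold."""
    fails = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_FAIL":
            fails[e[key]].append(e["ts"])
    bursts = []
    for group, times in fails.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts.append((group, best))
    return sorted(bursts)


def investigate(log_text, seed_ip):
    """Run the whole pivot from one seed IP and return the leads."""
    events = parse_log(log_text)
    ips, accounts = pivot(events, seed_ip)
    return {"linked_ips": sorted(ips), "accounts": sorted(accounts),
            "bursts_by_ip": failed_login_bursts(events, "ip"),
            "bursts_by_account": failed_login_bursts(events, "account")}


if __name__ == "__main__":
    for k, v in investigate(SAMPLE_LOG, "10.0.0.105").items():
        print(k, v)
```

Seeding on the Comcast stand-in links the Verizon and Fox stand-ins through the shared dphillips and lafollette.will logins and leaves the unrelated carol login alone. Per-IP counting flags the five failures from the seed, but the three motherh failures arrive from three different anonymizer exits, one each, so only the per-account count catches them; that is the same pattern the timeline shows once the attacker moved to upsideout.com.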
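The sacrificial-machine setup in the analysis (make the trojan's hostname resolve to a box you control, listen on the ports it dials, watch what arrives) is easy to reproduce, and the check I'd want before calling a payload "probably encrypted" is a byte-entropy score. The example below is added here and is not the analyst's tooling; the port numbers 2000 and 2002 come from the write-up, while the sink, the payloads it receives and the 7.0-bit threshold are all constructed for illustration. "Having Windows lie" about the hostnames is most simply done in the hosts file, which is an assumption about the analyst's method, not something the write-up states.

```python
"""A stand-in for the 'fake server' the Fark analyst pointed the trojan at on an
offline machine: listen on the ports it dials, keep what it sends, and score the
payload's byte entropy to back up (or refute) 'looks like garbage, probably
encrypted'. Added illustration; only the port numbers come from the article,
and the payloads below are constructed, not captured trojan traffic."""
import math
import socket
import threading
import time
from collections import Counter

TROJAN_PORTS = (2000, 2002)   # what the fromage / salad5 variants connected to, per the write-up


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8 for random or well-encrypted data, ~4-5 for English text, 0 for padding."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes) -> str:
    """Crude triage verdict; the 7.0 threshold is an assumption, tune it on real samples."""
    if shannon_entropy(data) > 7.0:
        return "high-entropy (likely encrypted or compressed)"
    if data and all(32 <= b < 127 or b in (9, 10, 13) for b in data):
        return "printable text (plaintext keystrokes or a handshake?)"
    return "mixed binary"


class Sink:
    """Listen on one port, record up to max_bytes from each connection, never answer."""

    def __init__(self, port, host="127.0.0.1", max_bytes=4096):
        self.host, self.max_bytes = host, max_bytes
        self.captures = []                      # (peer, bytes) per connection
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind((host, port))
        self._srv.listen(5)
        self.port = self._srv.getsockname()[1]  # port=0 lets the OS pick a free one
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, peer = self._srv.accept()
            except OSError:
                return                          # listener closed
            with conn:
                conn.settimeout(2.0)
                buf = b""
                try:
                    while len(buf) < self.max_bytes:
                        chunk = conn.recv(self.max_bytes - len(buf))
                        if not chunk:
                            break
                        buf += chunk
                except OSError:                 # timeout or reset: keep what we have
                    pass
            self.captures.append((peer, buf))

    def close(self):
        self._srv.close()


def capture_one(payload: bytes, port: int = 0) -> dict:
    """Stand up a sink, play the trojan's side by sending payload to it, return the triage record."""
    sink = Sink(port)
    try:
        with socket.create_connection((sink.host, sink.port), timeout=2.0) as c:
            c.sendall(payload)
        deadline = time.time() + 5.0
        while not sink.captures and time.time() < deadline:
            time.sleep(0.02)
    finally:
        sink.close()
    if not sink.captures:
        raise RuntimeError("sink captured nothing")
    _, data = sink.captures[0]
    return {"port": sink.port, "bytes": len(data),
            "entropy": round(shannon_entropy(data), 2), "verdict": classify(data)}


if __name__ == "__main__":
    # Constructed payloads: a full byte spread models what the analyst saw ("garbage"),
    # a beacon line models what an unencrypted variant would send instead.
    for payload in (bytes(range(256)) * 2, b"BEACON host=SACRIFICE user=lab\r\n"):
        print(capture_one(payload))
```

On the real scratch box you would run Sink(2000) and Sink(2002) and map fromage.no-ip.info and salad5.no-ip.info to that machine's address. A high-entropy verdict only says the bytes are not plaintext; identifying the cipher, as with Bifrose, still comes from the registry keys and the binary itself, not from the wire.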