
Ticketmaster / Ticketweb hacked?

David | February 11, 2012

This afternoon I received an email with the spammy subject “Action Required : Update Your PDF Application”. I almost ignored it until I noticed that the link inside pointed to a domain owned by Ticketmaster. As I have shopped with Ticketmaster before, perhaps this isn’t so surprising.

My first thought was that Ticketmaster had a dodgy redirect on their site, until I looked at the email and saw that it was actually sent from Ticketmaster’s network. I have broken my current findings down below.

Update 1 day later: See the comments at the end of this post. I have also received the same email from Ticketmaster confirming that they had a security breach. However, the links are still active, which suggests they may not have a proper handle on this yet.

Update 2 days later: See my followup post.

The spam email

The first part of the email body looks like this:

INTRODUCING UPGRADED ADOBE ACROBAT READER 2012
Since the Holidays are in full swing and the New Year is approaching, we've decided to unveil our latest Adobe PDF Reader/Writer 2012 Version

http://www.2012-acrobat-adobe-download.com

The link actually points to a rather long URL:

http://smr.mm.ticketmaster.com/track?type=click&enid=ZWFzPTEmbWFpbGluZ2lkPTE0MTQzNjMmbWVzc2FnZWlkPTE0NDU0MjMmZGF0YWJhc2VpZD1EQVRBQkFTRUlEJnNlcmlhbD0xNjgxNzIzMyZlbWFpbGlkPWRhdmlkQGVkZWNhLm5ldCZ1c2VyaWQ9NTM3NzYyMzE3JmZsPSZleHRyYT1NdWx0aXZhcmlhdGVJZD0mJiZodHRwOi8vd3d3LjIwMTItYWNyb2JhdC1hZG9iZS1kb3dubG9hZC5jb20v

The important headers (remember that any of these can be forged) were:

Received: from dspam by mx.lionserver.co.uk with dspam-checked id 1RwEuO-0004HV-Re
for MYEMAIL; Sat, 11 Feb 2012 15:30:40 +0000
Received: from sms1-els203-83.mm.ticketmaster.com ([209.104.36.83])
by mx.lionserver.co.uk with esmtp id 1RwEuI-0004HJ-4v
for MYEMAIL; Sat, 11 Feb 2012 15:30:40 +0000
Received: from sms2.mm.els203.clisys.tmcs ([10.75.20.210]) by sms1-els203-83.mm.ticketmaster.com (-); Sat, 11 Feb 2012 07:29:57 -0800
X-VirtualServer: Default, sms1-els203-83.mm.ticketmaster.com, 10.75.20.213
X-VirtualServerGroup: Default
X-MailingID: 16817233::1414363::DATABASEID::1445423::537762317::202579
X-SMHeaderMap: mid="X-MailingID"
X-Destination-ID: MYEMAIL
X-SMFBL: ZGF2aWRAZWRlY2EubmV0
Content-Transfer-Encoding: 7bit
Content-Type: multipart/alternative;
boundary="----=_NextPart_22E_57A8_7C013F27.75C101A9"
MIME-Version: 1.0
Message-ID: <16817233.202579@TICKETWEB.CO.UK>

So there is a Received header indicating this came straight from Ticketmaster’s network, plus a few Ticketmaster-specific headers. The Ticketmaster header X-SMFBL contains my email address, base64 encoded.

Mail origins

The Received headers suggest this email came from 209.104.36.83. A spammer could have added that header themselves, so let’s check the mail server’s own logs and see where it really came from:

2012-02-11 15:30:40 [16449] 1RwEuI-0004HJ-4v <= return_smverp_.16817233.1414363.DATABASEID.1445423.537762317.202579._smverp_.david=edeca.net@ab.mm.ticketmaster.com H=sms1-els203-83.mm.ticketmaster.com [209.104.36.83] P=esmtp S=6908 id=16817233.202579@TICKETWEB.CO.UK T="Action Required : Update Your PDF Application"

The mail server log confirms that it did come from 209.104.36.83. That IP address is sms1-els203-83.mm.ticketmaster.com, and the netblock is registered to “Ticketmaster Online – CitySearch, Inc.”.

The embedded URL

The URL above contains a long Base64-encoded section (the enid parameter) which decodes to:

eas=1&mailingid=1414363&messageid=1445423&databaseid=DATABASEID&serial=16817233&emailid=MYEMAIL&userid=537762317&fl=&extra=MultivariateId=&&&http://www.2012-acrobat-adobe-download.com/

Much of this again looks Ticketmaster-specific. The mailingid, messageid, serial and userid values match the fields of the X-MailingID header above. At the end is the obvious redirect to the fake website.
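As an added example (not code from the original post), the two checks made above, decoding the enid tracking parameter and comparing the Received header added by my own MX with the mail server's log, written in Python. The sample data is constructed from the values quoted in the post (MYEMAIL stands in for the recipient address, the return path is a placeholder) and the X-MailingID field order is an assumption inferred from the decoded string.

```python
import base64
import re
# Constructed sample data, copied from the headers, tracking URL and Exim log line
# quoted in the post; the long VERP return path is shortened to a placeholder.
RECEIVED_FROM_OUR_MX = ("Received: from sms1-els203-83.mm.ticketmaster.com "
                        "([209.104.36.83]) by mx.lionserver.co.uk with esmtp id 1RwEuI-0004HJ-4v")
EXIM_LOG = ("2012-02-11 15:30:40 [16449] 1RwEuI-0004HJ-4v <= bounce@ab.mm.ticketmaster.com "
            "H=sms1-els203-83.mm.ticketmaster.com [209.104.36.83] P=esmtp S=6908")
X_MAILING_ID = "16817233::1414363::DATABASEID::1445423::537762317::202579"
DECODED_ENID = ("eas=1&mailingid=1414363&messageid=1445423&databaseid=DATABASEID&serial=16817233"
                "&emailid=MYEMAIL&userid=537762317&fl=&extra=MultivariateId="
                "&&&http://www.2012-acrobat-adobe-download.com/")
# Re-encoded without '=' padding, as the real tracking link was
ENID = base64.b64encode(DECODED_ENID.encode()).decode().rstrip("=")

def decode_enid(enid):
    """Split the enid tracking blob into its key/value fields and the redirect target."""
    padded = enid + "=" * (-len(enid) % 4)          # restore stripped base64 padding
    decoded = base64.b64decode(padded).decode()
    params, _, redirect = decoded.partition("&&&")  # the redirect is glued on after &&&
    fields = {}
    for pair in params.split("&"):
        key, _, value = pair.partition("=")          # split on the first '=' only
        fields[key] = value
    return fields, redirect

def mailing_id_fields(header_value):
    """X-MailingID is '::'-separated; the field order is an assumption inferred from the enid."""
    names = ["serial", "mailingid", "databaseid", "messageid", "userid"]
    return dict(zip(names, header_value.split("::")))

def ids_consistent(enid, header_value):
    """True if the tracking URL and the X-MailingID header describe the same mailing."""
    fields, _ = decode_enid(enid)
    return all(fields.get(k) == v for k, v in mailing_id_fields(header_value).items())

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_ip(received_header):
    """Peer IP recorded in a Received header (trust only the one your own MX added)."""
    match = IP_IN_BRACKETS.search(received_header)
    return match.group(1) if match else None

def log_ip(exim_line):
    """Peer IP from an Exim '<=' arrival line, taken from its 'H=host [ip]' field."""
    match = re.search(r"H=\S+ " + IP_IN_BRACKETS.pattern, exim_line)
    return match.group(1) if match else None

def origin_confirmed(received_header, exim_line):
    """A Received header could be forged; the MX's own log cannot, so they must agree."""
    return received_ip(received_header) == log_ip(exim_line)
```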

The fake website

The fake website is nothing special, but it does use Adobe’s trademarked logos and styles heavily. The disclaimer at the bottom probably won’t get them out of this. The website exists only to point the user to an affiliate link for some PDF-related software that has nothing to do with Adobe itself. A screenshot of the website appears below.

Conclusion

Nothing conclusively shows that Ticketmaster have been hacked. It could be an affiliate of theirs, or a customer who has permission to send emails using the Ticketmaster service. What is clear is that it definitely came from Ticketmaster and uses their service.

Four hours after this was first reported to Ticketmaster on Twitter the link still works and some spammers somewhere are still collecting the click-through cash.

Whatever transpires, I’ll be unsubscribing.


Stupid password rules

David | November 24, 2011

Today I forgot the password for a site I use only occasionally. This is rare, as I have a number of password schemes that I use to create a password unique to each site. After clicking the reset password link, I am confronted with the “password strength checker” below:

This list of rules doesn’t fit very well with my password scheme, primarily because what I computed in my head fails the test for uppercase characters.

Using the phrase “this is an unbelievably long password that would take a very long time to crack” fails this rule too, as well as the tests for a number and punctuation. I’m not suggesting that this is a good password, but it’s certainly better than “aA1!bcde”, which passes all the rules. Those 8 characters are trivial to brute-force on any modern machine, even if the underlying software uses a salted hash.

The offending software appears to be Jive, who perhaps need to set some more sensible defaults on their login system.
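As an added example (not the checker from the post, whose screenshot is not reproduced here), a constructed approximation of the three rules the text mentions, with a crude keyspace estimate showing why the long phrase is the harder target. The character-class sizes, the 10^10 guesses per second rate and the rule set itself are assumptions.

```python
import math
import string

# Constructed approximation of the checker described in the post: only the rules
# the text mentions (uppercase letter, digit, punctuation), not Jive's real rules.
def passes_rules(password):
    """Composition rules of the kind the post complains about."""
    return (any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))

# Character classes and their sizes; the alphabet size drives the brute-force cost
CLASSES = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
           (string.digits, 10), (string.punctuation, 32), (" ", 1)]

def keyspace_bits(password):
    """log2 of the candidates a blind brute force must try: the union of the
    character classes actually used, raised to the password length."""
    alphabet = sum(size for chars, size in CLASSES if any(c in chars for c in password))
    return len(password) * math.log2(alphabet)

def years_to_exhaust(password, guesses_per_second):
    """Worst-case time to enumerate the whole keyspace at a given guess rate."""
    return 2 ** keyspace_bits(password) / guesses_per_second / (365 * 24 * 3600)

SHORT = "aA1!bcde"          # passes every rule, only 8 characters
PHRASE = "this is an unbelievably long password that would take a very long time to crack"

def compare(rate=10**10):   # 10^10 guesses/s: assumed rate for a fast hash on GPUs
    """Rule verdict, keyspace bits and worst-case years for the two passwords from the post."""
    return {pw: (passes_rules(pw), round(keyspace_bits(pw)), years_to_exhaust(pw, rate))
            for pw in (SHORT, PHRASE)}
```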


Welcome to the IPv6 world

David | November 7, 2010

This blog can now be reached over IPv6 (or ipv6.edeca.net), which is surely the final nail in the coffin of IPv4 across the internet.


Blocking SSH brute forcing using denyhosts

David | January 7, 2010

Tired of seeing repeated attempts to log in to a Linux server you run? There are a number of options, all with their own benefits and disadvantages. The easiest is to move the port that the SSH server listens on, perhaps to 2222 instead of 22. However, this can be annoying behind some firewalls and means that you need to specify the port each time you SSH to a host. This post looks at denyhosts, a viable alternative.

