America’s Army fails at “securing our homeland”
I was too busy to post this earlier, but you know how I love to point out insecure systems? This story begins back in 2005, when I registered to play America's Army. As I have noted in the past, I do such things with a unique email address that is tied to the site in question. So I played the game for a year or so, and then eventually lost interest.
Fast forward to this last Thursday, when I get a spam email that is sent to the address that only America's Army should have had! I'm sure you're itching to see message headers, so here you go:
X-Original-To: TheUniqueEmailAddress
Delivered-To: email@example.com
Received: from www.dehjahvew-marketing.com (unknown [22.214.171.124]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by homiemail-mx8.g.dreamhost.com (Postfix) with ESMTPS id 73C2F72C493 for TheUniqueEmailAddress; Thu, 21 Jul 2011 14:57:35 -0700 (PDT)
Received: (qmail 13636 invoked by uid 0); 21 Jul 2011 21:42:14 -0000
Date: Thu, 21 Jul 2011 14:42:14 -0700
To: TheUniqueEmailAddress
From: Dehjahvew Online Marketing
Reply-To: Do Not Reply
Subject: Discover the best of Cancun with special offers from the Villa Group
Message-ID: <firstname.lastname@example.org>
X-Priority: 3
X-Mailer: PHPMailer (phpmailer.sourceforge.net) [version 2.0.4]
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1_714bd4ff4c721c0ddc0611a28a896348"
I'm sure you'll notice the domain dehjahvew-marketing.com mixed in there. That is not a forgery; many of the links in the body (HTML, but stupidly specified as text/plain) do indeed go there. Although the server is in Germany, the domain registration is hidden behind a proxy. Also listed in the spam is villagroupresorts.com, which is clearly the party hoping to profit from all this. Domain registration places them in Mexico, with their web host being in California.
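The per-site address trick above only pays off if you can quickly tie an incoming message back to the site that was given that address and to the host that handed it to your mail server. The script below is an added example, not code from the post: it parses a header block (a constructed sample modelled on the headers above, with example.net and 192.0.2.10 placeholders), looks the X-Original-To address up in a hypothetical registry of which site got which address, and pulls the host and IP from the outermost Received hop.

```python
import re
from email.parser import HeaderParser

# Constructed sample headers, modelled on the post's message (not the real one).
SAMPLE_HEADERS = """X-Original-To: aa-canary@example.net
Delivered-To: inbox@example.net
Received: from www.spam-sender.example (unknown [192.0.2.10])
\tby mx.example.net (Postfix) with ESMTPS id 73C2F72C493
\tfor aa-canary@example.net; Thu, 21 Jul 2011 14:57:35 -0700 (PDT)
Received: (qmail 13636 invoked by uid 0); 21 Jul 2011 21:42:14 -0000
From: Marketing <noreply@spam-sender.example>
Subject: Discover the best of Cancun
"""

# Hypothetical registry: which site each unique address was handed to at sign-up.
CANARY_REGISTRY = {
    "aa-canary@example.net": "americasarmy.com",
    "shop-canary@example.net": "some-shop.example",
}

def parse_headers(raw):
    """Parse a raw header block (folded continuation lines are handled)."""
    return HeaderParser().parsestr(raw, headersonly=True)

def canary_owner(msg):
    """Site the recipient address was registered with, or None if unknown."""
    addr = msg.get("X-Original-To", "").strip().lower()
    return CANARY_REGISTRY.get(addr)

def external_origin(msg):
    """Host and IP from the outermost Received hop, i.e. who handed mail to our MX."""
    for rcvd in msg.get_all("Received", []):
        m = re.search(r"from\s+(\S+)\s+\((?:\S+\s+)?\[([\d.]+)\]\)", rcvd)
        if m:
            return m.group(1), m.group(2)
    return None

def attribute_leak(raw):
    """Tie a message to the site that leaked the address and the host that sent it."""
    msg = parse_headers(raw)
    origin = external_origin(msg)
    return {
        "leaked_from": canary_owner(msg),
        "sender_host": origin[0] if origin else None,
        "sender_ip": origin[1] if origin else None,
        "subject": msg.get("Subject"),
    }

if __name__ == "__main__":
    print(attribute_leak(SAMPLE_HEADERS))
```

Only the outermost Received line is worth trusting, since every hop before your own MX can be forged by the sender.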
But the real question remains. How did these people get access to America's Army servers to extract the email address in the first place? Are other people who have registered with America's Army getting the same spam? What other personal information has been compromised? What other servers in their network have been compromised? Let's see if anyone else notices a pattern in the coming days/weeks.