Advertisers aren't the only ones exploiting the Windows pop-up feature to broadcast messages to Internet users. Crooks have deployed the same technology to launch an identity-theft scheme aimed at America Online users on vulnerable Windows systems.
In recent months, advertisers have broadcast a slew of messages to Internet users, many of the ads pitching software to block Windows Messenger spam.
Last Thursday a scammer sent what security experts call a "phishing" notice to AOL members through the Messenger service. A gray pop-up window appeared on AOL users' computers, allegedly from "AOL Billing," and instructed them to visit a website -- updatedp.com -- to correct problems with their credit card numbers.
According to Natalie Graham, an AOL user in Utah who received the pop-up, the scam site appeared to be "an authentic-looking AOL page." She became suspicious, however, when the site asked for her name, address, credit card number, mother's maiden name, birthday, Social Security number, driver's license number, master screen name and password.
"That seems like an awful lot of personal info for my billing," said Graham, who reported that she did not fall for the scam.
Phishing ploys, usually delivered by e-mail, are hardly new to AOL. But the updatedp.com pop-ups are a glaring indication that a blockade reportedly put in place by AOL late last year to protect its users from Windows Messenger service pop-up spam isn't working.
Back in November 2002, AOL hailed the changes it made to its network to block the new breed of pop-ups as "a big victory for our members." According to news reports, AOL filtered incoming traffic to UDP port 135, the computer port address used by the Messenger service, shortly after spammers discovered the Windows feature could be exploited to anonymously broadcast thousands of pop-up ads per hour to Internet users.
But tests conducted by Wired News and myNetWatchman -- along with numerous recent complaints from users on AOL's message boards -- indicate that the AOL service is still wide open to Messenger service spam using other port addresses.
While signed on to the AOL service over a dial-up connection, Wired News was able to receive test Messenger service pop-ups sent by myNetWatchman using UDP port 1026, whereas test messages targeted at UDP port 135 failed. While Wired News was conducting the test, real pop-up spams arrived on the test PC advertising pop-up blocking software from MessengerKiller.com and EndAds.com.
AOL spokesman Andrew Weinstein confirmed Monday that the online service's blockade is no longer fully effective. "As we expected, spammers have found a way around those filters, but we continue to investigate new possible solutions," he said.
Indeed, the website of one software program that sends Messenger spam boasts of having a "special delivery method" that bypasses AOL's filters. According to the site, "Our messages make it there; competitors' products don't."
Weinstein said AOL has posted instructions (available at AOL Keyword "Pop-Up") on how users can protect themselves from Messenger pop-up ads by downloading a free program that shuts off the Messenger service.
A recent bulletin published by Microsoft, however, says disabling the Messenger service is a last resort and Windows users should first install a software firewall to protect against the pop-ups. Weinstein said AOL believes most home users can safely disable the Messenger service without affecting bona fide applications that may need to use it.
The updatedp.com site is currently unreachable. Robert Little, the Michigan man listed as the site's registrant, did not immediately respond to interview requests.
AOL's Weinstein said he had no further information on the scam site. He noted that users of the online service are targeted by "a wide variety of scammers who go try to collect their billing information" but affirmed that AOL never asks members for such information.
Originally designed to allow network administrators to send messages to users on a Windows network, the Windows Messenger service is a potentially powerful tool for tricking gullible AOL users. While many are conditioned to identify official e-mails from AOL by their special blue color, the new pop-ups may fool some AOL users as "having an air of authenticity," Baldwin said.
Most AOL users, however, simply seem to find the Messenger service pop-ups annoying, especially since AOL 8.0 is advertised to provide protection against all kinds of pop-up advertising.
Last week, an AOL member named Evelyn was among several users of the service's message boards complaining of pop-ups.
"I want to know if the gray pop-ups (with a blue title 'Messenger Service') are an AOL problem. They appear quite often in the middle of the screen inviting the Internaut to buy something or to connect to a Web service to get rid of these pop-ups.... I don't want to contact the websites of those pop-ups: They are the troublemakers," she wrote.
AOL is not the only Internet service provider currently blocking all port 135 traffic. Many ISPs began filtering the port last month to mitigate the spread of the MSBlaster computer worm, Baldwin said. While AOL also could block UDP ports 1025-1029 to fully eliminate Messenger service spams, the big ISP likely is worried about the potential "collateral damage" such a move might cause to users with legitimate programs that require those port addresses, he said.