INeedAttention.com

Rants on business, science, technology, society, politics, police, and justice, plus life hacks and tricks, since 2003.


Advanced AIM Spam-bots

November 12th, 2007 · 43 Comments

“I make myself very available.” This attitude leads to both opportunities and annoyances. More often than not, it leads to annoyances. One of the key annoyances it leads to is spam. Spam arrives in my mail box, my PO box, my email inbox, and now in my AOL Instant Messenger client. But the spam I’ve been receiving isn’t your typical spam that offers cheap prescription drugs, a larger penis, a second mortgage, or an opportunity to help a former Nigerian prince disburse his father’s estate. This was much different.

I woke up this morning to this message, at least the third of this type that I’ve received:

(4:39:17 AM) shoppink141: hey

IM from screenname shoppink141

First, in case you’re wondering why my copy of AIM doesn’t have a million animated wacky smileys and advertisements with sound playing on my screen, it’s because I’m using Pidgin, the free, open-source alternative to not just AIM, but MSN messenger, Yahoo messenger, and a host of other popular chat programs. If you use more than one messaging service, Pidgin is the way to go. Try it.

Anyway, I looked at the user profile, and I recognized it immediately as being nearly identical to the other messages I’ve received like this. The away message and profile read:

be back in a bit...
---
I once wanted to kill the most beautful girl in the world... and then i realized, suicide is a sin :-*
my profile holla at cha girl ;)

The spam-bot’s AIM profile

The thing about this that I find most interesting is that the screen name was apparently registered at some time in 2006. This leads me to believe this was at some point a legitimate AIM account that was hijacked by the spam-bot, probably because of a trojan horse virus or phishing attack. But the entire reason that I received this message is apparent right here: there is a prominent link to “my profile”.

The spammer uses a number of psychological tactics to entice the user to click the link.

  • The profile uses “girly” colors — no self-respecting man would ever use such a color scheme.
  • There is an overtly visceral quote that implies the message’s sender is in fact a beautiful woman and not a computer program.
  • The link is followed by the imperative phrase “holla at cha girl”, directing the user to click the link so that they can contact this user.

And as we all know, online advertisers love to use images of women because there are simply so many desperate men on the internet. You could try to contact the user directly by sending them an instant message, of course. This is perhaps the most clever psychological tactic used by this bot. If you send the bot a message, it sends back a “buddy typing” signal, but never sends a message (note the keyboard icon in the upper-right corner of the IM window, next to the red ‘X’):

A message from the spam-bot shows a status of “buddy typing”

The bot will never change status; it will seem to type to you in perpetuity. Can you see how this would lead unsuspecting users to click the link in the bot’s profile?

You receive a message, purporting to be from a good-looking girl, saying hello, but they seem to be having trouble replying to you. Perhaps you would check their profile and try and view their “other” profile.

If you were to, you would be linked to http://perfspot.bigtracking.com/. I had never heard of this URL, and a quick Google search revealed that basically, neither had anyone else. In fact, it seems that BigTracking.com is just a parked page, and therefore that “perfspot.bigtracking.com” is just a front for something. PerfSpot was actually the first site I was linked to by these spam messages. It made it seem as if PerfSpot itself was being promoted. PerfSpot appears to be a legitimate but unpopular social networking site; however, since I didn’t sign up, I can’t confirm that’s what it actually is.

That page, perfspot.bigtracking.com, contains only a JavaScript redirect to the URL “http://perfspot.bigtracking.com/fw.redirect”, which then contains an HTTP redirect to “http://generousgenie.com/”. Generous Genie contains numerous hot-linked references to a site called rewardsgateway.com, which unsurprisingly is in the business of selling advertisements and leads to online marketers. As is the hallmark of all illegal, out-of-compliance operations, this site’s contact page is completely blank (try it). This is not to say Rewards Gateway is directly responsible for the spam messages. Here’s how this works:

Rewards Gateway operates its own shady advertising ring. But they only make money when people actually see the ads. So they get “affiliates” — third party spammers, err, publishers — to spread the word for a fee. Usually that fee is dependent on sign-ups for some kind of offer (e.g., we pay you for each person you get to not only click the ads, but sign up for the advertiser’s product). Thus, the spammers, err, publishers, go out and find creative ways to get people to sign up for their affiliate network offers. In this case, someone’s created a rather nifty AIM spam bot to do that. Of course, how they are harvesting screen names is still a bit of a mystery to me, but frankly I’ve spread my screen name out there so much it would be hard to miss it.
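The redirect chain described above (a JavaScript redirect, then an HTTP redirect, then a landing page that hot-links a third party) can be reconstructed from saved responses without opening the link in a browser. This is an added example, not code from the original post: the URLs are the ones named in the post, while the response bodies, the banner path and all function names are constructed for illustration.

```python
import re
from urllib.parse import urljoin, urlparse

# Constructed capture of the chain described in the post: url -> (status, headers, body).
# The URLs come from the post; the bodies and the banner path are made up.
CAPTURED = {
    "http://perfspot.bigtracking.com/": (
        200, {},
        '<html><script>window.location = '
        '"http://perfspot.bigtracking.com/fw.redirect";</script></html>'),
    "http://perfspot.bigtracking.com/fw.redirect": (
        302, {"Location": "http://generousgenie.com/"}, ""),
    "http://generousgenie.com/": (
        200, {},
        '<html><img src="http://rewardsgateway.com/banner.gif"></html>'),
}

# Literal-string redirects only; obfuscated script needs a sandboxed browser instead.
JS_REDIRECT = re.compile(
    r"""(?:(?:window|document|top|self)\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']"""
    r"""|location\.(?:replace|assign)\(\s*["']([^"']+)["']\s*\)""", re.I)
META_REFRESH = re.compile(
    r"""<meta[^>]+http-equiv\s*=\s*["']?refresh["']?[^>]*"""
    r"""content\s*=\s*["']?\s*\d+\s*;\s*url\s*=\s*([^"'>\s]+)""", re.I)
REFERENCE = re.compile(r"""(?:src|href)\s*=\s*["']([^"']+)["']""", re.I)


def next_hop(url, status, headers, body):
    """Return (mechanism, absolute_target) for one response, or None if terminal."""
    location = {k.lower(): v for k, v in headers.items()}.get("location")
    if 300 <= status < 400 and location:
        return ("http-%d" % status, urljoin(url, location))
    match = META_REFRESH.search(body)
    if match:
        return ("meta-refresh", urljoin(url, match.group(1)))
    match = JS_REDIRECT.search(body)
    if match:
        return ("javascript", urljoin(url, match.group(1) or match.group(2)))
    return None


def trace(start, fetch, max_hops=10):
    """Follow redirects through saved responses; fetch(url) returns a tuple or None."""
    chain, seen, url = [], set(), start
    while len(chain) < max_hops:
        if url in seen:                       # redirect loop: stop instead of spinning
            chain.append((url, "loop"))
            break
        seen.add(url)
        response = fetch(url)
        if response is None:                  # hop was never captured
            chain.append((url, "not-captured"))
            break
        hop = next_hop(url, *response)
        if hop is None:
            chain.append((url, "final"))
            break
        chain.append((url, hop[0]))
        url = hop[1]
    return chain


def third_party_hosts(page_url, body):
    """Hosts referenced by src/href attributes that differ from the page's own host."""
    own = urlparse(page_url).hostname
    hosts = {urlparse(urljoin(page_url, ref)).hostname for ref in REFERENCE.findall(body)}
    return sorted(h for h in hosts if h and h != own)


if __name__ == "__main__":
    for hop_url, mechanism in trace("http://perfspot.bigtracking.com/", CAPTURED.get):
        print(mechanism.ljust(12), hop_url)
    landing = "http://generousgenie.com/"
    print("third parties:", third_party_hosts(landing, CAPTURED[landing][2]))
```

Recording the mechanism at each hop matters because a client that only follows HTTP redirects would stop at the first page and never see the JavaScript hop.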

For anyone interested in adding me to more spam lists, my screen name is “ImCoolandTough”. Have you received similar AIM message spam? Do you know anything more about these spammers? Comment below and share!


43 responses so far ↓

  • 1 jason // Nov 27, 2007 at 8:36 am

    don’t forget about the screennames lildevil90182,mysterychick2812,jasmine405951,
    jasmine65199,LilJkiddBaller6,SuperSexySteph32,
    thefaithiscream,xxoxalyoopxoxx,verywetsitesk and about 20 more that i’ve already blocked. i thought i knew exactly who it was because of some of the names and when i started getting the messages. but now your page makes me second guess that. do you have any ties to michigan?
    or to denso?

  • 2 peteru // Nov 28, 2007 at 2:41 pm

    Sorry Jason, I’m not from Michigan nor tied to Denso. Thanks for the other names, I’m sure I’ve seen some of them before.

  • 3 Nick // Nov 29, 2007 at 10:55 pm

    sn’s that keep bugging me, mx55kx and jasmine461815

    meh

  • 4 Annamarie // Dec 4, 2007 at 11:01 am

    I have had jade207726 as well. Blocked that and jasmine461815.

  • 5 Shawn // Dec 6, 2007 at 8:07 pm

    I’ve been messaged by jasmine135520 and smeggy120213. I clicked on the link and actually signed up for the facebook-like website, it seems legit. I haven’t seen any adverse effects, so I guess (hopefully) it didn’t install anything on my computer.

  • 6 Joe // Dec 28, 2007 at 10:49 am

    I just got a slightly different one– from a CrushAlert96965. It leaves me a “blast” from the BuddyBulletin feature of AIM, says nothing to me when I type, but has a link in its profile saying “Click here to reveal your crush.” Upon hovering, the hyperlink is http://alinks.bigtracking.com/?5
    Yes, a question mark, it’s not an unknown character.

  • 7 Karl // Jan 2, 2008 at 10:08 am

    Thanks for posting something about how fake these bots and website are–yours is the only result I get on google when I searched “alinks.bigtracking.com”. My bot was CrushAlert73865.

  • 8 peteru // Jan 2, 2008 at 4:33 pm

    Got another one from CrushAlert4844 today. It read: “You’ve received a buddy crush from someone on your buddy list!”

  • 9 Mike // Jan 4, 2008 at 1:12 pm

    Yes, I got one from “CrushAlert18520: You’ve received a buddy crush from someone on your buddy list!” today.

    They don’t respond and in the bot’s profile, it reads the same “Click here to reveal your crush.” with click here as a link to
    http://alinks.bigtracking.com/?5 .

    O.k. I’ll just warn this idiot ad and be on my way, nope. Aim Bots can’t be warned… it has the AIM Icon that every other Aim Bot, trying to gain your trust.

    This site just redirects the user to a sub-site of yourcrush.net which is another ad trying to get people to sign up for an “imatch gold membership”

    I just used another p.o.s. computer to find out where the links went. I google searched the screenname and found nothing, but another google search of “alinks bigtracking” brought me to this site.

  • 10 dave // Jan 5, 2008 at 9:42 pm

    jellagurl2148 is one i got at like 4:30 am.

  • 11 Kristen // Jan 8, 2008 at 4:13 pm

    I got an im just now from CrushAlert75939
    I am usually really good with avoiding spam and viruses that are from aim “bots” and such but I was dumb this time.. is this a virus or just spam? All it did was send me to a blank page and I ex’ed out because i realized that it was fake.

  • 12 Michael // Jan 11, 2008 at 3:44 pm

    I got a, jade836746 talking about a crush alert from someone on my buddy list.

  • 13 Ash // Jan 13, 2008 at 12:49 pm

    i just got the jade836746 one too

  • 14 David // Mar 9, 2008 at 5:03 pm

    I got one some time yesterday from a crush alert. I have something to add to this though, and you may find this interesting…

    A couple months ago one of those bots sent me a message on AIM, and I replied to the bot. Shortly thereafter, I got a message from a random person asking who I was. So I asked this person who he/she. I don’t remember the details but somehow he got a message from my screen name telling him to click one of those potentially malicious links.
    I believe the message he got was somewhere along the lines of, but not necessarily exactly,
    “AIM Forward: MyScreenName has sent you a message. “Hey, check out this cool new site! click here!”
    So he got a message from a bot that used my own screen name. That’s rather crafty…. because if he checked my info he would find that I am in fact, a real person.
    Also, sites like perfspot ask for your e-mail address and password so that they can retrieve your address book. If you allow them to do that, then they automatically send out an invite from you to everyone in your address book to join the site.

  • 15 Joe // Mar 12, 2008 at 5:36 pm

    i got the CrushAlert4844 today…these things are really stupid.

  • 16 Jillian // Mar 12, 2008 at 6:59 pm

    I just got an IM “CrushAlert21443 (9:03:48 PM): hey” then the IMer signed off, signed back on, and went away. Kinda confused me, I was a little thrown off but I googled and found this site. I did click the “revealcrush.com” that was in the profile, I admit I was curious, an extremely bad move, but nothing happened but was sent to an actual crush website where they ask for name and number and they will send information to your phone. However, the rates are $10 a month.

  • 17 li // Apr 28, 2008 at 3:32 pm

    i got 1 from blueeyeser saying “You’ve got a aim crush alert click to find out who you’ll never beleive it!!” and they say be4 i got 1 from clkpamela

  • 18 cp // May 12, 2008 at 5:27 pm

    well It seems that i’m getting an advanced version of this bot. every day or so i get at least 1 message from a different bot. they all look automade though… because sometimes its like (name)001…002…0003 etc…
    so they are getting better at this..

  • 19 Cresh // May 18, 2008 at 10:13 pm

    Someone has an AIM CRUSH on you! Click here – to find out who it is

    I get this message once every couple hours, always from a random name. I must admit, it’s getting kind of annoying, (especially considering how quiet i keep my IM name to prevent this kind of junk)

  • 20 Jenni // May 31, 2008 at 6:40 am

    Yeah….I’ve been getting crush alerts too. I don’t even use AIM…I use Trillian. But they still managed to Spam IM me……it’s a real pain in the butt…..

    I don’t even think I can keep track of the screen names…..they’re always different. I tried warning and blocking, so I’ve never got the same one twice….but since they’re computers, I guess they’ll just keep IMing me from different accounts….

  • 21 Norm // Jun 4, 2008 at 5:24 pm

    My screen name has been replicated as an AIM bot, and my profile in AIM gets altered to represent a spam link to a porno site. How can I get rid of this? Apparently, there is a flesh person behind it because he/she went into a chat room that I go to on occasion and becomes nasty to people on my buddy list. This seems illegal. I don’t, something such as defamation of character comes to mind. Is there a way that AOL can track this replicator down. I’m sure that if I was a pedophile, AOL or the FBI would be able to find me. What are my options?

  • 22 Mels // Jun 15, 2008 at 8:54 pm

    I usually get AIM crush spams…. but I just got this message… and i feel like its definitely gotta be spam:

    AIM (11:46:44 PM): Hey! Good news! Somebody says they are your buddy and wants you to show up on their AIM Profile. Click here now to see the 1 request(s) you have waiting.

    Yea… I’m not clicking it. Screw AIMs spam.

  • 23 Jenna // Jun 15, 2008 at 11:02 pm

    I mostly get blatant advertising bots from those lame-ass crush sites. “_____, YOU’LL NEVER GUESS WHO HAS A CRUSH ON YOU! CLICK HERE TO FIND OUT!”

    More than anything, I’d like to know where they’re getting my screenname from, so that I can take it off of said site. :/

  • 24 Ralph // Jun 29, 2008 at 8:58 am

    I see a lot of ‘Hey! I got one too … ‘ chatter here but not a lot of constructive advice. Simply blocking IDs of spambots as you get hit is ineffective because as one the spammers use multiple IDs and simply replace the ones that stop working with new ones.

    For those of you using Pidgin (a multi-service IM client for Yahoo, MSN, AIM, … yadda yadda yadda) I found an anti-bot plugin, Bot Sentry, that shows some promise. I’m installing it today. Check out this article:

    http://xabbott.wordpress.com/2008/03/16/instant-message-spam-and-pidgin/

    Good luck.

  • 25 Ralph // Jun 29, 2008 at 9:01 am

    GAWD! I hate it when I get in a hurry and fail to proof my posts or e-mails properly. Please excuse the editing errors in my previous post. 🙂

  • 26 OldFart // Aug 31, 2008 at 11:20 am

    I found this forum/blog while trying to Google for “AIM Crush”. Very interesting information, and thank you! Keep up the good work!

    A few notes: to Mike (posted Jan 4, 2008), while it’s technically true that you can’t warn AIM-Bots, these spIM bots are not official AIM-Bots{tm}. They are simply bots on AIM, and they CAN be warned. In fact, I do so to each and every one, knowing it won’t do anything but eventually impose rate-limits on how much more traffic they can blast across the wire. ( http://en.wikipedia.org/wiki/AOL_Instant_Messenger#Terminology )

    To Norm (posted Jun 4, 2008), what you describe is not possible. Each screen name is unique and what it sounds like is that someone else now has your password. But… before you change your password, that’s PROBABLY because your machine is infected with a trojan horse which will send your new password to the scammer. Follow the instructions on AIM.com to remove viruses and trojan horses ( http://www.aim.com/help_faq/security/trojan.adp ) and then don’t click on any suspicious links from porn sites, lottery winning notifications, notices from AOL/AIM that direct you to sites OTHER than AOL/AIM, etc. If the hyperlink looks too good to be true, it is.

    For your collection and analysis, here are 68 more screen names who have sent my screen names variants on this AIM Crush spIM:

  • 27 Rebekkah // Dec 28, 2008 at 6:48 am

    I’ve been getting a lot from “BeardOfGorbachev” and other weird names like it. Most all of my friends have oddball names like this one… so most of the time I assume it is someone I know.

    Most all the messages go something like this:
    BeardOfGorbachev (2:52:51 AM): Excuse me.
    BeardOfGorbachev (2:53:04 AM): May I have the screen name of your ex that messaged you for sex?

    Then when I wake up in the morning, they are offline.

    AIM needs to figure out some way to halt all this, or I will be stopping my usage of their product.

  • 28 Rebekkah // Dec 28, 2008 at 6:56 am

    I think I figured out how they get screen names:

    rokrxr2 (3:01:58 AM): Hi. Your ex-boyfriend just posted this on a site telling people to spam you:
    rokrxr2 (3:01:58 AM): [02:51]********: Hey, wanna come over and have sex?
    [02:51]RebekkahKrystine: We broke up 8 months ago fucker stop talking to me.
    [02:52]********: Is that a no?

    AIM. Fuck with her if you want.
    rokrxr2 (3:02:25 AM): May I have his AIM to post and get people to spam him instead?

    I had so many of these stupid things when I woke up that my computer took itself offline.
    Meaning they scared my antivirus so bad that it disconnected itself.
    Insane.

  • 29 tom // Mar 15, 2009 at 5:37 pm

    i got a message telling me i made this for you and after i tried to open it it said it was the trojan virus….. and its sending it to all my friends. what do i do??

  • 30 Brent // May 5, 2009 at 10:56 pm

    ryanwek7zthomp on aim is a crush spammer. Anybody tech savvy? I will give you the url he sent me. It actually has the letters “amfu” in it; making it weird or potentially hostile. This kind of thing isn’t for the less experienced, don’t try to take on this nonsense if you’re not prepared. Predatory retards don’t deserve our attention at all unless it’s to annihilate them.

  • 31 Missy // May 7, 2009 at 1:30 am

    I didn’t get any IMs from my AIM until I had to connect to BeBo last night; and early this morning I got my first one (I took out my screen name and typed underlines):
    anthony2cbezj1: Guess who just said they had an ( -A- )im ( -C- )rush on you!!! Find out at _________.newaimmessage.net

  • 32 aaron // Jun 21, 2009 at 1:27 am

    so i did a search on perfspot.com after i had come to this site and lo and behold found info with the owner of the site’s name. He is Hart Cunningham and well he is a dipshit , a marketing dipshit that runs a “social network” for marketers that targets generating on line leads. if you search just perfspot.com you can find all this info

  • 33 Amit // Jul 1, 2009 at 8:39 am

    I got this one this morning: [10:26] [CrushAlert]: [email protected] has invited you to join the “CrushAlert” AIM Blast group. Reply to this message with “!1” (no quotes) to join or “!2” to decline the invitation. Or click here for more information.

    This is a copy of the link location: http://blast.aim.com/join/Y3J1c2hhbGVydC0wY2E4NTJzc2NAYmxhc3QuYWltLmNvbQ==

    I haven’t checked it out yet, but figured i’d post it here.

  • 34 B // Sep 10, 2009 at 1:01 am

    Yah, I hate those crush things too. I’ve been getting them intermittently for years. But you know the worst part? I have gone through EVERY SINGLE ONE and still don’t know who has a crush on me! Why? Why must you hide, secret admirer?!

    Just kidding. But you know that someone out there must think that, which makes me both sad and chuckle at the same time.

    More on topic, I feel like there are four vectors for AIM spamming around. In order of how often I see them being active:
    1. Zombie computers – Generates new random sn’s to spam away. These tend to piggyback on either a centralized list, or just on existing users’ buddy lists accessed locally. Illegal. Also horribly annoying, because you know a friend’s sn is infected but it’s hard to figure out which one (unless you want to run an algorithm to figure out which sn is always on when you get spammed..)
    2. Password collectors – Web sites or services that take your password and do what they feel like with it. Probably not illegal, if they tell you they’re going to do it up front, but definitely bad practice.
    3. Profile trojans – Only affect the profile of a user, adding an extra link to spam others. Transmissible by clicking, but seem to die out once underlying exploit bugs (in the client, browser, or the OS) are fixed.
    4. Standard bots – I don’t see these around very much anymore. There used to be bots which were clearly set up by real humans to spam, with limited sets of account names. Probably died out because zombie machines will do all this and more.

    Anybody else see new ones? The social networking seems like the most recent thing, but zombies still rule the spam world that knocks on my door.
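The correlation suggested in the comment above (working out which buddy is always signed on when spam arrives) can be sketched as follows. This is an added example, not part of the original comment: the presence-log format, the screen names `buddy_a`, `buddy_b`, `buddy_c` and all timestamps (minutes since the start of logging) are constructed.

```python
from bisect import bisect_right

# Constructed presence log from an IM client: (minute, screen name, "on" or "off").
PRESENCE = [
    (0, "buddy_a", "on"),                                  # signed on the whole time
    (50, "buddy_c", "on"), (300, "buddy_c", "off"),
    (100, "buddy_b", "on"), (130, "buddy_b", "off"),
    (400, "buddy_b", "on"), (420, "buddy_b", "off"),
    (700, "buddy_b", "on"), (715, "buddy_b", "off"),
]
SPAM_TIMES = [110, 405, 710]    # constructed arrival times of spam IMs
WINDOW_END = 1000               # minute at which logging stopped


def was_online(stamps, states, t):
    """True if the last presence change at or before minute t was a sign-on."""
    i = bisect_right(stamps, t) - 1
    return i >= 0 and states[i]


def rank_suspects(presence, spam_times, window_end):
    """Rank buddies by share of spam events they were online for.

    Ties are broken by least total online time: a buddy who is always
    signed on covers every spam event by chance and tells us little.
    Returns a list of (screen_name, coverage, minutes_online).
    """
    changes = {}
    for minute, name, state in sorted(presence):
        changes.setdefault(name, []).append((minute, state == "on"))
    ranked = []
    for name, events in changes.items():
        stamps = [minute for minute, _ in events]
        states = [on for _, on in events]
        hits = sum(was_online(stamps, states, t) for t in spam_times)
        ends = stamps[1:] + [window_end]
        minutes_online = sum(end - start
                             for start, end, on in zip(stamps, ends, states) if on)
        ranked.append((name, hits / len(spam_times), minutes_online))
    ranked.sort(key=lambda row: (-row[1], row[2]))
    return ranked


if __name__ == "__main__":
    for name, coverage, minutes in rank_suspects(PRESENCE, SPAM_TIMES, WINDOW_END):
        print(f"{name:10s} online for {coverage:.0%} of spam, {minutes} min online in total")
```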

  • 35 H // Nov 25, 2009 at 9:02 pm

    flautistsgrunt27 is a spam one too

  • 36 Uhfgood // Nov 1, 2010 at 1:26 pm

    I realize this is about a year later, but I just recently got some spam from a screen name that was on my buddy list to click. I clicked the first time and firefox seemed to catch it. I just thought that this person had really IM’d me which is why I clicked it in the first place. What happens though is I would get the IM and then the user would be offline as soon as it was sent. My guess is that their IM client wasn’t compromised, and I don’t think mine is either because I’ve done a virus scan.

    Any ideas of how to stop that (when it’s someone on your own list, even though they’re not actually spamming you)?

  • 37 Peter // Feb 27, 2011 at 2:21 pm

    Download spybot or malware byte because some virus protections cant catch up with malware. u can be infected and u might not even kno ur aim is a zombie

  • 38 Artemis // Mar 13, 2011 at 4:02 pm

    I got a really weird one from an “njworld”

    njworld: hey
    me: hi?
    njworld: im sooooooooooooooooooo boreddddddddddddddddddddddddddddddddddddddddddddddddddd
    me: who is this?
    njworld: just a lonely girl looking to chat. you interested?
    me: er…..
    njworld: so anyways, what’s up?
    me: Um, I think you should let me know how you got my sn. I don’t know you.
    njworld: Oh, cool cool. hey you wanna do something fun?
    me: …..this is a bot, isn’t it?
    njworld: lol no i’m not a bot silly
    me: then tell me how you got my sn.
    -njworld is offline-

    ….. dunno what to make of it.

  • 39 MG // Jul 15, 2011 at 5:48 pm

    Got a message from one last night: kd1greene

    kd1greene: hey
    who is this?
    kd1greene: I cant belive you dont remember me
    again, who is this?
    kd1greene: I cant belive you dont remember me
    ….great a bot
    kd1greene: A bot? not hardly babe. Are you?
    I am super awesome, but hate that some how random bots find my screen name somehow
    kd1greene: Im not a freaking bot
    then why is it so hard to say who you are?
    kd1greene: Hey what’s up? 23/F here. u?
    *facepalm*
    kd1greene: Hmm. Have we chattted before?
    *facepalm*
    kd1greene: Oh sorrrry. l waasnt sure. Butt anywayyyssss.. What r u up to?

    I blocked them after that…

  • 40 askpcguy // Aug 1, 2011 at 4:29 am

    There is one thing that could be done, and if done enough times we’d have information that could be used to turn in to law enforcement.

    Open a cmd window and using the NETSTAT command, determine the remote IP of the spam bot. Hint, try direct IM connection. You’ll see a TIME_WAIT in netstat which potentially could be the spammers public IP.

    If enough people put effort into this, a list could be compiled and it’ll only be a matter of time before law enforcement might be interested.

    **Note I am passing along the high level overview of the procedure. Do research to find more details.

    [Editor’s reply: This will not work, since the bots will almost certainly not accept Direct IM connections. The “netstat” command is only able to show you the peers you are connected to, in this case, the AIM server is the peer, not the person you are messaging. The exception is during a Direct IM (hence the “direct” part).]

  • 41 askpcguy // Aug 1, 2011 at 4:36 am

    Amazing to see Artemis, I’ve seen similar behavior from a screen name I used to talk to but tried talking to again after time had passed.

    I had the exact same false conversation only a few months ago.

    As Agent Smith said in the Matrix when Neo was going to rescue Morpheus “Find them and destroy them (aim spammers)”

  • 42 Kara // Aug 25, 2011 at 8:01 am

    I keep getting messages from jaquelyncheer about her being a 22/f who says “I’m so bored, there’s like nothing to do… Oooooooh wait, maybe there is. Have you ever watched a girl strip on cam before?” even after I call her out on it, she keeps it up, then asks about signing up at this site and entering your credit card. And the spelling gets progressively worse. I can’t seem to stop it >_<

  • 43 Chris // Aug 27, 2011 at 5:46 pm

    It might be more effective if the bots actually gave you names and stuff.

    Since most of the people I know only use AIM to talk to people they specifically know..
    The bots might be better off answering to
    me: Who is this?
    bot: Angela.
    me: who?
    bot: you dont remember me? T_T
    me: uhhh. [feel guilty] vagggueelllyyyyyyyy…
