Tag Archive: mouse

Estonian Spammer Forges CBS and The Guardian

Get Rich Quick Scam Forges Genuine News Agencies Web Pages

Gmail Spam

I recently received two emails from a friend’s old Hotmail account, but to two of my email addresses.

Email Spam

Probably, the account has been hacked as I could detect no spoofing in the emails’ headers.  These are the emails, with the email addresses blacked out.

Initial Email Investigations

The text is similar in that they try to entice a user using pretty poor English to click on the shortened URL links, which are active.

Here’s how the links work:
To my email address:
cbsbusiness9

I had http://cbsbusiness9.com/index2.php?/5260 which then goes to

http://cbsbusiness9.com/uk.html?/partners/the-guardian/small-business/5672-9782-67834/making-money-online/

To my Gmail address:
cbsnews-article

I had http://cbsnews-article.com/index2.php?/4032 which then goes to

http://cbsnews-article.com/uk.html?/partners/the-guardian/small-business/5672-9782-67834/making-money-online/

The screenshots show the results using a neat Firefox plugin, Flagfox, which displays the source IP address and country on mouse-over.

The WHOIS’s of each domain are almost identical.  These are screenshots.

whois.domaintools.com screen capture 2012-12-12-17-12-26

whois.domaintools.com screen capture 2012-12-12-17-13-17

That Arthor Brown’s a one, eh?  Notice the Ukrainian, Russian and New York connections?  Who is, or what is:

TNew line ave 172 95
NY, 18274
UNITED STATES
+1.7343541732

Google Search on +1.7343541732

Googling the phone number pulls out a heap of (not)surprises including an awful cesspit of scamminess that’s now starting to rival Pacific Webworks’ Google Treasure Chest and Jesse Willms’ Colon cleansing efforts!  (We saw these scams a few years back – check the links)

Just check out the fake news and dodgy sounding sites in the search results….  These are the first couple of pages of current search results:

  • Com-news8.net
  • Bcnews8.com
  • Dildobigg.com
  • Raspberry-Ketone24.com
  • BigGgEts.com
  • HurtGuys.com
  • GrowsPeniss.com
  • HugerAss.com
  • Com-news9.net
  • Com-nbcnews9.net
  • coloncleanse-extreme.com
  • nbc9news.com
  • nbc1news.com

Arthor Brown is in most of them with his Yahoo! email address as [email protected]   Please don’t confuse him with this Arthur Brown, but yes, handle all of these websites like Fire!

Forged Webpages of The Guardian Newspaper

cbsnews-article.com screen capture 2012-12-12-16-3-51

cbsbusiness9.com screen capture 2012-12-12-16-3-23

The Guardian, is an old and respected news organisation in the UK.  CBS is a long-established US media network.

They, and the purported author of both webpages, Sirena Bergman, must be pretty pissed off about the hijacking of their names.

Also to be annoyed, is Lloyds TSB Bank who apparently are “in association” with this get rich quick scheme for work at home moms!

Completely Forged News Articles!

Indeed they are.

  • The articles are dated “December, 11:41”, which is odd since there’s no day, just month and time!
  • Both articles are embedded in genuine Guardian web-pages, with all the links surrounding the article going to genuine Guardian web-pages or genuine advertiser websites!
  • The hook links in both forged webpages go to http://workinghome22.com/go.php

The forgery is done in the same manner as the well-known phishing scams done for banks and on-line finance and insurance.

Apart from the images sourced from The Guardian, the scammer’s images are sourced from:

  • ddmcdn.com which is HowStuffWorks.com!
  • localconsumeralerts.com
  • prosperadtracker.com
  • ophan.co.uk

So, Who Is workinghome22.com

Bad Gateway

The first link was dead, opening a bad gateway so the expected redirect didn’t work.  The tracking pointed back to Ireland!

Bad Gateway

The second link worked, but the sweetly named workingfromhome22.com wasn’t the destination.  No, the link immediately redirected to http://onlineincnow.com/2/?aff_sub=72

Well, at least the affiliate number 72 is getting paid….
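The chain above was followed by hand, hop by hop, reading off each destination. The script below is an added example (not code from the original post) of doing the same thing without a browser: it requests each URL with redirects disabled, reads only the HTTP Location header, resolves relative targets, and stops at the first page that does not redirect. Because it never runs JavaScript or meta-refresh, a hop that a browser would take silently is reported as the end of the chain, which is exactly the point when you want to look at a link without rendering it. The sample chain is constructed from the hops named in the post and served from an in-memory stub so the script runs offline; the brand and genuine-domain lists in `lookalike_hosts` are an illustrative assumption, not a complete list.

```python
"""Hop-by-hop redirect tracer (added example; the sample chain is constructed)."""
import urllib.error
import urllib.parse
import urllib.request


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Returning None here makes urllib raise HTTPError on 3xx instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, timeout=10):
    """One request, no following: returns (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "redirect-tracer/0.1"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def trace_redirects(start_url, fetch=http_fetch, max_hops=10):
    """Follow Location headers from start_url; return every URL visited, in order."""
    hops = [start_url]
    url = start_url
    for _ in range(max_hops):  # cap the walk so a redirect loop cannot run forever
        status, location = fetch(url)
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        url = urllib.parse.urljoin(url, location)  # Location may be relative
        hops.append(url)
    return hops


def affiliate_params(url, keys=("aff_sub", "aff_id", "subid", "linkid")):
    """Pull tracking/affiliate query parameters (assumed names) out of a URL."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    return {k: query[k][0] for k in keys if k in query}


def lookalike_hosts(hops, brands=("cbs", "guardian", "nbc"),
                    genuine=("cbs.com", "cbsnews.com", "theguardian.com", "guardian.co.uk")):
    """Hosts in the chain that carry a brand name without being that brand's own domain.

    The brand tokens and genuine domains are an illustrative assumption."""
    flagged = set()
    for url in hops:
        host = urllib.parse.urlparse(url).hostname or ""
        is_brand_owned = any(host == g or host.endswith("." + g) for g in genuine)
        if any(b in host for b in brands) and not is_brand_owned:
            flagged.add(host)
    return sorted(flagged)


# Constructed stub of the responses described in the post (status, Location).
CONSTRUCTED_CHAIN = {
    "http://cbsbusiness9.com/index2.php?/5260":
        (302, "/uk.html?/partners/the-guardian/small-business/5672-9782-67834/making-money-online/"),
    "http://cbsbusiness9.com/uk.html?/partners/the-guardian/small-business/5672-9782-67834/making-money-online/":
        (200, None),
    "http://workinghome22.com/go.php": (302, "http://onlineincnow.com/2/?aff_sub=72"),
    "http://onlineincnow.com/2/?aff_sub=72": (200, None),
}


def stub_fetch(url):
    """Offline stand-in for http_fetch that serves the constructed chain."""
    return CONSTRUCTED_CHAIN.get(url, (404, None))


if __name__ == "__main__":
    for start in ("http://cbsbusiness9.com/index2.php?/5260", "http://workinghome22.com/go.php"):
        chain = trace_redirects(start, fetch=stub_fetch)
        print(" -> ".join(chain))
        print("  affiliate params:", affiliate_params(chain[-1]))
        print("  lookalike hosts:", lookalike_hosts(chain))
```

To run it against a live link, call `trace_redirects(url)` with the default `http_fetch`; keep it on a throwaway machine or sandbox, since even a header-only request tells the operator which address clicked.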

But hang on, who exactly is workingfromhome22.com?
workinghome22.com screen capture 2012-12-12-16-31-44

Well, typing the URL directly takes me to workingfromhome22.com!  This is it!

Cunningly, you’ll note that it’s pulled out my home-town as Bournemouth (where I live) with that awful “mom” Americanism!  No-one in the UK addresses their mother as mom…  I mean, FFS?

The webpage links, containing the disreputably used graphics of Thomson, Reuters, CNBC and NBC Universal all point to http://workinghome22.com/go.php, which is of course in this domain.  So let’s click it, shall we?

Well, pctrck.com is trying to load, but not much else.

Reversing then trying to exit workinghome22.com produces a pop-up of dubious functionality!  Check the words – there’s no cancel button!

workinghome22 Popup

I did however manage to successfully close this page following that.  Whew!

Now Back to onlineincnow.com

OnlineIncNow Location

The previously mentioned http://onlineincnow.com/2/?aff_sub=72 is located in the USA.

So What Is It Up To?

OnlineIncNow.com Whois Record

Good Question!   A WHOIS puts the registrant in China with the DNS servers in Russia!

As I mentioned earlier, the similarity of the scamminess of this thing is just like the Google Treasure Chest/ Google Money Tree / PWW scams of old.

The site is plastered with the logos of well known businesses to add an air of authenticity to things (just as the original hook sites used The Guardian Newspaper and CBS in the same way) yet at the bottom of the page they disingenuously add:

This site and the products and services offered on this site are not associated, affiliated, endorsed, or sponsored by NBCNEWS, ABC, USA Today, CNN or Fox News, nor have they been reviewed tested or certified by NBCNEWS, ABC, USA Today, CNN or Fox News.

onlineincnow.com T&C Screenshot

Despite all this, it is of course bollox set to deceive.  In fact, it now appears that it’s the well known negative option scam, used by Pacific Webworks (PWW) and Jesse Willms to good effect until they were found out.

Let’s see how this pans out, shall we?…..

Check out the T&C page from the tiny link in the page footer – screenshot on the right.

  • They say that the applicable law is the State of Florida.
  • You will become a “member” and the key phrases are here:

You must register as a “Member” with Online Income Now to access certain functions of the website. You must provide current, complete and accurate information about yourself (the “Registration Data”) when registering as a Member. You agree that such information is truthful and complete. You agree to maintain and keep your Registration Data current and to update your Registration Data as soon as it changes. You are responsible for maintaining the security of your password. Online Income Now is not liable for any loss that you suffer through the use of your password by others. You agree to notify Online Income Now immediately of any unauthorized use of your account or other breach of security known to you. You also, by becoming a Member, agree to report violations of these Terms and Conditions by others to Online Income Now.

For a limited time only, the cost of this product is $97.00 ( usual price $299.95 ) and every 32 days thereafter you will be billed the member’s only price of $9.95 for the monthly use.

MATERIALS PROVIDED TO Online Income Now OR POSTED AT ANY Online Income Now’s WEB SITE

Online Income Now does not claim ownership of the materials you provide to Online Income Now (including feedback and suggestions) or post, upload, input or submit to any Online Income Now Web Site or its associated services (collectively “Submissions”). However, by posting, uploading, inputting, providing or submitting your Submission you are granting Online Income Now, its affiliated companies and necessary sublicensees, permission to use your Submission in connection with the operation of their Internet businesses including, without limitation, the rights to: copy, distribute, transmit, publicly display, publicly perform, reproduce, edit, translate and reformat your Submission; and to publish your name in connection with your Submission.

You’ll see that “Online Income Now” will:

  • make you a “member” (of what?)
  • and you will be regularly billed, (why?)
  • and that for anything you post, upload etc (wah?  whadya mean?  Where is this uploading?),  “Online Income Now” will take no responsibility for what you do!

…which is curious as you don’t know what you’ll be doing and they have invited you to do it in the first place!!!

Now Lets Click The Link!  Follow that Opportunity!

onlineincnow.com screen capture 2012-12-12-17-46-50

2 Spots Left!

Amazingly (sarcasm alert) there are two “spots” left in my area!  This is the page… http://onlineincnow.com/2/index2.php

Michelle Johnson is the “guru” who will tell me everything!  So what do I do?  I have two options:

  • Back out
  • Sign up

Let’s Try Backing Out, Shall We?

Cannot Backout From OnlineIncNow 2

Cannot Backout From OnlineIncNow

Well of course, they won’t let me.  It takes two goes to get out and the first one completely takes over the browser!  Bad.  This is B.A.D.

Ah, well.  Finally escaped.

Let’s Try Clicking to the Signup Page, Shall We?

secure.onlineincnow.com Data Entry Screen

I decide on my name, “Jobless Jake” and a random phone number…. The website is now https://secure.onlineincnow.com/2/cc_97.php

What I see is bad, really bad, and any attempt by this pack of jokers at saying they don’t run a negative option scam is now revealed on this sign-up page!

The scam is now revealed for what it is – a negative option scam!        Read it carefully…..  They expressly say;

By enrolling, you will be charged a one-time fee of $97.00

In teeny-tiny letters, note!

But remember, right back buried in the T&C’s they say;

every 32 days thereafter you will be billed the member’s only price of $9.95 for the monthly use.

This is expressly against the FTC code and laws in most countries.  If any extra charges are to be levied for any service or goods, they should be expressly stated on the sign-up page where the customer first enters their financial details.

Gotcha! You Bastards!

Okay, I’ve Had Enough of This. I’m Off!

“Not so fast, young Jobless Jake”, say onlineincnow.com……!

Cannot Backout From OnlineIncNow 3

They’ve an extra 20% off plus an extra bit of webpage-ese!  The screenshot says it all, though it wasn’t the end of it.  I had one more “Leave Page” option like the earlier one above.

Conclusion

Negative Options are banned by law in most countries.  If you get collared by one, you’ll have a job stopping the bastards taking money from your account for ages.  The only sure way to stop this once you’ve been sucked in is through….

  • Chargebacks.   Get your bank or card company to get a charge-back saying the terms of trade or purchase were hidden (as seen in my screenshot above).

So…

  • It’s a scam.
  • Stay away from it.

Turkish Hacker-Crackers, perhaps?

A Cracking Week Off?

I had a week’s holiday of sorts last week.  On returning I found that this website had been cracked. (I already had intimations that something was wrong because of site stat failures and an email from @Justin Asking, sometime commenter to this website and others).  Anyway, so it was.  Unfortunately, I didn’t have good web access so was unable to correct things properly.

The main screen, viewable on zone-h here, was replaced by this,

Site Hack Aug 2011

A neat little JavaScript mouse trailer was part of the package!

The cause was my own – a wide-open directory made so as part of an image upload plugin for my WordPress installation.  This plugin makes it easy and neat for any commenter to add material to the website… unfortunately for me, it allowed any file, with active content or not, to be uploaded.

Needless to say, the plugin is now disabled and the directory is locked down to the specific  file types that I’ll accept.  No more active content allowed there matey!

Unwanted Extras

Once the nasty files were uploaded, the internal site privileges allowed the install of a swathe of .htm files to the site root and uploads folder.  These had various names like f.htm, g.htm etc.  Index.htm was the file on show.

Alongside these, apart from files needed to run the previously mentioned JavaScript, were another swathe of .phtml files, such as joker.phtml, which are actually PHP code masquerading as HTML.  A couple of plain text files had also been uploaded.  These had lists of files, sites and persons.

All .htaccess files were okay as well as the WordPress installation files.  To be sure, I redid the WordPress install from scratch with freshly downloaded files.
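The fix described above, locking the upload directory down to specific file types, is easy to get subtly wrong: a check on the final extension alone lets joker.phtml through if phtml is not on the blocklist, and pic.jpg.php through if only the first extension is read. The following is an added example (not the plugin's or the blog's own code) of the allowlist an upload handler should apply before writing anything to disk: the file name must be a bare name, no segment of it may be an extension a PHP host might execute or serve as active content, the final extension must be on a short image allowlist, and the leading bytes must match that type so a renamed script is caught too. The sample uploads, including the .phtml, .htm and plain-text names from the post, are constructed inline.

```python
"""Upload allowlist check (added example; sample uploads are constructed)."""
import posixpath

# The only types this directory is meant to hold.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Extensions a typical Apache/PHP host may hand to a script handler or serve as
# active content. Any of these appearing anywhere in the name is grounds to reject,
# which covers joker.phtml, f.htm and double-extension names like pic.jpg.php.
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar",
                     "htm", "html", "js", "cgi", "pl", "sh", "htaccess"}

# Leading bytes the declared type must start with; a renamed PHP file fails this.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def check_upload(filename, head):
    """Return (ok, reason) for a proposed file name and the first bytes of its content."""
    name = posixpath.basename(filename.replace("\\", "/"))
    if name != filename or name in ("", ".", ".."):
        return False, "path component or traversal in filename"
    parts = name.lower().split(".")
    if len(parts) < 2 or parts[0] == "":
        return False, "no extension or dotfile"
    exts = parts[1:]
    if any(e in SCRIPT_EXTENSIONS for e in exts):
        return False, "executable or active-content extension: " + ".".join(exts)
    final = exts[-1]
    if final not in ALLOWED_EXTENSIONS:
        return False, "extension not on allowlist: " + final
    if not any(head.startswith(m) for m in MAGIC[final]):
        return False, "content does not look like " + final
    return True, "ok"


# Constructed sample uploads: name -> first bytes of content.
CONSTRUCTED_UPLOADS = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",       # genuine JPEG header
    "logo.png": b"\x89PNG\r\n\x1a\n",                   # genuine PNG header
    "joker.phtml": b"<?php echo 'hello'; ?>",           # PHP dressed as HTML
    "f.htm": b"<html><script>",                         # static page with script
    "pic.jpg.php": b"\xff\xd8\xff\xe0",                 # image bytes, executable name
    "shell.php.jpg": b"<?php echo 'x'; ?>",             # script bytes, image name
    "renamed.jpg": b"<?php echo 'x'; ?>",               # script bytes, clean name
    "notes.txt": b"list of files",                      # not an image at all
    "../../wp-config.php": b"<?php",                    # traversal attempt
}


def scan(uploads=CONSTRUCTED_UPLOADS):
    """Apply check_upload to every sample; returns name -> accepted?"""
    return {name: check_upload(name, data)[0] for name, data in uploads.items()}


if __name__ == "__main__":
    for name, data in CONSTRUCTED_UPLOADS.items():
        ok, reason = check_upload(name, data)
        print(f"{'ACCEPT' if ok else 'REJECT':6} {name:22} {reason}")
```

Only photo.jpg and logo.png pass. The check belongs on the server side, and it is a complement to, not a substitute for, a web-server rule that never executes scripts from the upload directory at all; the two together mean a file that slips past one control still cannot run.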

Finale

All told, about fifty files were dumped on my website.  I’ve hopefully removed the lot and have them downloaded for analysis at a later date.  The screen content and internal code all points to Turkish or S.E. Asian (Vietnam or Indonesia) Muslim crackers (I refuse to use the hacker term except to clarify the cracking of security by its now-common usage).  Saying this, the culprits (the code points to several authors who used freely downloadable files from cracking websites and then proudly expected a pat on the back for their extreme skill at doing a download…like….der….), the culprits could have come from anywhere.

Fifth columnists and agent-provocateurs are nothing new.

Interestingly, being cracked puts me in the same company as at least 186 well-known multinational businesses, such as Acer, Vodafone, BetFair, The Daily Telegraph, The Register, Spam.Org, Victoria Beckham and Destiny’s Child.

Even System of a Down dot com, was down!

Zone-h’s full list is here.  The Register reports it here, The Guardian here.

The Guardian interview with the crackers notes that the culprits had been planning the attack for some time which obviously includes the time when my site was compromised.  I don’t know if my website was actually used as part of the above DNS server attack but it’s usual for an attack like a DDoS to use several vectors and simultaneous attack points in order to force a server to fail and dump code.  This dump then reveals passwords and the like for later use.

Addendum

WordPress.Org’s forum has a posting about this crack from last week.  A Google search in the comment by RedNeckTexan shows the attack on this website to be far from unique….!   The links I’ve followed go right to the heart of the crack and the people doing the cracking.

This is the Google Search on the “Easy Comment Uploader” plugin.  Like me, RedNeckTexan has pulled the plugin for now, which can be found in the WordPress repository here.

Windows 7 SP1 Install

Windows 7 Service Pack 1 Install Experience


Windows 7 Ultimate with SP1

I installed Win7 sp1 on my PC last night after spotting it in the Windows Update list.  It’s been out since 16 Feb 2011 but I’ve only just noticed!  That’s the state of my PC in the screenshot.

Hitches

Everything installed really well, actually.  The downloads and install took about an hour and included updates for the Microsoft Mouse I use.  After the SP1 had installed, a few more “optional” updates appeared, so in they went as well!  The whole thing was much better than some earlier Microsoft service pack installs on Windows XP and 95 that I’ve done!

Impressions

The PC actually feels as if it’s running better.  More stable, nicer window & application opening.

Next…?

My next task is to update the Win7 32-bit install that I run in a virtual environment.  See  .  Watch this space!

Virtual Box Running 32 bit Win7 inside 64 bit Win7

Introduction

These shots are primarily for the benefit of my friend.

Virtual Box

Sun’s (now Oracle’s) VirtualBox application allows computer users to run a variety of Operating Systems (OS) on virtually any computer operating system.  This is the VirtualBox homepage.

For example:

  • Windows XP on Mac
  • Solaris on Windows XP
  • Windows 7 32-bit on Windows 7 64-bit

This latter example is actually the system that I use to connect to my remote work computing system.  (We use a Citrix client which will not upgrade to 64 bit, hence the necessity of running the Citrix program in a 32-bit environment)

The two shots below show Task Manager’s “performance” tab in the two systems.  I’m showing this to demonstrate that upping the memory to 12GB has left Windows the opportunity of using as much memory as it feels, and by not using the pagefile (much, if at all) it’s very fluid in operation now.

This screenshot shows Task Manager in the host Win7-64 system with its 12GB of memory and four processor cores.

Win64 Processes

This screenshot shows Task Manager in the virtual Win7-32 system running inside a VirtualBox image with the 4GB of memory and four virtual processor cores that I allocated to it.

Win32 Processes

This screenshot below shows the view across all three screens that I use.

Windows 7 across 3 screens

In the shot you’ll see that I’ve set the VirtualBox image to run full screen on the right-hand monitor.  I’ve chosen a different background to emphasise this.

A notable feature of VirtualBox is that I have set the mouse cursor to float seamlessly between the two environments.

Previously, I’ve tried installs of several Linux flavours into their own virtual image areas.  These are all removed now, but previously I had several running concurrently – I wish I’d taken a screenshot at that time.  To demonstrate the capabilities of VirtualBox, I once had running concurrently these various operating systems inside my Win7 64-bit host:

  • Windows 7-32 bit
  • Windows XP version one
  • Windows XP version two
  • Ubuntu 10.1
  • Mandriva 10
  • Suse 11
  • Fedora

To enable this all to run in only 4GB of memory I assigned about 300MB to each image.  They all worked “out of the box”!

What? No Google! Use Robert Allen Instead!

Introduction

Spring, last year, was when I first stumbled upon Pacific WebWorks (PWW) and their nefarious schemes.  That was when I happened upon Google Treasure Chest, one of their many scams.

This then ballooned into a miasma of a web of crime which frankly astonished me.

Then, across the globe, many people fought against the scammers and there have been some small victories when the (mainly USA) authorities have used the law against them.

But as many scribes (e.g. Paul Schlegel) pointed out (e.g. here), it would, and it has all returned.

Okay Subject Please!

June 20th 2008 - Looking Forward to Vacation

I’ve been trawling through the old posts on this website to see how the websites have changed.  True, Google Treasure Chest has sunk to the bottom of the ocean, but many of the old websites are still around.  They, the suck-in sites for the real ‘products’, divide, broadly, into two camps:

  • Fake blog sites
  • Fake News sites

Most of the fake blogs are gone, but most of the fake news sites are still around!  What has happened is with some very quick coding, all the pointers go to new, non-google type sites.  You can tell that the coding was quick because Google is still there in the hyperlink descriptions!!!

Example

Initial information on a fake News Site from @Not Kevin is here.  He said;

Clicked on the link to Easy Google Profit from this fake news story: http://www.businessgazette.net/finance/article-3910/ and about 6 different sites are loaded through some javascript thing including yoursearchprofits.com seofromhome.com bsadn.pantherssl.com and a few others.

Business Gazette

This is the fake news website here: http://www.businessgazette.net/finance/article-3910/  A screen-dump is shown on the right.
Hover your mouse over the ads or the links in the “Business Gazette” page.  They are all the same and they all point to http://www.businessgazette.net/google/ – Notice the word “GOOGLE” !!! Compared to previously, the links are now slimmed down to one!

Now click the link and it redirects to a really annoying, automatically starting  audio from someone called Ivan Fienney at this website: http://www.ivanblogsecrets.com/campaigns/rgah/IF_1_new.php?linkid=212144&subid=50519&subid2=65513   This link shows all the affiliate IDs etc.

However, if you strip them out, the page will still load from this address, http://www.ivanblogsecrets.com/campaigns/rgah/IF_1_new.php, or  if you type in or click http://www.ivanblogsecrets.com

Ivan the Terrible

If you listen to the smarmy voice, he’ll claim that it’s a real established business, is NOT MLM, is not a Pyramid scheme etc etc.  That’s him on the left.

Q. Where do his links go?

A. They go to something called a “Instant Wealth Program”.  You’ll find that the linking URL is http://212144.msicourse.com/

Q. So who could it be?

A. It’s that slimeball Robert Allen, famed for his spam, famed for his bankruptcy, famed for real-estate dodgy deals.

Now Ivan Fienney, if you can stand the audio, claims that it’s not real estate or a scam, and yet, as I made plain last year, in Robert Allen’s own claims he DOES use real estate in one of his “plans”!

If you listen to Ivan until the 8:00 mark, you’ll find that the whole “plan” actually is “posting links on Google”.  Well what a surprise, I’m sure!

And there we have it.  The “Instant Wealth Scheme” is the old, old “make money with Google” scheme again.  Good ol’ Bobby Allen.  Aaah.

Robert Allen – Multiple Streams of Income

Slime Nosed Devil

The quaintly entitled website, http://212144.msicourse.com/, is indeed Robert Allen.  He’s hidden its WHOIS details using Moniker Privacy Services.  However, check out the screen-dump below and right (as well as Ivan’s above).

Multiple Streams of Income

He claims various things, like “as seen on TV” (the Aussie one I saw was investigative journalism where he refused to speak and the reporters were bundled out of the room!) or NY Times.  Maybe they are all investigative reports into his scam activities? Maybe they’re all a figment of ol’ Bobby’s fevered imagination?  Who knows?

But what I do know is that one of his merit badges is from “The Reader’s Digest” – who’ve just gone bust!!!  See http://news.bbc.co.uk/1/hi/business/8520243.stm Nice one, Bobby.

Perú > Lima

Also notice that his website uses the famed “countdown timer”, a tactic abrasively commented upon in recent USA court cases against scammers.  If, like me, you’ve been on the page too long, it’ll helpfully prompt you when “time runs out” – and then gives you a whole extra ten minutes to make up your mind.  Gosh.  It’ll even do it again – with another 10 minutes!

I think I’ll pass on all that, if you don’t mind.

Prosper Inc

Robert Allen proudly states that he uses Prosper Inc for his “services”.  They, of course, are from Utah, see their contacts page here: http://www.prosperlearning.com/contact.html

Erroneous statement deleted.  Too many prospers but all info gratefully accepted.. (SP)

Now see the following few examples of complaints and worries:

Further Information

Last year’s post on Robert Allen is here.   Robert G Allen, Grants, and a Credit Card Slimeball.    From all of this, you can probably tell that he’s not on my Xmas Card list!  To confirm this, see various links which expose ol’ Bobby for what he was, and still is!

© 2007-2017 Strangely Perfect All Rights Reserved -- Copyright notice by me