Tag Archive: PASSWORD

Estonian Spammer Forges CBS and The Guardian

Get Rich Quick Scam Forges Genuine News Agencies Web Pages

Gmail Spam

I recently received two emails from a friend’s old Hotmail account, but to two of my email addresses.

Email Spam

The account has probably been hacked, as I could detect no spoofing in the emails’ headers. These are the emails, with the email addresses blacked out.

Initial Email Investigations

The text of the two is similar: both try, in pretty poor English, to entice the reader into clicking the shortened URL links, which are active.

Here’s how the links work.

To my email address:

cbsbusiness9

I had http://cbsbusiness9.com/index2.php?/5260 which then goes to

http://cbsbusiness9.com/uk.html?/partners/the-guardian/small-business/5672-9782-67834/making-money-online/

To my Gmail address:

cbsnews-article

I had http://cbsnews-article.com/index2.php?/4032 which then goes to

http://cbsnews-article.com/uk.html?/partners/the-guardian/small-business/5672-9782-67834/making-money-online/

The screenshots show the results using a neat Firefox plugin, Flagfox, which displays the source IP address and country on mouse-over.

The WHOIS records for the two domains are almost identical. These are the screenshots.

whois.domaintools.com screen capture 2012-12-12-17-12-26

whois.domaintools.com screen capture 2012-12-12-17-13-17

That Arthor Brown’s a one, eh? Notice the Ukrainian, Russian and New York connections? Who is/are, or what is:

TNew line ave 172 95
NY, 18274
UNITED STATES
+1.7343541732

Google Search on +1.7343541732

Googling the phone number pulls out a heap of (non-)surprises, including an awful cesspit of scamminess that’s now starting to rival Pacific Webworks’ Google Treasure Chest and Jesse Willms’ colon-cleansing efforts! (We saw these scams a few years back; check the links.)

Just check out the fake-news and dodgy-sounding sites in the search results. These are from the first couple of pages of current search results:

  • Com-news8.net
  • Bcnews8.com
  • Dildobigg.com
  • Raspberry-Ketone24.com
  • BigGgEts.com
  • HurtGuys.com
  • GrowsPeniss.com
  • HugerAss.com
  • Com-news9.net
  • Com-nbcnews9.net
  • coloncleanse-extreme.com
  • nbc9news.com
  • nbc1news.com

Arthor Brown is in most of them, with his Yahoo! email address as [email protected]. Please don’t confuse him with this Arthur Brown, but yes, handle all of these websites like fire!

Forged Webpages of The Guardian Newspaper

cbsnews-article.com screen capture 2012-12-12-16-3-51

cbsbusiness9.com screen capture 2012-12-12-16-3-23

The Guardian is an old and respected news organisation in the UK. CBS is a long-established US media network.

They, and the purported author of both webpages, Sirena Bergman, must be pretty pissed off about the hijacking of their names.

Also to be annoyed is Lloyds TSB Bank, who apparently are “in association” with this get-rich-quick scheme for work-at-home moms!

Completely Forged News Articles!

Indeed they are.

  • The articles are dated “December, 11:41”, which is odd since there’s no day, just month and time!
  • Both articles are embedded in genuine Guardian web-pages, with all the links surrounding the article going to genuine Guardian web-pages or genuine advertiser websites!
  • The hook links in both forged webpages go to http://workinghome22.com/go.php

The forgery is done in the same manner as the well-known phishing pages that target banks, on-line finance and insurance: the genuine site’s page is copied wholesale, and only the article itself is swapped for the scammer’s.

Apart from those taken from The Guardian, the page’s images are loaded from:

  • ddmcdn.com, which is HowStuffWorks.com!
  • localconsumeralerts.com
  • prosperadtracker.com
  • ophan.co.uk (The Guardian’s own analytics domain, carried over with the copied page)

So, Who Is workinghome22.com

Bad Gateway

The first link was dead, returning a Bad Gateway error, so the expected redirect didn’t work. The tracking pointed back to Ireland!

Bad Gateway

The second link worked, but the sweetly named workingfromhome22.com wasn’t the destination. No, the link immediately redirected to http://onlineincnow.com/2/?aff_sub=72

Well, at least affiliate number 72 is getting paid: aff_sub is an affiliate tracking sub-ID, so whoever seeded the spam gets credited for every sign-up that arrives down this chain.

But hang on, who exactly is workingfromhome22.com?
workinghome22.com screen capture 2012-12-12-16-31-44

Well, typing the URL directly takes me to workingfromhome22.com!  This is it!

Cunningly, you’ll note that it’s pulled out my home town as Bournemouth (where I live), with that awful “mom” Americanism! No one in the UK addresses their mother as mom… I mean, FFS?

The webpage links, containing the disreputably used graphics of Thomson Reuters, CNBC and NBC Universal, all point to http://workinghome22.com/go.php, which is of course in this domain. So let’s click it, shall we?

Well, pctrck.com is trying to load, but not much else.

Reversing, then trying to exit workinghome22.com, produces a pop-up of dubious functionality! Check the words: there’s no cancel button!

workinghome22.com pop-up

I did however manage to successfully close this page following that.  Whew!
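The hop-by-hop tracing above (shortened link to index2.php, on to the forged uk.html page, and go.php straight through to onlineincnow.com with its affiliate tag) is worth automating before anything gets clicked. The script below is an added example, not part of the original post or any of the sites’ own code. It walks a redirect chain one hop at a time through an injected fetcher, recognises 3xx Location headers plus the meta-refresh and JavaScript location forwarders that scam landing pages rely on, pulls out the aff_sub affiliate ID, and flags any page that registers a beforeunload handler, which is the mechanism behind the no-cancel exit pop-up. The URLs are the ones quoted above; the status codes and page bodies are constructed stand-ins, and the canned fetcher is an assumption so that the example runs offline.

```python
"""Redirect-chain walker with an injected fetcher (added example, not from the post)."""
import re
from urllib.parse import parse_qs, urljoin, urlparse

MAX_HOPS = 10

# In-page forwarders that do not show up as a 3xx status.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.I)
JS_LOCATION = re.compile(
    r'(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)
# A beforeunload handler is what produces the browser's "Leave Page / Stay on Page" dialog.
EXIT_TRAP = re.compile(r'onbeforeunload|beforeunload', re.I)


def next_hop(url, status, headers, body):
    """URL the response forwards to, or None when the page is a final destination.

    headers must already be lower-cased.
    """
    if 300 <= status < 400 and "location" in headers:
        return urljoin(url, headers["location"])
    for pattern in (META_REFRESH, JS_LOCATION):
        m = pattern.search(body)
        if m:
            return urljoin(url, m.group(1))
    return None


def follow_chain(start, fetch, max_hops=MAX_HOPS):
    """Walk start -> ... -> final page, one fetch per hop.

    fetch(url) returns (status, headers, body). Each hop records the host, the
    status, any aff_sub affiliate sub-ID in the query string, and whether the
    page sets an exit trap. Stops on a loop or after max_hops.
    """
    hops, seen, url = [], set(), start
    while url and len(hops) < max_hops:
        if url in seen:
            hops.append({"url": url, "host": urlparse(url).hostname, "note": "loop"})
            break
        seen.add(url)
        status, headers, body = fetch(url)
        headers = {k.lower(): v for k, v in headers.items()}
        hops.append({
            "url": url,
            "host": urlparse(url).hostname,
            "status": status,
            "aff_sub": parse_qs(urlparse(url).query).get("aff_sub", [None])[0],
            "exit_trap": bool(EXIT_TRAP.search(body)),
        })
        url = next_hop(url, status, headers, body)
    return hops


# Constructed stand-ins for the live sites: the URLs are the ones quoted in the
# post; the status codes and page bodies are invented so the demo runs offline.
GUARDIAN_HOOK = ("http://cbsbusiness9.com/uk.html?/partners/the-guardian/"
                 "small-business/5672-9782-67834/making-money-online/")
CANNED = {
    "http://cbsbusiness9.com/index2.php?/5260": (
        302, {"Location": "/uk.html?/partners/the-guardian/small-business/"
                          "5672-9782-67834/making-money-online/"}, ""),
    GUARDIAN_HOOK: (
        200, {}, '<html><a href="http://workinghome22.com/go.php">Read more</a></html>'),
    "http://workinghome22.com/go.php": (
        200, {}, '<script>window.location.href = "http://onlineincnow.com/2/?aff_sub=72";</script>'),
    "http://onlineincnow.com/2/?aff_sub=72": (
        200, {}, '<body onbeforeunload="return \'Wait! 2 spots left!\'">Only 2 spots left</body>'),
}


def canned_fetch(url):
    """Offline fetcher; swap for a real client (e.g. requests with allow_redirects=False)."""
    return CANNED.get(url, (404, {}, ""))


def demo():
    """Trace both chains from the post: the forged-news hook, then the offer redirect."""
    hook = follow_chain("http://cbsbusiness9.com/index2.php?/5260", canned_fetch)
    offer = follow_chain("http://workinghome22.com/go.php", canned_fetch)
    return hook, offer


if __name__ == "__main__":
    for chain in demo():
        for hop in chain:
            print(hop["host"], hop.get("status"), "aff_sub=%s" % hop.get("aff_sub"),
                  "EXIT TRAP" if hop.get("exit_trap") else "")
        print("--")
```

Fetching hops live means touching the scammer’s tracking infrastructure from your own address, so do it from a disposable VM or through a proxy, and keep the hop limit: affiliate chains happily loop.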

Now Back to onlineincnow.com

OnlineIncNow Location

The previously mentioned http://onlineincnow.com/2/?aff_sub=72 is located in the USA.

So What Is It Up To?

OnlineIncNow.com Whois Record

Good Question!   A WHOIS puts the registrant in China with the DNS servers in Russia!

As I mentioned earlier, the scamminess of this thing is just like the Google Treasure Chest / Google Money Tree / PWW scams of old.

The site is plastered with the logos of well-known businesses to add an air of authenticity (just as the original hook sites used The Guardian and CBS), yet at the bottom of the page they disingenuously add:

This site and the products and services offered on this site are not associated, affiliated, endorsed, or sponsored by NBCNEWS, ABC, USA Today, CNN or Fox News, nor have they been reviewed tested or certified by NBCNEWS, ABC, USA Today, CNN or Fox News.

onlineincnow.com T&C Screenshot

Despite all this, it is of course bollox set to deceive. In fact, it now appears to be the well-known negative option scam (you are enrolled into recurring charges by default and must actively cancel to stop them), used by Pacific Webworks (PWW) and Jesse Willms to good effect until they were found out.

Let’s see how this pans out, shall we?…..

Check out the T&C page from the tiny link in the page footer (screenshot on the right).

  • They say that the applicable law is the State of Florida.
  • You will become a “member” and the key phrases are here:

You must register as a “Member” with Online Income Now to access certain functions of the website. You must provide current, complete and accurate information about yourself (the “Registration Data”) when registering as a Member. You agree that such information is truthful and complete. You agree to maintain and keep your Registration Data current and to update your Registration Data as soon as it changes. You are responsible for maintaining the security of your password. Online Income Now is not liable for any loss that you suffer through the use of your password by others. You agree to notify Online Income Now immediately of any unauthorized use of your account or other breach of security known to you. You also, by becoming a Member, agree to report violations of these Terms and Conditions by others to Online Income Now.

For a limited time only, the cost of this product is $97.00 ( usual price $299.95 ) and every 32 days thereafter you will be billed the member’s only price of $9.95 for the monthly use.

MATERIALS PROVIDED TO Online Income Now OR POSTED AT ANY Online Income Now’s WEB SITE

Online Income Now does not claim ownership of the materials you provide to Online Income Now (including feedback and suggestions) or post, upload, input or submit to any Online Income Now Web Site or its associated services (collectively “Submissions”). However, by posting, uploading, inputting, providing or submitting your Submission you are granting Online Income Now, its affiliated companies and necessary sublicensees, permission to use your Submission in connection with the operation of their Internet businesses including, without limitation, the rights to: copy, distribute, transmit, publicly display, publicly perform, reproduce, edit, translate and reformat your Submission; and to publish your name in connection with your Submission.

You’ll see that “Online Income Now” will:

  • make you a “member” (of what?)
  • bill you regularly (for what?)
  • and help themselves to a licence to copy, republish, edit and translate anything you post or upload (wah? whadya mean? Where is this uploading?), with your name attached

…which is curious, as you don’t know what you’ll be doing and they have invited you to do it in the first place!

Now Lets Click The Link!  Follow that Opportunity!

onlineincnow.com screen capture 2012-12-12-17-46-50

2 Spots Left!

Amazingly (sarcasm alert) there are two “spots” left in my area!  This is the page… http://onlineincnow.com/2/index2.php

Michelle Johnson is the “guru” who will tell me everything!  So what do I do?  I have two options:

  • Back out
  • Sign up

Let’s Try Backing Out, Shall We?

Cannot Backout From OnlineIncNow 2

Cannot Backout From OnlineIncNow

Well, of course, they won’t let me. It takes two goes to get out, and the first one completely takes over the browser! Bad. This is B.A.D.

Ah, well.  Finally escaped.

Let’s Try Clicking to the Signup Page, Shall We?

secure.onlineincnow.com Data Entry Screen

I decide on my name, “Jobless Jake”, and a random phone number. The website is now https://secure.onlineincnow.com/2/cc_97.php

What I see is bad, really bad, and any claim by this pack of jokers that they don’t run a negative option scam falls apart on this sign-up page. Read it carefully. They expressly say:

By enrolling, you will be charged a one-time fee of $97.00

In teeny-tiny letters, note!

But remember, right back buried in the T&C’s they say;

every 32 days thereafter you will be billed the member’s only price of $9.95 for the monthly use.

This is expressly against FTC rules (in the US, the Restore Online Shoppers’ Confidence Act requires the recurring charge, and a simple way to cancel it, to be disclosed clearly and conspicuously before the customer’s billing details are taken) and against consumer law in most countries. If any recurring or extra charge is to be levied for goods or a service, it must be stated on the sign-up page where the customer first enters their payment details, not buried in the T&Cs.

Gotcha! You Bastards!

Okay, I’ve Had Enough of This. I’m Off!

“Not so fast, young Jobless Jake”, say onlineincnow.com……!

Cannot Backout From OnlineIncNow 3

They’ve an extra 20% off plus an extra bit of webpage-ese! The screenshot says it all, though it wasn’t the end of it. I had one more “Leave Page” option like the earlier one above. (That “Leave Page” dialog is the browser’s own, shown when a page registers an onbeforeunload handler; the site only supplies the scare text.)

Conclusion

Negative-option billing is outlawed or tightly regulated in most countries. If you get collared by one, you’ll have a job stopping the bastards taking money from your account for ages. The only sure way to stop it once you’ve been sucked in is:

  • Chargebacks. Get your bank or card company to raise a chargeback on the grounds that the terms of trade were hidden at the point of purchase (as seen in my screenshot above), and ask them to block further recurring charges from that merchant.

So………………….

  • It’s a scam.
  • Stay away from it.


Rapidshare WordPress Comment Spam

I got an unusual (for me) comment spam this morning at 01:58 from a Kuala Lumpur spammer.  His modus operandi is to trawl WordPress blogs looking for the word “RapidShare” and then dump a deliberately malformed warez-type URL to a zip file promising unlimited super-fast Rapidshare accounts that have been compromised.

I had such a posting quite a while ago here, view-of-local-network-from-rapidshare-a-black-hole, so I’ll be letting the comment through because it’s got no active backlinks and suchlike.

RapidShare

It’s a file sharing website where users can share files of their own creation or where there isn’t a valid copyright. In the real world, of course, I guess about 99% of it is cracked software and copyright video and music. Some of it is my own and others under the Crawling Chaos moniker.  Bizarrely, you can actually pay a premium if you want better downloads of the ‘free’ stuff in the “premium” service.  But that’s the point, isn’t it?  ;-)

Comment Spammer

And this is where the spammer comes in. The comment and malformed URL are these:

Hey guy's! Check it out.HURRY!
JUST DONT CHANGE THE PASSWORD COZ EVERYBODY ALSO USING IT . Enjoyyyy.

h t t p://rapidshare.com/files/203145031/Rapidshare_Premium_Accounts_-_Latest_Issue.zip
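That spaced-out “h t t p://” is why the comment carries no live link: the spammer deliberately breaks the scheme so the URL is neither clickable nor caught by a filter that looks for “http://”. The following is an added example, not code from the original post or from WordPress. It reassembles the common evasions (spaces in the scheme, hxxp, bracketed or spelled-out dots), extracts the URLs that result and reports what a moderator would want to know about each. The watch-list of abused hosts is a hypothetical one-entry set, and the sample comment is the spam quoted above.

```python
"""De-obfuscating link check for blog comments (added example, not from the post)."""
import re
from urllib.parse import urlparse

# "h t t p://", "hxxp://", "h x x p s : / /" -> http:// or https://
SCHEME = re.compile(r'\bh\s*[tx]\s*[tx]\s*p\s*(s?)\s*:\s*/\s*/', re.I)
DOT_EVASIONS = (
    (re.compile(r'\s*[\[({]\s*\.\s*[\])}]\s*'), "bracketed dot"),   # rapidshare[.]com
    (re.compile(r'\s+dot\s+', re.I), "spelled-out dot"),           # rapidshare dot com
)
URL = re.compile(r'https?://[^\s<>"\']+', re.I)
BINARY = re.compile(r'\.(zip|rar|7z|exe|scr|msi|bat)$', re.I)
WATCHLIST = {"rapidshare.com"}   # hypothetical: hosts this blog has seen abused before


def normalize(text):
    """Undo scheme and dot obfuscation; return (normalized_text, evasions_found)."""
    evasions = []

    def fix_scheme(m):
        canonical = "http" + m.group(1).lower() + "://"
        if re.search(r"\s", m.group(0)):
            evasions.append("spaced scheme")
        if re.sub(r"\s+", "", m.group(0)).lower() != canonical:
            evasions.append("obfuscated scheme")      # hxxp and friends
        return canonical

    text = SCHEME.sub(fix_scheme, text)
    for pattern, label in DOT_EVASIONS:
        text, n = pattern.subn(".", text)
        if n:
            evasions.append(label)
    return text, evasions


def extract_links(text):
    """Every URL in the comment after de-obfuscation, with the evidence a moderator needs."""
    normalized, evasions = normalize(text)
    links = []
    for m in URL.finditer(normalized):
        url = m.group(0).rstrip(".,;:!?)")
        parsed = urlparse(url)
        links.append({
            "url": url,
            "host": parsed.hostname,
            "evasions": list(evasions),
            "binary": bool(BINARY.search(parsed.path)),
            "watchlisted": parsed.hostname in WATCHLIST,
        })
    return links


def is_spam(text):
    """Flag a comment whose links needed de-obfuscating, point at a binary, or hit the watch-list."""
    return any(link["evasions"] or link["binary"] or link["watchlisted"]
               for link in extract_links(text))


# The comment quoted above, reproduced as sample input.
SAMPLE = ("Hey guy's! Check it out.HURRY!\n"
          "JUST DONT CHANGE THE PASSWORD COZ EVERYBODY ALSO USING IT . Enjoyyyy.\n\n"
          "h t t p://rapidshare.com/files/203145031/Rapidshare_Premium_Accounts_-_Latest_Issue.zip")

if __name__ == "__main__":
    for link in extract_links(SAMPLE):
        print(link)
    print("spam:", is_spam(SAMPLE))
```

A legitimate commenter almost never spaces out a scheme, so the evasion itself is a stronger signal than the host; the host watch-list and the archive/executable check are there for the spammer who does not bother to hide the link.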

Content

I checked the zip. There’s a lot of Spanish and English text in Word documents, in both the old and new formats, as well as in plain text files. There’s also an MP3 file. In my sandbox they checked as clean!! I haven’t gone any deeper into testing the passwords, as Rapidshare, while good in principle, is actually theft and deception in practice.

The spammer’s email checks out in a few on-line mobile phone sales on a Malaysian website. It’s [email protected] but it’s probably spoofed.  With so much secrecy and nefarious activity on the web, who’s to say?

I don’t see it as a benevolent gesture of a thief in a theft based culture.  I see it more as a tester for a bigger plan.  Maybe, send a few of these ‘tasters’ out for a bit before the true malevolence is delivered?  Maybe the dodgy content is in the particular RapidShare accounts that have been compromised or deliberately set up with this purpose in mind?

You’ve been warned!

Bad Passwords

Posted by Strangely on January 22nd, 2009 in Technology

In a follow-up to my earlier post about the currently rampant piece of malware, Computer Piracy on the High Seas, I’ve found that the malware, variously called Downadup, Conficker and Kido, carries an in-built list of well-used passwords, which it tries against other machines’ administrator accounts and admin shares in order to spread across a network.

So if your password is on this list, change it now! :-)   Ha Ha.

123
1234
12345
123456
1234567
12345678
123456789
1234567890
123123
12321
123321
123abc
123qwe
123asd
1234abcd
1234qwer
1q2w3e
a1b2c3
admin
Admin
administrator
nimda
qwewq
qweewq
qwerty
qweasd
asdsa
asddsa
asdzxc
asdfgh
qweasdzxc
q1w2e3
qazwsx
qazwsxedc
zxcxz
zxccxz
zxcvb
zxcvbn
passwd
password
Password
login
Login
pass
mypass
mypassword
adminadmin
root
rootroot
test
testtest
temp
temptemp
foofoo
foobar
default
password1
password12
password123
admin1
admin12
admin123
pass1
pass12
pass123
root123
pw123
abc123
qwe123
test123
temp123
mypc123
home123
work123
boss123
love123
sample
example
internet
Internet
nopass
nopassword
nothing
ihavenopass
temporary
manager
business
oracle
lotus
database
backup
owner
computer
server
secret
super
share
superuser
supervisor
office
shadow
system
public
secure
security
desktop
changeme
codename
codeword
nobody
cluster
customer
exchange
explorer
campus
money
access
domain
letmein
letitbe
anything
unknown
monitor
windows
files
academia
account
student
freedom
forever
cookie
coffee
market
private
games
killer
controller
intranet
work
home
job
foo
web
file
sql
aaa
aaaa
aaaaa
qqq
qqqq
qqqqq
xxx
xxxx
xxxxx
zzz
zzzz
zzzzz
fuck
12
21
321
4321
54321
654321
7654321
87654321
987654321
0987654321
0
00
000
0000
00000
000000
0000000
00000000
1
11
111
1111
11111
111111
1111111
11111111
2
22
222
2222
22222
222222
2222222
22222222
3
33
333
3333
33333
333333
3333333
33333333
4
44
444
4444
44444
444444
4444444
44444444
5
55
555
5555
55555
555555
5555555
55555555
6
66
666
6666
66666
666666
6666666
66666666
7
77
777
7777
77777
777777
7777777
77777777
8
88
888
8888
88888
888888
8888888
88888888
9
99
999
9999
99999
999999
9999999
99999999
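Almost every entry in that list is an instance of a handful of shapes rather than a random string: one character repeated, a run along a keyboard row or column (qwerty, asdzxc, qazwsx) or the digit and alphabet sequences, a run followed by its mirror image (123321, zxcxz), two runs interleaved (q1w2e3, a1b2c3), or a dictionary word doubled or with digits bolted on (adminadmin, password123, 123abc). Checking for the shapes, rather than looking the string up in the list, also catches the variants the list does not contain. The classifier below is an added example, not code from the original post or from the malware; its dictionary is a subset of the words in the list above, and the pattern names are this example’s own.

```python
"""Weak-password pattern classifier (added example, not from the post)."""
import string

# Adjacent-key and sequential runs; each may be read forwards or backwards.
WALKS = ("01234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm", string.ascii_lowercase,
         "1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm", "8ik", "9ol")

# Dictionary words taken from the Conficker list above (a subset; extend as needed).
COMMON_WORDS = set("""admin administrator nimda passwd password login pass mypass mypassword
root test temp foo foobar default sample example internet nopass nopassword nothing
ihavenopass temporary manager business oracle lotus database backup owner computer server
secret super share superuser supervisor office shadow system public secure security desktop
changeme codename codeword nobody cluster customer exchange explorer campus money access
domain letmein letitbe anything unknown monitor windows files academia account student
freedom forever cookie coffee market private games killer controller intranet work home job
web file sql pw mypc boss love""".split())

AFFIX_CHARS = string.digits + string.punctuation


def is_run(s):
    """s (3+ chars) lies wholly inside one walk, in either direction."""
    return len(s) >= 3 and any(s in w or s in w[::-1] for w in WALKS)


def is_walk(s):
    """s splits entirely into runs of 3+ adjacent keys, e.g. qweasdzxc -> qwe|asd|zxc."""
    return len(s) >= 3 and any(
        is_run(s[:end]) and (end == len(s) or is_walk(s[end:]))
        for end in range(len(s), 2, -1))


def is_mirror(s):
    """A run followed by its reflection: 123321, 12321, zxccxz, asdsa."""
    if len(s) < 5:
        return False
    half = s[:(len(s) + 1) // 2]
    return s in (half + half[::-1], half + half[-2::-1])


def is_interleaved(s):
    """Alternate characters form two walks: q1w2e3 -> qwe + 123, a1b2c3 -> abc + 123."""
    return is_walk(s[::2]) and is_walk(s[1::2])


def dictionary_reason(password):
    """Dictionary word, doubled word, or word/walk with digits or punctuation bolted on."""
    core = password.lower().strip(AFFIX_CHARS)
    if not core:
        return None
    if core in COMMON_WORDS:
        return "dictionary word" if core == password.lower() else "dictionary word with digits/punctuation"
    half = len(core) // 2
    if core[:half] == core[half:] and core[:half] in COMMON_WORDS:
        return "doubled dictionary word"
    if core != password.lower() and is_walk(core):
        return "keyboard walk with digits/punctuation"
    return None


def classify(password):
    """Return the list of weak-pattern reasons; an empty list means none of them matched."""
    s = password.lower()
    reasons = []
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if len(set(s)) == 1:
        reasons.append("single repeated character")
    if is_mirror(s):
        reasons.append("mirrored run")
    if is_walk(s):
        reasons.append("keyboard or sequence walk")
    elif is_interleaved(s):
        reasons.append("two interleaved walks")
    reason = dictionary_reason(password)
    if reason:
        reasons.append(reason)
    return reasons


if __name__ == "__main__":
    for candidate in ("qweasdzxc", "1q2w3e", "123321", "password123", "adminadmin", "Tr0ub4dor&3"):
        print("%-12s %s" % (candidate, ", ".join(classify(candidate)) or "no weak pattern found"))
```

An empty result only means none of these shapes matched; it is a filter to run on top of a length rule and a breach-list lookup, not a strength meter.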

What it means to be Anonymous in Palin’s America

Relevant Links:

and finally:

  • https://www.hide-my-ip.com/

The recent furore in America over VP candidate Sarah Palin’s Yahoo! email account being cracked has missed a few points…

Briefly, here’s a recap on the events above:

  1. Palin is from Alaska and is current Governor there.
  2. Palin falls out with brother-in-law and lawsuit starts
  3. Palin refuses to release emails as part of investigation
  4. Palin uses her Yahoo! email account for government business (proved by later screenshots).
  5. All US government business must be transacted over secure US Gov email system for “Freedom of Information” purposes – to stop corruption basically, and allow “the people” to see what “their representatives” get up to.  So…
  6. Palin is using her Yahoo account for illegal activities.
  7. Palin’s Yahoo! account is cracked and details posted on the web
  8. The crack is through an “anonymous proxy service” run by cTunnel.com
  9. US Secret Service ask Associated Press (AP) for copies of emails, who refuse.
  10. Yahoo, all this time, still has all the emails on its servers as required by various laws (Patriot Act etc).  (Same in GB Inc.)
  11. cTunnel’s operator says he’s willing to check or hand over his logs to the US Secret Service to determine the hacker (more correctly, a cracker: it’s called password cracking, not hacking)
  12. cTunnel is run by a guy called Gabriel Ramuglia who has over 100 other domains, mostly anonymous proxies.
  13. cTunnel opens with the tagline: Ctunnel is here to protect your anonymity online!
  14. Gabriel Ramuglia lives in Fairbanks, Alaska!

So now the circle is complete.  Proxy.org has this to say (copied verbatim):

Proxy.org is the pragmatic Web surfer’s guide to online privacy and anonymous web surfing. We give you the information and tools you need to be confident and in command of your Web surfing experience. Here you’ll find information on the latest privacy issues facing Web consumers and links to relevant privacy technology. Proxy.org has the most comprehensive list of working proxies in the most convenient form.
Your right to anonymity
Amendments 4 and 5 of The United States Bill Of Rights protect the right to be free of unwarranted and unwanted government intrusion into one’s personal and private affairs, papers, and possessions. Article 12 of The United Nations Universal Declaration of Human Rights states, “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”

Despite some charges to the contrary, anonymous Web surfing is not the sole province of criminals. Anonymity also serves whistle blowers, free speech advocates, and people just looking for personal privacy online. Privacy is not a crime and anonymity is not morally ambiguous or wrong, they are your right.

I’ve laboured at length on the US and UK and their loose interpretation of our rights, as seen in the links above. I’ve hammered on about ID cards and data loss, privacy and freedom. The US, in its current incarnation, seems intent on chasing the password cracker and not Palin, who is doing the string of corrupt actions.

Fortunately, Jonathan Swift has come to our rescue from across time.  In his satire on corruption and stupidity in government and society Gulliver’s Travels, there are a bunch of allegorical beings representing the distasteful materialism and ignorant elitism Swift encountered in Britain at that time.  He described them like so:

[…] are primitive creatures obsessed with pretty stones they find by digging in mud […]and[…] are vile and savage creatures, filthy and with unpleasant habits, resembling human beings far too closely […]

The book has been in continuous print since 1726, more than sixty years older than the United States Constitution!

The creatures Swift called Yahoos, from which we derive the term “illiterate yahoo” and, in a roundabout fashion, from which the email service that Sarah Palin used illegally and in a corrupt fashion gets its name.

It says it all, doesn’t it?

What? Still no Decent Viruses!

This is just a little follow-up to an earlier post. Secunia, in their latest weekly summary to me, state this:

VIRUS ALERTS:

During the past week Secunia collected 215 virus descriptions from the Antivirus vendors. However, none were deemed MEDIUM risk or higher according to the Secunia assessment scale.

====================================================
3) This Weeks Top Ten Most Read Advisories:

1. [SA31549] Opera Multiple Vulnerabilities
2. [SA31373] Trend Micro Products Web Management Authentication Bypass
3. [SA31575] Red Hat Update for Tampered OpenSSH Packages
4. [SA31579] Linux Kernel “rt6_fill_node()” Denial of Service Vulnerability
5. [SA14652] Subdreamer Light Global Variables SQL Injection Vulnerability
6. [SA31561] Xen “flask_op” Buffer Overflow Vulnerability
7. [SA31552] vBulletin Private Message Subject Script Insertion
8. [SA31559] Folder Lock Weak Password Encryption Security Issue
9. [SA30667] Novell iPrint Client ActiveX Control Multiple Vulnerabilities
10. [SA31557] TimeTrex “interface/Login.php” Cross-Site Scripting

===================================================

Basically, the only really dodgy thing is the Red Hat Linux server hack, which was rapidly fixed. There are still no really bad new viruses out there. ALL the FUD about viruses and hackers, phishing and trojans is based on old viruses which, if people could be bothered, would all be fixed and blocked and their spread eliminated.

The solution is in the hands of big self-perpetuating monoliths like Microsoft and the vast uneducated masses with little or no computer skills and a minuscule amount of common sense.

So same old, same again then, eh?

© 2007-2017 Strangely Perfect All Rights Reserved -- Copyright notice by me