419 Scammers use YouSendIt

Hat tip to Kevin Church for pointing this one out to me.

Every now and again 419 scammers will use YouSendIt to send out their “please help me / send me money / travel to another country and be horribly beaten” missives to the masses.

Here’s an example of one currently in circulation:

[Screenshot: the fake message sent via YouSendIt]

Here’s the YouSendIt version, stored for all time. Or at least until July 21st, 2010.

[Screenshot: the message as hosted on YouSendIt]

Christopher Boyd

Work from home! Make $75 per hour! (or not)

We recently investigated a “Work from home” recruitment spam email. A trail of web links revealed an interesting labyrinth of sites peddling expensive “training” courses that suggest they can teach you to make huge amounts of money with very little effort.

And, while not overtly illegal, they feature:
— disclaimers that say, in effect, everything on the page is fiction
— phony site-security certification seals
— blocked Whois information

For the inexperienced Web user who might be looking for a high-paying job, we’re going to walk through these sites and list eight clues that should make anyone suspicious.

The spam email

Yahoo! Mail
How would you like to make $75 hour working from home?
From: “Immediate Placement” ImmediatePlacement@hith757upfront.com
To: mailto: Undisclosed-Recipient@yahoo.com

 
[Screenshot: the work-from-home spam email]

(A business advertised by spam email – this is your clue #1 that this should be avoided.)

The site

Clicking the link in the spam email (don’t try this at home) leads to:

http://www.workathomepositionplacement.com/index/

[Screenshot: the Work At Home Position Placement landing page]

On the Work At Home Position Placement site, “Elizabeth Jackson, America’s top work-at-home consultant” tells you in just 7,000 breathless words how you can make $75 per hour posting merchandise on eBay. The (inferred) premise is that major companies are doing away with their brick-and-mortar stores, selling on eBay instead, and they need lots of people like you to work from home.

“All you have to do is spend a little time online cruising around eBay’s website, and you’ll soon see what I mean. Huge and successful companies like Apple, Coleman, Adidas and Compaq routinely list their products on eBay auctions…”

The cost of the training program: $197.

(A sales pitch that is too good to be true – this is clue #2 – with a lot of bold face type and colorful heads – clue #3)

Whois info is blocked

The Whois information for the domain is blocked (clue #4), and the site has been registered only since April (clue #5). Legitimate businesses identify themselves, and usually they’ve been in business (and had a domain registered) for more than a few days or weeks. Malicious or fraudulent sites are taken down quickly.

Domain name: workathomepositionplacement.com

Registrant Contact:
   Whois Privacy Protection Service, Inc.
   Whois Agent ()

   Fax: 
   PMB 368, 14150 NE 20th St – F1
   C/O workathomepositionplacement.com
   Bellevue, WA 98007
   US

Creation date: 07 Apr 2010 19:02:47
Expiration date: 07 Apr 2012 19:02:00
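Clues #4 and #5 are easy to check mechanically. The following is an added example, not code from the original post: it parses a Whois record laid out the way the post prints them, flags a privacy-proxy registrant, and computes domain age against a reference date. The two sample records are constructed from the records quoted in the post (the `Domain name:` line of the second one is added for symmetry), the reference date of 15 June 2010, the 90-day “young domain” threshold and the list of privacy-marker phrases are all assumptions.

```python
import re
from datetime import datetime

# Constructed sample records in the layout the post prints. Registrant
# details and dates are the ones quoted in the post.
SAMPLE_WHOIS_YOUNG = """\
Domain name: workathomepositionplacement.com

Registrant Contact:
   Whois Privacy Protection Service, Inc.
   Whois Agent ()

   Fax:
   PMB 368, 14150 NE 20th St - F1
   C/O workathomepositionplacement.com
   Bellevue, WA 98007
   US

Creation date: 07 Apr 2010 19:02:47
Expiration date: 07 Apr 2012 19:02:00
"""

SAMPLE_WHOIS_OLD = """\
Domain name: auctiontrainingarea.com

Administrative Contact:
   Whois Privacy Protection Service, Inc.
   Whois Agent (vkytynhr@whoisprivacyprotect.com)
   +1.4252740657
   Fax: +1.4259744730
   PMB 368, 14150 NE 20th St - F1
   C/O auctiontrainingarea.com
   Bellevue, WA 98007
   US

Creation date: 05 Dec 2008 23:37:17
Expiration date: 05 Dec 2010 23:37:00
"""

# Assumed reference date (the post gives none): a mid-June 2010 check.
REFERENCE_DATE = datetime(2010, 6, 15)

# Assumed phrases that identify a proxy/privacy registrant; seeded from the
# registrant name that appears in the post's records.
PRIVACY_MARKERS = ("privacy protection", "whois agent", "privacy service", "proxy")

DATE_FORMAT = "%d %b %Y %H:%M:%S"

# The contact block is the run of indented (or blank) lines that follows the
# "Registrant Contact:" / "Administrative Contact:" header.
CONTACT_BLOCK_RE = re.compile(
    r"^(?:Registrant|Administrative) Contact:\n((?:(?:[ \t]+[^\n]*)?\n)*)", re.M
)


def parse_whois(text):
    """Extract domain, contact block and creation/expiration dates from record text."""
    fields = {}
    m = re.search(r"^Domain name:\s*(\S+)", text, re.M | re.I)
    fields["domain"] = m.group(1).lower() if m else None
    m = re.search(r"^Creation date:\s*(.+)$", text, re.M | re.I)
    fields["created"] = datetime.strptime(m.group(1).strip(), DATE_FORMAT) if m else None
    m = re.search(r"^Expiration date:\s*(.+)$", text, re.M | re.I)
    fields["expires"] = datetime.strptime(m.group(1).strip(), DATE_FORMAT) if m else None
    m = CONTACT_BLOCK_RE.search(text)
    fields["contact"] = m.group(1).strip() if m else ""
    return fields


def assess_domain(text, as_of=REFERENCE_DATE, young_days=90):
    """Apply the post's two Whois clues: hidden registrant and very young domain."""
    w = parse_whois(text)
    contact = w["contact"].lower()
    privacy = any(marker in contact for marker in PRIVACY_MARKERS)
    age_days = (as_of - w["created"]).days if w["created"] else None
    return {
        "domain": w["domain"],
        "privacy_protected": privacy,
        "age_days": age_days,
        "young": age_days is not None and age_days < young_days,
    }


if __name__ == "__main__":
    for record in (SAMPLE_WHOIS_YOUNG, SAMPLE_WHOIS_OLD):
        print(assess_domain(record))
```

Both sample domains trip the privacy clue; only the first trips the age clue, which is the combination the post treats as most suspicious. The thresholds are a starting point, not a verdict: plenty of legitimate small sites use Whois privacy, so the flags are meant to prompt a closer look rather than to block.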

The site’s privacy policy lists what appears to be an attorney’s office in Henderson, Nevada.

Disclaimer

Disclaimers are a great view of the truth of the claims that these Web hucksters are making. They think they can skirt truth-in-advertising laws by drastically qualifying in their disclaimer everything they emphasize on their Web pages.

There is a disclaimer at the bottom of the Work At Home Position Placement Web page. It’s grayed out and clearly designed to be ignored (clue #6):

[Screenshot: the grayed-out disclaimer at the bottom of the page]

You can cut and paste the text into a word processing application to make it readable. It’s interesting. Here are the highlights:

— “INCOME CLAIM WARNING: Testimonials are not typical of most results.”
— “All Testimonials are 100% Real and Accurate and the attestants have been remunerated for allowing Work At Home Position Placement’s use of the same.” (That means the “attestants” were paid for their testimonial.)
— “Photographs or images are a depiction of individuals and payment methods.” (That means the pictures with the testimonials are not of the people who SOLD their testimonials.)
— “Some individuals purchasing the program may make little or NO MONEY AT ALL.” (emphasis mine.)
— AND, Elizabeth Jackson isn’t even REAL: “For purposes of privacy, the creator of Work At Home Position Placement is using the name Elizabeth Jackson.” (We’re disappointed. She sounded so sincere.)
— “Work At Home Position Placement is not affiliated with, endorsed by or in any way associated with Apple, Coleman, Adidas, Compaq, The New York Times, Esquire, America Online, CNN, USA Today, Forbes, Yahoo. Work At Home Position Placement does not have the express permission of Apple, Coleman, Adidas, Compaq, The New York Times, Esquire, America Online, CNN, USA Today, Forbes, or Yahoo logo.” And that leads one to wonder why those logos are on the Work At Home Position Placement page. (Clue #7)

Security certifications?

The page uses the following graphics, which don’t seem to mean anything, but do leave the impression that there is some kind of certification body approving their security/privacy policies/business (Clue #8):

[Image: the “Web Guard” seal graphics]

Link to “training” site number two

A web search for the “Web Guard” graphics above (with the unique file name wahr_order_webguard.jpg) leads to a second “training” site:

https://internetcareerbuilder.com/jobs/order2_files/wahr_order_webguard.jpg

[Screenshot: the InternetCareerBuilder page carrying the seals]

Oddly, this site has the “Web Guard” graphics (above) on what appears to be an unused page and it carries other meaningless seals that state “Security Verified” and “Privacy Verified.”

[Image: the “Security Verified” and “Privacy Verified” seals]

They don’t link to any organization (the way legitimate certification seals do) and don’t offer any other information.

https://internetcareerbuilder.com/jobs/images/seals.gif

On InternetCareerBuilder.Com a visitor also is presented with:

“Special Report from Michelle Miller, the #1 work at home consultant in America”

Michelle’s pitch is just as wordy and enthusiastic as that of the fictitious “Elizabeth Jackson, America’s top work-at-home consultant” at workathomepositionplacement.com. And the cost of Michelle’s program: a familiar $197.

In the privacy policy, the site lists a Las Vegas, Nevada address:

Internet Career Builder
11136 Ferragamo CT
Las Vegas, NV 89141
Effective Date:  August 25, 2009.

At least they didn’t deflate your enthusiasm by revealing that Michelle Miller is a fiction like Elizabeth Jackson just when you start to really like her.

Link to training site number three

[Image: the “Web Guard” seal graphics]

Doing an image search for “seals.gif” (the “Security Verified” and “Privacy Verified” seals above) oddly turns up the same graphic of the WebGuard seals on yet another “work from home” site:

http://www.auctiontrainingarea.com (caution)

[Screenshot: the AuctionTrainingArea site]

Here the shill is “Joseph Delafont” and he wants you to know (in a succinct 5,800 words):

[Screenshot: the AuctionTrainingArea sales pitch]

And the cost of the training is – you guessed it – $197.

The “earnings disclaimer” is in all caps, and its central sentence reads:

“. . .WE DO NOT GUARANTEE OR IMPLY THAT YOU WILL WIN ANY INCENTIVES OR PRIZES THAT MAY BE OFFERED, GET RICH, THAT YOU WILL DO AS WELL, OR MAKE ANY MONEY AT ALL.”

The site’s Whois info is blocked

Administrative Contact:
   Whois Privacy Protection Service, Inc.
   Whois Agent   (vkytynhr@whoisprivacyprotect.com)
   +1.4252740657
   Fax: +1.4259744730
   PMB 368, 14150 NE 20th St – F1
   C/O auctiontrainingarea.com
   Bellevue, WA 98007
   US

Creation date: 05 Dec 2008 23:37:17
Expiration date: 05 Dec 2010 23:37:00

The address listed on the bottom of the page:
Olympiad Inc – C/O Nisbetts Chamber, Charlestown, St Kitts

The disclaimer, however, claims:

“This Agreement shall be governed by and construed in accordance with the laws of Cyprus, without regard to its conflict of laws rules.”

Bogus security certifications can be very insecure

[Image: the “Web Guard” seal graphics]

Interestingly enough, the “Web Guard” graphics on the sites we discussed are good imitations of the seals of a questionable “Trust Guard” certification provided by:

http://www.1automationwiz.com/trust-guard.html (only go there with caution.)

[Image: the genuine Trust Guard seals]

Apparently nobody on the web has heard of it, and on Tuesday the site was infected with an iFrame Trojan: Trojan-Clicker.HTML.IFrame.fh (v).

[Screenshot: the detection on 1automationwiz.com]

Conclusion:

We’ve listed eight clues that let you know that this flavor of work-from-home-training scheme is probably not something you want to spend almost $200 on. Two of the sites, Work at Home Position Placement and InternetCareerBuilder, share most design elements and probably a Nevada connection. Obviously they’re part of the same business. The third, AuctionTrainingArea, which has the same graphic file on its site, is the same idea, possibly with a different owner.

And what about the bogus security certifications? Whoever designed the Work at Home Position Placement site obviously lifted the design of the certification graphics from 1automationwiz.com and that site either intentionally contains an iFrame exploit designed to download malware on your machine or has such bad security it got infected itself. That is not a “security” provider with any credibility.

Tom Kelchner

iTunes fraud: 400 accounts hit, developer banned

The AppleInsider site (not part of Apple) is reporting that Apple says about 400 iTunes accounts were involved Sunday when a Vietnamese developer’s applications were pushed to the top levels in the Apple App Store by fraudulent credit card purchases.

Developer Thuat Nguyen was banned from the store and his applications removed.

Observers believe that the victims’ credit card information was stolen, possibly by phishing, then used to make the fraudulent purchases. Apple has said its systems were not hacked.

Apple said App Store users should check their iTunes and credit card accounts for evidence of fraudulent transactions. The company also said it was ramping up security procedures.

Story here: “Only 400 iTunes accounts compromised in fraud, Apple says”

On Sunday, AppleInsider reported: “Apple’s iTunes Store users are increasingly being targeted in a number of fraud cases, some of which appear to be orchestrated by iOS app developers seeking to boost their sales rankings, and others which appear to be a widespread hack of user accounts.”

“The books in question are a low-quality series of mostly Japanese manga titles all published by ‘developer’ Thuat Nguyen, whose publishing company is listed by Apple as “mycompany” with a website of “Home.com.” It’s impossibly unlikely that 80% of the American App Store’s book sales were legitimately dominated by sales of shoddy anime book apps that are not localized, appear to violate intellectual property rights, and were all dumped into the App Store at once over a period of a couple days.”

Story here: “iTunes App Store hit by developer and account fraud”

Tom Kelchner

YouTube XSS attack becomes Panic in the Sky on Twitter

You’ve probably already heard about what happened with YouTube yesterday – an XSS vulnerability allowed people to perform all manner of, er, interesting things on video pages (mostly involving Justin Bieber, but quickly spreading to random videos). It started with the ability to block fresh comments, but quickly moved into the realms of scrolling text (the red “Come to Korea”):

[Screenshot: the scrolling “Come to Korea” text on a Bieber video]

…then delved into everything from Goatse redirects (if you don’t know, don’t ask – and don’t go Googling it in work, either) and text overlays to particularly nasty shock sites such as this one:

[Screenshot: a shock-site overlay on a Bieber video]

You REALLY do not want to go searching for the above. Trust me on this.

Google patched it up relatively quickly – however, I was more interested by other aspects of the attack.

Incorrect information filled sites such as Twitter and quickly took on a life of its own. This was on the front page of Twitter with over 100 retweets shortly after the cut-and-paste code action took place:

[Screenshot: a widely retweeted post calling the attack “a virus”]

Advising people to steer clear until the problem is fixed? That’s good. Lots of people running around telling lots more people that there’s a “virus”? That’s not so good.

The “virus” talk went viral, and you can see a huge slice of people amplifying the “virus” talk here. Even hours after it’s been fixed, people continue to talk about “getting infected” by a nonexistent virus and there’s a lot of unscheduled scans now taking place:

[Screenshot: tweets from people running unscheduled antivirus scans]

This next chap took a swing at the “common folk”, which inevitably resulted in him having to apologise for something else afterwards:

[Screenshots: the tweets in question]

Here’s a popup on one of the videos, courtesy of 0ph3lia:

[Screenshot: the “please delete System32” popup]

“Malware has been detected. Please go to my computer, C Drive, Windows and delete the folder named System32 to correct this error”.

Of course, by the time the story had appeared on various news sites something like the above (a piece of self inflicted computer destruction) had become an honest-to-goodness exploit:

[Screenshot: a news site describing the popup as an exploit]

That is indeed “scary stuff”, but for entirely different reasons. Despite the attack having been fixed, there’s going to be a lot of screenshots like this doing the rounds for some time.

Anyway, I just thought the Chinese Whispers style misinformation clouding the actual attack was pretty interesting.

Something else to think about: if this exploit had been discovered by a professional moneymaking outfit, there could have been all sorts of subtle attacks taking place for a long time – not good, given the apparent simplicity of the attack.

In the time it took to launch all the popups, messages involving Bieber dying horribly and porno redirects, I did see some small evidence of “the usual suspects” getting in on the act.

A collection of Youtube videos were obscured by a large, black overlay – if you held down your mouse button and highlighted inside it, you’d reveal some text:

[Screenshot: text hidden inside the black overlay]

You’ll never guess what kind of scam artist jumped on the bandwagon:

[Screenshot: the survey portal linked from the overlay]

Yes, one of those wonderful “fill in the survey to watch a film” portals that never actually seem to give you the promised reward – although in this case the reward is a Twilight movie so we’ll let them off with it this time.

Christopher Boyd

The Secret FarmVille Cow of Fail

Oh dear.

And when a writeup starts with that as an opener, you know you’ve got problems.

This is a facebook page, with a rather happy cow on it:

[Screenshot: the Secret Cow Facebook page]

The cow is happy because it knows people like to click on things. In fact, they just can’t help themselves. 31,769 have clicked the “Like” button for this, and that doesn’t appear to be automated – after jumping through hoops, my test account hasn’t given this the “Thumbs up”, so it seems like they’re just hitting “Like” because they like being scammed.

[Screenshot: the “Adopt the secret cow” offer with its fake countdown]

If you want to “Adopt the secret cow”, you’ll have to move fast – you only have 1 hour and 18 minutes before the offer expires! Or at least, you would if it wasn’t a static image that is absolutely without any sort of timer. There’s also a mention of a FarmVille Game Bar underneath, but that doesn’t put in an appearance. Click the box, and…

[Screenshot: the page asking you to spam your friends]

Yes, you’re going to have to spam them with this in order to get your Secret Cow. Click the “Skip” button, and you’ll see a popup like this one:

[Screenshot: the popup shown after clicking “Skip”]

Oh no! You’ll never get the ultra rare secret cow! A spamming we will go, then. Can you guess the reward for shunting the below spam to all and sundry?

[Screenshot: the spam message sent to the victim’s friends]

Of course you can. It’s one of these things:

[Screenshot: the affiliate offers page that is the real “reward”]

Spamtacular.

In the time it took me to put this writeup together, the amount of “Likes” has risen from 31,769 to 32,215 – an increase of 446 people in around 20 minutes. I wonder how many have realised the horrible secret of the secret cow:

It doesn’t exist. Sorry, kids.

Christopher Boyd

Nasty Twitter Spam on the loose

These links have been popping up over the last day or so, and seem to be related to the Twitter PDF spam run from a week or so ago. In all cases, the spam comes from accounts whose names run the first and last name together with no space, followed by two random letters.

[Screenshot: the spam tweets]

The one sent to me just now redirected me to a fake antivirus page:

[Screenshot: the fake antivirus page]

[Screenshot: the fake antivirus popups]

I’ve seen other links taking me to pages that tried to do something with Java, and another one that involved lots of women jumping around who apparently forgot to put some clothes on when they got up. I’ve no doubt there are all kinds of horrible things lurking on some of the pages linked to from this spamrun, so please do try to avoid anything that looks like this:

[Screenshot: more of the spam tweets]

Something particularly interesting where this spamrun is concerned is the retweeting going on. There’s a couple in the above shot, but look at this:

[Screenshot: spam tweets showing retweet counts]

Not sure why some of them show up as “zero retweet”, but there’s a lot of spam posts with 1 or 2 sitting underneath. The spammers are evolving! Run for the hills!

Well, it’s either that or regular users are happily retweeting the spam. Not sure I want to think about that possibility too much…

Christopher Boyd

Winner’s Circle Facebook phish

Here’s a Facebook phish that claims you’ve won $200,000,000 from “Zynga Special Gifts”, while displaying elements from the legit Texas Holdem Poker App page. It also pastes a popup box over the top:

[Screenshot: the “Zynga Special Gifts” phish page with its popup]

As I’m logged into Facebook, you can see a little picture of my head as Texas Holdem asks for permission to access my information. All of this is going to seem very convincing to a Facebook user unfamiliar with dubious popups and other nonsense. Let’s see where we go from here after clicking the popup:

[Screenshot: the “Welcome to Winner’s Circle” popup]

“Welcome to Winner’s Circle”, it says – along with a request for your email, password and “code” to prove you’re a legitimate winner. I’ve no idea what the Code is all about, but entering your data into the box and hitting the “Claim Gifts” button sends your login to the phisher.

Where this gets really interesting is the state of play this morning.

Visit the phish now, and Facebook redirects you to the following page:

[Screenshot: the Facebook warning page]

“Warning, the website that directed you here was not a Facebook page. If you entered your Facebook login information on the previous site, you will need to reset your password”.

While this is pretty clever, there is one small problem. The warning appears underneath the phish popup, which is still alive and kicking:

[Screenshot: the phish popup sitting on top of the Facebook warning]

Performing a password reset depends upon the victim paying enough attention to notice the warning message once they’ve been phished – otherwise there won’t be any account reclaiming action taking place.

Still, it’s better than no warning at all. This one starts with a redirection link, bit(dot)ly/braovG (which now takes you to a Bit.ly warning page), leading to winner-gift(dot)110mb(dot)com/welcome(dot)htm, which is currently flagged as a phish by both Firefox and IE.

Christopher Boyd

The rise of the Twitter shills

[Screenshot: TweetAdder advertised on Twitter]

Advertising is to make money. And, as we’ve all seen in the onslaught of paper in snail mail boxes and the email jam in Internet spam filters, there is a vast army of people and companies out there advertising their products, advertising FOR someone with products to sell and even advertising advertising. Some are now using automated tools to advertise automated Twitter spamming agents — on Twitter.

The first thing to notice in this ad deluge: some of the trolls for getting more Twitter followers will take you to malicious sites – a phishing operation by the looks of this one:

[Screenshot: a malicious “get more followers” tweet]

[Screenshot: the browser’s malicious-site notice for the linked page]

We checked out one of the grayware sales campaigns on Twitter and tested a software agent that claims to be able to boost your Twitter following. It appeared to be legal, assuming they don’t misuse your credit card data or steal your Twitter login.

[Screenshot: TweetAdder’s follower-building claims]

Its flaw, however, is that its entire method seems to be based on the shaky premise that if you subscribe to a huge number of Twitter accounts that have tweeted something similar to your interests, then they will subscribe to YOUR Twitter feed. And then you can spam them to oblivion.

I’m not sure anybody thought this one through. Assuming it works, as the number of spamming agents builds, eventually the bulk of Twitter traffic is going to come from automated agents spamming each other.

Getting more followers INSTANTLY seems a bit of a stretch. TweetAdder didn’t attract any new followers in 24 hours in our test.

[Screenshot: TweetAdder after 24 hours of testing]

It has an attractive graphic interface, although it’s far from intuitive. If you have the patience to read through the 10 MB PDF help file, it becomes apparent that TweetAdder automates all the things you can do on Twitter, starting with a keyword search for tweets containing search terms you select, and ending with a mechanism to schedule automated tweets that you can send out as frequently as one per minute. And, of course, it IS for sale:

[Screenshot: TweetAdder’s purchase page]

There is a line in the Tweet Adder End User Licensing Agreement that seems to be a tip-off about their confidence in their own product:

“If you dispute a charge to your credit card issuer or take any action that results in a payment being reversed that, in our sole discretion is a valid charge under the provisions of the TOS, you agree to pay us an Administrative Fee” of $100.

If you dispute the original credit card charge and they charge you another $100, I wonder why they think you’re not going to contest that too.

As we said, some people make money advertising advertising and that now includes selling the tools you can use to clog Twitter and advertise the Twitter Fail Whale, who seems to be in great evidence around the middle of every day in the Eastern Standard time zone.

Twitter has a place to get information on fighting spam: http://twitter.com/SPAM

It has 234,760 followers.

Twitter’s page “How to Report Spam on Twitter” is here.

Tom Kelchner

Expanded attacks on Windows Help Center follow POC

Microsoft has said it’s seeing an escalating number of attacks exploiting the unpatched Windows Help and Support Center vulnerability that was publicized last month.

Tavis Ormandy, a Google researcher, has drawn criticism for releasing details of the vulnerability and proof-of-concept exploit code on the Full Disclosure security list less than a week after he told Microsoft of it.

The vulnerability allows the remote installation of malcode on Windows XP and Server 2003 machines by drive-by downloads from malicious web sites.

Microsoft said it had monitored attacks on 10,000 machines, with the largest volumes in the United States, Russia, Portugal, Germany, and Brazil.

Microsoft said: “At first, the attacks seemed to focus on downloading Obitel, which is malware that simply downloads other malware. However, most recently, downloads have run the gamut, varying in methodology (some direct downloads, but also some downloads involving single or double script redirects, which our products detect as TrojanDownloader:JS/Adodb.F and TrojanDownloader:JS/Adodb.G, and also varying in payload.”

They also said, “Starting last week, we started seeing seemingly-automated, randomly-generated html and php pages hosting this exploit. This attack methodology constitutes the bulk of attacks that have continued to flourish into this week.”

There is no word on when Microsoft expects to fix the vulnerability.

Microsoft Malware Protection Center blog here: “Attacks on the Windows Help and Support Center Vulnerability (CVE-2010-1885)”

Microsoft advisory with work-around here: Microsoft Security Advisory (2219475)

I think Tavis Ormandy just made himself the poster boy for responsible disclosure.

Tom Kelchner

Burn hazard: Sony recalls VAIO F11 and CW2 Series

Firmware update fixes the problem

[Image: Sony VAIO notebook]

Sony has issued a recall for its F11 and CW2 series notebook PCs and is offering a firmware update to fix an overheating problem.

According to the company’s notice today: “In rare instances, these notebook computers may overheat due to a potential malfunction of the internal temperature management system, resulting in deformation of the product’s keyboard or external casing, and a potential burn hazard to consumers.”

The FAQ in the notification said: “Certain units within the VPCF11 and VPCCW2 notebook series are affected by this potential overheating issue. Sony recommends that all units in the VPCF11 and VPCCW2 series be updated with the firmware download.”

Notification here: “Important Notification for the Sony VAIO® F11 and CW2 Series”

Tom Kelchner

More Orkut fun with Javascript recharge pages

Here’s another one of those “paste Javascript into your browser” scams that wants to make significant changes to the appearance of your Orkut account. The site in question here is 500-rs-recharge(dot)minhahomepage(dot)com.

[Screenshot: the “500 rs recharge” site]

It’s just out of shot, but there’s a little “How many people are on this site” doodah (technical term) at the bottom of the page which veered between around 35 and 60 visitors while I was there.

Will we get some more Javascript code to paste into the browser? Yep.

[Screenshot: the Javascript the site asks you to paste]

This one gives you the usual popup about the fact that your “recharge” is on the way, while making some updates to your Orkut page.

[Screenshot: the “recharge on the way” popup]

“You’ll have your free recharge in 24 hours”. Funnily enough, it’s been 24 hours since the first attempt at running Javascript from the original page and I don’t have any recharging action taking place! Anyway, you’re taken to this URL:

500-rs-recharge(dot)minhapagina(dot)info

The website refuses to load for me at the moment, but it has been submitted to PhishTank by somebody so we’ll have to wait and see if it turns out to be a Phish. I certainly wouldn’t advise logging in on there given what we’ve seen so far, though.

If we take a look at the test profile, there are now a whole bunch of random people staring out at me from the “Friends” section:

[Screenshot: the test profile’s “Friends” section filled with strangers]

Even better, take a look at my “About” section:

[Screenshot: the rewritten “About” section]

“Free recharge version of Orkut, this version was introduced to all Orkut users as a gift from Google services”.

Uh…call me suspicious, but I’m going to chalk this one up as a “not buy”.

Christopher Boyd

Orkut users asked to recharge phones with the power of Javascript

Here’s a curious scam putting users of Google’s Orkut in the crosshairs. There’s a number of sites out there claiming a “free recharge code” (presumably they mean call credits) will be posted to your Orkut scrapbook, but only if you take some random Javascript code – oh dear – and paste it into your browser.

We’ve seen that particular wheeze before, but let’s see what they’re doing with it here. This is one of the sites in question:

[Screenshot: one of the “free recharge” sites]

Shall we take a look at the Javascript?

[Screenshot: the Javascript as presented on the site]

You may be able to see the URL already. Let’s clean it up a little bit:

[Screenshot: the same Javascript, cleaned up to expose the URL]

Can you see it yet? “Snurl(dot)com/fr33ee”.

That triggers a big page of javascript code located at orkutaddict(dot)net/freerecharge/dpd(dot)js. At this point, the path branches off depending on whether you’re logged into Orkut or not. If you’re not, you’ll see this popup:

[Screenshot: the popup shown to users not logged into Orkut]

“We are done now, login to Orkut and you’ll have your free recharge in just 24 hours”.

You’re then dumped at the following page, located at freerecharge(dot)orkutaddict(dot)net:

[Screenshot: the fake Orkut login page]

“Sign in to OrkutPorn with your Google Account”.

Yeah, right.

Now we’ll see what happens if the victim pastes the Javascript into their browser while logged into Orkut. First you’re asked for your mobile number:

[Screenshot: the prompt for a mobile number]

Then you’re given a collection of popup boxes promising you wonderful “recharge codes”.

[Screenshots: the popup boxes promising “recharge codes”]

After all of that, you’re dumped at a site flagged as a Phish:

[Screenshot: the site flagged as a phish]

Worse, your Orkut account has started to spam out messages galore:

[Screenshot: spam messages sent from the victim’s Orkut account]

Here’s another one:

[Screenshot: another spam message]

Even better(!), they’ve automatically signed you up to a collection of groups.

[Screenshot: the groups the victim is signed up to]

While Orkut Codes and Orkut Tools look legit, the middle group with 1,811 “members” is clearly related to this particular shenanigan. As you’ve probably guessed, all of the spamlinks on the profiles and in the group take you to more sites asking victims to cut and paste Javascript into their browser – many of which give you rather cheeky popups like this one begging for free advert clicks:

[Screenshot: a popup begging for advert clicks]

In conclusion, then, we have a whole bunch of dodgy Javascript, phish pages, advert clicking, spammed messages on profiles and popup boxes asking for mobile phone numbers.

Is this the concluding part of the writeup where I advise you to avoid the above at all costs?

You better believe it.

Christopher Boyd

Save the last dance…for Adware

Not so long ago, I wrote about something called the Tango Toolbar. While digging around for more information, I actually came across another toolbar called “Tango” which is entirely unrelated (this one is about the dance, not…er…whatever the other one was about) yet also manages to raise some red flags:

[Screenshot: the other “Tango” toolbar]

Turns out it was a file on Download.com, and this is what happened when I tried to grab it:

[Screenshot: the download being blocked]

Whoops.

This is what the description page looks like minus the “Blocked” alert box:

[Screenshot: the Download.com description page]

As you can see, it’s been available since 2006. Here’s a VirusTotal report from the 18th of June, with 21/41 vendors flagging it. Here’s an updated report from the 20th, and now 34 vendors are saying “Boom, headshot”. If you want to get into the technical side of things, a ThreatExpert summary from the 6th can be found here.

The main issues seem to be adware.component.toolbars and adware.eztracks, neither of which are mentioned in the (very short) EULA viewed when installing. Here it is:

[Screenshot: the Tango toolbar EULA]

Not the greatest EULA I’ve ever seen in my life, but there you go. Below is what you’re supposed to see on install:

[Screenshot: the intended post-install page]

However, the homepage wasn’t even online during testing so the “after install” page looked like this instead:

[Screenshot: the offline homepage shown after install]

Not exactly dazzling, I’m sure you’ll agree. Hardly a severe threat (and it’s certainly no Apheve), but a valuable reminder that sometimes things do slip through the cracks even on reputable download services.

I reported this on the 20th, and they took it offline the next day while mentioning their Product Management Team would “temporarily remove the product from our library and notify the publisher of the problem”. My support ticket is now flagged as “Solved” and the download is still MIA, so I’m guessing that’s the last dance for the Tango Toolbar.

Christopher Boyd

U.S. FTC goes after $10 M micropayment scam

READ your credit card statements – really

The U.S. Federal Trade Commission has said it brought an action in U.S. Federal court that shuts down an identity theft scheme that stole more than $10 million from victims’ credit card accounts in small amounts and sent the money out of the country.

The scammers recruited 14 money mules to set up dummy corporations and open bank accounts to receive payments of $10 or less from victims’ credit card accounts. Each account was charged only once. The FTC said it did not know how the scammers obtained the victims’ credit card information.

The money mules, recruited via spam email, sent the stolen funds to bank accounts in Bulgaria, Cyprus, Estonia, Latvia, Lithuania, and Kyrgyzstan.
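The pattern the FTC describes (many cards, each charged once, every charge $10 or less) is exactly the kind of thing a card issuer or acquirer can look for in transaction data, because individual victims rarely notice a one-off $9 charge. The following is an added example, not part of the original post or of the FTC’s case: it profiles merchants over a constructed set of transactions and flags those whose activity matches that pattern. The merchant names, card tokens, amounts and the three thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample transactions as (card token, merchant, amount in USD).
# MERCHANT_A mimics the FTC case: many distinct cards, each charged once,
# every charge $10 or less. CORNER CAFE is a normal small-ticket merchant
# whose customers come back. BIG BOX has few, large charges.
SAMPLE_TRANSACTIONS = (
    [(f"card{i:03d}", "MERCHANT_A", 9.84) for i in range(40)]
    + [(f"card{i:03d}", "CORNER CAFE", 3.50) for i in range(8)] * 3
    + [("card900", "BIG BOX", 249.99), ("card901", "BIG BOX", 58.20)]
)


def merchant_profile(transactions):
    """Per merchant: total charges, distinct cards, share of cards charged
    exactly once, and the largest single amount seen."""
    per_card = defaultdict(lambda: defaultdict(int))  # merchant -> card -> charge count
    max_amount = defaultdict(float)
    for card, merchant, amount in transactions:
        per_card[merchant][card] += 1
        max_amount[merchant] = max(max_amount[merchant], amount)
    profile = {}
    for merchant, cards in per_card.items():
        distinct = len(cards)
        charged_once = sum(1 for n in cards.values() if n == 1)
        profile[merchant] = {
            "charges": sum(cards.values()),
            "distinct_cards": distinct,
            "single_charge_ratio": charged_once / distinct,
            "max_amount": max_amount[merchant],
        }
    return profile


def flag_micropayment_merchants(transactions, max_amount=10.0,
                                min_cards=20, min_single_ratio=0.95):
    """Return merchants whose every charge is <= max_amount, that touch at
    least min_cards distinct cards, and that almost never charge the same
    card twice. The thresholds are assumed defaults, not taken from the case."""
    flagged = {}
    for merchant, p in merchant_profile(transactions).items():
        if (p["max_amount"] <= max_amount
                and p["distinct_cards"] >= min_cards
                and p["single_charge_ratio"] >= min_single_ratio):
            flagged[merchant] = p
    return flagged


if __name__ == "__main__":
    for merchant, p in flag_micropayment_merchants(SAMPLE_TRANSACTIONS).items():
        print(merchant, p)
```

The single-charge ratio is what separates a mule front from a legitimate low-value merchant: a coffee shop with a $3.50 average ticket also stays under the amount cap, but its cards repeat. In practice a review queue would also look at how recently the merchant account was opened and where the settlement funds go, which is the wire-out-of-country half of this scheme.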

The dummy corporations charged with credit card fraud were:
— API Trade LLC,
— ARA Auto Parts Trading LLC,
— Bend Transfer Services LLC,
— B-Texas European LLC,
— CBTC LLC,
— CMG Global LLC,
— Confident Incorporation,
— HDPL Trade LLC,
— Hometown Homebuyers LLC,
— IAS Group LLC,
— IHC Trade LLC,
— MZ Services LLC,
— New World Enterprizes LLC,
— Parts Imports LLC,
— SMI Imports LLC,
— SVT Services LLC

The action was brought in the U.S. District Court for the Northern District of Illinois, Eastern Division.

FTC release here: “FTC Obtains Court Order Halting International Scheme Responsible For More Than $10 Million In Unauthorized Charges On Consumers’ Credit and Debit Cards”

Tom Kelchner
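The pattern in the FTC post above, a single charge of $10 or less from a merchant the cardholder has never dealt with, is exactly the kind of thing a statement reader skims past. The following is an added example (not part of the original post and not anything the FTC published) that parses a constructed CSV statement, counts how often each merchant descriptor appears, and flags one-off charges at or under $10; it also marks whether the descriptor matches one of the dummy corporations listed in the post. The sample statement lines, the CSV column names and the $10 threshold are assumptions made for the demo.

```python
"""Flag the micro-charge pattern described in the FTC action: a merchant that
appears exactly once on a statement with a charge of $10 or less.

Added example; the statement below is constructed, not real cardholder data.
"""
import csv
import io
import re
from collections import Counter
from decimal import Decimal

# Dummy corporations named in the FTC action (taken from the post).
FTC_NAMED_MERCHANTS = [
    "API Trade LLC", "ARA Auto Parts Trading LLC", "Bend Transfer Services LLC",
    "B-Texas European LLC", "CBTC LLC", "CMG Global LLC", "Confident Incorporation",
    "HDPL Trade LLC", "Hometown Homebuyers LLC", "IAS Group LLC", "IHC Trade LLC",
    "MZ Services LLC", "New World Enterprizes LLC", "Parts Imports LLC",
    "SMI Imports LLC", "SVT Services LLC",
]

# Constructed sample statement (assumed CSV layout: date, merchant, amount).
SAMPLE_STATEMENT = """date,merchant,amount
2010-06-01,GROCERY MART #12,54.20
2010-06-03,GROCERY MART #12,31.07
2010-06-05,API TRADE LLC,9.95
2010-06-07,COFFEE CORNER,4.50
2010-06-09,COFFEE CORNER,4.50
2010-06-12,HOMETOWN HOMEBUYERS LLC,8.31
2010-06-15,UTILITY CO,120.00
2010-06-18,ONLINE BOOKSELLER,23.99
2010-06-20,SVC PROCESSING,6.00
"""


def normalize(name):
    """Upper-case and strip punctuation so that 'B-Texas European LLC' and a
    statement descriptor like 'B TEXAS EUROPEAN LLC' compare equal."""
    cleaned = re.sub(r"[^A-Z0-9 ]", " ", name.upper())
    return " ".join(cleaned.split())


NORMALIZED_NAMED = {normalize(n) for n in FTC_NAMED_MERCHANTS}


def parse_statement(text):
    """Parse CSV statement text into rows with Decimal amounts."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "date": rec["date"].strip(),
            "merchant": rec["merchant"].strip(),
            "amount": Decimal(rec["amount"].strip()),
        })
    return rows


def flag_micro_charges(rows, max_amount=Decimal("10.00")):
    """Return charges that come from a merchant seen only once on the
    statement and are at or below max_amount. A legitimate one-off small
    purchase will be flagged too; the list is for review, and the
    'named_in_ftc_action' field shows which hits match the post's list."""
    counts = Counter(normalize(r["merchant"]) for r in rows)
    flagged = []
    for r in rows:
        key = normalize(r["merchant"])
        if counts[key] == 1 and r["amount"] <= max_amount:
            flagged.append({
                "date": r["date"],
                "merchant": r["merchant"],
                "amount": r["amount"],
                "named_in_ftc_action": key in NORMALIZED_NAMED,
            })
    return flagged


if __name__ == "__main__":
    for hit in flag_micro_charges(parse_statement(SAMPLE_STATEMENT)):
        tag = "NAMED IN FTC ACTION" if hit["named_in_ftc_action"] else "review"
        print(f"{hit['date']}  {hit['merchant']:<28} ${hit['amount']:>7}  {tag}")
```

Running it on the constructed statement flags three rows: the two descriptors that match the post's list and one unknown one-off $6.00 charge, while the recurring $4.50 coffee purchases and the single $23.99 book order are left alone. The merchant-count rule is the key part: the scheme relied on charging each account only once, so a merchant that appears once and only for a small amount is the signal to check.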

The “Buy Twitter followers” lottery

This is wonderfully cheeky – a website popping up in a lot of Twitter spam called increasethefollowers(dot)info, that wants you to hand over lots of money with no real explanation as to how they’re going to make it worth your while. Example spam post:

click here for lots of followers

This is the site itself:

so many to choose from

Prices start at $5 for 100 followers, right up to a huge total of 10,000 followers if you pay the highest price.

The more people you want them to add to your feed, the more time it takes. Anything up to 3,000 followers ($150) will take a maximum of 60 days. Beyond that, 4,000 followers ($200) is 40 to 80 days, 5,000 ($250) is “60+ days” and 10,000 Twitter followers (for $450) will take “90+ days approx”.

Their website says this:

“Refund guarantee: You can request a full refund on your Paypal account in 60 days”.

60 days is the maximum length of time the seller has to send the buyer their refund via the Refund tab inside Paypal. After that, it’s no longer available as an option for the seller and I believe they have to process the refund as a kind of “standalone” payment. Given that the only information on the site is a link to a form that says “Click here to find out more”, would you want to risk giving $450 to a total stranger (with no indication of how they’re going to work their magic), sweating it out for 90 days or more just to bump up your follower count with… real people? Bots? No idea.

Don’t think I’d advise giving this one a try, though.

Christopher Boyd

A little free (bad)vertising goes a long way

Today I saw a Youtube account with an array of random World Cup moments cobbled together. Nothing particularly unusual about that, but what did leap out at me was the likely reason the account exists at all – the World Cup stuff looks like a lure to get viewers to watch this:

Facebook account hacker video

“Facebook account hacker / Hack any Facebook”, it says. As you can see, the video has been removed – and quickly (after something like nine hours, which is remarkably fast for a Youtube script kiddie video). We’ll find out why the video was removed so quickly a little later on, but for now let’s take a look at what we’d have grabbed if the video was still there.

google win

A blogspot spamblog seems to be the final destination…

spamblog

142 visitors in a few hours for a spamblog with no content on it other than these “instructions” which point to a download link? The mystery deepens. Here’s what you see on the download page:

our survey says...

Yes, it’s one of those surveys where you sign up to nonsense in return for something that probably wasn’t worth the time you put into it. More often than not, you’ll find you’ve signed your life away to marketers and also downloaded an infected file (you don’t honestly think the “Hack any Facebook account” program is going to do what it says on the tin, do you?).

As for why the video was pulled (and also how the spamblog has had so many hits in a few short hours), we need to take a quick jump over to the website of UK newspaper The Daily Mail. In their coverage of the England vs Germany match, they’ve seemingly grabbed the first random Youtube clip they could get their hands on. Unfortunately for them, it was this one:

Probably a bad idea to embed this one

“Want to know how to hack Facebook accounts? Click here!”

Whoops. That would explain the traffic spike for the spamblog, and also why Youtube have pulled it – looking at the comments from the article, it seems many readers with Youtube accounts have reported the video.

At time of writing, the video is still embedded – it’s pretty harmless now, but I must admit to being baffled how someone could miss the large red box with the “Hack Facebook accounts” text in it. And don’t get me started on the football match, either…

Christopher Boyd

Magazine review of Hotspot Shield misses the fact that it’s adware

HotSpot Logo

The July print edition of PCWorld carried an (otherwise great) article “How to Stay Safe on Public Wi-Fi” (p. 94) that recommended Hotspot Shield VPN software. Unfortunately the magazine neglected to tell its readers that Hotspot Shield has some serious issues and Sunbelt’s VIPRE detects it as adware. We can’t really tell if the magazine is ignoring the issue or just didn’t notice.

Hotspot Shield “Software License and Terms of Service” states:

“9.1 Advertisements.  AnchorFree may deliver third-party advertisements (‘Advertisements’) within the content of any web page accessed. Advertisements may be injected into the top of the page, inserted directly into the page content, or even displayed to overlay the page.”

Some VIPRE users asked us recently about Hotspot Shield and we outlined the problem in the Sunbelt Blog. The company responded and we carried its comments as well. Our conclusion (written by Sunbelt Spyware Research Manager Eric Howes):

“The key test or question in this case is a simple one. AnchorFree promotes Hotspot Shield as means for ‘protecting your privacy, security, and anonymity on the web.’ What would users think if they knew that the very first thing AnchorFree does after users start a ‘private browsing session’ is hand them over to invasive advertising networks? I think they would be appalled.”

VIPRE detects it as Adware.Win32.HotspotShield.

Sunbelt Blog pieces about Hotspot Shield:

“What part of “no adware” don’t you understand?”

“AnchorFree Responds on Hotspot Shield, our response”

Tom Kelchner


XXX top level domain approved

Like it or hate it, ICANN approves domain for porn

PC World is reporting that the board of directors of the Internet Corporation for Assigned Names and Numbers (ICANN) today approved a dot-XXX top level domain for “adult” web sites. The decision comes after a decade of controversy over the issue.

The domain was proposed by the company ICM Registry.

PC World said, “The proposal was made under ICANN’s rules for ‘sponsored’ TLDs, through which domains have been created by interest groups including the aeronautical industry (dot-aero) and the cooperative movement (dot-coop).”

Story here: “ICANN Board Approves Dot-XXX Top-level Domain for Porn”

IBTimes said “Figures collated by Internet Pornography Statistics suggest more than $3,000 is spent on Internet pornography every second, with ‘sex’ the number one search term in the world, accounting for 25 percent of all Internet searches.

“With an estimated 370 million pornographic websites on the Internet, .xxx could become one of the largest domain name repositories, as big if not bigger than .com.

“But some members of the adult entertainment industry oppose .xxx, saying it will invite censorship and harm their business. Members of the American religious right also oppose its creation on moral grounds.”

Story here: “Internet bosses set to approve .xxx for porn sites”

This has been one of the biggest controversies connected with Internet management in the last decade because of the touchy moral issue of pornography. Anyone who has ever been connected to the Internet, however, knows that the number of porn sites out there is enormous.

It’s a good thing for everyone involved. Internet censors can filter adult sites now whether they’re government officials trying to block their entire citizenry from seeing porn or just parents trying to keep their kids from viewing it.

And anyone who thinks that URLs with a .xxx top level domain will lure the innocent into temptation has never looked in his spam bucket or done a search for the word “sex” (803 million hits — this morning.)

Word search

Tom Kelchner

Doctor Who: Attack of the Fake Episode Websites

If you like Doctor Who, you’re probably rather excited at the prospect of the upcoming season finale. You’ve chewed over the spoilers for the penultimate episode and you really, really want to see what happens.

I bet someone on the internet has the final episode early – right?

the big bang

Well, what do you know. Somebody does! Of course, it’s all nonsense – clicking the link takes you to that most common of cookie cutter content, the “fill in the quiz to see the episode” gag (which involves you sending lots of personal information to marketers and random internet people).

fill this in to see....nothing

I’m almost certain Alientube(dot)net does NOT have the World exclusive on the final episode of the season – sorry to disappoint! In fact, fakeout “uploads” of Doctor Who are rather common.

Doctor Who Galore

As you’ve probably guessed, all of the above take you to sites that want you to sign your life away in return for very little. Another interesting phenomenon is the Doctor Who spamblog; they all pretty much look the same and also do the same thing – ask you to “Download Now!”:

Doctor Who blog

All of these spamblogs take you to sites like the one below, which claim to offer lots of “movies and TV shows, all of which are free and legal”.

free?

Before you can get your fix of Doctor Who, you’ll need to sign up (obviously). Here are the charges:

money money money

Unlimited membership is $34.95, 2 years is $32.88 and 1 year is $29.88. There’s also a preticked box for “hi-speed performance”, “download protection” and the ability to “copy your downloads” for $14.95.

Sign me up!

Or, to be more accurate…don’t. Information on what you’re actually getting for your money is thin on the ground, but a quick check of the help section clears things up a little:

I'm paying for what now?

“State of the art software will download your file from multiple users simultaneously…”

No seriously, I'm paying for what now?

“With more than 30 million users sharing more than 800 million files…”

Is it just me, or is the magical service they’re trying to get you to pay $35+ for nothing more than a P2P program? Sure seems like it, and that wheeze has been around for quite some time. Don’t confuse any of these sites with the official BBC iPlayer, and don’t fall for any of these offers – whether they take the form of survey spam or websites that want you to cough up for some P2P action, you’ll only regret it in the end.

Christopher Boyd