
Wednesday, 19 July 2017

BizSummits / ExecSummits make legal threats over a blog posting they admit is true

I've been writing about BizSummits LLC and their former habits of being rather spammy for a few years now. In fact, the first spam I ever received from them was nearly a decade ago.

To: "James Studer" [JStuder@[redacted]]
Date: Tue, 6 Nov 2007 09:30:40 -0500
Subject: James, question.

Hi James. On behalf of our board, I wanted to personally invite you into
The CIO Summit because of your key role and experience.

The CIO Summit is an invitation-only group comprised of the very best
executives and visionaries in technology management. We meet monthly by
teleconference to exchange what is working, what is not, strategies and
ideas. It is a confidential forum with dedicated groups of other
successful IT executives whose only agenda is to help each other
outperform.

I am certain you will find the experience both enjoyable and useful in
your efforts. Here is our site as background, www.TheCIOSummit.net, if
you could take a look and please let me know of your decision. Thanks,
James.

Sincerely,

Chris Jameson
The CIO Summit
1200 Abernathy Road., 17th Fl.
Atlanta, GA 30328
404-592-9904 Ext. 81
Mail back to decline further.
Chris@TheCIOSummit.net
www.TheCIOSummit.net
I am not James Studer - that name appears on this web page and it had been harvested by BizSummits who then guessed a valid email address to send to. Over the past decade it seems that this marketing technique has not really changed that much.

Apparently after all these years, BizSummit is still in business and they seem rather cross with me about this blog posting I made some time ago.

Let's go through this threat step-by-step.
We have written you several times by email about one of your blog postings below. Again could you archive it or at the very least redact the words, "It's a fake!"?
So.. they're upset about something I've written and would like me to remove it. Or change it. It seems like a reasonable proposition, but as I will come to later the suggestion of editing the post to remove words is fraught with danger.
The main issue is that web searchers see a truncated version of your blog title which makes it appear that our entire organization is, "a fake" and most do not click/read further to see that your complaint is actually just referring to unlicensed photos that were incorrectly used as placeholder images by our past marketing director (corrected within days of your blog posting). Here is what most web searchers see:

Now it must be said that I can't get the snippet to display exactly like that, but Google does display a similar snippet. But if BizSummits / ExecSummits think that this is not accurate, then the complaint must be made to Google. Crucially, it also confirms the accuracy of the blog posting.

As far as I can tell the website was designed in 2012 and I wrote my post about the "placeholders" in 2014, but you know I've probably had pages somewhere that have been under construction for 20 years or so, so I'm not going to criticise the length of time that "placeholder" photos may have been there.
In addition, you then approved multiple postings by a past employee of our TechSummits.org division who had been terminated for theft shortly before the postings. Michael H[redacted], both in his own name and in the name of multiple newly created aliases and friends, posted false allegations and experiences so that he could use your blog to steer our clients to competing events. We terminated him when we discovered that he was a convicted felon ( https://goo.gl/[redacted]), that he had stolen money from our TechSummits.org division by telling our clients that our company name had changed and to send checks to his home address ( https://goo.gl/wj6uxq ), and once you approved his false posts he then sent your blog link to every prospect of ours asking that they switch to his own company now out of business ([redacted]) while you did not post some of our posts. Note that in the second link we took legal action against him in US Federal Courts and he consented in writing to have all the false blog postings in his and alias names (including you approved) stricken.
I redacted the other party's name here (although it is obvious from the court documents linked to below) for a few reasons. Firstly they allege that Mr H was previously convicted of a felony, and they sent a link about an indictment of somebody of the same name as Mr H, but residing in a different state. So the allegations do not prove anything, and even if they were true they do not mean that Mr H conducted a felony in this case.

Crucially, this case (1:15-cv-03199-MHC) which can be found here: [Docket] [01-Main] [01-1] [02-main] [02-1] [02-2] [02-3] [02-4] [02-5] [02-6] [02-7] [02-8] [03] [04] [05] [06] [08] [10-Main] [10-1] was settled out-of-court with no admission of wrongdoing from either party, but an undertaking was made by Mr H to remove anything he may have posted that was in scope of the agreement. The case itself makes quite interesting reading, but of course you must always remember that allegations made in a court of law are not necessarily true.

This paragraph also makes an incorrect assertion against me: "and once you approved his false posts he then sent your blog link to every prospect of ours .. while you did not post some of our posts.". In fact TechSummits / BizSummits / Michael Price and his employees have never had comments blocked unless they were duplicates (which can happen). They've always had a full right of reply, and furthermore the comments belong to those who wrote them, not to me. It goes on..
Given the misleading blog title truncation that appears in all search engines, all the corruption/abuse above, and the fact that your blog posting is rife with inaccurate postings that you approved we respectfully ask you to archive it so that it is no longer searchable or at the very least make the title edit above and strike his false direct and alias posting where the falsities you approved are causing us great reputational damage. I am sure it was never your intention to aid and abet a known felon, nor be an accessory to any libel by approving false postings especially now that you are aware they are false, nor were you aware of the approved US Federal Court Motion to have such false blog postings removed.
So this is the point of the threat where the established facts, possible facts and assertions made so far are synthesised into something vaguely threatening.

Again, search engines are blamed for truncating the blog and making it appear to be misleading. This is a problem with the search engine. Of course they would like the blog removing as it highlights past wrongdoing, or they would like it to be edited (and I will come to that part shortly).

BizSummits alleges that the comments made by Mr H are false, but in the case in question it does not actually have a US Federal Court Motion to have postings removed, there is merely an agreement to do so between the plaintiff and the defendant. If the defendant did not take those actions, then it is a matter for the plaintiff and defendant to resolve directly. It is worth noting as well that this case was administratively closed by the court.

BizSummits also stretches the definition of a "felon" to include Mr H's supposed past transgressions and implying that this civil case also found Mr H guilty of a felony. It did not.

No libel has been proven, no felony has been proven and furthermore BizSummits / ExecSummits have not even specified the comments in question. As such, BizSummits fall way short under UK law of establishing any cause or valid complaint.

In my personal opinion, this argument is hypocritical anyway. BizSummits / ExecSummits are arguing that Mr H should be forever judged against his [unproven] wrongdoings in the past, and yet they should not be judged for theirs. Hmmm.
Please let us know your decision (email is fine) so that we can decide if your changes resolve the matter or if additional steps must be taken in the UK to make this right. We are required per UK law to provide you with 30 days written notice. Thank you for your consideration.
BizSummits admit here that UK law is the proper venue, and that means the Defamation Act of 2013.  In fact this is not the first time they have mentioned the Act. In November 2016 they threatened the use of it as well:
Hi Conrad, could we kindly ask you to archive the "It's a Fake!..." blog post or at the very least edit out the defamatory "It's a Fake" words in the title which is highly misleading and libelous? We have offered you definitive proof in our 4/10/2014, 1/21/2015, and 6/5/2015 replies. You can also pick out any past speaker or meeting date on any of our sites and we can provide you with both the recording of the meeting and the pdf summary of the meeting and even the speaker's contact info if you wish to independently verify which would be impossible to do if "It's a Fake" as you wrote.  A majority of the negative postings on your blog were from a terminated employee/contractor who launched a competing company while we were paying him then used fictitious profiles created the day of each posting in other's names to appear as if multiple people were complaining. We addressed the unlicensed photos issue within days of your original posting and confirmed back to you at that time (taking corrective action based on your feedback). When executives research us before joining they come across your blog title "It's a Fake" and then opt not to join that group which causes our group serious economic harm (some of our group members are in the UK) and deprives those who elect not to join of some really good speakers and ideas. We have provided you with absolute proof that your blog title "It's a Fake" is untrue, libelous, and violates the UK Defamation Act of 2013. You definitely made your point about the unlicensed photos oversight and we corrected it in days. Thank you very much for your kind consideration. 
This email from Kristin Johnston specifically mentions that Act, and although it somewhat contradicts the letter from Shelly Fitzgerald, it does assert the point that they have been given free rein to comment on the posts I made. This rather makes the two communications contradictory, and again Ms Johnston admits that the content of the blog posting in question was true.

Regardless of any assertions by BizSummits, the whole point is moot because under UK law there is a 12 month limit on pursuing a libel claim from the date of publication, and that limit expired on 30th March 2015 (more than two years ago). BizSummits were certainly aware of the post in April 2014. Furthermore, the last comment that could be ascribed to Mr H was made in August 2015 which is clearly more than 12 months ago. And in any case, BizSummits / ExecSummits themselves admit that the post is true. That's a pretty weak position to threaten a libel action from.

So let's go back to the options that are being offered, change the posting or remove it. Well, for the former Admiral Akbar probably says it best..


Altering a blog post may seem like a reasonable compromise, but altering it effectively means republishing it. And if you are dealing with a vexatious litigant, then republishing can effectively reset the 12 months statute of limitations. I'm not saying necessarily that this is BizSummits' intent, but it's definitely a pitfall worth avoiding.

It isn't the first time that BizSummits have threatened legal action either. A case here documents not only the threat but also catalogues several other similar threats. Indeed, a simple search for "BizSummits" comes up with a large amount of uncomplimentary material from independent sources.

In my opinion, BizSummits's assertions are without merit, unfair and stretch legal arguments to their breaking points. Of course, if Mr H or anyone else verifiable would like their own comments removing then I will see what I can do. At the moment, that is the offer on the table.

Postscript

While poking around PACER I found a case from 2005-06 where Mr Price and BizSummits LLC were the defendant in a case 2:05-cv-02257-KHV-JPO - Graceland College Center for Professional Development and Lifelong Learning Inc v. Price. That case was settled out of court when the two parties compromised (i.e. again there was no admission or assignment of wrongdoing). There are a lot of documents but the crux of the complaint makes interesting reading, found here [21] [21-1] [21-2] [21-3] [21-4] [21-5] but bear in mind that the case was dismissed without prejudice [40].

For legal masochists and what with PACER fees being what they are, all the other documents are here (and for some reason the docket numbers don't quite seem to match the downloaded documents): [Docket] [01-Main] [01-1] [01-2] [01-3] [02] [03] [05] [06] [07-Main] [07-1] [08] [09] [10] [12] [13] [15] [17-Main] [17-1] [18] [22] [25] [26] [27] [28] [29] [31] [32] [33] [34] [36] [38].


Necurs oddity II: avto111222@bigmir.net

Yesterday I saw a series of spam emails from Necurs apparently attempting to collect replies to super.testtesttest2018@yahoo.com. Although that campaign is continuing today, a new spam run with similar characteristics has started this morning. For example:

From:    jKX Soto [ingmanz@redacted]
Reply-To:    jKX Soto [avto111222@bigmir.net]
Date:    19 July 2017 at 06:43
Subject:    CQJP

hDYNOX

TC
Subject, body text and vendor seem to be randomly generated. But in all cases, the Reply-To address is avto111222@bigmir.net (Bigmir is basically a Ukrainian version of Yahoo from what I can tell).

The purpose of this spam run is unclear, but spammers do sometimes launch probing attacks to see what kind of response they get from servers. This could be an attempt to clean up the Necurs email address database, perhaps for resale.

Tuesday, 18 July 2017

Necurs oddity: super.testtesttest2018@yahoo.com / "hi test"

This email is sent from the Necurs botnet and appears to be collecting automatic replies, using a Reply-To email address of super.testtesttest2018@yahoo.com.

From:    Randi Collier [zegrtocbjez@hometelco.net]
Reply-To:    Randi Collier [super.testtesttest2018@yahoo.com]
Date:    18 July 2017 at 10:08
Subject:    hi

hi test 

The name of the sender and the "From" email vary, however the "Reply-To" email is consistent, as is the subject and body text. The sending IP varies, but this does look like Necurs from the patterns I can see.

I can't see any particular purpose in harvesting bounce messages in this way. From Necurs samples I see, the bulk of the recipient addresses are invalid in any case.
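The pattern in both Necurs runs above (sender name and "From" address vary, one fixed "Reply-To" collects the replies) can be detected at a mail gateway by clustering on Reply-To. This is an added example, not code from the original post; the sample messages are constructed, only the two Reply-To addresses come from the posts, and the threshold of three distinct senders is an assumption.

```python
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr


def _msg(from_, reply_to, subject, body):
    """Build a minimal raw message for the constructed samples below."""
    head = f"From: {from_}\n"
    if reply_to:
        head += f"Reply-To: {reply_to}\n"
    return f"{head}Subject: {subject}\n\n{body}\n"


# Constructed samples: only the two Reply-To addresses come from the posts;
# every sender name and *.example domain is a placeholder.
SAMPLES = [
    _msg("jKX Soto <ingmanz@a.example>", "jKX Soto <avto111222@bigmir.net>", "CQJP", "hDYNOX"),
    _msg("Qp Lee <wbrtk@b.example>", "Qp Lee <avto111222@bigmir.net>", "ZZKD", "mmQ"),
    _msg("aT Ruiz <oplk@c.example>", "aT Ruiz <AVTO111222@bigmir.net>", "LWE", "TC"),
    _msg("Randi Collier <zegr@d.example>", "Randi Collier <super.testtesttest2018@yahoo.com>", "hi", "hi test"),
    _msg("Ola Voss <qpwn@e.example>", "Ola Voss <super.testtesttest2018@yahoo.com>", "hi", "hi test"),
    _msg("Kim Hart <xxty@f.example>", "Kim Hart <super.testtesttest2018@yahoo.com>", "hi", "hi test"),
    _msg("Shop News <news@mailer.example>", "Support <help@shop.example>", "Offers", "Sale"),
    _msg("List <list@corp.example>", "Owner <list-owner@corp.example>", "Digest", "..."),
    _msg("Alice <alice@corp.example>", None, "Minutes", "Attached."),
]


def reply_to_clusters(raw_messages, min_senders=3):
    """Map each suspicious Reply-To address to the distinct From addresses using it.

    A Reply-To is counted only when its domain differs from the From domain,
    and reported only when at least min_senders distinct senders share it.
    """
    seen = defaultdict(set)
    for raw in raw_messages:
        msg = message_from_string(raw)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        reply = parseaddr(msg.get("Reply-To", ""))[1].lower()
        if not sender or not reply:
            continue  # no Reply-To header (or unparseable): nothing to compare
        if sender.rpartition("@")[2] == reply.rpartition("@")[2]:
            continue  # same-domain Reply-To, e.g. a mailing list owner address
        seen[reply].add(sender)
    return {r: sorted(s) for r, s in seen.items() if len(s) >= min_senders}


if __name__ == "__main__":
    for reply, senders in reply_to_clusters(SAMPLES).items():
        print(f"{reply}: {len(senders)} distinct senders -> {senders}")
```

A single newsletter with a cross-domain Reply-To stays below the threshold, so only addresses shared by many unrelated senders are reported.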

Malware spam: UK Fuels Collection / "invoices@ebillinvoice.com"

This fake invoice comes with a malicious attachment:

From:    invoices@ebillinvoice.com
Date:    18 July 2017 at 09:37
Subject:    UK Fuels Collection

Velocity
   
   
ACCOUNT NO
******969    
   
Dear CUSTOMER,
Your latest invoice for your fuel card account is now available for you to view online, download or print through our Velocity online management system.

How to view your invoices

Viewing your invoice is easy
1. Log into Velocity at velocityfleet.com
2. Select 'Invoices' from the menu option
3. Select the invoice you wish to view. You can also print or download a copy

We want to ensure we are protecting your information and providing you with a simple, straightforward and secure way to access your account information. Velocity could not be simpler to use, you will not only have access to download all of your invoices, you will also be able to order cards, run reports on transactions and get to view your PIN reminder online.

       
    Your safety is our priority

Please do not reply to this email, it has been sent from an email address that does not accept incoming emails. Velocity will never ask you to supply personal information such as passwords or other security information via email.
   
       
If you are experiencing difficulties in accessing Velocity, please do not hesitate to call us on 0344 880 2468 or email us at admin@groupcustomerservices.com

Thank you for using this service.
Yours sincerely,

UK Fuels Limited Customer Services

   
Spam Policy   |  Customer Services: 0344 880 2468

This email does not come from UK Fuels or Velocity, but is in fact a simple forgery sent from the Necurs botnet.


In the sample I saw there were two attachments, one was a simple text file that looked like this:

Filetype: Microsoft Office Word
Filename: 11969_201727.doc
Creation date: Tue, 18 Jul 2017 14:07:26 +0530
Modification date: Tue, 18 Jul 2017 14:07:26 +0530
To: [redacted]
The second is a malicious Word document, in this case named 11969_201727.doc. Opening it comes up with a screen asking you to enable active content (not a good idea!). The VirusTotal detection rate is 10/59.

Automated analysis [1] [2] shows that the malicious document downloads a binary from dielandy-garage.de/56evcxv (although there are probably other locations), downloading a file proshuto8.exe which itself has a detection rate of 11/63. Additional automated analysis [3] [4] with the others shows potentially malicious traffic to:

37.120.182.208 (Netcup, Germany)
186.103.161.204 (Telefonica, Chile)
194.87.235.155 (Mediasoft Ekspert, Russia)
195.2.253.95 (Sphere Ltd, Russia)


Malware delivered in this way is usually ransomware or a banking trojan. UPDATE: this is the Trickbot trojan.

Recommended blocklist:
37.120.182.208
186.103.161.204
194.87.235.155
195.2.253.95