
Wednesday, 19 July 2017

BizSummits / ExecSummits make legal threats over a blog posting they admit is true

I've been writing about BizSummits LLC and their former habits of being rather spammy for a few years now. In fact, the first spam I ever received from them was nearly a decade ago.

To: "James Studer" [JStuder@[redacted]]
Date: Tue, 6 Nov 2007 09:30:40 -0500
Subject: James, question.

Hi James. On behalf of our board, I wanted to personally invite you into
The CIO Summit because of your key role and experience.

The CIO Summit is an invitation-only group comprised of the very best
executives and visionaries in technology management. We meet monthly by
teleconference to exchange what is working, what is not, strategies and
ideas. It is a confidential forum with dedicated groups of other
successful IT executives whose only agenda is to help each other
outperform.

I am certain you will find the experience both enjoyable and useful in
your efforts. Here is our site as background, www.TheCIOSummit.net, if
you could take a look and please let me know of your decision. Thanks,
James.

Sincerely,

Chris Jameson
The CIO Summit
1200 Abernathy Road., 17th Fl.
Atlanta, GA 30328
404-592-9904 Ext. 81
Mail back to decline further.
Chris@TheCIOSummit.net
www.TheCIOSummit.net

I am not James Studer. That name appears on this web page, and it had been harvested by BizSummits, who then guessed a valid email address to send to. Over the past decade, it seems that this marketing technique has not really changed very much.

Apparently, after all these years, BizSummits is still in business, and they seem rather cross with me about this blog posting I made some time ago.

Let's go through this threat step-by-step.
We have written you several times by email about one of your blog postings below. Again could you archive it or at the very least redact the words, "It's a fake!"?
So.. they're upset about something I've written and would like me to remove it. Or change it. It seems like a reasonable proposition, but, as I will come to later, the suggestion of editing the post to remove words is fraught with danger.
The main issue is that web searchers see a truncated version of your blog title which makes it appear that our entire organization is, "a fake" and most do not click/read further to see that your complaint is actually just referring to unlicensed photos that were incorrectly used as placeholder images by our past marketing director (corrected within days of your blog posting). Here is what most web searchers see:

Now it must be said that I can't get the snippet to display exactly like that, but Google does display a similar snippet. But if BizSummits / ExecSummits think that this is not accurate, then the complaint must be made to Google. Crucially, it also confirms the accuracy of the blog posting.

As far as I can tell the website was designed in 2012 and I wrote my post about the "placeholders" in 2014, but you know I've probably had pages somewhere that have been under construction for 20 years or so, so I'm not going to criticise the length of time that "placeholder" photos may have been there.
In addition, you then approved multiple postings by a past employee of our TechSummits.org division who had been terminated for theft shortly before the postings. Michael H[redacted], both in his own name and in the name of multiple newly created aliases and friends, posted false allegations and experiences so that he could use your blog to steer our clients to competing events. We terminated him when we discovered that he was a convicted felon ( https://goo.gl/[redacted]), that he had stolen money from our TechSummits.org division by telling our clients that our company name had changed and to send checks to his home address ( https://goo.gl/wj6uxq ), and once you approved his false posts he then sent your blog link to every prospect of ours asking that they switch to his own company now out of business ([redacted]) while you did not post some of our posts. Note that in the second link we took legal action against him in US Federal Courts and he consented in writing to have all the false blog postings in his and alias names (including those you approved) stricken.
I redacted the other party's name here (although it is obvious from the court documents linked to below) for a few reasons. Firstly, they allege that Mr H was previously convicted of a felony, and they sent a link about an indictment of somebody with the same name as Mr H, but residing in a different state. So the allegations do not prove anything, and even if they were true they would not mean that Mr H committed a felony in this case.

Crucially, this case (1:15-cv-03199-MHC) which can be found here: [Docket] [01-Main] [01-1] [02-main] [02-1] [02-2] [02-3] [02-4] [02-5] [02-6] [02-7] [02-8] [03] [04] [05] [06] [08] [10-Main] [10-1] was settled out-of-court with no admission of wrongdoing from either party, but an undertaking was made by Mr H to remove anything he may have posted that was in scope of the agreement. The case itself makes quite interesting reading, but of course you must always remember that allegations made in a court of law are not necessarily true.

This paragraph also makes an incorrect assertion against me: "and once you approved his false posts he then sent your blog link to every prospect of ours .. while you did not post some of our posts.". In fact TechSummits / BizSummits / Michael Price and his employees have never had comments blocked unless they were duplicates (which can happen). They've always had a full right of reply, and furthermore the comments belong to those who wrote them, not to me. It goes on..
Given the misleading blog title truncation that appears in all search engines, all the corruption/abuse above, and the fact that your blog posting is rife with inaccurate postings that you approved we respectfully ask you to archive it so that it is no longer searchable or at the very least make the title edit above and strike his false direct and alias posting where the falsities you approved are causing us great reputational damage. I am sure it was never your intention to aid and abet a known felon, nor be an accessory to any libel by approving false postings especially now that you are aware they are false, nor were you aware of the approved US Federal Court Motion to have such false blog postings removed.
So this is the point of the threat where the established facts, possible facts and assertions made so far are synthesised into something vaguely threatening.

Again, search engines are blamed for truncating the blog and making it appear to be misleading. This is a problem with the search engine. Of course they would like the blog removing as it highlights past wrongdoing, or they would like it to be edited (and I will come to that part shortly).

BizSummits alleges that the comments made by Mr H are false, but in the case in question there is not actually a US Federal Court Motion to have postings removed; there is merely an agreement to do so between the plaintiff and the defendant. If the defendant did not take those actions, then it is a matter for the plaintiff and defendant to resolve directly. It is worth noting as well that this case was administratively closed by the court.

BizSummits also stretches the definition of a "felon" to include Mr H's supposed past transgressions, and implies that this civil case also found Mr H guilty of a felony. It did not.

No libel has been proven, no felony has been proven and furthermore BizSummits / ExecSummits have not even specified the comments in question. As such, BizSummits fall way short under UK law of establishing any cause or valid complaint.

In my personal opinion, this argument is hypocritical anyway. BizSummits / ExecSummits are arguing that Mr H should be forever judged against his [unproven] wrongdoings in the past, and yet they should not be judged for theirs. Hmmm.
Please let us know your decision (email is fine) so that we can decide if your changes resolve the matter or if additional steps must be taken in the UK to make this right. We are required per UK law to provide you with 30 days written notice. Thank you for your consideration.
BizSummits admit here that UK law is the proper venue, and that means the Defamation Act 2013. In fact, this is not the first time they have mentioned the Act. In November 2016 they threatened the use of it as well:
Hi Conrad, could we kindly ask you to archive the "It's a Fake!..." blog post or at the very least edit out the defamatory "It's a Fake" words in the title which is highly misleading and libelous? We have offered you definitive proof in our 4/10/2014, 1/21/2015, and 6/5/2015 replies. You can also pick out any past speaker or meeting date on any of our sites and we can provide you with both the recording of the meeting and the pdf summary of the meeting and even the speaker's contact info if you wish to independently verify which would be impossible to do if "It's a Fake" as you wrote. A majority of the negative postings on your blog were from a terminated employee/contractor who launched a competing company while we were paying him then used fictitious profiles created the day of each posting in others' names to appear as if multiple people were complaining. We addressed the unlicensed photos issue within days of your original posting and confirmed back to you at that time (taking corrective action based on your feedback). When executives research us before joining they come across your blog title "It's a Fake" and then opt not to join that group which causes our group serious economic harm (some of our group members are in the UK) and deprives those who elect not to join of some really good speakers and ideas. We have provided you with absolute proof that your blog title "It's a Fake" is untrue, libelous, and violates the UK Defamation Act of 2013. You definitely made your point about the unlicensed photos oversight and we corrected it in days. Thank you very much for your kind consideration.
This email from Kristin Johnston specifically mentions that Act, and although it somewhat contradicts the letter from Shelly Fitzgerald, it does assert the point that they have been given free rein to comment on the posts I made. This rather makes the two communications contradictory, and again Ms Johnston admits that the content of the blog posting in question was true.

Regardless of any assertions by BizSummits, the whole point is moot because under UK law there is a 12 month limit on pursuing a libel claim from the date of publication, and that limit expired on 30th March 2015 (more than two years ago). BizSummits were certainly aware of the post in April 2014. Furthermore, the last comment that could be ascribed to Mr H was made in August 2015, which is clearly more than 12 months ago. And in any case, BizSummits / ExecSummits themselves admit that the post is true. That's a pretty weak position from which to threaten a libel action.

So let's go back to the options that are being offered: change the posting or remove it. Well, for the former, Admiral Ackbar probably says it best..


Altering a blog post may seem like a reasonable compromise, but altering it effectively means republishing it. And if you are dealing with a vexatious litigant, then republishing can effectively reset the 12 month statute of limitations. I'm not necessarily saying that this is BizSummits' intent, but it's definitely a pitfall worth avoiding.

It isn't the first time that BizSummits have threatened legal action either. A case here documents not only the threat but also catalogues several other similar threats. Indeed, a simple search for "BizSummits" comes up with a large amount of uncomplimentary material from independent sources.

In my opinion, BizSummits's assertions are without merit, unfair and stretch legal arguments to their breaking points. Of course, if Mr H or anyone else verifiable would like their own comments removing then I will see what I can do. At the moment, that is the offer on the table.

Postscript

While poking around PACER I found a case from 2005-06 where Mr Price and BizSummits LLC were the defendants in case 2:05-cv-02257-KHV-JPO - Graceland College Center for Professional Development and Lifelong Learning Inc v. Price. That case was settled out of court when the two parties compromised (i.e. again there was no admission or assignment of wrongdoing). There are a lot of documents, but the crux of the complaint makes interesting reading, found here [21] [21-1] [21-2] [21-3] [21-4] [21-5], but bear in mind that the case was dismissed without prejudice [40].

For legal masochists and what with PACER fees being what they are, all the other documents are here (and for some reason the docket numbers don't quite seem to match the downloaded documents): [Docket] [01-Main] [01-1] [01-2] [01-3] [02] [03] [05] [06] [07-Main] [07-1] [08] [09] [10] [12] [13] [15] [17-Main] [17-1] [18] [22] [25] [26] [27] [28] [29] [31] [32] [33] [34] [36] [38].


Necurs oddity II: avto111222@bigmir.net

Yesterday I saw a series of spam emails from Necurs apparently attempting to collect replies to super.testtesttest2018@yahoo.com. Although that campaign is continuing today, a new spam run with similar characteristics has started this morning. For example:

From:    jKX Soto [ingmanz@redacted]
Reply-To:    jKX Soto [avto111222@bigmir.net]
Date:    19 July 2017 at 06:43
Subject:    CQJP

hDYNOX

TC
Subject, body text and sender seem to be randomly generated. But in all cases, the Reply-To address is avto111222@bigmir.net (Bigmir is basically a Ukrainian version of Yahoo, from what I can tell).

The purpose of this spam run is unclear, but spammers do sometimes launch probing runs to see what kind of response they get from mail servers. Perhaps this is an attempt to clean up the Necurs email address database, possibly for resale.

Tuesday, 18 July 2017

Necurs oddity: super.testtesttest2018@yahoo.com / "hi test"

This email is sent from the Necurs botnet and appears to be collecting automatic replies, using a Reply-To email address of super.testtesttest2018@yahoo.com.

From:    Randi Collier [zegrtocbjez@hometelco.net]
Reply-To:    Randi Collier [super.testtesttest2018@yahoo.com]
Date:    18 July 2017 at 10:08
Subject:    hi

hi test 

The name of the sender and the "From" email vary, however the "Reply-To" email is consistent, as is the subject and body text. The sending IP varies, but this does look like Necurs from the patterns I can see.

I can't see any particular purpose in harvesting bounce messages in this way. From Necurs samples I see, the bulk of the recipient addresses are invalid in any case.
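As an added example (not code from the original posts), here is a small header-based detector for the pattern both Necurs oddity posts describe: the display name is cloned onto the Reply-To, the Reply-To domain differs from the From domain, and one Reply-To drop box is shared by many unrelated senders. The messages are constructed; only the two Reply-To addresses and the first sender of the "hi test" run are taken from the posts, and the freemail domain list is an assumption.

```python
import email
from collections import defaultdict
from email.utils import parseaddr

# Constructed samples modelled on the two runs. The Reply-To addresses and the
# first From address of the "hi test" run come from the posts; the rest is made up.
SAMPLES = [
    "From: Randi Collier <zegrtocbjez@hometelco.net>\r\nReply-To: Randi Collier <super.testtesttest2018@yahoo.com>\r\nSubject: hi\r\n\r\nhi test\r\n",
    "From: Randi Collier <mqpwo@example-isp.net>\r\nReply-To: Randi Collier <super.testtesttest2018@yahoo.com>\r\nSubject: hi\r\n\r\nhi test\r\n",
    "From: Randi Collier <ttrl9@example-cable.com>\r\nReply-To: Randi Collier <super.testtesttest2018@yahoo.com>\r\nSubject: hi\r\n\r\nhi test\r\n",
    "From: jKX Soto <ingmanz@example.org>\r\nReply-To: jKX Soto <avto111222@bigmir.net>\r\nSubject: CQJP\r\n\r\nhDYNOX\r\n\r\nTC\r\n",
    "From: pQz Lee <vbnmk@example.net>\r\nReply-To: pQz Lee <avto111222@bigmir.net>\r\nSubject: WRTQ\r\n\r\nkLMNOP\r\n",
    "From: aRt Diaz <zzq1@example-dsl.com>\r\nReply-To: aRt Diaz <avto111222@bigmir.net>\r\nSubject: HJKL\r\n\r\nxYZAB\r\n",
    # Ordinary message: Reply-To stays inside the sender's own domain.
    "From: Billing <noreply@example.com>\r\nReply-To: Accounts <accounts@example.com>\r\nSubject: Your invoice\r\n\r\nSee attached.\r\n",
]

# Webmail providers that spammers use as drop boxes for replies and bounces (assumed list).
FREEMAIL_DOMAINS = {"yahoo.com", "bigmir.net", "gmail.com", "mail.ru"}


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def reply_to_features(raw: str) -> dict:
    """Header features of one raw message, as described in the posts above."""
    msg = email.message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    rt_name, rt_addr = parseaddr(msg.get("Reply-To", ""))
    return {
        "from": from_addr.lower(),
        "reply_to": rt_addr.lower(),
        # Replies are steered to a domain other than the apparent sender's.
        "domain_mismatch": bool(rt_addr) and _domain(from_addr) != _domain(rt_addr),
        # The display name is copied onto Reply-To so the redirect is not obvious.
        "name_cloned": bool(rt_name) and rt_name == from_name,
        "freemail_reply_to": _domain(rt_addr) in FREEMAIL_DOMAINS,
    }


def suspicious(features: dict) -> bool:
    """One message on its own: off-domain Reply-To under a cloned display name."""
    return features["domain_mismatch"] and features["name_cloned"]


def cluster_reply_to(raw_messages, min_senders: int = 3) -> dict:
    """Campaign-level signal: one Reply-To drop box shared by many unrelated
    From addresses, which is what both Necurs runs look like."""
    senders = defaultdict(set)
    for raw in raw_messages:
        f = reply_to_features(raw)
        if suspicious(f):
            senders[f["reply_to"]].add(f["from"])
    return {rt: sorted(s) for rt, s in senders.items() if len(s) >= min_senders}


if __name__ == "__main__":
    for drop_box, froms in cluster_reply_to(SAMPLES).items():
        print(f"{drop_box}: {len(froms)} distinct senders, likely reply/bounce harvesting")
```

Feeding a day's worth of quarantined headers through cluster_reply_to surfaces the drop box long before anyone reads the (empty) message bodies.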

Malware spam: UK Fuels Collection / "invoices@ebillinvoice.com"

This fake invoice comes with a malicious attachment:

From:    invoices@ebillinvoice.com
Date:    18 July 2017 at 09:37
Subject:    UK Fuels Collection

Velocity

ACCOUNT NO
******969

Dear CUSTOMER,
Your latest invoice for your fuel card account is now available for you to view online, download or print through our Velocity online management system.

How to view your invoices

Viewing your invoice is easy
1. Log into Velocity at velocityfleet.com
2. Select 'Invoices' from the menu option
3. Select the invoice you wish to view. You can also print or download a copy

We want to ensure we are protecting your information and providing you with a simple, straightforward and secure way to access your account information. Velocity could not be simpler to use, you will not only have access to download all of your invoices, you will also be able to order cards, run reports on transactions and get to view your PIN reminder online.

Your safety is our priority

Please do not reply to this email, it has been sent from an email address that does not accept incoming emails. Velocity will never ask you to supply personal information such as passwords or other security information via email.

If you are experiencing difficulties in accessing Velocity, please do not hesitate to call us on 0344 880 2468 or email us at admin@groupcustomerservices.com

Thank you for using this service.
Yours sincerely,

UK Fuels Limited Customer Services

Spam Policy   |  Customer Services: 0344 880 2468

This email does not come from UK Fuels or Velocity, but is in fact a simple forgery sent from the Necurs botnet.


In the sample I saw there were two attachments, one was a simple text file that looked like this:

Filetype: Microsoft Office Word
Filename: 11969_201727.doc
Creation date: Tue, 18 Jul 2017 14:07:26 +0530
Modification date: Tue, 18 Jul 2017 14:07:26 +0530
To: [redacted]

The second is a malicious Word document, in this case named 11969_201727.doc. Opening it brings up a screen asking you to enable active content (not a good idea!). The VirusTotal detection rate is 10/59.

Automated analysis [1] [2] shows that the malicious document downloads a binary from dielandy-garage.de/56evcxv (although there are probably other locations), fetching a file proshuto8.exe which itself has a detection rate of 11/63. Additional automated analysis [3] [4] of the others shows potentially malicious traffic to:

37.120.182.208 (Netcup, Germany)
186.103.161.204 (Telefonica , Chile)
194.87.235.155 (Mediasoft Ekspert, Russia)
195.2.253.95 (Sphere Ltd, Russia)


Malware delivered in this way is usually ransomware or a banking trojan. UPDATE: this is the Trickbot trojan.

Recommended blocklist:
37.120.182.208
186.103.161.204
194.87.235.155
195.2.253.95




Tuesday, 13 June 2017

Bellatora Inc (ECGR) pump-and-dump spam

It's been a little while since we've seen an illegal pump-and-dump spam from the Necurs botnet, but here is a new one pushing a company called Bellatora Inc (stock ticker ECGR).

From:    Lillie Maynard
Date:    13 June 2017 at 09:37
Subject:    Here's why this company's shares are about to go up tenfold next week.

Yes, it's been some time since I reached out to you with something good but trust me… the wait will have been worth it.

I promised you that I'd only give you a tip if I had something spectacular, and today I do.

Remember my buddy in California who works at Accel? I had lunch with him yesterday and he told me that he firm is about to invest 50 million bucks into a small Marijuana company.

Basically they make weed vaporizers and their stuff is flying off the shelf because both weed, and vaporizers are all the craze right now.

Anyway, long story short, they're putting all that cash in the company at a price of $1.17 per share and yes you guessed it… it's way higher than where the stock price is as we speak.

The price is at just over 10 cents right now. This means that when they announce their involvement in a few days it should go up about tenfold overnight.

In fact, if you look at the chart, the price was at a little over 2 dollars a few weeks ago. My buddy tells me that his firm ‘crashed' it artificially so that they'd have more bargaining power at the table and it makes sense... They're coming in at just $1.17 instead of over 2 dollars.

Nonetheless this is a really rare chance for us to get in. I'll pick up at least 50,000 shares today and I think you should do the same.

The name of the company is Bellatora Inc. and its ticker is ECGR. If you do decide to tell a couple of your friends, please do me a favor and don't mention me by name.

Thanks,
Lillie Maynard
Bellatora seems to be involved in the vaping market, including medical marijuana vaping. I've seen a couple of other P&D spam runs in the past pushing stocks in this industry [1] [2].

Over the past month, the price of ECGR stock has cratered from over $2 per share to just 10 cents today. Yesterday someone traded 455,000 shares of that stock.


According to MarketWired this company has changed names several times over the years:

Company History
- Formerly=Oncology Medical, Inc. until 9-2016
- Formerly=Vianet Technology Group, Ltd. until 4-07
- Formerly=UTTI Corp. until 2-07
- Formerly=Unitech Industries, Inc. until 1-99
- Note=12-96 state of incorporation California changed to Delaware upon emergence from Chapter XI bankruptcy under Federal Bankruptcy Code
A quick look at the financials for this company turns up.. nothing. Which is kind of odd.

Anyway, stock being pushed through illegal pump-and-dump operations such as this is not being done for YOUR benefit, but for some party who holds a lot of stock. Avoid.

The spam run has been going on for about six hours, but has slowed down in the past few hours.


Version 2 - 13th June

It didn't take long for the second version to come out.. and there could be a lot more to come.

From:    Alisa Rich
Date:    13 June 2017 at 15:39
Subject:    Let me tell you why this stock will go up 10x by next week.

Haven't heard from me in a while right? That's because I'm not one to waste your time.

Whenever I do email you, it's because I've got something good. Really good.

My good friend who works at the big VC out in NY invited me for a bite yesterday. Nothing unusual, we always eat lunch together right?

However yesterday he gave me a really amazing piece of information and I want to share that with you.

The place he works at is basically injecting more or less 50 mill into this small American company that's in the cannabis business. Apparently, they've got some really amazing distribution and even better technologies.

Anyway... to make a long story longer he said the value they are coming in at is right around 1.20 a share and that this announcement will be made public some time in the next few days.

Given that the shares are at just 12 cents right now, do you have any idea what's going to happen when the announcement is out?

Yep, you guessed right... It's going to jump up 10 times, literally overnight.

The cannabis company is: Bella tora Inc.

You can buy it if you type E C G R in your brokerage account.

Feel free to tell only your closest friends about this. I really have no clue when the next time I get a tip will be.

Take care,
Alisa Rich




Monday, 5 June 2017

Malware spam: "John Miller Limited" / "Invoice"

This spam pretends to come from John Miller Ltd (but doesn't) and comes with a malicious payload. The domain mentioned in the email does not match the company being spoofed, and varies from message to message.

From:    Felix Holmes
Date:    5 June 2017 at 10:20
Subject:    Invoice


Regards



Felix Holmes

cid:image001.jpg@01D00F00.660A92D0
Kirkburn Ind. Estate
Lockerbie
Dumfries and Galloway
DG11 2FF

Tel – 01576 208 741 (Accounts) 01576 208 747 (Main line)
Fax – 01576 208 748
Ext – 1008/1006
‘’New Website launched 30.05.2014 – visit www.[redacted].uk’’


Attached is a PDF file with a name similar to A4 Inv_Crd 914605.pdf - opening it up (NOT recommended) displays something fairly minimal.

The attachment currently has a detection rate of about 9/56. As is common with some recent attacks, the PDF actually contains an embedded Microsoft Office document. Hybrid Analysis shows the malicious file downloading a component from cartus-imprimanta.ro/8yfh4gfff (176.126.200.56 - HostVision SRL, Romania) although other variants possibly exist.


A file is dropped (in the HA report called miniramon8.exe) with a detection rate of 11/61. According to the Hybrid Analysis report, that attempts to communicate with the following IPs:

192.48.88.167 (Tocici LLC, US)
89.110.157.78 (netclusive GmbH, Germany)
85.214.126.182 (Strato AG, Germany)
46.101.154.177 (Digital Ocean, Germany)


The payload is not clear at this time, but it will be nothing good.

Recommended blocklist:
192.48.88.167
89.110.157.78
85.214.126.182
46.101.154.177



Thursday, 11 May 2017

Malware spam with "nm.pdf" attachment

Currently underway is a malicious spam run with various subjects, for example:

Scan_5902
Document_10354
File_43359


Senders are random, and there is no body text. In all cases there is a PDF attached named nm.pdf with an MD5 of D4690177C76B5E86FBD9D6B8E8EE23ED or 6B305C5B59C235122FD8049B1C4C794D (and possibly more). Detection rates at VirusTotal are moderate [1] [2].

The PDF file contains an embedded Word .docm macro document. Hybrid Analysis [3] [4] is only partly successful: it shows a run-time error for the malicious code, but it does demonstrate that a malicious .docm file is dropped, with a detection rate of 15/58.
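Both this post and the "John Miller Limited" post above describe the same trick: a PDF attachment whose real payload is a Microsoft Office document embedded inside it. The following is an added example (not code from the original posts or from any of the sandboxes mentioned) of a quick triage scan for that structure: it pulls out every /EmbeddedFile stream, inflates it if Flate-compressed, and reports whether the embedded file is an OOXML or OLE2 Office document carrying a VBA project. The sample PDF it builds is constructed for the example; the file name nm.docm and the ".docm inside PDF" layout are assumptions modelled on the posts, not bytes from the real attachments.

```python
import io
import re
import zipfile
import zlib

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls compound file
ZIP_MAGIC = b"PK\x03\x04"  # OOXML (.docx/.docm) is a zip container
# A PDF dictionary (one level of nesting allowed) directly followed by a stream.
STREAM_RE = re.compile(rb"<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n")


def build_sample_pdf() -> bytes:
    """Constructed sample (not a real malware file): a Word .docm, i.e. a zip
    carrying word/vbaProject.bin, stored as a Flate-compressed /EmbeddedFile
    and paired with an /OpenAction JavaScript object whose body is left empty."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00" * 32)  # stands in for a macro project
    payload = zlib.compress(zbuf.getvalue())
    return (
        b"%PDF-1.7\n"
        b"1 0 obj << /Type /Catalog /Names << /EmbeddedFiles 2 0 R >> /OpenAction 5 0 R >> endobj\n"
        b"2 0 obj << /Names [(nm.docm) 3 0 R] >> endobj\n"
        b"3 0 obj << /Type /Filespec /F (nm.docm) /EF << /F 4 0 R >> >> endobj\n"
        b"4 0 obj << /Type /EmbeddedFile /Filter /FlateDecode /Length "
        + str(len(payload)).encode() + b" >>\nstream\n" + payload + b"\nendstream\nendobj\n"
        b"5 0 obj << /S /JavaScript /JS () >> endobj\n"
        b"%%EOF\n"
    )


def classify_payload(data: bytes) -> dict:
    """Identify an embedded payload's container and whether it carries VBA macros."""
    if data.startswith(ZIP_MAGIC):
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return {"format": "zip-damaged", "has_vba": False, "members": []}
        return {"format": "ooxml", "members": names,
                "has_vba": any(n.lower().endswith("vbaproject.bin") for n in names)}
    if data.startswith(OLE2_MAGIC):
        # Compound-file directory entries are UTF-16LE; the VBA project stream is the tell.
        return {"format": "ole2", "members": [],
                "has_vba": "_VBA_PROJECT".encode("utf-16-le") in data}
    return {"format": "other", "has_vba": False, "members": []}


def triage_pdf(pdf: bytes) -> dict:
    """Extract every /EmbeddedFile stream, inflate it if Flate-compressed, classify it.
    Heuristic scan only: indirect /Length refs and other filters are not handled."""
    embedded = []
    for m in STREAM_RE.finditer(pdf):
        d = m.group(1)
        if not re.search(rb"/Type\s*/EmbeddedFile", d):
            continue
        length = re.search(rb"/Length\s+(\d+)", d)
        end = m.end() + int(length.group(1)) if length else pdf.find(b"endstream", m.end())
        body = pdf[m.end():end]
        if b"/FlateDecode" in d:
            body = zlib.decompress(body)
        embedded.append(classify_payload(body))
    result = {"embedded": embedded,
              "javascript": b"/JavaScript" in pdf,
              "open_action": b"/OpenAction" in pdf}
    if any(e["has_vba"] for e in embedded):
        result["verdict"] = "malicious-likely"  # macro document smuggled inside a PDF
    elif embedded and (result["javascript"] or result["open_action"]):
        result["verdict"] = "suspicious"
    else:
        result["verdict"] = "review" if embedded else "clean"
    return result
```

Calling triage_pdf(build_sample_pdf()) returns a "malicious-likely" verdict with the OOXML member list; pointing it at bytes pulled from a mail quarantine gives the same first-pass answer without opening the file.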

Putting the .docm file back into Hybrid Analysis and Malwr [5] [6] shows the same sort of results, namely a download from:

easysupport.us/f87346b

Given that this seems to be coming from the Necurs botnet, this is probably Locky or Dridex.

UPDATE

A contact pointed out this Hybrid Analysis which looks like basically the same thing, only in this sample the download seems to work. Note the references to "jaff" in the report, which matches this Tweet about something called "Jaff ransomware".

That report also gives two other locations to look out for:

trialinsider.com/f87346b
fkksjobnn43.org/a5/


This currently gives a recommended blocklist of:
47.91.107.213
trialinsider.com
easysupport.us