Wednesday 26 August 2009

Razor blade spam

Here's a new one.. razor blade spam! Gillette Mach 3 Blades are apparently the most stolen retail product in the world, so perhaps it is unsurprising to see spam for what is bound to be fake Mach 3 razor blades.
Subject: Gillette Mach 3 Razor Blades - Best Prices 28414010
Date: Wed, August 26, 2009 10:37 pm

9732866
If you have trouble viewing this email click here. You could make a gift for you boy
friend,farther or sell the items on Ebay.

7657
If you are not a member, or received this email from a friend, and would like to
join our Rewards program, click here.

You've received this message because you've registered to receive email from M3mach.
If you no longer wish to receive email from us click here.

View our privacy policy.
Please don't direct response this mail box.
Contact Us click here.
www.M3mach.com

A pack of 8 Mach 3 blades retails for about $18 in the US; these folks claim to be selling them for less than $7..

..which means that these are fakes. Fake razor blades are just fine if you don't mind facial lacerations, rashes and nasty blood diseases. Looks like they sell fake condoms too.

This may well be the start of a new trend. Who knows what the spammers will try to sell next? Tinned meat?

Tuesday 25 August 2009

CurrencyVendor.com: can you trust it?

Another doubtful World of Warcraft site is currencyvendor.com, hosted on the same server as these other WoW scam sites.

Does it look trustworthy? Well, no. It's hosted by YoHost.org on the same server as a load of WoW scam sites, phishing sites, fake internet companies, bogus pharmacies and all sorts of other things. The domain was set up a few days ago, and is hosted on an anonymous server with anonymous contact details. Given the very high number of scam sites on this server, the lack of history and the anonymous contact details, we would strongly recommend that extreme caution be taken if dealing with this site.

Update: the people behind CurrencyVendor.com deny that it is a scam, but acknowledge that their web host does host scam sites. They also decline to identify themselves. Draw your own conclusions, but as a general rule doing business with someone who refuses to identify themselves is a bad idea.

$1 + $3 + $8 + $20 + $52 = $84

This is an interesting gambling spam which tries to entice you to an online casino called worldelitecasino.net, hosted in China.

Subject: Re: yo mate
Date: Tue, August 25, 2009 5:19 pm

yo mate..


ok I`ll give you my trick but if you give it someone else I`ll fuckin kill you :)
you know in roulete you can bet on blacks or reds. If you bet $1 on black and it goes black you win $1 but if it goes red you loose your $1.
So I found a way you win everytime:

bet $1 on black if it goes black you win $1

now again bet $1 on black, if it goes red bet $3 on black, if it goes red again bet $8 on black, if red again bet $20 on black, red again bet $52 on black (always multiple you previous lost bet around 2.5) if now is black you win $52 so you have $104 and you bet:

$1 + $3 + $8 + $20 + $52 = $84 So you just won $20 :)

now when you won you start with $1 on blacks again etc etc. its always bound to go black eventually (it`s 50 / 50) so that way you eventually always win. But there`s a catch. If you win too much (like $800 a day) casino will finally notice something and can ban you. I was banned once on red teaching casino. So don`t be too greedy and don`t win more then $200 a day and you can do it for years. I think bigger casios know that trick so I play for real money on smaller ones, right now I play on elite world casino: www.worldelitecasino.net for more then 3 months, I win $50-$200 a day and my account still works. You`ll find roulette there when you log in go to "specialt games" - "american roulete". And don`t you dare talling about it anyone else, if too many people knows about it casinos will finally found a way to block that trick. If you have any questions just drop me a line here or on skype.

c ya

In brief, the spam is pitching a roulette "system" that guarantees that you will win, and recommends an online casino where you can use it. The target site has an executable called SmartDowload.exe which was written by RealTime Gaming, Inc.

So, in fact the "Casino" doesn't exist - it leads to a legitimate (but potentially unwanted) desktop gambling application. The executable itself looks like part of Realtime Gaming's affiliate program or something (the Download ID is 1273059).

Presumably the spammer gets some payment per signup or something.. and this can actually be a lot of money in some cases.

So.. what about this "system" then? Well, in reality it doesn't work. It's a version of the Martingale System which basically says that you should double your bet each time you lose (in this case double-and-a-bit).. because eventually you will win your money back. That sounds fine in theory, but eventually you either:

  1. Run out of money - because the stake increases exponentially. In the example in the spam, the next levels to bet would be $130, $325, $813, $2031, $5078, $12,595, $31,738, $79,345, $198,364, $495,910 and then $1,239,776. You will always run out of money before the casino does.
  2. Hit the house limit - most casinos have a limit beyond which you cannot bet, usually a few thousand dollars. So, you'd hit the house limit before the Martingale system ever paid off, even if you did have nearly unlimited funds.
There's a more detailed writeup at Greg Kochanski's blog explaining the maths behind it.
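The arithmetic behind the two points above, worked through as an added example (this is not code from the original post): it takes the five stakes quoted in the spam, extends them with the spam's own "about 2.5x" rule up to an assumed $5,000 table limit, and computes the exact expected value of one betting cycle. The 18/38 win probability for an even-money bet in American roulette, the $5,000 limit and the round-up rule for the next stake are my assumptions, not the post's.

```python
from fractions import Fraction
from math import ceil

# Constructed inputs (not from the post): the five stakes the spam quotes, and an
# assumed table limit of $5,000 standing in for the post's "a few thousand dollars".
SPAM_BETS = [1, 3, 8, 20, 52]
HOUSE_LIMIT = 5000
# The spam points at "american roulette": 18 black, 18 red, plus 0 and 00, so an
# even-money bet wins with probability 18/38, not the 50/50 the spam claims.
P_WIN = Fraction(18, 38)

def extend_bets(bets, house_limit=HOUSE_LIMIT, factor=2.5):
    """Apply the spam's rule ('multiply your previous lost bet by around 2.5')
    until the next stake would exceed the table limit; return every permitted stake."""
    out = list(bets)
    while True:
        nxt = ceil(out[-1] * factor)  # assumption: round the next stake up
        if nxt > house_limit:
            return out
        out.append(nxt)

def profit_if_win_at(bets, k):
    """Net result when spin k (1-based) is the first win in the streak: an even-money
    win pays back twice that stake, minus everything staked so far."""
    return 2 * bets[k - 1] - sum(bets[:k])

def expected_stake(bets, p_win=P_WIN):
    """Expected total wagered per cycle: stake k is only placed after k-1 losses."""
    q = 1 - p_win
    return sum(q ** (k - 1) * bets[k - 1] for k in range(1, len(bets) + 1))

def expected_value(bets, p_win=P_WIN):
    """Exact expected profit of one cycle that stops after len(bets) straight losses."""
    q = 1 - p_win
    ev = sum(q ** (k - 1) * p_win * profit_if_win_at(bets, k)
             for k in range(1, len(bets) + 1))
    return ev - q ** len(bets) * sum(bets)  # the losing streak that ends the cycle

def bust_probability(bets, p_win=P_WIN):
    """Chance that one cycle runs through every permitted stake and loses them all."""
    return (1 - p_win) ** len(bets)

if __name__ == "__main__":
    print(sum(SPAM_BETS), profit_if_win_at(SPAM_BETS, 5))  # 84 staked, $20 net, as in the spam
    full = extend_bets(SPAM_BETS)
    print(full, float(bust_probability(full)), float(expected_value(full)))
```

Whatever the stake sequence, the expected value comes out as exactly minus the house edge (2/38) times the expected amount wagered, which is why no staking pattern can beat the wheel.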

Personally, I think there's only one thing to remember about casinos: the house always wins!

Friday 14 August 2009

"PD Domains": topnameappraisals.com and greatestnamesonline.com scam

Two more scam domain appraisal sites - greatestnamesonline.com and topnameappraisals.com following on from pddomains.com and countless other ones.

If you receive an unsolicited email listing either of these two companies as appraisal outfits, then it's a scam. More information here.

Update: there's also topnameappraisal.com which is another domain doing exactly the same thing.

dia-company.net scam

Another job scam from Michell.Gregory2009@yahoo.com. It's not clear exactly what "job" they are offering, but it will definitely be a scam and probably be illegal.

Subject: Job Search Results on Monster.com

Greetings,

Our Company is ready to offer full and part time work in your region. We are among top managing companies in North America and Europe.

If you are interested in career growth and good salary, send your resume ONLY to the Company's email address: hd@dia-company.net

Reply only via corporate email, so please just use this one for further contact and
correspondence: hd@dia-company.net

With best regards,
HD department
DIAGROUP

The domain registration details are:

Domain name: dia-company.net

Registrant Contact:
NA
Gregory Michell Michell.Gregory2009@yahoo.com
+1.3023892438 fax: +1.3023892438
5215/2 SW 152 Court
Beaverton NA 97011
us

Administrative Contact:
Gregory Michell Michell.Gregory2009@yahoo.com
+1.3023892438 fax: +1.3023892438
5215/2 SW 152 Court
Beaverton NA 97011
us

Technical Contact:
Gregory Michell Michell.Gregory2009@yahoo.com
+1.3023892438 fax: +1.3023892438
5215/2 SW 152 Court
Beaverton NA 97011
us

Billing Contact:
Gregory Michell Michell.Gregory2009@yahoo.com
+1.3023892438 fax: +1.3023892438
5215/2 SW 152 Court
Beaverton NA 97011
us

DNS:
ns1.freedns.ws
ns2.freedns.ws

Created: 2009-06-25
Expires: 2010-06-25

That email address is well-known.

The site is hosted on 121.12.127.241 in China. It is probably safe to assume that every other site on that server is similarly some sort of scam or malware site and should be avoided.

Thursday 13 August 2009

Some "World of Warcraft" Scam sites

I don't play WoW myself, but there are a whole bunch of bad guys out there trying to rip off player accounts for money. Here are some recent domains hosted at scam-friendly YoHost.org that you should avoid.. if you HAVE entered your password into one of these sites, then change it NOW.

  • Blizzard-battle.net
  • Blizzard-promotion.com
  • Promotions-battle.net
  • Promotions-worldofwarcraft.com
  • Worldotwarcaft.net
  • Wowmovieteaser.com
  • Wowtcgpromotion.com

Wednesday 12 August 2009

CA eTrust goes nuts with StdWin32 and other false positives

CA eTrust ITM has gone completely nuts today, with a load of seemingly random false positives mostly for StdWin32 in a large number of binaries, including some components of eTrust itself.

The core problem seems to be a signature update from 31.6.6672 to 33.3.7051. There seems to be little consistency in what is being detected as a false positive, although there are multiple occurrences of Nokia software, VNC and even DLLs and EXEs belonging to eTrust's core components.

Probably the best thing to do is block the update or change the Realtime scanning behaviour to "disabled" or "report only".

Update: the problem seems to have started at about 0525 GMT when the new signature pattern was applied. There is no consistent pattern to the "infected" files; it looks like it happens at random. Several other people seem to be having the same issue!

Update 2: Signature pattern 34.0.6674 appears to fix this problem. You can then enjoy repairing your faulty machines.. thanks CA!

Update 3: Amusingly, CA eTrust seems to have deleted its own key components in many cases. I don't know if this is the first recorded case of an anti-virus application mistaking itself as malware!

Update 4: CA have released a statement as follows:

Last night, CA released a new updated antimalware engine. This new release has resulted in false positive detections of a number of files. CA Threat Manager customers are the only customers being affected by this issue. This is not a result of signature updates and does not impact CA consumer Internet security products.

To resolve the issue, CA has rolled back the new engine and re-released its previous antimalware engine. CA customer support representatives are on call to answer customer questions and to provide remediation support. A remediation tool to rename the quarantined files is now available through CA support and will soon be accessible online.

CA is aggressively working to resolve the issue, assist any customers who have been affected, as well as identify the root cause of the incident. We apologize for this inconvenience and look forward to the roll out of our new antimalware engine, which will ultimately offer our customers many benefits including enhanced malware protection and improved performance.

Update 5: Got a mention on El Reg.. funny thing is that I went in to work today wearing my El Reg T-Shirt. Coincidence? Conspiracy? Cockup?

PS: Please remember to read the comments if you are still having problems!

Sunday 9 August 2009

Fleos.com and Flyappraisal.com scams

Two more domain appraisal scams following on from this one, Fleos.com has been around for a few days and is a copy of the flyappraisals.com / flyrating.com fraud.

In the same vein, the scammers have also registered Flyappraisal.com, which will no doubt be used for another batch of fake domain appraisal fraud soon.

Avoid these, and if you have paid for a so-called appraisal via PayPal, then use the PayPal dispute procedure to get your money back.

pddomains.com scam

This is part of a long-running scam where you receive an unsolicited offer for a domain name.. the scam is that you are offered a choice of three appraisal services, the cheapest of which is controlled by the scammer. Once you have paid for your appraisal, the offer to buy the domain mysteriously dries up.

Subject: Offer to buy [redacted]
From: "Resale Domain" <resaledomain@gmail.com>
Date: Sun, August 9, 2009 6:00 am

Dear Sir,

we are interested to buy your domain name [redacted] and offer 65% of the appraised market value.
As of now we accept appraisals from either one of the following leading appraisal companies:

sedo.com
pddomains.com
accuratedomains.com

If you already have an appraisal please forward it to us.

As soon as we have received your appraisal we will send you our payment (we use Paypal for amounts less than $2,000 and escrow.com for amounts above $2,000) as well as further instructions on how to complete the transfer of the domain name.

We appreciate your business,

Thank you,

B. Phillips
Resale Domain
The site looks professional enough, but it's a cookie-cutter design that has been used for previous frauds here, here, here and here, although sometimes the same crew use this design.

The email originates from 64.186.128.191 in the US and points to a domain on 124.217.231.209 in Malaysia. WHOIS details are anonymised and the domain was only registered on 7th August; nonetheless, the most likely perpetrator is detailed here.

If you have paid for an appraisal, then you should start a PayPal dispute to get a refund. Hopefully, that will also get the fraudster's account shut down.