The recent DDOS attacks against Korean and US government sites is well known, with calls for reprisals ranging from "cyber-attacks" to the occasional nutjob suggesting that real bombs are used.
Unfortunately, it turns out that the C&C server for the botnet carrying out the attack may well be in the UK. So perhaps we can expect a rush of malformed packets and/or Tomahawk cruise missiles heading the the UK soon..
via
Tuesday, 14 July 2009
Monday, 6 July 2009
Phorm: hahahahah
With a bit of luck, it appears that Phorm may be going down the toilet, as BT announce that they are not going to deploy Phorm's deep packet inspection technology. More at the BBC News site.
With a bit of luck, Phorm's share price will end up as a penny stock very soon.
With a bit of luck, Phorm's share price will end up as a penny stock very soon.
Labels:
Phorm
Thursday, 2 July 2009
Domain scam: ntwifinetwork.com / js-wifi.cn
The old Chinese domain scam has been around for years, but these guys are getting lazy because they haven't changed their domains for months, this is esentially unchanged from April.
Originating IP is 122.193.216.10.
As ever, legitimate domain registrars do not send out this type of email because they are NOT responsible for this activity. Sometimes the Chinese domains get registered, sometimes they are ALREADY registered, and often they never get registered. But before you panic and pay money to these scammers, consider this: there are hundreds of top-level domains in the world. Do you really want to buy your domain for all of them? The answer is probably "no".
The best advice is to ignore this email completely.
Subject: Domain Dispute and Registration
From: "Sunny"
Date: Thu, July 2, 2009 4:07 am
To whom it may concern: 2009-7-2
We are a domain name registration service company in Asia,
Last week we received a formal application submited by Justin Lin who wanted to use the keyword "REDACTED" to register the Internet Brand and with suffix such as .cn /.com.cn /.net.cn/.hk/ .asia/ domain names.
After our initial examination, we found that these domain names to be applied for registration are same as your domain name and trademark. We aren¡¯t sure whether you have any relation with him. Because these domain names would produce possible dispute, now we have hold down his registration, but if we do not get your company¡¯s an reply in the next 5 working days, we will approve his company's application
In order to handle this issue better, Please contact us by Fax ,Telephone or Email as soon as possible.
Yours sincerely
Sunny
Checking Department
Tel: 86 513 8532 1087
Fax: 86 513 8532 2065
Email:Sunny@ntwifinetwork.com
Website: www.js-wifi.cn
Our File No.:2272363
Originating IP is 122.193.216.10.
As ever, legitimate domain registrars do not send out this type of email because they are NOT responsible for this activity. Sometimes the Chinese domains get registered, sometimes they are ALREADY registered, and often they never get registered. But before you panic and pay money to these scammers, consider this: there are hundreds of top-level domains in the world. Do you really want to buy your domain for all of them? The answer is probably "no".
The best advice is to ignore this email completely.
Tuesday, 30 June 2009
%SI_subj: miserable spam failure
Possibly one of the most miserable spam failures I have ever seen - the idiot spammer somehow forgot to populate the % fields with actual data. It just goes to reinforce that spammers are stupid.
The hypertext link goes to %SI_link3 rather than a valid address.
Presumably this is a penile enhancement product. By the looks of it, the spammer you do with an intelligence enhancement product.
Subject: %SI_subj
From: "Lily Lovett"
Date: Tue, June 30, 2009 2:47 pm
You don’t need to %SI3_rnd10
rod’s %SI3_rnd11 and %SI3_rnd12 %SI3_rnd13’ jokes!
This is a %SI3_rnd14 for
%SI3_rnd15 your
%SI3_rnd16! It will
%SI3_rnd17 in seconds after she %SI3_rnd18 and %SI3_rnd19 as good as if it was
a %SI3_rnd20 rod!
No more jokes – you will always get %SI3_rnd21 and moans! The huge pack
costs less than 30 %SI3_rnd22!
%SI3_rnd23 can be a %SI3_rnd24! No one will know about your %SI3_rnd25!
%SI3_rnd26 now and save more than $10 regardless of
your order’s size!
The hypertext link goes to %SI_link3 rather than a valid address.
Presumably this is a penile enhancement product. By the looks of it, the spammer you do with an intelligence enhancement product.
Password masking facepalm
A bizarre shot in the security vs usability argument, as reported by El Reg: Masked passwords must go which reports on research saying that masked passwords are more trouble than they are worth.
A key bit of the argument? "Shoulder surfing is largely a phantom problem".. umm yeah, because people's passwords usually just show as blobs or stars so there's no point. If your damned password comes up as plaintext then you can betcha that it WILL be a problem.
Facepalm
A key bit of the argument? "Shoulder surfing is largely a phantom problem".. umm yeah, because people's passwords usually just show as blobs or stars so there's no point. If your damned password comes up as plaintext then you can betcha that it WILL be a problem.
Facepalm
Saturday, 27 June 2009
flyrating.com scam
Flyrating.com is a re-run of the flyappraisals.com scam - a fake domain name evaluation service that is spamvertised through a bogus offer to buy a domain.
Although the servers are hosted in Malaysia, there is strong evidence linking these to a person of German origin living in Canada. More information here.
Although the servers are hosted in Malaysia, there is strong evidence linking these to a person of German origin living in Canada. More information here.
Labels:
Appraisals,
Domains,
PayPal,
Scams,
Spam
Saturday, 20 June 2009
Mystery mibug-credit.com / wiremouse.com spam
This is one of those "wft" spams.
Yes, you'd think that there's a malware payload or something, but there isn't. Let's check out the domain registrations details - hosted at 213.208.134.154 in Austria:
owner-contact: P-GFB634
owner-organization: MIBUG CREDIT UG
owner-fname: Georg
owner-lname: BENDL
owner-street: Menzingerstrasse 130
owner-city: MUENCHEN
owner-zip: D80997
owner-country: DE
owner-phone: +49.180523363313143
owner-email: wmt18703@kunde.webmachine.eu
This is meant to be some sort of financial services site, but it was only registered on 8th June 2009.
The site does very little, you can try to open an account (which requires you handing over a bunch of personal information), but there's no way of getting this "refund". There are a few links to wiremouse.com on the site, something that's hosted on the same server.. so let's have a look at what else is on 213.208.134.154:
Registrant ID: C6565959-B-CO
Registrant Name: Georg BENDL
Registrant Address1: Bacherstrasse 7
Registrant City: GRIES
Registrant Postal Code: A5662
Registrant Country: Austria
Registrant Country Code: AT
Registrant Phone Number: +43.66492436352
Registrant Email: WMT5549@kunde.wmtech.net
Hmmm.. OK, well what about wiremouse.com?
owner-contact: P-NVM192
owner-organization: Managed Offshore Payment Services Limited
owner-fname: Nikolas owner-lname: MAKIN
owner-street: Cariocca Business Park 2 Sawley Road
owner-city: MANCHESTER
owner-zip: GM40 8BB
owner-country: GB
owner-phone: +44.7031887152
owner-email: wmt8464@kunde.webmachine.eu
So, it's based in the UK? Well, the postcode is incorrect.. but in fact, Companies House does have a firm of the name Managed Offshore Payment Services Limited registered. But its accounts are overdue and there is a proposal to "strike off" the firm:
Let's look at bmc-london.co.uk on the same server:
Domain name:
bmc-london.co.uk
Registrant:
Bendl Georg
Registrant type:
Unknown
Registrant's address:
38 Homer Street
LONDON
GW1H 4NH
GB
Registrar:
Key-Systems GmbH [Tag = KEY-SYSTEMS-DE]
URL: http://www.Key-Systems.net
Relevant dates:
Registered on: 04-Sep-2008
Renewal date: 04-Sep-2010
Registration status:
Registered until renewal date.
Name servers:
ns1.webmachine.at
ns2.webmachine.at
This Georg Bendl chap moves around a lot. The address is valid although it's hard to verify if there's a real company operating from that address.
In fact, most domains seem to be registered to "Georg Bendl", but the address is different in almost every case (although Salzburg features more than once).
It's hard to fathom what this spam is about, although these sites do consistently link back to wiremouse.com. Some sort of SEO? A Joe Job? A phish? Email marketing gone horribly wrong? I don't know.
The final clue is the the sending IP address is 62.47.184.176 which is an ADSL subscriber in Austria. Draw your own conclusions, but I would be tempted to give all of these domains a wide berth.
Subject: Refund of Duplicate Payment
From: "Customer Care Center" <2712@mibug-credit.com>
Date: Sat, June 20, 2009 8:12 pm
Dear Business Partner!
Enclosed is our e-check in the amount of EURO 1,750.00 which represents a refund for your inadvertent duplicate
remittance for payment of transaction no. 267.
We are pleased that our bookkeeping department discovered this overpayment so quickly.
Thank you.
Instant Number Accounts
Credit Cards Bulk and Wholesale
http://mibug-credit.com
Yes, you'd think that there's a malware payload or something, but there isn't. Let's check out the domain registrations details - hosted at 213.208.134.154 in Austria:
owner-contact: P-GFB634
owner-organization: MIBUG CREDIT UG
owner-fname: Georg
owner-lname: BENDL
owner-street: Menzingerstrasse 130
owner-city: MUENCHEN
owner-zip: D80997
owner-country: DE
owner-phone: +49.180523363313143
owner-email: wmt18703@kunde.webmachine.eu
This is meant to be some sort of financial services site, but it was only registered on 8th June 2009.
The site does very little, you can try to open an account (which requires you handing over a bunch of personal information), but there's no way of getting this "refund". There are a few links to wiremouse.com on the site, something that's hosted on the same server.. so let's have a look at what else is on 213.208.134.154:
- Afrohair.at
- Altkatholiken.net
- Bankparadies.com
- Bmc-london.co.uk
- Bmc-shop.co.uk
- Cocodonia.com
- Firmenparadies.com
- Jr-austria.com
- Mibug-credit.com
- Quotum.at
- Schmeissfliegen.com
- Server1.biz
- Sofortbetrieb.com
- Tiefpreiszentrum.com
- Turi-landhaus.com
- Wiremouse.com
Registrant ID: C6565959-B-CO
Registrant Name: Georg BENDL
Registrant Address1: Bacherstrasse 7
Registrant City: GRIES
Registrant Postal Code: A5662
Registrant Country: Austria
Registrant Country Code: AT
Registrant Phone Number: +43.66492436352
Registrant Email: WMT5549@kunde.wmtech.net
Hmmm.. OK, well what about wiremouse.com?
owner-contact: P-NVM192
owner-organization: Managed Offshore Payment Services Limited
owner-fname: Nikolas owner-lname: MAKIN
owner-street: Cariocca Business Park 2 Sawley Road
owner-city: MANCHESTER
owner-zip: GM40 8BB
owner-country: GB
owner-phone: +44.7031887152
owner-email: wmt8464@kunde.webmachine.eu
So, it's based in the UK? Well, the postcode is incorrect.. but in fact, Companies House does have a firm of the name Managed Offshore Payment Services Limited registered. But its accounts are overdue and there is a proposal to "strike off" the firm:
Let's look at bmc-london.co.uk on the same server:
Domain name:
bmc-london.co.uk
Registrant:
Bendl Georg
Registrant type:
Unknown
Registrant's address:
38 Homer Street
LONDON
GW1H 4NH
GB
Registrar:
Key-Systems GmbH [Tag = KEY-SYSTEMS-DE]
URL: http://www.Key-Systems.net
Relevant dates:
Registered on: 04-Sep-2008
Renewal date: 04-Sep-2010
Registration status:
Registered until renewal date.
Name servers:
ns1.webmachine.at
ns2.webmachine.at
This Georg Bendl chap moves around a lot. The address is valid although it's hard to verify if there's a real company operating from that address.
In fact, most domains seem to be registered to "Georg Bendl", but the address is different in almost every case (although Salzburg features more than once).
It's hard to fathom what this spam is about, although these sites do consistently link back to wiremouse.com. Some sort of SEO? A Joe Job? A phish? Email marketing gone horribly wrong? I don't know.
The final clue is the the sending IP address is 62.47.184.176 which is an ADSL subscriber in Austria. Draw your own conclusions, but I would be tempted to give all of these domains a wide berth.
Labels:
Spam
Friday, 19 June 2009
FAIL: "Microsoft has released an update for Microsoft Outlook"
This email looks like it's from Microsoft, but it is really intended to load a trojan onto your PC:
Although the link appears to be for the Microsoft web site, underneath is a hidden URL which is quite different. From samples I have plus some scraped from teh interwebs, I came up with the following samples:
hxxp:||update.microsoft.com.ijlijji.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
hxxp:||update.microsoft.com.ijj1hjf.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
hxxp:||update.microsoft.com.ijlijjh.net/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
hxxp:||update.microsoft.com.ijlijj1.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
hxxp:||update.microsoft.com.ijlijji.net/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
hxxp:||update.microsoft.com.il1if1.com.mx/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
The reason why this is a FAIL? None of the domains are registered apart from the .com.mx one, so clicking the links will do precisely nothing. il1if1.com.mx is hosted on a botnet with presumably fake registration details, but it seems to be quite unreliable.
Even though this attack doesn't work, it might be a good idea to keep an eye out for it and advise any end users you have. Also checking your proxy logs for update.microsoft.com.i may well be useful.
From: Microsoft Customer Support [mailto:no-reply@microsoft.com]
Sent: 18 June 2009 22:47
Subject: Microsoft has released an update for Microsoft Outlook
Critical Update
Update for Microsoft Outlook / Outlook Express (KB910721)
Brief Description
Microsoft has released an update for Microsoft Outlook / Outlook Express. This update is critical and provides you with the latest version of the Microsoft Outlook / Outlook Express and offers the highest levels of stability and security.
Instructions
• To install Update for Microsoft Outlook / Outlook Express (KB910721) please visit Microsoft Update Center:
http://update.microsoft.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
Quick Details
• File Name: officexp-KB910721-FullFile-ENU.exe
• Version: 1.4
• Date Published: Thu, 18 Jun 2009 16:46:55 -0500
• Language: English
• File Size: 81 KB
System Requirements
• Supported Operating Systems: Windows 2000; Windows 98; Windows ME; Windows NT; Windows Server 2003; Windows XP; Windows Vista
• This update applies to the following product: Microsoft Outlook / Outlook Express
Contact Us
© 2009 Microsoft Corporation. All rights reserved. Contact Us |Terms of Use |Trademarks |Privacy Statement
Although the link appears to be for the Microsoft web site, underneath is a hidden URL which is quite different. From samples I have plus some scraped from teh interwebs, I came up with the following samples:
hxxp:||update.microsoft.com.ijlijji.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
hxxp:||update.microsoft.com.ijj1hjf.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
hxxp:||update.microsoft.com.ijlijjh.net/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
hxxp:||update.microsoft.com.ijlijj1.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
hxxp:||update.microsoft.com.ijlijji.net/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
hxxp:||update.microsoft.com.il1if1.com.mx/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
The reason why this is a FAIL? None of the domains are registered apart from the .com.mx one, so clicking the links will do precisely nothing. il1if1.com.mx is hosted on a botnet with presumably fake registration details, but it seems to be quite unreliable.
Even though this attack doesn't work, it might be a good idea to keep an eye out for it and advise any end users you have. Also checking your proxy logs for update.microsoft.com.i may well be useful.
Tuesday, 16 June 2009
WebTrends just doesn't get it
WebTrends is a service I used to run a few years ago for web analytics, until the hundreds of dollars per month it was charging for analytics which I could get cheaper elsewere (or now even free) became ridiculous.
So, I stopped using the service and opted out of all email communications as I was no longer interested. So, this bizarre email from WebTrends plops into my mailbox today:
WebTrends is not the worst offender - some companies simply do not understand the meaning of the word "unsubscribe". Doesn't it mean "don't send me anything unless I change my mind"? It seems it now means "don't send me anything unless you really want to" instead.
So, I stopped using the service and opted out of all email communications as I was no longer interested. So, this bizarre email from WebTrends plops into my mailbox today:
Thank you for taking a moment to look at this email. We know you've unsubscribed from Marketing Communications from us and respect your request, but wanted to let you know that we're making some much-needed changes to our email programming. Our new approach lets you tell us what messages you want. Tell us which of these topics are most valuable to you and we'll limit what we send to what you're interested in. Simply click on the link below to personalise your email subscription. Still not interested? Ignore this message, it'll be the last email you receive from us.Let's read that again.. "We know you've unsubscribed from Marketing Communications from us and respect your request".. well, clearly you bloody aren't respecting my request, are you?
WebTrends is not the worst offender - some companies simply do not understand the meaning of the word "unsubscribe". Doesn't it mean "don't send me anything unless I change my mind"? It seems it now means "don't send me anything unless you really want to" instead.
Thursday, 11 June 2009
Personal Computer World to close
Noooo! According to the Guardian, Personal Computer World is to close after 31 years of publication. I've read it for 29 of those 31 years. A damned shame, and the only paper-based IT magazine I still read.
Mind you, I'm still upset about BYTE closing and that was 11 years ago!
The last issue of PCW is out on the 18th June. Sniff.
Mind you, I'm still upset about BYTE closing and that was 11 years ago!
The last issue of PCW is out on the 18th June. Sniff.
Wednesday, 3 June 2009
mediahousenamemartmovie.cn / nonfathighestlocate.cn injection attack
Another set of injection attacks seem to be doing the rounds, possibly related to the recent Gumblar attack.
In this case, the injected code is an IFRAME pointing to hxxp:||mediahousenamemartmovie.cn:8080/ts/in.cgi?pepsi27 and redirecting to hxxp:||nonfathighestlocate.cn:8080/index.php which attempts to load a Flash exploit (VirusTotal results) and PDF exploit (VirusTotal results). The payload includes a DLL (perhaps C:\WindowsSystem32\1028T.DLL although it may vary) that offers some sort of backdoor functionality (VirusTotal results).
The malware domains are on 89.149.240.64 in Germany, all domains on that server seem to be malware related and should be blocked. The server identifies itself via RDNS as "fuckingl33t.eu" although that proves nothing.
If this is related to Gumblar, then the problem could be down to compromised FTP passwords. If your site has been infected with this attack, then you need to carefully check each machine that has FTP access to your website, clean them up and then change your FTP password to something secure.
In this case, the injected code is an IFRAME pointing to hxxp:||mediahousenamemartmovie.cn:8080/ts/in.cgi?pepsi27 and redirecting to hxxp:||nonfathighestlocate.cn:8080/index.php which attempts to load a Flash exploit (VirusTotal results) and PDF exploit (VirusTotal results). The payload includes a DLL (perhaps C:\WindowsSystem32\1028T.DLL although it may vary) that offers some sort of backdoor functionality (VirusTotal results).
The malware domains are on 89.149.240.64 in Germany, all domains on that server seem to be malware related and should be blocked. The server identifies itself via RDNS as "fuckingl33t.eu" although that proves nothing.
- Autobestwestern.cn
- Bestlitediscover.cn
- Bestwebfind.cn
- Bigbestfind.cn
- Bigtopartists.cn
- Giantnonfat.cn
- Greatbethere.cn
- Homenameworld.cn
- Hugebest.cn
- Hugebestbuys.cn
- Hugepremium.cn
- Hugetopdiscover.cn
- Litepremium.cn
- Litetopfinddirect.cn
- Litetopseeksite.cn
- Lotbetsite.cn
- Mediahomenameshoppicture.cn
- Mediahousenamemartmovie.cn
- Nameforshop.cn
- Nanotopdiscover.cn
- Nonfathighestlocate.cn
- Thebestyoucanfind.cn
- Topfindworld.cn
- Toplitesite.cn
- Tvnameshop.cn
- Yourlitetopfind.cn
If this is related to Gumblar, then the problem could be down to compromised FTP passwords. If your site has been infected with this attack, then you need to carefully check each machine that has FTP access to your website, clean them up and then change your FTP password to something secure.
Labels:
Gumblar,
Injection Attacks,
Malware,
Viruses
Monday, 1 June 2009
flyappraisals.com scam
Part of an ongoing domain name scam, flyappraisals.com is a fake domain name appraisal used in conjunction with a bogus unsolicited offer to buy a domain, similar to the following:
It looks like this scam is being run out of Canada, and we have covered it many times before: here, here, here and here. If you live in Canada and have been ripped off, then reporting it to the RCMP may get some results. You should also raise a dispute with PayPal to get a refund.
This particular site has a jolly bit of flash on it, unlike the plain HTML of the old sites. It is hosted on 124.217.231.209 in Malaysia.
We are interested to buy your domain name [redacted] and offer to buy it from you for 65% of the appraised market value.Out of these three "appraisal" companies, flyappraisals.com is the cheapest. So, naturally a lot of people will part with some money for an appraisal. Of course, the offer to buy the domain name never comes through and the domain name owner is out of pocket.
As of now we accept appraisals from either one of the following leading appraisal companies:
sedo.com
flyappraisals.com
accuratedomains.com
If you already have an appraisal please forward it to us.
As soon as we have received your appraisal we will send you our payment (we use Paypal for amounts less than $2,000 and escrow.com for amounts above $2,000) as well as further instructions on how to complete the transfer of the domain name.
We appreciate your business,
It looks like this scam is being run out of Canada, and we have covered it many times before: here, here, here and here. If you live in Canada and have been ripped off, then reporting it to the RCMP may get some results. You should also raise a dispute with PayPal to get a refund.
This particular site has a jolly bit of flash on it, unlike the plain HTML of the old sites. It is hosted on 124.217.231.209 in Malaysia.
Labels:
Appraisals,
Domains,
PayPal,
Scams,
Spam
Friday, 29 May 2009
Bing.com is coming. W00t!
Microsoft is launching a new search engine called bing.com on Monday. Given the current fashion for "reboots" in movies and TV shows, bing.com can be considered a reboot of live.com which is turn was a reboot of MSN Search, and it follows in the great traditions of Google Killers such as.. errr... Cuil.
Microsoft say:
Anyway, we fixed Bing's logo for them.
According the the Internet Archive, the bing.com domain already has a substantial history of fail. Including a bizarre scheme to turn email messages into snail mail post. Hmmmm.
Microsoft say:
We took a new approach to go beyond search to build what we call a decision engine. With a powerful set of intuitive tools on top of a world class search service, Bing will help you make smarter, faster decisions. We included features that deliver the best results, presented in a more organized way to simplify key tasks and help you make important decisions faster.I say:
And features like cashback, where we actually give you money back on great products, and Price Predictor, which actually tells you when to buy an airline ticket in order to help get you the best price — help you make smarter decisions, and put money back in your pocket.
Meh.Microsoft have never been any good at search, and it's hard to see how this will beat Google when all people want to do is find stuff and move on. Heck, even Google struggles to get people to use more than search - according to Alexa, 90% of Google traffic is for search, image search and mail. If people really wanted more, they would probably use it.
Anyway, we fixed Bing's logo for them.
According the the Internet Archive, the bing.com domain already has a substantial history of fail. Including a bizarre scheme to turn email messages into snail mail post. Hmmmm.
Thursday, 28 May 2009
Podzz.com domain scam
Podzz.com is the latest incarnation of a fraudulent domain appraisal scam being run out of Canada. The basic pitch is that you receive an unsolicited offer for a domain name, with a list of three or more possible appraisal services to evaluate it. In this case, podzz.com is the cheapest, and the most likely for the victim to choose.
Of course, what then happens is that the offer disappears and the victim is out of pocket. We have covered this scam and the people behind it here, here and here. Avoid.
Of course, what then happens is that the offer disappears and the victim is out of pocket. We have covered this scam and the people behind it here, here and here. Avoid.
Wednesday, 27 May 2009
"Dealer warning as police investigate security imposters"
I don't usually recycle press releases, but this one is of interest. It's really aimed at mobile phone dealers and details the possibility of customer poaching through stolen paperwork, but it seems to have good general guidance that applies to most companies.
While you might think to challenge someone coming into your business premises, how often do you check that people taking waste away are really who they say they are?
Dealer warning as police investigate security imposters
CRIMINAL gangs posing as security staff are targeting mobile phone dealers, according to experts.
Scammers are trying to trick staff into handing over confidential data by pretending to be from shredding companies according to one of the UK’s largest operators.
Competitors are even reported to be raiding the bins of dealer with lax security at their premises to uncover useful details about contract expiry dates.
Jim Watson, managing director of Shred Easy, which destroys confidential data for mobile phone dealers, said:
“Scammers are targeting dealers to get their hands on valuable paperwork. There has been a spate of people pretending to be working for Shred Easy and our competitors by trying to trick staff into handing over bags of confidential data that has been safely kept within a store.
“Mobile phone dealers are vigilant in terms of securely storing their data but when it comes to the disposal of that information they must be alert to con artists trying to trick them into handing it over.
“Major operators will suffer dearly and some independent dealers could even be put out of business if the data fell into the wrong hands. The loss of confidential phone numbers, contact details as well as details about contracts and customers would be devastating.
“We have already been in contact with the police and made them aware of the details. I can’t go into details about who was targeted for legal reasons but it was a major mobile phone retailer and we’ve ensured their staff are alert and follow the official policy for dealing with confidential waste.
“Dealers must be also be alert to the fact that their competitors are fighting tooth and nail to get their hands on data and in some cases we’ve heard reports of competitors sifting the bins outside dealerships to get confidential customer details so they can be poached at a later date”
Shred Easy offers five top tips for mobile phone dealers:
1) Always ask for identification
2) Only deal with an accredited shredding company
3) Make use of professional ‘onsite shredding vehicles’
4) Store confidential data securely in store
5) Don’t throw paperwork in the bin
See www.shreadeasy.com
While you might think to challenge someone coming into your business premises, how often do you check that people taking waste away are really who they say they are?
Labels:
security
Tuesday, 26 May 2009
"Norton Finance" fraudulent loan offer
Norton Finance are a real company that offers loans, typically to people with poor credit ratings. This lazy scam email is not from Norton Finance, but is instead is a scam, routed through IP address 209.226.175.134 in Canada which is well known for fraudulent emails. Avoid.
Subject: home loan or loan for any legitimate reason
From: "NORTON FINANCE COMPANY" bengalfinancial@bellnet.ca
Date: Tue, May 26, 2009 9:48 pm
For further enquires and to apply for a loan from us,please feel free to contact our application desk with details.Send us an email
Mr. Tony White
norton.finance@btinternet.com
Regards,
Stanke Kathryn
(Online Advertiser)
NORTON FINANCE COMPANY (NFC)
Wednesday, 20 May 2009
mig-design.com fraudulent job offer
A straightforward pitch for what is probably a money mule operation.
Let's look at mig-design.com.. actually, don't - it's never a good idea to poke at spamvertised sites unless you know what you are doing. There's not much to see apart from a snazzy logo saying "MIG International Design Group".
The logo has clearly been professionally designed. But it also appears to have been stolen from this site although amusingly the spammers have corrected the obvious spelling error.
Let's check out the WHOIS details:
Name : Michell
Organization : Michell
Address : 56/2 Sun str.
City : Dallas
Province/State : beijing
Country :
Postal Code : 85230
Phone Number : 86--56343365
Fax : 86--56343365
Email : Michell.Gregory2009@yahoo.com
A quick Google search for that email address shows several hits.. indeed, it has been used before for the luxgroupnz.com scam.
The IP address of the site is 61.150.91.136 in China and usually in these circumstances it is safe to assume that ALL sites on the same server are suspect:
A flashy logo does not mean that it's a legitimate site. In this case the spammers have just ripped off someone else's identity. Avoid.
Subject: Looking for a job? More info here
From: "Shirley Schafer" boss@adabillur.com
Greetings,
If you are still looking for a well-paid part time job (2-4 hours a day) with possible full-time promotion opportunities at one of top-echelon Management Companies, please e-mail your resume/CV or a short description of your former activities.
Use ONLY corporative e-mail address below for all further correspondence:
office@mig-design.com
Necessary information concerning working and cooperation opportunities, financial benefits and advantages is sent by your request.
Yours faithfully,
Recruiting Office,
MIG Management and Design
Let's look at mig-design.com.. actually, don't - it's never a good idea to poke at spamvertised sites unless you know what you are doing. There's not much to see apart from a snazzy logo saying "MIG International Design Group".
The logo has clearly been professionally designed. But it also appears to have been stolen from this site although amusingly the spammers have corrected the obvious spelling error.
Let's check out the WHOIS details:
Name : Michell
Organization : Michell
Address : 56/2 Sun str.
City : Dallas
Province/State : beijing
Country :
Postal Code : 85230
Phone Number : 86--56343365
Fax : 86--56343365
Email : Michell.Gregory2009@yahoo.com
A quick Google search for that email address shows several hits.. indeed, it has been used before for the luxgroupnz.com scam.
The IP address of the site is 61.150.91.136 in China and usually in these circumstances it is safe to assume that ALL sites on the same server are suspect:
- Bsi-investment.com
- Bsibanksingapore.com
- Ckinter.cn
- Ckinter.ru
- Freeadulttube.com.cn
- Importfinanceinc.com
- Intdgroup.com
- Lloydsinsurer.com
- Luxgroupww.com
- Majordesigngroup.net
- Medikmenty.com
- Mens-health.com.cn
- Mig-design.com
- Mig-disign.com
- Teentube.com.cn
- Vsehorosho.info
- W-trabajo.com
- Wploy-empleo.com
- Wtrabajo.com
A flashy logo does not mean that it's a legitimate site. In this case the spammers have just ripped off someone else's identity. Avoid.
Labels:
Job Offer Scams,
Lapatasker,
Scams,
Spam
Tuesday, 19 May 2009
Phorm Whitewash
The British government's stance on Phorm has always been pretty supine. Despite serious allegation of criminal misconduct by Phorm and BT, the Government has again decided to whitewash the issue after politely ignoring the latest anti-phorm petition.
Conspiracy theorist like to point out that Phorm's web monitoring technology is exactly the sort of thing that the government wants to do. Fortunately, it looks like Phorm is perhaps on their last legs after launch of this bizarre foaming-at-the-mouth blog that they started recently.
The government's complete disdain for British citizens is astonishing, and will probably be reflected in a humiliating result in next month's European and local elections. But then if voting really changed anything, this government probably would make it illegal.
In other words - private companies unlawfully spying on citizens is no concern of the government.
Thank you for the e-petition on internet advertising technologies and customer privacy.
As your petition states, some Internet Service Providers (ISPs) have been looking at the use of Phorm’s Webwise and Open Internet Exchange (OIX) products. However, the only use of the technology so far has been the trials conducted by BT.
Advertisers and ISPs need to ensure that they comply with all relevant data protection and privacy laws. It is also important that consumers’ privacy is protected and that they are given sufficient information and opportunity to make a clear and informed decision whether to participate in services such as Phorm.
The Government is committed to ensuring that people’s privacy is fully protected. Legislation is in place for this purpose and is enforced by the Information Commissioner’s Office (ICO). ICO looked at this technology, to ensure that any use of Phorm or similar technology is compatible with the relevant privacy legislation. ICO has published its view on Phorm on its website:
[link]
ICO is an independent body, and it would not be appropriate for the Government to second guess its decisions. However, ICO has been clear that it will be monitoring closely all progress on this issue, and in particular any future use of Phorm’s technology. They will ensure that any such future use is done in a lawful, appropriate and transparent manner, and that consumers’ rights are fully protected.
Conspiracy theorist like to point out that Phorm's web monitoring technology is exactly the sort of thing that the government wants to do. Fortunately, it looks like Phorm is perhaps on their last legs after launch of this bizarre foaming-at-the-mouth blog that they started recently.
The government's complete disdain for British citizens is astonishing, and will probably be reflected in a humiliating result in next month's European and local elections. But then if voting really changed anything, this government probably would make it illegal.
Monday, 18 May 2009
NameOrange / nameorange.com scam
Another variant of this scam and this scam linked to a guy called Manuel Fichter - the basic pitch is that you get an email offering to buy your domain name which lists a number of "approved" domain appraisers, the one that appears to be cheapest is actually run by the scammer.
Avoid this one. If you live in Canada and believe that you have been defrauded, then contact your local RCMP and make a complaint about:
Manuel Fichter
38 Matthew Drive
Hammonds Plains, NS B4B 1T8
Canada
Avoid this one. If you live in Canada and believe that you have been defrauded, then contact your local RCMP and make a complaint about:
Manuel Fichter
38 Matthew Drive
Hammonds Plains, NS B4B 1T8
Canada
Labels:
Appraisals,
Domains,
Scams
martuz.cn injection attack
In the past couple of weeks, thousands of websites were hit with an injection attack pointing to gumblar.cn.. this week it has changed to martuz.cn. It's not a SQL injection attack as far as I can tell, the smart money is that it is using compromised FTP credentials, possibly harvested from end-user PCs rather than a problem with the web server itself.
A typical attack is that JS files on the victim's server are altered with an obfuscated (i.e. partly encrypted) script which might vector through martuz.cn/vid/?id=5718066 or martuz.cn/vid/?id=575730 or something similar, then leading to martuz.cn/vid/?id=3 or another similarly named page (the exact URLs may vary depending on the client software).
There's a writeup about martuz.cn here and here, in the meantime blocking traffic to the domain and the IP address 95.129.145.58 will probably be a good idea.
A typical attack is that JS files on the victim's server are altered with an obfuscated (i.e. partly encrypted) script which might vector through martuz.cn/vid/?id=5718066 or martuz.cn/vid/?id=575730 or something similar, then leading to martuz.cn/vid/?id=3 or another similarly named page (the exact URLs may vary depending on the client software).
There's a writeup about martuz.cn here and here, in the meantime blocking traffic to the domain and the IP address 95.129.145.58 will probably be a good idea.
Subscribe to:
Posts (Atom)