Sponsored by..

Monday, 27 January 2014

"Carnival Cruise Line Australia" fake job offer

This fake job offer does NOT come from Carnival Cruise lines:

From:     Mrs Vivian Mrs Vivian carnjob80@wp.pl
Date:     27 January 2014 09:59
Subject:     JOB ID: AU/CCL/AMPM/359/14-00
Signed by:     wp.pl

Carnival Cruise Line Australia
15 Mount Street North Sydney
NSW 2060, Australia
Tel (2) 8424 88000

JOB ID: AU/CCL/AMPM/359/14-00

What is your idea of a great career? Is it a job that allows you to travel to beautiful destinations on a spectacular floating resort, being part of a multi-cultural team with co-workers from more than 120 different nationalities? Or is it a job that allows you to earn great money while you learn, grow and fulfill your dreams and career ambitions?
It’s Carnival Cruise Line policy not to discriminate against any employee or applicant for employment because of RACE, COLOR, RELIGION, SEX, NATIONAL ORIGIN, AGE, DISABILITY, MARITAL OR VETERAN STATUS.
PLEASE NOTE THESE FOLLOWING: 
Employment Type:               Full-Time/Part-Time
Salary:                                  USD $45,000/ USD $125,000 per annual
Preferred Language of Resume/Application: English
Type of work:            Permanent / Temporary
Status:                        All Vacancies
Job Location:              Australia
Contract Period:          6 Months, 1 Year, 2 Years and 3 Years
Visa Type:                  Three Years working permit


The management will secure a visa/working permit for any qualified applicant. VISA FEE, ACCOMMODATION & FLIGHT TICKET will be paid by the company
We have more than 320 different positions available, interested applicants should forward their RESUME/CV or application letter to Mrs Vivian Oshea via email on (carnivalcareer@globomail.comso we can forward the list of positions available and our employment application form
Note: Applicants from AMERICA, EUROPE, ASIAN, CARIBBEAN and AFRICA can apply for these vacancies.

Regards
Management
Carnival Cruise Line Australia

Despite the appearance of Carnival's actual web sites in the email, the reply address is NOT a genuine Carnival address and is instead a free email account. The email actually originates from 212.77.101.7 in Poland.

The basic idea behind this scam is to offer a job and then charge the applicant for some sort of processing fees or police check or come up with some other reason why the applicant needs to pay money. Once the money has been taken (and perhaps even the victim's passport or other personal documents stolen) then the job offer will evaporate.

More information on this type of scam can be found here and here.

Saturday, 25 January 2014

"MVL Company" fake job offer

This job offer is a fake, and in reality probably involves money laundering or handling stolen goods:

From: Downard Bergstrom [downardkrjbergstrom@outlook.com]
Subject: Longmore
Date: Fri, 24 Jan 2014 18:52:49 +0000

Hello,
Today our Company, MVL Company, is in need of sales representatives in United Kingdom.

Our Company deals with designer goods and branded items. We've been providing our customers with exclusive products for more than five years, and we believe that the applicant for the position must have great communication skills, motivation, desire to earn money and will to go up the ladder. All charges related to this opening are covered by the Company. Your main duties include administrative support on orders and correspondence, controlling purchase orders and expense reports.

Part-time job salary constitutes 460GBP a week.
Full-time job is up to 750GBP per week .
Plus we have bonus system for the best workers!

To apply for the vacancy or to get more details about it, please email us directly back to this email.

Hope to hear from you soon!
Best regards,
Downard Bergstrom
The spam is somewhat unusual in that it addresses me by my surname, indicating that the email data might have been stolen from a data breach (Adobe perhaps). The email originates from a freee Microsoft Outlook.com account and gives no clues as to its real origins. A look at Companies House Webcheck confirms that there is no company of this exact name, although there are several innocent companies with similar names.

Avoid.

Friday, 24 January 2014

Somnath Bharti: when a spammer becomes a government minister

More than a decade ago I came across an outfit called TopSites LLC which was running a spam operation which was pestering webmasters to renew their listings in the Topsites directory which was basically an unlicensed rip-off of the Open Directory Project in what was basically a business directory scam.

I documented the saga in a five-part series (plus a couple of follow-ups) and eventually TopSites shut up shop, with the main person behind it (Paul Aunger) cashing out from the business and buying into another firm called Inova Technology instead. There's a long story to that particular business and its I won't cover it here, but if you're really interested a trip to InvestorsHub is kind of interesting.

Part way through the TopSites spamming operation, they picked up a partner in India called Somnath Bharti. India was an ideal place to send spam from because it had no anti-spam laws at the time (and is still very lax in this area), so the act of spamming by itself was not illegal.. although the act of selling paid directory listings when they were actually free is a lot more questionable.


Mr Bharti denied any involvement, but since I had a copy of his business card it was pretty clear that he was lying. After I identified him, Mr Bharti was listed in the Spamhaus ROKSO list which is basically a list of the world's worst spammers. An example of the spam can be found here, linking Topsites to Mr Bharti's Madgen Solutions.

I didn't really pay much attention to Mr Bharti after that, although for a long time my site was the number one result in Google for Somnath Bharti which must have irritated him, and I did learn that he moved from IT to become a lawyer.

So I was rather surprised to find that Mr Bharti is now a government minister at the centre of a growing political storm in India, and now journalists are beginning to check his background, which is leading some of them back to what I wrote a decade ago.

Now, I'm not an expert in Indian law (and detractors of Mr Bharti say that he isn't either) but anti-spam laws in India basically do not exist, and certainly a decade ago I don't think that there was anything under Indian law that Mr Bharti was doing wrong. Even so, he was successfully sued in California [doc] for those same spam emails. Rather more seriously, being involved in a business that sells worthless directory listings is certainly legally questionable, although no case about that aspect was ever brought against Topsites or Mr Bharti.

One thing is certain - Mr Bharti lied about his involvement with TopSites. After I published details of his connection, he sent a somewhat threatening email denying involvement but inadventendly confirming it at the same time:
    Subject: surprising and serious
    From: Somnath [somnath.bharti@gmail.com]

     
    Hi Conrad,
    I was taken by surprise to find you listing my name, one of my properties address and my picture in an article on a company named "TopSites LLC" on your site. I don't know on what basis you have been talking so emphatic without cross verifying with the person you are talking about. To my utter surprise, you have been having this article on your site accusing me of being related to a company I have heard only through your article. Please have the same removed ASAP and explain to me what made you write all this about a person, not even remotely attached to any such company.
    Please acknowledge of this email and have any and everything related my name, my pic and c-28 address removed. I am available at +91-9891819893, if you have anything to talk about. Also, post on the same page an apology for this grievous mistake on your part.
    --
    Regards,
    Somnath Bharti

In that email, Mr Bharti emphatically denies involvement, but confirms that the photograph and address I published of him are correct.

What Mr Bharti didn't know was that I had a copy of his business card, not only confirming his connection, but listing him as CEO.


If you are interested in researching the topic for youself, a good place to start is Google Groups, especially searches relating Topsites, Bharti and Madgen Solutions (Bharti's IT company). I don't know if Mr Bharti is still denying his involvement in Topsites, but the evidence is damning if you look for it.

By TopSites LLC's own admission, they were turning in $1.8 million a year by 2005. How much of that money made its way to Mr Bharti is a mystery. And quite how Mr Bharti reconciles his questionable past business practices with his membership of an anti-corruption political party is also a mystery.

I don't know if Mr Bharti accepts or denies his role as a spammer for TopSites LLC, but his name is all over several public records and I also have private unpublished data that places him firmly near the centre of the operation. Perhaps he thinks that selling something that should be free is also an ethical way to do business, I don't know. And how does he explain a blatant and rather pathetic lie about involvement? That's something I don't know either. But I would certainly be interested in seeing what he has to say for himself..

Update:  after being exposed in the Times of India, Mr Bharti denies being reponsible.. but I look deeper at his involvment with the spamming operation here.

Thursday, 23 January 2014

"Legal Business Proposal" spam has a malicious attachment

This email looks like it should be an advanced fee fraud, but instead it comes with a malicious attachment. I love the fact that this is a Legal Business Proposal as opposed to an Illegal one.
Date:      Thu, 23 Jan 2014 12:45:11 +0000 [07:45:11 EST]
From:      Webster Bank [WebsterWeb-LinkNotifications@WebsterBank.com]
Subject:      Legal Business Proposal

Hello, I'm Norman Chan Tak-Lam, S.B.S., J.P, Chief Executive, Hong Kong Monetary Authority (HKMA).

I have a Business worth $47.1M USD for you to handle with me.

 Detailed scheme of business can be seen in the attached file.
Attached is a file business-info.zip which in turn contains a malicious executable business-info.exe with a VirusTotal detection rate of 16/49.

Automated analysis tools [1] [2] [3] show attempted connections to dallasautoinsurance1.com on 38.102.226.239 and wiwab.com on 38.102.226.82. Both those IPs are Cogent Communications ones that appear to be rented out to a small web hosting firm called HostTheName.com. For information only, that host has these other IPs in the same range:
38.102.226.82
38.102.226.5
38.102.226.7
38.102.226.10
38.102.226.12
38.102.226.14
38.102.226.17
38.102.226.19
38.102.226.21

Wednesday, 22 January 2014

Password hand-wringing misses the point

Recently doing the rounds of news outlets is a list compiled by SplashData of weak passwords found in data breaches in 2013. There's nothing wrong with this list, but as ever, the media completely miss the point.

SplashData's list is as follows:


Rank
Password
Change from 2012
1
123456
Up 1
2
password
Down 1
3
12345678
Unchanged
4
qwerty
Up 1
5
abc123
Down 1
6
123456789
New
7
111111
Up 2
8
1234567
Up 5
9
iloveyou
Up 2
10
adobe123
New
11
123123
Up 5
12
admin
New
13
1234567890
New
14
letmein
Down 7
15
photoshop
New
16
1234
New
17
monkey
Down 11
18
shadow
Unchanged
19
sunshine
Down 5
20
12345
New
21
password1
Up 4
22
princess
New
23
azerty
New
24
trustno1
Down 12
25
000000
New


The presence of "adobe123" and "photoshop" as passwords show the influence of the Adobe data breach on the list. Back in 2010 when Gawker was breached, one of the popular passwords was.. you guessed it.. "gawker".

The media has a habit of picking up the wrong point.. they look at a password of "123456" and ask how can anyone be so stupid to use it? But my somewhat NSFW response is what the fuck does it matter?

Almost everything these days requires registration for which you need to supply an email address and password, and often for trivial things. One of the reasons that gawker featured so highly in the Gawker breach was that to the vast majority of users it matters not one jot if someone hacks into their account. The same is true for a lot of Adobe users.. in most cases the accounts are of absolutely no value to an attacker, so it really doesn't matter if you have adobe123 as a password or not.

So, the media (or at least some of it) says that you should choose a secure password such as fJ4C62GY0I8C15D but their advice is misleading because the real problem is password re-use and not the security of the password per se.

Despite the obvious security problems in doing so, many sites store passwords in plain text or in an insufficiently encrypted format. In these cases, it doesn't matter how secure your password is because the attackers will just be able to read it. Even in cases where the password is encrypted, with enough time and/or rainbow tables the password can often be determined, even it is a complex one.

And if you have re-used that email address and password on other sites.. well, you're buggered basically.

In an ideal world, you would have a nicely secure password for each site and you would remember it in your head. But of course, that's practically impossible, so one option is to use a password manager (SplashData themselves make these) to remember them all for you. There are several different password managers available, but of course there is always the possibility that one of these tools might get hacked itself which could be catastrophic for users.

If you don't want to use a password manager, then you'll have to do it the old-fashioned way, and either remember your passwords or store them in some other manner. You should always have a secure and unique password for your web mail, banking/finance, work and major shopping sites. But for all the cruft that you have to register, there's probably little harm in using a password that it easy to remember. Does it matter if the password I use for ranting at the BBC is abc123? Perhaps it doesn't.

But perhaps one problem is that there are simply too many times that you have to create an account in the first place. Sometimes it is nice to come across a retailer (for example) that will allow you to order stuff without creating a damned account.. something that seems to go against the grain, but it does mean that there's one less password to worry about..