Blog for hpHosts, and whatever else I feel like writing about ....

Wednesday, 30 November 2011

Eset: Support-Scammer Tricks

Having been blogging about this topic for quite a while, I figure this might be a good time to highlight some of the snippets of information that people have posted on some of those blogs (anonymized, of course). You might also be interested in a resource page I've started here at AVIEN.

One prospective victim was instructed to connect via the Run window to This turns out to belong to, the home of one of the (legitimate) remote access tools used by scammers to "fix" their victims' computers, install "better" antivirus or antispyware, and so on. ( is another, apparently more favoured by scammers calling victims in the US.) If anyone goes as far as getting a box like this, it would be interesting to know what code they are instructed to enter, since this may help in tracking scam sites.



PC Support Scam Resources

Facebook Likes and cold-call scams

Microsoft Support Scam (again)

Info: Telephone scammers still coming to a phone near you!

Support Scams: Even More Personal

Fake Support: the War Drags On

Marketing Misusing ESET’s Name

SupportOnClick revisited

SupportOnClick: Phoned by Malwarebytes? BigPond? Anyone else?

SupportOnClick Update scamming you by telephone!

Fake tech support call scam - prefetch virus

New scam - They call you by phone!

Staffordshire Council - Telephone computer support warning (PDF)

Cold call scam warns of virus infection

Scareware scammers adopt cold call tactics

Monday, 21 November 2011

hpHOSTS - UPDATED November 21st, 2011

The hpHOSTS Hosts file has been updated. There is now a total of 216,044 listed hostnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
  1. Last Updated: 21/11/2011 18:30
  2. Last Verified: 21/11/2011 19:00
Download hpHosts now!
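For anyone installing the list by hand rather than with the installer, the following is an added example (not hpHosts' own installer or update code) of what a hosts-format blocklist actually is and how to sanity-check one before dropping it into the system hosts file: it parses the file, counts the listed hostnames the way the figure above does, flags duplicates and malformed names, and, as a practitioner's check, flags any entry that points a name at a real address instead of a sink, which is what hosts-file hijacking malware does. The SAMPLE text is constructed for illustration and is not taken from the real list.

```python
"""Parse a hosts-format blocklist (the format hpHosts ships) and query it.

Added example for this page; it is not hpHosts' own installer or update code.
The SAMPLE text below is constructed for illustration and is not taken from
the real hpHosts list.
"""
import re
from collections import defaultdict

# Addresses a blocklist maps names to; hpHosts uses 127.0.0.1, some lists use 0.0.0.0.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0"}
# Names that legitimately point at 127.0.0.1 and must not be counted as blocked.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# RFC 1123 hostname: dot-separated labels of letters, digits and inner hyphens.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")

def parse_hosts(text):
    """Return (mapping, problems).

    mapping:  hostname -> address for every well-formed, first-seen entry
    problems: [(line_no, reason)] for lines worth fixing before the file is
              installed as the system hosts file
    """
    mapping, problems, seen = {}, [], defaultdict(int)
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            problems.append((line_no, "no hostname after address"))
            continue
        address, names = fields[0], fields[1:]
        for name in names:
            name = name.lower().rstrip(".")
            if not HOSTNAME_RE.match(name):
                problems.append((line_no, f"malformed hostname {name!r}"))
                continue
            seen[name] += 1
            if seen[name] > 1:
                problems.append((line_no, f"duplicate entry for {name}"))
                continue
            mapping[name] = address
    return mapping, problems

def blocked_hosts(mapping):
    """Hostnames the file sinks, i.e. what 'listed hostnames' counts."""
    return {h for h, a in mapping.items() if a in SINK_ADDRESSES and h not in LOCAL_NAMES}

def suspicious_entries(mapping):
    """Entries that point a name at a real address. A blocklist never does this,
    but hosts-file hijacking malware does (e.g. a bank's name -> attacker IP)."""
    return {h: a for h, a in mapping.items() if a not in SINK_ADDRESSES}

def is_blocked(mapping, host):
    """Exact-name lookup only: a hosts file does not cover subdomains, so
    sinking example.test does nothing for www.example.test."""
    host = host.lower().rstrip(".")
    return host not in LOCAL_NAMES and mapping.get(host) in SINK_ADDRESSES

SAMPLE = """\
# constructed hpHosts-style sample
127.0.0.1  localhost
127.0.0.1  ads.example-tracker.test
127.0.0.1  malware-host.example.test   # seen serving fake AV
0.0.0.0    fakemeds.example.test
127.0.0.1  ads.example-tracker.test
127.0.0.1  bad_host.test
198.51.100.7  www.yourbank.test
"""

if __name__ == "__main__":
    hosts, issues = parse_hosts(SAMPLE)
    print(len(blocked_hosts(hosts)), "hostnames listed")
    for line_no, reason in issues:
        print(f"line {line_no}: {reason}")
    for name, addr in suspicious_entries(hosts).items():
        print(f"NOT a sink: {name} -> {addr}")
```

The exact-match behaviour of `is_blocked` is the caveat worth remembering: a hosts file is not a wildcard blocklist, which is why a list like this has to carry every hostname individually and grows to hundreds of thousands of entries.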

Tuesday, 15 November 2011

Here we go again

I thought I'd made this clear, but apparently not. I got an e-mail earlier, from a RoadRunner IP (a residential US ISP), using an address.

There are two problems here, however:

1. It's an invalid address, so I can't reply.
2. The e-mail houses a childish threat, without actually telling me what I did to deserve it.

Ref: PI0076181149255
Reason for message: Feedback Notification
Sent from Server:
Date submitted: 16 November 2011
Time submitted: 00:26:37
Submitted by:

Name: Up yours
How did you find us?: Search engine
... Other: Not provided
Site navigation: Very difficult

Your scam is soon to be exposed my friend.


Sunday, 13 November 2011

Lavasoft gone dodgy?

According to a post at my favourite news site, it looks like Lavasoft's new owners are the infamous chaps behind the well-known "Interactive Brands". Should've seen this coming really, given they de-listed the well-known malware player WhenU some time ago. I know that was 6 years ago, but it can't just be a coincidence, especially given who the new owners are.

Anti-spyware company Lavasoft AB is now owned by a set of online entrepreneurs who have been linked with misleading websites.

The Montreal-based entrepreneurs, who purchased the company's assets in January, have previously been accused of selling the free versions of Lavasoft products to unwitting internet users as recently as 2007 via cyber-squatting sites.

Lavasoft, originally based in Sweden, was purchased by an investment fund called Solaria in January, but no other holdings can be found for Solaria. In fact, the only ties that Solaria has are to the founders of Upclick, an affiliate marketing company. The founders of this company have also founded companies that sold online porn, reskinned peer-to-peer filesharing software, and allegedly "skimmed" online sales, charging customers for software that they did not order.

Friday, 11 November 2011 still not accepting abuse reports

You may remember that in September I blogged about Internet.BS, well known as a bulletproof provider for domain registrations.

Sadly, neither Verisign nor ICANN have done anything, and Internet.BS are still refusing reports (I say refusing because, whilst the error is a 450, which is supposed to mean a temporary "mailbox unavailable, try again later" condition, they were notified months ago and it is still producing the same error, preventing reports from getting through), courtesy of the Gmail address their abuse@ address leads to (

Interesting tidbit for those interested: has also been seen spamming (login required to view it).


What is curious is that, looking at (which acts as a mirror for various Unix/Linux distributions), Marco Rinaudo seems to want to claim to be located in Panama, yet gives a +1 (North American) phone number; the one in the first record below, +1.23456789, is plainly a placeholder rather than a real number.

Domain ID:D146864410-LROR
Domain Name:KOOKEL.ORG
Created On:24-May-2007 14:30:55 UTC
Last Updated On:25-May-2011 11:00:04 UTC
Expiration Date:24-May-2012 14:30:55 UTC
Sponsoring Corp. (R1601-LROR)
Registrant ID:eu348378bbfeb655
Registrant Name:Marco Rinaudo
Registrant Street1:Av. El Penon #12
Registrant Street2:
Registrant Street3:
Registrant City:Panama
Registrant State/Province:
Registrant Postal Code:00000
Registrant Country:PA
Registrant Phone:+1.23456789
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Admin ID:eu348378bbeda205
Admin Name:Marco Rinaudo
Admin Street1:Av. El Penon #12
Admin Street2:
Admin Street3:
Admin City:Panama
Admin State/Province:
Admin Postal Code:00000
Admin Country:PA
Admin Phone:+1.23456789
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Tech ID:eu348378bbdaad56
Tech Name:Marco Rinaudo
Tech Street1:Av. El Penon #12
Tech Street2:
Tech Street3:
Tech City:Panama
Tech State/Province:
Tech Postal Code:00000
Tech Country:PA
Tech Phone:+1.23456789
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
DNSSEC:Unsigned

is also one of Marco's websites;

Date Registered: 2002-9-9
Date Modified: 2011-9-3
Expiry Date: 2012-9-9


Marco Rinaudo marco (at) rinaudo dot com
Av. El Penon #12
- Panama
Tel: +1.6463831418

Administrative Contact
Marco Rinaudo marco (at) rinaudo dot com
Av. El Penon #12
- Panama
Tel: +1.6463831418

Technical Contact
Marco Rinaudo marco (at) rinaudo dot com
Av. El Penon #12
- Panama
Tel: +1.6463831418

Registrar: Corp.
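The inconsistencies in the two records above (a Panamanian address with a +1 phone number, a sequential-digit "phone number", an all-zeros postal code) are exactly the sort of thing worth checking mechanically when working through a batch of domains. The following is an added example, not the author's own tooling, that parses the Key:Value WHOIS format of the first record and flags those three signals. Assumptions: the country-to-dialling-code table is a small hand-picked subset that would need extending; the page record below copies only the address fields from the KOOKEL.ORG entry above; the second record is constructed as a consistent control.

```python
"""Flag inconsistent or placeholder contact details in a Key:Value WHOIS record.

Added example for this page, not the blog author's tooling. DIAL_CODES is a
small subset (assumption: extend as needed). PAGE_RECORD copies address fields
from the KOOKEL.ORG record quoted on the page; CONTROL_RECORD is constructed.
"""
import re

# ISO 3166 alpha-2 -> ITU E.164 country calling code (subset only; Panama is +507).
DIAL_CODES = {"PA": "507", "US": "1", "CA": "1", "GB": "44", "SE": "46", "IN": "91"}

ROLES = ("Registrant", "Admin", "Tech")

def parse_whois(text):
    """Return {role: {field: value}} from lines like 'Registrant Phone:+1.23456789'."""
    contacts = {role: {} for role in ROLES}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        for role in ROLES:
            if key.startswith(role + " "):
                contacts[role][key[len(role) + 1:]] = value
    return contacts

def split_phone(phone):
    """'+1.23456789' -> ('1', '23456789'); None if not in the WHOIS +CC.NUMBER form."""
    m = re.fullmatch(r"\+(\d{1,3})\.(\d+)", phone)
    return m.groups() if m else None

def looks_placeholder(digits):
    """Too short, a single repeated digit ('0000000'), or an ascending run ('23456789')."""
    if len(digits) < 7 or len(set(digits)) == 1:
        return True
    return all(int(b) - int(a) == 1 for a, b in zip(digits, digits[1:]))

def check_contacts(contacts):
    """Return [(role, field, reason)] for every suspicious value found."""
    findings = []
    for role, fields in contacts.items():
        if not fields:
            continue
        country = fields.get("Country", "").upper()
        expected_cc = DIAL_CODES.get(country)
        for field in ("Phone", "FAX"):
            phone = fields.get(field, "")
            if not phone:
                continue
            parts = split_phone(phone)
            if parts is None:
                findings.append((role, field, f"unparseable number {phone!r}"))
                continue
            cc, national = parts
            if expected_cc and cc != expected_cc:
                findings.append((role, field,
                                 f"country {country} dials +{expected_cc} but number uses +{cc}"))
            if looks_placeholder(national):
                findings.append((role, field, f"national part {national!r} looks like a placeholder"))
        postal = fields.get("Postal Code", "")
        if postal and set(postal) <= {"0"}:
            findings.append((role, "Postal Code", f"placeholder {postal!r}"))
    return findings

def audit(text):
    return check_contacts(parse_whois(text))

# Address fields copied from the KOOKEL.ORG record on this page.
PAGE_RECORD = """\
Registrant Street1:Av. El Penon #12
Registrant City:Panama
Registrant Postal Code:00000
Registrant Country:PA
Registrant Phone:+1.23456789
Registrant Phone Ext.:
Registrant FAX:
"""

# Constructed control record with a consistent Panamanian number and a US admin.
CONTROL_RECORD = """\
Registrant City:Panama
Registrant Postal Code:0801
Registrant Country:PA
Registrant Phone:+507.2635000
Admin Country:US
Admin Phone:+1.2125551212
"""

if __name__ == "__main__":
    for role, field, reason in audit(PAGE_RECORD):
        print(f"{role} {field}: {reason}")
```

A mismatch between the Country field and the dialling code is not proof of anything on its own (plenty of legitimate registrants use a foreign mobile), but combined with a sequential-digit number and a zeroed postal code it is a reliable signal that the contact data was never meant to be usable.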


Dear Internet.BS

Wednesday, 9 November 2011

Facebook Likes and cold-call scams

Following an article I wrote recently for SC Magazine, Martijn Grooten of Virus Bulletin, who shares my interest in and dislike of support desk scams, contacted me about the web site associated with eFIX, a company claiming to offer online technical support. He and I, along with Steven Burn, who has a great deal of experience of working in this area, have been able to dig out some interesting info on a slightly different aspect of flaky support desk operations.

eFIX’s web page lists an office in Glasgow under the name eFIX Ltd, at 8901 Marmora Road, Glasgow, D04 89GR. However, a search at Companies House, while it did turn up several entries with somewhat similar names, didn’t find one in Glasgow, and the address doesn’t ring true. The postcode is a fake, and we can’t find a Marmora road in Glasgow (let alone one long enough to hold nearly 9000 street addresses). In fact, the same address turns up in a great many other contexts (design consultancies, music, accountancy, even a buffet service), suggesting the use of some kind of template/boilerplate. It also suggests that it’s not only PC support companies that are suspiciously shy about their real whereabouts. Or else 8901 must be an awfully big building. Of course, it could be an accommodation address for multiple businesses, but that doesn’t explain why the street address itself is so elusive.

Tuesday, 1 November 2011 compromised

Look at the image on the left. See anything that shouldn't be there?

I'll give you a hint - it's got a black background.

I identified this whilst doing a routine enquiry on an IP housing a plethora of fake meds sites. I dropped a note to the site's owner and registrar, who informed me it most definitely should NOT be there.

The content in question is:

<script type="text/javascript" src=""></script>
initGhost() ;

The IP ( belongs to an Airtel customer, TELEMEDIA SERVICES:

inetnum: -
descr: 6th Floor, Interface, Bldg No 7,
descr: Link Road,Malad (W),
descr: Mumbai,Maharashtra
descr: India
descr: Contact Person: Manas Kaul
descr: Email:
descr: Phone:022-40034191
descr: Date of allocation:22-Dec-08
admin-c: MUM1-AP
tech-c: MUM1-AP
country: IN
changed: 20081229
source: APNIC

descr: 6th Floor, Interface, Bldg No 7,
descr: Link Road,Malad (W),
descr: Mumbai,Maharashtra
descr: INDIA
country: IN
origin: AS24560
changed: 20090331
source: APNIC

descr: 6th Floor, Interface, Bldg No 7,
descr: Link Road,Malad (W),
descr: Mumbai,Maharashtra
descr: INDIA
country: IN
origin: AS45514
changed: 20081229
source: APNIC

person: Network Administrator for ABTS MUM
address: ABTS
address: 6th Floor, Interface, Bldg No 7, Link Road,Malad (W),
address: Mumbai,Maharashtra
country: IN
phone: +91-9967667198
nic-hdl: MUM1-AP
remarks: -----------------------------
remarks: Send abuse reports to
remarks: -----------------------------
changed: 20080725
source: APNIC

The script itself loads content that leads to (aka, which then leads unsuspecting victims on to counterfeit sites such as

The server admin has been notified by the registrar, so it should be cleaned up and secured shortly.
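Site owners who want to catch this kind of thing themselves, before a stranger e-mails them about it, can check their own pages for script tags that have no business being there. The following is an added example (not the blog author's tooling) that parses a page and flags three things a practitioner looks for: scripts pulled from a bare IP address rather than a hostname, scripts from a host that is neither the site's own domain nor an allowlisted third party, and script tags appended after the closing body tag, which is where injected code often ends up. The sample HTML is constructed; the site domain example-pharma.test, the allowlisted host cdn.trusted-analytics.test and the injected source 203.0.113.9 are placeholders. The `initGhost();` call mirrors the injected content quoted above.

```python
"""Find script tags on a page that do not belong there: IP-literal or unknown
third-party sources, and code appended after </body>.

Added example for site owners checking their own pages; not the blog author's
tooling. SAMPLE_HTML is constructed; example-pharma.test, cdn.trusted-analytics.test
and 203.0.113.9 are placeholder names/addresses.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

class ScriptAuditor(HTMLParser):
    def __init__(self, site_domain, allowed_hosts=()):
        super().__init__()
        self.site_domain = site_domain.lower()      # registrable domain of the site
        self.allowed = {h.lower() for h in allowed_hosts}
        self.after_body = False
        self.in_script = False
        self.scripts = []                           # [src_or_None, inline_text, after_body]

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append([dict(attrs).get("src"), "", self.after_body])

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as CDATA through handle_data.
        if self.in_script:
            self.scripts[-1][1] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        elif tag == "body":
            self.after_body = True              # anything after this is suspect

    def _classify(self, src):
        """Reason string if the script source is suspicious, else None."""
        host = (urlsplit(src).hostname or "").lower()
        if not host:                            # relative URL: served by this site
            return None
        try:
            ipaddress.ip_address(host)
            return f"script loaded from bare IP address {host}"
        except ValueError:
            pass
        if host == self.site_domain or host.endswith("." + self.site_domain):
            return None
        if host in self.allowed:
            return None
        return f"script loaded from unexpected third-party host {host}"

    def audit(self, html):
        """Return [(reason, detail)] where detail is the src or the inline code."""
        self.feed(html)
        self.close()
        findings = []
        for src, inline, after_body in self.scripts:
            if src:
                reason = self._classify(src)
                if reason:
                    findings.append((reason, src))
            if after_body:
                findings.append(("script appended after </body>", src or inline.strip()))
        return findings

def audit_page(html, site_domain, allowed_hosts=()):
    return ScriptAuditor(site_domain, allowed_hosts).audit(html)

# Constructed page: three legitimate scripts, then an injection after </html>.
SAMPLE_HTML = """\
<html><head><title>Shop</title>
<script src="/js/app.js"></script>
<script src="https://cdn.example-pharma.test/lib.js"></script>
<script src="https://cdn.trusted-analytics.test/stats.js"></script>
</head><body><p>Welcome</p></body></html>
<script type="text/javascript" src="http://203.0.113.9/ghost.js"></script>
<script type="text/javascript">initGhost();</script>
"""

if __name__ == "__main__":
    for reason, detail in audit_page(SAMPLE_HTML, "example-pharma.test",
                                     ["cdn.trusted-analytics.test"]):
        print(f"{reason}: {detail}")
```

Run it against the HTML as served over the network, not the files on disk: an injection in a template, a .htaccess rewrite or a compromised reverse proxy only shows up in what visitors actually receive, and comparing the two is the quickest way to localise where the modification lives.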