Category Archives: Spam and scams

Internet, Internet crime, Spam and scams

Reporting hack attempts, phishing and spam

Leave a comment

Over the years, I’ve tried to be a good Internet citizen and report abuse (hack attempts, spam, etc.) This can be a daunting task, and the results are often less than satisfactory. For most people, the time wasted on spotting and deleting spam is bad enough; the extra work of reporting spam can seem like a tedious chore.

Reporting abuse can produce wildly varying results. Here are a few examples from my own recent experience:

BT Italy

Over the past couple of months, one of the WordPress sites I manage has seen a steady stream of ‘admin’ login attempts from computers in Italy, most of which connect to the Internet via the ISPs albacom.net and fastweb.it. Literally thousands of different albacom.net and fastweb.it IP addresses were being used in the attacks.

Since the majority of these login attempts were from albacom.net, I initially focused on Albacom. I discovered that most of the devices at the other end of these attacks were Aethra BG1242W ISDN modem/routers. These appear to be the standard modem/router provided by Albacom to their customers. I was horrified to find that I could log into these devices via their web interface. Clearly Albacom’s dedication to security is severely lacking. Of course it’s difficult to know for sure whether the attacks were coming directly from these (presumably hacked) routers, or from (also presumably hacked) computers connected to them.

Apparently, British Telecom (BT Italy) is in the process of acquiring Albacom. This is undoubtedly creating some confusion there, but that’s really no excuse for any of this.

I tried various methods for reporting this to Albacom:

  • sent email to the abuse address on record for albacom.net, but every attempt bounced, saying that the user’s mailbox was full;
  • sent email to the technical contact on record for albacom.net, but this was ignored;
  • tweeted about the problem on the main BT Twitter account, but my tweets were immediately deleted.

This is a terrific example of how not to handle abuse reports. I don’t know what’s going on with BT ITaly, but clearly they are having serious issues.

I also reported this on the Wordfence support forum, to see if anyone else might be seeing this problem. Wordfence is an excellent WordPress security plugin, and it was Wordfence that was detecting (and blocking) these login attempts. Sure enough, several other people reported seeing this problem on their sites.

A few weeks later, the login attempts from Italy stopped – for my own site and for others. Then they started up again for some sites, but luckily not for mine.

SpamCop

I recently signed up at SpamCop.net and started submitting the numerous spam messages I receive daily for one particular address. SpamCop’s submission process analyzes submitted email and makes recommendations about where to report it. Note: you must configure your email client so that you can see the entire message source, including all headers, for this to work.

The submission process is well explained at each stage, and provides useful warnings to the submitter about making sure that the submission is actually spam, and so on. A lot of technical information is displayed with the analysis, but much of that can be hidden if you prefer to concentrate on the basics.

SpamCop uses spam submissions to create a block list, which is used in conjunction with similar lists from other sources, by ISPs and other mail providers, to help filter out spam before it reaches user inboxes.

If you’re willing to put in the effort, I highly recommend signing up.

Moonfruit

A few days ago, I received this (admittedly very lame) phishing attempt in my inbox:

Your mailbox is full of, 00.1 GB, Please reduce your mailbox size.
Delete any items you don't need from your mailbox and expand your
email quota (size) with the below web links: CLICK HERE
http://REMOVED.moonfruit.com/
Thank you for your understanding.
©2015 Helpdesk

I went to the site in question (with NoScript enabled and blocking all scripts) and confirmed that this was indeed an attempt to con me into entering private information into a form.

A bit of searching revealed that Moonfruit is a web-based service that allows clients to set up web sites with minimal effort. It’s a totally legitimate company. Customer web sites hosted by Moonfruit have URLs like this: whatever.moonfruit.com. Whoever set up the phishing site just happened to use Moonfruit as the host.

So I decided to try reporting this to Moonfruit support. I easily found the contact page on their web site and submitted a general query about the phishing attempt, including the text of the email. I wasn’t sure this would amount to anything, especially since I’m not a Moonfruit customer. I immediately received a confirmation of my submission, and was then delighted to receive the following response from Moonfruit, within an hour of my submission:

Thanks for bringing this to our attention.
We have closed the site and the associated accounts, and banned the user.

Now THAT’S how you deal with abuse reports. Nice work, Moonfruit!

Adware, Chrome, Google, Internet, Malware, Security, Spam and scams

Google beefs up protection against unwanted software

Leave a comment

A recent post on Google’s Online Security Blog describes security improvements to the Chrome browser, Google’s search engine, and Google’s advertising platform. The changes should make it easier for users to stay away from web sites known to contain unwanted (and presumed harmful) software.

Chrome now detects when you are about to visit a web site known to contain unwanted software, and displays a large red warning message.

Google’s search engine now decreases ranking for sites known to contain unwanted software. That means these kinds of sites should be less likely to appear in the first few pages of Google search results.

Google now checks all advertisements provided by its AdWords system, and disables any with links to sites with unwanted software. Additional details are available on Google’s Advertising Policies site. Google’s primary source of income is AdWords, so it’s comforting to see that they’re willing to take a financial hit (however small) to protect users.

Internet crime, Spam and scams

Tax-related scam emails appearing

Leave a comment

I just received email purporting to be from Revenue Canada, telling me that I have overpaid my taxes in recent years, and urging me to claim my refund by clicking on a link.

The link actually goes to a Cloudflare-hosted web site, epathchina(.com). The site has nothing to do with Revenue Canada, and exists to trick unsuspecting people into divulging private/financial information to the site’s operators.

Currently, the site shows nothing untoward in Sucuri site check: it’s not on any blacklists and malware scans show nothing. But that’s likely to change.

With tax time nearing, we should expect email like this to appear in our inboxes. As a general rule, it’s a bad idea to click links in email. Of course, if you’re certain the source is legitimate, the risk is far less, but it’s still possible that the ‘legitimate’ source has been compromised. In this particular case, a much safer approach is to simply go to the Canada Revenue web site and log in.

Clues that this was a scam email:

  • The Return-Path address (refund AT server.whitetails.com) is unrelated to Revenue Canada.
  • The From address is to a domain that appears to be related to Revenue Canada (craarc.gc.ca), but doesn’t actually exist, as confirmed by any IP checking service like WhatMyIP.
  • Like most effective cons, it offers money for nothing.
  • The recipient is urged to act quickly.
  • The message is poorly formatted.
  • The recipient is instructed not to contact Revenue Canada by telephone.

Recommendations: configure your email client to display email in plain text format and display all headers. This will make your inbox less entertaining, but a lot safer, since it will much easier to spot suspicious links and headers.

Here’s the body of the email:

Dear Applicant:

Following an upgrade of our computer systems and review of our records we
have investigated your payments and latest tax returns over the last seven
years our calculations show you have made over payments of 226.99 CAD

Due to the high volume of refunds due you must complete the on line application,
the telephone help line is unable to assist with this application.

To access the form for your tax refund,please click here
Your refund may take up to 3 weeks to process please make sure you complete the form correctly.
As we are upgrading our records we require the completed form showing your full current details by 10 February 2015
Please complete the form to confirm the refund.
A. B. Marions
Senior Manager
Canada Revenue Agency

————————————————————–
© Copyright 2015, Canada Revenue Agency All rights reserved.
TAX REFUND ID: XXXXXXXXXXXXX

Brian Krebs recently reported on another tax-related scam affecting Americans, in which stolen credentials are used to post fraudulent tax returns.

Internet crime, Malware, Security, Spam and scams, Windows

CryptoWall update

Leave a comment

Despite the demise of CryptoLocker, ransomware is still prevalent, mostly in the form of CryptoWall, now in its ‘improved’ 2.0 version.

Security researchers recently deconstructed CryptoWall 2.0 and shared their findings in a post on a Cisco security blog.

The researchers discovered that the malware uses a variety of techniques to obfuscate itself on target systems. It’s also able to infect both 32 and 64 bit Windows systems. And it can detect whether it’s running on a virtual machine, making it more difficult to analyze. The command and control servers are apparently in Russia.

A Windows computer can become infected with CryptoWall in a variety of ways, including as part of an e-mail ‘phishing’ attack, through a malicious website, via malicious PDF files, or in a spam e-mail disguised as an ‘Incoming Fax Report’.

Ars Technica has additional details.

Internet, Internet crime, Privacy, Security, Spam and scams

Even the crappiest computer is worth hacking

Leave a comment

If you’re like a lot of other typical users, you may believe that nothing on your computer makes it a worthwhile target for malicious hackers. You may even feel that this means you’re relatively safe from hackers. Think again.

To a malicious hacker, the Internet is a vast, mostly untapped ocean of computing resources, ready for them to compromise and put to work in numerous ways to help them and hurt you.

Brian Krebs created and posted the image below to remind people of all the ways their computers can be secretly used for nefarious purposes. Although the post is a couple of years old, it’s still relevant.

Hackers can use your computer for dozens of nefarious activities.
Hackers can use your computer for dozens of nefarious activities.
Internet crime, Security, Spam and scams

Holiday season warning: beware phony ‘order confirmation’ emails

Leave a comment

Brian Krebs recently posted an excellent article about a specific kind of malicious email currently showing up in inboxes everywhere, just in time for the holiday shopping season.

Most web stores send email order confirmations when you buy something, and that’s a good thing. Unfortunately, these emails can be faked easily enough, and the unwary recipient may not notice that the sender’s address doesn’t look quite right, or that the language in the message is somewhat unprofessional. Clicking a link in one of these emails is an extremely bad idea, since it’s likely to lead to browser hijacking, malware, or both.

Internet crime, Spam and scams, Windows

Fake Windows Support companies shut down

Leave a comment

The US Federal Trade Commission, working with law enforcement in Florida, has shut down several companies offering fake computer support services.

The companies involved are PC Cleaner Inc., Netcom3 Global Inc., Inbound Call Experts LLC, Advanced Tech Supportco. LLC, PC Vitalware LLC, Super PC Support LLC, Boost Software Inc., Vast Tech Support LLC, OMG Tech Help, OMG Total Protection, and others.

These scammers made money by tricking Windows users into paying for expensive and unnecessary repairs.

Unfortunately, since this type of scam can be lucrative, similar companies are likely to appear before long, making this yet another game of ‘whac-a-mole‘ for law enforcement.