PC Speedy Phone Scam

Monday Monday! Got a call this morning from “PC Speedy” 🙂

Not a lot of time to play today so here is an example of a “Go away quickly” script. They get discouraged fairly fast when there doesn’t appear to be a good mark on the line…

If you get one of these calls and have some time, keep them on the line as long as you can. You will be doing your part to help prevent other, more vulnerable people from being robbed. Seriously, hanging up has no effect and sometimes they just call right back. Identify yourself as an unprofitable target and they won’t call back. If you can, record the call and toy with them (that typically angers them once they catch on). If you have the time, waste their time. It takes time away from them for other calls and can help prevent others from being robbed.

PS: If you record one of these calls, please share it with Engineer LLC to help keep people informed.

The state of Malware: Mid 2014

My family participates in a Community Supported Agriculture (CSA) program where we pay a Quarterly Membership Fee and receive a basket of fresh locally grown vegetables and fruit every two weeks. Apparently, their mailing list was also recently “harvested” for what appears to be less legitimate purposes.

I received the message below this morning (6/27/2014). The timing was such that my initial reaction was “Good, it’s an announcement on the July 4th holiday CSA schedule adjustment”. But then I saw the link text and the fact that the link was pretty much all that was in the message body. Alarm bells went off… So, out of curiosity, I did an analysis of where this thing is coming from. See that below the original message, if interested.

From: My CSA [mailto:redactedRealAttorney@Redacted-Real-Law-Firm.com]
Sent: Friday, June 27, 2014 5:17 AM
To: RecipientYouShouldntHaveSpammed; numerous other recipients…
Subject: from CSA

News: http://blog.carpediem.in/xxx/@@@@@@@.php


So what was the payload? The link above was pasted (unredacted) into a private browser on a secure remote server and it produced an application window that looked like an Internet Explorer browser full of phony “Diet News” and suspicious related ad content. An attempt to close the window with the upper right red X brought up a new window with an “Are you sure… blah blah blah” and an OK button that would likely install the malware. Some other time maybe.


The first clue that it’s a malicious message is the link URL. The domain carpediem.in just doesn’t equate with my CSA, and the TLD (top level domain) of .in means it is a registration originating in India. Furthermore, the file type (the .php) of the page in the link indicates it is a dynamic page and possibly some sort of application that seeks to do something malicious.

Analyzing the header of the message reveals more clues…

The alleged sender email address indicated in the header is redactedRealAttorney@Redacted-Real-Law-Firm.com. Probably spoofed at random and likely another stolen piece of identity. This person apparently actually exists and has a law firm according to an internet search.

The last hop before my ISP was… Received: from maui.mirahost.com ([]). For the non-geeks out there, this means the last known place the message came from before my service provider got it. According to http://whatismyipaddress.com/ip/ it is a server at Softlayer in Texas.

Before Softlayer it came from… Received: from Redacted-Real-Law-Firm.com (unknown []). The word “unknown” in there is another indication that the association of the domain Redacted-Real-Law-Firm.com with this address was not resolved by known legitimate DNS servers. Looking up the numeric address reveals (no surprise) that it resolves to Morocco, a low enforcement region for internet concerns: http://whatismyipaddress.com/ip/

Below is the message with an abridged full header…

Received: from eastrmimpi109 ([]) by RecipientISP.Redacted
(InterMail vM. 201-2260-151-145-20131218) with ESMTP
id 20140627111709.YCVC18287.RecipientISP.Redatced@RecipientISP.Redacted
for redacted@redacted.com; Fri, 27 Jun 2014 07:17:09 -0400
Received: from maui.mirahost.com ([])
by RecipientISP.redacted with
id KPH71o0052qsbMn01PH8tv; Fri, 27 Jun 2014 07:17:08 -0400
Message-Id: KPH71o0052qsbMn01PH8ua
Received: from maui.mirahost.com (unknown [])
by maui.mirahost.com (Postfix) with ESMTP id B307993E286E;
Fri, 27 Jun 2014 11:17:00 +0000 (UTC)
Received: from Redacted-Real-Law-Firm.com (unknown [])
by maui.mirahost.com (Postfix) with ESMTP;
Fri, 27 Jun 2014 11:17:00 +0000 (UTC)
Message-ID: <90cf96820dc5$315b9241$750189c6$@Redacted-Real-Law-Firm.com>
From: My CSA
Subject: from My CSA
Date: Thu, 27 Jun 2014 12:17:00 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-Mailer: iPad Mail (11D201)

News: http://blog.carpediem.in/xxx/@@@@@@@.php
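As an added example (my own code, not from the original post), here is a small script that does the same hop-by-hop reading of the header above automatically: it walks the Received chain oldest-first, flags every hop whose reverse DNS came back “unknown”, notes when the unverified origin claims the sender’s own domain, and checks the link host in the body against the sender domain. The sample is the post’s abridged header refolded, with the redacted IPs replaced by RFC 5737 documentation addresses (assumed values).

```python
import email
import re
from email.utils import parseaddr
# Constructed sample: the post's abridged header, refolded, with the redacted
# IPs replaced by RFC 5737 documentation addresses (assumed, not the real ones).
RAW_MESSAGE = """\
Received: from maui.mirahost.com ([192.0.2.10])
 by RecipientISP.redacted with
 id KPH71o0052qsbMn01PH8tv; Fri, 27 Jun 2014 07:17:08 -0400
Received: from maui.mirahost.com (unknown [192.0.2.10])
 by maui.mirahost.com (Postfix) with ESMTP id B307993E286E;
 Fri, 27 Jun 2014 11:17:00 +0000 (UTC)
Received: from Redacted-Real-Law-Firm.com (unknown [198.51.100.7])
 by maui.mirahost.com (Postfix) with ESMTP;
 Fri, 27 Jun 2014 11:17:00 +0000 (UTC)
From: My CSA <redactedRealAttorney@Redacted-Real-Law-Firm.com>

News: http://blog.carpediem.in/xxx/@@@@@@@.php
"""
# Matches "from <claimed name> ([ip])" and "from <claimed name> (unknown [ip])".
HOP_RE = re.compile(r"from\s+(\S+)\s+\((?:(unknown)\s+)?\[([^\]]+)\]\)", re.I)
URL_HOST_RE = re.compile(r"https?://([^/\s]+)")

def parse_hops(raw):
    """Return hops oldest-first as (claimed_name, ip, rdns_unknown)."""
    msg = email.message_from_string(raw)
    hops = []
    # Each relay prepends its own Received: line, so the bottom one is hop #1.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(" ".join(value.split()))  # unfold the header first
        if m:
            hops.append((m.group(1), m.group(3), m.group(2) is not None))
    return hops

def findings(raw):
    """The clues the post reads by hand, as a list of strings."""
    msg = email.message_from_string(raw)
    sender_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    hops = parse_hops(raw)
    notes = [f"hop {n} [{ip}]: reverse DNS not resolved ('unknown')"
             for n, ip, unknown in hops if unknown]
    # Origin host claims the sender's domain, but the relay could not verify it.
    if hops and hops[0][2] and hops[0][0].lower() == sender_domain:
        notes.append(f"origin claims {sender_domain} but is unverified: likely spoofed")
    for host in URL_HOST_RE.findall(msg.get_payload()):
        h = host.lower()
        if h != sender_domain and not h.endswith("." + sender_domain):
            notes.append(f"link host {host} is outside sender domain {sender_domain}")
    return notes
```

Run `findings(RAW_MESSAGE)` to get the three clues the post walks through; swap in the raw source of any suspicious message to read its own chain the same way.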


In Conclusion: This is what they do these days. It’s a blended threat with a portion of old-fashioned identity theft, a bit of deception and social engineering. If you fall for it and your device isn’t protected and secure, you may end up running a malicious application on your system before you know it.

Blackhat SEO

There’s a reason you don’t see spam comments on this blog. It is moderated for all comments, that’s why.

I do notice that after each new post is made, a flurry of irrelevant comments appears in the queue awaiting moderation. Invariably some sort of spam (automated) attempts at link farming to boost some other site’s backlink array, blah blah blah.

After a recent very sparse post, 2 such comments appeared in the queue and the backlink address in one of them caught my eye (gscraper.com), so I decided to investigate…

Black Hat SEO Spam

As you can see in the image above, the backlink in one of these comments is gscraper.com. A search on Google brings up a number of links to the domain, but I didn’t bite right away since I was skeptical that what appears to be the perpetrator’s resource holds an unbiased answer. Next, I searched on “what is gscraper”. Behold, one of the top returns was a YouTube video promoting a fairly new application called gscraper.

The video is quite revealing. While the promoter is clearly touting the capabilities of the application to the target audience (Blackhat SEO users), it also has the effect of revealing the current state of their dubious craft to everyone else as well.

Basically the program is used to automate several tasks:
• harvest hundreds of thousands of URLs of blogs with new and recent posts
• spam them all with a generic comment that includes a backlink
• search the list to reveal the comments that got through unhindered
• harvest all of the active posts from the shorter list of open blog URLs
• spam the new filtered list for maximum spam density

Woah! Welcome to the world of “Blackhat SEO”. Sorry pal, oops you’ve scraped the wrong blog.

No doubt, this post will quickly get spammed. Advice to anyone who has a blog out there… “Batten down the hatches”!

Another Entertaining Blog for Engineers

I was watching the latest “Mailbag” episode on Dave (That Crazy Australian Bloke) Jones’ EEVBlog wherein he mentions another Video Blog (VLOG?) “ToddFun.com”. Todd sent in a Chinese market Fluke meter for Dave to “analyze”. Buyer beware, the meter doesn’t stand up so well to Dave’s first impression. He hinted at fun future plans for it though, I think the magic smoke may be released soon!

By all means check out “ToddFun.com” as well…


While Todd may not be quite as “Energetic” as Dave, if you like nuts & bolts it’s definitely one for your favorites.

This site “Engineer LLC” is proud to be hosted by Dreamhost.

Notice the clean composition and lack of blinking ads for the latest fad diet? Thinking, how is that possible in 2012? Actually, it’s a no-brainer.

This website Engineer LLC is hosted by Dreamhost. I have been using them for over 8 years now (ever since I started publishing public web content) and must say I am a very satisfied customer. This blog you are reading right now is hosted on Dreamhost. If you are considering opening a new web Hosting account, I strongly recommend Dreamhost. Should you choose to use their services, use the promo code NEWUSER2012 and you will get an additional discount when you create a new account with Dreamhost.

Full Disclosure: I do receive a small referral fee for referring new customers.

That’s it no hard sell, just pure internet goodness for all.

Vernon Johnson, Engineer LLC

August 22, 2012

My view on SOPA

SOPA, the Stop Online Piracy Act, is another ill-conceived proposed regulation before the US House of Representatives in the first quarter of 2012. It seeks to suppress illegal copying and distribution of protected content by applying a blanket approach and further restrictions.

As history often repeats itself, I am reminded of “once upon a time” when I received very little SPAM through email. Then along came the CAN-SPAM act and suddenly my SPAM volume increased 100 fold! Heck of a job, Congress! In that case, Congress was lobbied by some of the most egregious offenders, who had already made a lot of money spewing SPAM, to craft the legislation in their favor.

Now we have people telling Congress that to save the integrity of the Internet, we must add further restrictions. Well, for one, the major ISPs are all for it. It can serve as a justification to further stratify the levels of service to restrict the volume of information to those who cannot afford to pay more. Most are already doing this, by the way.

Hey Congress!!! It’s already like the Wild West on ROIDS in cyberspace. Restricting facets of what is currently accepted practice will most assuredly only make things worse. The cyber criminals out there are not going to play by your rules. If you narrow what is allowed, you will effectively just hand over what was, and is no longer, allowed to them. In my work I do battle with the evildoers on the Internet almost every day. I sure don’t lack for work of this nature, so thanks but no thanks. Please don’t make my job even harder.

Vernon Johnson, Engineer LLC