PC Speedy Phone Scam

Monday Monday! Got a call this morning from “PC Speedy” 🙂

Not a lot of time to play today, so here is an example of a “Go away quickly” script. They get discouraged fairly fast when there doesn’t appear to be a good mark on the line…

If you get one of these calls and have some time, keep them on the line as long as you can. You will be doing your part to keep other, more vulnerable people from being robbed. Seriously: hanging up has no effect, and sometimes they just call right back. Identify yourself as an unprofitable target and they won’t call back. If you can, record the call and toy with them (that typically angers them once they catch on). Every minute you waste is a minute they can’t spend on the next call, and that helps keep others from being robbed.

PS: IF you record one of these calls please share it with Engineer LLC to help keep people informed.

The state of Malware: Mid 2014

My family participates in a Community Supported Agriculture (CSA) program where we pay a Quarterly Membership Fee and receive a basket of fresh locally grown vegetables and fruit every two weeks. Apparently, their mailing list was also recently “harvested” for what appears to be less legitimate purposes.

I received the message below this morning (6/27/2014). The timing was such that my initial reaction was “Good, it’s an announcement on the July 4th holiday CSA schedule adjustment”. But then I saw the link text and the fact that the link was pretty much all that was in the message body. Alarm bells went off… So, out of curiosity, I did an analysis of where this thing is coming from. See that below the original message, if interested.

From: My CSA [mailto:redactedRealAttorney@Redacted-Real-Law-Firm.com]
Sent: Friday, June 27, 2014 5:17 AM
To: RecipientYouShouldntHaveSpammed; numerous other recipients…
Subject: from CSA
Hi!

News: http://blog.carpediem.in/xxx/@@@@@@@.php

My CSA

So what was the payload? The link above was pasted (unredacted) into a private browser on a secure remote server and it produced an application window that looked like an Internet Explorer browser full of phony “Diet News” and suspicious related ad content. An attempt to close the window with the upper right red X brought up a new window with an “Are you sure…” blah blah blah and an OK button that would likely install the malware. Some other time maybe.

Analysis:

The first clue that it’s a malicious message is the link URL. The domain carpediem.in has nothing to do with my CSA, and its TLD (top level domain), .in, is India’s country-code domain. The .php extension on the linked page means it is a server-side script, a dynamic page that can decide what to serve each visitor, rather than a static news item; that is exactly what a malware landing page needs.

Analyzing the header of the message reveals more clues…

The alleged sender address indicated in the header is redactedRealAttorney@Redacted-Real-Law-Firm.com. Probably spoofed at random and likely another stolen piece of identity: this person apparently exists and has a law firm, according to an internet search.

Received: headers are read from the bottom up: each mail server that handles the message adds its own line on top, so the bottom one is the earliest hop and the top one is the last. The last hop before my ISP was… Received: from maui.mirahost.com ([75.126.255.131]) For the non-geeks out there, this means the last known place the message came from before my service provider got it. According to http://whatismyipaddress.com/ip/75.126.255.131 it is a server at Softlayer in Texas.
Before Softlayer it came from… Received: from Redacted-Real-Law-Firm.com (unknown [41.141.0.85]) The word “unknown” is the receiving Postfix server saying that a reverse DNS lookup of 41.141.0.85 gave it no verifiable hostname. The name in front of it, Redacted-Real-Law-Firm.com, is only what the sending machine claimed in its HELO greeting, so nothing ties the law firm’s domain to that address. Looking up the numeric address reveals (no surprise) that it geolocates to Morocco, a region where enforcement against internet abuse is weak: http://whatismyipaddress.com/ip/41.141.0.85

Below is the message with an abridged full header…

Return-Path:
Received: from eastrmimpi109 ([68.230.240.49]) by RecipientISP.Redacted
(InterMail vM.8.01.05.15 201-2260-151-145-20131218) with ESMTP
id 20140627111709.YCVC18287.RecipientISP.Redacted@RecipientISP.Redacted
for redacted@redacted.com; Fri, 27 Jun 2014 07:17:09 -0400
Received: from maui.mirahost.com ([75.126.255.131])
by RecipientISP.redacted with
id KPH71o0052qsbMn01PH8tv; Fri, 27 Jun 2014 07:17:08 -0400
Message-Id: KPH71o0052qsbMn01PH8ua
Received: from maui.mirahost.com (unknown [127.0.0.1])
by maui.mirahost.com (Postfix) with ESMTP id B307993E286E;
Fri, 27 Jun 2014 11:17:00 +0000 (UTC)
Received: from Redacted-Real-Law-Firm.com (unknown [41.141.0.85])
by maui.mirahost.com (Postfix) with ESMTP;
Fri, 27 Jun 2014 11:17:00 +0000 (UTC)
Message-ID: <90cf96820dc5$315b9241$750189c6$@Redacted-Real-Law-Firm.com>
From: My CSA
Subject: from My CSA
Date: Thu, 27 Jun 2014 12:17:00 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_B777_9B6157E3.01563C3F"
X-Mailer: iPad Mail (11D201)
Hi!

News: http://blog.carpediem.in/xxx/@@@@@@@.php

My CSA
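The hop chain and the clues above can be pulled out of a header mechanically. Below is an added example, not part of the original post, that parses a constructed copy of this header (same redaction tokens; the From: address is filled in from the description above) with Python's standard email module. It lists the Received: hops in transmission order, flags any public-IP hop whose reverse DNS came back as unknown, flags the case where that unverified hop claims to be the From: domain, and cross-checks the Date: header against the final Received: stamp. The regular expression for the Received: line and the findings wording are my own, written for this example.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample modelled on the abridged header shown in the post. The
# redaction tokens are kept as they appear there; the From: address is the one
# the post says the header carried.
SAMPLE = """\
Received: from eastrmimpi109 ([68.230.240.49]) by RecipientISP.Redacted
  (InterMail vM.8.01.05.15 201-2260-151-145-20131218) with ESMTP
  id 20140627111709.YCVC18287.RecipientISP.Redacted@RecipientISP.Redacted
  for redacted@redacted.com; Fri, 27 Jun 2014 07:17:09 -0400
Received: from maui.mirahost.com ([75.126.255.131])
  by RecipientISP.redacted with
  id KPH71o0052qsbMn01PH8tv; Fri, 27 Jun 2014 07:17:08 -0400
Received: from maui.mirahost.com (unknown [127.0.0.1])
  by maui.mirahost.com (Postfix) with ESMTP id B307993E286E;
  Fri, 27 Jun 2014 11:17:00 +0000 (UTC)
Received: from Redacted-Real-Law-Firm.com (unknown [41.141.0.85])
  by maui.mirahost.com (Postfix) with ESMTP;
  Fri, 27 Jun 2014 11:17:00 +0000 (UTC)
Message-ID: <90cf96820dc5$315b9241$750189c6$@Redacted-Real-Law-Firm.com>
From: My CSA <redactedRealAttorney@Redacted-Real-Law-Firm.com>
Subject: from My CSA
Date: Thu, 27 Jun 2014 12:17:00 +0000
X-Mailer: iPad Mail (11D201)

Hi!

News: http://blog.carpediem.in/xxx/@@@@@@@.php

My CSA
"""

# "from <helo> (<rdns> [<ip>]) by <host>": the parenthesised part is what the
# receiving MTA observed; the HELO name is only what the client claimed.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(value):
    """Turn one (possibly folded) Received: value into a hop dict, or None."""
    flat = re.sub(r"\s+", " ", value).strip()
    m = HOP_RE.search(flat)
    if not m:
        return None
    hop = m.groupdict()
    stamp = flat.rsplit(";", 1)[1].strip() if ";" in flat else ""
    hop["time"] = parsedate_to_datetime(stamp) if stamp else None
    return hop


def hop_chain(raw):
    """Hops in transmission order. Each relay prepends its own Received: line,
    so the bottom header is the earliest hop and the top one the last."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    return [h for h in reversed(hops) if h]


def analyze(raw):
    """Return the findings a reader would otherwise dig out of the header by hand."""
    msg = message_from_string(raw)
    chain = hop_chain(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    findings = []

    for i, hop in enumerate(chain):
        ip = ipaddress.ip_address(hop["ip"]) if hop["ip"] else None
        if ip is not None and (ip.is_loopback or ip.is_private):
            continue  # relay talking to itself (127.0.0.1): nothing to learn
        if (hop["rdns"] or "").lower() != "unknown":
            continue
        # Postfix writes "unknown" when the reverse lookup of the IP failed, so
        # the HELO name in front of it was never verified.
        if i == 0 and hop["helo"].lower() == from_domain:
            findings.append(
                f"hop {i}: origin {hop['ip']} announced itself as the From: domain "
                f"{from_domain} but has no reverse DNS; the domain is likely forged"
            )
        else:
            findings.append(f"hop {i}: reverse DNS for {hop['ip']} failed; HELO "
                            f"name {hop['helo']!r} is unverified")

    date_hdr = msg.get("Date", "")
    if date_hdr and chain and chain[-1]["time"]:
        date = parsedate_to_datetime(date_hdr)
        if date > chain[-1]["time"]:
            findings.append("Date: header is later than the final Received: stamp")
        day, sep, _ = date_hdr.partition(",")
        if sep and day.strip() != date.strftime("%a"):
            findings.append(f"Date: header says {day.strip()} but that date is a "
                            f"{date.strftime('%a')} (weekday mismatch)")
    return findings


if __name__ == "__main__":
    for n, hop in enumerate(hop_chain(SAMPLE)):
        print(n, hop["helo"], hop["rdns"], hop["ip"], "->", hop["by"])
    for f in analyze(SAMPLE):
        print("!", f)
```

Run on the sample it reports the forged origin plus two Date: anomalies the header above also shows: the Date: line is stamped an hour after the message had already been delivered, and it names Thursday for a date that was a Friday. Real Received: lines come in many shapes; the expression here handles the two in this header and returns None for a hop it cannot parse, so compare the hop count with the number of Received: lines before trusting the chain.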

In conclusion: this is what they do these days. It’s a blended threat: a portion of old-fashioned identity theft (a real law firm’s name and address), a bit of deception (the CSA’s name on a harvested mailing list), and social engineering (a bare link arriving at the moment the reader expects one). If you fall for it and your device isn’t patched and protected, you may end up running a malicious application on your system before you know it.

Blackhat SEO

There’s a reason you don’t see spam comments on this blog: every comment is held for moderation.

I do notice that after each new post, a flurry of irrelevant comments appears in the queue awaiting moderation. Invariably it is automated spam attempting link farming: dropping a backlink here to boost some other site’s backlink count and search ranking.

After a recent very sparse post, 2 such comments appeared in the queue, and the backlink address in one of them caught my eye (gscraper.com), so I decided to investigate…

Black Hat SEO Spam

As you can see in the image above, the backlink in one of these comments is gscraper.com. A search on Google brings up a number of links to the domain, but I didn’t bite right away since I was skeptical that what appears to be the perpetrator’s own resource holds an unbiased answer. Next, I searched on “what is gscraper”. Behold, one of the top returns was a YouTube video promoting a fairly new application called gscraper.

The video is quite revealing. While the promoter is clearly touting the capabilities of the application to the target audience (Blackhat SEO users), it also has the effect of revealing the current state of their dubious craft to everyone else as well.

Basically the program is used to automate several tasks:
• harvest hundreds of thousands of URLs of blogs with new and recent posts
• spam them all with a generic comment that includes a backlink
• search the list to reveal the comments that got through unhindered
• harvest all of the active posts from the shorter list of open blog URLs
• spam the new filtered list for maximum spam density
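The defensive mirror image of that workflow is a moderation filter that catches the generic, link-bearing comment before it is published, which denies the tool the “got through” signal it uses to pick its targets. Below is an added example, not part of this post or of any blog software: a small Python scoring function run over a constructed post and three constructed comments. One comment carries the gscraper.com backlink described above; the other domain, the wording, the stopword list and the threshold are my own assumptions. It scores a comment on whether it contains links, links to a blocked domain, uses template praise, or shares no vocabulary with the post it answers, and holds anything scoring 4 or more.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a short post and three comments on it. The gscraper.com
# backlink mirrors the one the post describes; everything else is made up.
POST = ("Got a call this morning from PC Speedy. Here is an example of a go-away-quickly "
        "script for phone scammers. Keep them on the line, record the call, waste their time.")
COMMENTS = [
    "Had one of these scam calls last week, the script worked, they hung up fast.",
    "Great post! Very useful information, check out my site http://gscraper.com/ for more.",
    "Nice blog. I bookmarked it. http://cheap-pills.invalid/buy?ref=123",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Filler that fits any article; the tell-tale of a templated spam comment.
GENERIC = ("great post", "nice blog", "very useful", "check out my site", "bookmarked")
STOPWORDS = {"the", "and", "for", "this", "that", "with", "from", "here", "there", "them",
             "their", "they", "have", "was", "were", "are", "you", "your", "very", "just",
             "into", "out", "but", "not", "can", "all", "one", "some", "more", "site",
             "post", "blog", "these", "those"}


def content_words(text):
    """Lower-cased words of three or more letters, minus filler."""
    return {w for w in re.findall(r"[a-z]{3,}", text.lower()) if w not in STOPWORDS}


def score_comment(post_text, comment_text, blocked_domains=frozenset()):
    """Score one comment; 'hold' sends it to the moderation queue."""
    reasons, score = [], 0
    urls = URL_RE.findall(comment_text)
    domains = {urlparse(u).hostname.lower() for u in urls if urlparse(u).hostname}

    if urls:
        score += 2
        reasons.append(f"contains {len(urls)} link(s)")
    hits = domains & set(blocked_domains)
    if hits:
        score += 3
        reasons.append("links to blocked domain(s): " + ", ".join(sorted(hits)))
    lower = comment_text.lower()
    if any(p in lower for p in GENERIC):
        score += 2
        reasons.append("generic praise with no specifics")
    # Relevance: a real reply shares some vocabulary with the post it answers.
    words = content_words(URL_RE.sub(" ", comment_text))
    if words and not (words & content_words(post_text)):
        score += 2
        reasons.append("shares no content words with the post")

    return {"score": score, "reasons": reasons, "action": "hold" if score >= 4 else "publish"}


if __name__ == "__main__":
    for c in COMMENTS:
        r = score_comment(POST, c, {"gscraper.com"})
        print(r["action"], r["score"], "|", c[:50], "|", "; ".join(r["reasons"]))
```

The on-topic comment publishes, the gscraper.com one scores highest because it trips every rule, and the pill link is held on genericness and irrelevance alone, which is the case that matters: a block list only catches the domains you already know about. A comment that links but is clearly about the post (shares its vocabulary, no template praise) still gets through, so the filter does not punish readers for citing a source.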

Whoa! Welcome to the world of “Blackhat SEO”. Sorry pal, you’ve scraped the wrong blog.

No doubt, this post will quickly get spammed. Advice to anyone who has a blog out there… “Batten down the hatches”!