Christopher Boyd: February 2008 Archives

Generally, if you employ an outside agency to advertise / promote / generally do things with your site in relation to potential visitors, you need to have a good idea of the methods employed by that company. I've had quite a few emails through from people who received something similar to the following:

"Subject: Advertising Inquiry
From: advertising@polimedia.us

We have reviewed your blogger.com blog on behalf of one of our
clients that would be interested in placing advertising with you.

Client profile :
DoingFine (http://doingfine.org)
New project (<1 month old) Theme A forum dedicated to those things that came out right and worked out fine.

We'd like either a 150x150 button, 160x600 skyscraper or 468x60 full banner (or footer). Alternatively, we may be interested in text-only advertising.

This would be a weekly, monthly or yearly arrangement. In either case we will require a one time, one day (24 hours) free placement in order to test the quality and quantity of traffic your website can actually provide*. Within this interval, we will make a final determination, based on the traffic volume, quality, and your asking price. Should we find your terms acceptable, this trial day will count towards the agreed interval.

Kindly let us know if you would be interested, which arrangement best suits your editorial needs, and what rates you would like to charge. We prefer using PayPal but may be able to accommodate alternative payment methods.

Thank you.

*Please note that we employ software that reliably detects autoclick and autosurf bots, pay per click and paid to surf type traffic, and other such non-human traffic. This may be a concern for you, especially if you are buying "bulk traffic", or employing the services of dubious "SEO experts"

The site in question, doingfine.org, seems to be harmless enough - a forum where people can, quite literally, tell the world that they are indeed "doing fine". However, the methods being used by the company promoting the site are veering on the side of "not doing very fine at all" and appear to be somewhat random and scattershot in their approach to web marketing. The obvious danger here is that people will simply come to associate Doingfine.org with spam-like tactics, strange emails and immediate associations with 419 scams.

For starters, the people behind the campaign are clearly sending these mails out quite randomly. Why? Well, here's someone with a Flickr account who was sent the same email. Anyone who took five minutes to check would realise that Flickr is for hosting photographs - you can't manipulate your pages to insert adverts, banners or buttons.

A quick Google reveals many more people feeling confused and puzzled by these emails - this is NOT a good feeling to generate amongst people online, as word of mouth spreads extremely quickly and these kinds of tactics are usually frowned upon.

Take a quick look at the site doing the promoting, and things don't improve:

http://blog.spywareguide.com/upload/2008/02/polimedia-thumb.gif
Click to Enlarge

...wha? At first glance I thought it was a site related to videogames involving armies and aeroplanes or something. The English version of the site isn't any more enlightening (with phrases such as "There is nobody else", "If you want something done, we'll have to do it ourselves" and "Squeaky wheels? We've got grease" all over the place). Again, all of these factors (no real substance to the information provided, bizarre phrases and a general sense of oddness) are seen in common webscams, and naturally give people pause for thought.

Of course, the negative feedback created by the approach of Polimedia has now started to flow back to Doingfine.org, with threads such as this. There are two key things said by the site owner. One is in response to a post in a thread by a Google Blogger.com employee:

"The notion that "third parties can easily install badware into your computer by asking you to put code into your template" is the sort of nonsense that appeals to otherwise uninformed people. Coming from someone who almost certainly knows better. Not to mention SOMETHING GOOGLE SHOULD BE FIXING, should it actually be true."

This makes no sense to me. There are all sorts of dubious scams out there that involve convincing people to paste code onto their website. It only takes a little bit of malicious code to launch an IFRAME, or run some Javascript, or any number of other things and then you've got a problem on your hands. As for Google somehow being responsible for "fixing" the way in which nefarious people online can use rogue code to push exploits - huh?
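One practical check for the risk described above is to audit any HTML snippet a third party asks you to paste into your template before it goes live. The script below is an added example, not code from the original post or from any of the companies it discusses: it walks the snippet with Python's standard HTML parser and reports the constructs that turn a "harmless 150x150 button" into a foothold (script, iframe, object/embed elements, inline event handlers, javascript:/data: URLs, hidden elements, and references to hosts outside an allowlist you supply). The sample snippets, the allowlist and the hostnames ads.example and cdn.example are constructed for illustration.

```python
"""Audit an HTML snippet a third party asks you to paste into a blog template.

Added example (not from the original post). Flags the constructs that let
'paste this button code' become a loader for other people's content:
script/iframe/object/embed elements, inline event handlers, javascript: and
data: URLs, hidden elements, and any host outside an allowlist you provide.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

RISKY_TAGS = {"script", "iframe", "frame", "object", "embed", "applet", "meta", "link", "form"}
URL_ATTRS = {"src", "href", "action", "data"}
SCRIPT_SCHEMES = {"javascript", "data", "vbscript"}


class SnippetAuditor(HTMLParser):
    """Collects findings while the parser walks the snippet; nothing is rendered."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []

    # HTMLParser lower-cases tag and attribute names and also routes
    # self-closing tags (<img ... />) through handle_starttag.
    def handle_starttag(self, tag, attrs):
        if tag in RISKY_TAGS:
            self.findings.append(f"<{tag}> element present")
        for name, value in attrs:
            value = (value or "").strip()
            if name.startswith("on"):
                self.findings.append(f"inline event handler {name}= on <{tag}>")
            if name in URL_ATTRS:
                self._check_url(tag, name, value)
            if name == "style":
                compact = value.replace(" ", "").lower()
                if "display:none" in compact or "visibility:hidden" in compact:
                    self.findings.append(f"hidden element via style on <{tag}>")

    def _check_url(self, tag, attr, value):
        parsed = urlparse(value)
        scheme = parsed.scheme.lower()
        if scheme in SCRIPT_SCHEMES:
            self.findings.append(f"{scheme}: URL in {attr}= on <{tag}>")
            return
        host = parsed.hostname
        if host and host.lower() not in self.allowed_hosts:
            self.findings.append(f"external host {host} in {attr}= on <{tag}>")


def audit_snippet(html, allowed_hosts=()):
    """Return a list of findings; an empty list means nothing obviously risky."""
    auditor = SnippetAuditor(allowed_hosts)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    # Constructed samples: a plain image button, and the same button with extras.
    plain = ('<a href="http://doingfine.org"><img src="http://doingfine.org/button150.gif" '
             'width="150" height="150" alt="Doing Fine"></a>')
    loaded = ('<a href="http://doingfine.org" onmouseover="alert(1)">x</a>'
              '<iframe src="http://ads.example/track" width="0" height="0"></iframe>'
              '<script src="http://cdn.example/w.js"></script>')
    for label, snippet in (("plain", plain), ("loaded", loaded)):
        print(label, audit_snippet(snippet, allowed_hosts=["doingfine.org"]))
```

The allowlist is the advertiser's own domain; anything the snippet reaches for beyond that is exactly what you want to know about before committing to the deal, since whoever controls those hosts controls what your visitors receive.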

The second thing of note that the site owner says is this:

"For the past week or so, we've been employing this Polimedia company to handle our marketing and advertising. So far it is working really GREAT, as far as I understand these things (which admittedly isn't very far)."

This rings warning bells, for me - the site owner seemingly claims he doesn't understand "these things" very well, which presumably means the workings of having someone else handle your marketing and advertising. First of all, if I were him, I'd certainly want to know exactly what a third party was wanting to place on other people's websites in my name before committing to such a deal. Secondly, all is not quite as it seems here. Why? Well, here is the owner of Doingfine.org posting to a webmaster forum.

For some bizarre reason, he is posting under the username of Polimedia - more confusion. Why post under the name of the third party company you've hired to promote your site? At any rate, the post reads:

"1000$ in this thread. This is a themed pay by post job. Here's the specs :

VERY IMPORTANT : The theme for this project is "doing just fine". Please stick to it. A story about how you are happy with your computer set-up, how your dog learned a new trick, how you baked a pie and it came out just right are welcome. PRODUCT ENDORSEMENTS ARE NOT, unless the product is really mainstream. Story about how you enjoyed a drink of Coca Cola is fine. Story about some internet-based crapola will get you insta-banned.

You will be paid $10 for every 100 posts you make to my forum at http://doingfine.org. In order for you to collect, you must :

Make 100 posts, not less, using AT LEAST 15 different registered user names, starting AT LEAST 10 new threads.

All new thread posts must be AT LEAST 12 lines, 120 words, 600 characters. These length requirements are CUMULATIVE, meaning you must satisfy ALL.

All reply posts must be AT LEAST 2 lines, 20 words, 100 characters. These length requirements are CUMULATIVE, meaning you must satisfy ALL.

You may not copy/paste strings longer than 35 characters or 7 words from ANYWHERE. I actually use scripts to check this.

You may add AT MOST one link per post, provided it's either a completely FREE (no ads, no sales pitch, no revenue method whatsoever) website or an image link. You may NOT add more than 30 links TOTAL.

Your post must be relevant and adequate to the available themes. The forum has a broad "doing just fine" theme. Thus, please contribute posts that describe either a personal experience, or a world event/news item about something THAT'S JUST FINE. Personal experiences are preferred, and probably easier to write.

Your posts must be INTELLIGIBLE, written in ENGLISH. You MUST make sense. Random gibberish will not count. I prefer you use standard spelling and punctuation. If you don't, all the differently named registered users you create that make recognizably the same spelling mistakes WILL be counted as one.

You MUST use the same IP address for all your posts, this is how I will count them.

You must send me (user : Mr. M) one private message when you start posting, stating that you intend to start posting. Mention this board and optionally your user name here.

You must send me (user : Mr. M) one private message when you are done posting 100 posts. It MUST contain your paypal address (you will be paid $10 within the same day) and specify if you intend to start another 100 posts block. If you do, please wait for my ok. That means I will tell you whether I'm happy with your work and you should bother doing another 100.

All people satisfying the above conditions will be paid the above sum. No exceptions.
All people FAILING to satisfy the above conditions will NOT be paid the above sum. No exceptions.

I will respond to any disputes here, should one arise (not sure why it would though).

My budget for paying posters is 1,000$ (it actually is, yes), so post away and take my money. Good luck."

So, despite the fact that the domain was apparently only registered on the 7th February, the forum itself could appear to be extremely active because a large number of people are being paid to post under 15 different registered usernames, with 100 posts each.

This is a fairly clever idea in terms of making a forum come to life quickly - does the earlier statement regarding not understanding the workings of having a third party handle your advertising still ring true? If you're smart enough to do something like the above, why would you even bother to use Polimedia to send out these random mailshots?
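The job offer quoted above hands a forum operator (or anyone auditing one) the two signals needed to spot this kind of paid-posting ring: many freshly registered usernames posting from one IP address, and text reused across supposedly different people. The script below is an added example, not code from the original post or from the forum it describes; it takes a list of (username, ip, text) records, groups accounts by IP, and then applies the poster's own 7-word copy/paste window between accounts rather than against outside sources. All posts, usernames and IP addresses are constructed, and the thresholds MIN_USERS_PER_IP and MIN_SHARED_SHINGLES are assumptions to tune per forum.

```python
"""Spot a paid-posting ring from a forum's own registration and post data.

Added example, not from the original post or the forum it describes. Two
signals, both taken straight from the quoted job offer: several accounts
posting from one IP, and 7-word runs of text reused between 'different'
users. Sample records below are constructed.
"""
import re
from collections import defaultdict
from itertools import combinations

SHINGLE_WORDS = 7         # the 7-word copy/paste window from the quoted rules
MIN_USERS_PER_IP = 3      # assumption: more accounts than one household plausibly has
MIN_SHARED_SHINGLES = 2   # assumption: two shared 7-word runs is not coincidence

POSTS = [  # constructed sample: (username, ip, text)
    ("pieguy", "203.0.113.7", "I baked a pie and it came out just right, doing fine here."),
    ("happydog", "203.0.113.7", "My dog learned a new trick today and the whole family loved it."),
    ("sunnyday", "203.0.113.7", "Sunny weekend, long walk, nothing went wrong at all."),
    ("regular_joe", "198.51.100.20", "Finally fixed the squeak in my office chair, small win but it feels great."),
    ("lurker99", "198.51.100.21", "Quick update: I baked a pie and it came out just right, doing fine here too."),
]


def shingles(text, n=SHINGLE_WORDS):
    """Set of every n-word run in the text, lower-cased and stripped of punctuation."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    return {" ".join(words[i:i + n]) for i in range(len(words) - n + 1)}


def accounts_per_ip(posts):
    """IPs with at least MIN_USERS_PER_IP distinct usernames, mapped to those names."""
    by_ip = defaultdict(set)
    for user, ip, _ in posts:
        by_ip[ip].add(user)
    return {ip: sorted(users) for ip, users in by_ip.items() if len(users) >= MIN_USERS_PER_IP}


def reused_text(posts):
    """Pairs of different usernames whose posts share n-word runs."""
    per_user = defaultdict(set)
    for user, _, text in posts:
        per_user[user] |= shingles(text)
    hits = {}
    for a, b in combinations(sorted(per_user), 2):
        shared = per_user[a] & per_user[b]
        if len(shared) >= MIN_SHARED_SHINGLES:
            hits[(a, b)] = sorted(shared)
    return hits


def suspicious_accounts(posts):
    """Union of both signals, as a sorted list of usernames worth a closer look."""
    flagged = set()
    for users in accounts_per_ip(posts).values():
        flagged.update(users)
    for pair in reused_text(posts):
        flagged.update(pair)
    return sorted(flagged)


if __name__ == "__main__":
    print("shared IPs:", accounts_per_ip(POSTS))
    print("reused text:", list(reused_text(POSTS)))
    print("flagged:", suspicious_accounts(POSTS))
```

The IP signal is the stronger one here because the scheme requires it ("you MUST use the same IP address for all your posts"); the text signal catches the case where a worker spreads one story across several accounts. Neither proves anything on its own, which is why the output is a list to review rather than a ban list.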

Who knows. What I do know is, their tactics need a serious rethink and fast. Though the buttons and code they're placing on websites appear to be harmless, the techniques they're using to promote the site most definitely aren't - at least with regard to the reputation of Doingfine.org.

Of course, now someone needs to point out that it would actually be "Anti-Malware Jedi"!

Click here to read all about it. Great to see some of the security support forums getting a lot of mainstream press coverage!

Here's a prank application that might not be to everyone's taste. Dubbed Win32.spin, and posing as a fake MSN crashing program called "Nudge Madness", anyone unfortunate enough to run this executable will suddenly discover the meaning of the phrase "very bad day".

w32spin.JPG

Why? Well, running the application makes it attempt to open up meatspin.com (a shock meme site) 1,500 times on your desktop.

It wasn't so long ago that we covered the Rick Astley rickroll meme that somehow found its way into being combined with a spinning browser hijack of doom. It's interesting how hackers are now taking it to another level and combining shock memes with hacking / cracking tools.

You spin me right round, baby, right round...

A Phishy Tale


I'd been watching the antics of a 20 year old girl from Malaysia who had a serious thing for Phishing. I couldn't have predicted the direction the investigation would take when, quite randomly, I came across the following post with regard to one of her former identities:

rib1.gif

...."Ribut", eh? Interesting. A quick Google search later, and we find some interesting Ribut-related Phish pages:

ributmyspace1.gif

...don't bother to look for it, I already had it killed off. What really intrigued me here was if she had any more pages floating around under her "old" username. Using a few search strings that tend to reveal some of the more "obvious" password-stealing fake logins via Google, I stumbled across a rather unusual way of keeping an eye on Phish pages:

ads_galore.gif

There she is, buried in a pile of other phish pages. What is that a screenshot of, I hear you ask? And why exactly is she buried in a wall of phish? Well, note the title - "Where can I find these ads?"

This is a page from advertising network Adbrite, who the host of all these phish pages (2222mb.com) has an account with. If someone wants to host an advert on 2222mb.com, they make their selection and purchase ad space:

http://blog.spywareguide.com/upload/2008/02/advertiseon2222mb-thumb.gif

However, this isn't the part of the page we're interested in. You've already seen it, above, listing the "most trafficked pages" from the site in question. That's right, it appears that the most popular pages on 2222mb.com are phish pages, going off the information presented to us by Adbrite.

In fact, here's a snapshot of the current set of pages listed by Adbrite as "most trafficked pages":

currentphish.gif

...is anyone else faintly disturbed that EVERYTHING being listed for this webhost is almost always a phish page?

At this point, you normally contact the host and (depending on a whole range of factors) they kill off the rogue pages in a few days or so. My hopes were high, seeing as another host (110mb.com) with the same Admin contact (a person called Tycho Luyben, more on him later) had previously removed phish pages for me in as little as six minutes.

My first mistake, as it turns out, was getting my hopes up.

http://blog.spywareguide.com/upload/2008/02/2222mb-thumb.gif
Click to Enlarge

The above is the frontpage of 2222mb.com. At the bottom of the page, it mentions Terms of Service, but you can't click into it. There is no contact email address anywhere on site, and no mention of what to do when finding evidence of abuse on the network.

Uh-oh.

As it turns out, the only way to try and get someone's attention was to register for the hosting service, then submit a ticket which... was completely ignored by whoever received it.

> http://dustyd34th.2222mb.com/myspace.php
> http://ribut.2222mb.com/myspace.php
> http://najn.2222mb.com/
> http://tjt1991.2222mb.com/myspace.php
> http://darktornadic.2222mb.com/myspace/myspace.php
> http://english-naats.2222mb.com/index.htm
> http://titan7.2222mb.com/myspace.php

....were all reported on the 21st of January, and a few days later, nobody had replied to my ticket. So much for the "24 / 7" support - I added to the ticket a few days later (with words to the effect of "these pages still appear to be live?") and that was ignored too.

Okay, change of plan. Let's go to the guy who must be providing these reseller accounts to these webhosts in the first place. A quick check of the whois data for 2222mb reveals....something weird, actually. The other hosting services that are presumably reseller accounts provided to individuals by "Tycho" have different addresses listed, as you would expect (110mb.com, for example, is owned by someone in Australia). With 2222mb.com though, Tycho's own "Admin Contact" address is listed as the main contact address for this domain.

owner-contact: O-EZL21
owner-organization: E-lab BV
owner-street: Weverstede 27 b
owner-city: Nieuwegein
owner-zip: 3431 JS
owner-country: NL
owner-phone: +31 615065229
owner-email: tycho@e-lab.nl

Is the owner of this reseller account living with Tycho or something? Could it be Tycho himself? It seems unlikely, given that Tycho replied to my first email to him (sent on the Tenth of February) with the following:

"Dear,
I will tell my client to remove these asap.

Regards,
Tycho"

...."My Client"? Okay, so why is his own Admin address listed as the primary contact point for this domain when someone else apparently owns it?

Anyway, all of the above phish pages were deleted - but I had a second, final batch of pages that needed to be deleted too. As anything and everything sent to abuse@2222mb.com and postmaster@2222mb.com went unanswered, I thought I'd better send Tycho another email. He'd fix those too, right?

Wrong.

Three more emails, sent on the 11th, 13th and 15th of February went unanswered - as did the second round of tickets raised inside the 2222mb system:

http://blog.spywareguide.com/upload/2008/02/unanswered-thumb.gif
Click to Enlarge

Two of the above phish pages have since gone offline, but it seems unlikely that I had anything to do with it, given that all the rest are still online and happily phishing away. I thought I'd check out the E-Lab site attached to Tycho's email address - here's where things spiral into madness:

http://blog.spywareguide.com/upload/2008/02/elab1-thumb.gif
Click to Enlarge

Note the "www" at the start of the web address. So far, so good - nothing out of the ordinary. Just a page that talks about helping people "start out" online with regard to technology-based ventures and the like.

However - type in the address minus the "www" and look what happens:

http://blog.spywareguide.com/upload/2008/02/stoopid3-thumb.gif
Click to Enlarge

...you're redirected to a site called "Stoopidsh*t.com" that contains links to numerous "extreme / crazy" videos, and also a number of videos that require you to install Zango to play them (they're the ones with the red "play video" buttons).

Apart from the fact that it's a little odd for a site acting as some kind of provider for web services to redirect to something like that, can you guess who the site is registered to?

fakedata11.GIF

I have no idea what's going on with that whois data, but it looks a little strange, right? S4V 3C5 is merely a postcode - where is the rest of the address?

Actually, that's not the only website connected to Tycho that looks a little odd in a whois search. Take, for example, the whois for a site called "Riddleman.net":

riddleman.gif

....I'm sure you'll agree, that's a pretty strange looking contact address. At any rate, I think we're done poking around the weird and wonderful world of domain registrations. Time to contact Adbrite and let them know that anyone going looking for either

a) 2222mb.com information via Google, or

b) more information regarding Myspace phish pages on 2222mb.com via Google

is (more often than not) going to see Adbrite pages appear before anything else, usually listing some phishing pages in their own "most trafficked pages" results:

http://blog.spywareguide.com/upload/2008/02/adbritemyspace2222-thumb.gif
Click to Enlarge

Now to me, having your own pages pop up when searching for someone else's phish pages is a form of negative association you could do without - both in terms of not wanting to be associated with such a thing, and also not wanting to be seen to be providing a way to generate money for webhosts that don't seem to be overly speedy with regard to removing network abuse.

Surely, when notified about such antics you'd be quick to take action, right? At the very least, you might want to drop the person running your ads a note and suggest that a housecleaning might be in order, lest your account be canceled?

Well, that's what I thought too. However, the emails sent to Adbrite on both the 17th and the 22nd of February have (so far) not had a response from either pr@adbrite.com or support@adbrite.com (note that I only sent Adbrite details of 2222mb.com and the way that requests for phishing pages to be removed were seemingly ignored - they were not sent any additional information regarding other domains, which although interesting, were irrelevant to the point I wanted to raise with Adbrite).

I would hope that Adbrite will take a second look at this and take appropriate action if needed - 2222mb.com has already gained a form of notoriety on hacking / cracking forums as a good place to host phishing pages. Indeed, look at the results from this search...there are many hacking sites distributing tutorials recommending 2222mb.com for phish hosting.

Take those tutorials and combine them with the experiences I had simply trying to get a handful of phish pages taken offline and you have the makings of a problem that is going to grow and grow unless something is done about it.

The question is, is anybody listening and do they actually care?

Biggest Wordlist Ever?


That's what people are asking on a number of hacking websites, as the link for a 28GB wordlist is being passed around. Of course, the excitement of using such a list with their favourite brute forcing tool soon turns to disappointment when they realise there's no text editor or password cracker in existence that can actually open the file. Or, as one guy put it:

"I can't find anything that opens this. Every text editor I use says error and a reference to the size. So far I have tried:
Microsoft Word
Notepad
WinWord
Internet Explorer
Dreamweaver
OpenOffice Word.

and it crashes all my bruteforcers."

The download might as well be called "How to waste 28GB of your bandwidth".

"This is going to be the ultimate tool to take down a webserver of our choosing. I need you guys help distributing it." - The creator of the below Botnet and related executables

Here's an interesting (and particularly unpleasant) Botnet. While building out the net, the creator posted this to a forum:

"This is a screenshot of me testing the program against Google, using 1 bot. As you can see, the loop speed of the program is so fast that it's downloading at an incredible speed. According to NetLimiter, this bot was downloading from Google at almost 4 times my connection line speed max, and uploading over 40kb faster than my max line speed."

A few revisions later, and the botnet is ready to roll. This Botnet is highly unusual in that the creator is freely advertising its services from both his website and inside downloadable zips of the infection executables - absolutely anyone can jump into the IRC Channel and give commands to the Bots. See where that whole "Infinite Ringmaster" thing comes into play now? In this net, everybody is famous for 15 minutes (or until their Bots stop bombing websites, whichever comes first).

The infection files themselves are disguised to look like hacking programs - anyone considering jumping on the hacking bandwagon and running any of the following:

hbt1.gif

....will quickly find themselves dumped into the Botnet as a drone.

The text from the supplied Readme is as follows:

********** IRC v2.0 by **********

For you fools out there, don't run the EXE. That is the file that you pass around to the victims.
This is an IRC BOTNET. You must connect to the IRC server listed below to be able to access these bots.
This new version is a very powerful HTTP bomber, as you may have seen from the screenshot I posted.

This version also contains the capability of self updating.
I've done my best to hide this program from AV's by using EXE packers.

YOU MUST TYPE THE COMMAND EXACT, OR YOU WILL RECEIVE ERROR AND/OR CRASH THE BOT
YOU MUST TYPE THE COMMAND EXACT, OR YOU WILL RECEIVE ERROR AND/OR CRASH THE BOT
YOU MUST TYPE THE COMMAND EXACT, OR YOU WILL RECEIVE ERROR AND/OR CRASH THE BOT

*instructions for issuing commands removed*

For example: You want to bomb www.google.com. Go to that site in your browser, and find the path of an image hosted on the site. For www.google.com, their main logo is www.google.com/intl/en_ALL/images/logo.gif

It is CRUCIAL that you DO NOT type http:// into the address that you are bombing. The colon : in the http:// will disrupt the bots data parsing technique and could possibly crash the bot.

So, if you wanted to bomb google, 10,000 times, you would type to the bots this command

*bombing instructions removed*

=============================PLEASE NOTE=============================
The bots WILL TELL YOU when they are done with the last accepted
command! Do not flood the bots!
=====================================================================

The rest goes into detail about the function of the executables, the server to join, channel information and the password to enter the channel correctly. Of course, posting your Botnet login data like this is a crazy thing to do, because you're practically begging for people to enter the channel who don't know what they're doing and start screwing up on a grand scale.

Inexperienced botnet wielders can quite easily start breaking lots of things they might not have even intended as targets. And how many of them (when frustrated by their inability to control the bots) will simply start using the details to attack Google as detailed in the readme? It's unlikely this would cause any problems for Google, of course - however, the intention here seems to be to jam as many people into the pilot seat as possible and have them fire at will.

Never a good thing, especially when the Botnet owner himself is apparently feeling the strain as seen in his, er, welcoming message to visitors:

http://blog.spywareguide.com/upload/2008/02/angry_botnet_guy-thumb.gif
Click to Enlarge

...charming. As the executable files are being promoted on forums with up to 2000+ members (with the intention that they go out into the wide blue yonder and try to trick people into running the infection files) it could spread very quickly.

We detect this infection as HTBomber.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher
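From the receiving end, the "HTTP bomber" described in the readme above looks like one client fetching a single static file thousands of times in a short interval, which is a pattern a web server's own access log exposes. The script below is an added example, not code from the original post or from the product that detects HTBomber: it parses Apache combined-format log lines, keeps a sliding window of request timestamps per client IP, and flags clients whose peak request rate exceeds a limit while one path accounts for nearly all of their traffic. The log lines, IP addresses and the thresholds (window_sec, max_requests, same_path_ratio) are constructed for illustration, and the detector assumes the log is in time order, as a server writes it.

```python
"""Flag HTTP-flood clients in a web server access log.

Added example, not from the original post or from any product it mentions.
The bots in the quoted readme hammer one image URL thousands of times, so
this counts requests per client IP in a sliding time window and notes when
a single path dominates. Log lines below are constructed (Apache 'combined'
format) and assumed to be in time order.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_flooders(lines, window_sec=10, max_requests=50, same_path_ratio=0.9):
    """Return {ip: (peak_requests_in_window, dominant_path)} for clients over the limits."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    paths = defaultdict(Counter)  # ip -> histogram of requested paths
    peak = defaultdict(int)       # ip -> highest window occupancy seen
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole run
        ip, ts = rec["ip"], rec["ts"]
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_sec:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
        paths[ip][rec["path"]] += 1
    flagged = {}
    for ip, n in peak.items():
        path, hits = paths[ip].most_common(1)[0]
        total = sum(paths[ip].values())
        if n > max_requests and hits / total >= same_path_ratio:
            flagged[ip] = (n, path)
    return flagged


def sample_log():
    """Constructed: one client fetching logo.gif 60 times in 6 seconds, plus a normal visitor."""
    stamp = "[10/Feb/2008:14:00:%02d +0000]"
    lines = []
    for i in range(60):
        lines.append('203.0.113.9 - - %s "GET /images/logo.gif HTTP/1.1" 200 8558 "-" "bot"'
                     % (stamp % (i // 10)))
    for i, path in enumerate(["/", "/images/logo.gif", "/about.html", "/css/site.css"]):
        lines.append('198.51.100.4 - - %s "GET %s HTTP/1.1" 200 1024 "-" "Mozilla/5.0"'
                     % (stamp % (i * 2), path))
    return lines


if __name__ == "__main__":
    for ip, (n, path) in find_flooders(sample_log()).items():
        print(f"{ip}: {n} requests in window, mostly {path}")
```

The same-path ratio is what separates a flood of this kind from a busy but legitimate client such as a proxy: a real visitor behind a shared address requests a mix of pages, while the bot in the readme is told to request exactly one image over and over.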

I hope you hear a red alert sound when you read the following:

- What should be done for being your participant and earning 750 US dollars?

You need to fill in the registration form.
After your registration processing you will receive a letter with the following instructions.
Then you will need to send us your PayPal Debit Card via USPS Company to the address of our branch office.

That's right, if you send completely random strangers on the internet your Paypal Debit Card in the post (who claim to have been around since 2003 even though their website was set up in February 2008!), then they'll make you rich beyond your wildest dreams.

Honest.

A great summary of why you should give any mails regarding Webcardmaster.com a very wide berth can be found here.

Hat-tip!

This is a World of Warcraft Time Card. If you play games online that require payment, you can either pay by direct debit or keep buying these cards, which entitle you to x days of gameplay.

This was posted to a forum yesterday, and could easily have made the leap from "how about this.." to "currently in operation":

world_wcraft_scam.gif

A lot of stores seal these cards in clear wrapped plastic to prevent tampering, but apparently not all, as the poster claims:

"The time cards are kept behind the counter and the boxes out front, you grab the box bring it up to the front and they slip a time card in and throw one of those round plastic dealies over the flap. Even if they are sealed with the plastic stickers fold the pamphlet in half and slip it into the bottom of the box.

On top of that the plastic sticker is put on by employees of the retail store, it is not hard at all to find someone to assist you in this endeavor. I would even go work part time at (store removed) in the evenings if I knew I had someone solid backing me up with an idiot-proof phishing site."

If you happen to purchase a World of Warcraft Time Card and a pamphlet falls out inviting you to a closed Beta, contact Blizzard Software to ensure it's legitimate before you hand over your details....

We've had a few reports of the (now familiar) style of site that asks you to enter your MSN Messenger details in return for being informed who "has you blocked". The site in question is called

msnliststatus.com

Not only is it a bad idea to simply fill in ANY login details on a random website you happen to come across, I don't think I've ever seen a single website offering this "service" actually carry it out successfully.

On the bright side, the site does offer you some terms of service to look at before you sign up:

termsofuse1.gif

Sadly, it all goes horribly wrong when you realise half the text is hidden behind the image on the right hand side:

http://blog.spywareguide.com/upload/2008/02/termsofuse2-thumb.gif
Click to Enlarge

The site does this in both IE and FireFox. Can't say I've ever seen that before. Note that the really important part (that says your messenger contacts will be sent adverts via MSN) just happens to be hidden by the graphic. Here's how it reads with the text obscured:

By using this service you optin receiving email advertising from blockdelete.com. will receive an advertising message from you when you use this service.

Without the hidden first part, an end-user could potentially think it's talking about the opt-in Emails you receive when using the service. Now let's add the missing section back in:

By using this service you optin receiving email advertising from blockdelete.com. Your messenger contacts will receive an advertising message from you when you use this service.

A bit of a difference!

(Note - I don't normally publish the exact same article to both Vital and SPG, but I thought this one might be important enough to warrant it).

Yesterday, I had an Email sitting in the mailbox that looked like this:

"CONFERENCE/INVITATION

Dear Sir/Madam

We are cordially inviting you to our Twin Combined Conference which will be
held. From the 21st - 23rd of March 2008 In Anaheim California and in Dakar
Senegal from the 27th -30th of March 2008.

If you are interested to participate and want to represent your country,
You may contact the secretariat of the organizing committee for details and
information. You should also inform them that you were invited to participate
by a friend (Miss Precious Wright ), Who is a member of the American Youths
for Peace and a staff of (WORLD YOUTH ORGANIZATION FOR HUMAN RIGHTS).

The benevolent donors of the Organizing Committee will provide round trip air
tickets and accommodation for the period of participants Stay in the U.S, to
all registered participants.You will only be responsible for your own hotel
booking in Dakar where the second phase of the conference will be held.

If you are a holder of an international passport that may require visa to
enter the United States you may inform the conference secretariat at the time
of Application , as the organizing committee is responsible for all visa
arrangements and travel assistances.

Email// info@worldyouthsorganization.org OR
secretariat@worldyouthsorganization.org
By TEL: +1 (516) 303-0022 or By FAX +1 (718)-228-8213
http://www.worldyouthsorganization.org/

Sincerely,
Precious Wright
my email: ( p.wright@worldyouthsorganization.org )"

.....uh, yeah, okay. Now, even before I start thinking about this I can see some serious problems here:

1) Random email. Important conferences randomly mail anyone they feel like to come along?

2) It takes place in California AND Senegal in the space of a few days? That's some pretty messed up, jetlagged people at the second event, right there.

3) Two oddly disjointed topics: Child abuse and racism? Uhh...okay...I guess? Seems more like they randomly picked two worthy topics than anything else.

4) Never heard of them and it looks like a 419 mail. Shall we take a look at their breathtakingly fake website?

http://blog.spywareguide.com/upload/2008/02/fakeconf1-thumb.gif
Click to Enlarge

....wow, 1995 has entered the building. Also: "Come and lets join hands and wage this global stigma against racism and chid abuse"?

Well, that's the first time I've been asked to "wage a global stigma" against something. Now let's all go save a "chid".

Sigh. Shall we look at some more? How about the "recent photographs" page? They have a whole bunch up:

http://blog.spywareguide.com/upload/2008/02/fakeconf2-thumb.gif
Click to Enlarge

Look at that - Jesse Jackson AND Fidel Castro have taken part in previous events held by this organisation!

http://blog.spywareguide.com/upload/2008/02/fakeconf3nhlf-thumb.gif
Click to Enlarge

I guess I'd be somewhat more impressed if the photograph in question hadn't just been lifted from a series of shots taken at the World Conference Against Racism, Durban South Africa 2001:

http://blog.spywareguide.com/upload/2008/02/fakeconf3-thumb.gif
Click to Enlarge

...and so it goes for the other images on the site - seemingly culled from other sources (how does GEORGE BUSH take part in one of these things without the whole world knowing who this organisation is?)

Check it out:

http://blog.spywareguide.com/upload/2008/02/fakeconf4-thumb.gif
Click to Enlarge

This is supposedly the Conference "Come join hands with us wage global war against racism" (which is simultaneously taking place in both 2007 and 2008...maybe it was a New Year's thing).

Sadly, this image has been lifted from this site:

http://blog.spywareguide.com/upload/2008/02/fakeconf5-thumb.gif

...whoops. They're even willing to stoop to swiping pictures from the Eurovision Song Contest - compare and contrast:

http://blog.spywareguide.com/upload/2008/02/fakeconf6-thumb.gif

The "Con-Vision" (appropriate!) Media Center is actually taken from here:

http://blog.spywareguide.com/upload/2008/02/fakeconf7-thumb.gif

...the 2006 Eurovision Press Center.

From their "Staff Page":

http://blog.spywareguide.com/upload/2008/02/fakeconf8-thumb.gif

Someone needs to report their "staff" for moonlighting, because this is actually the registration desk of the 2005 Environmental Monitoring, Evaluation and Protection Conference.

Why am I spending so much time on the images? Well, it's important to debunk this stuff as it's the images that ultimately go a long way to convincing people to fall for this kind of thing. The best example of this I can think of is one that even a newcomer to scams should be able to spot - the images from the speakers page. Bear in mind, they could have called their fake speakers anything at all - imagine the hilarity, then, of having to listen to...

http://blog.spywareguide.com/upload/2008/02/fakeconf9-thumb.gif

....that well known expert on the causes of racism, Mr GEORGE WASHINGTON.

Incidentally, the below picture is supposed to be George Washington too:

http://blog.spywareguide.com/upload/2008/02/fakeconf10-thumb.gif

....there are two problems with this. One, he doesn't appear to be bald and white anymore. Two, he's speaking at a presentation for the International Congress of Nanotechnology (check the banner below the podium).

I think we've covered the "this is completely fake" bases, so who are they and what are they after?

Well, as far as the "who" part goes, the Whois data is quite probably fake:

Domain Name:WORLDYOUTHSORGANIZATION.ORG
Created On:15-Nov-2007 09:56:38 UTC
Last Updated On:15-Jan-2008 03:48:47 UTC
Expiration Date:15-Nov-2008 09:56:38 UTC
Sponsoring Registrar:Wild West Domains, Inc. (R120-LROR)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Registrant ID:GODA-039910427
Registrant Name:Jesse Rocha
Registrant Organization:World Youths Organization
Registrant Street1:3710 airport blvd
Registrant Street2:
Registrant Street3:
Registrant City:Austin
Registrant State/Province:Texas
Registrant Postal Code:78722
Registrant Country:US

Apparently, the "World Youths Organisation" operates out of an address
associated with Tire and Car Brake repairs.
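As an added example (not code from the original post), here is a small Python script that parses the WHOIS record quoted above and pulls out the two signals worth checking whenever an unsolicited invitation comes from an organisation you have never heard of: how recently the domain was registered, and for how long. The reference date of 15 February 2008 is an assumption for when the email arrived; the thresholds (under 180 days old, a one-year term) are illustrative, not a standard.

```python
"""Parse a raw WHOIS record and derive simple age/term signals for a domain
behind an unsolicited 'conference invitation'. Added example, not code from
the original post."""
from datetime import datetime, timezone

# The WHOIS record as quoted in the post (status and registrant lines included).
WHOIS_TEXT = """\
Domain Name:WORLDYOUTHSORGANIZATION.ORG
Created On:15-Nov-2007 09:56:38 UTC
Last Updated On:15-Jan-2008 03:48:47 UTC
Expiration Date:15-Nov-2008 09:56:38 UTC
Sponsoring Registrar:Wild West Domains, Inc. (R120-LROR)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Registrant Name:Jesse Rocha
Registrant Organization:World Youths Organization
Registrant City:Austin
Registrant Country:US
"""

# Assumed date the invitation was received (the post is from February 2008).
REFERENCE_DATE = datetime(2008, 2, 15, 12, 0, tzinfo=timezone.utc)

# Illustrative thresholds, not an industry standard.
YOUNG_DOMAIN_DAYS = 180
MINIMUM_TERM_DAYS = 366   # one year, allowing for a leap year


def parse_whois(text):
    """Split 'Key:Value' lines into a dict; keys that repeat (Status) become lists."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in record:
            existing = record[key]
            record[key] = (existing if isinstance(existing, list) else [existing]) + [value]
        else:
            record[key] = value
    return record


def parse_whois_date(value):
    """Parse this registrar's date format, e.g. '15-Nov-2007 09:56:38 UTC'."""
    return datetime.strptime(value, "%d-%b-%Y %H:%M:%S %Z").replace(tzinfo=timezone.utc)


def domain_signals(record, seen_on):
    """Return the domain's age and registration term at seen_on, plus any flags."""
    created = parse_whois_date(record["Created On"])
    expires = parse_whois_date(record["Expiration Date"])
    age_days = (seen_on - created).days
    term_days = (expires - created).days
    flags = []
    if age_days < YOUNG_DOMAIN_DAYS:
        flags.append(f"domain was only {age_days} days old when the email arrived")
    if term_days <= MINIMUM_TERM_DAYS:
        flags.append("registered for the minimum one-year term only")
    return {
        "domain": record["Domain Name"],
        "age_days": age_days,
        "term_days": term_days,
        "flags": flags,
    }


if __name__ == "__main__":
    result = domain_signals(parse_whois(WHOIS_TEXT), REFERENCE_DATE)
    print(result["domain"], f"age={result['age_days']}d", f"term={result['term_days']}d")
    for flag in result["flags"]:
        print(" -", flag)
```

Neither signal proves a scam on its own (plenty of legitimate sites are new and renew yearly), but an "established" organisation whose domain appeared three months before the invitation, on a one-year term, is exactly the pattern the rest of this post documents, and it is a check that takes seconds.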

As for what they're actually after, I fired them an email to "confirm my interest in this wonderful event" and this is what I got back:

"Dear Sir,
By recommendation, we accept you to participate in the forth-coming conferences,
which will now be held at the DISNEYLAND CONVENTION CENTER , ANAHEIM , C.A ,USA
and at OLYMPIC STADIUM HALL, DAKAR-SENEGAL, West - Africa.
The theme of the forth coming International Conferences is to equip participants
with the strategies and policies to wage a global war against Racism & Child
Abuse. The conference organizing committee in conjunction with the donor
sponsoring committee has mapped out some financial rewards to group
participants that distinguished themselves in their areas of discipline......
Panel of Judges has been appointed to oversee and to select participants of
merit.

(1) Group participant NO.1 Winner is entitled to the sum of $150,000.00 Dollars
( HUNDRED AND FIFTY THOUSAND DOLLARS)..
(2) Group participant NO .2 Winner is entitled to the sum of $100,000.00 (ONE
HUNDRED THOUSAND DOLLARS).
(3) Group participant NO..3 Winner is entitled to the sum of $75,000.00 (SEVENTY
FIVE THOUSAND DOLLARS)"

Wait....wouldn't it be more useful to, you know, give that money to all those starving people they're trying to help as opposed to a bunch of well off conference flunkies? You'd be amazed how many people would see something like that and be packing their suitcase within minutes. They continue:

"REGISTRATION OF PARTICIPANTS: A minimum of five (5) or a maximum of ten (10)
people are expected to participate together as a group or organization to
represent their Country in the forth-coming events. None of them should be less
than eighteen years of age and must participate in both Conferences."

....HAHAHA. Okay, they now want you to round up five to ten more victims, presumably so you can take a thorough beating once they've all lost piles of money.

"They should be in possession of their international passports to enable them
participate in this conferences. For registration to participate in this event,
you may forward the names and passport numbers of your group members to us, as
soon as possible, as all participants visa assistance request will be forwarded
to the U.S Department of State for same day visa Authorization which shall be
sent by fax to the consular section of the U.S. Embassy, in your country of
residence.

Delegates will only be responsible for their own hotel booking in Dakar-Senegal
for the second pharce of the event due to the inability of our partner
organizations to mobilize enough funds to sponsor the number of expected
delegates to attend both conferences... All registered participants are
entitled to a round trip air tickets, meals and accommodation during their stay
in the U.S.
If you are interested to participate in the forth-coming International
Conferences, You must send to us the following information :
1) Names exactly as in passport.
2) Passport Numbers.
3) Date of Birth.
4) Place of Birth..
5) Country of Residence.
6) Tel/cell Number
To our registration desk by email: registrationdesk@worldyouthsorganization.org
OR info@worldyouthsorganization.org
Phone: +1-516-303-0022
Fax: +1 (714) 276-0119
http://www.worldyouthsorganization.org/
Mrs. Rose Dixion
Conference Secretariat"

...yes, send us your passport details, hurry! They didn't reply to my follow-up about me not needing visas due to UK citizens being able to travel to the States on the Visa Waiver program, but if they did, I guarantee the subject of sending them money via Western Union to cover the cost of the Senegal hotel would have been raised.

If you go looking around for these fake conferences, there are a fair number of them lurking - all using parts of the same information / names / photographs:

wyf.org.tripod.com/index.html
wyforg.tripod.com/
gyfma.tripod.com/
conference.up-a.com/
agecare-organization.tripod.com/index.html ("Age Care Organisation" presents "Child Trafficking and Sex Exploitation" - whaaa??)

Here's one that's been canceled due to violating ToS. In a nutshell, they move from domain to domain once the date for their supposedly current "conference" has passed - sort of like a plague of money making locusts. There are already a number of red flags for the main .org domain on various 419 scamfighter websites.

It seems sort of pointless to finish this off with a dire warning of Internet badness, but here we go - do NOT be suckered by these random "too good to be true" offers to fly to some fancy conference somewhere. It's highly likely to be fake, and could cost you a whole lot of money (and broken bones, after your friends have beaten you up). We're currently trying to have all related domains taken offline, and will post updates as / when they come in.

[7:10:30 AM] Paperghost says: Hey, did you get a chance to look at that thing I found yesterday?

[7:10:39 AM] Peter Jayaraj says: Yep, it's an interesting collection of applications...let me explain
[7:13:50 AM] Peter Jayaraj says: The List Master - this is used to breakup the Emails...
[7:14:05 AM] Peter Jayaraj says: if you have 10,000 emails to crack.. you can split up 5K at a time..
[7:14:16 AM] Peter Jayaraj says: you can extract email Ids based on keyword.

[7:14:31 AM] Paperghost says: Nice. Fill me in on the other ones

[7:15:22 AM] Peter Jayaraj says: List Processor - this is used to clear blank lines in the file.

[7:16:45 AM] Peter Jayaraj says: Myspacefriendfinder is used to find friends on Myspace using keywords.

[7:18:07 AM] Peter Jayaraj says: "OnceIsEnough" is used to remove the duplicates.

[7:18:16 AM] Paperghost says: And at that point, you roll out Myspace Demon and go crack some Myspace accounts?

[7:18:32 AM] Peter Jayaraj says: Yep

[7:19:19 AM] Peter Jayaraj says: So all these apps can be used together effectively.

[7:19:35 AM] Paperghost says: Very effectively, from the looks of it...!

It's really not a great idea to fill up Phish pages with fake data, but I couldn't help laughing when I saw this missive at the bottom of one particular password drop:

myspacephishmessage.jpg

I recently spoke at the ASC Conference in DC:

http://blog.spywareguide.com/upload/2008/02/asc081-thumb.jpg

...and a lot of interesting issues were laid out for discussion (I should point out we didn't speak in the Capitol Building, I just like that photograph. Plus, it looks a bit more impressive than a picture of a hotel). Shall we have an obligatory shot of a board with a lot of companies listed on it? Sure:

http://blog.spywareguide.com/upload/2008/02/asc083-thumb.jpg

That's a whole lot of companies right there! Anyway, the Conference had a lot of FTC people in attendance, and kicking things off were Ari Schwartz and FTC Commissioner Jonathan Leibowitz:

http://blog.spywareguide.com/upload/2008/02/asc085-thumb.jpg

A repeated theme (that may or may not have been intentional) was that, to some degree, the "battle is won" - at least as far as trying to get "legit" Adware vendors to toe the line goes. Of course, there's still plenty of badness out there to contend with. The evidence from security forums and people fighting these infections on the frontline would seem to suggest PC hijacking is as rampant as ever, if not more so.

Shall we lighten the mood with some cameo shots of the antispyware big-hitters? (Click to enlarge each image)

http://blog.spywareguide.com/upload/2008/02/asc086-thumb.jpg
Alex Eckelberry!
http://blog.spywareguide.com/upload/2008/02/asc087-thumb.jpg
Bill Pytlovany!
http://blog.spywareguide.com/upload/2008/02/asc0810-thumb.jpg
John Levine!
http://blog.spywareguide.com/upload/2008/02/asc089-thumb.jpg
Lance James! (Long story..)

Stefan Savage gave a great presentation, where he looked at various elements of the underground economy of hackers - namely, what carders and data theft scammers get up to in IRC channels.

http://blog.spywareguide.com/upload/2008/02/asc0811-thumb.jpg

My own panel featured Alex, Lance, Cindy Southworth of the awesome NNEDV and Luke Erickson of the FTC. We talked about some pretty heavy duty stuff, including how the increasing frequency of illegal pornography is actually causing some people in security to drop out of the business (because, understandably enough, they don't want that kind of material on their PCs lest the police come calling), how kids as young as twelve are happily trading credit cards and the kind of information Phishers and data stealers are collecting (the slides provided by Lance were an extremely interesting extension of what Stefan had been saying earlier on).

http://blog.spywareguide.com/upload/2008/02/asc2008128888-thumb.jpg
(Thanks to Bill P for the image!)

A lot of food for thought, and I'm hopeful the presentation I gave regarding the kids getting involved in hacking and cracking hit home with the FTC people in attendance.

At this point, I want to give a mention to NNEDV - I spent a lot of time talking with Erica Olsen of the National Network to End Domestic Violence, and it was frankly mind boggling how many anecdotal tales ended with "Yeah, she died / was killed / beaten to a pulp" etc. It seems depressingly likely that we've just scraped the tip of domestic abuse going hand in hand with monitoring software / keyloggers / all those other wonderful products sold as "surveillance tools" to "keep Junior safe online", which are in fact almost immediately used for much darker purposes.

Truth be told, the entire conference was a strange mixture of conflicting views - on the one hand, we were being told "we've won", but on the other hand, people like myself and NNEDV were showing how a lot of individuals were ending up as losers, with no hope of fixing whatever tech-related problem they happened to be in...from the comical to the life threatening.

I guess the Internet really is serious business.

Listen to the full conference (and check out the slides) here, and make your own mind up. Adware was, is, and will continue to be a problem for the foreseeable future - but beyond all the types of "ware" out there that we need to start concentrating on, we need to remember that every single time something bad gets onto a PC, a life can potentially be destroyed forever.

Now, more than ever, we need to keep fighting.

About this Archive

This page is an archive of recent entries written by Christopher Boyd in February 2008.
