…Actually please don’t!

Their grey small-print ad declares that calls cost £1.02 per minute and rightly (but pretty much illegibility) claims “this service is not connected with the London2012.com website.” It also says “this information service is provided as is and is without any warranty or guarantee to its accuracy or fitness for any particular purpose.” If that’s true, then why bother?

I have always had an ethical issue with premium-rate information lines profiteering from otherwise free and high-quality information resources. Official information regarding 2012 ticketing is available via  www.london2012.com. It’s a great site and the only one you’ll need and clearly links to the ticketing subsite at www.tickets.london2012.com. The legitimate site even has a page that documents a heap of scams they’ve seen already! Clearly scammers and cybercriminals will continue to use sporting events as a lure to relieve people of their money. Stay informed. Stay updated. Stay safe.

Please ensure that when you donate to victim relief efforts, that you do so through legitimate sites.

  1. .Org domains are cheap. Registering does not authenticate charitable status in any way. Verify that the organization is actually a registered charity.

  2. Domain solicitations that arrive by unsolicited email, especially those sounding overly urgent or desperate, are very likely to be scams

  3. The same goes for advertising banners

  4. If you’d like to help, I recommend you support one of the major international organizations that have a “most in need” fund

The types of scams to expect are fake donation and charity sites (including charity phish), 419 variants, fee based loved-ones locators, tweets pointing to scams and, of course, exploit-laden search-engine optimized sites installing malware.

This post from our cybersecurity mom, Tracy Mooney, charitable giving may also be of use.

Stay safe!

Sale!

1. Heroin, in liquid and crystal form.
2. Rocket fuel and Tomohawk rockets (serious enquiries only).
4. New shipment of cocaine has arrived, buy 9 grams and get 10th for free.

Everyone is welcome, but not US citizens.

ATTENTION. Clearance offer. Buy 30 grams of heroin, get 5 free.

Prices upon reqeust:

Our email: <redacted>@<redacted>.COM

PHONE 0093 (0) 20 <redacted>
FAX 0093 (0) 70 <redacted>

Afghanistan

This is actually a really old prank, originally targeted at the Dark Profits website in 2003. This is simply a prank twist of a traditional email Joe Job., designed to flood a mailbox/phone/fax with responses.

We saw a couple of different flavors of this campaign targeting different entities however all were appropriately caught.

Snopes have a great article in their archive if you’d like a refresher.

Don’t panic. Nothing to see here!

However, around the coffee machine the other day I got involved in a quick discussion about spam on Facebook. A long-term social networker genuinely thought that Facebook spam did not exist and that all the noise was from Facebookers playing games or using annoying apps. So I offered to write up an example.

One of the most subversive forms of advertising on Facebook is (though I hate to admit it) fram.

You receive a post like this from a friend:

^{(Sorry Plum)}

This page uses the FBML application to render content in a tab, and that tab is the default you see.
Step one is become a fan, so that you can see the next step.

This posts to your wall:

The fram quickly propagates from friend to friend–and spreads virally, to almost half a million fans.

Let’s return to step 2: after becoming a fan:

<click>

Oooh, SEKR3T CODE! <click>

This bit of JavaScript is very common on Facebook pages that want to spread quickly. It selects all your friends in the invite pop-up. It is a clear sign of something you don’t want to do, and it’s almost always related to some form of scam. I ask my friends not to do it; you should do the same.

Double bubble: Because you’ve posted to your wall once that you’re a fan, why not repeat the process and “share” the page, too?

Of course you want to share this, even though you have not yet seen the content.

By now we hope your friends have said “no thanks” to this. That’s a vain hope, however, because they have nearly a half-million members.

<click> Oh drat. I had JavaScript blocked.

<click> Oh drat> I had ad-block installed.

At last the Video! … on http://thiswillruinurreputation.blogspot.com/

All that work and what do we see? It’s affiliate spam.

So there’s your example. Facebook spam is somewhat complicated and mostly initiated by your friends.

Here are my tips for avoiding wall spam. Befriend only people you know and trust. Hide all the daft apps your friends use. Hide all the friends who think the world wants to know every time they visit the bathroom. Think very very hard before granting an app permission. And please, please, please report spam on the bottom left of the wall page.

The tragedy is that the spammer didn’t lie because behind that advert on the blogspot site there really is a funny video, but to the average user friend it’s impossible to see.

32 minutes ago · Comment · Like

I’m a little pedantic about the Queen’s English from time to time, and like most people I also make mistakes. However, this little spelling error caught my eye and a quick Google proves it’s gone unnoticed by the owners for quite a while, too.

I was doing a little research into some DSL IPs being abused at the moment and spotted the misspelling acess in this broken English phrase taken from the terms of service of a fake AV website:

“If acess services is unavailable during the subscription period, the member has the right for a refund of subscription fee.”

Google-dorking it with quotes so we get the exact phrase [link] reveals 141 sites that Google knows of. Misspelling access is hardly a crime, but copying the whole phrase is a little odd, isn’t it?

Take a look at the terms and conditions page of advanced-virus-remover2009 .com. (Visiting this site is bad for your health.)

And also the customer service page of this extreme porn site (incest-related domain redacted for obvious reasons):

These are sites that announce new content frequently, but the 18 U.S.C. 2257 record-keeping statements say that the content is ineligible–as it was created prior to July 3, 1995. Aand they don’t ask for your date of birth when you sign up, either. (The signs are always there!)

…and one of the promotional affiliate networks for a network of porn sites:

…and the world-renowned Data Backuper software from databackuper .com

These are old sites, so let’s be realistic here: It’s just a template. The bad guys are just lazy (or efficient, depending on your point of view) when it comes to their websites. As proof, if more were needed, advanced-virus-remover-2010 .com registered a day or two ago and is exactly the same.

(Old techniques die hard, eh? )

The same group(s) are undoubtedly connected with the recent tsunami spam that’s spreading more fake-alert malware–given the domain overlap below with this detailed VIL’s hosts-file infection data: http://vil.nai.com/vil/content/v_162829.htm

Lastly let’s take a look at their most recent flurry of fake-AV/codec/crypto&porn domains.
(Again, don’t visit; just read.)

0-vs-codec-pro .com
10-open-davinci .com
1-open-davinci .com
1-vs-codec-pro .com
2-open-davinci .com
2-vs-codec-pro .com
3-open-davinci .com
3-vs-codec-pro .com
5-open-davinci .com
6-open-davinci .com
advanced-virus-remover-2009 .com
advanced-virus-remover2009 .com
advanced-virusremover-2009 .com
advanced-virusremover2009 .com
advancedvirus-remover-2009 .com
advancedvirus-remover2009 .com
advancedvirusremover-2009 .com
advanced-virus-remover-2010 .com
advanced-virus-remover2010 .com
anti-virus-xp-pro2009 .com
bastaproject .com
best-scan .com
best-scan .net
best-scan-pc .com
best-scanpc .com
best-scan-pc .net
best-scanpc .net
best-scan-pc .org
best-scanpc .org
bestvsprog .net
coolcodec .net
coolcount1 .com
coolprojectnew .com
downloadavr3 .com
downloadavr4 .com
downloadavr5 .com
downloadavr6 .com
downloadavr7 .com
downloadavr8 .com
greatcrypt .com
hard-xxx-tube .com
maindavinchi .com
mainvscodec .net
megacryptnew .com
onlinescanxppro .com
open-davinci .net
rims-shop .com
testavrdown .com
testavrdownnew .com
trucount3005 .com
trucountme .com
vscodec-pro .net
vsproject .net
xxx-white-tube .net
xxx-white-tube .org

Quite a diverse set, eh? The pornographic content is managed somewhat separately, and I really don’t want to make extra work for our legal team with this one!

I doubt that’s all we’ll see this week. Passive DNS monitoring also shows that many of these are unused so far.

There will be more on this one, I’m sure.

Subjects:

First US swine flu victims!
US swine flu statistics
Salma Hayek caught swine flu!
Swine flu worldwide!
Swine flu in Hollywood!
Swine flu in USA
Madonna caught swine flu!

Also we’ve noticed domain name registrations mentioning the word swine are up by about 30 times and you can bet your daughters it’s not all going to be “whitehat” SEO.

….I didn’t stay for the speech

For those who do not know, false alarms are caused where an anti-virus product detects a clean file as infected and is something all AV companies try hard to avoid. Recognition that we’ve got the lowest false alarm rate on test is awesome.

Clicking the image will take you to today’s fake codec download site. Repeated clicks will take you to an adult site [both NSFW, you have been warned!].

The difference between this and the MSN Spaces abuse that is now about a year old is that Google appears to automatically index code projects, so any Google-Jedi can generate a good list (Google Search–again, don’t click the links) to start with.

Or the fact that the image is linked from http://bestsextube dot net/video.gif all the time might also be useful to know. The icing on the cake, though, is the link to somewhere/in.cgi … I’ll come back to this later.

The porntube site is also host to a number of other related sites such as fake anti-anything software:

The codec download site, which is in Latvia, also hosts a number of related sites:

The Google Code project owner has a few other projects of a similar nature, too.

A year ago I blogged about MSN Spaces beta with a very similar issue… I even spoke to some very nice folks there about it, and a year later it’s still being abused by spammers [ spamhaus award. ] I trust Google would like to appear less evil and will take more decisive action. I’d suggest mashing code and safe browsing together, but it appears not to find anything wrong with the clickable links, though it did catch on after some redirection took place.

…perhaps I should start consulting on this sort of thing

Anybody suffering deja-vous? “/in.cgi should ring an alarm bell or two. If not, check out my colleague Micha’s blog on traffic management. He explains what happens to those clicks! This is campaign “6.”

Happy new year to all!

Our esteemed blogmaster Ed has been moaning about getting something on the blog about it & I wanted to dig out something meaningful for our readers so I contacted a close partner of ours and got some real mailserver stats.

Quite the haircut I’m sure you’ll agree.

You can read my previous blog about bots calling home to mother-ships (often via proxies) if you’re interested as to why this had such a sudden and dramatic effect.

Enjoy the lower load averages while they last though

This is no reason to rest however, we’re still as busy as ever in the labs and we’re watching as intently as ever. The child porn sites are already on a transatlantic move for instance and we’ll be calling our colleagues at the IWF today for sure.

$50 for a survey! It’s our unlucky day…

[Click for full size]

As you can see from the partially obscured email address it is clearly NOT from JP Morgan Chase!! I hope this variation on the theme is suspicious enough to set off most peoples “too-good-to-be-true” radar. We can expect this type of attack to get much more convincing real soon no doubt.