A new twist on blog spam


I’ve written about blog spam before, a particularly underhanded and sleazy way of driving traffic to another website by flooding others with comments which contain backlinks or IP addresses.

The following chain of comments (unedited) appeared at various posts two days ago; it took me a minute or two to figure out what was going on, wondering if someone was really getting ad-based notices from my blog.

“you advise me to come to thjs site to unsubscribe, yet all i see are ads for your company which is wich you tell me”
“unsubscribe me thank you i am not interested”
“for the third time i an not interseted please do not send me any more blogs”
“not in the least bit interested, thank you”
“stop sendind me ads”

These all came on a single day within 6 minutes of each other, with a name (Salvatore Monda), an email address, and an IP address attached. It’s the IP address that provides the basis for raising search-engine rankings for spurious websites – aside from the fact that this tactic rarely works any longer, Google and others having factored it into their search algorithms. Yet somehow, devious and stupid people keep trying.

I checked out the IP address – it appears to be defunct already, meaning someone has shut it down before anyone could be driven to it for whatever purposes – advertising, malware, who knows what. Akismet does a good job at filtering out most blog spam, but these look legitimate enough that they slipped through. Fortunately, I get to approve (or trash) comments at this blog before they go live – which I have done.
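A defender-side check for the pattern described above (several comments from one name, e-mail and IP address landing on different posts within a few minutes) is easy to express as a sliding-window rule. This is an added example, not code from this blog or its platform; the comment records, names and addresses are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not the blog's real records): one identity leaves
# five comments on five different posts inside six minutes; another reader
# leaves two ordinary comments hours apart.
COMMENTS = [
    {"post": "blog-spam",   "name": "Salvatore Monda", "email": "sm@example.invalid", "ip": "203.0.113.7",  "time": "2016-05-10T09:00:10"},
    {"post": "yahoo-scam",  "name": "Salvatore Monda", "email": "sm@example.invalid", "ip": "203.0.113.7",  "time": "2016-05-10T09:01:30"},
    {"post": "go0dvinez",   "name": "Salvatore Monda", "email": "sm@example.invalid", "ip": "203.0.113.7",  "time": "2016-05-10T09:03:05"},
    {"post": "crypto-mail", "name": "Salvatore Monda", "email": "sm@example.invalid", "ip": "203.0.113.7",  "time": "2016-05-10T09:04:40"},
    {"post": "payloads",    "name": "Salvatore Monda", "email": "sm@example.invalid", "ip": "203.0.113.7",  "time": "2016-05-10T09:05:55"},
    {"post": "blog-spam",   "name": "Regular Reader",  "email": "rr@example.invalid", "ip": "198.51.100.4", "time": "2016-05-10T09:02:00"},
    {"post": "blog-spam",   "name": "Regular Reader",  "email": "rr@example.invalid", "ip": "198.51.100.4", "time": "2016-05-10T14:30:00"},
]


def identity(comment):
    """Key a comment by the submitter fields a blog platform normally records."""
    return (comment["name"].strip().lower(), comment["email"].strip().lower(), comment["ip"])


def find_bursts(comments, window=timedelta(minutes=6), min_comments=3, min_posts=2):
    """Return {identity: largest burst size} for identities that left at least
    min_comments comments on at least min_posts distinct posts inside any
    sliding window of the given length. Identities below both thresholds
    are not reported."""
    grouped = defaultdict(list)
    for c in comments:
        grouped[identity(c)].append((datetime.fromisoformat(c["time"]), c["post"]))
    flagged = {}
    for key, events in grouped.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until events[start:end+1] fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            if len(span) >= min_comments and len({post for _, post in span}) >= min_posts:
                flagged[key] = max(flagged.get(key, 0), len(span))
    return flagged


if __name__ == "__main__":
    for key, size in find_bursts(COMMENTS).items():
        print(f"burst of {size} comments from {key}")
```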

Salvatore Monda, this one’s for you.*

No Because No

The Old Wolf has spoken.

Not from Yahoo (scam)


“Your Mail version is outdated.” “Upgrade your account now.”

Never follow links like this that ask you to enter your email username and password. Would you hand your credit card to a criminal? Don’t give access to your Yahoo, Gmail, Hotmail, or other accounts to scammers.

If you have loved ones who are not especially tech-savvy, please protect them from this kind of jiggery-pokery.

Be safe out there.

The Old Wolf has spoken.

go0dvinez: Malware Central

With uBlock Origin attached to Chrome and a host of other malware protections on my computer, I almost never see ads, spam, malware, popups, popunders, or any such things.

My phone is not so fortunate.

Recently I’ve checked out a couple of things on my Android that had shown up on my Facebook wall, and it’s been a long time since I’ve seen such a blatant effort to redirect, scam, browser-hijack, deceive, and annoy visitors as I experienced today with go0dvines.com (don’t go there.)

When you get a link like [http://go0dvinez.com/bakla-m3t-gayam-t-loko-ka-barok-xyter-iexsa-sonnn-off/], you know something is going to be off in the first place – but that didn’t show up until I did some researching on my desktop. On the phone, as soon as you hit the site, you’re immediately taken through something like a six-level-deep redirect chain, and this is what you see:

[Slideshow of the redirect pages, not reproduced here]

I don’t even want to think about what kind of insidious garbage you would be downloading to your handheld device if you followed those links or clicked on the install buttons. One of them completely locks your browser; the only way out is to restart.

This is internet evil in its most distilled form, topped only by ransomware viruses and the unspeakable horrors of the deep web where few of us ever wander.

Stay away from this website, and if you see strange things happening to your phone when you follow a link, get out of there as fast as you can. Legitimate websites will never give you virus popup warnings like this.

Be careful out there.

The Old Wolf has spoken.

Nine more Crypto Emails

Today in the mail, another gush of spam emails, each one with a .zip attachment labelled “invoice” or “statement” or “employees” or some other innocuous title. Each one contained a .js (JavaScript) file which would download encryption software, corrupt my files, and demand a ransom. Please do not be victimized by these criminals.

From: Carole Middleton <MiddletonCarole95@bol.net.in>
Subject: [SPAM] Re: Chart of Accounts

hello info,
You may refer to the attached document for details.
Regards,
Norma Palmer

From: Beatrice Salinas <SalinasBeatrice75015@slotcarsdirect.co.uk>
Subject: [SPAM] FW: vendors

Hi info
The attached spreadsheet contains bills. Please review
Regards,
Beatrice Salinas

From: Devon Garcia <GarciaDevon55@uid.uk.com>
Subject: [SPAM] Re:

Hi info,
As promised, the document you requested is attached
Regards,
Devon Garcia

Subject: [SPAM] Emailing: Photo 05-11-2016, 98 43 44

Your message is ready to be sent with the following file or link attachments:
Photo 05-11-2016, 98 43 44
Note: To protect against computer viruses, e-mail programs may prevent sending or receiving certain types of file attachments.  Check your e-mail security settings to determine how attachments are handled.

Note: How kind of them to warn me against viruses.

Subject: [SPAM] Emailing: Photo 05-12-2016, 64 94 68

Your message is ready to be sent with the following file or link attachments:
Photo 05-12-2016, 64 94 68
Note: To protect against computer viruses, e-mail programs may prevent sending or receiving certain types of file attachments.  Check your e-mail security settings to determine how attachments are handled.

From: Kareem Sweeney <SweeneyKareem2103@residenceferrucci.it>
Subject: [SPAM] Re:

hi info,
As promised, the document you requested is attached
Regards,
Kareem Sweeney

From: Kristine Brennan <BrennanKristine0377@lemmertzturismo.com.br>
Subject: [SPAM] build assemblies

hello info
Attached please find the build assemblies report for your review
Thank you.
Regards,
Kristine Brennan

From: Mable Ward <WardMable44090@cmsadv.com.br>
Subject: [SPAM] FW: invoices

Hi info
The attached spreadsheet contains employees. Please review
Regards,
Mable Ward

From: Milagros Wiley <WileyMilagros41@telefonica.de>
Subject: [SPAM] receive payments

hello info
Attached please find the receive payments report for your review
Thank you.
Regards,
Milagros Wiley

From: Norma Palmer <PalmerNorma3969@jpowerassembly.org>
Subject: [SPAM] Re: Chart of Accounts

hello info,
You may refer to the attached document for details.
Regards,
Norma Palmer

I post these only in case people out there are searching the web for similar messages.

Be clear: THESE MESSAGES CARRY ENCRYPTION VIRUSES. Do NOT open the attachments!

Be careful out there.

The Old Wolf has spoken.

Ten Crypto-Emails in a Single Day

Please, please, be careful out there. The Crypto-scammers are ramping up their game.


Below are eight of the ten spam emails I received only today. Each one was equipped with its own attachment, which would have doubtless encrypted my entire computer.

1)

To: “redacted”
From: Norman Baldwin <BaldwinNorman31872@jawhar9.com>

Subject: Second Reminder – Unpaid Invoice

We wrote to you recently reminding you of the outstanding amount of $7096.64 for Invoice number #18268E, but it appears to remain unpaid.

For details please check invoice attached to this mail

Regards,
Norman Baldwin
Deputy Director of Finance

2)

To: “redacted”
From: Olive Booth <BoothOlive804@beamtele.net>

Subject: Re:

Hello, info

Please find the document file attached to this mail. The attached file contains transfers and invoices history of your bank account

Regards,

Olive Booth

3)

To: “redacted”
From: Greg Maynard <MaynardGreg93@agenciaH.com>
Subject: Re:

Good evening info,
As promised, I have attached the spreadsheet contains last 50 transaction and your account actual balance.
Regards,
Greg Maynard

4)

To: “redacted”
From: Dolly Browning <BrowningDolly48549@feoliveira.com>

Subject: RE: Outstanding Account

This is a reminder that your account balance of $5315.75 was overdue as of 25 April 2016.

Enclosed is a statement of account for your reference.

Please arrange payment of this account today or, if you cannot make full payment at this time, please contact us to make a payment arrangement that is mutually acceptable.
Regards,

Dolly Browning
CEO, Cafedirect

Have a nice day

Yeah, I’d have a really nice day if I opened your attachment and all my files were encrypted. Shove it where the sun don’t shine, fool.

5)

To: “redacted”
From: Clarissa Ewing <EwingClarissa61@betonfiguratie.nl>

Subject: Re:

Hello, info

Please find the document file attached to this mail. The attached file contains transfers and invoices history of your bank account.

Regards,
Clarissa Ewing

6)

Subject: Ticket
From: Alma cawley <Veronica344@gmail.com>

To: redacted

Content-Type: application/zip; name="TICKET-T1153854633273.zip"
Content-Disposition: attachment; filename="TICKET-T1153854633273.zip"
X-Attachment-Id: 90725767494-local0

7)

To: “redacted”
From: Guadalupe Oneal <OnealGuadalupe459@sanctuaryandcare.com>

Subject: FINAL NOTICE – OUTSTANDING ACCOUNT

Dear Client,

We are writing concerning the amount of $3339.41 which was due to be paid on 01.05.2016 and, despite numerous requests for payment, remains outstanding. Details attached to this email.

We demand that payment of the full amount be paid to us on or before 10.05.2016. If this account is not resolved by the specified date we reserve the right to commence legal proceedings to recover the debt without further notice to you, and you may be responsible for any associated legal fees or collection costs.

If you wish to prevent this, please contact the undersigned as a matter of urgency and settle your account before the above date.

Regards,
Guadalupe Oneal
Head of Finance
UKGI Planning

8)

To: “redacted”
From: Tad Whitney <WhitneyTad085@tecktranslations.de>

Subject: FINAL NOTICE – OUTSTANDING ACCOUNT

Dear Client,

We are writing concerning the amount of $6958.82 which was due to be paid on 01.05.2016 and, despite numerous requests for payment, remains outstanding. Details attached to this email.

We demand that payment of the full amount be paid to us on or before 10.05.2016. If this account is not resolved by the specified date we reserve the right to commence legal proceedings to recover the debt without further notice to you, and you may be responsible for any associated legal fees or collection costs.

If you wish to prevent this, please contact the undersigned as a matter of urgency and settle your account before the above date.

Regards,
Tad Whitney
Chief Technology Officer

Even if an email claims you owe them money, if it threatens you, even if it looks like a legitimate invoice, even if it comes from someone you think you know, NEVER open attachments – especially .zip files – without verifying what it is and who it comes from.

Working as I do for a first-rate cloud backup company, I have noticed a definite uptick in people calling in for help to recover their files after having everything they own encrypted, and being blackmailed for anywhere between $300 and $2000 to get their data back (and there’s no guarantee the criminals will send them a decryption key even if they pay.)

You may want to consider Carbonite. They keep up to 12 versions of your data, making you almost Crypto-proof. This article at the New York Times mentions them by name.

The internet has made it excruciatingly easy for human scum to perpetrate financial crimes on their victims. Please be careful and don’t become one of those victims.

  1. Never open attachments from unknown senders.
  2. Keep your anti-virus software up to date.
  3. Back up your data safely.

The Old Wolf has spoken.

Malware Payloads


I’ve noticed a lot of malicious emails coming through to one of my addresses lately – interestingly enough not at Gmail, which may even filter these things out before they are even sent to Spam – but to one of my private email addresses. Here are two examples:

Dear info,

Many thanks for your card payment. Please find payment confirmation attached below. Should you have any queries, please do not hesitate to contact Credit Control Team.

Best regards

Dena Carpenter
Director Audit Services
Attachment: 851E2_info_43A8AE.rar

And this one:

Dear info,

Please check the bill in attachment.
In order to avoid fine you have to pay in 48 hours.

Best regards

Antonia Snider
Executive Director Sales Account Management Training Performance Support
Attachment: info_e-bill_669770.zip

Both of these emails came with compressed attachments, one a .zip file and one a .rar file. Inside each was a document with the extension “.js,” meaning it’s a JavaScript file which would automatically run as soon as the file was double-clicked to see the “invoice” or “bill.”

DO NOT DO THIS.
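The attachment pattern described in this post and in the two crypto-email posts above (a .zip or .rar wrapper around a .js file, behind a bland “invoice” or “bill” message) can be checked before anyone double-clicks. The following is an added example, not code from this blog or from Carbonite: it constructs a lure message of that shape and scans it with Python’s standard library, flagging script attachments, zips that contain scripts, and archive formats (.rar, .7z) that the standard library cannot open.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows will execute when the file is double-clicked.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".wsf", ".exe", ".com", ".scr"}
# Archive formats the standard library cannot open; flag them on sight.
OPAQUE_ARCHIVES = {".rar", ".7z"}


def build_sample_message() -> bytes:
    """Construct a lure like the ones quoted on this page (not a captured
    mail): a bland 'invoices' body with a .zip wrapping a .js file."""
    msg = EmailMessage()
    msg["From"] = "Spam Sender <sender@example.invalid>"
    msg["To"] = "info@example.invalid"
    msg["Subject"] = "FW: invoices"
    msg.set_content("Hi info\nThe attached spreadsheet contains employees. Please review\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Constructed member name with harmless placeholder content.
        zf.writestr("invoice_2016.js", "// placeholder, not a real payload\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="info_e-bill_669770.zip")
    return msg.as_bytes()


def suspicious_attachments(raw: bytes):
    """Return (attachment name, reason) pairs for attachments that are a
    script, an archive we cannot look inside, or a zip holding a script."""
    findings = []
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ext in SCRIPT_EXTENSIONS:
            findings.append((name, "script attachment"))
        elif ext in OPAQUE_ARCHIVES:
            findings.append((name, "archive that cannot be inspected here"))
        elif ext == ".zip":
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    for member in zf.namelist():
                        if os.path.splitext(member)[1].lower() in SCRIPT_EXTENSIONS:
                            findings.append((name, "zip contains script " + member))
            except zipfile.BadZipFile:
                findings.append((name, "corrupt or disguised zip"))
    return findings


if __name__ == "__main__":
    for name, reason in suspicious_attachments(build_sample_message()):
        print(f"{name}: {reason}")
```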

From Microsoft’s Malware Protection Center:

Payload: Downloads malware or unwanted software

This threat can download other malware and unwanted software onto your PC. We have seen it download the following threats:

  • PWS:Win32/Fareit
  • Ransom:Win32/Crowti.A

Connects to a remote host

We have seen this threat connect to a remote host, including:
  • davis1.ru using port 80
Malware can connect to a remote host to do any of the following:

  • Check for an Internet connection
  • Download and run files (including updates or other malware)
  • Report a new infection to its author
  • Receive configuration or other data
  • Receive instructions from a malicious hacker
  • Search for your PC location
  • Upload information taken from your PC
  • Validate a digital certificate

We have seen this threat access online content, including:

  • two.jpg
  • one.jpg

Another similar threat is 097M/Donoff. This Microsoft Article shows many types of emails that are being sent out to try to get people to run this malware. One of my emails contained Win32/Penzievs, which is so new that Microsoft has no technical details on it yet.

Working at Carbonite™, we have seen many customers who have been infected by the Cryptolocker virus and similar encryption programs. Almost all of these vicious payloads come as email attachments that are opened by the unwary. While having good anti-virus protection and a cloud-based backup system that protects multiple versions of your files is good insurance, the best procedure is never to open attachments from unknown sources, no matter how legitimate they look. Especially always avoid “.exe,” “.com,” “.zip,” and “.rar” files.

Be careful out there. Protect yourself and your loved ones.

The Old Wolf has spoken.

Domain Registration Scam – Bad Actors from China

Be careful out there. I just got this email the other day, and while it looked dodgy from the outset, I thought I’d follow it down the rabbit hole to see where it went.

Dear sir or madam,

We are a registrar for domain names authorized by Chinese government. Today, we received an application from Daoc International ltd applying to register [domain] as their brand name and some top-level domain names(.CN .HK etc). After our initail checking, We found the main body of domain names is same as yours.

We are handling the application and we need to confirm whether or not you authorize them to register them? Let me know your positon ASAP so as to solve it promptly. Looking forward to your reply.

Best regards,
Elvin Lee
Tel:+86-551- 6349 1191
Fax:+86-551- 6349 1192
Address:No.413,Changjiang Road,Hefei City,Anhui Province

OK. So I simply responded and said, “These domains are not authorized, thank you.”

Next up:

Notice: regarding this case, we did not receive any of your reply until now. Concerning the mentioned brand name please confirm whether you need to register by yourselves? If need, please let us know in time, we can send an application form to you. If you think the registration of that company or the use of the brand name will not bring any negative effect to your company, i suggest you can give up the brand name, then we will accept that company application unconditionally. Further questions please contact me in time.

Followed the same day by this:

Notice: hi, i am Elvin Lee. We had discussed the case about disputing your company’s brand name. You have never registered the brand name, the dispute period will come soon. If your company does not register the brand name, we will start aforesaid company registration within 2 workdays. That company will become the legal owner of the brand name in the world. We had notified you, so we are not responsible for any dispute question about your intellectual property right and trademark after they succeed in registration. If you have any questions, pls contact us within 2 workdays.

Basically telling me I’ll lose worldwide rights to my domain name if I don’t quickly take action, or alternatively, I should abandon my own domain so that they can legally register it with other companies.

Lastly, today:

Thanks for your confirmation. As soon as receiving the application of that company, we checked and found [domain] is your company’s using name. We are concerned that your name might be affected negatively by their applications, this is why we informed you. Following brand name and domain names are applied by that company:
Brand name:
[domain]
Domain names:
[domain].asia
[domain].cn
[domain].com.cn
[domain].com.hk
[domain].com.tw
[domain].hk
[domain].in
[domain].net.cn
[domain].org.cn
[domain].tw
[domain].co.in

You know that the domain names registration is open in the world, that company also has the right to apply for the available domain names. You only have the preferential rights to register them.

At present, we haven’t passed their application, we need your opinion. If your company consider these names of importance to your company’s business or interest, i suggest that your company register these names first so as to avoid confusion or speculation. Of course, If you don’t think their application will affect your company in the future, you can give up these names so that we can finish registering for them. Please give me your company’s decision as soon as possible.

Uh, no. While I have no doubt that there are many good and honest Chinese businesses, this is not one of them – in fact, it falls under the rubric of “morals of a honey badger.”

Above and beyond the standard advice, “Never deal with spammers,” I’d add that you be extraordinarily careful when unsolicited business proposals come from China – in other words, be doubly vigilant.

The Old Wolf has spoken.