Friday, December 2, 2016

Phishing Attempts On My Facebook Fan Page

Right about the time my Facebook fan page started blowing up, all the scammers came out of the woodwork. It's pretty much what you'd expect, from the "hey I wired you a bazillion dollars so make me admin and I'll give you the codez" to the "hey i luv ur page make me admin plz."

This one was novel because it took me a couple of glances to read the domain name. There are so many new top-level domains nowadays that you have to mentally parse the URL, which works in the phishing scams' favor.

The message begins with an ominous warning that your page has violated someone's terms.

Wе hаvе rесеivеd mаny rероrts frоm yоur fаn раgе. Plеаsе rеviеw yоur раgе аnd yоur роsts fоr rеаsоns thаt yоu hаvе viоlаtеd оur tеrms.

‌Y‌о‌u‌r‌ ‌c‌a‌s‌е‌ ‌і‌d‌ ‌і‌s‌:‌ ‌59382774


Here's the full URL they linked. I wouldn't advise following it. I sure didn't.

http://110741904325873.review/127351927/
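An added example, not code from the post, that checks a message and link like the ones above for the two tricks they rely on: the quoted text mixes Cyrillic lookalike letters into Latin words and pads the case-id line with zero-width characters, and the URL hides a throw-away host behind an unfamiliar TLD. The sample strings are constructed from the message above, the confusables table only covers the letters seen here, and the registrable-domain logic assumes a plain two-label host rather than a public-suffix list.

```python
"""Triage of the page-notification scam quoted above: flag lookalike
(non-Latin) letters and invisible characters in the message, undo the
most common substitutions, and pull apart the linked URL so the real
host and TLD are visible. Sample text is constructed from the post."""
import unicodedata
from urllib.parse import urlsplit

# Constructed copy of the message: Cyrillic letters stand in for Latin
# ones (a, e, o, p, c, i), as in the original.
MESSAGE = ("W\u0435 h\u0430v\u0435 r\u0435\u0441\u0435iv\u0435d m\u0430ny "
           "r\u0435\u0440\u043erts fr\u043em y\u043eur f\u0430n \u0440\u0430g\u0435.")
# The case-id line has a zero-width non-joiner (U+200C) between every character.
CASE_LINE = "\u200c".join("Y\u043eur c\u0430s\u0435 \u0456d \u0456s: 59382774")

# Small hand-written table of Cyrillic-to-Latin confusables (assumption: only
# the ones seen in this message; Unicode TR39 publishes the full list).
CONFUSABLES = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o",
                             "\u0440": "p", "\u0441": "c", "\u0456": "i",
                             "\u0443": "y", "\u0445": "x"})

def foreign_letters(text):
    """Count letters by script, ignoring Latin; {} means all-Latin text."""
    counts = {}
    for ch in text:
        if ch.isalpha():
            script = unicodedata.name(ch, "UNKNOWN").split()[0]
            if script != "LATIN":
                counts[script] = counts.get(script, 0) + 1
    return counts

def hidden_chars(text):
    """Count format characters (category Cf): zero-width joiners, marks, etc."""
    return sum(1 for ch in text if unicodedata.category(ch) == "Cf")

def deobfuscate(text):
    """Drop invisible characters and map known confusables back to Latin."""
    visible = "".join(ch for ch in text if unicodedata.category(ch) != "Cf")
    return visible.translate(CONFUSABLES)

def describe_url(url):
    """Split the link so the host, its TLD and the registrable label stand out.
    Assumes a plain two-label registrable domain (no public-suffix list)."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").split(".")
    return {"host": parts.hostname, "tld": labels[-1], "path": parts.path,
            "registrable": ".".join(labels[-2:]),
            "numeric_label": len(labels) > 1 and labels[-2].isdigit()}

if __name__ == "__main__":
    print(foreign_letters(MESSAGE), hidden_chars(CASE_LINE))
    print(deobfuscate(MESSAGE), "|", deobfuscate(CASE_LINE))
    print(describe_url("http://110741904325873.review/127351927/"))
```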

A quick WHOIS search for 110741904325873.review shows it was bought from Namecheap, and they paid for WhoisGuard, which pretty much anonymizes them.

Yeah, it's pretty much a throw-away domain technically registered tomorrow haha! Scammers in different time zones for the win!

Domain Name: 110741904325873.REVIEW
Domain ID: D428254-REVIEW
WHOIS Server: whois.nic.review
Referral URL: http://www.namecheap.com
Updated Date: 2016-08-17T22:05:09Z
Creation Date: 2016-08-17T22:01:41Z
Registry Expiry Date: 2017-08-16T23:59:59Z
Sponsoring Registrar: NameCheap, Inc.
Sponsoring Registrar IANA ID: 1068
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant ID: C428250-REVIEW
Registrant Name: WhoisGuard Protected
Registrant Organization: WhoisGuard, Inc.
Registrant Street: P.O. Box 0823-03411
Registrant City: Panama
Registrant State/Province: Panama
Registrant Postal Code: 00000
Registrant Country: PA
Registrant Phone: +507.8365503
Registrant Fax: +51.17057182
Registrant Email: 3fe9b0dba0d64d9a82743c7f23d74bb5.protect@whoisguard.com
Admin ID: C428251-REVIEW
Admin Name: WhoisGuard Protected
Admin Organization: WhoisGuard, Inc.
Admin Street: P.O. Box 0823-03411
Admin City: Panama
Admin State/Province: Panama
Admin Postal Code: 00000
Admin Country: PA
Admin Phone: +507.8365503
Admin Fax: +51.17057182
Admin Email: 3fe9b0dba0d64d9a82743c7f23d74bb5.protect@whoisguard.com
Tech ID: C428253-REVIEW
Tech Name: WhoisGuard Protected
Tech Organization: WhoisGuard, Inc.
Tech Street: P.O. Box 0823-03411
Tech City: Panama
Tech State/Province: Panama
Tech Postal Code: 00000
Tech Country: PA
Tech Phone: +507.8365503
Tech Fax: +51.17057182
Tech Email: 3fe9b0dba0d64d9a82743c7f23d74bb5.protect@whoisguard.com
Billing ID: C428252-REVIEW
Billing Name: WhoisGuard Protected
Billing Organization: WhoisGuard, Inc.
Billing Street: P.O. Box 0823-03411
Billing City: Panama
Billing State/Province: Panama
Billing Postal Code: 00000
Billing Country: PA
Billing Phone: +507.8365503
Billing Fax: +51.17057182
Billing Email: 3fe9b0dba0d64d9a82743c7f23d74bb5.protect@whoisguard.com
Name Server: DNS1.NAMECHEAPHOSTING.COM
Name Server: DNS2.NAMECHEAPHOSTING.COM
DNSSEC: unsigned
>>> Last update of WHOIS database: 2016-12-03T02:26:27Z <<<

Wednesday, November 30, 2016

More Malware From IMDB

Just like last time, I was looking up a movie (yeah, I watch a lot of movies) on IMDB when it redirected me to the URL below. Same "Urgent Chrome Update" message, and this time I noticed that it still says "Miller's Crossing (1990)" on the tab.

The domain is new, aamaebuzzbookmarks.com, and the registration is locked down this time, so it's harder to follow up on than the last one. Others on Reddit have mentioned this type of malware redirect from large sites. My guess is that IMDB is still serving up infected ads.

I did notice from the WHOIS record that it looks like the domain was created today. Talk about zero day malware!

Here's the URL:

https://aamaebuzzbookmarks.com/607841460074/c7d6e2f0a084a52fc656d78426e3e109/fc6061dc70679f0f99a7afc751be0eed.html

Domain Name: AAMAEBUZZBOOKMARKS.COM
Registrar: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Sponsoring Registrar IANA ID: 303
Whois Server: whois.PublicDomainRegistry.com
Referral URL: http://www.publicdomainregistry.com
Name Server: NS1.EUROPEDNS.NET
Name Server: NS2.EUROPEDNS.NET
Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Updated Date: 29-nov-2016
Creation Date: 29-nov-2016
Expiration Date: 29-nov-2017

>>> Last update of whois database: Wed, 30 Nov 2016 10:17:30 GMT <<<
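One way to pull the triage fields out of the WHOIS dumps quoted on this page (the .review record in the fan-page post and the .com record above), as an added example rather than anything from the blog: it handles the two date styles those registries use, notes when a privacy service sits in the contact fields, collects the name servers, and computes the domain's age at the time it was seen, which is the "created today" signal the post points out. The sample records are trimmed copies of the page's own.

```python
"""Parse the WHOIS records quoted in these posts for the fields that matter
when triaging a suspicious domain, then compute how old the domain was when
it was seen. Added example; sample records are trimmed copies of the page's."""
from datetime import datetime, timezone
# Two registries, two date styles: RFC 3339 from .review, dd-mon-yyyy from .com.
WHOIS_REVIEW = """Domain Name: 110741904325873.REVIEW
Creation Date: 2016-08-17T22:01:41Z
Sponsoring Registrar: NameCheap, Inc.
Registrant Name: WhoisGuard Protected
Name Server: DNS1.NAMECHEAPHOSTING.COM
"""
WHOIS_COM = """Domain Name: AAMAEBUZZBOOKMARKS.COM
Registrar: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Name Server: NS1.EUROPEDNS.NET
Name Server: NS2.EUROPEDNS.NET
Creation Date: 29-nov-2016
"""
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%d-%b-%Y")

def parse_date(value):
    """Accept either WHOIS date style; the result is timezone-aware UTC."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised WHOIS date: " + value)

def parse_whois(text):
    """Reduce a raw WHOIS dump to the handful of fields used for triage."""
    rec = {"domain": None, "created": None, "registrar": None,
           "name_servers": [], "privacy_proxy": False}
    for line in text.splitlines():
        key, _, value = line.partition(":")      # only the first colon splits
        key, value = key.strip().lower(), value.strip()
        if key == "domain name":
            rec["domain"] = value.lower()
        elif key == "creation date":
            rec["created"] = parse_date(value)
        elif key in ("registrar", "sponsoring registrar"):
            rec["registrar"] = value
        elif key == "name server":
            rec["name_servers"].append(value.lower())
        elif "whoisguard" in value.lower():     # privacy service in a contact field
            rec["privacy_proxy"] = True
    return rec

def age_days(rec, as_of):
    """Whole days from registration to as_of (a WHOIS-style date string)."""
    return (parse_date(as_of) - rec["created"]).days
```

A domain only a day or two old at the moment it shows up in a redirect or a "violation notice" is one of the strongest signals that it is disposable infrastructure.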

Sunday, November 27, 2016

IMDB Serving Up Malware?

This is the second time in less than a week where I was looking at a movie on IMDB and it suddenly redirected me to an obvious malware link. Every couple of months I get a popup from Frontier asking to complete a customer satisfaction survey. Big ISPs often use what would best be described as a JavaScript injection attack for all sorts of reasons.

So, I looked on my machine for an infection--there was none--and wondered where it came from. But this time I was paying better attention. It redirected to the following URL when I was just sitting there looking at an Al Pacino movie. Exact same site, exact same screen.

My guess is that IMDB is serving up a shady ad from whatever ad network they use.

https://uhaveluntan168.org/834841460074/9ff358f33e0552e52d2072a4c8dcfde9/3503343a651c74f2e814aed5ef3affe9.html

Doing some digging, it doesn't seem like anyone else is reporting this issue. There's no way for me to say definitively that this came from IMDB--there's lots of ways to attack a computer--but it sure looks like it!

Malware scans come back clean and I haven't had any issues or anything suspicious with this Windows 10 / Chrome install. Uh, yeah, don't think I'll be clicking on this.


A WHOIS search shows the domain to be registered in California.

Registrant ID: DI_49692548
Registrant Name: Chad N. Wessels
Registrant Organization: NA
Registrant Street: 4145 Diane Street
Registrant City: Atascadero
Registrant State/Province: California
Registrant Postal Code: 93422
Registrant Country: US
Registrant Phone: +1.8054618382
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: wesselsch@tutanota.com
Admin ID: DI_49692548
Admin Name: Chad N. Wessels
Admin Organization: NA
Admin Street: 4145 Diane Street
Admin City: Atascadero
Admin State/Province: California
Admin Postal Code: 93422
Admin Country: US
Admin Phone: +1.8054618382
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: wesselsch@tutanota.com
Tech ID: DI_49692548
Tech Name: Chad N. Wessels
Tech Organization: NA
Tech Street: 4145 Diane Street
Tech City: Atascadero
Tech State/Province: California
Tech Postal Code: 93422
Tech Country: US
Tech Phone: +1.8054618382
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: wesselsch@tutanota.com
Name Server: NS1.EUROPEDNS.NET
Name Server: NS2.EUROPEDNS.NET

The admin contact for this domain seems to be a German encrypted email service. Searching the email shows that this person, Chad Wessels, is associated with over 100 domains, most of which look shady to me. But there's more. The email search also links to a discussion forum post about phony Firefox updates, so it seems like good ole Chad has been quite busy.


I'm a software engineer, but security really isn't my specialty, so I'm interested to see how this plays out and whether other people have run into this phony Chrome update.

Friday, July 29, 2016

Using Bluetooth To Share Files Between Your Phone And Desktop Or Laptop

Many laptops come with Bluetooth built-in, but it's super easy to add a cheap Bluetooth dongle to your USB port and use your computer to listen to music, or share files, which is the subject of this article.

This article assumes you are using Windows 10, but I believe it would work similarly on Windows 8 or Windows 8.1, though Windows 10 is the version that finally got Bluetooth right as far as I'm concerned.

Step 1 - Make sure you have a Bluetooth adapter and that it's running.


Whether it's a USB dongle like the one below, or whether Bluetooth is built into your system, you should see a little Bluetooth icon on your system tray, located on the bottom right of the screen.



Clicking on the arrow on the system tray will show you the logo:


Click on the Bluetooth icon and choose "Show Bluetooth Devices" and you should see the Bluetooth settings screen similar to below. Notice I have my headphones already paired.



Step 2 - Allow Connections To Your PC


Windows 10 doesn't trust any Bluetooth devices out of the box, so first you'll need to click on "More Bluetooth options" and you will see this popup dialog box:


Step 3 - Get Your PC Ready To Share Files



Make sure the "Allow Bluetooth devices to find this PC" option is checked and then press the OK button.

Next, choose the "Send or receive files via Bluetooth" option on the Bluetooth settings screen, and you will see a new popup:


For this example, I will be receiving files to my PC sent from my Android 6 (Marshmallow) phone, which is probably the most common usage.

At this point, Windows will wait for an incoming connection from my phone.

Step 4 - Share From Your Phone


Choose some files or photos to share on your phone, such as a photo of a cute little dog, like my Zoey.


Pressing the little share icon in the lower right hand corner, I get a list of a whole bunch of ways I can share this photo. For this example, you'll want to click the Bluetooth icon.


You should then see your PC on the list of devices to share with. In this example, only my PC shows up on the list. Clicking on the device name will start the process of sending the files, but you still have to go back to your PC to receive them.


Step 5 - Receive on your PC

At this point you should see a box pop up on your PC showing you the files being downloaded, like so:



Once your files are received, you see the finish screen:


My photo of Zoey is now on my PC! Notice I could put the file(s) somewhere else, but I just clicked the Finish button and put the file in my Documents folder.


Thursday, February 25, 2016

Disney To Employees: Pay Us To Influence Politicians

In a letter to its employees, Disney recently asked its employees to help corrupt politicians through the millions of dollars it spends on lobbying. Apparently that's not enough, because they are asking their employees to take payroll deductions to help fund DisneyPac, the IP protectionist Super PAC long known for getting laws favoring Disney literally rubber stamped.

The letter, according to Ars Technica, brags about getting the TPP treaty passed, among other things. The TPP, for people who haven't heard of it, is an awful trade agreement which was negotiated in complete secrecy, lest anyone find out how bad it was, and quietly ratified by its member countries before anyone realized what was going on.

A few years back, when ICE (yes, the immigration service) launched a campaign to stamp out file sharing sites (which it failed at), it kicked everything off from Disney headquarters just to show everyone how corrupt our political system is.

So, if you work for Disney, they'd sure appreciate if you'd feed their political machine, which for some reason reminds me of this episode of South Park, where Mickey Mouse beats up the Jonas Brothers!


Thursday, January 28, 2016

Spam Buddies: Epicurious and Vanity Fair

It's bad enough that Epicurious sends me email spam every day that I've been powerless to stop. But then, long after I tried to unsubscribe from their emails, they give my email to their sister company, Vanity Fair, which starts sending me unwanted emails. I managed to get Vanity Fair to stop emailing me, but now it looks like the Epicurious email spam is pushing for people to subscribe to Vanity Fair. Their spam is now incestuous.


Nice. For only a dollar per month, I can subscribe to a shitty magazine! But all the unwanted emails--those will be free!

I did notice that Epicurious now has two different email footers. Looks like Conde Nast is consolidating all their spam into one giant machine.

The emails I've been getting all along have this footer:



But ever since Vanity Fair started emailing me, I noticed that the footer changed on the other emails coming from Epicurious.



Thursday, January 21, 2016

Avoid GearBest

GearBest was a decent seller for me, until they started with the shady behavior, which I'm the first to call them out for. So, I would avoid them if at all possible. I gave the full story on my outdoor blog, but this has sort of become a blog focused on consumer protection and similar issues relating to technology, and overseas online shopping seems to fall into that category.