  1. Nulander on Mon 03 May 2010, 06:35:19 PM UTC

    Hypothetical Fraud occurring through SEO Poisoning

    Today I found that, if you search for VLC using Google, the first entry you get is this:

    Download VLC Player
    http://www.VLC-Player-Now.com Download della versione più recente in modo facile, veloce e sicuro !

    This is a sponsored link, appearing only if you use a browser without any ad-blocker. I use ABP and, with it turned on, the entry doesn't appear for me.

    The URL reported above brings you to a fake, legit-looking VLC download page. If you follow the "Download" link presented there, you arrive at http://www.easy-download.info

    If you register on easy-download.info, you then start to receive tons of scare-scam e-mails warning you about the subscription obligations (about paying 96 € for it).

    After some research on the net, I found that an Italian anti-fraud online service, "ADUC", has reported the e-mail messages as fraud (telling users asking for support to simply ignore the contents of the message).

    I'm going to check it and release a comment and a rating according to the real status of these websites.

Comments:

  1. Nulander on Mon 03 May 2010, 06:59:47 PM UTC

    An analysis of http://www.easy-download.info on hpHosts has turned up a malicious IP address involved.

    easy-download.net, easy-download.info and http://www.easy-download.info point to 95.211.4.201

    That included:

    1indir.net 95.211.4.129 10/06/2009 EMD
    kadr2.ru 95.211.4.11 14/09/2009 EXP
    kontroli.ru 95.211.4.6 05/03/2010 07:00:49 EXP

    Host names sharing IP with A records: easy-download.info, easy-download.net

    Checking the ToS, the message contains references to a legitimate Italian law and consumer procedures called "Codice dei Consumatori". This probably means that the website, even if hosted in NL, was conceived by Italians.

    -----
    MF IT-UESC - Protecting your Digital Experience. Now.

  2. Nulander on Mon 03 May 2010, 06:59:11 PM UTC

    Website hosted in NL.
    Domain name bought using a registration proxy.

    Registrant ID:CR43494499
    Registrant Name:Registration Private
    Registrant Organization:Domains by Proxy, Inc.
    Registrant Street1:DomainsByProxy.com
    Registrant Street2:15111 N. Hayden Rd., Ste 160, PMB 353
    Registrant Street3:
    Registrant City:Scottsdale
    Registrant State/Province:Arizona
    Registrant Postal Code:85260
    Registrant Country:US
    Registrant Phone:+1.4806242599
    Registrant Phone Ext.:
    Registrant FAX:+1.4806242598
    Registrant FAX Ext.:
    Registrant Email:EASY-DOWNLOAD.INFO@domainsbyproxy.com

    NS servers listed in an RFC-Ethical-Blacklist (http://tinyurl.com/38lsk2e).

    Reading the ToS, the service holder shown (and responsible for private-data care) is: Euro Content Ltd. Quirinsstr. 8, 60599 Frankfurt am Main, Fax: +39 06 60513297. Considering that the company involved is not Italian, the Italian rules could not be considered valid for this type of service deal. The citations of Italian laws are invalid.
    Searches on the net about Euro Content Ltd. have not given any result.

    -----
    MF IT-UESC - Protecting your Digital Experience. Now.

    • c۞g on Tue 04 May 2010, 02:43:20 AM UTC

      RFC-Ethical-Blacklist

      Where did you get the idea that www.rfc-ignorant.org is a blacklist?

      Because at times there may be references within robtex "LISTED IN BLACKLIST!"?
      Those results are placed in that area on robtex page views; it is a generic label.
      On their own, rfc-ignorant listings are not a reason for rating low, but if other results are displayed from sites that are blacklist services then it's worth more investigation.

      Go to www.rfc-ignorant.org and read:
      "It is important to note that NOTHING requires ANYONE to comply with an RFC."
      Put another way, rfc-ignorant.org does not block anyone.

      And WOT raters certainly should not use rfc-ignorant.org listings / references as a reason for rating red.

      • BobJam (not verified) on Tue 04 May 2010, 03:12:44 AM UTC

        RFCs

        Maybe stating the obvious here, but I'll expand some on what g7w has said.

        While RFCs ("Request for Comment") may be in the categories of "Standards", "Best Practices", "Informational", and a few other categories I can't remember (there is always an April Fools RFC that is actually a joke), basically they're just "Guidelines". ISOs are more formally standards.

        (The term "RFC" is a relic from the Arpanet days, and "RFC" has now morphed into all these categories).

        Most developers follow RFCs, but not all do. For example, the Thunderbird mail client "violates" an RFC (can't remember the number) regarding trailing lines. You could say that the TB developers are "rfc-ignorant".

        • Nulander on Tue 04 May 2010, 12:58:15 PM UTC

          > Most developers follow RFCs, but not all do. For example, the Thunderbird mail
          > client "violates" an RFC (can't remember the number) regarding trailing lines. You
          > could say that the TB developers are "rfc-ignorant".

          OK, but if you consider it, this is quite a banal ignorance. Thunderbird still works. But an ISP that does not provide a functioning abuse address is a more serious issue. If there are abuses of the services, how can users inform it about the problems going on? Simply, they can't. So someone could even say that the ToS articles are there only for formal presence and not to give concrete help to customers being harassed.
          -----
          MF IT-UESC - Protecting your Digital Experience. Now.

          • BobJam (not verified) on Wed 05 May 2010, 05:50:11 AM UTC

            Key phrasing

            That's why Dave said: "On their own rfc-ignorant listings are not a reason for rating low but if other results are displayed from sites that are blacklist services then it's worth more investigation"

            The key phrases here are "On their own" and "more investigation".

            You apparently found cause to conduct "more investigation", and that's fine. What Dave was saying was that listings in rfc-ignorant.org are not sufficient ALONE to rate poorly.

            Whether the violation of the rfc is "banal" or "serious" is for the rater to determine.

            • Nulander on Wed 05 May 2010, 01:48:50 PM UTC

              That's obvious. But even if there's no clear evidence of abuse, the presence of misconfigurations raises suspicions about admin competence in maintaining servers. Who tells me that it hasn't already been hacked? We don't have evidence only because maybe we are searching in the wrong place.

              For example, months ago I found and later examined an Italian auction site (it was before entering WOT as an active user). Everything was apparently good at the first check. After a run of Acunetix I found that the servers were "not so well maintained". Tons of services were not updated properly. There was even an open proxy present on it. Now, I didn't have any evidence of abuse, but I still would have rated it as deeply red.
              -----
              MF IT-UESC - Protecting your Digital Experience. Now.

              • BobJam (not verified) on Wed 05 May 2010, 02:01:14 PM UTC

                Can you clarify?

                So, are you saying that you would rate poorly based on a site being listed in rfc-ignorant.org ALONE, or that this would just prompt you to investigate further (regardless of whether or not it's "banal" or "serious" . . . since you say it may be an indication that "admin competence on maintaining servers" is "suspect")?

                • Nulander on Wed 05 May 2010, 07:49:18 PM UTC

                  No, I would never; instead it raises BIG suspicions for me about them (that would drive me to check further). But I'm talking about their presence in more BLs, not 1 or 2. Of course, their presence on them deteriorates the final ratings.

                  > "admin competence on maintaining servers" is "suspect"

                  IMHO, admins have great responsibility for the servers they are administrating. Being an IT sysadmin means always keeping updated, reading news, books, taking certifications etc.
                  I don't know there, but here in Italy there are a lot of people that take IT very superficially and, when someone asks them what happened: "Ehh.. there are a lot of badass hackers out there", when instead misconfigurations were running rampant, due to their ignorance.
                  Servers happily virtualized with no criteria at all, no OS updates, no security policies in firms because "Authorities will never catch me" and so on. For me these are lame attitudes that should be avoided. Returning to us, if I find an ISP that is trying to cheat and not fight abuses as it should be done, because the admin is not able to do his duties there (and only takes money, and this happens frequently), or because they're the source of abuse themselves, I will try to obtain evidence, but even if all seems apparently clean, I'm still going to red-rate them because not taking security issues into consideration, in such servers, is a big and lame attitude that should be firmly condemned. This even makes me wonder about how extended the "hemorrhage" could be in their environments. IT is a serious thing. IT-S even more.
                  BTW, abuses in misconfigured servers will happen soon. There are a lot of automatic cracking bots out there. Try to consider Zeus. Even a teenager could build up a botnet with it, only pressing two buttons. Here in Italy, for example, the third most common worm still around our nets is NetSky (source: ESET).
                  -----
                  MF IT-UESC - Protecting your Digital Experience. Now.

              • c۞g on Wed 05 May 2010, 05:29:58 PM UTC

                re: That's obvious. But even if

                > But even if there's no clear evidence of abuse, the presence of misconfigurations raise suspects about admin competence on maintaining servers.

                WOT rates website reputations based on user trust for that site including, but not limited to, the site's immediate security threats.

                WOT does not rate a site based upon the setup and maintenance of the server that site is hosted on.

                How many website admins have direct intervention in maintaining server setup?
                Most sites are hosted on shared servers; some offer more access / options than others, but all are limited in what a site admin can configure.

                Even with dedicated servers, the site admin has limited say in how the server configuration interacts with the web host providing it.

                A website rating in WOT should not be based on whether or not the NS resolves ("not in zone"). If that were the case, you would be giving low ratings to a multitude of innocent websites.

                • Nulander on Wed 05 May 2010, 08:36:21 PM UTC

                  > WOT rates website reputations based on user trust for that site including, but not
                  > limited, to the site's immediate security threats.
                  > WOT does not rate a site based upon the setup and maintenance of the server that
                  > site is hosted on.

                  IMHO, if a server is badly maintained, people should know about it. For example, taking into consideration the auction site with the open proxy and no updates at all on it:

                  - No updates to the libraries and server-core engine means:

                  1) High potential risk of server hacking, that will result in intruders able to steal information (selling it to spammers), forge/manipulate it (in order to put users in trouble) etc. If they put illegal content inside the hacked box, in case of investigations, users could get involved in legal issues (consider child pornography), with social issues (public discredit; and in Italy this has already happened). These problems can happen "immediately" and could be considered an "immediate" security issue.

                  And, to keep it short, not to mention any form of defacement against the website itself, maybe not as destructive as a total index change, but making some little changes to claims in articles, in order to bring trouble to owners or users.

                  - Admin incapability in server maintenance

                  2) Service "untrustworthy". Do you really want to sell me that, if the admin is unable to keep everything safe, you would give your information to his/her service? And about the data-keeping care? If it is all there, their interest in keeping data safe, who assures me about any leaking to unknown identities? Attacks on systems could happen both from outsiders (who are not registered to the service itself, in this case) or insiders (for example an attacker that, giving false information, managed to obtain legit access to it and then, with an SQL injection, obtained all data stored in the DB etc.). About logs? Logs, in this case, could not be considered reliable because, if an admin does not enforce some common rules about security, you can't trust data handled by his/her systems. They could have been manipulated by intruders. I remember, a long time ago, that there were teenagers, on IRCNet, that used to hack Linux servers using rootkit-exploiting packs. Usually they contained software for log manipulation, in order to hide their presence on the hacked boxes. And I'm talking about 10 years ago. So, due to this, you can't consider logs at all.

                  - In the case brought by me: open proxy situation

                  3) In this case, the open proxy could be remotely controlled. Consider that it is seen, by the local machine, as a localhost daemon/service. Even if the admin locked out DB remote-probing functions, an intruder can use the open proxy to appear as a legit user, in order to ease his/her digging activities. This leads to an easier environment to perpetrate attacks and obtain secret information. Not to mention that, and I'm going deep for it, an AUCTION site (where users have to place their personal information) that lets anyone use the local machine to spoof him/herself is already highly suspicious.

                  And all this is an immediate serious security threat for users, who are of course not aware of what is going on.

                  Setup and maintenance, no. Security maintenance, yes. This tells me how data is considered by its owners and how much seriousness they're putting into their activities involving my personal information. This means reputation.

                  Even for the Spanish one, in the other case treated by G7w, the website apparently was OK, with no security issues. Then, digging more deeply into it, g7w found something bad was going on. Was the website itself acting badly, spreading malware to users etc.? No. Was whoever was keeping it trying to hide something from their potential users? Yes. No security issues there, but the problem was REAL and immediate.

                  -----
                  MF IT-UESC - Protecting your Digital Experience. Now.

      • Nulander on Tue 04 May 2010, 12:54:45 PM UTC

        Robtex reports it as a blacklist (but, IMHO, it is not).
        The website listed here is not rated red only because it is present on RFC-Ignorant.

        IMHO, in my work, I always follow RFCs, but I'm not red-rating websites only because other admins don't consider them.
        Of course you also have to consider that if some hosts/IPs don't follow some common rules, there may be suspicious activity going on (e.g. an ISP with no working abuse addresses etc.).
        -----
        MF IT-UESC - Protecting your Digital Experience. Now.

      • Nulander on Tue 04 May 2010, 01:13:50 PM UTC

        About Robtex reports, this is not always as simple as "abuse not working" or whatever else. Some servers are even more misconfigured. There was a case (that I saw last Saturday evening) about an MX server apparently involved in phishing delivery activities to users.
        When the folks at RFC-Ignorant tried to inform the service provider about the scam e-mail received, they got troubles even during the report sending, halted during its transit to the service provider by a misconfigured AV mail check (on their side) that stopped the message, tagging it as malware.

        A phishing report, with no attachments, identified by a SECURITY check (that should reduce FPs as much as possible) as malware?
        The fact is not related to a too-tight threshold being configured or whatever else, but IMHO, if these guys have an AV mail filter that stops a false malware message, what about all the rest? Add to all this that the postmaster and abuse addresses were not working (if I don't remember wrongly), and you can only yell "Bingo!".

        RFC-Ignorant probably is not a blacklist as you usually consider it (about blocked IPs/hostnames etc.), but it is there to point out whether the admins out there are able to do their work, whether they are even unintentionally helping scammers/spammers/attackers or whether they themselves are one of them. In a fraud investigation this evidence could not be ignored.
        -----
        MF IT-UESC - Protecting your Digital Experience. Now.

  3. Nulander on Mon 03 May 2010, 07:04:41 PM UTC

    The "satellite" http://www.vlc-player-now.com is found at 188.121.58.8 (PTR to ip-188-121-58-8.ip.secureserver.net) and uses the same suspicious NS servers.

    In a matter of hours I will put up more information about the e-mail scam messages sent to me by these people.
    -----
    MF IT-UESC - Protecting your Digital Experience. Now.

  4. phantazm on Mon 03 May 2010, 07:21:22 PM UTC

    Origin..?

    http://www.VLC-Player-Now.com

    The nationality of http://www.VLC-Player-Now.com seems somewhat mixed:

    The front page text is Italian (I think), but at the bottom one can read a German text:
    "Copyright 2010 vlc-player-now.com. Alle Rechte vorbehalten."

    Plus a Dutch IP location: Netherlands - Noord-holland - Amsterdam - Go Daddy Netherlands B.v

    Anonymous registrant, and only a month old; created: 2010-04-02

    • Nulander on Mon 03 May 2010, 09:32:36 PM UTC

      Yes. As I have reported, there's a lot of evidence of something really wrong going on. Sorry for the delay, I was eating (dinner time here) and I stayed to watch some TV.
      -----
      MF IT-UESC - Protecting your Digital Experience. Now.

  5. Nulander on Mon 03 May 2010, 11:34:59 PM UTC

    Just checked attachments and headers. Files are clean and no particularly useful data found in the headers.

    Summary:

    easy-download.info
    easy-download.net
    188.121.58.8
    vlc-player-now.com
    ip-188-121-58-8.ip.secureserver.net
    1indir.net
    95.211.4.129
    kadr2.ru
    95.211.4.11
    kontroli.ru
    95.211.4.6
    95.211.4.201

    -----
    MF IT-UESC - Protecting your Digital Experience. Now.
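The checks the posters ran by hand in this thread (the hpHosts co-location of the easy-download hosts with already-listed hosts on 95.211.4.x, the Domains by Proxy WHOIS record, the one-month-old registration of vlc-player-now.com, and the generic secureserver.net PTR) can be written down as a small, repeatable triage script. The following is an added example written for this thread; it is not code from the forum, from WOT or from hpHosts. The resolutions, hpHosts records and WHOIS lines are the ones quoted in the posts above, embedded as constructed inputs so nothing does a live DNS or WHOIS lookup; the privacy-proxy marker list, the `/24` grouping and the 90-day "new domain" threshold are assumptions of this example.

```python
"""Indicator triage for the domains, IPs, PTR and WHOIS excerpt quoted in this thread.

Added example, not code from the forum, WOT or hpHosts. All inputs are copied
from the posts or are constructed stand-ins; no live DNS/WHOIS is performed.
"""
from collections import defaultdict
from datetime import date
import ipaddress

# Resolutions as the posters reported them (constructed mapping, not live DNS).
RESOLVES = {
    "easy-download.info": "95.211.4.201",
    "easy-download.net": "95.211.4.201",
    "vlc-player-now.com": "188.121.58.8",
}

# hpHosts-style records quoted in the thread: host, IP, listing date, [time], class.
HPHOSTS_RECORDS = """\
1indir.net 95.211.4.129 10/06/2009 EMD
kadr2.ru 95.211.4.11 14/09/2009 EXP
kontroli.ru 95.211.4.6 05/03/2010 07:00:49 EXP
"""

# WHOIS lines quoted in the thread (Key:Value, no space after the colon).
WHOIS_EXCERPT = """\
Registrant Name:Registration Private
Registrant Organization:Domains by Proxy, Inc.
Registrant Country:US
Registrant Email:EASY-DOWNLOAD.INFO@domainsbyproxy.com
"""

# Substrings that mark a privacy/proxy registration (assumed list for this example).
PRIVACY_MARKERS = ("domains by proxy", "registration private", "whoisguard", "privacy")
NEW_DOMAIN_DAYS = 90  # assumed threshold: younger than this is worth a note


def parse_hphosts(text):
    """Split 'host ip date [time] class' lines; the class is always the last token."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        records.append({"host": parts[0], "ip": parts[1], "listed": parts[2], "class": parts[-1]})
    return records


def parse_whois(text):
    """Turn 'Key:Value' lines into a dict, tolerating empty values like 'Street3:'."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def shared_networks(resolves, records, prefix=24):
    """Group the observed hosts and the blacklisted hosts by /prefix network."""
    groups = defaultdict(set)
    for host, ip in resolves.items():
        groups[str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))].add(host)
    for rec in records:
        groups[str(ipaddress.ip_network(f"{rec['ip']}/{prefix}", strict=False))].add(rec["host"])
    return {net: sorted(hosts) for net, hosts in groups.items()}


def uses_privacy_proxy(fields):
    """True when any WHOIS value carries a known privacy-proxy marker."""
    blob = " ".join(v.lower() for v in fields.values())
    return any(marker in blob for marker in PRIVACY_MARKERS)


def ptr_is_generic(ip, ptr):
    """True when the PTR merely encodes the IP (provider boilerplate, not a named host)."""
    return ip.replace(".", "-") in ptr


def domain_age_days(created_iso, observed_iso):
    """Days between registration and the day the indicator was observed."""
    return (date.fromisoformat(observed_iso) - date.fromisoformat(created_iso)).days


def triage(resolves, hphosts_text, whois_text, created_iso, observed_iso, ptr_by_ip):
    """Return the findings a rater would note, as short strings in a fixed order."""
    findings = []
    for net, hosts in shared_networks(resolves, parse_hphosts(hphosts_text)).items():
        listed = [h for h in hosts if h not in resolves]
        observed = [h for h in hosts if h in resolves]
        if listed and observed:
            findings.append(f"{', '.join(observed)} share {net} with listed hosts {', '.join(listed)}")
    if uses_privacy_proxy(parse_whois(whois_text)):
        findings.append("registrant hidden behind a WHOIS privacy proxy")
    age = domain_age_days(created_iso, observed_iso)
    if age < NEW_DOMAIN_DAYS:
        findings.append(f"domain was only {age} days old when observed")
    for ip, ptr in ptr_by_ip.items():
        if ptr_is_generic(ip, ptr):
            findings.append(f"{ip} has a generic provider PTR ({ptr})")
    return findings


if __name__ == "__main__":
    # Creation date of vlc-player-now.com and observation date are taken from the thread.
    ptrs = {"188.121.58.8": "ip-188-121-58-8.ip.secureserver.net"}
    for finding in triage(RESOLVES, HPHOSTS_RECORDS, WHOIS_EXCERPT, "2010-04-02", "2010-05-03", ptrs):
        print("-", finding)
```

None of these findings is proof of fraud on its own, which is the point c۞g makes about rfc-ignorant listings: the script only collects the co-location, anonymity and age signals so that they can be weighed together with the scam e-mails and the ADUC report, and a practitioner would re-run it with live resolutions rather than the reported ones before acting on it.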