SEC takes action against stock spammers

On March 8 the US Securities and Exchange Commission annonunced a 10-day trading suspension for securities of 35 companies quoted on the Pink Sheets quotation service. The suspensions aims at protecting the public from fraudulent stock price manipulation by stock spammers.

All of these stocks have been advertised to millions of email users via pam, usually sent from “botnet” zombie computers. Buyers are tempted into purchasing penny stock already held by the spammers or their paying customers and as soon as prices start inflate due to rising demand, the criminals sell at a profit, leaving the new buyers to take a loss when the stock price deflates back to pre-spam levels or below.

This practise is widely known as “pump and dump”. The SEC welcomes information about such stock scams at email address 35suspensions(at)sec(dot)gov.

We have already reported 14 other companies to them whose stock has been advertised via “pump and dump” spams during the course of the past week.

A tale of two abuse departments

In the last two days I was in contact with two abuse departments at webhosters. Though the reasons for contacting them were similar, I came away with impressions that were as opposite as could be. I called because of two websites, both highly illegal. Both were advertised in spam and I encountered them when checking suspect domains found by my spam filter.

The first encounter was prompted by a phishing site, a clone of a Wachovia bank website designed to obtain account information to steal money via online banking. The email, subject line “Update Your Account Now!” claimed to be from Wachovia Bank, but predictably the links to the site that asks for your password led elsewhere, to a domain named (Wa-) “”. The domain resolved to an IP address that, according to a WHOIS lookup, belonged to Hetzner, a leading webhosting company in South Africa.

I dialled the customer service number listed in the WHOIS entry and spent less than three minutes on the phone altogether. After stating that I found a phishing site on a Hetzner server, I was transfered to the technical department. There I repeated my quick explanation and was transfered to the abuse desk. I explained the problem and spelled the domain name to technician, who immediately checked the site and confirmed the existing of the phishing site on the machine. Using the Linux tool “chmod” he then disabled all access to the site. The website stopped working and the phishing gang was prevented from uploading another set of files. I was impressed how quickly Hetzner had resolved the problem and mentioned to the technician that I was a customer of Hetzner in Germany (their parent company) and was pleased to see their service was as efficient in South Africa as in Germany 🙂

Today I came across another site I found worth reporting, a child pornography site hosted on a GoDaddy server. Phishing is done by unscrupulous criminals who steal millions of dollars, but child pornography is far worse. It’s about small, helpless children getting raped and others making money out of that.

This site, created by a criminal gang calling itself “CP COMPANY” and claiming to be based in Ukraine, was advertised in spam in the following way:

Hello pedo lover!
We present to you NEW PEDO COLLECTION!
High Quality h^rd CP content! Low Prices on the net!
See free preview now and get instant access!

(I only added the actual domain name in this blog posting after the site was finally shut down).

Again, I looked up the IP address and then the WHOIS record for the IP, which included the phone number of the GoDaddy abuse desk.

I called the number and explained I had come across a child pornography site on one of their servers. The representative replied that I would have to put my request in writing because otherwise “you won’t get any action on this.” They needed to be notified in a way that creates a record. I should put the details in an email to abuse (at) godaddy (dot) com.

I said I would do that, but I would like to give him the URL anyway, which I did. The call was finished in less than a minute, but without the desired result.

Checking the details on the domain again, I found it was one of the child pornography sites I had already reported by email as part of my daily spam domain verification procedure, some 15 minutes earlier. So I could only wait, checking at iregular intervals if the site still responded by using the Linux “wget” program that lets me download the text portions without having to retrieve the pictures as a browser would.

It is now more than four hours since I reported the site to GoDaddy by email and more than 3 1/2 hours since I told them by phone. The criminal site is still offering pictures and videos of raped children to willing customers with a credit card.

In the index.html I downloaded with “wget” the criminals explain to their prospective customers:

Buying production at us you support creation of new kids porn films.

I only wish a company as large as GoDaddy was able to take action against criminal abuse of their services as quickly as Hetzner.

P.S. The child porn site was still active 29 hours after reporting it, despite two emails, one phone call and one voicemail left. I have contacted a US law enforcement officer about this.

P.P.S. When the site was still active 56 hours after reporting it, I filed a criminal report with the German police. When I checked again on the following day I found that the site had finally been disabled by GoDaddy.