“Questions About GDPR Data Access Process” Spam from Virginia

  • NOTE: See recent updates below the original April 2021 post!

The other day, I received the following email:

Subject: Questions About GDPR Data Access Process for [DOMAINNAME]
To Whom It May Concern:

My name is [REDACTED], and I am a resident of Roanoke, Virginia. I have a few questions about your process for responding to General Data Protection Regulation (GDPR) data access requests:

  1. Would you process a GDPR data access request from me even though I am not a resident of the European Union?
  2. Do you process GDPR data access requests via email, a website, or telephone? If via a website, what is the URL I should go to?
  3. What personal information do I have to submit for you to verify and process a GDPR data access request?
  4. What information do you provide in response to a GDPR data access request?

To be clear, I am not submitting a data access request at this time. My questions are about your process for when I do submit a request.

Thank you in advance for your answers to these questions. If there is a better contact for processing GDPR requests regarding [DOMAINNAME], I kindly ask that you forward my request to them.

I look forward to your reply without undue delay and at most within one month of this email, as required by Article 12 of GDPR.

Sincerely,

[REDACTED]

It’s a confusing email, but as it turns out, one received by many other website owners. In fact, there’s a thread about it on Reddit.

GDPR deals with processing personally identifiable information. Non-compliance can lead to stiff fines. It even applies to companies outside the EU if they process personal data of EU residents.

If you get a request regarding personal data from an EU resident, you will need to answer promptly or you can face fines. No such requirement exists under GDPR regarding the data of individuals outside the EU.

I don’t know what the intention of the sender of this email is, but I have my suspicions.

The email was sent from an address at “potomacmail.com”, a domain registered on 2020-03-02, via an Amazon EC2 host (52.23.113.96). The HTML part of the email references a single-pixel “web bug”: an image loaded from the potomacmail.com web server. If you open the message in a mail client that does not block remote images from untrusted senders, that image is fetched and the IP address of your client is logged on that server:

https://potomacmail.com/p.png?req=GDPR&target=1234

The URI contains a unique value (it was something other than 1234 in my case) that presumably identifies the recipient of the email. In other words, the senders of this email themselves collect personally identifiable information which, if the recipient happens to be in the EU, is subject to GDPR and its potential fines.
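Here is a small script, added as an example and not part of the original post, that pulls the remote images out of an HTML email and flags the ones that look like web bugs: remote (http/https) images that are 1×1 pixels or carry a query string. The message it parses is a constructed sample modelled on the mail above; the headers, the body text and the `target` value are placeholders, only the shape of the tracking URL is taken from the post.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample message (not the original mail): headers, body text and
# the "target" value are placeholders; only the tracking-pixel URL shape is real.
SAMPLE_EMAIL = """\
From: someone@potomacmail.com
To: webmaster@example.org
Subject: Questions About GDPR Data Access Process for example.org
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

To Whom It May Concern: (plain-text copy of the questions)

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>To Whom It May Concern: (HTML copy of the questions)</p>
<img src="https://potomacmail.com/p.png?req=GDPR&amp;target=1234" width="1" height="1">
<img src="cid:logo@local" alt="inline image, cannot phone home">
</body></html>
--b1--
"""


class ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag in an HTML document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append(dict(attrs))


def sender_domain(msg) -> str:
    """Domain part of the From: header, lower-cased ('' if absent)."""
    addr = msg.get("From", "")
    return addr.rsplit("@", 1)[-1].strip("> ").lower()


def find_tracking_pixels(raw_message: str):
    """Return the remote images in the HTML part that look like web bugs."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return []  # plain-text mail: nothing is fetched when it is opened
    collector = ImgCollector()
    collector.feed(html_part.get_content())

    hits = []
    for attrs in collector.images:
        src = attrs.get("src", "")
        parts = urlsplit(src)
        if parts.scheme not in ("http", "https"):
            continue  # cid:/data: images are embedded in the mail itself
        params = parse_qs(parts.query)        # per-recipient identifiers live here
        tiny = attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1")
        if tiny or params:
            hits.append({
                "url": src,
                "host": parts.hostname,
                "params": params,
                "tiny": tiny,
                # True when the sender logs opens on its own server
                "host_is_sender": parts.hostname == sender_domain(msg),
            })
    return hits


if __name__ == "__main__":
    for hit in find_tracking_pixels(SAMPLE_EMAIL):
        print(hit)
```

For the sample message this reports one hit: a 1×1 image on potomacmail.com, the sender’s own domain, with the query parameters `req=GDPR` and `target=1234`. Any per-recipient value in that query string is what ties the fetch, and hence your IP address and the time of opening, to your address.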

UPDATE (2021-12-11)
There is a similar spam e-mail going around recently, with almost identical wording but mentioning the California Consumer Privacy Act (CCPA) instead of the European GDPR:

Subject: Questions About CCPA Data Access Process for [DOMAINNAME]

To Whom It May Concern:

My name is [REDACTED], and I am a resident of San Francisco, California. I have a few questions about your process for responding to California Consumer Privacy Act (CCPA) data access requests:

1. Do you process CCPA data access requests via email, a website, or telephone? If via a website, what is the URL I should go to?
2. What personal information do I have to submit for you to verify and process a CCPA data access request?
3. What information do you provide in response to a CCPA data access request?

To be clear, I am not submitting a data access request at this time. My questions are about your process for when I do submit a request.
(…)

This email was sent from an address at “yosemitemail.com”, a domain registered on 2020-03-02 with the same registrar at the exact same time as the “potomacmail.com” domain used in the GDPR variant of this spam:

Domain Name: YOSEMITEMAIL.COM
Registry Domain ID: 2498859495_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2021-03-08T03:30:04Z
Creation Date: 2020-03-02T02:15:46Z
Registry Expiry Date: 2022-03-02T02:15:46Z
Registrar: NameCheap, Inc.

Domain Name: POTOMACMAIL.COM
Registry Domain ID: 2498859494_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2021-03-03T22:25:43Z
Creation Date: 2020-03-02T02:15:46Z
Registry Expiry Date: 2022-03-02T02:15:46Z
Registrar: NameCheap, Inc.

As you can see, the creation timestamps are identical down to the second, and the Registry Domain IDs of the two domains are consecutive. Both sender domains were evidently registered by the same person, who uses them for the same purpose.
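The same comparison can be automated when there are more than two records to pivot on. The script below is an added example, not code from the original post: it parses the two WHOIS excerpts shown above, plus a constructed control record for a hypothetical unrelated domain, and reports pairs whose creation timestamps are within a few minutes of each other or whose registry IDs are only a handful apart.

```python
import re
from datetime import datetime
from itertools import combinations

# The first two records are the WHOIS excerpts from the post above; the third
# is a constructed control record for a hypothetical, unrelated domain.
WHOIS_RECORDS = [
    """Domain Name: YOSEMITEMAIL.COM
Registry Domain ID: 2498859495_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2021-03-08T03:30:04Z
Creation Date: 2020-03-02T02:15:46Z
Registry Expiry Date: 2022-03-02T02:15:46Z
Registrar: NameCheap, Inc.
""",
    """Domain Name: POTOMACMAIL.COM
Registry Domain ID: 2498859494_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2021-03-03T22:25:43Z
Creation Date: 2020-03-02T02:15:46Z
Registry Expiry Date: 2022-03-02T02:15:46Z
Registrar: NameCheap, Inc.
""",
    """Domain Name: UNRELATED-EXAMPLE.COM
Registry Domain ID: 2400000000_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.example-registrar.test
Registrar URL: http://www.example-registrar.test
Updated Date: 2020-01-01T00:00:00Z
Creation Date: 2019-11-20T10:00:00Z
Registry Expiry Date: 2021-11-20T10:00:00Z
Registrar: Example Registrar LLC
""",
]

# "Key: value" lines; the key is matched non-greedily so that values which
# themselves contain a colon (URLs) are kept intact.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$", re.MULTILINE)


def parse_whois(text: str) -> dict:
    """Extract the fields needed for pivoting from one registry WHOIS record."""
    fields = {k.strip(): v for k, v in FIELD_RE.findall(text)}
    # Verisign IDs look like 2498859495_DOMAIN_COM-VRSN; the number is sequential.
    numeric_id = int(fields["Registry Domain ID"].split("_", 1)[0])
    created = datetime.strptime(fields["Creation Date"], "%Y-%m-%dT%H:%M:%SZ")
    return {
        "domain": fields["Domain Name"].lower(),
        "id": numeric_id,
        "created": created,
        "registrar": fields["Registrar"],
    }


def find_linked_registrations(records, max_id_gap=10, max_seconds=300):
    """Pair up domains that were very probably registered in one session."""
    parsed = sorted((parse_whois(r) for r in records), key=lambda r: r["id"])
    links = []
    for a, b in combinations(parsed, 2):
        id_gap = b["id"] - a["id"]
        seconds = abs((b["created"] - a["created"]).total_seconds())
        evidence = []
        if id_gap <= max_id_gap:
            evidence.append(f"registry IDs {id_gap} apart")
        if seconds <= max_seconds:
            evidence.append(f"created {int(seconds)}s apart")
        if a["registrar"] == b["registrar"]:
            evidence.append("same registrar")  # supporting evidence only
        # A shared registrar alone proves nothing; require a timing or ID signal.
        if id_gap <= max_id_gap or seconds <= max_seconds:
            links.append({"pair": (a["domain"], b["domain"]), "evidence": evidence})
    return links


if __name__ == "__main__":
    for link in find_linked_registrations(WHOIS_RECORDS):
        print(link["pair"], "->", "; ".join(link["evidence"]))
```

Only the potomacmail.com / yosemitemail.com pair is reported, with all three signals; the control record is far away in both time and ID space. Note that the registry ID sequence is only meaningful within one registry (here Verisign’s .com), so this check does not extend to the .ru and .fr domains discussed below.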

As far as I can tell, whether you are in California or outside, you are under no obligation to reply to this email. I would not advise replying to it.

UPDATE (2021-12-13)
The GDPR mails sent in the name of a person in Russia are sent from a domain registered via a different registrar about one month after the other two domains:

domain: NOVATORMAIL.RU
nserver: ns1crv.name.com.
nserver: ns2ckr.name.com.
nserver: ns3cjl.name.com.
nserver: ns4fpy.name.com.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: RU-CENTER-RU
admin-contact: https://www.nic.ru/whois
created: 2020-04-06T05:35:06Z
paid-till: 2022-04-06T05:35:06Z
free-date: 2022-05-07
source: TCI

Another domain used for sender addresses is “envoiemail.fr”, which according to its registry record was created on 2021-03-03, a year and a day after “yosemitemail.com” and “potomacmail.com”:

domain: envoiemail.fr
status: ACTIVE
hold: NO
holder-c: ANO00-FRNIC
admin-c: ANO00-FRNIC
tech-c: RT12727-FRNIC
zone-c: NFC1-FRNIC
nsl-id: NSL82816-FRNIC
registrar: 1API GmbH
Expiry Date: 2022-03-03T20:45:06Z
created: 2021-03-03T20:45:06Z
last-update: 2021-03-03T20:45:07Z
source: FRNIC

All four domains have their email hosted at Google. That is not unusual, lots of domains use Gmail for mail hosting these days. It is still worth pointing out though.

POTOMACMAIL.COM. 3600 IN MX 1 aspmx.l.google.COM.
POTOMACMAIL.COM. 3600 IN MX 10 alt3.aspmx.l.google.COM.
POTOMACMAIL.COM. 3600 IN MX 10 alt4.aspmx.l.google.COM.
POTOMACMAIL.COM. 3600 IN MX 5 alt1.aspmx.l.google.COM.
POTOMACMAIL.COM. 3600 IN MX 5 alt2.aspmx.l.google.COM.

YOSEMITEMAIL.COM. 1799 IN MX 1 aspmx.l.google.COM.
YOSEMITEMAIL.COM. 1799 IN MX 10 alt3.aspmx.l.google.COM.
YOSEMITEMAIL.COM. 1799 IN MX 10 alt4.aspmx.l.google.COM.
YOSEMITEMAIL.COM. 1799 IN MX 5 alt1.aspmx.l.google.COM.
YOSEMITEMAIL.COM. 1799 IN MX 5 alt2.aspmx.l.google.COM.

NOVATORMAIL.RU. 300 IN MX 5 alt1.aspmx.l.google.com.
NOVATORMAIL.RU. 300 IN MX 5 alt2.aspmx.l.google.com.
NOVATORMAIL.RU. 300 IN MX 10 alt3.aspmx.l.google.com.
NOVATORMAIL.RU. 300 IN MX 10 alt4.aspmx.l.google.com.
NOVATORMAIL.RU. 300 IN MX 1 aspmx.l.google.com.

envoiemail.fr. 1799 IN MX 10 alt3.aspmx.l.google.com.
envoiemail.fr. 1799 IN MX 10 alt4.aspmx.l.google.com.
envoiemail.fr. 1799 IN MX 5 alt1.aspmx.l.google.com.
envoiemail.fr. 1799 IN MX 5 alt2.aspmx.l.google.com.
envoiemail.fr. 1799 IN MX 1 aspmx.l.google.com.

I am told that the one-month reply period under Article 12 of GDPR only applies to actual data subject requests such as data access requests, which the email explicitly says this is not.

UPDATE (2021-12-15)

It turns out that these deceptive emails using fake identities were sent out by a researcher at Princeton University as part of a study into how website operators implement GDPR and CCPA. In the most recent mails to website operators, the senders are now disclosing their background instead of using fake identities.

These GDPR and CCPA emails created great anxiety amongst the recipients (nobody wants to pay huge fines) and that should have been clear to the senders from the very beginning, yet they went ahead and spammed us as if we were human guinea pigs.

Even if somehow it wasn’t clear to them in the beginning, public blog posts and forum discussions after the April spam run should soon have shown them that this wasn’t going to end well. Why did they continue with the same mode of operation more than half a year later? And why did their university let them do that?

Normally I would expect to be able to easily distinguish between online scams and academic research but I guess, not any more. We are living in strange times.

Loan Application Spam

Usually Gmail does a great job of keeping spam out of my inbox, but this morning I found an unsolicited email that looked as if it might have been meant for someone else, supposedly about a loan application I had made:

Hi,

Welcome to Statforge Finance!!

Thank you for applying loan with Statforge Finance.

As per the telephonic conversation, please find attached the company brochure and list of required documents.

Please find below the list of documents which you need to submit as a primary and secondary identification proof.

1. Primary Identification Proof (Driver’s License or Copy of the passport)
2. Address proof (Any utility bill under your name. Most recent is preferred)
3. Income Proof (Recent 3 Months of bank statement/Pay stubs/Tax Documents)

In case of any further clarification please revert on this email or feel free to reach us back on our Toll Free number 1-855-892-0516.

Please submit all the required documents on our email or fax us on 1-810-222-7376 in order to proceed further.

We are happy to help you.

Thanks & Regards,
Communication Department,
Statforge Finance US LLC
Contact No: 1-855-892-0516
Fax No: 1-810-222-7376
Email: info@statforgefinance.com
Website: https://www.statforgefinance.com/

I had never heard of this company, let alone contacted them for a loan (I don’t live in the US).

Sometimes I receive mail meant for people with a similar address, so I wanted to check out if this was perhaps legitimate, but the more I looked the more I found that was odd about it.

To start with, the email wasn’t addressed to anyone by name, nor was it signed by anyone by name. “Thank you for applying loan” is broken English. This matched up with a line in the email header that mentioned an IP address in India:

x-originating-ip: [175.111.128.90]

I had a look at the website listed in the mail footer. The “About Us” page stated:

Statforge Finance loans are best-received and utilized by our customers when they are able to easily understand the loan terms and determine whether the product is the correct fit for their needs.

Searching Google for that line, without the company name, also found the same wording on a couple of other websites, e.g.

Ventura Financials loans are best-received and utilized by our customers when they are able to easily understand the loan terms and determine whether the product is the correct fit for their needs.

and

LOANRAFT finance loans are best-received and utilized by our customers when they are able to easily understand the loan terms and determine whether the product is the correct fit for their needs.

Web content ripped off from other websites is never a good sign, but sometimes it is not straightforward to tell whether a site is the legitimate original or a dodgy clone. So I looked at all three sites (there may be more).

These were the contact details for “LOANRAFT”:

Give us a call
855 955 9655
Mail us
info@loanraftfinance.com
FAX
3023518834

855 955 9655
Address: Delaware Avenue , Wilmington, DE 19801
Email: info@loanraftfinance.com

Notice the absence of a house number in the street address. Like the other two companies, it uses a toll-free 855 number for voice calls but a number in a geographic area code for the fax. The domain is registered through GoDaddy, with the registrant hidden behind a privacy proxy:

Domain Name: loanraftfinance.com
Registry Domain ID: 2283058202_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2019-07-09T16:51:23Z
Creation Date: 2018-07-06T22:55:47Z
Registrar Registration Expiration Date: 2020-07-06T22:55:47Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.4806242505
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
Registry Registrant ID: Not Available From Registry
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC
Registrant Street: DomainsByProxy.com

Contact details for Statforge Finance:

info@statforgefinance.com
Greenfield Rd, Oak Park, MI 48237
Statforge Finance US LLC
Contact No: 1-855-892-0516
Fax No: 1-810-222-7376

Again no house number in the street address, a toll-free 855 number and a fax number in a geographic area code. However, the 810 area code does not cover Oak Park, MI, which uses 248 and 947 instead.

The domain is also registered via GoDaddy, only two months earlier and the registrant is also cloaked:

Domain Name: statforgefinance.com
Registry Domain ID: 2259908468_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2019-05-13T20:06:35Z
Creation Date: 2018-05-04T17:19:55Z
Registrar Registration Expiration Date: 2020-05-04T17:19:55Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.4806242505
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
Registry Registrant ID: Not Available From Registry
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC

And this is the third one in the set:

Green Valley Parkway,
Henderson, NV 89074
+1 (855) 850 7390
info@venturafinancials.com
Fax: 13033747343

No house number in the street address, a toll-free 855 number plus a fax number in a geographic area code.

It is also registered via GoDaddy, just over a year after loanraftfinance.com:

Domain Name: venturafinancials.com
Registry Domain ID: 2416866824_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2019-07-25T21:31:33Z
Creation Date: 2019-07-25T21:31:32Z
Registrar Registration Expiration Date: 2020-07-25T21:31:32Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.4806242505
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
Registry Registrant ID: Not Available From Registry
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC

Looking at who hosts email for the three different domains:

loanraftfinance.com. 3600 IN MX 0 loanraftfinance-com.mail.protection.outlook.com.
venturafinancials.com. 3600 IN MX 0 venturafinancials-com.mail.protection.outlook.com.
statforgefinance.com. 2858 IN MX 0 statforgefinance-com.mail.protection.outlook.com.

They are all using Microsoft’s Outlook mail infrastructure. This is also where my initial sample email was sent from.

While I don’t know yet what exactly these people are up to, I would advise anyone who received a loan offer via spam to steer well clear of such offers.

1-518-684-5177 Domain Owner Spam

Today I received the following spam message:

Attention: Important, DOMAIN SERVICE
Domain Name: [MyDomainNameHere]

Call: 1-518-684-5177

ATT: Domain Owner JOE WEIN
ADMINISTRATIVE CONTACT
[MyAddressHere]
WWW.[MyDomainNameHere]

Requested Reply Before
January 7, 2019

PART I: REVIEW SOLICITATION

Attn: Domain Owner JOE WEIN
As a courtesy to domain name holders, we are sending you this notification for your business Domain name search engine registration.

This letter is to inform you that it’s time to send in your registration and save.

Failure to complete your Domain name search engine registration by the expiration date may result in cancellation of this proposal making it difficult for your customers to locate you on the web.

Privatization allows the consumer a choice when registering. Search engine subscription includes domain name search engine submission.

You are under no obligation to pay the amounts stated below unless you accept this proposal. Do not discard, this notice is not an invoice it is a courtesy reminder to register your domain name search engine registration so your customers can locate you on the web.

This Notice for: WWW.[MyDomainNameHere] will be terminated on January 4, 2018 Act today!

[ ] 1 year 01/07/2019 – 01/07/2020 $75.00
[ ] 2 year 01/07/2019 – 01/07/2021 $119.00
[ ] 5 year 01/07/2019 – 01/07/2024 $199.00
[ ] 10 year -Most Recommended- 01/07/2019 – 01/04/2029 $295.00
[ ] Lifetime (NEW!) Limited time proposal – Great value! Lifetime $499.00

Payment by Credit Card or Check
Call our New York main office: (518)684-5177

At the bottom was the following disclaimer, separated by many blank lines to make it unlikely that anyone would read it:

By accepting this proposal, you agree not to hold DS liable for any part. Note that THIS IS NOT A BILL. This is a solicitation. You are under no obligation to pay the amounts stated unless you accept this proposal. The information in this letter contains confidential and/or legally privileged information from the notification processing department of the DS. This information is intended only for the use of the individual(s) named above. There is no pre-existing relationship between DS and the domain mentioned above. This notice is not in any part associated with a continuation of services for domain registration. Search engine submission is an optional service that you can use as a part of your website optimization and alone may not increase the traffic to your site. If you do not wish to receive further updates from DS reply with Remove to unsubscribe. If you are not the intended recipient, you are hereby notified that disclosure, copying, distribution or the taking of any action in reliance on the contents of this letter is strictly prohibited.

Harvesting the contact details of domain owners from WHOIS for spamming is prohibited by the WHOIS terms of service.

This spam is deceptive advertising. Some people will make payments because they mistake the spam email for a domain registration renewal reminder, which it isn’t. Never do business with spammers!

trafficads.net scam ads: “Googleユーザーのあなた、おめでとうございます!” (“Congratulations, Google user!”)

For a few months I have been seeing sudden popups in the middle of visiting various websites. The ads are hosted on URLs such as http://trafficads.net/graun/?pubads={some-hexadecimal-number} and the back button is disabled, so there is no way to get back to the article I had been reading.

The ads are in Japanese (I am accessing from a Japanese IP address) and tell you that you can win an iPhone X, iPad Air 2 or Samsung Galaxy S6. They then ask some easy questions about who founded Google, in what country it is based and what year it was founded. Regardless of your answers, it will tell you that they were correct and that you have won an iPhone X 64 GB. You are then asked to give your credit card to pay for shipping. I strongly recommend you do not give them your credit card!

Before I started seeing the ads on trafficads.net, I think I saw them on a number of different domains that kept changing. For several weeks now, one consistent domain has been used instead.

I do not know yet how those ads get injected into the Chrome browser. However, I have seen them on three different machines, one of them a Mac, the others PCs. I doubt all three of them could be infected with the same malware. There’s got to be a different mechanism.

There are a number of Japanese web postings that discuss these fraudulent ads masquerading as prize wins to get people’s credit cards, but none of them explain how the ads are injected or what countermeasure there is, other than closing the tab of the ad once it appears.

Swisscoin (SIC) Crypto-Currency Spam

When crypto-currencies like Bitcoin (BTC) were first introduced, they were claimed to offer the potential of a low-cost, frictionless international payment system. This has not really happened, as BTC turned out to be severely limited in the volume of transactions it could handle. Instead, it increasingly became a vehicle for criminal transactions (including fraud) and for speculation.

In the past twelve months, people have been buying BTC and other crypto-currencies primarily because of the expectation that they could later sell them at a profit. This has allowed existing holders of crypto-currencies to do precisely that. This is very much how “pump and dump” scams operate, usually involving unlisted (OTC) stocks.

“Pump and dump” scams used to involve selling by phone, but in recent years many switched to email spam. Now we are seeing crypto-currencies being advertised via spam. One example is Swisscoin (SIC), as in this email received on 2018-01-16:

It’s probably not news to you at this point if I tell you that bitcoin has made tons of people tons of money. Something else you probably already know is that it will never go up like crazy again. Its time to shine is long gone. That’s why we must look into what the next big thing is, and the truth is that there have been plenty over the last few months. Can you jump on the next huge one before it soars? Swiss coin {SIC} is the most likely candidate for a fifty thousand percent return this year. It has the support of the Switzerland government. It is already considered as legal in the country. It’s the type of coin that you can buy a thousand bucks of right now, sit on for a small period of time and you could make out crazy wealthy when all is said and done. SIC has already doubled since Saturday. This long Martin Luther King weekend could bring you even more upside if you act quickly. For those of you who know what this means- you can get it for under 50 satoshi right now. And if you have no clue what this means, it basically means that you can get in on the ground floor How do you get some? You just need an account at coinexchange. Read the currency’s official page to find out more info: https://swisscoin.eu/sic-deposits.html

The truth is, far from “having the support of the Switzerland government”, Swisscoin / swisscoin.eu is listed on a warning list by FINMA, Switzerland’s independent financial-markets regulator. The Swiss company listed in the FINMA warning did not have an office there. It was founded with a capital of only CHF 20,000. Its officers are based in Leipzig, Germany.

There is no “ground floor” opportunity for Swisscoin. It has been marketed via MLM since 2016 and various people called it a Ponzi scheme. The Dynamoo blog writes in a recent post:

There are questions as to whether Swisscoin is actually a cryptocurrency or a Ponzi scheme. Honestly, I don’t know and I’d advise you to do your own research. However, this has all the markings of a pump-and-dump scheme, so it’s quite possible that someone who bought Swisscoins at their peak wants to pump the price up so they can sell off their holdings. Given that the spam is being sent out from a network of hacked machines and does not comply with anti-spam laws, you can pretty much guarantee that this is not legitimate and should be avoided.

Never buy anything advertised via spam!

Bitcoin Phishing Spams Cashing in on the New Tulip Mania

As a spam and scam researcher I watch new domains being created for malicious purposes. The following domains are look-alike domains of blockchain.info and blockchain.com, two legitimate Bitcoin-related domains:

xn--blckchain-66a.info (blóckchain.info)
xn--blckchain-66a.net (blóckchain.net)
xn--blckchain-m8a.info (bløckchain.info)
xn--blckchain-wxb.info (blōckchain.info)
xn--blckchai-w3a03f.info (blóckchaiń.info)
xn--blckchaln-66a.com (blóckchaln.com)
xn--blckchan-81a8d.com (blóckchaìn.com)
xn--blckchan-i2a8c.info (blóckchaín.info)
xn--blckchin-eza9o.info (blóckcháin.info)
xn--blckchin-m7a96e.info (blōckchāin.info)
xn--bliockchai-s1b.com (bliockchaiņ.com)
xn--bliockci-o8a35ayl.com (bliockcħąiņ.com)
xn--bliokchai-3eb86d.com (blioċkchaiņ.com)
xn--bliokci-u4a5c4s9l.com (blioċkcħąiņ.com)
xn--bliokhai-49ab66d.com (blioċkċhaiņ.com)
xn--blioki-00a0cb4z9l.com (blioċkċħąiņ.com)
xn--blocchai-gmb8m.info (blocķchaiņ.info)
xn--blocchain-orb.com (blocķchain.com)
xn--blocchain-orb.info (blocķchain.info)
xn--blocchin-m7a15c.info (blocķchāin.info)
xn--blockchan-dob.info (blockchaīn.info)
xn--blockchan-ipb.info (blockchaįn.info)
xn--blockchan-n5a.info (blockchaín.info)
xn--blockchin-12a.info (blockchäin.info)
xn--blockchin-61a.info (blockcháin.info)
xn--blockchi-n7a50e.info (blockchāiņ.info)
xn--blockchin-c3a.info (blockchåin.info)
xn--blockchin-ccb.info (blockchāin.info)
xn--blockchin-hdb.info (blockchąin.info)
xn--blockchi-o8a54d.info (blockchąiń.info)
xn--blockchn-fza4j.info (blockcháín.info)
xn--blockchn-n7a43b.info (blockchāīn.info)
xn--blockhai-obb78c.info (blockčhaiņ.info)
xn--blokchain-xdb.info (bloćkchain.info)

These internationalized domain names (IDNs) replace ASCII letters with easily confused look-alike characters; in the DNS they exist in the ASCII “xn--” Punycode form shown on the left, and browsers render the Unicode form shown in brackets. They will turn up in links inside spam emails as part of phishing scams.
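To see what such a domain looks like to the user, and to hunt for more of them in a feed of newly registered names, the script below (an added example, not part of the original post) decodes the Punycode labels, strips diacritics to obtain the ASCII “skeleton” a reader sees, and measures the edit distance to the brand name. The confusables map is a tiny hand-picked subset, not the full Unicode UTS #39 table, the sample list is a few of the domains above plus two benign names, and the registrable label is assumed to be the second-level label (no public suffix list).

```python
import unicodedata

# Characters that NFKD does not reduce to a plain ASCII base letter.
# Assumption: a tiny hand-picked subset of the Unicode confusables data
# (UTS #39), enough for the samples here, not a complete table.
CONFUSABLES = {"ø": "o", "ħ": "h", "ł": "l", "ı": "i", "đ": "d"}

# Constructed sample list: four of the look-alike domains from the post
# above plus two benign names that must not be flagged.
SAMPLE_DOMAINS = [
    "xn--blckchain-66a.info",
    "xn--blckchaln-66a.com",
    "xn--bliockchai-s1b.com",
    "xn--blockchan-n5a.info",
    "blockchain.info",
    "example.com",
]


def decode_label(label: str) -> str:
    """Return the Unicode form of one DNS label (RFC 3492 Punycode for xn--)."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def skeleton(text: str) -> str:
    """Reduce a label to the ASCII letters a reader 'sees': strip diacritics
    via NFKD decomposition, then map the remaining known confusables."""
    decomposed = unicodedata.normalize("NFKD", text)
    base = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return "".join(CONFUSABLES.get(ch, ch) for ch in base).lower()


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; catches added or dropped letters ('bliockchain')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str, targets=("blockchain",), max_distance: int = 2):
    """Flag a domain whose registrable label looks like one of the targets.

    Assumes a two-label name (label.tld); production code would consult the
    public suffix list. Returns None for benign names and for the literal
    brand domain itself.
    """
    labels = domain.lower().split(".")
    raw = labels[-2]
    decoded = decode_label(raw)
    seen_as = skeleton(decoded)
    for target in targets:
        if decoded == target:  # the genuine brand domain, not a look-alike
            return None
        distance = levenshtein(seen_as, target)
        if distance <= max_distance:
            return {
                "domain": domain,
                "unicode": ".".join(decode_label(l) for l in labels),
                "skeleton": seen_as,
                "target": target,
                "distance": distance,
                "punycode": raw.startswith("xn--"),
            }
    return None


def find_lookalikes(domains, **kwargs):
    """Classify a batch of domain names and keep only the suspicious ones."""
    return [r for d in domains if (r := classify_domain(d, **kwargs))]


if __name__ == "__main__":
    for hit in find_lookalikes(SAMPLE_DOMAINS):
        print(f'{hit["domain"]:26} {hit["unicode"]:20} skeleton={hit["skeleton"]} d={hit["distance"]}')
```

The four xn-- names are flagged with distances 0 or 1, while blockchain.info (the literal target) and example.com pass. The skeleton step is what matters: after NFKD normalization “ó”, “ņ” and “ķ” all lose their marks, and the few letters without a decomposition (ø, ħ, ł) are mapped by hand. A real detector would use the complete confusables table and also consider mixed-script labels, which modern browsers already refuse to render in Unicode form.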

Phishing is just one of the pitfalls around Bitcoin and other crypto-currencies. Scammers have revamped the old so-called “High Yield Investment Programs” (HYIP), which are really just Ponzi schemes, to hitch a ride on the publicity around Bitcoin’s stratospheric rise in 2017. If you deposit Bitcoins into an online investment scheme, the scammers can just walk away with your deposit and cash it out into dollars, euros or rubles without being traced.

The latest push of the exchange rate beyond US$10,000 came on the heels of the cancellation of the SegWit2x fork, a proposed upgrade to the underlying technology that not all of the Bitcoin community was prepared to follow. The driving force behind the upgrade was the urgent need to handle more transactions if Bitcoin was ever going to be used as a payment vehicle competing with credit cards, wire transfers and PayPal. If new Bitcoins are constantly being mined and the value of Bitcoin goes up while the size of the average purchase it is used for stays much the same, then the system has to be able to handle more individual transactions.

By cancelling the upgrade, a split of the community has been avoided, but at what cost? It’s really a vote for Bitcoin as speculation object and against it as a viable payment method.

A friend of mine expressed it best when he mentioned that it reminded him of “Pump and Dump” stock scams, only that in the case of Bitcoin it is legal. With all this publicity, existing Bitcoin holders will be able to offload their existing tokens at huge profits. Then, when people realize that Bitcoin is no longer able to work as an efficient payment system (except for scammers, drug dealers and money launderers who value anonymity), the bottom will fall out and all the recent investors will lose billions. It’s Tulip mania all over.


Bitcoin Scams – Stay Away!

The relative anonymity offered by virtual currencies such as Bitcoin (BTC) makes them an attractive vehicle for criminals.

Recently we’ve seen some scams that involve spam inviting you to send money to a Bitcoin address, offering ridiculously high rates of interest on this supposed investment. It’s a new take on the old High Yield Investment Program (HYIP) ponzi schemes.

In reality there is no way to ensure you get repaid once you’ve sent (virtual) money or that the scammers will be held accountable for the fraud. At best some early “investors” will have interest paid from deposits of later “investors”, who will definitely get stiffed. The scammers can simply exchange any deposited BTC into dollars at a Bitcoin exchange and walk away with the money.

Subject: blockchain doubler.

BLOCKCHAIN BY THE NUMBERS,

9/23/2017 12:58:33 from blockchain support

We are pleased to announce a new product – Bitcoin Doubler,
This is limited offer , 5-10 days.
Bitcoin Doubler is active from 23 September 2017 18:00 Pacific until September 29, 2017 18:00.

You can deposit today 0.2 minimum Bitcoins. Maximum amount of deposit by a natural or legal person is 50 Bitcoins. This is an amazing opportunity to win up to 40 Bitcoins if you invest 20 Bitcoins.

How do you double my bitcoins?

Our automated system gathers information from the blockchain transfers and cryptocurrency exchanges to study and predict the bitcoin price, our servers open and close thousands of transactions per minute, analyzing the price difference and transaction fees, and use that information to generate profit.

Investors who want to apply and invest on Blockchain, please make a Bitcoin transfer to:

147SBxHfuN2KJaLMNGo852gJCm5gCdNvq6

How long does it usually take to receive doubled bitcoins?
We pay to you 10% every hour for 100 hours.
HINT : users who deposit more the 10 bitcoins will get bitcoins doubled in maximum 5 minuts.
users who deposit lower then 10 bitcoins will get bitcoins doubled after 6 confirmations.

To trace your investment please send an email to bitcoin-doubler@blockchain.info , And subject to put your Bitcoin address. The Bitcoin address must be the same as you used to invest. If you put in the email a Bitcoin address you not used to making investments, you will only receive an email with your status. If you submit a correct email with a correct address Bitcoin (the same used to make your placement), you will receive an email with the total Bitcoin invested and the date and time of your payment will be made.

Hurry up! This is a Iimited license, unique opportunity.

Here’s another one, using the name of one Bitcoin exchange:

Subject: WEX. important news!

WEX. Rising ex. BTC-e,

9/22/2017 13:20:27 from admin

Team of WEX is glad to welcome you on our new platform!

This is our first official announcement!
We thank all ex-users of BTC-E for their patience at such a difficult moment for all of you guys.

All users who deposit on our platform will get in 2 days , 40% bonus.
Clients who want to apply now on WEX, please make a Bitcoin transfer to:

1QGbpENUv3xJCtiqTcUPM1Vvnwx5FRR6uZ

Hurry UP ! 4510 clients allready deposit , we have now 4110.562 BTC
Due to a large demand among our customers, we expand our bonus for 10 days.

Check status here : https://blockchain.info/address/1QGbpENUv3xJCtiqTcUPM1Vvnwx5FRR6uZ

We will refund your first deposit with dividends withing 2 days at 00:00 Pacific Time. (For example: investing 3.00 Bitcoins today will return 5.20 Bitcoins after 2 days at 00:00 Pacific time) The profits are withdrawn immediately and Blockchain or WEX waives all rights for 1st level investments.

To trace your investment please send an email to btc-invest@wex.nz , And subject to put your Bitcoin address. The Bitcoin address must be the same as you used to invest. If you put in the email a Bitcoin address you not used to making investments, you will only receive an email with your status. If you submit a correct email with a correct address Bitcoin (the same used to make your placement), you will receive an email with the total Bitcoin invested and the date and time of your payment will be made.

Hurry up! This is a Iimited license, unique opportunity.

Thank you, that you believed in us. Thank you that you are with us.
With respect, WEX team.

Any offer arriving via spam that mentions Bitcoin: Stay away from it!

The MKT Negocios Spammers in Argentina

For years I’ve been tracking spam from Argentina that is using yopmail.com / yopmail.net disposable sender addresses.

Unlike much of the spam sent from other countries, the advertised companies are mostly legitimate businesses, some of which may be clueless that mail is being sent to unwilling recipients all over the globe, many of whom do not even speak Spanish.

The sender IPs tend to be on cablevision.com.ar, for example from the 190.188.0.0/15, 190.190.0.0/15 and 181.164.0.0/14 ranges.
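The two indicators above (a yopmail.com / yopmail.net envelope sender and a connecting client inside the listed cablevision.com.ar ranges) can be checked mechanically against a mail log. The following is an added example, not code from the original post: it scores constructed Postfix-style smtpd lines and only treats a line as a confident hit when both indicators are present, because the ranges are consumer ISP blocks and yopmail has legitimate users. The function names are hypothetical.

```python
"""Flag mail-log lines that match the yopmail / cablevision.com.ar spam pattern.

Added example, not code from the original post. The log lines are constructed
to look like Postfix smtpd records; the sender domains and IP ranges are the
ones the post names. Function names are hypothetical.
"""
import ipaddress
import re

# Disposable sender domains the spammer uses (from the post).
YOPMAIL_DOMAINS = {"yopmail.com", "yopmail.net"}

# cablevision.com.ar ranges the post lists as the usual sources. They are
# consumer ISP blocks, so an IP hit on its own is only a weak signal.
SPAM_SOURCE_NETS = [
    ipaddress.ip_network("190.188.0.0/15"),
    ipaddress.ip_network("190.190.0.0/15"),
    ipaddress.ip_network("181.164.0.0/14"),
]

FROM_RE = re.compile(r"from=<[^<>@]+@([^<>]+)>", re.IGNORECASE)
CLIENT_IP_RE = re.compile(r"client=[^\s\[]*\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def sender_domain(line):
    """Domain part of the envelope sender in a 'from=<...>' token, or None."""
    m = FROM_RE.search(line)
    return m.group(1).lower() if m else None


def client_ip(line):
    """Connecting client IP from a 'client=name[a.b.c.d]' token, or None."""
    m = CLIENT_IP_RE.search(line)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:  # e.g. 999.1.1.1 has the regex shape but is not an IP
        return None


def in_spam_ranges(ip):
    return any(ip in net for net in SPAM_SOURCE_NETS)


def classify(line):
    """Return 'both', 'sender-only', 'ip-only' or None for one log line."""
    sender_hit = sender_domain(line) in YOPMAIL_DOMAINS
    ip = client_ip(line)
    ip_hit = ip is not None and in_spam_ranges(ip)
    if sender_hit and ip_hit:
        return "both"
    if sender_hit:
        return "sender-only"
    if ip_hit:
        return "ip-only"
    return None


def flag_lines(lines, min_verdict="both"):
    """Return [(line_number, verdict, line)] for lines worth acting on.

    min_verdict='both' keeps only lines with both indicators (safe to block);
    any other value keeps every line with at least one indicator, for review.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        verdict = classify(line)
        if verdict is None:
            continue
        if min_verdict == "both" and verdict != "both":
            continue
        hits.append((n, verdict, line))
    return hits


# Constructed sample log, not real mail-server output.
SAMPLE_LOG = [
    "Sep 22 13:20:27 mx postfix/smtpd[4211]: 1A2B3C: client=unknown[190.189.10.20], from=<promo@yopmail.com>",
    "Sep 22 13:21:02 mx postfix/smtpd[4211]: 1A2B3D: client=host.example.com.ar[181.167.3.4], from=<newsletter@example.com.ar>",
    "Sep 22 13:22:45 mx postfix/smtpd[4211]: 1A2B3E: client=mail.example.net[203.0.113.5], from=<someone@yopmail.net>",
    "Sep 22 13:23:10 mx postfix/smtpd[4211]: 1A2B3F: client=mail.example.org[198.51.100.7], from=<alice@example.org>",
]

if __name__ == "__main__":
    for n, verdict, line in flag_lines(SAMPLE_LOG, min_verdict="any"):
        print(f"line {n}: {verdict}: {line}")
```

Run against a real log, the default `min_verdict="both"` is the setting to feed into a block list; the "ip-only" and "sender-only" lines are there to be looked at, not rejected, since a /15 of a residential ISP will carry plenty of mail that has nothing to do with this operation.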

The spamming company owns several domains, but these don’t normally show up in sender addresses or links, e.g.:

mktnegocios.net:

Domain name: mktnegocios.net
Registry Domain ID: 186887
Registrar WHOIS Server: whois.dattatec.com
Registrar URL: http://dattatec.com
Updated Date: 2017-09-20T01:00:53Z
Creation Date: 2011-09-19T11:24:51Z
Registrar Registration Expiration Date: 2018-09-19
Registrar: dattatec.com SRL
Registrar IANA ID: 1388
Registrar Abuse Contact Email: abuse@dattatec.com
Registrar Abuse Contact Phone: +54.3415169000
Domain Status: OK
Registry Registrant ID: DC282919DTT
Registrant Name: Cid Ricardo Ernesto
Registrant Organization: Cid Ricardo Ernesto
Registrant Street: Islandia 4393
Registrant City: Lanus Oeste
Registrant State/Province: Buenos Aires
Registrant Postal Code: 1824
Registrant Country: ar
Registrant Phone: +54.42679611
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: ricardocid@hotmail.com

mktnegocios.info:

Domain Name: MKTNEGOCIOS.INFO
Registry Domain ID: D42311407-LRMS
Registrar WHOIS Server:
Registrar URL: http://dattatec.com
Updated Date: 2017-09-19T22:22:35Z
Creation Date: 2011-09-19T11:25:09Z
Registry Expiry Date: 2018-09-19T11:25:09Z
Registrar Registration Expiration Date:
Registrar: Dattatec.com SRL
Registrar IANA ID: 1388
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Reseller:
Domain Status: ok https://icann.org/epp#ok
Domain Status: autoRenewPeriod https://icann.org/epp#autoRenewPeriod
Registry Registrant ID: C114356985-LRMS
Registrant Name: Cid Ricardo Ernesto
Registrant Organization: Cid Ricardo Ernesto
Registrant Street: Islandia 4393
Registrant City: Lanus Oeste
Registrant State/Province: Buenos Aires
Registrant Postal Code: 1824
Registrant Country: AR
Registrant Phone: +000.42679611
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: ricardocid@hotmail.com
Registry Admin ID: C114356985-LRMS
Admin Name: Cid Ricardo Ernesto
Admin Organization: Cid Ricardo Ernesto
Admin Street: Islandia 4393
Admin City: Lanus Oeste
Admin State/Province: Buenos Aires
Admin Postal Code: 1824
Admin Country: AR
Admin Phone: +000.42679611
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: ricardocid@hotmail.com
Registry Tech ID: C114356985-LRMS
Tech Name: Cid Ricardo Ernesto
Tech Organization: Cid Ricardo Ernesto
Tech Street: Islandia 4393
Tech City: Lanus Oeste
Tech State/Province: Buenos Aires
Tech Postal Code: 1824
Tech Country: AR
Tech Phone: +000.42679611
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: ricardocid@hotmail.com
Registry Billing ID: C114356985-LRMS
Billing Name: Cid Ricardo Ernesto
Billing Organization: Cid Ricardo Ernesto
Billing Street: Islandia 4393
Billing City: Lanus Oeste
Billing State/Province: Buenos Aires
Billing Postal Code: 1824
Billing Country: AR
Billing Phone: +000.42679611
Billing Phone Ext:
Billing Fax:
Billing Fax Ext:
Billing Email: ricardocid@hotmail.com
Name Server: NS21.DATTATEC.COM
Name Server: NS22.DATTATEC.COM
Name Server: NS3.HOSTMAR.COM
Name Server: NS4.HOSTMAR.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/

mktnegocios.com.ar:

Datos del dominio
Nombre y Apellido: DALLAVIA FERNANDO LUCIANO VICTOR LUCIANO VIVTOR
CUIT/CUIL/ID: 20220483895
Fecha de Alta: 23/01/2017
Fecha de última Actualización: 24/01/2017
Fecha de vencimiento: 23/01/2018

On their website they tell prospective customers that they send to harvested addresses:

BASE DE DATOS :

Contamos con bases de datos argentinas y del exterior validadas la totalidad de las mismas cada 15 dias, asegurandonos asi la completa funcionalidad y validez de los emails. Los datos se obtienen a traves de extracciones de emails por medio de software en la web.

Translation:

Databases

We have Argentine and foreign databases, all of which are validated every 15 days, thus ensuring that the email addresses are fully functional and valid. The data is obtained by extracting email addresses from the web with software.

Owners of harvested addresses have by definition not signed up to receive bulk mail. The company’s various mailing packages go as high as 16,000,000 emails…

If you’re a business in Argentina trying to decide on online advertising, hiring a spammer like this will damage your reputation and may end up getting your domains blacklisted.

Updated jwhois.conf File for CentOS for New gTLDs

The whois command on CentOS 6.x and 7.x doesn’t handle queries for many domains in new Top Level Domains (TLDs) that were added by ICANN in the last few years.

Domains in many of these new TLDs sell for as little as $0.99 a pop, making them attractive to snowshoe spammers who register them in large numbers. As a spam researcher, I see lots of new spam domains in TLDs such as .xyz, .online, .top, .club, .services, .win, .site, .bid, .life and .trade.

WHOIS is an important tool for me to track the domain registrants. CentOS uses jwhois as its WHOIS client, which relies on a configuration file to tell it what servers to query for detailed information. The configuration file that comes with recent CentOS versions is woefully out of date.

I have gone through the currently existing TLDs and counted 466 of them that are not supported by jwhois but appear to have a valid WHOIS server. For about half of these TLDs I have been able to verify that the WHOIS server works, and I have added them to my configuration file, which you can download here.

Many of the remaining new TLDs are hosted by Neustar, which rate-limits lookups. Because of that I didn’t fully verify all of those hosts, but I confirmed that CNAMEs exist for their WHOIS hostnames pointing at Neustar WHOIS servers, and I tested a small sample of those TLDs.
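The authoritative WHOIS server for any TLD is published by IANA and can be read with `whois -h whois.iana.org <tld>`, which works even with a stale jwhois.conf because the server is named on the command line. The following is an added example, not the post’s configuration file or jwhois’s own code: it pulls the `whois:` field from the IANA record for each TLD and formats a line in the regex-keyed style used in the `whois-servers` block of jwhois.conf (check the key style against the entries already in your file before pasting). The IANA responses embedded below are constructed for offline use, and the function names are hypothetical.

```python
"""Build jwhois.conf entries for TLDs the stock CentOS file does not know.

Added example, not the post's configuration file or jwhois's own code. For
each TLD it asks the IANA root zone database which WHOIS server is
authoritative ("whois -h whois.iana.org <tld>") and formats a line for the
"whois-servers" block of jwhois.conf. The IANA records below are constructed;
function names are hypothetical.
"""
import re
import subprocess
import time

# IANA prints the authoritative server as a "whois:" field; the field is
# absent when the TLD has no WHOIS service at all.
WHOIS_FIELD_RE = re.compile(r"^whois:\s*(\S+)\s*$", re.MULTILINE)


def parse_iana_whois(text):
    """Return the 'whois:' host from an IANA TLD record, or None."""
    m = WHOIS_FIELD_RE.search(text.replace("\r", ""))
    return m.group(1).lower() if m else None


def query_iana(tld):
    """Live lookup of one TLD record (needs network and a whois client)."""
    proc = subprocess.run(["whois", "-h", "whois.iana.org", tld],
                          capture_output=True, text=True, timeout=30)
    return proc.stdout


def jwhois_entry(tld, server):
    """One line for the whois-servers block; the key is a POSIX regex."""
    # The backslash before the dot has to be doubled inside the config file.
    return '\t"\\\\.%s$" = "%s";' % (tld, server)


def build_entries(tlds, lookup=query_iana, delay=0.0):
    """Return (entry_lines, unresolved_tlds).

    A delay between lookups keeps you under the rate limits that IANA and
    some registry operators apply to repeated queries.
    """
    entries, unresolved = [], []
    for raw in tlds:
        tld = raw.strip().lstrip(".").lower()
        if not tld:
            continue
        server = parse_iana_whois(lookup(tld))
        if server is None:
            unresolved.append(tld)
        else:
            entries.append(jwhois_entry(tld, server))
        if delay:
            time.sleep(delay)
    return entries, unresolved


# Constructed IANA-style records for offline use; real output has more fields.
SAMPLE_IANA = {
    "xyz": ("% IANA WHOIS server\n"
            "% This query returned 1 object\n\n"
            "domain:       XYZ\n\n"
            "whois:        whois.nic.xyz\n\n"
            "status:       ACTIVE\n"),
    "nowhois": ("% IANA WHOIS server\n"
                "% This query returned 1 object\n\n"
                "domain:       NOWHOIS\n\n"
                "status:       ACTIVE\n"),
}

if __name__ == "__main__":
    import sys
    entries, missing = build_entries(sys.argv[1:], delay=1.0)
    # Paste these lines inside the existing whois-servers { ... } block.
    print("\n".join(entries))
    for tld in missing:
        print("# IANA lists no WHOIS server for ." + tld, file=sys.stderr)
```

Note that a server being listed by IANA does not mean it answers; for the rate-limited operators mentioned above, run the generated entries through a few real `whois` queries per TLD before trusting them.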

The Latest “Pump and Dump” Stock Scams

For a while things were quiet around stock spam pushing penny stocks, but recently it has been making a comeback. We’ve seen these campaigns:

  • 2017-03-20: Incapta Inc (INCT)
  • 2017-04-11: Quest Management (QSMG)

If you receive spam pushing shares, beware! Never buy stock based on “information” sent out as spam. The only people making money on such stocks are the scammers, who wait for spammed recipients to buy and then offload their near-worthless shares onto them at grossly inflated prices. Reselling such stock is nearly impossible and usually leads to heavy losses.