Beware of fake Kaspersky beta installer emails

Today I received a Trojan email that bears the same handwriting as the recent fake Google Chrome installer emails. Both emails are in German, offer an attached RAR file with what supposedly is an installer for a beta test version of new software from a well-established software company:

Dear user,

today we would like to invite you to our current beta test of the new Kaspersky© 9.5.710.
Our new product stands out through its revised scan routine and the fast and effective
detection of viruses, Trojans and other malicious malware.

For your personal access we have set up a beta account for you, which you must enter during
installation in order to use the web installer and the program itself.

Username: kis_aX9535
Password: c3VF5gg8

This data will be requested during installation. Please note it down exactly,
as it is also required for your access to our website.

At the end of the beta test you will receive a full licence and can thus use Kaspersky©
free of charge for one year for your security.

If you have any questions or problems, write us an email at: beta-team@kaspersky.de

We now wish you much fun with our new product and hope for a positive rating
from you on our website.

Kind regards
Your Kaspersky Beta Team

Copyright © 1997 – 2008 Kaspersky Lab

Industry Leading Antivirus Software

Message headers:

Received: from mo-p05-ob.rzone.de (mo-p05-ob.rzone.de [81.169.146.182])
by mail.joewein.net (Ogose Mail Daemon) with ESMTP id 818CC10DCC78
for <419@419scam.org>; Sun, 21 Sep 2008 21:43:45 +0000 (UTC)
X-RZG-CLASS-ID: mo05
X-RZG-AUTH: :L2MKYUGrb9+s7Ys+/C6cdNboKaxR22vZQHQdVrAeYnDdBsCFdpW1J0sdHw==
Received: from [77.21.44.13] ([62.159.230.93])
by post.webmailer.de (fruni mo40) (RZmta 17.4)
with ESMTP id L03273k8LKd8yb for <419@419scam.org>;
Sun, 21 Sep 2008 23:43:17 +0200 (MEST)
(envelope-from: )
Date: Sun, 21 Sep 2008 23:40:54 +0200
Mime-version: 1.0
Subject: [PR] Kaspersky Betatester Programm
From: Matthias Franken
To: <419@419scam.org>
Message-Id: <9212340.EDWNJLIN@kaspersky.de>
Original-recipient: rfc822;419@419scam.org
Content-Type: multipart/mixed; Boundary="--=BOUNDARY_9212340_SIIK_IDLO_OFNM_KSKB"
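As an added example (not part of the original post), here is a small Python check run over the headers quoted above: it unfolds the Received chain, picks out the first hop, and tests whether the domain the Message-Id claims (kaspersky.de) appears anywhere in the relay path. The sample headers are copied from the post with continuation lines re-indented so a header parser can unfold them.

```python
import re
from email import message_from_string

# Constructed sample: the Received chain, From and Message-Id quoted above,
# with continuation lines re-indented so the header parser can unfold them.
SAMPLE_HEADERS = """\
Received: from mo-p05-ob.rzone.de (mo-p05-ob.rzone.de [81.169.146.182])
 by mail.joewein.net (Ogose Mail Daemon) with ESMTP id 818CC10DCC78
 for <419@419scam.org>; Sun, 21 Sep 2008 21:43:45 +0000 (UTC)
Received: from [77.21.44.13] ([62.159.230.93])
 by post.webmailer.de (fruni mo40) (RZmta 17.4)
 with ESMTP id L03273k8LKd8yb for <419@419scam.org>;
 Sun, 21 Sep 2008 23:43:17 +0200 (MEST)
From: Matthias Franken
Subject: [PR] Kaspersky Betatester Programm
Message-Id: <9212340.EDWNJLIN@kaspersky.de>

"""

# "from <host> (<comment>) by <host>" as written by most MTAs
HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)")
IP_LITERAL_RE = re.compile(r"^\[\d{1,3}(?:\.\d{1,3}){3}\]$")


def received_hops(raw_headers):
    """Return the relay hops in the order the headers appear (newest first)."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(flat)
        if m:
            hops.append({"from": m.group(1),
                         "from_info": m.group(2) or "",
                         "by": m.group(3)})
    return hops


def claimed_domain(raw_headers):
    """Domain the Message-Id claims the mail was generated at."""
    msg = message_from_string(raw_headers)
    m = re.search(r"@([\w.-]+)>?\s*$", msg.get("Message-Id", ""))
    return m.group(1).lower() if m else ""


def analyse(raw_headers):
    hops = received_hops(raw_headers)
    domain = claimed_domain(raw_headers)
    # The last Received header is the one added first, i.e. the injection point.
    origin = hops[-1] if hops else None
    path_hosts = set()
    for h in hops:
        path_hosts.update({h["from"].lower(), h["by"].lower(), h["from_info"].lower()})
    findings = []
    if domain and not any(domain in host for host in path_hosts):
        findings.append(f"Message-Id claims {domain}, but no relay in the path belongs to it")
    if origin and IP_LITERAL_RE.match(origin["from"]):
        findings.append(f"first hop is a bare IP literal {origin['from']} handed to {origin['by']}")
    return {"origin": origin, "claimed_domain": domain, "findings": findings}


if __name__ == "__main__":
    for line in analyse(SAMPLE_HEADERS)["findings"]:
        print("-", line)
```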

At the time of writing this blog posting, Kaspersky’s online malware scanner did not yet recognize the Trojan Kaspersky.9.5.7.1.exe in archive file Kaspersky.9.5.7.1.rar.

As I already stated in my posting about the fake Google Chrome installer, do not install software attached to or linked from emails you didn’t request.

The real Kaspersky software is highly regarded and trial versions are available on the Kaspersky website.

Beware of fake Google Chrome installer emails

Barely had Google announced its new browser Chrome, that malware senders responded by sending out fake emails claiming to provide an installer for the new software. Here is a German message I received:

From: “Steffen Neukirch” <beta-team@google.de>
To: spamtrap-email-address
Sent: Friday, September 05, 2008 09:26
Subject: [PR] New web browser Chrome available

You need a JavaScript-enabled browser to download this software. Click here for instructions on enabling JavaScript in your browser.

Google Chrome (BETA) for Windows
Google Chrome is a browser designed to make using the Internet faster, easier and safer. The browser also offers a high degree of user-friendliness.

For Windows Vista/XP

One box for everything
When you type text into the address bar, you get suggestions for searches and web pages.

Thumbnails of your most visited websites
Open your favourite pages from any new tab in a flash.

Shortcuts for your applications
Launch your most frequently used web applications from desktop shortcuts.

Don’t hesitate to try the new web browser; in the attachment you will find the latest version of Chrome.
Simply install and get started right away.

©2008 Google – Home – About Google – Privacy Policy – Help

I checked the attached 705 KB ChromeSetup.rar file with Kaspersky’s online virus scanner:

Scanned file: ChromeSetup.rar – Infected
ChromeSetup.rar/ChromeSetup.exe – infected by Trojan-Dropper.Win32.VB.efh

Do not install software attached to or linked from emails you didn’t request. The real Google Chrome (Beta) browser is available at http://www.google.com/chrome

Malware: “Por favor veja isso!!!”

Today I received a couple of near-identical emails in Portuguese that differed only by the (forged) sender address:

From: “Fernanda” <fernandinha@globo.com.br>
To: <joewein@pobox.com>
Sent: Thursday, September 04, 2008 06:29
Subject: Por favor veja isso!!!

Do you believe these things still happen in Brazil?

I can’t believe it…

If you want, sign and pass it on!

Tratamentos Desumanos.wmv (153,0 KB)

Google translation:

Subject: Please see that!!!

Do you believe that these things still happen in Brazil?

I can not believe …

If you want to, sign and pass on!

Inhumane Treatment.wmv (153.0 KB)

The link to what looks like a Windows movie file will try to run a malware installer.

The link in one of the emails goes to http://ceubba.org.ar/chat/data/web/~/anexo/video.wmv, which is actually a directory created by the malware senders on a hacked website. When a URL points to a directory, the web server looks for a default document with one of a few typical names, such as index.html or index.htm, and returns that file instead. The criminals named their Windows malware index.html and placed it in that folder. Because the file starts with an executable program header, Windows will try to run it rather than handing it to Windows Media Player to play it as a video.
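An added example (not from the original post) of the defender-side check that catches this trick: compare the file type that the URL’s extension promises with what the first bytes of the download actually are. The sample bodies are constructed stand-ins (the real malware is not reproduced); the URL is the one quoted above.

```python
from urllib.parse import urlparse

# File signatures for the two formats involved: what the URL promises
# (.wmv, an ASF container) and what the server actually handed back (a PE binary).
ASF_HEADER_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")  # .wmv / .asf
MZ_HEADER = b"MZ"                                                     # DOS/PE executable

# Constructed sample bodies; the malware itself is not reproduced here.
PE_LIKE_BODY = MZ_HEADER + b"\x90\x00\x03\x00" + b"\x00" * 60
WMV_LIKE_BODY = ASF_HEADER_GUID + b"\x00" * 60
HTML_BODY = b"<html><body>nothing here</body></html>"

FAKE_WMV_URL = "http://ceubba.org.ar/chat/data/web/~/anexo/video.wmv"  # from the post above


def sniff_type(body):
    """Classify a download by its leading bytes, never by its name."""
    if body.startswith(MZ_HEADER):
        return "executable"
    if body.startswith(ASF_HEADER_GUID):
        return "wmv"
    if body.lstrip()[:5].lower() in (b"<html", b"<!doc"):
        return "html"
    return "unknown"


def expected_type(url):
    """What the extension of the last path component leads the user to expect."""
    name = urlparse(url).path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return {"wmv": "wmv", "asf": "wmv", "exe": "executable", "html": "html"}.get(ext, "unknown")


def check_download(url, body):
    """Flag a body whose real type differs from the promised one; an unexpected
    executable is the dangerous case described in the post."""
    expected = expected_type(url)
    actual = sniff_type(body)
    return {
        "url": url,
        "expected": expected,
        "actual": actual,
        "mismatch": expected != actual,
        "dangerous": actual == "executable" and expected != "executable",
    }


if __name__ == "__main__":
    print(check_download(FAKE_WMV_URL, PE_LIKE_BODY))
```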

Be very careful when clicking on links or attachments in unexpected mail sent to you. Use common sense or a good anti-malware program, ideally both!

Gmail “Never send it to spam” and IE 6

Earlier this summer a friend told me about a way to keep emails out of the Gmail spam filter, which unlike that of Yahoo! Mail cannot be disabled. By setting up a filter rule (say, the email contains certain words) and specifying the “Never send it to spam” action for messages that match the rule, these emails will never get caught in the spam folder.

I collect a lot of spam for building my spam blacklists and would have liked to use my Gmail accounts for that, so this sounded useful. By using a filter rule I could ensure that the spam emails I wanted to analyze would either end up in the Inbox, from where my spam filter can extract them via POP, or would be forwarded to another email address for retrieval.

However, when I tried it, the new option wasn’t there. I found many blogs talking about the feature, but none of the Gmail accounts I tried gave me that option. What was I missing?

The mystery seems to be related to the browser I use: When I used Internet Explorer 7 on a Vista machine, the new option was indeed available. However, with Internet Explorer 6.0 on two XP machines it wasn’t there. When I installed and ran Firefox 3 in parallel on one of those XP machines, the option appeared too.

Therefore, if like me you use IE 6 and don’t want to switch browsers just yet, set up the Gmail filter from another machine running IE 7 or install Firefox as an additional browser (not the default) on your IE 6 machine. Unlike IE 7, Firefox will coexist happily with IE 6 and upgrading to it is not a one-way street as it is with IE 7.

flapstate.com / mdanclub.com / wayizer.com

Today I was contacted by someone about a domain flapstate.com which was still on my spam list from spam received last year. It looks like since then the domain had expired and been deleted, but then registered by a new owner for what appears to be a scam.

The same scam also uses domains

  • mdanclub.com
  • wayizer.com
  • wayate.com
  • coralnic.com
  • grigga.com
  • srcify.com
  • azureclub.com
  • flipality.com

and probably many others. The fact that they keep switching the domain of their website is already one giveaway that it’s a scam.

The four domains wayate.com, wayizer.com, mdanclub.com and flapstate.com are all hosted on the same server, at IP address 216.22.50.130. That IP address has been assigned the reverse DNS name “server1.bestunbeatableoffer.com”. Interestingly, “bestunbeatableoffer.com” is not currently working, as it has been suspended by its registrar for spam or abuse. A Google search for the domain “bestunbeatableoffer.com” finds a blog entry that accuses the site owners of phishing, using a whole bunch of different domains that harvested personal details, including email addresses and passwords.

Do not enter your real name, email account or password on any of these websites. These sites are deceptive and harvest personal information which can (and probably will) be abused!

Here is what happens. If you access any of these websites it first gives you this message:

Our system indicates that a pic from your ip address has been uploaded to this site within the past 48 hours.

This is a blatant lie, because it says the same thing whatever IP address you come from: the message is hard-coded into the website. It doesn’t even check what IP address you access from before it puts up this dialog.

Once you click OK it puts up another dialog:

Fill in to view your pics.

FULL Name of Friend
who referred you to this page:

Your FULL Name:

Your FULL Email:

It then asks for your password. This is highly dangerous. With your email address on Yahoo, Hotmail, Gmail and many other services and your password, the website could access your online address book and find all your online contacts. What’s more it can then contact everyone in your address book in your name, sending them an email that looks like it was sent by you! Thus the deception would snowball. It would allow massive address harvesting.

This is especially true because they also ask which social networking site you come from (e.g. Myspace, Facebook). If people happen to use the same password there, it will allow the scammers to break into social networking accounts and their associated address books, “friends lists”, etc. They can then tell everyone that “their pic has been uploaded” and repeat the game ad infinitum, until they have stolen millions of names, email addresses and passwords.

After filling in the previous forms with bogus data, I got this dialog:

FINAL STEP BEFORE RETRIEVING RESULTS

Our system indicates that your friend recently bookmarked and reserved this page just for you.

It said that after I made up a bogus name for the friend who supposedly sent me there. My email address was also one I made up and had never used before (on a domain that I own). After that I got an error message:

Link unavailable

Possible causes are:
Your geographic location is not allowed for this offer.
Duplicate IP Address.
A system error ocurred.
The offer has expired.
The AFID or CID is not valid or authorized.

The domain flapstate.com was registered with these details, which appear to be forged (see comments below by the real Adam Arzoomanian, who appears to be an innocent party whose name was abused and reputation destroyed by the real scammer):

Registrant [1405632]:
Adam Arzoomanian bulletinpics@gmail.com
375 E Harmon
Las Vegas
NV
89109
US

Administrative Contact [1405632]:
Adam Arzoomanian bulletinpics@gmail.com
375 E Harmon
Las Vegas
NV
89109
US
Phone: +1.7029221911

Billing Contact [1405632]:
Adam Arzoomanian bulletinpics@gmail.com
375 E Harmon
Las Vegas
NV
89109
US
Phone: +1.7029221911

Technical Contact [1405632]:
Adam Arzoomanian bulletinpics@gmail.com
375 E Harmon
Las Vegas
NV
89109
US
Phone: +1.7029221911

Domain servers in listed order:

NS1.DOMAINSERVICE.COM 67.99.176.12
NS2.DOMAINSERVICE.COM 67.97.247.209
NS3.DOMAINSERVICE.COM 64.49.213.231
NS4.DOMAINSERVICE.COM 67.97.247.210

Record created on: 2008-08-03 19:18:56.0
Database last updated on: 2008-08-03 19:16:31.357
Domain Expires on: 2009-08-03 19:18:56.0

(Note that registrant details are not generally verified by registrars, so there is little to stop a criminal from using someone else’s name for a fraudulent domain registration.)

Any other domains that are part of this same scam are likely to use the same address details.

The street address and phone number listed above appear to belong to a nightclub called Spin Nightclub.

Toptieprofiles.com appears to have been part of the same scam, because its HTML code used to reference IP address 216.22.4.42, as does flapstate.com.

Also, the email address used in the domain registration (bulletinpics@gmail.com) suggests a link to domain BulletinPics.com which was also used for an email address and password harvesting scam (see here). Website www.bulletinpics.com looks identical to flapstate.com but is hosted on a different server, on IP address 159.25.17.50. This site loads an iframe that points at domain destination-server.com, which is hosted at IP address 216.22.50.130 like flapstate.com, wayate.com, wayizer.com and mdanclub.com. Here’s the registration record for bulletinpics.com:

Registrars.domain: bulletinpics.com
owner: – –
organization: Spin Promotions
email: bulletinpics@gmail.com
address: 2255A Renaissance Drive
city: Las Vegas
state: —
postal-code: NV
country: US
phone: +1.7029221911
admin-c: CCOM-1288874 bulletinpics@gmail.com
tech-c: CCOM-1288874 bulletinpics@gmail.com
billing-c: CCOM-1288874 bulletinpics@gmail.com
nserver: a.ns.joker.com 69.39.224.27
nserver: b.ns.joker.com 66.197.237.21
nserver: c.ns.joker.com 69.39.224.26
status: lock
created: 2008-05-13 12:14:33 UTC
modified: 2008-05-14 10:01:57 UTC
expires: 2009-05-13 12:14:33 UTC

contact-hdl: CCOM-1288874
person: – –
organization: Spin Promotions
email: bulletinpics@gmail.com
address: 2255A Renaissance Drive
city: Las Vegas
state: —
postal-code: NV
country: US
phone: +1.7029221911

The name “Spin Promotions” suggests a possible connection to Spin Nightclub, whose street address was used for the other domain registrations.

ProfileMirrors.com is another domain that loads a page off destination-server.com. This job offer on GetAFreelancer.com for people doing captcha entry mentions both destination-server.com and bulletinpics. This is very interesting because CAPTCHAs are commonly used to defeat spammers who automatically set up or log in to email accounts at free email providers or BBSes or social networking sites. Here’s a copy of the posting, just in case it gets removed:

searching for good and reliable Teams for desntination captcha entry project . we can pay good rate . PM for more details

when you will PM , please include in your PM

* how many entries you will do everyday
* how many peoples you have to work on this project

********************************************************************

Before bidding work for 15 mins then give us feedback

http://www.destination-server.com/bulletinpics/entry.cgi

entry ID : demo

When I tried the URL given I got this message:

TOO MANY AGENTS LOGGED IN AT ONCE:

PLEASE TAKE A 30 MINUTE REST.

After 30 minutes CLICK HERE to continue work.

Project Manager: Scott Shaw
bulletinpics at gmail dot com

The reason this error page continues to appear is
because agents NEED to take a 30 minute break.
Do not keep attempting to open page.
PLEASE WAIT 30 MINUTES or this
error will continue to appear.

When I tried it again, I got a CAPTCHA to solve. It turned out to be from MySpace:

MySpace CAPTCHA

Could it be that these people use software to log into MySpace accounts using passwords obtained via the scam and then use job seekers in Bangladesh, India and other low-wage countries to defeat the CAPTCHA test thrown at them by MySpace, so they can get at the data in the account afterwards?

With bulk CAPTCHA tests they can also invite anyone on MySpace to become “friends” of the phished accounts, so they can potentially reach every active MySpace user.

Here’s another job offer (a Google search finds many more offers like this):

we need captcha entry team for destination capthca project . we need teams who can deliver minimum 15,000 captcha entries to 50,000 captcha entries daily

http://www.destination-server.com/bulletinpics/entry.cgi

entry ID : demo

please go to the link and work for 15 mins , then give us feedback how many entries you can handle daily.interested team can PM us . but u should check the given link before PM us

Rate is negotiable

happy bidding

The following offer that mentions “bulletinpics” even talks of millions of CAPTCHAs to be solved:

Status: Open
Budget: $30-250
Created: 06/15/2008 at 5:07 EDT
Bidding Ends: 08/14/2008 at 5:07 EDT (2 days, 2 h left)
Project Creator: bulletinpics
Buyer Rating:
(2 reviews)
Description: As many people know, the BulletinPics CAPTCHA project has been very succesful, solving over 250,000 captcha entries per day for several teams earning very good money. We are looking to expand to over one million captchas per day but in order to do this, we need to rotate new domain names to host our images.

We are now looking for people/companies who own unused .COM domain names. We need to point these domains to our main image server for two weeks per domain.

For example, if you own 10 unused domains, we would need you to change the DNS so the A record of each domain would point to our captcha server’s IP address. We are willing to pay $1USD (or best lowest bid) to use up to 1000 domains for 2 weeks each. Please let us know if you can provide this type of service.

More related domains (see also):

  • tellafriendrewards.com
  • stolenprofiles.com
  • profilemirrors.com
  • ownyourfriendarchive.com
  • tradepeopleprofiles.com
  • friendownership.com
  • mirrorsocialsites.com
  • bulletinpics.com
  • peepatpeeps.com
  • buddyspots.com
  • saveyourprofile.com
  • seepeopleprofiles.com
  • socialprofilemirror.com
  • discussprofiles.com

UPDATE 2008-10-21:

The server at 216.22.50.130 (http://www.destination-server.com/bulletinpics/entry.cgi) now displays this message, suggesting that the scam has ended:

This website has been discontinued

All team leaders will be paid in full this week.

UPDATE (2008-11-06):

Spin nightclub happened to be where infamous spammer Sanford “Spamford” Wallace aka “DJ Masterweb” worked (see here). According to the Wikipedia article on Wallace, he had targeted MySpace users before:

On 2008-01-26 the UK Register reported that the Federal Trade Commission has asked the Judge overseeing the 2006 settlement to find Wallace and partner Walter Rines in civil contempt of court for their use of malware and social engineering on MySpace to promote porn and gambling sites.[8] In May 2008 Wallace and Rines were found guilty and ordered to pay $230 million to MySpace by the L.A. District Court when they failed to appear for trial.

What a remarkable coincidence!

Jim Lanton rides a Trojan horse

A recent malware spam takes a new approach to hijacking your computer.

From: Internal Revenue Service [mailto:jim.lanton@irs.com]
Sent: Thursday, July 03, 2008 10:25 AM
To: User@CompanyName.com
Subject: Re: Company report for CompanyName

To : Firstname Lastname

The report is attached.

You need to complete the fields about CompanyName income.

Jim Lanton
IRS Fraud Department

© 2008 Internal Revenue Service All Rights Reserved.

An attachment named “notice_248-849.doc” included an embedded object called “notce.pdf” which was identified as a Trojan downloader by several scanners, including:

  • AntiVir (7.8.0.64, 2008.07.03): TR/Crypt.XDR.Gen
  • F-Prot (4.4.4.56, 2008.07.03): W32/Heuristic-217!Eldorado
  • Microsoft (1.3704, 2008.07.03): TrojanDownloader:Win32/Small.gen!N

While there have been phishing spams before that masquerade as emails from the IRS in the USA or the UK Inland Revenue, this one stands out for its attention to detail.

The email was sent to a friend of mine and addressed him by his full name, not the short form that virtually everyone around him commonly uses, even in business. The name of the company and his email address were capitalized exactly as he normally does it. That is, the company name had a capital letter at the beginning of both of the words it is composed of. The email address was not all lower case; instead both his initials were capitalized on the left-hand side of the ‘@’ in the email address and the domain name was capitalized like the company name.

While it’s possible the malware took the name from an address book on an infected machine, I think it’s somewhat unlikely, as I don’t have a single copy of an email from my friend’s address in which he writes his name in the full version used here. Another possibility is that the malware author purchased a commercial address list of businesses. That would be very unusual, though not unheard of.

Specifically targeting companies and their executives could net the scammers high-yield targets, as they are likely to have sensitive information stored on their computers, which Trojan horse software would open up to these criminals.

P.S.: My apologies to Jim Lanton at the IRS. If he really exists, he has nothing to do with this scam. I am just mentioning him in the headline because people might search Google for the name and I want them to find out that what they received was a malware spam.

Spammers hitch a ride on Google Earth

I recently came across spam that was offering “Google Earth 2008”. In case you don’t know, Google Earth is a free beta product by Google that lets you view satellite images of our planet, probably including a view of your own rooftop.

“Why would someone other than Google promote Google Earth, a product that makes no money?” I asked myself. A little digging soon provided the answer: It’s a scam.

If you search for “Google Earth 2008”, the peculiar product name used by these people, you will not find it on any website owned by Google: There is no product called “Google Earth 2008” by Google. Unlike Microsoft, Google does not include year numbers in any of its product names. The official name of the real product is “Google Earth beta” (there are also Pro and Plus versions, which are not free).

The links in the spam email take you to “new--features.net” and “now--official.com”, which have no connection to Google. Both had only just been registered. Clicking on these links will take you to “instant-access.org” and on to “secure.signupsecurity.com” where you get a choice of several subscription plans, ranging from one year at $2.49 per month to three years at $12.97 per year — for downloading a free product that these people don’t even own the copyright to! If you read the small print you’ll find that you’re buying technical support for a free product that basically doesn’t need any support.

Other domains used with this scam: earth-2008-online.com, mysoftwareprovider.com, googleearth.2008-download-now.com, googleearth-now.com, googleearth.downloading-now.com, googleearth.2008-new.com, googleearth.current-version.com, dailylifeinfo.com, earthvideos.net, dailyfeedback-online.com.

By the way, you can get the real Google Earth beta download for free at http://earth.google.com and it’s a great product.

Sample spam:

Secret Images from Space. Real Photos from a Orbiting Satellite.

Go here to watch video

Search and find different star constellations.
Locate and find comets, asteroids and other heavenly bodies.
A new perspective from our tiny planet.

Explore the universe & our galaxy here

Find your way around town – Search schools, parks, restaurants, & hotels. Also included, driving directions.
Searchable geographic maps – Search and then zoom in! Save and share your searches with your family and friends.
View in 3D and 2D – View the entire world in 3D! Tilt and rotate 3D terrain and buildings.

Go here to visit website

Have a Great Earth Day!

Thank you for your interest,
Steven Nantel
Sales VP

To unsubscribe from onlineproducts-now.com’s list, you may click on the link below: http://onlineproducts-now.com/uns.php?c=isolutions2&m=somenumber&e=emailaddress

Plaza Neptuno, local #7
Via Vicardo J Alfaro, Tumba Muerto
Panama Ciudad
Republica de Panama

Update 2008-06-15:
The same people also run a scam in which they promise you can watch 3000 TV channels on your PC. When you sign up and pay a $19.95 “activation and software fee” (and various subscription fees on top) they apparently send you to a website to download LimeWire and Kazaa.

Example email:

Cable & Satellite bills are becoming more and more expensive these days.
Why pay high monthly fees to watch TV?

What if I were to tell you that there is a TV to PC product which offers you thousands of channels and does not charge you a monthly rate?

http://live-tvnet.com

Online TV Networks is an easy-to-use computer program that legally accesses thousands of television channels from all over the world and sends them to your computer through the internet!

Have you recently missed any of your favorite shows? With our Satellite TV to PC software you can get right back on track and pick up where you left off.

Never miss a show again!

http://live-tvnet.com

No cable box or TV card is needed. There are no reoccurring charges.

Are you out of the loop on current events from around the world? Have you been following the election and other political news? Now you can on your own time and at your own pace. Watch TV when you want to.

The Most Watched TV Shows Online:

Lost
Family Guy
One Tree Hill
Naruto
House

http://live-tvnet.com

Enjoy News, Sports, Weather, Educational Broadcasting, Children Channels, Home & Gardening, Cooking, Shopping & a wide range of multimedia content.

Watch all of your favorite shows, with satellite television on your computer!

Enjoy,

Steven Mathews
Customer Relations
http://live-tvnet.com

To unsubscribe from onlinetec-help.net’s list, you may click on the link below:
http://onlinetec-help.net/uns.php?c=isolutions3&m=bignumber&e=emailaddress

Domains used:
live-tvnet.com, onlinetec-help.net, liveonlinedata.com, newonline-vds.net

And a video download version:

New anticipated summer releases for this weekend
Don’t forget the popcorn!

Weekend Premier:
The Incredible Hulk (Action/Fantasy)
Fugitive Dr. Bruce Banner must utilize the genetic accident that transforms him into a giant, rampaging hulk to stop a former soldier that purposely becomes an even more dangerous version.

http://mymovies-now.com/

You Don’t Mess with the Zohan
Adam Sandler stars in this new film about a Mossad agent fakes his death so he can re-emerge in New York City as a hair stylist.

Kung Fu Panda
Po the Panda is the laziest animals in all of the Valley of Peace, but unwittingly becomes the chosen one when enemies threaten their way of life.

http://mymovies-now.com/

Here are the current top movies at the box office:

Sex and the City
Carrie Bradshaw returns with her friends in the much-awaited film version of the hit TV series.

Indiana Jones and the Kingdom of the Crystal Skull-
Famed archaeologist Dr. Henry “Indiana” Jones is called back into action when he becomes entangled in a Soviet plot to uncover the secret behind mysterious artifacts known as the Crystal Skulls.

http://mymovies-now.com/

The Strangers
A young couple staying in an isolated vacation home are terrorized by three unknown assailants.

Iron Man
When wealthy industrialist Tony Stark is forced to build an armored suit after a life-threatening incident, he decides to use its technology to fight against evil.

http://mymovies-now.com/

Here’s our picks for the newest released DVD’s of this week:

Rambo, The Golden Compass, 27 Dresses, Paranormal State – Season 1, Cloverfield

http://mymovies-now.com/

Thank you for your interest,

Steven Nantel
Sales VP

To unsubscribe from newonline-vds.net’s list, you may click on the link below:
http://newonline-vds.net/uns.php?c=isolutions2&m=bignumber&e=emailaddress

Plaza Neptuno, local #7
Via Vicardo J Alfaro, Tumba Muerto
Panama Ciudad
Republica de Panama

mymovies-now.com

UPDATE (2008-10-23):

They’re running the same scam with OpenOffice (a great product that is free software):

Open Office Suite 2009
Open, Create & Edit Your Files

Download Office Suite 2009 Here

Edit Word, Excel & Power Point files- 100% MS Office Compatible.
Read and write PDF files just like Adobe.

Here’s how to download Open Office 2009:

1. Go to: Download Page
2. Download Open Office 2009
3. Receive access immediately

This software package is the best way to edit your documents.
Publish all of your documents online in the HTML format.

Thank you for choosing us, the worldwide leader in Open Office 2009.

For More Information Visit our Website

Thank You,

David Matthews
Office Solutions

The domain used is daily-product--info.net, one of many spam domains hosted at 89.149.224.86 and 67.209.150.34 that are used for this scam.

Microsoft subsidizes Nigerian scammers

A four-part series of blog postings at Artists against 419 discusses in detail the massive abuse of Microsoft’s OfficeLive (MSOL) webhosting service by Advance fee fraud scammers, which I mentioned in a previous blog post here. Currently I come across such MSOL domains at a rate of about two new ones per day.

As the Artists point out, one of the reasons for the large number of scam domains hosted at MSOL is that, unlike at other webhosting services where customers get their own domain, they are not charged any fees for registering and using a domain. Microsoft appears to be so desperate to find any business willing to host its website with them using the basic webhosting package that they fork out cash to VeriSign for the .com / .net domain registration fees.

To secure against abuse, the user has to supply a credit card when signing up, but no charge is ever made to that card. All that MSOL will do with it is get authorization from the card company to charge $1 to it (that means the card company will verify that the card exists, has not been cancelled and that current accumulated charges since the last statement are at least $1 below its set spending limit). Those $1 authorizations will not show up on a monthly statement, so the owner of a card whose data has been stolen never sees them. If the owner doesn’t see unauthorized charges he has no reason to cancel the card, and the scammer can use the same card over and over to register hundreds of scam domains, while Microsoft pays hundreds of dollars in domain registration fees to VeriSign and scam victims lose thousands of dollars to the scammer.

The article series then discusses the problems with trying to get MSOL to take action against the criminal abuse of their system, which appears to be so broken that even a domain that has been disabled (no working website) can still be used for sending email, which is all that some 75% of scammers ever use it for anyway, according to the Artists.

Read the article series here:

Update on child porn hosted at Yahoo

Four weeks ago I reported that Yahoo seemed to finally have got a handle on the problem of criminals abusing its webhosting service for posting child pornography. Alas, the porn spammers only seem to have taken a vacation. After those 4 weeks of almost no new child porn sites, they returned. I counted 36 new domains used for hosting child porn between December 12 and January 5.

To their credit, Yahoo have responded promptly to every single report I sent them and have shut down the sites, but it would be far preferable if they took measures to ensure they catch fraudulent registrations before the scammers have a chance to send spam and collect credit card signups from people who respond.

Yahoo abuse handling improves, OfficeLive and Earthlink have their work cut out

Nine months ago I reported about a series of child porn sites that were being illegally hosted at Yahoo’s webhosting service. At the time I was seeing about half a dozen new sites pop up every day. I am glad to report that about 4 weeks ago Yahoo finally seems to have done something to stop this. After 18 months of a steady stream of new porn sites that I reported, things went quiet after two sites it suspended on November 5, 2007, which I had reported earlier that day. For the next two weeks I didn’t come across any new sites. Another 9 sites I came across on November 20, 21 and 22 were quickly terminated. Then again no new sites to report for three weeks. Thank you, Yahoo, for stopping these criminals! I don’t know what Yahoo did to prevent fraudulent signups (child porn webhosting signups usually involve stolen credit card data), but whatever it is seems to be working. Now if it could only stop the phishing scammers that still abuse their service.

Meanwhile, two other webhosts constantly keep popping up in connection with various Nigerian scams. For many months Microsoft’s OfficeLive has been the clear leader. I did some counts a few months ago and found that amongst domains connected to Advance fee scams that I was adding to the SURBL blacklist, more than half were hosted at OfficeLive, i.e. more than for all other webhosts combined!

Unlike most other webhosts, OfficeLive does not appear to maintain an abuse reporting email address to which to forward scam reports. All they have is a webform.

The runner-up amongst Advance fee fraud domains has been Earthlink.net, where numbers seem to be increasing. If you try to report fraudulent domains that have appeared in contact addresses listed inside a scam email, such as a “claim agent” for an “email lottery” or an immigration lawyer for an international employment scam, do not waste your time contacting abuse@earthlink.com. All you would get back is a boilerplate message that the message you reported did not originate from an Earthlink account, which may well be true, but is beside the point. Here’s an example:

Hello,

Thank you for submitting a report to the EarthLink Network Abuse
Department. Unfortunately, we are unable to investigate the email you
forwarded because it does not appear to have originated from the
EarthLink network.

For instructions on determining the origin of an email, please visit:

http://support.earthlink.net/tutorial/mailbox/interpret_headers/

If, after reading the above article, you find that the email did NOT
originate from the EarthLink network, we encourage you to submit the
email to the appropriate network.

If you were trying to report fraud (“phishing”), please contact our
Fraud Department via our Fraud webform located at:

http://securitycenterkb.earthlink.net/fraudmi.asp?route=email

If you find that the email DID originate from the EarthLink network,
please reply directly to this email.

The EarthLink Appropriate Use Policy, Users Agreement, and Privacy
Policy are available at: http://earthlink.net/about/policies

We appreciate your assistance.

Sincerely,

EarthLink Network Abuse

The email I had been trying to report had been sent from a Gmail account, but it was telling people to contact an email address that used an Earthlink-hosted domain name.

I will give the Earthlink fraud report webform a try. Hopefully it works better. Webforms are a poor substitute for reporting abuse via email. Much abuse will remain unreported if abuse reporting involves much more than hitting the forward button. Criminals will keep flocking to those providers who do not have effective abuse handling departments, such as OfficeLive and Earthlink.