From the monthly archives:

August 2008

Cheekiest spam comment of the week

by certifiedbug on August 31, 2008

in This and That

Blog comment:

Please, do not delete the given message. Money obtained from spam will go to the help hungry to children

Uh huh.

Link tested in a VM (virtual machine).


Spam in the mailbox was always an annoyance; look what it can do to you now.

Interesting comments made on Brian Krebs’ article:
Report Slams U.S. Host as Major Source of Badware

other domains are suspended by us.
Posted by: Konstantin Poltev | August 31, 2008

That is recent; let’s hope they keep on top of it.

http://whois.domaintools.com/avxp08.net

http://whois.domaintools.com/avxp-2008.net

http://whois.domaintools.com/powerantivirus-2009.com

Consumergain.com spamvertises at Photobucket

by certifiedbug on August 30, 2008

in Security

So there I was at Photobucket looking at images when this popped up.


I clicked No and was redirected to the site anyway. In other words, my browser was hijacked.

WOT edged in to say no no no.

http://www.mywot.com/en/scorecard/consumergain.com

Site Advisor also flags consumergain.com:
http://www.siteadvisor.com/sites/consumergain.com

Press release of January 30, 2008, by the Federal Trade Commission (FTC):
Online Advertiser Settles FTC Charges. “Free” Products Weren’t Free; Settlement Calls for $200,000 Civil Penalty

According to the FTC, Member Source Media LLC, doing business as ConsumerGain.com, PremiumPerks.com, FreeRetailRewards.com, and GreatAmericanGiveaways.com, and the company’s principal, Chris Sommer, used deceptive spam and online advertising to lure consumers to its Web sites. For example, Member Source Media used e-mail subject lines such as, “Congratulations. You’ve won an iPod Video Player”; “Here are 2 free iPod Nanos for You: confirm now”; “Nascar Tickets Package Winner”; “Confirmation required for your $500 Visa Gift Card”; or “Second Attempt: Target Gift Card Inside.” The company’s Web-based ads contain similar representations: “CONGRATULATIONS! You Have Been Chosen To Receive a FREE GATEWAY LAPTOP.”

http://www.ftc.gov/opa/2008/01/media.shtm

The FTC should take another look at Consumergain.com.

Of secondary interest, Photobucket uses the ASK searchbar.

The searchbar can be used to perform an internal search of the website, and as with the ASK pre-checked toolbar that is offered for one’s browser during the installation of certain programs, a search still comes with plenty of sponsored results.

http://certifiedbug.com/blog/tag/ask/

7Search.com’s website owner has filed a complaint at the US District Court in Illinois, claiming it is being unfairly maligned by warnings from McAfee that the site poses a risk to its customers.

Site Advisor: http://www.siteadvisor.com/sites/7search.com

Are you the owner of this site? Leave a comment.

7search.com Web site owner comments (0)

http://www.mywot.com/en/scorecard/7search.com

The person listed as domain owner for 7Search also owns other domains. One of them, browseraccelerator.com, hosts a browser toolbar blocked by some security products.

http://www.mywot.com/en/scorecard/browseraccelerator.com

Source: The Register

There will always be an England

by certifiedbug on August 29, 2008

in This and That

Maybe not the one people have fought for over the centuries…

A council yesterday admitted using laws designed to track serious criminals to spy on a family for nearly three weeks to find out if they were lying about living in a school catchment area.

The council used the Regulation of Investigatory Powers Act (RIPA) to draw up a list of the mother’s movements from February 13 to March 3, showing the times and exact routes of school runs with her children. She told the Bournemouth Echo that the record, shown to her by a school admissions manager, included detailed notes such as “female and three children enter target vehicle and drive off” and “curtains open and all lights on in premises”.

Council uses criminal law to spy on school place applicants

WGA Notifications for Windows XP Professional

by certifiedbug on August 29, 2008

in Microsoft

Deployment of the latest version of WGA Notifications for Windows XP has begun; this release includes a couple of significant updates.

Based on user feedback, a return to the Windows Update install prompt as the simplest, fastest way to install and stay up-to-date.

The team will be focusing on the product edition that is most often stolen (aka pirated): Windows XP Pro.

This release will be offered to Windows XP Pro as well as those using editions based on Pro code such as Tablet and Windows Media Center. The plan is to narrow the offering to Pro in future releases.

With this update to WGA Notifications in Windows XP, we’ve implemented a couple of related features that draw on the notifications experience we designed for Windows Vista SP1. After installing this version of WGA Notifications on a copy of Windows XP that fails the validation, most users will discover on their next logon that their desktop has changed to a plain black background from whatever was there previously.

Article and screenshots:
Update to WGA Notifications for Windows XP Professional

Spamhaus Report, Cybercrime’s U.S. Hosts

by certifiedbug on August 29, 2008

in Security

Spamhaus Blog.
2008-08-29

When cybercrime is mentioned it never takes long for Russia and the Ukraine to enter the picture. However, while a lot of cybercriminals are based in those countries, a lot of their infrastructure is housed in the west, in the United States to be precise.
Without exception, all of the major security organizations on the Internet we know of agree that the ‘Home’ of cybercrime in the western world is a place known as Atrivo/Intercage. We ourselves have not come to this conclusion lightly but from many years of dealing with criminal operations hosted by Atrivo/Intercage, gangs of cybercriminals - mostly Russian and East European but with several US online crime gangs as well - whose activities always lead back to servers run by Atrivo/Intercage. We have lost count of the times we have tracked a major virus botnet’s “command and control” to Atrivo/Intercage servers, readers can view here some of the current and historic SBL records for Atrivo for a taste of what has been happening in this network. At almost every Internet security conference, or law enforcement seminar on cyber-crime, a presentation will detail some attack, exploit, phish or financial crime that has some nexus at Atrivo/Intercage.

Cyber Crime USA

Cyber Crime USA

by certifiedbug on August 28, 2008

in Security

hostexploit.com

It has become increasingly apparent the malware, spam, phishing and other BadWare distributors are now engaged in automated domain generation, 100’s to 1,000’s per week, which is proving a serious difficulty for major domain / IP ‘blocklist’ and ‘blacklist’ providers to simply keep up. Added to this we now have: iFrame attacks via web portals, several major international web hosts with 1,000’s of their innocent and money paying clients having hacked and infectious (to web surfers) web sites, DDoS (distributed denial of service), polymorphic malware that many anti-virus / spyware / malware solutions are unable to detect, and millions of PC users being directed to rogue and fake web sites. Finally we have the rise of the Botnets, anonymously managed fast and double-flux (ever changing IP addresses) control of 1,000’s of infected zombie PCs.

We now believe the general situation on the Internet calls for an alternative and added open source approach to deal with this head on, i.e. the web hosts and Internet carriers. Every one of the IPs, web sites or domains is hosted or carried by someone; we feel it is time to break the taboo and name, list and expose the ones that host the malware that infects us all. This approach is not to replace existing methods, but we hope it will add to the security community’s and PC users’ array of possible tools to reduce the threat.

Brian Krebs, washingtonpost.com
Report Slams U.S. Host as Major Source of Badware

“Update: Directi disclaims all allegations in the knujon / hostexploit reports as baseless and factually incorrect”

Our official response to inaccurate reports which falsely implicate the Directi Group

There have been some articles and reports recently published by Garth Bruen at Knujon and by Jart Armin and James Mcquad at Hostexploit, that somehow link Directi with groups that support organized internet crime. The motives behind these reports are still unknown, but as an organization that prides itself on setting industry benchmarks in ethics and best practices, we are extremely shocked by these allegations. While I applaud the efforts of volunteers such as Knujon and Hostexploit who spend their personal time to try and combat spam, I am personally quite saddened when the very individuals who we trust to combat fraud engage in publicity moves without consideration for the reputation of legitimate businesses.

Neither Knujon nor Hostexploit extended a basic courtesy of even contacting us to verify any of the facts in their report before publishing the same. Directi is not even remotely related to the organizations or activities listed in those reports. The arguments presented in these reports are either downright baseless, or based on complete fabrication of facts.

Complete article at the Directi Corporate Blog

Directi has provided an official online response on their blog in an attempt to deny us, the press, bloggers, and other groups the freedom to report or blog on independent findings on the Internet. The Directi blog article contradicts their own statements elsewhere and distorts the facts of the matter. Below we provide our responses and further clarification including third party verification.

Directi – an update and response from HostExploit.com

The Register.
Anonymous domain registration nixed amid fraud complaints.
Directi strikes back

ESTDOMAINS, INC. owns an anonymous domain registration.
ICANN Registrar: ESTDOMAINS, INC.
Registration Service Provided By: ESTDOMAINS INC
Domain Name: PROTECTDETAILS.COM
IP Location: United States - California - Concord - Intercage Inc

From McAfee Avert Labs: The darksides domains

Before anyone from a registry or registrar starts the classic “Smith & Wesson” rant think about this, “Smith and Wesson” don’t sell maps or cars, drive you to the forest, apply your camouflage, help with your ICANN accreditation or load your gun for you ;)

A good read.

Updates:
Certifiedbug:
Directi

September 7, 2008

In light of recent developments, Jart Armin of HostExploit.com, Bhavin Turakhia, CEO of Directi, and Garth Bruen of Knujon have had an open dialogue and mutually agreed to release this joint statement clearing any previous misconceptions and reaffirming their common goal to combat abuse on the Internet. Here are a few of the points they would like to jointly make -

HostExploit

Infector Spam ‘Free Update Windows XP,Vista’

by certifiedbug on August 27, 2008

in Security

Too many users still open spam, click on links and get infected. So, beating the drum once more, this is what this particular spam in your mailbox may look like.

Totally bogus: this is SPAM and NOT from Microsoft. The usual install.exe to infect the computer was hidden under “Free Update Windows XP,Vista”.

Spam posing as MSN Featured Offers

Computer Worm hitches a ride on ISS

by certifiedbug on August 27, 2008

in Technology

We all use them, those handy little gadgets that make it so easy to transfer media from one computer to another.

USB sticks are also a prime source of spreading infections between machines, and in this case into orbit.

Topic at SpaceRef Space, a news website.
NASA Discovers Computer Virus Aboard the International Space Station

W32.Gammima.AG worm is a level 0 gaming virus intended to gather personal information. Virus was never a threat to any of the computers used for cmd and cntl and no adverse effect on ISS Ops. Theory is virus either in initial software load or possibly transferred from personal compact flash card. Working with Russians (and other partners) regarding ground procedures to protect flown equipment in the future. It was noted that most of the IP laptops and some of the payload laptops do NOT provide virus protection/detection software.

NASA spokesperson Kelly Humphries was quoted by Wired’s Ryan Singel, “This is not the first time we have had a worm or a virus, it’s not a frequent occurrence, but this isn’t the first time.”
