Showing posts with label security. Show all posts

Saturday, July 14, 2018

Webcam Blackmail Email Spam

The latest, greatest attempt to get money out of people on the Net has been making the rounds in different variations, the essence of which is a threat to release a webcam video of misbehavior committed while watching pornography online. I bothered to check the latest one out because it actually was addressed to me with the correct email address AND my old LinkedIn password in the subject.

Fortunately, that was a unique one not recycled due to my personal distrust of any social media service. The 2012 hacking of LinkedIn exposed 117 million passwords which were sold off to various criminals looking to commit cybercrime. They did get around to notifying users to change their passwords (I did long ago) but tried to conceal the size of the security breach.

Monday, December 22, 2014

SEO Spam or Fear the Penguin

One of the most irritating con jobs on the Net is selling links to people desperate to get traffic to their websites. This is part of what is known as “black hat SEO” with SEO standing for Search Engine Optimization. So it was rather interesting to get two false referrals from seoairport . com / site / product / in my Blogger stats today. UPDATED: December 2014 has seen a massive amount of hits from seoairport . com / site / recommended with no end in sight. New screen captures added at the end of the post.

SEO Airport Spam 01

Firing up the trusty virtual machine, I checked it out. Remember folks, don’t click on strange links and leave that to daredevils or those of us with more than one operating system on a machine. The name told me what to expect out of the site and I wasn’t disappointed.

The home page above is of basic design, which will be important later on.

Tuesday, June 10, 2014

Chatty Spam

A wave of referral spam recently hit my Blogger stats that looked like it might be real referrals, but as you have probably guessed from the title, it was spam again. The culprits are from freenode . net in two incarnations and I’ll be showing where the links lead to. Also included is some bonus spam involving the sex trade, travel, and an error message.

Remember to never click on suspicious links and leave that to those of us crazy enough to do so! You could end up with all sorts of nasty stuff on your computer.

Wednesday, May 07, 2014

Just What I Wanted: More Spam

While the blog hasn’t been hammered with referral spam recently, there have been a few drive-bys. Also in the mix was an attempt at comment spam that shows how the Web 2.0 emphasis on social media makes it easy to establish a false identity on the Internet, thereby lending an appearance of credibility to a post.

Remember not to click on suspicious links, folks. Leave that to crazy people like me who use layers of security and virtualized computers to poke cyber hornet nests.

First up is from Russia, without love:

Trust Combat Spam 01, Trust Combat Spam 02

Trust Combat’s spam came in as http: // www . trustcombat . com / faq . htm and appears to be an SEO (search engine optimization) outfit wanting money to help boost your web page ranking. They want to help you so badly that they accept Bitcoin, Litecoin, Nextcoin, Primecoin, and Paypal for payment. Links to proxy services are also found on the site.

trustcombat Blog Spam 01, trustcombat Blog Spam 02

UPDATED: Taking advantage of Blogger’s ease of setting up blogs to fake a legitimate presence is nothing new. What’s new is trustcombat . blogspot. com showing up in my referral data, complete with a Google Plus account. Tips and tricks for link building and creating a fake social media presence along with every single link going back to trustcombat . com fill the page.

I’d steer away from them, nothing good would come of doing business with what looks to be a fly by night operation. While neat and tidy, this is a barebones site that probably was set up in an hour or so of work. Avoid clicking on this link if it shows up on your Blogger stats.

Tuesday, December 31, 2013

Forget Mystery Meat, How About Mystery Spam?

Just in time for the end of the year, I found a new referral spam in my Blogger statistics. http: // semalt . com / competitors_review . php? u= (then my blog address) is obvious spam due to it having text suggesting that someone is competing with my website and checking me out.

Semalt Spam

Using a virtual machine and TOR to be anonymous, I checked out the address. It only gets me to the home page where a requirement to register first stopped me cold. Of course, it wants you to log in using your Facebook, Google Plus, or Microsoft Live accounts. Oh, nothing suspicious about that, is there?

It offers to show you what your Google rankings are, which is interesting given that you can sign up for Google’s own tools for free to do the same. As the page loaded, I noticed that it loaded counter . yadro . ru , a Russian address I only fleetingly glimpsed. Some sites report this as a malware infection while others say that it is simply a tracking site like Google Analytics. Still a bad guy according to most, so consider it a red flag.

The privacy policy and terms of use pages are generic, giving no useful information. There was no way I’d sign up to find out what lay beneath the barebones page other than to look at the source HTML. In there the meta description of the content bills the site as a “Professional keyword ranking monitoring service with competitor analysis. Fee plans.” Also found in the code was the yadro address, so that is being loaded as a hit counter.

My advice to all who get a variant of this link in their statistics is to avoid clicking on it. Semalt is most likely only there to harvest data to access your email and social accounts with the possible additional goal of selling SEO (search engine optimization) methods.

UPDATE

I’m seeing more hits from this spam showing up in StatCounter now and they are coming from computers in different countries with differing versions of Windows and screen resolutions. This means a botnet of infected computers is most likely being used to push the spam rather than forged addresses.

Please do not click on the link and if you have, run an antivirus program along with something like MalwareBytes or Spybot to make sure you haven’t been infected.

Tuesday, December 03, 2013

Salary Comparison and Bitcoin Spam

With a sudden stop to the flood of Russian blog spam, I’d been feeling a little lonely this holiday season. But hey, Cyber Monday brought me a deal! UPDATED: Added links to articles on Bitcoin malware at end of post.

Am I Richer Spam 01

http:// www . amiricherthanyou . com / ec_recommended . php ?q=Oved&id=473535 arrived in my blog stats to assist me in feeling financially inadequate. Oh boy! Just what I wanted, more spam! Sarcasm aside, I was wondering why things had gotten so quiet lately. So firing up my trusty virtual machine and TOR, I checked out the link. Remember, don’t try this at home, kids. Never click on suspicious links or you will be sorry.

Am I Richer Spam 02

Surprise! The link took me straight to an ad for BitCoin trading. Yeah, that doesn’t look shady at all, does it? I’d have a better screenshot, but I forgot to maximize my browser and there was no quick way to get that site back – there’s a good reason for that I’ll go into later.

Monday, November 11, 2013

Comments and Spam

It truly feels like a Monday, complete with the first significant snow of the season. In the wee hours of the morning here, a comment came into my blog that looked somewhat legitimate. After publishing it to get full access to all the html involved, I decided it was too shady to keep on the blog. Here’s the content of the post:

Social Cubix said...

Comment spamming you can only prevent by configuring your posting software appropriately. There are some technics like image code verification to verify a human is posting, against human postings with inappropriate content helps only an editor review before release. Machine posted spam may increase, if you use well known templates from popular blogging software.

12:21 AM

Wednesday, November 06, 2013

Strange Influx of Russian Spam, Part 3

Given how much I’ve already documented the new wave of Russian referral spam showing up on Blogger, I’m simply listing the new links as they come in. For more information on what this is all about, please see my previous posts here and here. In what may be a coincidence, vampirestats has been showing up in large numbers during the same time period. Also, I'm starting to see repeats of the same links, but they always register four times when they hit.

Tuesday, November 05, 2013

Strange Influx of Russian Spam, Part 2

Another day brought in another round of the odd referral spam to my Blogger statistics. Following the same pattern as the first batch, things took a turn toward the sinister once I started checking them out.  If you receive any of these in your referrals, do not click on the links!

Artcs Spam 01

http: // art-cs . ru / ?p=275 linked to a post on a Russian blog, just like all the others during this onslaught of faked referrals. This one does have phone numbers in one post, though I didn’t look them up. The last post was in September of 2012 and most of the posts were put up on one day.

Etiketu Spam 01

The second of this wave was http: // etiketu . ru / ?m=20120907 which links to a blog about proper etiquette and how it helps in business. Like the farming site in the first wave, this one has an about page. Unlike that one, no name is associated with it. Instead a mission statement of promoting humanism and decency is present. This will turn out to be highly ironic.

It was last posted to in October of 2012.

Monday, November 04, 2013

Strange Influx of Russian Spam

November has brought cold winds with it and a flood of Russian spam on the 3rd. The false referrals on my Blogger stats lead to a baffling variety of blogs. Only one is an obvious attempt to sell things, which makes it very mysterious that they all came at once. Oddly, all showed up four times with the exception of the first. All use WordPress and none have ads placed on the pages, but do have LiveInternet statistics links.

UPDATE: Continued with a theory of why these are being sent out.

Now the individual links:

Kyho Spam 01

http : / /www . kyho . ru / was the first to arrive Sunday morning. I copied the link for future investigation and headed out to church. Little did I know that it was the first of a larger group of spam arriving through early Monday.

Firing up my virtual machines for safe and compartmentalized browsing, I found out I’d be using Google translate a lot in trying to decode the mystery. This site is dedicated to hair care with repetitive posts which raises suspicions of being an automated site scraping content from legitimate blogs. There are no comments and it is a barebones blog layout. It also was last updated in November 2011!

With no ads and no immediately visible malware on the page or in the source code, it looked like another case of zombie spam.

Thursday, October 31, 2013

A Frightening Innovation in Malware?

It may be Halloween and a time for spooky tales from the dark recesses of the imagination, but real life has more than enough frightening things. As we are now a high technology bound society in the West, it seems some of the more alarming things involve computers. A new strain of malware has shown up that supposedly can use a computer's speakers and microphone to transmit data.

If this turns out to be a legitimate thing rather than a hoax, badBIOS is a thing of nightmares for IT and security experts. Normally I'd call this a fraud or someone having a paranoid break, but the technology has existed  in the world of espionage for decades that allowed lasers bounced off of windows to measure and detect conversation inside rooms, for instance. This would be the kind of project a government would be capable of in theory, most likely one of the big three: the United States, Russia, and China.

It's been a while since I've seen a BIOS-based attack get any press, so this caught my attention quickly. Of course simple precautions will prevent malware from getting on your system and this one is said to have come in on a USB thumb drive. However, the way this thing works is fascinating if real.

Part of me wants this to be a hoax, because this kind of PC infection would be incredibly difficult to deal with if it spread widely. Another part of me wants it to be real simply because it would be an amazing feat of computer science. But most of me is holding judgement until more evidence is brought forward.

UPDATED 6 Nov 2013:

While there is a possibility this is a real virus or trojan, the evidence isn't checking out and some are calling into question the mental stability of Dragos Ruiu. Strange behavior by him in social media is making it look like a paranoid episode, which is still bad news of a different kind. Given the fragmentation of BIOS implementations, it would be extremely difficult to pull off, with limitations to attacking specific brands and models of PCs.

Tuesday, October 15, 2013

Again With the Spam

While there hasn’t been a lot of new spam hitting this blog (been a lot of vampirestats lately), there has been one showing up under two different links and one that showed up on another blogger’s site.

Ourmeets Spam Warning

First up is the worst offender. Coming in as www . seoanalyses .com or under its real address,  ourmeets . com , this is a pornographic “dating” site. As you can see, it was blocked by OpenDNS, which I use to pre-filter anything coming into the house. Don’t click on it as it is exceedingly unsafe to visit.

kallery spam 01, kallery spam 02

Next up is one that commenter Sarma listed.

kallery . net out of South Korea looks like a real site at first glance, but digging further reveals that it sends you off to other sites where art is for sale. That’s a traditional tactic of cross promoting links used to generate ad revenue or of black hat SEO to up search engine rankings. Appears relatively harmless, but I advise avoiding.

Notice the art quiz winners on the right hand sidebar of the first screenshot. What are the odds that four of them would be links promoting the site? The mind boggles!

I wonder what percentage of Web pages in the world are actually spam sites? The search engines have enough trouble keeping up with the legitimate content being put up.

Tuesday, September 24, 2013

Spam from Google?!

Just a short report this time around on a strange referral spam that showed up briefly on my Blogger statistics. This time it was http: // dailydeal . de / gutschein-freizeit-ruhrgebiet-alpincenter-ski-tageskarte-060913

dailydeal spam 01, dailydeal spam 02

Checking out the spam in my trusty virtual machine setup revealed a professional site that held up under further scrutiny. A little research revealed Google owns the company which is a typical special offer promoting kind of place. DailyDeal was purchased by Google in 2011 and is based in Germany. Of course I’m not German, so talk about hitting the wrong target!

Now why would a false referral from a Google company show up in the first place?

This is where things get murky and necessarily go into the realm of speculation. My first thought is that the provider of the deal is trying to goose the results by paying a runner of a botnet to spam the listing. However, it is more likely a competitor to the tour outfit is engaging in negative SEO.

What is negative SEO? Search Engine Optimization is the process where a website builds up presence in Google, Bing, Duck Duck Go, Yahoo, and other search engines on the Web. Much is done by trickery in the HTML coding of a site, making sure keywords (short matches on content) are present in certain amounts.

The most tricky and dangerous optimization involves link exchanges so that it looks like the site is popular. Google has automated algorithms that periodically hunt down any behavior that looks like that. When a detection is made (real or false) an automated penalty is assessed against the webpage. This is all done by software and appealing to a human to quickly straighten out a false penalty is nearly impossible.

That means you can frame a competitor for building up paid links by purchasing said links. This is part of the “black hat” methods to boost your business on the Net by lowering the rankings in search results of your competitor. They can be dropped many pages in ranks by negative SEO.

While it is speculation, there is a higher probability that this referral link is pushed by someone other than the seller of the ski trips than something they did for themselves. However, they may have paid someone for SEO and that company may have engaged in bad practices.

So there is a mystery here that I won’t see solved. There are other possibilities including Blogger/Google getting the stats system screwed up to the point that an error caused the referral to show up.

At least this isn’t a dangerous or hostile site spreading malware.

Wednesday, September 18, 2013

Secret Spam

Everybody loves a secret, or so it is said. So it is no surprise that old marketing gimmick of using “secret” somewhere in the pitch showed up in some referral spam in Blogger stats. That means another chance to fire up a virtual machine and do some investigating. Don’t try this at home, kids.

7secretsearch spam 01, 7secretsearch spam 02

http: // www . 7secretsearch . com / is the latest spam to hit and it promises all sorts of secrets to upping your web traffic. The big come on is a form where you can enter your website URL and find out how much it’s worth. Featuring a slick presentation it is an enticing trap, no doubt.

The wrong-sized ads showing up in the right sidebar are another giveaway that this isn’t really a professionally set up website. Poor placement of the title graphic resulted in a banner text ad overlapping it. But the best has to be more Google +1’s than Facebook likes. That is highly implausible, don’t you think?

7secretsearch spam 03

There was no way I’d put my own website in there, so I decided to click on the Amazon entry. An impressive amount of data comes up including that the site has no threats reported and is “SAFE to browse.” Looks kind of legit, until you notice they are using Bing stats only. Yeah, like Amazon isn’t indexed by Google.

That last oversized ad raised a lot of red flags so I clicked on it.

systweak

Anytime something pops up on a web page that says you need your system scanned, it is time to get out of there immediately. Systweak has been known to present a download of one program that turns out to be another which grants remote access to your PC. They are bad guys who will take your money and mess your computer up.

What I find amusing is that they had this ad show up when I was using Ubuntu to browse the site. Windows errors on a Linux machine is not logical.

So there are layers of shadiness to what’s showing up at 7secretsearch. Avoid at all costs.

Friday, September 13, 2013

Zombie Spam

I kind of wish the following referral spam had shown up in October so that I could have had a Halloween themed commentary. Instead it arrived in the middle of September. But hey, the undead always show up at the most unwelcome of times – sometimes repeatedly. At the time of writing this, http : // jetsli . de / crawler has shown up fourteen times in my Blogger stats for the day.

jetsli spam 01

Using my trusty virtual machine running Windows XP, I checked out the link safely. Remember kids, don’t try this at home!

What showed up was a classic dead domain, which was mildly disappointing. Since the spammer had let the domain lapse, there wasn’t much evidence of what kind of money making scheme had been involved.

So I clicked on a couple of links anyway.

Tuesday, September 03, 2013

More Linkbucks Connected Spam

Some more referral spam has shown up on Blogger and one provided an unexpected connection to two earlier ones. The first was reported by commenter Charlotte and arrived as 0288c729 . qqc . co which leads to Linkbucks again like a link that started with ceae2122.

So what do you get if you click on that odd string of numbers and letters?

o288c729 Spam 01, o288c729 Spam 02

First up is an ad telling you that you absolutely need to download a download manager. Yeah, like that won’t lead to bad things on your system. Remember kids, don’t try this at home and don’t trust strange links. Never click on anything you don’t already know and that includes things sent by trusted friends.

Monday, August 12, 2013

Sailing the High Seas of Spam Piracy

No, this post isn’t about hijacking trucks coming out of Hormel’s canning plants. What I’m on about is the latest referral spam to visit Blogger’s stats for From the Sidelines, http : // getfilesme . com / UPDATED 19 Oct 2013 to include filesw8 . com

getfilesme spam 01

filesw8 Spam

First off, don’t click on the referral if you see it, there is no point in feeding the spammers and associating yourself with piracy if the government comes snooping around on behalf of the entertainment industry. You also don’t know what you could catch from visiting such sites since they are a favorite way to spread trojans, keyloggers, and all sorts of malware. In other words, don’t try this at home kids.

UPDATE: A nearly identical site showed up today as filesw8 . com and I have no doubt it is put up by the same people. Stay away from it too.

Thursday, August 08, 2013

More Polish Spam

It seems I’m getting more referral spam linking to websites in Poland than anywhere else these days. The latest is http : // butyairmax90 . pl / which leads to a Nike shoes site (via my virtual Windows XP machine):

butyaimmax90 spam

How much you want to bet these are knockoffs and not the real thing?

Wrist watches have long been status symbols, so cheap copies of Rolexes are something one expects. However, the rise of the expensive running shoe has been something that has occurred in my lifetime and is extremely silly to me. There is money to be had there no matter what my viewpoint is, so this kind of spam is getting common.

Do not click on the link if it shows up in your Blogger stats or emails!

Friday, August 02, 2013

A Couple of Drive-by Spams

We all notice the spam that hammers our referral statistics on Blogger’s control panel. But there is spam that only hits once or twice and is only seen if you are there at the right time. A couple of cases of these “drive-by” spammers were seen by me this week and you couldn’t get any different in what they were promoting.

First, one that hit today: http : // girlswithglasses . blognet . pw /

This happens to be hosted on blogger but with a name like that I was suspicious and fired up my virtual machine. Sure enough, it is a porn site looking to make money off of clicks. Do not click! Needless to say, there won’t be a screen capture.

coal spam

The other one was suspicious since it looked like it was masquerading as a legitimate site: http: // quitcoal . org / node / add

Well, it is a legit site. This is a Greenpeace run anti-coal page and it appears someone was trying to make people who clicked on the link automatically join the petition/site. Of course that’s an error message you see in the screen shot, so that forced recruitment failed.

Political referral spam, this is a first in my experience. I’m sure the individual responsible felt righteously motivated and justified in saving the planet. However, a policy of the ends justifying the means always leads into darkness and soon the would be do-gooder is a force of evil rather than good. In other words, a spammer.

By the way, I included the entire virtual machine window to show off my new way of flirting with disaster (cue Molly Hatchet) – checking out sites with Windows XP. The installation is set up to be roughly what an average user would have in the way of security to see what kind of nasty infections I can get from these sites. It’s actually a clone of a clean installation too, so I can do this without any hassle of reinstalls.

Friday, July 26, 2013

A Change of Pace: Porn Spam

It’s been a while since porn site referral spam showed up and today a false Blogger referral showed up from http: // asian . erolove . in / The title gives away the content right away, so don’t expect screen captures. A simple rule is that anything that has “love” or “ero” is going to feature pornographic material.

Strange as it may sound given my disapproval of pornography, this was almost nostalgic because I remember when porn spam and letters from Nigeria asking for banking help were the norm. These days weight loss and get rich quick schemes dominate with attempts to sell pharmaceutical products right behind.

One of the most bizarre things I’ve run into has been the flood of email spam from a Canadian pharmacy trying to sell Viagra and similar products.

“That doesn’t sound bizarre,” you say, thinking about your email account’s junk filter. What made it strange is that it posed as a lot of different things in the titles including weight loss, celebrity scandal information, and -- porn. It used to be the porn masquerading as something else! We live in a bizarre world.

Don’t click the referral!