Showing posts with label security. Show all posts

Wednesday, July 24, 2013

A Failure to Load a Spam Site

While I post about referral spam as a form of public service, I sometimes get sites that won’t load right in my Linux-based virtual machine. I can’t tell if the error is due to incompatibilities or attempted shenanigans by the spam site.

http: // ceae2122 . dyo . gs / is one such site that appeared in my Blogger stats today. It goes straight to LinkBucks and is supposed to be a video. When I clicked on the video it wanted me to update my video player.

[Screenshots: ceae2122 spam 01, ceae2122 spam 02]

It looks like an ad before the actual destination, but curiosity led me to see what would happen if I clicked the button. First came instructions and then it got interesting:

[Screenshot: ceae2122 spam 03]

It wanted me to download and install a customized version of VLC player. Being very familiar with that software, I recognized that it wasn’t the real release file. Not being interested in cleaning up an infection when I hadn’t even gotten to the final destination, I canceled that.

So where did clicking “skip this ad” end up taking me?

[Screenshot: ceae2122 spam 04]

Well that’s disappointing. I have no clue what it was supposed to be thanks to the server error. It could be a missing destination for all I know.

LinkBucks is a very shady bunch and to be avoided like the bubonic plague anyway. Don’t click on anything going to them!

I really need to get ReactOS or WindowsXP running in a virtual machine for some of these investigations.

Comment Spam in the E-mail

The experiment with removing bot checks from commenting continues and so does the spam in my email account. Always posing as an anonymous commenter, it only shows up in my Gmail account but not in Blogger. So at least some of the filters are working. That’s the only silver lining since I have to check each email out.

Once again it is time to fire up the virtual machine with Ubuntu on it to do some investigating. Here are some examples and where the links lead to:

Anonymous has left a new comment on your post "Howl’s Moving Castle (2004)":
Cygiefiania xaikalitag icergeallonia [ url = http: // usillumaror . com ] iziananatt [ /url ] Juicillenna http: // gussannghor . com EnedonoMory

The first link is embedded in xaikalitag and is ww2 . wikaswieier . com, which throws up an error message. The second link gets the same result.

[Screenshot: Gussanghor spam]

The third time is the charm and we get to see a fake search engine made to mine money from click referrals.

Saturday, July 20, 2013

Time for Some Polish Comment Spam

One of the best reasons to enable reCAPTCHA, aka the oddly colored and jumbled letters in the comments form, is the fact that you will very quickly see spam show up in your comments if you don’t. I moderate every post and had done this to save time, though it does stop real people from commenting due to the frustration of deciphering the text.

To make it easier for people to post, I disabled the Turing test last night. At 2:17 AM this morning, the following arrived in my mailbox (edited to defeat autolinking):

Anonymous has left a new comment on your post "Godzilla vs Biollante (1989)":
[ url = http : // www . page1 . pl] pozycjonowanie [/ url ]

Needless to say, that looked suspicious, sort of like a masked man robbing a bank does. Firing up the trusty virtual Ubuntu machine, I investigated the link, which led to a very professional looking site put up by a company called Arteria.

[Screenshots: page1 spam 01, page1 spam 02]

It’s a rather large page involving a lot of scrolling, so I present only the top and bottom of the content. I’ve edited out the actual contact information which includes an address in Krakow, Poland.

Courtesy of Google Translate, the opening text in English:

[Screenshot: page1 spam 03]

As you have probably guessed, they are selling something. In this case, SEO optimization and placement. What’s SEO? Search Engine Optimization. That’s why they are spamming websites, hoping to get someone wanting higher traffic to pay them for their services.

If you are a webmaster or blog owner, do not click on this and feed their shady practices.

UPDATE: Turns out I missed another comment spam from a mere hour or two after I disabled the robot check. What’s hilarious here is that the link goes to a page that no longer exists:

Anonymous has left a new comment on your post "Howl’s Moving Castle (2004)":
When some one searches for his essential thing, so he/she wants to be available that in detail, thus that thing is maintained over here.
My weblog: southwest florida art galleries

atlcurling . info / wiki / index.php?title = User: JZFLourde

Once these spambots are set loose they seem to keep going long after the site is dead. I wonder how much zombie spam is out there?
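A small heuristic filter for the kind of anonymous-comment notifications quoted in this post and in “Comment Spam in the E-mail” above, added here as an example and not code from the blog: it scores BBCode [url=...] tags, bare domains, a “My weblog:” signature line and link-only bodies. The sample comments are the ones quoted in the posts (defanging spaces removed so the patterns see realistic input); the weights, the threshold and the legitimate comment are assumptions.

```python
"""Heuristic scoring for anonymous blog-comment notifications.

Added example (not the blog's own code). Each comment body gets a score
from cheap, explainable signals; anything at or above SPAM_THRESHOLD is
held for moderation. The weights and threshold are assumptions.
"""
import re

BBCODE_OPEN = re.compile(r"\[\s*url\s*=\s*[^\]]*\]", re.IGNORECASE)
BBCODE_CLOSE = re.compile(r"\[\s*/\s*url\s*\]", re.IGNORECASE)
# Explicit links, or bare domains with the TLDs seen in the quoted spam.
BARE_URL = re.compile(
    r"(?:https?://|www\.)\S+|\b[a-z0-9-]+\.(?:com|net|org|info|pl|ru)\b",
    re.IGNORECASE,
)
# Auto-generated comments often close with a "My weblog: ..." plug.
SIGNATURE = re.compile(
    r"\b(?:my|visit my|check out my)\s+(?:weblog|web site|website|blog|page|homepage)\s*:",
    re.IGNORECASE,
)
# Long tokens with a capital in the middle ("EnedonoMory") are generator noise.
INNER_CAPS = re.compile(r"\b[A-Za-z]*[a-z][A-Z][A-Za-z]*\b")
WORD = re.compile(r"[A-Za-z']+")
SPAM_THRESHOLD = 4  # assumption; tune against your own moderation queue

def score_comment(text):
    """Return (score, reasons) for one comment body."""
    score, reasons = 0, []
    n_bbcode = len(BBCODE_OPEN.findall(text))
    if n_bbcode:
        score += 3 * n_bbcode
        reasons.append(f"bbcode-url x{n_bbcode}")
    # Count links outside the BBCode tags so a [url=...] tag is not counted twice.
    stripped = BBCODE_CLOSE.sub(" ", BBCODE_OPEN.sub(" ", text))
    n_urls = len(BARE_URL.findall(stripped))
    if n_urls:
        score += 2 * n_urls
        reasons.append(f"bare-url x{n_urls}")
    if SIGNATURE.search(text):
        score += 2
        reasons.append("weblog-signature")
    n_caps = sum(1 for w in INNER_CAPS.findall(text) if len(w) >= 9)
    if n_caps:
        score += n_caps
        reasons.append(f"inner-caps x{n_caps}")
    # A body that is nothing but a link and its anchor text is a classic SEO plug.
    remaining = WORD.findall(BARE_URL.sub(" ", stripped))
    if (n_bbcode or n_urls) and len(remaining) < 3:
        score += 2
        reasons.append("link-only")
    return score, reasons

def is_spam(text):
    """True when the comment should be held for moderation."""
    return score_comment(text)[0] >= SPAM_THRESHOLD

# Constructed samples: the first three are the comments quoted in the posts
# (defanging spaces removed); the last is a made-up legitimate comment.
SAMPLES = [
    "Cygiefiania xaikalitag icergeallonia [url=http://usillumaror.com]iziananatt[/url] "
    "Juicillenna http://gussannghor.com EnedonoMory",
    "[url=http://www.page1.pl] pozycjonowanie [/url]",
    "When some one searches for his essential thing, so he/she wants to be available "
    "that in detail, thus that thing is maintained over here.\n"
    "My weblog: southwest florida art galleries\n\n"
    "atlcurling.info/wiki/index.php?title=User:JZFLourde",
    "Great review! I saw this film in the theater back in 1989 and it still holds up.",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(score_comment(body), "SPAM" if is_spam(body) else "ok", "|", body[:40])
```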

Monday, July 15, 2013

Referral Spam Overload

Updated 15 July 2013 with screen captures and testing Tor for browsing.

A very quick post; referral spam went nuts the past 24 hours on the blog totalling 35 hits. The culprits:

adsensewatchdog . com

[Screenshot: adsensewatchdog spam 01]

This is what it looks like without Tor and NoScript. A wide index of terms so they get hits. Just another fake search engine riding the real ones to get traffic and money for pages served.

[Screenshot: adsensewatchdog spam 02]

With Tor (an untrackable browser) and NoScript it looks completely different. Fancier parked graphics and no links.

Spam and an Apparent Pyramid Scheme

Commenter Charlotte gave a heads up that a new spammer has shown up in Blogger’s stats, so I checked it out several days ago. I didn’t get the spam myself and wasn’t feeling the love from referral spammers. Then the last 24 hours produced 22 spam hits of various kinds including the new one awsurveys . com / ?R=1070526 which showed up seven times. I guess they still love me. Is this what they call “bad love”? UPDATED with another link being used and a shady service connected to it.

[Screenshot: AWSurveys Spam 01]

So I fired up my virtual PC and checked out the link. Remember folks, don’t try this yourself! Clicking on referral link spam can cause any number of problems including getting your computer infected with malware.

Friday, July 12, 2013

Old Spam Is Still Indigestible

Getting back to posting reviews is turning out to be harder than I expected and the new rounds of referral spam have taken up time meant for writing on other topics. The latest to hit, according to Blogger stats, is from newsuc . com and according to DuckDuckGo it is a parked domain, which means no real content is hosted there. The page showing up from this site dedicated to spamming is newsuc . com / blog / blog1 . php / 2009 / 07 / 20 /giant-quake-tsunami though there are several others at the site.

[Screenshot: newsuc spam 01]

I fired up my virtual machine (VM) running Ubuntu for safe investigation of the site and to take screen captures. Remember, don’t click on the links from newsuc! What I found looked like a real blog, if out of date by three years. But why would they be linking me now?

Thursday, July 11, 2013

A Tricky Bit of Spam

Spammers apparently never sleep and so it isn’t long before a new referral spam hits Blogger or an old one appears under a new link. This particular one is a new one to me and came in as t . co / 1kXhhiBfBE using a shortened Twitter link. So what is it really?

[Screenshot - 7_11_2013, 8_49_44 AM]

A misogynistic offer to teach men how to seduce women. Apparently it is a video and the format looks all too familiar. The content is different, but I never did see the presentation due to this:

[Screenshot - 7_11_2013, 8_52_25 AM]

Firefox on Ubuntu failed to install when the camera icon was clicked on. Children, don’t try this at home! Digging into the page source code revealed the video link claims to be in SWF format but, as you can see, nothing happened. If it is malicious code aimed at Windows, it found the wrong operating system to play with.

[Screenshot - 7_11_2013, 8_54_31 AM]

Finally, when you try to close or back out of the page, the JavaScript launches this appeal to the profoundly desperate. I’m sad to say this will actually work on some guys.

UPDATED: This is now coming in as a full address, thetaoofbadass . pw / ?a_aid=517d032416eac which makes it seem even more silly.

Looking at the source code (with no expertise on my part) was revealing in that this appears to be a prefabricated template complete with instructions. A talented coder will glean a lot more than I did, but it shows just how polished the malware and spam pushing has gotten. It is all very professional now and it seems that the weight loss spam used the same form.

Wednesday, June 26, 2013

Ohbelog Referral Spam

So I see a Malaysian website on my Blogger stats today and couldn’t resist seeing what the latest spam was. It turned out to be a very interesting place to investigate. An ornate trap is what I would describe ohbelog . com as. At first look it appears to be a social media aggregate site where you can vote up or down on different links.

It’s flashy and oh so modern:

[Screenshots: ohbelog01, ohbelog04]

Scrolling down reveals that not a lot of voting is going on and clicking on some of the subsections in the menu nets these results:

[Screenshots: ohbelog02, ohbelog03]

Notice anything suspicious yet?

Monday, June 10, 2013

Some Brief Thoughts on Snowden and Heroism

I do not believe Edward Snowden is a hero like some on the political right and left are hailing him. The timing of the disclosures and his running to Hong Kong are straight out of Cold War espionage operations so I suspect China’s hand in this. From his own statements, I see him as an erratic personality more than likely manipulated by a handler working for Chinese intelligence.

Even if he wasn’t, he’s not the white knight people think he is. A Ron Paul supporter and Obama sympathizer, he did not go public with this information when it mattered most before the 2012 presidential election. Timing is everything in life and doubly so in politics, which is why I believe China’s spies have a hand in this.

This would be a perfect opportunity to weaken President Obama for his meeting with President Xi Jinping on cybersecurity. Given how much attention had been focused on Chinese hacking of defense, government, and business servers in the United States it makes sense to skewer Obama with spying on his own people to deflect attention.

Seeking asylum in China while spouting off about freedom indicates that Snowden is either lying or quite stupid. Yeah, going to a country that censors the Internet, has spied on its citizens for many decades, and suppresses any mention of Tiananmen Square is beyond foolish if you are seeking freedom. It looks like someone has been working on his perception of China, if you get my drift.

Meanwhile, there are purportedly idiots in the intelligence community talking about “disappearing” Snowden in public. Oh, and another scandal is hitting involving the State Department covering up drug dealing and use of prostitutes by ambassadors and security contractors. Our government is in the best of hands, isn’t it? There is no way to indicate just how much sarcasm fills that sentence.

There aren’t any heroes, folks. So please don’t rush to put Snowden on a pedestal just yet. Remember that Manning and Assange both proved to have motives that weren’t heroic and even Deep Throat turned out to be someone wanting revenge for being passed over for a promotion.

Isn’t it interesting that all the wrong doings of the current administration are coming to light after Obama was safely re-elected?

Thursday, June 06, 2013

A Source of Referral Spam

Ever wonder where the strange links in your Blogspot stats come from that don’t really link to your blog? Ever wonder why someone would do such a thing? Wonder no more.

r-e-f-e-r-e-r . com showed up on my stats today and this site blatantly lays out what is going on. For $29.95 you can spam forty million websites with links to your site to artificially drive traffic – or at least that’s what they promise. You may have heard of similar schemes for Facebook likes and Twitter follows to boost apparent status.

Screen capture follows and is safe to click on:

[Screenshot: referer spam]

The part selling ads pointing out mostly webmasters visit this site is something I find vaguely hilarious. Most won’t be pleased to be visiting, I suspect.

Please don’t help them out by visiting their site.

Saturday, May 18, 2013

Topblogstories Referral Spam

Another round of spam has hit the blog stats page and this time it is a link to a purported hookup service for the sexually desperate. Okay, it doesn’t say that, but that’s how I view it.

topblogstories . com / led me to this page:

Link to NSFW screen capture, but not pornographic image.

topblogstories . com / 18331&c=3 led to virtually the same page:

Link to NSFW screen capture, but not pornographic image.

Notice the JavaScript coding picks up where your IP is from. I suspect false advertising given the number of breasts promised.

As usual, do not click on the referrals! I hope your mother warned you about these kinds of girls…

…and hopefully you will warn others about these kinds of spam.

UPDATE: The first link now leads to a topless photo. It may be that they rotate them, but be warned it is now very NSFW!

UPDATE 2: Seeing another round of it with a small variance. Persistent, aren’t they?

topblogstories . com / 7293&c=6

UPDATE 3: Thanks to the efforts of commenter Edgar Bangkok there are more details on the spammers, both methods and probable location in Ukraine. He’s posted detailed analysis at his blog in two posts:

The first one shows how JavaScript is used on the webpage.

The second post shows the topblogstories spammers are now targeting Google Analytics and shows sublinks going to AdultFriendFinder and Damned Love.

If you don’t read Italian, you’ll need to use a translation service such as Google Translate to read his posts.

Tuesday, April 02, 2013

April Fools Day Delivers the Spam

It was an unusually sedate April 1st without any friends pranking me. But a wave of spam hit one of my email accounts. 61 were caught by filters and three made it through for the biggest spam assault I’ve seen in years. All were diet/weight loss centered with many purporting to come from celebrities ranging from Oprah to Pamela Anderson. Other common elements were the phrase “special offer” introducing a link and Microsoft Office Word 12 formatting.

It makes me wonder if it is connected to the attacks on Spamhaus, an organization that blacklists known spammer IP addresses. Probably not, given the ridiculous number of spammers out there. There seems to be no end to the Black Hats on the Net.

More interesting is that weight loss spam is amongst the most successful in getting people to open it. Nothing beats social engineering for finding a way into a system, as the banks in South Korea found out last month. I remember when it was false protestations of love or romantic interest that were the best bait to get people to open emails.

It is amazing that spam is still successful given how old email and the Internet are now. One would think people would stop falling for this by now. I guess P.T. Barnum was correct about “a sucker born every minute” – except he never said that.

Can’t trust anything, can you?

Wednesday, March 20, 2013

Ill Tidings

Spring has officially arrived though I can’t tell it looking out my window. It is currently seven degrees Fahrenheit with snow outside and frost on the inner windows of my room. It could be worse.

North Korea cyberattacked South Korea this morning our time and the afternoon their time. Bank and television computer networks were taken down for many hours and some still aren’t operational. What did this mean for the South Korean people? They had to deal with no debit or credit cards working and that includes ATMs. I suspect business to business transactions were also impossible.

Imagine if that happened in the United States.

Of more local concern and by local I mean household, the Subaru started having serious problems overheating Saturday night and Sunday. It is currently in the shop having its engine torn apart for head gasket replacement plus timing and other belts. So financial pain has arrived with spring.

I suppose Saturday was close enough to the Ides of March to qualify, come to think of it.

Saturday, March 16, 2013

SWATting Hits a Bigger Name

One of the nastier things being done by people out to harass bloggers and now reporters is making false phone calls that cause a SWAT raid on innocent people. The latest victim is Brian Krebs who is something of a crusader in the Internet security field. More can be found at Ars Technica.

The tactic has moved out of the political arena to the organized crime category if what I’m reading is correct. If the militarization of local police forces didn’t concern me in the past, this sort of thing has me questioning it. In decades past, the image of heavily armed men kicking in doors and hauling people out was something you associated with communist countries and other dictatorships.

If that isn’t a sign of decline, I don’t know what is.

The only thing that can be done about the rise of SWATting is to find some kind of way to have local police informed about the potential for false calls for specific people. That only helps those who know they might be SWATted, but I don’t know of anything else that can be done other than to introduce training about the practice to local police forces.

Maybe Krebs’ experience will finally get the irresponsible mainstream media to start talking about the problem. One can only hope.

Wednesday, March 13, 2013

How Many Referral Spammers Are There?

That’s the question on my mind. Yet again faked referral links have shown up in my Blogger stats and yet again it is one I haven’t seen before.

afslotat . net16 . net is the newest one to hit the blog with a tempting link:
afslotat . net16 . net / info / my blog address

It appears to be out of Latvia, but that could be faked too. An attempt was made to load the site in a VM, but failed so I’m very suspicious and advise not clicking the link for any reason.

UPDATED

Another address like it showed up this evening:
radepaha . hs8 . ru / de / info / my blog address . de

I'm not even going to try to investigate it since it is likely from the same people behind the other.

UPDATED again...

Now I’ve gotten referral spam from one of the biggest weirdos on the net. escapefrommasachusetts . org is on the loose again after being around as escapefromma . com and this site is dangerous to click on. The latest incarnation of pseudo-anarchic drivel is salacious statements about Mitt Romney. A little out of date, that. DO NOT CLICK!

Yet another UPDATE:

A new variation of the first two spams has shown up and racked up a ridiculous number of hits in one day. It uses the same fake "info" then your blog address in the referral. The new culprit is:

tkdot . com
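A defender-side way to catch this pattern in ordinary web-server logs, added here as an example and not code from the blog: it parses Apache/Nginx combined-format lines (the lines below are constructed samples using test addresses), flags referrers from the domains named in these posts, and flags any referrer whose path ends in “/info/<your blog address>” regardless of host, so a new spammer reusing the trick is still caught. MY_BLOG, the sample log lines and the exact domain spellings are assumptions.

```python
"""Flag referrer spam in Apache/Nginx combined-format access logs.

Added example (not the blog's own code). Two checks per line: a referrer
host on the blocklist of domains named in these posts, and the
"/info/<your blog address>" path trick on any host. MY_BLOG, the sample
log lines and the exact domain spellings are assumptions.
"""
import re
from urllib.parse import urlparse

SPAM_DOMAINS = {  # as named in the posts; subdomains are matched too
    "afslotat.net16.net", "radepaha.hs8.ru", "tkdot.com",
    "adsensewatchdog.com", "topblogstories.com",
}
MY_BLOG = "example-blog.blogspot.com"  # constructed; use your own hostname

# combined format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def _parsed(referer):
    """urlparse that tolerates a scheme-less referer such as 'tkdot.com/'."""
    return urlparse(referer if "://" in referer else "http://" + referer)

def referer_host(referer):
    """Lowercase host of the Referer, or '' when the header is absent ('-')."""
    if not referer or referer == "-":
        return ""
    return (_parsed(referer).hostname or "").lower()

def is_blocklisted(host):
    """True if host equals a listed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in SPAM_DOMAINS)

def is_fake_info_path(referer, my_host=MY_BLOG):
    """Match '/info/<my host>' at the end of the path, allowing a language
    prefix like '/de/info/...' and a country suffix like '...com.de'."""
    pattern = r"/info/" + re.escape(my_host.lower()) + r"(?:\.[a-z]{2,3})?/?$"
    return re.search(pattern, _parsed(referer).path.lower()) is not None

def classify_line(line, my_host=MY_BLOG):
    """(ip, referer_host, reasons) for one line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    referer = m.group("referer")
    host = referer_host(referer)
    reasons = []
    if host and is_blocklisted(host):
        reasons.append("blocklisted-domain")
    if host and is_fake_info_path(referer, my_host):
        reasons.append("fake-info-path")
    return m.group("ip"), host, reasons

def scan(lines, my_host=MY_BLOG):
    """Only the flagged entries, as (ip, host, reasons) tuples."""
    results = (classify_line(l, my_host) for l in lines)
    return [r for r in results if r and r[2]]

# Constructed log lines (RFC 5737 test addresses, invented timestamps).
SAMPLE_LOG = [
    '198.51.100.4 - - [13/Mar/2013:09:15:02 -0500] "GET /2013/03/post.html HTTP/1.1" 200 8120 '
    '"https://www.google.com/search?q=godzilla+review" "Mozilla/5.0"',
    '203.0.113.7 - - [13/Mar/2013:19:02:11 -0500] "GET / HTTP/1.1" 200 5123 '
    '"http://tkdot.com/" "Mozilla/5.0"',
    '203.0.113.8 - - [13/Mar/2013:19:02:12 -0500] "GET / HTTP/1.1" 200 5123 '
    '"http://afslotat.net16.net/info/example-blog.blogspot.com" "Mozilla/5.0"',
    '203.0.113.9 - - [13/Mar/2013:21:40:55 -0500] "GET / HTTP/1.1" 200 5123 '
    '"http://radepaha.hs8.ru/de/info/example-blog.blogspot.com.de" "Mozilla/5.0"',
    '198.51.100.5 - - [14/Mar/2013:08:00:00 -0500] "GET /feeds/posts/default HTTP/1.1" 200 40210 '
    '"-" "Feedfetcher"',
    '203.0.113.10 - - [14/Mar/2013:10:30:00 -0500] "GET / HTTP/1.1" 200 5123 '
    '"http://newhost.invalid/info/example-blog.blogspot.com" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, host, reasons in scan(SAMPLE_LOG):
        print(ip, host, ", ".join(reasons))
```

The last sample comes from a host that is not on the blocklist and is still flagged by the path check alone, which is the point of keeping both tests.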

Friday, February 08, 2013

Phony Phone Scam Returns

I posted about this particular one before and the ring behind it was supposedly busted. Well, guess who called my father’s phone today? Online PC! They are back like the athlete’s foot that never quite goes away.

Since I feel particularly cranky today, I didn’t allow the Indian gentleman on the other end to get very far this time. Otherwise, it was the same exact con being run, complete with a delay before the circuit connects to hear anyone.

I think I confused the guy on the other end, for I was very gleeful about letting them know I would be blogging about it to warn an international audience. Sadly, that appears to be all that can be done.

So if someone with a heavy Indian accent calls you and tells you that you have a virus on your PC or a security problem – hang up. It is all a con to get a credit card number out of you.

Along with some well composed phishing emails I’ve seen recently, it looks like 2013 is going to be a bad one for con jobs and spam.

Friday, October 05, 2012

And Now It Is Time for a Phone Scam

What an interesting day I am having. After just finishing the most recent post on blog referral spam, I answered my father’s phone line. At first there was no sound, then the sound of a ring in, so the call was placed from an autodialer. On the other end was a man clearly using VoIP, with a thick Indian accent, who acted like he was taking a survey at first. Often hard to understand, he implied he was with Microsoft and that there was “something bad” that had been downloaded to the computer there.

I was suspicious from the moment the call began, but became utterly incredulous at this point. Instantly, I was in hunter mode stalking prey – yes it was that exact feeling. When he said that he needed to take control of the computer, I knew I had found a scammer. I said that he would not be doing that and that I was a very experienced user with multiple firewalls and virus scanners. True, if you count the multiple computers we have, but I could not keep the glee out of my voice.

If he had half a brain, he would have disconnected at this point. Fortunately for my entertainment purposes, he did not. I pressed him repeatedly for his name and phone number. Instead, he gave a web address for onlinepc . com and eventually a phone number of 1-646-502-6605. Clearly flustered, he repeated the number angrily when I asked for the name again and only gave one after another request, Lazer is what it sounded like. Then I said goodbye and hung up on him.

Well, the website is documented as being a scam at Microsoft and the States are not the only ones getting these cold calls. I found this thread about the calls received in Australia. Looking up the phone number turned up a more recent series of calls with many recipients being on the national Do Not Call list like my father (and me). The phone number originates in New York, but with VOIP hacking making it easy to falsify phone numbers it could have been made from anywhere.

If anyone calls you and uses this routine on you, DO NOT COOPERATE WITH HIM! It is all a con job to access your PC for whatever nefarious purpose.

UPDATED October 5, 2012

Great news! The ring behind this scam has been busted in an international effort by law enforcement in the United States, Canada, and Australia. India may get involved as well, since most of the criminals called from there. It looks like Microsoft got directly involved and that is why things happened.

Monday, October 01, 2012

More Russian Referral Spam

The latest round of spam showing up as blogger hits come from fr.netlog . com and appears to be actually a link from t . co instead. So far I have gotten sixteen “referrals” from there this week. While they show up on the Blogger dashboard’s stats, Google Analytics does not list the hits. Why Google does not filter them out for Blogger’s built in stats puzzles me.

So anyone getting hits from there, please do not click on the links to investigate; that is what they want you to do. I would not be surprised if this is being done by the same people responsible for the aptratings spam.

UPDATED October 1, 2012

Yet another round of referral spam from Russia has been hitting my blog heavily. In this case adsresultpages . com links to a viagra ad. Out of curiosity, I looked up the website through whois and found out it gets about the same amount of visits I do a day. Not exactly a successful campaign, is it?

Funny thing is that referral spam has been around since at least 2002 when blogs started getting going in earnest and nobody can figure out how it can be profitable.

Monday, September 17, 2012

China Doesn’t Just Copy Electronics: The J-21

The military aviation world got a surprise a couple of years ago when the Chinese government took the wraps off of the J-20 stealth fighter, but that is nothing compared to what just showed up. Roughly in the F/A-18 Hornet size range and possibly a competitor to the F-35 Lightning II strike fighter, it is clearly derived from stolen data from Lockheed and subcontractors of the F-22A Raptor program. That is a scaled down F-22 if I have ever seen one with a radome more like the F-35. The proportions made a lot of us on the Net think it was a Photoshop at first, but I had a pit in my stomach when I studied the photos and better ones came out.

I knew our defense programs had been thoroughly compromised by the Chinese, but seeing the tangible results has been an unpleasant experience. As far as cyber security goes, our most classified and protected programs are in the hands of a hostile foreign government. It makes you wonder if the federal government is competent at anything at all.

Meanwhile, China continues to push claims on disputed territories with no fear of being countered. With the continued aggression in the Pacific against neighboring countries, is it any wonder an arms race has begun in the region?

Monday, August 20, 2012

Another Blogger Referral Spammer: Pnarp

Yep, another one that has been around for a while but keeps changing servers and countries. If you see any referrals from pnarp . com please do not click on them; there have been some reports of malware being automatically downloaded. Flickr users have also had problems with it in the past and other social media sites (Digg, Twitter, other blog services) have seen this joker show up too.

UPDATE 8-26-2012: 

Found another spammer, pregolom . com out of Russia. It does not appear to be related to pnarp, but it seems like there is a big uptick in referral spam lately. It along with filmhill . com have been showing up in large numbers the past week.