Showing posts with label spam.

Saturday, July 14, 2018

Webcam Blackmail Email Spam

The latest, greatest attempt to get money out of people on the Net has been making the rounds in different variations, the essence of which is a threat to release a webcam video of misbehavior committed while watching pornography online. I bothered to check the latest one out because it actually was addressed to me with the correct email address AND my old LinkedIn password in the subject.

Fortunately, that was a unique one not recycled due to my personal distrust of any social media service. The 2012 hacking of LinkedIn exposed 117 million passwords which were sold off to various criminals looking to commit cybercrime. They did get around to notifying users to change their passwords (I did long ago) but tried to conceal the size of the security breach.

Thursday, October 20, 2016

Russian Spam Returns

UPDATED: There has been a flood of 3-hit drive-by spams out of Russia via Ukraine ever since these hit. In fact, there are too many different ones to look into, so it appears that we’re under siege again.

Original Post:

It looks like I spoke too soon about Blogger having improved on blocking Russian spam referrals. Once again a flood of unwanted fake referrals showed up in Stats and of course it is all from Russia or rerouted through Ukraine. Reinstalling TOR to check out the sites was an annoyance I’d never planned on doing again, but I’m in a bad mood these days so once again it is time to inform people of the garbage being pushed out.

Remember, never click on suspicious links in your Blogger referrals. I’ve taken the precaution of running an anonymous browser system within a virtual machine to take these screenshots because you never know what kind of malware might be pushed through the code embedded on these pages.

On to the spam…

Monday, February 23, 2015

The Sound of Spam

More referral spam from Russia and the Netherlands cluttered my Blogger stats in February. Adding to the mess is the loud blast of spam from http: // ranksonic . info / krawler . pho?refToken threatening to blow the doors down on my blog for the past month. Join me as I explore the links you should never click on…

Ranksonic Spam 01

Let’s start with spam from RanKSonic since it is clogging up Statcounter as well as Blogger’s stats. Of course, it is SEO spam claiming to be able to boost traffic to your website. Hey, if they were that good at it, would they be spamming blogs to get business? Of course not.

Ranksonic Spam 02

Scrolling down to the bottom of the page, I tried several links since there was no way I would sign up for the shady service. Terms of Service and Privacy Policy produced 404 errors like the one above, while About Us just took me back to the top of the home page.

Inspires great confidence in their understanding of webpage design, doesn’t it?

Monday, December 22, 2014

Spam for Christmas

It seems that the dark elves responsible for pumping out unwanted spam of all kinds have the Christmas spirit of giving right now. Unfortunately, they completely misunderstood the true meaning of the season and are bent on raking in money for themselves.

Whether it be email or Blogger referral spam, the filters have been tested to the breaking point in December. Earlier, I posted an update on seoairport suddenly returning with a flood. A new approach that I haven’t seen outside of emails showed up too and that’s what I’ll be covering in this post.

I hope by now that everyone knows not to open an Adobe Acrobat (PDF) attachment from a stranger when they get one in their inbox. This has been a way to deliver trojans and viruses onto PCs for many years.

Easy Aromatherapy Spam 01

Easy Aromatherapy Spam 02

So it was surprising to see referral spam that linked to PDFs including one hosted on Amazon’s cloud service which arrived as s3 . amazonaws . com / pdf-1ydO / qyR20YHDImN9.pdf on my Blogger stats page.

Why would anybody use such a discredited way to get hits? Another referral and a little digging provided me with a theory.

Remember not to click on links such as these; leave it to security pros and madmen to investigate. In my case, it is the latter, though a virtual machine and an anonymous routing service were employed to keep my PC uncompromised.

SEO Spam or Fear the Penguin

One of the most irritating con jobs on the Net is selling links to people desperate to get traffic to their websites. This is part of what is known as “black hat SEO” with SEO standing for Search Engine Optimization. So it was rather interesting to get two false referrals from seoairport . com / site / product / in my Blogger stats today. UPDATED: December 2014 has seen a massive amount of hits from seoairport . com / site / recommended with no end in sight. New screen captures added at the end of the post.

SEO Airport Spam 01

Firing up the trusty virtual machine, I checked it out. Remember folks, don’t click on strange links and leave that to daredevils or those of us with more than one operating system on a machine. The name told me what to expect out of the site and I wasn’t disappointed.

The home page above is of basic design, which will be important later on.

Thursday, October 02, 2014

Return of the Russian Spam

A familiar pattern of false referrals has shown up in my September 2014 Blogger statistics making me wish there was a way to exile them to Siberia. Featuring a bevy of webpages originating from a site previously encountered, the spam is dedicated to parting you from your hard earned rubles.

While I don’t have any rubles to lose, precaution was taken in exploring the links. Firing up my trusty VirtualBox installation of Ubuntu 14 and using the TOR browser for anonymity, I keep spam sites from looking at my real computer. Don’t try this at home unless you know what you are doing! It is best to never click on strange links.

detective01 Spam 01

detective01 Spam 02

Oh the irony of the first spam to hit my blog. http: // detective01 . ru / offers private investigator services of all kinds and would be somebody to hire to find out where spam is coming from in Russia. There’s just the small issue of them being spammers. Like quite a bit of spam from that country, it is connected to St. Petersburg and in this particular case the agency is based there.

Monday, August 11, 2014

Russian Spam Invasion

Things have been relatively quiet on the referral spam front for a while, but the last month or so has seen an uptick in my Blogger stats. Most are not shown as links due to Google filtering; however, the country of Russia is showing a ridiculous amount in my “Audience” figures. In fact, it is close to matching my traffic from the United States, which is mostly legit.

Remember not to click on strange links in your Blogger stats because you never know where they will take you. Leave that to people crazy or skilled enough to safely investigate.

Power Balance Spam 01

The latest spam from the Land of the Bear comes from a fake auction site. Oh, you can really buy stuff there, but the timer is just a come-on to influence you into an impulse buy. A long-running con is magnetic bracelets for athletes and arthritis sufferers exploiting the placebo effect to work “miracles” through bogus science. Power Balance is one of those cheap trinkets being flogged at http: // power-balances . apishops . ru / proving that scams are universal or at least international.

Thursday, June 12, 2014

Blog Comment Spam Researched

Over at Imperva, an online security firm, they have put up a fascinating Acrobat document showing how spam comments are made with automated tools. It is well worth reading for anyone who runs a blog and wonders how or why all the fake comments with links flood in.

Of course it mostly boils down to trying to elevate rankings of websites in Google’s search engine, surprise, surprise. Particularly interesting is the small percentage of sources responsible for most of the spam. I have no doubt automated tools like the ones shown in the report are used to generate fake referrals as well.

One of the things I’ve wondered about is how the text is composed for the comments and figured they just rotated prefabricated scripts. It turns out it is more complicated than that, using software to generate topically correct comments to get past filters or Google’s spam detection.

Most of the comment spam aimed at this blog isn’t that sophisticated, however. Usually it is blatant attempts to sell drugs, sex, and shoes. What, you were expecting rock and roll? Yeah, it is disappointingly unoriginal.

Ironic that I’d run into this just after marveling how an article at Wired was overrun by comment spam. You’d think a big website would have their act together, but that clearly wasn’t the case. Anyway, thought this would be of interest and I hope they keep the report up for posterity.

Tuesday, June 10, 2014

Chatty Spam

A wave of referral spam recently hit my Blogger stats that looked like it might be real referrals, but as you have probably guessed from the title, it was spam again. The culprits are from freenode . net in two incarnations and I’ll be showing where the links lead to. Also included is some bonus spam involving the sex trade, travel, and an error message.

Remember to never click on suspicious links and leave that to those of us crazy enough to do so! You could end up with all sorts of nasty stuff on your computer.

Wednesday, May 07, 2014

Just What I Wanted: More Spam

While the blog hasn’t been hammered with referral spam recently, there have been a few drive-bys. Also in the mix was an attempt at comment spam that shows how the Web 2.0 emphasis on social media makes it easy to establish a false identity on the Internet, thereby lending an appearance of credibility to a post.

Remember not to click on suspicious links, folks. Leave that to crazy people like me who use layers of security and virtualized computers to poke cyber hornet nests.

First up is from Russia, without love:

Trust Combat Spam 01

Trust Combat Spam 02

Trust Combat’s spam came in as http: // www . trustcombat . com / faq . htm and appears to be an SEO (search engine optimization) outfit wanting money to help boost your web page ranking. They want to help you so badly that they accept Bitcoin, Litecoin, Nextcoin, Primecoin, and Paypal for payment. Links to proxy services are also found on the site.

trustcombat Blog Spam 01

trustcombat Blog Spam 02

UPDATED: Taking advantage of Blogger’s ease of setting up blogs to fake a legitimate presence is nothing new. What’s new is trustcombat . blogspot. com showing up in my referral data, complete with a Google Plus account. Tips and tricks for link building and creating a fake social media presence along with every single link going back to trustcombat . com fill the page.

I’d steer away from them; nothing good would come of doing business with what looks to be a fly-by-night operation. While neat and tidy, this is a barebones site that probably was set up in an hour or so of work. Avoid clicking on this link if it shows up on your Blogger stats.

Wednesday, April 30, 2014

A Multicourse Meal of Spam

Though Google and Microsoft have made targeting spammers worldwide a priority the last couple of years, the spam still keeps coming. That’s true for referral spam targeting blogs, especially Blogger and WordPress hosted ones. Clearing out my backlog of more than questionable referrals highlights the wide variety of spam out there.

Remember folks to never click on strange or suspicious links in your referrals – or anywhere else for that matter. Leave it to people crazy or secured enough to investigate the trash that gets past the junk filters.

hand-made-soaps Spam 01

As an appetizer, I present a tastefully designed site, http : // hand-made-soaps . com / homemade-lotion-recipes /, that offers recipes and tips on making your own soaps. This is not something normally associated with spammers, since they tend to be a dirty lot who don’t get out of their small apartments very often. Looks bland enough, but it hides a potent kick.

Iconic Spam

Remember when making icons for apps was all the rage? You don’t?! Well, a flood of referral spam to my Blogger site has filled me with nostalgia for the Windows 3.1 era of the early 1990s. All of the following spam traces back to Aha-soft in Canada as the screen captures will show.

Remember never to click on strange referral links showing up on Blogger stats. Leave that to crazy people like me armored up with security, virtual PCs, and anonymous web browsing capabilities.

Badaicons Spam 01

Badaicons Spam 02

The spam deluge began with http: // www . badaicons . com/ which leads to a page selling icons for Samsung smartphone apps. Clearly this is aimed at developers creating apps rather than end users.

Aha-soft Spam 01

Aha-soft Spam 02

Digging deeper into the links, it turns out the pages are part of a larger site, www . aha-soft . com, with redirects galore from their many domain names. They appear to be a real company out of Vancouver, Canada selling royalty free icon libraries plus software to view and create them.

Tuesday, December 31, 2013

Forget Mystery Meat, How About Mystery Spam?

Just in time for the end of the year, I found a new referral spam in my Blogger statistics. http: // semalt . com / competitors_review . php? u= (then my blog address) is obvious spam due to it having text suggesting that someone is competing with my website and checking me out.

Semalt Spam

Using a virtual machine and TOR to be anonymous, I checked out the address. It only gets me to the home page where a requirement to register first stopped me cold. Of course, it wants you to log in using your Facebook, Google Plus, or Microsoft Live accounts. Oh, nothing suspicious about that, is there?

It offers to show you what your Google rankings are, which is interesting given that you can sign up for Google’s own tools for free to do the same. As the page loaded, I noticed that it loaded counter . yadro . ru , a Russian address I only fleetingly glimpsed. Some sites report this as a malware infection while others say that it is simply a tracking site like Google Analytics. Still a bad guy according to most, so consider it a red flag.

The privacy policy and terms of use pages are generic, giving no useful information. There was no way I’d sign up to find out what lay beneath the barebones page other than to look at the source HTML. In there, the meta description of the content bills the site as a “Professional keyword ranking monitoring service with competitor analysis. Fee plans.” Also found in the code was the yadro address, so that is being loaded as a hit counter.

My advice to all who get a variant of this link in their statistics is to avoid clicking on it. Semalt is most likely only there to harvest data to access your email and social accounts with the possible additional goal of selling SEO (search engine optimization) methods.

UPDATE

I’m seeing more hits from this spam showing up in StatCounter now and they are coming from computers in different countries with differing versions of Windows and screen resolutions. This means a botnet of infected computers is most likely being used to push the spam rather than forged addresses.

Please do not click on the link and if you have, run an antivirus program along with something like MalwareBytes or Spybot to make sure you haven’t been infected.

Tuesday, December 17, 2013

Analysis? Selling Links for Money Spam

Either I’m beginning to become a connoisseur of referral spam or I’m just bored with the usual offerings. Today brought something slightly different to my Blogger stats that piqued my interest: http: // prlog . ru / analysis / from-the-sidelines . blogspot . com . Having my blog address in the spam brings such a warm, fuzzy feeling. Wait.. no, that’s indigestion. Anyway, it was a blink and you’ll miss it hit and run.

PRLog Spam 01

PRLog Spam 02

Ever curious, I fired up my copy of Ubuntu on a virtual machine and used TOR to anonymously check out the site the link came from. Don’t try this at home unless you know something about security or reformatting your hard drive. Never click on suspicious links like this; leave it to crazy people like me.

Tuesday, December 03, 2013

Salary Comparison and Bitcoin Spam

With a sudden stop to the flood of Russian blog spam, I’d been feeling a little lonely this holiday season. But hey, Cyber Monday brought me a deal! UPDATED: Added links to articles on Bitcoin malware at end of post.

Am I Richer Spam 01

http:// www . amiricherthanyou . com / ec_recommended . php ?q=Oved&id=473535 arrived in my blog stats to assist me in feeling financially inadequate. Oh boy! Just what I wanted, more spam! Sarcasm aside, I was wondering why things had gotten so quiet lately. So firing up my trusty virtual machine and TOR, I checked out the link. Remember, don’t try this at home, kids. Never click on suspicious links or you will be sorry.

Am I Richer Spam 02

Surprise! The link took me straight to an ad for BitCoin trading. Yeah, that doesn’t look shady at all, does it? I’d have a better screenshot, but I forgot to maximize my browser and there was no quick way to get that site back – there’s a good reason for that I’ll go into later.

Monday, November 11, 2013

Comments and Spam

It truly feels like a Monday, complete with the first significant snow of the season. In the wee hours of the morning here, a comment came into my blog that looked somewhat legitimate. After publishing it to get full access to all the HTML involved, I decided it was too shady to keep on the blog. Here’s the content of the post:

Social Cubix said...

Comment spamming you can only prevent by configuring your posting software appropriately. There are some technics like image code verification to verify a human is posting, against human postings with inappropriate content helps only an editor review before release. Machine posted spam may increase, if you use well known templates from popular blogging software.

12:21 AM

Wednesday, November 06, 2013

Strange Influx of Russian Spam, Part 3

Given how much I’ve already documented the new wave of Russian referral spam showing up on Blogger, I’m simply listing the new links as they come in. For more information on what this is all about, please see my previous posts here and here. In what may be a coincidence, vampirestats has been showing up in large numbers during the same time period. Also, I'm starting to see repeats of the same links, but they always register four times when they hit.

Tuesday, November 05, 2013

Strange Influx of Russian Spam, Part 2

Another day brought in another round of the odd referral spam to my Blogger statistics. Following the same pattern as the first batch, things took a turn toward the sinister once I started checking them out.  If you receive any of these in your referrals, do not click on the links!

Artcs Spam 01

http: // art-cs . ru / ?p=275 linked to a post on a Russian blog, just like all the others during this onslaught of faked referrals. This one does have phone numbers in one post, though I didn’t look them up. The last post was in September of 2012 and most of the posts were put up on one day.

Etiketu Spam 01

The second of this wave was http: // etiketu . ru / ?m=20120907 which links to a blog about proper etiquette and how it helps in business. Like the farming site in the first wave, this one has an about page. Unlike that one, no name is associated with it. Instead a mission statement of promoting humanism and decency is present. This will turn out to be highly ironic.

It was last posted to in October of 2012.

Monday, November 04, 2013

Strange Influx of Russian Spam

November has brought cold winds with it and a flood of Russian spam on the 3rd. The false referrals on my Blogger stats lead to a baffling variety of blogs. Only one is an obvious attempt to sell things, which makes it very mysterious that they all came at once. Oddly, all showed up four times with the exception of the first. All use WordPress and none have ads placed on the pages, but do have LiveInternet statistics links.

UPDATE: Continued with a theory of why these are being sent out.

Now the individual links:

Kyho Spam 01

http : / /www . kyho . ru / was the first to arrive Sunday morning. I copied the link for future investigation and headed out to church. Little did I know that it was the first of a larger group of spam arriving through early Monday.

Firing up my virtual machines for safe and compartmentalized browsing, I found out I’d be using Google Translate a lot in trying to decode the mystery. This site is dedicated to hair care with repetitive posts, which raises suspicions of being an automated site scraping content from legitimate blogs. There are no comments and it is a barebones blog layout. It also was last updated in November 2011!

With no ads and no immediately visible malware on the page or in the source code, it looked like another case of zombie spam.

Tuesday, October 15, 2013

Again With the Spam

While there hasn’t been a lot of new spam hitting this blog (been a lot of vampirestats lately), there has been one showing up under two different links and one that showed up on another blogger’s site.

Ourmeets Spam Warning

First up is the worst offender. Coming in as www . seoanalyses .com or under its real address,  ourmeets . com , this is a pornographic “dating” site. As you can see, it was blocked by OpenDNS, which I use to pre-filter anything coming into the house. Don’t click on it as it is exceedingly unsafe to visit.

kallery spam 01

kallery spam 02

Next up is one that commenter Sarma listed.

kallery . net out of South Korea looks like a real site at first glance, but digging further reveals that it sends you off to other sites where art is for sale. That’s a traditional tactic of cross promoting links used to generate ad revenue or of black hat SEO to up search engine rankings. Appears relatively harmless, but I advise avoiding.

Notice the art quiz winners on the right hand sidebar of the first screenshot. What are the odds that four of them would be links promoting the site? The mind boggles!

I wonder what percentage of Web pages in the world are actually spam sites? The search engines have enough trouble keeping up with the legitimate content being put up.