Thursday, November 29, 2012

Why th3j35t3r's Efforts Are Ultimately Useless

I follow th3j35t3r on Twitter and he follows me, though I doubt if he reads anything I post. It is obvious that we disagree on political issues and perhaps others as well.

I read his posts while he was DOSing the Westboro Baptist Church in retaliation for their picketing the funerals of American servicemembers who had been killed in action in Iraq or Afghanistan. However, it was obvious to me that they simply used alternative means to spread their message around. Since they didn't have their websites, they used Twitter, Twitpic and other forms of social media to alert their friends and enemies where their next picket would be. Naturally, th3j35t3r didn't DOS those sites because millions of innocent users would have been denied their use, in addition to the WBC.

So, while DOSing WBC's websites may have made th3j35t3r and his fans very happy, it didn't affect WBC in any way, other than to force them to use other means of communication. While th3j35t3r knew they were doing this, he still counted it as a victory for himself and Good Guys in general.

th3j35t3r also regularly DOSes websites run by known or suspected jihadist organizations, for which he receives thunderous applause on Twitter as well as a lot of attention in the media. He's got his enemies, like everyone else, but that doesn't slow him down.

Objectively speaking, I have to wonder if his activities do any good at all. It's impossible to know if any terrorist attacks have been deterred by his DOSings or if he has acquired information on terrorist groups which was then passed to US authorities. Such is the world of covert operations, where the Good Guys don't receive public acclaim for what they have done because we're not supposed to know what they've done, unless somebody is a fucking glory hound out to make a name for himself.

But, the terrorists share a number of things with the Westboro Baptist Church: they know that their websites are being watched and traced. Their websites have been DOSed, DDOSed and hacked in the past, so they can safely assume that such things will happen again. So, they don't rely solely on these websites and avail themselves of other means of communicating among themselves and with the general public.

But, while th3j35t3r strikes at targets which are already in the crosshairs of law enforcement agencies around the world, criminal gangs operate with impunity right here in the USA and around the world, where they victimize ordinary people and businesses on a regular basis.

I'm talking about the textspammers who set up websites where they attempt to trick people into giving them their home addresses and cellphone numbers while they offer them the false lure of a $1000 Best Buy or Walmart card. I'm talking about the fraudulent websites that scammers set up impersonating real businesses. I'm talking about scam websites set up to impersonate banks, so they can acquire people's personal information and commit identity fraud, as well as attempting to launder the money they make defrauding people out of their life savings.

Where is th3j35t3r for the innocent people and businesses affected by these scam websites? He's on Twitter, taking a bow for all the terrorists' websites he's DOSed and proclaiming "TANGO DOWN".

Some of the most prolific textspammers out there are the people associated with freegiftcardtoday.com, who are connected to nearly all of the textspammers I have written about on this blog. Just imagine what would happen if th3j35t3r would DOS them for as long as he did WBC - which was about three weeks - while simultaneously DOSing all the sites whose links are being sent out via textspam. Those sites are easy enough to find, if you look through the reports at SMSWatchdog.

The sites whose links are spread around via textspam ultimately depend on freegiftcardtoday.com to accumulate the information the scammers are after. Without it, their scam wouldn't work and thousands of people would be safe from having their personal information stolen under the guise of claiming a free gift card. It doesn't take a rocket scientist to figure out that the scam does work, since the scammers wouldn't otherwise be so busy spamming people via their cellphones, setting up fake websites and paying Namecheap for domain names and servers. They're not going through all that trouble for shits and giggles; they're doing it because they make more money than they're spending, which is the goal of any business, legal or not.

Namecheap makes money from selling domain names and providing servers, so while they know what's going on, they won't do anything about it. Walmart, Best Buy, Target, etc. know about the ongoing scams and where they're vulnerable (hint: the US-based servers), but the scammers aren't cutting into their bottom line, so they're not going to spend the legal fees needed to take these people down. A hard-to-find warning on their corporate website will suffice. The only people who are being victimized are John/Jane Q. Citizen, and nobody gives a fuck about them, right?

So, these scam sites are up for weeks, months and even years without any serious steps to take them down. People fall for these scams and lose their money and/or personal information, with the accompanying risk of becoming the victim of identity theft, which can take years to rectify once they become aware of it. Real people are becoming victims of these scammers every day with no end in sight.

Terrorists, on the other hand, are all hunted men and they know it. Law enforcement agencies around the world are searching for them, and they all risk being betrayed by people eager for the substantial reward money being offered for them or abandoned by whatever country may be sponsoring or sheltering them at the time. The US government, not th3j35t3r or anyone like him, found Osama Bin Laden and is actively looking for his confederates, fully intending to capture or kill them at the first opportunity.

So, terrorists are already hunted people and their websites are already being watched, as well as DOSed, DDOSed, and hacked. This is territory that is already covered. But, the professional law enforcement agents seldom get a lot of applause from the public. Their agencies might, but seldom the individuals who did the actual work. That's the very nature of covert operations. The world of Special Operations is often thankless, because covert operations are meant to be secretive. That's okay with the agents doing the work, since they often go into that line of work for the challenges it offers, as well as out of a sense of doing their patriotic duty, rather than to become famous.

But, th3j35t3r seems to crave that acclaim, despite the fact that the field is pretty well covered. He'll get more of this acclaim for taking down terrorist websites, Westboro Baptist Church and Wikileaks than he would get for knocking down scam websites. He knows this and his audience probably knows this, too.

After all, proclaiming to the world that you've DOSed a jihadist website will make a lot more people happy and willing to donate money to him (he claims to give a portion of his donations to The Wounded Warrior Project, the same claim that the author of "No Easy Day" makes about proceeds from his book sales) than doing the same to a fake bank. But, the actual good being done is, I think, far less.

Imagine that you're a terrorist and you want to plan an attack. You know that your websites are monitored and your discussion forums have been infiltrated. Do you plan your attacks there anyway? Of course not! If you're smart, you'll take your planning off to a safer route, like one of those free messaging systems that you can download to your smartphone or some other private messaging system that would be far more secure. You'll have all of your contacts already aware of these alternative routes, so that there's less risk of being watched when you want to plan something covertly. So, th3j35t3r's attacks on these sites net little in real results beyond the applause from the public. I seriously doubt if any attacks have been thwarted by his efforts.

Compare that to my blog. This is a small blog and I don't write for it on a daily basis. I write whenever something comes up that sparks my interest and I'll admit that I've even made some money from it. I've written a few entries that haven't gotten a lot of views, but that's okay. But, I've written many articles on scams that I've either become aware of by reading Internet forums or I was the intended target of such a scam. Those are my most popularly-read articles - aside from the ones I wrote about Charles Darwin - and they receive the most comments from readers. I've gotten messages from people who had been targeted by scammers, but decided to check it out before committing to anything. They found my blog entry on that topic and it saved them from getting scammed. I've got those comments here on this blog and anyone can read them. Most were posted anonymously, so there's no way for anyone to go and check on their veracity. Still, I get comments like that just from the blogposts here, which is some evidence that I've at least done some good from it. Links to my blog entries can be found in forums around the Internet, such as SMSWatchdog. My posts on a quote falsely attributed to Charles Darwin have even been discussed on 4chan, though I don't know what was said about them. Nobody was saved from getting scammed, just from being misinformed.

I don't do this blog for the glamor, which is nonexistent anyway. I'm unlikely to be interviewed by the media or offered a book deal. No one has ever offered to donate money to support my work. I just do it for the sake of maybe doing some good and hoping that I might just be able to keep someone from getting scammed. I do this knowing with great regret that there is no th3j35t3r out there who will be DOSing these scam sites, as well as the sad fact that the corporations being used as cover for these scammers don't care enough to even try to take these sites down themselves and the companies the scammers buy their server space from are too busy making money to give a shit about the innocent people being victimized.

Don't misunderstand my feelings about th3j35t3r. I like him. I do. But, I think that his talents are being wasted covering ground that is already covered and he could actually be doing some tangible good if he directed his efforts towards those who victimize the innocent on a daily basis.


Duane Browning

Monday, November 26, 2012

Eng Wang: Scamming from China

Text messages have been received saying things like:
Congrats! Please redeem your prize with this code: U9R5 http://www.bestbuy2013.net 
or words to that effect. Sometimes, people are told that they placed second, third, fifth, or whatever.

The website bestbuy2013.net (WHOIS) is owned by the same person as bestbuycodeverify.net (WHOIS) and bestbuycardcode.net (WHOIS), a Chinese national named Eng Wang. Here is his contact information that I gathered from the WHOIS searches I did on the websites:

Eng Wang
4954 Wei Shen
Hong Kong China 5495839
Telephone: +86.852485354842
Email address: engwang100@yahoo.com

Scammers feel that they can operate out of China with impunity, since American law enforcement agencies have no jurisdiction over them. However, their servers can be cut off if they are based outside of China, and these websites use servers based in Japan and the USA.

At last count, six websites have been registered by this person:

1.  bestbuy2013.net
2.  bestbuycardcode.net
3.  bestbuycodeverify.net
4.  bestbuypromocode.biz
5.  codewinners.net
6.  winningcode.net

The websites registered via Kalyhost have been deleted. The two remaining websites were registered under a German company, 1API GmbH, and I have filed complaints against them. You can file complaints of your own at info@1api.net as part of the effort to close these websites.

At the bottom of the websites is the "Privacy Policy", which is posted in hard-to-read text and which I will repost for you here:

By clicking continue you are agreeing to our Privacy Policy
Information We Share This Privacy Policy applies to consumers that have signed up on the prizecenterdirect.us website. We may sell, brand or share your personal information that you supply to us with other 3rd party businesses so they can bring selected retail opportunities via direct mail, e-mail, SMS text messaging, telemarketing, pre-recorded messages, or automated attendant telemarketing. These businesses may include providers of direct marketing services and applications, including lookup and reference, data enhancement, suppression and validation and email marketing. For example, if you express interest in a particular product or service, you may be contacted by telephone regarding that particular product or service. prizecenterdirect.us collects minimal demographic and personally identifiable information from many users. This information is aggregated and analyzed to help us tailor future offers and to help our marketing partners and advertising agencies understand the demographics of our customers in order to evaluate the potential effectiveness and profitability of doing business with us. Part of our business model involves sharing personally identifiable information, such as name and address, with third-party marketing concerns. While prizecenterdirect.us cannot control the practices of our advertisers and third-party marketers, we endeavor at all times to do business with reputable partners who also follow a best practices model regarding your privacy.
All information provided to prizecenterdirect.us by the users of this site may be used to support our suppression, validation and enhancement services to other marketing companies, advertising agencies, compilers and data companies.
As an example, opt-out information may be shared with other marketing partners so that those users opting out of further offers are suppressed from the partner's mailings or promotions, as well as our own. In addition to complying with our users' preferences, it simply makes good business sense to mail only to those customers who have indicated a desire to receive such mailings.
prizecenterdirect.us's business model includes participating in affiliate network programs and other co-marketing partnerships to promote our site. We reserve the right to share with 3rd parties the information we collect on this site for any purpose.

These three websites operate under the umbrella of prizecenterdirect.us which is an anonymously registered website whose servers are based in the USA.

Entering a code or clicking "Don't Have A Code?" takes you to a weblink run by freegiftcardtoday.com which is another anonymously registered website whose servers operate in the USA and the United Kingdom.

Despite seeming to be very popular with textspammers, Best Buy is not the most popular ploy of these people. Walmart is, as you can see from this list of links to freegiftcardtoday.com's subdomains:

Where Visitors Go on Freegiftcardtoday.com

Subdomain                             Percent of Visitors
walmart.freegiftcardtoday.com         35.56%
target.freegiftcardtoday.com          21.46%
bestbuy.freegiftcardtoday.com         17.60%
targetcard.freegiftcardtoday.com       8.04%
newipad.freegiftcardtoday.com          4.57%
ipad.freegiftcardtoday.com             3.65%
costco.freegiftcardtoday.com           2.83%
iphone5.freegiftcardtoday.com          2.10%
twilight2.freegiftcardtoday.com        1.95%

I really don't know what can be done about these people. They give themselves plausible deniability by linking to foreign-based websites, so they disavow any responsibility for their actions. Hopefully, some sort of action can be taken by governments and multinational corporations, assuming they want to even try to stop them.

Duane Browning


Friday, November 23, 2012

Trent Lee: Twitter Spammer

On Thanksgiving Day 2012, I was checking my Twitter account to see if anyone had sent me messages and I found this
It looked like just another spam message that you often see on Twitter, but this time I decided to see how widespread the spammers' activities really were. While the actual texts of the messages varied, certain elements were common enough that I could do a search to find many of the other tweets sent out over the past few days. What I found was really interesting...

About 200 Twitter accounts had been created to send tweets advertising this "business" and the person behind it even had multiple accounts created for himself. I suppose he did that as a precaution against one or more of his accounts getting closed. What I found very disturbing is that many of these accounts seemed to have been formerly active on Twitter until a few days ago. At that point, the names of the accounts seem to have been changed and all the people following or being followed were discarded. That explains why the number of followers and followings were almost always zeroed-out on the Twitter accounts being used for spamming. There was a reported hack of Twitter when many subscribers reported receiving an email telling them to change their passwords. This was apparently a phishing attack which seems to have been successful in a number of cases. It is possible that many or even all of the accounts being used to spam on behalf of Trent Lee were victims of the phishing. I typically ignore emails like that, since I am a suspicious person by nature and seldom trust such requests when I get them.

Having little else to do that day, I blocked every one of them from messaging me in the future and I also reported them to Twitter for spamming. Time will tell what sort of effect that will have. Twitter may or may not decide to close them down, but I think that depends on how many other Twitter account holders also reported them.

The central personality behind all of this goes by the name "Trent Lee" and these are his four accounts: @TrentLeeK37 @TrentLeeU86 @TrentLeef58 @TrentLeez42. You can see that they haven't been used very much, having at most 21 tweets, many of them retweets of posts from supposed "fans" thanking him for whatever the hell he was supposed to have done for them.

Clicking on the link provided on the profiles eventually takes you to his website http://www.trentsteam.com although the actual link is not displayed on his profiles. The links are displayed using URL shorteners which are apparently used to hide the URL http://trentlee.goosenipps.net/ which then redirects to his homepage.

Why go through the trouble? Many people have direct links to their websites on their Twitter accounts. There's a link to this blog on my Twitter page, in fact. So, why did Trent want to obscure his link in this way?

Hey, it is his Twitter page and he can do whatever he wants with it and it's not for me to dictate what he does. But, it did make me wonder, so I started digging around.

Trent's website is a typical "I can help you make lots of money very easily"-type of site. But, Trent has registered his website anonymously through Domains By Proxy, which sets off alarm bells for me right away. If this were a legitimate business with nothing to hide, he shouldn't be afraid to let us know his address, right?

But, what about goosenipps.net, where Trent's website appears as a subdomain before the redirect? Well, that's a different story:

Domain Name: GOOSENIPPS.NET
Registrar: MONIKER

Registrant [4021699]:
Jessica Gable migajeli@yahoo.com
409 Northern Trail
Leander,TX 78641 US

Administrative Contact [4021699]:
Jessica Gable migajeli@yahoo.com
409 Northern Trail
Leander, TX 78641 US
Phone: +1.5125889682

Billing Contact [4021699]:
Jessica Gable migajeli@yahoo.com
409 Northern Trail
Leander, TX 78641 US
Phone: +1.5125889682

Technical Contact [4021699]:
Jessica Gable migajeli@yahoo.com
409 Northern Trail
Leander, TX 78641 US
Phone: +1.5125889682

Domain servers in listed order:
NS533.HOSTGATOR.COM
NS534.HOSTGATOR.COM
Record created on: 2012-10-17 00:09:04.0
Database last updated on: 2012-10-17 02:33:19.853
Domain Expires on: 2013-10-17 00:09:11.0

Just entering goosenipps.net in your URL bar takes you to Trent's website. Interestingly, the person who owns goosenipps.net also owns at least two other websites, lighthoser.net and crankerobo.net, both of which redirect to an adult cam site. I'm curious as to why someone would own two adult sites and one get-rich-quick site. Adult sites can be good moneymakers, but there's a lot of competition out there, including free porn sites. A get-rich website may seem like a good investment, since people are always looking for a way to make a lot of money working from home in their spare time. Maybe the cam site isn't paying the bills. Either that or somebody is just plain greedy.

The phone number given for the registrant is a cellphone, which isn't unusual, since many people are foregoing a land line these days. The email address - migajeli@yahoo.com - is linked to this Myspace account, which looks like it hasn't been accessed in over a year.

Trent's website may be registered anonymously, but we do know that his servers are run by softlayer.com and that site is registered in Texas, just like goosenipps.net.

Softlayer Technologies, Inc.
4849 Alpha Road
Dallas, Texas 75244
United States
+1.2144420600 Fax -- +1.2144420601

Despite all these links to Texas, Trent gives the following as his contact information:

TrentsTeam.com
8605 Santa Monica Blvd #49267
Los Angeles, CA 90069
Email trent@trentsteam.com

The mailing address is not his place of residence; it's a mailbox that he rents.


As far as Trent's website and money-making scheme go, I'd advise everyone to steer clear of him, since anyone who goes through this much trouble to obscure himself from the public has no business being trusted to help people who need to create a source of income for themselves. Plus, the rather unethical behavior demonstrated by spamming Twitter on behalf of his business - possibly using hacked Twitter accounts - shows him to be someone completely undeserving of trust.

UPDATE

A second round of spamming is currently taking place on Twitter advertising the cam show site mentioned earlier. The lead accounts are @CapriGalb82 @CapriGalJ99 @CapriGalq05 and @CapriGalm75 but the accounts being used to send the spam messages across Twitter are mostly different ones than those used earlier.

ANOTHER UPDATE

While all the CapriGal profiles on Twitter seem to have been deleted, the account @GreenSmooth31 has taken their place and is using most of the Twitter accounts that TrentLee and CapriGal were using previously.


Duane Browning

Sunday, November 18, 2012

Phishing Attempts Via Textspam

People have reported receiving text messages on their cellphones consisting of either of these two messages:
Congratulations! you have received a discount of $100 dollars on your next month bill please visit a.vz50offer.com/

or
Congratulations! you have received a discount of $100 dollars on your next month bill please visit http://veri.offerbonus50.com

Going to the vz50offer website takes you to a very well-done and convincing AT&T log-in page, while the offerbonus50 site poses as a log-in page for a Verizon account. Of course, neither of these sites is legitimate; they are both phishing sites designed to steal your personal information and passwords. Submitting any information to either of these sites can result in your becoming the victim of identity theft and unauthorized charges being made to your account.

Both of these sites are registered to the same person and here is the WHOIS information I acquired:

Domain Name: VZ50OFFER.COM
Registrant:
collins voip
Thomas Lopez Colinas (thomas-collins1@hotmail.com)
c/respaldo 27 # 401
Santo domingo
santo domingo,80956
DO
Tel. +1.8095671300
Creation Date: 12-Nov-2012
Expiration Date: 12-Nov-2013
Domain servers in listed order:
ns1.hostengel.org
ns2.hostengel.org

Administrative Contact:
collins voip
Thomas Lopez Colinas (thomas-collins1@hotmail.com)
c/respaldo 27 # 401
Santo domingo
santo domingo,80956
DO
Tel. +1.8095671300
Technical Contact:
collins voip
Thomas Lopez Colinas (thomas-collins1@hotmail.com)
c/respaldo 27 # 401
Santo domingo
santo domingo,80956
DO
Tel. +1.8095671300
Billing Contact:
collins voip
Thomas Lopez Colinas (thomas-collins1@hotmail.com)
c/respaldo 27 # 401
Santo domingo
santo domingo,80956
DO
Tel. +1.8095671300

and also:

Domain name: offerbonus50.com
Registrant Contact:
collins voip
Thomas Lopez Colinas (thomas-collins1@hotmail.com)
Fax:
c/respaldo 27 # 401
Santo domingo, santo domingo 80956
DO
Administrative Contact:
collins voip
Thomas Lopez Colinas (thomas-collins1@hotmail.com)
+1.8095671300
Fax:
c/respaldo 27 # 401
Santo domingo, santo domingo 80956
DO
Technical Contact:
collins voip
Thomas Lopez Colinas (thomas-collins1@hotmail.com)
+1.8095671300
Fax:
c/respaldo 27 # 401
Santo domingo, santo domingo 80956
DO
Status: Active
Name Servers:
ns1.hostengel.org
ns2.hostengel.org
Creation date: 12 Oct 2012 03:26:00
Expiration date: 11 Oct 2013 19:26:00
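The registrant pivot used in this post and in the Eng Wang and goosenipps.net posts above (domains that share a contact e-mail, and more weakly a nameserver pair) can be automated; the following Python is an added example, not code from the original blog. The records are constructed to mirror the two WHOIS layouts quoted above, and the third domain is a hypothetical control that should not cluster with the other two.

```python
import re
from collections import defaultdict

# Constructed records that mirror the two WHOIS layouts quoted on the page;
# the third domain is a made-up control that must not cluster with them.
SAMPLE_WHOIS = [
    """Domain Name: VZ50OFFER.COM
Registrant:
Thomas Lopez Colinas (thomas-collins1@hotmail.com)
Domain servers in listed order:
ns1.hostengel.org
ns2.hostengel.org""",
    """Domain name: offerbonus50.com
Registrant Contact:
Thomas Lopez Colinas (thomas-collins1@hotmail.com)
Name Servers:
ns1.hostengel.org
ns2.hostengel.org
Creation date: 12 Oct 2012 03:26:00""",
    """Domain Name: UNRELATED-CONTROL.EXAMPLE
Registrant:
Some Registrant (someone@example.invalid)
Name Servers:
ns1.shared-host.example""",
]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
NS_HEADERS = ("domain servers in listed order:", "name servers:")


def parse_record(text):
    """Extract the domain, every contact e-mail and the nameserver list."""
    rec = {"domain": None, "emails": set(), "nameservers": []}
    in_ns = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()
        if low.startswith("domain name:"):
            rec["domain"] = line.split(":", 1)[1].strip().lower()
        elif low in NS_HEADERS:
            in_ns = True      # bare host lines follow until the next "key:" line
        elif ":" in line:
            in_ns = False     # any other "key: value" line closes the NS block
        elif in_ns:
            rec["nameservers"].append(low)
        for email in EMAIL_RE.findall(line):
            rec["emails"].add(email.lower())
    return rec


def cluster_domains(records, pivot_on_nameservers=False):
    """Union domains that share a contact e-mail. Nameservers are a weak pivot
    (shared hosting links unrelated customers), so they are opt-in only."""
    parsed = [parse_record(r) for r in records]
    parent = {p["domain"]: p["domain"] for p in parsed}

    def find(d):
        while parent[d] != d:
            d = parent[d]
        return d
    carriers = defaultdict(list)    # indicator -> domains that carry it
    for p in parsed:
        indicators = set(p["emails"])
        if pivot_on_nameservers:
            indicators |= set(p["nameservers"])
        for ind in indicators:
            carriers[ind].append(p["domain"])
    for domains in carriers.values():
        for d in domains[1:]:
            parent[find(d)] = find(domains[0])
    clusters = defaultdict(list)
    for d in parent:
        clusters[find(d)].append(d)
    return sorted(sorted(c) for c in clusters.values())
```

Running `cluster_domains(SAMPLE_WHOIS)` groups the two phishing domains together and leaves the control domain on its own; shared nameservers such as a big host's NS pair should only be used as a pivot when you are prepared to discard the false links they produce.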

The offerbonus50.com and vz50offer.com sites appear to be down. Attempting to visit either of these sites resulted in a warning pop-up opening in my browser, stating that they were suspected of being phishing sites.

The servers for these sites seem to be based in the USA and are registered through GoDaddy.

Duane Browning