Sunday, 26 April 2015

SSL Certificates and Fake Banks

For a long time people have been relying on SSL certificates to tell whether a bank site is genuine or not. It seems pretty straightforward: the majority of fake bank sites don't bother, mainly because it's an extra expense and hassle for a site that probably won't be around for the length of its short registration.

Due to recent events, specifically revelations over the extent of various governments' internet surveillance, efforts are under way to encrypt more and more sites to https standard, but it's important to realise the limitations of this increase in security. Https only guarantees that the connection between your computer and the site it is communicating with is encrypted, and it can be undermined in various ways, for example if your computer is infected with a virus or other malware, or if the site itself is not a legitimate site.

It is, of course, this last one that I'll be focusing on here.

So let's look at an example of a fake bank with an SSL Certificate:
http://www.wealth-dib.com/ 


You'll note that the homepage itself is not secured, not unusual even for legitimate banks. However, when we attempt to login to this bank, we're redirected to a different domain:
https://banking.dubai-international-bank.com/
Encryption..........
Which is secured, but choose either corporate or personal banking and the next page is:
http://banking.dubai-international-bank.com/?lg=1
...you're doing it wrong!
Your choice of personal or corporate banking is safe, but entering any credentials isn't!

This site only uses the basic SSL Certificate that any site owner can get themselves (a domain-validated certificate, issued on nothing more than proof of control of the domain name), not the Extended Validation Certificate that major online sites have. Extended Validation requires more than just evidence that you own the domain name; it also requires that the domain is linked to the actual business, to guarantee that you are at the correct site and not a fake site. Most browsers will differentiate between the two, so if you are unsure of being able to tell the two apart it may be time to learn: as more of the internet switches to https as standard, so too will the fake sites.
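Two checks that follow from the flow above, written as an added example for this post (not code from the original, and not from any bank or browser): walking a captured sequence of pages to find a password form whose page or submit target is plain http, and classifying a certificate subject as DV, OV or EV from the attributes it carries, in the shape that Python's `ssl` `getpeercert()` returns. The page URLs mirror the post; the HTML bodies, the `login.php` form target and the two certificate subjects are constructed sample data, not captured from the sites described.

```python
"""Added example: offline checks for a banking login flow, stdlib only.

1. audit_login_flow(): walk (url, html) pages and flag any password form
   whose page or resolved submit target is not https.
2. classify_cert_subject(): label a certificate subject DV / OV / EV from
   the fields present, using the tuple-of-RDNs shape of
   ssl.SSLSocket.getpeercert()['subject'].
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormFinder(HTMLParser):
    """Collect each <form>'s action and whether it contains a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of {"action": str, "password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_flow(pages):
    """pages: list of (url, html). Returns one finding per credential form
    whose page URL or resolved submit target is not https."""
    findings = []
    for url, html in pages:
        parser = _FormFinder()
        parser.feed(html)
        for form in parser.forms:
            if not form["password"]:
                continue
            target = urljoin(url, form["action"])  # empty action posts back to the page
            page_ok = urlsplit(url).scheme == "https"
            target_ok = urlsplit(target).scheme == "https"
            if not (page_ok and target_ok):
                findings.append({"page": url, "target": target,
                                 "page_https": page_ok, "target_https": target_ok})
    return findings


# Subject attributes the CA/Browser Forum EV guidelines require beyond OV.
_EV_FIELDS = {"jurisdictionCountryName", "serialNumber", "businessCategory"}


def classify_cert_subject(subject):
    """subject: tuple of RDNs, each a tuple of (attribute, value) pairs, e.g.
    ((('countryName', 'GB'),), (('commonName', 'example.com'),)).
    A subject with only a CN is DV; with an organizationName, OV; with the
    EV-only attributes as well, EV."""
    names = {attr for rdn in subject for attr, _ in rdn}
    if "organizationName" in names and _EV_FIELDS <= names:
        return "EV"
    if "organizationName" in names:
        return "OV"
    return "DV"


# Constructed sample data: the three-step flow from the post, with a
# hypothetical login form (login.php) on the final, plain-http page.
SAMPLE_PAGES = [
    ("http://www.wealth-dib.com/",
     "<html><a href='https://banking.dubai-international-bank.com/'>Login</a></html>"),
    ("https://banking.dubai-international-bank.com/",
     "<form action='?lg=1'><button>Personal</button></form>"),
    ("http://banking.dubai-international-bank.com/?lg=1",
     "<form action='login.php' method='post'><input name='user'>"
     "<input type='password' name='pass'></form>"),
]

# Constructed subjects: DV-style (CN only) and EV-style (organisation plus
# jurisdiction, registration number and business category).
DV_SUBJECT = ((("commonName", "banking.example.test"),),)
EV_SUBJECT = (
    (("jurisdictionCountryName", "GB"),),
    (("businessCategory", "Private Organization"),),
    (("serialNumber", "00000000"),),
    (("countryName", "GB"),),
    (("organizationName", "Example Bank plc"),),
    (("commonName", "online.example.test"),),
)

if __name__ == "__main__":
    for f in audit_login_flow(SAMPLE_PAGES):
        print("credentials at risk:", f)
    print("DV subject ->", classify_cert_subject(DV_SUBJECT))
    print("EV subject ->", classify_cert_subject(EV_SUBJECT))
```

Run against the sample flow, the only finding is the password form on the `?lg=1` page: the page is http and its `login.php` target resolves to http as well, which is exactly the "your choice is safe, your credentials aren't" situation. The subject classifier is a heuristic on attribute presence; browsers additionally match the certificate's policy OID against a per-CA list, so treat it as a quick triage, not a verdict.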

Update: Both sites have been suspended.

Friday, 24 April 2015

Staminus and a fake company continued

Today’s response from Staminus:
""I can only ask you to investigate because there are serious doubts this is a legitimate website."
Investigator : a person, persons or entity who is qualified to and tasked with investigation. e.g. Policeman or law enforcement.
Law Enforcement: a body that can investigate and gather evidence to be used in a court of law for prosecutions.

ISP : a company that provides internet services and is generally unqualified and unlicensed to conduct legal investigations or provide chain of custody for evidence necessary for a trial.
**

Therein lies the source of your problem. Now that I understand, I can probably be of some assistance to you.
Not dissimilar to grabbing a random used car salesman and putting them in charge of designing and building nuclear bombs, you have been focusing on getting the wrong group/individual(s) to do your investigation for you.
I encourage you to contact your local law enforcement office. They are qualified, licensed and certified to conduct legal investigations, collect legal evidence, track chain of custody for said evidence, and then provide said evidence to a prosecutor. If they determine that they require additional information, they will contact us directly via established channels.
By following this procedure, criminals can be investigated, charged, tried and convicted.
By following your procedure, at best, criminals would have their services briefly interrupted while they relocate to another host - possibly even within the same data center / ISP.
I'm glad we were finally able to clarify the challenge you were experiencing and get it resolved for you.
If you need the numbers to any law enforcement, FBI, Homeland security or secret service, please do not hesitate to ask. We will be happy to provide you with appropriate contact information.

Abuse Department
Staminus Communications
"
"Dear Staminus,

While I can understand your position, I do disagree with you.

I note that you still have not provided a link to, or copy of your TOS, but I guess that fraud is against your TOS. It generally is for most hosting companies.

I can only ask you to investigate, look into or at least re-examine your side of things, specifically the arrangement that your company has with your customer.

I am asking because you are in a much better position to do so than I am. I can only point to the website and raise with you the doubts over the validity of the statements and claims made on the website that are claimed to be facts. Where I can refute those I have provided sources for my information. You may not choose to recognise the sources I linked to, that is your right, just as it is my right to inform you of abuse that I believe is occurring that is utilising your resources.

In this case as the site claims to be a company in 6 different countries, is hosted in a seventh and the registrant claims to be in an eighth, just which countries Law Enforcement would you suggest I contact? All of them? When I have serious doubts that it would fall under any of their jurisdictions? As I said previously, I am not a victim. Or do you think Law Enforcement would be more willing to hear from yourselves, as after all, you have a financial relationship with your customer and can provide much more information and, in general, be of more assistance to them than I can as an ordinary citizen?

I am all for having getting the police and courts involved in investigating these matters, but the sad fact is that unless they have victims, ie. evidence of a crime having been committed, there is little for them to do. Who exactly is in the better position here to provide this? Myself an ordinary citizen, or the hosting company?

Or, just perhaps, it may be better for everyone for the hosting company to step in before people are defrauded and turned into victims.

Most hosting companies have abuse teams that can recognise fraudulent sites, and suspend them. As you say, briefly interrupting their criminal activity, but it does prevent people falling victim to these fraudsters while they relocate their site.
It also sends a message to the fraudsters to stay away from that hosting company, in effect the more sites hosts suspend the fewer they will have to in future. After all, no hosting company wants to have a reputation for hosting fraudulent sites, do they?

At this point it seems only fair to inform you that I happen to maintain a blog - http://419fraudtoleranthosts.blogspot.com/ and I have posted our exchanges so far.

Kind regards
Rob"
Staminus' reply:

"but I guess that fraud is against your TOS"
You have not proven fraud. You have implied some form of deception and suggested that I obtain sufficient evidence on my own.
Will you be funding the investigation?

"I can only ask you to investigate"
You can, indeed, ask. But that is not the "only" thing you can do. You could also perform the investigation yourself and obtain proof beyond circumstantial evidence of a violation of our TOS or criminal activity.

"I am asking because you are in a much better position to do so than I am"
By what method do you arrive at that conclusion? I have the same internet access as you do. And, if you are suggesting that I access the server, drives or data, then you also have the same access to hack the server that you are suggesting I do.

"but the sad fact is that unless they have victims, ie. evidence of a crime having been committed"
That damned US Constitution gets in the way every time, doesn't it. Let's throw out the 'search and seizure' laws. Let's throw out 'innocent until proven guilty'. Let's throw out 'wire tapping' laws. While we're at it, let's just take anyone you suggest behind the barn and shoot them - unless you'd prefer hanging.
In fact, we require the same proof/evidence that law enforcement requires.
You aren't really supporting the notion that services be terminated based on suspicion, are you?
You'd be okay with having someone report a suspicion to your ISP and having them terminate your services based on that suspicion? Really? Or will you, perhaps, suggest that your ISP should spend money investigating you? Will they be looking for evidence to convict or evidence to clear you? Who will pay for that investigation? Will you be okay with them reviewing all of your emails and phone calls? Just how much of an ISP police state are you advocating?

"Who exactly is in the better position here to provide this? Myself an ordinary citizen, or the hosting company?"
None of the above. Law Enforcement is in the best position to investigate and collect information that leads to a conviction.

"Most hosting companies have abuse teams that can recognise fraudulent sites"

We are not a hosting company. We do not provide web hosting services.
We are an ISP

"At this point it seems only fair to inform you that I happen to maintain a blog"
Email communications are private and copyrighted. Publishing them is a criminal offense and can be prosecuted. You have not requested and I have not granted permission to republish my copyrighted and private communications.
Clearly you have now established that you are a criminal.
No further communication is necessary.
Have a great day.
As Staminus has asked me to stop emailing them on this issue, I will. However, this would have been my response to them.
"Dear Staminus,
In answer to your email,

"You have not proven fraud. You have implied some form of deception and suggested that I obtain sufficient evidence on my own.
Will you be funding the investigation?"
The definition of fraud:
"Fraud is a type of criminal activity, defined as:
'abuse of position, or false representation, or prejudicing someone's rights for personal gain'.
Put simply, fraud is an act of deception intended for personal gain or to cause a loss to another party.

The general criminal offence of fraud can include:

deception whereby someone knowingly makes false representation
or they fail to disclose information
or they abuse a position."
Site claims to be an international company headquartered in the UK. The contact address listed for these headquarters is another country's Embassy. No company has any office in an Embassy. They can afford their own offices.
The company is not registered with Companies House in the UK, despite claiming to be a 150 year old company.

The telephone number for the headquarters is a mobile number, would a long established company really not have a geographic number in their own offices for potential customers to call?
The email address listed for the headquarters is for a suspended domain. The email address used to register this suspended domain does not exist. A whois violation.
"By what method do you arrive at that conclusion? I have the same internet access as you do. And, if you are suggesting that I access the server, drives or data, then you also have the same access to hack the server that you are suggesting I do."
You are at the abuse desk of an ISP. You are providing services for this website, and as such, I would imagine, have better contacts with Law Enforcement and the hosting company for this website than I as an ordinary citizen would have access to. You could simply pass my email to them for them to look at and make a decision on. They may decide that it warrants investigation, although you have made it abundantly clear that you do not.

"That damned US Constitution gets in the way every time, doesn't it. Let's throw out the 'search and seizure' laws. Let's throw out 'innocent until proven guilty'. Let's throw out 'wire tapping' laws. While we're at it, let's just take anyone you suggest behind the barn and shoot them - unless you'd prefer hanging.
In fact, we require the same proof/evidence that law enforcement requires.
You aren't really supporting the notion that services be terminated based on suspicion, are you?
You'd be okay with having someone report a suspicion to your ISP and having them terminate your services based on that suspicion? Really? Or will you, perhaps, suggest that your ISP should spend money investigating you? Will they be looking for evidence to convict or evidence to clear you? Who will pay for that investigation? Will you be okay with them reviewing all of your emails and phone calls? Just how much of an ISP police state are you advocating?"
Not at all. I think you misunderstand me. I am saying please look at the website in question, look at the links I have provided and come to your own conclusion as to whether this is a website that you want your company associated with. If it is, fine. Feel free to ignore me. I am asking if what I have said has raised no doubts in your mind as to whether you would be happy to engage this company's services or not.
""Who exactly is in the better position here to provide this? Myself an ordinary citizen, or the hosting company?"None of the above. Law Enforcement is in the best position to investigate and collect information that leads to a conviction."
Again, you misunderstand me. I agree LE is in the best position to investigate, however I also believe that you would be able to provide them with better leads than I could.

""Most hosting companies have abuse teams that can recognise fraudulent sites"

We are not a hosting company. We do not provide web hosting services.
We are an ISP"
Again, you could simply pass my email to the hosting company and let them make their own decision.

""At this point it seems only fair to inform you that I happen to maintain a blog"
Email communications are private and copyrighted. Publishing them is a criminal offense and can be prosecuted. You have not requested and I have not granted permission to republish my copyrighted and private communications.
Clearly you have now established that you are a criminal."
Actually, I believe that I would be covered by fair use. You are sending emails in your capacity as a representative of Staminus, who I am conversing with over their providing services to a domain I believe to be fraudulent, I am attempting to demonstrate why and your responses to my emails, it is for those reading to make up their own minds. If you didn't want these emails made public, perhaps you should reconsider what you are saying before you send them."
Update 09/05/15: panwestafricasec.net is currently offline, hopefully for good.

Thursday, 23 April 2015

Namecheap, eNom and their strange approach to fraudulent sites

Namecheap's approach to fraudulent sites is novel, to say the least. A fraudulent site that they host or register themselves is suspended quickly, for which they are rightly to be commended. But when they act as a reseller for eNom, which is how they began their business, any email reporting abuse to eNom as the Registrar listed in the domain's whois is quickly forwarded to Namecheap, who will, most often, just as quickly deny any and all responsibility for the fraudulent domain, with the following email:
"Hello,

Thank you for your email regarding the domain name (insert fraudulent site name). While the domain name does have Namecheap.com as the registrar, we do not have the ability to oversee what data are being transmitted through its site. We do not own the domain name mentioned in your complaint, we are simply the registrar that the registrant purchased the domain name from.

The issue would need to be addressed through the hosting provider to see if their terms of service have been violated, and would need to be addressed through the domain registrant as they should be the individual that would control what particular content is being exchanged. We have no way to police these issues as we do not control the hosting company in this instance.

While I understand your issue, we are not in a position where we can make determination of validity of your statements. If you believe you are the victim of an internet crime, or if you are aware of an attempted crime, you can file a complaint through Internet Crime Complaint Center at https://complaint.ic3.gov. You also may contact either your lawyer(s) or the local authorities in order to get the issue resolved. We will assist them any way we can."
Let's pick this reply apart.
"While the domain name does have Namecheap.com as the registrar,"
Well the domain might not, if Namecheap is acting as reseller for eNom. But Namecheap is an accredited Registrar, and this is just a form letter, so this part of the May 2013 RAA with ICANN, that both eNom and Namecheap have, applies.
"3.12 Obligations Related to Provision of Registrar Services by Third Parties. Registrar is responsible for the provision of Registrar Services for all Registered Names that Registrar sponsors being performed in compliance with this Agreement, regardless of whether the Registrar Services are provided by Registrar or a third party, including a Reseller. Registrar must enter into written agreements with all of its Resellers that enable Registrar to comply with and perform all of its obligations under this Agreement."
So when Namecheap is listed as reseller for the domain and eNom is listed as the Registrar, under the RAA eNom is still responsible, even though Namecheap is an accredited Registrar themselves.
"we do not have the ability to oversee what data are being transmitted through its site."
I understand that abuse teams are busy, but they could just take a minute to look at the site that has been reported to them as being fraudulent, couldn't they?
After all, their RAA with ICANN also includes the following:
"3.18 Registrar's Abuse Contact and Duty to Investigate Reports of Abuse.
3.18.1 Registrar shall maintain an abuse contact to receive reports of abuse involving Registered Names sponsored by Registrar, including reports of Illegal Activity. Registrar shall publish an email address to receive such reports on the home page of Registrar's website (or in another standardized place that may be designated by ICANN from time to time). Registrar shall take reasonable and prompt steps to investigate and respond appropriately to any reports of abuse."
From the FAQ about the 2013 RAA:
"26. Section 3.18.2 provides that well-founded reports of Illegal Activity submitted to the registrar must be reviewed within 24 hours by an individual who is empowered by Registrar to take necessary and appropriate actions in response to the report. In responding to any such reports, Registrar will not be required to take any action in contravention of applicable law. What does "well-founded" mean?

ICANN will consider this on a case-by-case basis, taking into account factors such as substantiation, demonstration, corroboration or evidence of Illegal Activity, but cannot specify in any particular circumstance what qualifies as "well-founded" as that may vary based upon the situation. If the registrar believes the request is not "well-founded," it should document the reasons for this decision."
Which seems pretty clear. Registrars have a responsibility to investigate any reports of abuse, so long as those reports can be backed up. With that in mind, let's look at an example.


Seems legit, right?

I think anyone can see the problem with this site at first glance.
The UN does not run any companies of any sort, let alone 'Express Delivery Companies'. So to say that:
"The issue would need to be addressed through the hosting provider to see if their terms of service have been violated,"
in this case is ducking responsibility. Also, while fraud is generally against most hosting companies' Terms of Service, even if some need to be gently reminded of that, that doesn't mean that Registrars and resellers get to pass the buck fully on to them. In an ideal world the hosting company would suspend the site while the Registrar places the fraudulent domain into clientHold, to prevent the registrant simply taking his fake site to another hosting company, who may not be as responsive.
"and would need to be addressed through the domain registrant as they should be the individual that would control what particular content is being exchanged."
This is just particularly ill informed. A registrant who registers a clearly fraudulent site should not be contacted about his content: he is already fully aware of what he's doing, and the fact that it's illegal hasn't stopped him. Why would he suddenly decide to take it down because I send him an email? There is no telling what his response would be. An attempt to scam me, spamming my email account or attempting to hack my email account are all possible outcomes I'd rather avoid.
"While I understand your issue, we are not in a position where we can make determination of validity of your statements."
Again, you could actually read the email, look at the site in question, and see if the claims are valid or not, like the agreement with ICANN states. 
"If you believe you are the victim of an internet crime, or if you are aware of an attempted crime, you can file a complaint through Internet Crime Complaint Center at https://complaint.ic3.gov. You also may contact either your lawyer(s) or the local authorities in order to get the issue resolved. We will assist them any way we can"
As I'm not a victim, and the police tend to need victims to prove a crime took place, this is well intentioned but also pretty useless. I'm also sure they have many other, more pressing calls on their limited resources than investigating every fraudulent site for registrars and hosting companies, many of which will inevitably fall outside their jurisdiction, such is the nature of the internet, especially when all it often takes is a quick look.



Staminus and a fake company

Different companies respond in different ways to reports of abuse, but Staminus it turns out has a truly amazing way of responding.

"Mr Stevenson,
Thank you for your report.
As you may not be aware, the database for aa419.org is not reliable. It is editable by the public and there is no individual or entity that accepts legal or financial liability for the content of same.
Please be sure to let us know if you obtain any reliable information that you would like to have taken into consideration.
Best Regards,
Abuse Department
Staminus Communications"

The site in question is panwestafricasec.net



A Security, Logistics & Consultancy company, based in six countries: the UK, Ghana, Sierra Leone, DR Congo, Cameroon and Namibia. So you'd think it would be easy to ascertain that this company exists beyond its website. Well, I tried.

First stop, Companies House in the UK, as its headquarters are there.

No such company found. As the site doesn't list a Company Registration number, that can't be checked either, but if it's trading under another name it's possible that I may have missed it somehow. Anyway, it's bound to be found at the contact address listed on the site, under some name, isn't it?

Well, would you believe that the contact address listed for this company's headquarters turns out to be the address for the DR Congo Embassy? A headquarters that's supposed to be responsible for over 10,900 staff and billions in trade is operating out of an Embassy in London? They can't afford their own building after being in business for over 150 years?

Or even afford a landline in the Embassy apparently, as they provide a mobile telephone number to call. They even provide a different, but dead, domain for you to email them on.
Domain Name:TPS-INC.ORG
Domain Status: clientTransferProhibited -- http://www.icann.org/epp#clientTransferProhibited
Domain Status: pendingDelete -- http://www.icann.org/epp#pendingDelete
Domain Status: serverHold -- http://www.icann.org/epp#serverHold
whose registrant used the email address 'info@standard-chart.com' to register that site.
Queried whois.internic.net with "dom standard-chart.com"...
No match for domain "STANDARD-CHART.COM".
>>> Last update of whois database: Thu, 23 Apr 2015 21:42:01 GMT <<<
Oh look, a suspicious looking email address that doesn't exist, a whois error which probably got tps-inc.org suspended.
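The two whois checks above (is the contact domain's registration on hold or pending deletion, and does the registrant's email domain exist at all) are easy to script. The following is an added example, not the author's tooling: it parses whois text for EPP status lines and for the registry's "No match" answer. The sample whois text is the output quoted in this post; the set of hold-type statuses is taken from the ICANN EPP status definitions that the output links to.

```python
"""Added example: triage a whois response for a domain lifted from a
contact address (email or website) on a suspect site."""
import re

# EPP statuses under which a domain is withheld from DNS or on its way out of
# the registry (clientHold/serverHold: delegation removed; redemptionPeriod:
# deleted but recoverable; pendingDelete: about to be purged).
HOLD_STATUSES = {"clientHold", "serverHold", "redemptionPeriod", "pendingDelete"}

_STATUS_RE = re.compile(r"^\s*Domain Status:\s*([A-Za-z]+)", re.MULTILINE)
_NAME_RE = re.compile(r"^\s*Domain Name:\s*(\S+)", re.MULTILINE)
_NOMATCH_RE = re.compile(r"^\s*No match for domain", re.MULTILINE | re.IGNORECASE)


def contact_email_domain(email):
    """Return the domain part of a contact email address, lower-cased."""
    return email.rsplit("@", 1)[-1].strip().lower()


def parse_epp_statuses(whois_text):
    """Set of EPP status codes listed in a whois response."""
    return set(_STATUS_RE.findall(whois_text))


def assess_contact_domain(whois_text):
    """Summarise a whois response: registered at all, statuses, and whether
    the domain is actually live (registered and not on any hold)."""
    if _NOMATCH_RE.search(whois_text):
        return {"registered": False, "name": None, "statuses": set(),
                "live": False, "note": "domain is not registered"}
    statuses = parse_epp_statuses(whois_text)
    held = statuses & HOLD_STATUSES
    name = _NAME_RE.search(whois_text)
    return {
        "registered": True,
        "name": name.group(1).lower() if name else None,
        "statuses": statuses,
        "live": not held,
        "note": ("withheld from DNS / pending deletion: " + ", ".join(sorted(held)))
                if held else "active",
    }


# Sample input: the whois output quoted in the post, for the dead contact
# domain and for the non-existent registrant email domain.
TPS_WHOIS = """\
Domain Name:TPS-INC.ORG
Domain Status: clientTransferProhibited -- http://www.icann.org/epp#clientTransferProhibited
Domain Status: pendingDelete -- http://www.icann.org/epp#pendingDelete
Domain Status: serverHold -- http://www.icann.org/epp#serverHold
"""

INTERNIC_WHOIS = """\
Queried whois.internic.net with "dom standard-chart.com"...
No match for domain "STANDARD-CHART.COM".
>>> Last update of whois database: Thu, 23 Apr 2015 21:42:01 GMT <<<
"""

if __name__ == "__main__":
    print("contact site :", assess_contact_domain(TPS_WHOIS))
    print("registrant email domain:", contact_email_domain("info@standard-chart.com"))
    print("registrant domain:", assess_contact_domain(INTERNIC_WHOIS))
```

The whois text has to be fetched separately (the `whois` command or a registry's RDAP/whois service); the script only classifies what comes back. A contact domain that is registered but on serverHold or pendingDelete is a stronger signal than a merely absent site, since it usually means the registrar or registry has already acted on it.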

But the problem was that I referenced the Artists Against 419 database, apparently. OK, but that's not the only reference I used.

"Dear Staminus,
The AA419 db may have a few false entries from time to time, because we are only human. The db itself is not editable by the public, there are only a few who can make entries into the database, although anyone can put forward a website for consideration for entry, dependent on evidence. In this case I also provided other links to other sources that you may consider more reliable such as Companies House in the UK for you to double check the accuracy of my claims. Please reread the entirety of my last email and check the other sources I provided then make a decision.
Kind regards Mr Stevenson"
What I received back was beyond all expectation.
"Mr Stevenson,

"The AA419 db may have a few false entries from time to time, because we are only human."
That is sufficient for us to not be able to use it as a legal resource for the purpose of making legal decisions which could result in our being sued and taken to court.
If a resource is not reliable, then it can not be used to make a decision.
I understand that it is a valuable tool for you. But you are not risking your home, car and future income. You are simply filing (virtually anonymous) complaints. There is no liability or accountability for your end.
As to the rest of your citations.
1) "Site claims to be a courier company in the UK, but is not registered with Companies Houses."
You have not proven it is not registered. You have proven it is not registered under that specific name. Will you put up a $1Million liability bond and guarantee that it is not registered under any other name or spelling?
Furthermore, the point is academic. Can you direct my attention to a clause in our TOS/AUP that requires a downstream customer to register their website with "Companies House" ?
2) "UK contact address listed on site is for the DRC Congo Embassy" So, did you contact the Embassy? Is there an applicable law against a website using their Embassy as a contact address? Again, which part of our TOS is being violated in this example?
3) "Site claims to be a courier company located in the UK, Sierra Leone, Namibia, Ghana, DRC Congo and Cameroon, yet the registrant lists an address in Nigeria."
Your point is what, exactly?
Which relevant law is being violated?
Which portion of our tos is being violated?
Having reviewed your report, as you requested, it appears that you have provided a list of trivia and circumstantial evidence.
Let's review:
You sent an untraceable email from email from a gmail account.
You referenced a database that you subsequently admitted is unreliable.
You sign your emails "Mr Stevenson" in atypical business format, and you fail to provide any additional contact information that would identify you as an actual person.
Using the same criteria you used, it is reasonable to conclude that your report is fraudulent.
Best Regards,
Abuse Department
Staminus Communications"
Yes, being able to provide evidence that your customer who gives you money may actually be up to no good, and trying to show you why, makes me the bad guy here. Certainly not your paying customer who is trying to defraud the public.

"Dear Staminus,

"That is sufficient for us to not be able to use it as a legal resource for the purpose of making legal decisions which could result in our being sued and taken to court.
If a resource is not reliable, then it can not be used to make a decision."
By your logic that would then render every database in the world useless. Human error always creeps in, mistakes are always made.

"But you are not risking your home, car and future income. You are simply filing (virtually anonymous) complaints. There is no liability or accountability for your end."
True. The only thing the Artists have is our reputation, and that many registrars and hosting companies are willing to listen, work with us and act on our reports is a comment on our reputation. That you choose not to is unfortunate.

"You have not proven it is not registered. You have proven it is not registered under that specific name. Will you put up a $1Million liability bond and guarantee that it is not registered under any other name or spelling? "

Really? Another database that may also have errors? I'm surprised the British Government hasn't done away with it, let alone rely on it for official Company registration certification.

From http://www.panwestafricasec.net/index.php?_page=aboutus
"As the industry leader in risk management and secure logistics, PWASC has safeguarded valuables since 1859. With 150 years of experience, PWASC offers the utmost quality of service and sets the market standard."

For a 150 year old company that claims to be in the UK not to be registered with Companies House under their trading name is downright suspicious, don't you think?

"Furthermore, the point is academic. Can you direct my attention to a clause in our TOS/AUP that requires a downstream customer to register their website with "Companies House" ?"

No, I can't seem to find your TOS beyond DMCA requirements. Can you please provide a link for me? I would at least like to try.

But I can point to https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/418559/GP2_Life_of_a_Company_Part_1_v4_4-ver0.3.pdf

"GP2 March 2015 Version 4.4
Companies Act 2006
Page 4 of 56
Introduction
This guide tells you about the documents that a company must deliver every year to Companies House - even if the company is dormant – see chapter 9. If you don’t comply, there could be serious consequences. The Registrar might assume that the company is no longer carrying on business or in operation and take steps to strike it from the register. If the Registrar strikes a company off the register, it ceases to exist and its assets become Crown property. However where a company is in operation, the company's officers could be prosecuted because they are personally responsible for ensuring that they submit company information on time. Failing to do so is a criminal offence. In addition, there is an automatic civil penalty for submitting accounts late. The requirement to file annual documents applies to all companies, including small companies such as flat management companies"

As this company doesn't seem to have provided 150 years worth of returns to Companies House, they are breaking UK law. Is that against your TOS? Or perhaps that is why they claim they are operating out of a foreign embassy in the UK. If I did contact the DRC Congo embassy, do you think they'd be able to put me in contact with this company? Or think I was playing a prank? Do you know of any companies that have offices inside an embassy?

"Site claims to be a courier company located in the UK, Sierra Leone, Namibia, Ghana, DRC Congo and Cameroon, yet the registrant lists an address in Nigeria."
Your point is what, exactly?
Which relevant law is being violated?
Which portion of our tos is being violated?
My point being that a supposed 150 year old company with no branches in Nigeria is unlikely to have hired someone in Nigeria to build their official website. Again, I would actually like to read your TOS, but I couldn't find it on your website.
"You sent an untraceable email from email from a gmail account."

Yes. So what? Gmail is a popular email provider.

"You referenced a database that you subsequently admitted is unreliable."
All databases can be considered inherently unreliable due to human error.
"You sign your emails "Mr Stevenson" in atypical business format, and you fail to provide any additional contact information that would identify you as an actual person."
Does it really matter who I am? I am not the one trying to defraud the public like your customer is trying to.
"Using the same criteria you used, it is reasonable to conclude that your report is fraudulent."
I am trying to provide you with evidence. I can only ask you to investigate because there are serious doubts this is a legitimate website. Would you employ their services?

Please understand that I am not a victim of this internet fraud. I am a concerned individual who is trying to keep innocent victims from falling prey to this fraud. Whether you investigate this matter and take proper action or not is ultimately up to you (as it should be). Just know that when victims are defrauded by a domain you have been made aware of, you are partially responsible by doing nothing to investigate other than writing unprofessional snide comments rather than look into the matter.
Regards Rob"
I'm patiently awaiting Staminus' next response.



Wednesday, 22 April 2015

Edis and a money mule recruiting website

This conversation was passed to me by some associates, and I am reproducing it here as an example of how some hosts can react to being informed that criminals are abusing their services. You'd think that they'd appreciate being told of such violations, and most do. Sometimes, however, things can take on a strange twist. This was Edis' response over a fake employment site being used to recruit money mules, which they hosted. (Note: any editing done by myself has been placed inside <> brackets.)
"Hello,

I have doubts that this violates any laws in Italy (where this server is hosted) and Austria (where we are based), please obtain a court order for shutdown (or a credible person that sends us the abuse - You, from a <free email address> without any signature, are *not* credible.)

(It might violate US laws but No, we will not accept *any* US court orders, we obviously do not care about your funny US laws in Europe.)

Mit freundlichen Grüßen / Yours sincerely

--
EDIS GmbH"
"Wow!

A bit unexpected. Is it your website?

It is a fake company trying to lure gullible/desperate people into helping criminals to launder money.

If you don't care about that then that is your problem.

Regards"
"Considering that we are one of the largest hosting providers in multiple EU countries and the largest one in Austria... no, it is obviously a customer, simple as that.

However, unlike the US, laws work differently here - We don't take websites down when we get some mail from an unknown source, from a free mail provider with no signature or anything (and no proof either for anything), this is plain and simple illegal as you have no authority over us and we have no authority to shut a customer down for this sort of abuse (there is an EU abuse template for a reason.).

You should also note that we as provider are never liable in Europe for any content (German: Providerprivileg, see German Telemediengesetz §8 and Austrian ecommerce §116 ) unless we ignore a court order - So i want one from you for it, what is the problem with that?
If it is illegal it should be easy for you to get one or simply report it to the police and have them do it, i really don't see your problem unless you have something to hide or lie to us.
"
"Dear <Edis>
Let's not get over excited.

I do not expect you to take my word for it - which is why I provide the evidence in the form of an abuse report and ask you to investigate.

I am not an arm of Big Brother. I work as a volunteer with www.scamwarners.com to identify, warn about, and try to shut down criminal run sites taking advantage of people's naivety/greed/stupidity.

If I thought that reporting a site to the police would help I would do so. But I certainly do not have the resources to get court orders etc.

Most registrars and hosts consider and respond to evidence in abuse reports
A few actually seem proud of supporting criminals

So good luck to you and your great big hosting provider
Best wishes"
"Again, what resources?
You just report it to them, you don't have to pay anything - you don't even have to state a name or any personal data to them.
Don't tell me they don't take this seriously - I work daily with Austrian police and Europol in money laundry cases (they happen to use a lot of VPN providers) and they are always well informed and interested

It's certainly nice what you do, this however does not change that i still have zero proof of illegal activity under _EU_ law (let me just for completion add again that we do not care a single % about US laws).

I see your text which might be right, i see a website which might be full of lies (which would not be illegal, even for financial advice) or criminal or a normal website...
It is not my job, no - not even my RIGHT, to judge if this site is illegal or not - that's why i want a court order.
You need to understand that you can go to JAIL here for shutting down customers without the correct response time to abuse and without specific proof as you disturb his business - Once we judge the decision is final, no matter if good or bad.
So we simply go the legal, easy and better way and let courts handle it while we enjoy our protection."
"Dear <Edis>,

Calm down. Keep things in proportion - speak to your supervisor. You are ranting like an idiot. You would spend your time better investigating sites rather than arguing with me.

Read the abuse report. Look at the job description for "Financial Agent" and the associated FAQ. See the same template on Bobbear from 4 years ago. If you don't recognise money mule then you are in the wrong job.

The registrant will have given false details, possibly paid for hosting with a stolen credit card, and will not complain if the domain is suspended. Don't hide behind the law, it makes you a moron.

Or is it more fun arguing than doing your job?
"
"There is no supervisor for me, i *AM* the highest person for this already...
And yes, thanks, i know what money mules do - I also know perfectly fine how this industry works, what their income is, money laundry operations involving stolen bank accounts and Cyprus/Panama corporations, the persons behind it like Flyman in St. Petersburg, the companies they use... all nothing new.
As said, we deal often with police and europol.

I gave you enough hints now, so here it is clear: This site is *MONITORED BY EUROPOL* - Even if i WANTED i CANNOT DO ANYTHING without a court order.
"
At this point a second associate stepped in to assist.
"Hello,

It appears that your web contact form is not working.
A colleague of mine submitted an abuse report concerning a fraudulent domain hosted by Edis.at,

She was concerned that your abuse department representative, a Mr [name removed to protect the guilty], was being over protective of a clearly fraudulent domain and might be under some pressure from the criminal owners of the domain.

I copy her abuse report below and ask that you treat the matter sensitively.

Kind regards"
"Hello,

we will deal with this case tomorrow morning, anyway be assured there's no pressure from anyone to keep specific domains/services up and running, we just to need to give our client the chance to remove the content.

Yours sincerely
[Boss]
EDIS GmbH"
The final email from Edis Abuse to the first associate.
"Hello,

It should be noted that i actually HAVE verified this with a lawyer and this website is perfectly legal under Italian laws where it is hosted (not due to laws FOR it, but there don't exist any laws AGAINST it), the VPS was suspended (in fact, by myself, look at the other mail) for a similar, but non visible illegal matter.

Also, i am the head of abuse here - So please stop complaining.

Mit freundlichen Grüßen / Yours sincerely
[Abuse contact]
"
The website was finally suspended.

"Go get a court order" or "report it to the police" is a common response from hosting providers and registrars alike. It's understandable: no one wants to be responsible for disrupting a legitimate website. However, when it comes to fraudulent sites, there are a number of problems, the first of which is the global nature of the internet. There is no internet police or court system, and establishing the jurisdiction in which you would need to file such a claim is often beset with difficulties. The police there may not have the resources, or may not be interested in investigating without victims in their country. There is the time and expense required in order to get your court order, during which the website is still operating and ensnaring victims. Finally, once you have said court order and issue it to the hosting company and registrar, they may or may not recognise its validity, because they may not even be in the same country, or the site will simply move to a different hosting company or reappear with a new registration, requiring the process to start over again.


Saturday, 11 April 2015

Blogger, a fake lottery and Google's continuing lack of interest

My previous post concerned an impersonation of the Nigerian Customs Service, but that's not the only fraudulent Google blog that's been around far too long. Far from it.

Many people have received emails claiming that they have won a lottery they have never entered. These take on myriad forms, Microsoft, Yahoo, Google, BMW, Coca Cola, the BBC and many other companies and organisations have been, and continue to be impersonated in these nefarious scams.

Victims are told that it is possible to win a lottery they never entered for a variety of reasons: their email address was entered automatically, or random email addresses were selected for entry, for example. But in order to claim the large cash prize waiting for them they need to pay a fee first.

No legitimate lottery ever demands or requires a fee to be paid in order to collect any winnings.

So with that in mind, let's look at http://www.usalotterynews.blogspot.com/


The first thing wrong with this blog is the fact that it is a blog; a legitimate lottery company handing out large cash prizes would have its own domain, because it would easily be able to afford one.

The second is that it has clearly stolen its logo from the UK National Lottery.

Third, the author has bad English, indicative that the author of this is not American.

Fourth, as I said above, this blog claims that your email address can win a lottery.

Fifth, the discrepancy between first posting date and copyright can't possibly be reconciled, even if the logo wasn't stolen.

All this is obvious just by quickly looking at the blog, without even searching for this "United State Lottery Board of Directors", which doesn't exist.

Despite continuing to report this fraudulent blog to Google since April 2014, including reporting it alongside blogs that do fit Google's abuse form and asking them to also look at this one, it's been allowed to continue to lend a thin veneer of respectability to the scammers behind this blog and assist them in defrauding the public.


Thursday, 9 April 2015

Blogger, Nigerian Customs Impersonation and Google's lack of interest

The company that enables and allows me to post this blog, also has several tales of shame to tell if you know where to look. This is only the first of these tales.

For our first example we have: http://customsng.blogspot.com/, which claims to be the Nigerian Customs Service website.

This is laughable to most people, even without knowing that the legitimate Nigerian Customs Service website is https://www.customs.gov.ng/index.php, as no government anywhere has ever used a free service, or blog, to host its official website.

And yet even knowing this, this fraudulent blog has been in existence, according to the 'nigeria customs' Blogger profile that created it, since March 2013. Let that sink in for a moment: Google has allowed a fake blog to impersonate a legitimate Nigerian Government service for over two years. Maybe they didn't know it existed?

I've been reporting this fake blog to them since April 2014.

Most services that host free sites or blogs allow anyone to either email or fill in a web form to report abuse, which they then investigate and act on accordingly, removing or suspending any content they agree to be abusing their services, and Google does this too.

So why haven't they removed this fake blog?

Well, because any abuse email to Google gets this auto-response:

"Hello,

Please note that this is an automated message, and responses to this message will not be reviewed. For all legal removal requests, please fill out our web form at http://support.google.com/legal.

For more information or support with other issues, please see the following links:

Removing outdated information from Google's search results: https://www.google.com/webmasters/tools/removals

Google Search removal policies: https://support.google.com/websearch/answer/2744324?hl=en

Support for Google's products and services: http://support.google.com/?hl=en

Google's Privacy Policy: http://www.google.com/intl/en/policies/privacy/

Regards,
The Google Team"
At least it points to alternatives. So let's look at the alternative that applies to this blog. http://support.google.com/legal leads to a web page where you need to fill in the options, firstly which service is being abused, in this case Blogger, and you are then confronted with multiple options.


The only one which mentions impersonation requires that the reporter be the person or entity being impersonated.

Perhaps the option needed is under 'not mentioned above'?


Unfortunately not.
You know this blog is fraudulent, and you want to inform Google, as the hosting company, of the abuse of their services, but they don't want to know, because this fraudulent blog doesn't fit any category of what they define as abuse of their services.

It gets worse. While reporting blogs to Google that can be made into one of the categories above, which they will remove, albeit slowly, I also asked them to investigate this blog as well.

While all of the other fraudulent blogs were removed, this one continues to carry on in assisting to defraud the public.



Tuesday, 7 April 2015

Black Money or Wash wash scam and iPage

This is the dismissive reply that compelled me to start this blog.

For those who don't know, the 'Black Money', 'Wash Wash' or 'Defaced Currency' Scam is where victims are shown a trunk box full of black construction paper lightly covered in talcum powder and told that it's actually money that's been coated either to evade customs and smuggle it out of a country, or for security reasons. While it can be and is used as a scam in its own right, it is often used at the end of a consignment scam when the victim is either unwilling or unable to pay any more, where it is used to convince the victim that the money exists and is, in fact, right in front of them.

They are then shown by a 'technician' the cleaning of one or two of these notes using special chemicals. Of course the notes being 'cleaned' are real, simple sleight of hand has switched the construction paper for real bank notes coated in glue and iodine, and the special chemicals nothing more than a liquid containing vitamin C. The real bank notes emerge from the wash and the victim is convinced to part with more money to procure enough chemical solution to clean the rest of the notes.

Once the victim has the notes and solution they are never able to clean their money. They then need to find another supplier able to sell these miraculous and strangely named chemicals, such as SSD Solution, Vectrol Paste, Ogl Magic, Zuta S4, Ks Solution77B, Ttz Universal Solution, and Activation Powder.

This is where the fake sites claiming to sell these chemicals come in.

These sites serve several purposes: they reinforce the idea that the problem of Black Money exists, that chemicals exist to solve this problem, and they set out the fraudsters' stall of these chemicals.

To a normal person seeing a site that sells these products it is blindingly clear that the site is up to no good.

But not iPage.

This was their response when I asked them to investigate internationalpurelaboratory.com, which proudly claims to sell these products.

"Hello,

Thank you for making us aware of this. Because the goods are not being sold on the website, this is not a violation of our Terms of Service. We have notified the customer of your contact today and will monitor for additional complaints.

Regards,

Executive Response"

Have a look and see for yourself if you think this site matches up with their Acceptable Use Policy, which states that:

"Utilize the Services in connection with any illegal activity or activity otherwise prohibited by this AUP. Without limiting the general application of this rule, Users may not:


  • Utilize the Services for or in connection with any activities or content determined by iPage, in its sole discretion, to be related to gambling, adult, obscene or pornographic materials or content, harassment, defamation, libel and hate speech or other offensive speech or content, or for any unlawful purpose, including without limitation, fraud, money laundering, child pornography, terrorist-related activities, activities in violation of U.S. export or import laws, any executive orders, or any rules, regulations or orders issued by Office of Foreign Asset Controls ("OFAC"), infringement on rights of others, trafficking in illegal drugs, or any products or services that are prohibited under applicable law, or which iPage determines to be controversial or disruptive to the operations of iPage or any other User or third party;"

Since internationalpurelaboratory.com offers
"cleaning all type of blackened, tainted and defaced notes"
"We clean all types of black, green,white note or deface note."
If that isn't literally money laundering, what is?


Update 9 Apr 15: iPage has now suspended this fraudulent site.
"Hello,

I have reviewed this further with our legal team and we have decided against hosting this customer. Thank you for making us aware of this.

Regards,

Executive Response"
Thank you, iPage.



Welcome to 419 Fraud Tolerant Hosts!

I doubt there's a single person on the planet who has not received at least one scam email, whether it's claiming to be able and willing to share their millions if you can just pay some fees first, some refugee in need of a foreigner to recover her inherited millions, offers of a loan, or any of the various other types of Advance Fee Fraud, commonly referred to as 419 scams.

Behind these scams are often fake websites, fake banks, courier companies, law firms, recruitment sites and more, used to further convince victims that whatever story the scammer has spun is real.

Finding and reporting these websites to the hosting and registering companies is a group of volunteers called the Artists Against 419, a group I've been a member of for a while now. While most hosts and registrars are generally responsive, and some are really proactive at removing these sites, there are those that downright bury their heads in the sand and ignore the scams on their servers defrauding the public, while being happy to take the fraudsters' money at the same time.

This blog is dedicated to those wilfully deaf companies. Shame on you.