
Friday, 28 August 2015

Online fraud - the GoDaddy way

I send a lot of abuse reports to hosts and registrars, but normally never receive any kind of response from GoDaddy; sometimes they remove the fake site I'm reporting, sometimes they don't.

But this reply, eventually received, is nonsensical at best.

"Dear Sir/Madam,

Thank you for contacting GoDaddy's Domain Name Abuse department.

Unfortunately we cannot assist with this issue through this department.

GoDaddy does not allow illegal content on our customers' websites. However, as a Registrar/Hosting provider, it is not our place to determine if the site you have mentioned is actually engaging in illegal activities. GoDaddy suggests reporting your issue to IC3 via their File a Complaint page. The Internet Crime Complaint Center (IC3) is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C) which accepts online Internet crime complaints filed by a person who believes they were defrauded.

GoDaddy regularly works with courts and law enforcement from the local to the international level and has a long-standing history of cooperation with these groups. Should we receive notification from these groups in regards to this issue we will be able to work with them on the matter.

Sincerely,

Domain Name Abuse
GoDaddy"

If it's not your place to determine whether sites you register and host are abusing your services in order to commit fraud, then how do you know you don't allow it?

Because GoDaddy apparently can't recognise a fake bank when they see one on their own servers.

http://frdbk.com/

Or even two, because it has a clone at http://www.meshraqbank.com/.

What makes this a fake bank? Well, let's have a closer look and see.


It claims to be a bank in the UAE, but is not registered there according to the Emirates Central Bank.

On the home page we can see that while the logo is for FRD bank, in the text on the page it refers to itself as FGD bank! Which is it? Incidentally, FGD Bank isn't registered in the UAE either.

And here's the unsecured login page, shared by both sites:

http://frdbk.com/bank/index.php

And, if that wasn't enough, should you still wish to register as a 'customer' of this fake bank (which I would most definitely advise against), here's the form.

http://frdbk.com/bank/registration.php
Everything needed to commit ID theft, on one unsecured page...
But GoDaddy doesn't allow illegal content on their customers' websites, right?
Then how do they explain this site, registered with them and still remaining on their servers, after first being informed of its abuse of their services in April?

http://milton-laboratories.com/
Black Money chemicals brought to you courtesy of GoDaddy
Yes, it's another Black Money Chemical site registered and hosted with GoDaddy.
Offering a range of weird and wonderful chemicals, all of which are guaranteed to 'solve' your Black Money problems!

The Black Money Scam is probably the most obvious of the 419 Advance Fee Fraud sites, but GoDaddy can't see the problem with this site either.

Fake banks, Black Money Chemical sites and others. GoDaddy allows its customers to create and maintain fraudulent websites, despite its claims to the contrary.

Sunday, 10 May 2015

A fake bank with SSL - amanahsahammalayanbank.com

A previous entry also dealt with this topic, but this fake bank deserves its own entry, if only because it highlights the issues that have allowed it to keep defrauding the public long after it should have been suspended.
From the whois:
Queried whois.internic.net with "dom amanahsahammalayanbank.com"...
   Domain Name: AMANAHSAHAMMALAYANBANK.COM
   Registrar: EVERYONES INTERNET, LTD. DBA SOFTLAYER
   Sponsoring Registrar IANA ID: 925
   Whois Server: whois.softlayer.com
   Referral URL: http://www.softlayer.com
   Name Server: BETH.NS.CLOUDFLARE.COM
   Name Server: WILL.NS.CLOUDFLARE.COM
   Status: ok http://www.icann.org/epp#OK
   Updated Date: 18-feb-2015
   Creation Date: 16-feb-2011
   Expiration Date: 16-feb-2016
We can see that this alleged bank site has been in operation for four years, which is highly unusual for a fake bank site. In fact, at first glance this appears to be a legitimate bank site; it even has an SSL certificate on its login page, again highly unusual for a fake bank site.

However, the SSL certificate issued to this bank is not the Extended Validation certificate a legitimate bank would have, but an ordinary domain-validated certificate that any domain owner can obtain. Such a certificate proves only that whoever requested it controls the domain name, not who they are, so this is suspicious but not conclusive evidence that the site is fake. Let's examine the site a little more closely.

Many fake banks impersonate or copy legitimate banks, and this site is no different in that regard. It's copying the legitimate Kumari bank in Nepal, although this site claims to be a bank in Malaysia.


However a search of the Central Bank of Malaysia's list of licensed banking institutions reveals that this bank is not licensed in Malaysia.

There is also a SWIFT code on this page which is claimed to belong to this bank. Those can be checked too, against the SWIFT BIC directory, and in this case it doesn't exist.
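Before going to the SWIFT directory, a SWIFT/BIC code can be sanity-checked offline against its published layout (ISO 9362: four-letter institution code, two-letter ISO 3166-1 country code, two-character location code, optional three-character branch code). A code that is malformed, or whose country code does not match the jurisdiction the site claims to operate in, is a red flag without any lookup at all. The following check is an added example written for this page, not code from the original post; the sample codes are constructed and do not belong to any real institution, and a pass here only means the code could exist, so the directory lookup the post describes is still required.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# ISO 9362 BIC layout: AAAA (institution) CC (country) LL (location) [BBB] (branch).
# Letters are upper case; location and branch may contain digits.
BIC_RE = re.compile(
    r"^(?P<bank>[A-Z]{4})(?P<country>[A-Z]{2})"
    r"(?P<location>[A-Z0-9]{2})(?P<branch>[A-Z0-9]{3})?$"
)


@dataclass
class BicCheck:
    bic: str
    well_formed: bool
    country: Optional[str]
    country_matches_claim: Optional[bool]
    notes: List[str] = field(default_factory=list)


def check_bic(bic: str, claimed_country: str) -> BicCheck:
    """Structural check of a SWIFT/BIC against the country a site claims to be in.

    Returns what can be learned from the code's shape alone; existence must
    still be confirmed against the SWIFT directory.
    """
    cleaned = bic.strip().upper()
    m = BIC_RE.match(cleaned)
    if not m:
        return BicCheck(cleaned, False, None, None,
                        ["not an ISO 9362 BIC (expect AAAACCLL or AAAACCLLBBB)"])

    notes = []
    country = m.group("country")
    matches = country == claimed_country.strip().upper()
    if not matches:
        notes.append(f"BIC country {country} does not match claimed country "
                     f"{claimed_country.strip().upper()}")

    # Second character of the location code carries meaning in ISO 9362:
    # '0' marks a test BIC, '1' a passive (not network-connected) participant.
    second = m.group("location")[1]
    if second == "0":
        notes.append("location code ends in 0: test BIC, not used for live traffic")
    elif second == "1":
        notes.append("location code ends in 1: passive participant, not connected to SWIFT")

    return BicCheck(cleaned, True, country, matches, notes)


if __name__ == "__main__":
    # Constructed sample codes for a site claiming to be a Malaysian (MY) bank.
    for sample in ("ASMBMYKL", "ASMBNPKA", "asmb-my-1", "ASMBMYK0XXX"):
        print(sample, check_bic(sample, "MY"))
```

A code that passes this check and a country that matches still tell you nothing about whether the institution exists, which is why the post's directory lookup remains the decisive step; the format check just lets you discard the obvious nonsense first.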

So it's now clear that this is a fake bank site, and it should be a simple matter to inform the host and registrar of this abuse of their services.

Well, it's a little more complicated than that. If we look again at the whois record for this domain:
Name Server: BETH.NS.CLOUDFLARE.COM
Name Server: WILL.NS.CLOUDFLARE.COM
This fake bank uses Cloudflare, a pass-through (reverse proxy) service. The Cloudflare name servers in the whois, and the Cloudflare IP addresses the domain resolves to, are all an observer sees, but Cloudflare does not host the site; the real hosting provider sits behind it and is hidden from a simple DNS lookup.
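Two things worth pulling out of a whois record before sending a report are how old the domain is and whether what you are looking at is a reverse proxy rather than the host. The parser below is an added example for this page, not the author's tooling; it parses the whois output quoted above (and the "Key: value" style other registrars use), computes the domain age, and flags Cloudflare fronting from the name servers or from a resolved address. The Cloudflare IPv4 ranges in it are a snapshot of the published list as of 2015 and are an assumption to be refreshed from https://www.cloudflare.com/ips/ before use.

```python
import ipaddress
import re
from datetime import date, datetime

# Input: the whois record quoted above, reproduced verbatim as the parser's sample.
WHOIS_SAMPLE = """\
   Domain Name: AMANAHSAHAMMALAYANBANK.COM
   Registrar: EVERYONES INTERNET, LTD. DBA SOFTLAYER
   Sponsoring Registrar IANA ID: 925
   Whois Server: whois.softlayer.com
   Referral URL: http://www.softlayer.com
   Name Server: BETH.NS.CLOUDFLARE.COM
   Name Server: WILL.NS.CLOUDFLARE.COM
   Status: ok http://www.icann.org/epp#OK
   Updated Date: 18-feb-2015
   Creation Date: 16-feb-2011
   Expiration Date: 16-feb-2016
"""

# Assumption: Cloudflare's published IPv4 ranges as of 2015 (snapshot; refresh before use).
CLOUDFLARE_V4 = [ipaddress.ip_network(c) for c in (
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "104.16.0.0/13",
    "104.24.0.0/14", "108.162.192.0/18", "131.0.72.0/22", "141.101.64.0/18",
    "162.158.0.0/15", "172.64.0.0/13", "173.245.48.0/20", "188.114.96.0/20",
    "190.93.240.0/20", "197.234.240.0/22", "198.41.128.0/17",
)]

# "Key: value"; the lazy key match stops at the first colon so URLs in values survive.
FIELD_RE = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")

# Date layouts seen in the records on this page: "16-feb-2011" and "2014-11-11T18:54:00.00Z".
DATE_FORMATS = ("%d-%b-%Y", "%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d")


def parse_whois(text: str) -> dict:
    """Map lower-cased field names to the list of values seen (name servers repeat)."""
    rec = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            rec.setdefault(m.group(1).strip().lower(), []).append(m.group(2))
    return rec


def parse_whois_date(value: str) -> date:
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(value, fmt).date()
        except ValueError:
            continue
    raise ValueError(f"unrecognised whois date: {value!r}")


def domain_age_days(rec: dict, as_of: date) -> int:
    return (as_of - parse_whois_date(rec["creation date"][0])).days


def cloudflare_fronted(rec: dict, resolved_ip: str = None) -> bool:
    """True if the name servers are Cloudflare's or the address is in Cloudflare space.

    Either way the address you see is the proxy, not the origin host, so the
    abuse report also has to go to Cloudflare (or through them to the host).
    """
    ns_hit = any(ns.lower().endswith(".ns.cloudflare.com")
                 for ns in rec.get("name server", []))
    ip_hit = False
    if resolved_ip:
        addr = ipaddress.ip_address(resolved_ip)
        ip_hit = any(addr in net for net in CLOUDFLARE_V4)
    return ns_hit or ip_hit


if __name__ == "__main__":
    rec = parse_whois(WHOIS_SAMPLE)
    print("registrar:", rec["registrar"][0])
    print("age in days as of 2015-05-10:", domain_age_days(rec, date(2015, 5, 10)))
    print("fronted by Cloudflare:", cloudflare_fronted(rec))
```

For this record the age comes out at just over four years and the Cloudflare check fires on the name servers alone, which is exactly the combination the post describes: long-lived, and with the real host hidden behind a proxy.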

So we can inform CloudFlare, and hope that they remove their support for this fraudulent domain or at least pass the information back to the real hosting company.

When it comes to informing the registrar, again things are not as simple as it seems. While SoftLayer is listed as the Registrar according to the whois info, the domain was registered through a reseller, UKCheapest.

Here we have a clear example of a fake site using an SSL certificate to give its victims a false sense of reassurance that this is a legitimate bank, and using a pass-through service to hide its true location on the internet. All attempts over the past year to inform the companies responsible for allowing this site the freedom to scam have resulted in exactly nothing.

SoftLayer, despite being the Registrar, continue to claim that as the site is not on their network they can't do anything.

UKCheapest, the reseller, at one point said they had escalated the matter, but nothing came of it.

CloudFlare, Inc. claim that as they are not the true hosts they can't do anything.

In fact, the only companies that have taken any action, so far, have been the Certificate Authorities who have revoked their SSL Certificates after being informed of what their certificate is securing.

While the host, reseller and Registrar fail to act, the scammers behind this fake site are free to obtain yet another SSL Certificate to continue their scam.

Friday, 8 May 2015

A happy DreamHost customer

Reporting fraud to DreamHost is a lot like banging your head against a brick wall. It doesn't seem to accomplish much and leaves you wishing you hadn't. But if they don't know there's a problem they can't fix it.

With that, let's look at one such site that they seem happy enough to not only register, but also host and provide privacy protection for: http://msccargouk.com

From a whois lookup:
"Domain Name: MSCCARGOUK.COM
Registry Domain ID: 1884729481_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.dreamhost.com
Registrar URL: www.dreamhost.com
Updated Date: 2015-01-07T06:46:10.00Z
Creation Date: 2014-11-11T18:54:00.00Z
Registrar Registration Expiration Date: 2015-11-11T18:54:00.00Z
Registrar: DREAMHOST
Registrar IANA ID: 431
Registrar Abuse Contact Email: domain-abuse@dreamhost.com
Registrar Abuse Contact Phone: +1.2132719359
Domain Status: clientTransferProhibited
Registry Registrant ID:
Registrant Name: PRIVATE REGISTRANT
Registrant Organization: A HAPPY DREAMHOST CUSTOMER
Name Server: NS1.DREAMHOST.COM
Name Server: NS2.DREAMHOST.COM
Name Server: NS3.DREAMHOST.COM"

The first thing to notice is the claim that it's secured by SSL, but the URL says otherwise. But maybe the login and register pages where you're expected to enter personal information will be secured.

Claims of SSL security here, but the URL can't lie!

Still no sign of that SSL security....

In fact there is no SSL security at all on this site, and clicking on the security seals does not bring up any of the information that a valid SSL seal would. They are simply images added to give prospective victims false reassurance.
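The two failings seen here and on the fake bank's login and registration pages above, forms that collect credentials or identity data over plain http and "secured" badges that are bare images rather than links to a verification page, can be checked mechanically from the page source. The audit below is an added example written for this page, not the author's code or the sites' real markup; the HTML it runs over is constructed to resemble the pages described, with placeholder hostnames under .invalid.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample modelled on the pages described above (not the real sites' markup).
SAMPLE_PAGE_URL = "http://example-cargo.invalid/login.php"
SAMPLE_HTML = """
<html><body>
<img src="/img/secured-by-ssl.png" alt="Secured by SSL">
<a href="https://seal.example-ca.invalid/verify?d=example-cargo.invalid"><img src="/img/ca-seal.png" alt="CA seal"></a>
<form action="login.php" method="post">
  <input name="username"> <input name="password" type="password">
</form>
<form action="http://example-cargo.invalid/bank/registration.php" method="post">
  <input name="fullname"> <input name="ssn">
</form>
<form action="https://search.example.invalid/q" method="get"><input name="q"></form>
</body></html>
"""

# Field names treated as sensitive when they appear in a form (assumed list).
SENSITIVE = {"password", "passwd", "pin", "ssn", "dob", "account", "card", "fullname"}
SEAL_WORDS = ("ssl", "secure", "seal", "verified", "trust")


class FormAudit(HTMLParser):
    """Collect forms (resolved action, method, fields) and 'security' images with their enclosing link."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self.seals = []
        self._form = None
        self._link = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._link = a.get("href")
        elif tag == "form":
            self._form = {"action": urljoin(self.page_url, a.get("action") or ""),
                          "method": (a.get("method") or "get").lower(), "fields": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["fields"].append(((a.get("name") or "").lower(),
                                         (a.get("type") or "text").lower()))
        elif tag == "img":
            text = ((a.get("alt") or "") + " " + (a.get("src") or "")).lower()
            if any(w in text for w in SEAL_WORDS):
                self.seals.append({"src": a.get("src"), "linked_to": self._link})

    def handle_endtag(self, tag):
        if tag == "a":
            self._link = None
        elif tag == "form":
            self._form = None


def audit(page_url: str, html: str) -> list:
    """Return human-readable findings: sensitive forms not submitted over https, and seal images with no link."""
    parser = FormAudit(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        sensitive = sorted(n for n, t in form["fields"] if t == "password" or n in SENSITIVE)
        if sensitive and urlparse(form["action"]).scheme != "https":
            findings.append(f"form posts {sensitive} in the clear to {form['action']}")
    for seal in parser.seals:
        if not seal["linked_to"]:
            findings.append(f"security seal {seal['src']} is a bare image with no verification link")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("-", line)
```

A clean result from this audit is not proof of anything more than transport encryption and a clickable badge; as the SSL-equipped fake bank above shows, a scam site can pass it and still be a scam. Its value is the other direction: a site that claims "secured by SSL" while posting passwords over http has already shown you that its security claims are decoration.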

So it's time to see if this company actually exists.



The site claims to be a company in the UK so it's a quick check with Companies House to find out that it's not registered, despite claiming:
"The company has over 500 employees and annualized revenues exceeding £200 million."
A quick search also reveals that at the addresses claimed on site as being their physical location, there is no mention of this company.


On this page we see a claim that not only will they arrange transportation, they will also:
"act as a trusted middle-man for both the seller and buyer, offering them great security and fast movement for national and international transactions. Our fees are not cheap, but still, when dealing with your money or merchandise as we do the money is not important. If you will not be satisfied with our way of dealing with your belongings then we will refund you with any fee you have paid."
This site is clearly offering escrow services, which require the company to be registered with the UK FCA, and once again a simple check reveals this is not the case.

Just for fun, let's look at some of the other claims made on the site.

"MSC Trans Cargo wins again! 

EMMA awards

MSC Trans Cargo has been named International Moving Company of the Year at the 2010 EMMA Awards"
Well, we are lucky enough to have search engines, and no, this company didn't.
A legitimate, registered company won that award.

"MSC Trans Cargo Named Best Relocation Service Provider at the 2010 Re:locate Awards"

Again a simple search reveals the lie.

So we know that this company does not exist and cannot carry out the activities it claims to; it is a fraudulent site.

Let's now turn our attention to DreamHost.

From DreamHost's Terms Of Service:
"DreamHost Web Hosting will exercise no control whatsoever over the content of the information passing through the network, provided that it adheres to all other conditions set forth in our Terms of Service and Acceptable Use Policy documents.
DreamHost Web Hosting reserves the right to police its network to verify compliance with all agreed upon Terms.

The Customer agrees to cooperate in any reasonable investigations into their adherence to all agreed upon Terms. Failure to cooperate is grounds for immediate disablement of all accounts/service plans."
From DreamHost's Acceptable Use Policy:
"Illegal Activity
Customer may only use DreamHost Web Hosting’s Server for lawful purpose. Transmission of any material in violation of any Country, Federal, State or Local regulation is prohibited. To this effect, child pornography is strictly prohibited as well as housing any copyrighted information (to which the customer does not hold the copyright or an appropriate license) on DreamHost Web Hosting’s Server. Also, using DreamHost’s servers or network to conspire to commit or support the commission of illegal activities is forbidden as well."
"Personal Information Harvesting
Collecting or using email addresses, screen names or other personal identifiers without the consent of the person identified (including, without limitation, phishing, Internet scamming, password robbery, spidering, and harvesting)."
It seems pretty obvious that this site is in violation of these policies. So informing DreamHost of this abuse of their services should quickly result in this fraudulent site being suspended. Instead the following reply was received:
"Hello!

This is an automated reply. Please carefully read the information below so that we may best address your complaint. To avoid this message in the future, you may use abuse-replies@dreamhost.com.

Due to the volume of complaints we receive daily we cannot guarantee a personal response to each message we receive. However, we will endeavor to reply to individual inquiries in cases where a personal response is requested or necessary. Otherwise, please rest assured that we will take necessary action to ensure our Terms of Service (as well as applicable US/state laws) are being respected.

###########################################
# Common concerns:
###########################################

- Spam / Unsolicited Bulk Email

DreamHost has a very strong policy against spam
(http://www.dreamhost.com/spam.html), and does not tolerate it in
conjunction with the services we provide. If you receive a spam message (email or newsgroup based) associated with one of our clients, please forward it to us with full and complete headers as well as the body of the message itself. Email headers can be trivially forged, and only with the proper tracking data can we ascertain their actual origin.

- Denial of Service / Server Exploits / Cracking

If you have reason to believe that one of our clients is attempting to
breach the security of one of your computers or is otherwise behaving in a manner detrimental to network resources, please send us complete and thorough logging information (ie. time/date, IP addresses or host names, etc), as well as any other background information that may be of use.
- Copyright Violation / Trademarks

We do not allow our customers to misuse intellectual property belonging to others. If you feel that someone has misappropriated your content, please let us know. We may require proof of ownership, so please forward any relevant documentation related to your rights to the content in question.

- Concerns About Site Content

Concerns over the specific content of a DreamHost hosted site should be referred to the site's operator. As a part of our commitment to free
speech and expression, DreamHost does not censor the content of its
hosted sites beyond the removal of illegal content and protecting the
security and integrity of shared network/server resources.

###########################################
# Potentially Useful Resources:
###########################################

DH Terms Of Service, Spam Policies & Resources:
- http://www.dreamhost.com/tos.html (Terms of Service)
- http://www.dreamhost.com/spam.html (Spam Policies)
- http://www.dreamhost.com/privacy.html (Privacy Policy)

Spam Resources:
- http://www.spamcop.net/ (Spam tracking/filtering)
- http://news.spamcop.net/cgi-bin/fom?file=19 (Revealing full headers)

Intellectual Property:
- http://www.templetons.com/brad/copymyths.html (10 copyright myths)

Other:
- http://www.ncmec.org/ (Stopping online child abuse)
- http://www.cert.org/ (CERT coordination center)
- http://www.symantec.com/avcenter/ (Symantec Virus info)

...

Thank you,

- DreamHost Abuse Team"
Yes, that's right:
"Concerns over the specific content of a DreamHost hosted site should be referred to the site's operator."
Fraudulent content should be reported to the scammer who set up the site!

At least in this case the scammer is protected by DreamHost's privacy protection service, so this isn't even an option.
"As a part of our commitment to free speech and expression, DreamHost does not censor the content of its hosted sites beyond the removal of illegal content"
It really doesn't seem like this is the case, because I know DreamHost was made aware of this site in March, and yet it's still able to defraud the public two months later. Another site I was reporting to them took eleven months of playing whack-a-mole with DreamHost, where it would be suspended and then come back to life, before the site finally no longer resolved. I am also aware of other cases where it takes a lot of effort to get DreamHost to act on its own TOS & AUP.

And let's not forget that DreamHost is also the Registrar of this domain and have responsibilities to investigate and act on abuse reports under its RAA with ICANN.

In short, what is the point of DreamHost having these Terms of Service and Acceptable Use Policies if they fail to uphold them?

It's no wonder that the criminal behind this site is labelled "A happy DreamHost customer."

Update: This site is now offline, having been placed into ClientHold by DreamHost.

Thursday, 23 April 2015

Namecheap, eNom and their strange approach to fraudulent sites

Namecheap's approach to fraudulent sites is novel to say the least. A fraudulent site that they host or register themselves is suspended quickly, for which they are rightly to be commended. But when acting as a reseller for eNom, which is how they began their business, any email reporting abuse to eNom as the listed Registrar in the domain whois is quickly forwarded to Namecheap, who will most often, just as quickly, deny any and all responsibility for the fraudulent domain with the following email:
"Hello,

Thank you for your email regarding the domain name (insert fraudulent site name). While the domain name does have Namecheap.com as the registrar, we do not have the ability to oversee what data are being transmitted through its site. We do not own the domain name mentioned in your complaint, we are simply the registrar that the registrant purchased the domain name from.

The issue would need to be addressed through the hosting provider to see if their terms of service have been violated, and would need to be addressed through the domain registrant as they should be the individual that would control what particular content is being exchanged. We have no way to police these issues as we do not control the hosting company in this instance.

While I understand your issue, we are not in a position where we can make determination of validity of your statements. If you believe you are the victim of an internet crime, or if you are aware of an attempted crime, you can file a complaint through Internet Crime Complaint Center at https://complaint.ic3.gov. You also may contact either your lawyer(s) or the local authorities in order to get the issue resolved. We will assist them any way we can."
Let's pick this reply apart.
"While the domain name does have Namecheap.com as the registrar,"
Well, the domain might not, if Namecheap is acting as reseller for eNom. But Namecheap is an accredited Registrar, and this is just a form letter, so this part of the May 2013 RAA with ICANN, which both eNom and Namecheap have signed, applies:
"3.12 Obligations Related to Provision of Registrar Services by Third Parties. Registrar is responsible for the provision of Registrar Services for all Registered Names that Registrar sponsors being performed in compliance with this Agreement, regardless of whether the Registrar Services are provided by Registrar or a third party, including a Reseller. Registrar must enter into written agreements with all of its Resellers that enable Registrar to comply with and perform all of its obligations under this Agreement."
So when Namecheap is listed as reseller for the domain and eNom is listed as the Registrar, under the RAA eNom is still responsible, even though Namecheap is an accredited Registrar themselves.
"we do not have the ability to oversee what data are being transmitted through its site."
I understand that abuse teams are busy, but they could just take a minute to look at the site that has been reported to them as being fraudulent, couldn't they?
After all, their RAA with ICANN also includes the following:
"3.18 Registrar's Abuse Contact and Duty to Investigate Reports of Abuse.
3.18.1 Registrar shall maintain an abuse contact to receive reports of abuse involving Registered Names sponsored by Registrar, including reports of Illegal Activity. Registrar shall publish an email address to receive such reports on the home page of Registrar's website (or in another standardized place that may be designated by ICANN from time to time). Registrar shall take reasonable and prompt steps to investigate and respond appropriately to any reports of abuse."
From the FAQs about the 2013 RAA:
"26. Section 3.18.2 provides that well-founded reports of Illegal Activity submitted to the registrar must be reviewed within 24 hours by an individual who is empowered by Registrar to take necessary and appropriate actions in response to the report. In responding to any such reports, Registrar will not be required to take any action in contravention of applicable law. What does "well-founded" mean?

ICANN will consider this on a case-by-case basis, taking into account factors such as substantiation, demonstration, corroboration or evidence of Illegal Activity, but cannot specify in any particular circumstance what qualifies as "well-founded" as that may vary based upon the situation. If the registrar believes the request is not "well-founded," it should document the reasons for this decision."
Which seems pretty clear. Registrars have a responsibility to investigate any reports of abuse, so long as those claims can be backed up. With that in mind, let's look at an example.


Seems legit, right?

I think anyone can see the problem with this site at first glance.
The UN does not run any companies of any sort, let alone 'Express Delivery Companies'. So to say that:
"The issue would need to be addressed through the hosting provider to see if their terms of service have been violated,"
in this case is ducking responsibility. Also, while fraud is generally against most hosting companies' Terms of Service, even if some need to be gently reminded of that, that doesn't mean that Registrars and resellers get to pass the buck entirely on to them. In an ideal world the hosting company would suspend the site while the Registrar places the fraudulent domain into ClientHold, to prevent the registrant simply taking his fake site to another hosting company, which may not be as responsive.
"and would need to be addressed through the domain registrant as they should be the individual that would control what particular content is being exchanged."
This is just particularly ill informed. A registrant who registers a clearly fraudulent site should not be contacted about his content; he is already fully aware of what he's doing, and the fact that it's illegal hasn't stopped him from doing it. Why would he suddenly decide to take it down because I send him an email? There is no telling what his response would be: an attempt to scam me, spamming of my email account or an attempt to hack it are all possible, and all ones I'd rather avoid.
"While I understand your issue, we are not in a position where we can make determination of validity of your statements."
Again, you could actually read the email, look at the site in question, and see if the claims are valid or not, like the agreement with ICANN states. 
"If you believe you are the victim of an internet crime, or if you are aware of an attempted crime, you can file a complaint through Internet Crime Complaint Center at https://complaint.ic3.gov. You also may contact either your lawyer(s) or the local authorities in order to get the issue resolved. We will assist them any way we can"
As I'm not a victim, and the police tend to need victims to prove a crime took place, this is well intentioned but pretty useless. Also, I'm sure they have many more pressing calls on their limited resources than investigating every fraudulent site for registrars and hosting companies, many of which will inevitably fall outside their jurisdiction, such is the nature of the internet, especially when all it often takes is a quick look.