So a couple weeks back, I get an email in my mailbox telling me that there is a problem with my PayPal account, and asking me to click a link to verify my account information.
Since I don't have a PayPal account, it didn't take a great deal of intellectual prowess to figure out that it was a "phish" email--an email designed to trick the credulous and unwary into going to a phony site and handing over their PayPal password. I get about a half-dozen of them a day, and I fired off emails to the appropriate Web hosts and forgot about it.
Next day, I got another phish asking me to validate my Bank of America account information. I don't have an account with Bank of America, naturally. Again, a standard phish.
The only weird part was that the phony Bank of America site was hosted on the same Web server as the phony PayPal site. Fired off another email to the ISP hosting the fake sites and forgot it.
And got another phish email. And another, and another after that, and another after that. All advertising phony Web sites hosted on the same server.
"Huh," I thought. "This is weird."
The phish emails keep rolling in. I got four of them today. All of them advertising various phony sites hosted on the same server.
The server is at http://78.110.170.227/~hewar/. If you go there (which I don't recommend), you'll see that it is an open server directory. Right now, as I type this, it has three phish sites living on it--a phony Bank of America page and two phony PayPal pages in French.
It's also got a bunch of other stuff living there:

If you go to the directory called "bankofamerica.com" you end up at a phony Bank of America site. The "fr" and "paypal.fr" directories each contain a phony copy of the PayPal signin page. The file you see called "france2009.zip" contains everything the budding criminal needs to set up his own phony PayPal page on a hacked Web server.
There are two other files there, called "x.php" and "foxMailer.php". Each of those is a bulk spamming program. You connect to the server, upload a list of email addresses, upload a spam message, and press "go" and off it goes, sending the spam email to all the addresses.
Now, it's pretty clear that this server at 78.110.170.227 is entirely 100% owned and operated by a group of criminals who are in the spam and theft business. They send out spam from this server, and they host phony sites on this server which are designed to steal banking information.
The server is hosted by a British ISP called a2b2.com. The ISP a2b2.com is in turn a subsidiary of an outfit called vaserv.com. The a2b2.com Web site advertises cheap Web hosting, and the parent company vaserv.com offers cheap Web hosting and cheap VPS hosting.
My first impulse was that a2b2.com is a dirty, corrupt ISP, knowingly hosting Web sites for organized crime. You see them popping up from time to time, McColo, Calpop, and other unethical businesses which profit from hosting Web sites for criminals and quietly looking the other way.
But I've been taking a look at a2b2.com and vaserv.com more closely, and I don't think they're corrupt--I just think they're clueless.
Or perhaps I should say, I think he's clueless.
As near as I can tell, both of these ISPs are owned and run by just one guy. The whois information for both ISPs lists the contact as a guy named "Russell Foster." The parent company at vaserv.com has a WordPress blog, which hasn't been updated in months, whose posts are signed "Rus". This place very much gives the impression of a hobby business whose owner doesn't pay very close attention; the lights are on, but nobody's home.
Hell, even the security on the official WordPress blog sucks.
So this guy is hosting Web sites for organized crime, and far from profiting by it, I don't even think he knows about it. For that matter, I don't even think he reads his email!
Unfortunately, the upstream from a2b2/vaserv is the Italian outfit Tiscali, which is listed in the "I" section of the dictionary under "incompetent." Tiscali is so slow to act against spammers and abusers of their network that they've actually ended up on spam blacklists; as near as I can tell, the only way to get the folks at Tiscali to take action of any sort is to fuck the CEO's daughter on the CEO's desk. During a business meeting.
So it seems that the criminals responsible for these phish sites have found a perfect storm of incompetence and fail, which effectively means they can host their sites on servers in the UK with impunity. The people responsible for these phish sites are so confident that they haven't even bothered to cover their tracks or secure their Web servers.
This is the dirty secret of Web hosting, and it's an example of where Libertarian laissez-faire ideals fail. There is little incentive for ISPs to take action against malware, frauds, spammers, and phish sites on their networks, and financial incentive for them not to. An abuse person who is doing his job costs his employer money, and as the example of iPower Web shows, hosting such sites, and playing fast and loose with its customer's Web site security, doesn't actually seem to cost an ISP any business.
Comments
Idle thought, but why is it always daughters getting fucked? Why don't sons ever get fucked like this?
(I'd assume the obvious answer is "because we don't sexualize men", IE sexism, but I've just never really thought about it until now. So, hey, thank you for making me think about it :))
---
Also, these posts are always an interesting read :)
I'd flip that and say that boys are expected to be sexual (thus sexualised) from an early age, whereas girls are expected to be passive, and therefore fathers are more protective of their daughters 'virginal' status. Still sexist, slightly different reasoning. (Also, no matter what you do to them, boys can't get pregnant, so I suspect some part of this will never change!)
On the other hand, this is Tacit's journal... perhaps it's just because he prefers girls?
In this stereotype, the father is glad when his son "becomes a man," but wants to protect his daughter's presumed virtue.
It seems being on the receiving end is something to be seen as shameful still. So sad.
Incidentally, you've already met me in my Chaosbunny guise - this is my slightly more 'sensible' persona ;)
- Maxine
(My Goddess wanted to take me out in the woods and use her strapon with me on Beltane, but the logistics of male ass-fucking combined with the cold rainy Illinois weather convinced us otherwise.)
We found at least one other way: telling them you will piss in their cabs in Telehouse North. This probably works better when you live in London and have machines next to theirs, mind.
This information brought to you courtesy of a random stranger who ran across your journal and friended it for sheer interest/amusement value :)
That will toss it on their blacklist which is used by a LOT of companies as well as the free K9 app.
You might also want to toss them in the direction of http://mynetwatchman.com/
and then send an email to the Department of Justice. ^_^ Cuz you know, internet theft across country boundaries or some such. I'm sure that's illegal somewhere. ^_^
<---not a lawyer. (if you couldn't tell)
The firewall issue is a bit odd. No reasonable software vendor would ever write software that requires you to disable your firewall; you should just be able to get a list of the ports the software uses and make holes in the firewall for just those ports.
with respect, the fail here is in this interpretation of those ideals. the libertarian laissez-faire thing to do is to have a populace not dumbed down by government schools and a hand-wringing media that interlocks with the passivity taught therein - the libertarian thing is to educate oneself and protect oneself and those one is close to - not to passively hope that ISPs/governments/FSM will somehow protect us. the decentralized, voluntary services linked-to above (e.g. here - http://tacit.livejournal.com/297618.htm
I have been receiving spam from CalPop servers. I contacted the company and spoke with Matt Crowin (matt@calpop.com) the sales manager. He appears to be aware of the spam and is extremely rude and refused to help me. I then called and asked to speak with Lynn Hoover (lynn@calpop.com) the owner of the spamming servers and company. I was told that I could not speak to her. After some research I found that they have been spamming for a long time and do not care to stop.
According to my online research Matt Crowin (matt@calpop.com) has a history of disrespect, is aware of the spamming practices and Lynn Hoover (lynn@calpop.com) appears to be absent from the daily operations but fully aware of the spam situation.