Spam irony, and the same scammers are still out there

In a twist of irony, I have now been sent the same type of spam as the one that was created using my stolen credit card details and name earlier this year.

This time, the content of the spam is (with extra spaces in the URLs to break them):
[sourcecode language="html"]
Dear Shawn Sijnstra,

This is to notify that new updates have been released for Skype.

http://www. official – skype – update.com/

Following are major new features :

* Up to 5-way group video call.
* Redesigned calling experience.
* Improved video snapshots gallery.
* Improved browser plugins performance on some websites.
* Reduced false positives on browser plugin phone number recognition.
* New presence icons.
* Improved handling of calling attempts made when the user has run out of credit.
* Improved access to sharing functionality

To download the latest version , go to :

http://www. official – skype – update.com/

Start downloading the update right now and let us know what you think
about it.

Talk soon,

The people at Skype

Unsubscribe (http://jenadyco.offthepageemarketing.com.au/unsubscribe.php?cid=145&pid=755316&auth=13b78fdbd9b406c40959611b276d3546&upw=)
[/sourcecode]

It would appear to be the same group: the whois record for the domain is registered in the same way, through the same or a similar registrar, with the same fields populated and a very similar postal address. I have left the registrant's name out for obvious reasons:

% By submitting a query to RU-CENTER's Whois Service
% you agree to abide by the following terms of use:
% http://www.nic.ru/about/servpol.html (in Russian)
% http://www.nic.ru/about/en/servpol.html (in English).

Domain name:             OFFICIAL-SKYPE-UPDATE.COM
Name Server:             ns1.official-skype-update.com 122.224.4.108
Name Server:             ns2.official-skype-update.com 122.224.4.108
Creation Date:           2011.09.27
Updated Date:            2011.09.28
Expiration Date:         2012.09.27

Status:                  DELEGATED

Registrant ID:           QH9BLSG-RU
Registrant Name:         
Registrant Organization: 
Registrant Street1:      1039 Avenue Street
Registrant City:         New York
Registrant Postal Code:  10023
Registrant Country:      US

Administrative, Technical Contact
Contact ID:              QH9BLSG-RU
Contact Name:            
Contact Organization:    
Contact Street1:         1039 Avenue Street
Contact City:            New York
Contact Postal Code:     10023
Contact Country:         US
Contact Phone:           +1 800 2379293
Contact E-mail:          adobe@awssportswear.com

Registrar:               Regional Network Information Center, JSC dba RU-CENTER

Last updated on 2011.09.28 10:34:48 MSK/MSD

The individual whose name was used has a much more common name so hopefully does not have the same issues I have.
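That "registered in the same way" comparison is a standard infrastructure-attribution pivot, and it is worth making repeatable. The Python below is my added example, not code from the post: it parses the RU-CENTER "Key: value" layout quoted above into fields, normalises the ones worth pivoting on (registrar, street, city, postal code, phone digits, e-mail local part and name-server glue IP) and reports which of them two records share. The first record is an excerpt of the one on the page; the second is entirely constructed, with a placeholder domain, name server, registrant name and e-mail domain, because the earlier registration is not reproduced on the page.

```python
import re

# Excerpt of the whois record quoted above, reproduced as data. The blank
# registrant/contact name and organisation are kept blank, as on the page.
RECORD_A = """\
% By submitting a query to RU-CENTER's Whois Service
Domain name:             OFFICIAL-SKYPE-UPDATE.COM
Name Server:             ns1.official-skype-update.com 122.224.4.108
Name Server:             ns2.official-skype-update.com 122.224.4.108
Creation Date:           2011.09.27
Registrant Name:
Registrant Organization:
Registrant Street1:      1039 Avenue Street
Registrant City:         New York
Registrant Postal Code:  10023
Registrant Country:      US
Contact Phone:           +1 800 2379293
Contact E-mail:          adobe@awssportswear.com
Registrar:               Regional Network Information Center, JSC dba RU-CENTER
Last updated on 2011.09.28 10:34:48 MSK/MSD
"""

# A second record, entirely constructed for this example: the domain, name
# server, registrant name and e-mail domain are placeholders. No real earlier
# registration from the post is reproduced here.
RECORD_B = """\
Domain name:             CONSTRUCTED-EXAMPLE.TEST
Name Server:             ns1.constructed-example.test 192.0.2.44
Name Server:             ns2.constructed-example.test 192.0.2.44
Creation Date:           2011.02.14
Registrant Name:         Jane Q. Placeholder
Registrant Street1:      1039 Avenue St.
Registrant City:         New York
Registrant Postal Code:  10023
Registrant Country:      US
Contact Phone:           +1 (800) 237-9293
Contact E-mail:          adobe@example.test
Registrar:               Regional Network Information Center, JSC dba RU-CENTER
"""

FIELD_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z0-9 -]*?):\s*(?P<value>.*?)\s*$")


def parse_whois(text):
    """Parse 'Key:  value' lines into {key: [values]}.

    Repeated keys (Name Server) accumulate, '%' comment lines are ignored, and
    blank values (the redacted name/organisation) are dropped so they never
    count as a match.
    """
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("%"):
            continue
        m = FIELD_RE.match(line)
        if not m or not m["value"]:
            continue
        fields.setdefault(m["key"], []).append(m["value"])
    return fields


def norm_phone(value):
    """Digits only, so '+1 800 2379293' and '+1 (800) 237-9293' compare equal."""
    return re.sub(r"\D", "", value)


def norm_street(value):
    """Lower-case, strip punctuation and abbreviate street words."""
    value = re.sub(r"[.,]", "", value.lower())
    for full, abbr in (("street", "st"), ("avenue", "ave")):
        value = re.sub(rf"\b{full}\b", abbr, value)
    return re.sub(r"\s+", " ", value).strip()


def email_local_part(value):
    """Pivot on the mailbox name only: the same alias is often reused on throwaway domains."""
    return value.lower().split("@", 1)[0]


def name_server_ips(values):
    """'ns1.example 1.2.3.4' -> '1.2.3.4'; glue IPs are a strong pivot when present."""
    return {v.split()[-1] for v in values if len(v.split()) > 1}


# Each pivot maps the raw list of values for a key to a set of normalised tokens.
PIVOTS = {
    "Registrar": lambda vs: {v.lower() for v in vs},
    "Registrant Street1": lambda vs: {norm_street(v) for v in vs},
    "Registrant City": lambda vs: {v.lower() for v in vs},
    "Registrant Postal Code": lambda vs: set(vs),
    "Contact Phone": lambda vs: {norm_phone(v) for v in vs},
    "Contact E-mail": lambda vs: {email_local_part(v) for v in vs},
    "Name Server": name_server_ips,
}


def shared_pivots(rec_a, rec_b):
    """Return the pivot names on which two parsed records overlap after normalisation."""
    shared = []
    for name, normalise in PIVOTS.items():
        if name in rec_a and name in rec_b and normalise(rec_a[name]) & normalise(rec_b[name]):
            shared.append(name)
    return shared


if __name__ == "__main__":
    a, b = parse_whois(RECORD_A), parse_whois(RECORD_B)
    print(a["Domain name"][0], "vs", b["Domain name"][0])
    for pivot in shared_pivots(a, b):
        print("  shared:", pivot, a[pivot], b[pivot])
```

Run stand-alone it prints the six pivots the two records share (registrar, street, city, postal code, phone and e-mail local part) and, because the name-server glue addresses differ, leaves that one out. The point of normalising first is that registrants vary punctuation and abbreviation between registrations; a raw string comparison would miss the phone and street matches above. Note that the name fields are deliberately excluded from the pivots: the post's own observation is that the name changes while the rest of the template stays the same.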

Next observed stats change

While looking again at the search engines, I have noticed that the root home page for this site has come up the ranks, pushing some other results down by one. Interestingly, it is the home page with little content, not the blog, that is creeping up in rank.

On another note, the most recently updated page has yet to show up in the search engines. I will need to spend more time on seeing what I can do there.

Stats and security

While developing this blog, I have been working in the background on security and other curiosities. I wanted to use a log processor to look at where some of the hits on this site were coming from, so of course I turned to AWStats. I also wanted the stats to be viewable by myself only, without another password to either type in or store. There were great instructions available for the basic installation, but I had to look a little harder for security. I only really want to view the stats from home, and luckily I have a fixed IP address. This is certainly a lazy way to do security, and I haven't yet pushed it to be SSL-only, but to lock the AWStats pages down by IP address all that was required in the Apache2 conf file was:

[sourcecode language="xml"]
# Debian package paths for the AWStats JavaScript classes, icons and CSS.
Alias /awstatsclasses "/usr/share/awstats/lib/"
Alias /awstats-icon/ "/usr/share/awstats/icon/"
Alias /awstatscss "/usr/share/doc/awstats/examples/css"
# Expose the CGI directory (awstats.pl lives there) under /awstats/.
ScriptAlias /awstats/ /usr/lib/cgi-bin/
<Location /awstats>
# Use +/- on every option: Apache 2.4 rejects a mix of bare and +/- options at startup.
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
# Apache 2.2 access control: deny by default, then allow only the listed sources.
Order Deny,Allow
Deny from all
Allow from 1.2.3.4
Allow from 127
# Apache 2.4 equivalent of the three Order/Deny/Allow lines above:
#   Require ip 1.2.3.4 127.0.0.0/8
</Location>
[/sourcecode]

Where of course 1.2.3.4 is replaced with your desired access address: a full IP address, an address prefix (the "127" line admits all of 127.0.0.0/8) or a hostname. A hostname makes Apache do a double-reverse DNS lookup on every request and trust the result, so a fixed IP address is the more robust choice. Note also that the restriction only covers /awstats; the CSS, icon and class aliases stay world-readable, which is fine because they hold no data, but the ScriptAlias exposes everything in /usr/lib/cgi-bin, so keep that directory to what you mean to publish.

In other security-related news, somebody else ran a script against this site, but at least it was a better attempt: they looked for 151 vulnerabilities in a single sitting rather than the 6 the last lot did. There have been one or two other feeble ones since then, but it is nice to be tested thoroughly.

Newsflash: I’ve now had my first spam comment submitted. Hooray!

Thanks to go out

As always, credit where credit is due. Thank you very kindly to John Munoz who, once I clarified the situation on his blog, moved very quickly to correct the information.

It is now up to the search engines to do their work for those hits.

Status update on search engine results

So at this point I would like to record where the negative results (due to the credit card and identity theft) are turning up, so I can track how well the good results are percolating up. I should have started tracking these earlier, as I have already had one reference successfully removed (it no longer shows up in any of these search engines), and some new pages I have created have shown up in the top 3 pages.

www.google.com.au

Page 1: bad results at #5,7 (out of 10)

Page 2: #1, #7

Page 3: #5, #10

au.yahoo.com

Page 1: result #6, #9 (out of 10)

Page 2: result #4, #9, #10

Page 3: result #3, #6

www.bing.com

page 1: result #6, #9 (out of 10)

page 2: result #4, #9, #10

page 3: result #3, #6

www.ask.com

page 1: result #1, #5 (out of 10; excluding my ads inserted between 1 & 2, and at the end. The abandoned blog beats my ad!)

page 2: result #5

page 3: result #1

duckduckgo.com

page 1: result #5, 6, 7, 11, 21 out of a total of 28 results. Clearly I’m not popular enough on duckduckgo.

I still have my work cut out for me!

Raising the rank

Part of the point of this blog itself of course is to improve the quality of information that exists online about me, and outweigh the misinformation brought about by the identity theft incident. As a part of ensuring that this blog remains well ranked, I am trying to submit it to all major engines that accept submission – Google, Bing, Yahoo, Ask; some of which required me to put an authentication file in the root of the web server. A secondary part is including a sitemap.xml file for pre-indexing information. I have installed a plugin to WordPress to see if that will do the job automatically rather than me having to generate one separately and then upload it. Conveniently, the plugin advertises itself in the sitemap.xml file it generates.

Trying the simple things first

So I thought I would try the simplest (or apparently simplest) approach first. Ask people nicely to remove my name – not their article as their work has much value as an example of what to look out for in spam that might indicate phishing attacks. The more information out there about not trusting every detail of unsolicited email from strangers (even if they purport to be from familiar places), the better.

I decided on the top 4, which covered the first 3 pages of google results. A blogspot blog, and 3 personal blogs. Here is what has happened with them so far. Bad news first.

The Blogspot blog appears to be abandoned. The post containing my name is the last post on there, and it is now 7 months later. While I have asked on there to have my name removed, I doubt it will have much impact, but I shall try again. Asking the hosting service to edit or remove the page isn’t an option at this point. Blogger is owned by Google, and as such will only take down pages if there is a matching court order. I will pester again. Sadly, this is a very prominent result.

One blog allowed me to submit an email to the author, however, it then disappeared in to a black hole. I will have to bug this one again.

One blog had no way of contacting them at all. I tried to guess email addresses but they all bounced or were undeliverable. I will need to rethink this one.

The one that worked….

So one of the bloggers I contacted understood immediately and removed my name, replacing it with the word ‘redacted’. Perfect! Of course Google then needed to know about the change; luckily he already had a sitemap.xml present, so I could just add a bit of link juice, and after about a week it was updated and no longer showing. Thank you Geoff Fox for appreciating the situation, and responding so quickly!

Back to technology adventures – the hacking attempts begin

This was a little more overt and quite frankly faster than I expected. They were nice enough to sign it though.

[Sun Sep 18 08:09:48 2011] [error] [client 210.71.198.186] File does not exist: /var/www/w00tw00t.at.blackhats.romanian.anti-sec:)
[Sun Sep 18 08:09:49 2011] [error] [client 210.71.198.186] File does not exist: /var/www/phpMyAdmin
[Sun Sep 18 08:09:50 2011] [error] [client 210.71.198.186] File does not exist: /usr/share/phpmyadmin/scripts
[Sun Sep 18 08:09:50 2011] [error] [client 210.71.198.186] File does not exist: /var/www/pma
[Sun Sep 18 08:09:51 2011] [error] [client 210.71.198.186] File does not exist: /var/www/myadmin
[Sun Sep 18 08:09:52 2011] [error] [client 210.71.198.186] File does not exist: /var/www/MyAdmin

Well, the script was written by Romanians (according to a quick search). The list of attempted hacks seems remarkably short for a brute force scripted attack. Just for the record, the whois owner of that address is currently:
Taiwan Taipei Chtd Chunghwa Telecom Co. Ltd
although, as I know far too well now for all the wrong reasons, the whois data isn’t always useful, helpful or correct.
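Those six lines are the whole of a well-known automated probe: the w00tw00t string is commonly attributed to the ZmEu scanner's opening request, and the paths that follow are its phpMyAdmin guesses. As an added example (mine, not the post's), here is the kind of detection I would run over the Apache error log to pull such scanners out of the noise of ordinary 404s. The sample log is constructed from the six entries above rejoined onto single lines, as Apache writes them, plus one invented benign miss from a documentation-range address so the filter has something to ignore.

```python
import re

# Constructed sample of Apache 2.2 error-log lines: the six entries quoted in
# the post, each on one line as Apache writes them, plus an invented benign
# miss from a documentation-range address (192.0.2.10).
SAMPLE_LOG = """\
[Sun Sep 18 08:09:48 2011] [error] [client 210.71.198.186] File does not exist: /var/www/w00tw00t.at.blackhats.romanian.anti-sec:)
[Sun Sep 18 08:09:49 2011] [error] [client 210.71.198.186] File does not exist: /var/www/phpMyAdmin
[Sun Sep 18 08:09:50 2011] [error] [client 210.71.198.186] File does not exist: /usr/share/phpmyadmin/scripts
[Sun Sep 18 08:09:50 2011] [error] [client 210.71.198.186] File does not exist: /var/www/pma
[Sun Sep 18 08:09:51 2011] [error] [client 210.71.198.186] File does not exist: /var/www/myadmin
[Sun Sep 18 08:09:52 2011] [error] [client 210.71.198.186] File does not exist: /var/www/MyAdmin
[Sun Sep 18 09:12:03 2011] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico
"""

# Apache 2.2 error-log shape: [timestamp] [level] [client IP] message[, referer: URL]
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[\d.:a-fA-F]+)\] "
    r"File does not exist: (?P<path>\S+)(?:, referer: .*)?$"
)

# The w00tw00t marker is the calling card commonly attributed to the ZmEu
# scanner's first request; the rest are the phpMyAdmin install paths it then
# enumerates. Both lists are heuristics, not a complete signature set.
SCANNER_BANNERS = ("w00tw00t",)
PMA_PATH_HINTS = ("phpmyadmin", "/pma", "myadmin")


def parse_line(line):
    """Return the fields of one 'File does not exist' entry, or None for anything else."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(path):
    """Label a requested path as a scanner banner, a phpMyAdmin probe, or None."""
    p = path.lower()
    if any(b in p for b in SCANNER_BANNERS):
        return "scanner-banner"
    if any(h in p for h in PMA_PATH_HINTS):
        return "phpmyadmin-probe"
    return None


def summarise(log_text, threshold=3):
    """Aggregate probes per client IP.

    An IP is reported if it sent a scanner banner at all, or at least
    `threshold` probe paths, so a lone 404 on a real page is never flagged.
    """
    per_ip = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec["path"])
        if kind is None:
            continue
        entry = per_ip.setdefault(rec["ip"], {
            "probes": 0, "kinds": set(), "paths": [],
            "first": rec["ts"], "last": rec["ts"],
        })
        entry["probes"] += 1
        entry["kinds"].add(kind)
        entry["paths"].append(rec["path"])
        entry["last"] = rec["ts"]
    return {
        ip: e for ip, e in per_ip.items()
        if "scanner-banner" in e["kinds"] or e["probes"] >= threshold
    }


if __name__ == "__main__":
    for ip, e in summarise(SAMPLE_LOG).items():
        print(f"{ip}: {e['probes']} probes, {sorted(e['kinds'])}, "
              f"{e['first']} .. {e['last']}")
        for path in e["paths"]:
            print("   ", path)
```

Run stand-alone it reports 210.71.198.186 with six probes of both kinds and says nothing about the favicon miss. One caveat matters more than the heuristics: the error log only ever records paths that do not exist. If phpMyAdmin actually is installed, the same probe shows up as a 200 in the access log instead, so the path checks need to be applied there as well. The per-IP list this produces is what you would feed to a firewall rule or a fail2ban-style jail.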

First plans of attack to reclaim my identity

So the first step in drawing up a plan of attack is to work out what outcome I am after.

So what do I want?

It would be awfully convenient if none of these pages ever turned up again, but that isn’t going to happen and may not even be what I want.

My primary goal is to ensure that if my name is searched on any major search engine, the first 2-3 pages of hits do not associate me with any of the negative fallout of having my name misappropriated. Once that has been achieved, I can see whether I can do better than that.

As I mentioned previously, I do want the bulk of the information in these pages to remain available, but without the reference to my misappropriated details. For brevity, I’ll refer to these negative references caused by the abuse of the misappropriated details as “the fallout”.

So then what are the possible angles of attack to recover my name?

  • Increase ranking of positive references to my name over the other pages.
  • Removal of my name from the inappropriate and negative pages from search results.

Where do I want these removed or rank lowered?

  • Search engines: Google, Bing, Yahoo
  • Metasearch engines:
  • People profiling sites: Pipl
  • More ambitious targets: DuckDuckGo

So now that I have an idea of what it is I want to achieve, what are my options?

Based on feedback from my very good friends, there are a few things I will try.

  • Build a site to explain the situation and link to the good material on the internet
  • Use Google ads to improve site ranking of a site describing the situation
  • Ask the people to remove my name from the offending pages
  • Get people to go on a clicking campaign on my behalf to help the good results turn up first
  • Remove my name from people indexing aggregators that associate me with the fallout

As I implement these, I will write up caveats, hits, misses and take on any extra ideas from you!

Reclaiming your name after credit card theft

The Situation

In February this year, my credit card details were stolen. I received a phone call from Citibank identifying a fraudulent transaction (kudos to them!). I confirmed this, the card was cancelled and replaced, and the money re-credited. I also found another transaction on there at about the same time, where someone had purchased something from a Russian domain registrar. I was surprised at the time about how much you could spend at the registrar, but I filled out the paperwork for Citibank, had the money re-credited immediately, and all was right with the world. Or so I thought.

The Fallout

So it turns out that my credit card details were used to register a lot of websites. These websites were, as far as I can tell, used in email spam scams, directing recipients to dodgy URLs offering free upgrades to Skype and Adobe products. How do I know this? My name is rather rare (I suspect unique world-wide), so when I Google searched my name a little while ago, rather than seeing a list of interesting and good deeds I may have done, I saw websites like “stupid scammers” come up. Now I’m very much in favour of these sites remaining up, because I would like people to be generally aware of such scams and be able to easily identify them as such. What adds insult to injury for me is that not only did the scammers use my stolen credit card to pay for the domain name registration, they also used my name as the technical contact, administrative contact and company name. This means that when people went to investigate the scam sites using whois, my name came up.

Why do I care?

At the moment I am looking for work, and so my Google search profile is very important to me. I would like the first impressions to be good. So when I started checking in to my current profile and found my good name to be associated with these scams above any other things that I’ve done, I was less than impressed. Secondly, as an IT professional, these scams are particularly badly done and make me look bad in my own field of broader expertise.

How do I know that every time I apply for a job, someone isn’t Google searching my name and ruling me out just in case? I want to reclaim my name.

What am I doing about it?

I’ll be trying quite a few options, and I’m also soliciting other ideas from the internet at large (that includes you!). I do not expect this to be a fast process, but it is something I want to see how far I can get with, with the intent of sharing my experiences and what to do if the same thing happens to you. I will also look at issues around Bing and sites like Pipl, but luckily the stupid scammer stuff is buried much deeper on those.