Same ol' spam, but different

So the same scam has been sent to me again (well, the Adobe version this time, not the Skype one). This scam has been around often enough and long enough (it was already circulating back in 2010, prior to them stealing my identity for one of the scam runs) that it has a Snopes page.

The updated spam, which I received a couple of days ago, again invents new versions of Adobe products that don’t exist. This time it’s Adobe 2012, and they are “charging” (i.e. stealing your details) for Adobe Reader – which is always free.

This is what the scam looks like (and please don’t go to the links in the scam unless you know what you are doing). The mailout redirect goes through a third party, so the links have a landing page which collects usage information before sending you to the scam landing page. The scam landing page then takes you to the scam page proper that takes your money.

[sourcecode language="html"]
INTRODUCING UPGRADED ADOBE ACROBAT READER 2012

Adobe is pleased to announce new version upgrades for Adobe Acrobat Reader

http://www.adobe-upgrade-2012.com

Advanced features include:

– Collaborate across borders
– Create rich, polished PDF files from any application that prints
– Ensure visual fidelity
– Encrypt and share PDF files more securely
– Use the standard for document archival and exchange

To upgrade and enhance your work productivity today, go to:

http://www.adobe-upgrade-2012.com

Start downloading the update right now and let us know what you think about it.

We’re working on making Adobe Acrobat Reader better all the time !

Copyright 2011 Adobe Systems Incorporated. All rights reserved.

Adobe Systems Incorporated
343 Preston Street
Ottawa, ON K1S 1N4
Canada
[/sourcecode]

So the main difference that I’ve noticed with the scam is that this time they’ve used some extra money (also presumably stolen) to pay for the site’s whois details to not be shown:

Domain Name:adobe-upgrade-2012.com
Record created:11/29/2011
Record expired:11/29/2012


Domain servers in listed order:
	 ns1.dns-diy.net 	 ns2.dns-diy.net

Administrat:
   name-- Domain ID Shield Service
   org-- Domain ID Shield Service CO., Limited
   country-- CN
   province-- Hong Kong
   city-- Hong Kong
   address-- 1102-1103,11/F,Kowloon Bldg.,555 Nathan Rd.,Mongkok,Kowloon
   postalcode-- 999077
   telephone-- +852.22060092
   fax-- +852.30030133
   E-mail-- ad4561094151701@domainidshield.com
Technical Contact:
   name-- Domain ID Shield Service
   org-- Domain ID Shield Service CO., Limited
   country-- CN
   province-- Hong Kong
   city-- Hong Kong
   address-- 1102-1103,11/F,Kowloon Bldg.,555 Nathan Rd.,Mongkok,Kowloon
   postalcode-- 999077
   telephone-- +852.22060092
   fax-- +852.30030133
   E-mail-- ad4561094473302@domainidshield.com
Billing Contact:
   name-- Domain ID Shield Service
   org-- Domain ID Shield Service CO., Limited
   country-- CN
   province-- Hong Kong
   city-- Hong Kong
   address-- 1102-1103,11/F,Kowloon Bldg.,555 Nathan Rd.,Mongkok,Kowloon
   postalcode-- 999077
   telephone-- +852.22060092
   fax-- +852.30030133
   E-mail-- ad4561094473303@domainidshield.com
Registrant Contact:
   name-- Domain ID Shield Service
   org-- Domain ID Shield Service CO., Limited
   country-- CN
   province-- Hong Kong
   city-- Hong Kong
   address-- 1102-1103,11/F,Kowloon Bldg.,555 Nathan Rd.,Mongkok,Kowloon
   postalcode-- 999077
   telephone-- +852.22060092
   fax-- +852.30030133
   E-mail-- ad4561094539504@domainidshield.com

Despite this, it all looks very similar, and the one thing that cannot be hidden is the creation date of the domain. If a website contacts you unsolicited and asks for your money from a web domain that was registered in the last few days, that is always a giveaway that they are up to no good.
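As an added example (not part of the original post), the creation-date check can be automated: this sketch parses the two whois layouts quoted on this page (the one above and the RU-CENTER one further down) and reports how old the domain was when the mail arrived. The receipt dates and the 30-day threshold are assumptions made for the example.

```python
import re
from datetime import date, datetime

# Field labels and date layouts seen in the two whois records on this page.
_CREATED = re.compile(r"^[ \t]*(?:Record created|Creation Date)[ \t]*:[ \t]*(\S+)", re.I | re.M)
_FORMATS = ("%m/%d/%Y", "%Y.%m.%d", "%Y-%m-%d")

def creation_date(whois_text):
    """Return the registration date from raw whois text, or None if absent/unparseable."""
    m = _CREATED.search(whois_text)
    if not m:
        return None
    for fmt in _FORMATS:
        try:
            return datetime.strptime(m.group(1), fmt).date()
        except ValueError:
            continue
    return None

def age_when_seen(whois_text, seen_on):
    """Days between domain registration and the day the unsolicited mail arrived."""
    created = creation_date(whois_text)
    return None if created is None else (seen_on - created).days

def verdict(whois_text, seen_on, max_age_days=30):
    """'new', 'old' or 'unknown'; the 30-day default is an assumed threshold."""
    age = age_when_seen(whois_text, seen_on)
    if age is None or age < 0:
        return "unknown"  # no usable date: never treat that as a pass
    return "new" if age <= max_age_days else "old"

# Excerpts of the two whois records quoted on this page.
ADOBE_WHOIS = """Domain Name:adobe-upgrade-2012.com
Record created:11/29/2011
Record expired:11/29/2012
"""
SKYPE_WHOIS = """Domain name:             OFFICIAL-SKYPE-UPDATE.COM
Creation Date:           2011.09.27
Updated Date:            2011.09.28
"""
# Constructed receipt dates; the page does not state when each mail arrived.
ADOBE_SEEN = date(2011, 12, 5)
SKYPE_SEEN = date(2011, 10, 3)

if __name__ == "__main__":
    for name, text, seen in (("adobe", ADOBE_WHOIS, ADOBE_SEEN), ("skype", SKYPE_WHOIS, SKYPE_SEEN)):
        print(name, creation_date(text), age_when_seen(text, seen), verdict(text, seen))
```

A privacy-shielded record still exposes the creation date, so the check works on both records; a record with no parseable date comes back as "unknown" rather than as a pass.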

Spam irony, and the same scammers are still out there

In a twist of irony, I have now been sent the same type of spam as the one that was created using my stolen credit card details and name earlier this year.

This time, the content of the spam is (with extra spaces in the URLs to break them):
[sourcecode language="html"]
Dear Shawn Sijnstra,

This is to notify that new updates have been released for Skype.

http://www. official – skype – update.com/

Following are major new features :

* Up to 5-way group video call.
* Redesigned calling experience.
* Improved video snapshots gallery.
* Improved browser plugins performance on some websites.
* Reduced false positives on browser plugin phone number recognition.
* New presence icons.
* Improved handling of calling attempts made when the user has run out of credit.
* Improved access to sharing functionality

To download the latest version , go to :

http://www. official – skype – update.com/

Start downloading the update right now and let us know what you think
about it.

Talk soon,

The people at Skype

Unsubscribe (http://jenadyco.offthepageemarketing.com.au/unsubscribe.php?cid=145&pid=755316&auth=13b78fdbd9b406c40959611b276d3546&upw=)
[/sourcecode]

It would appear to be the same group, as the whois record for the address is registered in the same way, with the same or similar registrar, the same fields used and a very similar address. I have left the name of the registrant out for obvious reasons:

% By submitting a query to RU-CENTER's Whois Service
% you agree to abide by the following terms of use:
% http://www.nic.ru/about/servpol.html (in Russian)
% http://www.nic.ru/about/en/servpol.html (in English).

Domain name:             OFFICIAL-SKYPE-UPDATE.COM
Name Server:             ns1.official-skype-update.com 122.224.4.108
Name Server:             ns2.official-skype-update.com 122.224.4.108
Creation Date:           2011.09.27
Updated Date:            2011.09.28
Expiration Date:         2012.09.27

Status:                  DELEGATED

Registrant ID:           QH9BLSG-RU
Registrant Name:         
Registrant Organization: 
Registrant Street1:      1039 Avenue Street
Registrant City:         New York
Registrant Postal Code:  10023
Registrant Country:      US

Administrative, Technical Contact
Contact ID:              QH9BLSG-RU
Contact Name:            
Contact Organization:    
Contact Street1:         1039 Avenue Street
Contact City:            New York
Contact Postal Code:     10023
Contact Country:         US
Contact Phone:           +1 800 2379293
Contact E-mail:          adobe@awssportswear.com

Registrar:               Regional Network Information Center, JSC dba RU-CENTER

Last updated on 2011.09.28 10:34:48 MSK/MSD

The individual whose name was used has a much more common name so hopefully does not have the same issues I have.

Reclaiming your name after credit card theft

The Situation

In February this year, my credit card details were stolen. I received a phone call from Citibank identifying a fraudulent transaction (kudos to them!). I confirmed this, the card was cancelled and replaced, and the money re-credited. I also found another transaction on there at about the same time, where someone had purchased something from a Russian domain registrar. I was surprised at the time about how much you could spend at the registrar, but I filled out the paperwork for Citibank, had the money re-credited immediately, and all was right with the world. Or so I thought.

The Fallout

So it turns out that my credit card details were used to register a lot of websites. These websites were presumably used as some kind of honeypot scam via email spam, directing recipients to dodgy URLs offering free upgrades to Skype and Adobe products. How do I know this? My name is rather rare (I suspect unique world-wide), so when I Google searched my name a little while ago, rather than seeing a list of interesting and good deeds I may have done, I saw websites like “stupid scammers” come up. Now I’m very much in favour of these sites remaining up, because I would like people to be generally aware of such scams and be able to easily identify them as such. What adds insult to injury for me is that not only did the scammers use my stolen credit card to pay for the domain name registration, they also used my name as the technical contact, administrative contact and company name. This means that when people went to investigate the scam sites using whois, my name came up.

Why do I care?

At the moment I am looking for work, and so my Google search profile is very important to me. I would like the first impressions to be good. So when I started checking into my current profile and found my good name to be associated with these scams above any other things that I’ve done, I was less than impressed. Secondly, as an IT professional, these scams are particularly badly done and make me look bad in my own field of broader expertise.

How do I know that every time I apply for a job, someone isn’t Google searching my name and ruling me out just in case? I want to reclaim my name.

What am I doing about it?

I’ll be trying quite a few options, and I’m also soliciting other ideas from the internet at large (that includes you!). I do not expect this to be a fast process, but I want to see how far I can get, with the intent of sharing my experiences and what to do if the same thing happens to you. I will also look at issues around Bing and sites like Pipl, but luckily the stupid scammer stuff is buried much deeper on those.