Archive for the ‘Internet Scams’ Category

In the last 2 months, I reported about a nasty phishing scam known as ‘msn-blocked.com’ that asks users to type their MSN user name/password and then uses their log-in details to connect to the MSN/Live Messenger server and send fake invite messages to all the contacts of the user.
This Web site also sends the users to the msnpass.info Web site, which is used to sell my freeware MessenPass utility by using the payment system of Allopass. You can read more about this scam in the previous posts of my Internet Scams section.

MsnPass.Info Scam In English

Until now, the msn-blocked Web site was in French and targeted only French-speaking users.
But now the owner of this nasty scam has decided to go international and created new versions of the msn-blocked and msnpass.info Web sites in multiple languages, including English. Users who browse to these Web sites automatically get the right language according to the language settings of the Web browser, and there is also a flags toolbar to select the right language.
This means that Internet users in many countries that were not affected by this scam until now, including all Live Messenger users in the United States, are now vulnerable to this scam.

Msn-Blocked.com in English

Since I discovered this scam, around 2 months ago, I have tried to contact any company/organization that can help to stop this scam right away, including well-known companies like Microsoft and GoDaddy. Unfortunately, it seems that these companies don’t care that their services are used for Messenger spamming and phishing scams.

Here’s a partial list of companies that received my complaint about the msn-blocked scam and didn’t do anything to stop it:

  1. GoDaddy: GoDaddy is the domain registrar of all domains used for this scam, including msnpass.info, msn-blocked.com, msn-block.info, msnblocks.com, msnapps.net, and possibly a few others. The Web site of GoDaddy says that “We do not allow our customers to send mass unsolicited e-mails, or spam” and they even provide a special spam report form to report spammers. They also have an option in their form to report IM spam, which is exactly what the msn-blocked Web site does.
    So I sent my entire report about msn-blocked.com to GoDaddy, even twice, but so far, there has been no response from them.
  2. Domains by Proxy: This company provides a ‘privacy protection’ service that hides the real details of the user who registers a domain. It’s a very good and useful service, as long as it’s used by legitimate Web site owners, but unfortunately, this service is also used by scam owners like msn-blocked.com that want to hide their identity.
    Like GoDaddy, this company also says that they don’t allow their customers to send spam, and they also provide a form to file a complaint about a spammer.
    I also sent them my full report about the msn-blocked.com scam, and exactly like GoDaddy, they simply don’t answer.
  3. Microsoft Live Messenger Team: The entire scam of the msn-blocked.com Web site is based on connecting to the MSN/Live Messenger servers and flooding the contacts of the user with fake messages. The team of the Live Messenger servers can easily block the IP addresses of the msn-blocked Web site and bring down this scam right away.
    I reported this scam to the team of Live Messenger, by using their feedback form and as a comment in their Blog. I also know that I’m not the only one who reported the msn-blocked scam to them. Unfortunately, like the other companies, the team of Live Messenger doesn’t bother to do anything about this issue, even though they can easily shut down the scam by making a few changes in their Firewall.

    Maybe now, when this scam also targets English speakers, and will probably start to spread in the United States very quickly, Microsoft will understand that they have to do something about it.

  4. Allopass: As I already reported in my previous posts, the owner of this scam sells my MessenPass software on the msnpass.info Web site, by using the SMS payment system of Allopass.
    As opposed to the other companies, Allopass answered the messages I sent them about this scam, but unfortunately, they refused to stop working with the scam owner, saying that they cannot legally close the account and other excuses. Allopass also enjoys its part in the scam, because for each SMS code used by the msnpass.info Web site, the revenue is shared between the scam owner, Allopass, and the phone company.
  5. EURO-WEB Servers renting: EURO-WEB is the hosting company that currently hosts the servers of the msn-blocked scam. I sent a full report about the scam to the abuse email of this company, but there has been no response from them.

I hope that one of the above companies will finally decide to take action against the msn-blocked Web site before it starts spreading in the United States and many other countries that were not affected by this scam until now.

There is only one good side in this story: both Firefox and Internet Explorer block some of the Web addresses of the msn-blocked Web site thanks to the phishing reports made by users. However, this Web site blocking only slows down the spreading of the scam, but it doesn’t really prevent it. The scam owner also constantly replaces the domain name and host name to avoid the blocking by the Web browser.

A few days ago, I reported that the Allopass company decided to close the account of the msnpass.info scam. So it seems that they simply lied to me.
After a few days, I saw that the msnpass.info Web site is still very active, so I contacted Allopass again, and now their representative says that they are not going to close the account.

The reason: The owner of msnpass.info told them that msnpass.info sells software developed by the msnpass.info team, and that this Web site doesn’t sell the utilities of NirSoft at all.
This is probably the reason for the screenshot change that I reported a few days ago.

The owner of msnpass.info created a fake screenshot of software that doesn’t really exist, and told the Allopass company that msnpass.info sells the software shown in the screenshot, which doesn’t look like the MessenPass utility of NirSoft.

But according to reports that I received in the last few days from 2 people who fell for the msnpass.info scam, after users pay through the payment system of Allopass, they are still sent to download my MessenPass and Mail PassView utilities.
The fake screenshot on the landing page of msnpass.info was just created to give Allopass a good excuse for not closing the account.

The sad fact is – both msnpass.info and the Allopass company have an interest in keeping the msnpass.info account open and continuing to make lots of money from this nasty scam.

In the last few weeks, I was in contact with a few employees of the Allopass company regarding this scam, and in all this time, they just wasted my time and protected the side of the criminals.
Instead of suspending the account of msnpass.info and requiring this Web site owner to stop the nasty MSN spamming activities and to stop selling the software of others, Allopass simply sent my complaint to the msnpass.info owner. The msnpass.info owner answered them that he sells his own software and not my software, and Allopass simply accepted this answer, and decided to keep the account open.

Just to remind you again – msnpass.info and msn-blocked.com are a pair of scam Web sites in French that use a very nasty way to get a large amount of traffic and… money.
The first one, msn-blocked.com – asks innocent users to type their MSN user/password, and then floods all their contacts with fake instant messages that invite them to join the msn-blocked Web site, and enter their user/password too.
The second one, msnpass.info – offers the users of msn-blocked.com the option to purchase the MessenPass utility of NirSoft through the SMS payment system of allopass.com, misleading French users who don’t know that this utility is available for free at www.nirsoft.net.

For more information about how this scam works, read this post.

msn-blocked.com blocked by Firefox, so other domains are used

Due to complaints of many users about the msn-blocked Web site, Firefox and Google blocked this domain for ‘Reported Web Forgery’.
So the owner of this scam started to redirect Firefox users to other domains like msn-block.info, msn-blocking.com, msn-check.info, and possibly others.
The msn-block.info and msn-blocking.com domains are already completely blocked by Firefox too, while msn-check.info is only partly blocked.

So far, Firefox/Google are the only good side in this world doing something against this scam.
I already reported this scam to Microsoft (for MSN Messenger abuse), to GoDaddy (the domain registrar), to Domains By Proxy (the privacy protection company), to EURO-WEB Servers renting (the current hosting company), and to some other organizations that handle these kinds of scams. So far, there has been no action from any of them.

After a few hours with the new ‘who loves you’ scam Web site, the msn-blocked Web site once again redirects all users to msnpass.info.
But now msnpass.info shows a new screenshot of password-recovery software, instead of the screenshot of MessenPass. I don’t know if this screenshot is based on real existing software, or if it’s just a completely fake screenshot created by the msnpass.info owner.

Finally, the owner of msnpass.info decided to stop selling my MessenPass software.
The Web page of msnpass.info still exists, but all visitors of msn-blocked.com are now redirected to a new Web site that is hosted on the same IP addresses as msnpass.info.
The new Web site is oh-love.me, and like msnpass.info, it’s hosted with multiple host names, like http://d.oh-love.me, http://c.oh-love.me, http://b.oh-love.me, and others.

This Web site is also in French, so I used Google Translator to find out what exactly this Web site offers the users, and here’s the result:
Welcome to oh-love.me, You always wanted to be able to read minds of others? Power who secretly pinching for you? Your dream will come true soon! With oh-love.me, you will be able to know the name of the boy or girl who secretly loves you! It’s super easy, you simply send an SMS that you will be shown by clicking on the flag of your country. By entering the code magic optenu on the site, you immediately know the name of your claim or your prétendante secret!

I don’t know what exactly the users get when they send the SMS, but there isn’t any utility on the NirSoft Web site that can do that 🙂

Also, Firefox/Google blocked the entire domain of msn-blocked.com, so now all the Firefox visitors are redirected to the msn-block.info domain (like s502.msn-block.info and many others),
while the users of Internet Explorer are still redirected to the msn-blocked.com domain, because IE doesn’t block them.

It looks like whoever is behind these scams, works around the clock just to keep them alive…

And just more good news… I received another email from Allopass, and now they say that they are going to cut the account that was used for selling my MessenPass software.
I guess that even after the Allopass account is closed, the scam owner won’t give up, and will open a new account with Allopass or with another similar payment company.

msn-blocked.com and msnpass.info are a pair of scam Web sites in French that have been extremely active in the last few weeks.
The first one, msn-blocked.com – asks innocent users to type their MSN user/password, and then floods all their contacts with fake instant messages that invite them to join the msn-blocked Web site, and enter their user/password too.
The second one, msnpass.info – offers the users of msn-blocked.com the option to purchase the MessenPass utility of NirSoft through the SMS payment system of allopass.com, misleading French users who don’t know that this utility is available for free at www.nirsoft.net.

As I already reported in my previous posts, these Web sites were hosted by the ovh.net hosting company, but in the last few days the owner of these scams moved most of the servers to another hosting company – EURO-WEB Servers renting, which is also a hosting company in France. Although most of the activity moved to the new hosting company, some of the servers are still active at the previous hosting company – ovh.net

The host names in the new hosting company are:

…And there are possibly more…

Ridiculous Answer From Allopass.com

In the previous post, I reported that there was no answer from the Allopass payment company that is used as a part of the msnpass.info/msn-blocked.com scam.
So after a while, they sent me their ridiculous answer to my complaint about these scams, and here’s the quote from their response:
Please apologize for this late answer. As a payment system provide, Allopass is not entitled to take side in this kind of dispute. However, we just notified the publisher of http://www.msnpass.info/ of your complaint, and now look forward to his reply.

So Allopass doesn’t want to “take side” in this issue, but they actually enjoy taking their side in sharing the revenue with the msnpass.info owner.
Each time that a new innocent victim pays for my MessenPass software on the msnpass.info Web site, the Allopass company also gets its side of the SMS revenue, together with the msnpass.info scam owner.
But the main problem with msnpass.info is not the action of illegally selling NirSoft software, but the fact that this Web site gets all its traffic by spamming the MSN Messenger accounts of innocent people with fake messages generated by the msn-blocked.com Web site.

As you can see from the Alexa ranking, the traffic of the msn-blocked.com Web site continues to grow, and in the last days it reached a new record:

Most of the traffic of msn-blocked.com comes from countries with French speakers – France, Belgium, Switzerland, and a few more.

How This Scam Works

If you still don’t understand how exactly this scam works, and how these scam Web sites get so much traffic, here’s a simple explanation of the viral spreading done by these Web sites.
For the examples below – User X, User Y, and User C are French speakers who constantly use MSN or Live Messenger to chat with their friends.

  1. User X gets an instant message in MSN from his good friend, User Y, that recommends he visit the msn-blocked.com Web site. (User X doesn’t know yet that this is a fake message generated by the msn-blocked.com Web site.)
  2. User X visits the msn-blocked Web site and enters his MSN user name and password, assuming that it’s a safe Web site, because User Y, his good friend whom he trusts, sent him to this site.
  3. After he gives his MSN user name/password to msn-blocked, this Web site connects to the MSN account of User X and sends fake instant messages to all his contacts!
  4. Now Users C, D, E, F, and others, who are in the contacts list of User X, receive the fake invitation message from User X, and some of them, like User X, make the same mistake, go to the msn-blocked Web site and give their user name/password.
  5. On the User X side, the msn-blocked page is loaded and displays his contacts list for a few seconds.
  6. After a few seconds, the Web site suddenly redirects to the www.msnpass.info Web site.
  7. The www.msnpass.info Web site offers User X to download my MessenPass software by using the SMS payment system of allopass.com.
    User X still doesn’t know that all his contacts received the fake instant messages in his name, and he thinks that msnpass.info is a good Web site recommended by his friend, and of course, User X doesn’t know that the MessenPass utility is available to download for free at the NirSoft Web site.
  8. User X sends an SMS and gets the code for downloading my MessenPass software, assuming that User Y recommended that he do so.
  9. When User X sends the SMS, the payment is shared between the scam owner, the Allopass payment company, and the phone company.
  10. After a while, User C, a friend of User X, asks him about the link he sent him earlier.
    User X doesn’t remember that he sent any link to User C, and he starts to understand that msn-blocked.com sent fake messages to all his contacts.
    But it’s already too late. Some of User X’s contacts, who received the same fake invitation message, already gave their MSN user/password, and continued the viral spreading of the msn-blocked scam.
  11. User X, angry about the embarrassment that this Web site caused him, browses to the msn-blocked.com link again, and reports it as ‘Web Forgery’ from the Web browser interface.
    After a while, the Web address reported by User X will be blocked by Firefox/Google and other Web site blockers, but it won’t help the next victims much, because the scam owner constantly modifies the Web site address. For example: if User X received the Web site address as s12.msn-blocked.com, the next victims will get a new address like s35.msn-blocked.com, and thus it won’t be blocked for the next victims.
  12. The owner of the msnpass.info and msn-blocked sites accumulates more and more money from the SMS system, allowing him to pay more for the hosting services and to extend his scam Web sites to more servers.
  13. Due to the nature of “viral spreading” like in this scam, the number of users visiting these sites grows exponentially, and the scam owner rents more and more servers in order to serve all the site “visitors”.
    The scam owner probably relies on payments from the Allopass system for paying for the new hosting servers.
  14. The Allopass company also enjoys the scam of msnpass.info, and gets its part of the revenue, without caring about the nasty way that the visitors are sent to the msnpass.info Web site, and without caring about the violation of my intellectual property rights, even if it’s against their own conditions of use.
  15. It’s possible that all MSN user/passwords provided by users on the msn-blocked Web sites are collected into a large database of passwords to be used later for identity theft and other crimes.

That’s all for now.

You are welcome to add your comment about Allopass’s behaviour in this matter, and whether they should continue to provide their payment services for the nasty scam Web sites that I described above.

After digging more into the MsnPass.Info scam that I reported in previous posts, I found out that this scam is only a part of a possibly larger scam that may involve collecting emails and passwords of French users.

msn-blocked.com is a Web site that offers French users a way to find out who blocked their MSN Messenger user. In order to use this “service”, the users are required to provide their MSN user name and password.
Currently, it has at least 3 active servers: http://s601.msn-blocked.com/, http://s502.msn-blocked.com, http://s12.msn-blocked.com
There are some other addresses that are already blocked by Firefox with a “Reported Web Forgery!” message (for example: http://s11.msn-blocked.com), probably after users reported that it’s a phishing site.
But every time that a Web address is blocked, the scam owner simply replaces it with a new server name.
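
The effect of the host-name rotation described above, as an added example that is not code from the original post: a blocklist of individually reported hosts catches only s11, a label-aligned match on the parent domain also covers the rotated names, and a brand-token check flags look-alike domains for review. The function names, the sample URL list and the list of legitimate brand domains are assumptions made for this example.

```python
# Added example: per-host blocking vs. parent-domain blocking vs. a
# brand look-alike signal, run over host names mentioned in the post.
from urllib.parse import urlsplit

# Host reported by users and blocked individually (from the post).
REPORTED_HOSTS = {"s11.msn-blocked.com"}

# Parent domains the post describes as completely blocked.
BLOCKED_DOMAINS = {"msn-blocked.com", "msn-block.info", "msn-blocking.com"}

# Assumption for this example: the impersonated brand token and the
# domains that legitimately carry it.
BRAND = "msn"
LEGIT_BRAND_DOMAINS = {"msn.com", "live.com", "microsoft.com"}


def host_of(url):
    """Return the lower-cased host name of a URL, with or without a scheme."""
    parts = urlsplit(url if "://" in url else "//" + url)
    return (parts.hostname or "").rstrip(".")


def under_any(host, domains):
    """True if host equals one of the domains or is a subdomain of one.

    The comparison is label-aligned, so 'notmsn-blocked.com' does not
    match 'msn-blocked.com' the way a plain endswith() would.
    """
    labels = host.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def classify(url):
    """Return the first layer that matches the URL's host name."""
    host = host_of(url)
    if not host:
        return "invalid"
    if host in REPORTED_HOSTS:
        return "blocked-host"
    if under_any(host, BLOCKED_DOMAINS):
        return "blocked-domain"
    if under_any(host, LEGIT_BRAND_DOMAINS):
        return "allowed"
    # Review signal only: unrelated names containing the token also match.
    if any(BRAND in label for label in host.split(".")):
        return "suspicious-lookalike"
    return "allowed"


def compare(urls):
    """Per URL: (caught by the per-host list alone, layered verdict)."""
    return {u: (host_of(u) in REPORTED_HOSTS, classify(u)) for u in urls}


# Constructed sample list built from host names quoted in the post.
SAMPLE_URLS = [
    "http://s11.msn-blocked.com/",
    "http://s12.msn-blocked.com/",
    "http://s502.msn-blocked.com",
    "http://s601.msn-blocked.com/",
    "http://s502.msn-block.info/",
    "http://msn-check.info/",
    "http://d.oh-love.me",
    "https://www.msn.com/",
]

if __name__ == "__main__":
    for url, (per_host, verdict) in compare(SAMPLE_URLS).items():
        print(f"{url:32} per-host={per_host!s:5} layered={verdict}")
```

The oh-love.me host passes every layer, which matches what the posts describe: once the owner registers an unrelated domain, only a fresh report or takedown at the registrar or host stops it.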

This Web site has terms and conditions in French, so I used the ‘Google Translate’ tool to translate them to English, and that’s what they say: “The site aims to provide you with tools to identify people who you are blocked and / or removed from their list of contacts on MSN or Windows Live Messenger. In return you grant this site (MSN-blocked.com) to include your email address in mailing lists marketing.”
In other words, the Web site owner says that he collects every email entered by the user for spamming purposes.

Just for a test, I tried to create a new MSN account (I wouldn’t give my real user name/password to criminals) and use it on the http://s12.msn-blocked.com/ Web site.
After I did it, the Web site showed that it was connecting to the MSN server, and then it redirected me to a page with a few French words that I don’t understand. A few seconds later, it redirected me again… to the msnpass.info Web site.
So after I gave my user name/password to the Web site owner, he simply offered to sell me my own utility through the SMS/phone system of allopass.com.
In the beginning, both msnpass.info and msn-blocked.com were hosted on the same server, but now each of these Web sites is hosted on 3 – 4 separate servers.

There are 2 other things to be concerned about:
1. This Web site (msn-blocked.com) may also collect the password of each user that uses this service, and that’s really bad, especially when we already know that the owner is a thief who sells the software of others.

2. With the MSN user name/password, the Web site owner can collect the email addresses of all the contacts of the user – for spamming purposes.

But the most concerning thing in this scam is the large amount of traffic the scam owner managed to receive.
I have already seen many scam Web sites in my life, but the scale of this scam is really unusual.
Both Alexa and radarurl.com (a widget added by the scam owner to watch the number of online users) displayed an extreme amount of traffic in the last few days.
radarurl.com already removed the msnpass.info and msn-blocked.com sites (maybe because the owner of radarurl.com found out about this scam), but before they were removed, it was displaying around 100-200 online users for each server (around 1000 online users for all servers together) in the peak hours.

In Alexa, the traffic rank of msn-blocked.com is around 8000 in the last few days, which is very high for a Web site that was established only 3 weeks ago.

Moreover, it seems that the scam owner has at least 8 dedicated servers (4 for msnpass.info and 4 for msn-blocked.com), which implies that it’s really a major scam. The scam owner wouldn’t pay for 8 dedicated servers unless there is something huge behind that.

As I already reported, I tried to contact both ovh.com hosting and the payment company (allopass.com) by email and from their Web site contact forms, but with no success.
They simply don’t answer – I don’t know if they simply don’t understand English or they don’t really care that their services are used for fraud activities.
Unfortunately, I don’t live in France and I don’t speak French, so I cannot do anything else to shut down this scam.

If you live in France and/or you can speak French, you may try to call this ovh.com company, get to the right department, and tell them about the scam of msn-blocked.com and msnpass.info.

If no one does something about this scam, these criminals will continue to collect more and more MSN emails/passwords and to make money from selling my software.
In the end, they’ll have a nice amount of money in the bank, and a large user/password database that will allow them to do many other terrible things.

Finally, here’s a small explanation of how these Web sites get all the traffic:
Each time that a user puts his user name and password into msn-blocked.com, this Web site sends a live message in French to all the contacts of the user:

The message is sent in the name of the user who gave his user name/password, and invites all contacts to check the Web sites of MsnPass.Info or msn-blocked.com.
The users who receive this message think that it came from their Messenger friend, and thus many of them browse to this Web site, log in with their user/password, and cause this viral spreading to continue.

Since my last post about the MsnPass.Info Scam, the owner of this scam has extended the Web site, and now there are 3 new dedicated servers – 2.msnpass.info, 3.msnpass.info, and 4.msnpass.info
These new servers are hosted by the same hosting company – http://www.ovh.com, although I already reported the scam to them. It seems that they don’t really care that their services are used for fraud activities.

The main server (www.msnpass.info) is used for randomly redirecting the user to one of the other 3 servers, probably to avoid server overload.
In the last few days, this Web site has had an extreme amount of traffic, as you can see from this Alexa report:

In fact, for some of these days, this Web site received more traffic than the entire NirSoft Web site, despite the fact that it contains only a single page in French. This amount of traffic for a one-page Web site cannot be “natural”. The scam owner probably uses spam messages and other bad techniques in order to get this volume of traffic.

msnpass.info displays a download counter on the landing page, saying that more than 800,000 have already downloaded it. I don’t believe that this download counter is really the truth.
It’s more likely that this number represents the number of page views.
Assuming that this number represents the number of page views, and even if only a low percentage of the users actually paid and downloaded my software, it’s possible that the scam owner and allopass.com (the payment company) have already generated an income of more than 100,000 Euro from this scam.

One of my software users reported to me a scam Web site in French that sells my MessenPass utility under another, faked name.
This Web site displays a faked screenshot of the MessenPass utility. In this screenshot, the name of the utility is MsnPass.Info and my Web site address in the status bar was removed.
This Web site offers the users to “purchase” this utility for 2.00 EUR, which looks like a good and attractive price for a password-recovery utility, but without specifying that it’s a freeware tool that was taken from NirSoft.

This Web site uses the services of allopass.com to get the payments from users. I already sent them a message about this scam, but I don’t know if they are going to do something about that.

The Web site address is http://www.msnpass.info

In the last few days, I received lots of emails with “IKEA’s New Planning Software” in the subject:

This email offers a new Home Planner software from IKEA, and asks the user to follow the instructions in the attached zip file. But the attached file contains a Virus that probably continues to spread this “New Planning Software” message to more and more users.

The email looks like this one:

Subject: IKEA’s New Planning Software
From: “HomePlanner@IKEA.com”
Attachment: ikea.zip (347KB)

Body:
IKEA has a Fantastic new FREE tool for home decorating.
Introducing our Home Planner software which allows you to plan your home in a 3D environment.
Simply follow the instructions in the attachment and start planning your dream home today.

In the last few weeks, some virus distributors have tried to exploit the holiday season in order to spread Viruses more easily. The viruses are attached to email messages that offer coupons or special offers for Christmas.
The first 2 ‘Christmas Virus Messages’ already appeared in the beginning of December, and these emails identified themselves as originating from Coca Cola and McDonald’s.
Now there are 3 new messages which identify themselves as originating from Symantec, British Airways and Jack Daniel’s.

As my email address is pretty popular, I received dozens of these emails together with other junk, as you can see in the following screenshot:

All these emails instruct the user to open the attached file, which contains a Virus that probably continues to send these emails to more and more people.

Here are the details of all 5 Christmas Virus Messages:

  • Symantec

    Subject: Christmas Product Extention
    From: “noreply@symantec.com”
    Attachment: product-extention.zip

    Message Body:
    This holiday season Synamtec is rewarding our valued customers by extending your products protection period by six months.
    Follow the instrustions in the attachment to receive your extra protection and have a wonderful Christmas!
    Offer valid until midnight 31st January 2008.

  • British Airways

    Subject: Holiday Savings
    From: “noreply@britishairways.com”
    Attachment: britishairways-coupon.zip

    Message Body:
    British Airways is offering fantastic deals this festive season. Check your attached coupon and book online today for an amazing holiday!

  • Jack Daniel’s:

    Subject: Limited Edition Merchandise
    From: “noreply@jackdaniels.com”
    Attachment: jackdaniels-coupon.zip

    Message Body:
    Have yourself a Merry Christmas with Jack Daniel’s.
    Print the coupon and head for your local outlet
    for limited edition merchandise.

  • Coca Cola

    Subject: Coca Cola is proud to announce our new Christmas Promotion
    From: “noreply@coca-cola.com”
    Attachment: promotion.zip

    Message Body:
    Coca Cola is proud to announce our new Christmas Promotion.

    December, 2008

    Play our fantastic new online game for your chance to WIN a trip to the Bahamas and get all Coca Cola drinks for free in the rest of your life. See the attachment for details.

  • Mcdonalds

    Subject: Mcdonalds wishes you Merry Christmas!
    From: “giveaway@mcdonalds.com”
    Attachment: coupon.zip

    Message Body:
    McDonald’s is proud to present our latest discount menu.

    Simply print the coupon from this Email and head to your local McDonald’s for FREE giveaways and AWESOME savings.