RE: CRIME An Interesting Spyware Scam to watch out for

From: Arthur Strutzenberg (arthur.strutzenberg@private)
Date: Mon May 12 2003 - 08:31:17 PDT


    Here is something else to think about as well, just occurred to me, that
    would be handy with such a list, is also trying to find out where
    permutations of a given domain are pointed to.  Nothing more
    embarrassing than fat-fingering the link to a web site, and having it
    come up with some other web site that has inappropriate content,
    especially when at work.
    
     
    
    --Arthur
    
     
    
    ------------------------------------------------------
    
    Arthur Strutzenberg        Swan Island Networks Inc
    
     
    
    arthur.strutzenberg@private
    
    http://www.swanisland.net
    
     
    
    (503)-796-7926 (x20)
    
    ------------------------------------------------------
    
     
    
    -----Original Message-----
    From: owner-crime@private [mailto:owner-crime@private] On Behalf
    Of Keith Proffitt
    Sent: Sunday, May 11, 2003 11:28 PM
    To: Crime List
    Subject: Re: CRIME An Interesting Spyware Scam to watch out for
    
     
    
    Shaun,
    
     
    
    After doing some searches on Joshuathan Investments, Inc, it seems this
    company is involved in multiple scams.  They buy and sell domain names.
    I would suggest staying away from all web sites that are registered to
    Joshuathan Investments, Inc.
    
     
    
    Here are a few URLs that either Joshuathan Investments owns or is
    written about.
    
     
    
    (Please do not go to this URL from a company computer.)
    
    www.sexflick.com/privacypolicy.html 
    
     
    
    Complaint was filed with CPR (Joshuathan Investments is the Respondent)
    
    http://www.cpradr.org/ICANNDecisionCPR0227-021209.htm
    
     
    
    Sunrise Challenges in .info
    
    http://arbiter.wipo.int/domains/decisions/2001/dinfo00200-00399.html
    
     
    
    Domain pirates (Shows several different people/companies doing the same
    thing)
    
    http://www.searchenginewatch.com/searchday/article.php/2160751
    
    "Lcos.com
    This site looks remarkably like googl.com. It's registered to "(This
    Domain is For Sale) Joshuathan Investments, Inc., 62 Cleghorn Street,
    Belize City, Belize."
    
     
    
     
    
    Good post on the different domain and search engine pirates
    
    http://eng.cmu.ac.th/~pruet/mailarchives/searchday/msg00036.html
    
     
    
    Here is a question(s) to the group.  
    
    Is there a way to obtain a listing that shows companies in select
    categories (porn sites, marketing sites, etc.) and are the companies
    required to identify themselves on the website?
    
     
    
    The reason I ask is it would be easier (cost & time) to register a new
    domain name than it is to start a new company or change the name of a
    company.  
    
     
    
    With the list, IT Security should be able to block such sites from
    corporate users.  Who knows, it might be possible to check the domain
    registry to see who owns a site before allowing a user to browse it.
    With the amount of domain names one company may have, I would think it
    would be easier to block the company than the domain.
    
     
    
    Keith
    
     
    
     
    
    Shaun Savage <savages@private> wrote:
    
    Good Analysis.
    How long now, until law enforcement shuts it down, or will it?
    
    Shaun
    
    Alan wrote:
    > I received an interesting spam in the mail. It contained a scam that
    > you might want to be aware of, especially if you have fairly gullible
    > users on your network.
    > 
    > Here is the text of the spam:
    > 
    > 
    > 
    >>From - 
    >>Return-Path: 
    >>Delivered-To: alan@ctrl-alt-del.com
    >>Received: from windowsupdatenow.com
    >> (adsl-68-120-92-123.dsl.irvnca.pacbell.net [68.120.92.123]) by
    >> clueserver.org (Postfix) with SMTP id 457062B6C3 for
    >> ; Sun, 11 May 2003 03:53:24 -0700 (PDT)
    >>Message-ID: <8d6d63abe320$003a31b0$c04fd773@private>
    >>From: 
    >>To: 
    >>Subject: Windows Update Notification
    >>Date: Mon, 12 May 2003 06:32:11 -1100
    >>MIME-Version: 1.0
    >>Content-Type: text/plain; charset="iso-8859-1"
    >>X-Priority: 1
    >>X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
    >>X-MSMail-Priority: High
    >>X-Mailer: Microsoft Outlook Express 5.00.2314.1300
    >>Content-Transfer-Encoding: quoted-printable
    >>X-Spam-Status: No, hits=1.4 required=5.0
    >> tests=X_MSMAIL_PRIORITY_HIGH,X_PRIORITY_HIGH,NO_REAL_NAME,LINES_OF_YELLING
    >> version=2.20
    >>X-Spam-Level: *
    >>Status: 
    >>
    >>WINDOWS SECURITY WARNING!!
    >>=20
    >>A VIRUS HAS BEEN DETECTED ON YOUR COMPUTER. IN ORDER FOR YOUR COMPUTER NOT =
    >>TO CRASH YOU WILL NEED TO GO TO:
    >>=20
    >>http://WWW.WINDOWSUPDATENOW.COM
    >>=20
    >>AND IT WILL AUTOMATICALLY UPDATE YOUR COMPUTERS! SECURITY PATCHES.
    >>=20
    >>SIMPLY TYPE IN HTTP://WWW.WINDOWSUPDATENOW.COM INTO YOUR BROWSER. OTHERWISE=
    >> YOU WILL KEEP RECEIVING THIS SECURITY ALERT EMAIL EVERY DAY.
    > 
    > 
    > Since I am running Linux, I was not too worried...
    > 
    > I checked out the site and it redirects you to
    > http://www.quicklaunch.com/perl/detection.pl.
    > 
    > The Linux unaware script attempts to download
    > http://download.quicklaunch.com/quicklaunch154.cab and install it. 
    > 
    > The program it tries to install is called "Quick Launch Toolbar". It
    > is a nasty little bit of Spyware/Adware. There is a good description on
    > removal at http://www.doxdesk.com/parasite/BrowserAid.html . 
    > 
    > The biggest concern is that it has an "update feature" that can
    > install arbitrary code on your machine.
    > 
    > Both domains are registered to:
    > 
    > This Domain Is For Sale joshuathaninvest@private
    > ( This Domain is For Sale ) Joshuathan Investments, Inc.
    > 62 Cleghorn Street
    > Belize City, Belize none
    > US
    > Phone: 501-2-31244
    > Fax: 501-2-34222
    > 
    > 
    > www.windowsupdatenow.com is hosted on wfb.dnsvr.com (65.125.231.178)
    > in Florida.
    > 
    > www.quicklaunch.com (66.117.19.206) hosted by nhicolo.com in LA,
    > California.
    > 
    > 
    
    



    This archive was generated by hypermail 2b30 : Mon May 12 2003 - 09:59:44 PDT
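
Arthur's suggestion at the top of this message, finding out where permutations of a given domain point, sketched as an added Python example that is not part of the original thread. It goes a little beyond the post by covering four kinds of keyboard slip; the function names, the `example.com` target, the same-row-only keyboard map and the documentation-range addresses are all assumptions made for illustration.

```python
import socket

ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")  # same-row QWERTY neighbours only

def neighbours(ch):
    for row in ROWS:
        i = row.find(ch)
        if i >= 0:
            return row[max(i - 1, 0):i] + row[i + 1:i + 2]
    return ""

def typo_permutations(domain):
    """Single-slip variants of a registrable domain such as 'example.com'."""
    name, tld = domain.lower().rsplit(".", 1)
    out = set()
    for i, ch in enumerate(name):
        out.add(name[:i] + name[i + 1:])                         # dropped key
        out.add(name[:i] + ch + name[i:])                        # doubled key
        if i + 1 < len(name):
            out.add(name[:i] + name[i + 1] + ch + name[i + 2:])  # swapped keys
        for near in neighbours(ch):
            out.add(name[:i] + near + name[i + 1:])              # adjacent key
    out.discard(name)
    return {f"{v}.{tld}" for v in out if v and v[0] != "-" and v[-1] != "-"}

def system_resolve(host):
    """IPv4 addresses from the OS resolver; empty set if the name does not resolve."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)}
    except socket.gaierror:
        return set()

def where_do_typos_point(domain, resolve=system_resolve):
    """Look-alikes that resolve somewhere other than the real domain's hosts."""
    legit = resolve(domain)
    report = {}
    for cand in sorted(typo_permutations(domain)):
        addrs = resolve(cand)
        if addrs and not addrs <= legit:   # skip the owner's own defensive registrations
            report[cand] = sorted(addrs)
    return report

# Constructed sample data (documentation-range IPs) standing in for live DNS.
FAKE_DNS = {"example.com": {"192.0.2.10"}, "examlpe.com": {"192.0.2.10"},
            "exmple.com": {"198.51.100.7"}, "wxample.com": {"198.51.100.7"}}

def demo():
    return where_do_typos_point("example.com", lambda h: FAKE_DNS.get(h, set()))

if __name__ == "__main__":
    for name, addrs in demo().items():
        print(name, "->", ", ".join(addrs))
```

Several look-alikes landing on one address, as `exmple.com` and `wxample.com` do in the sample data, is the grouping Keith's block-the-owner idea would key on.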