Bitcoin Phishing Spams Cashing in on the New Tulip Mania

As a spam and scam researcher I watch new domains being created for malicious purposes. The following domains are look-alike domains of blockchain.info and blockchain.com, two legitimate Bitcoin-related domains:

xn--blckchain-66a.info (blóckchain.info)
xn--blckchain-66a.net (blóckchain.net)
xn--blckchain-m8a.info (bløckchain.info)
xn--blckchain-wxb.info (blōckchain.info)
xn--blckchai-w3a03f.info (blóckchaiń.info)
xn--blckchaln-66a.com (blóckchaln.com)
xn--blckchan-81a8d.com (blóckchaìn.com)
xn--blckchan-i2a8c.info (blóckchaín.info)
xn--blckchin-eza9o.info (blóckcháin.info)
xn--blckchin-m7a96e.info (blōckchāin.info)
xn--bliockchai-s1b.com (bliockchaiņ.com)
xn--bliockci-o8a35ayl.com (bliockcħąiņ.com)
xn--bliokchai-3eb86d.com (blioċkchaiņ.com)
xn--bliokci-u4a5c4s9l.com (blioċkcħąiņ.com)
xn--bliokhai-49ab66d.com (blioċkċhaiņ.com)
xn--blioki-00a0cb4z9l.com (blioċkċħąiņ.com)
xn--blocchai-gmb8m.info (blocķchaiņ.info)
xn--blocchain-orb.com (blocķchain.com)
xn--blocchain-orb.info (blocķchain.info)
xn--blocchin-m7a15c.info (blocķchāin.info)
xn--blockchan-dob.info (blockchaīn.info)
xn--blockchan-ipb.info (blockchaįn.info)
xn--blockchan-n5a.info (blockchaín.info)
xn--blockchin-12a.info (blockchäin.info)
xn--blockchin-61a.info (blockcháin.info)
xn--blockchi-n7a50e.info (blockchāiņ.info)
xn--blockchin-c3a.info (blockchåin.info)
xn--blockchin-ccb.info (blockchāin.info)
xn--blockchin-hdb.info (blockchąin.info)
xn--blockchi-o8a54d.info (blockchąiń.info)
xn--blockchn-fza4j.info (blockcháín.info)
xn--blockchn-n7a43b.info (blockchāīn.info)
xn--blockhai-obb78c.info (blockčhaiņ.info)
xn--blokchain-xdb.info (bloćkchain.info)

These so-called IDN (internationalized domain name) domains substitute easily confused look-alike characters for ordinary letters. They will show up in links inside spam emails as part of phishing scams.
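As an added example (not code from the original post), here is a small Python checker that does what a mail filter or domain-monitoring job would do with the list above: decode each xn-- label from Punycode, strip the diacritics to get an ASCII "skeleton", and flag names whose skeleton sits within one edit of a watched brand. The brand list, the distance threshold and the small table of stroked letters that NFKD normalization does not decompose are assumptions for this example; the example only looks at the label before the last dot, so two-level suffixes such as .com.ar would need a suffix list.

```python
import unicodedata

# NFKD does not split these into base letter + mark, so map them by hand.
# Constructed for the characters that appear in the domain list above.
STROKED = {"\u00f8": "o", "\u0127": "h", "\u0142": "l", "\u0111": "d"}


def decode_idn(domain: str) -> str:
    """Decode every xn-- label of a domain from Punycode (RFC 3492) to Unicode."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def skeleton(text: str) -> str:
    """Collapse accented look-alikes onto plain ASCII letters."""
    out = []
    for ch in unicodedata.normalize("NFKD", text):
        if unicodedata.combining(ch):
            continue  # drop the accent, keep the base letter
        out.append(STROKED.get(ch, ch))
    return "".join(out)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are short domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, targets=("blockchain",), max_distance=1):
    """Return the watched brand a domain imitates, or None if it is clean.

    The genuine name is never flagged, whatever its TLD; anything else whose
    de-accented label is within max_distance edits of a target is reported.
    """
    decoded = decode_idn(domain)
    name = decoded.rsplit(".", 1)[0]  # label before the TLD (assumes a one-level TLD)
    base = skeleton(name)
    for target in targets:
        if name == target:
            return None
        if levenshtein(base, target) <= max_distance:
            return target
    return None


if __name__ == "__main__":
    for d in ("xn--blckchain-66a.info", "xn--bliockchai-s1b.com", "blockchain.info"):
        print(d, "->", decode_idn(d), "->", lookalike_of(d))
```

Running the block over the full list in the post flags every entry, because after de-accenting each one is either exactly "blockchain" or one insertion away from it (the "bliock" and "blóckchaln" variants).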

Phishing is just one of the pitfalls around Bitcoin and other crypto-currencies. Scammers have revamped the old so-called “High Yield Interest Programs” (HYIP), which are really just a Ponzi scheme, to hitch a ride on the publicity around Bitcoin’s stratospheric rise in 2017. If you deposit Bitcoins into an online investment scheme, the scammers can just walk away with your deposit and cash it out into dollars, euros or rubles without being traced.

The latest exchange rate push beyond US$10,000 came on the heels of the cancellation of the SegWit2x fork, a proposed upgrade to the underlying technology that not the whole of the Bitcoin community was prepared to follow. The driving force behind the upgrade was the urgent need to handle more transactions, if Bitcoin was truly going to be used as a payment vehicle competing against credit cards, wire transfers and PayPal. If new Bitcoins are constantly being mined and the value of Bitcoin goes up, but the average purchase the crypto-currency is used for doesn’t change much, then the system needs to be able to handle more individual transactions.

By cancelling the upgrade, a split of the community has been avoided, but at what cost? It’s really a vote for Bitcoin as speculation object and against it as a viable payment method.

A friend of mine expressed it best when he mentioned that it reminded him of “Pump and Dump” stock scams, only that in the case of Bitcoin it is legal. With all this publicity, existing Bitcoin holders will be able to offload their existing tokens at huge profits. Then, when people realize that Bitcoin is no longer able to work as an efficient payment system (except for scammers, drug dealers and money launderers who value anonymity), the bottom will fall out and all the recent investors will lose billions. It’s Tulip mania all over again.

Bitcoin Scams – Stay Away!

The relative anonymity offered by virtual currencies such as Bitcoin (BTC) makes them an attractive vehicle for criminals.

Recently we’ve seen some scams that involve spam inviting you to send money to a Bitcoin address, offering ridiculously high rates of interest on this supposed investment. It’s a new take on the old High Yield Investment Program (HYIP) Ponzi schemes.

In reality there is no way to ensure you get repaid once you’ve sent (virtual) money or that the scammers will be held accountable for the fraud. At best some early “investors” will have interest paid from deposits of later “investors”, who will definitely get stiffed. The scammers can simply exchange any deposited BTC into dollars at a Bitcoin exchange and walk away with the money.

Subject: blockchain doubler.

BLOCKCHAIN BY THE NUMBERS,

9/23/2017 12:58:33 from blockchain support

We are pleased to announce a new product – Bitcoin Doubler,
This is limited offer , 5-10 days.
Bitcoin Doubler is active from 23 September 2017 18:00 Pacific until September 29, 2017 18:00.

You can deposit today 0.2 minimum Bitcoins. Maximum amount of deposit by a natural or legal person is 50 Bitcoins. This is an amazing opportunity to win up to 40 Bitcoins if you invest 20 Bitcoins.

How do you double my bitcoins?

Our automated system gathers information from the blockchain transfers and cryptocurrency exchanges to study and predict the bitcoin price, our servers open and close thousands of transactions per minute, analyzing the price difference and transaction fees, and use that information to generate profit.

Investors who want to apply and invest on Blockchain, please make a Bitcoin transfer to:

147SBxHfuN2KJaLMNGo852gJCm5gCdNvq6

How long does it usually take to receive doubled bitcoins?
We pay to you 10% every hour for 100 hours.
HINT : users who deposit more the 10 bitcoins will get bitcoins doubled in maximum 5 minuts.
users who deposit lower then 10 bitcoins will get bitcoins doubled after 6 confirmations.

To trace your investment please send an email to bitcoin-doubler@blockchain.info , And subject to put your Bitcoin address. The Bitcoin address must be the same as you used to invest. If you put in the email a Bitcoin address you not used to making investments, you will only receive an email with your status. If you submit a correct email with a correct address Bitcoin (the same used to make your placement), you will receive an email with the total Bitcoin invested and the date and time of your payment will be made.

Hurry up! This is a Iimited license, unique opportunity.

Here’s another one, using the name of one Bitcoin exchange:

Subject: WEX. important news!

WEX. Rising ex. BTC-e,

9/22/2017 13:20:27 from admin

Team of WEX is glad to welcome you on our new platform!

This is our first official announcement!
We thank all ex-users of BTC-E for their patience at such a difficult moment for all of you guys.

All users who deposit on our platform will get in 2 days , 40% bonus.
Clients who want to apply now on WEX, please make a Bitcoin transfer to:

1QGbpENUv3xJCtiqTcUPM1Vvnwx5FRR6uZ

Hurry UP ! 4510 clients allready deposit , we have now 4110.562 BTC
Due to a large demand among our customers, we expand our bonus for 10 days.

Check status here : https://blockchain.info/address/1QGbpENUv3xJCtiqTcUPM1Vvnwx5FRR6uZ

We will refund your first deposit with dividends withing 2 days at 00:00 Pacific Time. (For example: investing 3.00 Bitcoins today will return 5.20 Bitcoins after 2 days at 00:00 Pacific time) The profits are withdrawn immediately and Blockchain or WEX waives all rights for 1st level investments.

To trace your investment please send an email to btc-invest@wex.nz , And subject to put your Bitcoin address. The Bitcoin address must be the same as you used to invest. If you put in the email a Bitcoin address you not used to making investments, you will only receive an email with your status. If you submit a correct email with a correct address Bitcoin (the same used to make your placement), you will receive an email with the total Bitcoin invested and the date and time of your payment will be made.

Hurry up! This is a Iimited license, unique opportunity.

Thank you, that you believed in us. Thank you that you are with us.
With respect, WEX team.

Any offer arriving via spam that mentions Bitcoin: Stay away from it!

The MKT Negocios Spammers in Argentina

For years I’ve been tracking spam from Argentina that is using yopmail.com / yopmail.net disposable sender addresses.

Unlike a lot of spam sent from other countries, the advertised companies are mostly legitimate businesses, some of whom may be clueless that mail is being sent to unwilling recipients all over the globe who may not even speak Spanish.

The sender IPs tend to be on cablevision.com.ar, for example from the 190.188.0.0/15, 190.190.0.0/15 and 181.164.0.0/14 ranges.
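The two indicators named so far, a disposable yopmail.com / yopmail.net sender address and a connecting IP inside the cablevision.com.ar ranges, are easy to turn into a filter rule. The following Python is an added example (not part of the post, and not a published blocklist): it reads the sender domain and the IP recorded in the topmost Received header, which is assumed to be the one added by our own MX, and reports which of the two indicators matched. The sample messages are constructed.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Ranges named in the post, kept as ipaddress objects so membership is a simple test.
SENDER_RANGES = [
    ipaddress.ip_network(n) for n in ("190.188.0.0/15", "190.190.0.0/15", "181.164.0.0/14")
]
DISPOSABLE_DOMAINS = {"yopmail.com", "yopmail.net"}

# The bracketed literal an MTA writes for the peer address, e.g. "([190.189.10.20])".
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def classify(raw_message: str) -> dict:
    """Return the sender domain, the first-hop IP and the list of matched indicators."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()

    # Received headers are returned top-down; the top one was added by our MX
    # (assumption for this example), so its bracketed IP is the host that connected to us.
    first_hop_ip = None
    received = msg.get_all("Received", [])
    if received:
        m = RECEIVED_IP.search(received[0])
        if m:
            first_hop_ip = ipaddress.ip_address(m.group(1))

    reasons = []
    if sender_domain in DISPOSABLE_DOMAINS:
        reasons.append("disposable sender domain " + sender_domain)
    if first_hop_ip is not None and any(first_hop_ip in net for net in SENDER_RANGES):
        reasons.append("first-hop IP %s in a listed range" % first_hop_ip)

    return {"sender_domain": sender_domain, "first_hop_ip": first_hop_ip, "reasons": reasons}


# Constructed sample: disposable sender, connecting host inside 190.188.0.0/15.
SPAM_SAMPLE = """Received: from pc.example ([190.189.10.20]) by mx.example.org with ESMTP; Wed, 20 Sep 2017 10:00:00 +0000
Received: from [10.0.0.5] by pc.example; Wed, 20 Sep 2017 09:59:00 +0000
From: "Promociones" <ofertas@yopmail.com>
To: victim@example.org
Subject: Oferta especial

Cuerpo del mensaje.
"""

# Constructed sample: ordinary sender from an unrelated network.
CLEAN_SAMPLE = """Received: from mail.example.net ([203.0.113.7]) by mx.example.org with ESMTP; Wed, 20 Sep 2017 10:05:00 +0000
From: Alice <alice@example.net>
To: victim@example.org
Subject: Lunch?

See you at noon.
"""

if __name__ == "__main__":
    for sample in (SPAM_SAMPLE, CLEAN_SAMPLE):
        print(classify(sample))
```

Either indicator on its own is weak (yopmail has legitimate users, and the ranges are residential), so a real filter would score them rather than reject outright; the point of the example is that both are extractable from headers without looking at the body.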

The spamming company owns several domains, but these don’t normally show up in sender addresses or links, e.g.:

mktnegocios.net:

Domain name: mktnegocios.net
Registry Domain ID: 186887
Registrar WHOIS Server: whois.dattatec.com
Registrar URL: http://dattatec.com
Updated Date: 2017-09-20T01:00:53Z
Creation Date: 2011-09-19T11:24:51Z
Registrar Registration Expiration Date: 2018-09-19
Registrar: dattatec.com SRL
Registrar IANA ID: 1388
Registrar Abuse Contact Email: abuse@dattatec.com
Registrar Abuse Contact Phone: +54.3415169000
Domain Status: OK
Registry Registrant ID: DC282919DTT
Registrant Name: Cid Ricardo Ernesto
Registrant Organization: Cid Ricardo Ernesto
Registrant Street: Islandia 4393
Registrant City: Lanus Oeste
Registrant State/Province: Buenos Aires
Registrant Postal Code: 1824
Registrant Country: ar
Registrant Phone: +54.42679611
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: ricardocid@hotmail.com

mktnegocios.info:

Domain Name: MKTNEGOCIOS.INFO
Registry Domain ID: D42311407-LRMS
Registrar WHOIS Server:
Registrar URL: http://dattatec.com
Updated Date: 2017-09-19T22:22:35Z
Creation Date: 2011-09-19T11:25:09Z
Registry Expiry Date: 2018-09-19T11:25:09Z
Registrar Registration Expiration Date:
Registrar: Dattatec.com SRL
Registrar IANA ID: 1388
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Reseller:
Domain Status: ok https://icann.org/epp#ok
Domain Status: autoRenewPeriod https://icann.org/epp#autoRenewPeriod
Registry Registrant ID: C114356985-LRMS
Registrant Name: Cid Ricardo Ernesto
Registrant Organization: Cid Ricardo Ernesto
Registrant Street: Islandia 4393
Registrant City: Lanus Oeste
Registrant State/Province: Buenos Aires
Registrant Postal Code: 1824
Registrant Country: AR
Registrant Phone: +000.42679611
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: ricardocid@hotmail.com
Registry Admin ID: C114356985-LRMS
Admin Name: Cid Ricardo Ernesto
Admin Organization: Cid Ricardo Ernesto
Admin Street: Islandia 4393
Admin City: Lanus Oeste
Admin State/Province: Buenos Aires
Admin Postal Code: 1824
Admin Country: AR
Admin Phone: +000.42679611
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: ricardocid@hotmail.com
Registry Tech ID: C114356985-LRMS
Tech Name: Cid Ricardo Ernesto
Tech Organization: Cid Ricardo Ernesto
Tech Street: Islandia 4393
Tech City: Lanus Oeste
Tech State/Province: Buenos Aires
Tech Postal Code: 1824
Tech Country: AR
Tech Phone: +000.42679611
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: ricardocid@hotmail.com
Registry Billing ID: C114356985-LRMS
Billing Name: Cid Ricardo Ernesto
Billing Organization: Cid Ricardo Ernesto
Billing Street: Islandia 4393
Billing City: Lanus Oeste
Billing State/Province: Buenos Aires
Billing Postal Code: 1824
Billing Country: AR
Billing Phone: +000.42679611
Billing Phone Ext:
Billing Fax:
Billing Fax Ext:
Billing Email: ricardocid@hotmail.com
Name Server: NS21.DATTATEC.COM
Name Server: NS22.DATTATEC.COM
Name Server: NS3.HOSTMAR.COM
Name Server: NS4.HOSTMAR.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/

mktnegocios.com.ar:

Datos del dominio
Nombre y Apellido: DALLAVIA FERNANDO LUCIANO VICTOR LUCIANO VIVTOR
CUIT/CUIL/ID: 20220483895
Fecha de Alta: 23/01/2017
Fecha de última Actualización: 24/01/2017
Fecha de vencimiento: 23/01/2018

On their website they explain to their prospective customers that they will spam to harvested addresses:

BASE DE DATOS :

Contamos con bases de datos argentinas y del exterior validadas la totalidad de las mismas cada 15 dias, asegurandonos asi la completa funcionalidad y validez de los emails. Los datos se obtienen a traves de extracciones de emails por medio de software en la web.

Translation:

Databases

We have Argentine and foreign databases completely validated every 15 days, thus ensuring the full functionality and validity of emails. The data is obtained through extraction of emails through software on the web.

Owners of harvested addresses have by definition not signed up to receive bulk mail. Their various mailing packages go as high as 16,000,000 emails…

If you’re a business in Argentina trying to decide on online advertising, hiring a spammer like this will damage your reputation and may end up getting your domains blacklisted.

Updated jwhois.conf File for CentOS for New gTLDs

The whois command on CentOS 6.x and 7.x doesn’t handle queries for many domains in new Top Level Domains (TLDs) that were added by ICANN in the last few years.

Domains from many of these new TLDs are selling for as little as $0.99 a pop, making them attractive to snowshoe spammers who create them in large numbers. As a spam researcher, I see lots of new spam domains from TLDs such as .xyz, .online, .top, .club, .services, .win, .site, .bid, .life and .trade.

WHOIS is an important tool for me to track the domain registrants. CentOS uses jwhois as its WHOIS client, which relies on a configuration file to tell it what servers to query for detailed information. The configuration file that comes with recent CentOS versions is woefully out of date.

I have gone through the currently existing TLDs and counted 466 of them that are not supported by jwhois but appear to have a valid WHOIS server. I have been able to verify for about half of these TLDs that the WHOIS server works and have added them to my configuration file, which you can download here.

Many of the rest of the new TLDs are hosted on Neustar, which performs rate limiting on lookups. Because of that I didn’t fully verify functioning of all those hosts, but I verified that CNAMEs exist for the WHOIS hosts that redirect to Neustar WHOIS servers and tested a small sample of those TLDs.
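What jwhois does with its configuration file is simple: pick a WHOIS server by the domain's suffix, open TCP port 43, send the domain name followed by CRLF and read until the server closes the connection (RFC 3912). The Python below is an added example of that lookup, not the jwhois code or its configuration format. The server table is illustrative; the fallback to whois.nic.<tld> reflects the naming that new gTLD registries use for their WHOIS hosts, and the canned socket exists only so the example runs offline. Network use is assumed to be rate-limited, as the post notes for Neustar-hosted TLDs, hence the delay between queries.

```python
import socket
import time

# Illustrative suffix -> server table (longest matching suffix wins).
WHOIS_SERVERS = {
    "com": "whois.verisign-grs.com",
    "net": "whois.verisign-grs.com",
}


def whois_server_for(domain: str, table=WHOIS_SERVERS) -> str:
    """Choose a WHOIS server: explicit table entry, else whois.nic.<tld>."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):          # try "co.uk" before "uk"
        suffix = ".".join(labels[i:])
        if suffix in table:
            return table[suffix]
    return "whois.nic." + labels[-1]         # convention for new gTLD registries


def whois_query(domain, server=None, connect=socket.create_connection, timeout=10):
    """Send one RFC 3912 query and return the server's reply as text."""
    server = server or whois_server_for(domain)
    with connect((server, 43), timeout) as sock:
        sock.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:                     # server closes when it is done
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def whois_many(domains, delay=2.0, sleep=time.sleep, **kw):
    """Query several domains, pausing between them to stay under rate limits."""
    results = {}
    for n, d in enumerate(domains):
        if n:
            sleep(delay)
        results[d] = whois_query(d, **kw)
    return results


class CannedSocket:
    """Offline stand-in for a TCP socket: records what was sent, replays a reply."""

    def __init__(self, reply: bytes):
        self._buf = reply
        self.sent = b""

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False

    def sendall(self, data):
        self.sent += data

    def recv(self, n):
        chunk, self._buf = self._buf[:n], self._buf[n:]
        return chunk


def canned_connect(reply: bytes):
    """Return a connect() replacement that hands out CannedSocket objects."""
    return lambda address, timeout=None: CannedSocket(reply)


# Constructed reply, shaped like the registrar output quoted earlier on this page.
SAMPLE_REPLY = b"Domain name: mktnegocios.net\r\nRegistrar: dattatec.com SRL\r\nRegistrar IANA ID: 1388\r\n"

if __name__ == "__main__":
    print(whois_server_for("example.xyz"))
    print(whois_query("mktnegocios.net", connect=canned_connect(SAMPLE_REPLY)))
```

To query a live server, drop the connect= argument; the default socket.create_connection is what the canned object stands in for.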

The Latest “Pump and Dump” Stock Scams

For a while things were quiet on the stock spam front, but penny-stock pushers have recently been making a comeback. We’ve seen these campaigns:

  • 2017-03-20: Incapta Inc (INCT)
  • 2017-04-11: Quest Management (QSMG)

If you receive spam pushing shares, beware! Never buy stock based on “information” sent out as spam. The only people making money on such stocks are the scammers, who wait for the spammed buyers to offload their near-worthless shares at grossly inflated prices. Reselling such stock is near impossible and usually will lead to great losses.

Native ads, a race to the bottom for online media

Over the past year you will have seen a steady increase of so-called “native ads” while reading articles online. You know, those half dozen or more links with pictures to what at first looks like other articles recommended by the publisher. Only, they are really outside links. Many are click-bait ads, with pictures and headlines designed to grab your attention. They are introduced with tags like “From the web” or “Promoted stories”. The small print will mention companies like Outbrain, Taboola or Revcontent that place the ads in the space that they rent from the website owner.

At best, the advertised content doesn’t live up to the attention-grabbing ads. At worst, the advertisers try to sell you something utterly worthless through deception and lies, including miracle weight loss, anti-aging and anti-Alzheimer pills or promises of jobs that make thousands of dollars a month with no special skills required. Many of these offerings involve recurring credit card charges that are very difficult to get out of.

So why have reputable publishers like the Washington Post, Newsweek and The Atlantic embraced “native ads” on their websites? The answer of course is money. As the Internet grew, print advertising revenues have been collapsing for traditional media as much of the ads have moved online. What’s worse, with Google Adsense and Facebook ads, traditional publishers now have to compete for eyeballs against an almost unlimited number of websites and SNS, making it very hard to replace print ad revenue with online ad revenue. Companies like Outbrain and Taboola (both based in Israel) and RevContent (based in Florida) are offering better rates to site owners, but they can only do that because they seem to have few ethical problems selling anything that makes money.

Back in the 1990s I used to read High Times, which always carried pages of “fake pot” ads. The description for these products might lead naive readers to think that these legal products offered some of the effects of illegal marijuana, but it was really just bullshit and the High Times editors knew that. Their dilemma was that Congress had passed anti-paraphernalia laws that discouraged their traditional advertisers (e.g. for glass pipes) from advertising and the “fake pot” scammers were ready to fill the gap. When rival magazine Cannabis Culture pointed out the hypocrisy of High Times helping to defraud their readers, one of the editors offered an excuse along these lines: “If you don’t like these ads, why don’t you buy that advertising space yourself?” It’s not quite as simple as that.

While every business needs revenue to survive, I think ultimately, accepting money from unethical sources such as scammers does undermine your credibility. Gradually, more and more consumers will realize these “promoted stories” and “sponsored content” are nothing but deceptive junk. Taking money from these advertisers is a devil’s bargain that will damage the reputation of sites running unethical ads. If readers of reputable news sites lose faith in them, what will they have left that distinguishes them from fake news sites?

OTCH:SWRM spam

Never buy stock advertised via spam (especially penny stocks), such as this one:

Subject: This company is a rare opportunity to quintuple your money before Christmas.

Appswarm needs your attention. This is the only stock you need to buy today.
Keep on reading to find out why..

Appswarm (ticker: SWRM) is a mobile games developer that has built some of
the most popular games on the planet.

The games have been downloaded more than 100 million times and the company is
planning to launch 5 new titles in January 2017 (next month).

SWRM is extremely undervalued and there are serious rumors circulating that the maker of
Candy Crush (King, a multi billion dollar company) is about to buy it out for $1.17 per share before Christmas.

At this moment SWRM is trading at just pennies but a buy out from King will automatically
send it to over $1 in a matter of minutes.

This is your chance to buy a stock just days before a major acquisition and stand to
gain more than 1,500% just days before Christmas.

This is a scam: the only people making money on this stock are the spam senders, who will be trying to offload their existing holdings.

PayPal malware social engineering

I instantly got very suspicious when I received this from PayPal today:

Hello [my name here],

Colin Neal would like to be paid through PayPal.

Note from Colin Neal: Good afternoon. There was a pay of 200$ from my wallet on your wallet , as if I bought smth from you on Ebay. But I didn’t do this. It must be a mistake. Write me on kcsystems1@gmail,com i’ll send you the copy of invoice. Sorry to disturb you.

Details

Request Date: November 29, 2016
Requested Amount: $200.00 USD
Your Email Address: [my PayPal email address]

Click the button below to send Colin Neal your payment and see the details of this money request.

[ Pay now! ]

Of course I did not click on the “Pay Now!” button, but looking at the email header, the mail was actually sent via PayPal’s mail servers!

I logged into PayPal from scratch on another machine by typing in the PayPal domain name and verified that there was indeed a money request for $200 in my PayPal account. However, it came from a random looking Gmail address, “pvbkrngkjqo@gmail.com” and not the address I was told to contact. Even more suspicious than the first email!

So I fired off an email from another mail account (not my PayPal mail account) to “kcsystems1@gmail.com” and explained that I had not received any funds and that this must be a scam. But as suggested in the initial message, they then sent me a link to an “invoice”:

Good afternoon. This is a copy of invoice.
https://paypal.com/user/files/paypalInvoice_000092419298377.doc

Looking forward your reply. Thanks.

Looking at the actual target of the link, it pointed at a completely different location:

http://myotaku.com.my/system/helper/json/paypalInvoice_000092419298377.doc

When I downloaded it using a secure tool and submitted it to VirusTotal.com, six of the tools consulted detected it as malware:

AVware LooksLike.Macro.Malware.k (v) 20161130
Avast VBA:Downloader-DSH [Trj] 20161130
Fortinet WM/Agent.CBW!tr 20161130
Qihoo-360 virus.office.gen.85 20161130
Symantec W97M.Downloader 20161130
VIPRE LooksLike.Macro.Malware.k (v) 20161130

This scam uses a clever bit of social engineering. The original email comes from a real PayPal server, a trusted source, and it doesn’t include any malicious links or attachments.

By getting you to initiate contact with the malware scammer, the subsequent reply with its malicious link will arrive from an email address that you have previously contacted, which will subject that email to less severe filtering. This makes it more likely the malicious link goes through.

Always be alert to how scammers set up mail exchanges where malware will only arrive after several steps specifically designed to defeat filtering. For example, they may contact you first to ask for a quote and then email you what is supposed to be an order, but is really malware.

“EU Business Register” spammers

Here is some spam sent to one of my mailboxes recently:

Hello,

In order to have your company inserted in the EU Business Register for 2016/2017, please print, complete and submit the attached form (PDF file) to the following address:

EU BUSINESS REGISTER
P.O. BOX 34
3700 AA ZEIST
THE NETHERLANDS

Fax: +31 30 310 0126

You can also attach the completed form in a reply to this email.

Updating is free of charge!

A very deceptive offer, because even though updates may well be free (as stated), the offer itself is not: a careful reading of the small print in the attached PDF revealed it to be a solicitation for a three-year subscription at 995 EUR per year, automatically renewing unless cancelled two months in advance. So filling in and signing the form would cost you at least 2985 EUR.

A quick Google search showed that these guys are already known to Spamhaus, who think that they’re from Romania.

“Helfen Sie uns, Ihr eBay-Konto zu schützen”

I received an email today that claimed to come from eBay Germany and at first glance looked like yet another phishing scam, complete with a link to a website for me to click on to “protect my account”. Even more suspiciously, the greeting at the top did not address me by my first name or full name.

Only when I looked at the message headers did I realize that the mail actually came from eBay’s mail servers. It was real. Still, as a simple precaution I typed eBay’s website address into a browser window to log in from scratch, ignoring the link in the email, just in case…

Later, when I had another look I noticed the small print at the bottom did actually mention my full name, again supporting that the mail was legitimate.

I found the whole experience pretty disappointing for a company of this size that has been in the business for so long and during that time has always been a prime target for phishing scams:

1. Please address the customer by their full name, otherwise you undermine years of education efforts. PayPal addresses all their customer mails to the full name of the recipient, why not eBay? Sceptical people may have ignored that email while for naive people it has made it harder to distinguish phishing mails from real mails.

2. Please do not ask people to click a link in an email claiming to be from you to go to a website that asks for their user name and password. Simply ask them to go to the eBay website in a browser and log in there. That removes any question whether any link is genuine or not or whether it’s safe to click on.

Don’t train customers to do things in your real business emails that phishing scammers would also like them to do, especially when there are alternatives.