Search Engine Optimization & Web Hosting Solution

TOKYO (MacHouse) - Some 10 hours ago, we noticed that Internic’s Whois Server started showing odd results. If you use Mac OS, then launch Network Utility, switching the tab to Whois. If you run a search with a domain like google.com, you may get the result like the following.






GOOGLE.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM
GOOGLE.COM.ZZZZZ.DOWNLOAD.MOVIE.ONLINE.ZML2.COM
GOOGLE.COM.ZOMBIED.AND.HACKED.BY.WWW.WEB-HACK.COM
GOOGLE.COM.ZNAET.PRODOMEN.COM
GOOGLE.COM.WORDT.DOOR.VEEL.WHTERS.GEBRUIKT.SERVERTJE.NET
GOOGLE.COM.VN
GOOGLE.COM.UY
GOOGLE.COM.UA
GOOGLE.COM.TW
GOOGLE.COM.TR
GOOGLE.COM.SUCKS.FIND.CRACKZ.WITH.SEARCH.GULLI.COM
GOOGLE.COM.SPROSIUYANDEKSA.RU
GOOGLE.COM.SERVES.PR0N.FOR.ALLIYAH.NET
GOOGLE.COM.SA
GOOGLE.COM.MX
GOOGLE.COM.IS.SHIT.SQUAREBOARDS.COM
GOOGLE.COM.IS.NOT.HOSTED.BY.ACTIVEDOMAINDNS.NET
GOOGLE.COM.IS.HOSTED.ON.PROFITHOSTING.NET
GOOGLE.COM.IS.APPROVED.BY.NUMEA.COM
GOOGLE.COM.HAS.LESS.FREE.PORN.IN.ITS.SEARCH.ENGINE.THAN.SECZY.COM
GOOGLE.COM.DO
GOOGLE.COM.CO
GOOGLE.COM.CHIQUITASEXY.COM
GOOGLE.COM.BR
GOOGLE.COM.BEYONDWHOIS.COM
GOOGLE.COM.AU
GOOGLE.COM.AR
GOOGLE.COM   (more…)

TOKYO (MacHouse) - In reference to our report of January 12, 2009, a legal representative of Duebelbeis and Clever Agency opened a support ticket at our website to indicate their intention of suiting MacHouse. They write






This law firm represents Bobby Duebelbeis, and we have been asked to write this letter to you. Many of your statements about Bobby Duebelbeis in your blog postings are untrue and defamatory. You made them maliciously to injure Bobby Duebelbeis in his trade, office and profession. As such, they are defamatory per se. Under O.C.G.A. 51-5-11, this letter constitutes a demand for immediate retraction in writing of these false and libelous statements. In accordance with MO Statute 509.210, Bobby Duebelbeis deamnds that your retraction and correction be accompanied by an editorial in which you specifically repudiated your libelous statements. (See Screenshot 01.)   (more…)

TOKYO (MacHouse) - Yesterday, we reported that an organized group of half-retarded cyber criminals sent at least four spam messages targeting French PayPal users. Sender’s address is specified as service@paypal.com in each case. Also, the return-path is shown as anonymous@ns24075.ovh.net in each message. This phishing campaign is organized so poorly that the URL underlying the phrase Cliquez Ici pour activer votre compte (Click here to activate your account.) is misconfigured. Nonetheless, three of the four messages imply that there is a phishing website hosted at http://paypail.netingame.net. Yesterday, there was. And the same PayPal phishing website is still active. (See Screenshots 01-2.)

Screenshot 01 - Source: paypail.netingame.net

Screenshot 02 - Source: paypail.netingame.net

Screenshot 03 - Source: MacHouse

Inspecting the HTML source code of each phishing message, it doesn’t take an IT security expert to conclude that the mail source is a web server at ovh.net. (See Screenshot 03.) OVH is a web hosting company. (Screenshot 04 shows the gate page of OVH’s web hosting website.) We don’t know exactly where their main office is located (Roubaix, France?). The web server whose IP address is 91.121.18.16 may be traced to France since the packet crosses the English Channel through Global Cross from the U.K. side.   (more…)

TOKYO (MacHouse) - An organized group of half-retarded cyber criminals sent out at least four spam messages in the past 12 hours or so to scam French PayPal users. The first spam message of this kind that we received is titled Update Your Account Information. It’s written in English. But the entire message is then written in French. People with a common sense would write both the subject line and the body with the same language. That’s why we say a group of half-retarded people is involved.






1st PayPal phishing message

Title: Update Your Account Information
Sender’s address: service@paypal.com
Return-path: anonymous@ns24075.ovh.net






2nd PayPal phishing message

Title: Chers utilisateurs PayPal:Attention! Votre Compte PayPal A ete limite!
Sender’s address: service@paypal.com
Return-path: anonymous@ns24075.ovh.net






3rd PayPal phishing message

Title: (none)
Sender’s address: service@paypal.com
Return-path: anonymous@ns24075.ovh.net






4th PayPal phishing message

Title: Chers utilisateur PayPal:Attention! Votre Compte PayPal A ete limite!
Sender’s address: service@paypal.com
Return-path: anonymous@ns24075.ovh.net






(See Screenshots 01-4.)   (more…)

TOKYO (MacHouse) - If you have never heard of USTREAM.TV (www.ustream.tv), you may not be alone. (Screenshot 01 shows the index page of USTREAM.TV’s website.) According to Quantcast, this website is quite popular. Quantcast says USTREAM.TV attracts 1.4 million visitors from the U.S. and 6.6 millions visitors globally each month. (See Screenshot 02.) This large amount of traffic possibly translates into tens of thousands of dollars. Perhaps, the webmaster doesn’t care whether or not they have spam profiles. Traffic is traffic, which brings money, right?

Screenshot 01 - Source: USTREAM.TV

Screenshot 02 - Source: Quantcast

Screenshot 03 - Source: USTREAM.TV

One of the spam profiles created at USTREAM.TV is found at http://www.ustream.tv/channel/
free-zoo-sex-videos. (A continuous URL is divided into two lines.) If you are lucky, you will get to see a photo image of an attractive woman. (See Screenshot 03.) And you have one second or a little bit longer to escape. Or you will be redirected to a different website. The next destination is controlled by a junk website hosted at skypharmacist.com. You are most likely to then be forwarded to http://sextube.toplog.nl. This is not the final destination of your redirection journey. You will next be redirected to a fake codec website called PrivateTube. And it’s hosted at the domain of extremetube09.com. (See Screenshot 04.)

Screenshot 04 - Source: extremetube09.com

Screenshot 05 - Source: extremetube09.com

Screenshot 06 - Source: extremetube09.com

A fake codec website at extremetube09.com is pretty much the same as the one at myprivatetube09.com. Clicking on any of the gross images, one will be asked to install a video codec update. (See Screenshot 05.) Eventually, they will be forced to download a file called wmcodec_update.exe, which is expected to contain a package of computer viruses including Trojan.Dropper, Downloader, Trojan Horse variants, Tracking Cookie, Suspicious.MH690 and more.   (more…)

TOKYO (MacHouse) - As we reported yesterday, an organized cyber criminal group runs an active phishing website that targets Halifax Online Banking customers. A spam message with the subject line of *IMPORTANT *Update Your Halifax Online Banking* is designed to send Internet users to a phishing website hosted at the domain of uplink411.com. (See Screenshots 01-2.)

Screenshot 01 - Source: MacHouse

Screenshot 02 - Source: uplink411.com

Screenshot 03 - Source: uplink411.com

There is something odd and interesting about a website at uplink411.com. A URL in the spam message points to a phishing package installed at http://uplink411.com/okcjournal/shopping/
www.halifax-online.co.uk. (Note that a continuous URL is divided into two lines.) If you access a URL two levels up, then you will run across an index page that says Team-Hackers-Black Scorpion - Hackers By - www.r3d-crew.com…! (See Screenshot 03.)   (more…)

TOKYO (MacHouse) - According to the website at http://www.halifax.co.uk, Halifax is a division of Bank of Scotland. (Screenshot 01 shows the gate page of Halifax’s website.) And it’s this Halifax that has become the latest target of a phishing campaign.

Screenshot 01 - Source: Halifax

Screenshot 02 - Source: MacHouse

Screenshot 03 - Source: uplink411.com

An organized cyber criminal group circulated a spam message about two hours implicating Halifax Online Banking. Sender’s e-mail address is shown as online@halifax.co.uk. And the title of the message is *IMPORTANT *Update Your Halifax Online Banking*. The phishing message says







Halifax PLC. has been receiving complaints from our customers for
unauthorised use of the Halifax Online accounts.

Click Here.






(See Screenshot 02.) The URL underlying ‘Click Here’ is http://uplink411.com/okcjournal/
shopping/www.halifax-online.co.uk. (A continuous URL is divided into two lines.) And that’s where a phishing website is currently hosted. (See Screenshot 03.)   (more…)

TOKYO (MacHouse) - An organized African scam group circulated a trivial spam message more than one hour ago. It goes






We are pleased to inform you of the result of the just concluded annual final draws held on FEBRUARY 27th, 2009, 2008 PEPSI Company Worldwide Promotion, your email was among the 9 Lucky winners who won £250.000.00POUNDS each on the PEPSI Company.

In other to claim your £250,000.00POUNDS prize winning, which has been deposited in a designated bank. However,you will have to fill the form below and send it to the Promotion manager of The PEPSI Company for verification and then you will be directed to the bank where a cheque of£250,000.00POUNDS has already been deposited in your favour.

(See Screenshot 01.) It’s another boring spam campaign run by a group of half-retarded monkeys in Africa.   (more…)

TOKYO (MacHouse) - Career spammers often use YouTube, a popular video-sharing website, to send Internet users to their sponsors’ websites. Yesterday, we reported that an organized cyber criminal group circulated at least one spam comment around blogs and forums worldwide to send Internet users to a particular spam profile created YouTube.

Screenshot 01 - Source: YouTube

Screenshot 02 - Source: YouTube

Screenshot 03 - Source: YouTube

Shown in Screenshot 01-3 are spam profiles found at YouTube. All three spam profiles and more contain a link to the exactly same URL, which is http://myprivatetube09.com/zoo/19/1635/. Clicking on it, Internet users will be directed to the same fake codec website we introduced yesterday. It’s the same website that distributes a file named wmcodec_update.exe. And even the Mac version of Norton AntiVirus detects a computer virus, which Symantec calls Trojan.Dropper. (See Screenshots 04-6.)   (more…)

TOKYO (MacHouse) - As we reported earlier, an organized cyber criminal group circulates a suspicious Windows file with help of YouTube. They’ve created a spam profile at the popular video-sharing website, hoping YouTube visitors will click on the link that points to http://animalxx.toplog.nl. (See Screenshot 01.) Clicking on the link, internet users will be immediately redirected to a fake codec website hosted at the domain of myprivatetube09.com. (See Screenshot 02.)

Screenshot 01 - Source: YouTube

Screenshot 02 - Source: PrivateTube

Screenshot 03 - Source: PrivateTube

This disgusting website with a number of animal sex images has been installed to distribute a malicious file. Clicking on any of the images, one will be eventually forced to download a file titled wmcodec_update.exe. (See Screenshot 03.)   (more…)