Here we go again...


dra007

The benefit of being placed on spammers' lists is that sometimes you get an insight in how they do their business:

Here's one of their e-mails I just got...

Hello,

We are glad to introduce you new project http:// hyipsensor.net

Look our board http:// hyipsensor.net/board/ Here you can find any info regarding credit cards , exploits , trojans , viruses , hacked botnets, hacked hostings.

Also you will be able to buy any "closed for public" info like email bases, cc bases etc. And our daughter project http:// f1-finance.com will help you to launder any amount of E-gold currency.

We are glad to accept any innovations in our theme just email at admin[at] f1-finance.com

Thank you and welcome to background world of http:// hyipsensor.net

msg-id: 0684430

... here's one of their e-mails I just got..
Thanks for breaking those links dra007. I like to check them out and enter anonymously via LinkScanner (using the proffered LS link which is available after a clean scan). LS "found no known exploits" in either but after going back to browse through the first, then rescanning the second as preparation to doing the same there, LS said I (my IP address) had used all of my free 100 scans for the day - an overstatement of at least 95. Not sure what's going on (probably LS is really using a cumulative count rather than daily) but I'm not tempted to revisit either site JIC. A little paranoia is never enough.
The benefit of being placed on spammers' lists is that sometimes you get an insight in how they do their business:

Here's one of their e-mails I just got...

I went to the hyipsensor.net site. If there was indeed any info about hacking, trojans, credit cards, etc., then it wasn't obvious. Most of the info on this page (as with f1-finance.com) seems to be devoted to goofy HYIP plans, paid-to-surf plans, and other vaguely seamy activity, but not much about spamming, cracking, etc. I'd be willing to call this a JoeJob against the operators of the hyipsensor.net board. Maybe somebody got kicked off or something <grin>.

-- rick

...Most of the info on this page (as with f1-finance.com) seems to be devoted to goofy HYIP plans, paid-to-surf plans, and other vaguely seamy activity, but not much about spamming, cracking, etc. I'd be willing to call this a JoeJob against the operators of the hyipsensor.net board. ...
I've looked at both of them now (since Rick kindly went in front to kick the stumps) and would agree with that assessment. The F1 site (that logo has to be an infringement) no longer has the direct entry to the forums which (presently) shows in the Google cache and LinkScanner grumbles that the new indirect/roundabout entry to the forums stealths the owner's name which is only slightly exciting because that's mostly LS trying to coax some money out of me, I suspect. Sure, the F1 site, if operated free of the oversight always applied to financial institutions, could be used for money laundering. That's a big if and anyway the volumes quoted in public wouldn't make the watch point IIUC.

There may be some back rooms but the standard of posts on the surface make the communities there look pretty harmless. dra007, you should reply and ask for your money back and/or the secret handshake - someone's having a laugh I reckon.

Lucidity:

Somebody is pretending to be us in order to send spam

On the 26th of January we lost our main domain, hyipsensor.com. It is registered at registerfly.com, and registerfly never responded to our mails, livechat requests or even phone calls about this matter. On the 29th of January we launched our site with a new domain: hyipsensor.net.

And this time the attack comes again. Somebody is sending tonnes of mails:

-----------------------------------------------------------------------------------------

We are glad to introduce you new project http:// hyipsensor.net

Look our board http:// hyipsensor.net/board/ Here you can find any info regarding credit cards , exploits , trojans , viruses , hacked botnets, hacked hostings.

Also you will be able to buy any "closed for public" info like email bases, cc bases etc. And our daughter project http:// f1-finance.com will help you to launder any amount of E-gold currency.

-------------------------------------------------------------------------------------------

It is sent from the following server: mwinf3007.me.freeserve.com (mwinf3007.me.freeserve.com)

If you have any idea how we can prevent such a thing, or where to report it, please use our support form to inform us.

Yours

Engedi

Staff of Hyipsensor

Jan-30-2007 09:22:38 AM

And I swear that is not the website I saw when I first looked. The supposed spam originator has me stumped (it looks like a Wanadoo internal host, so just a fake or a missed step in reading the header, I guess).

[Added: looking at the context, it might be French mail (that was close) passed through 193.252.22.158 with SC Reporting addresses:

abuse[at]francetelecom.com

abuse[at]wanadoo.fr

abuse[at]uk.wanadoo.com

to which Ripe would add abuse[at]fsmail.net]

And it just needs to be added: don't touch the supposedly hijacked domain (the .com one) with a bargepole (or with IE, at any rate). LinkScanner sayeth the WebAttacker active exploit lives there (at IP addr. 216.40.47.17):

Exploit: Suspicious encrypted javascript

Article Num: 41

Date Posted: 05.30.2006

Posted By: Roger Thompson, CTO

Category: Research

:: Exploit: Suspicious encrypted javascript

A javascript is using a decryption technique to expose code which is suspected to contain a javascript window() (CVE-2005-1790) exploit. A malicious web page uses javascript to create a very large buffer of data and passes this into the prompt() function. This then causes Microsoft Internet Explorer to crash and, with the presence of properly injected code, can cause the remote execution of that code.

I'm guessing the spammer probably did muck it up: they meant to reference the exploited site, or maybe were relying on some sort of redirection during a latency period which went to the .net cached site instead.

There may be some back rooms but the standard of posts on the surface make the communities there look pretty harmless. dra007, you should reply and ask for your money back and/or the secret handshake - someone's having a laugh I reckon.

They keep sending more of those to me for some reason. I never clicked on any of the sites, obviously... just reported them, if that is doing any good. What made me smile is that after reporting these idiots for so long they still hope I might join them in their criminal ways; if they can't steal from you, maybe they hope they could corrupt you...

... if they can't steal from you maybe they hope they would corrupt you..

I suspect they were more interested in corrupting your computer on this occasion (a bit of a mis-fire if so; I doubt that many would blunder into the booby-trapped site). Anyway, the illicit goodies promised were not at all evident.

They keep sending more of those to me for some reason, I never clicked on any of the sites obviously...

This particular spam seems fairly wide-spread; distribution may be to a different list. Not that it matters: spam is spam is exploitation, even when it fails. Nobody would imagine you were complicit.