Friday, August 10, 2012

aa419.org Purchase Inquiry

This just arrived in the aa419 email. We thought we would share it as it shows how everyone is an "expert". However, it would seem this expertise is limited to devious, unethical and other privacy-invading tactics much frowned upon on the net; the term "expert" cannot be linked to knowledge in this instance.
Subject: aa419.org Purchase Inquiry
Date: Thu, 9 Aug 2012 20:13:10 -0700
From: Jennifer R. Leadsen <jennifer.leadsen@webacquisitionco.com>
Reply-To: jennifer.leadsen@webacquisitionco.com
To: e629ab1607ee4ff59c3631fb86e70ecd.protect@whoisguard.com


We are private venture capital brokers.  If you are looking to exit from your online business, we specialize in bringing you buyers.
Our buyers are interested in acquiring profitable online businesses in this niche that have profits above $50,000 per year.
The current market for online businesses making over $350,000 in annual profit is up to 5 times your annual profit.  For online businesses making under $350,000 in annual profit, we are seeing up to 3.5 times your annual profit in your niche.
If interested in entertaining offers or getting an estimate of your online business, what would be the best phone number to reach you at?

Best Regards,

Jennifer R. Leadsen
Buying Team Lead
Site Sales Specialists
jennifer.leadsen@webacquisitionco.com
http://webacquisitionco.com
Phoenix, AZ.

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

ICANN Compliance Statement: Sent from physical address 485 Lexington Ave # 600 New York, NY.
All remove requests are fulfilled within 24 hours.  Simply reply to this email with the subject line or body stating "remove"

It does not exactly take a brain surgeon to determine how this party obtained the contact email address they spammed;
To: e629ab1607ee4ff59c3631fb86e70ecd.protect@whoisguard.com


WhoisGuard is a domain name privacy proxy. The forwarding address it publishes in WHOIS changes regularly; it was changed to the above email address within the last seven days, and that is the address that got spammed.
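One practical use of the observation above is an inbound-mail filter that flags any message addressed to the WHOIS proxy forwarding address, since that address is published nowhere except the registry record. This is an added Python example, not aa419's own tooling; the sample headers are constructed, and the hex-label `.protect@whoisguard.com` pattern is an assumption based on the header quoted above.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Forwarding addresses that only ever appear in a domain's WHOIS record.
# Assumption for this example: the shape "<32 hex chars>.protect@whoisguard.com"
# is taken from the header quoted in the post; other proxy services would
# need their own pattern added here.
PROXY_ADDRESS_PATTERNS = [
    re.compile(r"^[0-9a-f]{32}\.protect@whoisguard\.com$", re.IGNORECASE),
]

def proxy_recipients(raw_message: str) -> list[str]:
    """Return every recipient address that is a WHOIS privacy-proxy forwarder."""
    msg = message_from_string(raw_message)
    header_values = []
    for name in ("To", "Cc", "Delivered-To"):
        header_values.extend(msg.get_all(name, []))
    hits = []
    for _display_name, addr in getaddresses(header_values):
        if any(p.match(addr) for p in PROXY_ADDRESS_PATTERNS):
            hits.append(addr.lower())
    return hits

def classify(raw_message: str) -> str:
    """Tag mail sent to a proxy address: only a WHOIS lookup could have supplied it."""
    return "whois-harvested" if proxy_recipients(raw_message) else "normal"

# Constructed samples modelled on the headers quoted in the post (hex label made up).
HARVESTED = (
    "Subject: Purchase Inquiry\n"
    "From: broker@example.com\n"
    "To: 00112233445566778899aabbccddeeff.protect@whoisguard.com\n"
    "\n"
    "We specialize in bringing you buyers.\n"
)
ORDINARY = (
    "Subject: Hello\n"
    "From: friend@example.net\n"
    "To: Team <team@example.org>\n"
    "\n"
    "Hi.\n"
)

if __name__ == "__main__":
    print(classify(HARVESTED), classify(ORDINARY))
```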

Let us have a look at what anybody doing a domain WHOIS lookup agrees to:
Access to .ORG WHOIS information is provided to assist persons in determining the contents of a domain name registration record in the Public Interest Registry registry database. The data in this record is provided by Public Interest Registry for informational purposes only, and Public Interest Registry does not guarantee its accuracy.  This service is intended only for query-based access. You agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to: (a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the data recipient's own existing customers; or (b) enable high volume, automated, electronic processes that send queries or data to the systems of Registry Operator, a Registrar, or Afilias except as reasonably necessary to register domain names or modify existing registrations. All rights reserved. Public Interest Registry reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy.
(emphasis above our own)
aa419 and "webacquisitionco.com" have no business relationship, past or present, nor did aa419 solicit any such relationship. The received email can only be considered unsolicited.

However, the party at "webacquisitionco.com" that did the domain name lookup for marketing purposes deliberately ignored the terms shown in the PIR lookup: "under no circumstances will you use this data to: (a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the data recipient's own existing customers".

We also need to ask "webacquisitionco.com" what relationship they have with ICANN, given that they put an "ICANN compliance statement" in their spam.

The given address in the email is: 485 Lexington Ave #600 New York, NY
No "Site.." or "Web .." exists in the online tenant directory for 485 Lexington Ave.

This makes the received email illegal spam under US law.

The FTC summarizes the requirements for sending unsolicited email quite well. Of note:
Tell recipients where you’re located. Your message must include your valid physical postal address. This can be your current street address, a post office box you’ve registered with the U.S. Postal Service, or a private mailbox you’ve registered with a commercial mail receiving agency established under Postal Service regulations.
We can clearly see the above email does not comply. This address is a skyscraper with an online tenant directory where the email sender clearly does not appear.

But then again everyone is an "expert" and "specialist", especially "webacquisitionco.com".

You may have noted we quote "webacquisitionco.com" every time when mentioning them. This is deliberate. "webacquisitionco.com" is changing names at about the same rate the author changes socks (it's cold here). Here are some of the names, looking at the telephone number 602-364-9455:
Site Sales (as per their website)
Webbrokersco.com - same party and website.
Global Marketing Direct, S.A spammed osdir's debian mailing list, giving us more insight into the manner in which these "experts" operate.
Global Marketing Unit is advertising "expert SEO consultation".
Globalmarketingunited.com is another linked website.
internetsalesandmergers.com is the topic of discussion on DNForum.com after someone received a mail much like we did.

Previously:
globalmarketingseo.com
globalmarketingwebservices.com / "Cutting Edge Link"

What becomes extremely clear is that this party is using extremely unfriendly marketing tactics and believes that being a good, law-abiding network citizen simply does not apply to them.

An open question to our "expert" Jennifer at Whatever-you-decide-your-surname-to-be-next@whatever-you decide-your-next-expert-seo-name-is:

Where are you really based? Your "ICANN Compliance Statement" address keeps on changing between the spams we found.

Anyway just so we are clear:
AA419 may be sold when hell freezes over, but not before that. It belongs to the abuse-fighting internet community. As long as there are parties abusing the net, there will be a need for parties like us.

What happens when hell freezes over?
We may well change our minds and take on the devil's cyber cronies, of course. If not, we would get a real specialist to assist, one that knows the difference between ICANN and the CAN-SPAM Act and what it actually means. A second absolute qualifying requirement would be that they do not harvest domain registrants' details from the domain registries. As such we would not face a potential $16,000 overhead per email, a bit rich for us.

Would we recommend "webacquisitionco.com"?
No. Any marketing by "webacquisitionco.com" on behalf of anyone would be their responsibility under the CAN-SPAM Act. Let's head over to the FTC web pages again and look at what it says regarding this:
Monitor what others are doing on your behalf. The law makes clear that even if you hire another company to handle your email marketing, you can’t contract away your legal responsibility to comply with the law. Both the company whose product is promoted in the message and the company that actually sends the message may be held legally responsible.

Each email sent in a non-compliant fashion on behalf of the client "is subject to penalties of up to $16,000", as we also read here.

Oh, and Jennifer, you may even be fined and/or imprisoned:
The law provides for criminal penalties – including imprisonment – for:
...harvesting email addresses ...
You clearly violated this law by harvesting an email address from PIR's .ORG registry. Your other much-published "expert" marketing messages just prove this further.

As such a kind request to Jennifer-Whatever-you-decide-your-surname-to-be-next@whatever-you decide-your-next-expert-seo-name-is, please do not contact us again. But thank you for your humorous, though illegal, spam. It kept us entertained for about five minutes. We sincerely hope you enjoy Honduras and your Toshiba Laptop which is a tad removed from Lexington Ave.

Kind regards,

The aa419 team.

Thursday, May 3, 2012

A mistaken assumption in DDoS

AA419 is under a DDoS attack once again. This has become a regular event, yet never fails to silently amuse the AA419 members. It is a sure sign that we have hurt criminals.

There may be many reasons to DDoS a website. A DDoS may be a protest against institutions, as we have seen in the Anonymous DDoS'es on financial institutions in Operation Payback. They may be politically motivated, as in the case of the Georgia DDoS attacks. In a bizarre twist, a DDoS may also actually be silently targeting the clueless DDoS'ers who allow their systems to be used for "the cause", stealing their sensitive information like passwords and banking details.

However, as for the DDoS'es against AA419:
We are hurting the business of criminals by exposing them. These DDoS'es are revenge attacks, also an attempt at shutting us down. Scammers lose money and potential victims by us exposing their scams. We are also indirectly putting the spotlight on them. We can trace individuals back as far as 2004. This information has been used by the authorities on various occasions and will most likely be used again.

However, the scammer that hires a botnet to DDoS us uses flawed logic. AA419 is not a business. We have no profit motive, in fact no income. Our website being down does not hurt us financially. Yet while the DDoS is ongoing, we are still shutting down websites. Not having to administer forums and list scam websites frees us up to concentrate on finding scam websites and having them terminated. No forum spam, no database updating ... just pure scam website termination. We have a longstanding reputation of sending reliable abuse reports to service providers.

Of course there is another rather interesting aspect to being on the receiving end of a DDoS, studying the DDoS and related infrastructure used for the DDoS. Logs are kept and silently shared with the security community, a small additional way of making the net a safer place for all. A previous post on this blog gave a small insight into these activities.

AA419 will not get tired of the consistent DDoS'es. AA419 is not a person, AA419 is a regenerating community. Some of us were around when we experienced our first DDoS, others have since pursued other causes. New eager volunteers have filled their shoes. We have nothing to lose, yet everything to gain. Time is also on our side.

So, for now we are just "killing" scam sites, but we will be back.

A parting thought just for laughs: 
We tend to find and target a certain type of site for take-down during DDoS'es, resulting in more abuse reports for those types of sites, just like the ones that led to the DDoS initially.

Our power is not a website, our power is our reputation.

Well, signing off for now. A few more abuse reports need sending.

Saturday, April 2, 2011

AA419 DDoS: India's Crisis with Cyber Security

The DDoS against AA419 is still ongoing. One issue that became clear early on in the DDoS, was that numerous botnets were attacking the AA419 web server.

Also extremely noticeable was that the bulk of the attack traffic was coming from India. As such we contacted CERT in India. 

CERT India's response was extremely quick, thanks to the marvels of electronic communication. They read our email within minutes of it being sent. We knew this based upon a read notify I had put on the email. Sadly that is where it stopped. From the 28th of March 2011 to date they have not even had the common courtesy to reply.

This left us with a difficult decision:
Do we take a blanket approach to minimize the damage to the rest of the world and simply block Indian ISPs?  

While that would make a lot of sense, we also need to consider that India is one of the most highly targeted countries in West African fraud. Artists Against 419 needs to make the Indian public aware of scam sites that may potentially be targeting them. As such our website will remain reachable, despite CERT India's silence.

If it sounds like we are unfairly singling out a country, judge for yourself.

Bot overview

Initially, when we went live on the new server, we had a lot of work to do to mitigate the attack. One noticeable aspect is that there is no correlation between the number of attackers and the number of countries they are coming from.

Despite the 1st of April having the lowest number of originating countries for the attacking bots, it shows the second highest number of attackers for the day.


Bots by Region
 
Looking at the attacking systems, one experiences an optical illusion looking at the APNIC column. The column is not narrower than the rest. 

We clearly see the majority of the systems attacking us are coming from the APNIC region. Let us drill down into the APNIC region.


Bots by Country


This is quite shocking. We immediately see we have a serious issue with attacking systems coming from India. The number of bots from India is two orders of magnitude larger than from any other country in this region. In fact, on average 90% of all attacking IP addresses are coming from India.
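The per-day tally described in this section, as an added Python example that is not aa419's own script: it resolves blocked source addresses to a country and RIR through a constructed prefix table (a real deployment would use a GeoIP or RIR delegation database), then reports distinct attackers, distinct countries and the top country's share for each day, which is what makes the "fewer countries but more bots" observation visible. The log lines and the country labels are constructed.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed prefix table standing in for a GeoIP / RIR delegation database.
# The networks are RFC 5737 documentation ranges; the country and RIR labels
# are assumptions for this example only.
PREFIX_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "IN", "APNIC"),
    (ipaddress.ip_network("198.51.100.0/25"), "CN", "APNIC"),
    (ipaddress.ip_network("198.51.100.128/25"), "BR", "LACNIC"),
    (ipaddress.ip_network("203.0.113.0/24"), "US", "ARIN"),
]

def lookup(ip: str) -> tuple[str, str]:
    """Longest-prefix match of one address; unknown addresses map to ("??", "??")."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, country, rir in PREFIX_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, country, rir)
    return (best[1], best[2]) if best else ("??", "??")

def summarise(log_lines: list[str]) -> dict:
    """Per day: distinct attacking IPs, distinct countries, top country and its share."""
    per_day = defaultdict(set)
    for line in log_lines:
        timestamp, ip = line.split()[:2]
        per_day[timestamp[:10]].add(ip)          # count each bot once per day
    report = {}
    for day, ips in sorted(per_day.items()):
        by_country = Counter(lookup(ip)[0] for ip in ips)
        by_rir = Counter(lookup(ip)[1] for ip in ips)
        top, top_n = by_country.most_common(1)[0]
        report[day] = {
            "attackers": len(ips),
            "countries": len(by_country),
            "top_country": top,
            "top_share_pct": round(100 * top_n / len(ips)),
            "by_rir": dict(by_rir),
        }
    return report

# Constructed log of blocked hits: "<timestamp> <source ip> <request>".
SAMPLE_LOG = [
    "2011-03-31T10:00:01Z 192.0.2.1 GET /",
    "2011-03-31T10:00:01Z 192.0.2.2 GET /",
    "2011-03-31T10:00:02Z 192.0.2.1 GET /",          # repeat hit from the same bot
    "2011-03-31T10:00:03Z 198.51.100.5 GET /",
    "2011-03-31T10:00:03Z 198.51.100.200 GET /",
    "2011-03-31T10:00:04Z 203.0.113.9 GET /",
] + [f"2011-04-01T00:00:0{i}Z 192.0.2.{10 + i} GET /" for i in range(7)] + [
    "2011-04-01T00:01:00Z 203.0.113.3 GET /",
]

if __name__ == "__main__":
    for day, row in summarise(SAMPLE_LOG).items():
        print(day, row)
```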


A Reality Check
Apart from the attempt to disrupt the activities of AA419, we should remember that the systems being used for this botnet:
  • are also attacking other servers, trying to disrupt them (this has been verified)
  • are not really under their owners' control, but compromised and under the malicious control of some other unknown third party
  • pose a security risk to India and the rest of the world. We do not know what data on these systems has been compromised. Remember, these same systems may also be used to access bank accounts, government infrastructure, manage outsourced tasks or potentially access other sensitive infrastructure. Any system accessed from them is also potentially at risk.
All we can say to CERT India is that you are failing dismally in your mission:

Mission

To enhance the security of India's Communications and Information Infrastructure through proactive action and effective collaboration.

Here is the evidence you read the message that was sent to you with details:
This is a message receipt notification. The message sent on Mon Mar 28 2011 13:41:07 GMT+0530 (India Standard Time) to incident@cert-in.org.in with subject "Anybody from CERT India" has been displayed on the recipient's computer.

AA419 will have to seek to address the issue via other methods.

Wednesday, March 30, 2011

Spot the mistake!


Hint: Upper right corner!

Funny things happen when you steal from a Nigerian site without paying attention.

Monday, March 28, 2011

We're back and out to get them again

Well, while we are back and watching the lemming bots destroy themselves, there is a big reason for concern for one specific country. But I'm getting ahead of myself....

The trip back was not a simple one. I suspect our old server lost all will to serve mankind any further after it saw how certain groups of miscreants were preying on their fellow human beings. We thanked it silently and laid it to rest.

A newer and stronger server had to be found, and we found one thanks to our special friends. But it had to be kitted out to take on the scam wars, and also a DDoS against AA419. We obtained new disks and memory. Our suppliers were great and made sure the new hardware arrived promptly. Unfortunately the memory has some issues. So with some loan memory, the server said hello to the world after a bit of time.

As we opened the gates, we were ready. Our friends and we did a bit of tweaking here, a bit of tweaking there, a bit of tweaking everywhere. On the 25th of March 2011 we officially opened the gates. We were not surprised at the reception as bot upon bot said hello to us, all 148 thousand of them, trying to force us off the air again. It also quickly became clear that we were under attack from more than one botnet.

One serious issue we noticed was where 83% of the infected systems were located. However, this will be taken up with the CERT of that country.

So, to all our loyal followers, we are back, now not only terminating scammer sites again, but also sending out reports to ISPs and the like on botnet activity for the time being.

To all those that attack us with your botnets, read the previous sentence again carefully. 

If the server is a bit slow, remember you are trying to reach the same location as 148,000 malicious bots.

For all those miscreants out there, this one is for you:


I mentioned friends:
As the saying goes, "I'll get by with a little help from my friends". We thank you, you know who you are, for helping us get by.

In the next day or two we will be publishing some attack statistics. It should make for some extremely fascinating reading.