Scam Domain News

A difficult situation any hosting provider faces, is a notice that he is hosting criminal content. Let us be fair, he cannot police each and every hosting account. However, the less than savory criminal elements do abuse the internet from on an ongoing basis.

Part and parcel, in many cases of scam websites, is plagiarism. Criminals need quick web content to propagate a scam. The Internet is their menu. They will simply go and steal content from a luckless victim. The choice of web content stolen is often reflected by the particular scam they are trying to con luckless victims into.

Consider your average phishing scam. Criminals will send an email claiming to be from a bank to many potential victims. The less than alert and knowledgeable victim will actually fall into this trap and be defrauded on a website that has content stolen from a real bank website.

Note: One of the critical elements of a phishing scam will be content stolen from a real bank to deceive the victim. Any self respecting hoster eager to protect his reputation will immediately remove such content upon notice. Why?

Because they know and understands what the intent of the website is, namely to deceive the internet populace and to defraud them. Additionally, were they to leave such content online for any protracted amount of time after becoming aware of it, they could be held liable, the changes getting better as more and more people are defrauded. Additionally the same criminals will keep on coming back to abuse their services, hardly the type of client any hoster wishes for.

What would the public and consumer groups do if they were to ask that a DMCA notice be sent to actually remove that website?

Obviously it is the wrong tool for the wrong job. A monkey wrench is not the tool to drive in nails (though you could potentially use it, but do not cry if you end up with blue fingers).

On a daily basis we do find similar situations however. The latest hosting provider that fell into this trap of doing exactly this, is Liquidweb.

Let us look at the following websites: http://www.euromover.eu/, http://www.euromovers.biz/ and http://www.euromovers.ws/.

In the anti-scam community the following scam websites are extremely well known and are associated with Romanian escrow fraud. The luckless victim company who’s website has been stolen, is http://www.svgverhuizingen.nl/. In fact we can trace the beginnings of this escrow scam gang infamously known as the “Yellow Courier”, back two years. They have made the rounds, finding all the hosters slow to act. In fact before moving and testing the fraud tolerance of Liquidweb, they had many incarnations of websites on Earthlink with exactly the design discussed here. Luckily it appears that Earthlink eventually figured out why it is wise to not host them.

Enough talk, let us look at websites: This is how the website of http://www.svgverhuizingen.nl/, the victim website looks:

Compare to http://www.euromover.eu/, the plagiarized website:

— looking up www.euromover.eu
— performing WHOIS on “67.225.195.63″, please wait…
— contacting server whois.arin.net
— smart whois on “67.225.195″

OrgName: Liquid Web, Inc.
OrgID: LQWB
Address: 4210 Creyts Rd.
City: Lansing
StateProv: MI
PostalCode: 48917
Country: US

The devil lies in the details – and differences; we note despite the same street address shown, the domain name differs, the second website has an email address on the index page and shows a Verisign seal.

The Verisign Secured Site is a trademark of Verisign and anybody that has any experience in matters relating to internet security knows that by clicking on the seal, you will be diverted to Verisign’s website where a certificate relating to the domain you came from, is displayed and shows they are who they claim to be.

Of course criminals have been spoofing these certificates for a while now. As stated at http://www.lets-ride.com/classifiedadvertisements/tipsforspottingfraud.htm:

Verify and then trust
If using an on-line escrow company, verify any and all endorsements and credentials on an online escrow site. Are those really TRUSTe, Better Business Bureau and VeriSign Secure seals on an escrow site? Be sure to check.

Study all licensing information carefully. Contact any licensing authority listed on the escrow company website and verify that the site is actually registered. Check this information carefully. Many scam sites have ripped off the legitimate license numbers from other companies.

You’ll also want to check when an escrow site’s domain name was registered. Many scam escrow sites say they’ve been in business for years but only have been registered for a few days or weeks. You can use a “Whois” tool at any domain name registrar, such as networksolutions.com or godaddy.com, to find out.

Excellent advice! Let us examine what is happening to http://www.euromover.eu/. If we click on their displayed seal:

Firstly we are redirected to http://www.euromover.eu/home_files/verisign.html where we find this content:

Note the URL:

https://digitalid.verisign.com/oneclick-secure-324554%A123%/secure.exe/423%22ave/35%.php

This is at the top of the popup. However, the address bar does appear strange. Going directly to this URL yields:

This certificate is hosted in totality at http://www.euromover.eu/home_files/verisign.html and is bogus!

Looking at the content of the supposed certificate:

www.EuroMover.eu is a VeriSign Secure Site

Security remains the primary concern of on-line consumers. The VeriSign Secure Site Program allows you to learn more about web sites you visit before you submit any confidential information. Please verify that the information below is consistent with the site you are visiting.

Website	http://www.EuroMover.eu
Status	Valid
Validity Period	01-DEC-03 – 01-DEC-08
Server ID Information	Country = UK State = East Sussex Locality = Uckfield Organization = EUROPEAN MOVERS TRANSPORT Organizational Unit = Corporate Office Organizational Unit = Terms of use at www.verisign.com/RPA (c)01 Common Name = EuroMover.eu

If the information is correct, you may submit sensitive data (e.g., credit card numbers) to this site with the assurance that:

• This site has a VeriSign Secure Server ID.
• VeriSign has verified the organizational name and that EUROPEAN MOVERS TRANSPORT has the proof of right to use it.
• This site legitimately runs under the auspices of EUROPEAN MOVERS TRANSPORT.
• All information sent to this site, if in an SSL session, is encrypted, protecting against disclosure to third parties.

To ensure that this is a legitimate VeriSign Secure Site, make sure that:

1. The original URL of the site you are visiting comes from EuroMover.eu
2. The URL of this page is https://digitalid.verisign.com.
3. The status of the Server ID is Valid.

Validity Period : 01-DEC-03 – 01-DEC-08 !!

Considering that the domain was only registered on the 4th of July 2008, is would be technically impossible for this website to have such a Verisign certificate. Look at the whois record:

From the Whois Record

Domain: euromover
Status: REGISTERED
Registered: Fri Jul 4 2008

Registrant:
Please visit www.eurid.eu for webbased whois.

…..Nameservers:
ns64.globehosting.net
ns63.globehosting.net
ns12.globehosting.net
ns11.globehosting.net

So now we have uncovered not only a stolen website, but also a fraudulent Verisign certificate. (note the name servers – a Romanian based hosting provider.)

The same analysis holds true for the sister websites to http://www.euromover.eu/, http://www.euromovers.biz/ and http://www.euromovers.ws/.

However, should a hosting provider be made aware of such a fraudulent website, they should have all the details to quickly examine such content and recognize it for what it is: Escrow Fraud. In fact when I first heard of this website, it took me less than a minute to unravel it and classify it as fraudulent. As such any self respecting hosting provider should be only too glad to know about so that he can take steps to ensure no member of the public is defrauded on his resources.

What was the reality? A member of an anti-abuse group made Liquid Web aware of the LiquidWeb aware of http://www.euromovers.biz/ and http://www.euromovers.ws/, also later of http://www.euromover.eu/. LiquidWeb replied as follows:

Subject: Re: Fraud on liquidweb ip’s 2008-08-22 14:45:10

From: C*** G*** <cg****@liquidweb.com>

COPYRIGHT INFRINGEMENT POLICY

Notice And Procedure For Making Claims Of Copyright Infringement Liquid Web customers are required to respect the legal protection provided by copyright law. If you believe that your work has been copied in a way that constitutes copyright infringement, please provide to the LiquidWeb.com copyright agent the information listed below. This procedure is exclusively for notifying LiquidWeb.com that your copyrighted material has been infringed:

* A physical signature of the person legally authorized to act on behalf of the owner of the copyright interest. * A description of the copyrighted work that you claim has been infringed. * A description of where the material that you claim infringes your copyright is located on the site. * Your address, telephone number and e-mail address. * A statement by you that you have good faith belief that the disputed use is not authorized by the copyright owner, its agent, or the law. * A statement by you, made under penalty of perjury, that the above information in your notice is accurate, and that you are the copyright owner or legally authorized to act on behalf of the copyright owner.

Designation Of Agent To Receive Notification Of Claimed Infringement A notification of claimed copyright infringement must be provided in writing to:

Copyright Agent
LiquidWeb.com
4210 S. Creyts Road
Lansing, Michigan 48917
phone: 517-322-0434
fax: 517-322-0493
e-mail: DMCA@liquidweb.com
_____________________
C***** G****
Systems Administrator

Liquid Web, Inc.
www.liquidweb.com
support@liquidweb.com

800-580-4985 TollFree
517-322-0434
Int. 517-322-0493 Fax.
_____________________

and

Subject: Re: Fraud on liquidweb ip’s 2008-08-22 15:38:11

From: C**** G**** <cg****@liquidweb.com>

Hello,

I spoke with our security department and found out we need either a subpoena or court order to take these sites down.

You will want to contact your local law enforcement agency.

Cheers

_____________________
C**** G***
Systems Administrator

Liquid Web, Inc.
www.liquidweb.com
support@liquidweb.com

800-580-4985 TollFree
517-322-0434
Int. 517-322-0493 Fax.
_____________________

_____________________
C***** G****
Systems Administrator

Liquid Web, Inc.
www.liquidweb.com
support@liquidweb.com

800-580-4985 TollFree
517-322-0434 Int.
517-322-0493 Fax.
_____________________

At this stage I am once again left gobsmacked by the reaction of a certain class of hosting providers where they hide behind legalese and simply are unwilling to stick out their necks by actually examining content hosted on their websites.

So the reporter will need a court order or subpoena to do anything about this illegal content? Also file a DMCA notice for content that is stolen and not his (and as such not doable), but clearly fraudulent?

Also exactly which authorities? The Netherlands? Romania? The U.S.A.?

The simple truth is that the authorities, if they do take action, will take quite a while to do so. They are not negligent in their duties, but the available staff members at the authorities are extremely overwhelmed by the extent of Internet crime. Their actions are more statistically driven than on a per victim basis.

I wonder if Verisign will receive the same reception from LiquidWeb once they complain about the fake Verisign Protected certificates? What about the fake certificates? The company registration stolen – Certificate of Registration 4077/03? What about the next phishing website? What will happen if they do? Will Liquid web ask the criminals to remove the plagiarized content?

Who is looking after the victims that will emerge (if they do, not simply hiding in shame and being left destitute as is the norm) and not make sure they are doomed to become statistics? What happened to Internet self governance? But that is a topic for another day …

I guess you could use a monkey wrench to drive in nails if you … really .. tried … very … hard ….

LiquidWeb – wrong tool for the job at hand! There is a big difference between plagiarism as such and plagiarism for reasons of fraud.

The correct tool is to be found here on Liquid Web’s website: https://www.liquidweb.com/about/sharedtos.html (The type in red below does not exist on the URL shown, but is done by the author to highlight a specific provision)

Note: Pornography and sex related merchandising are prohibited on any Liquid Web, Inc. shared account. This includes sites that may imply sexual content, or link to adult content elsewhere. This is also true for sites that promote any illegal activity or content that may be damaging to Liquid Web servers or any other server on the Internet. Links to such materials are also prohibited.

Escrow fraud is illegal activity. It is illegal in Michigan, in the USA and in fact of most of the civilized world, even Romonia where this scam operator orginates from.

Incidentally, if LiquidWeb really wanted to look at their copyright policy, they would have noticed this particular paragraph and I quote (the coloring in red is once again my own to highlight a portion of a paragraph):

Notice And Take-Down Procedures
If Liquid Web is notified of a credible claim of copyright infringement, or otherwise becomes aware of facts and circumstances from which infringement is apparent, it will respond expeditiously by removing, or disabling access to, the material that is potentially infringing.

An abuse report has certainly made sure that they “otherwise became aware of facts and circumstances from which infringement is apparent”.

It is indeed sad that LiquidWeb has taken this stance, since this attitude is one of the factors that makes escrow fraud successful and why it will continue for the foreseeable future. In fact as far back as 2002, we find an article on AuctionBytes, from where I only wish to highlight one paragraph shown below, particularly the part of one sentence:

Online escrow fraud is escalating, brought about by various factors including:

• online credit-card theft
• the anonymity the Internet affords users
• a lack of awareness about fraudulent escrow sites
• Web hosting companies that allow fraudulent escrow sites to be created with stolen credit cards, and to remain on their service even after they have been reported.

References:

FTC – Thousands of Consumers Fleeced by Auction Scams (of course, prevention is better than cure)
FTC – Internet Auctions A Guide for Buyers and Sellers
AuctionBytes – Online Escrow Fraud Hits eBay Members
ZDNet – Escrow fraud ruining Craigslist?
escrow-fraud.com – http://escrow-fraud.com/
IC3 – Escrow Services Fraud and Auction Fraud — Romania
(Is it coincidence that the nameservers are that of a Romanian company – not that this is reflection on the actual Romanian company, but rather the location and source of the above websites)
BBB – Tips to Avoid Online Escrow Fraud

A Parting Thought

In my posts I have shown how real companies are being targeted by online criminals, stealing their content and even photographs of people for fake identities.

Last week one of the legitimate online escrows, Buyer Guardian, closed their doors. This is a sad day for the internet community as a whole, since another valuable resource is no more. In light of the above content, I am sure that this victimized company will appreciate me quoting the reason for the closure here. From http://buyerguardian.com/:

Important Notice

August 18, 2008

To Our Faithful Customers:

We are sad to report that after careful and lengthy consideration we have made the decision to cease operations at BuyerGuardian.com. This is a very difficult decision and one that is made primarily due to the rapid growth of online escrow fraud.

Unfortunately, individuals have at times used altered copies of our web site content to defraud auto buyers. We do not want to enable these fraudulent transactions in any manner whatsoever. Any website using the BuyerGuardian.com logo, our site layout or our color scheme is doing so without our permission and is a fraudulent website.

Please check with www.escrow-fraud.com or your local Better Business Bureau before using an escrow company. The only other national vehicle escrow service of which we are aware of at this time is Escrow.com (www.escrow.com).

We want to thank all of the people whom we were able to help experience a seamless and successful interstate or international automobile transaction. We appreciate the kind words and support from our customers and hope to serve the automotive industry again in the future.

Sincerely,

The BuyerGuardian.com Team