CoolWebSearch


CoolWebSearch is the most widely known and the most annoying browser hijacker. It distributes itself by exploiting security holes in older or unpatched versions of Microsoft Internet Explorer. It has many variants (see Variants), each with its own behavior and actions.


VirusProtect


VirusProtect (also known as VirusProtect v.3.8, Virus Protect 3.9) is a rogue anti-spyware program. It is usually installed via Trojans and web vulnerabilities (even though manual download and installation may also occur). VirusProtect pretends to be an anti-virus program, but is in fact a simple scam: it uses scare tactics (fake system notifications and pop-ups) to convince users to buy the full version of VirusProtect. This “full version” is a fake.

Do not download or buy VirusProtect and block VirusProtect’s domain using your HOSTS file.


Total Protect 2009


Total Protect 2009 is a fake spyware remover tool. The application is installed on a computer through the use of trojans. Once Total Protect2009 is on board, it begins to load imaginary system reports that claim infections and system risks. If you click on any of these pop-ups you will be redirected to a website that has rogue content. Of course, all this is done to force users into buying the full version of TotalProtect 2009, which in fact does not do anything. The program is configured to start automatically every time you log on to Windows. Manual removal of TotalProtect2009 can be very difficult because it hides from the user and does not appear in the Add/Remove Programs list. This parasite may also cause several problems, such as system slowdown or even a limited internet connection. Remember that all notifications are falsified and the only way to keep your computer safe is to use legitimate anti-spyware software.


2008: A Significant Year In The Fight Against Illegal Spammers


The year of 2008 represented the highest strings of arrests, prosecutions, sentencings and imprisonments of illegal spammers in the history of illegal spamming. 2007 was already a very bad year for spammers. 2008 continued this trend, all of which underscores the fact that people really are fed up with hearing from spammers, and that spammers will go to jail if they continue to spam illegally or engage in identity theft or fraud.

Here is the basic run-down of 2008. Enjoy!

January:

  • We begin the year still revelling in the arrest of Robert Soloway, and the investigation into the computers and properties of Shane Atkinson, known spammer and sponsor representative for SanCash and VPXL. Intensive investigations are ongoing into both of these cases as the year begins.
  • Alan Ralsky, and several of his colleagues (notably one James E. Fite, aka “buba” on bulkerforum.biz), are indicted. The indictment carries 41 counts including Fraud, Wire Fraud and Money Laundering. He faces a sentence of 26 years in jail for the tax evasion charge alone.
  • SpamInMyInbox continues his investigation into what is now known to be SanCash.

February:

  • Several colleagues commence an intensive communications campaign between ICANN and XIN NET (also known as “paycentre”) in the hopes of waking them up to the mass amount of illegal abuse they are supporting by allowing domains to be registered using 100% fictitious contact information, in violation of ICANN accreditation policies. It sounds dry, but this is a huge Achilles heel for spammers, and more importantly the sponsors who pay them. Without a large supply of illicitly-registered domains, spammers have nothing to promote, and sponsors lose money. This campaign would turn out to take many weeks and months. Red Dwarf, Alpha Centauri and (most notably) trobbins file literally hundreds of thousands of complaints using Red’s “Complainterator.”

March:

  • Renowned unrepentant criminal spammer Robert Soloway pleaded guilty to charges of felony mail fraud, fraud in connection with electronic mail and failing to file a tax return in 2005.

April:

  • SpamInMyInbox’s investigation into SanCash, GenBucks, Tulip Lab and “VPXL / Express Herbal” continues. Tulip Lab serves him no notice while launching a lawsuit claiming (we think) libel. He later removes several references to Tulip Lab. Meanwhile New Zealand law enforcement firm up their plans to charge Shane and Lance Atkinson for illegal spamming pending their continuing investigation into several computers they seized in December, 2007 following the BBC4 investigation into the same operation.

May:

  • SpamInMyInbox is placed under a temporary injunction thanks to the Tulip Lab complaint. He removes all mention of Tulip Lab from his blog.
  • The criminal charges keep on coming! On May 19th, 2008, US Attorney General Michael B. Mukasey holds a press conference in Bucharest, Romania announcing the indictment of 38 individuals, from numerous countries, all of whom were involved in phishing scams based out of California and Connecticut. This is fairly big news since it involved the cooperation of Romanian law enforcement officials, and communication between several international law enforcement agencies including the FBI.

    Other links to this story: New Haven FBI Press Release, Overview of the Law Enforcement Strategy to Combat International Organized Crime [pdf], US DOJ Indictment, and coverage by GarWarner’s blog.

  • SiL’s Blog (the very one you are reading now, ikillspammerz.blogspot.com) gets listed in The Industry Standard’s Top 25 B-to-Z List Blogs.
  • SiL creates a new entry in the Spam Wiki which outlines in relatively good detail the perceived infrastructure and hierarchy of a typical pharmacy or replica email spam operation. He also firms up quite a bit of evidence regarding each of the known sponsors of illegal spam, including Spamit, Bulker.biz and SanCash (also known as AffKing.)
  • Todaynic, long a haven for the registration of literally millions of spamvertised domains per year, suddenly take decisive action and shut down a very large list of domains which have been registered using completely fake contact information, and which are used in spam campaigns for properties such as Canadian Pharmacy, ED Pill Store, Downloadable Software, Prestige Replica, Exquisite Replica, etc. etc. etc. They even go so far as to automate the verification and shutdown process against any domains listed in the uribl list under their registration. This is a huge blow to spammers and their sponsors as it slams a door shut on a previous aider and abettor of illegal spammers.

June:

  • More criminal charges! Robert Matthew Bentley of Panama City is sentenced to three and a half years (41 months) in jail and fined $65,000USD for hijacking hundreds of PCs for use in a botnet which was used in attacks and popup ad fraud. This is the result of nearly two full years of investigation as part of “Operation Bot Roast II”.
  • Paul Laudanski leaves castlecops to become a full time Internet Safety Investigator for Microsoft’s Live Consumer Services.
  • Greg King, renowned for DDOS’ing Castlecops in February 2007, pleads guilty to two felony counts of transmitting code to cause damage to protected computers. He faces a maximum of 20 years in prison and a fine of $500,000USD.
  • XIN NET finally (FINALLY!) takes action on not just a few, not just a few dozen, not just a few hundred, but several tens of thousands of illicitly-registered domains. This has a devastating effect on several spam sponsors, notably Spamit and SanCash. None of the spammers or sponsors dares complain publicly, but the effect is obvious and we notice several mailers suddenly switch 100% from mailing PowerEnlarge, Prestige Replicas, MaxGain+, VPXL and Canadian Pharmacy, to instead spamming long-in-the-tooth pump and dump stock symbols. (CYHD, then AGSM.)
  • Almost overnight, sponsors and domain registration mules switch from XIN NET and Todaynic to otherwise unknown domain registrar “Xiamen Chinasource Internet Service Co., Ltd.” Red Dwarf and trobbins lead the charge to informing them of this shift in the spammer’s (or their sponsor’s) activity and they immediately also begin shutting down and nullrouting several hundreds of new domains per day, all of which feature verifiably fake contact information and are used, of course, in illegal spam campaigns supporting bogus or dangerous products.
  • Research by Ironport correctly identifies the operators of the Storm Worm as the same group responsible for the rampant spamming on behalf of “Canadian Pharmacy”. Most domains used for Canadian Pharmacy are also hosted on fast-flux botnet hosting, further digging the hole for that operation. The Register reports on it, further expanding the audience for this important research.
  • Martin Heller receives a memo from Garth Bruen of KnujOn detailing why XIN NET should be issued a breach notice from ICANN. His timing is a little late, but it further raises the lingering issues with XIN NET in the public eye. Heller also draws a direct relationship between XIN NET and several well-known SanCash spamvertised properties including Wondercum and Diamond Replica.
  • Between June and July, a very large spate of Storm worm spam attempts to convince unwitting Internet users to click on links leading to hijacked websites with the hopes of greatly increasing the number of usable bots in the Storm botnet. Spam messages initially take the form of winsome (if illiterate) love letters with subject lines like “Always with you” or “Always in my heart”. Shortly thereafter, they exploit breaking news of the earthquake that hit China in late June, claiming “Millions dead in China Quake”. Then still later, they take on a variety of totally fake “news headlines” such as “The beginning of World War III”, “Angelina Jolie dies during childbirth” and “USA declares war on Iran.” For whatever reason, recipients appear to click on the links anyway and the Storm worm gains in numbers. [source]
  • SanCash debuts their “Exquisite Footwear” brand of fake designer goods. SiL creates the Exquisite FootWearErator to counteract these spam messages. Later on, in July, spam for this brand diminishes significantly. :) (Coincidence?)

July:

  • The CastleCops Bulk Spam Reporting Wiki Entry is created and swiftly becomes a valuable evidentiary tool for domain registrars, hosting providers and law enforcement. Within a very short time, several domain registrars begin to take notice and investigate the fraudulent registration of thousands of domains used in the spamming of all manner of bogus or illegal sites. The wiki entries are regularly updated by numerous CastleCops staff members.
  • Sentencing begins for Robert Allen Soloway, who is (at the time) expected to get from 14 to 20 years behind bars after pleading guilty to mail fraud, e-mail fraud, and tax evasion.

August:

  • More arrests! On August 13th, the US Dept. of Justice announced the indictment by a federal grand jury of seven residents of Pulaski County, MO. involved in an illegal online pharmacy. Anthony D. Holman is the alleged ringleader of the group, and also designed the templates for the sites his affiliates would use to promote the online pharmacy. The seven individuals allegedly made $3.4 million (USD) of profit via their “PersonalizedRx, LLC” online pharmacy, which sold many controlled pharmaceuticals. Holman and his partner Arcelia Holman were also charged with five counts of money laundering.

  • August 14th, 2008 sees the sentencing of renowned AOL spammer Michael Dolan to seven years in prison on charges of fraud and aggravated identity theft related to repeated harvesting of AOL accounts, to which he would then send malware to steal account details and other personal information. He also participated in numerous phishing exploits on AOL members. Following his seven year sentence he will face three years of supervised release. Dolan appears to have followed in the footsteps of the likes of Chris “Rizler” Smith, engaging in witness tampering and other extremely illegal practices.
  • August 22nd, 2008: Still more arrests!

    There are some really damning statements in this press release. More excerpts:

    Did I mention that it’s a bad time to be an illegal spammer?

October:

  • More legal activity in Alan Ralsky’s case. On Oct. 15th, Judy Devenow, an accomplice in Alan Ralsky’s stock spamming operation, pleads guilty and agrees to assist law enforcement investigators. At the time she faces from 33 to 41 years in prison related to charges of assisting in Ralsky’s stock manipulation, money laundering and wire fraud operation. Her sentence could be reduced based on how much she assists prosecutors.
  • On October 23rd, a Dutch newspaper releases a story claiming that three hackers from Russia and Ukraine were arrested. [Image of English translation available here.]

    Google translated:

    this story.]

December:

  • On Dec. 10th, the FTC orders a pair of companies related to a series of bogus antivirus products to shut down and freezes their assets. (The companies were known as Innovative Marketing, Inc. and ByteHosting Internet Services, LLC but operated under numerous aliases.) For many months this company and its affiliate program had been duping unsuspecting consumers into believing their computer had become infected with hundreds of viruses, trojans, and other malware, encouraging them to download and install their alleged antivirus product, which went by a variety of names such as “WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus”. Of course installing that software led to no genuine protection against any malware, and the company profited massively from this fraudulent activity. One such operation was dissected in October 2008 by the SecureWorks team. [source]
  • In a related story, on Dec. 10th, Microsoft releases Security Intelligence Report 5, in which they detail a rather large list of infections which the Microsoft security updates had removed over the past several months. Gar Warner’s blog delves into the data and explains how massive a removal this really is, numbering in the millions of removals of the Zlob infection, among many others. Looks like it’s a bad time to be in the fake antivirus business.
  • Dec. 17th, How Wai John Hui pleads guilty to federal fraud and money laundering charges related directly to the Alan Ralsky case. Hui stands to benefit greatly by cooperating with investigators. Even if Hui significantly cooperates with the ongoing investigation into Ralsky and his “business” dealings, he stands to serve from 32 to 39 months (just over ~2 - 3 years) in federal prison, and must “forfeit $500,000 in illegal earnings.” This, in addition to October’s news of accomplice Judy Devenow cooperating with police, is extremely bad news for Ralsky.
  • On Dec. 19th, SiL’s “winnings tally” surpasses One Billion Dollars US. It has only been 33 days since he started keeping track of the monetary totals he was allegedly “winning” or “inheriting” via fake Nigerian scam letters.
  • On Dec. 22nd, New Zealand court documents are unsealed stating that Lance Atkinson has “admitted his part in a major international spamming operation and will pay a financial penalty of $100,000 plus costs of $7666.” [source] His fine is reduced from the $200,000 maximum due to his cooperation with law enforcement and the fact that when he began SanCash, spamming itself was not illegal in New Zealand. Shane Atkinson and Roland Smits have instead chosen to defend themselves against these charges. No word on a court date at this time, and no word on the still-pending FTC charges. See also this press release, which goes into further detail and specifically mentions Tulip Labs as being directly involved with this illegal operation.
  • In some additional followup, the author of SpamInMyInBox.com writes a year-end roundup regarding his investigation into SanCash, GenBucks, and Tulip Lab, indicating he is interested in pursuing the charges against him on behalf of Tulip Lab:

    Regarding the case against me in Delhi High Court, India, then currently all of my research is being evaluated by NASSCOM (because of the technical depth of parts of it) who will report back to Delhi High Court, and the next hearing will be in the end of February 2009, which can be read in the following court document: http://courtnic.nic.in/dhcorder/dhcqrydisp_o.asp?pn=171295&yr=2008

    He further states that apparently Tulip Lab is currently “interested” in withdrawing their charges against him. (I just bet they are.) This indicates that there will likely be a lot more interesting stuff in 2009 regarding this case.

  • In some very disappointing news, at midnight on the morning of Dec. 24th, 2008, revered Anti-spam and Anti-cybercrime site CastleCops.com, which for several years had been instrumental in collating and organizing criminal evidence related to illegal spamming, cybercrime, malware and phishing, closed up indefinitely. As of this writing it is unknown whether the site will ever reappear. The operators of the site had been struggling to maintain it even under crushing workloads at other jobs. That coupled with further complications ultimately led to its demise. Members of the site had to discover or create other means of connecting to each other, and in its wake several wikis, forums and blogs started up, with more very likely to start up in the new year.
  • From Dec. 4th through Dec. 26th, “trobbins”, a long time collector and mass-reporter of illegally registered domain names, successfully shuts down just over 12,000 domains used in spam campaigns for the usual variety of bogus “products” promoted via illegal spammers and their sponsors. Many of these domains were registered via domain providers located in China (35 Technology, BizCN, Xin Net, etc.). trobbins is by no means the only individual reporting these domains to registrars around the world, but he has a striking ability to convince even previously non-responsive domain registrars to take action on large numbers of illicit domains, registered using 100% fake contact information. Most of these registrars were previously considered bullet-proof by spammers and their sponsoring companies.

Phew! That’s a lot of activity! Way more than occurred in 2007. Mostly all of it good news for people who hate spam and the people who profit from it. A very great deal of it completely bad news for most operators within distributed spam operations.

Clearly we’re entering a more mature phase with regards to legislation of illegal activities and how they relate to online means of execution. To see the sheer breadth of international cooperation between disparate law enforcement agencies is a very encouraging sign, and one that points to even more arrests and other legal action against illegal spammers.

I’ll still say it, since it’s always worth repeating:

DO NOT PURCHASE ANYTHING FROM A WEBSITE YOU RECEIVED IN A SPAM MESSAGE OF ANY TYPE!

To do so is to basically give away your personal data to criminals, to risk having your identity stolen, and to risk personal harm to yourself, or even death.

Happy Holidays everyone. Stay safe!

SiL / IKS / concerned citizen


Take Extra Precautions and Stop Spam


Victims of spam mails would often ask where spam mails come from. All they know is that they have never given out their email address to other web sites or individuals online. How come they still suffer from receiving tons of unsolicited emails from people or companies they don’t know?


Express Antivirus 2009


Express Antivirus 2009 is a rogue anti-spyware application, probably created by the same group of scammers who created the well-known fake anti-spyware application called Antivirus 2009, because these two programs have many similarities and act basically the same. ExpressAntivirus 2009 can be installed via trojans such as Zlob or Vundo. Trojans gain access to a computer through security holes. This rogue can also be installed manually by the user from the scammers’ website.
Once installed, this rogue uses a well-known scheme to scare users into purchasing a licenced version of this fake anti-spyware. It might flood the user’s computer with alert windows about fake infections and dangerous security problems. Of course, these infections can then be removed only with the full version of this rogue. But don’t be tricked: this fake anti-spyware is worthless and, what is more, dangerous. Please remove this parasite if already infected.


Spyware Protect 2009


Spyware Protect 2009 is a rogue anti-spyware application, a fake spyware remover. Users usually infect their systems with this rogue via Vundo or similar trojans and viruses. SpywareProtect 2009 is configured to start automatically when the system boots. After that, this rogue launches pop-up windows to alert the user about fake system infections and security risks. We can even call those alerts standard, because they are very similar to the alerts of other fake anti-spyware software. The alert windows also come with an intrusive sound that can be very pesky and overall creates a very noisy environment. So, everything is done to scare the user into purchasing the full version of this rogue, because, as they claim, it is the only way to remove all the infections. It might be difficult to remove SpywareProtect2009 manually, but it is worth trying, because your private data and information are at risk if the system is infected with this rogue. We recommend that you remove this rogue as soon as possible.


How to Stop Spam (Especially If You’re Already a Victim)


Spam. Those annoying, time-consuming emails that clog your Inbox and ruin your day. You wonder: How did it ever get so bad? While it’s not possible to completely eliminate spam, there are quite a few…


The People’s Email Network - Spam Your Legislators, Friends and Complete Strangers


In what seems like a good idea, the People’s Email Network (UsAlone.com), claims that it “facilitates the process of sending email messages to Washington. In one place on our site you can send a message that is automatically submitted to the members of congress for where you live.”

What they don’t state quite as succinctly - although it is in their People’s Email FAQ - is what exactly is under the hood, and what happens when you “send an email” through their system to your legislators. While it is available to read in their FAQ, the average user would not really understand what it all means, so we are going to translate it for you.

When, in the People’s Email FAQ it says:

“In both the senate and house of representatives, there is a trend away from email addresses accessible to the general public and in favor of qualifying forms to determine if you are one of their direct constituents. The form you fill out on our page confirms your correct zip code and corresponding congressional representation. This information is then transmitted to the appropriate gateways by our proprietary software in the background.”

What it really means is “we have created scripting software which auto-submits copies of what you wrote to the web forms at the various legislators’ sites.”

While perhaps laudable in concept, scripting web-forms is usually associated with spamming, phishing, and malware.

When they say, about the fact that when you submit a form their system also opens a new email message with your mail program, prepopulated with your message, “The strength of The People’s Email Network derives from people pooling the power of their own email clients to spread the word. The message is simply an invitation and notice for other people you may know to visit our site and make their voices heard also.”

What it really means is “spam your friends with this message too”, and not just your friends because…

When they say, about the pre-checked “extra CC” box in their system “If you leave this box checked, we may add a small number (no more than 10) of additional addressees to your outgoing friends email only, in the case where you have pasted in a relatively small number yourself. If you have a number much greater than that, we are hereby asking other participants to help get messages out to them. The purpose of this function is load balancing. By spreading the traffic around we can more effectively and efficiently communicate what is going on here.”

What they really mean is that they are going to have complete strangers get a mass mailing from you - in your name and using your email address, getting you in trouble with your ISP.

Now, we’re all for writing to your elected representatives, but there are much cleaner, safer ways to do it. For example, you can find all of your representatives here, and you won’t even have to worry about this, UsAlone.com’s People’s Email’s last gotcha, from the bottom of their FAQ:

Why are some of the links like “Remove me” and “Opt-in” not working for me?

Check to make sure you are not rejecting all pop-ups indiscriminately.


iSafe AntiVirus


iSafe AntiVirus is a brand new rogue anti-spyware application and a clone of VirusResponse Lab 2009. The parasite works like many of its kind: it shows misleading information about infections in order to push the user into purchasing a full version. iSafeAntiVirus is a dangerous application that will bring only harm to the user. Manual removal can be very hard because the program hides from the user and does not appear in the Add/Remove Programs list. No uninstall option is provided. The parasite is also able to recreate itself after removal. iSafe AntiVirus is also able to install additional malware into user
