Another grateful member of the public…

thank you for watching out for us
good people who only try to do the right thing by not getting rip off

The first step to avoiding fraud is asking questions — does this deal sound too good to be true? If a little voice is telling you something might be wrong, pay attention! There’s nothing silly about checking into a company’s claims; it’s certainly easier than learning the truth only after you’ve lost money.

There are lots of ways to research online transactions or offers, including asking aa419 for advice. (Never just take the company’s word for it that they’ve been in business for twenty years and are the #1 trusted source online… find an independent source to verify!)

I’d like to thank you for this brilliant service you’re providing. I was almost a victim of a scam being carried out by klz holdings and was debating whether to transfer money to them or not when I found them listed on your site after carrying out a search under their name.

You’re welcome. We’re always thrilled to hear that we’ve saved somebody from losing to a scammer!

What type of businesses dealing with the public would hide their main website behind a login? Seems that being in business you would want the public to be able to access at least part of your site without having to login to a ’secure’ server. Obviously, banks, couriers, and other sites that transact business online would (and should) use such protection for clients personal and transactional information, but the main site entry is not hidden behind secure logins.

Lately there seems to be a trend for fake business sites to hide the whole website behind .htauth protection. The victims are given a general login/password pair to access the site, beyond the custom login/pass to the scam account setup for them. Of course, the scammer may think he is being clever; but in reality, this just means another obvious indicator, that with the help of hosting companies and other investigators, we can quickly zoom in on these red flag sites and take them offline.

I can’t think of a more obvious way to shout at any and all internet investigators that “Hey, we’re hiding something!”

What I wrote was correct just a few days ago, but the technology industry being what it is, what stays the same for long?

Here are some minor updates to our first series of posts:

• Microsoft Office Live (MSOL) can now be accessed through Firefox web browser; a friend of mine was even able to get to it on his Macintosh (!)
• The basic service is now what everybody signs up for, the paid tiers are gone. However, there are optional services which you can add onto your package (for example, more storage space, no advertisements) which cost either annually or monthly.
• Initial signup only requires a name and city. You don’t give them a credit card number unless you want a domain name or other special features.

Source:
“A Little Piece of Microsoft Aids Small Business” by David Pogue, New York Times — and also visiting MSOL ourselves.

The free domain name offer is now only for one year, instead of indefinitely; after the first year, it costs $14.95 (slightly higher than the cheapest domain services available, but hardly unreasonable). However, you still get a free domain name for one year. Just by giving a credit card number. And we’ve mentioned how easy this is for a scammer to obtain.

While a few features, valuable for real businesses, have been changed around, the fundamental problem with scammer signups won’t change. Nor has MSOL appeared to take any steps to address this. I found one of the last sentences of David Pogue’s article to be particularly amusing:

…Office Live Small Business has all the hallmarks of a start-up: innovative, focused, fast-moving, game-changing, quick to respond to customer feedback and nimble in recovering from mistakes.

I’m not sure whether that implies it’s intentional to allows lottery scammers to nest on their server for months, but MSOL certainly hasn’t shown much flexibility or nimbleness in cleaning off the fraud.

Please read Part 1, Part 2, and Part 3 before this. It’s important background.

Our Conclusions
In our opinion, Microsoft Office Live is at a crossroads. There are other webhosts who we’ve criticized in the past. Most of them have made great improvements in their policies and procedures, in some cases moving from “incredibly unresponsive” to “fast reacting”. There are things that Microsoft can do to fix its current problems: clean off the active scam sites, and establish some process to prevent further abuse. Or, it can decide what it’s doing is good enough.

If it just sits back, though, that is hardly the action of an industry leader. Microsoft publicly paints itself as a positive force for internet security, fighting against phishing and online fraud. How can they make that match with their inactivity in their own hosting services? They are not verifying the identity of their account holders, they are not watching for probably fraudulent domain names, they can not even fully close accounts that are abusing their services.

aa419 recommends that if you see a company is hosted by MSOL, don’t trust its website or emails without extensive third-party verification of their statements. There is substandard investigation of applicants. While any web host is at risk of fraudulent signups, the nature of MSOL means there is zero safety net (see previous post).

We also recommend that, if you find yourself to be represented as the owner of an MSOL domain, you contact them immediately to stop the identity theft.

Finally, we suggest that if you are looking for hosting services, leave MSOL out of your consideration for two reasons.

1. Scammer sites tend to be a magnet for hackers, who are typically other scammers trying to shut down their competition. Being on the same server as criminals is just asking for trouble. It also doesn’t make your business look very reputable.
2. If MSOL support isn’t able to do something as simple as close an email account, how comfortable are you relying on them if your legitimate website and email have trouble?

As we have in the past, we’ll keep you posted if we see any changes in the behavior of this hoster. Also, to be clear, our statements reflect only our observations of and opinions about the Microsoft Office Live services, not Microsoft’s software or operating systems.