What type of business dealing with the public would hide its main website behind a login? It seems that if you are in business you would want the public to be able to reach at least part of your site without having to log in to a 'secure' server. Obviously, banks, couriers, and other sites that transact business online would (and should) use such protection for clients' personal and transactional information, but the main site entry is not hidden behind secure logins.
Lately there seems to be a trend for fake business sites to hide the whole website behind .htauth (HTTP basic authentication) protection. The victims are given a general login/password pair to access the site, in addition to the custom login/password for the scam account set up for them. Of course, the scammer may think he is being clever; but in reality this is just another obvious indicator that, with the help of hosting companies and other investigators, lets us quickly zoom in on these red-flag sites and take them offline.
I can't think of a more obvious way to shout at any and all internet investigators that "Hey, we're hiding something!"
What I wrote was correct just a few days ago, but the technology industry being what it is, what stays the same for long?
Here are some minor updates to our first series of posts:
Microsoft Office Live (MSOL) can now be accessed through the Firefox web browser; a friend of mine was even able to get to it on his Macintosh (!)
The basic service is now what everybody signs up for; the paid tiers are gone. However, there are optional services which you can add onto your package (for example, more storage space or no advertisements), billed either annually or monthly.
Initial signup only requires a name and city. You don't give them a credit card number unless you want a domain name or other special features.
The free domain name offer is now only for one year, instead of indefinitely; after the first year, it costs $14.95 (slightly higher than the cheapest domain services available, but hardly unreasonable). However, you still get a free domain name for one year. Just by giving a credit card number. And we've mentioned how easy this is for a scammer to obtain.
While a few features, valuable for real businesses, have been changed around, the fundamental problem with scammer signups won't change. Nor has MSOL appeared to take any steps to address this. I found one of the last sentences of David Pogue's article to be particularly amusing:
...Office Live Small Business has all the hallmarks of a start-up: innovative, focused, fast-moving, game-changing, quick to respond to customer feedback and nimble in recovering from mistakes.
I'm not sure whether that implies it's intentional to allow lottery scammers to nest on their server for months, but MSOL certainly hasn't shown much flexibility or nimbleness in cleaning off the fraud.
Posted by suziecue in Web sites on February 13th, 2008
Please read Part 1, Part 2, and Part 3 before this. It's important background.
Our Conclusions
In our opinion, Microsoft Office Live is at a crossroads. There are other webhosts that we've criticized in the past. Most of them have made great improvements in their policies and procedures, in some cases moving from "incredibly unresponsive" to "fast reacting". There are things that Microsoft can do to fix its current problems: clean off the active scam sites, and establish some process to prevent further abuse. Or, it can decide what it's doing is good enough.
If it just sits back, though, that is hardly the action of an industry leader. Microsoft publicly paints itself as a positive force for internet security, fighting against phishing and online fraud. How can they make that match with their inactivity in their own hosting services? They are not verifying the identity of their account holders, they are not watching for likely fraudulent domain names, and they cannot even fully close accounts that are abusing their services.
aa419 recommends that if you see a company is hosted by MSOL, don't trust its website or emails without extensive third-party verification of their statements. There is substandard investigation of applicants. While any web host is at risk of fraudulent signups, the nature of MSOL means there is zero safety net (see previous post).
We also recommend that, if you find yourself to be represented as the owner of an MSOL domain, you contact them immediately to stop the identity theft.
Finally, we suggest that if you are looking for hosting services, leave MSOL out of your consideration for two reasons.
Scammer sites tend to be a magnet for hackers, who are typically other scammers trying to shut down their competition. Being on the same server as criminals is just asking for trouble. It also doesn't make your business look very reputable.
If MSOL support isn't able to do something as simple as close an email account, how comfortable are you relying on them if your legitimate website and email have trouble?
As we have in the past, we'll keep you posted if we see any changes in the behavior of this hoster. Also, to be clear, our statements reflect only our observations of and opinions about the Microsoft Office Live services, not Microsoft's software or operating systems.
Posted by suziecue in Web sites on February 12th, 2008
Today the most disturbing problem: MSOL can't actually close accounts!
Let's take a best-case scenario: we have reported a domain to MSOL, and they have confirmed it has been investigated and action has been taken. Indeed, the website is down and gives visitors an error; in some cases, it won't even resolve.
Here's an example: skyinternationalcourier.com. Go ahead and try to visit their website; it doesn't work. MSOL closed it weeks ago. The typical conclusion is that the whole account no longer functions. However, email can still be sent to and received from that domain name.
X-Originating-IP: [65.54.246.237]
Authentication-Results: mta247.mail.re2.yahoo.com from=skyinternationalcourier.com; domainkeys=neutral (no sig)
Return-Path:
X-Originating-IP: [217.21.64.226]
From: "SKY INTERNATIONAL COURIER SERVICE" []
Subject: COURIER DELIVERY COST FOR [XXXXXX XXXXXX]
Date: Mon, 4 Feb 2008 16:53:04 +0000
SKY INTERNATIONAL COURIER LTD
2ND Drakes Yard, 291 Kilburn High Road, NW6 7JR,London.
DATE:2/2/2008
NOTICE OF DELIVERY CHARGES TO TRACKING NUMBER: EEO311005723UK
DEAR [Xxxxxx Xxxxxx],
The courier can only effect your winning parcels which was brought by the gulf oil and gas companies to you when you meet the delivery service payment requirement. simply select one option from the four option provided below and pay its charges to the courier account office before your winning can leave the courier office in London to your address provided. Note that the option you are paying for serves as the cost of delivery service which is being render.
Option4:BANK TRANSFAR[48HRS REFLECTION THROUGH ELECTRONIC WIRING]
For winning prize to be transfer to your account in your resident country, you will be required to register with the bank [Generations Trust Bank] in charge of transferring your lottery prize which is also called an online account. The cost of open an online account with the GT Bank cost 400pounds which is equivalent to 32,195.64 INR. Once you make the payment, you will be sent your customer id and password which you will use to log into your online account and complete your transfer personally without any interference....
Note: Header and body have been redacted for readability.
That's conclusive proof that scammers continue to access and use their email functions long after their account is "closed". This is not a hypothetical example, nor is it isolated!* Shutting down the website for most of these scams is a useless gesture; we conservatively estimate that at least 75% of the scammers on MSOL use only the email functions of their service anyway. Terminating the MX records (which allow mail service) should be an integral part of closing an account! There is no reason to believe that any of the "dead" MSOL domains are inoperable.
Microsoft is only paying lip service to its assurances that accounts which violate their terms of service will be terminated. I doubt that they intended to have this loophole, but the idea that their system is incapable of closing an email account is almost as ridiculous. It goes beyond "bug" and becomes "serious flaw". They really have no clue what's happening on their own servers or how to administer them -- they can't even close accounts.
* Additional examples are included below. Header and body have been redacted for readability. We stopped after three, because frankly writing to scammers can get rather boring. If you have other dead-but-not-really domains, feel free to post evidence in the comments.
X-Originating-IP: [65.55.175.162]
Return-Path:
X-Originating-IP: [195.166.237.254]
From: "Post Bank Internet Service" []
Subject: Offshore Account Opening Advise
Date: Sat, 2 Feb 2008 09:36:51 +0000
Attention: [XXXXXX XXXXXX],
With regards to your email message/enquiry, please be hereby informed that opening an off/shore account here requires three easy steps. Firstly, you need to submit a copy of your most recent Identification for your personal account. The most preferable ID is either a copy of your international passport, a driver's license or any other Government identification. A copy should be sent to this office via email attachment or to our general fax line +31 84 719 84 06.
Secondly, you are to send to us your personal information in this format as follows:
1. Your Full Names:
2. Your Home Address:
3. Your Phone Number:
4. Your Fax Number:
5. Your Age:
6. Your Occupation:
7. Your Next Of Kin:
Thirdly, there is a new policy that all new accounts must be activated by paying an initial deposit/ opening balance. The lowest interest bearing account is a personal bronze current account. You have to pay (€1450 One Thousand Four Hundred and Fifty Euros) to activate it. This account activation deposit can be sent to us through one of our contractual money transfer agents confirmable within 24hrs. Upon the receipt of the above mentioned, a copy Our web link will be supplied to you along with your account number and pin number to enable you operate your account worldwide online without delay.
With kind regards,
Postbank N.V.
Mr. Niek Jorden
Manager E-commerce and E-mail
X-Originating-IP: [65.54.246.240]
Return-Path:
X-Originating-IP: [217.20.240.19]
From: "CITI ONLINE BANK PLC." [info @citionlinetransfer.org]
To:
Subject: EMAIL FROM CITI ONLINE BANK (ACCOUNTS & THEIR INITIAL DEPOSIT)
Date: Fri, 1 Feb 2008 15:34:30 +0000
We are in receipt of your mail and want to make you understand that Citi Bank Plc does not need your information for anything but for effective,safe and secure service The Chevron-Texaco Lottery has only issued a NOMINAL ACCOUNT CHEQUE in your name and you are the only one who as access to claims on the issued cheque. Your Winning particulars for payment has been received by the Bank. This means that you have been officially cleared for payment by the Verification Department at the headquarters of the Chevron-Texaco Lottery commission .Your Pay Order, Original Copy of your Winning Certificate and Payment Approval Letter has been received by the Bank. To begin the Final step of the claims process, which is the Payment of your prize, with regards to this here are details.
ACCOUNT OPENING:
As regards to actions of your winnings,You are to open and account with our bank into which your NOMINAL ACCOUNT CHEQUE will be paid into.And then any other action will now commerce. No fee can be deducted from your AWARD winnings because your prize is insured under a Hard Cover Policy following the National Gambling Act of 1996 amended in 1999. In reference to this Act as stated above does not allow deductions from lottery winings.This is to protect winners from Misplacement of Funds.
Below is our types of account and opening range:
With this you are advised to set up a temporary bank account with our bank so that the funds can be deposited into your new account in your favour before transfer can be made to your designated bank account.
NOTE:The account opening fee is going to be in your account and will be added to your winning funds which will round it up.Do get back to us on your choice ASAP.
We have different accounts and this has different initial deposit which is refundable depending on which of the account you will like to activate with us.
and you have to pay for the initial deposit before we can set-up a secure online account.
ACCOUNTS & THEIR INITIAL DEPOSIT:
(1) REGULAR ACCOUNT: This has an initial deposit of 450 Great British Pounds Sterlings and the maximum transfer possible within a month is 1.5 millions Great British Pounds Sterlings .
(2) DAILY ACCOUNT: This has an initial deposit of 1,026 Great British Pounds Sterlings and the maximum transfer possible within a month is 5 million Great British Pounds Sterlings .
(3) PREMIUM ACCOUNT: This has an initial deposit of 1,526 Great British Pounds Sterlings and the maximum transfer possible within a month is 8 millions Great British Pounds Sterlings .
(4) PLATINUM ACCOUNT: This has an initial deposit of 2,026 Great British Pounds Sterlings and the maximum transfer possible within a month is 10 million Great British Pounds Sterlings .
The Platinum Account has a full option banking amenities which involves having a Master Card, credit/debit balance print out and over draft.
NOTE: The initial deposit belongs to you and will be added to your transfer payment before transfer can be made and also, you will be required to pay for the initial deposit depending on the type of account you choose from the options above.
After account activation you will be given your account co-ordinates for online transfer to your designated bank account within 48 hours....
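The evidence in this post comes from mail headers: the first X-Originating-IP is the provider's relay, the second is the sender's own address, and the From domain is one the host reported as closed. The following is an added example (not aa419's or Microsoft's code) that pulls those fields out of a captured message and flags mail from a domain that is supposedly shut down; the message is constructed from the redacted header quoted above, with placeholder mailbox names since the post redacts them.

```python
import ipaddress
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed sample modelled on the redacted header quoted in the post.
# IPs, date and subject are taken from the post; the mailbox names
# (user@...) are placeholders because the post redacts them.
SAMPLE_MESSAGE = """\
X-Originating-IP: [65.54.246.237]
Authentication-Results: mta247.mail.re2.yahoo.com from=skyinternationalcourier.com; domainkeys=neutral (no sig)
Return-Path: <user@skyinternationalcourier.com>
X-Originating-IP: [217.21.64.226]
From: "SKY INTERNATIONAL COURIER SERVICE" <user@skyinternationalcourier.com>
Subject: COURIER DELIVERY COST FOR [XXXXXX XXXXXX]
Date: Mon, 4 Feb 2008 16:53:04 +0000

(body omitted)
"""

# Domains the host confirmed as closed (from the post).
CLOSED_DOMAINS = {"skyinternationalcourier.com"}

IP_RE = re.compile(r"([0-9a-fA-F:.]+)")


def originating_ips(msg):
    """Every X-Originating-IP value, brackets stripped; bad values skipped."""
    ips = []
    for value in msg.get_all("X-Originating-IP", []):
        match = IP_RE.search(str(value))
        try:
            ips.append(ipaddress.ip_address(match.group(1)) if match else None)
        except ValueError:
            continue
    return [ip for ip in ips if ip is not None]


def sender_domain(msg):
    """Domain part of the From address, lower-cased."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def domainkeys_result(msg):
    """DomainKeys verdict from Authentication-Results, or None."""
    match = re.search(r"domainkeys=(\w+)", str(msg.get("Authentication-Results", "")))
    return match.group(1) if match else None


def check_closed_domain_mail(raw, closed_domains):
    """Flag a message whose From domain is on the closed list but still mails."""
    msg = message_from_string(raw, policy=default)
    domain = sender_domain(msg)
    return {
        "from_domain": domain,
        "closed_domain_still_mailing": domain in closed_domains,
        "originating_ips": [str(ip) for ip in originating_ips(msg)],
        "domainkeys": domainkeys_result(msg),
    }
```

A hit on `closed_domain_still_mailing` with a live originating IP is exactly the "dead-but-not-really" condition described above; the relay IP (the first entry) belongs to the hoster, the second is where the mail was actually composed.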
Posted by suziecue in Web sites on February 11th, 2008
In yesterday's post, I pointed out how simple it was for internet criminals to get a free domain name through the Microsoft Office Live (MSOL) hosting service. Today we'll examine what they do when MSOL learns that their (unpaying) customer is violating their terms of service.
Microsoft's Response
The MSOL method of dealing with abuse complaints is mixed. (One of the worst examples can be read in a series of forum posts starting last April, in which a complaint sender was assured a site would be down in 48 hours and it was still up weeks later. This case is extraordinary, however.)
The industry standard is that complaints about abuse of a company's server should go to the contact point listed in the Whois of the server's IP address. MSOL sites show up on two IP addresses, both of which list as the Abuse contact. However, has a spotty track record in responding to these requests. At best they redirect you to talk to somebody else, at worst they deny Microsoft owns that IP address or completely misunderstand the content of a complaint. (For example, if I'm complaining about a lottery scam, I don't need to be told that I may have received a lottery scam email.)
(A minor side note: all Microsoft and MSOL email addresses (even abuse@) have spam filters. That means you can't forward a scam letter in plain text as evidence; Microsoft requests file attachments instead. More reading on abuse department "best practices" can be found at RFC Ignorant and RIPE if you're bored, or really into that sort of thing.
Another side note: aa419 recommends never opening attachments sent to you in email, ever.)
A less typical contact point is to get in touch with the technical contact listed in the site's Whois details, in this case . This results in a somewhat improved response record, but they tend to direct anyone who contacts them to use a web form instead. (A form which, incidentally, requires the complainant to use Microsoft Internet Explorer!)
Once we managed to learn the preferred complaint process, the response rate apparently improved. (More on why I use the word "apparently" in the next post!) One significant problem which remains, though, is an inability to complain about more than one domain at a time. We know of hundreds of scam domains, and the most effective MSOL complaint process doesn't really have a way of handling more than one at a time.
There are indeed some more specialized contacts we know at Microsoft, and we have been trying hard to work with them. We have sent long lists of domains at once for them to work with. For example, 163 domains imitating the Central Bank of Nigeria (CBN) -- we all know that the CBN does its own hosting, not on MSOL free services, and there are a limited number of legitimate CBN domains. That list was allegedly closed down. A sample:
Even Microsoft employees are not able to get consistent results. We send our contact long lists, he states it will be dealt with... and then nothing happens. We send a reminder, the contact says they don't understand why it hasn't been dealt with, and nothing continues to happen. I have every reason to believe these contacts are working with us in good faith -- it is the abuse complaint system within MSOL which is lacking.
To be completely up front, Microsoft got in touch with us first, asking us to moderate some anti-Microsoft commentary in the forums which resulted from general disgust with the MSOL responses to complaints. We took the opportunity to discuss why that commentary was there in the first place and express our desire to see small changes.
The next post will go into detail about the most critical failure of MSOL support -- the fact that they apparently can't actually close an account.