Phishing using Google Adwords / Adsense

Today, while searching for a UK bank, Google offered me an advert.

The advert looks very unclear and I expect most “normal” people searching will click on it thinking it is the genuine website.

[Screenshot: metrobank phishing mbinternetaccountant org]
Note: The top “Ad” entry is the phishing link!

So… is Google dumb enough to allow this? It seems so!

You click on it.. spot the difference.

[Screenshot: metrobank phishing mbinternetaccountant org fake site]
[Screenshot: metrobank genuine site]

Google are allowing a phishing site to advertise on keywords for a UK bank!

To make identification of this site more difficult, it seems that if you visit the site without Google as the referer you get either a 404 or a website that looks like it is for an accountancy practice.

[Screenshot: metrobank phishing mbinternetaccountant org with no google referer]

Poor show.. time to report the advert to Google.

However it looks like it isn’t the first time. I can find similar names that have likely had the same scam, targeting HSBC Bank, TSB, Clydesdale Bank, the US bank “Chase”, NatWest, Yorkshire Bank, Metro Bank, the Royal Bank of Scotland and the Post Office, plus a few whose target is unknown.

Most are hosted at “” (

Posted in Uncategorized | Leave a comment

The curious time an advert knows your mobile phone number..

Sorry for the length of this article.. there are so many different parts to this that it is difficult keeping a single sensible train of thought.

I don’t know my mobile number, I don’t use it for calls or texts. It is a SIM I use just for data alone. No Google, Microsoft or any other account has my mobile number.

While browsing a weather website today over 3G on my mobile phone I saw an advert.


Fine.. so what.. an advert.. This one was for “MobiPlanet” (see screenshot top right); the thing that intrigued me about it was that the advert touted FlappyBird as a subscription. I was interested in how they were doing this along with a “free trial”.

Upon clicking the advert I was taken to a screen similar to this one (see screenshot on left):


Except the first time I visited it – it didn’t have the mobile number input prompt. This was missing and only the “Subscribe Now” option existed (see photo to the right).

Stupidly – and thinking that there was no way my browser on my mobile phone was leaking my phone number.. I clicked Subscribe now. To my astonishment I got a text message and was subscribed to the service. No phone number input, no “text back to confirm” feedback loop.

Just instantly subscribed. How! How the heck does a website know my mobile number without me ever inputting it into _anything_.

With a bit of collaboration with a person called “therioman”, they confirmed that the same issue affects the 3 other major UK network providers (O2, Vodafone and EE).
therioman has (very kindly, thank you!) made a video of this happening:


I’m quite angry at this in the first place. I’ve since spent many hours reproducing the “problem”. Lots of tricks are employed to prevent you seeing the same sign up form again; further visits ask you to type in your number.

I think I have found what I believe to be the API or service that reported my phone number to the advertiser.

Roll in IMI Mobile (“”)!

My reasoning for thinking it is them is that they are the only likely party with access to the cell networks’ customer data. Business relationships get built.. then API access or customer databases get abused.

Remember.. I don’t know my mobile number and I don’t have it associated with anything. The only thing that knows my mobile number is my password vault and my mobile provider, called “Three”, themselves.

So how can an advertiser get my mobile number from just me browsing around?

The most likely cause is IMI Mobile having a “special deal” with the major UK cell networks. Three and the other networks have probably set up an intercepting proxy for requests to some IMI Mobile domains and subdomains, where the subscriber number is injected into an HTTP header. This way IMI Mobile can tell which subscriber is accessing their service and can then pass it on to the advertiser.

The specific requests which do this, I believe, are unusual requests from the advertiser site to a javascript file at IMI Mobile. However these _all_ return a 0 byte (empty) file. E.g.:

It is my belief that the /identify/ request, tagged with a GUID, is sent from your mobile browser to IMI Mobile. IMI Mobile receive the request their end along with the mobile phone number or subscriber details injected by the mobile network.

They then, in the background, pass this information back to the advertiser (probably by the advertiser requesting another back end API asking for details about the GUID). The advertiser can then subscribe you or use your mobile phone number in any way they please.
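To check this for yourself rather than infer it from the advertiser’s behaviour, the following echo endpoint (an added example, not code from the post or from IMI Mobile) reports every request header a visiting device presents and flags names that look like subscriber identifiers; the header names it looks for are those commonly reported for carrier header enrichment, which is an assumption, as the post does not name the header involved.

```python
"""Echo endpoint for checking what a mobile network adds to your HTTP requests.
Host it on an internet-reachable server, load it from the phone over mobile
data and again over Wi-Fi: any header present only on the mobile-data visit
was injected in transit by the carrier or a partner proxy.  Added example,
not code from the post; ENRICHMENT_HINTS is an assumption about naming."""
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Fragments of header names commonly reported for carrier header enrichment.
ENRICHMENT_HINTS = ("msisdn", "calling-line", "subno", "subscriber", "imsi", "x-up-", "x-nokia-")

def suspicious_headers(headers):
    """Headers whose name suggests a subscriber identifier (case-insensitive)."""
    return {k: v for k, v in headers.items() if any(h in k.lower() for h in ENRICHMENT_HINTS)}

def injected_headers(mobile_headers, wifi_headers):
    """Headers seen over mobile data but not over Wi-Fi: the ones added on the carrier path."""
    seen_on_wifi = {k.lower() for k in wifi_headers}
    return {k: v for k, v in mobile_headers.items() if k.lower() not in seen_on_wifi}

class EchoHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        headers = dict(self.headers)
        body = json.dumps({"headers": headers, "flagged": suspicious_headers(headers)}, indent=2).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Cache-Control", "no-store")  # carrier proxies must not serve a cached copy
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep stdout quiet
        pass

def serve(host="127.0.0.1", port=0):
    """Start the echo server on a background thread; returns (server, base_url)."""
    srv = HTTPServer((host, port), EchoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://%s:%d/" % srv.server_address

def fetch_echo(url, extra_headers=None):
    """GET the echo page directly (bypassing any system proxy) and return the decoded JSON."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    req = urllib.request.Request(url, headers=extra_headers or {})
    with opener.open(req, timeout=5) as resp:
        return json.loads(resp.read())

if __name__ == "__main__":
    # Local demonstration: a constructed X-MSISDN header stands in for what a carrier proxy would add.
    srv, url = serve()
    try:
        print(json.dumps(fetch_echo(url, {"X-MSISDN": "447700900000"})["flagged"], indent=2))
    finally:
        srv.shutdown()
        srv.server_close()
```

On a real deployment bind to 0.0.0.0 (or put the handler behind your web server) and compare the two JSON responses with injected_headers.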



On most UK mobile networks, and especially Three, visit Weather Underground and look at the weather for a location. If you see an advert for a subscription service, click on it.

I expect the first time you visit that advert you won’t be prompted for your mobile number. You will just see a subscribe button. Any subsequent visits will probably show you a prompt to fill in your mobile number.

See the YouTube video further up the post for one user’s experience.

IMI Mobile partners have been naughty in the past with subscription SMS services: –Tribunal-Minutes-022016.ashx

Related indicators.

Google Tag Manager: AW-833104379, GTM-59M4Z8S, AW-848165185


I also believe that “”, “” and “” are similar sites that employ the same “knows your number” trick. They send requests to the imimobile hosts as well.

Also related but not seen in this incident is “” which has some association with IMImobile. However the tap2bill name appears on a portal called “PFI Admin” at .

Other domains that have previously been seen to call in scripts from the IMIMobile domain and could potentially have also been doing the same “no number to enter or feedback loop” subscription:


eBay: zaful advert playing music automatically (another malicious advert)

As a follow on from last month where was hijacking eBay pages.. this month it is

This time the visitors don’t get hijacked away from eBay but they do get music playing at them in the background while they are on eBay pages.

The advert causing this looks like:

[Screenshot: ebay advert playing music]

The chain of requests goes like so.

You visit an item on eBay (and probably many of the other pages too).

This has, among many others, an iFrame that fetches from:

Which then runs some JavaScript to show an advert:  function showAd()

This triggers a request to which is a legitimate advertising network. This responds with:

Interesting to see the price paid in the URL! Mathtag seems to be where things go wrong (as it did last month too). Mathtag respond with some javascript that sends users onto: (also used in last month’s page hijacking).

This malicious website then responds with the advert code:

<div><a href="" target="_blank"><img src="" height="90" width="725"></a>
<img width="300" height="250" src="*600&amp;af=;cn=3049544&amp;cv=5455548&amp;dp=5956238474928068609" style="display:none;">
<iframe src="" style="display: none"></iframe>
<iframe src=";lkid=13266105" style="display:none"></iframe>
<iframe src="" style="display: none" sandbox="allow-scripts allow-same-origin allow-top-navigation-by-user-activation"></iframe>
<iframe src="" style="display:none"></iframe></div>

Job done! While trying to pollute the eBay visitor with referral code tracking for gamiss, zaful, rosegal, gearbest and aliexpress, the zaful page embedded within the advert then has a further embedded YouTube video that plays music!

eBay’s only response to this is blaming the user.

[Screenshot: ebay blaming user for bad adverts]

If you are reading this and are affected.. it isn’t you.. it is eBay (again!). Feel free to send them to this page so they can read up on their own crappy advertising ecosystem and fix it.


Spear Phishing against Painter Decorators

This article is a work in progress, come back in a day or so please.

Unusual one this… a painter decorator friend has been plagued by various attempts at phishing his e-mail logins over the past few months. Each time I’ve got to investigating it the “bad page” in the email link has been removed.

Today I got to one early enough to research it while the site was still active.

It starts with a full e-mail conversation that looks like a client interested in the decorator’s service:

[Screenshot: decorating spear phishing]

The decorator responds… and then gets a reply with a supposed link to a design or work order.

This link is the phishing page, with what looks potentially like a unique id for the phishing attempt.

If the victim clicks the link they are presented with the phishing page prompting them to select their chosen login method:

[Screenshot: decorating spear phishing page]

[Screenshot: decorating gmail phishing example]

And, if they fall for it, the deed is done.

However.. the person behind it didn’t do a good job of hiding who they are. The website is hosted in Russia but the domain involved with the one I investigated:

Registered by Saim Raza. They are, for other scams, using the email addresses “”, “”, “”,  “”, “”, “”, “” and “” mainly using the telephone number “923241237632”.

Supposedly living in Lahore 31050 Pakistan possibly with family Rizwan, Werwer Shahzaf and Noman.. just going by a Google for the telephone number. These associations may be inaccurate.

This information sent me onto a trove of other likely phishing or malicious domains!




Google doesn’t have much about this payment reference. So here is an article to help!

If you have applied to South West Railway / South West Trains for a Delay Repay refund on a delayed journey you will probably see the refund on your bank account as “JOURNEYCALL PINGIT”.

Journeycall are a travel payments refund management company.


My preferred method for deploying Adobe Flash Player on a domain.

I am mainly writing this for my own reference as I always forget the script.
Sadly I also can’t credit the person who wrote this script. I didn’t write it! And I can’t find the source of the script by Googling for keywords within the batch file.
A similar version of the script is here but isn’t as feature rich..

Deploying Adobe Flash is always a pain. Firefox blocks it by default now and Chrome seems very variable – works one day and doesn’t work the next.
Additionally while Adobe do provide an MSI download – it doesn’t actually seem to install when set as a Group Policy Installation item. I’ve always had to fall back to the .exe using the below batch file.

@echo off
setlocal

rem Set this to the DisplayVersion string of the Flash release you are deploying.
SET latestVersion=
SET version=0

IF "%latestVersion%"=="" (
  echo latestVersion is not set - edit this script before deploying.
  goto END
)

rem Pick the uninstall key that matches the OS bitness.
IF "%PROCESSOR_ARCHITECTURE%"=="x86" IF NOT DEFINED PROCESSOR_ARCHITEW6432 goto OS32

echo 64-bit...
SET key="HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX"
goto afteroscheck

:OS32
echo 32-bit...
SET key="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX"
goto afteroscheck

:afteroscheck
echo checking %key% for DisplayVersion
rem If the key or value is missing, Flash ActiveX is not installed at all.
reg query %key% /v DisplayVersion >nul 2>&1
IF ERRORLEVEL 1 goto INSTALL

for /f "delims=" %%i in ('reg query %key% /v DisplayVersion^|Find "REG_"') do (
  rem echo.%%i
  echo.%%i | findstr /C:"%latestVersion%" 1>nul
  if errorlevel 1 (
    echo not current version installed
    Set "version=notcurrent"
  ) ELSE (
    echo Already Installed
    Set "version=current"
  )
)
IF "%version%"=="current" goto LATEST_VERSION

:INSTALL
rem The ActiveX installer will not run while Internet Explorer has the control loaded.
TASKLIST /NH | FIND /I "iexplore.exe" >nul
IF NOT ERRORLEVEL 1 (
  echo Internet Explorer was detected to be running.  Adobe Flash Player installation cannot continue.
  goto END
)

echo Adobe Flash Player for ActiveX not found, installing...
start "FlashAX" /wait "\\contoso.internal\everyone\Adobe Flash Player\install_flash_player_29_active_x.exe" -install
start "FlashPlugin" /wait "\\contoso.internal\everyone\Adobe Flash Player\install_flash_player_29_plugin.exe" -install
start "FlashChrome" /wait "\\contoso.internal\everyone\Adobe Flash Player\install_flash_player_29_ppapi.exe" -install
echo Completed installation of Adobe Flash Player version %latestVersion% for ActiveX.
goto END

:LATEST_VERSION
echo Version %latestVersion% of Adobe Flash Player for ActiveX is already installed.

:END
endlocal

Remember to change latestVersion= to the version of Flash you are installing. Also change the path to the 3 installation files further down in the script.
Hope this helps someone!


Rogue adverts redirecting ebay visitors off-site. ( and


[Screenshot: ebay gamiss advert page]

Today while browsing eBay I was taken off the eBay site several times and onto “”. I did not click or even mouse over any advert.

I’ve seen this happen about 3 or so times in the past year with eBay but today I had time to investigate and trace what is going on.

It looks like eBay are sending visitors to an advertising partner called “” who are in turn then sending the visitor to “”.. who are then sending advert javascript with content referencing “” and “”

[Screenshots: ebay request 1 to ebay request 5]

The most interesting parts of the exchange are…. returning the following Javascript:

They reference something to do with Math Media, an advertising agency or system.

Mathtag then send the following javascript:

        ! function() {
            var e, t = "",
                n = "5a40ca64fc0c4d14be22ffa8",
                r = {},
                o = {
                    10: "2005374866234899183",
                    9: "[SUBID]",
                    8: "https%3A//",
                    7: "[LOCATION_LAT]",
                    6: "[LOCATION_LONG]",
                    5: "[DEVICEID]"
                a = {
                    10: "2903631",
                    9: "5344163",
                    8: "[CUSTOM3]",
                    7: "[CUSTOM4]",
                    6: "[CUSTOM5]",
                    5: "[CUSTOM6]"
                c = {
                    10: "[APP_NAME]",
                    9: "[IDFA]",
                    8: "[AID]"
            try {
                for (var d = 10; d > 4;) r["z" + d] = o[d], r["c" + d] = a[d], d--;
                for (d = 10; d > 7;) r["a" + d] = c[d], d--;
                var i = m(r);

                function m(e) {
                    var t, n;
                    for (var r in "object" == typeof e && (t = ""), e) e.hasOwnProperty(r) && (t = t + "&" + r + "=" + (n = e[r], encodeURIComponent(n)));
                    return t

                function p() {
                    if ( return;
                    for (var e = window; e.parent;) e = e.parent;
                    return e

                function s() {
                    try {
                        return p().document.location.href
                    } catch (e) {
                        try {
                            return p().location.hostname
                        } catch (e) {
                            return function() {
                                try {
                                    var e = window.parent.location.ancestorOrigins;
                                    if (e && e.length >= 1) return e[e.length - 1]
                                } catch (e) {}

                function l(e) {
                    if ("" !== e.responseText) {
                        var t, n = document.createElement("div");
                        n.innerHTML = "<div>" + e.responseText + "</div>", n = n.firstChild, document.body.appendChild(n);
                        var r = document.getElementById("adder-inisder"),
                            o = n.getElementsByTagName("script");
                        if (o.length > 0)
                            for (var a = 0; a < o.length; ++a) {
                        r.parentNode.appendChild(n), r.parentNode.removeChild(r)
                    } else {
                        (t = document.createElement("div")).className = "ad-serve-image", t.innerHTML = '<a>  <img src="" height="250" width="300"> </a>', document.getElementById("adder-inisder").parentNode.appendChild(t);
                        var c = document.getElementById("adder-inisder");

                function u(e) {
                    var t = document.createElement("script");
                    e && (e.text ? t.text = e.text : e.src && (t.src = e.src)), e.parentNode.appendChild(t), e.parentNode.removeChild(e)

                function h() {
                    if (200 !== this.status) {
                        if ("complete" !== document.readyState) var e = setInterval(function() {
                            "complete" === document.readyState && (clearInterval(e), f())
                        }, 140);
                        "complete" === document.readyState ? f() : l(this)
                    } else l(this)

                function f() {
                    try {
                        e = !(window.self ===
                    } catch (t) {
                        e = !0
                    var r = t.concat("/?pid=") + n,
                        o = {};
                    e ? ( = function() {
                        try {
                            return p().document.URL
                        } catch (e) {
                            try {
                                return p().frames[0].document.referrer
                            } catch (e) {}
                    }() || "", = s() || "") : ( = window.location.hostname, = function() {
                        try {
                            for (var e = document.getElementsByTagName("meta"), t = 0; t < e.length; t++) {
                                var n = e[t];
                                if ("og:url" === return n.getAttribute("content")
                        } catch (e) {}
                    }() || ""), r += m(o), r += i;
                    var a = new XMLHttpRequest;
                    a.onload = h,"GET", r), a.send()
            } catch (e) {

This code looks like it is supposed to be showing the following advert, possibly if the browser doesn’t support JavaScript(?), but it also triggers yet another request to (see the last screenshot) which responds with:

<a href="*600" target="_parent"><img width="725" height="90" src=""/></a>
<img width="725" height="90" src="*600&af=[URL]&cn=[CUSTOM1]&cv=[CUSTOM2]&dp=[CB]" style="display:none;">
<iframe src="" style="display: none"></iframe>
<iframe src="" style="display:none"></iframe>
<iframe src="" style="display:none"></iframe>
<iframe src="" style="display:none"></iframe>

And the deed is done. Something within the iframe for gamiss hijacks the entire page and takes you off ebay. It looks like an attempt to deploy affiliate cookies to people so that when, and if, they visit the websites referenced above and make a purchase – the person behind the junk adverts gets a kickback.
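Both this post and the zaful one above come down to the same creative pattern: third-party pages loaded in hidden iframes, with no sandbox to stop the hijack. The checker below is an added example (not eBay’s or any ad network’s code) that audits a creative for those patterns; the sample creative and its hosts are constructed, since the real URLs did not survive on this page.

```python
"""Audit an ad creative for what both eBay posts describe: third-party pages
loaded in invisible iframes (affiliate cookie stuffing) and iframes that the
publisher has not sandboxed, so their scripts can navigate the top-level page."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed creative modelled on the two quoted in the posts; the real
# advertiser URLs were stripped from the page, so these hosts are placeholders.
SAMPLE_CREATIVE = """
<div><a href="https://tracker.example/click?id=1" target="_blank">
<img src="https://cdn.example/banner.png" height="90" width="725"></a>
<img width="300" height="250" src="https://pixel.example/imp?cn=3049544" style="display:none;">
<iframe src="https://shop-a.example/?lkid=13266105" style="display:none"></iframe>
<iframe src="https://shop-b.example/landing" style="display: none"
        sandbox="allow-scripts allow-same-origin allow-top-navigation-by-user-activation"></iframe>
<iframe src="https://shop-c.example/promo" style="display:none"></iframe></div>
"""

AFFILIATE_PARAMS = {"lkid", "aff", "affid", "ref", "utm_source"}  # lkid is the one seen in the post

def _is_hidden(style):
    return "display:none" in (style or "").replace(" ", "").lower()

class CreativeAuditor(HTMLParser):
    """Records every img/iframe with its host, visibility and sandbox state."""

    def __init__(self, publisher_host):
        super().__init__()
        self.publisher_host = publisher_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "img"):
            return
        a = dict(attrs)
        url = urlsplit(a.get("src") or "")
        host = url.hostname or ""
        finding = {
            "tag": tag,
            "host": host,
            "hidden": _is_hidden(a.get("style")),
            "third_party": bool(host) and not host.endswith(self.publisher_host),
            "affiliate_params": sorted(k for k in parse_qs(url.query) if k.lower() in AFFILIATE_PARAMS),
        }
        if tag == "iframe":
            sandbox = a.get("sandbox")
            # No sandbox attribute: the frame's script may set top.location (the
            # off-site hijack).  allow-top-navigation* still permits it.
            finding["can_navigate_top"] = sandbox is None or "allow-top-navigation" in sandbox
        self.findings.append(finding)

def audit_creative(html, publisher_host="ebay.com"):
    auditor = CreativeAuditor(publisher_host)
    auditor.feed(html)
    return auditor.findings

def rejection_reasons(findings):
    """Reasons a creative reviewer should bounce this ad; an empty list means clean."""
    reasons = []
    stuffing = [f for f in findings if f["tag"] == "iframe" and f["hidden"] and f["third_party"]]
    if stuffing:
        reasons.append("%d hidden third-party iframes (cookie stuffing)" % len(stuffing))
    for f in findings:
        if f["tag"] == "iframe" and f["can_navigate_top"]:
            reasons.append("iframe to %s may navigate the top page" % f["host"])
        if f["affiliate_params"]:
            reasons.append("affiliate parameter %s in load from %s" % (",".join(f["affiliate_params"]), f["host"]))
    return reasons

if __name__ == "__main__":
    for reason in rejection_reasons(audit_creative(SAMPLE_CREATIVE)):
        print("REJECT:", reason)
```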

Piss poor vetting and subsequent takedown of rogue adverts. This has been a problem for at least a couple of days at this point. eBay is what I’ve seen people refer to as a “dumpster fire”. Lacking competition and drive to do things right.

Looking into the domain involved more ( it seems that the following person is the owner of the domain:

Name Thevar
Organization Mahesh
Street Address

Phone 919029929719

They also own other similarly named and fishy looking domains:

Suspiciously low cost Office 365 accounts are a bad idea!

I’m going to cut to the chase right at the top here. The person behind this specific Office 365 subscription and setup is: with what appears to be an invalid UK format phone number (4414402325)

While hunting for a low cost way to get Office 2016 I came across eBay sellers and forum posts touting Office 365 accounts for as low as $1.

In this instance the domains associated with this are:
and the company name associated with the account is “inc”.

It looks like there are at least 662,053 users on the domain(s).. so a lot of fraudulent accounts. If each one sold for $1 there is potential for a pretty decent income for the person breaking the Microsoft tenant terms.

The account I managed to get hold of had the subscription “Office 365 A1 Plus for faculty” assigned to it. This is an educational subscription for which Microsoft do not charge the establishment. They are meant for staff only and are only valid for the period that the staff member works for the establishment.

Software piracy is nothing new.. what is new is software piracy twinned with “Cloud Computing”. Essentially victims are joining the software on their computers and the OS on their mobile devices (tablets, phones etc.) to a cloud administration and delivery service.

ObjectId                             DisplayName UserPrincipalName         UserType
--------                             ----------- -----------------         --------
6feaec4c-a03d-47b8-a91e-91763ca15acf new93193 Member
410a9f71-b35b-498b-9359-66b00f61294e newera12 Member
35484d0b-3728-486a-8c12-32925fcce783 Newloib Member
90195ce8-d191-4405-b794-1f6c2e8f69e7 newo           Member
35cab5e1-a57b-4776-bd66-37b6a14344f7 newton1982 Member
fc37f5ed-f2fa-472c-a6fe-4db7f4a78d0d Newupmm Member
33b1c685-e7fa-48f9-8cc3-6a373b451a78 Newuyru Member

Out of the 662,053 users there appears to be about 28,700 devices registered against the Office 365 Azure AD.

With just a normal “user” account you can list all the devices, find their name, OS version and the last logon time. Some even appear to have joined their entire windows machine to the Azure AD domain.

DESKTOP-524MHQJ     Windows      10.0.16299.0    AzureAd         26/01/2018 13:01:53
LAPTOP-HH8A7UON     Windows      10.0.15063.0    Workplace       30/12/2017 09:29:07
iPhone              iPhone       11.2            Workplace       04/12/2017 04:18:02
DESKTOP-204GR9D     Windows      10.0.16299.0    Workplace       11/01/2018 03:57:02
Redza Harith        iPhone       11.2.5          Workplace       29/01/2018 18:56:19
stockroom           Windows      10.0.16299.0    Workplace       30/01/2018 19:15:03
DESKTOP-4R1702H     Windows      10.0.15063.0    Workplace       06/12/2017 13:04:42
ExoticNympho        Windows      10.0.15063.0    Workplace       06/12/2017 11:05:53
user-PC             Windows      10.0.16299.0    Workplace       21/01/2018 08:29:24

All the mailing list group names are visible to any other user too – but luckily, for most, the members and content are not. There are about 1,600 mailing lists / groups visible on the tenant. A selection is below.

ObjectId                             DisplayName                                      Description
--------                             -----------                                      -----------
00319e30-08c1-4f0a-a94a-4615902dba7f BDB Group IT                                     Group IT Document
00630644-ae08-4892-967a-e94ce2443c7e Giesse                                           Giesse
00b53ca7-98fd-4207-8e19-6b5cc0f24d40 CMDB                                             CMDB
00b7dd8b-c55e-42bc-b915-4b03fe333bb7 proba                                            proba
01071288-059e-4650-adf9-ddfc70e7866d Buying house                                     Buying house
0141e0cd-8dd4-4d87-933c-e4060dcf7c07 HASA-MCH-TRAINING                                للاستخدام بتعليم المستمر         

Some people have even joined their OAuth and other data sharing devices and apps to it!

AvailableToOtherTenants    : True
DisplayName                : owncloud external1

AvailableToOtherTenants    : True
DisplayName                : IperiusBackup

DisplayName                : PCS
LogoutUrl                  :
DisplayName                : PCS
KeyCredentials             : {class KeyCredential {
                               EndDate: 31/12/2099 12:00:00
                               KeyId: 2eebea6e-2bc0-4a04-938f-ffc4596aa262
                               StartDate: 02/02/2018 08:32:27
                               Type: AsymmetricX509Cert
                               Usage: Verify
                               Value: }}
LogoutUrl                  :

It all looks like a disaster waiting to happen.

Further research to do with the associated domain names…
Also associated with,,, and
Also associated
Also associated with,,,,,,,,,,,, and
Also associated with and



“” CEO / Director wire transfer fraud

A recently registered domain is being used in attempts to defraud companies and organisations out of money using BACS / Bank transfers.
Registrant details are a fictitious company at a real address.

 Derek Mugley

Trading as:
 Mugley Co

Registrant's address:
 Sheffield Road 443
 S41 8LT
 United Kingdom

Relevant dates:
 Registered on: 14-Jan-2018
 Expiry date: 14-Jan-2020
 Last updated: 14-Jan-2018

The scam starts with a contact within a company or organisation being sent an e-mail.. supposedly from the director or CEO of the company. In this instance the scammer failed and guessed, incorrectly, at the e-mail format for the organisation. The address in question doesn’t exist and has never existed. The person they chose to imitate doesn’t even use a computer regularly, let alone email.

[Screenshot: director spoof fraud wire transfer email]

“Quick question – could you let me know the cut off time for processing same day payments?”

Sender Policy Framework (SPF), in this instance, highlighted the forgery to the recipient.

Headers of the email are as follows:

Received: from ( by ( with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
 15.20.428.12 via Frontend Transport; Thu, 18 Jan 2018 11:08:10 +0000
Received: from ([])
	by :WBEOUT: with SMTP
	id c82kezjlTYt7tc82keBm7t; Thu, 18 Jan 2018 04:07:38 -0700
X-SID: c82kezjlTYt7t
Received: (qmail 2879 invoked by uid 99); 18 Jan 2018 11:07:38 -0000
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"
User-Agent: Workspace Webmail 6.8.19
Message-ID: <>
From: David REDACTED <>
Reply-To: David REDACTED <>
To: <>
Subject: Morning
Date: Thu, 18 Jan 2018 04:07:36 -0700
MIME-Version: 1.0

It looks like the scammer is using a GoDaddy webmail account that belongs to “” and has an “identity” setup on the webmail to send / spoof the from address as the supposed impersonated director. The reply to address has been set to the newly registered domain with the email “”

The email was submitted to GoDaddy from a Sky Broadband IP address possibly based in Oxfordshire.
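The three tells in those headers (a diverted Reply-To under the same display name, a days-old reply domain, and webmail submission for a supposedly internal sender) can be checked mechanically. Added example, not part of the post; the header block and the WHOIS date are constructed to match the shape of the ones quoted here, with placeholder addresses and hosts.

```python
"""Pick out, from raw headers, the three tells the post describes: From and
Reply-To carry the same display name but different domains, the Reply-To
domain is days old, and a message claiming to be internal was submitted via
a third-party webmail.  Header block and WHOIS date are constructed to match
the post's (addresses and hosts were stripped from the page)."""
import email
from datetime import date
from email import policy
from email.utils import parseaddr

RAW_HEADERS = """Received: from mail-gateway.example.net (192.0.2.1) by mx.victim.example
 (192.0.2.2) with Microsoft SMTP Server id 15.20.428.12; Thu, 18 Jan 2018 11:08:10 +0000
Received: from webmail.provider.example ([192.0.2.10])
 by :WBEOUT: with SMTP id c82kezjlTYt7tc82keBm7t; Thu, 18 Jan 2018 04:07:38 -0700
Received: (qmail 2879 invoked by uid 99); 18 Jan 2018 11:07:38 -0000
User-Agent: Workspace Webmail 6.8.19
Message-ID: <c82kezjl@webmail.provider.example>
From: David REDACTED <david@victim.example>
Reply-To: David REDACTED <david@victim-co.example>
To: <accounts@victim.example>
Subject: Morning
Date: Thu, 18 Jan 2018 04:07:36 -0700
MIME-Version: 1.0

"""

# Registration date from the post's WHOIS extract (14-Jan-2018), keyed by a placeholder domain.
CONSTRUCTED_WHOIS = {"victim-co.example": date(2018, 1, 14)}

def split_address(value):
    """'Name <user@host>' -> (name, user@host, host) with the domain lower-cased."""
    name, addr = parseaddr(value or "")
    return name, addr, addr.rpartition("@")[2].lower()

def analyse(raw, our_domain, whois=CONSTRUCTED_WHOIS, max_age_days=30):
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_name, _, from_dom = split_address(str(msg.get("From", "")))
    reply_name, reply_addr, reply_dom = split_address(str(msg.get("Reply-To", "")))

    # 1. Replies are diverted to a different domain than the one displayed.
    if reply_addr and reply_dom != from_dom:
        findings.append("reply-to domain %s differs from from domain %s" % (reply_dom, from_dom))
        if reply_name == from_name:
            findings.append("same display name on both addresses (impersonation)")

    # 2. The reply-to domain was registered just before the mail was sent.
    sent = msg["Date"].datetime.date() if msg.get("Date") else None
    registered = whois.get(reply_dom)
    if sent and registered and (sent - registered).days <= max_age_days:
        findings.append("reply-to domain registered %d days before the mail" % (sent - registered).days)

    # 3. Claims to come from us, but was submitted through somebody else's webmail.
    agent = str(msg.get("User-Agent", ""))
    if from_dom == our_domain and "webmail" in agent.lower():
        findings.append("internal sender but submitted via external webmail (%s)" % agent)
    return findings

if __name__ == "__main__":
    for line in analyse(RAW_HEADERS, "victim.example"):
        print("-", line)
```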

The scam would play out as so….

You get an email and the fraudster is counting on the fact that:

- They’ve guessed that the board member’s email address is and you think it is legitimate.
- They hope you don’t notice, when you click reply, that the email address you are sending back to is different.
- They hope you don’t notice that the request / question is very unusual.

If you reply to the initial question about payment they will then send another request similar to: I need you to make a quick wire of £24,730 to cover a payment, I will send you the expenditure details for proper coding later today.

Along with some destination bank details.

They are just attempting to get people to wire X thousands of pounds and by the time (12 hours, 24 hours or more) that the company notices that the payment wasn’t legitimate the scammer is long gone as is the money.


Whatsapp spreading spam “IDN” links ( /

Today I delved into a bit of Whatsapp spam doing the rounds in the UK.


This junk spreads using a Whatsapp message the same or similar to:

“Hey ! Waitrose celebrates its 113th anniversary and giving away FREE gift voucher worth of £250 to everyone ! click here to get yours : http://www.waı  Enjoy .”

The domain involved is an “IDN” (Internationalized Domain Name): a domain name that can have more than just a-z and 0-9 as letters. They can contain international characters which look very much like normal alphabet letters.
(When these were launched people voiced their concerns about attacks like this.. and here they are.)

In this instance the i in waitrose has been replaced with a different international letter.

The domain name that people are actually visiting (but is hidden behind the IDN system) is . The domain is registered via a whois privacy service but there are still some clues as to who is running the spam site.

The website is served from an Amazon AWS host and the DNS infrastructure doesn’t give any clues away.

However the source of the spam site has one unique bit of information: a Google Analytics / Tag Manager code of “UA-96118136-18”. The first part of this code (“UA-96118136”) is used to identify a specific Google Analytics account. The number at the end identifies the website under that account.
This code leads on to several other similar scam domain names:

- Another Waitrose domain.
- (Delta airlines?) Seen using UA-96118136-23
- Which translates to lidǀ.com (another EU supermarket), seen using UA-96118136-6 (“Lidl is celebrating its 42nd anniversary and giving away free gift vouchers worth €250 each! I just received mine, click here to get yours: http://www.lidǀ.com/Bon Thanks later.”)
- Which translates to www.ıĸ seen using UA-96118136-31
- Which translates to www.costcơ.com (international wholesale supermarket), seen using UA-96118136-46
- (Southwest airlines?) Seen using UA-96118136-38
- Which translates to www.asđ (a UK supermarket), seen using UA-96118136-20
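The same pivot can be automated: fold a domain label to the Latin letters a reader perceives and compare it with a brand list. Added example, not code from the post; the brand list and sample domains are constructed from the substitutions described above (the page’s own look-alike domains are only partly preserved), and it goes beyond the post’s cases by also stripping accents and horns generically.

```python
"""Detect look-alike domains of the kind behind the WhatsApp spam: the
non-ASCII letters are swapped for the Latin letters they resemble and the
result is compared against a brand list.  BRANDS and the sample domains are
constructed from the substitutions the post describes, not taken verbatim."""
import unicodedata

# Brands the post says were impersonated (lowercase registrable labels).
BRANDS = {"waitrose", "lidl", "costco", "asda"}

# Letters that do not decompose under NFKD yet read as a plain Latin letter.
CONFUSABLES = {"ı": "i", "ǀ": "l", "ĸ": "k", "đ": "d", "ł": "l", "ø": "o", "ɡ": "g"}

def skeleton(label):
    """Fold a label to the ASCII a reader perceives: strip accents/horns, map confusables."""
    out = []
    for ch in unicodedata.normalize("NFKD", label.lower()):
        if unicodedata.combining(ch):
            continue          # e.g. the horn on ơ, leaving o
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)

def registrable_label(host):
    """'www.waıtrose.com' -> 'waıtrose' (second-level label; public-suffix handling omitted)."""
    parts = host.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def to_punycode(host):
    """The xn-- form the resolver actually looks up; None if the name is not encodable."""
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None

def check(host):
    label = registrable_label(host)
    folded = skeleton(label)
    return {
        "host": host,
        "punycode": to_punycode(host),
        "non_ascii": not label.isascii(),
        # Only a hit when the folded label is a brand AND the original is not that brand.
        "impersonates": folded if folded in BRANDS and folded != label else None,
    }

def scan(hosts):
    """Return the subset of hosts that impersonate a brand, with the brand named."""
    return {h: r["impersonates"] for h in hosts for r in [check(h)] if r["impersonates"]}

if __name__ == "__main__":
    # Constructed from the post's description of the substituted letters.
    samples = ["www.waıtrose.com", "lidǀ.com", "www.costcơ.com", "www.asđa.com", "www.waitrose.com"]
    for host, brand in scan(samples).items():
        print("%-20s -> %-30s impersonates %s" % (host, to_punycode(host), brand))
```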

The website owner is also quite keen to prevent desktop users from seeing the page. There is some basic javascript to forward any screen resolution above 1000 pixels wide to a 404 page.

When you are using a mobile page you are given a series of supposed survey questions – none of these question responses are stored anywhere or sent anywhere.

It then asks you to share the page with WhatsApp friends. Once you’ve done this 15 times it forwards you to another page. (They don’t verify: just click the button 15 times and back out of sending the message, or, like in my case, don’t have WhatsApp installed so it can’t even attempt to send.)

var c = 0;                                   // share-button click counter
$(document).ready(function() {
    // "Share on WhatsApp" button: the counter is incremented on every click;
    // nothing checks whether a message was actually sent.
    $("#b1").on('click', function() {
        c++;
        if (c > 15) {
            // Past the 15th click the page navigates to the next hop. The
            // original builds a link with these attributes (URL not reproduced):
            //   href: "",
            //   target: "_self"
            window.location = "";
        }
    });
    // "Continue" button: only works once the counter has passed 15.
    $("#b2").on('click', function() {
        if (c > 15) window.location = "";
        else window.alert("Share it with friends on WHATSAPP on our anniversary promotion!\n\n You must share to proceed " + c);
    });
});

The page it forwards to is a simple single-line page that forwards the user on to:

The above host is simply a CNAME alias for “”, a statistics tracking service.
This tracking service then redirects visitors to

The above domain / page is probably the last of the “scammy” pages. The visitor is then redirected to what seems to be a “genuine” “Ocean Cloud” survey and competition:
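Chains like this are easiest to unpick one hop at a time, without letting the client follow redirects automatically, because individual hops key on the Referer and User-Agent. The following added example (not from the original post) does that with the standard library; the fetch function is pluggable so the tracer can be exercised offline on a constructed chain, and the mobile User-Agent string and the .example hosts are placeholders.

```python
import urllib.error
from typing import Callable, List, Optional, Tuple
from urllib.parse import urljoin
from urllib.request import HTTPRedirectHandler, Request, build_opener

# Assumed mobile User-Agent: this chain serves a 404 to desktop browsers.
MOBILE_UA = ("Mozilla/5.0 (Linux; Android 8.0; SM-G950F) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/63.0 Mobile Safari/537.36")

Fetch = Callable[[str, Optional[str]], Tuple[int, Optional[str]]]


class _NoRedirect(HTTPRedirectHandler):
    """Make urllib hand back 3xx responses instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url: str, referer: Optional[str]) -> Tuple[int, Optional[str]]:
    """One real HTTP hop: (status, Location header or None)."""
    headers = {"User-Agent": MOBILE_UA}
    if referer:
        headers["Referer"] = referer
    opener = build_opener(_NoRedirect)
    try:
        resp = opener.open(Request(url, headers=headers), timeout=10)
        return resp.getcode(), resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # unfollowed 3xx (and 4xx/5xx) land here
        return err.code, err.headers.get("Location")


def trace_chain(start: str, fetch: Fetch = http_fetch,
                referer: Optional[str] = "https://www.google.com/",
                max_hops: int = 10) -> List[Tuple[str, object]]:
    """Follow Location headers one hop at a time.

    Returns [(url, status), ...]; the last entry is the final landing page, a
    non-redirect error, or (url, "loop") if the chain cycles.  The first
    request carries a Google referer (the chain in this post keys on it);
    every later hop sends the previous URL as its referer, as a browser would.
    """
    chain: List[Tuple[str, object]] = []
    seen = set()
    url = start
    for _ in range(max_hops):
        status, location = fetch(url, referer)
        chain.append((url, status))
        if not (300 <= status < 400) or not location:
            break
        seen.add(url)
        nxt = urljoin(url, location)  # Location may be relative
        if nxt in seen:
            chain.append((nxt, "loop"))
            break
        referer, url = url, nxt
    return chain
```

Running trace_chain twice, once with the Google referer and once with referer=None, shows directly which hop is doing the referer gating described at the top of this post; JavaScript or meta-refresh hops will stop the trace at a 200 and need the page body inspected by hand.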


After bombarding you with demands for your name, date of birth, postal address and then telephone number, it asks tens of survey questions. Within a few minutes of completing the survey it sends at least five e-mails and one text message of assorted spam; the e-mails have been for casinos and bitcoin.

The text message read

“You’ve Won a
Free Bitcoin System
Claim it NOW here:”

It eventually ends by redirecting you back to (I believe) the scammer-controlled page, passing your telephone number along to them as well:

They in turn redirect you to yet another “offer”:

On this page (“A brand of SB7 Mobile Ltd.”) the terms and conditions hidden at the bottom note that you are signing up to a £4.50-a-week SMS service. The page already has your number filled in (from the spam survey you have just completed).

I presume the scammers get paid an affiliate fee each time they refer someone, and their method of generating leads and referral fees is to trick people into sending spam WhatsApp messages.

Thoroughly scammy.

On a side note, the service shown in the last screenshot is called “”. This company appears to handle the sign-up process for the premium-rate (reverse-charge) SMS spam.
They seem to handle sign-ups for the following companies (some of which show the same postal address):
– “SPTwo Ltd” /,,
– “SB7 Mobile Ltd” / aka “Alerts 4 U”,
– “KPMobTech Ltd” /

Associated domains on the pinchecker servers include “”, a website that leaks customer telephone numbers, something they could be fined heavily for once the EU GDPR comes into effect.

Update: After just over a week of completing the above I then also got a text:

From: +60441
Free msg: Hi , thanks for completing the telephone survey, now text back YES to confirm your number. Help 03447451791

Part of the same organisation? Or someone they sold their list to who now want me to opt in?

From: +447860064308 / 07860064308
We are contacting you as you could be owed up to £2,442 if you were miss-sold PPI. Reply POST to receive your FREE check or STOP to opt-out, H&H

From: DavidShow
This new system is
The same one like the one
I’m using:

About a month later I got the following “reminder” SMS, which reveals another domain name associated with it:

From +88222
FreeMsg: Reminder: U are a member of for £1.50 per alert (max £4.50 per week) until you send STOP to 88222. Help? 03301340181

From +447520660227
We have been trying to contact you re your PPI Claim. We now have details of how much you are due. Reply POST for your pack or END to OptOut

From Maria
Thats the system u ask me about few times:

Another piece of junk sent to the honeypot number that was only ever given to them:

From +447418340104
If you have had a 3 hour+ delay for a flight in the last 6 years reply YES to claim compensation of up to £520 per person or reply STOP to opt-out, Airfair

An email on 7th Feb at 11:27pm mentions bitcoin, “” and “”.
Followed by an SMS (grr, that late at night!?) at 11:28pm saying:
From Account Dep
Dear ,
Your Bitcoin account has been activated.
Your current balance is: 10,090.18 Pounds.
Claim your Funds Now:

With this latest spam I’ve finally got the name of a person!

Who is also associated with 85 other domains, most of which look suspicious:

I’ve also had calls to my honeypot number from
020 8077 8840 – These people have called 7 times!
01792 272252 – 4 calls
01473 371629 – 3 calls.

1st March 2018 – Another SMS with another domain:
SMS from “Mark C”
I need you to be my beta tester.
Test my system and get it free:

7th March 2018 – Another SMS with another new domain, registered on 5th March:

SMS from “Robert”
This system change the world
test it and get it free:

10th March 2018 – This time a bit of spam that uses as the landing page.

SMS from “FreeCompare”
TestersKeepers needs you to review and KEEP an £18K Audi A3 for FREE – apply by 31/03/18

Stop? END to 07860020187

12th March 2018 – Another new domain.

SMS from “Danny”
Dear VIP member:
enjoy my new system:

16th March 2018 – another new domain “”

22nd March 2018 – another new bit of spam, this time using Google's URL shortening service; Google has already disabled the link. None of these text messages carries any sign of an unsubscribe procedure (which I am pretty sure is against the rules on SMS marketing).

SMS from Amanda
IM giving you my new free system.
test it and keep th eprofits:

27th March 2018 12:11am:

SMS from Emma
Where have you been? this is your final chance to beta test my amazing software…. Try now:

27th March 2018 13:48:

SMS from Chris
here is that new deal we mentioned last week

Forwards to

28th March 2018:

SMS from David W
The new upgrade is ready you can have it free now:

29th March 2018:

SMS from Support
Only 2 spots left for this amazing VIP package…. Collect it now


SMS from +447491163257
We are contacting you as you could be owed up to £2,442 if you were miss-sold PPI. Reply POST to receive your FREE check or STOP to opt-out, Hall & Hanley

30th March 2018:

SMS from Terence
I’m going to give you 500$
To test my new system:

2nd April 2018:

SMS from Account82
Dear , your scheduled payout needs confirmation. Please verify your account –

SMS from Denis

your upgrade is ready.
you can start use it now to make profits:

3rd April 2018:

SMS from Stevan
Hi Yes thats the same system im using to make profits daily:

5th April 2018:

SMS from Steven
, This is your LAST CHANCE!!! Only 1 Seat left… Collect Here:

6th April 2018:

SMS from Gorge
it’s your lucky Easter
you win Free system

9th April 2018:

SMS from Nikos
This is your LAST CHANCE!!! Only 1 Seat left… Collect Here:

11th April 2018:

SMS from Support
The upgrade for your system is ready.
Its valid for the next 24hr:
Also associated URL:

12th April 2018:

SMS from Jasson
Its your time to change your life.
Extra 1000¿ income :

13th April 2018:

SMS from Support
Hi {"name":""}
This is the system I told u about.
I’m making over 500$ every day:

17th April 2018:

SMS from Emma
its your lucky day.
you win my new system:
Associated URLS: and and

25th April 2018:

SMS from StevanT
This is your lucky day
sign here and get free 1000¿
Associated URLS , and

14th May 2018:

Are you ready to make over $2500 in the next 24 hours! Click here to learn more: | Opt out:
The associated URL doesn't lead anywhere; it is hosted on what looks like shared hosting at Amazon, and the domain is registered using a privacy service. This is the first message to contain unsubscribe instructions!
