If you try to create a migration endpoint on Office 365 to migrate users from an existing exchange server and it fails – Microsoft tries to tell you to view the following URL: https://technet.microsoft.com/library/jj874458(v=exchg.150).aspx
However.. the page doesn’t exist! Thanks Microsoft.
However the following page seems to contain a lot of the information that I _think_ might have been on the above URL:
This is a mirror of what used to be on the URL http://www.commsolutions.com/2012/09/two-ways-to-push-wlan-profiles-to-your-windows-devices/
I did not write the content and claim no praise for it.. The above URL appears to no longer be valid and the information doesn’t seem to exist on any other website other than archive.org. I am also posting a copy here should the archive.org version expire or be unavailable for some reason.
Content originally by Comm Solutions.
Today we’ll look at two ways besides Aruba’s QuickConnect or CloudPath to push WLAN profiles to your Windows devices….
CONFIGURING WLAN POLICIES VIA GROUP POLICY FOR DOMAIN MEMBER WINDOWS CLIENTS:
Within a Windows Server and Active Directory domain, Group Policy allows you to push network profiles to domain-joined computers. You can do this by container or globally, by specifying wireless settings for clients running Windows 7, Windows Vista, Windows XP, as well as Server 2008 versions (although I don’t know of too many 2008 Servers running WLAN cards…)
If your domain controllers are Windows Server 2003/2003R2, the Active Directory schema has to have been extended to add the wireless GPO support, and you’re better off to run the GPO plugin on a Vista/Win7 machine to ensure that WPA2 support exists. Open the Microsoft Management Console (MMC), open the Group Policy snap-in, navigate to Computer Configuration>Windows Settings>Security Settings>Wireless Network (IEEE 802.11) Policies, and begin your WLAN configuration.
If your domain controllers are Windows Server 2008/2008R2, use the Group Policy Management Console (GPMC) and navigate to Computer Configuration>Policies>Windows Settings>Security Settings>Wireless Network (IEEE 802.11) Policies, and create policies for XP and/or your Win7/Vista clients.
NON-DOMAIN/NON-ACTIVE DIRECTORY WINDOWS PROFILE EXPORT/IMPORT:
For non-domain machines, you can configure the wireless settings via the Netsh tool. This works for clients running Windows Vista/Win7 and perhaps Win8. You can run the commands locally on a machine to create the export, and on each new client machine locally or remotely via a share/UNC. You can manually type the import or script them in your batch files or login script.
The Netsh tool doesn’t let you directly configure a whole lot of anything but it lets you export an existing wireless profile (and this same process can be utilized to sync IAS/NPS servers, but that’s another story) and import it into other machines (and a similar process can be utilized to sync IAS/NPS server configurations, but that’s another tech tip. So we need to first export the configuration from a working client that has had a profile created for the desired ESSID/WLAN.
You can display the configured WLAN network profile(s) with the following command:
netsh wlan show all
Now you can export the desired profile, using the profile name as listed by the previous command:
netsh wlan export profile name=PROFILE_NAME
On other machines you can now import the profile using the filename of the XML file you exported from the source machine:
netsh wlan add profile filename="WLANPROFILE.xml"
Using remote netsh you can also import to a remote computer on the network:
netsh wlan add profile filename="WLANPROFILE.xml" –r COMPUTER_NAME -u DOMAINUSERNAME-p PASSWORD
I’ve spent about an hour and a half on this problem and the internet has nearly no results on how to fix the issue so I’m going to post the solution.
Problem
Phone system based on asterisk 1.8 (running on OpenWRT on an AMD Geode ALIX box) is working fine for all internal calls, external to internal calls and internal to external calls.
Internal calls to voicemail work
External calls to voicemail plays the greeting and asks the caller to record a message. Asterisk records 1 or 2 seconds of audio and then the caller gets cut off.
Asterisk reports:
[May 9 22:57:09] WARNING[3547]: app.c:977 __ast_play_and_record: No audio available on SIP/siptrunkprovider-1-00000005??
If you enable debug logging you see a bit more information that you think might point you in the right direction..
[May 9 22:57:04] DEBUG[3547]: channel.c:5297 set_format: Set channel SIP/siptrunkprovider-1-00000005 to write format alaw [May 9 22:57:04] DEBUG[3547]: app.c:1490 ast_lock_path_lockfile: Locked path '/var/spool/asterisk/voicemail/default/0404/INBOX' [May 9 22:57:04] DEBUG[3547]: app.c:1507 ast_unlock_path_lockfile: Unlocked path '/var/spool/asterisk/voicemail/default/0404/INBOX' [May 9 22:57:04] DEBUG[3547]: channel.c:5297 set_format: Set channel SIP/siptrunkprovider-1-00000005 to write format gsm [May 9 22:57:04] DEBUG[3547]: channel.c:5297 set_format: Set channel SIP/siptrunkprovider-1-00000005 to write format alaw [May 9 22:57:04] DEBUG[3547]: app.c:894 __ast_play_and_record: play_and_record: <None>, /var/spool/asterisk/voicemail/default/0404/tmp/1s4hH1, 'wav49|gsm|wav' [May 9 22:57:04] DEBUG[3547]: app.c:918 __ast_play_and_record: Recording Formats: sfmts=wav49 [May 9 22:57:04] DEBUG[3547]: dsp.c:489 ast_tone_detect_init: Setup tone 1100 Hz, 500 ms, block_size=160, hits_required=21 [May 9 22:57:04] DEBUG[3547]: dsp.c:489 ast_tone_detect_init: Setup tone 2100 Hz, 2600 ms, block_size=160, hits_required=116 [May 9 22:57:04] DEBUG[3547]: channel.c:5297 set_format: Set channel SIP/siptrunkprovider-1-00000005 to read format slin [May 9 22:57:07] DEBUG[3547]: app.c:974 __ast_play_and_record: One waitfor failed, trying another [May 9 22:57:09] WARNING[3547]: app.c:977 __ast_play_and_record: No audio available on SIP/siptrunkprovider-1-00000005?? [May 9 22:57:09] DEBUG[3547]: channel.c:5297 set_format: Set channel SIP/siptrunkprovider-1-00000005 to read format alaw [May 9 22:57:09] DEBUG[3547]: app.c:1490 ast_lock_path_lockfile: Locked path '/var/spool/asterisk/voicemail/default/0404/INBOX' [May 9 22:57:09] DEBUG[3547]: app.c:1507 ast_unlock_path_lockfile: Unlocked path '/var/spool/asterisk/voicemail/default/0404/INBOX' [May 9 22:57:09] DEBUG[3547]: app_voicemail.c:4917 sendmail: Attaching file '/var/spool/asterisk/voicemail/default/0404/INBOX/msg0000', format 'WAV', uservm is '2048', global is 2048 [May 9 22:57:09] DEBUG[3547]: app_voicemail.c:4928 sendmail: Sent mail to voicemaildestination@domain.com with command '/usr/sbin/sendmail -t' [May 9 22:57:09] DEBUG[3547]: pbx.c:5544 __ast_pbx_run: Spawn extension (default,main,3) exited non-zero on 'SIP/siptrunkprovider-1-00000005' [May 9 22:57:09] DEBUG[3547]: channel.c:2735 ast_softhangup_nolock: Soft-Hanging up channel 'SIP/siptrunkprovider-1-00000005' [May 9 22:57:09] DEBUG[3547]: channel.c:2884 ast_hangup: Hanging up channel 'SIP/siptrunkprovider-1-00000005' [May 9 22:57:09] DEBUG[3547]: chan_sip.c:6534 sip_hangup: Hangup call SIP/siptrunkprovider-1-00000005, SIP callid 2017050923565400001@2700-0344-0103-283 [May 9 22:57:09] DEBUG[3547]: chan_sip.c:6150 update_call_counter: Updating call counter for incoming call [May 9 22:57:09] DEBUG[3547]: res_rtp_asterisk.c:2604 ast_rtp_remote_address_set: Setting RTCP address on RTP instance '0x88152e8' [May 9 22:57:09] DEBUG[3547]: chan_sip.c:3526 __sip_xmit: Trying to put 'BYE sip:201' onto UDP socket destined for 81.158.130.1:5060
Attempts to fix it.
I tried so many things including changing to “minivm”, changing the recording format, trying to turn off silence detection in voicemail and installing other codecs / translators.
None of this helped. The only other hint I had was watching wireshark on the RTP ports. I could see that as soon as Asterisk started recording the voicemail it stopped sending packets to the SIP provider while the SIP provider continued to send RTP data for a few more seconds… then the call would get cut off.
I knew this wasn’t a SIP provider bug or problem as I have another Asterisk system on a different version of Asterisk and running on a traditional computer which does not exhibit the same problem.
Thinking that the problem was likely something to do with the audio data / RTP stream I searched around using many other keywords. I wanted to work out how to make Asterisk send either silence or comfort noise while it was recording the voicemail.
Eventually I googled for the correct magic keyword “asterisk send audio while recording” and came across this post:
https://www.spinics.net/lists/asterisk/msg168788.html
SOLUTION
It took so long to get to this point but I’m glad I continued
The solution is to edit or add this line into your asterisk.conf in /etc/asterisk (or wherever you keep your asterisk config files):
transmit_silence = yes
The documentation in the config file notes:
Transmit silence while a channel is in a waiting state, a recording only state, or
when DTMF is being generated. Note that the silence internally is generated in raw signed
linear format. This means that it must be transcoded into the native format of the
channel before it can be sent to the device.
It is for this reason that this is optional, as it may result in requiring a temporary codec translation path for a channel that may not otherwise require one.
I hope this page helps someone!
Hello everyone. This is another scam that works similar to a previous “high value electronics goods scam” that I’ve written about in the past. The websites, mostly, look professional and genuine. Take payment and then _never_ send any goods.
This scam seems to revolve around very small transactions (probably small enough that the credit card companies eat the fraud rather than charge it back to the fraudulent retailer). Or possibly they hope that the victims can’t be bothered with the paperwork and phone calls to report the fraud.
Most the goods on the websites are around £30 to £150ish with a rare few slightly higher priced goods mixed in. The page and form asking for credit / debit card payment isn’t even https / secure.
The good news – if you are a victim and you paid by Credit Card (or possibly even Debit Card) your bank is required to refund you!
http://www.ebuy2016.com/ – Seems to focus specifically on USB portable hard disks. Confirmed by victims as a scam.
http://www.betsbuyer.co.uk/ – Seems to sell GPS devices and sports “smart” watches.
http://www.top10tablet.us/ – Seems to sell Samsung Android tablets.
The first two of the above were registered 8th June 2016. The tablet site seems to have been registered 3rd November 2016. All are associated with the same domain registrant and / or have shared code between the domains.
Registered a month before is
https://www.prezzoshop.net/ – This appears to be the main domain name associated with the web hosting account and is another USB portable hard disk scam site aimed at victims in Italy. (162.218.179.41)
Other domains associated with the same scam:
http://www.prixonline.net – Seems to be aimed at French victims.
http://www.solde-tablette.com/ – Another site aimed at French victims.
http://www.tabprix.com/ – Another site aimed at French victims.
http://www.maillot-de-football.com/ – Football kit site aimed at French victims.
http://www.perruque-prix.fr/ – A hair / wig site aimed at French victims.
http://www.shopsunglass.net/ – Sunglasses store aimed at UK victims.
http://www.top-external-hard-drives.com/ – A copy of the portable hard disk scam site above.
http://www.nmdsneakers.com/ – Supposedly selling designer shoes / sneakers to US victims.
http://www.bayernoutlet.com – Another football kit scam site aimed at US victims. This domain is easily attributed to the www.nmdsneakers.com domain.
http://www.nmdforsale.com/ – Similar to the above. This domain is easily associated with the maillot-de-football.com scam.
http://www.luxuryonline.com.ru/ – Shoes store aimed at Russia.
http://www.mlbforsale.com/ – Already taken down by a US Federal Court Order.
http://www.mlbofstore.com/ – A website already taken down by a court order.
http://www.shopmlbshirt.com – A website already taken down by a court order.
http://www.psgmaillotfr.com/ – Scam football (soccer) site.
http://www.aaqshop.com/ – Scam NFL website claiming to be nflshop.com.
http://www.inflmarket.com/ – Scam NFL site claiming to be nflshop.com
http://www.eyewearofstore.com/ – Scam Ray Ban sunglasses website.
http://www.glassesbestsale.com/ – Scam Ray Ban website.
http://www.camisas-futebol.com/ – Fake football / soccer kit store.
http://www.franceofjersey.com/
http://www.shop-jewelrys.com/ – Fake pandora online store
http://www.outletjewelryshop.com/ – Scam “Pandora” shop.
http://www.nhlstores.com/ – Fake NFL site claiming to be the “Official online store of the NHL”.
http://www.chicagocubstocks.com/ – A fake store claiming to be the “Official online shop” of the Chicago Cubs.
http://www.chicagocubsmarket.com/ – A fake store claiming to be the “Official online shop” of the Chicago Cubs.
http://www.footsportsoutlets.com/ – Somehow also associated with “www.awolf.net”, the website of someone who appears to be interested in hacking, databases, VPN servers, FTP server software and VMWare.
http://www.jerseys-shop.com/ – Fake NFL website claiming to be “The official online store of the NFL” (much like all the other “official” ones I’ve found then!).
http://www.shirts-store.com/ – Another fake NFL website.
http://www.clevelandindianshirt.com/
http://www.clevelandindianshop.com/
http://www.mlbofshop.com/ – MLB fake online store.
http://www.mlbshirt-shop.com/ – MLB fake online store.
http://www.sportskitonline.com/ – Fake NBA online store.
http://www.basketsforsales.com/ – Fake NBA online store.
http://www.lysportsmalls.com/ – Fake NBA online store.
http://www.officialmapleleafs.com/
http://www.bluejays-shops.com/
http://www.fashionlinestore.com/
http://www.soccerjerseystores.com/
http://www.topishirt.com/ – Another fake NFL store.
http://www.mlbshirtshop.com/ – Fake MLB online store.
http://www.bluejaysoutlet.com/
http://www.officemlbshop.com/ – An already ceased / suspended domain by court order.
http://www.ievpolo.com/ – Fake Polo online store.
http://www.ferragamoshops.com/
http://www.eferragamoshop.com/
http://www.outletferragamo.com/
http://www.ferragamobeltsshops.com/
http://www.ferragamoonline.com/
http://www.bagsbagsonline.com/
http://www.ferragamostores.com/
http://www.topferragamoonline.com/
http://www.bestbeltsonline.com/
http://www.usnflshops.com/ – Fake NFL online store.
http://www.maillotsdefrance.com/
http://www.basketijersey.com/ – Fake NBA store.
http://www.vipbasketjersey.com/ – Fake NBA store.
http://www.fchelseas.com/ – Chelsea FC fake store, supposedly “the official Asia Pacific online megastore”.
http://www.asoccerjerseys.com/ also associated http://www.headdres-store.com/
http://www.broncostores.com/ – Fake Denver Broncos “official online store”.
http://www.bestfootballshop.com/
http://www.storejewelryshop.com/
http://www.salejewelryshop.com/
Weirdly a lot of the above have SSL certificates self-issued to “tong.com”, probably an unrelated and invalid domain but still unusual.
There are so many associated websites and domains that I’ve given up crosschecking them! Here is the source list of the domains I’ve not yet investigated.
franceofjersey.com nflsaleshops.com eyewearmalls.com strapshops.com outletjewelrystore.com b5jewellery.com jerseysmarkets.com basketjerseyshop.com basketshirtshops.com footballsshops.com jewelrysstock.com bagsbagsonline.com nhlsmall.com nhlstores.com nflsportsstock.com bagbagforsale.com mlbsstores.com baggoodsforsale.com madeinnfl.com nflsstocks.com nflsshops.com mlbsforsale.com mlbonsale.com beltonsale.com ferragamoonsale.com ferragamosonsale.com ferragamodiscount.com nikesonsale.com ferragamosforsale.com ferragamo4sale.com ferragamosonline.com nflsonsale.com nflsdiscount.com nflforsale.com nflsstock.com bananaces.com iakqks.com hotsalespro.com hariees.com chicagocubsoutlet.com clevelandindianstore.com bluejaysale.com cfljerseyshop.com ferragamonline.com outletferragamo.com ferragshop.com fashionlinestore.com ferragamocenter.com basketshirts.com shirtnba.com chicagocubstore.com nba-eshop.com jerseynba.com ibasketjersey.com basketeshop.com nfl-shirt.com nfl-center.com shoulderbagshop.com crossbodybagshop.com mlbshirtstore.com footballshirtsale.com buymlbshirt.com ukfootballjersey.com soccerjerseystores.com wholesalemlbshop.com mlbshirtsale.com outletfootballshirt.com outletmlbshirt.com footballshirtoutlet.com outletmlbstore.com officemlbshirt.com catmte.com colorrushstore.com officemlbshop.com mlbinshop.com mlbshirtshop.com colorrushuniform.com mlbshirtoutlet.com colorrushcenter.com colorrushmall.com officemlbstore.com colorrushop.com colorrush2016.com bestnflmall.com nflbazaar.com enflonline.com topeshirt.com topishirt.com enfloutlet.com nflshoppingcenter.com bestluxshops.com topilux.com enflcenter.com infloutlet.com nfldiscount.com nfljerseyoutlet.com espcamisetasdefutbol.com topmksale.com fashionjewelrymalls.com iluxjewelry.com ibuylux.com iluxfashion.com luxferragamo.com ferragamomall.com iluxcenter.com luxfashionshop.com bestfootballjersey.com topnflshirt.com topfootballjersey.com ievpolo.com ssoccerjersey.com uksoccershirts.com salebasketshirts.com iibasketjersey.com ferragamosale.com ferragamobagstore.com ferragamobagshop.com sferragamo.com fferragamo.com vipbasketjersey.com eferragamobag.com ibasketshirt.com iferragamo.com ebagshops.com eferragamoshop.com ebasketjersey.com viferragamo.com basketshirtonline.com hiferragamo.com yshoesoutlet.com mkbagsonline.com vipshoeshop.com footballshirtonline.com mkbagplazas.com luxybagshops.com mnushirts.com manushirt.com mujerseys.com buycheapmkbag.com mkbagsclub.com suglassesclub.com nflshirtstore.com vipsunglasseshop.com basketijerseys.com nbasketsmarkets.com manutdone.com basket4sales.com nbasketmaks.com spolostocks.com basketsdiscounts.com ferragamoshops.com vipferragamo.com spolomalls.com ferragamostores.com usnflshops.com cheapolos.com manutdmalls.com csoccerjerseys.com itlaynbasket.com spainbaskets.com francebaskets.com maillots-de-football.com frmaillot.com camisas-futebol.com porsoccerjerseys.com maillotsdefrance.com basketijersey.com ventepolo.com fcbarcastock.com bayernoutlet.com fchelseas.com asoccerjerseys.com asoccershirts.com broncostores.com nflonsale.com mlbforsale.com birkstock.com bksandals.com mkbagsmalls.com mkvipbag.com mkbagsmarkets.com vipmkbag.com mkbagtop.com nmdforsale.com fcmudtjersey.com airmaxshoeshop.com psgmaillotfr.com everyhoe.com nicemkbag.com acoachag.com
If you ever have the need to hack or crack the trial period on OPrint – an airprint relay / proxy / print server for Windows then here is how.
Re-open OPrint. The trial will be back to 30 days.
Another day and while browsing the internet I clicked on an advert that promised 30% discounts on Amazon’s prices… Then got this. (And uncovered a huge scam using about 40 different “it company” domains).
The messages read as follows:
Critical Error! Some suspicious activities has been detected from your network and your system has been blocked. Call immediately on 0-800-098-8413 to prevent further data loss.
Critical Error! Your system has been blocked because suspicious activities has been detected from your IP address. Call 0-800-098-8413 immediately.
ERROR! Call for support: 0-800-098-8413
Warning!
** YOUR COMPUTER HAS BEEN BLOCKED **
Your computer has alerted us that it has been infected with a virus and spyware. The following information is being stolen…> Facebook Login
> Credit Card Details
> Email Account Login
> Photos stored on this computer
You must contact us immediately so that our engineers can walk you through the removal process over the phone. Please call us within the next 5 minutes to prevent your computer from being disabled.
Toll Free: 0-800-098-8413
The number victims are asked to call is a UK freephone number. “0-800-098-8413” (aka.. 08000988413 or “0800 098 8413”).
The page, hosted at GoDaddy, that showed the fake warning was:
http://jaunt-googleroutesgo.xyz/uk/microsoftnetsecurity_8413/0-800-098-8413/chrm/
It directs people to call the tech support scammers “Optimum Global Services” who seem to be operating out of the site http://www.rateditteam.com to take payments.
Unusually for these kinds of things – the address given is a UK address (not USA or India) and the postal address given on the website matches the whois:
Registrant Name: Samuel Verghese
Registrant Street: Flat 5, 25 Brunswick Terrace,
Registrant City: Hove
Registrant State/Province: East Sussex
Registrant Postal Code: BN3 1HJ
Registrant Country: UK
Registrant Phone: +44.7342047912
Registrant Email: done4ultd@gmail.com
When that initial payment failed they then tried to take payment via “www.directcontracta.com” which initially looks like an unrelated “find a contractor” website but after a bit of investigation is actually registered by the same email address as rateditteam.
Associated are the Google Analytics accounts: UA-90478716 and UA-67147650
Also related to the rateditteam.com domain is:
sammy@thearch.club (matches the Samuel Verghese name used in the original tech support scam domain and is also near Hove in the UK?)
His local computer fixing business “www.expertpcbook.com”
The shared(?) youtube channel of Samuel Verghese?: Shows three young Indian men in Mumbai and several product reviews or videos attempting to go viral and domain “3wise.men”
The company of someone who lives at the address, supposedly an “Entreprenneur”.
All the following are shady looking web design and tech support companies with similar pricing structure to rateditteam:
www.itshowwedoit.com www.wecansortitforyou.com www.firstitforyou.com www.yourplaceforit.com www.pickusforit.com www.jewelitsolutions.com www.workingwithitteam.com www.itexteam.com www.thetotalitteam.com www.wesortitall.com www.timetotalkit.com www.digitalsconnections.com www.firstinit.com www.timetoaskit.com www.ititcltd.com www.getandgopro.com www.weloveinfotech.com www.itdecided.com www.topmantech.com www.eyeteco.com www.bringhomeit.com www.theitcrib.com www.itstheitcrew.com www.itstheitguys.com www.wegotitguru.com www.quickresponsesolutions.com www.fastexpertsolutions.com www.totalsolutionsexpert.com www.expertproteam.com
Related but probably a “customer” of the scammer:
http://www.amteachings.com – A meditation class around Hove, Sussex, UK.
If you are the owner of the above meditation business above – please contact your web developer and tell them off for being involved in scams.
http://www.everybizsolution.com
http://www.directcontracta.com
optimumglobalservices.com
Another URL used during the scam was http://onlinescanner.somee.com/ which appears to be a fake virus warning site that even has a one time password / unique value that needs to be entered before the fake scan will start! A working code is 84651 if you fancy testing it out.
Hello everyone.
This might be of use for me in the future when I’ve managed to lose an existing configuration or setup – or might be of use for anyone reading this who needs to do something similar to one of my setups.
I have a customer who uses Squid in their network. The Squid proxy is used to do content filtering to prevent access to undesired content on the internet. However – to do this Squid passes all the requests on to a cloud filtering company.
The side effect of this is, even though the cloud filtering company servers are based in the UK, the BBC have tagged the egress IP as being something that they don’t allow on iPlayer! Here is the response from BBC support…
I understand you’re unable to access iPlayer as you are not recognised as being within the UK.
Your IP is showing as being registered to CLOUD FILTER COMPANY DATACENTER NAME REDACTED (third party IP databases concur). It’s also listed as proxy type: hosting, proxy description: dns. While the proxy type itself indicates that this IP isn’t recognised as a broadband connection, it’s the description of it being a DNS that is actually causing the block here.
This all seems like going the direction of getting the BBC or their “data provider” to re-categorise an IP that the customer doesn’t even own will be far too difficult.
The easiest solution was to work out the configuration required for only allowing the iPlayer content to go direct and bypass the upstream cloud filtering company.
The following lines in the correct positions within the Squid config did the trick. In this case I’ve just made all of bbc go direct as I was too lazy to identify just the iPlayer domains.
acl bbcuksites dstdomain .bbc.co.uk .bbci.co.uk
tcp_outgoing_address 10.0.0.253 bbcuksites
tcp_outgoing_address 10.0.0.254 !bbcuksitesacl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3ssl_bump peek step1 all
ssl_bump splice all
In this instance they were using squid as an https_port and http_port “intercept”. You may not need the SSL Bump stuff if you are using Squid as an explicit proxy as the CONNECT request seen by Squid is likely to be the hostnames already instead of just an intercepted IP.
If using intercept… Squid needs to have ssl-bump enabled which also means you need to be running Squid 3.5 or higher. SSL peeking is required so you can tell the https sites being accessed. A couple of components on iPlayer (even though the main page is non-https) are over https:
Looking up CONNECT request from 192.168.35.4 with url component.iplayer.api.bbc.co.uk:443
Without ssl peeking Squid would only see “52.31.81.220:443” and wouldn’t know to send that traffic direct.
In the example config lines above I’m using source based routing at the router. Traffic from 10.0.0.254 goes via the cloud provider and traffic from 10.0.0.253 goes direct.
You could easily change this to just parent proxies, tcp_outgoing_mark or any other similar routing rule ability.
Further to a previous scam.. an admin assistance this morning had an e-mail claiming to be from the CEO of the company.
The e-mail chain went as follows (names and domains redacted for privacy):
19 December 2016 at 14:01
Subject: INVOICE 277
Adam REDACTED <hon22@inbox.lv>
To: Tanya@REDACTED.co.ukTanya
How much does the bank charge for chaps payment
Regards
Adam REDACTED
sent from my iPad
19 December 2016 at 14:14
Subject: INVOICE 277
Tanya Taylor <tanya@REDACTED.co.uk>
To: Adam REDACTED <hon22@inbox.lv>£25
Tanya
19 December 2016 at 14:28
Subject: INVOICE 277
Adam REDACTED <hon22@inbox.lv>
To: Tanya REDACTED <tanya@REDACTED.co.uk>Tanya
Please make a faster payment of £10,560 to this account,
Beneficiary Name : Firetail Limited
Address:6 Motley Avenue
London EC2A 4SU
Phone: +44 (0) 207 148 0910Email: info@firetail.co.uk
sort code: 777406
account: 23102260
Let me know once this transfer is completed.
Regards.
Adam REDACTED
sent from my iPad
As always – be aware of any kind of scam. Emails claiming to be invoices, emails claiming your Amazon account has been suspended.. and emails asking for payment to be made. It is always worth spending a few minutes to contact the sender directly to ensure that the request is genuine. In this case it is fairly easy to spot as the scammer is using “hon22@inbox.lv” which isn’t anywhere near the domain name of the victim company.
However – often senders get their email accounts hacked… so just because it came from a genuine email address does not mean the request is genuine.
The scammer seems to be using inbox.lv webmail and the e-mail headers give away that they are using Firefox 50.0.
They seem to be hiding behind a VPN or VPS given the amount of abuse associated with the IP. The IP used to submit the messages was:
146.185.31.214 – “92b91fd6.rdns.100tb.com”
So.. another TalkTalk refund / western union scam.
You can find my previous articles on this scam here, with call recording, and here.
This time – customer is cold called by someone claiming to be from TalkTalk.
To prove their authenticity they tell the victim their TalkTalk account number – victim goes off to their filing cabinet and indeed the account number is correct. Using this “validation” the victim then follows the instructions to connect “TalkTalk” (the scammers) to their computer.
When connected to their computer they run the following .bat file:
echo
color ccd..
cd..
cd..
treetree
tree
Current Status:Router software warrenty has been expired..Router is not compatible with this network..Computer got corrupted and damaged 61 percent…Router needs to be changed…Customer is eligible to get back a refund of 320GBP from TALKTALK via BANk…pause
@ECHO off
:Begin
msg * Router software warrenty has been expired..Router is not compatible with this network..Computer got corrupted and damaged 61 percent…Router needs to be changed…Customer is eligible to get back a refund of 320GBP from TALKTALK via BANk…msg * may corrupt your system or processor
msg * go to this site money will be refundable….
start http://www.talktalkb.yolasite.com
The final step of that batch file loads up a fake version of the TalkTalk site.. under the Contact tab are very convenient and easy logos for the scammers to talk the victim into clicking so that the victim can log into their online banking and the scammer can then transfer money or at least, obtain more personal details.
In my case they got as far as asking the victim to enter into their online banking.. The victim refused and hangs up but isn’t savvy enough to know to also turn off their computer. Shortly after their computer user account password has been changed and their registry and been syskeyed.
This time the scammers used the syskey password “9748”. The computer account password appeared to be sufficiently complicated that ophcrack can’t guess it.
The password hint set on the victims windows account was “western union”.
Another day another scam virus warning advert. This time on AOL search or an AOL search paid result link!
The box that pops up has so many line returns that the OK button falls off the bottom of the screen, probably to confuse the user into thinking their computer really has been locked.
The message reads:
*YOUR Windows COMPUTER HAS BEEN LOCKED*
Windows Security Alert!!
System has been infected due to unexpected error!
Please Contact Microsoft Certified Expert 0-800-014-8239 Immediately!
to unlock your computer.Suspicious Activity Detected. Your Browser might have been hijacked or hacked.
ANONYMOUS ACTIVITY
Private and Financial Data is at RISK:
. Your credit card details and banking information
. Your e-mail passwords and other account passwords
. Your Facebook, Skype, AIM, ICQ and other chat logs
. Your private &family photos and other sensitive files
. Your webcam could be accessed remotely by stalkersIMMEDIATELY CALL Microsoft Certified Expert AT 0-800-014-8239
MORE ABOUT THIS INFECTION:
Seeing these pop-up’s means that you may have a virus installed on your computer which puts the security of your personal data at a serious risk.
Its strongly advised that you call the number above and get your computer inspected before you continue using your internet, especially for Shopping or Banking.Call immediately for assistance. Contact Microsoft Certified Expert at (0-800-014-8239 )
Victims are asked to call a UK freephone number of 0-800-014-8239 (aka. “0800 014 8239” or +448000148239 / 08000148239)
The wording is very similar to a scam I saw back in October.
The domain the scam warning was served from was http://www.rightclickitserv.com who seem to be a SEO (Search Engine Optimisation) and tech support company. Whois on the domain is:
Registrant Name: Manish Verma
Registrant Street: 10518 Friends Colony
Registrant City: Gurgaon
Registrant State/Province: Other
Registrant Postal Code: 122001
Registrant Country: IN
Registrant Phone: +91.8802257971
Registrant Email: memanish1980@gmail.com
Also related is another advertising / search related website of www.afftronics.com (Hosted on the same server linked by GA).
Through a convoluted link of whois details and websites being hosted on the same IP I believe the following domains are suspicious and also related to the same group or call center.
-“aks@itinfocube.com”
-goithelp.co
-onlinecomputerrepairservices.com
-contactus-help.com
-tollfreeshelpline.com
-email-customer-care.com
-tollfreehelplines.com
