Low value goods scam. (ebuy2016.com / kf@onlinezh.net)

Hello everyone. This is another scam that works in the same way as the “high value electronics goods scam” I wrote about previously. The websites mostly look professional and genuine, take payment, and then _never_ send any goods.

This scam seems to revolve around very small transactions (probably small enough that the card issuers eat the fraud rather than charging it back to the fraudulent retailer). Or possibly they hope that the victims can’t be bothered with the paperwork and phone calls needed to report the fraud.

Most of the goods on the websites are around £30 to £150, with a rare few slightly higher priced items mixed in. The page and form asking for credit / debit card details isn’t even served over https, so card numbers are sent in the clear.

The good news: if you are a victim and paid by credit card (or possibly even debit card), your card issuer should refund you. In the UK, credit card purchases over £100 are protected by Section 75 of the Consumer Credit Act; for smaller amounts, and for debit card payments, ask the bank for a chargeback under the card scheme rules, which cover goods that were paid for but never delivered.

http://www.ebuy2016.com/ – Seems to focus specifically on USB portable hard disks. Confirmed by victims as a scam.

http://www.betsbuyer.co.uk/ – Seems to sell GPS devices and sports “smart” watches.

http://www.top10tablet.us/ – Seems to sell Samsung Android tablets.

The first two of the above were registered on 8th June 2016. The tablet site seems to have been registered on 3rd November 2016. All are associated with the same domain registrant and / or share code between the domains.

Registered a month before is

https://www.prezzoshop.net/ – This appears to be the main domain name associated with the web hosting account and is another USB portable hard disk scam site aimed at victims in Italy. (162.218.179.41)

Other domains associated with the same scam:

http://www.prixonline.net – Seems to be aimed at French victims.

http://www.solde-tablette.com/ – Another site aimed at French victims.

http://www.tabprix.com/ – Another site aimed at French victims.

http://www.maillot-de-football.com/ – Football kit site aimed at French victims.

http://www.perruque-prix.fr/ – A hair / wig site aimed at French victims.

http://www.shopsunglass.net/ – Sunglasses store aimed at UK victims.

http://www.top-external-hard-drives.com/ – A copy of the portable hard disk scam site above.

http://www.nmdsneakers.com/ – Supposedly selling designer shoes / sneakers to US victims.

http://www.bayernoutlet.com – Another football kit scam site aimed at US victims. This domain is easily attributed to the www.nmdsneakers.com domain.

http://www.nmdforsale.com/ – Similar to the above. This domain is easily associated with the maillot-de-football.com scam.

http://www.luxuryonline.com.ru/ – Shoe store aimed at Russia.

http://www.ventepolo.com/

http://www.mlbforsale.com/ – Already taken down by a US Federal Court Order.

http://www.mlbofstore.com/ – A website already taken down by a court order.

http://www.shopmlbshirt.com – A website already taken down by a court order.

http://www.psgmaillotfr.com/ – Scam football (soccer) site.

http://www.aaqshop.com/ – Scam NFL website claiming to be nflshop.com.

http://www.inflmarket.com/ – Scam NFL site claiming to be nflshop.com


http://www.eyewearofstore.com/ – Scam Ray Ban sunglasses website.

http://www.glassesbestsale.com/ – Scam Ray Ban website.

http://www.camisas-futebol.com/ – Fake football / soccer kit store.

http://www.watchinshop.com/

http://www.bestfishop.com/

http://www.monclerofshop.com/

http://www.franceofjersey.com/

http://www.shop-jewelrys.com/ – Fake pandora online store

http://www.outletjewelryshop.com/ – Scam “Pandora” shop.

http://www.nhlstores.com/ – Fake NHL site claiming to be the “Official online store of the NHL”.

http://www.chicagocubstocks.com/ – A fake store claiming to be the “Official online shop” of the Chicago Cubs.

http://www.chicagocubsmarket.com/ – A fake store claiming to be the “Official online shop” of the Chicago Cubs.

http://www.footsportsoutlets.com/ – Somehow also associated with “www.awolf.net”, the website of someone who appears to be interested in hacking, databases, VPN servers, FTP server software and VMWare.

http://www.jerseys-shop.com/ – Fake NFL website claiming to be “The official online store of the NFL” (much like all the other “official” ones I’ve found then!).

http://www.barcashops.com/


http://www.shirts-store.com/ – Another fake NFL website.

http://www.clevelandindianshirt.com/

http://www.clevelandindianshop.com/

http://www.mkbagsonline.com/

http://www.mlbofshop.com/ – MLB fake online store.

http://www.mlbshirt-shop.com/ – MLB fake online store.

http://www.indians-shop.com/

http://www.indiansjersey.com/

http://www.sportskitonline.com/ – Fake NBA online store.

http://www.basketsforsales.com/ – Fake NBA online store.

http://www.lysportsmalls.com/ – Fake NBA online store.

http://www.officialmapleleafs.com/

http://www.bluejays-shops.com/

http://www.cheapbluejay.com/

http://www.bluejaysale.com/

http://www.onlineyeezy.com/

http://www.mapleleafshop.com/

http://www.fashionlinestore.com/

http://www.soccerjerseystores.com/

http://www.topishirt.com/ – Another fake NFL store.

http://www.mlbshirtshop.com/ – Fake MLB online store.

http://www.bluejaysoutlet.com/

http://www.officemlbshop.com/ – A domain already seized / suspended by court order.

http://www.ievpolo.com/ – Fake Polo online store.

http://www.ferragamoshops.com/

http://www.eferragamoshop.com/

http://www.topbeltsshop.com/

http://www.hiferragamo.com/

http://www.outletferragamo.com/

http://www.ferragamobeltsshops.com/

http://www.ferragamoonline.com/

http://www.bagsbagsonline.com/

http://www.ferragamostores.com/

http://www.topferragamoonline.com/

http://www.bestbeltsonline.com/

http://www.vipferragamo.com/

http://www.usnflshops.com/ – Fake NFL online store.

http://www.maillotsdefrance.com/

http://www.basketijersey.com/ – Fake NBA store.

http://www.vipbasketjersey.com/ – Fake NBA store.

http://www.fchelseas.com/ – Chelsea FC fake store, supposedly “the official Asia Pacific online megastore”.

http://www.asoccerjerseys.com/ also associated http://www.headdres-store.com/

http://www.broncostores.com/ – Fake Denver Broncos “official online store”.

http://www.bestfootballshop.com/

http://www.storejewelryshop.com/

http://www.salejewelryshop.com/

Oddly, a lot of the above serve self-signed SSL certificates issued to “tong.com”, which is probably an unrelated and invalid name for these sites but is still unusual, and a handy pivot for finding more of them.

There are so many associated websites and domains that I’ve given up cross-checking them! Here is the source list of the domains I’ve not yet investigated (a few of which also appear in the list above).

franceofjersey.com
nflsaleshops.com
eyewearmalls.com
strapshops.com
outletjewelrystore.com
b5jewellery.com
jerseysmarkets.com
basketjerseyshop.com
basketshirtshops.com
footballsshops.com
jewelrysstock.com
bagsbagsonline.com
nhlsmall.com
nhlstores.com
nflsportsstock.com
bagbagforsale.com
mlbsstores.com
baggoodsforsale.com
madeinnfl.com
nflsstocks.com
nflsshops.com
mlbsforsale.com
mlbonsale.com
beltonsale.com
ferragamoonsale.com
ferragamosonsale.com
ferragamodiscount.com
nikesonsale.com
ferragamosforsale.com
ferragamo4sale.com
ferragamosonline.com
nflsonsale.com
nflsdiscount.com
nflforsale.com
nflsstock.com
bananaces.com
iakqks.com
hotsalespro.com
hariees.com
chicagocubsoutlet.com
clevelandindianstore.com
bluejaysale.com
cfljerseyshop.com
ferragamonline.com
outletferragamo.com
ferragshop.com
fashionlinestore.com
ferragamocenter.com
basketshirts.com
shirtnba.com
chicagocubstore.com
nba-eshop.com
jerseynba.com
ibasketjersey.com
basketeshop.com
nfl-shirt.com
nfl-center.com
shoulderbagshop.com
crossbodybagshop.com
mlbshirtstore.com
footballshirtsale.com
buymlbshirt.com
ukfootballjersey.com
soccerjerseystores.com
wholesalemlbshop.com
mlbshirtsale.com
outletfootballshirt.com
outletmlbshirt.com
footballshirtoutlet.com
outletmlbstore.com
officemlbshirt.com
catmte.com
colorrushstore.com
officemlbshop.com
mlbinshop.com
mlbshirtshop.com
colorrushuniform.com
mlbshirtoutlet.com
colorrushcenter.com
colorrushmall.com
officemlbstore.com
colorrushop.com
colorrush2016.com
bestnflmall.com
nflbazaar.com
enflonline.com
topeshirt.com
topishirt.com
enfloutlet.com
nflshoppingcenter.com
bestluxshops.com
topilux.com
enflcenter.com
infloutlet.com
nfldiscount.com
nfljerseyoutlet.com
espcamisetasdefutbol.com
topmksale.com
fashionjewelrymalls.com
iluxjewelry.com
ibuylux.com
iluxfashion.com
luxferragamo.com
ferragamomall.com
iluxcenter.com
luxfashionshop.com
bestfootballjersey.com
topnflshirt.com
topfootballjersey.com
ievpolo.com
ssoccerjersey.com
uksoccershirts.com
salebasketshirts.com
iibasketjersey.com
ferragamosale.com
ferragamobagstore.com
ferragamobagshop.com
sferragamo.com
fferragamo.com
vipbasketjersey.com
eferragamobag.com
ibasketshirt.com
iferragamo.com
ebagshops.com
eferragamoshop.com
ebasketjersey.com
viferragamo.com
basketshirtonline.com
hiferragamo.com
yshoesoutlet.com
mkbagsonline.com
vipshoeshop.com
footballshirtonline.com
mkbagplazas.com
luxybagshops.com
mnushirts.com
manushirt.com
mujerseys.com
buycheapmkbag.com
mkbagsclub.com
suglassesclub.com
nflshirtstore.com
vipsunglasseshop.com
basketijerseys.com
nbasketsmarkets.com
manutdone.com
basket4sales.com
nbasketmaks.com
spolostocks.com
basketsdiscounts.com
ferragamoshops.com
vipferragamo.com
spolomalls.com
ferragamostores.com
usnflshops.com
cheapolos.com
manutdmalls.com
csoccerjerseys.com
itlaynbasket.com
spainbaskets.com
francebaskets.com
maillots-de-football.com
frmaillot.com
camisas-futebol.com
porsoccerjerseys.com
maillotsdefrance.com
basketijersey.com
ventepolo.com
fcbarcastock.com
bayernoutlet.com
fchelseas.com
asoccerjerseys.com
asoccershirts.com
broncostores.com
nflonsale.com
mlbforsale.com
birkstock.com
bksandals.com
mkbagsmalls.com
mkvipbag.com
mkbagsmarkets.com
vipmkbag.com
mkbagtop.com
nmdforsale.com
fcmudtjersey.com
airmaxshoeshop.com
psgmaillotfr.com
everyhoe.com
nicemkbag.com
acoachag.com

 

Posted in Uncategorized | Leave a comment

Reset the trial counter on O’Print “AirPrint Activator for Windows”.

If you ever need to hack or crack the trial period on OPrint, an AirPrint relay / proxy / print server for Windows, here is how.

Quit OPrint.
Delete the following registry keys and their sub-values:
HKLM\SOFTWARE\Wow6432Node\OPrint
HKCU\AppEvents\EventLabels\option
Delete the following file:
C:\Windows\SysWOW64\config\settingenv

Re-open OPrint. The trial will be back to 30 days.

However, this software is reliable and well worth paying for. These instructions are intended for the case where you installed it and then forgot to test it before the trial period expired.
Posted in Uncategorized | Leave a comment

“Optimum Global Services” Tech Support Scam / “0800 098 8413”

Another day, and while browsing the internet I clicked on an advert that promised 30% discounts on Amazon’s prices… and then got this (and uncovered a huge scam using about 40 different “IT company” domains).


The messages read as follows:

Critical Error! Some suspicious activities has been detected from your network and your system has been blocked. Call immediately on 0-800-098-8413 to prevent further data loss.

Critical Error! Your system has been blocked because suspicious activities has been detected from your IP address. Call 0-800-098-8413 immediately.

ERROR! Call for support: 0-800-098-8413

Warning!
** YOUR COMPUTER HAS BEEN BLOCKED **
Your computer has alerted us that it has been infected with a virus and spyware.  The following information is being stolen…

> Facebook Login
> Credit Card Details
> Email Account Login
> Photos stored on this computer
You must contact us immediately so that our engineers can walk you through the removal process over the phone. Please call us within the next 5 minutes to prevent your computer from being disabled.
Toll Free: 0-800-098-8413

The number victims are asked to call is a UK freephone number. “0-800-098-8413” (aka.. 08000988413 or “0800 098 8413”).

The page, hosted at GoDaddy, that showed the fake warning was:

http://jaunt-googleroutesgo.xyz/uk/microsoftnetsecurity_8413/0-800-098-8413/chrm/

It directs people to call the tech support scammers “Optimum Global Services” who seem to be operating out of the site http://www.rateditteam.com to take payments.

Unusually for these kinds of things – the address given is a UK address (not USA or India) and the postal address given on the website matches the whois:

Registrant Name: Samuel Verghese
Registrant Street: Flat 5, 25 Brunswick Terrace,
Registrant City: Hove
Registrant State/Province: East Sussex
Registrant Postal Code: BN3 1HJ
Registrant Country: UK
Registrant Phone: +44.7342047912
Registrant Email: done4ultd@gmail.com

When that initial payment failed they then tried to take payment via “www.directcontracta.com” which initially looks like an unrelated “find a contractor” website but after a bit of investigation is actually registered by the same email address as rateditteam.

Associated are the Google Analytics accounts: UA-90478716 and UA-67147650

Also related to the rateditteam.com domain is:

sammy@thearch.club (matches the Samuel Verghese name used in the original tech support scam domain and is also near Hove in the UK?)

His local computer fixing business “www.expertpcbook.com”

The shared(?) youtube channel of Samuel Verghese?: Shows three young Indian men in Mumbai and several product reviews or videos attempting to go viral and domain “3wise.men”

The company of someone who lives at the address, supposedly an “Entreprenneur”.

All of the following are shady-looking web design and tech support companies with a pricing structure similar to rateditteam:

www.itshowwedoit.com
www.wecansortitforyou.com
www.firstitforyou.com
www.yourplaceforit.com
www.pickusforit.com
www.jewelitsolutions.com
www.workingwithitteam.com
www.itexteam.com
www.thetotalitteam.com
www.wesortitall.com
www.timetotalkit.com
www.digitalsconnections.com
www.firstinit.com
www.timetoaskit.com
www.ititcltd.com
www.getandgopro.com
www.weloveinfotech.com
www.itdecided.com
www.topmantech.com
www.eyeteco.com
www.bringhomeit.com
www.theitcrib.com
www.itstheitcrew.com
www.itstheitguys.com
www.wegotitguru.com
www.quickresponsesolutions.com
www.fastexpertsolutions.com
www.totalsolutionsexpert.com
www.expertproteam.com

Related, but probably a “customer” of the scammer:
http://www.amteachings.com – A meditation class around Hove, Sussex, UK.
If you are the owner of the above meditation business, please contact your web developer and tell them off for being involved in scams.
http://www.everybizsolution.com


http://www.directcontracta.com

optimumglobalservices.com

Another URL used during the scam was http://onlinescanner.somee.com/ which appears to be a fake virus warning site that even has a one time password / unique value that needs to be entered before the fake scan will start! A working code is 84651 if you fancy testing it out.

Posted in Uncategorized | 3 Comments

Squid configuration for BBC iPlayer

Hello everyone.

This might be of use for me in the future when I’ve managed to lose an existing configuration or setup – or might be of use for anyone reading this who needs to do something similar to one of my setups.

I have a customer who uses Squid in their network. The Squid proxy is used to do content filtering to prevent access to undesired content on the internet. However – to do this Squid passes all the requests on to a cloud filtering company.

The side effect of this is, even though the cloud filtering company servers are based in the UK, the BBC have tagged the egress IP as being something that they don’t allow on iPlayer! Here is the response from BBC support…

I understand you’re unable to access iPlayer as you are not recognised as being within the UK.

Your IP is showing as being registered to CLOUD FILTER COMPANY DATACENTER NAME REDACTED (third party IP databases concur). It’s also listed as proxy type: hosting, proxy description: dns. While the proxy type itself indicates that this IP isn’t recognised as a broadband connection, it’s the description of it being a DNS that is actually causing the block here.

Getting the BBC or their “data provider” to re-categorise an IP that the customer doesn’t even own looked like it would be far too difficult.

The easiest solution was to work out the configuration required for only allowing the iPlayer content to go direct and bypass the upstream cloud filtering company.

The following lines, in the correct positions within the Squid config, did the trick. In this case I’ve just made all of the BBC’s domains go direct, as I was too lazy to identify just the iPlayer domains.

# Hosts that must bypass the upstream cloud filter. A leading dot matches the
# domain itself and every subdomain.
acl bbcuksites dstdomain .bbc.co.uk .bbci.co.uk
# Choose the source address per request; the router source-routes 10.0.0.253
# straight out and 10.0.0.254 via the cloud filter.
tcp_outgoing_address 10.0.0.253 bbcuksites
tcp_outgoing_address 10.0.0.254 !bbcuksites

# SslBump steps: 1 = TCP connection accepted, only the intercepted IP known;
# 2 = client TLS Hello parsed, so the SNI is known; 3 = server Hello parsed.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Peek at step 1 so the ClientHello (and its SNI) is read, then splice every
# connection through untouched: no decryption and no forged certificates.
ssl_bump peek step1 all
ssl_bump splice all

In this instance they were using Squid with https_port and http_port in “intercept” mode. You may not need the SSL bump lines if you are using Squid as an explicit proxy, because the CONNECT request Squid sees then already carries the hostname rather than just an intercepted destination IP.

If using intercept mode, Squid needs to be built with ssl-bump support, which also means running Squid 3.5 or higher (the peek and splice actions used above arrived in 3.5). Peeking is required so that Squid can read the SNI from the client’s TLS ClientHello and tell which https sites are being accessed. A couple of components of iPlayer (even though the main page is non-https) are over https:

Looking up CONNECT request from 192.168.35.4 with url component.iplayer.api.bbc.co.uk:443

Without ssl peeking Squid would only see “52.31.81.220:443” and wouldn’t know to send that traffic direct.

In the example config lines above I’m using source based routing at the router. Traffic from 10.0.0.254 goes via the cloud provider and traffic from 10.0.0.253 goes direct.

You could easily change this to just parent proxies, tcp_outgoing_mark or any other similar routing rule ability.
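To make concrete what the peek step gives Squid, here is an added example (not part of the original post, and not Squid’s own code) that parses the SNI out of a TLS ClientHello, the same field Squid reads at SslBump1, and then applies the same matching rule as the dstdomain ACL above to pick the outgoing address. The ClientHello bytes are constructed inline by a helper; the random bytes and the single cipher suite are arbitrary, and the two 10.0.0.x addresses are the ones from the config above.

```python
import struct


def build_client_hello(hostname):
    """Construct a minimal TLS 1.2 ClientHello record carrying a server_name
    (SNI) extension. Used only to build sample input for this example."""
    name = hostname.encode("ascii")
    sni_entry = struct.pack("!BH", 0, len(name)) + name              # name_type=host_name, length, name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry           # server_name_list length
    extension = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension type 0 = server_name
    extensions = struct.pack("!H", len(extension)) + extension
    body = (
        b"\x03\x03"                           # client_version: TLS 1.2
        + b"\x00" * 32                        # random (arbitrary for the example)
        + b"\x00"                             # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"  # one cipher suite
        + b"\x01\x00"                         # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type handshake


def extract_sni(record):
    """Return the SNI host_name from a TLS ClientHello record, or None when the
    bytes are not a ClientHello, are truncated, or carry no SNI. This is what
    Squid's peek at SslBump1 learns; an interceptor that does not peek only
    ever sees the destination IP."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None                        # truncated handshake
    pos = 2 + 32                           # skip client_version and random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                   # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                   # compression_methods
    if pos + 2 > len(body):
        return None                        # no extensions block at all
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if ext_end > len(body):
        return None
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type == 0x0000 and len(data) >= 5:
            name_len = struct.unpack("!H", data[3:5])[0]   # skip list length and name_type
            name = data[5:5 + name_len]
            return name.decode("ascii", "replace").lower() if len(name) == name_len else None
    return None


def dstdomain_match(host, patterns):
    """Mimic Squid's dstdomain ACL: a pattern with a leading dot matches that
    domain and every subdomain; a pattern without one matches only exactly."""
    host = host.lower().rstrip(".")
    for pattern in patterns:
        pattern = pattern.lower()
        if pattern.startswith("."):
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False


BBCUKSITES = [".bbc.co.uk", ".bbci.co.uk"]   # same list as the acl in the post


def choose_outgoing_address(record, bypass_ip="10.0.0.253", filtered_ip="10.0.0.254"):
    """The decision the two tcp_outgoing_address lines make once the SNI is
    known: BBC hosts leave via the address the router sends direct; everything
    else, including connections whose SNI could not be read, goes via the filter."""
    sni = extract_sni(record)
    if sni is not None and dstdomain_match(sni, BBCUKSITES):
        return bypass_ip
    return filtered_ip
```

Feed `choose_outgoing_address` the first record from an intercepted connection and it returns the address Squid would bind to; hand it an empty or non-handshake record (the situation without peeking) and it falls back to the filtered path, which is exactly why the iPlayer components failed before the ssl_bump lines were added.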

Posted in Uncategorized | Leave a comment

Further CEO Email fraud..

Further to a previous scam, an admin assistant this morning received an e-mail claiming to be from the CEO of the company.

The e-mail chain went as follows (names and domains redacted for privacy):

19 December 2016 at 14:01

Subject: INVOICE 277
Adam REDACTED <hon22@inbox.lv>
To: Tanya@REDACTED.co.uk

Tanya

How much does the bank charge for chaps payment

Regards

Adam REDACTED
sent from my iPad

19 December 2016 at 14:14

Subject: INVOICE 277
Tanya Taylor <tanya@REDACTED.co.uk>
To: Adam REDACTED <hon22@inbox.lv>

£25

Tanya

19 December 2016 at 14:28

Subject: INVOICE 277
Adam REDACTED <hon22@inbox.lv>
To: Tanya REDACTED <tanya@REDACTED.co.uk>

Tanya

Please make a faster payment of £10,560 to this account,

Beneficiary Name : Firetail Limited

Address:6 Motley Avenue
London EC2A 4SU
Phone: +44 (0) 207 148 0910

Email: info@firetail.co.uk

sort code: 777406

account: 23102260

Let me know once this transfer is completed.

Regards.

Adam REDACTED
sent from my iPad

As always, be aware of every kind of scam: emails claiming to be invoices, emails claiming your Amazon account has been suspended, and emails asking for a payment to be made. It is always worth spending a few minutes contacting the sender directly, using a phone number you already hold rather than one given in the email, to ensure that the request is genuine. In this case it is fairly easy to spot, as the scammer is using “hon22@inbox.lv”, which is nowhere near the domain name of the victim company.

However, senders often have their email accounts hacked, so just because a message came from a genuine email address does not mean the request is genuine.

The scammer seems to be using inbox.lv webmail, and the e-mail headers give away that they are using Firefox 50.0.
They seem to be hiding behind a VPN or VPS, given the amount of abuse associated with the IP. The IP used to submit the messages was:

146.185.31.214 – “92b91fd6.rdns.100tb.com”
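As an added example (not from the original post), here is the small header-triage routine I would run over a message like the one above before anyone replies to it: it checks the sender domain against the organisation’s own, flags free-mail providers and executive display names on external addresses, pulls the browser from User-Agent, and walks the Received: chain oldest-first to find the submitting client IP. The message text is constructed for the example: the sender address, browser version and submitting IP are the ones given in the post, while the hostnames, dates, Message-ID and the partial free-mail list are made up.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Partial list of free webmail providers (assumption; extend for your environment).
FREEMAIL_DOMAINS = {"inbox.lv", "gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample message modelled on the fraud described in the post.
SAMPLE_RAW = """\
Received: from mx.inbox.lv (mx.inbox.lv [198.51.100.20])
\tby mail.REDACTED.co.uk with ESMTPS; Mon, 19 Dec 2016 14:01:07 +0000
Received: from [146.185.31.214] (92b91fd6.rdns.100tb.com [146.185.31.214])
\tby webmail.inbox.lv with HTTP; Mon, 19 Dec 2016 14:00:59 +0000
From: Adam REDACTED <hon22@inbox.lv>
To: Tanya@REDACTED.co.uk
Subject: INVOICE 277
Date: Mon, 19 Dec 2016 14:01:00 +0000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Message-ID: <constructed-example@inbox.lv>

Tanya

How much does the bank charge for chaps payment

Regards
"""


def first_external_hop(received_headers):
    """Walk Received: headers oldest-first (they are prepended, so the last one
    is the earliest) and return the first globally routable IPv4 address, i.e.
    the client that submitted the message rather than an internal relay."""
    for hop in reversed(received_headers):
        for candidate in IP_IN_BRACKETS.findall(hop):
            try:
                if ipaddress.ip_address(candidate).is_global:
                    return candidate
            except ValueError:
                continue
    return None


def analyse_headers(raw_message, org_domain, executives=()):
    """Return the facts a triager wants from a suspected CEO-fraud mail plus a
    list of red flags. org_domain is the victim organisation's mail domain;
    executives are the display names an impersonator would borrow."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    org_domain = org_domain.lower()
    known_execs = {e.strip().lower() for e in executives}

    flags = []
    if from_domain != org_domain:
        flags.append("sender domain %r is not the organisation domain %r" % (from_domain, org_domain))
    if from_domain in FREEMAIL_DOMAINS:
        flags.append("sender uses a free webmail provider")
    if display_name.strip().lower() in known_execs and from_domain != org_domain:
        flags.append("display name impersonates an executive from an external address")
    if reply_addr and reply_addr.lower() != from_addr.lower():
        flags.append("Reply-To differs from From")

    return {
        "display_name": display_name,
        "from_address": from_addr,
        "from_domain": from_domain,
        "user_agent": msg.get("User-Agent") or msg.get("X-Mailer") or "",
        "submitting_ip": first_external_hop(msg.get_all("Received", [])),
        "flags": flags,
    }


if __name__ == "__main__":
    for key, value in analyse_headers(SAMPLE_RAW, "REDACTED.co.uk", ["Adam REDACTED"]).items():
        print("%-14s %s" % (key + ":", value))
```

The submitting IP is the value to feed into abuse lookups; the display-name check is the one that matters most for this class of fraud, because the rest of the message is deliberately bland.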

Posted in Uncategorized | Leave a comment

TalkTalk Refund Scammers part 3

So.. another TalkTalk refund / western union scam.

You can find my previous articles on this scam here, with call recording, and here.

This time – customer is cold called by someone claiming to be from TalkTalk.

To prove their authenticity they tell the victim their TalkTalk account number; the victim goes off to their filing cabinet and indeed the account number is correct. Using this “validation”, the victim then follows the instructions to connect “TalkTalk” (the scammers) to their computer.

Once connected to the computer they run the following .bat file:

echo
color c

cd..
cd..
cd..
tree

tree

tree
Current Status:Router software warrenty has been expired..Router is not compatible with this network..Computer got corrupted and damaged 61 percent…Router needs to be changed…Customer is eligible to get back a refund of 320GBP from TALKTALK via BANk…

pause
@ECHO off
:Begin
msg * Router software warrenty has been expired..Router is not compatible with this network..Computer got corrupted and damaged 61 percent…Router needs to be changed…Customer is eligible to get back a refund of 320GBP from TALKTALK via BANk…

msg * may corrupt your system or processor
msg * go to this site money will be refundable….
start http://www.talktalkb.yolasite.com

The final step of that batch file loads a fake version of the TalkTalk site. Under the Contact tab are conveniently placed bank logos that the scammers talk the victim into clicking, so that the victim logs into their online banking and the scammer can then transfer money or, at the least, obtain more personal details.

In my case they got as far as asking the victim to log into their online banking. The victim refused and hung up, but wasn’t savvy enough to know to also turn off their computer. Shortly afterwards the computer’s user account password had been changed and the registry had been syskeyed.

This time the scammers used the syskey password “9748”. The user account password appeared to be sufficiently complicated that ophcrack couldn’t recover it.

The password hint set on the victim’s Windows account was “western union”.

Posted in Uncategorized | Leave a comment

rightclickitserv.com virus scam warning.

Another day, another scam virus-warning advert. This time on AOL search, or rather an AOL search paid result link!


The box that pops up has so many line returns that the OK button falls off the bottom of the screen, probably to convince the user that their computer really has been locked.
The message reads:

*YOUR Windows COMPUTER HAS BEEN LOCKED*

Windows Security Alert!!

System has been infected due to unexpected error!
Please Contact Microsoft Certified Expert 0-800-014-8239 Immediately!
to unlock your computer.

Suspicious Activity Detected. Your Browser might have been hijacked or hacked.

ANONYMOUS ACTIVITY

Private and Financial Data is at RISK:
. Your credit card details and banking information
. Your e-mail passwords and other account passwords
. Your Facebook, Skype, AIM, ICQ and other chat logs
. Your private &family photos and other sensitive files
. Your webcam could be accessed remotely by stalkers

IMMEDIATELY CALL Microsoft Certified Expert AT 0-800-014-8239

MORE ABOUT THIS INFECTION:
Seeing these pop-up’s means that you may have a virus installed on your computer which puts the security of your personal data at a serious risk.
Its strongly advised that you call the number above and get your computer inspected before you continue using your internet, especially for Shopping or Banking.

Call immediately for assistance. Contact Microsoft Certified Expert at (0-800-014-8239 )

Victims are asked to call a UK freephone number of 0-800-014-8239 (aka. “0800 014 8239” or +448000148239 / 08000148239)

The wording is very similar to a scam I saw back in October.

The domain the scam warning was served from was http://www.rightclickitserv.com, who seem to be an SEO (Search Engine Optimisation) and tech support company. Whois on the domain is:

Registrant Name: Manish Verma
Registrant Street: 10518 Friends Colony
Registrant City: Gurgaon
Registrant State/Province: Other
Registrant Postal Code: 122001
Registrant Country: IN
Registrant Phone: +91.8802257971
Registrant Email: memanish1980@gmail.com

Also related is another advertising / search related website, www.afftronics.com (hosted on the same server and linked by a shared Google Analytics ID).

Through a convoluted chain of whois details and websites hosted on the same IP, I believe the following domains are suspicious and related to the same group or call centre.

-“aks@itinfocube.com”
-goithelp.co
-onlinecomputerrepairservices.com
-contactus-help.com
-tollfreeshelpline.com
-email-customer-care.com
-tollfreehelplines.com
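Both this post and the Optimum Global Services post above link domains through shared Google Analytics account IDs. As an added example (not from either post), here is the kind of script I use to do that pivot over saved copies of the pages: extract every UA- identifier, strip the per-property suffix so that different properties under one account still cluster, and report accounts seen on more than one domain. The HTML snippets and domain names are constructed; the two account numbers are the ones named in the Optimum Global Services post, but which sample domain carries which is arbitrary.

```python
import re
from collections import defaultdict

# Classic Google Analytics property IDs look like UA-12345678-1. The digits
# after "UA-" identify the account; the trailing "-N" is only the property
# index within that account, so it is optional here and dropped, because two
# sites under one account are exactly what ties an operator together.
GA_PROPERTY = re.compile(r"\bUA-(\d{4,10})(?:-\d{1,4})?\b")


def extract_ga_accounts(html):
    """Return the set of GA account numbers referenced anywhere in the HTML,
    whether via ga.js (_setAccount), analytics.js (ga('create', ...)) or a
    bare ID such as the ones quoted in the post."""
    return {m.group(1) for m in GA_PROPERTY.finditer(html)}


def cluster_by_ga_account(pages):
    """pages maps domain -> saved HTML. Returns {account: [domains]} for every
    account that appears on two or more distinct domains."""
    index = defaultdict(set)
    for domain, html in pages.items():
        for account in extract_ga_accounts(html):
            index[account].add(domain.lower())
    return {acct: sorted(domains) for acct, domains in index.items() if len(domains) > 1}


# Constructed sample pages: invented domain names and HTML; the account numbers
# are the two from the Optimum Global Services post, assigned arbitrarily.
SAMPLE_PAGES = {
    "scam-a.example": """<script>
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;})(window,document,'script',
 '//www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-90478716-1', 'auto'); ga('send', 'pageview');
</script>""",
    "scam-b.example": """<script type="text/javascript">
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-90478716-2']);
_gaq.push(['_trackPageview']);
</script>""",
    "scam-c.example": "<script>ga('create', 'UA-67147650-1', 'auto');</script>",
    "scam-d.example": "<script>ga('create', 'UA-67147650-4', 'auto');</script>",
    "unrelated.example": "<p>No tracking here.</p><!-- UA-1-1 is too short to be a real ID -->",
}


def report(pages=SAMPLE_PAGES):
    """Human-readable summary of the clusters, one account per line."""
    clusters = cluster_by_ga_account(pages)
    return "\n".join("UA-%s: %s" % (acct, ", ".join(doms)) for acct, doms in sorted(clusters.items()))


if __name__ == "__main__":
    print(report())
```

Run it over the HTML you have archived for each suspect domain (fetch the pages with whatever tooling you trust, then pass `{domain: html}`); a shared account is strong evidence of common operation, whereas a shared hosting IP alone, as the post notes, is only circumstantial.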

Posted in Uncategorized | Leave a comment

Pitney Bowes K700 / K721 Franking Machine RJ11 BT Telephone Lead

What is it with annoying companies?

Pitney Bowes make franking machines. More recent ones use Wi-Fi direct to the internet, or USB to a computer, for top-ups and balance verification.

Older machines use a telephone line, so have an RJ11 (square) connector at the back and then, in the UK, a BT plug on the other end of the lead.

BUT… it isn’t a standard lead. You can’t use the Pitney Bowes lead with a normal phone or fax machine, and you can’t use a normal replacement lead from a shop with the Pitney Bowes franking machine. FFS. Really?

So, going from left to right as you look at the connectors (as shown in the picture above), where pin 1 is the left-most pin:

Pin 1 on the BT plug goes to pin 3 on the RJ11 plug

Pin 2 on the BT plug goes to pin 4 on the RJ11 plug

Pin 3 on the BT plug goes to pin 1 on the RJ11 plug

Pin 4 on the BT plug goes to pin 2 on the RJ11 plug

Seriously.. Every other lead for a telephone or fax machine is just a 1:1 mirror of the connections. Why bother being annoying and different Pitney Bowes!

Hope the above information helps someone who needs to splice up a new lead.

Posted in Uncategorized | Leave a comment

How to mask off the “wifi power off” pins on M.2 NGFF wireless cards. (The old Mini PCI Pin 20 trick)

This week I was presented with a problem where a laptop wasn’t connecting to Wi-Fi.

The laptop, to the end user, would report no networks in the wireless network list and when the “diagnose my network” wizard was run it would report that the “Wireless capability is turned off”.


However, to confuse things further, the hotkey to turn wireless off and on (often an Fn and F key combination) wasn’t reporting that the Wi-Fi card should have been off.

The netsh command would report “The wireless local area network interface is power down and doesn’t support the requested operation.”


Essentially something had gone wrong, either with the softkey wireless control or somehow with the motherboard.

This problem used to happen a lot on older laptops, especially Toshibas. They had physical wireless switches which would either get broken or go wrong, forcing the Wi-Fi card off. We regularly ended up taking out Wi-Fi cards, putting tape on them, and putting them back in. The last time I had to do this was quite a few years ago and on a Mini PCIe card, not an NGFF M.2 card.

Turning wifi off and bypassing it to always be on
When you use the soft-key or physical switch, the motherboard changes the logic level on one (or, in the case of M.2, two) of the pins on the wireless card. On both Mini PCIe (pin 20, W_DISABLE#) and M.2 (pins 54 and 56, W_DISABLE2# and W_DISABLE1#) this is an active-low 3.3 volt signal: the radio is enabled while the pin is held high and disabled when the motherboard pulls it low.

The wireless card then understands that it is commanded to be off and disables its radio.

The trick to ensure a Wi-Fi card is always on, no matter what the switch is set to, is to put something in the way so that the motherboard’s signal can’t reach the pin at all. The card’s own pull-up then keeps the line deasserted and the radio stays on.

This was incredibly well documented for Mini PCIe cards: cut out a small sliver of tape, stick it over pin 20 (the W_DISABLE# pin) and put the card back in the machine.

 

M.2 NGFF connectors and keying
Things have moved on since Mini PCI and Mini PCIe in laptops. Quite a few now use what is called M.2 NGFF (Next Generation Form Factor), which is used for SSDs, Bluetooth, WWAN (cellular modem cards), WLAN and GPS (and, I expect, a lot more!).

The first problem I came across was identifying the type of socket the card used. I knew the card was an M.2 NGFF card, so I initially tried putting the M.2 Wi-Fi card into my M.2-to-USB SSD converter, but the “keys” didn’t line up (the cut-out notch or notches on the card edge and, in the socket, the matching plastic wall).

This confused me somewhat until I found that there are _many_ different types of M.2 socket. The best reference I found was this pdf, page 6, with a lot of diagrams. I believe my USB M.2 converter is “B keyed” but the Wi-Fi card is “A keyed”.

How to force an M.2 wifi card to stay on?
The problem I faced was a complete lack of information on NGFF M.2 pin-outs and masking. Initially I found quite a promising website:

https://puri.sm/posts/hard-not-soft-kill-switches/

The above URL is an article for people who might be worried about snooping (webcam, microphone, Wi-Fi etc.).

The top picture on the page starts off well and shows a motherboard with a M.2 wireless card with the same “A keying” as the card I had problems with.

Scroll down the page and there is also some helpful wording and an explanation about how the voltage is applied to disable the card. Their aim is to fully disable it all the time, my aim is the opposite but the information is still good.

They say “The WiFi/Bluetooth Hardware Kill Switch works by applying to pins 56 and 54 an input of [3.3volts]” but then inexplicably go on to show a photo of what appears to be a Mini PCI or Mini PCIe slot with an arrow pointing to a pin. This doesn’t match up with (1) the photo at the top of their page or (2) the layout of an M.2 slot.

DAMN… now I can’t be lazy and copy the pin from an arrow on a photo; I have to work it out myself. I also couldn’t validate that their claims about the pin numbers were correct. If they have junk photos on their website then maybe the other stuff is entirely made up too. Still worth a go, though.

Because there is very little information about M.2 and, especially, “A keyed” M.2 sockets on the internet, I had to work out for myself which of the pins on my card were 54 and 56. Trying to count pins, especially when many are not present, is very difficult.

Wikipedia and paint.net had to come out for some heavy image editing / overlaying of connector diagrams on top of a photo of the card I had in my hand.


M.2 A Keyed NGFF overlay with B and M Keyed diagram for pin location.

I started with the front side, the one that would (or should) line up best. This made it easy to identify pin 57 (or where pin 57 should be).

Turning the card over was then fairly easy to guess at which pins were 56 and 54 but I did want to be sure.. more paint.net handiwork and I was confident I’d identified the right pins.


After playing about lining up the “top” pin diagram with the “top and bottom” socket diagram and then drawing lines – the pins identified are right in the position where 54 and 56 would be (they don’t line up top to bottom as the pins are slightly offset on either side of the card and socket).

Out came the tape and scissors, then some surgical-precision “sticking” of it on top of the pins, and the card was chucked back into the laptop…


Success!

So, I hope this documentation helps someone. I’ve posted it because accurate, verified and tested information on M.2 Wi-Fi pin-outs and masking didn’t seem to exist anywhere, until now.

WARNING: Make sure you know what you are doing. Don’t blame me if you mess up your wifi card or laptop motherboard. If in doubt take this information and your computer to someone who you are confident has the skills to perform this work.

Posted in Uncategorized | 2 Comments

supportcare.net / Geek Masters / eSupportStation / vlinks tech support scam cold callers.

Another day and, unusually, another tech support scammer but one who called me!

Looking back at my call records it seems they had tried to call on Friday morning too but got through to my answerphone.

This is the first time they have called my number. Normally I have to call them from a fake virus warning page or a friend of mine is called and I have to use the number the friend was given.

The caller ID they called from was “0001632960451” (numbers beginning 000 don’t exist, so the caller ID is either broken or faked). At a later date they also called from “00666675”.

The initial domain they went to for “ordering” the service I “needed” was:

http://www.supportcare.net/our-plans

The current whois information for the domain is associated with:

Registrant Name: Archit Gupta
Registrant Street: A-4/211 DDA JANTA FLATS
Registrant City: PASCHIM VIHAR
Registrant State/Province: Delhi
Registrant Postal Code: 110063
Registrant Country: IN
Registrant Phone: +91.9953444997
Registrant Email: architguptaa@gmail.com

Yet the website gives a US address and phone number of

276 Fifth Avenue, Suite 704
New York, NY 10001
Ph.: +1-877-848-3948
Email: support@supportcare.net

The email address used is only associated with one other domain, which doesn’t seem to be active.

The second part of the payment (the cart) seems to run from zoomworld.ca, which shows a logo for “Geek Masters”.
The zoomworld website code also leaks what appears to be a previous name, “SG Technologies Inc.”

“ESupportstation” is the merchant name used at the payment processor.

The server their website is hosted on is 45.79.143.121, which has the reverse DNS of “server.studiosos.biz”. The website at www.studiosos.biz, which appears to be an invoicing software company, uses exactly the same template and layout as the supportcare.net site.

studiosos give their address, on their website, as:

1800 Windridge Drive, Sandy Springs
Atlanta GA 30350
Ph.: +1-404-382-0802

Yet their whois details, at the time of writing, give the same address as is published on the scam supportcare.net site:

Registrant ID: DI_47249721
Registrant Name: Studio SOS LLC
Registrant Organization: Studio SOS LLC
Registrant Address1: 276, 5th Avenue, Suite 704
Registrant City: New York
Registrant State/Province: New York
Registrant Postal Code: 10001
Registrant Country: United States
Registrant Phone Number: +1.8622466786
Registrant Email: mail@studiosos.biz

The computer they connected to my test computer from seemed to be on a domain called “vlinks”, possibly the name of an outsourced call centre?

Posted in Uncategorized | 2 Comments