ipr-protection.com and ipr-protection.org spam.

A customer received the following spam today:

From: IPR Protection info@ipr-protection.com
Sent: 13 March 2023 RE:DAC
To: REDACTED
Subject: Trademark registration for REDACTED

Dear Sir/Madam,

Yesterday we received an application for the trademark registration of REDACTED. This application was not filed by you or your company, but by a third party, as we observed from the application forms.

During our screening, we noticed that you have a similar company name, but in a different sector.

Given the fact that your company was the first to be registered, you have the first option of registering this brand name.

If you would rather not have the other party use this brand name, please let us know. In that case, you can register the trademark for yourself.

If you want to register the trademark in the UK, the costs are £550.00 excluding VAT. Your registration will be processed within 24 hours. An European (£1249.00) or international registration (£1775.00) is also available.

Please let me know within three business days whether you wish to make use of this offer. If you do not respond or are not interested, we will approve the other party’s application, which means that they will obtain the trademark rights to REDACTED.

Kind regards,

Jack Walsh
IPR Protection
http://www.ipr-protection.com

Unsolicited and also includes an unsubscribe link in the disclaimer at the end of the email which links to an email marketing campaign application MailWizz. Seems like a strange way to send one off “warnings of application” emails, using mass mailing software!

Their website doesn’t have any postal address, doesn’t give a company registration number

Digging into it more.

IPR-PROTECTION.COM and ipr-protection.org were only registered 28th December 2022.
They only pointed it at a valid website server on 1st January 2023.

However! Things on their website (files uploaded) are dated as far back as March 2022.
Most of the photos uploaded appear to be headshots of people but show high graphical artefacts to suggest the photos have been generated by an AI website “this person does not exist”:

Note the way stray hairs have turned into unusual creases in the background and that the earring doesn’t appear to be quite right.

Going further it appears in March 2022 they went under the name “EU Brand Protection” “eubrandprotection.com” and the EU Intellectual Property office write an article on their website about them:
https://euipo.europa.eu/ohimportal/en/misleading-invoices

Also highly likely to be related:
ieobenelux.com
trademarkbenelux.com
ids-norway.com
dns-austria.com
dns-eu.net

Also highly likely to be related:
ieobenelux.com
trademarkbenelux.com
ids-norway.com
dns-austria.com
dns-eu.net
dns-eu.org
dns-osterreich.com
dnsna.org
ukraine-donation.org – known scam run from the same web server

Going by some of the language used in their code.. I think the actors behind this spam are Dutch.

I’m no lawyer but it seems unusual to me that a company supposedly offering trademark registrations would issue another company trademark of a brand they ALREADY know is in use! (as they are emailing the victim to ask if its ok).

Plus the AI generated photos of the people on their website, plus the historic company also involved with misleading invoicing / practices.

I would block, report and delete the email and ignore you’ve received it. Certainly do not pay them. If you do want to register your trademark, do it directly with the government at around £170…

Advertisement

Fake Bitcoin investment sites: swancoins.net, orchidcoin.net, lidocoin.net etc.

These sites are unusual. They are spread by unsolicited emails claiming to be updates to an account or someone who needs to recover an account. It gives a username and a password.

The username isn’t unique. When you sign in you are asked to set a password. This is used along with the username to identify you as a victim.

They then ask you to use a mobile number and they use an API or web service to trigger an SMS or call to the number. (This costs the scammer).

Once you’ve validated the account you are then shown a page claiming you have a bitcoin wallet or investment with a large balance. There are options to pay in or withdraw.

There are two modes of operation. One it forces you to send bitcoin to them for the annual account fee before you can do anything. The aim here is to just steal that fee.

The other mode is to error when you try to withdraw a large amount. They then say you need to withdraw a tiny amount (around US$2) as a test transaction before you can withdraw the remaining.
What is unusual about this is, the payment actually gets made. If you game this scam you can get $2 in bitcoin for free.

But… what they hope for is the victim then, after the test transaction works, tries to withdraw the remaining balance. Their system then fake errors and says you need a higher balance to withdraw. The scammers hope victims send a larger amount of bitcoin back to the scam site to increase the balance and allow withdrawal of the full amount.

They troll the victim into believing the site is real, they respond to online tickets like a normal organisation would.

Needless to say if you send bitcoin back to them, you won’t see any of it ever again.

It’s a sophisticated scam. The scammers send money, the scammers pay for a SMS and Phone one time code verification service! The scammers appear to be running multiple brands and sites. They look like they have a central operation to automate payments of bitcoin but multiple “agents” to scam victims. The agents are given a cut of the income which they can cash out every so often.

Other names they’ve gone under in the past:

bitforte.net
orchidcoin.net
coinlux.net
coinforte.net
coincrow.net
cryptoncoin.net
fortcoin.net
coinloaf.net
coinomac.com
heliumcoin.net
horizencoin.net
coinrow.net
coinfist.net
paxcoin.net
securecoins.net
orbitcoin.net
tatcoin.net
coins45.com
rendercoin.net
swancoins.net
pdcoin.net
protoncoin.net
bitcount.net
astarcoin.net
golemcoin.net
coinfolds.com
bitmantic.com
binancial.io
golemcoin.net
qtumcoin.net

To effectively game the site and get free money you would need lots of mobile numbers, lots of bitcoin wallets and lots of IP addresses. They also check for common VPN and Onion exit IP addresses.

The main person behind it appears to be in Nigeria as do the majority of the “agents”.
To date (2023-02-20) across all the agents since mid 2021 they’ve been paid $25,000 worth of bitcoin. The total losses from victims is likely much higher as I suspect the agents only get a percentage of the overall theft.

NReco.PdfGenerator “Exit with code 1 due to network error: ContentAccessDenied”

Took me ages to work this one out. HtmlToPdfConverter.GeneratePdf causes the error mentioned in the title.

Looking at the iis trace in process monitor produced no mention of it attempting to access anything at all.

A few years ago someone posted the same issue on stackoverflow https://stackoverflow.com/questions/56289916/how-i-can-generate-pdf-document-with-nreco-pdf-generator
As with the issue I was troubleshooting, I could get the code to run ok on an old server and also when running it via IIS Express in Visual Studio but the moment you deployed it to the main IIS it would error when generating a PDF.

It took hours of messing around but eventually I figured out the Exit Code was a message produced by another component, “wkhtmltopdf.exe” (which I’ve used in the past with my own process running wrapper). Seems NReco just runs a 3rd party application “wkhtmltopdf.exe” but with command lines to write to a system temporary folder.

"D:\website\mainroot\App_Data\wkhtmltopdf\wkhtmltopdf.exe"  -q  -s A4  "C:\WINDOWS\TEMP\pdfgen-cex1sm4a.zbf.html"  "C:\WINDOWS\TEMP\pdfgen-ioeaohqn.wvq.html" 

You don’t see this as a user of NReco PDFGenerator, you just see the error. It gives you no indication of which folder it is failing to access.

My instance was solved by adding Authenticated Users to have full permissions over the c:\windows\temp folder:

Hours of time could have been saved if the error output from the component was more coincide or if it was clearer that the .net component just runs a .exe to perform the conversion, this would make it clearer that temporary files must be being used somewhere.
It appears there is no way to set the temporary file NReco PDF Generator uses either. This restriction will be an unfixable issue for deployments on shared servers where you won’t be able to change the permissions on the windows system temp folder!

Required OpenVPN modifications for Grandstream phones.

Just for my future reference as normal..

Using a standard setup from this script: https://github.com/angristan/openvpn-install

Comment out the tls-crypt line

add a log line:

log /var/log/openvpn/log.log

Turn off LZO on phone. Configure, then reboot phone.

Asterisk PBX: Using TimeZones in GotoIfTime

Asterisk VoIP PBX allows you to setup your dialplan to route calls to different places depending on the time of day.

I setup a system in the UK which has British summer time / daylight savings time. (BST). The documentation on Asterisk.org is always missing examples.
The examples on the incredibly helpful voip-info.org didn’t contain any information about timezones. Googling also didn’t reveal much.

Eventually I managed to find the right Google words to dig up a blog.

The correct use of timezones for the UK is:

 same = n,GotoIfTime(8:30-17:00,mon-thu,*,*,/usr/share/zoneinfo/Europe/London?helpdeskopen,1)
 same = n,GotoIfTime(8:30-16:00,fri,*,*,/usr/share/zoneinfo/Europe/London?helpdeskopen,1)
 same = n,Verbose(1, "Helpdesk is in night mode")
 same = n,Playback(duty-manager-details)

exten = helpdeskopen,1,Verbose(1, "Helpdesk is in day mode")
 same = n,Playback(pls-wait-connect-call)

Obviously modify to fit your needs.

Until I found the helpful blog I had assumed that the timezone would be something like “BST” or “GMT” or “UK”.. I wouldn’t have even though of trying a timezone (zoneinfo) file!

Examples in documentation go a long way to reducing the difficulty of learning new things. I get frustrated that voip-info has been left to do a lot of the heavy lifting in terms of Asterisk examples and documentation.

Asterisk PBX: Enable beep on call transfer.

I always find this difficult to google for.. so just to save me time in the future:

extensions.conf: same = n,Set(__ATTENDED_TRANSFER_COMPLETE_SOUND=beep)

The __ at the beginning means the variable inherits multiple levels on calls or processes spawned by the dialplan.

For more information on ATTENTED_TRANSFER_COMPLETE_SOUND see:
https://www.asteriskguru.com/archives/image-vp330828.html
Otherwise there is very other little documentation about the variable.

Electronics goods scam, 2022 version

It has been a while, I’ve previously written about similar scams in 2021 and earlier.
I stopped being able to find active sites towards the end of 2021 and, sadly, lost interest in checking after a while.
A recent comment on that page has highlighted that they’ve finally returned.

Here are sites which I believe are scams where they will take your money (often by Stripe card payments) and never deliver anything. If you paid via this method you should be able to do a chargeback via your card company for goods not delivered.
A few of the sites don’t even offer card payment and ask for direct bank transfers. If you made a direct bank payment it becomes a lot more complicated to claim the funds back.

In any case, if you’ve been a victim it is important you raise a case with ActionFraud. This won’t do anything specific but the more people who complain about a type of fraud or a specific website the more likely it is that the police will be able to do something about it. If you don’t report it then you leave it wide open for others to become victims; help others and yourself by reporting loss and fraud to ActionFraud!

Likely fraud and scam sites:

akielectronics.co.uk – Registered 16th November 2021.

bscgadgets.com – Registered 16th November 2021.

gadgetspad.co.uk – Registered 23rd November 2021.

gadgetsaids.co.uk – Registered 5th December 2021.

chappliances.co.uk – Registered 2nd January 2022. (Related keyword “daniel”)

dynamicappliances.co.uk – Registered 8th January 2022. (Related keyword “odessy”)

digitalstoreups.com – Registered 11th February 2022.

appliancesaheadltd.co.uk – Registered 20th February 2022.

gadgetslondon.co.uk – Registered 1st March 2022. (different scam group? Related keyword “vibesvilla”)

electsales.co.uk – Registered 4th April 2022. (different scam group? Related keyword “vibesvilla”)

generalgadgets.co.uk – Registered 3rd March 2022. (different scam group? Related keyword “vibesvilla”)

appliancesplace.co.uk – Registered 30th April 2022. (different scam group? Related keyword “riaj35277”)

atomgadgets.co.uk – Registered 27th May 2022.

extremegadgets.co.uk – Registered 28th May 2022. (different scam group? Related keyword “vibesvilla”)

If you’ve come across these or any others please let me know how you found them. What were you searching for and on what website did you see the link to the scam site.

How to make Speedify use multiple gateways on linux

This has been tested on a virtual guest with multiple virtual adaptors provided by the host (no vlans). It may work with linux virtual adapters (e.g. ens10:1) too but untested.

Default adaptor and gateway are as normal. No changes required.

The other two adaptors:

Add a route in on /etc/iproute2/rt_tables by adding the following to the bottom of the file:
1 rt2
2 rt3

ip route add default via 10.67.89.11 dev ens19 table rt2
ip rule add from 10.67.89.254/32 table rt2
ip rule add to 10.67.89.254/32 table rt2

ip route add default via 10.67.89.10 dev ens20 table rt3
ip rule add from 10.67.89.253/32 table rt3
ip rule add to 10.67.89.253/32 table rt3

You may wish to run tcpdumps on each interface:
tcpdump -nn -i ens20
tcpdump -nn -i ens19
tcpdump -nn -i eth0

Then connect on speedify and run a speed test to check that all windows scroll data and it is using all the connections.

Webmin not updating Debian firewall.

This is again mainly for my own reference. If you are stuck in “I don’t like CLI” land – like I am sometimes – this is how you get Webmin configured iptables rules to apply if the GUI isn’t applying them.

ip6tables-restore /etc/iptables/rules.v6
and
iptables-restore /etc/iptables/rules.v4

(Rebooting also seems to apply any unapplied changes but rebooting is also very inconvenient!)

Gaining full root access to the Hyperoptic ZTE ZXHN H298A

Here I will go through the rough and very technical steps to gain root access to this router.

Beware – it is very technical, needs a working GenieACS server and a DHCP server which allows you to set an Option 43 response.

Attack Vector:
The takeover of this router hinges around the default configuration of the router picking up an ACS / TR-069 server from DHCP on the WAN.
ACS / TR-069 is a remote management protocol for routers, SIP phones and other network items. This means we can plug the H298A WAN port into a network we control and respond with our own ACS Server.
Once the router is communicating with our ACS server we can then reset the root password and log into the web admin interface with this root password.

Features Gained:
You gain the ability to edit the WAN settings of the router. Possibly use a 3g dongle as backup and you can configure it to use your own VoIP service.

How:
Install and make sure you have a working GenieACS server. I’m afraid this is a bit of a mission. I installed VMWare Player; debian as a guest with bridged networking to my LAN.

Once debian was up and working I then followed the instructions on the GenieACS documentation to install Node, MongoDB and GenieACS. I also referenced a good summary on Mikrotik’s forum.

Make sure you can bring up your GenieACS UI in a browser using port 3000.. e.g.
http://10.100.1.81:3000 (replacing the IP with the IP you are running GenieACS on, on your LAN).
I had to reboot my debian guest after doing all the install before this web page would work.
I’d also check the port that the router will communicate with.. e.g.
http://10.100.1.81:7547 (This page will give you method not allowed error, but that is expected).

Go into the Admin tab on GenieACS.
Go to Provisions on the left.
Click Show on the default line.
Add the following at the bottom of the existing script:

const password = "wenowknowthis";

const informInterval = 30;
const daily = Date.now(86400000);

declare("InternetGatewayDevice.ManagementServer.ConnectionRequestPassword", {value: daily}, {value: password});
declare("InternetGatewayDevice.ManagementServer.PeriodicInformInterval", {value: daily}, {value: informInterval});

declare("Device.ManagementServer.ConnectionRequestPassword", {value: daily}, {value: password});
declare("Device.ManagementServer.PeriodicInformInterval", {value: daily}, {value: informInterval});

declare("InternetGatewayDevice.DeviceInfo.X_ZTE-COM_AdminAccount.*", {path: hourly, value: hourly});

And then save it. What this does is, along with the other default stuff GenieACS does when a router first communicates, will set the password on the routers ACS “connection request url” to be something we know. This allows easy access to change settings via Genie ACS. If we didn’t do this step then GenieACS would fail to push settings to the router with an authentication error.

We now need to set DHCP Option 43 on your LAN DHCP Server.

On OPNSense you add an option 43, select String from the drop down box and then the value in this format:

01:18:68:74:74:70:3a:2f:2f:31:30:2e:31:30:30:2e:31:2e:38:31:3a:37:35:34:37:2f

Which is
01 (start)
18 (length, in hex, of the url string to follow, windows calculator in programmer mode is your friend here)
68:74:74:70:3a:2f:2f:31:30:2e:31:30:30:2e:31:2e:38:31:3a:37:35:34:37:2f (http://10.100.1.81:7547/ in hex; cyberchef is your friend here to convert to and from Hex).

Save and apply your DHCP config.

Plug in your Hyperoptic router WAN port into your LAN.

Wait for it to boot up – then refresh your GenieACS interface and you _should_ see the Hyperoptic router in there!

Go to the device by clicking on the serial number.
In the grey box below “All parameters” type in AdminAccount.

Click the little pencil icon to the right of “blank” on the password line.
Type in a secure password. If you try and set something like “rob” it will error with task faulted and invalid parameter value. If this happens you need to click on the fault at the top and delete it from the queue.

So after setting a secure password like Underground123! click Queue then Commit.

You should see green status lines saying the change has been sent ok. You can now log into the Hyperoptic router interface using the username root and the password you just set in the last step.

Good luck and I hope this information helps someone :)