Who are threesixtymaintenance.co.uk (a review of osint data)

Leaders and Romans estate agents are recommending, without further comment or clarity, maintenance on properties by a company:

we can certainly recommend Three Sixty Maintenance who will be able to assist with arranging an EICR at your property.  You can liaise with them direct on electric@threesixtymaintenance.co.uk.

Email from Leaders 06/12/2020.

The website, at time of writing, contains no details other than a contact number and email address. No postal address or company registration details.

This caught my interest. Who is this company, where are they based and why are Romans / Leaders recommending them?

Low hanging fruit – Hidden pages on their website…
https://threesixtymaintenance.co.uk/welcome-leaders-romans-group/

https://threesixtymaintenance.co.uk/team/jason-farrimond/

Oh right.. there we go. I see, they are recommending a company who is actually….. the same company!

Is this ok?
I feel like this association or “part of the Leaders Romans Group” should be made clear in their letters to tenants and landlords!

Slightly higher hanging fruit:
The IP address of the website is “68.183.153.109”; hosted on that same server is “threesixtymaintenance.com”, among other domains. For clarity, the domains hosted on the same server as Leaders Romans Group are:

hislinsurance.com
threesixtyliving.co.uk
threesixtymaintenance.com
revolutionpropertymanagement.co.uk
bodeinsurancesolutions.co.uk
revolutionpropertymanagement.com
lrg.co.uk


More onlineresolve scams

If you look back through the last few posts you will see that a fake tech support company, onlineresolve, has been sending phishing and other junk to its victims.

Today is slightly different. Instead of a fake Amazon order it is an email claiming that the victim has renewed their “Tech Protection Plan” for “Premium Tech Support”.

The message came from a gmail account and the content is entirely images so there is no easy way for spam filters to check the text / wording.

The email reads:

Dear Customer,

Greetings from Premium Tech Support!

This notice is to keep you informed that your existing Tech Protection Plan has expired on November 2nd, 2020 at 23:59:59 hrs

To ensure continued protection of your computer, your account has been AUTO-RENEWED of your service effective after expiry date for $429.99 which will be valid for the next 3 years.

However, if you wish to CANCEL your service and GET YOUR REFUND for today’s transaction $429.99, we request you call to us at: (805)-284-9888 to discontinue.

NOTE: You are required to deactivate the service before getting your refund.

THIS IS A SYSTEM GENERATED EMAIL. ANY REPLY TO THIS EMAIL WILL NOT CANCEL YOUR MEMNERSHIP. PLEASE REACH US TO CANCEL.

Details:
Name: PC-PROTECT 6.81.3.3
Price: $429.99
Period: 3 YEARS

Best Regards,
Premium Tech Support, LLC
1110 Gold Street, Van Nuys, CA 91405

Customer Service:
Phone: (805)-248-9888
Mon-Sat: 08:00 AM – 04:00 PM (EST)

@ All Rights Reserved Premium Tech Support, LLC

It is important to note that the victim that was sent this message did not give the previous tech support scammers any payment details. The above message is a fake designed to get the victim to call up and, likely, give over their bank details in a “refund scam” where the scammers will likely “refund too much” and then request the remainder back by Google, iTunes or other gift cards (which are impossible to then cancel and get a refund on!).


Accounts used in CEO Impersonation / Push Payment Fraud

Another day another attempted scam..

Value attempted to be stolen: IRO £19,900.

Destination accounts:
Sort Code: 07-04-36
Acct Number: 00666342
and
Sort Code: 08-71-99
Acct Number: 00989036

Both have been reported to the banks in question. If you’ve been a victim and sent payment after around 4pm on 24th September 2020 the destination bank is likely liable to return your payment if they’ve failed to take action on the destination account being used in the fraud.


onlineresolve.com phishing

Three times in the past I’ve come across onlineresolve.com, tech support scammers.

2015 on a Wii

2016 via DNSUnlocker

and in 2019 when they had changed names

Their database must now have been sold or leaked. I’ve woken up this morning to phishing emails sent to unique email addresses that were given only to them.
Subject: “Action Required- Verify your Order”

The email claims to be an Amazon order and has a “manage your order” link.

“Order # 171-8121815-3772341”
“Order # 171-629457-4772” has also been used.

“Your order will be sent to:
Thomas Draus
5526 N Luna Ave
Chicago, IL 60630”

and invites you to click a link.


How to dial from the asterisk CLI

There seem to be many, many articles and forum posts on the internet about how to trigger a call directly from the Asterisk command line.

Mostly they reference the “dial” command, which on Asterisk 17.4 doesn’t seem to exist.

Then there is voip-info which references the “originate” command but doesn’t give any context or examples. If you just type in originate into the command line it doesn’t recognise it.

You need to run:
channel originate PJSIP/02082446556@voiceflex-endpoint extension 01309655655@Voiceflex-Incoming

This command places an outbound call on the PJSIP endpoint at the VoIP provider and, once that call is answered, links it to extension 01309655655 in the context Voiceflex-Incoming.

(This article is mainly for my own reference at a later date).


BP ChargeVision / Smartcharge / chargemaster speed settings.

The energy company BP has an EV charging platform for home installations. The main name is chargemaster for the home charging box.
There are then bolt on services (free for the first 3 years) called:
-Smartcharge (the app)
-ChargeVision (the website)

The bolt on services allow you to see charging status, set a charging schedule and estimate the cost of electricity you’ve dumped into your electric vehicle.
Generally these services are usable but not really well coded or enjoyable. Documentation seems to be non-existent other than a few FAQ entries on the main chargemaster site.

This blog post is about the charging speed settings in the advanced schedule settings page.

On the desktop version it looks like this:

The mobile version looks like:

BP seem to have forgotten to give any guidance or information on what the three settings Slow, Medium and Fast actually mean.

I’m in the position of having an easy method to measure my power consumption, so I can reveal what they mean (and since writing this I’ve found the API calls give away the Amps settings).
If you have the standard installation where the maximum possible charging speed through the home charger is 7kW then the following seems to be true:

-Slow = ~1.5kW / 6 Amps
-Medium = ~3kW / 18 Amps (though in practice I’ve found this to be around 4.5kW)
-Fast = ~7kW / 30 Amps

Chargevision (the website):
-Awful user interface bugs.
Creating a schedule often duplicates the entry, it doesn’t seem to allow for a schedule to cover all day, you need two entries.
-Missing user interface functionality.
The Smartcharge app allows you to set the cost per kWh of your electricity. These functions don’t seem to exist on the ChargeVision web interface.
-The JavaScript file that runs the site is 2.5 megabytes in size! What the hell.
-Never remembers the login even if you tick the option.

Smartcharge (the app):
-Also seems to log you out regularly. Every time I’ve loaded it I’ve had to sign in.
-Doesn’t allow you to take screenshots; not sure why they would need to block that function. I had to use sneaky methods to capture the screenshots used in this post.

The website vs. the App.

Securing LibreNMS Weathermaps

If you use LibreNMS and have set up the Weathermaps plugin… your weathermaps are open to the world if anyone guesses the image or html file name.

(How is that even a feature?)

You can fix this mess by making the following changes.. (Bearing in mind I’m not a LibreNMS expert or Weathermap plugin author.. I make no claims of the security or viability of my modification but it seems to do the job for my setup).

Add the following to the bottom (before the last } bracket) of /etc/nginx/conf.d/librenms.conf

 location ~ /plugins/Weathermap {
    location ~ \.png$ {
      rewrite ^(.*)\.png$ /plugins/Weathermap/accesscheck.php;
    }
 }

Then make a file /opt/librenms/html/plugins/Weathermap/accesscheck.php:

<?php

# If debugging, remove the image content type header and echo out the data you need as html / text

include 'config.inc.php';
$init_modules = ['web', 'auth'];
require $librenms_base . '/includes/init.php';

if (!Auth::check()) {
    # Not logged in to LibreNMS: send the visitor to the login page.
    header('Location: /');
    exit;
} else if (Auth::user()->username == 'externalcontractorusernamehere') {
    # Logged in but not allowed to see the maps: serve a placeholder image instead.
    $im = imagecreate(200, 300);
    $bg = imagecolorallocate($im, 255, 255, 255);
    $textcolor = imagecolorallocate($im, 0, 0, 255);
    imagestring($im, 5, 0, 0, 'No Access.', $textcolor);
    header('Content-type: image/png');
    imagepng($im);
    imagedestroy($im);
} else {
    #echo('I am authed as ');
    #echo(Auth::user()->username);
    #echo(' with email ');
    #echo(Auth::user()->email);
    #echo(' with admin status: ');
    #echo(auth()->user()->isAdmin());
    #echo(' wanting to access file ');
    #$htmlfile = str_replace('.php','.png',basename($_SERVER['PHP_SELF']));
    # REQUEST_URI is the original request (nginx rewrote it internally), so strip any
    # query string and keep only the file name; basename() stops "../" escaping the folder.
    $path = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
    $htmlfile = basename((string) $path);
    #echo($htmlfile);
    $fullpath = '/opt/librenms/html/plugins/Weathermap/' . $htmlfile;
    if (!is_file($fullpath)) {
        # Unknown map name: return a 404 rather than a PHP warning.
        http_response_code(404);
        exit;
    }
    header('Content-type: image/png');
    readfile($fullpath);
}
?>

The code does the following..

1) Imports the LibreNMS configuration and initialisation scripts.
2) Checks if the user is authenticated; if they are not, it redirects them to the login page (although in practice this is a .png request, so the visitor won’t hit that unless they right click and “View image” and the browser follows the redirect).
3) Blocks a specific named user (if you wanted to) in case you had an authenticated user who wants LibreNMS access but no access to Weathermap images.
4) Otherwise reads the image and spits it out to an authenticated visitor.

Obviously you can expand and customise things as you need. Note that the nginx rule above only matches .png requests, so any generated .html pages are still served directly unless you add a matching rule for them.

In one setup the image files were in /output/, so the nginx config needed editing to include output in the path, accesscheck.php needed placing in the output folder, and the final “readfile” line in accesscheck.php needed editing to include /output/.
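As an added example (not code from this post or from the LibreNMS and Weathermap projects), here is a variant of accesscheck.php that goes beyond the script above: it also gates the generated .html pages, validates the requested name against an allowlist before reading anything from disk, and answers blocked or unknown requests with a proper 403 or 404. It assumes the nginx rewrite is widened to match both extensions, and the entries in $blocked_users are placeholder names.

```php
<?php
// Added example, not the LibreNMS or Weathermap project's own code.
// Assumes the nginx rule is widened to cover both map file types, e.g.
//   location ~ \.(png|html)$ { rewrite ^(.*)\.(png|html)$ /plugins/Weathermap/accesscheck.php; }
// and that this file lives in the Weathermap plugin directory.

include 'config.inc.php';
$init_modules = ['web', 'auth'];
require $librenms_base . '/includes/init.php';

// Directory the maps are written to; use .../Weathermap/output if your setup writes there.
define('WEATHERMAP_DIR', '/opt/librenms/html/plugins/Weathermap');

// LibreNMS users who may log in but must not see the maps (placeholder names).
$blocked_users = ['externalcontractorusernamehere'];

// Permitted extensions and the Content-Type to send for each.
$content_types = ['png' => 'image/png', 'html' => 'text/html; charset=utf-8'];

/**
 * Turn the original request URI into a safe absolute path inside WEATHERMAP_DIR,
 * or return null when the request is not an acceptable map file.
 */
function resolve_map_file(string $request_uri): ?string
{
    // REQUEST_URI still carries the URI the browser asked for; drop any query string.
    $path = parse_url($request_uri, PHP_URL_PATH);
    if (!is_string($path)) {
        return null;
    }
    $name = basename(rawurldecode($path));
    // Allowlist: a plain name plus one permitted extension, so no "..", slashes or NULs.
    if (!preg_match('/^[A-Za-z0-9_-]+\.(png|html)$/', $name)) {
        return null;
    }
    // realpath() fails for missing files and resolves symlinks; insist the result
    // is still inside the map directory as a second line of defence.
    $base = realpath(WEATHERMAP_DIR);
    $full = realpath(WEATHERMAP_DIR . '/' . $name);
    if ($base === false || $full === false || strpos($full, $base . '/') !== 0) {
        return null;
    }
    return $full;
}

function deny(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    echo $message;
    exit;
}

if (!Auth::check()) {
    // Anonymous visitor: send to the LibreNMS login page, as the original script does.
    header('Location: /');
    exit;
}

if (in_array(Auth::user()->username, $blocked_users, true)) {
    deny(403, 'No Access.');
}

$file = resolve_map_file($_SERVER['REQUEST_URI']);
if ($file === null) {
    deny(404, 'Not found.');
}

$ext = strtolower(pathinfo($file, PATHINFO_EXTENSION));
header('Content-Type: ' . $content_types[$ext]);
header('Content-Length: ' . filesize($file));
readfile($file);
```

Because the .html pages embed the .png images, both requests now pass through the same check, so a guessed file name of either type gets the login redirect.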


“020 3097 1793” tech support scam

Not much information on this one as I doubt I’m going to have much time spare to investigate it.

Contacted by someone today who had been using Microsoft Edge (hah) to browse using Bing search and one of the results had caused their computer to make loads of noise and lock out with an authentication box that had the following words on it:

“The server http://www.clothscard.online is asking for your username and password.

That server also reports: “Suspicious movement distinquished on your IP address because of a spyware introduced in your PC. Call Toll Free now @ 020 3097 1793 for any help. Your information is at a Serious risk. There is a Computer framework record missing because of some Harmful malware infection Debug Malware error (code 0x80093acf). Call Immediately to correct the issue. Please do not Open web browser or make any changes for your Security Issue to avoid data loss & Corrupt system files & drivers, Call immediately to save Hard disk Failure & Data loss. This Harmful malware is affecting your online information & can Track Financial Activity Contact Certified Technicians at 020 3097 1793 PLEASE DO NOT SHUT DOWN OR RESTART YOUR COMPUTER, DOING THAT MAY LEAD TO DATA LOSS AND FAILURE OF OPERATING SYSTEM, ONLINE INFORMATION. HENCE NON BOOTABLE SITUATION RESULTING COMPLETE DATA LOSS . CONTACT ADMINISTRATOR DEPARTMENT TO RESOLVE THE ISSUE ON 020 3097 1793 (TOLL FREE).”.”

The website that triggers the message for authentication seems to be down at the moment so I can’t identify much about that. I might try to troll them on the phone if I have time and a spare computer setup to trick them with.


Electronics goods scam, 2020-2021 version

I’ve a long history of tracking electronics goods scam websites (the 2015 to 2019 saga is here)…


This year they are finally back again*.. I was first alerted to them after a BBC news article. What is more worrying this time is they catch their victims by advertising in the Google Shopping tab making their site(s) look far more legitimate.

(*I’m pretty sure it is the same people but not 100% certain.)

The scammers go under the company names:

Related at some undetermined time in the past:
gerber-elektronik.com – seems to have targeted German-speaking victims.

“Owl Geek” (OWL-GEEK.COM – registered 28th March 2020).

“Perlmann-Store” (perlmann-store.com – registered 11th April 2020).

“Pearce-Store” (pearce-store.com – registered 17th April 2020).

“Tech Ziox” (techziox.com – registered 18th April 2020).

“Cynax Tech” (cynaxtech.com – registered 18th April 2020).

“My Tech Domestic” (mytechdomestic.com  – registered 20th April 2020).

“Cynax” (cynax.co.uk – registered 26th April 2020).

“Tech Fave” (techfave.co.uk – registered 2nd May 2020).

“shopavo” (shopavo.co.uk – registered 3rd May 2020).

“Shop Zeal” (shopzeal.co.uk – registered 7th May 2020).

“Boboxo” (boboxo.co.uk – registered 8th May 2020).

“Storaxy” (storaxy.co.uk – registered 14th May 2020).

“Wiovo” (wiovo.co.uk – registered 15th May 2020).

“Zeppler” (zeppler.co.uk – registered 15th May 2020).

“Tofevo” (tofevo.com – Registered 20th May 2020).

“Riellazi Electronics” (riellazielectronics.co.uk – Registered 30th June 2020).

“TV & Electronics” (tvandelectronics.com – Registered 4th July 2020).

“Sure Market” (suremarket.co.uk – Registered 3rd August 2020).

“Store Excellence” (storeexcellence.co.uk – Registered 3rd August 2020).

“Salesrific” (salesrific.co.uk – Registered 3rd August 2020).

“Ever Market” (evermarket.co.uk – Registered 3rd August 2020).

“Exclusive Market” (exclusivemarket.co.uk – Registered 3rd August 2020).

“Grand Gadgets” (grandgadgetz.co.uk – Registered 7th September 2020).

“tiersales” (tiersales.co.uk – Registered 9th December 2020). (alexjohnson9812)

“dealsdiscount” (dealsdiscount.co.uk – Registered 8th December 2020). (alexjohnson9812)

“Commerce Perfect Electronics” (commerceperfect.co.uk – Registered 3rd August 2020).

“Saleave Electronics Store” (saleave.co.uk – Registered 15th December 2020).

“Market Bump Electronics” (marketbump.co.uk – Registered 15th December 2020).

“ingadgets” (ingadgetsltd.co.uk – Registered 21st December 2020).

“salepush” (salepush.co.uk – Registered 15th December 2020).

“Mart Find” (martfind.co.uk – Registered 15th December 2020).

“Sale Phase” (salephase.co.uk – Registered 15th December 2020). Not yet in use.

“Sale Park” (salepark.co.uk – Registered 15th December 2020). Not yet in use.

“Sale Logic” (salelogic.co.uk – Registered 15th December 2020). Not yet in use.

“Market Banter” (marketbanter.co.uk – Registered 15th December 2020).

“Apex Electronics Limited” (apexelectronicslimited.co.uk – Registered 15th January 2021).

“buyerpro” (buyerpro.co.uk – Registered 9th February 2021).

“Gadget Space” (gadgetspace.co.uk – Registered 4th February 2021).

“Cartlo Store” (cartlo.co.uk – Registered 9th February 2021).

“salesrepublic” (salesrepublic.co.uk – Registered 13th February 2021).

“Cheapsey Store” (cheapsey.com – Registered 22nd February 2021).

“Best Store” (beststoresday.com – Registered 4th March 2021).

“Olstuff” (olstuff.com – Registered 4th March 2021).

“AIteck Store UK” (aiteck.co.uk – Registered 8th March 2021).

“FM Gadgets” (fmgadgets.com – Registered 22nd March 2021).

“Fit Lab” / “The Fit Lab” (thefitlab.co.uk – Registered 31st March 2021).

“Storm Gadget” (stormgadget.co.uk – Registered 9th April 2021).

“Top Retail” / “Top Retails” (topretails.co.uk – Registered 10th April 2021).

“Cheapsy Store” (cheapsy.co.uk – Registered 9th February 2021).

“HiFi Mania” (hifimania.co.uk – Registered 20th November 2020).

“Techea” (techea.co.uk – Registered 18th May 2021).

“Venture Electronics” (venturelectronics.co.uk – Registered 19th April 2021).

“Mart Hub” (marthub.co.uk – Registered 16th June 2021).

“Appliance Store” (appliancesstore.co.uk – Registered 25th May 2021).

“Sneakers Republic” (sneakersrepublic.co.uk – Registered 32rd June 2021).

“AM Home Appliances” (amhomeappliances.co.uk – Registered 24th May 2021).

“Crypto Gadgets” (cryptogadget.co.uk – Registered 4th June 2021).

“Right Gadget” (rightgadget.co.uk – Registered 29th May 2021).

“Electronic Marts” (electronicmarts.com – Registered 8th June 2021).

“Gadget Mart” (gadgetmart.co.uk – Registered 23rd June 2021).

“Electronics Online Limited” (electronicsonlineltd.com – Registered 28th June 2021).

“Sneakers Hub” (sneakershubs.com – Registered 7th July 2021).
Likely unrelated to all the electronics themed sites. This one appears to be run by “ofdads@gmail.com” (Skype: md.omar.faruk.123 and Telegram: @omar.faruk1999 and @omarfaruqe) who is in the business of arranging verified Stripe accounts (a credit card processor).

“Electronic Bargain” (electronicsbargain.co.uk – Registered 9th July 2021).

“APRO Electronics” (aproelectronics.co.uk – Registered 12th July 2021).

“AG Electronics” (agelectronics.co.uk – Registered 12th July 2021).

“Instant Electronics” (instantelectronics.co.uk – Registered 23rd July 2021).

“Retail Gold” (retailgold.co.uk – Registered 23rd July 2021).

“AdvanceDive Electronics Limited” (advancedive.co.uk – Registered 10th August 2021).

“Silicon Gadgets” (silicongadgets.co.uk – Registered 10th August 2021).

“e-tronics gadgets” (e-tronicsgadgets.co.uk – Registered 24th August 2021).

“Home Appliances Trade” (homeappliancestrade.co.uk – Registered 15th September 2021).

“Cappy Gadgets Limited” (cappygadgetsltd.co.uk – Registered 28th September 2021).

“Gadgetsbag” (gadgetsbag.co.uk – Registered 14th October 2021).

“AB Appliances, Shop on the go” (ab-appliances.co.uk – Registered 17th October 2021). Live chat operator is in Nigeria. Has a fake credit card payment screen, then claims that the payment failed and asks for a BACS transfer to Sort Code: 04-00-75 Account Number: 63183013. Then moved to 04-00-04, 96801455. Then moved to 04-00-75, 55408974. Then moved to 04-00-75, 66899257. If you lost money to any of these accounts please comment below, as depending on timing (and when the bank was made aware of the accounts) you may be due an immediate refund under the destination bank’s failure of its duty of care.

“Electronics Locker TM” (electronicslocker.co.uk – Registered 18th October 2021).

“Connection Appliances Limited” (connectionapplianceslimited.co.uk – Registered 20th January 2021). Requests bank transfer to Sort Code: 04-00-75 Account Number: 57023956. If you lost money to this account please comment below, as depending on timing (and when the bank was made aware of the account) you may be due an immediate refund under the destination bank’s failure of its duty of care.

“HOMEPROF” (homeprof.co.uk – Registered 7th November 2021). Uses a Russian language version of WordPress in the back end.

Some of the newer sites have “astroturfed” fake positive reviews on trustpilot and other sites. These quickly get swamped by victim complaints after a week or two.

VICTIMS: Please see the previous article for advice on how to recover any lost funds. It is also very important that you report the fraud to ActionFraud to help collate data and also allocate crime fighting resources to the crime.


Host-to-LAN (OpenVPN) drop in replacement from ZeroShell to OPNsense

Due to the lack of IPv6 support in ZeroShell I’ve recently had to move over to a different routing operating system.

My setup is fairly complex with lots of needs:

-The ability to tcpdump
-Failover and routing rules for multiple internet connections
-VPN hosting for me to get into my network remotely and site-to-site to access remote LANs.
-Multiple IPs per LAN interface
-A mix of NAT and PPPoE routed subnets.
-Requirement to be able to “intercept” and give my own responses to DNS zones and hosts.
-QoS to prevent a single device on the network causing my internet to perform badly.
-NTP Server
-Bandwidth reporting globally and per device.

Lots of you may be saying “just do NTP on a linux machine” or similar.. which I could do. But it is nice to have all of the above in a single system. My previous ZeroShell setup does that.

After a bit of hunting around it looked like OPNsense is a suitable replacement.

This specific article is about what you need to set on OPNsense to allow Windows-based OpenVPN TAP clients to connect to your new OPNsense without needing to upgrade their configuration.
I use only user and password authentication so things may be different if you use Certificate Authentication for users.

To start – on your ZeroShell machine take a copy of the certificate and private key for the certificate authority:

root@zeroshell ssl> cat /Database/etc/ssl/certs/cacert.pem

and

root@zeroshell ssl> cat /Database/etc/ssl/private/cakey.pem

On OPNsense go to System.. Trust.. Authorities. Click on Add.
Give the Trust Authority a name and paste in the certificate data (the “cacert.pem” content) and the private key box (“cakey.pem” content).

To find the serial number for next certificate go to your ZeroShell web interface and then “X.509 CA”. Look at the Serial column and find the highest used number and add one. On my system it was 8, so on OPNsense I put in 9.

Click Save on OPNsense.
In the Trust menu on OPNsense. Click on Certificates. Click on Add.
Change the Method to “Create an internal Certificate”.
In the Name type in whatever you want. Make sure you select “Type” to be “Combined client/server certificate”.
Fill in the State, City, Organisation etc.. and click Save.

Now go to VPN on the left menu of OPNsense then to OpenVPN.
Click Servers. Click Add. Type in any description you like.
In Server Mode select “Remote Access ( User Auth )”
Backend for authentication needs to be “Local Database”.
On Protocol I had to select UDP4 as otherwise it seemed to automatically only listen on IPv6.
Make sure Device Mode is “TAP” as this is the old style connection that ZeroShell used. Make sure your Interface to listen for connections on is selected correctly and the Local port is the same as you used on ZeroShell.

Un-tick “TLS Authentication // Enable authentication of TLS packets.”

In the Peer Certificate Authority select the one you imported from your ZeroShell in the first step where you copy and pasted the pem files.

In Server Certificate click and select the certificate you created rather than “Web GUI SSL”.

In the “IPv4 Tunnel Network” box type in “192.168.250.0/24” if you use the default ZeroShell setup.. otherwise just copy the IP range you use in the ZeroShell “Client IP Address Assignment” box on the “Host-to-LAN” Screen. You may need to ask someone for help converting it from a “from IP to IP” range to CIDR notation.

In the “IPv4 Remote Network” box type in: “0.0.0.0/0”

In the “Compression” drop down make sure it is selected on “Enabled without Adaptive Compression”.

On my setup I made sure “Dynamic IP” and “Address Pool” were ticked.. I’m not sure if either help so if you know better than I do – make sure you select what you think is best and also leave me a comment.

I ticked “DNS Servers” and typed in the first IP within the “IPv4 Tunnel Network” range.. in the default setup this would be “192.168.250.1” for “Server #1”.

The screenshot below shows my setup – note that I use an unusual UDP port and most default setups will be on a port like 1194.

Once done you also need to make sure that your users exist in OPNsense under System, Access, Users. The root / administration user should also be able to connect anyway without adding any other users.

I expect your firewall will also need the inbound port adding for the OpenVPN server.


Hope this helps.. it was a lot of trial and error to get to this stage for me so documenting it will also help me in the future.
