forum spambots

 CastleCops -> Phishing, Fraud and Dastardly Deeds
Author: logicman_alfLocation: UK PostPosted: Sat Jun 28, 2008 7:00 am    Post subject: forum spambots
Forum operators should be on their guard against a new generation of forum spambots.

These use a very primitive AI algorithm, a bit like the ALICE and ELIZA programs, snagging up a phrase and firing it back.

Typically, the bot will plant a 'thnx for that' message as an excuse to plant a 'sig' with hyperlinks.

The purpose there is to boost sites in google ratings.
A classic example of this would be bablorub's posts - just google it.

There have been recent posts by spambot
username boebtpstaacl

boebtpstaacl@8nfoblog.cn
ICQ 15663615

The following URLs are posted by this bot:

clicking on a credit card image shows url:
hxxp://seobox.net/in.cgi?16&group=forumbt
seobox is in some blacklists.
note the 'forumbt' - cute!

ordinary hypertext urls:

transfer-balance-offer-visa.prmotions-card-now.cn
creditcards-rewaeds-now.cn
transfer-balances-chase.amazing-carrds-now.cn
transfers-saving-limit-to.bonouscreditcard-now.cn
creditcards-incenctives-now.cn
transfer-balance-2000.cardsbenefits-now.cn
transfer-balance-search.creditpromotions-now.cn
0balance-transfer-transfer-balance.goodies-creditcards-now.cn
freebies-credit-now.cn
transfer-balance-offers-free.instantresultscardact-now.cn
transfur-airline-miles-to.cardbenefits-now.cn
banlance-transfer.card-advantages-now.cn
cardsbenefits-now.cn
transfer-balance-checks-amex.creditcard-flexiblerewards-now.cn
transfer-balance-credit-cards.prmotionscredit-now.cn
loyaltyprogramscreditcards-now.cn
transfer-balance-amount-until.bestdards-now.cn
creditspecialpromos-now.cn
transfer-account-balance.prizescreditcard-now.cn
insentivescreditcard-now.cn

I have tagged all these in WOT and SA as a fraud alert.
They can only have one purpose: a criminal purpose.

Any help with checking these further will be greatly appreciated.
Author: logicman_alfLocation: UK PostPosted: Sun Jun 29, 2008 3:24 am    Post subject: more spambot posts/links
A new batch of credit-card fraud sites.

looks like seobox is the control HQ for a lot of spambots!

botname: boebtpstaabh

links:
hxxp://seobox.net/in.cgi?16&group=forumbt. hxxp://seobox.net/in.cgi?16&group=forumbt.hxxp://seobox.net/in.cgi?16&group=forumbt.hxxp://seobox.net/in.cgi?16&group=fbtlapr

hxxp://seobox.net/in.cgi?16&group=forumbt. hxxp://seobox.net/in.cgi?16&group=fbtlapr.hxxp://seobox.net/in.cgi?16&group=fbtlapr.hxxp://seobox.net/in.cgi?16&group=fbtexe

domains:
amazingcardit-now.cn
approval-transfer-balances-instant.credit-rewarding-now.cn
beneiftscredit-now.cn
carddinstan-now.cn
craditeexcellant-now.cn
freeholderscard-now.cn
redemptioncreditcard-now.cn
rrewardscreditcards-now.cn
transaction-transfer-balance-with.boness-cards-now.cn
transfer-balance-chase.dobblemoney-creditcard-now.cn
transfer-balance-compare-deals.creditcardscrisereward-now.cn
transfer-balance-fees-apr.besr-dredit-now.cn
transfer-balance-offer-visa.prmotions-card-now.cn
transfer-balance-with-cap.amazing-crdeitcards-now.cn
transfer-balence-offers.incenctives-card-now.cn
transfer-credit-cards-best6362491.crdditcard-goodcredit-now.cn
transfer-interest-rate-past.cardite-instantdecition-now.cn
transfers-approval-balance-instant.cardrewards-credit-now.cn
transfers-balance-balance-life6267840.credit-rewardpoints-now.cn
washington-balance-tranfer-mutual.bestdealscardss-now.cn

and no doubt thousands more to come?

Please note that all domains in 2 posts are verbatim,
spelling errors are spammer's errors.
Author: AlphaCentauri PostPosted: Sun Jun 29, 2008 3:29 am    Post subject:
In an interesting twist, I have also seen this type of forum post that appeared to be trying to get higher search engine ranking than a page exposing a group of websites as scams.

During that time period, the sites themselves were unavailable, but multiple forums had users register with the site URLs as unames (eg, a new user named "scamsite.com" or whatever) and including that URL and perhaps one or two others of the group in his sig. The posts themselves were lame but innocuous and relatively on-topic, not typical spam that would be easily recognized as such.

Googling any of the domain names would produce pages and pages of these forum posts, with the page describing them as a scam pushed down in the ranking.
Author: logicman_alfLocation: UK PostPosted: Sun Jun 29, 2008 4:34 am    Post subject:
That's an interesting idea. Wink

It's a bit like when someone accused of being a spammer gets an injunction, as here:
http://courtnic.nic.in/dhcorder/dhcqrydisp_o.asp?pn=20089&yr=2008

Not much to say about that except to quote the official, public court document, where it was said in the bloggers defence
that he never claimed: "Tulip Lab is directly behind the spamming ".

Wink

Moderators: if there are, or may be, any legal issues here,
please feel free to delete my reference to what the court's official document says.
Author: logicman_alfLocation: UK PostPosted: Sun Jun 29, 2008 6:00 am    Post subject:
Domains list updated.

I have copied the list to:
http://www.mvps.org/winhelp2002/hosts.htm

If I find more, I'll post a fresh link to latest SA here.

http://www.siteadvisor.com/sites/excellent-credit-rates.cn/
Author: logicman_alfLocation: UK PostPosted: Tue Jul 01, 2008 10:51 am    Post subject:
This single domain was added to hosts file at winhelp2002 (see above)
track dot acclaimnetwork dot com

It's an affiliate site used by all above domains, and probably more.

Nicely spotted by these folks. Smile
CastleCops -> Phishing, Fraud and Dastardly Deeds

All times are GMT

Page 1 of 1


Powered by phpBB © 2001 phpBB Group