Sometimes you get a little good done...

The Annoyed Man
Senior Member
Posts: 26885
Joined: Wed Jan 16, 2008 12:59 pm
Location: North Richland Hills, Texas

Post by The Annoyed Man »

So lately, among the spam messages I've been getting is one with the subject line "Your ACH Transfer", purporting to come from "alerts@nacha.org."

For the record, "NACHA" is the Electronic Payments Association, and they have already issued a phishing alert about this here: http://nacha.org/news/newsDetail.cfm/Re ... NewsID/212.

Anyway, on a Mac, if you hover your cursor over the link, it will tell you the actual website address the link goes to, not the address you see in the text. So this was inviting me to "click here" to view some kind of report related to me. The link actually went to "http://ACH-XBLOG.INFO/" and so I decided to do some investigation.

First, I deliberately went to the website, and it tried to download an executable virus to my Mac. Fortunately, Macs aren't generally susceptible to this stuff (which is why I felt comfortable with doing this). Of course I refused the download.

Next, I did a "Who Is" search at Network Solutions to see who owns the domain and where it is hosted. Here are the results of that search. (I don't mind publishing the owner's information since it is A) public access at networksolutions.com, and B) he is a criminal!):
http://www.networksolutions.com/whois-s ... XBLOG.INFO
Domain ID:D37249388-LRMS
Domain Name:ACH-XBLOG.INFO
Created On:17-Mar-2011 10:36:00 UTC
Last Updated On:17-Mar-2011 10:36:01 UTC
Expiration Date:17-Mar-2012 10:36:00 UTC
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:CR78125735
Registrant Name:Michael rebelo
Registrant Organization:
Registrant Street1:2 academy dr
Registrant Street2:
Registrant Street3:
Registrant City:Cumberland
Registrant State/Province:Rhode Island
Registrant Postal Code:02864
Registrant Country:US
Registrant Phone:+1.4016634334
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:vorelxgwk3715@yahoo.com
Admin ID:CR78125737
Admin Name:Michael rebelo
Admin Organization:
Admin Street1:2 academy dr
Admin Street2:
Admin Street3:
Admin City:Cumberland
Admin State/Province:Rhode Island
Admin Postal Code:02864
Admin Country:US
Admin Phone:+1.4016634334
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:vorelxgwk3715@yahoo.com
Billing ID:CR78125738
Billing Name:Michael rebelo
Billing Organization:
Billing Street1:2 academy dr
Billing Street2:
Billing Street3:
Billing City:Cumberland
Billing State/Province:Rhode Island
Billing Postal Code:02864
Billing Country:US
Billing Phone:+1.4016634334
Billing Phone Ext.:
Billing FAX:
Billing FAX Ext.:
Billing Email:vorelxgwk3715@yahoo.com
Tech ID:CR78125736
Tech Name:Michael rebelo
Tech Organization:
Tech Street1:2 academy dr
Tech Street2:
Tech Street3:
Tech City:Cumberland
Tech State/Province:Rhode Island
Tech Postal Code:02864
Tech Country:US
Tech Phone:+1.4016634334
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:vorelxgwk3715@yahoo.com
Name Server:NS69.DOMAINCONTROL.COM
Name Server:NS70.DOMAINCONTROL.COM
OK, so now I know that his domain is registered and hosted at GoDaddy. So I give their 800 number a call, and navigate to their tech support and I get a guy in Arizona who's almost as mad about this as I am. He confirms that the website tries to infect the viewer's computer with a virus download. He has me forward a copy of the email to "abuse@godaddy.com" with a brief explanation. He immediately contacted their hosting department to scan the site and shut it down.

Presumably, the address information will be forwarded to the Rhode Island authorities, and Michael Rebelo will get a knock on his door a little later this morning.

...or not. You never know how these things get handled once they are out of your hands, but I do have the satisfaction of knowing that I got an Internet criminal's website shut down.
“Hard times create strong men. Strong men create good times. Good times create weak men. And, weak men create hard times.”

― G. Michael Hopf, "Those Who Remain"

#TINVOWOOT
flintknapper
Banned
Posts: 4962
Joined: Sat Dec 03, 2005 8:40 pm
Location: Deep East Texas

Re: Sometimes you get a little good done...

Post by flintknapper »

"Good on ya" TAM! :clapping:


Now....how do we solve my log-in problem here.
Spartans ask not how many, but where!
chasfm11
Senior Member
Posts: 4174
Joined: Thu Apr 15, 2010 4:01 pm
Location: Northern DFW

Re: Sometimes you get a little good done...

Post by chasfm11 »

Good work super-sleuth! I hope that the authorities take action against this guy but am a little doubtful that they will. I recognize that there are a lot of people like this perp out there and that many of them are offshore and pretty untouchable. Still, if you can get one or two off the streets or at least out of business for a while, it reduces the chances that someone who is far less tech savvy than you are will fall prey to a scheme like this. Who knows how many times he has been successful already.
6/23-8/13/10 -51 days to plastic
Dum Spiro, Spero
speedsix
Senior Member
Posts: 5608
Joined: Tue Jan 18, 2011 8:39 am

Re: Sometimes you get a little good done...

Post by speedsix »

...thanks for giving him some grief...I wouldn't know how to begin...sent my son an email yesterday and got a "reply" from some nekkid gal...wanting to play...asked my son and he hadn't even opened the email yet...how'd that happen??? also got an email from some soldier in Afghanistan who wanted my help in shipping a large amount of cash back home...for a fee, of course...if these jerks would put their imaginations to good use, they'd be millionaires...
RoyGBiv
Senior Member
Posts: 9607
Joined: Wed Jan 05, 2011 11:41 am
Location: Fort Worth

Re: Sometimes you get a little good done...

Post by RoyGBiv »

Before you go shooting anyone...
You should know that it MAY not be the site owner's fault..

Lots of web sites are hacked and taken over by criminals that are unrelated to the site owner... They insert their own code onto the site and... voila. An untraceable virus.

I had my personal site hacked in a similar manner last year, so, I'm speaking from experience. I didn't know I had a problem until I sent a friend a web page link and they told me they received a virus warning when they navigated to my page... I had to delete the entire web site and reload a saved copy that was clean.

Think about it..... If you were web-savvy enough to be a malicious hacker, wouldn't you know better than to put your real name, address and phone number on your Whois?
I am not a lawyer. This is NOT legal advice.!
Nothing tempers idealism quite like the cold bath of reality.... SQLGeek
e-bil
Member
Posts: 133
Joined: Sun Nov 07, 2010 8:23 pm

Re: Sometimes you get a little good done...

Post by e-bil »

Banner ad services are another place this happens on an innocent site. All the more reason to use ad blocking software...
RoyGBiv
Senior Member
Posts: 9607
Joined: Wed Jan 05, 2011 11:41 am
Location: Fort Worth

Re: Sometimes you get a little good done...

Post by RoyGBiv »

e-bil wrote: Banner ad services are another place this happens on an innocent site. All the more reason to use ad blocking software...
Good suggestion.... On FF I'm using...

Adblock Plus (blocks ads, uses a free blacklist, works GREAT)
Flashblock (block flash until you ask it to play. Safer and speeds things up considerably)
Beef Taco (sets permanent opt-out cookies to stop behavioral advertising networks)
cougartex
Senior Member
Posts: 1805
Joined: Fri Jan 01, 2010 3:01 pm
Location: Golden Triangle

Re: Sometimes you get a little good done...

Post by cougartex »

Good job. :clapping: :tiphat:
Cougars are shy, reclusive, and downright mysterious... :txflag:
cowboymd
Senior Member
Posts: 352
Joined: Sat Nov 01, 2008 8:25 am
Location: Grayson County

Re: Sometimes you get a little good done...

Post by cowboymd »

Great job TAM! :tiphat: If you google the address and look at the satellite view, seems this guy has a thing for pink vehicles. :shock:
TSRA Member
NRA Life Member
chasfm11
Senior Member
Posts: 4174
Joined: Thu Apr 15, 2010 4:01 pm
Location: Northern DFW

Re: Sometimes you get a little good done...

Post by chasfm11 »

RoyGBiv wrote: Before you go shooting anyone...
You should know that it MAY not be the site owner's fault..

Lots of web sites are hacked and taken over by criminals that are unrelated to the site owner... They insert their own code onto the site and... voila. An untraceable virus.

I had my personal site hacked in a similar manner last year, so, I'm speaking from experience. I didn't know I had a problem until I sent a friend a web page link and they told me they received a virus warning when they navigated to my page... I had to delete the entire web site and reload a saved copy that was clean.

Think about it..... If you were web-savvy enough to be a malicious hacker, wouldn't you know better than to put your real name, address and phone number on your Whois?
Not necessarily. Some folks forget small details in their lives of crime. I do agree with your point that this could be a hijacked website and that the poor guy who owns it could be in for a shock.
The Annoyed Man
Senior Member
Posts: 26885
Joined: Wed Jan 16, 2008 12:59 pm
Location: North Richland Hills, Texas

Re: Sometimes you get a little good done...

Post by The Annoyed Man »

RoyGBiv wrote: Think about it..... If you were web-savvy enough to be a malicious hacker, wouldn't you know better than to put your real name, address and phone number on your Whois?
Actually I've traced two other hackers like this, one to Great Britain, and another to Turkey. You're correct that most hackers try to cover their tracks. But once in a while you run into one whose arrogance is such that he is almost bragging about his "work." In this particular case, I am convinced that THIS hacker is real.

Think about it....
  1. He is phishing by spoofing the NACHA website
  2. The subject line is "Your ACH Transfer"
  3. The domain he is phishing from is ACH-XBLOG.INFO
This guy is a deliberate spammer, and I caught him, and I hope they grind his family jewels to dust.

More information about what ACH is: http://nacha.org/c/Intro2ACH.cfm
Last edited by The Annoyed Man on Thu Mar 17, 2011 12:13 pm, edited 2 times in total.
rmr1923
Senior Member
Posts: 410
Joined: Mon Jan 10, 2011 1:09 pm
Location: Katy, TX

Re: Sometimes you get a little good done...

Post by rmr1923 »

cowboymd wrote: Great job TAM! :tiphat: If you google the address and look at the satellite view, seems this guy has a thing for pink vehicles. :shock:
they could be red, but they sure do look pink :shock:

i was hoping street view would take me up to the house, but judging by the neighborhood, this guy probably isn't a very good scammer. either that or he does it for the heck of it and not to make money. street view showed a police car right around the corner, i should give him a call and see if he can stop by since he's in the area.

Edit: Does anyone know how often those google street and overhead shots are updated? i just looked up a place we used to live in Lubbock over 3 years ago and the street view still shows my old mustang in the driveway.
lonewolf
Senior Member
Posts: 1064
Joined: Wed Aug 12, 2009 6:40 pm
Location: Euless

Re: Sometimes you get a little good done...

Post by lonewolf »

Maybe it is........