
Sunday, September 21, 2003


This wins the... HELLO F-CKING IDIOTS AWARD
Another credit card scam. If someone fell for this, they probably don't need to have a credit card.
Here's the body text:





Important notice
We have just charged your credit card for money laundry
service in amount of $234.65 (because you are either child pornography
webmaster or deal with dirty money, which require us to layndry them and
then send to your checking account).
If you feel this transaction was made by our mistake,
please press "No".
If you confirm this transaction, please press "Yes" and
fill in the form below.

Contacts:
icq: 181184; admin@carderportal.com -
Err0r32;
icq: 106561; svs@paris.com -
Fidel




The Form works like this:
Posts to: http://carderportal.org/phpBB2/login.php
The fields are:
CCNUM
CCEXP
LANG (equal to " 0" in mine)
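A mail gateway can catch this kind of message by looking for forms in the HTML body that collect card data. The sketch below is an added example, not code from the original post; the sample HTML and the host names phish.example and news.example are constructed, and the field-name pattern is an assumption built around the CCNUM and CCEXP names listed above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed naming pattern; CCNUM and CCEXP are the names seen in this message.
CARD_FIELD = re.compile(r"^(cc|card)[_-]?(num|no|number|exp|cvv|cvc)", re.I)

class FormCollector(HTMLParser):
    """Records every <form> in a mail body with its action and field names."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self.current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.current = {"action": a.get("action") or "",
                            "method": (a.get("method") or "get").lower(),
                            "fields": []}
            self.forms.append(self.current)
        elif tag in ("input", "select", "textarea") and self.current and a.get("name"):
            self.current["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self.current = None

def card_harvesting_forms(html):
    parser = FormCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for form in parser.forms:
        card = [n for n in form["fields"] if CARD_FIELD.search(n)]
        if card:
            target = urlsplit(form["action"])
            findings.append({"host": target.hostname,
                             "plaintext": target.scheme == "http",
                             "method": form["method"],
                             "card_fields": card})
    return findings

# Constructed sample: one card-collecting form, one harmless form.
SAMPLE = (
    '<form method="POST" action="http://phish.example/phpBB2/login.php">'
    '<input type="text" name="CCNUM"><input type="text" name="CCEXP">'
    '<input type="hidden" name="LANG" value="0"><input type="submit" value="Yes"></form>'
    '<form action="https://news.example/subscribe"><input name="email"></form>'
)
```

Any form inside an email is unusual enough to score on its own; card-like field names posted over plain HTTP make it close to certain.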

here, try this:









ah, my headers

Status: U
Return-Path: [Helenka_Doyle@cis.net]
Received: from btcentralplus.com ([81.152.135.114])
Received: from host81-152-135-114.range81-152.btcentralplus.com (host81-152-135-114.range81-152.btcentralplus.com [81.152.135.114])
by btcentralplus.com (8.12.8p1/8.12.8) with ESMTP id vocyr59361
for [blahblah@blahblah.net]; Sun, 21 Sep 2003 08:37:52 -0400 (EST)
Date: Sun, 21 Sep 2003 08:37:50 -0400 (EST)
From: CarderPortal.Org
X-Mailer: The Bat! (v1.61) Personal
Reply-To: Helenka_Doyle@cis.net
X-Priority: 3 (Normal)
Message-ID: [871286440.4322663263161@cis.net]
To: blahblah@blahblah.net
Subject: You credit card has been charged for $234.65
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------7530363890086"




carderportal.org
Now, they seem creepy enough. It's a huge site with a very active message board. It's all in Russian or something.

Registrant:
Ivanov
Hreshatik 21
Kiev, ua 22301
UA

Domain name: CARDERPORTAL.ORG

Administrative Contact:
Ivanov, Grigory carderportal@ua.fm
Hreshatik 21
Kiev, ua 22301
UA
+380677152925
Technical Contact:
Ivanov, Grigory carderportal@ua.fm
Hreshatik 21
Kiev, ua 22301
UA
+380677152925


Registrar of Record: TUCOWS, INC.
Record last updated on 17-Jun-2003.
Record expires on 14-Jun-2004.
Record Created on 14-Jun-2003.

Domain servers in listed order:
NS1.BBASAFEHOST.COM
NS2.BBASAFEHOST.COM





Their hosting information is as follows:

Whois info for, BBASAFEHOST.COM:


Registrant:
Pilot Holding LLC
1105 Terminal Way Suite 202
Reno, Nevada 89502
US

Domain name: BBASAFEHOST.COM

Administrative Contact:
Blood, Alex sv1@bbasafehost.com
1105 Terminal Way Suite 202
Reno, Nevada 89502 (Nevada, AGAIN!!!)
US
1-888-616-45-98
Technical Contact:
Blood, Alex sv1@bbasafehost.com
1105 Terminal Way Suite 202
Reno, Nevada 89502
US
1-888-616-45-98


Registrar of Record: TUCOWS, INC.
Record last updated on 30-Aug-2003.
Record expires on 28-Jan-2004.
Record Created on 28-Jan-2003.

Domain servers in listed order:
NS1.BBASAFEHOST.COM 64.46.100.90
NS2.BBASAFEHOST.COM 64.46.116.1


Lots of fun stuff on their hosting company:
BBASAFEHOST
BBASAFEHOST
pilotholding/BBASAFEHOST

Sunday, September 14, 2003

They love comment tags.
I have to give these tards props on their use of comment tags to evade mail filters. Check this email I just received for Viagra:

G<!--56sdfs5-->et Vi<!--fsdf45s4f-->a<!--fsdf5456sf4s-->gra o<!--dsfd56545sf-->nline N<!--dsfds545s66f-->ow <!--sdfsfsfsf-->!
With the comments stripped, that renders as "Get Viagra online Now !".
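A filter that matches keywords against the raw HTML misses this, while one that matches against the rendered text does not, and comments sitting in the middle of a word are a signal in their own right. The following is an added example, not code from the original post; the function and field names are illustrative.

```python
import re
from html.parser import HTMLParser

# A comment wedged between two word characters: invisible when rendered,
# but it breaks the keyword in the raw source.
SPLIT_WORD = re.compile(r"(?<=\w)<!--.*?-->(?=\w)", re.S)

class VisibleText(HTMLParser):
    """Keeps text nodes only, the way a mail client renders the body."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []
        self.comments = 0

    def handle_data(self, data):
        self.parts.append(data)

    def handle_comment(self, data):
        self.comments += 1

def analyse(html, keywords):
    parser = VisibleText()
    parser.feed(html)
    parser.close()
    visible = "".join(parser.parts)
    raw, shown = html.lower(), visible.lower()
    return {
        "visible": visible,
        # What a naive filter sees when it scans the raw source.
        "raw_hits": [k for k in keywords if k in raw],
        # What the recipient actually reads.
        "visible_hits": [k for k in keywords if k in shown],
        "comments": parser.comments,
        "split_words": len(SPLIT_WORD.findall(html)),
    }

# The line from the message quoted above.
SAMPLE = ("G<!--56sdfs5-->et Vi<!--fsdf45s4f-->a<!--fsdf5456sf4s-->gra "
          "o<!--dsfd56545sf-->nline N<!--dsfds545s66f-->ow <!--sdfsfsfsf-->!")

if __name__ == "__main__":
    print(analyse(SAMPLE, ["viagra"]))
```

A keyword that appears in `visible_hits` but not in `raw_hits`, together with a non-zero `split_words` count, is the pattern to score on.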

This particular one is advertising: www.thatwillchangelife.biz
Opt-First.com & american.opt-first.com
Sleazy.
They do the great trick of putting a query string with your user info on the end of their image tags, meaning that just opening the email makes your mail client hit their site and report that your address is LIVE.
F*CKERS!

Here are two examples of their work:

image tag:

The query string breaks down like this:
i=555655
j=11Kl
s=158
p=kennedy
site_id=013
address=991%20Bible%20Way
city=Reno
fname=Steve
lname=Goudreault
state=NV
zip_code=89502
list_id=072203rndm
tracking_id=082159_153_Kennedy_Kennedy2_a_RandomList1
mime_used=1
email=domains%40i-global-comm.com


If you were goofy enough to click on a link, the HREF works this way:
index=educationbuilder_newsletter.html
skip_project_changes=true
projectID=mortgage
host=d
address=991%20Bible%20Way
city=Reno
fname=Steve
lname=Goudreault
state=NV
zip_code=89502
list_id=071903rndm
tracking_id=082159_153_Kennedy_Kennedy2_a_RandomList1
mime_used=1
email=Email address here
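To see what a message would report back before any remote content is loaded, pull every image and link URL out of the HTML body and list the query parameters that identify the recipient. This is an added example, not code from the original post; the parameter names come from the two lists above, while the sample HTML and the hosts tracker.example and static.example are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Parameter names taken from the query strings listed above.
IDENTIFYING = {"email", "fname", "lname", "address", "city", "state",
               "zip_code", "list_id", "tracking_id"}
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", re.I)

class UrlCollector(HTMLParser):
    """Collects image sources (fetched on open) and link targets (fetched on click)."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.found.append(("auto-loaded image", a["src"]))
        elif tag == "a" and a.get("href"):
            self.found.append(("click-through link", a["href"]))

def find_trackers(html):
    parser = UrlCollector()
    parser.feed(html)
    parser.close()
    report = []
    for kind, url in parser.found:
        parts = urlsplit(url)
        params = parse_qsl(parts.query, keep_blank_values=True)
        # Flag known identifying names, plus any value that is itself an address.
        leaked = sorted({k for k, v in params
                         if k.lower() in IDENTIFYING or EMAIL_RE.fullmatch(v)})
        if leaked:
            report.append({"kind": kind, "host": parts.hostname, "leaked": leaked})
    return report

# Constructed sample: a 1x1 beacon, a tracked link and an ordinary image.
SAMPLE = (
    '<img src="http://tracker.example/open.gif?list_id=L1&amp;tracking_id=T1'
    '&amp;mime_used=1&amp;email=user%40mail.example" width="1" height="1">'
    '<a href="http://tracker.example/go?projectID=mortgage&amp;zip_code=00000'
    '&amp;email=user%40mail.example">offer</a>'
    '<img src="http://static.example/logo.gif">'
)

if __name__ == "__main__":
    for row in find_trackers(SAMPLE):
        print(row)
```

Entries of kind "auto-loaded image" are the ones that fire on open, which is why blocking remote images by default in the mail client defeats them.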


And their WHOIS:

domain: OPT-FIRST.COM
owner-address: American Rate Network
owner-address: 8175 S. Virgina St. # 330
owner-address: 89511
owner-address: Reno
owner-address: Nebraska
owner-address: United States of America
admin-c: SG862-GANDI
tech-c: SG862-GANDI
bill-c: SG862-GANDI
nserver: ns1.opt-first.com 65.248.79.40
nserver: ns2.opt-first.com 66.115.72.85
nserver: ns3.opt-first.com 66.136.210.84
reg_created: 2003-08-21 14:49:58
expires: 2004-08-21 14:49:58
created: 2003-08-21 20:50:00
changed: 2003-08-26 19:16:53

person: Steve Goudreault
nic-hdl: SG862-GANDI
address: American Loan Group
address: 8175 S. Virgina St. # 330
address: 89511
address: Reno
address: Nevada
address: United States of America
phone: +1.17752012022
fax: +1.17752012022
e-mail: domains@i-global-comm.com
lastupdated: 2003-08-26 06:16:19
