KnujOn

KnujOn (nûj-ôn)


Discuss Knujon at CastleCops Become a Premium Member
Tech Security Feeds:
cnn| fox| msnbc| zdnet| bbc| gcn| reuters| theregister|
KnujOn Press| techworld| computerworld| securityblog.itproportal| castlecops| apwg| wp securityfix| spamhaus|
first| mcafee avert labs| bankinfosecurity| dhs| cnet| contrarisk| ddanchev.blogspot| ben edelman| jonathan zdziarski|
Knujon Archives: 2007| 2006| 2005|

This is archived news from 2005, for current news click here.


"Federal Credit Union" Scam

December 12, 2005
You may have received an email like this, in fact you may have received several.



While the message text only refer to a generic credit union, the headers are forged with ncua.gov or cuna.org. NCUA was the target of similar phishing attack in July.

The messages are virtually the same text except for the fake case ID, we have recorded 4:

CU1-818-214-242146
CU1-833-557-9888
FCU1-GX833-234-P4TYUN1
FCU1-813-214-242146


Why four fake codes? They are related to the sources of the messages. Each one seems to be coming from one of three IP addresses:

CU1-833-557-9888 or CU1-818-214-242146 = 66.165..
FCU1-GX133-234-P4TYUN1 = 209.190..
FCU1-813-214-242146 = 207.36..

The first string of messages linked to 210.72.224.26, a subnet in China. Later, the link changed to: http://www.tamin.org/.CREDIT-UNION/update.php. There is no content at this location but the site is still up. Tamin.org is registered to a company in Iran.

cuna.org recommends that you delete these messages, but KnujOn thinks that this is the wrong approach. You may send any of these messages to yourjunk@knujon.com.

More


Dissecting a Virus Attack

December 8, 2005
How do the ISPs rate in response to viruses attacks from their networks?

Surviving a Virus Attack

November 21, 2005
About Sober.

Updates

November 20, 2005

Beta participation in this project is already having an effect. 922 Shutdowns and suspensions are pending because emails forwarded by testers.

Two sites have recently been shutdown through efforts of the KnujOn project:

emsimages.net pushed various products through unsolicited emails and did not provide a way to unsubscribe.

nancenowyes.com advertised questionable loans and mortgages at impossible interest rates.

These are just two of the 1437 sites that are no longer sending junk mail thanks to people like you.


KnujOn has added space for more beta testers

November 10, 2005
Beta info.

KnujOn Presented at Northeast HTCIA Training

November 3 & 4, 2005
KnujOn was presented at the NE-HTCIA training.

Family postcard scam

October 26, 2005
Emails with the title: You have just received a virtual greeting from a family member! actaully link to a spyware/virus download run from a subnet at the Kent Institute of Art and Design in Kent, England.

Stock Spam

October 25, 2005
You may have noticed an increase in stock-related spam recently. A great site: spamstocktracker.com follows the value of the stocks pumped through junk mail. Big surprise, all of these stocks a losers. So far he has lost a hypothetical eight thousand dollars on spam stocks.

KnujOn To Be Presented at Northeast HTCIA Meeting

October 13, 2005
Computer Security Professionals and Law Enforcement are invited to an HTCIA meeting November 3 - 4, 2005 at Pace University in Manhattan. KnujOn will be one of the presentations.

Beta Test Applications

September 26, 2005
KnujOn is looking for beta testers. More information here.

KnujOn Presented at HTCIA Meeting

September 22, 2005
More information here.

Six Month KnujOn Alpha Testing Complete

September 1, 2005
Active testing began on March 1, 2005 and the results have meet and exceeded our expectations. With over 1000 shutdowns, 147 voluntary removals, 2963 administrators tracked, and 3507 domains tracked we are calling the alpha test an amazing success. However, this is only the beginning. Soon we will begin soliciting beta testers and expanding our network and the project scope.

KnujOn Shutdown Count Passes 1000

August 26, 2005
1000 Shutdowns and climbing. With more networks soon to join the effort the number can only grow faster.

Range of junk sites shutdown

August 9, 2005
bailieldnab.com, bbovercowia.com, cnyoungunba.com, dnbfbsqs.com, eeladd.com, narrjl.com, gemuleycn.com, ghtnsecn.com, rumbumbale.com, tnashbsv.com, turuntale.com as well as others were all junk mail sites run by "Alexandr Zhamelgo" of Moscow. They have all been shutdown or suspended by KnujOn.

Shutdown Count Exceeds 600

August 5, 2005
As the database grows, the program becomes more efficient resulting in more and more shutdowns.

oneclicksearches.com and psguard.com use Trojans to Hijack Browsers

August 4, 2005
oneclicksearches.com and psguard.com are using viruses to take over PC browsers. For more information and to find out what you can do, click here.

Site Uses Scripting to Mask Browser Address Bar

July 27, 2005
Phishing

Shutdown Count Exceeds 500 - July 25, 2005


Attempt to Obtain Bank of America Customer Information Blocked and Reported

July 18, 2005
Phishing

Unauthorized Use of TRUSTe Seals Reported by KnujOn

July 13, 2005
A "mortgage approval" email processed by KnujOn lead to a site with an unauthorized use of TRUSTe seals. tpbaj.com, a purported "American Financial Specialist" is actually located in Canada and has an TRUSTe seal on his site but is not a register TRUSTe member.



Ronald Hentington of Toronto also runs these sites with similar offers:
discount-financing.net
liberyteloan.com
lowest-rate-loans.net
perfered-loans.net

None of these sites are TRUSTe members. If you have an email or site with a questionable TRUSTe seal you may verify it here.


Emails with Hijacked Amazon.com Content Stopped and Reported

July 12, 2005
Phishing

KnujOn Stops and Reports More "PayPal" Forgeries

July 11, 2005
Phishing

Attempt to Obtain Bank of the West Customer Data Blocked by KnujOn

July 7, 2005
Phishing

Shutdown Count Exceeds 400

July 6, 2005
The shutdown/suspension count has passed 400 and will continue to grow at a faster rate.

Related Article: Hackers make way for criminals, experts say(Reuters)



Two More "PayPal" Scams Stopped Today

July 2, 2005
PayPal is under siege. Two different PayPal impersonators were revealed by KnujOn. One, in Arizona and another in Mexico. It is important to identify these scams quickly and report them before anyone falls victim.


Attempt to Obtain NCUA Customer Information Traced to Korean Site

July 1, 2005
KnujOn processed an email which used web content from the National Credit Union Administration(ncua.gov) requesting that customers login and update their accounts, but the "Click Here to Update You Account" link actually went to a site hosted in South Korea. The "log-in" page at the Korean site was also used hijacked web content from ncua.gov and requested personal credit card information. This incident has been reported. If you are an NCUA customer or you have received a suspicious email from verify@ncua.gov, do not reply to it or click the links. Go to ncua.gov/Phishing/phishing.htm to read about Phishing and report fraud.


Another PayPal Scam Traced to Egypt

June 29, 2005
PayPal seems to be a frequent target of phishing. One processed by KnujOn today was traced to the Egyptian Universities Network. The email was forwarded to PayPal administrators.


U.S. Refinance Specialist Actually in Brazil

June 28, 2005
KnujOn has processed several emails from greatrefi.com, savecashtoday.net, fastrefi.biz, and savenowtoday.com. All these sites claim to be operated by "Fast Refi Co." and offer rates as low as "2.9%"(typical rates are around 5%). We have been unable to locate any registered company or bank by the name "Fast Refi Co.", however all of the sites associated with this "institution" are run out of Brazil. It is unlikely that this is a real refinance offer, but actually an attempt to harvest personal information for unknown purposes. KnujOn has filed various reports about these sites.


Shutdown/Suspension Count Passes 300

June 27, 2005
As of June 27th the total number of unique sites shut down or suspended by KnujOn is 301.


Elaborate "PayPal" Scam Found by KnujOn

June 24, 2005
An email claiming to be from PayPal actually linked to "paypal-chk.com" a site not associated with PayPal but registered to a Werner Strijewski in Toronto, Canada (PayPal is based in San Jose, CA). This was reported to PayPal.


Fake Emails Sent to LaSalle Bank Customers Stopped by KnujOn

June 23, 2005
Phishing


Another Attempt to Obtain Paypal Customer Information Found by KnujOn

June 22, 2005
Phishing

Related article: ID data breaches: as rampant as it seems (money.cnn.com)


Possible Misuse of FDIC and BBB Seals Revealed by KnujOn

June 21, 2005
A "bank" has been sending emails promising $300,000 loans at 3.6%(typical interest these days is around 5%). A review of the site rsraoyh.com showed they claimed FDIC and BBBOnLine accreditation. KunjOn was unable to find certificates at either organization for rsraoyh.com. The owner of rsraoyh.com is actually located in Moscow, Russia.




All FDIC insured banks must have a certificate number. This site was reported to the FDIC and BBB by KnujOn. For more information on verifying FDIC seals and protecting your privacy, click here. To verify a BBB member, click here. To report BBB-related scams, click here.


Attempt to Obtain Ebay Customer Information Traced to Subnet at Tsinghua University in China

June 16, 2005
Phishing

KnujOn Shutdown Count Passes 200

June 14, 2005
Today the number of sites shut down or suspended is over 200. These are unique sites associated with junk mail and various Internet scams. The number is quite significant since it represents the results of a single network running KnujOn. Within a year the impact of KnujOn on this network on the Internet in general will be amazing. Beyond the shutdowns, KnujOn has also identified various attempts to obtain personal information for use in possibly illegal activity. Our goal in the coming months is to make KnujOn available for general use. For more information, please contact us.


KnujOn Builds Profile of Professed "Mortgage Refinance Specialist"

June 9, 2005
We have collected dozens of email samples like this one:



The linked websites are constantly changing, but they are all cleverly crafted, clean-looking sites. There are no phone numbers, names, addresses or even names of legitimate lending agencies, merely on-line forms asking for personal information.



The following sites are all connected to these questionable emails:

slmply.net, easi3r.com, ast0unds.com, f1nds.net, l3arn.net, bllls.net pr1m3time.com, pay-m3.net, m0n3y.net, fre3d0m.com, br3aks.com, easi3r.com

These sites are all owned by "David Learner" of London England who is identified by spamcop.net and toastedspam.com as a notorious junk mailer. It is doubtful that "David Learner" is associated with any banks or lending agencies in the United States even though his emails all claim to offer refinancing in all 50 states.




Russian Spammer Shutdown by One KnujOn Request

June 8, 2005
A spammer in Russia who claimed to sell licensed versions of Microsoft and Adobe software had his site (rrtop.com) terminated 1 hour after the hosting company was contacted by KnujOn. Shutdowns can often take days to complete, but this hosting company was instantly satisfied by KnujOn's reporting and presentation of the case.


Attempted Bank Fraud Exposed by KnujOn

June 7, 2005
Phishing

KnujOn Assists PayPal With Fighting Scams

June 6, 2005
Phishing

KunjOn Presented to HTCIA

May 26, 2005
KnujOn was presented to the High Technology Crime Investigation Association and produced considerable interest and debate. KnujOn and Cold Rain hope to continue to work with the HTCIA in the future.

Privacy Policy and Mission Statement
All Content at Knujon.com Copyrighted by KnujOn, LLC.
KnujOn and Coldrain are not responsible for content at external sites