December 29, 2004
The Phony Charity Scam
The recent powerful earthquakes and deadly tsunamis in South Asia have killed over 70,000 people. I'm sure this devastating event tugs at your heartstrings and results in many folks sending donations to their favorite charity. Unfortunately, Spammers are already planning to exploit this event and, worst of all, phony charities will proliferate.
Perform your due diligence before you contribute to a charity
Don't read the Spam. Determining which charity is legitimate is a little harder. Your goal is to find a reputable charity which donates nearly all the money collected to your given cause. As a round number, about 92 cents out of every dollar collected should actually go to the cause. We have some tips to help you:
1. Don't talk to any charity which calls you on the phone. These boiler room operations are a huge red flag. Just hang up.
2. Check the name of the charity very carefully. The fraudsters will often use similar names. For example, Kids Wish USA was a scam. "Michael Manzer was sent to prison for mail fraud and money laundering. This charity promised to grant the wishes of terminally ill children yet it did not grant even one wish, according to federal prosecutor Mike Snipes." Source: Charity Watch. Notice the similarity to the legitimate charity named "Make a Wish Foundation".
3. Check the record of the charity with their local Better Business Bureau.
4. Ask the charity to send you printed material via US mail. If the material does not contain details on exactly how the money is used and the percent of donations which actually reach the given cause, do not contribute.
5. Ask the charity for annual financial statements and proof of their IRS 501(c) non-profit status. This is generally granted via an "award letter" from the IRS.
6. Avoid all charities that use a "pitch" filled with a significant amount of emotional words and/or images.
7. Setting up a phony charity is pretty easy. Check the rating of the charity with Charity Watch before you contribute.
Posted by Steve_S
December 28, 2004
Spam: A look at 2004
The Federal legislation titled "CAN-SPAM" is a resounding failure. AOL claims about a 75% reduction in Spam complaints through November 2004, but we think that number includes some marketing spin which inflates it, and we see no evidence of any reduction in Spam for the greater Internet population. We do see plenty of evidence that Spammers will continue to use Spyware to infect systems and turn them into "zombies", sending millions of Spam emails every day.
The failure of CAN-SPAM
CAN-SPAM was destined for failure, and after almost one year we have seen very few lawsuits and jail sentences.
"One of the provisions of CAN SPAM directed the FTC to consider implementing a do-not-spam list similar to the popular do-not-call list they maintain. The FTC diligently investigated the possibilities, and interviewed dozens of knowledgeable people including several CAUCE board members. They concluded that a do-not-spam list at this point would be unenforceable for a variety of reasons, notably that it's so easy to fake the source of e-mail that it would be very difficult to identify and go after violators." Source: CAUCE
The FTC is the federal agency responsible for enforcing the provisions of the CAN-SPAM law, and they really don't seem to be very aggressive and/or interested. Let's be clear: the USA delivers about 42% of the Internet's Spam. You won't significantly reduce Spam until you place the enforcement authority in the hands of the States and let consumers sue Spammers and the advertisers who use Spam.
Spammers and the law
On the legal side of the issue, we do like the action which AOL took against Spam King Jeremy Jaynes, also known as Gavin Stubberfield. He was prosecuted not under CAN SPAM but under an older Virginia state law that makes it illegal to send unsolicited bulk e-mail with falsified routing information. Although Jaynes lives in North Carolina, the target of much of his spam was AOL, so the trial took place in Leesburg VA, the seat of the county where AOL is located. The jury found Jaynes guilty and sentenced him to nine years.
While this is a great first step, we need dozens of lawsuits and jail time for Spammers in a given 12 month period. AOL should not be the only Company engaged in these lawsuits. We would hope that deep pocketed companies like Microsoft, Yahoo, Earthlink, Google, and major hosts would sue dozens of Spammers every year. Some may be reluctant to do this because they are developing their own "authentication" system which they hope will become a standard. We are not very optimistic about the evolution of a standard and would always prefer to let consumers sue Advertisers who use Spam.
Let's repeat that just in case you missed it. Spammers can hide under rocks and seek offshore havens, while the Advertisers who use Spam are generally a much easier target for a lawsuit. Many are well known companies and easy for the consumer to sue and obtain a money judgment in Small Claims court.
Webmasters and Spam
We are continually dismayed by Webmasters who actually read Spam email and take the bait. Certainly, many of these folks are cheaters looking for a brand new Affiliate program to rob but many aren't. Don't read Spam. Don't support or join any affiliate program which uses Spam. We have never seen an Affiliate Network prosper long term who uses Spam.
Spyware and Spam
As more ISPs develop strong anti-Spam filters like AOL, we expect Spammers to increase the use of Spyware/Adware to infect your computer and turn it into a "zombie" which sends out millions of Spam Emails. This condition is also the result of more folks using broadband Net access which often results in Computers running 24/7. Some of the Spammers plan to set up more ecommerce sites, escrow companies, affiliate programs, and hosting companies. This fertile ground will produce even more infections and more Spam.
Spammers Love Blogs
Most of the major Forum scripts contain a robust set of tools to control abuse and lower Spam to an acceptable level. The same can not be said for Blogs, and that means all Blog scripts and services! Spammers have found an easy mark with Comment Spam and trackback Spam in Blogs: thousands per day in a given Blog. Blogs have rudimentary controls at best, and all the plug-ins in the world pale in comparison to the Spam control available in Forum scripts like vBulletin.
Posted by Steve_S
December 21, 2004
Identity Theft: Review your Credit Reports on a regular basis
Reviewing your Credit Reports on a regular basis is a critical step in catching criminals who have stolen your credit via Identity Theft and also ensures that the data is accurate. A recently enacted US federal law provides you with a Free report every 12 months from the major reporting agencies (Equifax, Experian and TransUnion).
Visit www.AnnualCreditReport.com for your Free Credit Report. The United States is divided into 4 regions with effective launch dates for each. The Western states are already open for your Free Report. You will need to copy and paste this URL into your browser since this site prevents nearly every other web site on the face of the planet from linking to it. Are they trying to keep it a secret and reduce costs? At a minimum, this action is deplorable. If you try a link from your site to theirs you will see this:
"For security purposes, www.AnnualCreditReport.com can be accessed by typing the web address "www.annualcreditreport.com", or from links from the Federal Trade Commission (www.ftc.gov), Equifax (www.equifax.com), Experian (www.experian.com) and TransUnion (www.transunion.com) websites.
AnnualCreditReport.com is the only web source authorized by all three nationwide consumer credit reporting companies from which free annual credit file disclosures can be requested."
This site is the result of the US Federal Law, so you can rest assured that it's not only safe/secure but legitimate. We suggest you mark your calendar for the date you wish to retrieve your reports and do this every 12 months.
Print and then carefully review your Credit Reports for accuracy. If you find data that is not accurate, you have the right to dispute these entries by contacting each of the major Credit Reporting agencies. You need to contact all 3, since some lenders may only use one of them. Fortunately, they all have Web sites:
Equifax - www.equifax.com
Experian - www.experian.com
TransUnion - www.transunion.com
Each agency has a slightly different procedure and form for disputing your Credit Report. We suggest that you save all your correspondence and send the dispute forms via Certified Mail. The Internet is full of companies that claim they can improve your credit report for a fee. HA! No thank you. Read this:
"The Federal Trade Commission (FTC) cautions consumers to be wary of companies that make claims regarding credit repair. These companies, commonly called credit clinics, don't do anything for consumers that consumers cannot do for themselves at little or no cost. Beware of any organization that offers to create a new identity and credit file for you. The FTC and state attorneys general have filed actions against those who pursue these fraudulent practices. Here are some warning signs that the FTC and others say consumers should look out for to determine if they might be dealing with a credit clinic:" Click here to read more.
Posted by Steve_S
December 14, 2004
I just stole your domain name. It was easy!
Every month thousands of domain names are stolen. Often, these are developed sites which represent years of work. The criminals who do this can often be hired by anyone, and returning the domain name to the real owner can take weeks. Learn how these criminals work and what you can do to prevent this.
A flawed architecture
Domain name data is held in a huge database which is called Whois. Any criminal can view these records since they are essentially "public record". For example, click here to see the Whois records for Yahoo.com. A given domain name is registered/leased via an approved Registrar. There are currently dozens of Accredited Registrars, all of whom are regulated by ICANN (Internet Corporation For Assigned Names and Numbers). All of this means that if you want a domain name which is not already taken, you start with an Accredited Registrar like godaddy.com or 000domains.com, create your account, and pay your annual fee.
There are several major flaws in the ICANN rules which an Accredited Registrar must follow:
1. Only a single email address may be used for the Admin. If you lose control of this email address or a criminal gains control of it, your domain will be stolen.
2. None of the Whois data is verified by the Registrar. This permits fraudsters to hide behind false data.
3. If a domain name is not already registered, anyone can register it, even if the domain name clearly encroaches on the Intellectual Property rights of others. For example, you could register a typo like gooogle.com (note the three o's).
4. There is no provision to require a FAX and a signature to register and/or change the Whois records for a given domain name.
5. Legal action against the criminals who steal domain names rarely occurs.
All of these shortcomings provide fertile ground for criminals.
Every day, criminals are looking at millions of Whois records for likely targets. They use automated tools to scan millions of records. In some cases, Whois records are sold on the "black market" to other criminals. What are they looking for? In some cases, they are looking for expired domain names which they can legally register. This hunt for expired domain names is perfectly legal. In other cases, they are looking for properly registered domain names which have not expired but use a free email provider like hotmail.com or gmail.com for the email address of record. The majority of theft occurs with these free email addresses. Next, they point their "hacker/crack" tools at your free email account and retrieve your user name and password. In other cases, they use these tools on the registrar's site to break into your account. These criminals have a list of Registrars which are easier to break into and thus they target them.
After they break into your account, they change the DNS/Name Server records for your domain to their own hosting account along with the other Whois data. In a few hours your domain disappears and the criminal owns it on a new server. Sometimes they even transfer the stolen domain name to a new registrar to cover their tracks. You wake up, navigate to your site and see a different site. Then you check the Whois database and see what has happened.
What you must do to prevent theft
1. DO NOT use a free email provider for your email address of record for your domain name. Even if a Company like Yahoo offers a paid version, DO NOT use it. Companies which provide free email are not reliable, have slow support, thousands of times a day criminals are trying to break in with new tools, and many of these Companies can and have gone out of business.
2. ONLY use a POP email account hooked up to your domain for your Whois email address of record. Prepay this domain name's registration for at least 5 years. Use a long alphanumeric password for this email account. This password should be changed at least every 6 months and should never contain real words. An example: xVVs492nM177qrt27. We also suggest that you set up forwarding for this email address to at least 2 other email addresses to ensure you don't miss a renewal notice. Ensure that all your email addresses have adequate storage limits enabled. We suggest at least 100 megs, and pick up your email on a regular basis.
3. When you create your account with your Registrar please follow the same rules for a password and email address from Item 2. Also, choose a hard to hack user name with your Registrar which is also Alpha/Numeric.
4. Lock all your domains with your Registrar. Prepay your domain name registration fee for at least 5 years.
5. Record this data on paper and leave this document in a secure place in case you die so that others can follow the trail.
6. Ensure that your user name and password are NOT used anywhere else. For example, if you are using the same data for your PayPal account and your domain name's Registrar, all I need to do is break into one account, which then permits me to use the same data on your other accounts.
7. NEVER divulge your user name and/or password in an email or by clicking a link in an email which appears to come from your Registrar. Type the domain name into your browser.
8. In some cases, you may wish to pay an extra fee for a private domain name record. This means that your data will not appear in the Whois database. Only the name and data of your Registrar will appear. This solution is not for everyone. If you sell a product or service, a "proxy/private" Whois record is always a red flag, indicating that the real owner is hiding and thus this may impact your sales. Also, a number of Affiliate Networks will either reject you or require extensive documentation to support your actual address and other data.
9. Ensure that all your Whois data is 100% accurate and keep it current. A "fraudulent" Whois record is unlikely to fool most people and actually violates ICANN rules.
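The checklist above can be turned into a routine audit. The following script is an added example, not part of the original post or any registrar's tooling: it parses a constructed WHOIS-style record (the "Key: value" layout and the field names are assumptions; real registrars vary), flags the conditions items 1, 2 and 4 warn about (free-mail address of record, contact address not on the domain itself, no registrar lock, registration close to expiry), and generates the kind of long alphanumeric password item 2 recommends. The EPP status string clientTransferProhibited is used as the marker for a locked domain.

```python
import re
import secrets
import string
from datetime import date, timedelta

# Free-mail providers the post names as the usual point of compromise
# (hotmail.com and gmail.com from the text, yahoo.com from item 1).
FREE_MAIL_PROVIDERS = {"hotmail.com", "gmail.com", "yahoo.com"}

# Constructed sample WHOIS record (not a real domain or registrar output).
SAMPLE_WHOIS = """\
Domain Name: example-store.com
Registrar: Example Registrar Inc.
Status: ok
Expiration Date: 2005-02-15
Admin Email: webmaster2004@hotmail.com
Name Server: ns1.example-host.net
"""


def parse_whois(text):
    """Turn 'Key: value' lines into a dict of lowercased key -> list of values."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z ]+?):\s*(.+?)\s*$", line)
        if m:
            record.setdefault(m.group(1).strip().lower(), []).append(m.group(2))
    return record


def audit_whois(record, today_iso, renewal_warning_days=90):
    """Return findings for the record, judged against the post's checklist."""
    today = date.fromisoformat(today_iso)
    findings = []
    domain = record.get("domain name", [""])[0].lower()
    admin_email = record.get("admin email", [""])[0].lower()
    email_domain = admin_email.rsplit("@", 1)[-1] if "@" in admin_email else ""

    # Item 1: a free-mail address of record is the main theft path described.
    if email_domain in FREE_MAIL_PROVIDERS:
        findings.append(f"admin contact uses free-mail provider {email_domain}")
    # Item 2: the address of record should live on a domain you control.
    elif email_domain and email_domain != domain:
        findings.append(f"admin contact {email_domain} is not on the domain itself")

    # Item 4: registrar lock. clientTransferProhibited is the EPP status a
    # locked domain shows (assumed spelling in this WHOIS layout).
    statuses = {s.lower() for s in record.get("status", [])}
    if "clienttransferprohibited" not in statuses:
        findings.append("domain is not locked at the registrar")

    # Items 2 and 4: prepay for years; flag an expiry inside the warning window.
    expiry_text = record.get("expiration date", [""])[0]
    if expiry_text:
        expiry = date.fromisoformat(expiry_text)
        if expiry - today <= timedelta(days=renewal_warning_days):
            findings.append(f"registration expires {expiry.isoformat()}")
    return findings


def audit_whois_text(text, today_iso):
    """Convenience wrapper: parse raw WHOIS text and audit it."""
    return audit_whois(parse_whois(text), today_iso)


def generate_password(length=17):
    """Random alphanumeric password with no dictionary words, per item 2."""
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Require both letters and digits so a run of one class is rejected.
        if any(c.isdigit() for c in candidate) and any(c.isalpha() for c in candidate):
            return candidate


if __name__ == "__main__":
    for finding in audit_whois_text(SAMPLE_WHOIS, "2004-12-14"):
        print("FINDING:", finding)
    print("suggested registrar password:", generate_password())
```

Running it against the sample record reports all three weaknesses; a record with a locked status, an address of record on the domain itself and a multi-year expiry produces no findings.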
They stole my domain name. What do I do?
If you think the criminals hacked into your Registrar's account, you need to contact your Registrar immediately, provide all the facts and work with them. We suggest you send them an email, FAX, and call them. All 3, just to make sure. Most Registrars are well equipped to handle these kinds of cases BUT it will take time and they will need proof. Click here to see the guidelines.
If you think that the criminals hacked into your email account of record in the Whois database and used this account to change your Whois data via your Registrar, you are going to endure more pain. It could take days or weeks for your free email provider to respond. We suggest you contact both your Registrar and your email provider.
ONLY your Registrar can return the stolen domain to you. Your current host and/or the new host of the stolen domain name can not and will not return ownership of the domain name to you. We strongly suggest that you NOT contact the new host of the stolen domain. There is nothing to gain and you run the risk that they are involved in the crime. Expect to wait at least 2 weeks or longer for the return of your domain. We also suggest that in this case you change ALL your other passwords and user names with other sites and/or services.
Additional resources
Intellectual Property disputes for domain names (NOT stolen domain names) are resolved via WIPO (World Intellectual Property Organization). For example, view this case in a new window in which Google.com prevailed and the domain Registration for the four domain names was returned to Google. These procedures normally take about 4 months.
Posted by Steve_S
December 12, 2004
Identity Theft: Phishers think you're an easy target and some of you are!
The use of phony/forged emails and/or web sites to gather your personal financial data such as your credit card numbers, account usernames and passwords, social security numbers, and other personal data is increasing at an alarming rate. And it's going to get much worse before it gets better. Learn how to prevent this.
The emails typically contain a request for your personal financial data and a link to visit Ebay, numerous banks, PayPal, brokerage accounts, and other financial firms. They often look very legitimate and so does the web site. Click here to see a more detailed list of the various types of Phishing attacks. Unfortunately, many folks submit this data to the fraudulent web site and then the criminals steal their identity. They use this data to purchase goods and/or services with your Credit Card, obtain birth certificates, obtain social security numbers, obtain driver's licenses, and other damaging techniques.
How do you avoid this trap?
It's very simple, NEVER respond to these emails. NEVER click on a link inside one of these emails. Ignore them and send them to the trash.
Additional precautions:
If you are visiting a site, we suggest you type the URL into your browser and then bookmark the site. We never release our personal financial information to any party who calls us on the phone. If we think the request is valid, we will use the phone number from our records to call the party back. We don't do business with any firm that requests this kind of data via email and/or the phone.
If you have the time, we suggest you report these Phishing attacks to the Anti-Phishing Working Group. What do you do if you have given out your personal financial information? Visit this page for outstanding advice. Unfortunately, our undercover research indicates that Phishing attacks will continue to increase and the criminals will use new techniques to fool you. Expect to see fraudulent ecommerce sites, fraudulent escrow companies, downloads that grab your data, criminals advertising in major Search Engines, and using the US mail to request your data.
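The advice to never click a link in one of these emails rests on the fact that the link's visible text and its real destination need not agree. The script below is an added example, not code from the original post or from any anti-phishing product: it parses a constructed HTML email with the standard library, pairs every link's displayed text with its actual href, and flags links whose destination is a bare IP address or whose displayed host does not match the host the link really goes to. The sample message, the hostnames in it and the two-label approximation of a "registrable domain" are all assumptions made for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of the "confirm your details" message the post describes.
# Hosts and addresses are fictitious (documentation ranges and .example).
SAMPLE_EMAIL = """\
<p>Dear customer, your account will be suspended unless you confirm your details.</p>
<p>Sign in at <a href="http://192.0.2.10/ebay/signin">http://www.ebay.com/signin</a></p>
<p>Questions? Visit <a href="http://www.example-bank.com.account-verify.example/login">www.example-bank.com</a></p>
<p>Our real help page: <a href="https://www.example-bank.com/help">www.example-bank.com/help</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from anchor tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercased hostname of a URL; bare 'www.x.com/...' text gets a scheme first."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable(host):
    """Last two labels as a crude registrable-domain approximation (no public-suffix list)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def find_suspicious_links(html_text):
    """Return [(href, [reasons])] for links whose shown and real destinations disagree."""
    collector = LinkCollector()
    collector.feed(html_text)
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        reasons = []
        # A financial site does not send you to a raw IP address.
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", target):
            reasons.append("link points at a bare IP address")
        # Only compare when the visible text itself looks like a URL or host.
        shown = host_of(text) if re.match(r"^(https?://|www\.)", text) else ""
        if shown and registrable(shown) != registrable(target):
            reasons.append(f"text shows {shown} but link goes to {target}")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in find_suspicious_links(SAMPLE_EMAIL):
        print(href, "->", "; ".join(reasons))
```

On the sample message the first two links are reported (raw IP destination, and a lookalike host that merely begins with the bank's name) while the genuine help link passes. Note that the second case is exactly why looking at the start of a hostname is not enough: only the labels at the end decide who owns it.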
Posted by Steve_S
December 07, 2004
Till death do us part: Gator's new license agreement
I've read numerous licensing agreements but the new Gator EULA (End User License Agreement) certainly contains some unusual terms and conditions. I'm not an attorney and don't propose to present legal advice but I certainly have some questions about this document.
This post was inspired by the outstanding research done by Benjamin Edelman in his new article titled Gator's EULA Gone Bad. I've pulled a few key points from this article with my own questions and or thoughts:
1. Prohibition against automated removal tools
Nearly three thousand words into its license, Gator proclaims:
"You agree that you will not use, or encourage others to use, any unauthorized means for the removal of the GAIN AdServer, or any GAIN-Supported Software from a computer."
Gator proceeds to list the "authorized means" for removing Gator -- prominently failing to authorize use of popular tools, such as Ad-Aware, Spybot, and Web Sweeper, which millions of users count on to remove unwanted software from their PCs.
My thoughts: Gator can certainly insert any terms and/or conditions they wish in their EULA. After all, they are giving away free software to millions of people. However, it's my computer and I think I have the right to use any legally licensed software I wish. Is this restraint of fair trade?
2. You can't use a packet sniffer
The EULA also says: "Any use of a packet sniffer or other device to intercept or access communications between GP and the GAIN AdServer is strictly prohibited."
My thoughts: Why is this clause necessary? It seems to me that if you conduct yourself in a moral and ethical manner you shouldn't be concerned about what a given packet sniffer may discover. You should embrace third party research on your application and exactly what it does.
It will certainly be interesting to see how the new Gator EULA is treated by the courts, if and when this occurs. Benjamin Edelman has much more data and insightful comments in his article titled: Gator's EULA Gone Bad.
Posted by Steve_S
December 04, 2004
Your computer is infected with Spyware aka Adware. The fix.
Millions of Computers are infected with Spyware, which is also known as Adware. It's the single greatest problem facing the Internet, perpetuated by "quick buck" companies and Webmasters. You would be wise to consider surfing the Internet a very dangerous procedure, and you must take the necessary precautions to prevent the infection of your Windows computer. If you are unwilling to take these precautions, I suggest you unplug and take a long walk on the beach.
The tender traps. Let me infect you!
It's free so I download it. Let me scan your system. Surf to my site and I can't wait to infect your system. These ploys and others often infect your system with Spyware/Adware. The results can be scary or in many cases render your system unusable. These programs may open your CD drive, change your Browsers start page, splatter pop ups as you surf, send your confidential data back to the infectors website, steal your passwords, steal your credit card data, and hijack your surfing habits so you are redirected to another site you never wished to visit. Can't I just uninstall these programs? In many cases you can't using the Windows Add/Remove Control Panel. The morally and ethically reprehensible folks who create and distribute Spyware/Adware have made sure of this.
Tools of the trade to prevent infection and or clean your system. Use both!
Spybot - Search & Destroy - A free Windows application to scan for spyware, adware, hijackers and other malicious software. Download and install the latest version. Next, run the Search for Updates to insure you have the latest data. Finally scan and clean your system. Don't forget to make a voluntary donation which insures that this valuable application will stay around and continue to be improved.
Ad-Aware SE Plus - This is not the free version. This version costs $26.95 and is worth every penny. One of its major features is the ability to write protect system files. This prevents the infectors from altering your Registry file, which is the major point of entry for all the Spyware/Adware applications. Purchase and download the latest version. Next run the check for updates and finally scan your system.
I have used both applications for years and they work. I suggest you use both since Spybot, which is Free, may catch an infection that Ad-Aware SE Plus misses and vice versa. Keep your updates current and scan your system on a regular basis. Ensure that you also run the Windows Update via your Start Menu and you will be a happy camper.
You will notice dozens of other applications which tout themselves as "Anti-Spyware" and some even offer to scan your system free of charge. Just say NO to all of these applications. Some of which are designed to infect your system with a free scan. The only site in the world which I permit to scan my system is the Windows Update site. I've yet to see any other application which is better than the Spybot plus Ad-Aware SE Plus combination. No need to believe me. Carefully examine the sites of these other applications and look for a feature comparison chart with both of the applications I recommend. Don't count on a Webmaster for an honest evaluation of what works. Most don't care and are only interested in receiving a commission for the sale of another product.
Posted by Steve_S
December 03, 2004
The implosion of AdSense & AdWords
The dirty little secret about Google leaves me confused and perplexed. They enable folks to cheat their own Affiliate Program and rob Advertisers. Not to mention the fact that Corporations need to speak with one voice.
Welcome to Google. Let us help you cheat and rob!
Run this search in Google for "fake hits". It looks like "I-Faker" has some darn good rankings. This is one of the automated tools which cheaters use to steal money from Google's AdWords Advertisers. Some affiliates of the AdSense program love this tool. Earth to Google: did the thought ever cross your mind that these listings paint you as an enabler? Your very own Search Engine helps folks cheat. If you are serious about reducing click fraud and protecting your Advertisers, it's a trivial matter for you to ban these listings and tell your spider not to index these sites.
Mixed signals about click fraud, direct from a Stanford Dorm
Actually, Google is a public company which apparently lacks continuity in "Corporate Speak". Consider these two examples:
December 1, 2004 - Source: "I think something has to be done about this really, really quickly, because I think, potentially, it threatens our business model," Google Chief Financial Officer George Reyes said Wednesday.
Reyes, speaking at an investor conference sponsored by Credit Suisse First Boston, was referring to an illegal practice known as "click fraud" that occurs when individuals click on ad links that appear next to search results in order to force advertisers to pay for the clicks...."
November 24, 2004 - Source: "We are vigilant in protecting our advertisers and the integrity of our programs. We have sophisticated technology that detects and eliminates fraud. This lawsuit against Auctions Expert demonstrates the success of our anti-fraud system and that we will take legal action when appropriate," said Google spokesman Steve Langdon.
First you tell the world how great your anti-fraud technology is, and seven days later you effectively tell "the street" that your entire business model is in jeopardy. Over 70% of your pre-tax net profit is in jeopardy.
What a marvelous way to instill confidence in the AdWords community of advertisers. Cheaters also love this. It shows weakness and lack of purpose. Hire a professional Communications/PR agency and speak with one consistent voice.
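The quoted definition of click fraud, repeated clicks on an ad link made only to run up the advertiser's bill, is also the shape the abuse takes in a click log, which is what any "sophisticated technology that detects and eliminates fraud" has to work from. The script below is an added example and is not Google's detection logic or anything from the post: it reads constructed click-log lines (timestamp, client IP, campaign id, all fictitious), flags an IP that clicks the same campaign more than a threshold number of times inside a sliding one-minute window, and recomputes the billable click count with those clicks discarded. The log format and thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed click-log lines: timestamp, client IP, campaign id.
# Addresses come from documentation ranges; nothing here is real traffic.
SAMPLE_CLICKS = """\
2004-12-01T10:00:01,198.51.100.7,camp-42
2004-12-01T10:00:04,198.51.100.7,camp-42
2004-12-01T10:00:09,198.51.100.7,camp-42
2004-12-01T10:00:15,198.51.100.7,camp-42
2004-12-01T10:00:20,198.51.100.7,camp-42
2004-12-01T10:03:00,203.0.113.5,camp-42
2004-12-01T11:30:00,203.0.113.9,camp-17
2004-12-01T15:45:00,203.0.113.9,camp-17
"""


def parse_clicks(text):
    """Parse log lines into (datetime, ip, campaign) tuples, skipping blanks."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, campaign = line.split(",")
        rows.append((datetime.fromisoformat(ts), ip, campaign))
    return rows


def flag_burst_clickers(rows, max_clicks=3, window=timedelta(minutes=1)):
    """Return {(ip, campaign): peak_count} for pairs exceeding max_clicks in any window."""
    by_key = defaultdict(list)
    for ts, ip, campaign in rows:
        by_key[(ip, campaign)].append(ts)
    flagged = {}
    for key, times in by_key.items():
        times.sort()
        start = 0
        # Sliding window: advance 'start' until the window fits, then count.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > max_clicks:
                flagged[key] = max(flagged.get(key, 0), count)
    return flagged


def billable_clicks(rows, flagged):
    """Clicks per campaign after discarding every click from a flagged pair."""
    counts = defaultdict(int)
    for _ts, ip, campaign in rows:
        if (ip, campaign) not in flagged:
            counts[campaign] += 1
    return dict(counts)


def analyse(text):
    """Convenience wrapper returning (flagged pairs, billable counts)."""
    rows = parse_clicks(text)
    flagged = flag_burst_clickers(rows)
    return flagged, billable_clicks(rows, flagged)


if __name__ == "__main__":
    flagged, billable = analyse(SAMPLE_CLICKS)
    for (ip, campaign), count in flagged.items():
        print(f"suspicious: {ip} hit {campaign} {count} times within one minute")
    print("billable clicks:", billable)
```

On the sample log the five clicks from one address in nineteen seconds are flagged and camp-42 is left with a single billable click, while the two clicks hours apart on camp-17 are untouched. A real system would add further signals (user agent, session, conversion behaviour) on top of this rate check, but the window logic is the same.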
Posted by Steve_S
December 01, 2004
Affiliate Program Advice From the "dude"
Every few weeks we will publish some email we receive along with our response. We generally redact the senders name and email address to protect their privacy. We have chosen not to enable the Comments feature of our script since it lacks adequate controls to prevent Spam and abuse. We hope you enjoy this regular feature.
Email received:
dude!
Me and my buddies think your investigations of companies and programs is a total waste. We all live in the same frat house and just join programs which sound cool. We get paid and haven't been stiffed yet!
later
Our response:
My name is Steve and that would be the appropriate name to use as opposed to "dude". If and when you graduate from College and actually seek employment, you will discover that the use of "dude" won't get you a real job. Perhaps a fry cook at McDonalds but not much else. You need to break this habit because I've seen many folks accidentally use the word in a business setting which always taints their image or in some cases gets them fired.
The real issue in your email is interesting and your thoughts are pervasive in the Webmaster world. Let's break this down into logical points for you and your buddies to consider:
1. You will be cheated and or abused. Not if but when. Period! Dozens of affiliate programs launch, which rely on the fact that you won't spend the time to properly research them and then they cheat you.
2. You're missing the real issue, which is training for "Life" and making logical decisions based on prior research. For example, when you join the real world you must research prospective employers, auto insurance, health insurance, credit card terms, sale or purchase of a home, and numerous other issues which play a significant role in your life. If you develop the habit of not performing your investigations before you leap, you will make bad decisions and have little if any chance of succeeding in life.
Later dude!
We couldn't resist a little humor in our response. However, this kind of thinking and correspondence is a serious problem. The Internet has spawned a generation of folks/losers who think the brick and mortar world works the same way as the Internet. Do you have a clever comment? Take us to task. Let's hear your logic. Send your best thoughts to: ss AT StopScum DOT com
Posted by Steve_S
