[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Privacy and Identity on the Net...



Are You On A Spam Site?

I was Googling a street address a little while ago and noticed that my final search return seemed a tad unusual. Curious, I clicked on it and was redirected to a very large text file filled with names, addresses, phone numbers, and IPs, hosted on a curious little website called pmaftp.com.
 
There was a ton of personal information on this page, and it was all wide open to view. Upon examining the site further, I realized how much more info is being stored on this site: There are dozens of files, some over 25 megabytes in size, loaded with what appear to be reams and reams of personal information.

Check out Google's cache... http://www.google.com/search?q=site:www.pmaftp.com

The homepage of the site is now gone, and apparently requires basic auth to access the data now.

I found similar reports, from people who visited prior to the homepage takedown back in September. They found a sound clip, appearing to be an introductory pep talk for some shady get-rich-quick scheme. There was an intro PDF too. The talk is all about being a "recruiter," with a 1-800 number given at the end for people to "want to be successful." Why would a job recruiter need hundreds of thousands of email addresses? It seems our spammers are outsourcing now.
 
I found that Google had cached files, some marked "VIP" and noticed that in these massive files, individuals are listed with the full "Royal Flush" of GLBA data -- first and last names, email address, street, city, state, zip, cell phone number and IP address.

Sad. Like the NSA really needs access to non-public information when there's stuff like this on the net, lingering around in caches.
It will be interesting when DMCA takedown notices try to "go faster" than the copies being made and syndicated through the search engines, blogs, aggregators, and places like archive.org.

Oh, and I caught a phisher in the act...
http://www.archlug.org/private/WF-phish-money-shot.png

Of course, Google was useless at connecting the dots and realizing that they were being used as a dropbox for fraud victim's information, and gave me the "we don't give out any information about our users" canned response, which wasn't even what I asked them for. I was _reporting_ (ab)use of _their_ systems by _criminals_. It would be really embarrassing if Google *knows* this, and does nothing to prevent them from potential claims of conspiring with these criminal elements by providing anonymous mailboxes for them to hide their loot (personal and financial information defrauded from the victims).

And, surprise, surprise, the phisher is an Egyptian in Cairo that uses an ISP that requires username/password to even access the *homepage*, that, in turn goes through another blind ISP in London. His IP was clearly in the webserver logs when he uploaded the phishing site.


And in other news, it is trivial, apparently, to clone the VeriChip RFID chips that are surgically implanted and are being sold as a means to verify identity. Hello? Apparently, everyone has forgotten that a core requirement for "identity" is "uniqueness".

http://cq.cx/verichip.pl

Anyone up for getting some of this equipment and see for yourselves? Now, everyone can be Paris Hilton. Or, anyone you want to be.
Like somebody other than the person accused of some crime. Wanna to 'fix' your DMV record? Credit history? No problem. Just become someone else. Instantly.

Hey, let's all become the _same_ person! How about this guy? http://www.electric-clothing.com/chipped.html

But it is OK. You can just shield your "private parts". Hmmm....
I wonder what else could you stuff into your pockets that has an RFID that you don't want detected?

http://www.electric-clothing.com/rfidpocket.html

Discuss.

Mike/


-
To unsubscribe, send email to majordomo@silug.org with
"unsubscribe silug-discuss" in the body.