[PPRAANet] PPRAANet forums sending dangerous ads.
Phillip H. Blanton
phillip at n0tan.com
Tue Jan 24 21:53:24 EST 2017
It was NOT VIA EMAIL. Sorry for the caps, I just want to make sure I am
understood. This is NOT SPAM!
This is a *_NEW attack vector_*. It was a pop-under ad that was sent to
my browser through the PPRAA forums.
I attached the images to the email I sent to the board members, but you
can see them at these links:
http://www.screencast.com/users/pblanton/folders/Snagit/media/95bc9c08-adc9-4b7e-af02-fdf074f97412
http://www.screencast.com/users/pblanton/folders/Default/media/3203f671-0c87-4907-bb9c-d448a1ca6e51
The issue isn't with the forums. I think that scammers have simply paid
to have targeted ads run on the normal ad channels and nobody who runs
those cares as long as their checks cash.
This is a problem for Century Link and it is growing. I know because I
got the first pop-under yesterday and tried to report it to Century Link
but was rebuffed.
Today I got another one. I isolated my machine and engaged it. I
extracted the page source from it and put it through its paces. It's
just a very targeted attempt to trick Century Link users into clicking
on all of the crappy click-bait ads that have become synonymous with
internet use. Century Link should definitely care, but at this time they
don't. If you want to see the spamminess of the one I got today, a
screen shot of it is here...
http://content.screencast.com/users/pblanton/folders/Default/media/f9bf52df-6098-4ed3-a831-40a314f3bad0/2017-01-24_14-42-20.png
The danger of this attack vector is that it's targeting Century Link
customers and it is 100% certain that you are, based on your IP address.
Other targeted attacks may try to send out a message that your Wells
Fargo account has been compromised, but they have no clue whether you
have a Wells Fargo account or not. They're just throwing a fistful of
sham into a fan and seeing what sticks. In this attack however, they
KNOW FOR 98% CERTAINTY THAT YOU ARE A CENTURY LINK CUSTOMER.
This is dangerous and only Century Link can do anything about it, but so
far they don't care.
--
Phillip (NØTAN)
phillip at n0tan.com
On 1/24/2017 4:26 PM, Dan Scott wrote:
> I did see a fictitious user account created about 2 months ago so I
> deleted that. I doubt it will help as there was no activity
> associated with the user.
>
> Other possibilities include:
> 1. The hosting organization got hacked. But I would expect something
> widespread.
> 2. The originating email is spoofed. This is a very common
> technique of spammers.
> See: https://en.wikipedia.org/wiki/Email_spoofing for a good overview.
>
> 73,
> Dan
> W0RO
> -----
> http://www.eQSL.cc/Member.cfm?W0RO
>
> On Sun, Jan 22, 2017 at 3:53 PM, Phillip H. Blanton <phillip at n0tan.com> wrote:
>
> Hello all. I don't have all of the details yet, but I was recently
> presented with an evil, spear phishing attempt via a pop-under ad sent
> to my browser via the ad service on the PPRAANet forums.
> (http://ppraa.forumotion.net/)
>
> The ad was targeted to me as a Century Link customer. Here's a screen
> shot of the pop-under ad...
>
>
>
> I reported it to Century Link, but they didn't much care. They followed
> the script, "Thank you for reporting this issue, to keep yourself safe
> online please refer to... blah blah blah".
>
> Here's a screen shot of the page info of the pop under ad. Note the
> Referring URL...
>
>
>
> So my warning is to be careful when using the forums. Maybe someone
> should limit who can advertise on the forum page, if possible. If it's
> not possible then the forums need to be moved somewhere safer.
>
> --
> Phillip H. Blanton (NØTAN)
> phillip at n0tan.com
> 719 244-0779