[PPRAANet] PPRAANet forums sending dangerous ads.

Dan Scott w0ro.dan at gmail.com
Wed Jan 25 23:04:47 EST 2017 

In the support forums for the forumotion there are complaints various adds
over the last year, including pop-under adds.  I'm trying to figure out how
to report this particular add.  Being I just signed onto the support forum
the first time, it seems I don't have credentials to post to it. It appears
to be something they are aware of there is a forum to post , and I think
the group that sponsors the free forums sell the service so they can make
some $$ off us freebie users.

73,
Dan
WØRO
-----
http://www.eQSL.cc/Member.cfm?W0RO

On Tue, Jan 24, 2017 at 7:53 PM, Phillip H. Blanton <phillip at n0tan.com>
wrote:

> It was NOT VIA EMAIL. Sorry for the caps, I just want to make sure I am
> understood. This is NOT SPAM!
>
> This is a *NEW attack vector*. It was a pop-under ad that was sent to my
> browser through the PPRAA forums.
> I attached the images to the email I sent to the board members, but you
> can see them at these links..
>
> http://www.screencast.com/users/pblanton/folders/Snagit/
> media/95bc9c08-adc9-4b7e-af02-fdf074f97412
> http://www.screencast.com/users/pblanton/folders/
> Default/media/3203f671-0c87-4907-bb9c-d448a1ca6e51
>
> The issue isn't with the forums. I think that scammers have simply paid to
> have targeted ads run on the normal ad channels and nobody who runs those
> cares as long as their checks cash.
>
> This is a problem for Century Link and it is growing. I know because I got
> the first pop under yesterday and tried to report it to Century link but
> was rebuffed.
>
> Today I got another one. I isolated my machine and engaged it. I extracted
> the page source from it and put it through its paces. It's just a very
> targeted attempt to trick Century Link users into clicking on all of the
> crappy click-bait ads that have become synonymous with internet use.
> Century link should definitely care, but at this time they don't. If you
> want to see the spamminess of the one I got today, a screen shot of it is
> here...
>
> http://content.screencast.com/users/pblanton/folders/
> Default/media/f9bf52df-6098-4ed3-a831-40a314f3bad0/2017-01-24_14-42-20.png
>
> The danger of this attack vector is that it's targeting Century Link
> customers and it is 100% certain that you are, based on your IP address.
> Other targeted attacks may try to send out a message that your Wells Fargo
> account has been compromised, but they have no clue whether you have a
> Wells Fargo account or not. They're just throwing a fistful of sham into a
> fan and seeing what sticks. In this attack however, they KNOW FOR 98%
> CERTAINTY THAT YOU ARE A CENTURY LINK CUSTOMER.
>
> This is dangerous and only Century Link can do anything about it, but so
> far they don't care.
>
> --
> Phillip (NØTAN)
> phillip at n0tan.com
>
>
>
> On 1/24/2017 4:26 PM, Dan Scott wrote:
>
> I did see a fictitious user account created about 2 months ago so I
> deleted that.  I doubt it will help as there was no activity
> associated with the user.
>
> Other possibilities include:
> 1.  The hosting organization got hacked.  But I would expect something
> widespread.
> 2.  The originating email is a spoofed.  This is a very common technique
> of spammers.  See: https://en.wikipedia.org/wiki/*Email*_*spoofing* for a
> good overview.
>
> 73,
> Dan
> W0RO
>
> 73,
> Dan
> WØRO
> -----
> http://www.eQSL.cc/Member.cfm?W0RO
>
> On Sun, Jan 22, 2017 at 3:53 PM, Phillip H. Blanton <phillip at n0tan.com>
> wrote:
>
>> Hello all. I don't have all of the details yet, but I was recently
>> presented with an evil, spear phishing attempt via a pop-under ad sent
>> to my browser via the ad service on the PPRAANet forums.
>> (*http://ppraa.forumotion.net/*)
>>
>> The ad was targeted to me as a Century Link customer. Here's a screen
>> shot of the pop-under ad...
>>
>>
>>
>> I reported it to Century Link, but they didn't much care. They followed
>> the script, "Thank you for reporting this issue, to keep yourself safe
>> online please refer to... blah blah blah".
>>
>> Here's a screen shot of the page info of the pop under ad. Note the
>> Referring URL...
>>
>>
>>
>> So my warning is to be careful when using the forums. Maybe someone
>> should limit who can advertise on the forum page, if possible. If it's
>> not possible then the forums need to be moved somewhere safer.
>>
>> --
>> Phillip H. Blanton (NØTAN)
>> phillip at n0tan.com
>> 719 244-0779
>>
>>
>>
>> ______________________________________________________________
>> PPRAANet mailing list
>> Home: http://mailman.qth.net/mailman/listinfo/ppraanet
>> Help: http://mailman.qth.net/mmfaq.htm
>> Post: mailto:PPRAANet at mailman.qth.net
>>
>> This list hosted by: http://www.qsl.net
>> Please help support this email list: http://www.qsl.net/donate.html
>>
>
>
>

More information about the PPRAANet mailing list