Personal website/blog, with a focus on cybersecurity

Author: jeroengui

New ways cybercriminals are circumventing spam filters

In a variation on the Google forms e-mail spam wave I wrote about in the beginning of the year, cybercriminals are making use of other platforms and online signup forms to circumvent spam filters and spread their malicious links.

These scammers use a multitude of strategies to make use of legitimate services, domains and webservers instead of their own infrastructure that would quickly get flagged as spam.

Some of them make use the fact that a substantial amount of websites don’t implement input validation on the “name” field, in the form where users sign up for the web application. Giving criminals the ultimate freedom to take over the content of the e-mail and add malicious urls. This with varying rates of succes…

Others make use of legitimate features in web applications that send out invites for groups, or reminder e-mails in project management software. Like this e-mail from Facebook (Meta):

Or this one from Atlassian:

Prevention

While achieving total prevention may be challenging without restricting features for normal users, there are measures to mitigate abuse in your web applications and domains. For the “Name” field, handling input validation for names is complex; consider blocking input containing URLs and domains initially. Implementing rate limits can deter cybercriminals from exploiting features for mass emails to potential victims.

Vigilance is key. Regularly monitor service usage, detect misuse, and promptly deploy countermeasures for the most effective strategy against abuse.

Reclaim your personal data

In my search for a more secure and private online presence I came across Incogni,

In today’s world, our personal information is scattered across the internet, making it vulnerable to cyber threats such as identity theft, cyberstalking, and phishing attacks. Cybercriminals can use this information to harm individuals and businesses, leading to financial loss and reputational damage. Sending out removal requests is often a time consuming task, especially because you don’t know which entities have data on you.

This is where Incogni comes in to help.

Incogni is a personal information removal service that contacts data brokers on your behalf and handles the removal process of your personal data.

The companies they contact include:

  • Marketing data brokers;
  • Recruitment data brokers;
  • Financial information data brokers;
  • Risk mitigation data brokers;
  • People search sites.

My experience was very positive. After filling in all my details and giving consent for sending out these requests they immediatly began contacting companies and were transparant about the progress made.

They currently even have a 50% off deal (affiliatelink):

https://get.incogni.io/SH126

In conclusion I would really recommend you check this service out! Or take a look at their blog posts that help you with doing this work for free yourself on:


Any opinions expressed in content on my blog are my own. Incogni doesn’t pay me for writing this article. However any purchases through the above links could earn me a commission.

I believe in being transparent with my readers, and want to make sure you are aware of this arrangement. Please note that my affiliate partnerships do not impact my content in any way, and I will always provide honest and unbiased reviews and recommendations.

My goal is to provide you with useful and valuable content, and I appreciate your support in helping me achieve that goal. As always, if you have any questions or concerns, please don’t hesitate to reach out to me.


How scammers use Google Forms to defraud victims

As we all know, fraudsters are always looking for new ways to scam victims out of their hard earned money. Recently my honeypot inbox got flooded with e-mails claiming my account would be blocked.

gmail screenshot showing bombarding of google forms scams

The e-mails where e-mails coming from the official mail Google uses to send a copy of form respones to users ([email protected]).

google forms scam

The links to “my personal account” (making use of the Google open redirect functionality, more info). Then there are multiple redirects and sometimes a page where there is a fake Google captcha (that is just a clickable png, with the link to the next redirect)

fake google captcha

or fake antivirus check (to mislead AV scanners or victims, I’m not really sure).

waiting page before redirect

Most sites are hosted on servers in Russia, or hidden behind the Cloudflare proxy service. In the end the redirect chain opens a generic crypto scam, where they promise you huge amounts of money if you first pay them a small transaction fee or something similar.

crypto scam screenshot

In the end the they were just trying to bypass spam filters by using the “send copy of response” feature in the Google Forms software.

Google luckily acted really fast and took down the forms, and I suspect suspended accounts that were involved with this scam.

I feel like I should come to a conclusion, but the fact is that I have none. Stay safe out there and be a little bit more suspicious when you receive form responses in your inbox from froms you didn’t fill in.

If you have any questions, if I got something wrong, or if I forgot something: feel free to post a comment or contact me via http://jeroengui.be/contact

Guide on taking down malicious sites and reporting phishing

Most of us receive multiple phishing e-mails and text messages and come across malicious sites from time to time. 

But what can we do to protect others from getting scammed?

Taking down the sites can be quite a long process, but first we can do other things to prevent people from accessing the malicious url by accident.

Microsoft Smartscreen and Google Safebrowsing:

Google Safebrowsing logo

These anti-phising and anti-malware tools are build in on most browsers and can hereby help the most people. They essentially hold a database of al the malicious sites and give a warning before entering the site.

You can report links to https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site

And: https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en

Antivirus Providers

A lot of AV providers also have a way to report these sites, here is a short list:

Avast:

https://www.avast.com/report-malicious-file.php#mac

Norton:

https://submit.norton.com/

Eset:

https://phishing.eset.com/en-us/report

Avira:

https://www.avira.com/en/analysis/submit

Bitdefender:

https://www.bitdefender.com/consumer/support/answer/29358/

Spam 404:

https://www.spam404.com/report.html

Symantec:

http://sitereview.bluecoat.com/#/

https://symsubmit.symantec.com/

Bright Cloud

https://www.brightcloud.com/tools/change-request.php

Netcraft:

https://report.netcraft.com/

Spamcop

https://www.spamcop.net

Spam.org

https://www.spam.org/

Paloalto

https://urlfiltering.paloaltonetworks.com/

TrendMicro

https://global.sitesafety.trendmicro.com/index.php

Mcafee

https://sitelookup.mcafee.com/en/feedback/url

Forcepoint

https://csi.forcepoint.com/

And some national reporting sites:

https://phishing-initiative.eu/contrib/

https://www.circl.lu/urlabuse/

https://www.ncsc.gov.uk/section/about-this-website/report-scam-website

https://www.signal-spam.fr/en/

https://incydent.cert.pl/phishing

https://www.cert.ru/en/abuse.shtml

https://nki.gov.hu/en/ncsc/contents/it-security-incident-reporting/

https://www.antiphishing.ch/en/

https://www.incibe-cert.es/notificaciones

E-mail Phishing

Phishing/malicious e-mails can be forwarded to:

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

If you want me to take a look at it personally, you can also forward it to [email protected]

Or just copy this to the “to:”-field when forwarding

[email protected],[email protected],[email protected],[email protected],[email protected],[email protected], [email protected], [email protected], [email protected], [email protected]


Full takedown

If you don’t only want a warning before people enter the site but want the site to be gone from the World Wide Web, you can report the domain to the Registrar and report the site to the hosting provider or proxy service.

If you don’t know what the above terms mean, I will give you a short walk through.

Registrar:

Most sites have a domain name like “google.com” or “jeroengui.be”. Sometimes the domains are obfuscated to make them look legit. If you don’t know how to find the domain from an url you can use this tool:

https://www.goforpost.com/tools/domain-extractor/

These domain names have to be registered with a registrar. To find the registrar of a site, you can use a whois tool like:

https://whois.icann.org/ or https://whois.domaintools.com/

These are just some examples, just do a quick search on “whois search” and you find a lot more. Or, you can install whois on your Linux installation and use the “whois *domainname.com*” command.

When using the whois command you can find the registrar and also often an e-mail where you can report abuse of their services. Just e-mail them explaining that you encountered the phishing site that you are trying to report. If you don’t find an e-mail in the whois you can also search on the registrars site for an abuse form.

Hosting provider/proxy service:

Every site needs to be hosted on a server somewhere in the world. Often scammers use a hosting provider that hosts the site for them. To find the hosting provider, you can use a site like https://www.who-hosts-this.com/ or https://sitechecker.pro/hosting-checker/.

For the Linux users. Use the “host *domainname.com*” command followed by the whois command with as argument the first IP address that you found as output from the host command.

As with the registrar, you find an abuse e-mail or can look up the site of the hosting provider for an abuse e-mail or form.

Not every site is hosted directly by the company that you just reported to, sometimes they are just a proxy service like Cloudflare. Nonetheless do they need to take action and report the site to the actual host and stop providing the proxy service for the malicious site.

Final note

After taking all these steps and often waiting for some days, the site will be gone, or the malicious content deleted. Sometimes no action will be taken, but don’t worry about it, you did everything you could to make a safer place from the internet.

Thank you for taking a deep dive in the world of scam fighting with me. If all this seems a little bit much for you, you can still send any scam links, screenshots from sms and forward any suspicious e-mail to [email protected]. I automated part of the above process and when I find the time I will complete the other part manually. 

If you have any questions, if I got something wrong, or if I forgot something: feel free to post a comment or send me an e-mail on [email protected]

© 2024 Jeroen Gui

Theme by Anders NorénUp ↑