Just For Fun: the April Fools that attacked BoonEx show up with some demands.

Andrew Boon posted 5th of April 2011 in Boonex News. 50 comments.

Well, well, well... lookie here. We got ourselves a blackmailer! Just in the midst of the latest DDoS attack we received the following:

 

-----------------------

Yunlong Li


Through our monitoring, Your company website will suffer in the near future a strong attack.


If you want to avoid a loss, Please in 12 hours, will $10,000 transfer to the following account, we will endeavour to
ensure the safety of the website of your company.


Libertyreserve.com      LR Account: U5415277


by netwsafe@yahoo.com
-----------------------
Received: from [122.156.234.148] by web121411.mail.ne1.yahoo.com via HTTP; Tue, 05 Apr 2011 17:17:34 PDT
Their IP from email headers: 122.156.234.148
Their ISP:

122.156.0.0 - 122.159.255.255
China Unicom Heilongjiang Province Network
China Unicom

ChinaUnicom Hostmaster
abuse@chinaunicom.cn
No.21,Jin-Rong Street
Beijing,100140
P.R.China
+86-10-66259940
+86-10-66259764

Binghui Gao
luanfuyu@vip.hl.cn
Shuniu Building,No.155 Zhongshan road,Harbin,Heilongjiang
+86-451-82651467
+86-451-82651464
-----------------------


Not sure how it's done in China, so if you know - share your ideas on how and where to report them to make sure they're spanked by Chinese Police or at least by their mom.

 

We contacted Libertyreserve and reported the fraud, but they don't seem to care - another shady payment provider. Anyway, there's not much more that we'd care to do about it, but wanted to share some details with the Unity crowd. Anyone willing to exercise their detective skills may try to investigate further. Another option is to contact those dullards for some free stress-testing of your infrastructure. Funnily, the first message from them came on 1st of April.

 

p.s. sometimes I really wonder if somebody actually believes that they could have $10,000 (or any money, for that matter) sent to them in such situation... is it even possible that one could be THAT ignorant?

 
Comments
houstonlively
China will soon become the new Nigeria, only ten times worse. I think all the Chinese scamming that we see, is only the beginning; The best that we can hope for, is that the EMP of a giant solar flare wipes out all communication infrastructure in China... I'll keep my fingers crossed.
Certainly Yahoo should be notified. I note to LibertyReserve would be something (maybe fruitless) to do, if they are a legitimate business.. let them know they've been mentioned in a blackmail scheme.. I'm sure your site isn't the only one being attacked this way. What does your ISP or Webhost Provider say about it..
Can they block the range of IP addresses?
UFO360
agree with Estacey2009 report this to yahoo
I'm trying to finish my website I need boonex.com I hope the boonex team find a solution for this.
I'm not a computer expert I don't understand why this is happening.
Good thing my web host tmdhosting has anti-DDoS capability. I really don't understand what that is, I'm going to check that on them.
Draxxon
I'd definitely be contacting abuse@chinaunicom.cn
saurav121
Such attacks are backed by china govt too... we cant do nything except blocking the whole china... these guys f****d even google n govt did nuthin....
so i advice boonex to block china, these ppl are nt gona give u business but only KICKS ON UR BUTTS..
houstonlively
Andrew, are you familiar with these folks?

http://www.shadowserver.org

I wonder if they could be of any help in tracking down the criminals behind these attacks. Whoever it is, has escalated this from a ddos attack to EXTORTION (NOT blackmail)... a crime punishable by imprisonment in most countries. It's time to involve law enforcement.
richmanfl
If you like, I can make some calls to the cybercrimes division of the FBI here. I have dealt with them in the past, and they are pretty open to looking into new leads and since the servers reside inside the USA, it would be of their interest.
houstonlively
That's exactly what should be done. Not only are the servers in the US, but it is likely that a large portion of the attacking botnet or even command center is within the US as well. The trail leading to China could just be a smoke screen... maybe the responsible person is right here in the US. Really.... what are the odds of some guy in China commanding a botnet to attack Boonex for a lousy 10,000 bucks? That's chump change. There are people in the world that would pay much more than that for control of a botnet like the one used on Boonex. No offense to Boonex, but there are much bigger fish to fry, so why wouldn't they? It's either a colossally stupid extortionist, or more likely a disgruntled ex employee or competitor. Whoever it is, I think it's time they did some jail time.
When will the MODULE SITES be fixed ?? ...

http://www.boonex.com/unity/forums/#topic/module-SITES.htm
houstonlively
WTF does that have to do with THIS topic?
i felt being naughty ..
houstonlively
Good enough.... carry on then.
It is absolutely f****** ridiculous that they think they will land themselves 10 grand. Yet I am not in any way surprised any more.

I see on one of the sites I recently took over, the amount of scamming is absolutely amazing. One could not fathom the ongoing efforts these people make; ESPECIALLY from Nigeria. But it's corrupt companies that are the problem. Companies such as these pay sites, or in the case of the website I refer to, VLD which is a RUBBISH platform for poor souls wanting to build a dating site. Personally I was horrified that the previous owner of the site went with such poor and limited software. But beyond the low quality of the platform, I have never seen such bug-infested software before. It has encrypted coding that allows these Nigerian scammers to send hundreds of emails in seconds. Yet the admin cannot actually perform the same actions or alter the locked code. It is as if they designed it themselves. Similarly, users with banned IP addresses still manage to return and spam/scam. I mean you should see the sick twisted emails they send to lonely blokes/gals around the world with promises of enduring love. Can you believe I have to monitor them all (unlike the previous owner) and actually contact people to save them from being so gullible. Yet my time is precious and enough is enough...

...and of course, this is why I am here, rebuilding the entire site with Boonex and so far, I am extremely HAPPY with the quality of the software and the extent of the instructions at hand... I look forward to finishing so I can migrate my members, have a great site and be done with the VLD curse that I inherited!

Much appreciation to the Boonex team.
praveenkv1988
You should contact the IP provider at (abuse@chinaunicom.cn). They will be able to do the best.

Not sure whether this will work in China. If it's USA, I am sure, this would work.

I think in China, you will hardly get any response from them because most of their IPs are already in SPAM blacklist. Also, they will have dynamic ip allocation.
annabel
I also had scammers from Nigeria, but people cannot create a profile on my site unless I approve and activate. Besides that, my site is only in Dutch and those people speak (very bad) English. So I track them before they can even get on my site and I reject their profiles.
silverado350
Because this is an attack directed at a server in the United States , I believe it could be considered an act of terrorism against the U.S and there for it should be an F.B.I. matter. Definitely contact them.
Andrew Boon
Sorry about a long silence. We had to deal with the traffic and some issues with blocked users. We have already filed some reports and will continue pursuing. Thank you for everyone's advice and patience.
elsweb
Interesting, I have just now been able to pull up your site. I tried until the wee hours of the morning on the pacific coast of usa. I have only just now been able to access your site. I kept getting a message that your server was taking too long to respond. I hope all is resolved now. I know it isn't your fault for this happening, but it is very frustrating while trying to access information for the development of my site(s).

I do hope you don't suffer further attacks and that your server is able to be better secured.
danielmarseille
I like the Please ...
you are polite people - all is not lost to you - please change activity
Adminmysite
How crazy would that be if we find out it's one of unity's pissed off members doing this /:
theguypc
How lame.

I wonder if someone didn't see the attack and just think they could make money - having nothing to do with actually causing it. Anyone can see when Boonex is under attack and send something like this out. When the Lindbergh baby was kidnapped many years ago in the U.S. he received all kinds of ransom notes from people that had nothing to do with it.

I hope you track whoever this is down. It's a sick, twisted world we live in isn't it?
Nathan Paton
I hate people who try to profit off the hard work of others.
Andrew Boon
Looks like Wordpress.com had a similar attack, only about 10 times bigger. Took them down for a while.
tomakali
Call John Rambo or Iron Man
maybe i need a nuke to end those shitty noodle brains...
tomakali
Release 7.1 soon
We love Boonex who fights!!!
richmanfl
See Andrew, that is what happens when you eat Chinese... and don't read your fortune cookie!

I have detailed the outlines of the attack and also the details regarding the extortion issue in a detailed report to the FBI, and it has been taken up by a team who are investigating. Hopefully they will still be working after the Govt shuts it's doors next week.
theguypc
It makes so much sense to attack open source script sites.

Anyone who thinks hackers have any basis in social justice is kidding themselves.
Nathan Paton
I think you're confusing white hats, black hats, and a guy from China with one another.
rickyricky
I don't understand, do people like these attackers not have anything better to do with their pitiful lives!? Recently my roommate's Facebook account was hacked and get this......the hacker emailed him and asked him for 1500 dollars to leave it alone!!! If my site is ever attacked in such a way, I'll be screwed, 'cause I won't have a clue what to do!! I have my site set on approval before anyone can get in, but these days that doesn't seem to mean too much. I'm so sorry about this attack on Boonex 'cause I LOVE this company! I hope it's all good now.
Nathan Paton
It's not too hard to automate these kinds of things, or do things manually to the point where you can just step out and grab a sandwich.
nikoma
Is this some sort of envy on Boonex or just simple criminals, trying to get real money?
Nathan Paton
I accidentally Li's Dolphin.
BeWytched
I have started keeping logs of all spammers that come to my site including their username, email address and IP. Search for them on www.stopforumspam.com where I found the person had a ton of accounts using different names but the same IP. My chat rooms which are hosted in China also took a severe DDoS attack from the end of February until about the third week of March. Our chat had to change servers three times as they got in there too. I vote that boonex have a forum set up to report our spammers so we can all be aware. If boonex chooses not to do that, there are a ton of sites which will post the info including all my sites. The spammers seem to come from China and India for the most part and try to get into all my dolphin sites, even being dumb enough to use the same name and email. Good luck with the legal case and I hope you snag these deadbeats who have nothing to do with their lives than to attack websites. Bet they were bullies on the playground too.
We get attacked constantly. We have had to invest in a RioRey DDoS firewall. The unit is about 3k and then support is about 1k a year.

Our last attack about a month ago was quite sophisticated

If you're interested, here is their report which shows the lengths these arses go to
########################

RioRey assisted #### to mitigate a DDoS attack around the time period of #### through ###, 2011. This attack is technically interesting because it is the first observed event of a new HTTP attack variant. In this report we will be using the RioRey DDoS Taxonomy to classify the attack.

The attack can be decomposed into two parts:
a) standard SYN floods (type 1) using non spoofed source IP
b) modified HTTP Excessive Verb (type 11) attack

Approximately 10,000 bots were used in this attack; however, the modified Excessive Verb attack was so skillfully done that it made initial identification difficult.

Part a, SYN flood:

The SYN flood used predominantly bots with Latin American IP addresses. These bots would repeatedly send SYNs in bursts, then pause, and repeat. Most of the bots, when active, were sending several hundred SYNs per minute, but some were running around 50 SYNs per minute, which is close to normal activity levels for a graphics-intensive page.

These SYN attackers were easily identified and blocked, and it is interesting to note that a few of these bots continued to attack for several days even though they had been blocked and rendered ineffective. We speculate that the bot controller has either lost control of these bots or lost interest in managing the attack at the end.
Part b, HTTP excessive Verb attack:

In this attack, the attacker is using new code that generates GET attacks against more than one victim page. Attached is a pcap file, type_11_attack_signature.pcap, which captures attack packet samples from these bots.

When you open this file and sort the packets based on source IP, you will see that the attackers programmed the bots to visit 3 pages, repeatedly and in random sequences. In addition, most bots also vary their User Agent and Country/Language codes, making detection of these bots much more difficult. Fortunately, we were able to train our device to recognize these variations and successfully mitigate the attack.
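One way a site operator could pick the part b behaviour (many GETs confined to a handful of pages while User-Agent and language codes keep rotating) out of ordinary web-server logs, as an added example that is not RioRey's or the report's code. It assumes a combined-format access log with the Accept-Language header logged as one extra quoted field; the sample lines, IP addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Combined log format with the Accept-Language header appended as a final
# quoted field: an assumed logging setup, not data from the RioRey report.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<lang>[^"]*)"$'
)

# Constructed sample lines: 203.0.113.9 rotates User-Agent and language over
# three pages in random order; 198.51.100.7 is an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.9 - - [05/Apr/2011:17:17:01 -0700] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1)" "en-US"
203.0.113.9 - - [05/Apr/2011:17:17:01 -0700] "GET /forums/ HTTP/1.1" 200 8192 "-" "Opera/9.80 (X11; Linux)" "de-DE"
203.0.113.9 - - [05/Apr/2011:17:17:02 -0700] "GET /search.php HTTP/1.1" 200 4096 "-" "Mozilla/4.0 (compatible; MSIE 6.0)" "pt-BR"
203.0.113.9 - - [05/Apr/2011:17:17:02 -0700] "GET /forums/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (Macintosh)" "es-AR"
203.0.113.9 - - [05/Apr/2011:17:17:03 -0700] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 5.1)" "fr-FR"
203.0.113.9 - - [05/Apr/2011:17:17:03 -0700] "GET /search.php HTTP/1.1" 200 4096 "-" "Opera/9.80 (Windows NT 6.0)" "en-GB"
198.51.100.7 - - [05/Apr/2011:17:17:01 -0700] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1)" "en-US"
198.51.100.7 - - [05/Apr/2011:17:17:01 -0700] "GET /css/main.css HTTP/1.1" 200 900 "http://example.org/index.php" "Mozilla/5.0 (Windows NT 6.1)" "en-US"
198.51.100.7 - - [05/Apr/2011:17:17:02 -0700] "GET /img/logo.png HTTP/1.1" 200 2300 "http://example.org/index.php" "Mozilla/5.0 (Windows NT 6.1)" "en-US"
198.51.100.7 - - [05/Apr/2011:17:17:09 -0700] "GET /forums/ HTTP/1.1" 200 8192 "http://example.org/index.php" "Mozilla/5.0 (Windows NT 6.1)" "en-US"
"""

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m.groupdict()

def profile_sources(records):
    """Per source IP: request count plus the distinct paths, UAs and languages seen."""
    prof = defaultdict(lambda: {"requests": 0, "paths": set(), "uas": set(), "langs": set()})
    for r in records:
        p = prof[r["ip"]]
        p["requests"] += 1
        p["paths"].add(r["path"])
        p["uas"].add(r["ua"])
        p["langs"].add(r["lang"])
    return prof

def flag_rotating_bots(log_text, min_requests=5, max_paths=3, min_fingerprints=3):
    """Flag IPs issuing many GETs to only a few pages while the User-Agent or
    Accept-Language keeps changing; a real browser keeps one of each and also
    fetches CSS/images. Thresholds are illustrative; tune them on real traffic."""
    flagged = {}
    for ip, p in profile_sources(parse(log_text)).items():
        rotating = max(len(p["uas"]), len(p["langs"])) >= min_fingerprints
        if p["requests"] >= min_requests and len(p["paths"]) <= max_paths and rotating:
            flagged[ip] = {"requests": p["requests"], "pages": sorted(p["paths"]),
                           "user_agents": len(p["uas"]), "languages": len(p["langs"])}
    return flagged
```

Running `flag_rotating_bots(SAMPLE_LOG)` on the constructed log reports only 203.0.113.9; the flagged entries are candidates for blocking or rate-limiting, not proof on their own.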
Nokao
I fear that's only the beginning.

China is starting to colonize Europe (after Africa and South America).

They never die (they give the dying chinese people paperworks to another person)
They don't respect any law.
They don't buy anything from non-chinese people.
And they have infinite amounts of money thanks to brotherhood-mafia pacts.

We'll see worse in the future.
Nokao
No I'm not.

I had a Chinese girlfriend and I love their culture,
but unfortunately, politically they are selfishing using money and every rule we invented to conquer us without doing a war.
I live in Venice and a house here costs like 5 million dollars. Sometimes they came, with boxes of cash, and they just buy. And that's happening in every strategically useful city in Europe.
First commercial-money-gaining structures, and second our industry.

That dos attack for me is the same, they can do it because there is no law (except martial) in their country, so they do so if that's a plus.
theguypc
Huh. And here I was sure it was the Martians.

Can I dispense with this tin foil hat now? Have the death rays finally stopped and been replaced with chow mein noodles? :P
Nathan Paton
Don't laugh, that's how my goldfish died.
elcentcom
The first time, a couple of hours ago, when I checked the IP it was an Indian (Delhi) IP address showing on top at http://whois.domaintools.com/122.156.234.148 document which now has changed. Information below was the same as it is now.

Someone's playing nasty I guess and even accessed the ICANN data perhaps.

But Indian hackers possible?

The part below was showing India and Delhi

**** IP Location: China Harbin China Unicom Heilongjiang Province Network
ASN: AS4837
IP Address: 122.156.234.148 ****
gondwana
Think I'll start carving spears from stone in preparation for the nth world war
theguypc
@Magnussoft - you should have known better. You aren't supposed to feed goldfish chowmein noodles, or force them to wear tin foil hats. You will end up with rusty little fish corpses every single time. ........or was it the death rays? No advice for you if that's the case since not much can be done without the ability to wear the tinfoil hat.
Ignorant??? No, just plain bloody dumb and stupid, I'm surprised they managed to send an email!!!! Idiots!!!
Nathan Paton
To be fair, even my dead goldfish can send emails, though they're mainly forwards of jokes and pictures of cats with various captions.
slix
Does the payment provider accept visa or mastercard? If so contact visa & mastercard about this, and report the payment company to them! The chinese government won't give a damn. China is becoming a problem. If their business is not valuable to you, you can block chinese traffic to your site simply by using geo targeted blocks.
Kingphish
Liberty Reserve is located in San Jose, Costa Rica. Any members of Unity from Costa Rica? This may be a money laundering issue and Costa Rica has money laundering laws. You may want to reach out to them.
Kingphish
Who is Boonex's compliance officer? They should be contacting LibertyReserve about this incident and the LR Account number to LibertyReserve that the account is being used in the commission of a crime (i.e., cyber attack, extortion and money laundering). You 'may' also need counsel (attorney) in Costa Rica if you don't already have someone representing Boonex.

Let me know, if you need additional help.

Also, don't respond with no. I'd keep them going asking for more time to get the money to them.