Just For Fun: the April Fools that attacked BoonEx show up with some demands.

Andrew Boon posted 5th of April 2011 in Boonex News. 50 comments.

Well, well, well... lookie here. We got ourselves a blackmailer! Just in the midst of the latest DDoS attack we received the following:

 

-----------------------

Yunlong Li


Through our monitoring, Your company website will suffer in the near future a strong attack.


If you want to avoid a loss, Please in 12 hours, will $10,000 transfer to the following account, we will endeavour to
ensure the safety of the website of your company.


Libertyreserve.com      LR Account: U5415277


by netwsafe@yahoo.com
-----------------------
Received: from [122.156.234.148] by web121411.mail.ne1.yahoo.com via HTTP; Tue, 05 Apr 2011 17:17:34 PDT
Their IP from email headers: 122.156.234.148
Their ISP:

122.156.0.0 - 122.159.255.255
China Unicom Heilongjiang Province Network
China Unicom

ChinaUnicom Hostmaster
abuse@chinaunicom.cn
No.21,Jin-Rong Street
Beijing,100140
P.R.China
+86-10-66259940
+86-10-66259764

Binghui Gao
luanfuyu@vip.hl.cn
Shuniu Building,No.155 Zhongshan road,Harbin,Heilongjiang
+86-451-82651467
+86-451-82651464
-----------------------


Not sure how it's done in China, so if you know - share your ideas on how and where to report them to make sure they're spanked by Chinese Police or at least by their mom.

 

We contacted Libertyreserve and reported the fraud, but they dont' seem to care - another shady payment provider. Anyway, there's not much more that we'd care to do about it, but wanted to share some details with the Unity crowd. Anyone willing to exercise their detective skills may try to investigate further. Another option is to contact those dullards for some free stress-testing of your infrastructure. Funnily, the first message from them came on 1st of April.

 

p.s. sometimes I really wonder if somebody actually believes that they could have $10,000 (or any money, for that matter) sent to them in such situation... is it even possible that one could be THAT ignorant?

 
Comments
·Oldest
·Top
Please login to post a comment.
houstonlively
China will soon become the new Nigeria, only ten times worse. I think all the Chinese scamming that we see, is only the beginning; The best that we can hope for, is that the EMP of a giant solar flare wipes out all communication infrastructure in China... I'll keep my fingers crossed.
Certainly Yahoo should be notified. I note to LibertyReserve would be something (maybe fruitless) to do, if they are a legitimate business.. let them know they've been mentioned in a blackmail scheme.. I'm sure your site isn't the only one being attacked this way. What does your ISP or Webhost Provider say about it..
Can they block the range of IP addresses?
UFO360
agree with Estacey2009 report this to yahoo
I'm trying to finish my website I need boonex.com I hope the boonex team find a solution for this.
I'm not a computer expert I don't understand why this is happening.
Good thing my web host tmdhosting have anti- DDOS capability. I really don't understand what that is, I'm going to check that on them.
Draxxon
I'd definitely be contacting abuse@chinaunicom.cn
saurav121
Such attacks are backed by china govt too... we cant do nything except blocking the whole china... these guys f****d even google n govt did nuthin....
so i advice boonex to block china, these ppl are nt gona give u business but only KICKS ON UR BUTTS..
houstonlively
Andrew, are you familiar with these folks?

http://www.shadowserver.org

I wonder if they could be of any help in tracking down the criminals behind these attacks. Whoever it is, has escalated this from a ddos attack to EXTORTION (NOT blackmail)... a crime punishable by imprisonment in most countries. It's time to involve law enforcement.
richmanfl
If you like, I can make some calls to the cybercrimes division of the FBI here. I have dealt with them in the past, and they are pretty open to looking into new leads and since the servers reside indie the USA, it would be of their interest.
houstonlively
That's exactly what should be done. Not only are the servers in the US, but it is likely that a large portion of the attacking botnet or even command center is within the US as well. The trail leading to China could just be a smoke screen... maybe the responsible person is right here in the US. Really.... what are the odds of some guy in China commanding a botnet to attack Boonex for a lousy 10,000 bucks? That's chump change. There are people in the world that would pay much more than that, see more for control of a botnet like the one used on Boonex. No offfense to Boonex, but there are much bigger fish to fry, so why wouldn't they? It's either a colossally stupid extortionist, or more likely a disgruntled ex employee or competitor. Whoever it is, I think it's time they did some jail time.
When will the MODULE SITES be fixed ?? ...

http://www.boonex.com/unity/forums/#topic/module-SITES.htm
houstonlively
WTF does that have to do with THIS topic?
i felt being naughty ..
houstonlively
Good enough.... carry on then.
It is absolutely f****** ridiculous that they think they will land themselves 10 grand. Yet I am not in any way surprised any more.

I see on one of the sites I recently took over, the amount of scamming is absolutely amazing. One could not fathom the ongoing efforts these people make; ESPECIALLY from Nigeria. But its corrupt companies that are the problem. Companies such as these pay sites, or in the case of the website I refer to, VLD which is a RUBBISH platform for poor souls wanting to build see more a dating site. Personally I was horrified that the previous owner of the site went with such a poor and limited software. But beyond the low quality of the platform, I have never seen such a bug infested software before. It has encrypted coding that allows these Nigerian scammers to send hundreds of email in seconds. Yet the admin, cannot actually perform the same actions or alter the locked code. It is as if they designed it themselves. Similarly, users with banned IP addresses still manage to return and spam/scam. I mean you should see the sick twisted emails they send to lonely blokes/gals around the world with promises of enduring love. Can you believe i have to monitor them all (unlike previous owner) and actually contact people to save them from being so gullible. Yet my time is precious and enough is enough...

...and of course, this is why I am here, rebuilding the entire site with Boonex and so far, I am extremely HAPPY with the quality of the software and the extent of the instructions at hand... I look forward to finishing so I can migrate my members, have a great site and be done with the VLD curse that I inherited!

Much appreciation to the Boonex team.
praveenkv1988
You should contact the IP provider at (abuse@chinaunicom.cn). They will be able to do the best.

Not sure whether this will work in China. If its USA, I am sure, this would work.

I think in China, you will hardly get any response from them because most of their IPs are already in SPAM blacklist. Also, they will have dynamic ip allocation.
annabel
I also had scammers from Nigeria, but people cannot create a profile on my site unless I approve and activate. Besides that, my site is only in Dutch and those people speak (very bad) English. So I track them before they can even get on my site and I reject their profiles.
silverado350
Because this is an attack directed at a server in the United States , I believe it could be considered an act of terrorism against the U.S and there for it should be an F.B.I. matter. Definitely contact them.
Andrew Boon
Sorry about a long silence. We had to deal with the traffic and soem issues with blocked users. We have already filed some reports and will continue pursuing. Thank you for everyone's advice and patience.
elsweb
Interesting, I have just now been able to pull up your site. I tried until the wee hours of the morning on the pacific coast of usa. I have only just now been able to access your site. I kept getting a message that your server was taking to long to respond. I hope all is resolved now. I know it isn't your fault for this happening, but it is very frustrating while trying to access information for the development of my site(s).

I do hope you don't suffer further attacks and that your server is able see more to be better secured.
danielmarseille
I like the Please ...
you are polite people - all is not lost to you - please change activity
Adminmysite
How crazy would that be if we find out it's one of unity's pissed off members doing this /:
theguypc
How lame.

I wonder if someone didn't see the attack and just think they could make money - having nothing to do with actually causing it. Anyone can see when Boonex is under attack and send something like this out. When the Lindbergh baby was kidnapped many years ago in the U.S. he received all kinds of ransom notes from people that had nothing to do with it.

I hope you track whoever this is down. It's a sick, twisted world we live in isn't it?
Nathan Paton
I hate people who try to profit off the hard work of others.
Andrew Boon
Looks like Wordpress.com had a similar attack, only about 10 times bigger. Took them down for a while.
tomakali
Call John Rambo or Iron Man
maybe i need a nuke to end those shitty noodle brains...
tomakali
Release 7.1 soon
We love Boonex who fights!!!
richmanfl
See Andrew, that is what happens when you eat Chinese... and don't read your fortune cookie!

I have detailed the outlines of the attack and also the details regarding the extortion issue in a detailed report to the FBI, and it has been taken up by a team who are investigating. Hopefully they will still be working after the Govt shuts it's doors next week.
theguypc
It makes so much sense to attack open source script sites.

Anyone who thinks hackers have any basis in social justice is kidding themselves.
Nathan Paton
I think you're confusing white hats, black hats, and a guy from China with one another.
rickyricky
I don't understand, do people like these attackers not have anything better to do with their pitiful lives!? Recently my roomates Facebook account was hacked and get this......the hacker emailed him and asked him for 1500 dollars to leave it alone!!! If my site is ever attacked in such a way, I'll be screwed, 'cause I won't have a clue what do to!! I have my site set on approval before anyone can get in, but these days that doesn't seem to mean too much. I'm so sorry about this attack on Boonex see more 'cause I LOVE this company! I hope it's all good now.
Nathan Paton
It's not too hard to automate these kind of things, or do things manually to the point where you can just step out and grab a sandwich.
nikoma
Is this some sort of envy on Boonex or just simple criminals, trying to get real money?
Nathan Paton
I accidentally Li's Dolphin.
BeWytched
I have started keeping logs of all spammers that come to my site including their username, email address and IP. Search for them on www.stopforumspam.com where I found the person had a ton of accounts using different names but same IP. My chat rooms which are hosted in China also too a severe DDOS Attack from the end of February until about the third week of March. Our chat had to change servers three times as they got in there too. I vote that boonex have a forum set up to report our spammers see more so we can all be aware. If boonex chooses not to do that, there are a ton of sites which will post the info including all my sites. The spammers seem to come from China and India for the most part and try to get into all my dolphin sites, even being dumb enough to use the same name and email. Good luck with the legal case and I hope you snag these deadbeats who have nothing to do with their lives than to attack websites. Bet they were bullies on the play ground too.
We get attacked constantly. We have had to invest in a Riorey DDOS firewall. The units about 3k and then supports about a 1k a year.

Our last attack about a month ago was quite sophisticated

If your interested here is their report which shows the length these arses go to
########################

RioRey assisted #### to mitigate a DDoS attack around the time period of #### through ###, 2011. This attack is technically interesting because it is the first observed event of a new HTTP attack see more variant. In this report we will be using the RioRey DDoS Taxonomy to classify the attack.

The attack can be decomposed into two parts:
a) standard SYN floods (type 1) using non spoofed source IP
b) modified HTTP Excessive Verb (type 11) attack

Approximately 10,000 bots were used in this attack, however, the modified Excessive Verb attack was skillfully done that made initial identifications difficult.

Part a, SYN flood:

The SYN flood used were predominately bots with Latin American IP addresses. These bots would repeatedly send SYNs in bursts, then pause, and repeat. Most of the Bots when active was sending several hundred SYNs per minute, but some were running around 50 SYNs per minute, which are close to normal activity levels for a graphics intensive page.

These SYN attackers were easily identified and blocked, and it is interesting to note that a few of these Bots continues to attack for several days even though they have been blocked and rendered ineffective. We speculate that the bot controller has either lost control of these bots or lost interest in managing the attack at the end.
Part b, HTTP excessive Verb attack:

In this attack, the attacker is using a new code that generates GET attacks to more than one victim pages. Attached, is a pcap file: type_11_attack_signature.pcap which captures attack packet sample from these bots.

When you open this file and sort the packets based on Source IP, you will see that the attackers programmed the bots to visit 3 pages, repeatedly and in random sequences. In addition, most bots also varies their User Agent and Country/Language see more codes, making detection of these bots much more difficult. Fortunately, we were able to train our device to recognize these variations and successfully mitigate the attack.
Nokao
I fear that's only the beginning.

China is starting to colonize Europe (after Africa and South America).

They never die (they give the dying chinese people paperworks to another person)
They don't respect any law.
They don't buy anything from non-chinese people.
And they have infinite amounts of money thanks to brotherhood-mafia pacts.

We'll see worse in the future.
Nokao
No I'm not.

I had a Chinese girlfriend and I love their culture,
but unfortunately, politically they are selfishing using money and every rule we invented to conquer us without doing a war.
I live in Venice and a house here costs like 5 million dollars. Sometimes they came, with boxes of cash, and they just buy. And that's happening in every strategically useful city in Europe.
First commercial-money-gaining structures, and second our industry.

That dos attack for me is the same, they can see more do it because there is no law (except martial) in their country, so they do so if that's a plus.
theguypc
Huh. And here I was sure it was the Martians.

Can I dispense with this tin foil hat now? Have the death rays finally stopped and been replaced with chow mein noodles? :P
Nathan Paton
Don't laugh, that's how my goldfish died.
elcentcom
The fist time, a couple of hours ago, when I checked the IP it was an Indian(Delhi) IP address showing on top at http://whois.domaintools.com/122.156.234.148 document which now has changed. Information below was the same as it is now.

Someone's playing nasty I guess and even access the ICANN data perhaps.

But Indian hackers possible?

The part below was showing India and Delhi

**** IP Location: China Harbin China Unicom Heilongjiang Province Network
ASN: AS4837
IP Address: 122.156.234.148 see more ****
gondwana
Think I'll start carving spears from stone in preparation for the nth world war
theguypc
@Magnussoft - you should have known better. You aren't supposed to feed goldfish chowmein noodles, or force them to wear tin foil hats. You will end up with rusty little fish corpses every single time. ........or was it the death rays? No advice for you if that's the case since not much can be done without the ability to wear the tinfoil hat.
Ignorant??? No, just plain bloody dumb and stupid, im surprised they managed to sent an email!!!! Idiots!!!
Nathan Paton
To be fair, even my dead goldfish can send emails, though they're mainly forwards of jokes and pictures of cats with various captions.
slix
Does the payment provider accept visa or mastercard? If so contact visa & mastercard about this, and report the payment company to them! The chinese government won't give a dam. China is becoming a problem. If their business is not valuable to you, you can block chinese traffic to your site simply by using geo targeted blocks.
Kingphish
Liberty Reserve is located in San Jose, Costa Rico. Any members of Unity from Costa Rico? This may be a money laundering issue and Costa Rico has money laundering laws. You may want to reach out to them.
Kingphish
Who is Boonex's compliance officer? They should be contacting LibertyReserve about this incident and the LR Account number to LibertyReserve that the account is being used in the commission of a crime (i.e., cyber attack, extortion and money laundering). You 'may' also need counsel (attorney) in Costa Rico if you don't already have someone representing Boonex.

Let me know, if you need additional help.

Also, don't respond with no. I'd keep them going asking for more time to get the money to see more them.
 
 
Below is the legacy version of the Boonex site, maintained for Dolphin.Pro 7.x support.
The new Dolphin solution is powered by UNA Community Management System.
PET:0.19455313682556