[asterisk-biz] Fraud. (here we go again)

emist emistz at gmail.com
Mon Aug 18 19:18:47 CDT 2008 

I agree with Steve theres definitely the possibility of them using
compromised systems, in which case it will be almost impossible to know
in advance.

If I recall correctly there used to be decent money to be made in this
kind of business as well as in the renting of botnets to perform DDOS a
while back. Storm comes to mind, although I'm not sure what has become
of the rbn since then.



Steve Totaro wrote:
> I think it is less of known proxy, sysadmin, or misconfigured machine
> issue and more of a compromised system, zombie issue.
> 
> I know last Tuesday was a HUGE M$ "patch Tuesday", not sure if any of
> those exploits could be used for proxy or port redirection but if not
> directly, they can probably be used to open a hole big enough to drive
> a truck into let alone remote execution of a little bit of code to
> insert such a hidden service.
> 
> http://news.cnet.com/8301-1009_3-10015517-83.html?hhTest=1&part=rss&subj=news&tag=2547-1_3-0-20
> 
> Not to mention all the bootleg copies of Windows that will not be able
> to update and those that just won't bother.
> 
> We are not even talking about Malware, worms, or viruses here which is
> what most people fear and feel "protected", even allowing their emails
> to append some nonsense about being "scanned and virus free".  So was
> Subseven or basically any new virus at zero hour.
> 
> http://blog.wired.com/27bstroke6/2008/04/zombie-computer.html
> 
> Anyways, on to how to combat it.  I think the only real way is to have
> human intervention.  A phone call to speak with the card holder would
> probably cut it back drastically.
> 
> I think it was Gafachi that sent me a credit card authorization form
> via snail mail which I thought was strange at the time but obviously
> prudent with rampant fraud.  This way they verify the mailing address
> to some degree, get a signature, and have some paper trail.  While it
> could still be fraudulent, I think most would be eliminated.  There
> are easier targets and with the explanation about fighting fraud along
> with the snail mail authorization form, I would totally understand.
> 
> Thanks,
> Steve Totaro
> 
> On Mon, Aug 18, 2008 at 6:52 PM, Nitzan Kon <nk3569 at yahoo.com> wrote:
>> Thanks for the reply Igor. :)
>>
>> I googled a little bit, and I don't see keeping lists as a viable
>> option. There is basically an infinite number of proxies out there
>> so it is impossible to block them all until after the fact. :(
>>
>> What I am going to try, is write something inside my payment
>> modules to try and connect to common proxy ports on the REMOTE_ADDR,
>> and if was able to connect to say port 80 - make a note on the IP
>> address that it is most likely a proxy.
>>
>> The code is pretty simple, but the side effect is a delay in serving
>> the page while the ports are being tried. I set it to a timeout of 1
>> second for each port to avoid this as much as possible, but we'll see
>> how well this works...
>>
>> Also, it is possible that some proxies use non-common ports, or
>> are not open to the public, in which case this approach will fail.
>>
>> I'll let you all know the results after we tested it for a while...
>>
>> Thanks,
>>
>>  -- Nitzan
>>
>> --- On Mon, 8/18/08, emist <emistz at gmail.com> wrote:
>>
>>> From: emist <emistz at gmail.com>
>>> Subject: Re: [asterisk-biz] Fraud. (here we go again)
>>> To: nk3569 at yahoo.com, "Commercial and Business-Oriented Asterisk Discussion" <asterisk-biz at lists.digium.com>
>>> Date: Monday, August 18, 2008, 6:06 PM
>>> Hello Nitzan,
>>>
>>> As to how they do it its not very hard to proxy http
>>> requests(or any
>>> other request for that matter). There are plenty of
>>> publicly available
>>> proxy servers as well as servers that aren't intended
>>> to be used by the
>>> public but due to the sys-admin's misconfiguration they
>>> are open to the
>>> outside world. Most modern browsers can be configured to
>>> use proxy
>>> servers directly and tools exist such as proxychains that
>>> let you proxy
>>> pretty much any type of traffic through socks proxies.
>>>
>>> As to how to stop it...thats sort of a hard question. Maybe
>>> you could
>>> find sites with public proxy listings and write a script to
>>> flag any
>>> deposits made from any of the ips listed, but this
>>> won't help against
>>> non-publicly disclosed proxies.
>>>
>>> Regards,
>>>
>>> Igor H.
>>>
>>> Nitzan Kon wrote:
>>>> Hi list! :)
>>>>
>>>> We've got hit with a guy in Vietnam who's
>>> creating accounts with
>>>> stolen American credit cards. Usually they are really
>>> easy to stop,
>>>> but this guy is matching the IP address to the credit
>>> card address.
>>>> Anyone knows how they do that? I am 100% sure they are
>>> located in
>>>> Vietnam as their SIP IP address is 222.252.42.118. So
>>> somehow they
>>>> go through a proxy or something to fake the IP
>>> location. Any idea
>>>> how they do that - and more importantly - how to stop
>>> that on a
>>>> systematic level?
>>>>
>>>> Thanks!
>>>>
>>>> --
>>>> Nitzan Kon, CEO
>>>> Future Nine Corporation
>>>> www.future-nine.com
>>>>
>>>> _______________________________________________
>>>> --Bandwidth and Colocation Provided by
>>> http://www.api-digital.com--
>>>> AstriCon 2008 - September 22 - 25 Phoenix, Arizona
>>>> Register Now: http://www.astricon.net
>>>>
>>>> asterisk-biz mailing list
>>>> To UNSUBSCRIBE or update options visit:
>>>>
>>> http://lists.digium.com/mailman/listinfo/asterisk-biz
>> _______________________________________________
>> --Bandwidth and Colocation Provided by http://www.api-digital.com--
>>
>> AstriCon 2008 - September 22 - 25 Phoenix, Arizona
>> Register Now: http://www.astricon.net
>>
>> asterisk-biz mailing list
>> To UNSUBSCRIBE or update options visit:
>>   http://lists.digium.com/mailman/listinfo/asterisk-biz
>>
> 
> _______________________________________________
> --Bandwidth and Colocation Provided by http://www.api-digital.com--
> 
> AstriCon 2008 - September 22 - 25 Phoenix, Arizona
> Register Now: http://www.astricon.net
> 
> asterisk-biz mailing list
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-biz
>

More information about the asterisk-biz mailing list