Wednesday, September 16, 2009

Unraveling A "Work-From-Home" Twitter Scam/Spam

If you're on teh Twitter like I am (@RafalLos) you've without a doubt noticed you're being followed (twit-stalked?) by one of those bots.

You know what I'm talking about. They follow you, sit silent until one day the @ you with some link they hope you follow, or re-tweet something someone-else says, and insert a link they want you to go to. Honestly, I wonder how many people fall for these things. I guess enough so that they keep doing it, right?

Anyway, this one (shown above) particularly annoyed me because I looked up this account's history and and what I found wasn't really revalation, but it was interesting. Each hour, via the Twitter API (so you know it's a script running somewhere), this bot would @ between 3-4 people with the same message I got above. As of the writing of this post, this account was still active, and had 0 friends, 0 followers, and 19 tweets -all of which were the above link. A quick search for "Google hiring" brought up 30 other bots that are tweeting and re-tweeting this same message, but some with obfuscated (shortened/hidden) URLs.

I was intrigued, and chose to look into this more. What followed was a twisting, winding road to a place many of us have seen before, from a phantom company selling you the "work from home to be a millionaire" dream.

First, a "wget" yielded:
--2009-09-16 21:56:02--
Connecting to||:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily Location: /?3d7fa980 [following]
--2009-09-16 21:56:02--
Connecting to||:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily Location: / [following]
--2009-09-16 21:56:02--
Connecting to||:80... connected.
HTTP request sent, awaiting response... 302 Found Location: [following]
--2009-09-16 21:56:03--
Reusing existing connection to
HTTP request sent, awaiting response... 200 OK
Length: 783 [text/html]
Saving to: `index.html'
I found the part I highlighted in red above interesting, because it only showed up like that the first time I hit the site from my machine. Subsequent tries would simply net me the single-redirect to the www.ajobwithgoogle page. So that was interesting and a little more digging (with the help of some Twitter friends) showed the site is very careful about how it does redirects and keeps track of people. The first time you hit the site you get that 3-step redirect loop which hands you a "key" (/?3d7fa980) in my example. Every other time you hit the site after that (as you can see by the redirect, you are simply 302-redirected to the ajobwithgoogle site... interesting!

The page you're redirected to is nothing short of an obvious fraud ploy. It's one of those "Use Google to make millions working from home" pages that they hope you fall for. This farse even had a bunch of fake comments added to the "article" to make it look a lot more legitimate than it would at first-glance! All links on that page, point you to this horribly inviting page (but shady as crap) on{some affiliate IDs here}. OK, obviously this "Search 4 Profit, LLC" must be legitimate, right? I mean, it says "As Seen on: ABC, CNBC, CNN"... what they don't say is that this site (and off-shoots of it) were actually seen on these news outlets... but as a story about fraud!

There are even "Terms", "Refunds" and "Privacy Policy" links on the bottom of the page to help you feel better about this site, and what it's selling... but check this out, because someone didn't pay attention in Web Dev 101.

The "Terms" page... read carefully
How it Works! By clicking "Rush My Order" I am agreeing to receive GoogleFortune for a 7-day bonus period for $1.97 billed to my credit Card(please allow 5 days for the shipping process and 2 days to try the product). If you enjoy GoogleFortune, simply do nothing. On the 7th day my credit card will automatically be charged $69.97 and every month, thereafter, unless I cancel by calling 1-877-361-8622 M - F, 8am-7pm PST. No Hassle, Cancel Anytime!Product is fully refundable within 30 days of purchase. Customer's cancelling within their billing period will be fully refunded upon request. I also agree to the 14 day and 21 day bonus trials to Grant Members Site� (1-877-495-1145) and Network Agenda� (1-800-418-9320) for $19.95 a month and $9.95 a month thereafter, the trial will begin the day I accept these terms, should I choose not to cancel. For refunds please contact customer support at 1-877-361-8622 M - F, 8am-7pm PST, GoogleFortune only. Please note the following terms and conditions you accept when ordering from us: i. Prices are subject to change without notice. We reserve the right to correct typographical and printing errors. We have done our best to ensure that all information is accurate and up-to-date. Errors and omissions occasionally occur and are subject to correction. We apologize for any inconvenience this may cause. We will notify you via e-mail of your refund once we have received and processed. You can expect a full refund in the same form of payment you used to make your purchase within 7 to 14 business days from calling to request the refund, depending on your financial institution."
Whoa! If you don't read that carefully you'll not realize that you're being signed up for 2 more services at a BIG cost to you each month! Let's call some phone numbers!

The GoogleFortune number is answered by a sweet female voice "Thank you for calling customer service"... she proceeds to tell you the hours, and when it's best to call (Wed-Fri) and then asks for your patience, and hangs up. Nice.

Grant's Members Site is a site that purports to be by one Dr. John Porter who has devoted his life to helping ordinary Americans get tax-free cash from the government. Wait... wasn't there some fool on TV a few years ago running our with a suit of question marks selling a book like this?! And I'm going to give him $19.95 a month... why?! The 877 phone number at this place doesn't get picked up by anything... just dead air. If you call during business hours, you get someone who will eventually pick up, but makes it very, very difficult to "get a refund" or "resign from their service"...

The other site "NetworkAgenda" sells virtual office software which does amazing things like a web calendar, webmail, virtual time-card, and many other awesome features that require you to give them money for... all of which are available via Google or any other legit provider free of charge. Sweet. The phone number here is picked up by a machine that identifies the company properly and asks you to call within business hours. When I did... I got someone who was clear on a VOIP system because they were breaking up like crazy - but she was kind enough to take my information down and told me someone would get back to me... I'm still waiting patiently.

The "Privacy Policy" on the main site was an absolute joke... the pinnacle of which was this:
So they're basically saying anything you give them they can resell/transfer to anyone they want and you can't do anything about it... unless you call them and instruct them not to...hah!

Their "Refunds" page (which was a copy/paste of the Terms & Conditions page because someone forgot to change the page header) basically says they'll refund you... if you call them within 30 days. Calling them within business hours and asking some questions yielded a lot of hold time... then the person I talked to said they could not disclose any information about the company aside from the non-existant physical street address. They won't answer questions, they won't really talk to you except put you on a long, long hold repeatedly... as expected.

Curious where 7614 Arvilla Ave, Sun Valley CA is? Check out this Google Maps link... which is basically a large industrial lot... so unless they're into construction there is no company there. Oh, and this is actually Burbank and not Sun Valley...

It was time to do a little digging on the domain and IPs. First off, a traceroute to the IP address never made it to the destination... shocking.

That's when I ran into this site, Blog... which is intensely comprehensive in outlining the fraud that someone here is running, and connecting the dots between shadow corporations and SelfProfitsMadeEasy down to Raven Media, Inc. I suggest you go read that blog post because there is some very serious investment in time, energy, and smoke here... but again, the only reason it's up is because some schmuck somewhere keeps paying them.

No comments: