Tuesday, May 27, 2008

SlickCams and SlickCash: Webcam Spammers and Lying Liars

If you have a hotmail account, it's highly likely that at one point or another you have received email that looks something like these:

Hey whats up? my name is Natalie i was just surfing the net and came accross your profile..
i was wondering if you might like to chat my MSN is slimnatalie1@hotmail.com
hit me up i would love to chat with you

Natalie


hey there I found your pic online I think your pretty hot add me to msn messgner to chat upnatalie8@hotmail.com


Hi I saw Your Profile Online I wanted to chat with you add me to your msn messanger to chat I'll be waiting!!

my msn addy is janerealhot2@hotmail.com


More recently, these messages don't even contain any text at all, instead attaching an image (in bmp format, how very 1994 of them) which features a scantily clad woman's torso and (again, always) a hotmail or livemail address. I've included an example here.

Ignoring, for the moment, the inanity of these messages ("came across your profile.."?! Really. Where?) the focus of this type of spam is to get hotmail users to start a chat with this account.

Doing so produces the following results, literally every single time.


[SiL] says:
s

jane24hot says:
hey, A/S/L?

[SiL] says:
ds

jane24hot says:
hey whats up babe, U got a webcam? finally someone adds me, I am soo fuckin horny today for some reason lol

[SiL] says:
fd

jane24hot says:
listen hun, I'm just about to start my webcam show with jen, come chat me there in my chat room? We can cyber, I'll get naked if u do..lol!

[SiL] says:
gf

[SiL] says:
hg

jane24hot says:
I can show u how to watch if u promise not to tell anyone else how to do it???PLEASE

[SiL] says:
jh

[SiL] says:
kj

jane24hot says:
well since its the law that u gotta be 18 (nudity involved), u have to sign up with a credit card for age verification! BUT.. Once you are inside, just clikc on "Webcams" let me know what name you use to sign in with so I know it's you babe! http://jane2hot.thegirlsathome.com/ fill out the bottom of the page then fill out the next page as well and u can see me live!

[SiL] says:
;l

jane24hot says:
Please dont mention anything about that in the chatroom once u get in ok?

[SiL] says:
wq

[SiL] says:
re

[SiL] says:
tr

jane24hot says:
OH SHIT.. k I'm late to start my show, I gotta get off msn...I'll see ya inside my chatroom babe.. remember not to mention that I am upgrading u... You can use your msn name to sign in so i know it's you..


So there's the bait: jane2hot.thegirlsathome.com

Notice that at no point does "Jane" ever ask why I'm not even speaking in complete words, let alone sentences. That's because (as you might have guessed) "Jane" is actually an automated MSN bot, probably of the PHP variety. There are several of these on the market and all of them are very easy to implement.

Anyway. Continuing on, if we visit that site we are presented with a page entitled "Jane ON WEBCAM" featuring photos of a girl in various stages of undress and the following at the top of the page:

I am probably the horniest girl you will ever meet :)
Cum see how naughty I can be ;)


All photos on that page, and all other links, point to:

http://sp.slickcams.com/track/[19-character tracking code]/signup

That page looks like this:



So now we have a direct connection between this Hotmail-initiated spam, leading to MSN abuse, leading to an attempt to gain a signup to the site "SlickCams."

If you attempt to visit the root spammed domain on its own [thegirlsathome.com], you're met with a username and password prompt for "Website Administrator Access". Clearly they only want the spamvertised subdomain to be the ones that get visited.

At the bottom of that page are two rather ridiculous claims:

YOUR PRIVACY IS IMPORTANT TO US
YOUR INFORMATION IS NEVER DISCLOSED TO ANY THIRD PARTY

SlickCams is available to adults age 18 years and older.
By clicking the "Submit My Information" button you affirm that you are at least 18 years of age.


That's interesting because: the addresses I monitor which continually receive spam promoting these sites have never been used, ever, for anything. No permission has ever been given to anyone to receive adult-oriented content, and at no point have these addresses been shared with anyone.

If they're so concerned about my privacy, how did they get my addresses?

If they're so concerned about only "adults age 18 years and older" viewing this content, why were these email addresses spammed?

As usual with illegal spammers: it's all lies. There is no "Jane". There is no concern for anyone's privacy, and they clearly don't care whether five year olds are receiving this spam. They're liars through and through.

Until very recently, the affiliate program behind SlickCams was named SlickCash. I notice in recent weeks, however, that the program has suddenly shifted to SexPromote. [sexpromote.com] SlickCash is still active, but it's unclear whether they still handle promotions for the SlicCams websites or not, or what the relationship is between SlickCash and SexPromote.

At the bottom of the SexPromote affiliate signup page is the following claim:

By submitting this application, you agree to the Terms and Conditions. You also agree to abide by our Spam Policy. Slick Cash has a ZERO tolarance policy against unsolicited email marketing.


You can read their alleged "anti-spam policy" here, although as mentioned above: clearly they don't enforce it in any way at all. I've been receiving these spam messages going on three years now, and via numerous email accounts I've been complaining directly to SlickCams about it. I have never, not once, received a single reply from anyone at SlickCash, and the spam never abates. I receive at least one a week to numerous accounts, all of which I never used to sign up to anything, ever.

So: Am I wasting my time? If you're the spammer behind these bullshit messages your first answer will be "yes." :)

However, it's worth noting that law enforcement members have certainly begun to take an interest in this affiliate group, probably in large part due to a lawsuit initiated in December, 2008 against SlickCash on behalf of Facebook. (You can read about that here and here.) Essentially the suit claims that SlickCash servers attempted to access Facebook some 200,000 times in an attempt to divert users to their websites. They're only seeking damages of $5,000 which seems pretty paltry, considering the other widespread abuse this company is engaged in. They're calling this activity "hacking". It's a bit of a weird suit. They name SlickCash and several John Does, both individuals and corporations. You can download the court papers here [pdf]. This makes further clear how difficult it has been to discover the actual human beings behind this abuse.

A further link (here) goes into much further detail of precisely how far back this complaint has been going on, and its current status, and represents a veritable goldmine of information on this operation. I'll save you some reading: on April 30th, 2008, a permanent injunction was signed by a judge against the following companies and individuals:

Istra Holdings
1564476 Ontario Limited
Brian Fabian
Josh Raskin
Ming Wu

The charges are violations of the California comprehensive computer data access and fraud act and the computer fraud and abuse act.

This lawsuit represents further evidence that the mailers behind SlickCams don't care how many systems or services they abuse. They've also recently begun spamming from MySpace accounts using similar vectors: the MySpace profiles feature an MSN account, which, if you chat with it, leads to the exact same trail. More recently the spam from MySpace skips the whole "view my profile" portion and just includes yet another hotmail account:

janey is a member of MySpace and is inviting you to join.

janey says:

hi i saw your on that site (youre cute!) may be can talk sometime on windowslivemessenger my name there is jane21gstring@hotmail.com add me! thanks Jane


More lies, of course. None of my email accounts are registered at MySpace either.

All attempts to communicate with the operators of SlickCams have proven fruitless. Attempting to identify just where they're located is similarly difficult, but not impossible. (As with all illegal spam operations, several shell companies have been created in an attempt to distance the guilty parties from the illegal activity.)

The trail goes something like this:

SlickCams
SlickCash affiliate program

And then:

Istra Holdings
1564476 Ontario Limited

Attempts to discover the actual physical location of these companies was pretty slow going, but I happened to discover a few things on my own which were mirrored in some investigations dating back to June, 2005. That further ties SlickCash with more serious charges of botnet operation and attempts to infect users. It's definitely well-researched, but no followup is listed anywhere.

A porn affiliate site known as "GreenGuyAndJim" has a page (located here) which clarifies which company is for which program. You can see that line #4 of that list directly states that 1564476 Ontario Limited is a front for SlickCash.

1564476 Ontario Limited is located at a post office box:

Manulife Building Postal Outlet
55 Bloor St W
P.O. Box 19647
Toronto ON
M4W 3T9


So obviously no actual individuals would be located there.

Istra Holdings claims to be located at 48 Hayden Street, Toronto. Interestingly, Yahoo Canada lists that company as being an "Investment Bank" (here.)

Several of their domains (notably WebVoyeur.com and cupidcams.com) linked SlickCash to a company named "Turvill Consultants Limited Scarborough Ontario CA #422"

That "company's" address is located here:

265 Port Union Rd
Suite 15525
Scarborough, Ontario M1C 2L3
CA
416-536-6020


This is already a pretty lengthy runaround to conceal the actual owners and operators of this operation, don't you think? This only furthers the suspicion that these people are very well aware that they are operating illegally.

But let's return to that 2005 investigation. It lists the following further companies, one of whose addresses turned out to be an accurate location of their affiliate managers' offices


OKB Offers
701 Rossland Rd East Suite 323
Whitby, Ontario L1N 9K3
CA
1-403-770-8348

Turvill Consultants - NARD
265 Port Union Rd
Suite 15525
Scarborough, Ontario M1C 2L3
CA
416-536-6020

Parsons, Greg
Baltic Consultants
77 Mowat Ave.
St. 300
Toronto
Ontario
CA
M6K3E3
Phone: +1.4165366020


That led me to this posting on "sponsorchat", dating from May, 2007:

"We take pride in the fact that our affiliates have access to the most advanced free hosting available," said Greg Parsons, owner of Slick Cash. "This great partnership with Revshare Hosting is just another example of how we keep our affiliates at the very top of our priority list."


Aha. Greg Parsons, "owner" of Slick Cash.

I asked several colleagues to investigate that address, and they confirmed a few things for me:


  1. That building is in a neighborhood in Toronto which was nicknamed by NBC's Dateline as "Porn Alley" in an August, 2005 report. (That story is unrelated to Slick Cash, but that's still an important detail to be aware of.)

  2. 77 Mowat is in an office building which is part of what is called the Toronto Carpet Factory. It houses several marketing companies who represent large-scale corporate entities (who I will not name here.) But it also houses one or more adult-oriented and online casino operations.



This definitely seems to be leading to the right path. It may not be, but I'm continuing to investigate.

Greg Parsons and Baltic Consultants are the "Administrative Contact" for several domains, with the "Billing Contact" for the same domains being Turvill Consultants, in Scarborough.

This investigation is far from complete, but at least now we all have a very clear idea of who to blame for this scourge of unwanted fake webcam spam.

Of course attempting to investigate the domain that I was spammed with (thegirlsathome.com) now shows that they want to further cover their tracks:

Administrative Contact:
WhoisGuard
WhoisGuard Protected (29953497834249eaaa616643009f7189.protect@whoisguard.com)
+1.6613102107
Fax: +1.6613102107
8939 S. Sepulveda Blvd. #110 - 732
Westchester, CA 90045
US


SexPromote has been in business for a while and may have only recently taken on the affiliate operations for the SlickCams websites. As I mentioned earlier, that relationship is not as well known. They don't list SlickCams anywhere on their list of sites. (Neither did SlickCash, by the way.) However both sites do list a handful of the same sites, so it's definitely a possibility that the two are fronts for the same operation. I decided to check that out:

Domain Name: SEXPROMOTE.COM

...

Administrative Contact [12257]:
Turvill Consultants dnsadmin@adulporn.com
Turvill Consultants
265 Port Union Rd.
15525
Scarborough
Ontario
M1C4Z7
CA
Phone: +1.4165366020


Surprise surprise...

One last note: their dns servers:

Domain servers in listed order:

NS1.FLYINGCROC.NET
NS2.FLYINGCROC.NET

Record created on: 1998-08-26 00:00:00.0
Database last updated on: 2007-03-22 03:46:49.68
Domain Expires on: 2008-08-25 00:00:00.0


That's a Seattle-based web hosting company. I had seen previous complaints online regarding Flying Croc somehow being responsible for this spam. I don't believe that to be the case. Their reputation as a legitimate hosting company, however, would have to be suspect since they are supporting and aiding a known illegal spam operation.

More as I get it.

SiL / IKS / concerned citizen

P.S. This posting was started months ago, but I received inspiration from a fellow blogger who was also investigating this operation: matchent.com. I am clearly not the only one attempting to get this operation to take responsibility for its continued widespread abuses.

12 comments:

Anonymous said...

Haha, great! I'm not alone ^.^
Gonzo Hi, who is this? :P
Christi hey, Age/Sex/Location? :)
Gonzo so who are you?
Christi hey whats up babe, U got a webcam? finally someone adds me, I am soo fuckin horny today for some reason lol
Gonzo :/
Christi listen hun, I am just about to start my webcam show with jen, come chat me there in my chat room? We can cyber, I will get naked if u do..lol!
Gonzo ...
Christi I can show u how to watch if u promise not to tell anyone else how to do it???PLEASE:-$
Gonzo auto
Christi well since its the law that u gotta be 18 (nudity involved), u have to sign up with a credit card for age verification! BUT.. Once you are inside, just clikc on "Webcams" let me know what name you use to sign in with so I know it is you babe! http://jane2hot.lovelocalgirls.com/ fill out the bottom of the page then fill out the next page as well and u can see me live!
Gonzo generated
Christi Please dont mention anything about that in the chatroom once u get in ok?:-$
Gonzo response
Christi OH SHIT.. k I am late to start my show, I gotta get off msn...I will see ya inside my chatroom babe.. remember not to mention that I am upgrading u... You can use your msn name to sign in so i know it is you..
Gonzo k bai
Christi AUTO-RESPONSE: hey just in the middle of my webcam show if you want to watch click the link http://jane2hot.lovelocalgirls.com/

IKillSpammerz said...

> Haha, great! I'm not alone ^.^

Far from it. They spam hundreds of thousands of individuals as often as they possibly can. They don't care if the recipient is a six year old. They're utter scum.

SiL

Angel said...

This happened to me too, but id did'n received an email asking me to add a contact. The msn bot just added me:

Eula: hey, A/S/L?:)

Freak On A L: quién eres?

Eula: hey whats up babe, U got a webcam? finally
someone adds me, I am soo fuckin horny today for some
reason lol

Freak On A L: i don't have a webcam

Eula: AUTO-RESPONSE: hey just in the middle of my
webcam show if you want to watch click the link
http://jane2hot.lovelocalgirls.com/

Freak On A L: why did you added me???
Freak On A L: do you have a webcam?
Freak On A L: still there?
Eula ha cerrado sesión

IKillSpammerz said...

This is unsurprising.

Make a point of reporting the abusive MSN bot addresses to all four of the following addresses, it's the only way to ensure that they shut them down:

report_spam [at] hotmail [dot] com
report_spam [at] msn [dot] com
abuse [at] msn [dot] com
abuse [at] hotmail [dot] com

Refer them to this blog entry. Mention that this is an illegally-operating "company" which is already the subject of a lawsuit on behalf of Facebook.

These assholes need to be taught a lesson. They've been doing this for three years at the very least.

SiL / IKS / concerned citizen

karen said...

(#)taiyou(#) hallo

Kathrine hey, A/S/L?:)

(#)taiyou(#) you added me so :| who are you?

Kathrine hey whats up babe, U got a webcam? finally someone adds me, I am soo fuckin horny today for some reason lol

(#)taiyou(#) where did you get my addy from?

Kathrine listen hun, I am just about to start my webcam show with jen, come chat me there in my chat room? We can cyber, I will get naked if u do..lol!

(#)taiyou(#) i first wanna know where you got my msnaddress from

Kathrine I can show u how to watch if u promise not to tell anyone else how to do it???PLEASE:-$

(#)taiyou(#) tell me

Kathrine well since its the law that u gotta be 18 (nudity involved), u have to sign up with a credit card for age verification! BUT.. Once you are inside, just clikc on "Webcams" let me know what name you use to sign in with so I know it is you babe! http://www.lovelocalgirls.com/janefun fill out the bottom of the page then fill out the next page as well and u can see me live!
29/08/2008 15:37:22 (#)taiyou(#) Kathrine are you actually reading what i say?
29/08/2008 15:37:25 Kathrine (#)taiyou(#) Please dont mention anything about that in the chatroom once u get in ok?:-$
29/08/2008 15:37:47 (#)taiyou(#) Kathrine taiyou zegt: i first wanna know where you got my msnaddress from
29/08/2008 15:37:51 Kathrine (#)taiyou(#) OH SHIT.. k I am late to start my show, I gotta get off msn...I will see ya inside my chatroom babe.. remember not to mention that I am upgrading u... You can use your msn name to sign in so i know it is you..
29/08/2008 15:37:57 (#)taiyou(#) Kathrine taiyou zegt: i first wanna know where you got my msnaddress from
29/08/2008 15:37:59 (#)taiyou(#) Kathrine taiyou zegt: i first wanna know where you got my msnaddress from
29/08/2008 15:38:01 Kathrine (#)taiyou(#) AUTO-RESPONSE: hey just in the middle of my webcam show if you want to watch click the link http://www.lovelocalgirls.com/janefun

IKillSpammerz said...

Yup.

Remember:

1) They don't care who receives these messages. You could be a five year old. They don't care. Their only concern is money.

2) It's a completely automated chat session. It doesn't matter what you enter, the script is always exactly the same.

One day this company is going to be sued out of existence. It's really only a matter of time.

SiL

Anonymous said...

I sign up at dating spammers, several times with "throw-away email addresses. Of course you shouldn't if you look for love and sex, as they are scammers. Why would they spam otherwise.

I do this, assuming Confirm-ed-Opt-In will fail, to file reports to get them listed, so also people really signed up there might not receive mails by the spammers.

Also to see who is spamming. Usually as you noted, most ends up at uadreams. As they then send via mccolo and he.net (deeply listed anyway) as mentioned they might get blocked and not get mails out.

Then I mark them Phishing at Gmail. As I receive multiple spam I mark them all as Phishing. Should be enough that Gmail marks them Phish for all other users too. Those who really want to sign up hopefully get scared and so don't.

I also use a script to sign up about 5000 accounts daily there (works also for MLM and other spammers to distribute other spammers email addresses). The mail addresses are guessed and composed of common local parts and spammer domains (not those showing up in the spam of course), and their supporters (black hatted ISP such as mentioned above).

Other addresses are from a list of validated full addresses (sent test mails to all types of spammers to see if they reply, not Nigerian spammers though as those should not last long).

This way not only those scammers get spam. Many of those addresses generated by the script will be invalid. As uadreams and such often use valid addresses in the retuen-Path to see if mail bounces, and they send their spam in bursts via a few hours, they should get bombed by bouncers, hopefully stresses their mail servers.

As they have to also send masses on invalid addies I signed up other mail server get also flooded and hopefully blacklist or even firewall the spammer's ISP (here mccolo and he.net), so that legitimate customers of the spammer might also not receive mails.

Btw. SIL, you once wrote a comment to my Blog "why not order at spammers" but as I noticed it you removed it. I would had been interested what it was.

IKillSpammerz said...

> Btw. SIL, you once wrote a comment to my Blog "why not
> order at spammers" but as I noticed it you removed it. I
> would had been interested what it was.


I wanted you to contact me, but your blog is not performing comment moderation, which is why I removed it.

If you respond to this comment with another comment, including your email address (I won't publish it) I can provide you more details. Also: what was your blog again? (Why do you post anonymously?!?!)

As an aside: I have it on very good authority that this type of retaliation, especially regarding faked / baited orders on pharmacy sites, is extremely effective, and definitely does waste a lot of time and effort on behalf of the spammers, and more importantly their sponsors. They have to validate every single order, and if a lot of them are fake orders, this damages their ability to process credit card transactions.

Nice work, whoever you are.

SiL

IKillSpammerz said...

Quick update:

SlickCams is now promoted via "Sexpromote.com", and hosted by "multiwebhosting.com".

They (Istra Holdings, Inc.) have also moved offices from Mowat Ave. to 48 Hayden Street, Toronto, ON [map].

You can reach them the following ways if you (like me) are continuing to receive spam on behalf of slickcams.com:

Phone: (416) 536-9772
Fax: (416) 536-4585
Email: slickcashbrock@gmail.com
brock@slickcash.com
ICQ: 315 496 668
AIM: slickcashbrock

All email addresses for both sexpromote.com and multiwebhosting.com will bounce.

SiL

Anonymous said...

twice this year I received an invitation via msn, I suspect they got my address by some game apps in facebook, but could be also one plugin for wordpress that I recetly was checking

Anonymous said...

thanks for this mate i got this tonight..kathleenpoorvu81@live.com says:
hi
Satan is a lawyer says:
hi
kathleenpoorvu81@live.com says:
hi how are you today?
Satan is a lawyer says:
not to bad and you
kathleenpoorvu81@live.com says:
my name is paris I'm doing great today I'm 21 yrs old how old are you?
Satan is a lawyer says:
my name is fabian and i am 22
kathleenpoorvu81@live.com says:
listen hun, I am just about to start my webcam show with jen, come chat me there in my chat room? We can cyber, I will get naked if u do..lol!
Satan is a lawyer says:
how much money is involved
kathleenpoorvu81@live.com says:
I can show u how to watch free if u promise not to tell anyone else how to do it???PLEASE
Satan is a lawyer says:
brb
let me think about it
how did u get my email
kathleenpoorvu81@live.com says:
well since its free the law that u gotta be 18 (nudity involved), u have to sign up with a credit card for age verification! BUT .. Once you are inside, just clikc on "Webcams" let me know what name you use to sign in with so I know it is you babe! http://www.delraypartying.com/janegua fill out the bottom of the page then fill out the next page as well and u can see me live for free!
Satan is a lawyer says:
oh ok
that sounds like a scam
can u just send me naked pics
kathleenpoorvu81@live.com says:
Please dont mention anything about that in the chatroom once u get in ok?
Satan is a lawyer says:
do u really get people with this ???
kathleenpoorvu81@live.com says:
OH SHIT.. k I am late to start my show, I gotta get off msn...I will see ya inside my chatroom babe.. remember not to mention that I am upgrading u for free... You can use your msn name to sign in so i know it is you..
Satan is a lawyer says:
how did u get my email adress
i typed that adress in google and 15 people came up on bebo with different names....total bs

IKillSpammerz said...

That is correct, and I notice now that they have shifted from SlickCams over to "Cam With Paris."

It's still SlickCams, and you'll notice that the assets for the resulting site (http://join.camwithparis.com/signup/signup.php?nats=MTAwODYzNzoxOTA6NjE,0,0,0,0&step=2&qualify=1) are presented from FlyingCroc, the well-documented parent company of SlickCash.

[
Example:
http://camwithparis.com.slick12.hosting.flyingcroc.net/nats/images/bg.gif
]

This is a form of child endangerment for which this company should be brought to justice.

SiL