Hey whats up? my name is Natalie i was just surfing the net and came accross your profile..
i was wondering if you might like to chat my MSN is firstname.lastname@example.org
hit me up i would love to chat with you
hey there I found your pic online I think your pretty hot add me to msn messgner to chat email@example.com
Hi I saw Your Profile Online I wanted to chat with you add me to your msn messanger to chat I'll be waiting!!
my msn addy is firstname.lastname@example.org
More recently, these messages don't even contain any text at all, instead attaching an image (in bmp format, how very 1994 of them) which features a scantily clad woman's torso and (again, always) a hotmail or livemail address. I've included an example here.
Ignoring, for the moment, the inanity of these messages ("came across your profile.."?! Really. Where?) the focus of this type of spam is to get hotmail users to start a chat with this account.
Doing so produces the following results, literally every single time.
hey whats up babe, U got a webcam? finally someone adds me, I am soo fuckin horny today for some reason lol
listen hun, I'm just about to start my webcam show with jen, come chat me there in my chat room? We can cyber, I'll get naked if u do..lol!
I can show u how to watch if u promise not to tell anyone else how to do it???PLEASE
well since its the law that u gotta be 18 (nudity involved), u have to sign up with a credit card for age verification! BUT.. Once you are inside, just clikc on "Webcams" let me know what name you use to sign in with so I know it's you babe! http://jane2hot.thegirlsathome.com/ fill out the bottom of the page then fill out the next page as well and u can see me live!
Please dont mention anything about that in the chatroom once u get in ok?
OH SHIT.. k I'm late to start my show, I gotta get off msn...I'll see ya inside my chatroom babe.. remember not to mention that I am upgrading u... You can use your msn name to sign in so i know it's you..
So there's the bait: jane2hot.thegirlsathome.com
Notice that at no point does "Jane" ever ask why I'm not even speaking in complete words, let alone sentences. That's because (as you might have guessed) "Jane" is actually an automated MSN bot, probably of the PHP variety. There are several of these on the market and all of them are very easy to implement.
Anyway. Continuing on, if we visit that site we are presented with a page entitled "Jane ON WEBCAM" featuring photos of a girl in various stages of undress and the following at the top of the page:
I am probably the horniest girl you will ever meet :)
Cum see how naughty I can be ;)
All photos on that page, and all other links, point to:
http://sp.slickcams.com/track/[19-character tracking code]/signup
That page looks like this:
So now we have a direct connection between this Hotmail-initiated spam, leading to MSN abuse, leading to an attempt to gain a signup to the site "SlickCams."
If you attempt to visit the root spammed domain on its own [thegirlsathome.com], you're met with a username and password prompt for "Website Administrator Access". Clearly they only want the spamvertised subdomain to be the ones that get visited.
At the bottom of that page are two rather ridiculous claims:
YOUR PRIVACY IS IMPORTANT TO US
YOUR INFORMATION IS NEVER DISCLOSED TO ANY THIRD PARTY
SlickCams is available to adults age 18 years and older.
By clicking the "Submit My Information" button you affirm that you are at least 18 years of age.
That's interesting because: the addresses I monitor which continually receive spam promoting these sites have never been used, ever, for anything. No permission has ever been given to anyone to receive adult-oriented content, and at no point have these addresses been shared with anyone.
If they're so concerned about my privacy, how did they get my addresses?
If they're so concerned about only "adults age 18 years and older" viewing this content, why were these email addresses spammed?
As usual with illegal spammers: it's all lies. There is no "Jane". There is no concern for anyone's privacy, and they clearly don't care whether five year olds are receiving this spam. They're liars through and through.
Until very recently, the affiliate program behind SlickCams was named SlickCash. I notice in recent weeks, however, that the program has suddenly shifted to SexPromote. [sexpromote.com] SlickCash is still active, but it's unclear whether they still handle promotions for the SlicCams websites or not, or what the relationship is between SlickCash and SexPromote.
At the bottom of the SexPromote affiliate signup page is the following claim:
By submitting this application, you agree to the Terms and Conditions. You also agree to abide by our Spam Policy. Slick Cash has a ZERO tolarance policy against unsolicited email marketing.
You can read their alleged "anti-spam policy" here, although as mentioned above: clearly they don't enforce it in any way at all. I've been receiving these spam messages going on three years now, and via numerous email accounts I've been complaining directly to SlickCams about it. I have never, not once, received a single reply from anyone at SlickCash, and the spam never abates. I receive at least one a week to numerous accounts, all of which I never used to sign up to anything, ever.
So: Am I wasting my time? If you're the spammer behind these bullshit messages your first answer will be "yes." :)
However, it's worth noting that law enforcement members have certainly begun to take an interest in this affiliate group, probably in large part due to a lawsuit initiated in December, 2008 against SlickCash on behalf of Facebook. (You can read about that here and here.) Essentially the suit claims that SlickCash servers attempted to access Facebook some 200,000 times in an attempt to divert users to their websites. They're only seeking damages of $5,000 which seems pretty paltry, considering the other widespread abuse this company is engaged in. They're calling this activity "hacking". It's a bit of a weird suit. They name SlickCash and several John Does, both individuals and corporations. You can download the court papers here [pdf]. This makes further clear how difficult it has been to discover the actual human beings behind this abuse.
A further link (here) goes into much further detail of precisely how far back this complaint has been going on, and its current status, and represents a veritable goldmine of information on this operation. I'll save you some reading: on April 30th, 2008, a permanent injunction was signed by a judge against the following companies and individuals:
1564476 Ontario Limited
The charges are violations of the California comprehensive computer data access and fraud act and the computer fraud and abuse act.
This lawsuit represents further evidence that the mailers behind SlickCams don't care how many systems or services they abuse. They've also recently begun spamming from MySpace accounts using similar vectors: the MySpace profiles feature an MSN account, which, if you chat with it, leads to the exact same trail. More recently the spam from MySpace skips the whole "view my profile" portion and just includes yet another hotmail account:
janey is a member of MySpace and is inviting you to join.
hi i saw your on that site (youre cute!) may be can talk sometime on windowslivemessenger my name there is email@example.com add me! thanks Jane
More lies, of course. None of my email accounts are registered at MySpace either.
All attempts to communicate with the operators of SlickCams have proven fruitless. Attempting to identify just where they're located is similarly difficult, but not impossible. (As with all illegal spam operations, several shell companies have been created in an attempt to distance the guilty parties from the illegal activity.)
The trail goes something like this:
SlickCash affiliate program
1564476 Ontario Limited
Attempts to discover the actual physical location of these companies was pretty slow going, but I happened to discover a few things on my own which were mirrored in some investigations dating back to June, 2005. That further ties SlickCash with more serious charges of botnet operation and attempts to infect users. It's definitely well-researched, but no followup is listed anywhere.
A porn affiliate site known as "GreenGuyAndJim" has a page (located here) which clarifies which company is for which program. You can see that line #4 of that list directly states that 1564476 Ontario Limited is a front for SlickCash.
1564476 Ontario Limited is located at a post office box:
Manulife Building Postal Outlet
55 Bloor St W
P.O. Box 19647
So obviously no actual individuals would be located there.
Istra Holdings claims to be located at 48 Hayden Street, Toronto. Interestingly, Yahoo Canada lists that company as being an "Investment Bank" (here.)
Several of their domains (notably WebVoyeur.com and cupidcams.com) linked SlickCash to a company named "Turvill Consultants Limited Scarborough Ontario CA #422"
That "company's" address is located here:
265 Port Union Rd
Scarborough, Ontario M1C 2L3
This is already a pretty lengthy runaround to conceal the actual owners and operators of this operation, don't you think? This only furthers the suspicion that these people are very well aware that they are operating illegally.
But let's return to that 2005 investigation. It lists the following further companies, one of whose addresses turned out to be an accurate location of their affiliate managers' offices
701 Rossland Rd East Suite 323
Whitby, Ontario L1N 9K3
Turvill Consultants - NARD
265 Port Union Rd
Scarborough, Ontario M1C 2L3
77 Mowat Ave.
That led me to this posting on "sponsorchat", dating from May, 2007:
"We take pride in the fact that our affiliates have access to the most advanced free hosting available," said Greg Parsons, owner of Slick Cash. "This great partnership with Revshare Hosting is just another example of how we keep our affiliates at the very top of our priority list."
Aha. Greg Parsons, "owner" of Slick Cash.
I asked several colleagues to investigate that address, and they confirmed a few things for me:
- That building is in a neighborhood in Toronto which was nicknamed by NBC's Dateline as "Porn Alley" in an August, 2005 report. (That story is unrelated to Slick Cash, but that's still an important detail to be aware of.)
- 77 Mowat is in an office building which is part of what is called the Toronto Carpet Factory. It houses several marketing companies who represent large-scale corporate entities (who I will not name here.) But it also houses one or more adult-oriented and online casino operations.
This definitely seems to be leading to the right path. It may not be, but I'm continuing to investigate.
Greg Parsons and Baltic Consultants are the "Administrative Contact" for several domains, with the "Billing Contact" for the same domains being Turvill Consultants, in Scarborough.
This investigation is far from complete, but at least now we all have a very clear idea of who to blame for this scourge of unwanted fake webcam spam.
Of course attempting to investigate the domain that I was spammed with (thegirlsathome.com) now shows that they want to further cover their tracks:
WhoisGuard Protected (firstname.lastname@example.org)
8939 S. Sepulveda Blvd. #110 - 732
Westchester, CA 90045
SexPromote has been in business for a while and may have only recently taken on the affiliate operations for the SlickCams websites. As I mentioned earlier, that relationship is not as well known. They don't list SlickCams anywhere on their list of sites. (Neither did SlickCash, by the way.) However both sites do list a handful of the same sites, so it's definitely a possibility that the two are fronts for the same operation. I decided to check that out:
Domain Name: SEXPROMOTE.COM
Administrative Contact :
Turvill Consultants email@example.com
265 Port Union Rd.
One last note: their dns servers:
Domain servers in listed order:
Record created on: 1998-08-26 00:00:00.0
Database last updated on: 2007-03-22 03:46:49.68
Domain Expires on: 2008-08-25 00:00:00.0
That's a Seattle-based web hosting company. I had seen previous complaints online regarding Flying Croc somehow being responsible for this spam. I don't believe that to be the case. Their reputation as a legitimate hosting company, however, would have to be suspect since they are supporting and aiding a known illegal spam operation.
More as I get it.
SiL / IKS / concerned citizen
P.S. This posting was started months ago, but I received inspiration from a fellow blogger who was also investigating this operation: matchent.com. I am clearly not the only one attempting to get this operation to take responsibility for its continued widespread abuses.