Thursday, February 17, 2011

Flying Croc Promotes Its Webcam Sites with Even More Lies and Messenger Spamming

Several readers (and others who found my blog via numerous searches) have complained to me for several months about a site known as "MyWebCamCrush.com."

This domain, among several others (camsecret.com, camsecretcrush.com, camsecretcrush2.com, yourprivateshow.com, many, many more), is being spammed via MSN Messenger and Yahoo Instant Messenger in much the same way that the renowned "SlickCams" webcam dating sites were spammed since 2007. (SlickCams is part of a very large number of companies and properties owned and operated by Flying Croc, who have a history that dates back several years of malicious adult-content spamming of one sort or another, but predominantly via MSN Messenger.)

It turns out that FlyingCroc.net has never stopped this practice, and appears to now control a large variety of similar adult webcam dating sites and affiliate programs, with no intention of stopping the ongoing practice of spamming total strangers (and probably minors) with automated MSN chat sessions promoting webcam porn dating sites. The most prominent of their spammed properties since 2008 has been StreaMate.com. I'll outline that setup here, but there are others.

At first it was assumed that this particular spammer was engaging in this malicious activity on behalf of only one webcam affiliate program. It turns out: he / they are doing this on behalf of at least two distinct affiliate programs, but probably more.

Here's how the StreaMate scam works:
  • An unsuspecting user of either Yahoo Messenger or MSN Messenger receives notice that an unknown user has added them to their list of Messenger friends / "Buddies"
  • They accept the invite
  • They initiate a messenger session with the anonymous "person"
  • The anonymous person goes through a predictable script
  • The messenger chat always mentions a specific link that the victim should click on to see this "person" on their webcam
  • The link is always to one of the above-mentioned domains
There are several examples of these fake chat sessions which make it clear that these are in fact MSN bots, not real people. (Examples: here and here.)

Here's a sample:

<[redacted] 4:19:15pm> hello
<princesstera200 4:19:38pm> hey :-)
<[redacted] 4:22:11pm> someone told me to IM you
<princesstera200 4:22:18pm> im good how are you?
<[redacted] 4:22:30pm> oh it's a bot
<princesstera200 4:22:40pm> looks like you got my message? whats up with you?
<[redacted] 4:22:50pm> you're a bot yo

...

<princesstera200 4:26:12pm> do you think i should wear a thong?
<[redacted] 4:26:17pm> no
<princesstera200 4:26:30pm> lol great choice well i want to give you a free courtesy pass to view me on my cam?
<[redacted] 4:26:40pm> chii would never wear a thong
<princesstera200 4:26:54pm> i want to give it to you k babe?
<[redacted] 4:27:06pm> k fine
<princesstera200 4:27:18pm> Ok go to http://www.camsecretcrush.com/kiss***** and create a free profile
<[redacted] 4:27:32pm> k thx
<[redacted] 4:27:44pm> bot

Very obviously an automated chat session.

So here's where we end up if we follow that link [click to enlarge]:


Visiting the site we see a page that presents a few things which appear to be real, but actually are not.

The first is a countdown, indicating that this invitation from our MSN bot has a time limit, and therefore some urgency is implied with your immediate registration.


The second is that there is what appears to be a live chat window, which it turns out is a pre-recorded 1 minute video of a girl pretending to engage in conversation with the victim.


If you attempt to type into the fake chat field, the page refreshed with a totally different video of a totally different girl.


Note the inclusion of the blinking words "Live Now" on the top right corner of the video window. Also utterly fake.

It turns out that video is provided in an iframe by the camsecretcrush.com website itself:

http://www.camsecret.com/exports/golive/iframe/?chat=0&input=0&AFNO=1-0-1&

But that iframe is in fact pulling all of its content from a site called camsecret.com

http://www.camsecret.com/exports/golive/iframe/?AFNO=1-0-1&chat=0&input=0&rlc=1&timer=5

Each of these pass the affiliate id of "1-0-1". This is probably irrelevant since the only time I or anyone else have seen these is via spammers, so one could assume that every single affiliate of this program is probably a spammer via MSN, and that this company fully condones MSN or Yahoo Messenger spamming. (Some have also complained that this is also occurring on Skype.)

If you load that camsecret.com iframe url on its own you see a completely random choice of fake videos depicting several women. It lies to you and says it's "Live Now", but in reality these are all pre-made videos which stream to it in real-time from the domain naiadsystems.com:

http://www.naiadsystems.com/flash/generic/20110112/avchatpure.swf

naiadsystems.com uses flyingcroc name servers:

Domain Name: NAIADSYSTEMS.COM
   Registrar: TLDS, LLC DBA SRSPLUS
   Whois Server: whois.srsplus.com
   Referral URL: http://www.srsplus.com
   Name Server: NS1.FLYINGCROC.NET
   Name Server: NS2.FLYINGCROC.NET
   Status: clientTransferProhibited
   Updated Date: 02-apr-2007
   Creation Date: 27-apr-2005
   Expiration Date: 27-apr-2012

Surprise surprise. Welcome back, former SlickCam.com spammers.

Its contact information in the WHOIS points to StreaMates, allegedly in Cyprus:

Registrant:
         Streamates Limited Streamates Limited  (hostmaster@streamates.com)
        Streamates Limited
        196 Arch Makarios Avenue, Ariel Corner 1st Floor, Office 102, PO Box 57528
        3316 Limassol,   3316
        CY
        00357-25820280

StreaMate has had affiliates spamming via MSN on their behalf for something like two full years as of this writing.

The chat itself (if it occurs) is also completely fake. We can see this by looking at the JavaScript within the page of these throwaway sites this spammer has registered. They make no attempt to hide the fact that this whole setup is fake.

<script type="text/javascript">
var spoof_cam = '';
var start_minutes = 5;
var start_seconds = 30;
var current_minutes = start_minutes;
var current_seconds = start_seconds;
var splashpage_name = 'Sam';
var random_message_start = 3;
var random_message_end = 6;
var random_message_interval = (random_message_start + Math.floor(Math.random() * (random_message_end - random_message_start))) * 1000;
var random_message_text = 'hurry im waiting for u..';
var ad_categories = '';
</script>

"spoof_cam". "random_message_text". This is so clearly a scam. Not a single real event is taking place here. The spammers know this.

When the 1 minute video is completed, a link appears in the flash video window only, an attempt to further obscure where this spammer wants you to click.

In the example I'm presenting here, the link goes to:

http://www.camsecret.com/signup/?smid=5844090&AFNO=1-0-1

[Notice: no secure "https://", just plain "http://"]

CamSecret is also operated by FlyingCroc:

Registrant:
         FCI, Inc. FCI, Inc.  (hostmaster@flyingcroc.net)
        FCI, Inc.
        2019 3rd Ave Ste 200
        Seattle, WA  98121
        US
        206.374.0374

Note that at the top of that page, it claims that you can "Sign-up safely at Camsecret"


This is of course also a lie. None of these domains offer any SSL or other security. CamSecret.com makes this statement boldly on a page which is very obviously not secure.

Just to be 100% sure: attempting to load:

https://www.camsecret.com/signup/?smid=5844090&AFNO=1-0-1

Results in a "not found" error.

Liars. So far numerous lies from beginning to end and we haven't even joined yet. Exactly how "real" do you these so called "webcam girls" are going to be?

As with all of these spamvertised domains, whois information for one of the numerous spammed domains, webcamcrush.com, was originally protected by Privacy Protection provided by GoDaddy.com. However one intrepid researcher decided to raise this case with the Arizona State Attorney General's office, who apparently managed to convince GoDaddy to identify who had registered this domain. It turns out to be one Yaniv Mindell, from the domain "DefiniteDollars.com":

Registrant:
YMIND, Ltd.

Amory Building, Victoria Road
Basseterre, 3979
Saint Kitts and Nevis

Administrative Contact:
Mindell, Yaniv yaniv@definitedollars.com
YMIND, Ltd.
Amory Building, Victoria Road
Basseterre, 3979
Saint Kitts and Nevis
+1.9544788981

Another shell company. First Cyprus, now Saint Kitts and Nevis.

webcamcrush.com is also suspended as a domain.

mywebcamcrush.com's whois information is still protected via GoDaddy. (Aside: When are registrars going to stop providing this for repeat offenders? This is year #4 of this activity. GoDaddy should know better by now.)


DefiniteDollars.com has all the markings of an underground affiliate program. No FAQ, a terms of service that states that they don't allow spamming, but of course no contact gets any response from this company.

I would like to cast an open invitation to anyone who has been affected by this group's ongoing MSN or Yahoo Messenger spamming, and I'd also like to put out an open invitation to both the Yahoo Messenger and Microsoft Live Messenger Team specifically, since I have been attempting to raise any attention whatsoever with that team since 2007, with absolutely no effect.

I'd also like to openly ask GoDaddy why it is that four years on they still allow this group to register dozens-to-hundreds of domains with their company, an continue to hide their contact information despite numerous abuses of their terms of service.

As with all previous spam activity on behalf of Flying Croc, the risk is very high that minors are being exposed to this content. Whoever harvested these MSN and Yahoo accounts had absolutely no concern for how old the unwitting recipient of these invitations might be. They just send out the invitation to however many thousands of these accounts they can unearth, and begin the automated chat to get them into what is clearly an adults-only website. I would assume that the Arizona State Attorney General's office would be aware of this detail, but if not they certainly should be.

Somebody has to start a class-action suit against the owners and operators of Flying Croc. They've been getting away with this crap for years and people are sick of hearing from them.

SiL / IKS / concerned citizen