How people try to rip other people off, in all the myriad ways

I found the hacker… and I’m wondering where else he might be

So finally I had to take Stefan’s advice. Having upgraded to WordPress 2.8.5 over at the Free Our Data blog (where I’ve been having problems with a hacker who’s been inserting spam links invisibly into the end of the page), I …

Oh. And while I was writing that, I noticed – from the FTP transfer that was going on to do a second comparison – that there are a ton of spam pages in the site. Sodding hackers.

Anyway. I downloaded the entire blog content, and then ran a diff – that is, Filemerge (which comes with the Apple Developer Tools, free on your OSX install disk). It compares the content of any set of files, or directories.

Of course the site I’d downloaded was pretty old, and had been upgraded loads of times, so there were loads of files that were on the left (old) and not on the right (new). They just hadn’t been deleted.

Slogging on… I came across a WordPress page which explains which files have been deleted in the move up from 2.7 to 2.8. It’s a useful list and I was working my way through it. Slowly.

By now I’d got to blog/wp-includes/js/tinymce/themes/advanced/skins/o2k7/ and was starting to marvel at how deep WordPress is. When I came across a rather odd one – ui.php – which had the interesting opening:

Codz by angel(4ngel)

Make in China


Hmm, is it very likely that a valid WordPress file would really have that sort of comment? And more telling was that when you loaded it in a PHP editor with live PHP generation, you get this:

Yup, it's a hacker's login

Which in essence says: oh, lordy, you’ve been hacked.

Much digging around followed. It’s a fascinating file: it allows the hacker to download your database, and possibly upload chunks as well. I’m going to have to do an SQL dump now to see whether the content of older posts has been hacked (a favourite trick, apparently).

I also discovered a slew of website pages hidden in a directory called “Online” in the “Default” theme folder – which of course every WordPress install will generally have, so that’s a smart place to put it. (That also makes it a good one to delete.)

But as far as I can tell, the site is clean now. My best guess for how they did this is that it was one of the WordPress weaknesses via user registration – this one? This one? There are so many to choose from – and that it’s been sitting there for an age, just waiting to be exploited, or perhaps being exploited and I didn’t spot it. (Certainly neither Google’s indexing nor I discovered the hack of the /default/images folder – which is intriguing. Have you checked that folder lately?)

I hope this is the end of the tale. I’m not pinning everything on it though.

One other point: thanks again to Stefan Pause, who has helped a lot on this (what’s your site, Stefan?) I’m now alerted to the WordPress Exploit Scanner plugin, which will look through your site and find any suspicious CSS, HTML or similar. It reckons that there’s nothing suspicious in the older posts. Good-o, though I’d like to (and will) make sure myself.

Endnote: interestingly, Google won’t allow the ui.php file to be emailed, even in zip form. (I wanted to send it to my web host to explain what I’d found and tell them to search for it.) So obviously Google Mail’s already got some sort of hashing going on to detect malware being passed around. Impressive.

The hackers? Boring, really, that this sort of endless diversion from site to site is how they make their money. All that enthusiasm and knowledge and ability, turned to trying to persuade people lacking self-esteem to buy pills of unknown quality from sites of extremely dubious status. Isn’t there something better we could do with all our time here?

Super-endnote: And then I find another file – this one at /wp-includes/Text/Renderer/Diff/ where there was one called online.php (a bit of a clue by now, because it’s all about “online” crap these guys are selling.)

The WP Exploit Scanner tipped me off – it notes that it’s a base64 call, which usually means “something to hide”.

And so it proves: here’s the picture you get
Hacker control interface dropped inside WordPress

(You can see the full-size thing at Flickr.) And hey – what is it about hackers and the black backgrounds? Too much watching the Matrix, I think. Forget it, guys – you’re not The One, you’re pushing junk pills.

The hacker leaves more footprints… but how many sites have this problem?

Another day, another little hack on’s front page – once more adding spam links to it in invisible links (using the stylesheet command div style="display:none").

What’s interesting this time though is that the person doing it has decided to be a bit more subtle. Rather than doing it all by hand, he’s clearly decided that automation is the thing.

And so the inserted spam-generating code is just one line of PHP. One line!

Ah, but it’s clever – it’s a base64_decode (i.e., a string of encoded stuff) which is then enclosed in an eval() statement.

So PHP decodes the base64 stuff and then does what it’s told by that statement.

And what it’s told to evaluate is to get the content of a URL:

Weberneedle, in case you’re wondering, is part of Weber Medical. Obviously, it’s been hacked.
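Detection logic for the two injections described above (the one-line eval(base64_decode(...)) PHP, and the display:none div hiding spam links), written as an added example rather than the WP Exploit Scanner’s own code; the sample files, the example.invalid host and the directory layout are constructed for the demo:

```python
import base64
import re
import tempfile
from pathlib import Path

# Constructed samples (not taken from the hacked site). The PHP one mirrors the
# one-line injection: eval() around base64_decode() of an encoded payload that
# fetches a remote URL; example.invalid stands in for the real spam host.
_PAYLOAD = b'echo file_get_contents("http://example.invalid/hidden-page");'
INJECTED_PHP = (
    "<?php\n// theme header (constructed sample)\n"
    "eval(base64_decode('" + base64.b64encode(_PAYLOAD).decode() + "'));\n"
)
# The HTML one mirrors the hidden spam links: a div styled display:none.
INJECTED_HTML = (
    '<div style="display:none"><a href="http://example.invalid/pills">'
    "cheap pills</a></div>"
)

EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)", re.I
)
HIDDEN_DIV = re.compile(
    r"<div[^>]*style\s*=\s*['\"][^'\"]*display\s*:\s*none[^'\"]*['\"][^>]*>(.*?)</div>",
    re.I | re.S,
)
HREF = re.compile(r"href\s*=\s*['\"]([^'\"]+)['\"]", re.I)
URL = re.compile(r"https?://[^\s'\"()<>]+", re.I)


def find_eval_base64(source: str) -> list[dict]:
    """Locate eval(base64_decode('...')) and decode the payload so a defender
    can read what would have run, and which URLs it would have fetched."""
    hits = []
    for m in EVAL_B64.finditer(source):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            decoded = f"<undecodable base64: {exc}>"
        hits.append({"offset": m.start(), "decoded": decoded, "urls": URL.findall(decoded)})
    return hits


def find_hidden_links(html: str) -> list[str]:
    """Return the link targets inside any display:none div."""
    links = []
    for block in HIDDEN_DIV.finditer(html):
        links.extend(HREF.findall(block.group(1)))
    return links


def scan_tree(root: Path) -> dict[str, dict]:
    """Walk a downloaded copy of the site and report files showing either indicator."""
    report = {}
    for path in sorted(root.rglob("*")):
        if path.suffix.lower() not in {".php", ".html", ".htm"}:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        evals, hidden = find_eval_base64(text), find_hidden_links(text)
        if evals or hidden:
            report[path.relative_to(root).as_posix()] = {
                "eval_base64": evals, "hidden_links": hidden,
            }
    return report


def demo() -> dict[str, dict]:
    """Write the constructed samples into a scratch tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content/themes/default").mkdir(parents=True)
        (root / "wp-content/themes/default/header.php").write_text(INJECTED_PHP)
        (root / "index.html").write_text("<html><body>Hi" + INJECTED_HTML + "</body></html>")
        (root / "clean.php").write_text("<?php echo 'nothing to see'; ?>")
        return scan_tree(root)


if __name__ == "__main__":
    for name, found in demo().items():
        print(name, found)
```

A plain base64_decode() without eval() is not flagged, since WordPress itself uses it legitimately; it is the eval() around it that marks the one-liner as code the site was never meant to run.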

The spam is pointing to two directories – and They’ve been hacked too. (Oh, Anats – the Australian National Association of Teachers of Singing. You’re offering links to a lot more than singing, I’m afraid.)

But it would be interesting to know how many more sites weberneedle’s hacked directory is pointing to.

And the bigger question is: how many sites out there have been hacked? In the course of my experiences alone I’ve come across half a dozen. (And I’m still trying to locate and close the hole in our server that makes this possible, of course. It’s annoying, but not disastrously so.) How many millions (and yes, I mean millions) of sites are there out there which have been exploited in this way, and which are therefore pointing to stuff they never realised?

At some stage there’s going to have to be a massive clearup – but I can’t imagine it happening. You’d pretty much have to turn the web off and on again.

Tim Carron Brown sentenced to two-and-a-half years’ jail for 312,000pd VAT fraud (updated) re Omedian, Companytv, Second Sight Ltd, Anstruther Management

Tim Carron Brown – who pretty much deserves his own category here, doesn’t he? – was sentenced at Bournemouth Crown Court on the afternoon of Friday 26 June 2009.
(Image: HMRC)

He was sentenced to two and a half years, serving half of this time in prison, and disqualified from being a company director for eight years.

He was sentenced on the charge of cheating the Public Revenue, namely HM Customs and Excise, later HM Revenue & Customs, by dishonestly accounting for Value Added Tax (VAT) and/or monies charged as VAT in relation to four limited companies. An offence of cheating, contrary to common law.

The four companies, through which the fraud was committed by Carron Brown as a Director, are: Companytv Limited; Second Sight Limited; Anstruther Management Limited; Omedian Limited.

All of these VAT registered companies were run from a rented property in Waddock, Dorchester, and previously from rented property in Ickham, Kent. He was arrested in August 2006.

(Separately I’ve been told that there’s an application for bankruptcy proceedings against him, but haven’t confirmed that.) He was also subject to Bankruptcy Proceedings instigated by Lombard North Central (apparently a financial/leasing/loans organisation). He was made bankrupt at Weymouth County Court on 1 June 2009.

Relating to that, I’ve received a press release from HM Revenue and Customs:

Dorset VAT fraudster jailed

A Dorset based fraudster who illegally reclaimed £312,000 in VAT (Value Added Tax) was jailed for two and a half years at Bournemouth Crown Court today.

Following detailed investigations by HM Revenue & Customs (HMRC) officers, Timothy Colin Carron Brown (aged 52) pleaded guilty on 22 May 2009 to an offence of cheating the public revenue.

Peter Avery, HMRC Assistant Director Criminal Investigation said: “This sort of scam requires detailed planning on the part of the criminal and immense dedication from HMRC officers to unravel. This calculated attack on the VAT system not only robbed the exchequer, and therefore honest UK taxpayers, of public funds, but is also unfair to those respectable businesses that diligently abide by the rules.

“Tackling VAT fraud is a priority for us and we will not hesitate to pursue those who commit this type of offence. Anyone who has information about suspected tax fraud can call our 24-hour Customs’ hotline on 0800 59 5000 or email”

Upon sentencing His Honour Judge John Harrow said: “I take the view that you invested a substantial amount of time and energy into the business ventures, and the companies were set up for a legitimate purpose. However you exploited the VAT system by fraudulently claiming VAT repayments of £312,000. This was taxpayers’ money and despite what was said (by defence counsel) it (the fraud) did have a degree of sophistication.”

Judge Harrow then commended the main investigating officer: “For the degree of hard work and investigation skills in this case.”

The VAT fraud involved Carron Brown submitting VAT repayment claims in relation to four VAT registered limited companies. The claims were not legitimate and he was not entitled to the repayments.

Carron Brown used a number of methods to perpetrate the fraud. These included reusing invoices for which he had already reclaimed VAT; submitting false invoices and records, and trading between his own companies to reclaim tax on purchases but not accounting for the corresponding sale.

The fraud was committed between 2001 and 2005. ‘Nil’ returns were rendered once officers began to probe into the companies. Carron Brown used the proceeds of this crime to fund a seemingly affluent lifestyle. HMRC and its prosecutors will pursue confiscation proceedings. The case was successfully prepared for prosecution by the Revenue and Customs Prosecutions Office (RCPO).

Here’s the explanation of the offence from HMRC: “VAT registered businesses must charge VAT on the selling price of any goods and services that are liable to VAT. This is known as ‘output tax’ and must be paid to HMRC.

“VAT registered businesses can reclaim VAT paid on their business purchases. This is known as ‘input tax’.

“In simple terms the amount of VAT that can be reclaimed as a ‘VAT repayment’ is the difference between the VATable sales (output) and VATable purchases (input).”

Update: the Dorset Echo has a piece about it:

It was proved that Brown submitted illegitimate VAT repayment claims for four VAT-registered limited companies for which he was not entitled to repayments.

Investigators found Brown used a number of methods to perpetrate the fraud, including reusing invoices for which he had already reclaimed VAT.

His other scams included submitting false invoices and records and trading between his own companies to reclaim tax on purchases without accounting for the corresponding sale.

NCP: all they want is your money. More of it.

The railway station where I get the train to London has a car park that is now run by National Car Parks (hereafter NCP). Until January 10, you can buy your car parking ticket along with your rail ticket, and then park the car. Simple enough. One transaction, two tickets, one location.

But after that date, you’ll only be able to buy your car parking tickets from NCP’s machine, or via text or phone call.

At first the idea of buying the car park ticket – actually a virtual one – through a text or phone call is attractive. Great – I can park the car if I’m in a hurry, and get straight on the train, text from there, sorted.

Except when you look at the fine print. (Which is the link of “How it works” from the “Fastpark by phone” page, just in case that’s a one-off URL.)

How much does it cost?

We will calculate the best possible price for the duration that you have requested. The parking fee plus a Service Charge will be charged to your credit or debit card. The Service Charges are as follows:

20p where the parking charge is less than £2

30p where the parking fee is £2 or more

10p to extend a parking session

Optional text reminders or text receipts are charged at 10p per text.

Network charges may vary and are not included in the service charge.

Come on – it all adds up to more money for them. A 10% rise on the sub-£2 transactions, and 15% on those only just over. Plus you have to guess how many hours you’re going to be there; the previous system just let you buy until midnight, by which time you were very likely to be back, and also there were unlikely to be wardens checking for infringements.

I know – might be credit card charges? Except that why would they go up like that?

And more to the point: what was wrong with the ticketing office selling car park tickets? They did it perfectly well. They did it very well. It worked. There was no need to change it – except that NCP is a bastard greedy company.

And so I ask the question again: what was wrong with the original system? Oh, well, I guess it’s time to go to the local paper. Like I did when this was being suggested back in June or so.

China delayed poisoned milk investigation until after Olympics, says Economist

Fascinating story in The Economist:

The government blames middlemen who collect milk from dairy farmers. They allegedly added water to increase its volume and, to disguise this, mixed in melamine, a chemical used to make plastics, which can deceive inspectors about the milk’s protein content. Melamine gained notoriety last year when several pets in America died after eating food contaminated with it by Chinese-made additives.

The central government has boasted it was quick to react to the latest problem. But the chronology revealed so far suggests otherwise. It has fuelled speculation of a delay to make sure the Olympic games in August were not marred by a food scare.

(Emphasis added.)

The government of Gansu province in China’s west says it told the Ministry of Health on July 16th about an unusual upsurge of kidney stones among infants who had all drunk the same brand of milk. It was not until September 1st that the ministry says its experts tentatively concluded that the powder had caused the sickness. Still, nothing appeared to happen.

Prodding from the government of New Zealand may have been what eventually goaded the Chinese authorities into action. On September 8th it told them what it had learnt from Fonterra, a New Zealand dairy company that owns 43% of Sanlu [until recently one of China’s biggest producers of milk powder]. Fonterra says it was told by Sanlu of a problem with the powder on August 2nd, six days before the games.

(Emphasis added.)

Now, of course one should usually not ascribe to malevolence what can be ascribed to incompetence, but with the tainted milk thing really kicking off (European ban, children still dying) I’m not persuaded that someone who could have taken action didn’t see it, but suppressed it.

After all, what’s the deaths of a few children compared to favourable worldwide TV coverage?

Imagine the regulation stink if British banks hadn’t been allowed to deal in toxic loans

So, the Bush neo-conservative government is buying all those toxic loans with more than $100bn of the American peoples’ money. Near enough. Actually, the numbers don’t matter. It’s the principle of the thing: the banks screw it up, and the government bails them out completely, giving them a get-out-of-jail free card, swapping their rubbish assets – which in many cases they can’t actually put a concrete value on – for real money.

Amazing. The nationalisation of banking risk, no matter how you try to spin it.

What I’d really like to see is some analysis of quite how much economic growth was enabled by all those toxic loans. I mean, that’s the thing, isn’t it? These were about making money, and spinning up some very dubious debt into what were effectively bonds. Everyone’s paying for it now, in terms of the housing market falls (and consequent retail falloff, and thus-consequent economic falloff).

The real question is, what would economic growth have looked like if we hadn’t had those loans? A lot slower? A little slower? Someone needs to do the reckoning on this, I think.

As for the people wondering how Britain got into this position: I think it’s pretty easy to imagine. US investment banks start generating these amazing financial instruments which seem to generate money out of the air. In Britain, investment banks see them and are envious as hell: they want to have some.

Imagine now that the Financial Services Authority had told those banks that no, they couldn’t have or buy or deal in those instruments. (We’re talking about CDOs and CDSs here.)

And imagine the howl and stink that the banks would have put up about being denied that. You’re regulating us too much! they would have cried. You’re stifling our business! Look, in the US they can offer lower interest rates because these things, which we’re assured are copper-bottomed, generate the sort of returns that mean we can offer cheaper mortgages. Are you sure, Mr (or Ms) MP, that you want us to tell your constituents – via the newspapers – that we can’t offer them cheaper mortgages because you’re regulating us too much. Imagine it.

Faced with that, and the prospect of cheaper loans, which of course will lead to more house purchases, which will lead to a growing economy, which will lead to more tax receipts and less unemployment… would you, as a government minister listening to these bankers who have been lobbying the FSA, turn them down?

You can see how it all unfurled. Everyone honestly believed it would be all right. Or at least, that by the time the music stopped they’d have made their pile and got off.

The irony. The idiocy. Photographers ripping off Guardian content.

Every week I run a Technorati and Icerocket search against the links of the stories from the Guardian’s Technology supplement to see what people have been saying about our articles. And pretty much every week I find at least one blog where they’ve taken all the content, lock stock and barrel, and simply reposted it on their blog.

This never fails to annoy me, I’m afraid. The point I make is that by doing this they’re contributing to a spiral which goes thusly: people read the content away from the Guardian; people don’t come to the Guardian pages to read it; Guardian reading figures fall; advertisers pay less and less to be on Guardian site; Guardian has less money to pay contributors; less is on site; nothing to rip off from Guardian site. So by nicking our content, these folk are cutting off their own source of stuff. (Sure, they’ll just move on to the next paper, but the idea that they’ve liked the stuff enough to take it from us is an indication that they think we’re worth something, surely.)

When I point out that this is theft and that they could be done for copyright infringement, most react by taking it down fast. Some apologise and say they weren’t aware. (This is I guess excusable; most people don’t get schooled in copyright law for everyday use.)

Some sites keep doing this; generally they’re in the US and use forum software.

But what’s remarkable is when you have a group of people who I’d always thought were very protective of copyright – photographers – who then go and do the same to not only the text but also the picture from a story.

Thus it was with Bruce Schneier’s latest piece, about the imagined threat that people taking photos of buildings poses to our safety. Because we’ve seen dastardly terrorists taking photos of their intended target in films and TV, we assume that’s how it works in real life. Not so: it’s there for dramatic effect, so we’ll know what the target is and feel the unease at the people not knowing that they’re a target. When in fact all the terrorist attacks of the last however long haven’t had photographic reconnaissance.

Lots of people linked to this piece (unsurprising: it’s a very good piece, like his previous one about how border guards may take a copy of your hard drive; Schneier has had a galvanic effect on readers). Including photographers. Who in some cases copied the photo from our site and stuck it on theirs – no credit, no nothing. What is with these people? (One was here, another here, another here, another here.)

Update: the last of those four sites, who didn’t take all the copy but did (in the first version) copy the photo, belongs to a professional photographer from Manchester who in his comments is insisting “Good god do you people not know how the internet is changing and raising all kinds of questions about ownership etc. Wake Up”. Obviously, he’ll want you all to use his photos for free without crediting him if this chain of logic is followed through…

One person (not the Manchester photographer) wrote back and said:

Thanks for your note. Stealing is a harsh word when it could just be a misunderstanding first and foremost. (Also, we’re not a site about copyrights, it’s a site about photographers’ rights. There’s a difference.) Every picture we link to we will credit that site. We’re not in the business of stealing images. It’s a simple personal blog, so there’s really no need to get so hostile.

I did use the photo from the Guardian, with a link. There was no photo credit on the Guardian’s site. It looks to us like a still from the movie. Check out the post again. What more would you like?

A photographers’ rights site that doesn’t understand copyright. My irony meter just exploded. What would I like? Well, for you not to have copied the image and stuck it on your site, and left the credit to the very end of the blog post.

I know one thing: I could never work in the music or film industries. I’d simply spontaneously combust at all the expectations of people that because you’ve made something, they can get it absolutely gratis. Some people have the attitude that they’re being forced to acquire the music industry’s output, and that it puts Evil Price Barriers in their way. Uh-uh. Nobody’s forcing you to buy these things, people.

Bonus link: Wendy Grossman’s story from the Technology section from last year: A picture paints a thousand invoices:

Copyright owners are cracking down on the unlicensed use of images. A sample case: Geoff Cox runs Quest Cars, a small cab company in Taunton. In 2001, he hired a small local web developer (since gone bust) who decorated the resulting website with a few small photographs. Then in July, Cox received a letter from the legal firm Baker and Mackenzie saying that one of those photographs used on the website was copyright to the large picture agency Corbis and asking for £1,300 for a one-year licence to use that photograph (to expire a month later) plus administrative fees. The letter quoted copyright law and stated that there would be no negotiations.

More on PKRSER, aka Partygaming, and the credit card data it wants – and where you got scammed

A very interesting collection of information building up now about credit card frauds carried out using PKRSER.COM – aka Partygaming. (Some background on my earlier post about PKRSER; the comments are cogent too.) Just for info: PKRSER.COM is the payment side of Partygaming, an online gambling site.

But first, enjoy this graph of Partygaming’s share price, from the London Stock Exchange, for the past year (the orange line is a continuous moving average):

Sorry it’s so big, but I can’t seem to resize it. Anyhow, wonderful dip in the share price last September; another one, less visible, the other day on the realisation that PG had withdrawn from France, reckoned to be at most 5% of its market. (This is the page with the details, which you can play with – it’s rather neat, and pleasing to find LSE doing such good stuff.)

However, Britain – and scammers using British credit cards on it – is still a working market. So where are the details of those credit cards that are scammed and used there collected?

For instance, if someone clones your credit card at a petrol station, is that enough?

I emailed PG’s support to ask what credit card details they require from people creating an account. They responded:

Card number
Card Expiration date
CVV2/Security card code
Card type
First name
Last name
Address registered on card
Postal code

Now, a petrol station cloner could get the card number, security code and perhaps name(s). But they’ll not be able to get the address and postcode (unless the scammers are even more sophisticated than we thought, and have people inside the credit card companies who can get them the address details from the card.)

Occam’s Razor suggests that it’s not petrol stations. The only place you’ll be giving out those details are… er, pretty much any credit card transaction you do when you’re not there. On the phone? You get asked the security code, and your address and so on. (Though you only get asked the name on the card. But of course you’re usually giving your full name so something can be sent to you.)

Sorry not to be more hopeful. The problem is that “card-not-present” transactions now demand so many details that they can easily be grabbed.

Even so, I do think PRKSER – Partygaming – could do more to identify the hands where the complained-about cards get used, and identify patterns of illegal behaviour. In the meantime, we’ll just have to watch that share price keep dropping.

Cash machine card skimming: the simple way you can avoid it

It’s not even a technological solution. But with the number of cash machines having skimmers and cameras fitted to them by crims, here’s a simple method – on a par with entering the wrong password first time you go to a site from a link in an email, to check whether it’s bona fide – to not get skimmed:

Don’t use cash machines.

So how do I get cash, you wonder?

Simple. Cashback, at the supermarket. It’s free (generally), secure and you can be about as sure as you can that your PIN isn’t being copied.

How banks and credit card companies tweak you: brand new ways

So we were applying today for a personal loan. (That’s an unsecured one, in the lingo.) Do the maths. Hmm, here’s one at 6.4%. Over five years, that’s about… yeah, that’s manageable.

But hey, here’s another one from the same bank, for 7.1%. What’s the difference? Ah, no redemption penalty. If you come into some money during the life of the loan, you can just pay it off, right there.

Doing the calculation showed that the difference in cost of the 6.4% loan vs the 7.1% loan was a touch under £200 over its life.

And how much would the redemption penalty be on the cheaper loan? 58 days’ interest – that’s two months’ interest, far more than the difference in loan price. Subtle difference that you might not spot if you didn’t go into the detail – and, most of all, ask them. What the banks like about an internet-only loan, of course, is that they don’t have to tell you this sort of thing.

So – redemption fees, one of the banks’ ways of grabbing money off you.

Now the second one, which I got in an email from someone who’d seen these posts.

Just received a letter from MBNA telling me I have a credit on my credit card of £12.44 for more than a year and that from the 30th March they will be introducing an annual service charge for accounts that have a credit balance by 26th March – the charge will be either £10 or the amount of the credit balance if less than the charge.!!!!!!!!!!!!!!!!

Hello, is anybody sane working for these people? They further explain that as a responsible bank they must inform me that I am earning no interest on this amount and that it is not (god help us) fraud protected!!!

They suggest I (1) use my card to clear the balance (2) transfer balance to another card or (this is a good one!!) (3) make a donation to MBNA’s nominated charity!!!!!

Being in credit with your credit card company: another way to get charged.

Oh, and one other experience that came across the inbox. You’ll recall I railed a bit at some organisation called I’m not alone: another email I received:

Just returned from a Miami based Caribbean cruise to find my maestro card charged with £390.00 Sterling – reference Didn’t mean anything to me. Cancelled the card with the bank and have set about getting a refund. Used the card twice to withdraw Dollars but nothing else. Could my details have been cloned? Could you tell me if this company regularly do this type of fraud or is it a legitimate error???

I don’t know if is regularly used for fraud – perhaps someone from the company would like to drop by and tell us? Whenever they Google their name they must find this result pretty high, after all – presently my earlier post is No.7. All link here and let’s see if we can push them up higher! (Though we’re at No.2 on “pkrser fraud”. Must try harder.)

And if you’re wondering how using someone else’s credit card to play online poker could enrich you, here’s how. You get your own credit card. You get someone else’s credit card (or four or five others, ideally). You use all those cards to log on to a particular table at an online poker site. You play very badly with all the hands but one, which wins and gets credited while the others get debited.

You would think, since that’s how it works, that the online poker companies could follow the fraud trail trivially easily, by seeing which cards that are complained about are at tables where they lost and one other card consistently won. Though I suppose that’s hard to discern from the ones where you have complete idiots playing the game. Which is what happens all the time…
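One way an operator could run the check described above (at tables where complained-about cards lose, which card consistently wins), as an added example with constructed hand records; the thresholds are assumptions chosen to filter out the “complete idiots” case, where a single card loses to many different winners, and nothing here is Partygaming’s code:

```python
from collections import defaultdict

# Constructed hand records: (table_id, hand_id, {card_id: net result}).
# Cards C1..C5 are the ones the issuers have complained about.
SAMPLE_HANDS = [
    ("T1", 1, {"W": 300, "C1": -100, "C2": -100, "C3": -100}),
    ("T1", 2, {"W": 250, "C1": -50, "C2": -100, "C4": -100}),
    ("T1", 3, {"W": 400, "C2": -200, "C3": -100, "C4": -100}),
    ("T1", 4, {"W": 150, "C1": -150}),
    ("T1", 5, {"C3": 40, "W": -40}),          # W loses one hand; no complained loser
    ("T2", 6, {"X": 80, "C5": -80}),          # C5 is just a bad player at T2:
    ("T2", 7, {"X": 60, "C5": -30, "Y": -30}),  # its losses go to different winners
    ("T2", 8, {"Y": 90, "C5": -90}),
]
COMPLAINED = {"C1", "C2", "C3", "C4", "C5"}


def hands_with_complained_losers(hands, complained):
    """Yield hands in which at least one complained-about card lost money."""
    for table, hand_id, results in hands:
        losers = {c for c, net in results.items() if c in complained and net < 0}
        if losers:
            yield table, hand_id, results, losers


def find_collusion_winners(hands, complained, min_hands=3, min_share=0.8, min_victims=2):
    """Flag (table, card) pairs that take the pot in nearly every hand where a
    complained-about card loses, across several distinct complained cards."""
    wins = defaultdict(int)        # (table, winner) -> hands won against complained losers
    victims = defaultdict(set)     # (table, winner) -> complained cards it beat
    total = defaultdict(int)       # table -> hands with a complained loser
    for table, _hand_id, results, losers in hands_with_complained_losers(hands, complained):
        total[table] += 1
        winner = max(results, key=results.get)
        if results[winner] <= 0 or winner in complained:
            continue
        wins[(table, winner)] += 1
        victims[(table, winner)] |= losers
    flagged = {}
    for (table, winner), n in wins.items():
        share = n / total[table]
        if n >= min_hands and share >= min_share and len(victims[(table, winner)]) >= min_victims:
            flagged[(table, winner)] = {
                "hands": n, "share": round(share, 2), "victims": sorted(victims[(table, winner)]),
            }
    return flagged


if __name__ == "__main__":
    for key, info in find_collusion_winners(SAMPLE_HANDS, COMPLAINED).items():
        print(key, info)
```

The min_victims threshold is what separates the pattern in the text (one card beating four or five stolen ones) from an ordinary losing player, whose chips end up spread across whoever happens to be at the table.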