On 2 February 2020 (02022020), we launched a sister site, www.financialcrimeriskandcompl.... Although it was built before that date, access to it was denied to anyone outside our own network.

Today, 12 February 2020, we received a message submitted through the online enquiry form at that site. It is fascinating that this new form has been attacked by criminals so early in its public life.

For the avoidance of doubt, this is not in any way a data breach: it is what is known as "form spam," which is a problem that afflicts every website that has a contact form.

So what's criminal about it?

First, it's making illegal copies of intellectual property and selling them. Secondly, it's breaching terms and conditions which expressly refuse authorised entry to websites for such purposes and are, therefore, guilty of intrusion. Third, it's assisting others to commit offences by producing fake websites that are capable of obtaining personal security information from innocent users.

The perpetrator (tetakhiling2015@mail.ru) is using an anonymous email account at mail.ru. In our email security systems, mail received directly from mail.ru and other free and anonymous e-mail is deleted at the first line of defence but while preventing this in public enquiry forms for a commercial venture is easy, it is less than ideal. The IP address used by the criminal is 95.67.223.138, registered as follows:

ISP: Rostelecom
Organisation: For Client Togliatti Communication TSINFORM
Likely static IP
Country: Russia ru flag
State/Region: Samara Oblast
City: Syzran'
Latitude: 53.1731 (53° 10′ 23.16″ N)
Longitude: 48.4744 (48° 28′ 27.84″ E)
Postal Code: 446009

This is public information collated and published by whatismyipaddress.com. The address is listed on only a handful of blacklist sites.

So, that's the techy stuff: what's the purpose of this criminal activity?

The answer is simple: to download, to order, the full content of any accessible website which uses a Content Management System to generate pages on the fly.

It is interesting that the spam, for at its heart that's what it is, specifies a short list of popular, mostly hosted, CMS / website builders:

- Tilda (Тильда)
- Wix (Викс)
- Joomla (Джумла)
- Wordpress (Вордпресс)
- Bitrix (Битрикс)

There are more. The one we, and the USA's White House, uses isn't on the list.

The spam, in Russian and English, is below.

Why is this fascinating? Aside from the IP address issues, the offer is to download online forms in a way that would allow them to be recreated on a fake website and the results directed to a destination chosen by the operators of the site.

That means that those using the service can, if it does what it says, produce a full, working, copy of the website of, say, a bank which will appear in high in the results of search engines as soon as it is spidered. It won't matter that the user won't be able to login because the criminals were not able to access the data required for credentials. What matters is that the credentials are captured.

While many companies, including banks, now separate username input (which is validated first) from password access, perhaps with a third validation indicator e.g. image verification and - because the username validation will fail, the image and/or password stage will not be reached, there are many, many more which do not.

Given the range of businesses which grant customers on-line access for a wide range of purposes, the number of possible victims, both amongst websites and their users, is astronomical.

-----------------------

Submitted on Tuesday, 11 February, 2020 - 16:17
Submitted by anonymous user: 95.67.223.138
Submitted values are:

Description: Miss
First or Christian name: Neoosup
Surname: Neoosup
Your email address : tetakhiling2015@mail.ru
Your enquiry:
Здесь вы можете заказать копию любого
сайта под ключ, недорого и качественно,
при этом не тратя свое время на различные
программы и фриланс-сервисы.

Клонированию подлежат сайты как на
конструкторах, так и на движках:
- Tilda (Тильда)
- Wix (Викс)
- Joomla (Джумла)
- Wordpress (Вордпресс)
- Bitrix (Битрикс)
и т.д.
телефон 8-996-725-20-75 звоните пишите viber watsapp
Копируются не только одностраничные
сайты на подобии Landing Page, но и
многостраничные. Создается полная копия
сайта и настраиваются формы для отправки
заявок и сообщений. Кроме того,
подключается админка (админ панель),
позволяющая редактировать код сайта,
изменять текст, загружать изображения и
документы.

Здесь вы получите весь комплекс услуг по
копированию, разработке и продвижению
сайта в Яндексе и Google.

Хотите узнать сколько стоит сделать копию
сайта?
напишите нам
8-996-725-20-75 звоните пишите viber watsapp

Here you can order a copy of any site turnkey, inexpensive and high quality,
while not wasting your time on various programs and freelance services.

Cloning sites are subject to both designers and engines:
- Tilda (Tilda)
- Wix (Wicks)
- Joomla (Joomla)
- Wordpress (WordPress)
- Bitrix (Bitrix)
etc.
phone 8-996-725-20-75 call write viber watsapp
Not only single-page sites like Landing Page are copied, but also multi-page
sites. A full copy of the site is created and forms for sending requests and
messages are set up. In addition, the admin panel is connected, which allows
you to edit the site code, change the text, upload images and documents.

Here you will get a full range of services for copying, development and
promotion of the site in Yandex and Google.

Do you want to know how much it costs to make a copy of the site?
write to us
8-996-725-20-75 call write viber watsapp
Your IP address has been recorded as: 95.67.223.138
Date: Tuesday, 11 February, 2020 - 16:17

-------------------