Is there a way to report the scammer responsible for the phony Firefox update redirect?
As was pointed out to me, the phony update download domain changes on a daily basis.
This time the phony site was IERAIDREAMLAND.ORG
I immediately went to the ICANN whois page and looked it up -- this phony update page was created by the EXACT SAME individual that did the last one (keeshelcuara.net) that popped up.
When I looked up keeshelcuara.net yesterday, the record came up. Today ICANN Whois says it doesn't exist. However, I saved the page from that whois lookup, and from today's phony update popup.
Aside from the domain name, all the other information matches - from the person's name to their address to their phone number. While this information is probably also phony, it would be great if there was an avenue for reporting this jerk.
At: https://whois.icann.org/en/lookup?name=ieraidreamland.org (created 2016.09.08)
The person's info is:
Showing results for: IERAIDREAMLAND.ORG Original Query: ieraidreamland.org Contact Information Registrant Contact Name: Chad N. Wessels Organization: NA Mailing Address: 4145 Diane Street, Atascadero California 93422 US Phone: +1.8054618382 Ext: Fax: Fax Ext: Email:[email protected]
The jerk's registrar is:
Registrar WHOIS Server: URL: http://www.PublicDomainRegistry.com Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com IANA ID: 303 Abuse Contact Email: Abuse Contact Phone
Is there anything that can be done?
Chosen solution
Just to follow up, James -- Since I submitted the report at http://www.PublicDomainRegistry.com as you suggested, the phony update page has not come up even once for me.
I don't know if that means that the person named as registrant has been stopped or apprehended [if it was actually real info and not an alias], but I find it interesting that it hasn't happened since. Even if it just stops the jerk for a short time, it may be a way to keep knocking his phony update page off the web each time he tries bringing it back.
I greatly appreciate the responses you gave. It really helped.
Thanks.
Henry
Edited for spelling 2016.09.13@21:16
You can try to report the sites at https://publicdomainregistry.com/report-abuse-2/
Even if they deal with the sites registered by a person, the person or group behind this can just register with new details.
I have no idea why the text layout changed. I'll try it again:
Showing results for: IERAIDREAMLAND.ORG
Original Query: ieraidreamland.org
Contact Information Registrant
Contact Name: Chad N. Wessels
Organization: NA
Mailing Address: 4145 Diane Street,
Atascadero California 93422 US
Phone: +1.8054618382 Ext:
Fax: Fax Ext:
Email:[email protected]
The jerk's registrar is:
Registrar WHOIS Server: URL: http://www.PublicDomainRegistry.com Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com IANA ID: 303 Abuse Contact Email: Abuse Contact Phone
BTW, I saved the complete whois listing page for both of the domains I mentioned above, so if any info is needed from it, I will be happy to put it up -- especially since the domain listings seem to disappear from the whois database within days of being created.
James, I did fill out the form at the website you listed. I have no idea if they received it since there was no acknowledgement block - the page just went back to a blank submission form page. I hope they got it though.
I attached a text file that had the Raw WHOIS Record for today's 'domain'. While that info will probably be gone from the whois page in the next day or so, the owner info was the same as previously, so maybe that will help them narrow down who this jackass is.
Thanks for your assistance.
Henry
Edited for spelling @20:31
FYI, there is a lengthy contributors support thread over here - https://support.mozilla.org/en-US/forums/contributors/712056 - where the topic of fake updates is being followed and updated by many support contributors here.
Well, the jackass is at it again and the whois info at ICANN is identical to previous.
For the moment, you can see it here:
https://whois.icann.org/en/lookup?name=raefughst.net
Too bad law enforcement is apparently content to let him spread his viral BS.
Hopefully I am not speaking too soon but after again reporting the joker to his registrar, I also sent the information from the whois report to the FBI, and so far I haven't had the phony redirect come up once.
Of course that could also be because of the latest Firefox patches and, even though they have caused other issues, they may be the reason the phony update page hasn't come up.
PDR has been the registering company for a long time. Their abuse department cancels the URL and there is no cost for the initial registration. The name/address of the person has altered but is currently constant. Abuse said they would take steps to prevent reoccurrence. They lied; new URLs daily. PDR has a NJ phone number but the fax is in Minn. The company seems to actually be in the Middle East (Saudi or Amaridsomething). The trace always ends in NJ, and so far is always via the ISP of Coopa and their machines are in NJ and Chicago.
Reliable, and PDR refuse to give any info. I've asked. PDR has a legal requirement to know the person registering. Their legal department has not responded to my inquiry, nor their CS dept which has grown tired of my "cancel this URL with its spread of malware" emails.
I never filed anything with ICANN because of the complexity. And IMO they would do no more than say "stop it." As for legal action (FBI? Really? Any proof of $ loss? IMO that is what they would require), I would hope but think no aid is coming, and if anything is outside the US, well, the word impossible comes to mind. I've sent email to web sites asking about their advertisers and if they know of the orange screen. Their own forums are sometimes mini-Mozilla forums. Deniability, silence, or a 'give us an example' have been read. The result so far, from trying to get the orange screen, is more sites are using multiple ads in one space which rotate and/or get downloaded. Puts a burden on my CPU and lags are like using a 56K dialup modem. My latest is waiting for a response from the httpS firm always involved, but you know privacy ....
Henry, the URL you supplied has been reregistered and the server is in Australia. This happens routinely after a few days. I do not recommend going there - it downloads something new.
altered url: aphocpreviewNULLyoursites.net
HenryELenz said
I have no idea why the text layout changed. I'll try it again: Showing results for: IERAIDREAMLAND.ORG Original Query: ieraidreamland.org Contact Information Registrant Contact Name: Chad N. Wessels Organization: NA Mailing Address: 4145 Diane Street, Atascadero California 93422 US Phone: +1.8054618382 Ext: Fax: Fax Ext: Email:[email protected] The jerks Registrar is: Registrar WHOIS Server: URL: http://www.PublicDomainRegistry.com Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com IANA ID: 303 Abuse Contact Email: Abuse Contact Phone BTW, I saved the complete whois listing page for both of the domains I mentioned above, so if any info is needed from it, I will be happy to put it up -- especially since the domain listings seem to disappear from the whois database within days of being created.
There is a new Fake Firefox update page as of 10/05/2016 chooymusica2012nueva.org
Chad N. Wessels is associated with 58 domains. All of them hosting bad stuff. Unless there is a Diane Street in Atascadero, CA this is fake: Contact Information Registrant Contact Name: Chad N. Wessels Organization: NA Mailing Address: 4145 Diane Street, Atascadero California 93422 US
All of these domains have hosted the same exploit in the last 90 days: eepahuntweeps.net ekiriubuntuupdates.net vangecanadianfamily.net engeesuperedo.net afahshowtosay.net elaetbucketexplorer.net
Maybe Mozilla isn't able to stop it?
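Added example, not part of any post in this thread: one way to check saved WHOIS pages for the shared registrant the posts above describe, by parsing each record (in either the run-together or the line-per-field layout quoted earlier) and grouping domains by a normalised fingerprint of name, address and phone. The function names, the choice of fingerprint fields and the sample records are assumptions made for this sketch; the records are constructed placeholders, not data from the thread.

```python
import hashlib
import re
from collections import defaultdict

# Field labels as they appear in the lookup output quoted in this thread.
LABELS = ["Showing results for", "Original Query", "Mailing Address",
          "Organization", "Fax Ext", "Name", "Phone", "Email", "Fax", "Ext"]
LABEL_RE = re.compile(r"\b(" + "|".join(map(re.escape, LABELS)) + r")\s*:")

def parse_whois(text):
    """Split label/value pairs (one line or many); first label seen wins."""
    hits = list(LABEL_RE.finditer(text))
    fields = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        fields.setdefault(m.group(1), " ".join(text[m.end():end].split()))
    return fields

def fingerprint(fields):
    """Hash name, address and phone with case and punctuation removed."""
    parts = [re.sub(r"[^a-z0-9]", "", fields.get(k, "").lower())
             for k in ("Name", "Mailing Address", "Phone")]
    return hashlib.sha256("|".join(parts).encode()).hexdigest()[:12]

def cluster(records):
    """Map registrant fingerprint -> sorted domains that share it."""
    groups = defaultdict(list)
    for text in records:
        f = parse_whois(text)
        groups[fingerprint(f)].append(f.get("Showing results for", "?").lower())
    return {fp: sorted(domains) for fp, domains in groups.items()}

# Constructed sample records: placeholder registrant, reserved .test names.
FLAT = ("Showing results for: FAKE-UPDATE-ONE.TEST Original Query: "
        "fake-update-one.test Contact Information Registrant Contact Name: "
        "Example Registrant Organization: NA Mailing Address: 1 Example Street, "
        "Sampletown California 00000 US Phone: +1.5555550100 Ext: Fax: Fax Ext:")
MULTI = """Showing results for: FAKE-UPDATE-TWO.TEST
Original Query: fake-update-two.test
Contact Name: Example  Registrant
Organization: NA
Mailing Address: 1 Example Street,
Sampletown California 00000 US
Phone: +1.555.555.0100 Ext:"""
OTHER = ("Showing results for: UNRELATED.TEST Original Query: unrelated.test "
         "Contact Name: Someone Else Organization: NA Mailing Address: "
         "9 Other Road, Elsewhere 11111 US Phone: +1.5555550199 Ext:")

print(cluster([FLAT, MULTI, OTHER]))
```

Because the listings vanish from the public lookup within days, this only works on records saved at the time, and a matching fingerprint shows reused registration details, not who is actually behind them.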
BlueDreamer23 said
Maybe Mozilla isn't able to stop it?
That is correct!
The only legal grounds that Mozilla would have to shut that guy down is over the misuse of Mozilla registered trademarks.
"Social engineering", by way of trying to fool users or intimidate users into downloading a fake "update" from a domain that clearly isn't legitimate, isn't against the law, anywhere.
Bottom line is install an ad blocker like uBlock Origin or Adblock Plus and never see those fake "update" pages again. When this "thing" started back in June I had to turn off uBlock Origin to "see" what users were complaining about, and even then it was hard to "see" it because multiple new domains are created daily and the existing domains disappear quickly, to stay ahead of getting blocked by Safe Browsing databases that would block those domains.
What can each user do when they encounter a website like that? Help > Report Web Forgery... to get the domain added to the Safe Browsing database at Google. A service that Google and Mozilla jointly developed over 10 years ago - before Google even had their own web browser, which was in the initial stages of development.
Maybe Mozilla isn't able to stop it?
Even Google with all of their resources has not stopped it, as Chrome users on Windows are getting hit by a very similar fake update scam on the same disposable websites.
For example in end of thread https://productforums.google.com/forum/#!topic/chrome/HcXgFFaO9WU the image has bahtisoo-boo.net which was reported by a Firefox user in https://support.mozilla.org/en-US/questions/1141947
Thanks go to BlueDreamer23 for registering here and taking the time.
I read some of the related links, including the comments from the software engineer (who, like all of us, experienced the orange page and did a little follow up. (Oh, if he or she only knew ....lol))
The OrangeScreen sites work for one day and don't cost the bad guy any money, get unregistered although some whois sites retain the whois info a bit into the void period. They will get registered, but we don't know for what purpose but I could make an educated guess. The original O.S site registration name has been consistent but has been totally useless in helping prevent the O.S from happening again. (blame upon the company akin to selling known defective stuff to you with a no-refund policy.)
One bad guy site (O.S site) was registered behind a proxy service. Since they paid for that, they didn't bother to un-then-re register the site overseas. Interestingly, the routing using that URL jumped around the US, jumped to the UK then came back to California.
At one point I found a 'mozilla' JavaScript command which ignored the rest of the program section, to which I thought "how smart of the bad guy." For someone looking at source code, unless the fluke was known, the bulk of the coding instruction being inspected was a "red herring". The source we can view and the source that's more readable is not, IMO, always the same. Sorry that I am not explaining this fully to make it understandable here, even for/to another programmer.
I did find one web site that described and predicted exactly what is happening. Sadly it says there is not a solution and says it is not the fault of the advertisers which we heretofore have been blaming. IMO that helpful site PAGE is near completely like the Wikipedia of our problem.
As for "no company has been able to solve this" (someone wrote), I'm not convinced they have applied enough resources. I think I am too old to understand JavaScript (or know how the little man in the box (real OS or DBMS) works) but I was happy to read that (paraphrased) on a 'native level' (deep code which runs the programs,) the Orange Screen cannot load malware from another web site. Anyone notice the URL beginning is always the same?