Spyware alert: goldfishfreebies

[Julian]

Do not download anything from the site goldfishfreebies . com. This site
pretends to be a freeware / shareware download site, but the downloads
are hosted on the site and all have numeric filenames. When executed,
they install spyware.

Software authors who have products listed on this site may be especially
concerned, as the links to their home page and the product descriptions
are real.

 

[Anthony Wieser]

Do not download anything from the site goldfishfreebies . com. This site
pretends to be a freeware / shareware download site, but the downloads are
hosted on the site and all have numeric filenames. When executed, they
install spyware.

Software authors who have products listed on this site may be especially
concerned, as the links to their home page and the product descriptions
are real.

It seems that they claim to supply some of my software, but of course, it
isn't my software that's being shipped.

Also, I notice they're hiding behind GoDaddy in terms of their identity.

I've now put a file on mywebsite, named badguy.png which is shipped in place
of my screen shots.

You can see the example here:

http://www.goldfishfreebies.com/content/view/522/35/

For those of you who aren't familiar with setting .htaccess files up, here's
how I did it

<BEGIN .HTACCESS>
SetEnvIf Referer .\goldfishfreebies\.com bad_guy1

SetEnvIf Request_URI "\.gif$" object_is_image=gif
SetEnvIf Request_URI "\.jpg$" object_is_image=jpg
SetEnvIf Request_URI "\.png$" object_is_image=png
SetEnvIf Request_URI "\.ico$" object_is_image=ico

RewriteEngine on
RewriteBase /

RewriteCond %{REQUEST_FILENAME} !/badguy.png
RewriteCond %{ENV:bad_guy1} !^$
RewriteCond %{ENVbject_is_image} !^$
RewriteRule /* /badguy.png [L]

RewriteEngine on
RewriteBase /
<END .HTACCESS>


It's a pity it doesn't save people who have their referers turned off in
Opera or whatever, but I guess it serves them right.

If they won't tell me where they've come from, I can't help them.


Anthony Wieser
Wieser Software Ltd
Easy Web Log Analysis with TopDrop
www.wieser-software.com/topdrop/?051111

 

[Glenn Jarvis]

Do not download anything from the site goldfishfreebies . com. This site
pretends to be a freeware / shareware download site, but the downloads
are hosted on the site and all have numeric filenames. When executed,
they install spyware.

Software authors who have products listed on this site may be especially
concerned, as the links to their home page and the product descriptions
are real.

The IP assigned is 67.19.30.2
Info as below...
[Querying whois.arin.net]
[Redirected to rwhois.theplanet.com:4321]
[Querying rwhois.theplanet.com]
[rwhois.theplanet.com]
%rwhois V-1.5:003eff:00 rwhois.theplanet.com (by Network Solutions, Inc.
V-1.5.9)
network:Class-Name:network
network:ID:THEPLANET-BLK-11
network:Auth-Area:67.18.0.0/15
network:Network-Name:TPIS-BLK-67-19-30-0
network:IP-Network:67.19.30.0/29
network:IP-Network-Block:67.19.30.0 - 67.19.30.7
network:Organization-Name:Blink Development
network:Organization-City:Calgary
network:Organization-State:AB
network:Organization-Zip:T2Z-3Y7
network:Organization-Country:CA
network : Description-Usage:customer
network:Server-Pri:ns1.theplanet.com
network:Server-Sec:ns2.theplanet.com
network:Tech-Contact;I:[email protected]
network:Admin-Contact;I:[email protected]
network:Created:20041018
network:Updated:20041018

 

[Glenn Jarvis]

Do not download anything from the site goldfishfreebies . com. This site
pretends to be a freeware / shareware download site, but the downloads
are hosted on the site and all have numeric filenames. When executed,
they install spyware.

Software authors who have products listed on this site may be especially
concerned, as the links to their home page and the product descriptions
are real.

Registrant:
Gratisites Inc.
70 Elgin Way S.E.
Calgary, Alberta T2Z3Y7
Canada

Registered through: GoDaddy.com
Domain Name: GOLDFISHFREEBIES.COM
Created on: 13-Oct-05
Expires on: 13-Oct-07
Last Updated on: 14-Oct-05

Administrative Contact:
Haynes, Chris (e-mail address removed)
Gratisites Inc.
70 Elgin Way S.E.
Calgary, Alberta T2Z3Y7
Canada
(403) 701-4440 Fax --
Technical Contact:
Haynes, Chris (e-mail address removed)
Gratisites Inc.
70 Elgin Way S.E.
Calgary, Alberta T2Z3Y7
Canada
(403) 701-4440 Fax --

Domain servers in listed order:
NS1.GRATISITES.COM
NS2.GRATISITES.COM

 

[Gabriele Neukam]

On that special day, Anthony Wieser, ([email protected]) said...

It's a pity it doesn't save people who have their referers turned off in
Opera or whatever, but I guess it serves them right.

It works with my Opera 8.5. Referrer is activated under Settings (Ctrl-
12), advanced, network.


Gabriele Neukam

(e-mail address removed)

 

[Ed Guy]

Registrant:
Gratisites Inc.
70 Elgin Way S.E.
Calgary, Alberta T2Z3Y7
Canada

Registered through: GoDaddy.com
Domain Name: GOLDFISHFREEBIES.COM
Created on: 13-Oct-05
Expires on: 13-Oct-07
Last Updated on: 14-Oct-05

Administrative Contact:
Haynes, Chris (e-mail address removed)
Gratisites Inc.
70 Elgin Way S.E.
Calgary, Alberta T2Z3Y7
Canada
(403) 701-4440 Fax --
Technical Contact:
Haynes, Chris (e-mail address removed)
Gratisites Inc.
70 Elgin Way S.E.
Calgary, Alberta T2Z3Y7
Canada
(403) 701-4440 Fax --

Domain servers in listed order:
NS1.GRATISITES.COM
NS2.GRATISITES.COM

Looks like this might be against Canadian law and could get him a free
vacation as a guest of Her Majesty:

"(5) Every one who commits mischief in relation to data,

(a) is guilty of an indictable offence and liable to imprisonment for
a term not exceeding ten years; or
(b) is guilty of an offence punishable by summary conviction."

http://security.uwo.ca/CRIMINAL.CODE.html

You could send a note to the Calgary City Police fraud squad
(http://calgarypolice.ca/index.html).

 

[Art]

Do not download anything from the site goldfishfreebies . com. This site
pretends to be a freeware / shareware download site, but the downloads
are hosted on the site and all have numeric filenames. When executed,
they install spyware.

Kaspersky antivirus alerts on these files as:
Trojan-Downloader.Win32.lstBar.is
No other antivirus products at Virus Total alert.

Art

http://home.epix.net/~artnpeg

 

[Ash]

Registered through: GoDaddy.com
Domain Name: GOLDFISHFREEBIES.COM
Created on: 13-Oct-05
Expires on: 13-Oct-07
Last Updated on: 14-Oct-05[/QUOTE]

GoDaddy have been known to act fast to close scammers down
etc when contacted by an affected party.

Problem is when the moron moves to yet another registrar.


Ash

 

[Glenn Jarvis]

GoDaddy have been known to act fast to close scammers down
etc when contacted by an affected party.

Problem is when the moron moves to yet another registrar.


Ash

That's not whom I'm after. I'm receiving assistance on contacting the
host. If that fails, I'll contact the Calgary PD this evening. If need
be, I call Calgary by phone.

 

[me]

That's not whom I'm after. I'm receiving assistance on
contacting the host. If that fails, I'll contact the
Calgary PD this evening. If need be, I call Calgary by
phone.

Glenn,

It might be a good idea to contact godaddy. They have cancelled
spammers rather quickly in the past. If nothing else, it would
irk the spammers and cost them some monies.

J

 

[Glenn Jarvis]

Glenn,

It might be a good idea to contact godaddy. They have cancelled
spammers rather quickly in the past. If nothing else, it would
irk the spammers and cost them some monies.

J

An email went to the hosting company, theplanet.com located in Texas and
I'm about to amble over to godaddy tonight and advise them as well, as
Ash suggested.I also suggest to those who software is listed to take
legal action if you so desire. I'm also going to contact Google, as the
site has Adsense on it. I'm sure Google will be quite interested.

Glenn

 

[me]

An email went to the hosting company, theplanet.com located
in Texas and I'm about to amble over to godaddy tonight and
advise them as well, as Ash suggested.I also suggest to
those who software is listed to take legal action if you so
desire. I'm also going to contact Google, as the site has
Adsense on it. I'm sure Google will be quite interested.

Glenn

Google might act.
theplanet.com don't give a sh*t, AFAIK.

Anyway, good luck.

J

 

[J French]

On Fri, 11 Nov 2005 18:41:43 -0500, Glenn Jarvis

That's not whom I'm after. I'm receiving assistance on contacting the
host. If that fails, I'll contact the Calgary PD this evening. If need
be, I call Calgary by phone.

Be aware that the scammer probably used a stolen credit card
- the address could well belong to a victim

 

[Mike the Canadian]

That's not whom I'm after. I'm receiving assistance on contacting the
host. If that fails, I'll contact the Calgary PD this evening. If need
be, I call Calgary by phone.

He's got my stuff too. Since I am in Calgary I can handle this here. I
talked to the police just now and they apparently classify this as
fraud as well as mischief and it is a very serious crime. I will make
an official report as soon as my district office opens at 8 AM.

I reported his site to godaddy and theplanet. If they take his site
down I won't have as much evidence. I can't find him on Google. Anyone
know of any cached links?

___
New Trialware Author Tips
http://www.trialware.org/newauthor.html

 

[Anthony Wieser]

He's got my stuff too. Since I am in Calgary I can handle this here. I
talked to the police just now and they apparently classify this as
fraud as well as mischief and it is a very serious crime. I will make
an official report as soon as my district office opens at 8 AM.

I reported his site to godaddy and theplanet. If they take his site
down I won't have as much evidence. I can't find him on Google. Anyone
know of any cached links?

___
New Trialware Author Tips
http://www.trialware.org/newauthor.html

I've saved a complete archive of my page from the site on my PC using
internet explorer's mhtml format, along with the file they've bundled with
it instead of mine. Helpfully, they've set the version info to say
"GoldfishFreebies" as the company!

If you want a copy of the stuff I've downloaded, please don't hesitate to
get in contact with me.


Anthony Wieser
Wieser Software Ltd

 

[Steven Burn]

I reported his site to godaddy and theplanet. If they take his site
down I won't have as much evidence. I can't find him on Google. Anyone
know of any cached links?

http://temerc.com/phpBB2/viewtopic.php?t=1438

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!

 

[Glenn Jarvis]

He's got my stuff too. Since I am in Calgary I can handle this here. I
talked to the police just now and they apparently classify this as
fraud as well as mischief and it is a very serious crime. I will make
an official report as soon as my district office opens at 8 AM.

I reported his site to godaddy and theplanet. If they take his site
down I won't have as much evidence. I can't find him on Google. Anyone
know of any cached links?

Hello Mike,
I sent a message to both GoDaddy and theplanet last night. Google
Adsense was also advised. As of 8:34am EST, his site still existed.
Since you are in Calgary, I left the police part in your hands as
someone local would have better luck than myself
Let us know how you make out.

Glenn

 

[Pete]

Do not download anything from the site goldfishfreebies . com. This site
pretends to be a freeware / shareware download site, but the downloads are
hosted on the site and all have numeric filenames. When executed, they
install spyware.

Software authors who have products listed on this site may be especially
concerned, as the links to their home page and the product descriptions
are real.

Report abuse to Google at:
https://www.google.com/support/adse...ctx=en-uk:quick_answer&Action.Search=Continue

Report abuse to theplanet at:
(e-mail address removed)

Report abuse to godaddy at:
(e-mail address removed)

 

[Pete]

I sent a message to both GoDaddy and theplanet last night. Google Adsense
was also advised. As of 8:34am EST, his site still existed. Since you are
in Calgary, I left the police part in your hands as someone local would
have better luck than myself
Let us know how you make out.

Glenn

I have also done the same.
If site still up in 24 hours we will set legal proceedings in motion.

 

[Ed Guy]

That's not whom I'm after. I'm receiving assistance on contacting the
host. If that fails, I'll contact the Calgary PD this evening. If need
be, I call Calgary by phone.

Mike Fullerton lives there. He might be able to help.