I’m Going to Jail?

For the first time in months, I check my email address listed in the whois registry. Skimming through all the junk, I notice a title that catches my eye, Scams. And I open it (some info censored for privacy):

From: Chase ******* <*****.*******@kcsg.com>
To: *******@carlpei.com
Subject: Scams
Date: 18/01/08 17:37

I know you have been sending fake IRS emails and set up a fake IRS set to
collect my information such as SS number and credit card number. I have
reported you to the local authorities in Stockholm and they are on their
way to pick you up for fraud. Have fun in jail. Peace.


Chase *******
KCSG News, IT

At first, I thought this was some kind of prank. Then I remembered my web host mentioning to me over MSN, in a non-serious manner, that someone reported to him that one of my domains (aglocoearners.com) was used for phishing. I asked him if it was something I was responsible for doing; he said no. I was confused but had other things to do and didn’t think about it more.

I search for “aglocoearners.com” on Google and find that it indeed was used for phishing, and the fish was already published on the anti-phishing website Castle Cops. By now I started to panic.

Checking through my email, I found more messages of the same kind. I immediately called the Swedish Police, but unfortunately their IT department only works on weekdays, so I’ll have to call again tomorrow. I’ve also emailed GoDaddy and various other people.

aglocoearners.com was a domain I picked up back when AGLOCO was being hyped up by blogging gurus like John Chow. I was going to start an AGLOCO forum on the domain together with a friend who I no longer have contact with. It never happened, and the domain was idle. We both had FTP access to the server hosting the domain. I don’t think it was the friend who did this. It’s more likely that he saved the account details somewhere that was later stolen.

Additional Info:
- The phishing email was sent out on the 17th (3 days ago).
- The domain folder shows a CHMOD of 775, unchangeable.

Phishing Email Header: (from one of those emails I got)

Received: from mail.pegaprecision.com ([71.158.242.2]) by mail.decossas.com with Microsoft SMTPSVC(6.0.3790.1830);
Thu, 17 Jan 2008 06:14:50 -0600
Received: from User ([151.12.152.26]) by mail.pegaprecision.com with Microsoft SMTPSVC(6.0.3790.3959);
Thu, 17 Jan 2008 04:12:31 -0800
Reply-To: <no_reply@usa.gov>
From: "Internal Revenue Service U.S.A"<service@usa.gov>
Subject: Notice From IRS
Date: Thu, 17 Jan 2008 13.13.29 +0100
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path: service@usa.gov
Message-ID: <JUPITERvmkBgAusejaa000027ef@mail.pegaprecision.com>
X-OriginalArrivalTime: 17 Jan 2008 12:12:31.0718 (UTC) FILETIME=[3C56B060:01C85902]
X-TM-AS-Product-Ver: SMEX-7.0.0.1345-5.0.1023-15672.002
X-TM-AS-Result: Yes-28.070100-8.000000-1

Any help is appreciated!

Currently, I’m still very confused about what to do and would appreciate it if anyone knowledgeable in the field would give a few suggestions. It would be nice if you could link to this post, hopefully to attract people who know what to do.

9 Responses to “I’m Going to Jail?”

  1. TheAnand Says:

    I thought you already were in jail… :lol: hence the break from blogging

    have fun…do they have Internet in there by chance??

  2. Carl Pei Says:

    :cry:

    I’m in trouble and you joke about it…

  3. TheAnand Says:

    No worries bro, good things happen to good people :wink: no fears. You will be fine. These kinds of things keep happening; fortunately, most people understand when you tell them the truth.

    You might want to get some advice from DP or some other forums for quicker advice.

  4. Steven Fergus Says:

    Hi Carl,

    It’s been a long time since I’ve been on here, how’re you?

    I’m slightly confused as to what’s happening here. You’ve been accused of phishing? What exactly have you done for them to accuse you of such a thing?

  5. Carl Pei Says:

    Hi Steven - I’m alright. It seems someone hacked the server to access the FTP of one of my domains and uploaded a fake website to harvest sensitive information. People searched the whois and thought it was me.

  6. Steven Fergus Says:

    Oh right, that’s not good at all. So you’re getting the blame for this? Is there any way they could track the hacker? I hope all goes well.

  7. Powerful posts - 21st Jan 08 Says:

    […] Pei - I’m going to Jail?  My friend Carl took a break from blogging, and has just got back into it. With his first post back, […]

  8. Ross Johnson Says:

    The same thing happened to me, but it was only ebay or paypal who contacted me. They knew someone had probably gained access to my hosting account.

    I just sent them all the files they uploaded and deleted it from my server; that was the last I heard of it.

  9. CurlyBrace Says:

    Hi,

    I think the email was a little exaggerated, don’t worry :)

    Though I am really scared at how they got into your domain…
