Showing posts with label Facebook Spam. Show all posts

Monday, May 28, 2018

Affiliate Movie Streaming Scam Service

Dear readers,

I'm sharing some information here wondering if anyone can identify the criminal affiliate program at the root of this scam service.

The scam begins with what seems to be an automated bot-response posted on Facebook.  One of the outstanding questions -- can anyone identify a bot that is making these spammy posts?  These are a few examples from many thousands observed over the past week.

Step One: Unknown malware uses stolen Facebook credentials to post a spammy comment link.







We'll just do one walk through here, but each of these functions in the same way.  The spam post, which often will be added as a comment to a publicly shared post that mentions a movie, links to a Facebook page.  Let's walk through the Ogbani Wanyu post first.

Step Two: The Spam link points to a Facebook page created to share a shortened URL.

Recently popular movies have Facebook pages created that claim to offer the ability to watch full movies and share a shortened URL, usually bit.ly links, but we've also seen Goo.gl links.


Step Three: A shortened URL redirects to a Blogspot page (sometimes other types of pages)


The bit.ly shortened URL on the fake IMDB page has received 4,298 clicks as of this writing.  Important to note that we've seen A COUPLE HUNDRED of these pages so far!  Each shortened URL points to a different redirection page.  So far about 80% of those we've traced go to Blogspot pages.

Step Four: A Blogspot page hosts a movie streaming service affiliate page

These Blogspot pages promise free streaming of many movies that are still out in the theaters.  Currently these include Solo (the new Star Wars movie), Avengers Infinity War, Deadpool 2, Rampage, and many other movies that were very recently released in the theaters.




Some of the top affiliates in this program actually send their bit.ly shortened URL to a free ".tk" domain which then uses randomization to send the traffic to one of their dozens of Blogspot blogs.  That is the situation with Gmail user ugutganteng2345@gmail.com who has at least 50 blogs just associated to that gmail account!  Each link takes the visitor to yet another movie streaming redirector site:



Step Five: Try to stream a Movie ... redirects to the streaming service and credits the affiliate

So, let's try to stream "Ant-Man and the Wasp" which, as of this writing, hasn't even been released to theaters yet.  


We are now redirected to the streaming service ... in this case, the site is "box.imdbmov.com" but that is one of dozens as well.  Note the "sub=doelsumbang" ... that part of the URL is revealing the affiliate name that should receive credit for the income generated from this click.
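
The redirect chain and the "sub=" affiliate parameter described above can be used to cluster pages by the affiliate who gets credit. The following is an added example, not code from the original post: it labels each hop of a recorded chain and groups landing hosts by credited affiliate. The chains are constructed sample data; only "box.imdbmov.com" and "sub=doelsumbang" come from the post, while the paths, the other hostnames and the lowercasing of affiliate names are assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

SHORTENERS = {"bit.ly", "goo.gl"}  # the two shorteners named in the post

def classify_hop(url):
    """Label one hop of a redirect chain by the role the post describes."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in SHORTENERS:
        return "shortener"
    if host.endswith(".tk"):
        return "tk-redirector"
    if host == "blogspot.com" or host.endswith(".blogspot.com"):
        return "blogspot-lander"
    if "sub" in parse_qs(parts.query):
        return "affiliate-credit"
    return "other"

def affiliate_id(url):
    """Return the 'sub' query value (lowercased, an assumption), or None."""
    values = parse_qs(urlsplit(url).query).get("sub")
    return values[0].strip().lower() if values else None

def cluster_by_affiliate(chains):
    """Map affiliate id -> sorted entry hosts and crediting service hosts."""
    clusters = defaultdict(lambda: {"entry_hosts": set(), "service_hosts": set()})
    for chain in chains:
        credited = [u for u in chain if affiliate_id(u)]
        if not credited:
            continue  # chain never reached a crediting URL; nothing to attribute
        final = credited[-1]
        bucket = clusters[affiliate_id(final)]
        bucket["service_hosts"].add(urlsplit(final).hostname)
        for u in chain:
            if classify_hop(u) in ("blogspot-lander", "tk-redirector"):
                bucket["entry_hosts"].add(urlsplit(u).hostname)
    return {a: {k: sorted(v) for k, v in b.items()} for a, b in clusters.items()}

# Constructed sample chains (recorded hop by hop; no network access needed).
CHAINS = [
    ["https://bit.ly/EXAMPLE1", "http://example-lander-one.blogspot.com/",
     "http://box.imdbmov.com/watch?sub=doelsumbang"],
    ["https://bit.ly/EXAMPLE2", "http://redirector.example.tk/",
     "http://example-lander-two.blogspot.com/",
     "http://stream.example.net/signup?id=7&sub=DoelSumbang"],
    ["https://goo.gl/EXAMPLE3", "http://example-lander-three.blogspot.com/"],
]

if __name__ == "__main__":
    for affiliate, hosts in cluster_by_affiliate(CHAINS).items():
        print(affiliate, hosts)
```

Chains that stop before a crediting URL, like the third sample, are skipped rather than guessed at.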

Many of the affiliate blogspot pages point to streaming services that have names similar to the old PutLocker criminal streaming service.



Step Six: Register your "Free Account" 

Oops!  We can't watch the movie yet!  We haven't registered our "Free Account!" 



Stream your favorite movies FOR FREE!  Sign up FOR FREE!   FREE Unlimited Access!


Step Seven: Provide your Credit Card for the Free Service!


Step Eight: Get Billed $39.95 per month

So, how much do you suppose this Free service will cost you?

That's right....$39.95 per month ... FOREVER.


But wait!  I thought it was FREE!?!?!? 

Did you read the Terms & Conditions?   Free trials are for 24 hours, after which, they automatically convert to premium accounts, billable at $39.95 per month.

Upon completion of the free trial period, your signup to the Site will renew automatically on a monthly basis billed as stipulated in your signup process, until cancelled regardless of the length of your free trial period. Please note, prices for the service may vary depending on country, device, service offered and promotions. The first day following the expiration of your free trial period will be your anniversary date for billing purposes during your Monthly Package Term. Your Payment Method will be charged the recurring monthly package fees and any applicable sales tax on the day following the expiration of your free trial period unless you have chosen to cancel your package prior to the conclusion of the free trial period. YOU MUST CANCEL YOUR MONTHLY PACKAGE PRIOR TO THE END OF THE FREE TRIAL OFFER TO AVOID CHARGES TO YOUR PAYMENT METHOD. You will not receive any notification from Silveris s.r.o. online at the expiration of your free trial. Please note the expiration date of your free trial for your records.

The Ask: Do you know more about this scam?

If you have additional information about any parts of this scam, we'd love to hear from you.  Examples of things we'd like to know:

1. Where does this program sign up affiliates?

2. What malware is making the Facebook spam comment posts?

3. Who runs the affiliate program?

Other Gaming, Movie, Book, websites offering the same scammy terms of service:



A Small  Sampling of Blogs related to this scam:


Tuesday, August 25, 2015

The Case of Spamford Wallace: Guilty at Last!

My anti-spam community friends were all abuzz today with the news that Spamford Wallace had pleaded guilty in a Las Vegas court to "compromising approximately 500,000 Facebook accounts" in order to deliver "more than 27 million spam messages."

What might amaze the General Reader is that this is the SAME Spamford Wallace case that began with an indictment on July 6, 2011.

The Spamford Wallace Indictment


July 6, 2011 Original Charges

According to the Indictment, Wallace created an account on November 4, 2008 under the name "David Frederix" and then tested posting spam messages to his 'real' wall "Sanford MasterWeb Wallace" experimenting with which posts would best evade Facebook's filters.

He then made a script that would automate the process of logging in to a Facebook account, obtaining a list of all of the Friends of that account, and then posting his advertising message to each of those friends' walls.  Spamford then created a domain registrar account at Moniker Online and another at Dynadot (using the name Laura Frederix) and between the two created 2,500 domain names that would be used in these spamming attacks against Facebook users.

On November 5 and 6, 2008, Sanford sent approximately 125,000 spam messages to Facebook users using this method.  On December 28, 2008, another run was made, posting nearly 300,000 spam messages, by logging in through 143 different IP addresses that were used as proxies to disguise his origins.  On February 17, 2009, another 125,000 messages were posted.

At this point, a civil injunction was served on Sanford Wallace in the case of Facebook Inc v. Sanford Wallace (Northern District of California No 09-00798 JF) where Judge Jeremy Fogel ordered Sanford Wallace to no longer access Facebook's computer network.  (Orders issued on March 2, 2009 and March 24, 2009).  Sanford logged in on April 17, 2009, in violation of this order, while flying on a Virgin Airlines flight  from Las Vegas to New York.

In 2011, Sanford was back on Facebook, using a profile called "David Sinful-Saturdays Fredericks"

Counts 1, 3, and 7 - Fraud and Related Activity in Connection with Electronic Mail, carry a possibility of 3 years imprisonment.

Counts 2, 6, and 9 - Intentional Damage to a Protected Computer, carry a maximum sentence of 10 years imprisonment.

Counts 4, 5, and 8 - Fraud and Related Activity in Connection with Electronic Mail, carry a 3 year imprisonment possibility, and a possible $250,000 fine.

Counts 10 and 11  - Criminal Contempt, have unspecified potential penalties.

What's Happened Since?

Lots and lots of lawyering. . . behold the process of a Fair and Speedy Trial!!!!
  • 04AUG2011 - the indictment was unsealed
  • 04AUG2011 - notice of related cases was received.  These included:
  1. the case of Facebook v. Sanford Wallace, Adam Arzoomanian, Scott Shaw, and John Does 1 through 25, for Violation of the CAN-SPAM ACT, violation of the Computer Fraud and Abuse Act, Violation of the California Business Code Section 229489 AKA the California Anti-Phishing Act, and Violation of California Penal Code section 502, the California Comprehensive Data Access and Fraud Act.  That case describes:  "At least one of the Defendants, Sanford (aka "Spamford") Wallace, is a notorious Internet scam artist who has been involved in various illegal spamming and malware activities since the mid 90s.  Indeed, Mr. Wallace has both Federal Trade Commission and civil judgements against him for these activities that total in excess of $235 million."  Myspace, Inc. v. Wallace; FTC v. Seismic Entertainment Prod., Inc; CompuServe v. CyberPromotions, Inc (Ohio, 1997)
  2. This case resulted in a Default Judgement in favor of Facebook signed by Judge Jeremy Fogel on 29OCT2009. 
  • 22AUG2011 - bail hearing
  • 28SEP2011 - case reassigned to a new Judge (Judge D. Lowell Jensen)
  • 30SEP2011 - Order to Waive Appearance proposed (and granted)
  • 03OCT2011 - Status hearing held
  • 04OCT2011 - case reassigned to Judge Edward J. Davila
  • 31OCT2011 - Pretrial services form 8 submitted.
  • 28NOV2011 - Status hearing held
  • 09JAN2012 - "Fair and Speedy Trial Act" exemption requested due to AUSA Attorney being engaged in another trial, and for additional time for the defendant's need for effective preparation of counsel. "The ends of justice served by granting the requested continuance outweigh the best interest of the public and the defendant in a speedy trial." - extension granted until 09APR2012.
  • 02APR2012 - extended to 07MAY2012 by mutual consent.
  • and again to 06AUG2012, and again to 01OCT2012, and again to 19NOV2012
  • Status hearings held 14JAN2013, 11MAR2013
  • 11MAR2013 - hearing grants a modification to pretrial release conditions to allow Spamford to travel to Albuquerque, New Mexico for work.
  • More delays 31MAY2013, 08AUG2013, 20SEP2013, in each case ordering that time be "excluded" from consideration in the Fair and Speedy Trial Act to allow for effective preparation for the case.
  • 02NOV2013 - Sanford's attorney (K.C. Maxwell) files a sealed document asking to be relieved from the case 09DEC2013.
  • Extension granted to 03FEB2014
  • 17MAR2014 set as the date to hear the Motion to Withdraw as Counsel.
  • Continued to 31MAR2014, when Wallace assigns his new counsel, William W. Burns, Esquire.
  • 25JUN2014 new counsel asks for more time to prepare
  • 18JUL2014 William Burns petitions the court to withdraw as counsel
  • 21JUL2014 Burns Relieved
  • 21JUL2014 a Financial affidavit is delivered to the court pertaining to Spamford Wallace
  • 01AUG2014 - "The individual named above as defendant, having testified under oath or having otherwise satisfied this court that he or she (1) is financially unable to employ counsel and (2) does not wish to waive counsel, and because the interests of justice so require, the Court finds that the defendant is indigent, therefore, IT IS ORDERED that the attorney whose name, address and telephone number are listed below is appointed to represent the above defendant." (Wm. Michael Whelan, Jr. / 95 South Market St, Ste 300 / San Jose, CA 95113 / (650) 319-5554 cell)
  • 19AUG2014 - time extended to allow Whelan to prepare
  • 22SEP2014 Status conference held, Jury Trial date set for 05MAY2015 through 22MAY2015.
  • 29SEP2014 Whelan petitions the court that drug testing no longer be required since Sanford has never tested positive. (Granted 15OCT2014)
  • 02MAR2015, status hearing extends case until an 08JUN2015 status hearing
  • 12JUN2015 - new financial affidavit entered under seal
  • 30JUN2015 - a change of plea hearing is requested for 27JUL2015
  • 24AUG2015 - Sanford Wallace pleads guilty to a single count - Count 3.  Sentencing scheduled for 07DEC2015 at 1:30 PM

Guilty of Count Three

So, if we go back to the indictment, what does it mean that Sanford has pleaded guilty to Count Three?




COUNT THREE: (18 U.S.C. §§1037(a)(1) and (b)(2)(A)) - Fraud and Related Activity in Connection with Electronic Mail.

22. The factual allegations contained in Paragraphs One through Eleven above are realleged and incorporated herein as if set forth in full.

23.  On or about December 28, 2008, in the Northern District of California and elsewhere, the defendant, SANFORD WALLACE, knowingly accessed a protected computer without authorization, and intentionally initiated the transmission of multiple commercial electronic mail messages from or through such computer, in and affecting interstate and foreign commerce, to wit: the defendant accessed Facebook's computer network in order to initiate the transmission of program that resulted in nearly 300,000 spam messages being sent to Facebook users.



What were 1 through 11?  The only really important paragraph is number 5:

5. From approximately November 2008 through March 2009, WALLACE developed and executed a scheme to send spam messages to Facebook users that compromised approximately 500,000 legitimate Facebook accounts, and resulted in over 27 million spam messages being sent through Facebook's servers.