May 31 2015

DNS hijacking, or plain host hijacking, is pretty common these days. It’s a safe, low-tech attack to get the usernames and passwords of key hosting accounts. Recently I received an email that was a 10/10 as far as phishing email quality goes. None of the broken English; in fact, see the screenshot. Well written, with an official disclaimer and an address to boot.

Screenshot: the Decipher Inc. phishing email (scam phishing email)

A few points to note on why this email is well crafted but still a scam.

1. Yes, I am a customer of Linode. How do they know?
Normally these emails are crafted using WHOIS information. However, my WHOIS record is private for the domain in question. This is where it gets interesting.
The nameserver is with Linode, and it is a good guess that if the nameserver is on Linode (ns* is pretty obvious) then I am a customer of Linode. It grabs my attention.

2. This email did not go to the spam folder. Private WHOIS lists a proxy email address. When they sent the email to the WHOIS contact, it reached the proxy address, which forwarded it to me. Gmail's spam filter is pretty good at picking scam emails up, but this one passed right through. If you look at the screenshot, they have taken every precaution not to use common words like “account” that alert Gmail. Linode of course has my real email address, so they would not send anything to my WHOIS proxy email. Another reason you should get private registration.

3. The database has not been updated for at least 3 months. I am not using the Linode nameserver for this domain anymore, at least not for the past 6 months. It would seem that the data is mined and collected.

4. Decipher Inc. This is indeed a legitimate company and offers surveys, like SurveyMonkey, for free. It is not as blatant as a free email sign-up, but of course it must not be hard to get: you request a free demo and they give you a test account. That’s it. The email ends up looking perfectly legit.

* Google also allows you to create surveys, but you cannot add text boxes for a password field, and it will prevent a form from being created with a field named “password”, AFAIK.

I emailed Linode support about this. They confirm that this is happening and that they are aware of it. They claim SOA records from DNS are being used, but in my case the SOA record has no email address. I believe they use the NS record for sure to know if the domain is on Linode, and that’s about it. Emails are still sent to the WHOIS contact blindly.
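To see what a third party can learn from public DNS alone, without WHOIS, the following added example (not code from the original post) reads the answer lines printed by `dig +noall +answer NS example.com` and `dig +noall +answer SOA example.com`, infers the hosting provider from the nameserver names, and decodes the SOA RNAME field into a mailbox, including the escaped-dot case that naive string splitting gets wrong. The provider map and the list of role mailboxes are illustrative assumptions, and the records in SAMPLE_DIG_OUTPUT are constructed.

```python
"""Added example (not from the original post): what public NS and SOA records
give away about a domain. Input is dig answer lines; sample data is constructed."""
import re

# Nameserver suffix -> hosting provider. Illustrative map (an assumption of this
# example); ns*.linode.com is the case the post describes.
KNOWN_NS_PROVIDERS = {
    "linode.com.": "Linode",
    "digitalocean.com.": "DigitalOcean",
    "ns.cloudflare.com.": "Cloudflare",
}
# Role mailboxes that reveal nothing about a person (assumed list).
GENERIC_MAILBOXES = {"hostmaster", "dns", "dnsadmin", "admin", "postmaster", "root"}

# One dig answer line: <owner> <ttl> IN <type> <rdata>   (tabs or spaces)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(NS|SOA)\s+(.*)$")


def rname_to_email(rname: str) -> str:
    """Decode the SOA RNAME field into a mailbox (RFC 1035 section 3.3.13):
    the first unescaped '.' separates local part and domain, and a backslash
    escapes a literal dot inside the local part."""
    name = rname.rstrip(".")
    local = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):       # escaped character
            local.append(name[i + 1])
            i += 2
            continue
        if ch == ".":                               # first unescaped dot -> '@'
            return "".join(local) + "@" + name[i + 1:]
        local.append(ch)
        i += 1
    return "".join(local)                           # no domain part at all


def parse_answer(lines):
    """Pull NS hostnames and the SOA fields out of dig answer lines."""
    nameservers, soa = [], None
    for line in lines:
        m = RR_RE.match(line.strip())
        if not m:
            continue
        _owner, _ttl, rtype, rdata = m.groups()
        if rtype == "NS":
            nameservers.append(rdata.strip().lower())
        elif rtype == "SOA":
            fields = rdata.split()
            soa = {"mname": fields[0].lower(), "rname": fields[1], "serial": int(fields[2])}
    return nameservers, soa


def exposure_report(lines):
    """Summarise what the records give away: hosting provider and contact address."""
    nameservers, soa = parse_answer(lines)
    providers = sorted({prov for host in nameservers
                        for suffix, prov in KNOWN_NS_PROVIDERS.items()
                        if host.endswith(suffix)})
    report = {"nameservers": nameservers, "inferred_providers": providers,
              "soa_contact": None, "contact_is_generic": None}
    if soa:
        email = rname_to_email(soa["rname"])
        report["soa_contact"] = email
        report["contact_is_generic"] = email.split("@")[0].lower() in GENERIC_MAILBOXES
    return report


# Constructed sample: a domain delegated to Linode whose SOA names a personal mailbox.
SAMPLE_DIG_OUTPUT = [
    "example.com.\t3600\tIN\tNS\tns1.linode.com.",
    "example.com.\t3600\tIN\tNS\tns2.linode.com.",
    "example.com.\t3600\tIN\tSOA\tns1.linode.com. john\\.doe.example.com. "
    "2015053101 14400 14400 1209600 86400",
]

if __name__ == "__main__":
    import json
    print(json.dumps(exposure_report(SAMPLE_DIG_OUTPUT), indent=2))
```

Run against your own zone, the report shows two things: the nameserver names cannot be hidden (a delegation to ns*.linode.com says "Linode customer" to anyone who asks, which is the point of the post), and the SOA contact can be: if `soa_contact` comes back as a personal address rather than a role mailbox, the zone is handing out one more piece of a convincing phish.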

I hope Linode will send out an informational update before they get overrun with confused noobie admins.

Jan 12 2013

In response to a Homeland Security alert released today, I wanted to quickly post on how to disable Java, or remove it if you are super cautious, because the Homeland Security alert news did not do two important things:

1. Tell you how to protect yourself.

2. Say what the actual issue is: who dafuq are the so-called security experts, and why is it not critical to mention the source as well as the details of the said exploit?

On Windows you can uninstall Java from the Control Panel and reboot.

If you just want to disable it in browsers, you can do so in Chrome by going to the Options menu -> Settings tab -> under Privacy, click the “Content Settings” button. In the popup that follows you will see a Plugins section. Select “Disable individual plug-ins”. A new Chrome page will load with the long list of plugins you have installed. Disable Java (TM) from here.

On Firefox, Java is usually disabled already, but in case you want to verify, it is much easier. Click the Firefox menu -> select “Add-ons” and then the “Plugins” tab in the following screen. You can disable Java from here. Additionally, Firefox will disable other known vulnerable plugins, so if you find those in Chrome you might as well disable them there.

You may also want to disable the “Java Deployment Toolkit” or anything else that references Java. Though I am not certain this is the safest option, and therefore recommend uninstalling Java, the reason being that a lot of 3rd-party plugins integrate Java technology within themselves. Your choice.
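The Chrome and Firefox switches above only stop the browser from loading the plugin; the library stays on disk, which is why the post leans toward uninstalling. The following added example (not from the original post) walks the usual plugin directories and reports any Java plugin files it finds, so you can confirm what is actually installed rather than what one browser's settings page shows. The file names (the NPAPI plugin npjp2/libnpjp2, the Deployment Toolkit library, the macOS applet bundle) and the directory list are assumed from typical JRE and browser layouts, and the run at the bottom uses a constructed temporary tree so it works stand-alone.

```python
"""Added example (not from the original post): find Java browser-plugin files on
disk regardless of whether a browser has them disabled. Names/paths are assumed
from typical JRE and browser layouts; the sample tree is constructed."""
import os
import tempfile

# Library names the Java runtime installs for browsers (assumed typical names);
# anything else whose name contains these hints is flagged as well.
JAVA_PLUGIN_NAMES = {"npjp2.dll", "libnpjp2.so", "npdeployjava1.dll", "javaappletplugin.plugin"}
JAVA_PLUGIN_HINTS = ("jp2", "deployjava")


def default_plugin_dirs():
    """Directories that commonly hold browser plugins or a JRE (assumed paths)."""
    home = os.path.expanduser("~")
    return [
        os.path.join(home, ".mozilla", "plugins"),
        "/usr/lib/mozilla/plugins",
        "/usr/lib64/mozilla/plugins",
        os.path.join(home, "Library", "Internet Plug-Ins"),
        "/Library/Internet Plug-Ins",
        os.path.join(os.environ.get("ProgramFiles", r"C:\Program Files"), "Java"),
        os.path.join(os.environ.get("ProgramFiles(x86)", r"C:\Program Files (x86)"), "Java"),
    ]


def looks_like_java_plugin(name):
    """True for a file or bundle name that belongs to the Java browser plugin."""
    n = name.lower()
    return n in JAVA_PLUGIN_NAMES or any(hint in n for hint in JAVA_PLUGIN_HINTS)


def find_java_plugins(dirs, max_depth=4):
    """Walk each directory (bounded depth) and return paths of Java plugin files.
    Directory entries are checked too, because macOS plugin bundles are folders."""
    hits = []
    for base in dirs:
        if not os.path.isdir(base):
            continue
        base_depth = base.rstrip(os.sep).count(os.sep)
        for root, subdirs, files in os.walk(base):
            if root.count(os.sep) - base_depth >= max_depth:
                subdirs[:] = []                     # stop descending further
            for entry in list(subdirs) + files:
                if looks_like_java_plugin(entry):
                    hits.append(os.path.join(root, entry))
    return sorted(hits)


def build_sample_tree():
    """Constructed layout: a JRE carrying the plugin and toolkit, plus an
    unrelated Flash plugin that must not be reported."""
    base = tempfile.mkdtemp(prefix="plugin-audit-")
    jre_bin = os.path.join(base, "Java", "jre7", "bin")
    os.makedirs(os.path.join(jre_bin, "plugin2"))
    for rel in ("plugin2/npjp2.dll", "npDeployJava1.dll", "java.exe"):
        open(os.path.join(jre_bin, rel), "w").close()
    moz = os.path.join(base, "mozilla", "plugins")
    os.makedirs(moz)
    open(os.path.join(moz, "libflashplayer.so"), "w").close()
    return base


if __name__ == "__main__":
    sample = build_sample_tree()
    found = find_java_plugins([sample] + default_plugin_dirs())
    for path in found:
        print("Java plugin present:", path)
    if not found:
        print("No Java plugin files found")
```

Drop the constructed sample from the list to audit a real machine; an empty result after the uninstall is the check that the plugin is really gone, while a hit under a third-party application's directory is the bundled-Java case the post warns about.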

Internet Explorer: you may want to “try” and uninstall that.

Additionally, I recommend disabling or removing the “Adobe Reader” plugins, as it is the second most vulnerable as reported by “security experts”. For all we know this is just another industry play at screwing with the most prominent browser plugin, and the Android platforms, being as omnipresent as they are, are also based on Java software.


The best thing to do is check the extensions, plugins or add-ons in your browsers regularly and disable those that seem to be unused or that you cannot recall why they are there. Unused and low-quality 3rd-party plugins are actually a much bigger threat, as they are most likely developed by organizations without much security auditing and do not see security maintenance regularly, if at all. Remove them if you can.

– fracking toasters.