The conclusion of last week’s thrilling story about cryptocurrency scammers and service providers. Who did come to the aid of Joe Nobody, and who conveniently turned a blind eye to my abuse reports. Welcome to the good, the bad, and Namecheap.

Annoying e-mail spam lures Joe Nobody out of his slumber to once again try to convince service providers to pull the plug on a scammer. Welcome to another installment of Joe Nobody VS world.

A few days ago I discovered several referral spam links to the domain servicematch.cancer.org in my server logs. Spam referrals are usually a part of some blackhat SEO campaign used to generate traffic, and if possible, get the URL listed on a website’s public statistics page.

Content warning: This article contains mildly sexually explicit text and images.

For the last few weeks, my feeds and federated timelines have been filled with absolutely brilliant marketing campaigns for Plausible Analytics, the new open-source privacy-focused website analytics tool. Plausible Analytics has enjoyed exponential growth and is frequently recommended by privacy-conscious voices in the FOSS community.

Last month we had an issue with a multitude of unwanted connections against our mail servers from a specific netblock in Argentina. In my experience, coordinated attacks from IP addresses originating from the same netblock usually indicates an issue on the ISP side.

Earlier this week I discovered an interesting Outlook.com phishing mail that had been caught by the anti-spam measures we deploy for our e-mail customers. Well, to be fair, the phishing attack itself was not anything new or sophisticated, but the choice of hosting provider was rather interesting.

Last week I noticed yet another ongoing brute-force attack against our managed WordPress hosting. The botnet is very low key and each bot connects on average only once per day. Up until now, I’ve collected in the ballpark of 3100 unique bots.

After the GhostProject started offering access to 1.4 billion credentials in the form of usernames with clear text passwords, I’ve seen an expected increase in attacks against customers e-mail accounts.

In the last two weeks I’ve seen a steady increase of bots trying to exploit a remote command execution flaw on D-Link routers. The majority of the attacks are originating from IP blocks belonging to Telecom Egypt Data.

I’ve received a few hundred requests originating from bots setting site.ru as their referrer. These attacks are scanning for compromised WordPress installations and PHP based shells and backdoors. The attacking IP’s belong to compromised hosts and websites from service providers around the world.

About one and a half months ago I experienced a lot of botnet traffic originating from major cloud providers including Microsoft Azure. Against my better judgment I decided to see if reporting a few bad IP’s to the MS CERT team would make a difference.

‘Tis the season to be cracking.
In the webhosting business we’re used to seeing an increase in attacks during the holidays, as most people by then are busy with real life. If you’re a cracker though, this is your favorite time of the year.

By working in the “web business” I do get my hands on a fair share of malware kits as attackers continuously try to infect any website available with their automated scripts.