Friday, March 23, 2012

thecheapostore.com - The face of Identity Theft?



TheCheapOStore.com - Everything is sold for 99 cents, including your identity?

Thecheapostore.com is an anomaly in a world of cheap stuff and people searching for the cheapest stuff. At thecheapostore.com you can buy anything for 99 cents, but whether anything actually gets sold is another question.

As you might guess, I am constantly making my friends and family aware of malicious internet "stuff". Apparently, they listen.

My wife approached me yesterday to tell me what she considered a funny story about a website where she was trying to purchase something. The website was called thecheapostore.com. Apparently, everything is on auction and everything costs 99 cents.

There were two funny things about it, she told me. The first was that when she tried to purchase, my network identity theft protection fired off and prevented her from going to the website. The second was that all auctions start at 99 cents and end in 30 minutes, but if you refresh your browser, the clock starts again.

"DING!"

So I asked her to show me the site. Here is my short analysis:

The site itself is a simple front end showing "Latest Products", and it opens rather slowly, presumably because it is hosted on a DSL connection, as reported by centralops.

The products are presented to you in an iframe loaded from another website, madsem.com:


<iframe src="http://campaigns.madsem.com/magentoshops/index.php" width="350" height="280" frameborder="0" scrolling="no"></iframe>

Now, go to madsem.com

It says only:

"welcome Biatches :)"


So what exactly happens to your information when you click "Send"? It goes to whoever runs the site in that iframe, not to the shop you think you are buying from. Someone has it. And he thinks you're a biatch.
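The iframe above is the whole point: any form rendered inside it submits to the iframe's origin, so your details go to madsem.com no matter what the address bar says. As an added example (not code from the original post), here is a small Python check that lists every iframe, form and script on a page whose URL points at a host other than the one the page was served from. The sample HTML is constructed for the example; only the `<iframe>` tag is the one quoted above, the two `<form>` tags and their `checkout.php` target are assumptions.

```python
"""Added example: find the third-party hosts a shop page hands your data to.

Given a page's URL and its HTML, report every <iframe>, <frame>, <form> and
<script> whose src/action resolves to a different host than the page itself.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Which attribute carries the remote URL for each tag we care about.
URL_ATTRS = {"iframe": "src", "frame": "src", "form": "action", "script": "src"}

# Constructed sample page. The <iframe> is the one quoted in the post; the
# <form> tags and the checkout.php URL are assumptions for the example.
SAMPLE_HTML = """
<html><body>
<h1>Latest Products</h1>
<form action="search.php" method="get"><input name="q"></form>
<iframe src="http://campaigns.madsem.com/magentoshops/index.php" width="350" height="280" frameborder="0" scrolling="no"></iframe>
<form action="http://campaigns.madsem.com/magentoshops/checkout.php" method="post">
  <input name="card_number"><input type="submit" value="Send">
</form>
</body></html>
"""


class ThirdPartyFinder(HTMLParser):
    """Collect (tag, absolute_url, host) for every cross-host target."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if not value:
            # A <form> without an action posts back to the page itself.
            return
        absolute = urljoin(self.page_url, value)  # resolves relative paths
        host = urlparse(absolute).hostname
        if host and host.lower() != self.page_host:
            self.findings.append((tag, absolute, host.lower()))


def third_party_origins(page_url, html):
    """Return [(tag, url, host), ...] for every iframe/form/script that sends
    the visitor somewhere other than page_url's own host."""
    parser = ThirdPartyFinder(page_url)
    parser.feed(html)
    return parser.findings


if __name__ == "__main__":
    for tag, url, host in third_party_origins("http://thecheapostore.com/", SAMPLE_HTML):
        print(f"{tag:7} -> {host}  ({url})")
```

Run against a real page you would first fetch the HTML (for example with `urllib.request`) and pass it in; the relative `search.php` form is correctly left alone, while the iframe and the cross-host form are both reported under `campaigns.madsem.com`. The check only sees the outer document: whatever form the iframe itself renders is already attributed to the iframe's host, which is why flagging the iframe is enough.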

My suggestion is to research websites before you send them your information or make a purchase.

http://www.scamadviser.com/is-thecheapostore.com-safe.html
http://www.webutation.net/go/review/thecheapostore.com#
http://answers.yahoo.com/question/index?qid=20120314153644AArQVTz

Registrant:
   Domains By Proxy, LLC
   DomainsByProxy.com
   15111 N. Hayden Rd., Ste 160, PMB 353
   Scottsdale, Arizona 85260
   United States

Registered through: GoDaddy.com, LLC (http://www.godaddy.com)

IP Address:
82.211.28.22
ACCELERATED IT SERVICES GMBH
Germany
DAWN-SERVER.DE
ip2location.com lists this as a DSL connection

Queried whois.ripe.net with "-B 82.211.28.22"...

% Information related to '82.211.28.0 - 82.211.28.255'

inetnum:         82.211.28.0 - 82.211.28.255
netname:         DE-MEDIA-IP-NETWORK-20110823
descr:           Media IP Network
country:         DE
admin-c:         HN1156-RIPE
tech-c:          HN1156-RIPE
status:          ASSIGNED PA
remarks:         ************************************************
remarks:         * ABUSE CONTACT: medianetworksg@gmail.com IN   *
remarks:         * CASE OF HACK ATTACKS,ILLEGAL ACTIVITY,       *
remarks:         * VIOLATION, SCANS, PROBES, SPAM, ETC.         *
remarks:         ************************************************
mnt-by:          ACCELERATED-MNT
changed:         nk@accelerated.de 20110823
source:          RIPE

person:          Hang Nguyen
address:         Duong 8B Pho 4 Bin An, Quan 2
address:         Saigon, Vietnam
phone:           +84 906482860
e-mail:          medianetworks@gmail.com
nic-hdl:         HN1156-RIPE
mnt-by:          ACCELERATED-MNT
changed:         lir@accelerated.de 20110623
source:          RIPE

% Information related to '82.211.0.0/18AS31400'

route:          82.211.0.0/18
descr:          IP-Routing by Accelerated IT Services GmbH
origin:         AS31400
mnt-by:         ACCELERATED-MNT
changed:        nk@accelerated.de 20080709
source:         RIPE

Traceroute

 6  TenGigE0-0-1-0.GW14.BOS4.ALTER.NET (152.179.2.97)  80.593 ms  81.399 ms  81.276 ms
 7  0.ge-0-3-0.XL4.BOS4.ALTER.NET (152.63.17.134)  80.176 ms  86.179 ms  85.477 ms
 8  0.xe-7-0-3.XL4.IAD8.ALTER.NET (152.63.2.106)  105.865 ms  103.278 ms  112.648 ms
 9  0.ae4.BR1.IAD8.ALTER.NET (152.63.33.121)  104.557 ms  117.249 ms  97.695 ms
10  194.25.211.17 (194.25.211.17)  102.064 ms  111.042 ms  182.673 ms
11  f-ed6-i.F.DE.NET.DTAG.DE (62.156.131.242)  259.001 ms 194.25.6.90 (194.25.6.90)  256.655 ms  251.036 ms
12  80.156.160.162 (80.156.160.162)  260.455 ms  242.994 ms  241.802 ms
13  fra4.xe-0-1-0.accelerated.de (84.200.230.81)  225.309 ms  224.549 ms  212.820 ms
14  82.211.28.22 (82.211.28.22)  228.830 ms  216.740 ms  215.035 ms

Thursday, March 8, 2012

Why Forwarding Email to a Free Email Provider is a Bad Idea

Written by Frank Angiolelli, CISSP
www.fortknoxnetworks.com

In many cases, we must balance availability against confidentiality. The two are not necessarily mutually exclusive, but in general, by increasing confidentiality you decrease availability, at least in terms of the methods, locations and speed of access.

Why Forwarding Your Email to A Free Email Provider is Good

The benefits of such an action are easy to see:
1. Easier access to the emails
2. Accessible from any computer without hoops to jump through
3. Easier to configure phones and mobile devices to receive mail
4. Synchronization options with mobile devices

I have seen cases where this was done by individuals who just wanted the convenience or did not know how to access their email securely, and cases where a cell phone provider, trying to help a customer read email on the phone but not knowing the proper settings, simply forwarded all of the email to a free account and set the phone up to receive the forwarded mail.

Why Forwarding Your Email to A Free Email Provider is Bad

The costs associated with this can be tremendous. The primary cost is a considerable loss of confidentiality. While it is true that most free email services encrypt the connection by default, the mailbox itself is reachable by anyone on the web, from any computer, without restriction. Their password reset mechanisms are equally available to anyone on the web.

Beyond that, there is no corporate incident response team looking for unauthorized access to that account, and auditing who has accessed it is not possible.

This sets your organization up for a malicious individual to create a channel for reading corporate email without detection. Take, for example, the FBI conference call that was recorded by Anonymous. In that case, an FBI agent had apparently forwarded the conference call details to a free email account whose password had been compromised by the hackers. The result was the hackers recording the conference call, which ironically was related to hacking investigations, and posting it on the internet.

What is worse than someone posting the information to the internet? Someone not posting it, and instead silently and persistently reading the email and information without detection or limit.

In the conference call case, forwarded email was used to gain further access to a secure operation, a conference call discussing current investigations. Had the malicious individuals not disclosed what they had done, they could have kept monitoring the email for any other systems they could access, and maintained or even extended their access.

How To Prevent This
1. Block access to webmail providers from the corporate network
2. Monitor mail servers for forwarding rules and for mail redirected to external addresses
3. Implement DLP systems
4. Ensure this behavior is prohibited by policy
5. Train employees
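Item 2 is the one that catches the cases the other four miss (the helpful phone-company rep, the user who set up forwarding years ago). As an added example that is not part of the original post, here is a Python script that works through Postfix-style delivery log lines and reports mailboxes whose mail is being redirected to a free email provider. Postfix records a redirection as `to=<final address>, orig_to=<original recipient>`; the log lines, the `corp.example` domain and the list of free-mail domains are all constructed assumptions for the example, and a real run would read `/var/log/mail.log` instead.

```python
"""Added example: detect mailbox forwarding to free e-mail providers from
Postfix-style delivery log lines.

Postfix logs an alias / .forward / virtual redirection as
    to=<where it actually went>, orig_to=<who it was addressed to>
so a persistent orig_to=<internal> -> to=<gmail.com> pair is a forwarding rule.
"""
import re
from collections import defaultdict

# Providers the organisation has no visibility into. Assumed list; extend it.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "aol.com"}

LOG_RE = re.compile(
    r"to=<(?P<to>[^>]+)>,\s*orig_to=<(?P<orig_to>[^>]+)>.*?status=(?P<status>\w+)"
)

# Constructed sample log: one user forwarding everything to Gmail, one internal
# alias, one forward to a business partner, and one bounced forward to Yahoo.
SAMPLE_LOG = """\
Mar  8 09:12:01 mx1 postfix/smtp[2211]: 4F3A1: to=<j.doe@gmail.com>, orig_to=<j.doe@corp.example>, relay=gmail-smtp-in.l.google.com[173.194.76.27]:25, delay=1.2, status=sent (250 2.0.0 OK)
Mar  8 09:14:44 mx1 postfix/smtp[2215]: 4F3A7: to=<j.doe@gmail.com>, orig_to=<j.doe@corp.example>, relay=gmail-smtp-in.l.google.com[173.194.76.27]:25, delay=0.9, status=sent (250 2.0.0 OK)
Mar  8 09:20:10 mx1 postfix/local[2230]: 4F3B2: to=<helpdesk@corp.example>, orig_to=<support@corp.example>, relay=local, delay=0.1, status=sent (delivered to mailbox)
Mar  8 09:25:31 mx1 postfix/smtp[2240]: 4F3C0: to=<partner@vendor.example>, orig_to=<a.smith@corp.example>, relay=mail.vendor.example[203.0.113.10]:25, delay=2.0, status=sent (250 OK)
Mar  8 09:30:02 mx1 postfix/smtp[2251]: 4F3C9: to=<j.doe@gmail.com>, orig_to=<j.doe@corp.example>, relay=gmail-smtp-in.l.google.com[173.194.76.27]:25, delay=1.1, status=sent (250 2.0.0 OK)
Mar  8 09:41:55 mx1 postfix/smtp[2260]: 4F3D3: to=<b.lee@yahoo.com>, orig_to=<b.lee@corp.example>, relay=mta5.am0.yahoodns.net[98.136.96.74]:25, delay=3.4, status=bounced (550 mailbox unavailable)
"""


def parse_forwards(log_text, internal_domain):
    """Yield (orig_to, to, status) for every delivery that was redirected
    from an address in internal_domain to a different address."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        orig_to, to = m["orig_to"].lower(), m["to"].lower()
        if orig_to.endswith("@" + internal_domain) and orig_to != to:
            yield orig_to, to, m["status"]


def freemail_forwarders(log_text, internal_domain, min_messages=2):
    """Map internal mailbox -> free-mail address for mailboxes redirected to a
    free-mail provider at least min_messages times. A bounced forward still
    counts: the rule exists even when the far end rejected the message."""
    counts = defaultdict(int)
    for orig_to, to, _status in parse_forwards(log_text, internal_domain):
        if to.rsplit("@", 1)[-1] in FREE_MAIL_DOMAINS:
            counts[(orig_to, to)] += 1
    return {src: dst for (src, dst), n in counts.items() if n >= min_messages}


if __name__ == "__main__":
    for src, dst in sorted(freemail_forwarders(SAMPLE_LOG, "corp.example").items()):
        print(f"FORWARDING: {src} -> {dst}")
```

The threshold keeps a single stray redirect from paging anyone; drop `min_messages` to 1 to see the Yahoo bounce as well. The forward to `vendor.example` is deliberately not reported, since the list is about free mailboxes, but the same `parse_forwards` output is what you would feed a stricter rule that alerts on any external destination.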

As always, I welcome thoughts and suggestions.