That Danny! News, Reviews, Social Media and Net Moods

1Jun/090

European Bank (EBRD) ventures into blogging

The European Bank for Reconstruction and Development has launched a blog which is described by the bank’s Communications Director Reijo Kemppinen as an opportunity “to build dialogue, share knowledge and exchange lessons learnt in an informal forum.”

The first article, by Chief Economist Erik Berglöf, describes how the global financial crisis has changed the bank’s operations, and sets the tone for analysis and future articles to come. Four bloggers are currently signed up to contribute to the blog, and others are planned to follow, to ensure a constant flow of articles.

The blog was created for the bank by digital consultancy Blogminster Media, which is also advising EBRD on its digital strategy. Danny Dagan, Director at Blogminster Media said: “to succeed, a corporate blog not only has to look good and work well, it also needs to have something interesting to say. The illuminating point about the European Bank launching a blog now is that it obviously sees a need to communicate more openly with its stakeholders at a time when financial markets and their players have such high visibility.”

www.ebrdblog.com


22Apr/090

Internet Filtering in the United Arab Emirates - What you see if you hit a forbidden site

blocked_site_uae

The full list of prohibited content is here. Removal requests for the UAE firewall can be submitted here.


18Apr/0943

What to do if your Hotmail account got hacked – the recent spate of attacks on Hotmail accounts

hotmail hacked

If your friends and contacts have received an email or IM message from your Hotmail account with wording along the lines of "I would like to introduce a good company who trades mainly in electronic products... etc" - it is highly likely that your Hotmail account has been compromised.

IF YOU ARE THE POOR SOUL THIS HAPPENED TO, THEN YOU SHOULD READ ON AND FOLLOW THE INSTRUCTIONS AT THE BOTTOM OF THIS ARTICLE.

In most cases when a spam email is sent in your name to someone else, the spammer doesn't need access to your account. All they need to do is spoof your email address - i.e. make it look like it was sent from you. That's very simple to do, and is very common.

However, the latest spate of spam from Hotmail accounts is different in that the attackers actually hack into your Hotmail account and then do some or all of the following things:

  • They send a spam email to all your contacts.
  • They may send a spam IM message to all your Messenger contacts.
  • They may delete all your Hotmail contacts.
  • They may set your autoresponse (the one you set when you go away) to send this spam message.
  • They may set your email signature to include the spam message.

You know that they have hacked into the account because you can see clearly that they have sent an email from it to all your contacts, or even an instant message. They would not be able to do this if they did not have access to the account.

HOW IT HAPPENS
I don't have a definitive answer, but I do have a theory which, based on the evidence, looks likely. If your password is a common name or a word that appears in a dictionary, then your account is vulnerable, even if it has a year of birth or number attached to it.

This is how the hackers do it:

  • They employ an automated script that is fed your Hotmail address and then goes to work.
  • It feeds the entire dictionary and common passwords and names into Hotmail one by one, trying to log in.
  • After several attempts Hotmail "locks" the account and presents a CAPTCHA (i.e. a string of wonky letters and numbers that is supposed to stop scripts from doing exactly that, because supposedly only a human can read these letters).
  • Unfortunately the CAPTCHA method no longer stops scripts, because hackers have found ways around it. One of those ways works by using sophisticated character recognition software that can read the wonky letters. Another is to feed the letters to "CAPTCHA farms" - the letters are fed to human users, employed by the hackers to read and enter CAPTCHAs, and they are often paid by the number of CAPTCHAs they enter (for example 1 cent per entry). This becomes viable financially if the spam is part of a bigger scam. The scale of the deception means it makes more money, especially because people are much more likely to trust spam messages sent by their friends. This achieves greater returns for the hackers and means they can attack many accounts, bypassing email security systems.
  • Sometimes the scripts do their work over days, and sometimes weeks, to escape being caught by Hotmail's attack detection systems.
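From the mail provider's side, the last point is the hard one: a rule that only counts failures inside a short window never fires on guessing spread over days. The sketch below is an added example, not anything Hotmail is known to run; the event format, account names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def failures_by_account(events):
    """Group failed-login timestamps per account, sorted by time."""
    grouped = defaultdict(list)
    for ts, account, outcome in events:
        if outcome == "fail":
            grouped[account].append(ts)
    return {acct: sorted(stamps) for acct, stamps in grouped.items()}


def max_in_window(stamps, window):
    """Largest number of sorted timestamps that fit inside any span of `window`."""
    best = start = 0
    for end, ts in enumerate(stamps):
        while ts - stamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def burst_accounts(events, threshold=5, window=timedelta(minutes=10)):
    """Accounts that a short-window lockout/CAPTCHA rule would trip on."""
    return {acct for acct, stamps in failures_by_account(events).items()
            if max_in_window(stamps, window) >= threshold}


def slow_guess_accounts(events, threshold=20, window=timedelta(days=14), min_days=5):
    """Accounts with many failures in a long window, spread over several days."""
    flagged = set()
    for acct, stamps in failures_by_account(events).items():
        distinct_days = {ts.date() for ts in stamps}
        if max_in_window(stamps, window) >= threshold and len(distinct_days) >= min_days:
            flagged.add(acct)
    return flagged


def sample_events():
    """Constructed (timestamp, account, outcome) events, not real logs."""
    t0 = datetime(2009, 4, 1, 9, 0)
    events = []
    # alice: three failures a day, hours apart, for ten days (low and slow).
    for day in range(10):
        for hour in (0, 5, 10):
            events.append((t0 + timedelta(days=day, hours=hour),
                           "alice@example.test", "fail"))
    # bob: two typos, then a successful login a minute later.
    events += [(t0, "bob@example.test", "fail"),
               (t0 + timedelta(seconds=20), "bob@example.test", "fail"),
               (t0 + timedelta(seconds=60), "bob@example.test", "ok")]
    # carol: eight failures in under four minutes (a noisy burst).
    events += [(t0 + timedelta(seconds=30 * i), "carol@example.test", "fail")
               for i in range(8)]
    return events


if __name__ == "__main__":
    ev = sample_events()
    print("short-window rule flags:", sorted(burst_accounts(ev)))
    print("long-window rule flags: ", sorted(slow_guess_accounts(ev)))
```

The short-window rule sees only the noisy burst, while the long-window rule picks up the account that never had more than one failure in any ten minutes.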

There are of course other ways for hackers to achieve this kind of attack, such as spyware on your computer, or you being deceived by a rogue website. My instructions below would help you tackle these as well.

WHAT SHOULD I DO IF MY HOTMAIL ACCOUNT GOT HACKED?
Go through the following steps, one by one:

1. Before you do anything else, change your Hotmail account password to something very safe. Not a dictionary word or name, or even a word and numbers. Use symbols such as $ and & in your password, and make it long. I know it is difficult to remember, but if you don't want to be hacked, you'll have to start using strong passwords.

2. Now check that your autoresponse and email signature on Hotmail do not have any spam text added to them, as this would go out to your contacts automatically.

3. Then check that your computer does not have spyware or viruses, by following the instructions here.

4. From now on keep your passwords safe, and be extra careful when using public computers (such as those in Internet cafes). If in doubt - change your passwords.

5. You may want to alert Hotmail support to the problem. It seems to be happening all over the place, and the more they know about it, the better it is for their efforts to address it.

And please note: if for some strange foolish reason you decide to go to the site advertised by the spammers, and you are even more foolish and decide to buy something on it, don’t be surprised if it never arrives. This is a well known scam, and you will never get your goods, you muppet.


18Mar/090

How Google penalises sites with too many of the same URL – Tested!

Last week I got an insight into how Google penalties work if you use a URL too many times in a blog entry.

In my recent article, I covered how scammers target Sedo users.

The article was included in the Google index within the hour, as it usually is for my blog, and for the following three days I had 80-100 daily unique users reach it through Google.

Then on the fourth day - all traffic to the page from Google stopped. Nothing. Nada.

After a quick investigation, I found that that particular page was no longer included in the Google index. The rest of my site was unaffected.

I looked at it in more detail and theorised that because I quoted the correspondence with the scammer, which repeatedly included his email address ("murphy@eliteinvestment.net"), Google must have decided that this was a spam message and excluded it from its index - probably because Google ignored the "@" sign and treated the companyname.com part as a URL, thus viewing it as being repeated many times over. The other option is that it doesn’t like too many repeats of the same email address, although I like my first theory better.

I decided to test my theory, and reduced the number of references to the company from a total of ten URLs/emails (eliteinvestment.net) to only three. I then updated my sitemap and pinged Google to re-crawl my site.

Sure enough, a week later my article has been re-indexed, and is hitting traffic again. An insight into the mind of the (fluffy) beast.

It also shows that my pages were first ingested and indexed, and only a few days later the penalty was applied.

8Mar/0991

Domain valuation scam targets Sedo users

Domain Valuation Scam

If you want to skip the background scroll down to my entertaining correspondence with the scammer, as he tries to hook me in.

Sedo is a service that allows owners of domain names to sell them in much the same way that eBay allows you to sell goods, either for a fixed price or at auction. It also provides an escrow service so that a transaction is secure (they get the money and the domain and then swap them between buyer and seller).

Domain sellers on Sedo have recently been targeted in the following way:

1. The seller places a domain for sale on Sedo.
2. The scammer scans Sedo for new domain listings and targets those listings.
3. The seller receives an email from the scammer. An important characteristic of this email is that it is not via the Sedo service - the scammer looks up the registered owner of the domain and contacts them directly through the domain's contact email.
4. This first email is the "hook". It offers a large sum of money for the domain and waits for the domain owner to take the bait.
5. Once the domain owner shows an interest, the scammer explains that he is very interested in the domain but cannot pay any money for it without a third party valuation service. He explains that he has researched valuation services and only a few are reliable and cost-effective. Gradually he narrows it down to one service that he insists on using.
6. If the seller bites (what's a small sum to pay for the riches offered by the scammer?), then they will pay for the valuation service and submit the result to the scammer.
7. At this point the scammer no longer responds to emails. They got what they wanted - the valuation fee.

Here's my correspondence with the scammer:

Email #1 - the bait:
================================================
From: murphy@eliteinvestment.net
To: danny
Subject: [my domain name for sale (date sent)]

Hello,

I'm interested in your domain in the subject line.

Investing in domains is a profitable business. We are in real estate business. Sometimes we buy, sometimes we resell for making a profit.

Looking forward to do business with you.

Regards,
Andrew Murphy
Vice President
Elite Investment Group
================================================
Commentary:
- Notice how there is no mention of where this company ("Elite Investment Group") is based. I will press this point with "Andrew Murphy" later, but he wouldn't respond.
- At the time of writing there was no content in the domain that the email originates from (eliteinvestment.net)
- Further research shows that eliteinvestment.net is registered by Proxy, so the owners obviously want to hide who they are.

Email #2 - I bite:
================================================
From: "Danny"
To: Murphy
Subject: [domain name (date sent)]

Thanks, are you wishing to make an offer on my domain?

Email #3 - Trap is laid out:
================================================
From: Murphy
To: Danny
Subject: [domain name (date sent)]

Sorry for delay with answer. Our family was celebrating newborn child of my sister.

Can you accept 5,000 USD?

Do you sell domain with a web site or just the name?

Domain without content is ok with me. Web site is not necessary.

Have you had your domain names evaluated in the past? I mean domain appraisals. Without valuation we cannot be sure in the sale price. It's very important for me in terms of reselling too. But we must engage a valuation company with REAL manual service. So I will only accept valuations from independent sources I and my partners trust.

To avoid mistakes I asked domain experts about reputable appraisal companies.

Please check this blog with suggestions from other sellers and buyers: http://domainblog.007sites.com/587412.htm

If, for example, the valuation comes higher you can adjust your asking price accordingly. It will be fair. I also hope you can give me 12% - 15% discount.

After you send me the valuation via email (usually it takes 1-2 days to obtain it) we'll continue our negotiations.

What is your preferred payment method: Escrow.com, International wire transfer, PayPal.com or something else?

Hope we can come to an agreement fast.

Looking forward to your reply.
================================================
Commentary:
- Notice how the scammer tries to lead you to believe he relies on reputable companies by sending you to an obviously planted forum.
- The company he wants you to focus on is www.DomainExplorer.org - but he will narrow it down to that company later. For now he wants you to think the name of the actual valuation company doesn't matter. He just needs a reputable one.
- Notice that he is also talking about methods of payment to lure you in.
- Interestingly, the grammar is a bit wonky and inconsistent, which suggests this 'script' was adapted and 'perfected' by different people.

Email #4 - I test his determination
================================================
From: "Danny"
To: "'Murphy'"
Subject: [domain name (date sent)]

I only transact through Sedo, and do not require the use of appraisal companies who are usually just a scam.

If you would like to buy this domain I would encourage you to put an offer through on the Sedo site.

Thank you and have a good weekend!

Danny.

Email #5 - He responds and refocuses on the appraisal :
================================================
From: Murphy
To: Danny
Subject: [domain name (date sent)]

Sedo is a good broker and we can use it for transfer/transaction. Unfortunately , Sedo is not acceptable as an appraiser because your names are listed with them and they are not independent. They are interested in earning 10% commission on every sale. I need appraisals from a company which is not interested in selling your domains.

I heard many appraisal companies often made inaccurate appraisals. So I cannot accept appraisal from each and every site. I will only accept appraisals from independent appraisal companies I know and trust.

================================================
Commentary:
- He persists, because I engaged. As long as I am engaged, there is still a chance to hook me.
- Notice how I didn't mention domain appraisal services, but he keeps coming back to that point, as if it was a crucial part of domain sales. In actual fact, a domain is worth what a buyer is willing to pay for it, and oftentimes pricing it is more of an art than a science, with a mix of luck.

Email #6 - I don't bite. What will he do?
================================================
From: "Danny"
To: 'Murphy'
Subject: [domain name (date sent)]

I thank you for your response, but I have no interest in these appraisal services, or in doing business with you this way. If you wish to place a bid on my domain you are welcome to do so on the Sedo site.

Regards for a good weekend,

Danny.

Email #7 - It's all about the valuation, of course, but let's narrow it down:
================================================
From: Murphy
To: Danny
Subject: [domain name (date sent)]

We both need independent valuation first.

Sellers always provide buyers with valuations. This is a common practice.

I don't trust $14 services like that GoDaddy's valuation service. Nobody will do a research for $14. We need a real manual service.

I researched several companies and here are the results:

I wanted to engage AccurateDomains.com as appraiser but looks like this company has very bad reputation Just read this blog http://accuratedomains.blogspot.com/

So I'm not going to accept this fraudulent service.

I also considered www.Afternic.com, but now it's clear their service is not reliable enough. Just read this: http://www.igoldrush.com/links3.htm "Capsule Review: After lots of complaints, Afternic is no longer a recommended service. We will re-review the service in the near future."

Another complaint http://www.out-law.com/page-1630

I was told about manual research service from http://www.DomainMart.com. It costs - $200/hour.

Many experienced sellers suggested me www.DomainExplorer.org as a trustworth manual service. They charge per name not per hour. I've read only positive comments about them.
================================================
Commentary:
- He seems to go back to the script. This is the mail he would use to narrow the victim down to DomainExplorer.org, where he wants me to go.
- I decide to repeat my previous email exactly and see if he would notice.

Email #8 - I repeat myself, will he notice?:
================================================
From: "Danny"
To: "'Murphy'"
Subject: [domain name (date sent)]

I thank you for your response, but I have no interest in these appraisal services, or in doing business with you this way. If you wish to place a bid on my domain you are welcome to do so on the Sedo site.

Regards,

Danny.

Email #9 - He keeps going... It's all about the valuation:
================================================
From: Murphy
To: Danny
Subject: [domain name (date sent)]

It's a big risk to proceed without professional valuation. I already spoke to industry experts and they prohibited me to do business without valuation.

Without manual valuation nobody will buy. You'll sit on your domain for years in this case, paying renewal fees to your registrar. Just think about it. So sooner or later, you'll have to obtain an appraisal. Why waste time now?

As a seller, you can use a valuation certificate to sell names to other buyers. I cannot do the same because I don't keep control over your domain.

I'm still interested in your domain. Hope you'll change your position. I simply don't want to take additional risks.

Thank you for understanding. I'm looking forward to do business with you.

Email #10 - I decide to confront him:
================================================
From: Danny
To: "'Murphy'"
Subject: [domain name (date sent)]

For someone in the domain reselling business you seem awfully focussed on the appraisal of one specific company whose domain is registered via proxy and that does not have a physical address, and appears on several scam warnings.

You also never mentioned where your company (elite Investment) is registered, and your own domain isn't populated.

Entertaining. Care to comment?

Regards,

Danny.

Email #11 - This is clearly off script - so he sends one last ditch (none of my questions are answered):
================================================
From: Murphy
To: Danny
Subject: [domain name (date sent)]

No deal without appraisal from a trusted source. This simple rule has saved me a lot of money and time. Feel free to contact me when you change your position and let's do business the right way.
================================================

FURTHER SCAM INFORMATION
This pattern has been repeated in quite a few cases, but with changing names, often using the same script, for example: the same scam email (with the same text) was sent from:
Robert Gardos, CEO Elite Investment
Steven Campanella, Vice President, Elite Investment Group
Paul Rancour, CEO, ELI LLC
Eric Jorgensen, Vice President, Elite Invest Network
Tom Myers, 'Independent Cybersquatter'
Jeffrey Burnstein, CEO of OBS LLC (burnstein@theonlinebrokerage.com) (source)
Robert Gardos, VP, TGS Technologies (gardos@toughguy.net) (source)

Further examples are here, here, here and here.


SEDO'S RESPONSE:

I wrote to Sedo saying: "I was wondering if you were aware of this sort of scam happening, and if so, whether you would consider placing some kind of warning for other users of your site. It can be very easily misleading."

Their response was:

"We are aware that there are unscrupulous persons around who will contact domain owners to try and get them to order an appraisal or sell the domain.

At Sedo, we encourage customers to use our appraisal service which is much more trustworthy.

You can always privacy protect the WHOIS record for your domain to avoid receiving these kind of emails in the future. You can do this through your registrar."

So, no, they don't really think they should warn their users, and simply suggest we use their services. Doh!

If you have been contacted in this way feel free to add your experience here as a comment, especially noting the names used in your case, so that they come up in Google searches and warn others.


28Nov/080

MFI and Woolworths – websites on the brink

On the day after the two emblematic retail groups Woolworths and MFI had gone under in the UK, their websites showed the signs of disaffected (and potentially jobless) web staff - and who can blame them.

At Woolies they couldn't be asked, so the website simply reported that the site was "undergoing essential maintenance", which is a euphemism for "we took the servers down for now, buy us out, let us keep our jobs and we might be back."

Wollies in Administration

At MFI, there was a nice letter from the administrators telling customers what to do. A lonely "<div>" tag at the very bottom was the only sign of employee apathy:

MFI in administration


28Oct/080

eBay Libel Threat After Negative Feedback – When Online Libel Gets Personal

Libel gets personal

Chris Read, a 42-year-old from Kent, is facing legal action for libel after leaving negative feedback for an item he bought on auction site eBay. On October 3, Read used the feedback facility on eBay and wrote: "Item was scratched, chipped and not the model advertised on Mr Jones's eBay account." Mr Read subsequently received an e-mail from Mr Jones, a 26-year-old businessman from Suffolk who deals in second-hand electrical goods, saying that his comments were damaging his business, and threatening him with legal action unless he deleted them from the site (Source: Times online).

This case is interesting because it demonstrates how personal libel can get when it takes place on the Internet. If the seller wanted to get rid of the comment posted by Mr Read on eBay, the quickest way to achieve this would have been through a legal threat to eBay, not the buyer.

Companies like eBay would most commonly be advised by their lawyers to remove comments that bear a legal threat, to avoid becoming responsible for the content themselves.

As soon as a libel is reported to eBay, all the legal protections that it might have had by claiming it was only a third party to the dispute are no longer certain. Once it is notified, it is most likely responsible. This principle is often referred to by moderation professionals as "notice and takedown".

But when individuals, not companies, are involved, insult is personal, and they often don't have the benefit of a legal team and a cool assessment of the best way to achieve their objective (in this case the removal of a comment).

Lawyers are trained to separate emotion from fact and process. Private citizens aren't. This case is no doubt one of many to come. It would be interesting to see how the legal system adapts.

UPDATE:
As this blog is of a UK slant, it is always interesting to hear how things are across the pond, where libel laws are less onerous, and freedom of expression has more of a legal stance. I got the following comment from Michael Roberts, a reputation analyst at Rexxfield:

"I liked your article. The poster of the information is certainly liable for damages. However, I think you will find that eBay as a third party republisher of the libel enjoys federal immunity (at least in the USA) from civil litigation; furthermore they do not need to remove the offensive material, even if served with positive proof. (section 230(C) of the information communications decency act). (Although I am sure eBay would, they just don't have to)

Frankly I think it is an absurd loophole allowing web services to turn a blind eye to the plight of innocent victims of malicious speech. I recently published a few essays on this issue:

http://www.rexxfield.com/freedom_speech.html

Be sure to follow the links to the "google" blind eye responses to "take down" notices."

ThatDanny comment: As Michael rightly points out, the treatment of libel is different under US law to English (and Scottish) law. The protections that stringent libel laws provide are a double-edged sword, but in this case they make it simpler for individuals to achieve content removal in the UK than in the US.


11Oct/080

Understanding Website Statistics – Five Pitfalls to Avoid

Website statistics: what's wrong with the following statements?

1. My website gets 20,000 hits a month!

2. My website gets three million unique visitors a year!

3. Our statistics show that users spend an average of 30 minutes per visit to our website!

When you boast to your friends that your blog gets 10,000 hits, or tell your boss that your company's website has one million annual unique users, you may be setting yourself up for a fall.

Like most statistics, website stats can be misleading, and this article shows you some common pitfalls when quoting site numbers.

Website statistics – common mistakes:

1. Using ‘hits’ as an indicator – ‘hits’ are an old-speak term that expresses, well, absolutely nothing about the popularity of a website. A ‘hit’ refers to any file or part of a webpage that is downloaded by a user. For example, if your web page has seven images on it, then it will be counted as eight hits (the page itself is one hit, and then each image counts as an additional hit). It is no indication of traffic or popularity or anything meaningful about your users. Quoting it shows you haven’t got a clue.

2. Annual unique users – website unique users (or ‘uniques’ as old hands like to call them) are a well accepted measure of a website’s popularity, but only when used daily or monthly. Not yearly. It is ignorant to say that your site gets ‘x unique users a year’. Here’s why: your website tracking code can only count ‘uniques’ by leaving a ‘cookie’ on the user’s computer when he or she visits your site. A cookie is a small file that the website checks for whenever the user views the site. The cookie tells the site that it 'knows' the user, and that it should not count him or her again after the first visit. Once you understand this mechanism, some of its flaws become evident: if a user accesses the site through two different browser types (for example Chrome and Internet Explorer), then they are counted as two separate visits. Visits from two different computers (e.g. at home and at work) are counted separately too. Overall, the industry has come to accept these compromises, and treats ‘uniques’ as a good indicator, for lack of a better statistic. However, this works well for a period of up to a month. Longer than that, and your statistics become too distorted. For example, over the course of a year a single user is likely to get rid of the cookies on their computer at least a couple of times, or even replace their computer entirely. If each one of your unique annual users loses the cookie that counts them as unique twice or more over a year, then your annual count of unique visitors could be half, a third, a quarter or even less than what your stats package is showing you. There’s no way around it: annual uniques are a fallacy.

3. Average minutes per visit – I often hear statements like ‘my users are spending 45 minutes on average on my site'. No they’re not. Your workmate Kirsty looked at your site just before she went home last night and forgot to close her browser, so it remained trained on your website all night. In the morning, she came back, browsed it for a couple of minutes and then closed her browser. By doing this, she has skewed your stats big time – and the fewer users you have, the more distorting the ‘Kirsty effect’ is. Some web statistics packages now use more sophisticated methods to track viewing time, for example by showing you the median time spent on your site, but if that’s not available, don’t quote this number. It’s not really that helpful.

4. Page impressions – a trusty statistic, page impressions (PIs) or page views (PVs) are still an old favourite, but they too are not without their problems, and it all depends on how your tracking code is set up, so be well informed about your settings before you start brandishing PIs. Here’s why:

    a. There are a lot of files that aren’t actually viewed and are sometimes counted as PIs, for example stylesheets (ending with .css) are also counted, and many sites have more than one, which are loaded every time someone visits your site, thus inflating your PI count. You have to check what's counted and what isn't before you use PIs.
    b. Every time a search engine indexes your site, it imitates a user, often by loading all your site's pages which may well be counted as page impressions. If you have many pages and your site is indexed regularly (for example by Google), you’ll get lots of irrelevant PI counts. Some stats packages exclude them and some don’t – you need to know which is yours.

5. Content groups and folder structures – and finally, you may want to beware how you present popularity of areas on your site. Most commercial website statistics packages allow you to define categories for different areas of the site, and then report on the popularity of those areas. The problem is that the categories in the tracking code often become obsolete in the time between when they were initially put in place and the many site changes and iterations since. You have to ask yourself how different areas are defined: is it by site taxonomy and structure, or simply by a category given to the page by the tracking code. Site taxonomies in themselves aren't a guarantee of accuracy either, because over time they erode, and an urgent patch here, a temporary page there - make them less reliable as an indicator of structure. I'm not saying that either of these can't be powerful analysis tools - they most certainly can be. It's just that you need to make sure you know what you're counting.

And that's really the endgame here – you need to make sure you know what you're counting. If you do, you can make more informed statements about your site's visitors. If not, well... Do not pass GO, do not collect 200 page impressions.
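To see pitfalls 1, 3 and 4 in numbers, the added example below (not part of the original article, and not any stats package's code) counts the same constructed access log three ways and compares the mean and median visit length. It assumes Apache combined log format, identifies a visitor by IP address plus user agent instead of a cookie, and uses an assumed list of crawler markers and asset extensions.

```python
import re
from datetime import datetime
from statistics import mean, median

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)
ASSET_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".ico")  # not page views
BOT_MARKERS = ("bot", "crawler", "spider")  # assumed crawler hints

# Constructed sample log; addresses are documentation ranges.
SAMPLE_LOG = """
203.0.113.5 - - [11/Oct/2008:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Oct/2008:10:00:01 +0000] "GET /style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Oct/2008:10:00:01 +0000] "GET /logo.png HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Oct/2008:10:02:00 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Oct/2008:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Googlebot/2.1"
198.51.100.7 - - [11/Oct/2008:10:05:02 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Googlebot/2.1"
192.0.2.44 - - [11/Oct/2008:18:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.44 - - [12/Oct/2008:08:00:00 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
192.0.2.80 - - [11/Oct/2008:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.80 - - [11/Oct/2008:12:01:00 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def parse(lines):
    """Turn combined-log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            records.append(rec)
    return records


def is_page(rec):
    """A page impression: a successful request that is not a static asset."""
    path = rec["path"].lower().split("?")[0]
    return rec["status"] == "200" and not path.endswith(ASSET_EXT)


def is_bot(rec):
    agent = rec["agent"].lower()
    return any(marker in agent for marker in BOT_MARKERS)


def summarise(records):
    pages = [r for r in records if is_page(r)]
    human_pages = [r for r in pages if not is_bot(r)]
    # Naive visit length: last page minus first page per visitor, no session
    # timeout. This is the calculation the 'Kirsty effect' distorts.
    span = {}
    for r in human_pages:
        key = (r["ip"], r["agent"])
        first, last = span.get(key, (r["ts"], r["ts"]))
        span[key] = (min(first, r["ts"]), max(last, r["ts"]))
    durations = [(last - first).total_seconds() for first, last in span.values()]
    return {
        "hits": len(records),
        "page_impressions": len(pages),
        "human_page_impressions": len(human_pages),
        "mean_visit_seconds": mean(durations) if durations else 0.0,
        "median_visit_seconds": median(durations) if durations else 0.0,
    }


if __name__ == "__main__":
    for name, value in summarise(parse(SAMPLE_LOG.strip().splitlines())).items():
        print(f"{name}: {value}")
```

One visitor whose browser stayed open overnight pulls the mean visit to several hours while the median stays at two minutes, and the same ten log lines yield ten hits, eight page impressions or six human page impressions depending on what is counted.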
