24 March 2017

Ramiro Helmeyer & RaFa new reputation-cleaning online technique: DDoS & IoT

UPDATED 28/03/2017 - 15:42GMT* - In the latest chapter of new and creative forms of silencing / eliminating from view accurate and relevant information about certain characters of Venezuela's underworld, this week I've been battling with yet another DDoS attack against my first, now inactive, website: vcrisis.com. This time round, thousands of smartphones are being used, presumably without their owners' consent, to direct traffic (POST and GET requests) to my site. But the more interesting aspect is that most traffic comes from a handful of Google Cloud's IP addresses.

You read that right, DoSers are using Google's power to crash my server. For public benefit and future reference, abused addresses are:

The requests being made, by the thousands, look like this:

www.vcrisis.com - - [23/Mar/2017:00:01:13 -0400] "POST /index.php?content=archive HTTP/1.1" 200 498751 "-" "Mozilla/5.0 (BlackBerry; U; BlackBerry 9900; en)

www.vcrisis.com - - [23/Mar/2017:00:01:11 -0400] "POST /index.php?content=archive HTTP/1.1" 200 498752 "-" "Mozilla/5.0 (Linux; U; Android 2.3.3; de-ch; HTC Desire Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"

www.vcrisis.com - - [23/Mar/2017:00:01:11 -0400] "POST /index.php?content=archive HTTP/1.1" 200 498764 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows Phone OS 7.0; Trident/3.1; IEMobile/7.0; Nokia;N70)"

www.vcrisis.com - - [23/Mar/2017:00:01:07 -0400] "GET /? HTTP/1.1" 200 22781 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36"

www.vcrisis.com - - [23/Mar/2017:00:01:07 -0400] "POST /index.php?content=archive HTTP/1.1" 200 498759 "-" "Opera/9.80 (J2ME/MIDP; Opera Mini/9 (Compatible; MSIE:9.0; iPhone; BlackBerry9700; AppleWebKit/24.746; U; en) Presto/2.5.25 Version/10.54"

Logs show thousands of such requests, to the extent that the server has been shut down and special measures have been put in place by my web hosting provider. I have, of course, shared relevant data with Google's Project Shield, whose staff alerted me to increased traffic towards my vcrisis.com site the other day.
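The pattern in the log lines above (the same POST target repeated, no Referer, a different user agent each time) can be flagged with a short script. This is an added example, not part of the original post; the example.org host, the sample lines and the small thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Layout seen on this page: vhost ident user [time] "request" status bytes "referer" "UA"
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+) "(?P<referer>[^"]*)" "(?P<ua>.*?)"?$'
)

def parse(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["size"] = int(rec["size"])
    return rec

def flood_candidates(lines, window_s=60, min_hits=4, min_agents=3, min_no_referer=0.9):
    """Bucket requests per (method, target) per time window and flag buckets that
    combine volume, many distinct user agents and almost no Referer header."""
    buckets = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        slot = int(rec["ts"].timestamp()) // window_s
        buckets[(rec["method"], rec["target"], slot)].append(rec)
    findings = []
    for (method, target, _slot), recs in sorted(buckets.items()):
        agents = {r["ua"] for r in recs}
        no_ref = sum(r["referer"] in ("-", "") for r in recs) / len(recs)
        if len(recs) >= min_hits and len(agents) >= min_agents and no_ref >= min_no_referer:
            findings.append({"method": method, "target": target, "hits": len(recs),
                             "agents": len(agents), "bytes": sum(r["size"] for r in recs)})
    return findings

# Constructed sample lines (not taken from the real logs).
PRE = 'www.example.org - - [23/Mar/2017:10:15:'
POST = ' +0000] "POST /index.php?content=archive HTTP/1.1" 200 500000 "-" '
SAMPLE = [
    PRE + '01' + POST + '"Mozilla/5.0 (ExamplePhone A)"',
    PRE + '02' + POST + '"Mozilla/5.0 (ExamplePhone B)"',
    PRE + '03' + POST + '"Mozilla/5.0 (ExamplePhone C; en)',  # UA cut off, no closing quote
    PRE + '04' + POST + '"Opera/9.80 (ExamplePhone D)"',
    PRE + '05' + POST + '"Mozilla/4.0 (ExamplePhone E)"',
    PRE + '06 +0000] "GET /about.html HTTP/1.1" 200 2000 "http://www.example.org/" "Mozilla/5.0 (ExampleDesktop)"',
    'not an access-log line',
]
```

On real logs the thresholds would be raised to match normal traffic, and the summed bytes column shows how much bandwidth each flagged target is costing the server.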

One of the benefits of this new association with Project Shield is that I get to see things that I couldn't / wasn't aware of before, such as the number of removal requests made on articles posted on my website. The one reprinted below, for instance, which is a post written by blog friend, financial crime consultant Ken Rijock, seems to be causing some discomfort to criminal Ramiro Helmeyer and his community manager, also convicted criminal, RaFa the hacker.

My dashboard shows that since 27 September 2016, 54 removal requests have been made on stuff posted on vcrisis.com, almost all of them to have the article below removed. Checking on removal requests made on articles posted on my other site, infodio.com, I noticed that all 368 such requests, from the first one made also on 27 September 2016, are either articles on RaFa, or those exposing his who's who list of thuggish / criminal Venezuelan clients, from convicted Helmeyer, to more recently convicted Roberto Rincon...

Some time ago I alerted Matt Cutts about RaFa's astroturfing. I guess he's having to do all the criminals' whitewashing again. And he's succeeding at it, I reckon. Google searches for Ramiro Helmeyer return these results these days: surely David Beckham, Alec Baldwin and Jesse Eisenberg wouldn't be proud of such usage of their images.

* An update: the good folks at Project Shield sent a message saying "It was a Layer 7 HTTP flood DDoS attack." Further investigation revealed that Project Shield's own IP addresses were indeed used in the DDoS attack. What interests me is the level of sophistication Venezuelan crooks are employing to scrub their reputations. Considering the staggering amounts of money they've gotten through corruption, and the kind of services employed, it is not difficult to foresee that their past misdeeds will be eliminated from the public domain.