Upham's Corner Online

Harry Potter Hacking Email in Uphams Corner?

Caution - Don't Click - Warning: Email from Hacked Address

Uphams Corner News received an email from what appears to be a hacked subscriber address; its raw HTML contains Harry Potter text that the recipient never sees. This article details how the IP address in the email's link was investigated. The registry record led to Nobis Technology Group (an ISP and hosting company) in Phoenix, AZ, while a geolocation database listed the same company name in Chengdu, Sichuan, China. It doubles as a guide to carrying out your own investigation.

Step 1.  View Full Text (Gmail)
Step 2.  Identify what is important
Step 3.  Where is the IP address located?

Site #1 - IP Location Tools
Site #2 - WHOIS and Domain Research
Site #3 - American Registry for Internet Numbers
Site #4 - IP Geolocation and Network Intelligence website
Site #5 - MYIP.MS - a "hosting info, websites and IP database" website.

Step 4.  Locate Nobis Technology Group Contact Info
Site #1 - InsideView
Site #2 - Nobis Technology Digital Millennium Copyright Act Statement
Site #3 - Better Business Bureau

Step 5.  Speak with Nobis Technology Group
Step 6.  Submit Complaint


What Happened

The danger in the streets here in Uphams Corner notwithstanding, what harms UC News (and our subscribers) more is the damage done by ill-willed individuals throughout cyberspace, whose traffic often originates from server farms in the United States even though they themselves may live elsewhere.

UCNews received a suspicious email, "I've sent you a facebook notification," with an invitation to click to see the full report. Not that we had even seen a partial report. At the same time, the email was from a legitimate UCNews subscriber, so it was easy enough to assume the email itself was legitimate.

In the past this editor has been too quick to click on the "Click here" or open-link option, and all "hell" has broken loose: UC News subscribers have been subjected to the perpetrator's intended harm, usually having their email addresses stolen from my contact list.


Best solution?  Report the email as spam and get on with life.

However, following a Path of Curiosity is much more interesting as long as it does not lead to a Path of No Return.  So here is the investigation performed and what was discovered in the process.


Facebook Notification Email (Harry Potter)

Shown below is the email from the subscriber, titled "Get Over It, Ki d". Notice the space in the word "Ki d". That alone is a clue that something is wrong; deliberate misspellings of this kind are used to slip past keyword-based spam filters.

[Screenshot: the suspicious email as displayed in Gmail]

Step 1.  View Full Text (Gmail)

The down arrow to the right of the email opens a drop-down menu of additional Gmail utilities. Click "Show original."

[Screenshot: the Gmail drop-down menu with "Show original"]


What displays is not user friendly, but after comparing the Show Original text with the Gmail rendering you will undoubtedly make some interesting observations and bring useful data to light.

The bottom of the email shows informative and interesting text, but for techies the entire Show Original text is important. In particular, the headers at the top (Received:, Return-Path: and Authentication-Results:) record which server actually handed the message to Gmail and whether it passed SPF and DKIM checks for the subscriber's domain; that is where to look for the real source of the message. The link examined below tells you where victims are being sent, which is a different question.


<style>Very good said Lupin smiling Right then  ready to try it on a Dement=or=20</style>
<p></p>
<i>i've sent you a facebook notification</i><p></p>
<a href=
=3D"http://147.255.184.217/?l2=3D6&cugi=3Def2e00c98e44&1=3Duphamscornernews=
@gmail.com" id=3D"tu">review the full report here</a>





Step 2.  Identify What's Important

Clearly, some of the text is HTML formatting tags, but right from the start the mal-intent of the real sender appears clear. Notice the text inside the <style> tag:

<style>Very good said Lupin smiling Right then   ready to try it on a Dementor=20</style>

We imagine Lupin is smiling as in the 1920's silent era film, Dr. Jekyll and Mr. Hyde, where Dr. Jekyll is in his laboratory experimenting, and cackling at the thought of his future deeds.  "Ready to try it on a Dementor." 

At the same time, the names Lupin and Dementor seem much too creative to be random words invented by a perpetrator. Research indicates these names come from the world of Harry Potter, as shown below in an excerpt from the Harry Potter wiki. (Text inside a <style> tag is never displayed to the reader; spammers routinely paste passages from published books into hidden tags so that each message looks different to statistical spam filters, which is the likeliest reason a Harry Potter quote is here at all.)

http://harrypotter.wikia.com/wiki/Dementor

    "Dementors are among the foulest creatures that walk this earth. They infest the darkest, filthiest places, they glory in decay and despair, they drain peace, hope, and happiness out of the air around them... Get too near a Dementor and every good feeling, every happy memory will be sucked out of you. If it can, the Dementor will feed on you long enough to reduce you to something like itself...soulless and evil. You will be left with nothing but the worst experiences of your life."
    —Remus Lupin to Harry Potter



Step 3.  Where in the World?

So our lovely email appears to be motivated by evils in the world of Harry Potter. Are these kids, adults or hackers playing evil games? Do they live in the United States or elsewhere?

Clues, at least, can be found in the link behind the potentially dangerous "click here" text. Since UC News has not clicked on this link, for all we know it is just a Harry Potter joke. At the same time, because it is not likely an email sent by our subscriber [redacted name], at a minimum whoever sent the email is operating with "stolen goods": a compromised account or a harvested address book.

<a href=3D"http://147.255.184.217/?l2=3D6&cugi=3Def2e00c98e44&1=3Duphamscornernews=@gmail.com" id=3D"tu">review the full report here</a>

Notice the href=3D"..." form of the link. According to a post on Actionscript.org,

the "href=3D" is part of an encoding process pretty much just used for email. I believe it's called quoteable print. It has to do with SMTP only sending 7 of 8 bits data where the 8th bit is a check. Certain characters over 128 can get muddled as well as other characters like = and space. … Amazon uses this technique and so does Gmail.


The poster has the name slightly off: the encoding is Quoted-Printable (RFC 2045), designed so that a message survives mail systems that only pass 7-bit ASCII. An equals sign followed by two hex digits stands for one byte, so =3D is "=" and =20 is a space, and an equals sign at the very end of a line is a soft line break that joins the line to the next one. Decoded, the link reads:

http://147.255.184.217/?l2=6&cugi=ef2e00c98e44&1=uphamscornernews@gmail.com

Note that the recipient's own address rides along in the query string. Following the link would tell the sender that this address is live and read by a person, which is one more reason not to click. With that coding question out of the way, the most important part of the email source, the IP address 147.255.184.217, takes center stage. So, reminiscent of the many puzzles, books and game shows dedicated to Carmen Sandiego, we ask,

"Where in the world is the IP address 147.255.184.217?"

Entering the IP address 147.255.184.217 into an internet search turns up many websites with information about the location and the manager of the address.
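The decoding and extraction described above can be done locally, without ever touching the link. The block below is an added example written for this article, not code from the original post or from Gmail. The raw fragment it parses is reconstructed from the Show Original text quoted above (with the soft line break inside "Dementor" restored), and all function names are the example's own. It decodes the quoted-printable body, pulls out every link target and any prose hidden in a <style> block, and reports the indicators a reviewer cares about: a bare IP address as the host, plain http, and the recipient's own address embedded in the query string.

```python
import ipaddress
import quopri
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the article's "Show Original" fragment, reassembled with
# the soft line break ("=" at end of line) inside "Dementor" restored. It is
# not a captured message; it carries only what the article quotes.
RAW_FRAGMENT = (
    b"<style>Very good said Lupin smiling Right then  ready to try it on a Dement=\n"
    b"or=20</style>\n"
    b"<p></p>\n"
    b"<i>i've sent you a facebook notification</i><p></p>\n"
    b"<a href=\n"
    b"=3D\"http://147.255.184.217/?l2=3D6&cugi=3Def2e00c98e44&1=3Duphamscornernews=\n"
    b"@gmail.com\" id=3D\"tu\">review the full report here</a>\n"
)


def decode_quoted_printable(raw: bytes) -> str:
    """RFC 2045 quoted-printable: =XX is one hex byte, '=' at end of line is a soft break."""
    return quopri.decodestring(raw).decode("utf-8", errors="replace")


class _LinkAndHiddenText(HTMLParser):
    """Collects <a href> targets and any non-CSS prose hidden inside <style> blocks."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.style_text = []
        self._in_style = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)
        elif tag == "style":
            self._in_style = True

    def handle_data(self, data):
        if self._in_style:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "style":
            text = "".join(self._buf).strip()
            self._buf, self._in_style = [], False
            # Real CSS contains braces; running prose in a <style> block never
            # renders and is a classic spam-filter padding trick.
            if text and "{" not in text:
                self.style_text.append(text)


def parse_html_body(html: str):
    """Return (link targets, hidden style prose) for a decoded HTML body."""
    parser = _LinkAndHiddenText()
    parser.feed(html)
    parser.close()
    return parser.links, parser.style_text


def triage_link(url: str) -> dict:
    """Pull the indicators a reviewer wants from one link target."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    try:
        addr = ipaddress.ip_address(host)
        host_is_ip, is_global = True, addr.is_global
    except ValueError:
        host_is_ip, is_global = False, None
    params = parse_qs(parts.query, keep_blank_values=True)
    # Query values that look like e-mail addresses identify the recipient:
    # a click tells the sender the address is live and read by a person.
    tracked = [v for values in params.values() for v in values if "@" in v]
    return {
        "url": url,
        "scheme": parts.scheme,
        "plain_http": parts.scheme == "http",
        "host": host,
        "host_is_ip": host_is_ip,
        "is_global": is_global,
        "params": params,
        "tracked_addresses": tracked,
    }


def triage_fragment(raw: bytes) -> dict:
    """Decode a quoted-printable HTML body and triage every link in it."""
    links, hidden = parse_html_body(decode_quoted_printable(raw))
    return {"links": [triage_link(u) for u in links], "hidden_text": hidden}


if __name__ == "__main__":
    import json
    print(json.dumps(triage_fragment(RAW_FRAGMENT), indent=2))
```

Run it on the text of any Show Original view (copy everything after the blank line that ends the headers into RAW_FRAGMENT) and it will list each link with its host and query parameters, which is all the information the sites in the next steps are fed.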



Site #1 IP Location Tools


http://www.iplocationtools.com/147.255.184.217.html

Following is an edited version of what displays when you request information about 147.255.184.217 from their website.
 
[Screenshot: IP Location Tools result for 147.255.184.217]

So we learn that Nobis Technology Group of Phoenix is the registered owner/manager of the IP address used in the potentially dangerous link. According to the Nobis Technology Group Facebook page,

Nobis Technology Group, LLC is the parent holding company to roughly a dozen specialized companies and a broad spectrum of websites. We are privately-held, employee-owned, and have been involved in a number of very lucrative Internet services companies of many names since 2002.

However, their Facebook page does not include either phone number or email address.  Same with their website.




Site #2 WHOIS and Domain Research

http://www.whois.sc/

WhoIs describes itself as the #1 WHOIS and Domain Research site on the Internet. After entering the IP address into its search box, you are taken to the DomainTools website, which offers in-depth information. Important to note: the IP address is registered to Nobis Technology Group, but the "Resolve Host" (the reverse-DNS name of the address) is under Ubiquity Hosting.

http://whois.domaintools.com/147.255.184.217

[Screenshot: DomainTools WHOIS result for 147.255.184.217]



Site #3 American Registry for Internet Numbers

Domain Tools shows the Whois Server as http://whois.arin.net, which is the American Registry for Internet Numbers. 

Enter the IP address in their search box for current information. What displays is the owners and managers of the blocks of IP addresses containing it, as registered with ARIN:
  • the Parent is "NETBLK-NOBIS-TECHNOLOGY-GROUP-13 (NET-147-255-0-0-1)"
  • the "Name" assigned to the block of IP addresses is "NETBLK-UBIQUITY-PHOENIX-147-255-184-0"

ARIN is the authoritative record of which organization is responsible for the block and whom to contact about abuse. The geolocation sites that follow are estimates, not registration records.



Site #4  IP Geolocation and Network Intelligence website

http://db-ip.com/147.255.184.217

According to www.db-ip.com, all of 147.255.184.xxx belongs to Nobis Technology Group in Chengdu, Sichuan, the People's Republic of China. Bear in mind that a geolocation entry is a database vendor's estimate, not a registration record; it conflicts with the ARIN entry above rather than overriding it, and by itself it does not show that either the server or the sender is in China.

[Screenshot: db-ip.com geolocation result for 147.255.184.217]


Notice the geolocation coordinates above, 30.8498, 104.416, which place the address in Chengdu. Chengdu lies roughly 850 miles (about 1,370 km) northwest of Hong Kong. You can use OpenStreetMap.org to see geographically where that is.

Click the following link to explore the region on a map. Note that the view it opens is centred well to the southeast of Chengdu, near the south China coast; search for 30.8498, 104.416 to jump to the reported location.

http://www.openstreetmap.org/search?query=22.19%2C110.61#map=8/22.269/112.327




Site #5 MYIP.MS - a "hosting info, websites and IP database" website.

http://myip.ms/info/whois/147.255.184.217#w

Of all the websites identified thus far, MYIP.MS provided the most detail about the supposed location of the company, plus other networks it associates with the same company name within China. It is a geolocation and hosting database like db-ip.com, and the same caution applies.

[Screenshot: MYIP.MS hosting and WHOIS summary for 147.255.184.217]
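The five sites above are front ends for the same two kinds of data: the registry record that ARIN holds (Site #3) and geolocation estimates. The block below, an added example that is not part of the original article and not the code of any of the sites named, shows how a practitioner reconciles them from the command line instead: query ARIN's WHOIS service on port 43 (what the whois tool does), parse its key: value output, check that the address actually falls inside the registered block, take the operator from the reverse-DNS name, and flag a geolocation country that contradicts the registry. The ARIN text it parses offline is a constructed sample that reuses the names, handle, city and abuse address the article reports; its CIDR, 147.255.184.0/24, is an assumption chosen to match the NetName and is not a real registry entry. The whois_query and reverse_dns helpers need network access and are not exercised by the offline run.

```python
import ipaddress
import socket

# Constructed sample in the layout the ARIN whois service returns ("Key: value"
# lines, '#' comments). Names, handle, city and abuse address are the ones the
# article reports; the NetRange/CIDR are assumed and not a real record.
SAMPLE_ARIN_WHOIS = """\
#
# ARIN WHOIS data and services are subject to the Terms of Use
#

NetRange:       147.255.184.0 - 147.255.184.255
CIDR:           147.255.184.0/24
NetName:        NETBLK-UBIQUITY-PHOENIX-147-255-184-0
Parent:         NETBLK-NOBIS-TECHNOLOGY-GROUP-13 (NET-147-255-0-0-1)
OrgName:        Nobis Technology Group, LLC
City:           Phoenix
StateProv:      AZ
Country:        US
OrgAbuseEmail:  abuse@nobistech.net
"""


def parse_arin_whois(text: str) -> dict:
    """Turn ARIN's 'Key: value' output into a dict (first occurrence of a key wins)."""
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        record.setdefault(key.strip(), value.strip())
    return record


def block_covers(record: dict, ip: str) -> bool:
    """True if the address lies inside the record's CIDR (ARIN may list several, comma separated)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c.strip(), strict=False)
               for c in record.get("CIDR", "").split(",") if c.strip())


def rdns_operator(hostname: str) -> str:
    """Registrable domain of a reverse-DNS name, e.g. x.rdns.ubiquity.io -> ubiquity.io.

    Naive two-label rule: right for .io/.net/.com, wrong for ccTLD second levels
    such as .co.uk, where a public-suffix list would be needed.
    """
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname


def reconcile(record: dict, ip: str, rdns_name, geo_country) -> dict:
    """Combine the sources the way a reviewer would: the registry says who is
    responsible and whom to mail, rDNS says who operates the box, and
    geolocation is only an estimate that may disagree with both."""
    findings = {
        "in_registered_block": block_covers(record, ip),
        "responsible_org": record.get("OrgName"),
        "abuse_contact": record.get("OrgAbuseEmail"),
        "registry_country": record.get("Country"),
        "rdns_operator": rdns_operator(rdns_name) if rdns_name else None,
        "geo_country": geo_country,
    }
    findings["geo_conflicts_with_registry"] = (
        geo_country is not None and geo_country != findings["registry_country"]
    )
    return findings


def reverse_dns(ip: str):
    """Live PTR lookup; None when there is no PTR record or no network."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def whois_query(query: str, server: str = "whois.arin.net", timeout: float = 10.0) -> str:
    """Live port-43 WHOIS query, the same exchange the whois CLI performs."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall((query + "\r\n").encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


if __name__ == "__main__":
    ip = "147.255.184.217"
    # Offline run on the sample; online, use parse_arin_whois(whois_query(ip))
    # and reverse_dns(ip) in place of the literal hostname.
    record = parse_arin_whois(SAMPLE_ARIN_WHOIS)
    print(reconcile(record, ip, "147.255.184.217.rdns.ubiquity.io", "CN"))
```

The abuse_contact field is the address the registry publishes for exactly this purpose, which is what the phone call in Step 5 eventually produced by hand.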




Step 4.  Locate Nobis Technology Group Contact Info

As interesting as all of this might be, we still do not have contact information.  What we want is to talk with someone who has an answer to the question: WHO is sending potentially dangerous email from a hacked email address?

Searching the internet using "how to contact nobis technology group" yielded many website options.



Website #1: InsideView
http://www.insideview.com/directory/nobis-technology-group-l-l-c





Website #2 - Nobis Technology Digital Millennium Copyright Act Statement
http://nobistech.net/dmca

Although this page would not, on its face, seem to have anything to do with email hacking, its contents are quite useful: a DMCA notice page has to name someone to contact.

[Screenshot: the Nobis Technology DMCA page]


Website #3 -  Better Business Bureau

http://www.bbb.org/central-illinois/business-reviews/internet-services/nobis-technology-group-in-phoenix-az-90003793

Of all the sites examined, the Better Business Bureau provided the most complete and current information.   
[Screenshot: the Better Business Bureau listing for Nobis Technology Group]



Step 5.  Speak with Nobis Technology Group

The conversation with the HelpDesk person was funny and what you would expect - a locked door to information about the perpetrator.

Whoever answered the phone at 312.281.5101 wanted to know if I had a contract with them and seemed reluctant to answer questions because I said, "No." 
Telling him what I wanted didn't help much either, especially the part about Harry Potter and a dangerous link.


"I am looking for anyone who can tell me why somebody at China's Nobis Technology Group sent out an e-mail that included references to Harry Potter and probably had a dangerous link in it."


Will, I'm sure, was confused.  He insisted they were an Internet Service Provider for that address space. 

So I repeated myself, "The owner of the IP address (you) has rented out this particular address to a website in China, right?"  He suggested I didn't know what I was talking about, that I didn't know what a hosting provider was.  However, he elected to not explain it to me but rather moved to a more remote tone of voice.

"If you have specific questions relating to our services, I can answer them."

I told him the hostname for the IP address of concern was: 147.255.184.217.rdns.ubiquity.io. "I'm reading it right off the Internet" to which he brought out his best sarcasm, "If you say so."

I told him about the geolocation service provided by www.db-ip.com, indicating the address was located in China.  "Whoever's using the hostname or I should say the IP address, is sending out problematic e-mails. So how do I find out who that person is who is using the IP address?"

He repeated the question:  "You want to find out who is using it?"

Yes, I told him.  I want to "find out who is sending the e-mail because that person is using a hacked e-mail address that had in its contact list my email address.  So now I am receiving fake emails from one of my subscribers. If you look at the Show Original in Gmail, it shows text about Harry Potter. So we know there is something wrong.  What I'm trying to do is identify who is sending this e-mail because it also includes a link with an IP address that belongs to you and that link could be dangerous."

Of course I knew what the reply would be.  "We would not be able to release any subscriber information unless we were compelled to do so by service of process" (the courts).  He also said that information is completely private and not available anywhere on the internet.

"That's what I thought. It's all private to your organization, right?"  "Yes," he said, "that's right."

That's when it dawned on me that I wasn't talking to Nobis.  "The company you called," he said, "is Ubiquity Hosting," which is consistent with the hostname 147.255.184.217.rdns.ubiquity.io.

I wasn't even sure he would answer this question, "Is Ubiquity Hosting owned by Nobis Technology Group?"  "That's right."
"And are you just one of a bunch of companies that make up Nobis?"  "That's right."

Till this point, I still didn't know his name.  "Will," he said, and "No," he didn't want to give me his last name.  "That's what I thought," I said, and laughed heartily.  But he was willing to share an email address where I could send a statement of concern.  He even told me how to make sure the "Show Original" was included; otherwise, they could not begin to deal with the problem.

abuse@nobistech.net

"Be truthful," a lawyer advised recently, and in the spirit of not wanting to participate in a tee-up or performative, as described in a January 20, 2014 article in the Wall Street Journal by Elizabeth Bernstein, I told Will how I felt our conversation went.

"Will, even though you don't have a last name and you've been somewhat cautious and defensive sounding, you've actually been very helpful. Thank you so much." 

He seemed friendlier than I had heard before, "I'm glad I could help. Have a nice day."



Step 6.  Submit Complaint

Per Will's instructions, a complaint was submitted.  Ubiquity responded with ticket tracking information that showed a "low" priority.  Minutes later they closed the ticket, saying they had forwarded the information to their customer.  At a minimum, Ubiquity has acknowledged that the address in the link belongs to one of its customers, which makes that customer responsible for whatever the link serves.

 [#ANV-816-63784]: Re: Get Over It, Ki d

Ubiquity Hosting Solutions <abuse@nobistech.net>     Fri, Jan 24, 2014 at 9:49 PM
Reply-To: abuse@nobistech.net
To: editor.ucnews@gmail.com

Thank you for contacting us. For your records, the details of the ticket are listed below.
        Ticket ID: ANV-816-63784
        Subject: Re: Get Over It, Ki d
        Department: Mailroom
        Type: Issue
        Status: Open
        Priority: Low

You can check the status of or reply to this ticket online at:
https://support.ubiquityhosting.com/index.php?/default_import/Tickets/Ticket/View/ANV-816-63784

Kind regards,

Ubiquity Hosting Solutions

Note:  The first response occurred as shown above at 9:49 pm.  At 10:01 PM they closed the ticket with the following statement: 
We have forwarded your complaint to our customer. Thank you!

https://support.ubiquityhosting.com/index.php?/default_import
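Will's advice to include the Show Original text is the one thing every abuse desk needs, and there is a standard way to package it: the Abuse Reporting Format (ARF, RFC 5965), which abuse mailboxes and feedback loops already parse. The block below is an added example, not the complaint the article actually sent and not Ubiquity's or Nobis's code. It builds an ARF message with a short human-readable part, a machine-readable message/feedback-report part that lists the link as Reported-URI, and the untouched original attached as message/rfc822, so the headers arrive intact instead of being pasted into a web form. The original it wraps is a constructed stand-in assembled from the subject, recipient and link the article quotes (the From address and Date are placeholders). ARF's Source-IP field is meant for the sending mail server's address from the Received: headers, which the article did not capture, so the example leaves it out unless one is supplied.

```python
import email
import re
from email.message import Message
from email.mime.base import MIMEBase
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed stand-in for the "Show Original" text of the offending message:
# placeholder From/Date, the subject and recipient the article reports, and the
# quoted-printable link it quotes. Not the real message.
RAW_ORIGINAL = (
    b"From: Subscriber <subscriber@example.com>\r\n"
    b"To: uphamscornernews@gmail.com\r\n"
    b"Subject: Get Over It, Ki d\r\n"
    b"Date: Fri, 24 Jan 2014 12:00:00 -0500\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"\r\n"
    b"<i>i've sent you a facebook notification</i>\r\n"
    b"<a href=\r\n"
    b"=3D\"http://147.255.184.217/?l2=3D6&cugi=3Def2e00c98e44&1=3Duphamscornernews=\r\n"
    b"@gmail.com\" id=3D\"tu\">review the full report here</a>\r\n"
)

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def parse_message(raw: bytes) -> Message:
    """Parse raw RFC 5322 bytes (what Gmail's Show Original displays)."""
    return email.message_from_bytes(raw)


def reported_uris(original: Message) -> list:
    """Decode the body (quoted-printable or base64) and list every URL in it."""
    body = original.get_payload(decode=True) or b""
    return URL_RE.findall(body.decode("utf-8", errors="replace"))


def build_feedback_report(raw_original: bytes, reporter: str, abuse_contact: str,
                          source_ip=None,
                          user_agent: str = "ucnews-arf-example/1.0") -> MIMEMultipart:
    """Assemble an RFC 5965 ARF message: human-readable text, a machine-readable
    message/feedback-report part, and the original message as message/rfc822."""
    original = parse_message(raw_original)
    uris = reported_uris(original)

    report = MIMEMultipart("report", report_type="feedback-report")
    report["From"] = reporter
    report["To"] = abuse_contact
    report["Subject"] = "Abuse report: " + (original.get("Subject") or "(no subject)")

    summary = (
        "Abuse report: the attached message, purporting to come from "
        + (original.get("From") or "an unknown sender")
        + ", links to " + (", ".join(uris) or "no URL")
        + ". The complete original, headers included, is attached as "
        "message/rfc822 so nothing is lost in forwarding.\n"
    )
    report.attach(MIMEText(summary, "plain"))

    # Envelope sender is only visible as Return-Path in a stored copy; fall
    # back to the From: header. Arrival-Date should be the receipt time; the
    # Date: header is the closest value available from the original alone.
    fields = [
        ("Feedback-Type", "abuse"),
        ("User-Agent", user_agent),
        ("Version", "1"),
        ("Original-Mail-From", original.get("Return-Path") or original.get("From", "")),
        ("Original-Rcpt-To", original.get("To", "")),
        ("Arrival-Date", original.get("Date", "")),
    ]
    if source_ip:  # the SMTP client address from Received: headers, if known
        fields.append(("Source-IP", source_ip))
    fields += [("Reported-URI", u) for u in uris]
    feedback = MIMEBase("message", "feedback-report")
    feedback.set_payload("".join(f"{k}: {v}\n" for k, v in fields))
    report.attach(feedback)

    report.attach(MIMEMessage(original))
    return report


if __name__ == "__main__":
    arf = build_feedback_report(RAW_ORIGINAL, "editor.ucnews@gmail.com",
                                "abuse@nobistech.net")
    print(arf.as_string())
```

Send the result with any SMTP client (for example smtplib.SMTP(...).send_message(arf)); because the original travels as an attachment rather than quoted text, the abuse desk gets the Received: chain and link exactly as the mailbox stored them.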



Posted: Jan 24, 2014     Nancy J Conrad


Your comments will be posted here and in the Letters to the Editor after processing.


Mon Jan 27, 2014 1:36:44

Hi Nancy
WOW...this is the best and most comprehensive explanation of this whole hacking business.  We, too, have had a similar experience and every email went astray while I was pleading for money from Cypress.  It is scary and invasive.  Thank you for sharing all of this with your readers.  Best.

Patti Violette
Executive Director
Shirley-Eustis House

| Copyright © 2010-2014 Uphams Corner News - All Rights Reserved |