24.3.17

Ramiro Helmeyer & RaFa new reputation-cleaning online technique: DDoS & IoT


UPDATED 28/03/2017 - 15:42GMT* - In the latest chapter of new and creative forms of silencing / eliminating from view accurate and relevant information about certain characters of Venezuela's underworld, this week I've been battling with yet another DDoS attack against my first, now inactive, website: vcrisis.com. This time round, thousands of smartphones are being used, presumably without their owners' consent, to direct traffic (POST and GET requests) to my site. But the more interesting aspect is that most traffic comes from a handful of Google Cloud IP addresses.

You read that right, DoSers are using Google's power to crash my server. For public benefit and future reference, abused addresses are:

104.199.239.63
104.155.223.136
35.185.97.148
35.185.71.234
104.198.44.92
104.154.156.18

The requests being made, by the thousands, look like this:

www.vcrisis.com 35.185.71.234 - - [23/Mar/2017:00:01:13 -0400] "POST /index.php?content=archive HTTP/1.1" 200 498751 "-" "Mozilla/5.0 (BlackBerry; U; BlackBerry 9900; en)

www.vcrisis.com 35.187.34.71 - - [23/Mar/2017:00:01:11 -0400] "POST /index.php?content=archive HTTP/1.1" 200 498752 "-" "Mozilla/5.0 (Linux; U; Android 2.3.3; de-ch; HTC Desire Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"

www.vcrisis.com 104.155.223.136 - - [23/Mar/2017:00:01:11 -0400] "POST /index.php?content=archive HTTP/1.1" 200 498764 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows Phone OS 7.0; Trident/3.1; IEMobile/7.0; Nokia;N70)"

www.vcrisis.com 104.155.223.136 - - [23/Mar/2017:00:01:07 -0400] "GET /? HTTP/1.1" 200 22781 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36"

www.vcrisis.com 35.187.34.71 - - [23/Mar/2017:00:01:07 -0400] "POST /index.php?content=archive HTTP/1.1" 200 498759 "-" "Opera/9.80 (J2ME/MIDP; Opera Mini/9 (Compatible; MSIE:9.0; iPhone; BlackBerry9700; AppleWebKit/24.746; U; en) Presto/2.5.25 Version/10.54"

Logs show thousands of such requests, to the extent that the server has been shut down and special measures have been put in place by my web hosting provider. I have, of course, shared relevant data with Google's Project Shield, whose staff alerted me to increased traffic towards my vcrisis.com site the other day.

One of the benefits of this new association with Project Shield is that I get to see things that I couldn't / wasn't aware of before, such as the number of removal requests made on articles posted on my website. The one reprinted below, for instance, which is a post written by blog friend, financial crime consultant Ken Rijock, seems to be causing some discomfort to criminal Ramiro Helmeyer and his community manager, also a convicted criminal, RaFa the hacker.

My dashboard shows that since 27 September 2016, 54 removal requests have been made on stuff posted on vcrisis.com, almost all of them to have the article below removed. Checking on removal requests made on articles posted on my other site, infodio.com, I noticed that all 368 such requests, from the first one made also on 27 September 2016, are either articles on RaFa, or those exposing his who's who list of thuggish / criminal Venezuelan clients, from convicted Helmeyer, to more recently convicted Roberto Rincon...

Some time ago I alerted Matt Cutts about RaFa's astroturfing. I guess he's having to do all the criminals' whitewashing again. And he's succeeding at it, I reckon. Google searches for Ramiro Helmeyer return these results these days: surely David Beckham, Alec Baldwin and Jesse Eisenberg wouldn't be proud of such usage of their images.



* An update: the good folks at Project Shield sent a message saying "It was a Layer 7 HTTP flood DDoS attack." Further investigation revealed that Project Shield's own IP addresses were indeed used in the DDoS attack. What interests me is the level of sophistication Venezuelan crooks are employing to scrub their reputations. Considering the staggering amounts of money they've gotten through corruption, and the kind of services employed, it is not difficult to foresee that their past misdeeds will be eliminated from the public domain.

24.2.17

[UPDATED] DDoS, DMZHOST, spam, Project Shield...


This post was intended to be posted in infodio.com. Evidently, my contentment about having defeated the DDoS attack was premature... Please see updates at bottom.

It's been a busy week. As I was chatting to a source in Caracas the other day, I noticed that this site was down. I asked my web host (shout out to the excellent folks at LeaseWeb), and was informed that -yet another- DDoS attack had been launched against us. This is the third time a DDoS attack has been directed at my websites: once at vcrisis.com and twice at infodio.com.

This is how it looked this morning...

I must wonder, of course, at the reasons. Why would anyone seek to prevent the general public from learning about the stuff I publish? Is it because we expose Venezuela's rampant corruption? For those who are yet to get acquainted with the situation, Venezuela is a Spanish-speaking country of some 30 million. It is, after 17 years of chavista rule, a failed nation in the fullest sense of the term. But this site does not cater for a Venezuelan readership. It seeks to inform the wider world about who's who in the Boliburgeoisie, a new extremely wealthy and, equally, extremely inept class of 'businessmen' that could only become minted under the shadow of Hugo Chavez's so-called socialist revolution. We talk about the Alejandro Betancourts of this world, the Juan Carlos Escotets, the Victor Vargas, the Danilo Diazgranados, the Francisco D'Agostinos and Luis Obertos... we investigate the origin of their newly found riches, we track their operations across many different jurisdictions, we expose those who enable, aid and abet them, like Adam Kaufmann, Glenn Simpson, Al Cardenas, or even Baltazar Garzon, we uncover their deals, in Africa, Europe, Russia, Asia, in sum, we shed a glimmer of sunlight on their otherwise opaque underworld.

It is, therefore, to be expected that such work would attract the ire of nasty, criminal, yet extremely resourceful thugs (dirty money is welcomed by everyone everywhere nowadays). Dealing with this lot exposes us to very dangerous vendettas. They operate in a world without border / immigration barriers. They criss-cross the globe in their own private jets: one day they're having Heston Blumenthal cooking for them, the next they're in St. Barths hanging with Roman Abramovich, and the third meeting with ex-WSJ hacks, former Manhattan prosecutors and leaders from America's GOP, when not cavorting with the very best of Sloanes in London. Their reach knows no constraints either. A London raid can be easily organized from Caracas, without as much as a worry of ever getting caught. That's the kind this site deals with.

The latest comes from Russia, or more specifically, an IP address controlled from Russia (191.96.249.70). A vulnerability in the WordPress blogging platform allows the pingback method to be used to launch DDoS attacks (explanation here). Basically, someone makes use of that vulnerability to have other WordPress sites ping a target website. Checking my server logs, I noticed the following pattern:

"GET / HTTP/1.1" 200 32295 "http://infodio.com/" "WordPress/4.7.2; https://www.customescaperoom.com; verifying pingback from 191.96.249.70"


"GET / HTTP/1.1" 200 32293 "http://infodio.com/" "WordPress/4.6.3; http://www.toptasting.com; verifying pingback from 191.96.249.70"


"GET / HTTP/1.0" 200 145833 "-" "WordPress/4.0.15; http://wisecleaner.online; verifying pingback from 191.96.249.70"


When that request is repeated many thousands of times per second, servers tend to collapse under the traffic, as was the case with mine. Thousands of such requests, as well as POST and HEAD requests, were launched from servers around the world.
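Added example (not the author's code, and nothing from Project Shield or LeaseWeb): a small Python triage script that parses combined-format log lines like the ones quoted above and in the 24.3.17 post, and separates the two patterns this blog has been hit with. The WordPress "verifying pingback from X" user agent identifies the address that submitted the pingback, so grouping those hits by that address shows how many unrelated WordPress sites are being used as reflectors; counting requests and response bytes per client IP surfaces the handful of addresses behind a Layer 7 POST flood. The embedded sample lines are copied from the post, except that the client IPs and timestamps on the three 191.96.249.70 pingback lines are constructed (the post quotes those entries without them), and the thresholds are deliberately tiny so that this handful of lines trips them; a real deployment would raise them.

```python
import re
from collections import Counter, defaultdict

# Regex for the Apache/Nginx "combined" log format used by the entries quoted in
# this post. The leading virtual-host field is optional (the vcrisis.com entries
# carry one, the infodio.com entries do not), and a missing closing quote after the
# user agent is tolerated because some of the quoted lines are truncated.
LOG_RE = re.compile(
    r'^(?:(?P<vhost>[\w.-]+)\s+)?(?P<ip>[\da-fA-F.:]+)\s+\S+\s+\S+\s+'
    r'\[(?P<ts>[^\]]+)\]\s+"(?P<method>[A-Z]+)\s+(?P<path>\S+)[^"]*"\s+'
    r'(?P<status>\d{3})\s+(?P<size>\d+|-)\s+"(?P<referer>[^"]*)"\s+"(?P<ua>[^"]*)"?'
)

# User agent a WordPress site sends while verifying a pingback it received. The
# "from" address is the party that submitted the pingback, i.e. whoever is using
# that site as a reflector; the site itself is named in the middle field.
PINGBACK_RE = re.compile(
    r'^WordPress/(?P<wpver>\S+);\s*(?P<reflector>\S+);\s*'
    r'verifying pingback from (?P<origin>[\d.]+)'
)

SAMPLE_LINES = [
    # Copied from the 24.3.17 post (first line is truncated there as well).
    'www.vcrisis.com 35.185.71.234 - - [23/Mar/2017:00:01:13 -0400] "POST /index.php?content=archive HTTP/1.1" 200 498751 "-" "Mozilla/5.0 (BlackBerry; U; BlackBerry 9900; en)',
    'www.vcrisis.com 35.187.34.71 - - [23/Mar/2017:00:01:11 -0400] "POST /index.php?content=archive HTTP/1.1" 200 498752 "-" "Mozilla/5.0 (Linux; U; Android 2.3.3; de-ch; HTC Desire Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"',
    'www.vcrisis.com 104.155.223.136 - - [23/Mar/2017:00:01:11 -0400] "POST /index.php?content=archive HTTP/1.1" 200 498764 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows Phone OS 7.0; Trident/3.1; IEMobile/7.0; Nokia;N70)"',
    'www.vcrisis.com 104.155.223.136 - - [23/Mar/2017:00:01:07 -0400] "GET /? HTTP/1.1" 200 22781 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36"',
    'www.vcrisis.com 35.187.34.71 - - [23/Mar/2017:00:01:07 -0400] "POST /index.php?content=archive HTTP/1.1" 200 498759 "-" "Opera/9.80 (J2ME/MIDP; Opera Mini/9 (Compatible; MSIE:9.0; iPhone; BlackBerry9700; AppleWebKit/24.746; U; en) Presto/2.5.25 Version/10.54"',
    # Constructed client IPs (TEST-NET-3) and timestamps; the request, referer and
    # user-agent fields are the ones quoted in the 24.2.17 post.
    '203.0.113.10 - - [24/Feb/2017:09:00:00 +0100] "GET / HTTP/1.1" 200 32295 "http://infodio.com/" "WordPress/4.7.2; https://www.customescaperoom.com; verifying pingback from 191.96.249.70"',
    '203.0.113.11 - - [24/Feb/2017:09:00:00 +0100] "GET / HTTP/1.1" 200 32293 "http://infodio.com/" "WordPress/4.6.3; http://www.toptasting.com; verifying pingback from 191.96.249.70"',
    '203.0.113.12 - - [24/Feb/2017:09:00:01 +0100] "GET / HTTP/1.0" 200 145833 "-" "WordPress/4.0.15; http://wisecleaner.online; verifying pingback from 191.96.249.70"',
    # Copied from the 25.02.2017 update.
    '104.155.70.96 - - [24/Feb/2017:14:26:09 +0100] "GET / HTTP/1.1" 200 145833 "-" "WordPress/4.4.2; http://jazzjackrabbit.org; verifying pingback from 191.96.249.54',
    '104.199.6.69 - - [24/Feb/2017:14:26:09 +0100] "GET / HTTP/1.1" 200 32299 "http://infodio.com/" "WordPress/4.7.2; https://www.virtualsunburn.com; verifying pingback from 191.96.249.54',
    '104.199.61.249 - - [24/Feb/2017:14:26:09 +0100] "GET / HTTP/1.1" 200 32299 "http://infodio.com/" "WordPress/4.6; http://pironsecurity.com; verifying pingback from 191.96.249.54"',
]


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    pb = PINGBACK_RE.match(rec["ua"])
    rec["pingback_origin"] = pb.group("origin") if pb else None
    rec["pingback_reflector"] = pb.group("reflector") if pb else None
    return rec


def parse_log(lines):
    return [r for r in (parse_line(ln) for ln in lines) if r]


def pingback_reflection(records):
    """Map each pingback origin IP to the sorted set of WordPress sites that were
    made to verify pingbacks on its behalf. Many distinct sites naming the same
    origin is the signature of a pingback reflection flood."""
    reflectors = defaultdict(set)
    for r in records:
        if r["pingback_origin"]:
            reflectors[r["pingback_origin"]].add(r["pingback_reflector"])
    return {origin: sorted(sites) for origin, sites in reflectors.items()}


def top_talkers(records, n=5):
    """Requests per (client IP, method, path): a few IPs hammering one POST URL is
    the Layer 7 flood pattern from the 24.3.17 post."""
    return Counter((r["ip"], r["method"], r["path"]) for r in records).most_common(n)


def bytes_served(records):
    """Response bytes per client IP; large dynamic pages make each hit expensive."""
    c = Counter()
    for r in records:
        if r["size"] != "-":
            c[r["ip"]] += int(r["size"])
    return c


def flag_floods(records, per_target_threshold=2, reflector_threshold=3):
    """Human-readable findings. Thresholds are tiny to suit the sample lines."""
    findings = []
    for origin, sites in pingback_reflection(records).items():
        if len(sites) >= reflector_threshold:
            findings.append(f"pingback reflection: {len(sites)} WordPress sites verifying pingbacks for {origin}")
    for (ip, method, path), n in top_talkers(records):
        if n >= per_target_threshold:
            findings.append(f"volumetric: {ip} sent {n} x {method} {path}")
    return findings


if __name__ == "__main__":
    for line in flag_floods(parse_log(SAMPLE_LINES)):
        print(line)
```

The reflection view is the one worth acting on first: blocking the reflecting WordPress sites one by one is futile because the attacker can recruit new ones, whereas the origin address (here the two DMZHOST addresses) and the distinctive "verifying pingback from" user agent are stable enough to rate-limit or drop at the edge, which is roughly what a Layer 7 filter such as the one described later in the post does. The top-talker and byte counts are what justify a request-rate limit on the expensive `POST /index.php?content=archive` handler in the first post.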

However, IP 191.96.249.70, like all others, is associated with a hosting provider, in this case DMZHOST.CO. Said domain, like all others, is in turn registered to a person, somewhere, in this case a Christian P, with an address in the Seychelles very similar to that of Mossack Fonseca (Oliaji Trade Centre, Francis Rachel Street, Victoria Mahe, Seychelles).


Every domain has to have a person or organization responsible. In the case of DMZHOST.CO it initially had Dmzhost Limited as responsible party, but seems to have passed control to JUPITER 25 LIMITED. A search for Jupiter brings us closer to home, to 35 Firs Avenue, N11 3NE, London, United Kingdom. Please do note, in the last link, that there's a chris@dmzhost.co listed as contact for Jupiter. Could this be the same person as Christian P in the Seychelles?

There are hundreds of companies registered at 35 Firs Avenue. According to Companies House data, Darren Symes is Jupiter's director; Symes is associated with over 200 companies. Other folks investigating similar attacks have had this to say about DMZHOST in the recent past:


“Bulletproof hosting” providers like DMZHOST provide VPSs that advertise themselves as outside of the reach of Western law enforcement. DMZHOST offers its clients “offshore” VPSs in a “Secured Netherland datacenter privacy bunker” and “does not store any information / Log about user activity.” At the same time, DMZHOST’s terms of service are just as concise. “DMZHOST does not allow anything (related) to the following content: – DDos – Childporn – Bank Exploit – Terrorism – NO NTP – NO Email SPAM”. 

Further investigation of IP 191.96.249.70 and Jupiter 25 Limited indicate that its DNS servers are controlled by yet another London-based company: Host1Plus. This one in turn seems to be a trading name of Digital Energy Technologies Ltd.

Bitcoin payments, obscuring the identity of the ultimate culprits, are readily accepted by both DMZHOST and Host1Plus. I sent a tweet to Host1Plus' Vincentas Grinius, which was answered in the most ridiculous fashion to avoid dealing with the actual DDoS question.

I also sent an email request to chris@dmzhost.co, and got an almost immediate reply, asking for logs. Chris sends emails from somewhere around Pavia in Italy (93-36-187-144.ip61.fastwebnet.it). He claims the server used for the DDoS attack "has been shutdown", but refuses to say who used the server, who contracted server services with his company, how he got paid, and refuses to provide his full identity or that of his client/s. If he ever identifies himself fully, and provides proper explanations as to the use of his platform to DDoS this site*, I shall add his comments here, alas, I have no hope: while asking him to reconsider, my inbox has been rendered almost dysfunctional in a matter of minutes by an avalanche of spam (see below), which started after my third email to Chris. So the server "has been shutdown" alright, but the attack has morphed...


Despite denials, queries per second peaked minutes after confronting Chris@dmzhost.co, as per Project Shield's data.

Not all has been bad though. Right after Brian Krebs suffered the largest ever DDoS attack, I remember having read about how Google had come to the rescue. Through Twitter I got in touch with Nicholas Platt, Digital Media Producer of Jigsaw, a technology incubator of Alphabet (Google's parent co), and got an invite to join Project Shield, which is the Google platform that defeated Krebs's attackers. I will be forever grateful for this. The folks from LeaseWeb, my web hosting provider, must also receive my public gratitude: rather than kicking me out -after all, the attack caused a lot of disruption and man hours to solve- Tom, Reece and Bagata kept their Dutch cool and were tremendously helpful.


Virtual crooks are getting more brazen by the day, though I seriously doubt they will ever reach Google's levels of computing power. The silver lining is that due to the latest DDoS attack, no amount of stolen Venezuelan money will ever be able to knock this site offline again. It is yet to be determined which of the thugs normally exposed here is behind the latest attack, though we will carry on investigating, exposing, and shedding light upon corruption and the Boliburgeoisie. The latest findings put to rest the no-bid contracts given to Derwick, Diazgranados intentions to buy a sizeable portion of Compagnie Bancaire Helvetique, Charles Henry de Beaumont's dirty dealings with Oberto and other thugs in the Caribbean, the direct links between corrupt chavistas and their preferred contractors, etc.

* Right after confronting chris@dmzhost.co this afternoon, the DDoS attack against infodio.com was relaunched, with the added bonus of a huge spam avalanche in my inbox. Chris claims that neither he nor his company was behind the DDoS attack, and added that he "could help you on mitigating ALL attacks. We are experienced on mitigating attack since also us receice many attacks"... (sic)



Further investigations indicate that Chris' UK proxy, Darren Symes, has had a colourful past fronting for other scam artists grouped under Claremont Partnerships and Noble Rock Partners.

UPDATE 25.02.2017 13:38GMT: My server logs are providing more clues as to the nature of the attack. Project Shield's visits started yesterday morning:
104.196.28.249 - - [24/Feb/2017:10:26:29 +0100] "GET / HTTP/1.1" 200 146265 "-" "Mozilla/5.0 (compatible; ProjectShield-UrlCheck; +http://g.co/projectshield)"
This continued, more or less uninterruptedly, until early afternoon and was coupled with spidering by Google bots, etc.:
35.184.90.184 - - [24/Feb/2017:14:24:36 +0100] "GET / HTTP/1.1" 200 146265 "-" "Mozilla/5.0 (compatible; ProjectShield-UrlCheck; +http://g.co/projectshield)"
Then this happened:
104.155.70.96 - - [24/Feb/2017:14:26:09 +0100] "GET / HTTP/1.1" 200 145833 "-" "WordPress/4.4.2; http://jazzjackrabbit.org; verifying pingback from 191.96.249.54
104.199.6.69 - - [24/Feb/2017:14:26:09 +0100] "GET / HTTP/1.1" 200 32299 "http://infodio.com/" "WordPress/4.7.2; https://www.virtualsunburn.com; verifying pingback from 191.96.249.54
104.199.61.249 - - [24/Feb/2017:14:26:09 +0100] "GET / HTTP/1.1" 200 32299 "http://infodio.com/" "WordPress/4.6; http://pironsecurity.com; verifying pingback from 191.96.249.54"
At 14:24, chris@dmzhost.co sent an email saying:
"Do not threat since for be clear we are not who launch you the attack. And we have take immediate action suspending the server so lawfully speaking we are total ok." (sic)
About two minutes passed between his "lawfully speaking we are total ok" and the restart of the DDoS and a further spam avalanche. However, the IP had been changed, from the previous 191.96.249.70 to 191.96.249.54, both controlled by his DMZHOST company.

Email headers suggest that his email server (mail.ru) is located in a GMT +0300 time zone (Russia) and that mail is then routed through Italy's Fastweb. His browser appears to be configured in Italian, and he visited some of my sites from a Fastweb address at around the same time:


I've sent an email to abuse@corp.mail.ru, however I have little expectation of ever getting a straightforward and appropriate reply (Added: mail.ru did reply, claiming chris@dmzhost.co is not a registered client, despite email header evidence to the contrary). The spamming of my inbox continues in earnest: my last email went unanswered, I guess Chris did not appreciate my confronting him and the details in this post (Added: eventually a couple of emails made it into my inbox over the weekend, one from the usual @dmzhost.co address and the other from dmzhosts@protonmail.com, whereby our DDoSer and spammer claims "IF YOU ARE RECEIVING THIS MAIL ITS BECAUSE WE CANNOT REACH YOU FROM OUR MAIN MAIL. Please provide another mail which is not being spammed.. or skype account").

DDoS Attacks directed to the site are still crippling functionality and access, with five outages in the last seven days.



UPDATE 01.03.2017 07:46GMT: infodio.com has been back online for over 48 hours, and is updated.

Looking at the latitude and longitude details of attacking IPs 191.96.249.70 and 191.96.249.54 in Google Maps, I noticed Rosneft HQ's location. Further research reveals that Rosneft.ru has exactly the same latitude and longitude details as the IPs from which the DDoS attack against my site was launched. Considering chavismo's relations with Russian 'state' companies, isn't that just an extraordinary coincidence?




12.1.17

FusionGPS steps in it (again): now about Trump

Let us start with the NYT's headline "How a Sensational, Unverified Dossier Became a Crisis for Donald Trump", and a quote:
Fusion GPS, headed by a former Wall Street Journal journalist known for his dogged reporting, Glenn Simpson, most often works for business clients. But in presidential elections, the firm is sometimes hired by candidates, party organizations or donors to do political “oppo” work — shorthand for opposition research — on the side. 
It is routine work and ordinarily involves creating a big, searchable database of public information: past news reports, documents from lawsuits and other relevant data. For months, Fusion GPS gathered the documents and put together the files from Mr. Trump’s past in business and entertainment, a rich target.
Report from Guido Fawkes site.
News about the unverified dossier has gone round the world a few times by now. Buzzfeed, the site that decided to go public with the "report" produced by Fusion GPS, certainly hasn't covered itself in glory: some of the most reputed liberal media outlets (BBC, NYT, The Guardian and WaPo) refused to touch it, even though they'd love to claim Trump's scalp.

There's already some talk about the similarities between Hugo Chavez and Donald Trump, especially in the way the president-elect treats non-compliant media. But I digress.

What I'm finding remarkable about this, is that Fusion GPS was in the news in the past for, precisely, its ethical and moral deficit. Here's a quote attributed to Simpson:

"We’re hoping that people who have an interest in bringing things out, to do something about corruption, fraud, will come to us."

Well, if attempting to destroy Republican donors -or its perceived GOP enemies- doesn't work, there's always a gig to be had with the Democrats. It does crack me up however, to read, in The Guardian no less, stuff like: "Fusion GPS, led by former journalists skilled in digging up secrets on public figures." Skilled?

I know better. Fusion GPS were (may still be?) in the employ of Derwick Associates, without a shred of a doubt one of the most corrupt groups of thugs ever to have come out of Venezuela. The sort of "businessmen" that have no qualms in stealing over one billion USD from an almost destitute country. Fusion's "former journalists", of course, don't have a problem with corruption, so long as billable hours keep adding up.

Glenn Simpson managed to get a few quid from the Derwick thugs. He dispatched his sidekick Peter Fritsch to Caracas once upon a time, along with another equally contemptible and disgusting former "prosecutor", basically to impede journalists from carrying on with, erm, corruption reporting.

Fusion GPS's Peter Fritsch's record of visit to Hotel Lido in Caracas in July 2014.
I happen to know one of the "skilled" journalists at Fusion GPS, Tom Catan. He covered Venezuela's 2006 presidential race for The Times of London, and as I was shadowing the opposition candidate, I was asked to organise an interview. We met a few years later, in Spain, when, again, I helped with another interview. I invited the guy to my house for dinner, we broke bread together, talked, had a few drinks with my family... He seemed, then, a decent enough person. Imagine my surprise when I found out that his firm was retained to destroy me on behalf of Derwick Associates. I confronted him with the kind of tactics they so readily employ with their targets. His reply dispelled my doubts as to his integrity.

But then, Derwick thugs decided to crank it up a little. My family was the subject of illegal surveillance in London. We were photographed going about our daily affairs for months. The operation culminated with a break-in at my flat, theft of my laptops, and threats of sexual abuse against my daughters. Now that I read about Simpson's connection to a former British MI6 agent, I wonder: did Fusion GPS participate in the attack against my family? Did it subcontract former British intelligence officers to track me down in London?

To be frank, I doubt that British spooks -regardless of how spineless and money driven they may be- could be as inept as to allow themselves to be caught on CCTV in the process of carrying out criminal activity. However, it is entirely feasible -considering its clients- that Fusion GPS asked its British counterparts for my whereabouts, and once determined, the information was passed along to other, more (let's say) blunt operatives, who may have been sent from Venezuela, or Spain, to assault my flat in broad daylight. I will carry on digging, though I guess, for really skilled hacks like Fusion's, there's always the possibility of joining Russia Today, or better yet, Wikileaks.

The story about Venezuela's monumental corruption is, still, to play out. One thing seems certain though: when it does, Fusion GPS hacks will find it impossible to justify their association with criminals.

Addendum: just read this morning a piece by David Satter, regarding Fusion GPS's and Christopher Steele's kompromat fabrications, which included "reporting" Trump having been filmed with prostitutes, doing "golden showers", etc. Did I mention that whoever masterminded the attack against me also took the trouble to spread online totally unsubstantiated stories about my alleged "connection" to drug trafficking, extortion, car theft, and (a Russian favourite) "involvement" in paedophilia? The most implausible of all was of course an accusation regarding my mother, who having died of cancer in 1983 was somehow revived and placed, by my creative accusers, as the leader of a drug cartel in 2006!