Formlife scam aka. health-c-p.com
Tuesday, July 9. 2013
The classic Formlife scam has popped up again. It is widely documented by authorities around the world. For example, the Finnish Competition and Consumer Authority has two articles about Formlife and Vital Nordic (in Finnish): Kuluttaja-lehti 2/2013 about the number of Formlife complaints, and a bulletin about Corex and Life Detox products from May 2012.
The Formlife scam has a very simple modus operandi: they lure you in, for example from a Facebook ad, and you end up on a web page. In this case the web page is http://wnmobile.com/fin/. The page has a lot of health-related stories about how good their product is, including customer testimonials. The page offers you an opportunity to purchase a sample package for 4 €. The price is not too bad, so unsuspecting victims enter their credit card details and submit the order for a sample. Since I don't think that web site will survive very long, I have the web page as a PDF here (http://wnmobile.com/fin/ as a PDF).
That scam site of wnmobile.com is hosted by liquidweb.com in Lansing, Michigan, USA. It is obvious that Network Solutions, Inc. has nothing to do with this scam. They simply are a hosting company.
Nowhere on their page do they reveal anything about Health-C-P, nor Formlife, nor any of those already "burned" words. When postal services deliver the "sample" package, it does not contain a sample, but the full product, actually two separate products. Also it appears that they billed your credit card twice for the amount of 165 €. A shipping manifest will look like this:
It clearly states the fact that you have been scammed! They even mention that your next shipment will arrive in three months' time. I don't think that they are that consumer oriented, and I strongly suspect that the next shipment will never arrive. If it does, they'll charge you another 330 €.
The sender address of shipment is:
Health Care Payment
Postboks 313
9100 Aalborg
Denmark
According to GoDaddy domain information, the domain of health-c-p.com is registered to:
Anders Dahl Pallesen
Health Care Payment
Lyngby Hovedgade 10
2800 Kongens Lyngby
Denmark
The above address is real. Such an address exists, but I have no means of verifying what is in the building there. These two addresses are 400 km apart. The ownership of the domain wnmobile.com is protected by WhoisGuard and cannot be accessed without government official involvement.
The company site of Health-C-P is (as you can expect) a rush job. At the bottom of the page it also has the address of Lyngby Hovedgade 10.
It breaks often, especially when you try to access their customer service.
It is also worth noting that their customer support number of +44 203 598 2170 is in the UK. It was operational when I called it, but it contained a recording saying that their "customer support is under maintenance and nobody can answer the call". The website of health-c-p.com is hosted by Hetzner Online AG in Gunzenhausen, Germany. Hetzner Online is well known for two things: cheap hosting of websites/e-mail/shell and a ton of suspicious activity from those cheap accounts. It is generally listed as an Internet Bad Neighbourhood.
I'm sure that the same website will appear with another name and/or domain in the near future. The delivered product has the name of Formlife in it, so it is confirmed that this case is part of the long-running Danish/Swedish health product scam.
Update (Sep 2013):
Finnish police publicly announced that they won't investigate any foreign scams further, unless the damages exceed a value of 5000 €. For the bad people, this is a license to keep on scamming. There is zero possibility of getting caught, because there won't be an international investigation.
In the above case the credit card company informed the victim that some money will be returned, if possible all of the lost money. Anyway, it will take months for the credit card company to process the issue.
Parallels Plesk Panel 11 RPC API - reading DNS records
Tuesday, July 9. 2013
Getting Parallels Plesk Panel to do something without admin's interaction is not tricky. My favorite method of remote-controlling Plesk is via its RPC API. I am a co-author of Perl-implementation API::Plesk, which is available in CPAN.
All XML RPC -requests should be directed towards your Plesk-server at URL
https://-your-plesk-box-here-:8443/enterprise/control/agent.php
Raw XML
First we'll need to get the internal site ID of a domain. A request to get all the subscriptions looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<packet version="1.6.3.5">
  <webspace>
    <get>
      <filter/>
      <dataset>
        <gen_info/>
      </dataset>
    </get>
  </webspace>
</packet>
Note: It would have been possible to filter a specific subscription by domain name, but in this case we just wanted a list of all.
A response to it will contain domain names and their Ids:
<?xml version="1.0" encoding="UTF-8"?>
<packet version="1.6.3.5">
  <webspace>
    <get>
      <result>
        <status>ok</status>
        <filter-id>1</filter-id>
        <id>1</id>
        <data>
          <gen_info>
            <name>www.testdomain.org</name>
          </gen_info>
        </data>
      </result>
    </get>
  </webspace>
</packet>
The response packet contains internal ID and name. We'll be using the internal ID of 1 to get all the DNS-records of the zone:
<?xml version="1.0" encoding="UTF-8"?>
<packet version="1.6.3.5">
  <dns>
    <get_rec>
      <filter>
        <site-id>1</site-id>
      </filter>
    </get_rec>
  </dns>
</packet>
A response packet will look like this:
<?xml version="1.0" encoding="UTF-8"?>
<packet version="1.6.3.5">
  <dns>
    <get_rec>
      <result>
        <status>ok</status>
        <id>111</id>
        <data>
          <site-id>1</site-id>
          <type>CNAME</type>
          <host>www.testdomain.org.</host>
          <value>testdomain.org.</value>
          <opt/>
        </data>
      </result>
    </get_rec>
  </dns>
</packet>
There seems not to be any other way of picking a specific record. A filter with type/name would be welcome. Any further operations would be done with the domain record's ID. In this case it is 111.
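Because get_rec is filtered here only by site ID, picking one record has to happen on the client. The following Python sketch is an added example, not part of the original post or of API::Plesk; it builds the request packet shown above, checks each result's status, and filters by type and host. The function names and the second sample record (id 112, an A record) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

API_VERSION = "1.6.3.5"  # packet version used on this page

def build_get_rec(site_id):
    """Build the <dns><get_rec> request packet for one site ID."""
    packet = ET.Element("packet", version=API_VERSION)
    get_rec = ET.SubElement(ET.SubElement(packet, "dns"), "get_rec")
    flt = ET.SubElement(get_rec, "filter")
    # int() rejects anything that is not a plain number before it reaches the XML
    ET.SubElement(flt, "site-id").text = str(int(site_id))
    return ET.tostring(packet, encoding="unicode")

def parse_get_rec(xml_text):
    """Return the records of a get_rec response as a list of dicts."""
    records = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    for result in root.iterfind("dns/get_rec/result"):
        status = result.findtext("status")
        if status != "ok":  # a failed result must not be read as an empty zone
            raise RuntimeError(f"get_rec failed: status={status!r}")
        data = result.find("data")
        records.append({
            "id": int(result.findtext("id")),
            "type": data.findtext("type"),
            "host": data.findtext("host"),
            "value": data.findtext("value"),
        })
    return records

def find_record_ids(records, rtype, host):
    """Client-side stand-in for a type/name filter on get_rec."""
    want = host.rstrip(".").lower()  # compare with or without the trailing dot
    return [r["id"] for r in records
            if r["type"] == rtype and r["host"].rstrip(".").lower() == want]

# Constructed sample: the page's CNAME record plus an invented A record (id 112).
SAMPLE_RESPONSE = """<packet version="1.6.3.5"><dns><get_rec>
<result><status>ok</status><id>111</id><data><site-id>1</site-id>
<type>CNAME</type><host>www.testdomain.org.</host>
<value>testdomain.org.</value><opt/></data></result>
<result><status>ok</status><id>112</id><data><site-id>1</site-id>
<type>A</type><host>testdomain.org.</host>
<value>192.0.2.10</value><opt/></data></result>
</get_rec></dns></packet>"""

if __name__ == "__main__":
    print(build_get_rec(1))
    records = parse_get_rec(SAMPLE_RESPONSE)
    print(find_record_ids(records, "CNAME", "www.testdomain.org"))
```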
Perl-code
With a software library, the access is much easier. The same requests would be something like this in Perl:
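use strict;
use warnings;
use API::Plesk;
use Data::Dumper;

# The secret key is read from the environment so it stays out of the source
# (the variable name PLESK_API_KEY is an assumption, not from the original post).
my $plesk_api_key = $ENV{'PLESK_API_KEY'} or die "PLESK_API_KEY is not set\n";

my $plesk_client = API::Plesk->new('api_version' => '1.6.3.5',
    'secret_key' => $plesk_api_key,
    'url' => 'https://-your-plesk-box-here-:8443/enterprise/control/agent.php',
    'debug' => 0);

# Get all the subscriptions
my $res = $plesk_client->webspace->get();
die "Subscriptions->get() failed!\n" . $res->error . "\n" if (!$res->is_success);
my @domains = @{$res->results()};

# For each subscription, fetch the DNS records by its internal ID
foreach my $domain (@domains) {
    my $domainId = $domain->{"id"};
    $domainId += 0; # toInt
    my $dns_res = $plesk_client->dns->get('site-id' => $domainId);
    die "DNS->get() failed!\n" . $dns_res->error . "\n" if (!$dns_res->is_success);
    my %dns = %{$dns_res->results()->[0]}; # first record of the zone
    print Dumper(\%dns);
}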
That is pretty much it.
Update (2nd Nov 2013)
To get all of the domains will require a two-step process (order does not matter): 1) get all the subscriptions (kind of main domains) and 2) get the other domains under subscriptions.
In my Perl-code I do it like this:
# NOTE: This is from the above code
# 1st round:
# Get all the subscriptions.
# There we have the "main" domains
$res = $plesk_client->webspace->get();
die "Subscriptions->get() failed!\n" . $res->error . "\n" if (!$res->is_success);
# NOTE: New one:
# 2nd round:
# Get all the sites.
# There we have the "non-main" domains
$res = $plesk_client->site->get();
die "Sites->get() failed!\n" . $res->error . "\n" if (!$res->is_success);
@domains = @{$res->results()};
In my case, the $res-hash is fed into an ExtractDomains()-function to get the details I need from them. If only the name is required, then no further processing is necessary.