Welcome to the spam factory

ur1-sms
Does this text message look familiar to you?

Been involved in a car accident in the last 3 years that was not your fault? Then you can claim compensation, to find out how much click www.ur1.click/********

I routinely forward messages like this to 7726 (which spells out “SPAM” on the phone keypad) in the hope that the mobile phone operator will do something to stop it. It never seems to be particularly effective, though. The same old URLs like www.accidentinjuryclaim.so seem to keep cropping up no matter what.

However, ur1.click was new to me. According to whois, the domain is registered in Panama, and its IP address (104.219.250.52) is assigned to a US web host called Namecheap.

I decided to have a quick poke around on their web server, and discovered that the spammers are publishing a lot more information than they probably intended to — all their spam messages and phone number lists are publicly accessible. I don’t want to link directly to this content, but I can tell you that it includes dozens of CSV files containing many thousands of UK mobile phone numbers.

Inside the spam server:

Here’s an excerpt from one of these CSV files (with some digits replaced with asterisks):

79663840**,"Is your debt causing you stress and anxiety? For expert advice on managing your debt visit www.ur1.click/767b94** or to optout reply STOP"
77531043**,"Is your debt causing you stress and anxiety? For expert advice on managing your debt visit www.ur1.click/767b93** or to optout reply STOP"
79806446**,"Is your debt causing you stress and anxiety? For expert advice on managing your debt visit www.ur1.click/767b92** or to optout reply STOP"
75530413**,"Is your debt causing you stress and anxiety? For expert advice on managing your debt visit www.ur1.click/767b92** or to optout reply STOP"
74192985**,"Is your debt causing you stress and anxiety? For expert advice on managing your debt visit www.ur1.click/767b91** or to optout reply STOP"
75405329**,"Is your debt causing you stress and anxiety? For expert advice on managing your debt visit www.ur1.click/767b90** or to optout reply STOP"
74053775**,"Is your debt causing you stress and anxiety? For expert advice on managing your debt visit www.ur1.click/767b90** or to optout reply STOP"
79444301**,"Is your debt causing you stress and anxiety? For expert advice on managing your debt visit www.ur1.click/767b8f** or to optout reply STOP"
74321371**,"Is your debt causing you stress and anxiety? For expert advice on managing your debt visit www.ur1.click/767b8f** or to optout reply STOP"
75438700**,"Is your debt causing you stress and anxiety? For expert advice on managing your debt visit www.ur1.click/767b8e** or to optout reply STOP"

The digits at the start of each line are the phone numbers that these messages were sent to, without the initial zero. (I searched for my own number in these files, and sure enough it was listed there next to the message I’d received earlier.) There were over a quarter of a million more records in the file shown above. Another file contained messages for 764,532 numbers, promising each and every one of them £2886.21 “for the accident you had”. That amounts to a grand total of £2.2 billion in unclaimed compensation payouts. Yeah, right.

As you probably guessed already, anyone who follows one of these ur1.click links will be redirected to another site. After following the first link in each CSV file, I obtained this list of target domains:

claim4pi.com (192.64.116.30)
claimpinow.com (192.64.116.30)
energysaver.deals (162.213.255.133)
freedebttoday.com (162.213.250.36)
injury.center (199.188.206.216)
injuryaid4u.com (192.64.118.154)
reviewteam.info (111.90.147.108)
solarsaver.today (162.213.255.134)
urclaim4ppi.com (192.64.116.30)

The domain reviewteam.info is hosted in Malaysia somewhere, but all the others are hosted by … surprise, surprise … Namecheap. So Namecheap are not only hosting a rather large SMS spamming enterprise, but are also hosting most of the websites that are promoted by this spam.

I emailed Namecheap’s abuse contact about this three days ago, but nobody replied and nothing has been done. So I can only assume that Namecheap are perfectly happy to continue supporting their spammy clients.

Conclusions

  • If you get a text message containing a link to www.ur1.click, forward the message to 7726. Don’t follow the link.
  • Avoid these domains:
    • claim4pi.com
    • claimpinow.com
    • energysaver.deals
    • freedebttoday.com
    • injury.center
    • injuryaid4u.com
    • reviewteam.info
    • solarsaver.today
    • urclaim4ppi.com
  • Don’t host your website with Namecheap. Find somewhere reputable.
Posted in rant Tagged with:
One comment on “Welcome to the spam factory
  1. Peter Williams says:

    I have received several SMS messages which end with Stop? ur1.me

    I forward to 7726 but still keep coming with different links. Usually no number given just a name

Leave a Reply

Your email address will not be published. Required fields are marked *

*

Please enter the missing number: *