This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Is there a way to report the scammer responsible for the phony Firefox update redirect?

more options

As was pointed out to me, the phony update download domain changes on a daily basis.

This time the phony site was IERAIDREAMLAND.ORG

I immediately went to the ICANN whois page and looked it up -- this phony update page was created by the EXACT SAME individual that did the last one (keeshelcuara.net) that popped up.

When I looked keeshelcuara.net yesterday, the record came up. Today ICANN Whois says it doesn't exist. However, I saved the page from that whois lookup, and from today's phony update popup.

Aside from the domain name,, all the other information matches - from the persons name to their address to their phone number. While this information is probably also phony, it would be great if there was an avenue for reporting this jerk.

At: https://whois.icann.org/en/lookup?name=ieraidreamland.org (created 2016.09.08)

The person's info is:

Showing results for: IERAIDREAMLAND.ORG Original Query: ieraidreamland.org Contact Information Registrant Contact Name: Chad N. Wessels Organization: NA Mailing Address: 4145 Diane Street, Atascadero California 93422 US Phone: +1.8054618382 Ext: Fax: Fax Ext: Email:wesselsch@tutanota.com

The jerks Registrar is:

Registrar WHOIS Server: URL: http://www.PublicDomainRegistry.com Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com IANA ID: 303 Abuse Contact Email: Abuse Contact Phone

Is there anything that can be done?

As was pointed out to me, the phony update download domain changes on a daily basis. This time the phony site was IERAIDREAMLAND.ORG I immediately went to the ICANN whois page and looked it up -- this phony update page was created by the EXACT SAME individual that did the last one (keeshelcuara.net) that popped up. When I looked keeshelcuara.net yesterday, the record came up. Today ICANN Whois says it doesn't exist. However, I saved the page from that whois lookup, and from today's phony update popup. Aside from the domain name,, all the other information matches - from the persons name to their address to their phone number. While this information is probably also phony, it would be great if there was an avenue for reporting this jerk. At: https://whois.icann.org/en/lookup?name=ieraidreamland.org (created 2016.09.08) The person's info is: Showing results for: IERAIDREAMLAND.ORG Original Query: ieraidreamland.org Contact Information Registrant Contact Name: Chad N. Wessels Organization: NA Mailing Address: 4145 Diane Street, Atascadero California 93422 US Phone: +1.8054618382 Ext: Fax: Fax Ext: Email:wesselsch@tutanota.com The jerks Registrar is: Registrar WHOIS Server: URL: http://www.PublicDomainRegistry.com Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com IANA ID: 303 Abuse Contact Email: Abuse Contact Phone Is there anything that can be done?

Chosen solution

Just to followup, James -- Since I submitted the report at http://www.PublicDomainRegistry.com as you suggested, the phony update page has not come up even once for me.

I don't know if that means that the person named as registrant has been stopped or apprehended [if it was actually real info and not an alias], but I find it interesting that it hasn't happened since. Even if it just stops the jerk for a short time, it may be a way to keep knocking his phony update page off the web each time he tries bringing it back.

I greatly appreciate the responses you gave. It really helped.

Thanks.

Henry

Edited for spelling 2016.09.13@21:16

Read this answer in context 👍 0

All Replies (13)

more options

You can try to report the sites at https://publicdomainregistry.com/report-abuse-2/

Even if they deal with the sites registered by a person the persons or group behind this can just register with new details.

more options

I have no idea why the text layout changed. I'll try it again:


Showing results for: IERAIDREAMLAND.ORG Original Query: ieraidreamland.org Contact Information Registrant Contact Name: Chad N. Wessels Organization: NA Mailing Address: 4145 Diane Street, Atascadero California 93422 US Phone: +1.8054618382 Ext: Fax: Fax Ext: Email:wesselsch@tutanota.com

The jerks Registrar is:

Registrar WHOIS Server: URL: http://www.PublicDomainRegistry.com Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com IANA ID: 303 Abuse Contact Email: Abuse Contact Phone

BTW, I saved the complete whois listing page for both of the domains I mentioned above, so if any info is needed from it, I will be happy to put it up -- especially since the domain listings seem to disappear from the whois database within days of being created.

more options

James; I did fill out the form at the website you listed. I have no idea if they received it since there was no acknowledgement block - the page just went back to a blank submission for page. I hope they got it though.

I attached a text file that had the Raw WHOIS Record for today's 'domain'. While that info will probably be gone from the whois page in the next day or so, the owner info was the same as previously, so maybe that will help them narrow down who this jackass is.

Thanks for your assistance.

Henry

Edited for spelling @20:31

Modified by HenryELenz

more options

FYI, there is a lengthy contributors support thread over here - https://support.mozilla.org/en-US/forums/contributors/712056 - where the topic of fake updates is being followed and updated by many support contributors here.

more options

Chosen Solution

Just to followup, James -- Since I submitted the report at http://www.PublicDomainRegistry.com as you suggested, the phony update page has not come up even once for me.

I don't know if that means that the person named as registrant has been stopped or apprehended [if it was actually real info and not an alias], but I find it interesting that it hasn't happened since. Even if it just stops the jerk for a short time, it may be a way to keep knocking his phony update page off the web each time he tries bringing it back.

I greatly appreciate the responses you gave. It really helped.

Thanks.

Henry

Edited for spelling 2016.09.13@21:16

Modified by HenryELenz

more options

Well, the jackass is at it again and the whois info at ICANN is identical to previous.

For the moment, you can see it here:

https://whois.icann.org/en/lookup?name=raefughst.net

Too bad law enforcement is apparently content to let him spread his viral BS.

Modified by HenryELenz

more options

Hopefully I am not speaking too soon but after again reporting the joker to his registrar, I also sent the information from the whois report to the FBI, and so far I haven't had the phony redirect come up once.

Of course that could also be because of the latest Firefox patches and, even though they have caused other issues, they may be the reason the phony update page hasn't come up.

more options

PDR has been the registering company for a long time. Their abuse department cancels the URL and there is no cost for the initial registration. The Name/address of the person has altered but is currently constant. Abuse said they would take steps to prevent reoccurance. They lied; new URL's daily. PDR has a NJ phone number but the fax is in Minn. The company seems to actually be in the middle east (Saudi or Amaridsomething) The trace always ends in NJ, and so far is always via the ISP of Coopa and their machines are in NJ and Chicago.

Reliable, and PDR refuse to give any info. I've asked. PDR has a legal requirement to know the person registering. Their legal department has not responded to my inquiry, nor their CS dept which has grown tired of my "cancel this URL with its spread of malware" emails.

I never filed anything with ICANN because of the complexity. And IMO they would do no more than say "stop it." As for legal action (FBI? Really? Any proof of $ loss? IMO that is what they would require), I would hope but think no aid is coming, and if anything is outside the US, well, the word impossible comes to mind. I've sent email to web sites asking about their advertisers and if they know of the orange screen. Their own forums are sometime mini-Mazolla forums. Denyability, silence, or a 'give us an example' have been read. The result so far, from trying to get the orange screen, is more sites are using multiple ads in one space which rotate and/or get downloaded. Puts a burden on my CPU and lags are like using a 56K dialup modum. My latest is waiting for a response from the httpS firm always involved, but you know privacy ....

Modified by cliffontheroad

more options

henry, the URL you supplied has been reregistered and ther server is in Austrilia. This happens routinely after a few days. I do not recommend going there - it downloads something new

altered url: aphocpreviewNULLyoursites.net

more options

HenryELenz said

I have no idea why the text layout changed. I'll try it again: Showing results for: IERAIDREAMLAND.ORG Original Query: ieraidreamland.org Contact Information Registrant Contact Name: Chad N. Wessels Organization: NA Mailing Address: 4145 Diane Street, Atascadero California 93422 US Phone: +1.8054618382 Ext: Fax: Fax Ext: Email:wesselsch@tutanota.com The jerks Registrar is: Registrar WHOIS Server: URL: http://www.PublicDomainRegistry.com Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com IANA ID: 303 Abuse Contact Email: Abuse Contact Phone BTW, I saved the complete whois listing page for both of the domains I mentioned above, so if any info is needed from it, I will be happy to put it up -- especially since the domain listings seem to disappear from the whois database within days of being created.

There is a new Fake Firefox update page as of 10/05/2016 chooymusica2012nueva.org

Chad N. Wessels is associated with 58 domains. All of them hosting bad stuff. Unless there is a Diane Street in Atascadero, CA this is fake: Contact Information Registrant Contact Name: Chad N. Wessels Organization: NA Mailing Address: 4145 Diane Street, Atascadero California 93422 US

All of these domains have hosted the same exploit in the last 90 days: eepahuntweeps.net ekiriubuntuupdates.net vangecanadianfamily.net engeesuperedo.net afahshowtosay.net elaetbucketexplorer.net

Maybe Mozilla isn't able to stop it?

more options

BlueDreamer23 said

Maybe Mozilla isn't able to stop it?

That is correct!

The only legal grounds that Mozilla would to shut that guy down is over the misuse of Mozilla registered trademarks.

"Social engineering", by way of trying to fool users or intimidate users into downloading a fake "update" from a domain that clearly isn't legitimate, isn't against the law, anywhere.

Bottom line is install an ad blocker like uBlock Origin or Adblock Plus and never see those fake "update" pages again. When this "thing" started back in June I had to turn off uBlock Origin to "see" what user's were complaining about, and even then is was hard to "see" it because multiple new domains are created daily and the existing domains disappear quickly, to stay ahead of getting blocked by Safe Browsing databases that would block those domains.

What can each user do when they encounter a website like that? Help > Report Web Forgery... to get the domain added to the Safe Browsing database at Google. A service that Google and Mozilla jointly developed over 10 years ago - before Google even had their own web browser, which was in the initial stages of development.

more options
BlueDreamer23 said
Maybe Mozilla isn't able to stop it?

Even Google with all of their resources has not stopped it as Chrome users on Windows are getting hit by a very similar fake update scam on same disposable websites.

For example in end of thread https://productforums.google.com/forum/#!topic/chrome/HcXgFFaO9WU the image has bahtisoo-boo.net which was reported by a Firefox user in https://support.mozilla.org/en-US/questions/1141947

more options

Thanks go to BlueDreamer23 for registering here and taking the time.

I read some of the related links, including the comments from the software engineer (who, like all of us, experienced the orange page and did a little follow up. (Oh, if he or she only knew ....lol))

The OrangeScreen sites work for one day and don't cost the bad guy any money, get unregistered although some whois sites retain the whois info a bet into the void period. They will get registered, but we don't know for what purpose but I could make an educated guess. The original O.S site registration name has been consistant but has been totally useless in helping prevent the O.S from happening again. (blame upon the company akin to selling known defective stuff to you with a no-refund policy.)

One bad guy site (O.S site) was registered behind a proxy service. Since they paid for that, they didn't bother to un-then-re register the site overseas. Interestingly, the routing using that URL jumped around the US, jumped to the UK then came back to California.

At one point I found a 'mozilla' javascript command which ignored the rest of the program section, to which I thought "how smart of the bad guy. For someone looking at source code, unless the fluke was known, the buk of the coding instruction being inspected was a "red herring". The source we can view and the source that's more readable is not, IMO, always the same. Sorry that I am not explaining this fully to make it understandable here, even for/to another programmer.

I did find one web site that described and predicted exactly what is happening. Saddly it says there is not a solution and says it is not the fault of the advertisers which we heitherfor have been blaming. IMO that helpful site PAGE is near completely like the Wikipedia of our problem.

As for "no company has be able to solve this" (someone wrote), I'm not convinced they have applied enough resources. I think I am too old to understand JavaScript (or know how the little man in the box (real OS or DBMS) works) but I was happy to read that (paraphrased) on a 'native level' (deep code which runs the programs,) the Orange Screen can not load malware from another web site. Anyone notice the URL beginning is always the same?

Modified by cliffontheroad