‘Let me punch this in here ….’

p2pnet news | Advertising:- Recently, the site fielded by Britain’s famous Scotland Yard was hacked by ‘officer brobee’ and a furry green crittur with orange lips ensconced there.
Scotland Yard is no doubt rigorously investigating the incident to discover the identity of the hacker. But Federal Suppliers Guide, which describes itself as a “small business that places other small businesses, across the United States, in front of federal purchasing agents for government work,” won’t have to go to that kind of trouble.
Its site, too, was hacked, but this time the perpetrator, Alex Papadimoulis, didn’t try to hide.
Not too long ago, Papadimoulis posts on The Daily WTF, he added his company, Inedo, to the federal government’s Central Contractor Registration system because he “just didn’t want to miss out on all the fun everyone seems to have with government work”.
Soon after, he heard from a Federal Suppliers Guide rep and >>>
FSG Rep: Hi Alex, I’ve got some great news for you!
(Let me guess… you can save me a lot of money on something…)
Me: Okay…
FSG Rep: We’ve reviewed your CCR registration, and it looks like your company could be eligible for placement in our guide!
(Wow, that *is* great news!)
Me: Your guide?
FSG Rep: The Suppliers Guide! It’s used *exclusively* by state and federal agencies to purchase services and products. Anyway, to confirm your eligibility, I’ll need to ask a few questions. First, where are you located?
— snipped a total of three questions asked —
FSG Rep: Okay… well, let me punch this in here — clickity clickity clicky — wow! This is really good! You are, in fact, eligible for the guide! Would you like to be in our guide?
(There’s no possible way there could be any sort of catch here…)
Me: Sure! Why not?
FSG Rep: Fantastic! There’s just a nominal fee to get started, so if you’ll just get me your credit card number we can–
Me: How much is the nominal fee?
FSG Rep: Heh, it’s really very little actually. It’s a fantastic investment that ranges anywhere from six hundred to several thousand.
Me: I can’t make that decision right now; can you send me over some information?
FSG Rep: Oh. You can’t? Well, I mean, I guess I could send you more information… but you know, I can just answer any questions you have now. I mean, I’d hate for you to lose your eligibility, that’s all!
(What a nice guy! And this whole time, I thought he was a fast-talking salesman…)
Me: I guess we’ll just have to take that risk; can you also send me a copy of the guide, too?
FSG Rep: Err, gee… well, you know… that’s the one thing I can’t do. You see, these guides are to be used *exclusively* by government agents. We can’t just give them to anyone, you know.
(And to think, I was questioning whether they were even legitimate!)
Me: Okaaaay… just send me what you can then.
Papadimoulis says the FSG guy showed him the company’s sample ads, “a 7mb PDF with sixteen pages of seemingly real companies, all with the same phone number (555-555-5555) and the same website (00000000000.com),” but somehow, he wasn’t convinced enough to want to ‘invest’ several hundred dollars, “so the salesman faxed over some more information with a single, real ad.”
A single, real, ad, eh?
Yup, and, “As I eagerly waited for the follow-up call later that day, I thought I’d take a minute or two to check out their website,” Papadimoulis says, going on, “Almost immediately, I came across their Federal Procurement Officers Only page. Out of curiosity, I entered a username and password, and then clicked the Login button. Instantly, a JavaScript dialog popped up.”
Considering there was, “only one thing that could cause such a dialog to pop-up so fast,” Papadimoulis checked the source code and Lo!
<script language="javascript">
<!--//
/* This script allows people to enter by using a form that asks for a
   UserID and Password. Note: both values are compared in the browser,
   so the expected credentials are visible to anyone who views the page source. */
function pasuser(form) {
  if (form.id.value == "buyers") {
    if (form.pass.value == "gov1996") {
      location = "http://officers.federalsuppliers.com/agents.html"
    } else {
      alert("Invalid Password")
    }
  } else {
    alert("Invalid UserID")
  }
}
//-->
</script>
The URL led Papadimoulis to the, “SECURE Federal Suppliers Guide Listings for Agents” [sic] page, a “comprehensive small business guide to securing government work and contracts by advertising to the federal and state governments,” as the site code says.
He phoned a few of the companies listed and, “The response was overwhelmingly the same: we spent several [hundred|thousand] bucks on this ad, and haven’t had a single call — aside from yours just now – in [one|two|three] year[s] regarding it.”
When he told the FSG rep what he’d done, “and learned none of them had received a single lead” >>>
FSG Rep: Wait-wait-wait… clients? You called our clients? How did you–
Me: Err, well, I just clicked the “Agents” link–
FSG Rep: You can’t access that page! That’s for Federal Procurement Officers Only! It’s password protected!
Me: Well, umm, the password was right there on the–
FSG Rep: So you hacked our site!? You can’t do that! It’s SECURE! You can get in a lot of trouble for hacking!
The conversation quickly went downhill from there. Needless to say, I decided against investing in the guide.
But the good news is, despite hacking their site, I’m still eligible for inclusion in the guide!
(Thanks, Mark)
Also See:
ensconced there – Scotland Yard web site hacked, February 27, 2008
The Daily WTF – So You Hacked Our Site!?, February 29, 2008
February 29th, 2008 at 1:22 pm
isn’t watching html/javascript source code illegal under DMCA or some other stupid law?
(me would not really wonder if it is! you americans have such ridiculous laws sometimes)
February 29th, 2008 at 1:28 pm
they changed it!
It’s secure again.
As long as you don’t view sourcecode in your browser of course!
Maybe Microsoft should be sued that their browser allows such a breach of security despite the clear warning on the site!
http://www.federalsuppliers.com/warning.html
February 29th, 2008 at 2:35 pm
http://officers.federalsuppliers.com/agents.html
“The requested document was not found on this server”
February 29th, 2008 at 3:29 pm
all that needs to be said is “LOL”, and “LMAO”
March 2nd, 2008 at 8:24 pm
An exploit so fiendish he could have learned it from the early 90s movie ‘Hackers’. Perhaps they should also sue the movie studio for teaching such dangerous techniques to the public.
/once hacked a Gibson.
July 6th, 2008 at 9:00 pm
Wow so is there a victim here ??? if you would like a free listing go to my website at http://www.fsandbg.com who would charge for such a service ???