Audit Weak Local Passwords in Windows using PowerShell

Audit Weak Local Passwords in Windows using PowerShell

Issue: Devices not joined to Active Directory may not have Group Policies or other settings applied to enforce password complexity. For example, they may be managed by Okta, Datto RMM, and other tools but have yet to be joined to AzureAD. In this case, auditing for weak passwords on local accounts can be challenging.

Solution: Custom Bad Password.ps1 + passwordlist.txt in the same directory will produce output with the lousy password if there’s a match on the local host. It’s also configured to test for blank passwords, which would immediately drop the user at the desktop:

(Datto RMM with custom Post-Conditions)

Note: A custom rule I had in my Firewall blocking inbound TCP/445 broke the script by displaying this error:  Exception calling “Validate Credentials” with “2” arguement(s): The network path was not found. (Script location).

Unfortunately, I haven’t included a password list right now. I’d recommend starting with the classic ‘password’ ‘letmein’ ‘123456…’ and others versus loading an entire dictionary, though a large list doesn’t appear to slow the process down by much, so it’s extensible.


Function Test-UserCredential {
Param($username, $password)
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$ct = [System.DirectoryServices.AccountManagement.ContextType]::Machine, $env:computername
$pc = New-Object System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList $ct
$Result = $pc.ValidateCredentials($username, $password).ToString()

Function Get-PasswordList

$txtFileLocation = $Path

$Path = Join-Path $(Split-Path -Parent $PSCommandPath) -ChildPath "passwordlist.txt"
$txtFileLocation = $Path
$reader = [System.IO.File]::ReadLines($txtFileLocation)

$found = 0
$users = (Get-LocalUser | where enabled -eq $true).name
$passwordlist = Get-PasswordList #this change makes it easier to extend via file input or adding more entries to the list
foreach ($user in $users){
foreach($password in $passwordlist)
$result = Test-UserCredential -username $user -password $password -eq $true

if ($result -eq $true -and $password -eq "")
Write-Host "$user was found to have the password: blank.";$found += 1

elseif ($result -eq $true)
Write-Host "$user was found to have the password: $password.";$found += 1


if ($found -eq 0){write-host "No user accounts with weak passwords."}
if ($found -eq 1){write-Host "$found account found with weak password."}
if ($found -gt 1){Write-Host "$found accounts found with weak passwords."}

Migrate Box via API to SharePoint

Migrate Box via API to SharePoint

Issue: As part of a Box migration, tools like ShareGate, and Kernel Migrator can miscopy files at 0KB or have other problems. Admins may also need a lean way to migrate lists of Box files into SharePoint without using third-party tools.

Solution: Custom script to migrate from Box API to SharePoint. It uses a source/destination list of files from Box to the SharePoint site collection. Note that files with ‘[ ]’ have issues with this method due to API/script limitations.

Create folder structure:
a. Logs – to keep the logs created by the PowerShell script.
b. Scan – to keep all CSV files from where the PowerShell script will read the file path.
c. Temp – A folder to temporarily keep the downloaded files from Box API. Those files will be uploaded to SharePoint.

Access Token:
Copy the Access Token and use in PowerShell script. This token is valid for next 60 minutes. You should follow the steps again to generate a new token.

CSV Format:
SiteCollectinURL FilePath

<# Box to SharePoint Copy Script
create host header including 'Access Token'
Access Token generated through a manual process which will expire in 60 minutes.
Login, try the API

$headers = @{
'Authorization' = 'Bearer TOKEN'
'Content' = 'application/json'

#Path to read CSV file
$path = "C:\temp\Scans\List of Files.csv"
$csv = Import-Csv -path $path

$SharePointRootSiteURL = "";

#Change site collection URL to upload files
$SiteCollectionURL = "/sites/TargetSite/"

#Path to save log files
$logFilePath = "E:\temp\logs\Private-Log-$(get-date -f yyyy-MM-dd-HHmmss).log"

#Login to the SharePoint site collection
Connect-PnPOnline -Url "" -UseWebLogin

#Create log entries
Write-Output "Reading CSV file: $($path)..." >> $logFilePath;

foreach($line in $csv)
#Count number of files scanned
$count = $count + 1

#Read columns from csv
$properties = $line | Get-Member -MemberType Properties

#Read file path from csv under 'FilePath' column
$columnvalue = $line | Select -ExpandProperty "FilePath"

#Split the path to extract file name with extension
$arr = $columnvalue.Split("/")
$fileName = $columnvalue.Split("/")[($arr.length)-1]

#Create log entries
Write-Output "File Name: $($fileName)" >> $logFilePath

#Extract target folder path from filepath to upload file in SharePoint
$targetURL = $line | Select -ExpandProperty "FilePath"
$folderPath = $targetURL.Substring(0, $targetURL.lastIndexOf("/"))
$folderPath = $folderPath.replace($SiteCollectionURL,'');

#Create log entries
Write-Output "Folder Path: $($folderPath)" >> $logFilePath

#Folder Path to upload file temporarily on local folder
$PathToSave = 'E:\temp\' + $fileName

#Ceate Box API URL
$RESTURL = ',size&limit=1&query=' + $fileName + '&type=file'

#Call API
$response =Invoke-RestMethod -Uri $RESTURL -Headers $headers -Method Get

#Convert output to JSON
$output = $response | ConvertTo-Json

#Extract id from JSON output
$entries = $output |ConvertFrom-Json | Select-Object -ExpandProperty "entries"

#Create log entries
Write-Output "File Id from Box: $($ and Size: $($entries.size)" >> $logFilePath

#Download file from BOX based on ID
$url = '' + $ + '/content'

#Save file from JSON to local folder
Invoke-RestMethod -Uri $url -Headers $headers -Method Get -OutFile $PathToSave

#Create log entries
Write-Output "Local file Path: $($PathToSave)" >> $logFilePath

Write-Output "Uploading to SharePoint..." >> $logFilePath

#Upload file to SharePoint
Add-PnPFile -Folder $folderPath -Path $PathToSave -ErrorAction Stop

#Delete temp file from local folder after uploading to SharePoint
Remove-Item -Path $PathToSave -Force

#Create log entries for Exception
Write-Output "Error: $($Error)" >> $logFilePath


0KB Files in SharePoint Online – ShareGate Migration

0KB Files in SharePoint Online – ShareGate Migration

Issue: Opening a 0KB file in Excel produces the error “The workbook cannot be opened” via Web. On Desktop, it says, “Excel cannot open the file X because the file format or file extension is not valid,” Other files like Docx and PPTx appear blank when opened for the first time and don’t throw errors but will save the file and update the size.

The file Size in SharePoint is blank for these files:

Solution: In our scenario, the problem was caused by copying with ShareGate. Every piece of file migration software has some issues, some worse than others, but you should never fully trust this kind of software without testing the results. Unfortunately, this copy job in ‘Insane’ mode seems to have created 0KB empty files, and since the file now exists, and the timestamps align, other copy jobs aren’t looking at the hash or size of the files and skipping them. This is a nightmare, given there are many files and sub-folders to go through, so I’ve devised an amateur scripting solution to recursively identify these 0KB files within all Document Libraries in a Site Collection.


# Checks all Document Libraries within the Site Collection recursively

$allSites = @("", "SITEURL2")

# File is automatically created in this directory. Specify a path to write it
$tempFolder = "C:\Users\YourProfile\"

function Scan-site {
param (

write-host "connecting"
Connect-PnPOnline -Url $siteUrl -Interactive
$DocumentLibraries = Get-PnPList -Includes DefaultDisplayFormUrl | Where-Object { $_.BaseTemplate -eq 101 -and $_.DefaultDisplayFormUrl -notlike "*Style Library*" -and $_.DefaultDisplayFormUrl -notlike "*FormServerTemplates*" -and $_.DefaultDisplayFormUrl -notlike "*SiteAssets*" }

$context = Get-PnPContext

$DocumentLibraries | % {
$currentLibrary = $_
# Work on the root folder
Scan-folder -Folder $currentLibrary.RootFolder -siteCollectionUrl $siteUrl
# Work on the first-level folders
$currentLibrary.RootFolder.Folders | % {
Scan-folder -Folder $_ -siteCollectionUrl $siteUrl



function Scan-folder {
param (
write-host "Working on folder " $Folder.ServerRelativeUrl
$files = $Folder.Files
$files | % {
$currentFile = $_
if ($currentFile.Length -eq 0) {
Add-Content -Path $filePath -Value ("{0};{1}" -f $siteCollectionUrl, $currentFile.ServerRelativeUrl)
Write-Host $currentFile.ServerRelativeUrl " size : " $currentFile.Length -BackgroundColor Red

write-host "Working on subfolders of " $Folder.ServerRelativeUrl
$Folder.Folders | % {
Scan-folder $_ -siteCollectionUrl $siteCollectionUrl

$fileName = "{0}.csv" -f (Get-Date).Ticks
$filePath = "{0}{1}" -f $tempFolder, $fileName

Set-Content -Path $filePath -Value "SiteCollectinURL;FilePath"

$allSites | % {
Scan-site -siteUrl $_

You’ll end up with a randomly named CSV file with all of the 0KB files listed when the scan completes. Ignore what’s on the console unless you want to keep an eye on things, but capturing that data won’t be necessary as it scrolls in PowerShell.

If you get errors, make sure you have done Install-Module MSOnline, AzureAD, and Microsoft.Online.SharePoint.PowerShell, SharePointPnPPowerShellOnline, and all modules are on the latest versions if they already exist on the box.

How to Install the PnP PowerShell Module

If you’re seeing Throttling, I do have a version of this script that works as an AzureAD registered app, versus using credential authentication.

I tried testing other migration tools, all the ones you’d find on Google, and it’s pretty bad out there right now. If they can even hook into your tenant, the UIs are wonky, and you get none of the visibility or configurability in other tools. But, now, amongst many other bugs, you can see that in the case of ShareGate, that 5k gets you problems like this one, which admittedly, are a nightmare considering there are over 1/4 million files to search through looking for these 0KB stubs that have replaced valid data due to the bug.

SharePoint Online – Last Modified

SharePoint Online – Last Modified

Issue: SharePoint Online document libraries don’t, by default, float up the ‘Last Modified’ time when you make changes within a folder hierarchy. This will bring hate mail from your users, especially if they’ve moved from, where it works this way for any changes deep in the structure. Plenty of old online articles try to cover this, but the solution has been evasive until I spent the better half of a day trying to figure it out in PowerApp while on my honeymoon in Hawaii. *flips Cray hat backward*

Solution: Screenshots of the PowerApp are below. I’ll work to write out the steps soon and go into depth. The only limitation of this solution is that if you put an empty folder within a folder structure, it doesn’t trigger the update; only files within folders work. That applies to folder -> folder -> folder  -> folder -> folder -> file or as deep as you need to go, and it works very quickly, usually within a minute.

    1. Create a new automated app named ‘FolderModified.

When a file is created or modified (properties only)


2. ‘CFileName

    "inputs": "@{triggerOutputs()?['body/{FilenameWithExtension}']}[email protected]{equals(triggerOutputs()?['body/IsFolder'],false)}",
    "metadata": {
        "operationMetadataId": "c697bc2a-8bcd-44ad-80bf-87f29e9b4455"


3. ‘CFolderPath

    "inputs": "@triggerOutputs()?['body/{Path}']",
    "metadata": {
        "operationMetadataId": "ebace1b1-1fa1-4f76-8e97-4344ffe8c11b"


4. ‘VArrFolderPath
    "inputs": {
        "variables": [
                "name": "VArrFolderPath",
                "type": "array",
                "value": "@split(outputs('CFolderPath'),'/')"
    "metadata": {
        "operationMetadataId": "c4aa6183-5a4c-4451-b045-97a8c020a83f"


5. ‘VPath
    "inputs": {
        "variables": [
                "name": "VPath",
                "type": "string"
    "metadata": {
        "operationMetadataId": "9f50d26d-5624-4ef0-b02a-b98a41957d54"


6. ‘CUser
    "inputs": [
            "Key": "@{triggerOutputs()?['body/Editor/Claims']}"
    "metadata": {
        "operationMetadataId": "e80df3fb-feec-4ea5-a683-ad7a5d9b5c65"


7. ‘CModified
    "inputs": "@formatDateTime(triggerOutputs()?['body/Modified'],'g')",
    "metadata": {
        "operationMetadataId": "beb03772-baf0-4615-bc04-7fd5650f46f9"


8. ‘CProperties’
    "inputs": [
            "FieldName": "Editor",
            "FieldValue": "@{string(outputs('CUser'))}"
    "metadata": {
        "operationMetadataId": "178a3d12-1338-456d-ab40-c9d1f4214bea"



9. ‘VFilterFolderPath
    "inputs": {
        "from": "@variables('VArrFolderPath')",
        "where": "@equals(empty(item()), false)"
    "metadata": {
        "operationMetadataId": "4a001a83-8073-4ff1-9e81-5e3a7073b027"


10. ‘IFolders


10.1. ‘Append to VPath’


10.2. ‘IGFPath’


10.3. ‘CValid’


Now edit the ‘HTTP‘ request to SharePoint:


    "inputs": {
        "host": {
            "connectionName": "shared_sharepointonline_1",
            "operationId": "HttpRequest",
            "apiId": "/providers/Microsoft.PowerApps/apis/shared_sharepointonline"
        "parameters": {
            "dataset": "",
            "parameters/method": "POST",
            "parameters/uri": "_api/web/lists/getbytitle('Documents')/items(@{outputs('IGFPath')?['body/ItemId']})/validateUpdateListItem",
            "parameters/body": "{\n\"formValues\": @{outputs('CProperties')},\n\"bNewDocumentUpdate\": false\n}"
        "authentication": "@parameters('$authentication')"
    "metadata": {
        "operationMetadataId": "5c59f1f4-cd00-4bd9-aa59-bde4deaa317d"


*** Note: getbytitle('Documents') refers to the name of the Document Library. '/Shared Documents/ (Default) = Documents', or your 'Custom Name' for it.***




  • Top Folder:


  • Objects within or within the sub-folders shown in the Last Modified above:


  • Short runtimes:


Note: You should DISABLE this before migrating large amounts of data. The jobs tend to trigger 422 throttling errors in bulk and jam up with performance issues on the queue that hangs up jobs. This forces you to recreate the object or copy it to a new version and delete the old one to refresh the job queue.


Note #2: I’ve also noticed that copying files as the same user that the PowerApp is running under can create a loop that says the account keeps touching files/folders long after you’ve completed the job.


Note #3: The easiest way to duplicate this is by creating a template and using the ‘Save As’ feature to clone another copy. You’ll have to run these on each Document Library and if you’ve got a large Intranet that can be quite a few jobs. Note you have to edit 2-3 locations within the job to tune it for the new destination.


Have a better way to do this? Let me know!

Create contact failed. Please enter unique email address for the Contact.

Create contact failed. Please enter unique email address for the Contact.

Issue: O365 may produce an error ‘Create Contact failed. Please enter a unique email address for the Contact.’ when you create a contact that does not exist in the ‘Contacts’ window.

Solution: You have this user listed as a ‘Guest’ in AzureAD. You CAN have a Guest and Contact match, but you have to create the Contact FIRST and then invite them to AzureAD afterward, in that exact order. Delete the Azure invite and rerun it by doing the Contact in O365 user management first.


Outlook Authn Error – Can’t connect to the server then recovers itself

Outlook Authn Error – Can’t connect to the server then recovers itself

No Comments

Problem: Outlook will hang when the client is first opened, saying “Connecting to server…” and then “Can’t connect to the server.”, finally recovering all on its own and working fine. In the Connection Status window with my situation, there was an Authn error ‘ERROR‘ that seems to be blocking the connection.

Solution: None of the traditional rip & replace steps worked to fix this problem. Current, Semi-Annual, Repairs, Clean Wipes, FixIT, and the kitchen sink. Turned off IPv6, and this problem went away instantly.

(Using DNSFilter on Lenovo E14 Laptop.)

Windows Login asking for Temporary Access Pass

Windows Login asking for Temporary Access Pass

No Comments

Problem: Windows Azure may prompt a user to provide an ‘Access Pass’ when it’s not been configured in O365 settings. This will trigger after MOBO replacements from on-site techs when the device comes back up.

Solution: Login as an O365 Admin using RMM tools or accessing the console. AzureAD should start to rejoin automatically, but if it doesn’t, go ahead and do that now. If you reboot, the user should be able to log in to the device with no other changes needed. PS: The correct C:\Users\ folder was used when getting back into the user profile, and it did not create a new one.

Teams Needs an Update Loop

Teams Needs an Update Loop

No Comments

Issue: Teams version was installed using an exe file from the Teams Download site. No matter how often you update, uninstall, or reinstall, there seems to be no change in the behavior at launch. Teams 1.2.x is present on the machine and keeps looping.

  1. Tried to remove it using RevoUninstaller, and all artifacts
  2. Manually scavenged any temporary folders and blew them away

Solution:  The device originally came with ‘Teams System-Wide Installer,’ which was removed manually from add/remove as bloatware in past years. Reintroducing the ‘ Teams Machine-Wide Installer‘ fixed it instantly with no other changes to the machine.

Reboot the device now.

Have you run into any other fixes for this issue? Let me know. I threw the kitchen sink at it and could only get this to work by reintroducing the baseline installer in the image.

OneDrive Right-Click Options Not Showing

OneDrive Right-Click Options Not Showing

No Comments

Issue: OneDrive right-clicks context menus may fail to appear in Windows File Explorer if UAC is disabled or WinRAR is installed.

At times these icons weren’t showing correctly in the Win32 Explorer.exe Shell:

Solution #1:  If installed, go into WinRAR and turn off ‘Integrate WinRAR into Shell‘ via the ‘Integration‘ options. Otherwise, try to identify other applications in the context menu that could be causing a similar issue.

Solution #2: UAC may be turned off on this machine. You will never see these options if you don’t enable them again, even under the local administrator account.

Instagram Account Recovery

Instagram Account Recovery

Is Instagram’s account recovery workflow disappearing on some accounts and devices? We’ve had reports from readers and friends who’ve had hacked Instagrams with no success in using Instagram’s published docs to recover the account once the attacker’s email and phone number have changed.

Here’s a copy of the official Instagram post: I think my Instagram has been hacked.

(Update 12/6 – After testing for weeks over 40 times we can see the option on an Android but at the same time not on his iPhone following the same process. Another user reports the option appeared on an iPhone. We put in the attacker’s email, then see ‘Need more help?‘ but it has to be from a phone that’s logged in before and not a new device.)





The email doesn’t say ‘Revert Change‘ anymore as indicated in the Doc above:

I can’t access this email’ or phone number is no longer in the UI no matter how long you wait or many times you resend the codes:

Clicking ‘Secure your account here‘ brings you to a login page or the Help Center. No workflow triggers an account recovery of any kind, whether from a mobile or web browser:

Password reset emails offer no option to declare you’ve lost access to the email or phone number on the account:

(It usually says ‘Need more help?‘ but that option is missing on some devices)

Instagram mentions its new selfie function to recover accounts, but how? There’s no UI in any apps to trigger the Account Recovery options that lead to this outcome.

How does one recover once a hacker has changed the phone number and email address on the account?.

Card Fraud – Express Store 2401

Card Fraud – Express Store 2401

*** Update 9/12/22 *** – Thousands of people are visiting this blog regularly due to card fraud of their own via Express Store 2401. I have not been able to gather any more information from the companies involved, but I continue to dig deeper into how they’re stealing these cards and other parts of the operation. It’s ridiculous that it’s been going on this long and that Wells Fargo isn’t concerned with somebody stealing a card that’s never been used.



Wells Fargo texted me the other night about its fraud system. The issue was an attempted charge from EXPRESS 2401 in Columbus, Ohio. After a bit of Google research, I found that the world is no stranger to fraud coming from this location.

I’ve never once used this card with any other merchant or website. It was activated in June of 2021 and then locked in a cabinet. It also seems that if something were purchased on, it would show up as CORP, not a particular store location.

Here is the response from Express:

As a part of the investigation, I’ve set out to answer a few questions about this particular scenario:

  1. How could the attackers steal a card that’s never been used before?
  2. Did attackers hijack the Express merchant account for this location?
  3. Why does fraud persist at store #2401 despite reporting to the banks and Express for over 8 months?

The story will be updated as more information is obtained about this issue at Express Stores.


Ben Damman aka TypeSend

Ben Damman

Ben Damman aka TypeSend

In our opinion, Ben Damman (CEO of Aliens From The Future, Inc.) is not a reliable person. He took $8,041.67 from us to work on a project in September 2020, where he has yet to make any progress. By that, I mean he failed to show up for most meetings, made endless excuses, did near-zero code commits, took on new business, and did the same thing to other people on UpWork in the interim – all while continuing to post code to his own open-source projects.

Ben Damman


Ben manually logged ~66 hours, including a twelve-hour day, and reportedly worked a weekend where he never committed any code aside from a bare-bones Elixir framework. He would send reassurances like “I’m going to commit a release soon,” “There’s going to be a big unveiling…” and “I don’t have any problem paying you back. The check is on the way“. Despite his reassurances when he was communicating, he’s never delivered on anything he’s promised, at any time, in any way.

Ben Damman

Ben publicly brags about working at the White House

Ben publicly brags about working at Apple

Ben publicly brags about being an expert developer.

He just wouldn’t do anything he said he would do, even though he was capable of it…

The cancellations and last-minute changes with meetings became the only time we’d ever have a chance to communicate:

Ben’s “beast mode” approach didn’t work out for me because he never sent those screenshots, links, or instructions.

Here’s an example where Ben used the January invasion with a simultaneous stomach bug to deflect an email asking how he was doing, given he hadn’t created anything or been communicating at that point ninety-one days after the project began:

(After replying within an hour, providing various times we could have a call, there was no further communication…)

Ben told me he wanted a bonus because he was “low on money” (unemployed) during this time. I generously gave him $1k out of my pocket as a bonus for the proposal win he had come up with to help with this personal project. At that point, all he’d done was create a 1.5-page document that might’ve taken an hour for him to prepare; and he did that only after canceling the meeting to unveil it…

Here’s a review from another client he took money from only eight days after I canceled his contract from Oct 14, 2020 – Jan 19, 2021:

Ben Damman Aliens From The Future TypeSend
Ben Damman Aliens From The Future Typesend

Ben’s original excuse was a death in the family (Uncle) back in December timeframe. If that caused him to be unable to work on our project, why would he take on another one a week after being fired from this one? He also displayed the same behaviors, taking the money and never getting any work done. This is where you start to see the pathology of Ben surviving by selling dreams to anybody who’ll give him money.

That happened to be 13k between our two organizations.

Imagine looking at a freelancer’s Instagram while they travel, eat out at excellent restaurants, and move to a beautiful new place, all while not communicating with you and living off of your hard-earned money for doing absolutely nothing in return and then watching them do it to another business right after you buy into a waterfall of pitiful excuses!

Ben is in Missoula now and has hired two new employees. One of them describes the outfit as follows “Aliens from the Future is a venture studio based in Missoula, Montana. Our mission is to partner with and nurture the development of emerging ventures“. Would you trust somebody who did this to my venture concept with yours?

Ben legitimately hurt our future endeavors by initiating this con, holding the project back for months and wasting valuable time getting to the market. Ben was initially hired to troubleshoot an existing environment, which he could not do, and instead convinced us to build an entirely new one using his preferred frameworks.

If it weren’t for this picture of President Obama and references to the White House, Apple, Google, and other trustworthy organizations in his social media, I would not have hired him to help me build out this concept. It’s sad, but I bought into this precarious ‘My jobs are my identity’ delusion, somehow thinking it would guarantee reliability, but it produced nothing.

Ben Damman Aliens From the Future Developer Missoula Montana

Ben should pay back the money he owes because he did not perform meaningful work when the project was engaged. Ben’s approach was to do harm first (Nocere primo) by separating us from our limited capital, wasting our time, and moving out of town to never be seen or heard from again.

Meanwhile, he’s familiar with issues of the financial kind, so I’m still determining if I’ll ever get my funds back. Much like these creditors below, who had to use courts to force Ben to pay his bills, we’ll probably have to go this route at some point:


$4,306 to Express Personal Services
$9,802 to Asset Acceptance, LLC
$3,600 GB, LLC
$1,640 Capital One Bank
~20k in legal judgments.

You decide if you want to do business with this individual. He’s never attempted to pay back $1 despite being given options to return a significantly reduced amount with open terms. i.e., Ben wouldn’t finalize a very generous agreement to pay even half back with open terms on how much he’s paying at a time and the schedule of payments.

Thanks for your time, and good luck in your endeavors.

Google Spamdexing Attack

Google Spamdexing Attack

No Comments

Found an interesting Google Results injection against sites running Solr search. Attackers created links in an unknown place with search parameters being passed to the websites. Google crawled these source pages, following the links and accepting them as content. It’s not all that sophisticated, but remember, it’s results that matter in this game.

Many more are on my Twitter from notifying the organizations of this clever little hack against Google’s results.

911: Google Webmaster Removal Tool





In an example URL from, notice how they’re passing a parameter to ?s= that the site appends into the code of the search results page. Somehow they’ve added this to Attacker Page 1, which was then crawled by Google, and it’s creating an XSS (cross-site) on the destination page, picking the search up as content.

The result is that Google is picking up keywords from those pages in its results effectively promoting them:




Definitely don’t try this at home! ‘Snorting Viagra‘ hosted on


Check out all of the other organizations that have the search hack: (Pages 1-7) (“Order without Prescription“)

You can take any of the domains found in the broad results and cross-check with a more specific search, for example, “viagra”

Here’s a gallery of different University sites showing thousands of results with the pill advertisements. Hit escape if the gallery runs off the top of your screen:

Pages that show whatever you put into?s= Solr search. If the search parameter is replayed into the page, it creates the appearance of content. The attackers must’ve linked these from other locations to get them on Google:

In a similar scam where the attackers actually inject a real page into the site, these organizations were impacted. Some were the University of Massachusetts Medical Center, Hastings Library, and The City of Dry Rock, where the pages have been injected since at least December of 2020:


Destinations of these links being advertised are some of the following sites like ‘WebMD(dot)shop,’ which is brazen:

All of these domains above are landing pages that eventually lead to anonymrxonline[.]com

Phone: 888-524-7141 [ANI: VIGAR]

This phone # has over 5k Google results and shows signs of being in use for pill dealing for over 6+ years. It was formerly advertised by

[email protected]
Skype Gina24Rx [BDay: 9/16]
Location: Costa Rica.

Uses another phrase ‘MyPharmaCash’ from this affiliate program: and Twitter activity ceased in early to mid-may of 2015.

Skype resets are af***** and gi***** or phone number (***) ***-**61

The registrant of before it went private in 2016 was Mariano Bolanos in San Jose, Costa Rica. This is the same location as ‘Gina24Rx‘ this time using an email [email protected].

The owner Marianos Bolanos has numerous domains for pill-related items. His activity has died down since 2016. Many of the domains are active, though I have not investigated all of them.

Domain belongs to the National Chamber of Agriculture and Agroindustry in Costa Rica. In the footer, it’s signed ‘Web development by Bernetz’ (WayBack)

Domain belongs to the company Bernetz IT Services that’s also registered to Marcos Bolanos:


Still putting some pieces together on this one…

Organizations I’ve notified about being listed on Google under these kinds of reflective (XSS) and direct injection attacks today:

American Association of State Highway
Alabama Theatre
Arizona Department of Health Services
Berkeley Materials Science & Engineering
BainBridge Island Museum of Art
Califonia Digital Library
Children’s Community Day School
City of Dry Ridge, Kentucky
City of Tullahoma, Tennessee
Columbus Tech
Columbia University
Dickerson Park Zoo
Eastern New Mexico University
Ewing Marion Kauffman Foundation
FPrime Capital
Generation Citizen
Gulf of Mexico Fishery Management Council
Hudson River Museum
Monroe County History Center
Museum of Durham History
Miami Music Project
Multiple YMCAs
Methodist University
Palm Harbor Fire Rescue
Pathways 2 Life
Philly Expo Center
QuickLogic Software
SAE Institute
Schoharie County NY
Iowa State University
Irish American Heritage Center
Illinois State University
The City University of New York
The Port of Philadelphia
Toledo Zoo
University of Southern California
University of California San Diego
University of Minnesota
University of Mary Washington
Unmanned Systems Labs @ Texas A&M
Virginia Commonwealth University
Washington Internation Trade Association
Wisconsin Small Business Development Center
We Fest – Country Music Festival
WinterThur Museum
Wheaton Arts
Working Men’s Institute (Indiana)

Impacted Orgs: Google Webmaster Removal Tool 

Phish Gallery & Blog Update

Phish Gallery & Blog Update


Why has the blog been so dry? Well, it’s complicated. There are always people who don’t want to see you expressing yourself in a public way. These invisible haters will try to make connections between your personal activities, i.e., Blogging and work-related things, in any way they desperately can. I win those battles; it’s just tiring to explain to the suits how free speech works. Support the ACLU and EFF. 

Visit my Twitter Feed to see screenshots of various threats that come my way from readers, and my own mailboxes being flooded with threats. Many of them turn into future news articles in the days or weeks to come, so you get a head start. Otherwise, I tend to post the news I’ve been personally reading throughout the day. Maybe you’ll find something interesting. Thanks for reading. I’ll be back as soon as I finish realigning my career goals and getting myself in a good place to write again.

Phishing Gallery

It’s been a CRAZY year for breaches, ransomware, and other cyber terrorism. Truly a daily occurrence all over the world. A collection of phishing screenshots I’ve collected this year from various honeypots and other sources. We’ve worked with many organizations over the years to take down infrastructure related to these attacks. The trend I’ve seen across security products is that they block effectively, but it takes days. Secondly, the sites and email sources tend to go largely unreported.  If you want to make a difference: Protect future victims by sending the abuse emails. It may take hours, but it’ll take days or even weeks as everyone shields themselves without bringing the sites down. Many providers I reach out to will respond quickly to eliminate the artifacts.

Useful Links: 


(Click the right > key to move through the screenshots. I need to fix the jumping around with different sizes)

Emails + Attachments:

AlphaRacks Offline

AlphaRacks Offline

No Comments

We reported a massive phishing operation taking place back in July of 2018 at Alpharacks. The spam, child porn, malware, and phishing never stopped for a moment since writing about Alpharacks back in 2018. The [email protected] team never responded to any direct emails between Quadranet and myself. The blog is under development but at this time Alpharacks is still offline as of 5/26/19. Here is the most recent Statement from Alpharacks

See our article: Phishing – A Master Anglers Toolbox

Recent updates: