Tiltproof Incorporated Document No. Effective Date Revision Date Approval 5.16.

1 04/27/2007 07/27/2007 GN

Handling a New Hoax Site

1.0 Purpose:

This document establishes how to handle a new hoax site.

2.0 Persons Affected:

1) Supervisors and above.

3.0 Forms, Checklists, Flowchart:

1) Printable version: \\tpfs1nw\workflow$\HANDBOOK\Print Versions\5.16.1 Handling a New Hoax Site.doc

4.0 Policy:

5.0 Procedure:

A) Reporting a New Hoax Site 1) 2) 3) 4) 5) Alert the Hoax Team at <hoaxteam@tiltproof.ca> and CC <supervisors@tiltproof.ca> immediately if you become aware of a new hoax website. A member of the Hoax Team or a Supervisor will do the following. Go to <www.dnsstuff.com> and enter the web address into the WHOIS and Abuse Lookup fields. Find out who is hosting the website, most likely Yahoo. Select get results with the E-mail addresses to find the contact email address for the hosting site. Send the template email below to the contact email address/es with the appropriate CC: from the Fraudoperations@fulltiltpoker.com email address, and BCC: pmclaughlin@pocketkings.ie (You should never send email to any non-Tiltproof or non-Pocket Kings party from your personal Tiltproof.ca address.).

Tiltproof Incorporated 6) Follow the steps below while waiting for a reply (Section B). 7) Once you receive a reply from the company hosting the site saying that the website has been removed, please forward to <supsopsscsrs@tiltproof.ca>, <iimrich@ijilaw.com>, < fraudsquad@tiltproof.ca> if they werent CC:ed in the reply. a) CC the specific processor if the hoax site was asking for the particular processors account numbers. These are INTERNAL and not to be given to players. NETELLER < Investigations@neteller.com > MyWebATM < charles@opusfinancials.com > ePassporte < brian.branam@epassporte.com >, and < annelies.manuel@epassporte.com > Click2Pay < martin.osterloh@wirecard.com > B) Procedure to Follow While Waiting for a Reply 1) Alert the Supervisor to get a message out to the current shift about the site, and to suggest they review the PR document in the handbook about handling responses to hoax emails. C) Supervisors Procedure to Follow While Waiting for a Reply 1) Assign someone to run a chat scan for the hoax website every 5-10 minutes. Run the ChatScan macro or manually do this by typing FTT_Followd chatscan 1 ".com" 1>chatscan.txt into the command prompt 2) Add the hoax website to the Announcements Page Huddle Notes [S:\FTP_Fraud_Department\Hoax\Hoax Site Log.xls] White Boards (if needed) D) Email Template To: (If Yahoo) <reportabuse@yahoo-inc.com>, <abuse@yahoo-inc.com>, <copyright@yahoo-inc.com>, <domains-abuse@cc.yahoo-inc.com> Cc: <supsopsscsrs@tiltproof.ca>, <iimrich@ijilaw.com>, <hoaxteam@tiltproof.ca>, the processors should be CCd when appropriate. Content: Hello, It has come to our attention that you may be hosting a site which is attempting to

Tiltproof Incorporated defraud customers of FullTiltPoker.com. Please review your hosting for: _____________________ XXXFOR SCAM SITESXXX This is a site which is attempting to "scam" users passwords for their FullTiltPoker logins, as well as many transaction processor websites (essentially online banks) such as NETELLER, ePassporte, PayPal, and Moneybookers. The site is also in breach of copyright laws. XXXFOR KEYLOGGING SITESXXX This site attempts to install malicious key-logging software onto unsuspecting player's computers and is in breach of copyright laws. We request that you remove the offending site as expeditiously as possible. Please contact us with any concerns or questions. Thank you for your prompt cooperation in this matter. ********NAME******** On behalf of Full Tilt Poker E) Finding a Back End Server Location 1) Open the suspected hoax site 2) Right click the webpage 3) Select View 4) Select Source or View Source to bring it up in text form. 5) Save a copy of this in [S:\ FTP_Fraud_Department\HOAX\Scam Website Source Code] with the same name as the web address Scam-websitedotcom.txt 6) If it is similar to our previous scam websites, it will have a form that sends information to another website. It will look similar to this: <form action="http://00642EF.NETSOLHOST.COM/login.php" method="post"> 7) Follow the steps in Reporting a New Hoax Site with the web address located next to form action. <http://00642EF.NETSOLHOST.COM/login.php> F) Investigating Players Affected by the Hoax Site 1) Create a new folder in [S:\FTP_Fraud_Department\HOAX\2007] named [Hoax Site mm yy]

Tiltproof Incorporated Investigators save their know100s and all related files in this folder. 2) Start a spreadsheet tracker for all victims of this new hoax site. G) Spreadsheet Account Security/Limits Section 1) Confirm that the players account is clean with no foreign logins. 2) Open their account in WAT. a) Select the Security & Limits tab. b) Select No Play, No Mixed Games, No Chat, No Deposit and No Transfer for added security. c) Select Submit. 3) Email the player requesting that they reset their password and contact us back immediately. 4) Once the player writes back we can reinstate their account fully, and give them back all privileges to the account. 5) In the spreadsheet, highlight the players account green once they have confirmed that the password has been changed and the playing rights have been given back.

6.0 Definitions:

Back End Server = is what the recent (Feb 2006) scammer used to record all of the account particulars. Basically there is the front end website which is where they direct everyone to go (www.500free-fulltiltpoker.com). Once they enter the information, they are redirected to another website that is hosted by a different company that is invisible to the human eye. This is a form of disguise by the scammer to prolong the exposure of the website and it also will protect the information the hoaxer has received for a longer period of time. July 27/07 BCC pmclaughlin@ July 20/07 New Fraud Team email addresses and folders Edit to email template Added more restrictions to accounts in G) July 5/07 New Yahoo email added to template June 19/07 Send emails from the Operations addy April 24/07 Email supsopsscsrs not management. Email processors when needed. Template altered. April 12/07

7.0 Revision History:

Tiltproof Incorporated Template no office ph# and added On behalf of to signature