Subject: Refund of Duplicate Payment
From: "Customer Care Center" <email@example.com>
Date: Sat, June 20, 2009 8:12 pm
Dear Business Partner!
Enclosed is our e-check in the amount of EURO 1,750.00 which represents a refund for your inadvertent duplicate
remittance for payment of transaction no. 267.
We are pleased that our bookkeeping department discovered this overpayment so quickly.
Instant Number Accounts
Credit Cards Bulk and Wholesale
Yes, you'd think that there's a malware payload or something, but there isn't. Let's check out the domain registration details - hosted at 18.104.22.168 in Austria:
owner-organization: MIBUG CREDIT UG
owner-street: Menzingerstrasse 130
This is meant to be some sort of financial services site, but it was only registered on 8th June 2009.
The site does very little: you can try to open an account (which requires you handing over a bunch of personal information), but there's no way of getting this "refund". There are a few links to wiremouse.com on the site, something that's hosted on the same server, so let's have a look at what else is on 22.214.171.124:
Registrant ID: C6565959-B-CO
Registrant Name: Georg BENDL
Registrant Address1: Bacherstrasse 7
Registrant City: GRIES
Registrant Postal Code: A5662
Registrant Country: Austria
Registrant Country Code: AT
Registrant Phone Number: +43.66492436352
Registrant Email: WMT5549@kunde.wmtech.net
Hmmm... OK, well what about wiremouse.com?
owner-organization: Managed Offshore Payment Services Limited
owner-fname: Nikolas
owner-lname: MAKIN
owner-street: Cariocca Business Park 2 Sawley Road
owner-zip: GM40 8BB
So, it's based in the UK? Well, the postcode is incorrect, but in fact Companies House does have a firm of the name Managed Offshore Payment Services Limited registered. But its accounts are overdue and there is a proposal to "strike off" the firm:
Let's look at bmc-london.co.uk on the same server:
38 Homer Street
Key-Systems GmbH [Tag = KEY-SYSTEMS-DE]
Registered on: 04-Sep-2008
Renewal date: 04-Sep-2010
Registered until renewal date.
This Georg Bendl chap moves around a lot. The address is valid although it's hard to verify if there's a real company operating from that address.
In fact, most domains seem to be registered to "Georg Bendl", but the address is different in almost every case (although Salzburg features more than once).
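The cross-referencing done by hand above (same hosting IP, same registrant name under different addresses, very recent registration dates) is easy to make repeatable. The Python below is an added example and not code from the original post: it parses WHOIS excerpts in the two layouts quoted here ("owner-*:" keys and "Registrant *:" keys), normalises the registrant name, and groups domains by registrant and by hosting IP, flagging any domain created within a few weeks of the message date. The domains, names, IPs and dates in SAMPLE_RECORDS are constructed placeholders, and the hosting IP for each domain is assumed to come from a separate DNS lookup.

```python
"""Correlate WHOIS excerpts by registrant name, hosting IP and domain age.

Added example, not code from the original post. All records below are
constructed placeholders in the two WHOIS layouts the post quotes.
"""
import re
from collections import defaultdict
from datetime import date, datetime

# Constructed input: domain -> (hosting IP from an assumed DNS lookup, WHOIS text).
SAMPLE_RECORDS = {
    "finance-site.example": ("203.0.113.10", """\
owner-organization: Placeholder Credit UG
owner-fname: Alex
owner-lname: DOE
owner-street: Sample Strasse 1
created: 2009-06-08
"""),
    "payments.example": ("203.0.113.10", """\
Registrant Name: Pat SMITH
Registrant Country: GB
Creation Date: 2008-09-04T00:00:00Z
"""),
    "consulting.example": ("203.0.113.10", """\
Registrant Name: Alex Doe
Registrant Address1: Another Road 7
Registered on: 04-Sep-2008
"""),
    "unrelated.example": ("198.51.100.5", """\
Registrant Name: Sam JONES
Registered on: 12-Jan-2005
"""),
}

# "key: value" lines; the key stops at the first colon so ISO timestamps survive.
KV_LINE = re.compile(r"^\s*([A-Za-z][\w -]*?)\s*:\s*(.*?)\s*$")


def parse_whois(text):
    """Turn 'key: value' lines into a dict with lower-cased, hyphenated keys."""
    fields = {}
    for line in text.splitlines():
        m = KV_LINE.match(line)
        if m:
            fields[m.group(1).lower().replace(" ", "-")] = m.group(2)
    return fields


def registrant_name(fields):
    """Normalise the registrant name across both layouts (case and spacing)."""
    name = fields.get("registrant-name") or " ".join(
        p for p in (fields.get("owner-fname"), fields.get("owner-lname")) if p
    )
    return " ".join(name.split()).lower()


DATE_KEYS = ("created", "creation-date", "registered-on")
DATE_FORMATS = ("%Y-%m-%d", "%d-%b-%Y", "%Y-%m-%dT%H:%M:%SZ")


def registration_date(fields):
    """Return the creation date under any of the usual keys/formats, or None."""
    for key in DATE_KEYS:
        raw = fields.get(key)
        if not raw:
            continue
        for fmt in DATE_FORMATS:
            try:
                return datetime.strptime(raw, fmt).date()
            except ValueError:
                continue
    return None


def cluster(records):
    """Group domains by normalised registrant and by hosting IP."""
    by_registrant, by_ip = defaultdict(set), defaultdict(set)
    for domain, (ip, text) in records.items():
        fields = parse_whois(text)
        by_registrant[registrant_name(fields)].add(domain)
        by_ip[ip].add(domain)
    return ({k: sorted(v) for k, v in by_registrant.items()},
            {k: sorted(v) for k, v in by_ip.items()})


def recently_registered(records, as_of, max_age_days=30):
    """Domains created within max_age_days before as_of (a date or ISO string)."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    young = []
    for domain, (_ip, text) in records.items():
        created = registration_date(parse_whois(text))
        if created and 0 <= (as_of - created).days <= max_age_days:
            young.append(domain)
    return sorted(young)


if __name__ == "__main__":
    by_reg, by_ip = cluster(SAMPLE_RECORDS)
    print("registrant clusters:", by_reg)
    print("shared hosting:", {ip: d for ip, d in by_ip.items() if len(d) > 1})
    print("registered in the 30 days before the mail:",
          recently_registered(SAMPLE_RECORDS, "2009-06-20"))
```

Run against real WHOIS output you have saved, the registrant clusters show which domains share an operator despite changing postal addresses, and the age check surfaces domains stood up days before a campaign, which is the strongest single signal in this kind of case.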
It's hard to fathom what this spam is about, although these sites do consistently link back to wiremouse.com. Some sort of SEO? A Joe Job? A phish? Email marketing gone horribly wrong? I don't know.
The final clue is that the sending IP address is 126.96.36.199, which belongs to an ADSL subscriber in Austria. Draw your own conclusions, but I would be tempted to give all of these domains a wide berth.