Sponsored by..

Tuesday 15 February 2011

Scam: "North American Program Planning and Policy Academy (NAPPPA)"

NOTE: You can find out who was operating NAPPPA here

Fake seminars are an unusual way of scamming money from people, but this one appears to be such a pitch.

Using the domains napppa.org, napppaweb.com, napppanetwork.com, napppanetwork.org and napppa.com the "North American Program Planning and Policy Academy (NAPPPA)" claims to have been around for 50 years, but it only seems to have gotten around to registering its domains in the past two months with anonymous registrations. A Google search comes up with nothing but these recently registered websites and some spam, so it certainly appears that this is a wholly bogus outfit.

In this case the email is routed via 96.43.142.170 in the US, which also hosts napppanetwork.com.

Update: these emails appear to be originating from 173.55.115.38, a Verizon customer in Hacienda Heights, California (near Los Angeles).

From: NAPPPA Announcements <announcements@napppanetwork.com>
Date: 15 February 2011 14:40
Subject: Strategy Session: Academic Research Funding (April 25-26, 2011: Seattle University, Seattle, WA)
Signed by: napppanetwork.com

The North American Program Planning and Policy Academy (NAPPPA) will be sponsoring an Academic Research Funding Strategy Session at Seattle University in Seattle, WA on April 25-26, 2011.  Interested science, technology, and medical professionals, researchers, faculty, and graduate students should register as soon as possible, as demand means that seats will fill up quickly. Please forward, post, and distribute this e-mail to your colleagues and listservs.

For more information call (800) 649-6522 or visit The NAPPPA website at http://www.napppaweb.com.

Please find the program description below:

As a response to increased demand and competition for academic research funding support and training, as well as the high cost of many programs, we offer this two day strategy session through the proposal writing and development process. This strategy features two modules: 1) Practicum I: Focusing on the format and structure of the successful research funding proposal, this module provides attendees with an overview of each part of the research funding proposal, avenues for researching available grant programs, and concludes with fundamental proposal writing techniques. 2) Practicum II: Drawing from practical exercises and techniques developed in Practicum I and the Pre-Session coursework, participants are guided through the completion of a Research Funding Dossier, which acts as the culminating work product of the session.
This session is ideal for the researcher with a targeted program, but is equally effective for those who can identify their research interests. Completion of the Pre-Session Interview and Assignments is essential to program success and value.


Academic Research Funding Strategy Session  will cover the following topics:

* Fundamentals of the Research Funding Proposal Process
* Basic Elements of the Standard Research Proposal
* Essentials of Researching Funding Opportunities
* Types of Research Funding Opportunities
* Online Tools and Traditional Publications for Research
* Successful Proposal Writing Techniques
* The Do's and Don'ts of Proposal Writing
* The Strategic Grant Acquisition Effort

Tuition for this two day strategy session is $398.00.

    Strategy Session Registration

    1. Participants tentatively reserve a seat online at www.napppaweb.com, by calling the Program Office toll-free at (800) 649-6522, or by sending their name and contact information via email to registrar@napppaweb.com.

    2. A confirmation email is sent to registrants that includes session site information, travel information, program description, and details on how to confirm attendance and make payment arrangements. An invoice and agency W9 is also included.

    3. Upon attendance confirmation, registrants will receive (usually via email) a Pre-Session packet that will include 1) a Pre-Session Interview, 2) A Pre-Session Reading Packet, 3) Three exercises to be completed, 4) a Session Agenda and Schedule, and 5) a receipt.



You have received this invitation due to specific educational affiliation. We respect your privacy and want to ensure that interested parties are made aware of NAPPPA strategy sessions and schedules. This is intended to be a one-time announcement. In any event, you should not receive any more announcements unless there is a program next year in your area. To be unlisted from next year's announcement, send an email to remove@napppaweb.com and write "Unlist" in the subject line.

The (800) 649-6522 number comes up on Google quite often, and should probably serve as a warning if you ever see it in an email. Avoid.

Update 17/5/11: there's been a lot of interest in this "Academy", so here are some more details

The napppa.org domain is registered to a presumably rented box at "Mailboxes & More" in Los Angeles.

Registrant Name:Program Director
Registrant Organization:NAPPPA
Registrant Street1:655 S Flower Street
Registrant Street2:
Registrant Street3:
Registrant City:Los Angeles
Registrant State/Province:CA
Registrant Postal Code:90017
Registrant Country:US
Registrant Phone:+1.7602023597
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:cadiyadvisor@gmail.com


You can see the store here (note the "655" number on the left door)


View Larger Map

Most of the other domains are anonymised, apart from napppa.com which is also registered to what appears to be a box in at Wilshire Mailbox in LA.

Programs, NPPPA  cadiyadvisor@gmail.com
    5042 Wilshire Boulevard Ste 15699
    Los Angeles, CA 90017
    US
    +1.7602023597

There is also a new anonymised domain called napppaprograms.org that is in use.

Update:  two new anonymous domains have emerged, napppanet1.org (212.38.176.159) and napppanet2.org (69.57.166.88). These appear to be used for sending spam mail.

Update:  as of August 2011, these spam emails are still continuing:


From: NAPPPA Announcements idaho@napppanet1.org
Date: 7 August 2011 22:15
Subject: Strategy Session: Program Planning, Evaluation, and Proposals (August 18 - 19, 2011: University of Idaho - Boise)

The North American Program Planning and Policy Academy will be conducting the Program Planning, Evaluation, and Proposals Strategy Session at University of Idaho - Boise in Boise, Idaho on August 18 - 19, 2011.  Interested development professionals, researchers, faculty, and graduate students should register as soon as possible, as demand means that seats will fill up quickly. Please forward, post, and distribute this e-mail to your colleagues and listservs.
For more information call (800) 649-6522 or visit The NAPPPA website at http://napppaPROGRAMS.org. Please find the program description below: 
The Program Planning, Evaluation, and Proposals Strategy Session  is a hands-on, intensive session that leads participants through the entire grant proposal and funding research processes. Through an intense two day practicum, participants will receive an overview of program planning concepts along with advanced writing techniques to develop successful proposals. This results-based session combines individual exercises with group collaboration to allow each participant to leave the session with a Program Planning and Funding Dossier. Exercises leading up to the dossier and organization narrative include a thorough proposal outline, completed worksheets necessary for proposal submissions, and a starting collection of publications and resources to build a development library. Strategy Sessions is designed to provide your organization with the competitive advantage necessary in our modern grants award environment.
This session is ideal for those with a targeted program, but is equally effective for those who can identify their program and funding interests. Completion of the Pre-Session Interview and Assignments is essential to program success and value. Each participant will receive a selection of funding programs tailored to their program and/or areas of interest. Participants without a program will be provided a working example during Pre-Session.

The Program Planning, Evaluation, and Proposals Strategy Session will cover the following during the two day session:

(1) Fundamentals of Program Planning

This session will teach professional program development essentials and program evaluation. While most grantsmanship  "workshops" treat program development and evaluation as separate from the writing of a proposal, this will teach students the relationship between overall program planning and proposal writing.

(2) Strategic Funding Research

At its foundation, this session will address the basics of foundation, corporation, and government grant research. However, this course will emphasize a strategic funding research approach that encourages writers to see research not as something they do before they write a proposal, but as an integrated part of the grant  seeking process. Students will be exposed to online database research tools, as well as publications and directories that contain information about foundation, corporation, and government grant opportunities. Focusing on funding sources and basic social science research, this course teaches students how to use research as part of a strategic grant  acquisition effort.

(3) Professional Proposal Writing

Designed to obtain tangible results, this session will make each student an overall proposal writing   specialist. In addition to teaching the basic components of a grant proposal, successful approaches, and the do's and don'ts of grant writing, this session is infused with expert principles that will lead to a mastery of the process. Strategy resides at the forefront of this session's intent to illustrate grant writing as an integrated, multidimensional, and dynamic endeavor. Each student will learn to stop writing the grant  and to start writing the story. Ultimately, this session will conclude with a completed proposal outline.

Tuition for this two day strategy session is $398.00.

Strategy Session Registration
1. Participants tentatively reserve a seat online at http://napppaPROGRAMS.org, by calling the Program Office toll-free at (800) 649-6522, or by sending their name and contact information via email to registrar@napppaprograms.org.
2. A confirmation email is sent to registrants that includes  session site information, travel information, program description, and details on how to confirm attendance and make payment arrangements. An invoice and agency W9 is also included.
3.Upon attendance confirmation, registrants will receive (usually via email) a Pre-Session packet that will include 1) a Pre-Session Interview, 2) A Pre- Session Reading Packet, 3) Three exercises to be completed, 4) a Session Agenda and Schedule, and 5) a receipt.

You have received this invitation due to specific educational affiliation. We respect your privacy and want to ensure that interested parties are made aware of NAPPPA strategy sessions and schedules. This is intended to be a one-time announcement. In any event, you should not receive any more announcements unless there is a program next year in your area. To be unlisted from next year's announcement, send an email to remove@napppaprograms.org and write "Unlist" in the subject line.

Mail routed via 173.254.208.137, but appears to originate from 173.55.115.38 in Hacienda_Heights, California. This is consistent with the first email

Update: 26th September 2011
ABC15 in Arizona have picked up the story. Text transcript is here, or you can see the video below.


Update: 6th October 2011:
NAPPPA has now renamed itself as NA3PA but is still pumping out the same spam.

Please share your experiences by clicking the "comments" link near the bottom of the post.

NOTE: You can find out who was operating NAPPPA here

Thursday 10 February 2011

Evil network: Voejkova Nadezhda / VOEJNA-NET AS51441 (91.217.162.0/24) aka tirexhost.com

Voejkova Nadezhda, aka VOEJNA-NET and also known as tirexhost.com is a netblock allegedly based in the Ukraine, but apparently operated out of St Petersburg, Russia.

The block 91.217.162.0/24 is quite small, but one of the nastiest that I have seen in a while (and it's the new home of worid-of-books.com) with a selection of fake security updates, bogus companies and malware sites and apparently no legitimate sites at all.

Google's safe browsing diagnostics report for AS51441 gives an idea of how nasty it is:

Safe Browsing
Diagnostic page for AS51441 (VOEJNA)

What happened when Google visited sites hosted on this network?

    Of the 755 site(s) we tested on this network over the past 90 days, 295 site(s), including, for example, takofep.co.cc/, camesom.co.cc/, tiruvov.co.cc/, served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2011-02-10, and the last time suspicious content was found was on 2011-02-10.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 63 site(s) on this network, including, for example, bali-planet.com/, zxstats.com/, adsensestat.com/, that appeared to function as intermediaries for the infection of 2642 other site(s) including, for example, walhi.or.id/, protagonistasdelacultura.cl/, uvfx.com/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 318 site(s), including, for example, paimiru.tk/, ua968089679.co.cc/, fenkaololo.com/, that infected 2943 other site(s), including, for example, veryripe.com/, sketchiest.com/, coneofignorance.net/.
Registration details for the netblock are:

inetnum:        91.217.162.0 - 91.217.162.255
netname:        VOEJNA-NET
descr:          Voejkova Nadezhda
country:        UA
org:            ORG-VN12-RIPE
admin-c:        BT1959-RIPE
tech-c:         BT1959-RIPE
status:         ASSIGNED PI
mnt-by:         RIPE-NCC-END-MNT
mnt-lower:      RIPE-NCC-END-MNT
mnt-by:         VOEJNA-MNT
mnt-routes:     VOEJNA-MNT
mnt-domains:    VOEJNA-MNT
source:         RIPE # Filtered

organisation:   ORG-VN12-RIPE
org-name:       Voejkova Nadezhda
org-type:       OTHER
descr:          Voejkova Nadezhda
address:        Russia, St.Pitersburb
address:        Kupchinskaya 29/1, ap.90
phone:          +7 (812) 7359264
e-mail:        
admin-c:        BT1959-RIPE
tech-c:         BT1959-RIPE
mnt-ref:        VOEJNA-MNT
mnt-by:         VOEJNA-MNT
source:         RIPE # Filtered

person:         Berkevich Taras
address:        Ukraine, Lviv
address:        Povitryana 94, ap. 47
phone:          +38 (032) 7302345
nic-hdl:        BT1959-RIPE
mnt-by:         VOEJNA-MNT
source:         RIPE # Filtered

route:          91.217.162.0/24
descr:          TIREXHOST.COM
origin:         AS51441
mnt-by:         VOEJNA-MNT
source:         RIPE # Filtered

This also fingers the domain tirexhost.com which is protected with an anonymous registration.. but behind that it is actually one Boris Umitbaev:

Umitbaev, Boris  larinkamil@googlemail.com
      Bolshaya Zelenina, 13-80
      St-Petersburg, Leningradskaya Oblast 103008
      Russian Federation
      78127736549      Fax -- 

There's a list of domains, IP addresses and myWOT ratings here, alternatively block the entire 91.217.162.0/24 (91.217.162.0 to 91.217.162.255) range or use the list below:

Tirexhost.com
Np-comp.com
Lee2ip.com
Leemka.com
Company777.com
Traff-shop.net
Zaebalihostingi.com
Funglobal.net
Going-wide.net
Myvafpt.com
Easyiptracker.info
Hscr.info
Ipcounter.info
Soxabi.info
Vecite.info
Benelulz.com
Belikoff.info
Da0s.info
Swindling.info
Termogaz.info
Glhkghjfhhfklffr.com
Drollkenga.com
Fuckzebra.com
Drollcats.com
Drollpinguins.com
Drollumbat.com
Drollzebra.com
Firastbill.com
Funnybarsshow.com
Funnybearsshow.com
Funnymarmotshow.com
Funnypinguinshow.com
Online-network-solution.com
Microsoftwindowssecurity184.com
Microsoftwindowssecurity185.com
Microsoftwindowssecurity199.com
Microsoftwindowssecurity200.com
Microsoftwindowssecurity2011.com
Kdddaber.com
Newprojectbrain.com
Bftop.ru
Rezip.ru
Havephun.org
Molotora.com
Molotorasolutions.com
Turbostat.org
Zaebalikakdolgopizdec.com
98ghwe5p98gh.net
Gwk5ghwo.net
Jok7.com
Xp-scaner.com
Truegeneralporn.com
Mostporntube.com
Lightporntube.com
Xp-scan.com
Xppclapgirl.com
Handbag-review-2010.com
Googlerr.com
Gtrafx.com
Optimumconsult.net
Romanchuk.net
Statsnets.com
Celebsclips.net
Celebsvideos.net
Celebsvidz.net
Fruitvideos.net
Goodpetrovich.com
Rogervideos.net
8fd30g.net
Gsa8f3.net
General-st.info
Worid-of-books.com
Agasi-story.info
New-looking.net
Slowpoke.in
Em-stat.com
Updatewincenter.com
Getacc.net
My-loads.com
Top-ups.net
Getacc2.com
My-loads2.net
Worldstatsgate.com
Zaparena.biz
Rmkstore.us
Lotos2.com
Bog77.com
Dor77.com
Gol77.com
Dangerboom.com
Dangerboom.net
Dangerthree.com
Dangertwo.com
Dangertwo.net
Bgnt.net
Gentix77.net
Googleadstat.com
Halyot.net
Girtac.ru
Protection-pc.org
Berrianguz.com
Irompas.com
Mirotag.com
Mizanticonif.com
Mollotojub.com
Vikanzubik.com
Volgansuk.com
Ruvipxxxa.ru
Mysnom.net
Ejewels.ca
Santa77.com
Bali-planet.com
Sailingaccommodations.com
Zxstats.com
Ntstats.com
Stxstats.com
Excellentcat.com
Golovanerabotaet.com
Groupmind.in
Picheta.net
Pinout.in
Restrovids.net
Toplesson.in
External-top-domains.ru
Justnewleft.ru
Newsdfg.com
Repoiury.com
Rerererererere.com

Monday 7 February 2011

Evil network: Didjief LLC / DIGIEF-NET AS48709 (91.200.242.0/23)

Didjief  LLC - or to give its full (and presumably fake) name "Didjief Internation Kulinari Koncept LLC" - runs a wholly malicious netblock in the 91.200.242.0/23 (91.200.240.0 - 91.200.243.255) range which includes a variety of malware sites, fake businesses, fake software and other malicious sites that should be blocked.

Many of these sites have wholly ficticious WHOIS entries or are registered through known black hat registrars. Some examples and references are:

A simple Google search bring up lots of matches that indicate malicious activity, for example 91.200.240 and 91.200.242. There are also fake business sites such as Adclickmarket.com which gives WHOIS contact details as:

    Ad Click Market Ltd.
    AdClickMarket        (info@adclickmarket.com)
    PO Box 279
    Alderley Edge
    Cheshire,SK9 7UQ
    GB
    Tel. +44.2854327

There is no company in the UK with the name Ad Click Market Ltd according to Companies House.

There is also another group of fake businesses using the "Advertising German Group" name, such as traveleshop.biz (also implicated in malware distribution here):

    Advertising German Group (AGG)
    Niclas Kappel        (niclas.kappel@yahoo.com)
    Kurt-Schumacher-Str. 5
    Bonn
    Nordrhein-Westfalen,D-53110
    DE
    Tel. +490.2284290

According to SiteVet, the AS48709 block has been bad ever since it was allocated late last year. The digief.eu domain associated with it is currently suspended, and it isn't clear if the WHOIS details for the netblock are accurate (they are probably not).

inetnum:        91.200.240.0 - 91.200.243.255
netname:        DIGIEF-NET
descr:          Didjief internation kulinari koncept LLC
address:        112 Kifissias Ave & Sina Str.Marousi
address:        Athens, Greece
phone:          +30 210 6159812
fax-no:         +30 210 6159812
person:         Adonis Mozanakis
abuse-mailbox:  abuse@digief.eu

On the subject of reputation, Google's safe browsing diagnostics for this block are pretty horrible:

Safe Browsing
Diagnostic page for AS48709 (XISOFT)

What happened when Google visited sites hosted on this network?

    Of the 114 site(s) we tested on this network over the past 90 days, 2 site(s), including, for example, waistor.com/, 91.200.240.0/, served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2011-02-05, and the last time suspicious content was found was on 2011-02-05.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 21 site(s) on this network, including, for example, geodemy.com/, waistor.com/, 91.200.240.0/, that appeared to function as intermediaries for the infection of 2096 other site(s) including, for example, marchex.com/, semettreauvert.com/, fcolimpi.ge/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 58 site(s), including, for example, waistor.com/, searchalthough.org/, pushot.com/, that infected 4866 other site(s), including, for example, fcolimpi.ge/, interhosting.kr/, schoenweb.nl/.

This is the full list of sites that I have found in this block (or are associated with it) , or you can download a more complete list with MyWOT ratings from here.

49oo.info
Abouthealth.name
Adclickmarket.com
Adobesoft.net
Adobesoftware.net
Allrequestsallowed.com
Allrequestsallowed.net
Animegarrett.com
Arinstasche.com
Avsk.ws
Bubendotcom.com
Chyoexte.com
Clickabundant.org
Clickcareless.org
Clickclumsy.org
Coffeescorer.com
Disdarred.info
Dontess.com
Easyregcleaner.net
Easysellerguide.net
Findcopper.org
Findcousin.org
Findfight.org
Findwild.org
Flashupdates.net
Gampbel.biz
Gnarenyawr.com
Guglionesi.net
Iaqhuberschewis.com
Juiceamount.com
Jukdoout0.com
Julianoserhio.com
Ltc-center.com
Montanessi.com
Negnsrevers.com
Nemotired.org
Offpaymentbiz.com
Olarkstats.com
Pipisutka.com
Qgceneuknash.com
Rammjyuke.com
Ranmjyuke.com
Result-lookup.info
Rinderwayr.com
Searchaddition.org
Searchadvertisement.org
Searchaffect.org
Searchafrica.org
Searchafter.org
Searchalthough.org
Searcharound.org
Searchcold.org
Searchdefeated.org
Searchfindaggressive.org
Searchjewel.org
Searchquiet.org
Searchrainy.org
Searchraspy.org
Selinect.ru
Superbulkmanager.com
Swltcho0.com
Teameter.net
Traveleshop.biz
Turbochange.com
Turboprotect.com
Vvps.ws
Xylylon.ru
Zoness.biz