
Sunday 25 September 2011

Fake jobs: hire-position.com and work-position.net

Here are two new fake job domains with a twist, possibly run by the same scammers who are behind this long-running spam/scam campaign.

hire-position.com
work-position.net

The domains were registered just yesterday via a Russian registrar to an address in Spain, which is most likely fake:

    Ivan Gonsalez
    Email: ivan4gonzalez@yahoo.es
    Organization: Ivan Gonsalez
    Address: P. de Extremadura 151
    City: Madrid
    State: Madrid
    ZIP: 28011
    Country: ES
    Phone: +34.914641145 

This rabbit hole goes a bit deeper than usual, because the ivan4gonzalez@yahoo.es email address has been used before, for the domain girsland.ru:

    domain: GIRSLAND.RU
    nserver: ns1.strategy-recruiting.org.
    nserver: ns2.strategy-recruiting.org.
    state: REGISTERED, DELEGATED, UNVERIFIED
    person: Private Person
    e-mail: ivan4gonzalez@yahoo.es
    registrar: REGTIME-REG-RIPN
    created: 2011.07.26
    paid-till: 2012.07.26
    source: TCI

Girsland.ru has a reputation for being spammy and it looks like a typical romance scam site. As with hire-position.com and work-position.net, it's odd that a Spanish address is being used for domains that are either under a Russian TLD or registered through a Russian registrar.

Girsland.ru is hosted on 173.234.8.215 at Ubiquity Server Solutions Atlanta, although it looks like the IP block might be rented out to a company called Nobis Technology Group LLC in Arizona. There are some nasty things going on in that IP neighbourhood according to SiteVet.

What else can we find on 173.234.8.215? It turns out that there's a rich vein of nastiness here.

actionfg.com - "Action Financial. All of your financial services in one place."
Chinese registrar, fake WHOIS details. Fake check scam. [1] [2]
Michael L. Walter
Michael Walter MichaelLWalter@teleworm.com
314-849-7082 fax: 314-849-7011
2523 Ash Avenue
Saint Louis MO 63126
us
NS: ns1.wapcco.net and ns2.wapcco.net

adena-job.com
Chinese registrar, fake WHOIS details. Fake job offers. [3]
Name: Ana Bates
Organization: Ana N. Bates
Address: 789 Pinchelone Street
City: Herndon
Province/state: VA
Country: us
Postal Code: 22090
Email: AnaNBates@ymail.com
NS: ns1.needafishingboat.net and ns2.needafishingboat.net

adenafinance.com - "Adena Finance. All of your financial services in one place."
Chinese registrar, fake WHOIS details.

Eric M. Dillinger
Eric Dillinger EricMDillinger@gmail.com
+1.5305125808 fax: +1.5305125808
1467 Hill Croft Farm Road
Sacramento CA 95814
us
NS: ns1.needafishingboat.net and ns2.needafishingboat.net

arrowfg.com - "Arrow Financial Group"
Chinese registrar, fake WHOIS details. Money mule scam [4] [5]
William K. Breen
William Breen WilliamKBreen@teleworm.com
606-542-3946 fax: 606-542-3922
62 Meadowcrest Lane
Flat Lick KY 40982
us
NS: ns1.careerhiring-solutions.org and ns2.careerhiring-solutions.org

freeblogpro.org - "Surprise!!!"
Chinese registrar, fake WHOIS details. Malware distribution. [6] [7]
Registrant ID:TOD-42629838
Registrant Name:Gertrude Mcmillan
Registrant Organization:Gertrude D. Mcmillan
Registrant Street1:250 Reynolds Alley
Registrant Street2:
Registrant Street3:
Registrant City:Long Beach
Registrant State/Province:CA
Registrant Postal Code:90808
Registrant Country:US
Registrant Phone:+1.5623772946
Registrant Phone Ext.:
Registrant FAX:+1.5623772946
Registrant FAX Ext.:
Registrant Email:GertrudeDMcmillan@gmail.com
NS: NS1.SLOWSTATUS.NET and NS2.SLOWSTATUS.NET

krokodilius8.com
Chinese registrar, fake WHOIS details. Malware distribution. [8]

Richard J. Aguilar
Richard Aguilar RichardJAguilar@gmail.com
+1.2523933705 fax: +1.2523933705
3458 Green Acres Road
Swansboro NC 28584
us
NS: ns1.barcellons.com and ns2.barcellons.com

rdm-gool.net - "Surprise!!!"
Chinese registrar, fake WHOIS details. Probably malware distribution.
Lincoln P. Miller
Lincoln Miller LincolnPMiller@gmail.com
+1.4156774378 fax: +1.4156774378
813 Boring Lane
San Francisco CA 94108
us
NS: ns1.slowstatus.net and ns2.slowstatus.net

recruitarrowfg.com
Chinese registrar, fake WHOIS details. Fake job offers [9] [10]
Name: Fletcher Leach
Organization: Fletcher C. Leach
Address: 180 Deer Ridge Drive
City: Millburn
Province/state: NJ
Country: us
Postal Code: 07041
Email: FletcherCLeach@aol.com
NS: ns1.careerhiring-solutions.org and ns2.careerhiring-solutions.org

superblogonline.org - "Surprise!!!"
Chinese registrar, fake WHOIS details. Malware distribution [11] [12]
Registrant ID:TOD-42637428
Registrant Name:Ernest Thomas
Registrant Organization:Ernest R. Thomas
Registrant Street1:228 Riverside Drive
Registrant Street2:
Registrant Street3:
Registrant City:Athens
Registrant State/Province:GA
Registrant Postal Code:30606
Registrant Country:US
Registrant Phone:+1.7068186834
Registrant Phone Ext.:
Registrant FAX:+1.7068186834
Registrant FAX Ext.:
Registrant Email:ErnestRThomas@aol.com
NS: NS1.SLOWSTATUS.NET and NS2.SLOWSTATUS.NET

thebloggin.net - "Surprise!!!"
Chinese registrar, fake WHOIS details. Malware distribution [13] [14]
Justin R. Martinez
Justin Martinez JustinRMartinez@aol.com
+1.3235224026 fax: +1.3235224026
2898 Evergreen Lane
Pomona CA 91766
us
NS: ns1.slowstatus.net and ns2.slowstatus.net

yourtraveldiary.net - "Surprise!!!"
Chinese registrar, fake WHOIS details. Malware distribution [15]
Name: Paula Huerta
Organization: Paula A. Huerta
Address: 3993 Payne Street
City: Hillsville
Province/state: VA
Country: us
Postal Code: 24343
Email: PaulaAHuerta@gmail.com
NS: ns1.slowstatus.net and ns2.slowstatus.net
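
The two pivots used in this post, a reused registrant e-mail address and shared nameservers, can be automated when building a blocklist. The Python below is an added example, not part of the original post: the function names are hypothetical, `SAMPLE` holds abbreviated copies of records quoted above, and the registered-domain guess simply keeps the last two labels of each nameserver.

```python
import re
from collections import defaultdict

# Abbreviated records copied from the post, keeping its mixed WHOIS layouts.
SAMPLE = """\
girsland.ru
nserver: ns1.strategy-recruiting.org.
e-mail: ivan4gonzalez@yahoo.es

hire-position.com
Email: ivan4gonzalez@yahoo.es

freeblogpro.org - "Surprise!!!"
Registrant Email:GertrudeDMcmillan@gmail.com
NS: NS1.SLOWSTATUS.NET and NS2.SLOWSTATUS.NET

thebloggin.net - "Surprise!!!"
Justin Martinez JustinRMartinez@aol.com
NS: ns1.slowstatus.net and ns2.slowstatus.net
"""

HOST = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def zone(host):
    return ".".join(host.split(".")[-2:])  # naive: last two labels only

def parse(text):
    """Return {domain: set of pivot keys like 'email:x' or 'ns:zone'}."""
    records = {}
    for block in text.lower().strip().split("\n\n"):
        lines = block.splitlines()
        keys = set()
        for line in lines[1:]:
            if re.match(r"(ns|nserver):", line):
                keys |= {"ns:" + zone(h) for h in HOST.findall(line)}
            else:
                keys |= {"email:" + e for e in EMAIL.findall(line)}
        records[lines[0].split()[0]] = keys
    return records

def shared_pivots(records):
    """Map each pivot key seen on two or more domains to those domains."""
    index = defaultdict(set)
    for domain, keys in records.items():
        for key in keys:
            index[key].add(domain)
    return {k: sorted(v) for k, v in index.items() if len(v) > 1}

print(shared_pivots(parse(SAMPLE)))
```

Any key that comes back with more than one domain is a candidate cluster to review and block together; keys seen on a single domain are dropped.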

Querying the nameservers reveals some more domains that look worth blocking as well. In total, blocking the following related domains will probably be a very good thing to do.


1 comment:

Lolo 83 said...

Thank you for taking the time to post this information onto your blog. I recently received an email from a supposed recruiter looking for serious applicants only for a work-at-home database management position. The details of the position made the job seem too good to be true so I decided to do a Google search using the domain name provided as the contact email address. They wanted me to reply with my name and location and then they would reply back. Thankfully I saw this first before responding with information that may have eventually led to stealing my money or identity or worse!