
Showing posts with label Scams. Show all posts

Thursday 10 April 2014

"CCAHC: Climate Change And Health Conference 2014" scam

This spam is a form of advance fee fraud scam:

From:     CCAHC ccahc@live.com
Reply-To:     ccahc@e-mile.co.uk
Date:     10 April 2014 16:04
Subject:     Call for Poster

CCAHC: Climate Change And Health Conference 2014


Dear Colleague,
On behalf of the CCAHC Scientific Committee, you are cordially invited to attend the 14th Climate Change & Health Conference to be held in Ibis Garden Hotel, from 16th - 18th May, 2014. 
The CCAHC 2014 event promises unrivalled learning and networking opportunities for the general public. Invited speakers are experts from multiple sectors and disciplines. Case studies of successful collaborations of environment, nutrition and public health across a wide range of issues.
The main theme for this year's poster session is:  "Impacts of Climate Change in Health and Nutrition"
While this is the main theme for the poster session it is not exclusive and you are welcome to submit a poster outside of this theme.
CCAHC 2014 showcases yet another exceptional programme with the latest scientific and best practice consensus on sustainable environment, biometeorological adaptation, global warming, climate change, waste management, greenhouse gas, pollution control, heart health, obesity, weight management, diabetes, child health, gut health, food sensitivity, healthy living and many other hot topics.
Why Attend:
  • Receive current updates on a range of topics, from leaders and expert practitioners.
  • Understand the latest scientific research in detail and discover its implications for your work.
  • Explore and debate controversial topics, discuss what is best for your clients and patients.
  • Sponsorship of air ticket, travel insurance, visa fees and per diem.
  • Enhance your skill set and progress your career.
  • Network with hundreds of other professionals involved in diet, nutrition, environment, health and lifestyle.
  • Participate in the Exhibitor Trail and win prizes!
  • Present your research, project, product or campaign, attract attention and promote your achievements
  • Registration is free of charge for participants from developing countries.
Paper Submissions:
Fax or e-mail up to 300 words describing your proposed paper on or before 18th April 2014. The paper will then be sent to the Advisory Board for evaluation and authors will be given feedback on or before 25th April 2014. The highest rated papers will be invited to present at the conference.
Sincerely yours,
Professor Jon Lloyd
Conference Chair
Maple House, 37-45 City Road, London EC1Y 1AT, United Kingdom.
Tel: +44 (0)70 8764 2424 | +44 (0)70 2404 4920
Fax: +44 (0)843 562 2173
The email originates from 196.46.246.174 (Airtel, Nigeria) via 221.120.96.3 in Bangladesh. Note that the sender is using free email addresses rather than one that ties back to an identifiable organisation. The email was sent to a spamtrap.

According to this article at 419scam.org the sting is that there will be visa and hotel fees to pay before going to the conference, and once this money has been sent by Western Union then the scammers will vanish, taking their mythical conference with them.

Avoid.

Thursday 30 January 2014

"Adopt a puppy scam" is a new twist

This offer to adopt a puppy for free is a scam:

From:     Shirley Eason shirleyeason5@gmail.com
Reply-To:     shirleyeason5@gmail.com
Date:     30 January 2014 09:29
Subject:     Adopt this little puppy @ 0$

My name is Shirley Eason, Presently diagnosed of acute brain injury from a ghastly car accident that led to lost of my son and husband 3 years ago.

I'm looking for a good heart fellow to take over my 9weeks English Bulldog,right now I have been ask to move to Aged home. ofcourse I'm not allowed to take webster.

I'm willing to send Webster overseas if you can convince me he's on good hands.

I want to share the love I have for Webster across the world to anyone who have passion for animals.

You will receive more photos on response to this mail.
http://www.sendspace.com/file/pa5p12
http://www.sendspace.com/file/ytalxs

Hugs and kisses from a beautiful heart

Warm Regards
What's on the end of those Sendspace links? Well, indeed there are a couple of pictures of a puppy.

So.. it's a free puppy? What could possibly go wrong? Well, lots..

Let's do a bit of detective work starting with finding the origin of those photos. A trip to Google Images followed by a click of the camera icon allows you to upload a picture to do a reverse image search. We can easily find a match for that photo here and here, and it turns out that although the dog really is called Webster he's not up for adoption at all, but is for sale by a reputable and unconnected party who has had their photo stolen.

So, what is the scam? Bearing in mind that poor old Webster is worth a couple of thousand dollars but the scammer is asking for nothing? Well, as with all advance fee fraud scams there are going to be up-front expenses that aren't mentioned, such as shipping fees, vet bills, certificates and all sorts of other things.. and once the victim has paid all the money then Webster will still not turn up because of course the scammer doesn't actually have the dog to begin with.

Now, we're pretty sure that you won't try to acquire a dog advertised by spam.. but if you are, well.. don't.

Incidentally, the origins of the email appear to be a computer at 75.130.67.30 (Charter Communications, Tennessee) via a server at 68.15.225.129 (ommailex1.iiiinc.com) although it is unlikely that the owner of either of those two systems is aware of the scam either.

Monday 27 January 2014

"Carnival Cruise Line Australia" fake job offer

This fake job offer does NOT come from Carnival Cruise lines:

From:     Mrs Vivian Mrs Vivian carnjob80@wp.pl
Date:     27 January 2014 09:59
Subject:     JOB ID: AU/CCL/AMPM/359/14-00
Signed by:     wp.pl

Carnival Cruise Line Australia
15 Mount Street North Sydney
NSW 2060, Australia
Tel (2) 8424 88000

JOB ID: AU/CCL/AMPM/359/14-00

What is your idea of a great career? Is it a job that allows you to travel to beautiful destinations on a spectacular floating resort, being part of a multi-cultural team with co-workers from more than 120 different nationalities? Or is it a job that allows you to earn great money while you learn, grow and fulfill your dreams and career ambitions?
It’s Carnival Cruise Line policy not to discriminate against any employee or applicant for employment because of RACE, COLOR, RELIGION, SEX, NATIONAL ORIGIN, AGE, DISABILITY, MARITAL OR VETERAN STATUS.
PLEASE NOTE THESE FOLLOWING: 
Employment Type:               Full-Time/Part-Time
Salary:                                  USD $45,000/ USD $125,000 per annual
Preferred Language of Resume/Application: English
Type of work:            Permanent / Temporary
Status:                        All Vacancies
Job Location:              Australia
Contract Period:          6 Months, 1 Year, 2 Years and 3 Years
Visa Type:                  Three Years working permit


The management will secure a visa/working permit for any qualified applicant. VISA FEE, ACCOMMODATION & FLIGHT TICKET will be paid by the company
We have more than 320 different positions available, interested applicants should forward their RESUME/CV or application letter to Mrs Vivian Oshea via email on (carnivalcareer@globomail.comso we can forward the list of positions available and our employment application form
Note: Applicants from AMERICA, EUROPE, ASIAN, CARIBBEAN and AFRICA can apply for these vacancies.

Regards
Management
Carnival Cruise Line Australia

Despite the appearance of Carnival's actual web sites in the email, the reply address is NOT a genuine Carnival address and is instead a free email account. The email actually originates from 212.77.101.7 in Poland.

The basic idea behind this scam is to offer a job and then charge the applicant for some sort of processing fees or police check or come up with some other reason why the applicant needs to pay money. Once the money has been taken (and perhaps even the victim's passport or other personal documents stolen) then the job offer will evaporate.

More information on this type of scam can be found here and here.

Monday 6 January 2014

Tracking the fake profiles used by scammers

My interest was grabbed by this weirdly mistranslated email, which appears to have been badly written in English and then put through a translator program that has stumbled over the original email's bad punctuation.

From:     mark dave [markdave440@gmail.com]
Reply-To:     markpetersloanfirm@gmail.com
Date:     6 January 2014 00:37

أنا السيد مارك بيترز مشروعة والمقرض القرض السمعة. نحن
شركة ديناميكية بقروض من assistance.We المالية إلى الأفراد
في حاجة إلى المساعدة المالية، التي لديها سوء الائتمان أو في حاجة الى المال
لتسديد الفواتير، للاستثمار في بأعمال تجارية ترغب في استخدام هذه الوسيلة لأبلغكم
أننا تقديم المساعدة موثوقة والمستفيد كما نكون سعداء لتقديم لكم
وloan.contact بنا عبر عنوان البريد الإلكتروني: markpetersloanfirm@gmail.com
وتشمل الخدمات المقدمة؛ إعادة تمويل، تحسين المنزل، قرض الاستثمار، السيارات
القروض، وتوطيد الدين، خط الائتمان، والرهن العقاري الثانية، والأعمال التجارية
القروض، والقروض الشخصية، قروض السيارات، قروض السيارات.

يرجى الكتابة الى الوراء اذا كانت مهتمة.

الاسم الكامل:
البلد والدولة:
المدينة:
الجنسية:
مبلغ القرض المطلوب:
الجنس:
الإيجار الشهري:
الاتصال الهاتف:
الرمز البريدي:
مدة القرض:
هل تتكلم اللغة الإنجليزية:
This translates roughly as:

I Mr. Mark Peters legitimate and reputable loan lender. We
Dynamic company with loans from financial assistance.We to individuals
In need of financial assistance, that have a bad credit or in need of money
To pay bills, to invest in the business want to use this medium to inform you
We provide reliable and beneficiary assistance as be glad to offer you
And loan.contact us via e-mail address: Markpetersloanfirm@gmail.com
The services provided include; refinance, home improvement, investment loan, car
Loans, debt consolidation, credit line, and a second mortgage, and business
Loans, personal loans, car loans, car loans.

Please write back if interested.

Full name:
Country and State:
City:
Nationality:
The loan amount required:
Gender:
Monthly rent:
Contact Phone:
Zip Code:
Loan term:
Do you speak English:

We are waiting for your responds. 
Obviously this is a scam, but it turns out that "Mark Dave" has a Google+ profile with the following photo:


So who is this a photo of? Well, if you haven't checked out Google Images you might not know just how good the reverse image search is. Clicking the camera icon allows you to upload an image or reverse search an image by URL:



The results for that photo are pretty revealing and lean heavily towards scams:

This thread on RomanceScam.com explains what is going on very well. The pictures belong to an innocent person called Stuart James who has had their online photo collection plundered by scammers in what adds up to a particularly cruel type of identity theft. It is perhaps an object lesson in not sharing too much online, and it seems to be a particular risk for anyone good looking and/or in the military.

ScamDigger also has a gallery of images commonly used by scammers, which makes interesting (but depressing) viewing, with the caveat that the people pictured are all innocent parties.

A reverse image search is certainly useful sometimes at uncovering fake profiles, and it's something that anyone with basic computer skills should be able to do. Note that you can also use TinEye to do a similar search with a slightly different set of results, and I guess there are other reverse image search engines available, but between Google and TinEye you should be able to uncover fake profiles with ease.

Tuesday 17 December 2013

Video: Parcel Reshipping Scams, Parcel Mules and Fake Job Offers

A brief presentation on how parcel reshipping scams work, and the role of parcel mules and fake job offers.

Monday 16 December 2013

Video: Chinese domain scams


yiyu-ipr.org domain scam

Yet another Chinese domain scam, this time trying to punt the "Tiger Direct" trademark (which I don't own!).

From:     lisa [lisa@yiyu-ipr.org]
Date:     16 December 2013 04:04
Subject:     International Trademark " tigerdirect"

(Please forward this to your CEO or President, because this is urgent. Thank you.)

Dear President & CEO,

We are an IPR registration service law office in China. On Dec.13, 2013, we received an application from "TD Investment Co., Ltd." wants to register the following Trademark and Domains:

Trademark:
tigerdirect

Domains:
 tigerdirect.com.hk
 tigerdirect.com.tw
 tigerdirect.hk
 tigerdirect.net.cn
 tigerdirect.org.cn
 tigerdirect.tw

Based on the registration procedure, we found that the name is the same as your company's name,and we must check these for you. If your company and this "TD Investment Co., Ltd." are the same company,there is no need to reply to us,We will accept their application and will register those for them soon. If your company has no relationships with that company nor authorized,please reply to us asap at latest within 7 workdays. But if we can't get any information from your side over 7 workdays,we will unconditionally approve the application submitted by "TD Investment Co., Ltd." Thanks for your cooperation.


Kind Regards,

Lisa Zeng

***************************************************
Lisa Zeng / Attorney
YIYU Chengdu Office(Head Office)
3/F,1st Building Citang Street No.8,
Qingyang District, ChengDu, China.
Tel: +86 28 8777 5008
Fax: +86 28 6246 5008
Web: http://www.yiyu-ipr.org
This e-mail contains information (including any attachments) intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient or the authorized employee or agent responsible for delivering it to the intended recipient, any dissemination, publication or copying of this e-mail is strictly prohibited and may be illegal. If you have received this communication in error, please notify the sender. Thank you for your cooperation.
Please consider the environment before you print this e-mail.
This scam has been running for a long time. In reality registrars are in no way responsible for checking trademarks before registration, and my experience is that even after these dire warnings nobody actually registers the domains in any case.

I don't know if the WHOIS details for this domain are genuine, but here they are:
Registrant ID:f0dda025f296d026
Registrant Name:David Tang
Registrant Organization:YIYU LAW OFFICE
Registrant Street1:chengdushi
Registrant Street2:
Registrant Street3:
Registrant City:chengdushi
Registrant State/Province:sichuan
Registrant Postal Code:100000
Registrant Country:CN
Registrant Phone:+86.2887775008
Registrant Phone Ext.:
Registrant FAX:+86.2862465008
Registrant FAX Ext.:
Registrant Email:296304138@qq.com


These other domains are all associated with the same outfit and you can probably assume that any similar pitch from them is a scam.


Wednesday 21 August 2013

Laughable advance fee fraud scam promises $2.5

Two-and-a-half bucks? I think I'll pass.
From:     Mr Anthony Freed [johnewele12@cantv.net]
Reply-to:     dhlcorriadeliveryservice@live.com
Date:     20 August 2013 21:13
Subject:     Attention please!!!

Attention please!!!

We have registered your ATM CARD of (US $2.5) with DHL Express Courier Company with registration code of ( 9665776) please Contact with your delivery
information:
DHL OFFICE:
Name Dr:Mark Jonson.
E-mail: dhlcorriadeliveryservice@live.com //officedhldelivery service
Tel:+229 98270349.

We have paid for the Insurance & Delivery fee.The only fee you have to pay is their Security fee only.Please indicate the registration Number of ( 22-82797457 )and ask Him how much is their Security fee so that you can pay it.
Best Regards.
Rev.Anthony Fred
I don't think I've seen an Advance Fee Fraud spam so full of fail for a long time..

Monday 22 July 2013

ygregistryltd.net / "Huasheng Ltd" domain scam

This is the same scam as this, this and this. Avoid.

From:     Jim Wang [jim.wang@ygregistryltd.net]
Date:     22 July 2013 15:29
Subject:     Regarding Asia/Cn/Hk domain name & Internet Keyword

Dear Manager,

(If you are not the person who is in charge of this, please forward this to your CEO,Thanks)

This email is from China domain name registration center, which mainly deal with the domain name registration in China and Asia. We received an application from Huasheng Ltd on July 22, 2013. They want to register " [redacted] " as their internet keyword and China/Asia/Hongkong (CN/ASIA/HK) domain names. But after checking it, we find this name conflicts with your company. In order to deal with this matter better, so we send you email and confirm whether this company is your distributor or business partner in China or not?

Best Regards,

Jim
General Manager
Shanghai Office (Head Office)
3002, Nanhai Building, No. 854 Nandan Road,
Xuhui District, Shanghai 200070, China
Tel: +86 216191 8696
Mobile: +86 1870199 4951
Fax: +86 216191 8697
Web: www.ygregistryltd.net

Note, all these domains are on the same server and can be considered scammy:
ygregistryltd.com
yg-registry.cn
ygregistry.cn
ygregistryltd.net

Friday 19 July 2013

whoswhonetworkonline.com spam

This turd of an email was sent to an info@ email address on a domain I own. It appears to be a classic Who's Who scam.

From:     Who's Who [cpm2@contactwhoswho.us]
Reply-To:     databaseemailergroup@gmail.com
Date:     19 July 2013 05:44
Subject:     You were recently nominated into Who's Who Amoung Executives

Who's Who Network Online

Hello,

As you are probably aware, in the last few weeks, we at the Who's Who Among Executives and Proefssionals have reached out to several hundred individuals for placement in our upcoming 2013 edition of our directory.  You were contacted, but we did not receive any of your biographical information.  We would like to give you another opportunity to do so.

The publication's editors are now assembling the biographical profiles of today's leaders from the business world into one comprehensive source. Thousands of researchers at medical, academic, public and corporate libraries, as well as journalists and media professionals, rely upon the academic registry as a daily reference tool for obtaining information about the world's most experienced men and women at the C-Level in the private and public sectors. Inclusion in the publication is considered by many as a signal mark of achievement.

To be included in this prestigious publication, you need only provide the requested information by completing our online biographical data form. Please Click Here to fill out your form.

The information you provide will be evaluated according to the selection standards that the NAPN have developed over many years as the world's premier biographical compiler. If your data passes our initial screening, we will prepare your biography and send you a pre-publication proof for your verification and approval.

I congratulate you on the achievements that have brought your name to the attention of our editorial committee. We look forward to hearing from you.

Please remember: Inclusion of your biography in the Who's Who Registry carries neither cost nor commitment to you of any sort. Our continuing mission with each new edition is to prepare a biographies spanning the spectrum of noteworthy and accomplished men and women across all areas of the professional world.

                                             FILL OUT FORM HERE

Who's Who Network Online
2280 Grand Avenue, Baldwin, NY 11510

------------------------------------------

This email is intended only for the recipient(s) and is private.
If you receive our invitation in error please reply with unsubscribe in the subject line

Clicking on the link takes you to whoswhonetworkonline.com hosted on 66.11.129.87 (Stafford Associates Computer Specialists Inc., New York). The WHOIS details are hidden.

There's no clue anywhere on the site or in the email about who is behind the spam. There is no corporation in New York with the exact name "Who's Who Network Online" although there are several similar sounding entities.

However, there are some clues in the headers of the email that link it through to another recent and similarly-themed spam.

Received: from cpm2@contactwhoswho.us by [redacted] by uid 1002 with qmail-scanner-1.22
 ( Clear:RC:0(192.217.104.157):.
 Processed in 0.464627 secs); 19 Jul 2013 04:45:09 -0000
Received: from unknown (HELO whowho4.servername.com) (192.217.104.157)
  by [redacted] with SMTP; 19 Jul 2013 04:45:08 -0000
Received: from c-174-58-75-1.hsd1.fl.comcast.net ([174.58.75.1]:58694 helo=susie-HP.hsd1.fl.comcast.net.)
    by whowho4.servername.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256)
    (Exim 4.80.1)
    (envelope-from )
    id 1V02Z1-0000pJ-QW
    for [redacted]; Fri, 19 Jul 2013 08:45:08 +0400
Content-Type: multipart/alternative; boundary="===============0491393293=="


The email originates from a Comcast IP address of 174.58.75.1 in West Florida, and then routes through a server at 192.217.104.157 (NTT America) which has the hostname contactwhoswho.us which is consistent with the cpm2@contactwhoswho.us sender's address. So, who is contactwhoswho.us?

Registrant Name:                Darin Delia
Registrant Address1:            1321 Henry Ave
Registrant City:                Spring Hill
Registrant State/Province:      Florida
Registrant Postal Code:         34608
Registrant Country:             United States
Registrant Country Code:        US
Registrant Phone Number:        +1.5615964330
Registrant Email:               darindelia@gmail.com
Registrant Application Purpose: P1
Registrant Nexus Category:      C11


Darin Delia's address is also West Florida (although some way from the theoretical location of the IP address). Darin Delia appears to be the same person who was sending out Spotlite Radio spam. Is Mr Delia merely a contractor sending out an email blast, or is he responsible for this so-called "Who's Who" outfit? I have no evidence one way or the other, but it seems he does have some sort of association with whoever is running these things..
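
The walk through the Received chain above can be scripted. This is an added example, not code from the original post: it parses the quoted header block from the bottom up, skips the qmail-scanner stamp, and returns the SMTP hops in the order the message travelled. The two regular expressions cover only the qmail and Exim line shapes seen in this message, which is an assumption.

```python
import email
import ipaddress
import re

# Header block as quoted in the post ("[redacted]" is the post's own redaction).
RAW_HEADERS = """\
Received: from cpm2@contactwhoswho.us by [redacted] by uid 1002 with qmail-scanner-1.22
 ( Clear:RC:0(192.217.104.157):.
 Processed in 0.464627 secs); 19 Jul 2013 04:45:09 -0000
Received: from unknown (HELO whowho4.servername.com) (192.217.104.157)
  by [redacted] with SMTP; 19 Jul 2013 04:45:08 -0000
Received: from c-174-58-75-1.hsd1.fl.comcast.net ([174.58.75.1]:58694 helo=susie-HP.hsd1.fl.comcast.net.)
    by whowho4.servername.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256)
    (Exim 4.80.1)
    (envelope-from )
    id 1V02Z1-0000pJ-QW
    for [redacted]; Fri, 19 Jul 2013 08:45:08 +0400
Content-Type: multipart/alternative; boundary="===============0491393293=="
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# qmail: from <rdns> (HELO <name>) (<ip>)
QMAIL = re.compile(rf"^from (?P<rdns>\S+) \(HELO (?P<helo>[^)\s]+)\) \((?P<ip>{IPV4})\)")
# Exim:  from <rdns> ([<ip>]:<port> helo=<name>)
EXIM = re.compile(
    rf"^from (?P<rdns>\S+) \(\[(?P<ip>{IPV4})\](?::\d+)?(?: helo=(?P<helo>[^)\s]+))?\)"
)
BY = re.compile(r"\bby (?P<by>\S+)")


def parse_hops(raw_headers):
    """Return the SMTP hops, earliest first, as dicts with ip/rdns/helo/by."""
    msg = email.message_from_string(raw_headers)
    hops = []
    # Every MTA prepends its own line, so the last Received header is the oldest.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # undo header folding
        m = QMAIL.match(flat) or EXIM.match(flat)
        if not m:
            continue  # e.g. the qmail-scanner stamp, which records no SMTP peer
        by = BY.search(flat, m.end())
        hops.append({
            "ip": m.group("ip"),
            "rdns": m.group("rdns"),
            "helo": (m.group("helo") or "").rstrip("."),
            "by": by.group("by") if by else None,
        })
    return hops


def chain_is_contiguous(hops):
    """True when each hop's receiving server is the name the next hop presents."""
    return all(a["by"] in (b["helo"], b["rdns"]) for a, b in zip(hops, hops[1:]))


def first_public_ip(hops):
    """Earliest hop with a globally routable address (None if there is none)."""
    for hop in hops:
        if ipaddress.ip_address(hop["ip"]).is_global:
            return hop["ip"]
    return None


if __name__ == "__main__":
    hops = parse_hops(RAW_HEADERS)
    for n, hop in enumerate(hops, 1):
        print(n, hop["ip"], "helo=" + hop["helo"], "rdns=" + hop["rdns"], "by=" + str(hop["by"]))
    print("contiguous:", chain_is_contiguous(hops))
    print("earliest public IP:", first_public_ip(hops))
```

Only the hop written by the recipient's own server (192.217.104.157 here) is recorded by a trusted party; the earlier hop was written by the sender's relay, so the 174.58.75.1 address is only as reliable as that relay.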

Tuesday 21 May 2013

prospectdirect.org (Emailmovers Ltd) spam

Everything that this spammer says is a lie:

From:     Emily Norton [emily.norton@prospectdirect.org]
To:     [redacted]
Date:     21 May 2013 16:33
Subject:     Cater to your email marketing needs
Signed by:     prospectdirect.org

Hello,

I hope you don’t mind but I just wanted to contact you to discuss your email marketing strategy. If you don’t currently have one that is working for you then our client can help.

The company I am contacting you on behalf of have the dedicated knowledge and services to cater to your email marketing needs.

If you would like a quote please complete this form: http://prospectdirect.org/email-marketing-strategy

Leave your details at the link above or reply with any requirements.

Kind Regards,

Emily Norton

75 Glandovey Terrace, Newquay, Cornwall TR8 4QD

Tel: 0843 289 4698

This email (including any attachments) is intended only for the recipient(s) named above. It may contain confidential or privileged information and should not be read, copied or otherwise used by any other person. If you are not the named recipient please contact the sender and delete the email from your system. If you would no longer like to receive emails from us please unsubscribe here http://www.prospectdirect.org/landing/page.php?jq=[snip]
Firstly, the email was sent to a scraped address from the website of the Slimeware Corporation and isn't any sort of opted-in address at all. The address of "75 Glandovey Terrace, Newquay, Cornwall TR8 4QD" simply does not exist, and the telephone number of 0843 289 4698 appears to belong to a completely unrelated company. I very much doubt there is anybody called "Emily Norton" involved, and there is no company in the UK with the name "Prospect Direct".

The website prospectdirect.org itself carefully hides any contact details, the WHOIS details are anonymous, the domain was created on 2012-07-19 and is hosted on 109.235.51.98 (Netrouting / Xeneurope, Netherlands). There are no contact details on the website and there is no identifying information at all.. it hasn't just been omitted by accident, the whole thing has been left meticulously clean by a professional spamming outfit.


I would recommend giving these spammers a wide berth given their catalogue of lies.

Update: filling in the request form gets a response from Emailmovers Ltd (emailmovers.com / emvrs.co). More on them soon...

Thursday 11 April 2013

"Spotlite Radio" / spotliteradio2013.com spam

This spam email is promoting an apparent Who's Who scam hosted on a site called spotliteradio2013.com which purports to be an organisation called "Spotlite Radio". The email is sent to a role account, not a real human being.. marking it out clearly as spam.

From:     Patricia Wu [darin@contacteagle.info]
Reply-To:     databaseemailergroup@gmail.com
Date:     11 April 2013 03:42
Subject:     SUPERCHARGE YOUR ONLINE LIFE WITH SPOTLITE RADIO!

Hello,

You were recently chosen as a potential candidate interviewee to represent your professional social media community in the 2013-2014 Spotlite Radio.

We are pleased to inform you that your candidacy was formally approved on April 10th, 2013. Congratulations.

The Social Broadcasting Committee selects potential candidates based not only upon their current standing, but focusing as well on criteria from executive and professional directories, associations, and trade journals. Given your background, the Director believes your profile makes a fitting addition to be featured.

There is no fee or obligation to be included. We must receive verification from you that your profile is accurate. After receiving verification, we will validate your candidate listing within seven business days.

Once finalized, your broadcast radio interview will share prominent media space with thousands of fellow accomplished individuals across the globe like yourself, each representing accomplishments within their own specialized area.

To verify your profile and accept the candidacy, please visit here

Our registration deadline for this year's candidates is April 30th. To ensure you are included, we must receive your verification on or before this date. On behalf of our Committee, I salute your achievements this year and look forward to welcoming you to our broadcast social network.

Click here to verify your profile.

Warm Regards,

Patricia Wu
Chief of Broadcasting

Spotlite Radio

-----------------------------------------

This email is intended only for the recipient(s) and is private.
If you receive our invitation in error please reply with unsubscribe in the subject line

It isn't clear if the "Spotlite Radio" hosted at spotliteradio.com (currently down) and spotliteradio2013.com are actually related. spotliteradio.com was only registered a few months ago in September 2012 and according to New York State is owned by:

Selected Entity Name: SPOTLITE RADIO LLC
Selected Entity Status Information
Current Entity Name: SPOTLITE RADIO LLC
DOS ID #: 4306578
Initial DOS Filing Date: OCTOBER 11, 2012
County: NEW YORK
Jurisdiction: NEW YORK
Entity Type: DOMESTIC LIMITED LIABILITY COMPANY
Current Entity Status: ACTIVE

Selected Entity Address Information
DOS Process (Address to which DOS will mail process if accepted on behalf of the entity)
SPOTLITE RADIO LLC
14 WALL STREET 20TH FL
NEW YORK, NEW YORK, 10005
Registered Agent
NONE

So this "Spotlite Radio" is properly registered in the state of New York, and it appears to be a sort of social radio site where people can make and broadcast their own shows.  There's nothing obvious on the spotliteradio.com website that makes it look suspicious, although judging by the dormant Twitter account the whole thing ground to a halt in February.

So what can we tell about the spam? Well, spotliteradio2013.com contains Google Analytics code for UA-3676294-22 which belongs to a New York web design company called Webnbeyond (webandbeyond.com / webnbeyond.com) but they may simply be the web designers. All these domains are on the same server of 66.11.129.87.

The email originates from the IP address 70.126.247.237 which appears to be in Tampa, Florida via 192.217.124.43 which is also contacteagle.info (mentioned in the spam email above), registered to:
Registrant ID:CR121682219
Registrant Name:Darin Delia
Registrant Organization:
Registrant Street1:1321 Henry Ave
Registrant Street2:
Registrant Street3:
Registrant City:Spring Hill
Registrant State/Province:Florida
Registrant Postal Code:34608
Registrant Country:US
Registrant Phone:+1.5615964330
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:


Spring Hill is about 40 miles north of Tampa, so there's a good chance that the originating IP and domain belong to one and the same person.

Darin Delia runs a Florida-based company called Contact Page Media, Inc and this is described on his LinkedIn page thusly:
We use Google Search Technology to reach Contact Pages on your Business Targeted Market. We reach thousand of websites per hour using our software, and we have the capabilitity to reach the unique target you just cannot find with email
What this means is that they scrape the email addresses off the web and spam the hell out of them. You'll note that the spam email lacks a contact address (for example) which breaks the CAN-SPAM Act. Note also the email address of Patricia Wu [darin@contacteagle.info] which is either somewhat deceptive, or perhaps Mr Delia likes to be Ms Wu at the weekends. But then probably Mr Delia is only sending promotional emails rather than running the scam.

The privacy policy page on spotliteradio2013.com leads to another site called mywhoswhonetwork.com registered to an address in Texas:

   Whos Who Network
   John Williams (webmaster@mywhoswhonetwork.com)
   +1.8084524561
   Fax:
   2172 Willshire
   College Station, TX 77845
   US

This same company also owns the following domains:
  • americanleadersmagazine.com
  • globalregistryonline.com
  • mywhoswhonetwork.com
  • professionalnetwork2012.com
  • professionalnetwork2013.com
  • pronetwork2012.com
  • taxadvice2day.com
But a hyperlink from one domain to another does not prove ownership, and the privacy policy could simply have been ripped off a competitor's site. So no smoking gun there. In fact, there's no actual evidence of who is responsible for this spam, and probably all we have are some innocent bit part actors.

I can't vouch for the trustworthiness of the actual Spotlite Radio (spotliteradio.com) site one way or another. On the surface it appeared to be a public-access web radio service, and there's nothing wrong with that. As I said, this spam may not even be from them. But it clearly is a spam because the domain role account is not an actual person and the claims made in the spam email are clearly rubbish.

So what does happen if you sign up for this? Well, according to this report they charge you $850 for a worthless plaque and an entry in a pseudo-who's-who guide:
It was a pleasure speaking with you this morning. Confirming your show date is on January 9th at 3pm EDT. Attached is the invoice for your purchase of the Spotlite Radio Show,Distinguished professional of the year plaque and a half page biography in our 2013 book. If you could sign and send back to us, but make sure you keep a copy for your records as well. This is just confirming that you made a partial payment and were going forward with the program. Once we have your pre interview done for your upcoming show I will be sending you the links to the website. Hope you have a great week and I look forward to speaking with you soon. Call in number is XXXXX -Amanda Lynn 
In other words.. here's some crap. If you record your show then we'll send you the URL for spotliteradio.com and you can upload it yourself. Best avoided in my opinion.





Thursday 21 March 2013

Facebook spam / scriptuserreported.org

This Facebook spam has undergone some sort of failure during construction, revealing some of the secrets of how these messages are constructed. It leads to malware on scriptuserreported.org:

Date:      Thu, 21 Mar 2013 10:56:28 -0500
From:      Facebook [update+oi=MKW63Z@facebookmail.com]
Subject:      John Jenkins commented photo of you.

facebook
   
John Jenkins commented on {l5}.
reply to this email to comment on this photo.
see comment
this message was sent to {mailto_username}@{mailto_domain}. if you don't want to receive these emails from facebook in the future, please unsubscribe.

facebook, inc., attention: department 415, po box 1000{digit}, palo alto, ca 9{digit}3{digit}
The malicious payload is at [donotclick]scriptuserreported.org/close/keys-importance-mention.php hosted on 5.39.37.31 and there are no surprises that this is OVH in France.. but wait a minute because this is in a little suballocated block thusly:

inetnum:        5.39.37.24 - 5.39.37.31
netname:        n2p3DoHost
descr:          DoHost n2 p3
country:        FR
admin-c:        OTC2-RIPE
tech-c:         OTC2-RIPE
status:         ASSIGNED PA
mnt-by:         OVH-MNT
source:         RIPE # Filtered


Let's start with the server at 5.39.37.31 which is distributing the Blackhole Exploit Kit (report here). This server also hosts the following potentially malicious domains:
pesteringpricelinecom.net
resolveconsolidate.net
scriptuserreported.org
provingmoa.com

Go back a few IPs to 5.39.37.28 and there are a couple of work-at-home scam sites:
workhomeheres01.com
workhomeheres02.com

There's also a work-at-home scam on 5.39.37.24:
makeworkhome12.pl

5.39.37.26 appears to be hosting a control panel for the Neutrino Exploit kit:
myadminspanels.info
supermyadminspanels.info

So you can pretty much assume that 5.39.37.24/29 is a sewer and you should block the lot. Who is n2p3DoHost? Well, I don't know.. but there's one more clue at 5.39.37.29 which is the domain rl-host.net. The WHOIS details for rl-host.net are anonymised, but on the day of registration were:

    Queste Julien
    Email:julien@queste.fr
    50 rue Arthur lamendin
    62330 isbergues
    France
    Tel: +33.649836105

Does M. Queste own this /29? If he does, then it looks like he has some very bad customers..

Minimum blocklist:
5.39.37.31
pesteringpricelinecom.net
resolveconsolidate.net
scriptuserreported.org
provingmoa.com

Recommended blocklist:
5.39.37.24/29
makeworkhome12.pl
myadminspanels.info
supermyadminspanels.info
workhomeheres01.com
workhomeheres02.com
rl-host.net
pesteringpricelinecom.net
resolveconsolidate.net
scriptuserreported.org
provingmoa.com
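
An added example, not code from the original post: a matcher built from the recommended blocklist above that checks proxy-log entries against the /29 and the listed domains on whole-label boundaries, and confirms that the RIPE inetnum range collapses to exactly 5.39.37.24/29. The log entries and the function names are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators copied from the post's "Recommended blocklist".
BLOCKED_NET = ipaddress.ip_network("5.39.37.24/29")
BLOCKED_DOMAINS = frozenset({
    "makeworkhome12.pl", "myadminspanels.info", "supermyadminspanels.info",
    "workhomeheres01.com", "workhomeheres02.com", "rl-host.net",
    "pesteringpricelinecom.net", "resolveconsolidate.net",
    "scriptuserreported.org", "provingmoa.com",
})

# Constructed proxy-log sample: (requested URL, IP the proxy resolved it to).
SAMPLE_LOG = [
    ("http://scriptuserreported.org/", "5.39.37.31"),
    ("http://WWW.RL-Host.net./", "5.39.37.29"),          # case, trailing dot
    ("http://unlisted.example/landing", "5.39.37.26"),   # new name, same /29
    ("http://5.39.37.28:8080/", None),                   # IP-literal URL
    ("http://evil-rl-host.net/", "192.0.2.10"),          # lookalike, no match
    ("http://intranet.example/", "5.39.37.32"),          # one past the /29
]

def inetnum_to_cidrs(first, last):
    """Collapse a RIPE 'inetnum' first-last range into CIDR blocks."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]

def host_of(url_or_host):
    """Return the lower-cased host of a URL or bare name ('' if unparsable)."""
    text = url_or_host.strip()
    if "://" not in text:
        text = "//" + text              # make urlsplit treat it as a netloc
    try:
        return (urlsplit(text).hostname or "").rstrip(".")
    except ValueError:
        return ""

def is_blocked(url_or_host, resolved_ip=None):
    """Return 'domain:<name>' or 'ip:<addr>' for a blocklist hit, else None."""
    host = host_of(url_or_host)
    # Whole-label suffix match: the listed domain or any subdomain of it.
    labels = host.split(".")
    for i in range(len(labels) - 1):
        suffix = ".".join(labels[i:])
        if suffix in BLOCKED_DOMAINS:
            return "domain:" + suffix
    # Then the network: an IP-literal host, or the address the name resolved to.
    for candidate in (host, resolved_ip):
        try:
            if candidate and ipaddress.ip_address(candidate) in BLOCKED_NET:
                return "ip:" + candidate
        except ValueError:
            continue                    # not an IP address
    return None

def scan(log):
    """Return one verdict per (url, resolved_ip) log entry."""
    return [is_blocked(url, ip) for url, ip in log]
```

Matching on the network as well as the names is what catches a hostname that is not on the list but resolves into the same /29.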


Tuesday 8 January 2013

PPI scam: 0843 410 0078

Short version: 
If you're Googling this number to see who is ringing you, then the short answer is that it is a bunch of scammers trying to get you to make a PPI refund claim. If you end up speaking to a human, then you can either ask them to "remove and suppress" your number, alternatively you can just tell them to fuck off (as there's no real reason to be polite with them).

Long version:
Despite a massive fine handed out to some SMS spammers for pushing PPI and ambulance chasing spam, there are still others about.

One particularly common one is to be called with a recorded message about a PPI refund, and then being given the opportunity to press "5" to connect to an operator.

So, I got one of these today from 0843 410 0078, a number allocated to Jtec UK Ltd (although they are probably just the telecoms provider). It seems that this number block is stuffed full of telepests.

Now, this isn't just spam.. it's a scam. Firstly, I'm not eligible for any PPI refunds, but the scammers are encouraging you to make a fraudulent claim regardless. They're just interested in selling your lead on to the next level in this very seedy world of PPI refund claims.

My conversation with the lady scammer went something like this:

Me: So I'm due a PPI refund am I?

Scammer: Yes, our records indicate that you may be eligible for a refund.

Me: Oh yes? You have records?

Scammer: Yes.

Me: So then, please tell me what my name is.

Scammer: We don't have that information for data protection reasons. [Yeah, but you have my financial records and telephone number, so really you are lying, aren't you?]

At which point I got bored and suggested that the woman fucked off and never called me again, at which point she hung up. I really do recommend being rude to these people incidentally. If you can ruin their afternoon and make them feel shitty about themselves then it's a small victory, they are willing participants in the scam after all.

The problem is that the people working at lead generation at this level will NEVER reveal who they are, and by the time the PPI claim has gotten to someone higher up in the food chain then the lead has been laundered through several middlemen.

Registering with the TPS isn't always as effective as you might think. Mobile numbers seem to expire after a year and need renewing (don't forget, the TPS is run by marketers). If you are TPS registered and still get bombarded with PPI scam calls, then you can try filing an ICO complaint. Or you could try doing it this way. But please remember, if you can make the telepests upset for the whole afternoon then it might make them reconsider their bad career choices..

If you find out who these pests are, or come across any other numbers, please consider sharing them in the Comments. Thanks!

These other numbers appear to be related:
0843 410 2215
0843 410 2576
0843 410 4770
0843 410 0269 (claimed to be from a nonexistent company called "PPI Assistance")

This is the same scam, but may be a different outfit:
01277 509018

Sunday 3 June 2012

"Your Job Application is Pending" / rockingcreditoffer.com scam

We've seen a variant of this "Rock Force Management" scam a couple of times before (here and here).

Date:      Sun, 3 Jun 2012 21:04:25 +0200
From:      "Gracie Vega" [bog@cerex.com]
Subject:      Your Job Application is Pending

Hello Advantage


Thank you for submitting your information for potential employment opportunities.
We look forward to reviewing your application,
but can not do so until you complete our internal application.

Prior to begin able to be considered, you will first need you to formally apply.
Please go here to begin the process:

http://5url.net/e7D

Also, the following perks are potentially available:

- Paid Time Off
- Health Benefits Package
- Higher than average salaries
- Tuition Reimbursement
- Extensive 401(k)program

Please take the time to follow the directions and complete the entire application process.

---------- 

Then we get bounced through a series of redirectors:
5url.net/e7D  ->
xkteen.com.br/conlact.php?c=rockingcreditoffer&t=com?dejaryfi ->
rockingcreditoffer.com?dejaryfi




One characteristic of these scam pages is the number "(240) 718-4632" which is displayed on each one.

After filling in some basic details, the scam starts to become clear.

All job applicants on this site are now required to check their credit score online and submit them here in order to proceed.


The purpose of this verification is to prevent fraud and authenticate the profile of all our applicants. Please take note this is a verification process only and the result of your credit score will not in any way affect your job application. We just need to know that you are a real person.
There's a button labelled "Please click here to obtain your credit score (Authorized Credit Retrieval Agent)" which in this case leads to a 404 page, but we have seen it before going to a get-rich-quick scam page instead.



The problem is that by the time the scam becomes apparent, you have already furnished the scammers with your personally identifiable information which they will sell on to other scammers and spammers.

In this case the originating IP was 222.253.76.159 in Vietnam, the rockingcreditoffer.com scam site was hosted on 91.217.162.100 (Voejkova Nadezhda, a Russian firm hosting across the border in Ukraine). Give this one a wide berth..

Thursday 24 May 2012

24by7technohelp.com / 24by7onlinesolution.com scam

Technical support scammers call the wrong person in this video..


The website involved is 24by7technohelp.com (there is another site on the same server called 24by7onlinesolution.com doing the same thing). These sites are hosted on 208.91.199.77 (Confluence Networks, British Virgin Islands). I've had the Confluence Networks range of 208.91.196.0/22 blocked for some time with no ill effects..

More on this story here.

[Via]

Friday 11 May 2012

Scamworld: 'Get rich quick' schemes mutate into an online monster

Here's a long and very detailed article from The Verge on how the current crop of get-rich-quick schemes on the Internet work. If it's a case of tl;dr then you can get a flavour of it from this video:


Monday 5 December 2011

Scam: RockSmith Management / rocksmithmanagement.com

This scam has been around for a while, it's part of a nasty cluster of scam sites that have an Australian connection.

The spam comes from a fake address, delivered from an illegally compromised PC. In this example, the spam appears to come from mulattorcxf826@uncw.edu (which is fake) through a well-known spam server in China, 221.212.109.135. Of course, faking the sender address breaks the CAN SPAM act in the US (where the sender pretends to be), as does the lack of real contact details.

Date:      Sat, 3 Dec 2011 11:15:17 +0800
From:      "Ralph Nguyen" [mulattorcxf826@uncw.edu]
Subject:      Please Complete Your Job Application

Dear Applicant

Thank you for expressing your interest in open employment openings in your area.
We are happy to inform you that our placement specialists will be reviewing
available positions for you within the next hour.

Based on your profile, you may qualify for opportunities currently available with a monthly salary in the
$4000 to $8700 range.

To maximize your earnings potential, please complete our full application form first:

http://go.likejav.com/9bcf1f

In addition to a highly competitive base pay, applicants that qualify will also enjoy additional benefits such as:
* 2 wks. paid vacation time (per annum);
* Tuition allowance;
* 401(k)
* full benefits package
* generous retirement plan

To retain your priority placement, please complete your application at your earliest convenience.

We look forward to finding the right job for you.

Rockforce Management
Bringing the best candidates and the right jobs together.


The link forwards to rocksmithmanagement.com (but it could be any one of a variety of similarly named scam sites), as listed here


Of note is the phone number on the first screen - (240) 718-4632 is listed in a number of similar scam sites. I don't know if it is valid or not, it might even belong to a legitimate company. There is no point in ringing it in any case as the scam unfolds..






The next page is more worrying as it harvests personal details such as your name, phone number and email address. Yes, that would be acceptable for a job site.. but these details are not used at all by this process, so presumably they will be used for spamming purposes.




Once you have signed away your personal details, you get to the "final step" which offers you the chance to check your credit report or view the jobs on offer. On the bottom of the page is a "Privacy Policy" and "Terms of Service" link.. except they aren't links at all, just underlined text. In fact, there is no privacy policy or identifying text anywhere on the site.


If you click on the prominent "Clicking Here" link, you get redirected through referer.us/moxiinternal.go2cloud.org/aff_c?offer_id=2&aff_id=1002&aff_sub=020 to a site called sixfigurekit.com run by an outfit called the "Six Figure Program". The BBB rates the Six Figure Program as an F in Florida, an F in Illinois but bizarrely a B in New York. On balance it looks pretty poor.




Regardless of whether or not the Six Figure Program is a legitimate business, it certainly isn't a credit check.. and in this case the spam victim has been duped into clicking the link in order to be exposed to this frankly ridiculous scheme.


So what happens if the victim clicks on the other link on the page? They simply get redirected to a page on indeed.com (branded "RockGrade Management" / rockgrademanagement.com) which returns exactly the same results as if the victim had gone directly to indeed.com in the first place.


But wait.. remember the name, phone number and email address you supplied? What happened to them? They're not needed for indeed.com, so it looks likely that the victim has just given themselves up for even more spam.


All the evidence that I have been able to find links this to a site called websitedesignbrisbane.org in Australia. You can complain about Australian companies at ACMA, although it is difficult to identify exactly which company runs that particular site, but it bills itself as "Jetstream Web Site Design + SEO", presumably of Brisbane.

Thursday 6 October 2011

Scam: "Conference on racism/human trafficking and child abuse 2011"

This fake conference is actually likely to be a form of advanced fee fraud:


From: Ms Regina Linus reginafedrick@yahoo.com
Reply-To: regina.linus200@globomail.com
Date: 5 October 2011 19:53
Subject: Conference on racism/human trafficking and child abuse 2011,,,,,,,,,,
   
Dear Colleagues,

You are cordially invited to participate in a Global Combined conference taking
place from (22ND-25th November 2011) in Atlanta-Georgia, United States of
America at the Hilton Atlanta Conference Center, and from (28th-30th
November2011) in Olympic Stadium Hall Dakar Senegal.

Applicant that are interested and want to represent his/her country should
Contact the conference secretariat via Email :{ csecretaryoffice@aol.com }
{giyf.newoffice@globomail.com } for more details and Information.

Endeavor to inform them that you were invited to participate by (Ms. Regina
Linus). Note that the Organizing Committee is responsible for the air
tickets, visas and lodging accommodation in USA only.

Sincerely Yours,
Ms. Regina Linus.
(regina.linus200@globomail.com)
Of course, there will be "problems" with the Senegal leg which will require a fee payment in advance, and the Atlanta part of the conference will never materialise. If you actually are involved in stopping racism, human trafficking and child abuse then consider just what scumbags these scammers are.

Mail is routed via 41.207.177.16 in Togo from an ADSL subscriber in Dakar (Senegal). Two sample originating IPs are 41.82.79.108 and 41.82.64.163.


Avoid.

Thursday 29 September 2011

lastest-skype-updates.com spam

Here's a spam with a twist.
From: Skype.com skype@[spammer's email redacted for legal reasons]
Reply-To: newsletter@skype-systems.com
Date: 29 September 2011 07:23
Subject: New Updates Have Been Released For Skype ! Download Now‏

This is to notify that new updates have been released for Skype.

http://www.lastest-skype-updates.com/

Following are major new features :

* Up to 5-way group video call.
* Redesigned calling experience.
* Improved video snapshots gallery.
* Improved browser plugins performance on some websites.
* Reduced false positives on browser plugin phone number recognition.
* New presence icons.
* Improved handling of calling attempts made when the user has run out of credit.
* Improved access to sharing functionality

To download the latest version , go to :

http://www.lastest-skype-updates.com/

Start downloading the update right now and let us know what you think
about it.

Talk soon,

The people at Skype
The email has been sent to an address harvested from the Epsilon data breach. That's not surprising.. what is surprising is that it has been sent through a UK company that specialises in selling mailing lists and sending bulk commercial email. Perhaps dealing in stolen data is an honest mistake, but perhaps the ICO would like to make that determination.

DNS resolution for this site seems to flip between 87.106.104.178 [1&1, UK] and 122.224.4.108 [Ninbo Lanzhong Network Ltd, China]. Of these, the Chinese address is the most interesting with the following slimeware domains hosted:


If you live in the UK and have the technical expertise to identify the owner of the sending IP address, please consider filing a complaint with the ICO to make sure that they understand the issue.