
Tuesday, 8 September 2015

Evil network: 89.144.2.0/24 / spoofing Echo Romeo LLP (AS199762)

This post at malware.kiwi caught my eye after a sort-of challenge by Techhelplist. Well, the bottom line is that these get-rich-quick schemes are run by serious organised criminals who tend not to leave too many traces behind.

This appears to be a binary options scam that is using illegally hacked sites as redirectors, and I suspect that it is using a botnet to send the spam in the first place, although this is not clear. Eventually, victims are sent via an affiliate link to a site searchingprofit.me, more of which in another post.

It turns out that dailybusinessdirect.com is hosted alongside a cluster of related domains on a set of IPs apparently belonging to a firm called Echo Romeo LLP in the UK. From the research I have done, it appears that Echo Romeo are a legitimate small business doing web design and hosting. However, they are listed as the owner of 89.144.2.0/24, which seems to be almost completely full of spam, scam and malware sites.

UPDATE: there is evidence that Echo Romeo are the victim of a type of corporate identity theft. Scroll to the bottom for more.

Here's an oddity - Echo Romeo have a portfolio on their site of designs they have done for customers. As far as I can tell, none of those customer sites are actually hosted in this IP address range.

The first thing I noticed was a cluster of sites and IPs that appear to be closely related to dailybusinessdirect.com:

89.144.2.85
topinvestmentnews.com
news-finance-today.com

89.144.2.86
profit-method.biz
thesknews.com
huffnewstoday.com
businessnewsclub.com
businessdailygroup.com
investmentnewstoday.com

89.144.2.157
24-finances-news.com
finance-news-cbm.com

89.144.2.158
finances24-news.com
businessinfodaily.com
finance-today-news.com
dailybusinessdirect.com

Some of these domains have anonymous WHOIS details, some have details that look fake. I have not found any way to trace ownership of these domains.. after all, these are not amateurs, these are professional fraudsters who tend not to make silly mistakes.

I checked all the active sites in the 89.144.2.0/24 range against SURBL which came up with these results [csv]. Out of 56 sites identified, 13 are identified by SURBL as being spamming and/or phishing. But what of the rest?

A look at the Google Safe Browsing Diagnostic for AS199762 gave some interesting results:

Safe Browsing

Diagnostic page for AS199762 (ECHOROMEO-AS)

What happened when Google visited sites hosted on this network?
Of the 13 site(s) we tested on this network over the past 90 days, 1 site(s), including, for example, 89.144.2.0/, served content that resulted in malicious software being downloaded and installed without user consent.
The last time Google tested a site on this network was on 2015-09-07, and the last time suspicious content was found was on 2015-08-24.
Has this network hosted sites acting as intermediaries for further malware distribution?
Over the past 90 days, this network has not hosted any sites that appeared to function as intermediaries for the infection of any other sites.
Has this network hosted sites that have distributed malware?
Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 2 site(s), including, for example, t9e.net/, 89.144.2.0/, that infected 7 other site(s), including, for example, kgdbase.com/, kgdbase.eu/, softbase.xyz/.
Drilling down to the Google diagnostic for t9e.net is surprising:

Safe Browsing

Diagnostic page for t9e.net

What is the current listing status for t9e.net?
This site is not currently listed as suspicious.
Part of this site was listed for suspicious activity 150 time(s) over the past 90 days.
What happened when Google visited this site?
Of the 22277 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2015-09-07, and the last time suspicious content was found on this site was on 2015-08-24.Malicious software includes 25596 trojan(s), 61 exploit(s).
This site was hosted on 2 network(s) including AS199762 (ECHOROMEO-AS), AS35042 (ISP4P).
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, t9e.net did not appear to function as an intermediary for the infection of any sites.
Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 3 domain(s), including kgdbase.com/, kgdbase.eu/, softbase.xyz/.
25,596 trojans and 61 exploits? I think that's a site to avoid, and as you might guess t9e.net has anonymous WHOIS details.

Also in this range:
  • The domains travsolut.com and travsolut.org on 89.144.2.143 are associated with suspect-looking job offers and claim to have been founded in 2002 in Australia, yet the domains were only created in 2015 with the .org being registered to an address in Spain.
  • On 89.144.2.148, the domains weksrubaz.ru, linturefa.ru and xablopefgr.ru are all associated with the POSeidon malware. On the same IP, srachechno.com is associated with a later version of the same malware.
  • Meanwhile on 89.144.2.149, dornegromant.com is also associated with POSeidon [pdf].
  • On 89.144.2.150 another POSeidon domain lurks, repherfeted.com.
  • And on 89.144.2.151 there is litramoloka.com which is again POSeidon, as is cawasuse.ru on 89.144.2.152.
  • On 89.144.2.153 is the domain ranferolto.com, tagged as Infostealer.Posfind by Symantec.
  • On 89.144.2.154 the domains gowasstalpa.com and nasedrontit.com are associated with the Pony Downloader.
  • On 89.144.2.180 the website clarkgrp.org has been accused of being fake. If that is the case, then marlin-staff.com on the same IP will probably be too.
Overall, the evil-ness factor of 89.144.2.0/24 seems very high indeed (for example, this Damballa report on POSeidon shows how the bad guys moved to this netblock), and yet Echo Romeo LLP seems to be completely legitimate. I even went to the effort of checking them out at Companies House, and all seems OK. I wonder if perhaps the bad guys have either gained control of the IP block or have popped a large number of their servers?

UPDATE:
I asked Echo Romeo about this and their response was very quick..

Echo Romeo had pointed out something that I had missed. The registrant details for the IP block were very similar to their real details..

organisation:   ORG-ERL2-RIPE
org-name:       ECHO ROMEO LLP
org-type:       OTHER
address:        47 GLENMOOR ROAD , WEST PARLEY , FERNDOWN , DORSET , UNITED KINGDOM
admin-c:        JL7999-RIPE
phone:          +44 1202872908
e-mail:         info@echoromeonet.co.uk
abuse-mailbox:  abuse@echoromeonet.co.uk
mnt-ref:        echoromeo-mnt
mnt-by:         echoromeo-mnt
changed:        info@echoromeonet.co.uk 20140128
created:        2014-01-28T17:28:45Z
last-modified:  2014-02-17T12:18:41Z
source:         RIPE


But in fact, their domain name is just echoromeo.co.uk and not echoromeonet.co.uk at all. The WHOIS details for the fake domain are:

Domain name:
        echoromeonet.co.uk

    Registrant:
        ECHO ROMEO LLP

    Registrant type:
        Unknown

    Registrant's address:
        47 GLENMOOR ROAD
        WEST PARLEY
        FERNDOWN
        BH22 8QE
        United Kingdom

    Data validation:
        Nominet was able to match the registrant's name and address against a 3rd party data
source on 25-Jan-2014

    Registrar:
        101Domain, Inc. [Tag = 101INC-US]
        URL: https://101domain.com

    Relevant dates:
        Registered on: 25-Jan-2014
        Expiry date:  25-Jan-2016
        Last updated:  03-Nov-2014

    Registration status:
        Registered until expiry date.

    Name servers:
        ns1.echoromeonet.co.uk    212.38.166.68
        ns2.echoromeonet.co.uk    5.133.179.64

These closely match the real contact details of Echo Romeo. The fake website itself is hosted on 212.38.166.68 (one of the nameservers). It looks very different from the real website.

But all the contact details on the FAKE website point to the REAL Echo Romeo. The whole site looks like a fake created just to get hold of a range of IP addresses.
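The check that exposed this is simple to automate: take the contact addresses in a RIPE organisation object and compare their domains with the organisation's genuine domain, flagging anything that merely contains the real name (echoromeonet.co.uk versus echoromeo.co.uk). The script below is an added example, not part of the original post or anything Echo Romeo or RIPE publish; the RIPE object is the one quoted above, the known-good domain table and the small public-suffix table are my own assumptions.

```python
import re

# RIPE organisation object quoted in the post above, embedded here as a string.
RIPE_ORG_OBJECT = """\
organisation:   ORG-ERL2-RIPE
org-name:       ECHO ROMEO LLP
org-type:       OTHER
address:        47 GLENMOOR ROAD , WEST PARLEY , FERNDOWN , DORSET , UNITED KINGDOM
admin-c:        JL7999-RIPE
phone:          +44 1202872908
e-mail:         info@echoromeonet.co.uk
abuse-mailbox:  abuse@echoromeonet.co.uk
mnt-ref:        echoromeo-mnt
mnt-by:         echoromeo-mnt
changed:        info@echoromeonet.co.uk 20140128
created:        2014-01-28T17:28:45Z
last-modified:  2014-02-17T12:18:41Z
source:         RIPE
"""

# Assumption: a table of organisations whose real domain you have verified
# out of band (the post establishes echoromeo.co.uk as the genuine one).
KNOWN_GOOD_DOMAINS = {"ECHO ROMEO LLP": "echoromeo.co.uk"}

# Assumption: a tiny public-suffix table; a real deployment would use the
# Public Suffix List instead of this hand-picked set.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "me.uk", "com.cn", "net.cn", "org.cn"}


def parse_ripe_object(text):
    """Parse 'attribute: value' lines into a dict of lists (RIPE allows repeated keys)."""
    obj = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("%"):
            continue  # skip blank lines and RIPE comment lines
        key, _, value = line.partition(":")
        obj.setdefault(key.strip(), []).append(value.strip())
    return obj


def contact_domains(obj):
    """Domains of every e-mail and abuse-mailbox attribute in the object."""
    domains = set()
    for key in ("e-mail", "abuse-mailbox"):
        for addr in obj.get(key, []):
            if re.fullmatch(r"[^@\s]+@[^@\s]+", addr):
                domains.add(addr.rsplit("@", 1)[1].lower())
    return domains


def registrable_label(domain):
    """Label immediately left of the public suffix: 'echoromeo' for echoromeo.co.uk."""
    parts = domain.lower().split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in TWO_LABEL_SUFFIXES:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def assess_registration(obj, known_good=KNOWN_GOOD_DOMAINS):
    """Compare contact domains with the organisation's verified domain.

    Returns (verdict, findings): verdict is 'ok', 'suspect' or 'unknown-org';
    findings lists (domain, 'matches' | 'lookalike' | 'unrelated').
    """
    org_name = obj.get("org-name", [""])[0]
    real = known_good.get(org_name)
    if real is None:
        return "unknown-org", []
    findings = []
    for dom in sorted(contact_domains(obj)):
        if dom == real.lower():
            findings.append((dom, "matches"))
        elif registrable_label(real) in registrable_label(dom):
            # Real name embedded in a different registrable domain: classic
            # identity-theft pattern (echoromeo -> echoromeonet).
            findings.append((dom, "lookalike"))
        else:
            findings.append((dom, "unrelated"))
    verdict = "suspect" if any(v == "lookalike" for _, v in findings) else "ok"
    return verdict, findings


if __name__ == "__main__":
    parsed = parse_ripe_object(RIPE_ORG_OBJECT)
    print(parsed["org-name"][0], "->", assess_registration(parsed))
```

Run as-is it reports the object as suspect because echoromeonet.co.uk is a lookalike of echoromeo.co.uk; an object whose contacts really were at echoromeo.co.uk would come back "ok". The point of the known-good table is that WHOIS data is self-asserted, so the comparison must be against a domain you verified some other way.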

Let's go back to these IPs..

The 89.144.2.0/24 range with the fake registration details is carved out of an IP block belonging to isp4p.net (IP Interactive UG, Germany). Presumably the bad guys used the fake Echo Romeo domain and name to persuade IP Interactive to lease them a set of IP addresses.

Although the nameservers of 212.38.166.68 and 5.133.179.64 appear to be on very different blocks, they are actually allocated to the same person:

inetnum:        5.133.179.0 - 5.133.179.255
netname:        IPSERVER
descr:          IPSERVER WORLD LTD
remarks:        abuse-mailbox: abuse@ipserver.su
country:        GB
admin-c:        ON929-RIPE
tech-c:         ON929-RIPE
status:         ASSIGNED PA
mnt-by:         RAPIDSWITCH-MNT
changed:        abuse@rapidswitch.com 20120918
created:        2012-09-18T09:09:38Z
last-modified:  2015-08-12T07:25:02Z
source:         RIPE

person:         Oleg Nikol'skiy
address:        British Virgin Islands, Road Town, Tortola, Drake Chambers
phone:          +18552100465
e-mail:         abuse@ipserver.su
nic-hdl:        ON929-RIPE
mnt-by:         IPSERVER-MNT
changed:        abuse@ipserver.su 20150528
created:        2015-05-28T11:11:09Z
last-modified:  2015-05-28T11:11:09Z
source:         RIPE

route:          5.133.176.0/21
descr:          RapidSwitch
origin:         AS20860
mnt-by:         RAPIDSWITCH-MNT
mnt-routes:     GB10488-RIPE-MNT
changed:        richard@iomart.com 20120712
created:        2012-07-12T15:08:31Z
last-modified:  2012-07-12T15:08:31Z
source:         RIPE


Both have been leased from Iomart in the UK. .SU domains such as ipserver.su are such a strong indicator of badness that I even have a little graphic for them.

A quick look at the 5.133.179.0/24 and 212.38.166.0/24 ranges indicates they are full of crap. There may be legitimate sites hosted there, but I would recommend blocking them.

The evidence that I can find does seem to point toward this spoof IP range being set up by organised criminals in Russia, and my opinion is that Echo Romeo LLP have nothing to do with this at all and are the good guys.

Recommended blocklist:
89.144.2.0/24
5.133.179.0/24
212.38.166.0/24
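A blocklist of CIDR ranges is only useful if it is actually applied to what you see in your own logs. The following script is an added example and not part of the original post: it compiles the three ranges recommended above, merges any overlapping entries, and checks a constructed set of host-to-IP observations against them (the 89.144.2.x, 212.38.166.68 and 5.133.179.64 mappings are the ones given in the post; example.org at 192.0.2.10 is a made-up control that should not match).

```python
import ipaddress

# The three ranges the post recommends blocking.
RECOMMENDED_BLOCKLIST = [
    "89.144.2.0/24",
    "5.133.179.0/24",
    "212.38.166.0/24",
]

# Constructed host -> IP observations. The first four come from the post;
# example.org in the documentation range 192.0.2.0/24 is a control.
SAMPLE_OBSERVATIONS = {
    "dailybusinessdirect.com": "89.144.2.158",
    "topinvestmentnews.com": "89.144.2.85",
    "ns1.echoromeonet.co.uk": "212.38.166.68",
    "ns2.echoromeonet.co.uk": "5.133.179.64",
    "example.org": "192.0.2.10",
}


def compile_blocklist(cidrs):
    """Parse CIDR strings into network objects; strict=False tolerates host bits set."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def collapse_blocklist(cidrs):
    """Merge overlapping or adjacent entries so a /32 inside a /24 does not
    produce a duplicate rule. Returns sorted CIDR strings."""
    nets = compile_blocklist(cidrs)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def find_blocking_network(ip, networks):
    """Return the first blocklist network containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if addr in net:
            return net
    return None


def classify_observations(observations, cidrs=RECOMMENDED_BLOCKLIST):
    """Map each hostname to the CIDR that blocks it (as a string) or None."""
    networks = compile_blocklist(cidrs)
    verdicts = {}
    for host, ip in observations.items():
        net = find_blocking_network(ip, networks)
        verdicts[host] = str(net) if net is not None else None
    return verdicts


def blocked_hosts(observations, cidrs=RECOMMENDED_BLOCKLIST):
    """Just the hostnames that resolve into a blocked range, sorted."""
    return sorted(h for h, v in classify_observations(observations, cidrs).items() if v)


if __name__ == "__main__":
    for host, cidr in classify_observations(SAMPLE_OBSERVATIONS).items():
        print(f"{host:28s} {cidr or 'not blocked'}")
```

In practice you would feed the observation dictionary from DNS logs or proxy logs rather than a hard-coded table; the matching itself is the same. Collapsing the list before generating firewall or DNS RPZ rules keeps the rule set minimal when ranges are added piecemeal.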

Thursday, 30 April 2015

Nepal Earthquake scam: savenepal.org

I was tipped off to this site by a contact, but it appears that there are some particularly despicable scammers who have registered a fake website called savenepal.org which is soliciting donations via PayPal.

The site is largely cloned from the legitimate ActionAid site, which is genuinely seeking donations to go to Nepal.

ActionAid is "Registered charity no 274467" (it says so on the bottom of the page). SaveNepal.org claims to be "Registered charity no 276187", but we can check at the UK charities commission and we can see that the charity with this number is actually an orchestra.


Clicking "Donate" on the scam site leads to PayPal. It doesn't give much of a clue about the ownership of the fake site:


The WHOIS details for the domain are hidden using WhoIsGuard. These other sites appear to be live on the same server:

com-indexhtml.link
com-indexhtml.us
grantsekit.com

Out of these, only com-indexhtml.us has a non-anonymous WHOIS entry:

Registrant ID:                               C4E83B25FA8AD52D
Registrant Name:                             Frank J. Moore
Registrant Address1:                         2441 Byers Lane
Registrant City:                             Davis
Registrant State/Province:                   CA
Registrant Postal Code:                      95616
Registrant Country:                          United States
Registrant Country Code:                     US
Registrant Phone Number:                     +1.5307574940
Registrant Email:                            uscustomerhelp@gmail.com
Registrant Application Purpose:              P1
Registrant Nexus Category:                   C12


I'm pretty sure that those contact details are fake. Going back through historical WHOIS comes up with different contact details:

Registrant ID:                               29B0B5BBD7190398
Registrant Name:                             dinna  james
Registrant Address1:                         po box 876
Registrant City:                             dl
Registrant State/Province:                   dl
Registrant Postal Code:                      110098
Registrant Country:                          India
Registrant Country Code:                     IN
Registrant Phone Number:                     +1.918978978
Registrant Email:                            helpot80@gmail.com
Registrant Application Purpose:              P1
Registrant Nexus Category:                   C12


Of course, these contact details could also be false and there's no definite connection to savenepal.org yet. But out of curiosity, who is helpot80@gmail.com?  Googling doesn't reveal much, but it does show a copy of a conversation in the news.admin.net-abuse.email where someone who is claiming to use this email address is complaining about spam. If we then use Google Groups to find the original newsgroup post we see it was posted from an IP of 182.68.85.242 which is a dynamic Bharti Airtel IP in India, which does at least match the country in the WHOIS details.

Another Google result is this Phishtank entry listing social2013.com/rockgrade/ which appears to be a copy of the Rock Grade Management scam site I covered way back in 2011, indicating that perhaps these two scams are related. helpot80@gmail.com was listed as the owner of social2013.com before it expired in February 2015.

This WHOISology report links the address to several domains:

beauty6k.com
social2013.com
droughty.com
auto36.us
secure2013.us

Also, 94.242.255.129 has hosted many other domains, many of which appear to be scammy.

com-13.pw
com-21.us
com-indexhtml.us
news7d.com
mynews360.com
grantsekit.com
social2013.com
secured2014.com
usgrantskit.com
savenepal.org
com-indexhtml.link
huffingtonpost.com-indexhtml.link
dear.graphics

Many of these have the helpot80@gmail.com address listed in their historical WHOIS entries.

What else can we find out?

The email address is connected with this scammy looking Facebook page allegedly giving away "free laptops"


The email address also links to this Google+ profile naming them as "N. Al.". It also links to this YouTube channel with a single video about Payoneer. These Profiles indicate that helpot80@gmail.com has an interest in affiliate marketing, an activity with a mixed reputation.

I cannot prove that helpot80@gmail.com is connected with the savenepal.org, but they probably know whoever is behind it.

Remember, if you want to donate to ANY disaster charity, it is worth checking very carefully that you are dealing with the real thing and not a bunch of scammers.

Wednesday, 29 April 2015

cnwebregistry.cn / chinaygregistry.com scam and "Huayu Ltd"

This spam email is actually part of a long-running Chinese scam.

From:    Jim Bing [jim.bing@cnwebregistry.cn]
Date:    29 April 2015 at 14:27
Subject:    Re:"[redacted]"

Dear CEO,

(If you are not the person who is in charge of this, please forward this to your CEO, because this is urgent, Thanks)

We are a Network Service Company which is the domain name registration center in Shanghai, China.
We received an application from Huayu Ltd on April 27, 2015. They want to register " [redacted] " as their Internet Keyword and " [redacted] .cn "、" [redacted] .com.cn " 、" [redacted] .net.cn "、" [redacted] .org.cn " domain names etc.., they are in China domain names. But after checking it, we find " [redacted] " conflicts with your company. In order to deal with this matter better, so we send you email and confirm whether this company is your distributor or business partner in China or not?

Best Regards,

Jim
General Manager
Shanghai Office (Head Office)
3008, Jiulong Building, No. 836 Nandan Road,
Xuhui District, Shanghai 200070, China
Tel: +86 216191 8696
Mobile: +86 1870199 4951
Fax: +86 216191 8697
Web: www.cnwebregistry.cn
Whoever "Huayu Ltd" are is irrelevant, as they aren't actually interested in registering these domains, even if they exist. Instead, this is an attempt by a rogue Chinese domain registrar to get you to buy overpriced and worthless domains.

In this case the spam mentions the domain cnwebregistry.cn, but chinaygregistry.com is also on the same server and will be similarly fraudulent.

This video I made a while ago explains the scam in more detail:



Friday, 17 April 2015

Scam: "Your Invited For A Five Days Summit 5th -9th May, 2015 in London (UK)," / "Royal Queens Hotel"

This spam email forms part of a Conference Scam:


From:    United Nations Summit [no_replytoold@live.com]
Reply-To:    unitednation.unt@gmail.com
Date:    16 April 2015 at 17:59
Subject:    Your Invited For A Five Days Summit 5th -9th May, 2015 in London (UK),

Dear Invitee, Nonprofit/NGO Colleague,

UN General Assembly invites companies and organizations to participate in this important meeting. UN convening a Four-day Global Summit of Economists, Educationists, Administrators, Manufacturers, International Finance, Corporate Finance, Researchers, Non-Governmental Organizations, Religious Leaders, Community Organizations,lawyer and law firm,individuals from the public and Private Sector from 5th-9th May, 2015 in London (UK) to assess the worst global economic down turn since the Great Depression. The aim is to identify emergency and long-term responses to mitigate the impact of the crisis, especially on vulnerable populations, and initiate a needed dialogue on the transformation of the international financial architecture, taking into account the needs and concerns of all countries of the world. You are invited to take part in the International Conference.

Registration to this Summit is absolutely "free" and strictly for invited individuals and organizations only. As an invitee, you have received a registration code UN/CODE/66987/2015-UK with the invitation letter, which grants you access to the registration form.

The United Nations General Assembly will sponsor free travel costs and all-round flight tickets for all participant. Invited participants will only be responsible for their hotel accommodation and feeding cost at the Royal Queens Hotel.

Venue: Queen Elizabeth II Conference Centre (QEIICC)
Date:5th-9th May, 2015.
Conference Theme:Impact and implications of the global financial and economic crisis on sustainable development & climate change proposals for an integrated global response to the crisis.

For further details about registration form,visa,flight ticket and other details, write an acceptance letter to be part of this event and send it directly via our Official e-mail together with your cellphone number for confirmation.

Send us e-mail:
unitednations_summit@secretary.net
unitednations.summit@aol.fr
or Call Dr. Pitt Thomas for more information +44703-597-1620.

We look forward to meeting you at the forthcoming Global Financial and Economic Crisis conference.

Register Now!!!!

Mrs.Kathleen Fitzpatrick
(Organizing Secretary)
Communication and Public Affairs.

United Nations-Nations Unites
Division for Social Policy and Economic Development Department of Economic
and Social Affairs Room UK2-1324, 2 United Nations Plaza, England, United
Kingdom.
What's the scam? Notice that "Invited participants will only be responsible for their hotel accommodation and feeding cost at the Royal Queens Hotel." There is no hotel in London with the name "Royal Queens Hotel", but the scammers will magic one up for you to take pre-payment for your hotel.. and will then vanish with your money.


There are some similarly-named hotels in London, for example the Hotel Royal @ Queens, but this is not the same hotel. Be warned though that sometimes scammers do go to the effort of setting up a fake hotel website to make the scam more credible.

Avoid.

Wednesday, 15 April 2015

pdatamc.org / publicdmc.cn domain scam

This email message is actually a spam promoting a long-running scam where an unscrupulous party is attempting to sell overpriced and worthless domains to their intended victim.

From: Bruce Lo [mailto:bruce@publicdmc.cn]
Date: 14:59 Wednesday 15th April 2015
Subject: [victimdomain] Registration
Priority: High

To whom it may concern:

We are the Registrars accredited by China Internet Network Information Center. We have something to confirm with you. On April 7, 2015, we received an application in which a company by the name Presg Group applied to register " victimdomain " as their Brand Name and some Asia domain names through our firm.

Now we are handling this registration. After our initial checking, we found that the name are identical to your company's. We need to check with you whether your company has authorized that company to register these names. If you have authorized this, we will finish the registration at once. If not, please let us know within 7 workdays, in which case we will dicuss the matter more thoroughly. If not otherwise advised within that time limit we will proceed with the registration for Presg Group . We will be waiting for your reply. Have a nice day!

Best Regards

Bruce Lo
Registration Dept.
Phone: +86.55165184482
Fax:    +86.55165128724
Website:http://www.pdatamc.org/
Address: No. 789, XiYou Road, Zhengwu District, HeFei City, AnHui Province, China  
I've explained this particular scam so many times that I made a video explaining it..

businessexecutives01.com / theexecutivesbrand.com scam

This is a grubby "Who's Who scam"

From:    Sterling Hudson
Date:    15 April 2015 at 14:12
Subject:    Re: you were chosen as a potential candidate...

Dear,

You were recently chosen as a potential candidate to represent 2015 Worldwide Branding Registry of Distinguished Professionals and Executives.
We are pleased to inform you that your candidacy was formally approved May 2nd. Congratulations. The Publishing Committee selects potential candidates based not only upon their current standing, but focusing as well on criteria from executive and professional directories, associations, and trade journals.
Given your background, the Director believes your profile makes a fitting addition to our publication. There is no fee nor obligation to be listed. As we are working off of secondary sources, we must receive verification from you that your profile is accurate. After receiving verification, we will validate your registry listing within seven business days.
Once finalized, your listing will share prominent registry space with thousands of fellow accomplished individuals across the globe, each representing accomplishments within their own geographical area.
To verify your profile and accept the candidacy, please visit here.

Our registration deadline for this year's candidates is May 28th. To ensure you are included, we must receive your verification on or before this date. On behalf of our Committee, I salute your achievement and look forward to welcoming you to our association.
Sincerely,

Benjamin Morisson
Editor in Chief
Worldwide Selection Committee 2015

If you don't want to receive emails any more, please Unsubscribe
The link in the email goes to www.businessexecutives01.com:8133/wayne/ which is an anonymously registered domain hosted on a spam server at 123.249.39.89 in China. The links on the businessexecutives01.com website all lead to theexecutivesbrand.com which is basically a mirror of the content.

There are a number of these scammy spam sites on the same servers. I recommend that you block all the following sites as spam:

businessexecutives01.com
dirtyemojis.ru
foldemholdem.com
ironchampusa.ru
truepeptide.net
theexecutivesbrand.com

Monday, 26 January 2015

Very lazy Walmart raffle ticket scam spam

Sometimes I see some very sophisticated scams with lovely websites and a credible and convincing pitch to snare the unwary. This isn't one of those, but it is a remarkably lazy piece of crap instead.

From:    Walmart [clarkscott75875@gmail.com]
Reply-To:    mrwilliamm234@gmail.com
Date:    26 January 2015 at 17:23
Subject:    Walmart


Walmart,

This is to announce to the Public that the Wal-Mart Stores, Inc., have
started selling raffle ticket for the 2015 with the effect from today
been 1/26/2015, for more inquiries, contact our Publicity Department
below:

Wal-Mart Public Department
E-mail: publicityonwalmart@publicist.com
                 or
Mr. William Morgan
E-mail: mrwilliamm234@gmail.com

You will be directed on what to do to pick your form

Thanking you In Advance
Dennis Harrison
Walmart, Arkansas USA
I've heard it said that the scammers deliberately choose really stupid scams that only an idiot would fall for.. in order to filter out all those people who aren't idiots. So perhaps there is a point to all this half-arsed crappiness after all.

Saturday, 22 November 2014

Oplamo Herbal Root scam

As far as I can tell, there is no such thing as "Oplamo Herbal Root". So, this spam is almost definitely a scam.

From:     Mr. Tom Good Hope [mrtomgood@gmail.com]
Reply-To:     mrtomgoodhope@gmail.com
Date:     22 November 2014 02:24
Subject:     SUPPLY BUSINESS OF OPLAMO

My name is Tom Goodhope i based in Liverpool,UK working with a pharmaceutical company.
I have decided to contact you directly to discuss briefly via email about the ongoing supply that came up in our company.

I think if you can understand English and India Language (Hindi,Tamil etc) you can take up this business proposal to buy out OPLAMO HERBAL ROOT from the local producer in India and make supply to our company as the direct producer to enable our company be buying direct from you on every subsequent order after this first purchase.


OPLAMO ROOT its used for production of Anti-viral drugs & Animal Vaccines.Our company have been purchasing the materials from Pakistan but it is very scarce and expensive now in Pakistan. I've found out the truth that this Pakistan people purchases this product in India at the rate of $210 USD,while they supply to our company at the rate of $430 USD.

Recently i got the contact information of a local producer in India that preserve {OPLAMO} herbal root to the quality our company needs for production and i came to know that this product can be purchase at rate of $280 US dollar per sachet in India.

Note that i can not release the contact information of the local producer easily to anybody that can not follow up with guidelines on how to make this supply on this first supply,because if any mistake occurs and my company finds out that i'm involve in given information to someone to supply this product to them they will consult a legal petition against me and i can not go to India to buy and supply this product to our company because i do not have money to handle this business and i don't want to release this information to our company management.

Our company buys 3000 sachets (each sachet contains 5 grams),but on the first order with any producer they want to give a trial order of 300 or 500 sachets and payment method for this first order is COD- cash on delivery, upon their satisfaction on this first order they would be making payment on T/T in advance.

Please read this business proposal very well before you reply me,if you can not handle this business according to my guideline its better you don't reply me,because i want you and i to be on safer side in this transaction.

Upon your reply i will clarify you more on how to start this business immediately,please drop your contact phone number for me to be able to contact you ASAP.

Thanks,

Mr Tom Goodhope

Company Secretary

mrtomgoodhope@gmail.com
"Tom Goodhope" sounds more Nigerian than British, but the originating IP address is actually 123.239.58.103 in Delhi, sent via 198.20.245.154 [eas.easylhost.com] in the US.

Given that all the search results I can find for "Oplamo Herbal Root" or "Oplamo Root" seem to be similar scams, I would suggest that this doesn't even qualify as snake oil and I would give it a very wide berth.

Thursday, 9 October 2014

chinaregistry.org.cn domain scam

This is an old scam that can safely be ignored.

From:     Henry Liu [henry.liu@chinaregistry.org.cn]
Date:     9 October 2014 07:53
Subject:     [redacted] domain and keyword in CN

(Please forward this to your CEO, because this is urgent. Thanks)

We are a Network Service Company which is the domain name registration center in Shanghai, China. On Oct 7, 2014, we received an application from Huaya Holdings Ltd requested "[redacted]" as their internet keyword and China (CN) domain names. But after checking it, we find this name conflict with your company name or trademark. In order to deal with this matter better, it's necessary to send email to you and confirm whether this company is your distributor or business partner in China?Kind regards

Henry Liu 
General Manager 
China Registry (Headquarters)
3002, Nanhai Building, No. 854 Nandan Road,
Xuhui District, Shanghai, China
Tel: +86 21 6191 8696
Mobile: +86 138 1642 8671
Fax: +86 21 6191 8697
Web:
www.chinaregistry.org.cn

Nobody is trying to register your domain name, this is simply a long-running scam aimed at getting you to spend too much money on something that you don't need. And I strongly recommend that you don't forward junk email like this to your CEO either.

I created a brief video explaining the scam that you can view below:
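The three Chinese "domain registration" emails on this page (this one, the pdatamc.org / publicdmc.cn one and the cnwebregistry.cn one) share the same script almost word for word, which makes them easy to catch at the mail gateway. The following is an added example, not part of the original posts: a small indicator-based scorer whose phrase list is drawn from the emails quoted above and whose weights and threshold are my own assumptions. The sample message is the Henry Liu email from this post, abridged; the benign message is constructed.

```python
import re

# Indicator phrases taken from the registrar-scam emails quoted on this page.
# Weights are an assumption chosen for illustration, not a published rule set.
INDICATORS = [
    (r"domain name registration cent(?:er|re)", 2, "claims to be a registration centre"),
    (r"internet keyword", 2, "offers an 'Internet Keyword'"),
    (r"forward this to your ceo", 2, "asks you to forward it to the CEO"),
    (r"distributor or business partner in china", 3, "asks whether a third party is your partner"),
    (r"we received an application", 1, "third-party application story"),
    (r"accredited by china internet network information center", 2, "claims CNNIC accreditation"),
    (r"within 7 workdays", 1, "artificial deadline"),
    (r"brand name|asia domain names", 1, "brand name / Asia domains pitch"),
]
SCAM_THRESHOLD = 4  # assumption: total weight at which a message is flagged

# Abridged copy of the email quoted in the post above.
SAMPLE_SCAM_EMAIL = """\
From: Henry Liu [henry.liu@chinaregistry.org.cn]
Subject: [redacted] domain and keyword in CN

(Please forward this to your CEO, because this is urgent. Thanks)

We are a Network Service Company which is the domain name registration center in Shanghai, China. On Oct 7, 2014, we received an application from Huaya Holdings Ltd requested "[redacted]" as their internet keyword and China (CN) domain names. But after checking it, we find this name conflict with your company name or trademark. In order to deal with this matter better, it's necessary to send email to you and confirm whether this company is your distributor or business partner in China?
"""

# Constructed benign message used as a control.
SAMPLE_BENIGN_EMAIL = """\
From: Alice <alice@example.com>
Subject: Thursday

Are we still on for lunch on Thursday? The usual place at one.
"""


def sender_domain(message):
    """Domain of the address on the first From: header line, or None."""
    m = re.search(r"^From:.*?[\w.+-]+@([\w.-]+)", message, re.MULTILINE)
    return m.group(1).lower() if m else None


def score_email(message):
    """Score a message against the indicator list.

    Returns a dict with the total score, a boolean verdict, the reasons that
    fired and the sender domain, so the caller can log the evidence.
    """
    text = message.lower()
    hits = [(weight, label) for pattern, weight, label in INDICATORS
            if re.search(pattern, text)]
    domain = sender_domain(message)
    if domain and domain.endswith(".cn"):
        # All three quoted emails came from .cn sender domains; on its own this
        # is weak evidence, so it only adds one point.
        hits.append((1, "sender domain under .cn"))
    score = sum(weight for weight, _ in hits)
    return {
        "score": score,
        "suspect": score >= SCAM_THRESHOLD,
        "reasons": [label for _, label in hits],
        "sender_domain": domain,
    }


if __name__ == "__main__":
    for name, msg in (("scam", SAMPLE_SCAM_EMAIL), ("benign", SAMPLE_BENIGN_EMAIL)):
        print(name, score_email(msg))
```

Because the scammers recycle the same wording for years, a phrase list like this stays effective far longer than a sender-address blocklist; keep the threshold above any single indicator so one stray phrase in a genuine trademark enquiry does not trigger it.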

Friday, 29 August 2014

cars4cashuk.com scam and Cyber Cast International (CCIHosting), Panama [190.97.160.0/21]

I spotted this scam warning on the Autotrader website:
We have received reports of customers receiving a text message asking them to visit www.cars4cashuk.com to sell their cars quickly for cash. Customers are asked to pay a deposit in order to secure the sale of their vehicle. This website is not genuine and in no way affiliated with AutoTrader. We are currently working to have this website shut down.

For more information please contact our Customer Security team on 0330 303 9001.
The site is a crude attempt to extract money from unsuspecting people trying to trade their car, but it does feature the AutoTrader logo prominently.


If you're trying to sell your car then probably all you need to know is that it's a scam, and you probably don't need to read any further. But if you read my blog regularly then you might want to read on..

The site has no ownership information, but a check of the WHOIS details shows the following contacts:

Domain Name: CARS4CASHUK.COM
Registry Domain ID:
Registrar WHOIS Server: whois.1api.net
Registrar URL: http://www.1api.net
Updated Date: 2014-08-10T15:31:12Z
Creation Date: 2014-08-10T15:31:12Z
Registrar Registration Expiration Date: 2015-08-10T15:31:12Z
Registrar: 1API GmbH
Registrar IANA ID: 1387
Registrar Abuse Contact Email: abuse@1api.net
Registrar Abuse Contact Phone: +49.68416984x200
Reseller: www.sky-ip.com http://www.sky-ip.com/
Domain Status: ok - http://www.icann.org/epp#OK
Registry Registrant ID:
Registrant Name: José Castrellón
Registrant Organization: CyberCast
Registrant Street: Ricardo J. Alfaro, El Dorado
Registrant City: Panama
Registrant State/Province: Panama
Registrant Postal Code: 0819-06448
Registrant Country: PA
Registrant Phone: +507.3014841
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: domains@sky-ip.com
Registry Admin ID:
Admin Name: José Castrellón
Admin Organization: CyberCast
Admin Street: Ricardo J. Alfaro, El Dorado
Admin City: Panama
Admin State/Province: Panama
Admin Postal Code: 0819-06448
Admin Country: PA
Admin Phone: +507.3014841
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: domains@sky-ip.com
Registry Tech ID:
Tech Name: José Castrellón
Tech Organization: CyberCast
Tech Street: Ricardo J. Alfaro, El Dorado
Tech City: Panama
Tech State/Province: Panama
Tech Postal Code: 0819-06448
Tech Country: PA
Tech Phone: +507.3014841
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: domains@sky-ip.com
Name Server: ns1.cybercastco.com
Name Server: ns2.cybercastco.com


So who are José Castrellón and CyberCast (aka CyberCast International)? Are they the scammers? Well, no.. CyberCast (through their website at ccihosting.com) offer anonymous offshore hosting and domain registrations, the sort of thing that scammers love, although of course there are legitimate uses for such things. CyberCast presumably are not doing the actual scamming, but I'd suggest that they could be accused of some level of complicity.


So.. you can buy a domain and web hosting using an anonymous payment system like Bitcoin or Perfect Money and then, it seems, more or less do what you like with it. Now, that's great if you are running a web site dedicated to overthrowing an oppressive regime (for example), but the bulk of the sites hosted by CyberCast are a lot less savoury, including phishing sites, sites selling DDoS services, counterfeit goods, trading in stolen credit card information, piracy sites, spam, cybersquatting, illegal or fake pharmacies, hacking sites and a little bit of porn as well.

There may well be some legitimate sites hosted by this company (I spotted some local Panamanian sites, for example), but the overwhelming majority of the CyberCast / CCIHosting address space is completely toxic, so I would strongly recommend that you block access to the 190.97.160.0/21 range from your network.

There is not a lot of reputation data for the sites in this /21, but I have compiled a list of sites, IPs, WOT ratings and Google and SURBL prognoses here [csv].
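If you do decide to block the range, it is worth checking what the block would actually have stopped. The following is an added example (not code from the post): it checks candidate addresses against the 190.97.160.0/21 range the post names, runs the same check over a few constructed proxy-log lines, and emits the equivalent iptables rule. The log lines and the 10.0.0.x source addresses are constructed for illustration; the destination addresses are either inside the /21 or deliberately just outside it.

```python
"""Blocking a toxic hosting range at the edge (added example, not the post's code).

Shows (a) the containment check for one address, (b) a pass over constructed
log lines to see which connections the block would have stopped, and (c) the
iptables rule text for the same ranges.
"""
import ipaddress

# Range taken from the post; extend the list with further networks as needed.
BLOCKED_RANGES = [ipaddress.ip_network("190.97.160.0/21")]


def is_blocked(ip, ranges=BLOCKED_RANGES):
    """True if the address string `ip` falls inside any network in `ranges`.

    Raises ValueError if `ip` is not a valid IPv4/IPv6 address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def filter_log(lines, ranges=BLOCKED_RANGES):
    """Return (dst_ip, line) for every log line whose destination is blocked.

    Expected (constructed) line shape: '<timestamp> <src_ip> -> <dst_ip> <rest>'.
    Lines that do not parse, or whose destination is a hostname, are skipped."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "->":
            continue
        try:
            if is_blocked(parts[3], ranges):
                hits.append((parts[3], line))
        except ValueError:  # destination is a hostname, not an address
            continue
    return hits


def iptables_rules(ranges=BLOCKED_RANGES):
    """Outbound DROP rule text for each blocked network."""
    return [f"iptables -A OUTPUT -d {net.with_prefixlen} -j DROP" for net in ranges]


# Constructed sample log: two destinations inside the /21 (which spans
# 190.97.160.0 - 190.97.167.255), two just outside it, one hostname.
SAMPLE_LOG = [
    "2014-09-01T10:00:01Z 10.0.0.12 -> 190.97.160.4 GET /index.html",
    "2014-09-01T10:00:05Z 10.0.0.12 -> 190.97.159.255 GET /",
    "2014-09-01T10:00:09Z 10.0.0.40 -> 190.97.167.250 GET /login.php",
    "2014-09-01T10:00:11Z 10.0.0.40 -> 190.97.168.1 GET /",
    "2014-09-01T10:00:12Z 10.0.0.41 -> example.net GET /",
]

if __name__ == "__main__":
    for dst, line in filter_log(SAMPLE_LOG):
        print(f"would be blocked: {dst}  ({line})")
    print("\n".join(iptables_rules()))
```

The /21 boundary is the thing to get right: 190.97.168.1 is one address past the end of the range and must not match, which is why the sample includes it.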

Thursday, 24 July 2014

Scam: "brunerinvestment.com" is not The Brunner Investment Trust PLC

This simple spam is backed up by a fairly sophisticated fake website.

From:     brunner investment [investment@brunner.com]
Reply-To:     brunnerinvestment@gmail.com
To:     50
Date:     24 July 2014 12:08

Dear

The Brunner Trust PLC, is working on expanding its international portfolio Globally and financing projects in form of debt financing from the tune of $1million to $500million,
we also offer personal and business loans from the tune of $100,000 USD to $1,000,000.00 USD

We would be happy to receive an Executive summary to see if you have any Viable project we can finance and partner together
by making financial investment in Form of soft loans.

Email your projects summary to us at: info@brunerinvestment.com

Regards,
Stefan Hofrichter
Chief Economist and Head of Global Economics & Strategy

The Brunner Investment Trust PLC is a real organisation with a website at brunner.co.uk - the domain that the spammers are soliciting replies to is brunerinvestment.com (note the missing "n" in "brunner"). It was registered on 31st May 2014 with anonymous WHOIS details.

This is the real Brunner Investment Trust site:

And this is the fake one:


The differences are subtle:

Of course the main purpose of the web site is to encourage you to think that you are talking to a real person, to which end the contact details are fake:

Although the postal address is correct, the rest of the details are fake:

Brunner Investment Trust Plc
199 Bishopsgate,
London, EC2M 3TY
Tel:+44 703 195 6304
Tel/Fax: +44 745 227 1933
Email: info@brunerinvestment.com
brunnerinvestment@gmail.com

The telephone numbers quoted appear to be "follow me anywhere" numbers that forward to another number, which could be anywhere in the world.

So what's the scam? Well, there's probably an up-front fee to even discuss financing.. and if it's like this recent scam it could be tens of thousands of dollars. Of course, there is no financing available (remember that this is a fake site, not the Brunner Investment Trust) and once the scammers have your money they will vanish.

I note as well that the site is fairly well done although somewhat buggy (and it randomly pops up adverts) which looks rather like the same cloned websites I discussed earlier this month.

Some technical details for this - the site is hosted on 93.188.160.4 which is allocated to Hostinger International in Lithuania (although the servers might be in Amsterdam). The spam originates from 168.167.134.124 (Botswana Telecommunications Corporation) via an unknown mail relay on 82.105.253.84 (Telecom Italia, Verona, Italy).

Avoid.

Monday, 14 July 2014

Scam: "CNnet Dispute Solutions Ltd" cn-network.com / cn-network.org

This email from a Chinese domain registrar styling itself as "CNnet Dispute Solutions Ltd" is a scam.

From:     james@cn-network.org
Date:     14 July 2014 11:12
Subject:     About Internet Trademark Issue: [redacted]


Dear Manager,

(If you are not the person who is in charge of this, please forward this to your CEO,Thanks)

We are a organization specializing in trademark consulting and domain name registration services in China. We just received an application sent from "HaiTon Importing Co., Ltd" on 13/07/2014, requesting for applying the "[redacted]" as the Internet Brand and some Chinese domains such as .cn/.com.cn/.hk/.asia ect... for their business running. Though our preliminary review and verification, we found that this keyword is currently being used by your company and is applied as your domain name. In order to avoid any potential risks in terms of trademark dispute and impact on your market businesses in China and Asia in future, we need to confirm with you whether "HaiTon Importing Co., Ltd" is your own subsidiary or partner.

Will your businesses in China and Asia be impacted potentially if they apply for this trademark? And will you agree this company to apply for this trademark? Please contact us immediately within 10 working days, otherwise, you will be deemed as waived by default.

Please contact us in time in order that we can handle this issue better.


Best Regards,

James Tan

Auditing Department.

Registration Department Manager
4/F,No.9 XingHui West Street,

JinNiu ChenDu, China

Office: +86 2887662861

Fax: +86 2887783286

Web: http://www.cn-network.com



Please consider the environment before you print this e-mail.

Don't worry, this is a scam. There is no such company as "HaiTon Importing Co". Nobody is trying to register these worthless domains, there is really nothing to worry about. I've explained it all in this video.

They have a website at cn-network.com and are soliciting replies to cn-network.org. Registration details are as follows:

Registry Registrant ID:
Registrant Name: Wang XiaoGang
Registrant Organization: Cheng Du Chuang Ning Wang Luo Ke Ji You Xian Gong Si
Registrant Address: No. 69  JinFangYuanDong Road  ChengDuJinNiu District
Registrant City: ChengDuShi
Registrant Province/state: SC
Registrant Country: CN
Registrant Postal Code: 610000
Registrant Phone: +86.2887783286
Registrant Phone EXT: +86.2887783286
Registrant Fax: +86.2887783286
Registrant Fax EXT: +86.2887783286
Registrant Email: 253885777@qq.com
Registrant Email EXT: 253885777@qq.com
Registry Admin ID: 42771277


I can find the following domains that use the same contact details:

cn-nic.org
cn-network.org
cn-network.com
cn-network.net
cnnetcor.com
cnnetpro.com
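Finding the sibling domains above means pivoting on a shared WHOIS field, and the same parser covers the cars4cashuk.com record quoted earlier in this page. The following is an added example, not code from the post: it parses "Key: Value" WHOIS output into a record, groups domains by registrant email, and flags the two weak indicators these posts keep coming back to (a free webmail contact address, and a phone number sloppily copied into the extension field, as in the record above). The three records are constructed from details given in the posts and shortened; the "Domain Name:" lines were added so the pivot has something to key on.

```python
"""Parse 'Key: Value' WHOIS output and pivot on shared contact details (added example).

Not the post's code. Records are constructed from details quoted in the posts.
"""
import re
from collections import defaultdict

# A WHOIS line is 'Key: Value'; keys may contain spaces, digits, '/' and '.'.
# The lazy key match stops at the first colon, so URL values survive intact.
WHOIS_LINE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 /._-]*?)\s*:\s*(.*?)\s*$")

# Free webmail providers seen as reply-to/registrant addresses in these posts.
FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "qq.com", "yahoo.com"}


def parse_whois(text):
    """Return {lower-cased key: [values...]}; empty fields are dropped,
    repeated keys (e.g. 'Name Server') keep every value in order."""
    rec = defaultdict(list)
    for line in text.splitlines():
        m = WHOIS_LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip().lower(), m.group(2).strip()
        if value:
            rec[key].append(value)
    return dict(rec)


def field(rec, key):
    """First value for `key` (case-insensitive), or None if absent."""
    vals = rec.get(key.lower())
    return vals[0] if vals else None


def pivot(records, key="registrant email"):
    """Group domain names by the (lower-cased) value of `key`."""
    groups = defaultdict(set)
    for rec in records:
        domain, val = field(rec, "domain name"), field(rec, key)
        if domain and val:
            groups[val.lower()].add(domain.lower())
    return {k: sorted(v) for k, v in groups.items()}


def indicators(rec):
    """Weak scam indicators visible in a single record."""
    out = []
    email = field(rec, "registrant email") or ""
    if email.rsplit("@", 1)[-1].lower() in FREEMAIL:
        out.append("free webmail registrant address")
    phone = field(rec, "registrant phone")
    if phone and phone == field(rec, "registrant phone ext"):
        out.append("phone number copied into extension field")
    return out


# Constructed, shortened records based on the posts' quoted WHOIS output.
CARS4CASH = """Domain Name: CARS4CASHUK.COM
Registrar URL: http://www.1api.net
Registrant Name: José Castrellón
Registrant Organization: CyberCast
Registrant Phone: +507.3014841
Registrant Phone Ext:
Registrant Email: domains@sky-ip.com
Name Server: ns1.cybercastco.com
Name Server: ns2.cybercastco.com
"""
CN_NETWORK_ORG = """Domain Name: cn-network.org
Registrant Name: Wang XiaoGang
Registrant Phone: +86.2887783286
Registrant Phone EXT: +86.2887783286
Registrant Email: 253885777@qq.com
"""
CN_NIC_ORG = CN_NETWORK_ORG.replace("cn-network.org", "cn-nic.org")

if __name__ == "__main__":
    records = [parse_whois(t) for t in (CARS4CASH, CN_NETWORK_ORG, CN_NIC_ORG)]
    for email, domains in pivot(records).items():
        print(f"{email}: {', '.join(domains)}")
    for rec in records:
        print(field(rec, "domain name"), indicators(rec))
```

Pivoting on the registrant phone number or name server pair works the same way (pass `key="registrant phone"` or `key="name server"`), which is how the sky-ip.com / cybercastco.com cluster in the first post would be enumerated.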


This scam has been going around for years. It is simply spammed out at random, and you should ignore it.

Video: Chinese Domain Scams


Tuesday, 8 July 2014

Scam: "All Company Formation" (allcompanyformation.com / businessformation247.com)

Sometimes it isn't easy to see what the scam is, but this email hit my spamtrap advertising an outfit that can allegedly create offshore companies and acquire all sorts of trading licences and things like SSL certificates.


From:     All Company Formation [info@allcompanyformation.com]
Date:     7 July 2014 12:58
Subject:     [Info] Worldwide Company Formation Services - EV SSL Approval Services


We have a team of agents in different countries we are providing Company Registration services in the following Countries:

-United Kingdom
-USA
-Malaysia
-Syschelles
-Hong Kong
-Indonesia
-Dominica
-UAE
-South Africa
-switzerland
-Singapore
-India
-Panama
-Anguilla
-Belize
-Nevis
-Cyprus

If you need other than above countries so please contact us for more information..we are also providing offshore bank account services:

Bank locations are :

-Mauritius
-Belize
-Seychelles
-Cayman Islands
-Cyprus
-Hong Kong
-St. Vincent & Grenadines
-Latvia
-St. Lucia
-Brokerage Account in Panama
-Nevis Bank Account

other services:

-Comodo EV ssl Approval and documentation
-Geo Trust ssl Approval and documentation
-Symantec ssl Approval and documentation
-Veri Sign Approval and documentation
-Trustwave Approval and documentation
-Trust Guard Approval and documentation
-Valid safe Approval and documentation
-Truste Approval and documentation
-Others (as per your request)


For order and need more informations kindly contact us : www.allcompanyformation.com

Email: info@allcompanyformation.com

skype : companiesformations

The spam originates from 209.208.109.225 which belongs to Internet Connect Company in Orlando, Florida.. Orlando being a hotbed of fraud which would make it ideal for twinning with Lagos. The spam then bounces through a WebSiteWelcome IP of 192.185.82.77. None of those IPs give a clue as to the real ownership of the site.

The spamvertised site of allcompanyformation.com (also mirrored at businessformation247.com) looks generic but professional.


It is plastered with logos from legitimate organisations, presumably to give it an air of respectability.


You can pay for these "services" using any one of a number of obscure payment methods:

EgoPay: e.allcompanyformation@gmail.com
OK Pay: ondrejpavilic@gmail.com
Perfect Money: U3128238


I wouldn't bet on "ondrejpavilic" being a real person; it sounds suspiciously like this ice hockey player.

The contact information seems deliberately vague and there are no physical contact addresses or company registration details anywhere on the website:

E-mail: info@allcompanyformation.com
Telephone: 315-944-0992
Skype: CompaniesFormations


The telephone number looks like a US one, but on closer examination appears to be a Bandwidth.com VOIP forwarder to another number (which could be anywhere in the world). These 315-944 numbers seem to be often abused by scammers.

The WHOIS details are anonymous, and the website has been carefully excised of any identifying information.

Most of the text (and indeed the whole concept) has been copy-and-pasted from Slogold.net who seem to be a real company with real contact details. They even go so far as to warn people of various scams using the Slogold name.

The following factors indicate that this is a scam, and sending them money would be a hugely bad idea:
  1. The site is promoted through spam (this sample was sent to a spamtrap)
  2. The domain allcompanyformation.com has anonymous registration details and was created only in December 2013.
  3. There are no real contact details anywhere on the site.
  4. The text is copy and pasted (i.e. stolen) from other sites, primarily Slogold.net.
Avoid.


Friday, 4 July 2014

Scam: advocatesforyouths.org, Eem Moura, Tee Bello and other fake sites

Advocates for Youth is a legitimate campaign organisation that says that it "champions efforts to help young people make informed and responsible decisions about their reproductive and sexual health." It has a website at www.advocatesforyouth.org which was registered in 1996.

However, the domain advocatesforyouths.org is a completely fake rip-off of the legitimate advocatesforyouth.org site (note the extra "s") which is advertising itself through spam:

From:     Advocates for Youth [inboxteam6@gmail.com]
Reply-To:     Advocates for Youth [ljdavidson@advocatesforyouths.org]
Date:     2 July 2014 21:52
Subject:     Say No to FORCED MARRIAGE and HIV/AIDS
Mailing list:     xkukllsbhgeel of 668
Signed by:     gmail.com

Invitation Ref No: OB-22-52-30-J

OUR 12TH INTERNATIONAL YOUTH CONFERENCE ON “ EFFECTS OF TEENAGE MARRIAGE AND HIV/AIDS "

Advocates for Youth and co-organizers of the 12th international NGO's & CBO's conference on community Development and Development Planning have the pleasure to invite Youth Organizations, Socio Cultural Organizations, Community Based Organizations (CBO) Scholars, Researchers, Health Organizations, Professionals, Business Organizations (NGOs) Religion Organizations, Human Right Organizations & Women Groups to the International Conference on" Effects of Teenage Marriage and HIV/AIDS " taking place from Wednesday 20th - Friday 22nd August 2014 in U.S.A and Monday 25th August - Friday 29th August 2014 in The NETHERLANDS respectively.

This is the most important event in the framework of the fight to Educate the Youth on HIV/AIDS, Child Abuse, human and community development which will take place in Washington DC, United States of America from Wednesday 20th - Friday 22nd August 2014 in U.S.A and Monday 25th August - Friday 29th August 2014 in The NETHERLANDS respectively.

Advocates for Youth is registered 501(c) Non profit international organization whose aims & objectives are to empower individuals and communities worldwide through offering grants for business, education, economic enhancement, community development and environmental conservation, to support groups and organizations addressing social issues, youth ad women empowerment, and a variety of philanthropic projects through grants to non-profit organization; to provide education & information with view of limiting abuse and child molestation, to support and advocate on behalf of those infected and affected by the menace or abuse and neglect to promote the well-being of mankind by empowering the capacity of charitable organization to provide effective programs of quality.

This conference will bring together 1026 representatives of NGOs/CBOs and numerous numbers of interested individual participants from all over the world. The conference will be conducted on participatory bases with satellite plenary and simultaneous sessions followed by general and small group discussions.

SUPPORT: The conference receives financial support from CitiBank New York and United Nations Youth Commission etc. This sponsorship covers the following:

1. Return Airplane travel tickets for selected delegates from their home countries to venues of the event in Washington DC ( United States of America ) and The Hague City (The Netherlands), then back to their home countries.

2. Hotel accommodations in Washington DC ( United States ) only for selected delegates and their friends.

3. Medical insurance cover for delegates throughout the entire conference duration.

Advocates for Youth will not assume the responsibilities of any other costs other than those listed above.

NOMINATION & SELECTION OF PARTICIPANTS: Intending participants are requested to nominate between Five (5) to Ten (15) active members to participate. Participants should be from 14 years and above (Male or Female).

REGISTRATION PROCESS: To register to take part in this Conference, please request for the International Delegates Registration form and other conference information. The request for registration form and other conference information should be addressed to the Secretary:

Linara J. Davidson
Secretary, Advocates for youth
2000 M Street, NW Suite 750,
Washington DC 20036,
United States of America,
Tel: +1 202.600.9543
Fax: + 1 650.747.4401
Email: ljdavidson@advocatesforyouths.org
Website: http://www.advocatesforyouths.org

While we anticipate your earliest response, you are advised to contact the Secretary by email and we look forward to meeting up with you and your group in Washington DC and The Hague City to assert a new change for a stronger society.

Announcer !!!

Debra Hauser
President, Advocates for youth,
Washington DC
U.S.A.
Email: debra.hauser@advocatesforyouths.org

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer: The CAN-SPAM Act of 2003 (Controlling the Assault of Non-Solicited Pornography and Marketing Act) establishes requirements for those who send commercial email, spells out penalties for spammers and companies whose products are advertised in spam if they violate the law, and gives consumers the right to ask mailers to stop spamming them. The above mail is in accordance to the Can Spam act of 2003: There are no deceptive subject lines and is a manual process through our efforts on World Wide Web. You can opt out by sending mail to email id mention here and we ensure you will not receive any such mails.
In this case the email originates from 217.120.44.73 (Ziggo / Groningen, Netherlands) and was sent to a spam trap.

The fake site is almost a bit-for-bit copy of the legitimate site, but things like the Contact Details page are slightly different:


The fake site has a telephone number of 202.600.9543 and a fax number of 650.747.4401. The fax number is in California, and the "202" telephone number appears to be Washington.. but on closer examination it looks like a VOIP (internet phone) number which could possibly be anywhere in the world.


But the fake site looks utterly convincing. Mostly because it is cloned directly from the legitimate site. (See screenshot above)
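Both advocatesforyouths.org in this post and brunerinvestment.com in the Brunner post earlier on this page work by putting a protected name, or something one letter away from it, into the domain. The following is an added example (not code from the post) of the check a defender can run over newly registered or newly seen domains: it takes the legitimate domains named in the posts (brunner.co.uk and advocatesforyouth.org) as the protected set and flags any domain whose first label contains one of those names exactly or within one edit. Taking the first label instead of using a public-suffix list is an assumption made to keep the example self-contained; a production version would use one. Spoofs like cars4cashuk.com, which do not reuse the brand name in the domain, are outside what this check can see.

```python
"""Flag lookalike (typosquat) domains against a set of protected names (added example).

Not the post's code. BRAND_DOMAINS comes from the legitimate sites the posts name.
"""

# Legitimate domains named in the posts; their first label is the protected name.
BRAND_DOMAINS = {"brunner.co.uk", "advocatesforyouth.org"}


def levenshtein(a, b):
    """Edit distance (insert / delete / substitute) via the two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalise(domain):
    """Lower-case and drop a leading 'www.'."""
    d = domain.lower().strip(".")
    return d[4:] if d.startswith("www.") else d


def first_label(domain):
    """Assumption: no public-suffix list, so the first label stands in for the
    registrable name ('brunner.co.uk' -> 'brunner')."""
    return normalise(domain).split(".")[0]


PROTECTED = {first_label(d) for d in BRAND_DOMAINS}


def fuzzy_contains(label, name, max_dist=1):
    """True if some window of `label` (length len(name) +/- 1) is within
    `max_dist` edits of `name`. Catches 'bruner' inside 'brunerinvestment'."""
    n = len(name)
    best = None
    for width in (n - 1, n, n + 1):
        if width <= 0 or width > len(label):
            continue
        for i in range(len(label) - width + 1):
            d = levenshtein(label[i:i + width], name)
            if best is None or d < best:
                best = d
    return best is not None and best <= max_dist


def classify(domain):
    """'brand' for a known legitimate domain, 'lookalike' if the first label
    contains a protected name (exactly or one edit away), else 'unrelated'."""
    if normalise(domain) in BRAND_DOMAINS:
        return "brand"
    label = first_label(domain)
    if any(fuzzy_contains(label, name) for name in PROTECTED):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for d in ("www.advocatesforyouth.org", "advocatesforyouths.org",
              "brunner.co.uk", "brunerinvestment.com", "cars4cashuk.com"):
        print(f"{d:30} {classify(d)}")
```

Note that brunner.com would be reported as a lookalike, not a brand, because it is not in BRAND_DOMAINS; that is the intended behaviour, since the allowlist, not the name alone, decides what is legitimate.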

The domain advocatesforyouths.org was registered on 24th May 2014 with anonymous details, and the mail handler is mailhostbox.com who are a legitimate commercial provider. But what most visitors to advocatesforyouths.org will not spot is that the domain just does a framed forward to another site googleones.in/advocates4youth/ which is where things get more complicated.
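A framed forward like the one described here is easy to miss in a browser but easy to spot in the HTML. The following is an added example (not code from the post): it parses a fetched page, collects every frame or iframe source, and reports those pointing at a host outside the domain being checked; a page that consists of an external frame and almost no text of its own is reported as a framed forward. The two HTML documents are constructed, the first to match the post's description of advocatesforyouths.org framing googleones.in/advocates4youth/, the second as a benign page with a same-site iframe; the 200-character text threshold is an arbitrary assumption.

```python
"""Detect a 'framed forward' to another host (added example, not the post's code)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class FrameCollector(HTMLParser):
    """Collect src attributes of <frame>/<iframe> tags and count visible text."""

    def __init__(self):
        super().__init__()
        self.frame_srcs = []
        self.text_chars = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("frame", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.frame_srcs.append(src)

    def handle_data(self, data):
        # Whitespace between tags is not content; everything else counts.
        self.text_chars += len(data.strip())


def analyse(page_host, html, max_text=200):
    """Return external frame hosts, the amount of own text, and a verdict.

    A frame source on `page_host` itself (or a subdomain, or a relative URL)
    is not external. The page is a framed forward when it has at least one
    external frame and no more than `max_text` characters of its own text."""
    parser = FrameCollector()
    parser.feed(html)
    page_host = page_host.lower()
    external = []
    for src in parser.frame_srcs:
        host = (urlsplit(src).hostname or "").lower()
        if host and host != page_host and not host.endswith("." + page_host):
            external.append(host)
    return {
        "external_hosts": external,
        "text_chars": parser.text_chars,
        "framed_forward": bool(external) and parser.text_chars <= max_text,
    }


# Constructed HTML matching the post's description of the fake site.
FAKE_SITE = """<html><head><title>Advocates for Youth</title></head>
<frameset rows="100%,*" frameborder="no">
<frame src="http://googleones.in/advocates4youth/" name="main">
<noframes>Your browser does not support frames.</noframes>
</frameset></html>"""

# Constructed benign page: real content plus a same-site iframe.
BENIGN_SITE = """<html><head><title>Example Org</title></head><body>
<h1>Welcome</h1><p>Some genuine content written by the site owner.</p>
<iframe src="/widgets/map.html"></iframe>
<iframe src="https://cdn.example.org/embed.html"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(analyse("advocatesforyouths.org", FAKE_SITE))
    print(analyse("example.org", BENIGN_SITE))
```

Run against the live page, the host that comes back in external_hosts is the one whose hosting and WHOIS records are worth pulling next, which is exactly the pivot the rest of this post makes.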

googleones.in is hosted on 74.122.193.45, a Continuum Data Centers IP reallocated to:

OrgName:        Ajay Kumar
OrgId:          AK-7
Address:        801 Main St NW
City:           Lenoir
StateProv:      NC
PostalCode:     28645
Country:        US
RegDate:        2012-11-30
Updated:        2012-11-30
Ref:            http://whois.arin.net/rest/org/AK-7

OrgAbuseHandle: SNM9-ARIN
OrgAbuseName:   machiwala, shazim nizar
OrgAbusePhone:  91 22 26782833
OrgAbuseEmail:  shazim@ideastack.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/SNM9-ARIN

OrgTechHandle: SNM9-ARIN
OrgTechName:   machiwala, shazim nizar
OrgTechPhone:  91 22 26782833
OrgTechEmail:  shazim@ideastack.com
OrgTechRef:    http://whois.arin.net/rest/poc/SNM9-ARIN


The domain is registered to:

Registrant Name:Ziggo Ziggo
Registrant Organization:N/A
Registrant Street1:stadhoudersstraat
Registrant Street2:
Registrant Street3:
Registrant City:rijswijk
Registrant State/Province:Zuid-Holland
Registrant Postal Code:2282pm
Registrant Country:NL
Registrant Phone:+31.0657392939
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:alzaidaemirates@hotmail.com


The "alzaidaemirates@hotmail.com" address doesn't really seem to tally with the Netherlands address, but it does link in with some other contents of the server. Incidentally, Rijswijk isn't very close to Groningen (it's a 233 km drive), so the spammer's IP doesn't match the WHOIS details.

Interestingly, the root directory of googleones.in is open, and this is where it gets complicated.

We can see folders with the following names:
  • advocates4youth/
  • alz/
  • cgi-bin/
  • eem/
  • eemtholland/
  • tbello/
"advocates4youth" contains the fake Advocates For Youth site, as already discussed.

Al-zaida Emirates

"alz" is a site called "Al-zaida Emirates" which is a ripoff of the legitimate Zamil Group Holding Company. The most obvious difference is that the "Al-zaida" site has an "Apply For Loan" button which marks it out as some sort of finance scam.

EEM Moura and TEE Bello (part 1)

The next fake site is under "eem" which advertises itself as "EEM MOURA & TEE BELLO Group of Companies". This site is a slightly-altered copy of the legitimate Alpha Group.


There is perhaps a clue here under "Shipping" which could be advertising for a Parcel Mule job (i.e. laundering stolen goods).

EEM MOURA & TEE BELLO (part 2) [eemthollandbv.nl]

There is another fake "EEM MOURA & TEE BELLO" site in the folder "eemtholland" (and using the forwarder domain eemthollandbv.nl). This differs from the other site in being a fake shopping site, a poor copy of the legitimate HollandForYou.com site.


This fake site is also likely to be recruiting people for a parcel reshipping scam.

Hotel T. Bello

The final fake site is filed under "tbello" (sounds familiar?) and is supposedly the "Hotel T. Bello" in Den Haag (The Hague). It is a poor copy of the InterContinental Amstel Amsterdam.


Perhaps the "Hotel T Bello" is a fake hotel for the delegates to the fake "Advocates for Youth" conference that was advertised in the original spam.. that is certainly one way that these conference scams work.

There is not a single legitimate site on this server. Avoid.

Monday, 30 June 2014

Fake job offer: Edwards Electrical and Mechanical / Edward Electricals Y Mecánicos (edwards-elec.com)

Edwards Electrical and Mechanical is a wholly legitimate contractor based in Indianapolis in the US. This spam message is not from them, but from someone abusing their name.

From:     Charles Benneth [tonyudeani@n-tocomisltd.com]
Reply-To:     charles_trading@outlook.com
To:   
Date:     30 June 2014 01:49
Subject:     Part-Time Job Offer


Estimado Señor / Señora

Tenemos una vacante para el puesto de oficial de cuentas por cobrar. ¿Te
gustaría trabajar desde su casa y obtener semanal remunerado? Estamos
ofreciendo esta posición a todos los solicitantes interesados. Por favor,
lea atentamente. Esta oportunidad de empleo está dirigido a proporcionar
parte / los solicitantes de empleo a tiempo completo, y también a las
personas que quieran trabajar desde casa, y se les paga semanalmente por
la recepción de pagos de nuestros clientes de deducir la comisión y
remitir el equilibrio. Envíe sus informaciones para obtener más detalles.

Nombre Completo
Contacto Inicio Dirección Plus Código Postal (No P O Box)
número de teléfono
edad
Fax Si Cualquiera
Un reconocimiento rápido de la recepción de este correo electrónico será
apreciada.

Gracias por su comprensión total.

Charles Benneth
Presidente / CEO
Edward Electricals Y Mecánicos.
http://www.edwards-elec.com/index.php
This translates roughly as:

Dear Sir / Madam

We have a vacancy for the position of Accounts receivable officer. Do you
would like to work from home and get paid weekly? We are
offering this position to all interested applicants. Please
read carefully. This employment opportunity is targeted at providing
part / applicants for full-time employment, and also to
people who want to work from home and get paid weekly by
receiving payments from our clients, and deducting fees
remit the balance. Send information for details.

Full Name
Contact Home Address Plus Zip (No PO Box)
phone number
age
Fax If Any
A quick recognition of the receipt of this email will
appreciated.

Thank you for your full understanding.

Charles Benneth
President / CEO
Edward Electricals and Mechanical.
http://www.edwards-elec.com/index.php 

The job is actually money laundering, which is a criminal activity. The email solicits replies to the free email address of charles_trading@outlook.com and originates from 41.58.2.22 (Swift Networks, Lagos, Nigeria) via 188.40.62.68 (node3.trudigits.com / Hetzner, Germany).

Unless you want to spend some time in jail, I would recommend giving this particular Nigerian scam a wide berth.

Thursday, 15 May 2014

"Advertising for Red Bull (Energy Drink)" car wrap scam

This spam does not come from Red Bull or anybody related to them:

From:      RED-BULL CARADVERT
Reply-To:      rolandbest196@gmail.com
Subject:      Advertising for Red Bull (Energy Drink) 05/13 /2014

Hello,

We are currently seeking to employ individual's world wide. How would you like to make money by simply driving your car advertising for RED BULL.

How it works?

Here's the basic premise of the "paid to drive" concept: RED BULL seeks people -- regular citizens,professional drivers to go about their normal routine as they usually do, only with a big advert for "RED BULL" plastered on your car. The ads are typically vinyl decals, also known as "auto wraps,"that almost seem to be painted on the vehicle, and which will cover any portion of your car's exterior surface.

What does the company get out of this type of ad strategy? Lots of exposure and awareness. The auto wraps tend to be colorful, eye-catching and attract lots of attention. Plus, it's a form of advertising with a captive audience,meaning people who are stuck in traffic can't avoid seeing the wrapped car alongside them. This program will last for 3 months and the minimum you can participate is 1 month.

You will be compensated with $300 per week which is essentially a "rental"payment for letting our company use the space no fee is required from you RED BULL shall provide experts that would handle the advert placing on your car. You will receive an up front payment of $300 inform of check via courier service for accepting to carry this advert on your car.

It is very easy and simple no application fees required contact email along with the following you are interested in these offer.
rolandbest195@gmail.com

Full Name:
Address:
City:
State:
Zip code:
Country:
Make of car/ year:
Telephone numbers:

We shall be contacting you as soon as we receive this information.

Kind Regards
Roland Best
Hiring Manager,
Red Bull™

It's a scam.. but what is the scam exactly? The whole process is nicely detailed here, but essentially the scammers send you a fake cheque ("check" in the US) as payment. This cheque includes an amount that you are meant to pay the "graphic artist" for the work needed to create the wrap. Of course, once you have sent your own money to the "artist" (in reality a scam artist) the fake cheque will be rejected, and you will end up out of pocket (and possibly in trouble with the police or bank for fraud).

The overpayment scam is a common one, and it is used in all sorts of different set-ups. If anyone sends you a cheque and then asks you to pay it in and forward some of the money elsewhere then you can almost guarantee that someone is trying to rip you off.

Wednesday, 7 May 2014

unitedtraderegister.eu / europeantraderegister.net spam

This spam is attempting to solicit signups for a worthless "World Trade Register" website.

From:     utr@unitedtraderegister.eu
Date:     7 May 2014 00:04
Subject:     Are you ready?
Signed by:     unitedtraderegister.eu

Dear Partner,

In order to have your company inserted in the
global trade register of partner companies for
the 2015/2016 edition you must print, complete
and send the enclosed form before the end of
next week to the following address:

World Trade Register
P.O. Box 3079
3502 GB Utrecht
The Netherlands

or fax it to:
Fax: +31 205 248 107

or reply to this email and attach the form to it.

Updating is free of charge!
To unsubscribe please visit this link:
unitedtraderegister.eu/unsubscribe.php?email=info@[redacted]
In case the form is missing you can download it here:
unitedtraderegister.eu/wtr.pdf

The company behind this spam is a ROKSO-listed organisation called World Company Register / EU Business Register. A ROKSO listing basically means that this is one of the worst spammers currently in the world.

unitedtraderegister.eu forwards to europeantraderegister.net (and worldtraderegister.net is on the same server). This is an old-fashioned directory scam and it should be ignored.

Thursday, 24 April 2014

"Atlanta Consulting" fake job offer, atlantaconsulting.net / atlantaconsulting.us / atlantaconsulting.co

This fake job offer comes from a bunch of scammers passing themselves off as "Atlanta Consulting" (not to be confused with several legitimate firms of similar names).

From:     Gertrude Holden [multivariate88@afes.com]
Date:     24 April 2014 14:16
Subject:     Vacancy

Good Day!

A new advanced vacant position is available!

I am a chief personnel officer of an Australian consulting company. We deal with non-typical business solutions. Also we introduce different outsourcing solutions. Presently we have many clients in Europe. To anticipate our cooperation with them, we need to find few regional managers.
We offer a part-time employment and opportunity to advance. Also we provide free elementary training. Initial salary is 2000 euro. If our offer is interesting to you, please send your answer on our e-mail:

info @ atlantaconsulting . net   (remove spaces before sending email)

specifying your country, city of residence, contact telephone number and desired time for call. Our managers work 24 hours for you!

Best regards!
GERALD DAMIEN

The following domains are all part of the same scam:
atlantaconsulting.net
atlantaconsulting.co
atlantaconsulting.us


The WHOIS details for the domains are undoubtedly fake and are certainly not Australian:

Administrative Contact ID:                   COCO-5041
Administrative Contact Name:                 John Carpenter
Administrative Contact Address1:             831 Ridgeview Dr
Administrative Contact City:                 Frankfort
Administrative Contact State/Province:       KY
Administrative Contact Postal Code:          40601
Administrative Contact Country:              United States
Administrative Contact Country Code:         US
Administrative Contact Phone Number:         +1.6064521498
Administrative Contact Email:                jjcarp9@gmail.com


There's a flashy website with no real substance..


The sites are hosted on 151.236.22.16 (EDIS GmbH, US) and the email in this case originated from 190.67.150.55 in Colombia.

The so-called job is going to be money laundering, or perhaps parcel reshipping (described in the video below) or some other scam which will involve you doing something illegal. Avoid.