Sponsored by..

Monday 8 September 2008

"Job Opportunity at Luksus" / luksus-jobs.org scam

Luksus Media is a wholly legitimate Finnish company, but this attempt to recruit a money mule does not come from Luksus, just from a company trying to trade on its name.

This scam is being run by the same people behind the Asprox SQL injection attacks that have been doing to rounds (more information after the email).




Subject: Job Opportunity at Luksus

We have reviewed your resume and would like to introduce you to our
current vacancy.
Luksus, with headquarters in Helsinki, Finland, serves the luxury
lifestyle and offers unparalleled access to the finest luxury
goods. We offer a unique mix of brands, partnerships, and product
expertise. We are currently hiring, work at home positions, to
provide administrative assistance with sales in North America.
Candidates for the job should possess excellent organizational
skills as well as the ability to efficiently multi-task. Ideal
candidates have a strong focus on day-to-day operational
excellence. The candidate should be motivated, proactive, be able
to learn and adapt quickly.

Other duties include, but are not limited to:

* Incorporating effective priorities for the virtual office function
* Administer day-to-day financial responsibilities for clients
* Reporting online daily
* Preparing brief summary reports, and weekly financial reports

Salary part-time (3 hours per day, Monday-Friday): $1,200/month,
plus commission.

If you are interested in this position please send us an email to
Sandra.Collins@luksus-jobs.org expressing your interest and we will
forward you the detailed job description and the working agreement.

Thank You,
Luksus Team



Normally, WHOIS data is pretty useless, but sometimes the email address can give a clue:

Domain ID: D153950800-LROR
Domain Name: LUKSUS-JOBS.ORG
Created On: 28-Aug-2008 11: 34: 57 UTC
Last Updated On: 28-Aug-2008 14: 23: 25 UTC
Expiration Date: 28-Aug-2009 11: 34: 57 UTC
Sponsoring Registrar: Bizcn.com, Inc. (R1248-LROR)
Status: CLIENT TRANSFER PROHIBITED
Status: TRANSFER PROHIBITED
Registrant ID: orgfm19923291709
Registrant Name: Fero Muia
Registrant Organization: Fero Muia
Registrant Street1: 3213 po box
Registrant Street2:
Registrant Street3:
Registrant City: New York
Registrant State/Province: NY
Registrant Postal Code: 12310
Registrant Country: US
Registrant Phone: +1.9917721121
Registrant Phone Ext.:
Registrant FAX: +1.9917721121
Registrant FAX Ext.:
Registrant Email: druid00091@aol.com
Admin ID: orgfm19923292728
Admin Name: Fero Muia
Admin Organization: Fero Muia
Admin Street1: 3213 po box
Admin Street2:
Admin Street3:
Admin City: New York
Admin State/Province: NY
Admin Postal Code: 12310
Admin Country: US
Admin Phone: +1.9917721121
Admin Phone Ext.:
Admin FAX: +1.9917721121
Admin FAX Ext.:
Admin Email: druid00091@aol.com
Tech ID: orgfm19923293349
Tech Name: Fero Muia
Tech Organization: Fero Muia
Tech Street1: 3213 po box
Tech Street2:
Tech Street3:
Tech City: New York
Tech State/Province: NY
Tech Postal Code: 12310
Tech Country: US
Tech Phone: +1.9917721121
Tech Phone Ext.:
Tech FAX: +1.9917721121
Tech FAX Ext.:
Tech Email: druid00091@aol.com
Name Server: NS1.RELEASEBPB.COM
Name Server: NS2.RELEASEBPB.COM


druid00091@aol.com is an address being used to register today's latest SQL injection domains too, proving that they are linked. releasebpb.com is a set of name servers which are only associated with malware domains, ns1.releasebpb.com is on 194.150.120.47 on ns2.releasebpb.com is on 20.31.85.15.

This type of fraud doesn't use a website to entice people, but it is looking for an email response. In this case, email is delivered to mx.luksus-jobs.org on 12.192.82.225 which is on the AT&T network.

It's hard to tell which of these IPs are part of the Asprox botnet and which ones are rented (usually with fake credit card details). Nonetheless, it gives a glimpse into just how large and efficient these operations can be.

No comments: