Tuesday, 30 October 2012

reedcouk.com fake job offer / Fort Huachuca hacked?

This fake job offer from "reedcouk.com" is trying to recruit people for money laundering or other criminal activities; it is not from the real reed.co.uk. However, part of the infrastructure supporting this scam appears to belong to the US military.

From:     sales@[victimdomain].com
To:     sales@[victimdomain].com
Date:     30 October 2012 22:33
Subject:     Employment opportunity

I would like to take this time to welcome you to our hiring process
and give you a brief synopsis of the position's benefits and requirements.

If you are taking a career break, are on a maternity leave,
recently retired or simply looking for some part-time job, this position is for you.

Occupation: Flexible schedule 2 to 8 hours per day. We can guarantee a minimum 20 hrs/week occupation
Salary: Starting salary is 2000 GBP per month plus commission, paid every month.
Business hours: 9:00 AM to 5:00 PM, MON-FRI, 9:00 AM to 1:00 PM SAT or part time (UK time).

Region: United Kingdom.

Please note that there are no startup fees or deposits to start working for us.

To request an application form, schedule your interview and receive more information about this position
please reply to Bob@reedcouk.com with your personal identification number for this position IDNO: 0797

The spam appears to come "from" the recipient's own email address (here's why). The bogus domain reedcouk.com is registered as follows:

   Lavern E. Davis
   Lavern Davis info@reedcouk.com
   816-680-7849 fax: 816-680-7331
   4218 White Oak Drive
   Strasburg MO 64090
   us


The domain was registered on 30th October 2012 (today!) via BIZCN.COM, a crime-friendly domain registrar in China. Mail for this domain is handled by a server at 46.249.46.161 (Serverius, Netherlands) which is also ns1.zupyx.net, one of the nameservers for the fake reedcouk.com domain. Who owns zupyx.net? That looks like another fake registration:

      Vivian L Resnick
      221 Shaker Road
      Northfield, NH 03276-4444
      US
      Phone: +1.6032868211
      Email: clinicadelta@aol.com


zupyx.net was only registered on 19th September 2012. But the plot thickens if we look at ns2.zupyx.net (the other nameserver being used by reedcouk.com): it is hosted on 132.79.132.67, which appears to be a hacked US military server at Fort Huachuca:

NetRange:       132.79.0.0 - 132.79.255.255
CIDR:           132.79.0.0/16
OriginAS:      
NetName:        NGB-NGNET
NetHandle:      NET-132-79-0-0-1
Parent:         NET-132-0-0-0-0
NetType:        Direct Assignment
RegDate:        1990-03-05
Updated:        2008-12-24
Ref:            http://whois.arin.net/rest/net/NET-132-79-0-0-1

OrgName:        Headquarters, USAISC
OrgId:          HEADQU-3
Address:        NETC-ANC CONUS TNOSC
City:           Fort Huachuca
StateProv:      AZ
PostalCode:     85613
Country:        US
RegDate:        1990-03-26
Updated:        2011-08-17
Ref:            http://whois.arin.net/rest/org/HEADQU-3

OrgTechHandle: REGIS10-ARIN
OrgTechName:   Registration
OrgTechPhone:  +1-800-365-3642
OrgTechEmail:  registra@nic.mil
OrgTechRef:    http://whois.arin.net/rest/poc/REGIS10-ARIN


You have to bear in mind that this military installation deals with military intelligence, although you can be pretty certain that whatever server is running this bogus nameserver is public-facing only. Hopefully.

This IP address also hosts a suspicious domain called trabalharpt.com:

   Samantha K. Haley
   Samantha Haley info@trabalharpt.com
   +1.8127473193 fax: +1.8127473193
   778 Heliport Loop
   Blue Ash IN 45242
   us

Again, this is registered through BIZCN.COM in China, and was only registered one week ago on 24th October 2012. There's no reason for a domain like this to be hosted on what appears to be a US military server.

There are probably some other bad domains being supported by these nameservers, but I haven't been able to identify them yet.
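Two of the indicators this post leans on can be checked automatically on incoming mail: a From header identical to the To header, and a reply address whose domain is the legitimate brand with its dots squashed out (reed.co.uk becomes reedcouk.com), plus the "registered today" domain-age signal once a WHOIS creation date is known. This is an added example, not code from the post; the sample message and the brand list are constructed.

```python
import re
from datetime import date
from email import message_from_string

# Constructed sample modelled on the message quoted in the post; not the original headers.
SAMPLE = """From: sales@victim.example
To: sales@victim.example
Subject: Employment opportunity

To request an application form and schedule your interview please reply to
Bob@reedcouk.com with your personal identification number IDNO: 0797
"""

# Legitimate domains to protect from dotless imitation (assumed list; extend as needed).
BRANDS = ["reed.co.uk"]

# Captures the domain part of any e-mail address found in the body text.
EMAIL_DOMAIN = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def dotless_lookalike(domain, brands=BRANDS):
    """Return the brand that `domain` imitates by collapsing the brand's dots
    into a single label (reed.co.uk -> reedcouk.com), or None if it matches none."""
    label = domain.lower().split(".")[0]
    for brand in brands:
        if label == brand.lower().replace(".", ""):
            return brand
    return None


def newly_registered(created, observed, max_days=30):
    """True if a WHOIS creation date (ISO string) falls within max_days before the
    date the message was observed (ISO string): the post's 'registered today' signal."""
    age = (date.fromisoformat(observed) - date.fromisoformat(created)).days
    return 0 <= age <= max_days


def analyse(raw):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    sender = (msg["From"] or "").strip().lower()
    if sender and sender == (msg["To"] or "").strip().lower():
        findings.append("From equals To: sender address is spoofed as the recipient")
    for dom in sorted(set(EMAIL_DOMAIN.findall(msg.get_payload()))):
        brand = dotless_lookalike(dom)
        if brand:
            findings.append(f"reply address domain {dom} imitates {brand}")
    return findings
```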

5 comments:

1 said...

You can set anything you want as a nameserver for a domain. The IP referenced for NS2 doesn't respond to DNS requests so it's likely that they just tapped in an IP and randomly got that range or were having a laugh. It's not actively participating.

> reedcouk.com
Address: 132.79.132.67

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.

frazelle09 said...

Wow! You guys are awesome!

I was going to send this to Spam anyway, but I thought I'd just look it up for "kicks" - lol.

Thanks very much for keeping an eye out for the 'rest of us' and

have a wonderful evening! :)

Conrad Longmore said...

@1: yes, perhaps that's what is happening here, although the presence of trabalharpt.com on the same IP makes me think that there is something odd going on. Still, I pinged the Army guys with the issue and asked them to have a look.

Heather McCalley said...

I have seen the clinicadelta email address previously associated with fraudulent BHEK domains.

iw said...

Let us know how to stop these coming through. I'm getting between 6-10 a day.