Sponsored by..

Sunday, 2 March 2014

seekcousa.com / seekconz.com fake job offer

This job offer from seekcousa.com or seekconz.com is bogus:

Date:      1 Mar 2014 15:53:11 +0700 [03:53:11 EST]
Subject:      Offer

We are offering a shipping manager assistant position.
We are offering a distant job.

The job routine will take 2-3 hours per day and requires absolutely no investment.
You will work with big shops, suppliers, factories all around the States.
The communication line will flow between you and your personal manager, you will receive orders via email and phone,
and our trained manager will be with you while every step to help you to work out first orders and answer any questions which may appear.
The starting salary is about ~2800 USD per month + bonuses.

You will receive first salary in 30 days after you will successfully complete your first task.
When the first working month will be over you will have a right to receive salary every 2 weeks.
The bonuses are calculated on the very last working day of each month,
and paying out during a first week of the next month.

We will accept applications this week only!
To proceed to the next step we should register you in HR system so we will need a small piece of your personal information.

Please fill in the fields:
Full_name:
Phone_number:
Email_address:
City_of_residence:

We need your personal information to create HR file only,
it will stay secure on the separate server till the moment it will be deleted (which take place every 2 days),
and only HR people will have access to it.

Please send your answer to my secured email manager@seekcousa.com
 I will reply you personally as soon as possible.

Sincerely,
Rudy 
From the job description, this appears to be some sort of parcel mule scam or other criminal activity. This video explains how a parcel reshipping scam works:


seekcousa.com is regsitered with Chinese registrar BIZCN, and the WHOIS details are fake:
Registrant Name: Ernest Dubose
Registrant Organization: Ernest D. Dubose
Registrant Street: 129 Oakridge Lane
Registrant City: Irving
Registrant State/Province: TX
Registrant Postal Code: 75038
Registrant Country: us
Registrant Phone: +1.4699959821
Registrant Phone Ext:
Registrant Fax: +1.4699959821
Registrant Fax Ext:
Registrant Email: info@seekcousa.com
Registry Admin ID:



seekconz.com is also registered with BIZCN, but with different fake details:
Registrant Name: Nickolas Gordon
Registrant Organization: Nickolas R. Gordon
Registrant Street: 4930 Clarence Court
Registrant City: Ontario
Registrant State/Province: CA
Registrant Postal Code: 91762
Registrant Country: us
Registrant Phone: 909-988-6071
Registrant Phone Ext:
Registrant Fax: 909-988-6333
Registrant Fax Ext:
Registrant Email: info@seekconz.com


There is no website associated with either of these domains, but there are mail records of mx.seekconz.com and mx.seekcousa.com pointing to 93.190.137.5 (Worldstream, Netherlands). Nameservers involved in the fraud are ns1.friscolakesgc.net hosted on the same IP and ns2.friscolakesgc.net hosted on 32.21.129.43 (AT&T, US).

We can dig a little deeper on those nameserver records, they have fake WHOIS details as well:
Registrant Name: ROSEMARY CARPIO
Registrant Organization:
Registrant Street: 701 Collins Ave, Apt 4B
Registrant City: MIAMI BEACH
Registrant State/Province: FL
Registrant Postal Code: 33139-6203
Registrant Country: US
Registrant Phone: +1.7868777722
Registrant Phone Ext.:
Registrant Fax:
Registrant Fax Ext.:
Registrant Email: haveacupoft@gmx.us
Registry Admin ID:


These fake details also appear on a domain airnavrace.net which is used as a namserver domain for the following domains and uses the following IPs:
quarter.su
147.249.171.10 (IDD Information Services, US)
42.96.195.183 (Alibaba, China)

.su domains are usually bad news, and I suspect that quarter.su is up to no good. The WHOIS details for this domain don't give much detail..

domain: QUARTER.SU
nserver: ns1.aim-darts.net.
nserver: ns1.airnavrace.net.
state: REGISTERED, DELEGATED
person: Private Person
e-mail: bartels@xrbox.com
registrar: R01-REG-FID
created: 2013.12.09
paid-till: 2014.12.09
free-date: 2015.01.11
source: TCI


That domain is multihomed on a bunch of IPs:

176.53.125.6 (Radore Veri Merkezi Hizmetleri, Turkey)
37.255.241.29 (TCE, Iran)
108.81.248.139 (William Allard / AT&T, US)
65.27.155.176 (Time Warner Cable, US)
203.235.181.138 (KRNIC, Korea)
95.57.118.56 (Dmitry Davydenko , Kazakhstan)
186.214.212.64 (Global Village Telecom, Brazil)
89.39.83.177 (C&A Connect SRL, Romania)

This, it turns out is the tip of a very large iceberg of malicious domains and IPs which I will cover in the next post.

4 comments:

abuse said...

JOBINHUNGARY.COM is another spamvertized "work-at-home" advance fee fraud scam domain, with a supporting domain "SECURETHOUGHT.NET".
Note the "haveacupoft@gmx.us" throwaway email account... Shared by D.Duffin and R.Carpio... :-]

Domain Name: JOBINHUNGARY.COM
Creation Date: 2014-03-23T10:45:40Z
Registrar: Bizcn.com,Inc.
Registrant Name: Clarissa French
Registrant Organization: Clarissa B. French
Registrant Street: 1264 Kessla Way
Registrant City: Daniel Island
Registrant State/Province: SC
Registrant Postal Code: 29492
Registrant Country: us
Registrant Phone: 843-330-4098
Registrant Fax: 843-330-4212
Registrant Email: info@jobinhungary.com
Name Server: ns1.securethought.net
Name Server: ns2.securethought.net


Domain Name: SECURETHOUGHT.NET
Creation Date: 2014-02-28 10:06:08
Registrar: TUCOWS, INC.
Registrant Name: Donna Duffin
Registrant Organization: Donna Duffin
Registrant Street: 12994 Spring Lake Dr
Registrant City: COOPER CITY
Registrant State/Province: FL
Registrant Postal Code: 33330-2749
Registrant Country: US
Registrant Phone: +1.9544349033
Registrant Email: haveacupoft@gmx.us
Name Server: NS1.SECURETHOUGHT.NET
Name Server: NS2.SECURETHOUGHT.NET

abuse said...

JOBINHUNGARY.COM is another spamvertized "work-at-home" advance fee fraud scam domain, with a supporting domain "SECURETHOUGHT.NET".
Note the "haveacupoft@gmx.us" throwaway email account... Shared by D.Duffin and R.Carpio... :-]

Domain Name: JOBINHUNGARY.COM
Creation Date: 2014-03-23T10:45:40Z
Registrar: Bizcn.com,Inc.
Registrant Name: Clarissa French
Registrant Organization: Clarissa B. French
Registrant Street: 1264 Kessla Way
Registrant City: Daniel Island
Registrant State/Province: SC
Registrant Postal Code: 29492
Registrant Country: us
Registrant Phone: 843-330-4098
Registrant Fax: 843-330-4212
Registrant Email: info@jobinhungary.com
Name Server: ns1.securethought.net
Name Server: ns2.securethought.net


Domain Name: SECURETHOUGHT.NET
Creation Date: 2014-02-28 10:06:08
Registrar: TUCOWS, INC.
Registrant Name: Donna Duffin
Registrant Organization: Donna Duffin
Registrant Street: 12994 Spring Lake Dr
Registrant City: COOPER CITY
Registrant State/Province: FL
Registrant Postal Code: 33330-2749
Registrant Country: US
Registrant Phone: +1.9544349033
Registrant Email: haveacupoft@gmx.us
Name Server: NS1.SECURETHOUGHT.NET
Name Server: NS2.SECURETHOUGHT.NET

abuse said...

domains used by these scammers/spammers:

part1:

world-jobsearch.com
web-newcareer.com
new-joboffers.com
europe-career.com
it-jobsearch.com
simple-jobneed.com
careerinhubs.com
career-lists.com
europjobshire.com
europasciencejob.com
businesinsiders.com
europjobs.eu
eucvs.com (14-FEB-2013) - DOMAINOS.CA INC. - Intersolved, LLC
seekeur.com
jobsineuropa.com
nationaljobeur.com (27-FEB-2013) - CLASSDOMAINNAMES.COM, INC. - Intersolved, LLC - 66.151.181.32
eurjobware.com
jobsinhubbs.com
jobbsineu.com
obbsineuropa.com (14-MAR-2013) - BACKUP.CA CORPORATION - Intersolved, LLC - 66.151.181.32
jobbsrapido.com
careersbuilders.net
expoeujob.com
fastjob-europe.com
internationaljobbs.com
europnewcareer.com
exposurejobbs.com
mycareereurop.com
eurowebjobs.com
eurjobplus.com
eurojoboard.com
eurojobbs.com
europa-career.com
europacareer.com
europjobcareer.com
renovation-corp.biz
eurjobseek.com
eceurop.com
jobeuractiv.com
eceuropaeu.com
bgtiptopjob.com
employmenteu.com (2014-01-10 10:53:30) - GoDaddy.com, LLC - Red-mans - 208.109.181.9
eurojobbnet.com (25-SEP-2013) - BACKUP.CA CORPORATION - Intersolved, LLC - 208.73.211.152, 208.73.211.172, 208.73.211.196, 208.73.211.199, 208.73.211.235
ukitcareer.com (2013-10-19T00:00:00Z) - HEBEI GUOJI MAOYI (SHANGHAI) LTD DBA HEBEIDOMAINS.COM - Privacy Protection Service - 69.43.160.200
wingstrans.org
jobsasuk.com
pracainteria.com
xpatjobsuk.com
workeuropenet.com (2014-01-12 20:27:08) - GoDaddy.com, LLC - Domains By Proxy, LLC - 174.137.132.45
eurocitieseu.com
wikijobcouk.com
eurocitieseu.com
wikijobcouk.com
workeuropaeu.com
eurobrussell.com
jobbinamsterdam.com
careerabroadinfo.com
newcareerbuildes.com
e-commerceeu.com (21-jan-2014) - DOMAINHYSTERIA - 69.43.161.134
pluseurojob.com (23-jan-2014) - BURNSIDEDOMAINS - 69.43.161.134
karriereat.com (23-jan-2014) - DOMAINSURGEON - 69.43.161.134
europ-commerce.com
germanyjobb.com
ceo-europ.com
munkahu.com
neweurowork.com
job-ineurop.com
1hungary-job.com
italialavoroit.com (07-mar-2014) - OLDTOWNDOMAINS - 208.73.211.152, 208.73.211.172, 208.73.211.196, 208.73.211.199, 208.73.211.235
new-eurojob.com
munka-hu.com
jobmonitorhu.com

abuse said...

part 2:

ineurojob.com (05-feb-2013) - BIZCN.COM, INC.
jobeuronet.com (06-feb-2013) - BIZCN.COM, INC.
jobpilotde.com (10-feb-2013) - BIZCN.COM, INC.
professionhu.com (11-feb-2013) - REGTIME LTD.
jobpilotde.com (10-feb-2013) - BIZCN.COM, INC.
jobeuronet.com (06-feb-2013) - BIZCN.COM, INC.
europswork.com (2013-02-24T17:59:35Z) - Bizcn.com,Inc. - Connie J. Grooms - 68.68.105.171
jobseuropenet.com (2013-03-12T17:17:01Z) - Bizcn.com,Inc. - Krystin B. Williams - 68.68.105.171
europacareers.com (2013-03-24T17:44:42Z) - Bizcn.com,Inc. - Nelson H. Garcia
consultinevropa.com (2013-03-24T17:43:38Z) - Bizcn.com,Inc. - Marybeth J. Velazco
myjobbg.com (2013-04-02T11:13:50Z) - Bizcn.com,Inc. - Stuart S. Webb
eurojobsconsulting.com (06-apr-2013) - BIZCN.COM, INC.
euro-jobsconsulting.com (2013-04-08T07:39:46Z) - Bizcn.com,Inc. - Robert A. Spurlock
myjobde.com (2013-04-08T21:08:12Z) - Bizcn.com,Inc. - Willie L. Shores
google-germany.com (2013-05-20T20:35:33Z) - Bizcn.com,Inc. - Brenda J. Landis
google-eurojob.com (2013-05-12T11:46:14Z) - Bizcn.com,Inc. - Ellen E. Palmer
googlein-de.com (2013-05-26T13:48:06Z) - Bizcn.com,Inc. - Marilyn J. Rader
jobgoogle-eu.com (2013-06-03T22:22:34Z) - Bizcn.com,Inc. - Richard N. Tetreault
googlejob-eu.com (2013-06-10T21:31:34Z) - Bizcn.com,Inc. - Stephen E. Black
europcv.com (2013-07-23T07:07:41Z) - Bizcn.com,Inc. - Sandra C. Engel - 199.59.243.107, 199.59.243.108, 199.59.243.109, 199.59.243.105, 199.59.243.106
googleapps-gb.com (2013-08-07T11:53:47Z) - Bizcn.com,Inc. - John V. Perry - 199.59.243.106, 199.59.243.107, 199.59.243.108, 199.59.243.109, 199.59.243.105
googleapps-euro.com (2013-08-14T14:38:33Z) - Bizcn.com,Inc. - Jeannette M. Clark
carrer-trade.com (2013-08-20T15:55:51Z) - Bizcn.com,Inc. - Willie W. Cooper
neweurowork.com
worlds-diploms.com (2013-08-26T18:35:35Z) - Bizcn.com,Inc. - Boudreau ltd
evropa-career.com (04-sep-2013) - BIZCN.COM, INC.
europcareer.com (2013-09-08T19:43:14Z) - Bizcn.com,Inc. - Helen J. Samples
googleapps-jobs.com (2013-09-18T20:18:32Z) - Bizcn.com,Inc. - Ruth J. Carrington - 199.59.243.108, 199.59.243.109, 199.59.243.105, 199.59.243.106, 199.59.243.107
jobmark-eu.com (2013-09-20T13:50:35Z) - Bizcn.com,Inc. - Larry J. Stevenson
england-trading.com (2013-10-04T20:27:40Z) - Bizcn.com,Inc. - Lisa J. Carter
jobs-consult.com (2013-10-14T19:34:49Z) - Bizcn.com,Inc. - John L. Ontiveros
consult-trading.com (2013-10-03T17:42:58Z) - Bizcn.com,Inc. - John W. Barker
jobshungary.com (2014-01-23T15:44:29Z) - Bizcn.com,Inc. - Paula B. Knight
jobinhungary.com (2014-03-23T10:45:40Z) - Bizcn.com,Inc. - Clarissa B. French - MAIL(1st): mx.jobinhungary.com -> 108.59.249.55