
Wednesday 14 September 2011

bundespol.com is not the Bundespolizei

Another fake Bundespolizei today: bundespol.com is registered through a Chinese registrar and then anonymised through a Chinese WHOIS privacy service.

The site doesn't resolve yet, but it is almost identical to bundespol.net, which was fingered in this attack. In that case, the fake Bundespolizei site was hosted on 188.229.97.2, which is Netserv Consult SRL in Romania (incidentally, blocking 188.229.0.0/17 will probably do you no harm).

There's a whole bunch of fake Bundespolizei at the moment, but I'm guessing that this particular bunch of scammers may well try the same thing in other countries very soon.

Monday 22 August 2011

HMRC phish: refund1-hmrc.com, refund2-hmrc.com, refund3-hmrc.com and refund4-hmrc.com

Here's a bunch of web sites and domains being used to peddle fake HMRC (UK tax office) refunds:

www.refund1-hmrc.com
www.refund2-hmrc.com
www.refund3-hmrc.com
www.refund4-hmrc.com
www.handler123.com

The fake emails look something like this:

From: HM Revenue & Customs Billing Department [mailto:hmrc@refund1-hmrc.com]
Sent: 22 August 2011 09:36
To: [redacted]
Subject: Billing Notifcation


Refund Notification


This e-mail has been sent to you by HM Revenue & Customs to inform you that we must pay you back 478 GBP.
Please complete all the information to process your refund

Please allow 2 weeks for you money to be availabe in your account. (eg: address, phone)
Total refund amount: 478 GBP

To ensure that your service is not interrupted, we request you to confirm and update your information today by following the link below:

Refund Notification


Thank you for your prompt attention to this matter. Do not reply to this e-mail.
Mail sent to this address cannot be answered.

Member [redacted]

© HM Revenue & Customs 2011 

The emails actually come from  refund1-hmrc.com, refund2-hmrc.com, refund3-hmrc.com and refund4-hmrc.com so

If you click through the link then you get a pretty standard phishing page trying to get credit card details, personal information and passwords.

The HMRC don't send tax refund messages by email, so any such notification should be considered bogus.

The phishing sites are hosted on 211.154.91.246 in China. Blocking that IP would be a good idea, but you could go further and block 211.154.64.0/19, as it looks like a cable modem range and there shouldn't really be any legitimate sites hosted there.

Domain registration details are clearly fake:


Domain Name.......... refund1-hmrc.com
  Creation Date........ 2011-08-22
  Registration Date.... 2011-08-22
  Expiry Date.......... 2012-08-22
  Organisation Name.... scotia bank
  Organisation Address. hah
  Organisation Address.
  Organisation Address. there
  Organisation Address. 123131
  Organisation Address. AL
  Organisation Address. UNITED STATES

Admin Name........... scotia bank
  Admin Address........ hah
  Admin Address........
  Admin Address........ there
  Admin Address........ 123131
  Admin Address........ AL
  Admin Address........ UNITED STATES
  Admin Email.......... bbuubbh2@yahoo.com
  Admin Phone.......... +1.1233213121
  Admin Fax............

Tech Name............ scotia bank
  Tech Address......... hah
  Tech Address.........
  Tech Address......... there
  Tech Address......... 123131
  Tech Address......... AL
  Tech Address......... UNITED STATES
  Tech Email........... bbuubbh2@yahoo.com
  Tech Phone........... +1.1233213121
  Tech Fax.............
  Name Server.......... ns1.refund1-hmrc.com
  Name Server.......... ns2.refund1-hmrc.com



The nameservers are hosted on 200.29.238.90 in Colombia (CONSULNETWORK LTDA).

Tuesday 12 July 2011

Fake HMRC site: confirm-hmrc.com / onlineservice.confirm-hmrc.com

This is a rather new phishing site, pretending to be a tax refund from the UK's HMRC agency pointing to the domain confirm-hmrc.com (subdomains www.confirm-hmrc.com and onlineservice.confirm-hmrc.com).

Although the phish looks convincing, the HMRC don't do tax refunds in this way. Usually they will just transfer the money to your bank account or alternatively send you a cheque. Furthermore, in my experience the HMRC only communicate by post and not electronic mail.

The site is hosted on 218.108.75.53 in China. The same server also hosts the fraudulent domains account-update-westernunion.com, account-westernunion.com and accounts-westernunion.com. The domain registration details are fake:

Domain Name.......... confirm-hmrc.com
  Creation Date........ 2011-07-12
  Registration Date.... 2011-07-12
  Expiry Date.......... 2012-07-12
  Organisation Name.... wu wu
  Organisation Address. 12 na
  Organisation Address.
  Organisation Address. miami
  Organisation Address. 12311
  Organisation Address. AL
  Organisation Address. UNITED STATES

Admin Name........... wu wu
  Admin Address........ 12 na
  Admin Address........
  Admin Address........ miami
  Admin Address........ 12311
  Admin Address........ AL
  Admin Address........ UNITED STATES
  Admin Email.......... sadasda@re.com
  Admin Phone.......... +1.12312312312
  Admin Fax............

Tech Name............ wu wu
  Tech Address......... 12 na
  Tech Address.........
  Tech Address......... miami
  Tech Address......... 12311
  Tech Address......... AL
  Tech Address......... UNITED STATES
  Tech Email........... sadasda@re.com
  Tech Phone........... +1.12312312312
  Tech Fax.............
  Name Server.......... ns2.confirm-hmrc.com
  Name Server.......... ns1.confirm-hmrc.com

Blocking traffic to 218.108.75.0/24 will probably do no harm.
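The two WHOIS records above share the same tells: a brand name embedded in the domain, nameservers inside the domain itself, registration on the day the phish was seen, filler address and phone fields, and a free webmail contact address. As an added example (not from the original post), here is a Python heuristic that parses this record layout and lists those red flags; the FREEMAIL and BRANDS sets are assumptions for illustration, and the sample record is constructed from the refund1-hmrc.com entry quoted above.

```python
import re
from datetime import date
# Constructed sample input: the refund1-hmrc.com WHOIS record quoted in the post, trimmed to the fields the heuristics use (values as on the page).
SAMPLE_WHOIS = """Domain Name.......... refund1-hmrc.com
  Creation Date........ 2011-08-22
  Organisation Address. hah
  Organisation Address. there
  Organisation Address. 123131
  Organisation Address. UNITED STATES
  Admin Email.......... bbuubbh2@yahoo.com
  Admin Phone.......... +1.1233213121
  Name Server.......... ns1.refund1-hmrc.com
  Name Server.......... ns2.refund1-hmrc.com
"""

FREEMAIL = {"yahoo.com", "gmail.com", "hotmail.com"}  # assumption: illustrative list
BRANDS = {"hmrc", "westernunion", "bundespol"}        # brands impersonated on this page

def parse_whois(text):
    """Turn 'Field....... value' lines into {field: [values]}; fields may repeat."""
    rec = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?)\.+\s*(.*)$", line)
        if m:
            rec.setdefault(m.group(1), []).append(m.group(2).strip())
    return rec

def fake_registration_indicators(text, seen_on):
    """Return the red flags found in a WHOIS record first seen on ISO date seen_on."""
    rec = parse_whois(text)
    domain = rec["Domain Name"][0].lower()
    flags = []
    created = date.fromisoformat(rec["Creation Date"][0])
    if (date.fromisoformat(seen_on) - created).days <= 1:
        flags.append("registered within a day of the phish being seen")
    if any(b in domain for b in BRANDS):
        flags.append("domain embeds a brand name it does not belong to")
    ns = [n.lower() for n in rec.get("Name Server", [])]
    if ns and all(n.endswith("." + domain) for n in ns):
        flags.append("nameservers are inside the domain itself")
    email = rec.get("Admin Email", [""])[0].lower()
    if email.rpartition("@")[2] in FREEMAIL:
        flags.append("contact email is a free webmail address")
    digits = re.sub(r"\D", "", rec.get("Admin Phone", [""])[0])
    if "123" in digits or "321" in digits or len(set(digits)) <= 3:
        flags.append("phone number is keyboard-walk filler")
    addr = rec.get("Organisation Address", [])  # rough rule: a real street line has a number and a name
    if not any(re.search(r"\d", a) and re.search(r"[A-Za-z]", a) for a in addr):
        flags.append("no address line looks like a real street address")
    return flags
```

Run it over a WHOIS dump for a suspected lookalike domain; several flags together are a strong signal, any single one on its own is not.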

Friday 22 April 2011

ygnetwork-ltd.com domain scam

This scam has been around for years - basically, you get an unsolicited email from a company claiming to be a domain registrar in China (it is usually China) that says that someone is trying to register a domain similar to one that you already own. The idea is that the recipient will panic and buy an overpriced and basically worthless domain from them.

If you are worried about domain poaching, then usually the best place to start is your own domain registrar or another well-known reliable vendor, rather than responding to this unsolicited approach.


From: John <john.chen@ygnetwork-ltd.com>
Date: 22 April 2011 06:26
Subject: Urgent notice of Intellectual Property protection

Dear Manager:

This email is from China domain name registration center, which mainly deal with the domain name registration and dispute internationally in China and Asia.
On April 21st 2011. We received HAITONG  company's application, they want to register " dynamoo" as its Internet keyword and CN/Asia domain names. It is china and Asia domain names. But after checking we find this domain name conflict with your company, in order to deal with this matter better, so we send you email, and want to confirm whether this company is your distributor or business partner in China?

I'm looking forward to hearing from you!

Best Regards,

John
Oversea marketing manager
Office: +86(0)21 6191 8696
Mobile: +86 1366152 9704
Fax: +86(0)21 6191 8697
web: www.ygnetwork-ltd.com

Friday 30 July 2010

"Toyton Ltd" / todayisp.com / dboxs.org scam

We've seen this scam before: an alleged Chinese registrar claims that someone is buying a domain name similar to the one that you want, in an attempt to scare you into buying overpriced domains that you do not need.

From: owen@dboxs.org
To: help@[domain name redacted]
Date: 30 July 2010 06:16
subject: [domain name redacted]

Dear [domain name redacted] team,

Our organization received a formal application from a company who is called Toyton Ltd are applying to register "[domain name redacted]" as their domain name and Internet keyword. In order to prevent cyber piracy,Please explain:

1: Whether this company is your IT supplier or distributor.

2: Whether you are interested in registering these domains first to preservation your company’s brand. (.cn .com.cn .net .asia .eu and keyword etc…)

We are now obligated to inform you this issue ,So we will handle the next step after this audit procedure. Pls understand.

Best regards       
Owen
Mww Group
Internet: www.todayisp.com
Internet: www.dboxs.org 
Email: Owen@dboxs.org

Confidentiality Statement:
The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not an intended recipient, any disclosure, copying, distribution, or other action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. If you have received this message in error please be advised of your obligation to immediately notify sender of the error in transmission, and to destroy all associated documentation.

I always love confidentiality statements on spam!

Both domains are Chinese registered and are hosted in Hong Kong. The email comes from a Chinese IP address.

Registrars are not responsible for checking trademarks. If they were, then domain registration would take days and cost a fortune. This is simply an attempt to rip you off.

Saturday 24 October 2009

Uh.. what?

A case of "WTF is this spam trying to do?" It looks like this noobie spammer thinks that sending out millions of copies of their banking details is going to be the path to riches, rather than (say) identity theft. The spam originates from 123.139.106.235 in Shaanxi Province, China, which matches the banking details.

Out of a possibly misguided sense of pity, I have omitted some of the digits from the account number!

Subject: Electronic mail messages webmaster:
From: "The webmaster"

HELLO:
You will actively support god. Each user donated $500 a lifelong use
email. As senior members...

You are christians, please send email forwarded others thirty times,
and charitable donations to me, god will bless you! God will
organization

hello:

Please send money into my account at Bank of China.
Bank name: the bank of China
A/CNO: 2979 7702 0007 xxx
INA/CWITH: Zhang Lu Xi
Address: 38 Juhua Yuan, Xi'an 710001, Shaanxi Prov., China
Swiftcode: BKCH CN BJ 620

You can use high-speed does not capture email


E-mail the webmaster 2009.10.23.

Wednesday 15 April 2009

"Yadu Investment Co., Ltd." / ntwifinetwork.com / tech-wifi.com

This email (supposedly from a Chinese domain registrar) follows a well-worn path of trying to sell useless names to owners of existing dot coms.

From: Joy [mailto:Joy@ntwifinetwork.com]
Sent: 10 April 2009 07:47
To: [redacted]
Subject: Notice of Intellectual Property Protection

Dear Sir/Madam: 2009-4-10

We are a domain name registration service company in Asia,
Last week we received a formal application submited by “Yadu Investment Co., Ltd.” Which wanted to use the keyword " [redacted]" to register the Internet Brand and with suffix such as .cn /.com.cn /.net.cn/.hk/ .asia/ domain names.
After our initial examination, we found that these domain names to be applied for registration are same as your domain name and trademark. We aren’t sure whether you have any relation with this company. Because these domain names would produce possible dispute, now we have hold down this registration, but if we do not get your company’s an reply in the next 5 working days, we will approve his application
In order to handle this issue better, Please contact us by Fax ,Telephone or Email as soon as possible.

Yours sincerely

Joy

Checking Department


Tel: 86 513 8532 2060
Fax: 86 513 8532 2065
Email :Joy@ntwifinetwork.com
Website: www.ntwifinetwork.com
Mail No.: [redacted]

Registrars DO NOT check trademarks before registrations (the exception is "sunrise registrations" for completely new top-level domains). This is an attempt to get you to buy an overpriced domain name that you don't need.

This mail may come from twifinetwork.com, tech-wifi.com or other domains; the domains are hosted on 174.138.60.95. Some of the wording is lifted from asiaregistry.com, although it is not possible to tell if they are affiliated.

If you are concerned about securing these domains, then most registrars now deal in Asian TLDs and can register them for you; otherwise you are probably safe to ignore it.

btw, the pitch is not new and has been used here, here and here.

Friday 27 March 2009

"Shanghai QiPeng Network Information Technology" / "Sopper Investment Co. LTD"

This particular pitch has been around for a long time - a domain name registrar (or reseller) who is "checking" about a domain registration that might infringe on your trademarks. Of course, registrars are not responsible for checking trademarks (can you imagine how complicated and expensive the process would be!)

Usually this approach is an attempt to get you to register useless domain names at inflated prices, and in all probability the domain names they are warning about will never even be registered. If you really are concerned, then register them through a reputable registrar; otherwise you are best off ignoring it.

Subject: Domain Issues for "[redacted]"
From: "Ramon zhang"
Date: Fri, March 27, 2009 9:20 am

If you are not the person who is in charge of this, please forward to the right person/department. Thank you)

Dear CEO,

We , a registrar organization in China, have something to check with you. We received an application today One South Korea company called " Sopper Investment Co. LTD" is applying for "[redacted]" as internet brand and following Asian/.CN domain names to use.
[redacted].com.tw
[redacted].hk
[redacted].in
[redacted].net.cn
[redacted].org.cn
[redacted].tw

After our initial checking, we found the internet brand and keyword of these domain names are as same as your company's.Because of it involves your company's intellectual property, so we need to check this with your company. If the aforesaid company is your subsidiary company or your business partner, please DO NOT reply us, we will approve the application automatically. If you have no any relationship with this company, please contact us within 7 workdays. If out of the deadline, we will approve the application submitted by "Sopper Investment Co. LTD" unconditionally.
Look forwarding to hearing from you.Thanks.

Best Regards,

Ramon Zhang
Leader Checker
Shanghai QiPeng Network Information Technology Co.,Ltd
Tel: +86-21-6992-9440 Fax: +86-21-6992-9447

Postal Code: 200063
website:http://www.qipeng.org.cn


Shanghai QPNIC Web Property Solutions Limited is a comprehensive company engaged in the Internet intellectual property services that mainly provides network-based service, network intellectual property service.
Company objective: The good faith first, the customer is supreme.

The same approach can be seen here and here.