Sponsored by..

Showing posts with label Job Offer Scams. Show all posts
Showing posts with label Job Offer Scams. Show all posts

Thursday 18 February 2016

Fake job: resume@gbjobsite.com

This fake job offer looks like it might be from the creators of the Dridex banking trojan. It comes with various subjects:
Cooperation with the great company
We offer new vacancy
employees needed
cooperation with an international company
hi!
The crisis has finished! Work with us!
beneficial offer
Wanted regional manageres
Hello!
partial occupation
Working with partial occupancy
beneficial proposition
The part-time employment

The body text is always very similar:
Hello!

We are looking for employees working remotely.

My name is yvon, am the personnel manager of a large UK company.
Most of the work you can do from home, that is, at a distance.
Salary is 1000£ - 4000£.

If you are interested in our offer, mail to us your answer on resume@gbjobsite.com and we will send you an extensive information as soon as possible.
Best regards!
Personal Staff 
The spam appears to originate from within the sender's own domain, but this is just a simple forgery. Emails sent to the domain gbjobsite.com are sent to an innocuous-looking but nonetheless evil IP of 172.246.47.65 (Enzu Inc, US). Nameservers are using the domain abcdns.biz. Domain registration details are either fake or anonymous.

The nature of the job is illegal, and will most likely involve money laundering, handling stolen goods or other fraudulent activities. Avoid at all costs.

Fake job: "Personal Assitant and Administrative officer needed." / Walter.Smith [sales@ema.su]

This job offer is a fake, and is actually intended to recruit people for criminal activities such as money laundering or receiving stolen goods.

From:    Walter.Smith [sales@ema.su]
Reply-To:    waltersmith7@ig.com.br
Date:    17 February 2016 at 23:54
Subject:    Re: Personal Assitant and Administrative officer needed.

Hello,

I'm looking for someone who can handle my business & personal errands at his/her spare time as I keep traveling a lot. Someone who can offer me these

services mentioned below:

* Mail services (Receive my mails and drop them off at UPS or USPS)
* Shop for Gifts
* Bill payment (pay my bills on my behalf, access to the funds would be provided by me)
* Sit for delivery (at your home) or pick items up at nearby post office at your convenience.

Let me know if you will be able to offer me any or all of these services and 10% of my income weekly would be your weekly payment. If you will be available for this job position ,send me a confirmation e-mail and send me your details like complete name/address/country/state/ city/zip/phone or you could even attach your resume.I do have a pile up of work and a number of unattended duties which you can assist me with soon.

Please note that this job DOES NOT require any financial obligation of any sort from you as I would be catering for all expenses.

I look forward to hearing from you.

Sincerely,

Mr.Walter.Smith.
It appears to come from the domain ema.su (".su" is the old domain for the Soviet Union, still around today) but in face the Reply-To address is waltersmith7@ig.com.br. The email was routed through an insecure server at 50.47.43.21 (mail.plantsmartsales.com) and apparently originated from 71.2.1.212 (apparently in Warren, Ohio).

Despite appearing to be a "no risk" proposition with a 10% payoff, all the money being handled is actually stolen, and the person handling it will be liable for 100% of the loss and could face legal action. Any goods handled and reshipped will be stolen, and any correspondence sent and received will be fraudulent. Avoid this at all costs.

Wednesday 21 October 2015

Fake job offer: helicoptersjob.com

This job offer is a fake:

From:    victim@victimdomain.com
To:    victim@victimdomain.com
Date:    21 October 2015 at 14:35
Subject:    Staff Wanted

Good day!

We considered your resume to be very attractive and we thought the vacant position in our company could be interesting for you.

Our firm specializes in consultation services in the matter of bookkeeping and business administration.
We cooperate with different countries and currently we have many clients in the US.
Due to this fact, we need to increase the number of our destination representatives' regular staff.

In their duties will be included the document and payment control of our clients.
Part-time and full-time employment are both currently important.
We offer a flat wage from $1000 up to $3,000 per month.

If you are interested in our offer, mail to us your answer on conrade@helicoptersjob.com and we will send you an extensive information as soon as possible.

Respectively submitted
Personnel department

The email appears to originate from the recipients own email address,  but this is just a forgery and is nothing to worry about.

The job being offered is actually part of a criminal organisation, such as money laundering or some other fraud such as a parcel reshipping scam.

The domain helicoptersjob.com was registered just today to a registrant in China. It is connected with several other long-running job scams going back several years. Avoid.

Thursday 24 September 2015

Evil network: 64.20.51.16/29 (Interserver Inc and Muhammad Naeem Nasir)

This DHL-themed phish got me looking at an IP address range of 64.20.51.16/29 which is a range belonging to Interserver Inc in the US, but which has been reallocated to a customer. But who? Because the WHOIS details for that block are not valid..
%rwhois V-1.5:003fff:00 city.trouble-free.net (by Network Solutions, Inc. V-1.5.9.5)
network:Class-Name:network
network:ID:NETBLK-INTSRV.64.20.32.0/19
network:Auth-Area:64.20.32.0/19
network:Network-Name:INTSRV-64.20.51.16
network:IP-Network:64.20.51.16/29
network:Org-Name:N/A N/A
network:Street-Address:N/A
network:City:N/A
network:State:na
network:Postal-Code:N/A
network:Country-Code:US
network:Created:20150624
network:Updated:20150922
network:Updated-By:abuse@interserver.net
Well, that's quite a sloppy move by Interserver to allow that, but it doesn't mean that the block is evil. However, an analysis of the sites currently and formerly hosted in that range indicate a very high proportion of phishing sites.. in fact, the range is a hotbed of sophisticated fraud sites, many of which seem to be undiscovered.

I combined current reverse IP data from DomainTools and current and historical data from DNSDB and then ran them through an IP lookup and a check against the Google Safe Browsing and SURBL reputations. The results [csv] show a very large number of sites flagged by SURBL in particular, amounting to 47 out of 167 sites (i.e. 28%) that I can identify as being currently hosted in that range.

In addition, a large number of phishing and other malicious sites have been hosted on 64.20.51.16/29 in the past and are now hosted elsewhere.

nswo.co.uk / "La Casa Limpia - a Balaeric Island Villa"


At first glance, some of the remaining sites look legitimate. Consider nswo.co.uk entitled "La Casa Limpia - a Balaeric Island Villa".

It looks utterly legitmate, although it is an odd domain name for a villa in Spain. Let's check those WHOIS details..

    Domain name:
        nswo.co.uk

    Registrant:
        P J Green

    Registrant type:
        UK Sole Trader

    Registrant's address:
        100 Malderen Road
        Islington
        London
        Greater London
        LN23 6AU
        United Kingdom

    Data validation:
        Nominet was able to match the registrant's name and address against a 3rd party data source on 10-Dec-2012
Despite Nominet claiming to verify the address, there is no such road as "Malderen Road" anywhere in the United Kingdom, and the post code of "LN23 6AU" is also completely invalid and exists nowhere in the UK. A bit of investigation shows that the site is almost a complete rip-off of  a legitimate site at palmyramenorca.com.. but with different contact details.

dominioncollege.ca / "Dominion College"


Consider also dominioncollege.ca - a professional looking website billing itself as Dominion College of Canada.


Apparently, Dominion College is the "Highest Ranking Creative Arts University". But there is no such university in Canada, and the domain for this "150 year old" institution was only registered in August 2015.

Domain name:           dominioncollege.ca
Domain status:         registered
Creation date:         2015/08/14
Expiry date:           2016/08/14
Updated date:          2015/08/19
DNSSEC:                Unsigned

Registrar:
    Name:              PublicDomainRegistry.com Inc
    Number:            3059041
The "About Us" page gives another clue.


That is actually Old Dominion University in Virginia, United States. A completely different and wholly legitimate institution.

hkbbr.org / "Hong Kong Business Bureau Registry"

Consider hkbbr.org billing itself as the Hong Kong Business Bureau Registry..

Yet a Google search for that term only returns hardly anything except content from the site itself, indicating that there is no such organisation.


The domain was registered in 2013 to an anonymous registrant. What is the point of this site? Well, it looks like it is a register of legitimate Hong Kong businesses. You can search for business in their online services page..


Well, it looks like a search.. but in fact it just loads results from a page www.hkbbr.org/entity/ which has an open directory.. so you can see that there actually only 43 companies in the database. One or more of which will be fake.

Presumably this forms part of a scam where the victim has to deal with a fake company, and the scammers use this web site to try to convince the victim that they are dealing with a legitimate company.

tricountysalesmexia.com / "Tri County Sales Mexia"


Consider tricountysalesmexia.com, entitled "Tri County Sales Mexia's Premier Pre-Owned Late Model Luxury and Exotic Vehicle Dealer - Mexia | Texas"


We added up the value of the cars listed on this "Tri County Sales" site. There were 218 cars valued at around $13.2 million, or around $60,000 per car.

Their website shows plush offices..


Now, Tri County Sales is a real company and I suspect a reliable vendor of used vehicles. But in reality the company's premises look like this:


Does it look like somewhere that stocks $13 million dollars worth of high-end exotic vehicles? Of course not. Let's take a look at one of the more notable cars on the website.


This is a pretty rare car. But look closely at the partial logo in the top left hand corner of the large photo..


It's the logo of Southlake Motorcars, where the image was stolen from..


Several of the other vehicles also turn up on other sites. You can be assured that although Tri County Sales is a real company, this website does not belong to them and is a scam.

goldwestgroup.com / "Gold West Group"

Consider goldwestgroup.com calling itself "Gold West Group"..


It's a bit vague about where it has mines, but the facility pictured at the top is the Obuasi Gold Mine in Ghana belonging exclusively to AngloGold Ashanti and no-one else.

The site itself mentions a Chile address, and the WHOIS details are consistent.

Registrant Name: Manu DeSouza
Registrant Organization: Gold West Group
Registrant Street: Europa Oficinas
Registrant Street: Guardia Vieja 255
Registrant City: Providencia
Registrant State/Province: Santiago
Registrant Postal Code: 2103
Registrant Country: Chile
Registrant Phone: +56.22997704
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: webmaster@goldwestgroup.com
But AngloGold Ashanti have no operations in Chile. This site is a scam.

edichem.com / "Edible Chemical Inc"

Consider edichem.com describing itself as "Edible Chemical Inc"..



This site is riddle with spelling errors and has some comically bad photo manipulation.

The offices in the picture actually belong to a company called APAG.

Let's have a look at that so-called CEO..


"Birningham University"? Quite a typo. And that photo is of a completely different person called Peter Westenthaler.

This fake company has even gone to the effort of setting up a Facebook page at www.facebook.com/edichem.biz:


cllinternational.com / "Courier Logistics Limited"

Consider cllinternational.com calling itself "Courier Logistics Limited":


In what way is this logo meant to reflect "Courier Logistics Limited"?

It doesn't.. it belongs to the IEEE Robotics and Automation Society.

The purpose of this site appears to be to generate fake courier tracking numbers, so a victim who has ordered a product will assume that it is actually on it's way. The tracking lookup seems to respond to a six-digit tracking code. The fake tracking site is on another IP, 185.24.233.16 in Ireland.


steadyprivateloan.com / "Steady Private Loan"

Most of the fake companies I have found so far have zero internet footprint. This fake finance company has at least attractive a couple of complaints:

Edmond L.
Beware !!! Do not deal with TERRANCE CLARK / CLARK BRIAN of Goldmine Private Loan now with a new name "Steady Private Loan". These are scam artist.
8 months ago

Sharon Todd
I agree. We fell for their Goldmine Loan and now Steady Private Loan owe us $21,195 ...They look fantastic but do not fall for them. We are reporting them to the FBI
7 months ago

Unlike some of the other sites, this is a bit more amateurish and generic.



It claims to be based in Delaware.



The bottom line here is that there is no such corporation as "Steady Private Loan" in Delaware. This site is a scam.

madrewson.net / "Madrewson Consult"

Consider madrewson.net calling itself "Madrewson Consult". This bills itself as some sort of HR consultancy, but you can guarantee that everythig it touches is fake.


There are a bunch of testimonials on the "About Us" page.

These are all attractive, well-photographed people aren't they? And they pop up in so many places. The photo of "Helen Pyzowski" turns up in a bunch of places. "Adam Smith" is a stock image. "Kristin Malie" turns up in a bunch of places. "John L. Skelley" turns up in a bunch of places. The testimonials are fake, as is this so-called company.

mobgifts.net / "Coca Cola Promo"


"Coca Cola" themed prize scams are well known (and documented on the Coca Cola corporate site) but I've never seen anyone go to the effort of creating a fake website to go with it.


There are several photos of people being handed cheques. But what is that cheque exactly?


This is someone winning a prize alright.. but for developing a mobile app, not a lottery. All the other pictures of people getting cheques are similarly bogus. There is no such thing a the Coca Cola Promo free lottery.

braincure-biotech.com / "Braincure Biotech"

Consider this so-called Taiwanese biochemistry firm, "Braincure Biotech" (braincure-biotech.com)


The site looks professional but very generic. But is it genuine? Unfortunately, the Taiwanese companies registry is in Chinese only and is quite difficult to use. So let's just Google it.


There are virtually zero references to this "company" apart from its own website. And by the time you look, probably this blog. A quick check of the body text of the site reveals that it is copied from other genuine biotech sites. This company does not exist, but presumably is there as part of an investment or employment scam.

What else is there?

Trawling through the IP address range shows many fake blogs (set up to promote goodness only knows what), some Bitcoin and make-money-fast sites and a whole load of sites that appear to be suspended. I cannot confirm a single legitimate site in this range.

Who is behind this?

Although the IP address range is owned by Interserver Inc it is allocated to a customer. However, Interserver seems to have displayed poor governance here because it not only has allocated the range to an anonymous registrant, but it has not acted on the extremely high concentration of fraudulent sites.

Looking at the range, I can see several nameservers..

ns3.boldhosts.com
64.20.51.18

ns4.boldhosts.com
64.20.51.19

ns2.paidhoster.com
64.20.51.20

ns1.ok2host.com
64.20.51.21

ns2.ok2host.com
64.20.51.22

ok2host.com has anonymous WHOIS details, but the other two are related:

BOLDHOSTS.COM
Registry Registrant ID:
Registrant Name: Abdul Razzaq
Registrant Organization: Boldhosts
Registrant Street: Street 18 Clifton Block 8  
Registrant City: Karachi
Registrant State/Province: Sind(en)
Registrant Postal Code: 75500
Registrant Country: PK
Registrant Phone: +92.2135491130
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: info@boldhosts.com


PAIDHOSTER.COM
Registrant Name: Sajid Mahmood
Registrant Organization: GroomHost
Registrant Street: Progressive Center Shahrah e Faisal  
Registrant City: Karachi
Registrant State/Province: Sind(en)
Registrant Postal Code: 75400
Registrant Country: PK
Registrant Phone: +92.215681734
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: info@boldhosts.com

Although paidhoster.com does not resolve, both boldhosts.com and ok2host.com do and are hosted on adjacent IPs of 76.73.85.141 and 76.73.85.142 respectively, indicating that they might be the same company. Groomhost.com is also mentioned in the WHOIS details above, and that is hosted on 76.73.85.140.

It turns out that there is another IP block of 76.73.85.136/29 hosting a variety of possibly white-label web hosts:

network:Auth-Area:76.73.0.0/17
network:Class-Name:network
network:OrgName:Naeem Nasir
network:OrgID;I:FDC-11211
network:Address:Street number 18 clifton block 8
network:City:Karachi
network:StateProv:Sindh
network:PostalCode:75500
network:Country:PK
network:NetRange:76.73.85.136 - 76.73.85.143
network:CIDR:76.73.85.136/29
network:NetName:FDC-11211-76.73.85.136

The WHOIS details for the IP range don't give a lot of data, but we can also find the same registrant details for the domain sandhost.com:

Registry Registrant ID:
Registrant Name: Muhammad Naeem Nasir
Registrant Organization:
Registrant Street: Street  18  clifton block 8
Registrant City: Karachi
Registrant State/Province: Sindh
Registrant Postal Code: 75500
Registrant Country: Pakistan
Registrant Phone:
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: naeem.nasir@yahoo.com
The AA419 database shows several hits for this email address going back to 2011, so it seems that whoever this Pakistani web host is, they have been tolerating this activity on their network for several years, even if they are just providing hosting services rather than perpetrating fraud.

Conclusion

I really just skimmed the surface with my analysis here, but it is clear that the 64.20.51.16/29 block is being used almost exclusively for fraud. Moreover, the fraud is extremely sophisticated involving things like fake business registries and couriers. It is also clear that the Pakistani web hosts apparently providing these services have been doing so for some time.

Recommended blocklist:
64.20.51.16/29
76.73.85.136/29
185.24.233.16

Friday 6 March 2015

Fake job offer: jobinituk.com / jobsinits.com / workincroatia.com

This spammed out "job offer" is actually an attempt to recruit people into criminal money laundering.
Date:    6 March 2015 at 21:00
Subject:    Hello

Good day!
We considered your resume to be very attractive and we thought the vacant position in our company could be interesting for you.

Our firm specializes in advertisment services realizing unique products of creative advertising and branding strategies
and solutions to develop a distinctive brand value.

We cooperate with different countries and currently we have many clients in the USA and the EU.
Due to this fact, we need to increase the number of our destination representatives' regular staff.
In their duties will be included the document and payment control of our clients.

Part-time employment is currently important.
We offer a wage from 3100 GBP per month.

If you are interested in our offer, mail to us your answer on andonis@jobinituk.com and
we will send you an extensive information as soon as possible.
Respectively submitted

Personnel department
There are four related domains:

jobinituk.com
jobsinits.com
workincroatia.com
sati-haus.net


If you receive a job offer soliciting replies to one of these domains, then the job offer is bogus. If you were to accept it, you could well be liable to repay back the money you helped launder, or even face arrest or jail time.

UPDATE: There is a second version of the spam circulating..

Date:    9 March 2015 at 15:23
Subject:    Offer

If you have
- excellent administrative skills
- knowledge of Microsoft Office
- a keen eye for details

If you
- present yourself well
- can understand and execute instructions

If you are
- a team player with the ability to work independently
- organized
- reliable and punctual person
- determined to work hard and succeed

Then We need you in Our Advertising Company!

Please email us for details of the job: Benito@jobinituk.com


Sunday 1 March 2015

Fake job offer: "ukhomejob.com" and many others

This spam email for a fake (and illegal) job is soliciting replies to ukhomejob.com. It is part of a nework of fraudulent domains, attempting to recruit victims into money laundering and other illegal activities.

From:    Victim
To:    Victim
Date:    1 March 2015 at 22:09
Subject:    Advice

Good day!
We considered your resume to be very attractive and we thought the vacant position in our company could be interesting for you.

Our firm specializes in advertisment services realizing unique products of creative advertising and branding strategies
and solutions to develop a distinctive brand value.

We cooperate with different countries and currently we have many clients in the USA and the EU.
Due to this fact, we need to increase the number of our destination representatives' regular staff.
In their duties will be included the document and payment control of our clients.

Part-time employment is currently important.
We offer a wage from 3500 GBP per month.

If you are interested in our offer, mail to us your answer on hermie@ukhomejob.com and
we will send you an extensive information as soon as possible.
Respectively submitted

Personnel department

This is related to this scam. Now though the IP used to receive emails is a Comcast IP of 98.221.25.74. The following domains are also related and are all fraudulent:

globbalpresence.com
recognizettrauma.net
gbearn.com
comercioes.com
eurohomejob.com
fastestrades.com
usaearns.com
idhomejob.com
ukhomejob.com
eurhomejob.com


The most likely "job" is money laundering, typically moving money out of stolen bank accounts and then passing on to someone in Eastern Europe. This activity is illegal, and there is a chance that you'll end up in jail at worst, or having to repay back the stolen money at best. Avoid.

Saturday 28 February 2015

Fake job offer: tradeconstruction.co.uk, spoofing the legitimate Trade Construction Company LLC

This fake job offer claimed to be from a UK-based company called Trade Construction Company LLC using a website at tradeconstruction.co.uk. However, no such company exists in the UK, and this is a rip-off of a wholly legitimate US firm that is actually called Trade Construction Company LLC who are not involved in this scam at all.

From:    JOB ALERT [klakogroups@gmail.com]
Reply-To:    klakogroups@gmail.com
To:    Recipients [klakogroups@gmail.com]
Date:    27 February 2015 at 18:37
Subject:    NEW JOB VACANCIES IN LONDON.

Trade Construction Company,
L.L.C,
70 Gracechurch Street.
EC3V 0XL, London. UK

We require the services of devoted and hardworking workers, who are ready to work after undergoing enlistment training. in all sectors
as The Trade Construction Company Management intends to increase its man power base due to increasing number of customers and contract in the Company.


Available Positions

QUANTITY SURVEY, HEALTH EDUCATOR,CIVIL ENGINEER, FIELD SURVEY SUPERVISION, WELDER,MACHINES SUPERVISOR, MECHINARY OPERATOR,
CHEMICAL ENGINEER, AUTOMOTIVE MECHANIC, DESK OFFICER, ELECTRICAL ENGINEER, CONFERENCE & BANQUETING OPERATIONS MANAGER,
STORE KEEPER,ACCOUNT MANAGER, CASHIER, ASSISTANT MANAGER OF FRONT OFFICE, RECEPTIONIST, CLEANER, FOREIGN/INTERNATIONAL LANGUAGE INTERPRETERS,
MARKETING ASSISTANT, COMPUTER OPERATOR, INTERNET SERVICE EXPERT, SECURITY PERSONNEL, HR ASSISTANT,

The Company Management would be responsible to pay for your Flight Ticket and Accommodation.

All other information about benefits which would be received by new employees would be given in their application process.

So if interested, kindly send your CV/Resume via email to recruitment@tradeconstruction.co.uk



You can also apply directly at.

http://www.tradeconstruction.co.uk/apply_online.html
website: http://www.tradeconstruction.co.uk
Phone: +447990402584
   
The tradeconstruction.co.uk site is almost a bit-by-bit copy of the genuine tradeconstruction.com website.

The difference in content is minimal, but the fake site contains the following contact details:

Office Address:
TRADE Company House
70 Gracechurch Street London
EC3V 0XL
United Kingdom
Phone: +447990402584

Shop Addresses:
Office 208
3 Brindley Place
Birmingham, West Midlands
B1 2JB
United Kingdom
Fax: 225-658-8067 
These are actually the contact details for XL Insurance, who are obviously completely unconnected to this scam.

The fax number is invalid for the UK, and is actually just copied-and-pasted from the genuine site. The telephone number +447990402584  (07990 402584) is valid for the UK but it's a mobile phone number (possibly an untraceable prepay handset) so it could be anywhere.

As I said before, there is no company in the UK called Trade Construction Company and "LLC" is not a recognised type of UK company (typically they would be "Ltd", "PLC" or "LLP").

The WHOIS details for the domain are incomplete and unverified:

Domain name:
        tradeconstruction.co.uk

    Registrant:
        tradeconstruction

    Registrant type:
        Unknown

    Registrant's address:
        SOUTH ROAD
        ERDINTON
        BIRMINGHAM
        Birmingham
        B23 6EL
        United Kingdom

    Data validation:
        Registrant name and address awaiting validation


This is a residential area of Birmingham in the UK, but there is no house number and "Erdington" is spelled incorrectly. It certainly doesn't match the other contact addresses given.

Let's have a look at the mail headers to see if we can determine where this email actually came from.

Received: from mx.giki.edu.pk (mx.giki.edu.pk [121.52.146.229])
    by [redacted] (Postfix) with ESMTP id 91B60ED199
    for [redacted]; Sat, 28 Feb 2015 06:29:19 +0000 (UTC)
X-ASG-Debug-ID: 1425104952-04b09a633509b40001-Ozk3QL
Received: from mail.giki.edu.pk (mail.giki.edu.pk [121.52.146.226]) by mx.giki.edu.pk with ESMTP id 6NnzvLRyt5l62CxM; Sat, 28 Feb 2015 11:29:12 +0500 (PKT)
X-Barracuda-Envelope-From: klakogroups@gmail.com
X-Barracuda-Apparent-Source-IP: 121.52.146.226
Received: from localhost (localhost.localdomain [127.0.0.1])
    by mail.giki.edu.pk (Postfix) with ESMTP id 1127A11414ED;
    Sat, 28 Feb 2015 06:42:31 +0500 (PKT)
Received: from mail.giki.edu.pk ([127.0.0.1])
    by localhost (mail.giki.edu.pk [127.0.0.1]) (amavisd-new, port 10032)
    with ESMTP id m27tNjcw-XxF; Sat, 28 Feb 2015 06:42:30 +0500 (PKT)
Received: from localhost (localhost.localdomain [127.0.0.1])
    by mail.giki.edu.pk (Postfix) with ESMTP id 9E5A111414D7;
    Sat, 28 Feb 2015 06:42:30 +0500 (PKT)
X-Virus-Scanned: amavisd-new at mail.giki.edu.pk
Received: from mail.giki.edu.pk ([127.0.0.1])
    by localhost (mail.giki.edu.pk [127.0.0.1]) (amavisd-new, port 10026)
    with ESMTP id n3YhjtqX2niQ; Sat, 28 Feb 2015 06:42:30 +0500 (PKT)
Received: from [172.245.45.23] (unknown [172.245.45.23])
    by mail.giki.edu.pk (Postfix) with ESMTPSA id 214E611414ED;
    Sat, 28 Feb 2015 06:42:23 +0500 (PKT)
We can definitely say that this email spent a while bouncing around the Ghulam Ishaq Khan Institute of Engineering Sciences and Technology in Pakistan. It appears that it originated from a server at 172.245.45.23 which is a ColoCrossing IP suballocated to:

NetRange:       172.245.45.0 - 172.245.45.31
CIDR:           172.245.45.0/27
NetName:        CC-172-245-45-0-27
NetHandle:      NET-172-245-45-0-1
Parent:         CC-14 (NET-172-245-0-0-1)
NetType:        Reallocated
OriginAS:       AS36352
Organization:   naa (NAA-21)
RegDate:        2013-06-07
Updated:        2013-06-07
Ref:            http://whois.arin.net/rest/net/NET-172-245-45-0-1

OrgName:        naa
OrgId:          NAA-21
Address:        530 W. 6th Street Suite 901
City:           Los Angeles
StateProv:      CA
PostalCode:     90014
Country:        US
RegDate:        2013-06-07
Updated:        2013-06-07
Ref:            http://whois.arin.net/rest/org/NAA-21

OrgAbuseHandle: BRBA-ARIN
OrgAbuseName:   Baker, Rusdi bin abu
OrgAbusePhone:  +1-940-238-5499
OrgAbuseEmail:  rusdi.bin.abu.bakar@gmail.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/BRBA-ARIN

OrgTechHandle: BRBA-ARIN
OrgTechName:   Baker, Rusdi bin abu
OrgTechPhone:  +1-940-238-5499
OrgTechEmail:  rusdi.bin.abu.bakar@gmail.com
OrgTechRef:    http://whois.arin.net/rest/poc/BRBA-ARIN


Note that this isn't saying that this "Rusdi bin abu Bakar" is sending the email, but a customer of theirs is.

Nothing about this job offer is legitimate. It does not come from who it appears to come from and should be considered to be a scam, and avoided.







Monday 16 February 2015

Money mule scam: gbearn.com / usaearns.com

This spam email is attempting to recruit people to aid with money laundering ("money mules") and other illegal operations.

Date:    16 February 2015 at 21:29
Subject:    New offer

Good day!
We considered your resume to be very attractive and we thought the vacant position in our company could be interesting for you.

Our firm specializes in advertisment services realizing unique products of creative advertising and branding strategies
and solutions to develop a distinctive brand value.

We cooperate with different countries and currently we have many clients in the USA and the EU.
Due to this fact, we need to increase the number of our destination representatives' regular staff.
In their duties will be included the document and payment control of our clients.
Part-time employment is currently important.
We offer a wage from 3500 GBP per month.

If you are interested in our offer, mail to us your answer on riley@gbearn.com and
we will send you an extensive information as soon as possible.
Respectively submitted

Personnel department
The reply-to address of gbearn.com has recently been registered by the scammers with false WHOIS details. There is also an equivalent domain usaearns.com for recruiting US victims.

Although there is no website, both domains have a mail server at 93.188.167.170 (Hostinger, US) which also serves as one of the nameservers for these domains (ns1.recognizettrauma.net). The other nameserver (ns2.recognizettrauma.net) is on 75.132.186.90 (Charter Communications, US).

Be in no doubt that the job being offered here is illegal, and you should most definitely avoid it.

Friday 7 November 2014

europejobdays.com and other fake job sites to avoid 7/11/14

This tip from @peterkruse about a spam run pushing fake jobs using the domain europejobdays.com caught my eye, especially the mention of the nameservers using the stemcellcounseling.net domain.

These fake job sites tend not to go alone, and a look a the other domains using  the same namesevers comes up with a whole list of related fake sites that you should also avoid:

europejobdays.com
bamfde.com
myjobuk.com
usajobid.com
jobsiniteu.com
mycareerau.com
trabajoses.com
infopracapl.com
itjobrapido.com
jobstreetmy.com
jobstreetus.com
myjobromania.com
trabajospain.com
profesiaczech.com
careersprocanada.com
subitoit.net
stemcellcounseling.net

You should be aware that the jobs on offer are actually part of some criminal enterprise such as money laundering or parcel reshipping. You can see a video that explains the parcel reshipping scam and the role of the parcel mule below.

Thursday 11 September 2014

"LLC INC" / llcinc.net fake job offer

This fake company's name looks like it has been designed to be hard to find on Google. The so-called LLC INC using the domain llcinc.net does not exist.
Date:      Wed, 10 Sep 2014 19:51:50 -0400 [09/10/14 19:51:50 EDT]
From:      LLC INC
Reply-To:      recruiter@llcinc.net
Subject:      EMPLOYMENT OFFER

Hello,
  Good day to you overthere we will like to inform you that our company is currently
opening an opportunity for employment if you are interested please do reply with your resume
to recruiter@llcinc.net

Thanks
Management LLC INC 
This so-called job is going to be something like a money mule, parcel mule or some other illegal activity.

The domain llcinc.net was registered just a few days ago with fake details:
Registry Registrant ID: 
Registrant Name: BEATRIZ G SANDERS
Registrant Organization: LLCINC
Registrant Street: PO BOX 33100
Registrant City: SAN ANTONIO
Registrant State/Province: TEXAS
Registrant Postal Code: 78265
Registrant Country: US
Registrant Phone: +1.2102605808
Registrant Phone Ext:  
Registrant Fax: 
Registrant Fax Ext:
Registrant Email: JOETOMMY456@YAHOO.COM
There is no website. The email originates from 209.169.222.37, the mail headers indicate that this is probably a compromised email server mail.swsymphony.org.

Avoid.



Friday 4 July 2014

Scam: advocatesforyouths.org, Eem Moura, Tee Bello and other fake sites

Advocates for Youth is a legitimate campaign organisation that says that it "champions efforts to help young people make informed and responsible decisions about their reproductive and sexual health." It has a website at www.advocatesforyouth.org which was registered in 1996.

However, the domain advocatesforyouths.org is a completely fake rip-off of the legitimate advocatesforyouth.org site (note the extra "s") which is advertising itself through spam:

From:     Advocates for Youth [inboxteam6@gmail.com]
Reply-To:     Advocates for Youth [ljdavidson@advocatesforyouths.org]
Date:     2 July 2014 21:52
Subject:     Say No to FORCED MARRIAGE and HIV/AIDS
Mailing list:     xkukllsbhgeel of 668
Signed by:     gmail.com

Invitation Ref No: OB-22-52-30-J

OUR 12TH INTERNATIONAL YOUTH CONFERENCE ON “ EFFECTS OF TEENAGE MARRIAGE AND HIV/AIDS "

Advocates for Youth and co-organizers of the 12th international NGO's & CBO's conference on community Development and Development Planning have the pleasure to invite Youth Organizations, Socio Cultural Organizations, Community Based Organizations (CBO) Scholars, Researchers, Health Organizations, Professionals, Business Organizations (NGOs) Religion Organizations, Human Right Organizations & Women Groups to the International Conference on" Effects of Teenage Marriage and HIV/AIDS " taking place from Wednesday 20th - Friday 22nd August 2014 in U.S.A and Monday 25th August - Friday 29th August 2014 in The NETHERLANDS respectively.

This is the most important event in the framework of the fight to Educate the Youth on HIV/AIDS, Child Abuse, human and community development which will take place in Washington DC, United States of America from Wednesday 20th - Friday 22nd August 2014 in U.S.A and Monday 25th August - Friday 29th August 2014 in The NETHERLANDS respectively.

Advocates for Youth is registered 501(c) Non profit international organization whose aims & objectives are to empower individuals and communities worldwide through offering grants for business, education, economic enhancement, community development and environmental conservation, to support groups and organizations addressing social issues, youth ad women empowerment, and a variety of philanthropic projects through grants to non-profit organization; to provide education & information with view of limiting abuse and child molestation, to support and advocate on behalf of those infected and affected by the menace or abuse and neglect to promote the well-being of mankind by empowering the capacity of charitable organization to provide effective programs of quality.

This conference will bring together 1026 representatives of NGOs/CBOs and numerous numbers of interested individual participants from all over the world. The conference will be conducted on participatory bases with satellite plenary and simultaneous sessions followed by general and small group discussions.

SUPPORT: The conference receives financial support from CitiBank New York and United Nations Youth Commission etc. This sponsorship covers the following:

1. Return Airplane travel tickets for selected delegates from their home countries to venues of the event in Washington DC ( United States of America ) and The Hague City (The Netherlands), then back to their home countries.

2. Hotel accommodations in Washington DC ( United States ) only for selected delegates and their friends.

3. Medical insurance cover for delegates throughout the entire conference duration.

Advocates for Youth will not assume the responsibilities of any other costs other than those listed above.

NOMINATION & SELECTION OF PARTICIPANTS: Intending participants are requested to nominate between Five (5) to Ten (15) active members to participate. Participants should be from 14 years and above (Male or Female).

REGISTRATION PROCESS: To register to take part in this Conference, please request for the International Delegates Registration form and other conference information. The request for registration form and other conference information should be addressed to the Secretary:

Linara J. Davidson
Secretary, Advocates for youth
2000 M Street, NW Suite 750,
Washington DC 20036,
United States of America,
Tel: +1 202.600.9543
Fax: + 1 650.747.4401
Email: ljdavidson@advocatesforyouths.org
Website: http://www.advocatesforyouths.org

While we anticipate your earliest response, you are advised to contact the Secretary by email and we look forward to meeting up with you and your group in Washington DC and The Hague City to assert a new change for a stronger society.

Announcer !!!

Debra Hauser
President, Advocates for youth,
Washington DC
U.S.A.
Email: debra.hauser@advocatesforyouths.org

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer: The CAN-SPAM Act of 2003 (Controlling the Assault of Non-Solicited Pornography and Marketing Act) establishes requirements for those who send commercial email, spells out penalties for spammers and companies whose products are advertised in spam if they violate the law, and gives consumers the right to ask mailers to stop spamming them. The above mail is in accordance to the Can Spam act of 2003: There are no deceptive subject lines and is a manual process through our efforts on World Wide Web. You can opt out by sending mail to email id mention here and we ensure you will not receive any such mails.
In this case the email originates from 217.120.44.73 (Ziggo / Groningen, Netherlands) and was sent to a spam trap.

The fake site is almost a bit-for-bit copy of the fake site, but things like the Contact Details page are slightly different:


The fake site has a telephone number of 202.600.9543 and a fax number of 650.747.4401. The fax number is in California, but the "202" telephone number appears to be Washington.. but on closer examination it looks like a VOIP (internet phone) number which could possibly be anywhere in the world.


But the fake site looks utterly convincing. Mostly because it is cloned directly from the legitimate site. (See screenshot above)

The domain advocatesforyouths.org was registered on 24th May 2014 with anonymous details, and the mail handler is mailhostbox.com who are a legitimate commercial provider. But what most visitors to advocatesforyouths.org will not spot is that the domain just does a framed forward to another site googleones.in/advocates4youth/ which is where things get more complicated.

googleones.in is hosted on 74.122.193.45  a Continuum Data Centers IP reallocated to:

OrgName:        Ajay Kumar
OrgId:          AK-7
Address:        801 Main St NW
City:           Lenoir
StateProv:      NC
PostalCode:     28645
Country:        US
RegDate:        2012-11-30
Updated:        2012-11-30
Ref:            http://whois.arin.net/rest/org/AK-7

OrgAbuseHandle: SNM9-ARIN
OrgAbuseName:   machiwala, shazim nizar
OrgAbusePhone:  91 22 26782833
OrgAbuseEmail:  shazim@ideastack.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/SNM9-ARIN

OrgTechHandle: SNM9-ARIN
OrgTechName:   machiwala, shazim nizar
OrgTechPhone:  91 22 26782833
OrgTechEmail:  shazim@ideastack.com
OrgTechRef:    http://whois.arin.net/rest/poc/SNM9-ARIN


The domain is registered to:

Registrant Name:Ziggo Ziggo
Registrant Organization:N/A
Registrant Street1:stadhoudersstraat
Registrant Street2:
Registrant Street3:
Registrant City:rijswijk
Registrant State/Province:Zuid-Holland
Registrant Postal Code:2282pm
Registrant Country:NL
Registrant Phone:+31.0657392939
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:alzaidaemirates@hotmail.com


The "alzaidaemirates@hotmail.com" doesn't really seem to tally with the Netherlands address, but it does link in with some other contents of the server. Incidentally, Rijswijk isn't very close to Groningen being a 233Km drive so the spammer's IP doesn't match the WHOIS details.

Interesting, the root directory of googleones.in is open and this is where it gets complicated.

We can see folders with the following names:
  • advocates4youth/
  • alz/
  • cgi-bin/
  • eem/
  • eemtholland/
  • tbello/
"advocates4youth" contains the fake Advocates For Youth Siteas already discussed

Al-zaida Emirates

"alz" is a site called "Al-zaida Emirates" which is a ripoff of the legitimate Zamil Group Holding Company. Probably the obvious different to that the "Al-zaida" site has an "Apply For Loan" button which marks it out as some sort of finance scam.

EEM Moura and TEE Bello (part 1)

The next fake site is under "eem" which advertises itself as "EEM MOURA & TEE BELLO Group of Companies". This site is a slightly-altered copy of the legitimate Alpha Group.


There is perhaps a clue here under "Shipping" which could be advertising for a Parcel Mule job (i.e. laundering stolen goods).

EEM MOURA & TEE BELLO (part 2) [eemthollandbv.nl]

There is another fake "EEM MOURA & TEE BELLO" site in the folder "eemtholland" (and using the forwarder domain eemthollandbv.nl). This is different from the other site being a fake shopping site, a poor copy of the legitimate HollandForYou.com site.


This fake site is also likely to be recruiting people for a parcel reshipping scam.

Hotel T. Bello

The final fake site is filed under "tbello" (sounds familiar?) and is supposedly the "Hotel T. Bello" in Den Haag (The Hague). It is a poor copy of the InterContinental Amstel Amsterdam.


Perhaps the "Hotel T Bello" is a fake hotel for the delegates to the fake "Advocates for Youth" conference that was advertised in the original spam.. that is certainly one way that these conference scams work.

There is not a single legitimate site on this server. Avoid.

Monday 30 June 2014

Fake job offer: Edwards Electrical and Mechanical / Edward Electricals Y Mecánicos (edwards-elec.com)

Edwards Electrical and Mechanical is a wholly legitimate contraction based in Indianapolis in the US. This spam message is not from them, but someone abusing their name.

From:     Charles Benneth [tonyudeani@n-tocomisltd.com]
Reply-To:     charles_trading@outlook.com
To:   
Date:     30 June 2014 01:49
Subject:     Part-Time Job Offer


Estimado Señor / Señora

Tenemos una vacante para el puesto de oficial de cuentas por cobrar. ¿Te
gustaría trabajar desde su casa y obtener semanal remunerado? Estamos
ofreciendo esta posición a todos los solicitantes interesados. Por favor,
lea atentamente. Esta oportunidad de empleo está dirigido a proporcionar
parte / los solicitantes de empleo a tiempo completo, y también a las
personas que quieran trabajar desde casa, y se les paga semanalmente por
la recepción de pagos de nuestros clientes de deducir la comisión y
remitir el equilibrio. Envíe sus informaciones para obtener más detalles.

Nombre Completo
Contacto Inicio Dirección Plus Código Postal (No P O Box)
número de teléfono
edad
Fax Si Cualquiera
Un reconocimiento rápido de la recepción de este correo electrónico será
apreciada.

Gracias por su comprensión total.

Charles Benneth
Presidente / CEO
Edward Electricals Y Mecánicos.
http://www.edwards-elec.com/index.php
This translates roughly as:

Dear Sir / Madam

We have a vacancy for the position of Accounts receivable officer. Do you
would like to work from home and get paid weekly? We are
offering this position to all interested applicants. Please
read carefully. This employment opportunity is targeted at providing
part / applicants for full-time employment, and also to
people who want to work from home and get paid weekly by
receiving payments from our clients, and deducting fees
remit the balance. Send information for details.

Full Name
Contact Home Address Plus Zip (No PO Box)
phone number
age
Fax If Any
A quick recognition of the receipt of this email will
appreciated.

Thank you for your full understanding.

Charles Benneth
President / CEO
Edward Electricals and Mechanical.
http://www.edwards-elec.com/index.php 

The job is actually money laundering, which is a criminal activity. The email solicits replies to the free email address of charles_trading@outlook.com and originates from from 41.58.2.22 (Swift Networks, Lagos, Nigeria) via 188.40.62.68 (node3.trudigits.com / Hetzner, Germany).

Unless you want to spend some time in jail, I would recommend giving this particular Nigerian scam a wide berth.