Sponsored by..

Showing posts with label Money Mule. Show all posts
Showing posts with label Money Mule. Show all posts

Wednesday, 21 October 2015

Fake job offer: helicoptersjob.com

This job offer is a fake:

From:    victim@victimdomain.com
To:    victim@victimdomain.com
Date:    21 October 2015 at 14:35
Subject:    Staff Wanted

Good day!

We considered your resume to be very attractive and we thought the vacant position in our company could be interesting for you.

Our firm specializes in consultation services in the matter of bookkeeping and business administration.
We cooperate with different countries and currently we have many clients in the US.
Due to this fact, we need to increase the number of our destination representatives' regular staff.

In their duties will be included the document and payment control of our clients.
Part-time and full-time employment are both currently important.
We offer a flat wage from $1000 up to $3,000 per month.

If you are interested in our offer, mail to us your answer on conrade@helicoptersjob.com and we will send you an extensive information as soon as possible.

Respectively submitted
Personnel department

The email appears to originate from the recipients own email address,  but this is just a forgery and is nothing to worry about.

The job being offered is actually part of a criminal organisation, such as money laundering or some other fraud such as a parcel reshipping scam.

The domain helicoptersjob.com was registered just today to a registrant in China. It is connected with several other long-running job scams going back several years. Avoid.

Tuesday, 24 June 2014

jobcenterusa.org fake job offer

This fake job offer is either money laundering, a parcel reshipping scam or some other activity that will get you into serious trouble with the authorities.

Date:      23 Jun 2014 13:11:56 -0600 [15:11:56 EDT]
Subject:      we are interested in your CV
Priority:      normal

We would like to greet you in our big and friendly company, thank you for applying to our HR and your interest to our company business.

Right now due to increasing of expansion policy we are offering promotional positions in our US company branches.
This opportunity is for highly motivated and energetic people who wants to join our family business whose main routine will be providing
administrative logistical and human resources support for our clients.

The work involves variety of logistical, administrative, and office management tasks, directions and guidelines you will be
receiving from your personal manager.

If you have an ability to establish and organize productive relations with clients;
strong communication skills, if you posses good team work skills, if you have an ability to revise plans for shifting priorities,
work under supervision and if you respect deadlines - apply, fill in short registration form and send it to us,
take your chance and maybe really soon you will receive a reply back from us and you phone will rang,
and one day you may become a part of our team:

Company registration form:
-Full name;
-Contact mobile & land line phone number;
-Email address;
-Current residence.

Please call or email us for any further assistance: Hillary@jobcenterusa.org
If you reply to this message, it gets routed to a server mx.jobcenterusa.org hosted on 5.202.129.73 in Iran. The WHOIS details for the domain are also fake:

Registrant ID:orghk03546035062
Registrant Name:Heidi Kissell
Registrant Organization:Heidi R. Kissell
Registrant Street: 223 Rainbow Road
Registrant City:Los Angeles
Registrant State/Province:CA
Registrant Postal Code:90017
Registrant Country:US
Registrant Phone:+1.6262646624
Registrant Phone Ext:
Registrant Fax: +1.6262646624
Registrant Fax Ext:
Registrant Email:info@jobcenterusa.org


The spam I saw originated from a Mexican cable subscriber on 187.247.113.56 and had a fake Italian address on it. Basically, everything screams fake job offer.

These domains are all releated:
trabajogov.com
lights-usa.net
lavoroit.org
profesia-cz.co

jobcenterusa.org

This video explains about the parcel reshipping scam which is a likely "logistics" task for anyone who gets involved in this fake company.


Thursday, 24 April 2014

"Atlanta Consulting" fake job offer, atlantaconsulting.net / atlantaconsulting.us / atlantaconsulting.co

This fake job offer comes from a bunch of scammers passing themselves off as "Atlanta Consulting" (not to be confused with several legitimate firms of similar names)

From:     Gertrude Holden [multivariate88@afes.com]
Date:     24 April 2014 14:16
Subject:     Vacancy

Good Day!

A new advanced vacant position is available!

I am a chief personnel officer of an Australian consulting company. We deal with non-typical business solutions. Also we introduce different outsourcing solutions. Presently we have many clients in Europe. To anticipate our cooperation with them, we need to find few regional managers.
We offer a part-time employment and opportunity to advance. Also we provide free elementary training. Initial salary is 2000 euro. If our offer is interesting to you, please send your answer on our e-mail:

info @ atlantaconsulting . net   (remove spaces before sending email)

specifying your country, city of residence, contact telephone number and desired time for call. Our managers work 24 hours for you!

Best regards!
GERALD DAMIEN
The following domains are all part of the same scam:
atlantaconsulting.net
atlantaconsulting.co
atlantaconsulting.us


The WHOIS details for the domains are undoubtedly fake and are certainly not Australian:

Administrative Contact ID:                   COCO-5041
Administrative Contact Name:                 John Carpenter
Administrative Contact Address1:             831 Ridgeview Dr
Administrative Contact City:                 Frankfort
Administrative Contact State/Province:       KY
Administrative Contact Postal Code:          40601
Administrative Contact Country:              United States
Administrative Contact Country Code:         US
Administrative Contact Phone Number:         +1.6064521498
Administrative Contact Email:                jjcarp9@gmail.com


There's a flashy website with no real substance..


The sites are hosted on 151.236.22.16 (EDIS GmbH, US) and the email in this case originated from 190.67.150.55 in Colombia.

The so-called job is going to be money laundering, or perhaps parcel reshipping (described in the video below) or some other scam which will involve you doing something illegal. Avoid.


Sunday, 2 March 2014

seekcousa.com / seekconz.com fake job offer

This job offer from seekcousa.com or seekconz.com is bogus:

Date:      1 Mar 2014 15:53:11 +0700 [03:53:11 EST]
Subject:      Offer

We are offering a shipping manager assistant position.
We are offering a distant job.

The job routine will take 2-3 hours per day and requires absolutely no investment.
You will work with big shops, suppliers, factories all around the States.
The communication line will flow between you and your personal manager, you will receive orders via email and phone,
and our trained manager will be with you while every step to help you to work out first orders and answer any questions which may appear.
The starting salary is about ~2800 USD per month + bonuses.

You will receive first salary in 30 days after you will successfully complete your first task.
When the first working month will be over you will have a right to receive salary every 2 weeks.
The bonuses are calculated on the very last working day of each month,
and paying out during a first week of the next month.

We will accept applications this week only!
To proceed to the next step we should register you in HR system so we will need a small piece of your personal information.

Please fill in the fields:
Full_name:
Phone_number:
Email_address:
City_of_residence:

We need your personal information to create HR file only,
it will stay secure on the separate server till the moment it will be deleted (which take place every 2 days),
and only HR people will have access to it.

Please send your answer to my secured email manager@seekcousa.com
 I will reply you personally as soon as possible.

Sincerely,
Rudy 
From the job description, this appears to be some sort of parcel mule scam or other criminal activity. This video explains how a parcel reshipping scam works:


seekcousa.com is regsitered with Chinese registrar BIZCN, and the WHOIS details are fake:
Registrant Name: Ernest Dubose
Registrant Organization: Ernest D. Dubose
Registrant Street: 129 Oakridge Lane
Registrant City: Irving
Registrant State/Province: TX
Registrant Postal Code: 75038
Registrant Country: us
Registrant Phone: +1.4699959821
Registrant Phone Ext:
Registrant Fax: +1.4699959821
Registrant Fax Ext:
Registrant Email: info@seekcousa.com
Registry Admin ID:



seekconz.com is also registered with BIZCN, but with different fake details:
Registrant Name: Nickolas Gordon
Registrant Organization: Nickolas R. Gordon
Registrant Street: 4930 Clarence Court
Registrant City: Ontario
Registrant State/Province: CA
Registrant Postal Code: 91762
Registrant Country: us
Registrant Phone: 909-988-6071
Registrant Phone Ext:
Registrant Fax: 909-988-6333
Registrant Fax Ext:
Registrant Email: info@seekconz.com


There is no website associated with either of these domains, but there are mail records of mx.seekconz.com and mx.seekcousa.com pointing to 93.190.137.5 (Worldstream, Netherlands). Nameservers involved in the fraud are ns1.friscolakesgc.net hosted on the same IP and ns2.friscolakesgc.net hosted on 32.21.129.43 (AT&T, US).

We can dig a little deeper on those nameserver records, they have fake WHOIS details as well:
Registrant Name: ROSEMARY CARPIO
Registrant Organization:
Registrant Street: 701 Collins Ave, Apt 4B
Registrant City: MIAMI BEACH
Registrant State/Province: FL
Registrant Postal Code: 33139-6203
Registrant Country: US
Registrant Phone: +1.7868777722
Registrant Phone Ext.:
Registrant Fax:
Registrant Fax Ext.:
Registrant Email: haveacupoft@gmx.us
Registry Admin ID:


These fake details also appear on a domain airnavrace.net which is used as a namserver domain for the following domains and uses the following IPs:
quarter.su
147.249.171.10 (IDD Information Services, US)
42.96.195.183 (Alibaba, China)

.su domains are usually bad news, and I suspect that quarter.su is up to no good. The WHOIS details for this domain don't give much detail..

domain: QUARTER.SU
nserver: ns1.aim-darts.net.
nserver: ns1.airnavrace.net.
state: REGISTERED, DELEGATED
person: Private Person
e-mail: bartels@xrbox.com
registrar: R01-REG-FID
created: 2013.12.09
paid-till: 2014.12.09
free-date: 2015.01.11
source: TCI


That domain is multihomed on a bunch of IPs:

176.53.125.6 (Radore Veri Merkezi Hizmetleri, Turkey)
37.255.241.29 (TCE, Iran)
108.81.248.139 (William Allard / AT&T, US)
65.27.155.176 (Time Warner Cable, US)
203.235.181.138 (KRNIC, Korea)
95.57.118.56 (Dmitry Davydenko , Kazakhstan)
186.214.212.64 (Global Village Telecom, Brazil)
89.39.83.177 (C&A Connect SRL, Romania)

This, it turns out is the tip of a very large iceberg of malicious domains and IPs which I will cover in the next post.

Saturday, 25 January 2014

"MVL Company" fake job offer

This job offer is a fake, and in reality probably involves money laundering or handling stolen goods:

From: Downard Bergstrom [downardkrjbergstrom@outlook.com]
Subject: Longmore
Date: Fri, 24 Jan 2014 18:52:49 +0000

Hello,
Today our Company, MVL Company, is in need of sales representatives in United Kingdom.

Our Company deals with designer goods and branded items. We've been providing our customers with exclusive products for more than five years, and we believe that the applicant for the position must have great communication skills, motivation, desire to earn money and will to go up the ladder. All charges related to this opening are covered by the Company. Your main duties include administrative support on orders and correspondence, controlling purchase orders and expense reports.

Part-time job salary constitutes 460GBP a week.
Full-time job is up to 750GBP per week .
Plus we have bonus system for the best workers!

To apply for the vacancy or to get more details about it, please email us directly back to this email.

Hope to hear from you soon!
Best regards,
Downard Bergstrom
The spam is somewhat unusual in that it addresses me by my surname, indicating that the email data might have been stolen from a data breach (Adobe perhaps). The email originates from a freee Microsoft Outlook.com account and gives no clues as to its real origins. A look at Companies House Webcheck confirms that there is no company of this exact name, although there are several innocent companies with similar names.

Avoid.

Tuesday, 17 December 2013

Video: Parcel Reshipping Scams, Parcel Mules and Fake Job Offers

A brief presentation on how parcel reshipping scams work, and the role of parcel mules and fake job offers.

Wednesday, 4 December 2013

"british-googleapps.com" (and other googleapps.com domains) job scam

This following spam email is attempting to recruit money mules:

From:     arwildcbrender@victimdomain.com
to:     arwildcbrender@victimdomain.com
date:     4 December 2013 07:49
subject:     Employment you've been searching!

Hello, We have an excellent opportunity for an apprentice applicant to join a rapidly expanding company.

An at home Key Account Manager Position is a great opportunity for stay at home parents
or anyone who wants to work in the comfort of their own home.

This is a part time job / flexible hrs for European citizens only,This is in view of our not having a branch office presently in Europe,
also becouse of paypal and ebay policies wich is prohibit to work directly with residents of some countries.

Requirements: computer with Internet access, valid email address, good typing skills.
If you fit the above description and meet the requirements, please apply to this ad stating your location.

You will be processing orders from your computer. How much you earn is up to you.
The average is in the region of 750-1000 GBP per week, depending on whether you work full or part time.

Region: United Kingdom only.

If you would like more information, please contact us stating where you are located and our job reference number - 42701-759/3HR.
Please only SERIOUS applicants.

If you are interested, please reply to: Gene@british-googleapps.com
Sample subjects include:
Employment you've been searching!
Career opportunity inside
Job ad - see details! Sent through Search engine


Other "reply-to" addresses spotted:
Gene@british-googleapps.com
Dewitt@british-googleapps.com
Robbie@british-googleapps.com
Leila@british-googleapps.com


british-googleapps.com is registered with completely fake details and uses a mail server on 50.194.47.186 (Comcast Business, US) to process mail. There are several other similar domain names being used for the same scam:

british-googleapps.com
germany-googleapps.com
consulting-googleapps.com
usa-googleapps.com
us-googleapps.com
canada-googleapps.com
consult-googleapps.com
arbeit-googleapps.com
consulting-googleapps.com
job-googleapps.com


In addition to those, all these following IPs and domains are in use by the scammers either now or recently. All the domains are registered through scam-friendly Chinese registrar BIZCN to ficticious registrants.

50.194.47.186
175.67.90.27
95.94.135.113
220.67.126.175

googleapps-works.com
googleapps-work.com
googleapps-career.com
googleapps-consult.com
googleapps-jobs.com
googleapps-offer.com
googleapps-cz.com
googleapps-espana.com
googleapps-euro.com
googleapps-us.com
googleapps-usa.com
googleapps-pl.com
googleapps-work.com
googleapps-japan.com
googleapps-italy.com
googleapps-ro.com
googleapps-nl.com
googleapps-spain.com
googleapps-gb.com
googleapps-greece.com
googleapps-group.com
googleapps-japan.com
googleapps-nz.com
googleapps-offer.com
googleapp-consult.com

carrer-trade.com
us-trades.com
worlds-trade.com
google-trade.com
trades-consult.com
googletrade-usa.com
google-usatrade.com

careerin-google.com
google-lavorare.com
works-google.com
consult-google.com
consulting-google.com

apple-praca.com
careerin-mac.com‎
apple-euro.com
job-in-apple.com
jobin-apple.com

jobin-usa.com
jobin-za.com
jobin-google.com
jobin-yahoo.com
job-italia.com
job-newzealand.com
job-greece.com

munca-bucuresti.com
romania-work.com
outsourcing-lavoro.com
outsourcing-consult.com
jobs-consult.com
jobmark-eu.com
worlds-diploms.com
italia-lavorare.com
lavoro-it.com
trade-outsource.com
warszawapraca.com
usa-findjob.com

medshorediet.com
hotalibre.com
wickedpl.com
eventlore.net
elcacareo.net
washin-factory.net
australia-attractions.net
conawaystrickler.net



Thursday, 28 February 2013

usanewwork.com fake job offer

This fake job offer will be some illegal activity such as money laundering or reshipping stolen goods:

Date:      Thu, 28 Feb 2013 14:57:55 -0600
From:      andrzej.wojnarowski@[victimdomain]
Subject:      There is a vacancy of a Regional manager in USA:

If you have excellent administrative skills, working knowledge of Microsoft Office,
a keen eye for detail, well-versed in the use of social networking sites such as Twitter and Facebook,
are organized, present yourself well and are a team player with the ability to work independently,
are reliable and punctual and can understand and execute instructions are determined to work hard and succeed - we need you.

If you are interested in this job, please, send us your contact information:
Full name:
Country:
City:
E-mail:

Please email us for details: Paulette@usanewwork.com
In this case the email originated from 187.246.25.58, a Mega Cable customer in Guadalajara, Mexico. The domain is registered to an address that does not exist (there is no Pratt Avenue in Tukwila):

   Sarah Shepard info@usanewwork.com
   360-860-3630 fax: 360-860-3321
   4478 Pratt Avenue
   Tukwila WA 98168
   us

The domain was only registered two days ago on 28/2/13.


The nameservers ns1.stageportal.net and ns2.stageportal.net are shared by several other domains offering similar fake jobs:

arbeitsagentura.com
stepstonede.com
europswork.com
usanewwork.com
euroconsaltinn.com
europsconsult.com
stageportal.net

IP addresses involved are:
5.135.90.19 (OVH, France)
69.169.90.62 (Big Brain Host, US)
199.96.86.139 (Microglobe LLC, US)

This job offer is best avoided unless you like prison food.

For the record, these are the other registrant details.

stageportal.net:

      LAUREEN FREEMAN
      7538 TRADE ST.
      SAN DIEGO, CA 92121
      US
      Phone: +1.8585668488
      Email: wondermitch@hotmail.com

arbeitsagentura.com:

   Michael B. Jackson
   Michael Jackson info@arbeitsagentura.com
   909-542-7178 fax: 909-542-7311
   3832 Gordon Street
   Pomona CA 91766
   us

stepstonede.com:

   John L. Irizarry
   John Irizarry info@stepstonede.com
   858-450-8875 fax: 858-450-8811
   4808 Hamill Avenue
   San Diego CA 92123
   us

europswork.com:

   Connie J. Grooms
   Connie Grooms info@europswork.com
   626-448-5229 fax: 626-448-5211
   2815 Woodstock Drive
   El Monte CA 91731
   us

euroconsaltinn.com:

   Mamie W. Murray
   Mamie Murray info@euroconsaltinn.com
   920-245-0475 fax: 920-245-0411
   3390 Rockford Mountain Lane
   West Allis WI 53227
   us

europsconsult.com:

   Regina P. Clay
   Regina Clay info@europsconsult.com
   212-241-1581 fax: 212-241-1211
   408 Bell Street
   New York NY 10029
   us


Tuesday, 4 December 2012

"ARK Bureau" (arkbureau.com) fake job offer

The ARK Architecture Bureau is a genuine company. This fake job offer is not from ARK Bureau, but is some sort of illegal activity such as money laundering.

Update: I didn't look closely enough at the site, I discovered that arkbureau.com is also fake, as is this email. See more below. This is still trying to recruit people for money laundering though.

From: Odette Holcomb [mailto:nbnian@esonchem.co.kr]
Sent: 03 December 2012 12:32
Subject: Help wanted.

POSITION: Customer Assistant

ABOUT COMPANY:
ARK Bureau has served hundreds of clients in the United Kingdom, Poland, France and Germany since 1998.

The firm was created by Lorinda Rogers, a young architect of Canadian origin. From its inception, ARK Bureau.s vision for design and construction was based on system approach, incorporating both building and landscape design. That philosophy has always meant the highest quality for our clients. That.s probably why ARK Bureau enjoys a strong loyalty from the past customers.

Now we have open vacancy in the U.S.: Customer Assistant

RESPONSIBILITIES:
- Process payments from customers;
- Filing invoices, statements and associated documents;
- Meet and exceed performance and time management goals;
- Other duties as required.

GENERAL SKILLS:
- High communication skills;
- Strong problem solving and planning skills;
- Experienced computer & internet user.

APPLY:
To apply please: arkbureaumanager@nokiamail.com
An alternative version uses the email address of arkbureau_manager@nokiamail.com. The two samples that I have seen have originating IP addresses of 174.52.171.8 (Comcast, US) and 109.173.54.245 (NCNET, Russia).

You should give this fake company a wide berth unless you want to end up in serious trouble with law enforcement.

Update: I had originally assumed from the amateurish spam email that arkbureau.com belonged to a genuine company. However, a search of UK company records shows no such company, the domain was only registered a month ago to an address which is actually consistent with the one on the site:

Domain Name: ARKBUREAU.COM     
                                  
 Registrant:                      
     N/A
    Allen Hart        (arkbureau@aol.com)
    108 Broadwick Street
    London
    London,W1F 8MT
    GB
    Tel. +44.448715283620    
                                  
 Creation Date: 16-Nov-2012 
 Expiration Date: 16-Nov-2013 


Their site is full of stock images (like the one below) which can be found in many other places, most of which appear to be in the US (where they don't have an office).

Fundamentally, the whole thing is a fake. A good-looking fake, but a fake nonetheless.

These contact details are presumably also bogus:
Int'l Customer Care: +1 646 583 0506

Our head office is located in London, UK:

108 Broadwick Street, London, W1F 8MT, UK
Phone: +44(0) 20 3290 1280
Fax: +44(0) 871 528 3620
Email: info@arkbureau.com

Since 2010 we also run a branch in Warsaw, Poland:

Pl. Pilsudskiego 3, 00-078 Warszawa, Poland
Phone: +48 22 208 4722
E-mail: info@arkbureau.com 
Well, a quick Google of "108 Broadwick Street" indicates that it probably doesn't exist. If we get down on the ground with Google Streetview we can see that Broadwick Street only goes up to number 76 which is a bank of cash machines. Also, the quoted postcode of W1F 8MT is wrong, that belongs to somewhere which is quite a walk from Broadwick Street.

Emails to info@arkbureau.com bounce, there is no such user configured on the server.

arkbureau.com itself is hosted on 64.191.88.71 (HostNOC, US). There are several other sites on the same server that look dedicated to either fraud or fake pharma. I would recommend that all of these sites are avoided:

abcforwarding.com
actualcard.net
afpeasttexas.org
agea-usa.com
arkbureau.com
armorebeauty.com
autosales.com.do
beauty-wish-list.info
bestdesignstudios.ru
bestdietpillsreviews.org
buycanadianviagraonline.com
byabovegroundpools.com
canada-cialis.net
canadian-viagra.org
cialis-40-mg.com
cialis-5-mg.org
cialisprofessionals.com
cr-goods.com
ctrlpack.com
curiote.com
debtcptl.com
dioxidesoftware.com
discount-levitra.com
diybeautifulbody.com
encom-fg.com
engagement-rings-gallery.com
executivehomeswaco.com
executivehomeswacotexas.com
fantastic-male-size.com
firstransfer.com
getmattresswarehouse.com
getusedhorsetrailers.com
globalmg.org
godrop.biz
hallgg.pl
happychickengrill.com
heidtgroup.com
hiphopsongs.us
iceraysfancard.com
ixcongroup.com
jaffe-inc.com
livesecurity.pro
livesecuritypro.org
magnitogorsk.ws
myparcelforwarding.com
newboxcenter.com
nhsgroup.net
nowamarket.com
parcelunited.net
paydayloan-assistant.com
plate-flipper.com
politcenter.org
power-meds.com
pragueprivate.com
preventpainnow.org
prolivesecurity.org
propackage.biz
provenlovetabs.com
purchase-tadalafil.com
releasebg.com
rezzonans.net
rezzonans.org
ruskombat.info
rxtabsworld.com
securitylive.pro
shengfangtex.com
stafer.pro
starbuckscorp.com
sterece.com
stuffarea.biz
thefce.com
top-email-software.com
travelscom.net
traversestate.com
trustedmensmeds.com
uniteddigitalmedia.com
usheadway.com
usstyle.org
vendconsulting.com
viacton.com
viagra-super-force.org
virodex.com
virtualizare.net
wedding-bouquets-gallery.com
weddingshoesbridalonline.com
your-drug-blog.com

Saturday, 5 May 2012

Fake job offer: HRT F1 TEAM

The HRT F1 Team is a real team engaged in motor racing. This email is not from the HRT F1 Team.

Date:      Sat, 5 May 2012 16:43:33 +0300
From:      "Rebecca Hoffmeister / HRT F1 TEAM" [gormon.82@digiton.ru]
Subject:      Job Offer - Payment Department

Hello !


We are a first-rate company specializing in the implementation of accessories for cars. Apart from this primary mission, we also provide full support to our clients during all stages of the purchase of our product, from the resolution of the contract to the payment and delivery of the product to the customer. To that end, the subdivisions of our company form a quite large network.

At the present time, there is one position open in our company as an agent in the department of payment control. The first month of work will be probationary and will include training programs on corporate ethics and also the basics of inspection and control of payment between parties in a transaction.

We guarantee:
- A suitable wage

- We guarantee you sufficient money to be added to your main salary, provided you have a wish to work hard and to follow all our instructions on time

- Benefits package
- Free training

Our requirements for candidates:
- Punctual and diligent fulfillment of directions from the manager
- Ability to effectively organize work time

- Process work requests necessary to maintain an effective payments transfer program

- Close access to the infrastructure of our city
- Uphold a high level of integrity and ethics
- Good time management skills


If you are interested in this position, send us a short resume by e-mail: hrtf1team@juno.com

Rebecca Hoffmeister - Payment Manager
HRT F1 TEAM


Instead this is a money mule (money laundering) operation which will end up with serious trouble with the police and your bank. Avoid.

Sunday, 4 March 2012

AVB Logistic Company (avb-logistic.com) is a scam

AVB Logistic Company (avb-logistic.com) looks very much like a real company from the website, but in fact it is a scam operation laundering money, targeted primarily at people in Greece and Italy. It also appears to be related to a similar scam site called Landexpo Logistic (landexpo-logistic.com).

This fake company came to my notice because of a series of comments in another thread (original / Google Translated) which indicates that they may have been recruited through a spam run last year.

The AVB Logistics web site looks professional enough, but there's a reason for that which will become apparent:

AVB gives the following "facts" about itself on the web site:

As an external partner, AVB (Manchester), develops a comprehensive range of logistics and service solutions for trade and industry. In 2007, the group generated sales of 2.0 billion euros and currently employs approximately 8,500 staff in 44 countries. AVB operates in all important markets worldwide and has over 400 locations across all continents
It also claims its address to be:

United Kingdom:     AVB
Zenith,
Paycocke Road,
Basildon, Essex
SS14 3DW
   
E-Mail:     contact@avb-logistic.com
Although there is some evidence that they recently changed this from:

AVB Norris road 57. M29 8FH Manchester. Tel.: +44 161 408 1090.
They claim that their shares have been listed in London since 2000 under the stock ticker symbol TGH.


So, what's wrong with this picture. Well, in reverse order..

TGH is indeed a share on the London Stock market, but it belongs to Textainer Group Holdings Limited (as you might expect a with share with those initials).

There is no such company visible in the list of UK Companies (Companies House Webcheck) as AVB Logistic or AVB (Manchester) although there are plenty of innocent companies with the same name.

The address in Basildon belongs to a different company, Cosco Logistics. There are several companies nearby, none of which are called AVB. There appears to be no company called AVB in Basildon at all according to business listings.

There is no Norris Road in the postcode M29 8FH, but there is a Norris Street. Norris Street is very short, it only has about 4 properties on it, so there is no number 57. A Google search for "44 161 408 1090" reveals no credible references, but it does reveal an apparent scam site called landexpo-logistic.com sharing the same number.

According to their website, AVB Logistic has been in business since at least 2000, but their domain name was only registered on 15th January 2012 through a registrar in Russia with anonymous details:

Registration Service Provided By: RU-TLD.RU
Contact: +007.4012971111

Domain Name: AVB-LOGISTIC.COM

Registrant:
    PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    ID#10760, PO Box 16
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Nobby Beach
    null,QLD 4218
    AU
    Tel. +45.36946676

Creation Date: 15-Jan-2012 
Expiration Date: 15-Jan-2013

Domain servers in listed order:
    ns1.avb-logistic.com
    ns2.avb-logistic.com

It is unlikely that a large and well-established company would only just have created their web site.

The site is hosted on 46.4.30.11, an IP address allocated to Hetzner in Germany, but then rented out to a Russian hosting company called reserver.ru

And the reason the site looks so professional? Most of it has been copied directly from a legitimate company called Logwin Logistics, you can see this very clearly on some pages. For example, Logwin's page about Graduates looks like this.



The AVB page at avb-logistic.com/university.htm looks like this:


There are several other pages that are a direct copy.

It's obvious that AVB Logisitic is a fake. But what does it do? Basically, it is a money mule operating being used to launder stolen money - typically from hacked bank accounts.

The "mule" is recruited to receive the stolen money from one account, and then send it out via Wire Transfer (for example, Western Union), taking a percentage of the money as commission along the way. So, for example, a bank account is hacked with €10,000 in it, the money is transferred to the "mule" who keeps 10 (€1000) and wires €9000 off to somewhere else (typically Russia or Ukraine).

But what happens next is that the original theft of €10,000 is discovered - but the mule is liable for the whole amount of money, and often this is where the police get involved. At best, the mule has to repay all €10,000, at worst there could be a criminal investigation.

So.. if approached by these people, probably the best thing to do is ignore them completely and do not reply. If you have moved money through your accounts for these people, then the best thing to do is speak to your bank right away.

Sunday, 29 January 2012

Fake jobs: euro@ultraups.com

The "Lapatasker" money mule recruiters have been fairly quiet for a while, but here is a new one:

From:  Barrmanager@pacbell.net maurogonzal22@gmail.com
Date: 28 January 2012 01:39
Subject: Parttime Job

Compliments

I am the personnel department manager and I am appealing to you in the name of the large-scale and first-rate partnership.

Our company is met in many departments, such as:
- property
- bank account operations
- transportation and logistics
- private enterprise service
- etc.

We need a person to fill the vacancy of a regional manager in Europe:
- salary 2.600 euro + bonus
- 2 - 3 working hours per day
- individual time-table


If our offer is interesting for you email us the required information:
e u r o @ u l t r a u p s . c o m (Please Delete Spaces In Email Address Before Mailing Us)
Full name:
Country:
City
E-mail:
Contact phone number:



Attention! We need just the people residing in EU.

Please, write your Telephone Number and our manager will contact with you and answer all your questions. 

The "jobs" offered are illegal activities such as money laundering, so signing up to them could land you in serious trouble with law enforcement and seriously out of pocket.

The domain was registered a while ago, probably with fake registrant details:
    Alexis Putt
    Email: alexisputt@yahoo.co.uk
    Organization: Alexis Putt
    Address: St Katharine's Way 12
    City: London
    State: London
    ZIP: E1W 1DD
    Country: GB
    Phone: +44.0113343341

If you have any more example emails, please consider sharing them in the comments.

Saturday, 26 November 2011

Fake jobs: working-ca.com

Another fake job domain, working-ca.com seems to be part of this long-running scam. I hadn't spotted this one before, so thanks to our reader who sent it in. Note that this is not connected with the legitimate site WorkingCA.com . The jobs offered are actually illegal activities such as money laundering.


Hello, We have an excellent opportunity for an apprentice applicant to
join a rapidly expanding company.

An at home Key Account Manager Position is a great opportunity for stay
at home parents
or anyone who wants to work in the comfort of their own home.

This is a part time job / flexible hrs for Canadians only,This is in
view of our not having a branch office presently in Canada,
also becouse of paypal and ebay policies wich is prohibit to work
directly with residents of some countries.

Requirements: computer with Internet access, valid email address, good
typing skills.
If you fit the above description and meet the requirements, please apply
to this ad stating your location.

You will be processing orders from your computer. How much you earn is
up to you.
The average is in the region of CA$750- CA$1000 per week, depending on
whether you work full or part time.

Region: Canada only.

If you would like more information, please contact us stating where you
are located and our job reference number - 70570-868/4HR.
Please only SERIOUS applicants.

If you are interested, please reply to: Weldon@working-ca.com

and

Hello, We have an excellent opportunity for an apprentice applicant to
join a rapidly expanding company.

An at home Key Account Manager Position is a great opportunity for stay
at home parents
or anyone who wants to work in the comfort of their own home.

This is a part time job / flexible hrs for Canadians only,This is in
view of our not having a branch office presently in Canada,
also becouse of paypal and ebay policies wich is prohibit to work
directly with residents of some countries.

Requirements: computer with Internet access, valid email address, good
typing skills.
If you fit the above description and meet the requirements, please apply
to this ad stating your location.

You will be processing orders from your computer. How much you earn is
up to you.
The average is in the region of CA$750- CA$1000 per week, depending on
whether you work full or part time.

Region: Canada only.

If you would like more information, please contact us stating where you
are located and our job reference number - 35097-781/2HR.
Please only SERIOUS applicants.

If you are interested, please reply to: Tristan@working-ca.com


The registrant details for the domain are probably fake, but here they are anyway:

Kevin Tesalo
    Email: kevintesalo@yahoo.fr
    Organization: Kevin Tesalo
    Address: 2 avenue des Beguines
    City: Cergy Saint Christophe
    State: Cergy Saint Christophe
    ZIP: 95811
    Country: FR
    Phone: +33.124335612 

Sunday, 6 November 2011

Fake jobs: europcareers.net

One more fake job domain to avoid, europcareers.net follows on from the ones spotted yesterday and uses the fake (probably fake) registration address:


frederic benou
    Email: fredericabenou@yahoo.fr
    Organization: frederic benou
    Address: 23 rue des Camelias
    City: Alfortville
    State: Alfortville
    ZIP: 94112
    Country: FR
    Phone: +33.0148931456 

The emails may appear to come from yourself (here's why). The jobs offered are actually criminal activities such as money laundering. If you have any example emails, please consider sharing them in the Comments.

Friday, 4 November 2011

Fake jobs: jobsearchoo.com, newstatejob.com and usanewjobgov.com

Three more domains being used to recruit money laundering jobs and other illegal activities:

jobsearchoo.com
newstatejob.com
usanewjobgov.com


The jobs form part of this long running scam.Email messages may appear to come from yourself (here's why). The domain is registered to the following (probably fake) address:

    frederic benou
    Email: fredericabenou@yahoo.fr
    Organization: frederic benou
    Address: 23 rue des Camelias
    City: Alfortville
    State: Alfortville
    ZIP: 94112
    Country: FR
    Phone: +33.0148931456 


If you have any examples of emails using these domains, then please consider sharing them in the Comments. Thanks!

Wednesday, 2 November 2011

Fake jobs: expoeurojob.com, newjobsineurope.com and thenewjobbs.com

Three new domains offering jobs which will actually turn out to be money laundering or reshipping stolen goods. This scam has been going on for years.

expoeurojob.com
newjobsineurope.com
thenewjobbs.com


The emails may appear to come "from" your own email address (here's why). The (probably fake) registrant details for this domain are:

    Francisco Getz
    Email: franciscogetz@yahoo.fr
    Organization: Francisco Getz
    Address: 43 rue Mazarine
    City: Paris
    State: Paris
    ZIP: 75002
    Country: FR
    Phone: +33.191282216

If you have any samples of spam using these domains, please consider sharing them in the Comments. Thanks!

Friday, 28 October 2011

Fake jobs: jobbslists.com, jobbsearcher.com, gbjobb.com and greecejobb.com

Yet more fake job offers, following on from this long-running scam. This time the following domains are in use to solicit replies:

jobbslists.com
jobbsearcher.com
gbjobb.com
greecejobb.com

The spam emails adveritising these may appear to come from your own email account (here's why). The "jobs" on offer are actually illegal activities such as money laundering.

For the record, the registrant details for those domains (which are almost definitely fake) are:

    Lorian Kern
    Email: loorjaan@yahoo.dk
    Organization: Lorian Kern
    Address: Sonderskovvej 22
    City: Lystrup
    State: Lystrup
    ZIP: 8124
    Country: DK
    Phone: +45.83743412 

If you have any example emails, please consider sharing them in the Comments. Thanks!

Monday, 24 October 2011

Scam sites on 84.22.161.169

84.22.161.169 (IOMART Ltd, UK) seems to have some problems with scam sites, such as the one mentioned in this post. I haven't had time to check the whole range, but most of the sites they host are legitimate, these however appear to be bogus.

mailukrsoft.com

    Rogers, Sid  via@viagrasuperpills.com
    March St 43
    San Antonio, Tx 7820 1
    US
    +1.2103354574

mailopal.com

    Weis, Albert  albert.weiso@yahoo.com
    56 Dashington Avenue
    New York State, West  Stay Ville 1179 6
    US
    +1.016312918436

ukraiansoftware.com

    Mitch, Ray  vpx@vpxlpillstore.com
    Po Box 434
    Grand Prairie, Tx 7505 0
    US
    +1.5743436654

ukrdevonline.net

    SMITH, THOMAS  akky@buyaccutane.us
    14664 State Hwy B
    Marshfield, Mo 6570 6
    US
    +1.4177377167

ukrsoft.org

Registrant ID:tu1tWtvki2quecE9
Registrant Name:raymond russ
Registrant Organization:raymond russ
Registrant Street1:229 west 78 street
Registrant Street2:
Registrant Street3:
Registrant City:new york
Registrant State/Province:newyork
Registrant Postal Code:10024-6646
Registrant Country:US
Registrant Phone:+1.2125953001
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:raymondruss@yahoo.com

ukrsoftmail.com

    Smith, David  david.smith791@yahoo.com
    1845 east northgate drive
    Irdi ange, Texas 75062- 47 36
    US
    +1.019277214101

westmailwug.com

    morrison, dennis  morrison.wug78@yahoo.com
    575
    texas, texas fghhy2
    US
    +1.9723479881

westunionhome.com

    Walters, Hank  doggerellhlog@gmail.com
    Railway Circle 55
    Hannibal, Mo 6340 1
    US
    +1.5734564433

westunionweb.com

    Jacks, Michael  griswoldmopar@gmail.com
    Forest Ave 65
    Oak Park, Illinois  6030 1
    US
    +1.7085561232

taurus-analityc.com

    De Gaetano, Richard  xsponger@gmail.com
    1001 Lincoln Avenue
    Lockport, Newyork 14094
    US
    +44.017164336832

taurus-mac.com

    Vanko, Ken  eudociafrequk@gmail.com
    16st 65 Ap 44
    San Diego, Ca 9210 1
    US
    +1.4342268876

mailukrsoft.com: job scammers in action

A post over at woozoo.nl caught my eye (in Nederlands, Google Translated to English) about the netherlandjobb.com scam. Robert Krom goes several steps further than I usually do with a good investigation into how the scammers try to rope people in.

Robert identifies mailukrsoft.com  as the next stage in the scam. To me, it looks like it is run by a different crew, but scammers tend to oursource activities to others these days. It appears that one group of scammers may be looking for money mules and then selling them on to others.

Sunday, 23 October 2011

Fake jobs: jobbworld.com and yourjobb.com

Two new domains being used to recruit for fake jobs, which actually turn out to be illegal activities such as money laundering.

jobbworld.com
yourjobb.com

This is part of a long-running scam that has been going on for ages. One characteristic of the spam received is that it appears to come from your own email address (here's why).

If you have any examples of spam using these domains for reply addresses, please consider sharing them in the Comments.

Here is one sample:

Date: 24 October 2011 20:15
Subject: Deeltijdarbeid
   
Ik wil uw aandacht brengen en u te informeren dat Consulting Bedrijf beginnen  proces te inhuren en geven u een
grote kans om carrière te beginnen  nu met veel voordelen en de voordelen van dit werek.

Als u besloten om onderbreking in uw carrière te maken, of u op een moederschapsverlof bent,
onlangs gepensioneerde of gewoon op zoek naar enkele aanvullende tijdelijk baan, dit standpunt is enkel voor u gemaakt.

Werkende uuren: Flexibele tijdschema van van 1 tot 3 uur per dag. We garanderen ongeveer 20 uur een week bezetting.
Salaris en voordelen: begin salaris is variërend van 2000 tot 2500 euro per maand,
vermeerderd met extra commissie als u alle taken nauwkeurig vervullen.

Regio: Europese Unie.

Houd er rekening mee dat er geen betalingen of elke andere trucs om te gaan werken voor ons zijn.

Indien geïnteresseerd en wil u verzoeken een aanvraagformulier toepassen voor deze positie,
uw interview plannen en of gewoon meer informatie ontvangen over deze positie voordat u toepast,
kunt u antwoord op deze e-mail en stuur ons uw contact informatie.

In het onderwerp van e-mail Geef uw persoonlijk identificatienummer voor deze positie IDNO: 04459

Als u geïnteresseerd bent, kunt u reageren op: Damion@yourjobb.com,bedank!

And another one that seems to drift between Dutch and Czech for a while..

Subject: Vacature
   
Ik wil uw aandacht brengen en u te informeren dat Consulting Bedrijf beginnen  proces te inhuren en geven u een
grote kans om carričre te beginnen  nu met veel voordelen en de voordelen van dit werek.

Als u besloten om onderbreking in uw carričre te maken, of u op een moederschapsverlof bent,
onlangs gepensioneerde of gewoon op zoek naar enkele aanvullende tijdelijk baan, dit standpunt is enkel voor u gemaakt.

Werkende uuren: Flexibele tijdschema van van 1 tot 3 uur per dag. We garanderen ongeveer 20 uur een week bezetting.
Salaris en voordelen: begin salaris is variërend van 2000 tot 2500 euro per maand,
vermeerderd met extra commissie als u alle taken nauwkeurig vervullen.

Regio: Europese Unie.

Houd er rekening mee dat er geen betalingen of elke andere trucs om te gaan werken voor ons zijn.

Indien geďnteresseerd en wil u verzoeken een aanvraagformulier toepassen voor deze positie,
uw interview plannen en of gewoon meer informatie ontvangen over deze positie voordat u toepast,
kunt u antwoord op deze e-mail en stuur ons uw contact informatie.

In het onderwerp van e-mail Geef uw persoonlijk identificatienummer voor deze positie IDNO: 64594

Als u geďnteresseerd bent, kunt u reageren op: Fidel@yourjobb.com,bedank!