Showing posts with label PayPal. Show all posts

Wednesday 11 November 2015

Malware spam: "Refund from Bowater Incorporated" / PayPal

This fake PayPal email leads to malware:

From:    service@paypal.co.uk
Date:    11 November 2015 at 16:27
Subject:    Refund from Bowater Incorporated

PayPal

Bowater Incorporated has just sent you a refund

Wed, 11 Nov 2015 17:27:26 +0100
Transaction ID: 47E30904DC4145388
Dear Customer,
Bowater Incorporated has just sent you a full refund of £7849.90 GBP for your purchase.
If you have any questions about this refund, please contact Bowater Incorporated
The refund will go to your PayPal account. It may take a few moments for this transaction to appear in your account.
To see all the transaction details, please download and view from the link below.
https://www.paypal.com/uk/cgi-bin/webscr?cmd=view-a-trans&id=47E30904DC4145388
Merchant information
Bowater Incorporated
Note from merchant
None provided




Original transaction details
Description Unit price Qty Amount
Purchase from Bowater Incorporated £7849.90 GBP 1 £7849.90 GBP
Insurance: ----
Total: £7849.90 GBP
Refund to PayPal Balance: £7849.90 GBP
Invoice Number: 59266315
Yours sincerely,
PayPal
Please do not reply to this email because we are not monitoring this inbox. To get in touch with us, log in to your account and click "Contact Us" at the bottom of any page.
Copyright © 1999-2015 PayPal. All rights reserved.

PayPal (Europe) S.a.r.l. et Cie, S.C.A.
Societe en Commandite par Actions
Registered office: 64-75 Boulevard Royal, L-3369 Luxemburg
RCS Luxemburg B 205 162
PayPal Email ID PP1479 - nsjwiqin1ob5c

The link in the email goes to a download location at sharefile.com which leads to a file transaction details.zip containing a malicious executable transaction details.scr.

This binary has a VirusTotal detection rate of just 1/55. The Hybrid Analysis report shows network traffic consistent with Upatre downloading the Dyre banking trojan. One key IP address is 197.149.90.166 (Cobranet, Nigeria), which is well worth blocking.

MD5:
28989811c6b498910637847d538e43bf
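The lure above works because the link text reads paypal.com while the href points at sharefile.com, and the download is a .zip wrapping a .scr (a screensaver, which Windows runs as an ordinary executable whatever icon it shows). The following is an added example, not code from this post: it parses a constructed copy of the lure, flags every link whose real host is not a PayPal domain and whether the visible text claims a different host, and names the executable members of an in-memory archive without extracting them. The sharefile.com path, the PayPal brand-domain list and the archive contents are assumptions, and the "£" was left out of the constructed body to keep it plain ASCII.

```python
import email
import io
import zipfile
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains PayPal itself links to from customer mail. This list is an
# assumption for the example; maintain it from the brand's own guidance.
BRAND_DOMAINS = {"paypal.com", "paypal.co.uk"}

# Extensions Windows will execute no matter what icon the file shows.
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")

# Constructed stand-in for the refund lure (ASCII only so it parses without a
# transfer encoding). The sharefile.com host and path are made up.
LURE = """\
From: service@paypal.co.uk
Subject: Refund from Bowater Incorporated
Content-Type: text/html; charset=utf-8

<html><body>
<p>Bowater Incorporated has just sent you a full refund of 7849.90 GBP.</p>
<p>To see all the transaction details, please download and view from the link below.</p>
<a href="https://example.sharefile.com/d-s0000">https://www.paypal.com/uk/cgi-bin/webscr?cmd=view-a-trans</a>
<p><a href="https://www.paypal.co.uk/uk/help">Contact Us</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude eTLD+1: last two labels, or three under co.uk-style suffixes."""
    parts = host.lower().rstrip(".").split(".")
    two_level = len(parts) >= 3 and len(parts[-1]) == 2 and parts[-2] in {"co", "org", "ac", "gov"}
    return ".".join(parts[-(3 if two_level else 2):])


def audit_links(raw_email):
    """Flag every link whose real target is not a brand domain, noting whether
    the visible text pretends to be a different host."""
    msg = email.message_from_string(raw_email, policy=policy.default)
    collector = LinkCollector()
    collector.feed(msg.get_body(preferencelist=("html",)).get_content())
    findings = []
    for href, text in collector.links:
        target = registrable(urlparse(href).hostname or "")
        if target in BRAND_DOMAINS:
            continue
        shown = urlparse(text).hostname if text.startswith("http") else None
        findings.append({
            "href": href,
            "host": target,
            "display_mismatch": shown is not None and registrable(shown) != target,
        })
    return findings


def audit_zip(blob):
    """Name the executable members of an archive without extracting anything."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXTS)]


def build_sample_zip():
    """Constructed stand-in for 'transaction details.zip': a .scr with an MZ header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("transaction details.scr", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in audit_links(LURE):
        print("off-brand link:", finding)
    print("executables in archive:", audit_zip(build_sample_zip()))
```

The display-text check matters more than the off-brand check on its own: a mail gateway that only looks at hrefs will still pass a lure whose visible text is the genuine PayPal URL, which is exactly what persuades the recipient to click.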

Thursday 30 April 2015

Nepal Earthquake scam: savenepal.org

I was tipped off to this site by a contact, but it appears that there are some particularly despicable scammers who have registered a fake website called savenepal.org which is soliciting donations via PayPal.

The site is largely cloned from the legitimate ActionAid site, which is genuinely seeking donations to go to Nepal.

ActionAid is "Registered charity no 274467" (it says so on the bottom of the page). SaveNepal.org claims to be "Registered charity no 276187", but we can check that number against the UK Charity Commission register and see that the charity with this number is actually an orchestra.


Clicking "Donate" on the scam site leads to PayPal. It doesn't give much of a clue about the ownership of the fake site:


The WHOIS details for the domain are hidden using WhoIsGuard. These other sites appear to be live on the same server:

com-indexhtml.link
com-indexhtml.us
grantsekit.com

Out of these, only com-indexhtml.us has a non-anonymous WHOIS entry:

Registrant ID:                               C4E83B25FA8AD52D
Registrant Name:                             Frank J. Moore
Registrant Address1:                         2441 Byers Lane
Registrant City:                             Davis
Registrant State/Province:                   CA
Registrant Postal Code:                      95616
Registrant Country:                          United States
Registrant Country Code:                     US
Registrant Phone Number:                     +1.5307574940
Registrant Email:                            uscustomerhelp@gmail.com
Registrant Application Purpose:              P1
Registrant Nexus Category:                   C12


I'm pretty sure that those contact details are fake. Going back through historical WHOIS comes up with different contact details:

Registrant ID:                               29B0B5BBD7190398
Registrant Name:                             dinna  james
Registrant Address1:                         po box 876
Registrant City:                             dl
Registrant State/Province:                   dl
Registrant Postal Code:                      110098
Registrant Country:                          India
Registrant Country Code:                     IN
Registrant Phone Number:                     +1.918978978
Registrant Email:                            helpot80@gmail.com
Registrant Application Purpose:              P1
Registrant Nexus Category:                   C12


Of course, these contact details could also be false and there's no definite connection to savenepal.org yet. But out of curiosity, who is helpot80@gmail.com? Googling doesn't reveal much, but it does show a copy of a conversation in the news.admin.net-abuse.email newsgroup where someone claiming to use this email address is complaining about spam. Using Google Groups to find the original newsgroup post shows it was posted from 182.68.85.242, a dynamic Bharti Airtel IP in India, which does at least match the country in the WHOIS details.

Another Google result is this Phishtank entry listing social2013.com/rockgrade/ which appears to be a copy of the Rock Grade Management scam site I covered way back in 2011, indicating that perhaps these two scams are related. helpot80@gmail.com was listed as the owner of social2013.com before it expired in February 2015.

This WHOISology report links the address to several domains:

beauty6k.com
social2013.com
droughty.com
auto36.us
secure2013.us

Also, 94.242.255.129 has hosted many other domains, many of which appear to be scammy.

com-13.pw
com-21.us
com-indexhtml.us
news7d.com
mynews360.com
grantsekit.com
social2013.com
secured2014.com
usgrantskit.com
savenepal.org
com-indexhtml.link
huffingtonpost.com-indexhtml.link
dear.graphics

Many of these have the helpot80@gmail.com address listed in their historical WHOIS entries.
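The pivoting in this post (shared server first, then current and historical registrant email) can be done systematically rather than by hand. The following is an added example, not code from the original post: it builds a graph from a constructed dataset assembled from the figures quoted above, walks it breadth-first from savenepal.org, and rates each chain by its weakest hop, so a connection that only runs through a shared hosting IP is reported as weak while one backed by a common registrant email is strong. The hosting IPs given for secure2013.us and actionaid.org.uk are RFC 5737 placeholders, and which addresses count as current versus historical WHOIS is an assumption.

```python
from collections import deque

# Constructed dataset assembled from the figures quoted in the post above. Which
# field is "current" versus "historical" WHOIS, and the two RFC 5737 addresses
# used for the last two domains, are assumptions for this example.
RECORDS = {
    "savenepal.org":    {"ip": "94.242.255.129", "email": None,   # WhoIsGuard
                         "history": []},
    "com-indexhtml.us": {"ip": "94.242.255.129", "email": "uscustomerhelp@gmail.com",
                         "history": ["helpot80@gmail.com"]},
    "grantsekit.com":   {"ip": "94.242.255.129", "email": None, "history": []},
    "social2013.com":   {"ip": "94.242.255.129", "email": None,
                         "history": ["helpot80@gmail.com"]},
    "secure2013.us":    {"ip": "203.0.113.7", "email": "helpot80@gmail.com",
                         "history": []},
    "actionaid.org.uk": {"ip": "198.51.100.9", "email": "hostmaster@actionaid.org.uk",
                         "history": []},  # the cloned legitimate site, as a control
}

STRONG = "registrant-email"  # same person registered both domains
WEAK = "shared-ip"           # same box; on shared hosting this alone proves little


def build_edges(records):
    """Undirected graph: domain -> [(other_domain, link_kind, shared_value)]."""
    by_email, by_ip = {}, {}
    for dom, rec in records.items():
        emails = ([rec["email"]] if rec["email"] else []) + rec["history"]
        for e in emails:
            by_email.setdefault(e, set()).add(dom)
        by_ip.setdefault(rec["ip"], set()).add(dom)
    edges = {dom: [] for dom in records}
    for kind, index in ((STRONG, by_email), (WEAK, by_ip)):
        for value, doms in index.items():
            for a in doms:
                edges[a].extend((b, kind, value) for b in doms if b != a)
    return edges


def pivot(records, seed, allow_weak=True):
    """Breadth-first pivot from seed. Returns {domain: path}, where path is the
    list of (domain, kind, shared_value) hops that led there."""
    edges = build_edges(records)
    paths = {seed: []}
    queue = deque([seed])
    while queue:
        cur = queue.popleft()
        for nxt, kind, value in edges[cur]:
            if kind == WEAK and not allow_weak:
                continue
            if nxt not in paths:
                paths[nxt] = paths[cur] + [(nxt, kind, value)]
                queue.append(nxt)
    del paths[seed]
    return paths


def confidence(path):
    """A chain of links is only as strong as its weakest hop."""
    return "weak" if any(kind == WEAK for _, kind, _ in path) else "strong"


if __name__ == "__main__":
    for dom, path in pivot(RECORDS, "savenepal.org").items():
        hops = " -> ".join(f"{d} [{k}: {v}]" for d, k, v in path)
        print(f"{dom:18} {confidence(path):6} via {hops}")
```

Run from savenepal.org every hit comes back "weak", because the only way off the seed is the shared 94.242.255.129, which is the same conclusion the post reaches: helpot80@gmail.com is near this infrastructure but not proven to own the scam domain. Seeded from social2013.com with allow_weak=False, the graph still yields com-indexhtml.us and secure2013.us through the registrant email alone.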

What else can we find out?

The email address is connected with this scammy looking Facebook page allegedly giving away "free laptops"



The email address also links to this Google+ profile naming them as "N. Al.". It also links to this YouTube channel with a single video about Payoneer. These Profiles indicate that helpot80@gmail.com has an interest in affiliate marketing, an activity with a mixed reputation.

I cannot prove that helpot80@gmail.com is connected with the savenepal.org, but they probably know whoever is behind it.

Remember, if you want to donate to ANY disaster charity, it is worth checking very carefully that you are dealing with the real thing and not a bunch of scammers.

Monday 20 January 2014

"Thank you for scheduling a payment to Bill Me Later" spam

This fake Bill Me Later spam has a malicious attachment:
Date:      Mon, 20 Jan 2014 14:23:08 +0000 [09:23:08 EST]
From:      Bill Me Later [service@paypal.com]
Subject:      Thank you for scheduling a payment to Bill Me Later

BillMeLater
   
Log in here
       
Your Bill Me Later® statement is now available!

Dear Customer,

Thank you for making a payment online! We've received your
Bill Me Later® payment of $1603.57 and have applied it to your account.

For more details please check attached file

Summary:

Your Bill Me Later Account Number Ending in: 0266

You Paid: $1603.57

Your Payment Date*: 01/20/2014

Your Payment Confirmation Number: 971892583971968191

Don't forget, Bill Me Later is the perfect way to shop when you want more time to pay for the stuff you need. Plus, you can always find great deals and discounts at over 1000 stores. Watch this short, fun video to learn more.

BillMeLater

*NOTE: If your payment date is Saturday, or a holiday, it will take an additional day for the payment to appear on your account. However, you will be credited for the payment as of the payment date.
Log in at PayPal.com to make a payment
Questions:
Do not reply to this email. Please send all messages through the email form on our website. We are unable to respond to account inquiries sent in reply to this email. Bill Me Later is located at 9690 Deereco Rd, Suite 110, Timonium, MD 21093 Copyright 2012 Bill Me Later Inc.

Bill Me Later accounts are issued by WebBank, Salt Lake City Utah

PQW688PP1

Attached is an archive file PP_03357442.zip which in turn contains a malicious executable PP_03357442.exe which has a VirusTotal detection rate of just 4/45. Automated analysis tools [1] [2] show an attempted connection to jatit.org on 72.9.158.240 (Colo4, US) which appears to be a legitimate (but presumably compromised) site.

Wednesday 13 November 2013

PayPal "Identity Issue" spam / Identity_Form_04182013.zip

This fake PayPal (or is it Quickbooks?) spam has a malicious attachment:

Date:      Wed, 13 Nov 2013 02:27:39 -0800 [05:27:39 EST]
From:      Payroll Reports [payroll@quickbooks.com]
Subject:      Identity Issue #PP-679-223-724-838

We are writing you this email in regards to your PayPal account. In accordance with our
"Terms and Conditions", article 3.2., we would like to kindly ask you to confirm your
identity by completing the attached form. Please print this form and fill in the
requested information. Once you have filled out all the information on the form please
send it to verification@paypal.com along with a personal identification document
(identity card, driving license or international passport) and a proof of address
submitted with our system ( bank account statement or utility bill )

Your case ID for this reason is PP-TEBY66KNZPMU

For your protection, we might limit your account access. We apologize for any
inconvenience this may cause.

Thanks,

PayPal

CONFIDENTIALITY NOTICE: This electronic mail transmission and any attached files contain
information intended for the exclusive use of the individual or entity to whom it is
addressed and may contain information belonging to the sender (PayPal , Inc.) that is
proprietary, privileged, confidential and/or protected from disclosure under applicable
law. If you are not the intended recipient, you are hereby notified that any viewing,
copying, disclosure or distributions of this electronic message are violations of federal
law. Please notify the sender of any unintended recipients and delete the original
message without making any copies.  Thank You

PayPal Email ID PP89759 

Attached is a file Identity_Form_04182013.zip which in turn contains Identity_Form_04182013.exe which has an icon to make it look like a PDF file.

The detection rate for this at VirusTotal is 9/47. Automated analysis tools [1] [2] [3] show an attempted connection to signsaheadgalway.com on 78.137.113.21 (UKfastnet Ltd, UK), which is the same server used in this attack, so you can safely assume that the whole server is compromised; I recommend that you block that particular IP.

Wednesday 4 September 2013

PayPal spam / dshapovalov.info

This fake (and badly formatted) PayPal spam email leads to malware on dshapovalov.info:

Date:      Wed, 4 Sep 2013 08:33:25 -0500 [09:33:25 EDT]
From:      PayPal [service@int.paypal.com]
Subject:      History of transactions #PP-011-538-446-067

ID

Transaction: { figure } {SYMBOL }

On your account malicious activity , for 1 hour was filmed around $ 100 , in small amounts In order to avoid blocking the account you need to go in. Authenticate Now

Sincerely, Services for protection

Department

PayPal does not tolerate fraud or illegal activities. Your complaint It was noted in the minutes of PayPal user you reported . If we find that This user has violated our policies , we will investigate and take appropriate action. In this case , you can contact in the future status this complaint.

To ensure that future transactions proceed smoothly, we suggest you visit PayPal site and click the Security Center link located at the top of any page. There you will find tips on how to avoid scammers " Fraud Prevention Tips for Buyers " section.

Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance , log in to your PayPal account and click the Help link in the upper right corner of any page PayPal.

Copyright © 1999-2013 PayPal. All rights reserved.

PPID PP {DIGIT } The history of monetary transactions 

The link in the email goes through a URL shortening service at [donotclick]url7.org/KRh - one annoying feature with this service is that you have to click through a form to get the link, so it isn't easy to see where you are going to land. In this case it is [donotclick]184.168.56.23/observatories/index.html and then it runs one of the following three scripts:
[donotclick]81.143.33.169/garrotting/rumples.js
[donotclick]northeastestateagency.co.uk/queues/relaxes.js
[donotclick]mineralmizer.webpublishpro.com/peps/dortmund.js

From there, the victim is sent to a hijacked GoDaddy domain at [donotclick]dshapovalov.info/topic/able_disturb_planning.php hosted on 192.81.134.241 (Linode, US), which is the same server used in this attack. There are other hijacked GoDaddy domains on the same server (listed below).

Recommended blocklist:
192.81.134.241
watchfp.org
watchfp.mobi
journeyacrossthesky.com
dshapovalov.info
watchfp.net

mineralmizer.webpublishpro.com
northeastestateagency.co.uk
81.143.33.169

Tuesday 3 September 2013

PayPal spam / londonleatheronline.com

This fake PayPal spam leads to malware on londonleatheronline.com:

Date:      Tue, 3 Sep 2013 09:43:09 +0400 [01:43:09 EDT]
From:      PayPal [service@int.paypal.com]
Subject:      Identity Issue #PP-716-472-864-836

We are writing you this email in regards to your PayPal account. In accordance with our "Terms and Conditions", article 3.2., we would like to kindly ask you to confirm your identity by completing the attached form.

Please print this form and fill in the requested information. Once you have filled out all the information on the form please send it to verification@paypal.com along with a personal identification document (identity card, driving license or international passport) and a proof of address submitted with our system ( bank account statement or utility bill ).
For more details please see on the page View all details

Your case ID for this reason is PP-U3PR33YIL8AV

For your protection, we might limit your account access. We apologize for any inconvenience this may cause.

Thanks,

PayPal

CONFIDENTIALITY NOTICE:

This electronic mail transmission and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information belonging to the sender (PayPal , Inc.) that is proprietary, privileged, confidential and/or protected from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distributions of this electronic message are violations of federal law. Please notify the sender of any unintended recipients and delete the original message without making any copies. Thank You

PayPal Email ID PP53161

The link in the email goes to a legitimate hacked site and then loads one of these three scripts:
[donotclick]ftp.casacalderoni.com/liquids/pythias.js
[donotclick]tuviking.com/trillionth/began.js
[donotclick]walegion.comcastbiz.net/wotan/reuses.js

These scripts then try to deliver the victim to a malicious payload at [donotclick]londonleatheronline.com/topic/able_disturb_planning.php, a hijacked GoDaddy domain hosted on 173.246.104.184 (Gandi, US), which is the same server as used in this attack, along with a number of other hijacked domains which are listed below.

Recommended blocklist:
173.246.104.184
jerseycitybags.com
jerseyluggage.com
kennethcolenyoutlet.com
kiddypals.com
kidswalla.com
kitchenwalla.com
london-leather.com
londonleatheronline.com

ftp.casacalderoni.com
tuviking.com
walegion.comcastbiz.net

Monday 29 April 2013

"Requested Reset of Yoyr PayPal Password" spam / frustrationpostcards.biz

This fake PayPal spam leads to malware on frustrationpostcards.biz:

 Date:      Mon, 29 Apr 2013 13:22:03 -0500
From:      "service@paypalmail.com" [chichisaq0@emlreq.paypalmail.com]
Subject:      Requested Reset of Yoyr PayPal Password
  
Your account will stay on hold untill password reset.
How to reset your PayPal password

Hello [redacted],

To get back into your PayPal account, you'll have to create a new password.

It's easy:

    Click the link below to open a secure browser window.
    Confirm that you're the owner of the account, and then follow the instructions.

  Reset your password now

If you didn't requested help with your password, let us know immediately. Reporting it is important because it helps us prevent fraudsters from stealing your information.

  
Help Center | Security Center

Please don't reply to this email. It'll just confuse the computer that sent it and you won't get a response.

Copyright © 2013 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95132.

PayPal Email ID 2A7X1
The link goes through a legitimate but hacked site to land on a malicious payload at [donotclick]frustrationpostcards.biz/news/institutions-trusted.php (report here) hosted on the following IPs:

82.236.38.147 (PROXAD Free SAS, France)
83.212.110.172 (Greek Research and Technology Network, Greece)
130.239.163.24 (Umea University, Sweden)


The WHOIS details identify this domain as belonging to the Amerika gang:

Registrant ID:                          INTEGOY3JBV8IIHG
Registrant Name:                        Shouli Cowper
Registrant Address1:                    40 W 17th St
Registrant City:                        New York
Registrant Postal Code:                 10011
Registrant Country:                     United States
Registrant Country Code:                US
Registrant Phone Number:                +1.4682697453
Registrant Email:                       shouli_cowper563@bikeracer.com

 
Blocklist:
82.236.38.147
83.212.110.172
130.239.163.24
app-smart-system.com
contonskovkiys.ru
curilkofskie.ru
egetraktovony.ru
exrexycheck.ru
fenvid.com
frustrationpostcards.biz
gangrenablin.ru
gatareykahera.ru
janefgort.net
klosotro9.net
miniscule.pl
mortalsrichers.info
mortolkr4.com
peertag.com
pricesgettos.info
priorityclub.pl
smartsecurity-app.com
zonebar.net
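The blocklists in this post and the two before it mix bare IPs, domains, defanged [donotclick] URLs (one with a port) and blank lines, and they are meant to be fed into something. The following is an added example, not part of the original posts: it refangs and classifies such a list, surfaces anything it cannot classify rather than dropping it, and emits BIND RPZ records (covering subdomains too) plus ipset/iptables commands. The sample list is constructed from entries quoted in these posts with a heading line, a repeat and a deliberately malformed address mixed in.

```python
import ipaddress
import re
from urllib.parse import urlparse

DEFANG = re.compile(r"^\[donotclick\]", re.IGNORECASE)
DOMAIN = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.IGNORECASE)

# Constructed input mixing the list styles used in these posts: a heading line,
# bare IPs and domains, blank lines, defanged URLs (one with a port), a repeat
# and a malformed address that must not end up in a rule.
SAMPLE = """\
Recommended blocklist:
173.246.104.184
jerseycitybags.com
londonleatheronline.com

[donotclick]londonleatheronline.com/topic/able_disturb_planning.php
[donotclick]lenindeads.ru:8080/forum/links/column.php
walegion.comcastbiz.net
173.246.104.184
999.1.1.1
"""


def refang(item):
    """Drop the [donotclick] prefix and reduce a URL (even scheme-less) to its host."""
    item = DEFANG.sub("", item.strip())
    try:
        ipaddress.ip_address(item)   # bare IP (v4 or v6): nothing more to do
        return item
    except ValueError:
        pass
    if "://" not in item and ("/" in item or ":" in item):
        item = "http://" + item
    if "://" in item:
        return urlparse(item).hostname or ""
    return item


def parse_blocklist(text):
    """Split a blocklist into (ips, domains, rejected_lines). Rejects are
    returned, not discarded, so a typo in the list is noticed."""
    ips, domains, rejected = set(), set(), []
    for line in text.splitlines():
        tok = refang(line)
        if not tok:
            continue
        try:
            ips.add(str(ipaddress.ip_address(tok)))
            continue
        except ValueError:
            pass
        if DOMAIN.match(tok):
            domains.add(tok.lower().rstrip("."))
        else:
            rejected.append(line)
    return ips, domains, rejected


def rpz_records(domains, action="CNAME ."):
    """BIND RPZ records returning NXDOMAIN for each domain and everything under it."""
    out = []
    for d in sorted(domains):
        out += [f"{d} {action}", f"*.{d} {action}"]
    return out


def ipset_commands(ips, setname="malware-drop"):
    """ipset/iptables commands dropping forwarded traffic to the listed hosts."""
    cmds = [f"ipset create {setname} hash:ip -exist"]
    cmds += [f"ipset add {setname} {ip} -exist"
             for ip in sorted(ips, key=ipaddress.ip_address)]
    cmds.append(f"iptables -I FORWARD -m set --match-set {setname} dst -j DROP")
    return cmds


if __name__ == "__main__":
    ips, domains, rejected = parse_blocklist(SAMPLE)
    print("\n".join(rpz_records(domains)))
    print("\n".join(ipset_commands(ips)))
    print("rejected:", rejected)
```

Blocking at the resolver as well as at the firewall matters for the campaigns in these posts: the payload domains are hijacked GoDaddy names that can be re-pointed to a fresh server, so the RPZ records keep working after the IP changes, while the ipset entry catches anything that contacts the server by address.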

Wednesday 17 April 2013

PayPal spam / dialupwily.org

This fake PayPal spam leads to malware on dialupwily.org:

From: service@paypal.com [mailto:criticizea@seneseassociates.com]
Sent: Wed 17/04/2013 18:49
Subject: Receipt for your PayPal payment to Konrad Rotuski

Feb 18, 2013 10:54:32 PDT
Transaction ID: 4F1UGYHLFMRAG1AVY

Hello,

You sent a payment of $149.49 USD to Konrad Rotuski (criticizea@seneseassociates.com)
Thanks for using PayPal. To see all the transaction details, log in to your PayPal account.

It may take a few moments for this transaction to appear in your account.

--------------------------------------------------------------------------------

Seller
Konrad Rotuski
criticizea@seneseassociates.com Note to seller
You haven't included a note.
Shipping address - unconfirmed
218 E CHURCH ST
FAYETTEVILLE, TX 09557-2446
United States
 Shipping details
USPS Priority Mail
Description Unit price Qty Amount
TAG Heuer Men's WAU6277.BA3900 Formula 1 White Dial Stainless Steel Watch
Item# 566741455709 $149.49 USD 1 $149.49 USD
 Shipping and handling $0.00 USD
Insurance - not offered ----
Total $149.49 USD
Payment $149.49 USD
Charge will appear on your credit card statement as PAYPAL Konrad Rotuski
Payment sent to criticizea@seneseassociates.com 


Issues with this transaction?
You have 45 days from the date of the transaction to open a dispute in the Resolution Center.

Questions? Go to the Help Center at: www.paypal.com/help.

Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click Help in the top right corner of any PayPal page.

To receive email notifications in plain text instead of HTML, log in to your PayPal account, go to your Profile, and click Notifications.


PayPal Email ID PP387

The link in the email goes through a hacked Wordpress site to a malicious landing page at [donotclick]dialupwily.org/closest/incomming_message.php (report here) hosted on 188.225.34.36 (Transit Telecom, Russia). More malware domains to come..

Thursday 6 December 2012

eBay, PayPal spam / ibertomoralles.com

These spam messages lead to malware on ibertomoralles.com:


Date:      Thu, 6 Dec 2012 13:12:16 -0600
From:      "PayPal" [service@paypal.com]
Subject:      Your Ebay.com transaction details.

    Dec 5, 2012 09:31:49 CST

Transaction ID: U5WZP603SNLLWR5DT
Hello [redacted],

You sent a payment of $363.48 USD to Normand Akers.

It may take a several minutes for this transaction to appear in your transactions history.

Seller

Normand-Akers@aol.com

    Instructions to seller

You haven't entered any instructions.
Shipping address - confirmed
Hyde Rd
Glendale SC 58037-0659
United States
    Shipping details
The seller hasn't provided any shipping details yet.
Description     Qty.     Amount
NordicTrack Mini Cycle

Item# 118770508253     24     $363.48 USD
Shipping and handling     $24.99 USD
Insurance - not offered     ----
Total     $363.48 USD
Payment     $363.48 USD

Payment sent to Normand Akers    

Receipt ID: D-69NQRGN113A3A9UQ3

Issues with this transaction?

You have 45 days from the date of the transaction to open a dispute in the Resolution Center.

Please do not reply to this message. auto informer system unable to accept incoming messages. For immediate answers to your issues, visit our Help Center by clicking "Help" located on any PayPal page.

PayPal Email ID PZ147

==========


Date:      Thu, 6 Dec 2012 19:57:37 +0100
From:      "PayPal" [noreply@paypal.com]
Subject:      Your Paypal.com transaction confirmation.

    Dec 5, 2012 09:50:54 CST

Transaction ID: 8P7D295HFIIIMUC4Q
Hello [redacted],


You done a payment of $894.48 USD to Carol Brewster.

It may take a few moments for this transfer to appear in your transactions history.

Merchant

Carol-Brewster@aol.com

    Instructions to seller

You haven't entered any instructions.
Shipping address - confirmed
Pharetra Street
Manlius NY 74251-6442
United States
    Shipping details
The seller hasn't provided any shipping details yet.
Description     Qty.     Amount
TaylorMade R11 Driver Golf Club

Item# 703099838857     54     $894.48 USD
Shipping and handling     $14.49 USD
Insurance - not offered     ----
Total     $894.48 USD
Payment     $894.48 USD

Payment sent to Carol Brewster    

Receipt ID: H-K01U2WSTLZZMRAB90

Issues with this transaction?
You have 45 days from the date of the purchase to issue a dispute in the Resolution Center.

Please DO NOT reply to this message. auto-notification system can't accept incoming mail. For fast answers to your subjects, visit our Help Center by clicking "Help" located on any PayPal page.

PayPal Email ID P8695

The malicious payload is at [donotclick]ibertomoralles.com/detects/slowly_apply.php hosted on 59.57.247.185 (Xiamen JinLongLvXingChe, China). The following malicious domains also appear to be hosted on the same server:

addon.su
ansncm.org
codemark.net
hfeitu.net
ibertomoralles.com
icobag.com
labpr.com
minevi.com
moid.pl
naky.net
namelesscorn.net
porkystory.net
proscitomash.com
robertokarlosskiy.su
roketlauncherskiy.org
romoviebabenki.ru
securityday.pl
seldomname.com
shopgreatvideonax.com
svictrorymedia.ru
tradenext.net
winterskyserf.ru
ygsecured.ru
zindt.net


Wednesday 3 October 2012

PayPal spam / lenindeads.ru

This fake PayPal spam leads to malware on lenindeads.ru:


Date:      Wed, 3 Oct 2012 09:41:01 -0500
From:      "service@paypal.com" [service@paypal.com]
To:      [redacted]
Subject:      Welcome to PayPal - Choose your way to pay

   
Welcome

Hello postinialerts,

Thanks for paying with PayPal.

We congratulate you with your first Paypal money transfer. But we have hold it for the moment because the amount is over the security borders of our rules.


Here is what we have on file for you. Take a second to confirm we have your correct information.
Email
[redacted]
Confirmation Code
2188-9944-1312-3905-5127
   
Transfer Information
Amount: 31549.96 $
Reciever: Merrill Prather
E-mail: Rogers40144@[redacted]
Accept Decline

   
Help Center | Security Center

Please don't reply to this email. It'll just confuse the computer that sent it and you won't get a response.

Copyright © 2012 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95131.

PayPal Email ID PP1529

==========



Date:      Wed, 3 Oct 2012 01:04:29 +0300
From:      "service@paypal.com" [service@paypal.com]
To:      [redacted]
Subject:      Welcome to PayPal - Choose your way to pay

   
Welcome

Hello [redacted],

Thanks for paying with PayPal.

We congratulate you with your first Paypal money transfer. But we have hold it for the moment because the amount is over the security borders of our rules.


Here is what we have on file for you. Take a second to confirm we have your correct information.
Email
[redacted]
Confirmation Code
5554-8629-5683-9807-4239
   
Transfer Information
Amount: 38567.21 $
Reciever: Anabel Cordero
E-mail: Travis68451@[redacted]
Accept Decline

   
Help Center | Security Center

Please don't reply to this email. It'll just confuse the computer that sent it and you won't get a response.

Copyright © 2012 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95131.

PayPal Email ID PP7370
The malicious payload is at [donotclick]lenindeads.ru:8080/forum/links/column.php hosted on:

202.3.245.13 (MANA, Tahiti)
203.80.16.81 (MYREN, Malaysia)
213.251.162.65 (OVH, France)

The following domains and IPs are all related:
202.3.245.13
203.80.16.81
213.251.162.65
limonadiksec.ru
rumyniaonline.ru
sonatanamore.ru
ioponeslal.ru
onlinebayunator.ru
uzoshkins.ru
moskowpulkavo.ru
omahabeachs.ru
sectantes-x.ru

Added:
pionierspokemon.ru
appleonliner.ru

Monday 6 August 2012

"Welcome to PayPal" spam / spb-koalitia.ru

This fake PayPal spam leads to malware on spb-koalitia.ru:

Subject: Welcome to PayPal - Choose your way to pay



Welcome
Hello [victim],
Thanks for paying with PayPal.
We congratulate you with your first Paypal money transfer. But we have hold it for the moment because the amount is over the security borders of our rules.

Here is what we have on file for you. Take a second to confirm we have your correct information.
Email
[reciptient]@victimdomain.com

Confirmation Code
1509-3962-8257-3886-7087
    Transfer Information
Amount: 18217.81 $
Reciever: Marcie William
E-mail: [another-recipient]@victimdomain.com


Accept Decline

 Help Center | Security Center
Please don't reply to this email. It'll just confuse the computer that sent it and you won't get a response.
Copyright 2012 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95131.
PayPal Email ID PP9335

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________




The malicious payload is on [donotclick]spb-koalitia.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on the following familiar-looking IPs:

67.227.183.77 (LiquidWeb / SourceDNS, US)
203.80.16.81 (Myren Infrastructure, Malaysia)
213.170.99.11 (Quantum Communications, Russia)


The following domains and IPs are all related:
41.66.137.155
41.168.5.140
62.76.188.138
62.76.190.208
67.227.183.77
78.83.233.242
87.120.41.155
87.204.199.100
173.224.208.60
199.71.212.78
203.80.16.81
203.172.140.202
213.170.99.11

moskow-carsharing.ru
mysqlfordummys.ru
leprisoruim.ru
onerussiaboard.ru
online-gaminatore.ru
spb-koalitia.ru
zenedin-zidane.ru

Tuesday 24 July 2012

PayPal Spam / teloexpressions.org

These fake PayPal spams lead to malware on teloexpressions.org:


Date:      Tue, 24 Jul 2012 18:06:49 +0330
From:      "Allan Marquez" <notify@paypal.com>
Subject:      Paypal has sent you a bank transfer.

<tr =="" valign="top">
<table =="" border="0" cellpadding="0" cellspacing="0" width="100%">

We are moving funds from Your Paypal account to your bank account.

Total amount transferred     $ 131.54
Bank account     BANK OF AMERICA
Transaction ID     59566237893344612

<div style="text-align: center;" class="footerLinks" 5px="" 0;="" padding:="">Help Center Resolution Center Security Center

Please don't reply to this email. It'll just confuse the computer that sent it and you won't get a response.

Copyright 2012 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95131.

==========


Date:      Tue, 24 Jul 2012 11:33:00 -0300
From:      "Jody Wade" <notify@paypal.com>
Subject:      Paypal transfer to your bank account initiated.

<tr =="" valign="top">
<table =="" border="0" cellpadding="0" cellspacing="0" width="100%">

We are transferring funds from Your Paypal account to your bank account.

Total amount transferred     $ 944.68
Bank account     BANK OF NORTH CAROLINA
Transaction ID     67081555155766933

<div style="text-align: center;" class="footerLinks" 5px="" 0;="" padding:="">Help Center Resolution Center Security Center

Please don't reply to this email. It'll just confuse the computer that sent it and you won't get a response.

Copyright 2012 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95131.

==========


Date:      Tue, 24 Jul 2012 11:10:58 -0300
From:      "Evan Battle" <notify@paypal.com>
Subject:      We have sent you a bank transfer.

<tr =="" valign="top">
<table =="" border="0" cellpadding="0" cellspacing="0" width="100%">

We are sending funds from Paypal to your bank account.

Total amount transferred     $ 123.59
Bank account     CITYBANK
Transaction ID     55273357044211327

<div style="text-align: center;" class="footerLinks" 5px="" 0;="" padding:="">Help Center Resolution Center Security Center

Please don't reply to this email. It'll just confuse the computer that sent it and you won't get a response.

Copyright 2012 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95131.

==========


Date:      Tue, 24 Jul 2012 19:15:46 +0530
From:      "service@paypal.com" <service@paypal.com>
Subject:      Paypal transfer to your bank account initiated.

<tr =="" valign="top">
<table =="" border="0" cellpadding="0" cellspacing="0" width="100%">

We are moving funds from Paypal to your bank account.

Total amount transferred     $ 425.21
Bank account     BANK OF NORTH CAROLINA
Transaction ID     17744199446279262

<div style="text-align: center;" class="footerLinks" 5px="" 0;="" padding:="">Help Center Resolution Center Security Center

Please don't reply to this email. It'll just confuse the computer that sent it and you won't get a response.

Copyright 2012 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95131.

==========


Date:      Tue, 24 Jul 2012 09:45:45 -0400
From:      "service@paypal.com" <service@paypal.com>
Subject:      Paypal has sent you a bank transfer.

<tr =="" valign="top">
<table =="" border="0" cellpadding="0" cellspacing="0" width="100%">

We are moving funds from Your Paypal account to your bank account.

Total amount transferred     $ 191.22
Bank account     CITYBANK
Transaction ID     64722827521858421

<div style="text-align: center;" class="footerLinks" 5px="" 0;="" padding:="">Help Center Resolution Center Security Center

Please don't reply to this email. It'll just confuse the computer that sent it and you won't get a response.

Copyright 2012 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95131.


The malicious payload is at [donotclick]teloexpressions.org/main.php?page=9aca5bbc34d3ebd6 (report here) hosted on 221.131.129.200 which we have seen before and is definitely worth blocking.

Tuesday 12 June 2012

PayPal / eBay spam and kidwingz.net

These fake PayPal / eBay emails lead to malware:

Date:      Tue, 12 Jun 2012 16:56:54 +0200
From:      "PayPal" [notify@paypal.com]
To:      xxxxxxxxxxxxx
Subject:      Your Ebay.com transaction details.


    Transaction ID: 24818126
Hello xxxxxxxxxxxxx,

You sent a payment of $847.48 USD to Quentin Cotton

Thanks for using PayPal. To see all the transaction details, Log In to your PayPal account.
   

It may take a few moments for this transaction to appear in your account.

Seller

Fernando.Edwards@yahoo.com     Note to seller
You haven't included a note.
Shipping address - confirmed
4787 Hyde Rd
NY 13104-9402
United States
    Shipping details
The seller hasn't provided any shipping details yet.

Description     Unit price     Qty     Amount
PHOTAX PLASTIC SLIDE CASE PLUS 175 x 35mm SLIDES
Item# 263420914
    $847.48 USD     23     $847.48 USD
   
Shipping and handling     $0.00 USD
Insurance - not offered     ----
Total     $847.48 USD
Payment     $847.48 USD


   

Issues with this transaction?
You have 45 days from the date of the transaction to open a dispute in the Resolution Center.

Questions? Go to the Help Center at: www.paypal.com/help.

Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click Help in the top right corner of any PayPal page.

You can receive plain text emails instead of HTML emails. To change your Notifications preferences, log in to your account, go to your Profile, and click My settings.


PayPal Email ID PP108

===================


Date:      Tue, 12 Jun 2012 16:52:26 +0200
From:      "PayPal" [notify@paypal.com]
To:      xxxxxxxxxxxxx
Subject:      Your Paypal.com transaction confirmation.


    Transaction ID: 59064148
Hello xxxxxxxxxxxxx,

You sent a payment of $977.48 USD to Elijah Bray

Thanks for using PayPal. To see all the transaction details, Log In to your PayPal account.
   

It may take a few moments for this transaction to appear in your account.

Seller

Abby.Ford@yahoo.com     Note to seller
You haven't included a note.
Shipping address - confirmed
4787 Hyde Rd
WY 48034
United States
    Shipping details
The seller hasn't provided any shipping details yet.

Description     Unit price     Qty     Amount
Vintage photo sexy college girls 1990's or 2000's
Item# 347197370
    $977.48 USD     23     $977.48 USD
   
Shipping and handling     $0.00 USD
Insurance - not offered     ----
Total     $977.48 USD
Payment     $977.48 USD


   

Issues with this transaction?
You have 45 days from the date of the transaction to open a dispute in the Resolution Center.

Questions? Go to the Help Center at: www.paypal.com/help.

Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click Help in the top right corner of any PayPal page.

You can receive plain text emails instead of HTML emails. To change your Notifications preferences, log in to your account, go to your Profile, and click My settings.


PayPal Email ID PP646
The malicious payload is at [donotclick]kidwingz.net/main.php?page=614411383eef8d9 (report here), hosted at 68.71.222.8 (Disney Online, Florida), the same IP address used in this similar attack, and is therefore definitely worth blocking.

Monday 11 June 2012

PayPal Spam / itscholarshipz.net

These two PayPal spams lead to malware on itscholarshipz.net :

Date:      Mon, 11 Jun 2012 16:06:45 +0200
From:      "PayPal" [notify@paypal.com]
Subject:      Your Paypal Ebay.com payment.


    Transaction ID: 35580191
Hello xxxxxxxxxxxxxxx,

You sent a payment of $777.48 USD to Xavier Parrish

Thanks for using PayPal. To see all the transaction details, Log In to your PayPal account.
   

It may take a few moments for this transaction to appear in your account.

Seller

Alexis.Brady@yahoo.com     Note to seller
You haven't included a note.
Shipping address - confirmed
419-4138 Pharetra Rd.
AL 43438
United States
    Shipping details
The seller hasn't provided any shipping details yet.

Description     Unit price     Qty     Amount
Vintage photo sexy college girls 1990's or 2000's
Item# 908906055
    $777.48 USD     23     $777.48 USD
   
Shipping and handling     $0.00 USD
Insurance - not offered     ----
Total     $777.48 USD
Payment     $777.48 USD


   

Issues with this transaction?
You have 45 days from the date of the transaction to open a dispute in the Resolution Center.

Questions? Go to the Help Center at: www.paypal.com/help.

Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click Help in the top right corner of any PayPal page.

You can receive plain text emails instead of HTML emails. To change your Notifications preferences, log in to your account, go to your Profile, and click My settings.


PayPal Email ID PP387

=====================


From: PayPal [mailto:notify@paypal.com]
Sent: 11 June 2012 15:09
Subject: Your Paypal.com transaction confirmation.




Transaction ID: 20148689

Hello xxxxxxxxxxxxxxx,
You sent a payment of $754.48 USD to  Quentin Cotton
Thanks for using PayPal. To see all the transaction details, Log In to your PayPal account.   
It may take a few moments for this transaction to appear in your account.
________________________________________

Seller

Myron.Newton@yahoo.com
Note to seller
You haven't included a note.
Shipping address - confirmed
Ap #834-5784 Venenatis Street
AL 43438
United States    Shipping details
The seller hasn't provided any shipping details yet.

Description    Unit price    Qty    Amount
TaylorMade R11 Driver Golf Club
Item# 003187238    $754.48 USD    23    $754.48 USD


Shipping and handling    $0.00 USD
Insurance - not offered    ----
Total    $754.48 USD
Payment    $754.48 USD
   



Issues with this transaction?
You have 45 days from the date of the transaction to open a dispute in the Resolution Center.

Questions? Go to the Help Center at: www.paypal.com/help.

Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click Help in the top right corner of any PayPal page.

You can receive plain text emails instead of HTML emails. To change your Notifications preferences, log in to your account, go to your Profile, and click My settings.


PayPal Email ID PP426

The malicious payload is at [donotclick]itscholarshipz.net/main.php?page=888c5b8a2e6174bc hosted on 68.71.222.8 (Disney Online, US) (report here). "Disney Online" appears to be some sort of ISP in Florida.

These other two domains are also hosted on that server and are probably worth avoiding:
defencesupernow.com
homeofficecaptioning.ru

Monday 4 June 2012

"Your Paypal Ebay.com payment" spam / adnroidsoft.net

This fake PayPal spam leads to malware at adnroidsoft.net.

Date:      Mon, 4 Jun 2012 10:43:57 -0400
From:      "PayPal" [notify@paypal.com]
Subject:      Your Paypal Ebay.com payment.


    Transaction ID: 73013749
Hello -----------,

You sent a payment of $950.48 USD to Quentin Cotton

Thanks for using PayPal. To see all the transaction details, Log In to your PayPal account.
  

It may take a few moments for this transaction to appear in your account.

Seller

Carroll.Dickinson@yahoo.com     Note to seller
You haven't included a note.
Shipping address - confirmed
4787 Hyde Rd
Manlius
United States
    Shipping details
The seller hasn't provided any shipping details yet.

Description     Unit price     Qty     Amount
1927 Supermarine S.5 & Gloster seaplane Schneider Trophy Race Photograph
Item# 059770363
    $950.48 USD     23     $950.48 USD
  
Shipping and handling     $0.00 USD
Insurance - not offered     ----
Total     $950.48 USD
Payment     $950.48 USD


  

Issues with this transaction?
You have 45 days from the date of the transaction to open a dispute in the Resolution Center.

Questions? Go to the Help Center at: www.paypal.com/help.

Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click Help in the top right corner of any PayPal page.

You can receive plain text emails instead of HTML emails. To change your Notifications preferences, log in to your account, go to your Profile, and click My settings.


PayPal Email ID PP303

The link in the email goes to a malicious payload at [donotclick]adnroidsoft.net/main.php?page=017f3bb5c2be6a41 (report here) hosted on 120.197.89.124 (China Mobile Communications Corporation). Unless you do business with China, you might want to consider blocking 120.192.0.0/11 to be on the safe side.

Other sites on the same IP which may also be malicious are:
bestcompdefence.net
lifelovework.net

Tuesday 1 May 2012

PayPal Spam / 72.46.140.14

This fake PayPal spam leads to malware on 72.46.140.14:

Date:      Tue, 1 May 2012 14:31:26 +0300
From:      "PayPal" [notify@paypal.com]
Subject:      RE:You just sent a payment to Enrique Peterson

   
You just sent a payment
    Transaction ID: 2SM69324P0770102B
Hello xxxxxxxxxxxxxx,
Thanks for using PayPal. It may take a few moments for this transaction to appear in your account.
Merchant
Enrique Peterson
wcEnrique22@hotmail.com
    Note to Thad Peterson
You haven't sent a note.
Shipping address - confirmed
Michael Pepe
P.O. Box 173
Cheektowaga, NY 14225
United States
Total     $140.00 USD
Payment     $60.00 USD
Payment sent to Enrique Peterson

   
Help Centre | Resolution Centre | Security Centre

This email was sent by an automated system, so if you reply, nobody will see it. To get in touch with us, log in to your account and click "Contact Us" at the bottom of any page.
Copyright © 2012 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95131.

PayPal Email ID PP1526

The malicious payload is on 72.46.140.14/showthread.php?t=9d77a9163cda8dbe (report here) and is hosted by Versaweb in the US, suballocated to "Silver Knight Enterprises Corp" of Las Vegas.

Update: here is another variant

Date:      Tue, 1 May 2012 19:54:34 +0700
From:      "PayPal" [notify@paypal.com]
Subject:      RE:You just sent a payment to Jame Peterson


   
You just sent a payment
    Transaction ID: 2SM69324P0770102B
Hello xxxxxxxxxxxxxxx,
Thanks for using PayPal. It may take a few moments for this transaction to appear in your account.
Merchant
Jame Peterson
wcJame22@hotmail.com
    Note to Thad Peterson
You haven't sent a note.
Shipping address - confirmed
Michael Pepe
P.O. Box 173
Cheektowaga, NY 14225
United States
Total     $100.00 USD
Payment     $60.00 USD
Payment sent to Jame Peterson

   
Help Centre | Resolution Centre | Security Centre

This email was sent by an automated system, so if you reply, nobody will see it. To get in touch with us, log in to your account and click "Contact Us" at the bottom of any page.
Copyright © 2012 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95131.

PayPal Email ID PP1526
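As an added example that is not part of the original posts, the following Python turns the payload notes above (teloexpressions.org, kidwingz.net, itscholarshipz.net, adnroidsoft.net and 72.46.140.14) into a small triage script: it undoes the [donotclick] defanging, flags the landing-page shape these URLs share (main.php?page= or showthread.php?t= followed by a long hexadecimal token) and checks the host's address against the IPs and the 120.192.0.0/11 range the posts recommend blocking. The hostname-to-IP table is a constructed stand-in for DNS, filled from the posts' own notes; the sample URL list is likewise constructed from the posts plus one benign PayPal link, and everything else is standard library.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Shape shared by the landing-page URLs quoted in the posts above: a PHP script
# taking one long hexadecimal token ("main.php?page=..." or "showthread.php?t=...").
LANDING_SCRIPTS = {"/main.php": "page", "/showthread.php": "t"}
HEX_TOKEN = re.compile(r"^[0-9a-f]{12,}$")

# Addresses the posts above recommend blocking. The /11 is the China Mobile range
# suggested for 120.197.89.124; single addresses become /32 networks.
BLOCKED = [ipaddress.ip_network(n) for n in (
    "221.131.129.200", "68.71.222.8", "72.46.140.14", "120.192.0.0/11",
)]

# Constructed stand-in for DNS: hostname -> IP exactly as stated in the posts above.
# A live tool would resolve the host (or query passive DNS) instead of this table.
RESOLVED = {
    "teloexpressions.org": "221.131.129.200",
    "kidwingz.net": "68.71.222.8",
    "itscholarshipz.net": "68.71.222.8",
    "adnroidsoft.net": "120.197.89.124",
}

# Constructed sample: the payload URLs from the posts above plus one benign PayPal link.
SAMPLE_URLS = [
    "[donotclick]teloexpressions.org/main.php?page=9aca5bbc34d3ebd6",
    "[donotclick]kidwingz.net/main.php?page=614411383eef8d9",
    "[donotclick]itscholarshipz.net/main.php?page=888c5b8a2e6174bc",
    "[donotclick]adnroidsoft.net/main.php?page=017f3bb5c2be6a41",
    "72.46.140.14/showthread.php?t=9d77a9163cda8dbe",
    "https://www.paypal.com/help",
]


def is_blocked(ip: str) -> bool:
    """True when ip lies inside any BLOCKED entry, single host or CIDR range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED)


def normalise(url: str) -> str:
    """Undo the blog's defanging and add a scheme so urlsplit sees a netloc."""
    url = url.strip().replace("[donotclick]", "")
    return url if "://" in url else "http://" + url


def looks_like_landing(path: str, query: str) -> bool:
    """Path is one of the known scripts and its parameter is a long hex token."""
    param = LANDING_SCRIPTS.get(path)
    if param is None:
        return False
    token = parse_qs(query).get(param, [""])[0]
    return bool(HEX_TOKEN.match(token))


def classify_url(url: str, resolve=RESOLVED.get) -> dict:
    """Verdict for one URL: host, the IP it maps to, and the two detection flags."""
    parts = urlsplit(normalise(url))
    host = parts.hostname or ""
    try:
        ip = str(ipaddress.ip_address(host))      # URL already carries a bare IP
    except ValueError:
        ip = resolve(host)                          # may be None for unknown hosts
    return {
        "url": url,
        "host": host,
        "ip": ip,
        "landing": looks_like_landing(parts.path, parts.query),
        "blocked": ip is not None and is_blocked(ip),
    }


def scan(urls) -> list:
    """Keep only URLs that match the landing shape or sit on a blocked address."""
    return [v for v in map(classify_url, urls) if v["landing"] or v["blocked"]]


if __name__ == "__main__":
    for verdict in scan(SAMPLE_URLS):
        print(verdict)
```

Run on its own it prints one verdict per flagged URL. The two checks are deliberately independent: a landing-shaped URL on an address you have not seen before is still worth a look, and a blocked address serving some other path is still blocked.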

Saturday 27 June 2009

flyrating.com scam

Flyrating.com is a re-run of the flyappraisals.com scam - a fake domain name evaluation service that is spamvertised through a bogus offer to buy a domain.


Although the servers are hosted in Malaysia, there is strong evidence linking these to a person of German origin living in Canada. More information here.

Monday 1 June 2009

flyappraisals.com scam

Part of an ongoing domain name scam, flyappraisals.com is a fake domain name appraisal used in conjunction with a bogus unsolicited offer to buy a domain, similar to the following:

We are interested to buy your domain name [redacted] and offer to buy it from you for 65% of the appraised market value.

As of now we accept appraisals from either one of the following leading appraisal companies:

sedo.com
flyappraisals.com
accuratedomains.com


If you already have an appraisal please forward it to us.

As soon as we have received your appraisal we will send you our payment (we use Paypal for amounts less than $2,000 and escrow.com for amounts above $2,000) as well as further instructions on how to complete the transfer of the domain name.

We appreciate your business,
Out of these three "appraisal" companies, flyappraisals.com is the cheapest. So, naturally a lot of people will part with some money for an appraisal. Of course, the offer to buy the domain name never comes through and the domain name owner is out of pocket.

It looks like this scam is being run out of Canada, and we have covered it many times before: here, here, here and here. If you live in Canada and have been ripped off, then reporting it to the RCMP may get some results. You should also raise a dispute with PayPal to get a refund.


This particular site has a jolly bit of flash on it, unlike the plain HTML of the old sites. It is hosted on 124.217.231.209 in Malaysia.

Tuesday 17 March 2009

pedma.com domain appraisals?

From time to time I get unsolicited offers to buy domains that I hold, so it isn't wholly unexpected to get the occasional email about them. Here's one that came in today:

Subject: Regarding your domain [REDACTED].COM
From: "James Johnson" j.johnson98@rocketmail.com

Hello,
I came across your domain name [REDACTED]COM and I would be interested in buying it from you.
Here is my offer, you have to send me a professional appraisal from one of the following companies. and I will pay you 85% of the appraised price.
For payments under $2000 I prefer to use paypal. And for larger amounts of money I prefer if we used escrow.com

I accept appraisals from any of these companies:

-sedo.com
-pedma.com
-accuratedomains.com

If you already have an appraisal from one of those companies please forward it to me, and we will do business.

Regards,
James Johnson
For reference, the relevant mail headers are:

Received: from eatfire.nexcess.net (208.69.122.200)
by [redacted] with SMTP; 17 Mar 2009 10:07:22 -0000
Received: (qmail 10697 invoked by uid 108); 17 Mar 2009 10:06:16 -0000
Received: from unknown (HELO LYNKSIS) (admin@1nb0x.com@174.133.179.205)
by eatfire.nexcess.net with ESMTPA; 17 Mar 2009 10:06:16 -0000
From: "James Johnson"
Subject: Regarding your domain [redacted]
To: [redacted]
Well, my spidey sense started to tingle. The domain in question is not great and I'm really holding it for a future project that I haven't gotten around to. So I have certainly never had it professionally appraised.
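The Received: chain above can be walked mechanically. The following Python is an added example, not code from the original post: it unfolds each Received: header, reverses them into transit order (each relay prepends its own line, so the last one in the message is the earliest hop) and pulls out the originating IP, the HELO string, the authenticated account and the submission protocol. The message is constructed from the headers quoted above with the continuation lines re-indented so the parser joins them; the body is a placeholder. The regex for the "(user@domain@ip)" form is written for the format this particular relay used and is an assumption for other mail servers.

```python
import email
import re

# Constructed from the headers quoted above. Continuation lines are re-folded with
# leading whitespace so the parser joins them; the body is a placeholder.
RAW_MESSAGE = """\
Received: from eatfire.nexcess.net (208.69.122.200)
  by [redacted] with SMTP; 17 Mar 2009 10:07:22 -0000
Received: (qmail 10697 invoked by uid 108); 17 Mar 2009 10:06:16 -0000
Received: from unknown (HELO LYNKSIS) (admin@1nb0x.com@174.133.179.205)
  by eatfire.nexcess.net with ESMTPA; 17 Mar 2009 10:06:16 -0000
From: "James Johnson" j.johnson98@rocketmail.com
Subject: Regarding your domain [redacted]
To: [redacted]

Hello,
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM = re.compile(r"^from\s+(\S+)")
HELO = re.compile(r"\(HELO\s+([^)]+)\)", re.IGNORECASE)
# "(user@domain@ip)" is how this relay records an authenticated submission;
# other servers use different layouts (assumption: only this form is handled).
AUTH = re.compile(r"\(([^()@\s]+@[^()@\s]+)@(\d{1,3}(?:\.\d{1,3}){3})\)")
BY = re.compile(r"\bby\s+(\S+)")
WITH = re.compile(r"\bwith\s+([A-Za-z0-9]+)")


def parse_received(value: str) -> dict:
    """Split one Received: header into the fields an origin trace needs."""
    text = " ".join(str(value).split())           # unfold and squeeze whitespace
    clause, _, date = text.rpartition(";")
    hop = {"from": None, "helo": None, "auth_user": None, "ip": None,
           "by": None, "with": None, "date": date.strip(), "raw": text}
    if not clause.startswith("from "):
        return hop        # local hand-off such as "(qmail ... invoked by uid N)"
    hop["from"] = FROM.match(clause).group(1)
    m = HELO.search(clause)
    hop["helo"] = m.group(1) if m else None
    m = AUTH.search(clause)
    if m:
        hop["auth_user"], hop["ip"] = m.group(1), m.group(2)
    else:
        m = IPV4.search(clause)
        hop["ip"] = m.group(1) if m else None
    m = BY.search(clause)
    hop["by"] = m.group(1) if m else None
    m = WITH.search(clause)
    hop["with"] = m.group(1) if m else None
    return hop


def trace(raw: str) -> list:
    """Hops in transit order, origin first. Each relay prepends its own Received:
    line, so the order in the message is reversed."""
    msg = email.message_from_string(raw)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def origin(raw: str) -> dict:
    """Earliest hop that records an IP: the host that handed the mail to the first
    relay. Lines the sender inserted itself (if any) would sit even earlier and
    can be forged, so trust only what your own or a known relay recorded."""
    return next(hop for hop in trace(raw) if hop["ip"])


def summarise(raw: str) -> dict:
    hops = trace(raw)
    first = origin(raw)
    return {
        "origin_ip": first["ip"],
        "helo": first["helo"],
        "auth_user": first["auth_user"],
        "submitted_to": first["by"],
        # RFC 3848: the trailing "A" (ESMTPA, ESMTPSA) marks an authenticated session.
        "authenticated": bool(first["with"]) and first["with"].upper().endswith("A"),
        "last_relay_ip": hops[-1]["ip"],
    }


if __name__ == "__main__":
    for hop in trace(RAW_MESSAGE):
        print(hop["ip"], hop["from"], hop["helo"], hop["auth_user"], hop["with"])
    print(summarise(RAW_MESSAGE))
```

On this sample the origin is 174.133.179.205, which HELOed as LYNKSIS and authenticated to eatfire.nexcess.net as admin@1nb0x.com (the A in ESMTPA marks an authenticated session), and the relay that passed the mail on, 208.69.122.200, is the same address pedma.com was hosted on at the time. The first hop in the chain is the one worth reporting; the From: address is free text and tells you nothing.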

So, let's say that I'm interested in selling this domain and want to get a professional appraisal. Sedo charges $29, Accurate Domains charges $27 and Pedma charges $22.95. What's more, Pedma promises to refund your appraisal fee or buy the domain itself if you don't sell it within 6 months.

Pedma looks like the best option. But who are they exactly?

Here's the thing - there is almost nothing about them in Google. It looks like they have been in the domain appraisal business for hardly any time at all. So isn't it odd that they are being recommended?

Let's look at the WHOIS details:

Registrant:
Billy McDOW
366 Kingswood Dr
Bedford, Nova Scotia B4B 1T8
Canada

Domain Name: PEDMA.COM
Created on: 01-Jul-08
Expires on: 01-Jul-09
Last Updated on: 12-Mar-09

Administrative Contact:
McDOW, Billy support@pedma.com
366 Kingswood Dr
Bedford, Nova Scotia B4B 1T8
Canada
9024950112 Fax --

Technical Contact:
McDOW, Billy support@pedma.com
366 Kingswood Dr
Bedford, Nova Scotia B4B 1T8
Canada
9024950112 Fax --

Domain servers in listed order:
NS1501.HOSTGATOR.COM
NS1502.HOSTGATOR.COM
It's hard to say if the details are genuine or not, but it certainly isn't an obvious fake. But a few days ago, pedma.com was registered to someone else:

Registrant:
Manuel Fichter
38 Matthew Drive
Hammonds Plains, NS B4B 1T8
Canada

Domain Name: PEDMA.COM
Created on: 01-Jul-08
Expires on: 01-Jul-09
Last Updated on: 05-Mar-09

Administrative Contact:
Fichter, Manuel admin@bizing.biz
38 Matthew Drive
Hammonds Plains, NS B4B 1T8
Canada
9024950112 Fax --

Technical Contact:
Fichter, Manuel admin@bizing.biz
38 Matthew Drive
Hammonds Plains, NS B4B 1T8
Canada
9024950112 Fax --

Domain servers in listed order:
DNS53-1.NEXCESS.NET
DNS53-2.NEXCESS.NET
About the same time, the IP address of pedma.com changed from 208.69.122.200 to 174.132.194.58. Now, the 208.x.x.x address was mentioned a few days ago on another blog for questionable domain practices, which suggests that this is not a coincidence.

The site itself seems to be free of malware, and poking around at pedma.com reveals a few other interesting things.

Click through to the Contact page:

The following contact details are listed:

20 Crawford Street
London
W1H 1PJ
United Kingdom

Email: support@pedma.com
It looks like this may be an accommodation address or perhaps a virtual office of some sort, probably located above a shop [sorry, IE required]. Definitely not Canada. (Update: it looks like a branch of Mail Boxes Etc thanks to Google's new UK streetview.)

Clicking through on the "Buy Now" link takes you to a PayPal page, also mentioning Canada:


The payee is "Unique Desktop", whoever they are. This is one of the weaknesses of PayPal: I don't really have any idea who I am dealing with here. I don't advise that you pay them anything; indeed, there is no part of the payment process that actually specifies which domain you want appraised or your contact details.

A further clue that something is wrong comes from their "Service" page which contains the following text:


How much is your domain really worth? An expert evaluation of a domain name's value is critical intelligence for domain buyers and sellers looking to determine a fair market price. An appraisal is your first step to making a great sale!

Every appraisal individually researched by domain industry pros, because no software is a substitute for real-world experience.

Your domain name could be worth thousands of dollars and may even be tax deductible!

Join many others who discovered what their domains were worth using our Domain Name Appraisal Service! Your domain will be appraised based on a number of separate factors including marketability, brand recognition, unique type in traffic, and comparison with other domain name sales. In addition to the following criteria:

* TLD Value
* Length
* Hyphen
* Web Frequency
* Search Frequency
* Industry Value

After you make your first purchase we will email you your Pedma Account log in information. Once you are logged in, you will find all your domain appraisals neatly organized (including appraisal reports, and appraisal banners). We make it easy to keep track of all your appraisals!
In fact, the majority of this text is stolen directly from Sedo and Moniker - it's a straight copy-and-paste job.

So: this "appraisal" site appears to have been active for just a few days, the site content is stolen from others, the contact details on the page do not match the WHOIS, the payment process does not allow you to specify the domain to appraise and your contact details, and the IPs have recently been connected to another dubious domain name pitch.

It looks on the surface as if this is an attempt to get people to sign up for this so-called appraisal service, and nothing more. Pedma.com is certainly not a recognised or trustworthy site, so it is likely that the offer to buy the domain is similarly dubious. Of course, if you work for Pedma.com, please feel free to correct any errors in the comments section below.

If you have spent any money on the appraisal, then I would advise you to start a PayPal dispute to recover the money as there is some evidence to suggest that the original offer is not genuine.

Additional information:
A bit more research indicates that the domain pedma.com was sold via eBay item #170253846100 in August 2008 to a member called unique*money; presumably this is Manuel Fichter.

Now, it might be that Mr Fichter sold the domain on, and perhaps it is a coincidence that the new owner lives in the same area and has used exactly the same telephone number. Note that the seller "bargaindomains" is a reputable eBay seller who simply sold the domain on in August.

About the London address: there is no company by the name of "Pedma" operating in the UK, according to Companies House.

The PayPal billing name of "Unique Desktop" is connected with the domain "fastbooster.com". The terse WHOIS details for that domain now mention only an email address of willyfichter@googlemail.com, but earlier last year it had a rather fuller record:

Owner Contact:
Willy Fichter
Immo-World24 Limited
Am Soeldnermoos 17
Hallbergmoos, 85399, DE

Punycode Name: fastbooster.com
Unicode Name: fastbooster.com

Admin Contact
Willy Fichter

willyfichter@googlemail.com
Am Soeldnermoos 17
Hallbergmoos, 85399, DE
phone: +49 89381684552

Technical Contact
Hostmaster Strato Rechenzentrum
Cronon AG Professional IT-Services
hostmaster@cronon-isp.net
Emmy-Noether-Str. 10
Karlsruhe, D-76131, DE
phone: +49 72166320305

Zone Contact
Hostmaster Strato Rechenzentrum
Cronon AG Professional IT-Services
hostmaster@cronon-isp.net
Emmy-Noether-Str. 10
Karlsruhe, D-76131, DE
phone: +49 72166320305

Record expires on: 2009-05-04 20:35:24

Domain servers in listed order:

shades02.rzone.de
docks18.rzone.de

It is hard to be 100% certain who is sending out these "offers". But at a guess, one of these Mr Fichters might have an idea.

Update:
pedma.com has been suspended by HostGator. Yeay.



Another update (18/3):
The owner of pedma.com is now desperately trying to punt the domain name on Sedo for $1000, which is a bit rich considering that he ripped off Sedo's text for the fake appraisal site!