Showing posts with label Scam. Show all posts

Thursday 12 January 2017

Scam: 01254522444, the fake BT engineer and 888DCA60-FC0A-11CF-8F0F-00C04FD7D062

In the past few weeks I have seen a huge upsurge in the number of Indian tech support scammers ringing, both at home and my place of work. (For example.. this).

One common trick they use revolves around this hexadecimal number 888DCA60-FC0A-11CF-8F0F-00C04FD7D062. Either it's a signal that hackers are at your PC, or it's your secret router ID that only BT would know.

The conversation goes something like this..

Victim: "But I don't get my internet from BT.."

Scammer: "BT provides all the internet connections for everyone else, including TalkTalk and Virgin Media."

Victim: "How do I know you're from BT?"

Scammer: "There is a confidential Router ID that only BT will know. You can verify this to prove that we are BT."

The scammer then talks the victim through pressing Windows-R then CMD (followed by OK) and then ASSOC (followed by RETURN). That simply produces a list of file associations (e.g. to say that .xlsx is an Excel spreadsheet). The line they want you to see is:

.ZFSendToTarget=CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}

This is just something to do with how Windows handles compressed files and folders. All Windows machines should have this entry, but it looks sufficiently scary to impress at least some victims.


However, if you want to waste their time please do so.. if you work in IT you can probably play a convincingly dumb user. It seems that they will try for up to 40 minutes or so before they give up. Alternatively, say that you have to get your laptop out from somewhere and it is very slow and just put them on hold. Every minute of their time you can waste will stop them targeting other potential victims.

And don't just ignore the call - report it. If you are in the UK you can report this sort of scam to Action Fraud - it will certainly help law enforcement if they have an idea of how many potential victims there are.

Friday 23 December 2016

02085258899 - tech support scam (using anydesk.com, teamviewer.com and supremofree.com)

If these people ring you DO NOT GIVE THEM ACCESS TO YOUR PC and either hang up - or waste their time like I do.

It seems there are some prolific technical support scammers ringing from 02085258899 pretending to be from BT. They had a very heavy Indian accent, and they have made many silent calls to my telephone number before today. They claim that hackers are accessing my router.

I wasted 37 minutes of their time, these are some of the steps to watch out for..

  1. They get you to open a command prompt and type ASSOC which brings up a big long list of file associations, in particular they seem interested in one that says .ZFSendToTarget=CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}
  2. Then they get you to bring up the Event Viewer by typing EVENTVWR and then clicking "Custom Views" and "Administrative Events". This is a log file that will always show a whole bunch of meaningless errors (such as network faults). It's quite normal for this to look quite bad to the untrained eye.
  3. Then in order they try to get you to connect to the following services to take remote control of your PC: www.anydesk.com, www.teamviewer.com and www.supremofree.com. All of these are legitimate services, but I have to confess I'd never heard of the last one.. so I will add it to my corporate blacklist.
  4. When those didn't work they tried directing me to a proxy at hide.me/proxy and www.hide.me/proxy (the same thing I know) which is probably another candidate for blocking.

Of course, once they have access to your PC they will try to convince you that you need to pay them some money for technical support. Be warned that they can render your PC unusable if you don't pay, and they can also steal confidential data. Despite how many times they may tell you they are from BT, they are not.. they are simply fraudsters.
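One way to turn the sequence above into a detection, added here as an illustration and not taken from the original post: flag any client that contacts two or more of the services named above within a 40-minute window. The log format, the sample lines, the window and the threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Services named in the post. A host matches on the domain itself or any subdomain.
WATCHED = ("anydesk.com", "teamviewer.com", "supremofree.com", "hide.me")

# Constructed sample proxy log, one request per line: "timestamp client-ip requested-host".
SAMPLE_LOG = """\
2016-12-23T10:02:11 10.0.0.15 www.bbc.co.uk
2016-12-23T10:05:40 10.0.0.15 www.anydesk.com
2016-12-23T10:09:02 10.0.0.15 download.teamviewer.com
2016-12-23T10:14:27 10.0.0.15 www.supremofree.com
2016-12-23T10:21:50 10.0.0.15 hide.me
2016-12-23T09:00:00 10.0.0.22 www.teamviewer.com
2016-12-23T16:30:00 10.0.0.22 www.teamviewer.com
2016-12-23T11:00:00 10.0.0.31 notanydesk.com
2016-12-23T11:01:00 10.0.0.31 hide.me.example.net
this line is malformed and is skipped
"""


def watched_service(host):
    """Return the watched domain that `host` belongs to, or None."""
    host = host.lower().rstrip(".")
    for domain in WATCHED:
        # Suffix match on a label boundary, so "notanydesk.com" does not match.
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def parse_log(text):
    """Yield (timestamp, client, host) tuples, skipping lines that do not parse."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield when, parts[1], parts[2]


def find_suspect_clients(text, window=timedelta(minutes=40), min_services=2):
    """Map client -> distinct watched services contacted inside one time window.

    A single remote-support tool used repeatedly is normal helpdesk traffic;
    several different ones tried in quick succession matches the call pattern.
    """
    hits = defaultdict(list)
    for when, client, host in parse_log(text):
        service = watched_service(host)
        if service:
            hits[client].append((when, service))

    alerts = {}
    for client, events in hits.items():
        events.sort()
        best, start = [], 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            seen = []
            for _, service in events[start:end + 1]:
                if service not in seen:
                    seen.append(service)
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_services:
            alerts[client] = best
    return alerts


if __name__ == "__main__":
    for client, services in find_suspect_clients(SAMPLE_LOG).items():
        print(f"{client}: {len(services)} services in one window: {', '.join(services)}")
```
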

Monday 1 August 2016

Scam: Fanrong Europe Fund / fanrongfund.info / fanrongeuropefund.info / fanrongeuropefund.com

This spam email advertising a "too good to be true" investment is a scam:

From:    Tim Hoffman [letter@612.com]
To:    contact [contact@victimdomain.tld]
Date:    30 July 2016 at 09:26
Subject:    Fanrong Europe Fund – 1 Half 2016 return +32.69%.

Dear Sirs,

Please be informed that the Fanrong Europe Fund reported strong 1 Half 2016 with return +32.69%.

Fanrong Europe Fund is a registered hedge fund that managed by a team of stock market experts that located in Zurich, Switzerland. The Fanrong Europe Fund Strategy is Long/Short Equity. The Fund was launched in April 2014. It is open-ended hedge fund. We are open for new investors.

We welcome you to contact us through our web-site to learn more about investing with us:

Kind regards,
Tim Hoffman
e-marketing manager
Fanrong Europe Fund

Reply to: marketing@fanrongfund.info

If you do not want to receive this newsletter send an email to: unsubscribe@fanrongfund.info

NOTICE: Your address was obtained from open sources where you were agreed to receive the marketing information from third parties.

I have received two of these emails, one coming from the IPs and which are both allocated to a mobile phone provider in Lithuania (UPDATE: also The website fanrongfund.info was created just a few days ago (28th July 2016) and is registered to the following (presumably fake) registrant:

Registrant ID: JLD4030131633
Registrant Name: James Dean
Registrant Organization:
Registrant Street: Vorstadt 20
Registrant City: Zug
Registrant State/Province:
Registrant Postal Code: 6300
Registrant Country: CH
Registrant Phone: +41.417120101
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: jd767@yahoo.com

The site is hosted (apparently) in the British Virgin Islands on an IP allocated to the Public Domain Registry (PDR). It uses nameservers from Russian company AYBHOST.COM.

The website is pretty generic looking and opens with these words of wisdom:

Our main trade approach is:
"Close the position if it runs to loss, and hold it if it runs to profit".

Hans Messner
fund manager "Fanrong Europe Fund"

What next. "Buy low, sell high"? Here are some screenshots in case you see another version of this on your travels:

The "About" page carries this text:
We are the EU-domiciled investment manager with successful experience in stock trade in EU. Our professional assets managers have personal approach to trade with bear and bulls market. We use self-made investment strategy that allows getting the constant positive result in short-term horizon. All investment process is in full accordance with IIS (International Investment Standards) of Fanrong Capital (Hong Kong) (fanrongcapital.com).
Presumably this is copied off an earlier scam site, in this case there is an official warning about that particular firm.

fanrongfund.info appears to have mirrors at:


Both of these are hosted on (Hetzner, Germany). The WHOIS details for those are inconsistent with each other.

Registrant ID: HSM1859139253
Registrant Name: Hans Messner
Registrant Organization: Fanrong Europe Fund
Registrant Street: Leutschenbachstrasse 95
Registrant City: Zurich
Registrant State/Province: Zurich
Registrant Postal Code: 8050
Registrant Country: CH
Registrant Phone: +41.445632589
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: info@fanrongeuropefund.info

Registry Registrant ID: Not Available From Registry
Registrant Name: Li Yong
Registrant Organization:
Registrant Street: Schwingerstrasse 9
Registrant City: Zurich
Registrant State/Province: Zurich
Registrant Postal Code: 8006
Registrant Country: CH
Registrant Phone: +41.442289632
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: info@fanrongeuropefund.com

For completeness, the domain fanrongcapital.com is hosted on  (the same block as fanrongfund.info) and this particular corporation seems to be using a free email address..

Registry Registrant ID: Not Available From Registry
Registrant Name: Wei Zhang
Registrant Organization: Fanrong Capital
Registrant Street: 20F, 1 Harbor View Street
Registrant City: Hong Kong
Registrant State/Province: Hong Kong
Registrant Postal Code: 111000
Registrant Country: HK
Registrant Phone: +852.58085536
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: fanrongcapital@yahoo.com

Nothing about this offer is legitimate. Avoid it, or if you have invested money in this fictitious firm then you should contact the police immediately.

Friday 2 January 2015

binarysmoney.com / clickmoneys.com / thinkedmoney.com "job" spam

I've been plagued with these for the past few days:

Date:    2 January 2015 at 11:02
Subject:    response

Good day!

We considered your resume to be very attractive and we thought the vacant position in our company could be interesting for you.

We cooperate with different countries and currently we have many clients in the world.
Part-time and full-time employment are both currently important.
We offer a flat wage from $1500 up to $5000 per month.

The job offers a good salary so, interested candidates please registration on the our site: www.binarysmoney.com

Attention! Accept applications only on this and next week.

Respectively submitted
Personnel department

Subject lines include:

New employment opportunities
Staff Wanted
Employment invitation
new job
New job offer
Interesting Job


Spamvertised sites seen so far are binarysmoney.com, clickmoneys.com and thinkedmoney.com, all multihomed on the following IPs: (Adnet Telecom / "Oancea Mihai Gabriel Intreprindere Individuala", Romania) (VTR Banda Ancha S.A., Chile) (Hosting Internet Hizmetleri Sanayi Ve Ticaret Anonim Sirketi, Turkey)

Another site hosted on these IPs is moneyproff.com. All the domains have apparently fake WHOIS details.

It looks like a money mule spam, but in fact it leads to some binary options trading crap.

There is no identifying information on the page at all. Trustworthy? Nope. But let's look at that relaxed looking chap at the top of the page, in a picture called matthew.png.

Well, that's just a Shutterstock stock photo that is pretty widely used on the web. In fact, everything about this whole thing is a cookie-cutter site with text and images copied from elsewhere.

Binary options are a haven for scammers, and my opinion is that this is such a scam given the spammy promotion and hidden identity of the operators. I would recommend that you avoid this and also block traffic to the following IPs and domains:

Saturday 20 September 2014

Scam: advocateforyouths.org is not the real Advocates for Youth (and other scam sites)

I've covered these scammers before - they rip off legitimate websites such as the genuine Advocates for Youth and use them to commit fraud. The domain advocateforyouths.org is currently being pushed by the bad guys; note that the legitimate domain is actually advocatesforyouth.org.

From:     advocates3@esecuredmails.eu
Date:     20 September 2014 00:52
Subject:     Re: Effects of Teenage Marriage
Signed by:     esecuredmails.eu


Advocates for Youth and co-organizers of the 21st international NGO's & CBO's conference on community Development and Development Planning have the pleasure to invite Youth Organizations, Socio Cultural Organizations, Community Based Organizations (CBO) Scholars, Researchers, Health Organizations, Professionals, Business Organizations (NGOs) Religion Organizations, Human Right Organizations & Women Groups to the International Conference on"Effects of Teenage Marriage and HIV/AIDS " taking place from Thursday 20th - Friday 21st November 2014 in U.S.A and Monday 24th - Friday 28th November 2014 in The NETHERLANDS respectively.

This is the most important event in the framework of the fight to Educate the Youth on HIV/AIDS, Child Abuse, human and community development which will take place in Washington DC, United States of America from Thursday 20th - Friday 21st November 2014 in U.S.A and Monday 24th - Friday 28th November 2014 in The NETHERLANDS respectively.

Advocates for Youth is registered 501(c) Non profit international organization whose aims & objectives are to empower individuals and communities worldwide through offering grants for business, education, economic enhancement, community development and environmental conservation, to support groups and organizations addressing social issues, youth ad women empowerment, and a variety of philanthropic projects through grants to non-profit organization; to provide education & information with view of limiting abuse and child molestation, to support and advocate on behalf of those infected and affected by the menace or abuse and neglect to promote the well-being of mankind by empowering the capacity of charitable organization to provide effective programs of quality.

This conference will bring together 1026 representatives of NGOs/CBOs and numerous numbers of interested individual participants from all over the world. The conference will be conducted on participatory bases with satellite plenary and simultaneous sessions followed by general and small group discussions.

FINANCIAL SUPPORT: The conference receives financial support from CitiBank New York and United Nations Youth Commission etc. This sponsorship covers the following:

1. Return Airplane travel tickets for selected delegates from their home countries to venues of the event in Washington DC ( United States of America ) and The Hague City (The Netherlands), then back to their home countries.

2. Hotel accommodations in Washington DC ( United States ) only for selected delegates and their friends.

3. Medical insurance cover for delegates throughout the entire conference duration.

Advocates for Youth will not assume the responsibilities of any other costs other than those listed above.

NOMINATION & SELECTION OF PARTICIPANTS: Intending participants are requested to nominate between Five (5) to Ten (15) active members to participate. Participants should be from 14 years and above (Male or Female).

REGISTRATION PROCESS: To register to take part in this Conference, please request for the International Delegates Registration form and other conference information. The request for registration form and other conference information should be addressed to the Secretary:

Linara J. Davidson
Secretary, Advocates for youth
2000 M Street, NW Suite 750,
Washington DC 20036,
United States of America,
Tel: +1 202.600.9543
Fax: + 1 650.747.4401
Email: ljdavidson@advocateforyouths.org
Website: www.advocateforyouths.org 

While we anticipate your earliest response, you are advised to contact the Secretary by email and we look forward to meeting up with you and your group in Washington DC and The Hague City to assert a new change for a stronger society.

Announcer !!!

Debra Hauser
President, Advocates for youth,
Washington DC
Email: debra.hauser@advocateforyouths.org

This email is a scam and is basically a way to defraud the potential victim of money by making them think that they are dealing with a real organisation. The website referred to is an almost pixel-perfect copy of the real thing.

The differences are very subtle. Crucially the contact details between the fake and real sites are different, but the scammers have gone to the effort of acquiring a phone number in the same area code.
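The moved "s" is hard to spot by eye but easy to catch in code. The following added example (not part of the original post) pulls domains out of a message and compares them with a list of protected domains; the two-label `registrable()` shortcut and the distance limits are assumptions, and the sample text reuses address lines from the email above.

```python
import re

PROTECTED = ["advocatesforyouth.org"]  # the genuine domain named in the post

# Address lines taken from the spam quoted above.
SAMPLE_TEXT = """\
From: advocates3@esecuredmails.eu
Tel: +1 202.600.9543
Email: ljdavidson@advocateforyouths.org
Website: www.advocateforyouths.org
Email: debra.hauser@advocateforyouths.org
"""

# Hostname-like tokens ending in an alphabetic TLD; "(?!@)" skips email local parts.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b(?!@)", re.IGNORECASE)


def registrable(domain):
    """Last two labels of a hostname. Assumption: ignores suffixes such as co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_lookalike(domain, protected):
    """Return details of the closest protected domain that `domain` imitates, or None."""
    candidate = registrable(domain)
    cand_label = candidate.split(".")[0]
    best = None
    for legit in protected:
        legit_reg = registrable(legit)
        if candidate == legit_reg:
            return None  # the real domain, or a subdomain of it
        legit_label = legit_reg.split(".")[0]
        dist = edit_distance(cand_label, legit_label)
        limit = 1 if len(legit_label) < 8 else 2  # be stricter on short names
        rearranged = sorted(cand_label) == sorted(legit_label)
        if dist <= limit or rearranged:
            hit = {"legit": legit_reg, "distance": dist, "letters_rearranged": rearranged}
            if best is None or dist < best["distance"]:
                best = hit
    return best


def scan_text(text, protected):
    """Map each lookalike domain found in `text` to the protected domain it imitates."""
    flagged = {}
    for match in DOMAIN_RE.finditer(text):
        hit = find_lookalike(match.group(0), protected)
        if hit:
            flagged[registrable(match.group(0))] = hit
    return flagged


if __name__ == "__main__":
    for domain, hit in scan_text(SAMPLE_TEXT, PROTECTED).items():
        print(f"{domain} imitates {hit['legit']} (edit distance {hit['distance']})")
```
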

Let's look at the WHOIS details for the fake domain:

Registrant ID:DI_37927050
Registrant Name:weba
Registrant Organization:greg
Registrant Street: rue marcel de france
Registrant City:la chapelle
Registrant State/Province:St luc
Registrant Postal Code:10600
Registrant Country:FR
Registrant Phone:+33.2356789990
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:nelsondove1@gmail.com

Not much to go on there, but the scammers are using their own email infrastructure to pump these out from using the domain esecuredmails.eu registered to:

Name: Nelson
Organisation: N/A
Language: English
bijsterhuizen 1160
2282 pm Rijswijk
Phone: +31.645433356
Email: unit1x1@yahoo.com

Both of these refer to "Nelson". The website advocateforyouths.org actually forwards to a framed page on www-parisline.in (hosted on in India) registered to:

Registrant Name:Patrik Pie
Registrant Organization:N/A
Registrant Street1:14 rue du Theatre
Registrant Street2:
Registrant Street3:
Registrant City:Porte de Versailles
Registrant State/Province:Paris
Registrant Postal Code:75015
Registrant Country:FR
Registrant Phone:+33.0617750470
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:nelsondove1@gmail.com

As before, this site also contains a number of other fake sites, some of which are likely to form part of the same scam. I covered the fake Al-zaida Emirates Group Holding Co and Hotel T Bello before. There may be other scam sites on the same server.
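The WHOIS pivot used above can be automated. This added example (not from the original post) parses WHOIS excerpts quoted on this page, in both of the layouts they appear in, and groups domains that share a registrant email or phone; the weaker "registrant name appears in another record's email" link is an assumed heuristic and will misfire on common names.

```python
import re
from itertools import combinations

# WHOIS excerpts copied from this page, trimmed to the fields used here.
RECORDS = {
    "advocateforyouths.org": """\
Registrant Name:weba
Registrant Organization:greg
Registrant Phone:+33.2356789990
Registrant Phone Ext:
Registrant Email:nelsondove1@gmail.com
""",
    "esecuredmails.eu": """\
Name: Nelson
Organisation: N/A
Phone: +31.645433356
Email: unit1x1@yahoo.com
""",
    "www-parisline.in": """\
Registrant Name:Patrik Pie
Registrant Organization:N/A
Registrant Phone:+33.0617750470
Registrant FAX Ext.:
Registrant Email:nelsondove1@gmail.com
""",
    "ibulkmailer.com": """\
Registrant Name: kumar, chandan
Registrant Phone: 7838808080
Registrant Email: admin@ibulkmailer.com
""",
}


def parse_whois(text):
    """Parse 'Key: value' lines into a dict with normalised keys; drop empty fields."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key = re.sub(r"^registrant\s+", "", key.strip().lower()).rstrip(".")
        key = key.replace("organisation", "organization")
        value = value.strip()
        if value and value.lower() != "n/a":
            fields[key] = value.lower() if key == "email" else value
    return fields


def link_records(records):
    """Return (domain_a, domain_b, strength, reason) for every pair with a shared trait."""
    parsed = {domain: parse_whois(text) for domain, text in records.items()}
    links = []
    for a, b in combinations(sorted(parsed), 2):
        ra, rb = parsed[a], parsed[b]
        for field in ("email", "phone"):
            if field in ra and ra[field] == rb.get(field):
                links.append((a, b, "strong", f"same {field}: {ra[field]}"))
        # Weak link (heuristic): a name token of 5+ letters inside the other email.
        for named, other, src in ((ra, rb, a), (rb, ra, b)):
            local_part = other.get("email", "").split("@")[0]
            for token in re.findall(r"[a-z]{5,}", named.get("name", "").lower()):
                if token in local_part:
                    links.append((a, b, "weak", f"name '{token}' ({src}) in other email"))
    return links


def cluster(records):
    """Group domains connected by any link, using a small union-find."""
    parent = {domain: domain for domain in records}

    def find(domain):
        while parent[domain] != domain:
            parent[domain] = parent[parent[domain]]
            domain = parent[domain]
        return domain

    for a, b, _strength, _reason in link_records(records):
        parent[find(a)] = find(b)
    groups = {}
    for domain in records:
        groups.setdefault(find(domain), []).append(domain)
    return sorted(sorted(group) for group in groups.values())


if __name__ == "__main__":
    for a, b, strength, reason in link_records(RECORDS):
        print(f"{strength:6} {a} <-> {b}: {reason}")
    print(cluster(RECORDS))
```
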

Advocates for Youth is a decent organisation, and apparently these scumbag scammers have no shame whatsoever in using their good name for their own financial gain. Given the relative sophistication of the scammer's set-up, it is likely that they will keep trying with this particular scam.
Take care.

Tuesday 15 July 2014

Scam? thejointventuregroup.com (The Joint Venture Group) and other domains

This slimy proposition plopped into my spamtrap:

From:     Lori Henderson [info@loriwiththejointventuregroup.com]
Date:     15 July 2014 02:11
Subject:     Attention Investors
Sailing list:     xkuqlvkqlvveull of 1541

Investment opportunities like the one I am about to share comes along once every twenty years. Companies that produce earnings of billions annually are not the norm. This proprietary product is that will do just that. We have already received letters of interest to purchase this unique product from:

Mercedes Benz

General Motors


Pep Boys

The U.S. Army, just to name a few.

If you are an accredited investor and would like to own a portion of with an estimated gross volume in the billions, then reply to this email and you will receive the details. Please be advised, this is a limited.


Haven Henderson


 To stop getting mails
The email originates from, an IP address in Arlington, Texas. The domain "loriwiththejointventuregroup.com" is registered with anonymous details. The same content is mirrored on several sites:


The site has been knocked together using a sitebuilding tool by a 12 year old (by the looks of it).

The site quotes a company name and address as follows:
The Joint Venture Group P.O. BOX 1063 CEDAR HILL TX 75106

..but I can find no verifiable proof about the existence of a firm of this name in Texas.

Perhaps a clue into the operation can be found on a page labelled "Consulting Position"

The Joint Venture Group is looking for self-motivated individuals who are experienced in marketing to project developers and business owners who need private funding.

    In addition to providing funding capital for project developers and business owners who cannot qualify for conventional bank financing, The Joint Venture Group also provides a safe investment opportunity to accredited investors. This private investment fund pays $2,500 in monthly commissions, for every client that is enrolled by the consultant into the fund. The commission percentage is based on a minimum investment of $1,000,000. Click here to learn more.

    If you are a motivated individual looking for a great opportunity to receive a consistent monthly income in the amount of $2,500  on every enrolled client, than fill out the application below and please name the consultant that referred you to this page. 

Let's have a look at that "handshake" picture more closely..

It says: "If you're not a part of the solution, there's good money to be made in prolonging the problem". Funny, yes. Something that a consulting firm would have on their site? Definitely not.

It could well be that Lori, Thom, Walter, Tiarra and Marva are real people who have fallen for this sham and the promise of easy riches.

So, is it a scam? My personal opinion is that it is. "The Joint Venture" group offer easy money - loans for just about any project, a rate of return for investors that is unrealistic, and of course it is promoted via spam by a company that hides all its real contact details. It certainly looks scammy according to the duck test.

Perhaps a clue can be found on the "Procedures page".

Please be advise, there is a 100% REFUNDABLE deposit of $20K which is a Success Fee. The deposit will be returned when funding is arranged. The deposit is also refundable if The Joint Venture Group fails to arrange funding by the end of 365 days. Proof of funds are required on all funding submissions. There will be no exceptions made.
So, this is saying: you give us twenty thousand bucks and we'll sort out your finance. Honest. You can trust us. We have a domain name and everything.

The Joint Venture Group is comprised of pf private investors who will provide funding for a variety of commercial developments and business projects to those who do not qualify for traditional bank financing.  We also offer a safe investment fund to accredited investor which pays 12% annually, 1% each month. The minimum entry amount is $1M. The investment also provides funding for our clients that require funding. Our minimum funding amount is $1M with no maximum. You can review the details and funding procedures by clicking here.
Say after me.. one meelion dollars!

The Joint Venture Group claim to be a multibillion dollar outfit, but their web design (and spelling) is awful.

Well, OK I have seen the website for Berkshire Hathaway which has nearly half a trillion dollars worth of assets but also has a website that looks like it was designed in 30 minutes in 1994. But at least Warren Buffett knows how to spell.

Nothing about The Joint Venture Group looks legitimate. I would give it a wide berth if I were you.

Monday 23 June 2014

"Domain Listing Expired" scam spam (ibulkmailer.com /

I've received this spam to the contact details for several domains I own in the past few weeks:

Date:      Sun, 22 Jun 2014 07:53:10 +0200 [06/22/14 01:53:10 EDT]
From:      Domain Notification [chandan@gmail.com]
Reply-To:      chandan@gmail.com
Subject:      re: Domain Listing Expired

Attention: Important Notice

ATT: [redacted].COM

Please ensure that your contact information is correct or make the necessary changes above


Domain Name: [redacted].COM
Search Engine Submission

Pay By

June 30,2014

Attn: [redacted].COM
As a courtesy to domain name holders, we are sending you this notification for your business Domain name search engine registration. This letter is to inform you that it's time to send in your registration and save.

Failure to complete your Domain name search engine registration by the expiration date may result in cancellation of this offer making it difficult for your customers to locate you on the web.

Privatization allows the consumer a choice when registering. Search engine subscription includes domain name search engine submission. You are under no obligation to pay the amounts stated below unless you accept this offer. Do not discard, this notice is not an invoice it is a courtesy reminder to register your domain name search engine listing so your customers can locate you on the web.

This Notice for: [redacted].COM will expire on June 15,2014 Act today!

Detail of Service:
Act by Date:
For Domain

Select Term
Your Existing Domain
Period Covered
1year     Valid for 1 Year CLICK TO RENEW     06/15/2014 - 06/15/2015     $75.00
2year     Valid for 2 Year CLICK TO RENEW     06/15/2014 - 06/15/2016     $119.00
3year     Valid for 3 Year CLICK TO RENEW     06/15/2014 - 06/15/2017     $199.00
4year     -Most Recommended- CLICK TO RENEW     04/04/2014 - 04/04/2024     $295.00
5year     Limited time offer - Best value! CLICK TO RENEW     Lifetime     $499.00

Payment by Credit Card
Select the term and complete the form above, (do not reply this mail with your credit card details on this mail , just click on pay above. once we receive your pay we will send you details and report after payment is successful, also make sure you provide us with your correct information at time of signup.

Unsubscribe me from this list

Powered by Interspire

It looks like a domain renewal notice.. but it isn't. It's a renewal notice for SEO services. "But wait," I hear you cry, "I haven't signed up for any SEO services!" to which my answer is "Exactly!"

This is where the spam moves from being annoying to being more of a scam. The use of the word "Renew" implies that you already have a relationship with these people but you do not. There is nothing to renew, but stating that this is something you already use is not only incorrect but in my personal opinion it is a fraudulent misrepresentation.

The link in the email goes to (OVH Canada, not surprisingly) and then onto a landing page at ibulkmailer.incom on (Websitewelcome, US).

The WHOIS details for ibulkmailer.com are as follows:

Registry Registrant ID:
Registrant Name: kumar, chandan
Registrant Organization:
Registrant Street: DDA FLAT NO 556 PKT B HASTSAL
Registrant City: New Delhi
Registrant State/Province: Delhi
Registrant Postal Code: 110059
Registrant Country: IN
Registrant Phone: 7838808080
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: admin@ibulkmailer.com

WHOIS details can easily be faked, but the "Chandan" name in the registration details tallies with the address chandan@gmail.com in the spam itself.

An examination of the sites co-hosted with ibulkmailer.com along with several other identifying factors identify this website as belonging to Chandan Kumar of CNS Web Technologies Pvt Ltd (U72300DL2009PTC191574) of India.

To save you from having to do the analysis yourself, a shortcut is to visit Chandan Kumar's LinkedIn page which links through to ibulkmailer.com in one of the "Company Website" links.

The contact details for Mr Kumar's company are below:

CNS Web Technologies Private Limited
New Delhi

If you get these spam messages (and the link still leads to ibulkmailer.com) then one effective way of dealing with it would be to forward the message to the webhost abuse department at abuse -at- websitewelcome.com.

Doing business with spammers is never a good idea, and doing business with spammers who misrepresent your relationship with them is likely to be a very bad idea indeed. Avoid.

The following domains are also associated with CNS Web Technologies and Chandan Kumar. Do with them what you will.


Saturday 7 June 2014

Institute of Project Management America (instituteofprojectmanagementamerica.org). Is this a scam?

Three years ago I was spammed by an organisation called the North American Program Planning and Policy Academy (NAPPPA) which was attempting to get me to sign up for some seminars. It looked like a scam at the time, and it still looks like a scam now.

It took me a year of sporadic research to come up with the names of the people running the scam. Anthony Christopher Jones (known sometimes as "Tony Jones") and Patchree Patchrint (known as "Patty Patchrint"). After exposing them and detailing some of the evidence against them, NAPPPA, Jones and Patchrint dropped out of view. I assumed that this was the cockroach effect.. switch the lights on, and those roaches scurry for cover.

It looks like I was wrong.

An unexpected comment on my blog post opened up a new line of investigation.
Lem said...

I wish I would have found this blog prior to teaching a course for the Institute of Project Management America (IPMA). www.instituteofprojectmanagementamerica.org
The student certificates were signed by none other than Anthony C. Jones. Needless to say, I have not been paid nor the facility that hosted the training. I plan to sue them. In addition, there is a Patty Jones serving as the administrator/front person for IPMA. Perhaps his spouse. If anyone has any additional information about them, please share.
6 June 2014 22:25 
Could this be the same Anthony C Jones and Patty Jones (or Patchree Patchrint) that ran NAPPPA?

A look at instituteofprojectmanagementamerica.org shows an unremarkable site, but one which is carefully devoid of any contact details. The WHOIS records for the domain are hidden, and the only contact data that can be found are the telephone numbers 888-859-5659 and 866-959-3543.

The logo on the website has been recycled from elsewhere and otherwise the template is bland, professional looking but completely anonymous.

A close look at the hosting history shows a number of related sites, which are either direct clones of instituteofprojectmanagementamerica.org or previous versions. A full list is at the end of the post in Appendix 1, but the principal domain names in use are:
The ones in the format projectmanagementusa3.org go all the way up to projectmanagementusa212.org. Who needs 212 copies of the same website? Well, spammers use these techniques to evade blacklisting.
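Numbered clones like these defeat a blocklist that holds exact domain names, so it helps to collapse each family into one pattern. The following is an added example, not part of the original post; the sample list is constructed from the naming pattern described above (only the 3 and 212 endpoints are stated in the post) and the three-member threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of observed domains; example1.org is a lone numbered domain.
SAMPLE_DOMAINS = [
    "projectmanagementusa3.org",
    "projectmanagementusa17.org",
    "projectmanagementusa212.org",
    "projectmanagementusa.org",
    "americanprojectmanagementusa.org",
    "example1.org",
]


def numbered_families(domains, min_members=3):
    """Find families of 'stem<number>.tld' domains and build one regex per family."""
    families = defaultdict(set)
    for domain in domains:
        m = re.fullmatch(r"([a-z-]*[a-z])(\d+)\.([a-z.]+)", domain.lower().strip("."))
        if m:
            stem, number, tld = m.groups()
            families[(stem, tld)].add(int(number))

    rules = {}
    for (stem, tld), numbers in families.items():
        # A single numbered domain is not a pattern; require several members.
        if len(numbers) >= min_members:
            rules[f"{stem}N.{tld}"] = {
                # Also matches subdomains such as www.<stem><n>.<tld>.
                "regex": rf"^(?:.+\.)?{re.escape(stem)}\d+\.{re.escape(tld)}$",
                "seen": sorted(numbers),
            }
    return rules


def is_blocked(domain, rules):
    """True if `domain` falls inside any numbered family, including unseen numbers."""
    return any(re.match(rule["regex"], domain.lower()) for rule in rules.values())


if __name__ == "__main__":
    rules = numbered_families(SAMPLE_DOMAINS)
    for name, rule in rules.items():
        print(name, rule["seen"], rule["regex"])
    print(is_blocked("projectmanagementusa99.org", rules))
```

The un-numbered domains still need their own exact entries, since the pattern only covers names that end in digits.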

The domains americanprojectmanagementusa.org and projectmanagementusa.org are rather interesting as they are an older generation of the "Institute of Project Management America" spam site entitled "American Project Management" (you can see them at the Internet Archive).

A quick search against the phone numbers listed on that site (213-293-7410, 877-359-1110 and 888-739-0821) leads us to a BBB report with an alert to say the business has ceased trading.

The BBB indicates that this is a Colorado business, but a search of State records shows that there is no such business of that name registered in that state.

But a further Google search of the phone numbers also brings up this document at Scribd outlining the so-called American Project Management outfit and its activities [pdf copy here]. And who uploaded the document? A user called ppatchrint. That is undoubtedly Patchree Patchrint.

This document gives a California address rather than a Colorado one:
American Project Management
645 W. 9th Street
Unit 110-603
Los Angeles, CA 90015

So this gives us a clue to search the state records in California. An LLC search for "Institute of Project Management America" comes up blank, but a search for "American Project Management" comes up with a hit for "DDGLA AMERICAN PROJECT MANAGEMENT, LLC"

Now, I know that "DDGLA American Project Management LLC" is not quite the same thing as "America Project Management", but the "645 WEST 9TH ST STE 110-603" address is the same as "645 W. 9th Street, Unit 110-603" as seen in the Scribd document. So there's a high likelihood that this is a match.. but there's no real contact information for this company.

But what does DDGLA actually stand for? I've been down this particular path with the NAPPPA investigation, so I know that DDGLA actually stands for "DOSS Development Group Los Angeles". A search for DOSS DEVELOPMENT GROUP at the California secretary of state reveals a name behind that company. And you've probably already guessed that it is Patchree Patchrint aka Patty Jones.

So, between the blog comments, the Scribd document and data held by the California Secretary of State, there are now three points of evidence linking the "Institute of Project Management America" and "American Project Management" with Patchree Patchrint aka Patty Jones and Anthony Christopher Jones.

So, is it a scam?

I haven't personally seen any spam promoting this so-called institute, but that was the basic approach with NAPPPA. Millions of credible-looking spam emails were sent out to universities and other organisations, that were published in good faith (such as this one).

Project Management Masters Certification Program

June 10-13, 2014
Association of Research and Enlightenment of New York
The PMMC is designed for those seeking professional project management certification.
PMMC program provides 36 hours of project management education, meeting education requirements for both PMI's Certified Associate in Project Management (CAPM) ® and Project Management Professional (PMP) certifications. The program meets the education requirement for all professional designations through the Project Management Institute and other professional agencies. Additionally, the program awards 3.6 Continuing Education Units (CEUs) upon request. Tuition for the four-day Project Management Masters Certification program is $995.00

Participants may reserve a seat online at the website, or by calling the Program Office toll-free at (888) 859-5659

Go to: http://www.instituteofprojectmanagementamerica.org/
What happened with NAPPPA is that these courses appeared to be booked at universities throughout the US, presumably to give them an air of authenticity. But at the last moment the venue for the course got moved to somewhere off-campus, people drafted in to teach the course never got paid and many students complained that the courses were of low quality. I don't doubt that the same is happening here.

In fact, this scam has been going on for a long time. Before the Institute of Project Management America, American Project Management and North American Program Planning and Policy Academy there were other similar scammy outfits.

The "Institute for Communication Improvement, LLC" (aka "The Grant Institute") seems to be the best known. For example:
The evidence seems to show that in one form or another the business has been running since 2005 or 2006, only now it is charging victims nearly a thousand dollars a pop for a course of questionable value.

Given the history of this pair, it is my personal opinion that the Institute of Project Management America is a scam. Indeed, DDGLA American Project Management LLC have already been successfully sued in California over their unethical operations.

Who are Anthony Christopher Jones and Patchree Patchrint (Patty Jones)?

I covered this pair before, a California-based husband-and-wife team with links to Hacienda Heights and Los Angeles. In addition to the programs listed above, they have run a number of (mostly failed) LA-based restaurants such as Mother Road, Mode, and the Royale on Wilshire.

DDGLA is also associated with the following (apparently defunct) websites:
  • ddglacommercial.com
  • pettycashadvance.com
  • bankddgla.com
  • ddglafinancial.com

What should you do if you are unhappy with the Institute of Project Management America?

I don't live in the US so I'm not 100% familiar with the processes that you can use. But if you think you have been ripped off then complaining to the BBB, your local Attorney General, law enforcement or the courts seems to be a way to go. I don't have a current address for this pair. However, if you manage to turn one up then I can share it if you send me an email.

Appendix 1:
These are a selection of the domains and IPs used. There are hundreds of other ones, especially in the format projectmanagementusa111.org .


Thursday 22 May 2014

#BringBackOurGirls scam

This scam email attempts to steal money from unsuspecting but altruistic people by hijacking the legitimate #BringBackOurGirls campaign.

From:     Joy Marcus [joymcus55@gmail.com]
Date:     22 May 2014 00:24
Subject:     #BringBackOurGirls
Signed by:     gmail.com

My beloved brother and sister. I hope my message get to you in peace.
My name is Mary Sambo from Borno state in Nigeria. I am crying while
putting this message together in the church hostel. I lost my husband to
the terrorist attack that is happening in Borno state, my daughters was
kidnap along with the 270 girls been kidnap in school chibok village in
Nigeria, by the terrorist.

Which the entire world is now searching for them. I am 7 month pregnant
and i am staying at the church hostel, we are 30 in a single room, i
don't have access to good medical care and i am afraid my living
condition might affect my unborn child.

I am asking for help from you in other for me to get a place for myself
and also register myself to health center where i will get proper
medical care. Please help me with anything you, May Almighty God reward
Hope to hear from you.

Mary Sambo.
Please reply here: marysamb91@yahoo.com
Apparently this church hostel that she is staying in has internet access good enough to send out spam. And although the scammer is soliciting replies to marysamb91@yahoo.com it is sent from joymcus55@gmail.com which has its own Google+ profile.. which contains a picture.

Now, I don't know about you.. but I don't think that this looks like a Nigerian woman who has to live in a church hostel. That's because it is a photograph of actress and model Yvette Fintland who would no doubt be very displeased to see her photo being abused in this way (and has nothing whatsoever to do with this scam or spam).

There are no words that can adequately describe the horror of the kidnapping of 200 innocent children. And there are no words that adequately describe the disgust at people who are prepared to exploit this awful event for their own personal gain.

Saturday 1 February 2014

African Human Right and Refugees Protection Council (AHRRPC) scam

This spam email is actually part of an advance fee fraud setup:

From:     fernando derossi fernandderossi59@gmail.com
To:     fernandderossi59@gmail.com
Date:     1 February 2014 13:22
Signed by:     gmail.com

Dear Sir:

My company has been mandated to look for a company capable of
supplying food stuffs product listed bellow by the  AFRICAN HUMAN
refugee within the war affected countries IN middle east and Africa
going through your company's profile, have decided to know if your
company is interested.

            Below are the list of food Stuffs and the targeted value
needed by (AHRRPC)

1.  Rice
2.  Beans
3.  Milk powder
4.  Sugar
5.  Vegetable Oil
6.  Used Cloths
7.  Wheat Flour
8.  White corn meal
9.  Corn Cooking oil
10. Cumin seed oil
11. Ground nut
12. Sage Oil
13. Soya bean oil
14. Palm oil
15.  Fresh Vegetables
16.  Fresh fruits
17.  Cocoa powder.

We will be happy to work with you company only as representing agent
to secure an allocation for your company while in return your company
will give us comission as soon as your receive your contract value. We
will give you more details about the contract when we recieve your


Mr.Fernando Derossi
Bamako-Mali in West Africa.
The email links to a website at www.ahrrpc.8k.com, which purports to be from the African Human Right and Refugees Protection Council (AHRRPC). The site set off all sorts of alarms on my virus scanner, but I think it is just an ad-laden free web hosting site.

Of course, there is no such organisation as this and probably the main thrust of the scam is that there will be an "arrangement fee" payable in order to sell these goods.. and once the fee is paid the scammers will disappear.

One thing that I noticed is that "Mr Fernando Derossi" has a Google+ profile.. so is it a case that the Google account has been hijacked? Well, a simple way to find out is to take the image and upload it to Google Images (by clicking the little camera icon). That gives several positive matches for the photo, which has been stolen from a French model and actor called Jean-Georges Brunet. In fact, poor Monsieur Brunet has had his picture stolen before for other types of scam.

Give any approaches from the so-called African Human Right and Refugees Protection Council (AHRRPC) a very wide berth. And remember, if you want to verify who a photo actually belongs to then Google Images is an excellent resource.

Monday 16 December 2013

Video: Chinese domain scams

yiyu-ipr.org domain scam

Yet another Chinese domain scam, this time trying to punt the "Tiger Direct" trademark (which I don't own!).

From:     lisa [lisa@yiyu-ipr.org]
Date:     16 December 2013 04:04
Subject:     International Trademark " tigerdirect"

(Please forward this to your CEO or President, because this is urgent. Thank you.)

Dear President & CEO,

We are an IPR registration service law office in China. On Dec.13, 2013, we received an application from "TD Investment Co., Ltd." wants to register the following Trademark and Domains:



Based on the registration procedure, we found that the name is the same as your company's name,and we must check these for you. If your company and this "TD Investment Co., Ltd." are the same company,there is no need to reply to us,We will accept their application and will register those for them soon. If your company has no relationships with that company nor authorized,please reply to us asap at latest within 7 workdays. But if we can't get any information from your side over 7 workdays,we will unconditionally approve the application submitted by "TD Investment Co., Ltd." Thanks for your cooperation.

Kind Regards,

Lisa Zeng

Lisa Zeng / Attorney
YIYU Chengdu Office(Head Office)
3/F,1st Building Citang Street No.8,
Qingyang District, ChengDu, China.
Tel: +86 28 8777 5008
Fax: +86 28 6246 5008
Web: http://www.yiyu-ipr.org
This e-mail contains information (including any attachments) intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient or the authorized employee or agent responsible for delivering it to the intended recipient, any dissemination, publication or copying of this e-mail is strictly prohibited and may be illegal. If you have received this communication in error, please notify the sender. Thank you for your cooperation.
Please consider the environment before you print this e-mail.
This scam has been running for a long time. In reality registrars are in no way responsible for checking trademarks before registration, and my experience is that even after these dire warnings nobody actually registers the domains in any case.

I don't know if the WHOIS details for this domain are genuine, but they are:
Registrant ID:f0dda025f296d026
Registrant Name:David Tang
Registrant Organization:YIYU LAW OFFICE
Registrant Street1:chengdushi
Registrant Street2:
Registrant Street3:
Registrant City:chengdushi
Registrant State/Province:sichuan
Registrant Postal Code:100000
Registrant Country:CN
Registrant Phone:+86.2887775008
Registrant Phone Ext.:
Registrant FAX:+86.2862465008
Registrant FAX Ext.:
Registrant Email:296304138@qq.com

These other domains are all associated with the same outfit and you can probably assume that any similar pitch from them is a scam.


Tuesday 10 December 2013

"EUROPOL" scareware / something evil on ("PE Ivanov Vitaliy Sergeevich", Ukraine) is currently serving up scareware claiming that the victim's PC is locked, using the following domains:


The scareware is multilingual and detects the country that the visitor is calling from. In this case I visited from the UK and got the following:


All activities of this computer have been recorded. All your files are encrypted.


All your files are encrypted to prevent their distribution and use.
Due to violations of the law, your browser has been blocked
because of at least one of the reasons below.

1. You have been subjected to violation of Copyright and Related Rights Law and illegally using or distributing copyrighted contents such as Video, Music or\and Software (files were found in your browser's temporary files and your documents), thus conflicting with Article 1, Section 8, Clause 8 of the Criminal Code of the United Kingdom.
Article 1, Section 8, Cause 8 of the Criminal Code states a fine or two hundred minimal wages or a deprivation of liberty of two to eight years.
2. You have been viewing or distributing prohibited Pornographic contents: Child Porno photos and such, were found in browser's temporary files and your documents.
Thus, you are violating article 202 of the Criminal Code of the United Kingdom. Article 202 of the Criminal Code states a deprivation of liberty of four to twelve years.
3. Illegal access has been initiated from your PC without your knowledge or consent, your PC may be infected with malware, thus you are violating the law of Neglectful Use of your Personal Computer. Article 210 of the Criminal Code declares a fine of up to £50,000 and/or deprivation of liberty of four to nine years.
Pursuant to the amendment of the Criminal Code of the United Kingdom of May 28, 2011, this law infringement (if it is a first time offence) may be considered as conditional in case you pay the fine.

To unlock your computer and avoid other legal consequences, you are obliged to pay a release fee of £200, payable through Ukash (you must purchase the Ukash card and enter the code). You can buy the card at any store or gas station, payzone or paypoint.

Find the nearest epay or payzone location.
Go to any location with a PayPoint or Payzone terminal.
Ask for Ukash: £200.00 (one voucher code).

Please note: Fine can only be paid within 12 hours. As soon as 12 hours expire, the possibility to pay the fine is lost forever. All your PC data will be detained and criminal's procedure will be initiated against you if the fine will not be paid!

The text varies depending on the country the visitor is in, for example URLquery displays the text in Norwegian.

The bad guys use subdomains to obfuscate the domain somewhat, so instead of just getting f1207.com (for example), you get europol.europe.eu.id176630100-8047697129.f1207.com instead, which looks a little more official. You can see some more examples here.
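The check that defeats this trick is to reduce the hostname to its registrable domain before reading any of the labels to its left. The following is an added example, not code from the original post: the suffix set is a tiny constructed stand-in for the Public Suffix List, and the bait-word and trusted-domain sets are illustrative assumptions.

```python
# Constructed, deliberately tiny stand-in for the Public Suffix List (assumption);
# real tooling should load the full list.
PUBLIC_SUFFIXES = {"com", "org", "net", "eu", "uk", "co.uk", "org.uk"}

# Hypothetical watch list of official-sounding labels used as bait in subdomains.
BAIT_LABELS = {"europol", "europe", "interpol", "police"}

# Registrable domains that legitimately carry those names (assumption; extend as needed).
TRUSTED_REGISTRABLE = {"europa.eu"}


def split_labels(hostname):
    """Lower-case the hostname, drop a trailing dot and split it into labels."""
    return hostname.lower().rstrip(".").split(".")


def registrable_domain(hostname):
    """Return the public suffix plus one label to its left, or None if unknown."""
    labels = split_labels(hostname)
    # Walk from the longest candidate suffix to the shortest so "co.uk" beats "uk".
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return None  # the hostname is itself a bare public suffix
            return ".".join(labels[i - 1:])
    return None  # TLD not in our suffix set


def analyse(hostname):
    """Report who really controls a hostname and whether its subdomains are bait."""
    reg = registrable_domain(hostname)
    if reg is None:
        return {"registrable": None, "bait": [], "embedded_suffixes": [],
                "suspicious": False}
    labels = split_labels(hostname)
    sub_labels = labels[: len(labels) - len(reg.split("."))]
    bait = [l for l in sub_labels if l in BAIT_LABELS]
    # A suffix such as "eu" sitting in the middle of the name is supporting
    # evidence only: legitimate sites also use labels like "uk." for regions.
    embedded = [l for l in sub_labels if l in PUBLIC_SUFFIXES]
    suspicious = bool(bait) and reg not in TRUSTED_REGISTRABLE
    return {"registrable": reg, "bait": bait, "embedded_suffixes": embedded,
            "suspicious": suspicious}


if __name__ == "__main__":
    for host in ("europol.europe.eu.id176630100-8047697129.f1207.com",
                 "www.europol.europa.eu"):
        print(host, "->", analyse(host))
```

The hostname from the post reduces to f1207.com and is flagged, while a host under europa.eu with the same "europol" label is not, because there the name sits under a trusted registrable domain.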

All the domains in use are registered through scam-friendly registrar BIZCN to:

Registrant Name: Zhong Si
Registrant Organization: Xicheng Co.
Registrant Street: Huixindongjie 15  2
Registrant City: Beijing
Registrant State/Province: Chaoyang
Registrant Postal Code: 101402
Registrant Country: cn
Registrant Phone: 01066569215
Registrant Phone Ext:
Registrant Fax: 01066549216
Registrant Fax Ext:
Registrant Email: zhongguancun@yahoo.com

Now, I would normally suggest that the WHOIS details were fake but a Google search for the email address shows that it has been active for over two years including this injection attack I documented in September 2011. It is possible therefore that Zhong Si and Xicheng Co are actually responsible. is registered to "PE Ivanov Vitaliy Sergeevich" (i.e. Vitaliy Ivanov or Виталий Сергеевич Иванов) as follows:

organisation:   ORG-IV2-RIPE
org-name:       PE Ivanov Vitaliy Sergeevich
org-type:       OTHER
address:        42-A Tobolskaya street, office 230, Kharkov, Ukraine
mnt-ref:        MNT-IV25
mnt-by:         MNT-IV25
source:         RIPE # Filtered

forms part of AS48031, which has a so-so reputation according to Google; it does look like there are a lot of legitimate sites in the neighbourhood as well as these malicious ones.

Recommended blocklist:

Update: a similar attack has also taken place on on the same netblock.

Monday 18 November 2013

0844 number scam (08445715179)

This is a particularly insidious scam that relies on mobile phone users in the UK not knowing that an 0844 number is much, much more expensive than a normal phone call. The scam SMS goes something like this:

ATTENTION! We have tried to contact you, It is important we speak to you today. Please call 08445715179 quoting your reference 121190. Thank You.

In this case the sender's number was +447453215347 (owned by Virgin Media Wholesale Ltd, but operated by a third party). The catch is that the calls to an 0844 number can cost up to 40p per minute (see more details here), a large chunk of which goes into the operator's pockets. So what happens when you ring back? You get put on hold.. and left on hold until you have racked up a significant bill.

Sadly, I don't know who is behind this scam, and in this case it was illegally sent to a TPS-registered number.
If you get one of these, you should forward the spam and the sender's number to your carrier. In the case of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints. You should also send a complaint to the ICO who may be able to take more serious action against these spammers.

Sunday 10 November 2013

"African Development Humanitarian Council" (adhcouncil.org) scam

This spam promotes the non-existent African Development Humanitarian Council purportedly with a web address of adhcouncil.org:

From:     camara amadu [camaraamadu9@gmail.com]
To:     davisaentltd@rediffmail.com
Date:     10 November 2013 14:23
Signed by:     gmail.com

African Development Humanitarian Council
Is ready to purchase the listed bellow foodstuffs.


2. Beans

3. Milk

4. Sugar

5. Vegetable Oil

6. Onion

7. Cement

As an authorised foodstuffs agent. This is 2013 foodstuffs supply
contract project from African Development Humanitarian Council
The foodstuffs is for the sustenance of refugees of war affected
countries, Like Côte d'Ivoire, Somalia, Sudan, Liberia and others.

Payment has been made to be 100% full payment by Telegraphic swift
Transfer (T/T) after signing of the contract agreement with the
contract awarding board of directors in Mali.

If your Company can supply any of these products please reply me, then
I will help you to get the contract through my office. You will
receive the complete payment of the contract value before shipping
your goods. Port of destination is TOGO LOME Sea Port.

Best Regards,

Mr. Camara
Tel..........+223 71878900
The email solicits replies to camaraamadu9@gmail.com and was sent to a spam trap. The "African Development Humanitarian Council" does not exist (although there are many agencies with similar names) and the domain adhcouncil.org was registered in April with fake WHOIS details. Of course, the spammer might not be associated with the domain name, but in any case the whole lot is some sort of scam and should be avoided.

It's hard to say exactly what the scam is. Probably some sort of advance fee fraud, but in any case you should ignore this particular solicitation.