Sponsored by..

Showing posts with label Scams. Show all posts
Showing posts with label Scams. Show all posts

Thursday, 8 March 2018

"Faster payment" scam is not quite what it seems

I see a lot of "fake boss" fraud emails in my day job, but it's rare that I see them sent to my personal email address. These four emails all look like fake boss fraud emails, but there's something more going on here.

From:    Ravi [Redacted] <ravi@victimdomain.com>
Reply-To:    Ravi [Redacted] <ravi@victimdomain.com-3.eu>
To:    accounts@victimdomain.com
Date:    23 February 2018 at 12:02
Subject:    Arrange this payment

Pleаsе make а £9,627.00 faster раyment for thе nеw contrаctor.

Sort сode: 30-62-15
Acc. numbеr: 10255956
Paуeе: Olivia Hаrris

I will send the doсs as soon аs i'll sort out my stuff.
Lеаve a rерly oncе сomрlеted or in casе you get аnу рroblеm while sеtting it up.

Ravi [Redacted]

Sent from my iPhonе.


From:    Andrea [Redacted] <andrea@victimdomain.com>
Reply-To:    Andrea [Redacted] <andrea@victimdomain.com-0.eu>
To:    sarah@victimdomain.com
Date:    5 March 2018 at 10:31
Subject:    5 Mar. faster payment

Morning Sаrah

Plеаse sеtup a £9,736.00 fastеr рауmеnt in fаvour of the new bеnеfiсiаrу.

Sort code: 30-61-10
Acс. number: 10811231
Pауее: Thеa Smith

I will sеnd the doсs аs soon аs i'm lеss busу.
Leave a rерly once сomрletеd or if уou get аnу рroblеm whilе sеtting it uр.

Andreа [Redacted]

Sеnt from mу iPhone.


From:    Andrea [Redacted] <andrea@victimdomain.com>
Reply-To:    Andrea [Redacted] <andrea@victimdomain.com-v.eu>
To:    karen@victimdomain.com
Date:    7 March 2018 at 11:08
Subject:    Arrange this payment

Hi Karеn

I nеed you to аrrаnge а £8,643.00 fastеr рауmеnt for the nеw bеnеficiarу.

Sort code: 30-62-12
Acc. numbеr: 10240298
Benefiсiarу: Beatriсe Evans

I will sеnd thе doсumеnts as soon as i'm less busу.
Lеavе а rеply oncе donе or if you get аnу problem whilе sеtting it uр.

Andrеа [Redacted]

Sеnt from my iPhonе.


From:    Andrea [Redacted] <andrea@victimdomain.com>
Reply-To:    Andrea [Redacted] <andrea@victimdomain.com-v.eu>
To:    mary@victimdomain.com
Date:    8 March 2018 at 11:03
Subject:    8 Mar. faster payment

Hi Mаrу

I neеd уou to mаke a £8,839.00 faster раymеnt for the new supрlier.

Sort codе: 30-62-12
Acс. numbеr: 10738345
Benеficiаry: Emmа Brown

I will send the рapеrwork onсе i'll sort out mу stuff.
Lеаve а reрly once donе or if you gеt аny рroblem whilе setting it up.

Andrea [Redacted]

Sent from mу iPhone.

"Andrea" and "Ravi" are not random people, they are both directors of a legitimate company with a name very similar (but unconnected) with one I blogged about years ago. In $dayjob the sample email I saw was from that company's chief counsel, so I believe these are targeted but just incorrect.

Normally with this sort of scam, the "boss" is asking for payment to be wired to the bank details in the email. But in this case, the sort codes for the banks (30-62-12, 30-61-10 and 30-62-15) don't exist. If you tried to wire money to them, the transfer would fail.

So, presumably when the bank transfer fails, the victim emails back the "fake boss", but it isn't all it seems. Although the "From" address looks to be genuine, there's a "Reply-To" address which goes to something a but more subtle.

For example in one of the examples about the email appears to come from andrea@victimdomain.com (i.e. whatever the victim's genuine domain is) but replies go back to something similar but different, for example andrea@victimdomain.com-v.eu - at which point the fraudsters probably then come up with different bank account details.

At the moment the email replies go to a server at (hostname uk-v.eu) in the Netherlands, but these domains and servers get shut down quickly.

All these following domains are linked to the scam (there are probably more):

This variation of an old scam seems to be quite new. Remember, if your boss emails you out of the blue and asks you to set up a payment without giving much information, always check that the request is valid and don't simply reply to the email.

UPDATE 2018-03-12

Another version..

From:    Andrea [redacted] <andrea@victimdomain.com>
Reply-To:    Andrea [redacted] <andrea@victimdomain.com-w.eu>
To:    helen@victimdomain.com
Date:    12 March 2018 at 12:57
Subject:    Handle this payment

Hi Hеlеn

Pleasе makе a £8,909.00 fastеr payment for the nеw vеndor.

Sort сodе: 30-64-15
Acс. number: 10576602
Pаyeе: Elizabeth Moore

I will send the paperwork oncе i'll sort out mу stuff.
Lеave a rерlу whеn thе oреration is сomplеtе or in cаsе уou gеt аnу problеm whilе setting it up.

Andrеа [redacted]

Sеnt from my iPhone.
This uses the domain com-w.eu and is hosted on (hostname uk-w.eu) along with uk-b.eu.

UPDATE 2018-03-13

Two more examples with the same pattern:

From:    Ravi [redacted] <ravi@victimdomain.com>
Reply-To:    Ravi [redacted] <ravi@victimdomain.com-w.eu>
To:    keith@victimdomain.com
Date:    13 March 2018 at 09:52
Subject:    Payment due 13 mar.

Hi Keith

Plеase аrrange a £8,563.00 fаstеr paуment for the new benefiсiarу.

Sort code: 30-60-41
Acc. number: 10638574
Pауeе: Rosе Clarke

I will sеnd the pаperwork as soon аs i'm lеss busу.
Lеаvе а rеplу when the oрerаtion is сomрlеte or if уou gеt аny problem whilе setting it up.

Rаvi [redacted]

Sеnt from my iPhonе.


From:    Andrea [redacted] <andrea@victimdomain.com>
Reply-To:    Andrea [redacted] <andrea@victimdomain.com-w.eu>
To:    emma@victimdomain.com
Date:    13 March 2018 at 09:26
Subject:    Settle up this payment

Hi Emmа

Please mаkе a £8,999.00 fаstеr pаymеnt for the nеw benеfiсiаrу.

Sort codе: 30-60-41
Aсс. numbеr: 10167445
Bеnеficiаrу: Aisha Robinson

I will forward the docs onсe i'll sort out my stuff.
Lеаve a rеply once completed or in cаse уou get аny problеm while setting it uр.

Andreа [redacted]

Sеnt from mу iPhonе.

What I hadn't noticed before is that the spam is using homoglyphs in the text to avoid filters. For example, the word "pаymеnt" in the email above does not acutally say "payment", but it uses a couple of cyrillic (i.e. Russian) characters in place of the "a" and "e" that just look the same.

For the latest spam messages, the email relays through various hosts but always seems to originate from (hostname: lmasko22.example.com). As with the other infrastructure this belongs to a company called MoreneHost in Russia.

Tuesday, 31 October 2017

Bogus porn blackmail attempt from adulthehappytimes.com

This blackmail attempt is completely bogus, sent from a server belonging to the adulthehappytimes.com domain.

From:    Hannah Taylor [bill@adulthehappytimes.com]
Reply-To:    bill@adulthehappytimes.com
To:    contact@victimdomail.tld
Date:    31 October 2017 at 15:06
Subject:    ✓ Tiскеt ID: DMS-883-97867 [contact@victimdomail.tld] 31/10/2017 03:35:54 Maybe this will change your life
Signed by:    adulthehappytimes.com


I sincerely anticipate that I will not hurt ur feelings. Shit happens, life didn’t give me a choice. I don’t hate people with special tastes, moreover only God can judge u. So:

Firstly, I put the particular virus on a web site with porn videos (I think you understood me).

Secondly, when you tapped on a video, soft instantly started working, all cams turned on and screen started recording, then my soft collected all contacts from emails, messengers etc. Im really proud for this soft, it makes devices act as remote desktop with keylogger function, impressive. This email address Ive collected from your device, I emailed u here because I think you will 100% going to check your corporative email.

Eventually, I edited a split screen video, with your participation and porn video from your screen, its very weird. Consequently, I can share this video with all your friends, colleagues, relatives etc. I guess it’s a big problem for you.

But we can resolve this problem. 305 Usd- in my opinion, very common cost for false like this.

I accept only bitcoin, this is my wallet’s address- 16Q65ck9Uikr2z1N4wTPG5H7ZgkmLSzDeY U have 45 hours after opening my letter to make transaction. I will see when u read this letter, I adjusted special tracking pixel in it. This time is sufficiently only to complete all verifications and transaction, so you have to think rapidly. If I wont get my «wage», I will share this video with all contact Ive received from ur device.

You can complain to cops for a help, but they wont search out me for even 150 hours, Im from Japan, so think twice. If Ill receive btc- all compromising evidence will be erased forever and I will never message you again.

U can reply, but this Will not make sense, I sent you this notification using my soft for anonymous messages, I don’t check the email after using it, because I contemplate about my safety too. Have a nice day, I hope u will make a good decision for you.
If you got one of these, the first thing to realise is that it is bullshit. This particular one was sent to the contact@ address of a random domain I own. You note there are no personal details in the email, and furthermore the claim that there's a tracking pixel in the email can easily be refuted by checking the HTML of the message itself.

The "from" address in the email is bill@adulthehappytimes.com and this matches the name of the sending email server, mta11.adulthehappytimes.com on

You might notice it says mta11 - indeed adulthehappytimes.com seems to have subdomains mta.adulthehappytimes.com through mta15.adulthehappytimes.com some of which are hosted at Heroku / AWS, but the ones that aren't are on the following IPs:

All of those belong to TimeWeb in Russia. The domain itself is also hosted on (mta1.adulthehappytimes.com) but it appears to be parked. However, however controls this domain has gone to the effort of setting up 16 different mail servers. The WHOIS details show that the domain is actually ten years old..

Domain ID: 1041994153_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.domain.com
Registrar URL: www.domain.com
Updated Date: 2016-09-06T01:55:42Z
Creation Date: 2007-06-21T21:10:46Z
Registrar Registration Expiration Date: 2018-06-21T21:10:46Z
Registrar: Domain.com, LLC
Registrar IANA ID: 886
Registrar Abuse Contact Email: compliance@domain-inc.net
Registrar Abuse Contact Phone: +1.6027165396
Reseller: Netfirms
Domain Status: ok https://icann.org/epp#ok
Registry Registrant ID:
Registrant Name: Alexey Pokachalov
Registrant Organization: Alexey Pokachalov
Registrant Street: Stepana Razina 84-10
Registrant City: Togliatti
Registrant State/Province: NA
Registrant Postal Code: 445057
Registrant Country: RU
Registrant Phone: +17.9608367000
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: genarur@gmail.com
Registry Admin ID: 

It's odd to see an old domain being used for spam like this, so perhaps the domain itself and the infrastructure has been hijacked. It is hard to be certain, but also you wouldn't post real contact details on the WHOIS and then solicit anonymous payments through BitCoin, so my hunch is that the domain owner doesn't even know it is happening.

I don't know if Bitcoin wallet 16Q65ck9Uikr2z1N4wTPG5H7ZgkmLSzDeY is common to all these spam emails, but at the moment nobody has sent money to that Bitcoin wallet.

Sunday, 8 October 2017

Scam: "Help Your Child To Be A Professional Footballer." / info@champ-footballacademyagency.co.uk

This spam email is a scam:

Subject:       Help Your Child To Be A Professional Footballer.
From:       "FC Academy" [csa@sargas-tm.eu]
Date:       Sun, October 8, 2017 10:30 am
To:       "Recipients" [fcsa@sargas-tm.eu]
Priority:       Normal

Does your child desire to become a professional footballer?

Our football academy are currently scouting for young football player to participate in 3-6 months training and  our main purpose is to recruit young and talented footballers to help become a great football  player in Life and become a great star .  Our agent will train and linked your child up with big clubs in United Kingdom and Europe.

We will also help your child to get Visa and Work Permit once the admission into our football academy is approved.

Our aim is to provide a wide range of opportunities to complement a successful playing career. We will help your child to find the best route to fulfilling their ambitions of becoming a professional footballer in United Kingdom and Europe.

If you want to help your child achieve their soccer dream, reply us for more information.
Best Regards,

At the time of writing the domain sargas-tm.eu does not exist, but the Reply-To address is actually info@champ-footballacademyagency.co.uk which is a registered domain. The WHOIS details for this say:

Domain name:

        NELSON OZI

    Registrant type:

    Registrant's address:
        404 sapphire tower
        404 sapphire tower
        United States

    Data validation:
        Nominet was not able to match the registrant's name and/or address against a 3rd party
source on 19-Sep-2017

        Web4Africa Ltd. t/a Web4Africa [Tag = WEB4AFRICA-GH]
        URL: https://www.web4africa.net

    Relevant dates:
        Registered on: 19-Sep-2017
        Expiry date:  19-Sep-2018
        Last updated:  19-Sep-2017

    Registration status:
        Registered until expiry date.

    Name servers:

WHOIS lookup made at 10:50:09 08-Oct-2017

There are lots of suspect things about this domain registration - the address is clearly fake, the registrar is based in South Africa and the nameservers are in Russia, and also it was registered just a few weeks ago. A quick bit of Googling around shows that "Nelson Ozi" is also linked to the following probably fraudulent domains:


These all seem to be connected with an IP range (Web4Africa again) which does seem to have a lot of scammy sites hosted on it. Blocking access to that range might be prudent.

The spam email itself comes via another Russian server mail.elmeh.ru but this particular email originated from in Vietnam. Replies to the champ-footballacademyagency.co.uk email would be set to mx.yandex.net which is in Russia again.

It would probably be quite difficult to stuff any more dodgy indicators into this spam. What the scam actually is isn't 100% clear, it could be anything from a simple advanced fee fraud all the way up to child abduction. Avoid.

Monday, 23 January 2017

WARNING: pmacademyusa.org / "Project Management Academy USA"

For the past six years I have been following the exploits of Patchree "Patty" Patchrint and Anthony Christopher Jones who claim to run a series of seminars on project management and grant writing. Umm.. and failed restaurants in Los Angeles. I'm not going to repeat all of the information in this post, I advise you to read the whole story.

This latest scheme is a quite snazzy-looking website at  www.pmacademyusa.org called "Project Management Academy USA".

The website may look professional, but it is simply done using the WIX website builder:

You'll notice that the site supplies no information at all about who runs it. However a useful tip alerted me to the site, which is basically a more glitzy version of the Institute of Project Management America from a few years back, including this lazy example of copypasta:

About Project Management Academy USA
At Project Management Academy USA, our programs are led by practitioners-working professionals who are experts in the process of maximizing results using professional project management practices. Modern industry needs results driven professionals who are focused on a disciplined dedication to effective project management from initiation to closing. We strive to combine real-world scenarios, actual case-studies, with the knowledge provided by PMI and academic foundations to create certified project managers who are prepared for further certification and credential. Our programs are ultra-foundational, meaning they ensure attainment of the universal basics of project management, prepare participants for certification exams, and provide the advantage of our mastery components, which are unique to our programs and are followed by a Masters designation.
They currently advertise courses running in the following locations:
January 17-20, 2017
University of Southern California
8:00am to 5:00pm

February 21-24, 2017
University of Miami
8:00am to 5:00pm

February 28 - March 3, 2017
University of Texas at Austin
8:00am to 5:00pm

March 21-24, 2017
University of California Berkeley
8:00am to 5:00pm

March 28-31, 2017
University of Chicago
8:00am to 5:00pm
Funnily enough, the venue seems to be changed at the last minute from the prestigious university it was advertised at to some other location in the rough vicinity. And also, at the last moment the person who was meant to be teaching the course is substituted at the last moment for someone who has to fill in and mysteriously seems to have problems getting paid (if this is you then please add a comment below).

If you have doubts about the quality of these causes, I urge you to read the posts and especially the comments that go with them. Those are not my words, but the words of the people unfortunate enough to either pay for a course or who turn up to teach.

Friday, 16 September 2016

Inspiral Carpets hacked, leads to The Quantum Code binary options spam

This type of binary options scam spam comes in waves every so often:

Subject:     Welcoming speech
From:     jeffriesvx@mail2nancy.com
Date:     Friday, 16 September 2016, 3:31

Good day!

We are looking for employees working remotely.

My name is Glen, I am the personnel manager of a large International company.
Most of the work you can do from home, that is, at a distance.
Salary is $2600-$5500.

If you are interested in this offer, please visit Our Site

Good day!

It's not very interesting to tell the truth, but it relies on hacked WordPress sites in order to provide landing pages. Of course, hacking someone's site to do this is illegal and no legitimate business would promote itself like this.

What I noticed was the URL in the email..
Inspiral Carpets? Yup, that's the website of the Manchester rock band of the same name. Rather than a carpet shop. As this URLquery report shows, it lands on..

cash-onlines.com [] (Enzu, US)

There's a familiar landing page..

Clicking the link goes to www.the-quantumcode.com hosted on (Terratransit, Netherlands). This is some bollocks about a binary options trading robot which will apparently make you millions. Obviously this is a scam, because if it was really that easy we'll all be doing it.

One little scammy trick is a counter to tell you that loads of people are looking at the site but there are only a small number of slots available.

The numbers are completely made up. If you look exactly the same page in another browser window, they are different.

It's hard to say if the spam was sent out by whoever runs the binary options site or an affiliate. But it's still crap either way.

Hosted on the same server are the following domains which are probably more of the same plus a load of other bollocks:



Monday, 1 August 2016

Scam: Fanrong Europe Fund / fanrongfund.info / fanrongeuropefund.info / fanrongeuropefund.com

This spam email advertising a "too good to be true" investment is a scam:

From:    Tim Hoffman [letter@612.com]
To:    contact [contact@victimdomain.tld]
Date:    30 July 2016 at 09:26
Subject:    Fanrong Europe Fund – 1 Half 2016 return +32.69%.

Dear Sirs,

Please be informed that the Fanrong Europe Fund reported strong 1 Half 2016 with return +32.69%.

Fanrong Europe Fund is a registered hedge fund that managed by a team of stock market experts that located in Zurich, Switzerland. The Fanrong Europe Fund Strategy is Long/Short Equity. The Fund was launched in April 2014. It is open-ended hedge fund. We are open for new investors.

We welcome you to contact us through our web-site to learn more about investing with us:

Kind regards,
Tim Hoffman
e-marketing manager
Fanrong Europe Fund

Reply to: marketing@fanrongfund.info

If you do not want to receive this newsletter send an email to: unsubscribe@fanrongfund.info

NOTICE: Your address was obtained from open sources where you were agreed to receive the marketing information from third parties.
I have received two of these emails, one coming from the IPs and which are both allocated to a mobile phone provider in Lithuania (UPDATE: also The website fanrongfund.info was created just a few days ago (28th July 2016) and is registed to the following (presumably fake) registrant:

Registrant ID: JLD4030131633
Registrant Name: James Dean
Registrant Organization:
Registrant Street: Vorstadt 20
Registrant City: Zug
Registrant State/Province:
Registrant Postal Code: 6300
Registrant Country: CH
Registrant Phone: +41.417120101
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: jd767@yahoo.com

The site is hosted (apparently) in the British Virgin Islands on an IP allocated to the Public Domain Registry (PDR). It uses nameservers from Russian company AYBHOST.COM.

The website is pretty generic looking and opens with these words of wisdom:

Our main trade approach is:
"Close the position if it runs to loss, and hold it if it runs to profit".

Hans Messner
fund manager "Fanrong Europe Fund"

What next. "Buy low, sell high"? Here are some screenshots in case you see another version of this on your travels:

The "About" page carries this text:
We are the EU-domiciled investment manager with successful experience in stock trade in EU. Our professional assets managers have personal approach to trade with bear and bulls market. We use self-made investment strategy that allows getting the constant positive result in short-term horizon. All investment process is in full accordance with IIS (International Investment Standards) of Fanrong Capital (Hong Kong) (fanrongcapital.com).
Presumably this is copied off an earlier scam site, in this case there is an official warning about that particular firm.

fanrongfund.info appears to have mirrors at:


Both of these are hosted on (Hetzner, Germany). The WHOIS details for those are inconsistent with each other.

Registrant ID: HSM1859139253
Registrant Name: Hans Messner
Registrant Organization: Fanrong Europe Fund
Registrant Street: Leutschenbachstrasse 95
Registrant City: Zurich
Registrant State/Province: Zurich
Registrant Postal Code: 8050
Registrant Country: CH
Registrant Phone: +41.445632589
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: info@fanrongeuropefund.info

Registry Registrant ID: Not Available From Registry
Registrant Name: Li Yong
Registrant Organization:
Registrant Street: Schwingerstrasse 9
Registrant City: Zurich
Registrant State/Province: Zurich
Registrant Postal Code: 8006
Registrant Country: CH
Registrant Phone: +41.442289632
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: info@fanrongeuropefund.com

For completeness, the domain fanrongcapital.com is hosted on  (the same block as fanrongfund.info) and this particular corporation seems to be using a free email address..

Registry Registrant ID: Not Available From Registry
Registrant Name: Wei Zhang
Registrant Organization: Fanrong Capital
Registrant Street: 20F, 1 Harbor View Street
Registrant City: Hong Kong
Registrant State/Province: Hong Kong
Registrant Postal Code: 111000
Registrant Country: HK
Registrant Phone: +852.58085536
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: fanrongcapital@yahoo.com

Nothing about this offer is legitimate. Avoid it, or if you have invested money in this fictitious firm then you should contact the police immediately.

Thursday, 16 June 2016

Spam: Dr Happy's Terrorism Conference

Fake conferences are a pretty common scam. The criminals send out spam about serious-looking upcoming conferences that don't exist and then rip victims off for travel costs, conference fees and hotel accommodation. This spam about a fake conference about terrorism caught my eye because it comes from the amusingly named (but fake) Dr Happy Wisdom:

From:    Dr. Happy [shreyag@bajajcapital.com]
Reply-To:    "Dr. Happy" [iedhsto.officedesk@gmail.com]
Date:    15 June 2016 at 23:24

Dear Sir/Madam,

 On behalf of the International Economic Development on Human Security and Terrorism Organization, I am pleased to invite you to our conference that will be held from August 15th to 19th, 2016 @ the conference place in Dallas Texas USA and August 22nd-26th 2016 @ in Dakar Senegal. The conference meeting will contain various talks and mini workshops related to the issues of Challenges to Economic Development & Human Security in our society.

The topic of the conference is "The Effect of Terrorism on Global Economy and Human Security " the sponsors of this event shall cover your round-trip air tickets from your country to the USA and from USA to Dakar Senegal back to your country and we shall also provide visa assistance with the U.S Embassy in your country of residence and your ground transportation from the airport to the conference venue. The hotel accommodation booking cost will be your own responsibility in Republic of Senegal. Please contact the conference secretariat for more information and registration for participation: [iedhsto.officedesk@gmail.com].

We look forward to your confirmed presence at the conference.
Respectfully Yours,
Dr. Happy Wisdom,
Program Assistant.

The email does actually originate from an IP address in Senegal ( but then it is routed through a hacked server belonging to the domain bajajcapital.com which is a finance company in India. The compromise email account can be seen in the "From" field.

At best this scam is some sort of financial fraud. At worst, turning up to it could put your life in danger. Avoid.

Saturday, 7 May 2016

WARNING: projmanagementintl.org / "Project Management International" aka Patty Patchrint and Anthony Christopher Jones

I blogged about "Project Management International" last year, an outfit running (in my personal opinion) fake or low-quality seminars, at that time using the domain projectmanagementinternational.org.

This outfit is run by Anthony Christopher Jones and Patchree "Patty" Patchrint (aka Patty Jones) from California. I've written about this oufit several times in the past five years, but it turns out that Jones and Patchrint have been running similar schemes since 2008.

In 2011 ABC15 news in Arizona investigated a previous incarnation of these scheme, named "NAPPPA"...

These Jones / Patchrint operations seem to pop up from time to time and then disappear, usually after being exposed for what they are. This latest iteration of the fake "Project Management International" organisation uses the domain projmanagementintl.org. It's a flashy-looking site, but really it is just made from a standard template.

The "Registration" page lists some prestigious universities as hosting these courses.

From what I can tell, the usual thing that happens is that at the last minute the location is changed to a nearby hotel or conference centre, and it seems that no booking are ever made with the university. All feedback on the courses seems to indicate that they are all of very poor quality. There are numerous reports that the people hired to teach these courses are also not paid as promised.

The courses themselves are advertised through spam email (example here)

The Project Management Fundamentals Course  will be offered May 25-27, 2016 at the University of Utah campus in Salt Lake City, Utah. Project management professionals, business and technology professionals, students, and educators are invited to register at the Project Management International website here .

May 25-27, 2016
Salt Lake City, Utah
8:00am - 5:00pm
The Project Management Fundamentals Course  is designed for those seeking professional project management certification. It serves as a thorough introduction to the fundamentals of project management. Those seeking additional credentials such as the PMP®/PgMP®, PMI-SP®, and PMI-RMP® will benefit from this dynamic and interactive work session, while those currently holding credentials will find the certification to be an enhancement as well as the most up to date advanced professional development.  

Project Management Fundamentals Course provides 24 hours of project management education hours for both PMI's Certified Associate in Project Management (CAPM) ® and Project Management Professional (PMP) certifications. Additionally, the Master Certification provides 24 Professional Development Units (PDUs) for current holders of PMP®/PgMP®, PMI-SP®, and PMI-RMP® credentials. Additionally, the program awards 2.4 Continuing Education Units (CEUs) upon request. 

Program Description

Our certificate program teaches technical and business professionals how to master the critical skills of project management techniques as part of their technical career development.

The skills developed in the Project Management Fundamentals Course apply to large and small projects, product design and development efforts, construction projects, IT projects, software development, and any project with critical performance, time, and budget targets.  

Our approach to project management education offers proven, results-focused learning.

Courses are developed and facilitated by professional subject experts with extensive industrial experience. Course emphasis is on providing practical skills and tools supported by relevant case examples.


Tuition for the three-day Project Management Fundamentals Course is $595.00

Program Schedule and Content
1. Project Initiation, Costing, and Selection, Day 1
2. Project Organization and Leadership, Day 1 
3. Detailed Project Planning, Day 2 
4. Project Monitoring and Control, Day 2
5. Project Risk and Stakeholder Management, Day 3

·   A Project Management International Certificate of Accomplishment is awarded upon completion of the three day program. ·    Our instructors have extensive industrial experience. They focus on providing you with practical skills and tools using relevant case examples.·   Each class is highly focused and promotes maximum interaction.·   You can network with other project management professionals from a variety of industries.·   Earn Professional Development Units (PDUs) for maintenance of certification under the PMI Continuing Certification Requirements Program.·    Applicants for PMI's Certified Associate in Project Management (CAPM)® and Project Management Professional (PMP) certifications will receive 24 project management education hours towards the requirements for eligibility.


Participants may reserve a seat online at the Project Management International website , by calling the Program Office toll-free at (888) 201-6372, or by sending their name and contact information via email to the Program Registrar .

Upon receiving your registration, a confirmation email is sent to registrants that include session site information, travel information, program description, and details on how to confirm attendance and make payment arrangements.

To unsubscribe from this mailing list, simply reply to this message and write EXCLUDE to be removed from future notices.

Contact numbers listed on the spamvertised site are:

Toll Free: (888) 201-6372
Phone: (213) 222-6855
Fax:   (855) 420-6217

If you see these telephone numbers on other seminar sites, then it will be the same operation. The site quotes a PO box as a contact address but reveals no other information about this so-called corporation.

Project Management International
PO BOX 812112
Los Angeles, California 90081

If you feel you have been scammed by this operation then I urge you to report it to the police, FBI, FTC or your local AG's Office. If you would like to share your experiences (positive or negative) then please feel free to use the Comments section below.

Friday, 1 April 2016

Fake boss scams meet AI robocallers in a dangerous escalation of fraud

Many of us will be familiar with the "fake boss" scam. You're sitting at your desk when your CEO suddenly calls and asks you to transfer a large stack of currency to some shady bank account for a business transaction you are not allowed to talk about.

This type of fraud is simple and can often pay out big bucks, but it is also labour intensive. Research has to be done on companies and convincing calls have to be made to unsuspecting minions. Not only does this all take some time, but the more people involved in the scam then the more ways you have to split the booty.. and the greater the change of getting caught.

Now, the notorious Russian gang dubbed Den Duraka by researchers have been discovered using a cunning new technique which makes this type of attack even more dangerous. Instead of relying on human beings to make the phone calls, they have now enrolled an AI-powered robocalling system called which promises to be a game-changer.

Sporting the clumsy Russian acronym LOZHNYY, this is deeply integrated into LinkedIn, Facebook, Twitter and other social networks, with feeds into business directories using hacked credentials. Once it has found a CEO to impersonate, it scours the web for video and audio clips to get an idea of accents and mannerisms, and then it starts to research company filings and financial data. All of this is then combined with a wide range of pre-prepared scripts and some basic question-and-answer scenarios to make a deadly weapon in the hands of the scammers.

Some of the conversational AI features are rudimentary, and LOZHNYY sometimes resorts to buzzword-laden nonsense when out of its depth. Victims report that they were not suspicious as this seemed consistent with the behaviour of their CEOs.

Cybersecurity experts are struggling with ways to counter this new threat. At the moment their best advice is to completely ignore any communications from your CEO and indeed any C-level executive. You have been warned!

(If you hadn't spotted the clues in the Russian names above.. this is an April Fools joke)

Wednesday, 16 December 2015

Domain registration scan: cn-registry.net / "Huabao Ltd"

This type of Chinese domain registration scam has been around for years.

From:    Jim Gong [jim.gong@cnregistry.net]
Date:    15 December 2015 at 13:40
Subject:    "petroldirect"

Dear CEO,

(If you are not the person who is in charge of this, please forward this to your CEO, because this is urgent, Thanks)

We are a Network Service Company which is the domain name registration center in Shanghai, China.

We received an application from Huabao Ltd on December 14, 2015. They want to register " petroldirect " as their Internet Keyword and " petroldirect .cn "、" petroldirect .com.cn " 、" petroldirect .net.cn "、" petroldirect .org.cn " 、" petroldirect .asia " domain names etc.., they are in China and Asia domain names. But after checking it, we find " petroldirect " conflicts with your company. In order to deal with this matter better, so we send you email and confirm whether this company is your distributor or business partner in China or not?

Best Regards,
General Manager 
Shanghai Office (Head Office)
3008, Jiulong Building, No. 836 Nandan Road,
Shanghai, China
Tel: +86 216191 8696
Mobile: +86 1870199 4951
Fax: +86 216191 8697
Web: www.cn-registry.net
In fact, there is no Huabao Ltd - it's just a made-up name that the scammers use to try to persuade you into buying some overpriced and worthless domains. Nobody is interested in buying these domains, and no domain registrar would contact you before registration in any case as it is not the responsibility of registrar to do so*.

I certainly don't recommend forwarding this to your CEO, as many CEOs will not understand the scam and may fall for it. If you do forward it, make you that you point out that this is a scam.

This scam has been around for so long, that I even made a video about it..

These following domains are all variations of the same rogue Chinese registrar:


* except in specific and limited circumstances (e.g sunrise applications) that do not apply here.

Monday, 2 November 2015

Scam: "European Trademark Publication" / "ETP" / "etp-publication.com"

A little while ago I registered a trademark. I was a bit surprised to see a small flurry of scammers following that up (by snail mail), sending me what to all intents and purposes are fake invoices. Here is one of them.

In the greyed-out text at the bottom, you can just about read the bit where they give the game away..

Basically, this "ETP" outfit is saying.. send us £930 for no reason at all. Avoid.

Monday, 26 October 2015

Fake seminar sites to avoid, registered to vravindhar@yahoo.com

A contact tipped me off to some fake financial seminar sites, all linked to the email address vravindhar@yahoo.com. They are promoted in spam emails similar to these:

From: rob.koster@fatcacomplianceinstitute.com [mailto:rob.koster@fatcacomplianceinstitute.com]
Sent: Wednesday, August 05, 2015 8:33 AM
To: redacted
Subject: FATCA Compliance - [redacted]
Importance: High

Dear Participants,

We are pleased to announce you that FATCA Compliance Institute is conducting a 2 day practical seminar on FATCA Compliance.

This seminar is going to be repeated and held thrice:

The seminar is open to all the Banking & Financial Professionals. The seminar particulars are attached with this mail.

Last date for enrolling your participation is [redacted], 2015.

Please contact for assistance.

Rob Koster
Seminar Secretary
Tel:+31-800-020-0534(Netherlands and Other EU Countries) 
       +1-312-625-0112(All Other Countries)

And also..

 From: alfred@pacibankers.com [mailto:alfred@pacibankers.com]
Sent: Wednesday, February 11, 2015 11:50 AM
Subject: Asset Management Auditing and Internal Accounting Controls - [redacted]
Importance: High

Asset Management Auditing and Internal Accounting Controls - 2 Day Program

Dear Delegate
Pacific Standards (www.pacificstandards.com) would like to invite representatives from your organization to attend the above mentioned program scheduled for 2015. We are limiting the number of participants for each cluster to 20, as the courses are designed to be interactive and to encourage discussion and the exchange of ideas.

Program Dates:      Cluster I – February 25 - 26, 2015 
                                      Cluster II – March 9 - 10, 2015                                  
                                      Cluster III - March 18 - 19, 2015 
                                      Cluster IV- April 6 - 7, 2015
                                      Cluster V- April 15 - 16, 2015
Venue: {redacted}
We invite you to nominate individuals from your respective organization. It is also important to stress that all available slots will be filled on a first come first serve basis. Please advise your colleagues to attend and take advantage of this valuable and pivotal workshop.(Please see the attached brochure for complete course coverage).
Early Registration Deadline is February 15, 2015 
Last Date of Registration is February 17, 2015 

Looking forward for an early reply.

Thanks & Regards,
Pacific Standards
Marketing Manager
Contact Number: +91-8801-990-204

Emails are sent from (Softlayer, Netherlands). The registrant details look like this on most of the domains:
Registry Registrant ID:
Registrant Name: Ravindhar V
Registrant Organization:
Registrant Street: office:7, sushant lok , sushant estate
Registrant City: gugaon
Registrant State/Province: Haryana
Registrant Postal Code: 122002
Registrant Country: India
Registrant Phone: +91.9999960651
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: vravindhar@yahoo.com
Registry Admin ID:
The emails specifically target the finance sector with what appear to be relevant seminars and services, however once payment has been received there is reportedly no further communication and no seminars.

There are a large number of related sites, some using several different domains. There are virtually zero references to these "organisations" on Google, and a close examination of the sites shows several red flags.

Pacific Standards

Claiming to be in Singapore, but boasting an Indian phone number of +91-8801990204, this outfit claims to be part of "Grenoble Learning". Neither Pacific Standards nor Grenoble Learning actually appear to exist.

Domains used:

Brown & Co

This claims to be based as 12 Flemington Street, Glasgow but quotes a US contact number of 1-800-BRO-CORP / 1-800-246-8115.  There are many, many companies in the UK with the name "Brown & Co", but where you would expect to see number 12 on that street.. there appears to be a car park.

Domains used:


FATCA Compliance Institute

A quick Google search for "FATCA Compliance Institute" reveals exactly zero reliable references to this important-looking organisation, boasting contact details in both India and The Netherlands.
15-66 plot 101 Prabhu Nagar
Poranki 521137.
Tel:+31-800-020-0534(Netherlands and Other EU Countries)
FAX:+31-800-020-0534 (ONLY EU)
FAX: +31-20-524-1592 (ALL COUNTRIES)
USA Tel: +1-312-625-0112 (All other Countries)
Email: director@fatcacompliance.cc

Corporate Office:

Keizersgracht 209
1006 DT Amsterdam
The Netherlands
The Netherlands Toll-Free:

USA Tel: +1-312-625-0112 (All other Countries)
Email: director@fatcacompliance.cc

Domains used:


Rightman Group

The web site here looks very slick. But if you Google for snippets of somewhat ungrammatical text (such as "But, one things remains unchanged – our dedication to doing the best work in the world.") you will find that there are hundreds of sites using the exact same template. Rightman Group has the following contact details listed:

Rightman Group
 United States
199 Scott Street
Suite 810
Buffalo, NY 14204
USA call charges apply.
 Dreikönigstrasse 30
Zürich, Switzerland

The New York State Division of Corporations has no such company as "Rightman Group" listed.

Domains used:


Swiss Dossier

I can only imagine that the name "Swiss Dossier" came about through an error in autotranslation. It lists several addresses:

offices@swissdossier.com(Training Programs)

Tel:  +1-786-235-8424(USA)

Our Global offices are located at:
19th Floor, Prudential Towers(North Side)
Office no: 1901
Chulia Street

Aeschenvorstadt, 405

79 Thornall Street,
6th Floor, Edison, NJ 08837.
New Jersy

70 Sheppard Avenue, Suite 301,
North York, Ontario M2N 3A4,

A Google search for "swissdossier.com" comes up with no independent and reliable references to this so-called company.

Domains used:


Treasury Management Institute

According to Companies House in the UK, there is no company in the UK with the name "Treasury Management Institute". The contact details indicate that this is perhaps the workplace of John or Jane Doe:

Email : 
01, Temple Quay, Temple Back East, Bristol, BS1 6DZ, UK
SWConsulting Group, Sec 42 Gurgaon, India(Institute operates under the licence of SWConsulting Group)
There are no independent references to this organisation existing in Bristol.

Domains used:


Financial Models India

Sharing the same contact details as some of these other highly questionable sites, and hosted on the same infrastructure, Financial Models India would appear to fail the Duck Test.

79 Thornall Street,
6th Floor, Edison, NJ 08837,
New Jersy,

19th Floor,
Prudential Towers (North Side),
Office no: 1901,
Chulia Street, Singapore

Aeschenvorstadt, 405,
Basel, Switzerland

70 Sheppard Avenue,
Suite 301, North York,
Ontario M2N 3A4,

DLF Square M Block,
Jacaranda Marg DLF City, Phase II,
Gurgaon 122002, INDIA  

Domains used:


Virat World Wide

This appears to be the firm or individual behind these sites. The "About Us" page says:

Ravindhar.V - Managing Director

Mr. Ravindhar is an able administrator and change master. He has rich experience in thearea of Financial Information Technology(FIT). He has developed financial software products and Information Technology management solutions for financial institutions and banks in more than a fifty countries and for top global Banks and companies. His qualification is Master of Finance and Accounting with a track of computer applications in Finance and Accounting(MFA). Mr.Ravindhar comes from Business Family of Poranki Sugars and his family is a legacy of entrepreneurs based in India. Group is widely respected by the industry.
I'm guessing the the "V" stands for "Virat", making him "Ravindhar Virat". The contact details list an address in the... errr. UNITED KIGDOM.

Global Support
This address is actually a hotel. The +91 telephone number is a number in India, not the UK.

Domains used:


Other domains

The other domains (mostly now defunct or with no content) also appear to belong to the same operator:






If you have any experiences with any of these "companies", feel free to leave a comment.