
Monday 18 March 2019

"Central Intelligence Agency - Case #79238516" extortion spam

I've seen various extortion spams over the past 12 months or so, but this one has a particularly vicious twist.

If you haven't seen one of these before - it's just a spam, randomly sent to your email address. You can safely ignore it.

From:    Liza Guest [liza-guest@eosj.cia-gov-it.tk]
Reply-To:    liza-guest@eosj.cia-gov-it.tk
To:    [redacted]
Date:    18 Mar 2019, 06:33
Subject:    Central Intelligence Agency - Case #79238516

Case #79238516
Distribution and storage of pornographic electronic materials involving underage children.
   
   
My name is Liza Guest and I am a technical collection officer working for Central Intelligence Agency.
   
It has come to my attention that your personal details including your email address ([redacted]) are listed in case #79238516.
   
The following details are listed in the document's attachment:
   
  • Your personal details,
  • Home address,
  • Work address,
  • List of relatives and their contact information.
   
   
Case #79238516 is part of a large international operation set to arrest more than 2000 individuals suspected of paedophilia in 27 countries.
   
The data which could be used to acquire your personal information:
   
  • Your ISP web browsing history,
  • DNS queries history and connection logs,
  • Deep web .onion browsing and/or connection sharing,
  • Online chat-room logs,
  • Social media activity log.
   
The first arrests are scheduled for April 8, 2019.
   
Why am I contacting you ?
   
I read the documentation and I know you are a wealthy person who may be concerned about reputation.
   
I am one of several people who have access to those documents and I have enough security clearance to amend and remove your details from this case. Here is my proposition.
   
Transfer exactly $10,000 USD (ten thousand dollars - about 2.5 BTC) through Bitcoin network to this special bitcoin address:
   
3QTV16BBsaEBVuwZv8wCjEgWZTKVVQPJ3h
   
You can transfer funds with online bitcoin exchanges such as Coinbase, Bitstamp or Coinmama. The deadline is March 27, 2019 (I need few days to access and edit the files).
   
Upon confirming your transfer I will take care of all the files linked to you and you can rest assured no one will bother you.
   
Please do not contact me. I will contact you and confirm only when I see the valid transfer.
   
Regards,
Liza Guest
   
Technical Collection Officer
Directorate of Science and Technology
Central Intelligence Agency

Another version comes "from" tannerlynch@oiks.cia-gov-it.gq and solicits payments to 32ngJWq6YYGUfvCbj3Ji7MNSnqi3rdM5qa. There are probably others. At the time of writing, neither of these two Bitcoin wallets had received any payment.

Tuesday 22 May 2018

Phishing and fraudulent sites hosted on 188.241.58.60 (Qhoster)

Nigerian registrants. Dodgy Eastern European host offering bulletproof and anonymous hosting. Yup, I very much doubt there is anything legitimate at all hosted on 188.241.58.60.. or indeed any part of Qhoster's network.


Thursday 8 March 2018

"Faster payment" scam is not quite what it seems

I see a lot of "fake boss" fraud emails in my day job, but it's rare that I see them sent to my personal email address. These four emails all look like fake boss fraud emails, but there's something more going on here.

From:    Ravi [Redacted] <ravi@victimdomain.com>
Reply-To:    Ravi [Redacted] <ravi@victimdomain.com-3.eu>
To:    accounts@victimdomain.com
Date:    23 February 2018 at 12:02
Subject:    Arrange this payment

Pleаsе make а £9,627.00 faster раyment for thе nеw contrаctor.

Sort сode: 30-62-15
Acc. numbеr: 10255956
Paуeе: Olivia Hаrris

I will send the doсs as soon аs i'll sort out my stuff.
Lеаve a rерly oncе сomрlеted or in casе you get аnу рroblеm while sеtting it up.


Rеgards
Ravi [Redacted]

Sent from my iPhonе.

-----------------

From:    Andrea [Redacted] <andrea@victimdomain.com>
Reply-To:    Andrea [Redacted] <andrea@victimdomain.com-0.eu>
To:    sarah@victimdomain.com
Date:    5 March 2018 at 10:31
Subject:    5 Mar. faster payment

Morning Sаrah

Plеаse sеtup a £9,736.00 fastеr рауmеnt in fаvour of the new bеnеfiсiаrу.

Sort code: 30-61-10
Acс. number: 10811231
Pауее: Thеa Smith

I will sеnd the doсs аs soon аs i'm lеss busу.
Leave a rерly once сomрletеd or if уou get аnу рroblеm whilе sеtting it uр.


Rеgаrds
Andreа [Redacted]

Sеnt from mу iPhone.

-----------------

From:    Andrea [Redacted] <andrea@victimdomain.com>
Reply-To:    Andrea [Redacted] <andrea@victimdomain.com-v.eu>
To:    karen@victimdomain.com
Date:    7 March 2018 at 11:08
Subject:    Arrange this payment

Hi Karеn

I nеed you to аrrаnge а £8,643.00 fastеr рауmеnt for the nеw bеnеficiarу.

Sort code: 30-62-12
Acc. numbеr: 10240298
Benefiсiarу: Beatriсe Evans

I will sеnd thе doсumеnts as soon as i'm less busу.
Lеavе а rеply oncе donе or if you get аnу problem whilе sеtting it uр.


Regаrds
Andrеа [Redacted]

Sеnt from my iPhonе.

-----------------

From:    Andrea [Redacted] <andrea@victimdomain.com>
Reply-To:    Andrea [Redacted] <andrea@victimdomain.com-v.eu>
To:    mary@victimdomain.com
Date:    8 March 2018 at 11:03
Subject:    8 Mar. faster payment

Hi Mаrу

I neеd уou to mаke a £8,839.00 faster раymеnt for the new supрlier.

Sort codе: 30-62-12
Acс. numbеr: 10738345
Benеficiаry: Emmа Brown

I will send the рapеrwork onсе i'll sort out mу stuff.
Lеаve а reрly once donе or if you gеt аny рroblem whilе setting it up.


Rеgards
Andrea [Redacted]

Sent from mу iPhone.

"Andrea" and "Ravi" are not random people; they are both directors of a legitimate company with a name very similar to (but unconnected with) one I blogged about years ago. In $dayjob the sample email I saw was from that company's chief counsel, so I believe these are targeted but just incorrect.

Normally with this sort of scam, the "boss" is asking for payment to be wired to the bank details in the email. But in this case, the sort codes for the banks (30-62-12, 30-61-10 and 30-62-15) don't exist. If you tried to wire money to them, the transfer would fail.

So, presumably when the bank transfer fails, the victim emails back the "fake boss", but it isn't all it seems. Although the "From" address looks to be genuine, there's a "Reply-To" address which goes to something a bit more subtle.

For example, in one of the examples above the email appears to come from andrea@victimdomain.com (i.e. whatever the victim's genuine domain is) but replies go back to something similar but different, for example andrea@victimdomain.com-v.eu, at which point the fraudsters probably come up with different bank account details.

At the moment the email replies go to a server at 185.235.131.65 (hostname uk-v.eu) in the Netherlands, but these domains and servers get shut down quickly.

All these following domains are linked to the scam (there are probably more):

This variation of an old scam seems to be quite new. Remember, if your boss emails you out of the blue and asks you to set up a payment without giving much information, always check that the request is valid and don't simply reply to the email.

UPDATE 2018-03-12

Another version..

From:    Andrea [redacted] <andrea@victimdomain.com>
Reply-To:    Andrea [redacted] <andrea@victimdomain.com-w.eu>
To:    helen@victimdomain.com
Date:    12 March 2018 at 12:57
Subject:    Handle this payment

Hi Hеlеn

Pleasе makе a £8,909.00 fastеr payment for the nеw vеndor.

Sort сodе: 30-64-15
Acс. number: 10576602
Pаyeе: Elizabeth Moore

I will send the paperwork oncе i'll sort out mу stuff.
Lеave a rерlу whеn thе oреration is сomplеtе or in cаsе уou gеt аnу problеm whilе setting it up.


Regаrds
Andrеа [redacted]

Sеnt from my iPhone.

This uses the domain com-w.eu and is hosted on 185.241.54.62 (hostname uk-w.eu) along with uk-b.eu.

UPDATE 2018-03-13

Two more examples with the same pattern:

From:    Ravi [redacted] <ravi@victimdomain.com>
Reply-To:    Ravi [redacted] <ravi@victimdomain.com-w.eu>
To:    keith@victimdomain.com
Date:    13 March 2018 at 09:52
Subject:    Payment due 13 mar.

Hi Keith

Plеase аrrange a £8,563.00 fаstеr paуment for the new benefiсiarу.

Sort code: 30-60-41
Acc. number: 10638574
Pауeе: Rosе Clarke

I will sеnd the pаperwork as soon аs i'm lеss busу.
Lеаvе а rеplу when the oрerаtion is сomрlеte or if уou gеt аny problem whilе setting it up.


Regаrds
Rаvi [redacted]

Sеnt from my iPhonе.

----------

From:    Andrea [redacted] <andrea@victimdomain.com>
Reply-To:    Andrea [redacted] <andrea@victimdomain.com-w.eu>
To:    emma@victimdomain.com
Date:    13 March 2018 at 09:26
Subject:    Settle up this payment

Hi Emmа

Please mаkе a £8,999.00 fаstеr pаymеnt for the nеw benеfiсiаrу.

Sort codе: 30-60-41
Aсс. numbеr: 10167445
Bеnеficiаrу: Aisha Robinson

I will forward the docs onсe i'll sort out my stuff.
Lеаve a rеply once completed or in cаse уou get аny problеm while setting it uр.


Regаrds
Andreа [redacted]

Sеnt from mу iPhonе.

What I hadn't noticed before is that the spam is using homoglyphs in the text to avoid filters. For example, the word "pаymеnt" in the email above does not actually say "payment", but it uses a couple of Cyrillic (i.e. Russian) characters in place of the "a" and "e" that just look the same.
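
The two tells described in this post, a Reply-To domain that merely extends the From domain and words that mix Latin with Cyrillic letters, can be checked mechanically. The following Python is an added example, not code from the original post; the function names, the result labels and the sample message are constructed for illustration.

```python
import unicodedata
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample modelled on the messages quoted in this post.
# "p\u0430ym\u0435nt" contains Cyrillic U+0430 and U+0435 in place of "a" and "e".
SAMPLE = (
    "From: Andrea <andrea@victimdomain.com>\n"
    "Reply-To: Andrea <andrea@victimdomain.com-v.eu>\n"
    "To: karen@victimdomain.com\n"
    "Subject: Arrange this payment\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "Content-Transfer-Encoding: 8bit\n"
    "\n"
    "I need you to arrange a faster p\u0430ym\u0435nt for the new beneficiary.\n"
).encode("utf-8")


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def reply_to_finding(msg):
    """Compare the Reply-To domain with the From domain.

    Returns None when there is nothing to report, "lookalike" when the
    Reply-To domain is the From domain with extra text appended
    (victimdomain.com -> victimdomain.com-v.eu), and "mismatch" for any
    other difference. A plain mismatch is common in legitimate mail
    (mailing lists, ticketing systems), so treat it as low severity.
    """
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    if not from_dom or not reply_dom or reply_dom == from_dom:
        return None
    if reply_dom.startswith(from_dom):
        return "lookalike"
    return "mismatch"


def script_of(ch):
    """Coarse script tag for a letter, taken from its Unicode name."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return "OTHER"


def mixed_script_words(text):
    """List words that mix Latin letters with letters from another script.

    A word written wholly in Cyrillic (ordinary Russian text) is not
    reported; only a Latin word with foreign letters substituted in is.
    """
    hits = []
    for raw in text.split():
        word = raw.strip(".,:;!?()[]\"'")
        scripts = {s for s in map(script_of, word) if s}
        if "LATIN" in scripts and len(scripts) > 1:
            hits.append((word, sorted(scripts)))
    return hits


def body_text(msg):
    """Decoded text of the preferred body part (plain text first)."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def analyse(raw_bytes):
    """Run both checks over one raw RFC 5322 message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    return {
        "reply_to": reply_to_finding(msg),
        "mixed_script": mixed_script_words(body_text(msg)),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE))
```

Either finding on its own is weak evidence; a payment request that trips both is worth holding for manual verification.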


For the latest spam messages, the email relays through various hosts but always seems to originate from 91.243.80.176 (hostname: lmasko22.example.com). As with the other infrastructure this belongs to a company called MoreneHost in Russia.


Tuesday 31 October 2017

Sunday 8 October 2017

Scam: "Help Your Child To Be A Professional Footballer." / info@champ-footballacademyagency.co.uk

This spam email is a scam:

Subject:       Help Your Child To Be A Professional Footballer.
From:       "FC Academy" [csa@sargas-tm.eu]
Date:       Sun, October 8, 2017 10:30 am
To:       "Recipients" [fcsa@sargas-tm.eu]
Priority:       Normal

Hello,
Does your child desire to become a professional footballer?

Our football academy are currently scouting for young football player to participate in 3-6 months training and  our main purpose is to recruit young and talented footballers to help become a great football  player in Life and become a great star .  Our agent will train and linked your child up with big clubs in United Kingdom and Europe.

We will also help your child to get Visa and Work Permit once the admission into our football academy is approved.

Our aim is to provide a wide range of opportunities to complement a successful playing career. We will help your child to find the best route to fulfilling their ambitions of becoming a professional footballer in United Kingdom and Europe.

If you want to help your child achieve their soccer dream, reply us for more information.
Best Regards,
CFAA.

At the time of writing the domain sargas-tm.eu does not exist, but the Reply-To address is actually info@champ-footballacademyagency.co.uk which is a registered domain. The WHOIS details for this say:

Domain name:
        champ-footballacademyagency.co.uk

    Registrant:
        NELSON OZI

    Registrant type:
        Unknown

    Registrant's address:
        404 sapphire tower
        404 sapphire tower
        USA
        Kentucky
        97101
        United States

    Data validation:
        Nominet was not able to match the registrant's name and/or address against a 3rd party source on 19-Sep-2017

    Registrar:
        Web4Africa Ltd. t/a Web4Africa [Tag = WEB4AFRICA-GH]
        URL: https://www.web4africa.net

    Relevant dates:
        Registered on: 19-Sep-2017
        Expiry date:  19-Sep-2018
        Last updated:  19-Sep-2017

    Registration status:
        Registered until expiry date.

    Name servers:
        dns1.yandex.net
        dns2.yandex.net

Disclaimer
WHOIS lookup made at 10:50:09 08-Oct-2017


There are lots of suspect things about this domain registration - the address is clearly fake, the registrar is based in South Africa and the nameservers are in Russia, and also it was registered just a few weeks ago. A quick bit of Googling around shows that "Nelson Ozi" is also linked to the following probably fraudulent domains:

svbfib.com
svbfibem.com
globalcreditsus.com

These all seem to be connected with an IP range 169.255.59.0/24 (Web4Africa again) which does seem to have a lot of scammy sites hosted on it. Blocking access to that range might be prudent.

The spam email itself comes via another Russian server mail.elmeh.ru but this particular email originated from 103.207.37.101 in Vietnam. Replies to the champ-footballacademyagency.co.uk email would be sent to mx.yandex.net which is in Russia again.

It would probably be quite difficult to stuff any more dodgy indicators into this spam. What the scam actually is isn't 100% clear, it could be anything from a simple advanced fee fraud all the way up to child abduction. Avoid.

Monday 23 January 2017

WARNING: pmacademyusa.org / "Project Management Academy USA"

For the past six years I have been following the exploits of Patchree "Patty" Patchrint and Anthony Christopher Jones who claim to run a series of seminars on project management and grant writing. Umm.. and failed restaurants in Los Angeles. I'm not going to repeat all of the information in this post, I advise you to read the whole story.

This latest scheme is a quite snazzy-looking website at www.pmacademyusa.org called "Project Management Academy USA".

The website may look professional, but it is simply done using the WIX website builder:


You'll notice that the site supplies no information at all about who runs it. However a useful tip alerted me to the site, which is basically a more glitzy version of the Institute of Project Management America from a few years back, including this lazy example of copypasta:

About Project Management Academy USA
At Project Management Academy USA, our programs are led by practitioners-working professionals who are experts in the process of maximizing results using professional project management practices. Modern industry needs results driven professionals who are focused on a disciplined dedication to effective project management from initiation to closing. We strive to combine real-world scenarios, actual case-studies, with the knowledge provided by PMI and academic foundations to create certified project managers who are prepared for further certification and credential. Our programs are ultra-foundational, meaning they ensure attainment of the universal basics of project management, prepare participants for certification exams, and provide the advantage of our mastery components, which are unique to our programs and are followed by a Masters designation.
They currently advertise courses running in the following locations:
January 17-20, 2017
University of Southern California
8:00am to 5:00pm

February 21-24, 2017
University of Miami
8:00am to 5:00pm

February 28 - March 3, 2017
University of Texas at Austin
8:00am to 5:00pm

March 21-24, 2017
University of California Berkeley
8:00am to 5:00pm

March 28-31, 2017
University of Chicago
8:00am to 5:00pm

Funnily enough, the venue seems to be changed at the last minute from the prestigious university it was advertised at to some other location in the rough vicinity. Also at the last moment, the person who was meant to be teaching the course is substituted for someone who has to fill in and who mysteriously seems to have problems getting paid (if this is you then please add a comment below).

If you have doubts about the quality of these courses, I urge you to read the posts and especially the comments that go with them. Those are not my words, but the words of the people unfortunate enough to either pay for a course or who turn up to teach.


Friday 16 September 2016

Inspiral Carpets hacked, leads to The Quantum Code binary options spam

This type of binary options scam spam comes in waves every so often:

Subject:     Welcoming speech
From:     jeffriesvx@mail2nancy.com
Date:     Friday, 16 September 2016, 3:31

Good day!

We are looking for employees working remotely.

My name is Glen, I am the personnel manager of a large International company.
Most of the work you can do from home, that is, at a distance.
Salary is $2600-$5500.

If you are interested in this offer, please visit Our Site

Good day!

It's not very interesting to tell the truth, but it relies on hacked WordPress sites in order to provide landing pages. Of course, hacking someone's site to do this is illegal and no legitimate business would promote itself like this.

What I noticed was the URL in the email..
inspiralcarpets.com/super/wp-content/themes/twentyfifteen/genericons/
Inspiral Carpets? Yup, that's the website of the Manchester rock band of the same name. Rather than a carpet shop. As this URLquery report shows, it lands on..

cash-onlines.com [172.246.233.55] (Enzu, US)

There's a familiar landing page..


Clicking the link goes to www.the-quantumcode.com hosted on 31.220.0.35 (Terratransit, Netherlands). This is some bollocks about a binary options trading robot which will apparently make you millions. Obviously this is a scam, because if it was really that easy we'd all be doing it.

One little scammy trick is a counter to tell you that loads of people are looking at the site but there are only a small number of slots available.

The numbers are completely made up. If you look at exactly the same page in another browser window, they are different.


It's hard to say if the spam was sent out by whoever runs the binary options site or an affiliate. But it's still crap either way.

Hosted on the same server are the following domains which are probably more of the same plus a load of other bollocks:



Avoid.

Monday 1 August 2016

Scam: Fanrong Europe Fund / fanrongfund.info / fanrongeuropefund.info / fanrongeuropefund.com

This spam email advertising a "too good to be true" investment is a scam:

From:    Tim Hoffman [letter@612.com]
To:    contact [contact@victimdomain.tld]
Date:    30 July 2016 at 09:26
Subject:    Fanrong Europe Fund – 1 Half 2016 return +32.69%.

Dear Sirs,

Please be informed that the Fanrong Europe Fund reported strong 1 Half 2016 with return +32.69%.

Fanrong Europe Fund is a registered hedge fund that managed by a team of stock market experts that located in Zurich, Switzerland. The Fanrong Europe Fund Strategy is Long/Short Equity. The Fund was launched in April 2014. It is open-ended hedge fund. We are open for new investors.

We welcome you to contact us through our web-site to learn more about investing with us:
www.FanrongFund.info

Kind regards,
Tim Hoffman
e-marketing manager
Fanrong Europe Fund
www.FanrongFund.info


Reply to: marketing@fanrongfund.info

If you do not want to receive this newsletter send an email to: unsubscribe@fanrongfund.info

NOTICE: Your address was obtained from open sources where you were agreed to receive the marketing information from third parties.

I have received two of these emails, coming from the IPs 188.69.207.57 and 188.69.223.168 which are both allocated to a mobile phone provider in Lithuania (UPDATE: also 188.69.223.54). The website fanrongfund.info was created just a few days ago (28th July 2016) and is registered to the following (presumably fake) registrant:

Registrant ID: JLD4030131633
Registrant Name: James Dean
Registrant Organization:
Registrant Street: Vorstadt 20
Registrant City: Zug
Registrant State/Province:
Registrant Postal Code: 6300
Registrant Country: CH
Registrant Phone: +41.417120101
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: jd767@yahoo.com


The site is hosted (apparently) in the British Virgin Islands on an IP allocated to the Public Domain Registry (PDR). It uses nameservers from Russian company AYBHOST.COM.

The website is pretty generic looking and opens with these words of wisdom:

Our main trade approach is:
"Close the position if it runs to loss, and hold it if it runs to profit".

Hans Messner
fund manager "Fanrong Europe Fund"

What next. "Buy low, sell high"? Here are some screenshots in case you see another version of this on your travels:






The "About" page carries this text:
We are the EU-domiciled investment manager with successful experience in stock trade in EU. Our professional assets managers have personal approach to trade with bear and bulls market. We use self-made investment strategy that allows getting the constant positive result in short-term horizon. All investment process is in full accordance with IIS (International Investment Standards) of Fanrong Capital (Hong Kong) (fanrongcapital.com).

Presumably this is copied off an earlier scam site; in this case there is an official warning about that particular firm.

fanrongfund.info appears to have mirrors at:

fanrongeuropefund.info
fanrongeuropefund.com

Both of these are hosted on 46.4.24.196 (Hetzner, Germany). The WHOIS details for those are inconsistent with each other.

fanrongeuropefund.info
Registrant ID: HSM1859139253
Registrant Name: Hans Messner
Registrant Organization: Fanrong Europe Fund
Registrant Street: Leutschenbachstrasse 95
Registrant City: Zurich
Registrant State/Province: Zurich
Registrant Postal Code: 8050
Registrant Country: CH
Registrant Phone: +41.445632589
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: info@fanrongeuropefund.info


fanrongeuropefund.com
Registry Registrant ID: Not Available From Registry
Registrant Name: Li Yong
Registrant Organization:
Registrant Street: Schwingerstrasse 9
Registrant City: Zurich
Registrant State/Province: Zurich
Registrant Postal Code: 8006
Registrant Country: CH
Registrant Phone: +41.442289632
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: info@fanrongeuropefund.com


For completeness, the domain fanrongcapital.com is hosted on 5.100.152.26 (the same block as fanrongfund.info) and this particular corporation seems to be using a free email address..

Registry Registrant ID: Not Available From Registry
Registrant Name: Wei Zhang
Registrant Organization: Fanrong Capital
Registrant Street: 20F, 1 Harbor View Street
Registrant City: Hong Kong
Registrant State/Province: Hong Kong
Registrant Postal Code: 111000
Registrant Country: HK
Registrant Phone: +852.58085536
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: fanrongcapital@yahoo.com


Nothing about this offer is legitimate. Avoid it, or if you have invested money in this fictitious firm then you should contact the police immediately.

Thursday 16 June 2016

Spam: Dr Happy's Terrorism Conference

Fake conferences are a pretty common scam. The criminals send out spam about serious-looking upcoming conferences that don't exist and then rip victims off for travel costs, conference fees and hotel accommodation. This spam about a fake conference about terrorism caught my eye because it comes from the amusingly named (but fake) Dr Happy Wisdom:

From:    Dr. Happy [shreyag@bajajcapital.com]
Reply-To:    "Dr. Happy" [iedhsto.officedesk@gmail.com]
Date:    15 June 2016 at 23:24
Subject:    INTERNATIONAL CONFERENCE PROGRAM 2016

Dear Sir/Madam,

 On behalf of the International Economic Development on Human Security and Terrorism Organization, I am pleased to invite you to our conference that will be held from August 15th to 19th, 2016 @ the conference place in Dallas Texas USA and August 22nd-26th 2016 @ in Dakar Senegal. The conference meeting will contain various talks and mini workshops related to the issues of Challenges to Economic Development & Human Security in our society.

The topic of the conference is "The Effect of Terrorism on Global Economy and Human Security " the sponsors of this event shall cover your round-trip air tickets from your country to the USA and from USA to Dakar Senegal back to your country and we shall also provide visa assistance with the U.S Embassy in your country of residence and your ground transportation from the airport to the conference venue. The hotel accommodation booking cost will be your own responsibility in Republic of Senegal. Please contact the conference secretariat for more information and registration for participation: [iedhsto.officedesk@gmail.com].

We look forward to your confirmed presence at the conference.
Respectfully Yours,
Dr. Happy Wisdom,
Program Assistant.

The email does actually originate from an IP address in Senegal (41.82.15.40) but then it is routed through a hacked server belonging to the domain bajajcapital.com which is a finance company in India. The compromised email account can be seen in the "From" field.

At best this scam is some sort of financial fraud. At worst, turning up to it could put your life in danger. Avoid.


Saturday 7 May 2016

WARNING: projmanagementintl.org / "Project Management International" aka Patty Patchrint and Anthony Christopher Jones

I blogged about "Project Management International" last year, an outfit running (in my personal opinion) fake or low-quality seminars, at that time using the domain projectmanagementinternational.org.

This outfit is run by Anthony Christopher Jones and Patchree "Patty" Patchrint (aka Patty Jones) from California. I've written about this outfit several times in the past five years, but it turns out that Jones and Patchrint have been running similar schemes since 2008.

In 2011 ABC15 news in Arizona investigated a previous incarnation of these schemes, named "NAPPPA"...


These Jones / Patchrint operations seem to pop up from time to time and then disappear, usually after being exposed for what they are. This latest iteration of the fake "Project Management International" organisation uses the domain projmanagementintl.org. It's a flashy-looking site, but really it is just made from a standard template.


The "Registration" page lists some prestigious universities as hosting these courses.


From what I can tell, the usual thing that happens is that at the last minute the location is changed to a nearby hotel or conference centre, and it seems that no bookings are ever made with the university. All feedback on the courses seems to indicate that they are all of very poor quality. There are numerous reports that the people hired to teach these courses are also not paid as promised.

The courses themselves are advertised through spam email (example here)

The Project Management Fundamentals Course will be offered May 25-27, 2016 at the University of Utah campus in Salt Lake City, Utah. Project management professionals, business and technology professionals, students, and educators are invited to register at the Project Management International website here.

May 25-27, 2016
Salt Lake City, Utah
8:00am - 5:00pm
The Project Management Fundamentals Course  is designed for those seeking professional project management certification. It serves as a thorough introduction to the fundamentals of project management. Those seeking additional credentials such as the PMP®/PgMP®, PMI-SP®, and PMI-RMP® will benefit from this dynamic and interactive work session, while those currently holding credentials will find the certification to be an enhancement as well as the most up to date advanced professional development.  

Project Management Fundamentals Course provides 24 hours of project management education hours for both PMI's Certified Associate in Project Management (CAPM) ® and Project Management Professional (PMP) certifications. Additionally, the Master Certification provides 24 Professional Development Units (PDUs) for current holders of PMP®/PgMP®, PMI-SP®, and PMI-RMP® credentials. Additionally, the program awards 2.4 Continuing Education Units (CEUs) upon request. 

Program Description

Our certificate program teaches technical and business professionals how to master the critical skills of project management techniques as part of their technical career development.

The skills developed in the Project Management Fundamentals Course apply to large and small projects, product design and development efforts, construction projects, IT projects, software development, and any project with critical performance, time, and budget targets.  

Our approach to project management education offers proven, results-focused learning.

Courses are developed and facilitated by professional subject experts with extensive industrial experience. Course emphasis is on providing practical skills and tools supported by relevant case examples.

Tuition

Tuition for the three-day Project Management Fundamentals Course is $595.00

Program Schedule and Content
1. Project Initiation, Costing, and Selection, Day 1
2. Project Organization and Leadership, Day 1 
3. Detailed Project Planning, Day 2 
4. Project Monitoring and Control, Day 2
5. Project Risk and Stakeholder Management, Day 3

Benefits
· A Project Management International Certificate of Accomplishment is awarded upon completion of the three day program.
· Our instructors have extensive industrial experience. They focus on providing you with practical skills and tools using relevant case examples.
· Each class is highly focused and promotes maximum interaction.
· You can network with other project management professionals from a variety of industries.
· Earn Professional Development Units (PDUs) for maintenance of certification under the PMI Continuing Certification Requirements Program.
· Applicants for PMI's Certified Associate in Project Management (CAPM)® and Project Management Professional (PMP) certifications will receive 24 project management education hours towards the requirements for eligibility.

Registration

Participants may reserve a seat online at the Project Management International website, by calling the Program Office toll-free at (888) 201-6372, or by sending their name and contact information via email to the Program Registrar.

Upon receiving your registration, a confirmation email is sent to registrants that include session site information, travel information, program description, and details on how to confirm attendance and make payment arrangements.



To unsubscribe from this mailing list, simply reply to this message and write EXCLUDE to be removed from future notices.



Contact numbers listed on the spamvertised site are:

Toll Free: (888) 201-6372
Phone: (213) 222-6855
Fax:   (855) 420-6217


If you see these telephone numbers on other seminar sites, then it will be the same operation. The site quotes a PO box as a contact address but reveals no other information about this so-called corporation.

Project Management International
PO BOX 812112
Los Angeles, California 90081


If you feel you have been scammed by this operation then I urge you to report it to the police, FBI, FTC or your local AG's Office. If you would like to share your experiences (positive or negative) then please feel free to use the Comments section below.

Friday 1 April 2016

Fake boss scams meet AI robocallers in a dangerous escalation of fraud

Many of us will be familiar with the "fake boss" scam. You're sitting at your desk when your CEO suddenly calls and asks you to transfer a large stack of currency to some shady bank account for a business transaction you are not allowed to talk about.

This type of fraud is simple and can often pay out big bucks, but it is also labour intensive. Research has to be done on companies and convincing calls have to be made to unsuspecting minions. Not only does this all take some time, but the more people involved in the scam then the more ways you have to split the booty.. and the greater the chance of getting caught.

Now, the notorious Russian gang dubbed Den Duraka by researchers have been discovered using a cunning new technique which makes this type of attack even more dangerous. Instead of relying on human beings to make the phone calls, they have now enrolled an AI-powered robocalling system which promises to be a game-changer.

Sporting the clumsy Russian acronym LOZHNYY, this is deeply integrated into LinkedIn, Facebook, Twitter and other social networks, with feeds into business directories using hacked credentials. Once it has found a CEO to impersonate, it scours the web for video and audio clips to get an idea of accents and mannerisms, and then it starts to research company filings and financial data. All of this is then combined with a wide range of pre-prepared scripts and some basic question-and-answer scenarios to make a deadly weapon in the hands of the scammers.

Some of the conversational AI features are rudimentary, and LOZHNYY sometimes resorts to buzzword-laden nonsense when out of its depth. Victims report that they were not suspicious as this seemed consistent with the behaviour of their CEOs.

Cybersecurity experts are struggling with ways to counter this new threat. At the moment their best advice is to completely ignore any communications from your CEO and indeed any C-level executive. You have been warned!

(If you hadn't spotted the clues in the Russian names above.. this is an April Fools joke)


Wednesday 16 December 2015

Domain registration scam: cn-registry.net / "Huabao Ltd"

This type of Chinese domain registration scam has been around for years.

From:    Jim Gong [jim.gong@cnregistry.net]
Date:    15 December 2015 at 13:40
Subject:    "petroldirect"

Dear CEO,

(If you are not the person who is in charge of this, please forward this to your CEO, because this is urgent, Thanks)

We are a Network Service Company which is the domain name registration center in Shanghai, China.

We received an application from Huabao Ltd on December 14, 2015. They want to register " petroldirect " as their Internet Keyword and " petroldirect .cn "、" petroldirect .com.cn " 、" petroldirect .net.cn "、" petroldirect .org.cn " 、" petroldirect .asia " domain names etc.., they are in China and Asia domain names. But after checking it, we find " petroldirect " conflicts with your company. In order to deal with this matter better, so we send you email and confirm whether this company is your distributor or business partner in China or not?

 
Best Regards,
  Jim
General Manager 
Shanghai Office (Head Office)
3008, Jiulong Building, No. 836 Nandan Road,
Shanghai, China
Tel: +86 216191 8696
Mobile: +86 1870199 4951
Fax: +86 216191 8697
Web: www.cn-registry.net

In fact, there is no Huabao Ltd - it's just a made-up name that the scammers use to try to persuade you into buying some overpriced and worthless domains. Nobody is interested in buying these domains, and no domain registrar would contact you before registration in any case as it is not the responsibility of the registrar to do so*.

I certainly don't recommend forwarding this to your CEO, as many CEOs will not understand the scam and may fall for it. If you do forward it, make sure that you point out that this is a scam.

This scam has been around for so long, that I even made a video about it..


The following domains are all variations of the same rogue Chinese registrar:



* except in specific and limited circumstances (e.g sunrise applications) that do not apply here.


Monday 2 November 2015

Scam: "European Trademark Publication" / "ETP" / "etp-publication.com"

A little while ago I registered a trademark. I was a bit surprised to see a small flurry of scammers following that up (by snail mail), sending me what to all intents and purposes are fake invoices. Here is one of them.

In the greyed-out text at the bottom, you can just about read the bit where they give the game away..


Basically, this "ETP" outfit is saying.. send us £930 for no reason at all. Avoid.