Sponsored by..

Wednesday, 16 June 2010

"OFFICIAL WARNING FROM FBI" scam

An old scam, pretty much the flipside of the usual Advanced Fee Fraud. This one preys upon innocent victims by accusing them of money laundering, but the details don't pan out. Quite apart from the ridiculous proposition and free email addresses used, phrases like "shady", "waded in", "graft" and exclamation marks are something you would never expect to see in an official communication from law enforcement. Besides, I really don't think that the FBI email you if they suspect you are up to terrorist activities..

From: Anti Graft.
Reply-to: antiterrorist.crimesdiv.2010@megafastmail.com
date    16 June 2010 09:37
subject    OFFICIAL WARNING FROM FBI.

ANTI-TERRORIST AND MONETARY CRIMES DIVISION
FBI HEADQUARTERS IN WASHINGTON, D.C.
Federal Bureau Of Investigation.
FBI-Washington Field Office
601 4th Street, NW
Washington, DC 20535
Website: www.fbi.gov
Phone: 202-595-1344

DATE:15/06/2010

It has been discovered that your contract/inheritance/winning FUND was about being transferred to an unknown account under your name. This attempt was perpetrated by someone who claims to be working for you, and that you have given him due authority to have the FUND moved to the account specified below:

SOUTHWESTERN FEDERAL CREDIT UNION
WESCORP 924 OVERLAND COURT
SAN DIMAS, CA 91772. USA.
ACCOUNT NUMBER: 322079133
ABA/ROUTING NUMBER: 1220-41-21-9
SHARETYPE NO.: 25
FINAL CREDIT  HABIB FENZI AND CO. (Beneficiary).

The Federal Bureau of Investigation (F.B.I.) waded in after being alerted by the supposed bank. We investigated and found that there is a possible money laundering activity in play.The FUND US$10,500,000.00(Ten Million Five Hundred Thousand United States Dollars) was found to be deposited in Bank of America in your name pending your consent to have it transferred to the new account indicated above. It was further revealed that initial FUND transfer originated from Nigeria to England and now here in Bank of America in USA.

These transfers did not follow due process in line with the international FUND transfer rules and regulation.Consequently,we suspect this be a terrorism funding, drug related fund deposit and/or money laundering. As stated above, the FUND has your name on it; and you must have it cleared of any connection with any of these illegal activities.Be informed that FAILURE to have this cleared out will attract a JAIL TERM.We will not hesitate to visit the full weight of the law upon you if you do not clear this fund.There is every indication that you are involved in this shady deal.

Finally, you are expected to have the CLEARANCE DOCUMENT obtain from where the FUND originated from to have you and your fund cleared. Only then shall we release your FUND as clean money devoid of any illegality, and you will be free of any involvement. To this end, you are to contact Mr. Peter Anderson of the Anti Graft Department of Economic and Financial Crimes Commission (E.F.C.C.) Nigeria and have the DIPLOMATIC IMMUNITY SEAL of TRANSFER (DIST) CLEARANCE DOCUMENT obtained. Contact him through this direct email address:efccantigraft.nigeria@megafastmail.com,Direct Line:+234 8028493286 Note that you have 72hrs to obtain this crucial Documentation.

This has to be cleared!

You are warned!

Faithfully Yours
Robert S. Mueller III
FBI Director
Federal Bureau Of Investigation.
FBI-Washington Field Office
601 4th Street, NW
Washington, DC 20535
www.fbi.gov

Tuesday, 15 June 2010

west-vacancy.com scam

This email from a wholly fake company called west-vacancy.com is really recruiting for a money laundering job or something very similar. The domain itself was registered just a few days ago to a no-doubt fake registrant. Mail is handled by Google, there is no website but in this case the email originated from 188.16.123.52 in Russia.

Date: 15 June 2010 12:32
Subject: vacancy number 358

I introduce a large multinational enterprise the co-worker of the HR department of which I am. Our company has been working in different fields, such as:
- companies setting-up
- companies winding-up
- opening accounts in Europe
- etc.

We need employees in Europe:
- salary 2.400 euro + bonus
- 1 - 2 working hours per day
- free timetable

If you are interested in this job, please, send us your contact information: Cornell@west-vacancy.com
Name:
Surname:
Country:
E-mail:
Mobile phone-number:

Be informed! Candidates from Europe are needed only

Please, write your Telephone Number and our manager will contact you to conduct an interview.
For what it is worth, these are the registrant details of the fake domain:

Domain name: west-vacancy.com

Name servers:
    ns1.nameself.com
    ns2.nameself.com


Registrant:
    Aleksandr Lapatau
    Email: lapatasker@earthling.net
    Organization: Private person
    Address: Lenina, 34, 8
    City: Minsk
    State: Minskaya
    ZIP: 456123
    Country: BY

Monday, 14 June 2010

Terminally confused 419er

This is just a straight advanced fee fraud scam, but the scammer seems to want to through in the names of Yahoo, Nokia AND Microsoft into the same fraudulent pitch. Just to add overkill, it's from a "Reverend" too, which a bunch of email addresses which are frankly all over the shop. Oh yes, the originating IP is Argentina of all places.

From: CONGRATULATION FROM YAHOO COMPANY THAILAND <lotto_officethai2@btinternet.com>
Reply-to: revralphdelahay@w.cn
Date: 14 June 2010 13:28
Subject: CONGRATULATION FROM YAHOO COMPANY THAILAND
   
Microsoft Award Team.
 ADDRESS: NOKIA THAILAND OFFICE
 105/33 BANGKOK THAI TWR.,
 108 SIAM ROAD.,
 BANGKOK, 10400,
 KINGDOM OF THAILAND.
 Batch: 12/25/0340


 Dear Winner


 This is to inform you that you have won a prize money of $2,000,000,00 (Two Million United state dollars) for the Edition 2010 Lottery promotion which is organized by YAHOO  LOTTERY INC & WINDOWS LIVE.YAHOO & MICROSOFT WINDOWS, collects all the email addresses of people that are active online, among the millions that subscribed to Yahoo and Hotmail we only select ten people every Month as our winners through electronic balloting System without the winner applying, we Congratulate you for being one of the people selected.

 PAYMENT OF PRIZE AND CLAIM


 You are to contact your Claims Agent with immediate effect to facilitate the protocol of your winning prize before the expiry date of Claim; Winners shall be paid in accordance with his/her Settlement Centre. Prize must be claimed not later than 15 days from date of Draw Notification after the Draw date in which Prize has won. Any prize not claimed within this period will be forfeited. These are your identification numbers:

 Batch number....................12/25/0340
 Ref number.......................Ref: MSN-L/200-26937
 Winning number...................YM09788


 You are therefore advised to send the following information to  to this office so that we facilitate the claims of your prize to you.


 1. Full name.............
 2. Country..............
 3. Contact Address........
 4. Telephone Number.....
 5. Marital Status........
 6. Occupation.............
 7. Company...............
 8. Age.....................


 Please Note:
 Your Lottery Prize must be claimed not later than 15 days from date of Draw Notification after the Draw date in which Prize has won. Any prize not claimed within this period will be forfeited.

 Congratulations!! Once again.

 Yours in service,
 REV.RALPH DELAHAY
 (Operation Manager)
 Yahoo International Promotion Center

 Email: thailand.lotto@yahoo.com
 Bangkok 10400
 Kingdom of Thailand





Phishtank FAIL: hsbcnet.com / hsbc.net

hsbcnet.com is a valid and legitimate website belonging to HSBC. Traffic is redirected to this site from hsbc.net. The site itself is hosted on AS26381 63.111.163.110 which is delegated to an HSBC subsiduary called Household International from Verizon. The hsbcnet.com  was registered in 1998 to a registrant with an hsbc.com web address:

Registrant:
HSBC
   One HSBC Center
   Floor 21 - HTS eBusiness
   Buffalo, NY 14203
   US

   Domain Name: HSBCNET.COM

   Administrative Contact, Technical Contact:
      Fischer, Chuck  charles.fischer -at- us.hsbc.com
      HSBC Bank USA
      One HSBC Bank
      eBusiness, 21st Floor
      Buffalo,, NY 14203
      US
      (716) 841-2075 fax: (716) 841-5022


   Record expires on 04-Dec-2010.
   Record created on 04-Dec-1998.
   Database last updated on 14-Jun-2010 04:41:11 EDT.

   Domain servers in listed order:

   NS3.HSBC.COM                
   NS4.HSBC.COM       
         

It's clearly not a phishing site, and yet Phishtank say that it is.


Now, Phishtank does just allow any old user to mark a site as phishing. In this case, the site was submitted by a user called dvk01  and then verified by SEVEN other people as a phish - stuartgrant knack NotBuyingIt cybercrime marcoadfox Aminof theGeezer - although some people have said that it isn't. As a result of this faulty groupthink, 71% of reports say that this legitimate site is a phish.

This false positive has now filtered down to OpenDNS and a number of other blocking services (e.g. Sophos) that are now erroneously blocking access to HSBC.

Don't get me wrong, Phishtank and other similar service can be very useful. But in this case it shows that Phishtank's verification process really doesn't work.. as any actual examination of the web site in question would surely identify is as legitimate.

Wednesday, 2 June 2010

"llona Timofeeva" scam

There are probably lots of people called llona Timofeeva who are perfectly trustworthy, but this job offer from a "llona Timofeeva" is not.. and it is almost definitely a made up name. So if you are llona Timofeeva, then this is probably not about you.

From: Illona Timofeeva
Date: 2 June 2010 20:04
Subject: Part-time job

My name is Illona Timofeeva, I am Director of an EastEuropean humane society S_O_S.
We have organized an animal shelter providing veterinary services, management and sterilization.
A lot of our pets have been adopted and taken care of. But now we are facing difficulties
with acceptance of donations and contributions for our shelter in your region,
that is why we are looking for a manager of our corporate account in UK.
This is a part-time job offer which would not interfere with your day job.
You may earn as much as P3,000 per month or more. In case you are interested in this offer,
we look forward to receiving your CV or brief information about yourself to our email HumaneSociety_sos@lavabit.com    
We shall write you back as soon as possible and state the terms of this job offer.

Sincerely yours,
Illona Timofeeva
Director
SOSHumane Society
What is it? Well, it's a straightforward money laundering scam using the hook of cute, fluffy and defenceless animals to get you interested. Avoid.

Tuesday, 1 June 2010

Another spam using BonBon.net for replies

There have been a stack of fake job offers soliciting replies to a BonBon.net email address lately. These emails don't actually come from BonBon.net, but they are seeking a reply to a mailbox using that domain.

I was unfamiliar with this mail service, but a bit of research shows that it belongs to HotPOP who have been around since 1998 and have a pretty good anti-spam policy and seem to be a pretty decent bunch.. so my advice is that if you get a spam trying to get you to reply to BonBon.net then forward a copy to abuse -at - hotpop.com.

From: Emilio Richardson
Date: 1 June 2010 02:40
Subject: Vacancy
   
Req'd Education: High School
Citizenship or Work-Visa: YES
Base Pay: 72,000/year
Employee Type: Part-Time/Home-Based
Bonus: Yes

Description:

If you want to work in a strong developing team, in which you can feel like in your family, this  position is for you! Our company is looking for local customer service managers. You will have good career opportunities and will enjoy friendly working atmosphere of our team.

Requirements:
High School required. PC and Internet, MS Office or compatible. Must have strong writing and communication skills.

To Apply:
Forward your contact details back ONLY to our e-mail:  manager03ltd@BonBon.net

 and wait for response next 24h - 48h. Resume-containing only.
This really is just another Money Mule operation or similar, avoid at all costs.

Tuesday, 25 May 2010

job4-us.com fake job offer

Run by the same crew as this scam, this fake job offer is a "money mule" operation laundering stolen funds, under the guise of payment processor for a car sales company. The entire job4-us.com domain is fake, any email purporting to be from that address are bogus.

Date: 25 May 2010 11:22
Subject: A car store is looking for remote employees. (US)

My name is Lisa and our company is looking to fulfill several part time positions in your region. We are one of the largest internet solutions resellers on the market and are looking to build strong support team in United States to provide the best Customer Care.

Title of the current position available is “Payment Processing Assistant” and we have seven openings.

An ideal applicant for this position must meet the following requirements:
* At least 22 years of age
* Resident of United States of America
* Very observant and able to focus on details
* Patient
* Trustworthy
* Practical
* Loves to learn
* Explains well in writing
* Handles deadlines
* Bank account
* Full internet access (at home or at work)

Benefits:
* 50% of the monthly cell phone bill is covered by the company
* Monthly salary starting at $2000(after a month evaluation period)
* 5% commission for every processed transfer
* Banking, Western Union and Money Gram fees is be covered by the company

If you are interested please reply to: Kaitlin@job4-us.com

As before, the site is hosted on 195.206.246.210 in Moldova, on the same server as europjob.com, with the same registrant details which are probably fake:

Registrant:
Maksim Rodkin
Email: roddsn@post.com
Organization: Private person
Address: Miichurinskij prospekt, d.10-2, kv. 144
City: Moskva
State: Moskovskaya
ZIP: 178234
Country: RU
Phone: +7.4956783214

Evil Network: Maximus Hosting Services, Bosnia 77.78.239.0 - 77.78.240.255

A bunch of sites in the IP range 77.78.239.0 - 77.78.240.255 look all evil and appear to be serving up bad PDFs and other nastiness. IPs are allocated to Maximus Hosting Services, Bosnia and honestly I cannot see a single domain that looks legitimate.. I would suggest that you block the entire range.

1iii.org
2iii.org
Poteriapoter.com
Dwnld0020.com
Hyporesist.com
Newsbosnia.org
Search-static.org
Spmfb2299.com
Spmfb3309.com
Crowledarmor.com
Statxonline.com
Xsbot.net
Exfxreporting.com
Planopetroleumteam.com
Acunetxweb.net
Macuysinstall.net
1-aa.com
Caucasus-a.com
Pa-2.net
G000ggle.com
Zettapetta.net
Google-server14.info
Top-teen-porn.info
Google-server11.info
Kalashmalash.org
Ruslan7777.com
Bazavaza233.net
Shalalopdns.com
Vstils.ru
Tygolev.com
Hostingpanelavg.com
Homesiteuk.com
Vk-socks.net
Lrstat.com
Statistics-of-world.org
Eu-analytics.com

Wednesday, 19 May 2010

"Re: Intercepted Over Due Fund Transfer!!!" scam

This isn't the first time that we've seen a scam email pretending to be from the UN, but they are often slightly amusing in their pitch. The idea here is that the scammers are targeting people who have already been ripped off with the promise of compensation. Presumably the success rate with this approach makes it worth doing.

Unsurprisingly, the telephone number listed is in Nigeria. Avoid.
From: United Nations <info@un.org>
Reply-to: cenbankng@ml1.net
Date: 19 May 2010 02:40
Subject: Re: Intercepted Over Due Fund Transfer!!!

United Nations

Palais des Nations,

1211 Geneva 10,

Switzerland

Subject: Re: Intercepted Over Due Fund Transfer

Attention: Beneficiary,

In the last meeting between the United Nations OCHA and UNDP hold Copenhagen, 19 Febraury 2010-After a marathon all night session, talks aimed at injecting new and more wide-ranging momentum into the international effort to combat climate change, global recession and scam  ended with a positive outcome.

The United Nations and U.S department for Homeland security has meet with delegate from Africa, Asia, Australia, Antarctica, North America, South America  and Europe has agreed to Pay scam victims around the world the sum $10.8Million USD as compensation so the money could be use to combat unemployment and help people like you make the world a better place. The United States Department of Homeland Security (DHS), with the help of the FBI and Interpol Has screened through various Monitoring Networks and has been confirmed and notified that the transaction is Legal and you have the Lawful Right to claim your due fund.

To effect and carry out the directives given, you are advised to contact Dr David Wills

Dr David Wills.

International Claims Officer

Telephone: +234 8039393143

E-Mail: cenbankng@ml1.net

You have been instructed on what to do next you are strictly advice to follow his instruction so as to follow into the hands of fraudster,

Yours Faithfully,

Yvette Morris (UN)
Public Relation officer

Tuesday, 18 May 2010

europjob.com fake job offer

This fake job offer comes with a Moldovan and Russian connection.

Date: 18 May 2010 20:52
Subject: good day!
   
International Real Estate Consulting Company seeking local representation


Countries of interest: Austria, Belgium, Bulgaria, Hungary ,Greece, Denmark, Ireland, Cyprus, Lithuania, France, Sweden
Luxembourg, Malta, Netherlands, Poland, Slovakia, Slovenia, Portugal, Romania, Finland, Czech, Estonia

Tasks of the representation to consist of liaison and intermediation in financial transactions.

Good and prolonged relations history with local financial institutions is strongly recommended
(references will be asked).

If you would like to be a regional manager in Europe send us your contact information: Full name:
Country:
City:
E-mail:
Telephone Number:

Our contacts: Denver@europjob.com
The europjob.com domain was registered just yesterday and is hosted on 195.206.246.210 at Starnet in Moldova. The WHOIS details show the infamous "Private Person" as a registrant with an email address frequently connected with scams.

Registrant:
    Maksim Rodkin
    Email: roddsn@post.com
    Organization: Private person
    Address: Miichurinskij prospekt, d.10-2, kv. 144
    City: Moskva
    State: Moskovskaya
    ZIP: 178234
    Country: RU
    Phone: +7.4956783214

It's not clear what the job is, probably money laundering or some other criminal back office service. Avoid.

Fake "NetTemps Inc" domains

These domains and IPs seem to be associated with this company masquerading as "Net Temps Inc" (there are legitimate companies with a very similar name though), you can see examples of the scam email being used here and here.

82.243.193.235- Proxad, France
nettms.eu
nextspend.biz

95.64.133.205 - MultyKabelnie Seti Balashihi, Russia
nettms.net
nettps.net
eddpiii.com.pl

74.63.228.139 - Limestone Networks, Texas
ns1.loopcool.net
ns1.seerdanee.com

87.117.245.9 - JSHosts, UK
lokiou.eu
ns1.globalistory.net
ns1.hourscanine.com
ns1.limeteablack.net
ns1.skcstaff.com
ns1.skcstaffing.com
ns1.socialworc.net

204.12.229.89 - Hosting Ventures LLC, USA [Mostly suspended, some now deleted]
mx.nettempsin.co.uk
mx.nettms.net
ns1.availname.net
ns1.disksilver.net
ns1.girlfrendsboy.com
ns1.nodefront.net
ns1.pdsproperties.net
ns1.sorbauto.com
ns1.whiskybrend.net
availname.net
ddeasaeq.vc
edfa4.com.vc
edfa7.com.vc
efasqca.com.pl
ewasza.co.uk
ewasze.co.uk
ewasze.me.uk
ewaszi.co.uk
ewaszu.co.uk
girlfrendsboy.com
iurseda.com.vc
nodefront.net
pdsproperties.net
sorbauto.com
whiskybrend.net

79.170.40.4 - Heart Internet, UK
netpts.org
nettes.org


77.25.179.23 - Vodafone, Germany
ns2.loopcool.net
ns2.rakusolutions.com

Fast Flux (IP varies)
nettempsin.co.uk

Registered but no website
hourscanine.com
juverds.info
skcstaffing.com

Suspended / On hold
nttempinc.com
santroperz.net
assewya.co.uk
limeteablack.net
skcstaff.com

Monday, 17 May 2010

Nettms.net / Nettps.net "NetTemps Inc" scam

This fraudulent job offer solicits replies to an email address of cv@nettms.net  and it pretends to be from "NetTemps Inc". There is a legitimate firm in the US of a similar name, but this job offer is not from them.

Subject: part-time job in Europe
Date: Mon, 17 May 2010 16:05:37 +0100

Looking for a job? My name is Juliette Barnes, I am a recruiting manager of NetTemps Inc, a recruiting agency for direct-hire, contract, and freelance professionals within various professions.  
      
Today I would like introduce some part-time and virtual office vacancies in the spheres of Advertising, Education, Engineering, Finance, Health care, Information technology, Media, Real estate and Transportation.  
    
If you are interested to learn more about the jobs offered, please get back to me, providing your name and contact number. 
    
We are eager to help you find a better job and improve your career!
      
If you have questions, please do not hesitate to e-mail me on:  
      
c v @ n e t t m s . n e t      [please delete spaces in the email address before sending it to us]  
 
Yours sincerely,   
Juliette Barnes 
NetTemps Inc  
It's the same scam as this one, but in this case the back-end servers are different.. the mailed replies go to 204.12.229.89 [Hosting Ventures LLC, US] with a web site hosted at 95.64.133.205 in Russia along with another similar domain of Nettps.net.

Anyway, this job offer is probably laundering stolen money or some other criminal activity and should be avoided at all costs.

Friday, 14 May 2010

"Delivery LCI" job scam

This is a fraudulent job offer, which appears to be a reshipping scam and possibly some other "back office" functions for organised criminals. The is no company registered in the UK called Delivery LCI or LCI Delivery.

From: Timmy Bliss
Date: 14 May 2010 01:49
Subject: Job opening

Hello,

I'm Mary, writing on behalf of Delivery LCI about your job
search, would like to invite you to learn more about the job
opportunity that we are offering right now for people like you.
First of all you need no prior experience, but we will provide all
necessary training when you will join us.

Now let's take a look at what Delivery LCI offers you:


Shipping Regional Manager

 Requirements:
 - Resident of the United States;
 - Fluent English;
 - Basic knowledge of Microsoft Word and Microsoft Excel;
 - Home Computer with e-mail account and ability to check your e-mail
 box at least twice a day
 - Adults only accepted (we cannot hire underage people)


 Job description:

 - Receive correspondence from our company and its clients at his/her
 residential address;
 - Report to our manager (every candidate will be included in a
 manager's lists)
 - Forward received items according to instructions of our manager
 - Fill in the forms and papers as indicated in our manager's
 instructions (you will receive an e-mail with instructions for each
box).
 - Ship packages out


 Personal qualities:
- honesty
- decency
- sociability
- ability to work in team


 Salary
 - 30$ per package processed for trial period 1 month
 - 50$ per package processed \ by the end of trial period\
 - The salary is credited to your account once a month


 If you are interested in our position, reply back to us
 with your short resume at:

 KathrynKnowlton@BonBon.net

Thank you for reading.

+44.20 3286 9579 

Despite there being no company of this name in the UK, there are two probably related websites of deliverylci.com and lcidelivery.com. At the moment, only deliverylci.com is running, registered to a fake address in the US:


Registrant:
    Dennis  Oneal
    Email: support@deliverylci.com
    Organization: Delivery LCI 
    Address: 1938 Woodland Terrace
    City: Orangevale
    State: CA
    ZIP: 95662
    Country: US
    Phone: +1.9169879747 
    Fax: +1.9169879747

but claiming to be based in the UK from their website:

Your calls are received by the phone: +44.20 3286 9579

E-mail: lcidelivery@lcidelivery.com

Our Office:

5 NORTH STREET, HAILSHAM, EAST SUSSEX, BN27 1DQ, United Kingdom
5 North Street, Hailsham does exist and is the office of a firm of accountants, there are many companies registered at this address. The telephone number is a London one though, not one for Hailsham.

Digging further shows that the deliverylci.com website is hosted at  89.248.162.136 [Ecatel, Netherlands]. The following sites are hosted on the same server:

  • Dealcomltd.com
  • Deliverylci.com
  • Idealogisticservices.com
  • Todaylogisticservices.com
89.248.162.136 is also a nameserver for other domains:

  • ns1.taxreturnsworld.com
  • ns1.worldtaxreturns.com
  • ns2.itadvancedservices.com   
  • s1.oilhost.eu
The domain taxreturnsworld.com was recently mentioned by Brian Krebs as being part of a particularly sophisticated job scam. So, it seems likely that all these domains and so-called companies are bogus and should be avoided.

Thursday, 13 May 2010

Dating scam: "I will be glad to get to know you"

There have been quite a few dating scams soliciting replies to BonBon.net lately, and coming with an attached photo. This one is meant to be "Anete".. what do you mean, you don't remember Anete? Anyway, it's probaly some fat sweaty Russian bloke trying to part you from your cash, so avoid this one.

Subject: I will be glad to get to know you

Hello! How are you? I hope you are ok. I am Anete.
You remember, we have got acquainted with you at dating site?
You have given me your email and today I write to you.
I think, now we can begin our acquaintance. I will be glad! Hope you too.
I am 30 years old. I want to find the man and to create serious relationship.
I want, that you have answered me if you still want to know me.
I send you my photos, and I want, that you do the same.
I will be glad to get to know you more close.

Please reply only to my personal e-mail:  utinanete@BonBon.net

I look forward your answer. With the best regards, Anete...

Monday, 10 May 2010

Evil network: Sagade Ltd / ATECH-SAGADE

There's been an awful lot of badness from Latvia recently, with several fake AV apps and other Very Bad Things hosted in the range 91.188.59.0 - 91.188.59.255, which appears to be a wholly bad subnet of pure evil. It looks like a similar setup to Real Host Ltd which was shut down last year.

inetnum: 91.188.59.0 - 91.188.59.255
netname: ATECH-SAGADE
descr: Sagade Ltd.
descr: Latvia, Rezekne, Darzu 21
descr: +371 20034981
remarks: abuse-mailbox: piotrek89@gmail.com
country: LV
admin-c: JS1449-RIPE
tech-c: JS1449-RIPE
status: ASSIGNED PA
mnt-by: AS6851-MNT
source: RIPE # Filtered

person: Juris Sahurovs
remarks: Sagade Ltd.
address: Latvia, Rezekne, Darzu 21
phone: +371 20034981
abuse-mailbox: piotrek89@gmail.com
nic-hdl: JS1449-RIPE
mnt-by: ATECH-MNT
source: RIPE # Filtered

% Information related to '91.188.32.0/19AS6851'

route: 91.188.32.0/19
descr: BKCNET Autonomous System
descr: IZZI SIA
descr: Ieriku 67a, Riga, LATVIA
origin: AS6851
mnt-by: AS6851-MNT
source: RIPE # Filtered

All these websites appear to be malicious, I cannot find a single site that I can identify as being legitimate. Most have obviously fake WHOIS details too. I would recommend blocking access to the whole IP block.

1zabslwvn538n4i5tcjl.com
Urodinam.net
A-fast.com
00g00.ru
Odnotraxniki.ru
Td0.ru
Kerrimckeetq.info
Maiamaribeihlv.info
Marguriiexyhamlin.info
Privatetechnology.biz
Syscodec.com
Systemcodec.net
Traffcash.biz
Kimirleonarda.info
Nitrosearch.info
Fastglobosearch.com
Likinto.com
Mcml1.com
Trol0l0.com
Mokato.com
Ziko.in
Viasot.com
Billsolutions.net
Fastsecurebilling.com
Fast-payments.com
Easypayments-online.com
Billingonline.net
Lotise.com
Manytis.com
Membernameserver.com
Ossarix.com
Soterpo.com
Stepil.com
Winepsy.com
Zingis.com
Bombastats.com
Pornowars.info
Superspuperporn.com
Pornopeace.info
Smackmybitch.info
Belleplaceurl.com
Christophecoinurl.com
Coinurlredirect.com
Coinurlredirection.com
Endroiturlredirect.com
Glossipfd.com
Goldcoinurl.com
Gork.in
Gulk.in
Hnarmettis.com
Hotelplaceurl.com
Lieuurlredirect.com
Mnuyetsgrr.com
My654bestsite.com
Nuvolokijj.com
Parkplaceurl.com
Polk.in
Rozg.in
Samk.in
Sekmoon.net
Silvercoinurl.com
Sumk.in
Vvven.in
Worldplaceurl.com
Zoid.in
Smackbybitch.com
Videosite1.com
Beeape.com
Supercrazynight.com
Supersporns.com
Sys-force.ru
Firsttunesclub.in
Viiistifor1.com
Visiocarii1l.net
Skachivay.com
Allforyouplus.net
Hotfilesfordownload.com
Allforil1i.com
Alltubeforfree.com
Allxtubevids.net
Freeanalsextubemovies.com
Freetube06.com
Freeviewgogo.com
Homeamateurclips.com
Hotxtube.in
Hotxxxtubevideo.com
Iil10oil0.com
Ilio01ili1.com
Illinoli1l.in
Porn-tube-video.com
Porntube2000.com
Porntubefast.com
Viewnowfast.com
Viewxxxfreegall.net
Xhuilil1ii.com
Yourbestway.cn
Youvideoxxx.com
Cern-a.com
Xbasex.com
Rowfirst.com
Autouploaders.net
Poafirst.com
Rodfirst.com
Solaruploader.com
Noafirst.com
My-best-web.com
Pakwer.com
Kdjkfjskdfjlskdjf.com
Stablednsstuff.com
Oklahomacitycom.com

Thursday, 6 May 2010

"I live in a city under name Kirov"

Unlike some other dating scam emails promoting very young women, this particular one claims to be from a 37-year-old economist, which I guess might say something about their target audience. In reality, "Mariya" is probably a fat sweaty male Russian who is trying to scam you out of some money.

Date: 6 May 2010 09:44
Subject: I live in a city under name Kirov

Hello my the surprised Friend!

I understand, that you are surprised now, when this letter has arrived to you. BUT I ASK YOU TO SPEND 5 MINUTES, your time and have read it up to the end then probably it will change your and my life. At first I wish to tell a little about myself. My name is Mariya. To me of 37 years. I live in a city under name Kirov, it is a small city in northern part of Russia. I not married and never was. I also do not have children. I have left school then has finished institute on a
trade of "economist". If it is interesting to you I will necessarily tell about it, but now not in it the purpose dear friend. Recently, I watched TV and saw, that in Russia there are 35000000
women who live without men, and there are such agencies of marriage which have many electronic addresses, and such agency can help to find for women the suitable man. I have gone to one of such agencies, and have addressed to them with inquiry that they have found for me the
good man. They have informed at once me, that in Russia I should search for the good and decent man very long time. Then they have offered me acquaintance to the man from other country, on what I have looked from a positive side. As I know, that at us in the country of the man, do not appreciate women, is possible because women several times more.

In general, I have agreed to strike up acquaintance to the man from other country, and they have given me your electronic address. Having told that you the lonely fair and decent man who searches for the woman for creation of relations. Then I took your electronic address and have gone to the cafe Internet to write you the letter. Here now you can my letter see. I have written you it with hope, that you will answer to me. I have inserted one my photo that you could see, my appearance and to solve for you directly completely, you will like to begin dialogue and relations with me or not. Only I ask, concern my letter seriously, look my photo, the letter, think and solve, precisely you would like to have the correspondence with me? I do not wish to be the friend, it is not necessary, I am ready to serious relations. It is very necessary to love, give my love to the MAN and family creation. If you really wish to have serious relations with me
write to me. If you do not want to have a relationship with me, just do not respond to my letter, I can understand everything myself. And nevertheless, I wish to tell to you, that my photo is made not professionally, but you see me, such what I in a life. And you can precisely define such woman as I am necessary for you or not. Very big inquiry as wanted if you however interested in me write to me about your e-mail where we can speak with you and small good photos you. Like everything, that I wished to tell you, and now I only need to wait from you for the answer, and I hope you write to me. If I was not pleasant to you, or serious relations are not necessary for you then do not write me anything, I will understand!

I hope your new friend, I hope that I can become for you friend Mariya!

You can send your letter and photo to this email address: mashalovers@BonBon.net

The lonely woman from Russia Mariya.

Saturday, 1 May 2010

Scam: "The big prospects for intelligent people from England and other regions"

Another money mule scam dressed up as a job offer from an estate agents. The estate agent pitch seems popular at the moment, having come up recently here and here.

From: Heather Crum
Date: 1 May 2010 01:31
Subject: The big prospects for intelligent people from England and other regions

I am HR manager in international real estate agency.

Your electronic address is taken from base of people who are searching for the job. We have the job offer for you. If it is an error and you aren’t searching for the job or you aren’t interested in additional earnings, please ignore this message. We apologize for spent time.

If you are interested in this offer, you need to address to e-mail: Schiavone.Basso@HotPOP.com

The basic direction of our company: The search of clients and partners. Sale, resale and rent of the elite real estate and the industrial areas.

Required qualities for the post:

Practical knowledge of the program “Microsoft Office Word”.
Ability to communicate, intelligence.
Experience in commercial activity is welcomed.
The knowledge of the Italian language and of other languages is welcomed.

The minimum salary is 2000 euro. Frequently the monthly income exceeds 10.000 euro. It all depends on intelligence of the Agent and on his desire and ability to work to his full extent.

For the additional information can refer to the electronic address which is specified above.
Yours faithfully, on behalf of all employees “Europe Real Estate”.

Friday, 30 April 2010

What is this I don’t even

Seriously, no.

Why doesn't Windows include native PDF reader support?

F-Secure asks: Why doesn't Windows include native PDF reader support? Perhaps it's time for Microsoft to act in character and help kill off Acrobat Reader for good.

"I am looking for the second half"

A straightforward dating scam email, but one notable for including a picture of a pretty Russian girl, which most spammers don't bother with. In any case, if you respond to "Natalia" (who is probably note even a woman in real life) then you'll soon find that she has unexpected "expenses" that will require you to send money..


Subject: I am looking for the second half

HELLO!!! My name is Natalia! I live in Russia, dating site, I am looking for the second half. I want to find true love, I loved your profile, I would like to continue with you dialogue.

If you do not mind to write me an e-mail: mamaevanatalia20@HotPOP.com

I am very tired of being single. I really want to build a serious relationship. I'll be glad to communicate ..... Natalia



Tuesday, 27 April 2010

I have a bad feeling about Donald Trump..

I have a bad feeling about Donald Trump.. one day he might become president.

Friday, 23 April 2010

"Twitter Support" phish

This phish claims to be from Twitter, but it actually redirects to a fake site at adcopy.awbweb.com/differential.html hosted on 216.81.74.9 which appears to be a legitimate site that has been hijacked.

From: Twitter Support <support@twitter.com;>
Subject: Undelivered Message 52-629

Hi,

You have 1 unread message(s)
http://twitter.com/account/message/0C5B9-C2FEF

The Twitter Team

Please do not reply to this message; it was sent from an unmonitored email address. This message is a service email related to your use of Twitter. For general inquiries or to request support with your Twitter account, please visit us at Twitter Support.

Wednesday, 21 April 2010

nettempsin.co.uk / NetTemps Inc scam

There are probably plenty of legitimate companies with names like "NetTemps Inc", but this money mule scam email soliciting replies to nettempsin.co.uk is not from one of them.

From: "Polly Richardson"
Subject: representatives wanted

Looking for a job? My name is Juliette Barnes, I am a recruiting manager of NetTemps Inc, a recruiting agency for direct-hire, contract, and freelance professionals within various professions.

Today I would like introduce some part-time and virtual office vacancies in the spheres of Advertising, Education, Engineering, Finance, Health care, Information technology, Media, Real estate and Transportation.

If you are interested to learn more about the jobs offered, please get back to me, providing your name and contact number.

We are eager to help you find a better job and improve your career!

If you have questions, please do not hesitate to e-mail me on:

c v @ n e t t e m p s i n . c o . u k [please delete spaces in the email address before sending it to us]

Yours sincerely,
Juliette Barnes
NetTemps Inc


==================================

Unusually, the mail server that deals with replies is multihomed:
  • 79.125.134.191 [ADSL subscriber, Macedonia]
  • 91.41.145.247 [Deutsche Telekom dial-up subscriber, Germany]
  • 83.132.68.62 [TVCABO cable modem, Portugal]
  • 87.116.150.117 [Broadband customer, Serbia]
  • 186.137.3.195 [Cablevision customer, Argentina]
Nameservers are ns1.santroperz.net (domain suspended by registrar for fraud) and ns1.seerdanee.com hosted on 204.12.237.52 at WholeSale Internet, Inc. in Kansas City.

In any case, this is just a Money Mule scam and it should be avoided.

Tuesday, 20 April 2010

martin-argiento.eu / Martin Argiento scam

A slight remix of this money mule scam from last month, but with a slightly different name.

Subject: The Italian company is looking for reliable partners
From: "Cindy Jeffers"
Date: Tue, April 20, 2010 6:03 pm

Dear Mr\Ms
My name is Martin Argiento. I am the manager in international real estate agency Europe Real Estate.

At present, we increase the number of part-time employees on the territory of England and other regions. In this connection, we carry on hiring new employees for the post of the regional real estate Agent.

Activity of the agent:
The search of the clients, advertising of the company.
Purchase \sale of the elite real estate.
Talks.
The monitoring of the market in several region.

Required qualities for the post:
Practical knowledge of the program Microsoft Office Word.
Ability to communicate, intelligence.
Experience in commercial activity is welcomed.
The knowledge of the Italian language and of other languages is welcomed.

The minimum salary is 2000 euro. Frequently the monthly income exceeds 10.000 euro.
It all depends on intelligence of the Agent and on his desire and ability to work to his full extent.

For the additional information refer to the electronic address:
realestate@martin-argiento.eu

Yours faithfully, on behalf of all employees Europe Real Estate.

Mail is directed to 85.112.126.89 in Russia [colocat.ru] but there is also a website hosted at 188.130.250.248 in Latvia [Fastmedia].

There's a whole bunch of badness on the same server in Russia, all of which should probably be avoided:

  • agency-sunsea.com
  • allinwondernews.com
  • apolcentral.com
  • apolonline.com
  • argiento.com
  • argiento.eu
  • argiento.net
  • beastdat.com
  • beinorder.com
  • bgrealty.org
  • bm-holding.com
  • cannibalcannibalistic.com
  • catcherscatherine.com
  • cemeterycentaurus.com
  • cephaliccerebrum.com
  • cesspoolchainsaw.com
  • chelseacinderblock.com
  • clubdatingckoo.com
  • coleldatingcom.com
  • comdatinghorse.com
  • comecloserit.com
  • confessionconducting.com
  • corporectomycorpus.com
  • crowpathcuernos.com
  • cunthuntcraniotomy.com
  • dacelie.com
  • datdos.com
  • datingfooool.com
  • datinggogocolelc.com
  • datingord.com
  • datingsermon.com
  • datingswot.com
  • datomg.com
  • datyandel.com
  • decapitationcattle.com
  • forurelax.com
  • freedom-dating.com
  • gaterk.com
  • goforitdear.com
  • gogodatinghorn.com
  • gskcorp.com
  • handshakesharvest.com
  • hatebeakhereafter.com
  • hereufame.com
  • hornydatingyou.com
  • ise-sl.com
  • itmakesuhappier.com
  • josetxe-financiero.com
  • klaipedetis.com
  • lovesexdatings.com
  • mail.swpost.net
  • martin-argiento.eu
  • myapol.com
  • negligentcondemned.com
  • new-crash.com
  • olsen-rossi.com
  • oppsmyhotty.com
  • orddating.com
  • prime-techno.net
  • pro-job24.com
  • qgraphicinstalls.com
  • rdnets.com
  • reallyforu.com
  • shekelsta.com
  • shufersalta.com
  • swpost.net
  • umap-btl.com
  • uwillhappy.com
  • youthesuperman.com
  • znakomilka.com

Monday, 19 April 2010

MICROSOFT WINDOWS-2010 lottery scam


A French language advanced fee fraud scam email with a colourful PDF file attached. The PDF does seem to be free of viruses, but you should never open unsolicited Acrobat documents from untrusted sources as they often carry a virus.

Subject: BONJOUR Mr/Mme
From: "DOMINIQUE LOVERS"
Date: Mon, April 19, 2010 10:44 am

BONSOIR Mr/Mme

Nous sommes heureux de vous annoncer que vous faites partie des heureux
gagnants de la loterie MICROSOFT WINDOWS-2010, veuillez prendre connaissance du message en pièce jointe, ensuite contacter l'huissier de justice du Maître JEAN MICHEL .
E-MAIL: jean-michel.brousseau@live.fr

Veuillez surtout lui faire parvenir votre numéro de lot et vos informations
Ci-dessous en vue de vous donner la procédure de retrait de votre gain.
Recevez nos sincères félicitations.

Bonne compréhension à vous

MICROSOFT WINDOWS
Direction Marketing
Mr WEI ANDRE

Saturday, 17 April 2010

euvacant.com job offer scam

This is some sort of money mule operation, euvacant.com has the domain registered with hidden details though a registrat in China, the website and mail server are hosted at 178.162.135.100 which is Pegashosting Network in the Ukraine.

Subject: part-time employment in Europe
From: "Katheryn.Parra"
Date: Sat, April 17, 2010 7:38 am

Hi,
West Union Group is searching for a European representative in order to satisfy the
requests of our well respected costumer. To be welcome to our team you need to be a
communicative person and to possess the skills in proper customer care.
We provide you with:
- Flexible schedule
- Good salary
- We pay-off all taxes for you
- Insurance
To obtain more information, please fill up the form below and send it to:

r e p l y 9 @ e u v a c a n t . c o m [please delete spaces in the email
address before sending it to us]

First Name:
Last Name:
Country:
E-Mail:
Contact Number:
Best time to contact you:
Attached resume is preferable

Our operators will contact you and will assist all your questions.

Position available for European citizens only!

Best Regards HR Management of West Union Group

In this case the originating IP was 190.22.247.165 in Chile. Avoid.

Note that the return email address varies, another example used "c v 2 @ e u v a c a n t . c o m" but in all cases the domain seems to be the same.

Wednesday, 14 April 2010

"IMPORTANT: Royal Mail Delivery Invoice #1092817" Virus / Trojan

The wording may vary, but this is a PDF exploit currently doing the rounds pretending to be from Royal Mail. Sophos, F-Secure and Avast detect it along with some other products (VT results here) but otherwise detection is patchy.

Subject: IMPORTANT: Royal Mail Delivery Invoice #1092817
From: "Royal Mail" <delivery@royalmail.com>
Date: Wed, April 14, 2010 11:28 am

We missed you, when trying to deliver.

Please view the invoice and contact us with any questions.

We will try to deliver again the following business day.

Royal Mail.

Attachments:
Royal_Mail_Delivery_Invoice_1092817.pdf

The bad PDF file looks like some sort of calendar, I have not yet been able to analyse exactly what sort of evil things it does.

If you still use Adobe Acrobat then you should make sure that you update to the latest version which is 9.3.2, or use an alternative like Sumatra.

Monday, 12 April 2010

FarmTown, impressionclub.com and justimpression.com

Sandi at Spyware Sucks reports that the popular(ish) Facebook game of FarmTown (not FarmVille) has be compromised, possibly through a malicious banner.

The domain justimpression.com has been fingered as part of the malware chain, registered to the infamous "Private person" of:

Registrant:
Private person
Armand Gregori (armandgregory3@gmail.com)
Federicsshopen via 3
Katowice
Katowice,S589FG
PL
Tel. +34.41528965

Creation Date: 17-Dec-2009
Expiration Date: 17-Dec-2010

Domain servers in listed order:
ns2.reg.ru
ns1.reg.ru
That email address is pretty well known for malware distribution.

The site is hosted on 64.120.176.42 along with a site called impressionclub.com. "Impression Club" claims to be a Pennsylvania based company that has been in business for four year, except the domain was only registered in January 2010 with anonymous contact details, and Russian nameservers.


You can probably count impressionclub.com as a rogue ad network and one to avoid.

The FarmTown developers have a forum thread about the problem (one poster identifies an ad for greetingcards.com as the culprit) and there are several threads on Facebook about this [1] [2] [3] [4] [5] which also point at the following domains as being part of the chain

  • scan-and-protect3.com
  • scan-and-protect5.com
  • scan-and-protect7.com
  • scan-and-protect8.com
  • scan-and-remove10.com
  • scan-and-remove55.com
  • scan-and-remove99.com
  • 1server-antivirus.com
  • 2server-antivirus.com
  • 4server-antivirus.com
  • 6server-antivirus.com
  • 1web-antivirus.com
  • 2web-antivirus.com
  • try6-your-scanner.com
  • 111-your-scanner.com
  • 222-your-scanner.com
  • basketballtickets2.com
  • batman2010.com
  • spread2010.com
  • terminator-2010.com

All these domains are registered with apparently false details, there are probably a bunch more but I'm having difficult resolving the IPs at the moment.

This could be a fairly big deal, Quantcast reports that justimpression.com has a traffic rank of 6,227 and pulled in 329,000 US visitors during February.


This is another good reason to block Facebook in corporate enviroments, and also a useful warning that you need to be very, very careful when selling ad space!

Tuesday, 6 April 2010

reycorporacion.com - bogus job offer

A slightly unusual twist to bogus job offers, this one solicits replies to reycorporacion.com which appears to be a legitimate company, but it looks like the mail has somehow been compromised.

Subject: Position Opening

Speech of welcome

I am a representative of the HR department of a large international company. Our company has been working in different fields, such as:
- real estate companies setting-up and winding-up bank accounts opening and maintenance logistics private undertaking services etc.


We are making a regional managers team in Europe now:
- salary 2.600 euro + bonus
- part-time employment
- flexible work time

If our offer is interesting for you send us the below information on our e-mail address: marta.urzola@reycorporacion.com
Name:Surname:Country:E-mail:Mobile phone-number:

Note! We are searching Europeans only!

Please, write you
Nothing in the registration details, IP address or MX records looks particularly suspect, so it is likely that the reycorporacion.com server has been compromised in some way. In any case, avoid this job offer as it will be some sort of Money Mule operation. If you get one of these, then I recommend alerting the web host abuse-server -at- strato.de to the problem.

"Represent Party" / representparty.org spam

Sent to a postmaster role account.. classy.

From: Represent [mailto:ben.lynch@representparty.org]
Sent: 05 April 2010 16:22
To: UK Postmaster
Subject: How would you improve the UK - we need your ideas.

Hi,

How would you improve the UK - we need your ideas.

We have just launched a new website ‘Represent’ – and we are looking for ideas on how to make the UK a better place - any ideas will do as long as they are positive.

All ideas submitted will be published on the website where they can be rated to find the most popular ideas for improving the country.

Go to http://www.representparty.org <http://www.representparty.org/>, register (this does not mean you are joining any organisation it helps you to add ideas and rate other ideas) and add your ideas. Remember the website is new so there may not be many ides at the moment but bear with us as we process the ideas uploaded and we’ll get more ideas published as soon as possible.

Thank you for your time.

Regards

Ben Lynch
Represent

PS – If you believe that this email was intrusive please accept my apologies. If you do not want to receive any further emails from us please click on the link below.
http://www.representparty.org/unregister.aspx?action=unsubscribe&value=[redacted]
Originating IP is 109.228.0.79 which also hosts representparty.org and representparty.com. It will probably come as no surprise to see that this IP address belongs to Fasthosts in the UK who are very tolerant of bulk emailers like this.

Anyway, how's this for a positive idea.. stop f**king spamming me.

Thursday, 1 April 2010

Wednesday, 17 March 2010

argiento.eu / Piccini Real Estate Company scam

This is a money mule scam, email originating from a hacked PC in Brazil, site hosted on 188.130.250.248 in Latvia which is a well-known bad IP address.

Note that there are several reliable real estate companies with "Piccini" in the name, this scam is not related to any of these companies. Avoid.

From: "Kathryn Crum"
Subject: The Italian company is looking for partners in England
Date: Wed, March 17, 2010 2:15 pm


Dear
My name is Martin Argiento. I am working in the international real estate agency Piccini Real Estate. Our company is registered in Italy.

Currently we are taking on the employees to hold a post of regional agents. We have a vacancy which you could fill.

Your electronic address, is taken from a database of the company which is engaged in employment. If it is an error, or if you do not have time, or you are not interested in this offer, we ask you to ignore the message. We apologize for the wasted time.

The vacancy description:
The salary from 2000 Euros.
Non fixed working ours.
The guaranteed prospect.

Requirements:
Practical knowledge of the program Microsoft Office Word.
Having skills in Microsoft Office Excel.
Ability to communicate, intelligence, responsibility.
Ability to come to an understanding with people and to carry on negotiations.
Experience in commercial activity is welcomed.

If you are interested in cooperation, please send mail on the electronic address: m@argiento.eu


On behalf of employees of Piccini Real Estate company.

Thursday, 4 March 2010

"west-es-company.com" scam job offer

This is another money mule email, soliciting replies to west-es-company.com which is hosted at 193.104.94.57 in the Russian Federation along with a whole bunch of other badness.



Subject: hello!
From: "Ronald"
Date: Thu, March 4, 2010 11:10 am

Hello,

My name is Ronald and our company currently has several positions it needs to fill in your region.

We are a well known company with offices throughout Europe, Asia and North America.

Our current turnover is over 130 million annually and we are still seeking for expansion.

I have 12 vacancies of Financial Assistant that need to be fulfilled immediately.

Major operational duties are prompt receiving and processing customerÂ’s payments for their further transfer according to the specified method. Detailed work scheme will be provided upon request.

I am looking for self-motivated individuals with strong work ethics and ability to schedule work hours effectively.

Requirements:

* Expert skills in managing payments and transfers between our company and clients
* Knowledge of basic payment systems
* Bank account (personal or business)
* Advanced PC and Internet skills
* Minimum 24 y.o.

Benefits:

*Salary plus commissions
*Full reimbursement of banking and Western Union fees.

NOTE: This vacancy is valid for American residents ONLY.

Contacts: Ronald@west-es-company.com





Avoid this one at all costs.

Friday, 26 February 2010

Stupid spammer? Or Joe Job?

Sometimes it's hard to say if a spam is a really stupid spammer, or a very sophisicated Joe Job.



From: "Human resources" <list@weekendsoff.info>
Reply-To: HR@internet-marketing.com
Subject: Thank you for your application

This is an automated response; please do not reply to this email

Thank you for your application, this will be reviewed shortly

The Job You Have applied for is

>>

Internet Marketing - Work from home Unlimited income

An Irish based company is looking for a motivated and dynamic individual to head up the local operations in UK, USA, Canada, Australia and New Zealand, Must be computer literate, Dynamic, and a self starter.

Previous marketing experience is desirable but not essential as
Full training is given.

For details on how to apply please click the link below

http://ec2e68oy1e-p-g0mu8cbhzr5ke.hop.clickbank.net/

>>

Many thanks

The HR Team


This email is intended for the addressee only If you have received this email in error please treat its contents as confidential and delete it immediately





Clickbank spam is pretty rare, simply because Clickbank will terminate spamming affiliates. Clickbank redirects to http://www.theaffiliatecode.com/cb.php?hop=bharrsunny which then affiliates to one of those stupid eBook sites called "TheAffiliateCode.com" that promises untold riches. The name "bharrsunny" is almost definitely the name of the affiliate account.

The email routes via a server at 94.136.62.178 [Webfusion - UK and currently blacklisted] and appears to originate from a Sky broadband subscriber at 90.221.179.176 (currently blacklisted). A look at the server at 94.136.62.178 throws up a number of websites, including "weekendsoff.info" (listed in the headers) and "weekendsoff.co.uk". The WHOIS details for these domains is as follows:

Domain name:
weekendsoff.co.uk

Registrant:
Bob Harris

Registrant type:
UK Individual

Registrant's address:
27 old tatham
york
YO43 4BN
United Kingdom

Registrar:
Webfusion Ltd t/a 123-Reg.co.uk [Tag = 123-REG]
URL: http://www.123-reg.co.uk

Relevant dates:
Registered on: 14-May-2009
Renewal date: 14-May-2011

Registration status:
Registered until renewal date.

Name servers:
ns.123-reg.co.uk
ns2.123-reg.co.uk
The .info domain also reveals:
Registrant Phone:+44.1430861312
Registrant Email:bh861839@aol.com

weekendsoff.co.uk is a web design outfit with some familiar looking templates (e.g. www.weekendsoff.co.uk/Shop-sites/shop3/index.html is the same as this page on Quackit) as it seems are all the other pages. Still, I guess this is all above board, isn't it?

Now, there's an uncanny match between the name "Bob Harris" and the affiliate name "bharrsunny". So, is Bob Harris really stupid? Or has someone hacked his server with a sophisticated Joe Job? But this isn't the only time this person has been fingered for spamming. I'm sure you can make up your own mind..

Tuesday, 23 February 2010

Mystery Shopper Scam from "linkshare.humanresources@gmail.com"

LinkShare is an affiliate marketing company, this email purports to be from "LinkShare™" (note the nice use of the TM) and states that they are a market research company.. which they are not. Originating IP is 124.243.42.42 in Korea, replies are solicited to a free Gmail account rather than linkshare.com and the email is "from" alerts@careerbuilder.com which surely ain't right.

Basically, this is a standard mystery shopper scam email and it should be avoided at all costs.

Subject: MYSTERY SHOPPER OPENING: {$150 Per Survey}
From: "LinkShare™ Corporation" <alerts@careerbuilder.com>
Date: Wed, February 24, 2010 4:46 pm
Priority: Normal

About the Company:
LinkShare™ is a market research company that uses Mystery Shopping and Mystery Consuming to measure the quality of service rendered or gather specific information
about products and services. We use mystery shoppers to get the information anonymously.

Job Description & Responsibilities:
As our mystery shopper posing as normal customers, you will expected to perform specific tasks such as purchasing a product or using a service. We presently have a
couple of outstanding contracts, which means you will visit outlets in your area. While there, you will secretly evaluate things like customer service, store
cleanliness and quality of service rendered. When you're done, submit your shoppers report to us via e-mail and get paid for your opinions.

Some of the simple questions in your Shoppers Report will be:
. How well were you treated?
. Were the employees friendly and courteous?
. Did you receive prompt service?

That's all there is to it! The answers to these kinds of questions are extremely valuable to any business - You'll be providing important information that will be
used to improve the quality of businesses everywhere. You will be provided funds in advance for any upcoming survey via Checks to cover expenses.

Where will I be mystery shopping?
The companies we deal with mostly represent large chain stores and popular franchises with hundreds and thousands of locations across the country. They are stores, services and restaurants like:

. Money Gram
. Wal-Mart
. Western Union
. Cvs

Special skills are not required for this opening. However, in order to apply for this job you must ensure you have access to your e-mail at least twice daily and must read and respond to our notifications within 24 hours.

If you would like to be considered for assignments, please fill out the Application below as we hope to Welcome You to LinkShare™!

Full Names:
Address Line 1:
Address Line 2:
City:
State:
Zip Code:
Age:
Home Phone Number
Cell / Mobile Phone Number:

All applications must be sent to: linkshare.humanresources@gmail.com

LinkShare™ Corporation
215 Park Avenue South 9th Floor
New York, NY 10003
Email: linkshare.humanresources@gmail.com

The information contained in this e-mail, and any attachment, is confidential and is intended solely for the use of the intended recipient. Access, copying or re-use of
the e-mail or any attachment, or any information contained therein, by any other person is not authorized. If you are not the intended recipient please return the e-mail to the sender and delete it from your computer.

Wednesday, 17 February 2010

Money mule operation morphs

This fraudulent job offer (i.e. for a money mule laundering stolen funds) originates from 109.169.243.117 and points to a server on 193.104.94.57, both in the Russian Federation. This is the same server as this scam although the domain names have changed.

Subject: Vacancy ID053 USA
Date: Wed, February 17, 2010 2:12 am

Dear job seekers!

Apply for the job. We recommend this position.

Job Description:

We are looking for people who can control the payment of our customers from your state / region.

The responsibilities of work included compiling monthly reports on the overall turnover of funds, sending documents on each transfer.

We offer you confidentially as you conduct a search to meet your career goals and we can help you to understand and communicate what makes you stand out in a crowd.

My role is to find the best candidates to meet the needs of my clients. You could be just the person I'm looking for.

Job Requirements:

As a Finance Manager, you are responsible for all aspects of operation, including customer relations, team management, financial management and team recognition/retention.

You must:
- be 23 years of age or older
- be resident of United States of America
- have a bank account
- must have full internet access (at home or at work)

Minimum qualifications include:
- Well developed analytical, communication, and interpersonal skills
- Strong operational background and knowledge
- Exceptional people skills
- Problem solving skills
- Top notch communication and writing skills
- A drive to be the best

Benefits:
- Monthly salary starting at $2000(after a month evaluation period)
- 5% commission for every task you complete
- Banking and Western Union fees covered by the company

If you are interested in applying for this position please send your resume
Cara@new-job-position.com

Robtex reports a number of dodgy domains and mail servers on that domain, all of which should be considered fraudulent.

  • 7-job-net.com
  • company-euro.com
  • euro-shopping.net
  • gold-es-net.com
  • goldes-it.com
  • good-nets.com
  • it-financess.com
  • job-for-yours.com
  • mail.7-job-net.com
  • mail.company-euro.com
  • mail.gold-es-net.com
  • mail.goldes-it.com
  • mail.job-for-yours.com
  • mail.online-web-net.com
  • mail.people-and-job.net
  • mail.web-euro-it.com
  • mail.webpages-it.com
  • mail.wesst-netts.com
  • online-web-net.com
  • people-and-job.net
  • web-euro-it.com
  • webcompany-es.net
  • webcompany-euro.net
  • webfiless.com
  • webpages-it.com
  • wesst-es.net
  • wesst-netts.com

donotemail@wearespammers.com |

Saturday, 13 February 2010

I'm Bob Gatchel, and I'm a spammer

OK, spam isn't exactly uncommon, and get-rich-quick MLM schemes are a bit like the dog shit that you sometimes tread on while out walking. This particular piece of spam caught my eye:


Subject: [redacted], your just released 5 Ways to Make a Fast $5,000 CD at absolutely no cost from Bob
From: "EWI" <robertallen4@ewiadvisory.com>
Date: Fri, February 12, 2010 12:43 am

Dear [redacted],

Hi, I'm Bob Gatchel and recently you visited one of my websites where you requested more information about starting your own internet based home business ... that's GREAT! And because you did this, I have a very special free gift for you -
with no strings attached!

Look ...because you took the time to learn more about this industry, I want to give you my brand new Ebook and TeleSeminar that will show you how to pick out the PERFECT online home based business for you!

It's called: "Internet Home Business EXPOSED"

And you can secure your FREE copy of this course at this website:

http://InternetHomeBusinessExposed.com

This is an info-packed 54 page ebook and 50 minute TeleSeminar that reveals the TOP 12 online based home businesses for 2010 and beyond! Discover how a new and exciting home business can:
* Give you FREEDOM form a normal 9-5 job
* Give you more free time for your family
* Give you financial stability without the struggle
* Let you live a happier & healthier life!

Look ... I did the investigating and hard research so you don't have to and can show you how to make this happen in your life!

Who am I?

Why should you listen to me?

And why should you get this course?

For the past 12 years, I've not only been earning a high six figure income using the internet from the comfort of my home ... but I've been helping others do the same as an internet marketing consultant that specializes in the fields of home based business.

My courses, training and consulting are featured all over the internet ... and my unique insights into this industry have even been featured in the worldwide best selling book: "Multiple Streams of Internet Income" by the renowned wealth trainer, Robert G. Allen.

Bottom line? I know what I'm talking about when it comes to making money from home using the internet - and I know how to help the average person achieve amazing results!

When you get your copy of "Internet Home Business EXPOSED" at:

http://InternetHomeBusinessExposed.com

You'll see how it "cuts through the fluff" and gives you everything you need to avoid the TONS of scams out there ... I've done all of the hard work and research FOR YOU to find only the 12 BEST and PROVEN ways to make big money from home - in your spare time or even help quit your job and to it FULL time like me!

Again, get this course NOW at:

http://InternetHomeBusinessExposed.com

Take your first step to living the life you deserve and the freedom to live your dreams! Take the time to get your free copy of "Internet Home Business
EXPOSED" and get started on your path to success TODAY!

Successfully Yours,

Bob Gatchel

Creator of "Internet Home Business EXPOSED"

PS - This free ebook and teleseminar are only going to be available for free for limited time only. We are going to actually start selling this course very shortly. Be sure you get your copy today while it's still free OK?

Go to:

http://InternetHomeBusinessExposed.com

We respect your privacy. To remove yourself from this mailing list, please reply to this email.

"Bob" has made a couple of newbie mistakes here - firstly, the "Reply To" address is invalid as there is no such domain as "ewiadvisory.com" and he forgot to include his postal address, which makes in non CAN SPAM compliant.

InternetHomeBusinessExposed.com is the sort of name that almost begs to ripped apart. Hosted along with hundreds of other crummy MLM sites on 74.208.120.206, the domain has private registration details, which is a shame. Not to worry, a little bit of digging turns up a valid address of:

Robert Gatchel
16 Shire Lane
Port Deposit, Maryland 21904
United States

There's also a valid "reply-to" email address you can use of bobgatchel@gmail.com.

There you go Bob, fixed that for you.

Interestingly, it turns out that Bob is a bit of a stickler for rules, which is kind of odd when you consider his non CAN SPAM compliant message. Page 73 of this planning document shows Bob objecting to his neighbour installing a mobile home on their property because it broke the deed restrictions. OK Bob, that's fair enough.. but just remember this next time you send out spam.

So what is InternetHomeBusinessExposed.com? Well, it just forwards to another site at getthescoopabout.com (again, anonymised) and it's just pushing some crappy seminar. But what are they selling?

A little more digging finds that Bob is affiliated with some outfit called the Enlightened Wealth Institute which has a non-too-pretty report at the BBB. He is also affiliated with some scientifically unproven dietary supplement from Yoli Incorporated. A quick Google of "Yoli" shows an awful lot of people pushing Yoli as an MLM rather than something you would want to put in your body.

Now, excuse me Bob.. I have some dog shit to clean up.

Thursday, 11 February 2010

"7-job-net.com" Money Mule Operation

This is a straightforward money mule (i.e. money laundering) operation with a twist:

Subject: from International Consulting Company
From: "Arnulfo Salas"
Date: Thu, February 11, 2010 9:24 am

Hello

Our company(Outsourse Solution) is proud to announce you that we now have positions
available(part time)

A candidate for the Payments Processing Position must meet the following
requirements:

* Is 23 years of age or older
* Is resident of United States of America
* Is fair and objective
* Is detail oriented
* Is very observant and able to focus on details
* Is fairly intelligent
* Has patience
* Is trustworthy
* Is practical
* Types well
* Loves to learn
* Explains well in writing
* Is discreet
* Handles deadlines
* Has bank account
* Has full internet access (at home or at work)

Benefits:
* Monthly salary starting at $2000(after a month evaluation period)
* 5% commission for every task you complete
* Banking and Western Union fees covered by the company

If you are interested in becoming a Payments Processor for our company
you can request more information at Arnulfo@7-job-net.com

Thank you,
Outsourse Solution Inc.
Usually we see spam like this soliciting replies to throwaway free email addresses. In this case, 7-job-net.com is a domain that has been registered specifically for this scam, on 14th January 2010.

Registrant details show the infamous "Private person" moniker.

Aleksandr Lapatau
Email: lapatasker@earthling.net
Organization: Private person
Address: Lenina, 34, 8
City: Minsk
State: Minskaya
ZIP: 456123
Country: BY
Phone: +375.172427204

The email address is connected with at least one other scam.

Of interest is the fact that the domain is hosted on 193.104.94.57 in Russia along with the following sites:
  • Westitnet.net
  • Company-euro.com
  • Euro-company.net
  • Euro-shopping.net
  • Euro-webs.net
  • Good-nets.com
  • It-best-eur.net
  • It-financess.com
  • It-netx.com
  • Net-euros.com
All these sites have bogus looking registration details and are best avoided.

Monday, 8 February 2010

Old pitch, new payload

This particular pitch from the badly-spelled "Internet Service Provider Consorcium" was doing the rounds back in September 2008, and it appears to have been recycled again to deliver a brand new Bredolab payload.


Subject: Your internet access is going to get suspended
From: "ICS Monitoring Team" <*****>
Date: Mon, February 8, 2010 9:34 pm
To: *****
--------------------------------------------------------------------------

Your internet access is going to get suspended

The Internet Service Provider Consorcium was made to protect the rights of software authors, artists.
We conduct regular wiretapping on our networks, to monitor criminal acts.

We are aware of your illegal activities on the internet wich were originating from

You can check the report of your activities in the past 6 month that we have attached. We strongly advise you to stop your activities regarding the illegal downloading of copyrighted material of your internet access will be suspended.

Sincerely
ICS Monitoring Team
Attachment is report.zip which contains report.exe and of course you can probably guess that it contains something nasty.


Who know what other oldies this crew might try to use?

Friday, 5 February 2010

www.dynamoo.com/blog is now blog.dynamoo.com

Because of Google's sucky decision to terminate their sucky FTP publishing service, you might notice that the URL of this blog has changed from www.dynamoo.com/blog to blog.dynamoo.com.

Everything is lashed together with symbolic links and .htaccess files for now, if you notice anything odd then contact me.

More fake ad networks

The German news site Handelsblatt was recently the victim of a malvertising campaign:

02.02.2010 Handelsblatt malware on Web site

Update: Infection banners confirmed!

The S-CERT was able to reproduce the infection in its test laboratory on the IHT website. Infection occurs through an advertising banner, which is from "Doubleclick.net. This will in turn include advertisements from the domain "muentely.com" in the Handelsblatt-page insert. The latter site is obviously manipulated and contains malicious JavaScript code.

Further investigations in the S-CERT laboratory testing have confirmed that will be used including a PDF vulnerability to the spread of malware. The studies also show that there is an alternative to the vulnerability, attempts to exploit gaps by further appropriate attack code to install a malware onto vulnerable PCs.

According to the investigations of the S-CERT is the malware with the accessing PCs will eventually become infected, a so-called Scareware: Users are informed by insertion of appropriate dialogue, that their PC is infected with malware wide area. To remove this malware, an appropriate protective software is available for purchase. To give emphasis to the malware message that ensures Scareware that can be started on any new applications over infected PCs. Relevant information of users may also indicate an infection.
The malware campaign was running via Doubleclick and Nuggad.net, directing through a bunch of domains that look like ad agencies but aren't before ending up in a server in Panama.

The fake ad agencies are in the 213.163.75.x range, all recently registered through BIZCN.COM in China, a fairly well known black hat registrar.

Note that while the domains appear to be fake, the registration data may include the details of innocent third parties, so I have not published it here. I would recommend avoiding doing business with them unless you can absolutely verify their credentials.
Synopsystd.com
  • Namdoline.com
  • Quintat.com
  • Bradfortnd.com
  • Ealana.com
  • Rovitalt.com
  • Favorti.com
  • Muentely.com
  • Briarmod.com
  • Deltamsc.com
  • Jessiereet.com
  • Startrailrs.com
  • Connata.com
  • Vehiced.com
  • Essiell.com
  • Holdrism.com
  • Bellwaynetworks.com
  • Forlifemedia.com
  • Revoltechmarketing.com
  • Hickoryhs.com
  • Ingramctc.com
  • Luxortd.com
  • Morrelmedia.com
  • Gappion.com
  • Savoyee.com
  • Goldbaynetwork.com

Thursday, 4 February 2010

"Hello, this is Icon calling on behalf of BT.."

The phone rings from an undisclosed International number.. an automated voice say "Hello, this is Icon calling on behalf of BT.." and it then goes on to explain that there's nobody to talk to me and I should call back on 0800 980 0127 to unsubscribe. Except of course that I'm bloody on TPS.

So who are they? Icon Communications Centers are based in Prague and have a website at www.icon-cc.com (no, I'm not giving them a link). In fact, the crummy job is advertised right here. OK, I say crummy.. the good thing is that Prague is a very nice place, but you probably won't see too much of it in a call centre.

Enjoy.

Edited: so I spoke to the very polite person on the other end and very politely suggested that the stop ringing. Having plugged the caller for details (yes, they really do work near the centre of the city) it seems that Icon are perhaps not a bad gig if you can speak English and find yourself in Prague looking for a job.