Sponsored by..

Thursday, 28 May 2009

Podzz.com domain scam

Podzz.com is the latest incarnation of a fraudulent domain appraisal scam being run out of Canada. The basic pitch is that you receive an unsolicited offer for a domain name, with a list of three or more possible appraisal services to evaluate it. In this case, podzz.com is the cheapest, and the most likely for the victim to choose.

Of course, what then happens is that the offer disappears and the victim is out of pocket. We have covered this scam and the people behind it here, here and here. Avoid.

Wednesday, 27 May 2009

"Dealer warning as police investigate security imposters"

I don't usually recycle press releases, but this one is of interest. It's really aimed at mobile phone dealers and details the possibility of customer poaching through stolen paperwork, but it seems to have good general guidance that applies to most companies.

Dealer warning as police investigate security imposters
CRIMINAL gangs posing as security staff are targeting mobile phone dealers, according to experts.

Scammers are trying to trick staff into handing over confidential data by pretending to be from shredding companies according to one of the UK’s largest operators.

Competitors are even reported to be raiding the bins of dealer with lax security at their premises to uncover useful details about contract expiry dates.

Jim Watson, managing director of Shred Easy, which destroys confidential data for mobile phone dealers, said:

“Scammers are targeting dealers to get their hands on valuable paperwork. There has been a spate of people pretending to be working for Shred Easy and our competitors by trying to trick staff into handing over bags of confidential data that has been safely kept within a store.


“Mobile phone dealers are vigilant in terms of securely storing their data but when it comes to the disposal of that information they must be alert to con artists trying to trick them into handing it over.


“Major operators will suffer dearly and some independent dealers could even be put out of business if the data fell into the wrong hands. The loss of confidential phone numbers, contact details as well as details about contracts and customers would be devastating.


“We have already been in contact with the police and made them aware of the details. I can’t go into details about who was targeted for legal reasons but it was a major mobile phone retailer and we’ve ensured their staff are alert and follow the official policy for dealing with confidential waste.


“Dealers must be also be alert to the fact that their competitors are fighting tooth and nail to get their hands on data and in some cases we’ve heard reports of competitors sifting the bins outside dealerships to get confidential customer details so they can be poached at a later date”

Shred Easy offers five top tips for mobile phone dealers:

1) Always ask for identification
2) Only deal with an accredited shredding company
3) Make use of professional ‘onsite shredding vehicles’
4) Store confidential data securely in store
5) Don’t throw paperwork in the bin


See www.shreadeasy.com

While you might think to challenge someone coming into your business premises, how often do you check that people taking waste away are really who they say they are?

Tuesday, 26 May 2009

"Norton Finance" fraudulent loan offer

Norton Finance are a real company that offers loans, typically to people with poor credit ratings. This lazy scam email is not from Norton Finance, but is instead is a scam, routed through IP address 209.226.175.134 in Canada which is well known for fraudulent emails. Avoid.

Subject: home loan or loan for any legitimate reason
From: "NORTON FINANCE COMPANY" bengalfinancial@bellnet.ca
Date: Tue, May 26, 2009 9:48 pm

For further enquires and to apply for a loan from us,please feel free to contact our application desk with details.Send us an email
Mr. Tony White
norton.finance@btinternet.com
Regards,
Stanke Kathryn
(Online Advertiser)
NORTON FINANCE COMPANY (NFC)

Wednesday, 20 May 2009

mig-design.com fraudulent job offer

A straightforward pitch for what is probably a money mule operation.

Subject: Looking for a job? More info here
From: "Shirley Schafer" boss@adabillur.com

Greetings,

If you are still looking for a well-paid part time job (2-4 hours a day) with possible full-time promotion opportunities at one of top-echelon Management Companies, please e-mail your resume/CV or a short description of your former activities.

Use ONLY corporative e-mail address below for all further correspondence:
office@mig-design.com

Necessary information concerning working and cooperation opportunities, financial benefits and advantages is sent by your request.

Yours faithfully,
Recruiting Office,
MIG Management and Design

Let's look at mig-design.com.. actually, don't - it's never a good idea to poke at spamvertised sites unless you know what you are doing. There's not much to see apart from a snazzy logo saying "MIG International Design Group".

The logo has clearly been professionally designed. But it also appears to have been stolen from this site although amusingly the spammers have corrected the obvious spelling error.

Let's check out the WHOIS details:

Name : Michell
Organization : Michell
Address : 56/2 Sun str.
City : Dallas
Province/State : beijing
Country :
Postal Code : 85230
Phone Number : 86--56343365
Fax : 86--56343365
Email : Michell.Gregory2009@yahoo.com


A quick Google search for that email address shows several hits.. indeed, it has been used before for the luxgroupnz.com scam.

The IP address of the site is 61.150.91.136 in China and usually in these circumstances it is safe to assume that ALL sites on the same server are suspect:

  • Bsi-investment.com
  • Bsibanksingapore.com
  • Ckinter.cn
  • Ckinter.ru
  • Freeadulttube.com.cn
  • Importfinanceinc.com
  • Intdgroup.com
  • Lloydsinsurer.com
  • Luxgroupww.com
  • Majordesigngroup.net
  • Medikmenty.com
  • Mens-health.com.cn
  • Mig-design.com
  • Mig-disign.com
  • Teentube.com.cn
  • Vsehorosho.info
  • W-trabajo.com
  • Wploy-empleo.com
  • Wtrabajo.com
In this case the email originates from 117.197.0.23 in India.

A flashy logo does not mean that it's a legitimate site. In this case the spammers have just ripped off someone else's identity. Avoid.

Tuesday, 19 May 2009

Phorm Whitewash

The British government's stance on Phorm has always been pretty supine. Despite serious allegation of criminal misconduct by Phorm and BT, the Government has again decided to whitewash the issue after politely ignoring the latest anti-phorm petition.

Thank you for the e-petition on internet advertising technologies and customer privacy.

As your petition states, some Internet Service Providers (ISPs) have been looking at the use of Phorm’s Webwise and Open Internet Exchange (OIX) products. However, the only use of the technology so far has been the trials conducted by BT.

Advertisers and ISPs need to ensure that they comply with all relevant data protection and privacy laws. It is also important that consumers’ privacy is protected and that they are given sufficient information and opportunity to make a clear and informed decision whether to participate in services such as Phorm.

The Government is committed to ensuring that people’s privacy is fully protected. Legislation is in place for this purpose and is enforced by the Information Commissioner’s Office (ICO). ICO looked at this technology, to ensure that any use of Phorm or similar technology is compatible with the relevant privacy legislation. ICO has published its view on Phorm on its website:

[link]

ICO is an independent body, and it would not be appropriate for the Government to second guess its decisions. However, ICO has been clear that it will be monitoring closely all progress on this issue, and in particular any future use of Phorm’s technology. They will ensure that any such future use is done in a lawful, appropriate and transparent manner, and that consumers’ rights are fully protected.
In other words - private companies unlawfully spying on citizens is no concern of the government.

Conspiracy theorist like to point out that Phorm's web monitoring technology is exactly the sort of thing that the government wants to do. Fortunately, it looks like Phorm is perhaps on their last legs after launch of this bizarre foaming-at-the-mouth blog that they started recently.

The government's complete disdain for British citizens is astonishing, and will probably be reflected in a humiliating result in next month's European and local elections. But then if voting really changed anything, this government probably would make it illegal.

Monday, 18 May 2009

NameOrange / nameorange.com scam

Another variant of this scam and this scam linked to a guy called Manuel Fichter - the basic pitch is that you get an email offering to buy your domain name which lists a number of "approved" domain appraisers, the one that appears to be cheapest is actually run by the scammer.



Avoid this one. If you live in Canada and believe that you have been defrauded, then contact your local RCMP and make a complaint about:

Manuel Fichter
38 Matthew Drive
Hammonds Plains, NS B4B 1T8
Canada

martuz.cn injection attack

In the past couple of weeks, thousands of websites were hit with an injection attack pointing to gumblar.cn.. this week it has changed to martuz.cn. It's not a SQL injection attack as far as I can tell, the smart money is that it is using compromised FTP credentials, possibly harvested from end-user PCs rather than a problem with the web server itself.

A typical attack is that JS files on the victim's server are altered with an obfuscated (i.e. partly encrypted) script which might vector through martuz.cn/vid/?id=5718066 or martuz.cn/vid/?id=575730 or something similar, then leading to martuz.cn/vid/?id=3 or another similarly named page (the exact URLs may vary depending on the client software).

There's a writeup about martuz.cn here and here, in the meantime blocking traffic to the domain and the IP address 95.129.145.58 will probably be a good idea.

Wednesday, 13 May 2009

419ers hit by the downturn?

A strangely worded 419 scam arrived today in a format I haven't seen before. Perhaps the economic downturn is having an effect on the supply of gullible people?

Subject: THAT IS ALL I CAN DO FOR YOU
From: "RICHARD GOZNEY" bhcommission1@mail2consultant.com
Date: Tue, May 12, 2009 6:56 pm

BRITISH HIGH COMMISSION
DANGOTE HOUSE,
AGUYI IRONSI STREET, MAITAMA DISTRICT,
ABUJA,NIGERIA..
TEL: +234-8039672472


Attention

After long silence from you we came to realize that you may have given up your compensation due to lack of money for the Certificates.

I have been able to settle for the Certificates which amounts to US$1800 so i expect you to pay me back once you receive your card.

You have to reconfirm your delivery address for the EMS courier company to mail your ATM card to you without delay. Note that you are entitled to settle for their safe keeping fee of $250.

Make haste to send down your address and i shall provide you with the information of their cashier for you to send the safe keeping fee of $250 to her.
I am looking forward to your immediate response.

Yours in Service,

Mr. Richard Gozney

Despite the Nigerian address the email originates from 200.7.198.3 in Ecuador, although the phone number is definitely Nigerian and has been used for this type of scam many times before.

Tuesday, 12 May 2009

"Western Union Transfer MTCN: 2474153681" trojan

Another EXE-in-ZIP trojan, this time disguised as an Excel spreadsheet. The pitch is:

Subject: Western Union Transfer MTCN: 2474153681
From: "Western Union Support Team" support@westernunion.com
Date: Tue, May 12, 2009 11:00 pm

Dear Customer!

The money transfer you have sent on the 22nd of April was not collected by the
recipient.
According to the Western Union contract the transfers which are not received in 15
days are to be returned to sender.
To collect cash you need to print the invoice attached to this email and visit the
nearest Western Union agency.

Thank you!
In this case there was an attachment called Invoice_8773.zip containing a file named Invoice_8773.exe. Because of the really stupid way that Windows (by default) hides the file extensions and the fact that the bad guys have given this executable a convincing icon, it will look something like this when unzipped:

VirusTotal identifies is as a variant of Zbot, the ThreatExpert prognosis has more details in case you are trying to clean it up.

If you can block EXE-in-ZIP files at your mail perimeter, then that is always the best defence against this kind of attack.

Monday, 11 May 2009

Michael Price / BizSummits.org unsolicited bulk email

I've had a few of these in the past, but this time my spidey sense was tingling.

Subject: Roger, Website discussion on April 21st.
From: "Pat Weller" pat@mktgalliance.org
Date: Mon, May 11, 2009 1:49 pm

Hi Roger, let me know if you might be interested in attending our
upcoming program, "Does Your Website Produce the Results You Want? How to
Drive Conversions by Writing Better Content" on Monday, April 27th. You
can view the complete details at www.mktgalliance.org/webconversations

Businesses of all sizes can benefit greatly from these ideas that have
proven to work based on experiences with hundreds of websites. Thomas
Young, Internet Marketing Consultant and CEO with Intuitive Websites,
will be making the presentation. He will review conversion strategies,
effective taglines, using captions on photos, how to avoid blocks of text,
bullet items in web copy, how to avoid brochure copy and marketing-speak,
calls to action and more. I hope you and your team will join us.

Best regards,

Pat Weller
Program Director
Marketing Alliance
600 North Park Centre
Seventeenth Floor
Mail back to decline further
Atlanta, GA 30328
www.mktgalliance.org/webconversations


Well, I'm not called "Roger" and I can't quite figure out where that came from. The email came from 66.232.113.10 which is the same IP as mktgalliance.org, so that really confirms it as genuine.

A look at the WHOIS details are interesting:

BizSummits
Michael Price (MPrice@BizSummits.org)
+1.8006003389
Fax:
1200 Abernathy Rd, 17th Floor
Atlanta, GA 30328
US

Alright, ten points for having (apparently) genuine contact details (it matches their BBB report), minus several million points for blasting out unsolicited emails to random addresses.

Is it spam? Well, it's certainly unsolicited commercial email and in this case it was sent to an email address that didn't actually exist. Annoyingly, it could well be CAN SPAM compliant. But it falls within the scope of the Boulder Pledge so best avoided.

Here are some other domains associated with BizSummits:
  • mybizteleseminars.net
  • customerservicesummit.net
  • theopsbenchmarkalliance.com
  • associationgrowthsummit.net
  • mktgalliance.org
DavesPlanet.net has more information here, the Other Librarian blog indicates that it has been going on for years here, and a Google Search shows just how widespread these unsolicited emails are. Do you really want to do business with a company like this?

Underwater mobile phone

Need a phone that works under water? Well, the Samsung B2100 Solid Extreme does. But as they used to say on TV.. "kids, don't try this at home".


Friday, 1 May 2009

webmail.upgrade@spamcop.net phish

A fairly lazy attempt to phish SpamCop accounts, originating from 200.85.160.12 in Nicaragua. If you're a SpamCop subscriber, then report it via the usual mechanism. The Reply-To address is webmailupgrader@consultant.com, so you should be able to tell that it is a fake.

Subject: Spamcop Email Verification
From: "Spamcop Webmail Notice" webmail.upgrade@spamcop.net
Date: Fri, May 1, 2009 5:11 pm
To: webmail.upgrade@spamcop.net

Dear Spamcop Webmail Account Owner,
We are currently performing maintenance for Our Spamcop
Digital Webmail Customers.We intend upgrading our Digital
Webmail Security Server for better online services. We are
canceling unused Spamcop webmail email account to create
more space for new accounts.To prevent your account from
closing you will have to update it below to know it's status
as a currently used account.

CONFIRM YOUR EMAIL IDENTITY BELOW
Email Username :=====================================
Email Password :=====================================
Date of Birth :======================================

Warning!!! Any account owner that refuses to update his/her
webmail account within three (3) days of this update
notification will loose his/her account permanently.

Thank You For Your Support

Friday, 24 April 2009

"WorldPay CARD transaction Confirmation" (again)

A repeat of a trojan spam run from a few months ago ,this fake "WorldPay CARD transaction Confirmation" email comes with a nasty payload.

Subject: WorldPay CARD transaction Confirmation
Date: Fri, April 24, 2009 5:28 pm

Thank you!

Your transaction has been processed by WorldPay, on behalf of Amazon Inc.
The invoice file is attached to this message.
This is not a tax receipt.
We processed your payment.
Amazon Inc has received your order,
and will inform you about delivery.
Sincerely,
Amazon Team

This confirmation only indicates that your transaction has been processed
successfully.
It does not indicate that your order has been accepted.
It is the responsibility of Amazon Inc to confirm that
your order has been accepted, and to deliver any goods or services you have ordered.
In this case there was a ZIP file called WorldPay_NR9712.zip (the filename may vary) with an executable in named WorldPay_NR9712.exe. When unzipped it looks a bit like a Windows Help file.

Detection rates are very poor, with only Microsoft flagging it up as something specific (PWS:Win32/Zbot.M). The ThreatExpert prognosis also indicates that it is malware (by the way, if you are dealing with an infected machine the ThreatExpert report can help you clean it up).

If you can, it is always a good idea to block EXE-in-ZIP attachments at the perimeter.

"IBC Group" fake job offer

There are lots of wholly legitimate firms called "IBC Group" or something similar. This one claims to be an "international business consultancy".. and yet they are using a free Google Mail address rather than a corporate one. It is just another money mule scam, although the 5% fee they are offering is surprisingly low (of course, this is stolen money so all you will end up with is a jail sentence).

Subject: Business
Date: Fri, April 24, 2009 12:29 pm

Dear SMALL BUSINESS OWNER
We are being a private international business consultancy (IBC GROUP) striving hard to perform the best to achieve optimal results in gaining efficiency of our client’s ventures. In this global economy crash time we turn to alternative solutions for our clients from Eastern Europe who are obliged to pay off US or Western Europe originated transfer taxes, which at times may be as much as 35%.
Therefore, we are raising up this appeal to those small business owners who have both desire and possibility to stand up as our partners and who may use their business accounts to operate internal transactions for their further remittance to our clients . As being held on a larger scale, your personal benefit will be 5% off every payment posted to your account (or company’s). It may become a considerable upgrade for you and your company.
If this comes up your alley, please, come back for details by: Katherin.Mills@gmail.com

with the following:
First Name:
Last Name:
Country:
State:
City:
Phone (Landline):
Phone (CELL):
Email:

Thank you in advance,
IBC GROUP.


Originating IP is 88.242.82.65 in Turkey.

Wednesday, 22 April 2009

Russian / Italian spam

One of the major hurdles that spammers and scammers face is language. A typical eastern bloc scammer usually won't be able to speak any language like a native other than their own, and a poorly worded pitch is often an obvious sign of a scam.

Machine translations rarely make sense, and the best translators are always native speakers of that language. So, a professional fraud crew will often try to recruit linguistic experts to give their message more of an edge.

In this case, the spammers are trying to recruit someone who speaks Italian and presumably Russian. That's a target audience of around 60 to 70 million people who might well fall for an Italian language scam.

В наше бюро переводов требуются специалисты по итальянскому языку.
Если Вам нужен дополнительный заработок (~1000$ в месяц) - эта вакансия для Вас!
Ездить и ходить - никуда не нужно! Достаточно просто иметь доступ к интернету и телефон!
Никаких финансовых вложений с вашей стороны не нужно! И это не тендер!

Если Вам все еще интересно наше предложение - просто кратко ответьте на следующие
вопросы:
1. Имя
2. Город проживания
3. Где обучались языку и на каком уровне им владеете.

Наш e-mail: lONicholsonbronze@gmail.com

После этого в течении некоторого времени мы обязательно свяжемся с Вами!

Всего хорошего, надеемя на долгое сотрудничество!
This translates approximately to:

We need specialists to provide translations to the Italian language. If you need additional income (about $1000 per month) - this position is for you! You do not need to drive or walk anywhere! You just need to have access to the Internet and a telephone.

If you are interested in our offer - just briefly answer the following questions:
1. Name
2. City of residence
3. Where did you learn the language and how proficient are you.

Out email is: [random Gmail account]

After this we will contact you in a short while.

Have a good time, hoping for a long cooperation!

Our samples originate from ADSL and dial-up subscribers in Turkey and India. The Gmail address is different in each one.

Don't be tempted by an unsolicited "job offer" like this. You are extremely unlikely to be paid, and you could end up in serious trouble with the police.

Tuesday, 21 April 2009

"August Insurance USA" scam

Another fraudulent job offer, this time originating from 190.43.155.148 in Peru. It doesn't really matter what the exact fraud is, this could well be a "back office" operation. But it's a scam nonetheless. Avoid.

Subject: Good vacancy August Insurance USA.
Date: Tue, April 21, 2009 12:07 am
Priority: High

College degree but not enough experience?

Responsible for managing the day to day operations of various facilities to ensure the operations,
maintenance, and vendor management standards of the contract are met in a cost effective, safe and efficient manner.

Requirements
Candidates must possess the following:

- Effective interpersonal skills & communication skills
- Demonstrated leadership and team building abilities
- Self-confidence, flexibility and a positive attitude
- U.S. work authorization

Selected individuals will be trained to enhance leadership and networking skills in
preparation for an executive role within our company.

Compensation based solely on personal performance. For immediate consideration
please contact.

All positions will be filled immediately due to our recent expansion.

You may email your resume in Word to: CHmayHooper@gmail.com
Needless to say, don't send 'em anything. And if you have agreed to "work" for them, demand some verifiable proof that they exist.

Monday, 20 April 2009

Friday, 17 April 2009

Waledac: freeservesms.com

Waledac is pretty common these days, and it usually tries to point the victim to a fake video codec that is actually a trojan, often through a sensational "news" headline or the promise of nudity.

This particular pitch promises something quite different:
Do you want to test your partner or just to read somebody's SMS? This program is exactly what you need then!
It's so easy! You don't need to install it at the mobile phone of your partner.
Just download the program and you will able to read all SMS when you are online.
Be aware of everything! This is an extremely new service!


The download file is called smstrap.exe. So this magical piece of software can read someone else's SMS messages without having to install software on the phone, right? Wrong.. it's just another variant of the Waledac trojan (see the VirusTotal results, ThreatExpert prognosis).

In this case the domain in use is freeservesms.com although it is likely that there will be others. For the records, the WHOIS details are:

Domain Name : freeservesms.com

Registrant Contact Information :
SHANGGUANMING
GONGYUWUYEYOUXIANGONGSI
jongchangde@126.com
QIANJIN, 2005451
tel:
fax:

Administrative Contact Information :
SHANGGUANMING
GONGYUWUYEYOUXIANGONGSI
jongchangde@126.com
QIANJIN, 2005451
tel:
fax:

Technical Contact Information :
SHANGGUANMING
GONGYUWUYEYOUXIANGONGSI
jongchangde@126.com
QIANJIN, 2005451
tel:
fax:

Billing Contact Information :
SHANGGUANMING
GONGYUWUYEYOUXIANGONGSI
jongchangde@126.com
QIANJIN, 2005451
tel:
fax:

Status :
clientDeleteProhibited
clientTransferProhibited

Domain Name Server :
ns1.moneymedal.com
ns2.moneymedal.com
ns3.moneymedal.com
ns4.moneymedal.com
ns5.moneymedal.com
ns6.moneymedal.com

Registration Date :2009-4-13
Expiration Date : 2010-4-13
Added: downloadfreesms.com is punting the same malware.


Wednesday, 15 April 2009

"Yadu Investment Co., Ltd." / ntwifinetwork.com / tech-wifi.com

This email (supposedly from a Chinese domain registrar) follows a well-worn path of trying to sell useless names to owners of existing dot coms.

From: Joy [mailto:Joy@ntwifinetwork.com]
Sent: 10 April 2009 07:47
To: [redacted]
Subject: Notice of Intellectual Property Protection

Dear Sir/Madam: 2009-4-10

We are a domain name registration service company in Asia,
Last week we received a formal application submited by “Yadu Investment Co., Ltd.” Which wanted to use the keyword " [redacted]" to register the Internet Brand and with suffix such as .cn /.com.cn /.net.cn/.hk/ .asia/ domain names.
After our initial examination, we found that these domain names to be applied for registration are same as your domain name and trademark. We aren’t sure whether you have any relation with this company. Because these domain names would produce possible dispute, now we have hold down this registration, but if we do not get your company’s an reply in the next 5 working days, we will approve his application
In order to handle this issue better, Please contact us by Fax ,Telephone or Email as soon as possible.

Yours sincerely

Joy

Checking Department


Tel: 86 513 8532 2060
Fax: 86 513 8532 2065
Email :Joy@ntwifinetwork.com
Website: www.ntwifinetwork.com
Mail No.: [redacted]

Registrars DO NOT check trademarks before registrations (the exception is "sunrise registrations" for completely new top-level domains). This is an attempt to get you to buy an overpriced domain name that you don't need.

This mail may come from twifinetwork.com, tech-wifi.com or other domains, the domains are hosted on 174.138.60.95, some of the wording is lifted from asiaregistry.com although it is not possible to tell if they are affiliated.

If you are concerned about securing these domains, then most registrars now deal in Asian TLDs and can register them for you, else you are probably same to ignore it.

btw, the pitch is not new and has been used here, here and here.

Monday, 13 April 2009

Tropicalnames.com scam

tropicalnames.com is the new name for the pedma.com domain appraisal scam. The basic pitch is that you get an unsolicited offer for a domain name, along with a list of recognised appraisal companies. The cheapest company is controlled by the scammers who sent the email (apparently operating out of Canada).

Domain was registered on 3rd April 2008 with anonymised details and is hosted on 124.217.231.173 in Malaysia. If you get one of these, treat it as spam and file a complaint with abuse -at- piradius.net.