Subject: Refund of Duplicate Payment
From: "Customer Care Center" <2712@mibug-credit.com>
Date: Sat, June 20, 2009 8:12 pm
Dear Business Partner!
Enclosed is our e-check in the amount of EURO 1,750.00 which represents a refund for your inadvertent duplicate remittance for payment of transaction no. 267.
We are pleased that our bookkeeping department discovered this overpayment so quickly.
Thank you.
Instant Number Accounts
Credit Cards Bulk and Wholesale
http://mibug-credit.com
Yes, you'd think that there's a malware payload or something, but there isn't. Let's check out the domain registration details instead. The domain is hosted at 213.208.134.154 in Austria:
owner-contact: P-GFB634
owner-organization: MIBUG CREDIT UG
owner-fname: Georg
owner-lname: BENDL
owner-street: Menzingerstrasse 130
owner-city: MUENCHEN
owner-zip: D80997
owner-country: DE
owner-phone: +49.180523363313143
owner-email: wmt18703@kunde.webmachine.eu
This is meant to be some sort of financial services site, but it was only registered on 8th June 2009.
The site does very little. You can try to open an account (which requires handing over a bunch of personal information), but there's no way of getting this "refund". There are a few links to wiremouse.com on the site, which is hosted on the same server, so let's have a look at what else is on 213.208.134.154:
- Afrohair.at
- Altkatholiken.net
- Bankparadies.com
- Bmc-london.co.uk
- Bmc-shop.co.uk
- Cocodonia.com
- Firmenparadies.com
- Jr-austria.com
- Mibug-credit.com
- Quotum.at
- Schmeissfliegen.com
- Server1.biz
- Sofortbetrieb.com
- Tiefpreiszentrum.com
- Turi-landhaus.com
- Wiremouse.com
Registrant ID: C6565959-B-CO
Registrant Name: Georg BENDL
Registrant Address1: Bacherstrasse 7
Registrant City: GRIES
Registrant Postal Code: A5662
Registrant Country: Austria
Registrant Country Code: AT
Registrant Phone Number: +43.66492436352
Registrant Email: WMT5549@kunde.wmtech.net
Hmmm... OK, well what about wiremouse.com?
owner-contact: P-NVM192
owner-organization: Managed Offshore Payment Services Limited
owner-fname: Nikolas
owner-lname: MAKIN
owner-street: Cariocca Business Park 2 Sawley Road
owner-city: MANCHESTER
owner-zip: GM40 8BB
owner-country: GB
owner-phone: +44.7031887152
owner-email: wmt8464@kunde.webmachine.eu
So, it's based in the UK? Well, the postcode is incorrect, but Companies House does in fact have a firm of the name Managed Offshore Payment Services Limited registered. However, its accounts are overdue and there is a proposal to "strike off" the firm.
Let's look at bmc-london.co.uk on the same server:
Domain name:
bmc-london.co.uk
Registrant:
Bendl Georg
Registrant type:
Unknown
Registrant's address:
38 Homer Street
LONDON
GW1H 4NH
GB
Registrar:
Key-Systems GmbH [Tag = KEY-SYSTEMS-DE]
URL: http://www.Key-Systems.net
Relevant dates:
Registered on: 04-Sep-2008
Renewal date: 04-Sep-2010
Registration status:
Registered until renewal date.
Name servers:
ns1.webmachine.at
ns2.webmachine.at
This Georg Bendl chap moves around a lot. The address is valid, although it's hard to verify whether a real company operates from it.
In fact, most domains seem to be registered to "Georg Bendl", but the address is different in almost every case (although Salzburg features more than once).
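The pivot done by hand above (same registrant name under different addresses, same e-mail provider behind different mailboxes) is easy to automate. The following is an added Python example, not code from the original post: it parses the WHOIS excerpts quoted above in both registrar layouts, normalises the registrant name and e-mail host, and reports which values more than one domain shares. The records are trimmed to the fields the code uses.

```python
from collections import defaultdict

# WHOIS excerpts quoted in the post, trimmed to the fields used below (two registrar layouts).
RECORDS = {
    "mibug-credit.com": """owner-fname: Georg
owner-lname: BENDL
owner-email: wmt18703@kunde.webmachine.eu""",
    "wiremouse.com": """owner-fname: Nikolas
owner-lname: MAKIN
owner-email: wmt8464@kunde.webmachine.eu""",
    "bmc-london.co.uk": """Registrant:
Bendl Georg
Registrant's address:
LONDON
Name servers:
ns1.webmachine.at""",
}


def parse_whois(text):
    """Parse 'key: value' lines and Nominet-style 'Header:' blocks into {field: [values]}."""
    fields, section = defaultdict(list), None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.endswith(":"):                  # header; its values follow on separate lines
            section = line[:-1].lower()
        elif section is None and ":" in line:   # 'owner-fname: Georg' layout
            key, value = line.split(":", 1)
            fields[key.strip().lower()].append(value.strip())
        elif section:
            fields[section].append(line)
    return fields


def pivots(text):
    """Yield (feature, normalised value) pairs worth pivoting on across domains."""
    f = parse_whois(text)
    tokens = sorted(" ".join(f.get("registrant") or f.get("owner-fname", []) + f.get("owner-lname", [])).lower().split())
    if tokens:
        yield "registrant", " ".join(tokens)   # 'Georg BENDL' and 'Bendl Georg' compare equal
    for email in f.get("owner-email", []):
        yield "email_host", email.split("@", 1)[1].lower()         # the mailbox number varies
    for ns in f.get("name servers", []):
        yield "nameserver", ns.lower()


def shared_pivots(records, min_domains=2):
    """Return {(feature, value): [domains]} for pivots shared by at least min_domains."""
    index = defaultdict(set)
    for domain, text in records.items():
        for key in pivots(text):
            index[key].add(domain)
    return {k: sorted(v) for k, v in index.items() if len(v) >= min_domains}
```

Calling `shared_pivots(RECORDS)` links mibug-credit.com to bmc-london.co.uk through the registrant name and to wiremouse.com through the kunde.webmachine.eu mailbox host, which is exactly the chain the post follows.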
It's hard to fathom what this spam is about, although these sites do consistently link back to wiremouse.com. Some sort of SEO? A Joe Job? A phish? Email marketing gone horribly wrong? I don't know.
The final clue is that the sending IP address is 62.47.184.176, which is an ADSL subscriber in Austria. Draw your own conclusions, but I would be tempted to give all of these domains a wide berth.