Sponsored by..

Friday 24 April 2009

"WorldPay CARD transaction Confirmation" (again)

A repeat of a trojan spam run from a few months ago ,this fake "WorldPay CARD transaction Confirmation" email comes with a nasty payload.

Subject: WorldPay CARD transaction Confirmation
Date: Fri, April 24, 2009 5:28 pm

Thank you!

Your transaction has been processed by WorldPay, on behalf of Amazon Inc.
The invoice file is attached to this message.
This is not a tax receipt.
We processed your payment.
Amazon Inc has received your order,
and will inform you about delivery.
Sincerely,
Amazon Team

This confirmation only indicates that your transaction has been processed
successfully.
It does not indicate that your order has been accepted.
It is the responsibility of Amazon Inc to confirm that
your order has been accepted, and to deliver any goods or services you have ordered.
In this case there was a ZIP file called WorldPay_NR9712.zip (the filename may vary) with an executable in named WorldPay_NR9712.exe. When unzipped it looks a bit like a Windows Help file.

Detection rates are very poor, with only Microsoft flagging it up as something specific (PWS:Win32/Zbot.M). The ThreatExpert prognosis also indicates that it is malware (by the way, if you are dealing with an infected machine the ThreatExpert report can help you clean it up).

If you can, it is always a good idea to block EXE-in-ZIP attachments at the perimeter.

"IBC Group" fake job offer

There are lots of wholly legitimate firms called "IBC Group" or something similar. This one claims to be an "international business consultancy".. and yet they are using a free Google Mail address rather than a corporate one. It is just another money mule scam, although the 5% fee they are offering is surprisingly low (of course, this is stolen money so all you will end up with is a jail sentence).

Subject: Business
Date: Fri, April 24, 2009 12:29 pm

Dear SMALL BUSINESS OWNER
We are being a private international business consultancy (IBC GROUP) striving hard to perform the best to achieve optimal results in gaining efficiency of our client’s ventures. In this global economy crash time we turn to alternative solutions for our clients from Eastern Europe who are obliged to pay off US or Western Europe originated transfer taxes, which at times may be as much as 35%.
Therefore, we are raising up this appeal to those small business owners who have both desire and possibility to stand up as our partners and who may use their business accounts to operate internal transactions for their further remittance to our clients . As being held on a larger scale, your personal benefit will be 5% off every payment posted to your account (or company’s). It may become a considerable upgrade for you and your company.
If this comes up your alley, please, come back for details by: Katherin.Mills@gmail.com

with the following:
First Name:
Last Name:
Country:
State:
City:
Phone (Landline):
Phone (CELL):
Email:

Thank you in advance,
IBC GROUP.


Originating IP is 88.242.82.65 in Turkey.

Wednesday 22 April 2009

Russian / Italian spam

One of the major hurdles that spammers and scammers face is language. A typical eastern bloc scammer usually won't be able to speak any language like a native other than their own, and a poorly worded pitch is often an obvious sign of a scam.

Machine translations rarely make sense, and the best translators are always native speakers of that language. So, a professional fraud crew will often try to recruit linguistic experts to give their message more of an edge.

In this case, the spammers are trying to recruit someone who speaks Italian and presumably Russian. That's a target audience of around 60 to 70 million people who might well fall for an Italian language scam.

В наше бюро переводов требуются специалисты по итальянскому языку.
Если Вам нужен дополнительный заработок (~1000$ в месяц) - эта вакансия для Вас!
Ездить и ходить - никуда не нужно! Достаточно просто иметь доступ к интернету и телефон!
Никаких финансовых вложений с вашей стороны не нужно! И это не тендер!

Если Вам все еще интересно наше предложение - просто кратко ответьте на следующие
вопросы:
1. Имя
2. Город проживания
3. Где обучались языку и на каком уровне им владеете.

Наш e-mail: lONicholsonbronze@gmail.com

После этого в течении некоторого времени мы обязательно свяжемся с Вами!

Всего хорошего, надеемя на долгое сотрудничество!
This translates approximately to:

We need specialists to provide translations to the Italian language. If you need additional income (about $1000 per month) - this position is for you! You do not need to drive or walk anywhere! You just need to have access to the Internet and a telephone.

If you are interested in our offer - just briefly answer the following questions:
1. Name
2. City of residence
3. Where did you learn the language and how proficient are you.

Out email is: [random Gmail account]

After this we will contact you in a short while.

Have a good time, hoping for a long cooperation!

Our samples originate from ADSL and dial-up subscribers in Turkey and India. The Gmail address is different in each one.

Don't be tempted by an unsolicited "job offer" like this. You are extremely unlikely to be paid, and you could end up in serious trouble with the police.

Tuesday 21 April 2009

"August Insurance USA" scam

Another fraudulent job offer, this time originating from 190.43.155.148 in Peru. It doesn't really matter what the exact fraud is, this could well be a "back office" operation. But it's a scam nonetheless. Avoid.

Subject: Good vacancy August Insurance USA.
Date: Tue, April 21, 2009 12:07 am
Priority: High

College degree but not enough experience?

Responsible for managing the day to day operations of various facilities to ensure the operations,
maintenance, and vendor management standards of the contract are met in a cost effective, safe and efficient manner.

Requirements
Candidates must possess the following:

- Effective interpersonal skills & communication skills
- Demonstrated leadership and team building abilities
- Self-confidence, flexibility and a positive attitude
- U.S. work authorization

Selected individuals will be trained to enhance leadership and networking skills in
preparation for an executive role within our company.

Compensation based solely on personal performance. For immediate consideration
please contact.

All positions will be filled immediately due to our recent expansion.

You may email your resume in Word to: CHmayHooper@gmail.com
Needless to say, don't send 'em anything. And if you have agreed to "work" for them, demand some verifiable proof that they exist.

Monday 20 April 2009

Friday 17 April 2009

Waledac: freeservesms.com

Waledac is pretty common these days, and it usually tries to point the victim to a fake video codec that is actually a trojan, often through a sensational "news" headline or the promise of nudity.

This particular pitch promises something quite different:
Do you want to test your partner or just to read somebody's SMS? This program is exactly what you need then!
It's so easy! You don't need to install it at the mobile phone of your partner.
Just download the program and you will able to read all SMS when you are online.
Be aware of everything! This is an extremely new service!


The download file is called smstrap.exe. So this magical piece of software can read someone else's SMS messages without having to install software on the phone, right? Wrong.. it's just another variant of the Waledac trojan (see the VirusTotal results, ThreatExpert prognosis).

In this case the domain in use is freeservesms.com although it is likely that there will be others. For the records, the WHOIS details are:

Domain Name : freeservesms.com

Registrant Contact Information :
SHANGGUANMING
GONGYUWUYEYOUXIANGONGSI
jongchangde@126.com
QIANJIN, 2005451
tel:
fax:

Administrative Contact Information :
SHANGGUANMING
GONGYUWUYEYOUXIANGONGSI
jongchangde@126.com
QIANJIN, 2005451
tel:
fax:

Technical Contact Information :
SHANGGUANMING
GONGYUWUYEYOUXIANGONGSI
jongchangde@126.com
QIANJIN, 2005451
tel:
fax:

Billing Contact Information :
SHANGGUANMING
GONGYUWUYEYOUXIANGONGSI
jongchangde@126.com
QIANJIN, 2005451
tel:
fax:

Status :
clientDeleteProhibited
clientTransferProhibited

Domain Name Server :
ns1.moneymedal.com
ns2.moneymedal.com
ns3.moneymedal.com
ns4.moneymedal.com
ns5.moneymedal.com
ns6.moneymedal.com

Registration Date :2009-4-13
Expiration Date : 2010-4-13
Added: downloadfreesms.com is punting the same malware.


Wednesday 15 April 2009

"Yadu Investment Co., Ltd." / ntwifinetwork.com / tech-wifi.com

This email (supposedly from a Chinese domain registrar) follows a well-worn path of trying to sell useless names to owners of existing dot coms.

From: Joy [mailto:Joy@ntwifinetwork.com]
Sent: 10 April 2009 07:47
To: [redacted]
Subject: Notice of Intellectual Property Protection

Dear Sir/Madam: 2009-4-10

We are a domain name registration service company in Asia,
Last week we received a formal application submited by “Yadu Investment Co., Ltd.” Which wanted to use the keyword " [redacted]" to register the Internet Brand and with suffix such as .cn /.com.cn /.net.cn/.hk/ .asia/ domain names.
After our initial examination, we found that these domain names to be applied for registration are same as your domain name and trademark. We aren’t sure whether you have any relation with this company. Because these domain names would produce possible dispute, now we have hold down this registration, but if we do not get your company’s an reply in the next 5 working days, we will approve his application
In order to handle this issue better, Please contact us by Fax ,Telephone or Email as soon as possible.

Yours sincerely

Joy

Checking Department


Tel: 86 513 8532 2060
Fax: 86 513 8532 2065
Email :Joy@ntwifinetwork.com
Website: www.ntwifinetwork.com
Mail No.: [redacted]

Registrars DO NOT check trademarks before registrations (the exception is "sunrise registrations" for completely new top-level domains). This is an attempt to get you to buy an overpriced domain name that you don't need.

This mail may come from twifinetwork.com, tech-wifi.com or other domains, the domains are hosted on 174.138.60.95, some of the wording is lifted from asiaregistry.com although it is not possible to tell if they are affiliated.

If you are concerned about securing these domains, then most registrars now deal in Asian TLDs and can register them for you, else you are probably same to ignore it.

btw, the pitch is not new and has been used here, here and here.

Monday 13 April 2009

Tropicalnames.com scam

tropicalnames.com is the new name for the pedma.com domain appraisal scam. The basic pitch is that you get an unsolicited offer for a domain name, along with a list of recognised appraisal companies. The cheapest company is controlled by the scammers who sent the email (apparently operating out of Canada).

Domain was registered on 3rd April 2008 with anonymised details and is hosted on 124.217.231.173 in Malaysia. If you get one of these, treat it as spam and file a complaint with abuse -at- piradius.net.

Sunday 12 April 2009

"Mikeyy Mooney" / StalkDaily.com - someone is lying

The rules of spam are a semi-humorous and semi-serious look at the behavior of spammers.

Well, one hot spam topic is the recent StalkDaily.com XSS attack on Twitter. This cross-site attack basically spams out ads via a victim's contact list, and although it is arguable if this is "hacking", it certainly is spamming.

So, let's look at the "rules of spam" and how they apply in this case.

Rule #0: Spam is theft.
Using Twitter's services to send spam is theft. But perhaps the main financial cost to Twitter is that this kind of rubbish will put people of using the service. Of course, Twitter doesn't actually seem to make any money, but that's another issue..

Rule #1: Spammers lie.
So, when the spam attack took place, some people must have started to make complaints about StalkDaily.com, a domain registered on 22nd March to an anonymous registrant. The owner of StalkDaily.com responded as follows:

For everyone wondering, I did NOT promote and/or was involved with the spamming ON Twitter. All bad things you are hearing about this site is not true. Please reconsider as I am not the person who did this.
So, that clearly states that StalkDaily.com is not behind the XSS attack. So what's going on? Is it a Joe Job? Here's the odd thing.. Joe Jobs normally target established sites (not one less than a month old), and why waste an XSS exploit like this on a Joe Job when Twitter will probably close it?

We didn't have to wait long for an answer:

I have came clean and have accepted the responsibility for the worm, read the interview here, http://www.bnonews.com/news/242.html.

That's kind of 100% different from the last denial. The operator of StalkDaily.com is clearly lying about something, perhaps everything.

Rule #2: If a spammer seems to be telling the truth, see Rule #1.
As we have discovered, StalkDaily.com's denial was proved to be a lie. Or perhaps there denial is a lie. In any case, you should not do business with liars or spammers.

Rule #3: Spammers are stupid.
And this dude is as stupid as they get. Sure, stupid in a very smart kind of way.. but the kind of stupid that doesn't thing what the consequences might be.

Rule #4: The natural course of a spamming business is to go bankrupt.
I can hear the sound of Twitter lawyering up. Hahahah.


The StalkDaily.com website points to a pseudo-news article at BNOnews fingering someone called "Mikeyy Mooney". And there's a large collection of material relating to "Mikeyy Mooney" at sqworl. But is it really "Mikeyy Mooney"? The admission itself comes from whoever operaters StalkDaily.com.. and we have already established that they are a liar. The sqworl documents point to someone in Louisiana.. the BNOnews article says New York. Last time I looked at a map, these were two different places.

Perhaps a closer look at StalkDaily.com's server might be interesting. 74.200.253.195 hosts the following domains:

  • Haxyou.com
  • Michangelomooney.com
  • Stalkdaily.com
Wait.. Michangelo? Is this guy a teenage mutant ninja turtle?

Most of these sites have anonymous WHOIS details, except for Haxyou.com which is registered to some guy called Ryan who appears to be a distinctly different biological entity.

This is the bottom line - the operator of StalkDaily.com is a liar. They may even be lying that they are "Mikeyy Mooney." Perhaps Twitter can do us all a favour and subpoena the domain records before suing this idiot into the ground.

"Body parts" murder II

The gruesome body parts murder has a new installment with the discovery of a fifth body part, quite near to some of the others. You can see a the distribution of finds on Google Maps.

This adds another element to the data set. The route between points "A" and "B" is curious and uses a lot of back roads, if that IS the route. Clearly these grisly finds have a pattern, but can they be traced back to the origin?

Thursday 9 April 2009

"Body parts" murder

One mystery gripping this part of the UK is the mysterious "body parts" murder, where part of a dismembered victim have been left near the roadside in several locations: Wheathampstead, Puckeridge and Cottered in Hertfordshire and the head was dumped in Asfordby, Leicestershire.

Given that the Puckeridge part was reportedly left by the northbound carriageway, that gives a clue as the the direction that the "dumper" was travelling. And making an assumption that the head was the last part to be dumped because it was the furthest away from the others, then you can take these four data points and plot them into Google Maps.

You can see more here. Of course, speculation is just that, but if does appear that the dumper did a loop around Hertfordshire perhaps near the A414, A10, A507 and then drove up the A1 for about an hour before turning off. Yes, there's a technology aspect here - a tool like Google Maps makes it very easy to visualise this sort of data.

OK, this is all pretty gruesome and don't forget that someone has lost their life. But there's a grim fascination as to where the next discovery will be. Will that fit into the pattern?

Wednesday 8 April 2009

secretdesiresuk.com spam

Yuck.

Subject: SecretDesires - The Ultimate Social Networking for Singles and Couples
From: "Secret Desires"
Date: Wed, April 8, 2009 5:25 pm

Are you a couple or single looking for FUN??

Worldwide Coverage with Audio and Video Cam Chat Rooms!

Virtual Kisses and Profile Voting!

Profile Pictures and Videos!

Massive Video Database growing Daily!

Come and Enjoy the Ride!!

You must add at least one valid profile picture to remain a FREE member!!

Secret Desires - What's Yours??
Originating IP is 78.145.126.63, secretdesiresuk.com is hosted on 174.132.193.251. The domain is registered to HostGator rather than the actual registrants, who are..


Debbie 'n' Paul. They say: "SecretDesiresUK is the culmination of 3 years of false starts and hard work by Debbie and Paul, of Orion Network Designs. We are both Swingers and have worked in the Adult Industry long enough to understand exactly what people want from an Adult Social Networking Site."

What? Like spam?

Let's log in. No confirmation of email address is needed. Bad luck Mr President.

67 members. And yes, the photograph gallery shows plenty of "members". Including some nudie shots of Debbie 'n' Paul. Yuk.

I'm not prudish, and frankly I believe that consenting adults should be able to get on with whatever they want to in private. But spamming this crap out at random is just going to get the wrong kind of attention.

If you get one of these, forward the email to security -at- hostgator.com.

Saturday 4 April 2009

luxgroupnz.com / LuxGroup scam

There are lots of legitimate ocmpanies with the name LuxGroup or Lux Group or something similar. This particular fake "LuxGroup" uses the domain luxgroupnz.com to push some sort of fraudulent job offer, probably a money mule or some other criminal activity.

Subject: A better career with LuxGroup

Good Day,

Major International Company is ready to offer you part(1-2 hours a day) and full time(5-8 hours per day) job in the USA. If you are interested, get back to us by email and send your resume or a short description of your former activities. Excellent career growth perspectives and merited salary.

For more info about terms, conditions and financial remuneration, get back ONLY to our corporative email address below: advjob@luxgroupnz.com

With regards,
Lux Group, Hiring Department
The luxgroupnz.com domain was registered on April 1st 2009 through XIN NET TECHNOLOGY CORPORATION to:

Name : Michell
Organization : Michell
Address : 56/2 Sun str.
City : Dallas
Province/State : beijing
Country :
Postal Code : 85230
Phone Number : 86--56343365
Fax : 86--56343365
Email : Michell.Gregory2009@yahoo.com

Site is hosted on 222.73.37.250, name services are proved by NS1.CHOSTSERVICE.COM and NS2.CHOSTSERVICE.COM. Other domains hosted on that server are:

  • A-finance.net
  • A-finance.org
  • Aiminfo.info
  • Careertrip.cn
  • Danunafig.ru
  • Dessgif.com
  • Hot-jobster.cn
  • I-love-pets.ru
  • Icm-mail.biz
  • Icm-network.net
  • Isearchword.info
  • Itellu.info
  • Itellu.ru
  • Lastyp.ru
  • Mountain-travel.ru
  • Mycotteges.ru
  • Oceananswers.info
  • Oceanofsearches.info
  • Pinigeliai.com
  • Temp-biz.cn
  • U-search.info
  • Yadrenamat.ru
  • Yaponamat.ru
Some of these other domains have also been used for fraudulent offers.

If you get one of these ignore it.

Friday 3 April 2009

Hostfresh dead?

Sandi reports that Hostfresh has been de-peered, the latest organized criminal web host to be removed from the interwebs.

This Hong-Kong based outfit provided the back end hosting for malware infections including early versions of Conficker. It has been increasing apparent that they are basically an outpost of the Russian Business Network.

Hostfresh-hosted domains have scattered, but it probably won't be long until they find another RBN-friendly host that doesn't know what happened to Atrivo, McCole, Ukrtelegroup and Estdomains.

Thursday 2 April 2009

BlizzardImageHosting.com - possible Joe Job

We have an email trap that seems to be hit exclusively by a low number of Waledac related spam (fake "terror reports", pharma spam, penis enlargement etc). We know that this particular address was harvested from a compromised PC, so the only people who have the address are the Bad Guys.

Unexpectedly then, the following email turned up:

From: (removed)
Sent: 01 April 2009 20:33
To: (removed)
Subject: Free Image Hosting

BlizzardImageHosting.com is a new leader in online image & photo hosting,
portfolios, and slideshow creation. We offer features you wont find
at other image hosting sites and we offer it FOR FREE!

- Upload Unlimited Images
- Share Images With Anyone and Anywhere
- Get Gigabytes of Monthly Bandwidth

and much more...

Sign up now!
http://blizzardimagehosting.com/index.php

(c) 2003-2009 Blizzard Image Hosting All Rights Reserved

So, my initial thoughts were that blizzardimagehosting.com were in league with the bad guys. Let's check out their WHOIS details:

Marquee, Media Networks webmaster -at- marqueemediaonline.com
Marquee Media Networks
6741 Sprinkle Road, Ste 293
Portage
MI
49002
US
Phone: +1.2694929957
Fax: +1.2694929958
The address is actually a branch of PakMail, but that probably means in this case that Marquee Media Networks rents a post box. The WHOIS details for marqueemediaonline.com indicate a name of Christopher Maher. So do these WHOIS details look suspicious? Not really. Usually, Waledac related domains come with WHOIS details that indicate telltale traces in China or Russia, the details for blizzardimagehosting.com are not inherently suspicious.

Marquee Media operates a web server at 216.17.107.72, which contains an ill-advised mix of adult sites and general interest sites (porn sites and fishing on the same server?) all the WHOIS details are consistent, and there seems to be nothing illegal going on.

Here's the thing - nothing at all about blizzardimagehosting.com fits the Waledac profile. This seems to be a small business running out of Illinois, nothing more. At a best guess, Marquee Media has somehow displeased the Waledac gang, either through something to do with adult content or web hosting.

So.. if you get a spam for blizzardimagehosting.com then treat it with scepticism, and as far as I am concerned this company is probably not guilty of this spam run and instead it looks like a Joe Job.

Friday 27 March 2009

"Shanghai QiPeng Network Information Technology" / "Sopper Investment Co. LTD"

This particular pitch has been around for a long time - a domain name registrar (or reseller) who is "checking" about a domain registration that might infringe on your trademarks. Of course, registrars are not responsible for checking trademarks (can you imagine how complicated and expensive the process would be!)

Usually this approach is an attempt to get you to register useless domain names at inflated prices.. and in all probability these domain names they are warning about will never even be registered. If you really are concerned, then register them through a reputable registrar, else you are best off ignoring it.

Subject: Domain Issues for "[redacted]"
From: "Ramon zhang"
Date: Fri, March 27, 2009 9:20 am

If you are not the person who is in charge of this, please forward to the right person/department. Thank you)

Dear CEO,

We , a registrar organization in China, have something to check with you. We received an application today One South Korea company called " Sopper Investment Co. LTD" is applying for "[redacted]" as internet brand and following Asian/.CN domain names to use.
[redacted].com.tw
[redacted].hk
[redacted].in
[redacted].net.cn
[redacted].org.cn
[redacted].tw

After our initial checking, we found the internet brand and keyword of these domain names are as same as your company¡¯s.Because of it involves your company's intellectual property, so we need to check this with your company. If the aforesaid company is your subsidiary company or your business partner, please DO NOT reply us, we will approve the application automatically. If you have no any relationship with this company, please contact us within 7 workdays. If out of the deadline, we will approve the application submitted by "Sopper Investment Co. LTD" unconditionally.
Look forwarding to hearing from you.Thanks.

Best Regards,

Ramon Zhang
Leader Checker
Shanghai QiPeng Network Information Technology Co.,Ltd
Tel£º +86-21-6992-9440 Fax£º +86-21-6992-9447

Postal Code£º 200063
website:http://www.qipeng.org.cn


Shanghai QPNIC Web Property Solutions Limited is a comprehensive company engaged in the Internet intellectual property services that mainly provides network-based service, network intellectual property service.
Company objective: The good faith first, the customer is supreme.

The same approach can be seen here and here.

Thursday 26 March 2009

dns@nisource.com Joe Job

NiSource is a US electricity and gas provider. This spam appears to be a Joe Job aimed at the DNS support mailbox at that company. In this case the originating IP is 166.156.53.33.

From: Mabel Mcdaniel [mailto:dns@nisource.com]
Sent: 26 March 2009 14:55
To: [redacted]
Subject: Replica Watches

A lot of brands, 100-300 usd.
Mail to order: dns@nisource.com

Since the email is soliciting replies via email, it is most likely a revenge attack for something or other.

Monday 23 March 2009

Video: Beware of the Monkeys

Don't give the monkeys a socket set (source: IET)

songmeanings.net compromised?

songmeanings.net is a popular and relatively crud-free lyrics site that attracts millions of visitors a year. Alexa ranks it as about the 5000th most popular site in the world (dynamoo.com ranks in at about 290,000).

Unfortunately, the email database at songmeanings.net appears to have been compromised and the email addresses are now receiving "Canadian Pharmacy" spam routed via spaces.live.com. It is unknown if any other details have been taken, in all likelihood this is probably a trojan that has taken email addresses only.

(They are not the only one. Tradedoubler is an advertising network that has been similarly compromised).

Pozde.com domain valuation scam

A copy of the recent Pedma.com domain appraisal scam, this time with the name pozde.com. The pitch is something similar to the following:

Dear sir,

we are interested to buy your domain name [REDACTED] and offer to buy it from you for 70% of the appraised market value.

As of now we accept appraisals from either one of the following leading appraisal companies:

sedo.com
pozde.com
moniker.com
accuratedomains.com

If you already have an appraisal please forward it to us.

As soon as we have received your appraisal we will send you our payment (we use Paypal for amounts less than $2,000 and escrow.com for amounts above $2,000) as well as further instructions on how to complete the transfer of the domain name.

We appreciate your business,

Thanks,

P. Jackson
Pozde.com is the fake appraisal site, and because it is cheaper than the others (which are legitimate) there's a chance you will try to use it. Although this time they have remembered to give you a box to specify your domain (they didn't with the old version), you should be under no doubt that this is an attempt to defraud.

The WHOIS entry for pozde.com is a crude fake:

Registrant:
Richard Smith
563 queen st
bruckberg, er 54767
Iceland

Domain Name: POZDE.COM
Created on: 19-Nov-08
Expires on: 19-Nov-09
Last Updated on: 20-Mar-09

Administrative Contact:
Smith, Richard admin@bizing.biz
563 queen st
bruckberg, er 54767
Iceland
+1.9024312570 Fax --

Technical Contact:
Smith, Richard admin@bizing.biz
563 queen st
bruckberg, er 54767
Iceland
+1.9024312570 Fax --

Domain servers in listed order:
NS1.IPNAMES.NET
NS2.IPNAMES.NET
In fact, it is actually registered to:

Registrant:
Manuel Fichter
38 Matthew Drive
Hammonds Plains, NS B4B 1T8
Canada

Domain Name: POZDE.COM
Created on: 19-Nov-08
Expires on: 19-Nov-09
Last Updated on: 05-Mar-09

Administrative Contact:
Fichter, Manuel admin@bizing.biz
38 Matthew Drive
Hammonds Plains, NS B4B 1T8
Canada
9024312570 Fax --

Technical Contact:
Fichter, Manuel admin@bizing.biz
38 Matthew Drive
Hammonds Plains, NS B4B 1T8
Canada
9024312570 Fax --
You should also consider the domains tysoo.com (recently bought by Manuel Fichter) and dexpay.com as suspect, because it seems that there is a pattern emerging here.

So why is it a scam? Pedma.com was definitely a scam - when you sent off your PayPal payment there was no way to specify what you wanted appraising, the fact that Pozde.com has added this in is immaterial. The WHOIS entry is fake (the registrant is in Canada, not Iceland).

Site is hosted on 124.217.231.173 in Kuala Lumpur. Send abuse reports to abuse -at- piradius.net.

If you feel that you have been defrauded and you live in Canada, you can file a complaint with the RCMP.

Added: some other domains to watch out for, owned by the same person are:

  • veecs.com
  • grooc.com
  • usbabes.info
  • tysoo.com (being transferred)
  • dexpay.com
  • bizing.biz
  • fastbooster.com
  • moviesforme.org
  • casinocrew.com