Dynamoo's Blog

Sunday 19 June 2011

Fake job domains 19/6/111

A whole batch of domains advertising fake jobs today (mostly money mule operations). These were are registered two days ago to the fictitious "Leonid Pravduk" registrant that we have seen recently, and form part of the very long running "Lapatasker" series of scam domains.

europe-hire.net
green-westeurope.com
hosting-europ.com
newgreen-europ.com
traffic-europ.com
us-totaljob.com
usa-totaljob.com

Avoid these, basically.. but if you do have a sample email, feel free to share it in the comments.

Friday 17 June 2011

Fake jobs: totaljob-eu.com

Another day, another fake job domain used for contacting potential money laundering mules, this time totaljob-eu.com which is a part of this long-running scam.

The domain was registered just yesterday to the new "Leonid Pravduk" persona that the scammers seem to be using. Avoid.

    Leonid Pravduk

    Email: leonpravduk@yahoo.com

    Organization: Leonid Pravduk

    Address: ul.Beregovaya 13-2

    City: Doneck

    State: Doneckaya

    ZIP: 83000

    Country: UA

    Phone: +3.80443582153

Thursday 16 June 2011

SMS Spam: "You have still not claimed the compensation you are due.."

These mystery ambulance-chasing SMS spammers are at it again:

You have still not claimed the compensation you are due for the accident you had. To claim then pls reply CLAIM. To opt out text STOP

In this case the spam comes from +44749353036, but the spammers rotate numbers regularly as they get blacklisted.

If you get one of these, forward the message to 7726 ("SPAM") on T-Mobile, O2, Orange or Three. If you are a Vodafone customer, forward it to 87726 ("VSPAM"). Your carrier should be able to block the spammer's number and with enough evidence may be able to take action against them.

Update: 3's spam reporting number is 37726 (3SPAM). Thanks for the tip, Richard!

Fake jobs: cosulting-eu.com and espana-cvbase.com

Two more fake domains in the long-running "Lapatasker" series:

cosulting-eu.com
espana-cvbase.com

The registration details have changed (see below), but otherwise this is the same old attempt to recruit people for money laundering. Avoid.

Leonid Pravduk
    Email: leonpravduk@yahoo.com
    Organization: Leonid Pravduk
    Address: ul.Beregovaya 13-2
    City: Doneck
    State: Doneckaya
    ZIP: 83000
    Country: UA
    Phone: +3.80443582153

Tuesday 14 June 2011

SMS Spam: "URGENT! If you took out a Bank Loan prior to 2007.."

This SMS spam is probably from the same bunch of scumbags who brought you this long-running ambulance chasing spam.

URGENT! If you took out a Bank Loan prior to 2007 then you are almost certainly entitled to £2300 in compensation. To claim text 'YES'. Free to apply.

In this case the SMS came from +447591233963, but the spammers vary these all the time to avoid getting blocked.(Update 28/9 they are now using +447968780878 and +447968766208. Update 30/9 and now +44798044443)

Since they don't honour TPS opt-outs, then they are probably not to be trusted.. whoever they are.

If you get one of these, forward the message to 7226 ("SPAM") on T-Mobile, O2 or Orange.. If you are a Vodafone customer, forward it to 87726 ("VSPAM"), on Three the number is 37726 ("3SPAM") Your carrier should be able to block the spammer's number and with enough evidence may be able to take action against them.

If you see any other telephone numbers for this, please consider letting us known through a Comment.

Fake jobs: usa-jobslist.com

Another addition to this long running scam, usa-jobslist.com is freshly registered and will be used to attempt to recruit people for money laundering and other illegal activities. Avoid.

Monday 13 June 2011

Fake jobs: gb-offerlist.com, high-webtraffic.com and traffic-dc.com

More fake job offers.. or at least more fake something from the crew behind the "Lapatasker" series of dodgy domains:

gb-offerlist.com
high-webtraffic.com
traffic-dc.com

The shift in domain names might mean a shift in tactics, but be assured that any solicitation you get from these email addresses will be a scam.

Thursday 9 June 2011

Fake jobs: europe-joblist.com

Another fake "Lapatasker" job offer domain, europe-joblist.com was registered just yesterday to "Aleksej Iliin".

The standard pitch is for a job that actually involves money laundering or some other criminal activity. Avoid.

Wednesday 8 June 2011

94.244.80.7 / bookpolo.com / booksolo.com / bookgusa.com injection attacks

The crew responsible for the LizaMoon and Worid-Of-Books.com are back with a new set of injection attacks, this time hosted on 94.244.80.7 in Lithuania.

The following domains are currently in use:
bookaros.com
bookarra.com
bookavio.com
bookdolo.com
bookfula.com
bookgusa.com
bookmonn.com
bookmono.com
bookmylo.com
booknunu.com
bookpolo.com
booksgou.com
booksoco.com
booksolo.com
booktuba.com
bookvila.com
bookvivi.com
bookvoxy.com
bookzoul.com
bookzula.com

Registrant details are familiar and fake:

JamesNorthone
   James Northone jamesnorthone@hotmailbox.com
   +1.5168222749 fax: +1.5168222749
   128 Lynn Court
   Plainview NY 1180

us

Injection attacks seem to be either trying to insert an anchor with the word "book" pointing to one of the bad sites, presumably as a "Worid of Books"-type SEO campaign, or alternatively they are using the ur.php approach the LizaMoon used.

The whole 94.244.64.0/18 block looks toxic and is worth blocking. I'll post more details on that when I get the time.

Tuesday 7 June 2011

Fake jobs: allconsult-eu.com, es-joblist.com and us-joblist.com

Another bunch of fake "Lapatasker" job offers, part of a long-running series. Jobs offered will including such illegal activities as money laundering and receiving stolen goods, so worth avoiding.

allconsult-eu.com
es-joblist.com
us-joblist.com

Contact details on the domain are probably fake ("Aleksej Iliin" again):

    Aleksej Iliin

    Email: abolan@mail.org

    Organization: Private person

    Address: Okruzhnaya ul. d.5 kv.4

    City: Moskva

    State: Moskovskaya obl.

    ZIP: 183124

    Country: RU

    Phone: +7.4959424617 

    Fax: +7.4959424617

All domains were registered on 5th June.

Tuesday 31 May 2011

Liver Transplant spam

A weird one here.. somebody offering bits of their liver for sale. Of course it could be a scam, but it might even be genuine (which is perhaps more disconcerting). Originating IP address is 95.167.110.9 in Russia.

From: Alex alexsilpo@yahoo.com
Date: 30 May 2011 10:37
subject: Liver transplant.

Hello.
I found your e-mail adress on medical site of transplant and liver problems.
My name is Alex, I am 31 years european man, I never drank alcohol and did not smoke cigarettes, my blood is O+ and I have a good health. If you need liver transplant I am ready to give part of my liver, but I want to receive a big compensation for that...

If you do not need liver transplant, but you know somebody who need it, please send my message to this person or keep it just in case.

alexsilpo@yahoo.com
alexsilpo@hotmail.com
alexsilpoeu@yandex.ua

Alex

P.S. If I was mistaken, I am sorry, I will not disturb you any more.

Fake jobs: 1new-position.com, gb-hire.net, gb-jbprogramm.com, online-vacancy.net and us-vacancy.net

Another installment of this long-running job scam, the following domains are newly registered (2 days ago) and are most likely to be used to recruit people for money laundering and other criminal activities. Avoid.

1new-position.com
gb-hire.net
gb-jbprogramm.com
online-vacancy.net
us-vacancy.net

Domains are registered to the "Aleksej Iliin" persona that we have seen many times before.

Tuesday 24 May 2011

gb-offers.com bogusjob offers

Another domain offering bogus jobs in money laundering or other illegal activities is gb-offers.com, part of the long running "Lapatasker" series of scams. As with other recent domains, this too is registered to the (probably fake) "Aleksej Iliin" person.

Avoid.

Friday 20 May 2011

Fake jobs: au-position.org and europjob.org

Two new(ish) fake job domains in the "Lapatasker" series, au-position.org and europjob.org are being used to recruit money mules etc etc.

As usual, avoid.

Thursday 19 May 2011

Scam: "Your money has been recovered"

Originating from a government-owned IP address in China (218.26.2.42), this slightly puzzling advanced fee fraud is deliberately vague about where this $7.6m comes from.. of course, there are no millions stashed away in Hong Kong, but instead you can expect that there will be a LOT of expensive and unexpected fees to pay instead.

From: Mark Edwin admin@ssing.ru
Reply-To: intldeptreconcom@consultant.com
Date: 18 May 2011 01:50
Subject: Your money has been recovered (5/18/2011)

International Debt Recovery and Reconciliation Hong Kong
6/F,Trade Service Center ,388 Kwun Road
Kowloon, Hong Kong

Tel: 852-3015-1834 Fax: 852-3015-1834

Dear Beneficiary

                                                                        Re Payment instruction
This is international debt recovery and reconciliation office Hong Kong, our mandate is to settle all outstanding debt owe to contractors and individuals all over the world, thus this debt must have been originated from awarded contracts, inheritance and sweepstakes lottery, If you fall into this category of contractors, individual or lottery winners we advise that you contact this office immediately.We presently recover your $7.6 Million United States Dollars

The directive came in line with the agreement reached in New York U.S.A with the International Moneytary Fund -IMF, World Bank London and Paris Club on creditors and overseas credit Commission for immediate settlements of all Intercontinental debts owed to you by various countries.

1.      Date of Approval: 22-11-2010
2.      Revised Remittance: Not endorsed.
3.      Fund Endorsement payment code No AG-000087GXY-2F-PASS 2001-2010
4.      Date of issue 19-01-2011
5.      Bank Effect payment of beneficiary fund
6.      International payment: Certifнcate Code No:Not Endorsed

On receipt of your a responds to this fax/email message, please contact our north America payment clearing center bellow.

George Donald
Foreign Affair Officer
Email:
Tel: 1-226-556-3307
Fax: 1-866 964 3856.

However, I will advise that   update this office on a regular bases

Best regards,

MARK EDWIN
Regional Coordinator
International Credit Commission Hong Kong

Friday 13 May 2011

New Blogger logo

Google unveiled a new Blogger logo today to reflect their two day outage (another triumph for cloud computing).

Wednesday 11 May 2011

Fake jobs: first-weboffer.com, weboffers-tech.com, weboffers-tech.com and wug-tech.com

Another batch of domains offering non-existent jobs, part of the long-running "Lapatasker" series. The jobs will include money laundering and other criminal activity.. so probably best acoided.

As with other recent domains, these are registered to a probably fictitious person called Aleksej Iliin, the domains were registered on 10th May.

first-weboffer.com
weboffers-tech.com
weboffers-tech.com
wug-tech.com

Pinball Corporation RIP?

Pinball Corporation is a company that bought the remnants of Zango, a company that had a reputation for pushing slimeware. Last year I pointed out a case where Pinball Corp were clearly not keeping an eye on the actions of their affiliates, and other people have been critical of them too.

Well, there's potentially some good news.. because according to the Washington State Corporations Division, Pinball Corp became inactive on the 2nd May 2011.

PINBALL CORP.

UBI Number	602918125
Category	REG
Profit/Nonprofit	Profit
Active/Inactive	Inactive
State Of Incorporation	DE
WA Filing Date	09/02/2010
Expiration Date	09/30/2011
Inactive Date	05/02/2011
Registered Agent Information
Agent Name	BUSINESS FILINGS INCORPORATED
Address	1801 WEST BAY DR NW STE 206
City	OLYMPIA
State	WA
ZIP	98502
Special Address Information
Address
City
State
Zip

Governing Persons

Title	Name	Address
President,Treasurer	Scott, Joel	One Market Plaza Spear Tower Fl 19 SAN FRANCISCO, CA
Secretary	Siefer, Serena	One Market Plaza Spear Tower Fl 19 SAN FRANCISCO, CA
Director	Chandratillake, Suranga	3600 136th Pl SE BELLEVUE, WA
Director	Service, Matthew	3600 136th Pl SE BELLEVUE, WA

Of note is that although the corporation appears to be inactive, the website at pinballcorp.com is still running and with no notice about the change of company status. Where Pinball Corp's affiliates stand is unknown, but given the deceptive business practices of a number of them, then I don't think too many people will be shedding a tear.

But why has the company apparently become inactive? It turns out that Pinball Corp is a wholly owned subsiduary of a UK firm called Blinkx plc, and the "inactive" date coincides almost exactly with Burst Media (for $30m). Perhaps Blinkx decided that Pinball Corp was no longer something that they wanted to have in their expanded portfolio?

Tuesday 10 May 2011

SMS Spam: £3750 for an accident you haven't had

There seems to be a huge number of these spam SMS messages doing the rounds recently:

Free Msg; Our records indicate you may be entitled to £3750 for the accident you had. To apply free reply CLAIM to this message. To opt out text STOP.

These message come through if you are registered on TPS or not. There is no identification as to who is sending them, and the number changes regularly (I have seen +447955957379, +447591260334, +447542067695, +44758137217, +447403811563, +447826688283, +447517528462). Sometimes the spam starts FREEMSG. Always the value seems to be £3750. It doesn't matter if you have had an accident or not.

If you are a Vodafone, O2 and Orange customer you can report the SMS spam to your provider: for Orange and O2 forward the message to 7726 (it spells SPAM) or on Vodafone is is 87726 (VSPAM). I have not been able to confirm, but T-Mobile and 3 may also accept forwarded messages to 7726 as well. The carriers should be able to block the spammers if they get enough reports, and take legal action where necessary.

Update: 3's spam reporting number is 37726 (3SPAM). Thanks for the tip, Richard!

Replying STOP is probably not a good idea - the spammers may well use it to confirm that the mobile number is active. And replying CLAIM is probably an even worse idea since they are a bunch of low-life spammers who probably cannot be trusted.

Sunday 8 May 2011

Fake "Lapatasker" job domains, 8/5/11

Another set of domains offering fake jobs via spam, the latest in this long running saga. The domains were registered on 6th May.

first-euro.com
it-hire.com
newgreen-europe.com
newgreen-tech.com
usa-worldoffer.com
world-hire.net

The probably fake registrant details still use the "Aleksej Iliin" alias that we have seen previously.

Jobs offered will most likely include the usual mix of money laundering and other fraudulent activities. Avoid.