Sponsored by..

Wednesday, 31 August 2011

dpolg-bundespolizei.org is not DPolG or the Bundespolizei

DPolG is a staff a association of the German Federal Police (Bundespolizei). So you might expect that dpolg-bundespolizei.org is something to do with the DPolG.. especially when the www.dpolg-bundespolizei.org resolves to, which is the same IP address as bundespolizei.de which is the German Federal Police.

But something is very wrong with this domain.Let's start with the WHOIS details:

Domain ID:D163178250-LROR
Created On:30-Aug-2011 11:02:35 UTC
Last Updated On:30-Aug-2011 11:02:35 UTC
Expiration Date:30-Aug-2012 11:02:35 UTC
Sponsoring Registrar:Regtime Ltd. (R1602-LROR)
Registrant ID:CO1014850-RT
Registrant Name:ALex Potolot
Registrant Organization:ALex Potolot
Registrant Street1:49-12 Shepherd Street
Registrant Street2:
Registrant Street3:
Registrant City:London
Registrant State/Province:London
Registrant Postal Code:W12 7HF
Registrant Country:GB
Registrant Phone:+44.2073290240
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:apotolot@yahoo.com

It's kind of odd that a German police domain should be registered to a person in the UK using a free email address. But what is odder is that the address does not exist. Although there is a Shepherd Street in London, the postcode is not W12 7HF, that's the postcode for Stanlake Road in Hammersmith. Shepherd Street's postcode begins W1J 7Jx in any case, and there's no number 49 on that road (it is approximately the location of the Park Lane Mews Hotel).

Let's check the nameservers:
Nameself.com is DNS service for Russian registrar WebNames.ru. (aka Regtime Ltd) who are also the domain registrar. Why would the German police use a Russian registrar?

The next clue is in the MX handlers - these are the servers that handle mail for dpolg-bundespolizei.org:

  dpolg-bundespolizei.org MX (Mail Exchanger) Priority: 20 ALT1.ASPMX.L.GOOGLE.COM
  dpolg-bundespolizei.org MX (Mail Exchanger) Priority: 20 ALT2.ASPMX.L.GOOGLE.COM
  dpolg-bundespolizei.org MX (Mail Exchanger) Priority: 30 ASPMX2.GOOGLEMAIL.COM
  dpolg-bundespolizei.org MX (Mail Exchanger) Priority: 30 ASPMX3.GOOGLEMAIL.COM
  dpolg-bundespolizei.org MX (Mail Exchanger) Priority: 30 ASPMX4.GOOGLEMAIL.COM
  dpolg-bundespolizei.org MX (Mail Exchanger) Priority: 30 ASPMX5.GOOGLEMAIL.COM
  dpolg-bundespolizei.org MX (Mail Exchanger) Priority: 10 ASPMX.L.GOOGLE.COM
So, the domain is using Google for mail handling. DPolG use their own mailservers, not Google.

Something is definitely amiss here, and it wouldn't be the first time that the Bundespolizei name was used for malicious purposes as there has been a recent rash of malware using it. On balance, a domain with a fake UK address registered via a Russian registrar and using Google for mail handling is unlikely to be legitimate. Avoid.

Monday, 29 August 2011

Fake jobs: consult-position.com, instant-job.com, newweb-career.com, uk-bestjob.com and web-newcarer.com

A new set of domains pushing illegal money laundering jobs and other criminal activities as part of this long running operation.


Typically, these emails will appear to be "from" you as well as "to" you.. this is just a forgery and it doesn't mean that your mail is hacked.

Don't be tempted by the jobs on offer, typical positions are for money mules, reshipping scams or sometimes back-office functions such as translating emails or signing paperwork. Don't bother replying to the email as no good will come of it.

If you have an example of any emails using this address, please consider sharing it in the Comments. Thanks!

Friday, 26 August 2011

Fake jobs: us-newcareer.com

Operating the same money laundering scam/spam as this batch of domains, and forming part of this very long running scam, the domain us-newcareer.com was freshly registered two days ago.

The jobs offered by anyone soliciting replies to this email address are all criminal activities and should be avoided. The spam email messages may appear to be coming from your own email address, but this is a simple forgery and it does not mean that your computer or mail account is compromised.

If you have examples of spam emails using the domain, please consider sharing them in the Comments. Thanks!

Wednesday, 24 August 2011

Fake jobs: greece-career.com, il-career.com, mc-jobs.com and oae-career.com

Four new domains peddling fake jobs today, forming part of this very long running scam.


The "jobs" offered are actually criminal activities such as money laundering. It may be that the email appears to come "from" you as well (the from address is trivially easy to fake, it doesn't mean that your machine is infected with anything).

Domains were registered two days ago to "Alexey Kernel", which is no doubt a fake name.

greece-career.com presumably targets Greek nationals, and il-career.com looks to be targeting Israelis. The other two are less clear, but our best guess is that mc-jobs.com might be targeting Macedonia (but the TLD is .mk) and oae-career.com might be the UAE and is just a typo. This continues the pattern of going after non-English speaking victims who might be fooled more easily by a scam email in their own language.

If you have any examples of this spam, please consider sharing them in the Comments. Thanks!

Monday, 22 August 2011

HMRC phish: refund1-hmrc.com, refund2-hmrc.com, refund3-hmrc.com and refund4-hmrc.com

Here's a bunch of web sites and domains being used to peddle fake HMRC (UK tax office) refunds:


The fake emails look something like this:

From: HM Revenue & Customs Billing Department [mailto:hmrc@refund1-hmrc.com]
Sent: 22 August 2011 09:36
To: [redacted]
Subject: Billing Notifcation

Refund Notification

This e-mail has been sent to you by HM Revenue & Customs to inform you that we must pay you back 478 GBP.
Please complete all the information to process your refund

Please allow 2 weeks for you money to be availabe in your account. (eg: address, phone)
Total refund amount: 478 GBP

To ensure that your service is not interrupted, we request you to confirm and update your information today by following the link below:

Refund Notification

Thank you for your prompt attention to this matter. Do not reply to this e-mail.
Mail sent to this address cannot be answered.

Member [redacted]

© HM Revenue & Customs 2011 

The emails actually come from  refund1-hmrc.com, refund2-hmrc.com, refund3-hmrc.com and refund4-hmrc.com so

If you click through the link then you get a pretty standard phishing page trying to get credit card details, personal information and passwords.

The HMRC don't send tax refund messages by email, so any such notification should be considered bogus.

The phishing sites are hosted on in China, blocking that IP would be a good idea, but you could go further and block as it looks like a cable modem range and there shouldn't really be any legitimate sites hosted here.

Domain registration details are clearly fake:

Domain Name.......... refund1-hmrc.com
  Creation Date........ 2011-08-22
  Registration Date.... 2011-08-22
  Expiry Date.......... 2012-08-22
  Organisation Name.... scotia bank
  Organisation Address. hah
  Organisation Address.
  Organisation Address. there
  Organisation Address. 123131
  Organisation Address. AL
  Organisation Address. UNITED STATES

Admin Name........... scotia bank
  Admin Address........ hah
  Admin Address........
  Admin Address........ there
  Admin Address........ 123131
  Admin Address........ AL
  Admin Address........ UNITED STATES
  Admin Email.......... bbuubbh2@yahoo.com
  Admin Phone.......... +1.1233213121
  Admin Fax............

Tech Name............ scotia bank
  Tech Address......... hah
  Tech Address.........
  Tech Address......... there
  Tech Address......... 123131
  Tech Address......... AL
  Tech Address......... UNITED STATES
  Tech Email........... bbuubbh2@yahoo.com
  Tech Phone........... +1.1233213121
  Tech Fax.............
  Name Server.......... ns1.refund1-hmrc.com
  Name Server.......... ns2.refund1-hmrc.com

The nameservers are hosted on in Colombia (CONSULNETWORK LTDA).

Thursday, 11 August 2011

Fake jobs: unionhire.net, wugcareer.com and wugoffers.net

Three new fake job domains registered in the past couple of days to the fake "Alexey Kernel" registrant, forming part of this very long running scam.


As before, there is a series of spam messages advertising so-called "jobs" from these companies, but in reality they are criminal activities such as money laundering.

If you have a sample email, please consider sharing it in the Comments. Thanks!

Something evil on reddingtaxcm.com and inferno.name

reddingtaxcm.com is a legitimate domain that is registered at GoDaddy and has been hijacked to serve up malware, hosted on (NetDirekt, Germany but more below..).

The malware appears to be a variant of Vundo / Virtumundo, the infection mechanism looks to be some sort of injection attack on third party sites.

Although the IP is allocated to NetDirekt (now Leaseweb Germany), it belongs to part of a range suballocated to inferno.name of Serbia (apparently also known as v3Servers.net). Inferno featured recently in this blog with another similar malware attack, that time on seems to be full of (possibly fake) pharma sites.

A lot of other IP addresses associated with this company are implicated with forum spamming.

Just in case you want to block traffic to/from inferno.name (although there may well be legitimate sites and servers in these ranges) then I have identified the following IP ranges, although there may well be more:

As for, watch for traffic going to subdomains of reddingtaxcm.com, for example:


Thursday, 4 August 2011

Something evil on

I don't quite have the full picture on this, but it looks like some Scandinavian sites have been compromised in some way and are redirecting to a malware server on in Poland which is serving up fake AV applications.

Blocking access to is probably a very good idea. The following sites appear to be hosted on that server and should be blocked if you can't do so by IP address, alternatively just block access to all .co.cc and .rr.nu domains if you can.


Tuesday, 2 August 2011

virtualmapping.org redirect

The domain name virtualmapping.org sounds legitimate, but isn't.. it's a redirector used on hacked websites. The first time you visit one of these hacked sites via a Google search, you get redirected to a URL at virtualmapping.org/cgi-bin/r.cgi. Subsequent visits don't seem to trigger this, nor does visiting the site directly. It could be an altered .htaccess file.

virtualmapping.org is hosted on which is unsurprisingly enough in Romania, in a Cobalt IT SRL block suballocated to SC Coral IT Office SRL / xnetworkings.com also in Romania. Sites in these Cobalt ranges are either all evil or are of interest to Romanian visitors only, so one quick and easy way to secure your network is to block the entire range.. at the very least, block, and which are especially toxic.

After hitting virtualmapping.org, visitors are then redirected to one of the following sites on, hosted at Netdirekt in Frankfurt but actually allocated to a host called inferno.name (Sogreev Anton, Serbia). is full of Russian porn sites, so probably a good thing to block in any case.

Some of the domains that are loading the malware are:

Basically, anything in the nc-9.com domain apart from nc-9.com and www.nc-9.com has been hijacked and is pointing to the IP address in Frankfurt. It's not a surprise to see that nc-9.com is actually a legitimate domain registered at GoDaddy that appears to have been hijacked.

The payload is a nasty trojan according to various analysis tools (ThreatExpert, Comodo, Anubis). Detection rates are very low. The analysis tools might help you to clean up your PC if you have somehow become infected.

Of some interest, the trojan alters the HOSTS file to block access to popular torrent sites such as the Pirate Bay. It also calls home to two domains, assistancebeside.com ( and imagehut4.cn which was actually deleted last year, but was registered to the scumbags at Real Host Ltd.

There's quite a lot to block here, the highest priorities are:

I see no harm in blocking the following /24s:

And if you're not afraid to block really quite large address ranges:

Monday, 1 August 2011

Fake jobs: careers-canada.com

One fake job domain today, and the scammers seem to have shifted to a new target - Canada. This time, the domain is careers-canada.com, registered only yesterday to the fictitious "Alexey Kernel" in the Ukraine.

The standard approach with these scammers is to spoof an email "from" the target's email address (don't worry if you see this, your email account has not been compromised) and the emails offer a variety of illegal jobs including money laundering. It forms part of this long-running scam.

If you have any examples of emails using this domain, please consider sharing them in the Comments.. thanks!

Saturday, 30 July 2011

Fake job domains 30/7/11

Six new fake job domains today to avoid:


The recent approach has been to spam out emails that appear to be "from" the recipient. Sometimes the emails are poorly translated into Spanish, Portuguese or Greek.

The "jobs" on offer are illegal activities such as money laundering and form part of this very long running scam that has been going on for at least two years.

The domain registrant details are fake:

Alexey Kernel
    Email: johnkernel26@yahoo.co.uk
    Organization: Alexey Kernel
    Address: Kreshchatyk Street 34
    City: Kiev
    State: Kiev
    ZIP: 01090
    Country: UA
    Phone: +38.00442794512 

Mail for these domains is being routed through mx.yandex.ru in Russia.

These job offers are completely bogus and could land you in serious trouble with the police. If you have an example email using one of these domains, please consider sharing it in the Comments. Thanks!

Friday, 29 July 2011

"Iranian" Advanced Fee Fraud

Claiming to come from Iran, but actually originating from in India, this allegedly Iranian scam is just a new twist on the Nigerian 419 scams that we are all familiar with.. in other words, this is an advanced fee fraud.

From: Ghohestani Hananehsadat Seyedhemed
Reply-To: iranianhananehsadat@gawab.com
Date: 29 July 2011 07:55
Subject: FROM IRAN.....
         My name is Ghohestani Hananehsadat Seyedhemed; I was born in Mashad, Iran on 05th March 1991 to Mr and Mrs G. Seyedhemed, who dead in the January 2011 plane crash in Iran that killed more than 80 people including my Father, Mother and younger brother Ali.

 My father was a retired nuclear scientist and has worked in different project in Iran and outside Iran but lately there was a spate of serial killings of Iranian nuclear scientist and my father knew about it and was making arrangement for our trip and relocation to a foreign country and me and my brother was issued international passport on 15th July 2010 in preparation for our relocation and my father also made a deposit in a foreign bank amounting to $24,500,000USD(Twenty Four Million Five Hundred United States Dollars) for the settling in another country.

 Since my father died i have been trying to get the funds because i have the deposit documents and contact of his Lawyer who i have spoken with just after my fathers death but as a single lady in Iran you just cannot do anything on your own, you are not allowed to travel out of Iran and moreover with no access to telephone or constant internet. My father’s family took all that my father had here in Iran and forced me into marrying my father’s Friend when i disagreed initially they beat me and said as a single girl i cannot stay alone so i had no choice than to marry him. My life is really miserable because i am not allowed to go out, have visitors or use the phone.I have lost my pride as a woman. Luckily for me, my husband has a daughter my age and she allows me use her computer when she is around actually not knowing what i do here.

 Please i am contacting you in the Name of Almighty Allah who i serve and who my family serve to help me in getting these funds. All you need to do is stand as my family member and be next of Kin because the Lawyer told me then to suggest anybody who can stand as the next of kin and he will prepare necessary document but i cannot bring anyone from my father’s family since all they want is to claim my father’s property.

 I will send you the deposit certificate and the Lawyers contact so that you can make urgent contact with him. I will also send you my ID or passport for Identification if you need that. You may wonder why i am contacting you, a complete stranger but i trust you more than my father’s brothers who has done no good but harm to me and i know that you will not disappoint me too because i have gone through nights of prayers just to locate a reliable person who can help me out of this problem.

 I will need you to reply me with your details as follows to (iranianhananehsadat@gawab.com)

Phone number........................

 As soon as the money is transferred to you. We shall share the total amount 60% for me and 30% for you and 10% for any expenses incurred during this transaction. I want to use my share to get out of Iran and invest in a foreign Country. I hope to hear from you as soon as possible and may Allah bless you and your family.

Ghohestani Hananehsadat Seyedhemed


Fake jobs: chile-hh.com, cl-joblists.com, pt-joblist.com and spain-joblist.com

Four new fake job domains today, targeting victims in South America, Spain and Portugal.


These domains were all registered in the past few days. The standard email approach seems to be "from" the victim, and they are often badly translated into Portuguese and Spanish.

The "jobs" on offer are not jobs at all, they usually involve money laundering and other criminal activities. They form part of this very long running scam that has been going on for years.

Three of the four domains have a new (fake) registrant that we haven't seen before:

Alexey Kernel
    Email: johnkernel26@yahoo.co.uk
    Organization: Alexey Kernel
    Address: Kreshchatyk Street 34
    City: Kiev
    State: Kiev
    ZIP: 01090
    Country: UA
    Phone: +38.00442794512 

If you have an example email, please consider sharing it in the comments.

Thursday, 28 July 2011

Fake jobs: trabajo-lista.com

A single fake domain today, trabajo-lista.com uses the same approach as yesterday's domains, again targeting Spanish language speakers with money laundering jobs and other illegal activities.

Emails will most likely appear to be "from" yourself. This particular scam has been going on now for several years.

If you have a sample, please consider sharing it in the Comments. Thanks!

Wednesday, 27 July 2011

Fake jobs: chile-hh.com, cv-trabalho.com, espana-hh.com and worldjoblists.com

These domains are being used to advertise fake jobs and appear to be targeting Spanish and Portuguese speakers. They form part of this long-running series of domains associated with fake job offers.


The jobs being offered are typically money laundering (lavado de dinero / lavagem de dinheiro) which are highly illegal. It is possible that some other jobs offered may be "back office" functions, including translation into local languages.

The domains are very new, registered in the past two days to:

Ricardo Lopez
    Email: ricardolip2@yahoo.com
    Organization: Ricardo Lopez
    Address: ul. Liivalaia 34-10
    City: Tallin
    State: Tallin
    ZIP: 15040
    Country: EE
    Phone: +3.726317190 

If you have any examples of mail using these domains, please consider sharing them in the Comments section. Thanks.

Tuesday, 26 July 2011

Phishtank FAIL: paypal.de

paypal.de is pretty obviously a legitimate PayPal domain, registered to eBay and hosted on in eBay's address space. However, Phishtank thinks that it is a phish.. well, OK, false positives happen.. but the problem here is that it has been manually verified as a phish which really does show a weakness in the Phishtank verification system. It's not the first time it has happened.

So, if you are in Germany and find that paypal.de is blocked, then this is the reason why.

Saturday, 23 July 2011

Fake jobs: eur-exlusive.com

Another addition to this series of fake job offers is the domain eur-exlusive.com.

Assuming that this follows the standard pattern of dozens of other domains, then these will be too-good-to-be-true job offers that appear to have been emailed "from" yourself. The jobs on offer will actually be money laundering or some other criminal activity.

The domain was registered on 23th July, to a fake registrant "Ricardo Lopez", allegedly from Estonia. Avoid at all costs.

If you have a sample, please consider sharing it in the Comments.

Friday, 22 July 2011

Sky survey boll*cks

I'm feeling quite sweary this week, so here's a stupid email from a market research company who are pretending not to be doing it for Sky (I know it's for Sky because it uses an email address only used to sign up to Sky). It's b*llocks basically.

From: Tpoll Broadband Survey helpdesk@tpoll.net
Date: 22 July 2011 16:19
Subject: A survey about your broadband provider

Dear Mr Dynamoo

A well-known broadband provider has commissioned us here at Tpoll, an independent market research agency, to talk to people about their opinions and experiences with their TV and broadband providers.

The broadband provider in question is very keen to properly understand their customers’ needs, how well the products and services they offer are meeting their needs, and how they compare to other providers. They have asked Tpoll to investigate and we have invited you to take part in an online survey to share your thoughts and opinions.

This survey is organised and run under the rules of the Market Research Society. All responses will be strictly confidential and results will only be looked at on an aggregated level so please be as honest as you can with your answers.

Your answers will be very much appreciated and will be extremely valuable in shaping the products and services the provider offers.

Please click on the link below to start the survey - it should take 10 to 15 minutes to complete.

Click here to begin

Many Thanks,

Elizabeth Green

Tpoll Market Intelligence

So.. you want me to spend 15 minutes doing market research for Sky - a company that I don't use for broadband - just to help them shape their business? I did very much enjoy telling them that I don't have a TV or broadband access. Maybe this will screw up their survey.

Is this spam? It's hard to tell. I have a pre-existing relationship with Sky, but I'm pretty sure I didn't opt-in for this. It would be much more honest if Sky just admitted that they were behind it. Although perhaps their relationship with Rupert Murdoch's empire might be driving them to keep it quiet..

Thursday, 21 July 2011

Etisalat - f*ck you very much

If you've never heard of Etisalat then you are probably lucky. Etisalat is the monopoly telecoms provider in the UAE, and like all monopoly providers it is basically crap.

Why am I bothered? Well, after receiving this same spam 4386 times with no sign of a let-up, then I thought it might be nice if Etisalat educated their customer. Unfortunately, Etisalat's abuse mailbox doesn't work, presumably because it is packed full of complaints and nobody from Etisalat can manage to shift their fat sweaty arses enough to look at it.

Now, not getting a response to abuse complaints is pretty typical and not really worth commenting on. However, I was eventually able to get a response from customer support. And it looked promising!
Thank you for contacting Etisalat Customer Care Center.

Further to your email, please accept our sincere apologies for any inconvenience happened. We had escalated the issue to the concerned department and will update you soon after we receive a reply. Kindly bear with us for the delay. reference number 388135

Once again we thank you for contacting us and looking forward to serving you in the future. For any further clarification please contact Etisalat Customer Care Center.
Great.. I thought. Better late than never. So I waited.. and the next reply was basically a "fuck you" from Etisalat:
Thank you for contacting Etisalat Customer Care Center.
Kindly enable sufficient anti spam settings or add filters in your email to overcome the situation.
Once again we thank you for contacting us and looking forward to serving you in the future. For any further clarification please contact Etisalat Customer Care Center.
Wait.. what? The solution to Etisalat allowing customers to spam is.. basically to block email from Etisalat? So basically it is just too much effort for Etisalat to actually do anything. Maybe the airconditioning is broken in the Etisalat support offices and their arses are just too fat and sweaty today..

Anyway, is the culprit to block but if you follow Etisala's own recommendations then block email coming in from - ( just to be on the safe side.

And Etisalat, in the words of the FCC Song, f*ck you very much.

Fake jobs: world-chilecv.com

Just a single fake job domain today, world-chilecv.com is an addition to this long-running series of so-called job offers which actually turn out to be money laundering or some other criminal activity.

The domain in question was registered just yesterday to the no-doubt fake reigstrant:

Ricardo Lopez
    Email: ricardolip2@yahoo.com
    Organization: Ricardo Lopez
    Address: ul. Liivalaia 34-10
    City: Tallin
    State: Tallin
    ZIP: 15040
    Country: EE
    Phone: +3.726317190 

This domain was registered only yesterday. Avoid.