Current Status

This blog is not frequently updated because most case-by-case scam reports are now listed in subordinate blogs. At this point in time, most of my efforts are targeted at documenting employment scams in the Suckers Wanted blog.


Advance Fee Fraud: Tsunami Sob Story

Always bear in mind that fraudsters have no shame whatsoever. Received from on Wed, 30 Mar 2005 02:17:40 -0000, one 419 spam sob story about a person who is fifteen years old, lost the other four members of his family in the tsunami disaster, and is currently dying of "Esophageal Cancer" which has "defiled all forms of medicine". This particular spammer claims to be one "Lima Jung from Indonesia", but the message was sent through a web mail system which reports the originating address as, which is in a block of addresses delegated to "Nigeria Telecommunications Limited". Nigeria? Who'd have thought it?

It is the dying wish of "Lima Jung from Indonesia" that you take charge of a certain $18 Million in a foreign bank account, and dispose of it as follows. "I will want you to use 30% of the funds to surpport Charitable Organization and 30% should be donated to the Tsunami victims to alleviate their sufferings,while addional 20% should be used to set up a Foundation in my name and the remaining 20% should be for you as compensation for your gesture."

Anyone attempting to help Lima Jung from Indonesia will, no doubt, be led on a merry and rather expensive wild goose chase. My advice: make a donation to a reputable aid agency if you haven't already done so, and ignore Lima Jung from Indonesia, along with any other random spammer who wants you, a perfect stranger, to assist in moving millions of dollars around.

Spam: Spy Control

Beware of spammers bearing GIFs. Received from ( on Tue, 29 Mar 2005 22:17:25 +0000, one spam advertising Spy Control software. There's a number of things to be said about this. First of all, there's good cause to be suspicious of the software itself. It has been advertised in an unethical manner, and there's a significant chance that the software will also do unethical things if you install it on your computer. Installing software of any sort on your computer is quite a trusting act, so consider the reputation of your source when doing so.

The other thing I'd like to mention about this spam is that it appears to use "affiliate marketing", but this is often a smokescreen. Affiliate marketing is where marketing is out-sourced in an open manner to anyone who wants to do it. Some of these "affiliates" might advertise by spamming, and the company so advertised may try to deny responsibility by blaming the affiliate. It's the responsibility of the company to deter spamming by affiliates. I can see no reason to think that the "affiliate" even exists in this particular case.


Spam: Fake Rolex Watches

This one is slightly amusing. Received from [] ( on Fri, 25 Mar 2005 13:47:42 +0000. Subject: "Rolex watches starting under $99.99" -- yeah, right! Craptastic replicas are us, inc. And then, this little gem in the body: "Who can resist a 24kt. white gold Rolex watch surrounded in stainless steal?" I think that the "steal" part is a fair indicator of the level of integrity involved here. It should go without saying that you never deal with any random shonks that try to sell you something by spamming you: the risk of fraud is ludicrously high. And if that isn't enough to put you off, here's a scare-mongering article from Reuters entitled "Don't Buy That Fake Rolex! It Could Finance Terror". See? Avoid at all costs.


Advance Fee Fraud: Barrister Phillip Andrews

Received from (deepest darkest Africa) on Thu, 24 Mar 2005 11:41:34 -0000, one perfectly ordinary Nigerian 419 scam. A brief extract follows.

I contacted you to assist in repartrating the money
and property left behind by my client since I have no
place to locate any of his relatives. I can easily
convince his bank in the  Europe with my legal practice that
you are the only surviving relation of my client.Otherwise
the Estate he left behind will be confiscated or declared
unserviceable by the bank where this huge deposits
were lodged.

Particularly, My late client had an account with one
of the banks in  Europe valued at about US$9.3Million
 (Nine Million Three Hundred Thousand United States Dollars)
which I witness the documentations before he left for the
states on 24 october 2002.

Remember kids, Captain Obvious says, "if a complete stranger promises you lots of money in exchange for doing something dishonest, it's a scam!"


Pump and Dump: CWTD

Stock scamming is popular today. This one was received from ( on Wed, 23 Mar 2005 12:55:21 +0000. I'll reproduce it here in all its ugly HTML glory, minus the insanely verbose "forward looking statements" fine print disclaimer.


Breakout Forecast     March-April     2005


CURRENT PRICE       $2.12 

Projection    5 to 7 Days -------$4.50 - $5.00
Projection    12 to 18 Days------$6.00 - $8.00

China World Trade Corporation's WTC Link to Utilize SMS Platform to Increase Member and
Merchant Network

ALSO LOOK FOR NEW CNN INTERVIEW re: Tremendous 12 Month Company Growth
COMPLETED!!!!  Forward Plan to dominate China's Travel Industry.  (A Chinese Expedia.Com?)

China World Trade outbid CTRP on acquisition of  "NEW GENERATION" Southern
's largest travel company.

CTRP     @  $40.00  SHARE PRICE
CWTD    @    $2.35    Growth rate 5 times higher vs CTRP

 reins of CWTD and continuing his record for success. CWTD is here to stay.
@  Finance     


Pump and Dump: IFNI

Received spam from ( on Tue, 22 Mar 2005 03:55:10 +0000 of a pump and dump nature. Pretty ordinary stuff. Note that the "unsubscribe" link at the end has not been changed by me: they stuffed it up on their own. The address this was sent to was harvested from WHOIS.

March 13, 2005
Issue 856
The Undervalued Alert

  Current price .0035
  Short term target .07
  12 month target .80
  52 week high .759
  52 week low .001
  Shares outstanding 240,793,895
  Shares in float est. 37 million

Ifinix Corporation OTC: Pinksheets (IFNI)
If Ifinix could reach its 52 week high again you could make over 7000% return on your investment at its current Price level.


Reasons to own (IFNI):

* The stock was .75 back in September 2004 before the Company had their new trading platform software up and running and it's now trading at around 1 penny. Now is the time to own the stock at this level.

* (IFNI) is projecting (according to their business plan) over 2.6 million net profits before taxes for 2005, over 14 million net profits before taxes in 2006 and over 24 million net profits before taxes in 2007.

* If (IFNI) reached only half their projections in 2005, the stock should easily be back to its level in September 2004 of .75 cents in no time.

* We feel the upside for huge profit is there for the investors that take advantage of this public announcement.

* (IFNI) believes their new trading platform is more advanced and cost effective than any of their competitors.

* Any company with totally proprietary software that works better than its larger competitor's current system is primed for a buy-out offer.


Company Profile:

Ifinix Corporation is focused on technical excellence and creativity. They are market enthusiasts determined and dedicated to provide superior and sophisticated electronic financial solutions for institutional investors, brokerage firms, professional traders and individual investors. This company provides high performance and cost-effective software solutions. Their direct access, real-time trading and information systems are designed and built with superior salability, security, efficiency and reliability.

Ifinix solutions are totally proprietary. Their system architecture takes advantage of the latest technologies operating on a fault-tolerant platform. The core systems, with access to all U.S. equity markets, are already implemented and live. Components are currently being built to include the exchange listed future and options trading in the U.S. markets. Subsequently, interfaces to other markets will be developed with the objective of establishing the electronic trading platform as the leading unified platform for investment and trading across global financial markets. The platform will provide direct access and intelligent executions, real time information and all decision support tools for stocks, options, future, mutual funds and exchange traded debt instruments. It enables an active investor located anywhere in the World to effectively trade across global markets using one system on his PC.
In addition to providing superior decision support tools, the platform reduces the cost of trade executions for the users through intelligent and fast executions. With its comprehensive functionality, traders will not need to use any third party software, application or service to conduct their trading activity.

The Undervalued Alert publishes reports providing information on selected companies. The Undervalued Alert is not a registered investment advisor or broker-dealer. This report is provided as an information service only and the statements and opinions in this report should not be construed as an offer or solicitation to buy or sell any security. The Undervalued Alert accepts no liability for any loss arising from an investor's reliance on or use of this report. An investment in IFNI is considered to be highly speculative and should not be considered unless a person can afford a complete loss of investment. Direct Results (3859 Wekiva Springs Road #303 Longwood, FL 32779) has received 5 million shares of free trading stock in (IFNI) from First Capitol Partners for the publication and circulation of this report. This report contains forward-looking statements, which involve risks and uncertainties that may cause actual results to differ materially from those set forth in the forward-looking statements.


Info.: Trends in 419 scamming

The following information was recently posted on the Spam Research mailing list by active anti-spammer Suresh Ramasubramanian. The archives of that list are only available by subscription, so I've obtained permission from Suresh to re-publish here.

I've seen 419ers muscle in on a whole lot of things now that the "I'm the widow of a dead dictator" is so twentieth century ..

  • Buy stuff (anything from cars / pedigreed dogs to hookers^W escort services) on the Internet, pay using stolen credit cards / fake cashiers checks. Only, if the car costs $6000, he'll give you a fake check for $10000 and con you into wiring him the remaining money using western union. You fall for that and you only find out after the check is presented to the remote bank for clearing, and then bounced back.
  • Post on singles lists / bbs / newsgroups pretending to be a guy looking for friends online. Hook the friend with a lot of BS about the hard time they're facing in Nigeria, and either get them to wire some money over "as a loan", or maybe get them to sponsor the 419er for an entry visa to the States. That visa then gets used to get a scam artist into the states for random other purposes, none of which involve visiting the sucker.
  • Same thing with universities / conferences etc - any fairy story will do in order to get a visa to the states, or maybe pull fake check scams on the university admissions office or conference organizer. I see that first hand every year .. I chair the fellowships committee for the APRICOT asia pac netops conference ( Every year I get fellowship applications from obvious nigerian scam artists, each of them with weird and wonderful reasons why they want to attend the conference
  • Phishing. I'm working with western union, which is facing a rash of nigerians using standard boiler room sending techniques (lots of guys sending from free webmail accounts - we run 40 million of those) to pretend they're western union bidpay, and trying to steal id.


Update: PayPal Phish

Further to the earlier PayPal phish report, NameZero hasn't taken the "" site down yet, and the owner is now using their redirect service to go to <>. This time it's working. I've notified, since it's their server. Let's see which of those two service providers take action more quickly.

Phish of the Day: PayPal (interesting)

This particular phish is not your run-of-the-mill PayPal "verify your account" rubbish. It uses a number of techniques I haven't encountered before. The email was received from ( on Thu, 17 Mar 2005 02:30:42 +0000. The subject was "Xeter Xhilbin has just sent you $52.00 USD with PayPal" [name partially redacted to protect the innocent]. That's the first difference: the lure is someone sending you money, rather than PayPal demanding that you reactivate your account under threat of being locked out. The text is very neatly laid out HTML which I expect has been copied from a real PayPal notice of this kind. I'll only reproduce the plain-text content of the message here, however.

PayPal <>

You've got cash!

Xeter Xhilbin just sent you money with PayPal.

Xeter Xhilbin is a Verified buyer.

To complete this payment, you must accept or deny it within 30 days. If you do 
not accept or refuse this payment within 30 days, it will be cancelled and the 
funds will be returned to _eter _hilbin's account.
Payment Details

Amount:   $52.00 USD
Transaction ID:   4UA98825E3568683F

View the details of this transaction online 

Address Information

Address:   Xeter Xhilbin
United States
Address Status:   Confirmed 

Thank you for using PayPal!
The PayPal Team

PayPal Email ID PP59195


Protect Your Account Info

Make sure you never provide your password to fraudulent websites.

To safely and securely access the PayPal website or your account, open a new web 
browser (e.g. Internet Explorer or Netscape) and type in the PayPal URL 
<>) to be sure you are on 
the real PayPal site.

PayPal will never ask you to enter your password in an email.

For more information on protecting yourself from fraud, please review our 
Security Tips at 

Protect Your Password

You should never give your PayPal password to anyone, including PayPal employees.

The second interesting fact about this phish is the fake URL provided: namely, <>. At a glance, it might look like a real PayPal sort of URL, but it's actually one very long name in the zone "". That domain was registered through NameZero on 19-Feb-2005. The registrant appears to have opted for NameZero's masked URL forwarding service, which redirects to <>. Any valid hostname ending in "" will currently be redirected to that address -- it's a wildcard match. Fortunately, the destination address of "" seems to be nonexistent for now, so there's nothing further to report -- people falling for this lure will wind up with an error page, or a blank page for the time being.
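The hostname trick described above can be checked mechanically by a mail filter. The following is an added example, not part of the original post: it extracts the links from an HTML message body and flags any host that embeds a brand's domain as labels while actually belonging to a different registrable domain. The sample message, the `example.test` zone and the small suffix set are constructed for illustration; production code should load the full Public Suffix List.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: tiny constructed stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "test", "co.uk"}

# Registrable domains of the brands being protected.
BRANDS = {"paypal.com"}


def registrable_domain(host):
    """Return public suffix plus one label, or None if it cannot be determined."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the longest candidate suffix to the shortest.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return None  # the host is itself a bare public suffix
            return ".".join(labels[i - 1:])
    return None  # unknown suffix (or an IP address literal)


def embeds_brand(host, brand_domain):
    """True if the brand's labels occur as a consecutive run in the host."""
    h = host.lower().rstrip(".").split(".")
    b = brand_domain.split(".")
    return any(h[i:i + len(b)] == b for i in range(len(h) - len(b) + 1))


def classify(url):
    """Return (verdict, registrable_domain) for one URL."""
    host = urlsplit(url).hostname or ""
    reg = registrable_domain(host)
    if reg in BRANDS:
        return ("genuine", reg)
    # Brand name present in the host, but the zone belongs to someone else.
    # A wildcard DNS record makes every such name resolve, so the check is
    # on the zone, not on any one hostname.
    if any(embeds_brand(host, brand) for brand in BRANDS):
        return ("lookalike", reg)
    return ("unrelated", reg)


class LinkCollector(HTMLParser):
    """Collect href values from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)


def scan_message(html_body):
    """Return [(url, verdict, registrable_domain), ...] for every link."""
    collector = LinkCollector()
    collector.feed(html_body)
    return [(url,) + classify(url) for url in collector.links]


# Constructed sample message body (not the phish from this post).
SAMPLE_HTML = """
<p>You've got cash!</p>
<a href="https://www.paypal.com/cgi-bin/webscr">Security Tips</a>
<a href="http://www.paypal.com.cgi-bin.webscr.example.test/login">View the details</a>
<a href="http://mail.example.org/">Unsubscribe</a>
"""

if __name__ == "__main__":
    for url, verdict, reg in scan_message(SAMPLE_HTML):
        print(f"{verdict:10} {reg or '-':15} {url}")
```
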

NameZero has a fairly reasonable-looking web page for reporting abuse, and I've taken the liberty of telling them about this one.

Update on 2005-07-07. I have received an email from someone claiming that the name and address information given in this phish is his address, and asking me to delete the information. I have therefore replaced portions of the name and address with "X". Take note: phishers are quite happy to use your personal information for whatever reason suits them.


Phish of the Day: Regions

Received from (some host in a DSL pool in Germany) on Wed, 16 Mar 2005 04:06:35 +0000, one phishy little spam targeting "" banking customers. A very ordinary phish, really. Here's a quick excerpt of the text.

Account Confirmation Required!

Dear Valued RegionsNet® Client,

Recently there have been a large number of identity theft attempts targeting RegionsNet customers. In order to safeguard your account we require that you confirm your banking details. This process is mandatory.

You may do so by clicking Here and submitting the required information.

Failure to do so may result in a temporary cessation of your account services pending submission. Thank you for your prompt attention to this matter and your co-operation in helping us maintain the integrity of our customers accounts.

Please do not reply to this e-mail, as this is an unmonitored alias. If you require further assistance refer to our support centre .

RegionsNet respects your privacy. Click here to read the RegionsNet Group Privacy Policy Statement.

Electronic Banking services are issued by the RegionsNet of United States (Electronic Banking services include telephone banking, Netbank and Bpay). A Product Disclosure Statement (PDS) is available for these products on this website or from any branch of the RegionsNet.

I haven't bothered to include the links or text formatting, etc -- life's too short. The above should be enough to identify the message. In my case, the fraudulent link was to <>, which was a download-and-save copy of <> according to comments in the HTML. This contained a login form which included the text, "Regions does not contact customers via e-mail to verify or request security information." Anyway, if you ignored that and provided some sort of login information (I made something up), then you proceeded to <>, which included a form wanting the following details.

  • Card Number:
  • Expiration date:
  • PIN Code: * part of the bank verification process
  • CVV2 Code: * 3 digit security code printed on card
  • SSN Number: * social security number

I chose to submit this form without entering anything, and was redirected back to the real Regions home page. The site hosting the fake web pages appears to be a Red Hat box somewhere in China. Here's what nmap thinks of it.

Starting nmap 3.75 ( ) at 2005-03-16 05:45 GMT
Interesting ports on
(The 1652 ports scanned but not shown below are in state: closed)
21/tcp   open     ftp
22/tcp   open     ssh
23/tcp   open     telnet
80/tcp   open     http
111/tcp  open     rpcbind
135/tcp  filtered msrpc
445/tcp  filtered microsoft-ds
1521/tcp open     oracle
6000/tcp open     X11
7001/tcp open     afs3-callback
8080/tcp open     http-proxy

Regions bank seems to be on the ball with regards to phishing. They have a web page about email fraud.


News: New variety of phish in the works?

There are rumblings afoot in the UK that online retailers may become the next popular phishing vector. How so? Like this, apparently.

'The conmen will send emails offering a bottle or two of champagne as an inducement to check out the site and register to shop. But anyone falling for it will have handed their details to scam merchants.'

I'm not entirely persuaded that this brand of fraud would be very profitable, relative to the more traditional vector of compromising online banking details. And we already have an established industry of eBay fraudsters. Still, it's something to watch out for.

This item was brought to my attention via The Register.

Payment Processing Job Scam:

I hate these. This is what phishers do with the left hand while the right hand is trying to con someone out of their password. "Job offers" like these are bogus, but in a highly deceptive way: you start receiving "payments" as promised, but what your "employers" fail to mention is that the money is stolen (as a result of phishing). You wind up engaged in money laundering -- until the local authorities come knocking on your door and tell you about it, that is.

This particular spam was received from on Tue, 15 Mar 2005 06:51:06 -0000. It consists of a single GIF graphics image, which I can't upload to this blogging service. It is, however, substantially identical to one that's already been reported elsewhere, so no matter.

Advance Fee Fraud: British Lottery International

"You've won a lottery without ever buying a ticket" is a recent theme in 419 advance fee fraud. Try to collect these winnings, and you'll discover there are certain "expenses" that you have to meet before you get to taste any of your winnings. And, to cut a long story short, there are no "winnings", only expenses, and expenses, and expenses. Here's a sample I received from ( on Tue, 15 Mar 2005 00:11:08 -0000. Note that exactly the same message arrived at four different addresses, each belonging to different (but fictitious) identities. A lot of people "win" this lottery. Please note that the horrible line-breaks (often in the middle of a word) are part of the original text.

Date: Tue, 15 Mar 2005 01:06:01 +0100
From: britishnatioanllotto

British Lottery Headquarters:
Customer Service

Ref: BTL/491OXI/04
Batch: 12/25/0304
Date: 15/03/2005


We happily announce to you the draw of the British Lottery International programs held on the 1st of March 2005 in London.Your e-mail address attached to ticket number: 56
4 75600545 188 with Serial number 5388/02 drew the lucky numbers:31-6-26-13-35-7,which subsequently won you the lottery in the 2nd category.You are therefore, been approve
d to claim a total sum of US$2,500,000.00 (Two million, five hundred thousand, United StatesDollars) in cash credited to file KPC/9080118308/02.This is from a total cash p
rize of US $125 Million dollars, shared amongst the first Fifty (50) lucky winners in this category.

This year Lottery Program Jackpot is the largest ever for British Lottery.The estimated $125 million jackpot would be the sixth-biggest in U.K. history. The biggest was th
e $363 million jackpot that went to two winners in a May 2000 drawing of The Big Game, Mega Millions'predecessor.

Please note that your lucky winning number falls within our European booklet representative office in Europe as indicated in our play coupon.In view of this, your US$2,500
,000.00 (Two million, five hundred thousand,United States Dollars) would be released to you by our affiliate bank in London.
Our agent will immediately commence the process to facilitate the release of your funds to you as soon as you make contact with her .

All participants were selected randomly from World Wide Web site through computer draw system and extracted from over 100,000 companies.This promotion takes place annually
. For security reasons, you are advised to keep your winning information confidential till your claims is processed and your money remitted to you in whatever manner you d
eem fit to
claim your prize. This is a part of our precautionary measure to avoid double claiming and unwarranted abuse of this program by some unscrupulous elements.

Please be warned.To file for your claim, please contact our fiduciary agent with the below details for processing of your claims.

AGENT: Mrs Victoria Pebbles.

To avoid unnecessary delays and complications, please quote your
Reference/Batch Numbers
Full names
Residential address

Congratulations once more from all members and staffs of this program.Thank you for being part of our promotional lottery program.
Michael Ronin.
AFRO-ASIAN Zonal Coordinator

Mail sent from WebMail service at PHP-Nuke Powered Site

Note a couple of things about the tactics of this 419er which are, in my experience, quite typical of the breed. First up, the source of the addresses: these were mailed to addresses located on a web page. I put those email addresses on the web page precisely to act as spam-bait. The addresses don't usually get much spam (yet), and they aren't visible unless you look at the source-text of the page, but I've seen clear links between hosts spidering that web page and then spamming to those addresses. A significant portion of the incoming spam is 419 material like this.

The other thing to note is the footer on the message, claiming that it came through a web-mail system. This is also quite typical for 419ers: exploiting web-mail systems as their mail distribution vector is their most common M.O.


Phish of the Day: PayPal

Received a PayPal Phish from ( on Mon, 14 Mar 2005 11:02:38 -0000. Nothing terribly remarkable, so far as these things go. For the record, it looked something like this...

[Insert PayPal logo here.]

Dear Paypal member,

PayPal is constantly working to ensure security by regularly screening the accounts in our system. We recently reviewed your account, and we need more information to help us provide you with secure service.

Until we can collect this information, your access to sensitive account features will be limited.

Your account access has been limited for the following reason(s):

Our system requires further account verification.

Allowing your account access to remain limited for an extended period of time may result in further limitations on the use of your account and possible account closure.

We encourage you to log in and perform the steps necessary to restore your account access as soon as possible.

Case ID Number: PP-xxx-xxx-xxx

Please follow the link below and renew your account information:

Sincerely, PayPal Account Review Department

PayPal Email ID PPxxx

Accounts Management as outlined in our User Management , Paypal will periodically send you information about site changes and enhancements

Visit our Privacy Policy and User Agreement if you have any questions : -outside

The first link actually goes to (caveat: go to that address at your own risk), which, when I tested it, gave a redirect to PayPal's security page, and opened up a fake "login" window in a pop-up. The fake login was hosted at (again, visit at your own risk). This is a hosting account that appears to have been set up explicitly for this job. I've notified the hosting company.

PayPal has a page about protecting yourself from fraudulent emails.


Pump and Dump: GTVCF

Today's dish is pump and dump stock fraud spam. Received from ( on Fri, 11 Mar 2005 11:36:40 +0000. A brief extract follows.

* Wallstreet Insider Alert Newsletter *

Information you can Trust and Profit from. Our
extensive research shows GTVCF is on the move
with big gains expected on Monday. They will be
having a big promotion promotion going all
weekend for there new press release with
big gains expected monday. So don't miss it
get in as soon as possible to profit.

Company:Globetech Ventures
Industry:Gold/Molybendum Mining
Current Price:$0.32
52Wk High:$1.73
Market Cap:4.34M
Estimated 3months-target :$1.00
Estimated 6months-target: $2.50
Recommendation:STRONG BUY
Analysis:Industry Outperform


So I've decided to try out a "blog". Why? Because I suspect that it's the right tool for this job. The "job" in this case is the job of shining a spotlight on deceptive Internet practices, with particular reference to email and web-related nasties. There is, at present, a thriving industry in separating victims from their money by means of online deception. "Phishing" emails, where a big fat liar sends you email and claims that he's your bank (or similar), are one such form of deception. As I stumble across these deceptive practices, I'll document them here. That way, the next person to encounter suspicious activity might do a search and find that the fraud has already been exposed.

Be careful out there, folks.