Current Status

This blog is not frequently updated because most case-by-case scam reports are now listed in subordinate blogs. At this point in time, most of my efforts are targeted at documenting employment scams in the Suckers Wanted blog.

2005-04-30

Fraud: BFF

Well, rather than appeal to greed, you can always try an appeal to pity. Here's one of those not-quite-so-common instances of some random individual pretending to be a charity. Given as how they've included a phone number, they can probably expect a little auditing from the Italian authorities (the country code is for Italy, and the email's point of origin is also in Italy). This one was received from 82.105.184.182 (host182-184.pool82105.interbusiness.it.) on Sat, 30 Apr 2005 12:23:44 -0000, mailed directly to ideceive@gmail.com, and thus obviously the result of address-harvesting off this very site.

Dear One,
                 Life they say is a journey but what matters is your ability to, as you pass through, touch lives. Let me draw your attention to how you can reach out and make an impact on souls in a place almost consumed with despair.
                If ever you have had a desire to do good, to change the state of the world, then please read on. The Bright Future Foundation(BFF) Jigawa State, Nigeria, has the aim and objective to change the lives of the children in the remote and undeveloped villages, to provide food, clothing and enlightenment on how they can better themselves.
               I must say that these innocent souls still live in absolute poverty without shelter and enough food to cater for their daily needs. Children summing up to about 40,000 are confirmed by statistics to die everyday. And with the raising dust of diseases within the region, the death rate is not marching up with the birth rate.
              Our organisation, the BFF, have felt the need to ease this economic hardship with focus on the helpless children who can do nothing for themselves. Funds, we admit, are limited; ours is more than a missionary challenge, we feel a deeper need to touch them not just spiritually but in every way we can. To ease our work of providing food to these villages, cars,motorcycles and other forms of mobility are necessary to us. That is why we are looking outward, beyond the Nigerian government and beyond the local churches for the aid we desperately  need.  Among the Hadeija people group here in Jigawa state, our team have to trek hundreds of kilometers to meet up with the hungry children there.
           No doubt more modern facilities need to be provided to upgrade the level of our aid  program. The Bugi, Hadeija and Gumel people of Jigawa State have an acute water problem, and solving it is another one of our main objectives.  Theirs is a sorry case of many problems and hardly any solutions, and when you take a look at at the pictures we have of the children from these areas, you'll understand a lot better.
           When we first came here we wanted to do our own bit for these suffering people, but soon we realised we couldn\'t do it alone. And that is where, dear reader, you come in. For you to have read this far shows you have a deep feeling for this issue, and hopefully, that you are willing to help. Our organisation has a vision of  raising $10,000 to use to procure food items, clothing, health facilities and also means of transportation. Monetary contributions may be made though  western union  money  transfer c/o john,robert. Contact us via this email(john900_robert@yahoo.com) and,pohne number,+393205758093  for arrangements on how these funds can reach us, and also for any other information you need about our program.
         We believe you have been blessed in your life, and now you can bless others. Thank you for showing you care,  I promise you won't regret it .Awaiting your prompt reply,
                                                Yours Sincerely,
                                           John,robert,   Head of Rural Affairs, BFF Worldwide

Phish of the Day: SouthTrust

Received a nasty little phish from 83.197.153.171 (AMontpellier-252-1-21-171.w83-197.abo.wanadoo.fr.) on Fri, 29 Apr 2005 20:23:42 +0000. This is of the variety that presents the whole text as a GIF image, and uses a HTML "imagemap" trick to cover up the real URL. The text was as follows.

Dear SouthTrust bank customer,

Technical services of the SouthTrust bank are carrying out a planned software
upgrade. We earnestly ask you to visit the following link to start the procedure of
confirmation of customers' data.

https://www.southtrust.com/st/PersonalBanking/custdetailsconfirmation

Please do not answer this email -- follow the instructions given above.

We present our apologies and thank you for co-operating.

The actual link was to http://confinfodll.com, which was well and truly unreachable by the time I got around to checking it, thankfully. I've seen reports of this particular phish elsewhere, and those reports said that the site contained malicious payload that would try to compromise your computer, if it was using a vulnerable version of Internet Explorer. Be aware of the danger, folks!

2005-04-27

Pump and Dump: KSIGE

Nothing new here that I can see. Penny-stocks being hyped in the hopes of big returns, by the look. Standard fare, except for the mention of "a huge fax promotion". Are the spammers also junk-faxing this one? This spam was received from 24.107.111.177 (commons10k2.mo24.107.111.177.charter-stl.com) on Wed, 27 Apr 2005 16:12:01 +0000. An excerpt follows.

### WallStreet Insiders Edge - KSIGE.OB ###

Are you tired of buying st0cks and not having them
perform? Our staff has been working hard to uncover
the hot ones that "will move"! This is a perfect
opportunity to get in, it is very low and on the
move ready to explode. Check it out and you will
see why... Plus they have a huge fax promotion
launching on friday night so next week can be
in the .40 to .50 range easily....

Company:Ksign International Inc.
Ticker:KSIGE . OB
Current-Price:0.05
Industry:Network Security
52Wk High:.21
Estimated 3-5 Day target:.45+
Estimated-6months-target:1.50

About: KSIGN-Int'l., INC.

As an unchallenged PKI-based solution provider,
KSIGN has played an important and market leading
role in building a reliable and safe e-world. KSIGN
established in 1999, in spite of its short business
history, has grown dramatically and gained a good
reputation as a technology and market leader in Korea.
With the endeavors poured into R&D of PKI solutions,
it has also developed many applications like Extranet
Access Management, Key Roaming System, Secure Web and
Application Transaction System, Crypto toolkit and so
on. From now on, it will continue to be a valued partner
to Korean e-Government, Korean CA's (Certificate
Authorities), financial institutes, educational
organizations and enterprises.

Advance Fee Fraud: Summerset International Lottery

Well, the 419ers have well and truly discovered my "mailto" link -- I've won another El Fraudo Lottery. The spam was received from 81.33.133.53 (53.Red-81-33-133.pooles.rima-tde.net -- that's in Spain again, or should I say "in Spain still?") on Wed, 27 Apr 2005 17:23:17 -0000. The content was base64 encoded, which is a fairly common trick used to avoid particularly naive spam filters. I mention it only because I haven't seen much of this technique lately. Presumably that's because all the spam filters that were impacted by the trick have long since been adjusted to compensate for it. Gmail flagged it as spam, but it's pretty good at that sort of thing.

This may be a variation on the usual advance fee fraud, which we might call "refund fraud". Note, in the copy below, the claim that "this 10% will be remitted after you have received your winnings prize". Granted, there is also some mention of what looks like advance fees, or at least the possibility of them demanding a lot of personal data to "confirm your identity" (or some other such pretext), but mention of a fee after you receive your winnings is a slightly different tack. What happens here is that they send you a rubber cheque (that's a "check" for the Americans in the audience). You deposit the cheque, send them the ten percent remittance, and then find later that your bank reverses the deposit of the cheque, leaving you with a really big problem.

Don't get involved in scams like this. Nothing good can come of it. If you're already involved, then don't draw on any money you deposit. Just leave it there. The chances are it doesn't exist, and your bank will figure that out and make it disappear. And if you gave any identifying information to the 419ers, watch out for identity fraud. Don't give them enough personal information that they could apply for a credit card using your identity, for goodness sake. Even if they don't do it themselves, they could sell the data to someone else.

FROM:GOVERNMENT ACCREDITED LICENSED LOTTERY PROMOTERS.
WINNING NOTICE FOR CATEGORY "B" WINNERS.
Ref..# SLPA / 628000234/ 05
Batch..# 05-968544400-LPA
RE:BONUS LOTTERY PROMOTION PRIZE AWARDS WINNING NOTIFICATION
Dear Lucky Winner,
We are pleased to inform you of the result of the just concluded final draws of SUMMERSET INTERNATIONAL LOTTERY AWARD held on the 27th Apr,2005. The online cyber lotto draws was conducted from an exclusive list of 25,000 e-mail addresses of individual and corporate bodies picked by an advanced automated random computer search from the internet in appreciation of our annual  summer visitors to Spain. No tickets were sold.
After this automated computer ballot, your e-mail address emerged as one of two winners in the category "B" with the following:
You as well as the other winner are therefore to receive a cash prize of €2,800,809:00 ( Two Million, Eight Hundred Thousand, Eight Hundred And Nine Euros Only) each from the total payout prize.
Your prize awards has been insured with your e-mail address pending when your full names and address will be known to us, and  thereafter,your winning fund will be transfered to you upon meeting our requirements, statutory obligations, verifications, validations and satisfactory report. To begin the claims processing of your prize winnings you are advised to contact our licensed and accredited claims agent Sr. Pedro  Gonzalez
Tel # +34-675-165-960
Fax #+34-657-197-922
Email: mega-trust-ag@myway.com
And also be informed that 10% of your lottery winning belongs to (IBERO PROMOTION COMPANY S,A.) Because they are the company that bought your ticket and played the lottery on your name, NOTE this 10% will be remitted after you have received your winnings prize because the money is insured in your name already.  for category "B" winners with the informations below:
Ticket #. 005-620006500238-SSLPA.
Serial #. 779065780999
Winning #. 05-56-622-100-077
File #   LPA / 609874
NOTE: All winnings must be claimed not later than the 20th May,2005. After this date, all unclaimed funds will be included in the next stake. Remember to quote your reference information in all correspondences. You are to keep all lottery informations away from the general public especially your reference and ticket numbers. This is important as a case of double claims will not be entertained.
Anybody under the age of 18 and members of the affiliate agencies are automatically not allowed to participate in this program.

Congratulations!!!
Yours faithfully,
PABLO  ANTONIO  MARIANO.

Pump and Dump: ABZT

The stock scammers are at it again, this time with ABZT (Ablaze Technologies, Inc.), another pink-sheet stock currently trading at around eight cents a share. Assume pump and dump until contrary evidence arises. For the record, this spam was received from 80.9.133.40 (Mix-Rouen-116-3-40.w80-9.abo.wanadoo.fr.) on Tue, 26 Apr 2005 15:50:23 +0000. A brief excerpt of the spam follows.

"WallStreet Insider Investor Report"

This Weeks biggest gainer will be ABZT with over 300%
ROI (Return On Investment) expected. Here is the feature
profile below. And thank you for your continued membership
to our great service. We have 720% gains in March and for
April we are looking at over 800% so follow the Winners
with WallStreet Insider Report.

Ticker: ABZT . PK
Latest-Price: .08
Expected-Price in next 3 days: 45 cents

NEws-Release: Ablaze Technologies Announces
Agreement with Intelligent Sports, Inc.

Don't Miss Out! Micro Cap Stocks Are Providing HUGE
Investor Profits!Strong Gains Expected on aBlaze
Technologies, Inc all week..

2005-04-26

Advance Fee Fraud: ideceive@gmail.com wins the lottery

I'm pleased to announce that this blog has won El Fraudo Lottery of Spain, or rather that the 419ers have found our email address on our home page and are spamming it (and every other address they can harvest off the web). This spam was received from 81.202.248.10 (81-202-248-10.user.ono.com, part of a Spanish ISP's network) on Mon, 25 Apr 2005 18:55:58 -0000. Their tall tale is included below, by the modern magic of cut and paste.

Nacional Loterias Sp
Calle aberto 1-5a
Madrid Branch, Spain.
Reference numbers: SP/67-B1174832
                   YOUR E-MAIL ADDRESS WON THE LOTTERY.
We wish to congratulate you over your success in our computer balloting sweepstake held on 23rd April 2005. This is a millennium scientific computer game in which email addresses were used. It is a promotional program aimed at encouraging internet users; therefore you do not need to buy ticket to enter for it. Your email address attached to ticket number 12 15 21 27 35, drew the lucky star numbers which consequently won the draw in the Second category. You have been approve for the star prize of One million one hundred thousand euros(1.1m euros).
CONGRATULATIONS!!!
You are advised to keep this winning very confidential until you receive your lump prize in your account.This is a protective measure to avoid double claiming by people you may tell. Send your winning ticket numbers, reference numbers amount won and your personal data for processing of your claim to sanchezfernando230@lawyer.com
All prizes must be claimed within three weeks.
NOTE: If you are under the age of 18, you are automatically disqualified for this star prize.
Yours faithfully,
Mrs. Eva Carlos.
CC :NacionalLoterie@netscape.net

Aside from the ridiculous idea that some organisation is forking out millions of euros at random for the purpose of "encouraging internet users", this is a modestly clever 419. It was sent from Spain, and it claims to be from Spain, for a start. Also, the use of a "lawyer.com" email address might give some a false sense of security. False? You bet! Lots of 419ers use "@lawyer.com" addresses. Ownership of an "@lawyer.com" address is, so far as I'm concerned, more likely to indicate fraud than lawyerhood.

Anyone who attempts to collect their winnings from this lottery will discover it's not so "free" after all. There will be certain expenses to cover. Then certain other expenses. Then certain further expenses. And taxes. And no winnings, ever! That's why they call it "advance fee fraud", folks!

2005-04-25

Advance Fee Fraud: One-Legged Omar

It's been rather quiet on the fraud front lately -- from the perspective of my inboxes at least. Maybe I'm just having a lucky break. Anyway, the drought broke today with the arrival of an itty bitty 419. Received from 193.254.240.120 (a webmail system in Italy) which claims that the original message was sent "from 81.199.108.18 (proxying for 81.199.108.5)". Guess which country those addresses are registered to! Did you guess "Nigeria"? Congratulations on getting it right if you did.

Anyway, the person in Nigeria sending through a web-mail service in Italy claims to be "Mr. Omar Salah Hassan", from Baghdad in Iraq, presently residing in London. His letter is fairly short and to the point (and a complete fabrication with intent to defraud), so I'll present it here for your perusal.

Good day to you,

I need a partner(a neutral and foreigner) who will
invest with me. I am Mr. Omar Salah Hassan from the city of
Baghdad in Iraq. I got your contacts through my
personal research and out of desperation. I deal on
crude oil before I lost one of my legs by bomb blast
in Baghdad. I decided to reach you through this
medium. Presently I am residing in London.

I have USD$5.2m for investment purpose. I want you to
receive this fund on my behalf and invest on a
profitable business venture on agreed terms. If you
are interested please get back to me on my privacy email:
(omar_shassan@excite.com) as soon as possible for more details. Include
your private telephone number in your response.

Thank you.
Mr. Omar Salah Hassan.

2005-04-18

Phish of the Day: HSBC

Today's phish has yet another variation on the theme of "reasons why you need to log in to your Internet banking account right this very minute via this link." This one was sent to a harvested ".au" address, so Australians beware -- you're probably the targets here. The message was received from 85.137.9.156 (rDNS not properly configured, but belonging to auna.net in Spain from what I can surmise) on Sun, 17 Apr 2005 21:04:25 -0000.

Dear client [HSBC logo]
Internal mail warning

You did not read our internal security message that have been dispatched last week.

You have received an important internal message from our bank concerning your account status. You got this email due to the fact that all other ways of contacting you were either not specified or did not reach you.

We strongly advise you to review the message as soon as possible.

Read the message now

Note: you have to be logged in the HSBC online banking service

Thank you for your understanding,
HSBC Customer Care

The actual link is to http://202.22.193.242/onlinebanking/index.htm, which contains a copy of the original HSBC banking page, modified to suit the phisher's needs. That particular host is in Bangladesh, of all places, and it's pretty darn slow. I haven't investigated it in great detail, because the HSBC website (and consequently its phishy clone) is one of those obnoxious sites that's picky about which browser you use, and I'm not using Internet Explorer. Thus, all I get is an incompatibility notice.

Advice for the day: ignore warning messages like this. If it really is your bank, and they really do suspend your Internet banking access or such, then switch to a better bank.

2005-04-17

Phish of the Day: Wells Fargo

Received a phish from 217.220.34.229 (worf.webintouch.com) on Sat, 16 Apr 2005 20:30:05 +0000. Text is as follows, although I've removed certain links to graphics at the actual wellsfargo.com site so as not to use their images without permission.

Dear Wells Fargo Customer,

We are glad to inform you, that our bank is switching to new transactions security standards. The new updated technologies will ensure the security of your payments through our bank. Both software and hardware will be updated.

We kindly ask to confirm your card details here:

https://online.wellsfargo.com/

If you are not enrolled with Online Banking please Click Here

https://online.wellsfargo.com/verify/

We offer you a new convenient and safe high-quality level of service to handle your card.

Thank you for your support.
Wells Fargo Service Department

The actual link is not to Wells Fargo, of course, but to http://82.79.70.26/ (for the first link), or http://82.79.70.26/verification.php (for the second). According to WHOIS data, that IP address is somewhere in deepest darkest Romania. When I inspected the site, I noted that it was using a fairly old Internet Explorer trick to cover up the address bar with the real Wells Fargo address. In general, I recommend using a browser other than Internet Explorer whenever possible. Firefox is an obvious choice.

2005-04-15

Phish of the Day: eBay, eBay, eBay

"If you choose to ignore our request, you leave us no choice but to temporarily suspend your account." Does this sound familiar? Does it smell phishy? It should: it's from one of many eBay phish I've received recently, targeted at an address harvested from Usenet. These are pretty dull in the overall scheme of things -- about like the PayPal phish that have also been in over-supply. The most interesting thing about the phish is the lure used, which is as follows.

We recently noticed one or more attempts to log in to your eBay account from a foreign IP address and we have reasons to believe that your account was used by a third party without your authorization. If you recently accessed your account while traveling, the unusual login attempts may have been initiated by you.

In most cases the recipient will not have recently accessed eBay while traveling, and may therefore be suckered into clicking on the link, which presumably takes them to a standard faked-up site where they willingly disclose sensitive data to evildoers. I say "presumably", because the one link I tried wasn't responding.

No further comment on eBay phish for now. Boring stuff.

2005-04-13

Pump and Dump: CWTD again

Not much variety on the stock fraud front. CWTD was pumped on 2005-03-23 and 2005-04-04, and now again today. The spam was received from 83.214.215.154 (no rDNS, but WHOIS reports delegation to "Telecom Italia France") on Tue, 12 Apr 2005 20:55:38 +0000.

 

 CWTD  is set to rocket to $ 12  per share. Several news releases coming this week will take CWTD  to the next level......Watch it move this week.  CWTD is set to move much higher this week with significant short term trading profts predicted.......Don&apst miss out on this one this week, April 13- April  20 .


 

 !!! Ready to Run !!!          [RUNNING NOW !!!]          !!! Big Winner !!!

 

-CWTD-               -CWTD-     ***        -CWTD-        -CWTD.-

   

 

See Company President John Hui interview with CNN ASIA

 ALSO LOOK FOR NEW CNN INTERVIEW re: Tremendous 12 Month Company Growth COMPLETED!!!!  Forward Plan to dominate China&apss Travel Industry.  (A Chinese Expedia.Com?)

  China World Trade outbid CTRP on acquisition of  "NEW GENERATION" Southern China&apss largest travel company.      ALL COMPANY INFORMATION AVAILABLE-                         www.chinawtc.com

 

 

 

         CHAIRMAN TSANG, FORMERLY OF GOLD LION                                                HOLDINGS has taken the reins of CWTD and continuing his record for success. CWTD is here to stay.   READ THE NEWS

@ yahoo.com  Finance     

 

CURRENT PRICE       $ 2.83           

 Projection    5 to 7 Days                         $5.50  - $ .50

 Projection   12 to 18 Days                      $ 9.00 - $12.00 

Take a look at our recent Strng Buy recomendatons...
      CFTN at 0.40    High 2.62...655% Gain! 
      HTSC at 0.70    High 295...329% Gain! 
      QLHC at 0.90    High 3.50...389% Gain! 
      DMTY at 0.30    High 0.90...300%Gain! 
      NALG at 0.76     High 1.60...110%Gain! in two days
      IPYS at 0.38        High 1.10...189%Gain! in two days

    
 

CWTD NEWS COMING - STOCK is ready to ROCK !!!!
Company has already facilitated the money it need&apss TO CONTINUE IT&apsS RAPID GROW!!!!

 

Information within this email contains" forward looking statements" within the meaning of Section 27A of the Securities Act of 1933 and Section 21B of the Securities Exchange Act of 1934.Any statements that express or involve with respect to predictions, goals, expectations, beliefs, plans, projections, objectives, assumptions or future events or performance are not statements of historical fact and maybe "forward looking statements.
Forward looking statements are based on expectations, estimates and projections at the time the statements are made that involve a number of risks and uncertainties which could cause actual results or events to differ materially from those presently anticipated. Forward looking statements in this action may be identified through
the use of words such as: "projects", "foresee"," expects", "estimates," "believes," understands" "will," "part of:" anticipates," or that by statements indicating certain actions "may," could," or "might" occur. Please be advised that nothing within this email shall constitute a solicitation or an invitation to get position in or sell any security mentioned herein. This newsletter is neither a registered investment advisor nor affiliated with any broker or dealer.  All statements made are our express opinion only and should be treated as such. We may own, take
position and sell any securities mentioned at any time. This report includes forward-looking statements within the meaning of The Private Securities Litigation Reform Act of 1995. These statements may include terms as "expect"," believe", "may", "will", "move"," undervalued" and "intend" or similar terms.

2005-04-12

Pump and Dump: CYRR.PK continues

The CYRR.PK stock hype continues unabated. The text of the spam has now been modified to claim a current price of $0.90 at 2005-04-11, and now says "look for big move on Tuesday" (rather than Monday), but remains the same in other respects. This instance was received from 210.24.227.165 (adsl165.dyn227.pacific.net.sg) on Tue, 12 Apr 2005 05:43:45 +0000. Note that the modus operandi of this spammer is to use compromised domestic computers with broadband connectivity (a "botnet", or "zombies"). This is fairly sophisticated stuff.

2005-04-11

Advance Fee Fraud: Euro Millions Lottery

Better known as "El Fraudo Lottery". Today's tall tale of unsolicited riches comes from Spain. This particular 419er is using the approach of harvesting email addresses off web pages -- a fact made obvious by the fact that the same computer which performs the web request also sends the mail, and the fact that the addresses so harvested were all harvester-bait anyway. Four of my spam-traps received exactly the same notification of winnings from 62.175.6.72 (rDNS points to B-72-6-ADSL.red.retevision.es, but no such name exists) on Mon, 11 Apr 2005 15:24:47 -0000. Four random addresses that all won a million euros on exactly the same ticket? Wow, what are the chances? Answer: 100% -- of it being a scam.

This one is funny, though, because the lottery "was promoted and sponsored by Bill Gates,President of Microsoft, the world's largest software company in order to enhance and promote the use of Internet Explorer Users and microsoft-wares around the globe." Sure it's a blatant lie, but there's some great irony in it.

EURO MILLIONS LOTTERY INTERNATIONAL.
FROM: INTERNATIONAL PROMOTION/PRIZE AWARD DEPT.
REFERENCE: 67/80/IPD
BATCH: EGGS-541-623-782:
RE: WINNING NOTIFICATION / FINAL NOTICE
Dear Winner,
We are pleased to inform you of the result of the Euro millions Lottery
Winners,an International E-mail program held on the 2nd of Dec. 2004. Your
E-mail address fall to the ticket number 653-908-321-675 with serial main
number 345-790-241-671 drew lucky star numbers 34-32-90-43-32 which
consequently won in the 2nd category of this program, you have  therefore
been approved for a lump sum pay out of 1.000.000.00 Euro.(One Million Euros)

CONGRATULATIONS!!!
Due to mix up of some numbers and names, we ask that you keep your winning
informations confidential until your claims has been processed and your money
remitted to you. This is part of our security protocol to avoid double
claiming and unwarranted abuse of this program by some participants.
All participants were selected through a computer ballot system drawn from
over 100,000 company and 50,000,000 individual email addresses and names from
all over the world.
This lottery was promoted and sponsored by Bill Gates,President of Microsoft,
the world's largest software company in order to enhance and promote the use
of Internet Explorer Users and microsoft-wares around the globe.
This promotional program takes place every three years.We hope that, with
part of your winning, you will take part in our end of year 50 million Euro
International lottery.
To file for your claim, please contact our fiducial agent:
MR.JUAN CALOS
(EUROCREDIT & SECURITY)
TEL:0034-678-855-871
Email:eurocreditscrty@yahoo.com
Remember, all winning must be claimed not later than 31th APRIL 2005.
After this date all unclaimed funds will be included in the next 
stake.Please note in order to avoid unnecessary delays and complications
please remember to quote your reference number and batch numbers in all
correspondence. Furthermore, should there be any change of address do inform
our agent as soon as possible
.Congratulations once more from our members of staff and thank you for being
part of our promotional program.
Sincerely yours,
MR, FERNANDO SANCHEZ
Lottery Coordinator.
Note: Anybody under the age of 18 is automatically disqualified

2005-04-09

Pump and Dump: CYRR.PK

Today's stock manipulation spam scam is for "Canary Resources, Inc." (CYRR.PK). It comes as no surprise that this is a sub-dollar stock, since the cheaper the stock, the larger each one cent change is as a percentage of the full price. This particular spam was received from 67.97.7.93 (an undistinguished IP address under the control of broadwing.net) on Sat, 09 Apr 2005 06:26:30 +0000. The hype is reproduced below for your information.

Update at 2005-04-09 10:00: a second copy has arrived, received from 221.128.103.242 (in Thailand, probably an ADSL line) on Sat, 09 Apr 2005 09:45:34 +0000.

Update at 2005-04-10 05:56: a third copy has arrived, received from 81.151.240.52 (host81-151-240-52.range81-151.btcentralplus.com) on Sun, 10 Apr 2005 04:33:38 +0000.

Update at 2005-04-11 14:04: a fourth copy has arrived, received from 61.229.171.124 (61-229-171-124.dynamic.hinet.net) on Mon, 11 Apr 2005 12:29:24 +0000.

BREAKOUT  FORECAST

APRIL     2005

!!!       NEW U.S. ENERGY COMPANY       !!! 

-NEW ISSUE-                                                                                    -NEW ISSUE- 

CANARY RESOURCES, INC. 

CYRR.PK

Current Price   $.86   [4/07/05]     10 Day - 14 Day Price Projection   $3.00-4.00 

stock closed at .86 on Friday. Look for big Move on Monday
 

Canary becomes the operator and owner of a 75% working interest in Osborn Energy's entire 
undeveloped land position of approximately 76,869 acres of approximately 400,000 acres in 
North Eastern Kansas, and  West Central Missouri. In exchange for funding all 
drilling activity, Osborn Energy retains a 25% working interest. 
 
It is expected that this acreage will yield over 1,800 drill locations.
     

James Beatty, CEO of Canary Resources, Inc. commented, "We are fortunate to have a partner in Osborn Energy, the most experienced explorer and operator in the Forest City Basin, and the first company with commercial gas production. Osborn Energy's extensive investment in field-testing and research into drilling, completion, and production techniques provide a major competitive advantage for Canary Resources which mitigates exploration and development risk."

CYRR NEWS IS COMING - STOCK IS READY TO ROCK

Information within this email contains" forward looking statements" within the meaning of Section 27A of the Securities Act of 1933 and Section 21B of the Securities Exchange Act of 1934.Any statements that express or involve with respect to predictions, goals, expectations, beliefs, plans, projections, objectives, assumptions or future events or performance are not statements of historical fact and maybe "forward looking statements. Forward looking statements are based on expectations, estimates and projections at the time the statements are made that involve a number of risks and uncertainties which could cause actual results or events to differ materially from those presently anticipated. Forward looking statements in this action may be identified through the use of words such as: "projects", "foresee"," expects", "estimates," "believes," understands" "will," "part of:" anticipates," or that by statements indicating certain actions "may," could," or "might" occur. Please be advised that nothing within this email shall constitute a solicitation or an invitation to get position in or sell any security mentioned herein. This newsletter is neither a registered investment advisor nor affiliated with any broker or dealer. All statements made are our express opinion only and should be treated as such. We may own, take position and sell any securities mentioned at any time. This report includes forward-looking statements within the meaning of The Private Securities Litigation Reform Act of 1995. These statements may include terms as "expect"," believe", "may", "will", "move"," undervalued" and "intend" or similar terms.

Meta: Current Interests

Recently I've received an incessant stream of PayPal phish. This has become tedious to the point that I don't even care to mention it anymore. I'm somewhat inclined to feel that way about phishing in general, but PayPal phish is definitely off the menu until further notice due to sheer excess of quantity.

I also delete without comment any spam that's hawking medication, software, or loans. With particular regards to software, yes, it's deceptive, but it's the same old lie every time. They offer to sell cheap software, when in actual practice they are selling unlicensed ("pirated") software. If you really want to obtain unlicensed software (and run the various risks associated with it, legal and otherwise), then there are much cheaper ways to do it. My personal recommendation is that you either suck it up and pay full price from a reputable source, or break the habit and start looking into solving your computing needs with genuinely free software. No further comment.

I'm still interested in reporting the latest 419 lies, stock manipulation scams, and deceptive job offers, along with those things that are actually new or unusual and therefore interesting. And I will continue to report any Internet practice that strikes a loud, dissonant cluster of pipe-organ notes in my ethics-sensitive regions.

Spam: Make Money Fast with Referral Spamming

I haven't had a really good brain-meltingly stupid MMF ("make money fast") spam in ages. I had forgotten what it was like to read fifty paragraphs of "this really works", "don't miss this opportunity", "you mak be sceptical, but this really works", "I made thousands of dollars a day by doing nothing at all", and so on, before you get to the punchline: send money to the person at the top of the list and add yourself at the bottom.

To be fair, though, this spam is more insidious than that. It's not just a classic pyramid scheme scam, it's also an attempt to cash in on a substantial number of referral schemes, notably including PayPal's referrals programme. Spamming is, of course, strictly forbidden by the terms and conditions associated with PayPal's programme. I've notified PayPal of this abuse, and hopefully the spammer will have his account terminated with prejudice.

Referral programmes are a nice idea in theory, but they are abuse-magnets in practice. The party running the scheme must have strong anti-spam policies in place, or it just becomes a spam-by-proxy scheme. And even if you do have strong anti-abuse policies in place, that opens another possible abuse: Joe jobs. Determining the details of this possible abuse are left as an exercise to the reader.

This spam was received from 211.243.155.4 (address delegated to "Thrunet", Korea) on Fri, 8 Apr 2005 15:14:29 -0000. Rather than copy and paste the honking great thing here (particularly given the amount of work that fixing the HTML would involve), I'll simply note that much the same thing can be found online at http://fric.ygre.biz/english.htm and http://email.paypal.free.fr/. The incoming spam appears identical to the first of these pages, which appears to be a poor copy-and-modify job of the second. I don't really recommend visiting either page, so here's the choicest quotation: "To date, I have made exactly $1440,000. My accountant has drawn up a cash-flow forecast in which he predicts that, within the next 24 months, I will become a Millionaire just through this one business alone."

2005-04-08

Phish of the Day: PayPal, PayPal, PayPal

I've been getting PayPal phishes on a daily basis lately. They are becoming so commonplace as to be tedious. I'm only reporting this one for lack of any interesting fraud in my inbox. This parficular phish swam in from 211.21.199.5 ("bsd.cool-eagle.com.tw" points to that address, but the reverse DNS lookup is a mess) on Fri, 08 Apr 2005 08:55:03 +0000. The lure on this one is "You have added a new mail to your paypal account." There was more than one link in the message: the only one I found that worked was http://societysm.com/pl/ (inspect at your own risk). It seemed to use some sort of Javascript tricks to create a pop-over, but it failed to do anything interesting on my non-Microsoft browser.

2005-04-06

Advance Fee Fraud: Ali Salaki

The same old story: a completely random foreigner wants your assistance in moving millions of dollars around, and will cut you in on it. What's noteworthy about this one is that it shows another 419er modus operandi. My mail server received this spam from 62.81.235.112 (smtp12.eresmas.com) on Wed, 06 Apr 2005 02:22:15 +0000. According to WHOIS records, this appears to be a perfectly ordinary mail server owned by "Eresmas Interactiva, S.A.", an ISP in Spain. Under most circumstances, the only header fields in a mail message that you can trust are the ones added by your own mail server, but in this case I'm a little less suspicious of the other headers because I have little reason to think that the mail server is actively malicious. The other headers suggest that the mail came off a private network (192.168.x.x address space), and that the mail user agent was "X-Mailer: Netscape Webmail". The reasonable surmise is that this particular 419er is abusing Internet Cafés in Spain. This comes as no surprise: the modus operandi has been around for a while. Amsterdam was also popular in the past, but there was a heavy crackdown and a number of arrests of alleged 419ers there last year, so Spain appears to be the new popular spot.

Mr. Ali Salaki.
Manager Internal Audit/Foreign Remittance Dept,
Union Bank Plc Here,
14/16  Broad Street, Marina Lagos Island.
Private email address: alisalaki@yahoo.co.uk

Attn: Sir/Madam,

Your name and e-mail address came up in a random draw conducted by my search in the internet. My name is Ali Salaki. An account officer to late Mr.James Harrison who us e to worked for an oil firm in Nigeria.Mr James Harrison a well known Philanthropist, before he died, he made a Will stating that $13.2M(Thirteen million,two hundred thous and U.S. dollars only)should be donated to any Philanthropist of our choice overseas.

I have made a random draw your name and e-mail address was picked as the beneficiary to this Will.I am particularly interested in securing this money from the Bank,beca use they have issued a notice instructing me as the account officer to produce the beneficiary of this Will within two weeks or else the money will be credited to the Gove rnment treasury as per law here.It is my utmost desire to execute the Will of my late client.

You are required to contact me immediately to start the process of sending this money to any of your designated official account.I urge you to contact me immediately fo r further details bearing in mind that the Bank has given us a date limit,Please act fast. Email me via my private E-mail:(alisalaki @yahoo.co.uk)

Congratulation as i await your urgent reply

Mr. Ali Salaki.
Manager Internal Audit/Foreign Remittance Dept

Pump and Dump: TFTG

Today's stock price manipulation scam is TFTG. Received from 221.127.93.75 (in Hong Kong?) on Tue, 05 Apr 2005 18:53:55 +0000, spam as follows (minus a significant amount of blah-blah at the end regarding forward-looking statements and disclosure of holdings, etc.).

Emerging Growth Companies


TFTG SIGNS LOI TO ACQUIRE FIRM WITH $16 MILLION IN REVENUES


Management Anticipates Sharp Rise in Price!!!


Symbol TFTG
Current price is 32 cents


Investing Public

If you had purchased CyberAds, Inc. in February, you would have realized a 600% GAIN on your investment!! Trimfast Group, Inc. is our latest pick which is in a High Growth Billion Dollar Stored Value Card industry. Trimfast is priced at 32 cents and has just signed a Letter of Intent to acquire a stored value card distribution firm which generated $16 Million in Revenues for 2004. This revenue generation could immediately result in a rapid rise. How many 32 cent investments do you see which make $16 Million in Revenues??

Trimfast Group, Inc.

Trimfast Group, Inc. is an emerging growth company actively looking for additional mergers or acquisitions. These mergers or acquisitions will be targeted towards companies with a significant ability for growth or which could add instant shareholder value to Trimfast Group, Inc.

INVESTMENT HIGHLIGHTS

Trimfast Group, Inc. Signs Letter of Intent to Acquire Firm with $16 Million in Revenues: TFTG announces it has signed a Letter of Intent to acquire a stored value distribution firm. This firm generated $16 Million in revenues for year end 2004. With the completion of this acquisition, Trimfast would immediately have access to important markets for its products. Currently the stored value distribution industry generates BILLIONS of dollars in revenue per year and is growing rapidly. In addition to this potential acquisition, Trimfast is in discussions with several other companies that fit its acquisition profile.

TFTG Retains Former President of PT-1 Communications. Pioneer in the Prepaid Phone Card Business in United States: is pleased to announce that it has retained former President of PT-1 Communications as a consultant to review its product and marketing strategy for the stored value prepaid Master Card and ATM markets. Mr. Vita Former President of PT-1 Communications is an expert in the field of debit distribution. Mr. Vita was responsible for the most successful introduction of phone cards as PT-1 went from start up in 1995 to the largest prepaid phone card company in the United States. Prior to its sale in 1999, PT-1&apss phone cards were available in over 50,000 retail locations throughout the US.

REASONS TO BUY TFTG TODAY:

* TFTG Signs LOI to Acquire Stored Value Card Distribution Firm with $16 Million in Revenues.
* Management Reviewing Several Additional Acquisition Targets.
* Stored Value Card Industry Generates Billions in Revenue per year.
* Senior Advisor Peter M. Vita turned a once start-up company into the largest phone card company in the United States. Mr. Vita now seeks similar results for TFTG.

OPPORTUNITY:


The upside associated with TFTG can be three-fold. First, the long-term potential for the stored value card industry is staggering. Secondly, at TFTG's current price, the company may be able to attract value-oriented investors who are focusing on low proven emerging growth companies. Third, TFTG has signed an LOI to acquire a stored value distribution firm with $16 Million in Revenues. This acquisition could provide immediate value to investors with a sharp rise in price!!Information within this email contains" forward looking statements" within the meaning of Section 27A of the Securities Act of 1933 and Section 21B of the Securities Exchange Act of 1934.Any statements that express or involve with respect to predictions, goals, expectations, beliefs, plans, projections, objectives, assumptions or future events or performance are not statements of historical fact and maybe "forward looking statements.

2005-04-05

Phish of the Day: Regions

At a casual glance, I'm doubtful as to whether this phish comes from the same hive of scum and villainy as the previous one. This one was received from 207.234.145.115 (dns1.dexma.it, mail.dexma.it) on Tue, 05 Apr 2005 16:53:40 +0000. Text as follows, minus the Regions bank image, which I don't want to use without permission.

<img src="http://www.regions.com/images/header_right.gif">
          Dear customer,

due to concerns, for the safety and integrity of the Internet Banking community we have issued this warning message. It has come to our attention that your account information needs to be updated due to inactivity.

 
If you could please take 5-10 minutes of your online experience and renew your records you will not run into any future problems with the online service. However, if you choose to ignore our request, you leave as no choice but to temporary suspend your account.
Please use the link below to access our mainframe database verification system and confirm the information we have on file for your account.

https://secure.regionsnet.com/EBanking/logon/user

 

Note: Requests for information will be initiated by Regions Business Development; this process cannot be externally requested through Customer Support.

If you have any questions, feel free to contact our customer support department any time at:
- support@regions.com

We apologize for any inconvenience this may cause, and appreciate your assistance in helping us maintain the integrity of the entire system.

 

Sincerely,
Regions Bank Management.

The actual link was to http://allvisions.com/secure.regionsnet.com/EBanking/logon/index.html, which is interesting, because allvisions.com has IP address 207.234.145.140, making it a close neighbour of the host from which the email was sent. I suspect that allvisions.com has had their hosting account compromised by this phisher, and I've alerted them to the problem.

2005-04-04

Pump and Dump: CWTD

This looks familiar. Received from 217.187.189.66 (bon9-d9bbbd42.pool.mediaWays.net) on Mon, 04 Apr 2005 04:44:55 +0000. Same trademark ugly HTML as last time. Note that the only difference relative to the last time is the current stock price, which has gone from $2.12 to $2.26 (or so they say). Their projections are a bit off, to say the least.

INVESTOR ALERT- IMMEDIATE RELEASE-INVESTOR ALERT

Breakout Forecast     March-April     2005

CHINA WORLD TRADE CORP.         CWTD   CHINA WORLD TRADE CORP

CURRENT PRICE        $2.26 

Projection    5 to 7 Days -------$4.50 - $5.00
Projection    12 to 18 Days------$6.00 - $8.00

China World Trade Corporation&apss WTC Link to Utilize SMS Platform to Increase Member and
Merchant Network
 

ALSO LOOK FOR NEW CNN INTERVIEW re: Tremendous 12 Month Company Growth
COMPLETED!!!!  Forward Plan to dominate China's Travel Industry.  (A Chinese Expedia.Com?)

China World Trade outbid CTRP on acquisition of  "NEW GENERATION" Southern
China
's largest travel company.

WHICH COMPANY IS THE BETTER VALUE?
CTRP     @  $40.00  SHARE PRICE
OR
CWTD    @    $2.26    Growth rate 5 times higher vs CTRP

CHAIRMAN TSANG, FORMERLY OF GOLD LION HOLDINGS has taken the
 reins of CWTD and continuing his record for success. CWTD is here to stay.
  READ
 THE NEWS
@ yahoo.com  Finance     

 

2005-04-02

Phish of the Day: eBay

Received from 72.9.248.34 on Sat, 02 Apr 2005 05:10:28 +0000, one fairly ordinary eBay phish.

Dear eBay Member:

It has come to our attention that your eBay Billing Information records are out of date.
That requires you to update the Billing Information.
Failure to update your records will result in account termination.
Please update your records in maximum 24 hours.
Once you have updated your account records,
Your eBay session will not be interrupted and will continue as normal.
Failure to update will result in cancellation of service,
Terms of Service (TOS) violations or future billing problems.

Please click here to update your billing records.

The link was to http://66.49.46.170.nw.nuvox.net, which you can inspect at your own risk. When I inspected it, the page that loaded in the first instance was a fake error page ("The page you are looking for is currently unavailable"), which included a Javascript redirect to another page which contained the actual fill-out form. I didn't see anything that looked like it might try to exploit a browser security hole, but I don't know for sure, since I don't have a sacrificial Windows system on which to try it.

News: Microsoft Wants to Catch Phishers

It seems that Microsoft is part software company, and part lawsuit company. At least they're channeling some of their lawsuits in the right direction with the announcement of 117 "John Doe" lawsuits against phishers. Sadly, they'll probably only catch the small-fry. Still, that's better than nothing.