Current Status

This blog is not frequently updated because most case-by-case scam reports are now listed in subordinate blogs. At this point in time, most of my efforts are targeted at documenting employment scams in the Suckers Wanted blog.

2006-12-18

Info: Vista Pirates

Spam advertising pirated software on the cheap (under the guise of "OEM" software) is nothing new, and not terribly interesting to me, but there's been quite a spate of it using Microsoft's new "Windows Vista" as the selling point. In the last week or so, my spamtraps have been collecting on the order of twenty such spams a day, most with the common subject, "Windows Vista Ultimate ready to download", and linking to a wide variety of recently-registered domains, so this is quite an aggressive spam campaign.

Beyond the fact that, for reasons of security, I recommend against using any version of Windows on a computer that is connected to the Internet, I emphatically recommend against obtaining any software, especially Windows, from dubious cheap online stores. Why, you ask? Because anecdotal evidence suggests that some of these sellers are not merely "pirates" engaged in flagrant copyright violation for profit, but are also placing back doors in their version of Windows so that they can use your computer to send spam -- or do whatever else they might find profitable to do with your computer.

It makes sense that they would do this: compromised Windows computers are, in my experience, the number one source of the worst spam on the Internet. These people are, so far as I can tell, sending their ads via such compromised computers. Do you suppose that some of the customers are now part of the spam problem? It wouldn't be in the least bit surprising would it? Why break into a computer the hard way when you can offer a system with a wide open back door and receive money from the target at the same time? It's a heck of a racket.

2006-12-08

Job Scam: Impex Consult Financial Consulting Group

Heads up -- a new name in job scams is on the radar for December: "Impex Consult Financial Consulting Group". This appears to be the same job scam gang responsible for Athens Financial Group Ltd, based on their common use of name server hosts. As usual, they want you to be a financial middle man -- or mule -- for stolen funds. This one is quite active: I've seen three different domain names covering the same scam in the past few days.

2006-12-07

Fraud: savechilds.net

This isn't the first time I've seen a bogus charity, but they aren't common. In this particular case, the spam uses that currently-popular technique of presenting the message in an image.

 Domain Name: SAVECHILDS.NET <-- scam domain
 Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
 Whois Server: whois.dns.com.cn
 Referral URL: http://www.dns.com.cn
 Name Server: DNS195.3FN.NET
 Name Server: NS2.3FN.NET
 Updated Date: 20-Nov-2006
 Creation Date: 30-Oct-2006 <-- recently created
 Expiration Date: 30-Oct-2007 <-- minimum length registration
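The three annotations on the record above (recently created, minimum-length registration, and, from the 2006-12-08 entry, name servers shared with earlier scam domains) are the sort of check that can be scripted. The following Python is an added example, not part of the original post and not a tool this blog used. The record is the savechilds.net one quoted above, the entry date (2006-12-07) stands in for "today", and the 90-day cut-off for "recent" and the caller-supplied set of name servers seen on earlier reports are assumptions of the example.

```python
import re
from datetime import date, timedelta

# Constructed sample: the savechilds.net record quoted in the entry above.
SAMPLE_WHOIS = """\
 Domain Name: SAVECHILDS.NET
 Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
 Whois Server: whois.dns.com.cn
 Referral URL: http://www.dns.com.cn
 Name Server: DNS195.3FN.NET
 Name Server: NS2.3FN.NET
 Updated Date: 20-Nov-2006
 Creation Date: 30-Oct-2006
 Expiration Date: 30-Oct-2007
"""

REPORT_DATE = date(2006, 12, 7)  # date of the blog entry, used as "today" (assumption)

MONTHS = {m: i for i, m in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun",
     "jul", "aug", "sep", "oct", "nov", "dec"], start=1)}


def parse_whois(text):
    """Collect 'Key: value' lines into a dict of lists (Name Server repeats)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # first colon only, so URLs keep theirs
        if not sep or not value.strip():
            continue
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def parse_date(s):
    """Parse the DD-Mon-YYYY form this registrar's output uses."""
    m = re.fullmatch(r"(\d{1,2})-([A-Za-z]{3})-(\d{4})", s.strip())
    if not m:
        raise ValueError("unrecognised date: " + s)
    return date(int(m.group(3)), MONTHS[m.group(2).lower()], int(m.group(1)))


def assess_domain(text, today, known_ns=frozenset(), max_age_days=90):
    """Score a WHOIS record: one point per heuristic that fires, plus the reasons.

    known_ns: lower-case name servers already seen on reported scam domains
    (the 2006-12-08 entry ties two campaigns together exactly this way).
    """
    f = parse_whois(text)
    reasons = []
    created = parse_date(f["creation date"][0])
    expires = parse_date(f["expiration date"][0])
    age = (today - created).days
    if age <= max_age_days:
        reasons.append("created %d days ago" % age)
    # One year is the shortest term registrars sell; a throwaway domain rarely buys more.
    if expires <= created + timedelta(days=366):
        reasons.append("minimum-length (one year) registration")
    ns = {n.lower() for n in f.get("name server", [])}
    shared = sorted(ns & set(known_ns))
    if shared:
        reasons.append("name servers shared with earlier reports: " + ", ".join(shared))
    return len(reasons), reasons


def demo():
    """The quoted record, assessed as of the entry date: both indicators fire."""
    return assess_domain(SAMPLE_WHOIS, REPORT_DATE)
```

Neither indicator is proof on its own (plenty of legitimate sites register for one year and are new), which is why the score is a count of reasons rather than a verdict; the shared-name-server check is the one that links a new name to a known gang.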

Advance Fee Fraud: Integrated Global Finance Services

This is a form of advance fee fraud and possibly forgery. An offer for an unsecured loan arriving unsolicited via email should trigger all sorts of "scam" alarm bells: please work on your credulity problem if it doesn't. A scam like this probably involves the loan applicant being hit up front with fees, fees, and more fees, with no payout ever. Alternatively, the scammers pay the mark with a fake cheque and insist on a fee being paid out of it: the fee goes via Western Union, the cheque bounces later, and the mark is left out of pocket.

CONTACT US FOR YOUR LOAN AND FINANCIAL ASSISTANCE.
INTERGRATED GLOBAL FINANCE SERVICES.
387/NTL PALMSTRAAT AMSTERDAM, NETHERLANDS.

Permit us to introduce our service to you. LOAN SCHEME, tagged 'loan under two weeks' INTERGRATED GLOBAL Professional Finance is a reputable limited liability company in the Europe entity.

Our service- deals in areas of funds,WE give out loan from (100,000 to 1,000,000 euro) bonds, grant and partnership with firms, corporations and esteemed individuals.

We offer offshore unsecured (no collateral service loan) to customers worldwide.Over the years, we have put into consideration the need for bodies and establishment in need for urgent cash either as a result of maintenance, expansion, establishment of a offices, Bankruptcy just to mention but few.

In general, we offer car loans, personal(domestic) loans, construction and working loan to reputable and existent men/women of the society at large.

Our service has been repositioned and standardized to meet customers demands in an economical way. Our interest charge is indeed reasonable, we offer hassle free loan service where by customers are allowed to make repayment over a long time span.

WE ALSO FUND SMALL BASE LOAN/FINANCE COMPANIES AS WE ARE A FULL TIME INVESTOR AS WELL.

For details and interest in our service contact

MR PHELPT VAN BROOK

Email:infocus@fynns.com

2006-12-05

Meta: Too Many Nigerians

Last month I had to deal with a combined average of nine lottery or 419 scams per day. They aren't all that hard to handle, but they consume time and are really boring. It's the same old same old again and again. I gave up on reporting phish scams a long time ago (other people were reporting it anyhow), and then the stock spam got too prolific to document. Now I'm going to quit reporting each and every lottery or 419 scam I receive, giving me more time to concentrate on job scams -- and the rest of my life, which does actually exist, believe it or not. So, with apologies to those who found "The 419 Files" and "Lottery Scam Du Jour" useful, I will not be updating those blogs indefinitely.

2006-12-04

Job Scam: Viking Finance

Looking to make a little extra money this Christmas season? If so, then I suggest you steer well clear of Viking Finance Ltd, which is the latest name in use by the money mule recruiters who called themselves Athens Financial Group Ltd last month, and a long string of other names in months prior to that. Remember folks, money mules participate in crimes, and crime is bad!

2006-11-28

Info: 419s and Lottery Scams Galore

Last month I considered the drop in the number of 419s and Lottery Scams arriving. Apparently it was a seasonal dip, rather than a trend: this month those crazy Nigerians and their brothers-in-scams have been making up for lost time. The month of November, 2006, is the worst month on record here at iDeceive for 419s and Lottery Scams by a long margin -- doubling the quantity over the worst previous month. I'm having a hard time keeping up with the inflow at the moment.

2006-11-23

Info: Job Scammers go .mobi

Dubious congratulations are in order for the new ".mobi" top-level domain name: they're now officially being used by job scammers. The Athens Financial Group job scam now includes the "afgl.mobi" domain as part of the scam. This top-level domain is intended for websites which are optimised for mobile devices, but our pet scammers are just using it as yet another name in their efforts to be a moving target: the website behind the name is the same old same old.

2006-11-21

Spam: bennicetravelandtours@yahoo.com

Sometimes a spam comes along that defies classification. This is one of them. No doubt I could get a clearer idea of what's going on here if I interacted with the sender, but life is too short for detail like that when there are so many scams to report.

This has "Nigerian Modus Operandi" written all over it: it was sent through a webmail system using drop-boxes at Yahoo! and Netscape for replies, and the originating webmail system reports the originating IP address as 62.56.140.83 which WHOIS in turn reports as Nigerian. So what's the scam? Well, the traditional Nigerian speciality is "advance fee fraud", so presumably that's it. Still, I haven't seen it done on this pretext before. If anyone has more detail on the scam, please post it.

Date: Tue, 21 Nov 2006 00:06:30 +0100 (GMT+01:00)
From: BENNICE  TRAVEL AND TOURS <bennicetravels@virgilio.it>
Reply-To: universaleinc@netscape.net
Subject: Bennice  World  Tours

Hello
Bennice U.K Travel and Tours offers a wide range of services.
Do you intend to get Visa to any part of the world?
We operate a travel agency that has a difference, service delivery and customer satisfaction is our Goal.
We Facilitate in procurement of Canadian Visa,[Students and Working Visa.]
U.S Visa [Tourists, Working and Students]
United Kingdom.
Schengen.
Japan [Business and Tourists]
South America-Brazil,Venezuela Mexico and Argentina.
Australia and New Zealand.[Students]
South East Asia-China , Malaysia ,Singapore and Thailand[ Working and tourists]
We also specialize in procuring Visas and other travelling document for nurses and other professionals in Nigeria.
There are limitless opportunities for Nigerian Nurses to work abroad.
We have ongoing application within France and Spain.
The visa is processed within nine days to two weeks.
Call me on +44 70 40 11 2703
Our Prices are relatively cheap and you have value for money spent.
Regards
Edwin Oken
Email bennicetravelandtours@yahoo.com

2006-11-15

Info: New Extremes in Image Spam

[Image: headache-inducing stock-touting spam]

It's common for spammers to place their message in a graphic image instead of plain text. They do this as a means to avoid spam filters. After all, if a computer can't read what the image says, then it's hard to tell whether it's just a picture attachment, or an image with a load of spammy text in it. We do have some ability to extract text from an image -- a process called "optical character recognition" (OCR) -- but it's not terribly reliable, and is made worse by bad images. Consequently, many spammers -- especially the stock-touting "pump and dump" spammers -- corrupt their images to make them harder for computers to read.

This particular spammer has taken the practice of image corruption to new extremes. The background contains various blotches of colour, and the lines of text are all slightly off kilter. I hope that nobody takes stock purchasing advice from a message that looks like it's abusing psychoactive drugs like this.

2006-11-13

Job Scam: Norden United Ltd

If past experience is anything to go by, we can expect quite a few job offers from Norden United Ltd this month. They will look suspiciously similar to all the other job offers I've reported here recently, and all be illegal money mule jobs. The first of these arrived a couple of days ago, and I would have reported it sooner, but I had a backlog of work to clear.

2006-11-02

Job Scam: Athens Financial Group Ltd

It looks for all the world like the same old phishing/jobscam gang that did Israeli Brokerage Services and goodness knows how many other scams reported here, but the new name of the month is "Athens Financial Group Ltd". Go take a peek if you want the details, but it really is the same old scam with a new name.

2006-10-26

Advance Fee Fraud: Godwin Mahama

It's only ever so slightly presumptuous of me to label this one "advance fee fraud". The full spam text is posted at The 419 Files for your reference, and you'll note that there is none of the usual "I require your assistance in relocating millions of dollars" nonsense. No indeed -- this is an entirely different kettle of fish. Well, entirely different except for the fact that it's just as fishy.

In this case, a certain so-called Mr Godwin Mahama tells us he's "a licenced government contractor, sourcing/commission agent registered with the government of Ghana", and that "many foreign firms have gotten several contracts through my company's effort and lobbying." Great. Presumably if I contact him at his suspiciously unprofessional Yahoo! freemail address (godwin_mahama2006@yahoo.com), and tell him I'm in the fertiliser business (only a slight stretch, really), he'll respond by telling me that he thinks he can get the government to contract me -- if I'm willing to pay for his services as a lobbyist.

As an Internet Fertiliser expert, I call "bullshit" on this one.

There may or may not be a real "Mr Godwin Mahama" in Ghana who may or may not be some sort of consultant, but there's no reason to think that the identity is real based on the information given.

Info: Israeli Brokerage Services shift tactics AGAIN

You just can't keep a determined spammer down, can you? In their on-going efforts to steal your money, the Israeli Brokerage scammers have not only started using yet another domain name, but they've given up their cherished tactic of putting all their text in graphic images. Well, I don't expect that they've given up on graphics, strictly speaking, but they've diversified into plain text. Anyhow, here's the text (including the new Hong Kong based web address), since it's a simple copy and paste job.

Hello! I am Tal Alkobi, manager of a Human Recourses department and I work in Israeli Brokerage services Ltd
This letter is aimed at attracting Your attention to a vacant post of financial manager for cooperation with private individuals. But first I would like to tell You about the company.
Israeli Brokerage services Ltd was established in 1994 to render assistance to our clients in selling, buying, privatization, arranging deals and brokering at stock exchange. We can put into practice any operation that our client wishes. To reach it, we possess a large choice of investment instruments. Owing to the high professional standard of our specialist, we attract a lot of clients so our company is the leading company of this kind in Europe. And we continue to grow!
And now we want to offer You the next:
- to join our work collective
- to become one of high qualified specialists
- to get a prestigious part time job
- to raise more
IT IS NOT NECESSARY FOR YOU TO HAVE ANY HIGHER OR PROFESSIONAL EDUCATION to get this job. The only requests are:
- You must have several free hours a day
- have a bank account or a possibility to open a new one
- have a computer
YOUR MAIN TASK CONSIST IN ensuring us the possibility to provide the best service for our clients in short terms.
YOUR DUTIES will be the next:
- to receive payments for the ordered securities from our clients to Your bank account
- to withdraw the funds and to transfer it further to our brokers in other countries
You should use Western Union or money Gram services for these transfers.
Your PAY amounts 9% commission out of every deposit that You receive on Your bank account.
If you are interested, please visit our site: http://ibsl.hk
We are waiting for You!
I beg Your pardon if You received this letter by mistake. In that case I ask You to be so gentle to delete it.
Yours faithfully
Tal Alkobi

2006-10-22

Info: Israeli Brokerage Services scammers change tactics

One of the ways to block spam fairly reliably is to block on the basis of the links contained in the spam. In reaction to this, apparently, the Israeli Brokerage Services scammers have mostly stopped linking the images in their spam to their websites. Instead, they have been opting for shorter domain names and instructing the recipient to type the address by hand, as shown in the sample spam image here. Because the text appears in a GIF image, the recipient can't even copy and paste the address.

As an aside, if their primary motivation here is to dodge spam filters, it's not working very well. There are a lot of other characteristics of their spams which identify them as such.

2006-10-16

Info: Are Nigerians changing their tack?

I've noticed a downward shift in the number of 419 scams arriving. My 419 archives show fifty-something 419 scams per month in the months of June, July, and August, but then a 50% drop in September, and projections for the remainder of October are looking similarly low. At the same time, I noticed that a recent job scam had a very Nigerian feel to it (despite pretending to come from China). On investigation, I note that the modus operandi is very typical of the Nigerians (using a webmail system), and the sending system reports that the originating IP address was 80.88.141.71, which is allocated to Nigeria (delegated from "Emperion", Denmark, to Nnamdi Nwokoro of Benin City, Edo state, Nigeria, according to WHOIS data).

Perhaps the Nigerians have discovered that it's more profitable for them to engage in job scams rather than advance fee fraud? Unlike the Russians and other Eastern Europeans (who tend to run job scams in conjunction with phishing), I get the impression that the Nigerians prefer forgery, and target the USA. According to an article at Snopes, there is a lot of fraud involving forged cheques and money orders: individuals are persuaded to accept these and wire back 90% of the face value via Western Union (or some similar arrangement). Due to banking regulations in the US, the proceeds of the cheque become available before the cheque is fully verified. The recipient gets a rude shock later when the bank denies the cheque and reverses the deposit.
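The attribution step this entry and the 2006-11-21 entry above both rely on (read the originating address the webmail system recorded, then see who that address is allocated to) is shown below as an added Python example; it is not from the original post. The headers are constructed, modelled on the Bennice spam quoted above; the webmail host uses an RFC 5737 documentation address; and the allocation table holds only the two addresses this page reports as Nigerian, with /24 prefix lengths that are an assumption of the example (a real check queries the RIR WHOIS rather than a local table).

```python
import ipaddress
import re
from email import message_from_string

# Constructed headers modelled on the Bennice spam of 2006-11-21 above. The webmail
# host is a documentation address; the client address is the one the page quotes.
SAMPLE_MESSAGE = """\
Received: from webmail.example.net (webmail.example.net [198.51.100.7]) by mx.example.org with ESMTP; Tue, 21 Nov 2006 00:06:40 +0100
Received: from [62.56.140.83] by webmail.example.net with HTTP; Tue, 21 Nov 2006 00:06:30 +0100
X-Originating-IP: [62.56.140.83]
From: BENNICE TRAVEL AND TOURS <bennicetravels@virgilio.it>
Reply-To: universaleinc@netscape.net
Subject: Bennice World Tours

Hello
"""

# Constructed allocation table: the page reports both addresses as Nigerian; the /24
# prefix lengths are an assumption. Real lookups go to the RIR WHOIS servers.
ALLOCATIONS = [
    (ipaddress.ip_network("62.56.140.0/24"), "NG"),
    (ipaddress.ip_network("80.88.141.0/24"), "NG"),
]

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def as_address(s):
    """Parse a dotted quad, or return None for anything that is not a valid address."""
    try:
        return ipaddress.ip_address(s)
    except ValueError:
        return None


def originating_ip(raw):
    """Best guess at the submitting client's address.

    Only the Received line our own MX wrote can be trusted; X-Originating-IP and
    the earlier Received lines were written by systems the sender may control, so
    they are claims to be checked, not facts. Webmail providers add them honestly,
    which is what makes this useful against the webmail-based 419 gangs.
    """
    msg = message_from_string(raw)
    xoip = msg.get("X-Originating-IP", "").strip(" []")
    if as_address(xoip):
        return xoip
    for hdr in reversed(msg.get_all("Received", [])):   # earliest hop first
        for cand in IP_RE.findall(hdr):
            addr = as_address(cand)
            if addr and addr.is_global:                 # skip private/loopback/doc ranges
                return cand
    return None


def country_of(ip):
    """Look the address up in the local allocation table."""
    addr = ipaddress.ip_address(ip)
    for net, cc in ALLOCATIONS:
        if addr in net:
            return cc
    return "unknown"


def attribute(raw):
    """(originating address, allocation) for a raw message, or (None, 'unknown')."""
    ip = originating_ip(raw)
    return ip, (country_of(ip) if ip else "unknown")
```

The caveat built into `originating_ip` matters in practice: a spammer sending through their own relay can prepend any Received line they like, so the country read off the earliest hop is only as good as the honesty of the system that wrote it. The pattern the entries above describe works because the webmail provider, not the scammer, recorded the client address.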

2006-10-12

Phone Scam: Perfect Soul Mate

This is the same kind of premium-rate SMS scam I documented a couple of months ago under the title of "Your 1 True Love". It seems like a harmless bit of fun, but you're actually signing up for a truckload of useless-but-outrageously-expensive SMS messages. The sting can be found in their terms and conditions, which I quote here in full for reference.

Introduction

Your access to this service is conditional upon your acceptance of all terms of use laid out herein. You must read the following terms and conditions carefully before taking advantage of any services offered on this service. You may view all or parts of this service using an Internet web browser or mobile phone only if you agree not to reproduce, transmit (broadcast) or adapt any part of the content of this service without the permission from FunSpring.

Delivery

All SMS services provided by FunSpring are charged on a per-SMS basis irrespective of:
• the message reaching the recipient. The message may not reach the recipient if his/her phone is switched off, out of range or not compatible with the content of the message. In this case, the message will attempt to be delivered for seven days
• situations where a service is being denied to the user due to user's incorrect procedure and/or user ban and with the exception of where a requested product was not available.

Partnership

By signing up with or accessing any of FunSpring services, you form a partnership with FunSpring whereby you give permission to accept any type of promotional or otherwise content from FunSpring and third parties affiliated with FunSpring at any time. This includes material sent via SMS, E-Mail or any other means of communication utilized by FunSpring and any of its affiliates.

The Site and HOROSCOPE Service

By clicking the "ENTER" button you will be sent a free soul mate prediction and will start a subscription to the HOROSCOPE service. You will be sent up to 15 horoscopes each month priced at $5/sms. You may stop this subscription service at any time by sending a text message with STOP, to short code 19999008. Your phone must be Internet-enabled and have text messaging capability. You must be the owner of this device and either be at least sixteen years older or have the permission of your parent or guardian. Standard text messaging rates apply. For support please contact 1300767306 during business hours.

In particular here, I draw your attention to the last two paragraphs. One states that you are liable to receive 15 horoscopes per month at a rate of $5 per horoscope (i.e. they have the right to drain your phone account at a rate of $75 per month), and the other states that they can share your phone number or email address with whomsoever they please for whatever reason they please (presumably to advertise crap at you).

The domain name in question is "perfectsoulmate.net" which is registered through a privacy proxy service for obvious reasons. It came to my attention through a Google ad, as it did last time, rather than spam. Advertisers pay per click on their ads: you should make your own decision as to whether you want to click through any such ad you find, but I strongly advise against giving them any personal information if you do visit their site.

2006-10-09

Job Scam: Israeli Brokerage Services Ltd

The "Israeli Brokerage Services Ltd" money mule job scam is a continuation of others we've seen here previously, and also related to the "Bronsard Advantage" one reported here recently. I mention it here specifically because the spammers are now trying a new tactic: leaving out the hyperlink to their website. In the most recent instance of this spam, the instructions are, "to take a visit to our web site please enter in address line in your Internet browser." The URL in question is http://ibsl.org. At a guess, their motive is to avoid spam filters, and it worked to some degree. This particular spam was tagged as "suspected spam" by one filter, then forwarded to a Gmail account which correctly classified it as spam.

Note that because the spam text is presented in a GIF image, the recipient really does have to type the address by hand -- a kind of CAPTCHA, really.
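The link-based filtering that this entry and the 2006-10-22 entry above describe, together with the two evasions they report (an address with no scheme that the reader is told to type by hand, and an address that exists only inside a GIF), is shown below as an added Python example; it is not from the original post. The three message bodies are constructed, modelled on spams quoted on this page; the blocklist holds domains named on this page; the regular expressions, the short TLD list and the "last two labels" rule for the registrable domain are simplifications and are assumptions of the example.

```python
import re

# Constructed sample bodies, modelled on spams quoted elsewhere on this page.
HTML_LURE = ("<p>Again all the details are on the magazine's portal, the direct link: "
             '<a href="http://www.wealthcreatorau.com/commpromo.html">here</a></p>')
TYPED_ADDRESS = ("to take a visit to our web site please enter in address line "
                 "in your Internet browser: ibsl.org")
IMAGE_ONLY = '<img src="cid:part1.gif" alt="">'   # all the text lives in the picture

# Domains this page ties to the campaigns in question.
BLOCKED_DOMAINS = {"wealthcreatorau.org", "wealthcreatorau.com", "ibsl.org", "ibsl.hk"}

# Hosts with a scheme, then bare hosts with no scheme (the "type it in" evasion).
# The TLD list is deliberately short (assumption); a real filter uses the public suffix list.
URL_RE = re.compile(r"""https?://([^\s/"'<>]+)""", re.I)
BARE_HOST_RE = re.compile(
    r"(?<![\w.@/-])((?:[a-z0-9-]+\.)+(?:com|net|org|hk|info|mobi))(?![\w-])", re.I)


def extract_hosts(body):
    """Every host mentioned in the body, with or without a scheme, lower-cased."""
    hosts = set()
    for m in URL_RE.finditer(body):
        authority = m.group(1).split("@")[-1]          # drop user:pass@ if present
        hosts.add(authority.split(":")[0].lower())     # drop :port
    for m in BARE_HOST_RE.finditer(body):
        hosts.add(m.group(1).lower())
    return hosts


def registrable(host):
    """Last two labels only; ccTLD second-level registries are not handled (assumption)."""
    return ".".join(host.split(".")[-2:])


def classify(body):
    """Return (verdict, detail): 'spam' with the blocked domains hit, or why nothing matched."""
    hosts = extract_hosts(body)
    hits = sorted({registrable(h) for h in hosts} & BLOCKED_DOMAINS)
    if hits:
        return "spam", hits
    if not hosts and re.search(r"<img\b", body, re.I):
        # The evasion described above: the address is in the GIF, so there is nothing to match on.
        return "no-links-image-only", []
    return "no-match", sorted(hosts)


def demo():
    """Run the three constructed bodies through the filter."""
    return {name: classify(body) for name, body in
            [("html", HTML_LURE), ("typed", TYPED_ADDRESS), ("image", IMAGE_ONLY)]}
```

The bare-host pattern recovers the "type this in" case, but the image-only case returns no hosts at all, which is exactly the hole the entries above describe: a link blocklist sees nothing to block, and the filter has to fall back on other characteristics of the message (or OCR) to catch it.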

2006-10-07

Job Scam: Bronsard Advantage Co

First sighting: "Bronsard Advantage Co" money mule job scam. This has the same modus operandi and basic pattern as many other job scams reported here. For details of the operation follow the above link; this blog entry serves only as an announcement of first sighting.

2006-09-28

News: Convicted spammer's appeal dismissed

The USA has Jeremy Jaynes, and the UK has Peter Francis-Macrae. What do these guys have in common? They are both spammers who have been found guilty of spamming and various other nefarious deeds. In the case of Francis-Macrae, he's just had his appeal dismissed (reported by the BBC and The Register).

Judging by his misdeeds, Francis-Macrae is a right nasty little brat, not only engaging in email harassment, but also in threatening actual physical harm to just about anyone who ever told him off about it. At his conviction, the judge described him as, "one of the most vindictive young men [he'd] ever seen".

Enjoy your porridge, Peter. All of it.

2006-09-22

Hijack Alert: Commonwealth Bank Group offers 11% p.a. on Term Deposits for Current Customers!

Here's a twist: a "Web Attacker" browser hijack which targets customers of a specific bank. After all, why phish when you can just install a keylogger? Or better yet, install an agent which performs additional transactions while the user is online. Whatever the case, this particular hijack uses a more up-to-date version of Web Attacker than I've seen before (ie0609.cgi). The text of the email lure follows; investigate the links at your own risk. Note that there are two similar domain names in use here (.org and .com).

It seems Commonwealth Bank is doing really well this year, and here we go:
the highest deposit rate I've ever seen in Australia. Just quoting the news I
found at Wealth Creator Magazine's website:

If you want competitive returns and you don't need instant access to your
cash, you can get a competitive 8.95% p.a. on Term Deposits
at the Commonwealth Bank for amounts from $3,000 for 12 months, and 10.95%
for amounts of $5,000 and over.

We are proud to have you as a member of our bank and would love to offer this
time-limited Commonwealth Bank's anniversary rate!
http://www.wealthcreatorau.org/commpromo.html

Isn't amazing? But they limit the offer to the current customers, that's the
one sad point. If you are one of them I feel jealous for you.

Again all the details are on the magazine's portal, the direct link
to this news: http://www.wealthcreatorau.com/commpromo.html

2006-09-20

Hijack Alert: To you there has come a card from Postcard.com

This is another "Web Attacker" lure. I don't know for sure if it contains the latest and greatest "VML" vulnerability for Internet Explorer (for which there is as yet no patch), but it doesn't seem to. I don't have a sacrificial Windows system on which to test it, sadly. Anyhow, if you got an email like this and clicked the link, you'd better assume the worst: that some nefarious person now has complete remote control of your computer, and can monitor all that you do on it.

Happy birthday, dear [name]!

20/09/2006 14:23
You have got a postcard with congratulations from the company Post.com.
You can pick it up at http://[domain]/postcard45683.html

Postcard.com

URLs I've seen associated with this hijack:

2006-09-12

Hijack Alert: Email Confirmation for [name]

These hijack alerts are starting to become as mainstream as the job scams, and I'll probably give up on reporting them in detail soon. In fact, I don't intend to report this one in detail. It's just another email designed to make the recipient go "OMG!! WTF??" and click on the link. At the other end of the link (after your browser silently navigates through a twisty little maze of HTTP redirects and other obfuscation) is the infamous Web Attacker software, which attempts to compromise your computer through various known browser bugs.

The best way to be safe from this attack at the moment is still, "don't use Microsoft Windows -- at least, not for anything Internet related." Seriously, that's the best advice I can offer, unhelpful as it is. Second best is, "use a browser other than Internet Explorer, and don't ever ever click on links in spam, no matter what." The text of today's angst-inducing lie follows for the benefit of those wise enough to search: square brackets indicate redacted text; visit the URLs at your own peril. Note that in this particular case I received a bounce message, meaning that the spammer in question sent this spam using one of my addresses as the "from" address. There's not a lot you can do to prevent this, so why worry about it?

Date: Tue, 12 Sep 2006 16:59:08 +0200
Subject: Email Confirmation for [name]
Dear [name].

   Thank you for your subscription to http://prismhouse.com/scken4182.html

   You have been billed as KRBILL LLC for the amount of:
   3.95(USD) for 3 days (trial) then 34.95(USD) recurring every 30 days .

   Your new subscription identification number is:573716,

       Your membership access information is:
       Username for your subscription: Skilores
       Password for your subscription: FGyju75u
       E-mail: [name]@[domain]

  Membership website: http://prismhouse.com/scken4182.html

Thank you for choosing KRBill as the eMerchant for your subscription!
Customer Support/Cancel Your Subscription 12/09/2006 16:59

2006-09-01

Info: A New Twist on the Lottery Scam?

Lottery scams have been around for quite a while, and are so common that I have a blog dedicated to them. The most suspicious thing about lottery scams is that you win a lottery you never entered. The sender usually spins some bull story about how it's your email address that's won, and the sponsor is some benevolent set of corporations that want to promote Internet use. If you believe that sort of thing, you're just plain credulous, I'm sorry to say.

A new variation on the scam which sounds a little more credible has just come to my attention. Rather than tell you you've won a lottery you never entered, they give you a free opportunity to enter a sweepstakes. If you're as cynical as I am, you can guess what happens next: you win the lottery, and it's the same old scam all over again. This is pretty smart from the scammer's perspective. Not only is the whole cover story more credible, but the people who reply and enter the lottery have immediately identified themselves as easy marks.

I won't post a sample in full, since there is too much tracking data in the URLs. Thanks goes to JR for submitting it.

From: "Eligibility Notification " <s.baker@afternooncake.com>
Date: 31 Aug 2006 15:51:43 -0400
Subject: , You Have Been Selected to Win a Million Dollars

WIN A MILLION DOLLARS!
AUDREY SOLARA SWEEPSTAKES DIRECTOR

To Whom It May Concern,

You're one of the authorized individuals who has a chance to WIN $1,000,000!

You've been selected as a candidate to receive this e-mail announcement.
Not everyone has been sent this private message.
To enter our WinAMillion Sweepstakes simply visit the link below.
[etc]

2006-08-21

News: Stock spammers charged

The US Securities and Exchange Commission has charged a "recidivist securities law violator" and his wife with "orchestrating a fraud scheme to inflate the price of WebSky, Inc., a San Francisco-based penny stock company, using spam email." According to the press release, "the couple pocketed more than $1 million in proceeds as a result of the scam." It should come as no shock to discover that they haven't been entirely honest about things, both in the spam they used to promote the stock, and in their dealings generally. Thanks to The Register for bringing this to my attention. It's always nice to hear of a scammer facing justice.

2006-08-16

Meta: Blog Upgrade

A quick apology to anyone who was using the Atom feed of this site and just received a bunch of old posts as though they were new. This is a result of my cutting over the blog to an upgraded version that Google are now offering. Hopefully there won't be any other undesirable side-effects.

2006-08-05

Phone Scam: Your 1 True Love

This is a bit different for me, but this kind of practice peeves me no end. There is a site called "Your 1 True Love" which is apparently targeting Britons and Australians through a Google AdWords campaign. "Predict your one true love," says the ad. "Find your ideal soul mate predicted right down to the name." Obvious baloney, but a harmless bit of fun, right? Wrong: it's a nasty little trap for the unwary.

The page to which the ad links has a form for your name, your mobile phone number, and your date of birth. The button is a pretty graphic that says "YES, I wish to receive my soulmates name" with "and agree to the terms and conditions" in small print underneath. Mobile number? Terms and conditions? I can see where this is going: it's a premium rate SMS scam.

Digging a little deeper into the HTML source for the page, I see there's JavaScript code to ensure that the mobile number entered follows the form of either a UK mobile number or an Australian mobile number. I also find a mention of the terms and conditions, but it's hidden inside an HTML comment, so you can't see it at all unless you look at the source. The deactivated link goes to a poorly-formatted page which has the following text.

Terms and Conditions Of Service

Your 1 True Love is a subscription based mobile phone service, you must be at least 16 years of age or older and have the bill payers permission.

You will receive a prediction of your true love followed by love predictions. Cost is $5 per message with up to 15 predictions/messages sent to your phone per month.

You can stop subscription at any time by sending stop to 19999003. For full terms and conditions click here.

Note that the "click here" text in the above quote is not a link. I can't tell at this stage what that "19999003" number is about: numbers of that form (starting with "1") in the UK are "Access/Short code" numbers, and the same applies in Australia to the best of my knowledge. In the UK, however, the range starting with "199" is not yet allocated. I have no idea what the state of affairs is in Australia. The number could be completely bogus, I suppose.

Anyhow, this is fairly typical for a premium SMS scam: trick people into "signing up" for an indefinite supply of useless, expensive messages, then suck their phone account dry with it.

I'm not usually one to advocate vigilantism, but in this particular case I think turnabout is fair play: if you find a Google Ad for this particular crowd, be sure to click on it early and often, since they pay per click. Their assumption is that they can make the scam pay, so long as they get enough suckers to "sign up" by submitting their phone number on that form. Go ahead and give them a taste of their own.

The domain name in question is "your1truelove.com", and the registration for that domain is through "Domains by Proxy, Inc." -- for obvious reasons.

2006-07-28

Hijack Alert: Monetary prize from Microsoft

At first glance, this looks like a lottery scam, but on closer inspection it appears to be a browser hijack attempt. I haven't been able to determine exactly which security hole this is attempting to exploit, but I think it's reasonable to assume two things: first, that it targets Microsoft Windows, and second, that it's a fairly specific security hole being targeted. This second point is in contrast with most of the hijack attempts I've reported here which use the "Web-Attacker" software and test for a substantial range of exploitable holes.

Those who have the technical skills may care to check it for themselves (assuming it remains online for long enough). For the rest, if you are using Microsoft Windows and you clicked on a link in a spam like this, you should assume that your computer has been compromised and have it disinfected ASAP.

Dear Microsoft Consumer!

Within the limits of advertising company Microsoft has played USD 1000000 between the clients. The choice occured in the casual image. On yours e-mail the monetary prize at a rate of USD 52346 has dropped out. To receive it, it is necessary for you to visit ours Resolution Centre and to fill the small form.

Corporation Microsoft congratulates you on a prize and that you and in the further will use our development hopes.

Microsoft Corporation

2006-07-26

Misc: You want a link exchange? I'll give you link exchange!

This is a funny-sad sort of thing. I've just received the following email.

Dear Webmaster,

My name is Robert Williams, and I run the web site Work At Home Business
Website:

http://www.work-at-home-business-website.com/

I recently found your site http://ideceive.blogspot.com and am very
interested in exchanging links. I've gone ahead and posted a link to your
site, on this page:

http://www.work-at-home-business-website.com/linkmachine/resources/resources_advertising_3.html

As you know, reciprocal linking benefits both of us by raising our search
rankings and generating more traffic to both of our sites. Please post a
link to my site as follows:

Title: Work At Home Business Website
URL: http://www.work-at-home-business-website.com/
Description: Working from home is a dream for many but actually going
ahead and starting a home business is very difficult. Let us help!

Once you've posted the link, let me know the URL of the page that it's on,
by entering it in this form:

http://www.work-at-home-business-website.com/linkmachine/resources/link_exchange.php?ua=_ua9&site_index=MjA5ODQzMQ%3D%3D

You can also use that form to make changes to the text of the link to your
site, if you'd like.

Thank you very much,

Robert Williams

Right. Call me suspicious by nature, but I seriously doubt that this "Robert Williams" has ever laid eyes on my humble blog. Instead, there is strong circumstantial evidence to suggest that this is spam generated by ethically dubious "Linkmachine" software. The "premium" edition of this software "finds potential link exchange partner sites" and "searches websites for contact e-mail address". Can you put two and two together?

As for Mr Williams' work-at-home-business-website and his request for a link, I'm going to oblige him, but not quite on the terms he requested.

Sales pitch mode: on.

Working from home is a dream for many, but actually going ahead and starting a home business is very difficult. Furthermore, there are many scammers out there who would like to sell you a short-cut to a simple and profitable work-at-home business. Such people set up vacuous, junky "work at home" websites, and send spam inviting you to join in. They make outlandish claims about the ability to earn a thousand or more dollars a month without any real effort. If this doesn't scream "scam" at you, you should probably increase your daily dose of scepticism.

Sales pitch mode: off.

Bah! Humbug!

2006-07-25

Hijack Alert: Dangerous tuna with increased mercury levels on your local market

Here's another spam which is intended to lure the victim to a hostile website armed with Web-Attacker. The modus operandi is identical to that used in the recent "World-Soccer news" attack: the spam contains sensational news, and a link to a website; the website itself is a hastily cobbled-together facade of relevant snippets plagiarised from somewhere or other, heavily obfuscated with Javascript, and includes an IFRAME reference to something that loads Web-Attacker. If you browse this site using a computer that runs Microsoft Windows, you should assume that it has been compromised and have it checked up.

The spam "lure" was as follows (links defanged). Note that the key link is to http://www.protectinnocent.org/register.htm.

We are struggling for the future of our planet, please help us.
Only together we can stand for our nature!

Send a message to the "Environmental Protection Agency and Food and Drug Administration" to improve mercury testing so we can keep tuna safe for our families and for dolphins.

Some of the tuna producers -- particularly in Ecuador and Mexico -- use practices that can hurt or kill dolphins and catch tuna with increased mercury levels.

Sign for it - help yourself and thousands of other lives.

One another way you can help us is to send this letter or the link to our website: http://protectinnocent.org/register.htm- to all people you know.


2006 Help Dolphins

The domain "protectinnocent.org" is a ruse: it was registered on 20-Jul-2006 at 09:57:27 UTC. The domain name configuration for this is unusual, and worth mentioning in passing. There are five nameservers, named "dnsN.name-services.com", where N ranges from 1 to 5. At time of writing, these have the following addresses.

dns1.name-services.com. 3600    IN      A       69.25.142.1
dns2.name-services.com. 3600    IN      A       216.52.184.230
dns3.name-services.com. 3600    IN      A       63.251.92.193
dns4.name-services.com. 3600    IN      A       64.74.96.242
dns5.name-services.com. 3600    IN      A       70.42.37.1

Each of them is reporting SOA serial number 2002050701, so they should all contain identical records, but when queried for "A" records for "www.protectinnocent.org", they respond with five different answers: 69.25.142.3, 216.52.184.240, 63.251.92.195, 64.74.96.243, and 216.52.184.240 respectively. With the exception of the fifth response (which is a repeat of the second), all the address records are close neighbours of their respective nameservers. None of the address records have corresponding PTR entries, but all are ultimately under the control of eNom, which is also the registrar through which "protectinnocent.org" was registered.

I think that all we can learn from this is that eNom uses dodgy DNS tricks to distribute load on their mirrored webservers.

Ultimately "protectinnocent.org" is just a side-show, anyhow. The real "sting" comes from the IFRAME which loads http://www.web12.ws/go.php. That, in turn, is just a "302" redirect to http://www.web12.ws/cgi-bin/ie0606.cgi?homepage, which is a "302" redirect to http://www.web12.ws/demo.php, which is a hideously obfuscated piece of Javascript that expands out to the Web-Attacker "which browser with what exploitable security holes am I running on?" script. From there, other scripts are launched to actually exploit whatever security holes are available, if any.

It will come as no surprise that "web12.ws" was also registered through eNom, on 2006-07-21 08:47:45. The address for "www.web12.ws" is currently 66.36.231.123, which doesn't have a PTR record, and WHOIS reports as allocated to HopOne Internet Corp.

I have to admit that the technique used by the culprits here is pretty sly. If I complain to HopOne that they are sheltering a Web-Attacker user, they might close down the account. (In my stern opinion, they should be pro-active enough about detecting this sort of abuse that I shouldn't need to complain, but the operators of such businesses tend to be concerned with profits, not the general welfare of mankind.) Should the account be closed, however, the culprits can simply adjust their "protectinnocent.org" site to just wrap another target -- one which may already be set up and ready to go.

It's probably more effective to complain about the "protectinnocent.org" site itself, since the closure of that domain name would result in the need for a fresh spam run. Persuading a registrar that a domain name is being used maliciously is no simple task, unfortunately. Even so, eNom seem to have a decent web-interface for submitting such complaints, so I've done my duty.

2006-07-22

Job Scam: riverpartners.net

The rats behind the "River Partners" job scam have switched domains from "river-partners.net" (documented earlier) to "riverpartners.net". See a spam sample (or two) at Suckers Wanted. As usual, only one of the nameservers is responding to requests. The results of the query can be seen below for reference, bearing in mind that the very small "time to live" values mean that this data will become obsolete rapidly.

; <<>> DiG 9.3.1 <<>> A riverpartners.net @66.109.17.68
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50463
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;riverpartners.net.             IN      A

;; ANSWER SECTION:
riverpartners.net.      1800    IN      A       24.99.224.131
riverpartners.net.      1800    IN      A       70.240.216.34
riverpartners.net.      1800    IN      A       71.64.201.226
riverpartners.net.      1800    IN      A       74.135.163.127
riverpartners.net.      1800    IN      A       89.55.168.153

;; AUTHORITY SECTION:
riverpartners.net.      1800    IN      NS      ns1.serv-names.com.
riverpartners.net.      1800    IN      NS      ns2.serv-names.com.

;; ADDITIONAL SECTION:
ns1.serv-names.com.     1800    IN      A       66.109.17.68
ns2.serv-names.com.     1800    IN      A       72.9.1.151

;; Query time: 243 msec
;; SERVER: 66.109.17.68#53(66.109.17.68)
;; WHEN: Sat Jul 22 08:02:56 2006
;; MSG SIZE  rcvd: 197

2006-07-21

Phish of the Day: Fifth Third Bank

This is another phish which appears to be sent by the employment scam rats. The actual link is to http://www.53.com.wps.portal.secure.belyhw.info/r1/context/. Note that the domain "belyhw.info" was registered 20-Jul-2006 13:10:44 UTC (less than 24 hours ago at the time of writing).

2006-07-20

Phish of the Day: Suncorp

This phish links to http://suncorpmetway.com.au.korinc.org/r1/doconfirm/ (note that it's a subdomain of "korinc.org") and uses the same filter-buster as the phish reported immediately prior to this one. The overlap in the domain name used for the phish ("korinc.org") proves beyond reasonable doubt that the same scammers are behind these phishing attacks.

Phish of the Day: Macquarie Bank

I don't usually bother reporting phish, but this one appears to be from the same rats that are bringing us the current spate of employment scams. The image in the spam is a link to http://www.macquarie.com.au.retail.customercare.korinc.org/r1/conf/ (note that it's a subdomain of "korinc.org", registered 17-Jul-2006 19:29:25 UTC). The aspect which suggests a tie back to the employment scam rats is the pattern of filter-buster text used in conjunction with the image: "are but, how best you, very good best why of" and so on. This is the same pattern as reported earlier for various job scams.

In case you're not familiar with why these would be sent by the same gang, the scam goes like this. The rats gain access to various online bank accounts by sending out phishing spam. Then they send out employment spam which involves other parties acting as "payment processors". Using their ill-gotten access to online bank accounts, they transfer money from the phishing victims to the employment scam victims. The employment scam victims then forward the money via Western Union or Money Gram, and the rats have their profit. Meanwhile, the phishing victim finds that his money has gone to the employment scam victim, and they get to argue over who gets their money back.

Job Scam: river-partners.net

A new name has turned up today in the ongoing magical morphing job scam series. This one calls itself "River Partners Inc", and currently uses the domain name "river-partners.net", but River Partners bears a striking similarity to Trigon Partners. Could it be the same rat behind the curtain again? Why wouldn't it be? The spam text is archived at Suckers Wanted.

Here's the DNS information about "river-partners.net" at this time. As is typical for these guys, only one of their nameservers was responding to queries.

; <<>> DiG 9.3.1 <<>> A river-partners.net @66.109.17.68
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56760
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;river-partners.net.            IN      A

;; ANSWER SECTION:
river-partners.net.     1800    IN      A       69.243.77.246
river-partners.net.     1800    IN      A       82.49.125.97
river-partners.net.     1800    IN      A       82.237.121.9
river-partners.net.     1800    IN      A       24.99.224.131
river-partners.net.     1800    IN      A       65.184.136.225

;; AUTHORITY SECTION:
river-partners.net.     1800    IN      NS      ns1.serv-names.com.
river-partners.net.     1800    IN      NS      ns2.serv-names.com.

;; ADDITIONAL SECTION:
ns1.serv-names.com.     1800    IN      A       66.109.17.68
ns2.serv-names.com.     1800    IN      A       72.9.1.151

;; Query time: 231 msec
;; SERVER: 66.109.17.68#53(66.109.17.68)
;; WHEN: Thu Jul 20 02:52:11 2006
;; MSG SIZE  rcvd: 198

If anyone has corresponded with these scammers, please forward it to me or post it here so that I can aggregate the information.

2006-07-18

Job Scam: Several, but the same rat behind the curtain

Oh dear, the job scams are coming thick and fast at the moment. In the past six hours or thereabouts, I've received employment offers from "Swiss Invest, Ltd" (http://swiss-invest-ltd.biz/html/index.php?sect_id=6), "UK Modulus Invest Co." (http://modulus-uk.biz/), and "Global Austrian Syndicate" (http://gas-limited.org/html/index.php?sect_id=5). We've seen all these names before, although the associated domains keep changing.

What's worth noting is the striking similarities between these three scams, as well as the differences between different spams for the same entity, which makes all three look like the work of a common scammer/gang. The "Global Austrian Syndicate" spams, for example, sometimes use an image instead of text, but sometimes use plain text. In a recent instance where they used an image for the body, they also used a bunch of meaningless "filter-buster" text: "best from do you but very good why" and so on. This same pattern of filter-buster was used a little while before that in a "Swiss Invest, Ltd" spam.

Other similarities include the style of the image when images are used instead of text, and the use of botnets to host (or proxy-host) the actual website. Lastly, they all want you to act as a "Financial Manager" dealing "with private individuals", and accept direct transfer of funds to your account then forward the money via Western Union or Money Gram after deducting a percentage: 6% for "Swiss Invest, Ltd", 8% for "Global Austrian Syndicate" and "UK Modulus Invest Co". So ultimately it's exactly the same scam in every case: they send you stolen money, and you send them your money. The easily-traced stolen money (and the police force that follows it) is then your problem, not theirs.

2006-07-13

Hijack Alert: talian pensioner dies hoisting flag for final game

Here's another instance of "sensational news" being used as bait to lure people to a website armed and loaded with Web-Attacker, a piece of software designed to compromise computers and place them under the control of another party. The spam itself looks like so.

World-Soccer News

"World-Cup'2006 Germany" scandals and afterparty news!

July 9-10:
Fresh news and more - on World-Soccer News!

Send
This link to your friends!

Note the invitation to mail the link to your friends. Spread the disease, if you please, except that the link there is "world-of-soccer.org" for some reason. Anyhow, the trail is fairly typical for this sort of thing. The "world-of-soccer.biz" (and ".org") website uses frame-wrapping to hold "http://soccer-2006germany.com/". That site in turn starts with a tremendously obfuscated piece of Javascript which ultimately produces a page of soccer-related information.

Unbeknownst to the casual viewer, however, it also loads two invisible frames which incorporate Web-Attacker. One is at http://www.soccer-2006germany.com/go.php, and the other is at http://www.extechweb.com/go.php. These ultimately redirect to Web-Attacker's attack-mode script. The statistics screen for the Web-Attacker instances can be found at http://www.soccer-2006germany.com/cgi-bin/ie0606.cgi and http://www.extechweb.com/cgi-bin/ie0606.cgi, respectively. You'll have to guess the password to do anything useful beyond that point, however.

2006-07-07

Job Scam: Trigon Partners Inc (trigonpartners.net)

The on-going series of job scams currently using the name "Trigon Partners" has performed another domain name switch. Their domain "trigonpartners.com" has been nuked, and now they're using "trigonpartners.net" (registered 30-Jun-2006). Other than that, the scam remains active and the details remain the same.

As often happens, only one of their nameservers was responding to queries. Here's what it said about address records at "trigonpartners.net" when I asked.

; <<>> DiG 9.3.1 <<>> A trigonpartners.net @72.9.103.51
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18924
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;trigonpartners.net.            IN      A

;; ANSWER SECTION:
trigonpartners.net.     1800    IN      A       74.135.163.127
trigonpartners.net.     1800    IN      A       81.184.137.110
trigonpartners.net.     1800    IN      A       172.186.43.167
trigonpartners.net.     1800    IN      A       66.41.110.65
trigonpartners.net.     1800    IN      A       67.164.129.195

;; AUTHORITY SECTION:
trigonpartners.net.     1800    IN      NS      ns1.winter-day.com.
trigonpartners.net.     1800    IN      NS      ns2.winter-day.com.

;; ADDITIONAL SECTION:
ns1.winter-day.com.     1800    IN      A       72.9.103.51
ns2.winter-day.com.     1800    IN      A       154.37.3.12

;; Query time: 407 msec
;; SERVER: 72.9.103.51#53(72.9.103.51)
;; WHEN: Fri Jul  7 05:35:01 2006
;; MSG SIZE  rcvd: 198

2006-07-05

Fraud: ghanaglorymission@yahoo.ca

This one doesn't get posted to the 419 files, because it's not advance fee fraud. Rather, it's just a bogus charity, or at least it's safe to assume so. It tends to be the career crooks who are well-versed in the art of spamming, after all.

Oh, and if Yahoo!'s spam filtering is so darn good, then why can't they use it to prevent outgoing spam, hmm?

Dear brothers and sisters in the lord Jesus Christ, Ghana glory mission cordially invite you for the building of our Lords house in area of OSU in Ghana which worth of $4ooooo. Brethren come let contribute to the lord, so that we can win many souls for Christ Jesus in area of OSU and environs which were full of calamities, sexual immoralities, smoking of cocaine worshiping of ideal etc.
Matthew 4. 1 - 22: Jesus said to they come with me, and I will teach you to catch Men. Brethren read this quotation
Matthew. 16 .18, 1 peter 2. 4-10, Matthew
Brothers and sisters people of OSU in Ghana are in darkness, help by contacting us.
 
Telephone: 00233246314149
Email: ghanaglorymission@yahoo.ca
 
Prayer for every child of God that receive it, that the lord message may continue to spread rapidly and be receive with Honour as it was among you and pray also that God will rescue us from wicked and evil people, for not everyone believe the message. But the lord is faithful and he will strengthen you and keep you safe from the evil ones And we are sure that you are doing and will continue to do what we tell you, may he lead you into a greater position and understand of Gods love and the endurance that is given by Christ Jesus. ( 2 thessalonians 3:5 )
Thank you and God bless you for your concern
 


Be smarter than spam. See how smart SpamGuard is at giving junk email the boot with the All-new Yahoo! Mail

Job Scam: Trigon Partners Inc (trigonpartners.com)

I note in passing that there is a new name being used in an on-going string of employment scams, seemingly run by the same person or people. We've had such previous identities as "Adams Green", "Global Austrian Syndicate", and "Swiss Invest"; now we have "Trigon Partners Inc" with domain name "trigonpartners.com" (registered on 30-Jun-2006 for one year). The spam contained text as an image, and linked to http://trigonpartners.com/vacancies_form.html. I've attached a screenshot of that site as it appeared when I browsed it a short while ago.

As per the usual, the website is hosted on (or behind) a botnet. The nameservers for the domain are currently 72.9.103.51 and 154.37.3.12, of which only the former responded to my queries. I actually did two queries for "A" records at "trigonpartners.com" with slightly different results. The second result was as follows.

; <<>> DiG 9.3.1 <<>> A trigonpartners.com @72.9.103.51
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24045
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;trigonpartners.com.            IN      A

;; ANSWER SECTION:
trigonpartners.com.     1800    IN      A       68.116.254.150
trigonpartners.com.     1800    IN      A       74.135.163.127
trigonpartners.com.     1800    IN      A       172.204.41.101
trigonpartners.com.     1800    IN      A       24.99.224.131
trigonpartners.com.     1800    IN      A       66.41.110.65

;; AUTHORITY SECTION:
trigonpartners.com.     1800    IN      NS      ns1.winter-day.com.
trigonpartners.com.     1800    IN      NS      ns2.winter-day.com.

;; ADDITIONAL SECTION:
ns1.winter-day.com.     1800    IN      A       72.9.103.51
ns2.winter-day.com.     1800    IN      A       154.37.3.12

;; Query time: 412 msec
;; SERVER: 72.9.103.51#53(72.9.103.51)
;; WHEN: Wed Jul  5 15:48:16 2006
;; MSG SIZE  rcvd: 195

The first query response was different in that it included 81.184.137.110 instead of 74.135.163.127. This is fairly typical for a botnet: the "time to live" values are set at 1800 seconds (30 minutes) so that the records can be adjusted rapidly, compensating for computers in the botnet being turned off and on unpredictably.
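To make those indicators concrete, here is an added example (my code, not the blog's) that parses dig output in the format quoted above and flags the botnet-hosting signs the post relies on: a short TTL, five A records scattered across unrelated netblocks, and churn between two snapshots. The second-query output is the one quoted above; the first-query snapshot is reconstructed from the remark that it differed by one address, and the thresholds are my own assumptions.

```python
"""Fast-flux indicators from dig output (added example, not the blog's code)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One resource record line as dig prints it, e.g.
# "trigonpartners.com.     1800    IN      A       68.116.254.150"
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")

# Second query response for trigonpartners.com as quoted in the post.
DIG_SECOND = """\
; <<>> DiG 9.3.1 <<>> A trigonpartners.com @72.9.103.51
;; QUESTION SECTION:
;trigonpartners.com.            IN      A

;; ANSWER SECTION:
trigonpartners.com.     1800    IN      A       68.116.254.150
trigonpartners.com.     1800    IN      A       74.135.163.127
trigonpartners.com.     1800    IN      A       172.204.41.101
trigonpartners.com.     1800    IN      A       24.99.224.131
trigonpartners.com.     1800    IN      A       66.41.110.65

;; AUTHORITY SECTION:
trigonpartners.com.     1800    IN      NS      ns1.winter-day.com.
trigonpartners.com.     1800    IN      NS      ns2.winter-day.com.

;; ADDITIONAL SECTION:
ns1.winter-day.com.     1800    IN      A       72.9.103.51
ns2.winter-day.com.     1800    IN      A       154.37.3.12
"""

# The post says the first query differed only in listing 81.184.137.110
# instead of 74.135.163.127; this snapshot is reconstructed from that remark.
DIG_FIRST = DIG_SECOND.replace("74.135.163.127", "81.184.137.110")


@dataclass
class DigAnswer:
    name: str = ""
    ttl: Optional[int] = None          # smallest TTL seen on the A records
    addresses: List[str] = field(default_factory=list)
    nameservers: List[str] = field(default_factory=list)


def parse_dig(text: str) -> DigAnswer:
    """Collect the A records (ANSWER) and NS records (AUTHORITY) from dig output."""
    answer = DigAnswer()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";; ") and line.endswith(" SECTION:"):
            section = line[3:-len(" SECTION:")]   # ANSWER, AUTHORITY, ...
            continue
        if not line or line.startswith(";"):
            continue                              # comments and the QUESTION entry
        m = RR_RE.match(line)
        if not m:
            continue
        name, ttl, rtype, rdata = m.groups()
        if section == "ANSWER" and rtype == "A":
            answer.name = name.rstrip(".")
            answer.addresses.append(rdata)
            answer.ttl = int(ttl) if answer.ttl is None else min(answer.ttl, int(ttl))
        elif section == "AUTHORITY" and rtype == "NS":
            answer.nameservers.append(rdata.rstrip("."))
    return answer


def flux_indicators(current: DigAnswer, previous: Optional[DigAnswer] = None,
                    low_ttl: int = 3600) -> dict:
    """Score the signs of botnet ("fast-flux") hosting; thresholds are assumptions."""
    # A legitimate host usually sits in one or two netblocks; a botnet does not.
    nets16 = {str(ipaddress.ip_network(f"{a}/16", strict=False)) for a in current.addresses}
    churn = set(current.addresses) ^ set(previous.addresses) if previous else set()
    flags = {
        "low_ttl": current.ttl is not None and current.ttl <= low_ttl,
        "many_addresses": len(current.addresses) >= 5,
        "scattered": len(nets16) > 1 and len(nets16) == len(current.addresses),
        "churned": bool(churn),
    }
    return {
        "name": current.name,
        "ttl": current.ttl,
        "addresses": list(current.addresses),
        "distinct_slash16": sorted(nets16),
        "churn": sorted(churn),
        "flags": flags,
        "score": sum(flags.values()),   # 0 (nothing odd) to 4 (all signs present)
    }


def main() -> None:
    report = flux_indicators(parse_dig(DIG_SECOND), previous=parse_dig(DIG_FIRST))
    for key, value in report.items():
        print(f"{key}: {value}")


if __name__ == "__main__":
    main()
```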

I'm not going to bother mapping those addresses back to ISPs on this occasion. I just wanted to mention the new name, to give everyone a "heads up". If you want to see the spam image-text as received, it's archived over at Suckers Wanted.

2006-07-04

Info: About Job Scams

Job scams have been around for a while, but they've now reached a level of maturity where I feel I can describe them as a whole, rather than comment on each scam individually. I'll provide that general description here, so if you get a job offer that seems suspicious, you can compare it against my checklist.

The absolute common element of all job scams is the job offer. The job offer may arrive by spam, or it may be posted on a "legitimate" employment website (to the extent that such a website can be called "legitimate" when it fails to check the legitimacy of job ads posted there). Someone wants to offer you a job: typically the job requires no special experience, simple work, and good pay. Job scams are bait on a hook, so expect the job offer to look attractive.

There are, by and large, three possible job scam scenarios: pyramid schemes, advance fee fraud, and mules. I'll now describe the details of each of these scenarios.

Pyramid Schemes

The pyramid scheme job scam has been around on the Internet for quite a while, and it's no longer as common as it once was. These are also known as MMF (for "Make Money Fast") schemes. They're very easy to identify: the email or website pushing the scheme invariably raves on and on about how this may seem impossible but it really works, I didn't believe it but I tried it anyway and now I'm raking in tens of thousands of dollars per month, testimonial, testimonial, rave, rave, hype, hype, and so on.

If you read the thing long enough (there is invariably a LOT of hype to wade through before you hit the actual details), you find that the process involves buying a kit of some sort from this seller (a "marketing kit" is a popular term, or "how to sell on the Internet", or similar). This kit is fundamentally worthless junk, but you make money by on-selling it to others. It's basically a chain letter with a worthless product thrown in the mix to make it look more like a sale.

Key identifying features of a pyramid or MMF scam:

  • Lots of hype about how it really works. Lots of CAPITAL LETTERS and exclamation marks!!!!! IT REALLY WORKS!!!!!
  • Lots of testimonials from people who went from debt-ridden poverty to affluence by using this scheme. Is any of it true? Who can tell?
  • Absolutely insane text sizes, colours, decorations, highlights, fonts, and layout. Every word on the page must SCREAM at you. They're trying to convince you to buy a MONEY TREE here!
  • There is an up-front cost involved. Note well what this up-front cost is, because that's the nature of the business. Anyone who joins will make it their business to obtain this up-front payment from others.

FYI, a contemporary MMF spam can be found at my "Suckers Wanted" blog.

Advance Fee Fraud

Advance fee fraud usually comes in the form of a Nigerian 419 scam or lottery scam, but sometimes employment scams are used. In the advance fee fraud employment scam, you are offered a wonderful well-paid job with little or no experience required. If you apply, you are then short-listed for the job, and they ask you to send personal identification (such as a photocopy of your passport) and fees to pay for certain expenses involved in processing your application. If you willingly pay those fees, then there will be some excuse or another why you have to pay more fees, or pay the same fee again using a different method. Always more and more fees to pay, and no job, ever! The job is just a big lie: it's bait on the hook of advance fee payment.

Key identifying features of an advance fee fraud job scam:

  • Your would-be employers are overseas. This kind of fraud is best carried out across national boundaries, so that police action becomes difficult to arrange.
  • You qualify for the job, but in order to proceed, you need to send us MONEY.
  • Your would-be employers probably want personal details as well. This not only makes them look official, but helps them engage in identity fraud, perhaps obtaining a loan in your name.

For a striking example of this kind of fraud, see the case of Starline Cruise, and also reports relating to fake corporate flight attendant job offers.

Mule Recruitment

And now, to the major issue: mule recruitment. This is possibly the most insidious form of job scam, because it really does look like paid work. There are two major variations on the scam: money mules, usually employed by phishing gangs, and goods mules (also known as reshippers), usually employed by Nigerian scammers. In both of these cases the catch is that the money or goods are stolen, unbeknownst to the mule. Thus the mule is unwittingly dealing in illegal activity.

In the case of a money mule job, the job offer will typically involve "payment processing", "escrow", or a "financial manager" role. The employee is to accept direct deposits into his bank account, and make out payments via a wire service such as Western Union. The inbound payments may also involve some other means, such as payment by cheque, if the recipient lives in a country (such as the USA) in which it's relatively easy to fool someone into accepting a fake cheque. (The cheque appears to "clear", but the bank later reports that the cheque is a fake, and takes the money back out of your account.) Outbound payments, on the other hand, are almost invariably made by Western Union or Money Gram wire transfer services. These are hard to trace, and can't be reversed (unlike direct deposits or cheque payments).

Key identifying features of a money mule job scam:

  • The job offer comes from an overseas company that wants your assistance to do business in your country.
  • The job involves "payment processing" or "escrow": accepting money in one form, then sending it (minus a cut) to your employers via Western Union or Money Gram. This is the key risk, since the incoming payments may be fraudulent or stolen, and are liable to be reversed. Money sent via Western Union, on the other hand, is Gone For Good.

The last variation, that of the goods mule, is less common but just as dangerous. (Thanks go to Snopes for documenting it.) In this case, the employee is a "shipping manager" or similar, and the job involves being a middle-man for purchased goods. The employer arranges for goods to be delivered to the employee, and the employee is responsible for sending these goods back to the employer by bulk freight, usually to Africa, and usually on the pretext that this process saves money over having all the goods shipped individually. It sounds plausible, but the problem is that the goods are usually being obtained fraudulently, such as by credit card fraud. Handling fraudulently obtained goods in large quantities isn't a great career move.

Key identifying features of a goods mule job scam:

  • The job involves receiving goods, and forwarding them somewhere outside your local legal jurisdiction, usually Africa. This is a bad idea, because you're assisting in the transfer of stolen or fraudulently obtained goods.
  • Unlike the other job scams which involve no payment at all, or deduct payment from money handled, this kind of job will be paid in a somewhat traditional manner.

General Tips

General tips for avoiding job scams:

  • Assume that any job offer which arrives by unsolicited email is a direct attempt to defraud you (and thousands of others, no doubt).
  • Beware of jobs that promise great rewards for no special skills: they're bait on a hook.
  • Beware of temptation: promises of money raining down on you, or fast easy bucks, or luxurious work conditions. These are also bait on a hook.
  • Beware of overseas employers. If they're not within reach of your local police force, there's not going to be much you can do if and when they rip you off.
  • Beware of jobs which involve being a middle-man, especially a middle-man between people inside and outside your national boundaries. You'll probably be acting as a buffer zone between the criminals who hired you, and the police who are tracking down their illegal activity.
  • Beware of jobs which involve sending money overseas via Western Union. The modern scam artist prefers to receive money this way, because it's hard to trace and recover. If you're the sucker who made the payment via Western Union, it's likely to be your money that the crook obtains. Payments made to you, on the other hand, will have a distressing habit of being reversed at a later date.

Meta: Job Scam postings moved to new blog

Job scams have been the bread and butter of this blog for a while, but they've become sufficiently "mainstream" that I'm now relocating them to a dedicated blog, "Suckers Wanted". Like the other sub-blogs, this will aim for quantity of reportage over depth of analysis: I will forward as many job scams as I can to the blog, but not comment on them unless they genuinely warrant special attention.

2006-07-03

Job Scam: redefinezim@aol.com

Scams like this seem to be getting more common and simpler. Any job where you are a middle-man leaves you vulnerable if the incoming funds/goods are stolen or fraudulent. Jobs like this just set you up to rip you off.

Hi Ideasymedios!
We are an international escrow company.
Now we are looking for a new partners.


You can earn some money - do not lose this opportunity!


It is easy and completely free for you.


Please contact us for more details: redefinezim@aol.com

Best wishes,
Rosanna Earl
++++++++++++++++++++++++++
Sun, 2 Jul 2006 19:14:11 -0500




bulkhead dahl
celandine arrhenius
cocktail canberra
coach alkaloid bask corcoran
augur coronet

2006-07-02

Info: A New Kind of Money Mule Scam

Here's a new twist on a well-established scam: take note and add it to your list of "behaviour that should make me suspicious". This information is gleaned from a post over at ScamFraudAlert. It's a variation on the "payment processor" job, where you wind up being stung in exactly the same way without ever becoming an "employee". The scam goes something like the following.

  1. Excellent offer on some kind of goods arrives via spam.
  2. Victim is lured to the scammers' website by the offer, and decides to buy something, since the prices are unbeatable. Victim divulges credit card details to the fraudsters at this time: this is bad move #1, but there is no immediate fraud on the card.
  3. Fraudster contacts victim saying that the credit card payment system is down, and they aren't sure whether the payment went through or not, but offers a refund just to be sure. This refund is actually stolen money, transferred out of a compromised third party Internet banking account. Victim does not know this and accepts the refund, thinking that this is first-rate service.
  4. Fraudster then suggests to victim that some other means of payment might be better, such as Western Union. You all saw that coming, didn't you? The fraudster offers to deduct the cost of the money transfer from the transaction, so the victim feels like he's not paying any extra.
  5. After a while there is no sign of the goods arriving, but the bank does notice that the funds transferred during step #3 were stolen. They reverse the transaction, so the victim is now officially out of pocket. The fraudsters keep whatever money was sent to them via Western Union, and they have the victim's credit card details as a bonus.

Lesson number one in this should be "never, under any circumstances, purchase from someone who advertised to you using spam".

2006-06-29

Job Scam: Global Austrian Syndicate (gas-ltd.info)

The Global Austrian Syndicate job scammers have reincarnated again: at last report, they were "gas-limited.com"; now they're "gas-ltd.info". They've also started sending their spam as plain text! What's up guys? Too many people blocking on image attachments? Whatever the case, the job remains the same: send stolen money overseas via wire transfer service until the police arrest you for it.

At the time of writing, the one nameserver for the domain which was responding (at 207.210.93.181) gave the following answer to an address query.

; <<>> DiG 9.3.1 <<>> A gas-ltd.info @207.210.93.181
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48651
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;gas-ltd.info.                  IN      A

;; ANSWER SECTION:
gas-ltd.info.           1800    IN      A       172.184.3.151
gas-ltd.info.           1800    IN      A       172.210.81.133
gas-ltd.info.           1800    IN      A       213.103.251.238
gas-ltd.info.           1800    IN      A       64.53.175.197
gas-ltd.info.           1800    IN      A       84.58.57.238

;; AUTHORITY SECTION:
gas-ltd.info.           1800    IN      NS      ns2.get-site.com.
gas-ltd.info.           1800    IN      NS      ns1.get-site.com.

;; ADDITIONAL SECTION:
ns1.get-site.com.       1800    IN      A       207.210.93.181
ns2.get-site.com.       1800    IN      A       204.21.41.81

;; Query time: 222 msec
;; SERVER: 207.210.93.181#53(207.210.93.181)
;; WHEN: Thu Jun 29 17:33:40 2006
;; MSG SIZE  rcvd: 190

Reverse DNS lookups on the addresses yield "ACB80397.ipt.aol.com", "ACD25185.ipt.aol.com", "d213-103-251-238.cust.tele2.fr", "d53-64-197-175.nap.wideopenwest.com", and "dslb-084-058-057-238.pools.arcor-ip.net", respectively. Neither of the nameservers yields a reverse DNS name: do your own "whois" lookup if you care.

Spam text is copied below, because it is text this time. By the way, they are lying outright when they say, "Your email was given by 3rd party website www.jobs-in-europe.net on our request". The email address to which this was sent appeared as a contact address on a website some years back, and hasn't been used for any other purpose. It's a spamtrap address now: spammers are the only ones still sending anything to it.

Hello

My  name  is  Francois Veillon I  am  the  manager of a  Human Recourses  department of Global Austrian Syndicate (GAS).
I’d like  to  offer a perfect vacancy for  you. The vacancy  of  a  Financial  manager  working  with  private  individuals.

  Let  me give you  some facts about  our  company first:
    Global  Austrian Syndicate (GAS) was registered back  in  1993.  The primary  focus of  Global  Austrian  Syndicate is international finance services, mainly  through the  Internet  and  other  communicative channels.  The  corporation is  interested  in  working  on the markets of all  countries without  exceptions and sees promotion of  its  services  through the  network of representatives (independent investment consultants) working  as private  individuals or  resident company employees as most  effective.  We also provide  a full range of  financial  services to  companies  and  to individuals  as well.  Additionally, we grant  credits to individuals  and companies on  the  international  level,  and  this list of  our  services  and opportunities is far from being complete.

  So today,  we  are glad to  offer you  to:
  - become  a  part of  our  company
    -  join  a team of highly  qualified specialists
- get  a prestigious part  time job
  - earn a real fortune

The main  advantages  of working as  a  Financial manager  dealing with private individuals are:

    -  You  don’t need any experience  or specific  knowledge
    -  You don’t need to  make  any advance payments
  -  This job  won’t take much of your  time.

  Your  range of duties will include:
- Receiving  payments  for the ordered stocks and bonds  from  the Global  Austrian  Syndicate  clients  (private individuals) to your bank  account
-  Withdrawing the funds and  transferring  them  further to our brokers  in one of  the countries  where the  desirable stocks  and  bonds  should  be  bought

The  transfer should  be  done  by the means of Western Union  or  Money Gram services  to fasten  the  process  of the  delivery of  the  funds.
Your SALARY  is  8%  commission  out  of  every  deposit  that you receive  to  your bank  account.

If you are  interested in  this job and would like to  get more information,  you  are welcome to  visit our website:

  http://gas-ltd.info/html/index.php?sect_id=5

  Or  you can just  write an  email to us,  and our managers  will  give a prompt  and  competent  reply.

  We  are  looking forward  to  working  with  you!
Your  email was  given by 3rd party website www.jobs-in-europe.net on  our request, as  you or someone  else subscribed  to  a job opportunities newsletter.
    I apologize if this  email reached you  by  mistake.  In  that  case,  please be so  kind to  delete  it.

    Yours faithfully Francois Veillon

2006-06-28

Job Scam: job-alert.net

Why settle for a single job scam when you can set up an entire website for recruiting willing suckers? The spammers who have just registered "job-alert.net" (on 22-Jun-2006) and spamvertised it -- directly to the contact address for this blog, no less -- were probably thinking along those lines. The same spammers also appear to be using the domain "jobalertsvc-vac.com" (registered 26-Apr-2006), since all the "job-alert.net" website does at the moment is frame-wrap the "jobalertsvc-vac.com" site. There is also mention of "jalert.net" (registered 07-Jun-2006) on the page, but that domain is not currently resolving to any address or other useful record.

I don't know what specific jobs these guys are offering, but I'll wager my pound to your penny they're the sort that gets the worker on the wrong side of the law. But hey -- they're offering free tee-shirts!

Sir\Madam,

www.Job-Alert.Net - is a mail based recruitment business. It offers employers a genuine recruitment function that combines the candidate capture function and the human resources function of a recruitment agency. You just need to fill in a form and our representatives in your country will send you an e-mail when a position that interests you becomes available.

All operations are made manually, in order not to bore you with automated robot-search results. So, take your time to enter correct and detailed information about yourself.

Process is divided into steps. You can proceed with the first step by providing us with necessary information:
Job Alert First-step registration form here.
You will get your personal instructions for the last two steps by e-mail, as soon as possible.

Futhermore, everyone will get a FREE T-shirt of any size with Job-Alert.net logo and your Initials printed on it! We assure you, that every person who will find a job with our help will receive FREE Job-Alert.net T-shirt.

Thank you for your time.
Job-Alert.Net Team.

2006-06-27

Job Scam: job@easternbridge.info

This is just a repeat of an earlier job scam spam with new contact details.

From: dodie flynn <terryhoskins@speedingbits.com>
Date: 27-Jun-2006 18:07
Subject: Open Vacancy
To: isabelle ramsey <ideceive@gmail.com>
 
 
 How many times did you think of giving up your
 permanent job and join another "good looking"
 work-at-home scheme? And how many of them were
 successful? Did you earn more than $5000 a month with
 them? NO? Then you have an opportunity right now and
 right here!
 
 We made it possible for you to get a real part-time
 job in a world of transportation business and control
 your income on your own! We will never ask you about
 your credit rating and never put any inquiries to your
 credit profile. This is business of partners, we don't
 take, we give you this opportunity
 
 You can become our Representative and take part in a
 stunning world of financial operations. No more
 up-front costs or tricks. A steady income is just a
 click away! The best thing it all depends on you.
 
 Being a long-established solid corporation we
 understand how important it is to provide our customers
 the best possibilities and support. We always try our
 best to be cooperative and customer-friendly, you can
 call or email us any time and ask a question if
 something is not clear.
 
 Get involved in a great transportation business, and
 start making money in just a few clicks. You will make
 a fixed amount ($30) out of every shipped product. The
 usual product quantity range from 10 to 100 packages a
 month. This is not a dream, you enter a serious market!
 A unique opportunity where your income depends on you!
 
 More information \ apply \ send your resumes to: job@easternbridge.info
 
 bird bolt arc transmitter gutta sundik
 flower-shaped Chaldee church seat board
 well-aware shot effect pleasure principle
 well-gathered Indo-malaysian donkey puncher
 apple mint apron conveyer fleecy-white
 call-down ward hill self-complacential
 yerba reuma accretion cutting sword blade
 brick archer tree-goddess best-principled

2006-06-26

Job Scam: Global Austrian Syndicate (gas-limited.com)

The "Global Austrian Syndicate" crooks are at it again. They've done the same thing before with gas-ltd.biz and gas-ltd.cn, and recently they wore a different hat with adamsgreen.org. Those domains have all been neutered, so this time they're back with "gas-limited.com". Specifically, this spam links to http://gas-limited.com/html/index.php?sect_id=5.

At the time of writing, the one nameserver for the domain which was responding (at 207.210.93.181) gave the following answer to an address query.

; <<>> DiG 9.3.1 <<>> A gas-limited.com @207.210.93.181
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56905
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;gas-limited.com.               IN      A

;; ANSWER SECTION:
gas-limited.com.        1800    IN      A       70.239.73.247
gas-limited.com.        1800    IN      A       81.101.95.9
gas-limited.com.        1800    IN      A       201.151.39.83
gas-limited.com.        1800    IN      A       24.12.203.230
gas-limited.com.        1800    IN      A       69.81.155.153

;; AUTHORITY SECTION:
gas-limited.com.        1800    IN      NS      ns2.get-site.com.
gas-limited.com.        1800    IN      NS      ns1.get-site.com.

;; ADDITIONAL SECTION:
ns1.get-site.com.       1800    IN      A       207.210.93.181
ns2.get-site.com.       1800    IN      A       204.21.41.81

;; Query time: 222 msec
;; SERVER: 207.210.93.181#53(207.210.93.181)
;; WHEN: Tue Jun 27 04:36:58 2006
;; MSG SIZE  rcvd: 190

I'm leaving it as an exercise to the reader to determine whether the addresses returned in this query are customer systems on broadband networks, as has been the case in times past. (Hint: yes, they are.)

2006-06-24

Job Scam: Adams Green, Inc. (adamsgreen.org)

From the scumbags who brought you Global Austrian Syndicate (twice) and Swiss Invest before it, it is iDeceive's dubious honour to present "Adams Green, Inc." The scam is the same: only the names have been changed to victimise the innocent. We have the same text-as-image spam, with the same layout, using the same modus operandi. This time the domain is "adamsgreen.org", the contact calls himself "Andrew Thomson", and "there are 5 openings for a representative to assist in creation our virtual local presence for the back office functions."

According to "whois" records, the domain "adamsgreen.org" was registered for one year on 21-Jun-2006. The nameservers for the domain are currently 72.232.71.90 (network space of Layered Technologies, Inc. -- they're popular with these spammers), and 154.37.3.12 (network space of Performance Systems International). Both these providers have prominent abuse-reporting addresses, and I'll notify them immediately.

At the time of investigation, "adamsgreen.org" resolves to the following addresses (and reverse name lookups): 74.131.72.24 (DHCP-74-131-72-24.insightbb.com), 69.62.158.34 (34.158-62-69.ftth.swbr.surewest.net), 69.203.157.76 (cpe-69-203-157-76.si.res.rr.com), 71.56.93.164 (c-71-56-93-164.hsd1.ga.comcast.net), and 71.57.30.8 (no rDNS; whois says Comcast Cable Communications Holdings, Inc ILLINOIS). Once again, these all look like ISP broadband customer addresses, thus suggesting the use of compromised PCs in private homes and businesses. Also, the time-to-live value on the DNS records is set to thirty minutes, so the addresses can be updated fairly rapidly if needs be.
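The two dig answers above (gas-ltd.info and gas-limited.com) and the adamsgreen.org lookups all show the same pattern: a handful of A records with a short TTL, spread over unrelated networks, whose reverse names look like ISP broadband customer pools. The following is an added example, not code from this blog, that turns that observation into a repeatable check: it parses the answer section of a dig run, and scores a domain on TTL, address count, network dispersion, and whether the PTR names look residential (pool-style tokens, or the address embedded in the name, including AOL's eight-hex-digit form where ACB80397 is 172.184.3.151). The sample data is copied from the page's own dig output and reverse-lookup notes, plus one constructed "ordinary hosting" control on a TEST-NET address; the token list and the thresholds are my assumptions, and a high score is a reason to look harder, not proof of anything.

```python
import ipaddress
import re

# Answer/authority sections of the dig run shown on this page for gas-ltd.info.
DIG_GAS_LTD_INFO = """\
;; ANSWER SECTION:
gas-ltd.info.           1800    IN      A       172.184.3.151
gas-ltd.info.           1800    IN      A       172.210.81.133
gas-ltd.info.           1800    IN      A       213.103.251.238
gas-ltd.info.           1800    IN      A       64.53.175.197
gas-ltd.info.           1800    IN      A       84.58.57.238

;; AUTHORITY SECTION:
gas-ltd.info.           1800    IN      NS      ns2.get-site.com.
gas-ltd.info.           1800    IN      NS      ns1.get-site.com.
"""

# Reverse names reported on this page for those addresses.
GAS_LTD_INFO_RDNS = {
    "172.184.3.151": "ACB80397.ipt.aol.com",
    "172.210.81.133": "ACD25185.ipt.aol.com",
    "213.103.251.238": "d213-103-251-238.cust.tele2.fr",
    "64.53.175.197": "d53-64-197-175.nap.wideopenwest.com",
    "84.58.57.238": "dslb-084-058-057-238.pools.arcor-ip.net",
}

# Addresses, reverse names and the thirty-minute TTL from the adamsgreen.org post.
ADAMSGREEN_TTL = 1800
ADAMSGREEN_RDNS = {
    "74.131.72.24": "DHCP-74-131-72-24.insightbb.com",
    "69.62.158.34": "34.158-62-69.ftth.swbr.surewest.net",
    "69.203.157.76": "cpe-69-203-157-76.si.res.rr.com",
    "71.56.93.164": "c-71-56-93-164.hsd1.ga.comcast.net",
    "71.57.30.8": None,  # no rDNS on the page
}

# Constructed control: one address, long TTL, hostname-style PTR (placeholder values).
ORDINARY_TTL = 86400
ORDINARY_RDNS = {"203.0.113.10": "web1.example.net"}

# Fragments common in ISP access-pool PTR names (assumed heuristic list, not exhaustive).
RESIDENTIAL_TOKENS = ("dhcp", "dsl", "cable", "pool", "cust", "cpe", "dyn", "ppp",
                      ".res.", "hsd", "ipt.", "ftth", "broadband", "client")


def parse_a_records(dig_text):
    """Return (lowest TTL, [ip, ...]) for the A records in dig output; ';' comments are skipped."""
    ttls, ips = [], []
    for line in dig_text.splitlines():
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) == 5 and fields[2] == "IN" and fields[3] == "A":
            ttls.append(int(fields[1]))
            ips.append(fields[4])
    return (min(ttls) if ttls else None), ips


def residential_hint(ip, rdns):
    """True when the PTR looks like an access-pool name: it carries a typical pool token,
    or it embeds the address (dashed, zero-padded, or as eight hex digits), or it has
    four numeric groups separated by dots/dashes in any order."""
    if not rdns:
        return False
    name = rdns.lower()
    if any(tok in name for tok in RESIDENTIAL_TOKENS):
        return True
    octets = ip.split(".")
    forms = ("-".join(octets), "-".join(o.zfill(3) for o in octets),
             "".join(f"{int(o):02x}" for o in octets))
    if any(f in name for f in forms):
        return True
    return re.search(r"\d{1,3}[-.]\d{1,3}[-.]\d{1,3}[-.]\d{1,3}", name) is not None


def assess(ttl, ips, rdns_map, ttl_threshold=3600, min_addresses=3):
    """Score the hosting pattern: short TTL, several addresses across unrelated /16s,
    and reverse names that look like broadband customers. Thresholds are assumptions."""
    slash16s = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
    residential = [ip for ip in ips if residential_hint(ip, rdns_map.get(ip))]
    indicators = {
        "short_ttl": ttl is not None and ttl <= ttl_threshold,
        "many_addresses": len(ips) >= min_addresses,
        "dispersed_networks": len(slash16s) >= min_addresses,
        "residential_rdns": bool(residential) and len(residential) * 2 >= len(ips),
    }
    score = sum(indicators.values())
    return {"indicators": indicators, "score": score,
            "residential": residential, "suspicious": score >= 3}


if __name__ == "__main__":
    ttl, ips = parse_a_records(DIG_GAS_LTD_INFO)
    for label, t, addrs, rmap in (
        ("gas-ltd.info", ttl, ips, GAS_LTD_INFO_RDNS),
        ("adamsgreen.org", ADAMSGREEN_TTL, list(ADAMSGREEN_RDNS), ADAMSGREEN_RDNS),
        ("ordinary control", ORDINARY_TTL, list(ORDINARY_RDNS), ORDINARY_RDNS),
    ):
        print(label, assess(t, addrs, rmap))
```

The network-dispersion check uses /16 prefixes as a crude stand-in for "different providers"; with whois or an ASN lookup available, counting distinct origin ASNs is the better measure. Feeding the function live data means running dig for the A records and a PTR query per address, which is exactly what the post above did by hand.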

The spammers have screwed up this message, however: the HTML links to http://www.adamsgreen.org/index-2.html, but the sub-domain "www.adamsgreen.org" doesn't exist! They were supposed to leave off the "www" part. I'm sure they'll rectify their error in the near future when they figure out why it's not working.

Job Scam: job@westbcompany.org

Would you like a short term position handling stolen money and fraudulently acquired goods? Would you like to be asked awkward questions by the police about why you are doing so? Would you like your bank account frozen, and the possibility of facing criminal charges? Yes? Then maybe this job is for you!

How many times did you think of giving up your
permanent job and join another "good looking"
work-at-home scheme? And how many of them were
successful? Did you earn more than $5000 a month with
them? NO? Then you have an opportunity right now and
right here!

We made it possible for you to get a real part-time
job in a world of transportation business and control
your income on your own! We will never ask you about
your credit rating and never put any inquiries to your
credit profile. This is business of partners, we don't
take, we give you this opportunity

You can become our Representative and take part in a
stunning world of financial operations. No more
up-front costs or tricks. A steady income is just a
click away! The best thing it all depends on you.

Being a long-established solid corporation we
understand how important it is to provide our customers
the best possibilities and support. We always try our
best to be cooperative and customer-friendly, you can
call or email us any time and ask a question if
something is not clear.

Get involved in a great transportation business, and
start making money in just a few clicks. You will make
a fixed amount ($30) out of every shipped product. The
usual product quantity range from 10 to 100 packages a
month. This is not a dream, you enter a serious market!
A unique opportunity where your income depends on you!

More information \ apply \ send your resumes to: job@westbcompany.org

self-absorption parlor car two-leaved
stagger grass Post-mishnaic surface tension
cairn terrier safety catch wave top
horn-footed oxyacetylene cutting snap-apple
fencing mask twice-sanctioned re-estimate
self-upbraiding Anti-darwinian cattail millet
two-legged half-numb well-intended
evergreen millet high-density double-branch