Hijack Alert: Monetary prize from Microsoft

At first glance, this looks like a lottery scam, but on closer inspection it appears to be a browser hijack attempt. I haven't been able to determine exactly which security hole this is attempting to exploit, but I think it's reasonable to assume two things: first, that it targets Microsoft Windows, and second, that it's a fairly specific security hole being targeted. This second point is in contrast with most of the hijack attempts I've reported here which use the "Web-Attacker" software and test for a substantial range of exploitable holes.

Those who have the technical skills may care to check it for themselves (assuming it remains online for long enough). For the rest, if you are using Microsoft Windows and you clicked on a link in a spam like this, you should assume that your computer has been compromised and have it disinfected ASAP.

Dear Microsoft Consumer! Within the limits of advertising company Microsoft has played USD 1000000 between the clients. The choice occured in the casual image. On yours e-mail the monetary prize at a rate of USD 52346 has dropped out. To receive it, it is necessary for you to visit ours Resolution Centre and to fill the small form. Please click here to visit the Microsoft Resolution Centre Corporation Microsoft congratulates you on a prize and that you and in the further will use our development hopes.    Microsoft Corporation

Misc: You want a link exchange? I'll give you link exchange!

This is a funny-sad sort of thing. I've just received the following email.

Dear Webmaster,

My name is Robert Williams, and I run the web site Work At Home Business
Website:

http://www.work-at-home-business-website.com/

I recently found your site http://ideceive.blogspot.com and am very
interested in exchanging links. I've gone ahead and posted a link to your
site, on this page:

http://www.work-at-home-business-website.com/linkmachine/resources/resources_advertising_3.html

As you know, reciprocal linking benefits both of us by raising our search
rankings and generating more traffic to both of our sites. Please post a
link to my site as follows:

Title: Work At Home Business Website
URL: http://www.work-at-home-business-website.com/
Description: Working from home is a dream for many but actually going
ahead and starting a home business is very difficult. Let us help!

Once you've posted the link, let me know the URL of the page that it's on,
by entering it in this form:

http://www.work-at-home-business-website.com/linkmachine/resources/link_exchange.php?ua=_ua9&site_index=MjA5ODQzMQ%3D%3D

You can also use that form to make changes to the text of the link to your
site, if you'd like.

Thank you very much,

Robert Williams

Right. Call me suspicious by nature, but I seriously doubt that this "Robert Williams" has ever laid eyes on my humble blog. Instead, there is strong circumstantial evidence to suggest that this is spam generated by ethically dubious "Linkmachine" software. The "premium" edition of this software "finds potential link exchange partner sites" and "searches websites for contact e-mail address". Can you put two and two together?

As for Mr Williams' work-at-home-business-website and his request for a link, I'm going to oblige him, but not quite on the terms he requested.

Sales pitch mode: on.

Working from home is a dream for many, but actually going ahead and starting a home business is very difficult. Furthermore, there are many scammers out there who would like to sell you a short-cut to a simple and profitable work-at-home business. Such people set up vacuous, junky "work at home" websites, and send spam inviting you to join in. They make outlandish claims about the ability to earn a thousand or more dollars a month without any real effort. If this doesn't scream "scam" at you, you should probably increase your daily dose of scepticism.

Sales pitch mode: off.

Bah! Humbug!

Hijack Alert: Dangerous tuna with increased mercury levels on your local market

Here's another spam which is intended to lure the victim to a hostile website armed with Web-Attacker. The modus operandi is identical to that used in the recent "World-Soccer news" attack: the spam contains sensational news, and a link to a website; the website itself is a hastily cobbled-together facade of relevant snippets plagiarised from somewhere or other, heavily obfuscated with Javascript, and includes an IFRAME reference to something that loads Web-Attacker. If you browse this site using a computer that runs Microsoft Windows, you should assume that it has been compromised and have it checked up.

The spam "lure" was as follows (links defanged). Note that the key link is to http://www.protectinnocent.org/register.htm.

We are struggling for the future of our planet, please help us.
Only together we can stand for our nature!

Send a message to the "Environmental Protection Agency and Food and Drug Administration" to improve mercury testing so we can keep tuna safe for our families and for dolphins.

Some of the tuna producers -- particularly in Ecuador and Mexico -- use practices that can hurt or kill dolphins and catch tuna with increased mercury levels.

Sign for it - help yourself and thousands of other lives.

One another way you can help us is to send this letter or the link to our website: http://protectinnocent.org/register.htm- to all people you know.

2006 Help Dolphins

The domain "protectinnocent.org" is a ruse: it was registered on 20-Jul-2006 at 09:57:27 UTC. The domain name configuration for this is unusual, and worth mentioning in passing. There are five nameservers, named "dnsN.name-services.com", where N ranges from 1 to 5. At time of writing, these have the following addresses.

dns1.name-services.com. 3600    IN      A       69.25.142.1
dns2.name-services.com. 3600    IN      A       216.52.184.230
dns3.name-services.com. 3600    IN      A       63.251.92.193
dns4.name-services.com. 3600    IN      A       64.74.96.242
dns5.name-services.com. 3600    IN      A       70.42.37.1

Each of them is reporting SOA serial number 2002050701, so they should all contain identical records, but when queried for "A" records for "www.protectinnocent.org", they respond with five different answers: 69.25.142.3, 216.52.184.240, 63.251.92.195, 64.74.96.243, and 216.52.184.240 respectively. With the exception of the fifth response (which is a repeat of the second), all the address records are close neighbours of their respective nameservers. None of the address records have corresponding PTR entries, but all are ultimately under the control of eNom, which is also the registrar through which "protectinnocent.org" was registered.

I think that all we can learn from this is that eNom uses dodgy DNS tricks to distribute load on their mirrored webservers.

Ultimately "protectinnocent.org" is just a side-show, anyhow. The real "sting" comes from the IFRAME which loads http://www.web12.ws/go.php. That, in turn, is just a "302" redirect to http://www.web12.ws/cgi-bin/ie0606.cgi?homepage, which is a "302" redirect to http://www.web12.ws/demo.php, which is a hideously obfuscated piece of Javascript that expands out to the Web-Attacker "which browser with what exploitable security holes am I running on?" script. From there, other scripts are launched to actually exploit whatever security holes are available, if any.

It will come as no surprise that "web12.ws" was also registered through eNom, on 2006-07-21 08:47:45. The address for "www.web12.ws" is currently 66.36.231.123, which doesn't have a PTR record, and WHOIS reports as allocated to HopOne Internet Corp.

I have to admit that the technique used by the culprits here is pretty sly. If I complain to HopOne that they are sheltering a Web-Attacker user, they might close down the account. (In my stern opinion, they should be pro-active enough about detecting this sort of abuse that I shouldn't need to complain, but the operators of such businesses tend to be concerned with profits, not the general welfare of mankind.) Should the account be closed, however, the culprits can simply adjust their "protectinnocent.org" site to just wrap another target -- one which may already be set up and ready to go.

It's probably more effective to complain about the "protectinnocent.org" site itself, since the closure of that domain name would result in the need for a fresh spam run. Persuading a registrar that a domain name is being used maliciously is no simple task, unfortunately. Even so, eNom seem to have a decent web-interface for submitting such complaints, so I've done my duty.

Job Scam: riverpartners.net

The rats behind the "River Partners" job scam have switched domains from "river-partners.net" (documented earlier) to "riverpartners.net". See a spam sample (or two) at Suckers Wanted. As usual, only one of the nameservers is respondong to requests. The results of the query can be seen below for reference, bearing in mind that the very small "time to live" values mean that this data will become obsolete rapidly.

; <<>> DiG 9.3.1 <<>> A riverpartners.net @66.109.17.68
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50463
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;riverpartners.net.             IN      A

;; ANSWER SECTION:
riverpartners.net.      1800    IN      A       24.99.224.131
riverpartners.net.      1800    IN      A       70.240.216.34
riverpartners.net.      1800    IN      A       71.64.201.226
riverpartners.net.      1800    IN      A       74.135.163.127
riverpartners.net.      1800    IN      A       89.55.168.153

;; AUTHORITY SECTION:
riverpartners.net.      1800    IN      NS      ns1.serv-names.com.
riverpartners.net.      1800    IN      NS      ns2.serv-names.com.

;; ADDITIONAL SECTION:
ns1.serv-names.com.     1800    IN      A       66.109.17.68
ns2.serv-names.com.     1800    IN      A       72.9.1.151

;; Query time: 243 msec
;; SERVER: 66.109.17.68#53(66.109.17.68)
;; WHEN: Sat Jul 22 08:02:56 2006
;; MSG SIZE  rcvd: 197

Phish of the Day: Fifth Third Bank

This is another phish which appears to be sent by the employment scam rats. The actual link is to http://www.53.com.wps.portal.secure.belyhw.info/r1/context/. Note that the domain "belyhw.info" was registered 20-Jul-2006 13:10:44 UTC (less than 24 hours ago at the time of writing).

Phish of the Day: Suncorp

This phish links to http://suncorpmetway.com.au.korinc.org/r1/doconfirm/ (note that it's a subdomain of "korinc.org") and uses the same filter-buster as the phish reported immediately prior to this one. The overlap in the domain name used for the phish ("korinc.org") proves beyond reasonable doubt that the same scammers are behind these phishing attacks.

Phish of the Day: Macquarie Bank

I don't usually bother reporting phish, but this one appears to be from the same rats that are bringing us the current spate of employment scams. The image in the spam is a link to http://www.macquarie.com.au.retail.customercare.korinc.org/r1/conf/ (note that it's a subdomain of "korinc.org", registered 17-Jul-2006 19:29:25 UTC). The aspect which suggests a tie back to the employment scam rats is the pattern of filter-buster text used in conjunction with the image: "are but, how best you, very good best why of" and so on. This is the same pattern as reported earlier for various job scams.

In case you're not familiar with why these would be sent by the same gang, the scam goes like this. The rats gain access to various online bank accounts by sending out phishing spam. Then they send out employment spam which involves other parties acting as "payment processors". Using their ill-gotten access to online bank accounts, they transfer money from the phishing victims to the employment scam victims. The employment scam victims then forward the money via Western Union or Money Gram, and the rats have their profit. Meanwhile, the phishing victim finds that his money has gone to the employment scam victim, and they get to argue over who gets their money back.

Job Scam: river-partners.net

A new name has turned up today in the ongoing magical morphing job scam series. This one calls itself "River Partners Inc", and currently uses the domain name "river-partners.net", but River Partners bears a striking similarity to Trigon Partners. Could it be the same rat behind the curtain again? Why wouldn't it be? The spam text is archived at Suckers Wanted.

Here's the DNS information about "river-partners.net" at this time. As is typical for these guys, only one of their nameservers was responding to queries.

; <<>> DiG 9.3.1 <<>> A river-partners.net @66.109.17.68
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56760
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;river-partners.net.            IN      A

;; ANSWER SECTION:
river-partners.net.     1800    IN      A       69.243.77.246
river-partners.net.     1800    IN      A       82.49.125.97
river-partners.net.     1800    IN      A       82.237.121.9
river-partners.net.     1800    IN      A       24.99.224.131
river-partners.net.     1800    IN      A       65.184.136.225

;; AUTHORITY SECTION:
river-partners.net.     1800    IN      NS      ns1.serv-names.com.
river-partners.net.     1800    IN      NS      ns2.serv-names.com.

;; ADDITIONAL SECTION:
ns1.serv-names.com.     1800    IN      A       66.109.17.68
ns2.serv-names.com.     1800    IN      A       72.9.1.151

;; Query time: 231 msec
;; SERVER: 66.109.17.68#53(66.109.17.68)
;; WHEN: Thu Jul 20 02:52:11 2006
;; MSG SIZE  rcvd: 198

If anyone has corresponded with these scammers, please forward it to me or post it here so that I can aggregate the information.

Job Scam: Several, but the same rat behind the curtain

Oh dear, the job scams are coming thick and fast at the moment. In the past six hours or thereabouts, I've received employment offers from "Swiss Invest, Ltd" (http://swiss-invest-ltd.biz/html/index.php?sect_id=6), "UK Modulus Invest Co." (http://modulus-uk.biz/), and "Global Austrian Syndicate" (http://gas-limited.org/html/index.php?sect_id=5). We've seen all these names before, although the associated domains keep changing.

What's worth noting is the striking similarities between these three scams, as well as the differences between different spams for the same entity, which makes all three look like the work of a common scammer/gang. The "Global Austrian Syndicate" spams, for example, sometimes use an image instead of text, but sometimes use plain text. In a recent instance where they used an image for the body, they also used a bunch of meaningless "filter-buster" text: "best from do you but very good why" and so on. This same pattern of filter-buster was used a little while before that in a "Swiss Invest, Ltd" spam.

Other similarities include the style of the image when images are used instead of text, and the use of botnets to host (or proxy-host) the actual website. Lastly, they all want you to act as a "Financial Manager" dealing "with private individuals", and accept direct transfer of funds to your account then forward the money via Western Union or Money Gram after deducting a percentage: 6% for "Swiss Invest, Ltd", 8% for "Global Austrian Syndicate" and "UK Modulus Invest Co". So ultimately it's exactly the same scam in every case: they send you stolen money, and you send them your money. The easily-traced stolen money (and the police force that follows it) is then your problem, not theirs.

Hijack Alert: talian pensioner dies hoisting flag for final game

Here's another instance of "sensational news" being used as bait to lure people to a website armed and loaded with Web-Attacker, a piece of software designed to compromise computers and place them under the control of another party. The spam itself looks like so.

World-Soccer News

"World-Cup'2006 Germany" scandals and afterparty news!

July 9-10:

• Italy lift Cup, bitter end for Zidane

Italy lifted the World Cup for the fourth time on Sunday, beating France on penalties in a match that will be remembered for Zinedine Zidane's sending off for butting an opponent..

• Italian pensioner dies hoisting flag for final

A 77-year-old Italian pensioner fell off a ladder and died as he tried to attach Italy's flag to a pole ahead of Sunday's World Cup final against France...

• Italy welcomes diversion of Azzurri glory

Hundreds of thousands of Italians gathered on Monday in Circus Maximus, one of ancient Rome's most famous stadiums, to fete their...

• Wor ld-Cup reaches climax with Italy-France final

The world's most-watched sporting event reaches its climax on Sunday when Italy take on France in the World Cup final in Berlin.

Fresh news and more - on World-Soccer News!

Send
This link to your friends!

© 2006 World-Soccer

Note the invitation to mail the link to your friends. Spread the disease, if you please, except that the link there is "world-of-soccer.org" for some reason. Anyhow, the trail is fairly typical for this sort of thing. The "world-of-soccer.biz" (and ".org") website uses frame-wrapping to hold "http://soccer-2006germany.com/". That site in turn starts with a tremendously obfuscated piece of Javascript which ultimately produces a page of soccer-related information.

Unbeknownst to the casual viewer, however, it also loads two invisible frames which incorporate Web-Attacker. One is at http://www.soccer-2006germany.com/go.php, and the other is at http://www.extechweb.com/go.php. These ultimately redirect to Web-Attacker's attack-mode script. The statistics screen for the Web-Attacker instances can be found at http://www.soccer-2006germany.com/cgi-bin/ie0606.cgi and http://www.extechweb.com/cgi-bin/ie0606.cgi, respectively. You'll have to guess the password to do anything useful beyond that point, however.

Job Scam: Trigon Partners Inc (trigonpartners.net)

The on-going series of job scams currently using the name "Trigon Partners" has performed another domain name switch. Their domain "trigonpartners.com" has been nuked, and now they're using "trigonpartners.net" (registered 30-Jun-2006). Other than that, the scam remains active and the details remain the same.

As often happens, only one of their nameservers was responding to queries. Here's what it said about address records at "trigonpartners.net" when I asked.

; <<>> DiG 9.3.1 <<>> A trigonpartners.net @72.9.103.51
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18924
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;trigonpartners.net.            IN      A

;; ANSWER SECTION:
trigonpartners.net.     1800    IN      A       74.135.163.127
trigonpartners.net.     1800    IN      A       81.184.137.110
trigonpartners.net.     1800    IN      A       172.186.43.167
trigonpartners.net.     1800    IN      A       66.41.110.65
trigonpartners.net.     1800    IN      A       67.164.129.195

;; AUTHORITY SECTION:
trigonpartners.net.     1800    IN      NS      ns1.winter-day.com.
trigonpartners.net.     1800    IN      NS      ns2.winter-day.com.

;; ADDITIONAL SECTION:
ns1.winter-day.com.     1800    IN      A       72.9.103.51
ns2.winter-day.com.     1800    IN      A       154.37.3.12

;; Query time: 407 msec
;; SERVER: 72.9.103.51#53(72.9.103.51)
;; WHEN: Fri Jul  7 05:35:01 2006
;; MSG SIZE  rcvd: 198

Fraud: ghanaglorymission@yahoo.ca

This one doesn't get posted to the 419 files, because it's not advance fee fraud. Rather, it's just a bogus charity, or safe to assume so. It tends to be the career crooks who are well-versed in the art of spamming, after all.

Oh, and if Yahoo!'s spam filtering is so darn good, then why can't they use it to prevent outgoing spam, hmm?

Dear brothers and sisters in the lord Jesus Christ, Ghana glory mission cordially invite you for the building of our Lords house in area of OSU in Ghana which worth of $4ooooo. Brethren come let contribute to the lord, so that we can win many souls for Christ Jesus in area of OSU and environs which were full of calamities, sexual immoralities, smoking of  cocaine worshiping of ideal etc.                                                                                                                                                                    ;                                                                                                                                              

Matthew 4. 1 � 22: Jesus said to they come with me, and I will teach you to catch Men. Brethren read this quotation

Matthew. 16 .18, 1 peter 2. 4-10, Matthew

Brothers and sisters people of OSU in Ghana are in darkness, help by contacting us.

 

Telephone: 00233246314149

Email: ghanaglorymission@yahoo.ca

 

Prayer for every child of God that receive it, that the lord message may continue to spread rapidly and be receive with Honour as it was among you and pray also that God will rescue us from wicked and evil people, for not everyone believe the message. But the lord is faithful and he will strengthen you and keep you safe from the evil ones And we are sure that you are doing and will continue to do what we tell you, may he lead you into a greater position and understand of Gods love and the endurance that is given by Christ Jesus. ( 2 thessalonians 3:5 )

Thank you and God bless you for your concern

 

---

Be smarter than spam. See how smart SpamGuard is at giving junk email the boot with the All-new Yahoo! Mail

Job Scam: Trigon Partners Inc (trigonpartners.com)

I note in passing that there is a new name being used in an on-going string of employment scams, seemingly run by the same person or people. We've had such previous identities as "Adams Green", "Global Austrian Syndicate", and "Swiss Invest"; now we have "Trigon Partners Inc" with domain name "trigonpartners.com" (registered on 30-Jun-2006 for one year). The spam contained text as an image, and linked to http://trigonpartners.com/vacancies_form.html. I've attached a screenshot of that site as it appeared when I browsed it a short while ago.

As per the usual, the website is hosted on (or behind) a botnet. The nameservers for the domain are currently 72.9.103.51 and 154.37.3.12, of which only the former responded to my queries. I actually did two queries for "A" records at "trigonpartners.com" with slightly different results. The second result was as follows.

; <<>> DiG 9.3.1 <<>> A trigonpartners.com @72.9.103.51
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24045
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;trigonpartners.com.            IN      A

;; ANSWER SECTION:
trigonpartners.com.     1800    IN      A       68.116.254.150
trigonpartners.com.     1800    IN      A       74.135.163.127
trigonpartners.com.     1800    IN      A       172.204.41.101
trigonpartners.com.     1800    IN      A       24.99.224.131
trigonpartners.com.     1800    IN      A       66.41.110.65

;; AUTHORITY SECTION:
trigonpartners.com.     1800    IN      NS      ns1.winter-day.com.
trigonpartners.com.     1800    IN      NS      ns2.winter-day.com.

;; ADDITIONAL SECTION:
ns1.winter-day.com.     1800    IN      A       72.9.103.51
ns2.winter-day.com.     1800    IN      A       154.37.3.12

;; Query time: 412 msec
;; SERVER: 72.9.103.51#53(72.9.103.51)
;; WHEN: Wed Jul  5 15:48:16 2006
;; MSG SIZE  rcvd: 195

The first query response was different in that it included 81.184.137.110 instead of 74.135.163.127. This is fairly typical for a botnet: the "time to live" values are set at 1800 seconds (30 minutes) so that the records can be adjusted rapidly, compensating for computers in the botnet being turned off and on unpredictably.

I'm not going to bother mapping those addresses back to ISPs on this occasion. I just wanted to mention the new name, to give everyone a "heads up". If you want to see the spam image-text as received, it's archived over at Suckers Wanted.

Info: About Job Scams

Job scams have been around for a while, but they've now reached a level of maturity where I feel I can describe them as a whole, rather than comment on each scam individually. I'll provide that general description here, so if you get a job offer that seems suspicious, you can compare it against my checklist.

The absolute common element of all job scams is the job offer. The job offer may arrive by spam, or it may be posted on a "legitimate" employment website (to the extent that such a website can be called "legitimate" when it fails to check the legitimacy of job ads posted there). Someone wants to offer you a job: typically the job requires no special experience, simple work, and good pay. Job scams are bait on a hook, so expect the job offer to look attractive.

There are, by and large, three possible job scam scenarios: pyramid schemes, advance fee fraud, and mules. I'll now describe the details of each of these scenarios.

Pyramid Schemes

The pyramid scheme job scam has been around on the Internet for quite a while, and they're no longer as common as they once were. These are also known as MMF (for "Make Money Fast") schemes. They're very easy to identify: the email or website pushing the scheme invariably raves on and on about how this may seem impossible but it really works, I didn't believe it but I tried it anyway and now I'm raking in tens of thousands of dollars per month, testimonial, testimonial, rave, rave, hype, hype, and so on.

If you read the thing long enough (there is invariably a LOT of hype to wade through before you hit the actual details), you find that the process involves buying a kit of some sort from this seller (a "marketing kit" is a popular term, or "how to sell on the Internet", or similar). This kit is fundamentally worthless junk, but you make money by on-selling it to others. It's basically a chain letter with a worthless product thrown in the mix to make it look more like a sale.

Key identifying features of a pyramid or MMF scam:

• Lots of hype about how it really works. Lots of CAPITAL LETTERS and exclamation marks!!!!! IT REALLY WORKS!!!!!
• Lots of testimonials from people who went from debt-ridden poverty to affluence by using this scheme. Is any of it true? Who can tell?
• Absolutely insane text sizes, colours, decorations, highlights, fonts, and layout. Every word on the page must SCREAM at you. They're trying to convince you to buy a MONEY TREE here!
• There is an up-front cost involved. Note well what this up-front cost is, because that's the nature of the business. Anyone who joins will make it their business to obtain this up-front payment from others.

FYI, a contemporary MMF spam can be found at my "Suckers Wanted" blog.

Advance Fee Fraud

Advance fee fraud usually comes in the form of a Nigerian 419 scam or lottery scam, but sometimes employment scams are used. In the advance fee fraud employment scam, you are offered a wonderful well-paid job with little or no experience required. If you apply, you are then short-listed for the job, and they ask you to send personal identification (such as a photocopy of your passport) and fees to pay for certain expenses involved in processing your application. If you willingly pay those fees, then there will be some excuse or another why you have to pay more fees, or pay the same fee again using a different method. Always more and more fees to pay, and no job, ever! The job is just a big lie: it's bait on the hook of advance fee payment.

Key identifying features of an advance fee fraud job scam:

• Your would-be employers are overseas. This kind of fraud is best carried out across national boundaries, so that police action becomes difficult to arrange.
• You qualify for the job, but in order to proceed, you need to send us MONEY.
• Your would-be employers probably want personal details as well. This not only makes them look official, but helps them engage in identity fraud, perhaps obtaining a loan in your name.

For a striking example of this kind of fraud, see the case of Starline Cruise, and also reports relating to fake corporate flight attendant job offers.

Mule Recruitment

And now, to the major issue: mule recruitment. This is possibly the most insidious form of job scam, because it really does look like paid work. There are two major variations on the scam: money mules, usually employed by phishing gangs, and goods mules (also known as reshippers), usually employed by Nigerian scammers. In both of these cases the catch is that the money or goods are stolen, unbeknownst to the mule. Thus the mule is unwittingly dealing in illegal activity.

In the case of a money mule job, the job offer will typically involve "payment processing", "escrow", or a "financial manager" role. The employee is to accept direct deposits into his bank account, and make out payments via a wire service such as Western Union. The inbound payments may also involve some other means, such as payment by cheque, if the recipient lives in a country (such as the USA) in which it's relatively easy to fool someone into accepting a fake cheque. (The cheque appears to "clear", but the bank later reports that the cheque is a fake, and takes the money back out of your account.) outbound payments, on the other hand, are almost invariably made by Western Union or Money Gram wire transfer services. These are hard to trace, and can't be reversed (unlike direct deposits or cheque payments).

Key identifying features of a money mule job scam:

• The job offer comes from an overseas company that wants your assistance to do business in your country.
• The job involves "payment processing" or "escrow": accepting money in one form, then sending it (minus a cut) to your employers via Western Union or Money Gram. This is the key risk, since the incoming payments may be fraudulent or stolen, and are liable to be reversed. Money sent via Western Union, on the other hand, is Gone For Good.

The last variation, that of the goods mule, is less common but just as dangerous. (Thanks go to Snopes for documenting it.) In this case, the employee is a "shipping manager" or similar, and the job involves being a middle-man for purchased goods. The employer arranges for goods to be delivered to the employee, and the employee is responsible for sending these goods back to the employer by bulk freight, usually to Africa, and usually on the pretext that this process saves money over having all the goods shipped individually. It sounds plausible, but the problem is that the goods are usually being obtained fraudulently, such as by credit card fraud. Handling fraudulently obtained goods in large quantities isn't a great career move.

Key identifying features of a goods mule job scam:

• The job involves receiving goods, and forwarding them somewhere outside your local legal jurisdiction, usually Africa. This is a bad idea, because you're assisting in the transfer of stolen or fraudulently obtained goods.
• Unlike the other job scams which involve no payment at all, or deduct payment from money handled, this kind of job will be paid in a somewhat traditional manner.

General Tips

General tips for avoiding job scams:

• Assume that any job offer which arrives by unsolicited email is a direct attempt to defraud you (and thousands of others, no doubt).
• Beware of jobs that promise great rewards for no special skills: they're bait on a hook.
• Beware of temptation: promises of money raining down on you, or fast easy bucks, or luxurious work conditions. These are also bait on a hook.
• Beware of overseas employers. If they're not within reach of your local police force, there's not going to be much you can do if and when they rip you off.
• Beware of jobs which involve being a middle-man, especially a middle-man between people inside and outside your national boundaries. You'll probably be acting as a buffer zone between the criminals who hired you, and the police who are tracking down their illegal activity.
• Beware of jobs which involve sending money overseas via Western Union. The modern scam artist prefers to receive money this way, because it's hard to trace and recover. If you're the sucker who made the payment via Western Union, it's likely to be your money that the crook obtains. Payments made to you, on the other hand, will have a distressing habit of being reversed at a later date.

Meta: Job Scam postings moved to new blog

Job scams have been the bread and butter of this blog for a while, but they've become sufficiently "mainstream" that I'm now relocating them to a dedicated blog, "Suckers Wanted". Like the other sub-blogs, this will aim for quantity of reportage over depth of analysis: I will forward as many job scams as I can to the blog, but not comment on them unless they genuinely warrant special attention.

Job Scam: redefinezim@aol.com

Scams like this seem to be getting more common and simple. Any job where you are a middle-man leaves you vulnerable if the incoming funds/goods are stolen or fraudulent. Jobs like this just set you up to rip you off.

Hi Ideasymedios!
We are an international escrow company.
Now we are looking for a new partners.


You can earn some money - do not lose this opportunity!


It is easy and completely free for you.


Please contact us for more details: redefinezim@aol.com

Best wishes,
Rosanna Earl
++++++++++++++++++++++++++
Sun, 2 Jul 2006 19:14:11 -0500




bulkhead dahl
celandine arrhenius
cocktail canberra
coach alkaloid bask corcoran
augur coronet

Info: A New Kind of Money Mule Scam

Here's a new twist on a well-established scam: take note and add it to your list of "behaviour that should make me suspicious". This information is gleaned from a post over at ScamFraudAlert. It's a variation on the "payment processor" job, where you wind up being stung in exactly the same way without ever becoming an "employee". The scam goes something like the following.

1. Excellent offer on some kind of goods arrives via spam.
2. Victim is lured to the scammers website by the offer, and decides to buy something, since the prices are unbeatable. Victim divulges credit card details to the fraudsters at this time: this is bad move #1, but there is no immediate fraud on the card.
3. Fraudster contacts victim saying that the credit card payment system is down, and they aren't sure whether the payment went through or not, but offers a refund just to be sure. This refund is actually stolen money, transferred out of a compromised third party Internet banking account. Victim does not know this and accepts the refund, thinking that this is first-rate service.
4. Fraudster then suggests to victim that some other means of payment might be better, such as Western Union. You all saw that coming, didn't you? The fraudster offers to deduct the cost of the money transfer from the transaction, so the victim feels like he's not paying any extra.
5. After a while there is no sign of the goods arriving, but the bank does notice that the funds transferred during step #3 were stolen. They reverse the transaction, so the victim is now officially out of pocket. The fraudsters keep whatever money was sent to them via Western Union, and they have the victim's credit card details as a bonus.

Lesson number one in this should be "never under any circumstances purchase from someone who adertised to you using spam".