iDeceive

News: FTC (USA) takes action against some "Work at Home" scammers

2010-02-18T14:55:00.002Z

One of the categories of job scam is the one where you are asked to pay a fee to get a work-at-home kit, or some kind of useful information on how to work at home. Any kind of up-front fee or need for a credit card should make you think "likely scam" without further ado. The good news is that some legal action is being taken against these scammers: the FTC has just announced seven new cases being brought against businesses using allegedly deceptive and illegal techniques to sell "job opportunities" of various sorts. You can read the FTC press release, or a nice summary at Sunbelt blog.

Info: Interview with a Nigerian Scammer

2010-02-11T17:30:00.002Z

Scam Detectives are blogging a series of interviews with a Nigerian ex-scammer. This is worthwhile reading for anyone who wants to be informed of the inner workings of the Nigerian scam scene.

News: Qchex shut down by FTC and US courts

2009-02-10T11:19:00.002Z

Good news for a change: one of the major sources of fraudulent cheques (checks) in the USA has been shut down and ordered to hand over their revenues. Qchex offered a service whereby anyone could have cheques printed for any bank account, but the service made no attempt to verify that the person placing the order had any authority to do so. I hope this puts a significant dent in cheque fraud, but it's too much to hope that it will eliminate the problem completely.

Alert: Malware via MMS Spam

2008-11-17T05:46:00.003Z

I don't usually report this kind of thing, but it's hot off the press and at least somewhat novel, so here it is. Some miscreant has just registered the domain name mmswirelessweb.com, and is spamming everyone with notifications that they have received an MMS from someone. This notification uses Verizon Wireless branding, but this is just a rip-off: Verizon is not involved in any way. Clicking on the link will prompt you to install a piece of software that is, of course, malware.

   Domain Name: MMSWIRELESSWEB.COM
   Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
   Whois Server: whois.melbourneit.com
   Referral URL: http://www.melbourneit.com
   Name Server: YNS1.YAHOO.COM
   Name Server: YNS2.YAHOO.COM
   Updated Date: 16-nov-2008
   Creation Date: 16-nov-2008
   Expiration Date: 16-nov-2009

If you have allowed this software to be installed on your computer, you should assume that your computer is badly compromised and disconnect it from the Internet until it can be repaired by an expert.

Phish of the Day: eNom

2008-10-29T04:12:00.001Z

A correspondent forwarded me this phish which is unusual in that it has an unusual target: customers of the registrar eNom. These phishers are looking to hijack other people's domain names for nefarious purposes. Note that the links in the message below do NOT go to eNom. The phisher seems to have a pile of domains in the form "comN2.biz" which he is using to support these phishing sites. So far, I have found com62.biz, com72.biz, com82.biz, and com92.biz. All were registered to someone using the email address alexeyvas@safe-mail.net at around Mon Oct 27 00:45 GMT 2008. All use nameservers in the domain XWHLWWW.COM, which was created on 10-Oct-2008.

I recommend against clicking on any of the following links, since they go to a known hostile site at the time of posting.

---------- Forwarded message ----------

 Dear user, 
 
 On Tue, 28 Oct 2008 XX:XX:XX -0500 we received a third party complaint of invalid domain contact information in the Whois database for this domain Whenever we receive a complaint, we are required by ICANN regulations to initiate an investigation as to whether the contact data displaying in the Whois database is valid data or not. If we find that there is invalid or missing data, we contact both the registrant and the account holder and inform them to update the information. 
   
 The contact information for the domain which displayed in the Whois database was indeed invalid. On Tue, 28 Oct 2008 XX:XX:XX -0500 we sent a notice to you at the admin/tech contact email address and the account email address informing you of invalid data in breach of the domain registration agreement and advising you to update the information or risk cancellation of the domain. The contact information was not updated within the specified period of time and we canceled the domain. The domain has subsequently been purchased by another party. You will need to contact them for any further inquiries regarding the domain. 
   
 PLEASE VERIFY YOUR CONTACT INFORMATION - http://www.enom.com 
 
 If you find any invalid contact information for this domain, please respond to this email with evidence of the specific contact information you have found to be invalid on the Whois record for the domain name. Examples would be a bounced email or returned postal mail. If you have a bounced email, please attach or forward with your reply or in the case of returned postal mail, scan the returned letter and attach to your email reply or please send it to: 
   
 Attn: Domain Services 14455 N Hayden Rd Suite 219 Scottsdale, AZ 85260 
 
 LINK TO CHANGE INFORMATION - http://www.enom.com
 
 Thank you,
 Domain Services
 
 [IncidentID:XXXXX]

Info: Freelance Home Writers

2008-08-14T04:14:00.006Z

I've been asked a few times about whether "Freelance Home Writers" is a scam. My forte is outright fraud and crime rather than "dodgy business", so I'd first like to emphasise that this isn't (as far as I can tell) a front for organised crime.

Having said that, I still wouldn't trust them with a penny of my money. Why's that, you ask? Well, in addition to the informed opinion of an independent party, I note that "Freelance Home Writers" employs a tactic in common use by scammers who want to avoid the ill effects of a bad reputation: the progressive registration of multiple domain names. The image attached to this post is a snapshot of one of several identical "Freelance Home Writers" websites operating under different domain names that have been registered at different times. For example, "freelancehomewriters.com" was registered on 21-Feb-2007, whereas "freelance-home-writers.com" was registered on 29-Aug-2007, and "freelancehomewriters.biz" (which was misconfigured and causing a browser error when I tested it today) was registered on 29-Jan-2008. All of the above were registered using the "WhoisGuard" anonymisation service, so we have no idea who is actually behind this service, or where they are based. Would you trust an anonymous company with no address?

Bear in mind that these guys are selling a product, not offering jobs. They want you to pay to join. Are you going to trust them with your credit card details? Will you have any recourse if their "product" turns out to be worthless? Will you even be able to navigate away from their damn home page without being blocked by pop-up ads? Can you believe their claim on their FAQ page that they have "been online for nearly 6 years now" when the earliest domain name registration is dated 2007?

So, in answer to the question, "is Freelance Home Writers legit or a scam?" my answer is, "I really can't say, but there's plenty of evidence that they can't be trusted!" When you're handing over your credit card information to someone in exchange for a promise of goods or services, trustworthiness is what counts, isn't it? "Scam or legit" frames the question the wrong way: "trustworthy or not" is, I think, a better way to look at it. As fas as I'm concerned, "Freelance Home Writers" operates in a manner that shouts, "I can't be trusted!"

Advance Fee Fraud: Royale Financing Company

2008-07-24T04:26:00.001Z

A correspondent tells me that he has applied for a loan through "Royale Financing Company" at www.royalefinancing.com. This is an advance fee fraud scam: they want you to send them fees up-front via Western Union before they will send you the loan. Sadly, the loan and the whole company are both a big lie: this is just a bunch of fraudsters conning people into sending them money. They will gladly take your money and keep it -- you'll never see a cent back.

Bear in mind that the name "Royale Financing Company" is made up. Scammers make up new names regularly because people like me report the old ones as scams. Don't judge the operation by its name: judge it by what they do. If they want you to send them money to apply for a loan, just assume they're scammers and steer clear of them.

Here are the current registration details for royalefinancing.com, for what they're worth.

   Domain Name: ROYALEFINANCING.COM
   Registrar: ENOM, INC.
   Whois Server: whois.enom.com
   Referral URL: http://www.enom.com
   Name Server: NS1.DOMAINCITYSERVERS.COM
   Name Server: NS2.DOMAINCITYSERVERS.COM
   Updated Date: 01-may-2008
   Creation Date: 01-may-2008
   Expiration Date: 01-may-2009

Alert: Beware Barbara Moratek of the Ivete Foundation

2008-01-11T08:31:00.000Z

Sunbelt Blog is reporting a strange synergy between what appears to be a Nigerian scam variant and malware pushers. They report that there is spam circulating which claims to be from one "Barbara Moratek" of the "Ivete Foundation". The spam itself is relatively innocuous -- it may be a lead-up to some kind of advance fee fraud or cheque forgery scam, but that's all. If you do a Google search for those names, however, you'll get a lot of hits on sites which contain malware in the form of fake audio/video codecs.

Is this conspiracy, or coincidence? It's hard to say, but it's a new development either way, so far as I'm aware.

Scam: Gadgets Ltd UK

2007-12-06T14:07:00.001Z

I haven't checked whether there is a real company operating under this name, but I haven't seen a scam as blatant as this in a while. Nothing subtle here, just send money via Western Union in return for a false promise that you'll receive goods. If anyone has dealt with this clown, please tell us where he wanted the Western Union transfer sent. With a gmail address and a UK +4470 "forward anywhere" number, he could be anywhere in the world, but following the money is always interesting.

---------- Forwarded message ----------
From: Gadgets Ltd UK <gadgets.lmtduk@gmail.com>
Reply-to: gadgets.lmtduk@yahoo.com
Date: 6 Dec 2007
Subject: APPLE iPhone/Sony PS3(60GB)for $600 USD FREE SHIPPING
To:

APPLE iPhone/Sony PS3(60GB)for $600 USD FREE SHIPPING

We are offering The Revolutionary APPLE iPhone 8GB and Sony PS3(60GB) =
$600 USD FREE SHIPPING

SAMPLE PRODUCTS PRICE LIST

Video Games
Playstation 3 ........$300
Nintendo Wii......... $200
Sony PSP......... ....$140
Xbox 360 Platinum.... $140
Xbox 360 Premium..... $120

Apple ipod Nano 4gb....$100
Apple ipod Nano 80gb...$250

GSM PHONES
Nokia 8800 sirocco....$350
Motorola V3i D&G......$250
Nokia N95......... ...$320
Nokia N93......... ...$260
Nokia N93i ...........$280
Nokia N70 ............$160
Nokia N72 ............$175
Nokia N73 ............$250
Nokia N80 ............$200
Nokia N90 ............$200
Nokia N91 ............$200

Sony Ericsson
Sony Ericsson W800i....$200
Sony Ericsson W810i....$225
Sony Ericsson W900i....$250
Sony Ericsson K510i....$105
Sony Ericsson W800i....$150
Sony Ericsson k750i....$165
Sony Ericsson M600.....$302
Sony Ericsson k700.....$100
Sony Ericsson W600.....$156
Sony Ericsson w850.....$230

PDA
Palm Treo 650........$170
Palm Treo 700w.......$250
Palm Treo 750........$240
QTEK 9000 ...........$300
QTEK S110 ...........$250
HTC P3300 ...........$300
HTC P3600 ...........$350
Dell Axim X51V.......$350
i-mate Jam ..........$400
i-mate K-Jam ........$420

All GSM Phones,Brand New,Tri- Band, Simfree ,Unlock and open to all GSM
Networks

world wide with 1 yr warranty and Video Games are also Brand new
with Complete Accessories plus Int'l Warranty .

Our Very Flexible Terms of Trade
Prices are in US Dollars
Payment: Western Union Money Transfer
Delivery :FedEx Express 2-3 days after payment
Warranty : 1 Year Int'l warranty with 90 days return policy with full
refund option.

Thank you and looking forward to your order CONFIRMATION soon.

NOTE : FEEL FREE TO CALL OR REQUEST MORE INFO

John Philips
GADGETS LIMITED (UK) LTD
Registered No. 05881519
THE OLD STABLES, ARUNDEL ROAD,
POLING,ARUNDEL,WEST SUSSEX,BN18 9QA
UNITED KINGDOM
TEL : +447031917966, +447031917369

News: UK Clarifies Cheque Clearance Times

2007-11-29T00:33:00.001Z

This is good news for residents of the UK who have been targeted by cheque forgery scams, which account for a fair slab of the job scams I report at Suckers Wanted. Banks have been quite clear about how soon after depositing a cheque you can draw on it, but they have been rather less clear about how long it takes to fully process the cheque. There is a window in which you can withdraw the funds, but the cheque can still bounce, and this is the window that scammers exploit. Although the window has not been eliminated, new rules make the window small and uniform across banks. If you receive a cheque in the UK and you don't fully trust the source (which you should not, unless you have significant prior experience with it), you should wait seven working days before you act on the payment. If the cheque hasn't bounced in that time, it's the bank's problem for not detecting the issue quickly enough.

These rules come into effect on the first of December.

Advance Fee Fraud: US Green Card Lottery

2007-11-06T03:38:00.001Z

It's that time again: the time when you can apply for consideration in the U.S. Department of State Electronic Diversity Visa Lottery, and also when scammers will pretend that you've won it (see example below) in order to defraud you. It may come as a shock, but I didn't apply for entry to the increasingly-misnamed "land of the free", and I happen to know that " applicants selected in the Diversity Visa random drawing are notified by the Department of State, Kentucky Consular Center by letter, NOT email" [source].

There are a great many variations on this type of green card lottery fraud, but this one is a blatant case of advance fee fraud: they want you to pay a "visa processing fee". I suspect that they are not associated with us-green-card-lottery.org, although I don't think too highly of that site either. If you're going to enter this lottery, do yourself a favour and deal only with the U.S. government directly so that you can clearly tell the scams from the real deal.

---------- Forwarded message ----------
From: us green card lottery service <usgclsa@walla.com>
Subject: The Official U.S Green Card Lottery Program
To:

[image redacted]

The Official U.S Green Card Lottery Program

United States Department of State, National Visa Center

32 Rochester Ave, Portsmouth , NH 03801-2909

www.us-green-card-lottery.org

Case Number: 2007BK21783000

Dear winner.

We wish to notify you that you are among the selected lucky winners of the U.S visa Lottery (Green Card) through our email ballot lottery program held on the 20th of July in Arkansas (USA) The Green Card email ballot lottery program was conducted under the terms of Section 203 of the Immigration and Nationality Act (INA) Section 131 of the Immigration Act of 2006 ( Pub.L.101-649) This is the second edition of the email ballot program and it provides winners "Green Cards"

The aims and objectives of the program is to give free visa's to citizens of developing countries around the world who wishes to travel to U.S and start a new life and work. The green card Lottery is a matter of huge benefits for those who want to try themselves abroad.

Selection

6.3 million Email addresses were randomly extracted during the 33-days extraction period that ran from 12.00 AM on Aug 10, 2007 until midnight, Sep, 9 2007. All extracted email addresses were assigned to different ticket numbers for representation and privacy for final selection through computer draw system and your email address attached to ticket number 56402-188 drew the lucky numbers which subsequently won you the U.S visa and we are sending the winning notification through the selected email addresses which means that, if you receive the notification in your mail box you have been selected among the lucky winners.

Your visa duration is 10 years multiple entries to the U.S, it is renewable upon expiration and it permits you to travel to U.S with your spouse. The visas have been apportioned among six geographic regions with a maximum of seven percent available to persons born in any single country. Our visa processing agents had been apportioned among the six geographic regions.

Visa claim application (step 1)

Your visa winning details falls within our Asia/pacific booklet representative office as indicated in the draw system and we have forwarded your winning details to our Asia/Pacific office for the processing of your Green Card acknowledgement Certificates, therefore, FOR YOUR VISA FORM, REQUIREMENTS AND FURTHER DETAILS, contact our Asia/pacific agent with the below contact details;

Name: Mr. Lewis Taylor.

Ofiice Address: 95 Wireless Road Panthumwam Bangkok Thailand.

Tel: +66- 8-1499-4471

Fax: +66-2251 9977

Email: uscounsular@oued.org

Approximately six hundred and twenty five (625) lucky selected winners had been notified through their selected winning email addresses including you today. All selected lucky winners will need to act on their claims applications quickly before the expiration of the visa claim deadline which is on the (30th Nov 2007)

Advanced Question.

How can I make the claim of my visa?

You will obtain your visa through the U.S Consular officer in your home country or any U.S Embassy nearest to you with your Green Card Acknowledgement Certificates that will be processed and send to you by our Asia/pacific agent. U. S. embassies and consulates will not be able to provide a list of winners until their Green Card acknowledgement certificates are processed with their case numbers and placed on the U.S Immigration Network Database.

Visa Processing Fee.

Single-$755USD

Dual-$1,250USD

What is processing fee?

The processing fee pays for the accuracy preparation of your documents that will enable you to obtain your visa through the U.S Consular officer in your home country or country of your present residence. Green card experts charges a nominal fee to cover administrative and processing costs incurred in conjunction with the careful processing of every document. According to J.Stevenson Wilson, Author of Visa Lottery services Report, the total average fee charged by green card lottery services ($755USD) for one person,there is no correlation between the fee charged and the quality of services provided and its benefits.

Benefits.

Winners will get FREE Airline Ticket to the USA.

people that win this Lottery will get the constant legal status of the US inhabitant, an opportunity of free country entrance and departure, the right to be working in the USA legally and getting American salary. You may have any job in America, whether it is a government, public or private job. A permanent residence visa (as well as American work visa) eases your life. In addition to permanent legal residence Green Card holders also receive health, education, retirement, taxation, social security and other benefits.

Disqualification.

Any selected lucky winner from the following countries will be disqualified;

Mexico-Canada-Haiti-Columbia-Elsalvador-Jamaica-Poland-Peru-Korea-Dominican Republic-Philippines-Vietnam-Russia and United-Kingdom (except Northern Ireland) This is because each has more than 50, 000 candidates in the USA.

Please retain this letter and take it with you to your visa interview centre when directed.

Do not reply back to this notification email (busy)

Please read and follow all the enclosed instructions very carefully.

Sincerely yours,

Mrs. Christine Roberts.

Secretary General U.S Consulate-Kentucky.

Walla! Mail - get your free 5G mail today

Info: A Nigerian Scammer offers his services

2007-10-22T08:28:00.001Z

If you're currently looking for an experienced Nigerian scammer partner in India, then apparently this guy is available. In case you don't know the lingo, "wash wash" is the black money scam. Your guess is as good as mine as to why he thought I'd be interested in a partnership. Maybe he took "ideceive" as a literal "I deceive".

---------- Forwarded message ----------
From: shama uman <sman11k@yahoo.com>
Date: 22 Oct 2007
Subject: ur guy from india
To: ideceive@gmail.com

HELLO
I AM FROM NIGERIA MY NAME IS pascal FROM IMO STATE IN NKWERRE L.G.A NIGERIA AM GUY MAN I HAVE BEEN TO MANY COUNTRIES SOME WERE LIKE ABIDJA ,TOGO, GHANA ,DUBAI, CHINA MALAYSIA NOW IN INDIA I DO ATTEND FACE-TO-FACE EXECUTION WASH WASH, CONSIGNMENT DIPLOMAT LEVELS ALSO TRANSFER.....WE CAN
DO THINGS TOGETHER MY GUY LET WORK OUT MONEY,IF YOU HAVE INDIA JOB AM HERE TO ATTEND IT FOR YOU AND YOU WILL GET YOUR % GUY HERE IS MY CONTACT MOBILE NUMBER +919899227328 OR YOU CAN EMAIL ME ON p_ben2k@yahoo.com MY BEST REARDS,
pascal (ONYEZE)
ONE LOVE
our mode of sharing is 60/40.

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

News: Fake Checks are a Multi-Billion Dollar Business

2007-10-10T16:46:00.000Z

According to a Reuters report, "an international crackdown on Internet financial scams this year has yielded more than $2.1 billion in seized fake checks and 77 arrests in the Netherlands, Nigeria and Canada." This is one of the possible frauds behind the "money mule" job scams I report at Suckers Wanted.

Spam: P.P. Bankcard Services

2007-09-25T18:14:00.001Z

Here's a slightly interesting thing. This is spam, straightforwardly enough: it was sent to my Gmail account, and I have never corresponded with this party, let alone sent mail with the subject to which this is supposed to be a reply. So what's the motive behind the scam? Is it an actual business just trying to drum up custom through spam? More likely it's a kind of phishing, because the scammers are only interested in companies that do at least $300,000 a year in credit card or check sales. If anyone replies to this with an expression of interest, they've just marked their network as worth compromising, and they'll likely receive a reply containing attachments with malicious payloads, designed to leave back doors into the system for these miscreants to use.

---------- Forwarded message ----------
From: John Tucker <bancardoffice@gmail.com>
Date: 26 Sep 2007 04:10
Subject: Re: Phone Call For Merchant Account
To: Owner <ideceive@gmail.com>

Hello this is John Tucker with P.P. Bankcard Services, we help businesses setup, reduce, and clarify credit, debit, check, and atm processing costs. Our company even works with businesses that are considered "high risk" by other Processors.

I'm not sure if it would make sense for a phone appointment at the moment so I sent this email to see if you had any of the following situations:

>> Are you currently seeking to setup processing?

>> Are you currently processing and are dissatisfied with your Processor?

>> Are you receiving bad checks?

>> Are you having issues with Accounts Receivable and aren't receiving payments on time from customers?

>> Or, are you seeking to setup an ATM or receive a higher surcharge income from your ATM Machine?

If you have any of the above situations give me a call at: 1-866-543-6268 to discuss creating a potential solution. You can also send me a fax to: 1-866-553-8246.

*** Very Important, due to the popularity of our company and our programs we can only see businesses who will do at least $300,000 a year in credit card sales or check sales.

(To comply with marketing regulations, if you are fine and would not like to be included in future emails give me a call or send me a email and our office will gladly comply.)

Thanks alot and I look forward to speaking with you.

Sincerely,

John Tucker
Account Manager
P.P. Bankcard Services and Systems
Direct Extension: 1-866-543-6268
Direct Fax: 1-866-553-8246

Job Scam: New money mule variant?

2007-09-07T21:03:00.001Z

Here's a scam I haven't noticed before. Some dodgy West African wants to send you credit card details (stolen, of course) so that you can wire back money (ostensibly to a travel agency -- but we know it's just the scammer himself) via Western Union. Personally, if I were running a Western Union agency, I wouldn't accept payment by credit card -- especially not in "card not present" situations. Does this scam have a snowball's chance in Western Sahara of working?

---------- Forwarded message ----------
From: patrick clerk <patrick_clerks@yahoo.fr>
Date: 8 Sep 2007 01:13
Subject: I AM WAITING FOR YOUR SOONEST ANSWER
To: patrick_clerks@yahoo.fr

Dear Sir,

I am Patrick Clerks, at the time of the marriage of my son, I would like to reserve 2double rooms and your restaurant or club bars for the day of September 20th, 2007.
I intend to regulate by remote credit card.
Then I would like to be in contact with the person in charge of the reservation.
the ammount that i can be able to spend is 10.000 euros which is planned for a cocktail and a dinner (of 18h with 23h).

Thus you will understand that I want the best for my only son that why i will try as much as possible to make this reception to have success.
Also I would like to make a reservation for 10 or may be 20 guests who will come to assist to the weeding of my son because those persons are his best friends and i want this day represent the most important moment in his life.That is the reason why i contact you in order to guarantee with you the success of this weeding.

I will ask you to help me sending a group of 4 persons three days before the weeding day as my representants close to you so that they can work with you and inform me in any organisation which will take place there,because this weeding is a challenge for me.
i want also to tell you that those person i will send close to you will help in the choice of the menu and the decoration and something else you will ask them to do before my arrival.

However I will consequently ask you to remove the reservation price and 5000€ by charging my the credit card that i will send you as soon as you give me your oK.
Not that this ammount of 5000€ wiil be used to regulate the plane ticket of those 4persons who will represnt me until my arrival.

Not also that i will need you to send the 5000€ to a member of NAKATA TRAVEL AGENCY which is located in Ivory Coast by western union because i used most of the time to take my travel ticket and i have a reduction there in each ticket.

I am currently in Morrocco for a congress and I benefitted from the occasion to take my son and his future wife with me for the choice of the weeding clothes they will need at the time of the ceremony that why i am not capable to make any transfer because the law of this country forbid this.

Thus I am waiting for your soonest response in order to communicate to you my credit card number+ the scratch date for the payment.
MoreoverI ask you the disponibilty to help me resloving this matter.

Not that NAKATA TRAVEL AGENCY have problems with their machine so they cannot charge my credit card by themselve.

For your will to help me i will reward you with 500€ .

MY DIRECT PHONE NUMBER IS 0022504735052.

Respectifully yours.

Mr.Patrick Clerk

Découvrez le blog Yahoo! Mail : dernières nouveautés, astuces, conseils.. et vos réactions !

Advance Fee Fraud: LIVE-PAYMENTS.COM

2007-09-05T21:27:00.001Z

Some 419ers tell you they have a stash of cash they want you to repatriate; some tell you you've won the lottery; some want you to pretend to be next of kin to receive an inheritance; some pretend that you are owed money for contractual work in Nigeria. These scammers just tell you there's a payment waiting for you -- simple as that. The story changes, but the fraud remains the same: there is no stash of cash waiting for you -- they're just trying to blind you with dollar signs so that they can (a) take all your personal details, and (b) persuade you to pay a few small incidental fees on the way towards receiving this imaginary stash.

   Domain Name: LIVE-PAYMENTS.COM
   Registrar: GODADDY.COM, INC.
   Whois Server: whois.godaddy.com
   Referral URL: http://registrar.godaddy.com
   Name Server: NS1.SEDOPARKING.COM
   Name Server: NS2.SEDOPARKING.COM
   Updated Date: 29-jul-2007
   Creation Date: 29-jul-2007
   Expiration Date: 29-jul-2008

---------- Forwarded message ----------
From: Gilmac Financial Services <cititiconsultant@gawab.com>
Date: 06-Sep-2007 00:14
Subject: Live Payment
To: ideceive@gmail.com

ATTN:

You have been sent a payment, here is your payment information:

PAYMENT NOMBER:      03115027
PAYMENT DATE:    05/09/2007
PAYMENT VALUE:   750,000 USD
In order to receive you payment please confirm you identity in our verification page:

Dr. P. Brook

Gilmac Financial Services
Weeps-The Netherlands.
Tel: +31-634-254755
Fax: +31-847-118266
Email: live_payment@gawab.com

1). Full Names:..................
2). Residential Address: ........
3). Occupation:..................
4). Sex:.........................
5). Phone/Fax Numbers:...........
6). Country of Resident:.........
7). Nationality: ................
8). Payment Value:.........
9). Payment Number:...............
10). Amount.................
11). A scan or Fax Copy of any Valid Proof of your

Identification like International Passport or Driver's
License:................

All participants where selected through a computer
ballot system drawn from over 20,000 company and
30,000,000 individual email addresses and names from
all over the world drawn from Europe, Asia, Australia,
New Zealand, Middle East, Africa, North and South
America. Do note also that every email addresses that
were used on this program were gotten without the
knowledge of each recipient. Be informed here that all
winnings must be claimed not later than the 15th Day
of September 2007 and that anybody under the age of
18yrs is automatically disqualified and hereby not
eligible to apply for a claim of this amount.

Congratulations from our management as we expect you
to make good use of your funds. Do note also that
every email addresses that were used on this program
were gotten without the knowledge of each recipient.
www.live-payments.com

Please follow the given instructions.
After we receive your confirmation, we will send you the payment.

Thank You
Live-Payments staff
Mr,Franck William

News: Monster.com data compromised

2007-08-22T04:29:00.000Z

Here's an important heads-up for people with personal details on Monster.com. According to Symantec, a new piece of malware has been sucking out the personal details of job-seekers from that site, via compromised recruiter accounts. Consequently, we can expect some very targeted job scams aiming at monster.com users.

Advance Fee Fraud: Fondation de France

2007-08-02T16:14:00.001Z

This is really just a variation on the "you won a lottery you didn't enter" scam. Only the cover story is different: you've been given a grant for which you didn't apply. This is typically advance fee fraud: they want money up front for some fee or other before you get to see any of your promised wealth. Sometimes they send a fake cheque or money order. Basically, don't get involved. Note that the FDF is a real organisation -- it's just that these scammers have nothing to do with it.

In addition to the contact address given in this spam, " fdf_org07@yahoo.fr", a correspondent reports one which uses "fdfgrantoffice967@atmail.org ". These are freemail addresses which anyone could register, anywhere, anytime, and they're probably not the only ones in use for this particular scam.

---------- Forwarded message ----------
From: THE FONDATION DE FRANCE(FDF) <[random address]>
Date: 02-Aug-2007 22:08
Subject: THE FONDATION DE FRANCE(FDF)
To: [redacted]

THE FONDATION DE FRANCE(FDF)
http://www.fdf.org.

The Fondation De France(FDF) would like to notify you that you have been chosen by the board of trustees as one of the final recipients of a cash Grant/Donation for your own personal, educational, and business development. The FDF, established 1977 by the Multi-Million groups and now supported by the Economic Community for West African States (ECOWAS), United Nations Organization (UNO) and the European Union (EU) was conceived with the objective of human growth, educational, and community development.

In conjunction with the ECOWAS, UNO and the EU, We are giving out a yearly donation of US$1,350,000.00 (One million, Three hundred and Fifty thousand United states dollars only) each to 100 lucky recipients. These specific Donations/Grants will be awarded to 100 lucky international recipients worldwide, in different categories.

Based on the random selection exercise of internet websites and millions of supermarket cash invoices worldwide, you were selectedamongst the lucky recipients to receive the award sum of US$1,350,000.00 as charity donations/aid. Nevertheless, according to the federal and international law concerning the personal collection of prize winnings, your bonding fees, broker fees, and tarrif fees, have already been deducted from your donation.So congratulations once again.

You would be required to send down the following informations:

FULL NAMES:______________
ADDRESS: _______________
CITY:____________________
STATE:__________________
COUNTRY________________
SEX:_______________
AGE:__________________
MARITAL STATUS:___________
NATIONALITY__________
OCCUPATION:_______________
E-MAIL ADDRESS:____________
TELEPHONE NUMBER:_____________________

You are required to contact the Executive Secretary below, for qualification documentation and processing of your claims. After contacting our office, you will be given your donation pin number, which you will use in collecting the funds. Please endeavor to quote your Qualification numbers (FDF-444-6647-9163) in all discussions.

Executive Sec. Mr David Tinny
Email: fdf_org07@yahoo.fr

Tick a suitable mode for payment of your funding grant award as listed below:

1.Online Bank Payment
2.Courier Delivery

Do note that these funding grant are strictly administered by the EU, ECOWAS and UNO.

On behalf of the Board kindly accept our warmest congratulations

Yours faithfully,
Mrs. Martha C. Edmondson.
(Director of Human Resources )

Meta: I'm a slacker

2007-07-31T15:51:00.000Z

The month of July, 2007, is nearly at an end, and if you look at the monthly archive for the Suckers Wanted blog, you might get the impression that it was a slow month for job scams. This isn't the case: I have a total of around sixty job scam spams that I didn't get around to processing. No doubt there was some repetition in this lot, so the total number of additional blog entries I ought to have written is somewhat less than that, but it's still a lot of work.

The reason for the slacking off has to do with my secret identity: he's been a busy boy, and this has seriously bitten into my deception spotting time. August isn't looking much more promising, either, but here's hoping for the best.

Advance Fee Fraud: 419 through 101egreetings.com

2007-07-27T14:16:00.001Z

This is probably more common than I'm aware of, because my reflex action is to delete "ecard" notifications of this sort. Anyway, this is an instance of an "ecard" site being used to send 419 scam spam. I checked out the site, and there's no "report this as spam" button on the page that I can see, so shame on 101egreetings.com for leaving their system so open to abuse.

---------- Forwarded message ----------
From: danlami_zbplc@yahoo.co.uk <danlami_zbplc@yahoo.co.uk>
Date: 07/26/2007;
Subject: A warm wish from Mr. DAVID DANLAMI
To: ideceive@gmail.com

Dear Recipient,

[Mr. DAVID DANLAMI (danlami_zbplc@yahoo.co.uk)] has sent you an egreeting from 101eGreetings.com
101eGreetings.com is all about saying something, expressing yourself,
and connecting . We have got ecards for all occasions to help you
celebrate all the little and big things in life. Share the joy with
people you love and care about, make them smile, by sending them an
e-wish from our collection.

Your ecard will be available on our server for the next [30] days.

--------------------------------------
CARD DETAILS
--------------------------------------

To view your ecard, please click on the following link :

http://www.101egreetings.com/cgi-bin/greetings/viewcard.pl?cardnum=EG12505126072007783

Alternately, you may copy and paste this link in your browser's
address box.

Your ecard number is : [ EG12505126072007783 ]

In case you have any questions or queries regarding your greeting
please mail us at [ support@101egreetings.com ]

Best Wishes
Customer Care
http://www.101egreetings.com/

To send someone an ecard, please visit us at http://www.101egreetings.com

Advance Fee Fraud: Richard Dolls Foundation

2007-07-19T15:16:00.001Z

I felt that this one was worth noting, because I don't recall having seen a 419 disguised as a conference invitation before. The bait here is the part that says, "Richard Dolls Foundation has set up an Access Fund to support the travel costs for all qualified participants." Depending on their modus operandi, they'll either ask for money up front (and never send you anything in return), or send you a fake cheque, get you to bank it, and then send them money based on the proceeds -- leaving you to foot the bill when the cheque bounces.

How do I know this is a scam? Easy. For starters, it's spam. For seconds, it's from a Yahoo freemail account. For thirds, "Richard Dolls Foundation?" Where do they get these names? And last, but certainly not least, the originating IP address of the spam was 77.70.128.146, which is presently delegated to a service provider in sunny Nigeria. 'Nuff said.

---------- Forwarded message ----------
From: Richard Doll Foundation <infor_dollfoundation@yahoo.co.uk>
Date: 19-Jul-2007 03:14
Subject: Call To Participate
To: doll_foundation1@yahoo.co.uk

Hello Delegate,

This is a Call for Participation in an INTERNATIONAL CONFERENCE OF NGOs holding from 20th August till the 30th of September 2007 in London, United Kingdom where as many as 200 participants from across the world including Health Practitioners, Professionals in relevant fields, Lawyers, Psychologists, Women and Youth Development Groups, Government Officials, Donor Agencies and participating NGOs will meet to discuss issues pertaining to the Welfare of NGOs...and also to meet others like yourself; to learn, teach, inspire and being inspired. This event will be exploring the potential of a practical approach that will unleash and nurture the human capacity to create, collaborate and change positively, the world at large.

What are the objectives of this meeting? The meeting will provide a medium where participating individuals and NGOs will convene to address and discuss ways of improving key Humanitarian issues and topics with much emphasis on Human Rights, Gender Equality, Peace and Security, Social and Economic Development, Youth and Children, Health Education, Ethics and Value and Environmental Protection. Participating NGOs will have direct access to grants by International Donor Agencies.

The opening Lecture will be held by Dr Mrs Artemisa Franco who is the President of the Center for Human Rights Research and Development, Maputo - Mozambique.The program will include:
* Thought-provoking plenaries
* In-depth breakout and dinner sessions for strategy-development
* Capacity and skills-building sessions; and
* Debates to stimulate discussion.

In addition to the main program, the meeting will also host book launches, artistic and cultural activities, exhibitions, plenty of space and opportunity for informal networking and alliance building.

All plenaries and selected breakout sessions will have interpretation into English, Spanish and French.

Who can participate? What happens if more than 200 participants apply? Anyone who is a member of an NGO, Professionals in related fields, Students Unions, Lecturers of Universities and Community based organizations, the Clergy as well as women and youth development groups can apply to participate.

If more than 200 people apply (as we anticipate), a global selection committee will select a representative 200 from among the applicants. This committee will ensure that the participants at the meeting are truly international and represent a diverse range of interests, issues, and regions.

The events shall commence on the 20th till the 30th of July 2007 at Abba Queens Gate Hotel London.
I can't afford the cost - Can you help? Richard Dolls Foundation has set up an Access Fund to support the travel costs for all qualified participants.

How do I apply, and when is the deadline? All Interested organizations should send an email to the Local Organizing Committee. Participants MUST be a group of 1-3 persons to qualify for registration.

Contact Person: Rev. George Solomon
Email: infor_dollfoundation@yahoo.co.uk

Regards,
Local Organizing Committee
Richard Dolls Foundation

Yahoo! Answers - Get better answers from someone who knows. Try it now.

News: 111 suspected 419ers arrested in Amsterdam

2007-06-19T22:57:00.000Z

I'm pleased to say that the Netherlands is still taking Nigerian organised crime seriously, even if the UK has decided to slack off. As reported in The Register (among other places), police in Amsterdam last weekend arrested 111 people of West African nationality (primarily Nigerian). They are suspected of running lottery scams.

Spam: Job Scammer does OEM Soft too?

2007-06-12T18:41:00.001Z

A few days ago, I received a short blast of identical spams (other than the "from" address, which was totally different for each instance) promoting dubious vacancies at a "company" called SunFx. For detail, see the SunFX Online Inc scam report at my Suckers Wanted blog. This particular instance of the spam stood out because it's mangled: it blends an OEM Software scam with the job scam. I suspect that this is either the same scammer running more than one scam, or at least the same spammer, possibly sending spam on behalf of more than one dodgy client.

---------- Forwarded message ----------
From: James Nelson <[redacted]>
Date: 09-Jun-2007 19:45
Subject: Re: Hi
To: [redacted]

OEM Soft Store 80% Discounts

We are glad to present You this online software store with maximum lowest prices on the Internet. You won\'t find software anywhere else on the Internet with prices lower than here. All the programs we have here for sale and available for Download Only.

http://www.best-soft-download.hk/

--------------------------------------------------------------------------------

MS Windows Vista Business Edition at ......ONLY $49.95

MS Office 2007 Professional .......................ONLY $49.95

ADOBE Creative Suite 3 Design Premium ..ONLY $37.95

SystemWorks Premier 2007 Edt .................ONLY $19.95

And many more...

--------------------------------------------------------------------------------

Come and check out by yourself
http://www.best-soft-download.hk/
SunFx Online Inc. customer service department is currently offering employment for 10 Australia residents and 15 United States residents in order to provide it's new branch with qualified personnel.
The private client support desk is responsible for following up client enquiries, helping the clients to understand how SunFx Online can save them money on foreign currency transactions, and developing new business through referrals.
If you're a customer service fanatic, and enjoy working in a challenging and rewarding environment, please see below for our current list of opportunities.

Position: Customer service officer.
Salary: Your starting salary will be $2300 - $4500, which will be paid to you in accordance with our standard payroll procedures.
In addition, you will be eligible for monthly and annual bonuses.
Relevant Work Experience: Will be an advantage.
Location: Australia / United States.
Education Level: College degree will be an advantage.
Insurance: 1 month after you begin work, you will be covered under our group health insurance policy, unless you advise us that you do not desire such coverage.
Information regarding our health insurance, as well as other group benefit plans, is enclosed
Keywords: Telecommuting, flexiplace.

Should you have any questions regarding this letter, our offer of employment or anything else, please write me an e-mail.
We are excited to have you join our organization and look forward to working with you.

Please forward your full resume, contact information and questions to HR dept. e-mail: sunfxcareers@ssl-mail.com

You will be contacted within 1 to 4 business days.

Best regards,
James Nelson
Employment Manager
SunFx Online Inc.
sunfxcareers@ssl-mail.com

Spam: ship4love

2007-06-01T12:11:00.000Z

This scam is funny. I don't know what the exact details are -- it looks like advance fee fraud, but I'm not going to bother digging up details. However, here are a few suspicious points.

Does this whole thing reek of "bait" to you? Someone is trying to lure desparate males with some very tall tales here.
A beauty pageant called, "The Beauty and Intelligence of Russia"? Oh really? Seems like nobody else on the Internet has heard of it.
They advertise by spam. That's a good way to get victims, not customers.
The domain name is freshly registered.

Speaking of domain registration...

   Domain Name: SHIP4LOVE.COM <-- scam
   Registrar: ENOM, INC.
   Whois Server: whois.enom.com
   Referral URL: http://www.enom.com
   Name Server: NS1.SLAVHOST.COM
   Name Server: NS2.SLAVHOST.COM
   Updated Date: 10-apr-2007
   Creation Date: 10-apr-2007 <-- recent
   Expiration Date: 10-apr-2008

That's about all the effort I'm going to waste on this scam. Here's the original spam text for reference, though.

---------- Forwarded message ----------
From: [redacted]
Date: 01-Jun-2007 16:17
Subject: ship4love
To: [redacted]

Hello,

If you do not want to loose your money and to talk to girls who does not
even exist there is new wonderful opportunity to meet Russian girls in
person and to spend 7 days on cruise with them. On the 25 of July a
beautiful ship " St. Valentine " will sail from Sochi (Russia) and will
go around the Black Sea. There will be 50 Russian beauties who want to
meet a foreigner in order to make a family and they are ready to leave
Russia. These girls are disappointed in Russian men and they will be
happy to find the man abroad. All their pictures are placed on the
website. On the ship will be created such an atmosphere that will help to
start romantic relations. There will be invited only 30
foreign men on that cruise. And you can be one of them!
If you are interested, go in a site: ship4love.com

ship4love.com

Best regards.

Spam: CharityHope

2007-05-13T10:25:00.001Z

Right... the link in this spam took me to a page full of porn video links, not a form for submitting a resume. Thankfully, I'm cautious enough to use a text-only browser when checking out such things, so I may have been spared an unwanted anatomy lesson. I also tried without the numeric extension on the end of the URL, and that took me to a page containing Javascript which did nothing, but looked a lot like Javascript I have seen on sites which try to exploit security weaknesses in web browsers.

All in all, if you managed to find this page before clicking on any links, I highly recommend that you don't. If you clicked already, and you run Windows, you may want to scan your computer for the latest malware. It's also entirely likely that the number at the end of the URL is a unique tracking ID, and the spammer is creating a list of suckers who are silly enough to click on links in spam, which is always a bad idea (unless you're some kind of idiot who writes a blog about spam).

---------- Forwarded message ----------
From: Cleo <gerr[@]shapel.bir.ru>
Date: 13-May-2007 12:27
Subject: _The best time to join the team of CharityHope. Contact us by sending your resume.
To: undisclosed-recipients

Our Charitable Center, established in year 2000 by a team of highly qualified professionals who feel privileged to help world and people in their sorrow. We are working to help people donate money for realization our social and charity programs, called up to help growing generation to get education, for providing of charity projects, directed on formation of favorable social and informational area around children. We are working on developing of new children centers for their education, we are taking active part in support and adaptation of homeless children.
Our organization is pleased to inform you that there are available vacancies for a Donation Manager Position.

your resume - http://81.29.241.160/in.php?21352828

Our team is really happy to invite you to our company!

Spam: job@headfirm.net

2007-05-10T16:10:00.001Z

Here's an interesting spam I found while sifting through the usual job scam spams. At first glance, this appears to be a standard job scam, but on closer inspection it lacks key ingredients. For example, it expresses as strict requirements that the applicant be registered with the SEC.

This is perhaps a clue to what they're really doing here: trying to find registered stock brokers. My guess is that this is the first stage of a "spear phishing" attack: anyone who contacts them claiming to be a stockbroker will be sent some documents in return, such as Microsoft Word documents. These are actually Trojan horse documents, crafted in such a way that they will attempt to install other software on the stockbroker's computer. The attackers probably want to gain access to stock trading systems so that they can buy and sell stock to manipulate the price for their own gain, or some similar scam.

---------- Forwarded message ----------
From: [redacted] <[redacted]@hotmail.com>
Date: 10-May-2007 09:58
Subject: Good job offer from careerbuilder
To: [redacted]@gmail.com
Cc: [three more gmail.com addresses redacted]

This position is open as of 05/09/2007.

Financial Consultant Retirement Advisor - Stock Broker

Financial Consultant - Registered Rep - Money Management - Retirement Planning

We're looking for established money motivated reps. Huge payouts! 100% Commission.

We're an independent Financial Services and Investment Services firm looking for the next great member of our team. Our Financial Consultants provide Investment, Insurance and Financial Planning services tailored to meet the needs of business and individual clients. Are you ready to step away from the micro managed environment of the larger firms?

Would you like the freedom to actually give objective advice? If so, Keep Reading!

What's in it for you:

~ A professional work environment. We are passionate about what we do!
~ The freedom to do what's right for your client. No pressure to sell the monthly special!
~ Solid earning potential and benefits package. Strong Commission Structure.

What we are looking for:

~ Registration with the Securities and Exchange Commission (SEC)(required)
~ Registration with the Medallion Guarantee Signature program (required)
~ Bachelors degree in Business, Finance, Accounting, Marketing, Communications or related field
~ 3 + years experience as a Financial Consultant, Registered Rep or Broker
~ Exceptional communication, presentation, and relationship-building skills
~ We're looking for proven producers with an entrepreneurial streak!

So, If you are a talented and experienced Financial Consultant or Financial Advisor, with a Bachelors degree and 3 or more years experience . . . Apply Today!

Salary: $350,000.00 - $600,000.00 /Year

Required Skills

--------------------------------------------------------------------------------
Financial Consultant, Retirement Planning, Stock Broker, Estate Planning, CFP, Relationship Management
If you are a good fit for the Financial Consultant Retirement Advisor - Stock Broker position, and have a background that includes (and/or):

Financial Consultant, Retirement Planning, Stock Broker, Estate Planning, CFP, Relationship Management and you are interested in working the following job types:

Sales, Business Development, Marketing

Within the following industries:

Banking - Financial Services, Accounting - Finance, Mortgage

About The Rewards

Work hard, perform well, and you'll be rewarded with a dizzying number of benefits including:

Competitive base salary
Bonuses and commissions
Medical and dental coverage
401k retirement plan
Paid vacations
Tuition reimbursement
Paid training programs
Comfortable work environment
Business casual dress

This offer will remain open until 04.30.2007. If you decide to accept our offer, as we hope you will, please sign the enclosed copy of this letter in the space indicated below and return it to us as soon as possible.
Should you have any questions regarding this letter, our offer of employment or anything else, please do not hesitate to contact us. We are excited to have you join our organization and look forward to working with you.

Our email is job@headfirm.net

Sincerely Yours,

CyberCoders Sales & Marketing Specialists

EMPLOYEE ACKNOWLEDGMENT

In response to the above offer of employment (INITIAL ONE ONLY):

______ I accept.

______ I do not accept.

Dated: ___________________, 20___

____________________________________________
[Insert employee name here]

P.S. If you accept this offer We would be glad to invite you to your personal interview.

Spam: Seek-Employment.com

2007-04-13T12:24:00.001Z

I'm not reporting a scam -- or at least not knowingly reporting a scam -- with this post. Rather, I am offering a strong recommendation against using the services of " seek-employment.com" on the basis that the "chairman and founder" is a spammer. I don't know whether he scraped my email address off my blog, or off careerbuilder.com , although I suspect the latter for obvious reasons.

This particular spam originated in Australia and promotes an Australian business, and is thus in breach of the Australian Spam Act. The fact that this person is breaking the law in order to promote his business is hardly a ringing endorsement of his integrity. The Australian authorities may take action against him for spamming sooner or later, but I felt it important to name and shame in the meantime, since people should have fair warning before associating with a spammer. This is doubly important when the matter is employment, since such websites are often used by scammers, even if not run by them.

Here is a partially redacted extract of the WHOIS data that leads me to believe the registrant is in Australia.

Registrant:
   Top Chef
   XX Connemara Drive
   Perth, Western Australia 6108
   Australia

The following are the full mail headers associated with this spam. These also show that the country of origin is Australia, or more specifically the ISP "Amnet IT Services Pty Ltd".

Delivered-To: ideceive@gmail.com
Received: by 10.114.14.3 with SMTP id 3cs22579wan;
        Fri, 13 Apr 2007 02:41:36 -0700 (PDT)
 Received: by 10.100.133.9 with SMTP id g9mr2323956and.1176457295956;
        Fri, 13 Apr 2007 02:41:35 -0700 (PDT)
Return-Path: <office@seek-employment.com >
Received: from seek-employment.com (203.161.72.73.static.amnet.net.au [203.161.72.73 ])
        by mx.google.com with SMTP id c40si2914339anc.2007.04.13.02.41.33;
        Fri, 13 Apr 2007 02:41:35 -0700 (PDT)
Received-SPF: neutral ( google.com: 203.161.72.73 is neither permitted nor denied by best guess record for domain of office@seek-employment.com)
Message-Id: < 461f504f.1c72d3df.2e81.3de2SMTPIN_ADDED@mx.google.com>
From: Seek-Employment <office@seek-employment.com >
To: ideceive@gmail.com
Subject: Seek-Employment
Date: Fri, 13 Apr 2007 17:42:08 +0800
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Content-Type: multipart/related; boundary="de96afae-7651-4381-9dce-7b4afae7fbff" 
Reply-To: office@seek-employment.com

Images have been redacted from the spam body, which follows. Images were externally hosted at " seek-employment.com" and "topchef.com", which appears to be the property of the same registrant (if WHOIS is to be believed).

---------- Forwarded message ----------
From: Seek-Employment <office@seek-employment.com>
Date: 13-Apr-2007 19:42
Subject: Seek-Employment
To: ideceive@gmail.com


If you could help forgotten children in crisis, by doing nothing but what you
already do, would you?	Sign up here

Dear Employer / Recruiter,

Seek-Employment is a new job board, with a greater purpose than being just another employment site. We want to positively impact the lives of suffering children across the globe.

Seek-Employment's goal is to provide exceptional online services to Employers, Recruiters and Job Seekers in United States, Canada, United Kingdom, Australia and New Zealand. A regular job ad is 100% FREE.

Seek-Employment will raise money through added value advertising on its site. We will donate 100% of this revenue to Riverview Children's Foundation.

By advertising your job vacancies on Seek-Employment for FREE, you help us generate greater site traffic, which makes it worthwhile for companies to invest in Seek-Employment's added value advertising, which raises money to help suffering children world wide.

You can now post your vacancies on Seek-Employment - FREE !

Riverview Children's Foundation

Riverview Children's Foundation promotes and supports projects that reduce suffering, and provides options for forgotten children in crisis, globally.

The Vision is that we see children in crisis (not restricted to but including prostitution, abandonment, trafficking, and imprisonment) rescued, protected and empowered, to live out their lives richly and, where possible, contribute fully back into their own communities and cultures.

We are currently partnering with projects in Cambodia, Thailand and Ukraine and our goal in the future is to have a global impact by supporting projects in Africa and other South East Asian countries.

To read more about Riverview Children's Foundation click here

Thank you for your support.

Samuel Anders Jansson-Bush

Chairman & Founder

Seek-Employment

After you have created your Free account, logged in and placed a job vacancy on Seek-Employment you can: -

Find qualified staff such as Executives, Managers, Professionals, Trades people ---

Create job postings online that are instantly available to thousands of applicants, and receive unlimited resume responses.

Create a Company Profile page to showcase your company to potential employees. Upload your logo, add/edit or view jobs, archive and renew old jobs.

See online who has applied for your jobs (also can be received via email), send private messages / receive private messages from potential employees, search/consult jobseeker's resumes, bookmark and email jobseekers resumes, review statistics of how many times your job has been viewed and job applications received.

Receive Resume Mail - daily/weekly resumes sent matching employer's job.

Create sub-accounts for larger companies that need more than one login for their company account ( Please apply here)

Display posted jobs on your own website with the cross network option ( Please apply here).

Take this great opportunity today and you can potentially reach tens of thousands of job seekers daily

Click here to create your FREE account

Search on Seek-Employment for jobs and much more... Posting your resume is FREE and easy. Our online job database connects you with the most recent jobs that fit your requirements. Register or log in HERE.

| Remove me from Seek-Employment mailing list |

Job Scam: MRC International Auto Broker Company

2007-04-06T04:35:00.000Z

I've started to receive a stream of money mule job scam spams using this identity. It's been on my radar once before, but it seems to be more in earnest this time. For spam samples, see the entry at my "Suckers Wanted" blog. One of the interesting things about this scam is that they are requesting "the ability to accept BPay transfers".

There are no restrictions on this vacancy, except for these little requirements: You should be at least 21 year, Basic knowledge of MS Office and e-mail, Ability to answer phone calls during a daytime, Ability to check your e-mail at least 2-3 times per day, A credit card in any Australian or New Zealand bank with ability to accept BPay transfers (you can apply for a new account especially for receiving funds from us). If you already have a permanent job this will not prevent you from being employed with us. So if you can check e-mail and communicate with us by phone (probably in dinner break) you can work from your office.

A quick search reveals that BPay is a bill payment system used by a large number of financial institutions in Australia, and the ability to make BPay payments is incoporated into Internet and phone banking services offered by those institutions. So far as I can tell, however, being able to receive BPay payments is much more difficult, involving a lot of paperwork at the very least. It's the sort of thing only a business would do if they really did have a billing infrastructure. I can only assume that this whole "BPay" angle is a smoke-and-mirrors distraction, and the money is actually sent via direct account-to-account transfer, as is the usual case.

Investment Scam: Direct2EG

2007-03-29T13:08:00.001Z

It's a relative rarity that I get spam promoting a pyramid investment scam like this. They used to be quite common. My surmise is that the activity has mostly been relegated to discussion forums dedicated to this kind of shonkiness. If the WHOIS data for " direct2eg.com" is to be believed, this scam is based in Kuala Lumpur, Malaysia -- a claim that I find entirely credible. Malaysia isn't the centre of scum and villainy that Nigeria is, but it's high on the list of such places, particularly as regards pyramid investment scams.

In the interests of not promoting this rubbish, I've partially redacted the spammer's affiliate IDs.

---------- Forwarded message ----------
From: kissou abdoulaye <kiss_ablo54@hotmail.com>
Date: 29-Mar-2007 17:16
Subject: NEW PROGRAM.. BREAKING WORLDWIDE RECORD!
To:

hello

I stumbled upon a very interesting website recently. I've been spending some
time going through it and personally, I feel it's a very useful site...I even
learnt a couple of new things!

Just thought it might be useful for you too.

Membership fees is only a one time $20 out of pocket while you can earn passive and residual income .The more you find prospect the more you achive your dream

In this program you earn money on every level. You'll start making money just after you activate your account!

ALL YOU HAVE TO DO IS FOLLOW 3 SIMPLE STEPS BELOW:
STEP #1
SPEND $20 in total from your e-gold account to 3 sponsors including $5 to the program administrator for the administration cost of the website. After your payment, you will be redirected to registration page.

MEMBER	PAY AMOUNT
limosine	$7
adrien	$5
jaguar	$3

STEP #2
SIGN UP to open an account by filling registration form with your username, email and e-gold account number.

STEP #3
PROMOTE your Direct2EG webpage using your referral link

HOW IT WORKS ..
After you spent $20 in total to 3 sponsors and sign up, you'll get a referral link to "Direct2EG" webpage which your name now becomes the top sponsor.

Promote your webpage. If a new member signs up from your referral link you'll get $7 before this new member can activate his/her account. You don't have to wait until your name reaches 3rd level position to be paid. You'll get the money even if you are still in the first level. You'll start making money just after you activate your account! This makes this program much better then other programs!

Your downlines will do the same thing as you do. Assume that every member gets 30 new member each and your your potential earning:

LEVEL	DEPOSIT PER MEMBER	TOTAL DOWNLINES	EARNING
1	$7	30	$210
2	$5	30 X 30	$4500
3	$3	30 X 30 X 30	$81000

www.direct2eg.com/?id=xxx

First create an account with e-gold.Please click here

http://www.e-gold.com/e-gold.asp?cid=xxxx235

Click on "CREATE AN ACCOUNT" at the left of the menu section

Fill the form .

To fund your e-gold account please click here

http://www.me-gold.com/index.php?ref=xxxx235

Regards

KISSOU

MSN Messenger : appels gratuits de PC à PC partout dans le monde !

Info: Anatomy of an eBay scam

2007-03-21T02:50:00.000Z

I ususally report on spam-based scams, so eBay scams aren't my usual cup of tea. My encounters have been primarily with the other side of eBay scamming: the hiring of mules to act as middle-men. For a more in-depth look at the eBay side of the fraud, I recommend the article "Anatomy of an eBay scam" at The Register. It's an abbreviated email exchange between the reporter (posing as an interested buyer) and the scammer.

In this particular scam, an eBay account with a good reputation is hijacked (by phishing the owner for credentials), and an item offered for sale under that identity with instructions to contact the seller via non-eBay channels. When contacted by a buyer, the seller then spoofs mail from eBay instructing the buyer to send payment to an "eBay agent" via Western Union. If the buyer falls for it and sends the money, the scam is complete and successful.

Note that a single fraudulent listing on eBay can be used to scam a large number of potential buyers, since there is no competitive bidding, and no goods are ever shipped. The scammer can just pretend that the goods are available to all who ask, and collect as many payments as possible. The payments could be made through a money mule: the article doesn't spill the beans on the identity of the Western Union recipient, so I can't make an informed guess about the process in this case.

News: Spammed Stocks Suspended

2007-03-08T19:52:00.000Z

It's nice to have something to report other than the usual stream of job scams over at Suckers Wanted. Sophos is reporting that the US Securities and Exchange Commission has temporarily suspended trading on a swag of stocks that were being touted (and touted, and touted) in spam. This seems like a good thing, but I somehow suspect that the miscreants behind the spam will rapidly switch to a bunch of other stocks. I have doubts as to whether this action will yield long term benefits unless the SEC starts reacting quickly to new spams.

Info: Job Scam Changes, February 2007

2007-02-09T01:35:00.000Z

This month has finally seen the demise of Impex Consult, active since December 2006, but the tail end of Norden continues to trickle in (active since November 2006), although only the domain "norden.hk" seems to be active anymore. Meanwhile, two new names have started showing up in a big way: Radius Investments and August Insurance. The "Radius Investments" scam is causing more damage than usual, because it is ripping off the identity of a real company, which is naturally suffering harm to its reputation through no fault of its own. On the plus side, it means that someone is motivated to stomp on the scammers and their domain registrations hard, fast, and continuously -- with lawyers -- which is about what it takes. My guess is that the scammers will give up on the idea of impersonating real companies pretty quickly because of this opposition -- but wait and see, because my predictions aren't always right.

Also worthy of note so far this month is a move away from image-based spam. The Impex Consult scam was the biggest contributor of such spam to inboxes last month (so far as job scams are concerned), and Radius is the major contributor this month, but the August scam has fallen back to plain text. The August spams have also been free of hyperlinks to their websites, and this has aided them in bypassing spam filters to a large degree.

Info: ITS Finance now Diving with Sharks?

2007-02-01T14:24:00.000Z

It's often interesting to try to follow the scammer through a series of name changes. Some have such a distinctive modus operandi that the changes are obvious: you can almost predict what they are going to do next. Others are subtler and less conspicuous. All such evidence is circumstantial, but some evidence is stronger than others.

In this particular case, I believe there is overlap between the (currently inactive) ITS Financial Corp scam, and the (new) "Dive with Sharks" scam. My suspicions are raised by the very similar form of the spam. Consider the following comparison: an ITS spam is on the left, and a "sharks" spam is on the right. Neither is the complete email, but these ideas are expressed in the same order.

ITS Financial Corp	divewithsharks.biz
Hey there	Hello,
I hope this message finds you in a great spirit.	We hope you are reading this message in a fine mood.
For a start I'd like to welcome you on this opportunity because our firm just came about your contact and your brief profile through an email listing affiliated with HotJobs and I would be highly interested in giving you a work at home job in which you can earnextra income of close to AUD3000 monthly.	I'd like to welcome you on a very interesting opportunity. We supppose you will be very interested in a home job in which you could get about AUD4000 per month.
This work doesn't affect your present job and this is a very limited offer in which I would really require your immediate response. I will be hoping to hear from you soon, since this is a job that will enable you to work part-time.	This job will not affect your present career, it will only take a small part of your free time.
Please fill out our application form, no fees asked, just your basic contact details:	Please fill our application form. No fees are asked, just leave your contact details:
We will get back to you ASAP. Have a nice day	We will contact you soon. Thank you!

News: US County treasurer gets 419ed

2007-01-25T06:00:00.000Z

Who falls for these outlandish tales of untold wealth endemic to the 419 scene? Sadly, it's sometimes people who are entrusted with the care of other people's money. Sophos is reporting that one Thomas Katona, treasurer of Alcona County, Michigan USA, for thirteen years, invested more than $1.2 million of county funds in Nigerian fraud scams. That's in addition to whatever of his personal wealth he poured down the 419 drain. He had been advised by bank officials that he was investing in fraudulent schemes, but denial is a powerful thing, it seems.

Sickening, isn't it? He's been charged with various counts of forgery and embezzlement, and can expect a sentence of ten years or more. It seems to me that imprisonment is counterproductive, though. There are probably lots of things that he can do to actively pay off his debt. Just make him an indentured servant of the county, pay him minimum wage, and get him to do work valued above that level of pay. The difference can go towards paying off the $1.2M he stole. For one thing, he can visit schools in his county and give the kids a lesson in "don't be an idiot sucker like me". Make some lemonade out of those lemons.

I can dream, can't I?

Info: UK 070 numbers

2007-01-21T15:35:00.000Z

Many lottery spam scams in particular use UK 070 prefix telephone numbers as a means of contact. These look like mobile numbers, but I've known for a while that they are actually "personal numbers" which the owner can redirect to anywhere. Thus, if you move around a lot, you can forward the number to new locations as you go.

What I didn't know was that you could obtain one of these numbers without being in the UK, and forward it to a number which is also outside the UK. Consequently, all those lottery scams which appear to be UK-based thanks to UK phone numbers aren't necessarily in the UK at all! Furthermore, the sign-up process can be done online, just like signing up for a free webmail address, so the scammers aren't even obliged to re-use the same number on their next scam. All in all, UK 070 numbers (starting with "+44 7" when expressed as an international number) tell us absolutely nothing about the location and identity of the party so contacted.

Thanks to Sophos for pointing this out.

Info: Tempting prices might be bait

2007-01-07T06:38:00.000Z

I'm seeing quite a few reports around of people finding really good offers on new equipment for sale online, but they don't know whether it's a scam or not. A search on the company in question reveals no feedback, good or bad, so is it a scam? In general, where there is no feedback, the safest assumption is "scam": scam artists have to change identities regularly, since their bad reputation starts to catch up with them after a while. If that in itself is not enough to convince you to play it safe, then let me explain a little about the business of organised crime.

One kind of organised crime is trade in stolen credit card details. A person who compromises a great online database of credit card details does not necessarily then go and use those details himself: it's probably easier for him to "cash out" directly at that point by selling them to someone else, perhaps in bundles of 100. The purchaser of that data buys with the intention of using the credit card details to commit fraud well in excess of the price paid. One such avenue is to purchase goods online, then sell them off at reduced prices before the fraud is noticed. It's a race against the clock: can the scammer "cash out" of the game before the fraud is noticed?

But having goods shipped directly to yourself is not such a great idea if you're a fraudster: it makes you too easy to trace, and too easy to detect the fraud up front. Nobody ships to Nigeria for that very reason. So what's a con artist to do? Answer: get middle-men involved. The more convoluted the process, the harder things are to trace, and the more difficult it is to spot the fraud. How convoluted can it get? Dizzyingly convoluted. Let me tell you a tale by way of illustration.

Sammy the Scammer has a pile of compromised credit card credentials, and he wants to cash them out (use them to make money). He sets up an online shop-front which can't be traced back to him, and offers some great prices on laptop computers. People won't trust him with their credit card details (just as well for them!), so he accepts payment through a reputable escrow agency. This has the benefit of giving him an air of legitimacy. Sammy has also contacted another person called Roger the Reshipper, and we'll find out about Roger's role shortly.

Meanwhile, Barry the Buyer decides he wants to purchase one of Sammy's laptops, given as how the prices are so tempting. Barry places his order, and puts the payment in escrow. Sammy now springs into action, ordering the same laptop from Honest Ed's Laptop Shop at a much higher price, using one of the compromised credit cards. Honest Ed is directed to ship the laptop to Roger the Reshipper, who lives in the same state as Honest Ed, so Honest Ed thinks this is a low risk sale: Roger is within reach of local law enforcement if there's a problem.

Meanwhile again, Roger has accepted a work-at-home job opportunity from Sammy the Scammer as a reshipper. His job involves accepting various packages, and forwarding them elsewhere. Sammy has been paying him for this work: Roger regularly collects his salary from the local Western Union office. Today Sammy tells Roger he will be receiving a laptop from Honest Ed, and he should reship it to Barry Buyer. Roger dutifully does his thing.

A little later, Barry the Buyer receives a perfectly good laptop computer, as per his order with Sammy Scammer. He's a little confused by the "Honest Ed" material in the box -- does Sammy trade as Ed, or what? Still, the goods are good, and Barry informs the escrow agency to clear the payment. Sammy receives the cash, and has succeeded in turning one compromised credit card into a cash payout. He forwards a small portion of the cash to Roger the Reshipper, since the police haven't put a stop to him yet, and he's a useful dupe to have around.

Eventually the fraud is detected. The credit card company reverses the payment, and Honest Ed is out of pocket. He reports the matter, and the law agencies start to note a lot of complaints pointing to Roger the Reshipper. Agents of the law take Roger into custody for a little questioning. Roger, anxious to prove that he's not a bad person, hands over all the details he can find about where he's been sending what. Barry the Buyer is among those implicated. Roger and Barry could be charged with receiving stolen goods, or similar.

Sammy the scammer, on the other hand, has long since shut down the old online shop, started a new one, and recruited a new mule or two. He's off scott free, because he can't be traced. Any time he needs to do something which could be traced, he hires a middle man to take the risk for him, like Roger.

Does this sort of thing really happen? Hell yeah. There's big money to be made in ripping people off, so long as you don't mind being an evil scumbag.

So how do you prevent yourself from becoming a Barry? Well, like I said: be sure that you're dealing with a company that has an established history and positive feedback. It's really hard to know whether goods are stolen or not, under the circumstances. And bear in mind that super-cheap prices are probably bait in a trap.

Info: Impex Consult and Their Annoying Spam

2007-01-05T12:30:00.000Z

Hi everyone, and a happy new year to you all. The new year has kicked off with the Impex Consult job scam crowd shifting tactics a little. Whereas I've previously been getting spammed by them (and their predecessor identities) at old addresses, I'm no longer seeing much of that activity. That's not to say that they've slowed down the spam: on the contrary, I've received a lot of Impex spam over the past few days -- around seven a day. It's just that it's now sent to my blog contact address rather than my old spamtrap addresses.

Anyhow, the shift seems to have attracted a lot of new people to my blog to see what the heck all this Impex spam is about, and one of the most frequently asked questions is "can I make it stop?" Well, there are two ways to stop spam: one is to get the senders to stop spamming, and the other is to prevent it from being delivered. In this case, the senders are a pack of evil scamming fiends who regard you in a manner similar to the way a wolf regards a sheep, so asking them to stop is probably not going to work. That leaves us with the "dodge delivery" approach.

The absolute best way to solve your spam problem is to retire your old email address and start with something new and unique. There's effort involved, since you have to inform people about your new address, but you can phase it in slowly. Eventually the new address will be discovered by spammers through various kinds of leakage, and you'll have to go through the same change again. That's the price spammers make us pay, sadly.

It's not all doom and gloom, though. If you're a Gmail user like me, then all your Impex spam is already landing in the "spam" folder. I only know about it because I study my spam folder in my capacity as a deception spotter. If you are a Gmail user and can't stand the Impex junk even in your "spam" folder, then you can create a filter to delete it automatically. Just click on "create a filter", put "Impex Consult" in the field marked "From:", check the box marked "Has attachment", and click on "Next Step". In the next step, check the box marked "delete it", then click on "Create Filter". This will send all incoming Impex spam directly to the deleted items folder -- until such time as they change their name or stop sending the spam as image attachments, at least.

Info: Vista Pirates

2006-12-18T21:35:00.000Z

Spam advertising pirated software on the cheap (under the guise of "OEM" software) is nothing new, and not terribly interesting to me, but there's been quite a spate of it using Microsoft's new "Windows Vista" as the selling point. In the last week or so, my spamtraps have been collecting on the order of twenty such spams a day, most with the common subject, "Windows Vista Ultimate ready to download", and linking to a wide variety of recently-registered domains, so this is quite an aggressive spam campaign.

Beyond the fact that, for reasons of security, I recommend against using any version of Windows on a computer that is connected to the Internet, I emphatically recommend against obtaining any software, especially Windows, from dubious cheap online stores. Why, you ask? Because anecdotal evidence suggests that some of these sellers are not merely "pirates" engaged in flagrant copyright violation for profit, but are also placing back doors in their version of Windows so that they can use your computer to send spam -- or do whatever else they might find profitable to do with your computer.

It makes sense that they would do this: compromised Windows computers are, in my experience, the number one source of the worst spam on the Internet. These people are, so far as I can tell, sending their ads via such compromised computers. Do you suppose that some of the customers are now part of the spam problem? It wouldn't be in the least bit surprising would it? Why break into a computer the hard way when you can offer a system with a wide open back door and receive money from the target at the same time? It's a heck of a racket.

Job Scam: Impex Consult Financial Consulting Group

2006-12-08T10:53:00.000Z

Heads up -- a new name in job scams is on the radar for December: "Impex Consult Financial Consulting Group". This appears to be the same job scam gang responsible for Athens Financial Group Ltd, based on their common use of name server hosts. As usual, they want you to be a financial middle man -- or mule -- for stolen funds. This one is quite active: I've seen three different domain names covering the same scam in the past few days.

Fraud: savechilds.net

2006-12-07T17:06:00.000Z

This isn't the first time I've seen a bogus charity, but they aren't common. In this particular case, the spam uses that currently-popular technique of presenting the message in an image.

 Domain Name: SAVECHILDS.NET <-- scam domain
 Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
 Whois Server: whois.dns.com.cn
 Referral URL: http://www.dns.com.cn
 Name Server: DNS195.3FN.NET
 Name Server: NS2.3FN.NET
 Updated Date: 20-Nov-2006
 Creation Date: 30-Oct-2006 <-- recently created
 Expiration Date: 30-Oct-2007 <-- minimum length registration

Advance Fee Fraud: Integrated Global Finance Services

2006-12-07T16:42:00.000Z

This is a form of advance fee fraud and possibly forgery. An offer for an unsecured loan arriving unsolicited via email should trigger all sorts of "scam" alarm bells: please work on your credulity problem if it doesn't. A scam like this probably involves the loan applicant either being hit up front with fees, fees, and more fees, with no payout ever. Alternatively, the scammers can pay the mark with a fake cheque and insist on a fee being paid out of that. The fee is paid via Western Union, and then the cheque bounces later, leaving the mark out of pocket.

CONTACT US FOR YOUR LOAN AND FINANCIAL ASSISTANCE.
INTERGRATED GLOBAL FINANCE SERVICES.
387/NTL PALMSTRAAT AMSTERDAM, NETHERLANDS.

Permit us to introduce our service to you. LOAN SCHEME, tagged 'loan under two weeks' INTERGRATED GLOBAL Professional Finance is a reputable limited liability company in the Europe entity.

Our service- deals in areas of funds,WE give out loan from (100,000 to 1,000,000 euro) bonds, grant and partnership with firms, corporations and esteemed individuals.

We offer offshore unsecured (no collateral service loan) to customers worldwide.Over the years, we have put into consideration the need for bodies and establishment in need for urgent cash either as a result of maintenance, expansion, establishment of a offices, Bankruptcy just to mention but few.

In general, we offer car loans, personal(domestic) loans, construction and working loan to reputable and existent men/women of the society at large.

Our service has been repositioned and standardized to meet customers demands in an economical way. Our interest charge is indeed reasonable, we offer hassle free loan service where by customers are allowed to make repayment over a long time span.

WE ALSO FUND SMALL BASE LOAN/FINANCE COMPANIES AS WE ARE A FULL TIME INVESTOR AS WELL.

For details and interest in our service contact

MR PHELPT VAN BROOK

Email:infocus@fynns.com

Meta: Too Many Nigerians

2006-12-05T16:27:00.000Z

Last month I had to deal with a combined average of nine lottery or 419 scams per day. They aren't all that hard to handle, but they consume time and are really boring. It's the same old same old again and again. I gave up on reporting phish scams a long time ago (other people were reporting it anyhow), and then the stock spam got too prolific to document. Now I'm going to quit reporting each and every lottery or 419 scam I receive, giving me more time to concentrate on job scams -- and the rest of my life, which does actually exist, believe it or not. So, with apologies to those who found "The 419 Files" and "Lottery Scam Du Jour" useful, I will not be updating those blogs indefinitely.

Job Scam: Viking Finance

2006-12-04T14:06:00.000Z

Looking to make a little extra money this Christmas season? If so, then I suggest you steer well clear of Viking Finance Ltd, which is the latest name in use by the money mule recruiters who called themselves Athens Financial Group Ltd last month, and a long string of other names in months prior to that. Remember folks, money mules participate in crimes, and crime is bad!

Info: 419s and Lottery Scams Galore

2006-11-28T14:50:00.000Z

Last month I considered the drop in the number of 419s and Lottery Scams arriving. Apparently it was a seasonal dip, rather than a trend: this month those crazy Nigerians and their brothers-in-scams have been making up for lost time. The month of November, 2006, is the worst month on record here at iDeceive for 419s and Lottery Scams by a long margin -- doubling the quantity over the worst previous month. I'm having a hard time keeping up with the inflow at the moment.

Info: Job Scammers go .mobi

2006-11-23T02:34:00.000Z

Dubious congratulations are in order for the new ".mobi" top-level domain name: they're now officially being used by job scammers. The Athens Financial Group job scam now includes the "afgl.mobi" domain as part of the scam. This top-level domain is intended for websites which are optimised for mobile devices, but our pet scammers are just using it as yet another name in their efforts to be a moving target: the website behind the name is the same old same old.

Spam: bennicetravelandtours@yahoo.com

2006-11-21T11:54:00.000Z

Sometimes a spam comes along that defies classification. This is one of them. No doubt I could get a clearer idea of what's going on here if I interacted with the sender, but life is too short for detail like that when there are so many scams to report.

This has "Nigerian Modus Operandi" written all over it: it was sent through a webmail system using drop-boxes at Yahoo! and Netscape for replies, and the originating webmail system reports the originating IP address as 62.56.140.83 which WHOIS in turn reports as Nigerian. So what's the scam? Well, the traditional Nigerian speciality is "advance fee fraud", so presumably that's it. Still, I haven't seen it done on this pretext before. If anyone has more detail on the scam, please post it.

Date: Tue, 21 Nov 2006 00:06:30 +0100 (GMT+01:00)
From: BENNICE  TRAVEL AND TOURS <bennicetravels@virgilio.it>
Reply-To: universaleinc@netscape.net
Subject: Bennice  World  Tours

 Hello  
Bennice U.K Travel and Tours  offers  a  wide  range  of  
services.
Do you  intend  to  get Visa  to any part  of  the  world?
We 
operate  a  travel  agency  that has  a  difference,
service delivery 
and  customer satisfaction is our Goal.
We Facilitate in procurement of 
Canadian Visa,[Students  and Working Visa.]
U.S  Visa  [Tourists,
Working  and  Students]
United Kingdom.
Schengen.
Japan  [Business and 
Tourists]
South America-Brazil,Venezuela Mexico  and Argentina.
Australia  and  New  Zealand.[Students]
South East  Asia-China ,
Malaysia ,Singapore and Thailand[ Working and tourists]
We  also  
specialize in procuring  Visas  and  other  travelling   document  for  
nurses  and
other  professionals in Nigeria.
There  are  limitless  
opportunities for Nigerian Nurses to work abroad.
We  have  ongoing  
application  within  France and  Spain.
The  visa  is  processed  
within  nine  days  to  two weeks.
Call  me  on   +44 70 40 11 2703
Our  Prices  are  relatively  cheap  and  you  have  value  for  money 
spent.
Regards
Edwin Oken
Email bennicetravelandtours@yahoo.com

Info: New Extremes in Image Spam

2006-11-15T12:42:00.000Z

It's common for spammers to place their message in a graphic image instead of plain text. They do this as a means to avoid spam filters. After all, if a computer can't read what the image says, then it's hard to tell whether it's just a picture attachment, or an image with a load of spammy text in it. We do have some ability to extract text from an image -- a process called "optical character recognition" (OCR) -- but it's not terribly reliable, and is made worse by bad images. Consequently, many spammers -- especially the stock-touting "pump and dump" spammers -- corrupt their images to make them harder for computers to read.

This particular spammer has taken the practice of image corruption to new extremes. The background contains various blotches of colour, and the lines of text are all slightly off kilter. I hope that nobody takes stock purchasing advice from a message that looks like it's abusing psychoactive drugs like this.

Job Scam: Norden United Ltd

2006-11-13T12:36:00.000Z

If past experience is anything to go by, we can expect quite a few job offers from Norden United Ltd this month. They will look suspiciously similar to all the other job offers I've reported here recently, and all be illegal money mule jobs. The first of these arrived a couple of days ago, and I would have reported it sooner, but I had a backlog of work to clear.

Job Scam: Athens Financial Group Ltd

2006-11-02T10:09:00.000Z

It looks for all the world like the same old phishing/jobscam gang that did Israeli Brokerage Services and goodness knows how many other scams reported here, but the new name of the month is "Athens Financial Group Ltd". Go take a peek if you want the details, but it really is the same old scam with a new name.

Advance Fee Fraud: Godwin Mahama

2006-10-26T14:05:00.000Z

It's only ever so slightly presumptuous of me to label this one "advance fee fraud". The full spam text is posted at The 419 Files for your reference, and you'll note that there is none of the usual "I require your assistance in relocating millions of dollars" nonsense. No indeed -- this is an entirely different kettle of fish. Well, entirely different except for the fact that it's just as fishy.

In this case, a certain so-called Mr Godwin Mahama tells us he's "a licenced government contractor, sourcing/commission agent registered with the government of Ghana", and that "many foreign firms have gotten several contracts through my company's effort and lobbying." Great. Presumably if I contact him at his suspiciously unprofessional Yahoo! freemail address (godwin_mahama2006@yahoo.com), and tell him I'm in the fertiliser business (only a slight stretch, really), he'll respond by telling me that he thinks he can get the government to contract me -- if I'm willing to pay for his services as a lobbyist.

As an Internet Fertiliser expert, I call "bullshit" on this one.

There may or may not be a real "Mr Godwin Mahama" in Ghana who may or may not be some sort of consultant, but there's no reason to think that the identity is real based on the information given.

Info: Israeli Brokerage Services shift tactics AGAIN

2006-10-26T01:21:00.000Z

You just can't keep a determined spammer down, can you? In their on-going efforts to steal your money, the Israeli Brokerage scammers have not only started using yet another domain name, but they've given up their cherished tactic of putting all their text in graphic images. Well, I don't expect that they've given up on graphics, strictly speaking, but they've diversified into plain text. Anyhow, here's the text (including the new Hong Kong based web address), since it's a simple copy and paste job.

Hello! I am Tal Alkobi, manager of a Human Recourses department and I work in Israeli Brokerage services Ltd This letter is aimed at attracting Your attention to a vacant post of financial manager for cooperation with private individuals. But first I would like to tell You about the company. Israeli Brokerage services Ltd was established in 1994 to render assistance to our clients in selling, buying, privatization, arranging deals and brokering at stock exchange. We can put into practice any operation that our client wishes. To reach it, we possess a large choice of investment instruments. Owing to the high professional standard of our specialist, we attract a lot of clients so our company is the leading company of this kind in Europe. And we continue to grow! And now we want to offer You the next: - to join our work collective - to become one of high qualified specialists - to get a prestigious part time job - to raise more IT IS NOT NECESSARY FOR YOU TO HAVE ANY HIGHER OR PROFESSIONAL EDUCATION to get this job. The only requests are: - You must have several free hours a day - have a bank account or a possibility to open a new one - have a computer YOUR MAIN TASK CONSIST IN ensuring us the possibility to provide the best service for our clients in short terms. YOUR DUTIES will be the next: - to receive payments for the ordered securities from our clients to Your bank account - to withdraw the funds and to transfer it further to our brokers in other countries You should use Western Union or money Gram services for these transfers. Your PAY amounts 9% commission out of every deposit that You receive on Your bank account. If you are interested, please visit our site: http://ibsl.hk We are waiting for You! I beg Your pardon if You received this letter by mistake. In that case I ask You to be so gentle to delete it. Yours faithfully Tal Alkobi

Info: Israeli Brokerage Services scammers change tactics

2006-10-22T09:34:00.000Z

One of the ways to block spam fairly reliably is to block on the basis of the links contained in the spam. In reaction to this, apparently, the Israeli Brokerage Services scammers have mostly stopped linking the images in their spam to their websites. Instead, they have been opting for shorter domain names and instructing the recipient to type the address by hand, as shown in the sample spam image here. Because the text appears in a GIF image, the recipient can't even copy and paste the address.

As an aside, if their primary motivation here is to dodge spam filters, it's not working very well. There are a lot other characteristics of their spams which identify them as such.

Info: Are Nigerians changing their tack?

2006-10-16T00:56:00.000Z

I've noticed a downward shift in the number of 419 scams arriving. My 419 archives show fifty-something 419 scams per month in the months of June, July, and August, but then a 50% drop in September, and projections for the remainder of October are looking similarly low. At the same time, I noticed that a recent job scam had a very Nigerian feel to it (despite pretending to come from China). On investigation, I note that the modus operandi is very typical of the Nigerians (using a webmail system), and the sending system reports that the originating IP address was 80.88.141.71, which is allocated to Nigeria (delegated from "Emperion", Denmark, to Nnamdi Nwokoro of Benin City, Edo state, Nigeria, according to WHOIS data).

Perhaps the Nigerians have discovered that it's more profitable for them to engage in job scams rather than advance fee fraud? Unlike the Russians and other Eastern Europeans (who tend to run job scams in conjunction with phishing), I get the impression that the Nigerians prefer forgery, and target the USA. According to an article at Snopes, there is a lot of fraud involving forged cheques and money orders: individuals are persuaded to accept these and wire back 90% of the face value via Western Union (or some similar arrangement). Due to banking regulations in the US, the proceeds of the cheque become available before the cheque is fully verified. The recipient gets a rude shock later when the bank denies the cheque and reverses the deposit.

Phone Scam: Perfect Soul Mate

2006-10-12T12:35:00.000Z

This is the same kind of premium-rate SMS scam I documented a couple of months ago under the title of "Your 1 True Love". It seems like a harmless bit of fun, but you're actually signing up for a truckload of useless-but-outrageously-expensive SMS messages. The sting can be found in their terms and conditions, which I quote here in full for reference.

Introduction

Your access to this service is conditional upon your acceptance of all terms of use laid out herein. You must read the following terms and conditions carefully before taking advantage of any services offered on this service. You may view all or parts of this service using an Internet web browser or mobile phone only if you agree not to reproduce, transmit (broadcast) or adapt any part of the content of this service without the permission from FunSpring.

Delivery

All SMS services provided by FunSpring are charged on a per-SMS basis irrespective of: • the message reaching the recipient. The message may not reach the recipient if his/her phone is switched off, out of range or not compatible with the content of the message. In this case, the message will attempt to be delivered for seven days • situations where a service is being denied to the user due to user's incorrect procedure and/or user ban and with the exception of where a requested product was not available.

Partnership

By signing up with or accessing any of FunSpring services, you form a partnership with FunSpring whereby you give permission to accept any type of promotional or otherwise content from FunSpring and third parties affiliated with FunSpring at any time. This includes material sent via SMS, E-Mail or any other means of communication utilized by FunSpring and any of its affiliates.

The Site and HOROSCOPE Service

By clicking the "ENTER" button you will be sent a free soul mate prediction and will start a subscription to the HOROSCOPE service. You will be sent up to 15 horoscopes each month priced at $5/sms. You may stop this subscription service at any time by sending a text message with STOP, to short code 19999008. Your phone must be Internet-enabled and have text messaging capability. You must be the owner of this device and either be at least sixteen years older or have the permission of your parent or guardian. Standard text messaging rates apply. For support please contact 1300767306 during business hours.

In particular here, I draw your attention to the last two paragraphs. One states that you are liable to receive 15 horoscopes per month at a rate of $5 per horoscope (i.e. they have the right to drain your phone account at a rate of $75 per month), and the other states that they can share your phone number or email address with whomsoever they please for whatever reason they please (presumably to advertise crap at you).

The domain name in question is "perfectsoulmate.net" which is registered through a privacy proxy service for obvious reasons. It came to my attention through a Google ad, as it did last time, rather than spam. Advertisers pay per click on their ads: you should make your own decision as to whether you want to click through any such ad you find, but I strongly advise against giving them any personal information if you do visit their site.

Job Scam: Israeli Brokerage Services Ltd

2006-10-09T15:25:00.000Z

The "Israeli Brokerage Services Ltd" money mule job scam is a continuation of others we've seen here previously, and also related to the "Bronsard Advantage" one reported a here recently. I mention it here specifically because the spammers are now trying a new tactic: leaving out the hyperlink to their website. In the most recent instance of this spam, the instructions are, "to take a visit to our web site please enter in address line in your Internet browser." The URL in question is http://ibsl.org. At a guess, their motive is to avoid spam filters, and it worked to some degree. This particular spam was tagged as "suspected spam" by one filter, then forwarded to a Gmail account which correctly classified it as spam.

Note that because the spam text is presented in a GIF image, the recipient really does have to type the address by hand -- a kind of CAPTCHA, really.

Job Scam: Bronsard Advantage Co

2006-10-07T16:22:00.000Z

First sighting: "Bronsard Advantage Co" money mule job scam. This has the same modus operandi and basic pattern as many other job scams reported here. For details of the operation follow the above link; this blog entry serves only as an announcement of first sighting.

News: Convicted spammer's appeal dismissed

2006-09-28T23:53:00.000Z

The USA has Jeremy Jaynes, and the UK has Peter Francis-Macrae. What do these guys have in common? They are both spammers who have been found guilty of spamming and various other nefarious deeds. In the case of Francis-Macrae, he's just had his appeal dismissed (reported by the BBC and The Register).

Judging by his misdeeds, Francis-Macrae is a right nasty little brat, not only engaging in email harassment, but also in threatening actual physical harm to just about anyone who ever told him off about it. At his conviction, the judge described him as, "one of the most vindictive young men [he'd] ever seen".

Enjoy your porridge, Peter. All of it.

Hijack Alert: Commonwealth Bank Group offers 11% p.a. on Term Deposits for Current Customers!

2006-09-22T01:49:00.000Z

Here's a twist: a "Web Attacker" browser hijack which targets customers of a specific bank. After all, why phish when you can just install a keylogger? Or better yet, install an agent which performs additional transactions while the user is online. Whatever the case, this particular hijack uses a more up-to-date version of Web Attacker than I've seen before (ie0609.cgi). The text of the email lure follows; investigate the links at your own risk. Note that there are two similar domain names in use here (.org and .com).

It seems Commonwealth Bank is doing really well this year, and here we go: 
the highest deposit rate I.ve ever seen in Australia. Just quoting the news I 
found at Wealth Creator Magazine.s website:  
  
If you want competitive returns and you don.t need instant access to your 
cash, you can get a competitive 8.95% p.a. on Term Deposits 
at the Commonwealth Bank for amounts from $3,000 for 12 months, and 10.95% 
for amounts of $5,000 and over.   

We are proud to have you as a member of our bank and would love to offer this 
time-limited Commonwealth Bank.s anniversary rate!   
http://www.wealthcreatorau.org/commpromo.html
  
Isn.t amazing? But they limit the offer to the current customers, that's the 
one sad point. If you are one of them I feel jealous for you.  
  
Again all the details are on the magazine.s portal, the direct link 
to this news: http://www.wealthcreatorau.com/commpromo.html

Hijack Alert: To you there has come a card from Postcard.com

2006-09-20T14:42:00.000Z

This is another "Web Attacker" lure. I don't know for sure if it contains the latest and greatest "VML" vulnerability for Internet Explorer (for which there is as yet no patch), but it doesn't seem to. I don't have a sacrificial Windows system on which to test it, sadly. Anyhow, if you got an email like this and clicked the link, you'd better assume the worst: that some nefarious person now has complete remote control of your computer, and can monitor all that you do on it.

Happy birthday, dear [name]!

20/09/2006 14:23
You have got a postcard with congratulations from the company Post.com.
You can pick it up at http://[domain]/postcard45683.html

Postcard.com

URLs I've seen associated with this hijack:

http://dietcokecn.com/postcard45683.html
http://dreamhill-basset.com/postcard45683.html

Hijack Alert: Email Confirmation for [name]

2006-09-12T15:43:00.000Z

These hijack alerts are starting to become as mainstream as the job scams, and I'll probably give up on reporting them in detail soon. In fact, I don't intend to report this one in detail. It's just another email designed to make the recipient go "OMG!! WTF??" and click on the link. At the other end of the link (after your browser silently navigates through a twisty little maze of HTTP redirects and other obfuscation) is the infamous Web Attacker software, which attempts to compromise your computer through various known browser bugs.

The best way to be safe from this attack at the moment is still, "don't use Microsoft Windows -- at least, not for anything Internet related." Seriously, that's the best advice I can offer, unhelpful as it is. Second best is, "use a browser other than Internet Explorer, and don't ever ever click on links in spam, no matter what." The text of today's angst-inducing lie follows for the benefit of those wise enough to search: square brackets indicate redacted text; visit the URLs at your own peril. Note that in this particular case I received a bounce message, meaning that the spammer in question sent this spam using one of my addresses as the "from" address. There's not a lot you can do to prevent this, so why worry about it?

Date: Tue, 12 Sep 2006 16:59:08 +0200
Subject: Email Confirmation for [name]
Dear [name].

   Thank you for your subscription to http://prismhouse.com/scken4182.html

   You have been billed as KRBILL LLC for the amount of:
   3.95(USD) for 3 days (trial) then 34.95(USD) recurring every 30 days .

   Your new subscription identification number is:573716,

       Your membership access information is:
       Username for your subscription: Skilores
       Password for your subscription: FGyju75u
       E-mail: [name]@[domain]

  Membership website: http://prismhouse.com/scken4182.html

Thank you for choosing KRBill as the eMerchant for your subscription!
Customer Support/Cancel Your Subscription 12/09/2006 16:59

Info: A New Twist on the Lottery Scam?

2006-09-01T06:18:00.000Z

Lottery scams have been around for quite a while, and are so common that I have a blog dedicated to them. The most suspicious thing about lottery scams is that you win a lottery you never entered. The sender usually spins some bull story about how it's your email address that's won, and the sponsor is some benevolent set of corporations that want to promote Internet use. If you believe that sort of thing, you're just plain credulous, I'm sorry to say.

A new variation on the scam which sounds a little more credible has just come to my attention. Rather than tell you you've won a lottery you never entered, they give you a free opportunity to enter a sweepstakes. If you're as cynical as I am, you can guess what happens next: you win the lottery, and it's the same old scam all over again. This is pretty smart from the scammer's perspective. Not only is the whole cover story more credible, but the people who reply and enter the lottery have immediately identified themselves as easy marks.

I won't post a sample in full, since there is too much tracking data in the URLs. Thanks goes to JR for submitting it.

From: "Eligibility Notification " <s.baker@afternooncake.com>
Date: 31 Aug 2006 15:51:43 -0400
Subject: , You Have Been Selected to Win a Million Dollars

WIN A MILLION DOLLARS!
AUDREY SOLARA SWEEPSTAKES DIRECTOR

To Whom It May Concern,

You're one of the authorized individuals who has a chance to WIN $1,000,000!

You've been selected as a candidate to receive this e-mail announcement.
Not everyone has been sent this private message.
To enter our WinAMillion Sweepstakes simply visit the link below.
[etc]

News: Stock spammers charged

2006-08-21T21:30:00.000Z

The US Securities and Exchange Commission has charged a "recidivist securities law violator" and his wife with "orchestrating a fraud scheme to inflate the price of WebSky, Inc., a San Francisco-based penny stock company, using spam email." According to the press release, "the couple pocketed more than $1 million in proceeds as a result of the scam." It should come as no shock to discover that they haven't been entirely honest about things, both in the spam they used to promote the stock, and in their dealings generally. Thanks to The Register for bringing this to my attention. It's always nice to hear of a scammer facing justice.

Meta: Blog Upgrade

2006-08-16T12:19:00.000Z

A quick apology to anyone who was using the Atom feed of this site and just received a bunch of old posts as though they were new. This is a result of my cutting over the blog to an upgraded version that Google are now offering. Hopefully there won't be any other undesirable side-effects.

Phone Scam: Your 1 True Love

2006-08-05T08:41:00.000Z

This is a bit different for me, but this kind of practice peeves me no end. There is a site called "Your 1 True Love" which is apparently targeting Britons and Australians through a Google AdWords campaign. "Predict your one true love," says the ad. "Find your ideal soul mate predicted right down to the name." Obvious baloney, but a harmless bit of fun, right? Wrong: it's a nasty little trap for the unwary.

The page to which the ad links has a form for your name, your mobile phone number, and your date of birth. The button is a pretty graphic that says "YES, I wish to receive my soulmates name" with "and agree to the terms and conditions" in small print underneath. Mobile number? Terms and conditions? I can see where this is going: it's a premium rate SMS scam.

Digging a little deeper into the HTML source for the page, I see there's Javascript code to ensure that the mobile number entered follows the form of either a UK mobile number or an Australian mobile number. I also find a mention of the terms and conditions, but its hidden inside an HTML comment, so you can't see it at all unless you look at the source. The deactivated link goes to a poorly-formatted page which has the following text.

Terms and Conditions Of Service

Your 1 True Love is a subscription based mobile phone service, you must be at least 16 years of age or older and have the bill payers permission.

You will receive a prediction of your true love followed by love predictions. Cost is $5 per message with up to 15 predictions/messages sent to your phone per month.

You can stop subscription at any time by sending stop to 19999003. For full terms and conditions click here.

Note that the "click here" text in the above quote is not a link. I can't tell at this stage what that "19999003" number is about: numbers of that form (starting with "1") in the UK are "Access/Short code" numbers, and the same applies in Australia to the best of my knowledge. In the UK, however, the range starting with "199" is not yet allocated. I have no idea what the state of affairs is in Australia. The number could be completely bogus, I suppose.

Anyhow, this is fairly typical for a premium SMS scam: trick people into "signing up" for an indefinite supply of useless, expensive messages, then suck their phone account dry with it.

I'm not usually one to advocate vigilantism, but in this particular case I think turnabout is fair play: if you find a Google Ad for this particular crowd, be sure to click on it early and often, since they pay per click. Their assumption is that they can make the scam pay, so long as they get enough suckers to "sign up" by submitting their phone number on that form. Go ahead and give them a taste of their own.

The domain name in question is "your1truelove.com", and the registration for that domain is through "Domains by Proxy, Inc." -- for obvious reasons.

Hijack Alert: Monetary prize from Microsoft

2006-07-28T02:46:00.000Z

At first glance, this looks like a lottery scam, but on closer inspection it appears to be a browser hijack attempt. I haven't been able to determine exactly which security hole this is attempting to exploit, but I think it's reasonable to assume two things: first, that it targets Microsoft Windows, and second, that it's a fairly specific security hole being targeted. This second point is in contrast with most of the hijack attempts I've reported here which use the "Web-Attacker" software and test for a substantial range of exploitable holes.

Those who have the technical skills may care to check it for themselves (assuming it remains online for long enough). For the rest, if you are using Microsoft Windows and you clicked on a link in a spam like this, you should assume that your computer has been compromised and have it disinfected ASAP.

Dear Microsoft Consumer!

Within the limits of advertising company Microsoft has played USD 1000000 between the clients. The choice occured in the casual image. On yours e-mail the monetary prize at a rate of USD 52346 has dropped out. To receive it, it is necessary for you to visit ours Resolution Centre and to fill the small form.
Please click here to visit the Microsoft Resolution Centre
Corporation Microsoft congratulates you on a prize and that you and in the further will use our development hopes.

Microsoft Corporation

Misc: You want a link exchange? I'll give you link exchange!

2006-07-26T06:51:00.000Z

This is a funny-sad sort of thing. I've just received the following email.

Dear Webmaster,

My name is Robert Williams, and I run the web site Work At Home Business
Website:

http://www.work-at-home-business-website.com/

I recently found your site http://ideceive.blogspot.com and am very
interested in exchanging links. I've gone ahead and posted a link to your
site, on this page:

http://www.work-at-home-business-website.com/linkmachine/resources/resources_advertising_3.html

As you know, reciprocal linking benefits both of us by raising our search
rankings and generating more traffic to both of our sites. Please post a
link to my site as follows:

Title: Work At Home Business Website
URL: http://www.work-at-home-business-website.com/
Description: Working from home is a dream for many but actually going
ahead and starting a home business is very difficult. Let us help!

Once you've posted the link, let me know the URL of the page that it's on,
by entering it in this form:

http://www.work-at-home-business-website.com/linkmachine/resources/link_exchange.php?ua=_ua9&site_index=MjA5ODQzMQ%3D%3D

You can also use that form to make changes to the text of the link to your
site, if you'd like.

Thank you very much,

Robert Williams

Right. Call me suspicious by nature, but I seriously doubt that this "Robert Williams" has ever laid eyes on my humble blog. Instead, there is strong circumstantial evidence to suggest that this is spam generated by ethically dubious "Linkmachine" software. The "premium" edition of this software "finds potential link exchange partner sites" and "searches websites for contact e-mail address". Can you put two and two together?

As for Mr Williams' work-at-home-business-website and his request for a link, I'm going to oblige him, but not quite on the terms he requested.

Sales pitch mode: on.

Working from home is a dream for many, but actually going ahead and starting a home business is very difficult. Furthermore, there are many scammers out there who would like to sell you a short-cut to a simple and profitable work-at-home business. Such people set up vacuous, junky "work at home" websites, and send spam inviting you to join in. They make outlandish claims about the ability to earn a thousand or more dollars a month without any real effort. If this doesn't scream "scam" at you, you should probably increase your daily dose of scepticism.

Sales pitch mode: off.

Bah! Humbug!

Hijack Alert: Dangerous tuna with increased mercury levels on your local market

2006-07-25T04:09:00.000Z

Here's another spam which is intended to lure the victim to a hostile website armed with Web-Attacker. The modus operandi is identical to that used in the recent "World-Soccer news" attack: the spam contains sensational news, and a link to a website; the website itself is a hastily cobbled-together facade of relevant snippets plagiarised from somewhere or other, heavily obfuscated with Javascript, and includes an IFRAME reference to something that loads Web-Attacker. If you browse this site using a computer that runs Microsoft Windows, you should assume that it has been compromised and have it checked up.

The spam "lure" was as follows (links defanged). Note that the key link is to http://www.protectinnocent.org/register.htm.

We are struggling for the future of our planet, please help us.
Only together we can stand for our nature!

Send a message to the "Environmental Protection Agency and Food and Drug Administration" to improve mercury testing so we can keep tuna safe for our families and for dolphins.

Some of the tuna producers -- particularly in Ecuador and Mexico -- use practices that can hurt or kill dolphins and catch tuna with increased mercury levels.

Sign for it - help yourself and thousands of other lives.

One another way you can help us is to send this letter or the link to our website: http://protectinnocent.org/register.htm- to all people you know.

2006 Help Dolphins

The domain "protectinnocent.org" is a ruse: it was registered on 20-Jul-2006 at 09:57:27 UTC. The domain name configuration for this is unusual, and worth mentioning in passing. There are five nameservers, named "dnsN.name-services.com", where N ranges from 1 to 5. At time of writing, these have the following addresses.

dns1.name-services.com. 3600    IN      A       69.25.142.1
dns2.name-services.com. 3600    IN      A       216.52.184.230
dns3.name-services.com. 3600    IN      A       63.251.92.193
dns4.name-services.com. 3600    IN      A       64.74.96.242
dns5.name-services.com. 3600    IN      A       70.42.37.1

Each of them is reporting SOA serial number 2002050701, so they should all contain identical records, but when queried for "A" records for "www.protectinnocent.org", they respond with five different answers: 69.25.142.3, 216.52.184.240, 63.251.92.195, 64.74.96.243, and 216.52.184.240 respectively. With the exception of the fifth response (which is a repeat of the second), all the address records are close neighbours of their respective nameservers. None of the address records have corresponding PTR entries, but all are ultimately under the control of eNom, which is also the registrar through which "protectinnocent.org" was registered.

I think that all we can learn from this is that eNom uses dodgy DNS tricks to distribute load on their mirrored webservers.

Ultimately "protectinnocent.org" is just a side-show, anyhow. The real "sting" comes from the IFRAME which loads http://www.web12.ws/go.php. That, in turn, is just a "302" redirect to http://www.web12.ws/cgi-bin/ie0606.cgi?homepage, which is a "302" redirect to http://www.web12.ws/demo.php, which is a hideously obfuscated piece of Javascript that expands out to the Web-Attacker "which browser with what exploitable security holes am I running on?" script. From there, other scripts are launched to actually exploit whatever security holes are available, if any.

It will come as no surprise that "web12.ws" was also registered through eNom, on 2006-07-21 08:47:45. The address for "www.web12.ws" is currently 66.36.231.123, which doesn't have a PTR record, and WHOIS reports as allocated to HopOne Internet Corp.

I have to admit that the technique used by the culprits here is pretty sly. If I complain to HopOne that they are sheltering a Web-Attacker user, they might close down the account. (In my stern opinion, they should be pro-active enough about detecting this sort of abuse that I shouldn't need to complain, but the operators of such businesses tend to be concerned with profits, not the general welfare of mankind.) Should the account be closed, however, the culprits can simply adjust their "protectinnocent.org" site to just wrap another target -- one which may already be set up and ready to go.

It's probably more effective to complain about the "protectinnocent.org" site itself, since the closure of that domain name would result in the need for a fresh spam run. Persuading a registrar that a domain name is being used maliciously is no simple task, unfortunately. Even so, eNom seem to have a decent web-interface for submitting such complaints, so I've done my duty.

Job Scam: riverpartners.net

2006-07-22T08:06:00.000Z

The rats behind the "River Partners" job scam have switched domains from "river-partners.net" (documented earlier) to "riverpartners.net". See a spam sample (or two) at Suckers Wanted. As usual, only one of the nameservers is respondong to requests. The results of the query can be seen below for reference, bearing in mind that the very small "time to live" values mean that this data will become obsolete rapidly.

; <<>> DiG 9.3.1 <<>> A riverpartners.net @66.109.17.68
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50463
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;riverpartners.net.             IN      A

;; ANSWER SECTION:
riverpartners.net.      1800    IN      A       24.99.224.131
riverpartners.net.      1800    IN      A       70.240.216.34
riverpartners.net.      1800    IN      A       71.64.201.226
riverpartners.net.      1800    IN      A       74.135.163.127
riverpartners.net.      1800    IN      A       89.55.168.153

;; AUTHORITY SECTION:
riverpartners.net.      1800    IN      NS      ns1.serv-names.com.
riverpartners.net.      1800    IN      NS      ns2.serv-names.com.

;; ADDITIONAL SECTION:
ns1.serv-names.com.     1800    IN      A       66.109.17.68
ns2.serv-names.com.     1800    IN      A       72.9.1.151

;; Query time: 243 msec
;; SERVER: 66.109.17.68#53(66.109.17.68)
;; WHEN: Sat Jul 22 08:02:56 2006
;; MSG SIZE  rcvd: 197

Phish of the Day: Fifth Third Bank

2006-07-21T11:43:00.000Z

This is another phish which appears to be sent by the employment scam rats. The actual link is to http://www.53.com.wps.portal.secure.belyhw.info/r1/context/. Note that the domain "belyhw.info" was registered 20-Jul-2006 13:10:44 UTC (less than 24 hours ago at the time of writing).

Phish of the Day: Suncorp

2006-07-20T03:37:00.000Z

This phish links to http://suncorpmetway.com.au.korinc.org/r1/doconfirm/ (note that it's a subdomain of "korinc.org") and uses the same filter-buster as the phish reported immediately prior to this one. The overlap in the domain name used for the phish ("korinc.org") proves beyond reasonable doubt that the same scammers are behind these phishing attacks.

Phish of the Day: Macquarie Bank

2006-07-20T03:14:00.000Z

I don't usually bother reporting phish, but this one appears to be from the same rats that are bringing us the current spate of employment scams. The image in the spam is a link to http://www.macquarie.com.au.retail.customercare.korinc.org/r1/conf/ (note that it's a subdomain of "korinc.org", registered 17-Jul-2006 19:29:25 UTC). The aspect which suggests a tie back to the employment scam rats is the pattern of filter-buster text used in conjunction with the image: "are but, how best you, very good best why of" and so on. This is the same pattern as reported earlier for various job scams.

In case you're not familiar with why these would be sent by the same gang, the scam goes like this. The rats gain access to various online bank accounts by sending out phishing spam. Then they send out employment spam which involves other parties acting as "payment processors". Using their ill-gotten access to online bank accounts, they transfer money from the phishing victims to the employment scam victims. The employment scam victims then forward the money via Western Union or Money Gram, and the rats have their profit. Meanwhile, the phishing victim finds that his money has gone to the employment scam victim, and they get to argue over who gets their money back.

Job Scam: river-partners.net

2006-07-20T02:39:00.000Z

A new name has turned up today in the ongoing magical morphing job scam series. This one calls itself "River Partners Inc", and currently uses the domain name "river-partners.net", but River Partners bears a striking similarity to Trigon Partners. Could it be the same rat behind the curtain again? Why wouldn't it be? The spam text is archived at Suckers Wanted.

Here's the DNS information about "river-partners.net" at this time. As is typical for these guys, only one of their nameservers was responding to queries.

; <<>> DiG 9.3.1 <<>> A river-partners.net @66.109.17.68
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56760
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;river-partners.net.            IN      A

;; ANSWER SECTION:
river-partners.net.     1800    IN      A       69.243.77.246
river-partners.net.     1800    IN      A       82.49.125.97
river-partners.net.     1800    IN      A       82.237.121.9
river-partners.net.     1800    IN      A       24.99.224.131
river-partners.net.     1800    IN      A       65.184.136.225

;; AUTHORITY SECTION:
river-partners.net.     1800    IN      NS      ns1.serv-names.com.
river-partners.net.     1800    IN      NS      ns2.serv-names.com.

;; ADDITIONAL SECTION:
ns1.serv-names.com.     1800    IN      A       66.109.17.68
ns2.serv-names.com.     1800    IN      A       72.9.1.151

;; Query time: 231 msec
;; SERVER: 66.109.17.68#53(66.109.17.68)
;; WHEN: Thu Jul 20 02:52:11 2006
;; MSG SIZE  rcvd: 198

If anyone has corresponded with these scammers, please forward it to me or post it here so that I can aggregate the information.

Job Scam: Several, but the same rat behind the curtain

2006-07-18T04:39:00.000Z

Oh dear, the job scams are coming thick and fast at the moment. In the past six hours or thereabouts, I've received employment offers from "Swiss Invest, Ltd" (http://swiss-invest-ltd.biz/html/index.php?sect_id=6), "UK Modulus Invest Co." (http://modulus-uk.biz/), and "Global Austrian Syndicate" (http://gas-limited.org/html/index.php?sect_id=5). We've seen all these names before, although the associated domains keep changing.

What's worth noting is the striking similarities between these three scams, as well as the differences between different spams for the same entity, which makes all three look like the work of a common scammer/gang. The "Global Austrian Syndicate" spams, for example, sometimes use an image instead of text, but sometimes use plain text. In a recent instance where they used an image for the body, they also used a bunch of meaningless "filter-buster" text: "best from do you but very good why" and so on. This same pattern of filter-buster was used a little while before that in a "Swiss Invest, Ltd" spam.

Other similarities include the style of the image when images are used instead of text, and the use of botnets to host (or proxy-host) the actual website. Lastly, they all want you to act as a "Financial Manager" dealing "with private individuals", and accept direct transfer of funds to your account then forward the money via Western Union or Money Gram after deducting a percentage: 6% for "Swiss Invest, Ltd", 8% for "Global Austrian Syndicate" and "UK Modulus Invest Co". So ultimately it's exactly the same scam in every case: they send you stolen money, and you send them your money. The easily-traced stolen money (and the police force that follows it) is then your problem, not theirs.

Hijack Alert: talian pensioner dies hoisting flag for final game

2006-07-13T11:48:00.000Z

Here's another instance of "sensational news" being used as bait to lure people to a website armed and loaded with Web-Attacker, a piece of software designed to compromise computers and place them under the control of another party. The spam itself looks like so.

World-Soccer News

"World-Cup'2006 Germany" scandals and afterparty news!

July 9-10:

Italy lift Cup, bitter end for Zidane

Italy lifted the World Cup for the fourth time on Sunday, beating France on penalties in a match that will be remembered for Zinedine Zidane's sending off for butting an opponent..

Italian pensioner dies hoisting flag for final

A 77-year-old Italian pensioner fell off a ladder and died as he tried to attach Italy's flag to a pole ahead of Sunday's World Cup final against France...

Italy welcomes diversion of Azzurri glory

Hundreds of thousands of Italians gathered on Monday in Circus Maximus, one of ancient Rome's most famous stadiums, to fete their...

Wor ld-Cup reaches climax with Italy-France final
The world's most-watched sporting event reaches its climax on Sunday when Italy take on France in the World Cup final in Berlin.

Fresh news and more - on World-Soccer News!

Send
This link to your friends!

© 2006 World-Soccer

Note the invitation to mail the link to your friends. Spread the disease, if you please, except that the link there is "world-of-soccer.org" for some reason. Anyhow, the trail is fairly typical for this sort of thing. The "world-of-soccer.biz" (and ".org") website uses frame-wrapping to hold "http://soccer-2006germany.com/". That site in turn starts with a tremendously obfuscated piece of Javascript which ultimately produces a page of soccer-related information.

Unbeknownst to the casual viewer, however, it also loads two invisible frames which incorporate Web-Attacker. One is at http://www.soccer-2006germany.com/go.php, and the other is at http://www.extechweb.com/go.php. These ultimately redirect to Web-Attacker's attack-mode script. The statistics screen for the Web-Attacker instances can be found at http://www.soccer-2006germany.com/cgi-bin/ie0606.cgi and http://www.extechweb.com/cgi-bin/ie0606.cgi, respectively. You'll have to guess the password to do anything useful beyond that point, however.

Job Scam: Trigon Partners Inc (trigonpartners.net)

2006-07-07T06:20:00.000Z

The on-going series of job scams currently using the name "Trigon Partners" has performed another domain name switch. Their domain "trigonpartners.com" has been nuked, and now they're using "trigonpartners.net" (registered 30-Jun-2006). Other than that, the scam remains active and the details remain the same.

As often happens, only one of their nameservers was responding to queries. Here's what it said about address records at "trigonpartners.net" when I asked.

; <<>> DiG 9.3.1 <<>> A trigonpartners.net @72.9.103.51
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18924
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;trigonpartners.net.            IN      A

;; ANSWER SECTION:
trigonpartners.net.     1800    IN      A       74.135.163.127
trigonpartners.net.     1800    IN      A       81.184.137.110
trigonpartners.net.     1800    IN      A       172.186.43.167
trigonpartners.net.     1800    IN      A       66.41.110.65
trigonpartners.net.     1800    IN      A       67.164.129.195

;; AUTHORITY SECTION:
trigonpartners.net.     1800    IN      NS      ns1.winter-day.com.
trigonpartners.net.     1800    IN      NS      ns2.winter-day.com.

;; ADDITIONAL SECTION:
ns1.winter-day.com.     1800    IN      A       72.9.103.51
ns2.winter-day.com.     1800    IN      A       154.37.3.12

;; Query time: 407 msec
;; SERVER: 72.9.103.51#53(72.9.103.51)
;; WHEN: Fri Jul  7 05:35:01 2006
;; MSG SIZE  rcvd: 198

Fraud: ghanaglorymission@yahoo.ca

2006-07-05T15:45:00.000Z

This one doesn't get posted to the 419 files, because it's not advance fee fraud. Rather, it's just a bogus charity, or safe to assume so. It tends to be the career crooks who are well-versed in the art of spamming, after all.

Oh, and if Yahoo!'s spam filtering is so darn good, then why can't they use it to prevent outgoing spam, hmm?

Dear brothers and sisters in the lord Jesus Christ, Ghana glory mission cordially invite you for the building of our Lords house in area of OSU in Ghana which worth of $4ooooo. Brethren come let contribute to the lord, so that we can win many souls for Christ Jesus in area of OSU and environs which were full of calamities, sexual immoralities, smoking of cocaine worshiping of ideal etc. ;

Matthew 4. 1 � 22: Jesus said to they come with me, and I will teach you to catch Men. Brethren read this quotation

Matthew. 16 .18, 1 peter 2. 4-10, Matthew

Brothers and sisters people of OSU in Ghana are in darkness, help by contacting us.

Telephone: 00233246314149

Email: ghanaglorymission@yahoo.ca

Prayer for every child of God that receive it, that the lord message may continue to spread rapidly and be receive with Honour as it was among you and pray also that God will rescue us from wicked and evil people, for not everyone believe the message. But the lord is faithful and he will strengthen you and keep you safe from the evil ones And we are sure that you are doing and will continue to do what we tell you, may he lead you into a greater position and understand of Gods love and the endurance that is given by Christ Jesus. ( 2 thessalonians 3:5 )

Thank you and God bless you for your concern

Be smarter than spam. See how smart SpamGuard is at giving junk email the boot with the All-new Yahoo! Mail

Job Scam: Trigon Partners Inc (trigonpartners.com)

2006-07-05T05:27:00.000Z

I note in passing that there is a new name being used in an on-going string of employment scams, seemingly run by the same person or people. We've had such previous identities as "Adams Green", "Global Austrian Syndicate", and "Swiss Invest"; now we have "Trigon Partners Inc" with domain name "trigonpartners.com" (registered on 30-Jun-2006 for one year). The spam contained text as an image, and linked to http://trigonpartners.com/vacancies_form.html. I've attached a screenshot of that site as it appeared when I browsed it a short while ago.

As per the usual, the website is hosted on (or behind) a botnet. The nameservers for the domain are currently 72.9.103.51 and 154.37.3.12, of which only the former responded to my queries. I actually did two queries for "A" records at "trigonpartners.com" with slightly different results. The second result was as follows.

; <<>> DiG 9.3.1 <<>> A trigonpartners.com @72.9.103.51
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24045
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;trigonpartners.com.            IN      A

;; ANSWER SECTION:
trigonpartners.com.     1800    IN      A       68.116.254.150
trigonpartners.com.     1800    IN      A       74.135.163.127
trigonpartners.com.     1800    IN      A       172.204.41.101
trigonpartners.com.     1800    IN      A       24.99.224.131
trigonpartners.com.     1800    IN      A       66.41.110.65

;; AUTHORITY SECTION:
trigonpartners.com.     1800    IN      NS      ns1.winter-day.com.
trigonpartners.com.     1800    IN      NS      ns2.winter-day.com.

;; ADDITIONAL SECTION:
ns1.winter-day.com.     1800    IN      A       72.9.103.51
ns2.winter-day.com.     1800    IN      A       154.37.3.12

;; Query time: 412 msec
;; SERVER: 72.9.103.51#53(72.9.103.51)
;; WHEN: Wed Jul  5 15:48:16 2006
;; MSG SIZE  rcvd: 195

The first query response was different in that it included 81.184.137.110 instead of 74.135.163.127. This is fairly typical for a botnet: the "time to live" values are set at 1800 seconds (30 minutes) so that the records can be adjusted rapidly, compensating for computers in the botnet being turned off and on unpredictably.

I'm not going to bother mapping those addresses back to ISPs on this occasion. I just wanted to mention the new name, to give everyone a "heads up". If you want to see the spam image-text as received, it's archived over at Suckers Wanted.

Info: About Job Scams

2006-07-04T05:55:00.000Z

Job scams have been around for a while, but they've now reached a level of maturity where I feel I can describe them as a whole, rather than comment on each scam individually. I'll provide that general description here, so if you get a job offer that seems suspicious, you can compare it against my checklist.

The absolute common element of all job scams is the job offer. The job offer may arrive by spam, or it may be posted on a "legitimate" employment website (to the extent that such a website can be called "legitimate" when it fails to check the legitimacy of job ads posted there). Someone wants to offer you a job: typically the job requires no special experience, simple work, and good pay. Job scams are bait on a hook, so expect the job offer to look attractive.

There are, by and large, three possible job scam scenarios: pyramid schemes, advance fee fraud, and mules. I'll now describe the details of each of these scenarios.

Pyramid Schemes

The pyramid scheme job scam has been around on the Internet for quite a while, and they're no longer as common as they once were. These are also known as MMF (for "Make Money Fast") schemes. They're very easy to identify: the email or website pushing the scheme invariably raves on and on about how this may seem impossible but it really works, I didn't believe it but I tried it anyway and now I'm raking in tens of thousands of dollars per month, testimonial, testimonial, rave, rave, hype, hype, and so on.

If you read the thing long enough (there is invariably a LOT of hype to wade through before you hit the actual details), you find that the process involves buying a kit of some sort from this seller (a "marketing kit" is a popular term, or "how to sell on the Internet", or similar). This kit is fundamentally worthless junk, but you make money by on-selling it to others. It's basically a chain letter with a worthless product thrown in the mix to make it look more like a sale.

Key identifying features of a pyramid or MMF scam:

Lots of hype about how it really works. Lots of CAPITAL LETTERS and exclamation marks!!!!! IT REALLY WORKS!!!!!
Lots of testimonials from people who went from debt-ridden poverty to affluence by using this scheme. Is any of it true? Who can tell?
Absolutely insane text sizes, colours, decorations, highlights, fonts, and layout. Every word on the page must SCREAM at you. They're trying to convince you to buy a MONEY TREE here!
There is an up-front cost involved. Note well what this up-front cost is, because that's the nature of the business. Anyone who joins will make it their business to obtain this up-front payment from others.

FYI, a contemporary MMF spam can be found at my "Suckers Wanted" blog.

Advance Fee Fraud

Advance fee fraud usually comes in the form of a Nigerian 419 scam or lottery scam, but sometimes employment scams are used. In the advance fee fraud employment scam, you are offered a wonderful well-paid job with little or no experience required. If you apply, you are then short-listed for the job, and they ask you to send personal identification (such as a photocopy of your passport) and fees to pay for certain expenses involved in processing your application. If you willingly pay those fees, then there will be some excuse or another why you have to pay more fees, or pay the same fee again using a different method. Always more and more fees to pay, and no job, ever! The job is just a big lie: it's bait on the hook of advance fee payment.

Key identifying features of an advance fee fraud job scam:

Your would-be employers are overseas. This kind of fraud is best carried out across national boundaries, so that police action becomes difficult to arrange.
You qualify for the job, but in order to proceed, you need to send us MONEY.
Your would-be employers probably want personal details as well. This not only makes them look official, but helps them engage in identity fraud, perhaps obtaining a loan in your name.

For a striking example of this kind of fraud, see the case of Starline Cruise, and also reports relating to fake corporate flight attendant job offers.

Mule Recruitment

And now, to the major issue: mule recruitment. This is possibly the most insidious form of job scam, because it really does look like paid work. There are two major variations on the scam: money mules, usually employed by phishing gangs, and goods mules (also known as reshippers), usually employed by Nigerian scammers. In both of these cases the catch is that the money or goods are stolen, unbeknownst to the mule. Thus the mule is unwittingly dealing in illegal activity.

In the case of a money mule job, the job offer will typically involve "payment processing", "escrow", or a "financial manager" role. The employee is to accept direct deposits into his bank account, and make out payments via a wire service such as Western Union. The inbound payments may also involve some other means, such as payment by cheque, if the recipient lives in a country (such as the USA) in which it's relatively easy to fool someone into accepting a fake cheque. (The cheque appears to "clear", but the bank later reports that the cheque is a fake, and takes the money back out of your account.) outbound payments, on the other hand, are almost invariably made by Western Union or Money Gram wire transfer services. These are hard to trace, and can't be reversed (unlike direct deposits or cheque payments).

Key identifying features of a money mule job scam:

The job offer comes from an overseas company that wants your assistance to do business in your country.
The job involves "payment processing" or "escrow": accepting money in one form, then sending it (minus a cut) to your employers via Western Union or Money Gram. This is the key risk, since the incoming payments may be fraudulent or stolen, and are liable to be reversed. Money sent via Western Union, on the other hand, is Gone For Good.

The last variation, that of the goods mule, is less common but just as dangerous. (Thanks go to Snopes for documenting it.) In this case, the employee is a "shipping manager" or similar, and the job involves being a middle-man for purchased goods. The employer arranges for goods to be delivered to the employee, and the employee is responsible for sending these goods back to the employer by bulk freight, usually to Africa, and usually on the pretext that this process saves money over having all the goods shipped individually. It sounds plausible, but the problem is that the goods are usually being obtained fraudulently, such as by credit card fraud. Handling fraudulently obtained goods in large quantities isn't a great career move.

Key identifying features of a goods mule job scam:

The job involves receiving goods, and forwarding them somewhere outside your local legal jurisdiction, usually Africa. This is a bad idea, because you're assisting in the transfer of stolen or fraudulently obtained goods.
Unlike the other job scams which involve no payment at all, or deduct payment from money handled, this kind of job will be paid in a somewhat traditional manner.

General Tips

General tips for avoiding job scams:

Assume that any job offer which arrives by unsolicited email is a direct attempt to defraud you (and thousands of others, no doubt).
Beware of jobs that promise great rewards for no special skills: they're bait on a hook.
Beware of temptation: promises of money raining down on you, or fast easy bucks, or luxurious work conditions. These are also bait on a hook.
Beware of overseas employers. If they're not within reach of your local police force, there's not going to be much you can do if and when they rip you off.
Beware of jobs which involve being a middle-man, especially a middle-man between people inside and outside your national boundaries. You'll probably be acting as a buffer zone between the criminals who hired you, and the police who are tracking down their illegal activity.
Beware of jobs which involve sending money overseas via Western Union. The modern scam artist prefers to receive money this way, because it's hard to trace and recover. If you're the sucker who made the payment via Western Union, it's likely to be your money that the crook obtains. Payments made to you, on the other hand, will have a distressing habit of being reversed at a later date.

Meta: Job Scam postings moved to new blog

2006-07-04T05:40:00.000Z

Job scams have been the bread and butter of this blog for a while, but they've become sufficiently "mainstream" that I'm now relocating them to a dedicated blog, "Suckers Wanted". Like the other sub-blogs, this will aim for quantity of reportage over depth of analysis: I will forward as many job scams as I can to the blog, but not comment on them unless they genuinely warrant special attention.

Job Scam: redefinezim@aol.com

2006-07-03T05:38:00.000Z

Scams like this seem to be getting more common and simple. Any job where you are a middle-man leaves you vulnerable if the incoming funds/goods are stolen or fraudulent. Jobs like this just set you up to rip you off.

Hi Ideasymedios!
We are an international escrow company.
Now we are looking for a new partners.


You can earn some money - do not lose this opportunity!


It is easy and completely free for you.


Please contact us for more details: redefinezim@aol.com

Best wishes,
Rosanna Earl
++++++++++++++++++++++++++
Sun, 2 Jul 2006 19:14:11 -0500




bulkhead dahl
celandine arrhenius
cocktail canberra
coach alkaloid bask corcoran
augur coronet

Info: A New Kind of Money Mule Scam

2006-07-02T11:20:00.000Z

Here's a new twist on a well-established scam: take note and add it to your list of "behaviour that should make me suspicious". This information is gleaned from a post over at ScamFraudAlert. It's a variation on the "payment processor" job, where you wind up being stung in exactly the same way without ever becoming an "employee". The scam goes something like the following.

Excellent offer on some kind of goods arrives via spam.
Victim is lured to the scammers website by the offer, and decides to buy something, since the prices are unbeatable. Victim divulges credit card details to the fraudsters at this time: this is bad move #1, but there is no immediate fraud on the card.
Fraudster contacts victim saying that the credit card payment system is down, and they aren't sure whether the payment went through or not, but offers a refund just to be sure. This refund is actually stolen money, transferred out of a compromised third party Internet banking account. Victim does not know this and accepts the refund, thinking that this is first-rate service.
Fraudster then suggests to victim that some other means of payment might be better, such as Western Union. You all saw that coming, didn't you? The fraudster offers to deduct the cost of the money transfer from the transaction, so the victim feels like he's not paying any extra.
After a while there is no sign of the goods arriving, but the bank does notice that the funds transferred during step #3 were stolen. They reverse the transaction, so the victim is now officially out of pocket. The fraudsters keep whatever money was sent to them via Western Union, and they have the victim's credit card details as a bonus.

Lesson number one in this should be "never under any circumstances purchase from someone who adertised to you using spam".

Job Scam: Global Austrian Syndicate (gas-ltd.info)

2006-06-29T17:22:00.000Z

The Global Austrian Syndicate job scammers have reincarnated again: at last report, they were "gas-limited.com"; now they're "gas-ltd.info". They've also started sending their spam as plain text! What's up guys? Too many people blocking on image attachments? Whatever the case, the job remains the same: send stolen money overseas via wire transfer service until the police arrest you for it.

At the time of writing, the one nameserver for the domain which was responding (at 207.210.93.181) gave the following answer to an address query.

; <<>> DiG 9.3.1 <<>> A gas-ltd.info @207.210.93.181
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48651
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;gas-ltd.info.                  IN      A

;; ANSWER SECTION:
gas-ltd.info.           1800    IN      A       172.184.3.151
gas-ltd.info.           1800    IN      A       172.210.81.133
gas-ltd.info.           1800    IN      A       213.103.251.238
gas-ltd.info.           1800    IN      A       64.53.175.197
gas-ltd.info.           1800    IN      A       84.58.57.238

;; AUTHORITY SECTION:
gas-ltd.info.           1800    IN      NS      ns2.get-site.com.
gas-ltd.info.           1800    IN      NS      ns1.get-site.com.

;; ADDITIONAL SECTION:
ns1.get-site.com.       1800    IN      A       207.210.93.181
ns2.get-site.com.       1800    IN      A       204.21.41.81

;; Query time: 222 msec
;; SERVER: 207.210.93.181#53(207.210.93.181)
;; WHEN: Thu Jun 29 17:33:40 2006
;; MSG SIZE  rcvd: 190

Reverse DNS lookups on the addresses yield "ACB80397.ipt.aol.com", "ACD25185.ipt.aol.com", "d213-103-251-238.cust.tele2.fr", "d53-64-197-175.nap.wideopenwest.com", and "dslb-084-058-057-238.pools.arcor-ip.net", respectively. Neither of the nameservers yield reverse DNS names: do your own "whois" lookup if you care.

Spam text is copied below, because it is text this time. By the way, they are lying outright when they say, "Your email was given by 3rd party website www.jobs-in-europe.net on our request". The email address to which this was sent appeared as a contact address on a website some years back, and hasn't been used for any other purpose. It's a spamtrap address now: spammers are the only ones still sending anything to it.

Hello

My name is Francois Veillon I am the manager of a Human Recourses department of Global Austrian Syndicate (GAS).
I’d like to offer a perfect vacancy for you. The vacancy of a Financial manager working with private individuals.

Let me give you some facts about our company first:
Global Austrian Syndicate (GAS) was registered back in 1993. The primary focus of Global Austrian Syndicate is international finance services, mainly through the Internet and other communicative channels. The corporation is interested in working on the markets of all countries without exceptions and sees promotion of its services through the network of representatives (independent investment consultants) working as private individuals or resident company employees as most effective. We also provide a full range of financial services to companies and to individuals as well. Additionally, we grant credits to individuals and companies on the international level, and this list of our services and opportunities is far from being complete.

So today, we are glad to offer you to:
- become a part of our company
- join a team of highly qualified specialists
- get a prestigious part time job
- earn a real fortune

The main advantages of working as a Financial manager dealing with private individuals are:

- You don’t need any experience or specific knowledge
- You don’t need to make any advance payments
- This job won’t take much of your time.

Your range of duties will include:
- Receiving payments for the ordered stocks and bonds from the Global Austrian Syndicate clients (private individuals) to your bank account
- Withdrawing the funds and transferring them further to our brokers in one of the countries where the desirable stocks and bonds should be bought

The transfer should be done by the means of Western Union or Money Gram services to fasten the process of the delivery of the funds.
Your SALARY is 8% commission out of every deposit that you receive to your bank account.

If you are interested in this job and would like to get more information, you are welcome to visit our website:

http://gas-ltd.info/html/index.php?sect_id=5

Or you can just write an email to us, and our managers will give a prompt and competent reply.

We are looking forward to working with you!
Your email was given by 3rd party website www.jobs-in-europe.net on our request, as you or someone else subscribed to a job opportunities newsletter.
I apologize if this email reached you by mistake. In that case, please be so kind to delete it.

Yours faithfully Francois Veillon

Job Scam: job-alert.net

2006-06-28T05:48:00.000Z

Why settle for a single job scam when you can set up an entire website for recruiting willing suckers? The spammers who have just registered "job-alert.net" (on 22-Jun-2006) and spamvertised it -- directly to the contact address for this blog, no less -- were probably thinking along those lines. The same spammers also appear to be using the domain "jobalertsvc-vac.com" (registered 26-Apr-2006), since all the "job-alert.net" website does at the moment is frame-wrap the "jobalertsvc-vac.com" site. There is also mention of "jalert.net" (registered 07-Jun-2006) on the page, but that domain is not currently resolving to any address or other useful record.

I don't know what specific jobs these guys are offering, but I'll wager my pound to your penny they're the sort that gets the worker on the wrong side of the law. But hey -- they're offering free tee-shirts!

Sir\Madam,

www.Job-Alert.Net - is a mail based recruitment business. It offers employers a genuine recruitment function that combines the candidate capture function and the human resources function of a recruitment agency. You just need to fill in a form and our representatives in your country will send you an e-mail when a position that interests you becomes available.

All operations are made manually, in order not to bore you with automated robot-search results. So, take your time to enter correct and detailed information about yourself.
Process is divided into steps. You can proceed with the first step by providing us with necessary information:
Job Alert First-step registration form here.
You will get your personal instructions for the last two steps by e-mail, as soon as possible.

Futhermore, everyone will get a FREE T-shirt of any size with Job-Alert.net logo and your Initials printed on it! We assure you, that every person who will find a job with our help will receive FREE Job-Alert.net T-shirt.

Thank you for your time.
Job-Alert.Net Team.

Job Scam: job@easternbridge.info

2006-06-27T13:41:00.000Z

This is just a repeat of an earlier job scam spam with new contact details.

From: dodie flynn <terryhoskins@speedingbits.com>
Date: 27-Jun-2006 18:07
Subject: Open Vacancy
To: isabelle ramsey <ideceive@gmail.com>

 How many times did you think of giving up your
 permanent job and join another "good looking"
 work-at-home scheme? And how many of them were
 successful? Did you earn more than $5000 a month with
 them? NO? Then you have an opportunity right now and
 right here!

 We made it possible for you to get a real part-time
 job in a world of transportation business and control
 your income on your own! We will never ask you about
 your credit rating and never put any inquiries to your
 credit profile. This is business of partners, we don't
 take, we give you this opportunity

 You can become our Representative and take part in a
 stunning world of financial operations. No more
 up-front costs or tricks. A steady income is just a
 click away! The best thing it all depends on you.

 Being a long-established solid corporation we
 understand how important it is to provide our customers
 the best possibilities and support. We always try our
 best to be cooperative and customer-friendly, you can
 call or email us any time and ask a question if
 something is not clear.

 Get involved in a great transportation business, and
 start making money in just a few clicks. You will make
 a fixed amount ($30) out of every shipped product. The
 usual product quantity range from 10 to 100 packages a
 month. This is not a dream, you enter a serious market!
 A unique opportunity where your income depends on you!

 More information \ apply \ send your resumes to: job@easternbridge.info

 bird bolt arc transmitter gutta sundik
 flower-shaped Chaldee church seat board
 well-aware shot effect pleasure principle
 well-gathered Indo-malaysian donkey puncher
 apple mint apron conveyer fleecy-white
 call-down ward hill self-complacential
 yerba reuma accretion cutting sword blade
 brick archer tree-goddess best-principled

Job Scam: Global Austrian Syndicate (gas-limited.com)

2006-06-26T18:26:00.000Z

The "Global Austrian Syndicate" crooks are at it again. They've done the same thing before with gas-ltd.biz and gas-ltd.cn, and recently they wore a different hat with adamsgreen.org. Those domains have all been neutered, so this time they're back with "gas-limited.com". Specifically, this spam links to http://gas-limited.com/html/index.php?sect_id=5.

At the time of writing, the one nameserver for the domain which was responding (at 207.210.93.181) gave the following answer to an address query.

; <<>> DiG 9.3.1 <<>> A gas-limited.com @207.210.93.181
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56905
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;gas-limited.com.               IN      A

;; ANSWER SECTION:
gas-limited.com.        1800    IN      A       70.239.73.247
gas-limited.com.        1800    IN      A       81.101.95.9
gas-limited.com.        1800    IN      A       201.151.39.83
gas-limited.com.        1800    IN      A       24.12.203.230
gas-limited.com.        1800    IN      A       69.81.155.153

;; AUTHORITY SECTION:
gas-limited.com.        1800    IN      NS      ns2.get-site.com.
gas-limited.com.        1800    IN      NS      ns1.get-site.com.

;; ADDITIONAL SECTION:
ns1.get-site.com.       1800    IN      A       207.210.93.181
ns2.get-site.com.       1800    IN      A       204.21.41.81

;; Query time: 222 msec
;; SERVER: 207.210.93.181#53(207.210.93.181)
;; WHEN: Tue Jun 27 04:36:58 2006
;; MSG SIZE  rcvd: 190

I'm leaving it as an exercise to the reader to determine whether the addresses returned in this query are customer systems on broadband networks, as has been the case in times past. (Hint: yes, they are.)

Job Scam: Adams Green, Inc. (adamsgreen.org)

2006-06-24T17:39:00.000Z

From the scumbags who brought you Global Austrian Syndicate (twice) and Swiss Invest before it, it is iDeceive's dubious honour to present "Adams Green, Inc." The scam is the same: only the names have been changed to victimise the innocent. We have the same text-as-image spam, with the same layout, using the same modus operandi. This time the domain is "adamsgreen.org", the contact calls himself "Andrew Thomson", and "there are 5 openings for a representative to assist in creation our virtual local presence for the back office functions."

According to "whois" records, the domain "adamsgreen.org" was registered for one year on 21-Jun-2006. The nameservers for the domain are currently 72.232.71.90 (network space of Layered Technologies, Inc. -- they're popular with these spammers), and 154.37.3.12 (network space of Performance Systems International). Both these providers have prominent abuse-reporting addresses, and I'll notify them immediately.

At the time of investigation, "adamsgreen.org" resolves to the following addresses (and reverse name lookups): 74.131.72.24 (DHCP-74-131-72-24.insightbb.com), 69.62.158.34 (34.158-62-69.ftth.swbr.surewest.net), 69.203.157.76 (cpe-69-203-157-76.si.res.rr.com), 71.56.93.164 (c-71-56-93-164.hsd1.ga.comcast.net), and 71.57.30.8 (no rDNS; whois says Comcast Cable Communications Holdings, Inc ILLINOIS). Once again, these all look like ISP broadband customer addresses, thus suggesting the use of compromised PCs in private homes and businesses. Also, the time-to-live value on the DNS records is set to thirty minutes, so the addresses can be updated fairly rapidly if needs be.

The spammers have screwed up this message, however: the HTML links to http://www.adamsgreen.org/index-2.html, but the sub-domain "www.adamsgreen.org" doesn't exist! They were supposed to leave off the "www" part. I'm sure they'll rectify their error in the near future when they figure out why it's not working.

Job Scam: job@westbcompany.org

2006-06-24T07:47:00.000Z

Would you like a short term position handling stolen money and fraudulently acquired goods? Would you like to be asked awkward questions by the police about why you are doing so? Would you like your bank account frozen, and the possibility of facing criminal charges? Yes? Then maybe this job is for you!

How many times did you think of giving up your
permanent job and join another "good looking"
work-at-home scheme? And how many of them were
successful? Did you earn more than $5000 a month with
them? NO? Then you have an opportunity right now and
right here!

We made it possible for you to get a real part-time
job in a world of transportation business and control
your income on your own! We will never ask you about
your credit rating and never put any inquiries to your
credit profile. This is business of partners, we don't
take, we give you this opportunity

You can become our Representative and take part in a
stunning world of financial operations. No more
up-front costs or tricks. A steady income is just a
click away! The best thing it all depends on you.

Being a long-established solid corporation we
understand how important it is to provide our customers
the best possibilities and support. We always try our
best to be cooperative and customer-friendly, you can
call or email us any time and ask a question if
something is not clear.

Get involved in a great transportation business, and
start making money in just a few clicks. You will make
a fixed amount ($30) out of every shipped product. The
usual product quantity range from 10 to 100 packages a
month. This is not a dream, you enter a serious market!
A unique opportunity where your income depends on you!

More information \ apply \ send your resumes to: job@westbcompany.org

self-absorption parlor car two-leaved
stagger grass Post-mishnaic surface tension
cairn terrier safety catch wave top
horn-footed oxyacetylene cutting snap-apple
fencing mask twice-sanctioned re-estimate
self-upbraiding Anti-darwinian cattail millet
two-legged half-numb well-intended
evergreen millet high-density double-branch

Job Scam: Global Austrian Syndicate (gas-ltd.cn)

2006-06-21T20:06:00.000Z

This is the same "Global Austrian Syndicate" job scam reported earlier, except that they've changed domain names from ".biz" to ".cn". Key phrases in this spam include the name "Francois Veillon", who claims to be "the manager of a Human Resources department of Global Austrian Syndicate (GAS)".

At this moment, the website for "gas-ltd.cn" is being served up from five distinct compromised computers: adsl-71-132-152-189.dsl.pltn13.pacbell.net [71.132.152.189], i166108.upc-i.chello.nl [62.195.166.108], adsl-69-229-122-56.dsl.scrm01.pacbell.net [69.229.122.56], adsl-70-228-129-73.dsl.akrnoh.ameritech.net [70.228.129.73], and mo-71-50-28-170.dhcp.sprint-hsd.net [71.50.28.170]. This is likely to change rapidly, for such is the nature of a botnet.

The nameservers for "gas-ltd.cn" are currently 202.95.232.72.reverse.layeredtech.com [72.232.95.202], and 41.91.232.72.reverse.layeredtech.com [72.232.91.41]. In my experience so far, layeredtech.com do respond to abuse reports, although not spectacularly quickly.

Update at 2006-06-22 05:33. I've just checked the nameservers again, and they're no longer responding. Either layeredtech.com is on the ball, or we're just lucky. Kudos to Layered Tech if they are, in fact, responsible.

Job Scam: drgabriel1@aim.com (Escrow Agent)

2006-06-21T02:57:00.000Z

I've started to see "Escrow Agent" more frequently as a cover story for money transfer jobs. Aside from the fact that this email is a linguistic travesty, it beggars belief that such a well-paid job with such light demands is both legal and likely to be offered via unsolicited email. And yet people will still fall for it. Please be wise, folks: these jobs are better described as "aide to a thief", or "patsy" for short.

Casual Position - Escrow transactions assistant.

Job details Closing date: June 30 2006 Location: USA, Canada,
Australia, United Kingdom, Germany .Salary: Excellent earning potential- $25K to $60K OTE Benefits: Pension, Insurance, Free UPS shipping, and more!As a market leader and one of the world's largest organisations of its kind, we are expanding rapidly as we continue to pioneer the concept of technology assurance through our innovative range of Software Escrow and Information Escrow Solutions. Our company has a strong reputation within the escrow industry as both leaders and innovators of testing,security and consultancy solutions.

As a part of our on-going expansion program we are seeking Transaction Assistants for our Escrow Solutions. Whether you are looking for a professional career or a part-time position we are right for you! We are the world's largest global escrow company, operating in more than 50 countries and territories and employing more than 10,000 people worldwide. As a part-time employee,you'll have access to the following benefits: More than $60,000 per year,Great starting pay and annual raises, Set
work schedule and so on! BENEFITS:

$25,000 � $60.000 a year.Great starting pay and annual rises.Direct deposit, You get your salary instantly.Lots of free time (�as required"employment relationship).Perfect career opportunities.Set work schedule.Variety of shift options.Business experience recruiters look for.Weekends and holidays off.Paid vacations and holidays.Discounted stock purchase plan.Promotion from within.Training and skill building.Free UPS Shipping.- $3,800 per month You will be receiving more than 5 transactions a week.- You need 5-7 hours free during the week, not moreYou can advise the best time for transactions processing, in the morning: from 7:00 till 11:00 am or in the evening: from 3:30 till 5:00 pm.- Free UPS shipping You will be provided an NCC Group UPS ID card in your name. You will be using this card for mailing correspondence from UPS office for free on our company�s behalf (we also allow to use it for shipping your own packages, after working through probation period.)
- Comprehensive medical and life insurance for you and your dependents You will be receiving an NCC Group, Inc. Medicine card and all the paperwork in 2 weeks after successfully completing your probation period.
GENERAL REQUIREMENTS:

You have to be honest, loyal, responsible and hard-working.You have to comply with all reasonable and lawful instructions provided to you by our company. You need 5-7 hours during the week for communication.Residential address to receive correspondence (if any).Computer w/internet connection, printer and e-mail.

JOB DESCRIPTION: At this point we can offer you several ways of cooperation,which include, but are not limited to:ACH (E-Check) transactions assistance.You should have a NetSpend.com All-Access card, in order to participate.PayPal transactions assistance.

You should have a Verified PayPal.com account to participate.As an Escrow Transactions Assistants you will be delivering escrow payments from buyer to seller. As you know, every escrow transaction involves seller and buyer. You will be collecting payments from buyers along with the instructions, subtracting your salary (which is included in the total amount of transaction) and all fees applicable,and then forwarding the rest of the funds to the recipient using the method specified by the instruction.The main purpose is to provide sellers and buyers all over the world the ability of using their favorite payment systems (transfer methods).

When customer initiates the transaction from your country of residence, we need to have a middle man (our representative) in your country to speed up the process, and shorten the way of the money by delivering the payment to the recipient directly. Also, we have to act as a third party to ensure that the seller actually received his payment.

You will be provided with detailed instructions for every single transaction. To complete a transaction, you need to follow several easy steps below:Receive the funds into your personal (Bank / Card / PayPal) account.Wait for the instruction to appear in your email. Report your progress to the manager at least once a day (during the time of ongoing transaction).

Follow the instructions our manager will provide you with, and send the funds out using the specified method. Transactions require to be completed in 5 business days (max).Your salary (commission) for regular transaction is 5% of total amount.

We have a probation period - 1st month of employment. During this probationary period, we will be evaluating the employee's job performance and work behavior, as well as his/her character, conduct, and attitude that directly affect job performance. Throughout the period the supervisor will be documenting performance and conduct activity in the Employee Work Folder. If you complete this a probation period successfully, your salary will be reviewed and increased (up to 10%).

Thanks for reading our proposal. We hope that you are interested and eager to start cooperation with us.Accept our apologies if this message caused any inconveniences to you.

PLS KINDLY REPLY BACK TO THE EMAIL ADDRESS IF YOU ARE WILLING TO
ACCEPT THE OFFER.

Dr Gabriel.
contact me : +447024026560

drgabriel1@aim.com

Hijack Alert: National Bank Closing and Blocking Accounts without a notice!

2006-06-19T16:52:00.000Z

Much like the previous hijack alert I mentioned (also covered as a news story in The Register now), this particular spam tempts people into viewing a webpage based on alarmist (and false) news about the National Australia Bank closing and blocking accounts. The link itself goes to a site running software called "Web-Attacker", which attempts to hijack your computer. Presumably it attempts to install keystroke-logging software to pick up login details of those who later attempt to check their National Australia Bank account online.

If you were tricked into viewing such a page (and you use Microsoft Windows), you had better assume your computer is infected with spyware, and avoid doing any online banking with it until you've had it checked out and cleaned up.

The domain "worldbankinformation.com" (used in this attack) was registered a few days ago on 16-Jun-2006.

From: krfcbocp@clementlawgroup.com Herman Day 
Date: Tue, 20 Jun 2006 01:11:20 +1000 
Subject: National Bank Closing and Blocking Accounts without a notice! 

Recently many accounts have been reported closed without even a notice from 
the bank officials! Mostly it’s business accounts but regular checkings are 
also in trouble.  

Latest Bank’s Report showed much lower profit than expected and their stocks 
hit lows for the last 5 years! But can it be really a reason for breaking 
relations with entrepreneurs?  

The list of customers affected and their stories could be found here: 
http://www.worldbankinformation.com/news.php

Also there is a report form to fill if you have the same issue.  

Well, my account is fine and customer service representative refused to comment 
on these stories. Hope your savings are also safe...

Job Scam: jointogether@myway.com or dr.milk23@yahoo.com pretending to be Wanlida Textile Company Ltd

2006-06-19T02:55:00.000Z

This is a fairly blatant money laundering job scam. It was sent directly to the contact address for this blog, which is unusual, but I'm not sure what specific significance it has.

The spam refers to "Wanlida Textile Company Ltd" and the domain "wj-wanlidasilk.com". That domain name was registered for seven years back in 2003, so I would guess that it's a genuine company, and that our scammer has nothing to do with it whatsoever. The contact email addresses being used (myway.com and yahoo.com) are free webmail services, meaning that the addressee could be anyone, anywhere. The telephone number, on the other hand, incorporates the country code for Hungary (assuming that the number is real at all, and written with the full international prefix).

From: dr. milk <jointogether@myway.com>
Date: 19-Jun-2006 11:20
Subject: ATTN: SOLICITING FOR A REP. IN YOUR COUNTRY
To: [Hundreds of recipients!]

Wanlida Textile Company Ltd
No.6 Third District Nanshan Road
Shengze, Wujiang City
Jiangsu Province, China
Phone number:36422423323

www.wj-wanlidasilk.com
Email:jointogether@myway.com
dr.milk23@yahoo.com

ATTN: SOLICITING FOR A REP. IN YOUR COUNTRY
It is my pleasure to write you in respect of our Company Wanlida Textile Co., Ltd. with address as above. We are experts in the sale of Textile materials. We export into the Canada/America and parts Europe. We got your email through Business Directory. We were recently given a two-year contract to supply our product to Canada/America and Europe trade zones. In our just concluded Annual General Meeting (AGM), we decided to search for a representative who can help us establish a medium of getting to our customers in Europe and America as well as making payments through the representative as our payment officer.
I, as the CEO of this multinational company hereby relate with you because of the communication problem faced by most of our Board Members, since many of them cannot read, speak or write English language except Chinese, which is our official language. In view of this you are expected to relate directly with me as the company representative since I decided to contact you and give them frequent update about our activities. Most of our customers have problem in making payment to us, as we do not run foreign accounts.
About 90 percent of our customers prefer to pay through Certified Cheques and Money orders or bank transfers based on the amount involved.
Your Task

We have decided to open this new job position for solving this problem.
Your tasks are;

1. Receive payment from Customers
2. Cash Payments at your Bank
3. Deduct 10% which will be your percentage/pay on Payment processed
4. Forward balance after deduction of percentage/pay to any of the offices you will be contacted to send payment to. Payment is to be forwarded either by MoneyGram or Western Union Money Transfer.
See www.westernunion.com and www.moneygram.com for details.
After establishing a close co-operation with us you'll be able to operate with larger orders and you'll be able to earn more. Our payments will be issued out in your name and you can have them cashed in your bank or other Cashing Services.
You'll have a lot of free time doing another job, you'll get good income and regular job. So if you are interested, your quick response to the email below would be appreciated. You are to reply to the company's public relation officer email address as below:

I am very interrested in working with or for you.
Please if you are interested forward to us.
Your full name.......................
Phone number .........................
Fax number...........................
Present occupation...................
And your full contact address................
BELOW IS OUR COMPANY HEADQUARTER
Wujiang Wanlida Textile Co., Ltd.

Selected Products
Jacquard Fabric
Cotton Satin
Printed Satin
Twisted Satin
Thanks for your time.
Kindly reply your response to the company public relation officer below

Name: dr.milk
contact me +447024026560
jointogether@myway.com
dr.milk23@yahoo.com
Kindest Regards,

Mr dr.milk
Ceo.

Job Scam: kayla.auction@googlemail.com

2006-06-16T13:42:00.000Z

This is another money laundering job, thinly veiled by a couple of other job descriptions which are just red herrings. The crooks offering this work have obviously done a spot of phishing in relation to Commonwealth Bank of Australia and National Australia Bank customers, and are now looking for willing chumps to forward the money to them via Western Union or Money Gram -- right up until they get arrested for handling stolen money, that is.

The contact address for this spam is kayla.auction@googlemail.com, but it's not visible in the plain text rendition of the spam that I'm using here. (It's a hyperlink in the HTML version.)

From: ao5sqmgX4C@yahoo.com Ward Heyser 
Date: Fri, 16 Jun 2006 21:36:49 +1000 
Subject: 5: Transaction Manager position.    Ref:6907 

 We are happy to present You our new project. Today our Internet auction
   bidding Company has finally begun successful cooperation with
   Australian financial authorities. Our internet auction bidding system
   is secured with the Commonwealth Bank of Australia and National
   Australia Bank anti-FAS system and this is why we, as the official
   affiliate of the Australian Commonwealth Bank and National Australia
   Bank, are proud to guarantee safety and security of every Internet
   auction operation our Company processes in Australia. Vacancies.
   Customer support manager: 8 hours per day. 2400$ per month.Requirements:
   car, PC, cell and home phone number, Internet.Assist customers from
   Your regions with full time Internet and personal support. Bidding
   manager: 2-4 hours per day. From 3000$ per month + weekly bonuses for
   successful completion of daily assignments with no delays.Requirements:
   Internet, cell and phone number, Bank account in the Commonwealth Bank
   of Australia or National Australia Bank. Assist customers from Your
   region with funds processing from the initial bidder to the seller
   itself. Bank Account in the Commonwealth bank or in the National
   Australia Bank is obligatory. Become the initial third party between
   the seller and the bidder from Australian region. Transport manager:
   6-10 hours per day. 3000$ per month. Requirements: car, PC, cell and
   home phone. Punctuality and responsibility. Transport the initial
   wares to the post office and International postal service companies.
   Maximum carrying capacity of 2 tons. Requirements:Age limit from 18y.o
   to 60.y.oInternet and be able to check Your email dailyBe able to
   contact our managers and customers both with Your cell phone and the
   email Benefits: 1. Become our initial representative and a middleman
   between the seller and the buyer from your country 2. Gain authority
   with people from all parts of the world who really rely on Your
   service 3. Possible career growth 4. Work efficiently with no holds
   and delays and get weekly bonuses besides monthly salary for
   outstanding performance of one’s duties. If you have any additional
   questions or desire to become our affiliate – don’t hesitate to
   contact our HR Department Sincerely Yours
   Megan Williams
   Staff manager

Phish of the Day: The Internal Revenue Service

2006-06-16T03:23:00.000Z

I don't usually post about phishing, since it's pretty old hat, fairly common, and covered by other specialists anyhow. This particular instance was sufficiently interesting to write about, however. It's an attempt to obtain credit card details (including the CCV code) under the pretext that you're due a tax refund. I've attached a screenshot of the phishing site as rendered in my browser.

This particular phish is hosted on a compromised webmail server in China. The URL is http://mail.halas.com.cn/.../IRS/refund/caseid886432/index.html, but note that the "caseid" value is not significant in any way -- it's just a red herring. The three dots immediately following the server name designate a directory that is normally hidden (and could easily be overlooked if not hidden). It looks a little conspicuous in a URL, however, and if these folks ever check their log files, they'll pick it up. Certain parts of the page so loaded do refer to the IRS website, and some content is obtained that way, so the IRS folks will be aware of this already if they're paying attention to their own server logs.

Info: Stock spammers go to remarkable lengths for stealth

2006-06-16T02:59:00.000Z

I'm not currently tracking pump and dump stock spamming, mostly because there's just so much of it. I note in passing, however, a new stage in a trend that's been going on for some time.

It used to be that stock spammers would just send their spam in perfectly plain and readable ways. They then started to corrupt some of the more readily identifiable parts of the spam, such as the "forward looking statements" boilerplate disclaimer that many of them include, so as to lessen the number of spam filters that would catch them on this. More recently again, they have started embedding spaces and punctuation into the stock name itself, so as to prevent searches on that stock name turning up all the spam that winds up being archived on the web. Some of them have chosen to embed their entire message in an image -- a technique which is also popular among the pill spammers, but note that the stock spam is usually just plain text rendered as an image. This also prevents any part of the text from being used as filter-fodder, and prevents the archived spam from being searchable on the web.

The final stage in this progression that I wish to note is one recent stock spam (pumping "Advanced Powerline Technologies, Inc." [APWL]) which not only encodes the entire text as an image, but breaks up that image into a grid of smaller sub-images. I'm not entirely sure what additional benefit this is supposed to have (from the perspective of the scumbag who is sending it), but it could be an attempt to foil my recent habit of archiving such images on the Stock Spam blog. Previously, it was just a simple case of "save the image and upload it to the blog", but since it's no longer a single image, this technique wouldn't work -- additional effort would be required.

As I've said, I'm not tracking stock spam at the moment anyhow, so this doesn't actually impact me. It's interesting to watch the arms race between scammers and scam-busters progress, though.

Hijack Alert: National Bank goes bankrupt?!

2006-06-15T04:14:00.000Z

Here's a breed of spam that's still sufficiently novel that people will take the bait. Attempts to hijack computers via web browsers are taking over where viruses left off. Don't get me wrong: there are a lot more viruses out there than web-jacking attempts, but the latter category has the greater growth as a percentage.

The basic outline is this: the malicious party sends out spam with a link to a website. The cover story is usually some spectacular news story, but it can also be something as simple as "Tiffany has sent you an e-card!" All the malicious party wants you to do is click that link. The actual website you reach could be completely blank, or it could be a site selling Viagra pills, or whatever: the kicker is the part you don't see. Behind the scenes, that web page will be loading various bits and pieces which attempt to gain control of your computer.

If you use Microsoft Windows and you've been suckered into following a link like this, you had better assume your computer has been compromised. Disinfecting such a computer is a very tricky job, and I can't offer any simple advice as to how one goes about it, sorry.

Here's an example of a hijack attempt I received a short while ago. Follow the link at your own risk.

People starting panic withdrawals, some of the accounts were reported 
closed due to technical reasons, many ATMs are not operating. 
Does it seem that one of the Australia's greatest goes bankrupt? 
 
The full story could be found here: http://www.saltnlight-e.com/news.php
 
Well, hope that isn't true... Anyway You'd rather check your balance...

Job Scam: Global Austrian Syndicate (gas-ltd.biz)

2006-06-15T02:39:00.000Z

This is yet another money laundering job offer, with all the obvious red flags: offer arrives by spam, requires no experience, involves money transfer using Western Union or Money Gram, and so on.

The style of this scam is a close match to that of the Swiss Invest scam that's been arriving regularly in my inbox for nearly a month. Closer investigation shows that the DNS records for "gas-tld.biz" and "swiss-invest.cn" are almost identical. At the time of writing, they both resolve to the following addresses: 24.41.42.238 (user-0c2iane.cable.earthlink.net), 24.43.27.76 (CPE000a73995cf3-CM000a73995cf2.cpe.net.cable.rogers.com), 64.135.101.176 (address in space allocated to BroadbandONE, Inc.), 69.248.123.80 (c-69-248-123-80.hsd1.nj.comcast.net), and 70.101.24.127 (70-101-24-127.dsl2-plymouth.roc.ny.frontiernet.net). These all appear to be end-user PCs on broadband networks, which almost certainly means that they are compromised and being used by these criminals without the knowledge of the actual owners. There are other tricks involved with the DNS, but they're a bit technically obscure, so I won't bore you with details here.

For the benefit of searchers, some of the key phrases in this spam include the name "Francois Veillon", who claims to be "the manager of a Human Resources department of Global Austrian Syndicate (GAS)". Other than that, it's mostly boilerplate job scam stuff.

Job Scam: us_job@mail333.com

2006-06-13T20:03:00.000Z

This is just another "payment processor" money laundering job.

Dear Sirs!

We are USA company mainly working in financial field.

We are stable and solid company. We are looking for drivers, managers, managers of transfers, office managers.
There are a few outstanding requirements for candidate - reliability, honesty, diligence.
If all this is about you and you are interested to invest your time we would be glad to get in touch with you.

To start the registration as Payment Manager(3000$ every month), please contact us!
The career plans: LIFE prosperity, AUTO purchasing, HOUSE purchasing
In case you need more information please do not hesitate to contact us.

Malissa L. Jackson
H.R. Manager
Independent Business Solutions
E-mail: us_job@mail333.com

Job Scam: Further details on "Mercury Industries"

2006-06-13T05:56:00.000Z

Although I haven't seen any actual spam from them in a while, the scammers calling themselves "Mercury Industries" are still active. Here's a copy of a job offer letter they emailed to me after I sent off a request for further information. There are two important things to note about the job (highlighted in bold text): it involves money transfers (see point three), and you don't get paid until after you've done at leat one such transfer (so they're guaranteed not to make a loss on you as an "employee"). This is obviously a money laundering positon.

Good day,

We would like to thank you for your application. It was a pleasure to
receive your answer so soon for administrative support/ transaction
support assistant position.

Such approach to administrative support / transaction support assistant
position has confirmed our desire to work with you.
Please email me:
Your address
PO Box (If available)
Phone number
Cell Phone number or alternative number to reach you
Email address that you use most often
We will enter this information to our database and it will be only used
within our company.
If you would like to write us why would you fit for this position we 
would
be interested to hear from you.
We will guide you through the work process on initial remunerated 
training
period after you will pass the screening process. Training will take 3h
per day for 3 days and will be held online with the support of our
training instructors. Through training you will get paid AUD 20$ per 
hour
and commissions for each serviced transaction. We will calculate your
hours through the time log. Your wages will be paid out after you will
service first transaction.
Initial requirements are:
 1. Answer our Australian customer’s questions and requests via e-mail 
or
phone, have at least 15h per week to work for us. However, we can work
around your schedule.
 2. Keep in touch with a manager every morning and be
able to answer calls and e-mail communications from the manager 
promptly.
Keep a time log of hours worked.
 3. Accept payments from customers for further credit to our
clients.


All office expenses will be paid for. You will not have to pay for
anything in order to start working with us. No sales involved, we have 
our
own customer base. You will have to work through regular business hours 
in
Australia. You will not have to travel on business.
After you will be hired you will be compensated AUD 20$ per hour, also 
you
will receive commission. Your wages and compensation for expenses will 
be
paid by direct deposit to your bank account.
I appreciate the time that you took to write us. We are very interested 
to
continue screening process and look forward to hearing from you 
regarding
this position.
Sincerely,
M. White

Meta: This blog now syndicated using Atom

2006-06-09T07:02:00.000Z

I've recently begun to appreciate the benefits of news aggregation using syndication formats like RSS and Atom. Blogspot blogs can publish Atom syndication data, so I've decided to go ahead and do it. This blog is primarily targeted at people searching for specific scams, but you may want to subscribe if you are following scams more broadly and want to hear about everything I encounter. If you want to subscribe, the appropriate site feed URL is http://ideceive.blogspot.com/atom.xml . If you're new to the whole idea of syndication and aggregation, try out Google Reader.

Job Scam: westbcompany.net

2006-06-09T06:02:00.000Z

This is slightly different from the usual money laundering scams, but the basic concept is the same. Instead of being a money middle-man, they want you to be a goods middle-man. The reasons for the middle-man position are largely the same: there's shonky dealing going on, and they want the shonkiness to be traced to you, not them.

For example, this case might involve credit card fraud. The scammers may have obtained a swag of credit card details, and they want to obtain valuable goods (laptop computers, for example) using other people's credit cards. Such purchases are considerably less suspicious when the shipping address is local, so if you sign up for this job, they'll select a bunch of credit cards which appear to match your location, and use your address as the shipping address. They then instruct you to ship the goods on to them.

Engaging in this sort of work is participating in fraud, and the police will probably take a dim view of it in most countries.

The domain "westbcompany.net" was registered for one year on 01-Jun-2006. Text of the spam follows.

You might have noticed how the recent changes of all kinds influence your life. Constant growth of prices, low wages, employment problems. If you aren't satisfied with your present income or it doesn't comply with your capabilities; If you constantly lack money; If you want to better your financial status or you are just looking for a part-time job, then this job is what you need. Consider the advantages of the work we offer: Extra incomeYou might have noticed how the recent changes of all kinds influence your life. Constant growth of prices, low wages, employment problems. If you aren't satisfied with your present income or it doesn't comply with your capabilities; If you constantly lack money; If you want to better your financial status or you are just looking for a part-time job, then this job is what you need. Consider the advantages of the work we offer: Extra income
Minimal expenses and no expenditures at all (only I-net and e-mail)
The easiness of work. - Possibility to combine this work with your occupations (you just need to check your e-mail several times a day) For this work you don't need a special education possessing some special skills or knowledge possessing storehouse, office, special equipment.
The job we offer is related to mail. It is an easy job which doesn't require leaving your main occupation. You will have to receive to your home address parcels from our clients and ship them out further following our manager's instructions ($30 for each shipped out box). Contact us by e-mail and you will be sent a list of vacancies available at the present time. You work will be paid for without any delays.
You may work with several orders at a time as well as work with each one separately.
Contact: job@westbcompany.net