flapstate.com / mdanclub.com / wayizer.com

Today I was contacted by someone about a domain flapstate.com which was still on my spam list from spam received last year. It looks like since then the domain had expired and been deleted, but then registered by a new owner for what appears to be a scam.

The same scam also uses domains

  • mdanclub.com
  • wayizer.com
  • wayate.com
  • coralnic.com
  • grigga.com
  • srcify.com
  • azureclub.com
  • flipality.com

and probably many others. The fact that they keep switching the domain of their website is already one giveaway that it’s a scam.

The four domains wayate.com, wayizer.com, mdanclub.com and flapstate.com are all hosted on the same server, at IP address That IP address has been assigned the reverse DNS name “server1.bestunbeatableoffer.com”. Interestingly “bestunbeatableoffer.com” is not currently working, as it has been suspended by its registrant for spam or abuse. A Google search for the domain “bestunbeatableoffer.com” finds a blog entry that accuses the site owners of phishing, using a whole bunch of different domains that harvested personal details, including email addresses and passwords.

Do not enter your real name, email account or password on any of these websites. These sites are deceptive and harvest personal information which can (and probably will) be abused!

Here is what happens. If you access any of these websites it first gives you this message:

Our system indicates that a pic from your ip address has been uploaded to this site within the past 48 hours.

This is a blatant lie, because it will say that from whatever IP address you access from, as this is hard-coded into the website. It doesn’t even check what IP address you access from before it puts up this dialog.

Once you click OK it puts up another dialog:

Fill in to view your pics.

FULL Name of Friend
who referred you to this page:

Your FULL Name:

Your FULL Email:

It then asks for your password. This is highly dangerous. With your email address on Yahoo, Hotmail, Gmail and many other services and your password, the website could access your online address book and find all your online contacts. What’s more it can then contact everyone in your address book in your name, sending them an email that looks like it was sent by you! Thus the deception would snowball. It would allow massive address harvesting.

This is especially true because they also ask about which social networking site you come from (e.g. Myspace, Facebook). If people happen to use the same password there, it will allow the scammers to break into social networking accounts and their associated address books, “friends lists”, etc. They can then tell every one that “their pic has been uploaded” and repeat the game ad infinitum, until they have stolen millions of names, email addresses and passwords.

After filling in the previous forms with bogus data, I got this dialog:


Our system indicates that your friend recently bookmarked and reserved this page just for you.

It said that after I made up a bogus name for the friend who supposedly sent me there. My email address was also one I made up and had never used before (on a domain that I own). After that I got an error message:

Link unavailable

Possible causes are:
Your geographic location is not allowed for this offer.
Duplicate IP Address.
A system error ocurred.
The offer has expired.
The AFID or CID is not valid or authorized.

The domain flapstate.com was registered with these details, which appear to be forged (see comments below by the real Adam Arzoomanian, who appears to be an innocent party whose name was abused and reputation destroyed by the real scammer):

Registrant [1405632]:
Adam Arzoomanian bulletinpics@gmail.com
375 E Harmon
Las Vegas

Administrative Contact [1405632]:
Adam Arzoomanian bulletinpics@gmail.com
375 E Harmon
Las Vegas
Phone: +1.7029221911

Billing Contact [1405632]:
Adam Arzoomanian bulletinpics@gmail.com
375 E Harmon
Las Vegas
Phone: +1.7029221911

Technical Contact [1405632]:
Adam Arzoomanian bulletinpics@gmail.com
375 E Harmon
Las Vegas
Phone: +1.7029221911

Domain servers in listed order:


Record created on: 2008-08-03 19:18:56.0
Database last updated on: 2008-08-03 19:16:31.357
Domain Expires on: 2009-08-03 19:18:56.0

(Note that registrant details are not generally verified by registrars, so there is little to stop a criminal from using someone else’s name for a fraudulent domain registration.)

Any other domains that are part of this same scam are likely to use the same address details.

The street address and phone number listed above appear to belong to a nightclub called Spin Nightclub.

Toptieprofiles.com appears to have been part of the same scam, because its HTML code used to reference IP address, as does flapstate.com.

Also, the email address used in the domain registration (bulletinpics@gmail.com) suggests a link to domain BulletinPics.com which was also used for an email address and password harvesting scam (see here). Website www.bulletinpics.com looks identical to flapstate.com but is hosted on a different server, on IP address This site loads an iframe that points at domain destination-server.com, which is hosted at IP address like flapstate.com, wayate.com, wayizer.com and mdanclub.com. Here’s the registration record for bulletinpics.com:

Registrars.domain: bulletinpics.com
owner: – –
organization: Spin Promotions
email: bulletinpics@gmail.com
address: 2255A Renaissance Drive
city: Las Vegas
state: —
postal-code: NV
country: US
phone: +1.7029221911
admin-c: CCOM-1288874 bulletinpics@gmail.com
tech-c: CCOM-1288874 bulletinpics@gmail.com
billing-c: CCOM-1288874 bulletinpics@gmail.com
nserver: a.ns.joker.com
nserver: b.ns.joker.com
nserver: c.ns.joker.com
status: lock
created: 2008-05-13 12:14:33 UTC
modified: 2008-05-14 10:01:57 UTC
expires: 2009-05-13 12:14:33 UTC

contact-hdl: CCOM-1288874
person: – –
organization: Spin Promotions
email: bulletinpics@gmail.com
address: 2255A Renaissance Drive
city: Las Vegas
state: —
postal-code: NV
country: US
phone: +1.7029221911

The name “Spin Promotions” suggests a possible connection to Spin Nightclub, whose street address was used for the other domain registrations.

ProfileMirrors.com is another domain that loads a page off destination-server.com. This job offer on GetAFreelancer.com for people doing captcha entry mentions both destination-server.com and bulletinpics. This is very interesting because CAPTCHAs are commonly used to defeat spammers who automatically set up or log in to email accounts at free email providers or BBSes or social networking sites. Here’s a copy of the posting, just in case it gets removed:

searching for good and reliable Teams for desntination captcha entry project . we can pay good rate . PM for more details

when you will PM , please include in your PM

* how many entries you will do everyday
* how many peoples you have to work on this project


Before bidding work for 15 mins then give us feedback


entry ID : demo

When I tried the URL given I got this message:



After 30 minutes CLICK HERE to continue work.

Project Manager: Scott Shaw
bulletinpics at gmail dot com

The reason this error page continues to appear is
because agents NEED to take a 30 minute break.
Do not keep attempting to open page.
error will continue to appear.

When I tried it again, I got a CAPTCHA to solve. It turned out to be from MySpace:


Could it be that these people use software to log into MySpace accounts using passwords obtained via the scam and then use job seekers in Bangla Desh, India and other low-wage countries to defeat the CAPTCHA test thrown at them by MySpace, so they can get at the data in the account afterwards?

With bulk CAPTCHA tests they can also invite anyone on MySpace to become “friends” of the phished accounts, so they can potentially reach every active MySpace user.

Here’s another job offer (a Google search finds many more offers like this):

we need captcha entry team for destination capthca project . we need teams who can deliver minimum 15,000 captcha entries to 50,000 captcha entries daily


entry ID : demo

please go to the link and work for 15 mins , then give us feedback how many entries you can handle daily.interested team can PM us . but u should check the given link before PM us

Rate is negotiable

happy bidding

The following offer that mentions “bulletinpics” even talks of millions of CAPTCHAs to be solved:

Status: Open
Budget: $30-250
Created: 06/15/2008 at 5:07 EDT
Bidding Ends: 08/14/2008 at 5:07 EDT (2 days, 2 h left)
Project Creator: bulletinpics
Buyer Rating:
(2 reviews)
Description: As many people know, the BulletinPics CAPTCHA project has been very succesful, solving over 250,000 captcha entries per day for several teams earning very good money. We are looking to expand to over one million captchas per day but in order to do this, we need to rotate new domain names to host our images.

We are now looking for people/companies who own unused .COM domain names. We need to point these domains to our main image server for two weeks per domain.

For example, if you own 10 unused domains, we would need you to change the DNS so the A record of each domain would point to our captcha server’s IP address. We are willing to pay $1USD (or best lowest bid) to use up to 1000 domains for 2 weeks each. Please let us know if you can provide this type of service.

More related domains (see also):

  • tellafriendrewards.com
  • stolenprofiles.com
  • profilemirrors.com
  • ownyourfriendarchive.com
  • tradepeopleprofiles.com
  • friendownership.com
  • mirrorsocialsites.com
  • bulletinpics.com
  • peepatpeeps.com
  • buddyspots.com
  • saveyour profile.com
  • seepeopleprofiles.com
  • socialprofilemirror.com
  • discussprofiles.com

UPDATE 2008-10-21:

The server at (http://www.destination-server.com/bulletinpics/entry.cgi) now displays this message, suggests the scam has ended:

This website has been discontinued

All team leaders will be paid in full this week.

UPDATE (2008-11-06):

Spin nightclub happened to be where infamous spammer Sanford “Spamford” Wallace aka “DJ Masterweb” worked (see here). According to the WikiPedia article on Wallace he has been targeting MySpace users before:

On 2008-01-26 the UK Register reported that the Federal Trade Commission has asked the Judge overseeing the 2006 settlement to find Wallace and partner Walter Rines in civil contempt of court for their use of malware and social engineering on MySpace to promote porn and gambling sites.[8] In May 2008 Wallace and Rines were found guilty and ordered to pay $230 million to MySpace by the L.A. District Court when they failed to appear for trial.

What a remarkable coincidence!

47 thoughts on “flapstate.com / mdanclub.com / wayizer.com

  1. Thank you for this is a very detailed and useful post and I can confirm the details mentioned above, as after receiving an email from what now seems to be a harvested myspace account to go to flipality.com and check out my picture there, I was intrigued to find out more.

    Sadly your blog did not come up in the top google search results, so I also traced the domain registrars and ended up with bulletinpics, wondering if they are the sourse of all this evil.

    I also found this add on the freelance job board maybe giving an explanation why these URL’s change frequently, but I am not technically advanced enough to fully comprehend all this, let alone really want to.
    text from the add” As many people know, the BulletinPics CAPTCHA project has been very succesful, solving over 250,000 captcha entries per day for several teams earning very good money. We are looking to expand to over one million captchas per day but in order to do this, we need to rotate new domain names to host our images.

    We are now looking for people/companies who own unused .COM domain names. We need to point these domains to our main image server for two weeks per domain.

    For example, if you own 10 unused domains, we would need you to change the DNS so the A record of each domain would point to our captcha server’s IP address. We are willing to pay $1USD (or best lowest bid) to use up to 1000 domains for 2 weeks each. Please let us know if you can provide this type of service.” (http://www.getafreelancer.com/projects/Data-Entry/Domain-Pointing-for-BulletinPics-CAPTCHA.html)

    How this is all legal is beyond me.

  2. The trouble is, as long as no one prosecutes them they won’t really care.

    I have reported the issue to MySpace but am not sure what, if anything, they are doing about it. They don’t exactly have the most spotless record on security issues. However, they seem to be doing something, because once you’ve populated the scam forms with junk data and replied “MySpace” to the question of where you got referred to their site, they give you this message:

    We apologize but MySpace has advised our content partners
    that we may not serve our site’s content to MySpace users.
    If you receive a link to this site from another network
    in the future, please feel free to return.

    Click here to go back to MySpace.
    If you are no longer logged in,
    please type http://www.myspace.com
    directly into your browser.

    We don’t know if “Adam Arzoomanian” or “Scott Shaw” are the real names of people involved in this scam or not. No one really verifies details in WHOIS records, as long as the credit card payment doesn’t bounce the domain gets registered…

  3. This was really informative! Thank you for taking the time to do this. I can usually spot a fake website like this, and I did.
    I just got a message from my cousins myspace account saying my Display pic was all over the site. I go there, but then try to leave. But then I start to fill in information, but before I finish I X’d out completely before sending anything.

    I was curious though, because my myspace display pic had shown up on like the front or something like that on imageshack.us last week, so I was like, “Maybe it happened again?”

    Anyways, very informative and I’m telling everyone I know about this article!

  4. Add to that list srcient.com and atomisphere.com being sent to myspace users.

    Thanks for the info.

  5. I received the same scam pointing to:

    I also found this list of domains apparently registered on 7/14/2008 and checked a few of the ones begining with “kchang” which seemed to all come from the same place.

  6. Thanks, Rick. There’s tons of them amongst the list you pointed me to, including:


  7. and more:


  8. Dear Sir,
    Thanking you and have a nice day. I am very much interested to join online captcha entry & all kind of data entry project. I have an experience and dedicated a group for performing the job. So i need your help. I promise you that always i give you support as your requirement. Pls give me a chance to join with your job.

    I am waiting for your nice confirmation.
    Best Regards
    My E-mail:ahsan_0115@yahoo.com
    Office address: 511 West Nakhalpara,
    Tejgaon, Dhaka-1215,Banglagesh.
    Phone: 088-02-8155249
    Cell: 088-01199099949.

  9. Dear sir, I am from Bangladesh. I have many experience in captcha entry work. I can give u 15000+ entry per day. If u want more, ok, I am agree. And also agree with ur rate. I am waiting for ur reply.
    My e-mail- rony_fastlife@yahoo.com
    office:- H#47, R#13, Nikunja-2, Dhaka-1229
    Yahoo id- rony_fastlife
    Thank you

  10. Thanks for the information. I also got a myspace message saying that my profile pic was “all over” a website. Please add DINALOAD.COM to your list of Adam Arzoomanian websites that ask for your name and your friend’s name. I didn’t go any further than that because it was obvious at that point that the whole thing was a scam. It would not allow me to X out. When I tried it sent a new error message that said that by leaving I was giving them permission to erase the pictures and that I would never get another chance to see them. JERKS. I had to bring up Task Manager and End Task to get out of the website.

    I’m careful. Not exceedingly so, but as an example, this is the second time I’ve written this comment because the first time I went to add a comment to your blog I didn’t include my email address. Before doing so this time I checked out Joe Wein and JWSpamSpy. I’m satisified that it is unlikely that this blog is anything but what it seems to be.

    What I don’t understand, and maybe you can explain this to me, is where the money is in this kind of spam. I have a hard time believing that it is all just some kind of elaborate childish prank. Too much time and money has been put into all of the website registrations for it to be just a bunch of jerks getting a laugh about how big they can make this joke. Who is making money and how? Are they selling the email list information? It just doesn’t seem to make any sense to me. Do you know?

    Confused and mad,


  11. I can only guess how exactly they will monetize this scam. The possibilities are virtually endless.

    For instance, recently there has been an upsurge of non-419 spam (such as pill spam) sent from Hotmail and AOL accounts, which would be possible with thousands of phished passwords of users of such accounts. So these people could sell access to email accounts to spammers. By using existing accounts of known people they will be whitelisted in numerous spam filters.

    They could also simply sell the address lists (phished accounts + all addresses in the online address books) to spammers. I’m not sure what the going rate is. As long as the spammers pay more for the addresses than the scammers pay for CAPTCHA solving it will be profitable.

    Last but not least, they could trawl the mail archives in the phished accounts to find information for accessing other resources, for example, information about Amazon.com or other online purchases, or emails about online banking.

    Scammers have been doing specific phishing formats for breaking into Amazon.com accounts, because electronics fraudulently purchased there can be resold for cash.

    The possibilities in this scam are really only limited by the scammers’ imagination and their criminal energy.

  12. Adam Arzoomanian is at Spin Nightclub in Las Vegas.

    Google search “Sanford Wallace” aka DJ MASTERWEB and Spin Las Vegas.

    Adam Arzoomanian is at Spin, Sanford Wallace is at Spin.

  13. Hi MJP10,

    thanks for the research!

    A couple of weeks ago I came across a list of top 10 spammers that mentioned “Spamford” Wallace is now working as a DJ in Vegas and the same thought occurred to me, but didn’t have the time to verify it then.

    I have added an update to the main article above.

  14. Joe-

    Thanks for posting all of this info. This morning, due to too much curiosity, I fell victim to the uuubzpad.com site. I gave them my secondary e-mail account, not my personal, primary one. However, the password I gave was false. Aside from selling my address, am I still at a great risk if they don’t have my Actual password for the account? I went ahead and posted a link to this blog on the Facebook discussion page about Scam/Spammers–I hope you don’t mind!


  15. Hey I did the same thing as Lea for the kchangvine crap. I never use the email which I gave out and I did not put in a real password. I have the same question as her.

  16. friends-to-friends-only.com (


    Registrant [1405632]:
    Adam Arzoomanian bulletinpics@gmail.com
    375 E Harmon
    Las Vegas

    IP is listed on SpamHaus SBL as being as being assigned to, under the control of, or providing service to a known professional spam operation run by Spencer Wiggins, who is on their “Register Of Known Spam Operations (ROKSO)”.

    ROKSO spammers are the worst of the lot.

  17. Lea and Carly,

    if your actual password is different from the one you gave, you’re probably reasonably safe (other than maybe getting more spam at your email account).

  18. 🙂 Hi there!

    Thank you for posting all of this. It’s really good information to have, and I hope people see it before they get phished.

    They have two more domain names– Atomisphere.com, and Friends-to-Friends.com that I know of.

    They hacked my friend’s Facebook and used it to post a message on my wall that said, “did uu know ur default image is displayyed on atomisphere.com” using precisely that attrocious grammar, so I knew it wasn’t my friend.

    I decided to find out what the site was so I could warn her, and it gave me the same page and prompts you’ve displayed here, along with a message when I tried to leave that said, “WARNING: If you leave now you may NEVER get to see the photos your friend reserved for you.” (Along with a lot of other stuff.)

    These phishing sites are pathetic! And they’re getting so lazy too; like those e-mails I receive all of the time that have specific subjects, but the messages say qedtfhjyjhjkhjkhghjg.

    Thank you so much for your blog. Keep up the good work! 🙂

  19. Pingback: The No-Name Blog » Blog Archive » Let Freedom Ring

  20. add “what is cyanzoom”
    “what is queenpath”


  21. I have a question, what is the best action to take if you do fall victim to one of these sites? I friend of mine went to the site and filled out the first part with email and password and then phone #. Any info would be helpful!

  22. Joe, just wanted to add my sincere thanks to the list of the grateful. It was pretty obvious off the bat that this was a phishing scam, but the investigative work you’ve done and documented here is highly commendable.

    Just to add my experience to the documentation, I was sent this message from a friend’s hacked Facebook account:

    “heyy do you realize your face book pictre is alll over uuubzvine.com”

    The uuubzvine.com link brought me to “friends-to-friends-only.com,” where everything else played out exactly as you’ve described (popups about a picture being uploaded, fill in your FULL name, etc). Pretty scummy.

    Anyway, thanks again. Rock on.

  23. add Brightium.com to your list of Adam Arzoomanian sites.

    This is evil.

  24. Pingback: Facebook “Virus” — ubzcode.com | Veritrope

  25. IF you don’t log in with your email address or password are you safe??? I went to cyanzoom.com and just x’d out but I was wondering am I at risk still???

  26. Thanks for all the great info. My husband got a message this morning at 3:14am stating “did you realize that your profile picture is all over cyanzoom.com” from one of his friends. I went to investigate this and we ALMOST fell victim to it. I decided to research it and found your website. I’m marking this as a favorite. Thanks for putting up this great information! We really appreciate the time you took into researching it.

  27. Some one has notified me that my default pic from facebook is on this website and I was wondering how to find it and remove it.

  28. I was notified from a friend that my default from my facebook profile was on this website. I have no idea of how to find it or remove it. Can someone walk me thr this

  29. I got this dam bug on my facebook account and it sent a copy of the message i clicked to over 400 friends. Is there anything other than changing your password that needs to be done??

  30. a friend told me my profile pic was here!WHATS GOIN ON?IS THS A SCAM OR WHTS GOIN ON

  31. This scam is really traveling through Facebook. My friend was sent the message: “Did you know your profile picture is all over queenbuzz.com?” We both came close to falling for it. It took some Google digging to find your page to figure out what was going on. Thank you for your lucid and comprehensive research and explanation.

  32. Hello, I am Adam Arzoomanian. I am real and have nothing to due with any of this. I seperated from Spin 6 months before any of this started. I would guess that my name was used by someone who had my info and a grudge!! Wow could it be someone with a history of internet SCAM’S!!!! I am a good man and businessman with a clean record and good history.

  33. Let me add that I would actually be quite surprized if in any phishing scam the perpetrator used his own real name for registering the domains.

  34. Pingback: The “new shopping new life” spam

  35. This is the REAL Adam Arzoomanian. HOW dare the press call me a CYBER CRIMINAL I am a victim of identity theft and Dont even own a computer!! Sanford Wallace is a covicted criminal . I have never been charged nor convicted of any crime!!! He Stole my identity and has destroyed my reputation. I need help fighting this because I have neither the ability not the resoures to do ANY of what i have been alleged to have done.What makes more sense? Someone with no formal computer training or criminal history with a unblemished history in property, resort and nightclub management was a MASTERMIND of and elaberate world wide computer scam. Or the SPAM king stole his identity and did it without his consent or knowledge? MMM use your head people I have been destroyed by this man. I cant even take care of my stage three cancer ridden wife becasue I cant get a job. If by some chance some kind good person out there can help me to clear my name I would be greatfull. Thank you joew i will try that

  36. Been receiving emails stating picture all over site. The two sites that i remember are
    crimsonblab.com and drezoom.com
    Has any of my personal information been compromised or facebook account been altered because of these?

  37. Hope that Adam Arzoomanian can get help in clearing his name. Identity theft is such a huge problem in so many areas. Has anyone been able to give him advice? I don’t know what to tell him, but hope that someone out there can help. It’s really bad when anyone can do this to anyone!!

  38. I know adam arzoomanian personaly he does work at above mentioned resort as for the night club i think they run that there to accross the street from the hard rock the nameslips my mind. I do know for fact that this adamarzoomanian is way to busy a man and makesway too much income to try and scam any body This is a federal offense he should get a lawyer the source shouldnt be hard to trace
    Best Reguards,

  39. @Angie,

    unlike you I don’t know Adam Arzoomanian personally, but I doubt anyone with the criminal energy to run this kind of scam would be using his own name for registering the domains, certainly not after spammer Sanford Wallace was sentenced to pay $230 million to MySpace for scams like that.

    Using his own name would be like mailing the MySpace and Facebook legal departments and asking to be sued.

    We can conclude Adam Arzoomanian can not be the scammer. He is an innocent victim in this scam. The criminal must be someone else who was abusing his name. I hope whoever did this to Adam Arzoomanian will get his just deserts.

  40. I will testify to your character i think it may help If you wantmeto try and help contact me

  41. but u understandabley dont leave your contact info but I do see u check on the site txt email me angelica.barron@ymail.com I will “Testify to knowing you seeing you work at alexis park ur character and that you had very litl commputer knowledge when I met you Hope I can help

  42. Pingback: Facebook "Virus" — ubzcode.com | Veritrope

Leave a Reply

Your email address will not be published. Required fields are marked *