Search engine registration spam

Some spammers try to scare domain registrants with bogus “notifications” such as the following:

Expiration Notice

Order #: 111769336
Order Date: Jun 29, 2013
Bill To: [My Name]
[My details from the WHOIS record of my domain]

PROCESS PAYMENT NOW

Domain Name
[MY.DOMAIN.NAME]

Registration
Jun 29, 2013 – Jun 29, 2014

Price
$75.00

Term
1 Year

Domain: [MY.DOMAIN.NAME]

To: [My Name]

Don’t miss out on this offer which includes search engine submission for [MY.DOMAIN.NAME] for 12 months. There is no obligation to pay for this order unless you complete your payment by Jul 14, 2013. Our services provide submission and search engine ranking for domain owners. This offer for submission services is not required to renew your domain registration.

Failure to complete your search engine registration by Jul 14, 2013 may result in the cancellation of this order (making it difficult for your customers to locate you using search engines on the web).

Process Payment For
[MY.DOMAIN.NAME]
UNSUBSCRIBE INSTRUCTIONS

You have received this message because you elected to receive special notifications and offers. If you no longer wish to receive our special notices, please unsubscribe here, or mail us a written request to the attention of: Customer Contact Manager, PO Box 4668 New York, NY 10163. Please allow up to four weeks for the complete unsubscribe process to take place. NOTE: If you have multiple accounts with us, you must opt out for each one individually in order to fully stop receiving these notifications. This message is CAN-SPAM compliant.

Please do not reply to this email, as we are not able to respond to messages sent to this address.

Needless to say, I never asked for this message, and harvesting registrant details from WHOIS records for spamming purposes is a violation of ICANN terms.

It is easy to confuse this spam email with a domain registration expiry notice from a registrar, which it isn’t. You can safely delete this and similar messages. Do not hand your credit card details to spammers!

Here are some of the domains used by the spammers who run this scam:

The domains are hosted on IP address 220.164.140.243 in China.

The “search engine registration” they’re selling is pointless; no such registration is needed. Google isn’t going to forget about my domain just because I won’t send these crooks $75, essentially for spamming me. If your domain already shows up in Google and other search results, if Googlebot or other crawlers are crawling it, or if other websites already link to it, then you’re already in business.

A “search engine registration” will not protect your domain from accidental expiry, which is what registrants should be concerned about. If your domain is important, please check its expiry date with the registrar via a WHOIS lookup. If your registrar (like mine) offers an auto-renewal service for domain registrations, enable auto-renewal and check that the credit card expiry date is sufficiently far into the future. Otherwise mark a date a few weeks before the expiry date in your calendar so you won’t forget.
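To make the expiry check above a routine, here is an added example (not from the original post) that reads a saved WHOIS response, extracts the expiry date under the labels registries commonly use, and warns when renewal falls within a configurable number of days (six weeks by default). The WHOIS text is a constructed sample; real responses vary by registry.

```python
from datetime import datetime, timezone

# Constructed sample WHOIS response (not a real lookup). Field labels vary by
# registry; the ones below are among those commonly seen.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Creation Date: 2005-06-29T12:00:00Z
Registry Expiry Date: 2014-06-29T12:00:00Z
Registrar Registration Expiration Date: 2014-06-29T12:00:00Z
Domain Status: clientTransferProhibited
"""

# Labels under which registries report the expiry date (compared case-insensitively).
EXPIRY_LABELS = {
    "registry expiry date",
    "registrar registration expiration date",
    "expiration date",
    "expiry date",
    "paid-till",
}

DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d", "%d-%b-%Y", "%Y.%m.%d")


def parse_date(value):
    """Parse a date in one of the common WHOIS formats; None if none matches."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(value.strip(), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def parse_expiry(whois_text):
    """Return the earliest expiry date found in the response, or None."""
    found = []
    for line in whois_text.splitlines():
        label, sep, value = line.partition(":")
        if sep and label.strip().lower() in EXPIRY_LABELS:
            when = parse_date(value)
            if when is not None:
                found.append(when)
    return min(found) if found else None


def days_until_expiry(whois_text, today):
    """Whole days from `today` (YYYY-MM-DD) to expiry; negative if already past."""
    expiry, now = parse_expiry(whois_text), parse_date(today)
    if expiry is None or now is None:
        return None
    return (expiry - now).days


def expiry_status(whois_text, today, warn_days=42):
    """'unknown', 'expired', 'renew-soon' (within warn_days) or 'ok'."""
    days = days_until_expiry(whois_text, today)
    if days is None:
        return "unknown"
    if days < 0:
        return "expired"
    return "renew-soon" if days <= warn_days else "ok"


if __name__ == "__main__":
    for today in ("2013-06-29", "2014-06-01", "2014-07-01"):
        print(today, days_until_expiry(SAMPLE_WHOIS, today), expiry_status(SAMPLE_WHOIS, today))
```

Feed it the output of your registrar's WHOIS lookup and run it from a scheduled job; an "unknown" result means the registry uses a label not in the list and deserves a manual look.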

RegClean Pro scareware scam

While looking for some information on how to get from Vienna airport to the city centre, the second link that came up looked like it might provide information on train connections, using domain schnellbahn-wien.at. However, when I clicked on it, the page that opened flashed a warning that my PC was about to crash. I immediately suspected a scam. The only link from there took me to a site (systweak.com) trying to sell me a scareware product called “RegClean Pro”. At no point did it show me the promised train information.

If I viewed the Google hit using the “Translate” function of Google, the promised travel information did come up, suggesting the server was feeding different contents to Google than it does to ordinary site visitors, which violates Google’s terms and conditions. I reported it as Google spam.

Beware of any malware warnings or registry problem warnings that pop up on random websites – these are all likely to be scams.

Beware of product quote phishing scams!

A new type of scam is becoming more common: criminals use requests for a quote to trick businesses into handing over passwords. They provide a link to a site that supposedly holds details of the products they want quoted, and that site demands a login with an e-mail address and its password. Here is an example:

Date: Sat, 30 Mar 2013 15:04:07 +0100
Subject: Please send us your data sheets and your price list regarding this product.
From: “Agung .” <agung.suryagungfuniture@gmail.com>

Dear sir/madam,

We are interested in the purchase of your products and services. we want to make order from your company and we are urgently in need of these products. You are advised to log in into our site to view the photos and specifications of the exact products we need ASAP and kindly tell us the cost of the products and the FOB to Durban, Sea Port.

Copy and paste the link to your http://anhuifuhuangimportexport.yolasite.com

NOTE: You can only view this product page if you carefully log in with your exact email and password you are using to communicate with us, as our need products specifications and designs is exclusively for our Company and has been protected for our exclusive right to protect our business.

We earnestly await your swift response to enable us to make deposit payment so that you can start the production immediately.

Kind regards,
Director of Operation

You should never enter the password to your e-mail account (or other passwords, such as for Facebook, Google, Amazon, eBay and PayPal accounts) on a site other than the proper website of the service. Furthermore, you should only enter the password on pages protected by SSL (padlock icon visible in the browser, URL starts with https://). Scam sites typically are not SSL-protected.

OTC Pump and Dump scams: PacWest Equities (PWEI)

Another stock is being spammed by pump & dump scammers. Never buy stocks advertised by spammers!

Example:

This Chart is an Absolute Bull! You`re Going to Get it First!!! This
Stock Closes Green for Third Straight Day!

Trading Date: March 29th
Company Name: PacWest Equities Inc.
Tick: P W_E I
It is now: .2326
Short Term Target: .65

This Company is our Low Float, Big Bounce Opportunity for Today. This
Stock is on High Alert for Today!

Example:

It Surges Ahead on Elevated Volume! This stock could be a possible Buyout
Candidate!

Trading Date: Fri, March 29th
Company: PacWest Equities Corp
Stock: PWE_I
Last Trade: $0.2326
Target: $0.75

This company is on the brink of a Big Breakout. More gains coming this week!

Example:

It is in the green and should keep moving up tomorrow! Special
Report (Read Inside)!!!

Trade Date: Mar 29th
Company Name: PacWest Equities Inc
Symbol to buy: PW_E I
Last Trade: $0.2326
Short Term Target: .50

High Alert Today! Stock Profile!!!

UPDATE: New OTC scam using shares of “Liberty Coal (LBTG)” on April 15, 2013:

Great news for L B T_G – Liberty Coal – that will deliver huge
returns!!!

Takeover offers are back on the table that will boost L B T_G
prices up to the $.20 – $.30 range. Right now L B T_G is
selling for a very low price, so the money to be made is
amazing! Even Management want to acquire L B T_G because of
their enormous coal find that can bear shale oil. Don’t
hesitate if you want to earn big on this take over before it
gets out to the rest of the public! Buy all the L B T_G you
can afford on Mon, Apr 15.

Another one:

Breaking intelligence for L_BTG – LIBERTY COAL ENERGY INC – that
will turn a quick profit.

Buyout plans are going ahead fast that will drive L_BTG shares up
to the $.20 – $.30 range. Right now L_BTG is selling for pennies,
so the money to be made is huge! Competitors want to buy out L_BTG
because of their seemingly unlimited coal reserves that can draw
out shale oil. Take action now to earn big on this buyout prior to
other investors. Buy all the L_BTG you can possibly get on Tuesday,
April 16, 2013!

Another one:

Why PetroChina should acknowledge in S CX N? ExxonMobil captures
$14 Bill after Arkansas Oil Spill. GP will implement S CX N
solution. Lawmakers to lift the current restrictions vs huge
Oil. As buyers we could benefit from Big Oil, while decrease
tomorrows hazard. Assist large Oil remained responsible by
owning S CX N on Monday Apr 29.

Another one:

Attention headlines for G T R L!!! Films will be treated akin
capital investment by Bureau. BEA is substituting counting federal
revenues. A film can be purchased time after time be could analyzed
as a financial vehicle it shall be valuated after so the stock
price shall grow. Show firm G T R L could be bought more then a 3
USD.

Name: Get Real USA
Stock Symbol: G T R L

This analyzing bill is not void yet, add now buy 7000 stocks of G T
R L on April, 29!!!

Another one:

Acquire a abrupt 50% with B Y S_D!!! Reasonable at barely 0.01!!! Only a
fraction of a cent! Bayside Petroleum Corp. (B Y S_D) guaranteed to burst.
Set your order right now!!!

OTC Pump & Dump scams: County Line Energy Inc (CYLC)

County Line Energy Inc (CYLC) is the next OTC stock being pushed by “pump & dump” stock scammers. Beware! Spammers advertise stock because they want to sell theirs, not because it’s a good idea to buy it (it is not).

Here is a spam sample:

This is our newest award winning pick, be sure to act fast! Exciting
New Trade with Increasing Sales.

Trade Date: Mon, March 18th
Name: COUNTY LINE ENERGY INC.
Stock Symbol: C_Y L C
Last Trade: $0.019
Target: $.15

It is our Day-Trade Bounce back Play. This Company is unique!!!

Other stocks spammed by the same scammers recently: Pengram Gold Corp. (PNGM), GOLD & GEM STONE MINING, INC (GGSM) and Microelectronics Technology (MELY).

OTC Pump & Dump scams: Pengram (PNGM)

Pump and dump scams are investment scams in which a scammer acquires stock (usually of little-known OTC companies), then drums up demand (often via spam emails) and offloads the stock at inflated prices.

Steer clear of any stock promoted via spam: their prices will collapse no later than when the spamming stops and people realize there are no other buyers. Such stocks can become near impossible to sell. In any case, a buyer will have lost most of their investment.

One such stock currently being promoted is Pengram Gold Corp. (PNGM). The spamming started around March 9, 2013 and trading volumes went up in the next couple of days.

Here is a spam sample:

Pre Announcement! Major Momentum is Brewing for This Beast.

Trade Date: Thu, Mar 14th, 2013
Company: Pengram Gold Corporation
Trade: P NG_M
Closed Price: .027
Long Term Target: $0.20

It Releases Breaking News! Our New Pick Under A Penny!!!

Right up to that day and from one week before, they had been spamming stocks of GOLD & GEM STONE MINING, INC (GGSM):

Morning Dip spells Big Opportunity. It Should Continue Upward
Trend!

Date: March, 4
Company Name: Gold and GemStone Mining, Inc
Tick: GG SM
Latest Pricing: .017
Short Term Target Price: 0.35

You Need To Read This Story. This week is going to be even
better than the last.

From Feb 17-21 it was stock of Microelectronics Technology (MELY):

This Stock Continues to Climb!!! We are on fire..

Trading Date: Tue, February 19th
Company: Microelectronics Technology
Ticker: M_ELY
Closed at: $0.0163
9-Day Target: 0.10

It continues soaring! Are you missing out? Building a strong
support for a push higher!

It only takes the scammers a couple of days to unload their existing stock, then they start promoting the next one.

Occasionally the US Securities and Exchange Commission (SEC) will suspend trading in stocks involved in such patterns, as it did in 2011, to protect potential buyers from being scammed.

Garcinia Cambogia weight loss spam from hacked Yahoo accounts

I’m seeing another round of weight loss spam that abuses third party Yahoo accounts for sending. It is similar to the earlier “Raspberry Ultra Drops” weight loss spam that also used compromised Yahoo accounts.

Here is one of the advertised domains, biggsetfatburningsecret.com, which is hosted on many different servers:

The domain is registered through Ukrainian registrar ukrnames.com using forged WHOIS contact details.

The buy link on that site redirects to authenticgreencoffee.com, a domain registered last July, with the owner hidden behind a WHOIS proxy.

Other domains hosted on the same servers, some of which are part of the “Work from home mom” scam series:

The “work at home mom” scam series also used hacked Yahoo accounts for advertising websites that are made to look like network TV news sites, so these scams are probably related.

The spam senders are often abusing mail interfaces meant for mobile phones. The Yahoo message IDs of the spams contain some of these strings:

.androidMobile@web
.BPMail_high_noncarrier@web
.BPMail_high_carrier@web
.BPMail_low_noncarrier@web
.BPMail_low_carrier@web

Probably “.androidMobile” is for use by the Yahoo Mail for Android app, though the spam is not necessarily sent from Android phones. More likely it is just using the servers provided for Android, but accessing from a PC.

The “BPMail” IDs are interesting. I suspect the “_noncarrier” variants involve IP addresses not connected to one of the phone carriers that bundle Yahoo mail with their service, while the “_carrier” variants mean the IP address is part of the provider’s address pool, though it could still be a PC connecting via a wireless broadband modem.

“High” and “low” could be an internally assigned spam rating, though that is mere speculation. However, “.BPMail_high_noncarrier” is the most common Google hit of these 4 that comes up when searching for information about this type of spam. When investigating a pool of spam samples, this was the order of declining frequency: “.BPMail_high_noncarrier” was by far the most frequent, followed by “.BPMail_high_carrier” and finally relatively small numbers of “.BPMail_low_noncarrier” and “.BPMail_low_carrier”.

The spam recipients (common numbers: 1, 3, 9 or 10) tend to include the last addresses the legitimate owner of the Yahoo account has emailed. So perhaps the spammers are harvesting email addresses from the “Sent” folder of the Yahoo account after gaining access to it.

I find it amazing that Yahoo has yet to find a way to close the vulnerability that allows this spam and fraud to continue, despite the months and years since it was first observed.

The “$5 wrinkle trick” (TruVisage, PurEssance) trial trap

On a lot of websites I visit I see ads like “Mom discovers $5 wrinkle trick — see her trick”. These ads lead to sites such as ch8health.com which advertise “free trials” of cosmetic products called TruVisage and PurEssance using deceptive advertising:

  • The trial is not free but costs $5.35, supposedly for shipping and handling.
  • Unless the trial is cancelled within 20 days, a further $74.95 is charged for the first bottle, which you may or may not have received by then.
  • After 30 days you will be billed another $80.30 ($74.95 + $5.35 shipping and handling). The same amount will be charged every 30 days after until canceled.
  • The website uses logos of newspapers and other media as if they had reviewed the product, which they haven’t. For example, when viewed from Japan it shows the logos of the Japan Times, Yomiuri Shimbun and Asahi Shimbun.
  • The date at which the free trial is supposed to expire is always one day away – it is dynamically calculated based on your local time.
  • The dates of all “user comments” are always one day old – they too are dynamically calculated from your local time.

The deception used in these ads is very similar to the tricks used in the “Work at home mom” scam and the target population may be similar too.

UPDATE:

There is another variant of these ads. The ad text is something like “Woman is 53 but looks like 27” or “Mom Cut 20 Years in a Week Using This 1 Weird Trick” and takes you to a site called “consumers-lifestyles.net” where they advertise products called “BellaGenix” and “PuraSilk”. Shipping and handling is $4.95 but the first package is $99.95 and the subscription will cost you $89.95 every 30 days until cancelled. Beware!

The “Raspberry Ultra Drops” spammers

A large number of abused Yahoo accounts are being used to send spam that links to hacked websites carrying PHP code, which in turn links to sites selling weight loss products. Typically the mails have multiple recipients, no subject line and a single link in the message body pointing at a PHP page, such as

http://www.example.com/images/stories/ronnd.php?faze=faze

The PHP code redirects to a spam domain, or another PHP page redirecting to a spam domain. Here is a list of some of the spam domains advertised recently:

These domains use Russian name servers such as ns1.dnsmax.ru (219.87.170.82), ns1.dnscentral.ru (219.87.170.82), ns2.dnsmax.ru (89.103.247.13), ns2.dnscentral.ru (89.103.247.13). The use of hacked Yahoo accounts for mailing, of hacked PHP websites to mask the spam domain and the fake references to Fox News are similar to the “Work from home mom” scam that has been going around for a while, so they are probably connected.
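A small triage script, added here as an example (not code from the post or from Yahoo), that pulls the mobile-interface tag out of a Message-ID as described in the Garcinia Cambogia post above and tallies it across a pool of messages, and flags the “no subject, single link to a .php page” pattern described in this post. The message samples, host names and the “desktopWeb” tag are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample messages (not real spam). The Message-ID tags follow the
# ".<interface>@web..." pattern the posts describe; hosts are placeholders.
SAMPLE_MESSAGES = [
    {"message_id": "<1364635447.40172.androidMobile@web140106.mail.example.invalid>",
     "subject": "",
     "body": "http://www.example.com/images/stories/ronnd.php?faze=faze"},
    {"message_id": "<1364635501.52880.BPMail_high_noncarrier@web140203.mail.example.invalid>",
     "subject": "",
     "body": "http://www.example.net/wp-content/themes/go.php"},
    {"message_id": "<1364635777.71063.BPMail_high_noncarrier@web140311.mail.example.invalid>",
     "subject": "",
     "body": "http://www.example.edu/cache/news.php?id=7"},
    {"message_id": "<1364636002.11548.BPMail_high_carrier@web140416.mail.example.invalid>",
     "subject": "",
     "body": "Check this out http://www.example.biz/tmp/x.php"},
    # Ordinary mail from the same kind of account: no mobile tag, a subject, an .html link.
    {"message_id": "<1364636123.61830.desktopWeb@web140502.mail.example.invalid>",
     "subject": "Re: dinner on Friday?",
     "body": "See you at 7. Menu: http://www.example.com/menu.html"},
]

# The interface tags listed in the post, in the position they occupy in the Message-ID.
MOBILE_TAG = re.compile(r"\.(androidMobile|BPMail_(?:high|low)_(?:non)?carrier)@web")
URL = re.compile(r"https?://[^\s<>\"']+")


def mobile_interface_tag(message_id):
    """Return the mobile-interface tag from a Yahoo-style Message-ID, or None."""
    m = MOBILE_TAG.search(message_id)
    return m.group(1) if m else None


def is_single_php_link(body):
    """True when the body carries exactly one link and it points at a .php page."""
    urls = URL.findall(body)
    if len(urls) != 1:
        return False
    path = urls[0].split("?", 1)[0].split("#", 1)[0]
    return path.lower().endswith(".php")


def score(msg):
    """Count how many of the posts' indicators a message shows (0 to 3)."""
    hits = 0
    if mobile_interface_tag(msg["message_id"]):
        hits += 1
    if not msg["subject"].strip():
        hits += 1
    if is_single_php_link(msg["body"]):
        hits += 1
    return hits


def tally_tags(messages):
    """Frequency of each mobile-interface tag across a pool of messages."""
    return Counter(t for t in (mobile_interface_tag(m["message_id"]) for m in messages) if t)


def suspicious(messages, threshold=3):
    """Messages showing at least `threshold` indicators."""
    return [m for m in messages if score(m) >= threshold]


if __name__ == "__main__":
    print(tally_tags(SAMPLE_MESSAGES).most_common())
    for m in suspicious(SAMPLE_MESSAGES):
        print("suspicious:", m["message_id"])
```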

My advice: Don’t buy from spammers. Why should you hand your credit card details to a criminal?

“Work from home mum” scams (newsonlineweekly.com)

Almost two years ago I wrote about “Work from Home Mum” scams. Right now I see this type of scam mostly advertised via paid website ads. A year ago it was mostly advertised via spam sent from hacked Yahoo email accounts, which of course is totally criminal.

The advertised websites still look very similar. A recent example is newsonlineweekly.com. When I opened it, the headline read “EXPOSED: Shizuoka-shi Mum Makes $7,397/Month From Home And You Won’t Believe How She Does It!” The internet provider I was accessing from was in Shizuoka, Japan. When I opened the same site from a webhoster based in Nuremberg, Germany, it came back as “EXPOSED: Nuremberg Mum Makes $7,397/Month From Home And You Won’t Believe How She Does It!” Their server looks up what city your IP address is associated with and puts that into the headline.

If you click on the link to sign up, it takes you to a site called “onlineincomesolution.com” where you’re asked for your name, email address and phone number. The small print mentions that you’re placing an order for “Acai Lipo” for £99.97 and another £99.97 for “Quick Detox” (the price was probably shown in UK Sterling because my browser is set for English (UK)).

They are still using deceptive advertising to trick housewives and mothers into sending them money hoping to be able to support their families. They are targeting people for their scam who are out of work and short of money. How sick is that?