The “Raspberry Ultra Drops” spammers

A large number of abused Yahoo accounts are being used to send spam that links to hacked websites, where PHP code links on to sites selling weight loss products. Typically the mails have multiple recipients, no subject line and a single link in the message body that points to a PHP page, such as

http://www.example.com/images/stories/ronnd.php?faze=faze

The PHP code redirects to a spam domain, or another PHP page redirecting to a spam domain. Here is a list of some of the spam domains advertised recently:

These domains use Russian name servers such as ns1.dnsmax.ru (219.87.170.82), ns1.dnscentral.ru (219.87.170.82), ns2.dnsmax.ru (89.103.247.13), ns2.dnscentral.ru (89.103.247.13). The use of hacked Yahoo accounts for mailing, of hacked PHP websites to mask the spam domain and the fake references to Fox News are similar to the “Work from home mom” scam that has been going around for a while, so they are probably connected.

My advice: Don’t buy from spammers. Why should you hand your credit card details to a criminal?

“Work from home mum” scams (newsonlineweekly.com)

Almost two years ago I wrote about “Work from Home Mum” scams. Right now I see this type of scam mostly advertised via paid website ads. A year ago it was mostly advertised via spam sent from hacked Yahoo email accounts, which of course is totally criminal.

The advertised websites still look very similar. A recent example is newsonlineweekly.com. When I opened it, the headline read “EXPOSED: Shizuoka-shi Mum Makes $7,397/Month From Home And You Won’t Believe How She Does It!” The internet provider I was accessing from was in Shizuoka, Japan. When I opened the same site from a webhoster based in Nuremberg, Germany, it came back as “EXPOSED: Nuremberg Mum Makes $7,397/Month From Home And You Won’t Believe How She Does It!” Their server looks up what city your IP address is associated with and puts that into the headline.

If you click on the link to sign up, it takes you to a site called “onlineincomesolution.com” where you’re asked for your name, email address and phone number. The small print mentions that you’re placing an order for “Acai Lipo” for £99.97 and another £99.97 for “Quick Detox” (the price was probably shown in UK Sterling because my browser is set for English (UK)).

They are still using deceptive advertising to trick housewives and mothers into sending them money hoping to be able to support their families. They are targeting people for their scam who are out of work and short of money. How sick is that?

The earth4energy scam

In recent months I have come across many ads for a website called earth4energy.com. If you haven’t seen the ads, the site makes implausible claims that anyone can become energy independent for only a small investment. Make no mistake, it’s a scam, designed to sell worthless “e-books”. See this site for a thorough debunking of their claims.

The fact is, the electricity usage of average households cannot be met easily or on the cheap from renewable sources using some DIY design. Any photovoltaic panels or wind turbines that are powerful enough to make a significant contribution will cost you a lot of money, typically at least several years’ worth of your normal electricity bill. These people would have you believe that for a few hundred dollars you could become independent of the utility companies. They do so because their business is selling e-books and videos to people. The exaggerated claims are how they get people to send them money. They are using an elaborate affiliate scheme and paid online ads to fish wide and far for people who might fall for their promises.

What I find particularly interesting about earth4energy.com is how similar it looks to the earlier “Run your car on water” scam I reported about a little over 4 years ago that made similarly outrageous claims. Then they promised cutting your fuel bill by wiring a “hydrogen generator” to your car alternator. Of course it didn’t work.

Both scams made money by selling worthless e-books. Both used affiliate schemes. On either set of sites when you try to navigate away from it, a dialog box will pop up to ask you if you really want to leave, trying to keep you there. If both schemes were not run by the same person, I’d guess they either used the same web designer or one guy closely copied the other. Typical for the hype used to sell on both sites is a “limited time offer” on earth4energy.com. When I checked it, it said the special offer expired on November 22 at midnight, which is today:

To secure your purchase and get the bonus products for free please order now. (This offer expires Thursday November 22 at midnight)

When I checked the source code of the earth4energy.com website, I found this piece of Javascript code that always outputs the current date:

To secure your purchase and get the bonus products for free please <a href="ordercd.php">order now</a>. (This offer expires
<script type="text/javascript">
var d=new Date()
var weekday=new Array("Sunday","Monday","Tuesday","Wednesday",
"Thursday","Friday","Saturday")
var monthname=new Array("January","February","March","April","May",
"June","July","August","September","October","November","December")
document.write(weekday[d.getDay()] + " ")
document.write(monthname[d.getMonth()] + " ")
document.write(d.getDate() + " ")
</script>
at midnight)</p>

It will tell you the offer expires on today’s weekday and today’s exact date at midnight. It will do so today, tomorrow or a year from now. The offer is not meant to ever expire, the fake deadline is only claimed to rush you into buying. That is just one example of deception on their site.

The identity of the registrant of domain “earth4energy.com” is hidden behind a WHOIS proxy, so we don’t know who it is. What’s interesting though is that the site was registered in June of 2008, around when I wrote about the earlier scam. Back then there was a site called water4gas.com (notice the similar naming scheme!) run by a guy calling himself “Ozzie Freedom”, whose original name was Eyal Siman-Tov. He is from Israel and appeared to be a member of the Scientology cult. In 2008 he got sued by the state of Texas for deceptive business practises. You can read about the court case here.

I find it interesting how many web pages out there promote both water4gas by Ozzie Freedom and earth4energy.com. Here are a few of them. Is that by coincidence or are they connected?

The “Find your stalkers” Facebook scam

Today I received a strange Facebook message. Supposedly one of my friends (an old classmate of mine in Germany) had posted on my wall, but the posting was in English. Now this German friend, unless he happens to forward me an English joke, always writes to me in German. There were several of these wall posts (please DO NOT CLICK on those links!):

23 February at 17:35:
According to http://goo.gl/6hr4J you’re my top stalker. Creep.

23 February at 17:35:
Secret tool shows who stalks your pics http://tinyurl.com/procreeper

23 February at 17:35:
Hey! This is awesome
Insane! Awesome tool to see who looks at your pics >> http://goo.gl/XsUqi

23 February at 17:35:
Hey! This is awesome
New FB tool shows who stalks your profile– http://goo.gl/FTx5T

23 February at 17:43:
Hey, whats happening?
Secret tool shows who stalks your pics http://goo.gl/DxvMD

So I contacted my friend and asked him if it was really him who’d written that or if his Facebook account had been hacked. He replied that it wasn’t him.

I investigated the links, which use the Google URL shortening service to hide the target URL:

tinyurl.com/procreeper => procreeper.info
goo.gl/6hr4J => theprochecker.info/?h
goo.gl/DxvMD => myprochecker.info/?i
goo.gl/FTx5T => procheckers.info/?e
goo.gl/XsUqi => theprochecker.info/?b

Domains procreeper.info, myprochecker.info, procheckers.info and theprochecker.info are all hosted at the same IP address (98.126.9.210, Krypt Technologies) and use the same name servers (ns1.imgurnot.com, ns2.imgurnot.com). The registrant is hidden behind a WHOIS proxy. The reverse DNS name of the host is “wowchatroulette.info”.

Here are other domains that appear connected to these domains (this is probably just the tip of the iceberg):

These sites have messages such as:

Find YOUR Stalkers

Find out who spends excessive time with your photos, reading your old wall posts, and looking at your friends list.

This is a scam designed to trick people into running a script on Facebook that will have a message sent to all their Facebook friends and to get them to also visit such websites. Anti-malware site TrendMicro warns:

Malware type : Spyware
Destructive : No
Platform : Windows 2000, XP, Server 2003
Encrypted : Yes
In the wild : Yes

This malware uses social engineering methods to lure users into performing certain actions that may, directly or indirectly, cause malicious routines to be performed. Specifically, it poses as a Facebook stalker finder to be able to infect Facebook user accounts

(…)

This malware may be hosted on websites that run a malicious script when accessed by unsuspecting users.

It poses as a legitimate Facebook application. It propagates by sending IMs and status messages with links to websites where it can be downloaded.

This spyware executes when a user accesses certain websites where it is hosted.

See also this TrendMicro blog post on the subject.

If you have received wall posts like that in the name of a friend, click on the X to the right of the posts to delete them and alert your friend! Do not click on any of the links in the malicious posts.

Fake news / “work at home mom” job scams

During the last couple of weeks I have listed hundreds of domains that are part of an ongoing spam campaign advertising bogus “Work at home jobs”. The websites advertised by these spams were designed to look like they belong to commercial TV channels, sometimes illegally including the CNBC logo, and many of the domain names contain terms like “cnbc”, “nbc”, “abc” or “news”.

Here is a sample screen shot:


One of the scam sites: cnbcwebsource20.com

The fact that these people illegally use trademarks of major corporations should already be a major red flag. This is not just some dubious get-rich-quick scheme, it is the work of a criminal operation. The sites are hosted in different countries, including the US, Russia, China and Romania. The registrant details that can be looked up via WHOIS often only list a proxy service.

Here is text from a typical site used in this scam:

news8reports.com | Work At Home Mom Makes $6,498/Month Part-Time

Can $97 Really Turn Into $6795? We Investigated…
News 8 Reports Investigates Online Work at Home Programs…

Are There Any Legit Work At Home Programs?

With unemployment numbers extremely high, everybody is looking to make a few extra bucks these days. Many people are turning to work at home programs… But, which ones are REAL and which ones are SCAMS?

We just had to find out… So we set out to do some research ourselves. We came across a blog by Jessica Holmes of Tokyo, 40.

Oh, Tokyo? By sheer coincidence that’s where I live. But looking at the source of the website, I could see that the HTML code simply looks up the IP address from which the site is accessed and outputs the city associated with it. If you were reading the same article from an IP address in Baltimore it would say that “Jessica Holmes” lived in Baltimore!

That little bit of cheating and the attempt to be mistaken for commercial TV channel websites are just the tip of the iceberg of this criminal scam. In an attempt to avoid being caught by spam filters, many of the spams abuse URL shortening services such as bit.ly or redi.ec to hide the domain names of the fake news sites that are getting blacklisted by us. Many of the spams appear to have been sent from hacked Hotmail, Gmail and AOL mail accounts. The spam appears designed to get unemployed people to pay $97 upfront (“Can $97 Really Turn Into $6795?” headline on the fake site) in the hope of being able to support their families with whatever is offered, when they’re really only going to support the criminals who run this scam.

Here are the WHOIS details of the above mentioned site:

Registrant:
Domains by Proxy, Inc.
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: NEWS8REPORTS.COM
Created on: 30-Jan-10
Expires on: 30-Jan-11
Last Updated on: 28-Sep-10

Administrative Contact:
Private, Registration NEWS8REPORTS.COM@domainsbyproxy.com
Domains by Proxy, Inc.
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States
(480) 624-2599 Fax — (480) 624-2598

Technical Contact:
Private, Registration NEWS8REPORTS.COM@domainsbyproxy.com
Domains by Proxy, Inc.
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States
(480) 624-2599 Fax — (480) 624-2598

Domain servers in listed order:
NS1.WIREDTREE.COM
NS2.WIREDTREE.COM

Be extremely skeptical of any job offers that involve any of the following:

  1. Anything sent as spam (unsolicited bulk email)
  2. Work at home jobs that supposedly pay thousands of dollars a month that anybody can do
  3. Upfront payments or purchases in order to get a job (in any real job the employer pays you, not vice versa!)
  4. Hard sales tactics, such as web sites that pop up a dialog when you’re trying to close them
  5. Signs of deception or hidden identities.

URL shortening abuse examples:

Hosted in Russia:

Hosted in Hong Kong:

buycnbc1aok.com
internetcnbc1wo.com
procnbc1wo.com
sellcnbc1wo.com

Hosted in the USA:

cnbc20market.com
cnbcjobs20.com
cnbc20early.com

Haiti disaster attracts Nigerian scammers

It happened after the Indian ocean tsunami and after Hurricane Katrina. It’s happening again with the earthquake in Haiti that has killed tens of thousands and left hundreds of thousands injured, homeless, hungry or without medical treatment: Scammers in Nigeria and elsewhere are stealing money meant for victims of the disaster.

If you think there is a line that such scammers won’t cross, think again.

Here is an email soliciting donations on behalf of “HAITI CITIZENS LIVING IN THE UNITED KINGDOM” with relatives living in Haiti, but really originating from an IP address in Nigeria, West Africa:

PASTOR JOHN BROMA
HAITI CITIZENS IN UNITED KINGDOM
23 BEN AVENUE S/W,LONDON
UNITED KINGDOM

DEAR SIR/MADAM

WE ARE HAITI CITIZENS LIVING IN THE UNITED KINGDOM WHOM THEIR FAMILIES
ARE AFFECTED BY THE RECENT EARTQUAKE,WE HAVE BEEN TRYING TO RAISE MONEY
TO HELP THE HAITI CITIZENS WHO ARE WITHOUT FOODS,DRUG AND SHELTER,SO WE
PLEAD THAT YOU SUPPORT US WITH WHAT EVER YOU CAN.

ALL DONATIONS SHOULD BE SEND THROUGH WESTERN UNION MONEY TRANSFER
BECAUSE OF THE URGENT ATTENTION NEEDED.DO SEND IT TO THE INFORMATIONS BELOW.

PASTOR JOHN BROMA

HAITI CITIZENS IN UNITED KINGDOM
23 BEN AVENUE S/W,LONDON
UNITED KINGDOM

PLEASE MAKE SURE THAT YOU FORWARD THE WESTERN UNION INFORMATIONS SUCH AS
SENDERS NAME,AMOUNT SEND AND THE MTCN.WE PRAY THAT ALMIGHTY GOD WILL
BLESS AS YOU HELP THE SUFFERING HAITI CITIZEN.

THANKS FOR YOUR HELP

PASTOR JOHN BROMA(SECRETARY)

Looking at the message headers we see:

Received: from User ([82.128.33.35] RDNS failed) by mail.westnet.com
with Microsoft SMTPSVC(6.0.3790.3959); Fri, 15 Jan 2010 19:13:32 +0900
Reply-To: <pastorjohnbroma@yahoo.com>
From: HIATI CITIZENS IN UNITED KINGDOM<pastorjohnbroma@yahoo.com>
Subject: HELP FOR HAITI
Date: Sat, 16 Jan 2010 11:21:10 -0800

IP address 82.128.33.35 belongs to a cell phone provider in Nigeria:

inetnum: 82.128.32.0 – 82.128.63.255
netname: INET-MLTL
descr: CDMA 1x/EVDO Dial up pool
country: NG
admin-c: RIA27
tech-c: RIA27
status: ASSIGNED PA
mnt-by: MLTL-INT-MNT
mnt-lower: MLTL-INT-MNT
source: AFRINIC # Filtered
parent: 82.128.0.0 – 82.128.127.255

person: IP Admin-RIPE
address: Multilinks Telecommunications Limited
address: 231 Adeola Odeku Str.
address: Victoria Island, Lagos, Nigeria

The criminal who sent this mail must be one of their customers.
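The header check described above can be scripted. The following is an added example, not code from the original post: it pulls the connecting IP from the Received line, tests it against the inetnum range, and compares the clocks in the Received and Date headers. The function names and the claimed_country parameter are assumptions made for the illustration.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Headers and whois fields copied from the post; the folded Received line is
# indented again, as it would be in the raw message.
RAW_HEADERS = """\
Received: from User ([82.128.33.35] RDNS failed) by mail.westnet.com
 with Microsoft SMTPSVC(6.0.3790.3959); Fri, 15 Jan 2010 19:13:32 +0900
Reply-To: <pastorjohnbroma@yahoo.com>
From: HIATI CITIZENS IN UNITED KINGDOM<pastorjohnbroma@yahoo.com>
Subject: HELP FOR HAITI
Date: Sat, 16 Jan 2010 11:21:10 -0800

"""
WHOIS_RECORD = """\
inetnum: 82.128.32.0 - 82.128.63.255
netname: INET-MLTL
descr: CDMA 1x/EVDO Dial up pool
country: NG
"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_date(value):
    """Parse an RFC 5322 date; return None when it is missing or malformed."""
    try:
        return parsedate_to_datetime(value.strip())
    except (TypeError, ValueError, AttributeError):
        return None


def first_hop(msg):
    """Return (ip, timestamp) from the bottom-most Received header.

    Each relay prepends its own Received line, so the last one in the list is
    the hop closest to the sender. Lines below the first relay you trust can
    be forged; this message carries a single Received line.
    """
    received = msg.get_all("Received") or []
    if not received:
        return None, None
    header = received[-1]
    match = IPV4_IN_BRACKETS.search(header)
    ip = ipaddress.ip_address(match.group(1)) if match else None
    return ip, parse_date(header.rsplit(";", 1)[-1])


def parse_inetnum(whois_text):
    """Return (first_ip, last_ip, country) from an inetnum whois object."""
    # Accept the ASCII hyphen whois prints and the en dash web pages turn it into.
    rng = re.search(r"^inetnum:\s*(\S+)\s*[-\u2013]\s*(\S+)", whois_text, re.M)
    if not rng:
        raise ValueError("no inetnum line found")
    country = re.search(r"^country:\s*(\S+)", whois_text, re.M)
    return (ipaddress.ip_address(rng.group(1)),
            ipaddress.ip_address(rng.group(2)),
            country.group(1).upper() if country else None)


def analyse(raw_headers, whois_text, claimed_country):
    """Compare where the mail claims to come from with what the relay saw.

    claimed_country is the ISO code implied by the message text (an input the
    analyst supplies, here "GB" for "UNITED KINGDOM").
    """
    msg = message_from_string(raw_headers)
    ip, received_at = first_hop(msg)
    first, last, country = parse_inetnum(whois_text)
    in_range = ip is not None and first <= ip <= last

    # Hours by which the sender-written Date header runs ahead of the relay clock.
    claimed_at = parse_date(msg["Date"])
    skew = None
    if received_at and claimed_at and received_at.tzinfo and claimed_at.tzinfo:
        skew = round((claimed_at - received_at).total_seconds() / 3600, 1)

    findings = []
    if in_range and country and country != claimed_country:
        findings.append(f"sender IP {ip} is allocated in {country}, "
                        f"message claims {claimed_country}")
    if skew is not None and abs(skew) > 24:
        findings.append(f"Date header is {skew} h off the relay's Received time")
    return {"origin_ip": str(ip) if ip else None, "in_range": in_range,
            "country": country, "date_skew_hours": skew, "findings": findings}


if __name__ == "__main__":
    for key, value in analyse(RAW_HEADERS, WHOIS_RECORD, "GB").items():
        print(f"{key}: {value}")
```

The Date header is written by the sender's own machine, so a large gap against the relay's timestamp only shows that the sending client's clock or timezone is unreliable; the IP recorded by the relay is the stronger evidence.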

If you want to make a donation to help those affected by the disaster, send it to the Red Cross or another well established relief organization. Beware of any stranger who asks you to wire money by Western Union or MoneyGram, because these instant wire transfer services are essentially anonymous and untraceable and there are no safeguards whatsoever against abuse by criminal recipients, who can not be traced. That is precisely why scammers prefer you to send money that way.

If hell exists there must be a special place there waiting for these scammers, who even make money out of the orphans and dying in Haiti.

Dial +44 70 (UK number) for international online fraud

A few years ago I created the Scam-O-Matic (www.scamomatic.com), a website that every month has helped thousands of people worldwide by automatically diagnosing online fraud emails that people have submitted to it. Scamomatic.com recognizes fake lotteries, “dead customer” scams, “dying widow” scams and many other common formats from scammers from Nigeria that you may have seen in your inbox before. Even when it can’t pinpoint the exact type of scam, it often recognizes it as a generic scam format, largely thanks to the presence in the email of UK phone numbers that start with +44 70. These numbers are everywhere in Nigerian online scams, regardless of the precise scam format. The +44 70 prefix might as well be called the country code of Nigerian scammers.

If you receive any email that mentions any +4470 phone number, do not reply to it! You can submit the body of any suspicious email message to www.scamomatic.com for instant feedback about what kind of scam it might be.
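A mail filter can look for these numbers itself. The following is an added example and not Scam-O-Matic's actual code: it finds +44 70 numbers in a message body however they are spaced or punctuated, normalises them, and ignores ordinary UK landline and mobile numbers. The sample email is constructed; its two +44 70 numbers are the ones in the sample list at the end of this post, and the function name is an assumption.

```python
import re

# Up to three spaces, dots, dashes or brackets may sit between digits.
# Newlines are excluded so a match cannot run on into the next line.
SEP = r"[ \t.\-()]{0,3}"

# "+44" or "0044", an optional trunk zero as in "+44 (0)70 ...", then "70"
# and exactly eight more digits (UK national numbers have ten digits).
UK_070 = re.compile(
    r"(?<![\d+])(?:\+|00)" + SEP + r"44" + SEP
    + r"(?:0" + SEP + r")?7" + SEP + r"0"
    + r"(?:" + SEP + r"\d){8}(?!\d)"
)

# Constructed sample message. The last line holds a landline and a mobile
# number that must NOT be flagged.
SAMPLE_EMAIL = """\
Contact our London claims agent Barrister James on +44 700 580 1505
or fax 0044 (0)70 0580 2020 for immediate release of your funds.
Our accountant can also be reached on +44-7005801505.
Head office switchboard: +44 20 7946 0123, mobile +44 7700 900123.
"""


def find_uk_070_numbers(text):
    """Map each +44 70 number (E.164 form) to the spellings seen in text."""
    hits = {}
    for match in UK_070.finditer(text):
        digits = re.sub(r"\D", "", match.group(0))
        if digits.startswith("00"):       # 0044... -> 44...
            digits = digits[2:]
        national = digits[2:]             # drop the country code
        if len(national) == 11:           # drop the trunk zero of "(0)70"
            national = national[1:]
        hits.setdefault("+44" + national, []).append(match.group(0))
    return hits


if __name__ == "__main__":
    for number, spellings in find_uk_070_numbers(SAMPLE_EMAIL).items():
        print(number, "seen as", spellings)
```

Numbers written in national form (070 ...) are left out on purpose, because without the country code they cannot be told apart from numbers in other countries.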

These +4470 numbers are a gift to online scammers by British phone regulators. They are primarily owned by obscure British phone companies offering an anonymous call forwarding service. The economic model of these services is simple: The caller dials a rather expensive UK number and the UK service provider forwards the incoming call to a somewhat less expensive to call international number (for example a Nigerian mobile phone, which remains hidden from the caller), pocketing the difference between the call rates. For example, the caller might pay 50 cents per minute to call a +44 70 number and the call will then be forwarded to a Nigerian mobile phone that costs 25 cents per minute, leaving 25 cents per minute as a net margin for the service operator. The more successful the scammers are, the more money the phone company makes. Who ever said crime doesn’t pay?

These UK phone numbers are very attractive to scammers: When people can be made to believe that they are dealing with a bank, lawyer or government official in London, UK, when they’re actually talking to a scammer on his cell phone in an Internet cafe in Lagos, Nigeria, they are much more easily defrauded by criminals.

As far as I can tell these numbers aren’t really being used for any other purpose than to enable international online crimes to be committed. In some nine years of tracking Nigerian scam emails, I have yet to come across a single legitimate user of a +44 70 number. I really don’t understand why the British government has allowed those services to continue to operate.

Now, of course the service operators can claim that they don’t know that their services are being used for criminal purposes unless someone tells them about it. On the other hand, they are not exactly making it easy to report abuse and the high prices of these services mean that it’s unlikely that they’ll get much legitimate use, if any.

There are several ways to curb abuse, other than suspending +44 70 numbers altogether, and I would encourage the UK government to seriously consider them:

  • The UK regulators could make it a requirement that calls via this service either originate in the UK or terminate in the UK, i.e. to prevent unrestricted global relaying, with say calls from India or the US being forwarded to Nigeria or Côte d’Ivoire.
  • The UK regulators could require service providers to announce the country name of the phone number to which the call is being forwarded if the destination number is not a UK number.
  • The UK regulators could require service providers to block forwarding to mobile phone numbers in certain countries, e.g. Nigeria.

Below is a sample list of +44 70 numbers that appeared in Nigerian scams reported to Scam-O-Matic over the course of the last seven days. These roughly 60 phone numbers per day are only the tip of the iceberg:

Domain appraisal scam

Be careful if you receive an email like the following:

We are interested to buy your domain name YOUR-DOMAIN-HERE and offer to buy it from you for 80% of the appraised market value.

As of now we accept appraisals from either one of the following leading appraisal companies:

– fleos.com
– sedo.com

If you already have an appraisal please forward it to us.

As soon as we have received your appraisal we will send you our payment (we use paypal for amounts less than $2,000 and escrow for amounts above $2,000) as well as
further instructions on how to complete the transfer of the domain name.

We appreciate your business,

Yours truly,

Mark Evans

The offered percentage or the alias of the sender may be different. The list of appraisal companies may vary too, and the catch is in the requested appraisal: Whereas sedo.com is a well-established company dealing in domain resale and appraisal, the domains fleos.com, flyrating.com and others are new:

Domain Name: FLEOS.COM
Registrar: WEB COMMERCE COMMUNICATIONS LIMITED DBA WEBNIC.CC
Whois Server: whois.webnic.cc
Referral URL: http://www.webnic.cc
Name Server: NS1.EZYDOMAIN.COM
Name Server: NS2.EZYDOMAIN.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 04-jul-2009
Creation Date: 04-jul-2009
Expiration Date: 04-jul-2010

Registrant Contact:
Modern Outlook Sdn Bhd
Modern Outlook Sdn Bhd (reg_460127@whoisprotection.cc)
Lot 13-01A, Level 13 (East Wing) Berjaya Times Square, No.1, Jalan Imbi
Kuala Lumpur, Wilayah Persekutuan, Malaysia 55100
P: +603.21491999 F: +603.21431685

This one was used earlier than in the above sample:

Domain Name: FLYRATING.COM
Registrar: WEB COMMERCE COMMUNICATIONS LIMITED DBA WEBNIC.CC
Whois Server: whois.webnic.cc
Referral URL: http://www.webnic.cc
Name Server: NS1.EZYDOMAIN.COM
Name Server: NS2.EZYDOMAIN.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 26-may-2009
Creation Date: 26-may-2009
Expiration Date: 26-may-2010

Registrant Contact:
Modern Outlook Sdn Bhd
Modern Outlook Sdn Bhd (reg_449229@whoisprotection.cc)
Lot 13-01A, Level 13 (East Wing) Berjaya Times Square, No.1, Jalan Imbi
Kuala Lumpur, Wilayah Persekutuan, Malaysia 55100
P: +603.21491999 F: +603.21431685

Notice how they’re both registered via the same registrar. If anyone checks out the fees, they’ll find that, not coincidentally, these no-names charge less than Sedo.com for their service, so they might easily get picked by domain owners hoping to make quick cash.
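The comparison made above (recent creation dates, same registrar, same name servers) can be automated for any set of WHOIS records. The following is an added example, not a tool used for this post: the function names and the 180-day "young domain" threshold are assumptions, and the sample text is trimmed from the two records quoted above.

```python
from datetime import date

MONTHS = {m: i for i, m in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), start=1)}

# Registry fields trimmed from the two WHOIS records quoted on this page.
WHOIS_SAMPLES = [
    """Domain Name: FLEOS.COM
Registrar: WEB COMMERCE COMMUNICATIONS LIMITED DBA WEBNIC.CC
Referral URL: http://www.webnic.cc
Name Server: NS1.EZYDOMAIN.COM
Name Server: NS2.EZYDOMAIN.COM
Creation Date: 04-jul-2009
""",
    """Domain Name: FLYRATING.COM
Registrar: WEB COMMERCE COMMUNICATIONS LIMITED DBA WEBNIC.CC
Referral URL: http://www.webnic.cc
Name Server: NS1.EZYDOMAIN.COM
Name Server: NS2.EZYDOMAIN.COM
Creation Date: 26-may-2009
""",
]
REPORT_DATE = date(2009, 8, 10)  # the post's "Last updated" date


def parse_whois(text):
    """Parse 'Key: value' lines; repeated keys (Name Server, Status) become lists."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split at the first colon only
        if sep and value.strip():
            record.setdefault(key.strip().lower(), []).append(value.strip())
    return record


def parse_registry_date(value):
    """Parse the dd-mon-yyyy form used in these records, independent of locale."""
    day, month, year = value.lower().split("-")
    return date(int(year), MONTHS[month], int(day))


def compare_records(texts, seen_on, young_days=180):
    """Report each domain's age on seen_on and the infrastructure all records share."""
    records = {}
    for text in texts:
        rec = parse_whois(text)
        records[rec["domain name"][0].lower()] = rec
    ages = {name: (seen_on - parse_registry_date(rec["creation date"][0])).days
            for name, rec in records.items()}
    shared = {}
    for field in ("registrar", "name server"):
        common = set.intersection(*(set(rec.get(field, [])) for rec in records.values()))
        if common:
            shared[field] = sorted(common)
    young = sorted(name for name, age in ages.items() if age <= young_days)
    return {"age_days": ages, "young": young, "shared": shared}


if __name__ == "__main__":
    print(compare_records(WHOIS_SAMPLES, REPORT_DATE))
```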

Your guess is as good as mine as to who sends out those buy offer spams that drive business to those cookie-cutter domain appraisal firms, which take $22.95 from anyone falling for this scam.

Unless you enjoy getting scammed, avoid any domain purchase offer in which the would-be buyer does not come up with an offer price on his own but asks you to get an appraisal from a third party and promises to pay you a percentage of the appraised value!

Other “appraisal company” domains used:

  • nameorange.com
  • pedma.com
  • pozde.com
  • podzz.com
  • domainexplorer.org
  • pddomains.com

Last updated: 2009-08-10

“…, has added you as a friend on SiliconIndia” scam emails

Over the past year I’ve been getting a steady trickle of “friend requests”, i.e. invitations to join a service, for a website called SiliconIndia. Virtually all the supposed senders were women from India. Job titles included Software Engineer, Business Analyst and HR Executive. Most were very pretty. By that I mean not just better than average looking, more like the portfolio of a modeling agency.

Because of my volunteer work against online scams, some email accounts of mine end up in address books of thousands of people who over time have forwarded me samples of questionable mails. Consequently, I also receive a lot of requests to join online networking and other websites, many of which make it too easy to invite everyone in your address book to join a particular service when you join. One mail folder that I keep exclusively for such invitations from people I don’t recognize currently contains over 1,100 examples.

When I received another SiliconIndia invitation yesterday, I decided to take a closer look and a very interesting picture evolved. I had 42 invitations going back to February 2008. Nine of them (originating with three individuals) did not include a photograph and almost all of those were from the first month. They may have been real invitations. The interesting thing about the other 33 invitations was that the senders were all female. Not one guy! 23 of these were sent from Gmail accounts and 10 from AOL or AIM accounts. One picture I received from both a Gmail and an AOL account. It wasn’t just that these emails had AOL or Gmail sender addresses, they also did not come from a SiliconIndia mail server as one might expect for regular “tell a friend” invitations. All were sent from regular personal Gmail and AOL accounts through the respective mail servers.

What this tells me is that someone is manually making up invitation mails, using pictures of pretty women to attract mostly male job seekers to join that service. And somebody somewhere is making money out of people who respond.

Out of curiosity I joined the service under an assumed identity. The profile for the person who had invited me the day before had a list of 456 “friends”. If she were to “stay in touch” with all of them as it said in the invitation, she’d be a pretty busy lady. So next time you get an invitation to join SiliconIndia to connect with some pretty woman, don’t delude yourself. Most likely some guy somewhere is being paid a few rupees to mail pictures of pretty girls to thousands of guys in order to drive traffic to a commercial website.

Domain registration scam in China

Various companies in China are trying to scare domain owners in other countries into registering Chinese variants of their domain names by claiming some other party was trying to register these variants. Examples of this scam have been reported widely throughout 2008, involving the domains asiaton.cn, erimut.com, erimart.com, erimart-domains.com.cn, hknsc.hk, hongkongnet.org, hk-net.org.cn, hknetwork.hk.cn and others (erimut.com, erimart.com, erimart-domains.com.cn and hknsc.hk are linked by IP address).

Here is one that I received on 2008-12-08, originating from IP 58.38.209.249:

From: “andy” <andy@asiaton.cn>
To: “joewein” <joewein@pobox.com>
Sent: Monday, December 08, 2008 14:11
Subject: Urgent-Notification of intellectual property

Dear CEO,

We are Asiaton Network Service Co., Ltd, which is the Internet Trademark&domain name register center in China. I have something need to confirm with you. We have received an formal application. An international company named “ROB GmbH” wants to apply “joewein” for its own Internet Trademark and CN domain name on Dec 8, 2008 in china. We need to know your opinion because the Internet Trademark And CN domain name may relate to the copyright of your company name on internet. If your company do not intervene in it,we will formally consent their registration
because the registration principle is that “Every company or individual can register the domain name and Internet Trademark which is not registered,and who registers first who owns first.”
we would like to get the affirmation of your company. If you have any question,please contact us by telephone or email as soon as possible!

Best Regards !

Andy

Principal of Checking Department

Overseas Registration Organization

Tel:+(86)731-8187 729

Fax:+(86)731-8187 739

Mobile:+(86)731 6735 121

Skype:chinaregistry

E-mail:andy@asiaton.cn

web:www.asiaton.cn

2008-12-08

Such email solicitations are fraudulent, because you can safely assume that the same email, with other domains substituted for yours, has gone out to thousands of domain owners. I found an almost identical email (listing the same third party supposedly trying to register a domain) in another blog. Somebody obviously thinks being a registrar is a license to milk foreigners.

Don’t fall for this scam, they’re playing on fear.

If you own a .com, .net or national TLD (.co.uk, .de, .fr, etc.) domain but are not planning to set up a Chinese office or are not even doing any business in China, you have no reason to spend money on a domain registration with a Chinese registrar. Also, trademarks and domains are largely separate issues. You don’t become a trademark owner merely by registering a domain and vice versa.

The only domains that really count for your business are .com/.net/.org (depending on the nature of your organisation) and/or the country code top level domain (ccTLD, such as .co.uk or .jp) if you’re based outside the USA.

Below are other examples of domain registration spams / scams that I have received before. I am sure there are a lot more out there.

Received on 2008-03-18 from 221.221.167.121:

From: “Bruce.li” <Bruce.li@erimut.com>
To: “jwspamspy” <jwspamspy@pobox.com>
Sent: Tuesday, March 18, 2008 12:53
Subject: Jwspamspy Domain Name

Dear joewein.de LLC,

We are Beijing Erimut Network Information Technology Co., Ltd in China, which is the domain name registration centre here. A formal application from the company called ChengGuang Investment (China) Co.,Ltd is to register ” jwspamspy ” as their domain name and internet keyword on Mar 17th 2008. Since this involves your company name or trade mark, in no time do we inform you of this. Please contact us timely if a first registration is needed to protect the domain names and internet keywords.

Kind Regards
Bruce.Li

Tel: +86-10-62667420 ext.602
Fax: +86-10-62667460

Email: Bruce.li@erimut.com
Beijing Erimut Network Information Technology Co.,Ltd
Website: www.erimut.com

2008-03-18

Bruce.li

Received on 2008-07-30 from 123.127.123.173:

From: “thomas.zhang” <thomas.zhang@erimart-domains.com.cn>
To: “419” <419@419scam.org>
Sent: Wednesday, July 30, 2008 12:55
Subject: Joewein Domain name & Internet keyword

July 30, 2008

Joewein

Domain name & Internet keyword

Dear Sir/Madam,

We are Beijing Erimart Network Service Co., Ltd which is the domain name register center in China. We received a formal application from a company who is applying to register “joewein” as their domain name and Internet keyword on July 27, 2008.Since after our investigation we found that this word has been in use by your company, and this may involve your company name or trade mark, so we inform you in no time. If you consider these domain names and internet keyword are important to you and it is necessary to protect them by registering them first, contact us soon. Thanks for your co-operation and support.

Kind Regards,

Thomas.Zhang

Tel: +86-10-62961631-8017

Fax: +86-10-82780671

Email: thomas.zhang@erimart-domains.com.cn

Beijing Erimart Network Service Co, Ltd

http://www.erimart.com

2008-07-30

thomas.zhang

Received on 2008-11-07 from IP 58.38.209.249:

From: “jackey.zhuang” <jackey.zhuang@hongkongnet.org>
To: “419” <419@419scam.org>
Sent: Friday, November 07, 2008 18:10
Subject: 419scam Notice

Dear Sir/Madam,

We are Hong Kong Network service Company Limited, the an official domain name registration center.

On Nov 06, we received an application from another company for the domain names “419scam” , but later we found your company is their original owner and this may involve your company name or trade mark and this may cause confusion between your products and others’ , and bring about negtive effect on your company.

Therefore we decided to inform you of this and check out your attitude toward thismatter.That is, do you want to protect these domain names by registrering them ahead or not? We would appreciate if you can spare some precious time to settle this issue.

Thank you for your cooperation and looking forwards to your early reply.

Kind Regards,

Jackey.zhuang

Tel: +852-31757930 ext.8012

Fax:+852-31757932

Email:jackey.zhuang@hongkongnet.org

Hong Kong Network Service Co. Ltd

Website:www.hknsc.hk