Today I was contacted by someone about a domain flapstate.com which was still on my spam list from spam received last year. It looks like since then the domain had expired and been deleted, but then registered by a new owner for what appears to be a scam.
The same scam also uses domains
- mdanclub.com
- wayizer.com
- wayate.com
- coralnic.com
- grigga.com
- srcify.com
- azureclub.com
- flipality.com
and probably many others. The fact that they keep switching the domain of their website is already one giveaway that it’s a scam.
The four domains wayate.com, wayizer.com, mdanclub.com and flapstate.com are all hosted on the same server, at IP address 216.22.50.130. That IP address has been assigned the reverse DNS name “server1.bestunbeatableoffer.com”. Interestingly “bestunbeatableoffer.com” is not currently working, as it has been suspended by its registrant for spam or abuse. A Google search for the domain “bestunbeatableoffer.com” finds a blog entry that accuses the site owners of phishing, using a whole bunch of different domains that harvested personal details, including email addresses and passwords.
Do not enter your real name, email account or password on any of these websites. These sites are deceptive and harvest personal information which can (and probably will) be abused!
Here is what happens. If you access any of these websites it first gives you this message:
Our system indicates that a pic from your ip address has been uploaded to this site within the past 48 hours.
This is a blatant lie, because it will say that from whatever IP address you access from, as this is hard-coded into the website. It doesn’t even check what IP address you access from before it puts up this dialog.
Once you click OK it puts up another dialog:
Fill in to view your pics.
FULL Name of Friend
who referred you to this page:Your FULL Name:
Your FULL Email:
It then asks for your password. This is highly dangerous. With your email address on Yahoo, Hotmail, Gmail and many other services and your password, the website could access your online address book and find all your online contacts. What’s more it can then contact everyone in your address book in your name, sending them an email that looks like it was sent by you! Thus the deception would snowball. It would allow massive address harvesting.
This is especially true because they also ask about which social networking site you come from (e.g. Myspace, Facebook). If people happen to use the same password there, it will allow the scammers to break into social networking accounts and their associated address books, “friends lists”, etc. They can then tell every one that “their pic has been uploaded” and repeat the game ad infinitum, until they have stolen millions of names, email addresses and passwords.
After filling in the previous forms with bogus data, I got this dialog:
FINAL STEP BEFORE RETRIEVING RESULTS
Our system indicates that your friend recently bookmarked and reserved this page just for you.
It said that after I made up a bogus name for the friend who supposedly sent me there. My email address was also one I made up and had never used before (on a domain that I own). After that I got an error message:
Link unavailable
Possible causes are:
Your geographic location is not allowed for this offer.
Duplicate IP Address.
A system error ocurred.
The offer has expired.
The AFID or CID is not valid or authorized.
The domain flapstate.com was registered with these details, which appear to be forged (see comments below by the real Adam Arzoomanian, who appears to be an innocent party whose name was abused and reputation destroyed by the real scammer):
Registrant [1405632]:
Adam Arzoomanian bulletinpics@gmail.com
375 E Harmon
Las Vegas
NV
89109
USAdministrative Contact [1405632]:
Adam Arzoomanian bulletinpics@gmail.com
375 E Harmon
Las Vegas
NV
89109
US
Phone: +1.7029221911Billing Contact [1405632]:
Adam Arzoomanian bulletinpics@gmail.com
375 E Harmon
Las Vegas
NV
89109
US
Phone: +1.7029221911Technical Contact [1405632]:
Adam Arzoomanian bulletinpics@gmail.com
375 E Harmon
Las Vegas
NV
89109
US
Phone: +1.7029221911Domain servers in listed order:
NS1.DOMAINSERVICE.COM 67.99.176.12
NS2.DOMAINSERVICE.COM 67.97.247.209
NS3.DOMAINSERVICE.COM 64.49.213.231
NS4.DOMAINSERVICE.COM 67.97.247.210Record created on: 2008-08-03 19:18:56.0
Database last updated on: 2008-08-03 19:16:31.357
Domain Expires on: 2009-08-03 19:18:56.0
(Note that registrant details are not generally verified by registrars, so there is little to stop a criminal from using someone else’s name for a fraudulent domain registration.)
Any other domains that are part of this same scam are likely to use the same address details.
The street address and phone number listed above appear to belong to a nightclub called Spin Nightclub.
Toptieprofiles.com appears to have been part of the same scam, because its HTML code used to reference IP address 216.22.4.42, as does flapstate.com.
Also, the email address used in the domain registration (bulletinpics@gmail.com) suggests a link to domain BulletinPics.com which was also used for an email address and password harvesting scam (see here). Website www.bulletinpics.com looks identical to flapstate.com but is hosted on a different server, on IP address 159.25.17.50. This site loads an iframe that points at domain destination-server.com, which is hosted at IP address 216.22.50.130 like flapstate.com, wayate.com, wayizer.com and mdanclub.com. Here’s the registration record for bulletinpics.com:
Registrars.domain: bulletinpics.com
owner: – –
organization: Spin Promotions
email: bulletinpics@gmail.com
address: 2255A Renaissance Drive
city: Las Vegas
state: —
postal-code: NV
country: US
phone: +1.7029221911
admin-c: CCOM-1288874 bulletinpics@gmail.com
tech-c: CCOM-1288874 bulletinpics@gmail.com
billing-c: CCOM-1288874 bulletinpics@gmail.com
nserver: a.ns.joker.com 69.39.224.27
nserver: b.ns.joker.com 66.197.237.21
nserver: c.ns.joker.com 69.39.224.26
status: lock
created: 2008-05-13 12:14:33 UTC
modified: 2008-05-14 10:01:57 UTC
expires: 2009-05-13 12:14:33 UTCcontact-hdl: CCOM-1288874
person: – –
organization: Spin Promotions
email: bulletinpics@gmail.com
address: 2255A Renaissance Drive
city: Las Vegas
state: —
postal-code: NV
country: US
phone: +1.7029221911
The name “Spin Promotions” suggests a possible connection to Spin Nightclub, whose street address was used for the other domain registrations.
ProfileMirrors.com is another domain that loads a page off destination-server.com. This job offer on GetAFreelancer.com for people doing captcha entry mentions both destination-server.com and bulletinpics. This is very interesting because CAPTCHAs are commonly used to defeat spammers who automatically set up or log in to email accounts at free email providers or BBSes or social networking sites. Here’s a copy of the posting, just in case it gets removed:
searching for good and reliable Teams for desntination captcha entry project . we can pay good rate . PM for more details
when you will PM , please include in your PM
* how many entries you will do everyday
* how many peoples you have to work on this project********************************************************************
Before bidding work for 15 mins then give us feedback
http://www.destination-server.com/bulletinpics/entry.cgi
entry ID : demo
When I tried the URL given I got this message:
TOO MANY AGENTS LOGGED IN AT ONCE:
PLEASE TAKE A 30 MINUTE REST.
After 30 minutes CLICK HERE to continue work.
Project Manager: Scott Shaw
bulletinpics at gmail dot comThe reason this error page continues to appear is
because agents NEED to take a 30 minute break.
Do not keep attempting to open page.
PLEASE WAIT 30 MINUTES or this
error will continue to appear.
When I tried it again, I got a CAPTCHA to solve. It turned out to be from MySpace:
Could it be that these people use software to log into MySpace accounts using passwords obtained via the scam and then use job seekers in Bangla Desh, India and other low-wage countries to defeat the CAPTCHA test thrown at them by MySpace, so they can get at the data in the account afterwards?
With bulk CAPTCHA tests they can also invite anyone on MySpace to become “friends” of the phished accounts, so they can potentially reach every active MySpace user.
Here’s another job offer (a Google search finds many more offers like this):
we need captcha entry team for destination capthca project . we need teams who can deliver minimum 15,000 captcha entries to 50,000 captcha entries daily
http://www.destination-server.com/bulletinpics/entry.cgi
entry ID : demo
please go to the link and work for 15 mins , then give us feedback how many entries you can handle daily.interested team can PM us . but u should check the given link before PM us
Rate is negotiable
happy bidding
The following offer that mentions “bulletinpics” even talks of millions of CAPTCHAs to be solved:
Status: Open
Budget: $30-250
Created: 06/15/2008 at 5:07 EDT
Bidding Ends: 08/14/2008 at 5:07 EDT (2 days, 2 h left)
Project Creator: bulletinpics
Buyer Rating:
(2 reviews)
Description: As many people know, the BulletinPics CAPTCHA project has been very succesful, solving over 250,000 captcha entries per day for several teams earning very good money. We are looking to expand to over one million captchas per day but in order to do this, we need to rotate new domain names to host our images.We are now looking for people/companies who own unused .COM domain names. We need to point these domains to our main image server for two weeks per domain.
For example, if you own 10 unused domains, we would need you to change the DNS so the A record of each domain would point to our captcha server’s IP address. We are willing to pay $1USD (or best lowest bid) to use up to 1000 domains for 2 weeks each. Please let us know if you can provide this type of service.
More related domains (see also):
- tellafriendrewards.com
- stolenprofiles.com
- profilemirrors.com
- ownyourfriendarchive.com
- tradepeopleprofiles.com
- friendownership.com
- mirrorsocialsites.com
- bulletinpics.com
- peepatpeeps.com
- buddyspots.com
- saveyour profile.com
- seepeopleprofiles.com
- socialprofilemirror.com
- discussprofiles.com
UPDATE 2008-10-21:
The server at 216.22.50.130 (http://www.destination-server.com/bulletinpics/entry.cgi
) now displays this message, suggests the scam has ended:
This website has been discontinued
All team leaders will be paid in full this week.
UPDATE (2008-11-06):
Spin nightclub happened to be where infamous spammer Sanford “Spamford” Wallace aka “DJ Masterweb” worked (see here). According to the WikiPedia article on Wallace he has been targeting MySpace users before:
On 2008-01-26 the UK Register reported that the Federal Trade Commission has asked the Judge overseeing the 2006 settlement to find Wallace and partner Walter Rines in civil contempt of court for their use of malware and social engineering on MySpace to promote porn and gambling sites.[8] In May 2008 Wallace and Rines were found guilty and ordered to pay $230 million to MySpace by the L.A. District Court when they failed to appear for trial.
What a remarkable coincidence!