Updated
2rd August 2005

   Dynamoo 2005

  

 

 

Mikro-n.com Job Offer Scam

19th June 2005

The mikro-n.com job offer is FRAUDULENT. If you have been "recruited" by this company then you should immediately contact your local law enforcement office.

Recent months have seen a huge increase in the number of fake "job offer" spam email messages circulating. In all cases that we have seen, these job offers are fraudulent and are either money laundering or a cashier's check fraud attempt. In the case of the mikro-n.com job offer, this appears to be money laundering and if you get involved in this you may well be liable to criminal proceedings unless you take immediate action to protect yourself.

If you have been recruited it is most likely to be YOU who will be caught first. Protect your own interests and take immediate legal advice.

The Mikro-n.com Email

The email pitch is very simple:

Get a JOB!

TODAY WE ARE THE ONLY WHO OFFER YOU A UNIQUE OPPORTUNITY TO EARN TOGETHER WITH OUR UNIQUE PARTNERSHIP PROGRAM.

We have many clients world-wide and today we are taking a closer and better look at the market's potential in United Kingdom for a possible sale
of our merchandize.

This might not be your general income. All You need to do is to receive money from our clients and to send the money back to us.
No special skills or experience is required.

You get 6% from the total sum for every successful money transfer.
For example we send L2000 to You. You take 6% from this money - that is L120.

To get any additional information about our site and to get the contract from us,

Send us an email and we'll reply in a couple of hours.


contact us: uk@mikro-n.com

Best regards,
Anny Sivley

There are several tell-tale signs that this is a fraud though:

  • The From: and Reply To: addresses do not match the contact name and address at the bottom.
  • The so-called "Job Offer" does not mention you by name.
  • There is no physical contact address or telephone number.
  • The job appears to be able to generate significant sums of money for no effort.
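The checks in the list above can be automated. The following is an added example, not code from the original page: the message body is abridged from the spam quoted above, while the From:/Reply-To: headers, the recipient name and the sign labels are constructed for illustration, since the page does not show the real headers.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: body abridged from the spam quoted on this page; the
# From:/Reply-To:/To: headers are invented placeholders.
SAMPLE = """\
From: "Job Centre" <sender@example.net>
Reply-To: replies@example.org
To: recipient@example.com
Subject: Get a JOB!

All You need to do is to receive money from our clients and to send the money back to us.
You get 6% from the total sum for every successful money transfer.

contact us: uk@mikro-n.com

Best regards,
"""

ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")   # captures the domain part
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
MULE_RE = re.compile(r"(receive|send|transfer)\w*\s+(the\s+)?money|money\s+transfer", re.I)


def domain(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def tell_tale_signs(raw, recipient_name):
    """Return the list of warning signs found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    signs = []

    # Sign 1: the contact address in the body shares no domain with From:/Reply-To:.
    header_domains = {d for d in (domain(msg["From"]), domain(msg["Reply-To"])) if d}
    body_domains = {d.lower() for d in ADDR_RE.findall(body)}
    if body_domains and not (body_domains & header_domains):
        signs.append("contact-address-mismatch")

    # Sign 2: the "offer" never mentions the recipient by name.
    if recipient_name.lower() not in body.lower():
        signs.append("not-addressed-by-name")

    # Sign 3: no telephone number anywhere in the body.
    if not PHONE_RE.search(body):
        signs.append("no-phone-number")

    # Sign 4: a percentage commission for simply passing money along.
    if MULE_RE.search(body) and re.search(r"\d+\s?%", body):
        signs.append("commission-for-moving-money")
    return signs


if __name__ == "__main__":
    print(tell_tale_signs(SAMPLE, "Jane Doe"))
```

The address check compares domains only, so a sender who forges a matching From: domain would need the other signs to be caught.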

We believe that in this scenario, the funds that you will be transferring are most likely to originate from bank fraud, pirated software and pornography. We can back this up by digging into the background behind mikro-n.com.

Mikro-n.com Domain

Although there is at present no web site for mikro-n.com, it does have a server registered at IP address 210.22.50.97, registered to:

    inetnum:    210.22.50.0 - 210.22.50.127
    netname:    shilong-trade-ltd
    country:    cn
    descr:      xian city,shanxi province
    admin-c:    TC254-AP
    tech-c:     TC254-AP
    status:     ASSIGNED NON-PORTABLE
    changed:    moujh@china-netcom.com 20021106
    mnt-by:     MAINT-CN-ZM28
    source:     APNIC

    person:     TECH GROUP CNC
    address:    9/F, Building A, Corporate Square, No. 35 Financial Street,
    address:    Xicheng District, Beijing 100032, P.R.China
    country:    CN
    phone:      +86-10-88093588
    fax-no:     +86-10-88091442
    e-mail:     tech-group@china-netcom.com
    nic-hdl:    TC254-AP
    mnt-by:     MAINT-CN-ZM28
    changed:    zhaomq@china-netcom.com 20010917
    source:     APNIC

China Netcom are one of the world's favourite sites for hosting spam and scam sites such as this. You might speculate as to the financial incentives that China Netcom managers might be getting in order to keep the spam sites operating.

Since this seems to be an email-orientated fraud, a lookup of the mikro-n.com mailserver gives the following result:

mikro-n.com mail is handled by 50 mx.nltzone.biz 

And mx.nltzone.biz is 210.22.50.97, so we know that the mail operation is being run off the same server.

The domain name mikro-n.com is registered by spam-friendly hosts Yesnic, a Korean company who seem to be the preferred choice of many internet fraudsters due to their poor controls and non-existent abuse reporting facilities.

       Domain Name: MIKRO-N.COM
       Registrar: YESNIC CO. LTD.
       Whois Server: whois.yesnic.com
       Referral URL: http://www.yesnic.com
       Name Server: NS4.NLTZONE.BIZ
       Name Server: NS3.NLTZONE.BIZ
       Name Server: NS2.NLTZONE.BIZ
       Name Server: NS1.NLTZONE.BIZ
       Status: ACTIVE
       Updated Date: 01-jun-2005
       Creation Date: 01-jun-2005
       Expiration Date: 01-jun-2006

It appears that Yesnic might be suppressing the WHOIS details, but in fact they were recently changed from:

    ::Registrant:: 
               Name      : Alberto Hetman
               Email     : larson93@safe-mail.net
               Address   : 6 via caballo
               Zipcode   : 92688
               Nation    : US
               Tel       : 38915274591
               Fax       :  
    ::Administrative Contact:: 
               Name      : Alberto Hetman
               Email     : larson93@safe-mail.net
               Address   : 6 via caballo
               Zipcode   : 92688
               Nation    : US
               Tel       : 38915274591
               Fax       :  
    ::Technical Contact:: 
               Name      : Alberto Hetman
               Email     : larson93@safe-mail.net
               Address   : 6 via caballo
               Zipcode   : 92688
               Nation    : US
               Tel       : 38915274591
               Fax       :
    ::Name Servers:: 
               ns1.nltzone.biz
               ns2.nltzone.biz
               ns3.nltzone.biz
               ns4.nltzone.biz  
    ::Dates & Status:: 
               Created Date   2005-06-01 05:45:24 EDT 
               Updated Date   2005-06-01 05:45:24 EDT
               Valid Date     2006-06-01 05:45:24 EDT
               Status         ACTIVE

The "Via Caballo" address is almost certainly fake and just chosen at random, as is the contact name.

Nltzone.biz Domain

The references to nltzone.biz are interesting, and pretty much every server on 210.22.50.97 is using nltzone.biz name servers for their domain. The nltzone.biz domain has the following contact details:

    Domain Name:                             NLTZONE.BIZ
    Domain ID:                               D9713754-BIZ
    Sponsoring Registrar:                    GANDI SARL
    Sponsoring Registrar IANA ID:            81
    Domain Status:                           clientTransferProhibited
    Registrant ID:                           O-912181-GANDI
    Registrant Name:                         Oleg Aprelenko
    Registrant Organization:                 Private person
    Registrant Address1:                     706 Willowbrook rd.
    Registrant City:                         Staten Island
    Registrant State/Province:               NY
    Registrant Postal Code:                  10314
    Registrant Country:                      United States
    Registrant Country Code:                 US
    Registrant Phone Number:                 +1.8006698488
    Registrant Email:                        altarrozzo@yahoo.com
    Administrative Contact ID:               OA216-GANDI
    Administrative Contact Name:             Oleg Aprelenko
    Administrative Contact Organization:     Private person
    Administrative Contact Address1:         706 Willowbrook rd.
    Administrative Contact City:             Staten Island
    Administrative Contact Postal Code:      10314
    Administrative Contact Country:          United States
    Administrative Contact Country Code:     US
    Administrative Contact Phone Number:     +1.8006698488
    Administrative Contact Email:            altarrozzo@yahoo.com
    Billing Contact ID:                      AR41-GANDI
    Billing Contact Name:                    CONTACT NOT AUTHORITATIVE see http://www.gandi.net/whois
    Billing Contact Organization:            Gandi SARL
    Billing Contact Address1:                38 rue Notre-Dame de Nazareth
    Billing Contact City:                    Paris
    Billing Contact Postal Code:             75003
    Billing Contact Country:                 France
    Billing Contact Country Code:            FR
    Billing Contact Email:                   support@gandi.net
    Technical Contact ID:                    OA216-GANDI
    Technical Contact Name:                  Oleg Aprelenko
    Technical Contact Organization:          Private person
    Technical Contact Address1:              706 Willowbrook rd.
    Technical Contact City:                  Staten Island
    Technical Contact Postal Code:           10314
    Technical Contact Country:               United States
    Technical Contact Country Code:          US
    Technical Contact Phone Number:          +1.8006698488
    Technical Contact Email:                 altarrozzo@yahoo.com
    Name Server:                             NS1.NLTZONE.BIZ
    Name Server:                             NS3.NLTZONE.BIZ
    Name Server:                             NS2.NLTZONE.BIZ
    Name Server:                             NS4.NLTZONE.BIZ
    Created by Registrar:                    GANDI SARL
    Last Updated by Registrar:               GANDI SARL
    Domain Registration Date:                Thu May 12 21:55:53 GMT 2005
    Domain Expiration Date:                  Thu May 11 23:59:59 GMT 2006
    Domain Last Updated Date:                Thu May 12 22:15:12 GMT 2005

You can be reasonably assured that the Staten Island address is fake, however Gandi.net really exist and are a spam-friendly registrar according to general feedback from around the web.

It seems that nltzone.biz is the heart of this operation. In fact, the domain can be connected by this listing in the Spamhaus SBL to spammer Leo Kuvayev aka "BadCow". So, either mikro-n.com is Kuvayev, or he is providing hosting and network services for them. Kuvayev is being prosecuted by the Massachusetts attorney general (see this BBC News article for more information).

Laundering What?

A fair question for a money laundering operation like this is "laundering what?". Quite aside from the Leo Kuvayev connection, there is a cluster of sites that can be directly traced to nltzone.biz which presumably are the reason for this so-called job offer.
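The pivot used throughout this page, grouping domains by the name servers their WHOIS records point at, can be scripted. The following is an added example, not code from the original page: the records are abridged from the WHOIS output quoted on this page, and the "last two labels" rule for finding a name server's parent domain is a simplifying assumption that ignores multi-part suffixes such as .co.uk.

```python
import re
from collections import defaultdict

# Abridged from the WHOIS output quoted on this page (several registrar formats).
RECORDS = {
    "mikro-n.com": """\
   Domain Name: MIKRO-N.COM
   Whois Server: whois.yesnic.com
   Name Server: NS4.NLTZONE.BIZ
   Name Server: NS3.NLTZONE.BIZ
   Status: ACTIVE
""",
    "antispywarecash.com": """\
Domain Name:antispywarecash.com
Domain servers in listed order:
 ns2.nltzone.biz   ns3.nltzone.biz
""",
    "cepi-ua.com": """\
 Registrar of Record: TUCOWS, INC.
 Domain servers in listed order:
    NS1.NLTZONE.BIZ
    NS4.NLTZONE.BIZ
""",
    "ipflyer.com": """\
Contact: ron@davies.ca
Name Servers:
   NS1.JOEPRO.COM
   NS2.JOEPRO.COM
Creation date: 24 Jan 2003 00:00:20
""",
    "thebesthgh.com": """\
Name Servers:
   ns1.tlink.net
   ns2.tlink.net
""",
}

HEADER_RE = re.compile(r"name\s*servers?|domain servers", re.I)
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def nameservers(whois_text):
    """Extract name server hostnames, whether inline or listed under a header."""
    found, in_section = set(), False
    for line in whois_text.splitlines():
        if HEADER_RE.search(line):
            in_section = True
            line = line.partition(":")[2]      # hosts may share the header line
        elif not line.strip() or ":" in line:  # blank line or next field ends the list
            in_section = False
        if in_section:
            found.update(h.lower() for h in HOST_RE.findall(line))
    return found


def cluster_by_ns_domain(records):
    """Map each name server parent domain to the domains delegating to it."""
    clusters = defaultdict(set)
    for dom, text in records.items():
        for host in nameservers(text):
            clusters[".".join(host.split(".")[-2:])].add(dom)
    return {ns: sorted(doms) for ns, doms in clusters.items()}


if __name__ == "__main__":
    for ns, doms in sorted(cluster_by_ns_domain(RECORDS).items()):
        print(ns, "->", ", ".join(doms))
```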

Antispywarecash.com

A domain reported many times for spamming with an offer for dubious anti-spyware software. It is unlikely that the software is effective and even possible that it may do more harm than good. Note that although the "Donald Roberson" name and address are valid, it is also likely that Mr Roberson has nothing at all to do with this site and the registration details are fake. It is also odd that a Californian would be using name services from Webrider.ru in Russia.

    Registrant:
     Donald Roberson easy-card@popaccount.com +1.2108618119
     BlueHost
     17182 Avenida de la Herradura
     Pacific Palisades,CA,US 90272


    Domain Name:antispywarecash.com 
    Record last updated at 2005-05-28 09:31:07
    Record created on 2005/5/25
    Record expired on 2006/5/25


    Domain servers in listed order:
     ns2.nltzone.biz   ns3.nltzone.biz 

    Administrator:
     name:(Donald Roberson) 
    Email:(easy-card@popaccount.com) tel-- +1.2108618119
     BlueHost
     17182 Avenida de la Herradura
    \r
    t Pacific Palisades
    CA,
    US

     zipcode:90272

    Technical Contactor:
     name:(Donald Roberson) 
    Email:(easy-card@popaccount.com) tel-- +1.2108618119
     BlueHost
     17182 Avenida de la Herradura
    \r
    t Pacific Palisades
    CA,
    US

     zipcode:90272

    Billing Contactor:
     name:(Donald Roberson) 
    Email:(easy-card@popaccount.com) tel-- +1.2108618119
     BlueHost
     17182 Avenida de la Herradura
    \r
    t Pacific Palisades
    CA,
    US

     zipcode:90272


    Registration Service Provider:
    name: Regtime.net 
    tel: +7 8462788201
      fax: +7 8462788201
      web:http://www.webnames.ru

However, back in May 2005, the contact address for this domain was admin@neon-soft.com.

Through a number of sites registered to what appear to be fake contact details, we find that neon-soft.com used to be identical to ipflyer.com, which later became ipbroadcasting.com, and these last two domains are registered to:

    Registration Service Provided By: JoePro
    Contact: ron@davies.ca
    Visit: http://www.joepro.com
    	
    Domain name: ipflyer.com
    
    Administrative Contact:
       
       Rick Davies (rick@davies.ca)
       +1.6133971596
       Fax: 
       PO Box 46
       Wooler, ONTARIO K0K 3M0
       CA
    
    Billing Contact:
       
       Rick Davies (rick@davies.ca)
       +1.6133971596
       Fax: 
       PO Box 46
       Wooler, ONTARIO K0K 3M0
       CA
    
    Technical Contact:
       
       Rick Davies (rick@davies.ca)
       +1.6133971596
       Fax: 
       PO Box 46
       Wooler, ONTARIO K0K 3M0
       CA
    
    Registrant Contact:
       
       Rick Davies (rick@davies.ca)
       +1.6133971596
       Fax: 
       PO Box 46
       Wooler, ONTARIO K0K 3M0
       CA
    
    Status: Locked
    
    Name Servers:
       NS1.JOEPRO.COM
       NS2.JOEPRO.COM
       
    Creation date: 24 Jan 2003 00:00:20
    Expiration date: 24 Jan 2006 00:00:20

This is part of a cluster of sites including 1stpromotion.com and joepro.com. 1stpromotion.com is a spammy site that is an affiliate of Clickbank. So, is Antispywarecash.com a Rick Davies operation? Well, it looks like it used to be run by neon-soft.com which was an exact duplicate of the ipflyer.com site, which is Rick Davies. It may well be though that neon-soft.com was just a downstream affiliate.

Appela-watch.com

Registered with fake details to an apparent address in Nottinghamshire, UK. Although this now uses nltzone.biz nameservers, the site recently switched from ijfndgct.com nameservers, a domain linked to arch-spammer Robert Soloway.

Cepi-ua.com

Some sort of Ukrainian outfit involved in transportation along with other business activities. Why Cepi-ua.com should be hosted on a spam-friendly host in China is a mystery - but perhaps the WHOIS entry might be correct on this one:

    Registrant:
     NA
     Shulyavskaya 115
     Kiev, NA NA
     UA

     Domain name: CEPI-UA.COM

     Administrative Contact:
        Holod, Ivan  maps@ua.fm
        Shulyavskaya 115
        Kiev, NA NA
        UA
        +380.447342822
     Technical Contact:
        Holod, Ivan  maps@ua.fm
        Shulyavskaya 115
        Kiev, NA NA
        UA
        +380.447342822


     Registration Service Provider:
        Tucows/Opensrs, sales@opensrs.org
        416-535-0123
        http://referrals.tucows.com/



     Registrar of Record: TUCOWS, INC.
     Record last updated on 15-May-2005.
     Record expires on 25-Jan-2006.
     Record created on 25-Jan-2005.

     Domain servers in listed order:
        NS1.NLTZONE.BIZ   
        NS4.NLTZONE.BIZ   
        NS3.NLTZONE.BIZ   
        NS2.NLTZONE.BIZ 

The site previously had nameserver services set to ns555.biz and ijfndgct.com - ns555.biz is also linked to Robert Soloway.

Cevriye1.com, huysuz1.com, it-pay.net, zubeyde1.com

Purpose unknown, but registered with clearly fake contact details.

Dangerousteens.com, savagebabes.com, sweatsweet.com, sweettiny.com

Pornography sites. Accused of spamming Usenet news groups with child pornography. The contact details for these domains are almost definitely fake.

The mikro-n.com job offer scam could possibly be laundering the proceeds of this type of pornography. Of course, if these sites do contain child pornography then laundering the proceeds could be a very serious offence.

Easternloads.com, eastloads.com, eloadsfast.com, egetfast.com

Purpose unknown. Although the contact details are clearly fake, there is a valid contact email address of storm_c@hotmail.com which can be found on Google search and Google Groups relating to someone called "Dale". Dale uses anonymous proxies to hide his identity.

Energydrug.com, Xxenergy.com

Purpose unknown. Likely to be an RX or dietary supplements spam site.

Fastgetsoft.com, mnogochego.com, oemdownloads.com, progs4you.info, realoemsales.com, setitfast.com, setupitfast.com, soemchik.com, softforcheap.net

Some are registered to a presumably bogus address in Bangkok, using the spam-friendly Gandi registrar, and others are registered to fake addresses in other countries. These domains sell pirated software - they call it "OEM" software, but in reality it is cut-price unlicensed software being sold illegally.

The mikro-n.com job offer spam can be assumed to be a way of laundering the proceeds of this illegal activity.

Bestteenssites.com, fdgshd.com, fjerdes92.com, funfunfun.biz, hurioma.com, sgeyudh.com, teenssitesonly.com, vvideos.net, yvideos.net, z-videos.net

Spammy sites selling various types of hardcore pornography.

Get4fast.com

Illegal DVD duplication software.

Goldfxclub.com

An MLM scheme that appears to be affiliated with an outfit called MasterFX Trading LLC, of which there appears to be no trace anywhere on the web. The domain name is WhoisGuard protected and there are no contact details on the site. The domain was only registered on the 13th July, so it's likely to be a real fly-by-night operation.

Given the nature of the other related sites, any foolish investor in goldfxclub.com would most likely lose all their investment, which would then promptly be laundered using the scheme outlined at the beginning of this email.

Max-pays.net

Unlawful MLM scheme that appears to have collapsed. Domain name is parked with a reference to italpay.com

Moneypeak.biz

Another MLM site, with the following tagline: " 2002-2005 Wireless Multimedia LLC d.b.a. MoneyPeak.biz. MoneyPeak.biz activities are regulated in Americas, Europe and Asia/Pacific region.".

Although the WHOIS details have been hidden, we can trace them back to:

    Administrative Contact ID:                   882905FAC2D62684 
    Administrative Contact Name:                 Steven Niatas
    Administrative Contact Organization:         Wireless Media LLC
    Administrative Contact Address1:             One Commerce Center
    Administrative Contact Address2:             1201 Orange Street, Suite 700
    Administrative Contact City:                 Wilmington
    Administrative Contact State/Province:       DE
    Administrative Contact Postal Code:          19801
    Administrative Contact Country:              United States
    Administrative Contact Country Code:         US
    Administrative Contact Phone Number:         +1.3024215753

Moneypeak.biz is typical of so-called HYIP (high yield investment program) scams - offering 256% interest over 100 days, a rate which clearly is not sustainable. The domain was only registered on 13th March 2005, so it is unlikely to have a long term future.

Mynewdg.info

A laughable attempt at selling doctorates, degrees and diplomas over the web with no need to actually study or do any research. The domain now redirects to thebesthgh.com through an affiliate link, http://thebesthgh.com/dip which means that the webmaster of thebesthgh.com probably has valid contact details for mynewdg.info - an ideal candidate for serving legal papers to:

    Registration Service Provided By: JD Link LLC
    Contact: sales@jdlinkllc.com
    Visit: 
    	
    Domain name: thebesthgh.com
    
    Registrant Contact:
       George Stevens
       George Stevens (hostmaster@thebesthgh.com)
       +1.999-999-9999
       Fax: +.
       8348 Cascade Ln
       Charleston, WV 25233
       US
    
    Administrative Contact:
       George Stevens
       George Stevens (hostmaster@thebesthgh.com)
       +1.999-999-9999
       Fax: +.
       8348 Cascade Ln
       Charleston, WV 25233
       US
    
    Technical Contact:
       George Stevens
       George Stevens (hostmaster@thebesthgh.com)
       +1.999-999-9999
       Fax: +.
       8348 Cascade Ln
       Charleston, WV 25233
       US
    
    Billing Contact:
       George Stevens
       George Stevens (hostmaster@thebesthgh.com)
       +1.999-999-9999
       Fax: +.
       8348 Cascade Ln
       Charleston, WV 25233
       US
    
    Status: Active
    
    Name Servers:
       ns1.tlink.net
       ns2.tlink.net
       
    Creation date: 24 Mar 2005 20:05:17
    Expiration date: 24 Mar 2006 20:05:17

Pics-daily.com

Registered to:
            Joesh Simonsel
            joeshw@xss-ltd.com
            +49.9114623172 
            Xss Ltd. 
            Zerzabelshofstr. 31/79 
            Nurlmberg,NA,GERMANY 90478 

The purpose of this site is unknown.

Searchin9.com

Registered at parava.net who are unable to supply any contact details. The purpose of this site is unknown.

Solidfutures.biz

Another suspect MLM/HYIP site with a tagline: "  2000-2005 SF Evolution Inc. Office 401, World Trading Center, Marbella, Panama City ". The domain name is WhoisGuard protected to protect the true identity of the registrants.

Claiming up to 298% interest over 100 days, the scheme is clearly not sustainable and most likely unlawful.

Southtrust-ibank.com

Presumably registered in an attempt to carry out a highly illegal "phishing" attempt where bank details are collected and then funds stolen. You can safely assume that the "job" offered at the top of the page would involve moving stolen funds around.

The site currently forwards to hackru.info - but it is quite possible that these Russian hackers have deliberately disabled the phishing site before it was used. While we don't condone hacking, if these Russians have saved somebody from being ripped off then they are arguably doing a public service.

Casinosfree.info, freecasinosgames.net

Two sites which are not active yet, but will probably follow the same theme of spamming.


Update #1 - mikro-tech.com

3rd August 2005

The scammers have changed hosts to yet another Chinese host at 58.20.160.34, and with a different set of domain names:

  • www.Bulkanswers.com
  • www.Cepi-ua.com
  • www.Damcd.com
  • www.Getthefatoff.com
  • www.Dangerousteens.com
  • www.Einfach-sexy.com
  • www.Funfunfun.biz
  • www.Getitfast2005.com
  • www.Kalpler1.com
  • www.Mikro-n.com
  • www.Mikro-tech.com
  • www.Oem-cd.info
  • www.Postmaster-info.com
  • www.Savagebabes.com
  • www.Soemchik.com
  • www.Sweettiny.com
  • www.Teensloversites.com
  • www.Thruoutthegame.com
  • www.Tokyo-ex.com
  • www.Ukala1.com
  • www.Wrapitoff.net
  • www.Zubeyde1.com

The current email reads something along the lines of:

Get a JOB!

Our company works in the mikro electronics and precious metal market for a long time.
We have many clients and employees. We successfully worked and work in such countries like Germany,
France, UK, Spain, Lithuania and others.

The number of our employees exceeds 3000 people and the total turnover exceeds $100,000,000 a year.
Right now we decided to expand to Australian markets, because of considering them very perspective.
That's why we are hiring new employees in these countries.v
Average earnings of our employees are formed as $3000/month, and the maximum depends on quality and speed of your job
(your salary is % of transactions you have made).

We are hiring new employees at the post of payments processing manager.
All you need for the job is being Australian resident, having one or several bank accounts,
computer and a little of spare time.
We have already hired 100 employees successfully work, but we continue our hiring.
The number of positions to hire is limited, so hurry up and register. The registration is free!

Please mail us with any other questions you are interested in.
contact us: australian@mikro-tech.com

Best regards,
Mary Trip

Again, this is a fraudulent offer for money laundering and/or check fraud. If you have been recruited into this scheme, you should not cash any checks and contact your local police department.

 

 

 

 
