Site
navigation
home
blog
technical
diary
webmaster
orange
book
moobiles
shop
contact
links
Updated
2rd August 2005
© Dynamoo 2005
Mikro-n.com Job Offer Scam19th June 2005 The micro-n.com job offer is FRAUDULENT. If you have been "recruited" by this company then you should immediately contact your local law enforcement office. Recent months have seen a huge increase in the number of fake "job offer" spam email messages circulating. In all cases that we have seen, these job offers are fraudulent and are either money laundering or a cashier's check fraud attempt. In the case of the mikro-n.com job offer, this appears to be money laundering and if you get involved in this you may well be liable to criminal proceedings unless you take immediate action to protect yourself. If you have been recruited it is most likely to be YOU who will be caught first. Protect your own interests and take immediate legal advice. The Mikro-n.com EmailThe email pitch is very simple:
There are several tell-tale signs that this is a fraud though:
We believe that in this scenario, the most likely funds that you will be transferring will be originating from bank fraud, pirated software and pornography. We can back this up by digging into the background behind mikro-n.com. Mikro-n.com DomainAlthough there is at present no web site for mikro-n.com, it does have a server registered at IP address 210.22.50.97, registered to:
China Netcom are one of the world's favourite sites for hosting spam and scam sites such as this. You might speculate as to the financial incentives that China Netcom managers might be getting in order to keep the spam sites operating. Since this seems to be an email orientated-fraud, then a lookup of the mikro-n.com mailserver gives up the following result: mikro-n.com mail is handled by 50 mx.nltzone.biz And mx.ntlzone.biz is.. 210.22.50.97 - so we know that the mail operation is being run off the same server. The domain name mikro-n.com is registered by spam-friendly hosts Yesnic, a Korean company who seem to be the preferred choice of many internet fraudsters due to their poor controls and non-existant abuse reporting facilities. Domain Name: MIKRO-N.COM It appears that Yesnic might be supressing the WHOIS details, but in fact they were recently changed from: ::Registrant:: ::Administrative Contact:: ::Technical Contact:: ::Name Servers:: ::Dates & Status:: Created Date 2005-06-01 05:45:24 EDT The "Via Caballo" address is almost certainly fake and just chosen at random, as is the contact name. Nltzone.biz DomainThe references to nltzone.biz are interesting - and pretty much every server on 210.22.50.97 is using nltzone.biz name servers for their domain. This has the following contact details:
You can be reasonably assured that the Staten Island address is fake, however Gandi.net really exist and are a spam-friendly registrar according to general feedback from around the web. It seems that nltzone.biz is the heart of this operation. In fact, the domain can be connected by this listing in the Spamhaus SBL to spammer Leo Kuvayev aka "BadCow". So, either mikro-n.com is Kuvayev, or he is providing hosting and network services for them.Kuveyev is being prosecuted by the Massachusetts attorney general (see this BBC News article for more information). Laundering What?A fair question for a money laundering operation like this is "laundering what?". Quite aside from the Leo Kuvayev connection, there are a cluster of sites that can be directly traced to nltzone.biz which presumably are the reason for this so-called job offer. Antispywarecash.comA domain reported many times for spamming with an offer for dubious anti-spyware software. It is unlikely that the software is effective and even possible that it may do more harm than good. Note that although the "Donald Roberson" name and address are valid, it is also likely that Mr Roberson has nothing at all to do with this site and the registrations details are fake. It is also odd that a Californian would be using name services from Webrider.ru in Russia. Registrant:
However, back in May 2005, the contact address for this domain was admin@neon-soft.com. Through a number of sites registered to what appear to be fake contact details, we find that neon-soft.com use to be be identical to ipflyer.com, which later became ipbroadcasting.com, and these last two domains are registered to: Registration Service Provided By: JoePro
Contact: ron@davies.ca
Visit: http://www.joepro.com
Domain name: ipflyer.com
Administrative Contact:
Rick Davies (rick@davies.ca)
+1.6133971596
Fax:
PO Box 46
Wooler, ONTARIO K0K 3M0
CA
Billing Contact:
Rick Davies (rick@davies.ca)
+1.6133971596
Fax:
PO Box 46
Wooler, ONTARIO K0K 3M0
CA
Technical Contact:
Rick Davies (rick@davies.ca)
+1.6133971596
Fax:
PO Box 46
Wooler, ONTARIO K0K 3M0
CA
Registrant Contact:
Rick Davies (rick@davies.ca)
+1.6133971596
Fax:
PO Box 46
Wooler, ONTARIO K0K 3M0
CA
Status: Locked
Name Servers:
NS1.JOEPRO.COM
NS2.JOEPRO.COM
Creation date: 24 Jan 2003 00:00:20
Expiration date: 24 Jan 2006 00:00:20
This is part of a cluster of sites including 1stpromotion.com and joepro.com. 1stpromotion.com is a spammy site that is an affiliate of Clickbank. So, is Antispywarecash.com a Rick Davies operation? Well, it looks like it used to be run be neon-soft.com which was an exact duplicate of the ipflyer.com site, which is Rick Davies. It may well be though that neon-soft.com was just a downsream affiliate. Appela-watch.comRegistered with fake details to an apparent address in Nottinghamshire, UK. Although this now uses nltzone.biz nameservers, the site recently switched from ijfndgct.com nameservers, a domain linked to arch-spammer Robert Soloway. Cepi-ua.comSome sort of Ukranian outfit involved in transportation along with other business activities. Why Cepi-ua.com should be hosted on a spam-friendly host in China is a mystery - but perhaps the WHOIS entry might be correct on this one: Registrant: The site previously had namesever services set to ns555.biz and ijfndgct.com - ns555.biz is also linked to Robert Soloway. Cevriye1.com, huysuz1.com, it-pay.net, zubeyde1.com,Purpose unknown, but registered with clearly fake contact details. Dangerousteens.com, savagebabes.com, sweatsweet.com, sweettiny.comPornography sites. Accused of spamming Usenet news groups with child pornography. The contact details for these domains are almost definitely fake. The mikro-n.com job offer scam could possibly be laundering the proceeds of this type of pornography. Of course, if these sites do contain child pornography then laundering the proceeds could be a very serious offence. Easternloads.com, eastloads.com, eloadsfast.com, egetfast.com,Purpose unknown. Although the contact details are clearly fake, there is a valid contact email address of storm_c@hotmail.com which can be found on Google search and Google Groups relating to someone called "Dale". Dale uses anonymous proxies to hide his identity. Energydrug.com, Xxenergy.comPurpose unknown. Likely to be an RX or dietry supplements spam site. Fastgetsoft.com, mnogochego.com, oemdownloads.com, progs4you.info, realoemsales.com, setitfast.com, setupitfast.com, soemchik.com, softforcheap.net,Registered to a presumably bogus address in Bangkok, using the spam-friendly Gandi registrar, plus others registered to fake addresses in other coutries, these domains sell pirated software - they call it "OEM" software, but in reality it is cut-price unlicensed software being sold illegally. The mikro-n.com job offer spam can be assumed to be a way of laundering the proceeds of this illegal activity. Bestteenssites.com, fdgshd.com, fjerdes92.com, funfunfun.biz, hurioma.com, sgeyudh.com, teenssitesonly.com, vvideos.net, yvideos.net, z-videos.netSpammy sites selling various different type of hardcore pornography. Get4fast.comIllegal DVD duplication software. Goldfxclub.comAn MLM scheme that appears to be affiliated with an outfit called MasterFX Trading LLC of which their appears to be no trace of anywhere on the web. The domain name is WhoisGuard protected and there are no contact details on the site. The domain was only registered on the 13th July, so it's likely to be a real fly-by-night operation. Given the nature of the other related sites, any foolish investor in goldfxclub.com would most likely lose all their investment, which would then promptly be laundered using the scheme outlined at the beginning of this email. Max-pays.netUnlawful MLM scheme that appears to have collapsed. Domain name is parked with a reference to italpay.com Moneypeak.bizAnother MLM site, with the following tagline: "© 2002-2005 Wireless Multimedia LLC d.b.a. MoneyPeak.biz. MoneyPeak.biz activities are regulated in Americas, Europe and Asia/Pacific region.". Although the WHOIS details have been hidden, we can trace them back to: Administrative Contact ID: 882905FAC2D62684
Moneypeak.biz is typical of so-called HYIP (high yield investment program) scams - offering 256% interest over 100 days, a rate which clearly is not sustainable. The domain was only registered on 13th March 2005, so it is unlikely to have a long term future. Mynewdg.infoA laughable attempt at selling doctorates, degrees and diplomas over the web with no need to actually study or do any research. The domain now redirects to thebesthgh.com through an affiliate link, http://thebesthgh.com/dip which means that the webmaster the thebesthgh.com probably has valud contact details for mynewdg.info - an ideal candidate for serving legal papers to: Registration Service Provided By: JD Link LLC
Contact: sales@jdlinkllc.com
Visit:
Domain name: thebesthgh.com
Registrant Contact:
George Stevens
George Stevens (hostmaster@thebesthgh.com)
+1.999-999-9999
Fax: +.
8348 Cascade Ln
Charleston, WV 25233
US
Administrative Contact:
George Stevens
George Stevens (hostmaster@thebesthgh.com)
+1.999-999-9999
Fax: +.
8348 Cascade Ln
Charleston, WV 25233
US
Technical Contact:
George Stevens
George Stevens (hostmaster@thebesthgh.com)
+1.999-999-9999
Fax: +.
8348 Cascade Ln
Charleston, WV 25233
US
Billing Contact:
George Stevens
George Stevens (hostmaster@thebesthgh.com)
+1.999-999-9999
Fax: +.
8348 Cascade Ln
Charleston, WV 25233
US
Status: Active
Name Servers:
ns1.tlink.net
ns2.tlink.net
Creation date: 24 Mar 2005 20:05:17
Expiration date: 24 Mar 2006 20:05:17
Pics-daily.comRegistered to: the purpose of this site is unknown. Searchin9.comRegistered at parava.net who are unable to supply any contact details. The purpose of this site is unknown. Solidfutures.bizAnother suspect MLM/HYIP site with a tagline: " © 2000-2005 SF Evolution Inc. Office 401, World Trading Center, Marbella, Panama City ". The domain name is WhoisGuard protected to protect the true identity of the registrants. Claiming up to 298% interest over 100 days, the scheme is clearly not sustainable and most likely unlawful. Southtrust-ibank.comPresumably registered in an attempt to carry out a highly illegal "phishing" attempt where bank details are collected and then funds stolen. You can safely assume that the "job" offered at the top of the page would involve moving stolen funds around. The site currently forwards to hackru.info - but it is quite possible that these Russian hackers have deliberately disabled the phishing site before it was used. While we don't condone hacking, if these Russians have saved somebody from being ripped off them they are arguable doing a public service. Casinosfree.info, freecasinosgames.netTwo sites which are not active yet, but will probably follow the same theme of spamming. Update #1 - micro-tech.com3rd August 2005 The scammer have changed hosts to yet another Chinese host at 58.20.160.34, and with a different set of domain names:
The current email reads something along the lines of:
Again, this is a fraudulent offer for money laundering and/or check fraud. If you have been recruited into these scheme, you should not cash any checks and contact your local police department.
|
home technical diary webmaster stuff orange book shop contact links your privacy