dynamoo.com home

Site navigation

orange book
March 2005

   Dynamoo 2005






www.TransferGate.com / TransferGate Group Scam

14th March 2005

PLEASE NOTE: if you have visited the transfergate.com web site your machine is probably now infected with spyware if you use Internet Explorer - read more. Visiting spamvertised sites in Internet Explorer is dangerous.

If you find this article useful, please consider linking to us.

The following scam email is currently in circulation. Please note that you should not visit the site listed under any circumstances.

    From: Estrella JOYCE [mailto:coccolith@ezagenda.com]
    Sent: 13 March 2005 03:48
    To: [removed]
    Subject: Job Offer!

    Dear, Izaiah!

    >>> WHO WE ARE?

    TransferGate Group was founded in August 2001 by an international team of experts in the sphere of finance and marketing to solve currency exchange problem. Our cooperation with large Internet companies includes rendering their clients convenient payment services.


    We suggest simple, and at the same time perspective and well paid job! As TransferGate develops very rapidly, we permanently need new people to occupy the position of Processing Manager, able to receive and send payments. This part-time job does not require any special skills. You do not have to spend much time to earn sufficient money to be added to your main salary.


    The task of the Processing Manager is to process payments between our partners' clients and our company. Every payment will be accompanied by detailed instruction. The brief training course is enclosed.


    - Honesty, responsibility and promptness in operations;
    - PC with Internet and e-mail access;
    - We don't work with persons under 21;
    - One or several bank accounts.


    You will earn 5-8% from each transaction! For example, you received 5,000 GBP wire transfer to your bank account. You should withdraw the money, take 5% (250 GBP) for yourself and then send the remaining part to our company authorized agent. As you see, all operations are very easy.

    >>> HOW TO APPLY?

    Please, visit our website, read the job description thouroughly and fill in the candidate pre-employment questionnaire.



    Please, visit our corporate website to get more information about our company and the job offered. If you have any questions, feel free to get in contact with me using contact methods, described on the Contact Us page.

    Thank you for attention.

    Have a nice day.

    Sincerely yours,
    Jeremiah SUTHERLAND

This email is either a money laundering scam or wire fraud. If you actually participated in this scheme, it is quite possible that you would face criminal charges and a prison sentence, or at the very least end up seriously out of pocket.

Let's look at the business proposition more carefully. Essentially, the offer is that you receive a transfer into your account (in this case by wire transfer, but possibly also including other traceable electronic transfer systems), then you withdraw cash from your account and transfer the majority of it to an agent, "keeping" 5%-8%.

It looks like money for nothing, right? Right - that's the classic hallmark of a scam: it appears that you can get rich quick for very little effort.

There's also some very clever social engineering here - notice that the email asks if you are trustworthy, not the sender. And by using carefully measured, businesslike language it adds credibility to the email.

However, what will actually be happening is one of two things:

Wire Fraud

The simplest way a scam like this will work is that the bank transfer you receive will actually be bogus, and though the money may appear to be in your account, it may later be detected as fraud and the transaction cancelled. Unfortunately, by this time you will have already withdrawn cash from the account and forwarded that on to somebody else who will no longer be traceable. You will be liable for the debt, which may run into many thousands of pounds.

Money Laundering

An increasing common occurrence - the money being transferred to you will be from criminal activities. It may have been taken from a hacked bank account, or possible some other criminal enterprise. By accepting the transfer and then forwarding it, you will be criminally liable for processing stolen goods or proceeds of a criminal enterprise. The scam is carefully constructed so that all the fingers will be pointing at you, and you will have no evidence of who you actually passed the cash to. In this case, you may well be looking at a prison sentence.

Supporting Evidence

The UK's Metropolitan Police offer general advice on this type of fraud, but the simplest rule is - "If it sounds too good to be true, then it is!" - after all, if you believe what this email tells you, then you can make hundreds or thousands of pounds for very little effort. Unfortunately,real life isn't quite like that.

As outlined above, the money trail ends at you - because in this case you would then be making an untraceable transfer. The aim of this scam is to put you firmly in the frame. Your new business partners will not care what happens to you after you get caught - they'll simply find someone else.

This email was spam - completely unsolicited. You should never respond to a spam email and never even visit the site (this will be explained in more detail below). The From: details do not match the signature at the bottom of the email, and the sending domain is incorrect. Also, the salutation is wrong ("Dear Izaiah") in this case. You should not rely on scammers making errors of this nature, however.

A Google search for "transfergate group" shows no legitimate web site. Even if there were a web site, it would not prove that such a company exists. You will note that there are no contact details in the email either - you would expect a telephone number to call if this was a genuine offer.

The email claims that the group was set up in 2001, but by using a WHOIS service (for example, whois.sc) we can see that the domain was actually registered in January 2005:

     Transfer Gate
     5,RUE ATLAS
     PARIS, ID 75019

     Domain name: TRANSFERGATE.COM

     Administrative Contact:
        CISSE, PATRICE  patrice_cisse2003@yahoo.fr
        5,RUE ATLAS
        PARIS, ID 75019

     Technical Contact:
        Domain Services, EV1 Servers  domains@ev1servers.net
        390 Benmar
        Suite 200
        Houston, Texas 77060
        +1.7133337873    Fax: +1.7139429332

     Registration Service Provider:
        Everyones Internet, domains@ev1servers.net

     Registrar of Record: TUCOWS, INC.
     Record last updated on 17-Feb-2005.
     Record expires on 17-Jan-2006.
     Record created on 17-Jan-2005.

     Domain servers in listed order:

     Domain status: ACTIVE

Note that the Paris address is almost definitely fake, and Everyones Internet and Tucows Inc are not parties to the fraud. As you can see, the domain was only registered on 17th January 2005 - any business founded in 2001 would surely have had a web site long before that. (Although our research shows us that the domain had also been registered and expired in 2000 by an unrelated party.)

The server is actually located at in China, along with several other sites, some of which are clearly typosquatting or are spam-related.

  • www.1cartoncigarettes.com
  • www.Allmysuccess.com
  • www.Allukrcharity.com
  • www.Annytime.biz
  • www.Antiquitaeten-gotthelf.com
  • www.Cliport.com
  • www.Emailpromo.us
  • www.Goodz.biz
  • www.Goodz.info
  • www.Heathertips.com
  • www.Ifxtrade.net
  • www.Ivoryvaughan.com
  • www.Lannygordon.com
  • www.Mysavingtips.com
  • www.Prioritet-2005.biz
  • www.S-way.biz
  • www.S-way.info
  • www.Safepayment.biz
  • www.Silverise.biz
  • www.Broadcastemail.us
  • www.Au-uk-usa.com
  • www.A-i-k.com
  • www.Tgbabez.com

Of course, this is not proof that any of the registered owners of the other sites listed on this server are in any way connected with this fraud.

Spyware Installation

Visiting the site in Internet Explorer will lead to your PC being infected with unsolicited software - most likely spyware and keyloggers designed to record your online banking activity (note that if you responded to the email, then you will almost definitely use some online banking because of the nature of the offer).

The spyware is specific to Internet Explorer - if you attempt to visit the site in any other browser (such as Firefox, Opera or Mozilla), you will get the following message:

Please, use Internet Explorer 5.0 or higher to access this website..

If you actually do visit using Internet Explorer, something very different happens - an encoded piece of Javascript will attempt to download an exploit on your machine. At present, we do not know the exact nature of this software, but it does appear that the exploit is not detected by major anti-virus applications.

If you have visited this web site, it is most likely that any banking accounts, including PayPal plus any other password protected resources will have been compromised. You should immediately contact your bank's security department and advise them of this.

Because we do not know the nature of the spyware installed on the system, we would recommend that the only safe approach is to reformat your hard disk and rebuild your system from scratch.

At your own risk, you may however try one or all of the following scanners:

These are all good products, but it's quite likely that no single product will be able to clean up your machine. You should also run a full virus scan with a reputable anti-virus package.

We strongly recommend never using Internet Explorer as it is inherently insecure. We strongly recommend the Firefox web browser.

You should not use your computer to make any financial transactions or access secure systems until you are 100% certain that your PC is cleaned of spyware. If in doubt, contact a qualified IT professional.

The mechanism here is particulary sneaky - by enticing you to the infected web site, the scammers can potentially access your banking systems, which they can then transfer out using "mules" who sign up for the scheme.

Remember -  "If it sounds too good to be true, then it is!"

If you have been defrauded by these scammers you should contact your local police.



 Subj: Shopping and Services


 home   technical   diary   webmaster stuff   orange book   shop   contact   links   your privacy