
 music man
join:2008-08-12
| reply to MGD Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto
From the same stable as therecruiternetwork.org- »webrecruit.org
As usual all contact details are cloaked using images. For total confirmation that this is a faker we have the usual robots.txt file.
Registry Data Created: 2009-05-05 Expires: 2010-05-05
Another hidden registrant as well. | |  music man
join:2008-08-12
| reply to MGD Yet another on 72.34.55.197, ladies and gentlemen I give you »acrossthescreenuniverse.com
As with all of the work of our Slav friends it comes complete with
User-agent: * Disallow: /
Registry Data ICANN Registrar: ENOM, INC. Created: 2009-03-24 Expires: 2010-03-24
Etc, etc etc!!! | |   Scammed2
@dcentral.com | reply to MGD Not to mention that the address they used to file is a bogus box at a ups store, per federal address validation:
UpS Store The (630) 554-5955 - 2758 Route 34, Oswego, IL | |  iDeceive
join:2008-11-03
| reply to MGD Skydex Soft
Here's another mule recruitment email. A quick search of this topic finds no previous mention of "Malenkovsky" or "Skydex". For the record, skydexsoft.com was registered on 07-Aug-2009.
From: Skydex HR Team <career@skydexsoft.com>
Good afternoon,
My name is Alex Malenkovsky; I am the HR Manager of the company Skydex Soft Ltd., China. Several days ago, you filled out the application form for the position of the Project Manager/Sales Representative on our website. We have reviewed the information that you have provided to us, along with the information we have found at careerbuilder, and have come to the conclusion that you are likely to become a suitable candidate for the position of the Project Manager/Sales Representative. Although I must say that it is not our final decision, as we will need to carry out additional screening procedures and analyze you as a potential candidate for this position one more time.
However, I would like to tell you about the project that we will offer to you, your role in it and the tasks you will be tackling. So, let me begin here:
As you already know, we are a software development company with the head office located in Shanghai. For the past few months, we have been analyzing the market with the view to enter the segment of retail sales of software providing comprehensive computer security and protection. We have developed several unique products, each of which boasts several competitive advantages compared to products offered by our competitors.
What are these products?
1) Antivirus - with high-quality heuristics, capability to recognize and identify yet unknown viruses, Trojans, malware, adware, etc.
2) Firewall - a program for protecting the computer from external intrusions and fighting off hacker attacks.
3) Eraser - a program for secure and irreversible deleting of sensitive information from the computer, for example, files containing confidential information.
It will be these three products that will be offered for retail in the US market.
Where will these products be sold?
Nowadays, the most relevant and effective sales venue is the Internet; all large-scale companies sell their products through their own websites, and we are no exception from this rule: we are going to develop a unique website for selling each product separately.
How will these products be sold?
Since all sales will be carried out through the Internet, it is necessary to use one of the most relevant payment methods on the Internet, which at the present moment is online payments via a credit card, when a customer can pay for the product he/she likes with his/her credit card in real-time mode.
What is the role of the Project Manager/Sales Representative when he/she participates in a project?
The key role and objective is to provide the sales platform, namely it is the following: we enter into a formalized, legally binding agreement, which confirms your official status of the Reseller.
For you to be able to carry out sales through the Internet, you will need to open:
1) Company (it can be any type of company, from LLC to Inc, Corp)
If you already have a company of your own, we can formalize our business relationship as partnership and give the status of the Reseller to your existing company.
1) Obtain the Tax ID
2) Open a business checking account for your company at a local bank
3) Receive the website from us (free of charge) and we carry out all the necessary setup work (free of charge); the website will contain the complete information on the products and present the product itself.
4) At the bank, where you opened the business checking account for your company, you will have to open an E-commerce Merchant Account; this account will allow you to accept payments made on your website with credit cards.
That concludes the preliminary stage of the project; our experts carry out the complete work for setting up the entire system, so that the customer upon having made the payment through the Internet could immediately receive the software purchased, or rather receive the activation key and use it to activate the program he/she just purchased on the website.
How will customer support be provided?
We will provide a call center for your project; therefore, each customer will have the opportunity to ask the questions he/she may have directly at the call center and receive prompt response.
Who will be handling the advertising and promotion for the project?
At the initial stage, we will provide 100% support to the project in terms of promoting it and advertising it.
How will the projects revenue be distributed?
There are 2 variants here:
1) If you sell products through the website on your own, you will receive 50% of each sale made, and send the other 50% to our company.
2) If sales are made due to our advertising and promotion campaign and the customers were attracted due to our promotional efforts, you will receive a commission in the amount of 5 % of each sale made.
If the 2nd option is the main variant of work, there are several options in terms of your compensation; for example, it may be a fixed salary per month, which will not depend on the sales level, or it may be a combination of the two, i.e. a fixed-sum salary + a certain % from each sale made. We will be able to discuss this possibility in more detail at a later stage.
The above is a brief introduction and information on the project, but it is sufficient for you to already have a certain impression of the vacancy of the Sales Representative/Project Manager offered by our company.
Now, we will need to analyze the information you provided and you as a potential candidate one more time, in greater detail; in the meantime while we are doing that, you can compile a list of any questions that you may have to send to me; we are expecting to hear from you within the next 72 hours. If we receive no reply from you within the next 72 hours, we will no longer be considering you as a potential candidate for the position of the Sales Representative/Project Manager.
Looking forward to your reply.
--
Best Regards, Alex Malenkovsky, HR Manager, Skydex Soft Ltd
-- Suckers Wanted -- Employment Opportunities That Will Cost You | |  Whip
join:2009-01-23 Califon, NJ
1 edit | quote:
Domain Name: SKYDEXSOFT.COM
Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Whois Server: whois.PublicDomainRegistry.com
Referral URL: »www.PublicDomainRegistry.com
Name Server: NS1.VIP-NAME.COM.UA
Name Server: NS2.VIP-NAME.COM.UA
Status: clientTransferProhibited
Updated Date: 07-aug-2009
Creation Date: 07-aug-2009
Expiration Date: 07-aug-2010
Current Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
IP Address: 195.189.226.159 (ARIN & RIPE IP search)
IP Location: UA(UKRAINE)-KYYIV-KIEV
Lock Status: clientTransferProhibited
DMOZ no listings
Y! Directory: see listings
Data as of: 23-Apr-2008
They appear to be flooding the net with sales pitches for a site that isn't even online yet. Some are from at least 20 days ago.
»www.google.com/search?q=Skydex+S···irefox-a | |  Whip
join:2009-01-23 Califon, NJ
| reply to MGD Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto
Looks like there is a new (old) one coming online.
Was tipped off by this:
quote: Re: Bright World Games Does anyone out there know if this company is a scam or not? Please reply
»scam.com/showthread.php?p=803165#post803165
quote: Registration Service Provided By: Landis Holdings Inc. Contact: sales@jaguarpc.com Domain name: BRIGHTWORLDGAMES.COM
Administrative Contact: - Paul Murphy (paullmurph@yahoo.com) +1.9158087683 Fax: - 334 Cornelia Street Plattsburg, NY 12901 US
Technical Contact: - Paul Murphy (paullmurph@yahoo.com) +1.9158087683 Fax: - 334 Cornelia Street Plattsburg, NY 12901 US
Registrant Contact: - Paul Murphy ()
Fax: 334 Cornelia Street Plattsburg, NY 12901 US
Status: Locked
Name Servers: ns51.domaincontrol.com ns52.domaincontrol.com
Creation date: 08 Nov 2007 21:47:25 Expiration date: 08 Nov 2009 21:47:25
Familiar format to the email address and the phone number is a Sweetwater Texas area code.
All the links get redirected to this same page regardless and has their link names added on to the end of the url. The copyright of the site is 2009, not the year of registration 2007. So maybe this has just been sitting around dormant.
And of course:
this was posted on this site:
»www.xceedspeed.com/forums/showth···&page=32
quote: from Mark Carson reply-to Mark Carson to Gregory Haberek date Tue, Aug 5, 2008 at 3:13 PM subject Job Offer from Careerbuilder.com for you.
My name is Mark Carson and I represent Bright World Games Inc.
We received your contact information from the services of www.Careerbuilder.com recruiting agency and we would like to offer you a home based position with our company. The job we offer is under our Affiliate Program and I hope we will be able to build a successful cooperation with you as our Affiliate.
We will be glad if you find interesting the detailed information given in the text documents attached and get back to me at your earliest convenience.
You can also have a look at our website www.BrightWorldGames.com in order to get a better understanding of the business.
Respectfully, Mark Carson Human Resources Head Bright World Games, Inc.
| |  music man
join:2008-08-12
1 edit | reply to MGD @Whip
Now with added website
| |  Whip
join:2009-01-23 Califon, NJ
| Contact Us page: quote: Head Office: KIC Plaza 290 Songhu Rd.,YangPu Shanghai China International Business Unit: BEA Tower Millennium City 5, 418 Kwun Tong Road, Kwun Tong, Kowloon Hong Kong China tel: +852-8197-7232
Copyright 2005-2009 © Skydex Soft Ltd. All rights reserved. Powered by Skydex Soft Ltd
So they allege to be website developers yet use dark blue font on a black background on their own 'site' that is hidden from archiving anyway.
| |   FrgtMyLogin
@comcast.net
| reply to MGD Nice. I just got hit up for $9.85 from GAMARTON.COM on Aug 23.
Of course, the idiot at the bank CS line wants ME to try to have them refund it. At least they've shut off the card and are sending a new one.
I'm still following up on this one and will be reporting it as fraudulent with the IC3 whether or not the bank cooperates. | |  MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL
| reply to music man
said by music man :
From the same stable as therecruiternetwork.org- »webrecruit.org
As usual all contact details are cloaked using images. For total confirmation that this is a faker we have the usual robots.txt file.
Registry Data Created: 2009-05-05 Expires: 2010-05-05
Another hidden registrant as well.

Great finds, a recap of the criminal contents of IP 72.34.55.197 Uswebhosting.com
Whois Record
OrgName: IH Networks
OrgID: IHNET
Address: 16060 Ventura Blvd
Address: Suite 105
City: Encino
StateProv: CA
PostalCode: 91436
Country: US
.
NetRange: 72.34.32.0 - 72.34.63.255
CIDR: 72.34.32.0/19
NetName: IHNET-PI-1
NetHandle: NET-72-34-32-0-1
Parent: NET-72-0-0-0-0
NetType: Direct Allocation
.
RegDate: 2005-02-09
Updated: 2006-08-14
.
OrgTechHandle: IHNET-ARIN
OrgTechName: IH Networks
OrgTechPhone: +1-213-634-1497
OrgTechEmail: admin[AT]ihnetworks.net
Hosted on IP Address: 72.34.55.197 via Uswebhosting.com
Cheapestthemes.com 904-352-1238 = Card Fraud money laundering
Still processing card fraud charges. First report in February 2009. Most recent fraud charge report September 10th 2006 »800notes.com/Phone.aspx/1-904-352-1238/4
acrossthescreenuniverse.com 786-522-9361 = Card Fraud money laundering
this1isawesome.com = Card Fraud money laundering
imagestudiodesign.com 813-200-4105 = Card Fraud money laundering
therecruiternetwork.org = JOB SCAM = RECRUIT FRAUD
webrecruit.org = JOB SCAM = RECRUIT FRAUD
Dear -,
I represent recruiting company Web Recruit specialized in searching the candidates at the request of employers all over the world. I have found this position on Career Builder.
There is a position available at the moment offered by European company. Please see below a short description of this position.
Assistant Director
I'm pleased to offer you a part time employment as a representative of European company, interested in expanding the business to the US market. The company will create the web site oriented to the US customers with high revenues guaranteed by the complex of high-performance promotional measures. In spite of the project's intricate, your duties will be quite easy to perform. No special education or experience are required from your side. Your personal manager will lead you step by step to the success by providing you with detailed and quite easy to understand instructions. This position has a very high potential in a personal income boost as a result of business growing all in all.
The minimum salary at this position is $30,000/year (5 from the project revenues). There are no fees to pay from your side.
As a part-time position it will take only 7-9 hours a week to perform the duties. The same time the company offers you a long term business relationship that is definitely very important in difficult times of financial crisis, because it means a guarantee of getting a stable income regardless of the situation on the labour-market.
To ask for detailed description including duties and responsibilities of the position just respond to this offer with the following subject:
"Interested in getting the position of Assistant Director."
or in case you don't like this offer for any reason, please let me know and I'll try to find something else for you.
Best regards,
Maria Olson
Gjorwellsgatan 28, 112 60 Stockholm, Sweden
Emphasis added Ref: »www.419legal.org/employment-scam···uit.html
MGD | |  MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL
| reply to Whip
said by Whip :
Looks like there is a new (old) one coming online. Was tipped off by this:
quote: Re: Bright World Games Does anyone out there know if this company is a scam or not? Please reply
... Great catch !!
It appears that the site was taken offline by the hosting company sometime within the past 48 hours.
MGD | |  MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL
| reply to FrgtMyLogin said by FrgtMyLogin :
Nice. I just got hit up for $9.85 from GAMARTON.COM on Aug 23.
Keep us posted on the outcome. Many banks go out of their way to avoid processing these charges as fraudulent, as there is more paperwork involved. However it is what it is, and the avoidance maneuvers only serve to facilitate the fraud operation. The only way the fraudulent account will get halted, barring investigative intervention, is when the chargeback ratios are exceeded.
Also be advised that recent communication interceptions from the organized crime syndicate, reveal that they are actively disputing the chargebacks. This is done by submitting fraud documentation that purports to show the data transaction history, which includes a USA IP address that the purchase originated from, along with a user id /pw and email address that was created prior to the purchase. Though all of the documentation is faked, some chargebacks have been reversed to the victim as a result of that submission.
I never cease to be amazed by some of the information that is uncovered.
MGD | |  MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL
| reply to iDeceive Re: Skydex Soft
said by iDeceive :
Here's another mule recruitment email. A quick search of this topic finds no previous mention of "Malenkovsky" or "Skydex". For the record, skydexsoft.com was registered on 07-Aug-2009. ...... ..

Absolutely outstanding work my friend !!.
I have been shadowing this operation since you posted. I have confirmed that it is this organized crime syndicate. Though you have reported this operation at the very early stage, unfortunately, I was unable to prevent a massive recruiting operation that began on Friday and is still underway. I am preparing a detailed post of what went on, and the absolute failure of reasonable due diligence that is about to rival the multi year incompetence of Authorize.net / Cybersource.

said by Whip :
... They appear to be flooding the net with sales pitches for a site that isn't even online yet. Some are from at least 20 days ago.

Good catch, what you uncovered was part of a set up plan which included "seeding" of search engines ahead of time. In this case the seeding involved paid posters writing blog comments about the company, fake customer testimonials. This was done in advance as advance preparation for another stage that would have generated searches from potential cyber-mule recruits. When potential recruits attempt to vet the company by conducting online searches, they will see hundreds of these fake "Testimonials" and are intended to dupe them into believing that the job offer is legit.
Secondly, since these fake blog comments began as soon as the domain was registered they will rank ahead of any potential subsequent posts that report this as a scam.
I have tracked the posting origination of many of these manufactured fake blog testimonials to a specific IP address in Moldova. Which coincidentally, is the same country where the forum spam posts listing many of the card fraud laundering domains and their phone numbers originated from.
More to follow.
MGD
========================================== FRAUD JOB SCAM = SKYDEX SOFT LTD = MULE RECRUIT FRAUD
FRAUD JOB SCAM = SKYDEXSOFT.COM = MULE RECRUIT FRAUD
FRAUD JOB SCAM = Skydex = MULE RECRUIT FRAUD
FRAUD JOB SCAM = Skydex HR Dept. = MULE RECRUIT FRAUD
FRAUD JOB SCAM = career@skydexsoft.com = MULE RECRUIT FRAUD
Head Office: KIC Plaza 290 Songhu Rd.,YangPu Shanghai China International Business Unit: BEA Tower Millennium City 5, 418 Kwun Tong Road, Kwun Tong, Kowloon Hong Kong China tel: +852-8197-7232
FRAUD JOB SCAM = SKYDEX SOFT LTD = MULE RECRUIT FRAUD
FRAUD JOB SCAM = SKYDEXSOFT.COM = MULE RECRUIT FRAUD
FRAUD JOB SCAM = Skydex = MULE RECRUIT FRAUD
FRAUD JOB SCAM = Skydex HR Dept. = MULE RECRUIT FRAUD
FRAUD JOB SCAM = career@skydexsoft.com = MULE RECRUIT FRAUD ========================================== | |   Doctor Olds I Need A Remedy For What's Ailing Me. Premium,VIP join:2001-04-19 1970 442 W30 clubs:
| said by MGD :
I have tracked the posting origination of many of these manufactured fake blog testimonials to a specific IP address in Moldova. Which coincidentally, is the same country where the forum spam posts listing many of the card fraud laundering domains and their phone numbers originated from.

Not the best place to be. »https://www.cia.gov/library/publications···/md.html Read the sections on "Trafficking in persons:" and "Illicit drugs:"
With the Government being corrupt and a large underground, it is going to be a thorn a long time. I say cut them off of the tcp/ip grid. -- Whats the point of owning a supercar if you cant scare yourself stupid from time to time? | |   dbflynn
@nc.us
| reply to MGD MGD,
This is a very interesting post. You have obtained a very large amount of information on these companies and I must admit I did not read the entire 46 pages of posts. I am interested in what you know about those involved in keeping this illegal business open and what you can prove. Also if there has been any law enforcement involvement. I work similar cases but I must admit that the information you have provided goes a bit over my head and I can't connect the dots yet. If you can present a case drop me an email.
dbflynn@pittcountync.gov | |  MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL | Thanks dbflynn,
I will contact you.
MGD | |  MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL
1 edit | reply to MGD Re: Recruit Fraud: SKYDEX SOFT LTD aka SKYDEXSOFT.COM
********** WARNING !! **********
MALWARE INFECTED, DO NOT VISIT SKYDEXSOFT.COM >http://skydexsoft.com
The website has been under observation for the past two weeks. At 9.00 AM on 09/15/2009 a hidden Iframe drive by malware was detected on the skydexsoft.com website main index page. The hidden Iframe ran a script from >http:// red-wolf.ru:8080/index.php. The iframe was embedded in the main page as :
The iframe source domain has been changed several times within the past 72 hours from red-wolf.ru to previous-life.ru to life-before.ru and past-another-life.ru, also suspected is theanotherlife.ru. The path format is identical to the others above. >http:// previous-life.ru:8080/index.php
The last check at ~ 23.00hrs EST 09/18 shows another malware domain biozavr.ru. As you can see from the server response log below the latest iframe malware domain would have been updated when the site was last saved earlier Friday.
quote:
09/18/09 22:49:15 Browsing >http://skydexsoft.com
Fetching >http://skydexsoft.com/ ...
GET / HTTP/1.1
Host: skydexsoft.com
Connection: close

Date: Sat, 19 Sep 2009 02:46:39 GMT
Server: Apache/1.3.41 (Unix) mod_perl/1.30 PHP/4.4.9 mod_ssl/2.8.31 OpenSSL/0.9.8b
Last-Modified: Fri, 18 Sep 2009 18:20:45 GMT
It is not known if the fake job site skydexsoft.com is self infected, or if it has been hacked. There is at least one report each coming from Australia, France, South Korea, and Iran, from people whose websites have been hacked and infected with the red-wolf.ru specific exploit. The .ru infector domains have dynamic DNS which can point to between 4 and 6 IPs where they are hosted. This is not a known modus-operandi of the crime syndicate with respect to this fraud operation. I am unable to rule anything in or out with respect to skydexsoft.com. A typical hack vector for this form of Iframe is via FTP. An example .
This confirmed crime syndicate's cyber-mule recruit fraud Skydex operation posted by iDeceive is a perfect example of one of the constant engines that drives this non stop massive organized fraud operation. The primary engine that drives it all of course, is the organized crime syndicate's constant unfettered hacked access to consumer's full card account data. The most crucial ingredient in processing that hacked data into cash, and laundering it out of the country, is the need for a consistent supply of duped cyber-mules. Consequently a large amount of resources are dedicated to this function, and the process is sophisticated. Not only have job ads been placed on Careerbuilder and Monster, the criminals have also opened business employer accounts with both, which enabled them to filter and peruse through their large databases of resumes. Some of the uncovered cyber-mules reported that they were directly targeted from their on file resumes with these online services.
This confirms the belief that one of the many components required to dismantle this multi year fraud operation is the alerting and educating of the population via mass media, etc, to this sophisticated recruiting vector. Reducing and eliminating the potential pool of recruits is a crucial ingredient of constricting this multi million dollar fraud laundering operation.
Let's have a look at the configuration phases of the cyber-mule fraud recruiting operation Skydex Soft Ltd aka skydexsoft.com Alex Malenkovsky career@skydexsoft.com
As noted by iDeceive and Whip , the domain was registered on 08/07/2009 and is hosted in Kiev, Ukraine at IP Address: 195.189.226.159 with hosting/DNS provided by VIP-NAME.COM.UA. The skydexsoft.com cyber-mule recruiting domain was fraudulently registered to a US name and address by someone whose primary language is Russian, via the usual:
ICANN Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
.
Registration Service Provided By: HIGH QUALITY HOST COMPANY
Contact: +1.6462130098
.
Domain Name: SKYDEXSOFT.COM
.
Registrant: GLENN llc.
JENNIFER GLENN (jglenn19@gmail.com)
2650 COUNTY ROAD 101
TULELAKE California,96134 US
Tel. +743.3828992
.
Creation Date: 07-Aug-2009
Expiration Date: 07-Aug-2010
.
Domain servers in listed order: ns2.vip-name.com.ua
.
Even though the registration including the email address, all appears to be US based, we can establish that Russian was the primary language of the user from the email account. When the lost password procedure for the Gmail account is activated, the password reset question that was selected at set up time is in Russian:
Password reminder reset for jglenn19@gmail.com

Translation: "Number of the bus, which I regularly use?"
Within days after the domain registration the search engine seeding began. As mentioned already, hundreds of fake blog testimonial postings were made. These are two of the shorter ones made on August 13, 2009 on businessweek.com June article:
quote: Reader Comments
Jamie Heidlage August 13, 2009 12:00 PM
Our firm has been working on the internet market for several years, and we've dealt with a lot of companies during these years, but Skydex Soft Ltd(www.skydexsoft.com) deserves a special attention. The specialists from this company work hard in order to please their customers and deliver the best service. Frankly, we have not seen such qualitative product as Skydex provides to us. They always meet deadlines for all the project with the precise accuracy and all wishes carried out. We are happy with result of their work, and we plan to co-operate with them further. Now they are in the list of the best companies with which we deal! We advise to consider this company and see if you can buy it out.
==============================================
Renae Kaiser August 13, 2009 03:45 PM
How could you describe the Skydex Soft Ltd(www.skydexsoft.com) activity? It is the highest quality and fast delivery! This is exactly what is needed! There is nothing else to add! I have not seen any other company who would pay so much attention to clients. It is just a simple pleasure to work with them. They actually are the best in the business! I thank God that I came to know this company when I was looking who to use to execute my project. So if you want a qualitative decision of your problem you can use this company without any doubt. They have a lot of talented professionals working there.
Ref: businessweek.com
The purpose is to create a fake history of testimonials, and flood pages of search engines with the results:

Potential recruits will see an extended positive history. Any posts regarding job suspicions or fraud alerts will have to compete with these already established rankings.
The fake skydexsoft.com is hidden from the rest of us:

Where did a majority of these fake postings originate from?
IP 91.214.201.92
IP Information for 91.214.201.92
IP Location: Moldova, Republic Of Srl Roxnet-com
Resolve Host: static-91-214-201-92.roxnet.md
IP Address: 91.214.201.92
Whois Record
inetnum: 91.214.200.0 - 91.214.203.255
netname: ROXNET-COM-NET
descr: SRL ROXNET-COM
descr: Chisinau, Moldova
country: MD
org: ORG-SR21-RIPE
admin-c: IFS1-RIPE
tech-c: IFS1-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-lower: RIPE-NCC-END-MNT
mnt-by: MNT-ROXNET-COM
mnt-routes: MNT-ROXNET-COM
mnt-domains: MNT-ROXNET-COM
source: RIPE # Filtered
.
organisation: ORG-SR21-RIPE
org-name: SRL ROXNET-COM
org-type: OTHER
address: MD-2024
address: Chisinau, Moldova
address: str. T.Vladimiresku 8/1
e-mail:
mnt-ref: MNT-ROXNET-COM
mnt-by: MNT-ROXNET-COM
source: RIPE # Filtered
.
person: Igor F. Spac
address: MD-2024
address: Chisinau, Moldova
address: str.T.Vladimiresku 8/1
e-mail:
phone: +37369409540
phone: +373-22-438819
nic-hdl: IFS1-RIPE
mnt-by: MNT-ROXNET-COM
source: RIPE # Filtered
.
route: 91.214.200.0/22
descr: SRL ROXNET-COM
origin: AS49527
mnt-by: MNT-ROXNET-COM
source: RIPE # Filtered
.
ROXNET.MD
Coincidentally the same city and country where the numerous forum postings of the various card fraud websites originated from. In that case the seeding was intended to mask postings about the fraud charges. It is my conclusion that the Moldovan blackhat operation is one of hired posters. The quality of that work is sub par compared to the core operation. Indicative of hired hands is the sloppy methods which leave trails. For example, if you needed additional convincing that the Crayon Web template group, the later Anti virus malware group, and the new ragdesign.com group format were related, you only have to look at samples of the SEO work:

All posted consecutively on the same forum thread from Moldova. Ties them all to one source in a nice package.

We know from iDeceive 's posting alert, that by 08/26 the syndicate had opened a business account on Monster.com and was sifting through resumes looking for potential cyber-mules for targeting. Once the seeding of the search engines was completed another phase of the skydexsoft.com fraud recruiting operation began. During the evening hours of Friday September 11th 2009 the first signs of a mass job posting run were detected on Careerbuilder.com.
The posted fraud job:

Note that the job ad included a direct link that when clicked opened the application page on skydexsoft.com within a window:

The posting of job ads on careerbuilder.com continued over the weekend. By late Saturday night there were over one hundred and twenty job ads posted for cities around the US:

Even though they list limited Saturday hours, multiple attempts to reach Careerbuilder by phone to get the ads pulled failed. That failure is what prompted me to write in an earlier report that authorize.net / Cybersource was in danger of losing their number one ranking for incompetence relevant to this long running massive fraud operation. However in this case there was a positive outcome.
On Sunday 09/13 a stage two phase of job postings began. The reason that this was considered a second phase is that the text of the posted job ad had changed. This may indicate that there were two syndicate members doing the posting. The listed requirements for the job were now different. For example one of the listed requirements of the first ad stated "Over 30 years of age". On the second phase of the run on Sunday that requirement had changed to "Be over 21 year old"

Also note the apparent embedded error code in the job posting, indicating that the format was prepared on a Computer with a Russian language / keyboard setting:
"normal 0 false false false RU X-NONE X-NONE MicrosoftInternetExplorer4"
The mass Careerbuilder job posting ultimately peaked between midnight Sunday 09/13 and 2AM Monday 09/14 with a total of 153 jobs posted on careerbuilder.com. A search of Careerbuilder's database run around midnight Sunday for "SKYDEX" produced 153 job entries in cities around the US totalling 7 pages of results:


The fraudulent job ads were targeted in 153 cities across the USA:




Worse yet, during Saturday and Sunday 09/12 & 09/13, the fraudulent cyber-mule recruiting job ads were propagating across many of careerbuilder.com affiliates, including indeed.com and AOL Jobs. It was crucial to get the careerbuilder source shut down as soon as possible. Shortly after 8AM on Monday 09/14 several reports were sent to careerbuilder.com detailing the mass run of fake job ads and their purpose, along with requests to immediately remove all 153 job ads from their database. Though no direct response was received, by around 11AM all the jobs were removed from the main database. Though all the propagated ads that filtered down through affiliates still existed, all the links to the careerbuilder jobs would be dead.
I am not sure how much this operation cost at careerbuilder, however, an attempt to duplicate what the syndicate had set up, produced an estimate of several thousand dollars. I can not be positive that it was the alert which caused the removal, as no direct reply was received. Nevertheless the fake jobs were removed, and that is what counts.
Continued in next post .....
MGD | |   univenus
@mindspring.com
| reply to MGD Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto
Also the same group known as Drive Recruitment is emailing purportedly as rep for this company: (»redballoondesign.org). The signature is as follows: Best regards, Anika Morgan Gjorwellsgatan 28, 112 60 Stockholm, Sweden | |  MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL
2 edits | Thanks for posting univenus,
Do you know if the email is targeted because of a resume posted with an online service? Any additional info on that issue is appreciated.
The fake cyber-mule recruiting website REDBALLOONDESIGN.ORG is another clone in the year long Riddick Design Red Line theme
REDBALLOONDESIGN.ORG = FAKE JOB SCAM
REDBALLOONDESIGN.ORG is also hosted on the same server as the still active:
RIDDICK DESIGN aka RIDDICK-DESIGN.COM = JOB FRAUD SCAM
RED LINE aka REDLINE-WEBDESIGN.ORG = JOB FRAUD SCAM
RECRUIT CENTER aka RECRUIT-CENTER.ORG = JOB FRAUD SCAM
Both fraudulent addresses in Sweden are used:
======================
Gjorwellsgatan 28,
112 60 Stockholm, Sweden
====================== Frejgatan 13, 11479 Stockholm Sweden
+46-46-288 52 67 . Frejgatan 13 11479 Stockholm Sweden ======================
A fresh audit of the hosting on that California server DEEPTECHNOLOGY.NET / DT-HOSTING.COM at IP 69.80.200.112
====================== Server Data Server Type: Apache/1.3.41 (Unix) mod_ssl/2.8.31 OpenSSL/0.9.7a PHP/4.4.8 IP Address: 69.80.200.112 IP Location - California - San Jose - Deep Technology Response Code: 200 Domain Status: Registered And Active Website ======================
Worth noting that the recruit Fraud Site's Testimonials:

Appear to be direct hijacked copies of those on an Indian site inika.com:
The IP 69.80.200.112 audit also shows a fresh fake mobile themed card fraud laundering website, which appears to be currently unassigned:
WORLDANDYOURGLOBAL.COM = CARD FRAUD LAUNDERING
That is in addition to the already known group on that server such as:
WORLDINYOURMOBILE.COM + CARD FRAUD LAUNDERING
and
ALARMWEBSTUDIO.COM = CARD FRAUD LAUNDERING
As in all of the previous red recruit mule fraud sites, REDBALLOONDESIGN.ORG has a cloaked privacy registration:
Whois Record
Domain ID:D156709748-LROR
Domain Name:REDBALLOONDESIGN.ORG
Created On:22-Jul-2009 21:00:25 UTC
Last Updated On:21-Sep-2009 03:56:55 UTC
Expiration Date:22-Jul-2010 21:00:25 UTC
Sponsoring Registrar:eNom, Inc. (R39-LROR)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:fc0e1b498311df0e
Registrant Name:Whois Agent
Registrant Organization:Whois Privacy Protection Service, Inc.
Registrant Street1:PMB 368, 14150 NE 20th St - F1
Registrant Street2:
Registrant Street3:
Registrant City:Bellevue
Registrant State/Province:WA
Registrant Postal Code:98007
Registrant Country:US
Registrant Phone:+1.4252740657
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:
Name Server:NS1.DEEPTECHNOLOGY.NET
Name Server:NS1.DT-HOSTING.CO
.
MGD | |   sbf
@cttel.net | mgd, I'm LE and would like to get in touch with you directly about some of this stuff.. is that possible? | |
|
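The 09/15/2009 warning post in this thread describes a hidden iframe on a site's index page that loaded a script from another host on port 8080. As an added example (not part of the thread or any poster's code), this Python check lists iframes in a saved copy of a page that are both hidden and sourced from a different host. The sample markup and the `shop.example`, `video.example` and `injected.example` names are constructed, since the original embed did not survive on the page.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page (assumption: the thread's real markup is not available).
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="/news/ticker.html" width="600" height="80"></iframe>
<iframe src="http://injected.example:8080/index.php" width="1" height="1"
        style="visibility: hidden"></iframe>
<iframe src="http://video.example/embed/42" width="640" height="360"></iframe>
</body></html>
"""

# A width/height attribute of 0 or 1 (optionally with "px") makes the frame invisible.
_TINY = re.compile(r"^\s*[01](px)?\s*$", re.I)
# Inline CSS that hides the frame or collapses it to 0/1 pixel.
_STYLE_HIDE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:^|;)\s*(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)",
    re.I,
)


class _IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append({name: (value or "") for name, value in attrs})


def hidden_reasons(attrs):
    """Return the reasons an iframe would not be visible to a visitor."""
    reasons = []
    for dim in ("width", "height"):
        if dim in attrs and _TINY.match(attrs[dim]):
            reasons.append(f"{dim}={attrs[dim].strip()}")
    if _STYLE_HIDE.search(attrs.get("style", "")):
        reasons.append("style hides frame")
    if "hidden" in attrs:
        reasons.append("hidden attribute")
    return reasons


def find_hidden_external_iframes(html, page_host):
    """List iframes that are hidden AND load from a host other than page_host."""
    collector = _IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.frames:
        src = attrs.get("src", "").strip()
        parts = urlsplit(src)
        host = (parts.hostname or "").lower()
        if not host or host == page_host.lower():
            continue  # relative or same-host frame: not the pattern described
        reasons = hidden_reasons(attrs)
        if not reasons:
            continue  # visible third-party embeds (video players etc.) are normal
        try:
            port = parts.port
        except ValueError:  # malformed port in the URL
            port = None
        if port not in (None, 80, 443):
            reasons.append(f"non-standard port {port}")
        findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_hidden_external_iframes(SAMPLE_HTML, "shop.example"):
        print(finding["src"], "->", ", ".join(finding["reasons"]))
```

Running it against periodic snapshots of your own pages, together with the `Last-Modified` header shown in the thread's server log, gives an early signal that an index page was altered outside a normal deployment.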