Money Laundering and Reshipping Fraud

Email Based
Job Scams
Abuse Reporting Contact Us Don't Bear Internet Fraud
Please be aware that criminals attack this website & my reputation. I NEVER accept money and I NEVER send out spam, so do not be fooled by any spam referring to my domain bobbear.co.uk in any way whatsoever. If you receive any unsolicited email referring to me or my website - PLEASE tell me about it. To learn more and to find out how to report all of these criminal fraudsters to their hosts and registrars yourself, check out my site and fight back! This Sophos blog & this Sophos press release refer to the criminal's last efforts against me, as does this VNUNET article - no doubt there will be more attacks. Thanks to everyone for all the support I've received. If it hadn't have been for the criminals attacking me I would not have had the publicity, so I guess I owe them one too.
Search This Site (Javascript must be enabled)
Powered ByDNSStuff.com - Your Destination For DNS and Networking Tools Money Laundering and Reshipping Fraudsters
On This Page
Money Laundering & Re-shipping Fraud Information
The Strawberry Site (Asprox) Money Laundering Fraud
The Victims
Notes For Abuse Teams
Money Laundering - One detailed Method of Operation
Email based fraud
Fraud Forums
The Zombie Botnet 'Host By Proxy' - Fastflux, Asprox etc.
Further Reading on Money Mule and Re-shipping fraud
Law Enforcement Links
Other Useful Links & Victim Support
Are You A Victim Or Have You Any Information?
Top Twenty [05-Sep-2008]
Most visited pages in order of popularity which reflects the level of spamming or other activity.
www.bobbear.co.uk/
www.bobbear.co.uk/sunreefyachts.html
www.bobbear.co.uk/morganinvestment.html
www.bobbear.co.uk/page8.html
www.bobbear.co.uk/index.html
www.bobbear.co.uk/westerncargologistics.html
www.bobbear.co.uk/logisticworldwideservice.html
www.bobbear.co.uk/malfourfginc.html
www.bobbear.co.uk/tylersuccessgroup.html
www.bobbear.co.uk/firstmiamicargo.html
www.bobbear.co.uk/paramountfinance.html
www.bobbear.co.uk/transfex.html
www.bobbear.co.uk/acconsultfinance.html
www.bobbear.co.uk/ericagerlogistics.html
www.bobbear.co.uk/worlddutyfree.html
www.bobbear.co.uk/uniquefabriks.html
www.bobbear.co.uk/mutrustcompany.html
www.bobbear.co.uk/snbauctions.html
www.bobbear.co.uk/worldfinancegroup.html
www.bobbear.co.uk/mgpagroup.html

If you receive any offers of employment either cashing checks and transferring the balance, or reshipping parcels, be aware that ALL such offers are fraudulent and are simply attempting to involve you in criminal activity which will result in your bank account being closed, your assets frozen and you possibly ending up with a criminal record.

If you have received a suspect job spam and it doesn't appear to be listed on my website then please send me the details, for example a working website link and/or a copy of the spam and I will be happy to investigate.

My website is purely voluntary and I don't accept monetary donations, but if you are willing to offer services that may be of help in investigating and fighting this sort of fraud then I am always grateful for such help. Website hosting, for instance, or if you are a company that offers subscription accounts for investigative services such as DNS tools, passive RDNS data etc than I would be most grateful for the donation of a free account for which in return I can offer an advertising slot on the site. Any other suggestions gratefully received!
Active Frauds

ABP Properties
Accent Company
AC Consult Finance
Ace Check Express
Ace Rentals
ADT Solutions Inc.
ADX Trans Express
AFC Financial Services
AlfaCor
Alfred Simons Textiles & Fabric Company
Ameca
AnimalSafe Inc.
Apollo Business Services
Asia Consultancy Group
Baltic Finance Group
BBI Business Finance
Belgium Market Money (MarketMoney.cc)
Best Global Road
Better Rentals
BNT Express International Finance
Business Care
Business Trade
Cargo Alliance
Cargo East Line
Cargo Giant (Cargo Gaint)
Cargo Logistic
CBA Properties
Charles Jones Textiles & Fabric Company
Chernobyl Child Project International
Clayton Investments
Coffe Furniture Design
Crampton Investments
DBI Business Finance
Diamond-Exchange Inc.
Direct Commerce GmbH
Divine Fabriks
Dominion Financial Co.
Duty Free International
East Way Inc.
e-Digital Corporation Inc
E-Investments Provider Inc.
Electronic Payment Services, Inc.
Electronics Distribution Group
Elite Finance Group
Emarket Solutions Inc.
Enter-Post Inc.
Epayment Solutions Inc.
Eric Ager Logistics Inc.
ESB Finance Group
EU Investment Solutions
Euro Globax
EURO Investment Solutions
Euro Invest Germany
Euro Transfer Group
Expressdeal
Active Frauds - continued

Fair Group Inc.
Farelli.net
Fargo Shipping
Fartex Group Inc.
FASEX (Fine Art Services)
F-Consulting Group
Finance and Credit
Finance Corp International Inc.
Fine Rentals
First Global Road
First Miami Cargo
First Rate Finance
Fortix Investments
Front Asset
GamePower Systems
GCS Group
Geneva Finance (Stolen website)
Global Financial Group
Global Trans Funding LLC
Global Union Inc.
Globe Group
Great Game Ltd.
Green Tree (Warehousing) Ltd
Guardian Consulting
Guardian Trading Inc
Happy Children
Happy Kids
Harsdorf's Financial Group
Hays Financial Consulting (Hays Transfers)
High Level
Horizon Company
IC Audit & Consulting
Independent Group Inc.
Independent Postal Service
Infobite Software
InterBuyers
InterLink Development Ltd
International Bidding Solutions
International Trading Place
Interpay Group
IntFinanz GmbH
IT-security Business Alliance
ITV Solutions
Jeanius Delivery Company
JS Partner Group
Ketler Group Inc.
King Finance Group
Latvia Web Finance
Legal Operations Inc.
Logic Group Inc.
Logistic Worldwide Service
Loox Company
Maestro Hosting
Magnus Business Community
Malfour F.G. Inc.
Marseille-shipping
Maxi Group Inc.
MGPA Group Inc.
Morgan Investment Co.
Morrison Business Solutions
MT Rushphase
MU Trust Company
M Web Hosting
Mynes Consulting & Finance
NESCO Accounting & Finance
NTI Consult
O&V Brokerage
Office Online
Olan Complex Co.
Onis Business Group
OPO Consulting Estonia
Optimus Inc.
Oranta Group Inc.
Osell International
Palmer & Stokes Ltd
Paramount Finance
Penton & Sullivan Ltd.
PF Inc.
Phillips & Seymoure Ltd.
Polo Company
Preston & Swane Ltd.
Principle Partners World GmbH
Priority Global Road
Private Business Consulting
Profit Financing Inc.
Progold Incorporation
Progold Investments
Progressive Escrow
Projection Technologies Inc.
Renaissance Capital Advisors Ltd.
Retoneva
Royals Yacht Sales
Secure Financing Inc.
Secure Operations Inc.
Services R Us
Shaller Finance
Sky Group Inc.
SmartOne Inc.
SNB Auctions
SouthWool Land
SP Group
Star Net
Summit Trading
Sun Hosting
Sunreef Yachts
Synovus Trade Inc.
T-Consulting Group
Terpax
TradeFinans
Transfer Invest
Transfex Inc.
TransWest Pacific
TR-Finanz GmbH
Treenity Real Estate
Trust Company Inc
TR-Wires GmbH
Tyler Success Group
Ultragame
Unique Fabriks
Unix Hosting
VBV-Logistic
Velocity Global Resources
Venice Inc.
Vienna Finance
Wangle Group Inc.
Webcardmaster
Web Ground
Web Star
Western Cargo Logistics
WestHold Transfers
WidePay Inc.
World Duty Free
World Finance Group
WorldTrans Inc.
Xerpat
Zales

Undocumented verified fraud sites

Aucstrade
Australian Financial Group
Box Express Logistics
Capital Science
Golden Finance
Grand Financial
Payday Loan
Platinumbank Donation Corp.
Transport Financial Inc.
United Merchants
United Sellers
Usfin Standart
Value Trans Financial Group
West Eagle Cargo
World Wide Mail Inc.
WSCC International

Previous Aliases

Abyline
AceChecktronic
Ace Global Inc.
Adamant Global
Aegis Capital Group
Alpha Financial
Asian E-Gold (AEG)
Aska Group
Avanta Group
Axxiom International
Best Finance Invest
Best Money Invest
BestTradeSolutions
Brintex Trading

BroadCapital
Bronsard Advantage
Burneys Finance
Business & Professional Consultants Inc.
Calisto Trading Inc.
Cargo Express
Central Access
Consumer Financial Group
Creovision Laboratories
Cronos Investment
David Stanley Redfern Ltd (Cloned Site)
Decapolis Investments
De Cart Ltd.
DeMarck Pharmaceuticals
Depositguard Ltd
DES Group Inc.
Digital Investment Projects Inc.
Diversified 1
Draper Investment
EastAntiques
Eden Financial Group
E-Investment Projects Inc.
Escrow Deals
Eu Trust Invest Inc.
FastTransfer
FIC Financial
Finance International
Financial Open Inc
First Promote Invest Inc.
Form Promo Invest Inc.
Fresh Solutions Inc.
Gen Corp Financial Consulting Group
German Autoimport
Global Austrian Syndicate
Global Eu Invest Inc.
GlobalSoft
GlobaxTrans Finance
GUARANTEE-TRADING Corporation
H&A Trade Group Inc
Harris Business Solutions
Harvey Investment
HeartMicrotech Inc.
Henwood Business Solutions
Honda-Handle
ICDBShipping
ICG Technology
iCTransport, Inc
Impex Consult
Indigo Global Consulting Services
Israeli Brokerage Services
ITV International
Job Stock Resource
Joy & Joseph Inc.
K-Investment Group
LCD Systems
Lux Capital
Marvell Financial Group
Millennium Business Online
Necessary Financial Solutions
NeoLenses Laboratories
Newman, Esmond & Eisenberg
Next Level
NitrosGroup Finance
Norden United
Norway Consulting Group
Premium Invest (Premium Finance)
Promo Invest
Quality Style Reliability, Inc.
Radius Group
Rain Solutions Inc.
Rapid Delivery System
Reynolds Investments
Safe Way Worldwide
Ship It, Inc.
Sigma Motion
Silverlens Laboratories
Simple Investments Inc.
Smartec-uk
Smart Pay Inc
STK Consult
Swiss Invest
Sydney Car Centre
Transfer Invest
Transinvest Gateway Corporation
TransWest Pacific
TriplexDirect Finance
TrusInvest Gateway Corporation
Trust-Key Inc.
TrustSolution Gateway
United Cargo Solutions
United Finance GmbH
US Money Invest
Waldman Business Solutions
Waller Truck Co.
Western Solutions
World Money Transfer Service Company
www-firstusa.com
ZinexFinance

The above are all verified money laundering & reshipping criminal fraud websites & prolific spammers run by criminal gangs who frequently, (but not always), host their sites using 'botnets' of 'zombie' computers, i.e. PCs that have been infected with a trojan/virus. See The Zombie Botnet 'Host By Proxy' section for an explanation of this common method by which these criminals host their fraud sites.

The well known 'Rockphish' phishing criminals also operate money laundering websites - they frequently use a zombie botnet method of distributing their spam, (not to be confused with the above different zombie botnet method of hosting websites), and the 'phishing' emails often contain exactly the same spurious code used as Bayesian filter avoidance text.

The registrars of the above criminal's domains are generally chosen by the criminals to be ones they think will be resistant to abuse reports. The criminals generally favour a mixed selection of domain registrars & they vary all the time as they attempt to find a 'criminal friendly' one. Most registrars eventually respond positively once they appreciate the situation, although there are always going to be a small minority of 'blackhat' providers who irresponsibly adopt a "we don't get involved" attitude and ignore abuse reports.

The registrar 123-reg.co.uk, (aka Webfusion - part of the GX Networks/Pipex group), refused to suspend the Green Tree (Warehousing) Ltd fraud domains unless they were instructed to do so by the police, courts, solicitors etc. They refused to act on any clearly valid abuse reports from this site, not only for the above money laundering fraud domains, but also for the affiliated 'rockphish' phishing domains. They are now knowingly providing registration services for the GTW follow-up fraud, the
Sunreef Yachts criminal fraudster and are once again ignoring valid third party abuse reports unless they are from an 'official source' such as the above, thus allowing the criminals an easy ride whilst profiting from their criminal activity. They are also knowingly providing hosting and registrar services for the Divine Fabriks and Unique Fabriks criminals.

Where multiple domains are used for the same website, the whois data in the registrar look-up for a domain is almost always different and always bogus.

The criminals also naturally favour hosts and zombie botnet nameserver hosts that they also think will be the least responsive to abuse reports. Unfortunately, they are occasionally right - there are a few unethical providers who continue to provide services for these criminals despite having been notified of the clear criminal abuse.

Money Laundering & Re-shipping Fraud Information

Fraudsters send unsolicited e-mails or place job offers on legitimate Internet recruitment sites or forums looking to recruit 'money transfer agents' with bank or Paypal accounts. These bogus companies offer part-time employment as an agent receiving payments for goods which the company claims to be supplying, and then passing the payment on to the company via a money transfer company such as Moneygram and/or Western Union less an 'agent's percentage', (usually in the range 5-10%).

These job offers are always illegal and fraudulent. Any person who agrees to act as an agent, (more correctly a money laundering 'mule'), is actually receiving stolen or counterfeit funds into their account. The final destination of the transferred funds will be an organised crime syndicate, generally overseas.

Another variation of this fraud is to offer part time employment as a 'Re-shipping Agent'. This consists of accepting parcels to your home address and forwarding them on to criminals. Needless to say these goods are either stolen or obtained by fraudulent means. This type of fraud is well documented by many authoritiative sources such as Monster and the US Postal Inspection Service

No legitimate company would offer an illegal money transfer 'job' to a home-based private individual - such a job is always illegal and the company offering it is always a criminally run 'front' company. Similarly, no legitimate company would offer a job as a 'Re-shipping Agent' to a home based private individual. Such a 'job' is always a solicitation from
a bogus criminal company to fence stolen goods.

These companies can be very convincing in their attempts to perpetrate their fraud. Many of them try and give an air of legitimacy by displaying bogus 'Verisign' and other certificates. Learn to recognise fake 'Verisign' certificates which will simply be .gif images on the criminal's own webserver and when clicked on will not display information that originates from the genuine Verisign https secure server, but simply another bogus .gif image from the criminal's site. Always ensure that the URL of the pop-up seal verification page begins with the address https://seal.verisign.com. If it doesn't, the seal is fraudulent.

Any person who suffers financial loss as a result of acting as an "agent" for any of these organisations would not be eligible for any form of refund from the bank concerned who would recover any monies, close the account involved in this scam and criminal charges could follow, not just for the "agent" but for anyone knowingly involved in provision of services to the criminal:

Knowingly supplying services to these fraudsters is a criminal offence in the UK under the UK Proceeds of Crime act (2002) Section 328 "A person commits an offence if he enters into or becomes concerned in an arrangement which he knows or suspects facilitates (by whatever means) the acquisition, retention, use or control of criminal property by or on behalf of another person". The notification level for this offence is low. Would all hosts and registrars with a UK presence please bear this in mind. Other countries will undoubtedly have similar provisions.

If you think that being a money 'mule' is a relatively safe and profitable occupation, then think again - the paper trail leads directly to you and you may well find yourself in the same position as these 14 Dutch entrepreneurs.

For further information regarding UK money laundering law, please refer to:
http://www.lawsociety.org.uk/professional/conduct/guideonline/view=page.law?POLICYID=225029

Whether the fraudster uses a website, as in the examples above, or simply uses a response email address, (as these criminals also do - see below), the fraud is exactly the same. Remember the first rule of spam, i.e. All spammers are liars - if you receive a 'job offer' in an unsolicited email, (spam) it is invariably a scam. Always abide by the Boulder Pledge and never respond in any way whatsoever to anything that is spamvertized whether it is goods or services. [Return To Top]
The Strawberry Site Money Laundering Fraud
[AKA Devbill, Ebooks etc webites]

This is a variation of the standard money mule operation and recruits unwitting mules who are requested to register 'genuine' limited companies complete with merchant accounts in what on the face of it appears to be a franchise operation selling website templates or software or whatever, (the actual 'product' doesn't even exist - it is irrelevant to the fraud). The criminals supply a website, (in the UK this currently has a distinctive 'Strawberry' 'Flash' template) which bears the name of the company that has been set up by the 'mule'. This is the scam operated by Infobite Software and has been in existence for some time in the US, with many previous aliases. The criminals use stolen credit card data to make small charges against numerous cards for fake products allegedly supplied by the 'front' company which has been newly registered by the unwitting mule. The mules function is then to wire 90% of these fraudulent charges back to the controlling criminals.

This is a simple overview of what is a huge worldwide credit card fraud operation. For a full history and an amazing in depth analysis of the fraud, have a look here, along with the aa419.org coverage here.

So, if you are offered what appears to be a franchise operation, (especially if it comes out of the blue in a spam, probably purporting to come from a job website), and are asked to set up a limited company and open a merchant account to operate a website supplied by the 'company', then it is likely that you are being recruited for this illegal money laundering operation. Don't be tempted.

If you see a small, (usually £9.90), unknown charge on your credit card from one of these 'front' companies
then your credit card data is known to the criminals. You should report it as a fraudulent charge, (not a disputed charge), and request a new card and associated details. You may also wish to file a crime report on the Metropolitan police 'Fraudalert' website.

This fraud has now been replaced by a new alias and a new generic mule website - see
AlfaCor for details. [Return To Top]
The Victims

I receive many responses from visitors to my site, some from victims who have been defrauded by the fraudsters that I document on this website and many more who are just upset by the volume and nature of these criminal's spam. I find some of them quite upsetting myself. An example of the former is a response from a CEO of a Credit Union who tells me of some of her members who have lost thousands of dollars to these criminals. An example of the latter, and these can be just as upsetting, is from a UK lady who wrote to me, (& has kindly given me permission to print this):

"Harvey Investment Co.- totally sick of their invites. I am a 73 year old UK voiceless (cancer) female needing my pc for my only communication".

So, if you are the sort of host or registrar who sees nothing wrong in providing services to these criminal fraudsters under the argument that "What they do with the hosting/domain I provide is none of my business" then I have zero regard for you. If you knowingly host these criminal's zombie botnets and register their domains and ignore abuse reports then as far as I am concerned you are aiding and abetting their criminal activity and that makes you as guilty as they are.

If you are tempted by the thought of easy money and wonder what might happen if  you reply to these fraudsters and take up their offer, then this cautionary tale received from "Dave" from California might just dissuade you:

"
I have been recruited by 5 different companies. 3 of which actually have sent me checks or moneygrams. 2 of which I have deposited into my account. Although I have not released any funds, Thank God. Due to the fraudulent payments that were deposited into my account have I committed a crime? My bank has frozen all of my assets and are talking about criminal charges".

Then this is what "John"
from the UK tells me happened to him:

"Hi, Good Evening. I've just this afternoon had my Bank Account suspended - yes, you may have guessed - Cronos. I fell for it. Laid off work on the 19 Sep so searched the internet for home based jobs, which most are scams and I avoided them. There amongst the other emails was one from Cronos inviting me to be a 'regional rep' for their company. All I had to do was have money transferred to my account and then pass via western union to their reps. in Poland. Yes, same addresses you have here on your website. They transferred £2115.00 cash which was immediately available and I duly transferred the monies, (what a fool I was ), & took 10%. This morning there was another cash transfer of £3882. What alerted me this morning was that I went to the hole in the wall, like you do, and it took my card. I went straight to the call centre who gave me a number to ring which turned out to be the fraud dept. I had an interesting conversation and went straight to my branch with all the details I had - emails, Western Union transfers and addresses of the people, (although I guess these will be false). Hope this helps someone somewhere".

John also tells me that the number that they called him from was
44+78124496357

Sometimes the consequences of getting involved with any of the criminals that I document on my website can be very traumatic. This is the cautionary tale sent to me by a lady from the US:

Well I was actually arrested for fraud after getting lured into the Trans Invest Site. After being pulled over for speeding I discovered there was a warrant for my arrest and was taken to jail. After a call to a local detective it seems that the forgery charges are a result of me receiving a check, cashing and transferring funds...i have now taken the brunt of the scam. I can tell you that I have NEVER been arrested and was HORRIFIED that this has happened. Yes, after the fact I am completely taken back about what has happened and the fact that I let myself be taken like this. As I now face criminal charges and trying to investigate this I am trying to find others that have been scammed by this particular Company in hopes that it may help my case. I have seen this on TV, radio..etc but never in a million years thought it would be me. I would appreciate any information that you can provide that might be able to help me. Thanks.

The message is clear, unless you have a strange liking for prison food, do not get involved with any of the criminals that I publicise and always be wary of part time work at home 'jobs' where the rewards seem to be too good to be true - they almost certainly will be. NEVER accept checks into your personal bank account or goods for reshipping.
[Return To Top]
Notes For Abuse Teams

Please appreciate that I do receive a lot of spam from these fraudsters & I think it only fair to pass appropriate reports on to the relevant abuse teams. If you disagree with this policy and do not wish to receive further abuse reports then please click on the 'Contact Us' link to send me a request - I have no wish to annoy you unnecessarily, but please bear in mind that the spam is not the major issue - the major issue is the victims that are sucked into this criminal's net of deception & theft - those are the ones to consider. The spam is very much a secondary issue compared to the misery and distress these criminals cause to their victims.

I'd like to thank the many honest, ethical & caring hosts, (& registrars), who have disconnected these fraudsters within an hour of receiving an evidential abuse report, (several in c. 20 minutes). However, the zombie botnet controlling nameservers seem to be occasionally hosted by Colocation/VPS service providers who do not respond to criminal fraud abuse reports in a reasonable time scale. The vast majority of honest, ethical & caring SPs will respond with an immediate, (preferably not 24 hours or 48 hours & certainly not never...), disconnection on receipt of a criminal abuse report, having quite rightly considered the evidence & investigated, but a few service providers stall or simply ignore abuse reports. This latter minority of uncaring, unethical or even downright criminal hosts are aiding and abetting criminal fraud and the victims suffer because of it.

Companies who deal with these criminals should be aware that according to my information from abuse teams they have in the past paid for their services using Paypal linked to stolen credit cards, so a chargeback may be expected. Even if a chargeback is not forthcoming, please bear in mind that the money that is paying for the hosting or domain is money obtained from the proceeds of crime & in accepting it you are also profiting from the crime. The bottom line is please be proactive in attacking these criminals - please do not be an accessory to internet crime by ignoring abuse reports or dragging your feet - please be a part of the solution, not a part of the problem - please spare a thought for the victims of these fraudsters. A prompt response to criminal abuse reports is essential, i.e. preferably minutes, but at worst hours - certainly not days. These criminals rely on abuse teams who take days to react if at all. If you do not respond to abuse reports, or if you do not receive them due to spam filtering on your abuse reporting address, please do not criticise me for simply posting the fact in my daily blogs - they are simply a factual record of my daily experiences. N.B. - Spam filters on abuse reporting addresses are a serious hindrance to genuine abuse reporting, especially if NDRs are disabled. These remarks are not aimed at the ethical majority of hosts who are a pleasure to deal with, just the unethical or simply uncaring few.

These are prolific criminals who have been in this business for many years & most are linked to the 'rockphish' phishing criminals and other commercial crime. If you aid and abet these criminals then you are aiding and abetting the 'phishing' & auction fraudsters too. Please consider immediate termination of these fraudster's accounts when I report them to you. If you receive an abuse report from this website you can be assured that the utmost care has been taken to ensure its accuracy and justification, including the use of reputable 'real time' DNS tools and top level whois data from the likes of ARIN APNIC, LACNIC, RIPE etc. I do not rely on conjecture or opinion - my reports are based on solid, irrefutable evidence of criminality.

Abuse teams may wish to consider passing on any details to the authorities that might lead to arrests & convictions. It is possible to glean a lot of information from the criminal's server before it is shut down.
[Return To Top]

Money Laundering - One detailed Method of Operation

This method of operation is documented for the Adamant Global fraudster, but I am confident that it equally applies to the rest of the criminal aliases that I document who are all from the same stable.

Once you have contacted them, these criminals ask you to set up a bank account, or ask for existing account details, (or merely use your Paypal account if you have one). After you have done that, you will receive an email to tell you that funds have been sent or transferred to that account and to wire it on to them as soon as possible less 10% for yourself. Those funds may be in the form of a direct transfer or a mailed cheque, but whichever way you receive the funds, they will be counterfeit or the proceeds of fraud - one method at the moment seems to be using fake Ebay auctions that name you as the recipient of the funds, so you will probably receive an irate email from someone who hasn't received the computer or camera or whatever that you have received the money for. This is the Adamant Global scam that Ms. X in the USA fell for and who sent me this information:

I have been taken by this scam. I received money on my paypal account and transferred the money to two people. Islam Nikaev 02-758 Mangalia 3B Warszawa, Poland (1078.38) and Idris Mazaev 04-12824 04-128 24 Omulewska Str, Warszawa, Poland (1082.38). Following is the email that I got letting me know that the money was in my paypal account. I was to keep 10% and wire the rest. I now have a very angry person contacting me because he said he won a computer on ebay and spoke to a women (not me) and still has not received the computer:

From: a.melba@globaladamant.com Save Address To: xxxxxxxxx@xxxxxxxx Subject: new payment, instructions Date: Tuesday, September 18, 2007 2:33:09 PM [View Source] Good day, New payment of $2,601 has been transfered to your paypal account, please withdraw them to your bank account (instruction below). Log in to your PayPal account. Click Withdraw. Click the Transfer funds to your bank account link. Enter the amount of the withdrawal, choose the bank account to withdraw funds to and click Continue. Click Submit. Please confirm reception of the funds and let us know when they are cleared. Regards, A. Melba

Mr. X in the USA received this email after falling for this fraud:

Dear Mr. X,

As soon as your bank has confirmed that the money is available to be  
withdrawn, please calculate and take out your 10% commission out of the  
total amount that you have on your account.  
 
After that,  withdraw the remaining 90% balance and carry it to the  
Western Union.  
The money should be transferred via Western Union for the  
following person(he is our  agent in the regional branch).  
 
First name: Magomed
Last name: Ezhiev
Country: Poland
City: Warszawa   
      
Adress: 04-128 24 Omulewska str.

As can be seen, the recipients of these transfers are ostensibly based in Warsaw, Poland, but with these criminals everything is fake and nothing is ever quite what it seems..

If you have any information regarding these fraudsters along the above lines then please do contact me.
If you are sending me any communications from one of these criminals then to be of most use the full email headers are necessary. How to reveal these are shown here for many popular mail clients. If you come across any money laundering fraud that is not documented on my website then do please let me know.

It's interesting to note that the criminals use variations of the fraud domains purely as maildrop domains - i.e. the domain
globaladamant.com is actually parked but the criminal is using the mail facility of the domain as a 'secure' mail service. I say secure because it's often hard enough to convince some registrars that the main fraud domains are just that, never mind trying to convince them that a parked domain is being used for criminal purposes as well....
[Return To Top]


Email based fraud
These criminals do not always use a website. They send tremendous amounts of spam offering a part time job of "Regional Assistant" or "Local Manager" or "Finance Assistant" or some such bogus title. The job always consists of accepting stolen or just plain counterfeit funds into your account, (which they may stress doesn't need to have existing funds in it), and forwarding it on to the criminals using Moneygram or Western Union less a percentage for yourself. There may be all sorts of "sweeteners" included in the spam such as "prospects of promotion", "professional advice", "pension scheme" etc, etc. All totally bogus, of course. The initial contact email address is often a Yahoo or AOL, or Gmail or Hotmail address, but whatever it is, the 'job' is fraudulent and illegal and will end up with you losing a lot of money and possibly facing criminal charges. Don't fall for it!

See the section "Email Based Job Scams" for more information on current spamvertised job scams. [Return To Top]


Fraud Forums
I have been made aware of a new? twist to ML fraud. The pharma/rockphish criminal fraudsters are operating phpbb based web forums that actively and openly recruit money laundering mules without attempting to disguise the operation in any way, quite the opposite - they are portraying this activity as legitimate and easy and commonplace. I'm not going to give them any publicity by publishing the links, but if any sections of law enforcement wish further information, please contact me. They are targeting the gullible, the greedy and of course, the outright criminal elements. If you are criminal and/or greedy enough to deliberately get involved in this, let me spell out for you the inevitable course of events. You may initially find that doing these transactions IS easy and you will be making 10% or so from every transaction, but the banks involved are not stupid - they are watching out for this sort of thing. Inevitably, sooner rather than later and without warning your account(s) and all your assets will be frozen, the police will come knocking on your door and you will not be treated as a victim of these criminals but as a criminal accomplice.

These criminals regard their mules as expendable fools - they do not care what happens to them. They know full well that their mules will eventually be arrested, but it's of no interest to them as long as they themselves remain safe and anonymous - they just recruit new ones. Unfortunately there seems to be a plentiful supply. As PT Barnum probably didn't say - "There's a sucker born every minute".
[Return To Top]


The Zombie Botnet 'Host By Proxy' (aka 'Fastflux', 'Asprox' et al)
How to recognise a zombie botnet hosting arrangement, frequently, (but not always), used by these fraudsters to host their websites.

This arrangement is basically a 'hosting by proxy' arrangement where a traceroute, (tracert), to a criminal website URL ends up on one zombie (virus/trojan infected end user machine), of possibly thousands that are being controlled, ('herded'), by a nameserver or more accurately 'botnet controller' which is registered by the criminal and is the real villain in the piece.

All the tools to help you can be found on the sites:
http://www.domaintools.com/services/
http://www.centralops.net/co/
http://www.robtex.com/
http://www.dnsstuff.com
http://www.dnswatch.info/

1) Check the DNS data for the website domain in question, (e.g. for nwmsmds.org), using one of the above links, (I have done it using the dnsstuff.com 'DNS Traversal' tool as it formats the result conveniently, but the information can be deduced from any good DNS lookup tool):

Looking up at the 2 nwmsmds.org parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.walillc.com [74.62.155.57] 85.217.201.213 87.207.253.79 89.37.242.97 210.6.255.133 78.52.147.3 79.116.186.67 80.98.245.209
ns2.walillc.com [195.81.52.10] Timeout - Fake nameserver, (never resolves).

2) Note the set of seven IP's in the response column which are the 'A' records returned by the nameserver ns1.walillc.com. If a new lookup is done after a short interval they will have changed to a new set - they rotate at a predetermined interval.

3) Immediately do a tracert on the domain nwmsmds.org, (before the IP's rotate), & it will end up on one of these IP's, showing it to be the site host IP at the instant the tracert was done. Do it again some time later and you will get a different host IP from the 'A' records list.

4) Do a whois lookup & ReverseDNS lookup on these IP's - the data frequently shows them to be DSL pool or cable, dynamic or static end-user IP's on a myriad of different domains which confirms them to be 'zombie' PCs, (infected end-user machines).

5) Check the date the nameserver domain, (i.e. walillc.com), was registered. They are always 'throw-away' domains registered very recently by the criminals themselves to use to control the zombie botnet as they cannot use a legitimate DNS service for that purpose.

In the above example the botnet controller ns1.walillc.com is hosted on the Roadrunner IP 74.62.155.57. The nameserver domain walillc.com was registered with INTERNET INVEST, INC. DBA IMENA.UA, (29-Mar-2008), by the criminals as an integral part of their botnet.


The criminals use numerous nameserver domains & nameserver IP's that are frequently shutdown. The life cycle of a nameserver IP of these fraudsters may be only a few days or even hours, depending on how good the relevant abuse team is at understanding the problem, how responsible they are & how quickly they act.

Note that the above is just an example of the arrangement - the IP addresses and domains used are real but are no longer active as the host & registrar have taken action. Some botnets use 5 zombie IPs, some use more and some use only 1. The possibilities are unfortunately almost limitless. The 'Asprox' botnet is currently running 15 zombies per nameserver and the nameservers themselves appear to be hosted on zombies. (See
MU Trust Company)

The domains and IPs do not stay active for long if the service providers are ethical. Examples of active domains can be found on many current fraud pages on this website. 
[Return To Top]
If you find this site helpful then please feel free to link to it on your website by inserting the following HTML code, (opens site in new window):
<a href="http://www.bobbear.co.uk" target="_blank">Money Laundering Fraud Websites</a>

Further Reading on Money Mule and re-shipping fraud

The UK BankSafeOnline website, (produced by APACS - the UK trade association for payments), has an excellent description of the money 'mule' process, under the Money Mules Explained sub-heading, but there is also a much wider range of excellent information, including information on 'Phishing' and Trojans.

These criminals increasingly attack career and job websites. This Monster article explains both the money laundering and re-shipping fraud aspects.

For further information on these & similar criminal fraudsters, see under 'Job offer scams' on the Wiki page http://www.spamtrackers.eu/wiki/index.php?title=Category:Job_offer_scams and always remember, Google is your friend!

The international law firm Pinsent Masons has an excellent site called 'Out-Law' which
has 7,000 pages of free legal news and guidance, mostly on IT and e-commerce issues. [Return To Top]
Law Enforcement Links

UK Metropolitan Police fraud alert

Philippines National Bureau of Investigation

Hong Kong Police

United States Secret Service, (Financial Crimes Division)

United States Department of Justice (Computer Crime & Intellectual Property Section)
     ●     How to Report Cyber and IP Crime 

The Swiss Coordination Unit for Cybercrime Control (CYCOS)

European Network And Information Security Agency (ENISA)

Europol

Interpol  - International Police Justice links

FBI  - Internet Crime Complaint Centre

Belgian Internet Crime Reporting Site (ECOPS)


The German Federal Criminal Police Office (BKA)


Do you know any links to local or national law enforcement bodies worldwide that may be useful in the field of reporting internet crime? Then please let me know and I'll publish them here.

*** If you are a law enforcement agency and would like feedback or information or copies of abuse reports concerning the providers of this criminal organisation's services pertinent to your area of policing then please contact me via the 'Contact Us' link. N.B. - as I have had some suspicious approaches I will require proof that you are who you say you are***
[Return To Top]
Other Useful Links & Victim Support

The UK Financial Services Authority - if a company claims to be operating in the UK in the financial sector then it must be registered here. However, it is becoming more common for a fake company to hijack the registration of an existing company.

Here is a useful list of "Unauthorised Internet Banks" from the FSA, but I don't know how up-to-date it is kept.

The UK Companies House - a registered UK company will be recorded here, but once again, thieves and fraudsters do hijack existing company names.

Fraud Aid - Fraud Aid is a US based non-profit website which not only offers a wealth of information on the mechanics of a wide variety of frauds, but in addition offers support to the victims of fraud. If you are, or suspect that you are the victim of fraud, then you will undoubtedly find help and support here. 
[Return To Top]
Are You A Victim Or Have You Any Information?

If you are a victim of any of the above criminal fraudsters and/or would like to help to bring them to justice then I would be interested in any information that you have received from them that could help towards that end. For example, that would include source code for any correspondence you have had with them, (or select "Forward as Attachment" in your email client to send the complete message including the headers), & scanned copies of any paper correspondence, (not the originals), such as Western Union receipts for transfers to them etc. If you wish, you may remain completely anonymous - I do not require your own personal details which may be obscured in any material supplied. Please contact me via the 'Contact Us' form if you are willing to help in this way. If you are sending me any communications from one of these criminals then to be of most use the full email headers are necessary. How to reveal these are shown here for many popular mail clients. [Return To Top]