Abela Financial Group Fraud

Abela Financial Group website screenshot (06-May-2009)
If you've either received an active website link in an Abela Financial Group fraud spam, or know of an active domain that is not listed in the domain tables below, then please let us know by reporting it using the 'Report Active Domain' option in the title bar above. Copies of spam are welcome. Scroll down for the latest news.

This Abela Financial Group criminal fraud website should not be confused with any other company with the same or similar name. The above screenshot and the following evidence define this criminal alone. These criminals have stolen the identity of a genuine company of the same name AND they have stolen the website of another genuine Australian company for their fraudulent purposes, as detailed below.

Abela Financial Group is another zombie botnet hosted fraud from the money laundering department of the well known 'Rockphish/Asprox' phishing criminals. Passive DNS data shows that this fraud site is hosted on the same zombies that are hosting other Rockphish criminal fraudsters and phishing sites. The fact that it is zombie botnet hosted is undeniable evidence of criminal fraud, as no legitimate site is botnet hosted, but there is plenty of other evidence of fraud: they have stolen the website of the genuine company Turner Financial Group and are using it for fraudulent purposes, and they have stolen the identity and registration of another innocent Australian company at a different address.

Current Zombie Botnet Controller Hosts

- ns1.mybabals.com [] - 


The above table shows the current providers of zombie botnet hosting services to the criminals and how long they have been providing them for. The decent ethical majority of service providers (all credit to them - they are a pleasure to deal with) act within 1-24 hours of being informed of the criminal abuse of their system (the best in less than 1 hour), but there are unfortunately some that, for whatever reason, do not. Any hosting company that remains in the above list for more than 48 hours has unfortunately not responded to abuse reports and may possibly be a 'blackhat' or even a criminal controlled host.

If you are an abuse team that has taken action, please let me know so that I may remove the above record and update the data.

Abela Financial Group : Evidence of Site Theft and Criminal Fraud

N.B. - Initial information correct at 06-May-2009 - Check the domain tables and ***Latest News*** items for domain and hosting updates.

i) The Abela Financial Group fraud website is hosted on a five-IP 'fastflux' zombie botnet as evidenced below. No legitimate company would use a zombie botnet to host their website - that is undeniable evidence of criminality.

ii) Passive DNS replication data research on the listed zombies hosting the site shows that the same zombies are used to host other 'Rockphish' fraud sites, attack and 'phishing' URLs.

iii) A Google search for "Abela Financial Group" returns a registered Australian company at a different address to the one claimed by these fraudsters and with a different website - they have stolen the ID of the genuine Abela Financial Group Pty Ltd and are claiming it as their own, using the ABN of the genuine company, although they are using a different (fake) location address/contact details and a website stolen from another company.

iv) Stolen website - the criminals have stolen the website of the genuine Australian company, Turner Financial Group and are using it for their fraudulent purposes - irrefutable evidence of criminal fraud and site theft.

v) Notice the statement on the above screenshot of their home page: "Abela Financial Group has provided high quality accounting and taxation services to clients for over 8 years". However, the crook's initial domain abelafinancial.com was only registered with XIN NET TECHNOLOGY CORPORATION on 05-May-2009, for the criminal's usual minimum domain period of only one year - clear evidence of a fraudulent registration.

vi) The fraud job as posted on their website:

 Why Payment Protection service

When buying-selling operations via the Internet are concerned, the buyer and the seller don’t know each other and are placed in different corners of the world. Therefore it is important both to the buyer and the seller to ensure that their transaction is made safely. Payment Protection means receiving payments, documents, goods (it might be both the seller’s and the buyer’s) concerning the transaction by a reliable, experienced, impartial person - our Payment Protection agent. The agent will hold the funds and documents until all the terms of the deal are satisfied.     

Benefits for Payment Protection Agents

The main chain of our Payment Protection service is a Payment Protection agent who is carefully selected before he is admitted to the job. We need agents all over the world that is why the majority of our agents work on a part-time basis from home, although there are agents who work full-time. Payment Protection agents get the commission for every successfully-completed transaction, which is 5-7% (depending on the quantity of processed transactions) from the amount of each transaction. As an agent, you will be granted 24/7 support and assistance from our help-desk in case of emergency. A secure online environment makes the work of a Payment Protection agent easier. Bank deposits and withdrawals are not taxable by EU/UK/US/AU law, making it a comfortable source of income.

Benefits for the seller

The seller must be ensured that while selling goods or services online he/she will eventually receive the payment. That is why online sellers turn to our company; on our behalf we guarantee that if they sell online, they will receive payments according to the terms agreed upon in advance. Our company provides a safe environment for internet transactions making it easy for all participants to be completely protected.

Benefits for the buyer

The buyer must be ensured that while purchasing goods or services online he/she will eventually receive the item he/she paid for. Conducting online payments through our Payment Protection agents guarantees a risk-free internet purchase, because Payment Protection agents release the payment to the seller only after all the terms of the agreement are satisfied and the required documents are processed.
 
Benefits for our company

Year by year the amount of e-commerce is increasing, the services of our company are becoming more and more demanded, which gives us an opportunity to expand our business and provide fast, secure and professional services. The more Payment Protection agents we attract the quicker we can perform Payment Protection procedures, as inner transfers take no more than an hour. The transaction time depends on the physical location of the sender and the receiver of the funds. Our agents get 5-7% from each transaction, while we get 3% more for our services, and that's how we benefit from the business to ensure a sustainable growth and development.


That is a clear, illegal, part-time, work-from-home job of accepting payments into your personal bank account and transferring a balance back to these crooks via Western Union or Moneygram. In this instance they have dressed it up as "payment protection", which appears to be basically a type of escrow, but no legitimate company would use unknown private individuals in a foreign country on a part-time basis in this way - not only is the whole idea totally preposterous, but it is also illegal. This is undeniably a 'Rockphish' criminal running the botnet hosted operation, so the funds are guaranteed to be stolen from phished accounts. If you engage in the above activity you can expect to have your bank account closed, your assets frozen and possibly be investigated by the police for involvement in illegal activity. You will also lose any money that you have transferred to these criminals - don't be tempted.

vii) Fake contact details from the website:
    
Abela Financial Group Pty Ltd
ABN   91 082 867 230
 
Address:      
24 Lincoln Rd, Essendon,
VIC, 3040, Australia
Phone:     +61-38-6485-896
Fax:     +61-38-6485-896
Email:     david@abelafinancial.com
Please email us, we will respond to you shortly.


- The address 24 Lincoln Rd, Essendon does not return any Google hits.
- A Google Street View search of the neighbourhood shows no evidence of these criminals - it appears to be a residential neighbourhood.
- Notice the single phone/fax number +61-38-6485-896. The correctly formatted number, (03) 8648 5896, Googles as the fax number of Bloomberg in Melbourne - clear evidence of fraud.

viii) The Spam:
From: Andrew Iverson (job@recruitabelafinancial.com)

Abela Financial Group Pty. Ltd. 24 Lincoln Rd, Essendon, VIC, 3040, Australia.

Hello, my name is Andrew Iverson and I am Abela Financial Group Pty. Ltd. Staff manager.

We have found and reviewed your CV at totaljobs.com and decided to offer this job to you.

Our services

When buying-selling operations via the Internet are concerned, the buyer and the seller don't know each other and are placed in different corners of the world. Therefore, it is important both to the buyer and the seller for their transaction to be made safely. Payment Protection means receiving money, documents, goods (it might be both the seller's and the buyer's) concerning the transaction by a reliable, experienced, impartial person - our Payment Protection agent. The agent will hold all the money and documents until all the terms of the deal are satisfied and only then release them to the intended receiver.

Please, visit our web-site for more information. (http://www.abelafinancial.com/)

Why we need Payment Protection agents

Having a Payment Protection agent in every country we can quickly transfer funds inside a country without wasting time on the international bank transfers, and continue our rapid growth rather than overwhelming our own bank account with inbound and outbound transactions leading to severe hold times and possible service interruption. It is time that is of significant importance to our clients.

Career and Benefits

Your main task will be receiving money transactions to any bank account you would like to use for the purposes of this job; and then forwarding these transactions to the next party of the Payment Protection process according to our instructions.

You will benefit from the commissions, which are 5-7% of each transaction and depend on the quantity of the completed transactions and the speed of your work. Besides, you will be paid a basic salary of 1500 GBP per month.

For your convenience there will be no paychecks, your commission will remain in your account after every successfully completed transaction. The money transfer fee is not included in your commission, meaning that you will deduct it from the received amount, not from your commission. Also you receive 5-7% of the transaction amount. Normally the amounts that we process vary from 2,000 GBP to 10,000 GBP, but can go higher on special occasions.

Job details

As the financial activity in your area is not too high, a Payment Protection agent will be processing approximately 1-2 transactions per week.
Each transaction requires approximately 4-5 hours of the agent work.
Our manager always calls the agent beforehand to provide all the instructions. Therefore, with the due time management, the agent is able to combine this job with other activities (e.g. primary job or studies).

 If you are ready to proceed, please provide your AVAILABLE phone number to our hiring manager (John Atkinson) at hiring@abelafinancial.com
Please do not hesitate to contact us if you need more information.

-- Sincerely yours, Andrew Iverson, Abela Financial Group Pty. Ltd. visit us at http://www.abelafinancial.com/


The above irrefutable evidence clearly demonstrates beyond any doubt that the Abela Financial Group website is a fake website that has been set up by criminals purely for the purpose of deception and fraud. If you are an abuse team that has received an abuse report regarding these fraudsters, please consider immediate termination of their services in view of the absolutely undeniable evidence of criminality - please don't delay - these criminals will not respond to any communication from you, (all their whois data is false), but will simply take advantage of any attempt at communication as a delaying tactic to allow them time to carry on their criminal activity and prepare their next network.

Do not be misled - these are professional criminals with a long history of fraud as detailed on the General Information page and are the same criminals as the 'Rockphish/Asprox' phishing fraudsters, so if a host or registrar shelters these crooks then they are also sheltering the 'Rockphish/Asprox' phishing fraudsters and aiding and abetting their criminal 'phishing' fraud activities.

Fraud Domains

| Domain | Status | Registrar |
|---|---|---|
| abelafinancial.com | Active | XIN NET TECHNOLOGY CORPORATION - 05-May-2009 |
| recruitabelafinancial.com | Active | XIN NET TECHNOLOGY CORPORATION - 06-May-2009 |

Criminal Registered Nameserver Domains

| Domain | Status | Registrar |
|---|---|---|
| pinkelips.com | Suspended | GANDI SAS 02-May-2009 |
| goldenhost-pepl.com | Parked | Register.com 13-May-2009 |
| mybabals.com | Active | INTERCOSMOS MEDIA GROUP, INC. D/B/A DIRECTNIC.COM (04-jun-2009) |

Please notify me of any domains not listed here.

Notes for Registrars

i) The Abela Financial Group criminal uses his own nameserver domains to control his zombie botnets or provide his DNS. By definition there can be no legitimate domains using his dedicated botnet nameservers, and his conventional nameserver domains are always very recently registered. This provides an ideal database search option for you to identify and delete all of this criminal's fraud domains without any risk of hurting an innocent domain. The criminal's current botnet nameserver(s) are listed above.

ii) The criminal will not respond to your challenge but will use the notice to prepare a new network - immediate suspension without warning is essential.
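
The database search described in note i), as an added example that is not part of the original page: it flags every registration delegated to one of the nameserver domains listed above. The record layout, the function names and the `.example` entries are constructed for illustration; only the two abelafinancial domains and the three nameserver domains come from this page.

```python
# Nameserver domains this page lists as registered by the fraudster.
BAD_NS_DOMAINS = {"pinkelips.com", "goldenhost-pepl.com", "mybabals.com"}

# Constructed registrar records: domain -> delegated nameservers.
# The first two mirror the page; the ".example" rows are invented test cases.
REGISTRATIONS = {
    "abelafinancial.com": ["ns1.pinkelips.com", "ns2.pinkelips.com"],
    "recruitabelafinancial.com": ["NS1.PinkeLips.com.", "ns2.pinkelips.com."],
    "customer-one.example": ["ns1.hosting.example", "ns2.hosting.example"],
    # Look-alike name: must NOT match, the label boundary differs.
    "customer-two.example": ["ns1.notpinkelips.com", "ns2.notpinkelips.com"],
    # Bad name used as a prefix of another zone: must NOT match.
    "customer-three.example": ["ns1.pinkelips.com.hosting.example"],
    # Mixed delegation: one listed nameserver is enough to flag it.
    "customer-four.example": ["ns1.goldenhost-pepl.com", "ns1.hosting.example"],
}


def normalise(host):
    """Lower-case a hostname and drop whitespace and the trailing root dot."""
    return host.strip().rstrip(".").lower()


def under(host, zone):
    """True when host is the zone itself or a label-aligned subdomain of it."""
    host = normalise(host)
    return host == zone or host.endswith("." + zone)


def flag_delegations(registrations, bad_ns_domains):
    """Return {domain: sorted matching nameserver domains} for every hit."""
    hits = {}
    for domain, nameservers in registrations.items():
        matched = {zone for ns in nameservers
                   for zone in bad_ns_domains if under(ns, zone)}
        if matched:
            hits[normalise(domain)] = sorted(matched)
    return hits


if __name__ == "__main__":
    for domain, zones in sorted(flag_delegations(REGISTRATIONS, BAD_NS_DOMAINS).items()):
        print(f"{domain}: delegated to {', '.join(zones)}")
```

Matching on a label boundary rather than a plain substring is what keeps look-alike and unrelated zones out of the suspension list.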
The Zombie Botnet DNS Data (Valid for domain abelafinancial.com, recruitabelafinancial.com)
How I am searching:

Searching for abelafinancial.com A record at c.root-servers.net [192.33.4.12]: Got referral to B.GTLD-SERVERS.NET. (zone: com.)
Searching for abelafinancial.com A record at B.GTLD-SERVERS.NET. [192.33.14.30]: Got referral to ns1.pinkelips.com. (zone: abelafinancial.com.)
Searching for abelafinancial.com A record at ns1.pinkelips.com. [87.239.22.51]: Reports abelafinancial.com. Response:
Domain Type Class TTL Answer
abelafinancial.com. A IN 1800 148.228.148.74
abelafinancial.com. A IN 1800 77.41.97.152
abelafinancial.com. A IN 1800 82.10.225.196
abelafinancial.com. A IN 1800 82.13.84.146
abelafinancial.com. A IN 1800 98.246.108.83
abelafinancial.com. NS IN 1800 ns2.pinkelips.com.
abelafinancial.com. NS IN 1800 ns1.pinkelips.com.
ns1.pinkelips.com. A IN 1800 87.239.22.51
ns2.pinkelips.com. A IN 1800 11.213.125.16

Looking up at the 2 abelafinancial.com. parent servers:

| Zombie Botnet Nameservers | Botnet Nameserver 'A' Records (Zombie Site Host IPs) |
|---|---|
| ns1.pinkelips.com [87.239.22.51] | 148.228.148.74 77.41.97.152 82.10.225.196 82.13.84.146 98.246.108.83 |
| ns2.pinkelips.com [11.213.125.16] | Timeout - Dummy nameserver, (never resolves). |

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.pinkelips.com hosted by Layershift Limited (UK) on IP address 87.239.22.51 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT/NSLOOKUP). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.

***Latest News*** Initial entry 6th. May 2009

***Latest News*** 9th. May 2009
Layershift have disconnected the criminal's botnet hosting and they are now back up on IP 199.102.44.27 (Monticello Networks, Inc./iWebFusion Technologies LLC) as per the following network:
The Zombie Botnet DNS Data (Valid for domain abelafinancial.com, recruitabelafinancial.com)
Looking up at the 2 abelafinancial.com. parent servers:

| Zombie Botnet Nameservers | Botnet Nameserver 'A' Records (Zombie Site Host IPs) |
|---|---|
| ns1.pinkelips.com [199.102.44.27] | 148.228.148.74 190.44.96.69 61.83.186.115 83.230.37.23 85.136.134.87 |
| ns2.pinkelips.com [11.213.125.16] | Timeout - Dummy nameserver, (never resolves). |

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned botnet nameserver ns1.pinkelips.com hosted by Monticello Networks, Inc./iWebFusion Technologies LLC on IP address 199.102.44.27 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT/NSLOOKUP). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.

***Latest News*** 11th. May 2009
The hosting of the criminal's botnet controller is offline.

***Latest News*** 14th. May 2009
Gandi SAS have suspended the nameserver domain pinkelips.com. The criminal's new nameserver domain is goldenhost-pepl.com registered with Register.com (13-May-2009). 
Monticello Networks, Inc./iWebFusion Technologies LLC do not appear to have ceased the botnet hosting. The criminal's current botnet data:

The Zombie Botnet DNS Data (Valid for domain abelafinancial.com, recruitabelafinancial.com)
Looking up at the 2 abelafinancial.com. parent servers:

| Zombie Botnet Nameservers | Botnet Nameserver 'A' Records (Zombie Site Host IPs) |
|---|---|
| ns1.goldenhost-pepl.com [199.102.44.27] | 189.220.187.231 200.94.161.7 208.120.237.132 83.84.154.219 98.246.108.83 |
| ns2.goldenhost-pepl.com [203.161.26.21] | Timeout - Dummy nameserver, (never resolves). |

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned botnet nameserver ns1.goldenhost-pepl.com hosted by Monticello Networks, Inc./iWebFusion Technologies LLC on IP address 199.102.44.27 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT/NSLOOKUP). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.

***Latest News*** 29th. May 2009
No response or action by the registrar XIN NET TECHNOLOGY CORPORATION. The criminal has a new botnet host - details:
The Zombie Botnet DNS Data (Valid for domain abelafinancial.com, recruitabelafinancial.com)
Looking up at the 2 abelafinancial.com. parent servers:

| Zombie Botnet Nameservers | Botnet Nameserver 'A' Records (Zombie Site Host IPs) |
|---|---|
| ns1.goldenhost-pepl.com [94.76.240.2] | 148.228.148.74 201.172.157.243 211.135.37.105 77.253.108.254 80.179.195.144 |
| ns2.goldenhost-pepl.com [203.161.26.21] | Timeout - Dummy nameserver, (never resolves). |

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned botnet nameserver ns1.goldenhost-pepl.com hosted by Poundhost/Blueconnex Networks Ltd on IP address 94.76.240.2 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT/NSLOOKUP). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.

***Latest News*** 8th. June 2009
News from Frank Bear - the nameserver domain goldenhost-pepl.com has been parked by the registrar and the criminal now has a new botnet nameserver domain, mybabals.com registered with INTERCOSMOS MEDIA GROUP, INC. D/B/A DIRECTNIC.COM (04-jun-2009), new botnet details:
The Zombie Botnet DNS Data (Valid for domain abelafinancial.com, recruitabelafinancial.com)
Looking up at the 2 abelafinancial.com. parent servers:

| Zombie Botnet Nameservers | Botnet Nameserver 'A' Records (Zombie Site Host IPs) |
|---|---|
| ns1.mybabals.com [212.95.50.176] | 24.132.173.187 77.111.155.225 77.253.120.134 79.172.77.188 89.174.127.12 |
| ns2.mybabals.com [76.22.244.15] | Timeout - Dummy nameserver, (never resolves). |

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned botnet nameserver ns1.mybabals.com hosted by NETDIRECT-NET on IP address 212.95.50.176 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT/NSLOOKUP). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.

***Latest News*** 10th. June 2009
The above criminal's botnet has been shut down and they are back up on the following network, with domain abelafinancial.com only at the moment:
Network Data (Valid for domain abelafinancial.com)
Looking up at the 2 abelafinancial.com. parent servers:

| Server | Result |
|---|---|
| ns2.ethoshosting.com [204.61.222.35] | 204.61.222.34 |
| ns1.ethoshosting.com [204.61.222.34] | 204.61.222.34 |

This time the criminal appears to have opted for a conventional hosting solution with ethoshosting.com. The listed owner of the host IP 204.61.222.34 is Lakota Data Center LLC.

Later: The crook has jumped host once again:
Looking up at the 2 abelafinancial.com. parent servers:

| Server | Response |
|---|---|
| ns2.expertwebhost.net [174.132.89.3] | 174.132.89.2 |
| ns1.expertwebhost.net [174.132.89.2] | 174.132.89.2 |

The listed owner of IP 174.132.89.2 is ThePlanet.com Internet Services, Inc. using the nameservers of expertwebhost.net.

***Latest News*** 11th. June 2009
The above hosting was reported as terminated from the Expertwebhost servers; unfortunately that does not seem to be the case:

Network Data (Valid for domain abelafinancial.com)
How I am searching:

Searching for abelafinancial.com A record at b.root-servers.net [192.228.79.201]: Got referral to A.GTLD-SERVERS.NET. (zone: com.)
Searching for abelafinancial.com A record at A.GTLD-SERVERS.NET. [192.5.6.30]: Got referral to ns1.expertwebhost.net. (zone: abelafinancial.com.)
Searching for abelafinancial.com A record at ns1.expertwebhost.net. [174.132.89.2]: Reports abelafinancial.com. Response:
Domain Type Class TTL Answer
abelafinancial.com. A IN 14400 174.132.89.2
abelafinancial.com. NS IN 86400 ns2.expertwebhost.net.
abelafinancial.com. NS IN 86400 ns1.expertwebhost.net.
ns1.expertwebhost.net. A IN 14400 208.43.100.51
ns2.expertwebhost.net. A IN 14400 208.43.103.100

Looking up at the 2 abelafinancial.com. parent servers:

| Server | Response |
|---|---|
| ns2.expertwebhost.net [174.132.89.3] | 174.132.89.2 |
| ns1.expertwebhost.net [174.132.89.2] | 174.132.89.2 |

Later: The above hosting has now been terminated.
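
The A-record tables logged above can be turned into a simple fast-flux indicator. The following is an added example, not part of the original page or its author's tooling: it measures how widely each answer set is spread across /16 networks and how little of it survives from one observation to the next, and it lists the hosts that recur. The function names and both thresholds are assumptions chosen for illustration; the addresses are the ones recorded in the tables on this page.

```python
import ipaddress
from collections import Counter

# A-record sets copied from this page's DNS tables: (date, nameserver, answers).
FLUX = [
    ("2009-05-06", "ns1.pinkelips.com",
     ["148.228.148.74", "77.41.97.152", "82.10.225.196", "82.13.84.146", "98.246.108.83"]),
    ("2009-05-09", "ns1.pinkelips.com",
     ["148.228.148.74", "190.44.96.69", "61.83.186.115", "83.230.37.23", "85.136.134.87"]),
    ("2009-05-14", "ns1.goldenhost-pepl.com",
     ["189.220.187.231", "200.94.161.7", "208.120.237.132", "83.84.154.219", "98.246.108.83"]),
    ("2009-05-29", "ns1.goldenhost-pepl.com",
     ["148.228.148.74", "201.172.157.243", "211.135.37.105", "77.253.108.254", "80.179.195.144"]),
    ("2009-06-08", "ns1.mybabals.com",
     ["24.132.173.187", "77.111.155.225", "77.253.120.134", "79.172.77.188", "89.174.127.12"]),
]
# The conventional hosting recorded on 10 and 11 June, for contrast.
CONVENTIONAL = [
    ("2009-06-10", "ns1.ethoshosting.com", ["204.61.222.34"]),
    ("2009-06-10", "ns1.expertwebhost.net", ["174.132.89.2"]),
    ("2009-06-11", "ns1.expertwebhost.net", ["174.132.89.2"]),
]


def slash16(ip):
    """Return the /16 containing ip, a coarse stand-in for 'same network'."""
    return ipaddress.ip_network(f"{ip}/16", strict=False)


def flux_report(snapshots, min_records=3, max_carry_over=0.5):
    """Summarise dispersion and turnover of A records across observations.

    min_records and max_carry_over are illustrative thresholds (assumptions).
    """
    seen, all_nets, carry = Counter(), set(), []
    dispersed, previous = True, None
    for _date, _nameserver, answers in snapshots:
        current = set(answers)
        nets = {slash16(ip) for ip in current}
        # A flux set has several answers that sit in unrelated networks.
        if len(current) < min_records or len(nets) < min_records:
            dispersed = False
        # Share of this answer set that was already present last time.
        if previous is not None:
            carry.append(len(current & previous) / len(current))
        seen.update(current)
        all_nets |= nets
        previous = current
    mean_carry = sum(carry) / len(carry) if carry else 1.0
    return {
        "distinct_ips": len(seen),
        "distinct_slash16": len(all_nets),
        "mean_carry_over": mean_carry,
        "recurring_ips": sorted(ip for ip, n in seen.items() if n > 1),
        "looks_fast_flux": dispersed and len(snapshots) > 1
                           and mean_carry <= max_carry_over,
    }


if __name__ == "__main__":
    for label, data in (("flux", FLUX), ("conventional", CONVENTIONAL)):
        print(label, flux_report(data))
```

The recurring addresses are the ones worth reporting to the owning networks first, since they are the hosts seen serving the site on more than one date.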