Adecco Fraud

Adecco stolen website screenshot (14-Feb-2009)
If you've either received an active website link in an Adecco fraud spam, or know of an active domain that is not listed in the domain tables below, then please let us know by reporting it using the 'Report Active Domain' option in the title bar above.

This Adecco criminal fraud website with content stolen from the genuine Adecco website and others as detailed below should not be confused with any other company. The following evidence defines this criminal alone. Please be aware that the above website has been stolen by these criminals from the genuine Adecco company who are innocent victims of this criminal as much as anyone else. They have published a warning of this criminal activity here.

Adecco is the latest fraud from the money laundering department of the well known 'Rockphish/Asprox' phishing criminals. It is the follow-on fraud to the Bullet Motorsports Speedlab (BMS) fraud. The criminal's website is hosted on a standard 'Rockphish' site hosting zombie botnet using the very recently registered initial fraud domain adehum.eu (NameScout Corporation (25-Jan-2009)), the rockphish link being confirmed by passive DNS checks on the zombies. The website template and some content are stolen from the genuine Adecco company, a fact which is self-evident and irrefutable evidence of fraud, as is the fact that the criminal's website is zombie botnet hosted - no legitimate website is hosted on a zombie botnet. The criminals also currently have a regular Yahoo hosted domain, adeccohr.com. N.B. The criminal's domains are constantly being suspended by the registrars and added to - see the tables below for the latest information.

The criminals have changed their tactics with this latest generation of their fraud. Instead of posting a clear money laundering job on their website, they simply have a webform (where they have even managed to spell Adeco (sic) wrongly...) and are spamvertising an invitation to apply for your "next dream job" or whatever, without specifying any details, in an attempt to reduce the evidence against them. Do not be fooled: the clear evidence of a stolen fraudulent website, including the zombie botnet hosting, is irrefutable. These are 'Rockphish' criminal fraudsters and their only aim is to engage you in criminal activity which will certainly cost you a lot of money and could lose you your liberty. A copy of the botnet-distributed spam received is shown below. N.B. - The crooks are also operating an email based scam, spamming Craigslist with bogus job solicitations using gmail response addresses, e.g. adeccorecruitments@gmail.com

Current Zombie Botnet Controller Hosts

Level 3 Communications, Inc./RelyNet Inc. - ns1.bigthework.com [8.12.160.176] - Notified 27-Apr-2009 [Still active 03-May-2009]
Level 3 Communications, Inc./RelyNet Inc. - ns1.dortfoot.com [8.12.160.176] - Notified 27-Apr-2009 [Still active 03-May-2009]


The above table shows the current providers of zombie botnet hosting services to the criminals and how long they have been providing them for. The decent ethical majority of service providers (all credit to them - they are a pleasure to deal with) act promptly when informed of the criminal abuse of their system (the best in less than 1 hour), but there are unfortunately some that, for whatever reason, do not respond, do not act and in some cases clearly do not care. Any hosting company that remains in the above list for more than 48 hours has unfortunately not responded to abuse reports and may possibly be a 'blackhat' or even a criminal controlled host. Please be aware that 'accessory after the fact' complaints against blatantly 'criminal friendly' hosts are usually filed with law enforcement agencies and upstream providers after all contact attempts have failed. It's only fair to the victims.
If you are an abuse team that has taken action, please let me know so that I may remove the above record and update the data.

Adecco: Evidence of Site Theft and Criminal Fraud

N.B. - Check tables and ***Latest News*** items for domain and hosting updates.

i) The Adecco fraud website is hosted on a standard site hosting zombie botnet. No legitimate company would use a zombie botnet to host their website - irrefutable evidence of criminality.

ii) The fake Adecco website is based on a stolen copy of the genuine Adecco website, with additional content in the screenshot above that doesn't appear on the genuine Adecco website, (the section under the heading "A message from the principal"), which has been stolen from the genuine TBN Consulting company. Clear verifiable evidence of site theft, misrepresentation and criminal fraud.

iii) Passive DNS replication checks on the zombies listed below link this fraud to other 'Rockphish' group scams and include numerous phishing links. Details available on request.

iv) The criminal's spam contains forged header information and is zombie botnet distributed.

v) The Spam Content

The Adecco spam headers contain different forged/bogus 'From' & 'Return Path' addresses and forged 'Received' lines, and the spam is distributed by zombie botnet. The subject lines indicate that there is a job opportunity to be had. There is - an illegal job as a money laundering 'mule' or transfer fraud victim, i.e. accepting stolen or counterfeit proceeds into your account and forwarding them on via Western Union or Moneygram for a percentage cut. Needless to say, it is these mules that will feel the full weight of the law while the remote money launderers are safe. The bogus or stolen funds in the mule's account will also be recovered, leaving them with large losses.

This is the content of an actual Adecco scam spam received from a site contact:

From: Adecco Consulting <>
Date: Fri, Feb 13, 2009 at 4:27 PM
Subject: Looking for work?


Adecco Consulting, LLC is a search firm for direct-hire, contract, and freelance professionals within various professions (Advertising, Education, Engineering, Finance, Health care, Information technology, Media, Real estate, Transportation).

Looking for a job?

Registered in Switzerland and managed by a multinational team with expertise in markets spanning the globe, Adecco Consulting Group delivers an unparalleled range of flexible staffing and career resources to both companies and employees.

Through our global network of clients, we can introduce you to a variety of roles in different sectors to help you determine what field is most interesting to you. We can provide you with specialist training and personal development to help prepare you for new experiences. We will offer hottest jobs that match your criteria available in your area!

Please visit our web-site in order to learn about Adecco's current job opportunities and how to apply for them.

http://adehu.com/Looking_for_Work.php

Sign up to receive e-mail alerts from Adecco Consulting! Receive hottest job offers and/or our latest press releases, financial news and research products directly in our inbox!

We work with an impressive selection of clients, which will improve your chances of finding your new role quickly whether that position is a junior or senior role.
The services we offer our candidates are absolutely free.

*************************************


vi) The crooks are also operating an email based scam, spamming Craigslist with bogus job solicitations using gmail response addresses, e.g. adeccorecruitments@gmail.com as follows:

Adecco Human Resources Solutions (Online)
Reply to: adeccorecruitments@gmail.com [Errors when replying to ads?]
Date: 2009-03-08, 4:43AM EDT

Adecco are looking for representatives in your area in the state. The required job is done online and little time is needed. You will receive weekly wages plus attractive commission. Contact us for more details only through this private e-mail adeccorecruitments@gmail.com

# Requirement Age: Must be 19 and Above
# English Speaking

Regards,
Brian Nelson
Recruitment Manager
Adecco Human Resources Solutions
Website: www.adecco.com
   
    * Location: Online
    * Compensation: Minimum Of $200 Daily
    * This is a part-time job.
    * OK to highlight this job opening for persons with disabilities
    * Principals only. Recruiters, please don't contact this job poster.
    * Please, no phone calls about this job!
    * Please do not contact job poster about other services, products or commercial interests.

PostingID: 1065390275

vii) Contact details from the fraudulent website:

Global Headquarters
Adecco management & consulting SA
Sagereistrasse 10, P.O. Box
CH-8152 Glattbrugg / Switzerland

Telephone: +41 44 878 88 99
Fax: +41 44 829 88 99
Email: contact@adehum.eu

• - The address "Sagereistrasse 10, P.O. Box CH-8152 Glattbrugg / Switzerland" is simply the address of the genuine Adecco group headquarters.
• - A Google search for the telephone number "+41 44 878 88 99" returns zero results - if it were a genuine number it would be listed in a variety of sources. It is simply the genuine Adecco contact number of +41 44 878 88 88 with the last two digits changed.

The above irrefutable evidence clearly demonstrates beyond any doubt that the Adecco website has been set up on a zombie botnet using stolen website content for criminal fraud purposes and is directly related to Cronos Investment, Draper Investment, Harvey Investment, Adamant Global, Sydney Car Centre, Waller Truck, Newman, Esmond & Eisenberg, Sun Reef Yachts, Walker & Sons, Bullet Motorsports Speedlab (BMS) and the rest of the Rockphish/Asprox money laundering/phishing criminal fraudsters' aliases documented here. If you are an abuse team that has received an abuse report regarding these fraudsters, please consider immediate termination of their services in view of the absolutely undeniable evidence of site theft, copyright offences, criminal deception and spamming - please don't delay - these criminals will not respond to any communication from you, (all their whois data is false), but will simply take advantage of any attempt at communication as a delaying tactic to allow them time to carry on their criminal activity and prepare their next network.

Do not be misled - these are professional criminals with a long history of fraud as detailed on the General Information page and are the same criminals as the 'Rockphish/Asprox' phishing fraudsters, so if a host or registrar shelters these crooks then they are also sheltering the 'Rockphish/Asprox' phishing fraudsters and aiding and abetting their criminal 'phishing' fraud activities.

Adecco Fraudsters - current hosting details.


Current Main Domains, Hosts and Registrars

Domain - Registrar - Host IP Network/Botnet Nameserver Host - Host IP/Botnet Nameserver IP

Current Zombie Botnet Nameserver Domains and Registrars

Nameserver Domain - Nameserver Domain Registrar - Host IP
bigthework.com - Network Solutions (10-Mar-2009) - 8.12.160.176
dortfoot.com - GANDI SAS (19-Feb-2009) - 8.12.160.176

See table below for a list of all known active & suspended main & nameserver domains used by this criminal.


List of all known domains used by the Adecco Fraudsters 

Criminal Registered Nameserver Domains

Nameserver Domain - Status - Registrar
distructions-sr.net - Parked - Register.com (07-Dec-2009)
builldings-r.net - DNS Looped - IA REGISTRY/Spiritdomains (30-Jan-2009)
sprit-online.com - DNS Looped - GANDI SAS (01-Feb-2009)
spasesport.net - Inactive - IA REGISTRY/Spiritdomains (07-Feb-2009)
dortfoot.com - Active - GANDI SAS (19-Feb-2009)
bigthework.com - Active - Network Solutions (10-Mar-2009)

Please notify me of any domains not listed here.


Notes for Registrars

i) The Adecco criminal uses his own nameserver domains to control his zombie botnets or provide his DNS. By definition there can be no legitimate domains using his dedicated botnet nameservers & his conventional nameserver domains are always very recently registered. This provides an ideal database search option for you to identify and delete all of this criminal's fraud domains without any risk of hurting an innocent domain. The criminal's current botnet nameserver domain(s) are listed in the above table.

ii) The criminal's domains have different false whois registration data.

iii) The criminal will not respond to your challenge but will use the notice to prepare a new network - immediate suspension is requested, please.
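
The database search described in note i), as an added example that is not part of the original page: it reads NS rows in the Domain/Type/Class/TTL/Answer column order used in this page's DNS output and lists every domain delegated to one of the nameserver domains named on this page. The `.example` rows are constructed sample data, and the `all_ns_botnet` flag for mixed delegations is an assumption of this sketch.

```python
from collections import defaultdict

# Nameserver domains named on this page as registered by the criminal.
BOTNET_NS_DOMAINS = frozenset({
    "distructions-sr.net", "builldings-r.net", "sprit-online.com",
    "spasesport.net", "dortfoot.com", "bigthework.com",
})

# Constructed sample rows (not real registrations): Domain Type Class TTL Answer.
SAMPLE_ROWS = """\
shop-one.example. NS IN 86400 NS1.Builldings-R.net.
shop-one.example. NS IN 86400 ns2.builldings-r.net.
shop-two.example. NS IN 86400 ns1.notbuilldings-r.net.
shop-two.example. A IN 1200 192.0.2.10
shop-three.example. NS IN 86400 ns1.registrar-dns.example.
shop-three.example. NS IN 86400 ns1.sprit-online.com.
"""


def normalise(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def botnet_parent(ns_host):
    """Return the listed nameserver domain that ns_host sits under, or None.

    Matching is on a label boundary, so a look-alike such as
    ns1.notbuilldings-r.net does not match builldings-r.net.
    """
    host = normalise(ns_host)
    for parent in BOTNET_NS_DOMAINS:
        if host == parent or host.endswith("." + parent):
            return parent
    return None


def parse_ns_rows(text):
    """Collect the NS set of each domain, ignoring every other record type."""
    delegations = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[1].upper() != "NS":
            continue
        delegations[normalise(fields[0])].add(normalise(fields[4]))
    return dict(delegations)


def sweep(text):
    """Map each domain delegated to a listed nameserver domain to its matching NS hosts."""
    hits = {}
    for domain, nameservers in parse_ns_rows(text).items():
        matched = sorted(ns for ns in nameservers if botnet_parent(ns))
        if matched:
            hits[domain] = {
                "botnet_ns": matched,
                # False means a mixed delegation: hold for manual review.
                "all_ns_botnet": len(matched) == len(nameservers),
            }
    return hits


if __name__ == "__main__":
    for domain, detail in sorted(sweep(SAMPLE_ROWS).items()):
        print(domain, detail)
```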

The Zombie Botnet DNS Data (Valid for domain adehum.eu)

Looking up at the 2 adehum.eu. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.distructions-sr.net [87.239.22.61] 220.125.74.134 76.110.128.82 84.121.126.14 91.89.41.43 98.216.155.50
ns2.distructions-sr.net [195.221.62.11] Timeout - Fake nameserver, (never resolves).

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.distructions-sr.net hosted by Layershift Limited (UK)/WizzVPS on IP 87.239.22.61 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.
***Latest News*** Initial entry 14th. February 2009

Later: The hosting of ns1.distructions-sr.net has been ceased by Layershift Limited (UK)/WizzVPS.

***Latest News*** 15th. February 2009
The criminal is up on a new botnet host - Limestone Networks on IP address 216.245.215.105
The Zombie Botnet DNS Data (Valid for domain adehum.eu)

Looking up at the 2 adehum.eu. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.distructions-sr.net [216.245.215.105] 222.100.134.52 59.6.178.231 88.66.198.97 91.89.108.223 220.125.74.134
ns2.distructions-sr.net [195.221.62.11] Timeout - Fake nameserver, (never resolves).

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.distructions-sr.net hosted by Limestone Networks on IP 216.245.215.105 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.

***Latest News*** 16th. February 2009
The Limestone Networks botnet has been disconnected and the crooks are now up on a new network on the Level 3 Communications, Inc./RelyNet Inc. IP address 8.12.160.172 as follows:
The Zombie Botnet DNS Data (Valid for domain adehum.eu)
Looking up at the 2 adehum.eu. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.distructions-sr.net [8.12.160.172] 201.160.43.154 24.107.201.218 72.253.177.150 75.79.63.156 98.215.11.236
ns2.distructions-sr.net [195.221.62.11] Timeout - Fake nameserver, (never resolves).

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.distructions-sr.net hosted by Level 3 Communications, Inc./RelyNet Inc. on IP 8.12.160.172 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.
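
As an added illustration (not part of the original page), the Python sketch below parses the nameserver rows exactly as tabulated above for adehum.eu on 14, 15 and 16 February 2009 and measures the traits the text describes: a host set that rotates, zombies scattered across unrelated networks, and a second nameserver that never answers. The function names, the /16 grouping, the threshold and the `hosting.example` contrast rows are assumptions of this sketch.

```python
import ipaddress
import re

# Rows as printed in this page's adehum.eu tables for 14, 15 and 16 Feb 2009.
FAKE_NS2 = "ns2.distructions-sr.net [195.221.62.11] Timeout - Fake nameserver, (never resolves)."
BOTNET_SNAPSHOTS = {
    "2009-02-14": [
        "ns1.distructions-sr.net [87.239.22.61] 220.125.74.134 76.110.128.82 "
        "84.121.126.14 91.89.41.43 98.216.155.50",
        FAKE_NS2,
    ],
    "2009-02-15": [
        "ns1.distructions-sr.net [216.245.215.105] 222.100.134.52 59.6.178.231 "
        "88.66.198.97 91.89.108.223 220.125.74.134",
        FAKE_NS2,
    ],
    "2009-02-16": [
        "ns1.distructions-sr.net [8.12.160.172] 201.160.43.154 24.107.201.218 "
        "72.253.177.150 75.79.63.156 98.215.11.236",
        FAKE_NS2,
    ],
}

# Constructed contrast case: a conventionally hosted site on documentation addresses.
ORDINARY_ROWS = [
    "ns1.hosting.example [198.51.100.53] 192.0.2.10 192.0.2.11",
    "ns2.hosting.example [198.51.100.54] 192.0.2.10 192.0.2.11",
]
ORDINARY_SNAPSHOTS = {day: ORDINARY_ROWS for day in BOTNET_SNAPSHOTS}

ROW = re.compile(r"^(\S+)\s+\[([0-9.]+)\]\s+(.*)$")


def parse_row(line):
    """Split one table row into (nameserver, nameserver IP, set of 'A' records)."""
    match = ROW.match(line.strip())
    if match is None:
        raise ValueError(f"unrecognised row: {line!r}")
    answers = set()
    for token in match.group(3).split():
        try:
            answers.add(ipaddress.IPv4Address(token))
        except ValueError:
            answers = set()  # free text such as "Timeout": this server gave no answer
            break
    return match.group(1).lower(), ipaddress.IPv4Address(match.group(2)), frozenset(answers)


def slash16(ip):
    """Coarse stand-in for 'which network is this host on' (assumption: /16 prefix)."""
    return ipaddress.ip_network(f"{ip}/16", strict=False)


def summarise(snapshots):
    """Measure rotation, spread and nameserver behaviour over dated snapshots."""
    ns_ips, a_sets, dead_secondary = set(), [], True
    for day in sorted(snapshots):
        rows = [parse_row(line) for line in snapshots[day]]
        answering = [row for row in rows if row[2]]
        ns_ips.update(ip for _, ip, _ in answering)
        a_sets.append(frozenset().union(*(a for _, _, a in answering)))
        # True only if every snapshot lists a nameserver that returned nothing.
        dead_secondary = dead_secondary and len(answering) < len(rows)
    return {
        "answering_ns_ips": len(ns_ips),
        "distinct_hosts": len(frozenset().union(*a_sets)),
        "largest_set": max(len(s) for s in a_sets),
        "min_networks": min(len({slash16(ip) for ip in s}) for s in a_sets),
        "carried_over": [len(a & b) for a, b in zip(a_sets, a_sets[1:])],
        "dead_secondary": dead_secondary,
    }


def indicators(summary, min_networks=4):
    """Return the 'host by proxy' traits that fired (threshold is an assumption)."""
    fired = []
    if summary["min_networks"] >= min_networks:
        fired.append("hosts scattered across unrelated networks")
    if summary["distinct_hosts"] > summary["largest_set"]:
        fired.append("host set rotates between lookups")
    if summary["dead_secondary"]:
        fired.append("secondary nameserver never answers")
    return fired


if __name__ == "__main__":
    for label, data in (("adehum.eu", BOTNET_SNAPSHOTS), ("ordinary", ORDINARY_SNAPSHOTS)):
        summary = summarise(data)
        print(label, summary, indicators(summary))
```

Over the three days the nameserver itself moves across three hosting providers while only one of the five site hosts carries over, which is why the abuse reports on this page target the nameserver host rather than the individual zombies.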

***Latest News*** 18th. February 2009
No response from the RelyNet abuse team - abuse report copied to Level3 security team. Register.com have parked the nameserver domain distructions-sr.net and the criminals have changed the nameserver domain to builldings-r.net. This is the same nameserver that was latterly used for the Bullet Motorsports Speedlab (BMS) fraud, clearly indicating that this is the follow on 'Rockphish' fraud to that one. New network data:
The Zombie Botnet DNS Data (Valid for domain aducan.eu)
Looking up at the 2 adehum.eu. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.builldings-r.net [8.12.160.172] 220.125.74.134 24.158.230.200 76.226.111.7 82.7.107.242 91.89.108.223
ns2.builldings-r.net [195.21.237.211] Timeout - Fake nameserver, (never resolves).

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.builldings-r.net hosted by Level 3 Communications, Inc./RelyNet Inc. on IP 8.12.160.172 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.

***Latest News*** 19th. February 2009
The DNS for the domain adehum.eu has been looped back to the root servers.

New domain reported by site contact - adeccohr.com registered with INTERNET INVEST, LTD. DBA IMENA.UA (06-Feb-2009) and hosted by Yahoo on IP address 68.180.151.74. They also appear to have registered the domain adeccohr.net, although that is currently parked.

Network Details:
How I am searching:

Searching for adeccohr.com A record at f.root-servers.net [192.5.5.241]: Got referral to B.GTLD-SERVERS.NET. (zone: com.)
Searching for adeccohr.com A record at B.GTLD-SERVERS.NET. [192.33.14.30]: Got referral to yns1.yahoo.com. (zone: adeccohr.com.)
Searching for adeccohr.com A record at yns1.yahoo.com. [98.136.43.32]: Reports adeccohr.com. Response:
Domain Type Class TTL Answer
adeccohr.com. A IN 1200 68.180.151.74
adeccohr.com. NS IN 86400 yns1.yahoo.com.
adeccohr.com. NS IN 86400 yns2.yahoo.com.
adeccohr.com. NS IN 86400 ns9.san.yahoo.com.
adeccohr.com. NS IN 86400 ns8.san.yahoo.com.

Looking up at the 2 adeccohr.com. parent servers:

Server Response
yns2.yahoo.com [66.196.84.168] 68.180.151.74
yns1.yahoo.com [98.136.43.32] 68.180.151.74

The host of this criminal fraudster's domain is Yahoo on IP address 68.180.151.74. Unfortunately, Yahoo's current response to criminal fraud abuse reports is bad enough for them to be listed as a 'blackhat' provider.

***Latest News*** 20th. February 2009
Information from BKBear - new domain aducan.eu registered with NameScout Corporation (19-Jan-2009), hosted on the above RelyNet/Level3 botnet which remains active despite several abuse reports.
Later: The Domains aducan.eu and adeccohr.com have both been suspended by the registrars - please notify me of any domains for this criminal.

***Latest News*** 21st. February 2009
The Zombie Botnet DNS Data (Valid for domains: hadur.eu, ressoh.eu, resum.eu)
Looking up at the 2 adecco.bz. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.builldings-r.net [174.36.56.172] 67.186.121.38 69.234.146.136 71.207.227.245 75.118.162.91 98.246.115.7
ns2.builldings-r.net [195.21.237.211] Timeout - Fake nameserver, (never resolves).

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.builldings-r.net hosted by SoftLayer Technologies Inc./Obtrix.net on IP 174.36.56.172 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.

***Latest News*** 23rd. February 2009
New domain notified by BK Bear - adecco-co.name registered with PublicDomainRegistry.com (21-Feb-2009) and hosted on the above SoftLayer Technologies Inc./Obtrix NET hosted zombie botnet. No action so far from SoftLayer Technologies Inc./Obtrix NET on the botnet nameserver hosting. Also spotted - adecco-co.net, adecco-co.com, adecco-co.eu, adecco.mn, adeccocompany.com

The second botnet these criminals normally use has also come to light:

The Zombie Botnet DNS Data (Valid for domains: adecco-co.eu, adecco.mn, adeccocompany.com)
Looking up at the 2 adecco-co.eu. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.sprit-online.com [67.214.185.157] 208.120.237.132 68.114.3.67 68.42.64.37 70.77.122.139 75.118.162.91
ns2.sprit-online.com [195.109.16.53] Timeout - Fake nameserver, (never resolves).

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.sprit-online.com hosted by Colostore.com/turbovps.com on IP 67.214.185.157 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.

Later: The above botnet was very quickly terminated by turbovps.com - all credit to them, they were a pleasure to deal with, but the crooks are immediately back up with their nameserver on another IP, 67.202.101.47 (Frantech Solutions/NoZone, Inc./Steadfast.net):
The Zombie Botnet DNS Data (Valid for domains: )
Looking up at the 2 adecco-co.eu. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.sprit-online.com [67.202.101.47] 125.139.251.221 68.114.3.67 70.77.122.139 71.199.92.183 75.118.162.91 
ns2.sprit-online.com [195.109.16.53] Timeout - Fake nameserver, (never resolves).

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.sprit-online.com hosted by Frantech Solutions/NoZone, Inc./Steadfast.net on IP 67.202.101.47 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.

***Latest News*** 25th. February 2009
New domain reported by BK Bear - hadur.eu. hosted on the SoftLayer Technologies Inc./Obtrix NET hosted zombie botnet. Not sure what hadur.eu has got to do with Adecco, but it resolves to the crooks website and that's all that matters.
The registrars have been busy - all of the known domains apart from the latest one (hadur.eu) have been suspended. Please notify me of any active domains for this 'Rockphish' criminal.
No action by SoftLayer Technologies Inc./Obtrix NET - they continue to host the botnet nameserver ns1.builldings-r.net [174.36.56.172].

***Latest News*** 26th. February 2009
New domain notified by site contact - ressoh.eu hosted on the above SoftLayer Technologies Inc./Obtrix NET hosted zombie botnet. No response to abuse reports from either Softlayer or Obtrix.net. Not the first time for Softlayer, I'm afraid.
Later: Further domain reported by site contact - resum.eu also hosted on the unresponsive SoftLayer Technologies Inc./Obtrix NET hosted zombie botnet.

***Latest News*** 27th. February 2009
Softlayer Corporate (if01-gw01.dal01.softlayer.com - 66.228.118.67) visited this page at 13:16 GMT today following an email to their legal department, so they are undoubtedly fully aware of this criminal activity they and their customer Obtrix NET are facilitating. Unfortunately they do not respond to abuse reports to their listed abuse address.

Later: New domain notified by site contact: acesou.eu hosted on a second botnet on the same SoftLayer Technologies Inc./Obtrix.net IP address 195.109.16.53. They have both been notified several times to their registered abuse addresses and also to legal@softlayer.com, subsequent to which they were observed to be viewing this page. They have also been notified of the criminal activity by their transit supplier NTT.net. It is clear that Softlayer are fully aware of this criminal activity and by not taking action against it are arguably guilty of aiding and abetting criminal fraud as an accessory after the fact. There is no evidence that they are under any non-discussion clause and I cannot assume that. Second botnet details:
The Zombie Botnet DNS Data (Valid for domain:  acesou.eu)
Looking up at the 2 acesou.eu. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.sprit-online.com [174.36.56.172] 200.79.199.233 208.120.237.132 24.121.54.157 68.119.194.230 75.62.7.172
ns2.sprit-online.com [195.109.16.53] Timeout - Fake nameserver, (never resolves).

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.sprit-online.com hosted by SoftLayer Technologies Inc./Obtrix.net on IP 174.36.56.172 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.

***Latest News*** 27th. February 2009
New domain notified by BK Bear - adecour.eu
Softlayer/Obtrix have presumably eventually taken action against their criminal clients, (first notified 22-Feb-2009), although they are instantly up on a new botnet, so no doubt they had plenty of warning. These criminals would have a much harder life if it wasn't for the help they get from US hosts like Softlayer, FDC Servers & their ilk. New botnet details:

***Latest News*** 28th. February 2009
The Zombie Botnet DNS Data (Valid for domains: )
Looking up at the 2 ressoh.eu. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.builldings-r.net [67.214.139.212] 123.214.182.48 173.30.149.87 221.163.78.230 75.138.113.226 85.138.226.221
ns2.builldings-r.net [84.12.44.1] Timeout - Fake nameserver, (never resolves).

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.builldings-r.net hosted by Invision.com, Inc. on IP 67.214.139.212 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.

The Zombie Botnet DNS Data (Valid for domains: )
Looking up at the 2 acesou.eu. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.sprit-online.com [67.214.139.212] 173.30.149.87 75.138.113.226 85.138.226.221 96.32.132.179 99.141.20.152 
ns2.sprit-online.com [195.109.16.53] Timeout - Fake nameserver, (never resolves).

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.sprit-online.com hosted by Invision.com, Inc. on IP 67.214.139.212 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.

Later: The domain adecour.eu has been suspended by the registrar.

***Latest News*** 2nd. March 2009
Report from BK Bear - new domain acuman.eu hosted on the ns1.sprit-online.com [67.214.139.212] Invision.com, Inc. hosted zombie botnet.

***Latest News*** 3rd. March 2009
Report from BK Bear - new domain huadec.eu hosted on the ns1.builldings-r.net [67.214.139.212] Invision.com, Inc. hosted zombie botnet. Unfortunately both of this criminal's botnets are still active, (first notified 28th. Feb).
Later: New domain notified by BK Bear - ressol.eu registered with PublicDomainRegistry.com and hosted on the ns1.builldings-r.net [67.214.139.212] Invision.com, Inc. hosted zombie botnet.
Later: Directi/PublicDomainRegistry.com have suspended the domains hadur.eu, ressoh.eu, resum.eu, huadec.eu, acesou.eu, acuman.eu and ressol.eu

***Latest News*** 4th. March 2009
New domain notified by site contact: adesour.eu registered with Directi/PublicDomainRegistry and hosted on the botnet below.

The Invision.com, Inc. botnet has been shut down and the criminal's nameservers are now on a new one on IP address 207.126.161.24 (SkipLink, LLC, Atlanta, GA):

The Zombie Botnet DNS Data (Valid for domains: adesour.eu)
Looking up at the 2 adesour.eu. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.sprit-online.com [207.126.161.24] 75.62.4.106 201.160.98.63 68.45.12.57 71.210.196.197 75.34.33.45
ns2.sprit-online.com [195.109.16.53] Timeout - Fake nameserver, (never resolves).

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.sprit-online.com hosted by SkipLink, LLC, (skiplink.net) of Atlanta, GA on IP 207.126.161.24 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.

***Latest News*** 8th. March 2009
New domain notified by site contact - hudans.eu hosted on a new botnet - details:
The Zombie Botnet DNS Data (Valid for domains: hudans.eu)
Looking up at the 2 hudans.eu. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.spasesport.net [216.245.196.38] 12.169.62.190 208.120.237.132 24.136.214.23 75.57.61.6 98.199.233.231
ns2.spasesport.net [155.127.125.26] Timeout - Fake nameserver, (never resolves).

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.spasesport.net hosted by Limestone Networks, Inc. on IP 216.245.196.38 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.

***Latest News*** 9th. March 2009
The domain hudans.eu has been suspended by the registrar.
Later:
New domain notified by site contact - hudaco.eu hosted on a new botnet controlled by ns1.spasesport.net and hosted on IP address 66.96.201.43 (Network Operations Center Inc./Burst.net):
The Zombie Botnet DNS Data (Valid for domains: hudaco.eu, decum.eu)
Looking up at the 2 hudaco.eu parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.spasesport.net [66.96.201.43] 99.180.194.157 68.220.37.205 75.0.152.140 75.134.53.195 75.203.125.253 
ns2.spasesport.net [155.127.125.26] Timeout - Fake nameserver, (never resolves).

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.spasesport.net hosted by Network Operations Center Inc./Burst.net on IP 66.96.201.43 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.
Later: Another fraud domain decum.eu reported by site contact.
Later: The above Hostnoc/burst.net botnet has been shut down and the crooks are up on a new network:

The Zombie Botnet DNS Data (Valid for domains: hudaco.eu, decum.eu)
Looking up at the 2 hudaco.eu parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.spasesport.net [63.223.120.81] 75.134.53.195 208.120.237.132 24.196.2.132 66.138.7.3 68.220.37.205
ns2.spasesport.net [155.127.125.26] Timeout - dummy nameserver, (never resolves).

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.spasesport.net hosted by Beyond The Network America, Inc./Sentris Network LLC on IP 63.223.120.81 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.

***Latest News*** 10th. March 2009
Both domains hudaco.eu, decum.eu have been suspended by the registrar. The root server A record still lists 63.223.120.81 as the record for ns1.spasesport.net so it looks as though the crook hasn't yet moved the above botnet which has been null-routed by Sentris.
New domain notified by BK Bear - ducco.eu hosted on a non-functional botnet controlled by ns1.dortfoot.com which was also on the above null routed Beyond The Network America, Inc./Sentris Network LLC IP 63.223.120.81.
Later: New domains reccoh.eu, reccot.eu, resso.eu discovered. The criminal has the following new botnet:
The Zombie Botnet DNS Data (Valid for domains: )
Looking up at the 2 ducco.eu. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.dortfoot.com [67.228.48.103] 208.120.237.132 24.136.214.23 66.138.7.3 68.119.204.153 93.197.175.194
ns2.dortfoot.com [44.131.151.42] Timeout - dummy nameserver, (never resolves).

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.dortfoot.com hosted by SoftLayer Technologies Inc. on IP 67.228.48.103 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.

***Latest News*** 11th. March 2009
The domains ducco.eu, reccoh.eu, reccot.eu, resso.eu have all been suspended by the registrar. The hosting of the criminal nameservers ns1.dortfoot.com and ns1.spasesport.net is still intact on IP address 67.228.48.103, which doesn't surprise me as SoftLayer Technologies Inc. have a record of failing to respond to abuse reports and of aiding and abetting criminal fraud by knowingly hosting and failing to take action against these criminals, (see above).

***Latest News*** 15th. March 2009
New domain notified by site contact - adechu.eu registered with Directi/PublicDomainRegistry.com, (26-Feb-2009), and hosted on the ns1.spasesport.net controlled botnet hosted on IP address 38.102.48.37.

The Zombie Botnet DNS Data (Valid for domains: hdeco.eu)
Looking up at the 2 adechu.eu. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.spasesport.net [38.102.48.37] 24.121.54.157 68.220.13.169 69.234.146.136 75.118.162.91 98.234.74.152
ns2.spasesport.net [155.127.125.26] Timeout - dummy nameserver, (never resolves).

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.spasesport.net hosted by PSINet, Inc./Cogentco.com on IP 38.102.48.37 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.

Later: The registrar has suspended the domain adechu.eu
Later: New domain reported by site contact - resums.eu registered with Directi/PublicDomainRegistry.com, (26-Feb-2009), and hosted on the above ns1.spasesport.net controlled botnet hosted on IP address 38.102.48.37.
Later: The registrar has suspended the domain resums.eu
Later: New domain notified by site contact - hdeco.eu registered with Directi/PublicDomainRegistry.com, (26-Feb-2009), and hosted on the above ns1.spasesport.net controlled botnet hosted on IP address 38.102.48.37.

***Latest News*** 16th. March 2009
New domain spotted: rehums.eu registered with Directi/PublicDomainRegistry.com, (26-Feb-2009), and hosted on the above ns1.spasesport.net controlled botnet hosted on a new IP address, 174.137.49.186.

The Zombie Botnet DNS Data (Valid for domains: rehums.eu)
Looking up at the 2 rehums.eu parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.spasesport.net [174.137.49.186] 207.23.10.146 208.120.237.132 68.42.64.73 76.122.23.92 98.209.65.175 
ns2.spasesport.net [155.127.125.26] Timeout - dummy nameserver, (never resolves).

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.spasesport.net hosted by Carat Networks Inc on IP 174.137.49.186 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.

***Latest News*** 18th. March 2009
Domain rehums.eu suspended by registrar - new domain notified by BK Bear - asorce.eu - already suspended by the registrar.

***Latest News*** 19th. March 2009
New fraud domains reported by site contacts - humanr.eu and admans.eu, registered with PublicDomainRegistry.com, (13th. March), and hosted on the ns1.dortfoot.com and ns1.spasesport.net controlled botnets respectively, both still hosted by Carat Networks Inc on IP 174.137.49.186 who have not responded to abuse reports. Network details:

The Zombie Botnet DNS Data (Valid for domains: humanr.eu)
Looking up at the 2 humanr.eu. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.dortfoot.com [174.137.49.186] 150.46.96.133 208.120.237.132 76.112.174.28 83.93.18.155 85.136.129.220
ns2.dortfoot.com [44.131.151.42] Timeout - dummy nameserver, (never resolves).

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.dortfoot.com hosted by Carat Networks Inc on IP 174.137.49.186 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.

The Zombie Botnet DNS Data (Valid for domains: admans.eu)
Looking up at the 2 admans.eu. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.spasesport.net [174.137.49.186] 150.46.96.133 208.120.237.132 76.112.174.28 83.93.18.155 85.136.129.220
ns2.spasesport.net [155.127.125.26] Timeout - dummy nameserver, (never resolves).

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.spasesport.net hosted by Carat Networks Inc on IP 174.137.49.186 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.
Later: The domains humanr.eu and admans.eu have been suspended by the registrar

***Latest News*** 25th. March 2009
New domain notified by BK Bear - adeces.net registered with THE REGISTRY AT INFO AVENUE D/B/A IA REGISTRY (Spiritdomains) and currently unusually hosted on two botnets controlled by different nameservers as the network data shows:
The Zombie Botnet DNS Data (Valid for domains: adeces.net)
How I am searching:

Searching for adeces.net A record at l.root-servers.net [199.7.83.42]: Got referral to j.gtld-servers.net. (zone: net.)
Searching for adeces.net A record at j.gtld-servers.net. [192.48.79.30]: Got referral to ns1.bigthework.com. (zone: adeces.net.)
Searching for adeces.net A record at ns1.bigthework.com. [69.162.118.118]: Reports adeces.net. Response:
Domain Type Class TTL Answer
adeces.net. A IN 1800 129.44.186.37
adeces.net. A IN 1800 200.109.36.241
adeces.net. A IN 1800 220.124.158.71
adeces.net. A IN 1800 75.14.23.245
adeces.net. A IN 1800 82.13.84.146
adeces.net. NS IN 1800 ns1.bigthework.com.
adeces.net. NS IN 1800 ns2.dortfoot.com.
adeces.net. NS IN 1800 ns2.bigthework.com.
adeces.net. NS IN 1800 ns1.dortfoot.com.
ns1.dortfoot.com. A IN 1800 69.162.118.118
ns1.bigthework.com. A IN 1800 69.162.118.118
ns2.dortfoot.com. A IN 1800 44.131.151.42
ns2.bigthework.com. A IN 1800 196.21.236.29

DNS Traversal data:
Looking up at the 2 adeces.net. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.dortfoot.com [69.162.118.118] 129.44.186.37 200.109.36.241 220.124.158.71 75.14.23.245 82.13.84.146
ns1.bigthework.com [69.162.118.118] 129.44.186.37 200.109.36.241 220.124.158.71 75.14.23.245 82.13.84.146

The data shows dual 5-IP site hosting zombie botnets where the criminal owned nameservers ns1.dortfoot.com and ns1.bigthework.com hosted by Limestone Networks, Inc. on IP 69.162.118.118 are acting as zombie botnet controllers 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting.
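The traits read off the answer table above can be checked mechanically. The following is an added example, not part of the original page: it parses records in the page's "Domain Type Class TTL Answer" layout and flags several scattered 'A' records, nameservers that share one controller IP, and 'A' record rotation between two lookups. The domain names, addresses and thresholds are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample lookups in the page's answer-table layout. Names use the
# reserved .example TLD and addresses come from reserved/private ranges.
SNAPSHOT_1 = """\
Domain Type Class TTL Answer
jobsite.example. A IN 1800 10.11.1.5
jobsite.example. A IN 1800 172.16.40.9
jobsite.example. A IN 1800 192.168.7.3
jobsite.example. A IN 1800 192.0.2.10
jobsite.example. A IN 1800 198.51.100.20
jobsite.example. NS IN 1800 ns1.ctrl-a.example.
jobsite.example. NS IN 1800 ns2.ctrl-a.example.
jobsite.example. NS IN 1800 ns1.ctrl-b.example.
ns1.ctrl-a.example. A IN 1800 203.0.113.7
ns1.ctrl-b.example. A IN 1800 203.0.113.7
ns2.ctrl-a.example. A IN 1800 10.250.0.1
"""
# A later lookup of the same constructed domain: three of five hosts replaced.
SNAPSHOT_2 = """\
Domain Type Class TTL Answer
jobsite.example. A IN 1800 192.168.7.3
jobsite.example. A IN 1800 198.51.100.20
jobsite.example. A IN 1800 10.99.3.4
jobsite.example. A IN 1800 172.31.8.8
jobsite.example. A IN 1800 100.64.12.1
jobsite.example. NS IN 1800 ns1.ctrl-a.example.
jobsite.example. NS IN 1800 ns1.ctrl-b.example.
ns1.ctrl-a.example. A IN 1800 203.0.113.7
ns1.ctrl-b.example. A IN 1800 203.0.113.7
"""


def parse_records(text):
    """Return (name, type, ttl, answer) tuples; skip the header and malformed rows."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "IN" or not parts[3].isdigit():
            continue
        name, rtype, _cls, ttl, answer = parts
        if rtype == "A":
            try:
                ipaddress.IPv4Address(answer)
            except ValueError:
                continue  # not a usable IPv4 address
        records.append((name.lower().rstrip("."), rtype, int(ttl),
                        answer.lower().rstrip(".")))
    return records


def profile(domain, records):
    """Collect the site host IPs and group the domain's nameservers by glue IP."""
    domain = domain.lower().rstrip(".")
    site_ips = {a for n, t, _, a in records if t == "A" and n == domain}
    nameservers = {a for n, t, _, a in records if t == "NS" and n == domain}
    by_ip = defaultdict(set)
    for n, t, _, a in records:
        if t == "A" and n in nameservers:
            by_ip[a].add(n)
    # Differently named nameservers on one IP are a single controller.
    shared = {ip: sorted(ns) for ip, ns in by_ip.items() if len(ns) > 1}
    networks = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in site_ips}
    return {"site_ips": site_ips, "nameservers": nameservers,
            "shared_controllers": shared, "networks": len(networks)}


def churn(old_ips, new_ips):
    """Share of the combined address set not seen in both lookups (0.0 = identical)."""
    union = old_ips | new_ips
    return 0.0 if not union else 1 - len(old_ips & new_ips) / len(union)


def indicators(prof, previous=None, min_ips=5, min_networks=4, min_churn=0.5):
    """Name the traits present; the thresholds are assumptions, tune them to your data."""
    found = []
    if len(prof["site_ips"]) >= min_ips and prof["networks"] >= min_networks:
        found.append("many-scattered-a-records")
    if prof["shared_controllers"]:
        found.append("nameservers-share-one-ip")
    if previous is not None and churn(previous["site_ips"], prof["site_ips"]) >= min_churn:
        found.append("a-record-rotation")
    return found


if __name__ == "__main__":
    first = profile("jobsite.example", parse_records(SNAPSHOT_1))
    second = profile("jobsite.example", parse_records(SNAPSHOT_2))
    print(indicators(first), indicators(second, previous=first))
```

No single trait is conclusive on its own, since legitimate load-balanced sites also publish several 'A' records; the combination is what matches the hosting pattern documented here.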
Later - very quick response from Limestone Networks - hosting nulled.
Later - The criminal's domain adeces.net has already been suspended. Two new domains passed to me via a site contact - husour.com and adolut.com both hosted on the ns1.dortfoot.com controlled botnet which is now hosted by Limestone Networks, Inc. again on IP address 216.245.197.69

The Zombie Botnet DNS Data (Valid for domains: husour.com, adolut.com)
Looking up at the 2 adolut.com. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.dortfoot.com [216.245.197.69] 220.124.158.71 75.118.162.91 89.46.59.20 200.109.36.241 213.91.227.80 
ns2.dortfoot.com [44.131.151.42] Timeout - dummy nameserver, (never resolves).

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.dortfoot.com hosted by Limestone Networks, Inc. on IP 216.245.197.69 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.
***Latest News*** 26th. March 2009
Limestone Networks have shut down the criminal's botnet and he has now moved to the FDC Servers IP 76.73.12.11. Unfortunately, FDC Servers have previously not responded to abuse reports of this 'Rockphish' criminal activity. Let's see what happens this time.

The Zombie Botnet DNS Data (Valid for domains: adolut.org, husour.net)
Looking up at the 2 adolut.org. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.dortfoot.com [76.73.12.11] 122.111.56.235 77.41.90.255 88.6.202.26 91.89.110.91 92.237.25.216
ns2.dortfoot.com [44.131.151.42] Timeout - dummy nameserver, (never resolves).

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.dortfoot.com hosted by FDCservers.net of Chicago on IP 76.73.12.11 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.
Later: No response or action from FDC Servers as per usual, but IARegistry(SpiritDomains) have suspended the domains husour.com and adolut.com.

***Latest News*** 27th. March 2009
New domains: adolut.org, (notified by BK Bear) and husour.net (derived), both registered with IARegistry(SpiritDomains) and both hosted on the above botnet hosted by the unresponsive service provider FDCservers.net of Chicago on IP 76.73.12.11 who also hosted this crook's previous incarnation's (Bullet Motorsports Speedlab (BMS)) botnets for a long period of time without responding to abuse reports.
Later: This time around FDC Servers, although they haven't responded, appear to have taken action against the criminal's botnet.
Later: New domain reported by BK Bear - hudeco.net registered with IARegistry(SpiritDomains) and hosted on the ns1.dortfoot.com nameserver.

***Latest News*** 8th. April 2009

New domain notified by BKBear - huadr.org registered with The Registry at Info Avenue dba IA REGISTRY(Spiritdomains) (21-Mar-2009) and hosted on the 'twin botnet' system as follows:
The Zombie Botnet DNS Data (Valid for domains: huadr.org, hamades.com, arucco.com)
How I am searching:

Searching for huadr.org A record at c.root-servers.net [192.33.4.12]: Got referral to D0.ORG.AFILIAS-NST.org. (zone: org.)
Searching for huadr.org A record at D0.ORG.AFILIAS-NST.org. [199.19.57.1]: Got referral to ns1.bigthework.com. (zone: huadr.org.)
Searching for huadr.org A record at ns1.bigthework.com. [74.63.221.181]: Reports huadr.org. Response:
Domain Type Class TTL Answer
huadr.org. A IN 1800 221.126.238.216
huadr.org. A IN 1800 79.175.208.140
huadr.org. A IN 1800 81.84.73.235
huadr.org. A IN 1800 93.80.43.52
huadr.org. A IN 1800 124.66.240.30
huadr.org. NS IN 1800 ns1.dortfoot.com.
huadr.org. NS IN 1800 ns1.bigthework.com.
huadr.org. NS IN 1800 ns2.dortfoot.com.
huadr.org. NS IN 1800 ns2.bigthework.com.
ns1.dortfoot.com. A IN 1800 74.63.221.181
ns1.bigthework.com. A IN 1800 74.63.221.181
ns2.dortfoot.com. A IN 1800 44.131.151.42
ns2.bigthework.com. A IN 1800 196.21.236.29

Looking up at the 2 huadr.org. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.dortfoot.com [74.63.221.181] 124.66.240.30 221.126.238.216 79.175.208.140 81.84.73.235 93.80.43.52
ns1.bigthework.com [74.63.221.181] 124.66.240.30 221.126.238.216 79.175.208.140 81.84.73.235 93.80.43.52

The data shows dual 5-IP site hosting zombie botnets where the criminal owned nameservers ns1.dortfoot.com and ns1.bigthework.com hosted by Limestone Networks, Inc. on IP 74.63.221.181 are acting as zombie botnet controllers 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting.
Later - new domain notified by site contact - hamades.com registered with a new, (for them) registrar, INTERDOMAIN, S.A. (27-Mar-2009) and hosted on the above 'twin botnet' system.
Later - New domain notified by site contact - arucco.com registered with the registrar, INTERDOMAIN, S.A. (27-Mar-2009) and also hosted on the above 'twin botnet' system.
Later - The criminal's hosting has been ceased by Limestone Networks, Inc.
Later - The criminal is back up on a new botnet hosted by Fortress ITX on IP address 69.72.243.17
The Zombie Botnet DNS Data (Valid for domains: huadr.org, hamades.com, arucco.com)
  Looking up at the 2 huadr.org. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.dortfoot.com [69.72.243.17] 217.216.90.188 82.10.225.196 84.21.24.12 84.125.47.12 85.136.100.15
ns1.bigthework.com [69.72.243.17] 217.216.90.188 82.10.225.196 84.21.24.12 84.125.47.12 85.136.100.15

The data shows dual 5-IP site hosting zombie botnets where the criminal owned nameservers ns1.dortfoot.com and ns1.bigthework.com hosted by Fortress ITX/Pegasus Web Technologies on IP 69.72.243.17 are acting as zombie botnet controllers 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting.

Later - The criminal's hosting has been ceased by HostChum Solutions and the criminal is up on a new botnet host:

The Zombie Botnet DNS Data (Valid for domains: huadr.org, hamades.com, arucco.com, acohr.org, acohr.net, ahurs.com, ahucco.com, adehs.com)
  Looking up at the 2 huadr.org. parent servers:

Zombie Botnet Nameservers Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.dortfoot.com [64.191.53.8] 91.122.124.230 201.160.189.30 79.79.45.152 84.21.24.12 85.136.100.15
ns1.bigthework.com [64.191.53.8] 91.122.124.230 201.160.189.30 79.79.45.152 84.21.24.12 85.136.100.15

The data shows dual 5-IP site hosting zombie botnets where the criminal owned nameservers ns1.dortfoot.com and ns1.bigthework.com hosted by Hostnoc/Burst.net on IP 64.191.53.8 are acting as zombie botnet controllers 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting.

***Latest News*** 9th. April 2009
This criminal seems to have got the bit between his teeth once again - more domains reported by site contacts - acohr.org, acohr.net, ahurs.com and ahucco.com all hosted on the above dual botnet hosted by Hostnoc/Burst.net. Unfortunately Hostnoc/Burst.net are not quick enough at disconnecting this criminal's hosting so they appear fairly frequently in these pages and no doubt will continue to do so until they improve their response time.
Later:
New domain reported by site contact - adehs.com registered with The Registry at Info Avenue dba IA REGISTRY(Spiritdomains) (21-Mar-2009) and hosted on the above 'twin botnet' system

***Latest News*** 10th. April 2009
No action taken by the registrars, but the above botnet has been disconnected and the criminal is back up with his twin botnet on a new host as follows:
The Zombie Botnet DNS Data (Valid for domains: adehu.com)
Looking up at the 2 adehu.com. parent servers:

Zombie Botnet Nameservers Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.dortfoot.com [204.124.181.67] 190.191.128.106 71.192.183.218 72.12.175.90 76.78.215.121 96.32.136.105
ns1.bigthework.com [204.124.181.67] 190.191.128.106 71.192.183.218 72.12.175.90 76.78.215.121 96.32.136.105

The data shows dual 5-IP site hosting zombie botnets where the criminal owned nameservers ns1.dortfoot.com and ns1.bigthework.com hosted by VolumeDrive of Clark's Summit, PA on IP 204.124.181.67 are acting as zombie botnet controllers 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting.

***Latest News*** 14th. April 2009
New domain reported by BK Bear - adehu.com registered with the registrar INTERDOMAIN, S.A. (27-Mar-2009) and hosted on the above botnet.
VolumeDrive of Clark's Summit, PA do not respond to reports of criminal activity and continue to provide hosting services for these criminals. Fortunately the registrars are finally taking action and adehu.com is the only known active domain at present.

***Latest News*** 16th. April 2009
New domains reported by BK Bear - admude.com, adhude.com
VolumeDrive have finally disconnected the above criminal's dual botnet.

***Latest News*** 17th. April 2009
New domain reported by BK Bear - adecman.com registered with INTERDOMAIN, S.A. (27-Mar-2009) and hosted on the above dual botnet now hosted on the IP 67.220.208.218 (WebNX.com) as follows:
The Zombie Botnet DNS Data (Valid for domains: adehu.com, adecman.com, readec.com)
Looking up at the 2 adecman.com. parent servers:

Zombie Botnet Nameservers Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.dortfoot.com [67.220.208.218] 147.96.32.146 61.46.112.127 81.203.87.207 86.15.224.146 94.26.40.78
ns1.bigthework.com [67.220.208.218] 147.96.32.146 61.46.112.127 81.203.87.207 86.15.224.146 94.26.40.78

The data shows dual 5-IP site hosting zombie botnets where the criminal owned nameservers ns1.dortfoot.com and ns1.bigthework.com hosted by WebNX (AS18450) of Los Angeles, CA on IP 67.220.208.218 are acting as zombie botnet controllers 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting.
Later - further fraud domain notified by BK Bear - readec.com


***Latest News*** 20th. April 2009
The domains admude.com, adhude.com have been suspended - all the other domains and the zombie botnet hosting by WebNX (AS18450) of Los Angeles, CA on IP 67.220.208.218 remain active.
Later: WebNX/elitedatahosting.com have disconnected the criminal's VPS on IP 67.220.208.218

***Latest News*** 21st. April 2009
The criminal is back up on a new botnet:
The Zombie Botnet DNS Data (Valid for domains: adehu.com, adecman.com, readec.com, readecs.com)
Looking up at the 2 adehu.com. parent servers:

Zombie Botnet Nameservers Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.dortfoot.com [91.199.50.78] 75.19.36.80 75.200.20.206 82.10.225.196 86.15.224.146 91.123.159.112
ns1.bigthework.com [91.199.50.78] 75.19.36.80 75.200.20.206 82.10.225.196 86.15.224.146 91.123.159.112

The data shows dual 5-IP site hosting zombie botnets where the criminal owned nameservers ns1.dortfoot.com and ns1.bigthework.com hosted by Netrouting Data Facilities/Grafix.nl on IP 91.199.50.78 are acting as zombie botnet controllers 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting.

***Latest News*** 25th. April 2009
No action from either Netrouting.eu or Grafix.nl who have received the abuse report as I have received an auto-response from them from the address beheer@grafix.nl.
New domains notified from site contact: dumah.eu (inactive) and readecs.com, (active)

***Latest News*** 27th. April 2009
Netrouting have now disconnected the criminal's botnet and the data showed an almost instantaneous changeover of the criminal's botnet to a new Level 3 Communications, Inc./RelyNet Inc. IP (8.12.160.176):
The Zombie Botnet DNS Data (Valid for domains: adehu.com, adecman.com, readec.com, readecs.com)
Looking up at the 2 adehu.com. parent servers:

Zombie Botnet Nameservers Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.dortfoot.com [8.12.160.176] 124.66.240.44 221.127.241.126 79.172.83.81 82.176.183.9 82.32.28.246
ns1.bigthework.com [8.12.160.176] 124.66.240.44 221.127.241.126 79.172.83.81 82.176.183.9 82.32.28.246

The data shows dual 5-IP site hosting zombie botnets where the criminal owned nameservers ns1.dortfoot.com and ns1.bigthework.com hosted by Level 3 Communications, Inc./RelyNet Inc. on IP 8.12.160.176 are acting as zombie botnet controllers 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting.

***Latest News*** 3rd. May 2009

This 'Rockphish' criminal appears to have abandoned this fraud and has converted the Global Shipping Agency scam to replace it, (new documentation under Global Shipping Agency Ltd. - initial domain is adems.eu). Level 3 Communications, Inc./RelyNet Inc. have taken no action against the zombie botnet nameservers ns1.dortfoot.com [8.12.160.176] and ns1.bigthework.com [8.12.160.176] which are hosting the dual botnet which is hosting the new fraud website http://adems.eu/. Gandi SAS and Network Solutions have taken no action against the nameserver domains dortfoot.com and bigthework.com.


***Please notify me of any unlisted active domains for this criminal that you receive in spam***