Analytics Fraud

Analytics scam website screenshot (30-May-2009)

This Analytics criminal fraud website should not be confused with any other company of the same or similar name. The above screenshot and the following evidence define this criminal alone.

If you've either received an active website link in an Analytics fraud spam, or know of an active domain and it is not listed in the domain tables below, then please let us know by reporting it using the 'Report Active Domain' option in the title bar above.

Analytics is the latest fraud from the money laundering department of the well-known 'Rockphish/Asprox' phishing criminals.
The criminals' website is hosted on a standard 'Rockphish' 'Fastflux' site hosting zombie botnet using the recently registered initial fraud domain directpotential.com (BIZCN.COM, INC. (08-Apr-2009)), which is irrefutable evidence of fraud - no legitimate website is hosted on a zombie botnet. The purpose of the website is to lend an air of legitimacy to a spam campaign intended to recruit money laundering mules, and to that end they are also advertising a clear money mule position under the Careers tab on their website. Despite their website claims that "Analytics, was founded in 2002" and "has been the backbone of many international and local financial operations", they have no Google internet presence whatsoever (do not confuse them with any other company of the same name). They are using a common virtual office/accommodation address in London (29 Harley Street), as was used by the Alliance Global Ltd scammers. This scam is just the Trend Analytics scam with the 'Trend' removed from the name - clear evidence of fraud.

Current Zombie Botnet Controller Hosts




The above table shows the current providers of zombie botnet hosting services to the criminals and how long they have been providing them for. The decent ethical majority of service providers (all credit to them - they are a pleasure to work with) act promptly when informed of the criminal abuse of their system (the best in less than 1 hour), but there are unfortunately some that, for whatever reason, do not respond, do not act and in some cases clearly do not care. Any hosting company that remains in the above list for more than 48 hours has unfortunately not responded to abuse reports and may possibly be a 'blackhat' or even a criminal controlled host. N.B. - To ignore reports of criminal activity is an offence under US law codes[¹], UK law and undoubtedly also under other countries' legal provisions and may result in a law enforcement complaint being filed.
[¹] U.S. Code collection:
§ 1956. Laundering of monetary instruments
§ 3. Accessory after the fact

If you are an abuse team that has taken action, please let me know so that I may remove the above record and update the data.

Analytics: Evidence of Site Theft and Criminal Fraud

Check tables and ***Latest News*** items for domain and hosting updates.

i) The Analytics fraud website is hosted on a standard 'Rockphish' site hosting zombie botnet. No legitimate company would use a zombie botnet to host their website - irrefutable evidence of criminality.

ii) Passive DNS replication data checks on the zombies listed in the table below link this fraud to other 'Rockphish' group scams and include numerous phishing links - irrefutable evidence of criminal fraud.

iii) These criminals claim to have been in business since 2002, but their initial domain directpotential.com was only registered with BIZCN.COM, INC. on 08-Apr-2009 for the usual criminal's domain minimum period of one year - a clear indication of a fraudulent domain.

iv) Despite their claim of having been in business since 2002 and this sort of grandiose 'Runglish' claim on their 'About Us' page: "We are world-widely recognized financial management company with operating headquarters in the London, United Kingdom", (note THE London, by the way - it's a common grammatical error these Russian scammers make), they have no Google presence whatsoever, (not even their own clearly very new fake website is returning any hits in the first ten Google pages as I write this). Not to be confused with any other company of the same name.

v) The criminals claim to be involved in Investment Management, Loans and Accounting, but a webcheck shows that they are not registered with the UK regulatory body in the finance field, the FSA, (Financial Services Authority), which they would have to be to be able to legally trade in the financial sector in the UK. Clear & absolutely irrefutable evidence of fraud. Check for yourself.

vi) There is no company by the name of 'Analytics' registered with the UK Companies House at the registered 'virtual office' address of 29 Harley Street, London, W1G 9QR - check for yourself.

vii) The Website money mule job:

Career Opportunities

Are you in search for some extra work? Or maybe you need a full-time job. Wherever and whoever you are, if you think that you may be of some value to us – get in touch, because we value every chance finding new employees from all around the world. Analytics knows no boundaries when it comes to employment. Work from the comfort of home or from your office, full-time or part-time. There are no strict requirements or guidelines to get a job with us, simply send in your resume and a cover letter and we'll get in touch with you as soon as possible.

Thank you for your interest to our current openings.

Regional Manager

    * Position Type: Permanent (work from home).
    * Operating hours: between 9:00 AM to 1:00 PM weekdays. Variable overtime is also required. NO evening/weekend work allowed.
    * Occupation Type: Part-time (1-5 hours a day occupation).
    * Salary: $30 per hour + a bonus per processed transaction.

Job Requirements

The job nature is a payment processing between our customers (sellers and buyers). You will be receiving daily tasks from your Personal Manager by e-mail. Each task will include detailed instruction on how to process current payment(s), and to be accomplished the same day within working hours (9-1). You should have ability to check your e-mail in mornings and several times/day, and respond to requests from your Manager promptly. We do not require any investments from our applicants. You must be reachable with your contact phone also. The position does NOT involve sales.

How to Get Started

Send us your resume and one of our HR Managers will contact you.


You do not get a clearer example of the illegal money laundering mule position than that. The job consists of accepting transferred stolen funds into your private bank account, deducting 10% and forwarding the balance on to these criminals via Western Union. The problem is that the funds are transferred from a victim's 'phished' account without his knowledge, and once he discovers that they are missing, he will inform his bank, who will recover the funds from your bank, leaving you out of pocket by the amount you have sent to the crooks. Not only that, but you will have to answer some very awkward questions about why you are involved in criminal activity - don't be tempted.

viii) Fake contact details from the fraudulent website:

Headquarters:

29 Harley Street,
London, W1G 9QR

Tel: +44 (0) 20 3287 4835
Fax: +44 (0) 20 3287 4835

• A Google search for "29 Harley Street, London" clearly shows that this is an accommodation address (and a virtual office service), and a well used one at that.
• Notice the common 'phone and fax number - it is the usual 'virtual office' rented voicemail number that these crooks use, which just defaults to the message: "The person you are trying to reach is not available, please leave a message after the following beep" in the same voice that answers all these fake phone numbers.
• A Google search for the telephone number +44 (0) 20 3287 4835 returns no results; if it were the real number of a genuine company that has been trading for seven years it would be listed - it is not.

ix) The Spam

Careerbuilder
Message
 
Analytics position (30 hourly)  
Hello xxxxxx,
Thank you for your interest to our current openings.
Thereby we confirm that your expertise and abilities conform to our requirements for Customer Service Specialist post.

Position Type: Permanent (work from home).
Working hours: between 9:00 AM to 1:00 PM weekdays. Alternating overtime is also required. NO evening / weekend work allowed.
Occupation: Part-time (one-five hr. a day required).
Salary: 30 usd per hour + a bonus per processed transaction.

Vacancy Requirements

We do not demand any initial payments from our candidates. The job basis is a payment transferring from our customers (independent investors). You will be getting daily tasks from your Personal Manager by email. Every task will include accurate directions on how to process current transaction(s), and has to be finished the same day within working hours 9 AM - 1 PM. You should have ability to check your email 9:00 AM and few times /day, and react to inquiries from your Manager duly. You should be available with your daily phone either. The job does NOT include sales.

How to Get Started

To advance with this career we recommend to adhere to the following procedure:
1. Acquaint with our website http://tripplecapital.com
2. Get Employment Agreement and the Application Form (MS Word files attached to this email).
3. Look through both papers carefully and fill them out in typing, then print them and sign, and submit with current letter REPLY or fax them.

IMPORTANT NOTICE: By signing the Agreement and the Application you consent to our terms and privacy policy rules. Analytics takes obligation to not share your personal data with third parties in any circumstances.

As soon as we receive duly filled documents, we will provide you shortly with all required points and further instructions.

Important: We use the VoIP calls to contact you, so the CallerID will be invalid or absent. Please don't overlook our calls.

Do not hesitate contacting your manager to eliminate any difficulties or if you have inquiries. Our support and a training course are always available.

Sincerely,

Robert Burch,
Human Resources Manager,
Analytics.
(516) 209-3788 (11 AM - 5 PM Eastern Time)


The above irrefutable evidence clearly demonstrates beyond any doubt that the Analytics website has been set up on a zombie botnet for criminal fraud purposes and is directly related to Cronos Investment, Draper Investment, Harvey Investment, Adamant Global, Sydney Car Centre, Waller Truck, Newman, Esmond & Eisenberg, Sun Reef Yachts, Walker & Sons, Bullet Motorsports Speedlab (BMS), Adecco and the rest of the Rockphish/Asprox money laundering/phishing criminal fraudsters' aliases documented here. If you are an abuse team that has received an abuse report regarding these fraudsters, please consider immediate termination of their services in view of the absolutely undeniable evidence of criminal activity - please don't delay - these criminals will not respond to any communication from you, (all their whois data is false), but will simply take advantage of any attempt at communication as a delaying tactic to allow them time to carry on their criminal activity and prepare their next network.

Do not be misled - these are professional criminals with a long history of fraud as detailed on the General Information page and are the same criminals as the 'Rockphish/Asprox' phishing fraudsters, so if a host or registrar shelters these crooks then they are also sheltering the 'Rockphish/Asprox' phishing fraudsters and aiding and abetting their criminal 'phishing' fraud activities. N.B. - To ignore reports of criminal activity is an offence under US law codes, UK law and undoubtedly also under other countries' legal provisions.

Analytics Fraudsters - current hosting details.


Current Main Domains, Hosts and Registrars

Domain | Registrar | Host IP Network / Botnet Nameserver Host | Host IP / Botnet Nameserver IP
angleprospective.com | BIZCN.COM, INC. (14-Apr-2009) | |
angleprotective.com | BIZCN.COM, INC. (14-Apr-2009) | |



Current Zombie Botnet Nameserver Domains and Registrars

Nameserver Domain | Nameserver Domain Registrar | Host IP



See table below for a list of all known active & suspended main & nameserver domains used by this criminal.


List of all known domains used by the Analytics Fraudsters

Domain | Status | Registrar
directpotential.com | Disabled | BIZCN.COM, INC. (08-Apr-2009)
tdlifetrust.com | Disabled | BIZCN.COM, INC. (07-Apr-2009)
targettrust.net | Disabled | BIZCN.COM, INC. (08-Apr-2009)
tripplecapital.com | Suspended | BIZCN.COM, INC. (14-Apr-2009)
angleprospective.com | Disabled | BIZCN.COM, INC. (14-Apr-2009)
angleprotective.com | Suspended | BIZCN.COM, INC. (14-Apr-2009)

Criminal Registered Nameserver Domains

Nameserver Domain | Status | Registrar
online-groups.net | Parked | REGISTER.COM, INC. (25-Mar-2009)
find-buggersite.com | Suspended | GANDI SAS (07-May-2009)
hotsmedical.net | Suspended | Network Solutions (03-Jun-2009)

Please notify me of any domains not listed here.


Notes for Registrars

i) The  Analytics criminal uses his own nameserver domains to control his zombie botnets & provide his DNS. By definition there can be no legitimate domains using his dedicated botnet nameservers. This provides an ideal database search option for you to identify and delete all of this criminal's fraud domains without any risk of hurting an innocent domain. The criminal's current botnet nameserver domain(s) are listed in the above table.

ii) The criminal will not respond to your challenge but will use the notice to prepare a new network - immediate suspension without warning is essential.
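
The database search described in note i), sketched as an added example (not part of the original report or any registrar's tooling). The delegation export format, the function names and the `.example` rows are assumptions; the three nameserver domains and their pairing with the fraud domains come from the tables on this page.

```python
# Nameserver domains from the report's table of criminal-registered
# nameserver domains.
BOTNET_NS_DOMAINS = frozenset(
    {"online-groups.net", "find-buggersite.com", "hotsmedical.net"}
)


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")


def under_botnet_ns(ns_host, bad_domains=BOTNET_NS_DOMAINS):
    """True if ns_host is a listed domain or a host beneath it.

    Matching is on whole labels, so 'ns1.online-groups.net' matches while
    'ns1.notonline-groups.net' and 'online-groups.net.example.org' do not.
    """
    host = normalize(ns_host)
    return any(host == d or host.endswith("." + d) for d in bad_domains)


def classify(delegations, bad_domains=BOTNET_NS_DOMAINS):
    """Return (suspend, review) lists of domain names.

    delegations: dict of domain -> list of NS hostnames (hypothetical export
    from a registrar database).
    suspend: every nameserver sits under a listed botnet nameserver domain.
    review:  only some do, so a person should look before acting.
    """
    suspend, review = [], []
    for domain, ns_hosts in delegations.items():
        hits = [under_botnet_ns(ns, bad_domains) for ns in ns_hosts]
        if hits and all(hits):
            suspend.append(normalize(domain))
        elif any(hits):
            review.append(normalize(domain))
    return sorted(suspend), sorted(review)


# Constructed sample export: the first three pairings are the ones reported
# on this page, the '.example' rows are invented edge cases.
SAMPLE = {
    "directpotential.com": ["ns1.online-groups.net", "ns2.online-groups.net"],
    "TrippleCapital.com.": ["NS1.find-buggersite.com.", "ns2.find-buggersite.com"],
    "angleprospective.com": ["ns1.hotsmedical.net", "ns2.hotsmedical.net"],
    "lookalike.example": ["ns1.notonline-groups.net"],
    "suffix-trick.example": ["online-groups.net.example.org"],
    "mixed.example": ["ns1.hotsmedical.net", "ns1.example.org"],
    "unrelated.example": ["ns1.example.org", "ns2.example.org"],
}

if __name__ == "__main__":
    print(classify(SAMPLE))
```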

The Zombie Botnet DNS Data (Valid for domains directpotential.com, tdlifetrust.com, targettrust.net)

Looking up at the 2 directpotential.com. parent servers:

Zombie Botnet Nameserver | Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.online-groups.net [74.81.90.74] | 148.228.148.74 66.25.43.209 67.230.47.228 83.20.53.206 87.205.197.32
ns2.online-groups.net [21.214.23.151] | Timeout - Dummy nameserver, (never resolves).

The data shows a 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.online-groups.net hosted by Global Net Access, LLC on IP 74.81.90.74 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting. This is the same botnet host for the Trend Analytics scam and there was no response or action from Global Net Access, LLC to the reported abuse (19-May-2009).

***Latest News*** Initial entry 30th. May 2009

***Latest News*** 2nd. Jun 2009
Still no response from gnax.net to abuse reports first sent 19-May-2009 and no response from Level3 to a request for intervention. These criminals unfortunately seem to have a 'bombproof' host in gnax.net and there is no response from Bizcn.com to abuse reports either.
New domain notified by Frank Bear - welcome back, Frank - targettrust.net hosted on the above Global Net Access botnet as are all the others.

***Latest News*** 3rd. Jun 2009
News from Frank Bear - the criminal's nameserver domain online-groups.net has been parked by the registrar and none of the criminal's domains are currently resolving - please notify me of any active domains for this criminal.

***Latest News*** 4th. Jun 2009
New domain notified by site contact - tripplecapital.com hosted on the following botnet:
The Zombie Botnet DNS Data (Valid for domain tripplecapital.com)
Looking up at the 2 tripplecapital.com. parent servers:

Zombie Botnet Nameserver | Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.find-buggersite.com [208.85.6.39] | 209.173.76.154 69.248.87.164 77.125.135.130 85.224.249.147 93.80.105.15
ns2.find-buggersite.com [64.23.245.111] | Timeout - Dummy nameserver, (never resolves).

The data shows a 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.find-buggersite.com hosted by Turnkey Internet Inc. on IP 208.85.6.39 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting.

***Latest News*** 6th. Jun 2009
No response from Turnkey Internet Inc. but the criminal has moved his botnet controller onto IP address 69.162.112.67. Network details:
The Zombie Botnet DNS Data (Valid for domain tripplecapital.com)
Looking up at the 2 tripplecapital.com. parent servers:

Zombie Botnet Nameserver | Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.find-buggersite.com [69.162.112.67] | 24.147.248.77 77.125.131.55 83.20.45.134 87.205.254.206 95.25.31.231
ns2.find-buggersite.com [64.23.245.111] | Timeout - Dummy nameserver, (never resolves).

The data shows a 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.find-buggersite.com hosted by Limestone Networks, Inc. on IP 69.162.112.67 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting.
Later: The Limestone Networks botnet has been promptly disconnected and the criminal is back up on another network:
The Zombie Botnet DNS Data (Valid for domain tripplecapital.com)
Looking up at the 2 tripplecapital.com. parent servers:

Zombie Botnet Nameserver | Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.find-buggersite.com [208.116.60.19] | 201.233.203.216 201.26.154.249 24.147.248.77 89.174.124.89 89.178.8.185
ns2.find-buggersite.com [64.23.245.111] | Timeout - Dummy nameserver, (never resolves).

The data shows a 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.find-buggersite.com hosted by FortressITX/Cirtex Corp/HostV on IP 208.116.60.19 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting.
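
The rotation visible across the three tripplecapital.com snapshots above can be measured rather than read off by eye. This is an added example, not part of the original report: the function names and the use of a /16 prefix as a rough stand-in for "same network" are assumptions, and the DNS lines are the ones reported on this page.

```python
import ipaddress
import re

# tripplecapital.com DNS data lines from the report (timeout text shortened).
DUMMY = "ns2.find-buggersite.com [64.23.245.111] Timeout"
SNAPSHOTS = [
    ["ns1.find-buggersite.com [208.85.6.39] 209.173.76.154 69.248.87.164 "
     "77.125.135.130 85.224.249.147 93.80.105.15", DUMMY],     # 4 Jun 2009
    ["ns1.find-buggersite.com [69.162.112.67] 24.147.248.77 77.125.131.55 "
     "83.20.45.134 87.205.254.206 95.25.31.231", DUMMY],       # 6 Jun 2009
    ["ns1.find-buggersite.com [208.116.60.19] 201.233.203.216 201.26.154.249 "
     "24.147.248.77 89.174.124.89 89.178.8.185", DUMMY],       # 6 Jun 2009, later
]

LINE = re.compile(r"^(\S+)\s+\[([\d.]+)\]\s*(.*)$")
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_line(line):
    """Return (nameserver, nameserver_ip, a_records); a_records is [] on timeout."""
    m = LINE.match(line.strip())
    if not m:
        raise ValueError("unrecognised DNS data line: %r" % line)
    ns, ns_ip, rest = m.groups()
    a_records = IPV4.findall(rest)
    for ip in [ns_ip] + a_records:
        ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    return ns.lower(), ns_ip, a_records


def summarize(snapshots):
    """Compute the fast-flux indicators the report describes in prose."""
    controllers, answers, silent_ns = [], [], set()
    for lines in snapshots:
        for ns, ns_ip, a_records in map(parse_line, lines):
            if a_records:
                controllers.append(ns_ip)
                answers.append(set(a_records))
            else:
                silent_ns.add(ns)  # delegated nameserver that never answers
    hosts = set().union(*answers)
    # Assumption: a /16 prefix is a rough proxy for "same network".
    nets = {str(ipaddress.ip_network(ip + "/16", strict=False)) for ip in hosts}
    # Share of each answer set that was absent from the previous snapshot.
    turnover = [len(cur - prev) / len(cur) for prev, cur in zip(answers, answers[1:])]
    reused = {ip for ip in hosts if sum(ip in s for s in answers) > 1}
    return {
        "controller_ips": controllers,
        "records_per_answer": sorted({len(s) for s in answers}),
        "distinct_hosts": len(hosts),
        "distinct_slash16": len(nets),
        "turnover": turnover,
        "reused_hosts": sorted(reused),
        "silent_nameservers": sorted(silent_ns),
    }
```

Fourteen host addresses in thirteen different /16 networks over two days, with 80-100% of each answer replaced between snapshots and one nameserver that never resolves, is the pattern the report calls a rotating zombie botnet.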

***Latest News*** 8th. Jun 2009
The domain tripplecapital.com has been suspended by the registrar.
News from Frank Bear - the domains directpotential.com, tdlifetrust.com, targettrust.net are still active registrations and have been switched to Yahoo hosting, but are currently showing 'DNS Refused' status - to be watched. Please notify me of any active domains for this criminal.

***Latest News*** 29th. Jun 2009
New domains reported by site contact: angleprospective.com and angleprotective.com
The Zombie Botnet DNS Data (Valid for domains angleprospective.com and angleprotective.com)
Looking up at the 2 angleprospective.com. parent servers:

Server | Response
ns1.hotsmedical.net [38.105.19.20] | 38.102.19.237 66.212.155.141 77.111.149.236 79.116.170.166 91.146.142.197
ns2.hotsmedical.net [216.40.7.77] | Timeout

The data shows a 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.hotsmedical.net hosted by  PSINet, Inc./Cogentco.com/Route Sense Corporation on IP 38.105.19.20 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting.

***Latest News*** 1st. Jul 2009
The main domain registrations are still active, but the hosting of the botnet nameserver ns1.hotsmedical.net on IP address 38.105.19.20 has been disabled and the domain hotsmedical.net has been suspended.

***Latest News*** 10th. Aug 2009
News from Simon Bear - The two domains angleprospective.com and angleprotective.com have both been disabled - please notify me of any active domains for this criminal.