Arena Financial Group scam

Arena Financial Group Fraud

Don't Bear Internet Fraud

Arena Financial Group screenshot (Stolen Website) - 27-Aug-2009

This fraud should not be confused with any other company of the same or similar name - the following fraud evidence defines and refer to this fake Arena Financial Group company alone and no other. The above website has been stolen from the legitimate company AXIS Financial Group - clear evidence of criminal fraud in itself. These criminals have also stolen their name from the genuine Sydney company of the same name - do not be fooled.

Arena Financial Group is yet another 'Rockphish' serial fraud consisting of a fake, (stolen), financial site used as a vehicle to legitimise a money laundering fraud job scam. The only reason it looks so glossy and professional is because the website content has been stolen in its entirety from the website of the genuine financial organisation AXIS Financial Group. That much is self evident and as such it is irrefutable evidence of fraud. The fake website is also hosted on a 'Fastflux' botnet using zombies that are also used for other frauds and also for 'phishing' fraud domains - no legitimate website is hosted on a zombie botnet, let alone a 'Rockphish' one. It's not the only scam website this fraudster has produced using an identical MO. He has previous aliases of Paramount Finance, First Rate Finance, World Finance Group, Zeus Financial Group, Toll Finance, Range Financial Corporation, Adriatic Finance Services and many others, in fact this latest scam website botnet is still hosted on the same WholeSale Internet, Inc./Hosting Ventures, LLC IP address and using the same criminal registered nameserver domain voda-fon.com as was used for the Adriatic Finance Services fraud which makes this fraud a clear follow-on fraud to the the Adriatic Finance Services scam.

The initial website fraud domain arenafinancialgroup.com was only registered with TODAYNIC.COM, INC. on 26-aug-2009 for the usual 'criminal's domain' minimum period of only one year and the crook has no web presence at all, (not to be confused with genuine Sydney based Australian company of the same name whose identity the criminal has stolen, as is their normal MO). The website is zombie botnet hosted which irrefutably defines it as a criminal website - no legitimate website is zombie botnet hosted. Reverse IP data on the zombies show it to be a 'Rockphish' operation without doubt and it uses the same zombies as other 'Rockphish' scams such as the Global Shipping Agency Ltd fraud and all the others listed above. Their contact telephone number used, (+61 03 8648 5842), is the same as used for the other 'Rockphish' fraudsters - Toll Finance and the Adriatic Finance Services at completely different fake addresses. All absolutely irrefutable evidence of fraud.

Evidence of Criminal Fraud:

i) Zombie botnet hosted: First and foremost, this criminal fraud site is hosted on a 5-IP 'FastFlux' 'Rockphish' zombie botnet as clearly evidenced by the DNS data. As no legitimate site is hosted on a zombie botnet this site is irrefutably defined as criminal. The zombies involved are also hosting other 'Rockphish' frauds such as the Global Shipping Agency Ltd scam and all his other aliases as listed above. Reverse IP data on the zombies involved shows other hosted 'Rockphish' domains and phishing URLs.

ii) Stolen website: It is perfectly obvious that the Arena Financial Group criminals have stolen their entire fraud site from the genuine AXIS Financial Group and modified it for their own fraud purposes by adding a fake "Payment Protection" menu option under the Online Service tab that leads the potential mule into their web of deceit and ultimately into criminal activity - clear evidence of site theft and fraud.

iii) As the Arena Financial Group criminals have stolen the website from the genuine AXIS Financial Group, the content has no real relevance, although as can be seen in the above screenshot, they claim a 15-Year history, but the fraudster's domain arenafinancialgroup.com was only registered with TODAYNIC.COM, INC. on 26-aug-2009 for the usual 'criminal's domain' minimum period of only one year. Clear evidence of fraudulent misrepresentation.

iv) Serial fraudster - the use of the criminal registered nameserver domain voda-fon.com links this criminal to a previous alias, Adriatic Finance Services.

v) As is usual for these criminals, a Google search shows that they have no internet presence at all despite the claim on their Home page to have a "fifteen year history". Do not confuse the criminals with a genuine Australian company of the same name & ABN number, (but located in Sydney), whose identity these crooks have stolen as is their normal practice from previous aliases.

vi) The Spam:

Date: Wed, 26 Aug 2009 18:07:53 -0400
From: job@recruitarenafinancialgroup.com
Subject: TotalJobs

Arena Financial Group Pty. Ltd.
350 Charman Rd, Cheltenham,
VIC, 3192, Australia.

Hello,
my name is Michael Nguyen and I am Arena Financial Group Hiring manager. We have found your CV at TotalJobs jobs board and decided to offer this job to you.

Our services
When buying-selling operations via the Internet are concerned, the buyer and the seller don't know each other (they may be placed in different corners of the world) - it is very important both to the buyer and the seller for their deal to be made safely. Payment Protection means receiving money, documents, goods (it might be both the seller's and the buyer's) concerning the transaction to a reliable, experienced, impartial person - our Payment Protection agent. The agent will hold all the documents and money until all the terms of the deal are satisfied and only then release them to the intended receiver. Please, visit our web-site for more information. (http://www.arenafinancialgroup.com/)

Why we need Payment Protection agents
Having a Payment Protection agent in every country we can quickly transfer funds inside a country without wasting time on the international bank transfers, and continue our rapid growth rather than overwhelming our own bank account with inbound and outbound transactions leading to severe hold times and possible service interruption. It is time that is of significant importance to our clients.

Career and Benefits
Your main task will be receiving money transactions to any bank account you would like to use for the purposes of this job; and then forwarding these transactions to the next party of the Payment Protection process according to our instructions. You will benefit from the commissions, which are 5-7% of each transaction and depend on the quantity of the completed transactions and the speed of your work. Besides, you will be paid a basic salary of 1700 EUR per month.

For your convenience there will be no paychecks, your commission will remain in your account after every successfully completed transaction. The money transfer fee is not included in your commission, meaning that you will deduct it from the received amount, not from your commission. Also you receive 5-7% of the transaction amount. Normally the amounts that we process vary from 2,000 EUR to 10,000 EUR, but can go higher on special occasions.

Job details
As the financial activity in your area is not too high, a Payment Protection agent will be processing approximately 1-2 transactions per week. Each transaction requires approximately 4-5 hours of the agent work. Our manager always calls the agent beforehand to provide all the instructions. Therefore, with the due time management, the agent is able to combine this job with other activities (e.g. primary job or studies).

If you are ready to proceed, please provide your AVAILABLE phone number to our hiring manager (Paul Marsden) at hiring@arenafinancialgroup.com

Please do not hesitate to contact us if you need more information.

--
Sincerely yours,
Michael Nguyen,
Arena Financial Group Pty. Ltd.
http://arenafinancialgroup.com/

It's an identical spam to their previous aliases. More information and employment agreement is located here.

vii) You do not get a clearer definition of the illegal part time money mule function: "Your main task will be receiving money transactions to any bank account you would like to use for the purposes of this job; and then forwarding these transactions to the next party of the Payment Protection process according to our instructions", i.e. transferring them on via Moneygram or Western Union less a percentage commission - that on its own defines the company without doubt as criminal and bogus and is clear evidence of criminal fraud. It is also a more or less identical spam to the criminal's previous identical aliases as listed above.

viii) No legitimate company is going to advertise for this sort of illegal part time, 'work from home' money transfer position among the untrained, inexperienced and uncertified general population overseas. It will get your bank account and your assets frozen and could well earn you a criminal record - do not be tempted.

ix) Fake 'Contact Us' Details from website:

Contact Us

Arena Financial Group
350 Charman Rd
Cheltenham, 3192
VIC, Australia

ABN: 64 116 420 958

Telephone: 03 8648 5842
Email: advice@arenafinancialgroup.com
Website: www.arenafinancialgroup.com

• - The ABN number 64 116 420 958 belongs to this genuine Sydney based company and not these crooks - clear evidence of fraud.
• - The telephone number +61 03 8648 5842 is a new Melbourne number, not a Cheltenham number, (City code 03 8).
• - A Google search for the address "350 Charman Rd Cheltenham, 3192 VIC" only returns an employment agency and an accountancy firm, (ignoring their own fake website, of course).
• - A Google Maps business search for the address "350 Charman Rd Cheltenham, 3192 VIC" also shows no signs of these criminals - just the above accountancy firm.
• - A Google search for the Australian telephone number "03 8648 5842" shows that it has also been used for another 'Rockphish' frauds, i.e. the Toll Finance fraudster and the Adriatic Finance Services fraudster at completely different fake addresses.

All absolutely irrefutable evidence of fake contact/location details and a fake company.

The above evidence clearly demonstrates beyond any doubt that the Arena Financial Group website has been set up very recently by 'Rockphish' money laundering criminals purely for the purpose of spamvertising an illegal money laundering 'mule' job. If you are an abuse team that has received an abuse report regarding these fraudsters, please consider immediate termination of their services in view of the absolutely undeniable evidence of criminal activity - please don't delay - these criminals will not respond to any communication from you, (all their whois data is false), but will simply take advantage of any attempt at communication as a delaying tactic to allow them time to carry on their criminal activity and prepare their next network.

Main Website Domains

arenafinancialgroup.com
recruitarenafinancialgroup.com

Registrar

TODAYNIC.COM, INC. (26-aug-2009)
DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM (NICS.NAME) (25-aug-2009)

Botnet Nameserver Domains

voda-fon.com

Registrar

RANGER REGISTRATION (MADEIRA) LLC. - 21-jul-2009

Nameserver Host

WholeSale Internet, Inc./Hosting Ventures, LLC

Host IP

69.197.142.240

Active
Suspended/Disabled
Parked

Domain Whois Data

Domain: arenafinancialgroup.com

Registrar:     TODAYNIC.COM, INC.
Status:        clientTransferProhibited
Dates:         Created 26-aug-2009   Updated 26-aug-2009 Expires 26-aug-2010
DNS Servers:   NS1.VODA-FON.COM NS2.VODA-FON.COM
Domain name: arenafinancialgroup.com
Status: Active

Protection Status: public

Registrant:
Name: Fedo Esar
Address: Moskow
City: Moskow
Province/state: MSK
Country: RU
Postal Code: 134424

Administrative Contact:
Name: Fedo Esar
Organization: Fedo Esar
Address: Moskow
City: Moskow
Province/state: MSK
Country: RU
Postal Code: 134424
Phone: +7.9957734420
Fax: +7.9957732293
Email: moldavimo@safe-mail.net

Technical Contact:
Name: Fedo Esar
Organization: Fedo Esar
Address: Moskow
City: Moskow
Province/state: MSK
Country: RU
Postal Code: 134424

Nameserver Information:
    ns1.voda-fon.com
    ns2.voda-fon.com

Create: 2009-08-26 18:38:56
Update: 2009-08-26
Expired: 2010-08-26

Domain: recruitarenafinancialgroup.com

Registrar:     DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Status:        clientTransferProhibited
Dates:         Created 25-aug-2009   Updated 25-aug-2009 Expires 25-aug-2010
DNS Servers:   NS1.VODA-FON.COM NS2.VODA-FON.COM
Registration Service Provided By: NICS.NAME
Contact: +7.8469724045
Website: http://nics.name

**Updated on suspension** Results returned from whois.publicdomainregistry.com:

Registration Service Provided By: NICS.NAME
Contact: +7.8469724045
Website: http://nics.name

Domain Name: RECRUITARENAFINANCIALGROUP.COM

Registrant:
    Arena Financial Group
    Michael Morrison        (ceo@arenafinancialgroup.com)
    350 Charman Rd
    Cheltenham
    Victoria,3192
    AU
    Tel. +61.0386485842

Creation Date: 25-Aug-2009
Expiration Date: 25-Aug-2010

Domain servers in listed order:
    ns2.suspended-domain.com
    ns1.suspended-domain.com

Administrative Contact:
    Arena Financial Group
    Michael Morrison        (ceo@arenafinancialgroup.com)
    350 Charman Rd
    Cheltenham
    Victoria,3192
    AU
    Tel. +61.0386485842

Technical Contact:
    Arena Financial Group
    Michael Morrison        (ceo@arenafinancialgroup.com)
    350 Charman Rd
    Cheltenham
    Victoria,3192
    AU
    Tel. +61.0386485842

Billing Contact:
    Arena Financial Group
    Michael Morrison        (ceo@arenafinancialgroup.com)
    350 Charman Rd
    Cheltenham
    Victoria,3192
    AU
    Tel. +61.0386485842

Status:SUSPENDED

The Zombie Botnet DNS Data (Valid for domain arenafinancialgroup.com)
DNS Lookup: arenafinancialgroup.com A record
Searching for arenafinancialgroup.com A record at j.root-servers.net [192.58.128.30]: Got referral to K.GTLD-SERVERS.NET. (zone: com.)
Searching for arenafinancialgroup.com A record at K.GTLD-SERVERS.NET. [192.52.178.30]: Got referral to ns1.voda-fon.com. (zone: arenafinancialgroup.com.)
Searching for arenafinancialgroup.com A record at ns1.voda-fon.com. [69.197.142.240]: Reports arenafinancialgroup.com.
Response:

Domain	Type	Class	TTL	Answer
arenafinancialgroup.com.	A	IN	1800	89.46.59.20
arenafinancialgroup.com.	A	IN	1800	67.164.7.67
arenafinancialgroup.com.	A	IN	1800	74.3.203.93
arenafinancialgroup.com.	A	IN	1800	84.252.43.108
arenafinancialgroup.com.	A	IN	1800	87.206.96.75
arenafinancialgroup.com.	NS	IN	1800	ns1.voda-fon.com.
arenafinancialgroup.com.	NS	IN	1800	ns2.voda-fon.com.
ns1.voda-fon.com.	A	IN	1800	69.197.142.240
ns2.voda-fon.com.	A	IN	1800	146.30.45.31

Looking up at the 2 arenafinancialgroup.com. parent servers:

Server	Response
ns1.voda-fon.com [69.197.142.240]	67.164.7.67 74.3.203.93 84.252.43.108 87.206.96.75 89.46.59.20
ns2.voda-fon.com [146.30.45.31]	Timeout

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.voda-fon.com hosted by WholeSale Internet, Inc./Hosting Ventures, LLC
on IP address 69.197.142.240 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT/NSLOOKUP). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting. This is exactly the same botnet host and the same criminally registered nameserver as used for the crook's previous alias, Adriatic Finance Services.

***Latest News*** 27th. August 2009
Webpage created

***Latest News*** 31st. August 2009
New domain notified by Frank Bear - recruitarenafinancialgroup.com registered with DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM (NICS.NAME) (25-aug-2009) and hosted on the above botnet by WholeSale Internet, Inc./Hosting Ventures, LLC on IP address 69.197.142.240

***Latest News*** 1st. September 2009
News from Frank Bear - the domain recruitarenafinancialgroup.com has been suspended by DirectI.

***Latest News*** 16th. September 2009
News from site contact and Frank Bear - the domain arenafinancialgroup.com has been suspended by TODAYNIC.COM, INC. Please inform me of any active domains for this criminal.