Buyer Guardian Fraud Report

Active Domain
Buyer Guardian scam screenshot (02-Apr-2009)

This fraudster should not be confused with any legitimate company of the same or similar name - the above website graphics and the included money laundering job clearly identify the fake website and these criminal fraudsters.

Buyer Guardian

This is just a standard scam website that has been set up to form a front for illegal activity, in this case escrow fraud. The domain buyerguardianinc.com was only registered with XIN NET TECHNOLOGY CORPORATION on 07-Mar-2009, for the usual criminal domain minimum period of one year only, and is hosted on a 19-IP 'fastflux' zombie botnet (network data below). That alone guarantees its criminality, without any of the other damning evidence, such as the fact that they are displaying a fake Verisign certificate and a fake Better Business Bureau certificate.

They have another domain, buyerguardianllc.com, registered with CSL GmbH (Joker.com) on 01-Mar-2009, once again for one year only, and using Joker nameservers pointing to the Joker IP address 159.25.17.253. This faker and his ilk have probably been instrumental in forcing the real Buyer Guardian (www.buyerguardian.com) of Centennial, Colorado, whose identity they have stolen, to close down. They are also using a fake Better Business Bureau domain registered with Joker.com (bbb-colorado.com), under the sub-domain http://www.bbb.org.bbb-colorado.com/, to post a fake Better Business Bureau report.

Buyer Guardian: Evidence of Criminal Fraud

i) The Buyer Guardian website domain buyerguardianinc.com is hosted on a 19-IP fastflux zombie botnet. Irrefutable evidence of a criminal operation - no legitimate website is hosted on a zombie botnet.

ii) The initial Buyer Guardian website domain buyerguardianinc.com was only registered with XIN NET TECHNOLOGY CORPORATION on 07-Mar-2009 for the usual criminal domain minimum period of one year only - a clear indication of fraud.

iii) Fake Verisign certificate - the website is displaying a fake Verisign seal on their car selling page that is simply a .gif image on the criminal's website - a genuine certificate should link to the Verisign secure server for verification purposes.

iv) Fake Better Business Bureau report - the criminal is displaying a "BBB - Accredited Business" seal which links to a fake report on the domain bbb-colorado.com which he has registered with Joker.com specifically for that purpose, using the sub-domain http://www.bbb.org.bbb-colorado.com/. ***Note - this is a fake report***.

v) This criminal and others like him have forced the closure of the genuine Buyer Guardian company (www.buyerguardian.com) at the address they have assumed. The genuine Buyer Guardian website is not resolving at the moment (it may have closed down or it may be under a Distributed Denial Of Service attack by these criminals), as it contained the following notice: (Thanks to the guys at badwhois.info - their copy of the original notice can be seen here - scroll to the bottom)

    Important Notice

    August 18, 2008

    To Our Faithful Customers:

    We are sad to report that after careful and lengthy consideration we have made the decision to cease operations at BuyerGuardian.com. This is a very difficult decision and one that is made primarily due to the rapid growth of online escrow fraud.

    Unfortunately, individuals have at times used altered copies of our web site content to defraud auto buyers. We do not want to enable these fraudulent transactions in any manner whatsoever. Any website using the BuyerGuardian.com logo, our site layout or our color scheme is doing so without our permission and is a fraudulent website.

    Please check with www.escrow-fraud.com or your local Better Business Bureau before using an escrow company. The only other national vehicle escrow service of which we are aware of at this time is Escrow.com (www.escrow.com).

    We want to thank all of the people whom we were able to help experience a seamless and successful interstate or international automobile transaction. We appreciate the kind words and support from our customers and hope to serve the automotive industry again in the future.

    Sincerely,

    The BuyerGuardian.com Team

The above evidence clearly demonstrates beyond any doubt that the Buyer Guardian website has been set up by criminal fraudsters purely for illegal activity. If you are an abuse team that has received an abuse report regarding these fraudsters, please consider immediate termination of their services in view of the absolutely undeniable evidence of criminal fraud - please don't delay - these criminals will not respond to any communication from you, (all their whois data is false), but will simply take advantage of any attempt at communication as a delaying tactic to allow them time to carry on their criminal activity and prepare their next network.
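The seal checks in items iii) and iv) can be automated. The following is an added example, not code from the original report: it flags a trust seal that is a bare image with no verification link, or whose link goes to a host that only embeds the issuer's domain as leading labels. The issuer-domain mapping and the sample markup are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Assumed issuer domains; confirm the real verification hosts with each issuer.
ISSUER_DOMAINS = {"verisign": "verisign.com", "bbb": "bbb.org"}
# Constructed markup modelled on the seals described in iii) and iv).
SAMPLE_PAGE = """
<img src="/img/verisign_seal.gif" alt="Verisign Secured">
<a href="http://www.bbb.org.bbb-colorado.com/"><img src="/img/bbb_seal.gif" alt="BBB Accredited Business"></a>
<a href="https://www.bbb.org/constructed-report"><img src="/img/bbb2.gif" alt="BBB report"></a>
"""

def host_under(host, domain):
    """True only if host is the domain itself or a genuine subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

class SealAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.href = None     # href of the <a> element currently open, if any
        self.findings = []   # (issuer, verdict, link host or None)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self.href = attrs.get("href")
        elif tag == "img":
            label = f'{attrs.get("alt") or ""} {attrs.get("src") or ""}'.lower()
            for issuer, domain in ISSUER_DOMAINS.items():
                if issuer in label:
                    self.findings.append((issuer, *self.judge(domain)))

    def handle_endtag(self, tag):
        self.href = None if tag == "a" else self.href

    def judge(self, domain):
        if not self.href:
            return "static image, no verification link", None
        host = urlsplit(self.href).hostname or ""
        if host_under(host, domain):
            return "links to issuer domain", host
        if domain in host:
            return "lookalike host embedding issuer domain", host
        return "links to unrelated host", host

def audit(html):
    parser = SealAudit()
    parser.feed(html)
    return parser.findings
```

A link that does land on the issuer's domain still has to be opened and read: the check only rules out seals that cannot be genuine.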

Buyer Guardian Fraudsters - hosting details

Main Domains, Registrars and Hosts

Domain | Registrar | Host Network | Host IP
buyerguardianinc.com | XIN NET TECHNOLOGY CORPORATION (07-Mar-2009) | Zombie Botnet - see data | Zombie Botnet - see data
buyerguardianllc.com | CSL GMBH DBA JOKER.COM (01-Mar-2009) | CSL GMBH DBA JOKER.COM | 159.25.17.253
bbb-colorado.com | CSL GMBH DBA JOKER.COM (10-Mar-2009) | GigeNET of Arlington Illinois | 66.252.9.204


Current Zombie Botnet Nameserver Domains and Registrars

Nameserver Domain | Nameserver Domain Registrar
allycom1.com | BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN (09-Mar-2009)

Key: Active / Suspended or Inactive / Parked

Please notify me of any other current domains used by this criminal.

The Zombie Botnet DNS Data (Valid for domain buyerguardianinc.com)
Looking up at the 5 buyerguardianinc.com parent servers:

Zombie Botnet Nameserver | Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.allycom1.com. [79.113.221.127] 79.115.112.182 24.131.252.45 79.117.155.200 114.40.135.126 222.120.191.130 81.196.76.18 80.252.251.79 79.115.37.239 78.96.178.110 211.215.252.126 95.104.90.146 68.48.17.196 78.152.179.11 95.84.7.206 98.226.94.222 95.24.146.17 79.113.130.117 93.100.64.22 188.24.39.229
ns2.allycom1.com. [188.24.39.229]  79.115.112.182 24.131.252.45 79.117.155.200 114.40.135.126 222.120.191.130 81.196.76.18 80.252.251.79 79.115.37.239 78.96.178.110 211.215.252.126 95.104.90.146 68.48.17.196 78.152.179.11 95.84.7.206 98.226.94.222 95.24.146.17 79.113.130.117 93.100.64.22 188.24.39.229
ns3.allycom1.com. [94.52.78.211] 79.115.112.182 24.131.252.45 79.117.155.200 114.40.135.126 222.120.191.130 81.196.76.18 80.252.251.79 79.115.37.239 78.96.178.110 211.215.252.126 95.104.90.146 68.48.17.196 78.152.179.11 95.84.7.206 98.226.94.222 95.24.146.17 79.113.130.117 93.100.64.22 188.24.39.229
ns4.allycom1.com. [95.104.38.97] 79.115.112.182 24.131.252.45 79.117.155.200 114.40.135.126 222.120.191.130 81.196.76.18 80.252.251.79 79.115.37.239 78.96.178.110 211.215.252.126 95.104.90.146 68.48.17.196 78.152.179.11 95.84.7.206 98.226.94.222 95.24.146.17 79.113.130.117 93.100.64.22 188.24.39.229
ns5.allycom1.com. [93.100.172.50] 79.115.112.182 24.131.252.45 79.117.155.200 114.40.135.126 222.120.191.130 81.196.76.18 80.252.251.79 79.115.37.239 78.96.178.110 211.215.252.126 95.104.90.146 68.48.17.196 78.152.179.11 95.84.7.206 98.226.94.222 95.24.146.17 79.113.130.117 93.100.64.22 188.24.39.229

The data shows a 19-IP site-hosting zombie botnet. The criminal-owned nameservers ns1.allycom1.com to ns5.allycom1.com, themselves hosted on various rotating IPs, act as zombie botnet controllers 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list, which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting.

In this instance not only do all of the 'A' record IPs rotate, but the nameserver hosting (which is also on either zombies or possibly criminal-owned machines) rotates as well, meaning that ceasing the main and nameserver domain registrations is the only practical method of taking the criminal down. It also means that the above table is simply a snapshot in time: if you plot the main and nameserver host IPs again you will get entirely different ones, and there may be hundreds or even thousands of IPs involved.
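The indicators described above (many 'A' records scattered across networks, nameservers sharing the host pool, and rotation between snapshots) can be measured from lookup output. The following is an added example, not the author's tooling: it parses rows in the same layout as the table above and scores them. The snapshots use constructed private-range addresses, and the thresholds are illustrative assumptions.

```python
import ipaddress
import re

# Constructed snapshots in the page's row layout: "nameserver. [ns_ip] a_record ...".
# Addresses are made-up private-range values, not the ones listed on the page.
FLUX_T0 = """\
ns1.flux.example. [10.1.5.9] 10.2.0.7 10.30.1.4 10.44.8.2 10.91.3.3 10.120.6.1 10.200.9.9
ns2.flux.example. [10.200.9.9] 10.2.0.7 10.30.1.4 10.44.8.2 10.91.3.3 10.120.6.1 10.200.9.9
"""
FLUX_T1 = """\
ns1.flux.example. [10.77.2.4] 10.2.0.7 10.61.4.4 10.83.9.1 10.150.2.2 10.166.7.5 10.77.2.4
ns2.flux.example. [10.13.8.8] 10.2.0.7 10.61.4.4 10.83.9.1 10.150.2.2 10.166.7.5 10.77.2.4
"""
STABLE = """\
a.ns.registrar.example. [10.7.7.100] 10.8.1.253
b.ns.registrar.example. [10.7.9.21] 10.8.1.253
"""
ROW = re.compile(r"^(\S+)\s+\[([0-9.]+)\]\s+(.+)$")

def parse_rows(text):
    """Return (set of nameserver IPs, set of site-host 'A' record IPs)."""
    ns_ips, hosts = set(), set()
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            ns_ips.add(ipaddress.ip_address(m.group(2)))
            hosts.update(ipaddress.ip_address(x) for x in m.group(3).split())
    return ns_ips, hosts

def flux_indicators(text, min_hosts=5, min_networks=4):
    """Score one snapshot; both thresholds are illustrative assumptions."""
    ns_ips, hosts = parse_rows(text)
    # Distinct /16s approximate "hosts scattered over unrelated networks".
    networks = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in hosts}
    return {
        "host_count": len(hosts),
        "host_networks": len(networks),
        # A nameserver that also serves the site suggests it sits on the same pool.
        "ns_in_host_pool": sorted(str(ip) for ip in ns_ips & hosts),
        "suspect": len(hosts) >= min_hosts and len(networks) >= min_networks,
    }

def churn(earlier, later):
    """Fraction of the earlier snapshot's site hosts missing from the later one."""
    _, old = parse_rows(earlier)
    _, new = parse_rows(later)
    return len(old - new) / len(old) if old else 0.0
```

A conventionally hosted domain, like the single-address answers in the network data below, scores one host on one network with zero churn.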

Network Data (buyerguardianllc.com)
How I am searching:

Searching for buyerguardianllc.com A record at k.root-servers.net [193.0.14.129]: Got referral to i.gtld-servers.net. (zone: com.)
Searching for buyerguardianllc.com A record at i.gtld-servers.net. [192.43.172.30]: Got referral to b.ns.joker.com. (zone: buyerguardianllc.com.)
Searching for buyerguardianllc.com A record at b.ns.joker.com. [66.197.237.21]: Reports buyerguardianllc.com. Response:
Domain Type Class TTL Answer
buyerguardianllc.com. A IN 86400 159.25.17.253
buyerguardianllc.com. NS IN 86400 a.ns.joker.com.
buyerguardianllc.com. NS IN 86400 b.ns.joker.com.
buyerguardianllc.com. NS IN 86400 c.ns.joker.com.

Looking up at the 3 buyerguardianllc.com. parent servers:

Server Response
c.ns.joker.com [207.44.185.10] 159.25.17.253
a.ns.joker.com [207.44.185.100] 159.25.17.253
b.ns.joker.com [66.197.237.21] 159.25.17.253

The host (and the registrar) of this criminal fraud domain buyerguardianllc.com is COMPUTER SERVICES LANGENBACH GMBH DBA JOKER.COM on IP address 159.25.17.253.

Network Data (bbb-colorado.com)
How I am searching:

Searching for bbb-colorado.com A record at l.root-servers.net [199.7.83.42]: Got referral to k.gtld-servers.net. (zone: com.)
Searching for bbb-colorado.com A record at k.gtld-servers.net. [192.52.178.30]: Got referral to a.ns.joker.com. (zone: bbb-colorado.com.)
Searching for bbb-colorado.com A record at a.ns.joker.com. [207.44.185.100]: Reports bbb-colorado.com. Response:
Domain Type Class TTL Answer
bbb-colorado.com. A IN 900 66.252.9.204
bbb-colorado.com. NS IN 86400 a.ns.joker.com.
bbb-colorado.com. NS IN 86400 b.ns.joker.com.
bbb-colorado.com. NS IN 86400 c.ns.joker.com.
a.ns.joker.com. A IN 7200 207.44.185.100
b.ns.joker.com. A IN 86400 66.197.237.21
c.ns.joker.com. A IN 86400 207.44.185.10

Looking up at the 3 bbb-colorado.com. parent servers:

Server Response
c.ns.joker.com [207.44.185.10] 66.252.9.204
a.ns.joker.com [207.44.185.100] 66.252.9.204
b.ns.joker.com [66.197.237.21] 66.252.9.204

Once again the criminal is using Joker nameservers, but this time pointing to the IP address 66.252.9.204 which belongs to GigeNET of Arlington Illinois.

***Latest News*** Webpage set up 02-Apr-2009 - Thanks to Sara for the heads up on this one.

***Latest News*** 03-Apr-2009
News from Sara Bear - Joker.com have suspended the registration of the criminal fraud domains buyerguardianllc.com and bbb-colorado.com.