Cronos Investment is just the latest in a long line of criminal fraud aliases used by the same money laundering mule criminals, with exactly the same method of operation and a website based on the criminal's Draper Investment fraud website. Basically all the criminal has done is take his stolen Draper Investment fraud site clone and alter the name to Cronos Investment.
The Cronos Investment fraudsters have once again stolen the website of the genuine Draper Investment Company, who have nothing whatsoever to do with this fraud. Their genuine website is here and the criminal's bogus Cronos Investment website is currently here.
The registrar Nic.ac continues to host this criminal's Ascension Island (.ac) fraud domains despite many attempts to contact them by webform and email, without a single reply. The company has no telephone contact number and the office address is a PO box number. The other interesting thing to note is that there appears to be no whois data available for the domain nic.ac. The parent company of Nic.ac is the "Internet Computer Bureau"; their contact details are the same as for Nic.ac, i.e. a PO box number for an address and no telephone contact number, just a fax number. If they have a telephone number it appears to be ex-directory, as a search on BT's Directory Enquiries produces the message "This business could not be found. The number you are searching for may be ex-directory".
The network provider AbdAllah Internet Hizmetleri also ignores all abuse reports.
Cronos Investment: Evidence of Criminal Fraud
i) The Cronos Investment criminal fraudsters have stolen the website of the genuine Draper Investment Company as detailed above. This fraud is exactly the same as his original Draper Investment fraud with the name simply changed to Cronos. The genuine company have a warning about these copyright thieves on their home page.
ii) The genuine Draper Investment is located in San Francisco; the criminals have a bogus address in France on their stolen website. The given address, 63 Quai De la Seine, Paris, 75019 France, is in fact the address of La Péniche Cinéma and not Cronos Investment!
iii) The criminal's site has a 'Career' menu option which the genuine site does not have. It is spamvertising the usual 'Regional associate' money laundering mule 'job' as follows:
Regional associate
Description: In this position regional associates are responsible for supervising the money transfers and payments from regional clients. They are hired part-time and are free to plan their schedule themselves. The key responsibilities are fastening the procedure of the payment delivery and maximizing the profit of the company. No direct communication or meetings with the clients are required. Regional associates take net 10% commission out of each deal (transfer) they have completed. All the related charges they might have are covered by Cronos Investment. Position includes traveling, that normally does not take more than 1-1,5 hours every second/third working day. The successful candidate will be a responsible for accurate record keeping and accurate scheduling individual.
The responsibilities of the individual in this position include:
Monitor the alerts about the new transfers made into the bank account.
Communicate with the head office regularly.
Make calculations and take record regarding each payment.
Travel around to the bank and to the Western Union.
Transfer the payments to the regional branches of Cronos Investment via Western Union.
iv) The 'Our Team' page on the fake site has different fake managers from his Draper Investment clone; at least this time he has the sexes right. The fake Michel Humbert is still based on the biography of Pat Hatler from Nationwide Insurance. Mauricette Gagnot's bio is based on Nationwide's Robert Rosholt. If anyone knows where they stole the photos from, please let me know.
v) The Cronos Investment criminal uses lots of recently registered domains, with newly registered ones appearing all the time as the spamvertised ones are suspended by responsible registrars.
vi) On their bogus website's 'History' page, the criminals claim that Cronos Investment has been in existence since 1956, yet Google has not heard of them.
vii) The Cronos Investment spam contains forged header information and the usual Bayesian filter avoidance code that irrefutably link it to the Draper Investment, Harvey Investment, Adamant Global, Sydney Car Centre and all this criminal's many other aliases, along with the 'rockphish' phishing criminals.
viii) The criminals' prolific spam is zombie botnet distributed, as is easily demonstrated by the source IPs.
ix) The criminal's spams are all signed by different random names; they appear to have an infinite number of fake 'employees'.
The above evidence clearly demonstrates beyond any doubt that this stolen Cronos Investment Company website has been set up by money laundering criminals purely for the purpose of spamvertising an illegal money laundering 'mule' job and is undoubtedly just a copy of his Draper Investment scam, which is related to Harvey Investment, Adamant Global, Sydney Car Centre and the rest of the money laundering criminal fraudsters' aliases documented here. If you are an abuse team that has received an abuse report regarding these fraudsters, please consider immediate termination of their services in view of the absolutely undeniable evidence of site theft, copyright offences, criminal money laundering activity and spamming. Please don't delay: these criminals will not respond to any communication from you (all their whois data is false), but will simply take advantage of any attempt at communication as a delaying tactic to allow them time to carry on their criminal activity and prepare their next network.
Do not be misled: these are professional criminals with a long history of fraud as detailed on the General Information page, and are the same criminals as the 'rockphish' phishing fraudsters, so if a host or registrar shelters these crooks then they are also sheltering the 'rockphish' phishers and aiding and abetting their criminal 'phishing' fraud activities.
Cronos Investment Fraudsters - current hosting details.
[Table: Host IP / Network / Botnet Nameserver IP / Network. The IP columns did not survive extraction; the networks listed were AbdAllah Internet Hizmetleri and RoadRunner.]
See the table below for the full list of known active & suspended main domains used by this criminal.
Current Zombie Botnet Nameserver Domains and Registrars
The Spam Headers
Return-Path: <frey8292@grungecafe.com>
Received: from mwinf3016.me.freeserve.com (mwinf3016.me.freeserve.com)
by mwinb3406 (SMTP Server) with LMTP;
Tue, 16 Oct 2007 14:44:26 +0200
X-Sieve: Server Sieve 2.2
Envelope-to: xxxxxxxxxx.freeserve.co.uk
Received: from me-wanadoo.net (localhost [127.0.0.1])
by mwinf3016.me.freeserve.com (SMTP
Server) with ESMTP id xxxxxxxxxx
for <xxxxxxxxxx.freeserve.co.uk>;
Tue, 16 Oct 2007 14:44:26 +0200 (CEST)
Received: from 62.117.184.37.dyn.user.ono.com
(62.117.184.37.dyn.user.ono.com [62.117.184.37])
by mwinf3016.me.freeserve.com (SMTP
Server) with SMTP id xxxxxxxxxx
for <xxxxxxxxxx.freeserve.co.uk>;
Tue, 16 Oct 2007 14:44:25 +0200 (CEST)
X-ME-UUID: xxxxxxxxxx@mwinf3016.me.freeserve.com
Received: from malden.aol.com (ehlo cobblestone.rupornosex.com [39.70.105.0])
by cimdesign.com with SMTP id DVC4X9OFFI
for <xxxxxxxxxx.freeserve.co.uk>;
Tue, 16 Oct 2007 07:44:26 -0600
Received: from tenchiclub.com (ehlo collie.tenchiclub.com
[38.206.96.198])
by shinbiro.com with SMTP id 9PK26I5K9C
for <xxxxxxxxxx.freeserve.co.uk>;
Tue, 16 Oct 2007 07:44:26 -0600
From: "Cronos Investment Company LLC"
<Frey8292@grungecafe.com>
To: "xxxxxxxxxx"
<xxxxxxxxxx.freeserve.co.uk>
Organization: Cronos Investment Company LLC
Donn.Langston4888@chocofan.com
Subject: all majors welcome... no experience necessary [message
id: xxxxxxxxxx]
User-Agent: Pegasus Mail for Win32 (v2.53/R1)
X-Mailer: Pegasus Mail for Win32 (v2.53/R1)
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--J66O936_FZEWE8LN"
Message-Id: <xxxxxxxxxx@mwinf3016.me.freeserve.com>
Date: Tue, 16 Oct 2007 14:44:25 +0200 (CEST)
X-me-spamlevel: med
X-me-spamrating: 70.720782
X-Antivirus: AVG for E-mail 7.5.488 [269.14.12/1072]
Recipient & message id munged.
The first thing to notice is the spam source IP. Reading from the bottom upwards (following the routing, as is the norm when parsing headers), the first Received lines encountered (shown in red on the original page: the shinbiro.com and cimdesign.com lines) can be rejected as unsafe, almost certainly forged. The actual trusted source IP that cannot be forged is the one received by the recipient's email provider (Freeserve), and that is in this line (shown in green on the original page):
Received: from 62.117.184.37.dyn.user.ono.com (62.117.184.37.dyn.user.ono.com [62.117.184.37])
by mwinf3016.me.freeserve.com (SMTP Server) with SMTP id xxxxxxxxxx
for <xxxxxxxxxx.freeserve.co.uk>; Tue, 16 Oct 2007 14:44:25 +0200 (CEST)
In this Received line the source IP address is 62.117.184.37, and the reverse DNS (RDNS) for it correctly resolves to 62.117.184.37.dyn.user.ono.com, which confirms that the source address is genuine. In the above RDNS sender identity note the letters 'dyn'. This indicates a dynamic IP allocation and tells you that the spam has come from an end user's computer on a cable network in Spain (from the whois data for the IP address).
"Well", you say, "there's your criminal". Unfortunately not: he or she may be guilty of criminal stupidity by not having a firewall or by clicking on the latest nude pictures of Britney Spears, but probably not of criminal fraud. He/she is just one of tens of thousands of 'zombies': computers that have been infected with a zombie virus or worm. What it does tell you is that the Draper Investment spammer uses a zombie botnet to distribute his spam in exactly the same way as Sydney Car Centre, Harvey Invest, Adamant Global and all the rest of these criminals.
Lastly, Frey8292@grungecafe.com is not "Draper Investment" & the spam has not come from that address; this is just another forged email address which may or may not actually exist.
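The bottom-up walk through the Received chain described above, as an added Python example (not code from the original page): it unfolds the headers, walks down through hops written by the recipient provider's own MTAs, reports the first hop that arrived from an outside address as the trusted source, treats every Received line below it as sender-supplied, and flags a 'dyn'-style reverse name. The sample chain is the one shown above with its munged values kept; the set of trusted MTA names is an assumption taken from that chain.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample: the Received chain of the Cronos Investment spam shown
# above, with the recipient and ids munged exactly as on the page. The top
# line is the last hop, the bottom line the first one the sender claims.
SAMPLE_HEADERS = """\
Received: from mwinf3016.me.freeserve.com (mwinf3016.me.freeserve.com)
 by mwinb3406 (SMTP Server) with LMTP; Tue, 16 Oct 2007 14:44:26 +0200
Received: from me-wanadoo.net (localhost [127.0.0.1])
 by mwinf3016.me.freeserve.com (SMTP Server) with ESMTP id xxxxxxxxxx
 for <xxxxxxxxxx.freeserve.co.uk>; Tue, 16 Oct 2007 14:44:26 +0200 (CEST)
Received: from 62.117.184.37.dyn.user.ono.com
 (62.117.184.37.dyn.user.ono.com [62.117.184.37])
 by mwinf3016.me.freeserve.com (SMTP Server) with SMTP id xxxxxxxxxx
 for <xxxxxxxxxx.freeserve.co.uk>; Tue, 16 Oct 2007 14:44:25 +0200 (CEST)
Received: from malden.aol.com (ehlo cobblestone.rupornosex.com [39.70.105.0])
 by cimdesign.com with SMTP id DVC4X9OFFI
 for <xxxxxxxxxx.freeserve.co.uk>; Tue, 16 Oct 2007 07:44:26 -0600
Received: from tenchiclub.com (ehlo collie.tenchiclub.com [38.206.96.198])
 by shinbiro.com with SMTP id 9PK26I5K9C
 for <xxxxxxxxxx.freeserve.co.uk>; Tue, 16 Oct 2007 07:44:26 -0600
"""

# Assumption: the recipient provider's own MTAs, taken from the chain above.
TRUSTED_BY: Set[str] = {"mwinb3406", "mwinf3016.me.freeserve.com"}

# Hostname fragments ISPs commonly use for dynamically allocated end-user
# addresses (the "dyn" the page points at, plus common relatives), and an IP
# address written into the hostname, dotted or dashed.
DYNAMIC_TOKENS = re.compile(r"(^|[.-])(dyn|dynamic|dsl|adsl|cable|pool|ppp|dhcp|dial)([.-]|$)")
EMBEDDED_IP = re.compile(r"(\d{1,3}[.-]){3}\d{1,3}")
RECEIVED = re.compile(r"^Received:\s+from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", re.I)


@dataclass
class Hop:
    helo: str            # name the sending host announced
    rdns: Optional[str]  # peer name the receiving MTA recorded
    ip: Optional[str]    # peer address the receiving MTA recorded
    by: str              # the MTA that wrote this Received line


def unfold(raw: str) -> List[str]:
    """Join continuation lines so each header is one string."""
    out: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.rstrip())
    return out


def parse_received(header: str) -> Optional[Hop]:
    m = RECEIVED.match(header)
    if not m:
        return None
    helo, comment, by = m.group(1), m.group(2) or "", m.group(3)
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", comment)
    # The recorded name is whatever is left in the comment once the bracketed
    # address and an "ehlo"/"helo" keyword are removed.
    names = [t for t in re.sub(r"\[.*?\]", "", comment).split()
             if t.lower() not in ("ehlo", "helo")]
    return Hop(helo, names[0] if names else None, ip.group(1) if ip else None, by)


def is_dynamic_rdns(name: Optional[str]) -> bool:
    if not name:
        return False
    low = name.lower()
    return bool(DYNAMIC_TOKENS.search(low) or EMBEDDED_IP.search(low))


def analyse(raw: str, trusted_by: Set[str] = TRUSTED_BY) -> Dict[str, object]:
    """Walk the chain top-down through hops written by our provider's MTAs.
    The first hop that came in from an outside address is the real source;
    every Received line below it was supplied by the sender and is untrusted."""
    hops = [h for h in (parse_received(x) for x in unfold(raw)) if h]
    for i, hop in enumerate(hops):
        if hop.by not in trusted_by:
            break  # custody chain broken before any external hop was found
        internal = hop.ip is None or not ipaddress.ip_address(hop.ip).is_global
        if internal or hop.helo in trusted_by:
            continue  # relay inside the provider, keep walking
        return {
            "source_ip": hop.ip,
            "rdns": hop.rdns,
            "helo_matches_rdns": hop.helo.lower() == (hop.rdns or "").lower(),
            "dynamic": is_dynamic_rdns(hop.rdns),
            "untrusted_hops": [h.by for h in hops[i + 1:]],
        }
    return {"source_ip": None, "rdns": None, "helo_matches_rdns": False,
            "dynamic": False, "untrusted_hops": [h.by for h in hops]}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

The rdns field is what the trusted MTA recorded for the peer, so the script only checks it against the announced name; a live reverse lookup of the source address is the extra step the text describes and needs network access.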
Incidentally, never 'bounce' spam back to the 'sender', as it only bounces back to a forged address which, if real, will belong to an innocent third party who will understandably be a little peeved with you; and if you do it a lot you could get your ISP's SMTP IP range blacklisted, and they will be even more upset with you & could justifiably close your account.
The Spam Content
The Cronos Investment spam headers contain many different forged/bogus 'From' & 'Return Path' addresses & various forged 'Received' lines. The subject lines vary & all indicate that there is a job opportunity to be had. There is: an illegal job as a money laundering 'mule' or transfer fraud victim, i.e. accepting stolen or counterfeit proceeds into your account and forwarding them on via Western Union or Moneygram for a percentage cut. Needless to say it is these mules that will probably feel the full weight of the law while the remote money launderers are safe. The bogus or stolen funds in the mule's account may well also be recovered, leaving them with large losses.
This is the content of an actual Cronos Investment scam spam:
Dear Sir/Madam,
Cronos Investment Company is a venture capital firm that specializes in investments in seed and early-stage global information technology, telecommunications and software companies. We seek international entrepreneurs with the energy, vision, experience and desire to build great companies.
Due to our growth, we're constantly on the lookout for qualified professionals to place in contract, contract-to-hire, and permanent placement positions across a number of different industries. We know it's more than just your day-to-day responsibilities that can make or break a job. It's the support you get. That's the reason Cronos Investment offers a variety of benefits including medical, dental, optical, 401k, and many more. Don't put your career in the hands of just anyone, put it in the hands of a specialist. Join the Cronos team!
Today we are glad to offer you an opportunity to become our regional associate. In this position you will be responsible for supervising the money transfers and payments from regional clients. You will be hired part-time and will be free to plan your schedule yourself. The key responsibilities are fastening the procedure of the payment delivery and maximizing the profit of the company. No direct communication or meetings with the clients are required. Regional associates take net 10% commission out of each deal (transfer) they have completed. All the related charges they might have are covered by Cronos Investment. Position includes traveling, that normally does not take from the employee more than 1-1,5 hours every second/third working day. The successful candidate will be a responsible for accurate record keeping and accurate scheduling individual, with the availability of a bank account to be used for the company transfers, willing to bring value to the employer.
If you are interested in a position, please look for a more detailed information on our web-site:
Note the usual Bayesian filter avoidance 'code', commonly used by these criminals and the 'rockphish' scammers alike.
I note that the usual phrase "fastening the process" used by these criminals has now become "fastening the procedure".
The spam is an exact copy of the Draper Investment spam with the name changed from Draper to Cronos.
The Zombie Botnet
The criminal is not using a zombie botnet at this time. Normal DNS data below.
Initial DNS Data (cronco.ch and crinc.ac) [See latest DNS data in Fraud Blog below]
Nameserver                           'A' Record Response
dns1.gosperti.com [200.72.139.67]    221.2.210.149
dns2.gosperti.com [202.74.32.13]     Timeout
The DNS data shows the criminals hosting on IP 221.2.210.149, which is an IP belonging to CNC Group ShanDong Network.
These criminals are experienced liars, thieves and professional confidence tricksters. Do not be fooled; do not believe them. The evidence of criminal fraud is undeniable.
I'd like to thank the many honest & ethical hosts who have disconnected these fraudsters within an hour of receiving my abuse report (several in c. 20 minutes). However, the zombie botnet controlling nameservers seem to be occasionally hosted by colocation/VPS service providers who do not respond to criminal fraud abuse reports. The honest & ethical SPs will respond with an immediate disconnection (preferably not 24 hours or 48 hours, & certainly not never...) on receipt of a criminal abuse report, having considered the evidence below & investigated, but more and more frequently service providers stall or simply ignore abuse reports. This latter minority of uncaring & unethical hosts are aiding and abetting criminal fraud, and the victims suffer because of it.
Knowingly supplying services to these fraudsters is a criminal offence in the UK under the UK Proceeds of Crime Act (2002) Section 328: "A person commits an offence if he enters into or becomes concerned in an arrangement which he knows or suspects facilitates (by whatever means) the acquisition, retention, use or control of criminal property by or on behalf of another person". The notification level for this offence is low.
Would all hosts and registrars with a UK presence (other countries will undoubtedly have similar provisions) please bear this in mind and please do not ignore any criminal fraud abuse reports you may receive; or if you do, please don't be surprised or offended if I file a crime complaint against you with local law enforcement agencies after a reasonable period of notice of abuse. The victims (who could be your mother, father, grandmother, grandfather, the helpless, the disabled or any loved one; these criminals are exactly the same as doorstep conmen) deserve better.
The unethical hosts (and registrars) should appreciate that taking the 'blind eye' approach involves them in the crime, creates a great deal of ill-will and bad publicity & hurts everybody, especially the victims of these fraudsters. They should also bear in mind that these crooks pay for their services using Paypal linked to stolen credit card details, so they are likely to get a charge-back which will also leave them out of pocket, unless, of course, they have a more intimate relationship with the criminals.
A CEO of a Credit Union tells me of clients who have lost thousands of pounds cashing counterfeit money orders for these criminals, & I myself have had letters from worried victims, so do not under any circumstances get involved with them, and also please think twice about doing business with the unethical service providers who continue to provide this criminal with the means to perpetrate his crime despite being notified of the criminal activity.
Blocking the Spam
I have had quite a few queries about how to block the criminal's spam in Outlook Express. Fortunately they are easily detected using the OE 'Mail Rules' (Tools - Message Rules - Mail). Rules based on the From, To etc. addresses will never work as the header data is all forged. The message body remains constant, however, & that can be used to detect them. Use the rule "Where the message body contains specific words" and use "Cronos Investment" as the search item, then choose 'delete' (or whatever action you prefer) as the action; that will definitely detect every single one of these spams.
If you find this site helpful then please feel free to link to it on your website by inserting the following HTML code (opens site in new window):
<a href="http://www.bobbear.co.uk" target="_blank">Money Laundering Fraud Websites</a>
Here are all of the known domains that are/have been used for the Cronos Investment fraud:
[Table of known Cronos Investment fraud domains with their status (Suspended, Active, Active (Unhosted), Active (Parked), Parked) and registrar; the domain column did not survive extraction. Registrars appearing in the table: DNS.be, Estdomains, Spiritdomains/IA Registry, Enom, BIZCN.COM, INC., Todaynic/Nownet/CNNIC, Register.com.]
Please notify me of any errors or domains not listed here.
Notes for Registrars
i) The Cronos Investment criminal uses his own nameserver domains to control his zombie botnets or provide his DNS. By definition there can be no legitimate domains using his dedicated botnet nameservers, & his conventional nameserver domains are always very recently registered. This provides an ideal database search option for you to identify and delete all of this criminal's fraud domains without any risk of hurting an innocent domain. Current criminal's conventional nameserver domains: myserverdns.com, nsters.com; botnet nameserver domain: thelastwall.com.
ii) All of the criminal's domains have different false whois registration data.
iii) The criminal will not respond to your challenge but will use the notice to prepare a new network; immediate suspension is preferred.
If you have been a victim of this or any other of these fraudsters & would like to tell your story on these pages as a warning & to help others, please contact me.
Fraud Blog
Initial entry 16th. October 2007 - spam received from the criminals (example above), using domains cronco.ch and crinc.ac and hosted on IP 221.2.210.149 (CNC Group ShanDong Network).
October 17th. 2007
Domain cronco.ch suspended by Switch.ch. Domain crinc.li spotted on the AbdAllah Internet hosting and nameservers used by the fraudster for his Draper Investment fraud.
DNS Data: Looking up the 2 crinc.li parent servers DNS Details:
Nameserver                       'A' Record Response
ns2.fordns.be [88.255.90.227]    88.255.90.226
ns1.fordns.be [88.255.90.226]    88.255.90.226
His host for the domain crinc.li is AbdAllah Internet on IP 88.255.90.226.
Later - He's moved his hosting for domain crinc.ac. Looking up the 2 crinc.ac parent servers DNS Details:
Nameserver                           'A' Record Response
dns2.gosperti.com [202.74.32.13]     211.60.129.140
dns1.gosperti.com [200.72.139.67]    211.60.129.140
His host for the domain crinc.ac is LG DACOM Corporation (BORANET) on IP 211.60.129.140.
Later - fraud domains cronos.mn & crons.cc spotted in the wild, both on the AbdAllah Internet IP 88.255.90.226.
October 18th. 2007
Another day, another host... The new DNS details for the criminal's crinc.ac domain are as follows:
Looking up the 2 crinc.ac parent servers DNS Details:
Nameserver                           'A' Record Response
dns2.gosperti.com [202.74.32.13]     82.78.124.160
dns1.gosperti.com [200.72.139.67]    82.78.124.160
The host this time is RDSNET.RO on IP 82.78.124.160.
Later: He's changed it again, that was quick. I guess someone must have reported it earlier.
Looking up the 2 crinc.ac parent servers DNS Details:
Nameserver                           'A' Record Response
dns2.gosperti.com [202.74.32.13]     221.12.43.189
dns1.gosperti.com [200.72.139.67]    221.12.43.189
The crook's crinc.ac domain is not resolving yet, but the host IP it throws up has the telltale sign of a 'rockphish' site on it at the moment, a "209 Host Locked" bogus error report, so he's certainly using it for something and it's just another link to the 'Rockphish' criminals, not that any further confirmation was needed. The IP 221.12.43.189 is a CNC Group (Zhejiang Province) Network IP.
Well, I've found out what he's using it for: http://icg-technology.com/ which is another money mule scam using the same crook's CNC Group (Zhejiang Province) network above.
The domain crinc.cc is also on the above host.
The domain cron.li is on the AbdAllah Internet host.
October 19th. 2007
Domain crinc.mn received in spam, on the above AbdAllah Internet host.
Later - New domain received in spam: cronco.li, also on the above AbdAllah Internet host.
***Latest News*** October 20th. 2007
New criminal fraud domain notified by site visitor: cronos.li
AbdAllah Internet now seem to be bouncing all abuse reports (including webform submissions) with the following bogus NDR:
<abuse@ahlen.biz>: host ahlen.biz[85.17.184.21] said: 550 We are not accepting mail from bots.
Their email system also presently generates bogus 'relaying not permitted' errors, including from webmail submissions to their postmaster@ahlen.biz address. In other words, they do not appear to accept any email or webform submissions. What sort of business operates like that? In fact it's a "Turkish private offshore dedicated servers provider" business... (from their website).
Other facts to note about 'AbdAllah Internet' are:
1) Their domain ahlen.biz was only registered with Enom on August the 27th. 2007.
2) Even though they are a business, they are using Privacy Protection to hide their whois data.
3) They also host the http://unitedfinancegroup.org/ and http://www.ace-assist.biz/ criminal money laundering fraudsters and others on 88.255.90.53 and 88.255.90.226 respectively, and have not so far responded to abuse reports about them either.
October 23rd. 2007
The domain gosperti.com has been suspended, as has domain crinc.li. The AbdAllah Internet network is still operational and they appear not to be interested in abuse reports. Nic.ac also appear not to want to know about their criminal fraud .ac domains. The CNC Group (Zhejiang Province) Network IP 221.12.43.189 appears to have been disconnected. New DNS data for domains crinc.ac, crinc.cc and cronos.li:
Looking up the 2 crinc.ac parent servers DNS Details:
Nameserver                           'A' Record Response
dns2.gosperti.com [202.74.32.13]     202.134.177.24
dns1.gosperti.com [200.72.139.67]    202.134.177.24
The IP 202.134.177.24 belongs to AR12HM/Laxmi Plaza Sundervan Andheri.
October 24th. 2007
New domain received in spam: investmentcron.cn, on the 'criminal's host', AbdAllah Internet.
New domain notified: crinc.jp
October 27th. 2007
A lot of the crook's previous host IPs are not resolving and his nameserver domains gosperti.com and fordns.be have both been suspended, although the AbdAllah Internet IP 88.255.90.226 still seems to be active, so I wouldn't be surprised to see them used again in the future.
The crook is up on a new zombie botnet for a change, with cronoscom.cn and cronos07.cn using 'in house' nameserver domain regnewuser.com hosted on IP 194.169.192.141 (Funke Internet Services Ltd):
The data shows a standard zombie botnet where the nameserver ns1.regnewuser.com, hosted by Funke Internet Services Ltd on IP 194.169.192.141, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list, which are hosting the fraud site (as determined by TRACERT). The Cronos Investment criminals are using a conventional host in parallel with the above zombie botnet for domains iccronos.cn, cronos.li, crinc.cc and crinc.ac.
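The 'standard zombie botnet' pattern described in this entry (and repeated in the later entries for regnewuser.com, newstaruser.com, 41movie.com and thelastwall.com), as an added Python example with constructed data, not the site's own DNS tool or lookups: it scores two A record snapshots by the indicators the text relies on, a list of rotating addresses whose reverse names look like end-user allocations, plus record TTL and nameserver-domain age. The thresholds, the documentation-range sample addresses and the TTL/age inputs are assumptions of this example.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed sample lookups (not the site's own data). A snapshot is the A
# record list returned for a domain at one moment, each address paired with
# the reverse DNS name the resolver gave for it, which is how the page tells
# rotating zombies apart from a conventional host. Documentation ranges only.
Snapshot = List[Tuple[str, str]]

ZOMBIE_T0: Snapshot = [
    ("203.0.113.17", "203-0-113-17.dyn.cable-example.net"),
    ("198.51.100.88", "pool-198-51-100-88.dsl.isp-example.net"),
    ("192.0.2.201", "cpe-192-0-2-201.cable.tv-example.com"),
    ("203.0.113.94", "host94.dynamic.cable-example.net"),
    ("198.51.100.7", "ppp7.dialup-example.org"),
]
ZOMBIE_T1: Snapshot = [  # an hour later: all but one zombie has rotated out
    ("203.0.113.17", "203-0-113-17.dyn.cable-example.net"),
    ("192.0.2.45", "192-0-2-45.dhcp.broadband-example.net"),
    ("198.51.100.130", "adsl-198-51-100-130.isp-example.net"),
    ("192.0.2.77", "cpe-192-0-2-77.cable.tv-example.com"),
    ("203.0.113.250", "dyn250.cable-example.net"),
]
# Control: a conventionally hosted site, one stable address, proper name.
STATIC_T0: Snapshot = [("192.0.2.10", "www.static-example.com")]
STATIC_T1: Snapshot = [("192.0.2.10", "www.static-example.com")]

# ISP naming for end-user addresses, or an address embedded in the name.
DYNAMIC_RDNS = re.compile(
    r"(^|[.-])(dyn|dynamic|dsl|adsl|cable|pool|ppp|dhcp|dial|cpe)([.\-\d]|$)"
    r"|(\d{1,3}[.-]){3}\d{1,3}")


def looks_dynamic(rdns: Optional[str]) -> bool:
    """Reverse name typical of an end-user (likely zombie) address."""
    return bool(rdns) and DYNAMIC_RDNS.search(rdns.lower()) is not None


def churn(a: Snapshot, b: Snapshot) -> float:
    """Share of addresses that changed between two lookups (Jaccard distance)."""
    sa, sb = {ip for ip, _ in a}, {ip for ip, _ in b}
    union = sa | sb
    return (1.0 - len(sa & sb) / len(union)) if union else 0.0


def assess(snapshots: Sequence[Snapshot], ttl: int,
           ns_age_days: Optional[int] = None) -> Dict[str, object]:
    """Score the indicators of zombie (fast-flux) hosting. Thresholds are
    assumptions chosen for this example, not figures from the page."""
    records = [r for snap in snapshots for r in snap]
    ips = {ip for ip, _ in records}
    nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips}
    dyn_share = (sum(looks_dynamic(n) for _, n in records) / len(records)
                 if records else 0.0)
    churns = [churn(x, y) for x, y in zip(snapshots, snapshots[1:])]
    indicators = {
        "many_addresses": len(ips) >= 5,          # a list of hosts, not one server
        "spread_over_networks": len(nets) >= 3,   # zombies sit on unrelated ISPs
        "mostly_dynamic_rdns": dyn_share >= 0.5,  # the RDNS test the page applies
        "addresses_rotate": bool(churns) and max(churns) >= 0.5,
        "short_ttl": ttl <= 300,                  # needed to swap hosts quickly
        "young_nameserver_domain": ns_age_days is not None and ns_age_days <= 90,
    }
    score = sum(indicators.values())
    return {"indicators": indicators, "score": score,
            "zombie_botnet_likely": score >= 4,
            "distinct_ips": len(ips), "dynamic_share": round(dyn_share, 2)}


if __name__ == "__main__":
    print(assess([ZOMBIE_T0, ZOMBIE_T1], ttl=60, ns_age_days=55))
    print(assess([STATIC_T0, STATIC_T1], ttl=3600))
```

A traceroute to each listed address, the TRACERT step in the text, is what confirms the zombies really serve the site; the scoring above only says whether the record pattern warrants that check.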
I don't know why, but the criminal's nameservers dns1.gosperti.com and dns2.gosperti.com are still working, even though Estdomains have suspended the domain gosperti.com. I can only assume that they haven't deleted the domain DNS data. The host this time is KIBUTZ-NETZER-SIRENI.
Later - It looks as though the crook is up to something: the domains iccronos.cn, cronos.li, crinc.cc and crinc.ac are all generating the 'rockphish' bogus error "209 Host Locked". I think his DNS is dying. Prepare for another nameserver domain to be slotted in....
October 29th. 2007
The Funke Internet Services Ltd IP now appears to be dead and the cached data for the gosperti.com DNS appears to be disappearing. The IP 212.199.95.108 is still showing the bogus "209 host locked" error. There are indications that the crook is trying to set up a network on 200.114.0.185 using a new domain cront.ch but still using gosperti.com, which is never going to work for long:
October 30th. 2007
Reply from Funke Internet Services to the effect that the IP 194.169.192.141 has been disabled, but it still appears to be active this morning.
Later - definitely seems to have gone now, and the criminal seems to be setting up ns1.regnewuser.com on IP 82.146.52.103.
Later - The only resolving domain that the criminal has left to my knowledge is crons.ac, which is registered with the completely unresponsive 'criminal friendly' registrar NIC.AC and hosted by the equally unresponsive Turkish criminal host AbdAllah Internet Hizmetleri.
October 31st. 2007
New Cronos Investment domain received in spam: crin.ac, hosted on the AbdAllah Internet Hizmetleri network above. I'm sure the criminal will use the UK based Nic.ac registrar more and more due to their unresponsiveness to criminal abuse reports.
Later - spotted domain croni.ch back up on the following KIBUTZ-NETZER-SIRENI network (212.199.95.108):
The nameservers are registered with BIZCN.COM, INC. and hosted by ENTEL CHILE S.A. on IP 200.72.139.67.
Later - croni.ch has been suspended by Switch.ch, an ethical registrar. The only two known active Cronos Investment criminal domains are now crons.ac and crin.ac on the AbdAllah Internet Hizmetleri network. As the distinctly unethical registrar NIC.AC and host AbdAllah Internet Hizmetleri are both apparently happy to aid and abet criminal fraud, the crook should be pretty safe.
Later - There's a thing: NIC.AC haven't done anything, but the two nameservers hosted by AbdAllah Internet Hizmetleri are timing out, so domains crons.ac and crin.ac are not resolving.... I may have to modify my opinion of them... Mind, I don't feel the slightest bit guilty; they've hosted these fraudsters for far too long without a response, & it could just be a temporary power cut at their server centre.
November 2nd. 2007
New domain notified to me: cronof.li
The DNS data shows a standard zombie botnet where the nameserver ns1.regnewuser.com, hosted by ISPSYSTEM on IP 82.146.52.103, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list, which are hosting the fraud site (as determined by TRACERT).
The host AbdAllah Internet Hizmetleri wasn't down for long. The registrar NIC.AC has also still not taken action over the criminal's .ac registrations. They are both still aiding and abetting these criminal fraudsters despite numerous abuse reports.
The 'Blackhat' Service Provider list
Contact Details:
AbdAllah Internet Hizmetleri:
ipadmin@ahlen.biz
abuse@ahlen.biz
ipg@turktelekom.com.tr
Later: In contrast to the above two service providers we have three ethical ones:
1) Spiritdomains have suspended the criminal's nameserver domain regnewuser.com.
2) ISPServer (ISPSystem) have ceased the botnet hosting on IP 82.146.52.103.
3) Switch.ch have suspended cronof.li.
Thanks to you all....
November 3rd. 2007
New domain notified to me by site visitor: cronof.tw. The criminal is in the process of setting up a new network using his own nameserver domain newstaruser.com on IP 85.197.99.144, and here it is:
DNS Data for cronof.tw:
The data shows a standard zombie botnet where the nameserver ns1.newstaruser.com, hosted by MOESSINGER-4 (www.welcome2inter.net) on IP 85.197.99.144, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list, which are hosting the fraud site (as determined by TRACERT).
Later - New domain notified to me by a site visitor: cronf.ac. This one's on his KIBUTZ-NETZER-SIRENI IP 212.199.95.108.
DNS Data for cronf.ac, cronoscompany.cn and cronf.li:
Nameserver                        'A' Record Response
ns1.nsters.com [200.72.139.67]    212.199.95.108
ns3.nsters.com [202.74.32.13]     212.199.95.108
The nameserver domain nsters.com is 100% definitely also his own: it was only registered with Todaynic on September the 9th. and generates the usual 'rockphish' bogus "209 Host Locked" error on access. It was also used by another of this fraudster's money laundering scam sites, id-electronics.net, now defunct. The criminal's nameserver (ns1.nsters.com [200.72.139.67]) host is ENTEL CHILE S.A.
November 4th. 2007
New domain reported by site visitor: cronoscompany.cn, registered with Todaynic and hosted on the KIBUTZ-NETZER-SIRENI IP 212.199.95.108.
New domain received in spam: cronf.li, registered with Switch.ch and also on the above KIBUTZ-NETZER-SIRENI IP 212.199.95.108.
November 5th. 2007
New domain reported by site visitor: crin.cc, registered with Register.com and hosted on the blackhat AbdAllah Internet Hizmetleri network.
Spam received using domain cronf.ac, registered with the blackhat registrar Nic.ac and still resolving on the KIBUTZ-NETZER-SIRENI network.
The criminal's MOESSINGER-4 botnet hosting has been disconnected and the botnet nameserver is now shown hosted on 209.85.51.151, but that IP is also timing out at present. However, I suspect it is on the way up as a tracert shows the IP to be active. The criminals seem to have some uncaring & unethical hosts and registrars at the moment, in particular Nic.ac and AbdAllah Internet Hizmetleri.
November 6th. 2007
Switch.ch have suspended the domain cronf.li - thanks guys.
November 9th. 2007
New domain notified to me by site visitor: crico.li, hosted on a new zombie botnet. DNS details:
DNS Data for crons.ch, crico.li, crons.li
The data shows a standard zombie botnet where the nameserver ns1.41movie.com (Register.com), hosted by Exportal on IP 89.149.225.96, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list, which are hosting the fraud website (as determined by TRACERT).
Domain croni.li noticed in the wild on the KIBUTZ-NETZER-SIRENI IP 212.199.95.108.
Domain crons.ch noticed in the wild on the above zombie botnet.
Domain crons.li noticed in the wild on the above zombie botnet.
November 11th. 2007
Hosting details for croni.li and cronf.ac: still on the KIBUTZ-NETZER-SIRENI network (212.199.95.108).
The criminals' hosting of crons.ac and crin.ac on the AbdAllah Internet Hizmetleri network IP 88.255.90.226 is still intact despite many abuse reports, which pretty well confirms my suspicion of their complicity in the fraud. Nic.ac also ignore all abuse reports regarding their criminal and spamming .ac domains, which pretty well demonstrates their position as a willing abettor of these criminals and spammers.
November 13th. 2007
New domains notified to me by site visitors: cronos1.cn, crono.li,
croninvco.cn, crons.ca.
The data shows a standard zombie botnet where the nameserver
ns1.thelastwall.com (Spiritdomains/IA Registry), hosted by Exportal on IP
89.149.225.96, is acting as a zombie botnet controller 'herding' the
rotating zombies (as determined by RDNS) in the 'A' records list, which
are hosting the fraud website (as determined by TRACERT).
Other current networks:
The data shows a standard zombie botnet where the nameserver
ns1.thelastwall.com (Spiritdomains/IA Registry), hosted by MOESSINGER-4
on IP 85.197.99.141, is acting as a zombie botnet controller 'herding'
the rotating zombies (as determined by RDNS) in the 'A' records list,
which are hosting the fraud website (as determined by TRACERT).
November 17th. 2007
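The "standard zombie botnet" pattern described above (a nameserver that stays on one fixed IP while the 'A' records rotate through consumer hosts identified by RDNS) can be scored automatically from repeated lookups. The script below is an added example, not the page's own tooling or data: every DNS answer, TTL and PTR name in it is constructed sample data on private and documentation address ranges, and the list of "residential" PTR hints is an assumption, a rough indicator rather than an authoritative one. It goes slightly beyond the entries above by also contrasting a suspect domain with an ordinarily hosted one.

```python
"""Heuristic detector for the 'zombie botnet' (fast-flux) hosting pattern
described in the log: a stable nameserver 'herds' a rotating set of
compromised consumer hosts that serve the fraud site.

Added example (not the page's own tooling). Every DNS answer, TTL and
PTR name below is constructed sample data using private/documentation
address ranges, so the script runs offline.
"""
from ipaddress import ip_network
import re

# Substrings commonly found in PTR names of consumer broadband hosts
# (assumption: a rough, not authoritative, residential indicator).
RESIDENTIAL_HINTS = re.compile(
    r"(dsl|dyn|dynamic|cable|pool|ppp|dhcp|broadband|cpe|customer|res\d)",
    re.IGNORECASE,
)


def is_residential_ptr(ptr):
    """True if a reverse-DNS name looks like a consumer broadband host."""
    return bool(ptr) and RESIDENTIAL_HINTS.search(ptr) is not None


def score_fast_flux(domain_polls, ns_polls, ptr_table,
                    ttl_threshold=600, min_ips=5, min_nets=3):
    """Score repeated lookups of one domain for fast-flux behaviour.

    domain_polls: list of {'ttl': int, 'a': [ip, ...]} for the suspect
                  domain, one entry per poll.
    ns_polls:     same shape, for the domain's nameserver host.
    ptr_table:    {ip: ptr_name_or_None} from reverse lookups.
    Returns a dict of indicators plus an overall 'suspect' verdict.
    """
    ips = [ip for poll in domain_polls for ip in poll["a"]]
    distinct_ips = set(ips)
    nets = {str(ip_network(f"{ip}/24", strict=False)) for ip in distinct_ips}
    residential = [ip for ip in distinct_ips
                   if is_residential_ptr(ptr_table.get(ip))]
    # How often the A record set changed between consecutive polls.
    rotations = sum(1 for prev, cur in zip(domain_polls, domain_polls[1:])
                    if set(prev["a"]) != set(cur["a"]))
    low_ttl = all(poll["ttl"] <= ttl_threshold for poll in domain_polls)
    ns_ips = {ip for poll in ns_polls for ip in poll["a"]}

    indicators = {
        "distinct_ips": len(distinct_ips),
        "distinct_slash24": len(nets),
        "residential_fraction": (len(residential) / len(distinct_ips)
                                 if distinct_ips else 0.0),
        "rotations": rotations,
        "low_ttl": low_ttl,
        "nameserver_stable": len(ns_ips) == 1,
    }
    indicators["suspect"] = (
        indicators["distinct_ips"] >= min_ips
        and indicators["distinct_slash24"] >= min_nets
        and indicators["residential_fraction"] >= 0.5
        and rotations >= 1
        and low_ttl
        and indicators["nameserver_stable"]
    )
    return indicators


# --- constructed sample data -------------------------------------------
# Rotating 'A' answers for a suspect domain: seven hosts on six /24s,
# changing between polls, with short TTLs.
FLUX_POLLS = [
    {"ttl": 300, "a": ["10.11.12.5", "172.16.8.9", "192.168.77.3"]},
    {"ttl": 300, "a": ["10.99.3.40", "172.16.8.9", "10.11.12.5"]},
    {"ttl": 300, "a": ["172.31.200.1", "192.0.2.44", "10.99.3.40"]},
    {"ttl": 300, "a": ["192.168.77.3", "172.31.200.1", "10.11.12.88"]},
]
# The nameserver host answers with one unchanging IP (the 'controller').
NS_POLLS = [{"ttl": 86400, "a": ["203.0.113.7"]}] * 4
# Constructed reverse-DNS results for the hosts seen above.
PTR_TABLE = {
    "10.11.12.5": "dsl-10-11-12-5.example-telco.net",
    "10.11.12.88": "dsl-10-11-12-88.example-telco.net",
    "10.99.3.40": "cable-40.dyn.example-cable.com",
    "172.16.8.9": "pool-172-16-8-9.example-isp.net",
    "172.31.200.1": None,
    "192.0.2.44": "ppp44.example-dialup.org",
    "192.168.77.3": "host3.example-business.com",
    "203.0.113.7": "ns1.example-colo.net",
}
# Contrasting ordinary site: one stable IP on a hosting provider.
STATIC_POLLS = [{"ttl": 3600, "a": ["198.51.100.10"]}] * 4
STATIC_NS = [{"ttl": 86400, "a": ["198.51.100.2"]}] * 4
STATIC_PTR = {"198.51.100.10": "web1.example-hosting.net",
              "198.51.100.2": "ns1.example-hosting.net"}

if __name__ == "__main__":
    for name, polls, ns, ptrs in (("flux", FLUX_POLLS, NS_POLLS, PTR_TABLE),
                                  ("static", STATIC_POLLS, STATIC_NS, STATIC_PTR)):
        print(name, score_fast_flux(polls, ns, ptrs))
```

Against real data the polls would come from repeated `dig` queries spaced minutes apart and the PTR table from reverse lookups of every address seen; the thresholds are deliberately conservative so that a legitimately load-balanced site on one provider's network, which has few /24s and no residential PTRs, is not flagged.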
DNS Data for croninvco.cn, cronf.ac, cronos.js.cn & cic4you.cn

Nameserver                                         'A' Record Response
ns1.nsters.com [200.72.139.67] - ENTEL CHILE S.A.  60.209.122.34 - CNCGROUP Shandong province network
ns3.nsters.com [202.74.32.13] - CHOMANANWORLDNET   60.209.122.34 - CNCGROUP Shandong province network
He seems to be swapping between SK Networks co., Ltd and CNCGROUP
Shandong province network for his hosting on this network.
November 19th. 2007
New domain reported by site visitor - cronin.jp on the criminal AbdAllah
Internet Hizmetleri network.
November 21st. 2007
New domain received in spam - cronos.js.cn (Todaynic/Nownet), hosted on
the CNCGROUP Shandong province network. The criminals are still being
aided and abetted by AbdAllah Internet Hizmetleri and Nic.ac (aka nic.io,
nic.sh, nic.tm, UWhois.com, the Internet Computer Bureau and 'InOne.com',
a 'one-stop' networking business), not that I'd touch them with a very
long barge pole - they operate from a PO box number, the technical
support is via a premium rate line costing £1 per minute, the forums
have been suspended for abuse and they have no other telephone contact
number. Personally I'd stay well clear, not that I'd do business with
anyone that aids and abets criminal fraudsters by ignoring reports of
such abuse anyway.....
November 22nd. 2007
Unfortunately, unless the various law enforcement agencies act against
this criminal fraudster's accessories (in particular the UK police
against Nic.ac (aka nic.io, nic.sh, nic.tm, UWhois.com, the Internet
Computer Bureau and 'InOne', a 'one-stop' networking business), and the
Turkish authorities against AbdAllah Internet Hizmetleri aka Ahlen.biz),
the Cronos Investment fraudster is free to continue to perpetrate his
money laundering activity.
Domain crico.cc added to list (Todaynic/Nownet) - hosted on MOESSINGER-4
zombie botnet.
November 24th. 2007
It's looking like Turk Telecom may have at least partially pulled the
plug on the criminal service provider AbdAllah Internet Hizmetleri, at
least as far as part of their netrange is concerned, as pings and
tracerts to 88.255.90.226 seem to be being blocked in TT webspace and
the domains crons.ac, crins.ac, cronin.jp and crin.ac are not resolving,
although the DNS for all three looks intact. It's time this lot were put
out of business for good - see here and here.
November 26th. 2007
The criminal host AbdAllah Internet Hizmetleri/Ahlen.biz network is
still unreachable (domains crons.ac, crins.ac, cronin.jp and crin.ac),
which is good news. Well done to whoever has taken that action. The
Cronos criminal seems to have replaced his own site content on the
Shandong IP 60.209.122.34 (domains croninvco.cn, cronf.ac, cronos.js.cn
& cic4you.cn) with the commonly seen bogus R11.com site placing page for
some reason. The only domains that seem to be resolving AFAIK are the
domains cronos1.cn & crico.cc on the MOESSINGER-4 zombie botnet.
November 27th. 2007
The MOESSINGER-4 zombie botnet is now finally disconnected, but the
criminal has now moved his botnet to a RoadRunner IP (74.62.155.11) for
domains cronos1.cn & crico.cc:
Apparently UK ISPs have decided to take a stand against the RBN network
and are blocking their webspace. That includes the criminal network of
AbdAllah Internet Hizmetleri/Ahlen.biz, so nothing in that webspace
should be accessible from the UK, which explains why the Cronos
criminals' domains using that network are not resolving for me.
December 2nd. 2007
The cronos1.cn and crico.cc domains are still active on the above zombie
botnet hosted by Road Runner HoldCo LLC on IP 74.62.155.11, and the
domains crons.ac, crin.ac, crins.ac & cronin.jp are still active and
hosted on the AbdAllah Internet Hizmetleri/Ahlen.biz criminal owned
network. The criminal registrar Nic.ac hasn't taken any action against
the numerous criminal Cronos domains he has registered; in fact he's
registered many more for the replacement criminal scam - Waller Truck
Co. No doubt he's doing quite well out of supporting site theft,
criminal fraud and spamming. The AbdAllah Internet Hizmetleri/Ahlen.biz
netrange is still blocked to the UK.
December 4th. 2007
The above zombie botnet is still active despite a couple of abuse
reports to RoadRunner. Despite short and absolutely clear reports to
them on this zombie botnet criminal activity, all I ever get back from
RoadRunner is a request for email headers. Such dumb responses are
incredibly frustrating and demonstrate an unfortunate level of
cluelessness or disinterest, I'm not sure which.
Later:
In response to a filed report of the above Cronos criminal's botnet
nameserver hosting on IP 74.62.155.11 I received a request from the
RoadRunner abuse team for: "Date of Incident, Time of Incident, Time
Zone, Attacker IP, Your IP, Local Port", without which they cannot
possibly take action - unbelievable! Rather sad if it wasn't so
frustrating.... I notice that they have a stern warning about not
abusing them in their abuse report auto acknowledgement. Somehow I can
imagine they get a lot of that....
December 6th. 2007
The criminals' RoadRunner zombie botnet is still active on IP
74.62.155.11. Further abuse report including DNS data sent to RoadRunner
and copied to Level3, as their perceived upstream supplier, in the hope
that Level3 can understand the data and possibly help RoadRunner to
understand the situation where it appears that I cannot.
***Latest News***
December 11th. 2007
The DNS now seems to be looped at nameserver level on the above zombie
botnet and the criminal's two domains cronos1.cn & crico.cc are not
resolving on that network. As the Abdallah Internet IP range is blocked
here in the UK I do not know if the crooks are still active or not on
that network, but as things stand I know of no resolving domains. Nic.ac
has not suspended any of the criminal's .ac domains as they have no AUP
or pertinent abuse policy and do not care what their registered domains
are used for:
Confirmation of Nic.ac's position on abuse has been received from them
by a friend. To sum up, they have no enforced Acceptable Use Policy or
Abuse Policy of their own - to use their own words: "we do not get
involved at all". Their abuse policy is administered solely by WIPO,
i.e. intellectual property issues only, so it logically follows that
they are not concerned if their domains are used for child pornography,
spam or in this case phishing and criminal fraud purposes. Unless you
are a criminal, please consider if you should deal with this company or
any of its aliases.
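The December 11th entry notes that the DNS for the two remaining domains was "looped at nameserver level" and so stopped resolving. One common way that happens, taken here as an assumption about what the log observed, is a zone whose nameserver host lives inside a zone served by that same nameserver with no glue address published: a resolver needs the nameserver's address in order to ask for the nameserver's address. The script below is an added example, not the page's own tooling; it walks a constructed, offline delegation map (all zone names and addresses are made up, on documentation ranges) and reports whether a domain has any reachable nameserver or is stuck in such a cycle.

```python
"""Check a DNS delegation chain for a nameserver loop.

Added example (not the page's own tooling). The delegation data is
constructed: zone -> (nameserver hostnames, glue records), using
documentation addresses only, so the check runs offline.
"""

DELEGATIONS = {
    # Healthy: the NS host sits in another zone that publishes glue.
    "good.example": (["ns1.hoster.example"], {}),
    "hoster.example": (["ns1.hoster.example"],
                       {"ns1.hoster.example": "203.0.113.10"}),
    # Broken: the zone's only nameserver is inside a zone served by that
    # same nameserver, and no glue address is published anywhere.
    "looped.example": (["ns1.looped-ns.example"], {}),
    "looped-ns.example": (["ns1.looped-ns.example"], {}),
}


def parent_zone(name, delegations):
    """Return the longest delegated zone that contains `name`, or None."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in delegations:
            return candidate
    return None


def resolve_ns_address(host, delegations, _visiting=None):
    """Find an address for nameserver `host`.

    Returns (ip, None) on success, or (None, reason) when the chain
    loops back on itself or dead-ends without glue.
    """
    visiting = set() if _visiting is None else _visiting
    if host in visiting:
        return None, f"loop: {host} is needed to resolve itself"
    visiting = visiting | {host}
    zone = parent_zone(host, delegations)
    if zone is None:
        return None, f"no delegation known for {host}"
    ns_hosts, glue = delegations[zone]
    # Glue gives us the address directly.
    for ns in ns_hosts:
        if ns in glue:
            return glue[ns], None
    # No glue: one of the zone's nameservers must be resolved first.
    last = f"no nameservers listed for {zone}"
    for ns in ns_hosts:
        ip, reason = resolve_ns_address(ns, delegations, visiting)
        if ip:
            return ip, None
        last = reason
    return None, last


def check_domain(domain, delegations=DELEGATIONS):
    """Report whether `domain` has at least one reachable nameserver."""
    zone = parent_zone(domain, delegations)
    if zone is None:
        return {"domain": domain, "resolvable": False,
                "reason": f"no delegation known for {domain}"}
    ns_hosts, glue = delegations[zone]
    reason = f"no nameservers listed for {zone}"
    for ns in ns_hosts:
        ip, reason = (glue[ns], None) if ns in glue \
            else resolve_ns_address(ns, delegations)
        if ip:
            return {"domain": domain, "resolvable": True,
                    "nameserver": ns, "address": ip}
    return {"domain": domain, "resolvable": False, "reason": reason}


if __name__ == "__main__":
    for name in ("www.good.example", "looped.example"):
        print(check_domain(name))
```

On a live domain the same walk is what `dig +trace` performs; the value of doing it yourself is that a loop surfaces as an explicit reason (which host is needed to resolve itself) rather than as a silent timeout, which is useful when reporting a domain's state to a registrar or host.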