Draper Investment Company is yet another spamvertised money transfer fraudster from exactly the same criminals that brought you Sydney Car Centre, Harvey Investment, Adamant Global, STK Consult and all the others listed on the General Information page, plus the 'rockphish' phishing scammers. The Draper Investment spam headers (example below) show that the spam is distributed by a zombie botnet (i.e. from infected end user machines on ADSL/Broadband/Cable accounts) and contain forged delivery details (i.e. all different 'From' & 'Return-Path' addresses).

The stolen Draper Investment fraud website is, as usual, generally hosted by a zombie botnet controlled using the criminal's own registered nameserver domain. This has to be his own fraud domain, as it is not possible, AFAIK, to host a zombie botnet using a legitimate nameserver.

The Draper Investment fraudsters have once again stolen the website and the good name of the genuine Draper Investment Company, who have nothing whatsoever to do with this fraud. Their genuine website is here and the criminal's bogus Draper Investment website is here. The differences are covered in the evidential data below.
Draper Investment: Evidence of Criminal Fraud
i) The Draper Investment criminal fraudsters have stolen the website of the genuine Draper Investment Company as detailed above, and the genuine company have a warning about these fraudsters on their home page & several others.

ii) The genuine Draper Investment's location is in San Francisco; the criminals have a bogus address in France on their stolen website. The given address, 63 Quai De la Seine, Paris, 75019 France, is in fact the address of La Péniche Cinéma.
iii) The genuine Draper Investment Company does not have any jobs advertised; the criminal's site has a 'Career' menu option which is advertising the usual 'Regional associate' money laundering mule 'job' as follows:

Regional associate
Description: In this position regional associates are responsible for supervising the money transfers and payments from regional clients. They are hired part-time and are free to plan their schedule themselves. The key responsibilities are fastening the procedure of the payment delivery and maximizing the profit of the company. No direct communication or meetings with the clients are required. Regional associates take net 10% commission out of each deal (transfer) they have completed. All the related charges they might have are covered by Draper Investment. Position includes traveling, that normally does not take more than 1-1,5 hours every second/third working day. The successful candidate will be a responsible for accurate record keeping and accurate scheduling individual.

The responsibilities of the individual in this position include:
Monitor the alerts about the new transfers made into the bank account.
Communicate with the head office regularly.
Make calculations and take record regarding each payment.
Travel around to the bank and to the Western Union.
Transfer the payments to the regional branches of Draper Investment via Western Union.
iv) The fraudulent site's 'Our Team' page is well worth a visit for some amusement at these fraudsters' expense. "Pierre A. Rosholt" appears to have had a sex-change, as has "Jeannette Arnauld". In fact all of the bogus CVs have been copied from other sites such as Nationwide Insurance, where the CV for "Jeannette Arnauld" is a mangled version of the CV for Patricia R. Hatler.

v) Draper Investment is a long-established company, but the fraudulent Draper Investment criminal's initial domain, drapco.cc, was only registered with Todaynic on October the 1st. 2007, and all of his other domains are just as recent or more so.

vi) The criminal's website is hosted by the usual zombie botnet (botnet details below), and the spam is also botnet propagated (spam details below).

vii) The Draper Investment spam contains details and the usual Bayesian filter avoidance code that irrefutably link it to the Harvey Investment, Adamant Global, Sydney Car Centre and all this criminal's many other aliases, along with the 'rockphish' phishing criminals.
The above evidence clearly demonstrates beyond any doubt that this stolen Draper Investment Company website has been set up by money laundering criminals purely for the purpose of spamvertising an illegal money laundering 'mule' job, and is undoubtedly related to Harvey Investment, Adamant Global, Sydney Car Centre and the rest of the money laundering criminal fraudsters' aliases documented here. If you are an abuse team that has received an abuse report regarding these fraudsters, please consider immediate termination of their services in view of the absolutely undeniable evidence of site theft, copyright offences, criminal money laundering activity and spamming. Please don't delay: these criminals will not respond to any communication from you (all their whois data is false), but will simply take advantage of any attempt at communication as a delaying tactic to allow them time to carry on their criminal activity and prepare their next network.

Do not be misled: these are professional criminals with a long history of fraud, as detailed on the General Information page, and are the same criminals as the 'rockphish' phishing fraudsters, so if a host or registrar shelters these crooks then they are also sheltering the 'rockphish' phishers and aiding and abetting their criminal 'phishing' fraud activities.
Draper Investment Fraudsters - current hosting details [Updated 10/10/2007]

Current Hosts: AbdAllah Internet (88.255.90.228) since 12th. Oct. 2007

Current Main Domains and Registrars: draperico.cn - Todaynic/Nownet
See table below for the full list of known active & suspended main domains for this criminal.

Current Botnet Nameserver Domains and Registrars: Not botnet hosted at present
See table below for the full list of known active & suspended nameserver domains for this criminal.
The Spam Headers
Return-Path: <juanita3542@free.fr>
Received: from mwinf3004.me.freeserve.com (mwinf3004.me.freeserve.com)
  by mwinb3406 (SMTP Server) with LMTP;
  Thu, 04 Oct 2007 20:00:34 +0200
X-Sieve: Server Sieve 2.2
Envelope-to: xxxxx@xxxxxx.freeserve.co.uk
Received: from me-wanadoo.net (localhost [127.0.0.1])
  by mwinf3004.me.freeserve.com (SMTP Server) with ESMTP id xxxxxxxxxxxxxx
  for <xxxxx@xxxxxx.freeserve.co.uk>;
  Thu, 4 Oct 2007 20:00:34 +0200 (CEST)
Received: from clm90.neoplus.adsl.tpnet.pl (clm90.neoplus.adsl.tpnet.pl [83.31.114.90])
  by mwinf3004.me.freeserve.com (SMTP Server) with SMTP id xxxxxxxxxxxx
  for <xxxxx@xxxxxx.freeserve.co.uk>;
  Thu, 4 Oct 2007 20:00:32 +0200 (CEST)
X-ME-UUID: xxxxxxxxxxxxxxxxxxxxxxxxxx@mwinf3004.me.freeserve.com
Received: from sesmail.com (capricorn.sesmail.com [66.208.202.65])
  by maido3.com with SMTP id T62LBF77S4
  for <xxxxx@xxxxxx.freeserve.co.uk>;
  Thu, 04 Oct 2007 13:00:31 -0600
Importance: Normal
From: "Draper Investment Company LLC" <Juanita3542@free.fr>
To: "Bwovau" <xxxxx@xxxxxx.freeserve.co.uk>
Subject: Wanna earn five-figures a year? Work with us
Importance: Normal
User-Agent: SmartMailer Version 1.56 -German Privat License-
X-Mailer: SmartMailer Version 1.56 -German Privat License-
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary="--UKCY97TYUI8NL04PKLOLMF"
Message-Id: <xxxxxxxxxxxxxxxxxxxxxxxxxxxxx@mwinf3004.me.freeserve.com>
Date: Thu, 4 Oct 2007 20:00:32 +0200 (CEST)
X-me-spamlevel: med
X-me-spamrating: 60.951027
X-Antivirus: AVG for E-mail 7.5.488 [269.14.0/1049]

Recipient & message id munged.
The first thing to notice is the spam source IP. Reading from the bottom upwards (following the routing, as is the norm when parsing headers), the first of the two Received lines, the one claiming "from sesmail.com ... by maido3.com", can be rejected as unsafe and almost certainly forged: it was written by a server outside the recipient's provider, so nothing in it can be relied on. The actual trusted source IP that cannot be forged is the one received by the recipient's email provider (Freeserve), and that is in this line:

Received: from clm90.neoplus.adsl.tpnet.pl (clm90.neoplus.adsl.tpnet.pl [83.31.114.90])
  by mwinf3004.me.freeserve.com (SMTP Server) with SMTP id xxxxxxxxxxxx
  for <xxxxx@xxxxxx.freeserve.co.uk>;
  Thu, 4 Oct 2007 20:00:32 +0200 (CEST)
In this Received line the source IP address is 83.31.114.90, the reverse DNS (rDNS) for which correctly indicates clm90.neoplus.adsl.tpnet.pl, which confirms that the source address is genuine.

In the above rDNS sender identity note the letters adsl. These stand for Asymmetric Digital Subscriber Line and tell you for sure that the spam has come from an end user's computer on an ADSL network in Warsaw, Poland (from the whois data for the IP address).

"Well", you say, "there's your criminal". Unfortunately not: he or she may be guilty of criminal stupidity by not having a firewall or by clicking on the latest nude pictures of Britney Spears, but probably not of criminal fraud. He/she is just one of tens of thousands of 'zombies', computers that have been infected with a zombie virus or worm. What it does tell you is that the Draper Investment spammer uses a zombie botnet to distribute his spam in exactly the same way as Sydney Car Centre, Harvey Investment, Adamant Global and all the rest of these criminals.

Lastly, juanita3542@free.fr is not "Draper Investment"; this is just another forged email address which may or may not actually exist.
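The bottom-up reading above can be done mechanically: the only Received: line worth trusting is the lowest one written by the recipient's own provider, and the IP recorded in it is the client that actually connected. The following Python script is an added example, not code from the original page, that applies that rule to the spam headers shown above (with the page's munged fields kept as they are); the provider suffix ".freeserve.com" and the list of rDNS labels treated as residential broadband markers are assumptions made for this example.

```python
"""Trace the true origin of a spam message from its Received: chain.

Added example; not code from the original page.  Only the hop recorded by
the recipient's own mail provider can be trusted, because every Received:
line below it was written by (or could have been inserted by) the sender.
The headers below are the sample from the page with its munged fields left
as the page shows them; the trusted provider suffix and the residential
rDNS tokens are assumptions for this example.
"""
import re
from email import message_from_string

# The spam headers shown on the page (recipient and message id munged there).
SPAM_HEADERS = """\
Return-Path: <juanita3542@free.fr>
Received: from mwinf3004.me.freeserve.com (mwinf3004.me.freeserve.com)
 by mwinb3406 (SMTP Server) with LMTP;
 Thu, 04 Oct 2007 20:00:34 +0200
Envelope-to: xxxxx@xxxxxx.freeserve.co.uk
Received: from me-wanadoo.net (localhost [127.0.0.1])
 by mwinf3004.me.freeserve.com (SMTP Server) with ESMTP id xxxxxxxxxxxxxx
 for <xxxxx@xxxxxx.freeserve.co.uk>;
 Thu, 4 Oct 2007 20:00:34 +0200 (CEST)
Received: from clm90.neoplus.adsl.tpnet.pl (clm90.neoplus.adsl.tpnet.pl
 [83.31.114.90])
 by mwinf3004.me.freeserve.com (SMTP Server) with SMTP id xxxxxxxxxxxx
 for <xxxxx@xxxxxx.freeserve.co.uk>;
 Thu, 4 Oct 2007 20:00:32 +0200 (CEST)
Received: from sesmail.com (capricorn.sesmail.com [66.208.202.65])
 by maido3.com with SMTP id T62LBF77S4
 for <xxxxx@xxxxxx.freeserve.co.uk>;
 Thu, 04 Oct 2007 13:00:31 -0600
From: "Draper Investment Company LLC" <Juanita3542@free.fr>
Subject: Wanna earn five-figures a year? Work with us
"""

# Assumption: the recipient's provider writes its hops as "by *.freeserve.com".
TRUSTED_BY_SUFFIX = ".freeserve.com"

# Assumption: rDNS labels that usually mark consumer broadband lines.
RESIDENTIAL_TOKENS = ("adsl", "dsl", "cable", "dyn", "dhcp", "pool", "ppp")

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOP_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s*(?:\((?P<info>[^)]*)\))?.*?\bby\s+(?P<by>\S+)",
    re.S,
)


def parse_received(raw_headers):
    """Return the Received: hops in header order (newest first)."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())          # unfold continuation lines
        m = HOP_RE.match(text)
        if not m:
            continue                            # not in "from X by Y" form
        info = m.group("info") or ""
        ip = IP_RE.search(info)
        hops.append({
            "helo": m.group("helo"),            # name the client claimed
            "rdns": info.split("[")[0].strip() or None,  # name the server looked up
            "ip": ip.group(1) if ip else None,  # address the server actually saw
            "by": m.group("by"),                # server that wrote this hop
        })
    return hops


def find_origin(raw_headers, trusted_by_suffix=TRUSTED_BY_SUFFIX):
    """Pick the lowest hop written by the trusted provider: that is the
    connecting IP the provider saw; every hop below it is untrusted."""
    hops = parse_received(raw_headers)
    boundary = None
    for i, hop in enumerate(hops):
        if hop["by"].lower().endswith(trusted_by_suffix):
            boundary = i
    if boundary is None:
        return None
    origin = dict(hops[boundary])
    origin["untrusted_below"] = len(hops) - boundary - 1
    origin["rdns_matches_helo"] = origin["rdns"] == origin["helo"]
    return origin


def looks_residential(rdns):
    """True when a reverse-DNS name carries a typical broadband/dial-up label."""
    if not rdns:
        return False
    labels = rdns.lower().split(".")
    return any(tok in label for label in labels for tok in RESIDENTIAL_TOKENS)


if __name__ == "__main__":
    o = find_origin(SPAM_HEADERS)
    print(f"source IP {o['ip']} rDNS {o['rdns']} (helo matches: {o['rdns_matches_helo']})")
    print(f"{o['untrusted_below']} Received line(s) below the provider's hop are untrusted")
    print("residential line:", looks_residential(o["rdns"]))
```

The script reports 83.31.114.90 with rDNS clm90.neoplus.adsl.tpnet.pl as the origin, one untrusted Received line beneath it (the sesmail.com/maido3.com hop) and flags the rDNS as a residential line because of the "adsl" label; the later hop on localhost is the provider's own internal relay and is skipped because the lowest provider-written hop is what counts.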
Incidentally, never 'bounce' spam back to the 'sender', as it only bounces back to a forged address which, if real, will belong to an innocent third party who will understandably be a little peeved with you, and if you do it a lot you could get your ISP's SMTP IP range blacklisted; they will be even more upset with you & could justifiably close your account.

The Spam Content
The Draper Investment spam headers contain many different forged/bogus 'From' & 'Return-Path' addresses & various forged 'Received' lines. The subject lines vary & all indicate that there is a job opportunity to be had. There is: an illegal job as a money laundering 'mule' or transfer fraud victim, i.e. accepting stolen or counterfeit proceeds into your account and forwarding them on via Western Union or Moneygram for a percentage cut. Needless to say, it is these mules that will probably feel the full weight of the law while the remote money launderers are safe. The bogus or stolen funds in the mule's account may well also be recovered, leaving them with large losses.

This is the content of an actual Draper Investment scam spam:

Dear Sir/Madam,
Draper Investment Company is a venture capital firm that specializes in investments in seed and early-stage global information technology, telecommunications and software companies. We seek international entrepreneurs with the energy, vision, experience and desire to build great companies.

Due to our growth, we're constantly on the lookout for qualified professionals to place in contract, contract-to-hire, and permanent placement positions across a number of different industries. We know it's more than just your day-to-day responsibilities that can make or break a job. It's the support you get. That's the reason Draper Investment offers a variety of benefits including medical, dental, optical, 401k, and many more. Don't put your career in the hands of just anyone, put it in the hands of a specialist. Join the Draper team!

Today we are glad to offer you an opportunity to become our regional associate. In this position you will be responsible for supervising the money transfers and payments from regional clients. You will be hired part-time and will be free to plan your schedule yourself. The key responsibilities are fastening the procedure of the payment delivery and maximizing the profit of the company. No direct communication or meetings with the clients are required. Regional associates take net 8% commission out of each deal (transfer) they have completed. All the related charges they might have are covered by Draper Investment. Position includes traveling, that normally does not take from the employee more than 1-1,5 hours every second/third working day. The successful candidate will be a responsible for accurate record keeping and accurate scheduling individual, with the availability of a bank account to be used for the company transfers, willing to bring value to the employer.

If you are interested in a position, please look for a more detailed information on our web-site:
Note the usual Bayesian filter avoidance 'code', commonly used by these criminals and the 'rockphish' scammers alike.

I note that the usual phrase "fastening the process" used by these criminals has now become "fastening the procedure".
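The forged headers change with every message while the body text stays constant, which is the principle behind blocking these spams on body content (the Outlook Express rule described under 'Blocking the Spam' further down this page). The following Python script is an added example, not code from the original page: it shows that a rule keyed on the From: address misses a second copy of the same spam sent under a different forged address, while a rule on the decoded message body catches both and leaves an ordinary mail alone. The messages are constructed as multipart/alternative mails (the structure the page's sample headers show); the second sender address, the ordinary message and the helper names are assumptions for this example.

```python
"""Why a body-text rule catches what a sender-address rule misses.

Added example; not code from the original page.  Two constructed spam
messages carry different forged From: addresses but the same body, built
as multipart/alternative the way the page's sample is; a third constructed
message is an ordinary mail.  The body rule searches the decoded text parts
rather than the raw bytes, so the match works whether the reader displays
the plain or the HTML alternative.  All sender addresses except
juanita3542@free.fr are constructed for this example.
"""
import re
from email import message_from_string

BOUNDARY = "--UKCY97TYUI8NL04PKLOLMF"   # boundary string from the page's headers

# Sentences of the mule 'job' text quoted on the page.
MULE_TEXT = ("Today we are glad to offer you an opportunity to become our regional "
             "associate. Regional associates take net 8% commission out of each "
             "deal (transfer) they have completed. All the related charges they "
             "might have are covered by Draper Investment.")


def build_message(from_header, subject, text):
    """Constructed multipart/alternative mail with plain and HTML copies of text."""
    return (
        f"From: {from_header}\n"
        f"Subject: {subject}\n"
        "MIME-Version: 1.0\n"
        f'Content-Type: multipart/alternative; boundary="{BOUNDARY}"\n'
        "\n"
        f"--{BOUNDARY}\n"
        'Content-Type: text/plain; charset="us-ascii"\n'
        "\n"
        f"{text}\n"
        f"--{BOUNDARY}\n"
        'Content-Type: text/html; charset="us-ascii"\n'
        "\n"
        f"<html><body><p>{text}</p></body></html>\n"
        f"--{BOUNDARY}--\n"
    )


# Constructed samples: same spam body under two forged senders, plus a normal mail.
SPAM_A = build_message('"Draper Investment Company LLC" <juanita3542@free.fr>',
                       "Wanna earn five-figures a year? Work with us", MULE_TEXT)
SPAM_B = build_message('"Regional HR" <accounts@example.net>',
                       "Part-time position available", MULE_TEXT)
LEGIT = build_message('"A. Colleague" <colleague@example.net>',
                      "Tuesday meeting", "Minutes of the Tuesday meeting are attached.")


def extract_text(msg):
    """Decoded text of every text/* part, tags stripped, whitespace collapsed."""
    pieces = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        if part.get_content_subtype() == "html":
            text = re.sub(r"<[^>]+>", " ", text)   # crude tag strip is enough here
        pieces.append(text)
    return " ".join(" ".join(pieces).split())


def body_rule(raw_message, phrase="Draper Investment"):
    """Outlook Express style 'message body contains specific words' rule."""
    return phrase.lower() in extract_text(message_from_string(raw_message)).lower()


def from_rule(raw_message, address):
    """A rule keyed on the From: address, which the spammer forges each time."""
    header = message_from_string(raw_message).get("From") or ""
    return address.lower() in header.lower()


if __name__ == "__main__":
    for name, raw in (("spam A", SPAM_A), ("spam B", SPAM_B), ("ordinary mail", LEGIT)):
        print(f"{name:14} body rule: {body_rule(raw)!s:5} "
              f"from rule: {from_rule(raw, 'juanita3542@free.fr')}")
```

The body rule flags both spam copies and not the ordinary mail, whereas the From: rule only flags the copy whose forged address happens to be the one it was written for; that is the page's point that address-based rules can never keep up with forged headers.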
The Zombie Botnet

The zombie botnet method of operation of these Draper Investment criminals is exactly the same as for all the other frauds listed above; the only difference is in the domains, nameserver domains & host IP:

Looking up the 2 drapco.cc parent servers - DNS details: [DNS lookup table not preserved in this copy]

The above DNS data shows a nameserver ns1.lonely-day.com [82.146.52.112] acting as a zombie botnet controller, referencing five 'zombie' IPs in the 'A' Record Response (site host IPs) column on a rotating basis. The second nameserver is always a fake and never resolves; it is only needed to make up the requirement for a minimum of two nameservers as per the RFCs.

The nameserver ns1.lonely-day.com [82.146.52.112] is hosted on IP 82.146.52.112 by ISPSYSTEM.

Note that there are many main & nameserver domains registered & the host IP can change very frequently (unless they find a 'criminal friendly' service provider), so the details that you see may be different to the above. See the 'Latest News' below for the latest domains & host IP.

See the 'General Information' page for more detailed information on this absolutely standard zombie botnet setup.
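The distinguishing signature of this setup is that one nameserver answers with a different host address on each query while the 'fake' second nameserver never answers at all, whereas conventional hosting returns the same address from both nameservers every time. The following Python script is an added example, not code from the original page, that classifies a domain's nameservers from a series of such lookups (collected in practice with repeated dig or nslookup runs over a few minutes). The rotating series is constructed with RFC 5737 documentation addresses because the page does not list the five zombie IPs; the fixed series is the page's 12th October 2007 fordns.be data; the threshold of three distinct hosts is an assumption.

```python
"""Tell a rotating 'zombie' host pool from a fixed host, from repeated lookups.

Added example; not code from the original page.  Feed it the A-record
answer each listed nameserver gave for the fraud domain on successive
queries.  The rotating series below is constructed with RFC 5737
documentation addresses to mimic the behaviour the page describes; the
fixed series is the 12th Oct 2007 data from the page.  The pool threshold
is an assumption.
"""
from collections import Counter

# Constructed: five queries where the controlling nameserver hands out a
# different infected host each time and the decoy second nameserver never
# answers (None).  192.0.2.0/24 is reserved for documentation.
ROTATING = {
    "ns1.lonely-day.com": ["192.0.2.11", "192.0.2.27", "192.0.2.40",
                           "192.0.2.11", "192.0.2.63"],
    "ns2.lonely-day.com": [None, None, None, None, None],
}

# From the page (12th Oct 2007): both nameservers answer with one fixed host.
FIXED = {
    "ns1.fordns.be": ["88.255.90.228"] * 5,
    "ns2.fordns.be": ["88.255.90.228"] * 5,
}


def summarise(observations):
    """Per nameserver: how often it answered, how many distinct hosts it
    returned and how often the answer changed between consecutive queries."""
    report = {}
    for ns, answers in observations.items():
        answered = [a for a in answers if a]
        changes = sum(1 for a, b in zip(answered, answered[1:]) if a != b)
        report[ns] = {
            "queries": len(answers),
            "answered": len(answered),
            "distinct": len(set(answered)),
            "changes": changes,
        }
    return report


def host_pool(observations):
    """Every host address seen, with how many times it was served."""
    return Counter(a for answers in observations.values() for a in answers if a)


def classify(observations, pool_threshold=3):
    """Return (verdict, dead_nameservers).  verdict is 'rotating-pool' when
    some nameserver cycles through at least pool_threshold distinct hosts,
    'fixed-host' when every answering nameserver sticks to one address, and
    'unresolvable' when nothing answered at all."""
    report = summarise(observations)
    dead = sorted(ns for ns, r in report.items() if r["answered"] == 0)
    live = [r for r in report.values() if r["answered"]]
    if not live:
        return "unresolvable", dead
    rotating = any(r["distinct"] >= pool_threshold and r["changes"] > 0
                   for r in live)
    return ("rotating-pool" if rotating else "fixed-host"), dead


if __name__ == "__main__":
    for name, obs in (("drapco.cc (constructed)", ROTATING),
                      ("dracomy.eu (12 Oct 2007)", FIXED)):
        verdict, dead = classify(obs)
        print(f"{name}: {verdict}; never-answering nameservers: {dead or 'none'}")
        print("  hosts seen:", dict(host_pool(obs)))
```

The constructed series is reported as a rotating pool with ns2.lonely-day.com never answering, and the page's fordns.be data as a fixed host with no dead nameserver; an abuse report can then cite the list from host_pool as the zombie addresses seen rather than a single IP.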
These criminals are experienced liars, thieves and professional confidence tricksters. Do not be fooled; do not believe them. The evidence of criminal fraud is undeniable.

I'd like to thank the many honest & ethical hosts who have disconnected these fraudsters within an hour of receiving my abuse report (several in c. 20 minutes). However, the zombie botnet controlling nameservers seem to be occasionally hosted by Colocation/VPS service providers who do not respond to criminal fraud abuse reports. The honest & ethical SPs will respond with an immediate (preferably not 24 hours or 48 hours & certainly not never...) disconnection on receipt of a criminal abuse report, having considered the evidence below & investigated, but more and more frequently service providers stall or simply ignore abuse reports. This latter minority of uncaring & unethical hosts are aiding and abetting criminal fraud and the victims suffer because of it.
Knowingly supplying services to these fraudsters is a criminal offence in the UK under the Proceeds of Crime Act 2002, Section 328: "A person commits an offence if he enters into or becomes concerned in an arrangement which he knows or suspects facilitates (by whatever means) the acquisition, retention, use or control of criminal property by or on behalf of another person". The notification level for this offence is low.

Would all hosts and registrars with a UK presence (other countries will undoubtedly have similar provisions) please bear this in mind and please do not ignore any criminal fraud abuse reports you may receive; or if you do, please don't be surprised or offended if I file a crime complaint against you with local law enforcement agencies after a reasonable period of notice of abuse. The victims (who could be your mother, father, grandmother, grandfather, the helpless, the disabled or any loved one; these criminals are exactly the same as doorstep conmen) deserve better.

The unethical hosts (and registrars) should appreciate that taking the 'blind eye' approach involves them in the crime, creates a great deal of ill-will and bad publicity & hurts everybody, especially the victims of these fraudsters. They should also bear in mind that these crooks pay for their services using Paypal linked to stolen credit card details, so they are likely to get a charge-back which will also leave them out of pocket, unless, of course, they have a more intimate relationship with the criminals.
A CEO of a Credit Union tells me of clients who have lost thousands of pounds cashing counterfeit money orders for these criminals, & I myself have had letters from worried victims, so do not under any circumstances get involved with them, and also please think twice about doing business with the unethical service providers who continue to provide this criminal with the means to perpetrate his crime despite being notified of the criminal activity.

Blocking the Spam
I have had quite a few queries about how to block the criminal's spam in Outlook Express. Fortunately they are easily detected using the OE 'Mail Rules' (Tools - Message Rules - Mail).

Rules based on the From, To etc. addresses will never work as the header data is all forged. The message body remains constant, however, & that can be used to detect them.

Use the rule "Where the message body contains specific words" and use "Draper Investment" as the search item, then choose 'delete' (or whatever action you prefer) as the action, and that will definitely detect every single one of these spams.

If you find this site helpful then please feel free to link to it on your website by inserting the following HTML code (opens site in new window):

<a href="http://www.bobbear.co.uk" target="_blank">Money Laundering Fraud Websites</a>

Here are all the known domains that are/have been used for the Draper Investment fraud:
[Domain table: the domain-name column was not preserved in this copy; the status column read, in order: Active (Unhosted), Suspended, Suspended, Suspended, Active (DNS error), Suspended, Suspended, Active (Unhosted), Active (Unhosted), Active (Unhosted), Active (Unhosted), Suspended, Suspended, Parked, Suspended, Suspended, Active]
Please notify me of any errors or domains not listed here.
Notes for Registrars

i) The Draper Investment criminal uses his own nameserver domains to control his zombie botnets. By definition there can be no legitimate domains using his dedicated botnet nameserver, currently ns1.configkwf.com. This provides an ideal database search option for you to identify and delete all of this criminal's fraud domains without any risk of hurting an innocent domain.

ii) All of the criminal's domains have different false whois data.

iii) The criminal will not respond to your challenge, but will use the notice to ready a new network. Immediate suspension is requested please, if allowed for by your AUP, for these serious criminal offences of site theft, money laundering fraud and prolific spamming.

If you have been a victim of this or any other of these fraudsters & would like to tell your story on these pages as a warning & to help others, please contact me.

Fraud Blog
Draper Investment - Initial entry created 3rd. October 2007

October 3rd. 2007
The Draper Investment criminal's domain drapco.cc abuse reported to Todaynic, zombie botnet hosting IP 82.146.52.112 abuse reported to Ispsystem & nameserver domain lonely-day.com abuse reported to Register.com.
Later - Domain drapco.eu notified to me.

October 4th. 2007
Latest domains received in spam: drapcy.ch & drapcy.mn
Later - looks like the Draper Investment crooks have had their ISPSYSTEM hosting disconnected - thanks guys. I have to say I am very impressed by the ethical and fast response by ISPSYSTEM to valid abuse reports; they seem to take a 'zero tolerance' approach and instantly disconnect these criminals. If only every team was as efficient. New botnet details:
Looking up the 2 drapco.cc parent servers - DNS details: [DNS lookup table not preserved in this copy]
(Valid for all known fraud domains)
The new zombie botnet host is R & D Technologies, LLC of Las Vegas (DBA Versaweb.net) - abuse report & webform submission filed - response received.
Later: New domain received in spam - drapco.mn on the above R & D Technologies botnet.

October 5th. 2007
Thanks are due to Domain.mn (Datacom) for their suspension of domains drapcy.mn and drapco.mn, also RPI Inc. (REGISTER.COM) for their suspension of domain drapco.eu - thanks guys. On the downside the R & D Technologies, LLC of Las Vegas (DBA Versaweb.net) zombie botnet hosting is still active.
Later: The Draper Investment criminal has been kicked off R & D Technologies, LLC of Las Vegas (DBA Versaweb.net) - thanks guys, and has moved his zombie botnet to IP 66.212.28.188 which is a sub-range IP of Secured Private Networks owned by Pacific Rack.
DNS Data:
Looking up the 2 drapco.cc parent servers - DNS details: [DNS lookup table not preserved in this copy]
(Valid for all known active fraud domains)
Later - new domain drapco.jp reported.

October 6th. 2007
Auto response received from Secured Private Network/Pacific Rack to my abuse report re the zombie botnet on IP 66.212.28.188, but no action so far - all the Draper Investment criminal's active domains are still resolving this morning.
New domain received in spam - drapper.ac. Abuse reported to NIC.AC.
New domain received in spam - draperco.cn. Abuse reported to Todaynic/Nownet.

October 7th. 2007
New Draper Investment fraud domain received in spam - draperco.li - on the Pacific Rack/Secured Private Network hosted zombie botnet. All of the above listed active domains are still resolving on the above botnet.

October 8th. 2007
Domain draperic.ch reported to me - abuse reported.
Later - Pacific Rack appear to have disconnected the criminal's zombie botnet on ns1.lonely-day.com [66.212.28.188] - thanks guys for your ethical action. The next host won't be long in coming, no doubt - and here it is - ns1.lonely-day.com [66.90.77.5] hosted by FDC Servers Inc:
DNS Data:
Looking up the 2 drapco.cc parent servers - DNS details: [DNS lookup table not preserved in this copy]
(Valid for all known active fraud domains)
They are still using the register.com nameserver domain lonely-day.com which has been abuse reported, but Register.com do not have a good record of suspending these criminal registered domains, despite the clear evidence of false whois data, criminality & spamming. Zombie botnet on IP 66.90.77.5 abuse reported to FDC Servers Inc. and acknowledgement received.

October 9th. 2007
Despite having been abuse reported to the registrars and the host, and despite the clear evidence of site theft, criminality and spamming, all of the fraudster's current domains are still active and the criminal's zombie botnet hosting by FDC Servers Inc. of Chicago, IL is also still operational.
Later - The connection to FDC Servers on ns1.lonely-day.com [66.90.77.5] is now timing out (thanks guys), so presumably the Draper Investment criminal fraudster is now looking for a new home for his zombie botnet. Who will it be this time? Watch this space....
Later - Switch.ch have suspended domains draperco.li and draperic.ch - thanks guys.

October 10th. 2007
All of the criminal's remaining active domains are still off line as he hasn't bothered to move his botnet to a new host, which is quite unusual, but good news for his potential victims and the genuine Draper Investment company.
Later - Well, it didn't last long... He's back up on a new botnet on 74.62.155.33 (Road Runner) and a new main domain (dracomy.eu - registered with RPI Inc. [Register.com] on Oct. 10th. 2007) and a new nameserver domain (configkwf.com - registered with Register.com on Oct. 2nd. 2007):
Looking up the 2 dracomy.eu parent servers - DNS details: [DNS lookup table not preserved in this copy]

October 11th. 2007
Latest Draper Investment fraud domain received in this morning's spam - drap.mn. It is on the above Road Runner zombie botnet.
Later - Road Runner appear to have disconnected the criminal's zombie botnet - thanks guys.
Later - Another domain received in spam - drap.ch. It is also on the now dead Road Runner zombie botnet.

October 12th. 2007
The Draper Investment criminal is back up on another host and this time not a botnet for a change:
Looking up the 2 dracomy.eu parent servers - DNS details:

Nameserver                       'A' Record Response
ns1.fordns.be [88.255.90.226]    88.255.90.228
ns2.fordns.be [88.255.90.227]    88.255.90.228

His host this time around is AbdAllah Internet on IP 88.255.90.228

October 14th. 2007
Spam received using domains dracomy.eu, drapco.li and a new one, draperico.cn. None of the domains are resolving for me although the domains appear to be active and the DNS looks intact, so I assume that the host, AbdAllah Internet, has done something.

October 15th. 2007
After being off all weekend, the Draper Investment crooks are back up on the original host, AbdAllah Internet on IP 88.255.90.228. Domains dracomy.eu and draperico.cn appear to be the ones of choice at the moment. Drapco.li and drap.ch have been suspended by Switch.ch.

October 16th. 2007
Register.com have parked the domain dracomy.eu and the above network is returning a 'server failure' to a DNS lookup, so it looks as though the Draper Investment criminal is off-line at the moment. No apparent action by Todaynic/Nownet/CNNIC against the domain draperico.cn, though. Register.com have suspended the crook's nameserver domain lonely-day.com.

Obituary - 24th. October 16th. 2007
No further activity seen from this criminal fraudster in this guise. For some reason they just changed the name from Draper Investment to Cronos Investment and carried on with the same fraud site. No records broken. Things to note are the fact that Nic.ac ignored all abuse reports re .ac domains - drapper.ac is still alive today. AbdAllah Internet was seen for the first time and increasingly looks like a 'blackhat' host as it is now hosting a whole nest of these fraudsters' sites. Todaynic/Nownet/CNNIC have not responded to abuse reports.