Duty Free Shopping Fraud

Duty Free Shopping website screenshot (21-Jan-2009)
Duty Free Shopping stolen website screenshot (21-Jan-2009)
If you've either received an active website link in a Duty Free Shopping fraud spam, or know of an active domain and it is not listed in the domain tables below, then please let us know by reporting it using the 'Report Active Domain' option in the title bar above. Copies of spam are welcome.

This Duty Free Shopping criminal fraud website should not be confused with any other company with the same or similar name. The above screenshot and the following evidence define this criminal alone.

Duty Free Shopping is another fraud from the money laundering/reshipping fraud department of the well known 'Rockphish/Asprox' phishing criminals. It is the clear replacement zombie botnet hosted fraud for the old Duty Free International criminal fraud that was going around last year, and passive DNS data shows that this fraud site is hosted on the same zombies that are hosting other current Rockphish criminal frauds such as Bullet Motorsports Speedlab (BMS), Pacific Corporation and many others. The fact that it is zombie botnet hosted is absolute evidence of criminal fraud, as no legitimate site is botnet hosted. There is plenty of other evidence of fraud too: they are advertising exactly the same twin money laundering mule and reshipping donkey jobs, 'Payment handling manager' and 'Mail handling manager' respectively, as were advertised by the Duty Free International scammer.

Current Zombie Botnet Controller Hosts

Mountain Cablevision Ltd/Carat Networks Inc - ns1.holtservice.com [24.102.56.118]


The above table shows the current providers of zombie botnet hosting services to the criminals and how long they have been providing them for. The decent ethical majority of service providers (all credit to them - they are a pleasure to deal with) act within 1-24 hours of being informed of the criminal abuse of their system (the best in less than 1 hour), but there are unfortunately some that, for whatever reason, do not. Any hosting company that remains in the above list for more than 48 hours has unfortunately not responded to abuse reports and may possibly be a 'blackhat' or even a criminal controlled host.

If you are an abuse team that has taken action, please let me know so that I may remove the above record and update the data.

Duty Free Shopping : Evidence of Site Theft and Criminal Fraud

N.B. - Information correct at 21-Jan-2009 - Check tables and ***Latest News*** items for domain and hosting updates.

i) The Duty Free Shopping fraud website is hosted on a five-IP 'fastflux' zombie botnet as evidenced below - No legitimate company would use a zombie botnet to host their website - irrefutable evidence of criminality.

ii) Passive DNS data research on the zombies hosting the site shows that the same zombies are currently used to host the Bullet Motorsports Speedlab (BMS) website, the Pacific Corporation fraudsters, attack URLs and 'phishing' URLs.

iii) A Google search for "Duty Free Shopping" returns loads of hits as you'd expect with a generic term like that, but nothing for these criminals - they have absolutely no web presence.

iv) Their 'Legal Statement' is stolen word-for-word from this Zurich corporate website, in fact they haven't even bothered to delete the word 'Zurich' under the Intellectual property section - Clear evidence of site theft and fraud.

v) They currently have three different domains registered recently on the same date (29-09-2008), which makes a complete nonsense of the news item on the above screenshot dated 11.01.08.

vi) The money mule and reshipping fraud jobs from the website:

1. Payment handling manager


The applicant should meet the following requirements:
- PC user skills
- stable access to Internet
- ability to use and operate e-mail
- responsiveness
- personal banking account (in order to receive and handle payments transactions from our customers)
- 1-2 hours of free time during a day (from Monday to Friday to perform assignments)

Payment:
-10% value of the amount of handled payments
- salary is paid every 10 day since the first order is handled

2. Mail handling manager


The applicant should meet the following requirements:
- PC user skills
- stable access to Internet
- ability to use and operate e-mail
- responsiveness
- availability of actual address for receiving and sending of goods and products to our customers (but not P.O. box)
- 1-2 hours of free time during a day (from Monday to Friday to perform assignments)

Payment:
-8% value of handled mail cost
- salary is paid on a monthly basis


Those two illegal jobs are the clear twin functions of money laundering mule, (consisting of accepting stolen funds into your bank account and transferring a balance back to these criminals), and reshipping donkey, (consisting of accepting stolen goods to your home address and posting them on to these fraudsters). Don't be tempted to do it unless you don't mind losing a lot of money and being arrested.

vii) No legitimate company would employ private individuals working unsupervised and uncontrolled at home as illegal money transfer agents or goods re-shipping clerks.

viii) A search of the Ohio state business register shows there is no company by the name of Duty Free Shopping registered in the state of Ohio. Check for yourself.

ix) Fake contact details from the website:

Headquarters
4140 Executive Parkway, office 200
Westerville, OH 43081
Headquarters Toll Free
+(800) 263-0229

Company Pacific office
Aaron Goldstein
Customer Manager
225 Hollywood Road, Central, Hong Kong,
Sheung Wan, Hong Kong

+852 8193 0472 Hong Kong local phone
61 3 9005 6472 Australia local phone


• A Google search for "4140 Executive Parkway" returns no evidence whatsoever that these criminals are there.
• A Google search for "225 Hollywood Road, Hong Kong" returns no evidence whatsoever that these criminals are there.
• A Google search for "+(800) 263-0229" returns no results apart from fraud site listing(s).
• A Google search for "+852 8193 0472" returns no results apart from fraud site listing(s).

The above evidence clearly indicates that the above location details are fake.

The above irrefutable evidence clearly demonstrates beyond any doubt that the Duty Free Shopping website is a fake website that has been set up by criminals purely for the purpose of deception and fraud. If you are an abuse team that has received an abuse report regarding these fraudsters, please consider immediate termination of their services in view of the absolutely undeniable evidence of criminality - please don't delay - these criminals will not respond to any communication from you, (all their whois data is false), but will simply take advantage of any attempt at communication as a delaying tactic to allow them time to carry on their criminal activity and prepare their next network.

Do not be misled - these are professional criminals with a long history of fraud as detailed on the General Information page and are the same criminals as the 'Rockphish/Asprox' phishing fraudsters, so if a host or registrar shelters these crooks then they are also sheltering the 'Rockphish/Asprox' phishing fraudsters and aiding and abetting their criminal 'phishing' fraud activities.

Domain List

Domain | Status | Registrar
duty-free-shop.cn | Active | Bizcn.com/DomainsReg, Inc. (29-09-2008)
duty-free-shopping.cn | Active | Bizcn.com/DomainsReg, Inc. (29-09-2008)
dutyfree-shopping.cn | Active | Bizcn.com/DomainsReg, Inc. (29-09-2008)

Criminal Registered Nameserver Domains

Domain | Status | Registrar
maxifairs.com | Parked | REGISTER.COM, INC. 19-Aug-2008
moonsdark.com | Parked | REGISTER.COM, INC. 14-Sep-2008
rocktreens.com | Parked | REGISTER.COM, INC. 14-Jan-2009
holtservice.com | Suspended | Gandi SAS 27-Jan-2009

Please notify me of any inaccuracies or domains not listed here.


Notes for Registrars

i) The Duty Free Shopping criminal uses his own nameserver domains to control his zombie botnets or provide his DNS. By definition there can be no legitimate domains using his dedicated botnet nameservers, and his conventional nameserver domains are always very recently registered. This provides an ideal database search option for you to identify and delete all of this criminal's fraud domains without any risk of hurting an innocent domain. The criminal's current botnet nameserver(s) are: ns1.holtservice.com

ii) The criminal's domains have different false whois registration data.

iii) The criminal will not respond to your challenge but will use the notice to prepare a new network - immediate suspension is requested, please.

The Zombie Botnet DNS Data (Valid for domain duty-free-shop.cn, duty-free-shopping.cn, dutyfree-shopping.cn )

Looking up at the 2 duty-free-shop.cn. parent servers:

Zombie Botnet Nameserver | Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.maxifairs.com [208.77.101.199] | 201.160.52.18 206.10.12.109 69.154.241.108 92.233.26.189 99.145.85.76
ns2.maxifairs.com [216.21.21.197] | Timeout

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.maxifairs.com hosted by Infinitum Technologies Inc./RapidVPS on IP address 208.77.101.199 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT/NSLOOKUP). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.

***Latest News*** Initial entry 21st. January 2009
Thanks to Frank Bear for the 'heads-up' on this one.

***Latest News*** 23rd. January 2009
The criminal's nameserver domain maxifairs.com has been parked, thus parking all of the criminal's other domains pro-tem.

***Latest News*** 25th. January 2009
Information from Frank Bear: The crooks have a new nameserver domain moonsdark.com and the following botnet:
The Zombie Botnet DNS Data (Valid for domain duty-free-shop.cn, duty-free-shopping.cn, dutyfree-shopping.cn )
Looking up at the 2 duty-free-shop.cn. parent servers:

Zombie Botnet Nameserver | Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.moonsdark.com [208.77.101.199] | 24.147.152.81 67.191.9.146 71.194.79.158 76.11.157.39 91.123.159.112
ns2.moonsdark.com [192.21.213.15] | Timeout - Fake nameserver, (never resolves).

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.moonsdark.com hosted by Infinitum Technologies Inc./RapidVPS on IP address 208.77.101.199 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT/NSLOOKUP). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.

***Latest News*** 25th. January 2009
The Infinitum Technologies Inc./RapidVPS hosted botnet has been shut down and the criminals have a new botnet host in the form of Mountain Cablevision Ltd/Carat Networks Inc on IP address 24.102.56.118 as follows:
The Zombie Botnet DNS Data (Valid for domain duty-free-shop.cn, duty-free-shopping.cn, dutyfree-shopping.cn )
Looking up at the 2 duty-free-shop.cn. parent servers:

Zombie Botnet Nameserver | Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.moonsdark.com [24.102.56.118] | 193.39.73.14 67.191.9.146 72.253.177.150 76.226.52.208 88.177.171.15
ns2.moonsdark.com [192.21.213.15] | Timeout - Fake nameserver, (never resolves).

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.moonsdark.com hosted by Mountain Cablevision Ltd/Carat Networks Inc on IP address 24.102.56.118 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT/NSLOOKUP). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.

***Latest News*** 27th. January 2009
Info. from Frank Bear - the botnet nameserver domain moonsdark.com has been parked and the criminals have moved their botnet controller to ns1.rocktreens.com [24.102.56.118] still hosted by Mountain Cablevision Ltd/Carat Networks Inc. (N.B. - The alternate nameserver domain rocktreens.net is used by the BMS fraudsters).
The Zombie Botnet DNS Data (Valid for domain duty-free-shop.cn, duty-free-shopping.cn, dutyfree-shopping.cn )
Looking up at the 2 duty-free-shop.cn. parent servers:

Zombie Botnet Nameserver | Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.rocktreens.com [24.102.56.118] | 24.136.214.48 72.253.177.150 76.11.157.39 97.82.59.153 98.217.125.105
ns2.rocktreens.com [215.127.12.133] | Timeout - Fake nameserver, (never resolves).

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.rocktreens.com hosted by Mountain Cablevision Ltd/Carat Networks Inc on IP address 24.102.56.118 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT/NSLOOKUP). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.

***Latest News*** 2nd. February 2009
Information from Frank Bear - Register.com have suspended the nameserver domain rocktreens.com and the crooks have slotted in a new one - holtservice.com. New network data:
The Zombie Botnet DNS Data (Valid for domain duty-free-shop.cn, duty-free-shopping.cn, dutyfree-shopping.cn )
Looking up at the 2 duty-free-shop.cn. parent servers:

Zombie Botnet Nameserver | Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.holtservice.com [24.102.56.118] | 12.216.198.195 208.120.88.58 66.208.225.87 72.253.177.150 76.108.7.226
ns2.holtservice.com [215.115.38.124] | Timeout - Fake nameserver, (never resolves).

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.holtservice.com hosted by Mountain Cablevision Ltd/Carat Networks Inc on IP address 24.102.56.118 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT/NSLOOKUP). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.

***Latest News*** 21st. February 2009
News from Frank Bear - the nameserver domain holtservice.com has been suspended. All three main domains are still active registrations, but are not resolving due to the nameserver having been suspended - please notify me of any active domains for this criminal.
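
Added example (not part of the original page): the five DNS snapshots recorded above, analysed the way an abuse desk or registrar could do it. The script measures how widely each 'A' record set is spread and how much of it rotates between lookups, and links the successive nameserver domains through the controller IP they share. The fast-flux thresholds and function names are assumptions chosen for illustration.

```python
from ipaddress import ip_network

# Snapshots transcribed from the DNS tables on this page:
# (label, botnet nameserver, controller IP, 'A' records returned).
SNAPSHOTS = [
    ("21-Jan", "ns1.maxifairs.com", "208.77.101.199",
     "201.160.52.18 206.10.12.109 69.154.241.108 92.233.26.189 99.145.85.76"),
    ("25-Jan (1)", "ns1.moonsdark.com", "208.77.101.199",
     "24.147.152.81 67.191.9.146 71.194.79.158 76.11.157.39 91.123.159.112"),
    ("25-Jan (2)", "ns1.moonsdark.com", "24.102.56.118",
     "193.39.73.14 67.191.9.146 72.253.177.150 76.226.52.208 88.177.171.15"),
    ("27-Jan", "ns1.rocktreens.com", "24.102.56.118",
     "24.136.214.48 72.253.177.150 76.11.157.39 97.82.59.153 98.217.125.105"),
    ("02-Feb", "ns1.holtservice.com", "24.102.56.118",
     "12.216.198.195 208.120.88.58 66.208.225.87 72.253.177.150 76.108.7.226"),
]

def flux_report(snapshots):
    """Per snapshot: (label, A-record count, distinct /16 networks,
    Jaccard overlap with the previous snapshot's A set, or None for the first)."""
    rows, prev = [], None
    for label, _ns, _ctrl, a_records in snapshots:
        ips = set(a_records.split())
        nets = {ip_network(f"{ip}/16", strict=False) for ip in ips}
        overlap = None if prev is None else len(ips & prev) / len(ips | prev)
        rows.append((label, len(ips), len(nets), overlap))
        prev = ips
    return rows

def looks_fast_flux(row, min_nets=5, max_overlap=0.5):
    """Assumed thresholds (not from the page): A records spread over many
    unrelated networks, with most of the set replaced since the last look."""
    _label, _count, nets, overlap = row
    return nets >= min_nets and (overlap is None or overlap <= max_overlap)

def link_by_controller(snapshots):
    """Controller IP -> nameserver domains seen on it, in order of appearance."""
    links = {}
    for _label, ns, ctrl, _a in snapshots:
        domain = ns.split(".", 1)[1]
        if domain not in links.setdefault(ctrl, []):
            links[ctrl].append(domain)
    return links

if __name__ == "__main__":
    for row in flux_report(SNAPSHOTS):
        print(row, "fast-flux" if looks_fast_flux(row) else "stable")
    for ctrl, domains in link_by_controller(SNAPSHOTS).items():
        print(ctrl, "->", ", ".join(domains))
```

Every snapshot puts its five hosts in five different /16 networks and keeps at most one host from the previous lookup, while the nameserver domains change around only two controller IPs.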