Duty Free International Fraud

This fraudulent Duty Free International company should not be confused with any other company that may have a similar name. The web graphics and the fraudulent 'job' betray the fake site as documented here.


This Duty Free International fraud is another fairly standard spamvertised money laundering mule recruitment operation. It is a direct replacement for the Marvell Financial Group fraud (it has been seen in the wild on an MFG URL). There isn't much that sets it apart from the rest of the scams highlighted on this site. It is currently zombie botnet hosted, which pretty well confirms its criminal status even without any of the other damning evidence set out below. The website exists purely to convey a sense of legitimacy to the inevitable money mule job posted under the 'Careers' tab. These criminals are also spamvertising a stolen goods handling job, as is becoming more common.

These Duty Free International criminals operate(d) a veritable multitude of sites, e.g. Marvell Financial Group, Eden Financial Group, BestTradeSolutions, Royal Finances & Consulting Group and Progold Investments to name but three others. Text similarities also link them to Expressdeal.

Evidence of Criminal Fraud:

i) This bogus Duty Free International company has no internet presence other than wide recognition as spammers and scammers.

ii) According to their website footer they have been in business since 2003, but their domains dfi-refferals.com and dfi-refferals.net were only registered with KEY-SYSTEMS GMBH (IMENA.ua) on 19-Jan-2008.

iii) The 'jobs' (from the website):

Description of Duties

Careers and Vacancies

1. Payment handling manager


The applicant should meet the following requirements:
- PC user skills
- stable access to Internet
- ability to use and operate e-mail
- responsiveness
- personal banking account (in order to receive and handle payments transactions from our customers)
- 1-2 hours of free time during a day (from Monday to Friday to perform assignments)

Payment:
-10% value of the amount of handled payments
- salary is paid every 10 day since the first order is handled

2. Mail handling manager


The applicant should meet the following requirements:
- PC user skills
- stable access to Internet
- ability to use and operate e-mail
- responsiveness
- availability of actual address for receiving and sending of goods and products to our customers (but not P.O. box)
- 1-2 hours of free time during a day (from Monday to Friday to perform assignments)

Payment:
-8% value of handled mail cost
- salary is paid on a monthly basis

It is self-evidently the usual money mule function with the additional criminal role of fencing stolen goods.

iv) No legitimate company would employ private individuals working unsupervised and uncontrolled at home as illegal money transfer agents or goods re-shipping clerks.

v) The Duty Free International website is zombie botnet hosted using exactly the same network & servers as was used by the Marvell Financial Group fraudsters - see DNS data below.

vi) They use multiple domains for the same website.


vii) They've stolen their 'Legal Statement' straight from the Zurich Financial Services website.

ix) Their 'Privacy Statement' has been stolen from this HSBC page.

The above evidence clearly demonstrates beyond any doubt that the Duty Free International website has been set up by money laundering/re-shipping fraudsters purely for the purpose of spamvertising an illegal money laundering 'mule' job and a re-shipping fraud 'job'. If you are an abuse team that has received an abuse report regarding these fraudsters, please consider immediate termination of their services in view of the absolutely undeniable evidence of criminal activity and spamming - please don't delay - these criminals will not respond to any communication from you, (all their whois data is false), but will simply take advantage of any attempt at communication as a delaying tactic to allow them time to carry on their criminal activity and prepare their next network.

DNS Data (dfi-refferals.com, dfi-refferals.net, dfi-taskmanager2.com, duty-free-international.net, dfi-refferals.net)

How I am searching:

Searching for dfi-refferals.com A record at h.root-servers.net [128.63.2.53]: Got referral to l.gtld-servers.net. (zone: com.)
Searching for dfi-refferals.com A record at l.gtld-servers.net. [192.41.162.30]: Got referral to ns2.proimageweb.com. (zone: dfi-refferals.com.)
Searching for dfi-refferals.com A record at ns2.proimageweb.com. [208.21.54.77]: Timed out. Trying again.
Searching for dfi-refferals.com A record at ns1.proimageweb.com. [193.33.179.179]: Reports dfi-refferals.com. Response:
Domain Type Class TTL Answer
dfi-refferals.com. A IN 1800 79.114.93.108
dfi-refferals.com. A IN 1800 79.115.30.103
dfi-refferals.com. A IN 1800 86.123.130.62
dfi-refferals.com. A IN 1800 89.43.75.75
dfi-refferals.com. A IN 1800 195.189.209.131
dfi-refferals.com. NS IN 1800 ns2.proimageweb.com.
dfi-refferals.com. NS IN 1800 ns1.proimageweb.com.
ns1.proimageweb.com. A IN 1800 193.33.179.179
ns2.proimageweb.com. A IN 1800 208.21.54.77

Looking up at the 2 dfi-refferals.com & dfi-refferals.net parent servers:

Server Response
ns1.proimageweb.com [193.33.179.179]  195.189.209.131 79.114.93.108 79.115.30.103 86.123.130.62 89.43.75.75
ns2.proimageweb.com [208.21.54.77] Timeout

The data shows a standard zombie botnet in which the nameserver ns1.proimageweb.com, hosted by No Wires Ltd on IP 193.33.179.179, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list, which are hosting the fraud site (as determined by TRACERT). These are exactly the same DNS details (including nameservers) as used for the previous Marvell Financial fraud. The nameserver domain proimageweb.com was registered by the criminals with SPIRITDOMAINS/IAREGISTRY on 12-Nov-2007.

Known Website Domains

Domain                       Status      Registrar                           Registered
dfi-refferals.com            Unhosted    KEY-SYSTEMS GMBH (IMENA.ua)         19-Jan-2008
dfi-refferals.net            Unhosted    KEY-SYSTEMS GMBH (IMENA.ua)         19-Jan-2008
dfi-taskmanager2.com         Suspended   KEY-SYSTEMS GMBH (IMENA.ua)         19-Jan-2008
duty-free-international.net  Unhosted    KEY-SYSTEMS GMBH (IMENA.ua)         19-Jan-2008
dfi-refferals.net            Unhosted    KEY-SYSTEMS GMBH (IMENA.ua)         19-Jan-2008
refferals-dfi.com            Unhosted    KEY-SYSTEMS GMBH (IMENA.ua)         18-Feb-2008
dutyfreeinternational.net    Suspended   KEY-SYSTEMS GMBH (IMENA.ua)         20-Feb-2008
dfi-manager1.com             Unhosted    KEY-SYSTEMS GMBH (IMENA.ua)         20-Feb-2008
job-serv3.com                Suspended   KEY-SYSTEMS GMBH (IMENA.ua)         20-Mar-2008
dutyfreeinternational.org    Active      PublicDomainRegistry.Com            13-Mar-2008
job-server3.com              DNS Looped  INTERNET INVEST, INC. DBA IMENA.UA  28-Mar-2008
job-server52.com             Unhosted    INTERNET INVEST, INC. DBA IMENA.UA  06-Apr-2008
recruiting-info.com          Active      PublicDomainRegistry.Com            10-Apr-2008
duty-free-international.org  Active      PublicDomainRegistry.Com            28-Apr-2008

Nameserver Domains

proimageweb.com - IA Registry/Spiritdomains 12-Nov-2007 Suspended
mabbl.com - REGISTER.COM, INC. 11-Feb-2008 Suspended
tmcount.com - REGISTER.COM, INC. 13-Feb-2008 Suspended
novtp.com - IA Registry/Spiritdomains  27-Dec-2007 Suspended
polevm.com - REGISTER.COM, INC. 19-Feb-2008 Suspended
yessno.com - Spiritdomains/IARegistry 23-Feb-2008 Suspended
timerpo.com - REGISTER.COM, INC. 31-Mar-2008 Active


Spam: [as received]

Subject: Available positions at Duty Free International

Due to business expansion Duty Free International has opened vacancy Payment handling manager:

You are supposed to work at home having several hours of free time.
Competitive high salary.
Moreover, you dont need to make initial payments (not network marketing).

The applicant should meet the following requirements: 
- -PC user skills
- - stable access to Internet
- - ability to use and operate e-mail
- - responsiveness

Please, contact us employmentinfo@dfi-refferals.net to get more detailed information in case you are interested in our proposal.



Initial entry created 21st. January 2008
***Latest News 6th. February 2008***
New domains reported by site contact - dfi-taskmanager2.com, duty-free-international.net, dfi-refferals.net. All three are also hosted on the above zombie botnet.

***Latest News 20th. February 2008***

New domain received in spam - refferals-dfi.com - unfortunately it would seem that both KEY-SYSTEMS GMBH and their reseller IMENA.ua will not take action against the criminal fraudsters that they are providing a service for despite the clear evidence of criminal activity and spamming.

***Latest News 26th. February 2008***

The criminal has moved his zombie botnet, (several times as ethical registrars and hosts suspend and disconnect him on receipt of abuse reports...). Here's his latest hosting and domain data:

DNS Data: (refferals-dfi.com, dutyfreeinternational.net, dfi-manager1.com, dfi-taskmanager2.com, duty-free-international.net, job-serv3.com)
How I am searching:

Searching for refferals-dfi.com A record at g.root-servers.net [192.112.36.4]: Got referral to A.GTLD-SERVERS.NET. (zone: com.)
Searching for refferals-dfi.com A record at A.GTLD-SERVERS.NET. [192.5.6.30]: Got referral to ns2.yessno.com. (zone: refferals-dfi.com.)
Searching for refferals-dfi.com A record at ns2.yessno.com. [24.81.52.10]: Timed out. Trying again.
Searching for refferals-dfi.com A record at ns1.yessno.com. [78.110.164.36]: Reports refferals-dfi.com. Response:
Domain Type Class TTL Answer
refferals-dfi.com. A IN 1800 79.172.65.156
refferals-dfi.com. A IN 1800 84.108.239.70
refferals-dfi.com. A IN 1800 86.122.154.85
refferals-dfi.com. A IN 1800 78.106.224.38
refferals-dfi.com. A IN 1800 79.114.91.22
refferals-dfi.com. NS IN 1800 ns1.yessno.com.
refferals-dfi.com. NS IN 1800 ns2.yessno.com.
ns1.yessno.com. A IN 9774367.14.18.25

Looking up at the 2 refferals-dfi.com. parent servers:

Zombie Botnet Nameserver  Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.yessno.com [78.110.164.36]  78.106.224.38 79.114.91.22 79.172.65.156 84.108.239.70 86.122.154.85
ns2.yessno.com [24.81.52.10]  Timeout - Fake nameserver, (never resolves).

The data shows a standard 5-IP site hosting zombie botnet in which the nameserver ns1.yessno.com, hosted by VAServe LTD on IP 78.110.164.36, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list, which are hosting the fraud site (as determined by TRACERT). Their latest nameserver domain yessno.com was registered by the criminals with Spiritdomains/IARegistry on 23-Feb-2008.

***Latest News 4th. March 2008***
New domain notified by site contact - dutyfreeinternational.net on the above botnet.

***Latest News 10th. March 2008***
New domain notified by site contact - dfi-manager1.com on the above zombie botnet.

***Latest News 26th. March 2008***
New domain reported to me by site contact - job-serv3.com. Once again this domain is registered with the KEY-SYSTEMS GMBH reseller IMENA.ua who have stated that they will not take action against these criminal fraudsters. KEY-SYSTEMS GMBH also do not respond to abuse reports. The domain is hosted on the above zombie botnet so any further evidence of illegitimacy and illegality, (and there's plenty of it), is almost superfluous.

***Latest News 4th. April 2008***
New domain notified by site contact dutyfreeinternational.org - registered with PublicDomainRegistry.Com. The criminal has a new botnet:

DNS Data: (dutyfreeinternational.net, job-serv3.com, dutyfreeinternational.org)

How I am searching:

Searching for dutyfreeinternational.net A record at i.root-servers.net [192.36.148.17]: Got referral to E.GTLD-SERVERS.net. (zone: net.)
Searching for dutyfreeinternational.net A record at E.GTLD-SERVERS.net. [192.12.94.30]: Got referral to ns1.yessno.com. (zone: dutyfreeinternational.net.)
Searching for dutyfreeinternational.net A record at ns1.yessno.com. [66.197.245.92]: Reports dutyfreeinternational.net. Response:
Domain Type Class TTL Answer
dutyfreeinternational.net. A IN 1800 78.106.172.82
dutyfreeinternational.net. A IN 1800 85.217.201.213
dutyfreeinternational.net. A IN 1800 86.126.80.28
dutyfreeinternational.net. A IN 1800 89.32.140.225
dutyfreeinternational.net. A IN 1800 89.136.78.86
dutyfreeinternational.net. NS IN 1800 ns1.yessno.com.
dutyfreeinternational.net. NS IN 1800 ns2.yessno.com.
ns1.yessno.com. A IN 1800 66.197.245.92
ns2.yessno.com. A IN 1800 24.81.52.10

Looking up at the 2 dutyfreeinternational.net. parent servers:

Zombie Botnet Nameserver  Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.yessno.com [66.197.245.92]  78.106.172.82 85.217.201.213 86.126.80.28 89.136.78.86 89.32.140.225
ns2.yessno.com [24.81.52.10]  Timeout - Fake nameserver, (never resolves).

The data shows a standard 5-IP site hosting zombie botnet where the nameserver ns1.yessno.com [66.197.245.92] hosted by HostNoc (BurstNET Technologies, Inc.™) on IP 66.197.245.92 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). Their latest nameserver domain yessno.com was registered by the criminals with Spiritdomains/IARegistry on 23-Feb-2008.

***Latest News 8th. April 2008***
Domain job-serv3.com has been suspended by Imena.ua who now seem to be acting against these criminals which is good to see. The criminal has a new domain job-server3.com and has moved his botnet:

DNS Data: (job-server3.com, dutyfreeinternational.net, dutyfreeinternational.org).
How I am searching:

Searching for job-server3.com A record at h.root-servers.net [128.63.2.53]: Got referral to m.gtld-servers.net. (zone: com.)
Searching for job-server3.com A record at m.gtld-servers.net. [192.55.83.30]: Got referral to ns2.yessno.com. (zone: job-server3.com.)
Searching for job-server3.com A record at ns2.yessno.com. [24.81.52.10]: Timed out. Trying again.
Searching for job-server3.com A record at ns1.yessno.com. [66.197.245.85]: Reports job-server3.com. Response:
Domain Type Class TTL Answer
job-server3.com. A IN 1800 86.122.51.216
job-server3.com. A IN 1800 78.90.139.19
job-server3.com. A IN 1800 79.184.253.95
job-server3.com. A IN 1800 82.78.169.99
job-server3.com. A IN 1800 86.106.59.77
job-server3.com. NS IN 1800 ns1.yessno.com.
job-server3.com. NS IN 1800 ns2.yessno.com.
ns1.yessno.com. A IN 1800 66.197.245.85
ns2.yessno.com. A IN 1800 24.81.52.10

Looking up at the 2 job-server3.com. parent servers:

Zombie Botnet Nameserver  Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.yessno.com [66.197.245.85]  78.90.139.19 79.184.253.95 82.78.169.99 86.106.59.77 86.122.51.216
ns2.yessno.com [24.81.52.10]  Timeout - Fake nameserver, (never resolves).

The criminal's nameserver is still hosted by HostNoc (BurstNET Technologies, Inc.™), this time on IP 66.197.245.85.

***Latest News 14th. April 2008***
The above Burst.net botnet has been closed and the criminal is up on a new botnet host with yet another domain added to the list (job-server52.com):

DNS Data: (job-server3.com, dutyfreeinternational.net, dutyfreeinternational.org, job-server52.com).
How I am searching:

Searching for job-server52.com A record at j.root-servers.net [192.58.128.30]: Got referral to G.GTLD-SERVERS.NET. (zone: com.)
Searching for job-server52.com A record at G.GTLD-SERVERS.NET. [192.42.93.30]: Got referral to ns1.yessno.com. (zone: job-server52.com.)
Searching for job-server52.com A record at ns1.yessno.com. [91.193.130.202]: Reports job-server52.com. Response:
Domain Type Class TTL Answer
job-server52.com. A IN 1800 89.32.171.214
job-server52.com. A IN 1800 89.36.249.90
job-server52.com. A IN 1800 89.137.9.59
job-server52.com. A IN 1800 81.198.252.48
job-server52.com. A IN 1800 89.32.140.225
job-server52.com. NS IN 1800 ns1.yessno.com.
job-server52.com. NS IN 1800 ns2.yessno.com.
ns1.yessno.com. A IN 1800 91.193.130.202
ns2.yessno.com. A IN 1800 24.81.52.10

Looking up at the 2 job-server52.com. parent servers:

Zombie Botnet Nameserver  Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.yessno.com [91.193.130.202]  81.198.252.48 89.137.9.59 89.32.140.225 89.32.171.214 89.36.249.90
ns2.yessno.com [24.81.52.10]  Timeout - Fake nameserver, (never resolves).

The data shows a standard 5-IP site hosting zombie botnet where the nameserver ns1.yessno.com [91.193.130.202] hosted by Inline Internet Online Dienste GmbH on IP 91.193.130.202 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). Their latest nameserver domain yessno.com was registered by the criminals with Spiritdomains/IARegistry on 23-Feb-2008.

***Latest News 19th. April 2008***
IA Registry/Spiritdomains have suspended the criminal's nameserver domain yessno.com and they are now using the Register.com domain timerpo.com for their botnet controller on a new IP.
DNS Data: (dutyfreeinternational.org, job-server52.com).
How I am searching:

Searching for job-server3.com A record at h.root-servers.net [128.63.2.53]: Got referral to d.gtld-servers.net. (zone: com.)
Searching for job-server3.com A record at d.gtld-servers.net. [192.31.80.30]: Got referral to ns1.timerpo.com. (zone: job-server3.com.)
Searching for job-server3.com A record at ns1.timerpo.com. [65.75.191.207]: Reports job-server3.com. Response:
Domain Type Class TTL Answer
job-server3.com. A IN 1800 89.32.130.125
job-server3.com. A IN 1800 89.114.58.152
job-server3.com. A IN 1800 77.81.10.65
job-server3.com. A IN 1800 79.115.21.255
job-server3.com. A IN 1800 85.217.201.213
job-server3.com. NS IN 1800 ns1.timerpo.com.
job-server3.com. NS IN 1800 ns2.timerpo.com.
ns1.timerpo.com. A IN 1800 65.75.191.207
ns2.timerpo.com. A IN 1800 208.21.54.10

Looking up at the 2 job-server3.com. parent servers:

Zombie Botnet Nameserver  Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.timerpo.com [65.75.191.207]  77.81.10.65 79.115.21.255 85.217.201.213 89.114.58.152 89.32.130.125
ns2.timerpo.com [208.21.54.10]  Timeout - Fake nameserver, (never resolves).

The data shows a standard 5-IP site hosting zombie botnet where the nameserver ns1.timerpo.com [65.75.191.207] hosted by SoftwareWorks Group, Inc./CaroNet/WEBHOSTPLUS-INC/ on IP 65.75.191.207 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). Their latest nameserver domain timerpo.com was registered by the criminals with REGISTER.COM, INC. on 31-Mar-2008.

***Latest News 24th. April 2008***
Carohosting.com/Caro.net have now null routed the criminal's IP 65.75.191.207, and the criminal's nameserver ns1.timerpo.com [65.75.191.207] is no longer reachable.

***Latest News 28th. April 2008***
New domain reported by site contact - recruiting-info.com
DNS Data: (recruiting-info.com)
Looking up at the 2 recruiting-info.com. parent servers:

Zombie Botnet Nameserver  Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.timerpo.com [208.86.140.93]  116.125.72.96 85.217.201.213 89.32.130.125 89.41.182.152 89.41.8.243
ns2.timerpo.com [208.21.54.10]  Timeout - Fake nameserver, (never resolves).

The data shows a standard 5-IP site hosting zombie botnet where the nameserver ns1.timerpo.com [208.86.140.93] hosted by Capris Group on IP 208.86.140.93 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). Their latest nameserver domain timerpo.com was registered by the criminals with REGISTER.COM, INC. on 31-Mar-2008.


***Latest News 06th. May 2008***
The crook has yet another new domain (duty-free-international.org) and a new botnet:
DNS Data: (recruiting-info.com, duty-free-international.org)
Looking up at the 2 duty-free-international.org. parent servers:

Zombie Botnet Nameserver  Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.twoodpark.com [216.189.8.69]  77.41.60.198 86.126.214.164 86.22.65.217 89.114.17.91 89.33.119.85
ns2.twoodpark.com [122.105.52.11]  Timeout - Fake nameserver, (never resolves).

The data shows a standard 5-IP site hosting zombie botnet in which the nameserver ns1.twoodpark.com, hosted by High Speed Web/Genesis 2 Networks on IP 216.189.8.69, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list, which are hosting the fraud site (as determined by TRACERT). Their latest nameserver domain twoodpark.com was registered by the criminals with SPIRITDOMAINS/IAREGISTRY on 23-Mar-2008.

Later: High Speed Web/Genesis 2 Networks appear to have responded quickly to an abuse report as the above botnet has now been moved - new DNS data:

DNS Data: (recruiting-info.com, duty-free-international.org)
Looking up at the 2 duty-free-international.org parent servers:

Zombie Botnet Nameserver  Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.twoodpark.com. [91.199.50.70]  89.33.213.53 79.114.213.188 79.182.232.226 84.232.157.154 89.33.119.85
ns2.twoodpark.com [122.105.52.11]  Timeout - Fake nameserver, (never resolves).

The data shows a standard 5-IP site hosting zombie botnet in which the nameserver ns1.twoodpark.com, hosted by Netrouting Data Facilities/Grafix.nl on IP 91.199.50.70, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list, which are hosting the fraud site (as determined by TRACERT).
Netrouting Data Facilities/Grafix.nl have also provided VPS hosting for the Green Tree (Warehousing) Ltd Fraud, and this IP (91.199.50.70) was used before that to host the Newman, Esmond and Eisenberg criminal fraud, hosting the criminal nameserver ns1.newxmm.com.
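
The linking that the entries above do by eye (same nameserver domain, same zombie host IPs turning up under a new domain) can be automated. The following is an added example, not part of the original report: the snapshot values are copied from the DNS listings on this page, while the function names and the thresholds in `rotating_pattern` are assumptions chosen for illustration.

```python
from collections import defaultdict

# (news entry, domain queried, answering nameserver, TTL, A records), copied
# from the DNS listings on this page. TTL is None where the page lists none.
SNAPSHOTS = [
    ("21-Jan", "dfi-refferals.com", "ns1.proimageweb.com", 1800,
     ["79.114.93.108", "79.115.30.103", "86.123.130.62", "89.43.75.75", "195.189.209.131"]),
    ("26-Feb", "refferals-dfi.com", "ns1.yessno.com", 1800,
     ["79.172.65.156", "84.108.239.70", "86.122.154.85", "78.106.224.38", "79.114.91.22"]),
    ("04-Apr", "dutyfreeinternational.net", "ns1.yessno.com", 1800,
     ["78.106.172.82", "85.217.201.213", "86.126.80.28", "89.32.140.225", "89.136.78.86"]),
    ("14-Apr", "job-server52.com", "ns1.yessno.com", 1800,
     ["89.32.171.214", "89.36.249.90", "89.137.9.59", "81.198.252.48", "89.32.140.225"]),
    ("19-Apr", "job-server3.com", "ns1.timerpo.com", 1800,
     ["89.32.130.125", "89.114.58.152", "77.81.10.65", "79.115.21.255", "85.217.201.213"]),
    ("28-Apr", "recruiting-info.com", "ns1.timerpo.com", None,
     ["116.125.72.96", "85.217.201.213", "89.32.130.125", "89.41.182.152", "89.41.8.243"]),
]

def ns_domain(nameserver):
    """Registered domain of a nameserver host (last two labels; fine for .com)."""
    return ".".join(nameserver.rstrip(".").split(".")[-2:])

def rotating_pattern(ttl, a_records, min_records=5, min_nets=4, max_ttl=1800):
    """Heuristic with assumed thresholds: several A records scattered over
    unrelated /16 networks (first two octets) and a TTL of 30 minutes or less."""
    nets = {tuple(ip.split(".")[:2]) for ip in a_records}
    return (len(a_records) >= min_records and len(nets) >= min_nets
            and (ttl is None or ttl <= max_ttl))

def shared_hosts(snapshots):
    """Host IPs that served more than one domain -> sorted list of those domains."""
    seen = defaultdict(set)
    for _, domain, _, _, ips in snapshots:
        for ip in ips:
            seen[ip].add(domain)
    return {ip: sorted(doms) for ip, doms in seen.items() if len(doms) > 1}

def cluster(snapshots):
    """Union-find: group domains linked by a nameserver domain or a host IP."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x
    for _, domain, ns, _, ips in snapshots:
        for key in [("ns", ns_domain(ns))] + [("ip", ip) for ip in ips]:
            parent[find(("dom", domain))] = find(key)
    groups = defaultdict(set)
    for node in list(parent):
        if node[0] == "dom":
            groups[find(node)].add(node[1])
    return sorted(groups.values(), key=len, reverse=True)

if __name__ == "__main__":
    for entry, domain, ns, ttl, ips in SNAPSHOTS:
        print(entry, domain, ns, "rotating" if rotating_pattern(ttl, ips) else "-")
    for ip, domains in sorted(shared_hosts(SNAPSHOTS).items()):
        print("shared host", ip, domains)
    for group in cluster(SNAPSHOTS):
        print("cluster:", sorted(group))
```

On this data the reused host IPs tie the timerpo.com domains to the yessno.com ones even though the nameserver domain changed in between; dfi-refferals.com stays in its own group because none of its listed hosts recur, so its link to the rest rests on the other evidence above.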