Global Shipping Agency Ltd. Fraud

Global Shipping Agency Ltd. scam website screenshot (03-May-2009)
If you've either received an active website link in a Global Shipping Agency Ltd. fraud spam, or know of an active domain and it is not listed in the domain tables below, then please let us know by reporting it using the 'Report Active Domain' option in the title bar above.

This Global Shipping Agency Ltd. criminal fraud website (with content stolen from the genuine Westward Freight website and the Mediterranean Shipping Company) should not be confused with any other company of the same or similar name. The following evidence concerns this criminal alone.

Global Shipping Agency Ltd. is the latest fraud from the money laundering department of the well known 'Rockphish/Asprox' phishing criminals. It is the follow-on fraud to the Adecco Rockphish fraud and is still currently using the two botnet controlling nameservers latterly used by the Adecco fraud. The criminal's website is hosted on a standard 'Rockphish' site hosting zombie botnet using the recently registered initial fraud domain adems.eu (Interdomain SA (10-Apr-2009)). The above website content is mostly stolen from the genuine Westward Freight company with the rest stolen from the Mediterranean Shipping Company, a fact which is self-evident and irrefutable evidence of fraud, as is the fact that the criminal's website is zombie botnet hosted - no legitimate website is hosted on a zombie botnet. N.B. The criminal's domains are constantly being suspended by the registrars and replaced - see the tables below for the latest information. The purpose of the website is to lend an air of legitimacy to a spam campaign intended to recruit money laundering mules, and to that end they are also advertising a clear money mule position on their website. Despite their ludicrous website claims of being a large company in the business since 1996, their domains are all recently registered and they have no Google internet presence whatsoever, (do not confuse them with the genuine Hong Kong based freight forwarder of the same name whose details they have stolen). This fraud is an existing scam that has been transferred to zombie botnet hosting - the original scam record is here.

Current Zombie Botnet Controller Hosts

WholeSale Internet, Inc./Hosting Ventures, LLC/jumpserver.net - ns1.scothc.net. [204.12.210.235] - Notified 01-Oct-2009
WholeSale Internet, Inc./Hosting Ventures, LLC/jumpserver.net - ns1.forvardpool.net. [204.12.210.235] - Notified 01-Oct-2009


The above table shows the current providers of zombie botnet hosting services to the criminals and how long they have been providing them for. The decent ethical majority of service providers, (all credit to them - they are a pleasure to deal with), act promptly when informed of the criminal abuse of their system, (the best in less than 1 hour), but there are unfortunately some that, for whatever reason, do not respond, do not act and in some cases clearly do not care. Any hosting company that remains in the above list for more than 48 hours has unfortunately not responded to abuse reports and may possibly be a 'blackhat' or even a criminal controlled host. N.B. - To ignore reports of criminal activity is an offence under US law codes, UK law and undoubtedly also under other countries' legal provisions. Please be aware that complaints against unresponsive hosts are filed with upstream providers and that 'accessory after the fact' complaints are filed with law enforcement agencies after all contact attempts have failed. It's only fair to the victims of these criminals.

If you are an abuse team that has taken action, please let me know so that I may remove the above record and update the data.

Global Shipping Agency Ltd.: Evidence of Site Theft and Criminal Fraud

N.B. - Check tables and ***Latest News*** items for domain and hosting updates.

i) The Global Shipping Agency Ltd. fraud website is hosted on a standard site hosting zombie botnet. No legitimate company would use a zombie botnet to host their website - irrefutable evidence of criminality.

ii) Their above home page website content appears to have been half stolen from the Westward Freight website and half from the Mediterranean Shipping Company website. Clear verifiable evidence of site theft, misrepresentation and criminal fraud.

iii) Passive DNS replication checks on the zombies listed below link this fraud to other 'Rockphish' group scams and include numerous phishing links.

iv) The criminal's spam contains forged header information and is zombie botnet distributed.

v) The Website Money Mule job:

Customer Service Financial Assistant

Customer Service Financial Assistant coordinates customer payments and supports company's growth in his local area, by providing customers by the fastest and excellent service, so that to enable the Head Office arrange customer order delivery in shortest dates.


Responsibilities:

    * Provides financial customer support in his local area.
    * Professionally processes customer payments, using his bank account ( or bank account set up especially for the company needs).
    * Works in a close cooperation with the Head Office: makes arrangements and reports about any sufficient changes.
    * Arranges, monitors, coordinates and processes every new customer payment in an efficient and professional manner.
    * Directs the payments to the final destination in one of company affiliations.
    * Minimizes payment delivery period by using Western Union Instant Transfer System only.

Requirements:

    * Excellent oral and written communication skills.
    * Skilled in applicable computer software applications, such as Microsoft Word, Excel, Power Point.
    * Knowledgeable on the Internet in order to obtain resource material and execute work duties.
    * Achievement Motivated.
    * Punctual.
    * Customer Service/ Service Partner Orientated.
    * Stable employment history.

Note: Salary makes out of base pay and commission for each payment processed. GSA Ltd. offers a 10% commission out of each customer payment dealt with successfully.
Please note, this is a part-time position, you need to be available for 2 hours a day only!

vi) The Spam Content

The Global Shipping Agency Ltd. spam headers contain different forged/bogus 'From' & 'Return-Path' addresses and forged 'Received' lines, and the spam is distributed by zombie botnet. The subject lines indicate that there is a job opportunity to be had. There is - an illegal job as a money laundering 'mule' or transfer fraud victim, i.e. accepting stolen or counterfeit proceeds into your account and forwarding them on via Western Union or Moneygram for a percentage cut. Needless to say it is these mules that will feel the full weight of the law while the remote money launderers are safe. The bogus or stolen funds in the mule's account will also be recovered, leaving them with large losses.

This is the content of an actual Global Shipping Agency Ltd. scam spam as received:
From: "Global Shipping Agency" <xxxxxx@walla.com>
Subject: Part Time Job
Date: Mon, 4 May 2009 06:06:33 +0200


Dear Sir/Madam,


My name is Angel Story, I am a Personnel Department manager in Global Shipping Agency Ltd and I would like to offer you a job of Customer Service Financial Assistant in our company.

First of all, I would like to make a brief review on our company. Global Shipping Agency Ltd.– is a world famous full service transportation company with the head office based in Hong-Kong. Our company is a leader and one of the most famous freight services providers. We work both with companies and private individuals. We specialize both in transportations by air, sea and road as well as in household removal services. GSA Ltd. has more than 10 affiliated branches around Europe and Asia and constantly develops. For more information, please visit our web-site http://gshipagc.com/.

Today we would like to offer you a position of our Customer Service Financial Assistant with a prospect of a career growtsh.

In January, 2009 our Marketing Department started a research in the USA to determine the states with the highest customer activity. By the time research finishes, there will be 5 states chosen, with the highest level of clients’ activity. We will be happy to offer you a position of a full-time manager at one of our newly opened US offices, once you perform well at a part-time position.

As for now, let me tell more about a part-time position of a Customer Service Financial Assistant.
At this position, you would be responsible to deal with the payments form our American customers; these can be companies or private individuals. You will be a middleman between our customers based in the US and the regional branches of the company based in Europe and Asia. Your mission will be to fasten the process of payment delivery, so that to help us get the payments in regional branches efficiently, deal with each of the customer orders in shortest possible dates, attract extra customers and improve company’s total profit.

Moreover, it is important to notice, that we work on special program under patronage of U.S. Government for reducing cheap-contracts taxes. The reason we join that program is the European Union economic restrictions that affect us. If the payment is forwarded directly to one of our European accounts, our customers would have to pay another 25%-27% as a fee to the European government, which would make their expenses much higher. This 27%-Law was made by European Bank Association to protect the interests of European banks, but it affects us as well.

This is a step-by-step description of your responsibilities on a position during the approbation period:

You will have to deal with the customer payments, arranged by the Company Head Office for you. Our Head office will arrange every new coming payment with you in advance over the phone (so that to make sure you are available) and then send you an e-mail with all the details that you might need, a step-by-step instruction, exact amount transferred, the name of the customer who made the payment and the details of the regional branch the money is supposed to be sent to.
We try to arrange all the customer payments to be made like wire transfers – we consider this way of sending money to be the safest and the fastest one – transaction is checked by a Federal Wire System and is normally released for the beneficiary in 1 hour after the money has been sent.
So, after the customer makes a payment to your bank account, we will send you an e-mail with all the details of the payment. Once the payment is shown at your available balance, you are supposed to deduct your 10% commission first. Out of the 90% left you are supposed to deduct the related charges for the Western Union fee. The amount left after all the deductions are made is supposed to be transferred by Western Union to one of our regional branches (depending from and to what destination the transportation is required).

We use Western Union service to fasten the process of payment delivery – this I an instant money transfer service, and the money you sent is available for the receiver immediately.

As this is a part-time job position – you will get 2 payments a week to deal with during the approbation period and then up to 3-4 payments a week once we sign up a working agreement with you. Once you get some experience, you will probably need less than 1,5 hours to finish the whole task.

We offer that for the approbation period for the incoming customer payments you either use the existing bank account of yours or open a separate bank account for the company needs (the amount of each payment on the trial period will not exceed 10000 usd). Once we sign up a long-term working agreement with you, we will assist you in opening a business account for the company payments as we will expect more payments of larger amounts to be arranged for you to deal with. The business account takes some time and effort to be opened, and so that not to lose time (as we are just going to test each other) we advice to start with some private account first.

The approbation period lasts for 2 weeks, which allows both of us make sure we are comfortable to deal with each other. We will sign up a pre-contract agreement with you, which will be valid through the approbation period only. Once the approbation period has gone through successfully, we will be happy to sign up a long-term working agreement for part-time employment on a regular basis with you. Some of our lawyers come to the US every 1-2 months, so once a lawyer comes to the USA, we will arrange a meeting for you, for all the papers to be signed up.


This position offers excellent benefits and basic salary of $2000 a month, along with long term career progression opportunity. Apart from a basic salary, we also offer you a 10% commission out of each project you are dealing with, so that to encourage you to deal with more payments and keep your interest in finishing any new coming task in shortest possible dates.

Once you get more experienced and are able to come with your duties easily, you will be offered to take more responsibility on a position. Experienced managers normally do all the arrangements regarding new coming customer orders themselves – communicating with the customers and regional branches, making lists of transportations, authorizing each new customer order with the company Head Office, dealing with the payments and sending them to the final destination. These responsibilities involve more time to be spent, but as well higher earnings. For all the business calls to go through successfully, you will be equipped with an iPhone. As well we will cover your international call expenses.


If you have any questions, please, do not hesitate to e-mail us.
We are looking forward to hearing from you ASAP.

I see that these Rockphish crooks are still seeking to "fasten the process of payment delivery". Their 'Runglish' doesn't change much, but "approbation period" is a new one on me.
You do not get a clearer example of the illegal money laundering mule position than that. The job consists of accepting transferred stolen funds into your private bank account, deducting 10% and forwarding the balance on to these criminals via Western Union. The problem is that the funds are transferred from a victim's 'phished' account without his knowledge, and once he discovers that they are missing he will inform his bank, which will recover the funds from your bank, leaving you out of pocket by the amount you have sent to the crooks. Not only that, but you will have to answer some very awkward questions about why you are involved in criminal activity - don't be tempted. The 'approbation' (sic) period IS the job - after several 'test' transactions things go 'pear shaped' and you never hear from these crooks again.

vii) Fake contact details from the fraudulent website:

Global Shipping Agency Ltd.
Unit 5, 8/F., Sands Building,
17 Hankow Road,
Tsim Sha Tsui, Kowloon,
Hong Kong
Email: GSA@adems.eu
Tel: (852) 2882 9706
Fax: (852) 2882 9610


- A Google search for the address Unit 5, 8/F., Sands Building, 17 Hankow Road, Tsim Sha Tsui returns no results apart from the criminal's own fraud website.
- A Google search for the telephone number (852) 2882 9706 and fax number (852) 2882 9610 clearly indicates that this criminal has stolen the details of a genuine company called Global Shipping Agency, who are not listed as having their own website but are listed as the Hong Kong branch office of the genuine Shenzhen Global Net Logistics Ltd company at the address:
  Global Shipping Agency Ltd, Rm 5, 3/F, No.13-29, Foever Industrial Building, Kuiyong Kuixi Road, Hongkong
  Tel: 00852-2882 9706/31658924  Fax: 00852-28829610
  Mobile: 13827453332 (Shenzhen)


The above irrefutable evidence clearly demonstrates beyond any doubt that the Global Shipping Agency Ltd. website has been set up on a zombie botnet using stolen website content for criminal fraud purposes and is directly related to Cronos Investment, Draper Investment, Harvey Investment, Adamant Global, Sydney Car Centre, Waller Truck, Newman, Esmond & Eisenberg, Sun Reef Yachts, Walker & Sons, Bullet Motorsports Speedlab (BMS), Adecco and the rest of the Rockphish/Asprox money laundering/phishing criminal fraudsters' aliases documented here. If you are an abuse team that has received an abuse report regarding these fraudsters, please consider immediate termination of their services in view of the absolutely undeniable evidence of site theft, criminal deception and spamming - please don't delay - these criminals will not respond to any communication from you, (all their whois data is false), but will simply take advantage of any attempt at communication as a delaying tactic to allow them time to carry on their criminal activity and prepare their next network.

Do not be misled - these are professional criminals with a long history of fraud as detailed on the General Information page and are the same criminals as the 'Rockphish/Asprox' phishing fraudsters, so if a host or registrar shelters these crooks then they are also sheltering the 'Rockphish/Asprox' phishing fraudsters and aiding and abetting their criminal 'phishing' fraud activities. N.B. - To ignore reports of criminal activity is an offence under US law codes, UK law and undoubtedly also under other countries' legal provisions.

Global Shipping Agency Ltd. Fraudsters - current hosting details.


Current Main Domains, Hosts and Registrars

Domain | Registrar | Host IP Network / Botnet Nameserver Host
gshipagc.com | REG2C.COM, INC. (01-Aug-2009) | WholeSale Internet, Inc./Hosting Ventures, LLC/jumpserver.net - ns1.scothc.net. [204.12.210.235]; ns1.forvardpool.net. [204.12.210.235]
gshipagc.net | REG2C.COM, INC. (01-Aug-2009) | WholeSale Internet, Inc./Hosting Ventures, LLC/jumpserver.net - ns1.scothc.net. [204.12.210.235]; ns1.forvardpool.net. [204.12.210.235]


Current Zombie Botnet Nameserver Domains and Registrars

Nameserver Domain | Nameserver Domain Registrar | Host IP
scothc.net | IARegistry/Spiritdomains (21-Jul-2009) | 204.12.210.235
forvardpool.net | Tucows/opensrs.net (11-Sep-2009) | 204.12.210.235

See table below for a list of all known active & suspended main & nameserver domains used by this criminal.


List of all known domains used by the Global Shipping Agency Ltd. Fraudsters

Domain | Status | Registrar
adems.eu | Suspended | INTERDOMAIN, S.A. (10-Apr-2009)
adums.eu | Suspended | INTERDOMAIN, S.A. (10-Apr-2009)
dumac.eu | Suspended | INTERDOMAIN, S.A. (10-Apr-2009)
ahure.eu | Suspended | INTERDOMAIN, S.A. (10-Apr-2009)
adecol.eu | Suspended | INTERDOMAIN, S.A. (10-Apr-2009)
adesol.eu | Suspended | INTERDOMAIN, S.A. (10-Apr-2009)
ademan.eu | Suspended | INTERDOMAIN, S.A. (10-Apr-2009)
adusco.eu | Suspended | INTERDOMAIN, S.A. (10-Apr-2009)
dumaso.eu | Suspended | INTERDOMAIN, S.A. (10-Apr-2009)
heroc.eu | DNS Looped | INTERDOMAIN, S.A. (10-Apr-2009)
shipag.eu | Suspended | INTERDOMAIN, S.A. (14-Apr-2009)
shige.eu | Suspended | INTERDOMAIN, S.A. (14-Apr-2009)
gloshi.eu | Suspended | INTERDOMAIN, S.A. (14-May-2009)
shipa.eu | Suspended | INTERDOMAIN, S.A. (14-Apr-2009)
globash.eu | Suspended | INTERDOMAIN, S.A. (14-Apr-2009)
gloship.eu | Suspended | INTERDOMAIN, S.A. (14-Apr-2009)
hurec.eu | Disabled | INTERDOMAIN, S.A. (10-Apr-2009)
shage.eu | Suspended | INTERDOMAIN, S.A. (14-Apr-2009)
systdll.net | Suspended | GANDI SAS (26-Jan-2009)
shipbal.com | Suspended | GKG.NET, INC. (05-Aug-2009)
shipbal.net | Suspended | GKG.NET, INC. (05-Aug-2009)
gshipagc.com | Active | REG2C.COM, INC. (01-Aug-2009)
gshipagc.net | Active | REG2C.COM, INC. (01-Aug-2009)
dhippag.com | Suspended | GKG.NET, INC. (12-Aug-2009)
dhippag.net | Suspended | GKG.NET, INC. (12-Aug-2009)
dhippan.net | Suspended | GKG.NET, INC. (12-Aug-2009)
globipp.com | Suspended | GKG.NET, INC. (12-Aug-2009)
globipp.net | Suspended | GKG.NET, INC. (12-Aug-2009)
globipi.com | Suspended | GKG.NET, INC. (12-Aug-2009)

Criminal Registered Nameserver Domains

Nameserver Domain | Status | Registrar
dortfoot.com | Suspended | GANDI SAS (19-Feb-2009)
bigthework.com | Suspended | Network Solutions (10-Mar-2009)
estate-rx.com | Suspended | Network Solutions (19-May-2009)
holdendsold.net | Suspended | IARegistry/Spiritdomains (20-May-2009)
mcdomen.net | Suspended | IARegistry/Spiritdomains (30-May-2009)
mail-start.net | Suspended | GANDI SAS (31-May-2009)
globalsinet.com | Suspended | GANDI SAS (03-Jun-2009)
viperdomains.net | Suspended | MONIKER ONLINE SERVICES, INC. (06-Jun-2009)
forvard-direct.com | Suspended | INTERCOSMOS MEDIA GROUP, INC. D/B/A DIRECTNIC.COM (07-Jun-2009)
searchusing.com | Inactive | NETWORK SOLUTIONS, LLC. (05-Jun-2009)
compare-translated.net | Suspended | MONIKER ONLINE SERVICES, INC. (05-Jun-2009)
frox-tory.com | Suspended | IARegistry/Spiritdomains (21-Jul-2009)
scothc.net | Suspended | IARegistry/Spiritdomains (21-Jul-2009)
forvardpool.net | Active | Tucows/opensrs.net/123-reg.co.uk (11-Sep-2009)


Please notify me of any domains not listed here.


Notes for Registrars

i) The  Global Shipping Agency Ltd. criminal uses his own nameserver domains to control his zombie botnets or provide his DNS. By definition there can be no legitimate domains using his dedicated botnet nameservers & his conventional nameserver domains are always very recently registered. This provides an ideal database search option for you to identify and delete all of this criminal's fraud domains without any risk of hurting an innocent domain. The criminal's current botnet nameserver domain(s) are listed in the above table.

ii) The criminal's domains have different false whois registration data.

iii) The criminal will not respond to your challenge but will use the notice to prepare a new network - immediate suspension is requested, please.

The Zombie Botnet DNS Data (Valid for domains adems.eu, adums.eu, dumac.eu, ahure.eu, adecol.eu, adesol.eu, ademan.eu, adusco.eu, dumaso.eu)

How I am searching:

Searching for adems.eu A record at i.root-servers.net [192.36.148.17]: Got referral to L.EU.DNS.BE. (zone: eu.)
Searching for adems.eu A record at L.EU.DNS.BE. [193.2.221.60]: Got referral to ns1.dortfoot.com. (zone: adems.eu.)
Searching for adems.eu A record at ns1.dortfoot.com. [8.12.160.176]: Reports adems.eu. Response:
Domain Type Class TTL Answer
adems.eu. A IN 1800 84.125.46.65
adems.eu. A IN 1800 89.178.107.245
adems.eu. A IN 1800 96.33.71.104
adems.eu. A IN 1800 60.46.56.190
adems.eu. A IN 1800 65.96.173.102
adems.eu. NS IN 1800 ns2.dortfoot.com.
adems.eu. NS IN 1800 ns2.bigthework.com.
adems.eu. NS IN 1800 ns1.dortfoot.com.
adems.eu. NS IN 1800 ns1.bigthework.com.
ns1.dortfoot.com. A IN 1800 8.12.160.176
ns1.bigthework.com. A IN 1800 8.12.160.176
ns2.dortfoot.com. A IN 1800 44.131.151.42
ns2.bigthework.com. A IN 1800 196.21.236.29

Looking up at the 2 adems.eu. parent servers:

Zombie Botnet Nameservers Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.dortfoot.com [8.12.160.176] 60.46.56.190 65.96.173.102 84.125.46.65 89.178.107.245 96.33.71.104
ns1.bigthework.com [8.12.160.176] 60.46.56.190 65.96.173.102 84.125.46.65 89.178.107.245 96.33.71.104

The data shows dual 5-IP site hosting zombie botnets where the criminal owned nameservers ns1.dortfoot.com and ns1.bigthework.com hosted by Level 3 Communications, Inc./RelyNet Inc. on IP 8.12.160.176 are acting as zombie botnet controllers 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting.
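As an added illustration (not code from the original report), the following Python parses a DNS answer table in the layout shown above, re-derives the controller/site-host split the text describes (nameservers under different domains sharing one address, several short-TTL A records on scattered netblocks) and applies the registrar sweep from the 'Notes for Registrars' section. The function names, the thresholds and the benign comparison data are my own assumptions; the sample records are copied from the adems.eu response above.

```python
from collections import defaultdict

# Constructed sample input: the adems.eu answer section quoted on the page,
# in the 'Domain Type Class TTL Answer' layout that parse_records() expects.
SAMPLE_RESPONSE = """\
Domain Type Class TTL Answer
adems.eu. A IN 1800 84.125.46.65
adems.eu. A IN 1800 89.178.107.245
adems.eu. A IN 1800 96.33.71.104
adems.eu. A IN 1800 60.46.56.190
adems.eu. A IN 1800 65.96.173.102
adems.eu. NS IN 1800 ns2.dortfoot.com.
adems.eu. NS IN 1800 ns2.bigthework.com.
adems.eu. NS IN 1800 ns1.dortfoot.com.
adems.eu. NS IN 1800 ns1.bigthework.com.
ns1.dortfoot.com. A IN 1800 8.12.160.176
ns1.bigthework.com. A IN 1800 8.12.160.176
ns2.dortfoot.com. A IN 1800 44.131.151.42
ns2.bigthework.com. A IN 1800 196.21.236.29
"""


def parse_records(text):
    """Turn the table rows into (name, type, ttl, answer) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0].lower() == "domain":
            continue  # header line or malformed row
        name, rtype, _cls, ttl, answer = parts
        records.append((name.lower().rstrip("."), rtype.upper(),
                        int(ttl), answer.lower().rstrip(".")))
    return records


def parent_domain(hostname):
    """ns1.dortfoot.com -> dortfoot.com (label stripping, not PSL-aware)."""
    return hostname.split(".", 1)[1] if "." in hostname else hostname


def analyse(records, domain, max_ttl=3600, min_hosts=5):
    """Score one domain against the 'host by proxy' pattern the page describes:
    a handful of short-TTL A records on scattered netblocks, and nameservers
    under different registered domains that all resolve to one controller IP."""
    domain = domain.lower().rstrip(".")
    site = [(ttl, ans) for n, t, ttl, ans in records if n == domain and t == "A"]
    ns_hosts = [ans for n, t, _, ans in records if n == domain and t == "NS"]
    glue = defaultdict(set)
    for n, t, _, ans in records:
        if t == "A" and n in ns_hosts:
            glue[n].add(ans)
    site_ips = sorted({ans for _, ans in site})
    ttls = {ttl for ttl, _ in site}
    # An address shared by nameservers from *different* parent domains is the
    # controller (ns1.dortfoot.com and ns1.bigthework.com both sit on it).
    parents_per_ip = defaultdict(set)
    for host, ips in glue.items():
        for ip in ips:
            parents_per_ip[ip].add(parent_domain(host))
    controllers = sorted(ip for ip, p in parents_per_ip.items() if len(p) > 1)
    first_octets = {ip.split(".")[0] for ip in site_ips}
    indicators = []
    if len(site_ips) >= min_hosts:
        indicators.append(f"{len(site_ips)} A records for a single web site")
    if len(first_octets) >= 3:
        indicators.append("site addresses scattered across unrelated netblocks")
    if ttls and max(ttls) <= max_ttl:
        indicators.append(f"short TTL ({max(ttls)}s) permits rapid rotation")
    if controllers:
        shared = len(parents_per_ip[controllers[0]])
        indicators.append(f"nameservers from {shared} domains share {controllers[0]}")
    if controllers and not set(controllers) & set(site_ips):
        indicators.append("controller is not itself a site host (host by proxy)")
    return {"domain": domain, "site_ips": site_ips,
            "nameserver_domains": sorted({parent_domain(h) for h in ns_hosts}),
            "controller_ips": controllers, "indicators": indicators,
            "suspicious": len(indicators) >= 4}


def domains_on_nameservers(zone_entries, ns_domains):
    """The registrar sweep from the page's notes: every domain delegated to a
    nameserver under one of the known controller nameserver domains."""
    wanted = {d.lower().rstrip(".") for d in ns_domains}
    return sorted(domain for domain, nameservers in zone_entries
                  if any(parent_domain(ns.lower().rstrip(".")) in wanted
                         for ns in nameservers))


if __name__ == "__main__":
    result = analyse(parse_records(SAMPLE_RESPONSE), "adems.eu")
    for item in result["indicators"]:
        print("-", item)
    print("suspicious:", result["suspicious"])
```
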
***Latest News*** Initial entry 3rd. May 2009

This botnet hosting was originally reported to Level3 and Rely Net Inc on 27-Apr-2009 when it was being used for the 'Rockphish' Adecco fraud. No response has been received and no action has been taken by either Level3 or Rely Net against this criminal activity involving their network.

***Latest News*** 4th. May 2009
New domain received from site contact - adums.eu, registered with INTERDOMAIN, S.A. (10-Apr-2009) and hosted as above.
Further domains dug up: dumac.eu, ahure.eu, adecol.eu, adesol.eu, ademan.eu, adusco.eu, dumaso.eu all registered with INTERDOMAIN, S.A. (10-Apr-2009) and hosted as above.

***Latest News*** 5th. May 2009
All of the domains adems.eu, adums.eu, dumac.eu, ahure.eu, adecol.eu, adesol.eu, ademan.eu, adusco.eu, dumaso.eu have been suspended by the registrar

Unfortunately, Level3 and Rely Net Inc have taken no action against the botnet hosting (ns1.dortfoot.com [8.12.160.176] and ns1.bigthework.com [8.12.160.176]), so the criminal is probably already back up with new domains - please notify me of any active domains for this criminal.

***Latest News*** 20th. May 2009
This criminal is back - new domains reported - heroc.eu and shipag.eu still hosted on the Level3/Rely Net Inc. botnet. No action has been taken by either of those providers. The nameserver domain bigthework.com has been suspended by Network Solutions and replaced by estate-rx.com, also registered with Network Solutions. Botnet details:
The Zombie Botnet DNS Data (Valid for domains heroc.eu, shipag.eu, shige.eu)
Looking up at the 2 heroc.eu. parent servers:

Zombie Botnet Nameservers Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.estate-rx.com [8.12.160.176] 201.160.43.12 41.200.214.219 77.254.53.135 88.238.106.236 89.79.71.149
ns1.dortfoot.com [8.12.160.176] 201.160.43.12 41.200.214.219 77.254.53.135 88.238.106.236 89.79.71.149

The data shows dual 5-IP site hosting zombie botnets where the criminal owned nameservers ns1.dortfoot.com and ns1.estate-rx.com hosted by Level 3 Communications, Inc./RelyNet Inc. on IP 8.12.160.176 are acting as zombie botnet controllers 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting.
Later: New domain reported by site contact - shige.eu hosted on the same Level3/Rely.net botnet.

***Latest News*** 21st. May 2009
The nameserver domain estate-rx.com has been deleted by the registrar. No reply from either Level3 or Rely.net, but it would appear that they have at last disconnected the criminal's botnet controller and the crook is up on a new host (Limestone Networks, Inc.) as follows.
The Zombie Botnet DNS Data (Valid for domains heroc.eu, shipag.eu, shige.eu)
Looking up at the 2 heroc.eu. parent servers:

Zombie Botnet Nameservers Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.holdendsold.net [69.162.84.212] 83.20.44.3 88.238.134.185 24.6.69.60 41.200.216.239 77.254.42.61
ns1.dortfoot.com [69.162.84.212] 83.20.44.3 88.238.134.185 24.6.69.60 41.200.216.239 77.254.42.61

The data shows dual 5-IP site hosting zombie botnets where the criminal owned nameservers ns1.dortfoot.com and ns1.holdendsold.net hosted by Limestone Networks, Inc. on IP 69.162.84.212 are acting as zombie botnet controllers 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting.
Later: Limestone Networks have disabled the above botnet and the crooks are back up on a new IP - 38.108.178.58 (PSINet, Inc.)
Later: New domain reported by site contact - gloshi.eu
The Zombie Botnet DNS Data (Valid for domains heroc.eu, shipag.eu, shige.eu, gloshi.eu, shipa.eu)
Looking up at the 2 gloshi.eu. parent servers:

Zombie Botnet Nameservers Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.holdendsold.net [38.108.178.58] 190.174.76.186 68.42.185.5 83.20.43.62 86.104.52.93 89.79.71.149
ns1.dortfoot.com [38.108.178.58] 190.174.76.186 68.42.185.5 83.20.43.62 86.104.52.93 89.79.71.149

The data shows dual 5-IP site hosting zombie botnets where the criminal owned nameservers ns1.dortfoot.com and ns1.holdendsold.net hosted by Cogentco/PSINet, Inc./Take2/whirlhost.com on IP address 38.108.178.58 are acting as zombie botnet controllers 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting.

***Latest News*** 22nd. May 2009
New domain notified by site contact - shipa.eu (INTERDOMAIN, S.A. - 14-Apr-2009)
Excellent response from eleventy2.com - the above botnet has been quickly shut down and the crooks are immediately back up on a new IP with a new provider - 72.249.77.36 (Colo4Dallas/Networld Internet Services/tektonic.net). New botnet details:
The Zombie Botnet DNS Data (Valid for domains heroc.eu, shipag.eu, shige.eu, gloshi.eu, shipa.eu)
Looking up at the 2 shipa.eu. parent servers:

Zombie Botnet Nameservers Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.holdendsold.net [72.249.77.36] 125.135.157.101 209.173.76.154 66.214.245.249 83.230.37.23 86.71.121.75
ns1.dortfoot.com [72.249.77.36] 125.135.157.101 209.173.76.154 66.214.245.249 83.230.37.23 86.71.121.75

The data shows dual 5-IP site hosting zombie botnets where the criminal owned nameservers ns1.dortfoot.com and ns1.holdendsold.net hosted by Colo4Dallas/Networld Internet Services/tektonic.net on IP address 72.249.77.36 are acting as zombie botnet controllers 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting.

***Latest News*** 28th. May 2009
Domain heroc.eu now has its DNS looped. Two new domains spotted - globash.eu and gloship.eu, both registered with INTERDOMAIN, S.A. (14-Apr-2009). All domains are now hosted on the following botnet:
The Zombie Botnet DNS Data (Valid for domains shipag.eu, shige.eu, gloshi.eu, shipa.eu, globash.eu and gloship.eu)
Looking up at the 2 gloship.eu. parent servers:

Zombie Botnet Nameservers Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.holdendsold.net [208.43.102.172] 148.228.148.74 209.173.76.154 24.13.222.71 77.253.122.219 84.121.124.54
ns1.dortfoot.com [208.43.102.172] 148.228.148.74 209.173.76.154 24.13.222.71 77.253.122.219 84.121.124.54

The data shows dual 5-IP site hosting zombie botnets where the criminal owned nameservers ns1.dortfoot.com and ns1.holdendsold.net hosted by SoftLayer Technologies Inc. on IP address 208.43.102.172 are acting as zombie botnet controllers 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting.

***Latest News*** 1st. Jun 2009
All domains are now hosted on the following botnet:
The Zombie Botnet DNS Data (Valid for domains shipag.eu, shige.eu, gloshi.eu, shipa.eu, globash.eu, gloship.eu and hurec.eu)
Looking up at the 2 gloship.eu. parent servers:

Zombie Botnet Nameservers Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.holdendsold.net [64.79.197.56] 148.228.148.74 213.100.228.140 69.248.87.164 84.121.125.44 94.231.51.29
ns1.dortfoot.com [64.79.197.56] 148.228.148.74 213.100.228.140 69.248.87.164 84.121.125.44 94.231.51.29

The data shows dual 5-IP site hosting zombie botnets where the criminal owned nameservers ns1.dortfoot.com and ns1.holdendsold.net hosted by Spry Hosting of Seattle on IP address 64.79.197.56 are acting as zombie botnet controllers 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting.

***Latest News*** 2nd. Jun 2009
New domain notified by Frank Bear - welcome back, Frank - hurec.eu registered with the usual INTERDOMAIN, S.A. (10-Apr-2009) and hosted on the above Spry Hosting botnet.

***Latest News*** 3rd. Jun 2009
The nameserver domain holdendsold.net has been suspended by the registrar and has been replaced by the two domains mail-start.net and mcdomen.net registered with IARegistry/Spiritdomains (30-May-2009). Updated botnet details:
The Zombie Botnet DNS Data (Valid for domains gloshi.eu, gloship.eu and hurec.eu)
Looking up at the 2 gloship.eu. parent servers:

Zombie Botnet Nameservers Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.mail-start.net [208.53.160.13] 24.13.222.71 77.253.95.107 77.41.98.56 78.90.21.227 79.112.16.210
ns1.dortfoot.com [208.53.160.13] 24.13.222.71 77.253.95.107 77.41.98.56 78.90.21.227 79.112.16.210

The data shows dual 5-IP site hosting zombie botnets where the criminal owned nameservers ns1.mail-start.net
and ns1.dortfoot.com hosted by FDC Servers of Chicago on IP address 208.53.160.13 are acting as zombie botnet controllers 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting.

The Zombie Botnet DNS Data (Valid for domains shipag.eu, shige.eu, shipa.eu and globash.eu)
Looking up at the 2 shipag.eu. parent servers:

Zombie Botnet Nameservers Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.mcdomen.net [208.53.160.13] 24.13.222.71 77.253.95.107 77.41.98.56 78.90.21.227 79.112.16.210
ns1.dortfoot.com [208.53.160.13] 24.13.222.71 77.253.95.107 77.41.98.56 78.90.21.227 79.112.16.210

The data shows dual 5-IP site hosting zombie botnets where the criminal owned nameservers ns1.mcdomen.net and ns1.dortfoot.com hosted by FDC Servers of Chicago on IP address 208.53.160.13 are acting as zombie botnet controllers 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting.
Later: News from Frank Bear - the nameserver domain mcdomen.net has been suspended by the registrar.

***Latest News*** 4th. Jun 2009

News from Frank Bear - the crooks have a new nameserver domain - globalsinet.com, registered with Gandi SAS on 03-Jun-2009

The Zombie Botnet DNS Data (Valid for domains shipag.eu, shige.eu, shipa.eu and globash.eu)
Looking up at the 2 shipag.eu. parent servers:

Zombie Botnet Nameservers Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.globalsinet.com [208.53.160.13] 119.228.173.82 77.253.89.105 83.20.45.106 83.9.158.20 94.42.1.1
ns1.dortfoot.com [208.53.160.13] 119.228.173.82 77.253.89.105 83.20.45.106 83.9.158.20 94.42.1.1

The data shows dual 5-IP site hosting zombie botnets where the criminal owned nameservers ns1.globalsinet.com and ns1.dortfoot.com hosted by FDC Servers of Chicago on IP address 208.53.160.13 are acting as zombie botnet controllers 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting.

***Latest News*** 8th. Jun 2009
News from Frank Bear - the nameserver domains dortfoot.com, mail-start.net and globalsinet.com have finally been suspended by Gandi SAS. The crooks are back up on new nameservers:

The Zombie Botnet DNS Data (Valid for domains gloshi.eu, gloship.eu and hurec.eu)
Looking up at the 2 gloship.eu. parent servers:

Zombie Botnet Nameservers Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.searchusing.com [208.53.160.13] 41.104.29.180 76.24.223.148 77.254.36.233 83.20.61.132 94.42.30.194
ns1.compare-translated.net [208.53.160.13] 41.104.29.180 76.24.223.148 77.254.36.233 83.20.61.132 94.42.30.194

The data shows dual 5-IP site hosting zombie botnets where the criminal owned nameservers ns1.searchusing.com and ns1.compare-translated.net hosted by FDC Servers of Chicago on IP address 208.53.160.13 are acting as zombie botnet controllers 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting.

The Zombie Botnet DNS Data (Valid for domains shipag.eu, shige.eu, shipa.eu and globash.eu)
Looking up at the 2 shipag.eu. parent servers:

Zombie Botnet Nameservers Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.viperdomains.net [208.53.160.13] 41.104.29.180 76.24.223.148 77.254.36.233 83.20.61.132 94.42.30.194
ns1.forvard-direct.com [208.53.160.13] 41.104.29.180 76.24.223.148 77.254.36.233 83.20.61.132 94.42.30.194

The data shows dual 5-IP site hosting zombie botnets where the criminal owned nameservers ns1.viperdomains.net and ns1.forvard-direct.com hosted by FDC Servers of Chicago on IP address 208.53.160.13 are acting as zombie botnet controllers 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting.

***Latest News*** 10th. Jun 2009
The criminals have a new botnet host - Spry Hosting of Seattle:
The Zombie Botnet DNS Data (Valid for domains gloshi.eu, gloship.eu and hurec.eu)
Looking up at the 2 gloshi.eu. parent servers:

Zombie Botnet Nameservers Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.searchusing.com [67.223.241.148] 24.147.248.77 81.203.120.233 83.20.67.194 89.174.126.43 89.35.154.85
ns1.compare-translated.net [67.223.241.148] 24.147.248.77 81.203.120.233 83.20.67.194 89.174.126.43 89.35.154.85

The data shows dual 5-IP site hosting zombie botnets where the criminal owned nameservers ns1.searchusing.com and ns1.compare-translated.net hosted by Spry Hosting of Seattle/VPSLink.com on IP address 67.223.241.148 are acting as zombie botnet controllers 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting.

The Zombie Botnet DNS Data (Valid for domains shipag.eu, shige.eu, shipa.eu and globash.eu)
Looking up at the 2 shipag.eu. parent servers:

Zombie Botnet Nameservers Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.viperdomains.net [67.223.241.148] 24.147.248.77 81.203.120.233 83.20.67.194 89.174.126.43 89.35.154.85
ns1.forvard-direct.com [208.53.160.13] Timeout

The data shows dual 5-IP site hosting zombie botnets where the criminal owned nameservers ns1.viperdomains.net and ns1.forvard-direct.com hosted by Spry Hosting of Seattle/VPSLink.com on IP address 67.223.241.148 are acting as zombie botnet controllers 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting. The crook has not transferred his nameserver ns1.forvard-direct.com on to the new host for some reason so it is currently timing out.

***Latest News*** 13th. Jun 2009
The Spry Hosting botnet has been shut down and the criminal has a new botnet host:
The Zombie Botnet DNS Data (Valid for domains gloshi.eu, gloship.eu and hurec.eu)
Looking up at the 2 gloshi.eu. parent servers:

Zombie Botnet Nameservers Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.searchusing.com [94.76.240.2] 200.77.204.131 201.233.203.216 41.104.117.144 76.24.223.148 98.203.245.151
ns1.compare-translated.net [94.76.240.2] 200.77.204.131 201.233.203.216 41.104.117.144 76.24.223.148 98.203.245.151

The data shows dual 5-IP site hosting zombie botnets where the criminal owned nameservers ns1.searchusing.com and ns1.compare-translated.net hosted by Poundhost-4294/Blueconnex Networks Ltd on IP address 94.76.240.2 are acting as zombie botnet controllers 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting.

The Zombie Botnet DNS Data (Valid for domains shipag.eu, shige.eu, shipa.eu and globash.eu)
Looking up at the 2 shipag.eu. parent servers:

Zombie Botnet Nameservers Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.viperdomains.net [94.76.240.2] 200.77.204.131 201.233.203.216 41.104.117.144 76.24.223.148 98.203.245.151
ns1.forvard-direct.com [208.53.160.13] Timeout

The data shows a 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.viperdomains.net hosted by Poundhost-4294/Blueconnex Networks Ltd on IP address 94.76.240.2 is acting as zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting. The crook has not transferred his nameserver ns1.forvard-direct.com on to the new host for some reason so it is currently timing out.

***Latest News*** 29th. Jun 2009
Little has changed - all of the criminal's .eu domains are still active courtesy of Interdomain SA/Eurid.eu. New domains reported by site contact - shage.eu and systdll.net registered with Interdomain SA and Gandi SAS respectively. New botnet details:

The Zombie Botnet DNS Data (Valid for domains gloshi.eu, gloship.eu, hurec.eu and systdll.net)

Looking up at the 2 gloshi.eu. parent servers:

Zombie Botnet Nameservers Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.searchusing.com [194.150.121.92] 24.136.214.23 24.99.40.87 77.254.51.227 79.116.170.166 98.209.65.116
ns1.compare-translated.net [194.150.121.92] 24.136.214.23 24.99.40.87 77.254.51.227 79.116.170.166 98.209.65.116

The data shows dual 5-IP site hosting zombie botnets where the criminal owned nameservers ns1.searchusing.com and ns1.compare-translated.net hosted by IKCSNet/OthelloColo.net/tidyhosts.com on IP address 194.150.121.92 are acting as zombie botnet controllers 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting.

The Zombie Botnet DNS Data (Valid for domains shipag.eu, shige.eu, shipa.eu, shage.eu)
Looking up at the 2 shipag.eu. parent servers:

Zombie Botnet Nameservers Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.viperdomains.net [194.150.121.92] 24.136.214.23 24.99.40.87 77.254.51.227 79.116.170.166 98.209.65.116
ns1.forvard-direct.com [208.53.160.13] Timeout

The data shows a 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.viperdomains.net hosted by IKCSNet/OthelloColo.net/tidyhosts.com on IP address 194.150.121.92 is acting as zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting.
The Zombie Botnet DNS Data (Valid for domain globash.eu)
I include the DNS data in its entirety for this domain as there is something unusual (and puzzling) about it:
DNS Lookup: globash.eu A record
Searching for globash.eu A record at h.root-servers.net [128.63.2.53]: Got referral to x.nic.eu. (zone: eu.)
Searching for globash.eu A record at x.nic.eu. [194.0.1.19]: Got referral to ns1.viperdomains.net. (zone: globash.eu.)
Searching for globash.eu A record at ns1.viperdomains.net. [194.150.121.92]: Reports globash.eu.
Response:
Domain Type Class TTL Answer
globash.eu. A IN 1800 84.121.117.57
globash.eu. A IN 1800 88.171.125.96
globash.eu. A IN 1800 94.26.40.78
globash.eu. A IN 1800 79.115.225.2
globash.eu. A IN 1800 83.20.53.3
globash.eu. NS IN 1800 ns2.viperdomains.net.
globash.eu. NS IN 1800 ns2.forvard-direct.com.
globash.eu. NS IN 1800 ns1.viperdomains.net.
globash.eu. NS IN 1800 ns1.forvard-direct.com.
ns1.viperdomains.net. A IN 1800 194.150.121.92
ns1.forvard-direct.com. A IN 172620 208.53.160.13
ns2.viperdomains.net. A IN 1800 66.52.17.156

DNS Traversal for globash.eu.
Getting NS record list at f.root-servers.net... Done!

Looking up at the 9 eu. parent servers:
Server Response
u.nic.eu [204.74.112.247] ns1.holdendsold.net. ns1.viperdomains.net.
x.nic.eu [194.0.1.19] ns1.holdendsold.net. ns1.viperdomains.net.
a.nic.eu [91.200.16.100] ns1.holdendsold.net. ns1.viperdomains.net.
m.nic.eu [217.29.76.13] ns1.holdendsold.net. ns1.viperdomains.net.
b.eu.dns.be [193.190.135.100] ns1.holdendsold.net. ns1.viperdomains.net.
v.nic.eu [204.74.113.247] ns1.holdendsold.net. ns1.viperdomains.net.
p.nic.eu [195.47.235.130] ns1.holdendsold.net. ns1.viperdomains.net.
l.nic.eu [195.66.241.178] ns1.holdendsold.net. ns1.viperdomains.net.
l.eu.dns.be [193.2.221.60] ns1.holdendsold.net. ns1.viperdomains.net.

Status: Records all match.

Looking up at the 2 globash.eu. parent servers:
Zombie Botnet Nameservers Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.holdendsold.net [204.116.57.2] 213.63.151.96 38.102.19.237 79.115.225.2 84.121.117.57 94.26.40.78
ns1.viperdomains.net [194.150.121.92] 79.115.225.2 83.20.53.3 84.121.117.57 88.171.125.96 94.26.40.78

Status: Records DO NOT all match: Results from ns1.holdendsold.net do not match results from ns1.viperdomains.net [TTL varies: 168 vs 1800].

As you can see, the zone's own NS records (returned alongside the A records by ns1.viperdomains.net) list the nameservers for the domain as ns1.viperdomains.net [194.150.121.92], ns1.forvard-direct.com [208.53.160.13], ns2.viperdomains.net [66.52.17.156] and ns2.forvard-direct.com (no address returned), whereas the nine .eu parent servers all delegate the domain to ns1.holdendsold.net and ns1.viperdomains.net only. The nameserver ns2.viperdomains.net [66.52.17.156] does not respond and is unpingable so I think it can be discounted as a genuine nameserver. Similarly the nameserver ns1.forvard-direct.com [208.53.160.13] has been disabled by FDC Servers. The nameserver ns1.holdendsold.net [204.116.57.2] is the puzzling one: it is using a supposedly suspended domain (holdendsold.net - Spiritdomains), but it is hosted on a Spirit Telecom/Rock Hill Telephone Company/SUNBELT-AS IP (204.116.57.2), it is responding to queries and returning zombie 'A' records, and the five zombies it returns only partly overlap the five returned by ns1.viperdomains.net, which is why the traversal above reports that the records do not match.
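The checks behind the tables on this page, as an added example that is not the page's own tooling: a Python script that takes delegation snapshots of the kind shown above (which nameservers the parent delegates to, what each nameserver answers, the zone's own NS records where captured) and reports the things a practitioner looks for in the 'host by proxy' pattern: parent/zone NS mismatch, nameservers disagreeing on the A-record set, a handful of A records in unrelated networks on a short TTL with every nameserver sitting on one hosting IP that never appears among the A records, the controller moving from host to host between snapshots, and zombie IPs that come back in later snapshots. The data structures, thresholds and function names are this example's assumptions; the figures are transcribed from the 29-Jun-2009 globash.eu lookup above (TTLs from its "TTL varies" line) and from the gshipagc.com lookups in the September and October entries further down, keeping only the two originally delegated nameservers and treating the "Later" 1-Oct entry as its own snapshot. The RDNS and TRACERT steps need live queries and are not reproduced.

```python
# Added example: checks for the 'host by proxy' fast-flux pattern described on this
# page, run over delegation snapshots transcribed from the page's own DNS lookups.
# Data structures, thresholds and function names are this example's assumptions.
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Optional, Sequence, Set, Tuple

@dataclass(frozen=True)
class NsAnswer:
    host_ip: Optional[str]        # IP the NS name itself resolves to; None = timed out
    a_records: Tuple[str, ...]    # A records it handed out for the domain
    ttl: Optional[int] = None     # TTL on those A records, where the page records it

@dataclass(frozen=True)
class Snapshot:
    date: str
    domain: str
    parent_ns: Tuple[str, ...]    # NS names the TLD parent delegates to
    answers: Dict[str, NsAnswer]  # NS name -> what it answered
    apex_ns: Tuple[str, ...] = () # NS records inside the zone itself, if captured

def delegation_mismatch(s: Snapshot) -> Tuple[Set[str], Set[str]]:
    """(NS the parent delegates to but the zone omits, NS the zone lists but the parent omits)."""
    parent, apex = set(s.parent_ns), set(s.apex_ns)
    return parent - apex, apex - parent

def answer_disagreement(s: Snapshot) -> bool:
    """True when responding nameservers hand out different A-record sets for the same name."""
    sets = {frozenset(a.a_records) for a in s.answers.values() if a.host_ip and a.a_records}
    return len(sets) > 1

def controller_ips(s: Snapshot) -> Set[str]:
    """Hosting IPs the nameservers themselves sit on (the controller), as opposed to the zombies."""
    return {a.host_ip for a in s.answers.values() if a.host_ip}

def flux_indicators(s: Snapshot) -> Dict[str, bool]:
    """Heuristics for the pattern: ~5 A records in unrelated networks on a short TTL, all NS
    on one hosting IP that never appears among the A records. Thresholds are assumptions."""
    a_ips = {ip for a in s.answers.values() for ip in a.a_records}
    prefixes = {ip_network(f"{ip}/16", strict=False) for ip in a_ips}
    ttls = [a.ttl for a in s.answers.values() if a.ttl is not None]
    return {
        "many_a_records": len(a_ips) >= 5,
        "scattered_prefixes": len(prefixes) >= 4,
        "short_ttl": bool(ttls) and min(ttls) <= 1800,
        "ns_share_one_host": len(controller_ips(s)) == 1 and len(s.answers) > 1,
        "ns_host_not_a_record": controller_ips(s).isdisjoint(a_ips),
    }

def controller_moves(snaps: Sequence[Snapshot], ns_name: str) -> List[Tuple[str, str, str]]:
    """Where one controller nameserver moved between snapshots: (date, old_ip, new_ip)."""
    moves, prev = [], None
    for s in snaps:
        ans = s.answers.get(ns_name)
        ip = ans.host_ip if ans else None
        if prev is not None and ip is not None and ip != prev:
            moves.append((s.date, prev, ip))
        if ip is not None:
            prev = ip
    return moves

def reused_zombies(snaps: Sequence[Snapshot]) -> Dict[str, List[str]]:
    """A-record IPs that turn up in more than one snapshot, with the dates seen."""
    seen: Dict[str, List[str]] = {}
    for s in snaps:
        for ip in sorted({ip for a in s.answers.values() for ip in a.a_records}):
            seen.setdefault(ip, []).append(s.date)
    return {ip: dates for ip, dates in seen.items() if len(dates) > 1}

# Transcribed from this page: the 29-Jun-2009 globash.eu lookup (TTLs from its
# "TTL varies: 168 vs 1800" line) and the Sept/Oct-2009 gshipagc.com lookups.
GLOBASH_29JUN = Snapshot(
    date="2009-06-29", domain="globash.eu",
    parent_ns=("ns1.holdendsold.net", "ns1.viperdomains.net"),
    apex_ns=("ns1.viperdomains.net", "ns2.viperdomains.net",
             "ns1.forvard-direct.com", "ns2.forvard-direct.com"),
    answers={
        "ns1.holdendsold.net": NsAnswer("204.116.57.2", (
            "213.63.151.96", "38.102.19.237", "79.115.225.2", "84.121.117.57", "94.26.40.78"), 168),
        "ns1.viperdomains.net": NsAnswer("194.150.121.92", (
            "79.115.225.2", "83.20.53.3", "84.121.117.57", "88.171.125.96", "94.26.40.78"), 1800),
    },
)

def _gshipagc(date: str, scothc_ip: str, recs: Tuple[str, ...], viper_ip: Optional[str] = None) -> Snapshot:
    # Both delegated NS returned the same set whenever both answered; a None IP records a timeout.
    return Snapshot(date=date, domain="gshipagc.com",
                    parent_ns=("ns1.scothc.net", "ns1.viperdomains.net"),
                    answers={"ns1.scothc.net": NsAnswer(scothc_ip, recs),
                             "ns1.viperdomains.net": NsAnswer(viper_ip, recs if viper_ip else ())})

GSHIPAGC = [
    _gshipagc("2009-09-13", "67.220.213.26",
              ("66.212.155.140", "69.207.48.49", "74.3.203.93", "77.22.125.13", "89.74.19.174")),
    _gshipagc("2009-09-26", "65.60.6.189",
              ("173.30.136.86", "74.3.203.93", "79.164.56.192", "89.229.198.123", "98.206.249.20")),
    _gshipagc("2009-10-01", "67.23.190.176",
              ("189.220.50.125", "62.38.213.203", "79.112.31.205", "81.203.251.235", "85.136.128.59"),
              viper_ip="67.23.190.176"),
    _gshipagc("2009-10-01 later", "204.12.210.235",
              ("77.254.206.134", "81.203.251.235", "85.136.128.59", "88.161.134.125", "91.96.142.100")),
]
```

On the globash.eu snapshot the script reports that the parent delegates to ns1.holdendsold.net while the zone omits it, that the two responding nameservers disagree on the A-record set, and that all the flux indicators except "one shared controller host" fire (the two nameservers sit on different hosts, which is exactly what was puzzling). On the gshipagc.com series it lists ns1.scothc.net moving through four hosting IPs in under three weeks and three zombie IPs that reappear in a later snapshot. The /16 prefix count is a crude stand-in for the RDNS check: it separates a scatter of consumer-line addresses from a single hosting block, but it says nothing about whether an address is residential, so it complements rather than replaces a PTR or whois lookup.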

***Latest News*** 1st. July 2009
The following actions have been taken:
1) The following domains have been suspended/disabled: globash.eu, gloshi.eu, gloship.eu, hurec.eu, shipag.eu, shige.eu, shipa.eu and shage.eu - in fact the only known domain that remains active is the Gandi SAS registered domain systdll.net

2) The botnet nameserver hosting on IP address 194.150.121.92 has been terminated by Tidyhosts.
Please notify me of any active domains for this criminal.
Later: The domain systdll.net has been suspended by Gandi SAS. Before it was suspended it was resolving to a new 'Rockphish' fraud - San Diego Car Centre which appeared to be a Spanish language version of the old Sydney Car Centre fraud. Please notify me of any active domains for either fraud.

***Latest News*** 10th. August 2009
I haven't had any feedback on this scam for a while, then a few snippets came in at once so perhaps it's time to update it. New domain notified: shipbal.com registered with GKG.NET, INC. (05-Aug-2009) also shipbal.net, GKG.NET, INC. (05-Aug-2009), both hosted on the following zombie botnet:

The Zombie Botnet DNS Data (Valid for domain shipbal.com, shipbal.net)
Looking up at the 2 shipbal.com. parent servers:

Zombie Botnet Nameservers Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.frox-tory.com [69.162.114.163] 122.124.131.249 190.64.159.66 78.37.241.71 83.2.169.14 83.29.56.146
ns1.compare-translated.net [69.162.114.163] 122.124.131.249 190.64.159.66 78.37.241.71 83.2.169.14 83.29.56.146

The data shows a dual 5-IP site hosting zombie botnet where the criminal owned nameservers ns1.frox-tory.com and ns1.compare-translated.net, both hosted by Limestone Networks, Inc. on IP address 69.162.114.163 are acting as zombie botnet controllers 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting. Please notify me of any unlisted active domains for this criminal.

Another domain gshipagc.com is registered with  and hosted on the following zombie botnet along with domain gshipagc.net:

The Zombie Botnet DNS Data (Valid for domain gshipagc.com, gshipagc.net)
Looking up at the 2 gshipagc.com. parent servers:

Zombie Botnet Nameservers Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.viperdomains.net [69.162.114.163] 217.197.253.132 77.239.68.38 81.218.141.170 87.116.244.16 95.76.124.96
ns1.scothc.net [69.162.114.163] 217.197.253.132 77.239.68.38 81.218.141.170 87.116.244.16 95.76.124.96

The data shows a dual 5-IP site hosting zombie botnet where the criminal owned nameservers ns1.viperdomains.net and ns1.scothc.net, both hosted by Limestone Networks, Inc. on IP address 69.162.114.163 are acting as zombie botnet controllers 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting. Please notify me of any unlisted active domains for this criminal.

***Latest News*** 14th. August 2009
News from Frank Bear - the domains shipbal.com and shipbal.net have been suspended by the registrar.
The Limestone Networks botnet has been disconnected and the crooks are up on a new botnet as follows:

The Zombie Botnet DNS Data (Valid for domain gshipagc.com, gshipagc.net)
Looking up at the 2 gshipagc.com. parent servers:

Zombie Botnet Nameservers Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.scothc.net [198.177.253.142] 124.122.91.173 217.75.56.78 218.220.193.58 82.131.239.92 83.10.34.71
ns1.viperdomains.net [198.177.253.142] 124.122.91.173 217.75.56.78 218.220.193.58 82.131.239.92 83.10.34.71

The data shows a dual 5-IP site hosting zombie botnet where the criminal owned nameservers ns1.viperdomains.net and ns1.scothc.net, both hosted by Allerion, Inc./NET2ATLANTA.COM, LLC on IP address 198.177.253.142 are acting as zombie botnet controllers 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting. Please notify me of any unlisted active domains for this criminal.
Later:
The NET2ATLANTA.COM, LLC botnet has been promptly shut down and the criminals are back up on their Limestone Networks hosted VPS on IP address 69.162.114.163:

The Zombie Botnet DNS Data (Valid for domain gshipagc.com, gshipagc.net, dhippag.com, dhippan.net, dhippag.net)

Looking up at the 2 gshipagc.com. parent servers:

Zombie Botnet Nameservers Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.scothc.net [69.162.114.163] 189.81.104.145 189.81.233.95 201.235.189.80 77.253.15.91 79.185.130.155 
ns1.viperdomains.net [69.162.114.163] 189.81.104.145 189.81.233.95 201.235.189.80 77.253.15.91 79.185.130.155 

The data shows a dual 5-IP site hosting zombie botnet where the criminal owned nameservers ns1.viperdomains.net and ns1.scothc.net, both hosted by Limestone Networks, Inc. on IP address 69.162.114.163 are acting as zombie botnet controllers 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting. Please notify me of any unlisted active domains for this criminal. (They are also using nameservers ns1.frox-tory.com and ns1.compare-translated.net on the same IP, but I don't currently know the main domains on those nameservers).

***Latest News*** 16th. August 2009
New domain spotted in the wild - dhippag.com registered with GKG.NET, INC. (12-Aug-2009) and hosted on the above Limestone Networks zombie botnet. Unfortunately Limestone Networks have not responded to any attempts to contact them regarding this criminal activity that they are hosting, (first attempt 10th. August).

***Latest News*** 17th. August 2009
New domain notified by site contact - dhippan.net and dhippag.net also discovered. All domains are hosted on the above Limestone Networks hosted 'Rockphish' zombie botnet. Unfortunately it would appear that Limestone Networks are now a 'blackhat' host and have not responded to numerous attempts to contact them since 10-Aug-2009 regarding the criminal activity that they are hosting.

***Latest News*** 18th. August 2009
Limestone Networks have finally responded to abuse reports, (first sent 10-Aug-2009) and have disconnected the above botnet. They also state they are not a 'blackhat' host and say that they do their best to deal with all abuse issues in a timely manner.

***Latest News*** 19th. August 2009
New domains reported by site contacts - globipi.com and globipp.com, (also globipp.net noted), all registered with GKG.NET, INC. (12-Aug-2009) and hosted on the following botnet:

The Zombie Botnet DNS Data (Valid for domain globipp.com, globipp.net, globipi.com)
Looking up at the 2 globipp.com. parent servers:

Zombie Botnet Nameservers Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.frox-tory.com [12.191.45.201] 190.245.51.98 201.241.34.80 58.9.30.74 89.253.10.88 95.209.39.160
ns1.compare-translated.net [12.191.45.201] 190.245.51.98 201.241.34.80 58.9.30.74 89.253.10.88 95.209.39.160

The data shows a dual 5-IP site hosting zombie botnet where the criminal owned nameservers ns1.frox-tory.com and ns1.compare-translated.net, both hosted by AT&T WorldNet Service/Floyd Morrissette dba newwebsite.com on IP address 12.191.45.201 are acting as zombie botnet controllers 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting. Please notify me of any unlisted active domains for this criminal.

The Zombie Botnet DNS Data (Valid for domain gshipagc.com, gshipagc.net, dhippag.com, dhippan.net, dhippag.net)
Looking up at the 2 gshipagc.com. parent servers:

Zombie Botnet Nameservers Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.viperdomains.net [12.191.45.201] 200.127.193.108 217.132.191.122 77.239.71.251 85.137.234.211 88.244.235.137
ns1.scothc.net [12.191.45.201] 200.127.193.108 217.132.191.122 77.239.71.251 85.137.234.211 88.244.235.137

The data shows a dual 5-IP site hosting zombie botnet where the criminal owned nameservers ns1.viperdomains.net and ns1.scothc.net, both hosted by AT&T WorldNet Service/Floyd Morrissette dba newwebsite.com on IP address 12.191.45.201 are acting as zombie botnet controllers 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting. Please notify me of any unlisted active domains for this criminal.

***Latest News*** 20th. August 2009
The botnet hosting has been disconnected by Floyd Morrissette dba newwebsite.com and the crooks are back up on the VolumeDrive IP address 204.124.180.216 as follows:

The Zombie Botnet DNS Data (Valid for domains globipp.com, globipp.net, globipi.com)
Looking up at the 2 globipp.com. parent servers:

Zombie Botnet Nameservers Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.frox-tory.com [204.124.180.216] 79.191.24.32 81.192.46.20 124.121.183.248 59.95.214.156 78.177.236.67
ns1.compare-translated.net [204.124.180.216] 79.191.24.32 81.192.46.20 124.121.183.248 59.95.214.156 78.177.236.67

The data shows a dual 5-IP site hosting zombie botnet where the criminal owned nameservers ns1.frox-tory.com and ns1.compare-translated.net, both hosted by VolumeDrive of Clarks Summit, PA on IP address 204.124.180.216 are acting as zombie botnet controllers 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting. Please notify me of any unlisted active domains for this criminal.

The Zombie Botnet DNS Data (Valid for domain gshipagc.com, gshipagc.net)
Looking up at the 2 gshipagc.com. parent servers:

Zombie Botnet Nameservers Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.viperdomains.net [204.124.180.216] 79.191.24.32 81.192.46.20 124.121.183.248 59.95.214.156 78.177.236.67
ns1.scothc.net [204.124.180.216] 79.191.24.32 81.192.46.20 124.121.183.248 59.95.214.156 78.177.236.67

The data shows a dual 5-IP site hosting zombie botnet where the criminal owned nameservers ns1.viperdomains.net and ns1.scothc.net, both hosted by VolumeDrive of Clarks Summit, PA on IP address 204.124.180.216 are acting as zombie botnet controllers 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting. Please notify me of any unlisted active domains for this criminal.

***Latest News*** 26th. August 2009
Domains dhippag.com, dhippag.net and dhippan.net suspended, otherwise situation unchanged. Many attempts have been made to contact VolumeDrive of Clarks Summit, PA using different email addresses, using minimal content in emails to bypass their spam filters and via their webform. As there has been no response to any approach I think it fair to say that they don't want to know that they are hosting criminal content and I'm happy to list them as a blackhat provider.

***Latest News*** 28th. August 2009
The domains globipp.com, globipp.net, globipi.com have been suspended by the registrar. The domains gshipagc.com, gshipagc.net remain active on the above botnet hosted by VolumeDrive of Clarks Summit, PA who are "looking into it" - please notify me of any unlisted active domains for this criminal.

***Latest News*** 3rd. September 2009
VolumeDrive of Clarks Summit, PA knowingly supported these 'Rockphish' criminals for a considerable time and, considering the misery these criminals cause to their victims, thoroughly deserved both their 'blackhat' listing and the 'accessory after the fact' complaint filed with law enforcement. The crooks are now on a new botnet host - XO Communications/Next Growth, LLC on IP address 67.91.182.112. Botnet DNS details:
The Zombie Botnet DNS Data (Valid for domain gshipagc.com, gshipagc.net)

Looking up at the 2 gshipagc.com. parent servers:

Zombie Botnet Nameservers Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.viperdomains.net [67.91.182.112] 112.201.3.213 78.109.252.199 79.121.5.93 79.184.38.184 84.224.76.244
ns1.scothc.net [67.91.182.112] 112.201.3.213 78.109.252.199 79.121.5.93 79.184.38.184 84.224.76.244

The data shows a dual 5-IP site hosting zombie botnet where the criminal owned nameservers ns1.viperdomains.net and ns1.scothc.net, both hosted by XO Communications/Next Growth, LLC on IP address 67.91.182.112 are acting as zombie botnet controllers 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting.
***Please notify me of any unlisted active domains for this criminal***.


***Latest News*** 4th. September 2009
In marked contrast to VolumeDrive of Clarks Summit, PA, XO Communications/Next Growth, LLC seem to have taken immediate action to cease the botnet hosting.

***Latest News*** 6th. September 2009
The criminal has a new botnet host:
The Zombie Botnet DNS Data (Valid for domain gshipagc.com, gshipagc.net)
Looking up at the 2 gshipagc.com. parent servers:

Zombie Botnet Nameservers Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.viperdomains.net [67.23.190.176] 195.56.239.220 79.109.144.180 82.131.239.201 88.109.26.47 88.243.244.141
ns1.scothc.net [67.23.190.176] 195.56.239.220 79.109.144.180 82.131.239.201 88.109.26.47 88.243.244.141

The data shows a dual 5-IP site hosting zombie botnet where the criminal owned nameservers ns1.viperdomains.net and ns1.scothc.net, both hosted by NETRIPLEX LLC of Asheville, NC on IP address 67.23.190.176 are acting as zombie botnet controllers 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting.

***Latest News*** 13th. September 2009
The VPS on 67.23.190.176 has been suspended by its owner, Turbovps.com and the criminal has a new botnet host:

The Zombie Botnet DNS Data (Valid for domain gshipagc.com, gshipagc.net)
Looking up at the 2 gshipagc.com. parent servers:

Zombie Botnet Nameservers Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.scothc.net [67.220.213.26] 66.212.155.140 69.207.48.49 74.3.203.93 77.22.125.13 89.74.19.174
ns1.viperdomains.net [67.23.190.176] Timeout

The data shows a 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.scothc.net hosted by WebNX of Los Angeles on IP address 67.220.213.26 is acting as zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). The second nameserver ns1.viperdomains.net is still pointed at the disconnected NETRIPLEX LLC of Asheville, NC/Turbovps.com IP address 67.23.190.176 and times out. See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting.

***Latest News*** 26th. September 2009
The criminal's WebNX botnet has been closed down and the crook is back up on a new botnet host:

The Zombie Botnet DNS Data (Valid for domain gshipagc.com, gshipagc.net)

Looking up at the 2 gshipagc.com. parent servers:

Zombie Botnet Nameservers Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.scothc.net [65.60.6.189] 173.30.136.86 74.3.203.93 79.164.56.192 89.229.198.123 98.206.249.20
ns1.viperdomains.net [67.23.190.176] Timeout

The data shows a 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.scothc.net hosted by SingleHop, Inc. on IP address 65.60.6.189 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting.

***Please notify me of any unlisted active domains for this criminal***.


***Latest News*** 1st. October 2009
The above SingleHop botnet has been terminated and the criminal has moved back to his previous Netriplex IP address:
The Zombie Botnet DNS Data (Valid for domains gshipagc.com, gshipagc.net)
Looking up at the 2 gshipagc.com. parent servers:

Zombie Botnet Nameservers Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.viperdomains.net [67.23.190.176] 189.220.50.125 62.38.213.203 79.112.31.205 81.203.251.235 85.136.128.59
ns1.scothc.net [67.23.190.176] 189.220.50.125 62.38.213.203 79.112.31.205 81.203.251.235 85.136.128.59
ns1.forvardpool.net [67.23.190.176] 189.220.50.125 62.38.213.203 79.112.31.205 81.203.251.235 85.136.128.59

The data shows a 5-IP site hosting zombie botnet where the criminal owned nameservers ns1.viperdomains.net, ns1.scothc.net and ns1.forvardpool.net hosted by NETRIPLEX LLC of Asheville, NC/Turbovps.com on IP address 67.23.190.176 are acting as zombie botnet controllers 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting.

***Latest News*** 1st. October 2009 - Later: The criminal's botnet has been promptly shut down by Turbovps.com and they are up on a new botnet as follows:
The Zombie Botnet DNS Data (Valid for domains gshipagc.com, gshipagc.net)
Looking up at the 2 gshipagc.com. parent servers:

Zombie Botnet Nameservers Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.scothc.net [204.12.210.235] 77.254.206.134 81.203.251.235 85.136.128.59 88.161.134.125 91.96.142.100
ns1.forvardpool.net [204.12.210.235] 77.254.206.134 81.203.251.235 85.136.128.59 88.161.134.125 91.96.142.100

The data shows dual 5-IP site hosting zombie botnets where the criminal owned nameservers ns1.scothc.net and ns1.forvardpool.net hosted by WholeSale Internet, Inc./Hosting Ventures, LLC/jumpserver.net on IP address 204.12.210.235 are acting as zombie botnet controllers 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting.

***Please notify me of any unlisted active domains for this criminal***.

***Latest News*** 1st. October 2009
IARegistry/Spiritdomains have suspended the nameserver domain scothc.net. No response from WholeSale Internet, Inc., (webform also submitted), GX Networks/123-reg.co.uk, or REG2C.COM, INC.