Globalsoft Fraud Report
Active
Domain
Don't Bear Internet Fraud

Globalsoft is yet another spamvertized money transfer fraudster from exactly the same criminals that brought you Sydney Car Centre, Harvey Investment, Draper Investment, Adamant Global, STK Consult and all the others listed on the General Information page plus the 'rockphish' phishing scammers. The Globalsoft spam headers (example below) show that the spam is distributed by zombie botnet (i.e. from infected end-user machines on ADSL/Broadband/Cable accounts) and contain forged delivery details (i.e. all different 'From' & 'Return-Path' addresses).

N.B. - There are many genuine companies with the name Globalsoft in their title. Recognise the fraudulent one by the work at home money mule job offer.


Globalsoft : Evidence of Criminal Fraud

i) The Globalsoft criminal fraudsters have stolen their website content from other sources, e.g. the Globalsoft 'Products' page is stolen from the Borland Israel 'products' page. There are many other examples stolen from the Borland site.

ii) The fraudster's website is hosted by the unresponsive host of many more of these criminals - AbdAllah Internet Hizmetleri (88.255.90.226) using the same criminal nameservers (ns1.fordns.be & ns2.fordns.be) as Cronos Investment among others.

iii) Their footer carries this info: "Copyright © 1994-2007 GlobalSoft Software Corporation" yet their spamvertised domain glb-soft.com was only registered on 18th. Oct. 2007.

iv) Numerous spams received so far to spamtrap addresses, and they all contain different forged email addresses and originate from different zombie sources, as per the example spam headers below. Further spam copies available upon request.




If anyone has a sample 'Contract of Employment' from these crooks, would they please send me it, thanks.


The 'Job' Description

23 October 2007
Job Title: Customer Service Assistant (available!)
Company: GlobalSoft
Salary: piece-rate payment (commission 5-10%)
The closing date for receipt of applications is: Friday, October 26th 2006

Our company is improving the new business model in Europe, with using help of young talented software developers from many different countries (countries of EU, Azerbaijan, Armenia, China, Baltic States, Georgia, Hong Kong, Indonesia, Kazakhstan, Russia, Vietnam, etc).

Now we are hiring a group of people (Customer Service Assistants) from UK, Spain,Italy and Germany to help our team organize cooperation between these young talented software developers and our clients.

This is a new opportunity from GlobalSoftCompany. No special skills or experience required
Our friendly working team will be always ready to contact you for any questions and will help you to achieve success in all your beginnings.

We offer you:
payments 1900 – 3100 GBP per month;
time flexibility - arranging your own hours, working according to your own time schedule; Stability/Security - working in a secure job that pays you reasonably well;
Independence/Autonomy - doing what you want to do without much direction from others;
Group membership - belonging to a group with a common purpose and/or interest.


Requirements
To start this position you have to be over 18, to have computer with internet access and mobile phone.
Previous experience is not important for this position, but we will ask you for your CV. Also you will need to send us the copy of your ID, driving license or passport. It will be used for employment agreement. The employment agreement will be signed, with special right to terminate it at any time upon giving writing notice.

If you are interested in this position or want to get more detailed information, please apply here and we will contact you as soon as possible.


The above evidence clearly demonstrates that this stolen Globalsoft website has been set up by money laundering criminals purely for the purpose of spamvertising an illegal money laundering 'mule' job and is undoubtedly related to Draper Investment, Harvey Investment, Adamant Global, Sydney Car Centre and the rest of the money laundering criminal fraudsters' aliases documented here. If you are an abuse team that has received an abuse report regarding these fraudsters, please consider immediate termination of their services in view of the evidence of site theft, copyright offences, criminal money laundering activity and spamming - please don't delay - these criminals will not respond to any communication from you (all their whois data is false), but will simply take advantage of any attempt at communication as a delaying tactic to allow them time to carry on their criminal activity and prepare their next network.

Do not be misled - these are professional criminals with a long history of fraud as detailed on the General Information page and are the same criminals as the 'rockphish' phishing fraudsters, so if a host or registrar shelters these crooks then they are also sheltering them and aiding and abetting their criminal 'phishing' fraud activities.


Globalsoft Fraudsters - current hosting details [Updated 10/10/2007]


Current Hosts

AbdAllah Internet Hizmetleri (88.255.90.226)



Current Main Domains and Registrars

glb-soft.com - ONLINENIC, INC. (Rustelekom Ltd.) Suspended

See table below for the full list of known active & suspended main domains for this criminal.


Current Botnet Nameserver Domains and Registrars

Not botnet hosted at present

See table below for the full list of known active & suspended nameserver domains for this criminal.

The Spam Headers

Return-Path: <eddy@la-mark.com.pl>
Received: from mwinf3428.me.freeserve.com (mwinf3428.me.freeserve.com)
    by mwinb3406 (SMTP Server) with LMTP; Wed, 24 Oct 2007 06:40:20 +0200
X-Sieve: Server Sieve 2.2
Envelope-to: xxxxxxxxxx.freeserve.co.uk
Received: from me-wanadoo.net (localhost [127.0.0.1])
    by mwinf3428.me.freeserve.com (SMTP Server) with ESMTP id xxxxxxxxxx
    for <xxxxxxxxxx.freeserve.co.uk>; Wed, 24 Oct 2007 06:40:20 +0200 (CEST)
Received: from ip-197.88.126.206.dsl-cust.ca.inter.net (ip-197.88.126.206.dsl-cust.ca.inter.net [206.126.88.197])
    by mwinf3428.me.freeserve.com (SMTP Server) with SMTP id xxxxxxxxxx
    for <xxxxxxxxxx>; Wed, 24 Oct 2007 06:40:20 +0200 (CEST)
X-ME-UUID: xxxxxxxxxx@mwinf3428.me.freeserve.com
Message-ID: <xxxxxxxxxx@la-mark.com.pl>
Date: Wed, 24 Oct 2007 00:39:31 -0400
From: Helen Evans <Eddy@la-mark.com.pl>
User-Agent: Mozilla Thunderbird 1.0.6 (X11/20050716)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: xxxxxxxxxx.freeserve.co.uk
Subject: Work 2 hours a day
Content-Type: text/plain; charset=iso-8859-1; format=flowed
Content-Transfer-Encoding: 8bit

Recipient & message id munged.

All the spam so far received comes from different source addresses.

The first thing to notice is the spam source IP. Reading from the bottom upwards (following the routing, as is the norm when parsing headers), the actual trusted source IP that cannot be forged is the one received by the recipient's email provider (Freeserve), and that is in this line:

Received: from ip-197.88.126.206.dsl-cust.ca.inter.net (ip-197.88.126.206.dsl-cust.ca.inter.net [206.126.88.197])
    by mwinf3428.me.freeserve.com (SMTP Server) with SMTP id xxxxxxxxxx


In this Received line the source IP address is 206.126.88.197, the reverse DNS (RDNS) for which correctly indicates 197.88.126.206.dsl-cust.ca.inter.net, which confirms that the source address is genuine.

In the above RDNS sender identity note the letters dsl. These stand for Digital Subscriber Line and tell you for sure that the spam has come from an end user's computer on a DSL network in Montreal, Canada (from the whois data for the IP address). "Well", you say, "there's your criminal". Unfortunately not - he or she may be guilty of criminal stupidity by not having a firewall or clicking on the latest nude pictures of Britney Spears, but unfortunately probably not criminal fraud - he/she is just one of tens of thousands of 'zombies' - computers that have been infected with a zombie virus or worm. What it does tell you is that the Globalsoft spammer uses a zombie botnet to distribute his spam in exactly the same way as Sydney Car Centre, Draper Invest, Harvey Invest, Adamant Global and all the rest of these criminals.

Lastly, Eddy@la-mark.com.pl is not "Globalsoft" - this is just another forged email address which may or may not actually exist. Incidentally, never 'bounce' spam back to the 'sender', as it only bounces back to a forged address which, if real, will only belong to an innocent third party who will understandably be a little peeved with you, and if you do it a lot you could get your ISP's SMTP IP range blacklisted and they will be even more upset with you & could justifiably close your account.
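
The header reading described above, automated as an added example (not part of the original report): it walks the Received lines, keeps only the hop stamped by the recipient's own provider, and reports the external source IP with two simple hints. The function name, the list of access-line labels and the trusted suffix ".freeserve.com" are assumptions made for this sample.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Routing headers from the spam sample on this page (ids munged, other headers trimmed).
SAMPLE = """\
Return-Path: <eddy@la-mark.com.pl>
Received: from mwinf3428.me.freeserve.com (mwinf3428.me.freeserve.com)
    by mwinb3406 (SMTP Server) with LMTP; Wed, 24 Oct 2007 06:40:20 +0200
Received: from me-wanadoo.net (localhost [127.0.0.1])
    by mwinf3428.me.freeserve.com (SMTP Server) with ESMTP id xxxxxxxxxx
    for <xxxxxxxxxx.freeserve.co.uk>; Wed, 24 Oct 2007 06:40:20 +0200 (CEST)
Received: from ip-197.88.126.206.dsl-cust.ca.inter.net (ip-197.88.126.206.dsl-cust.ca.inter.net [206.126.88.197])
    by mwinf3428.me.freeserve.com (SMTP Server) with SMTP id xxxxxxxxxx
    for <xxxxxxxxxx>; Wed, 24 Oct 2007 06:40:20 +0200 (CEST)
From: Helen Evans <Eddy@la-mark.com.pl>
Subject: Work 2 hours a day

"""
# "from HELO (rDNS [IP]) by RECEIVER", as stamped by the receiving MTA.
HOP = re.compile(r"from\s+(\S+)\s+\((\S+)\s*\[([0-9.]+)\]\)\s+by\s+(\S+)")
# Assumed rDNS labels hinting at a consumer access line (illustrative, not exhaustive).
ACCESS = re.compile(r"(?:^|[.-])(adsl|dsl|cable|dyn|dhcp|ppp|pool|dialup)(?:[.-]|$)")

def handoff(raw, trusted_suffixes):
    """Return the hop where the recipient's own MTA accepted the mail from outside."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    for line in msg.get_all("Received", []):      # newest hop first
        m = HOP.search(line)
        if not m:
            continue                              # internal hop without a bracketed peer IP
        helo, rdns, ip, by = m.groups()
        rdns = rdns.lower()
        if not by.lower().endswith(trusted_suffixes):
            break                                 # written by a host we do not control
        if ip.startswith("127.") or rdns.endswith(trusted_suffixes):
            continue                              # relay inside the provider
        return {"ip": ip, "rdns": rdns, "helo": helo, "by": by,
                "access_line": bool(ACCESS.search(rdns)),
                "rdns_embeds_ip": ".".join(reversed(ip.split("."))) in rdns,
                "from_matches_source": bool(from_dom) and rdns.endswith(from_dom)}
    return None

if __name__ == "__main__":
    print(handoff(SAMPLE, (".freeserve.com",)))
```

Any Received line below the returned hop was supplied by the sending machine and is ignored, which is why forged lines added by the spammer do not change the result.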


The Spam Content

The Globalsoft spam headers contain many different forged/bogus 'From' & 'Return-Path' addresses & various forged 'Received' lines. The subject lines vary & all indicate that there is a job opportunity to be had. There is - an illegal job as a money laundering 'mule' or transfer fraud victim, i.e. accepting stolen or counterfeit proceeds into your account and forwarding them on via Western Union or Moneygram for a percentage cut. Needless to say, it is these mules that will probably feel the full weight of the law while the remote money launderers are safe. The bogus or stolen funds in the mule's account may well also be recovered, leaving them with large losses.

This is the content of an actual Globalsoft scam spam:


Subjects:    Job Newsletter
                    A job which is acceptable for everybody
                    Work at your own heart’s content (sic)
                    New vacancy
                    Work 2 hours a day
                    Your occupation is only two hours a day

Content:

We are pleased to inform you about opening a new vacancy which provides the following advantages:

Position of Customer Service Assistant, we have 17 positions in total:
- Your salary may come  up to 480-730 pounds a week.
- it is possible for you to work only 2-3 hours a day (full and partial time work)
- No need in special skills and experience( we propose you an opportunity to pass through a special training) 
- You need not to make any prepayments, so you can start your work without paying a cent.


In order to get further information you need to make an application by using the
following link www.glb-soft.com/apply.php

We will be glad to answer everybody who will apply us
for the position of Reservation Manager.

Br,
Helen Evans
Human Resource Manger


Notice how that bogus job starts off as Customer Service Assistant & ends up as Reservation Manager.

Helen appears to be a manger which will really come in handy at Christmas....


The Zombie Botnet

Not zombie botnet hosted at the moment, as they appear to have a 'criminal friendly' blackhat host in AbdAllah Internet Hizmetleri, who bounce all reports to their abuse address with the bogus NDR (Non Delivery Return) message "Remote host said: 550 We are not accepting mail from bots". It is clear that AbdAllah Internet Hizmetleri are not interested in whether their clients are criminals or not.


Blocking The Spam

I have had quite a few queries about how to block the criminal's spam in Outlook Express. Fortunately they are easily detected using the OE 'Mail Rules' (Tools - Message Rules - Mail).

Rules based on the From, To etc addresses will never work as the header data is all forged. The message body remains constant, however & that can be used to detect them.

Use the rule "Where the message body contains specific words" and use "Human Resource Manger" as the search item, then choose 'delete' (or whatever action you prefer) as the action; that will definitely detect every single one of these spams.



Here are all the known domains that are/have been used for the Globalsoft fraud:

Domain | Nameserver Domains | Status | Registrar
glb-soft.com | | Suspended | ONLINENIC, INC. (Rustelekom Ltd.)

Please notify me of any errors or domains not listed here.

Notes for Registrars

i) The criminal will not respond to your challenge, but will use the notice to ready a new network - immediate suspension is requested please, if allowed for by your AUP for these serious criminal offences of site theft, money laundering fraud and prolific spamming.

If you have been a victim of this or any other of these fraudsters & would like to tell your story on these pages as a warning & to help others, please contact me.

Fraud Blog
Initial entry 24th October 2007 - more to follow...

Numerous spams received from this fraudster

***Latest News*** - 27th. Oct. 2007
Domain glb-soft.com suspended by OnlineNic. (Rustelekom Ltd.) No other domains known.