Green Tree (Warehousing) Ltd scam is the latest fraud from the money laundering department of the well known 'rockphish' criminals. It is the replacement zombie botnet hosted fraud for the Newman, Esmond & Eisenberg criminal fraudster, as clearly evidenced by the same nameservers and host IPs, and uses a website stolen from the genuine company.
If you are a registrar or a host who has received an abuse report concerning this criminal then please review the indisputable evidence below and take prompt and permanent action to shut this criminal down.
This stolen criminal fraud website should not be confused with the blameless legitimate UK company of the same name from which the criminals have stolen the above website content and who are as much a victim of this criminal as anyone else.
If
you've either received an active website link in a spam, or know of an
active domain and it is not listed in the domain tables below, then
please let us know by reporting it using the 'Report Active Domain'
option in the title bar above.
Open Data Network (JAPAN TELECOM CO.,LTD.) - 211.3.149.208
Orange Nederland Breedband B.V. - 85.150.209.34
Complex Telmatic Systems Siberia network - ns1.greentwo.net [81.16.131.40]
Sripatum University - ns2.greentwo.net [202.44.71.148]
The above table shows the
current providers of hosting services to the criminals and how long
they have been providing them for. The
decent ethical majority of service providers, (all credit to them -
they are a pleasure to deal with), act within
1-24 hours of being informed of the
criminal abuse of their system, (the
best in less than 1 hour), but there are unfortunately
some that, for whatever reason,
do not. Any hosting company that remains in the above list for more than 48
hours has not responded positively to abuse reports. If you are an abuse team that
has taken action, please let me
know so that I can update the current status by removing the above record.
Green Tree (Warehousing) Ltd :
Evidence
of Site Theft and Criminal Fraud
i) The criminal fraudsters have stolen the website of the genuine Green Tree (Warehousing) Ltd as detailed above - this fraud is simply the latest in the series of frauds including Harvey Investment, Draper Investment, Cronos Investment, Waller Truck Co., Newman, Esmond & Eisenberg frauds etc with an unfortunate new company as the victim. Examine the above screenshot of the stolen site and compare it to the genuine site. The evidence of site theft is indisputable. The criminals have simply changed the boxed location details, (but sloppily omitted to change the footer details), added a 'Vacancy' tab for their money laundering job and posted a fake Belgian telephone number. The genuine Green Tree website owners have posted the following warning of these criminals:
ii) The bogus websites are zombie botnet hosted as clearly demonstrated by the DNS data below. The initial nameservers, (ns1.uneedmc.com, ns1.book-xm.com and ns1.iwarzone.com), and initial host IPs are exactly the same as were used by the Newman, Esmond & Eisenberg criminal fraudsters, which clearly demonstrates the fact that they are one and the same criminal organisation. In fact they are using one of the 'old' Newman, Esmond & Eisenberg domains (newmanesrb.net) for the Green Tree (Warehousing) Ltd fraud website. You don't get any better proof than that it's the same gang. No legitimate company would use a zombie botnet to host their websites.
iii) The criminal's spams, (example below), contain the illegal
money mule function of accepting payments into a private bank account
and transferring them back out to the criminals less 10% via Moneygram
or Western Union - clear and irrefutable evidence of solicitation to commit money laundering fraud.
iv) The fake Green Tree (Warehousing) Ltd website contains the usual smokescreen of bogus jobs under the 'Vacancy' tab, but at the bottom is the following part-time, working from home, clear money mule function advertised as "Regional Financial Coordinator" which is the only post that is advertised in the criminal's spam, (sample below):
Regional Financial Coordinator
We are currently looking
to recruit a Regional Financial Coordinator to manage payments from the
customers based within the limits of his country. You will be our
financial intermediary in your local area and will be responsible to
remit customer payments for the ordered warehousing or shipping to
facilitate and fasten payment receipt at the headquarters of the
company. This is a brand new part-time position and has been created to
improve supply chain performance for the company as we move into a
period of substantial expansion where we will double our current
turnover.
The role includes dealing with 2-3 customer payments
a week; reviewing the balance of the bank account, where the payment is
supposed to be debited to; ensuring precise settlements regarding each
payment; transmitting the payments to the Headquarters and subsidiaries
of the company by means of instant Western Union payment system and
providing regular feedback and reports to the Headquaters OfficeManager
and Supervisor.
It
is essential that the candidate promotes positive/can do attitude and
discharges his duties urgently, has literate communicational and
PC-user skills to interact with other team members and make external
contacts related to the job nature.
Successful applicants
will need to have a bank account to be used for the customer payments
to be debited to, be energetic, enthusiastic and naturally ambitious.
This is very much seen as a career progression role that could lead to
a management position, so if you are willing to work 1-2 hours a day
and be paid on an interest basis ( net 10% out of each customer payment
you have dealt with) you are welcome to apply now.
Apply for this Position
The above role is clearly the ILLEGAL role of a money laundering mule. Notice the illiterate trademark phrase 'fasten payment receipt' that these criminals always use.
v) If you click on the 'Apply for this position' link, you will see the following first line:
Newman, Green Tree (Warehousing) Ltd, hereinafter referred to as “Company”, in the person of Mr Joachim Schroder, Chairman of board of the Directors, acting on the grounds of the bylaws of the Company, on one hand, and Applicant on the other hand, have concluded this agreement as follows:
Oops! - they've forgotten to delete the 'Newman' from their previous 'Newman, Esmond & Eisenberg' alias. No doubt if you look further you'll see more examples of this criminal's slip-ups....
vi) The criminal's numerous fraud domains, which are all used for the same fake website, are all registered with different fake whois details with various registrars in the last few days, but mainly now with Internet Invest Inc. (Imena.ua).
vii) The criminal's spam contains forged header information and the usual bayesian filter
avoidance 'white text' code that irrefutably link it to the Cronos
Investment, Draper Investment, Harvey Investment, Adamant Global,
Sydney Car Centre, Waller Truck, Newman, Esmond and Eisenberg and all
this criminal's many other aliases along with the 'rockphish' phishing
criminals.
viii) Their spam is zombie botnet distributed as is easily demonstrated by the source IP RDNS data.
ix) As usual, the criminal's
spams are all signed by different random names - they appear to have an
infinite number of fake 'employees'.
x) A Google Earth check on the address (Antwerpen 2020) on the fake website shows no such installation as depicted. A check on the genuine address (DN7 6HD) clearly does show the genuine company's installation. Clear evidence that the Antwerp address is fake.
The above irrefutable evidence clearly demonstrates beyond any doubt that the stolen website has been set up by money laundering and phishing criminals purely for the purpose of spamvertising an illegal money laundering 'mule' job and is undoubtedly just a stolen copy of the genuine site and is directly related to Cronos Investment, Draper Investment, Harvey Investment, Adamant Global, Sydney Car Centre, Waller Truck, Newman, Esmond & Eisenberg and the rest of the money laundering/phishing criminal fraudsters' aliases documented here.
If you are an abuse team that has received an abuse report regarding these fraudsters, please consider immediate termination of their services in view of the absolutely undeniable evidence of site theft, copyright offences, criminal money laundering activity and spamming - please don't delay - these criminals will not respond to any communication from you, (all their whois data is false), but will simply take advantage of any attempt at communication as a delaying tactic to allow them time to carry on their criminal activity and prepare their next network.
Do not be misled - these are professional criminals with a long history of fraud as detailed on the General Information page and are the same criminals as the 'rockphish' phishing fraudsters, so if a host or registrar shelters these crooks then they are also sheltering the 'rockphish' phishing fraudsters and aiding and abetting their criminal 'phishing' fraud activities.
Green Tree (Warehousing) Ltd Fraudsters - current hosting details.
Current Zombie Botnet Nameserver Domains and Registrars
uneedmc.com - REGISTER.COM, INC. (03-Apr-2008)
book-xm.com - REGISTER.COM, INC. (07-Apr-2008)
netipm.com - KEY-SYSTEMS GMBH/Imena.ua (20-Mar-2008)
regnme.com - REGISTER.COM, INC. (29-Apr-2008)
mnink.com - Spiritdomains/IA Registry (30-Apr-2008)
viemn.com - Spiritdomains/IA Registry (30-Apr-2008)
schemeetc.com - Spiritdomains/IA Registry (05-May-2008)
See table below for the full list of known active & suspended main domains used by this criminal.
List of all known domains used by
the Green Tree (Warehousing) Ltd Fraudsters
Please notify me of any errors or domains not listed here.
Notes
for Registrars
i) The Green Tree (Warehousing) Ltd criminal uses his
own nameserver
domains
to control his zombie botnets or provide his DNS. By definition there
can be no legitimate
domains using his dedicated botnet nameservers & his
conventional nameserver domains are always very recently registered.
This
provides an ideal database search option for you to identify and delete
all of this criminal's fraud domains without
any risk of hurting an innocent domain. All of the
criminal's
current botnet
nameservers are - ns1.uneedmc.com, ns1.book-xm.com, ns1.netipm.com, ns1.regnme.com, ns1.mnink.com, ns1.viemn.com, ns1.nx-web.com, ns1.schemeetc.com
ii)
The criminal's domains have different false
whois registration data.
iii) The criminal will not respond to your challenge but will use the notice to prepare a new network - immediate suspension is requested, please.
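The database search suggested in note i), sketched as an added example (not code from this site): it scans a registration export for domains delegated to the nameservers listed above, or that are one of the nameserver domains themselves. The pipe-separated export layout and every sample row are constructed for illustration; only the nameserver list and the uneedmc.com registration date come from this page.

```python
from datetime import date

# Nameservers copied from the "Notes for Registrars" list on this page.
BOTNET_NAMESERVERS = frozenset({
    "ns1.uneedmc.com", "ns1.book-xm.com", "ns1.netipm.com", "ns1.regnme.com",
    "ns1.mnink.com", "ns1.viemn.com", "ns1.nx-web.com", "ns1.schemeetc.com",
})
# Every listed host is ns1.<domain>; dropping the first label gives the
# nameserver domains, which are themselves registrations of the same criminal.
BOTNET_NS_DOMAINS = frozenset(ns.split(".", 1)[1] for ns in BOTNET_NAMESERVERS)

# Constructed sample export, one "domain|nameservers|created" row per line.
# The layout and all rows are assumptions made for this example.
SAMPLE_EXPORT = """\
# domain|nameservers|created
shop.example|ns1.dnshost.example,ns2.dnshost.example|2001-06-14
Fraud-Site-A.example.|NS1.UNEEDMC.COM.|2008-04-25
fraud-site-b.example|ns1.book-xm.com , ns1.dnshost.example|2008-04-30
uneedmc.com|ns1.dnshost.example|2008-04-03
lookalike.example|ns1.uneedmc.com.dnshost.example|2008-04-29
"""


def normalise(host):
    """Lower-case a host name and drop surrounding space and the root dot."""
    return host.strip().rstrip(".").lower()


def parse_export(text):
    """Turn the export text into dicts, skipping blanks and # comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        domain, ns_field, created = line.split("|")
        rows.append({
            "domain": normalise(domain),
            "nameservers": {normalise(ns) for ns in ns_field.split(",")},
            "created": date.fromisoformat(created.strip()),
        })
    return rows


def find_suspects(rows, as_of):
    """Return rows that use a listed nameserver or are a nameserver domain.

    Host names are compared whole, so a name that merely contains a listed
    nameserver as a prefix (the 'lookalike' row) is not flagged.
    """
    suspects = []
    for row in rows:
        hits = sorted(row["nameservers"] & BOTNET_NAMESERVERS)
        if hits:
            reason = "delegated to " + ", ".join(hits)
        elif row["domain"] in BOTNET_NS_DOMAINS:
            reason = "is a botnet nameserver domain"
        else:
            continue
        suspects.append({
            "domain": row["domain"],
            "reason": reason,
            # Age is reported because the page notes these registrations
            # are always very recent.
            "age_days": (as_of - row["created"]).days,
        })
    return sorted(suspects, key=lambda s: s["domain"])


if __name__ == "__main__":
    for hit in find_suspects(parse_export(SAMPLE_EXPORT), date(2008, 5, 6)):
        print(f'{hit["domain"]:<24} {hit["age_days"]:>3}d  {hit["reason"]}')
```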
The Spam Content
The Green Tree (Warehousing) Ltd spam headers contain many
different forged/bogus 'From' &
'Return Path' addresses & various forged 'Receive' lines. The
subject lines vary & all indicate that there is a job
opportunity to be had. There is - an illegal job as a money laundering
'mule' or transfer fraud victim, i.e. accepting stolen or counterfeit
proceeds into your account and forwarding it on via Western Union or
Moneygram for a percentage cut. Needless to say it is these mules that
will probably feel the full weight of the law while the remote money
launderers are safe. The bogus or stolen funds in the mules account may
well also be recovered, leaving them with large losses.
This is the content of an actual Green Tree (Warehousing) Ltd
scam spam received from a site contact:
Dear Sir/Madam,
Your
resume has been furnished to our company by www.monst er.com web-site
as one of the best-qualified job-seekers for a position offered.
Our
company - Green Tree (Warehousing) Ltd., as a Third Party Logistics
provider (3PL), works closely with major Blue Chip Companies &
SME’s, providing mainstream warehousing and materials handling
operations, innovative Supply Chain Solutions, Contract Packing and
Distribution. We work closely with ou customers to deliver a flexible
package that meets their requirements, and place emphasis on
value-adding services of proven quality. Business expertise and a high
level of diversity gained over 45 years combine to make "Green Tree" an
attractive outsourced solution and versatile business partner.
We
are currently looking to recruit a Regional Financial Coordinator to
manage payments from the customers based within the limits of his
country. You wi
ll be our financial intermediary in your local area and will be
responsible to remit customer payments for the ordered warehousing or
shipping to facilitate and fasten payment receipt at the headquarters
of the company. This is a brand new part-time position and has been
created to improve supply chain performance for the company as we move
into a period of substantial expansion where we will double our current
turnover.
The
role includes dealing with 2-3 customer payments a week; reviewing the
balance of the bank account, where the payment is supposed to be
debited to; ensuring precise settlements regarding each payment;
transmitting the payments to the Headquarters and subsidiaries of the
company by means of instant Western Union payment system and providing
regular feedback and reports to the Headquarters Office Manager and
Supervisor.
It
is essential that the candidate promotes positive/can do attitude and
discharges his duties urgently, has literate communicational and
PC-user skills to interact with other team members and make external
contacts related to the job nature. Successful applicants will need
to have a bank account to be used for the customer payments to be
debited to, be energetic, enthusiastic and naturally ambitious. This is
very much seen as a career progression role that could lead to a
management position, so if you are willing to work 1-2 hours a day and
be paid on an interest basis (net 10% out of each customer payment you
have dealt with) you are welcome to apply now. So if you are
looking for a “career of your life” and would like to find out more
about the job specification please visit our web-site at http://grntwr.com
Note
the usual Bayesian filter
avoidance 'code', commonly used by these criminals and the 'rockphish'
scammers alike. It's normally in 'whitetext' so it's invisible, but
here I've greyed it in.
The Zombie Botnet
DNS Data (Valid for domains greentwu.com, greentwu.net and greentwu.org)
Looking up at the 2 greentwu.com. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The
data shows a standard 7-IP site hosting zombie
botnet where the nameserver ns1.iwarzone.com hosted by PCCW Global/Spectrum Networks/Vanoppen.biz
on IP 76.191.102.141
is
acting as a zombie botnet controller 'herding' the rotating zombies,
(as determined by RDNS), in the 'A' records list which are hosting the
fraud site (as determined by TRACERT). These are exactly the same
botnet hosting details as were used for the Newman Esmond &
Eisenberg fraud domains newnmm.com, newmmns.com and nwaesde.net.
These criminals are experienced liars, thieves and professional confidence tricksters. Do not be fooled - do not believe them. The evidence of criminal fraud is undeniable.
I'd
like to thank the many honest & ethical hosts who have
disconnected
these fraudsters within an hour of receiving an abuse report, (several
in c. 20 minutes). However, the zombie botnet controlling nameservers
seem to be occasionally hosted by Colocation/VPS service providers who
do not respond to criminal fraud abuse reports. The honest &
ethical SPs will respond with an immediate, (preferably not 24 hours or
48 hours & certainly not never...), disconnection on receipt of
a
criminal abuse
report,
having considered the evidence below & investigated, but more
and
more
frequently service providers stall or simply ignore abuse reports.
This latter minority of uncaring & unethical hosts are aiding and abetting criminal fraud and the victims suffer because of it.
Blocking The spam
I
have had quite a few queries about how to block the criminal's spam in
Outlook Express. Fortunately they are easily detected using the OE
'Mail Rules' (Tools - Message Rules - Mail).
Rules based on the
From, To etc addresses will never work as the header data is all
forged. The message body remains constant, however & that can
be
used to detect them.
Use the rule "Where the message body
contains specific words" and use "Green Tree (Warehousing) Ltd"
as
the search item then choose 'delete' (or whatever action you prefer) as
the action then that will definitely detect every single one of these
spams.
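The same body-only rule outside Outlook Express, as an added example (not code from this site): it ignores every header, pulls the text out of plain and HTML parts so that hidden 'white text' filler does not get in the way, and looks for the company name plus the 'fasten payment receipt' phrase noted in the evidence section. The three sample messages, their addresses and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser

# Body phrases taken from this page: the company name used in the mail rule
# and the phrase the page calls the criminals' trademark.
BODY_MARKERS = ("Green Tree (Warehousing) Ltd", "fasten payment receipt")


class _TextOnly(HTMLParser):
    """Collect the text nodes of an HTML part, whatever colour they use."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)


def body_text(msg):
    """Return the text of all text/* parts with whitespace collapsed."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skips multipart containers and attachments
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        charset = part.get_content_charset() or "utf-8"
        text = payload.decode(charset, errors="replace")
        if part.get_content_subtype() == "html":
            parser = _TextOnly()
            parser.feed(text)
            parser.close()
            text = " ".join(parser.chunks)
        parts.append(text)
    # Collapsing whitespace lets a marker match across line wraps and tags.
    return re.sub(r"\s+", " ", " ".join(parts))


def matched_markers(raw_message):
    """List the markers found in the body; headers are never consulted."""
    body = body_text(message_from_string(raw_message)).lower()
    return [m for m in BODY_MARKERS if m.lower() in body]


# Constructed samples: forged, differing headers with marker text in the body.
SAMPLE_PLAIN = """\
From: "Hypothetical Sender A" <a@sender.example>
Return-Path: <bounce@other.example>
Subject: Vacancy
Content-Type: text/plain; charset="us-ascii"

Our company - Green Tree
(Warehousing) Ltd., as a Third Party Logistics provider (3PL), is recruiting.
"""

SAMPLE_HTML = """\
From: "Hypothetical Sender B" <b@relay.example>
Subject: Job offer
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p>You will be responsible to remit customer payments to
facilitate and <b>fasten</b> payment receipt at the headquarters.</p>
<font color="#ffffff">lorem harbour violet seventeen</font></body></html>
"""

# Constructed sample: the name appears only in a header, so nothing matches.
SAMPLE_HEADER_ONLY = """\
From: "Hypothetical Sender C" <c@sender.example>
Subject: Green Tree (Warehousing) Ltd delivery note
Content-Type: text/plain; charset="us-ascii"

Please see the attached delivery note.
"""

if __name__ == "__main__":
    for name in ("SAMPLE_PLAIN", "SAMPLE_HTML", "SAMPLE_HEADER_ONLY"):
        print(name, matched_markers(globals()[name]))
```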
If you find this site helpful then please feel free to link to it on your website by inserting the following HTML code, (opens site in new window):
<a href="http://www.bobbear.co.uk" target="_blank">Money Laundering Fraud Websites</a>
Fraud Blog
Initial entry 26th. April 2008
***Latest News*** - 26th. April 2008
If you have any further information, including spam, active domains etc, please forward it to me via the home page 'Contact Us' form or via the 'Report Active Domain' form, thank you.
***Latest News*** - 28th. April 2008
Botnet DNS Data (Valid for domains greentwg.com, greentwg.net, greentwg.org, greentwn.com, greentwn.net, and greentwn.org)
Looking up at the 2 greentwg.com. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The
data shows a standard 7-IP site hosting zombie
botnet where the nameserver ns1.uneedmc.com hosted by Cari.net/Zanadoo Hosting
on IP 71.6.211.122
is
acting as a zombie botnet controller 'herding' the rotating zombies,
(as determined by RDNS), in the 'A' records list which are hosting the
fraud site (as determined by TRACERT). This is exactly the same nameserver as was used for the Newman Esmond & Eisenberg fraud.
Later: The criminal's Spectrum Networks/Vanoppen.biz botnet has been closed down and he is up on another network:
Botnet DNS Data (Valid for domains greentwl.com, greentwl.net, greentwu.com, greentwu.net and greentwu.org)
Looking up at the 2 greentwu.com. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The
data shows a standard 7-IP site hosting zombie
botnet where the nameserver ns1.iwarzone.com hosted by Netrouting Data Facilities/Grafix.nl
on IP 194.110.67.169
is
acting as a zombie botnet controller 'herding' the rotating zombies,
(as determined by RDNS), in the 'A' records list which are hosting the
fraud site (as determined by TRACERT).
Botnet DNS Data (Valid for domains greentwh.com, greentwh.net, greentwh.org, greentwi.com, greentwi.net, greentwi.org)
Looking up at the 2 greentwh.com. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The
data shows a standard 7-IP site hosting zombie
botnet where the nameserver ns1.book-xm.com hosted by Network Operations Center Inc./Burst.net
on IP 64.191.113.103
is
acting as a zombie botnet controller 'herding' the rotating zombies,
(as determined by RDNS), in the 'A' records list which are hosting the
fraud site (as determined by TRACERT).
***Latest News*** - 1st. May 2008
New botnet for domains greentwg.net, greentwg.org:
Botnet DNS Data (Valid for domains greentwg.net, greentwg.org)
Looking up at the 2 greentwg.net. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The
data shows a standard 7-IP site hosting zombie
botnet where the nameserver ns1.hyperzx.com hosted by Cari.net/Zanadoo Hosting
on IP 71.6.211.122
is
acting as a zombie botnet controller 'herding' the rotating zombies,
(as determined by RDNS), in the 'A' records list which are hosting the
fraud site (as determined by TRACERT). This is exactly the same nameserver as was used for the Newman Esmond &
Eisenberg fraud.
Twelve of the Imena.ua domains have been parked, but the criminal has registered replacement domains greentwl.com, greentwl.net and greentwl.org hosted on the above Netrouting Data Facilities/Grafix.nl zombie botnet. Two of the three hosts have failed to reply to abuse reports.
Later: New domains greentwe.com, greentwe.net, greentwe.org, greentwr.com, greentwr.net, greentwr.org found, all registered with Spiritdomains on 30-Apr-2008 and unhosted at present but showing 'A' records on the criminal's nameserver ns1.uneedmc.com
New domains greentwo.net, greentwo.org, greentwo.biz also found and also registered with Spiritdomains on 30-Apr-2008 and all hosted on a new botnet hosted by ns1.book-xm.com:
Botnet DNS Data (Valid for domains greentwo.net, greentwo.org, greentwo.biz)
Looking up at the 2 greentwo.net. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The
data shows a standard 7-IP site hosting zombie
botnet where the nameserver ns1.book-xm.com hosted by Global Technology Solutions, Inc/KevWorks, LLC/ANS Communications
on IP 67.207.75.11
is
acting as a zombie botnet controller 'herding' the rotating zombies,
(as determined by RDNS), in the 'A' records list which are hosting the
fraud site (as determined by TRACERT).
***Latest News*** - 2nd. May 2008
The above criminal fraudsters' US hosts, namely Netrouting Data Facilities/Grafix.nl and Cari.net/Zanadoo Hosting have been informed of the illegal activities that they are aiding and abetting but appear to be happy to continue to do so. In addition Cox.net are uninterested that they are carrying the illegal traffic on behalf of their clients Cari.net/Zanadoo Hosting. Looks like the criminals have currently got a secure set of accomplices in those companies. In addition there has been no response as yet from Global Technology Solutions Inc/KevWorks LLC/ANS Communications.
Later: Response received from KevWorks LLC - the above criminal's botnet has been shut down. New botnet details:
Botnet DNS Data (Valid for domains greentwo.net, greentwo.org, greentwo.biz)
Looking up at the 2 greentwo.org. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The
data shows a standard 7-IP site hosting zombie
botnet where the nameserver ns1.book-xm.com hosted by VAServe LTD/UK Dedicated Servers Limited
on IP 78.110.164.36
is
acting as a zombie botnet controller 'herding' the rotating zombies,
(as determined by RDNS), in the 'A' records list which are hosting the
fraud site (as determined by TRACERT).
Later: The botnet nameserver domains iwarzone.com and hyperzx.com have been suspended by Spiritdomains, (respect is due to them for their ethical stance - if only all registrars were as helpful), and have been replaced by netipm.com and regnme.com respectively - details in the table. New botnet details:
Botnet DNS Data (Valid for domains greentwl.net)
Looking up at the 2 greentwl.net parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The
data shows a standard 7-IP site hosting zombie
botnet where the nameserver ns1.netipm.com hosted by Netrouting Data Facilities/Grafix.nl
on IP 194.110.67.169
is
acting as a zombie botnet controller 'herding' the rotating zombies,
(as determined by RDNS), in the 'A' records list which are hosting the
fraud site (as determined by TRACERT). Grafix.nl have not responded to abuse reports.
Botnet
DNS Data (Valid for domains greentwg.net, greentwg.org, greentwld.com, greentwld.net, greentwld.org)
Looking up at the 2 greentwg.net. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The
data shows a standard 7-IP site hosting zombie
botnet where the nameserver ns1.regnme.com hosted by Cari.net/Zanadoo Hosting
on IP 71.6.211.122
is
acting as a zombie botnet controller 'herding' the rotating zombies,
(as determined by RDNS), in the 'A' records list which are hosting the
fraud site (as determined by TRACERT). Cari.net/Zanadoo Hosting have not responded to abuse reports.
***Latest News*** - 4th. May 2008
The criminal's ns1.regnme.com controlled zombie botnet has been moved to a new host:
Botnet DNS Data (Valid for domains greentwg.net, greentwg.org, greentwld.com, greentwld.net)
Looking up at the 2 greentwld.com. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.regnme.com hosted by Welcome 2 Inter.Net on IP 85.197.99.29
is acting as a zombie botnet controller 'herding' the rotating zombies,
(as determined by RDNS), in the 'A' records list which are hosting the
fraud site (as determined by TRACERT).
Later: An instant response from the superb ethical host Welcome 2 Inter.Net has resulted in the above botnet controller being shut down - many thanks. If only some other hosts were as intelligent and not so willing to shelter these criminals as some of them appear to be, e.g. grafix.nl in particular...
Later: If any more proof were needed that these Green Tree (Warehousing) Ltd criminals are the same gang as the Newman, Esmond & Eisenberg criminal fraudsters then they've kindly provided it by using the old NEE domain newmanesrb.net for the GTWL site.
DNS Data (Valid for domain newmanesrb.net)
Looking up at the 2 newmanesrb.net. parent servers:
Server - Response
ns2.newmanesrb.net [200.72.139.67] - 211.3.149.208
ns1.newmanesrb.net [219.76.235.93] - 211.3.149.208
There we see the usual 'blackhat' nameserver host ENTEL CHILE S.A. (200.72.139.67) and the Netvigator (PCCW Ltd) IP 219.76.235.93 both of which were used for so long for the NEE fraud. The fraud website host IP (211.3.149.208) belongs to Open Data Network (JAPAN TELECOM CO.,LTD.) under the control of JPNIC. Once again the IP 211.3.149.208 has RDNS set up (OFSfb-12p2-208.ppp11.odn.ad.jp) so it is quite likely to be a solitary zombie or a criminal owned machine.
***Latest News*** - 5th. May 2008
The criminal has registered some new nameserver domains and set up some new botnets to replace ones disconnected by ethical hosts:
Botnet DNS Data (Valid for domains greentwld.com, greentwld.net)
Looking up at the 2 greentwld.com. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.mnink.com hosted by Tailor Made Servers/Amaresh Ray on IP 67.222.131.126
is acting as a zombie botnet controller 'herding' the rotating zombies,
(as determined by RDNS), in the 'A' records list which are hosting the
fraud site (as determined by TRACERT)
Botnet
DNS Data (Valid for domains greentwo.net, greentwo.org, greentwo.biz, grntwo.com, grntwo.net)
Looking up at the 2 greentwo.net. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The
data shows a standard 7-IP site hosting zombie
botnet where the nameserver ns1.viemn.com hosted by VAServe LTD/UK Dedicated Servers Limited
on IP 78.110.164.36
is
acting as a zombie botnet controller 'herding' the rotating zombies,
(as determined by RDNS), in the 'A' records list which are hosting the
fraud site (as determined by TRACERT).
Botnet
DNS Data (Valid for domains grntwr.net, grntwr.com)
Looking up at the 2 grntwr.net. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The
data shows a standard 7-IP site hosting zombie
botnet where the nameserver ns1.netipm.com hosted by Netrouting Data Facilities/Grafix.nl
on IP 194.110.67.169
is
acting as a zombie botnet controller 'herding' the rotating zombies,
(as determined by RDNS), in the 'A' records list which are hosting the
fraud site (as determined by TRACERT). Grafix.nl have not responded to abuse reports to date.
***Latest News*** - 6th. May 2008
The VAServe LTD/UK Dedicated Servers Limited botnet on IP 78.110.164.36 has been shut down and is now back up on IP 65.75.189.85
Botnet DNS Data (Valid for domains greentwo.net, greentwo.org, greentwo.biz, grntwo.com, grntwo.net)
Looking up at the 2 grntwo.com. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The
data shows a standard 7-IP site hosting zombie
botnet where the nameserver ns1.viemn.com hosted by SoftwareWorks Group, Inc./Carohosting.net
on IP 65.75.189.85
is
acting as a zombie botnet controller 'herding' the rotating zombies,
(as determined by RDNS), in the 'A' records list which are hosting the
fraud site (as determined by TRACERT).