This stolen criminal fraud website should not be confused with the blameless legitimate UK company of the same name, from which the criminals have stolen the website content shown above and who are as much a victim of this criminal as anyone else.
The Green Tree (Warehousing) Ltd scam is the latest fraud from the money laundering department of the well known 'rockphish' criminals. It is the replacement zombie botnet hosted fraud for the Newman, Esmond & Eisenberg criminal fraudster, as clearly evidenced by the same nameservers and host IPs, and uses a website stolen from the genuine Green Tree (Warehousing) Ltd company. If you are a registrar or a host who has received an abuse report concerning this criminal then please review the irrefutable evidence below and take prompt and permanent action to shut this criminal down.
The registrar 123-reg.co.uk (Webfusion, part of GX Networks Ltd, who are the old Pipex group) are refusing to suspend their criminal client's fraud domains without "the relevant documentation from the police, trading standards or courts"; in other words they will only respond to 'take down' notices from the above authorities and ignore all other information of criminal activity involving their customers. They have been informed of the clear, proven illegal activity that they are providing services for and directed to the clear and easily verifiable evidence of criminal activity provided on this website, but refuse to act by suspending their criminal client's domains and continue to provide services for these criminals despite the activity being clearly prohibited by their AUP. This lack of response is allowing the criminals a free hand to perpetrate their fraud activity at the expense of the victims and the innocent company. They also ignore requests to suspend the affiliated 'rockphish' phishing domains even when provided with a working phishing URL.
***Update - 23-Sep-2008 - 123-reg.co.uk (Webfusion) are now responding ethically and promptly to abuse reports for the Walker & Sons Inc fraudsters***
If
you've either received an active website link in a Green Tree
(Warehousing) Ltd fraud spam, or know of an
active domain and it is not listed in the domain tables below, then
please let us know by reporting it using the 'Report Active Domain'
option in the title bar above.
The above table shows the current providers of zombie botnet hosting services to the criminals and how long they have been providing them for. The decent, ethical majority of service providers (all credit to them - they are a pleasure to deal with) act within 1-24 hours of being informed of the criminal abuse of their systems (the best in less than 1 hour), but there are unfortunately some that, for whatever reason, do not. Any hosting company that remains in the above list for more than 48 hours has unfortunately not responded positively to abuse reports. If you are an abuse team that has taken action, please let me know and I will immediately remove the above record.
Open Data Network (JAPAN TELECOM CO.,LTD.) - 211.3.149.208
Orange Nederland Breedband B.V. - 85.150.209.34
Complex Telmatic Systems Siberia network - ns1.greentwo.net [81.16.131.40]
Sripatum University - ns2.grnew.me.uk [202.44.71.148]
SC Electrosvyaz of Buryatia Republic (Burnet.ru) - 212.0.85.6
AT&T Internet Services/ANDREA WHITE - 76.232.230.182
The
above are general IPs regularly used by these criminals. Abuse reports
have not been actioned. The host IPs appear to be single zombies
controlled by the listed nameservers. If you are an abuse team that has
taken action, please contact me and your entry will be removed
immediately.
Green Tree (Warehousing) Ltd : Evidence of Site Theft and Criminal Fraud
i) The criminal fraudsters have stolen the website of the genuine Green Tree (Warehousing) Ltd as detailed above - this fraud is simply the latest in the series of frauds including Harvey Investment, Draper Investment, Cronos Investment, Waller Truck Co., Newman, Esmond & Eisenberg etc, with an unfortunate new company as the victim. Examine the above screenshot of the stolen site and compare it to the genuine site. The evidence of site theft is indisputable. The criminals have simply changed the boxed location details (but sloppily omitted to change the footer details), added a 'Vacancy' tab for their money laundering job and posted a fake Belgian telephone number.
The genuine Green Tree website owners have posted the following warning of these criminals:
ii) The bogus websites are zombie botnet hosted, as clearly demonstrated by the DNS data below. The initial nameservers (ns1.uneedmc.com, ns1.book-xm.com and ns1.iwarzone.com) and initial host IPs are exactly the same as were used by the Newman, Esmond & Eisenberg criminal fraudsters, which clearly demonstrates that they are one and the same criminal organisation. In fact they are using one of the 'old' Newman, Esmond & Eisenberg domains (newmanesrb.net) for the Green Tree (Warehousing) Ltd fraud website. You don't get any better proof than that it's the same gang. No legitimate company would use a zombie botnet to host their websites.
iii) The criminal's
spams, (example below), contain the illegal
money mule function of accepting payments into a private bank account
and transferring them back out to the criminals less 10% via Moneygram
or Western Union - clear
and irrefutable evidence of solicitation to commit money laundering
fraud.
iv) The fake Green Tree (Warehousing) Ltd website contains the usual smokescreen of bogus jobs under the 'Vacancy' tab, but at the bottom is the following part-time, working from home, clear money mule function advertised as "Regional Financial Coordinator", which is the only post that is advertised in the criminal's spam (sample below):
Regional Financial Coordinator
We
are currently looking
to recruit a Regional Financial Coordinator to manage payments from the
customers based within the limits of his country. You will be our
financial intermediary in your local area and will be responsible to
remit customer payments for the ordered warehousing or shipping to
facilitate and fasten payment receipt at the headquarters of the
company. This is a brand new part-time position and has been created to
improve supply chain performance for the company as we move into a
period of substantial expansion where we will double our current
turnover.
The
role includes dealing with 2-3 customer payments
a week; reviewing the balance of the bank account, where the payment is
supposed to be debited to; ensuring precise settlements regarding each
payment; transmitting the payments to the Headquarters and subsidiaries
of the company by means of instant Western Union payment system and
providing regular feedback and reports to the Headquarters Office Manager and Supervisor.
It
is essential that the candidate promotes positive/can do attitude and
discharges his duties urgently, has literate communicational and
PC-user skills to interact with other team members and make external
contacts related to the job nature.
Successful applicants
will need to have a bank account to be used for the customer payments
to be debited to, be energetic, enthusiastic and naturally ambitious.
This is very much seen as a career progression role that could lead to
a management position, so if you are willing to work 1-2 hours a day
and be paid on an interest basis ( net 10% out of each customer payment
you have dealt with) you are welcome to apply now.
Apply for this Position
The above role is clearly the ILLEGAL role of a money laundering mule. Notice the illiterate trademark phrase 'fasten payment receipt' that these criminals always use.
v) If you click on the 'Apply for this position' link, you will see the following first line:
Newman, Green Tree (Warehousing) Ltd, hereinafter referred to as “Company”, in the person of Mr Joachim Schroder, Chairman of board of the Directors, acting on the grounds of the bylaws of the Company, on one hand, and Applicant on the other hand, have concluded this agreement as follows:
Oops! - they've forgotten to delete the 'Newman' from their previous 'Newman, Esmond & Eisenberg' alias. No doubt if you look further you'll see more examples of this criminal's slip-ups....
vi) The criminal's numerous fraud domains, which are all used for the same fake website, are all registered with different fake whois details with various registrars in the last few days, but mainly now with 123-reg.co.uk (part of GX Networks Ltd who are the old Pipex group).
vii) The criminal's spam contains forged header information and the usual Bayesian filter avoidance 'white text' code that irrefutably links it to the Cronos Investment, Draper Investment, Harvey Investment, Adamant Global, Sydney Car Centre, Waller Truck, Newman, Esmond and Eisenberg and all this criminal's many other aliases, along with the 'rockphish' phishing criminals.
viii) Their spam is
zombie botnet distributed as is easily demonstrated by the source IP
RDNS data.
ix) As
usual, the criminal's
spams are all signed by different random names - they appear to have an
infinite number of fake 'employees'.
x) A Google Earth check on the address (Antwerpen 2020) on the fake website shows no such installation as depicted. A check on the genuine address (DN7 6HD) clearly does show the genuine company's installation. Clear evidence that the Antwerp address is fake.
The above
irrefutable evidence
clearly demonstrates beyond any doubt that the
stolen website has been set up by money laundering
and phishing
criminals purely for
the
purpose of spamvertising an illegal money laundering 'mule' job and is
undoubtedly just a stolen copy of the genuine site and is directly related
to Cronos Investment, Draper Investment, Harvey Investment, Adamant
Global, Sydney Car
Centre, Waller Truck, Newman, Esmond & Eisenberg and
the rest of the money
laundering/phishing criminal fraudsters' aliases
documented here. If you are an abuse team that has received an abuse
report regarding these fraudsters, please
consider immediate
termination of their services in view of the absolutely undeniable
evidence of
site theft, copyright offences, criminal money laundering activity
and
spamming -
please don't delay - these criminals will not
respond to any communication from you, (all their whois data is false),
but will simply take advantage of any attempt
at communication as a delaying tactic to allow them time to carry on
their criminal activity and prepare
their
next network.
Do
not
be misled -
these are professional criminals
with a long history
of fraud as detailed on the General Information page and are the same
criminals as the 'rockphish' phishing fraudsters, so if a host or
registrar shelters these crooks then they are also sheltering the
'rockphish' phishing fraudsters and
aiding and abetting their criminal 'phishing' fraud activities.
Green Tree (Warehousing) Ltd Fraudsters - current hosting details
Host IP / Botnet Nameserver IP
89.46.34.93 89.46.34.93 89.46.34.93
Current Zombie Botnet Nameserver Domains and Registrars
uneedmc.com - REGISTER.COM, INC. (03-Apr-2008)
book-xm.com - REGISTER.COM, INC. (07-Apr-2008)
netipm.com - KEY-SYSTEMS GMBH/Imena.ua (20-Mar-2008)
regnme.com - REGISTER.COM, INC. (29-Apr-2008)
morestp.com - Spiritdomains/IA Registry (12-May-2008)
costmbb.com - INTERNET INVEST, INC. DBA IMENA.UA (15-May-2008)
jumpzo.com - INTERNET INVEST, INC. DBA IMENA.UA (05-Jun-2008)
moonfires.com - Spiritdomains/IA Registry (05-Jun-2008)
See table below for the full list of known active & suspended main domains used by this criminal.
List of all known domains used by the Green Tree (Warehousing) Ltd Fraudsters
Status - Registrar (registration date); domain names are not reproduced here
1. Active (Parked) - REGISTER.COM, INC. (03-Apr-2008)
2. Suspended - Spiritdomains/IA Registry (28-Mar-2008)
3. Active - REGISTER.COM, INC. (07-Apr-2008)
4. Suspended - Spiritdomains/IA Registry (30-Apr-2008)
5. Active - KEY-SYSTEMS GMBH/Imena.ua (20-Mar-2008)
6. Active - REGISTER.COM, INC. (29-Apr-2008)
7. Suspended - Spiritdomains/IA Registry (30-Apr-2008)
8. Suspended - Spiritdomains/IA Registry (30-Apr-2008)
9. Active - REGISTER.COM, INC. (05-May-2008)
10. Suspended - Spiritdomains/IA Registry (05-May-2008)
11. Suspended - INTERNET INVEST, INC. DBA IMENA.UA (10-May-2008)
12. Suspended - Spiritdomains/IA Registry (06-May-2008)
13. Suspended - NETWORK SOLUTIONS, LLC. (12-May-2008)
14. Suspended - Spiritdomains/IA Registry (12-May-2008)
15. Active - INTERNET INVEST, INC. DBA IMENA.UA (15-May-2008)
16. Active - INTERNET INVEST, INC. DBA IMENA.UA (05-Jun-2008)
17. Active - Spiritdomains/IA Registry (05-Jun-2008)
18. Active - REGISTER.COM, INC. (20-Jun-2008)
19. Active - Spiritdomains/IA Registry (29-Jun-2008)
20. Active - INTERNET INVEST, INC. DBA IMENA.UA (17-Jun-2008)
Please notify me of any errors or domains not listed here.
Notes
for Registrars
i) The Green Tree (Warehousing) Ltd criminal uses his own nameserver domains to control his zombie botnets or provide his DNS. By definition there can be no legitimate domains using his dedicated botnet nameservers, and his conventional nameserver domains are always very recently registered. This provides an ideal database search option for you to identify and delete all of this criminal's fraud domains without any risk of hurting an innocent domain. All of the criminal's current botnet nameservers are: ns1.costmbb.com, ns1.jumpzo.com, ns1.moonfires.com, ns1.querymm.com, ns1.toohotdot.com, ns1.sevengh.com
ii) The criminal's domains have different false whois registration data.
iii) The criminal will not respond to your challenge but will use the notice to prepare a new network - immediate suspension is requested, please.
The Spam Content
The Green Tree (Warehousing) Ltd spam headers contain many different forged/bogus 'From' & 'Return-Path' addresses & various forged 'Received' lines. The subject lines vary & all indicate that there is a job opportunity to be had. There is - an illegal job as a money laundering 'mule' or transfer fraud victim, i.e. accepting stolen or counterfeit proceeds into your account and forwarding them on via Western Union or Moneygram for a percentage cut. Needless to say it is these mules that will probably feel the full weight of the law while the remote money launderers are safe. The bogus or stolen funds in the mule's account may well also be recovered, leaving them with large losses.
This is the content of an actual Green Tree (Warehousing) Ltd scam spam received from a site contact:
Dear Sir/Madam,
Your resume has been furnished to our company by www.monst er.com web-site as one of the best-qualified job-seekers for a position offered.
Our company - Green Tree (Warehousing) Ltd., as a Third Party Logistics provider (3PL), works closely with major Blue Chip Companies & SME’s, providing mainstream warehousing and materials handling operations, innovative Supply Chain Solutions, Contract Packing and Distribution. We work closely with our customers to deliver a flexible package that meets their requirements, and place emphasis on value-adding services of proven quality. Business expertise and a high level of diversity gained over 45 years combine to make "Green Tree" an attractive outsourced solution and versatile business partner.
We are currently looking to recruit a Regional Financial Coordinator to manage payments from the customers based within the limits of his country. You will be our financial intermediary in your local area and will be responsible to remit customer payments for the ordered warehousing or shipping to facilitate and fasten payment receipt at the headquarters of the company. This is a brand new part-time position and has been created to improve supply chain performance for the company as we move into a period of substantial expansion where we will double our current turnover.
The role includes dealing with 2-3 customer payments a week; reviewing the balance of the bank account, where the payment is supposed to be debited to; ensuring precise settlements regarding each payment; transmitting the payments to the Headquarters and subsidiaries of the company by means of instant Western Union payment system and providing regular feedback and reports to the Headquarters Office Manager and Supervisor.
It is essential that the candidate promotes positive/can do attitude and discharges his duties urgently, has literate communicational and PC-user skills to interact with other team members and make external contacts related to the job nature.
Successful applicants will need to have a bank account to be used for the customer payments to be debited to, be energetic, enthusiastic and naturally ambitious. This is very much seen as a career progression role that could lead to a management position, so if you are willing to work 1-2 hours a day and be paid on an interest basis (net 10% out of each customer payment you have dealt with) you are welcome to apply now.
So if you are looking for a “career of your life” and would like to find out more about the job specification please visit our web-site at http://grentehd.org.uk
Note
the usual Bayesian filter
avoidance 'code', commonly used by these criminals and the 'rockphish'
scammers alike. It's normally in 'whitetext' so it's invisible, but
here I've greyed it in.
The Zombie Botnet DNS Data
(Valid for domains greentwu.com, greentwu.net and greentwu.org)
Looking up at the 2 greentwu.com. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.iwarzone.com, hosted by PCCW Global/Spectrum Networks/Vanoppen.biz on IP 76.191.102.141, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list, which are hosting the fraud site (as determined by TRACERT). These are exactly the same botnet hosting details as were used for the Newman Esmond & Eisenberg fraud domains newnmm.com, newmmns.com and nwaesde.net.
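The hosting test applied throughout this page (a criminal-controlled nameserver handing out a small, rotating pool of 'A' records whose reverse DNS points at consumer broadband lines) and the registrar note above (every domain delegated to one of the criminal's nameservers is one of his) can both be checked mechanically from a handful of DNS lookups. The Python below is an added example, not code from the original page or from its author: the nameserver names are taken from the page, but every IP address, PTR name and TTL in the snapshots is constructed for illustration. In practice the snapshots would come from repeated queries against the authoritative nameserver (e.g. dig @ns1.iwarzone.com greentwu.com A, a few minutes apart) and the PTR map from reverse lookups of each address returned.

```python
"""Score DNS observations for the 'zombie botnet' hosting pattern: a small,
rotating pool of A records with short TTLs whose reverse DNS points at
consumer broadband lines, served by a nameserver the criminal controls.
Added example; not code from the original page.  Nameserver names are from
the page; all IPs, PTR names and TTLs are constructed."""
from collections import namedtuple

Snapshot = namedtuple("Snapshot", "domain ns a_records ttl")

# Nameservers the page identifies as botnet controllers.
BOTNET_NS = {"ns1.uneedmc.com", "ns1.book-xm.com", "ns1.iwarzone.com"}

# Constructed snapshots: two lookups of the fraud domain a few minutes apart
# (two of the seven zombies have been swapped out), one sibling domain on the
# same nameserver, and one ordinary site as a control.  IPs are from the
# RFC 5737 documentation ranges and stand in for real zombies.
SNAPSHOTS = [
    Snapshot("greentwu.com", "ns1.iwarzone.com",
             ["192.0.2.17", "192.0.2.88", "198.51.100.23", "198.51.100.140",
              "203.0.113.9", "203.0.113.77", "203.0.113.201"], 300),
    Snapshot("greentwu.com", "ns1.iwarzone.com",
             ["192.0.2.17", "192.0.2.88", "198.51.100.23", "198.51.100.61",
              "203.0.113.9", "203.0.113.77", "203.0.113.150"], 300),
    Snapshot("greentwu.net", "ns1.iwarzone.com",
             ["192.0.2.17", "192.0.2.88", "198.51.100.23", "198.51.100.140",
              "203.0.113.9", "203.0.113.77", "203.0.113.201"], 300),
    Snapshot("example-legit.test", "ns1.example-host.test", ["192.0.2.200"], 86400),
]

# Constructed PTR records, in the style ISPs use for dynamic customer lines.
PTR = {
    "192.0.2.17": "ppp-17.dyn.isp-a.example",
    "192.0.2.88": "adsl-88.isp-a.example",
    "198.51.100.23": "cable-23-100.isp-b.example",
    "198.51.100.140": "dhcp-140.pool.isp-b.example",
    "198.51.100.61": "dsl-61.isp-c.example",
    "203.0.113.9": "dyn-9.isp-c.example",
    "203.0.113.77": "ppp-77.isp-d.example",
    "203.0.113.201": "host-201.dial.isp-d.example",
    "203.0.113.150": "cable-150.isp-d.example",
    "192.0.2.200": "web1.example-host.test",
}

# Label prefixes ISPs commonly put in PTR names for consumer lines.
RESIDENTIAL_HINTS = ("dsl", "adsl", "ppp", "dyn", "cable", "pool", "dhcp", "dial")


def looks_residential(ptr):
    """True if any dot- or dash-separated label of the PTR name starts with a
    consumer-broadband hint, e.g. 'ppp11' in OFSfb-12p2-208.ppp11.odn.ad.jp."""
    labels = [l for l in ptr.lower().replace("-", ".").split(".") if l]
    return any(label.startswith(h) for label in labels for h in RESIDENTIAL_HINTS)


def domains_on_botnet_ns(snapshots, botnet_ns=BOTNET_NS):
    """The registrar search from the page: every domain delegated to one of the
    criminal's nameservers is, by construction, one of his."""
    return {s.domain for s in snapshots if s.ns in botnet_ns}


def flux_report(domain, snapshots=SNAPSHOTS, ptr=PTR):
    """Summarise how a domain is hosted and decide whether it matches the
    rotating-zombie pattern.  Thresholds are judgement calls, not standards."""
    ips, ttls, pool_sizes, nses = set(), [], [], set()
    for s in snapshots:
        if s.domain != domain:
            continue
        ips.update(s.a_records)
        ttls.append(s.ttl)
        pool_sizes.append(len(s.a_records))
        nses.add(s.ns)
    if not ips:
        raise ValueError("no observations for %s" % domain)
    names = [ptr.get(ip, "") for ip in ips]
    residential = sum(1 for n in names if looks_residential(n))
    # Operators are approximated by the registrable part of the PTR name.
    isps = {".".join(n.split(".")[-2:]) for n in names if n}
    report = {
        "distinct_ips": len(ips),
        "pool_size": max(pool_sizes),           # the page's 'standard 7-IP' pool
        "rotated": len(ips) > max(pool_sizes),  # new zombies between lookups
        "residential_ips": residential,
        "distinct_isps": len(isps),
        "min_ttl": min(ttls),
        "botnet_ns": bool(nses & BOTNET_NS),
    }
    report["zombie_hosted"] = (
        report["distinct_ips"] >= 5
        and residential * 2 >= len(ips)      # at least half on consumer lines
        and report["distinct_isps"] >= 3     # spread across unrelated networks
        and report["min_ttl"] <= 1800        # short TTL so rotation takes effect
    )
    return report


if __name__ == "__main__":
    print(sorted(domains_on_botnet_ns(SNAPSHOTS)))
    for d in ("greentwu.com", "example-legit.test"):
        print(d, flux_report(d))
```

The verdict deliberately needs several signals together: a CDN also answers with many addresses and short TTLs, but its addresses resolve to hosting names in one operator's space, not to ppp/dsl lines scattered across unrelated ISPs, so the residential and operator-spread tests are what separate a zombie pool from legitimate load balancing.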
These criminals are experienced liars, thieves and professional confidence tricksters. Do not be fooled - do not believe them. The evidence of criminal fraud is undeniable.
I'd like to thank the many honest & ethical hosts who have disconnected these fraudsters within an hour of receiving an abuse report (several in c. 20 minutes). However, the zombie botnet controlling nameservers seem to be occasionally hosted by colocation/VPS service providers who do not respond to criminal fraud abuse reports. The honest & ethical SPs will respond with an immediate disconnection (preferably not 24 hours or 48 hours & certainly not never...) on receipt of a criminal abuse report, having considered the evidence below & investigated, but more and more frequently service providers stall or simply ignore abuse reports. This latter minority of uncaring & unethical hosts are aiding and abetting criminal fraud and the victims suffer because of it.
Blocking the spam
I have had quite a few queries about how to block the criminal's spam in Outlook Express. Fortunately they are easily detected using the OE 'Mail Rules' (Tools - Message Rules - Mail). Rules based on the From, To etc. addresses will never work as the header data is all forged. The message body remains constant, however, & that can be used to detect them. Use the rule "Where the message body contains specific words" with "Green Tree (Warehousing) Ltd" as the search item, then choose 'delete' (or whatever action you prefer) as the action; that will definitely detect every single one of these spams.
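The points made about the spam itself (the 'From', 'Return-Path' and lower 'Received' lines are forged; the real source is the zombie that connected to the recipient's mail server, whose RDNS looks like a consumer line; the white-on-white chaff is there to poison Bayesian filters; and only a body phrase is stable enough for a rule) can all be checked in code. The Python below is an added example, not code from the original page: the message is constructed (every address, host name and IP in it is made up, and the body borrows the spam's wording from this page), and the set of trusted relay hosts is an assumption you would replace with the names of your own mail servers.

```python
"""Triage a mule-recruitment spam: recover the originating IP from the
trusted part of the Received chain, classify its reverse DNS, strip the
hidden 'Bayesian poison' text, and apply a body-phrase rule.
Added example; not code from the original page.  The message and all hosts
in it are constructed."""
import email
import re

# Hosts whose Received lines we wrote ourselves and therefore trust (assumption).
OUR_RELAYS = {"mx.example.test"}

# Constructed sample.  The top Received line was written by our MX; the line
# below it was forged by the spammer to point at an innocent company.
RAW_SPAM = """\
Return-Path: <hr.department@bigcorp.invalid>
Received: from [198.51.100.77] (dsl-77-100-51-198.dyn.isp-b.example [198.51.100.77])
\tby mx.example.test with SMTP id k7s1; Mon, 5 May 2008 09:12:41 +0100
Received: from mail.bigcorp.invalid (mail.bigcorp.invalid [203.0.113.5])
\tby smtp.forged.invalid with ESMTP; Mon, 5 May 2008 08:00:00 +0000
From: "Jane Smith" <jane.smith@greentree-jobs.invalid>
Subject: Job opportunity - Regional Financial Coordinator
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Our company - Green Tree (Warehousing) Ltd., as a Third Party Logistics
provider (3PL), is currently looking to recruit a Regional Financial
Coordinator. Apply at http://grentehd.invalid</p>
<font color="#ffffff">garden weather mortgage holiday recipe football</font>
<span style="color: white">cathedral sunshine violin parliament</span>
</body></html>
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
PTR_RE = re.compile(r"\(([A-Za-z0-9.-]+)\s+\[")
HIDDEN_RE = re.compile(
    r"<(font|span)\b[^>]*color\s*[=:]\s*[\"']?#?(?:fff(?:fff)?|white)\b[^>]*>.*?</\1\s*>",
    re.I | re.S)
RESIDENTIAL_HINTS = ("dsl", "adsl", "ppp", "dyn", "cable", "pool", "dhcp", "dial")


def originating_host(raw):
    """Walk Received lines newest-first while they were written by our own
    relays; the last trusted line names the IP that actually connected.
    Anything further down was supplied by the sender and is worthless."""
    msg = email.message_from_string(raw)
    ip, ptr = None, None
    for line in msg.get_all("Received", []):
        by = re.search(r"\bby\s+([\w.-]+)", line)
        if not by or by.group(1) not in OUR_RELAYS:
            break
        m_ip, m_ptr = IP_RE.search(line), PTR_RE.search(line)
        if m_ip:
            ip = m_ip.group(1)
            ptr = m_ptr.group(1) if m_ptr else None
    return ip, ptr


def looks_residential(ptr):
    """Consumer-line naming such as 'dsl-', 'ppp', 'dyn' in any PTR label."""
    labels = ptr.lower().replace("-", ".").split(".")
    return any(l.startswith(h) for l in labels for h in RESIDENTIAL_HINTS)


def sender_domains(raw):
    """Domains claimed in the forgeable From and Return-Path headers."""
    msg = email.message_from_string(raw)
    found = set()
    for hdr in ("From", "Return-Path"):
        m = re.search(r"@([\w.-]+)", msg.get(hdr, ""))
        if m:
            found.add(m.group(1).lower())
    return found


def strip_hidden_text(html):
    """Drop font/span runs coloured white; a simple regex is enough for the
    flat markup spam generators emit."""
    return HIDDEN_RE.sub("", html)


def visible_text(raw):
    msg = email.message_from_string(raw)
    html = msg.get_payload(decode=True).decode("ascii", "replace")
    return " ".join(re.sub(r"<[^>]+>", " ", strip_hidden_text(html)).split())


def body_rule_matches(raw, phrase="Green Tree (Warehousing) Ltd"):
    """The Outlook Express rule: match on the constant body phrase, never on
    the forged address headers."""
    return phrase.lower() in visible_text(raw).lower()


def triage(raw):
    ip, ptr = originating_host(raw)
    return {
        "origin_ip": ip,
        "origin_ptr": ptr,
        "origin_residential": bool(ptr) and looks_residential(ptr),
        "claimed_sender_domains": sender_domains(raw),
        "hidden_chaff_present": bool(HIDDEN_RE.search(raw)),
        "body_rule_matches": body_rule_matches(raw),
    }


if __name__ == "__main__":
    for k, v in triage(RAW_SPAM).items():
        print("%-24s %s" % (k, v))
```

The chain walk stops at the first Received line not written by one of our own relays, because everything below it arrived inside the message and could have been typed by the spammer. Stripping the white text before the phrase check matters for the opposite reason to the Bayesian case: a statistical filter is fooled by the chaff being counted, while a body-phrase rule must not be fooled by the spammer burying the phrase in it.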
If you find this site helpful then please feel free to link to it on your website by inserting the following HTML code (opens site in new window):
<a href="http://www.bobbear.co.uk" target="_blank">Money Laundering Fraud Websites</a>
Fraud Blog
Initial entry 26th. April 2008
***Latest News*** - 26th. April 2008
If you have any further information, including spam, active domains etc, please forward it to me via the home page 'Contact Us' form or via the 'Report Active Domain' form, thank you.
***Latest News*** - 28th. April 2008
Botnet DNS Data
(Valid for domains greentwg.com, greentwg.net, greentwg.org, greentwn.com, greentwn.net, and greentwn.org)
Looking up at the 2 greentwg.com. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.uneedmc.com, hosted by Cari.net/Zanadoo Hosting on IP 71.6.211.122, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list, which are hosting the fraud site (as determined by TRACERT). This is exactly the same nameserver as was used for the Newman Esmond & Eisenberg fraud.
Later: The criminals' Spectrum Networks/Vanoppen.biz botnet has been closed down and he is up on another network:
Botnet DNS Data
(Valid for domains greentwl.com, greentwl.net, greentwu.com, greentwu.net and greentwu.org)
Looking up at the 2 greentwu.com. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.iwarzone.com, hosted by Netrouting Data Facilities/Grafix.nl on IP 194.110.67.169, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list, which are hosting the fraud site (as determined by TRACERT).
Botnet DNS Data
(Valid for domains greentwh.com, greentwh.net, greentwh.org, greentwi.com, greentwi.net, greentwi.org)
Looking up at the 2 greentwh.com. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.book-xm.com, hosted by Network Operations Center Inc./Burst.net on IP 64.191.113.103, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list, which are hosting the fraud site (as determined by TRACERT).
***Latest News*** - 1st. May 2008
New botnet for domains greentwg.net, greentwg.org:
Botnet DNS Data
(Valid for domains greentwg.net, greentwg.org)
Looking up at the 2 greentwg.net. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.hyperzx.com, hosted by Cari.net/Zanadoo Hosting on IP 71.6.211.122, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list, which are hosting the fraud site (as determined by TRACERT). This is exactly the same nameserver as was used for the Newman Esmond & Eisenberg fraud.
Twelve of the Imena.ua domains have been parked, but the criminal has registered replacement domains greentwl.com, greentwl.net and greentwl.org hosted on the above Netrouting Data Facilities/Grafix.nl zombie botnet. Two of the three hosts have failed to reply to abuse reports.
Later: New domains greentwe.com, greentwe.net, greentwe.org, greentwr.com, greentwr.net, greentwr.org found, all registered with Spiritdomains on 30-Apr-2008 and unhosted at present but showing 'A' records on the criminal's nameserver ns1.uneedmc.com.
New domains greentwo.net, greentwo.org, greentwo.biz also found, also registered with Spiritdomains on 30-Apr-2008 and all hosted on a new botnet hosted by ns1.book-xm.com:
Botnet DNS Data
(Valid for domains greentwo.net, greentwo.org, greentwo.biz)
Looking up at the 2 greentwo.net. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.book-xm.com, hosted by Global Technology Solutions, Inc/KevWorks, LLC/ANS Communications on IP 67.207.75.11, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list, which are hosting the fraud site (as determined by TRACERT).
***Latest News*** - 2nd. May 2008
The above criminal fraudsters' hosts, namely Netrouting Data Facilities/Grafix.nl and Cari.net/Zanadoo Hosting, have been informed of the illegal activities that they are aiding and abetting but appear to be happy to continue to do so. In addition Cox.net are uninterested that they are carrying the illegal traffic on behalf of their clients Cari.net/Zanadoo Hosting. Looks like the criminals have currently got a secure set of accomplices in those companies. In addition there has been no response as yet from Global Technology Solutions Inc/KevWorks LLC/ANS Communications.
Later: Response received from KevWorks LLC - the above criminal's botnet has been shut down. New botnet details:
Botnet DNS Data
(Valid for domains greentwo.net, greentwo.org, greentwo.biz)
Looking up at the 2 greentwo.org. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.book-xm.com, hosted by VAServe LTD/UK Dedicated Servers Limited on IP 78.110.164.36, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list, which are hosting the fraud site (as determined by TRACERT).
Later: The botnet nameserver domains iwarzone.com and hyperzx.com have been suspended by Spiritdomains (respect is due to them for their ethical stance - if only all registrars were as helpful) and have been replaced by netipm.com and regnme.com respectively - details in the table. New botnet details:
Botnet DNS Data
(Valid for domains greentwl.net)
Looking up at the 2 greentwl.net parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.netipm.com, hosted by Netrouting Data Facilities/Grafix.nl on IP 194.110.67.169, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list, which are hosting the fraud site (as determined by TRACERT). Grafix.nl have not responded to abuse reports.
Botnet DNS Data
(Valid for domains greentwg.net, greentwg.org, greentwld.com, greentwld.net, greentwld.org)
Looking up at the 2 greentwg.net. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.regnme.com, hosted by Cari.net/Zanadoo Hosting on IP 71.6.211.122, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list, which are hosting the fraud site (as determined by TRACERT). Cari.net/Zanadoo Hosting have not responded to abuse reports.
***Latest News*** - 4th. May 2008
The criminal's ns1.regnme.com controlled zombie botnet has been moved to a new host:
Botnet DNS Data
(Valid for domains greentwg.net, greentwg.org, greentwld.com, greentwld.net)
Looking up at the 2 greentwld.com. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.regnme.com, hosted by Welcome 2 Inter.Net on IP 85.197.99.29, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list, which are hosting the fraud site (as determined by TRACERT).
Later: An instant response from the superb ethical host Welcome 2 Inter.Net has resulted in the above botnet controller being shut down - many thanks. If only some other hosts were as intelligent and not so willing to shelter these criminals as some of them appear to be, e.g. grafix.nl in particular...
Later:
If any more proof were needed that these Green Tree (Warehousing) Ltd criminals are the same gang as the Newman, Esmond & Eisenberg criminal fraudsters then they've kindly provided it by using the old NEE domain newmanesrb.net for the GTWL site.
DNS Data
(Valid for domain newmanesrb.net)
Looking up at the 2 newmanesrb.net. parent servers:
Server - Response
ns2.newmanesrb.net [200.72.139.67] - 211.3.149.208
ns1.newmanesrb.net [219.76.235.93] - 211.3.149.208
There we see the usual 'blackhat' nameserver host ENTEL CHILE S.A. (200.72.139.67) and the Netvigator (PCCW Ltd) IP 219.76.235.93, both of which were used for so long for the NEE fraud. The fraud website host IP (211.3.149.208) belongs to Open Data Network (JAPAN TELECOM CO.,LTD.) under the control of JPNIC. Once again the IP 211.3.149.208 has RDNS set up (OFSfb-12p2-208.ppp11.odn.ad.jp), so it is quite likely to be a solitary zombie or a criminal owned machine.
***Latest News*** - 5th. May 2008
The criminal has registered some new nameserver domains and set up some new botnets to replace ones disconnected by ethical hosts:
Botnet DNS Data
(Valid for domains greentwld.com, greentwld.net)
Looking up at the 2 greentwld.com. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.mnink.com, hosted by Tailor Made Servers/Amaresh Ray on IP 67.222.131.126, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list, which are hosting the fraud site (as determined by TRACERT).
Botnet DNS Data
(Valid for domains greentwo.net, greentwo.org, greentwo.biz, grntwo.com, grntwo.net)
Looking up at the 2 greentwo.net. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.viemn.com, hosted by VAServe LTD/UK Dedicated Servers Limited on IP 78.110.164.36, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list, which are hosting the fraud site (as determined by TRACERT).
Botnet DNS Data
(Valid for domains grntwr.net, grntwr.com)
Looking up at the 2 grntwr.net. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.netipm.com, hosted by Netrouting Data Facilities/Grafix.nl on IP 194.110.67.169, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list, which are hosting the fraud site (as determined by TRACERT). Grafix.nl have not responded to abuse reports to date.
***Latest News*** - 6th. May 2008
The VAServe LTD/UK Dedicated Servers Limited botnet on IP 78.110.164.36 has been shut down and is now back up on IP 65.75.189.85
Botnet DNS Data
(Valid for domains greentwo.net, greentwo.org, greentwo.biz, grntwo.com, grntwo.net)
Looking up at the 2 grntwo.com. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.viemn.com, hosted by SoftwareWorks Group, Inc./Carohosting.net on IP 65.75.189.85, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list, which are hosting the fraud site (as determined by TRACERT).
***Latest News*** - 7th. May 2008
Contact
has now been made with Netrouting.eu and the VPS on IP 194.110.67.169 has
been disabled due to a
Paypal fraud case.
The criminal is already up on a new botnet: Botnet
DNS Data
(Valid for domains grntwr.net,
grntwr.com, grntwh.com, grntwr.org )
Looking up at the 2 grntwr.net. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.netipm.com hosted by California Regional Intranet, Inc./Zanadoo Hosting on IP 71.6.211.95 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

The Tailor Made Servers/Amaresh Ray zombie botnet has been shut down and has been replaced by a new one:

Botnet DNS Data (Valid for domains greentwld.com, greentwld.net, greentwld.org, greentwlg.com, greentwlg.net)
Looking up at the 2 greentwld.net. parent servers:
[Table: Zombie Botnet Nameserver | Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.mnink.com hosted by Network Operations Center Inc./Burst.net on IP 66.197.149.203 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** - 8th. May 2008

The criminals have a new nameserver domain - nx-web.com

Botnet DNS Data (Valid for domains grntwr.net, grntwr.com, grntwh.com, grntwr.org)
Looking up at the 2 grntwh.com. parent servers:
[Table: Zombie Botnet Nameserver | Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.nx-web.com hosted by California Regional Intranet, Inc./Zanadoo Hosting on IP 71.6.211.95 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

Later: Response received from Zanadoo hosting - they have suspended the VPS for the above botnet.

Later: Response received from burst.net - the burst.net botnet VPS has also been suspended and the crooks are up on a new botnet.

Botnet DNS Data (Valid for domains greentwld.com, greentwld.net, greentwld.org, greentwlg.com, greentwlg.net)
Looking up at the 2 greentwlg.com. parent servers:
[Table: Zombie Botnet Nameserver | Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.mnink.com hosted by Convergent Network Services (Ironcolo.com)/The New York NOC, Inc. on IP 206.71.148.2 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** - 9th. May 2008

The Convergent Network Services (Ironcolo.com)/The New York NOC, Inc botnet nameserver has been disconnected and is now timing out - a very quick response. Carohosting.net, (Caro.net), NOC responded yesterday to my abuse report, but their botnet remains active so far this morning.

Later: The Caro.net/Carohosting.net zombie botnet remains active. New botnets:

Botnet DNS Data (Valid for domains greentwld.com, greentwld.net, greentwld.org, greentwlg.com)
Looking up at the 2 greentwld.org parent servers:
[Table: Zombie Botnet Nameserver | Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.mnink.com hosted by Network Operations Center Inc./Burst.net. on IP 64.191.40.232 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

Botnet DNS Data (Valid for domains grntwr.net, grntwr.com, grntwh.com, grntwr.org)
Looking up at the 2 grntwr.org. parent servers:
[Table: Zombie Botnet Nameserver | Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.schemeetc.com hosted by California Regional Intranet, Inc./Zanadoo Hosting on IP 71.6.211.122 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** - 10th. May 2008

The SoftwareWorks Group, Inc./Carohosting.net zombie botnet nameserver ns1.viemn.com hosted on IP 65.75.189.85 remains active despite them having been notified on May the 6th. and a confirmation received.

The above Network Operations Center Inc./Burst.net botnet remains active this morning.

Cari.net/Zanadoo hosting have quickly shut down the above botnet, (great response), and the crook is now up on a new one:

Botnet DNS Data (Valid for domains grtrw.org.uk, grtrw.me.uk, grtrw.co.uk, grntr.org.uk, grntr.me.uk, grntr.co.uk)
Looking up at the 2 grtrw.me.uk. parent servers:
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.schemeetc.com hosted by FortressITX/pwebtech.com on IP 69.72.237.212 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

Later: The burst.net botnet has now been disconnected and the criminals have set up a replacement:

Botnet DNS Data (Valid for domains greentwld.com, greentwld.net, greentwld.org, greentwlg.com)
Looking up at the 2 greentwld.com. parent servers:
[Table: Zombie Botnet Nameserver | Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.mnink.com hosted by PFA-BOSTAN-TUDOR-TEODOR (Jump.ro) on IP 89.46.37.32 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** - 11th. May 2008

The SoftwareWorks Group, Inc./Carohosting.net zombie botnet nameserver ns1.viemn.com hosted on IP 65.75.189.85 now has the nameserver DNS looped back to the root servers, thus disabling the botnet. Unfortunately this was a very poor response from Carohosting.com who were first informed of the criminal abuse on May the 6th.

The following zombie botnets remain active this morning:
FortressITX/pwebtech.com - ns1.schemeetc.com. [69.72.237.212]
PFA-BOSTAN-TUDOR-TEODOR (Jump.ro) - ns1.mnink.com [89.46.37.32]

The old Spiritdomains registered Newman, Esmond & Eisenberg fraud domain newmanesrb.net remains active hosting the stolen Green Tree website on the following network:

DNS Data (Valid for domain newmanesrb.net)
Looking up at the 2 newmanesrb.net. parent servers:
Server                               Response
ns2.newmanesrb.net [200.72.139.67]   85.150.209.34
ns1.newmanesrb.net [219.76.235.93]   85.150.209.34
There we see the usual nameserver host ENTEL CHILE S.A. (200.72.139.67) and the Netvigator (PCCW Ltd) IP 219.76.235.93 both of which were used for so long for the NEE fraud and have been reported numerous times without effect. The fraud website host IP (85.150.209.34) belongs to Orange Nederland Breedband B.V. (aka Wanadoo Nederland) and was also used for the Newman, Esmond & Eisenberg fraud. It has also been reported without effect. Once again the IP 85.150.209.34 has RDNS set up (5596d122.adsl.wanadoo.nl) and is clearly an ADSL end user on the Dutch Orange/Wanadoo network, so it is quite likely to be either a solitary zombie or a criminal owned machine.

***Latest News*** - 12th. May 2008

DNS Data (Valid for domains greentwo.net, greentwo.org, greentwo.biz, grntwo.com, grntwo.net)
Looking up at the 2 greentwo.net. parent servers:
Server                             Response
ns1.greentwo.net [81.16.131.40]    85.150.209.34
ns2.greentwo.net [202.44.71.148]   85.150.209.34
There we see the nameserver hosts ns1.greentwo.net [81.16.131.40] (Complex Telmatic Systems Siberia network) and ns2.greentwo.net [202.44.71.148] (Sripatum University) both of which have been used before by these criminals. The fraud website host IP (85.150.209.34) belongs to Orange Nederland Breedband B.V. (aka Wanadoo Nederland) and was also used for the Newman, Esmond & Eisenberg fraud when it was reported without effect. Once again the IP 85.150.209.34 has RDNS set up (5596d122.adsl.wanadoo.nl) and is clearly an ADSL end user on the Dutch Orange/Wanadoo network, so it is quite likely to be either a solitary zombie or a criminal owned machine.

Botnet DNS Data (Valid for domains greentwld.com, greentwld.net, greentwld.org, greentwlg.com)
Looking up at the 2 greentwld.com. parent servers:
[Table: Zombie Botnet Nameserver | Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.mnink.com hosted by Network Operations Center Inc./Burst.net. on IP 66.197.245.85 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

The FortressITX/pwebtech.com hosted zombie botnet (ns1.schemeetc.com. [69.72.237.212]) that was abuse reported on May the 10th. remains active today.

***Latest News*** - 13th. May 2008

New domains grtrw.me.uk, grtrw.co.uk notified by site contact - registered with GX Networks Ltd t/a 123-Reg.co.uk and still hosted on the FortressITX/pwebtech.com - ns1.schemeetc.com [69.72.237.212] zombie botnet.

Later - Another domain reported by a site contact - grntr.org.uk, once again hosted on the FortressITX/pwebtech.com zombie botnet. Further derived domains - grtrw.org.uk, grntr.me.uk, grntr.co.uk also hosted on the FortressITX/pwebtech.com zombie botnet.

***Latest News*** - 14th. May 2008

Spiritdomains have suspended all of the criminal's known main and nameserver domains - thanks guys. As a result the criminal has now transferred his attentions to the registrar GX Networks Ltd t/a 123-Reg.co.uk.

The criminal has also registered a new nameserver domain (nolno.com) with INTERNET INVEST, INC. DBA IMENA.UA (10-May-2008). This is now being used for the FortressITX/pwebtech.com zombie botnet which remains active although they were notified of the activity on May the 10th.

Botnet DNS Data (Valid for domains grtrw.org.uk, grtrw.me.uk, grtrw.co.uk, grntr.org.uk, grntr.me.uk, grntr.co.uk)
Looking up at the 2 grntr.co.uk parent servers:
[Table: Zombie Botnet Nameserver | Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.nolno.com hosted by FortressITX/pwebtech.com on IP 69.72.237.212 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

Later: The criminal's nameserver domain nolno.com has been suspended by Imena.ua, (thanks guys), so he has had to slot in another one (umacc.com):

Botnet DNS Data (Valid for domains grtrw.org.uk, grtrw.me.uk, grtrw.co.uk, grntr.org.uk, grntr.me.uk, grntr.co.uk)
Looking up at the 2 grntr.org.uk. parent servers:
[Table: Zombie Botnet Nameserver | Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.umacc.com hosted by FortressITX/pwebtech.com on IP 69.72.237.212 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

Because of the lack of response to abuse reports from myself and the genuine Greentree Company, (apart from the initial acknowledgement which confirms receipt, received 10th. May), it is unfortunately clear that FortressITX/pwebtech.com have no intention of taking action against their criminal client, despite the clear illegal activity in contravention of their AUP.

***Latest News*** - 15th. May 2008

Botnet DNS Data (Valid for domains grerw.org.uk, grerw.co.uk)
Looking up at the 2 grerw.org.uk. parent servers:
[Table: Zombie Botnet Nameserver | Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.boxerr.net hosted by Network Operations Center Inc./Burst.net on IP 66.197.241.15 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** - 17th. May 2008

Latest domains and networks:

DNS Data (Valid for domains grtrrh.org.uk, grtrrh.me.uk, grtrrh.co.uk)
Looking up at the 2 grtrrh.me.uk. parent servers:
Server                             Response
ns1.grnew.me.uk [200.72.139.67]    212.0.85.6
ns2.grnew.me.uk [202.44.71.148]    212.0.85.6
The IP 212.0.85.6 is listed as owned by SC Electrosvyaz of Buryatia Republic (burnet.ru). Once again we see the usual nameserver host IPs 200.72.139.67 and 202.44.71.148 (ENTEL CHILE S.A. and Sripatum University - reported many times without response). We also see the new domain grnew.me.uk being used by the criminals for their nameserver.

The registrar 123-reg.co.uk (part of GX Networks Ltd who are the old Pipex group), are refusing to take action against their criminal clients without "the relevant documentation from the police, trading standards or courts", in other words they will not respond to abuse reports from anyone else, no matter how valid and evidential they are. They have been informed of the illegal activity that they are providing services for and directed to the evidence on this site but refuse to accept the irrefutable evidence of criminal activity and spamming as grounds for suspension of their criminal client's domains.

***Latest News*** - 19th. May 2008

The Network Operations Center Inc./Burst.net botnet has at last been shut down by them and the criminals are up on a new botnet hosted by Global Technology Solutions, Inc./misdivision.com. Network details:

Botnet DNS Data (Valid for domains grerw.org.uk, grerw.co.uk)
Looking up at the 2 grerw.co.uk. parent servers:
[Table: Zombie Botnet Nameserver | Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.boxerr.net hosted by Global Technology Solutions, Inc./misdivision.com on IP 67.205.160.92 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

The host FortressITX/pwebtech.com continue to host these criminals and their zombie botnet despite numerous abuse reports.

***Latest News*** - 20th. May 2008

123-reg/GX NETWORKS UK LIMITED continue to provide registration services for these fraudsters and also for numerous other 'rockphish' phishing domains while ignoring the evidence and continuing to hide behind the familiar unethical SPs mantra: "We cannot take action without the relevant documentation from the police, trading standards or courts".

The domains grtrrh.org.uk, grtrrh.me.uk, grtrrh.co.uk are on a new network:

Looking up at the 2 grtrrh.co.uk parent servers:
Server                                Response
ns2.grntrg.me.uk [211.174.128.119]    76.232.230.182
ns1.grntrg.me.uk [81.16.131.40]       76.232.230.182
The IP 76.232.230.182 is ARIN listed as owned by AT&T Internet Services/ANDREA WHITE. It has an RDNS of adsl-76-232-230-182.dsl.stlsmo.sbcglobal.net so it is clearly either a criminal owned machine or a zombie, (note the adsl in the data - it stands for Asymmetric Digital Subscriber Line which signifies that it is an end user at the end of a copper telephone line).
The criminal has three new domains registered with 123-reg/GX NETWORKS UK LIMITED: grntrg.org.uk, grntrg.me.uk and grntrg.co.uk, one of which (grntrg.me.uk) he is using as a nameserver domain for the above network and the others are parked.

Once again we see the usual nameserver host IP 81.16.131.40 (Complex Telmatic Systems Siberia network) and a new one, (to me anyhow), 211.174.128.119 (DONGBANGNOBOPUM/ELIMNET).

***Latest News*** - 22nd. May 2008

More 123-reg.co.uk domains have been drafted into service by the criminal: grnrw.org.uk grnrw.me.uk grnrw.co.uk

All of the domains are being hosted on a zombie botnet which is itself being hosted by the unresponsive host FortressITX/pwebtech.com using a new nameserver domain (morestp.com) as his previous domain (umacc.com) has been suspended by Spiritdomains.

Botnet DNS Data (Valid for domains grntwg.me.uk)
Looking up at the 2 grntwg.me.uk. parent servers:
[Table: Zombie Botnet Nameserver | Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.morestp.com hosted by FortressITX/pwebtech.com on IP 69.72.237.212 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

Because of the lack of response to abuse reports from myself and the genuine Greentree Company, (apart from the initial acknowledgement which confirms receipt, received 10th. May), it is unfortunately clear that FortressITX/pwebtech.com have no intention of taking action against their criminal client, despite the clear illegal activity in contravention of their AUP.

Later

Networksolutions have deactivated the criminal's nameserver domain boxerr.net and so the criminals are up on a new network. A couple, actually; first the single zombie one:

DNS Data (Valid for domains grtrrh.org.uk, grtrrh.me.uk, grtrrh.co.uk, grnew.co.uk, grnew.org.uk)
Looking up at the 2 grtrrh.org.uk. parent servers:
Server                                Response
ns2.grntrg.me.uk [211.174.128.119]    212.0.85.6
ns1.grntrg.me.uk [81.16.131.40]       212.0.85.6

Once again we see one of the usual miscellaneous hosts of these criminals - SC Electrosvyaz of Buryatia Republic (Burnet.ru) on IP 212.0.85.6. Now the new 7-IP zombie botnet:

Botnet DNS Data (Valid for domains grerw.org.uk, grerw.co.uk)
Looking up at the 2 grerw.org.uk. parent servers:
[Table: Zombie Botnet Nameserver | Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.costmbb.com hosted by Global Technology Solutions, Inc./misdivision.com on IP 67.205.160.92 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

The host FortressITX/pwebtech.com continue to host these criminals and their zombie botnet despite numerous abuse reports.

The criminals' new nameserver domain is costmbb.com (INTERNET INVEST, INC. DBA IMENA.UA - 15-may-2008).

***Latest News*** - 23rd. May 2008

The crook appeared to try to set up the above botnet through ns1.boxerr.net as a primary nameserver, but with the deactivation of the domain by Networksolutions, (all thanks to them for a prompt response), that botnet is no longer viable and hopefully they no longer have access to the domains grerw.org.uk and grerw.co.uk to set up ns1.costmbb.com directly. Time will tell.

Unfortunately the criminal has registered three more domains with 123-reg.co.uk - grntwg.org.uk, grntwg.me.uk and grntwg.co.uk

Later: 123-reg/GX NETWORKS UK LIMITED have finally taken action to suspend all but one (grntwg.me.uk) of the known criminal's domains. If you receive any spam from this criminal that contains an active domain then please do let me know.

***Latest News*** - 24th. May 2008

...and still the spam keeps coming... more domains received in the same fraud spam this morning, all registered with bogus whois data with 123-reg/GX NETWORKS UK LIMITED on 21st. May:

grtreew.org.uk grtreew.me.uk grtreew.co.uk
All hosted on the ns1.costmbb.com zombie botnet

greth.org.uk greth.me.uk greth.co.uk
All hosted on the ns1.morestp.com zombie botnet

The 123-reg.co.uk domain grntwg.me.uk also still resolves this morning via the ns1.morestp.com zombie botnet.

Botnet DNS Data (Valid for domains grntwg.me.uk, greth.org.uk, greth.me.uk and greth.co.uk)
Looking up at the 2 greth.me.uk. parent servers:
[Table: Zombie Botnet Nameserver | Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.morestp.com hosted by FortressITX/pwebtech.com on IP 69.72.237.212 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

Because of the lack of response to abuse reports from myself and the genuine Greentree Company, (apart from the initial acknowledgement which confirms receipt, received 10th. May), it is unfortunately clear that FortressITX/pwebtech.com have no intention of taking action against their criminal client, despite the clear illegal activity in contravention of their AUP.

Botnet DNS Data (Valid for domains grtreew.org.uk, grtreew.me.uk, grtreew.co.uk)
Looking up at the 2 grtreew.co.uk. parent servers:
[Table: Zombie Botnet Nameserver | Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.costmbb.com hosted by Global Technology Solutions, Inc./misdivision.com on IP 67.205.160.92 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** - 25th. May 2008

All of the GX NETWORKS UK LIMITED/123-reg Ltd GTW domains are still active this morning and they are also being targeted by this 'rockphish' criminal's phishing department, e.g. domains ddddll.me.uk, ddddll.org.uk, ddddll.co.uk which resolve to a rockphish Natwest Bank phishing fraud. Unfortunately 123-reg.co.uk don't appear to have any system in place to respond to abuse reports out of normal working hours and as it's a bank holiday weekend here in the UK, don't expect any action soon....

***Latest News*** - 28th. May 2008

All of the remaining reported GX NETWORKS UK LIMITED/123-reg Ltd GTW domains are still active this morning.

The registrar 123-reg.co.uk, (Webfusion), (part of GX Networks Ltd who are the old Pipex group), are refusing to act to suspend their criminal client's domains without "the relevant documentation from the police, trading standards or courts", in other words they will only respond to 'take down' notices from the above authorities and ignore all other information of criminal activity involving their customers. They have been informed of the clear, proven illegal activity that they are providing services for and directed to the clear and easily verifiable evidence of criminal activity on this website but refuse to act by suspending their criminal client's domains and continue to provide services for these criminals despite the activity being clearly prohibited by their AUP. This lack of response is allowing the criminals a free hand to perpetrate their fraud activity at the expense of the victims and the innocent company.

If you feel this is unreasonable or unethical and/or are suffering from this criminal's spam and would like to voice your complaints then here are their contact details as published on their website:

123-reg/GX NETWORKS UK LIMITED
5 ROUNDWOOD AVENUE, STOCKLEY PARK, UXBRIDGE, MIDDLESEX UB11 1FF
contact@gxn.net, postmaster@gxn.net, abuse@gxn.net (for gxn.net - courtesy of abuse.net website)
0871 230 9525
Bear in mind that not only do they make money providing domains for these criminals, they also make money out of their 0871 number. However, courtesy of the excellent website SAYNOTO0870.COM, (search for 123-Reg.co.uk), there is a Freephone number suggested by the website: 0800 0317800 (ask for 123-Reg.co.uk). If calling from abroad it's the usual convention of country code (44) followed by the number less the first 0. The freephone number will not be free if called from outside the UK, of course. There are other numbers suggested on the above website, e.g. a Lo-Call number: 0845 1306965 and several geographical numbers that they do not make a profit from. Check the SAYNOTO0870.COM website for up to date details.

***Latest News*** - 30th. May 2008

123-reg.co.uk Ltd have finally suspended the domains grntwg.me.uk, grtreew.org.uk, grtreew.me.uk, grtreew.co.uk, greth.org.uk, greth.me.uk and greth.co.uk but the criminal has simply brought a new batch of domains into service that he registered with them on May the 24th., including grnrwg.org.uk, grnrwg.me.uk, and grnrwg.co.uk, but there will be many others in service and in reserve. If 123-reg take as long to suspend these as they did the others then the criminal is laughing all the way to the bank. New domains abuse reported to 123-reg.co.uk. All 123-reg.co.uk need to do is to search their whois database for the criminal's current nameservers ns1.costmbb.com and ns1.morestp.com and they could if they so wished suspend all active domains in one fell swoop. Please let me know of any domains I do not have listed - thank you.

Botnet DNS Data (Valid for domains grnrwg.org.uk, grnrwg.co.uk, gretewh.org.uk, gretewh.me.uk, gretewh.co.uk)
Looking up at the 2 grnrwg.co.uk. parent servers:
[Table: Zombie Botnet Nameserver | Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.morestp.com hosted by FortressITX/Pegasus Web Technology on IP 69.72.237.212 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

Because of the lack of response to abuse reports from myself and the genuine Greentree Company, (apart from the initial acknowledgement which confirms receipt, received 10th. May), it is unfortunately clear that FortressITX/Pegasus Web Technology have no intention of taking action against their criminal client, despite the clear illegal activity in contravention of their AUP.

***Latest News*** - 31st. May 2008

More domains reported by site contact & passed on to 123-reg.co.uk: gretewh.org.uk gretewh.me.uk gretewh.co.uk

All registered on May the 23rd. with the UK registrar GX Networks Ltd/123-reg.co.uk. Undoubtedly the criminal will have more of these domains waiting in the pipeline. All are hosted on the FortressITX/Pegasus Web Technology zombie botnet.

***Latest News*** - 1st. June 2008

Another month and more GX Networks Ltd/123-reg.co.uk registered domains received in spam - passed on to 123-reg.co.uk: gntrws.org.uk gntrws.me.uk gntrws.co.uk

The domains were all registered on May the 21st. with GX Networks Ltd/123-reg.co.uk and are all shown as active, but are hosted on the above Global Technology Solutions, Inc./misdivision.com zombie botnet, which is showing a server failure, so none of them are resolving at the present time. More GX Networks Ltd/123-reg.co.uk registered phishing domains also received in 'Natwest' phishing spam: tknnt.me.uk tknnt.org.uk tknnt.co.uk tknnts.co.uk

***Latest News*** - 2nd. June 2008

The current batch of GX Networks Ltd/123-reg.co.uk domains (grnrwg.org.uk, grnrwg.co.uk, gretewh.org.uk, gretewh.me.uk, gretewh.co.uk - all abuse reported on May 30th. & 31st. to 123-reg.co.uk) are all still active and resolving except for grnrwg.me.uk with which the criminal seems to have DNS trouble. No reply to abuse reports from 123-reg.co.uk and webfusion.co.uk abuse teams.

***Latest News*** - 3rd. June 2008

The current batch of GX Networks Ltd/123-reg.co.uk domains (grnrwg.org.uk, grnrwg.co.uk, gretewh.org.uk, gretewh.me.uk, gretewh.co.uk - all abuse reported on May 30th. & 31st. to 123-reg.co.uk) are all still active and resolving except for grnrwg.me.uk with which the criminal seems to have DNS trouble. No reply to abuse reports from 123-reg.co.uk and webfusion.co.uk abuse teams. GX Networks Ltd/123-reg.co.uk are fully aware of the illegal activity but continue to provide services to these 'rockphish' criminal fraudsters, as do the US hosting service providers FortressITX/Pegasus Web Technology. Unfortunately for the victims, the criminals appear to have a pretty reliable pair of service providers in these two.

***Latest News*** - 4th. June 2008

The current batch of GX Networks Ltd/123-reg.co.uk domains (grnrwg.org.uk, grnrwg.co.uk, gretewh.org.uk, gretewh.me.uk, gretewh.co.uk - all abuse reported on May 30th. & 31st. to 123-reg.co.uk) are all still active and resolving except for grnrwg.me.uk with which the criminal seems to have DNS trouble. No reply to abuse reports from 123-reg.co.uk and webfusion.co.uk abuse teams. GX Networks Ltd/123-reg.co.uk are fully aware of the illegal activity but continue to provide services to these 'rockphish' criminal fraudsters, as do the US hosting service providers FortressITX/Pegasus Web Technology. Unfortunately for the victims, the criminals appear to have a pretty reliable and supportive pair of service providers in these two.

***Latest News*** - 5th. June 2008

The current batch of GX Networks Ltd/123-reg.co.uk domains (grnrwg.org.uk, grnrwg.co.uk, gretewh.org.uk, gretewh.me.uk, gretewh.co.uk - all abuse reported on May 30th. & 31st. to 123-reg.co.uk and numerous times since) are all still active and resolving except for grnrwg.me.uk with which the criminal seems to have DNS trouble. No reply to abuse reports from 123-reg.co.uk and webfusion.co.uk abuse teams. GX Networks Ltd/123-reg.co.uk are fully aware of the illegal activity but continue to provide services to these 'rockphish' criminal fraudsters, as do the US hosting service providers FortressITX/Pegasus Web Technology. Unfortunately for the victims, the criminals appear to have a pretty reliable and supportive pair of service providers in these two.

The only bright spot in this whole sordid criminal affair is that the criminal's nameserver domain morestp.com has been suspended by Spiritdomains - well done guys. Thank goodness there is at least one ethical registrar involved in this mess who is not prepared to tolerate illegal activity.

The criminal's new nameserver domain is jumpzo.com and was registered with INTERNET INVEST, INC. DBA IMENA.UA on 05-Jun-2008. The criminal also has at least two new main domains, greentreeltd.com and greentreeltd.org, both registered with Computer Services Langenbach GmbH DBA Joker.com on 22-Apr-2008.

DNS Details (grnrwg.org.uk, grnrwg.co.uk, gretewh.org.uk, gretewh.me.uk, gretewh.co.uk)
Looking up at the 2 gretewh.co.uk. parent servers:
[Table: Zombie Botnet Nameserver | Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.jumpzo.com hosted by FortressITX/pwebtech.com on IP 69.72.237.212 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

Because of the lack of response to abuse reports from myself and the genuine Greentree Company, (apart from the initial acknowledgement which confirms receipt, received 10th. May), it is unfortunately clear that FortressITX/pwebtech.com have no intention of taking action against their criminal client, and are happy to aid and abet these criminal fraudsters.

DNS Details (greentreeltd.com, greentreeltd.org)

How I am searching:
Searching for greentreeltd.com A record at a.root-servers.net [198.41.0.4]: Got referral to J.GTLD-SERVERS.NET. (zone: com.)
Searching for greentreeltd.com A record at J.GTLD-SERVERS.NET. [192.48.79.30]: Got referral to yns1.yahoo.com. (zone: greentreeltd.com.)
Searching for greentreeltd.com A record at yns1.yahoo.com. [66.218.71.205]: Reports greentreeltd.com. Response:
Domain              Type  Class  TTL    Answer
greentreeltd.com.   A     IN     1200   216.39.62.119
greentreeltd.com.   A     IN     1200   216.39.62.120
greentreeltd.com.   A     IN     1200   216.39.62.121
greentreeltd.com.   A     IN     1200   216.39.62.122
greentreeltd.com.   A     IN     1200   216.39.62.123
greentreeltd.com.   A     IN     1200   216.39.62.124
greentreeltd.com.   NS    IN     86400  ns9.san.yahoo.com.
greentreeltd.com.   NS    IN     86400  ns8.san.yahoo.com.
greentreeltd.com.   NS    IN     86400  yns1.yahoo.com.
greentreeltd.com.   NS    IN     86400  yns2.yahoo.com.
yns1.yahoo.com.     A     IN     1800   66.218.71.205
yns2.yahoo.com.     A     IN     1800   216.109.116.20
ns8.san.yahoo.com.  A     IN     1800   66.218.71.205
ns9.san.yahoo.com.  A     IN     1800   216.109.116.20
Looking up at the 2 greentreeltd.com. parent servers:
For those of you that are unfamiliar with this network, it is the Yahoo 'Small Business Network' which is used on and off by other aliases of this 'rockphish' criminal. It's currently the network of choice for the 'Office Online' criminal fraudster, for instance. Yahoo domains & phishing abuse teams are usually pretty quick in disabling these criminals.
***Latest News*** - 6th. June 2008
Response from Yahoo - action taken against greentreeltd.com, greentreeltd.org
***Latest News*** - 7th. June 2008
The criminals seem to have managed to rehost the fake domain greentreeltd.com on a GoDaddy IP - 72.167.131.113. DO NOT BE FOOLED! - the criminals are now using a copy of the website showing the genuine location near Doncaster and not the above Antwerp address on the domain greentreeltd.com. The fake website does not include the fraud warning (shown in the screenshot above), of course. The fraud site can be easily identified as it has an illegal money laundering job of "Regional Financial Coordinator" in the /vacancy.php folder, e.g. http://www.greentreeltd.com/vacancy.php. The genuine site has no such folder and no such job. The original fraud site can still be seen in the /index.php folder, i.e. http://www.greentreeltd.com/index.php.
Later: The criminal's botnet controlled by ns1.jumpzo.com [69.72.237.212] has been shut down and has been transferred to IP 85.197.99.39.
DNS Details (grnrwg.org.uk, grnrwg.co.uk, gretewh.org.uk, gretewh.me.uk, gretewh.co.uk)
Looking up at the 2 grnrwg.co.uk parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the criminal-owned nameserver ns1.jumpzo.com, hosted by WELCOME2INTERNET-8 on IP 85.197.99.39, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
Later - That's a new record for shutting down one of this crook's botnets - 14 minutes from sending the complaint to receipt of the shutdown notification. If only all hosts were as responsive and responsible.
***Latest News*** - 8th. June 2008
The criminal's domain greentreeltd.com continues to be hosted on the GoDaddy IP 72.167.131.113.
DNS Details (greentreeltd.com)
Looking up at the 2 greentreeltd.com. parent servers:
Server                                    Response
ns52.domaincontrol.com [208.109.255.26]   72.167.131.113
ns51.domaincontrol.com [208.109.14.47]    72.167.131.113
The data shows that the criminal is hosted on GoDaddy IP 72.167.131.113 using Wild West Domains (GoDaddy) nameservers ns52.domaincontrol.com [208.109.255.26] and ns51.domaincontrol.com [208.109.14.47], both hosted on GoDaddy IPs.
Later: The criminal's domain greentreeltd.com has been suspended.
Later: The criminals have set up a new botnet:
Botnet DNS Data (grnrwg.org.uk, grnrwg.co.uk, gretewh.org.uk, gretewh.me.uk, gretewh.co.uk)
Looking up at the 2 grnrwg.co.uk parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the criminal-owned nameserver ns1.jumpzo.com, hosted by Bocacom.net LLC/Righthosting.com on IP 72.35.65.20, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
The current batch of GX Networks Ltd/123-reg.co.uk domains (grnrwg.org.uk, grnrwg.co.uk, gretewh.org.uk, gretewh.me.uk, gretewh.co.uk - all abuse reported on May 30th. & 31st. to 123-reg.co.uk and numerous times since) are all still active and resolving, except for grnrwg.me.uk with which the criminal seems to have DNS trouble. No reply to abuse reports from the 123-reg.co.uk and webfusion.co.uk abuse teams. GX Networks Ltd/123-reg.co.uk are fully aware of the illegal activity but continue to knowingly provide services to these 'rockphish' criminal fraudsters.
Later: The criminal has at long last brought his domains gntrws.org.uk and gntrws.co.uk (gntrws.me.uk is the third active domain, but it is showing a DNS failure at the moment) into service on the ns1.costmbb.com controlled zombie botnet:
Botnet DNS Data (Valid for domains gntrws.org.uk, gntrws.co.uk)
Looking up at the 2 gntrws.co.uk. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the criminal-owned nameserver ns1.costmbb.com, hosted by Global Technology Solutions, Inc./Misdivision.com on IP 67.205.160.92, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
***Latest News*** - 9th. June 2008
All known GX Networks Ltd/123-reg.co.uk domains have at long last been suspended. It's a pity they gave the criminal such an easy ride. No known active domains. Please let me know if you know of any resolving weblinks or indeed if you receive any spam from these criminals - thank you.
***Latest News*** - 11th. June 2008
New domains notified by site contact - grrwh.me.uk, grrwh.org.uk, grrwh.co.uk, all registered with GX Networks Ltd/123-reg.co.uk on 24th. May and all hosted on the ns1.jumpzo.com [67.205.160.61] controlled zombie botnet, which is listed as being hosted by Global Technology Solutions, Inc./misdivision.com although a tracert ends up on AS1660 (ANS Communications).
Botnet DNS Data (Valid for domains grtwg.org.uk, grtwg.me.uk, grtwg.co.uk)
Looking up at the 2 grrwh.co.uk parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the criminal-owned nameserver ns1.jumpzo.com, hosted by Global Technology Solutions, Inc./Misdivision.com on IP 67.205.160.61, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
Later: Domains grrwh.me.uk, grrwh.org.uk, grrwh.co.uk all suspended and three new domains notified by site contact: grtwg.org.uk, grtwg.me.uk, grtwg.co.uk, all hosted on the above ns1.jumpzo.com [67.205.160.61] zombie botnet.
Later: Domains grtwg.org.uk, grtwg.me.uk, grtwg.co.uk have been suspended by the registrar. New domains notified by site contact: gtwhl.org.uk, gtwhl.me.uk, gtwhl.co.uk, hosted on a zombie botnet controlled by ns1.costmbb.com and once again hosted by Global Technology Solutions, Inc./Misdivision.com on IP 67.205.160.92.
Botnet DNS Data (Valid for domains gtwhl.org.uk, gtwhl.me.uk, gtwhl.co.uk)
Looking up at the 2 gtwhl.co.uk parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the criminal-owned nameserver ns1.costmbb.com, hosted by Global Technology Solutions, Inc./Misdivision.com on IP 67.205.160.92, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
***Latest News*** - 12th. June 2008
The above criminal's botnet has been terminated by Misdivision.com and the criminal is up on a new one:
Botnet DNS Data (Valid for domains gtwhl.org.uk, gtwhl.me.uk, gtwhl.co.uk)
Looking up at the 2 gtwhl.co.uk parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the criminal-owned nameserver ns1.costmbb.com, hosted by Sentris Network LLC/Vanoppen.biz LLC on IP 76.191.112.184, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
Later - The above botnet has been very promptly and efficiently shut down by Vanoppen.biz LLC and the criminal is now in the process of setting up a new one on the Network Operations Center Inc./Burst.net IP 66.96.251.206.
Botnet DNS Data (Valid for domains gtwhl.org.uk, gtwhl.me.uk, gtwhl.co.uk)
Looking up at the 2 gtwhl.co.uk parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the criminal-owned nameserver ns1.costmbb.com, hosted by Network Operations Center Inc./Burst.net on IP 66.96.251.206, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
***Latest News*** - 13th. June 2008
The above botnet has been very promptly and efficiently shut down by Burst.net and the criminal is now in the process of setting up a new one on the Othello Technology Systems Ltd/Ikon Communication Services Ltd/Tidyhosts.com IP 194.150.120.24.
Botnet DNS Data (Valid for domains gtwhl.org.uk, gtwhl.me.uk, gtwhl.co.uk)
Looking up at the 2 gtwhl.org.uk parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the criminal-owned nameserver ns1.costmbb.com, hosted by Othello Technology Systems Ltd/Ikon Communication Services Ltd/Tidyhosts.com on IP 194.150.120.24, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
Later - New domains reported by site contact: grtrwrl.org.uk, grtrwrl.me.uk, grtrwrl.co.uk, all hosted on the ns1.jumpzo.com controlled zombie botnet.
Botnet DNS Data (Valid for domains grtrwrl.org.uk, grtrwrl.me.uk, grtrwrl.co.uk, grtrwr.co.uk, grtrwr.me.uk, grtrwr.org.uk)
Looking up at the 2 grtrwrl.co.uk parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the criminal-owned nameserver ns1.jumpzo.com, hosted by Global Technology Solutions, Inc./Misdivision.com on IP 67.205.160.61, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
Later: Tidyhosts.com have very promptly disconnected the criminal's latest ns1.costmbb.com zombie botnet (ns1.costmbb.com [194.150.120.24]), and GX Networks Ltd/123-reg.co.uk have suspended the criminal's domains gtwhl.org.uk, gtwhl.me.uk, gtwhl.co.uk.
Later: Further GTW domains reported by site contact: grtrwr.co.uk, grtrwr.me.uk, grtrwr.org.uk, all hosted on the above zombie botnet.
***Latest News*** - 14th. June 2008
New criminal fraud domains reported by site contacts - grtrwl.co.uk, grtrwl.me.uk, grtrwl.org.uk, gentrw.co.uk, gentrw.me.uk, gentrw.org.uk, all hosted on the ns1.costmbb.com zombie botnet:
Botnet DNS Data (Valid for domains grtrwl.co.uk, grtrwl.me.uk, grtrwl.org.uk, gentrw.co.uk, gentrw.me.uk, gentrw.org.uk)
Looking up at the 2 grtrwl.co.uk parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the criminal-owned nameserver ns1.costmbb.com, hosted by Network Operations Center Inc./Burst.net on IP 64.191.27.152, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
Later: The criminal's botnet on Global Technology Solutions, Inc./Misdivision.com IP 67.205.160.61 has been shut down and is now hosted on a new IP, 91.199.50.38:
Botnet DNS Data (Valid for domains grtrwrl.org.uk, grtrwrl.me.uk, grtrwrl.co.uk, grtrwr.co.uk, grtrwr.me.uk, grtrwr.org.uk)
Looking up at the 2 grtrwrl.co.uk parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the criminal-owned nameserver ns1.jumpzo.com, hosted by Netrouting Data Facilities/Grafix.nl on IP 91.199.50.38, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
***Latest News*** - 15th. June 2008
GX Networks Ltd/123-reg.co.uk have suspended all of the criminal's known twelve active domains unusually quickly, although no response has been received from them so it is unlikely to be directly as a result of any information I've passed. (Up to now they've refused to act on my information and only taken them down when 'requested' to do so by the police). They adopt the same unhelpful position with this same criminal's 'rockphish' phishing domains, which can remain active for days after reporting.
The above nameserver IPs (64.191.27.152 and 91.199.50.38) are still listed in the 'A' records list at the root servers for the nameservers ns1.costmbb.com and ns1.jumpzo.com, so those botnets are probably still active and awaiting new domains. Let me know if you receive any working website link.
Later - New domains notified by site contact - grtrwrh.co.uk, grtrwrh.me.uk, grtrwrh.org.uk, all hosted on the ns1.jumpzo.com zombie botnet, or at least they would be if it hadn't been shut down....
***Latest News*** - 16th. June 2008
The domains grtrwrh.co.uk, grtrwrh.me.uk, grtrwrh.org.uk are resolving this morning courtesy of the following Netrouting Data Facilities/Grafix.nl botnet:
Botnet DNS Data (Valid for domains grtrwrh.co.uk, grtrwrh.me.uk, grtrwrh.org.uk)
Looking up at the 2 grtrwrh.co.uk parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the criminal-owned nameserver ns1.jumpzo.com, hosted by Netrouting Data Facilities/Grafix.nl on IP 91.199.50.38, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
***Latest News*** - 19th. June 2008
New domains notified by site contact - grtrwlt.co.uk, grtrwlt.me.uk, grtrwlt.org.uk, hosted on a new zombie botnet as follows:
Botnet DNS Data (Valid for domains grtrwlt.co.uk, grtrwlt.me.uk, grtrwlt.org.uk)
Looking up at the 2 grtrwlt.co.uk. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the criminal-owned nameserver ns1.moonfires.com, hosted by Network Operations Center Inc./Burst.net on IP 66.197.149.203, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
Later - GX Networks Ltd/123-reg.co.uk/Webfusion have finally suspended the domains grtrwrh.co.uk, grtrwrh.me.uk, grtrwrh.org.uk. They must have been ordered to do so by a 'higher authority' as they won't do it on my reports. Domains grtrwlt.co.uk, grtrwlt.me.uk and grtrwlt.org.uk remain active.
Later - Further GX Networks Ltd/123-reg.co.uk/Webfusion domains notified by site contact - grtwh.me.uk, grtwh.co.uk, grtwh.org.uk, grtwhl.co.uk, grtwhl.me.uk, grtwhl.org.uk
Botnet DNS Data (Valid for domains grtwh.me.uk, grtwh.co.uk, grtwh.org.uk, grtwhl.co.uk, grtwhl.me.uk, grtwhl.org.uk)
Looking up at the 2 grtwh.co.uk parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the criminal-owned nameserver ns1.jumpzo.com, hosted by GT Bell (Canada)/eSecureData.com on IP 209.17.170.5, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
***Latest News*** - 24th. June 2008
Not a lot to report, really - GX Networks Ltd/123-reg.co.uk/Webfusion continue to ignore any abuse reports I submit to them, so there is not a lot of point in me wasting my time doing so if they are simply going to continue to aid and abet these fraudsters anyhow. The following domains remain active despite having been reported to 123-reg.co.uk/Webfusion on 19-Jun-2008:
grtwh.co.uk grtwh.me.uk grtwh.org.uk grtwhl.co.uk grtwhl.me.uk grtwhl.org.uk
***Latest News*** - 25th. June 2008
The criminal's botnet on 209.17.170.5 has been shut down and he is up on a new one on IP 89.46.37.173:
Botnet DNS Data (Valid for domains grtwh.me.uk, grtwh.co.uk, grtwh.org.uk, grtwhl.co.uk, grtwhl.me.uk, grtwhl.org.uk)
Looking up at the 2 grtwh.co.uk parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the criminal-owned nameserver ns1.jumpzo.com, hosted by PFA-BOSTAN-TUDOR-TEODOR on IP 89.46.37.173, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
***Latest News*** - 27th. June 2008
All of the previously active GX Networks Ltd/123-reg.co.uk/Webfusion registered domains remain active - the registrar continues to ignore all abuse reports and thus continues to knowingly aid and abet these criminals.
The PFA-BOSTAN-TUDOR-TEODOR botnet has been shut down and the criminals are now up on a new one:
Botnet DNS Data (Valid for domains grtwh.me.uk, grtwh.co.uk, grtwh.org.uk, grtwhl.co.uk, grtwhl.me.uk, grtwhl.org.uk)
Looking up at the 2 grtwh.co.uk parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the criminal-owned nameserver ns1.jumpzo.com, hosted by QALA Singapore Pte Ltd on IP 203.211.132.57, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
***Latest News*** - 29th. June 2008
All of the previously active GX Networks Ltd/123-reg.co.uk/Webfusion registered domains remain active - the registrar continues to ignore all abuse reports and thus continues to knowingly aid and abet these criminals whilst profiting from the proceeds of criminal fraud. (They also ignore abuse reports regarding 'rockphish' phishing domains).
New GX Networks Ltd/123-reg.co.uk/Webfusion domains reported by site contact & others derived:
All domains hosted on the following Network Operations Center Inc./Burst.net zombie botnet. (This abuse was previously reported on 19-Jun-2008):
Botnet DNS Data (Valid for domains gtrw.org.uk, gtrw.me.uk, gtrw.co.uk, grtw.org.uk, grtw.me.uk, grtw.co.uk)
Looking up at the 2 gtrw.org.uk. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the criminal-owned nameserver ns1.moonfires.com, hosted by Network Operations Center Inc./Burst.net on IP 66.197.149.203, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
***Latest News*** - 30th. June 2008
QALA Singapore Pte Ltd have shut down the ns1.jumpzo.com zombie botnet on 203.211.132.57 and the crooks are up on a new one on IP 89.46.34.93, which is listed as belonging to PFA-BOSTAN-TUDOR-TEODOR (Jump.ro). Network data:
Botnet DNS Data (Valid for domains grtwh.me.uk, grtwh.co.uk, grtwh.org.uk, grtwhl.co.uk, grtwhl.me.uk, grtwhl.org.uk)
Looking up at the 2 grtwh.co.uk parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the criminal-owned nameserver ns1.jumpzo.com, hosted by PFA-BOSTAN-TUDOR-TEODOR (Jump.ro) on IP 89.46.34.93, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
Later: The ns1.moonfires.com [66.197.149.203] botnet has been shut down by the very helpful Web Wide Hosting (thanks guys), and the criminal is already up again on IP 208.116.36.127, listed as FortressITX/Pwebtech.com, who have ignored all abuse reports in the past, necessitating upstream complaints and even a filed report against them on IC3.gov. I just hope for the sake of the victims that they prove a little more helpful this time around. We shall see. Network data:
Botnet DNS Data (Valid for domains gtrw.org.uk, gtrw.me.uk, gtrw.co.uk, grtw.org.uk, grtw.me.uk, grtw.co.uk)
Looking up at the 2 gtrw.org.uk. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the criminal-owned nameserver ns1.moonfires.com, hosted by FortressITX/Pwebtech.com on IP 208.116.36.127, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
***Latest News*** - 1st. July 2008
Surprisingly enough, the above FortressITX/Pwebtech.com botnet appears to have been shut down, although no response has been received from the host. Still, that is encouraging. The criminal is now up on a new botnet on IP 66.197.230.220.
Botnet DNS Data (Valid for domains gtrw.org.uk, gtrw.me.uk, gtrw.co.uk, grtw.org.uk, grtw.me.uk, grtw.co.uk)
Looking up at the 2 gtrw.org.uk. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the criminal-owned nameserver ns1.moonfires.com, hosted by Network Operations Center Inc. (Burst.net) on IP 66.197.230.220, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
Later: For some reason the dreadful unethical registrar GX Networks Ltd/123-reg.co.uk/Webfusion have suspended the three domains gtrw.org.uk, gtrw.me.uk and gtrw.co.uk but have left all the rest of the criminal's domains untouched. Hostnoc/Burst.net/Centicero have very quickly shut down the criminal's botnet above - thanks guys. If only all of this criminal's service providers were as ethical in their approach to criminal fraud.
***Latest News*** - 2nd. July 2008
The criminals have set up a new botnet for the previously parked domains gtwl.org.uk, gtwl.me.uk, gtwl.co.uk, gtrwh.org.uk, gtrwh.me.uk and gtrwh.co.uk on the PFA-BOSTAN-TUDOR-TEODOR (Jump.ro) IP 89.46.34.93, although once again they seem to have incorrectly set up the DNS for the .me.uk version of the domain. If anyone would like to report these and the other active domains to the appalling 'criminal friendly' registrar GX Networks Ltd/123-reg.co.uk/Webfusion then feel free - it's a complete waste of time me doing so - in my opinion they're just as guilty as the criminal fraudsters that they knowingly shelter and profit from. If you're a customer of Pipex, or GX Networks Ltd or Webfusion or 123-reg.co.uk, then perhaps you may consider whether you should be a customer of an organisation that knowingly provides services for criminals and fraudsters and carries on doing so even when informed of the activity. Unfortunately, without the co-operation of registrars such as this one, it is impossible to shut these criminals down.
Botnet DNS Data (Valid for domains gtwl.org.uk, gtwl.me.uk, gtwl.co.uk, gtrwh.org.uk, gtrwh.me.uk and gtrwh.co.uk)
Looking up at the 2 gtwl.org.uk. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the criminal-owned nameserver ns1.querymm.com, hosted by PFA-BOSTAN-TUDOR-TEODOR (Jump.ro) on IP 89.46.34.93, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
***Latest News*** - 3rd. July 2008
Hopefully someone has kicked the registrar GX Networks Ltd/123-reg.co.uk/Webfusion where they thoroughly deserve to be kicked, as they have suspended all FIFTEEN of the criminal's known active domains in one fell swoop at long last (all registered 15-Jun-2008). So far I know of 84 domains (I'm sure there'll be more) that the criminal has registered with this registrar, and for one reason only - they ignored all valid third party abuse reports and as a result are giving the criminal an easy ride, profiting well from the proceeds of crime along the way.
No known currently active domains for this criminal - please do let me know if you receive any active URLs in spam, or discover any active domains.
Later: Just when you thought it was safe to go back in the water.... new domain notified by site contact - grentehd.org.uk, still registered with GX Networks Ltd t/a 123-Reg.co.uk (Webfusion) on June 24th. 2008. The crooks obviously think there's still plenty of mileage in them yet and they're probably right. Hosting is using a new nameserver on the old PFA-BOSTAN-TUDOR-TEODOR (Jump.ro) botnet:
Botnet DNS Data (Valid for domains grentehd.org.uk, grentehd.me.uk, grentehd.co.uk)
Looking up at the 2 grentehd.org.uk. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the criminal-owned nameserver ns1.toohotdot.com, hosted by PFA-BOSTAN-TUDOR-TEODOR (Jump.ro) on IP 89.46.34.93, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
***Latest News*** - 4th. July 2008
New domain reported by site contact - gretw.org.uk (plus of course gretw.me.uk and gretw.co.uk). These domains are hosted on the following botnet:
Botnet DNS Data (Valid for domains gretw.org.uk, gretw.me.uk, gretw.co.uk)
Looking up at the 2 gretw.org.uk parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the criminal-owned nameserver ns1.sevengh.com, hosted by PFA-BOSTAN-TUDOR-TEODOR (Jump.ro) on IP 89.46.34.93, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
***Latest News*** - 7th. July 2008
The registrar Pipex/GX Networks Ltd/123-reg.co.uk/Webfusion has still not taken any effective action to delete the domains grentehd.org.uk, grentehd.me.uk, grentehd.co.uk, gretw.org.uk, gretw.me.uk, gretw.co.uk, but fortunately the owner of the IP 89.46.34.93 does appear to have finally taken action, as the DNS appears to be looped back to the root servers on the criminal's nameservers ns1.sevengh.com [89.46.34.93] and ns1.toohotdot.com [89.46.34.93], thus preventing the fraudster's website from resolving.
Later: The registrar Pipex/GX Networks Ltd/123-reg.co.uk/Webfusion appears to have suspended the domains gretw.org.uk, gretw.me.uk, gretw.co.uk, but not the same criminal's domains grentehd.org.uk, grentehd.me.uk, grentehd.co.uk for some reason (first reported to them 03-Jul-2008). Fortunately the sites are still down as the host seems to have looped the DNS back to the root servers.
No resolving URLs are now known for this fraudster - if you receive any spam that contains an active URL or know of any active domains, please let me know.
Another known fraud operated by these same criminals - ADX Trans Express, but the real replacement for this fraud has now manifested itself: Sunreef Yachts