This Happy
Kids
fraud is a particularly odious spamvertized bogus
charity criminal scam from the same criminals that have also
brought you the Next Level fraud and its
replacement, the High Level fraud among many
others. The Happy Kids scam website has been stolen
from a genuine US kids charity, Stoney's
Kids.
The initial domains hk-usa.org and freelanceusa.org are listed as
registered with OnlineNic in the whois data, (as are all
the Next Level/High Level fraud domains, albeit via their reseller
Uzak.net). Domains job-in-usa.net and
freelance-job-usa.com are listed as registered with OnlineNic/ Uzak.net
and Uzak.net also provide the
nameservers for the hosting of all of these and other fraudsters. The
host IP is 88.255.78.75 and according to
the whois data is owned by Narweb.net and maintained by Sistemnet
Telekom, but the owner of Narweb.net has written to me to tell
me that the data is incorrect and the block is actually now owned by Sistemnet Telekom. In
any event it is the host IP for these fraudsters and the High
Level criminals.
The domain children-europe.nu is hosted on the well-known Russian RBN criminal's AbdAllah Internet
Hizmetleri network IP 88.255.90.138
The
domain happykids-europe.org is the odd one out, being registered with
PublicDomainRegistry.Com and hosted by HostForWeb Inc. of Chicago. It
has now been suspended by PublicDomainRegistry.Com.
Other Happy
Kids domains and hosting listed under
***Latest News*** below as they are added.
Numerous
classified adverts and forum spams have been found, (Google
for "Happy Kids is a charity organization in
Poland"),
that have been placed by this criminal to fraudulently solicit
charitable donations using the stolen website as the medium for
donation. Evidence
of Site Theft, Fraud & Spamming.
i) The
fake Happy
Kids website has been stolen from
the genuine Stoney's
Kids website which has been in existence since 2005 and is a
well respected, US, (San Diego), children's charity.
ii) They are
spamvertising a money laundering mule job on http://children-europe.nu/JobinUK.html
iii)
The multiple fraud domains whois data is clearly bogus with different
registration addresses, companies, telephone numbers etc, email
addresses, etc.
iv) The Happy Kids
criminal
fraud domains are also mostly registered with OnlineNic/Uzak as are
most of the High
Level and Next
Level
fraudster's domains, but other registrars and hosts arer used - see
list.
v)
Shared IP with money laundering fraudsters - the Happy Kids fraud
websites (http://www.hkids-europe.org/
etc), are hosted on the same Turkish Sistemnet Telekom
server farm
IP as used by the High
Level
fraudsters - 88.255.78.75 and
using the same ns1.uzaknet.org & ns2.uzaknet.org nameservers as
the High Level criminals. The latter website http://www.children-europe.nu/ is hosted on a known criminal owned IP
88.255.90.138
vi) The
bogus charity webpage says they were founded in 2002, however all the
fraudsters domains were registered in December 2007 or later.
vii)
Multiple domain
registrations for the same bogus website - what has job-in-usa.net or
freelanceusa.org got to do with a childrens charity? The answer is
nothing, but they have lots to do with with money laundering,
charity fraud and
other criminality...
viii)
Googling on scraps of the Happy Kids website text, e.g. "The
team
arrived at the hospital to meet Dr Olas Mindyuk, Director", show that
this fake site is a direct replacement for the www.donationeurope.org
fake charity scam which was suspended in
May 2007, the text for which was originally mainly stolen from
sos-childrensvillages.org among others and was extensively covered by
many fraud forums e.g. http://forum.aa419.org/viewtopic.php?t=6644
ix) Other
text for the site has been stolen from many sources, e.g. the 'End
Homelessness Now' text on this
page was stolen from this Romanian childrens charity
page and below that, the 'Aid For Teens' text on the left hand
of this page was stolen from the
'Aims' text on this
Bulgarian Charity page, complete with the same spelling mistakes, i.e.
'accute' and 'sponsering'. The list is endless, but definite proof of
fraud.
You
can earn money and help children with us.
We receive donations in United Kingdom, you have a possibility to
become a
"Freelance financial representative" of our organization.
Candidate requirements:
- Location in UK.
- free2-3 hours a day;
- 21+ years old;
- Honest, responsible and prompt in operations;
- Have an adaptable, flexible and professional attitude;
- Polite, tactful;
- Have constant internet access for communication with us via e-mail.
This
job will give you:
- part-time employment;
- work from home;
- communication and business skills for working in other spheres of
activity;
- possibility to combine this job with your full-time employment and
own schedule.
Additionally, you will receive awards and bonuses for high-quality and
accurate work.
The
salary for private persons is 200 - 1500 GBP per week.
Frequently
Asked Questions about Freelance Job:
Q1: What do
I
need to do?
A:
Your functions will include controlling our donations flow in United
Kingdom.
You will receive donations from our members to your bank account at a
time and date convenient to you
and then forward the money to needy
children in Europe via Western Union and MoneyGram money transfers.
Your
commission from each transaction will be 5%.
We do NOT require
any investment of money on your part.
Q2:What a profit
for you?
A:
Bank transfers to countries with
needy children take 3-5 days, Western Union and MoneyGram transfers are
instant.
Working with
freelancers we save time on the transfers.
Q3: Please give me an example of the job
process.
A: 1. The Member sends
the donation via his bank account to your
bank account and notifies us. * 2. We inform you by
phone and email that the transfer is made. And send you
notification
email (example): "Transfer has been made to your bank
account. Amount is 5000 GBP. Check your account
please, withdraw money and send them via Western Union or MoneyGram
transfers to Kate
Lewis, Kiev, Ukraine". 3. You go to your
bank and withdraw funds. 4. Take your salary
(5% of
amount) and go to Western Union or MoneyGram agent with remaining cash (95%
of amount), send
it to Kate Lewis, Kiev,
Ukraine" 5. You send us
details of Western Union or MoneyGram transfer and
scanned copy of transfer's receipt via email.
* Our manager will call you before bank transfer, if you are not able
to receive the transfer then we'll make the transfer another day.
So you can combine the work with your own schedule.
Q4: What bank and bank account should I use
for work?
A: You can use any suitable bank and
bank account for work. You can open a new
bank account for this work as well.
Q5: How many transfers a day/week/month shall I process? What is
average amount of each transfer?
A: We can do 2-3 transfers a week
for first time. Average amount of each bank transfer is 2000-8000 GBP.
Q6:Do
you have members
for donations already? Or need i find them for you?
A: We have members
already, you do not need to
find anybody.
Q7: How can I
send money via MoneyGram or
Western Union transfers?
A: You should send the money in
GBP. You
don't need to exchange the currency.
Western Union and
MoneyGram do this by themselves.
Q9: Who pays fees for sending the money via Western
Union and MoneyGram transfers?
Is it
subtracted from my commission?
A: The fees for Western
Union and MoneyGram
transfers are paid by our company. Absolutely nothing
is subtracted from your salary; you get exactly 5%
from amount. The fees will be
discounted from the money that you will send via Western
Union or MoneyGram transfers.
Q10: Where can I find Western Union or MoneyGram agent?
A: You can find your Western
Union
agent location here You can find your MoneyGram agent location here This is the standard money mule
jobThe
Fraudster's known domains
Here are all the known
domains that are/have been used for the fraud:
Status Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended DNS Refusal Suspended Redirects to Google Active
Registrar
ONLINENIC, INC. (Uzak.net) (11-Dec-2007)
PublicDomainRegistry.Com (14-Dec-2007)
ONLINENIC, INC. (Uzak.net) (11-Dec-2007)
ONLINENIC, INC. (Uzak.net) (11-Dec-2007)
ONLINENIC, INC. (Uzak.net)
(11-Dec-2007)
ONLINENIC, INC. (Uzak.net) (17-Dec-2007)
ONLINENIC, INC. (Uzak.net) (17-Dec-2007)
PublicDomainRegistry.Com (23-Dec-2007)
Nic.nu (Enom.com) PublicDomainRegistry.Com (18-Jan-2008) Enom Inc. (13-Feb-2008) ONLINENIC, INC. (Uzak.net) (17-Dec-2007) Enom Inc. (06-Jan-2008) Enom Inc. (29-Jan-2008) Enom Inc. (28-Feb-2008)
The fraudster uses the following network(s) :
DNS Data hk-usa.org,
job-in-usa.net,
freelanceusa.org
and freelance-job-usa.com
Looking up at the 2 parent servers:
Server
Response
ns2.uzaknet.org
[88.255.78.75]
88.255.78.75
ns1.uzaknet.org
[88.255.78.74]
88.255.78.75
In all cases the above nameservers are stealthed through
domain nameservers.
happykids-europe.org
How I am searching:
Searching for happykids-europe.org A record at h.root-servers.net
[128.63.2.53]: Got referral to d0.org.afilias-nst.org. (zone: org.)
Searching for happykids-europe.org A record at
d0.org.afilias-nst.org. [199.19.57.1]: Got referral to
dns2.iksserver.com. (zone: happykids-europe.org.)
Searching
for happykids-europe.org A record at dns2.iksserver.com.
[205.234.212.246]: Reports happykids-europe.org. Response:
Domain
Type
Class
TTL
Answer
happykids-europe.org.
A
IN
14400
205.234.212.246
happykids-europe.org.
NS
IN
86400
ns1.xtraorbit.com.
happykids-europe.org.
NS
IN
86400
ns2.xtraorbit.com.
ns2.xtraorbit.com.
A
IN
66246
67.15.206.210
Looking up at the 2 happykids-europe.org. parent servers:
Server
Response
dns2.iksserver.com
[205.234.212.246]
205.234.212.246
dns1.iksserver.com
[205.234.212.246]
205.234.212.246
Stealthed
nameservers once again and also once again we see the nameserver
domain iksserver.com as used by the Next Level
fraudster. The
host for this one is HostForWeb Inc. of Chicago (205.234.212.246) for
both the nameservers and the domain IP.
happykids-eu.org
Looking up at the 2 happykids-eu.org. parent servers:
Server
Response
ns2.remotemachsys.net
[75.126.139.218]
75.126.132.7
ns1.remotemachsys.net
[75.126.132.7]
75.126.132.7
The hosting for this alias of
the criminal is provided by Softlayer
Technologies on IP 75.126.132.7
Softlayer are
quite a regular choice of these criminals. The
Spam Headers
The
Spam
This criminal fraudulently solicits for donations by placing countless
adverts in forums and on classified ad. sites as follows: (Google
for "Happy
Kids is a charity organization in Poland")
Happy
Kids
Happy Kids is a charity
organization in Poland
who help and support the community in the Central and East Europe
region through his tireless efforts to help children of all ages.
Find
out more about the people behind the Happy Kids Charity Organization
and why they inspire others to help and make a difference at http://happykids-eu.org
The spams are noted as posted by someone who registers
himself as an Albanian with the email addressfetamernmooft@mymail-in.net
__________________________________________________________________________________________________________________________ Spam also received as
follows, spamvertising the above money mule job website link: Subject: Freelancers
needed
Body:
15th. Dec. 2007
The
domain happykids-europe.org has already been suspended by
PublicDomainRegistry.com - well done guys. All the OnlineNic/Uzak ones
however are still active. 16th. Dec. 2007 All
the OnlineNic/Uzak.net domains are still active this morning. I'm not
sure what has happened to OnlineNic - in the past I've always found
them to be ethical and helpful in closing down these fraudsters, but
lately they are failing to respond to abuse reports and are effectively
aiding and abetting not only this fraudster but the related High Level
fraudster too. Come on guys, what's going on at OnlineNic.com? Why are
you supporting these criminals? 21st. Dec. 2007
Both
Uzak.net and OnlineNic are fully aware of this despicable
criminal's thieving activities at the expense of underprivileged
children and yet neither act to end the criminal fraud. It seems clear
to me that Uzak.net are directly involved in the criminality and
OnlineNic are are least guilty of aiding and abetting this criminal
fraud. Sistemnet.com.tr are also fully aware of this crime and also do
nothing to end the criminality. All in all it amounts to a pretty
amoral nest of thieves - the same bunch that are harbouring
the High
Level money laundering fraudsters. 22nd. Dec. 2007
Domain happykids-eu.org
spotted on classified ads. website. The criminal is obviously using
that medium to reach his victims. Once again the domain is registered
with OnlineNic who are knowingly aiding and abetting these criminals by
ignoring requests to suspend the domains.
Looking up at the 2 happykids-eu.org. parent servers:
Server
Response
ns2.remotemachsys.net
[75.126.139.218]
75.126.132.7
ns1.remotemachsys.net
[75.126.132.7]
75.126.132.7
The hosting for this alias of
the criminal is provided by Softlayer
Technologies on IP 75.126.132.7
Softlayer are
quite a regular choice of these criminals.
All the other domains used by this criminal fraudster are still hosted
on the Sistemnet Telekom
server farm IP 88.255.78.75 using
Uzak.net.tr nameservers with the full knowledge and collusion
of the owners. 24th. Dec. 2007
No response from Softlayer who continue to host this fraudster's happykids-eu.org
domain and no response from the fraudster's other hosts either, but
than I wouldn't expect a response from Uzak.net.tr or Sistemnet Telekom
who also host the High
Level money laundering fraudsters on the same IP, (88.255.78.75). PublicDomainRegistry.Com
are the only company to show any understanding and ethical behaviour by
suspending the crook's domain happykids-europe.org - so thanks to them.
Looks like the criminals are going to have a happy and profitable
Christmas courtesy of OnlineNic.com, Uzak.net.tr, Sistemnet Telekom and
Softlayer Technologies. ***Latest News*** 28th. Dec. 2007
After
an unnecessarily long and no doubt profitable run for these criminals,
their domains have now all finally been suspended. If whoever is
responsible for the suspension would care to contact me with any
information I will be happy to publish your side of the story.
Softlayer Technologies are continuing to host the suspended
domain happykids-eu.org in the form of a 'Domain
Suspended' information page.
Uzak.net.tr - perhaps you would now care to turn your attention to the
numerous High Level criminal fraudster's
domains that you are also hosting.... ***Latest News*** 20th. Jan. 2008
Well, it didn't last long - these criminals are back up to their usual
tricks, spamming with a new domain - hkids-europe.org
(OnlineNic/Uzak.net), using the usual Sistemnet Telekom
server farm IP 88.255.78.75
& using Uzak.net.tr nameservers exactly as before.
DNS Data (hkids-europe.org):
How I am searching:
Searching for hkids-europe.org A record at i.root-servers.net
[192.36.148.17]: Got referral to A0.ORG.AFILIAS-NST.INFO. (zone: org.)
Searching for hkids-europe.org A record at
A0.ORG.AFILIAS-NST.INFO. [199.19.56.1]: Got referral to
ns1.uzaknet.org. (zone: hkids-europe.org.)
Searching for hkids-europe.org A record at ns1.uzaknet.org.
[88.255.78.74]: Reports hkids-europe.org. Response:
Domain
Type
Class
TTL
Answer
hkids-europe.org.
A
IN
86400
88.255.78.75
hkids-europe.org.
NS
IN
86400
ns.hkids-europe.org.
ns.hkids-europe.org.
A
IN
86400
88.255.78.75
Looking up at the 2 hkids-europe.org. parent servers:
Server
Response
ns2.uzaknet.org
[88.255.78.75]
88.255.78.75
ns1.uzaknet.org
[88.255.78.74]
88.255.78.75
***Latest News*** 26th. Jan. 2008 No active
domains are known for this fraudster - if you come across any, please
let me know. ***Latest News*** 27th. January
2008
I have been informed that these criminals are active again with new
domain(s). Domain hk-europe.org
notified to me - please
let me know of any others. DNS Data
for hk-europe.org:
How I am searching:
Searching for hk-europe.org A record at b.root-servers.net
[192.228.79.201]: Got referral to B0.ORG.AFILIAS-NST.org. (zone: org.)
Searching for hk-europe.org A record at B0.ORG.AFILIAS-NST.org.
[199.19.54.1]: Got referral to ns4.lovinghosting.com. (zone:
hk-europe.org.)
Searching for hk-europe.org A record at ns4.lovinghosting.com.
[220.232.130.90]: Reports hk-europe.org. Response:
Domain
Type
Class
TTL
Answer
hk-europe.org.
A
IN
14400
220.232.130.89
hk-europe.org.
NS
IN
86400
ns3.lovinghosting.com.
hk-europe.org.
NS
IN
86400
ns4.lovinghosting.com.
Looking up at the 2 hk-europe.org. parent servers:
Server
Response
ns4.lovinghosting.com
[220.232.130.90]
220.232.130.89
ns3.lovinghosting.com
[220.232.130.89]
220.232.130.89
The
current host for this criminal is Pacific Internet (Hong Kong) Ltd
(220.232.130.89) ***Latest News*** 1st. February
2008
New domain received in spam - children-europe.nu
DNS Details: (children-europe.nu) How I am searching:
Searching for children-europe.nu A record at j.root-servers.net
[192.58.128.30]: Got referral to NS.NIC.nu. (zone: nu.)
Searching for children-europe.nu A record at NS.NIC.nu.
[69.25.75.70]: Got referral to dns4.name-services.com. (zone:
children-europe.nu.)
Searching for children-europe.nu A record at dns4.name-services.com.
[69.64.145.225]: Reports children-europe.nu. Response:
Domain
Type
Class
TTL
Answer
children-europe.nu.
A
IN
1800
88.255.90.138
children-europe.nu.
NS
IN
3600
dns1.name-services.com.
children-europe.nu.
NS
IN
3600
dns2.name-services.com.
children-europe.nu.
NS
IN
3600
dns3.name-services.com.
children-europe.nu.
NS
IN
3600
dns4.name-services.com.
children-europe.nu.
NS
IN
3600
dns5.name-services.com.
dns1.name-services.com.
A
IN
3600
69.25.142.42
dns2.name-services.com.
A
IN
3600
216.52.184.248
dns3.name-services.com.
A
IN
3600
63.251.92.200
dns4.name-services.com.
A
IN
3600
69.64.145.225
dns5.name-services.com.
A
IN
3600
70.42.37.7
Looking up at the 5 children-europe.nu. parent servers:
Server
Response
dns4.name-services.com
[69.64.145.225]
88.255.90.138
dns5.name-services.com
[70.42.37.7]
88.255.90.138
dns2.name-services.com
[216.52.184.248]
88.255.90.138
dns1.name-services.com
[69.25.142.42]
88.255.90.138
dns3.name-services.com
[63.251.92.200]
88.255.90.138
The
first thing to notice is that they are still using the Russian RBN
AbdAllah Internet Hizmetleri criminal's IP 88.255.90.138. Details here.
It's time this IP range was removed from these criminals.
If
the criminal's past history is anything to go by, there will be many
more similar domains registered by them. ***Latest News*** 4th. February
2008 Nic.nu have forwarded
a request to Enom to "take the necessary steps" regarding the
criminal's domain children-europe.nu. Mind, Enom had
already been copied an abuse report on 1st. February.... ***Latest News*** 22nd. February
2008
New domains notified by site contact - childreneurope.org andchildreneurope.co.uk registered with Enom & publicdomainregistry.com respectively and hosted with Hostfresh of Hong Kong as detailed below:
Searching for childreneurope.co.uk A record at i.root-servers.net
[192.36.148.17]: Got referral to NS6.NIC.uk. (zone: uk.) Searching for childreneurope.co.uk A record at NS6.NIC.uk.
[213.248.254.130]: Got referral to ns2.cybns.info. (zone:
childreneurope.co.uk.) Searching for childreneurope.co.uk A record at ns2.cybns.info. [58.65.239.11]: Reports childreneurope.co.uk.
Response:
Domain
Type
Class
TTL
Answer
childreneurope.co.uk.
A
IN
14400
58.65.239.10
childreneurope.co.uk.
NS
IN
86400
ns2.cybns.info.
childreneurope.co.uk.
NS
IN
86400
ns1.cybns.info.
ns1.cybns.info.
A
IN
14400
58.65.239.10
ns2.cybns.info.
A
IN
14400
58.65.239.11
Looking up at the 2 childreneurope.co.uk. parent servers:
Server
Response
ns2.cybns.info [58.65.239.11]
58.65.239.10
ns1.cybns.info [58.65.239.10]
58.65.239.10
The listed owner of IP 58.65.239.10 is Hostfresh of Hong Kong
Later - two more domains notified - hk-jobs.org, kids-europe.org
DNS Data (hk-jobs.org)
How I am searching:
Searching for hk-jobs.org A record at h.root-servers.net
[128.63.2.53]: Got referral to tld1.ultradns.net. (zone: org.) [took 62
ms]
Searching for hk-jobs.org A record at tld1.ultradns.net.
[204.74.112.1]: Got referral to ns2.uzaknet.org. (zone: hk-jobs.org.)
[took 35 ms]
Searching for hk-jobs.org A record at ns2.uzaknet.org. [88.255.78.75]: Reports hk-jobs.org. [took 219 ms]
Response:
Domain
Type
Class
TTL
Answer
hk-jobs.org.
A
IN
86400
88.255.78.75
hk-jobs.org.
NS
IN
86400
ns.hk-jobs.org.
ns.hk-jobs.org.
A
IN
86400
88.255.78.75
Looking up at the 2 hk-jobs.org. parent servers:
Server
Response
ns2.uzaknet.org [88.255.78.75]
88.255.78.75
ns1.uzaknet.org [88.255.78.74]
88.255.78.75
The listed owner of IP 88.255.78.75 = SISTEMNET-TELECOM
DNS Data (kids-europe.org)
How I am searching:
Searching for kids-europe.org A record at m.root-servers.net
[202.12.27.33]: Got referral to TLD1.ULTRADNS.NET. (zone: org.) Searching for kids-europe.org A record at TLD1.ULTRADNS.NET.
[204.74.112.1]: Got referral to dns2.name-services.com. (zone:
kids-europe.org.) Searching for kids-europe.org A record at dns2.name-services.com. [216.52.184.248]: Reports kids-europe.org. Response:
Domain
Type
Class
TTL
Answer
kids-europe.org.
A
IN
1800
75.126.132.7
kids-europe.org.
NS
IN
3600
dns1.name-services.com.
kids-europe.org.
NS
IN
3600
dns2.name-services.com.
kids-europe.org.
NS
IN
3600
dns3.name-services.com.
kids-europe.org.
NS
IN
3600
dns4.name-services.com.
kids-europe.org.
NS
IN
3600
dns5.name-services.com.
dns1.name-services.com.
A
IN
3600
69.25.142.42
dns2.name-services.com.
A
IN
3600
216.52.184.248
dns3.name-services.com.
A
IN
3600
63.251.92.200
dns4.name-services.com.
A
IN
3600
69.64.145.225
dns5.name-services.com.
A
IN
3600
70.42.37.7
Looking up at the 5 kids-europe.org. parent servers:
Server
Response
dns5.name-services.com [70.42.37.7]
75.126.132.7
dns4.name-services.com [69.64.145.225]
75.126.132.7
dns3.name-services.com [63.251.92.200]
75.126.132.7
dns1.name-services.com [69.25.142.42]
75.126.132.7
dns2.name-services.com [216.52.184.248]
75.126.132.7
The listed owner of IP 75.126.132.7 = SoftLayer Technologies Inc. Looks like he's using Enom's DNS facilities. ***Latest News*** 3rd. March
2008 New domain notified by site contact - childreneurope.cn - registered with Enom 28-Feb-2008 - hosted by Hostfresh: DNS Data: (childreneurope.cn)
Looking up at the 5 childreneurope.cn. parent servers:
Server
Response
dns2.name-services.com [216.52.184.248]
58.65.239.10
dns4.name-services.com [69.64.145.225]
58.65.239.10
dns3.name-services.com [63.251.92.200]
58.65.239.10
dns5.name-services.com [70.42.37.7]
58.65.239.10
dns1.name-services.com [69.25.142.42]
58.65.239.10
The listed owner of IP 58.65.239.10 is Hostfresh of Hong Kong
