Please note that these criminals have stolen the company details of a genuine UK company by the name of High Level Ltd., who are in no way involved in this fraud - they are also victims of this criminal.

The High Level fraud is the replacement fraud for the Next Level fraud & still uses the same website, which has been stolen from a genuine UK company, solutions-inc.co.uk, based in Brighton and the surrounding area. The genuine website store page is http://www.solutions-inc.co.uk/ and the fraudster's current fake store page is http://www.highlevel-ltd.com/. The fact that the stolen site is a clone of the genuine one is self-evident. Further evidence of fraud and the use of the website to spamvertize a money laundering mule 'job' under the address http://highlevel-ltd.com/JobinNetherlands.html is presented below. If you click on this 'job' link you will see that the page title is still 'Next Level Jobs' - the crooks have forgotten to change it to High Level.

The registrar for the first noticed criminal domain apple-netherlands.com is the OnlineNic reseller Uzak.net. The host for the criminal's website (88.255.78.75) is NARWEB Internet Hizmetleri. No relation to the Russian RBN criminal host Abdallah Internet Hizmetleri, I hope! Also, where does Uzak.net fit into this pattern of fraud? They registered most of the domains for the Next Level fraudster and ignored all abuse reports for a long time. Other hosts and registrars are listed as they appear - also see ***Latest News***

The Genuine Solutions Inc. Store:

The High Level fake store:

Evidence of Site Theft & Fraud

i) The fake High Level website, e.g. has been stolen from the genuine company Solutions-inc.

ii) This fraud is identical to the Next Level fraud - the fraudsters have simply changed the name to High Level.

iii) I have contacted by telephone (01273 200801) the genuine company Solutions-inc, whose website has been stolen, and they confirm that this is in fact the case.

iv) The contact telephone number of 020 3239 9757 on the stolen High Level website is answered by an answering machine which announces itself as 'Next Level'.

v) On the genuine site store page you can actually buy things - on the fake site store page everything is greyed out with no links - you cannot buy anything - the store is clearly fake.

vi) The general link from the spams, e.g. (http://highlevel-ltd.com/JobinNetherlands.html), leads to a job page on the fake site. This job page contains a money laundering mule job description. There is no such job page on the genuine site.

vii) The spam is zombie botnet distributed.

viii) This time the fraudsters have assumed the identity of a completely different company to the Next Level fraudsters:

High Level Ltd.
United Kingdom
1 MOORFIELDS ROAD
CANFORD CLIFFS
POOLE
DORSET BH13 7HA
Company No. 02203202

The above address is in a different area of the UK to the bogus 'High Level' company itself, which is supposedly in the Brighton area of Sussex.

The director of the above genuine company has contacted me and has asked me to make it clear that his company is in no way involved with these fraudsters - he confirms that they have simply stolen the company details.

x) The company address is clearly bogus - a planning application has been submitted to demolish the above location, which is a private residence as stated in the planning application & as demonstrated by site photographs contained within the planning application.

xi) Multiple domain registrations with various different or even missing (in the case of the Uzak.net registrations) bogus whois data.

The High Level spam headers contain many different forged/bogus 'From' & 'Return Path' addresses & various forged 'Received' lines. The subject lines vary & all indicate that there is a job opportunity to be had. There is - an illegal job as a money laundering 'mule' or transfer fraud victim, i.e. accepting stolen or counterfeit proceeds into your account and forwarding it on via Western Union or Moneygram for a percentage cut. Needless to say it is these mules that will probably feel the full weight of the law while the remote money launderers are safe. The bogus or stolen funds in the mule's account may well also be recovered, leaving them with large losses.

The Spam Headers

The Spam

The Fraudster's known domains

Here are all the known domains that are/have been used for the fraud:

Status      Registrar
Suspended   ONLINENIC, INC. (Uzak Net)
Suspended   ONLINENIC, INC. (Uzak Net)
Suspended   ONLINENIC, INC. (Uzak Net)
Unhosted    PublicDomainRegistry.Com
Unhosted    PublicDomainRegistry.Com
Suspended   ONLINENIC, INC. (Uzak Net)
Suspended   ONLINENIC, INC. (Uzak Net)
Suspended   ONLINENIC, INC. (Uzak Net)
Suspended   ONLINENIC, INC. (Uzak Net)
Suspended   ONLINENIC, INC. (Uzak Net)
Suspended   ONLINENIC, INC. (Uzak Net)
Suspended   ONLINENIC, INC. (Uzak Net)
Suspended   ONLINENIC, INC. (Uzak Net)
Suspended   ONLINENIC, INC. (Uzak Net)
Suspended   ONLINENIC, INC. (Uzak Net)
Suspended   ONLINENIC, INC. (Uzak Net)
Suspended   ONLINENIC, INC. (Uzak Net)
Suspended   PUBLICDOMAINREGISTRY.COM (WEB4AFRICA)
Active      ONLINENIC, INC. (Uzak Net)
Active      ONLINENIC, INC. (Uzak Net)
Active      ONLINENIC, INC. (Uzak Net)

DNS Data: apple-netherlands.com, apple-nl.com, ipods-nl.com and all domains listed in green above.

How I am searching:
Searching for apple-netherlands.com A record at f.root-servers.net [192.5.5.241]: Got referral to B.GTLD-SERVERS.NET. (zone: com.)
Searching for apple-netherlands.com A record at B.GTLD-SERVERS.NET. [192.33.14.30]: Got referral to ns1.uzaknet.org. (zone: apple-netherlands.com.)
Searching for apple-netherlands.com A record at ns1.uzaknet.org. [88.255.78.74]: Reports apple-netherlands.com.

Response:

Domain                      Type  Class  TTL    Answer
apple-netherlands.com.      A     IN     86400  88.255.78.75
apple-netherlands.com.      NS    IN     86400  ns.apple-netherlands.com.
ns.apple-netherlands.com.   A     IN     86400  88.255.78.75

Looking up at the 2 apple-netherlands.com. parent servers:

Server                           Response
ns2.uzaknet.org [88.255.78.75]   88.255.78.75
ns1.uzaknet.org [88.255.78.74]   88.255.78.75

The host for this site is NARWEB.net internet hizmetleri (88.255.78.75). Any relation to the Russian RBN criminal host Abdallah Internet Hizmetleri, I wonder? Also, where does Uzak.net fit into this pattern of fraud? They also registered all of the Next Level criminal's domains as a reseller of OnlineNic and ignored every single abuse report submitted.

DNS Data: highlevel-ltd.co.uk

How I am searching:
Searching for highlevel-ltd.co.uk A record at i.root-servers.net [192.36.148.17]: Got referral to NS3.NIC.uk. (zone: uk.) [took 49 ms]
Searching for highlevel-ltd.co.uk A record at NS3.NIC.uk. [213.219.13.131]: Got referral to ns1.amberhost.com. (zone: highlevel-ltd.co.uk.) [took 123 ms]
Searching for highlevel-ltd.co.uk A record at ns1.amberhost.com. [72.29.67.31]: Reports highlevel-ltd.co.uk. [took 735 ms]

Response:

Domain                 Type  Class  TTL    Answer
highlevel-ltd.co.uk.   A     IN     14400  72.29.67.30 (HostDime.com, Inc.)
highlevel-ltd.co.uk.   NS    IN     86400  ns1.primaryserv.com.
highlevel-ltd.co.uk.   NS    IN     86400  ns2.primaryserv.com.

Looking up at the 2 highlevel-ltd.co.uk. parent servers:

Server                            Response      Time
ns1.amberhost.com [72.29.67.31]   72.29.67.30   702ms
ns2.amberhost.com [72.29.67.32]   72.29.67.30   717ms

The criminal is once again using stealthed nameservers. It may be just coincidence but a Google for amberhost.com shows the advert "AmberHost - cheap web hosting for e-gold."

The host for this site is HostDime.com, Inc. (72.29.67.30)

DNS Data: apple-europe.co.uk

How I am searching:
Searching for apple-europe.co.uk A record at a.root-servers.net [198.41.0.4]: Got referral to NSC.NIC.uk. (zone: uk.) [took 37 ms]
Searching for apple-europe.co.uk A record at NSC.NIC.uk. [199.7.66.44]: Got referral to ns3.hosting2nv.com. (zone: apple-europe.co.uk.) [took 15 ms]
Searching for apple-europe.co.uk A record at ns3.hosting2nv.com. [83.98.157.142]: Reports apple-europe.co.uk. [took 128 ms]

Response:

Domain                Type  Class  TTL    Answer
apple-europe.co.uk.   A     IN     14400  83.98.157.80
apple-europe.co.uk.   NS    IN     300    ns3.hosting2nv.com.
apple-europe.co.uk.   NS    IN     300    ns1.hosting2nv.com.

Looking up at the 2 apple-europe.co.uk. parent servers:

Server                               Response
ns3.hosting2nv.com [83.98.157.142]   83.98.157.80
ns1.hosting2nv.com [83.98.157.32]    83.98.157.80

The host for this one is Hosting2nv of Amsterdam (83.98.157.80)
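
In the highlevel-ltd.co.uk lookup above, the parent zone delegates to amberhost.com nameservers while the zone's own NS records name primaryserv.com. The following added example (not part of the original page) checks for that mismatch, and for nameservers sharing the website's address, across the three lookups transcribed from this page; reading the mismatch as the 'stealthed nameservers' remark is an assumption, and the function names and finding labels are hypothetical.

```python
# Per domain: answer rows "name type class ttl data", then parent-server rows
# "server address response", transcribed from the lookups on this page.
LOOKUPS = {
    "apple-netherlands.com": ("""
        apple-netherlands.com. A IN 86400 88.255.78.75
        apple-netherlands.com. NS IN 86400 ns.apple-netherlands.com.
        ns.apple-netherlands.com. A IN 86400 88.255.78.75""", """
        ns2.uzaknet.org 88.255.78.75 88.255.78.75
        ns1.uzaknet.org 88.255.78.74 88.255.78.75"""),
    "highlevel-ltd.co.uk": ("""
        highlevel-ltd.co.uk. A IN 14400 72.29.67.30
        highlevel-ltd.co.uk. NS IN 86400 ns1.primaryserv.com.
        highlevel-ltd.co.uk. NS IN 86400 ns2.primaryserv.com.""", """
        ns1.amberhost.com 72.29.67.31 72.29.67.30
        ns2.amberhost.com 72.29.67.32 72.29.67.30"""),
    "apple-europe.co.uk": ("""
        apple-europe.co.uk. A IN 14400 83.98.157.80
        apple-europe.co.uk. NS IN 300 ns3.hosting2nv.com.
        apple-europe.co.uk. NS IN 300 ns1.hosting2nv.com.""", """
        ns3.hosting2nv.com 83.98.157.142 83.98.157.80
        ns1.hosting2nv.com 83.98.157.32 83.98.157.80"""),
}


def parse(answers, parents):
    """Return (site_ips, zone_ns, ns_addrs, parent_ns) for one lookup."""
    rows = [line.split() for line in answers.strip().splitlines()]
    site_ips, zone_ns, ns_addrs = set(), set(), {}
    for name, rtype, _cls, _ttl, data in rows:
        if rtype == "NS":
            zone_ns.add(data.rstrip(".").lower())
        elif rtype == "A" and name == rows[0][0]:  # first row is the apex
            site_ips.add(data)
        elif rtype == "A":
            ns_addrs[name.rstrip(".").lower()] = data
    parent_ns = {}
    for line in parents.strip().splitlines():
        server, address, _response = line.split()
        parent_ns[server.lower()] = address
    return site_ips, zone_ns, ns_addrs, parent_ns


def assess(domain):
    """List delegation anomalies for a domain in LOOKUPS."""
    site_ips, zone_ns, ns_addrs, parent_ns = parse(*LOOKUPS[domain])
    findings = []
    # NS names the zone advertises that the parent never delegated to.
    undelegated = sorted(zone_ns - set(parent_ns))
    if undelegated:
        findings.append(("ns-mismatch", undelegated))
    # Nameservers answering from the same address as the website itself.
    colocated = sorted(n for n, ip in {**ns_addrs, **parent_ns}.items()
                       if ip in site_ips)
    if colocated:
        findings.append(("ns-on-web-host", colocated))
    return findings


if __name__ == "__main__":
    print({d: assess(d) for d in LOOKUPS})
```

A domain with no findings, such as apple-europe.co.uk on Hosting2nv, has a delegation that matches its own NS set; findings are leads for an abuse report, not proof of fraud on their own.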

The headers contain many different forged/bogus 'From' & 'Return Path' addresses & various forged 'Received' lines. The subject lines vary greatly, but include "Work at home", "Freelance job", "Freelancers needed" & "Job offer", all of which indicate that there is a job opportunity to be had. There is - a job as a money laundering 'mule', i.e. accepting counterfeit or stolen criminal proceeds into your account and forwarding them on via Western Union or Moneygram for a percentage cut (usually 10%). Needless to say it is you, the mule, that will inevitably feel the full weight of the law while the remote money launderers are safe & in the case of counterfeit funds you will lose it all when the funds are recovered & your account is closed. In addition you will lose whatever real money you have sent on via Western Union, which is unrecoverable.
__________________________________________________________________________________________________________________________
The Illegal Job
Details from the website

Q1: What do I need to do?
A: Your functions will include controlling our money flow and conducting part of the transactions. You will receive payments from our clients to your bank account at time and date convenient to you and then forward the money to us or our partners in Europe. Your commission from each transaction will be 5%. We do NOT require any investment of money on your part.

Q2: What is reason for you?
A: We have no any branches in Netherlands. Working with freelancers we save time and money on transfers and you earn 5%, which makes it profitable for both sides.

Q3: Please give me an example of the job process.
A: 1. The customer sends the payment via his (her) bank account to your bank account and notifies us. *
2. We inform you by phone that the transfer is made and send you an email (example): "Transfer has been made to your bank account. Amount is 5000 EUR. Check your account please, withdraw money and send them via Western Union or MoneyGram transfer to Helen Lewis, Berlin, Germany"
3. You go to your bank and withdraw funds.
4. Take your salary (5%) from amount and go to Western Union or MoneyGram with remaining cash (95%), send it to Kate Lewis, Berlin, Germany.
5. You send us details of Western Union or MoneyGram transfer and scanned copy of transfer receipt via email.
* Our manager will call you before bank transfer, if you are not able to receive the transfer then we'll make the transfer another day. So you can combine the work with your own schedule.

Q4: What bank and bank account should I use for work? What is average amount of each bank transfer?
A: You can use any suitable bank and bank account for work, but business bank account is more preferred. You can open a new bank account as well.
Average amount of each bank transfer:
- 3000-8000 EUR if you have a personal bank account;
- 11000-50000 EUR if you have a business bank account.

Q5: How many transfers a day/week/month shall I process?
A: We can do 2-3 transfers a week at first.

Q6: Do you have customers already? Shall I find customers for you?
A: We have customers already, you need not to find anybody. You have to receive the payments from them only.

Q7: How can I send money via MoneyGram or Western Union transfers?
A: You should send the money in same currency (EUR). You don't need to exchange the currency.

Q9: Who pays for sending the money? Is it subtracted from my commission?
A: The fees for Western Union and MoneyGram transfers will paid by our company. Absolutely nothing is subtracted from your salary; you get exactly 5% from amount. The fees are taken from the money that you send via Western Union or MoneyGram transfers.

Q10: Where can I find Western Union or MoneyGram?
A: You can find your MoneyGram location here
You can find your Western Union location here

Feel free to contact us if you have any questions.

High Level Fraud Blog
__________________________________________________________________________________________________________________________

December 6th. 2007 page set up.

7th. December 2007

The HostForWeb Inc. of Chicago hosting and the Hosting2nv of Amsterdam hosting have both been terminated and the domain apple-europe.co.uk is now up on a new host:

How I am searching:
Searching for apple-europe.co.uk A record at k.root-servers.net [193.0.14.129]: Got referral to nsb.nic.uk. (zone: uk.)
Searching for apple-europe.co.uk A record at nsb.nic.uk. [204.74.113.44]: Got referral to ns17.redbackinternet.net. (zone: apple-europe.co.uk.)
Searching for apple-europe.co.uk A record at ns17.redbackinternet.net. [91.186.0.9]: Reports apple-europe.co.uk.

Response:

Domain                      Type  Class  TTL    Answer
apple-europe.co.uk.         A     IN     14400  91.186.0.9
apple-europe.co.uk.         NS    IN     86400  ns17.redbackinternet.net.
apple-europe.co.uk.         NS    IN     86400  ns18.redbackinternet.net.
ns17.redbackinternet.net.   A     IN     14400  91.186.0.9
ns18.redbackinternet.net.   A     IN     14400  91.186.0.121

Looking up at the 2 apple-europe.co.uk. parent servers:

Server                                    Response
ns18.redbackinternet.net [91.186.0.121]   91.186.0.9
ns17.redbackinternet.net [74.53.59.165]   Timeout

Once again, the host of these criminals is Euroconnex Networks LLP of Maidenhead, Berkshire, UK (they also hosted the same Next Level criminal fraudster's domain nextlevel-mac.co.uk on the same IP).

***Latest News*** 14th. December 2007

OnlineNic are fully aware of this criminal's activities and of all the domains listed above. Unfortunately so far they have not responded to abuse reports and have so far failed to take action against their reseller Uzak.net.tr, who are looking increasingly likely to be directly involved in the criminal activity, especially as they are still bouncing all emails to their advertised contact addresses.

The above apple-europe.co.uk hosting account has been suspended by eukhost.com

The highlevel-ltd.co.uk hosting account has been suspended by Hostdime Inc.

NarwebNet is now the only active known network for these criminals.

For some reason the criminals have removed the bogus job page from their fake website, but don't be fooled - it's still a fake website with the content stolen from a real one, set up with intent to deceive, which is still criminal fraud, along with copyright abuse.

The owner of Narweb.net has written to me to say that the owner of the IP block 88.255.78.0 - 88.255.78.255 is now Sistemnet Telekom, although in the RIPE data, NarwebNet are still listed as the block owner under NetName.

***Latest News*** 21st. December 2007

Both Uzak.net and OnlineNic are fully aware of this criminal's thieving activities and yet neither act to end the criminal fraud. It seems clear to me that Uzak.net are directly involved in the criminality and OnlineNic are at least guilty of aiding and abetting this criminal fraud. Sistemnet.com.tr are also fully aware of this crime and also do nothing to end the criminality. All in all it amounts to a pretty amoral nest of thieves - the same bunch that are harbouring the Happy Kids charity thieves - a more despicable bunch of criminals you won't find.

***Latest News*** 12th. January 2008

All of the listed Uzak.net.tr active criminal fraud domains (save ipods-uk.com for some reason) are still active on the Sistemnet.com.tr network, making it pretty obvious that both service providers are involved with the criminal activity either directly or by association. It makes me wonder just how crooked a service provider has to be before they have their IP ranges removed or registrars their domains. The answer seems to be infinitely so...

***Latest News*** 20th. January 2008

The good news is that none of the High Level fraudster's domains are resolving. The even better news is that none of the Uzaknet domains are resolving either, so let's hope some decent soul has finally pulled the plug on a large nest of crooks in one go... A TRACERT to the crooks' nameserver ns1.uzaknet.org ends at ttnet.net.tr, so if you are the ones who've done the good deed - well done. Let's just hope it's permanent and not just a temporary blip.

***Latest News*** 21st. January 2008

I thought it was too good to be true - all the crooks' domains are unfortunately back on line along with Uzak.net.tr

***Latest News*** 26th. January 2008

No active domains are known for this fraudster - if you know of any, please let me know, thank you.

***Latest News*** 27th. January 2008

I have been informed that these criminals are active again with new domain(s). Domain highlevel-ltd.com notified to me - please let me know of any others.

DNS Data for highlevel-ltd.com:

How I am searching:
Searching for highlevel-ltd.com A record at h.root-servers.net [128.63.2.53]: Got referral to l.gtld-servers.net. (zone: com.)
Searching for highlevel-ltd.com A record at l.gtld-servers.net. [192.41.162.30]: Got referral to ns1.remotemachsys.net. (zone: highlevel-ltd.com.)
Searching for highlevel-ltd.com A record at ns1.remotemachsys.net. [75.126.132.7]: Reports highlevel-ltd.com.

Response:

Domain                   Type  Class  TTL    Answer
highlevel-ltd.com.       A     IN     14400  75.126.132.7
highlevel-ltd.com.       NS    IN     86400  ns2.remotemachsys.net.
highlevel-ltd.com.       NS    IN     86400  ns1.remotemachsys.net.
ns1.remotemachsys.net.   A     IN     14400  75.126.132.7
ns1.remotemachsys.net.   A     IN     14400  66.118.187.80
ns2.remotemachsys.net.   A     IN     14400  75.126.139.219
ns2.remotemachsys.net.   A     IN     14400  66.118.187.81

Looking up at the 2 highlevel-ltd.com. parent servers:

Server                                   Response
ns2.remotemachsys.net [75.126.139.218]   75.126.132.7
ns1.remotemachsys.net [75.126.132.7]     75.126.132.7

The host of this criminal fraudster is our old friend Softlayer Technologies Inc. (75.126.132.7)

***Latest News*** 5th. February 2008

The criminal has moved his hosting - latest DNS details (highlevel-ltd.com):

How I am searching:
Searching for highlevel-ltd.com A record at d.root-servers.net [128.8.10.90]: Got referral to J.GTLD-SERVERS.NET. (zone: com.)
Searching for highlevel-ltd.com A record at J.GTLD-SERVERS.NET. [192.48.79.30]: Got referral to ns19.esthost.com. (zone: highlevel-ltd.com.)
Searching for highlevel-ltd.com A record at ns19.esthost.com. [64.28.177.141]: Reports highlevel-ltd.com.

Response:

Domain               Type  Class  TTL     Answer
highlevel-ltd.com.   A     IN     86400   64.28.177.139
highlevel-ltd.com.   NS    IN     86400   ns20.esthost.com.
highlevel-ltd.com.   NS    IN     86400   ns19.esthost.com.
ns20.esthost.com.    A     IN     114107  64.28.185.4

Looking up at the 2 highlevel-ltd.com. parent servers:

Server                             Response
ns20.esthost.com [64.28.185.4]     64.28.177.139
ns19.esthost.com [64.28.177.141]   64.28.177.139

The latest US host is Cernel, Inc of Santa Clarita CA (64.28.177.139)

***Latest News*** 22nd. February 2008

No known active domains for this fraudster - if you know of any, please report them to me via the 'Report Active Domain' form.

***Latest News*** 25th. February 2008

New domains notified by site contact: iphones-nl.com, istore-denmark.com, istore-netherlands.com

DNS Data: (iphones-nl.com, istore-denmark.com, istore-netherlands.com).

How I am searching:
Searching for iphones-nl.com A record at g.root-servers.net [192.112.36.4]: Got referral to B.GTLD-SERVERS.NET. (zone: com.)
Searching for iphones-nl.com A record at B.GTLD-SERVERS.NET. [192.33.14.30]: Got referral to ns1.uzaknet.org. (zone: iphones-nl.com.)
Searching for iphones-nl.com A record at ns1.uzaknet.org. [88.255.78.74]: Reports iphones-nl.com.

Response:

Domain               Type  Class  TTL    Answer
iphones-nl.com.      A     IN     86400  88.255.78.75
iphones-nl.com.      NS    IN     86400  ns.iphones-nl.com.
ns.iphones-nl.com.   A     IN     86400  88.255.78.75

Looking up at the 2 iphones-nl.com. parent servers: