Money Laundering Fraud |
Email Based Job Scams |
Abuse Reporting | Contact Us | Don't Bear Internet Fraud |  |
|---|
| Please be aware that criminals attack this website & my reputation. I never accept money and I never send out spam, so do not be fooled by any spam referring to my domain bobbear.co.uk in any way whatsoever. To learn more and to find out how to report all of these criminal fraudsters to their hosts and registrars yourself, check out my site and fight back! This Sophos blog & this Sophos press release refer to the criminal's last efforts as does this VNUNET article - no doubt there will be more attacks. Thanks to everyone for all the support I've received. If it hadn't have been for the criminals attacking me I would not have had the publicity, so I guess I owe them one too. | ||
|
  |
Money Laundering Fraudsters |
The above are all verified money laundering criminal fraud websites & prolific spammers run by criminal gangs who frequently, (but not always), host their sites using 'botnets' of 'zombie' computers, i.e. PCs that have been infected with a trojan/virus. See The Zombie Botnet 'Host By Proxy' section for an explanation of this common method by which these criminals host their fraud sites.
The well known 'Rockphish' phishing criminals also operate money laundering websites - they frequently use a zombie botnet method of distributing their spam, (not to be confused with the above different zombie botnet method of hosting websites), and the 'phishing' emails often contain exactly the same spurious code used as Bayesian filter avoidance text.
The registrars of the above criminal's domains are generally chosen by the criminals to be ones they think will be resistant to abuse reports. The criminals generally favour a mixed selection of domain registrars & they vary all the time as they attempt to find a 'criminal friendly' one. Most registrars eventually respond positively once they appreciate the situation, although there are always going to be a small minority of 'blackhat' providers who irresponsibly adopt a "we don't get involved" attitude and ignore abuse reports.
Where multiple domains are used for the same website, the whois data in the registrar look-up for a domain is almost always different and always bogus.
The criminals also naturally favour hosts and zombie botnet nameserver hosts that they also think will be the least responsive to abuse reports. Unfortunately, they are occasionally right - there are a few unethical providers who continue to provide services for these criminals despite having been notified of the clear criminal abuse.
Money Laundering & Re-shipping Fraud Information
Fraudsters send unsolicited e-mails or place job offers on legitimate Internet recruitment sites or forums looking to recruit 'money transfer agents' with bank or Paypal accounts. These bogus companies offer part-time employment as an agent receiving payments for goods which the company claims to be supplying, and then passing the payment on to the company via a money transfer company such as Moneygram and/or Western Union less an 'agent's percentage', (usually in the range 5-10%).These job offers are always illegal and fraudulent. Any person who agrees to act as an agent, (more correctly a money laundering 'mule'), is actually receiving stolen or counterfeit funds into their account. The final destination of the transferred funds will be an organised crime syndicate, generally overseas.
Another variation of this fraud is to offer part time employment as a 'Re-shipping Agent'. This consists of accepting parcels to your home address and forwarding them on to criminals. Needless to say these goods are either stolen or obtained by fraudulent means.
No legitimate company would offer an illegal money transfer 'job' to a home-based private individual - such a job is always illegal and the company offering it is always a criminally run 'front' company. Similarly, no legitimate company would offer a job as a 'Re-shipping Agent' to a home based private individual. Such a 'job' is always a solicitation from a bogus criminal company to fence stolen goods.
These companies can be very convincing in their attempts to perpetrate their fraud. Many of them try and give an air of legitimacy by displaying bogus 'Verisign' and other certificates. Learn to recognise fake 'Verisign' certificates which will simply be .gif images on the criminal's own webserver and when clicked on will not display information that originates from the genuine Verisign https secure server, but simply another bogus .gif image from the criminal's site.
Any person who suffers financial loss as a result of acting as an "agent" for any of these organisations would not be eligible for any form of refund from the bank concerned who would recover any monies, close the account involved in this scam and criminal charges could follow, not just for the "agent" but for anyone knowingly involved in provision of services to the criminal:
Knowingly supplying services to these fraudsters is a criminal offence in the UK under the UK Proceeds of Crime act (2002) Section 328 "A person commits an offence if he enters into or becomes concerned in an arrangement which he knows or suspects facilitates (by whatever means) the acquisition, retention, use or control of criminal property by or on behalf of another person". The notification level for this offence is low. Would all hosts and registrars with a UK presence please bear this in mind. Other countries will undoubtedly have similar provisions.
If you think that being a money 'mule' is a relatively safe and profitable occupation, then think again - the paper trail leads directly to you and you may well find yourself in the same position as these 14 Dutch entrepreneurs.
For further information regarding UK money laundering law, please refer to:
http://www.lawsociety.org.uk/professional/conduct/guideonline/view=page.law?POLICYID=225029
Whether the fraudster uses a website, as in the examples above, or simply uses a response email address, (as these criminals also do - see below), the fraud is exactly the same. Remember the first rule of spam, i.e. All spammers are liars - if you receive a 'job offer' in an unsolicited email, (spam) it is invariably a scam. Always abide by the Boulder Pledge and never respond in any way whatsoever to anything that is spamvertized whether it is goods or services. [Return To Top]
The Victims
I receive many responses from visitors to my site, some from victims who have been defrauded by the fraudsters that I document on this website and many more who are just upset by the volume and nature of these criminal's spam. I find some of them quite upsetting myself. An example of the former is a response from a CEO of a Credit Union who tells me of some of her members who have lost thousands of dollars to these criminals. An example of the latter, and these can be just as upsetting, is from a UK lady who wrote to me, (& has kindly given me permission to print this):
"Harvey Investment Co.- totally sick of their invites. I am a 73 year old UK voiceless (cancer) female needing my pc for my only communication".
So, if you are the sort of host or registrar who sees nothing wrong in providing services to these criminal fraudsters under the argument that "What they do with the hosting/domain I provide is none of my business" then I have zero regard for you. If you knowingly host these criminal's zombie botnets and register their domains and ignore abuse reports then as far as I am concerned you are aiding and abetting their criminal activity and that makes you as guilty as they are.
If you are tempted by the thought of easy money and wonder what might happen if you reply to these fraudsters and take up their offer, then this cautionary tale received from "Dave" from California might just dissuade you:
"I have been recruited by 5 different companies. 3 of which actually have sent me checks or moneygrams. 2 of which I have deposited into my account. Although I have not released any funds, Thank God. Due to the fraudulent payments that were deposited into my account have I committed a crime? My bank has frozen all of my assets and are talking about criminal charges".
Then this is what "John" from the UK tells me happened to him:
"Hi, Good Evening. I've just this afternoon had my Bank Account suspended - yes, you may have guessed - Cronos. I fell for it. Laid off work on the 19 Sep so searched the internet for home based jobs, which most are scams and I avoided them. There amongst the other emails was one from Cronos inviting me to be a 'regional rep' for their company. All I had to do was have money transferred to my account and then pass via western union to their reps. in Poland. Yes, same addresses you have here on your website. They transferred £2115.00 cash which was immediately available and I duly transferred the monies, (what a fool I was ), & took 10%. This morning there was another cash transfer of £3882. What alerted me this morning was that I went to the hole in the wall, like you do, and it took my card. I went straight to the call centre who gave me a number to ring which turned out to be the fraud dept. I had an interesting conversation and went straight to my branch with all the details I had - emails, Western Union transfers and addresses of the people, (although I guess these will be false). Hope this helps someone somewhere".
John also tells me that the number that they called him from was 44+78124496357 [Return To Top]
Notes For Abuse Teams
Please appreciate that I do receive a lot of spam from these fraudsters & I think it only fair to pass appropriate reports on to the relevant abuse teams. If you disagree with this policy and do not wish to receive further abuse reports then please click on the 'Contact Us' link to send me a request - I have no wish to annoy you unnecessarily, but please bear in mind that the spam is not the major issue - the major issue is the victims that are sucked into this criminal's net of deception & theft - those are the ones to consider. The spam is very much a secondary issue compared to the misery and distress these criminals cause to their victims.
I'd like to thank the many honest, ethical & caring hosts, (& registrars), who have disconnected these fraudsters within an hour of receiving an evidential abuse report, (several in c. 20 minutes). However, the zombie botnet controlling nameservers seem to be occasionally hosted by Colocation/VPS service providers who do not respond to criminal fraud abuse reports in a reasonable time scale. The vast majority of honest, ethical & caring SPs will respond with an immediate, (preferably not 24 hours or 48 hours & certainly not never...), disconnection on receipt of a criminal abuse report, having quite rightly considered the evidence & investigated, but a few service providers stall or simply ignore abuse reports. This latter minority of uncaring, unethical or even downright criminal hosts are aiding and abetting criminal fraud and the victims suffer because of it.
Companies who deal with these criminals should be aware that according to my information from abuse teams they have in the past paid for their services using Paypal linked to stolen credit cards, so a chargeback may be expected. Even if a chargeback is not forthcoming, please bear in mind that the money that is paying for the hosting or domain is money obtained from the proceeds of crime & in accepting it you are also profiting from the crime. The bottom line is please be proactive in attacking these criminals - please do not be an accessory to internet crime by ignoring abuse reports or dragging your feet - please be a part of the solution, not a part of the problem - please spare a thought for the victims of these fraudsters. A prompt response to criminal abuse reports is essential, i.e. preferably minutes, but at worst hours - certainly not days. These criminals rely on abuse teams who take days to react if at all. If you do not respond to abuse reports, or if you do not receive them due to spam filtering on your abuse reporting address, please do not criticise me for simply posting the fact in my daily blogs - they are simply a factual record of my daily experiences. N.B. - Spam filters on abuse reporting addresses are a serious hindrance to genuine abuse reporting, especially if NDRs are disabled. These remarks are not aimed at the ethical majority of hosts who are a pleasure to deal with, just the unethical or simply uncaring few.
These are prolific criminals who have been in this business for many years & most are linked to the 'rockphish' phishing criminals and other commercial crime. If you aid and abet these criminals then you are aiding and abetting the 'phishing' & auction fraudsters too. Please consider immediate termination of these fraudster's accounts when I report them to you. If you receive an abuse report from this website you can be assured that the utmost care has been taken to ensure its accuracy and justification, including the use of reputable 'real time' DNS tools and top level whois data from the likes of ARIN APNIC, LACNIC, RIPE etc. I do not rely on conjecture or opinion - my reports are based on solid, irrefutable evidence of criminality.
Abuse teams may wish to consider passing on any details to the authorities that might lead to arrests & convictions. It is possible to glean a lot of information from the criminal's server before it is shut down. [Return To Top]
Money Laundering - Detailed Method of Operation
This method of operation is documented for the Adamant Global fraudster, but I am confident that it equally applies to the rest of the criminal aliases that I document who are all from the same stable.Once you have contacted them, these criminals ask you to set up a bank account, or ask for existing account details, (or merely use your Paypal account if you have one). After you have done that, you will receive an email to tell you that funds have been sent or transferred to that account and to wire it on to them as soon as possible less 10% for yourself. Those funds may be in the form of a direct transfer or a mailed cheque, but whichever way you receive the funds, they will be counterfeit or the proceeds of fraud - one method at the moment seems to be using fake Ebay auctions that name you as the recipient of the funds, so you will probably receive an irate email from someone who hasn't received the computer or camera or whatever that you have received the money for. This is the Adamant Global scam that Ms. X in the USA fell for and who sent me this information:
I have been taken by this scam. I received money on my paypal account and transferred the money to two people. Islam Nikaev 02-758 Mangalia 3B Warszawa, Poland (1078.38) and Idris Mazaev 04-12824 04-128 24 Omulewska Str, Warszawa, Poland (1082.38). Following is the email that I got letting me know that the money was in my paypal account. I was to keep 10% and wire the rest. I now have a very angry person contacting me because he said he won a computer on ebay and spoke to a women (not me) and still has not received the computer:
From: a.melba@globaladamant.com Save Address To: xxxxxxxxx@xxxxxxxx Subject: new payment, instructions Date: Tuesday, September 18, 2007 2:33:09 PM [View Source] Good day, New payment of $2,601 has been transfered to your paypal account, please withdraw them to your bank account (instruction below). Log in to your PayPal account. Click Withdraw. Click the Transfer funds to your bank account link. Enter the amount of the withdrawal, choose the bank account to withdraw funds to and click Continue. Click Submit. Please confirm reception of the funds and let us know when they are cleared. Regards, A. Melba
Mr. X in the USA received this email after falling for this fraud:
Dear Mr. X,
As soon as your bank has confirmed that the money is available to be
withdrawn, please calculate and take out your 10% commission out of the
total amount that you have on your account.
After that, withdraw the remaining 90% balance and carry it to the
Western Union.
The money should be transferred via Western Union for the
following person(he is our agent in the regional branch).
First name: Magomed
Last name: Ezhiev
Country: Poland
City: Warszawa
Adress: 04-128 24 Omulewska str.
As can be seen, the recipients of these transfers are ostensibly based in Warsaw, Poland, but with these criminals everything is fake and nothing is ever quite what it seems..
If you have any information regarding these fraudsters along the above lines then please do contact me. If you are sending me any communications from one of these criminals then to be of most use the full email headers are necessary. How to reveal these are shown here for many popular mail clients. If you come across any money laundering fraud that is not documented on my website then do please let me know.
It's interesting to note that the criminals use variations of the fraud domains purely as maildrop domains - i.e. the domain globaladamant.com is actually parked but the criminal is using the mail facility of the domain as a 'secure' mail service. I say secure because it's often hard enough to convince some registrars that the main fraud domains are just that, never mind trying to convince them that a parked domain is being used for criminal purposes as well.... [Return To Top]
Email based fraud
These criminals do not always use a website. They send tremendous amounts of spam offering a part time job of "Regional Assistant" or "Local Manager" or "Finance Assistant" or some such bogus title. The job always consists of accepting stolen or just plain counterfeit funds into your account, (which they may stress doesn't need to have existing funds in it), and forwarding it on to the criminals using Moneygram or Western Union less a percentage for yourself. There may be all sorts of "sweeteners" included in the spam such as "prospects of promotion", "professional advice", "pension scheme" etc, etc. All totally bogus, of course. The initial contact email address is often a Yahoo or AOL, or Gmail or Hotmail address, but whatever it is, the 'job' is fraudulent and illegal and will end up with you losing a lot of money and possibly facing criminal charges. Don't fall for it!See the section "Email Based Job Scams" for more information on current spamvertised job scams. [Return To Top]
Fraud Forums
I have been made aware of a new? twist to ML fraud. The pharma/rockphish criminal fraudsters are operating phpbb based web forums that actively and openly recruit money laundering mules without attempting to disguise the operation in any way, quite the opposite - they are portraying this activity as legitimate and easy and commonplace. I'm not going to give them any publicity by publishing the links, but if any sections of law enforcement wish further information, please contact me. They are targeting the gullible, the greedy and of course, the outright criminal elements. If you are criminal and/or greedy enough to deliberately get involved in this, let me spell out for you the inevitable course of events. You may initially find that doing these transactions IS easy and you will be making 10% or so from every transaction, but the banks involved are not stupid - they are watching out for this sort of thing. Inevitably, sooner rather than later and without warning your account(s) and all your assets will be frozen, the police will come knocking on your door and you will not be treated as a victim of these criminals but as a criminal accomplice.These criminals regard their mules as expendable fools - they do not care what happens to them. They know full well that their mules will eventually be arrested, but it's of no interest to them as long as they themselves remain safe and anonymous - they just recruit new ones. Unfortunately there seems to be a plentiful supply. As PT Barnum probably didn't say - "There's a sucker born every minute". [Return To Top]
The Zombie Botnet 'Host By Proxy'
How to recognise a zombie botnet hosting arrangement, frequently, (but not always), used by these fraudsters to host their websites.This arrangement is basically a 'hosting by proxy' arrangement where a traceroute, (tracert), to a criminal website URL ends up on one zombie (virus/trojan infected end user machine), of possibly thousands that are being controlled, ('herded'), by a nameserver or more accurately 'botnet controller' which is registered by the criminal and is the real villain in the piece.
All the tools to help you can be found on the sites:
http://www.domaintools.com/services/
http://www.centralops.net/co/
http://www.robtex.com/
http://www.dnsstuff.com
http://www.dnswatch.info/
1) Check the DNS data for the website domain in question, (e.g. for nwmsmds.org), using one of the above links, (I have done it using the dnsstuff.com 'DNS Traversal' tool as it formats the result conveniently, but the information can be deduced from any good DNS lookup tool):
Looking up at the 2 nwmsmds.org parent servers:
| Zombie Botnet Nameserver | Botnet Nameserver 'A' Records (Zombie Site Host IPs) |
|---|---|
| ns1.walillc.com [74.62.155.57] | 85.217.201.213 87.207.253.79 89.37.242.97 210.6.255.133 78.52.147.3 79.116.186.67 80.98.245.209 |
| ns2.walillc.com [195.81.52.10] | Timeout - Fake nameserver, (never resolves). |
2) Note the set of seven IP's in the response column which are the 'A' records returned by the nameserver ns1.walillc.com. If a new lookup is done after a short interval they will have changed to a new set - they rotate at a predetermined interval.
3) Immediately do a tracert on the domain nwmsmds.org, (before the IP's rotate), & it will end up on one of these IP's, showing it to be the site host IP at the instant the tracert was done. Do it again some time later and you will get a different host IP from the 'A' records list.
4) Do a whois lookup & ReverseDNS lookup on these IP's - the data frequently shows them to be DSL pool or cable, dynamic or static end-user IP's on a myriad of different domains which confirms them to be 'zombie' PCs, (infected end-user machines).
5) Check the date the nameserver domain, (i.e. walillc.com), was registered. They are always 'throw-away' domains registered very recently by the criminals themselves to use to control the zombie botnet as they cannot use a legitimate DNS service for that purpose.
In the above example the botnet controller ns1.walillc.com is hosted on the Roadrunner IP 74.62.155.57. The nameserver domain walillc.com was registered with INTERNET INVEST, INC. DBA IMENA.UA, (29-Mar-2008), by the criminals as an integral part of their botnet.
The criminals use numerous nameserver domains & nameserver IP's that are frequently shutdown. The life cycle of a nameserver IP of these fraudsters may be only a few days or even hours, depending on how good the relevant abuse team is at understanding the problem, how responsible they are & how quickly they act.
Note that the above is just an example of the arrangement. Some botnets use 5 zombie IPs, some use more and some use only 1. The domains and IPs do not stay active for long. Examples of active domains can be found on many current fraud pages on this website. [Return To Top]
If you find this site helpful then please feel free to link to it on your website by inserting the following HTML code, (opens site in new window):
<a href="http://www.bobbear.co.uk" target="_blank">Money Laundering Fraud Websites</a>
Further Reading on Money Mule and re-shipping fraud
The UK BankSafeOnline website, (produced by APACS - the UK trade association for payments), has an excellent description of the money 'mule' process, under the Money Mules Explained sub-heading, but there is also a much wider range of excellent information, including information on 'Phishing' and Trojans.
These criminals increasingly attack career and job websites. This Monster article explains both the money laundering and re-shipping fraud aspects.
For further information on these & similar criminal fraudsters, see under 'Job offer scams' on the Wiki page http://www.spamtrackers.eu/wiki/index.php?title=Category:Job_offer_scams and always remember, Google is your friend!
The international law firm Pinsent Masons has an excellent site called 'Out-Law' which has 7,000 pages of free legal news and guidance, mostly on IT and e-commerce issues. [Return To Top]
Law Enforcement Links
UK Metropolitan Police fraud alert
Philippines National Bureau of Investigation
Hong Kong Police
United States Secret Service, (Financial Crimes Division)
United States Department of Justice (Computer Crime & Intellectual Property Section)
● How to Report Cyber and IP Crime
The Swiss Coordination Unit for Cybercrime Control (CYCOS)
European Network And Information Security Agency (ENISA)
Europol
Interpol - International Police Justice links
FBI - Internet Crime Complaint Centre
Belgian Internet Crime Reporting Site (ECOPS)
The German Federal Criminal Police Office (BKA)
Do you know any links to local or national law enforcement bodies worldwide that may be useful in the field of reporting internet crime? Then please let me know and I'll publish them here.
*** If you are a law enforcement agency and would like feedback or information or copies of abuse reports concerning the providers of this criminal organisation's services pertinent to your area of policing then please contact me via the 'Contact Us' link. N.B. - as I have had some suspicious approaches I will require proof that you are who you say you are*** [Return To Top]
Other Useful Links & Victim Support
The UK Financial Services Authority - if a company claims to be operating in the UK in the financial sector then it must be registered here. However, it is becoming more common for a fake company to hijack the registration of an existing company.
Here is a useful list of "Unauthorised Internet Banks" from the FSA, but I don't know how up-to-date it is kept.
The UK Companies House - a registered UK company will be recorded here, but once again, thieves and fraudsters do hijack existing company names.
Fraud Aid - Fraud Aid is a US based non-profit website which not only offers a wealth of information on the mechanics of a wide variety of frauds, but in addition offers support to the victims of fraud. If you are, or suspect that you are the victim of fraud, then you will undoubtedly find help and support here. [Return To Top]
Are You A Victim Or Have You Any Information?
If you are a victim of any of the above criminal fraudsters and/or would like to help to bring them to justice then I would be interested in any information that you have received from them that could help towards that end. For example, that would include source code for any correspondence you have had with them, (or select "Forward as Attachment" in your email client to send the complete message including the headers), & scanned copies of any paper correspondence, (not the originals), such as Western Union receipts for transfers to them etc. If you wish, you may remain completely anonymous - I do not require your own personal details which may be obscured in any material supplied. Please contact me via the 'Contact Us' form if you are willing to help in this way. If you are sending me any communications from one of these criminals then to be of most use the full email headers are necessary. How to reveal these are shown here for many popular mail clients. [Return To Top]