Landor Financial Fraud

Don't Bear Internet Fraud

Landor Financial scam website screenshot (11-Jun-2009)

Landor Financial website screenshot (11-Jun-2009)

If you've either received an active website link in a Landor Financial fraud spam, or know of an active domain and it is not listed in the domain tables below, then please let us know by reporting it using the 'Report Active Domain' option in the title bar above. Copies of spam are welcome. Scroll down or click for latest news.

This Landor Financial criminal fraud website should not be confused with any other company with the same or similar name. The above screenshot and the following evidence defines this criminal alone. These criminals have stolen the website of the genuine company AES International for their fraudulent purposes as detailed below and have also stolen the identity of a genuine 'Landor Financial' Australian company in a futile attempt to try and give their botnet hosted site some credibility.

Landor Financial is another zombie botnet hosted fraud from the money laundering department of the well known 'Rockphish/Asprox' phishing criminals. Passive DNS data shows that this fraud site is hosted on the same zombies that are hosting other Rockphish criminal fraudsters and phishing sites. The fact that it is zombie botnet hosted is undeniable evidence of criminal fraud as no legitimate site is botnet hosted, but there is plenty of other evidence of fraud such as the self evident fact that they have stolen the website of the genuine company AES International and are using it for fraudulent purposes, plus the fact that they have stolen the identity and registration of another innocent Australian company, 'Landor Financial Services', at a different address to their own fake one. Their current botnet nameserver, ns1.mybabals.com, was last used by the Abela Financial Group fraud.

Current Zombie Botnet Controller Hosts

Colo4Dallas LP - ns1.mybabals.com [174.136.4.150] - Notified 13-Jun-2009

The above table shows the current providers of zombie botnet hosting services to the criminals and when they were notified. The decent ethical majority of service providers, (all credit to them - they are a pleasure to deal with), act within 1-24 hours of being informed of the criminal abuse of their system, (the best in less than 1 hour), but there are unfortunately some that, for whatever reason, do not. Any hosting company that remains in the above list for more than 48 hours has unfortunately not responded to abuse reports and may possibly be a 'blackhat' or even a criminal controlled host.

If you are an abuse team that has taken action, please let me know so that I may remove the above record and update the data.

Landor Financial : Evidence of Site Theft and Criminal Fraud

N.B. - Initial information correct at 11-Jun-2009 - Check the domain tables and ***Latest News*** items for domain and hosting updates.

i) The Landor Financial fraud website is hosted on a five-IP 'fastflux' zombie botnet as evidenced below - No legitimate company would use a zombie botnet to host their website - that is undeniable evidence of criminality.

ii) Passive DNS replication data research on the listed zombies hosting the site show that the same zombies are used to host other 'Rockphish' fraud sites, attack and 'phishing' URLs.

iii) A Google search for "Landor Financial" returns a registered Australian company at a different address to the one claimed by these fraudsters - they have stolen the ID of the genuine Landor Financial Pty Ltd and are claiming it as their own, using the ABN of the genuine company, although they are using a different (fake) location address/contact details and website stolen from another company.

iv) Stolen website - the criminals have stolen the website of the genuine UK company, AES International and are using it for their fraudulent purposes - irrefutable evidence of criminal fraud and site theft.

v) They claim on the above screenshot: "Landor Financial draw on unparalleled expertise, experience and resources to deliver positive change and the maximum possible benefit to our clients", however the crook's initial domain landorfinancial.com was only registered with XIN NET TECHNOLOGY CORPORATION on 08-Jun-2009 for the usual criminal's domain minimum period of only one year - clear evidence of a fraudulent registration.

vi) Fake contact details from the website:

Landor Financial
78 Beecroft Rd, Epping
2121, NSW
Australia
T: +61 (0) 280 886 404
F: +61 (0) 280 886 404

E: info@landorfinancial.com

• - A Google search for "78 Beecroft Rd, Epping" shows no sign of these criminals - however, it is the location of several eateries.
• - Notice the single, (incorrectly formatted), phone/fax number +61 (0) 280 886 404. A Google search for it or the correctly formatted number (02 8088 6404) returns zero results.
• - The correct address details of the genuine Landor Financial Pty Ltd, (whose identity they have stolen), are different, (also as shown in the Dun & Bradstreet listing for the genuine company).

vii) The Bogus 'Payment Protection Agent' Job from the Website

Protection

Benefits for Payment Protection Agents

The main chain of our Payment Protection service is a Payment Protection agent who is carefully selected before he is admitted to the job. We need agents all over the world that is why the majority of our agents work on a part-time basis from home, although there are agents who work full-time. Payment Protection agents get the commission for every successfully-completed transaction, which is 5-7% (depending on the quantity of processed transactions) from the amount of each transaction. As an agent, you will be granted 24/7 support and assistance from our help-desk in case of emergency. A secure online environment makes the work of a Payment Protection agent easier. Bank deposits and withdrawals are not taxable by EU/EU/US/AU law, making it a comfortable source of income.

Benefits for the seller

The seller must be ensured that while selling goods or services online he/she will eventually receive the payment. That is why online sellers turn to our company; on our behalf we garantee that if they sell online, they will receive payments according to the terms agreed upon in advance. Our company provides a safe environment for internet transactions making it easy for all participants to be completely protected.

Benefits for the buyer

The buyer must be ensured that while purchasing goods or services online he/she will eventually receive the item he/she paid for. Conducting online payments through our Payment Protection agents garantees a risk-free internet purchase, because Payment Protection agents release the payment to the seller only after all the terms of the agreement are satisfied and the required documents are processed.

Benefits for our company

Year by year the amount of e-commerce is increasing, the services of our company are becoming more and more demanded, which gives us an opportunity to expand our business and provide fast, secure and professional services. The more Payment Protection agents we attract the quicker we can perform Payment Protection procedures, as inner transfers take no more than an hour. The transaction time depends on the physical location of the sender and the receiver of the funds. Our agents get 5-7% from each transaction, while we get 3% more for our services, and that's how we benefit from the business to ensure a sustainable growth and development.

Please visit this page to learn more about Payment Protection Services Process

viii) The Spam:

Landor Financial Pty. Ltd.
78 Beecroft Rd, Epping,
2121, NSW, Australia.

Hello,
my name is Jack Alison and I am Landor Financial Pty. Ltd. Staff manager. We have found and reviewed your CV at totaljobs.com and decided to offer this job to you.

Our services
When buying-selling operations via the Internet are concerned, the buyer and the seller don’t know each other and are placed in different corners of the world. Therefore, it is important both to the buyer and the seller for their transaction to be made safely. Payment Protection means receiving money, documents, goods (it might be both the seller’s and the buyer’s) concerning the transaction by a reliable, experienced, impartial person - our Payment Protection agent. The agent will hold all the money and documents until all the terms of the deal are satisfied and only then release them to the intended receiver. Please, visit our web-site for more information. (http://www.landorfinancial.com/)

Why we need Payment Protection agents
Having a Payment Protection agent in every country we can quickly transfer funds inside a country without wasting time on the international bank transfers, and continue our rapid growth rather than overwhelming our own bank account with inbound and outbound transactions leading to severe hold times and possible service interruption. It is time that is of significant importance to our clients.

Career and Benefits
Your main task will be receiving money transactions to any bank account you would like to use for the purposes of this job; and then forwarding these transactions to the next party of the Payment Protection process according to our instructions. You will benefit from the commissions, which are 5-7% of each transaction and depend on the quantity of the completed transactions and the speed of your work. Besides, you will be paid a basic salary of 1500 GBP per month.

For your convenience there will be no paychecks, your commission will remain in your account after every successfully completed transaction. The money transfer fee is not included in your commission, meaning that you will deduct it from the received amount, not from your commission. Also you receive 5-7% of the transaction amount. Normally the amounts that we process vary from 2,000 GBP to 10,000 GBP, but can go higher on special occasions.

Job details
As the financial activity in your area is not too high, a Payment Protection agent will be processing approximately 1-2 transactions per week. Each transaction requires approximately 4-5 hours of the agent work. Our manager always calls the agent beforehand to provide all the instructions. Therefore, with the due time management, the agent is able to combine this job with other activities (e.g. primary job or studies).

If you are ready to proceed, please provide your AVAILABLE phone number to our hiring manager (Charles McAlister) at hiring@landorfinancial.com

Please do not hesitate to contact us if you need more information.

--
Sincerely yours,
Jack Alison,
Landor Financial Pty. Ltd.
visit us at http://www.landorfinancial.com/

That is a clear, illegal, part-time, work-from-home job of accepting payments into your personal bank account and transferring a balance back to these crooks via Western Union or Moneygram.. In this instance they have dressed it up as "payment protection", which appears to be basically a type of escrow, but no legitimate company would use unknown private individuals in a foreign country on a part-time basis in this way - not only is the whole idea totally preposterous, but it is also illegal - this is undeniably a 'Rockphish' criminal running the botnet hosted operation, so the funds are guaranteed to be stolen from phished accounts. If you engage in the above activity you can expect to have your bank account closed, your assets frozen and possibly investigated by the police for involvement in illegal activity. You will also lose any money that you have transferred to these criminals - don't be tempted.

If you respond to the above spam, you are sent the following email:

Dear xxxxx,,
Thank you for showing your interest in our organization.

In order to find more information about the Payment Protection Agent job
on our website, please, follow the link below.
http://www.landorfinancial.com/our-services.html

To join our team now, you have to confirm your intention by filling &
signing the Agent Agreement attached to this e-mail. Thank you for
choosing Landor Financial Pty. Ltd. I hope to hear from you soon.

P.S. If you agree with ALL conditions of the Agent Agreement, please fill
in the registration form online at
http://www.landorfinancial.com/registration.html

P.P.S. Please send us a scanned copy of your ID or DL.
NOTE: This is for the security and identification purposes.
--
Sincerely yours,
Charles McAlister
Landor Financial Pty. Ltd.
hiring@landorfinancial.com
Visit us at http://www.landorfinancial.com/

Attached to the above email is this usual unenforceable 'Agent Agreement':

                                    AGENT AGREEMENT

Landor Financial Pty Ltd (hereinafter referred to as “the Company”) on the one hand and
_________________ (hereinafter referred to as “the Contractor”) on the other hand, together
called Parties, have concluded the present Employment Agreement (further - Agreement) as
follows.

Payment Protection Agent

Duties, Term of the Agreement and Compensation

1. DUTIES:

1.1. The Company assigns and the Contractor undertakes the responsibility to provide the
following services to the Company in the context of the present Agreement:
• To receive protection payments from the clients of the Company to his personal bank
account;
• To effect protection payments to the Company’s partners via Western Union / Money
Gram or another mentioned money transfer system.
1.2. The Contractor will report directly to the senior manager and to any other party designated
by the senior manager in connection with the performance of the duties under this Agreement
and shall fulfill any other duties reasonably requested by the Company and agreed to by the
Contractor.

2. COMPENSATION:

2.1. The Contractor’s basic salary will be 1500 GBP per month. The Contractor will also benefit
from the commissions, which are 5-7% of every transaction and depend on the quantity of
completed transactions and the speed of the Contractor’s work.
2.2. The Company shall have the right to decrease the Contractor’s commission in case the
payment processing terms were violated by the Contractor. In this case the Contractor’s
commission will be decreased at a rate of 3% per day.

3. BENEFITS PACKAGE AND PROFESSIONAL ADVANTAGES

3.1. The Contractor, being the independent Party, independently bears responsibility for
execution of services in the context of the present Agreement. Therefore the Contractor agrees
that the Company shall not render the latter an employee, partner or agent with the Company for
any purpose.
3.2. The parties have agreed to consider any messages sent each other by means of facsimile or
e-mail communication to be legal.

4. TERM AND DURATION OF THE AGREEMENT:

4.1. No person, but the account holder, who is the Contractor, shall have the authority to the
withdrawal of any money from the account, which is to be requested from the Company. The
company’s sole purpose to such bank information: account number, routing number, BSB/sort
code, account name and address, is to deposit only. The account holder, who is the Contractor,
will have the authority to withdrawals of any kind in order to satisfactorily complete the “duties”
of the Contractor, who declares full responsibility of any requests to withdraw money for the
Company according to the instructions provided by the Company. The Contractor acknowledges
honesty and specific times to complete the tasks for the Company. The Company and The
Contractor understand that all the money deposited to the Contractor’s bank account by the
Company’s clients belong to the Company. No personal investments will be required on behalf
of the Contractor to execute the Contractor’s duties according to the provisions of the present
agreement. No information, which will be provided to the Company, shall be distributed to third
parties for any reasons and if doing so, the Agreement will be breeched by the Company.
4.2. The present Agreement signed by the means of facsimile or e-mail communication, stands
good in law. The present Agreement shall remain in force from the moment if it’s signing by the
Parties (“____“________________ 2009) for the period of 1 (one) year, unless terminated earlier
in accordance with the terms of this Agreement.


By:

___________________________________                  ___________________________________
Contractor’s first and last name here           Contractor’s signature here

By: Landor Financial Pty. Ltd.,
78 Beecroft Rd, Epping,
2121, NSW, Australia.

ABN: 85 060 683 338

http://www.landorfinancial.com/

The above irrefutable evidence clearly demonstrates beyond any doubt that the Landor Financial website is a stolen fake website that has been set up by 'Rockphish' criminals purely for the purpose of deception and fraud. If you are an abuse team that has received an abuse report regarding these fraudsters, please consider immediate termination of their services in view of the absolutely undeniable evidence of criminality - please don't delay - these criminals will not respond to any communication from you, (all their whois data is false), but will simply take advantage of any attempt at communication as a delaying tactic to allow them time to carry on their criminal activity and prepare their next network.

Do not be misled - these are professional criminals with a long history of fraud as detailed on the General Information page and are the same criminals as the 'Rockphish/Asprox' phishing fraudsters, so if a host or registrar shelters these crooks then they are also sheltering the 'Rockphish/Asprox' phishing fraudsters and aiding and abetting their criminal 'phishing' fraud activities.

Fraud Domains

Domain

landorfinancial.com
recruitlandorfinancial.com

Criminal Registered Nameserver Domains

mybabals.com

Status

Active
Active

Active

Registrar

XIN NET TECHNOLOGY CORPORATION - 08-Jun-2009
XIN NET TECHNOLOGY CORPORATION - 09-Jun-2009

INTERCOSMOS MEDIA GROUP, INC. D/B/A DIRECTNIC.COM (04-jun-2009)

Please notify me of any domains not listed here.

Notes for Registrars

i) The Landor Financial criminal uses his own nameserver domains to control his zombie botnets or provide his DNS. By definition there can be no legitimate domains using his dedicated botnet nameservers & his conventional nameserver domains are always very recently registered. This provides an ideal database search option for you to identify and delete all of this criminal's fraud domains without any risk of hurting an innocent domain. The criminal's current botnet nameserver(s) are listed above.

ii) The criminal will not respond to your challenge but will use the notice to prepare a new network - immediate suspension without warning is essential.

The Zombie Botnet DNS Data (Valid for domain landorfinancial.com, recruitlandorfinancial.com)
How I am searching:

Searching for landorfinancial.com A record at h.root-servers.net [128.63.2.53]: Got referral to g.gtld-servers.net. (zone: com.)
Searching for landorfinancial.com A record at g.gtld-servers.net. [192.42.93.30]: Got referral to ns1.mybabals.com. (zone: landorfinancial.com.)
Searching for landorfinancial.com A record at ns1.mybabals.com. [174.37.99.113]: Reports landorfinancial.com. Response:

Domain	Type	Class	TTL	Answer
landorfinancial.com.	A	IN	1800	125.167.102.28
landorfinancial.com.	A	IN	1800	24.99.240.67
landorfinancial.com.	A	IN	1800	78.106.170.195
landorfinancial.com.	A	IN	1800	83.20.41.133
landorfinancial.com.	A	IN	1800	98.203.245.151
landorfinancial.com.	NS	IN	1800	ns1.mybabals.com.
landorfinancial.com.	NS	IN	1800	ns2.mybabals.com.
ns1.mybabals.com.	A	IN	1800	174.37.99.113
ns2.mybabals.com.	A	IN	1800	76.22.244.15

Looking up at the 2 landorfinancial.com. parent servers:

Zombie Botnet Nameservers	Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.mybabals.com [174.37.99.113]	125.167.102.28 24.99.240.67 78.106.170.195 83.20.41.133 98.203.245.151
ns2.mybabals.com [76.22.244.15]	Timeout - Dummy nameserver, (never resolves).

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.mybabals.com hosted by SoftLayer Technologies Inc. on IP address 174.37.99.113 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT/NSLOOKUP). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.

***Latest News*** Initial entry 11th. June 2009

***Latest News*** 12th. June 2009
Their botnet hosting must have been terminated by SoftLayer Technologies Inc. as the criminals have a new botnet host:
The Zombie Botnet DNS Data (Valid for domain landorfinancial.com, recruitlandorfinancial.com)
Looking up at the 2 landorfinancial.com. parent servers:

Zombie Botnet Nameservers	Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.mybabals.com [67.220.211.162]	209.173.76.154 24.147.248.77 41.104.65.234 83.20.44.98 98.203.245.151
ns2.mybabals.com [76.22.244.15]	Timeout - Dummy nameserver, (never resolves).

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.mybabals.com hosted by WebNX Internet Services of Los Angeles on IP address 67.220.211.162 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT/NSLOOKUP). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.

***Latest News*** 13th. June 2009
Another day, another botnet host.....
The Zombie Botnet DNS Data (Valid for domain landorfinancial.com, recruitlandorfinancial.com)
Looking up at the 2 landorfinancial.com. parent servers:

Zombie Botnet Nameservers	Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.mybabals.com. [204.124.180.216]	209.173.76.154 24.147.248.77 77.253.86.54 98.203.245.151 125.167.104.38
ns2.mybabals.com. [76.22.244.15]	Timeout - Dummy nameserver, (never resolves).

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.mybabals.com hosted by VolumeDrive of Clarks Summit, PA on IP address 204.124.180.216 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT/NSLOOKUP). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.

Later: The VolumeDrive hosted botnet has been terminated and the crooks are back up on another host:
The Zombie Botnet DNS Data (Valid for domain landorfinancial.com, recruitlandorfinancial.com)
Looking up at the 2 landorfinancial.com. parent servers:

Zombie Botnet Nameservers	Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.mybabals.com [174.136.4.150]	209.173.76.154 24.147.248.77 41.104.117.144 76.24.223.148 98.203.245.151
ns2.mybabals.com [76.22.244.15]	Timeout - Dummy nameserver, (never resolves).

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.mybabals.com hosted by Colo4Dallas LP on IP address 174.136.4.150 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT/NSLOOKUP). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.