Moranna (Stolen Identity) scam

Moranna (Stolen Identity) Fraud

Don't Bear Internet Fraud

This fraud should not be confused with any other company of the same or similar name - the following fraud evidence defines and refer to this fake Moranna company alone and no other. The website has been stolen in its entirety from the legitimate company Lumina IP Pty Ltd - clear evidence of criminal fraud in itself. These criminals have also stolen their name from this genuine Australian NSW company - do not be fooled, it is their usual modus operandi.

Moranna scam screenshot (Stolen Website & Identity) - 02-Oct-2009

Moranna scam screenshot (Stolen Website) - 02-Oct-2009

Moranna scam is yet another 'Rockphish' serial fraud consisting of a fake, (stolen), financial site used as a vehicle to legitimise a money laundering fraud job scam. The only reason it looks so glossy and professional is because the website has been stolen in its entirety from the genuine financial organisation Lumina IP Pty Ltd. That much is self evident and as such it is irrefutable evidence of fraud. The fake website is also hosted on a 'Fastflux' botnet using zombies that are also used for other frauds and also for 'phishing' fraud domains. It's not the only scam website this fraudster has produced using an identical MO. He has previous aliases of Paramount Finance, First Rate Finance, World Finance Group, Zeus Financial Group, Toll Finance, Range Financial Corporation, Adriatic Finance Services, Arena Financial Group, Rams International and many others.

The initial website fraud domain moranna.com was only registered with TODAYNIC.COM, INC. on 30-Sep-2009 for the usual 'criminal's domain' minimum period of only one year and the crook has no genuine web presence at all, (not to be confused with the A.C.T. based Australian company of the same name whose identity the criminal has stolen, as is their normal MO). All absolutely irrefutable evidence of fraud. This latest fraud remains botnet hosted, initially on the same WebNX (Los Angeles) IP as used by the crook's previous Rams International alias.

Current Zombie Botnet Controller Hosts

- ns1.loginjors.com [] - Notified 13-Oct-2009

Ethical hosts respond within hours to abuse reports of these criminals. Unfortunately there are hosts who are quite happy to shelter them and ignore abuse reports.

Evidence of Criminal Fraud:

i) Zombie botnet hosted: First and foremost, this criminal fraud site is hosted on a 5-IP 'FastFlux' 'Rockphish' zombie botnet as clearly evidenced by the DNS data. As no legitimate site is hosted on a zombie botnet this site is irrefutably defined as criminal. The zombies involved are also hosting other 'Rockphish' frauds such as the Rams International scam and all his other aliases as listed above. Reverse IP data on the zombies involved shows other hosted 'Rockphish' domains and phishing URLs.

ii) Stolen website: It is perfectly obvious that the Moranna criminals have stolen their entire fraud site from the genuine Lumina IP Pty Ltd and modified it for their own fraud purposes by adding the usual fake "Payment Protection" menu option, (under the 'Our Services' flash menu tab), that leads the potential mule into their web of deceit and criminal activity - clear evidence of site theft and fraud.

iii) As the Moranna criminals have stolen the website from the genuine Lumina IP Pty Ltd company, the content has no real relevance, although they claim on their 'About Us' page to have been in business since 2006, but the fraudster's domain moranna.com was only registered with TODAYNIC.COM, INC. on 30-Sep-2009 for the usual 'criminal's domain' minimum period of only one year. Clear evidence of fraudulent misrepresentation.

iv) Serial fraudster - this is just the latest zombie botnet hosted alias from the 'Rockphish' group as listed above.

v) As is usual for these criminals, a Google search shows that they have absolutely no internet presence at all despite the claim on their About Us page to have been in business since 2006. Do not confuse the criminals with a genuine Australian company of the same name whose identity these crooks have stolen as is their normal practice from previous aliases.

vi) The 'Payment Protection Services' scam job from the website (can be found under 'Services'):

Payment Protection Services

When buying-selling operations via the Internet are concerned, the buyer and the seller don’t know
each other and are placed in different corners of the world. Therefore it is important both to the buyer
and the seller their transaction to be made without fraud. Payment Protection means receiving
money, documents, goods (it might be both seller’s and the buyer’s) concerning the transaction into the
hands of a reliable, experienced, impartial person - our Payment Protection agent. The agent will hold
all the money and documents until all the terms of the deal are satisfied.

Benefits for the seller

The seller should be sure that while purchasing goods or services he/she will receive the money for
that. That is why the sellers turn to our company. It makes them sure that if they sell something they
will receive their money in time and our company will provide a successful transaction and will see it to
the performance of the terms of the purchase agreement.

Benefits for the buyer

The buyer should be sure that while passing the money to the seller he/she will receive the thing
he/she pays for. You will avoid any fraud if you turn to our payment protection agents, which
ensures passing the money only after all the instructions of the agreement are performed and all the
documents are executed.

Benefits for Payment Protection Agents

The main chain of our Payment Protection services is an Payment Protection agent who are seriously
checked before they are admitted to the job. We need agents all over the world that is why the
majority of our agents work part-time and on the remote, although there are agents who work full-time.
Our agents mainly get money (percentage) for every successfully-completed transaction. The Payment
Protection agent makes 5-7% (depending on the quantity of the transactions performed) from the amount
of each transaction. Bank deposits and withdrawals are not taxable by EU/UK/AU/US law, making this a
comfortable source of income.

Benefits for other companies from our service

During carrying out different financial transactions via the Internet fraud might appear. It is
especially widespread when something is bought on the Internet. It happened that the seller didn’t get the
money for the purchase sent or vice versa - the buyer didn’t get the purchase having paid the money for it.
Our company as an impartial member is an agent between the buyer and the seller and guarantees the
security of the transaction. There are a lot of huge companies that should be confident about the
reliability of the transaction and shouldn’t be interfered with by solving the problems of security.

Benefits for our company

Year by year the amount of commerce on the Internet is increasing, the services of our company are
becoming more and more wanted, which gives us an opportunity to expand our business and render fast,
secure and professional services. Our agents get 5-7% from each transaction, we get 3% more above this
for our services, and that's how we benefit from the business.

"Payment Protection" fraud is of course simply "Escrow" Fraud under a new name.

vii) The Spam:

Moranna Pty. Ltd.
148 Fern St, Gerringong,
NSW, 2534, Australia.

Hello,
my name is Michael Nguyen and I am Moranna Pty Ltd Hiring manager. We have found your CV at TotalJobs jobs board and decided to offer this job to you.

Our services
When buying-selling operations via the Internet are concerned, the buyer and the seller don't know each other (they may be placed in different corners of the world) - it is very important both to the buyer and the seller for their deal to be made safely. Payment Protection means receiving money, documents, goods (it might be both the seller's and the buyer's) concerning the transaction to a reliable, experienced, impartial person - our Payment Protection agent. The agent will hold all the documents and money until all the terms of the deal are satisfied and only then release them to the intended receiver. Please, visit our web-site for more information. (http://www.moranna.com/)

Why we need Payment Protection agents
Having a Payment Protection agent in every country we can quickly transfer funds inside a country without wasting time on the international bank transfers, and continue our rapid growth rather than overwhelming our own bank account with inbound and outbound transactions leading to severe hold times and possible service interruption. It is time that is of significant importance to our clients.

Career and Benefits
Your main task will be receiving money transactions to any bank account you would like to use for the purposes of this job; and then forwarding these transactions to the next party of the Payment Protection process according to our instructions. You will benefit from the commissions, which are 5-7% of each transaction and depend on the quantity of the completed transactions and the speed of your work. Besides, you will be paid a basic salary of 1500 GBP per month.

For your convenience there will be no paychecks, your commission will remain in your account after every successfully completed transaction. The money transfer fee is not included in your commission, meaning that you will deduct it from the received amount, not from your commission. Also you receive 5-7% of the transaction amount. Normally the amounts that we process vary from 2,000 GBP to 10,000 GBP, but can go higher on special occasions.

Job details
As the financial activity in your area is not too high, a Payment Protection agent will be processing approximately 1-2 transactions per week. Each transaction requires approximately 4-5 hours of the agent work. Our manager always calls the agent beforehand to provide all the instructions. Therefore, with the due time management, the agent is able to combine this job with other activities (e.g. primary job or studies).

If you are ready to proceed, please provide your AVAILABLE phone number to our hiring manager (Paul Marsden) at hiring@moranna.com

Please do not hesitate to contact us if you need more information.

--
Sincerely yours,
Michael Nguyen,
Moranna Pty. Ltd.
http://moranna.com/

It's the same fake 'Michael Nguyen' and the same clear fraud spam as their previous aliases, e.g. Rams International.

viii) You do not get a clearer definition of the illegal part time money mule function: "Your main task will be receiving money transactions to any bank account you would like to use for the purposes of this job; and then forwarding these transactions to the next party of the Payment Protection process according to our instructions", i.e. transferring them on via Moneygram or Western Union less a percentage commission - that on its own defines the company without doubt as criminal and bogus and is clear evidence of criminal fraud. It is also a more or less identical spam to the criminal's previous identical aliases as listed above.

ix) No legitimate company is going to advertise for this sort of illegal part time, 'work from home' money transfer position among the untrained, inexperienced and uncertified general population overseas. It will get your bank account and your assets frozen and could well earn you a criminal record - do not be tempted. All of the transferred stolen money in your account will be recovered and you will be left with large financial losses.

x) Fake 'Contact Us' Details from website:

Moranna Pty Ltd
148 Fern Street, Gerringong
NSW, 2534, Australia.

Tel: (+61) 03 9015 7542

• - The telephone number (+61) 03 9015 7542 is exactly the same number that the crooks used for their Rams International scam.
• - The telephone number 03 9015 7542 is not a New South Wales number, but a Victoria/Tasmania number.
• - A Google search for "148 Fern Street, Gerringong" shows that these criminals are certainly not there, confirmed by a Google Maps business lookup.

All clear evidence of fake contact/location details and a fake company.

The above evidence clearly demonstrates beyond any doubt that the Moranna website has been set up very recently by 'Rockphish' money laundering criminals purely for the purpose of spamvertising an illegal money laundering 'mule' job. If you are an abuse team that has received an abuse report regarding these fraudsters, please consider immediate termination of their services in view of the absolutely undeniable evidence of criminal activity - please don't delay - these criminals will not respond to any communication from you, (all their whois data is false), but will simply take advantage of any attempt at communication as a delaying tactic to allow them time to carry on their criminal activity and prepare their next network.

Main Website Domains

moranna.com
recruitmoranna.com

Registrar

TODAYNIC.COM, INC. (30-Sep-2009)
DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM (NICS.NAME) (02-Oct-2009)

Botnet Nameserver Domains

loginjors.com

Registrar

RANGER REGISTRATION (MADEIRA) LLC. - 24-sep-2009

Nameserver Host

Host IP

Active
Suspended/Disabled
Parked

Domain Whois Data

Domain name: moranna.com
Status: Active

Registrar:     TODAYNIC.COM, INC.
Status:        clientTransferProhibited
Dates:         Created 30-sep-2009   Updated 30-sep-2009 Expires 30-sep-2010
DNS Servers:   NS1.LOGINJORS.COM NS2.LOGINJORS.COM

Protection Status: public
( make contact info private at http://www.now.cn/domain/domainPrivate.php )

Registrant:
Name: Feri Deroo
Address: Moskow
City: Moskow
Province/state: MSK
Country: RU
Postal Code: 133327

Administrative Contact:
Name: Feri Deroo
Organization: Feri Deroo
Address: Moskow
City: Moskow
Province/state: MSK
Country: RU
Postal Code: 133327
Phone: +7.9957733389
Fax: +7.9957733389
Email: mold33333avimo@safe-mail.net

Technical Contact:
Name: Feri Deroo
Organization: Feri Deroo
Address: Moskow
City: Moskow
Province/state: MSK
Country: RU
Postal Code: 133327

Nameserver Information:
    ns1.loginjors.com
    ns2.loginjors.com

Create: 2009-09-30 23:01:27
Update: 2009-09-30
Expired: 2010-09-30

Domain Name: RECRUITMORANNA.COM

Registrar:     DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Status:        clientTransferProhibited
Dates:         Created 02-oct-2009   Updated 02-oct-2009 Expires 02-oct-2010
DNS Servers:   NS1.LOGINJORS.COM NS2.LOGINJORS.COM

Registration Service Provided By: NICS.NAME
Contact: +7.8469724045
Website: http://nics.name

Registrant:
    PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    P.O. Box 97
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Moergestel
    null,5066 ZH
    NL
    Tel. +45.36946676

Creation Date: 02-Oct-2009
Expiration Date: 02-Oct-2010

Domain servers in listed order:
    ns2.loginjors.com
    ns1.loginjors.com

Administrative Contact:
    PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    P.O. Box 97
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Moergestel
    null,5066 ZH
    NL
    Tel. +45.36946676

Technical Contact:
    PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    P.O. Box 97
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Moergestel
    null,5066 ZH
    NL
    Tel. +45.36946676

Billing Contact:
    PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    P.O. Box 97
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Moergestel
    null,5066 ZH
    NL
    Tel. +45.36946676

Status:ACTIVE

Domain Name: loginjors.com

Registrar:     RANGER REGISTRATION (MADEIRA) LLC.
Status:        clientTransferProhibited
Dates:         Created 24-sep-2009   Updated 24-sep-2009 Expires 24-sep-2010
DNS Servers:   NS1.LOGINJORS.COM NS2.LOGINJORS.COM

   Registrant:

Stolen details - redacted.

   Registrar Name....: Register.com
   Registrar Whois...: whois.register.com
   Registrar Homepage: www.register.com

      Created on..............: 2009-09-24
      Expires on..............: 2010-09-24

   Administrative Contact:

Stolen details - redacted.

   Technical Contact:
      Registercom
      Domain Registrar
      575 8th Avenue
      New York, NY 10018
      US
      Phone: +1.9027492701
      Email: domainregistrar@register.com

   DNS Servers:
      ns1.loginjors.com
      ns2.loginjors.com

The Zombie Botnet DNS Data (Valid for domain moranna.com)

DNS Lookup: moranna.com A record
Searching for moranna.com A record at c.root-servers.net [192.33.4.12]: Got referral to D.GTLD-SERVERS.NET. (zone: com.)
Searching for moranna.com A record at D.GTLD-SERVERS.NET. [192.31.80.30]: Got referral to ns2.loginjors.com. (zone: moranna.com.)
Searching for moranna.com A record at ns1.loginjors.com. [67.220.213.24]: Reports moranna.com.
Response:

Domain	Type	Class	TTL	Answer
moranna.com.	A	IN	1800	85.136.128.59
moranna.com.	A	IN	1800	201.139.75.79
moranna.com.	A	IN	1800	201.241.32.247
moranna.com.	A	IN	1800	79.109.162.189
moranna.com.	A	IN	1800	79.117.206.51
moranna.com.	NS	IN	1800	ns2.loginjors.com.
moranna.com.	NS	IN	1800	ns1.loginjors.com.
ns1.loginjors.com.	A	IN	1800	67.220.213.24
ns2.loginjors.com.	A	IN	1800	146.30.45.31

Looking up at the 2 moranna.com. parent servers:

Zombie Botnet Nameserver	Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.loginjors.com [67.220.213.24]	67.164.7.67 79.109.162.189 79.119.84.66 79.125.41.181 85.136.128.59
ns2.loginjors.com [146.30.45.31]	Timeout

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.loginjors.com hosted by WEBNX.COM of Los Angeles on IP address 67.220.213.24 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT/NSLOOKUP). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting. This is exactly the same botnet host IP as used for the crook's previous Rams International scam.

***Latest News*** 2nd. October 2009
Webpage created.

***Latest News*** 5th. October 2009
News from Simon Bear: The domain recruitmoranna.com has been suspended by the registrar.

***Latest News*** 7th. October 2009
The IP 67.220.213.24 has finally been null routed.

***Latest News*** 8th. October 2009
The criminal now has a new botnet host:
The Zombie Botnet DNS Data (Valid for domain moranna.com)

Looking up at the 2 moranna.com. parent servers:

Zombie Botnet Nameserver	Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.loginjors.com [65.60.6.143]	116.65.199.187 121.141.44.120 121.181.5.75 211.220.122.249 94.189.175.182
ns2.loginjors.com [146.30.45.31]	Timeout - Fake nameserver, (never resolves).

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.loginjors.com hosted by SingleHop, Inc. of Chicago on IP address 65.60.6.143 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT/NSLOOKUP). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.

***Latest News*** 13th. October 2009
The Zombie Botnet DNS Data (Valid for domain moranna.com)
The criminal's Singlehop botnet hosting has finally been disconnected and the criminal's botnet is now being hosted on the ColoGuys, Inc. (Cologuys.com) IP address 66.207.173.148 as follows:
Looking up at the 2 moranna.com. parent servers:

Zombie Botnet Nameserver	Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.loginjors.com [66.207.173.148]	121.129.14.231 213.60.229.137 61.82.161.51 89.230.142.32 92.100.207.188
ns2.loginjors.com [146.30.45.31]	Timeout - Fake nameserver, (never resolves).

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.loginjors.com hosted by ColoGuys, Inc. (Cologuys.com) on IP address 66.207.173.148 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT/NSLOOKUP). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.

***Latest News*** 23th. October 2009
Fortunately TODAYNIC.COM, INC. appear to have suspended the criminal fraud domain moranna.com. Unfortunately the criminals have simply moved on to a new fraud using the domain zoomfinancialservices.com hosted on the same botnetwork above that is still being hosted by ColoGuys.com. New fraud page: Zoom Financial Services.

Later: botnet disconnected by ColoGuys after transferred to Zoom Financial Fraud.