MU Trust Company Inc. Fraud

MU Trust screenshot.

This criminal fraud website should not be confused with any other company of the same or similar name. The above screenshot of the criminal's website home page and the detailed evidence below are intended to identify this fraudster and this fraudster alone.

N.B. This criminal takes advantage of an SQL vulnerability to inject a JavaScript exploit into the page code of vulnerable websites, which then attempts a 'drive-by' attack on susceptible victims, apparently aiming to download the 'Asprox' trojan.

The MU Trust Company scam is a huge money mule scam and phishing operation combined. It is hosted, as are the phishing sub-domains, on a zombie botnet, which confirms its criminal nature beyond any doubt even without any of the following damning evidence. The botnet has been created by the Danmec/Asprox trojan, probably spread by the same criminals using, among other methods, SQL injection techniques to infect unpatched website databases. The result is an iframe injected into the page source that attempts to force visitors to download and run a JavaScript component, i.e. a 'drive-by' attack. This particular botnet uses a 15-IP 'fast-flux' configuration, and the in-house nameservers/botnet controllers are also hosted on multiple zombies, which is fairly unusual, although I have seen it used by the 'rockphish' phishing and ML fraudsters, albeit not in a 'fast-flux' configuration.

The criminal claims to have been in business for some time, but his domains were only registered very recently (31-Jul-2008). He makes grandiose claims but has no internet presence, and he heavily spams both on job websites and by email. The 'About the Company' nonsense above apparently links this criminal to other fraudsters such as the Malfour Financial Group Inc., TradeFinans, Guardian Trading Inc and the Tyler Success Group, to name but four current criminal operations. Information here and here clearly links these MU Trust Company criminals to a botnet created by the 'Asprox' trojan.

The criminal's domains all resolve to the above website, but they are also used to host phishing pages in various sub-domains, so you will see the domains themselves in the usual heavily obfuscated phishing spam links.

If you are a registrar or a host who has received an abuse report concerning this criminal, then please review the irrefutable evidence of criminality below and take prompt and permanent action to shut this criminal down. Bear in mind that all of the host IPs appear to be compromised end user machines (zombies), so if you are a host you are being asked to disconnect a trojan-infected end user pending cleansing of his/her machine.

If you've either received an active website link in an MU Trust Company fraud spam, or know of an active domain and it is not listed in the domain tables below, then please let us know by reporting it using the 'Report Active Domain' option in the title bar above.

MU Trust Company : Evidence of Criminal Fraud

i) The bogus MU Trust Company website is zombie botnet hosted, as clearly demonstrated by the DNS data below. No legitimate company would use a zombie botnet to host their websites - clear evidence of criminal fraud.

ii) The criminals claim on their 'Careers' page: "Our Company was founded 4 years ago". In their spams below they claim: "Mortgagee Union Trust Company was founded 5 years ago". Despite their confusion about when they were actually founded, their multiple website domains (m-uniontrust.com, muniontrust.com and mortgageeunion.com) were only registered with BIZCN.COM, INC. on 31-Jul-2008. Clear evidence of criminal fraud.

iii) The fake contact details, (from the website):

If you would like to speak with one of our specialists, please write on this e-mail address. If you would rather contact us by telephone, call/fax us at:
+1(0)253-679-0252 (U.S. Processing Department)

info.muniontrust@gmail.com

Corporate Headquarter:

MU Trust Company Inc.

Human Resources Departamen
1204 Cours Du General De Montcalm,
Quebec City,
Canada,
G1R4W6

General Information: info.muniontrust@gmail.com

Technical Support: support.muniontrust@gmail.com

Job Service: resume.muniontrust@gmail.com


- First of all, notice the use of Gmail contact addresses - no reputable company would use Gmail contact addresses for business purposes.
- A Google search on the address "1204 Cours Du General De Montcalm" Quebec shows a couple of things:
    i) Firstly, it's the address of the "Centre d'information du Nunavik à Québec" and not these crooks.
    ii) Secondly, there is clear evidence of heavy job website spamming with the usual money mule spam.
- They've got the postcode wrong for their bogus address - the Canadian postcode lookup for the address gives the postcode as G1R 3G4. Their postcode G1R 4W6 is listed as for street numbers 1225-1225A (odd).
All clear evidence of fraud.

iv) Note the usual spelling mistakes and grammatical errors common to these fraudsters, e.g. "Human Resources Departamen" for Human Resources Department in the above contact details and under their 'Services' tab: "Bussines Support Services". If you have any "Bussines" that need support, you know where to go... I like the web-page footer: "Use of this website signifies your agreement to the Therm Of Use." Is that equivalent to the BThU of use?

v) The criminal's spams, (example below), spamvertise the usual part-time, work from home job that will inevitably turn out to be accepting payments into your private account and transferring them back to the criminals, less a percentage, using Western Union and Moneygram. The criminals now do not explicitly spell them out to avoid incriminating themselves, but taken in conjunction with the rest of the clear and irrefutable evidence of criminality it is easy to infer the purpose of a part-time, work from home "International Account Manager".

The Jobsite Spam

We are expanding, new supreme proposals for you! REF: 387

Mortgagee Union Trust Company.
Arranged by Markus Bruyere.
Canada


The following message is very important for you!
MU Trust Company is ready to offer great vacancy to responsible candidates.
Mortgagee Union Trust Company was founded 5 years ago and ever since trust and joint support of all our clients have been at the very heart of our success, financial growth and solvent reputation.

Despite global oil and mortgage crisis, we believe that our future lies in the hands of independent investment.
Mortgagee Union Trust Company offers you to become one of our affiliates. It is possible to apply from almost every region of EU and US because our investment program already applies to hundreds of independent investors from these regions.
That's when we need responsible individuals to cooperate with MU Trust Company processing department.

International Account Manager is the vacancy we are glad to offer for you.
Part-time employment with a earning of USD 3000 per month.

All applicants must match the following requirements:
- Age 18+ y.o.;
- United States Citizenship is not obligatory. Being a resident is enough;
- Email, phone (landline and mobile).

If you ready to get more information about MU Trust Company and current employment opportunities, CLICK HERE to apply for a Vacancy.

Thank You very much for your time!

Yours faithfully,
Mark Telford


The Email Spam
Monetary Accountant part-time position         ref: 3724

Mortgagee UT Company.

Arranged by M. Bruyere.
Quebec, Canada


The following e-mail is extremely useful for you!
Mortgagee Union is pleased to offer great employment opportunity to responsible individuals.
MU Trust Company was founded five years ago and ever since trust and joint support of all our members have been at the very heart of our success, financial growth and solvent reputation.

Despite global oil and mortgage crisis, we believe that our future lies in the hands of independent investment.
Our company offers you to become one of our affiliates. It is possible to apply from almost every region of Europe and North America because our investment program already applies to hundreds of independent investors from these regions.
That's when we need responsible individuals to cooperate with Mortgagee UT Company processing department.

"International Accountant" is the vacancy we are glad to offer you.
Part-time work form home employment with a minimum earning of 2500 USD per month.

All applicants must match the following requirements:
- Age 18+;
- US Citizenship is not obligatory. Being a resident is enough;
- E-mail, phone connection (home and cell.).

If you ready to get more information about MU Trust and current vacancies, CLICK HERE to fill the job application.

We look forward to hearing from you soon.

Yours faithfully,
Markus Telford


vi) The part time, work from home, "International Accountant" position is undoubtedly the well known and totally illegal money laundering mule position which entails receiving stolen or fraudulent checks into your bank account and immediately wiring them back to the criminals via Moneygram or Western Union. Such activity will get your bank account and your assets frozen, will lose you a lot of money and will get you a criminal record - don't be fooled or tempted.

vii) No legitimate company is going to spamvertise among the untrained, inexperienced and uncertified general population for a part time "International Accountant". Such a proposition defines the company without doubt as criminal and fraudulent.

viii) The 'Asprox' Zombie Botnet DNS Data (Valid for domain m-uniontrust.com)
How I am searching:

Searching for m-uniontrust.com A record at m.root-servers.net [202.12.27.33]: Got referral to E.GTLD-SERVERS.NET. (zone: com.)
Searching for m-uniontrust.com A record at E.GTLD-SERVERS.NET. [192.12.94.30]: Got referral to ns2.m-uniontrust.com. (zone: m-uniontrust.com.)
Searching for m-uniontrust.com A record at ns2.m-uniontrust.com. [75.181.90.242]: Reports m-uniontrust.com. Response:
Domain Type Class TTL Answer
m-uniontrust.com. A IN 600 203.73.54.8
m-uniontrust.com. A IN 600 90.6.171.132
m-uniontrust.com. A IN 600 80.217.8.234
m-uniontrust.com. A IN 600 216.99.49.126
m-uniontrust.com. A IN 600 98.206.186.21
m-uniontrust.com. A IN 600 67.61.123.170
m-uniontrust.com. A IN 600 64.253.1.6
m-uniontrust.com. A IN 600 89.3.54.84
m-uniontrust.com. A IN 600 71.109.85.56
m-uniontrust.com. A IN 600 83.27.77.18
m-uniontrust.com. A IN 600 75.65.152.126
m-uniontrust.com. A IN 600 69.246.61.113
m-uniontrust.com. A IN 600 99.228.62.174
m-uniontrust.com. A IN 600 65.29.125.35
m-uniontrust.com. A IN 600 84.75.190.234

Looking up at the 3 m-uniontrust.com. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns2.m-uniontrust.com [75.181.90.242]  203.73.54.8 216.99.49.126 64.253.1.6 65.29.125.35 67.61.123.170 69.246.61.113 71.109.85.56 75.65.152.126 80.217.8.234 83.27.77.18 84.75.190.234 89.3.54.84 90.6.171.132 98.206.186.21 99.228.62.174
ns3.m-uniontrust.com [99.229.58.233]  203.73.54.8 216.99.49.126 64.253.1.6 65.29.125.35 67.61.123.170 69.246.61.113 71.109.85.56 75.65.152.126 80.217.8.234 83.27.77.18 84.75.190.234 89.3.54.84 90.6.171.132 98.206.186.21 99.228.62.174
ns1.m-uniontrust.com [24.44.191.232]  203.73.54.8 216.99.49.126 64.253.1.6 65.29.125.35 67.61.123.170 69.246.61.113 71.109.85.56 75.65.152.126 80.217.8.234 83.27.77.18 84.75.190.234 89.3.54.84 90.6.171.132 98.206.186.21 99.228.62.174

No matter which of the criminal's domains you look up, the basic network is the same although the zombies will constantly change.

The data shows a 15-IP site-hosting zombie botnet controlled by in-house nameservers that are themselves hosted on compromised end user machines, or zombies. The criminal's remotely controlled nameservers ns1.m-uniontrust.com, ns2.m-uniontrust.com and ns3.m-uniontrust.com are acting as zombie botnet controllers, 'herding' the rotating zombies in the 'A' records list (as determined by RDNS), which are hosting the fraud site (as determined by TRACERT). RDNS checks on the zombies show them on a wide variety of networks, but where the data is clear, you will see DSL, ADSL and cable end users who have been dumb enough to download and run the Asprox trojan or are victims of a 'drive-by' website exploit and need to be disconnected by their ISPs until their machines are cleaned.
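The properties described above (many A records, a short TTL, hosts and nameservers scattered across unrelated networks) can be checked mechanically. The following is an added example, not tooling from this page: it parses the answer lines in the layout shown above and scores them, with the /16 grouping and all thresholds chosen here as illustrative assumptions.

```python
import ipaddress
import re

# A-record answer for m-uniontrust.com, copied from the DNS data on this page.
ANSWER = """Domain Type Class TTL Answer
m-uniontrust.com. A IN 600 203.73.54.8
m-uniontrust.com. A IN 600 90.6.171.132
m-uniontrust.com. A IN 600 80.217.8.234
m-uniontrust.com. A IN 600 216.99.49.126
m-uniontrust.com. A IN 600 98.206.186.21
m-uniontrust.com. A IN 600 67.61.123.170
m-uniontrust.com. A IN 600 64.253.1.6
m-uniontrust.com. A IN 600 89.3.54.84
m-uniontrust.com. A IN 600 71.109.85.56
m-uniontrust.com. A IN 600 83.27.77.18
m-uniontrust.com. A IN 600 75.65.152.126
m-uniontrust.com. A IN 600 69.246.61.113
m-uniontrust.com. A IN 600 99.228.62.174
m-uniontrust.com. A IN 600 65.29.125.35
m-uniontrust.com. A IN 600 84.75.190.234
"""
NAMESERVERS = ("75.181.90.242", "99.229.58.233", "24.44.191.232")  # ns2, ns3, ns1 above

RECORD = re.compile(r"^(\S+)\s+A\s+IN\s+(\d+)\s+(\S+)$")

def parse_a_records(text):
    """Return (ttl, IPv4Address) for each well-formed A line; skip the rest."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # header row or non-A line
        try:
            records.append((int(m.group(2)), ipaddress.IPv4Address(m.group(3))))
        except ipaddress.AddressValueError:
            continue  # malformed address
    return records

def net16(ip):
    """Collapse an address to its /16 as a cheap stand-in for 'which network'."""
    return ipaddress.ip_network(f"{ip}/16", strict=False)

def flux_report(records, nameservers=(), min_ips=5, max_ttl=1800, min_nets=4):
    """Score one answer set; the thresholds are illustrative assumptions."""
    ips = {ip for _, ip in records}
    nets = {net16(ip) for ip in ips}
    ns_nets = {net16(ip) for ip in nameservers}
    signals = {
        "many_a_records": len(ips) >= min_ips,
        "short_ttl": bool(records) and max(t for t, _ in records) <= max_ttl,
        "scattered_hosts": len(nets) >= min_nets,
        "scattered_nameservers": len(ns_nets) >= 3,
    }
    return {"ips": len(ips), "nets": len(nets), "signals": signals,
            "suspicious": sum(signals.values()) >= 3}
```

A single snapshot cannot show the rotation of zombies mentioned above; comparing reports taken a few TTLs apart adds that signal.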

For a general explanation of this form of hosting, please see The Zombie Botnet 'Host By Proxy'


The above evidence clearly demonstrates beyond any doubt that the MU Trust Company criminal's website has been set up by money laundering and phishing criminals purely for the purpose of spamvertising an illegal money laundering 'mule' job. If you are an abuse team that has received an abuse report regarding these fraudsters, please consider immediate termination of their services in view of the absolutely undeniable evidence of illegal activity and spamming - please don't delay - these criminals will not respond to any communication from you, (all their whois data is false), but will simply take advantage of any attempt at communication as a delaying tactic to allow them time to carry on their criminal activity and prepare their next network.

Current Main Domains, Hosts and Registrars

Domain              Registrar
cashtransfers.tk    Dot TK Domain Registry (13-Jul-2008)
cdport.eu           PublicDomainRegistry.Com (13-Jul-2008)
type53.eu           PublicDomainRegistry.Com (07-Jul-2008)
ujnc.ru             NAUNET-REG-RIPN (14-Aug-2008)

***Beware*** The above domains contain an embedded exploit.

See table below for the full list of known active & suspended main domains used by this criminal.

List of all known domains used by the MU Trust Company/Asprox phishing Fraudsters 



This is unlikely to be a complete list of the domains. They are almost certainly generated by an automatic registration system and may well run into the thousands.


Please notify me of any errors or domains not listed here.

Notes for Registrars

i) The criminal's domains have false whois registration data.
ii) All of the domains are zombie botnet hosted so by definition they are not legitimate.
iii) The criminal will not respond to your challenge but will use the notice to prepare a new network - immediate suspension is requested, please.

Fraud Blog Initial entry 9th. August 2008

*** Latest News*** 11th. August 2008

This is a very worrying development - just to demonstrate the totally integrated nature of it, I received a Lloyds TSB phishing spam today with the link:
http://online-business1.lloydstsb.com.er74.co.uk/customer.ibc/
which resolves to the usual input form for your banking details, but guess where the domain er74.co.uk resolves to? You guessed it - this fraudster's website.
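The hostname check that this link fails, as an added example that is not part of the original page: it finds the domain that actually controls the host and flags a second, complete hostname tucked into the sub-domain part. The suffix set is a small assumption covering only the TLDs seen on this page; real code should use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumed minimal public-suffix set (only the TLDs that appear on this page).
SUFFIXES = {"com", "ru", "eu", "tk", "mobi", "co.uk"}

def split_host(host):
    """Return (subdomain, registrable_domain), or None if no known suffix matches."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):              # longest candidate suffix first
        if ".".join(labels[i:]) in SUFFIXES:
            if i == 0:
                return None                   # the host is a bare suffix
            return ".".join(labels[:i - 1]), ".".join(labels[i - 1:])
    return None

def inspect_url(url, tracked=()):
    """Report who controls the host and whether it imitates another hostname."""
    host = urlsplit(url).hostname or ""
    parts = split_host(host)
    if parts is None:
        return {"host": host, "registrable": None, "imitates": None, "tracked": False}
    sub, domain = parts
    # A sub-domain that itself ends in a public suffix is a hostname in disguise.
    inner = split_host(sub) if sub else None
    return {"host": host, "registrable": domain,
            "imitates": inner[1] if inner else None,
            "tracked": domain in tracked}
```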

I'm just guessing here:

i) Russian connection
ii) Automated domain registration system
iii) Distribution & Use of trojans
iv) Extensive use of the registrar NAUNET-REG-RIPN
v) Botnet hosting
vi) Money laundering mule fraud
vii) Phishing

Now why does the alias Alex Polyakov come to mind?....

*** Latest News*** 13th. August 2008

Notification from site contact: domains m-uniontrust.com, muniontrust.com, mortgageeunion.com and cash-transfers.eu all suspended

*** Latest News*** 18th. August 2008
Domains suspended as listed - remaining domains contain an embedded JS download exploit.