This Newman, Esmond & Eisenberg LLP
fraud uses a
website stolen from the genuine company
Neal,
Gerber & Eisenberg LLP who are a Chicago based law
firm.
This fraud is just the latest in a long line that have recently
included Harvey Investment, Draper
Investment, Sydney Car Centre, Cronos
Investment and
lastly the Waller
Truck Co.
fraud
to name but five. Its sole purpose is to lend a glossy legitimacy to a
fraud website, (stolen from a genuine company), which is hosting a
money laundering mule job that is heavily spamvertised by highly
characteristic spams that
contain the same Bayesian avoidance 'white text' code as all the other
frauds
mentioned along with the current and past runs of 'Rockphish' phishing
spams.
A Google search
for Newman, Esmond & Eisenberg LLP only throws
up hits for this criminals numerous different fraud domains, (usually
suspended), and listings from various anti-fraud & anti-spam
sites. However, the fraudulent company
Newman, Esmond & Eisenberg should not be confused with any
possible
similarly named companies.
The Newman, Esmond & Eisenberg LLP fraud
website is currently hosted by a zombie botnet in exactly the same
manner as all the previous aliases mentioned above.
If
you've either received an active website link in a spam, or know of an
active domain and it is not listed in the domain tables below, then
please let us know by reporting it using the 'Report Active Domain'
option in the title bar above.
The above table shows the
current providers of hosting services to the criminals and how long
they have been providing them for. The
decent ethical majority of service providers, (all credit to them -
they are a pleasure to deal with), act within
1-24 hours of being informed of the
criminal abuse of their system, (the
best in less than 1 hour), but there are unfortunately
some that, for whatever reason,
do not.
Misc.
Other Hosts
Turktelekom
- 212.174.25.241
JSC "EnginiaSystem" Network -
81.9.106.17
JSC Electrosvyaz of Buryatia Republic (burnet.ru) - 212.0.85.6
Sripatum University/KSC Commercial Internet Co. Ltd - ns2.newmanesrg.com [202.44.71.148]
Orange Nederland Breedband B.V. - 85.150.209.34
If you are an abuse team that
has taken action, please let me
know so that I can update the current status by removing the record. Newman, Esmond
& Eisenberg :
Evidence
of Criminal Fraud
i) The criminal fraudsters
have stolen the website of the genuine
Neal,
Gerber & Eisenberg LLPas detailed above - this fraud
is exactly the same as his Harvey Investment, Draper Investment, Cronos
Investment frauds
etc with a new company as the victim. ii) The bogus websites are zombie botnet
hosted as demonstrated by the DNS data below and the nameserver
ns1.biosigndata.com was
also used by the Adamant
Global Fraud.
iii)
The criminal's spams, (example below), contain the illegal clear money
mule function of accepting payments into a private bank account and
transferring them back out to the criminals less 10% via Moneygram or
Western Union.
iv)
The Newman, Esmond & Eisenberg
website contains the usual smokescreen of bogus jobs but among them is
the following part-time, working from home, clear money mule
function advertised as "Customer Service Associate": Customer
service associate
This
is a part time job position, that enquires 1-2 hours a day to be dealt
with. The candidate will be responsible for dealing with the customer
payments in his local area, this will include: monitoring the payments
to arrive on his banking account, making calculations regarding each
payment, transmitting the payments further to the regional business
partners, associates and branches by the means of Western Union or
Money Gram services and being in an interactive communication with the
headquaters continiously.
The
successful applicant will have computer literacy coupled with the
ability to communicate at a good level and will enjoy being flexible,
enthsiastic and driven.
The
applicant can expect a part-time working agreement to be signed up
after the trial period is over. The employee is paid on a regular basis
in the end of every month, as well as he gets a 10% commission out of
each customer payment he has dealt with.
The
main aim of the role is to attract new customers by offering them the
high-speed delivery of their orders and to fasten customer payment
delivery by prompt collection of their payments. Notice the usual illiterate "fasten customer payment"
which appears in numerous other scams from this fraudster.
v) On their bogus website
they claim: "Today, Newman Esmond Eisenberg
is a firm of over 200 attorneys spanning 22 practice groups".
A Google search for "Newman, Esmond & Eisenberg"
throws up zero
hits as a genuine company, although there are many suspended domains
and fraud website listings.
vi) All of the
criminal's domains were registered with different registrars in the
last few days.
vii)
Domains have
totally different bogus whois data although they are used for
the same fraud website.
viii) The Newman,
Esmond & Eisenberg spam contains forged header information and
the
usual bayesian
filter avoidance 'white text' code that irrefutably link it to the
Cronos
Investment, Draper
Investment, Harvey
Investment, Adamant Global, Sydney Car Centre and all this criminal's
many other aliases along with the 'rockphish' phishing criminals.
ix) The
criminals prolific spam is zombie botnet distributed as is easily
demonstrated by the source IPs.
x) The
criminal's spams are all signed by different random names - they appear
to have an infinite number of fake 'employees'.
The above
evidence clearly demonstrates beyond any doubt that this
stolen Newman, Esmond &
Eisenberg website has been set up by money laundering
and phishing
criminals purely for
the
purpose of spamvertising an illegal money laundering 'mule' job and is
undoubtedly just a stolen copy of the genuine Neal, Gerber &
Eisenberg LLP site and is directly related
to Cronos Investment, Draper Investment, Harvey Investment, Adamant
Global, Sydney Car
Centre and the rest of the money
laundering/phishing criminal fraudsters' aliases
documented here. If you are an abuse team that has received an abuse
report regarding these fraudsters, please
consider immediate
termination of their services in view of the absolutely undeniable
evidence of
site theft, copyright offences, criminal money laundering activity
and
spamming -
please don't delay - these criminals will not
respond to any communication from you, (all their whois data is false),
but will simply take advantage of any attempt
at communication as a delaying tactic to allow them time to carry on
their criminal activity and prepare
their
next network.
Do
not
be misled -
these are professional criminals
with a long history
of fraud as detailed on the General Information page and are the same
criminals as the 'rockphish' phishing fraudsters, so if a host or
registrar shelters these crooks then they are also sheltering the
'rockphish' phishing fraudsters and
aiding and abetting their criminal 'phishing' fraud activities.
Newman, Esmond &
Eisenberg Fraudsters -
current hosting details.
Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Parked Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended Suspended DNS Looped DNS Looped Suspended Unhosted Unhosted Suspended Suspended Suspended Suspended Suspended Active Suspended Unhosted Unhosted Active Active DNS Looped Suspended DNS Looped Suspended Suspended Suspended Suspended Active Suspended Suspended Suspended Suspended Active Suspended Suspended Suspended Active Active DNS Failure
Suspended Suspended Suspended Suspended Suspended Parked Parked Parked Suspended Parked Suspended Suspended Parked Suspended Suspended Suspended Active Active Active Active Active Active
Spiritdomains/IARegistry (19-Oct-2007) Spiritdomains/IARegistry
(19-Feb-2008)
Register.com (07-Feb-2008) Register.com
(07-Feb-2008)
IARegistry/Spiritdomains
(07-Feb-2008)
Register.com
(23-Feb-2008) Register.com (25-Feb-2008)
Spiritdomains/IARegistry (27-Feb-2008) Register.com (25-Feb-2008)
Register.com (27-Feb-2008)
KEY-SYSTEMS GMBH (Imena.ua) (07-mar-2008)
Spiritdomains/IARegistry (07-Mar-2008) Register.com (07-Mar-2008)
KEY-SYSTEMS GMBH (Imena.ua) (04-mar-2008) KEY-SYSTEMS GMBH (Imena.ua)
(11-mar-2008)
INTERNET INVEST, INC. DBA IMENA.UA (28-Mar-2008)
Spiritdomains/IA Registry (28-Mar-2008)
REGISTER.COM, INC. (28-Mar-2008)
INTERNET INVEST, INC. DBA IMENA.UA (29-Mar-2008)
REGISTER.COM, INC. (03-Apr-2008) Spiritdomains/IA Registry (03-Apr-2008)
REGISTER.COM, INC. (07-Apr-2008)
Please notify me of any errors or domains not listed here.
Notes
for Registrars
i) The Newman, Esmond & Eisenberg criminal uses his
own nameserver
domains
to control his zombie botnets or provide his DNS. By definition there
can be no legitimate
domains using his dedicated botnet nameservers & his
conventional nameserver domains are always very recently registered.
This
provides an ideal database search option for you to identify and delete
all of this criminal's fraud domains without
any risk of hurting an innocent domain. All of the criminal's botnet
nameservers are - ns1.mmbopc.com, ns1.iwarzone.com, ns1.bonoxc.com, ns1.walillc.com,
ns1.uneedmc.com, ns1.callsroar.com, ns1.book-xm.com
ii)
The criminal's domains have different false
whois registration data.
iii) The criminal will not respond to your challenge but will use the
notice to prepare a new network -
immediate suspension is preferred, please.The
Spam Content
The Newman,
Esmond & Eisenberg spam headers contain many
different forged/bogus 'From' &
'Return Path' addresses & various forged 'Receive' lines. The
subject lines vary & all indicate that there is a job
opportunity to be had. There is - an illegal job as a money laundering
'mule' or transfer fraud victim, i.e. accepting stolen or counterfeit
proceeds into your account and forwarding it on via Western Union or
Moneygram for a percentage cut. Needless to say it is these mules that
will probably feel the full weight of the law while the remote money
launderers are safe. The bogus or stolen funds in the mules account may
well also be recovered, leaving them with large losses.
This is the content of an actual Newman, Esmond & Eisenberg
scam spam:
Newman,
Esmond, & Eisenberg LLP is a Berne-based law firm providing
legal services to a diverse group of clients in a wide array of
domestic and global business transactions and litigation matters. Our
clients include privately and publicly held companies, financial
institutions, not-for-profit organizations and high net worth
individuals. Our client base reflects virtually every business
industry, including a number of Fortune 100 companies.
Our company has a current opening for a part-time position of a
Customer Service Associate. Join a team of professionals dedicated to
the international growth, brand recognition, and successful partnering
with clients to achieve exceptional expansion.
This is a part time job position, that enquires 1-2 hours a day to be
dealt with. The candidate will be responsible for dealing with the
customer payments in his local area; this will include: monitoring the
payments to arrive on his banking account, making calculations
regarding each payment, transmitting the payments further to the
regional business partners, associates and branches by the means of
Western Union or Money Gram services and being in an interactive
communication with the headquaters continiously.
The successful
applicant will have computer literacy coupled with the ability to
communicate at a good level and will enjoy being flexible, enthsiastic
and driven.
The applicant can
expect a part-time working agreement to be signed up after the trial
period is over. The employee is paid on a regular basis in the end of
every month, as well as he gets a 10% commission out of each customer
payment he has dealt with.
The main aim of the
role is to attract new customers by offering them the high-speed
delivery of their orders and to fasten customer payment delivery by
prompt collection of their payments.
In NEE LLP we believe,
that career is more than a job. It's about skills training. Competitive
salaries. Flexible scheduling. Comprehensive benefits. Job
satisfaction. At NEE LLP, we offer all this and more. Because we want
to help you enjoy your work… and your life.
If you feel interested in a position, please visit our
web-site to apply now!
If you have any questions, please do not hesitate to contact us.
Please consider, this is not a spam distribution. Your contact details
were kindly put into our disposal by our partners: www.monster.com and
www.careerbuilder.com.
We are looking to
hearing from you asap,
Yours sincerely, Jayson Sanders
Note
the usual Bayesian filter
avoidance 'code', commonly used by these criminals and the 'rockphish'
scammers alike. It's normally in 'whitetext' so it's invisible, but
here I've greyed it in.
Searching for neegl.org A record at m.root-servers.net
[202.12.27.33]: Got referral to C0.ORG.AFILIAS-NST.INFO. (zone: org.)
[took 139 ms]
Searching for neegl.org A record at C0.ORG.AFILIAS-NST.INFO.
[199.19.53.1]: Got referral to ns2.biosigndata.com. (zone: neegl.org.)
[took 67 ms]
Searching for neegl.org A record at ns2.biosigndata.com.
[212.78.44.91]: Timed out. Trying again.
Searching for neegl.org A record at ns2.biosigndata.com.
[212.78.44.91]: Timed out. Trying again.
Searching for neegl.org A record at ns1.biosigndata.com.
[194.169.192.131]: Reports neegl.org. [took 138 ms]
Response:
Domain
Type
Class
TTL
Answer
neegl.org.
A
IN
1800
89.136.146.112
neegl.org.
A
IN
1800
89.178.108.90
neegl.org.
A
IN
1800
91.196.44.203
neegl.org.
A
IN
1800
79.114.92.75
neegl.org.
A
IN
1800
82.37.145.218
neegl.org.
A
IN
1800
86.123.247.45
neegl.org.
A
IN
1800
89.33.91.15
neegl.org.
NS
IN
1800
ns2.biosigndata.com.
neegl.org.
NS
IN
1800
ns1.biosigndata.com.
ns1.biosigndata.com.
A
IN
1800
194.169.192.131
ns2.biosigndata.com.
A
IN
1800
212.78.44.91
Looking up at the 2 neegl.org. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A'
Records (Zombie Site Host IPs)
The data
shows a standard 7-IP site hosting zombie botnet where the
nameserver ns1.biosigndata.com hosted by Funke Internet Services Ltd.
on
IP 194.169.192.131 is acting as a zombie botnet controller
'herding'
the rotating zombies, (as determined by RDNS), in the 'A' records list
which are hosting the fraud site (as determined by TRACERT). These
criminals are
experienced liars, thieves and professional confidence
tricksters. Do not be
fooled - do
not believe them. The evidence of criminal fraud is undeniable.
I'd
like to thank the many honest & ethical hosts who have
disconnected
these fraudsters within an hour of receiving an abuse report, (several
in c. 20 minutes). However, the zombie botnet controlling nameservers
seem to be occasionally hosted by Colocation/VPS service providers who
do not respond to criminal fraud abuse reports. The honest &
ethical SPs will respond with an immediate, (preferably not 24 hours or
48 hours & certainly not never...), disconnection on receipt of
a
criminal abuse
report,
having considered the evidence below & investigated, but more
and
more
frequently service providers stall or simply ignore abuse reports.
This latter minority of uncaring & unethical hosts are aiding
and
abetting criminal fraud
and
the victims suffer because of it. Blocking
The spam
I
have had quite a few queries about how to block the criminal's spam in
Outlook Express. Fortunately they are easily detected using the OE
'Mail Rules' (Tools - Message Rules - Mail).
Rules based on the
From, To etc addresses will never work as the header data is all
forged. The message body remains constant, however & that can
be
used to detect them.
Use the rule "Where the message body
contains specific words" and use "Newman, Esmond,
& Eisenberg"
as
the search item then choose 'delete' (or whatever action you prefer) as
the action then that will definitely detect every single one of these
spams.
If
you find this site helpful then please feel free to link to it on your
website by inserting the following HTML code, (opens site in new
window): <a
href="http://www.bobbear.co.uk" target="_blank">Money
Laundering Fraud Websites</a>Fraud
BlogInitial
entry 21st. February 2008 ***Latest News*** - 23rd.
February 2008
The
criminal has had his nameserver domain suspended by Spiritdomains. His
new one is TOTDCOM.COM. His botnet is still located
on the Funke Internet Services Ltd.
IP 194.169.192.131
They have
not responded to an abuse report.
Searching for neei.la A record at e.root-servers.net
[192.203.230.10]: Got referral to NS0.CENTRALNIC.NET. (zone: la.)
Searching for neei.la A record at NS0.CENTRALNIC.NET.
[213.146.149.169]: Got referral to ns1.totdcom.com. (zone: neei.la.)
Searching for neei.la A record at ns1.totdcom.com. [194.169.192.131]:
Reports neei.la. Response:
Domain
Type
Class
TTL
Answer
neei.la.
A
IN
1800
89.137.200.165
neei.la.
A
IN
1800
62.231.91.77
neei.la.
A
IN
1800
79.114.90.75
neei.la.
A
IN
1800
79.114.221.130
neei.la.
A
IN
1800
82.79.233.221
neei.la.
A
IN
1800
84.108.239.70
neei.la.
A
IN
1800
89.43.205.130
neei.la.
NS
IN
1800
ns2.totdcom.com.
neei.la.
NS
IN
1800
ns1.totdcom.com.
ns1.totdcom.com.
A
IN
1800
194.169.192.131
ns2.totdcom.com.
A
IN
1800
67.74.18.77
Looking up at the 2 neei.la. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A'
Records (Zombie Site Host IPs)
The data shows a
standard 7-IP site hosting zombie
botnet where the nameserver ns1.totdcom.com hosted by Funke
Internet Services Ltd. on IP 194.169.192.131 is acting as a zombie
botnet controller 'herding' the rotating zombies, (as determined by
RDNS), in the 'A' records list which are hosting the fraud site (as
determined by TRACERT). ***Latest News*** - 25th.
February 2008 Information
supplied by site contact -
The
criminal has already had his nameserver domain totdcom.com suspended by
Spiritdomains and is now using a new one - my-cpm.com
registered with
Register.com.
DNS data: (neegl.org, neemi.tl,
eisllpc.tl)
The data shows a
standard 7-IP site hosting zombie
botnet where the nameserver ns1.my-cpm.com hosted by Funke
Internet Services Ltd. on IP 194.169.192.131, (notified of abuse 22nd.
Feb - no response to date), is acting as a zombie
botnet controller 'herding' the rotating zombies, (as determined by
RDNS), in the 'A' records list which are hosting the fraud site (as
determined by TRACERT).
The
criminal has also drafted into service his zombie botnets that he used
for his Waller Truck fraud using nameserver
domains regtoo.com and iprintworld.com along with new main domains neegl.com (Spiritdomains,
ns1.iprintworld.com), neellp.com (Spiritdomains,
ns1.regtoo.com), and neellp.net (Spiritdomains,
ns1.regtoo.com). Both zombie botnets are hosted on a SoftLayer Technologies Inc. (vpswelcome.com) IP (74.86.253.100).
DNS Data:
(neegl.com) Looking up at the 2
neegl.com. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A'
Records (Zombie Site Host IPs)
The data shows a
standard 7-IP site hosting zombie
botnet where the nameserver ns1.iprintworld.com hosted by SoftLayer
Technologies Inc. (vpswelcome.com) on IP 74.86.253.100 is acting as a zombie
botnet controller 'herding' the rotating zombies, (as determined by
RDNS), in the 'A' records list which are hosting the fraud site (as
determined by TRACERT).
DNS Data: (neellp.com,
neellp.net) Looking
up at the 2 neellp.com. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A'
Records (Zombie Site Host IPs)
The data
shows a standard 7-IP site hosting zombie
botnet where the nameserver ns1.regtoo.com hosted by SoftLayer
Technologies Inc. (vpswelcome.com) on IP 74.86.253.100 is acting as a
zombie
botnet controller 'herding' the rotating zombies, (as determined by
RDNS), in the 'A' records list which are hosting the fraud site (as
determined by TRACERT). ***Latest News*** - 26th.
February 2008 Response
from Funke Internet Services - hosting of ns1.my-cpm.com
[194.169.192.131] has
been ceased. ***Latest News*** - 27th.
February 2008
Nameserver domain my-cpm.com has been suspended by Register.com and has
been replaced by form-cm.com
(Register.com - 23-Feb-2008)
New zombie botnet DNS data: (neegl.org, neemi.tl,
eisllpc.tl)
Looking up at the 2 eisllpc.tl. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A'
Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie
botnet where the nameserver ns1.form-cm.com hosted by Network
Operations Center Inc., (BurstNET Technologies, Inc.™), on IP
64.191.119.197 is acting as a zombie botnet controller 'herding' the
rotating zombies, (as determined by RDNS), in the 'A' records list
which are hosting the fraud site (as determined by TRACERT). Later -
Domain regtoo.com
suspended
New Botnet DNS Data:(neellp.org):
Looking up at the 2 neellp.org parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A'
Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie
botnet where the nameserver ns1.alkgrp.com hosted by Globale
Internet InfoAccess (vexxhost.com) on IP 65.38.67.37 is acting
as
a zombie botnet controller 'herding' the
rotating zombies, (as determined by RDNS), in the 'A' records list
which are hosting the fraud site (as determined by TRACERT).
DNS
Data:
(neer.la) Looking up at the 2 neer.la parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A'
Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie
botnet where the nameserver ns1.iprintworld.com hosted by
PF-Pintiliescu-Paul (Maxnet.ro) on IP 89.33.8.17 is acting as
a
zombie botnet controller 'herding' the rotating zombies, (as determined
by RDNS), in the 'A' records list which are hosting the fraud site (as
determined by TRACERT). Later:
The criminal has had his Burst.net botnet disconnected... New details:
DNS Data (neegl.org, neemi.tl,
eisllpc.tl)
Looking up at the 2 eisllpc.tl. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A'
Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie
botnet where the nameserver ns1.form-cm.com hosted by Cogentco.com,
(Performance Systems International Inc.) on IP 38.103.164.11
is
acting as a zombie botnet controller 'herding' the rotating zombies,
(as determined by RDNS), in the 'A' records list which are hosting the
fraud site (as determined by TRACERT).
I see that they are back
with a regular supplier of services to these criminals, Cogentco.com,
(Performance Systems International Inc.) on IP 38.103.164.11 Later
- The crook seems to be hopping about with his botnet hosting, I wonder
if this is a new tactic - he's now with yet another of his regulars -
Net Access Corporation:
DNS Data (neemi.tl,
eisllpc.tl, neeg.la)
Looking up at the 2 eisllpc.tl. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A'
Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie
botnet where the nameserver ns1.form-cm.com hosted by Net Access
Corporation (Moxiehosting) on IP 64.21.48.156 is acting as a zombie
botnet controller 'herding' the rotating zombies, (as determined by
RDNS), in the 'A' records list which are hosting the fraud site (as
determined by TRACERT). ***Latest News*** - 28th.
February 2008
New domain reported by site contact - neer.la - hosted on
PF-Pintiliescu-Paul (Maxnet.ro) zombie botnet.
New domain reported by site contact - neellp.org - hosted
on Globale Internet InfoAccess (vexxhost.com) zombie botnet.
New domain spotted in the wild - neeg.la
- hosted on the Net Access
Corporation (Moxiehosting) zombie botnet.
