Pacific Corporation Fraud

Don't Bear Internet Fraud

Pacific Corporation website screenshot (21-Jan-2009)

Pacific Corporation stolen website screenshot (21-Jan-2009)

If you've either received an active website link in a Pacific Corporation fraud spam, or know of an active domain and it is not listed in the domain tables below, then please let us know by reporting it using the 'Report Active Domain' option in the title bar above. Copies of spam are welcome.

This Pacific Corporation criminal fraud website should not be confused with any other company with the same or similar name. The above screenshot and the following evidence defines this criminal alone.

Pacific Corporation is another fraud from the money laundering department of the well known 'Rockphish/Asprox' phishing criminals. It is the clear replacement zombie botnet hosted fraud for the Cash-Transfers Inc. criminal fraudster and passive DNS data shows that this fraud site is hosted on the same zombies that are hosting other Rockphish criminal fraudsters such as Bullet Motorsports Speedlab (BMS). The fact that it is zombie botnet hosted is absolute evidence of criminal fraud as no legitimate site is botnet hosted, but there is plenty of other evidence of fraud such as the fact that they claim "Todd Stern joined Pacific Corporation in May 2004" yet their domain pac-corp.st was only registered on 12-Jan-2009 and his maildrop domain pac-corp.com was only registered with Enom on 10-Jan-2009. A Google search for "Todd Stern joined" also links these crooks to the Optimus Inc., Global Union Inc., Transfex Inc. and WorldTrans Inc. frauds to name but a few.

Current Zombie Botnet Controller Hosts

Rcp.net/Velcom - ns1.suptertools.net [206.53.55.49] - Notified 26-Jan-2009

The above table shows the current providers of zombie botnet hosting services to the criminals and how long they have been providing them for. The decent ethical majority of service providers, (all credit to them - they are a pleasure to deal with), act within 1-24 hours of being informed of the criminal abuse of their system, (the best in less than 1 hour), but there are unfortunately some that, for whatever reason, do not. Any hosting company that remains in the above list for more than 48 hours has unfortunately not responded to abuse reports and may possibly be a 'blackhat' or even a criminal controlled host.

If you are an abuse team that has taken action, please let me know so that I may remove the above record and update the data.

Pacific Corporation : Evidence of Site Theft and Criminal Fraud

N.B. - Information correct at 21-Jan-2009 - Check tables and ***Latest News*** items for domain and hosting updates.

i) The Pacific Corporation fraud website is hosted on a five-IP 'fastflux' zombie botnet as evidenced below - No legitimate company would use a zombie botnet to host their website - irrefutable evidence of criminality.

ii) Passive DNS data research on the zombies hosting the site show that the same zombies are used to host the Bullet Motorsports Speedlab (BMS) website, the Duty Free Shopping fraudsters, attack URLs and 'phishing' URLs.

iii) A Google search for "Pacific Corporation" returns several companies of that name, but not these criminals - they have absolutely no web presence.

iv) This statement on their 'About Us' page: "Having been in business for only 17 months, our speed of growth is accelerating virtually day by day." is in complete contradiction to this statement "Todd Stern joined Pacific Corporation in May 2004" on their 'How' page

v) You'll notice that some of the bio's on their 'How' page mistakenly refer to the company as one of the crook's previous aliases, FranklinCo Inc.

vi) Fake contact details from the website:

423 Harvard Ave.,
E. Seattle, WA 98102
Telephone: +1 509 695 3741
FAX: +1 509 695 3741
E-mail: info@pac-corp.com

• - The address 423 Harvard Ave., E. Seattle does not exist - a USPS zipcode check returns the error message "The address you provided is not recognized by the US Postal Service as an address we serve. Mail sent to this address may be returned" - clear evidence of fraud - check for yourself.
• - The telephone number +1 509 695 3741 is located in Spokane, 200 miles from Seattle - Clear evidence of fraud - check for yourself.
The above evidence clearly demonstrates that the above location details are fake.

vii) A websearch of the Washington State Company Register shows that this particular "Pacific Corporation" company, (not to be confused with a different company of the same or similar name), is not registered in the state of WA - clear & irrefutable evidence of a fake company. Check for yourself.

The above irrefutable evidence clearly demonstrates beyond any doubt that the Pacific Corporation website is a fake website that has been set up by criminals purely for the purpose of deception and fraud. If you are an abuse team that has received an abuse report regarding these fraudsters, please consider immediate termination of their services in view of the absolutely undeniable evidence of criminality - please don't delay - these criminals will not respond to any communication from you, (all their whois data is false), but will simply take advantage of any attempt at communication as a delaying tactic to allow them time to carry on their criminal activity and prepare their next network.

Do not be misled - these are professional criminals with a long history of fraud as detailed on the General Information page and are the same criminals as the 'Rockphish/Asprox' phishing fraudsters, so if a host or registrar shelters these crooks then they are also sheltering the 'Rockphish/Asprox' phishing fraudsters and aiding and abetting their criminal 'phishing' fraud activities.

Fraud Domains

Domain

pac-corp.st
pac-corp.com (maildrop domain)

Criminal Registered Nameserver Domains

checkpoypsi.net
grandpris.net
windersfoot.com
suptertools.net

Status

Active
Suspended

Parked
Parked
Parked
Suspended

Registrar

ST Registry - 12-Jan-2009
Enom 10-Jan-2009

REGISTER.COM, INC. 07-Jan-2009
REGISTER.COM, INC. 03-Dec-2009
REGISTER.COM, INC. 17-Jan-2009
GANDI SAS 27-Jan-2009

N.B. - The Enom registered maildrop domain pac-corp.com appears in the criminal's contact details on his fake website.

Please notify me of any domains not listed here.

Notes for Registrars

i) The Pacific Corporation criminal uses his own nameserver domains to control his zombie botnets or provide his DNS. By definition there can be no legitimate domains using his dedicated botnet nameservers & his conventional nameserver domains are always very recently registered. This provides an ideal database search option for you to identify and delete all of this criminal's fraud domains without any risk of hurting an innocent domain. The criminal's current botnet nameserver(s) are: ns1.windersfoot.com

ii) The criminal's domains have different false whois registration data.

iii) The criminal will not respond to your challenge but will use the notice to prepare a new network - immediate suspension is requested, please.

The Zombie Botnet DNS Data (Valid for domain pac-corp.st)

Looking up at the 2 pac-corp.st. parent servers:

Zombie Botnet Nameserver	Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.checkpoypsi.net [74.63.224.230]	69.154.241.108 76.212.225.70 81.104.238.159 84.121.121.129 99.145.182.20
ns2.checkpoypsi.net [33.222.17.16]	Timeout - Fake nameserver, (never resolves).

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.checkpoypsi.net hosted by Limestone Networks, Inc. on IP address 74.63.224.230 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT/NSLOOKUP). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.

These criminals are experienced liars, thieves and professional confidence tricksters. Do not be fooled - do not believe them. The evidence of criminal fraud is undeniable. I'd like to thank the many honest & ethical hosts and registrars who have disconnected/suspended these fraudsters within an hour of receiving an abuse report, (several in c. 20 minutes). However, the zombie botnet controlling nameservers seem to be occasionally hosted by Colocation/VPS service providers who do not respond to criminal fraud abuse reports. The honest & ethical SPs will respond with an immediate, (preferably not 24 hours or 48 hours & certainly not never...), disconnection on receipt of a criminal abuse report, having considered the evidence, but more and more frequently service providers stall or simply ignore abuse reports. This latter minority of uncaring & unethical hosts and registrars are aiding and abetting criminal fraud and the victims suffer because of it.

***Latest News*** Initial entry 21st. January 2009
Thanks to Frank Bear for the 'heads-up' on this one.

***Latest News*** 22nd. January 2009
Limestone Networks have null-routed the above botnet and the crook is immediately back up on a NOC4Hosts hosted botnet:
The Zombie Botnet DNS Data (Valid for domain pac-corp.st)
Looking up at the 2 pac-corp.st. parent servers:

Zombie Botnet Nameserver	Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.checkpoypsi.net. [74.50.127.65]	98.217.125.105 69.154.241.108 71.227.123.55 84.121.121.117 89.136.81.252
ns2.checkpoypsi.net [33.222.17.16]	Timeout - Fake nameserver, (never resolves).

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.checkpoypsi.net hosted by NOC4Hosts Inc. on IP address 74.50.127.65 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT/NSLOOKUP). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.

***Latest News*** 23rd. January 2009
NOC4Hosts/HiVelocity have null routed the above botnet and the criminal is back up on a UK Dedicated Servers Ltd/CONNECT SWITCH LIMITED IP RANGE 6 IP:
The Zombie Botnet DNS Data (Valid for domain pac-corp.st)
Looking up at the 2 pac-corp.st. parent servers:

Zombie Botnet Nameserver	Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.checkpoypsi.net [94.229.64.119]	67.191.9.146 71.227.123.55 84.121.126.91 88.177.171.15 89.136.81.252
ns2.checkpoypsi.net [33.222.17.16]	Timeout - Fake nameserver, (never resolves).

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.checkpoypsi.net hosted by UK Dedicated Servers Ltd/CONNECT SWITCH LIMITED IP RANGE 6 on IP address 94.229.64.119 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT/NSLOOKUP). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.
Later: The UK Dedicated Servers Ltd/CONNECT SWITCH LIMITED IP RANGE 6 hosted botnet has been terminated.

***Latest News*** 25th. January 2009
The UK Dedicated Servers Ltd/CONNECT SWITCH LIMITED IP RANGE 6 botnet has been disconnected and the criminal is up on a new Rcp.net/Velcom IP address:
The Zombie Botnet DNS Data (Valid for domain pac-corp.st)
Looking up at the 2 pac-corp.st. parent servers:

Zombie Botnet Nameserver	Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.checkpoypsi.net [206.53.55.49]	67.191.9.146 68.72.138.206 71.194.79.158 81.203.94.197 98.217.125.105
ns2.checkpoypsi.net [33.222.17.16]	Timeout - Fake nameserver, (never resolves).

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.checkpoypsi.net hosted by Rcp.net/Velcom on IP address 206.53.55.49 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT/NSLOOKUP). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.
Later: - The nameserver domain checkpoypsi.net has been parked by Register.com which has had the effect of parking the main domain pac-corp.st.

***Latest News*** 26th. January 2009
News from Frank Bear: The criminal has slotted in a new nameserver domain grandpris.net - the new botnet details are as follows:
Looking up at the 2 pac-corp.st. parent servers:

Zombie Botnet Nameserver	Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.grandpris.net [206.53.55.49]	65.91.73.62 76.226.52.208 84.121.116.50 88.177.171.15 89.103.102.175
ns2.grandpris.net [72.14.212.131]	Timeout - Fake nameserver, (never resolves).

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.grandpris.net hosted by Rcp.net/Velcom on IP address 206.53.55.49 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT/NSLOOKUP). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.
Later: Somebody is busy - the crooks nameserver domain grandpris.net also now appears to have been parked.

***Latest News*** 27th. January 2009
Info. from Frank Bear - the nameserver domain grandpris.net has been parked and the crooks have slotted in the domain windersfoot.com (Register.com; Jan 17, 2009):
The Zombie Botnet DNS Data (Valid for domain pac-corp.st)
Looking up at the 2 pac-corp.st. parent servers:

Zombie Botnet Nameserver	Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.windersfoot.com [206.53.55.49]	24.136.214.48 72.253.177.150 76.11.157.39 84.121.116.50 98.217.125.105
ns2.windersfoot.com [71.25.19.23]	Timeout - Fake nameserver, (never resolves).

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.windersfoot.com hosted by Rcp.net/Velcom on IP address 206.53.55.49 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT/NSLOOKUP). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.

***Latest News*** 28th. January 2009
News from Frank Bear - the nameserver domain has been parked by the registrar and they crooks have slotted in a new one, (suptertools.net - Gandi SAS):
The Zombie Botnet DNS Data (Valid for domain pac-corp.st)
Looking up at the 2 pac-corp.st. parent servers:

Server	Response
ns1.suptertools.net [206.53.55.49]	173.29.244.170 72.253.177.150 75.34.43.192 76.123.156.63 98.217.125.105
ns2.suptertools.net [89.125.34.81]	Timeout

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.suptertools.net (Gandi SAS) hosted by Rcp.net/Velcom on IP address 206.53.55.49 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT/NSLOOKUP). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.

***Latest News*** 21st. February 2009

News from Frank Bear - the nameserver domain suptertools.net has been suspended by Gandi SAS. The maildrop domain pac-corp.com has also been suspended by Enom. No action has been taken by ST Registry against pac-corp.st, but the domain is not resolving due to the nameserver having been suspended - please notify me of any avtive domains for this criminal.