Harvey Investment Company is an identical money laundering/money transfer fraud to the Adamant Global and Sydney Car Centre frauds - exactly the same modus operandi as SCC, i.e. a stolen Harvey Investment website offering an illegal 'Customer Service Associate/Representative' so-called 'job' as a money laundering mule/transfer fraud victim and generally hosting the stolen website using a zombie botnet, unfortunately more and more frequently with a host such as Convergent Network Services, (aka Ironcolo.com), who don't respond to abuse reports & thus apparently have no problem with hosting thieves and fraudsters or zombie botnets. (They also hosted the Sydney Car Centre and Aegis Capital criminals without response).

The domains harveyinvestment.net & harveyinvest.com used the Yahoo 'Small Business' network as seen before with Sydney Car Centre but they were quickly terminated.

This time the bogus Harvey Investment site is stolen from a genuine Harvey Investment Company. This is the fake site: http://hinv.cc/, (many other domains used), and this is the genuine site that has nothing to do with the fraudsters: http://www.harveyinvestment.com/
__________________________________________________________________________________________________________________________
Harvey Investment Fraudsters - current hosting details [Updated 01/10/2007]

Current Zombie Botnet Hosts
Convergent Network Services aka Ironcolo.com, Hicksville, NY. (ns1.star-cy.com [206.71.145.83]) since 16/09/2007 and Sydney Car Centre criminals before that and Aegis Capital before that.
Secured Private Network, Santa Ana, CA. (ns1.mmnhome.com [66.212.16.212]) since 14/09/2007

No response from the above criminal's service providers to numerous abuse reports and no response from their upstream provider, Global Crossing.
Convergent Network Services Botnet Hosting ceased 10th. October 2007
Secured Private Network Botnet ceased 7th. October 2007

Please notify me of any errors or required amendments to this running list.
No abuse report response or action from Register.com.
See table below for the full list of known nameserver domains for this criminal.
__________________________________________________________________________________________________________________________
Evidence of Criminal Fraud
i) The Harvey Investment fraudsters have stolen the website and the identity of the genuine 'Harvey Investment Company' for their bogus site & not bothered to disguise it - their fake site is an obvious clone of the above genuine site.
ii) The genuine Harvey Investment Company have a clear warning about these fraudsters on the home page of their website - the fake Harvey Investment site does not.
iii) The fake Harvey Investment site has a bogus address for the company of 32 Route Francois-Peyrot, Geneva, 1218 Switzerland. The genuine company is located in Louisville, Kentucky, USA.
iv) The fake Harvey Investment site has a 'Job' tab in the menu, the genuine site does not as there is no such genuine job on offer from the real Harvey Investment Company.
v) The fraudster uses a multiplicity of recently registered domains, often registered with various different registrars & all with different false whois data. (Listed below)
vi) The Harvey Investment spam contains the same Bayesian filter avoidance whitetext 'code' as used in the Sydney Car Centre and Adamant Global spams and also in the same criminal's 'rockphish' phishing spams.
vii) The fraudster uses the usual zombie botnet of infected end user machines to host his site and distribute his spam - details below. Two domains, (harveyinvestment.net & harveyinvest.com), use the Yahoo 'small business' network as did two of the Sydney Car Centre domains.
viii) The fraudster offers one 'job' of 'Customer Service Associate/Representative'. Details of the 'job' taken directly from the stolen bogus Harvey Investment website include:
* Provides the company management with an appropriate bank account
* Accepts customer bank payments
* Makes certain calculations
* Visits the bank regularly to collect customer transactions
* Deducts the 10% interest for the service granted
* Additionally deducts the related charges
* Completes transfers via Western Union/Money Gram pay systems to the regional departments of the company
In other words acceptance of counterfeit or criminal proceeds into your personal bank account and forwarding it on to these crooks via Western Union or MoneyGram - that is clearly just another money transfer scam/money laundering mule job, i.e. criminal fraud.
ix) Forged email headers - 'From' & 'Return To' addresses are all different random forged addresses.
x) The source IPs show that a zombie botnet is also used to distribute the spam.

Do not be fooled by their stolen website - these are professional criminals with a long history of fraud as detailed on the General Information page and are the same criminals as the 'rockphish' phishing fraudsters, so if a host or registrar shelters these crooks then they are also sheltering them.
__________________________________________________________________________________________________________________________
The Spam Headers
Needless to say these are the headers from an actual received Harvey Investment spam.
Return-Path: <andrew.byrd791@punkass.com>
Received: from mwinf3202.me.freeserve.com (mwinf3202.me.freeserve.com)
    by mwinb3406 (SMTP Server) with LMTP;
    Tue, 04 Sep 2007 07:28:47 +0200
X-Sieve: Server Sieve 2.2
Envelope-to: xxxxx@xxxxx.freeserve.co.uk
Received: from me-wanadoo.net (localhost [127.0.0.1])
    by mwinf3202.me.freeserve.com (SMTP Server) with ESMTP id xxxxxxxxxxxx
    for <xxxx@xxxxx.freeserve.co.uk>; Tue, 4 Sep 2007 07:28:47 +0200 (CEST)
Received: from 80.178.70.43.adsl.012.net.il (80.178.70.43.adsl.012.net.il [80.178.70.43])
    by mwinf3202.me.freeserve.com (SMTP Server) with SMTP id xxxxxxxxxxxxx
    for <xxxx@xxxxx.freeserve.co.uk>; Tue, 4 Sep 2007 07:28:45 +0200 (CEST)
X-ME-UUID: xxxxxxxxxxxxxx.xxxxxxx@mwinf3202.me.freeserve.com
Received: from astral.australiamail.com (unknown [40.243.248.32])
    by cash-traffic.com with SMTP id HHWA9V8WRW
    for <xxxx@xxxxx.freeserve.co.uk>; Mon, 03 Sep 2007 22:28:43 -0800
From: "Harvey Investment Company" <Andrew.Byrd791@punkass.com>
To: "xxxxx" <xxxx@xxxxxx.freeserve.co.uk>
Subject: please, get acquainted with our vacancies and you will be our employee with a high payment! [letter id: xxxxxxxxxx]
X-Kaspersky-Antivirus: passed
User-Agent: PObox II beta1.0
X-Mailer: PObox II beta1.0
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--JVZYN1A00Z9IVS_Z4NP1W65"
Message-Id: <xxxxxxxxx.xxxxxxxxx@mwinf3202.me.freeserve.com>
Date: Tue, 4 Sep 2007 07:28:45 +0200 (CEST)
X-me-spamlevel: med
X-me-spamrating: 94.966269
X-Antivirus: AVG for E-mail 7.5.485 [269.13.2/985]

Recipient & message id ONLY munged.
The first thing to notice is the spam source IP. Reading from the bottom upwards, (as is the norm when parsing headers), the first of the two Received lines, (the one claiming receipt by cash-traffic.com, marked red in the original), can be rejected as unsafe, almost certainly forged. The actual trusted source IP that cannot be forged is the one received by the recipient's email provider (Freeserve) and that is in this line (marked green in the original):

Received: from 80.178.70.43.adsl.012.net.il (80.178.70.43.adsl.012.net.il [80.178.70.43])

In this Received line the source IP address is 80.178.70.43, the reverse DNS (RDNS) for which is correctly indicated as 80.178.70.43.adsl.012.net.il, which confirms that the source address is genuine.

In the above RDNS sender identity note the letters adsl. These stand for Asymmetric Digital Subscriber Line and tell you that the spam has come from an end user's computer on an ADSL network in Tel Aviv, (from the whois data for the IP address).

"Well", you say, "there's your criminal". Unfortunately not - he or she may be guilty of criminal stupidity by not having a firewall or clicking on the latest nude pictures of Britney Spears, but unfortunately not criminal fraud - he/she is just one of tens of thousands of 'zombies' - computers that have been infected with a zombie virus or worm. What it does tell you is that the Harvey Investment spammer uses a zombie botnet both to host his site and distribute his spam in exactly the same way as Sydney Car Centre, Adamant Global and all the rest of these criminals.

Lastly, andrew.byrd791[at]punkass.com is not "Harvey Investment Company" - this is just another forged email address which may or may not actually exist.

Incidentally, never 'bounce' spam back to the 'sender' as it only bounces back to a forged address which, if real, will only belong to an innocent third party who will understandably be a little upset with you, and if you do it a lot you could get your ISP's SMTP IP range blacklisted and they will be even more upset with you & could justifiably close your account.
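The bottom-up reading above can be automated. The script below is an added example (not the page's or the author's code) that walks the Received chain of the spam headers quoted above, newest hop first, finds the hop at which the recipient's own provider accepted the message from outside, and reports the peer IP, whether its reverse DNS matches the announced name, and whether the reverse name carries an end-user marker such as 'adsl'. The list of trusted relays and the residential tokens are assumptions made here, not something the headers themselves state.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The Received chain of the Harvey Investment spam quoted on this page
# (recipient address and ids already munged there), newest hop first.
RAW_HEADERS = "\n".join([
    "Return-Path: <andrew.byrd791@punkass.com>",
    "Received: from mwinf3202.me.freeserve.com (mwinf3202.me.freeserve.com)",
    "    by mwinb3406 (SMTP Server) with LMTP;",
    "    Tue, 04 Sep 2007 07:28:47 +0200",
    "Received: from me-wanadoo.net (localhost [127.0.0.1])",
    "    by mwinf3202.me.freeserve.com (SMTP Server) with ESMTP id xxxxxxxxxxxx",
    "    for <xxxx@xxxxx.freeserve.co.uk>; Tue, 4 Sep 2007 07:28:47 +0200 (CEST)",
    "Received: from 80.178.70.43.adsl.012.net.il (80.178.70.43.adsl.012.net.il [80.178.70.43])",
    "    by mwinf3202.me.freeserve.com (SMTP Server) with SMTP id xxxxxxxxxxxxx",
    "    for <xxxx@xxxxx.freeserve.co.uk>; Tue, 4 Sep 2007 07:28:45 +0200 (CEST)",
    "Received: from astral.australiamail.com (unknown [40.243.248.32])",
    "    by cash-traffic.com with SMTP id HHWA9V8WRW",
    "    for <xxxx@xxxxx.freeserve.co.uk>; Mon, 03 Sep 2007 22:28:43 -0800",
    "From: \"Harvey Investment Company\" <Andrew.Byrd791@punkass.com>",
])

# Relays run by the recipient's own provider (an assumption read off the headers:
# the LMTP delivery host and the freeserve.com MX). Only lines these hosts wrote
# can be trusted; everything below the handover hop was supplied by the sender.
TRUSTED_RELAYS = ("mwinb3406", ".freeserve.com")

# Reverse-DNS labels that usually mark an end-user (broadband/dial-up) address.
RESIDENTIAL_TOKENS = ("adsl", "dsl", "dyn", "dynamic", "pool", "cable", "dial", "ppp")

RECEIVED_RE = re.compile(r"^Received:\s*from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


@dataclass
class Hop:
    helo: str            # name the sender announced in HELO/EHLO (easily faked)
    rdns: Optional[str]  # name the receiving relay looked up for the peer, if any
    ip: Optional[str]    # peer address as seen by the receiving relay
    by: str              # relay that wrote this Received line


def unfold(raw: str) -> List[str]:
    """Join RFC 5322 continuation lines (leading whitespace) onto their header."""
    out: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def parse_received(raw: str) -> List[Hop]:
    hops: List[Hop] = []
    for line in unfold(raw):
        m = RECEIVED_RE.match(line)
        if not m:
            continue
        helo, comment, by = m.group(1), m.group(2) or "", m.group(3)
        ipm = IP_RE.search(comment)
        rdns = comment.split()[0] if comment and not comment.startswith("[") else None
        if rdns == "unknown":      # receiver found no reverse record at all
            rdns = None
        hops.append(Hop(helo, rdns, ipm.group(1) if ipm else None, by))
    return hops


def is_trusted(host: str) -> bool:
    return any(host == r or host.endswith(r) for r in TRUSTED_RELAYS)


def find_handover(hops: List[Hop]) -> Tuple[Optional[Hop], List[Hop]]:
    """Walk newest to oldest. The first hop a trusted relay received from an
    outside peer is where the message entered the provider's network; every
    older hop was written by the sender and may be forged."""
    for i, hop in enumerate(hops):
        internal = is_trusted(hop.helo) or hop.ip in (None, "127.0.0.1")
        if is_trusted(hop.by) and not internal:
            return hop, hops[i + 1:]
    return None, hops


def analyse(raw: str) -> dict:
    handover, untrusted = find_handover(parse_received(raw))
    if handover is None:
        return {"source_ip": None}
    rdns = (handover.rdns or "").lower()
    return {
        "source_ip": handover.ip,
        "rdns": handover.rdns,
        "rdns_matches_helo": rdns == handover.helo.lower(),
        "looks_residential": any(t in rdns.split(".") for t in RESIDENTIAL_TOKENS),
        "untrusted_hops": len(untrusted),   # sender-supplied lines below the handover
    }


if __name__ == "__main__":
    print(analyse(RAW_HEADERS))
```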
__________________________________________________________________________________________________________________________
The Spam Content
The headers contain many different forged/bogus 'From' & 'Return Path' addresses & various forged 'Received' lines. The subject lines vary greatly, but include "Vacant position in the Harvey Investment Company", "Account manager vacant position in the Harvey Investment Company", "We'd like to offer you the vacant position" etc, etc & all indicate that there is a job opportunity to be had. There is - an illegal job as a money laundering 'mule' or transfer fraud victim, i.e. accepting stolen or counterfeit proceeds into your account and forwarding it on via Western Union or Moneygram for a percentage cut. Needless to say it is these mules that will probably feel the full weight of the law while the remote money launderers are safe. The bogus or stolen funds in the mule's account may well also be recovered, leaving them with large losses.

The spam link to the website is of the general form http://hinv.cc/ & the bogus job link from the spam is of the general form: http://hinv.cc/job.php where the domain hvinvt.li can be replaced by any of the active domains listed below.

The spam body is followed by the usual 'whitetext' Bayesian filter avoidance text, but in this case it seems to be a random section of code, exactly the same as in the Sydney Car Centre spams & the 'rockphish' spams. AFAIK it has no other significance, but if anyone knows better..

This is the content of an actual Harvey Investment spam with the Bayesian filter avoidance 'code' enhanced to grey:
__________________________________________________________________________________________________________________________
Join Harvey Investment Company team.

Our customized employment solutions and personalized approach give job seekers access to great opportunities with competitive salaries. Our company offers comprehensive benefits that allow making good money, without spending too much time for that. Don't put your career in the hands of just anyone; put it in the hands of a specialist. Launch or rejuvenate your career today with Harvey Investment Company and its subsidiaries are equal opportunity employers.

Today we are looking for customer service associates who share our command spirit and are looking to land an outstanding position with a company who has consistently been recognized on the national level for their work in the investment and securities area. We work tirelessly to build solid relationships with well-recognized organizations across the nation to learn about projects and opportunities.

Take a look at the job responsibilities and qualifications below and if you think you would be an asset to the team, we invite you to apply for the position.

Customer service associate is responsible for being in close touch with the staff from the head office, accepting customer payments to his bank account and making further calculations regarding them. The associate should deduct his 10% interest out of every transaction he is going to deal with, as well as all the related charges. The associate further makes a Western Union/MoneyGram transfer of the balance left to the company's regional department.

A position requires excellent customer service skills, employee's ability to manage time and accomplish duties with a minimum of supervision. Ideal candidate should possess 1-2 free hours a day, a bank account, available to be used for the company needs, should be outgoing, dedicated to meeting deadlines and objectives and able to follow procedures.

Whether you're interested in short-term temporary work or full-time permanent hire, we are confident that we have the right job for you. Apply today and let Harvey Investment Company help you realize your true potential.

For further, more detailed information, please visit our web site
The Zombie Botnet
The zombie botnet method of operation of these criminals is exactly the same as for all the other frauds listed above, the only difference is in the domains, nameserver domains & host IP:

Looking up the 2 hinvcy.li parent servers DNS details:

The above DNS data shows a nameserver ns1.goldenrg.com [206.71.145.83] acting as a zombie botnet controller referencing five 'zombie' IPs in the 'A' Record Response, (site host IPs), column on a rotating basis. The second nameserver is always a fake and never resolves. It is only needed to make up the requirement for a minimum of two nameservers as per RFCs.

The nameserver ns1.goldenrg.com is hosted on IP 206.71.145.83 by Convergent Network Services, (aka Ironcolo.com) who do not respond to reports of criminal activity and zombie botnet use involving their network.

Note that there are many main & nameserver domains registered & the host IP can change very frequently, (unless they find a 'criminal friendly' service provider), so the details that you see may be different to the above. See the 'Latest News' below for the latest domains & host IP.

See the 'General Information' page for more detailed information on a typical zombie botnet setup.
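As an added illustration of the pattern described in this section (my own code, not the page's or the author's), the script below takes the three lookups recorded in the Fraud Blog entries further down this page (30th. August, 1st. and 2nd. September 2007, ns1.modelnt.com and then ns1.modenm.com on 72.37.221.244) and reports the figures a defender would put in an abuse report: the controller IP stays fixed while the five host IPs never repeat and the second nameserver never answers. The Snapshot layout and the verdict thresholds are assumptions made here.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Snapshot:
    """One DNS lookup of a fraud domain: which nameserver answered and what it returned."""
    date: str
    primary_ns: str
    primary_ip: str            # where the controlling nameserver is hosted
    a_records: List[str]       # site host IPs handed out by the controller
    secondary_ns: str
    secondary_result: str      # an answer, or the failure the lookup reported


# The three lookups recorded in the Fraud Blog entries on this page.
SNAPSHOTS = [
    Snapshot("2007-08-30", "ns1.modelnt.com", "72.37.221.244",
             ["59.94.188.103", "59.95.19.146", "68.252.248.139", "74.75.129.227", "79.12.79.197"],
             "ns2.modelnt.com", "Port Unreachable"),
    Snapshot("2007-09-01", "ns1.modelnt.com", "72.37.221.244",
             ["217.236.207.185", "80.137.199.123", "80.143.114.110", "84.149.119.24", "89.136.81.176"],
             "ns2.modelnt.com", "Timeout"),
    Snapshot("2007-09-02", "ns1.modenm.com", "72.37.221.244",
             ["64.131.248.155", "82.37.182.165", "86.124.215.42", "89.123.32.148", "89.34.251.144"],
             "ns2.modenm.com", "Timeout"),
]

# Results that mean the secondary nameserver is a placeholder that never resolves.
DEAD_RESULTS = ("timeout", "port unreachable")


def triage(snaps: List[Snapshot]) -> Dict[str, object]:
    """Separate the stable controller from the churning host pool.

    A legitimately hosted site keeps its A records between lookups; a site
    served from a zombie botnet hands out a fresh set of unrelated end-user
    addresses each time while the nameserver IP, the part the criminal pays
    a host for, stays put."""
    controllers = sorted({s.primary_ip for s in snaps})
    seen = [ip for s in snaps for ip in s.a_records]
    distinct = set(seen)
    # host IPs carried over between consecutive lookups; a rotating pool carries none
    carried = sum(len(set(a.a_records) & set(b.a_records)) for a, b in zip(snaps, snaps[1:]))
    # crude spread measure: how many different /8 networks the hosts fall in
    networks = {ip.split(".")[0] for ip in distinct}
    dead_secondary = all(s.secondary_result.lower() in DEAD_RESULTS for s in snaps)
    return {
        "controller_ips": controllers,
        "hosts_seen": len(seen),
        "distinct_hosts": len(distinct),
        "carried_over": carried,
        "networks_slash8": len(networks),
        "dead_secondary": dead_secondary,
        # verdict for the abuse report: one fixed controller, a host set that never
        # repeats, hosts scattered across many networks, and a placeholder ns2
        "rotating_pool": (len(controllers) == 1 and carried == 0
                          and len(networks) >= 3 and dead_secondary),
    }


if __name__ == "__main__":
    for key, value in triage(SNAPSHOTS).items():
        print(f"{key}: {value}")
```

The only address worth reporting to a host is the one under "controller_ips"; the rotating hosts are infected end-user machines, as the page explains for the spam source above.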
__________________________________________________________________________________________________________________________
These criminals are experienced liars, thieves and professional confidence tricksters. When they are challenged by network abuse teams they may deny any wrongdoing & plead complete innocence & legitimacy. Do not be fooled - do not believe them. The evidence of criminal fraud & zombie botnet use is undeniable as is the link to the 'rockphish' 'phishing' frauds.

I'd like to thank the many honest & ethical hosts who have disconnected these fraudsters within an hour of receiving my abuse report, (several in c. 20 minutes). However, the zombie botnet controlling nameservers seem to be occasionally hosted by Colocation/VPS service providers who do not respond to criminal fraud abuse reports. The honest & ethical SPs will respond with an immediate, (not 24 hours or 48 hours & certainly not never...), disconnection on receipt of a criminal abuse report, having considered the evidence below & investigated, but more and more frequently service providers stall or simply ignore abuse reports. This latter minority of uncaring & unethical hosts are aiding and abetting criminal fraud and the victims suffer because of it.
Knowingly supplying services to these fraudsters is a criminal offence in the UK under the UK Proceeds of Crime Act 2002, Section 328: "A person commits an offence if he enters into or becomes concerned in an arrangement which he knows or suspects facilitates (by whatever means) the acquisition, retention, use or control of criminal property by or on behalf of another person". The notification level for this offence is low.

Would all hosts and registrars with a UK presence, (other countries will undoubtedly have similar provisions), please bear this in mind and please do not ignore any criminal fraud abuse reports you may receive, or if you do, please don't be surprised or offended if I file a crime complaint against you with local law enforcement agencies after reasonable notice of abuse - the victims, (who could be your mother, father, grandmother, grandfather, the helpless, the disabled or any loved one - these criminals are exactly the same as doorstep conmen), deserve better.

The unethical hosts, (and registrars), should appreciate that taking the 'blind eye' approach involves them in the crime, creates a great deal of ill-will, bad publicity & hurts everybody, especially the victims of these fraudsters. They should also bear in mind that these crooks pay for their services using Paypal linked to stolen credit card details so they are likely to get a charge-back which will also leave them out of pocket, unless, of course, they have a more intimate relationship with the criminals.
A CEO of a Credit Union tells me of clients who have lost thousands of pounds cashing counterfeit money orders for these criminals, & I myself have had letters from worried victims, so do not under any circumstances get involved with them and also please think twice about doing business with the unethical service providers who continue to provide this criminal with the means to perpetrate his crime despite being notified of the criminal activity.

The following service providers failed to respond to abuse reports regarding their hosting of this fraudster or the Harvey Investment sister scammers, the Sydney Car Centre (SCC) fraudsters:
Eonix Corporation, (Infinitie.net) of Las Vegas, Nevada, & IDC Inc. (Serenitynet) failed to respond in any way to all evidential abuse reports concerning the SCC fraudster, (the first submitted on June the 5th.), and continued to host the criminal's zombie botnet on the nameserver ns1.search-pnd.com [66.196.43.228] until June the 20th. They also hosted the previous Lux Capital fraudster's botnet controller on the same nameserver/botnet controller domain & IP from 13th. May onwards and ignored all abuse reports then too. Crime complaint filed with IC3.gov.

PoundHost Internet Services Ltd./Euroconnex Networks LLP (Maidenhead - UK), are another host that ignored all criminal fraud abuse reports concerning SCC from July the 2nd. and continued to allow the criminal to operate his zombie botnet and his criminal operation on their network until July the 20th. when they were contacted by the Metropolitan police following a crime complaint.

Convergent Network Services of Hicksville, NY, (aka Ironcolo.com), were informed of the SCC criminal's zombie botnet nameserver ns1.infobiodata.com on their IP 206.71.145.83 on July the 26th. To date they have not responded to abuse reports or webform submissions. Crime complaint filed against them with IC3.gov. They are now knowingly hosting the Harvey Investment zombie botnet on the same IP (206.71.145.83) as from 16th. September 2007. Further complaint filed against them with ic3.gov.

Secured Private Network of Santa Ana, California were informed that they were hosting the Harvey Investment criminal's zombie botnet on September the 14th. 2007 on the nameserver ns1.osttitles.com [66.212.16.212]. To date they have not responded to any of several abuse reports and are still hosting the criminal fraudster on the same IP. Crime complaint filed against them with IC3.gov.
__________________________________________________________________________________________________________________________
Blocking The Spam
I have had quite a few queries about how to block the criminal's spam in Outlook Express. Fortunately they are easily detected using the OE 'Mail Rules' (Tools - Message Rules - Mail).

Rules based on the From, To etc addresses will never work as the header data is all forged. The message body remains constant, however, & that can be used to detect them.

Use the rule "Where the message body contains specific words" and use the name Harvey Investment Company as the search item then choose 'delete' (or whatever action you prefer) as the action; that will definitely detect every single one of these spams. The only problem then is if someone sends you a wanted email containing the name Harvey Investment Company.

So, to get around that unlikely event you could of course pick any combination of letters from the spam as I believe that they are all the same, for example you could use the phrase "Ideal candidate should possess 1-2 free hours a day" as the detection phrase using the above rule. That should detect them all and also be pretty safe from false positives.
__________________________________________________________________________________________________________________________
If you find this site helpful then please feel free to link to it on your website by inserting the following HTML code, (opens site in new window):
<a href="http://www.bobbear.co.uk" target="_blank">Money Laundering Fraud Websites</a>
__________________________________________________________________________________________________________________________
Here are all the known domains that are/have been used for the Harvey Investment fraud:

[Table of known domains not recoverable from this copy: only the status column survived (Suspended / Active (Unhosted) / Active (DNS looped) / Active (Hosting ceased) / Transferred out of criminal control); the domain names are missing.]

Please notify me of any errors or domains not listed here.
Tips for Pro-active Registrars
i) The Harvey Investment criminal uses his own nameserver domains to control his zombie botnets. By definition there can be no legitimate domains using his dedicated botnet nameservers, currently ns1.mmnhome.com and ns1.star-cy.com. This provides an ideal database search option for you to identify and delete all of this criminal's fraud domains without any risk of hurting an innocent domain.
ii) All of the criminal's domains have different false whois data.
iii) The criminal will not respond to your challenge but will use the notice to ready a new network - immediate suspension is preferred.
__________________________________________________________________________________________________________________________
If you have been a victim of this fraudster & would like to tell your story on this page as a warning & to help others, please contact us.
__________________________________________________________________________________________________________________________
Fraud Blog
Initial entry created 27th. August 2007 - Further Information to follow.
__________________________________________________________________________________________________________________________
28th. August 2007
Domains hinvestment.st, starid.st, you-pm.com & botnet hosting ns1.you-pm.com [72.37.221.244] abuse reported to Nic.st, Register.com & Nobis Technology Group, LLC/Mzima Networks, Inc. respectively. Later - Domains harveyinvestment.net & harveyinvest.com, (Joker.com), spotted which use the Yahoo 'small business' network as used before by the Sydney Car Centre criminals:
Looking up the 2 harveyinvest.com, (& harveyinvestment.net), parent servers:
Abuse report filed with Yahoo & Joker.
__________________________________________________________________________________________________________________________
29th. August 2007
Response from Yahoo abuse - fraud domains harveyinvestment.net & harveyinvest.com have been disconnected from the Yahoo 'small business' network - thanks guys for the quick response.
__________________________________________________________________________________________________________________________
30th. August 2007
UbiquityServers have passed a complaint on re the zombie botnet controller IP 72.37.221.244. Reply awaited. The IP is still active this morning, but the criminals have changed their nameserver domain, presumably Register.com have suspended their original domain you-pm.com. The current zombie botnet details are:

Looking up at the 2 hinvestment.st parent servers:
Server                             'A' Record Response (Zombie host IPs)
ns1.modelnt.com [72.37.221.244]    59.94.188.103 59.95.19.146 68.252.248.139 74.75.129.227 79.12.79.197
ns2.modelnt.com [20.77.85.51]      [Error: Port Unreachable] - Fake nameserver to make up RFC requirement for 2 nameservers, (never resolves)

The criminal's new nameserver domain modelnt.com is registered with IARegistry/Spiritdomains.

I see the criminal's domain harveyinvest.com is back up on the Yahoo 'Small Business Network', (I'm not sure if that's meant to be a euphemism or not..). This seems to be a recurrent problem with Yahoo. Second abuse report sent. Later - harveyinvest.com disconnected by Yahoo once again.
__________________________________________________________________________________________________________________________
31st. August 2007
Feedback from Domains.ph - they have suspended the criminal's domain hinvestment.ph - thanks guys for your quick & ethical response. Unfortunately no action as yet from UbiquityServers - the zombie botnet is still active on their IP 72.37.221.244. More Harvey Investment fraud spam received this am.
__________________________________________________________________________________________________________________________
1st. September 2007
Another month..another fraud update... Thanks are due to registrars Nic.st & Domains.ph who are doing a sterling job of suspending this fraudster's registrations, (see list of known domains above for latest situation). So much so, the fraudsters have turned their attention now to Nic.li (Nic.ch) and are trying their luck with Liechtenstein registrations - first one noted is hcompany.li still on the following Ubiquity Server Solutions zombie botnet:

Server                             'A' Record Response (Zombie host IPs)
ns1.modelnt.com [72.37.221.244]    217.236.207.185 80.137.199.123 80.143.114.110 84.149.119.24 89.136.81.176
ns2.modelnt.com [20.77.85.51]      Timeout - Fake nameserver to make up RFC requirement for 2 nameservers, (never resolves)

Unfortunately it looks as though we have another unhelpful zombie botnet host for the nameserver ns1.modelnt.com [72.37.221.244]. They come up as Nobis Technology Group, LLC (Nobistech.net) but a look at their 'website' shows that behind them is Ubiquity Server Solutions who responded to my initial abuse report dated 28th. August, (so they know the situation), but have failed to take any action to stop the criminal activity even though they are mandated to do so by their AUP. Reports to the parent block owner Mzima Networks, Inc. also fail to generate any response.

Yahoo seem to have blocked the hosting for domains harveyinvestment.net and harveyinvest.com and they are now coming up as "Under Construction" pages - thanks guys. New domain received in this morning's spam - hicompany.hk. Abuse reported to HKDNR.
__________________________________________________________________________________________________________________________
2nd. September 2007
Another of this criminal's domains reported to me by a site visitor - hcompany.ch. Spiritdomains have suspended the criminal's nameserver domain modelnt.com - thanks guys. The new zombie botnet details are:

Server                             'A' Record Response (Zombie host IPs)
ns1.modenm.com [72.37.221.244]     64.131.248.155 82.37.182.165 86.124.215.42 89.123.32.148 89.34.251.144
ns2.modenm.com [70.14.44.78]       Timeout - Fake nameserver to make up RFC requirement for 2 nameservers, (never resolves)

The zombie botnet is still hosted by UbiquityServers, (at least since 28th. August, probably earlier). No sign yet of them taking any executive action to end the criminal activity they are knowingly hosting. The nameserver domain modenm.com is registered with Register.com - the criminal seems to switch between Spiritdomains and Register.com for these.
__________________________________________________________________________________________________________________________
4th. September 2007
More spam received from this criminal using domain hcompany.li on the Ubiquity Servers, (aka Nobis Technology Group, LLC (Nobistech.net)), zombie botnet. Ubiquity Servers have asked me not to send them any more abuse reports relating to the problem on this particular IP. They have hosted this fraudster at least since August the 28th. without action.

On the positive side, the domains hicompany.hk & hcompany.ch appear to have been suspended. Thanks are due to nic.ch and HKDNR.

Later - The UbiquityServers abuse team have told me that the criminal's account has been terminated by their downstream customer. From talking to them I'm sure that if I had to go back to them with a similar problem then the outcome would be much speedier. I'm persuaded that they are not an unethical host.

A new domain spotted in the wild - hicosite.li

Later - The criminal has now just moved his zombie botnet to an Everyones Internet IP. The new zombie botnet details are:

The above DNS data shows a nameserver ns1.modenm.com [209.62.95.55] acting as a zombie botnet controller referencing five 'zombie' IPs in the 'A' Record Response, (site host IPs), column on a rotating basis. The second nameserver is always a fake and never resolves. It is needed to make up the requirement for a minimum of two nameservers as per RFCs.

The nameserver ns1.modenm.com is now hosted on IP 209.62.95.55 by Everyones Internet (The Planet).

Abuse report submitted to nic.ch, (for the criminal's domains hcompany.li and hicosite.li), nic.st, (as domain hic.st remains active), Register.com (for domain modenm.com), & Everyones Internet and The Planet for IP 209.62.95.55. Let's hope that The Planet abuse team, (et al), are on the ball for a prompt outcome.
__________________________________________________________________________________________________________________________
6th. September 2007
New domain received in this morning's complement of Harvey Investment scam spam - investmentco.st. No action from Everyones Internet (The Planet). Later - Nic.st have suspended the criminal's website hic.st - thanks guys. All the other listed active domains are still resolving on the Everyones Internet/The Planet zombie botnet, so no prompt action from them against these criminals, unfortunately. I find it odd that Nic.ch have suspended the criminal's .ch registration, but not the .li ones.
__________________________________________________________________________________________________________________________
7th. September 2007
New domain received in this morning's Harvey Investment scam spam - hcom.li
All the other .li domains are still active, too, along with investmentco.st. Unfortunately the criminal's zombie botnet is also still active on the Everyones Internet (The Planet) IP 209.62.95.55
__________________________________________________________________________________________________________________________
8th. September 2007
New domain received in this morning's Harvey Investment spam - machid.ch
Unfortunately no action has been taken against the criminal's zombie botnet hosted by Everyones Internet (The Planet) of Houston, Texas on IP 209.62.95.55 which was first abuse reported on September the 4th. and is still running at the heart of this criminal's operation:

Looking up at the 2 machid.ch. parent servers:
Nameserver (Botnet Controller)     DNS 'A' Record Response (Rotating Zombie host IPs)
__________________________________________________________________________________________________________________________ 10th. September 2007
More spam received this am using the domain investmentco.st. All the
criminal's listed domains remain active & no action has been taken by
any of the registrars or the zombie botnet host, (Everyones
Internet (The
Planet) of Houston, Texas), despite the criminal abuse, (in direct
violation of their published AUP), having first been reported to them
on September the 4th. As no response has been received & no
action
taken, abuse report re-filed in recognition of the continuing fraud
spam received. Later
- In response to a
standard abuse report detailing the criminal activity and referring to
this site for evidence I got this response from Everyones
Internet (The
Planet) of Houston, Texas:
Reference: [ThePlanetAbuse-C8378157H]
To Whom It May Concern:
Please note that we are
unable to proceed with our investigation without logs detailing the activity
in question. Please provide a text log, including date time stamp (with
time zone relation to GMT), source IP and port and destination IP and
port. Please provide at least
five lines of logs.
Mmm
- I don't think they've come across this sort of botnet hosting before
which rather surprises me - I think I may have a problem here.
Later
-
I finally convinced The Planet & they appear to have
disconnected the crook's hosting - thanks
guys. I've also received a report that the domains
hicosite.li,
investmentco.st, hcom.li, machid.ch & hcompany.li have all been
suspended today although I haven't yet been able to verify it
personally due to inadequate registrar whois data which doesn't display
their status. Certainly investmentco.st, hcom.li, machid.ch & hcompany.li still have 'A'
records at the root servers which usually indicates that they are still
active, but hicosite.li definitely hasn't so it's definitely gone.
I'll check them later when this crook comes up on a
new host. Not a good day for the Harvey Investment criminals, but good
for their victims. If anyone knows of any unlisted domains, please let
me know.
__________________________________________________________________________________________________________________________
11th. September 2007
The criminals have now moved their zombie botnet onto the IP 82.146.53.39
Looking up at the 2 machid.ch. parent servers:
[DNS lookup table not preserved: Nameserver (Botnet Controller); DNS 'A' Record Response (Rotating Zombie host IPs)]
The IP belongs to a company called ISPSYSTEM. Abuse report sent.
The domains hcom.li,
machid.ch & hcompany.li have unfortunately not been suspended.
The domain investmentco.st HAS been
suspended thanks to Nic.st as has hicosite.li courtesy of Nic.ch. Later
- New domain harvey-i-c.cn spotted in the wild - abuse reported to
cnnic.net.cn
__________________________________________________________________________________________________________________________
12th. September 2007
The criminal's zombie botnet nameserver IP 82.146.53.39
is now timing out and his domains are not resolving so it appears
that ISPSYSTEM has taken prompt action - thanks.
Later - the criminal has now moved his zombie botnet to
the
IP 74.86.134.162 which is owned by SoftLayer Technologies Inc.
Botnet DNS details:
Looking up the 2 harvey-i-c.cn parent servers DNS data:
The data shows a standard zombie botnet where the nameserver
ns1.modenm.com hosted by SoftLayer Technologies Inc on IP 74.86.134.162
is acting as a zombie botnet controller 'herding' the rotating zombies,
(as determined by RDNS), in the 'A' records list which are hosting the
fraud site (as determined by TRACERT).
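The RDNS and 'A'-record reasoning described above can be turned into a repeatable check. The following is an added example, not the author's own tooling: it takes a few constructed lookup snapshots (RFC 5737 documentation addresses and invented reverse-DNS names) and flags the pattern of a single stable nameserver handing out a rotating set of residential-looking hosts; the substring hints and thresholds are assumptions for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Snapshot:
    """One 'A' lookup of the fraud domain, answered by its parent-server NS."""
    ns_ip: str                  # nameserver that answered (the suspected controller)
    a_records: Tuple[str, ...]  # IPs returned for the domain (the suspected zombies)
    rdns: Dict[str, str]        # reverse DNS of each returned IP (constructed here)

# Heuristic: substrings common in reverse-DNS names of consumer address pools.
# These hints and the thresholds below are assumptions for illustration.
BROADBAND_HINTS = ("dsl", "cable", "dyn", "pool", "ppp", "dhcp", "cust")

def rdns_looks_residential(name: str) -> bool:
    """True when a reverse-DNS name resembles a dynamically assigned host."""
    lowered = name.lower()
    return any(hint in lowered for hint in BROADBAND_HINTS)

def assess(snapshots: List[Snapshot]) -> Dict[str, object]:
    """Summarise controller stability, answer rotation and host type."""
    controllers = {s.ns_ip for s in snapshots}
    distinct = Counter(ip for s in snapshots for ip in s.a_records)
    # churn: share of consecutive lookups whose answer set changed
    pairs = list(zip(snapshots, snapshots[1:]))
    changed = sum(1 for a, b in pairs if set(a.a_records) != set(b.a_records))
    churn = changed / len(pairs) if pairs else 0.0
    names = {ip: n for s in snapshots for ip, n in s.rdns.items()}
    residential = sum(1 for ip in distinct if rdns_looks_residential(names.get(ip, "")))
    res_ratio = residential / len(distinct) if distinct else 0.0
    # one fixed controller 'herding' a changing set of residential hosts
    verdict = len(controllers) == 1 and churn >= 0.5 and res_ratio >= 0.5
    return {
        "stable_controller": len(controllers) == 1,
        "distinct_hosts": len(distinct),
        "churn": round(churn, 2),
        "residential_ratio": round(res_ratio, 2),
        "fast_flux": verdict,
    }

# Constructed snapshots (RFC 5737 documentation addresses): one controller,
# a rotating answer set, reverse names that look like home broadband lines.
FLUX = [
    Snapshot("192.0.2.53", ("198.51.100.10", "198.51.100.22"),
             {"198.51.100.10": "10-100-51-198.dsl.example.net",
              "198.51.100.22": "cable-22.pool.example.org"}),
    Snapshot("192.0.2.53", ("198.51.100.22", "203.0.113.7"),
             {"198.51.100.22": "cable-22.pool.example.org",
              "203.0.113.7": "dyn7.cust.example.com"}),
    Snapshot("192.0.2.53", ("203.0.113.7", "203.0.113.90"),
             {"203.0.113.7": "dyn7.cust.example.com",
              "203.0.113.90": "ppp-90.example.net"}),
]
# Constructed control case: ordinary hosting, the same two servers every time.
STATIC = [
    Snapshot("192.0.2.53", ("192.0.2.80", "192.0.2.81"),
             {"192.0.2.80": "web1.example.net", "192.0.2.81": "web2.example.net"}),
] * 3

if __name__ == "__main__":
    for label, snaps in (("suspect", FLUX), ("control", STATIC)):
        print(label, assess(snaps))
```

Against live data the same function would be fed snapshots collected by repeating the 'A' query against the parent-server nameserver over time, with a reverse lookup of each returned IP.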
__________________________________________________________________________________________________________________________
13th. September 2007
SoftLayer
Technologies Inc appear
to have disconnected the Harvey Investment zombie botnet on IP 74.86.134.162
- thanks guys for a fast and ethical response to this criminal's
activities. I only wish other hosts were so quick.
__________________________________________________________________________________________________________________________
14th. September 2007
Another new domain for the Harvey Investment fraudster in today's batch
of fraud spam from him: harvey13.cn Mmm - I wonder...yes he's got
harvey12.cn as well. No surprise there. It looks like the domains are
registered through TodayNic/Now.net.cn which this crook's used before
for other aliases. Let's see where he's moved his zombie botnet to this
time:
Looking up the 2 hvyinvc.li parent servers DNS details:
He's got a new zombie botnet nameserver domain (osttitles.com) which
was only registered with IARegistry/Spiritdomains on September the
11th. He's got a new host for his botnet controller on IP 66.212.16.212
which belongs to a company called Secured Private Network who are an
unknown quantity to me.
The data shows a standard zombie botnet where the nameserver
ns1.osttitles.com hosted by Secured
Private Network on IP 66.212.16.212
is acting as a zombie botnet controller 'herding' the rotating zombies,
(as determined by RDNS), in the 'A' records list which are hosting the
fraud site (as determined by TRACERT).
Later
-
Wow - I'm impressed. Neither of the two Harvey Investment criminal's
domains harvey12.cn and harvey13.cn have 'A' records at the root
servers so it looks as though the registrar has suspended them already
and deleted the DNS data - thanks guys. That has got to be one of the
quickest actions yet by a registrar, (CNNIC/TodayNic/Now.net) - full
marks to them, (probably TodayNic/Now.net). Why can't they all be like
that? (and a few of the hosts too....). Talking of which, the botnet
host IP 66.212.16.212 appears to be still active.
__________________________________________________________________________________________________________________________
15th. September 2007
New domain received in this morning's spam - hvyinvc.li which is unfortunately
still hosted by the above 'Secured Private Network' zombie
botnet.
__________________________________________________________________________________________________________________________
16th. September 2007
Another new domain received in this morning's spam - harvst.ch. The Harvey Investment
criminal has a new botnet hosting this domain:
Looking up the 2 harvst.ch parent servers DNS details:
My, he has been busy - he's registered himself a new nameserver domain
(goldenrg.com) with Register.com (31-aug-2007) and he's started another
zombie botnet on 206.71.145.83 which is the same IP owned by Convergent Network Services,
(aka Ironcolo.com)
as was used for the Sydney Car Centre alias of these
criminals and their Aegis Capital alias before that. In other words
Convergent Network Services has been a loyal provider of services to
these criminals for a long time and has unfortunately ignored every
single abuse report I've filed. I'll give them a (another!) fair chance
by abuse reporting it to them via email & webform, (as I have
done
many times before), but I don't expect any response or action -
however, it would be nice to be proved wrong.
It's interesting to note that the Secured
Private Network
zombie botnet above is also still active on IP 66.212.16.212 and
hosting the domain hvyinvc.li This is the first time that I recall
seeing him
running two zombie botnets together for a single scam. Later
-
Another new domain received in some more Harvey Investment spam -
hinvcy.li This one's on the above Convergent Network Services
zombie botnet controlled by ns1.goldenrg.com [206.71.145.83].
__________________________________________________________________________________________________________________________
17th. September 2007
New domain received in this morning's spam - hvinvts.cn This domain is
hosted on the Convergent
Network Services/Ironcolo.com hosted zombie botnet using
nameserver ns1.goldenrg.com [206.71.145.83]
__________________________________________________________________________________________________________________________
18th. September 2007
Another new Harvey Investment fraud domain in this morning's spam - hvinvt.li which is
hosted on the Secured
Private Network zombie botnet. The Convergent
Network Services/Ironcolo.com
botnet is also still fully functional so it looks as though the Harvey
Investment criminal has a couple of allies here - no response from
either. CNS have certainly not changed their spots... Later
- Well done nic.ch - domain
hvyinvc.li is suspended, but domains harvst.ch, (CNS botnet), hinvcy.li, (CNS botnet), and hvinvt.li, (SPN botnet),
remain active, as does hvinvts.cn, (CNS botnet). Neither botnet host has
responded to abuse reports or taken action.
__________________________________________________________________________________________________________________________
19th. September 2007
Both of the Harvey Investment criminal's botnets are still active and
no response has been received from either of the two above hosts to
numerous abuse reports. I suggest that the policy of both companies
regarding the hosting of criminal fraudsters and botnets is
self-evident. I'll file a couple of complaints against them with
IC3.gov later on, for what good it may do... If you have suffered
losses at these criminals' hands, or you are sick of their continuing
flood of criminal fraud solicitations and
you feel like registering your disgust with these hosts for continuing
to host this fraudster and his zombie botnets then you may consider
popping over to http://www.IC3.gov/ to
file a complaint against them. The law enforcement agencies
are supposed to
monitor the complaints and they may take notice if
they get
enough complaints.
Alternatively, you could ring
them or write to them and ask why they continue to support these
criminals:
Host for zombie botnet controller ns1.osttitles.com
[66.212.16.212] =Secured Private Network:
1740 East Garry Ave.
Suite 234
Santa Ana, CA 92705.
Abuse phone: +1-877-434-2378
They don't seem to have their telephone number listed on their website
which I think is rather unusual....
IronColo.com is operated by Convergent
Network Services.
Convergent Network Services
51 Tec Street
Hicksville, NY 11801
Toll Free: 800-956-3226
+1 631-610-5710
+1-631-236-9090
Later
- more
spam from this criminal, now using the domain harvey.mn. Looks like
Mongolia is the latest region to be 'favoured' by the Harvey Investment
criminal. The criminal has changed his nameserver domain, but he is
still using the Convergent Network Services botnet:
Looking up the 2 harvey.mn parent servers DNS details:
He's got a new zombie botnet nameserver domain (divinegrail.com) which
was only registered with IARegistry/Spiritdomains on September the
11th.
The data shows a standard zombie botnet where the
nameserver ns1.divinegrail.com hosted by Convergent Network Services,
(aka Ironcolo.com)
on IP 206.71.145.83
is acting as a zombie botnet controller 'herding' the rotating zombies,
(as determined by RDNS), in the 'A' records list which are hosting the
fraud site (as determined by TRACERT).
__________________________________________________________________________________________________________________________
20th. September 2007
Another
domain received in spam from the Harvey Investment criminals -
hicplace.li This new domain is on the above Secured Private Network
zombie botnet controlled by nameserver ns1.osttitles.com
[66.212.16.212]. Both the CNS and SPN zombie botnets are still active.
__________________________________________________________________________________________________________________________
21st. September 2007
Another new domain received in spam from the Harvey Investment
criminals - hicplace.ch This one is also on the above Secured Private
Network
zombie botnet controlled by nameserver ns1.osttitles.com
[66.212.16.212]. Neither of the criminal's current botnet hosts, (Convergent Network Services,
(aka Ironcolo.com), and Secured Private Network),
respond in any way to abuse reports so one has to assume that they
are both either directly involved in the criminal activity or simply do
not want to know about the criminal activity their clients are involved
in which amounts to pretty much the same thing in my book.....
Upstream assistance sought from their
apparent provider, (from tracert), Global Crossing who, interestingly
enough, also appear to be the
upstream provider for Convergent Network Services who similarly ignore
reports of criminal activity by the Harvey Investment site thief and
fraudster.
__________________________________________________________________________________________________________________________
23rd. September 2007
New domain reported by site visitor - hryit.li - still on
the Convergent Network
Services,
(aka Ironcolo.com) zombie
botnet. The criminal is definitely having an easy ride at the moment
with
an apparently completely unethical criminal accessory in Convergent Network Services,
(aka Ironcolo.com),
with Secured Private
Network
following a close second in the criminal friendly stakes, (it's
obviously a
waste of time abuse reporting to either of those two - contact details
above if you want to have a go), and the registrars are not exactly
acting
quickly or proactively, either.
Later
- New domain received in spam - hinv.cc (Register.com). Still on the Secured Private Network
criminal's zombie botnet (66.212.16.212) using nameserver domain osttitles.com
(Spiritdomains): Looking up the 2 hinv.cc parent servers DNS details:
__________________________________________________________________________________________________________________________
24th. September 2007
Yet another Harvey Investment
domain received in this morning's spam - harveycy.li This one's on the Secured Private
Network zombie botnet. I
guess this crook's aiming to beat the Sydney Car Centre record for
number of criminal domains registered. With the aid of his two
'blackhat' US zombie botnet service providers, (not to mention
some of the registrars), I'm sure he'll make it... Later
-
A site contact tells me he's had a response back from
Switch.ch to the effect that domains harvst.ch, hinvcy.li, hvinvt.li,
hicplace.li, and hicplace.ch have all been suspended which is good
news. As far as I know, that just leaves hryit.li,
(CNS)(Switch.ch), hinv.cc,
(SPN)(Register.com), harveycy.li,
(SPN)(Switch.ch),
hvinvts.cn,
(CNS)(Todaynic.com/Now.net), and harvey.mn,
(CNS)(Nic.mn) still active.
__________________________________________________________________________________________________________________________
25th. September 2007
Domains hryit.li and harveycy.li have both been suspended by Switch.ch.
The criminal's two US botnet hosts are still knowingly providing the
criminals with the means to perpetrate their fraud.
__________________________________________________________________________________________________________________________
28th. September 2007
New domain received in this morning's spam batch - harvinv.tw The
criminal has moved his attentions to the .tw domain. The domain
harvinv.tw is on the below Convergent Network Services zombie botnet.
The
domain harvey.mn has finally been suspended by the registrar domain.mn. Later
- The good news is that Spiritdomains have finally suspended the
criminal's nameserver domains divinegrail.com and
osttitles.com. The bad news is that the criminal has two new nameserver
domains - mmnhome.com
registered with Register.com which he's using on the SPN botnet and fullflesh.com
registered with Spiritdomains again that he is using on his CNS botnet.
DNS Data:
Looking up the 2 harvinv.tw parent servers DNS details:
(206.71.145.83 = Convergent Network Services
zombie botnet)
__________________________________________________________________________________________________________________________
29th. September 2007
New fraud domain received in this morning's spam batch
- 1hic.li
This one's on his Secured Private Network hosted zombie botnet. Later
- The criminal has changed his fullflesh.com, (Spiritdomains),
nameserver domain to star-cy.com,
(Register.com), for some reason. I suspect it is unfortunately because Register.com
are more criminal friendly than Spiritdomains although
I'd be happy to be proved wrong....
New DNS details for CNS botnet:
Looking up the 2 harvinv.tw parent servers DNS details:
(206.71.145.83 = Convergent Network Services
zombie botnet)
__________________________________________________________________________________________________________________________
1st. October 2007
Another month and the
Harvey Investment criminal's blackhat hosts Convergent
Network Services,
(aka Ironcolo.com) and Secured
Private
Network
are still providing the criminals with their zombie botnet hosting
despite many reports and are thus aiding and abetting the Harvey
Investment criminal's continuing site theft, fraud and spamming
activity. Even their upstream providers, Global Crossing sadly ignore
all requests for assistance in ending the criminality.
Another criminal fraud domain received in this morning's spam batch
- harveycomp.tw
(CNS botnet) Later
- Further fraud domains noted - hvinst.li and harin.mn both on the above CNS botnet. Later
- domain 1hic.li has been suspended by Switch.ch
__________________________________________________________________________________________________________________________
7th. October 2007
Although no further spam has been received by me from this criminal,
(it's been replaced by an identical Draper Investment scam), the
criminal's CNS zombie botnet is still intact and he seems to
be in the process of moving his SPN botnet to FDCServers.net LLC. on
IP 67.159.41.119
so this fraud is far from dead, apparently aided and abetted as it is
by his service provider Convergent Network Services. I guess it's just
too easy to carry on....
***Latest News***
10th. October 2007
I haven't looked at
these crooks for a few days as the spam has dried up - let's have a look
at the last domains I recorded as active:
hvinvts.cn - Domain 'A' record still present - DNS looped at nameserver level.
hinv.cc - Domain 'A' record still present - CNS hosting apparently ceased, (IP 206.71.145.83 not responding).
harvinv.tw - Domain 'A' record still present - CNS hosting apparently ceased, (IP 206.71.145.83 not responding).
harveycomp.tw - Domain 'A' record still present - CNS hosting apparently ceased, (IP 206.71.145.83 not responding).
harin.mn - No 'A' Record - domain suspended by registrar.
hvinvt.cc - Domain 'A' record still present - DNS looped at nameserver level.
star-cy.com - Domain 'A' record still present - CNS hosting apparently ceased, (IP 206.71.145.83 not responding).
mmnhome.com - Domain 'A' record still present - DNS looped at nameserver.
Looks like most of the registrars haven't responded as the domain 'A'
records are still present at the root servers, but he seems to have
pretty well given up sorting out his DNS...It must be a hard life being
a fraudster....
Harvey Investment Fraud Obituary
There now appears to be no further activity from this particular alias
of the criminal. If anyone knows different, please do let me know, (resolving
domains or email source code containing resolving
domains, please). He seems to be concentrating on his Draper Investment
and Adamant Global aliases and other scams. No doubt there will be
another one along
shortly from his stable - keep your eyes peeled...
No
records have been beaten for the
number of domains registered - in fact down from the maximum of 56 set
by the
Sydney Car Centre alias to only 35 by my reckoning. The most shameful
record is for the fact that this criminal's zombie botnet has been
hosted from September the 16th. to the finish by Convergent Network
Services aka Ironcolo.com, Hicksville, NY. who
ignored every single abuse report concerning the zombie botnet on their
IP 206.71.145.83.
This company also hosted the Sydney Car Centre alias of this fraudster
from July the 26th. until the end of that fraud on 12th. September 2007
and the Aegis Capital fraudster before that.
I'd like to thank all of the honest, decent and ethical hosts that
responded positively to abuse reports and did their bit to make the
internet a little safer for all - thank you from me, but mainly from
all of this criminal's victims.
Registrar
response to abuse reports has been a little patchy. Switch.ch switched
on, (groan...), after a slow start and were responding well at the end.
Domains.ph, Nic.st and Domain.mn also eventually cottoned on
to
this criminal after a slow start. Nil response to abuse reports
recorded from the
Registrars SEEDNET, TODAYNIC/NOWNET and REGISTER.COM.