Adamant Global Fraud
Report

Adamant Global is one of the latest additions to the money transfer criminal fraudster aliases that have included Swiss Invest, Impex Consult, Bronsard Advantage, Norden United, FIC Financial Inc/Ltd, United Cargo Solutions, Radius Investments, Lux Capital, Aegis Capital Group & Sydney Car Centre. One indication that Adamant Global is a replacement or addition to the Sydney Car Centre fraud is that the initial Adamant Global spams contained the subject line - "account managers vacant position in the Sydney Car Centre".

All of the above are aliases of well known money transfer criminal fraudsters & prolific spammers that usually, (but not always), host their sites using 'botnets' of 'zombie' computers which are PCs that have been infected with a trojan/virus. They are also exactly the same gang of criminals that operate the 'Rockphish' 'phishing' empire - so please, if you can take action against these criminals then do so.

For anyone interested in these things, the above artwork for this bogus Adamant Global site is a screenshot which has been taken by the criminals from the Shockwave Flash animated template number 9440 sold by templatemonster.com

N.B. - The bogus Adamant Global company is nothing to do with the genuine company Adamant Global Pty Ltd. which is an Australian based management consulting service & whose website is http://www.adamantglobal.com.au/
__________________________________________________________________________________________________________________________
Method of Operation

I am confident that this method of operation equally applies to the rest of the criminal aliases I document.

Once you have contacted them, these criminals ask you to set up a bank account, or ask for existing account details or merely use your Paypal account if you have one. After you have done that, you will receive an email to tell you that funds have been transferred to that account and to wire it on to them less 10% for yourself. Those funds will be counterfeit or obtained illegally - a favourite way at the moment seems to be from fake Ebay auctions that name you as the seller, so you will receive an irate email from someone who hasn't received the computer that you have received the money for. This is the Adamant Global scam that Ms. X in the USA fell for and who sent me this information:

I have been taken by this scam. I received money on my paypal account and transferred the money to two people. Islam Nikaev 02-758 Mangalia 3B Warszawa, Poland (1078.38) and Idris Mazaev 04-12824 04-128 24 Omulewska Str, Warszawa, Poland (1082.38). Following is the email that I got letting me know that the money was in my paypal account. I was to keep 10% and wire the rest. I now have a very angry person contacting me because he said he won a computer on ebay and spoke to a women (not me) and still has not received the computer:

From: a.melba@globaladamant.com
To: xxxxxxxxx@xxxxxxxx
Subject: new payment, instructions
Date: Tuesday, September 18, 2007 2:33:09 PM

Good day,

New payment of $2,601 has been transfered to your paypal account, please withdraw them to your bank account (instruction below).

Log in to your PayPal account.
Click Withdraw.
Click the Transfer funds to your bank account link.
Enter the amount of the withdrawal, choose the bank account to withdraw funds to and click Continue.
Click Submit.

Please confirm reception of the funds and let us know when they are cleared.

Regards,
A. Melba

Mr. X in the USA received this email after falling for this fraud:

Dear Mr. X,

As soon as your bank has confirmed that the money is available to be  
withdrawn, please calculate and take out your 10% commission out of the  
total amount that you have on your account.  
 
After that,  withdraw the remaining 90% balance and carry it to the  
Western Union.  
The money should be transferred via Western Union for the  
following person(he is our  agent in the regional branch).  
 
First name: Magomed
Last name: Ezhiev
Country: Poland
City: Warszawa   
      
Adress: 04-128 24 Omulewska str.

As can be seen, the recipients of these transfers are based in Warsaw, this seems to be consistent so far.

It's interesting to note that the criminals use variations of the fraud domains purely as maildrop domains - i.e. the domain globaladamant.com is actually parked but the criminal is using the mail facility of the domain as a 'secure' mail service. I say secure because it's often hard enough to convince some registrars that the main fraud domains are just that, never mind trying to convince them that a parked domain is being used for criminal purposes as well....
__________________________________________________________________________________________________________________________

Current Service Providers to The Adamant Global Criminals [Updated 19/11/2007]

Zombie Botnet Nameserver & Host(s)

ns1.biosigndata.com [72.249.96.26]
hosted by Colo4Dallas

Please notify me of any errors or required amendments to this running list.


Main Domains and  Registrars

adtgl.li
- Switch.ch
adgl.ch
- Switch.ch
adtg.li
- Switch.ch

See table below for the full list of known active & suspended main domains for this criminal.


Nameserver Domains and Registrars



See table below for the full list of known nameserver domains for this criminal.

Please notify me of any errors or required amendments to this running list.

__________________________________________________________________________________________________________________________

Evidence of Criminal Fraud

i)  Letters from US victims tell me of losses of thousands of dollars to this criminal.

ii) The Adamant Global criminals host their website and distribute their prolific spam using the now familiar zombie botnet - real time DNS data below.

iii) Initial Adamant Global spams have contained the subject lines Account manager vacant position in the Sydney Car Centre, New Openings In The Sydney Car Centre & Vacant position in the Sydney Car Centre as per the example spam below, thus demonstrating without doubt that this scam is from the same stable as the identical Sydney Car Centre fraud.

iv) The website states that Adamant Global were "founded in 1994" yet the multiplicity of domains were only registered in the last few weeks.

v) Numerous domains have been very recently registered with various registrars, all with different forged whois data, (the two Joker ones are of course the same, as you would expect them to be). Most of the domains have already been suspended by the registrars as detailed below.

vi) They are still wanting to "fasten the process of the delivery of the payments" - exactly the same wording as the Sydney Car Centre scammers.

vii) They claim "Adamant Global Inc. has offices in the United States and Canada " and "Adamant Global Inc. has achieved universal appeal in the home appliances, electronics and video equipment and operates a highly successful international business in 24 countries." yet Google has never heard of these facilities and operations. They are clearly bogus & quite laughable claims.

viii) The contact fax number 0207 022 2908 is bogus - when I rang it, it announced itself as a "telephony test line" & asked for a PIN number.

ix) The UK postcode SE18 6SJ in their location details does not correspond to the location Woolwich road, a search on the UK postcode checker by me showed it only applies to addresses on Grand Depot Road - the address details are clearly bogus.

xi) The Adamant Global fraudster offers one 'job' of "regional assistant". Details of the 'job' taken directly from the bogus website include:

Supervise customer payments on the PayPal account constantly;
Be available to receive 2-3 payments on your PayPal account from the customers every week;
Make calculations regarding each customer order;
Withdraw the funds from the bank account (less your 10% fee);
Be responsible for banking and cash up procedures via Western Union;

In other words acceptance of criminal or counterfeit proceeds into your personal bank account and forwarding it on to these crooks via Western Union - that is clearly just another money transfer mule job - criminal fraud.

xii) Forged email headers in the prolific spams - 'From' & 'Return To' addresses are all different random forged addresses.

xiii) All the Adamant Global spams are signed by different random names, (exactly the same as the Sydney Car Centre spams). They appear to have an unlimited number of employees.

xiv) The spam bodies contain exactly the same Bayesian filter avoidance 'pseudo-code', (example below), as seen both in the Sydney Car Centre spams and in the 'rockphish' 'phishing' fraud spams which links the two operations inextricably together as does the identical zombie botnet method of spam distribution.

xv) Their stated location & contact info. appears to be identical to another very similar dubious 'company', (http://www.elgounaltd.com/contact.html), Elgouna Ltd. They also appear to be linked to other suspect operations - Wireless Global Inc, which appears to be off-line at the moment & western-eshop.com which ran a previous similar operation.

xvi) Google "Adamant Global"

Do not be fooled by their slick spoof site - these are professional criminals with a long history of fraud as detailed on the General Information & Sydney Car Centre pages.
__________________________________________________________________________________________________________________________
The Spam Headers

Needless to say these are the headers from an actual received Adamant Global spam.

From: “Adamant Global Inc”
To: “ANother”
CC:
Subject: Vacant position in the Sydney Car Centre [letter id: xxxxxxxxxxxxx]
Date: Mon, 6 Aug 2007 23:10:33 +0000 (GMT)
Return-Path:
Delivered-To: ANother:xxxxxx@xxxxx.com
Received: (qmail 18861 invoked by uid 0); 6 Aug 2007 23:10:37 -0000
X-Ob-Received: from unknown (192.168.8.16) by mta1-7.us4.outblaze.com; 6 Aug 2007 23:10:37 -0000
Received: from 78-2-92-88.adsl.net.t-com.hr (78-2-92-88.adsl.net.t-com.hr [78.2.92.88]) by spf17.us4.outblaze.com (Postfix) with SMTP id 0D6BCB34F0 for ; Mon, 6 Aug 2007 23:10:33 +0000 (GMT)
Received: from sequoia.staryoskol.com (unknown [24.102.193.42]) by diznoya.com with SMTP id WUXSM2JA3D for ; Mon, 06 Aug 2007 16:13:16 -0800
Received: from echoes.australiamail.com (australiamail.com.ono.com [57.32.208.214]) by abac.com with SMTP id Q6C6Y0YYPL for ; Mon, 06 Aug 2007 21:13:16 -0300
Organization: Adamant Global Inc Cecil.Lunsford@hotbox.com
User-Agent: Internet Mail Service (5.5.2650.21)
X-Mailer: Internet Mail Service (5.5.2650.21)
X-Priority: 3 (Normal)
Mime-Version: 1.0
Content-Type: multipart/alternative;

Recipient & message id munged.

1) The first thing to note is the Subject: "Vacant position in the Sydney Car Centre" which ties the Adamant Global scammers to the Sydney Car Centre scammers - anything that applies to those site thieves and criminals equally applies to these fraudsters.

2) The second important thing to notice is the source IP. Reading from the bottom upwards, as is the norm when parsing headers, the first two received lines (red) can be rejected as unsafe, almost certainly forged or proxy servers. The actual trusted source IP that cannot be forged is the one received by the recipient's email provider (Outblaze) and that is in this line (green):
Received: from 78-2-92-88.adsl.net.t-com.hr (78-2-92-88.adsl.net.t-com.hr [78.2.92.88]) by spf17.us4.outblaze.com (Postfix) with SMTP id 0D6BCB34F0 for ; Mon, 6 Aug 2007 23:10:33 +0000 (GMT)

In this received line the source IP address is 78.2.92.88, the reverse DNS (RDNS) for which is correctly indicated as 78-2-92-88.adsl.net.t-com.hr which confirms that the source address is genuine.

In the above RDNS identity note the letters adsl. These stand for Asymmetric Digital Subscriber Line and tell you that the spam has come from an end user's computer on an ADSL network in Republike Hrvatske (Croatia). "Well", you say, "there's your criminal". Unfortunately not - he or she may be guilty of criminal stupidity by not having a firewall or clicking on the latest nude pictures of Britney Spears, but unfortunately not criminal fraud - he/she is just one of tens of thousands of 'zombies' - computers that have been infected with a zombie virus or worm. All it tells you is that the Adamant Global spammer uses a zombie botnet both to host his site and distribute his spam in exactly the same way as Sydney Car Centre, Harvey Investment and all the rest of these scumbags.

Lastly, Cecil.Lunsford@hotbox.com is not Adamant Global - this is just another forged email address. Incidentally, never 'bounce' spam back to the 'sender' as it only bounces back to a forged address which, if real, will only belong to an innocent third party who will understandably be a little peeved with you and if you do it a lot you could get your ISP's SMTP IP range blacklisted and they will be even more upset with you.
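The header reading described above can be automated. The following Python is an added example, not code from this site: it walks the Received lines of the spam shown above, trusts only the hop written by the recipient's own provider, and lists everything below it as unverifiable. The trusted suffix `outblaze.com` and the list of access-line tokens are assumptions chosen for this sample.

```python
import ipaddress
import re
from email import message_from_string

# Header lines copied from the spam above (recipient and message id were munged on the page).
RAW_HEADERS = """\
Received: (qmail 18861 invoked by uid 0); 6 Aug 2007 23:10:37 -0000
X-Ob-Received: from unknown (192.168.8.16) by mta1-7.us4.outblaze.com; 6 Aug 2007 23:10:37 -0000
Received: from 78-2-92-88.adsl.net.t-com.hr (78-2-92-88.adsl.net.t-com.hr [78.2.92.88]) by spf17.us4.outblaze.com (Postfix) with SMTP id 0D6BCB34F0 for ; Mon, 6 Aug 2007 23:10:33 +0000 (GMT)
Received: from sequoia.staryoskol.com (unknown [24.102.193.42]) by diznoya.com with SMTP id WUXSM2JA3D for ; Mon, 06 Aug 2007 16:13:16 -0800
Received: from echoes.australiamail.com (australiamail.com.ono.com [57.32.208.214]) by abac.com with SMTP id Q6C6Y0YYPL for ; Mon, 06 Aug 2007 21:13:16 -0300
Subject: Vacant position in the Sydney Car Centre

"""

# "from HELO (rdns [ip]) by host" as written by Postfix-style servers.
HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9.]+)\]\)\s+by\s+(?P<by>\S+)"
)
# Assumption: labels that commonly mark consumer access pools in reverse DNS names.
ACCESS_TOKENS = ("adsl", "dsl", "cable", "dyn", "pool", "ppp", "dhcp")


def parse_hops(raw):
    """Return Received hops newest-first; lines without a usable peer IP are skipped."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        match = HOP.search(" ".join(value.split()))
        if not match:
            continue
        try:
            ipaddress.ip_address(match["ip"])
        except ValueError:
            continue
        hops.append(match.groupdict())
    return hops


def is_ours(host, trusted_suffixes):
    """True when the stamping host belongs to the recipient's own mail provider."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in trusted_suffixes)


def find_handoff(raw, trusted_suffixes):
    """Return (trusted handoff hop, unverifiable hops below it).

    Only lines stamped by our own servers are believed. The first of those
    that names a public peer IP is where the mail entered our network;
    every line beneath it was supplied by the sender and may be forged.
    """
    hops = parse_hops(raw)
    for i, hop in enumerate(hops):
        if not is_ours(hop["by"], trusted_suffixes):
            return None, hops[i:]
        if not ipaddress.ip_address(hop["ip"]).is_private:
            return hop, hops[i + 1:]
    return None, []


def looks_like_end_user(hop):
    """Reverse DNS embeds the IP and carries an access-line label such as 'adsl'."""
    rdns = hop["rdns"].lower()
    octets = hop["ip"].split(".")
    embeds_ip = any(sep.join(octets) in rdns for sep in "-.")
    labels = re.split(r"[.\-]", rdns)
    return embeds_ip and any(token in labels for token in ACCESS_TOKENS)


if __name__ == "__main__":
    hop, unverified = find_handoff(RAW_HEADERS, ("outblaze.com",))
    print("trusted source:", hop["ip"], hop["rdns"], "end user line:", looks_like_end_user(hop))
    for h in unverified:
        print("unverifiable:", h["ip"], "claimed by", h["by"])
```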
__________________________________________________________________________________________________________________________
The Spam Content

The headers contain many different forged/bogus 'From' & 'Return Path' addresses & various forged 'Receive' lines. The subject lines vary greatly, but include "Years may pass in looking for part-time a job, we offer it right now", "Stop Looking For A New Part-Time Job - Here It Is", "job offer." all of which indicate that there is a job opportunity to be had. There is - a job as a money laundering 'mule', i.e. accepting counterfeit or stolen criminal proceeds into your account and forwarding them on via Western Union or Moneygram for a percentage cut, (usually 10%). Needless to say it is you the mule that will inevitably feel the full weight of the law while the remote money launderers are safe & in the case of counterfeit funds you will lose it all when the funds are recovered & your account is closed. In addition you will lose whatever real money you have sent on via Western Union which is unrecoverable.

This is the spam content:
__________________________________________________________________________________________________________________________
Subject Vacant Position In The Sydney Car Centre (sic)

Good day,

Today Adamant Global Inc. would like to offer you a part-time job of our regional sales assistant. If you are motivated, goal oriented and desire to build your future with an industry leader, consider career opportunities with Adamant Global.

Adamant Global Inc. has achieved universal appeal in the home appliances, electronics and video equipment and operates a highly successful international business in 24 countries.

Help Adamant Global be a leader in this unique retail industry by being Regional Assistant for our company in the United States. Qualified candidates must posses computer and internet literacy, be industrious and goal-oriented, be precise and punctual, be motivated and team-oriented. An availability of internet PayPal account is a must.

We expect our Managers to:
- Offer exceptional customer service
- Maximize company sales and profitability
- Supervise customer payments on PayPal account constantly
- Make calculations regarding each customer order
- Be responsible for banking and cash up procedures via Western Union

To sum up, the position offered requires 2 free hours a day, direct communication with the office manager from the head office and operations with the customer payments by means of your PayPal account and Western Union system. You are NOT supposed to seek for customers, cooperate with them or travel around to deliver the orders. Your major responsibility is to deal with the financial means and fasten the process of the delivery of the payments.

Adamant Global offers competitive salary and wages. In addition to your wages we pay bonuses and incentive awards. For our Full Time Associates we offer paid sick days, paid holidays, paid vacation, and paid personal days. We also offer a comprehensive medical and prescription drug plan.
Adamant Global is an equal opportunity employer and values a diverse combination of ideas, perspectives and cultures.

FOR IMMEDIATE CONSIDERATION PLEASE APPLY ON-LINE AT:

http://adamant-global.st/index-3.php

For more information please visit our web-site http://adamant-global.st/
We are looking forward to hearing from you.
Once you have any questions, please do not hesitate to visit our site.

Regards, Alexandria Bartley

Adamant Global Inc. © 2007

***********************************************************************************************

exe: 0x97, 0x90, 0x6, 0x24727229, 0x301 type, P6RO, 07NQ 0x82, 0x81 0x99224262, 0x6073, 0x789, 0x591, 0x44208906, 0x28 PDJ: 0x9, 0x72, 0x85, 0x5, 0x99, 0x14, 0x9 rcs: 0x1, 0x922, 0x88, 0x1, 0x8024, 0x82472839, 0x7, 0x6892, 0x69, 0x39, 0x6, 0x5826, 0x046 0x9806, 0x7416, 0x012, 0x02, 0x4817, 0x21, 0x99374044, 0x46692879 0x4, 0x54, 0x36230617, 0x40, 0x5, 0x4, 0x7 include: 0x91673098, 0x99181504, 0x1, 0x6541, 0x572, 0x86278209, 0x94

0x4, 0x3226, 0x079 J5U8: 0x3, 0x85, 0x224, 0x15111929, 0x51, 0x70422969, 0x179, 0x85850103, 0x999, 0x129, 0x53084869 5XR: 0x64 SZWA. 0x1952, 0x880, 0x2057, 0x03, 0x4, 0x03 0x100, 0x8018, 0x3952, 0x73, 0x45, 0x3346, 0x5145, 0x7341, 0x23, 0x4122, 0x347, 0x240 define, interface, close, cvs, exe, KC7, XOCD, update. 0x68, 0x6 O8JU: 0 x20, 0x81, 0x3015, 0x1127, 0x1, 0x781, 0x93 ONBB: 0x14, 0x0, 0x333, 0x0682, 0x126, 0x42900930, 0x2, 0x4769, 0x429, 0x3, 0x88755613, 0x93, 0x390, 0x61

hex: 0x7100, 0x36327091, 0x47, 0x7, 0x6, 0x4579, 0x4396, 0x21680739, 0x0, 0x2, 0x104, 0x81 SRQE: 0x15724812, 0x705, 0x863, 0x0903, 0x453, 0x00709633, 0x2898 serv: 0x06, 0x793, 0x3933, 0x8004, 0x84, 0x7 0x8, 0x42, 0x8616, 0x43086087, 0x5, 0x11, 0x3123, 0x30243839, 0x73, 0x53120897, 0x78, 0x1, 0x89543064, 0x411 1HE.0x6712 0x65214896, 0x37083980, 0x0885 stack: 0x1, 0x605, 0x4728, 0x975, 0x0848, 0x356, 0x4, 0x3039, 0x6319, 0x15246649, 0x3 J0C interface 9KX type 66O3 tmp rcs interface D7I. 0x533, 0x36352470, 0x14, 0x93

__________________________________________________________________________________________________________________________

It's the usual advertisement for a money transfer mule, i.e. accepting payments into your bank account and forwarding them on to the crooks using Moneygram & Western Union keeping 10% for yourself. Totally illegal, of course & as previously said, it is the 'mules' that will get the visit from the police, (not the fraudsters), if they accept the 'job' offer. They will also lose any of the stolen or counterfeit 'funds' deposited by the criminal as evidenced by some of the US victims that have contacted me who have lost thousands of dollars to this criminal.
__________________________________________________________________________________________________________________________

The zombie botnet method of operation of these criminals, (when used - they don't always), is exactly the same as for the Sydney Car Centre fraud - reference should be made to that page for more detail. The only difference is in the domains, nameserver domains & host IP.
__________________________________________________________________________________________________________________________

Blocking The spam

I have had quite a few queries about how to block the criminal's spam in Outlook Express. Fortunately they are easily detected using the OE 'Mail Rules' (Tools - Message Rules - Mail).

Rules based on the From, To etc addresses will never work as the header data is all forged. The message body remains constant, however & that can be used to detect them.

Use the rule "Where the message body contains specific words" and use the name Adamant Global as the search item then choose 'delete' (or whatever action you prefer) as the action then that will definitely detect every single one of these spams.

The only problem then is if someone sends you a wanted email containing the name Adamant Global.

So, to get around that you could of course pick any combination of letters from the spam as I believe that they are all the same, for example you could use the phrase "international business in 24 countries" as the detection phrase using the above rule. That should detect them all and also be pretty safe from false positives.
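The same body-based rule can be applied outside Outlook Express. The following Python is an added example, not part of the original page: it decodes the message body, normalises whitespace and case, and matches the phrase suggested above, so forged headers play no part in the decision. The three sample messages are constructed, and the hex-noise ratio with its 0.2 threshold is an assumed secondary signal based on the 'pseudo-code' block shown in the spam content.

```python
import html
import re
from email import message_from_string
from email.policy import default

PHRASE = "international business in 24 countries"  # detection phrase suggested above
HEX_TOKEN = re.compile(r"^0x[0-9a-f]+[,.:]?$", re.I)

# Constructed samples: two spams with different forged senders, one wanted mail.
SPAM_PLAIN = """\
From: "Adamant Global Inc" <forged-one@example.invalid>
Subject: job offer.
Content-Type: text/plain; charset="us-ascii"

Adamant Global Inc. operates a highly successful International
business in 24   countries.

exe: 0x97, 0x90, 0x6, 0x24727229, 0x301 type
"""

SPAM_HTML = """\
From: "Personnel Dept" <forged-two@example.invalid>
Subject: Stop Looking For A New Part-Time Job - Here It Is
Content-Type: text/html; charset="us-ascii"

<p>operates a highly successful international
<b>business</b> in 24&nbsp;countries.</p>
"""

WANTED = """\
From: accounts@example.invalid
Subject: Invoice
Content-Type: text/plain; charset="us-ascii"

Your invoice from Adamant Global Pty Ltd is attached.
"""


def body_text(raw):
    """Decode every text part and return one lower-cased, whitespace-normalised string."""
    msg = message_from_string(raw, policy=default)
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        text = part.get_content()
        if part.get_content_subtype() == "html":
            # Crude tag strip, enough to expose the visible words to the phrase match.
            text = html.unescape(re.sub(r"<[^>]+>", " ", text))
        chunks.append(text)
    return " ".join(" ".join(chunks).split()).casefold()


def hex_noise_ratio(text):
    """Fraction of tokens that are bare hex literals such as '0x97,'."""
    tokens = text.split()
    if not tokens:
        return 0.0
    return sum(bool(HEX_TOKEN.match(t)) for t in tokens) / len(tokens)


def name_rule(raw):
    """The first rule discussed above: match on the company name alone."""
    return "adamant global" in body_text(raw)


def classify(raw, noise_threshold=0.2):
    """Phrase match decides deletion; heavy hex noise alone only asks for a review."""
    text = body_text(raw)
    phrase_hit = PHRASE.casefold() in text
    noise = hex_noise_ratio(text)
    if phrase_hit:
        verdict = "delete"
    elif noise >= noise_threshold:
        verdict = "review"
    else:
        verdict = "keep"
    return {"phrase_hit": phrase_hit, "hex_noise": round(noise, 2), "verdict": verdict}


if __name__ == "__main__":
    for name, raw in (("plain", SPAM_PLAIN), ("html", SPAM_HTML), ("wanted", WANTED)):
        print(name, classify(raw), "name rule fires:", name_rule(raw))
```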
__________________________________________________________________________________________________________________________
Here are all the known domains that are/have been used for the Adamant Global fraud:
 
Domain                  Status                          Registrar
----------------------  ------------------------------  -----------------------
adamant-global.ph       Suspended                       domains.ph
adamant-global.com      Active (Hosting ceased 08/08)   Joker.com
adamant-global.net      Active (Not hosted)             Joker.com
adamantglobal.hk        Suspended                       HKDNR
adamant-global.com.ph   Suspended                       Domains.ph
adamant-global.hk       Suspended                       HKDNR
global-adamant.com.ph   Suspended                       Domains.ph
global-adamant.net.ph   Suspended                       Domains.ph
adamant-globalinc.st    Active (Unhosted)               Nic.st
adamantglobal.st        Active (Unhosted)               Nic.st
adamant-global.st       Active (Unhosted)               Nic.st
globaladamant.com       Suspended                       NETWORK SOLUTIONS, LLC.
adgl.li                 Suspended                       Switch.ch
adtg.ch                 Suspended                       Switch.ch
adtgl.li                Suspended                       Switch.ch
adgl.ch                 Suspended                       Switch.ch
adtg.li                 Suspended                       Switch.ch

Nameserver Domains      Status                          Registrar
----------------------  ------------------------------  -----------------------
mounthdd.com            Active                          Register.com
western-eshop.com       Active                          Joker.com
vol-dx.com              Active                          Spiritdomains/IARegistry
leehomeworld.com        Suspended                       Spiritdomains/IARegistry
biosigndata.com         Suspended                       Spiritdomains/IARegistry

Please notify me of any errors or domains not listed here.

Tips for registrars

i) The Adamant Global criminal uses his own nameserver domain to control his zombie botnet. By definition there can be no legitimate domains using his dedicated botnet nameserver(s), currently ns1.biosigndata.com. This provides a good database search option for you to identify & delete all of this criminal's fraud domains & suspend them if you so wish.

ii) All of the Adamant Global criminal's domains have different false whois data.
__________________________________________________________________________________________________________________________

Adamant Global Fraud Blog

7th. August 2007

Let's have a look at this Adamant Global criminal's network:

DNS traversal data for adamant-global.net:

Nameserver
(Zombie botnet controller)
---------------'A' Records (Zombie Host IPs)--------------------
ns1.vol-dx.com [207.10.232.123] 80.99.110.190 81.57.229.240 83.255.126.121 84.58.175.148 86.126.65.19
ns2.vol-dx.com [20.15.21.77] Timeout - Fake nameserver to make up RFC requirement for two nameservers, (never resolves).

The above data also holds true for all domains apart from adamant-global.com. The crook's network for the domain adamant-global.com shows a conventionally hosted website:

-------Nameserver----------'A' Records (Site host IP)
ns1.hqhost.net [80.77.85.135] 88.214.198.35
ns0.hqhost.net [80.77.80.67] 88.214.198.35

The first set of data shows a bog-standard zombie botnet where the nameserver ns1.vol-dx.com is acting as a zombie botnet controller 'herding' the zombies in the 'A' records list.

This list will change at a pre-determined interval as infected computers are added or fall off the list.

The zombie IPs can be confirmed as such by checking their RDNS. This will usually, (depending on the depth of the whois data), confirm them to be ADSL or cable pool IPs, i.e. end users/customers. A tracert done on the Adamant Global domain will end up on one of the zombie IP's showing it to be the host of the site at the time the tracert was done.

The nameserver domain vol-dx.com is once again registered with Spiritdomains who have been less than helpful against these fraudsters of late. The nameserver/zombie botnet controller itself is hosted on IP 207.10.232.123 which belongs to a sub-block used by SAID INC of Perkasie, PA, part of a main block owned by Uslec Corp. of Charlotte, NC.
__________________________________________________________________________________________________________________________
8th. August 2007 The host for adamant-global.com, (UAONLINE-IPIPE), have confirmed closure of the criminal's account - thank you for your prompt action.
__________________________________________________________________________________________________________________________
9th. August 2007 Response received yesterday from USLEC abuse to the effect that they are "working with the customer to resolve the problem". Unfortunately the criminal's botnet remains active this morning and all his botnet hosted domains are still resolving.
__________________________________________________________________________________________________________________________
11th. August 2007 Still no action from USLEC to cease the hosting of this criminal's zombie botnet. New domain notified to me - adamant-global.hk - thank you for that. It's also hosted on the USLEC/SAID zombie botnet.
__________________________________________________________________________________________________________________________
14th. August 2007 Response from Said Inc. to the effect that they have ceased the botnet controller hosting - thanks. The criminal has now moved his botnet controller ns1.vol-dx.com to IP 8.9.64.198 which is owned by Kramer Ceilley and Associates. Abuse report sent. DNSStuff is slow to register these botnet IP changes - domaintools.com is much quicker & more reliable. DNS data:
__________________________________________________________________________________________________________________________
15th. August 2007 The crook has already moved his botnet again to 89.145.96.145 which is an IP owned by Gyron Internet Ltd, a UK host. Abuse report filed.
Later - Action taken notice received from Gyron customer support and their hosting for the criminal on IP 89.145.96.145 now appears to be ceased. Thanks to all involved for the quick response.
Both the crook's .hk domains have been suspended - thanks to HKDNR.
__________________________________________________________________________________________________________________________
28th. August 2007
Reports of this fraudster's demise were a little premature - report received of domain global-adamant.com.ph

Adamant Global Zombie Botnetwork details:
Looking up at the 2 global-adamant.com.ph. parent servers:

----------Botnet Nameserver-----------'A' Record Response (Zombies)------
ns1.leehomeworld.com[198.145.182.7] 142.217.62.13 24.212.72.73 81.98.106.52 82.54.211.235 88.70.247.247
ns2.leehomeworld.com [67.14.18.22] Timeout - Fake nameserver to meet RFC requirement for two nameservers, (never resolves)

The data shows a standard zombie botnet where the nameserver ns1.leehomeworld.com hosted by VPSByte.com on IP 198.145.182.7 in an IP sub-block of Infinity Internet, Inc. is acting as a zombie botnet controller 'herding' the rotating zombies in the 'A' records list.
__________________________________________________________________________________________________________________________
30th. August 2007
Feedback from domains.ph - domains global-adamant.com.ph and global-adamant.net.ph have been suspended - thanks guys.
__________________________________________________________________________________________________________________________
5th. September 2007
Feedback from site visitor - new Adamant Global domain notified - adamant-globalinc.st. Checking the current network.....

Looking up at the 2 adamant-globalinc.st. parent servers:

----------Botnet Nameserver-----------'A' Record Response (Zombies)------
ns1.leehomeworld.com[198.145.182.7] 85.178.25.58 86.104.81.222 88.70.62.45 82.39.13.223 82.41.246.247
ns2.leehomeworld.com[67.14.18.22] Timeout - Fake nameserver to meet RFC requirement for two nameservers, (never resolves)

Disappointing to see that it is still on the VPSByte.com network that was first reported on August the 28th. and that the nameserver domain leehomeworld.com is still active. Further action required. Abuse reported to Nic.st, Infinity Internet, Spiritdomains & VPSByte.
__________________________________________________________________________________________________________________________
7th. September 2007
The criminal's zombie botnet is unfortunately, (for the victims, that is), still active on the VPSByte.com network despite having been initially reported to them by email on August the 29th. To be fair, VPSByte did write to me earlier today to say that they have written to their client and say to me: "It has been 1 day and 6 hours and no reply. I will update you when it has been 72 hours." Unfortunately, from experience, the situation appears to be that the criminal's contact details are bogus, but even if they aren't, the criminals are not likely to respond, so taking that path just gives them another few days to steal from victims that are sucked into the fraud as VPSByte will never receive a reply from the criminals.
Later - New domain reported to me by site visitor - adamantglobal.st Abuse reported to Nic.st
__________________________________________________________________________________________________________________________
***Latest News*** 9th. September 2007
The Adamant Global criminal's zombie botnet has eventually been disconnected by VPSByte which has unfortunately given the crooks a much longer run than they probably anticipated. They now **appear**, (unless it's a feint), to have switched their attentions to Layeredtech, who on the last couple of occasions with the criminal's other aliases of Sydney Car Centre & Harvey Investment have been admirably quick to take action. The domains are not yet resolving in DNS as I write this so no action as yet. DNS data:
Looking up the 2 adamant-globalinc.st. parent servers:

Botnet Nameserver 'A' Record Response (Zombie host IPs)
ns1.leehomeworld.com [72.36.142.255] 74.78.118.52 79.66.59.137 81.182.29.172 82.158.152.78 89.40.224.104
ns2.leehomeworld.com [67.14.18.22] Timeout

I know of just the two criminal's domains still active - adamant-globalinc.st & adamantglobal.st. If anyone knows of any others then please do let me know.
Later - New fraud domain adamant-global.st notified to me by site visitor - thank you.
Later - domains resolving in DNS on above Layeredtech zombie botnet - abuse report sent.
__________________________________________________________________________________________________________________________
11th. September 2007
Layeredtech have quickly terminated this Adamant Global crook's hosting, (thanks guys), and they have now moved on to IP 72.249.76.56 which the whois data shows to belong to Networld Internet Services in a sub-block of IPs belonging to Colo4Dallas, (abuse reported). DNS data:
Looking up the 2 adamant-globalinc.st. parent servers:

Botnet Nameserver 'A' Record Response (Zombie host IPs)
ns1.leehomeworld.com [72.249.76.56] 69.230.195.10 74.13.160.178 81.213.152.116 121.247.251.118 69.55.249.1
ns2.leehomeworld.com [67.14.18.22] Timeout

The data shows a standard zombie botnet where the nameserver ns1.leehomeworld.com hosted by Networld Internet Services on IP 72.249.76.56 in an IP sub-block of Colo4Dallas IPs is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
__________________________________________________________________________________________________________________________
13th. September 2007
Unfortunately the Adamant Global zombie botnet is still active on the Networld Internet Services/Colo4Dallas IP 72.249.76.56 and his criminal money transfer fraud site is still operational.

__________________________________________________________________________________________________________________________
14th. September 2007
Unfortunately the Adamant Global zombie botnet is still active on the Networld Internet Services/Colo4Dallas IP 72.249.76.56 and his criminal money transfer fraud site is still operational.
__________________________________________________________________________________________________________________________
15th. September 2007
Unfortunately the Adamant Global zombie botnet is still active on the Networld Internet Services/Colo4Dallas IP 72.249.76.56 and his criminal money transfer fraud site is still operational, although Colo4Dallas have been aware of the criminal abuse since the 11th. September.
__________________________________________________________________________________________________________________________
17th. September 2007

The Colo4Dallas zombie botnet IP 72.249.76.56 is now timing out. I haven't had any feedback from Colo4Dallas, but it looks as though they have finally taken action against the Adamant Global criminal fraudster's botnet.
__________________________________________________________________________________________________________________________
18th. September 2007
The Adamant Global fraudster is back up on a new IP for his zombie botnet controller.
DNS data:
Looking up the 2 adamant-globalinc.st. parent servers:

| Botnet Nameserver | 'A' Record Response (Zombie host IPs) |
|---|---|
| ns1.leehomeworld.com [67.159.41.119] | 82.41.246.247 86.126.136.52 88.64.44.42 89.137.201.219 89.40.224.104 |
| ns2.leehomeworld.com [67.14.18.22] | Timeout |

The data shows a standard zombie botnet where the nameserver ns1.leehomeworld.com hosted by FDCServers.net, LLC on IP 67.159.41.119 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
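
The three lookups of adamant-globalinc.st recorded on this page so far can be compared mechanically to show the rotation described above. The following is an added example, not part of the original report: it measures how completely the 'A' record set is replaced between lookups, how many unrelated networks the answers span, and how often the controller nameserver moved. The function names, the thresholds and the STABLE control data (documentation-range addresses) are assumptions made for illustration.

```python
from ipaddress import ip_network

# 'A' record answers copied from the DNS tables on this page, oldest first.
# Each entry: (label, IP of the answering nameserver, 'A' records returned)
LEEHOMEWORLD = [
    ("Layeredtech, before 11 Sep 2007", "72.36.142.255",
     ["74.78.118.52", "79.66.59.137", "81.182.29.172", "82.158.152.78", "89.40.224.104"]),
    ("11 Sep 2007", "72.249.76.56",
     ["69.230.195.10", "74.13.160.178", "81.213.152.116", "121.247.251.118", "69.55.249.1"]),
    ("18 Sep 2007", "67.159.41.119",
     ["82.41.246.247", "86.126.136.52", "88.64.44.42", "89.137.201.219", "89.40.224.104"]),
]

# Constructed control: a conventionally hosted site answering from one subnet.
STABLE = [
    ("day 1", "192.0.2.53", ["198.51.100.10", "198.51.100.11"]),
    ("day 2", "192.0.2.53", ["198.51.100.10", "198.51.100.11"]),
    ("day 3", "192.0.2.53", ["198.51.100.10", "198.51.100.11"]),
]

def slash16(ip):
    """Collapse an IPv4 address to its /16 so unrelated networks stand out."""
    return str(ip_network(f"{ip}/16", strict=False))

def rotation_profile(snapshots):
    """Summarise how a domain's answers behave across successive lookups."""
    seen, churn, prev = set(), [], None
    for _, _, answers in snapshots:
        cur = set(answers)
        if prev is not None:
            # Jaccard distance: 0.0 = same answer set, 1.0 = fully replaced
            churn.append(1 - len(cur & prev) / len(cur | prev))
        seen |= cur
        prev = cur
    return {
        "distinct_ips": len(seen),
        "distinct_slash16": len({slash16(ip) for ip in seen}),
        "controller_moves": len({ns for _, ns, _ in snapshots}) - 1,
        "mean_churn": round(sum(churn) / len(churn), 2) if churn else 0.0,
    }

def looks_rotating(profile, min_networks=5, min_churn=0.5):
    """Assumed heuristic thresholds; tune them against your own DNS logs."""
    return (profile["distinct_slash16"] >= min_networks
            and profile["mean_churn"] >= min_churn)

if __name__ == "__main__":
    for name, data in (("adamant-globalinc.st", LEEHOMEWORLD), ("control", STABLE)):
        profile = rotation_profile(data)
        print(name, profile, "rotating" if looks_rotating(profile) else "stable")
```

Only 89.40.224.104 appears in more than one lookup, so the page's data yields 14 distinct hosts across 14 different /16 networks with the answer set fully replaced each time, while the control stays on one network.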
__________________________________________________________________________________________________________________________
22nd. September 2007
FDC Servers have had one abuse report and one reminder. Unfortunately they have failed to respond to the reports of criminal fraud activity and zombie botnet activity that they are hosting on their IP 67.159.41.119. I'll try one more report to alternate addresses and if they fail to respond to that I shall unfortunately have to write them off as just another criminally indifferent US colo/vps host and add them to the list.
__________________________________________________________________________________________________________________________
27th. September 2007
Spiritdomains have finally suspended the criminal's nameserver domain leehomeworld.com so all of the criminal's domains are now timing out as his DNS is failing.

27th. October 2007
I see no sign of any recent activity from this criminal, so unless anyone knows of any resolving domains or recent spam from him I shall shortly consign him to the dustbin of history...

18th. November 2007
Just when I thought it was safe to go back in the water, this criminal resurrects his Adamant Global fraud using domains adgl.li and adtg.ch.
DNS data valid for both adgl.li and adtg.ch:
How I am searching:

Searching for adgl.li A record at e.root-servers.net [192.203.230.10]: Got referral to MERAPI.SWITCH.CH. (zone: li.) [took 48 ms]
Searching for adgl.li A record at MERAPI.SWITCH.CH. [130.59.211.10]: Got referral to ns1.biosigndata.com. (zone: adgl.li.) [took 146 ms]
Searching for adgl.li A record at ns1.biosigndata.com. [72.249.96.26]: Reports adgl.li. [took 2 ms] Response:
Domain Type Class TTL Answer
adgl.li. A IN 1800 82.137.45.155
adgl.li. A IN 1800 87.248.69.112
adgl.li. A IN 1800 67.33.128.5
adgl.li. A IN 1800 74.13.153.198
adgl.li. A IN 1800 81.190.183.80
adgl.li. NS IN 1800 ns2.biosigndata.com.
adgl.li. NS IN 1800 ns1.biosigndata.com.
ns1.biosigndata.com. A IN 1800 72.249.96.26 (Colo4Dallas)
ns2.biosigndata.com. A IN 1800 212.78.44.91 (N/A)

Looking up at the 2 adgl.li. parent servers (data also valid for adtg.ch):

| Botnet Nameserver | Host | 'A' Record Response (Zombie host IPs) |
|---|---|---|
| ns1.biosigndata.com [72.249.96.26] | Colo4Dallas | 67.33.128.5 74.13.153.198 81.190.183.80 82.137.45.155 87.248.69.112 |
| ns2.biosigndata.com [212.78.44.91] | N/A | Timeout - Fake nameserver (Never resolves - needed to make up rfc requirement for two nameservers) |

The data shows a standard zombie botnet where the nameserver ns1.biosigndata.com hosted by Colo4Dallas on IP 72.249.96.26 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

19th. November 2007
New domain reported - adtgl.li on the same Colo4Dallas zombie botnet. Switch.ch have already suspended the domains adgl.li and adtg.ch - no response yet from Colo4Dallas.

***Latest News*** 20th. November 2007
New domain reported - adgl.ch on the same Colo4Dallas zombie botnet. No response at all from Colo4Dallas.
Later - reply from Colo4Dallas to the effect that they "have opened an abuse trouble ticket with our direct customer requiring the service to be terminated".

Later - new domain notified - adtg.li

***Latest News*** 21st. November 2007
Colo4Dallas report that "Our customer has terminated the offending VPS" (ns1.biosigndata.com [72.249.96.26]) and the IP appears to be dead.
Nic.ch have suspended all of the criminal's known active domains (listed above). If you know of any other currently active domains, please let me know.
No active domains known.