These Next Level fraudsters use a
website which has been stolen from a genuine UK company,
solutions-inc.co.uk based in Brighton and the surrounding area. The
genuine website store page is http://www.solutions-inc.co.uk/storelocator.php
and the fraudster's fake store page is http://www.nextlevel-uk.com/storelocator.htm.
The fact that the stolen site is a clone of
the genuine one is self-evident. Further evidence below of fraud and
the use of the website to spamvertize a money laundering mule 'job'
under the address http://nextlevel-uk.com/job.php.
[Photographs: "Same shop, different angle.... Spot the difference". Captions: "The Genuine Company Solutions Inc." and "The Faked Next Level Website Photograph"]
ii) I have contacted the genuine company Solutions-inc, whose website
has been stolen, by telephone (01273 200801), and they confirm that
this is in fact the case.
iii) The
contact telephone number of 20 8133 2803 on the stolen Next Level
website is not a valid UK number & does not connect.
v) The
general link from the spams, e.g. (http://nextlevel-uk.com/job.php)
leads to a job page on the fake site. This
job page contains a money laundering mule job application form for
a 'freelance
financial representative'.
There is no such job page on the genuine site.
vi) The spam
is zombie botnet distributed - see headers below.
vii) The
fraudsters have assumed the identity of:
Next Level Ltd.
United Kingdom
1 WATERLOO WAY
LE1 6LP LEICESTER
Company Registration No. 02783459
The Companies House listed registered
trading address is in a totally different area of the UK to the bogus
'Next Level' company itself, and the listed
company is clearly shown as not having any branches or overseas details.
The accounts information indicates that this company is dormant. It is
obviously an assumed bogus identity.
viii) The
reputable F-Secure company have produced the following information on
this fraudster:
The Next Level spam headers contain many
different forged/bogus 'From' &
'Return Path' addresses & various forged 'Receive' lines. The
subject lines vary & all indicate that there is a job
opportunity to be had. There is - an illegal job as a money laundering
'mule' or transfer fraud victim, i.e. accepting stolen or counterfeit
proceeds into your account and forwarding it on via Western Union or
Moneygram for a percentage cut. Needless to say it is these mules that
will probably feel the full weight of the law while the remote money
launderers are safe. The bogus or stolen funds in the mule's account may
well also be recovered, leaving them with large losses.

The Spam Headers
Return-Path: <davy@searchhound.com>
Received: from mwinf3423.me.freeserve.com (mwinf3423.me.freeserve.com)
by mwinb3406 (SMTP Server) with LMTP;
Fri, 19 Oct 2007 16:21:35 +0200
X-Sieve: Server Sieve 2.2
Envelope-to: xxxxxxxxxx.freeserve.co.uk
Received: from me-wanadoo.net (localhost [127.0.0.1])
by mwinf3423.me.freeserve.com (SMTP Server) with ESMTP id xxxxxxxxxxxx
for <xxxxxxxxxx.freeserve.co.uk>; Fri, 19 Oct 2007 16:21:35 +0200 (CEST)
Received: from adsl-caller-212-243-218-30.wws24.ch
(adsl-caller-212-243-218-30.wws24.ch [212.243.218.30])
by mwinf3423.me.freeserve.com (SMTP Server) with ESMTP id xxxxxxxxxx
for <xxxxxxxxxx.freeserve.co.uk>; Fri, 19 Oct 2007 16:21:34 +0200 (CEST)
X-ME-UUID: xxxxxxxxxx@mwinf3423.me.freeserve.com
Received: from [212.243.218.30] by dns5.name-services.com; Fri, 19 Oct 2007 14:20:49 +0000
Message-ID: <xxxxxxxxxx@nnxohryx>
From: "srinivas@uk.psi.com|mail.uk.psi.com|154.8.2.142|pri3.dns.uk.psi.net|154.32.109.30|sec1.dns.uk.psi.net|154.32.105.34|sec2.dns.uk.psi.net|154.32.107.34|pri1.dns.uk.psi.net|154.32.105.30|pri2.dns.uk.psi.net|154.32.107.30" <davy@searchhound.com>
To: <xxxxxxxxxx.freeserve.co.uk>
Subject: Freelance job
Date: Fri, 19 Oct 2007 12:33:27 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0004_01C8125B.03BB5A4C"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.2663
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2757
X-me-spamlevel: med
X-me-spamrating: 86.122483
X-Antivirus: AVG for E-mail 7.5.488 [269.15.1/1079]

Recipient & message id munged.

The first thing to notice is the spam source IP. Reading from the
bottom upwards (following the routing, as is the norm when parsing
headers), the first of the two Received lines (red) can be rejected as
unsafe and is almost certainly forged. The actual trusted source IP,
which cannot be forged, is the one recorded by the recipient's email
provider (Freeserve), and that is in this line (green):
Received: from clm90.neoplus.adsl.tpnet.pl (clm90.neoplus.adsl.tpnet.pl [83.31.114.90])
by mwinf3004.me.freeserve.com (SMTP Server) with SMTP id xxxxxxxxxxxx
for <xxxxx@xxxxxx.freeserve.co.uk>; Thu, 4 Oct 2007 20:00:32 +0200 (CEST)
In this Received line the source IP address is 83.31.114.90, the reverse
DNS (RDNS) for which correctly indicates clm90.neoplus.adsl.tpnet.pl,
which confirms that the source address is genuine.
In the above RDNS sender identity note the letters adsl. These stand
for Asymmetric Digital Subscriber Line and tell you for sure that the
spam has come from an end user's computer on an ADSL network in Warsaw,
Poland (from the whois data for the IP address).
"Well", you say, "there's your
criminal". Unfortunately not - he or she may be guilty of criminal
stupidity by not having a firewall or clicking on the latest nude
pictures of Britney Spears, but unfortunately probably not criminal
fraud -
he/she is just one of tens of thousands of 'zombies' - computers that
have been infected with a zombie virus or worm. What it does tell you
is that the Next Level
spammer uses a zombie botnet to distribute his spam in exactly the same
way as Draper Investment, Sydney Car Centre, Harvey Invest, Adamant
Global and all the
rest of these criminals.
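
The bottom-up reading of Received lines described above, as an added example that is not part of the original page. The sample is built from the Received lines in the header dump above with the folding tidied; the provider suffix `.freeserve.com` and the set of access-line labels are assumptions made for illustration.

```python
import ipaddress
import re
from collections import namedtuple
from email import message_from_string

# Constructed sample: the Received lines from the header dump above, folding tidied.
SAMPLE = """\
Received: from mwinf3423.me.freeserve.com (mwinf3423.me.freeserve.com)
    by mwinb3406 (SMTP Server) with LMTP; Fri, 19 Oct 2007 16:21:35 +0200
Received: from me-wanadoo.net (localhost [127.0.0.1])
    by mwinf3423.me.freeserve.com (SMTP Server) with ESMTP id xxxxxxxxxxxx;
    Fri, 19 Oct 2007 16:21:35 +0200 (CEST)
Received: from adsl-caller-212-243-218-30.wws24.ch
    (adsl-caller-212-243-218-30.wws24.ch [212.243.218.30])
    by mwinf3423.me.freeserve.com (SMTP Server) with ESMTP id xxxxxxxxxx;
    Fri, 19 Oct 2007 16:21:34 +0200 (CEST)
Received: from [212.243.218.30] by dns5.name-services.com;
    Fri, 19 Oct 2007 14:20:49 +0000
"""

Hop = namedtuple("Hop", "helo rdns ip by")
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*"                                     # name the peer claimed
    r"(?:\((?P<rdns>[^\s\[\]()]+)?\s*(?:\[(?P<ip>[\d.]+)\])?\))?"  # what the receiver saw
    r".*?\bby\s+(?P<by>[^\s;]+)")                                  # server that wrote the line
# Assumed, illustrative set of hostname labels that suggest an end-user access line.
ACCESS_LABELS = {"adsl", "dsl", "cable", "dialup", "ppp", "dyn", "pool"}

def parse_hops(raw):
    """Received lines in header order: newest (top) first, oldest (bottom) last."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.match(" ".join(value.split()))   # unfold continuation lines
        if m:
            hops.append(Hop(m["helo"], m["rdns"], m["ip"], m["by"]))
    return hops

def is_internal(hop, suffixes):
    """True when the peer is loopback/private or named inside the provider's domain."""
    if hop.ip:
        addr = ipaddress.ip_address(hop.ip)
        if addr.is_loopback or addr.is_private:
            return True
    return bool(hop.rdns) and hop.rdns.lower().endswith(suffixes)

def trusted_source(raw, suffixes):
    """Return (hop where the provider logged an outside peer, unverifiable hops below it)."""
    hops = parse_hops(raw)
    for i, hop in enumerate(hops):
        if is_internal(hop, suffixes):
            continue                       # relay inside the provider, keep descending
        if hop.by.lower().endswith(suffixes):
            return hop, hops[i + 1:]       # peer IP was written by the provider itself
        return None, hops[i:]              # outside peer logged by an outside server
    return None, []

def looks_residential(rdns):
    return bool(rdns) and bool(ACCESS_LABELS & set(re.split(r"[.-]", rdns.lower())))
```

Calling `trusted_source(SAMPLE, (".freeserve.com",))` returns the hop with IP 212.243.218.30 as the trusted source and the `dns5.name-services.com` line as unverifiable. Confirming the RDNS name with a live lookup, as the text does, is left out so the example runs offline.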
Lastly, davy@searchhound.com is not "Next Level" - this is just another
forged email address which may or may not actually exist.
Incidentally, never 'bounce' spam back to the 'sender', as it only
bounces back to a forged address which, if real, will only belong to an
innocent third party who will understandably be a little peeved with
you. If you do it a lot you could get your ISP's SMTP IP range
blacklisted, and they will be even more upset with you & could
justifiably close your account.

The Spam
JOB OFFER
Successful high-growing company (Apple dealer
in United Kingdom)
hire people for freelance work in European countries.
The fraudster does not use a zombie botnet so far. The various DNS
details are:
Looking up at the 2 iphone-euro.com. parent servers:

Server                                   Response
ns2.uzaknet.org [88.255.78.75]           88.255.78.75
ns1.uzaknet.org [88.255.78.74]           88.255.78.75

88.255.78.75 = NarwebNet

Looking up at the 2 nextlevel-ltd.co.uk. parent servers:

Server                                   Response
ns32.iksserver.com [69.16.243.46]        69.16.243.45
ns31.iksserver.com [61.16.243.45]        Timeout

69.16.243.45 = Liquid Web, Inc.

Looking up at the 2 nextlevel-mac.co.uk. parent servers:

Server                                   Response
ns17.redbackinternet.net [91.186.0.9]    91.186.0.9
ns18.redbackinternet.net [91.186.0.121]  91.186.0.9

91.186.0.9 = Euroconnex Networks LLP

Please notify me of any errors or domains not listed here.
__________________________________________________________________________________________________________________________
The Spam Content
The headers contain many different forged/bogus 'From' & 'Return Path'
addresses & various forged 'Receive' lines. The subject lines vary
greatly, but include "Work at home", "Freelance job", "Freelancers
needed" & "Job offer", all of which indicate that there is a job
opportunity to be had. There is - a job as a money laundering 'mule',
i.e. accepting counterfeit or stolen criminal proceeds into your
account and forwarding them on via Western Union or Moneygram for a
percentage cut, (usually 10%). Needless to say it is you the mule that
will inevitably feel the full weight of the law while the remote money
launderers are safe & in the case of counterfeit funds you will
lose it all when the funds are recovered & your account is
closed.
In addition you will lose whatever real money you have sent on via
Western Union which is unrecoverable.
This is the content of an actual spam:
__________________________________________________________________________________________________________________________
Job offer for students, home-workers, companies and people
which have free 2-3 hours a day.
Our company (Apple Premium Reseller in UK) hires people for freelance
work in Europe and USA.
More information about us at http://nextlevel-ltd.com
More information about the job at http://nextlevel-ltd.com/job.php
__________________________________________________________________________________________________________________________
The Bogus Job Page
Earn with Next Level!
This offer for EUROPE and USA ONLY!
We are currently looking for freelance financial representatives in
Europe and USA.
We sell Apple products and supporting accessories in Europe and USA,
you have a possibility to become a freelance financial representative
of our company in your country.
Candidate requirements:
- Location in USA or country of the EUROPEAN
UNION(Switzerland also accepted).
- free2-3 hours a day;
- 21+ years old;
- Honest, responsible and prompt in operations;
- Have an adaptable, flexible and professional attitude;
- Polite, tactful;
- Have constant internet access for communication with our company via
e-mail.
This job will give you:
- part-time employment;
- work from home;
- communication and business skills for working in other spheres of
activity;
- possibility to combine this job with your full-time employment and
own schedule;
- additionally, you will receive awards and bonuses for high-quality
and accurate work.
So we hire people for freelance
work. You can combine it with your full-time work.
The salary for private persons is 300 - 2500 EUR per week.
We have special offer for the companies also (earnings are 2000 - 5500
EUR per week ) .
If you have an interest to our
proposition fill out this form please:
As soon as your details will be received we
send you more information about the job
and terms of employment.
We Respect Your Privacy
The information provided on this form will be used exclusively by Next
Level
None of the information provided will be forwarded to a third party.
Next Level respect your privacy.
Contract of Employment
This is the bogus contract of employment that the fraudster sends out
to his prospective victims. Note the clear money mule function under
1.2.4 Representative Duties and Services:
EMPLOYMENT CONTRACT No XXXXX
THIS FREELANCE REPRESENTATIVE EMPLOYMENT CONTRACT ("Contract")
between Next Level Limited hereinafter "Company"
and (full name, according to passport)
hereinafter the "Representative" is drawn up and entered into force on
October 22, 2007 (the "Effective Date").
Company and Representative, intending to become legally bound,
agree:
ARTICLE 1.
EMPLOYMENT PLACEMENT AND TERMS
1.1 Employment Placement. After filling in
all necessary
forms and documents by Representative, the Company makes its best
efforts to provide a Representative partial employment accounting
his/her individual schedule as a representative (employee) of the
Company or any regional branch of it. The Company will put forth its
best efforts in making it possible for the representative to start
working within thirty (30) days from the signing of the contract.
The Representative's employment does not become official until he (she)
fills in all necessary forms in the contract.
1.2 Employment Placement Terms. Both
Representative and Company agree that the Employment shall include the
following terms:
Company shall be responsible for complying with all
applicable
laws, rules and regulations, including all applicable labor laws, rules
and regulations without any limitation.
Prevailing Wage Rate.
The Company pays the Representative a
salary in the amount of 7 % from each bank
transaction.
1.2.3 Minimum Time Commitment.
Representative agrees to remain with the Company and
satisfactorily
perform Representative’s employment duties before the Company
for a
minimum time period of one (1) month from the Employment Start Date
(the "Minimum Time Commitment");
In case the Representative fails to meet the Minimum Time
Commitment for any reason Representative is to notify Company about it
immediately.
Representative Duties and Services.
The contents of services:
Bank transfers are transferred from customers of the Company
to the
Representative’s bank account. The Representative is informed
by
Company’s financial representative about the bank transfers
by the
phone before the transfer. On receipt of the information about bank
transaction the Representative should receive money and send it through
Western Union or Money Gram money transfer services. Information for
Western Union and Money Gram transfers is received by the
Representative by email after the bank transaction.
Working schedule.
Company’s financial representative informs the
Representative by email or phone about any work and duty to be
performed.
1.2.5 Charges and fees.
Western Union and Money Gram charges and fees are paid by the
Company from each bank transfer received by the Representative.
ARTICLE 2.
ACKNOWLEDGEMENTS, REPRESENTATIONS AND WARRANTIES, AND
COVENANTS OF REPRESENTATIVE
2.1 Representative acknowledges, represents
and warrants, or covenants, as applicable, that:
Representative promptly complies with all Company
requests to information and documentation related to the Representative.
All the information and documentations provided by the
Representative to the Company prior to and after the Effective Date are
to be accurate and complete in all respects and not false or misleading
in any respect.
ARTICLE 3.
DEFAULT AND TERMINATION
3.1 Events of Default. Any of the
following events shall be deemed to be events of the
Representative’s default pursuant to this Contract:
3.1.1 Representative fails to satisfy the Minimum Time
Commitment.
The Company for purposes of this Section 3.1.1, "as the fault" shall
include (a) the Representative's habitual neglect or unsatisfactory
performance of employment responsibilities to Company, (b)
Representative’s failure to observe and comply with the terms
of
employment contract with the Company.
Any of the Representative’s representations
becomes untrue or
incorrect in any respect, if Representative fails or refuses to observe
any covenant(s) or any provision(s) of this Contract.
3.2 The Representative has a right to
terminate the
Contract informing the Company not later than one week before the day
of canceling the Contract.
ARTICLE 4.
MISCELLANEOUS
4.1 Assignment. Representative may not
assign
Representative's rights or duties herein without the prior consent of
the Company. Any such of the Representative’s assignments
without the
prior written consent of Company shall be null and void.
4.2 Waiver. The waiver expressed by any
party hereto
or breach of any provision of this Contract shall not operate or be
construed as a waiver of any other provision hereof and shall not be
effective at all unless being written and signed by both parties.
4.3 Counterparts. This
Contract may be executed simultaneously in two or more counterparts,
each of which shall be deemed as original,
but all of which together shall constitute one and the same instrument.
Both parties of the Contract, Company and Representative, are
acquainted with the terms of the contract and undertake to fulfill
them.
Representative:
First name:
Last name:
Age:
Gender:
Country:
City:
Address:
Postal code / ZIP:
Home #:
Cell #:
Work #:
e-mail:
Signature (surname):
Next Level Fraud Blog
__________________________________________________________________________________________________________________________

August 3rd - 4th. 2007
Numerous spams received from this fraudster.

October 5th. 2007
The fraudster is now using the domains iphone-euro.com and nl-europe.net
for this Next Level fraud. Spams received using this domain.

October 19th. 2007
Email headers from this fraudster's emails:

Received: from kent.webhosting.uk.com (91.186.0.9) by csmtpmx16.frontal.correo (7.2.056.6)
id hfghfhhghghfgfghC for xxxxxxxxxxxx@terra.es; Sat, 20 Oct 2007 21:14:42 +0200
Received: from 53517bad.cable.casema.nl ([83.81.123.173]:31803 helo=[127.0.0.1])
by kent.webhosting.uk.com with esmtpa (Exim 4.68)
(envelope-from <job@nextlevel-mac.co.uk>)
id 1IjJmX-0004Kq-SM
for xxxxxxxxxxxx@terra.es; Sat, 20 Oct 2007 20:14:46 +0100
Message-ID: <471A53A2.40408@nextlevel-mac.co.uk>
Date: Sat, 20 Oct 2007 20:14:42 +0100
From: "Next Level Ltd." <job@nextlevel-mac.co.uk>

It looks as though the criminal is using a zombie botnet controller on
kent.webhosting.uk.com (91.186.0.9) [zombie is 53517bad.cable.casema.nl
([83.81.123.173])]. The IP is owned by Poundhost/Euroconnex and
presumably leased by webhosting.uk.com.

October 24th. 2007
Thanks are due to Hostdime and Jomongee for ceasing the hosting of
nextlevel-mac.co.uk on IP 72.29.78.58. Excellent service from these
guys as usual.

October 26th. 2007
Uzak.net (acting as a domain registration reseller for OnlineNic) have
ignored all abuse reports regarding this fraudster's domain
registrations and OnlineNic have so far failed to respond to requests
for assistance. The known domains involved are:

A judicial notice of adjudicative facts under applicable federal, state
& international laws relating to the registration of these domains and
the evidenced criminal activity involving them has today been emailed
to OnlineNic and Uzak.net. OnlineNic cannot claim to be unaware of the
criminal activity involving their client Uzak.net.

October 29th. 2007
The criminal's domain nextlevel-mac.co.uk is now hosted on IP 91.186.0.9
which belongs to Euroconnex/Poundhost.
Unfortunately the registrar OnlineNic appears to be quite happy to
ignore reports concerning the criminal activity involving all of the
above criminal domains registered by its reseller Uzak.net who are
equally uninterested in the criminal activity of their clients.

November 1st. 2007
Another month and OnlineNic are still ignoring all abuse reports
regarding the above fraud domains. At least Public Domain registry have
suspended the domain nextlevel-mac.co.uk after a struggle.

Later: Complaints received from site visitors about this fraudster and
his spam.

Later: OnlineNic tell me that they have "sent a notice mail to the
current owner of these domains". Not exactly the action warranted,
given the undeniable evidence of criminal fraud and spamming, but it's
at least a recognition of the problem.

***Latest News*** - November 5th. 2007
Unfortunately only partial action has been taken against this
fraudster's domains as follows:
ipods-europe.com - dns refusal
nextlevel-europe.com - OK
iphone-euro.com - dns refusal
apple-eu.com - dns refusal
apple-europe.net - OK
mac-eu-shop.com - dns refusal
mac-eu.net - dns refusal
mac-europe.net - dns refusal
mac-uk.net - dns refusal
macbook-europe.com - dns refusal
nextlevel-germany.com - OK
nextlevel-uk.com - OK
nextlevel-usa.com - OK
apple-usa-store.com - dns refusal
It makes no sense to me that 9 of the 14 domains have had their DNS
blocked, but the rest of the domains, (USED FOR THE SAME SPAMVERTISED
FRAUD WEBSITE), are still functional. None of them have been suspended,
which is what should have happened to ALL of them given the watertight
evidence of criminality and spamming.

***Latest News*** - November 8th. 2007
OnlineNic finally took action against the remaining crooks' domains and
none of the above ones are resolving.