Rams International (Stolen Identity)

Rams International (Stolen Identity) Fraud

Don't Bear Internet Fraud

Rams International (Stolen Identity) scam screenshot (Stolen Website) - 11-Sep-2009

Rams International screenshot (Stolen Website) - 11-Sep-2009

This fraud should not be confused with any other company of the same or similar name - the following fraud evidence defines and refer to this fake Rams International company alone and no other. The above website has been stolen from the legitimate company Verus International - clear evidence of criminal fraud in itself. These criminals have also stolen their name from this genuine, (but ASIC deregistered), Australian Capital Territory company - do not be fooled, it is their usual modus operandi. Mind, not only have they chosen an ASIC delisted company, they have also got its post code wrong.

Rams International (Stolen Identity) scam is yet another 'Rockphish' serial fraud consisting of a fake, (stolen), financial site used as a vehicle to legitimise a money laundering fraud job scam. The only reason it looks so glossy and professional is because the website has been stolen in its entirety from the genuine financial organisation Verus International. That much is self evident and as such it is irrefutable evidence of fraud. The fake website is also hosted on a 'Fastflux' botnet using zombies that are also used for other frauds and also for 'phishing' fraud domains. It's not the only scam website this fraudster has produced using an identical MO. He has previous aliases of Paramount Finance, First Rate Finance, World Finance Group, Zeus Financial Group, Toll Finance, Range Financial Corporation, Adriatic Finance Services, Arena Financial Group and many others, in fact this latest scam website botnet is still hosted on the same WholeSale Internet, Inc./Hosting Ventures, LLC IP address 69.197.142.240 and using the same criminal registered nameserver domain voda-fon.com as was used for both the Adriatic Finance Services fraud and the Arena Financial Group scam which makes this fraud a clear follow-on fraud to the the Arena Financial Group scam.

The initial website fraud domain ramsinternational.com was only registered with TODAYNIC.COM, INC. on 10-Sep-2009 for the usual 'criminal's domain' minimum period of only one year and the crook has no genuine web presence at all, (not to be confused with the A.C.T. based Australian company of the same name whose identity the criminal has stolen, as is their normal MO). All absolutely irrefutable evidence of fraud.

Current Zombie Botnet Controller Hosts

WebNX of Los Angeles - ns1.checkisnot.com [67.220.213.24] - Notified 23-Sep-2009

Ethical hosts respond within hours to abuse reports, unethical or even criminal hosts don't.

Evidence of Criminal Fraud:

i) Zombie botnet hosted: First and foremost, this criminal fraud site is hosted on a 5-IP 'FastFlux' 'Rockphish' zombie botnet as clearly evidenced by the DNS data. As no legitimate site is hosted on a zombie botnet this site is irrefutably defined as criminal. The zombies involved are also hosting other 'Rockphish' frauds such as the Arena Financial Group scam and all his other aliases as listed above. Reverse IP data on the zombies involved shows other hosted 'Rockphish' domains and phishing URLs.

ii) Stolen website: It is perfectly obvious that the Rams International criminals have stolen their entire fraud site from the genuine Verus International and modified it for their own fraud purposes by adding the usual fake "Payment Protection" menu option that leads the potential mule into their web of deceit and criminal activity - clear evidence of site theft and fraud.

iii) As the Rams International criminals have stolen the website from the genuine Verus International company, the content has no real relevance, although they claim on their 'Overview' page "Rams International was formed in early 2000", but the fraudster's domain ramsinternational.com was only registered with TODAYNIC.COM, INC. on 10-Sep-2009, (i.e. yesterday, as I write this....), for the usual 'criminal's domain' minimum period of only one year. Clear evidence of fraudulent misrepresentation.

iv) Serial fraudster - the use of the criminal registered nameserver domain voda-fon.com links this criminal to their previous aliases, Adriatic Finance Services and Arena Financial Group.

v) As is usual for these criminals, a Google search shows that they have no internet presence at all despite the claim on their Overview page to have been formed in 2000. Do not confuse the criminals with a genuine Australian company of the same name & ABN number whose identity these crooks have stolen as is their normal practice from previous aliases.

vi) The Spam:

Rams International Pty. Ltd.
PO Box 1400, Canberra City,
ACT, 2601, Australia.

Hello,
my name is Michael Nguyen and I am Rams International Hiring manager. We
have found your CV at TotalJobs jobs board and decided to offer this job
to you.

Our services
When buying-selling operations via the Internet are concerned, the buyer
and the seller don't know each other (they may be placed in different
corners of the world) - it is very important both to the buyer and the
seller for their deal to be made safely. Payment Protection means
receiving money, documents, goods (it might be both the seller's and the
buyer's) concerning the transaction to a reliable, experienced,
impartial person - our Payment Protection agent. The agent will hold all
the documents and money until all the terms of the deal are satisfied
and only then release them to the intended receiver. Please, visit our
web-site for more information.

http://www.ramsinternational.com/

Why we need Payment Protection agents
Having a Payment Protection agent in every country we can quickly
transfer funds inside a country without wasting time on the
international bank transfers, and continue our rapid growth rather than
overwhelming our own bank account with inbound and outbound transactions
leading to severe hold times and possible service interruption. It is
time that is of significant importance to our clients.

Career and Benefits
Your main task will be receiving money transactions to any bank account
you would like to use for the purposes of this job; and then forwarding
these transactions to the next party of the Payment Protection process
according to our instructions. You will benefit from the commissions,
which are 5-7% of each transaction and depend on the quantity of the
completed transactions and the speed of your work. Besides, you will be
paid a basic salary of 1700 EUR per month.

For your convenience there will be no paychecks, your commission will
remain in your account after every successfully completed transaction.
The money transfer fee is not included in your commission, meaning that
you will deduct it from the received amount, not from your commission.
Also you receive 5-7% of the transaction amount. Normally the amounts
that we process vary from 2,000 EUR to 10,000 EUR, but can go higher on
special occasions.

Job details
As the financial activity in your area is not too high, a Payment
Protection agent will be processing approximately 1-2 transactions per
week. Each transaction requires approximately 4-5 hours of the agent
work. Our manager always calls the agent beforehand to provide all the
instructions. Therefore, with the due time management, the agent is able
to combine this job with other activities (e.g. primary job or studies).

If you are ready to proceed, please provide your AVAILABLE phone number
to our hiring manager (Paul Marsden) at hiring@ramsinternational.com

Please do not hesitate to contact us if you need more information.

--
Sincerely yours,
Michael Nguyen,
Rams International Pty. Ltd.

http://www.ramsinternational.com/

It's the same 'Michael Nguyen' and the same clear fraud spam as their previous aliases, e.g. Arena Financial Group.

vii) You do not get a clearer definition of the illegal part time money mule function: "Your main task will be receiving money transactions to any bank account you would like to use for the purposes of this job; and then forwarding these transactions to the next party of the Payment Protection process according to our instructions", i.e. transferring them on via Moneygram or Western Union less a percentage commission - that on its own defines the company without doubt as criminal and bogus and is clear evidence of criminal fraud. It is also a more or less identical spam to the criminal's previous identical aliases as listed above.

viii) No legitimate company is going to advertise for this sort of illegal part time, 'work from home' money transfer position among the untrained, inexperienced and uncertified general population overseas. It will get your bank account and your assets frozen and could well earn you a criminal record - do not be tempted.

ix) Fake 'Contact Us' Details from website:

Contact Us

Rams International Pty Ltd
PO Box 1400, Canberra City,
ACT, 2601, Australia.

Tel: 03 9015 7542
E-mail: mail@ramsinternational.com

ABN: 46 068 627 681

• - Their stolen ABN number 46 068 627 681 belongs to this genuine A.C.T. based company and not these crooks.
• - The telephone number 03 9015 7542 is not an Australian Capital Territory number, but a Victoria/Tasmania number - clear evidence of fraud.
• - In choosing a company to steal the name of, they have managed to pick one that is ASIC deregistered and is therefore not licensed in the field that they claim to be in. Clear evidence of fraud.
• - The listed postcode for the genuine company is 2612, not 2601

All absolutely irrefutable evidence of fake contact/location details and a fake company.

The above evidence clearly demonstrates beyond any doubt that the Rams International website has been set up very recently by 'Rockphish' money laundering criminals purely for the purpose of spamvertising an illegal money laundering 'mule' job. If you are an abuse team that has received an abuse report regarding these fraudsters, please consider immediate termination of their services in view of the absolutely undeniable evidence of criminal activity - please don't delay - these criminals will not respond to any communication from you, (all their whois data is false), but will simply take advantage of any attempt at communication as a delaying tactic to allow them time to carry on their criminal activity and prepare their next network.

Main Website Domains

ramsinternational.com
recruitramsinternational.com
recruit-ramsinternational.com
jobramsinternational.com

Registrar

TODAYNIC.COM, INC. (10-Sep-2009)
DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM (NICS.NAME) (10-Sep-2009)
DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM (NICS.NAME) (14-Sep-2009)
DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM (NICS.NAME) (17-Sep-2009)

Botnet Nameserver Domains

voda-fon.com
checkisnot.com

Registrar

RANGER REGISTRATION (MADEIRA) LLC. - 21-jul-2009
TUCOWS INC. (123-reg.co.uk)

Nameserver Host

WholeSale Internet, Inc./Hosting Ventures, LLC
WebNX of Los Angeles

Host IP

69.197.142.240
67.220.213.24

Active
Suspended/Disabled
Parked

Domain Whois Data

Domain: ramsinternational.com

Registrar:     TODAYNIC.COM, INC.
Status:        clientTransferProhibited
Dates:         Created 10-sep-2009   Updated 10-sep-2009 Expires 10-sep-2010
DNS Servers:   NS1.VODA-FON.COM NS2.VODA-FON.COM

Domain name: ramsinternational.com
Status: Active

Protection Status: public
( make contact info private at http://www.now.cn/domain/domainPrivate.php )

Registrant:
Name: Pilatro Vaferi
Address: Moskow
City: Moskow
Province/state: MSK
Country: RU
Postal Code: 443610

Administrative Contact:
Name: Pilatro Vaferi
Organization: Pilatro Vaferi
Address: Moskow
City: Moskow
Province/state: MSK
Country: RU
Postal Code: 443610
Phone: +7.9957734434
Fax: +7.9957734434
Email: mold3332avimo@safe-mail.net

Technical Contact:
Name: Pilatro Vaferi
Organization: Pilatro Vaferi
Address: Moskow
City: Moskow
Province/state: MSK
Country: RU
Postal Code: 443610

Nameserver Information:
    ns1.voda-fon.com
    ns2.voda-fon.com

Create: 2009-09-10 17:20:26
Update: 2009-09-10
Expired: 2010-09-10

Domain: recruitramsinternational.com

Registrar:     DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Status:        clientTransferProhibited
Dates:         Created 10-sep-2009   Updated 10-sep-2009 Expires 10-sep-2010
DNS Servers:   NS1.VODA-FON.COM NS2.VODA-FON.COM

Registration Service Provided By: NICS.NAME
Contact: +7.8469724045
Website: http://nics.name

Domain Name: RECRUITRAMSINTERNATIONAL.COM

Registrant:
    PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    P.O. Box 97
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Moergestel
    null,5066 ZH
    NL
    Tel. +45.36946676

Creation Date: 10-Sep-2009
Expiration Date: 10-Sep-2010

Domain servers in listed order:
    ns2.voda-fon.com
    ns1.voda-fon.com

Administrative Contact:
    PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    P.O. Box 97
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Moergestel
    null,5066 ZH
    NL
    Tel. +45.36946676

Technical Contact:
    PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    P.O. Box 97
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Moergestel
    null,5066 ZH
    NL
    Tel. +45.36946676

Billing Contact:
    PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    P.O. Box 97
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Moergestel
    null,5066 ZH
    NL
    Tel. +45.36946676

Status:ACTIVE

Domain Name: recruit-ramsinternational.com

   Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
   Name Server: NS1.VODA-FON.COM
   Name Server: NS2.VODA-FON.COM
   Status: clientTransferProhibited
   Updated Date: 14-sep-2009
   Creation Date: 14-sep-2009
   Expiration Date: 14-sep-2010
.Registration Service Provided By: NICS.NAME
Contact: +7.8469724045
Website: http://nics.name

Domain Name: RECRUIT-RAMSINTERNATIONAL.COM

Registrant:
    PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    P.O. Box 97
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Moergestel
    null,5066 ZH
    NL
    Tel. +45.36946676

Creation Date: 14-Sep-2009
Expiration Date: 14-Sep-2010

Domain servers in listed order:
    ns2.voda-fon.com
    ns1.voda-fon.com

Administrative Contact:
    PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    P.O. Box 97
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Moergestel
    null,5066 ZH
    NL
    Tel. +45.36946676

Technical Contact:
    PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    P.O. Box 97
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Moergestel
    null,5066 ZH
    NL
    Tel. +45.36946676

Billing Contact:
    PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    P.O. Box 97
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Moergestel
    null,5066 ZH
    NL
    Tel. +45.36946676

Status:ACTIVE

   Domain Name: CHECKISNOT.COM

Registrar: TUCOWS INC.
   Whois Server: whois.tucows.com
   Referral URL: http://domainhelp.opensrs.net
   Name Server: NS1.CHECKISNOT.COM
   Name Server: NS2.CHECKISNOT.COM
   Status: ok
   Updated Date: 17-sep-2009
   Creation Date: 17-sep-2009
   Expiration Date: 17-sep-2010

Registrant:
Melissa Bagley
49 Goldring Drive
Whitby, ON L1P1B9
CA

Domain name: CHECKISNOT.COM

Administrative Contact:
    Bagley, Melissa stailsbestia@care2.com
    49 Goldring Drive
    Whitby, ON L1P1B9
    CA
    +1.9056652857
Technical Contact:
    Technical, GX Networks services@123-reg.co.uk
    5 Roundwood Avenue
    Stockley Park
    Uxbridge, Middlesex UB11 1FF
    UK
    +44.8712309525    Fax: +44.8701650437

Registration Service Provider:
    services@123-reg.co.uk
    08712309525
    08709126612 (fax)
    http://www.123-reg.co.uk
    This company may be contacted for domain login/passwords,
    DNS/Nameserver changes, and general domain support questions.

Registrar of Record: TUCOWS, INC.
Record last updated on 17-Sep-2009.
Record expires on 17-Sep-2010.
Record created on 17-Sep-2009.

Registrar Domain Name Help Center:
    http://domainhelp.tucows.com

Domain servers in listed order:
    NS2.CHECKISNOT.COM   35.88.17.39
    NS1.CHECKISNOT.COM   67.220.213.24

Domain status: ok

The Zombie Botnet DNS Data (Valid for domain ramsinternational.com)

DNS Lookup: ramsinternational.com A record
Searching for ramsinternational.com A record at a.root-servers.net [198.41.0.4]: Got referral to H.GTLD-SERVERS.NET. (zone: com.)
Searching for ramsinternational.com A record at H.GTLD-SERVERS.NET. [192.54.112.30]: Got referral to ns1.voda-fon.com. (zone: ramsinternational.com.)
Searching for ramsinternational.com A record at ns1.voda-fon.com. [69.197.142.240]: Reports ramsinternational.com.
Response:

Domain	Type	Class	TTL	Answer
ramsinternational.com.	A	IN	1800	74.3.203.93
ramsinternational.com.	A	IN	1800	88.156.39.27
ramsinternational.com.	A	IN	1800	89.229.198.123
ramsinternational.com.	A	IN	1800	91.195.98.36
ramsinternational.com.	A	IN	1800	66.212.155.140
ramsinternational.com.	NS	IN	1800	ns2.voda-fon.com.
ramsinternational.com.	NS	IN	1800	ns1.voda-fon.com.
ns1.voda-fon.com.	A	IN	1800	69.197.142.240
ns2.voda-fon.com.	A	IN	1800	146.30.45.31

Looking up at the 2 ramsinternational.com. parent servers:

Server	Response
ns1.voda-fon.com [69.197.142.240]	66.212.155.140 74.3.203.93 88.156.39.27 89.229.198.123 91.195.98.36
ns2.voda-fon.com [146.30.45.31]	Timeout

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.voda-fon.com hosted by WholeSale Internet, Inc./Hosting Ventures, LLC on IP address 69.197.142.240 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT/NSLOOKUP). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting. This is exactly the same botnet host and the same criminally registered nameserver as used for the crook's previous aliases, Adriatic Finance Services and Arena Financial Group.

***Latest News*** 11th. September 2009
Webpage created - thanks to Frank Bear for the heads up on this fraud.

***Latest News*** 12th. September 2009
News from Frank Bear - the domain recruitramsinternational.com has been suspended by DirectI. No response from Todaynic.com or the hosts of this 'Rockphish' criminal's zombie botnet, WholeSale Internet, Inc./Hosting Ventures, LLC

***Latest News*** 16th. September 2009
New domain reported by site contact - recruit-ramsinternational.com registered with DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM (14-Sep-2009) and hosted on the above zombie botnet.
Later: News from Simon Bear - domain recruit-ramsinternational.com has been suspended by the registrar.

***Latest News*** 23rd. September 2009
New domain reported by Frank Bear - jobramsinternational.com registered with DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM (17-Sep-2009) and hosted on this new zombie botnet:

The Zombie Botnet DNS Data (Valid for domains ramsinternational.com)

Looking up at the 2 jobramsinternational.com. parent servers:

Server	Response
ns1.checkisnot.com [67.220.213.24]	74.3.203.93 77.254.156.85 81.203.251.235 85.137.227.245 89.229.198.123
ns2.checkisnot.com [35.88.17.39]	Timeout

The data shows a standard 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.checkisnot.com hosted by WebNX of Los Angeles on IP address 67.220.213.24 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT/NSLOOKUP). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting. WebNX of Los Angeles are also hosting another 'Fastflux' zombie botnet for the Global Shipping Agency fraudster on IP address 67.220.213.26 (ns1.scothc.net. [67.220.213.26]). They have been informed of the criminal activity and are aware of it but so far have failed to act.
Later: news from Frank Bear - the domain jobramsinternational.com has been suspended by the registrar.

***Latest News*** 7th. October 2009
The above criminal's botnet appears to have fnally been disabled - please notify me of any active website for these criminals.