Romad Financial Services Fraud

Romad Financial Services scam website screenshot (07-Jul-2009)
If you've either received an active website link in a Romad Financial Services fraud spam, or know of an active domain and it is not listed in the domain tables below, then please let us know by reporting it using the 'Report Active Domain' option in the title bar above. Copies of spam are welcome. Scroll down or click for latest news.

This Romad Financial Services criminal fraud website should not be confused with any other company with the same or similar name. The above screenshot and the following evidence define this criminal alone. These criminals have stolen the website of the genuine company Como Financial Services for their fraudulent purposes as detailed below and have also stolen the identity of a genuine 'Romad Financial Services' Australian company in a futile attempt to try and give their botnet hosted site some credibility.

Romad Financial Services is another zombie botnet hosted fraud from the money laundering department of the well known 'Rockphish/Asprox' phishing criminals. Passive DNS data shows that this fraud site is hosted on the same zombies that are hosting other Rockphish criminal fraudsters and phishing sites. The fact that it is zombie botnet hosted is undeniable evidence of criminal fraud as no legitimate site is botnet hosted, but there is plenty of other evidence of fraud such as the self evident fact that they have stolen the website of the genuine company Como Financial Services and are using it for fraudulent purposes, plus the fact that they have stolen the identity and company registration of another genuine innocent Australian company, 'Romad Financial Services', at a different address to their own fake one. Their botnet criminal registered nameserver, ns1.mybabals.com, was used by both the Abela Financial Group and the Landor Financial frauds. Their modus operandi this time is exactly the same as for their Landor Financial scam.

Current Zombie Botnet Controller Hosts

Softlayer Technologies/ZipServers Inc. - ns1.mybabals.com [74.86.43.145] - Notified 08-Jul-2009


The above table shows the current providers of zombie botnet hosting services to the criminals and when they were notified. The decent ethical majority of service providers, (all credit to them - they are a pleasure to deal with), act within 1-24 hours of being informed of the criminal abuse of their system, (the best in less than 1 hour), but there are unfortunately some that, for whatever reason, do not. Any hosting company that remains in the above list for more than 48 hours has unfortunately not responded to abuse reports and may possibly be a 'blackhat' or even a criminal controlled host.

If you are an abuse team that has taken action, please let me know so that I may remove the above record and update the data.

Romad Financial Services : Evidence of Site Theft and Criminal Fraud

N.B. - Initial information correct at 11-Jun-2009 - Check the domain tables and ***Latest News*** items for domain and hosting updates.

i) The Romad Financial Services fraud website is hosted on a five-IP 'fastflux' zombie botnet as evidenced below. No legitimate company would use a zombie botnet to host their website - that is undeniable evidence of criminality.

ii) Passive DNS replication data research on the listed zombies hosting the site shows that the same zombies are used to host other 'Rockphish' fraud sites, attack and 'phishing' URLs.

iii) A Google search for "Romad Financial Services" returns a registered Australian company at a different address to the one claimed by these fraudsters - they have stolen the ID of the genuine Romad Financial Services and are claiming it as their own, using the ABN of the genuine company, although they are using a different (fake) location address/contact details and website stolen from another company.

iv) Stolen website - the criminals have stolen the website of the genuine UK company, Como Financial Services and are using it for their fraudulent purposes - irrefutable evidence of criminal fraud and site theft.

v) They claim on the above screenshot: "Romad Financial Services has been helping individuals and businesses achieve their goals since 2002", however the crook's initial domain romadfinancial.com was only registered with the usual unresponsive XIN NET TECHNOLOGY CORPORATION on 06-Jul-2009 for the usual criminal's domain minimum period of only one year - clear evidence of a fraudulent registration.


vi) Fake contact details from the website:

Contact Details

94 Woodhouse Grove
Box Hill North, VIC, 3129
Australia

Phone: +61 03 8648 5628
Fax: +61 03 8648 5628
Email: info@romadfinancial.com


• A Google Search for "94 Woodhouse Grove Box Hill North" shows no sign of these criminals, or of any business for that matter.
• A Google Maps Search for "94 Woodhouse Grove Box Hill North" also shows no sign of these criminals and lists no business at that address.
• Notice the common phone and fax number - common for these criminals but unlikely for a genuine reputable business of any size.
• A Google search for the telephone number (+61 03 8648 5628) returns zero results. In fact the city code is wrong for the Box Hill area - it should be 03 98, not 03 86 which is for Melbourne city centre.
• These fake details are different from the correct address details of the genuine Romad Financial Services whose identity they have stolen.

All clear evidence of fake details and fraud.

vii) The Spam:
Employment Offer [HotOnline]

From: John Alison (job@recruitromadfinancial.com)
Sent: 06 July 2009 17:58:13

Romad Financial Services Pty. Ltd.
94 Woodhouse Grove, Box Hill North,
VIC, 3129, Australia

Hello, my name is John Alison and I am Romad Financial Services Pty. Ltd. Staff manager. We have found and reviewed your CV at hotonline.com and decided to offer this job to you.

Our services

When buying-selling operations via the Internet are concerned, the buyer and the seller don't know each other and are placed in different corners of the world. Therefore, it is important both to the buyer and the seller for their transaction to be made safely. Payment Protection means receiving money, documents, goods (it might be both the seller's and the buyer's) concerning the transaction by a reliable, experienced, impartial person - our Payment Protection agent. The agent will hold all the money and documents until all the terms of the deal are satisfied and only then release them to the intended receiver. Please, visit our web-site for more information. (http://www.romadfinancial.com/)

Why we need Payment Protection agents

Having a Payment Protection agent in every country we can quickly transfer funds inside a country without wasting time on the international bank transfers, and continue our rapid growth rather than overwhelming our own bank account with inbound and outbound transactions leading to severe hold times and possible service interruption. It is time that is of significant importance to our clients.

Career and Benefits

Your main task will be receiving money transactions to any bank account you would like to use for the purposes of this job; and then forwarding these transactions to the next party of the Payment Protection process according to our instructions. You will benefit from the commissions, which are 5-7% of each transaction and depend on the quantity of the completed transactions and the speed of your work. Besides, you will be paid a basic salary of 1500 GBP per month.

For your convenience there will be no paychecks, your commission will remain in your account after every successfully completed transaction. The money transfer fee is not included in your commission, meaning that you will deduct it from the received amount, not from your commission. Also you receive 5-7% of the transaction amount. Normally the amounts that we process vary from 2,000 GBP to 10,000 GBP, but can go higher on special occasions.

Job details

As the financial activity in your area is not too high, a Payment Protection agent will be processing approximately 1-2 transactions per week. Each transaction requires approximately 4-5 hours of the agent work. Our manager always calls the agent beforehand to provide all the instructions. Therefore, with the due time management, the agent is able to combine this job with other activities (e.g. primary job or studies). If you are ready to proceed, please provide your AVAILABLE phone number to our hiring manager (Charles McAlister) at hiring@romadfinancial.com Please do not hesitate to contact us if you need more information.

Sincerely yours,

John Alison,

Romad Financial Services Pty. Ltd.

visit us at http://www.romadfinancial.com/

This is the identical spam as used for the Landor Financial scam alias. See that fraud webpage for further information, i.e. fake contract and job specification.

That is a clear, illegal, part-time, work-from-home job of accepting payments into your personal bank account and transferring a balance back to these crooks via Western Union or Moneygram. In this instance they have dressed it up as "payment protection", which appears to be basically a type of escrow, but no legitimate company would use unknown private individuals in a foreign country on a part-time basis in this way - not only is the whole idea totally preposterous, but it is also illegal - this is undeniably a 'Rockphish' criminal running the botnet hosted operation, so the funds are guaranteed to be stolen from phished accounts. If you engage in the above activity you can expect to have your bank account closed, your assets frozen and possibly to be investigated by the police for involvement in illegal activity. You will also lose any money that you have transferred to these criminals - don't be tempted.

The above irrefutable evidence clearly demonstrates beyond any doubt that the Romad Financial Services website is a stolen fake website that has been set up by 'Rockphish' criminals purely for the purpose of deception and fraud. If you are an abuse team that has received an abuse report regarding these fraudsters, please consider immediate termination of their services in view of the absolutely undeniable evidence of criminality - please don't delay - these criminals will not respond to any communication from you, (all their whois data is false), but will simply take advantage of any attempt at communication as a delaying tactic to allow them time to carry on their criminal activity and prepare their next network.

Do not be misled - these are professional criminals with a long history of fraud as detailed on the General Information page and are the same criminals as the 'Rockphish/Asprox' phishing fraudsters, so if a host or registrar shelters these crooks then they are also sheltering the 'Rockphish/Asprox' phishing fraudsters and aiding and abetting their criminal 'phishing' fraud activities.

Fraud Domains

Domain - Registrar
romadfinancial.com - XIN NET TECHNOLOGY CORPORATION - 06-Jul-2009
recruitromadfinancial.com - DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM - 06-Jul-2009

Criminal Registered Nameserver Domains

mybabals.com - INTERCOSMOS MEDIA GROUP, INC. D/B/A DIRECTNIC.COM (04-jun-2009)

Key: Active, Suspended/Disabled, Parked

Please notify me of any domains not listed here.

Notes for Registrars

i) The Romad Financial Services criminal uses his own nameserver domains to control his zombie botnets or provide his DNS. By definition there can be no legitimate domains using his dedicated botnet nameservers & his conventional nameserver domains are always very recently registered. This provides an ideal database search option for you to identify and delete all of this criminal's fraud domains without any risk of hurting an innocent domain. The criminal's current botnet nameserver domain(s) are listed above.

ii) The criminal will not respond to your challenge but will use the notice to prepare a new network - immediate suspension without warning is essential.
The Zombie Botnet DNS Data (Valid for domain romadfinancial.com)
Searching for romadfinancial.com A record at d.root-servers.net [128.8.10.90]: Got referral to L.GTLD-SERVERS.NET. (zone: com.)
Searching for romadfinancial.com A record at L.GTLD-SERVERS.NET. [192.41.162.30]: Got referral to ns1.mybabals.com. (zone: romadfinancial.com.)
Searching for romadfinancial.com A record at ns1.mybabals.com. [216.38.54.82]: Reports romadfinancial.com.
Response:
Domain Type Class TTL Answer
romadfinancial.com. A IN 1800 82.7.229.249
romadfinancial.com. A IN 1800 82.11.24.40
romadfinancial.com. A IN 1800 83.20.44.30
romadfinancial.com. A IN 1800 84.121.117.57
romadfinancial.com. A IN 1800 77.253.123.70
romadfinancial.com. NS IN 1800 ns2.mybabals.com.
romadfinancial.com. NS IN 1800 ns1.mybabals.com.
ns1.mybabals.com. A IN 1800 216.38.54.82
ns2.mybabals.com. A IN 1800 76.22.244.15

Looking up at the 2 romadfinancial.com. parent servers:

Zombie Botnet Nameservers - Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.mybabals.com [216.38.54.82] - 77.253.123.70 82.11.24.40 82.7.229.249 83.20.44.30 84.121.117.57
ns2.mybabals.com [76.22.244.15] - Timeout - Dummy nameserver, (never resolves).

The data shows a standard 5-IP 'Fastflux' site hosting zombie botnet where the criminal owned nameserver ns1.mybabals.com hosted by ServInt Engineering on IP address 216.38.54.82 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT/NSLOOKUP). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.

***Latest News*** Initial entry 7th. July 2009

Later - The registrar has suspended the domain recruitromadfinancial.com
The criminal is up on a new botnet:
The Zombie Botnet DNS Data (Valid for domain romadfinancial.com)
Looking up at the 2 romadfinancial.com. parent servers:

Zombie Botnet Nameservers - Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.mybabals.com [69.162.114.162] - 68.190.214.194 76.101.65.160 84.10.62.215 84.122.127.184 89.115.204.29
ns2.mybabals.com [76.22.244.15] - Timeout - Dummy nameserver, (never resolves).

The data shows a standard 5-IP 'Fastflux' site hosting zombie botnet where the criminal owned nameserver ns1.mybabals.com hosted by Limestone Networks, Inc. on IP address 69.162.114.162 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT/NSLOOKUP). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.
Later: The botnet has been disconnected by Limestone Networks and the criminal has moved it to a Softlayer Technologies IP address:

The Zombie Botnet DNS Data (Valid for domain romadfinancial.com)
Looking up at the 2 romadfinancial.com. parent servers:

Zombie Botnet Nameservers - Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.mybabals.com [74.86.43.145] - 201.233.203.216 75.101.172.178 76.101.65.160 83.20.62.241 94.103.230.206
ns2.mybabals.com [76.22.244.15] - Timeout - Dummy nameserver, (never resolves).

The data shows a standard 5-IP 'Fastflux' site hosting zombie botnet where the criminal owned nameserver ns1.mybabals.com hosted by Softlayer Technologies/ZipServers Inc. on IP address 74.86.43.145 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT/NSLOOKUP). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.
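
The three lookups above can be compared mechanically. The following Python example is added here for illustration and is not part of the original page or the author's tooling; it measures how widely each 5-IP answer is scattered across networks and how much of the host set was replaced between lookups. The /16 grouping and both thresholds are assumptions chosen for the example.

```python
import ipaddress

# A-record sets copied from the three lookups on this page, keyed by the
# address ns1.mybabals.com had at the time of each lookup.
SNAPSHOTS = [
    ("216.38.54.82", ["82.7.229.249", "82.11.24.40", "83.20.44.30",
                      "84.121.117.57", "77.253.123.70"]),
    ("69.162.114.162", ["68.190.214.194", "76.101.65.160", "84.10.62.215",
                        "84.122.127.184", "89.115.204.29"]),
    ("74.86.43.145", ["201.233.203.216", "75.101.172.178", "76.101.65.160",
                      "83.20.62.241", "94.103.230.206"]),
]

def spread(a_records):
    """Count distinct /16 networks (assumed proxy for 'unrelated networks')."""
    return len({ipaddress.ip_network(f"{ip}/16", strict=False) for ip in a_records})

def turnover(prev, curr):
    """Fraction of the current A-record set that the previous lookup lacked."""
    return len(set(curr) - set(prev)) / len(curr)

def pool(snapshots):
    """Every host address ever returned for the domain across all lookups."""
    return {ip for _, a_records in snapshots for ip in a_records}

def flux_report(snapshots, min_spread=3, min_turnover=0.5):
    """Per-lookup indicators; both thresholds are illustrative assumptions."""
    report, prev = [], None
    for ns_ip, a_records in snapshots:
        rate = None if prev is None else turnover(prev, a_records)
        report.append({
            "ns_ip": ns_ip,
            "spread": spread(a_records),
            "turnover": rate,
            "wide": spread(a_records) >= min_spread,
            "rotating": rate is not None and rate >= min_turnover,
        })
        prev = a_records
    return report

if __name__ == "__main__":
    for row in flux_report(SNAPSHOTS):
        print(row)
    print("distinct host IPs seen:", len(pool(SNAPSHOTS)))
```

A conventionally hosted site normally returns the same few addresses from one or two networks on every lookup, so both indicators stay low for it.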