STK Consult

STK Consult Fraud

Don't Bear Internet Fraud

STK Consult, is yet another spamvertized money transfer fraudster from exactly the same criminals that brought you Sydney Car Centre, Harvey Investment, Adamant Global, Impex Consult, (direct link established - see below), and all the others listed on the General Information page plus the 'rockphish' phishing scammers. The spam headers, (example below), show that the spam is distributed by zombie botnet, (i.e. from end user machines such as ADSL/Broadband/Cable accounts), and contain forged delivery details, (i.e. all different 'From' & 'Return Path' addresses). I am also receiving significant numbers of spam on a 'dictionary attack' catch-all address, i.e. forged addresses of mine that have never been used.
__________________________________________________________________________________________________________________________

STK Consult : Evidence of Criminal Fraud

i) On the website http://stk-consult.info the company claim to be at 30, Mitcham Rd, London, SW17 9NA with a telephone number 44 (121) 2882187. Unfortunately that is a Birmingham number, not a London number and the address 30, Mitcham Rd, London SW17 9NA belongs to Herbary Chinese Medicine according to the UK Postcode finder. It is clearly a fake address.

ii) On the website http://stk-consult.com, although clearly exactly the same website & the same company, they claim to be resident in New York. They clearly do not know where they are.

iii) Needless to say there is no such company as STK Consult listed in UK Companies House resident at that London address - it is clearly a fake address AND a fake company.

iv) STK Consult do not appear on the UK Financial Services Authority (FSA) register which is a mandatory requirement in the UK for any company operating in the financial sphere which confirms that they are undoubtedly a fake company.

v) STK Consult use a zombie botnet to propagate their prolific criminal fraud spam - see example below.

vi) Numerous STK Consult spams received on spamtrap addresses.

vii) This STK Consult is unknown to Google, (except as a spammer and fraudster), but claims on their website to have been in operation since 1994, yet the domain stk-consult.com was only registered 22-sep-2007 and their other fraud domain stk-consult.info was only registered 22-Jun-2007.

viii) The one job that they offer on their website consists of working at home doing financial transactions for 5% per transfer. That is clearly just another money laundering 'mule' job.

ix) The bogus rubbish on this STK consult 'about us' page is mostly word for word the same as this hokum from the old Impex Consult scam that I thought had been killed off in early 2007, but appears to have resurfaced, demonstrating without doubt the fact that these are one and the same criminal gang.

x) As if further proof were required, check out the fake Impex Consult certificates here and STK Consult ones here. I'm rather impressed by their commitment to Greater Merseyside Enterprise Ltd, (UK Liverpool area), considering they claim to be in New York and London...... The fact that both 'Certificates of Ownership of Business' from the Champaign county clerk both carry the same serial number for two different companies is a dead giveaway of fraud and the fact that the scammers are one and the same....

The above evidence clearly demonstrates beyond any doubt that the so-called company STK Consult is a fake company & website set up purely for the purpose of spamvertising an illegal money laundering 'mule' job and is undoubtedly related to Impex Consult and the rest of the money laundering criminal fraudsters documented here. If you are an abuse team that has received an abuse report regarding these fraudsters, please consider immediate termination of their services in view of the absolutely undeniable evidence of criminal activity - please don't delay - these criminals will not respond to any communication from you and will simply use any attempt at communication not only as a delaying tactic, but to prepare their next network.

Do not be fooled - these are professional criminals with a long history of fraud as detailed on the General Information page and are the same criminals as the 'rockphish' phishing fraudsters, so if a host or registrar shelters these crooks then they are also sheltering them and aiding and abetting their criminal 'phishing' fraud activities. __________________________________________________________________________________________________________________________

The Spam Headers

Return-Path: <hrmanager@takemail.info>
Received: from mwinf3422.me.freeserve.com (mwinf3422.me.freeserve.com)
    by mwinb3406 (SMTP Server) with LMTP; Tue, 25 Sep 2007 01:55:02 +0200
X-Sieve: Server Sieve 2.2
Envelope-to: xxxxx@xxxxxx.freeserve.co.uk
Received: from me-wanadoo.net (localhost [127.0.0.1])
    by mwinf3422.me.freeserve.com (SMTP Server) with ESMTP id BC6261C0009A
    for <xxxxx@xxxxxx.freeserve.co.uk>; Tue, 25 Sep 2007 01:55:02 +0200 (CEST)
Received: from 122.212.broadband2.iol.cz (122.212.broadband2.iol.cz [83.208.212.122])
    by mwinf3422.me.freeserve.com (SMTP Server) with ESMTP id 9FA531C0006C
    for <xxxxx@xxxxxx.freeserve.co.uk>; Tue, 25 Sep 2007 01:55:02 +0200 (CEST)
X-ME-UUID: 20070924235502653.9FA531C0006C@mwinf3422.me.freeserve.com
Received: from [83.208.212.122] by mail.takemail.info; Mon, 24 Sep 2007 24:55:51 +0100
Date:    Mon, 24 Sep 2007 24:55:51 +0100
From: "Austin Landry" <hrmanager@takemail.info>
X-Mailer: The Bat! (v3.62.03) Home
Reply-To: hrmanager@takemail.info
X-Priority: 3 (Normal)
Message-ID: <538709463.47547039131175@takemail.info>
To: xxxxx@xxxxxx.freeserve.co.uk
Subject: new kind of job
MIME-Version: 1.0
Content-Type: text/plain;
charset=us-ascii
Content-Transfer-Encoding: 7bit
X-me-spamlevel: med
X-me-spamrating: 95.026673
X-Antivirus: AVG for E-mail 7.5.488 [269.13.30/1025]

Recipient & message id munged.

Notice the following 'Received' line in green. This is the address from which it was received by the recipients email system and cannot be forged:

Received: from 122.212.broadband2.iol.cz (122.212.broadband2.iol.cz [83.208.212.122])

In this received line the source IP address is 83.208.212.122 the reverse DNS (RDNS) for which correctly indicates 122.212.broadband2.iol.cz which confirms that the source address is genuine abd that the IP belongs to a broadband end user on the Czech telephone network. "Well", you say, "there's your criminal". Unfortunately not - he or she may be guilty of criminal stupidity by not having a firewall or clicking on the latest nude pictures of Britney Spears, but unfortunately not criminal fraud - he/she is just one of tens of thousands of 'zombies' - computers that have been infected with a zombie virus or worm. What it does tell you is that the STK Consult spammer uses a zombie botnet to distribute his spam in exactly the same way as Sydney Car Centre, Harvey Invest, Adamant Global and all the rest of these criminals.

Lastly, "Austin Landry" <hrmanager@takemail.info> is not "STK Consult" - this is just another forged email address which may or may not actually exist. Incidentally, never 'bounce' spam back to the 'sender' as it only bounces back to a forged address which, if real, will only belong to an innocent third party who will understandably be a little peeved with you and if you do it a lot you could get your ISP's SMTP IP range blacklisted and they will be even more upset with you & could justifiably close your account.
__________________________________________________________________________________________________________________________

The Spam Content

The headers contain many different forged/bogus 'From' & 'Return Path' addresses & various forged 'Receive' lines. The subject lines vary & all indicate that there is a job opportunity to be had. There is - an illegal job as a money laundering 'mule' or transfer fraud victim, i.e. accepting stolen or counterfeit proceeds into your account and forwarding it on via Western Union or Moneygram for a percentage cut. Needless to say it is these mules that will probably feel the full weight of the law while the remote money launderers are safe. The bogus or stolen funds in the mules account may well also be recovered, leaving them with large losses.

This is the content of an actual STK Consult scam spam:
__________________________________________________________________________________________________________________________

Good day!

We inform you about new vacancies in our company.

Do you want to start a successful carrier right now without any entrance fees, without buying goods or involving other
people? Do you want to start a successful career in financial and consulting sphere without economical education or special
experience? If it is so, this suggestion is for you!

Our company is ready to offer you the chance. At this moment we are enlarging our staff and you have a chance to become
a member of our team and get additional earnings spending 2 - 3 hours per week. But it isn't all. We can send you a long
term contract if you prove us your reliability.

If you are interested in our suggestion please visit our site:
www.stk-consult.com

Sincerely your,
Richard Sessa
HR manager,
STK Consult
__________________________________________________________________________________________________________________________

These criminals are experienced liars, thieves and professional confidence tricksters. Do not be fooled - do not believe them. The evidence of criminal fraud is undeniable.

I'd like to thank the many honest & ethical hosts who have disconnected these fraudsters within an hour of receiving my abuse report, (several in c. 20 minutes). However, the zombie botnet controlling nameservers seem to be occasionally hosted by Colocation/VPS service providers who do not respond to criminal fraud abuse reports. The honest & ethical SPs will respond with an immediate, (preferably not 24 hours or 48 hours & certainly not never...), disconnection on receipt of a criminal abuse report, having considered the evidence below & investigated, but more and more frequently service providers stall or simply ignore abuse reports. This latter minority of uncaring & unethical hosts are aiding and abetting criminal fraud and the victims suffer because of it.

Knowingly supplying services to these fraudsters is a criminal offence in the UK under the UK Proceeds of Crime act (2002) Section 328 "A person commits an offence if he enters into or becomes concerned in an arrangement which he knows or suspects facilitates (by whatever means) the acquisition, retention, use or control of criminal property by or on behalf of another person". The notification level for this offence is low. Would all hosts and registrars with a UK presence, (other countries will undoubtedly have similar provisions), please bear this in mind and please do not ignore any criminal fraud abuse reports you may receive or if you do, please don't be surprised or offended if I file a crime complaint against you with local law enforcement agencies after a reasonable period of notice of abuse - the victims, (who could be your mother, father, grandmother, grandfather, the helpless, the disabled or any loved one - these criminals are exactly the same as doorstep conmen), deserve better.

The unethical hosts, (and registrars), should appreciate that taking the 'blind eye' approach involves them in the crime, creates a great deal of ill-will, bad publicity & hurts everybody, especially the victims of these fraudsters. They should also bear in mind that these crooks pay for their services using Paypal linked to stolen credit card details so they are likely to get a charge-back which will also leave them out of pocket, unless, of course, they have a more intimate relationship with the criminals.

A CEO of a Credit Union tells me of clients who have lost thousands of pounds cashing counterfeit money orders for these criminals, & I myself have had letters from worried victims, so do not under any circumstances get involved with them and also please think twice about doing business with the unethical service providers who continue to provide this criminal with the means to perpetrate his crime despite being notified of the criminal activity. __________________________________________________________________________________________________________________________

Blocking The spam

I have had quite a few queries about how to block the criminal's spam in Outlook Express. Fortunately they are easily detected using the OE 'Mail Rules' (Tools - Message Rules - Mail).

Rules based on the From, To etc addresses will never work as the header data is all forged. The message body remains constant, however & that can be used to detect them.

Use the rule "Where the message body contains specific words" and use the grammatically incorrect phrase "without economical education" as the search item then choose 'delete' (or whatever action you prefer) as the action then that will definitely detect every single one of these spams.
__________________________________________________________________________________________________________________________ If you find this site helpful then please feel free to link to it on your website by inserting the following HTML code, (opens site in new window):
<a href="http://www.bobbear.co.uk" target="_blank">Money Laundering Fraud Websites</a>
__________________________________________________________________________________________________________________________

Here are all the known domains that are/have been used for the STK Consult fraud:

Domain

stk-consult.com
stk-consult.info

Status

Suspended
Active

Registrar

PUBLICDOMAINREGISTRY.COM
PUBLICDOMAINREGISTRY.COM

Please notify me of any errors or domains not listed here.

__________________________________________________________________________________________________________________________

DNS data:

Looking up the 2 stk-consult.com parent servers DNS details:

Nameserver	'A' Record Response
ns1.lighthost.info [203.121.67.117]	203.121.67.117
ns2.lighthost.info [203.121.67.118]	203.121.67.117

Looking up the 2 stk-consult.info parent servers DNS details:

Nameserver	'A' Record Response
ns2.openhosting.ru [81.176.237.10]	81.176.236.12
ns.openhosting.ru [81.176.236.10]	81.176.236.12

__________________________________________________________________________________________________________________________

If you have been a victim of this or any other of these fraudsters & would like to tell your story on these pages as a warning & to help others, please contact me.
__________________________________________________________________________________________________________________________