Sunreef Yachts scam website screenshot (stolen by criminals from the genuine Polish (Gdansk) Sunreef Yachts company):
This stolen criminal fraud Sunreef Yachts website should not be confused with the blameless legitimate company of the same name from which the criminals have stolen the above website content and who are as much a victim of this criminal as anyone else.
Sunreef Yachts is the latest fraud from the money laundering department of the well known 'rockphish' criminals. It is the replacement zombie botnet hosted fraud for the Green Tree (Warehousing) Ltd criminal fraudster and in fact is still using the same botnet host IP 89.46.34.93 as was used for the GTW botnet and uses a website stolen from the genuine Sunreef Yachts company. If you are a registrar or a host who has received an abuse report concerning this criminal then please review the irrefutable evidence below and take prompt and permanent action to shut this criminal down.
If you've either received an active website link in a Sunreef Yachts fraud spam, or know of an active domain and it is not listed in the domain tables below, then please let us know by reporting it using the 'Report Active Domain' option in the title bar above.
The registrar 123-reg.co.uk, (Webfusion), (part of GX Networks Ltd who are the old Pipex group), were requested to suspend their criminal client's fraud domains on the dates shown in the tables but are refusing to do so without "the relevant documentation from the police, trading standards or courts", in other words they will only respond to 'take down' notices from the above authorities and ignore all other valid evidence of criminal activity involving their customers. They have been informed of the clear, proven illegal activity that they are providing services for and directed to the clear and easily verifiable evidence of criminal activity provided on this website but refuse to accept it and disable their criminal client's domains and continue to provide services for these 'rockphish' criminals despite the activity being clearly prohibited by their Terms of Service.
This 'turning a blind eye' to obvious & proven illegal activity is allowing the criminals a free hand to perpetrate their fraud at the expense of the victims and the innocent Sunreef Yachts company while 123-reg.co.uk, (Webfusion) themselves make money from the proceeds of this criminal activity.
***Update - 23-Sep-2008 - 123-reg.co.uk, (Webfusion) are now responding ethically and promptly to abuse reports for the Walker & Sons Inc fraudsters***
The above table shows the current providers of zombie botnet hosting services to the criminals and how long they have been providing them for. The decent ethical majority of service providers, (all credit to them - they are a pleasure to deal with), act within 1-24 hours of being informed of the criminal abuse of their system, (the best in less than 1 hour), but there are unfortunately some that, for whatever reason, do not. Any hosting company that remains in the above list for more than 48 hours has unfortunately not responded positively to abuse reports. If you are an abuse team that has taken action, please let me know and I will immediately remove the above record.
Sunreef Yachts: Evidence of Site Theft and Criminal Fraud
ii) The genuine Sunreef Yachts company have published the following warning of this criminal activity on their homepage - clear evidence of the criminal theft of their website.
iii) The bogus websites are zombie botnet hosted on the usual 7-IP site hosting zombie botnet as used by the Green Tree (Warehousing) Ltd fraudsters as clearly demonstrated by the DNS data below. The initial botnet nameserver host IP (89.46.34.93) is the same as used by the previous GTW fraudsters. See here for information on this method of site hosting favoured by these criminals. No legitimate company would use a zombie botnet to host their websites - clear evidence of criminality.
iv) The criminal's spams, (example below), contain the illegal money mule function of accepting payments into a private bank account and transferring them back out to the criminals less 10% via Moneygram or Western Union - clear and irrefutable evidence of solicitation to commit money laundering fraud.
v) The fake Sunreef Yachts website contains the usual smokescreen of bogus jobs under the 'Careers' tab, but included is the following part-time, working from home, clear money mule function advertised as "Financial Associate" which is the only post that is advertised in the criminal's spam, (sample below):
Financial Associate
Today we are looking for an enthusiastic individual to hold a part-time position of a Financial Associate to work with customer payments and develop the payment delivery processes.
Role description:
The Financial Associate is responsible for dealing with the customer payments coming into his/her bank account and optimizing payment delivery dates. As a financial associate you will help to improve customer order delivery cycles set up with the company regional affiliations. You will get paid a net 10% commission out of the total amount of each payment you have dealt with. In order to avoid long distance international bank payments, you will have to wire customer payments through Western Union/Money Gram services to fasten payment delivery dates. You should notice that the related charges should be covered by the company. You will be actively involved into a part-time position offered for approximately 2 hours 2-3 times a week.
Responsibilities:
Ideal candidate would be able to work flexibly and have a generally helpful and co-operative approach as well as a great customer service attitude. Demonstrated strong interpersonal skills as well as a collaborative style of working with company stuff to accomplish shared goals and objectives are preferred. You should be able to show good written & oral communication skills, as well as PC experience, including Internet user skills. The successful applicant should as well show ability to thrive in fast-paced environment and be Creative with problem solving skills.
The above role is clearly the ILLEGAL role of a money laundering mule. Notice the illiterate trademark phrase 'fasten payment delivery dates' that these criminals always use.
vi) As were the majority of the Green Tree (Warehousing) Ltd fraudster's domains, this criminal's numerous fraud domains, (which are all used for the same fake website), are all registered with different fake whois details with 123-reg.co.uk/Webfusion (part of GX Networks Ltd who are the old Pipex group).
vii) The genuine Sunreef Yachts have been in business for many years, but as is normal for these criminals, all of their scam domains were only registered in the last week or two.
viii) The criminal's spam contains forged header information and the usual Bayesian filter avoidance 'white text' code that irrefutably links it to the Cronos Investment, Draper Investment, Harvey Investment, Adamant Global, Sydney Car Centre, Waller Truck, Newman, Esmond and Eisenberg, Green Tree (Warehousing) Ltd and all this criminal's many other aliases along with the 'rockphish' phishing criminals.
ix) Fake Website Contact Details:
Telephone: +390660513198
Fax: +390660513328
Address: Great Siege Road
Floriana
FRN1810
Malta
• A Google check on the address in the fake website contact details, ("Great Siege Road Floriana"), shows no such company at that address. Clear evidence that the address is fake.
• The international dialling code for Malta is +356 - the telephone numbers in the above contact details are clearly bogus - clear evidence of fraud.
x) Their spam is zombie botnet distributed as is easily demonstrated by the source IP RDNS data, e.g.:
Received: from 84.123.99.113.dyn.user.ono.com (84.123.99.113.dyn.user.ono.com [84.123.99.113]) by mx.google.com with SMTP id b1a.5.2008.07.; Tue, 08 Jul 2008 23:11:03 -0700 (PDT)
In this example the spam below originated from 84.123.99.113.dyn.user.ono.com, which is an IP that has been dynamically allocated to an end user on the ono.com network, indicating a compromised end user machine, or zombie.
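The check described in item x), as an added example that is not part of the original page: it parses the 'from' clause of a Received header and flags reverse-DNS names that embed the connecting IP or carry dynamic-pool labels. The label list and every sample header except the first are constructed assumptions; only the first header is the one quoted above.

```python
import ipaddress
import re

# "from HELO (rdns [ip])" clause as written by the receiving mail server.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9.]+)\]\)",
    re.IGNORECASE,
)

# Assumed, non-exhaustive labels ISPs use in rDNS for dynamic customer pools.
DYNAMIC_LABELS = {"dyn", "dynamic", "dhcp", "pool", "dsl", "adsl",
                  "cable", "ppp", "dialup", "cust", "user"}

# Header quoted on the page. It was written by the recipient's own MX, which
# matters: Received lines further down a message can be forged by the sender.
PAGE_HEADER = (
    "Received: from 84.123.99.113.dyn.user.ono.com "
    "(84.123.99.113.dyn.user.ono.com [84.123.99.113]) by mx.google.com "
    "with SMTP id b1a.5.2008.07.; Tue, 08 Jul 2008 23:11:03 -0700 (PDT)"
)
# Constructed samples (documentation address ranges, hypothetical hosts).
STATIC_HEADER = ("Received: from mail-out.example.net (mail-out.example.net "
                 "[192.0.2.25]) by mx.example.org with ESMTP; "
                 "Tue, 08 Jul 2008 23:11:03 -0700")
POOL_HEADER = ("Received: from localhost (host-203-0-113-9.pool.example.com "
               "[203.0.113.9])\r\n\tby mx.example.org with SMTP; "
               "Tue, 08 Jul 2008 23:12:40 -0700")
NO_RDNS_HEADER = ("Received: from unknown ([198.51.100.7]) by mx.example.org "
                  "with SMTP; Tue, 08 Jul 2008 23:13:02 -0700")


def parse_received(header):
    """Return (helo, rdns, ip) from a Received header, or None if unparsable."""
    unfolded = " ".join(header.split())  # undo RFC 5322 header folding
    m = RECEIVED_RE.search(unfolded)
    if not m:
        return None
    try:
        ip = ipaddress.IPv4Address(m.group("ip"))
    except ValueError:
        return None
    return m.group("helo").lower(), (m.group("rdns") or "").lower(), ip


def embeds_ip(hostname, ip):
    """True if the hostname contains the IP's octets, forward or reversed."""
    octets = str(ip).split(".")
    for order in (octets, octets[::-1]):
        pattern = r"(?<!\d)" + r"[.\-]".join(order) + r"(?!\d)"
        if re.search(pattern, hostname):
            return True
    return False


def classify_hop(header):
    """Classify the sending host recorded in one Received header."""
    parsed = parse_received(header)
    if parsed is None:
        return "unparsed"
    _helo, rdns, ip = parsed
    if not rdns:
        return "no-rdns"
    labels = set(re.split(r"[.\-]", rdns))
    if embeds_ip(rdns, ip) or labels & DYNAMIC_LABELS:
        return "likely-dynamic-end-user"
    return "static-or-unknown"


if __name__ == "__main__":
    for name, hdr in [("page", PAGE_HEADER), ("static", STATIC_HEADER),
                      ("pool", POOL_HEADER), ("no-rdns", NO_RDNS_HEADER)]:
        print(f"{name:8} {classify_hop(hdr)}")
```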
xi) The Spam Content
The Sunreef Yachts spam headers contain many different forged/bogus 'From' & 'Return Path' addresses & various forged 'Received' lines. The subject lines vary & all indicate that there is a job opportunity to be had. There is - an illegal job as a money laundering 'mule' or transfer fraud victim, i.e. accepting stolen or counterfeit proceeds into your account and forwarding them on via Western Union or Moneygram for a percentage cut. Needless to say it is these mules that will probably feel the full weight of the law while the remote money launderers are safe. The bogus or stolen funds in the mule's account may well also be recovered, leaving them with large losses.
This is the content of an actual Sunreef Yachts scam spam received from a site contact:
From: Sunreef Yachts <Patterson374@kichimail.com>
Date: Wed, Jul 9, 2008 at 12:11 AM
Subject: Great Job Opportunity - All Hours Available (Part Time Evenings / Full Time / Job Shares Etc).
What is your experience? Finance, management, sales, customer
service or nothing of mentioned above? Are you looking to
advance your career? Do you want to join a successful company that can
offer you the stability and growth potential you've been looking for?
Sunreef Yachts is a leader in the marine industry and is so
much more than just yacht seller! In business for over 30 years,
Sunreef Yachts operates al over the world with the headquarters based
in Malta, Valetta in 7 countries with regional offices, service
operations, marinas and storage facilities.
Today we are looking for an enthusiastic individual to hold a part-time
position of a Financial Associate to work with customer payments and
develop the payment delivery processes. With Your assistance we will
design customer payment processes to assure efficiency of payment
delivery and compliance with the shortest delivery dates, that will
enable us to provide customers with rapid and high quality services.
The Financial Associate is responsible for dealing with the customer
payments coming into his/her bank account and optimizing payment
delivery dates. As a financial associate you will help to improve
customer order delivery cycles set up with the company regional
affiliations. You will get paid a net 10% commission out of the total
amount of each payment you have dealt with. In order to avoid long
distance international bank payments, you will have to wire customer
payments through Western Union/Money Gram services to fasten payment
delivery dates. You should notice that the related charges should be
covered by the company. You will be actively involved into a part-time
position offered for approximately 2 hours 2-3 times a week.
Ideal candidate would be able to work flexibly and have a generally
helpful and co-operative approach as well as a great customer service
attitude. Demonstrated strong interpersonal skills as well as
a collaborative style of working with company stuff to accomplish
shared goals and objectives are preferred. You should be able to show
good written & oral communication skills, as well as PC
experience, including Internet user skills. The successful applicant
should as well show ability to thrive in fast-paced environment and be
Creative with problem solving skills.
A complete background check on each employee will be performed.
If you are interested in a position offered, You are welcome to fill in
the on-line application form at our web-site http://fyach.org.uk
If you have any questions, please do not hesitate to get back to us at
any time!
Note the usual Bayesian filter avoidance 'code', commonly used by these criminals and the 'rockphish' scammers alike. It's normally in 'whitetext' so it's invisible, but here I've greyed it in.
The above irrefutable evidence clearly demonstrates beyond any doubt that the stolen Sunreef Yachts website has been set up by money laundering and phishing criminals purely for the purpose of spamvertising an illegal money laundering 'mule' job and is undoubtedly just a stolen copy of the genuine site and is directly related to Cronos Investment, Draper Investment, Harvey Investment, Adamant Global, Sydney Car Centre, Waller Truck, Newman, Esmond & Eisenberg and the rest of the money laundering/phishing criminal fraudsters' aliases documented here. If you are an abuse team that has received an abuse report regarding these fraudsters, please consider immediate termination of their services in view of the absolutely undeniable evidence of site theft, copyright offences, criminal money laundering activity and spamming - please don't delay - these criminals will not respond to any communication from you, (all their whois data is false), but will simply take advantage of any attempt at communication as a delaying tactic to allow them time to carry on their criminal activity and prepare their next network.
Do not be misled - these are professional criminals with a long history of fraud as detailed on the General Information page and are the same criminals as the 'rockphish' phishing fraudsters, so if a host or registrar shelters these crooks then they are also sheltering the 'rockphish' phishing fraudsters and aiding and abetting their criminal 'phishing' fraud activities.
Sunreef Yachts Fraudsters - current hosting details.
i) The Sunreef Yachts criminal uses his own nameserver domains to control his zombie botnets or provide his DNS. By definition there can be no legitimate domains using his dedicated botnet nameservers & his conventional nameserver domains are always very recently registered. This provides an ideal database search option for you to identify and delete all of this criminal's fraud domains without any risk of hurting an innocent domain. All of the criminal's current botnet nameservers are ns1.whilesite.com, ns1.vobreak.com, ns1.transmo.net and ns1.bmnpro.com
ii) The criminal's domains have different false whois registration data.
iii) The criminal will not respond to your challenge but will use the notice to prepare a new network - immediate suspension is requested, please.
The Zombie Botnet
See here for information on this method of site hosting favoured by these criminals.
DNS Data
(Valid for domains syach.org.uk, syach.me.uk, syach.co.uk, sunyac.org.uk, sunyac.me.uk, sunyac.co.uk)
Looking up at the 2 syach.org.uk. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.whilesite.com hosted by PFA-BOSTAN-TUDOR-TEODOR (Jump.ro) on IP 89.46.34.93 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
The Zombie Botnet DNS Data
(Valid for domains syacht.org.uk, syacht.me.uk, syacht.co.uk)
Looking up at the 2 syacht.org.uk. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.vobreak.com hosted by PFA-BOSTAN-TUDOR-TEODOR (Jump.ro) on IP 89.46.34.93 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
These criminals are experienced liars, thieves and professional confidence tricksters. Do not be fooled - do not believe them. The evidence of criminal fraud is undeniable.
I'd like to thank the many honest & ethical hosts and registrars who have disconnected/suspended these fraudsters within an hour of receiving an abuse report, (several in c. 20 minutes). However, the zombie botnet controlling nameservers seem to be occasionally hosted by Colocation/VPS service providers who do not respond to criminal fraud abuse reports. The honest & ethical SPs will respond with an immediate, (preferably not 24 hours or 48 hours & certainly not never...), disconnection on receipt of a criminal abuse report, having considered the evidence below & investigated, but more and more frequently service providers stall or simply ignore abuse reports. This latter minority of uncaring & unethical hosts and registrars are aiding and abetting criminal fraud and the victims suffer because of it.
Blocking The Spam
I have had quite a few queries about how to block the criminal's spam in Outlook Express. Fortunately they are easily detected using the OE 'Mail Rules' (Tools - Message Rules - Mail).
Rules based on the From, To etc addresses will never work as the header data is all forged. The message body remains constant, however, & that can be used to detect them.
Use the rule "Where the message body contains specific words" and use "Sunreef Yachts" as the search item, then choose 'delete' (or whatever action you prefer) as the action; that will definitely detect every single one of these spams.
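The same body-phrase rule applied outside Outlook Express, as an added example that is not part of the original page: it decodes every text part of a message (base64, quoted-printable, HTML) and normalises whitespace before matching, so a phrase split across a line break or wrapped in markup is still found, and it compares that with a From-address rule. The first sample reuses the From address and a sentence from the spam quoted above; the other two messages and their addresses are constructed.

```python
import base64
import email
import html
import re
from email import policy

PHRASE = "Sunreef Yachts"  # the body phrase the page says to match on

# Sample 1: headers and sentence taken from the spam quoted on the page,
# with the phrase deliberately split across a line break.
SPAM_A = (
    "From: Sunreef Yachts <Patterson374@kichimail.com>\r\n"
    "Subject: Great Job Opportunity\r\n"
    "\r\n"
    "In business for over 30 years, Sunreef\r\n"
    "Yachts operates al over the world\r\n"
)
# Sample 2 (constructed): different forged sender, base64-encoded HTML body.
HTML_BODY = ("<html><body><p>Sunreef&nbsp;<b>Yachts</b> is a leader in the "
             "marine industry</p></body></html>")
SPAM_B = (
    "From: HR Dept <jobs@mail.example>\r\n"
    "Subject: Part time vacancy\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    + base64.b64encode(HTML_BODY.encode()).decode() + "\r\n"
)
# Sample 3 (constructed): ordinary mail that must not match.
HAM = "From: A Friend <friend@mail.example>\r\n\r\nLunch on Friday?\r\n"


def body_text(msg):
    """Concatenate every decoded text part of the message (plain and HTML)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        try:
            chunks.append(part.get_content())
        except (LookupError, UnicodeDecodeError):
            # Unknown or mislabelled charset: fall back to a lossless decode.
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("latin-1"))
    return "\n".join(chunks)


def normalise(text):
    """Drop HTML tags, resolve entities, collapse whitespace, fold case."""
    text = re.sub(r"<[^>]+>", " ", text)
    text = html.unescape(text)
    return re.sub(r"\s+", " ", text).casefold()


def body_rule_matches(raw, phrase=PHRASE):
    """Body-content rule: ignores every header, forged or not."""
    msg = email.message_from_string(raw, policy=policy.default)
    return normalise(phrase) in normalise(body_text(msg))


def from_rule_matches(raw, blocked_sender):
    """Header rule, shown for contrast: only catches one forged sender."""
    msg = email.message_from_string(raw, policy=policy.default)
    return blocked_sender.casefold() in str(msg.get("From", "")).casefold()


if __name__ == "__main__":
    for name, raw in [("spam A", SPAM_A), ("spam B", SPAM_B), ("ham", HAM)]:
        print(name,
              "from-rule:", from_rule_matches(raw, "Patterson374@kichimail.com"),
              "body-rule:", body_rule_matches(raw))
```

A phrase rule like this also matches genuine mail that mentions the real company, so a quarantine action is safer than delete for anyone who corresponds with it.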
If you find this site helpful then please feel free to link to it on your website by inserting the following HTML code, (opens site in new window): <a href="http://www.bobbear.co.uk" target="_blank">Money Laundering Fraud Websites</a>
Fraud Blog
Initial entry 9th. July 2008
***Latest News*** 14th July 2008
The host, (PFA-BOSTAN-TUDOR-TEODOR (Jump.ro)), and the registrar, (123-reg.co.uk, (Webfusion)), were informed of this criminal activity on the 9th. and 10th. of July respectively. Unfortunately they both appear to be happy to aid and abet this criminal fraud and there appears to be little that can be done about it, so if you are a victim of the spam or the criminality then as far as these two companies are concerned it's tough luck I'm afraid.
If you want to complain, you could try contacting jump.ro (office@jump.ro; abuse@jump.ro) and 123-reg.co.uk, (Webfusion) (abuse@webfusion.com; abuse@gxn.net) or complain about 123-reg.co.uk, (Webfusion) to Nominet.org.uk.
***Latest News*** 21st. July 2008
The registrar 123-reg.co.uk, (Webfusion), (part of GX Networks Ltd), continues to knowingly aid and abet these criminals (all of the known criminal's domains were reported to them, (abuse@webfusion.com; abuse@gxn.net), on July the 10th.), but the criminals have moved to a new botnet:
Zombie Botnet DNS Data
(Valid for domains syach.org.uk, syach.me.uk, syach.co.uk, sunyac.org.uk, sunyac.me.uk, sunyac.co.uk)
Looking up at the 2 syach.org.uk. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.whilesite.com hosted by Netrouting Data Facilities (Grafix.nl) on IP 91.199.50.201 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
Zombie Botnet DNS Data
(Valid for domains syacht.org.uk, syacht.me.uk, syacht.co.uk, sunreef.org)
Looking up at the 2 syacht.org.uk. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.vobreak.com hosted by Netrouting Data Facilities (Grafix.nl) on IP 91.199.50.201 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
***Latest News*** 23rd. July 2008
New fraud domain reported by site contact - sunreef.org (Spiritdomains/IARegistry - 14-Jul-2008). This domain is hosted on the above ns1.vobreak.com controlled zombie botnet.
***Latest News*** 29th. July 2008
Both of the criminal's two botnets are now being hosted on a Lightup Network Solutions GmbH IP - 217.172.56.140 as follows:
Zombie Botnet DNS Data
(Valid for domains syach.org.uk, syach.me.uk, syach.co.uk, sunyac.org.uk, sunyac.me.uk, sunyac.co.uk)
Looking up at the 2 syach.org.uk. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.whilesite.com hosted by Lightup Network Solutions GmbH on IP 217.172.56.140 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
Zombie Botnet DNS Data
(Valid for domains syacht.org.uk, syacht.me.uk, syacht.co.uk, sunreef.org)
Looking up at the 2 syacht.org.uk. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.vobreak.com hosted by Lightup Network Solutions GmbH on IP 217.172.56.140 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
***Latest News*** 1st. August 2008
The registrar 123-reg.co.uk/Webfusion have finally suspended the criminal domains syach.org.uk, syach.me.uk, syach.co.uk, sunyac.org.uk, sunyac.me.uk and sunyac.co.uk. My guess is that they've had a Paypal fraud chargeback on them rather than a sudden outbreak of ethical behaviour as they have not suspended the equally fraudulent domains syacht.org.uk, syacht.me.uk or syacht.co.uk. There has been no response from the ISP Lightup Network Solutions GmbH to an abuse report for IP 217.172.56.140.
Please let me know of any domains that are not listed here.
***Latest News*** 2nd. August 2008
Very prompt response from M&M EDV - IP 217.172.56.140 disabled.
Later: The criminal's botnet is up again on a Spry Hosting IP - 66.249.8.241
Zombie Botnet DNS Data
(Valid for domains syacht.org.uk, syacht.me.uk, syacht.co.uk, sunreef.org.uk, sunreef.me.uk, sunreef.org)
Looking up at the 2 syacht.org.uk. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.vobreak.com hosted by Spry Hosting on IP 66.249.8.241 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
***Latest News*** 4th. August 2008
Spry Hosting appear to have taken action - the criminals have moved their botnet controller ns1.vobreak.com onto the IP 78.110.172.14:
Zombie Botnet DNS Data
(Valid for domain sunreef.org)
Looking up at the 2 sunreef.org parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.vobreak.com hosted by AS42831 Ukservers.com/vaserv.com on IP 78.110.172.14 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
The registrar 123-reg.co.uk/Webfusion have suspended the criminal's domains syacht.org.uk, syacht.me.uk, syacht.co.uk, sunreef.org.uk, sunreef.me.uk and sunreef.co.uk - looks like they've had more Paypal chargebacks.... The domains sunyach.org.uk, sunyach.me.uk, sunyach.co.uk, suyach.org.uk, suyach.me.uk and suyach.co.uk appear to be still active but parked, so as long as 123-reg.co.uk have blocked the criminal's account then they should be unusable. Please notify me of any active website URLs.
Later: a2b2 Support (vaserv.com) have very promptly suspended the criminals' latest botnet VPS on IP 78.110.172.14. An excellent response.
Later: The criminal has moved his botnet onto yet another IP listed as belonging to Colostore.com - 206.212.240.153. Let's hope that they are as 'on the ball' as a2b2 Support were this morning.
Zombie Botnet DNS Data
(Valid for domains sunreef.org, sunrets.org.uk, sunrets.me.uk, sunrets.co.uk, syinc.org.uk, syinc.me.uk, syinc.co.uk, syiy.org.uk, syiy.me.uk, syiy.co.uk, sreef.org.uk, sreef.me.uk, sreef.co.uk)
Looking up at the 2 sunreef.org parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.vobreak.com hosted by Colostore.com on IP 206.212.240.153 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
Later: New domains notified by site contact: sunrets.org.uk, sunrets.me.uk, sunrets.co.uk all hosted on the Colostore.com zombie botnet and all registered with 123-reg.co.uk, (Webfusion), (part of GX Networks Ltd who are the old Pipex group).
***Latest News*** 6th. August 2008
123-reg.co.uk, (Webfusion) have suspended the domain sunrets.org.uk but not the domains sunrets.me.uk, sunrets.co.uk that were reported at the same time. Another Paypal chargeback? They never respond, so it's difficult to tell. The host Colostore.com have also not responded to abuse reports so the criminal is having an easy ride.
***Latest News*** 8th. August 2008
The registrar 123-reg.co.uk/Webfusion has allowed the crook's three parked domains suyach.org.uk, suyach.me.uk, and suyach.co.uk to be brought into service despite them having been notified of the criminal activity on July the 10th. As usual, the .me version of the domain seems to have DNS problems.
Other new domains reported by site contact: syacts.org.uk, syacts.me.uk, syacts.co.uk
I'm not wasting my time continually reporting these to 123-reg.co.uk/Webfusion as they clearly have no scruples about knowingly providing services for criminals and fraudsters. If you wish, you can complain about 123-reg.co.uk/Webfusion to the UK police and Nominet.org.uk.
Zombie Botnet DNS Data
(Valid for domains syacts.org.uk, syacts.me.uk, syacts.co.uk, suyach.org.uk, suyach.me.uk, suyach.co.uk, suninc.org.uk, suninc.me.uk, suninc.co.uk, sunyc.org.uk, sunyc.me.uk, sunyc.co.uk)
Looking up at the 2 syacts.org.uk. parent servers:
Zombie Botnet Nameserver
Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.whilesite.com hosted by Colostore.com/VERSENET.ORG on IP 206.212.240.153 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
Later: The domains syacts.org.uk, syacts.me.uk, syacts.co.uk have been suspended by 123-reg.co.uk/Webfusion, but the domains sunrets.me.uk, sunrets.co.uk, suyach.org.uk, suyach.me.uk, and suyach.co.uk all remain active.
***Latest News*** 9th. August 2008
New domains notified by site contact: suninc.org.uk, suninc.me.uk, suninc.co.uk registered with 123-reg.co.uk, (Webfusion) and all hosted by Colostore.com/VERSENET.ORG on the above ns1.whilesite.com [206.212.240.153] zombie botnet.
***Latest News*** 10th. August 2008
New domains notified by site contact: syinc.org.uk, syinc.me.uk, syinc.co.uk registered with 123-reg.co.uk, (Webfusion) and all hosted by Colostore.com/VERSENET.ORG on the above ns1.vobreak.com [206.212.240.153] zombie botnet.
***Latest News*** 11th. August 2008
The registrar 123-reg.co.uk, (Webfusion) have surprisingly suspended the domains syinc.org.uk, syinc.me.uk, syinc.co.uk I reported yesterday. Is it just coincidence & they've been suspended for some other reason such as a Paypal chargeback, or are they perhaps beginning to act responsibly? Still no response from them, though, so it's difficult to tell what is going on and they still have fraud domains active that were reported to them on July the 10th. so I'm inclined to believe that it is just coincidence....
***Latest News*** 12th. August 2008
Domains suyach.org.uk, suyach.me.uk, suyach.co.uk and sunreef.org have all been suspended but domains sunrets.me.uk, sunrets.co.uk, suninc.org.uk,