Toll Finance Pty. Ltd. Fraud

Toll Finance Pty. Ltd. scam website screenshot (29-Jul-2009)
If you've either received an active website link in a Toll Finance fraud spam, or know of an active domain and it is not listed in the domain tables below, then please let us know by reporting it using the 'Report Active Domain' option in the title bar above. Copies of spam are welcome. Scroll down or click for latest news.

This Toll Finance Pty. Ltd. criminal fraud website should not be confused with any other company with the same or similar name. The above screenshot and the following evidence define this criminal alone. These criminals have stolen the website of the genuine company Boutique Wealth Management Group for their fraudulent purposes as detailed below and have also stolen the identity of a genuine 'Toll Finance Pty. Ltd.' Australian company in a futile attempt to give their botnet hosted site some credibility.

Toll Finance Pty. Ltd. is another zombie botnet hosted fraud from the money laundering department of the well known 'Rockphish/Asprox' phishing criminals. Passive DNS data shows that this fraud site is hosted on the same zombies that are hosting other Rockphish criminal fraudsters and phishing sites. The fact that it is zombie botnet hosted is undeniable evidence of criminal fraud as no legitimate site is botnet hosted, but there is plenty of other evidence of fraud such as the self evident fact that they have stolen the website of the genuine company Boutique Wealth Management Group and are using it for fraudulent purposes, plus the fact that they have stolen the identity and company registration of another genuine innocent Australian company, 'Toll Finance Pty. Ltd.', at a different address to their own fake one. Their modus operandi this time is exactly the same as for their Landor Financial and Romad Financial Services scams, even down to the same spams from the same fake person, John Alison.

Current Zombie Botnet Controller Hosts

WholeSale Internet, Inc./Aarons.Net/Jumpserver.net - ns1.advertigemsonline.com [69.197.142.240] - Notified 29-Jul-2009


The above table shows the current providers of zombie botnet hosting services to the criminals and when they were notified. The decent ethical majority of service providers (all credit to them - they are a pleasure to deal with) act within 1-24 hours of being informed of the criminal abuse of their system (the best in less than 1 hour), but there are unfortunately some that, for whatever reason, do not. Any hosting company that remains in the above list for more than 48 hours has unfortunately not responded to abuse reports and may possibly be a 'blackhat' or even a criminal controlled host.

If you are an abuse team that has taken action, please let me know so that I may remove the above record and update the data.

Toll Finance : Evidence of Site Theft and Criminal Fraud

N.B. - Initial information correct at 29-Jun-2009 - Check the domain tables and ***Latest News*** items for domain and hosting updates.

i) The Toll Finance Pty. Ltd. fraud website is hosted on a five-IP 'fastflux' zombie botnet as evidenced below. No legitimate company would use a zombie botnet to host their website - that is undeniable evidence of criminality.

ii) Passive DNS replication data research on the listed zombies hosting the site shows that the same zombies are used to host other 'Rockphish' fraud sites, attack and 'phishing' URLs.

iii) A Google search for "Toll Finance Pty. Ltd." returns the criminals' fake site and a registered Australian company of the same name at a slightly different address to the one claimed by these fraudsters - they have stolen the ID of the genuine Toll Finance Pty. Ltd. and are claiming it as their own, using the ABN of the genuine company and a slightly different (fake) location address to the genuine Toll Finance Pty. Ltd.

iv) Stolen website - the criminals have stolen the website of the genuine UK company, Boutique Wealth Management Group and are using it for their fraudulent purposes - irrefutable evidence of criminal fraud and site theft.

v) They claim on their about webpage "Toll Finance was established in May 2002 after taking the business over from Integral Mortgage Services which had been servicing Toll Finance clients for a period of 4 years prior", however the crook's initial domain tollfinance.com was only registered with the usual unresponsive XIN NET TECHNOLOGY CORPORATION on 28-Jul-2009 for the usual criminal's domain minimum period of only one year - clear evidence of a fraudulent registration.

vi) The 'Payment Protection' fake job from the crook's website: (this 'Payment Protection' nonsense doesn't appear on the stolen genuine website)

Payment Protection Services

When buying-selling operations via the Internet are concerned, the buyer and the seller don’t know each other and are placed in different corners of the world. Therefore it is important both to the buyer and the seller to ensure that their transaction is made safely. Payment Protection means receiving payments, documents, goods (it might be both the seller’s and the buyer’s) concerning the transaction by a reliable, experienced, impartial person - our Payment Protection agent. The agent will hold the funds and documents until all the terms of the deal are satisfied.

Benefits for Payment Protection Agents

The main chain of our Payment Protection service is a Payment Protection agent who is carefully selected before he is admitted to the job. We need agents all over the world that is why the majority of our agents work on a part-time basis from home, although there are agents who work full-time. Payment Protection agents get the commission for every successfully-completed transaction, which is 5-7% (depending on the quantity of processed transactions) from the amount of each transaction. As an agent, you will be granted 24/7 support and assistance from our help-desk in case of emergency. A secure online environment makes the work of a Payment Protection agent easier. Bank deposits and withdrawals are not taxable by EU/EU/US/AU law, making it a comfortable source of income.

Benefits for the seller

The seller must be ensured that while selling goods or services online he/she will eventually receive the payment. That is why online sellers turn to our company; on our behalf we garantee that if they sell online, they will receive payments according to the terms agreed upon in advance. Our company provides a safe environment for internet transactions making it easy for all participants to be completely protected.

Benefits for the buyer

The buyer must be ensured that while purchasing goods or services online he/she will eventually receive the item he/she paid for. Conducting online payments through our Payment Protection agents garantees a risk-free internet purchase, because Payment Protection agents release the payment to the seller only after all the terms of the agreement are satisfied and the required documents are processed.

Benefits for our company

Year by year the amount of e-commerce is increasing, the services of our company are becoming more and more demanded, which gives us an opportunity to expand our business and provide fast, secure and professional services. The more Payment Protection agents we attract the quicker we can perform Payment Protection procedures, as inner transfers take no more than an hour. The transaction time depends on the physical location of the sender and the receiver of the funds. Our agents get 5-7% from each transaction, while we get 3% more for our services, and that's how we benefit from the business to ensure a sustainable growth and development.


'Payment Protection Agent' is simply a euphemism for 'Money Laundering Mule'. The job consists of accepting stolen funds to a personal account and transferring a balance back to these crooks via Moneygram or Western Union before the deposited money comes back as stolen, (which it will). It will get your bank account closed, your assets frozen and leave you under investigation for fraud - don't be tempted - there is nothing to be gained and a great deal to be lost, and not only money.

vii) Fake contact details from the website:

Contact Us

Address:
417 St Kilda Road Service Ln,
Melbourne, VIC, 3004, Australia

Postal Address:
417 St Kilda Road Service Ln,
Melbourne, VIC, 3004, Australia

Phone: 03 8648 5842
Fax: 03 8648 5842

Email: mail@tollfinance.com


• The crooks have simply taken the address of the genuine Toll Finance Pty. Ltd. company and changed the street number.
• A Google Search for "417 St Kilda Road Service Ln, Melbourne, VIC" simply returns the crooks' fake website and nothing else.
• A Google Maps Search for "417 St Kilda Road Service Ln, Melbourne, VIC" also shows no sign of these criminals and lists no business at that address.
• Notice the common phone and fax number - common for these criminals but unlikely for a genuine reputable business of any size.
• A Google search for the telephone number (03 8648 5842) simply returns the crooks' fake website and nothing else.
• These fake details are different from the correct address details of the genuine Toll Finance Pty. Ltd. whose identity they have stolen.

All clear evidence of fake details and fraud.

viii) The Spam:
Hello,

my name is John Alison and I am Toll Finance Pty. Ltd. Staff manager. We have found and reviewed your CV at Totaljobs job board and decided to offer this job to you.

Our services
When buying-selling operations via the Internet are concerned, the buyer and the seller don’t know each other and are placed in different corners of the world. Therefore, it is important both to the buyer and the seller for their transaction to be made safely. Payment Protection means receiving money, documents, goods (it might be both the seller’s and the buyer’s) concerning the transaction by a reliable, experienced, impartial person - our Payment Protection agent. The agent will hold all the money and documents until all the terms of the deal are satisfied and only then release them to the intended receiver. Please, visit our web-site for more information. (http://www.tollfinance.org/)


Why we need Payment Protection agents
Having a Payment Protection agent in every country we can quickly transfer funds inside a country without wasting time on the international bank transfers, and continue our rapid growth rather than overwhelming our own bank account with inbound and outbound transactions leading to severe hold times and possible service interruption. It is time that is of significant importance to our clients.


Career and Benefits
Your main task will be receiving money transactions to any bank account you would like to use for the purposes of this job; and then forwarding these transactions to the next party of the Payment Protection process according to our instructions. You will benefit from the commissions, which are 5-7% of each transaction and depend on the quantity of the completed transactions and the speed of your work. Besides, you will be paid a basic salary of 1700 EUR per month.


For your convenience there will be no paychecks, your commission will remain in your account after every successfully completed transaction. The money transfer fee is not included in your commission, meaning that you will deduct it from the received amount, not from your commission. Also you receive 5-7% of the transaction amount. Normally the amounts that we process vary from 2,000 EUR to 10,000 EUR, but can go higher on special occasions.


Job details
As the financial activity in your area is not too high, a Payment Protection agent will be processing approximately 1-2 transactions per week. Each transaction requires approximately 4-5 hours of the agent work. Our manager always calls the agent beforehand to provide all the instructions. Therefore, with the due time management, the agent is able to combine this job with other activities (e.g. primary job or studies).


If you are ready to proceed, please provide your AVAILABLE phone number to our hiring manager (Charles McAlister) at staffmanager@tollfinance.com

Please do not hesitate to contact us if you need more information.

Sincerely yours,

John Alison,
Toll Finance Pty. Ltd.
visit us at http://tollfinance.org/


ix) This is the identical spam as used for the Landor Financial and Romad Financial Services scam aliases - even using the same fake name of John Alison. See those fraud webpages for further information, i.e. fake contract and job specification.

That is a clear, illegal, part-time, work-from-home job of accepting payments into your personal bank account and transferring a balance back to these crooks via Western Union or Moneygram. In this instance they have dressed it up as "payment protection", which appears to be basically a type of escrow, but no legitimate company would use unknown private individuals in a foreign country on a part-time basis in this way. Not only is the whole idea totally preposterous, it is also illegal: this is undeniably a 'Rockphish' criminal running the botnet hosted operation, so the funds are guaranteed to be stolen from phished accounts. If you engage in the above activity you can expect to have your bank account closed, your assets frozen and possibly to be investigated by the police for involvement in illegal activity. You will also lose any money that you have transferred to these criminals - don't be tempted.

The above irrefutable evidence clearly demonstrates beyond any doubt that the Toll Finance Pty. Ltd. website is a stolen fake website that has been set up by 'Rockphish' criminals purely for the purpose of deception and fraud. If you are an abuse team that has received an abuse report regarding these fraudsters, please consider immediate termination of their services in view of the absolutely undeniable evidence of criminality - please don't delay - these criminals will not respond to any communication from you, (all their whois data is false), but will simply take advantage of any attempt at communication as a delaying tactic to allow them time to carry on their criminal activity and prepare their next network.

Do not be misled - these are professional criminals with a long history of fraud as detailed on the General Information page and are the same criminals as the 'Rockphish/Asprox' phishing fraudsters, so if a host or registrar shelters these crooks then they are also sheltering the 'Rockphish/Asprox' phishing fraudsters and aiding and abetting their criminal 'phishing' fraud activities.

Fraud Domains

Domain - Registrar

tollfinance.com - XIN NET TECHNOLOGY CORPORATION - 28-Jul-2009
tollfinance.org - Bizcn.com, Inc. (03-Aug-2009)

Criminal Registered Nameserver Domains

advertigemsonline.com - INTERCOSMOS MEDIA GROUP, INC. D/B/A DIRECTNIC.COM (27-Jul-2009)

Key: Active, Suspended/Disabled, Parked
Please notify me of any domains not listed here.

Notes for Registrars

i) The Toll Finance Pty. Ltd. criminal uses his own nameserver domains to control his zombie botnets or provide his DNS. By definition there can be no legitimate domains using his dedicated botnet nameservers & his conventional nameserver domains are always very recently registered. This provides an ideal database search option for you to identify and delete all of this criminal's fraud domains without any risk of hurting an innocent domain. The criminal's current botnet nameserver domain(s) are listed above.

ii) The criminal will not respond to your challenge but will use the notice to prepare a new network - immediate suspension without warning is essential.

The Zombie Botnet DNS Data (Valid for domain tollfinance.com)
DNS Lookup: tollfinance.com A record
Searching for tollfinance.com A record at j.root-servers.net [192.58.128.30]: Got referral to I.GTLD-SERVERS.NET. (zone: com.)
Searching for tollfinance.com A record at I.GTLD-SERVERS.NET. [192.43.172.30]: Got referral to ns1.advertigemsonline.com. (zone: tollfinance.com.)
Searching for tollfinance.com A record at ns1.advertigemsonline.com. [69.197.142.240]: Reports tollfinance.com.
Response:
Domain Type Class TTL Answer
tollfinance.com. A IN 1800 66.212.155.141
tollfinance.com. A IN 1800 67.202.28.203
tollfinance.com. A IN 1800 71.57.224.166
tollfinance.com. A IN 1800 89.229.198.123
tollfinance.com. A IN 1800 213.63.151.92
tollfinance.com. NS IN 1800 ns1.advertigemsonline.com.
tollfinance.com. NS IN 1800 ns2.advertigemsonline.com.
ns1.advertigemsonline.com. A IN 1800 69.197.142.240
ns2.advertigemsonline.com. A IN 1800 66.71.235.27

Looking up at the 2 tollfinance.com. parent servers:

Zombie Botnet Nameservers Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.advertigemsonline.com [69.197.142.240] 213.63.151.92 66.212.155.141 67.202.28.203 71.57.224.166 89.229.198.123
ns2.advertigemsonline.com [66.71.235.27] Timeout - Dummy nameserver, (never resolves).

The data shows a standard 5-IP 'Fastflux' site hosting zombie botnet where the criminal owned nameserver ns1.advertigemsonline.com hosted by WholeSale Internet, Inc./Aarons.Net/Jumpserver.net on IP address 69.197.142.240 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT/NSLOOKUP). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.

***Latest News*** Initial entry 29th. July 2009

***Latest News*** 5th. August 2009
News from Frank Bear - the domain tollfinance.com has been suspended - new domain notified by site contact - tollfinance.org hosted by Bizcn.com, Inc. (03-Aug-2009) and hosted on the following updated zombie botnet, still hosted by WholeSale Internet, Inc./Aarons.Net/Jumpserver.net (First notified 29-Jul-2009):
DNS Lookup: tollfinance.org A record
Searching for tollfinance.org A record at m.root-servers.net [202.12.27.33]: Got referral to A0.ORG.AFILIAS-NST.INFO. (zone: org.)
Searching for tollfinance.org A record at A0.ORG.AFILIAS-NST.INFO. [199.19.56.1]: Got referral to ns2.advertigemsonline.com. (zone: tollfinance.org.)
Searching for tollfinance.org A record at ns2.advertigemsonline.com. [66.71.235.27]: Timed out. Trying again.
Searching for tollfinance.org A record at ns1.advertigemsonline.com. [69.197.142.240]: Reports tollfinance.org.
Response:
Domain Type Class TTL Answer
tollfinance.org. A IN 1800 79.121.57.228
tollfinance.org. A IN 1800 194.102.104.231
tollfinance.org. A IN 1800 71.198.12.66
tollfinance.org. A IN 1800 77.254.128.31
tollfinance.org. A IN 1800 78.157.82.12
tollfinance.org. NS IN 1800 ns2.advertigemsonline.com.
tollfinance.org. NS IN 1800 ns1.advertigemsonline.com.
ns1.advertigemsonline.com. A IN 1800 69.197.142.240
ns2.advertigemsonline.com. A IN 1800 66.71.235.27

Looking up at the 2 tollfinance.org. parent servers:

Zombie Botnet Nameservers Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.advertigemsonline.com [69.197.142.240] 194.102.104.231 71.198.12.66 77.254.128.31 78.157.82.12 79.121.57.228
ns2.advertigemsonline.com [66.71.235.27] Timeout - Dummy nameserver, (never resolves).

The data shows a standard 5-IP 'Fastflux' site hosting zombie botnet where the criminal owned nameserver ns1.advertigemsonline.com hosted by WholeSale Internet, Inc./Aarons.Net/Jumpserver.net (First notified 29-Jul-2009) on IP address 69.197.142.240 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT/NSLOOKUP). See The Zombie Botnet 'Host By Proxy' for an explanation of this method of hosting.
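
The indicators described in the two lookups above (five site host IPs scattered across unrelated networks, a host set that changed completely between the lookups, and the same controlling nameservers throughout), together with the nameserver pivot suggested in the Notes for Registrars, as an added Python example that is not part of the original page. The function names, the /16 grouping and the `min_networks` threshold are assumptions of this example; the DNS rows are copied from the lookups on this page.

```python
import ipaddress

# DNS answer rows copied from the two lookups on this page (tollfinance.com, tollfinance.org).
LOOKUPS = {
    "tollfinance.com": """\
tollfinance.com. A IN 1800 66.212.155.141
tollfinance.com. A IN 1800 67.202.28.203
tollfinance.com. A IN 1800 71.57.224.166
tollfinance.com. A IN 1800 89.229.198.123
tollfinance.com. A IN 1800 213.63.151.92
tollfinance.com. NS IN 1800 ns1.advertigemsonline.com.
tollfinance.com. NS IN 1800 ns2.advertigemsonline.com.
ns1.advertigemsonline.com. A IN 1800 69.197.142.240
ns2.advertigemsonline.com. A IN 1800 66.71.235.27
""",
    "tollfinance.org": """\
tollfinance.org. A IN 1800 79.121.57.228
tollfinance.org. A IN 1800 194.102.104.231
tollfinance.org. A IN 1800 71.198.12.66
tollfinance.org. A IN 1800 77.254.128.31
tollfinance.org. A IN 1800 78.157.82.12
tollfinance.org. NS IN 1800 ns2.advertigemsonline.com.
tollfinance.org. NS IN 1800 ns1.advertigemsonline.com.
ns1.advertigemsonline.com. A IN 1800 69.197.142.240
ns2.advertigemsonline.com. A IN 1800 66.71.235.27
""",
}

def parse(text):
    """Map (owner, type) -> set of answers; rows are 'name type class ttl answer', lower-cased."""
    records = {}
    for line in text.lower().splitlines():
        parts = [p.rstrip(".") for p in line.split()]
        if len(parts) == 5:
            name, rtype, _cls, _ttl, answer = parts
            records.setdefault((name, rtype), set()).add(answer)
    return records

def profile(domain):
    """Summarise one lookup: site host IPs, nameservers, their glue IPs, distinct /16 networks."""
    recs = parse(LOOKUPS[domain])
    hosts, ns = recs.get((domain, "a"), set()), recs.get((domain, "ns"), set())
    ns_ips = set().union(*(recs.get((n, "a"), set()) for n in ns))
    nets = {ipaddress.ip_network(ip + "/16", strict=False) for ip in hosts}
    return {"hosts": hosts, "ns": ns, "ns_ips": ns_ips, "networks": len(nets)}

def indicators(a, b, min_networks=4):
    """Fast-flux heuristics over two profiles; min_networks is an assumed threshold."""
    return {
        "scattered_hosts": min(a["networks"], b["networks"]) >= min_networks,
        "hosts_fully_rotated": not (a["hosts"] & b["hosts"]),
        "same_nameservers": a["ns"] == b["ns"],
        "stable_ns_ips": a["ns_ips"] == b["ns_ips"],
    }

def delegated_to(ns_domain):
    """Registrar-style pivot: looked-up domains whose nameservers all sit under ns_domain."""
    return sorted(d for d in LOOKUPS if (ns := profile(d)["ns"])
                  and all(n.endswith("." + ns_domain) for n in ns))
```

Calling `indicators(profile("tollfinance.com"), profile("tollfinance.org"))` reports all four indicators as true for the data on this page, and `delegated_to("advertigemsonline.com")` returns both fraud domains.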

***Latest News*** 17th. August 2009
News from Frank Bear - the domain tollfinance.org has been suspended - please notify me of any active domains for this criminal.