Trend Analytics Fraud

Trend Analytics scam website screenshot (13-May-2009)

This Trend Analytics criminal fraud website should not be confused with any other company of the same or similar name. The above screenshot and the following evidence define this criminal alone.

If you've either received an active website link in a Trend Analytics fraud spam, or know of an active domain and it is not listed in the domain tables below, then please let us know by reporting it using the 'Report Active Domain' option in the title bar above.

Trend Analytics is the latest fraud from the money laundering department of the well known 'Rockphish/Asprox' phishing criminals. 
The criminal's website is hosted on a standard 'Rockphish' 'Fastflux' site hosting zombie botnet using the recently registered initial fraud domain potentialproducts.net (BIZCN.COM, INC. (07-Apr-2009)), which is irrefutable evidence of fraud - no legitimate website is hosted on a zombie botnet. The purpose of the website is to lend an air of legitimacy to a spam campaign intended to recruit money laundering mules, and to that end they are also advertising a clear money mule position under the Careers tab on their website. Despite their website's claims that "Trend Analytics, was founded in 2002" and "has been the backbone of many international and local financial operations", they have no Google internet presence whatsoever (do not confuse them with any other company of the same name). They have hijacked or created a registration of a UK company that was only incorporated in 2008 and are using the same virtual office/accommodation address in London (29 Harley Street) as was used by the Alliance Global Ltd scammers.

Current Zombie Botnet Controller Hosts

Global Net Access, LLC - ns1.online-groups.net [74.81.90.74] - Notified 19-May-2009


The above table shows the current providers of zombie botnet hosting services to the criminals and how long they have been providing them for. The decent ethical majority of service providers (all credit to them - they are a pleasure to deal with) act promptly when informed of the criminal abuse of their system (the best in less than 1 hour), but there are unfortunately some that, for whatever reason, do not respond, do not act and in some cases clearly do not care. Any hosting company that remains in the above list for more than 48 hours has unfortunately not responded to abuse reports and may possibly be a 'blackhat' or even a criminal controlled host. N.B. - To ignore reports of criminal activity is an offence under US law codes, UK law and undoubtedly also under other countries' legal provisions. Please be aware that complaints against unresponsive hosts are filed with upstream providers and that 'accessory after the fact' complaints are filed with law enforcement agencies after all contact attempts have failed. It's only fair to the victims of these criminals.

If you are an abuse team that has taken action, please let me know so that I may remove the above record and update the data.

Trend Analytics: Evidence of Site Theft and Criminal Fraud

Check tables and ***Latest News*** items for domain and hosting updates.

i) The Trend Analytics fraud website is hosted on a standard 'Rockphish' site hosting zombie botnet. No legitimate company would use a zombie botnet to host their website - irrefutable evidence of criminality.

ii) Passive DNS replication data checks on the zombies listed in the table below link this fraud to other 'Rockphish' group scams and include numerous phishing links - irrefutable evidence of criminal fraud.

iii) These criminals claim to have been in business since 2002, but their initial domain potentialproducts.net was only registered with BIZCN.COM, INC. on 07-Apr-2009 for the usual criminal's domain minimum period of one year - a clear indication of a fraudulent domain.

iv) These criminals claim to have been in business since 2002, but the company whose details they have hijacked was only incorporated on 01-Apr-2008 - clear evidence of misrepresentation and fraud.

v) Despite their claim of having been in business since 2002 and this sort of grandiose 'Runglish' claim on their 'About Us' page: "We are world-widely recognized financial management company with operating headquarters in the London, United Kingdom", (note THE London, by the way - it's a common grammatical error these Russian scammers make), they have no Google presence whatsoever, (not even their own clearly very new fake website is returning any hits as I write this). Not to be confused with any other company of the same name.

vi) The criminals claim to be involved in Investment Management, Loans and Accounting, but a webcheck shows that they are not registered with the UK regulatory body in the finance field, the FSA, (Financial Services Authority), which they would have to be to be able to legally trade in the financial sector in the UK. Clear & absolutely irrefutable evidence of fraud. Check for yourself.

vii) The Website money mule job:

Career Opportunities

Are you in search for some extra work? Or maybe you need a full-time job. Wherever and whoever you are, if you think that you may be of some value to us – get in touch, because we value every chance finding new employees from all around the world. Trend Analytics knows no boundaries when it comes to employment. Work from the comfort of home or from your office, full-time or part-time. There are no strict requirements or guidelines to get a job with us, simply send in your resume and a cover letter and we'll get in touch with you as soon as possible.

Thank you for your interest to our current openings.

Regional Manager

    * Position Type: Permanent (work from home).
    * Operating hours: between 9:00 AM to 1:00 PM weekdays. Variable overtime is also required. NO evening/weekend work allowed.
    * Occupation Type: Part-time (1-5 hours a day occupation).
    * Salary: $30 per hour + a bonus per processed transaction.

Job Requirements

The job nature is a payment processing between our customers (sellers and buyers). You will be receiving daily tasks from your Personal Manager by e-mail. Each task will include detailed instruction on how to process current payment(s), and to be accomplished the same day within working hours (9-1). You should have ability to check your e-mail in mornings and several times/day, and respond to requests from your Manager promptly. We do not require any investments from our applicants. You must be reachable with your contact phone also.The position does NOT involve sales.

How to Get Started

Send us your resume and one of our HR Managers will contact you.


You do not get a clearer example of the illegal money laundering mule position than that. The job consists of accepting transferred stolen funds into your private bank account, deducting 10% and forwarding the balance on to these criminals via Western Union. The problem is that the funds are transferred from a victim's 'phished' account without his knowledge. Once he discovers that they are missing, he will inform his bank, who will recover the funds from your bank, leaving you out of pocket by the amount you have sent to the crooks. Not only that, but you will have to answer some very awkward questions about why you are involved in criminal activity - don't be tempted.

viii) Fake contact details from the fraudulent website:

Headquarters:

29 Harley Street,
London, W1G 9QR

Tel: +44 (0) 20 3287 4835
Fax: +44 (0) 20 3287 4835

• A Google search for "29 Harley Street, London" clearly shows that this is an accommodation address (and a virtual office service), and a well used one at that. It's also the registered office of the company number 06552144 whose details they've hijacked (or created), a company that was only incorporated on 01-Apr-2008, has never filed any accounts according to the Companies House data, and for which no genuine trading address or independent trading information can be found and no telephone numbers can be found in UK telephone directories.
• Notice the common phone and fax number - it is the usual 'virtual office' rented voicemail number that these crooks use, which just defaults to the message: "The person you are trying to reach is not available, please leave a message after the following beep" in the same voice that answers all these fake phone numbers.
• A Google search for the telephone number +44 (0) 20 3287 4835 returns no results. If it were the real number of a genuine company that has been trading for seven years it would be listed - it is not.

ix) The Spam

Careerbuilder
Message
 
Analytics position (30 hourly)  
Hello xxxxxx,
Thank you for your interest to our current openings.
Thereby we confirm that your expertise and abilities conform to our requirements for Customer Service Specialist post.

Position Type: Permanent (work from home).
Working hours: between 9:00 AM to 1:00 PM weekdays. Alternating overtime is also required. NO evening / weekend work allowed.
Occupation: Part-time (one-five hr. a day required).
Salary: 30 usd per hour + a bonus per processed transaction.

Vacancy Requirements

We do not demand any initial payments from our candidates. The job basis is a payment transferring from our customers (independent investors). You will be getting daily tasks from your Personal Manager by email. Every task will include accurate directions on how to process current transaction(s), and has to be finished the same day within working hours 9 AM - 1 PM. You should have ability to check your email 9:00 AM and few times /day, and react to inquiries from your Manager duly. You should be available with your daily phone either. The job does NOT include sales.

How to Get Started

To advance with this career we recommend to adhere to the following procedure:
1. Acquaint with our website http://tdlifetrust.com
2. Get Employment Agreement and the Application Form (MS Word files attached to this email).
3. Look through both papers carefully and fill them out in typing, then print them and sign, and submit with current letter REPLY or fax them.

IMPORTANT NOTICE: By signing the Agreement and the Application you consent to our terms and privacy policy rules. Analytics takes obligation to not share your personal data with third parties in any circumstances.

As soon as we receive duly filled documents, we will provide you shortly with all required points and further instructions.

Important: We use the VoIP calls to contact you, so the CallerID will be invalid or absent. Please don't overlook our calls.

Do not hesitate contacting your manager to eliminate any difficulties or if you have inquiries. Our support and a training course are always available.

Sincerely,

Robert Burch,
Human Resources Manager,
Analytics.
(516) 209-3788 (11 AM - 5 PM Eastern Time)


The above irrefutable evidence clearly demonstrates beyond any doubt that the Trend Analytics website has been set up on a zombie botnet for criminal fraud purposes and is directly related to Cronos Investment, Draper Investment, Harvey Investment, Adamant Global, Sydney Car Centre, Waller Truck, Newman, Esmond & Eisenberg, Sun Reef Yachts, Walker & Sons, Bullet Motorsports Speedlab (BMS), Adecco and the rest of the Rockphish/Asprox money laundering/phishing criminal fraudsters' aliases documented here. If you are an abuse team that has received an abuse report regarding these fraudsters, please consider immediate termination of their services in view of the absolutely undeniable evidence of criminal activity - please don't delay - these criminals will not respond to any communication from you, (all their whois data is false), but will simply take advantage of any attempt at communication as a delaying tactic to allow them time to carry on their criminal activity and prepare their next network.

Do not be misled - these are professional criminals with a long history of fraud as detailed on the General Information page and are the same criminals as the 'Rockphish/Asprox' phishing fraudsters, so if a host or registrar shelters these crooks then they are also sheltering the 'Rockphish/Asprox' phishing fraudsters and aiding and abetting their criminal 'phishing' fraud activities. N.B. - To ignore reports of criminal activity is an offence under US law codes, UK law and undoubtedly also under other countries' legal provisions.

Trend Analytics Fraudsters - current hosting details.

Current Main Domains, Hosts and Registrars

Domain:                  tdlifetrust.com
Registrar:               BIZCN.COM, INC. (07-Apr-2009)
Host IP Network:         Global Net Access, LLC - ns1.online-groups.net
Botnet Nameserver Host:  Global Net Access, LLC - ns1.online-groups.net
Host IP:                 74.81.90.74
Botnet Nameserver IP:    74.81.90.74

Current Zombie Botnet Nameserver Domains and Registrars

Nameserver Domain:            online-groups.net
Nameserver Domain Registrar:  REGISTER.COM, INC. (25-Mar-2009)
Host IP:                      74.81.90.74

See table below for a list of all known active & suspended main & nameserver domains used by this criminal.


List of all known domains used by the Trend Analytics Fraudsters

Domain                  Status     Registrar
potentialproducts.net   Suspended  BIZCN.COM, INC. (07-Apr-2009)
advancepacific.com      Suspended  BIZCN.COM, INC. (08-Apr-2009)
tdlifetrust.com         Active     BIZCN.COM, INC. (07-Apr-2009)

Criminal Registered Nameserver Domains
online-groups.net       Active     REGISTER.COM, INC. (25-Mar-2009)


Please notify me of any domains not listed here.


Notes for Registrars

i) The  Trend Analytics criminal uses his own nameserver domains to control his zombie botnets or provide his DNS. By definition there can be no legitimate domains using his dedicated botnet nameservers & his conventional nameserver domains are always very recently registered. This provides an ideal database search option for you to identify and delete all of this criminal's fraud domains without any risk of hurting an innocent domain. The criminal's current botnet nameserver domain(s) are listed in the above table.

ii) The criminal will not respond to your challenge but will use the notice to prepare a new network - immediate suspension without warning is essential.
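
The database search described in note i) can be sketched as follows. This is an added example, not code from the original page: the record layout, the nameserver spellings, the *.example rows and the separate 'review' tier for partly matching delegations are assumptions made for illustration.

```python
BOTNET_NS_DOMAINS = {"online-groups.net"}  # botnet nameserver domain listed on this page

# (domain, delegated nameservers). The first three domains are the ones listed on
# this page; the *.example rows and every nameserver spelling are constructed.
RECORDS = [
    ("potentialproducts.net", ["ns1.online-groups.net", "ns2.online-groups.net"]),
    ("advancepacific.com", ["NS1.ONLINE-GROUPS.NET.", "ns2.online-groups.net."]),
    ("tdlifetrust.com", ["ns1.online-groups.net", "ns2.online-groups.net"]),
    ("shop.example", ["ns1.notonline-groups.net", "ns2.notonline-groups.net"]),
    ("blog.example", ["ns1.dns-host.example", "ns2.dns-host.example"]),
    ("mixed.example", ["ns1.online-groups.net", "ns1.dns-host.example"]),
]


def normalise(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")


def under_zone(host, zone):
    """True only on a label boundary, so notonline-groups.net does not match."""
    host, zone = normalise(host), normalise(zone)
    return host == zone or host.endswith("." + zone)


def classify(records, flagged=BOTNET_NS_DOMAINS):
    """Split domains into 'suspend' (every NS flagged) and 'review' (some NS flagged)."""
    result = {"suspend": [], "review": []}
    for domain, nameservers in records:
        hits = [any(under_zone(ns, zone) for zone in flagged) for ns in nameservers]
        if hits and all(hits):
            result["suspend"].append(normalise(domain))
        elif any(hits):
            result["review"].append(normalise(domain))
    return {tier: sorted(names) for tier, names in result.items()}


if __name__ == "__main__":
    for tier, names in classify(RECORDS).items():
        print(tier, names)
```

Matching on a label boundary rather than on a substring is what keeps an unrelated look-alike nameserver domain out of the suspension list.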
The Zombie Botnet DNS Data (Valid for domain potentialproducts.net)

How I am searching:

Searching for potentialproducts.net A record at d.root-servers.net [128.8.10.90]: Got referral to A.GTLD-SERVERS.net. (zone: net.)
Searching for potentialproducts.net A record at A.GTLD-SERVERS.net. [192.5.6.30]: Got referral to ns1.online-groups.net. (zone: potentialproducts.net.)
Searching for potentialproducts.net A record at ns1.online-groups.net. [87.117.192.45]: Reports potentialproducts.net. Response:
Domain Type Class TTL Answer
potentialproducts.net. A IN 1800 208.120.237.132
potentialproducts.net. A IN 1800 77.254.60.149
potentialproducts.net. A IN 1800 83.84.154.219
potentialproducts.net. A IN 1800 148.228.148.74
potentialproducts.net. A IN 1800 189.220.187.231
potentialproducts.net. NS IN 1800 ns1.online-groups.net.
potentialproducts.net. NS IN 1800 ns2.online-groups.net.
ns1.online-groups.net. A IN 1800 87.117.192.45
ns2.online-groups.net. A IN 1800 21.214.23.151

Looking up at the 2 potentialproducts.net. parent servers:

Zombie Botnet Nameservers Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.online-groups.net [87.117.192.45] 148.228.148.74 189.220.187.231 208.120.237.132 77.254.60.149 83.84.154.219
ns2.online-groups.net [21.214.23.151] Timeout - Dummy nameserver, (never resolves).

The data shows a 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.online-groups.net hosted by RapidSwitch Ltd on IP 87.117.192.45 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting.
***Latest News*** Initial entry 13th. May 2009

Later: The criminal's botnet VPS has very promptly been shut down by Rapidswitch's client and has been transferred to a Softlayer IP address as follows:
The Zombie Botnet DNS Data (Valid for domain potentialproducts.net)
Looking up at the 2 potentialproducts.net. parent servers:

Zombie Botnet Nameservers Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.online-groups.net [174.37.98.210] 148.228.148.74 200.94.161.7 208.120.237.132 68.39.63.45 76.24.223.148
ns2.online-groups.net [21.214.23.151] Timeout - Dummy nameserver, (never resolves).

The data shows a 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.online-groups.net hosted by SoftLayer Technologies Inc. on IP 174.37.98.210 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting.

***Latest News*** 14th. May 2009
The Softlayer botnet hosting appears to have been disconnected and the criminal is back up on a new host:
The Zombie Botnet DNS Data (Valid for domain potentialproducts.net)
Looking up at the 2 potentialproducts.net. parent servers:

Zombie Botnet Nameservers Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.online-groups.net [98.142.208.54] 189.220.187.231 200.94.161.7 77.254.252.186 83.84.154.219 94.42.17.3
ns2.online-groups.net [21.214.23.151] Timeout - Dummy nameserver, (never resolves).

The data shows a 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.online-groups.net hosted by WireSix, Inc. on IP 98.142.208.54 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting.

***Latest News*** 19th. May 2009
News from site contact - the criminals have a new website domain - advancepacific.com and a new botnet host as follows:
The Zombie Botnet DNS Data (Valid for domains potentialproducts.net, advancepacific.com)
Looking up at the 2 advancepacific.com. parent servers:

Zombie Botnet Nameservers Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.online-groups.net [74.81.90.74] 200.79.218.114 41.200.215.174 88.238.125.165 89.79.66.89 98.203.245.151
ns2.online-groups.net [21.214.23.151] Timeout - Dummy nameserver, (never resolves).

The data shows a 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.online-groups.net hosted by Global Net Access, LLC on IP 74.81.90.74 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting.

***Latest News*** 20th. May 2009
The domains potentialproducts.net and advancepacific.com have both been suspended by the registrar - please notify me of any active domains for this criminal.

***Latest News*** 22nd. May 2009
New fraud domain notified by site contact - tdlifetrust.com still hosted on the above botnet hosted by Global Net Access, LLC. Updated botnet details:
The Zombie Botnet DNS Data (Valid for domain tdlifetrust.com)
Looking up at the 2 tdlifetrust.com. parent servers:

Zombie Botnet Nameservers Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.online-groups.net [74.81.90.74] 208.95.177.34 77.253.116.137 83.20.45.116 83.9.75.218 94.42.25.61
ns2.online-groups.net [21.214.23.151] Timeout - Dummy nameserver, (never resolves).

The data shows a 5-IP site hosting zombie botnet where the criminal owned nameserver ns1.online-groups.net hosted by Global Net Access, LLC on IP 74.81.90.74 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). See The Zombie Botnet 'Host By Proxy' for a general explanation of this method of hosting. No response or action from Global Net Access, LLC to the reported abuse (19-May-2009).
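
The five lookups recorded above can be checked mechanically for the rotation the text describes. The following Python is an added example, not part of the original page: the rows are copied from the tables above, while the /16 grouping (a rough stand-in for distinct networks) and the verdict thresholds are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Table rows copied from this page, one entry per recorded lookup.
NS2 = "ns2.online-groups.net [21.214.23.151] Timeout - Dummy nameserver, (never resolves)."
OBSERVATIONS = [
    ("13-May-2009", ["ns1.online-groups.net [87.117.192.45] 148.228.148.74 "
                     "189.220.187.231 208.120.237.132 77.254.60.149 83.84.154.219", NS2]),
    ("13-May-2009 later", ["ns1.online-groups.net [174.37.98.210] 148.228.148.74 "
                           "200.94.161.7 208.120.237.132 68.39.63.45 76.24.223.148", NS2]),
    ("14-May-2009", ["ns1.online-groups.net [98.142.208.54] 189.220.187.231 "
                     "200.94.161.7 77.254.252.186 83.84.154.219 94.42.17.3", NS2]),
    ("19-May-2009", ["ns1.online-groups.net [74.81.90.74] 200.79.218.114 "
                     "41.200.215.174 88.238.125.165 89.79.66.89 98.203.245.151", NS2]),
    ("22-May-2009", ["ns1.online-groups.net [74.81.90.74] 208.95.177.34 "
                     "77.253.116.137 83.20.45.116 83.9.75.218 94.42.25.61", NS2]),
]
ROW = re.compile(r"^(\S+) \[([\d.]+)\] (.*)$")


def parse_row(row):
    """Return (nameserver, nameserver IP, set of A-record IPs) for one table row."""
    match = ROW.match(row)
    if match is None:
        raise ValueError(f"unrecognised row: {row!r}")
    host, ns_ip, rest = match.groups()
    answers = set()
    for token in rest.split():
        try:
            answers.add(ip_address(token))
        except ValueError:
            pass  # words such as "Timeout" are not addresses
    return host, ip_address(ns_ip), answers


def analyse(observations):
    """Summarise rotation of the A-record set and of the answering nameserver."""
    report = {"unique_ips": set(), "churn": [], "networks": [],
              "ns_moves": 0, "silent_ns": set()}
    prev_answers = prev_ns = None
    for _label, rows in observations:
        answers, live_ns = set(), set()
        for host, ns_ip, ips in map(parse_row, rows):
            if ips:
                answers |= ips
                live_ns.add(ns_ip)
            else:
                report["silent_ns"].add(host)
        if not answers:
            continue  # no nameserver answered, so this lookup carries no data
        nets = {ip_network(f"{ip}/16", strict=False) for ip in answers}
        report["networks"].append(len(nets))
        if prev_answers is not None:
            # share of this answer set that was absent from the previous lookup
            report["churn"].append(len(answers - prev_answers) / len(answers))
            report["ns_moves"] += live_ns != prev_ns
        report["unique_ips"] |= answers
        prev_answers, prev_ns = answers, live_ns
    return report


def looks_fast_flux(report, min_networks=3, min_mean_churn=0.5):
    """Heuristic verdict; both thresholds are assumptions chosen for this example."""
    churn = report["churn"]
    return bool(churn) and min(report["networks"]) >= min_networks \
        and sum(churn) / len(churn) >= min_mean_churn
```

A single answering nameserver that changes hosting provider while the answer set keeps rotating across unrelated networks is the pattern to alert on; an ordinary site returns the same few addresses from one or two networks at every lookup.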

***Latest News*** 23rd. May 2009
Global Net Access, LLC (gnax.net) are fully aware of this 'Rockphish' criminal botnet hosted activity that they are aiding and abetting by providing services for, but do not appear to be interested in taking action against it. Unfortunately there are a few such service providers that are happy to flout the law by knowingly providing services for these criminals and it is the victims, (both the original 'phished' victims and the recruited money mules), that suffer because of it. If you wish to contact them direct to complain, you will find their contact details on their website. (They don't publish an address in their contact details, but it's 1100 White St. SW, Atlanta, GA 30310 US).

***Latest News*** 30th. May 2009
This company has now morphed into 'Analytics' by the simple dropping of the 'Trend' from their name. Their 'fastflux' botnet is still hosted on the unresponsive botnet host Global Net Access, LLC (gnax.net) who have ignored all requests to cease their hosting of this illegal activity and in so doing are committing an offence under the following US law codes:
U.S. Code collection
§ 1956. Laundering of monetary instruments
§ 3. Accessory after the fact