Walker and Sons Inc Fraud

Don't Bear Internet Fraud

Walker & Sons Inc (Walker&Sons) scam website screenshot:

If you've either received an active website link in a Walker & Sons Inc fraud spam, or know of an active domain and it is not listed in the domain tables below, then please let us know by reporting it using the 'Report Active Domain' option in the title bar above.

This Walker & Sons Inc criminal fraud website with content stolen from Ernst & Young and HLB international should not be confused with any other company of the same name. The above website graphics and the following content define this criminal alone.

Walker & Sons Inc (Walker&Sons) is the latest fraud from the money laundering department of the well known 'Rockphish/Asprox' phishing criminals. It is the replacement zombie botnet hosted fraud for the Sunreef Yachts criminal fraudster and in fact is still using the same PFA-BOSTAN-TUDOR-TEODOR (Jump.ro) botnet nameserver host IP 89.46.37.173 as was used for the Sunreef Yachts fraud et al and uses a generic flash banner with website content stolen from the Ernst & Young website. They are also claiming to be partners with the international accounting firm HLB International & HLB Nathans - this is a lie and the HLB company have published a fraud warning of these criminals on their home page.

The payload of the site is the usual clear money laundering mule fake job which is also heavily spamvertised, (spam copy below). If you are a registrar or a host who has received an abuse report concerning this criminal then please review the irrefutable evidence below and take prompt and permanent action to shut this criminal down. The stolen Ernst & Young content and the fake claim of partnership with HLB link this site inextricably with other frauds such as NTI Consult and IC Audit & Consulting and via them to many others. Most of the criminal's current known domains are/were registered with the registrar 123-reg.co.uk/Webfusion (GX Networks Ltd) as were Sunreef Yachts domains and Green Tree (Warehousing) Ltd fraud domains.

Current Zombie Botnet Controller Hosts

Mountain Cablevision LTD./Clearance Rack Inc - ns1.paradiserouse.com [24.213.90.172] - Notified 22-Oct-2008
WholeSale Internet, Inc./Webhostone - ns1.americanstool.com [208.110.88.88] -

The above table shows the current providers of zombie botnet hosting services to the criminals and how long they have been providing them for. The decent ethical majority of service providers, (all credit to them - they are a pleasure to deal with), act within 1-24 hours of being informed of the criminal abuse of their system, (the best in less than 1 hour), but there are unfortunately some that, for whatever reason, do not. Any hosting company that remains in the above list for more than 48 hours has unfortunately not responded positively to abuse reports and may possibly be a 'blackhat' or even a criminal controlled host.

If you are an abuse team that has taken action, please let me know so that I may remove the above record and update the data.

Walker & Sons Inc (Walker&Sons) : Evidence of Site Theft and Criminal Fraud

i) The Walker & Sons Inc (Walker&Sons) fraud website is hosted on a 7-IP 'Fastflux' zombie botnet on exactly the same IP address (89.46.37.173) as was latterly used for the Sunreef Yachts fraud as evidenced below - No legitimate company would use a zombie botnet to host their website - irrefutable evidence of criminality.

ii) The Walker & Sons website contains the usual part-time, working from home, clear money mule function advertised as "Financial Coordinator" under the 'Careers' tab which is the only post that is also advertised in the criminal's spam, (sample below):

Financial Coordinator

Job summary :

As a regional Financial Coordinator for our company you will be responsible to administer customer payments. You will help to fasten customer settlements and payments delivery. You will participate in internal and external company funds flow to speed up maturity of bills and other transactions. We need you to support our international team to be able to raise capital, attract more and more customers and expand into new economical markets and assist in the development of the company in general.

Responsibilities:

      Deal with order and bill payment projects
    * Receive and manage customer payments and any other business payments ( your existing accounts is to be used for the trial period of first three customer payments and a business account to be opened especially for the company needs in the future)
    * Implement calculations regarding each new coming payment project to be dealt with
    * Ensure the high-speed delivery of the funds to the final destination through Western Union or Money Gram quick collect services
    * Be in a tight collaboration with the Head Office and report directly to the Finance Manager

      Required skills and experience:
    * Excellent project management skills
    * Written and verbal communication skills
    * High School diploma or equivalent preferred
    * Excellent time management skills
    * Excellent organizational and communication skills
    * Capable of managing multiple projects and prioritizing deadlines

This position offers part employment (1-2 hours a day) and net 10% commission
If you are interested in this opportunity, click the �Apply Now!� button.

Apply Now!

The above role is clearly the ILLEGAL role of a money laundering mule. Notice the illiterate trademark phrase 'fasten customer settlements and payments delivery' that these criminals always use. The fake 'job' will get your bank account and your assets frozen and will get you a visit from the police and possibly earn you a criminal record. Don't be tempted.

iii) The criminal's website content is largely stolen from the Ernst & Young website, (in particular compare the criminal's home page with the Ernst & Young 'About Us' page), with minor modifications. This is their way of getting around the usual 'Runglish' that generally gives these criminal's game away - wherever they use their own content it becomes obvious.

iv) The criminal's spam contains forged header information and the usual bayesian filter avoidance 'white text' code that irrefutably link it to the Cronos Investment, Draper Investment, Harvey Investment, Adamant Global, Sydney Car Centre, Waller Truck, Newman, Esmond and Eisenberg, Green Tree (Warehousing) Ltd, Sunreef Yachts and all this criminal's many other aliases along with the 'rockphish' and 'Asprox' phishing criminals.

v) The criminal's spams, (example follows), contain the illegal money mule function of accepting payments into a private bank account and transferring them back out to the criminals less 10% via Moneygram or Western Union - clear and irrefutable evidence of solicitation to commit money laundering fraud.

vi) The Spam Content

The Walker & Sons Inc spam headers contain many different forged/bogus 'From' & 'Return Path' addresses & various forged 'Receive' lines. The subject lines vary & all indicate that there is a job opportunity to be had. There is - an illegal job as a money laundering 'mule' or transfer fraud victim, i.e. accepting stolen or counterfeit proceeds into your account and forwarding them on via Western Union or Moneygram for a percentage cut. Needless to say it is these mules that will probably feel the full weight of the law while the remote money launderers are safe. The bogus or stolen funds in the mules account may well also be recovered, leaving them with large losses.

This is the content of an actual Walker&Sons scam spam received from a site contact:

From: Walker and Sons Inc <Twila.Latham8265@kellychen.com>
Date: Sep 13, 2008 9:12 PM
Subject: vacant position

Dear Sir/Madam,

We are writing from the "Walker and Sons Inc" in a response to the employee application form that you have recently posted at www.monster.com. Today we are happy introduce a part-time Regional Coordinator vacancy we have recently opened in the USA.
We are the world leaders in assurance, tax, transaction and advisory services. We aim to have a positive influence on business and markets, as well as on society as a whole. We attract talented people from diverse backgrounds. We try to be the best in our field and, thus, do everything to achieve it. As business challenges become more complex, we need to call upon the widest spectrum of views and opinions to address them. Our company offers different ways of personal and professional development, because when our people grow and succeed, our company benefits as well. Our staff includes 130,000 people who are the foundation of our success. We created the multi-disciplinary team for our business with the help of our global network of professionals. Working in collaboration with you, we can see the way you work and strive for identifying issues before they become problems.
As a regional Financial Coordinator for our company, you will be responsible to administer customer payments. You will help to fasten customer settlements and payments delivery. You will participate in internal and external company funds flow to speed up maturity of bills and other transactions. We need you to support our international team to be able to raise capital, attract more and more customers, expand into new economical markets and assist in the development of the company in general.

Your major responsibilities are going to include: dealing with order and bill payment projects, receiving and managing customer payments and any other business payments (your existing accounts is to be used for the trial period of first three customer payments and a business account to be opened especially for the company needs in the future), implementing calculations regarding each new coming payment project to be dealt with, ensuring the high-speed delivery of the funds to the final destination through Western Union or Money Gram quick collect services, being in a tight collaboration with the Head Office and reporting directly to the Finance Manager.

In order to suit the position you have to be energetic and motivated and obtain excellent time management skills.

This position offers part employment (1-2 hours a day) and net 10% commission.
If you are interested in this opportunity for more information and an on-line application form, please visit our web site at:

http://walerson.tk

If you have any questions, please do not hesitate to contact us.
We are looking forward to establishing some business ship with you asap!
Yours sincerely, Alyce Lindsay

FJY: 0x2772, 0x45, 0x38020441, 0x9, 0x1, 0x8075, 0x271 EI1F serv root IKTD 35DE TLK TB5 7JQ4 close. 0x5, 0x7, 0x04, 0x1267, 0x86130572, 0x906, 0x69052391, 0x1, 0x2841, 0x40, 0x12, 0x738, 0x25, 0x1171, 0x5 P1VL: 0x11, 0x7819, 0x75449866, 0x45965881, 0x0410, 0x6845, 0x503 0x34, 0x876 UFE: 0x7063 create: 0x9, 0x0971, 0x5, 0x0300, 0x85, 0x70, 0x4, 0x996, 0x1, 0x79, 0x6 K606: 0x5993, 0x1101, 0x9, 0x41, 0x50 ACZS: 0x2022, 0x588, 0x01, 0x84596887, 0x33203889, 0x279

rev: 0x1224, 0x1, 0x61, 0x860 0x682, 0x9253, 0x9, 0x1, 0x6, 0x1863, 0x524, 0x21777643 0x168, 0x2351, 0x82 cvs, start, start, serv, 4P7K, common, YXY2, function. 0x371, 0x3, 0x2540, 0x617, 0x09, 0x07626347 0x87, 0x70, 0x8, 0x6, 0x75, 0x17, 0x938, 0x888 update GW5W define FPQ2 TAVQ common MXX 3LY. 0x04, 0x9, 0x424, 0x23, 0x63343578, 0x289, 0x91, 0x0706 0x94, 0x4, 0x02413291, 0x4603, 0x902, 0x3, 0x432, 0x15 0x7826, 0x1, 0x66

0x62449444, 0x4383, 0x946, 0x04231731, 0x079, 0x64960063, 0x1, 0x681, 0x068, 0x251, 0x089, 0x9, 0x28362124 0x27, 0x04471328, 0x747, 0x15, 0x852, 0x810, 0x3 MZPT: 0x92 0x80496095, 0x8323, 0x4597, 0x53, 0x39382766, 0x927, 0x0, 0x60, 0x816, 0x8, 0x579, 0x90, 0x17278335, 0x110 interface, Q5IF close, type. rcs: 0x89, 0x24, 0x8, 0x3430, 0x795, 0x7774, 0x48415247 0x5, 0x5, 0x5, 0x008, 0x5244, 0x2, 0x328, 0x30623421, 0x042, 0x658, 0x3925, 0x4928, 0x2776 0x4246, 0x3, 0x1, 0x63, 0x48 LJXJ, update, exe, interface, WXD 0x81, 0x63, 0x80403696, 0x3

Note the usual Bayesian filter avoidance 'code', commonly used by these criminals and the 'rockphish/asprox' scammers alike. It's normally in 'whitetext' so it's invisible, but here I've greyed it in.

vii) Fake contact details from the website:

Ukraine
4, A Tarasova St
Kiev
01001

General email:
ukr@walkson.co.uk
International Contact Partner:
Andrew Gellie

Hong Kong
6 Pacific Place
88 Queensway
Central, Hong Kong Island

General email:
info@walkson.co.uk
International Contact Partner:
Kevin Lin

Germany
Brahmsstrasse 10
Berlin
BE 14193

General email:
de@walkson.co.uk
International Contact Partner:
Hermann Handlhuber

• - They are not registered at Germany's 'Companies House' - clear evidence of fraud
• - Their bogus German address of Brahmsstrasse 10 is actually the address of the Schlosshotel Im Grunewald, Berlin - Clear evidence of fraud.

The above irrefutable evidence clearly demonstrates beyond any doubt that the Walker & Sons website has been set up by money laundering and phishing criminals purely for the purpose of spamvertising an illegal money laundering 'mule' job and is directly related to Cronos Investment, Draper Investment, Harvey Investment, Adamant Global, Sydney Car Centre, Waller Truck, Newman, Esmond & Eisenberg, Sun Reef Yachts and the rest of the money laundering/phishing criminal fraudsters' aliases documented here. If you are an abuse team that has received an abuse report regarding these fraudsters, please consider immediate termination of their services in view of the absolutely undeniable evidence of site theft, copyright offences, criminal money laundering activity and spamming - please don't delay - these criminals will not respond to any communication from you, (all their whois data is false), but will simply take advantage of any attempt at communication as a delaying tactic to allow them time to carry on their criminal activity and prepare their next network.

Do not be misled - these are professional criminals with a long history of fraud as detailed on the General Information page and are the same criminals as the 'rockphish' phishing fraudsters, so if a host or registrar shelters these crooks then they are also sheltering the 'rockphish' phishing fraudsters and aiding and abetting their criminal 'phishing' fraud activities.

Walker & Sons Inc Fraudsters - current hosting details.

Current Main Domains, Hosts and Registrars

Domain

Registrar

Host IP Network /Botnet Nameserver Host

Mountain Cablevision LTD./Clearance Rack Inc - ns1.paradiserouse.com
WholeSale Internet, Inc./Webhostone - ns1.americanstool.com

Host IP/Botnet Nameserver IP

24.213.90.172
208.110.88.88

Current Zombie Botnet Nameserver Domains and Registrars

Nameserver

ns1.globalthetrabel.com
ns1.minicroun.com
ns1.paradiserouse.com
ns1.netvorkdiscover.com
ns1.americanstool.com

Domain Registrar

INNERWISE, INC. D/B/A ITSYOURDOMAIN.COM (10-sep-2008)
REGISTER.COM, INC. (15-Sep-2008)
REGISTER.COM, INC. (18-Sep-2008)
REGISTER.COM, INC. (18-Sep-2008)
REGISTER.COM, INC. (18-Sep-2008)

Host IP

24.213.90.172
66.197.241.15
208.110.88.88

See table below for a list of all known active & suspended main & nameserver domains used by this criminal.

List of all known domains used by the Walker&Sons Fraudsters

Domain

walkson.org.uk
walkson.me.uk
walkson.co.uk
wolkeson.org.uk
wolkeson.me.uk
wolkeson.co.uk
walkes.org.uk
walkes.me.uk
walkes.co.uk
waalker.org.uk
waalker.me.uk
waalker.co.uk
wallker.org.uk
wallker.me.uk
wallker.co.uk
salker.org.uk
salker.me.uk
salker.co.uk
walkeer.org.uk
walkeer.me.uk
walkeer.co.uk
walsoon.org.uk
walsoon.me.uk
walsoon.co.uk
wallkker.org.uk
wallkker.me.uk
wallkker.co.uk
walkker.org.uk
walkker.me.uk
walkker.co.uk
wakson.org.uk
wakson.me.uk
wakson.co.uk
wallkerr.org.uk
wallkerr.me.uk
wallkerr.co.uk
wallkers.org.uk
wallkers.me.uk
wallkers.co.uk
wolkers.org.uk
wolkers.me.uk
wolkers.co.uk
allkers.org.uk
allkers.me.uk
allkers.co.uk
waleron.org.uk
waleron.me.uk
waleron.co.uk
was-inc.info
was-inc.org
walkerandsons.org
walker-and-sons.com
walker-and-sons.net
walker-and-sons.org
wandsinc.com
wandsinc.net
wandsinc.org
wsinc.org
w-and-s.org
w-and-s.net
w-and-s.com
walern.org.uk
walern.me.uk
walern.co.uk
walker-and-sons.com.kg
walker-and-sons.net.kg
walker-and-sons.org.kg
w-inc.eu
was-inc.eu
wandsinc.eu
waalker.eu
wallker.eu
walkeer.eu
walkker.eu
waksson.eu
waklson.eu
wallson.eu
waalke.eu
wallson.ph
wallson.tk
walkons.tk
wallker.tk
waalker.tk
walers.tk
wallkers.tk
walerson.tk

Criminal Registered Nameserver Domains

worldinschool.com
tvnetsite.com
transmo.net
bmnpro.com
globalthetrabel.com
mltime.net
landvich.com
minicroun.com
paradiserouse.com
netvorkdiscover.com
americanstool.com

Status

Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Active (DNS Error)
Active (DNS Error)
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Active (DNS Error)
Active (DNS Error)
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Active (DNS Looped)
Active (DNS Looped)
Active (DNS Looped)
Active (DNS disabled)
Active (DNS Error)
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Active (Parked)
Active (DNS Error)
Active (DNS Error)
Active (Parked)
Suspended
Active (Parked)
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Parked
Parked
Parked
Parked
Parked
Parked
Parked

Suspended
Suspended
Suspended
Parked
Active
Suspended
Parked
Parked
Active
Active
Active

Registrar

GX Networks Ltd t/a 123-Reg.co.uk (10-Sep-2008) [Reported 14-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (10-Sep-2008) [Reported 14-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (10-Sep-2008) [Reported 14-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (10-Sep-2008) [Reported 14-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (10-Sep-2008) [Reported 14-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (10-Sep-2008) [Reported 14-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (10-Sep-2008) [Reported 15-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (10-Sep-2008) [Reported 15-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (10-Sep-2008) [Reported 15-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (10-Sep-2008) [Reported 15-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (10-Sep-2008) [Reported 15-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (10-Sep-2008) [Reported 15-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (10-Sep-2008) [Reported 16-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (10-Sep-2008) [Reported 16-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (10-Sep-2008) [Reported 16-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (10-Sep-2008) [Reported 18-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (10-Sep-2008) [Reported 18-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (10-Sep-2008) [Reported 18-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (10-Sep-2008) [Reported 18-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (10-Sep-2008) [Reported 18-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (10-Sep-2008) [Reported 18-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (17-Sep-2008) [Reported 18-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (17-Sep-2008) [Reported 18-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (17-Sep-2008) [Reported 18-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (17-Sep-2008) [Reported 20-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (17-Sep-2008) [Reported 20-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (17-Sep-2008) [Reported 20-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (17-Sep-2008) [Reported 20-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (17-Sep-2008) [Reported 20-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (17-Sep-2008) [Reported 20-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (17-Sep-2008) [Reported 21-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (17-Sep-2008) [Reported 21-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (17-Sep-2008) [Reported 21-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (17-Sep-2008) [Reported 21-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (17-Sep-2008) [Reported 21-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (17-Sep-2008) [Reported 21-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (17-Sep-2008) [Reported 23-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (17-Sep-2008) [Reported 23-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (17-Sep-2008) [Reported 23-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (17-Sep-2008) [Reported 23-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (17-Sep-2008) [Reported 23-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (17-Sep-2008) [Reported 23-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (17-Sep-2008) [Reported 23-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (17-Sep-2008) [Reported 23-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (17-Sep-2008) [Reported 23-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (21-Sep-2008) [Reported 23-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (21-Sep-2008) [Reported 23-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (21-Sep-2008) [Reported 23-Sep-2008]
PublicDomainRegistry.com (23-Sep-2008)
IARegistry/Spiritdomains (23-Sep-2008) [Reported 25-Sep-2008]
Internet Invest, Ltd. dba Imena.ua (23-Sep-2008)
Internet Invest, Ltd. dba Imena.ua (23-Sep-2008)
Internet Invest, Ltd. dba Imena.ua (23-Sep-2008)
Internet Invest, Ltd. dba Imena.ua (23-Sep-2008)
Internet Invest, Ltd. dba Imena.ua (23-Sep-2008)
Internet Invest, Ltd. dba Imena.ua (23-Sep-2008)
Internet Invest, Ltd. dba Imena.ua (23-Sep-2008)
Internet Invest, Ltd. dba Imena.ua (23-Sep-2008)
Internet Invest, Ltd. dba Imena.ua (25-Sep-2008)
Internet Invest, Ltd. dba Imena.ua (25-Sep-2008)
Internet Invest, Ltd. dba Imena.ua (25-Sep-2008)
GX Networks Ltd t/a 123-Reg.co.uk (21-Sep-2008) [Reported 28-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (21-Sep-2008) [Reported 28-Sep-2008]
GX Networks Ltd t/a 123-Reg.co.uk (21-Sep-2008) [Reported 28-Sep-2008]
Domain.kg (26-Sep-2008) [Reported 01-Oct-2008]
Domain.kg (26-Sep-2008) [Reported 01-Oct-2008]
Domain.kg (26-Sep-2008) [Reported 01-Oct-2008]
GX Networks Ltd t/a 123-Reg.co.uk (30-Sep-2008) [Reported 02-Oct-2008]
GX Networks Ltd t/a 123-Reg.co.uk (30-Sep-2008) [Reported 03-Oct-2008]
GX Networks Ltd t/a 123-Reg.co.uk (30-Sep-2008) [Reported 03-Oct-2008]
GX Networks Ltd t/a 123-Reg.co.uk (30-Sep-2008) [Reported 06-Oct-2008]
GX Networks Ltd t/a 123-Reg.co.uk (30-Sep-2008) [Reported 06-Oct-2008]
GX Networks Ltd t/a 123-Reg.co.uk (30-Sep-2008) [Reported 06-Oct-2008]
GX Networks Ltd t/a 123-Reg.co.uk (30-Sep-2008) [Reported 06-Oct-2008]
GX Networks Ltd t/a 123-Reg.co.uk (01-Oct-2008) [Reported 06-Oct-2008]
GX Networks Ltd t/a 123-Reg.co.uk (01-Oct-2008) [Reported 06-Oct-2008]
GX Networks Ltd t/a 123-Reg.co.uk (01-Oct-2008) [Reported 08-Oct-2008]
GX Networks Ltd t/a 123-Reg.co.uk (01-Oct-2008)
Domains.ph (09-Oct-2008) [Reported 09-Oct-2008]
Dot.tk (10-Aug-2008) [Reported 09-Oct-2008]
Dot.tk (10-Sep-2008) [Reported 11-Oct-2008]
Dot.tk (10-Sep-2008) [Reported 11-Oct-2008]
Dot.tk (10-Sep-2008) [Reported 11-Oct-2008]
Dot.tk (10-Sep-2008) [Reported 13-Oct-2008]
Dot.tk (12-Oct-2008) [Reported 22-Oct-2008]
Dot.tk (12-Oct-2008) [Reported 22-Oct-2008]

Network Solutions LLC (06-Sep-2008)
IA Registry (Spiritdomains) (14-jul-2008)
Network Solutions LLC (15-jul-2008)
REGISTER.COM, INC. (10-jul-2008)
INNERWISE, INC. D/B/A ITSYOURDOMAIN.COM (10-sep-2008)
Network Solutions LLC (14-jul-2008)
Register.com Inc. (14-Sep-2008)
Register.com Inc. (15-Sep-2008)
Register.com Inc. (18-Sep-2008)
Register.com Inc. (18-Sep-2008)
Register.com Inc. (18-Sep-2008)

Please notify me of any domains not listed here.

Notes for Registrars

i) The Walker & Sons Inc criminal uses his own nameserver domains to control his zombie botnets or provide his DNS. By definition there can be no legitimate domains using his dedicated botnet nameservers & his conventional nameserver domains are always very recently registered. This provides an ideal database search option for you to identify and delete all of this criminal's fraud domains without any risk of hurting an innocent domain. The criminal's current botnet nameserver(s) are: ns1.paradiserouse.com, ns1.netvorkdiscover.com and ns1.americanstool.com

ii) The criminal's domains have different false whois registration data.

iii) The criminal will not respond to your challenge but will use the notice to prepare a new network - immediate suspension is requested, please.

The Zombie Botnet

See here for information on this method of site hosting favoured by these criminals.

The Zombie Botnet DNS Data (Valid for domains wallker.org.uk, wallker.me.uk, wallker.co.uk)

Looking up at the 2 walkson.co.uk. parent servers:

Zombie Botnet Nameserver	Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.worldinschool.com [89.46.37.173]	125.234.106.129 195.116.186.130 212.80.46.208 80.73.12.66 82.137.41.49 82.78.230.197 86.100.97.110
ns2.worldinschool.com [205.1.190.10]	Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.worldinschool.com hosted by PFA-BOSTAN-TUDOR-TEODOR (Jump.ro) on IP 89.46.37.173 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

The Zombie Botnet DNS Data (Valid for domain wolkeson.org.uk, wolkeson.me.uk, wolkeson.co.uk, waalker.org.uk, waalker.me.uk, waalker.co.uk)

Looking up at the 2 wolkeson.co.uk parent servers:

Zombie Botnet Nameserver	Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.tvnetsite.com [67.152.43.83]	124.50.244.43 24.161.201.221 80.73.12.66 82.137.41.106 82.166.129.203 86.125.248.54 87.226.70.101
ns2.tvnetsite.com [95.81.37.105]	Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.tvnetsite.com hosted by XO Communications on IP 67.152.43.83 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

These criminals are experienced liars, thieves and professional confidence tricksters. Do not be fooled - do not believe them. The evidence of criminal fraud is undeniable. I'd like to thank the many honest & ethical hosts and registrars who have disconnected/suspended these fraudsters within an hour of receiving an abuse report, (several in c. 20 minutes). However, the zombie botnet controlling nameservers seem to be occasionally hosted by Colocation/VPS service providers who do not respond to criminal fraud abuse reports. The honest & ethical SPs will respond with an immediate, (preferably not 24 hours or 48 hours & certainly not never...), disconnection on receipt of a criminal abuse report, having considered the evidence, but more and more frequently service providers stall or simply ignore abuse reports. This latter minority of uncaring & unethical hosts and registrars are aiding and abetting criminal fraud and the victims suffer because of it.

Blocking The spam

I have had quite a few queries about how to block the criminal's spam in Outlook Express. Fortunately they are easily detected using the OE 'Mail Rules' (Tools - Message Rules - Mail).

Rules based on the From, To etc addresses will never work as the header data is all forged. The message body remains constant, however & that can be used to detect them.

Use the rule "Where the message body contains specific words" and use "Walker and Sons Inc" as the search item then choose 'delete' (or whatever action you prefer) as the action then that will definitely detect every single one of these spams.

If you find this site helpful then please feel free to link to it on your website by inserting the following HTML code, (opens site in new window):
<a href="http://www.bobbear.co.uk" target="_blank">Money Laundering Fraud Websites</a>

Fraud Blog Initial entry 14th. September 2008

***Latest News*** 15th. September 2008
New fraud domains reported by site contact - all registered with GX Networks Ltd t/a 123-Reg.co.uk/Webfusion

walkes.org.uk
walkes.me.uk
walkes.co.uk
waalker.org.uk
waalker.me.uk
waalker.co.uk

No response has been received from GX Networks Ltd t/a 123-Reg.co.uk/Webfusion to yesterday's abuse report for the original six domains and the domains are still active. The abuse ticket has been marked "SPAM Delete" and somehow I don't think that refers to the domains... No response received from abuse reports to botnet hosts. This criminal is unfortunately experienced in picking hosts and registrars that will willingly aid and abet his criminal activity.

***Latest News*** 16th. September 2008
No response received from GX Networks Ltd t/a 123-Reg.co.uk/Webfusion, but surprisingly, most of the criminal's domains have been suspended, just two of them remain, waalker.me.uk and waalker.co.uk and of those two, waalker.me.uk has a DNS setup error, so only the one active domain is known for the criminal, waalker.co.uk. If you know of any more, please notify me.
Later: The last two domains waalker.me.uk and waalker.co.uk appear to have been suspended by 123-reg.co.uk/Webfusion.
Later: Three more domains belonging to this criminal spotted, all registered with GX Networks Ltd t/a 123-Reg.co.uk/Webfusion
- wallker.org.uk, wallker.me.uk, wallker.co.uk and hosted on the ns1.worldinschool.com [89.46.37.173] hosted zombie botnet.
Please notify me of any active websites/domains.

***Latest News*** 17th. September 2008
New domains notified by site contact - salker.org.uk, salker.me.uk, salker.co.uk all hosted on the above PFA-BOSTAN-TUDOR-TEODOR (Jump.ro) hosted zombie botnet. No response from 123-reg.co.uk/Webfusion to my reports yesterday regarding domains wallker.org.uk, wallker.me.uk and wallker.co.uk. Sadly, it appears that my optimism regarding their having come over from the dark side may have been misplaced. I hope not.

***Latest News*** 18th. September 2008
Information from site contacts: The nameserver domain tvnetsite.com has been suspended by Spiritdomains and the criminal has now slotted in one of his pre-registered domains transmo.net, (previously used for the Sunreef Yachts fraud), and has six new domains on a botnet controlled by ns1.transmo.net: walkeer.org.uk, walkeer.me.uk, walkeer.co.uk, walsoon.org.uk, walsoon.me.uk, walsoon.co.uk

Zombie Botnet DNS Data (Valid for domains walkeer.org.uk, walkeer.me.uk, walkeer.co.uk, walsoon.org.uk, walsoon.me.uk, walsoon.co.uk)

Looking up at the 2 walkeer.org.uk. parent servers:

Zombie Botnet Nameserver	Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.transmo.net [89.46.37.173]	203.243.220.175 211.243.151.251 212.80.46.208 222.144.77.171 222.147.163.42 69.141.7.178 87.69.111.179
ns2.transmo.net [98.61.81.52]	Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.transmo.net hosted by PFA-BOSTAN-TUDOR-TEODOR (Jump.ro) on IP 89.46.37.173 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
Unfortunately the suspension of the initial 12 domains by GX Networks Ltd t/a 123-Reg.co.uk/Webfusion seems to have been a one-off event, perhaps an unauthorised action by an honest, decent and ethical employee. Subsequent reports have not only been ignored but summarily deleted from their ticketing system.

***Latest News*** 19th. September 2008
Both of the criminal's botnet nameserver domains transmo.net and worldinschool.com have been suspended by Network Solutions LLC - thank goodness for an ethical registrar. No doubt there will be two more along shortly. Watch this space... Please notify me of any active websites/domains.

***Latest News*** 20th. September 2008
The criminal is back using an old Sunreef Yachts nameserver domain, bmnpro.com with new domains wallkker.org.uk, wallkker.me.uk, wallkker.co.uk, all registered with GX Networks Ltd t/a 123-Reg.co.uk/Webfusion and hosted on the PFA-BOSTAN-TUDOR-TEODOR (Jump.ro) zombie botnet as per usual.

Zombie Botnet DNS Data (Valid for domains wallkers.org.uk, wallkers.me.uk, wallkers.co.uk, wolkers.org.uk, wolkers.me.uk, wolkers.co.uk)

Looking up at the 2 wallkers.org.uk. parent servers:

Zombie Botnet Nameserver	Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.bmnpro.com [89.46.37.173]	125.0.176.53 68.158.7.53 68.84.55.231 75.51.102.190 76.211.27.124 92.47.138.92 99.227.84.87
ns2.bmnpro.com [78.81.52.10]	Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.bmnpro.com hosted by PFA-BOSTAN-TUDOR-TEODOR (Jump.ro) on IP 89.46.37.173 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

Later: Further domains discovered: walkker.org.uk, walkker.me.uk, walkker.co.uk.

Zombie Botnet DNS Data (Valid for domains)

Looking up at the 2 walkker.org.uk. parent servers:

Zombie Botnet Nameserver	Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.globalthetrabel.com [69.162.118.75]	142.177.230.236 210.113.245.217 220.104.40.251 82.137.40.111 82.31.198.142 84.20.231.134 87.69.111.179
ns2.globalthetrabel.com [21.40.45.217]	Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.globalthetrabel.com hosted by Limestone Networks, Inc. on IP 69.162.118.75 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). The domain walkker.me.uk is currently on Yahoo nameservers, but they are refusing connections to it ATM.

***Latest News*** 21st. September 2008
New domains reported by site contact: wallkerr.org.uk, wallkerr.me.uk, wallkerr.co.uk, wakson.org.uk, wakson.me.uk, wakson.co.uk hosted on the two botnets as listed in above DNS data and in the current domain tables.
Later: The criminals hosting on 69.162.118.75 has been ceased and he is now up on 209.188.85.232

Zombie Botnet DNS Data (Valid for domains )

Looking up at the 2 walkker.org.uk. parent servers:

Zombie Botnet Nameserver	Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.globalthetrabel.com [209.188.85.232]	210.205.208.199 58.91.28.37 84.236.116.10 85.186.178.162 85.250.77.88 86.126.206.36 87.69.111.179
ns2.globalthetrabel.com [21.40.45.217]	Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.globalthetrabel.com hosted by Cogswell Enterprises Inc. (Wiredtree)/ReadyWire on IP 209.188.85.232 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). The domain walkker.me.uk is currently on Yahoo nameservers, but they are refusing connections to it ATM.

***Latest News*** 22nd. September 2008
The Registrar GX Networks Ltd t/a 123-Reg.co.uk/Webfusion appears to have suspended the domains wakson.org.uk, wakson.me.uk, wakson.co.uk, wallkerr.org.uk, wallkerr.me.uk and wallkerr.co.uk but not the domains walkker.org.uk, walkker.me.uk, walkker.co.uk, wallkker.org.uk, wallkker.me.uk and wallkker.co.uk for some reason. As they never report back, it's difficult to know why....
Update (22-Sep-2008) - 123-reg.co.uk, (Webfusion) have suspended all of the remaining active domains and responded back. Hopefully this is a good sign that the registrar is willing to take prompt action against their criminal clients which is in the interest of everyone vulnerable to these criminals and suffering their spam. Thanks are due, especially to SV of their abuse team for kindly replying.

Later: Domains wallkers.org.uk, wallkers.me.uk, wallkers.co.uk discovered, all hosted on the PFA-BOSTAN-TUDOR-TEODOR (Jump.ro) hosted zombie botnet. Please notify me of any active website domains.

***Latest News*** 23rd. September 2008
New domains notified by site contacts: wolkers.org.uk, wolkers.me.uk, wolkers.co.uk, allkers.org.uk, allkers.me.uk, allkers.co.uk
The first three are hosted on the PFA-BOSTAN-TUDOR-TEODOR (Jump.ro) hosted zombie botnet, the rest on a new one on IP address 69.162.127.229.

Zombie Botnet DNS Data (Valid for domains wallkers.org.uk, wallkers.me.uk, wolkers.org.uk, wolkers.me.uk, wolkers.co.uk)

Looking up at the 2 wolkers.org.uk. parent servers:

Zombie Botnet Nameserver	Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.bmnpro.com [89.46.37.173]	121.175.13.103 121.187.135.95 220.145.37.67 220.88.91.61 79.117.193.104 93.1.15.7 99.227.84.87
ns2.bmnpro.com [78.81.52.10]	Timeout - Fake nameserver, (never resolves).

Zombie Botnet DNS Data (Valid for domain was-inc.org, walern.org.uk, walern.me.uk, walern.co.uk)

Looking up at the 2 walkerandsons.org. parent servers:

Zombie Botnet Nameserver	Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.globalthetrabel.com [69.162.127.229]	125.0.175.30 221.246.89.194 58.1.193.103 68.84.55.231 71.63.42.159 76.211.20.149 83.86.240.100
ns2.globalthetrabel.com [21.40.45.217]	Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.globalthetrabel.com hosted by Limestone Networks, Inc. on IP 69.162.127.229 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
Later: GX Networks Ltd t/a 123-Reg.co.uk/Webfusion have suspended the latest nine domains very promptly indeed. Please notify me of any active domains for this criminal.
Later: Three further domains reported by a site contact: waleron.org.uk, waleron.me.uk and waleron.co.uk all hosted on the above Limestone Networks, Inc. zombie botnet.

***Latest News*** 24th. September 2008
It looks like the DNS now loops back to the root servers on the ns1.globalthetrabel.com controlled botnet and so the criminals domains waleron.org.uk, waleron.me.uk and waleron.co.uk are not currently resolving. Please notify me of any active domains for this criminal.
Later: New domain notified by site contact: walkerandsons.org, Registered with Internet Invest, Ltd. dba Imena.ua - 23-Sep-2008 and hosted on the above Limestone Networks, Inc. botnet.
Later: New domain notified by site contact: walker-and-sons.org, Registered with Internet Invest, Ltd. dba Imena.ua - 23-Sep-2008 and hosted on a new botnet hosted by the unresponsive host PFA-BOSTAN-TUDOR-TEODOR (Jump.ro):

Zombie Botnet DNS Data (Valid for domain was-inc.info)

Looking up at the 2 walker-and-sons.org. parent servers:

Zombie Botnet Nameserver	Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.mltime.net [89.46.37.173]	201.214.129.239 68.84.55.231 76.211.20.149 77.81.181.84 80.98.223.214 89.18.17.133 90.39.115.133
ns2.mltime.net [88.71.35.107]	Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.mltime.net hosted by PFA-BOSTAN-TUDOR-TEODOR (Jump.ro) on IP 89.46.37.173 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** 25th. September 2008
New domains reported by site contacts:
was-inc.info - PublicDomainRegistry.com - ns1.mltime.net [89.46.37.173]
was-inc.org - IARegistry/Spiritdomains - ns1.globalthetrabel.com [69.162.127.229]
walker-and-sons.com - INTERNET INVEST, LTD. DBA IMENA.UA - ns1.mltime.net [89.46.37.173]
walker-and-sons.net - INTERNET INVEST, LTD. DBA IMENA.UA - ns1.mltime.net [89.46.37.173]
wandsinc.com - INTERNET INVEST, LTD. DBA IMENA.UA - ns1.globalthetrabel.com [69.162.127.229]
wandsinc.net - INTERNET INVEST, LTD. DBA IMENA.UA - ns1.landvich.com [207.10.233.219]
wandsinc.org - INTERNET INVEST, LTD. DBA IMENA.UA - - ns1.mltime.net [89.46.37.173]

The criminal also has a new botnet for wandsinc.net:

Zombie Botnet DNS Data (Valid for domain w-and-s.org, w-and-s.net, w-and-s.com)

Looking up at the 2 w-and-s.org. parent servers:

Zombie Botnet Nameserver	Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.landvich.com [207.10.233.219]	69.243.52.253 69.42.17.90 71.234.23.110 71.239.31.56 74.137.18.17 82.47.181.250 89.45.15.6
ns2.landvich.com [41.214.213.151]	Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.landvich.com hosted by PaeTec Communications, Inc./SAID INC on IP 207.10.233.219 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
Later: The domains walkerandsons.org and walker-and-sons.org have been suspended by Imena.ua
Later: Network Solutions have suspended the nameserver domain mltime.net. Imena.ua have suspended the domains walkerandsons.org, walker-and-sons.com, walker-and-sons.net, walker-and-sons.org, wandsinc.com, wandsinc.net and wandsinc.org

***Latest News*** 26th. September 2008
New domains notified by site contact:
w-and-s.org
w-and-s.net
w-and-s.com

All registered with Imena.ua (25th. Sept) and all hosted on the above botnet.

***Latest News*** 28th. September 2008
New domains notified by site contact:
walern.org.uk
walern.me.uk
walern.co.uk
All registered with GX Networks Ltd t/a 123-Reg.co.uk/Webfusion, (21-Sep-2008) and all hosted on the Limestone Networks, Inc. zombie botnet.

***Latest News*** 29th. September 2008
Response from Imena.ua - domains w-and-s.org, w-and-s.net, w-and-s.com suspended. In contrast, no response from GX Networks Ltd t/a 123-Reg.co.uk/Webfusion and domains walern.org.uk, walern.me.uk, walern.co.uk are all still active.
Later: It would appear that GX Networks Ltd t/a 123-Reg.co.uk/Webfusion are once again aiding and abetting these fraudsters by marking tickets as 'Solved' but not disabling the domains.
New domain notified by site contact - walker-and-sons.net.kg registered with domain.kg - at the moment it is parked.

***Latest News*** 30th. September 2008
Info. & new domains notified by site contact: walker-and-sons.com.kg, walker-and-sons.org.kg. Both of those domains along with walker-and-sons.net.kg are parked due to the nameserver domain landvich.com having been parked by Register.com.
All three of the GX Networks Ltd t/a 123-Reg.co.uk/Webfusion domains walern.org.uk, walern.me.uk, walern.co.uk are all still active despite being reported & acknowledged on the 28th.
Later: The criminal's nameserver ns1.globalthetrabel.com [69.162.127.229] has been shut down by Limestone Networks and has now been moved by the crooks to the IP 64.86.28.14 (Teleglobe/Velcom)
Later: GX Networks Ltd t/a 123-Reg.co.uk/Webfusion have now suspended the domains walern.org.uk, walern.me.uk, walern.co.uk

Zombie Botnet DNS Data (Valid for domain was-inc.org, walker-and-sons.net.kg, walker-and-sons.org.kg)

Looking up at the 2 was-inc.org. parent servers:

Zombie Botnet Nameserver	Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.globalthetrabel.com [64.86.28.14]	121.148.54.74 121.175.13.103 24.129.78.160 60.41.180.198 64.231.60.76 65.91.73.62 89.45.15.6
ns2.globalthetrabel.com [21.40.45.217]	Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.globalthetrabel.com hosted by Teleglobe Inc./Velcom on IP 64.86.28.14 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** 1st. October 2008
News from site contacts - the .kg domains (walker-and-sons.com.kg, walker-and-sons.net.kg and walker-and-sons.org.kg) that were parked due to the nameserver domain landvich.com having been parked by Register.com are now hosted on a new botnet and being used in spams, walker-and-sons.net.kg, walker-and-sons.org.kg on the above Teleglobe Inc./Velcom botnet and walker-and-sons.com.kg on the following 'new' botnet:

Zombie Botnet DNS Data (Valid for domain walker-and-sons.com.kg, w-inc.eu)

Looking up at the 2 walker-and-sons.com.kg/w-inc.eu. parent servers:

Zombie Botnet Nameserver	Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.minicroun.com [207.10.233.219]	121.175.13.103 125.177.132.141 125.177.201.102 203.243.220.175 220.105.163.193 89.137.210.212 91.90.229.209
ns2.minicroun.com [17.135.21.35]	Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.minicroun.com hosted by PaeTec Communications, Inc./SAID INC on IP 207.10.233.219 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** 2nd. October 2008
New domain reported by site contact: w-inc.eu, registered with GX Networks Ltd t/a 123-Reg.co.uk/Webfusion and hosted on the PaeTec Communications, Inc./SAID INC zombie botnet.

***Latest News*** 3rd. October 2008
New domain reported by site contact - was-inc.eu, registered with GX Networks Ltd t/a 123-Reg.co.uk/Webfusion. The previously reported domain of w-inc.eu is still active although the abuse ticket has been marked 'solved', so it looks as though GX Networks Ltd t/a 123-Reg.co.uk/Webfusion are still up to their old tricks.

The criminal has lost his PaeTec Communications, Inc./SAID INC hosting for his zombie botnet and has two new networks as follows:

Zombie Botnet DNS Data (Valid for domains walker-and-sons.com.kg, w-inc.eu, was-inc.eu, wandsinc.eu)

Looking up at the 2 was-inc.eu. parent servers:

Zombie Botnet Nameserver	Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.minicroun.com [69.162.118.75]	61.252.186.218 69.248.107.241 71.203.121.243 75.95.87.65 76.127.216.196 79.114.197.211 91.90.229.209
ns2.minicroun.com [17.135.21.35]	Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.minicroun.com hosted by Limestone Networks, Inc./norted.com on IP 69.162.118.75 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

Zombie Botnet DNS Data (Valid for domains was-inc.org, walker-and-sons.net.kg, walker-and-sons.org.kg)

Looking up at the 2 was-inc.org. parent servers:

Zombie Botnet Nameserver	Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.globalthetrabel.com [204.14.193.174]	61.252.186.218 69.248.107.241 71.203.121.243 75.95.87.65 76.127.216.196 79.114.197.211 91.90.229.209
ns2.globalthetrabel.com [21.40.45.217]	Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.globalthetrabel.com hosted by SYSTEMS SOLUTIONS INC/boxVPS LLC on IP 204.14.193.174 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
Later: New domain notified by site contact - wandsinc.eu registered with GX Networks Ltd t/a 123-Reg.co.uk/Webfusion and hosted on the Limestone Networks, Inc./norted.com zombie botnet.
Later: The above SYSTEMS SOLUTIONS INC/boxVPS LLC botnet has been disconnected and the criminal has moved his botnet to a new IP: 206.212.240.202

Zombie Botnet DNS Data (Valid for domains was-inc.org, walker-and-sons.net.kg, walker-and-sons.org.kg)

Looking up at the 2 was-inc.org. parent servers:

Zombie Botnet Nameserver	Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.globalthetrabel.com [206.212.240.202]	12.219.79.101 69.248.107.241 71.203.121.243 71.239.31.56 74.137.18.17 76.19.165.163 88.165.246.17
ns2.globalthetrabel.com [21.40.45.217]	Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.globalthetrabel.com hosted by Colostore.com on IP 206.212.240.202 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News***4th. October 2008
The Limestone Networks guys have disconnected the criminal's botnet on 69.162.118.75 and the crook's Colostore.com botnet on 204.14.193.174 also seems to be down this morning.
Later: The criminals have moved their ns1.globalthetrabel.com controlled botnet from Colostore.com to the Layered Technologies, Inc. IP address 72.232.5.220:

Zombie Botnet DNS Data (Valid for domains was-inc.org, walker-and-sons.net.kg, walker-and-sons.org.kg)

Looking up at the 2 walker-and-sons.net.kg parent servers:

Zombie Botnet Nameserver	Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.globalthetrabel.com [72.232.5.220]	211.243.151.251 24.176.141.236 61.252.186.218 74.137.18.17 74.160.228.87 88.165.246.17 210.106.46.107
ns2.globalthetrabel.com [21.40.45.217]	Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.globalthetrabel.com hosted by Layered Technologies, Inc. on IP 72.232.5.220 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
Later: Layeredtech appear to have disconnected the above ns1.globalthetrabel.com controlled botnet

***Latest News***6th. October 2008
The criminal has not reinstated either of his two botnets illustrated above, but he has new domains and a new botnet, (information from site contact):
New Domains:

waalker.eu
wallker.eu
walkeer.eu
walkker.eu

All registered on October the 1st. with GX Networks Ltd t/a 123-Reg.co.uk/Webfusion as a reseller of TUCOWS and hosted on the following botnet:

New Botnet(s):

Zombie Botnet DNS Data (Valid for domains waalker.eu, wallker.eu, walkeer.eu, walkker.eu)

Looking up at the 2 waalker.eu. parent servers:

Zombie Botnet Nameserver	Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.paradiserouse.com [216.245.209.246]	24.176.141.236 24.19.132.45 68.158.40.204 74.133.11.111 74.137.18.17 76.30.187.121 99.137.86.223
ns2.paradiserouse.com [55.115.79.23]	Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.paradiserouse.com hosted by Limestone Networks, Inc. on IP 216.245.209.246 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
Later: GX Networks Ltd t/a 123-Reg.co.uk/Webfusion have suspended the domains waalker.eu, wallker.eu, walkeer.eu, walkker.eu. Please let me know of any resolving URLs/domains.
Later: Information from site contacts - new domains waksson.eu and waklson.eu hosted on the following botnet:

Zombie Botnet DNS Data (Valid for domains wallson.eu)

Looking up at the 2 wallson.eu. parent servers:

Zombie Botnet Nameserver	Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.netvorkdiscover.com [69.162.109.68]	125.175.142.145 69.14.43.54 81.95.181.153 85.178.248.175 88.178.89.6 89.137.210.212 89.39.205.96
ns2.netvorkdiscover.com [65.135.99.23]	Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.netvorkdiscover.com hosted by Limestone Networks, Inc. on IP 69.162.109.68 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News***7th. October 2008
GX Networks Ltd t/a 123-Reg.co.uk/Webfusion have suspended the domains waksson.eu, waklson.eu. Until the TTL times out, they may still resolve due to cached DNS data as the Limestone Networks hosting of the criminal owned botnet controller/nameserver ns1.netvorkdiscover.com appears to be still intact on IP 69.162.109.68 as is their hosting of the criminal's botnet controller/nameserver ns1.paradiserouse.com on IP address 216.245.209.246.

***Latest News*** 8th. October 2008
New domain notified by site contact - wallson.eu registered with GX Networks Ltd t/a 123-Reg.co.uk/Webfusion and hosted on the above ns1.netvorkdiscover.com [69.162.109.68] controlled Limestone Networks hosted zombie botnet.
Later: The Limestone Networks guys have shut down the above botnet and the crooks have moved it to the Hostnoc/Burst/net IP 66.197.241.15:

Zombie Botnet DNS Data (Valid for domains wallson.eu)

Looking up at the 2 wallson.eu. parent servers:

Zombie Botnet Nameserver	Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.netvorkdiscover.com [66.197.241.15]	69.14.43.54 76.30.187.121 81.64.100.86 88.178.89.6 89.39.205.96 89.137.210.212 91.66.22.238
ns2.netvorkdiscover.com [65.135.99.23]	Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.netvorkdiscover.com hosted by Hostnoc/Burst.net on IP 66.197.241.15 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
Later: GX Networks Ltd t/a 123-Reg.co.uk/Webfusion have suspended the domain wallson.eu

***Latest News*** 9th. October 2008
New domains reported by site contacts - looks like the criminals are spreading the joy about a bit, oh, and a new botnet. First the domains:

wallson.tk - Registered with dot.tk
waalke.eu - suspended
wallson.ph - Registered with Domains.ph

Then the new botnet host of the two above domains:

Zombie Botnet DNS Data (Valid for domain wallson.tk)

Looking up at the 2 wallson.tk parent servers:

Zombie Botnet Nameserver	Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.americanstool.com [69.162.108.85]	211.224.159.254 219.114.246.167 76.127.216.196 85.186.178.162 88.178.89.6 99.139.252.252 125.177.201.102
ns2.americanstool.com [45.125.59.23]	Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.americanstool.com hosted by Limestone Networks, Inc. on IP 69.162.108.85 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
Later: Domains.ph have suspended & parked the criminal's fraud domain wallson.ph. No response received from dot.tk re: wallson.tk. Limestone Networks appear to have disconnected ns1.americanstool.com [69.162.108.85]. Please notify me of any active domains for this criminal.

***Latest News*** 10th. October 2008
The Limestone Networks guys have shut down the criminals botnet once again and he is now up on a new host for his nameserver/botnet controller on the DARREN SLADE IP RANGE 2(UKServers.com) IP address 77.74.197.50:

Zombie Botnet DNS Data (Valid for domain wallson.tk)

Looking up at the 2 wallson.tk parent servers:

Zombie Botnet Nameserver	Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.americanstool.com [77.74.197.50]	222.158.172.133 71.239.31.56 72.253.196.243 76.19.165.101 77.81.147.22 91.66.22.238 99.139.252.252
ns2.americanstool.com [45.125.59.23]	Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.americanstool.com hosted by DARREN SLADE IP RANGE 2(UKServers.com) on IP 77.74.197.50 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
Please notify me of any active domains for this criminal.

***Latest News*** 11th. October 2008
UKServers have disabled the above botnet hosting. Please notify me of any active domains for this criminal
Later: The crooks are back up on a new botnet with Limestone Networks (69.162.117.87) once again:

Zombie Botnet DNS Data (Valid for domain wallson.tk, walkons.tk, wallker.tk, waalker.tk, walers.tk)

Looking up at the 2 wallson.tk parent servers:

Zombie Botnet Nameserver	Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.americanstool.com [69.162.117.87]	125.0.176.237 60.44.253.235 65.34.190.106 69.14.43.54 76.127.216.196 98.227.153.122 99.254.25.39
ns2.americanstool.com [45.125.59.23]	Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.americanstool.com hosted by Limestone Networks, Inc. on IP 69.162.117.87 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
Later: New domains reported by site contacts - walkons.tk, wallker.tk, waalker.tk all hosted on the aboveLimestone Networks hosted zombie botnet.

***Latest News*** 13th. October 2008
New domain notified by site contact - walers.tk hosted on the above Limestone Networks, Inc. hosted zombie botnet.

***Latest News*** 14th. October 2008
The Limestone Networks guys have disconnected the above crooks botnet once again.
Later: The crooks have moved their botnet to an FDC Servers IP: 66.90.65.4

Zombie Botnet DNS Data (Valid for domain wallson.tk, walkons.tk, wallker.tk, waalker.tk, walers.tk)

Looking up at the 2 wallson.tk. parent servers:

Zombie Botnet Nameserver	Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.americanstool.com [66.90.65.4]	114.145.142.92 24.193.179.238 70.51.44.148 78.84.11.145 85.178.207.156 89.18.17.133 89.41.45.39
ns2.americanstool.com [45.125.59.23]	Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.americanstool.com hosted by FDC Servers, Inc. on IP 66.90.65.4 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** 16th. October 2008
No change to the above situation - the registrar dot.tk does not respond to abuse reports, and information received, along with their website documentation, indicates that this registrar does not take action against its criminal clients. Unfortunately, the host of this criminal's zombie botnet, FDC Servers of Chicago has also not responded to abuse reports first sent 14-Oct-2008, so the criminals appear to have found a couple of 'criminal friendly' suppliers of services.

***Latest News*** 17th. October 2008
The registrar dot.tk has finally responded and taken action against the above five Walker & Sons criminal fraud domains.
Please let me know of any active website links for this criminal. No response received from FDC Servers of Chicago.

Latest News 22nd. October 2008

A new Walkers domain has been reported by a site contact, wallkers.tk, hosted on the following zombie botnet:

Zombie Botnet DNS Data (Valid for domain wallkers.tk)

Looking up at the 2 wallkers.tk. parent servers:

Zombie Botnet Nameserver	Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.paradiserouse.com [24.213.90.172]	75.23.121.239 78.84.175.11 79.117.194.187 83.103.179.112 89.137.210.212 89.34.210.201 92.237.57.30
ns2.paradiserouse.com [55.115.79.23]	Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.paradiserouse.com hosted by Mountain Cablevision LTD./Clearance Rack Inc on IP 24.213.90.172 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
Later: New domain reported by site contact - walerson.tk

Zombie Botnet DNS Data (Valid for domain walerson.tk)

Looking up at the 2 walerson.tk. parent servers:

Zombie Botnet Nameserver	Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.americanstool.com [69.162.111.227]	77.126.38.28 79.112.195.119 79.177.165.28 83.20.86.59 83.54.192.180 88.240.42.17 89.168.237.113
ns2.americanstool.com [45.125.59.23]	Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.americanstool.com hosted by Limestone Networks, Inc. on IP 69.162.111.227 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** 23nd. October 2008
Dot.tk have parked the two domains wallkers.tk and walerson.tk. The criminal's nameserver ns1.americanstool.com appears to have been moved to IP address 208.110.88.88 (WholeSale Internet, Inc./Webhostone) and the crooks botnet nameserver ns1.paradiserouse.com is still active on IP address 24.213.90.172 (Mountain Cablevision LTD./Clearance Rack Inc), but no active domains are presently known for the crooks - please notify me if you know of any.

***Latest News*** 27th. October 2008
It appears that the criminals have now moved on from this fraud - their new identical replacement scam is Bullet Motorsports Speedlab (BMS)
If you know of any active Walker & Sons domains, please let me know. In the meantime I will move this to the archive.

Walker and Sons Inc Fraud

Walker & Sons Inc (Walker&Sons) : Evidence of Site Theft and Criminal Fraud

Walker & Sons Inc Fraudsters - current hosting details.

The Zombie Botnet

The Zombie Botnet DNS Data (Valid for domains wallker.org.uk, wallker.me.uk, wallker.co.uk)

The Zombie Botnet DNS Data (Valid for domain wolkeson.org.uk, wolkeson.me.uk, wolkeson.co.uk, waalker.org.uk, waalker.me.uk, waalker.co.uk)

Zombie Botnet DNS Data (Valid for domains walkeer.org.uk, walkeer.me.uk, walkeer.co.uk, walsoon.org.uk, walsoon.me.uk, walsoon.co.uk)

Zombie Botnet DNS Data (Valid for domains wallkers.org.uk, wallkers.me.uk, wallkers.co.uk, wolkers.org.uk, wolkers.me.uk, wolkers.co.uk)

Zombie Botnet DNS Data (Valid for domains)

Zombie Botnet DNS Data (Valid for domains )

Zombie Botnet DNS Data (Valid for domains wallkers.org.uk, wallkers.me.uk, wolkers.org.uk, wolkers.me.uk, wolkers.co.uk)

Zombie Botnet DNS Data (Valid for domain was-inc.org, walern.org.uk, walern.me.uk, walern.co.uk)

Zombie Botnet DNS Data (Valid for domain was-inc.info)

Zombie Botnet DNS Data (Valid for domain w-and-s.org, w-and-s.net, w-and-s.com)

Zombie Botnet DNS Data (Valid for domain was-inc.org, walker-and-sons.net.kg, walker-and-sons.org.kg)

Zombie Botnet DNS Data (Valid for domain walker-and-sons.com.kg, w-inc.eu)

Zombie Botnet DNS Data (Valid for domains walker-and-sons.com.kg, w-inc.eu, was-inc.eu, wandsinc.eu)

Zombie Botnet DNS Data (Valid for domains was-inc.org, walker-and-sons.net.kg, walker-and-sons.org.kg)

Zombie Botnet DNS Data (Valid for domains was-inc.org, walker-and-sons.net.kg, walker-and-sons.org.kg)

Zombie Botnet DNS Data (Valid for domains was-inc.org, walker-and-sons.net.kg, walker-and-sons.org.kg)

Zombie Botnet DNS Data (Valid for domains waalker.eu, wallker.eu, walkeer.eu, walkker.eu)

Zombie Botnet DNS Data (Valid for domains wallson.eu)

Zombie Botnet DNS Data (Valid for domains wallson.eu)

Zombie Botnet DNS Data (Valid for domain wallson.tk)

Zombie Botnet DNS Data (Valid for domain wallson.tk)

Zombie Botnet DNS Data (Valid for domain wallson.tk, walkons.tk, wallker.tk, waalker.tk, walers.tk)

Zombie Botnet DNS Data (Valid for domain wallson.tk, walkons.tk, wallker.tk, waalker.tk, walers.tk)

***Latest News*** 22nd. October 2008

Zombie Botnet DNS Data (Valid for domain wallkers.tk)

Zombie Botnet DNS Data (Valid for domain walerson.tk)

Latest News 22nd. October 2008