A stolen identity from the real Waller Truck Co is just the latest in a long line of criminal fraud aliases from the same money laundering mule/phishing criminals, who are also using a website stolen from the genuine American Waller Truck Company. Basically all the criminal has done is take the stolen Waller Truck Company site, alter some text (e.g. the location) and insert a money mule fraud job. The genuine Waller Truck Company have nothing whatsoever to do with this fraud. Their genuine website is here and the criminal's bogus website is currently here. The genuine Waller Truck Company have posted a warning of this criminal's activities on their contact details page.

The bogus Waller Truck Co. website is generally zombie botnet hosted and the spam is zombie botnet distributed. Some of the criminal's current domain registrations are provided by the internet domain registrar Nic.ac of Christchurch, Dorset, UK, who has failed to respond to a single abuse report concerning these criminals even though their activities are clearly precluded in the Nic.ac 'Domain Rules'. This registrar also registered fraud domains for the Cronos Investment fraudster and the Draper Investment fraudster before them and also ignored abuse reports relating to those criminals. They are fully aware of this criminality but, as they put it, "do not get involved".
Current Zombie Botnet Host(s)

The ethical majority of service providers (all credit to them) act within 1-24 hours of being informed of the criminal abuse of their system (the best in less than 1 hour), but there are unfortunately a few that do not, for one reason or another.
Waller Truck Co : Evidence of Criminal Fraud

i) The Waller Truck Co. criminal fraudsters have stolen the website of the genuine Waller Truck Company as detailed above. This fraud is exactly the same as his original Harvey Investment, Draper Investment, Cronos Investment frauds etc., with a new company as the victim.

ii) The genuine Waller Truck Company have posted a warning of this criminal's activities on their contact details page.

iii) The bogus Waller Truck Co. website is zombie botnet hosted, as demonstrated by the DNS data below.

iv) The genuine Waller Truck Co. location is in Excelsior Springs, MO, USA. The criminals have a bogus address in Canberra, Australia on their stolen website. This address does not appear in a Google search.

v) The criminal's site is spamvertising the following 'Regional Sales Manager' money mule job under the Company - Job Opportunities menu tab, which does not appear on the genuine site:

1. Regional Sales Manager
Status: Part-time
Job description:
- Work as a member of a group, helping to enlarge a base of customers in countries all over the world and liaise with head office on a daily basis;
- Deliver high standards of customer service ensuring high delivery speed and quality of orders;
- Manage a part of a sales cycle – ensure fast remittance of payments through your bank account and then - through world wide Western Union system and calculate fees at each step;
- Create and maintain positive relationships with existing clients that result in new customers, lead to and maximise opportunities for expansions and renewals to enhance revenue stream.
Employees should be able to perform:
- Excellent spoken English & communication skills (oral and written).
- Professional approach on the phone conversations
- PC literate: Microsoft Outlook and Word as a minimum
- Proven ability to communicate effectively at all levels in a relaxed confident manner.
- Extroverted and outgoing, with a positive outlook.
- Significant attention to detail.
- Excellent organisational skills.
- Customer focused.
- Focused on own personal goals, integrating the achievement of company objectives.
- Ability to work unsupervised
No previous sale or accounting experience is necessary, though it will be valued. Your Personal situation must allow you to travel around your place 1-2 hours a day on company assignments (that would be particularly trips to the bank and Western Union branches)

vi) If you click on "Apply for this position" on the above page you eventually get to an application form page which has a fake .gif Verisign certificate ('Verify' doesn't work - it just takes you to the Verisign non-SSL info. page). The application form requests all your bank details.

vii) The Waller Truck Co. criminal uses lots of recently registered domains, with newly registered ones appearing all the time as the spamvertized ones are suspended by responsible registrars.

viii) All domains have totally different bogus whois data although they are used for the same fraud website.

ix) The Waller Truck Co. spam contains forged header information and the usual Bayesian filter avoidance code that irrefutably link it to the Cronos Investment, Draper Investment, Harvey Investment, Adamant Global, Sydney Car Centre and all this criminal's many other aliases along with the 'rockphish' phishing criminals.

x) The criminal's prolific spam is zombie botnet distributed, as is easily demonstrated by the source IPs.

xi) The criminal's spams are all signed by different random names - they appear to have an infinite number of fake 'employees'.
The above evidence clearly demonstrates beyond any doubt that this stolen Waller Truck Co. website has been set up by money laundering and phishing criminals purely for the purpose of spamvertising an illegal money laundering 'mule' job, is undoubtedly just a stolen copy of the genuine Waller Truck Co. site and is directly related to Cronos Investment, Draper Investment, Harvey Investment, Adamant Global, Sydney Car Centre and the rest of the money laundering/phishing criminal fraudsters' aliases documented here. If you are an abuse team that has received an abuse report regarding these fraudsters, please consider immediate termination of their services in view of the absolutely undeniable evidence of site theft, copyright offences, criminal money laundering activity and spamming. Please don't delay - these criminals will not respond to any communication from you (all their whois data is false), but will simply take advantage of any attempt at communication as a delaying tactic to allow them time to carry on their criminal activity and prepare their next network.

Do not be misled - these are professional criminals with a long history of fraud as detailed on the General Information page and are the same criminals as the 'rockphish' phishing fraudsters, so if a host or registrar shelters these crooks then they are also sheltering them and aiding and abetting their criminal 'phishing' fraud activities.
Waller Truck Co. Fraudsters - current hosting details.

Current Main Domains, Hosts and Registrars

Domain: watrco.ac
Registrar: Nic.ac
Host IP Network / Botnet Nameserver Host:
Host IP / Botnet Nameserver IP:

See table below for the full list of known active & suspended main domains used by this criminal.

Current Zombie Botnet Nameserver Domains and Registrars

regtoo.com - REGISTER.COM, INC.
iprintworld.com - IA Registry/Spiritdomains
[Table of known active & suspended main domains: the domain column did not survive extraction. Status column values: Parked, Active, Suspended, Unhosted, DNS Error, DNS Looped, Domain Unavailable. Registrar column values: REGISTER.COM, INC.; Nic.ac; Nic.nu; www.la; domains.ph; domain.kg; IA Registry/Spiritdomains; Nic.gs; Nic.tl; COMPUTER SERVICES LANGENBACH GMBH (JOKER.COM); TODAYNIC.COM, INC; Estdomains.]
Please notify me of any errors or domains not listed here.
Notes for Registrars

i) The Waller Truck Co. criminal uses his own nameserver domains to control his zombie botnets or provide his DNS. By definition there can be no legitimate domains using his dedicated botnet nameservers, and his conventional nameserver domains are always very recently registered. This provides an ideal database search option for you to identify and delete all of this criminal's fraud domains without any risk of hurting an innocent domain. Current criminal's botnet nameservers: ns1.regtoo.com and ns1.iprintworld.com

ii) All of the criminal's domains have different false whois registration data.

iii) The criminal will not respond to your challenge but will use the notice to prepare a new network - immediate suspension is preferred, please.

The Spam Headers
Return-Path: <ndvlwgdq@norika-fujiwara.com>
Received: from mwinf3106.me.freeserve.com (mwinf3106.me.freeserve.com)
    by mwinb3406 (SMTP Server) with LMTP;
    Tue, 27 Nov 2007 11:56:35 +0100
X-Sieve: Server Sieve 2.2
Envelope-to: xxxxxxx@xxxxxxxxx
Received: from me-wanadoo.net (localhost [127.0.0.1])
    by mwinf3106.me.freeserve.com (SMTP Server) with ESMTP id xxxxxxxxxxxxx
    for <xxxxxxx@xxxxxxxxx>;
    Tue, 27 Nov 2007 11:56:35 +0100 (CET)
Received: from e181068023.adsl.alicedsl.de (e181068023.adsl.alicedsl.de [85.181.68.23])
    by mwinf3106.me.freeserve.com (SMTP Server) with SMTP id xxxxxxxxxxxxx
    for <xxxxxxx@xxxxxxxxx>; Tue, 27 Nov 2007 11:56:34 +0100 (CET)
X-ME-UUID: xxxxxxxxx@xxxxxxxxxxxxxxx
Received: from buydomains.com (EHLO pimpedhost.com.danga.com [108.45.115.102])
    by logansvideos.com with SMTP id 9OICZN9FWY
    for <xxxxxxx@xxxxxxxxx>; Tue, 27 Nov 2007 02:56:42 -0800
Received: from purinmail.com [12.165.104.127]
    by d21c.com with SMTP id A9W5DELW09
    for <xxxxxxx@xxxxxxxxx>; Tue, 27 Nov 2007 13:47:42 +0300
From: "Waller Truck Co" <ndvlwgdq@norika-fujiwara.com>
To: "Bob" <xxxxxxx@xxxxxxxxx>
X-MSMail-Priority: 3 (Normal)
Subject: vacant position in the waller Truck Co.
User-Agent: MIME-tools 5.503 (Entity 5.501)
X-Mailer: MIME-tools 5.503 (Entity 5.501)
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="--8JDQ.BSQ_AJ8WZ"
Message-Id: <xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Tue, 27 Nov 2007 11:56:34 +0100 (CET)

Recipient & message id munged.
The first thing to notice is the spam source IP. Reading from the bottom upwards (following the routing, as is the norm when parsing headers), the first two of the Received lines (red) can be rejected as unsafe, almost certainly forged. The actual trusted source IP that cannot be forged is the one received by the recipient's email provider (Freeserve), and that is in this line (green):

Received: from e181068023.adsl.alicedsl.de (e181068023.adsl.alicedsl.de [85.181.68.23])

In this Received line the source IP address is 85.181.68.23; the reverse DNS (RDNS) for it correctly indicates e181068023.adsl.alicedsl.de, which confirms that the source address is genuine.

In the above RDNS sender identity note the letters adsl. These stand for Asymmetric Digital Subscriber Line and tell you for sure that the spam has come from an end user's computer on an ADSL network in Germany (from the whois data for the IP address). "Well", you say, "there's your criminal". Unfortunately not - he or she may be guilty of criminal stupidity by not having a firewall or clicking on the latest nude pictures of Britney Spears, but unfortunately probably not criminal fraud - he/she is just one of tens of thousands of 'zombies' - computers that have been infected with a zombie virus or worm. What it does tell you for certain is that the Waller Truck Co. spammer uses a zombie botnet to distribute his spam in exactly the same way as Sydney Car Centre, Harvey Invest, Draper Invest, Cronos Invest, Adamant Global and all the rest of these criminals.
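The bottom-up walk through the Received chain described above, as an added example that is not code from the original page: it runs on the munged headers reproduced on this page, picks out the hop logged by the recipient's provider (the 'freeserve.com' suffix is taken from those headers), and flags a consumer ADSL pool. The reverse-DNS table and the list of dynamic-pool name tokens are constructed assumptions so the check runs offline.

```python
"""Bottom-up walk of a spam message's Received chain.

Hops written by mail servers the sender controls can say anything; the
first hop logged by the recipient's own provider records the connecting
IP and cannot be forged by the sender. This added example (not the page's
own tooling) finds that hop, checks its reverse DNS against the hostname
it claims, and flags consumer/dynamic address pools such as ADSL ranges.
"""
import re

# Constructed input: the page's munged Waller Truck Co. spam headers.
SAMPLE_HEADERS = """\
Return-Path: <ndvlwgdq@norika-fujiwara.com>
Received: from mwinf3106.me.freeserve.com (mwinf3106.me.freeserve.com)
 by mwinb3406 (SMTP Server) with LMTP; Tue, 27 Nov 2007 11:56:35 +0100
Received: from me-wanadoo.net (localhost [127.0.0.1])
 by mwinf3106.me.freeserve.com (SMTP Server) with ESMTP id xxxxxxxxxxxxx
 for <xxxxxxx@xxxxxxxxx>; Tue, 27 Nov 2007 11:56:35 +0100 (CET)
Received: from e181068023.adsl.alicedsl.de (e181068023.adsl.alicedsl.de [85.181.68.23])
 by mwinf3106.me.freeserve.com (SMTP Server) with SMTP id xxxxxxxxxxxxx
 for <xxxxxxx@xxxxxxxxx>; Tue, 27 Nov 2007 11:56:34 +0100 (CET)
Received: from buydomains.com (EHLO pimpedhost.com.danga.com [108.45.115.102])
 by logansvideos.com with SMTP id 9OICZN9FWY
 for <xxxxxxx@xxxxxxxxx>; Tue, 27 Nov 2007 02:56:42 -0800
Received: from purinmail.com [12.165.104.127]
 by d21c.com with SMTP id A9W5DELW09
 for <xxxxxxx@xxxxxxxxx>; Tue, 27 Nov 2007 13:47:42 +0300
From: "Waller Truck Co" <ndvlwgdq@norika-fujiwara.com>
Subject: vacant position in the waller Truck Co.
"""

# Constructed stand-in for a live PTR lookup (assumption: offline table).
RDNS = {"85.181.68.23": "e181068023.adsl.alicedsl.de"}

# DNS labels that usually mark a consumer/dynamic pool (assumed heuristic).
DYNAMIC_HINTS = {"adsl", "dsl", "xdsl", "ppp", "dyn", "pool", "dhcp", "cable"}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOP_RE = re.compile(r"received:\s*from\s+(\S+)\s+(.*?)\s+by\s+(\S+)", re.I)


def unfold(raw):
    """Join folded continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_hops(raw):
    """(claimed_from_host, bracketed_ip_or_None, by_host) per Received line, top-down."""
    hops = []
    for line in unfold(raw):
        m = HOP_RE.match(line)
        if m:
            ip = IP_RE.search(m.group(2))
            hops.append((m.group(1), ip.group(1) if ip else None, m.group(3)))
    return hops


def trusted_source(raw, provider_suffix, rdns=RDNS):
    """Walk the chain bottom-up (the order the mail actually travelled) and stop
    at the lowest hop whose 'by' host belongs to the recipient's provider and
    that carries an external IP. Everything below it is reported as untrusted."""
    rejected = []
    for from_host, ip, by_host in reversed(received_hops(raw)):
        if ip is None or not by_host.lower().endswith(provider_suffix.lower()):
            rejected.append((from_host, ip, by_host))
            continue
        if ip.startswith("127."):
            continue  # provider-internal relay, not the connecting client
        ptr = rdns.get(ip)
        labels = set((ptr or "").lower().split("."))
        return {
            "ip": ip,
            "claimed_host": from_host,
            "rdns": ptr,
            "rdns_matches": ptr is not None and ptr.lower() == from_host.lower(),
            "likely_end_user": bool(labels & DYNAMIC_HINTS),
            "rejected_hops": rejected,
        }
    return None


if __name__ == "__main__":
    result = trusted_source(SAMPLE_HEADERS, "freeserve.com")
    for hop in result["rejected_hops"]:
        print("untrusted (sender-written) hop:", hop)
    print("trusted source:", result["ip"], "rdns:", result["rdns"],
          "end-user pool:", result["likely_end_user"])
```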
Lastly, ndvlwgdq@norika-fujiwara.com is not "Waller Truck Co." & the spam has not come from that address - this is just another forged email address.

Incidentally, never 'bounce' spam back to the 'sender' as it only bounces back to a forged address which, if real, will only belong to an innocent third party who will understandably be a little peeved with you, and if you do it a lot you could get your ISP's SMTP IP range blacklisted and they will be even more upset with you & could justifiably close your account.

The Spam Content
The Waller Truck Co. spam headers contain many different forged/bogus 'From' & 'Return Path' addresses & various forged 'Received' lines. The subject lines vary & all indicate that there is a job opportunity to be had. There is - an illegal job as a money laundering 'mule' or transfer fraud victim, i.e. accepting stolen or counterfeit proceeds into your account and forwarding it on via Western Union or Moneygram for a percentage cut. Needless to say it is these mules that will probably feel the full weight of the law while the remote money launderers are safe. The bogus or stolen funds in the mule's account may well also be recovered, leaving them with large losses.

This is the content of an actual Waller Truck Co. scam spam:
Since its establishment in 1959, Waller Truck Co., Inc. has centered its family-owned trucking business on : QUALITY, FAIRNESS, HONESTY and UNCOMPROMISING CUSTOMER SERVICE.

Waller Truck Co. is the largest provider of outsourced workplaces for individuals all over the world. The company provides more than 100,000 clients with flexible and cost-effective range of goods and services using help of regional associates at prestigious locations in business hubs and capital cities around the globe.

The only way that we can ensure our customers receive the highest standard of quality and service is to hire individuals who share our vision, dedication and entrepreneurial spirit. Due to our rapid expansion, we are seeking Regional Sales Managers in the UK.

If you love hard work but hate routine, if you are adventurous but responsible, if you have great communications skills, are interested in international sales and like a challenge, this job is for you.

Vacancy offered is a part-time or second employment. You'll be supposed to work from home, but at the same time Your Personal situation must allow you to travel around your place 1-2 hours a day on company assignments (that would be particularly trips to the bank and Western Union branches).

While implementing Company's assignments You shall be working as a member of a group, helping to enlarge a base of our customers in countries all over the world and liaise with head office on a daily basis. You'll be responsible for delivering high standards of customer service ensuring high delivery speed and quality of orders. That would particularly be done through managing a part of a sales cycle - ensuring fast remittance of payments through your bank account and then - through world wide Western Union system and calculating fees at each step.

To sum up - Your mission in the company would be to create and maintain positive relationships with existing clients that result in new customers, lead to and maximize opportunities for expansions and renewals to enhance revenue stream.

To become a Regional Sales Manager You should be able to perform: excellent spoken English & communication skills, significant attention to detail, excellent organizational skills and ability to work unsupervised. You shall be extroverted and outgoing, with a positive outlook, customer focused and focused on own personal goals, integrating the achievement of company objectives.

Having joined in our team, You'll enjoy a wide range of benefits we can offer! For example, a base salary with generous commissions (10% out of each payment you've dealt with) and expenses, as well as flexible timetable, that will allow you to chose the most suitable time to deal with company assignments.

If You are interested in a position offered and for the rewards you want, when you want them visit our website to apply.

We are waiting you hearing from you asap.
Any questions are welcome.
Yours sincerely, Susanne Park
Note the usual Bayesian filter avoidance 'code', commonly used by these criminals and the 'rockphish' scammers alike.
The Zombie Botnet

How I am searching:
Searching for wtrc.cc A record at h.root-servers.net [128.63.2.53]: Got referral to c3.nstld.com. (zone: cc.)
Searching for wtrc.cc A record at c3.nstld.com. [192.26.92.32]: Got referral to NS2.BOX-PR.COM. (zone: wtrc.cc.)
Searching for wtrc.cc A record at NS2.BOX-PR.COM. [24.55.193.11]: Timed out. Trying again.
Searching for wtrc.cc A record at NS1.BOX-PR.COM. [72.36.142.251]: Reports wtrc.cc. Response:

The data shows a standard zombie botnet where the nameserver ns1.box-pr.com, hosted by Layered Technologies, Inc. on IP 72.36.142.251, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list which are hosting the fraud site (as determined by TRACERT). These criminals are experienced liars, thieves and professional confidence tricksters. Do not be fooled - do not believe them. The evidence of criminal fraud is undeniable.
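The rotating-zombie pattern just described, turned into a scoring check, as an added example that is not the page's own tooling: one fraud domain answering with several A records on short TTLs, the addresses scattered across unrelated networks, and the controlling nameservers on addresses that never appear among the web hosts. The sample answer is the walltr.ac response recorded in the 12th December entry on this page, typed in as constructed input; the thresholds and the /16 grouping are assumptions.

```python
"""Indicators of the rotating-zombie hosting pattern described on this page.

Added example, not the page's own tooling. Input is a DNS answer in the
'Domain Type Class TTL Answer' layout the page uses; output is a set of
indicators plus a simple score. Thresholds are assumptions.
"""
from collections import namedtuple

Record = namedtuple("Record", "name rtype rclass ttl answer")

# Constructed input: the walltr.ac answer recorded on this page.
SAMPLE_ANSWER = """\
Domain          Type  Class  TTL   Answer
walltr.ac.      A     IN     1800  89.34.222.4
walltr.ac.      A     IN     1800  89.136.176.120
walltr.ac.      A     IN     1800  75.181.12.180
walltr.ac.      A     IN     1800  86.105.153.174
walltr.ac.      A     IN     1800  86.107.101.225
walltr.ac.      NS    IN     1800  ns2.imaxq.com.
walltr.ac.      NS    IN     1800  ns1.imaxq.com.
ns1.imaxq.com.  A     IN     1800  66.79.171.146
ns2.imaxq.com.  A     IN     1800  20.31.85.15
"""


def parse_answer(text):
    """Parse rows of 'name type class ttl answer'; the header row and blanks are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue
        records.append(Record(parts[0].lower(), parts[1].upper(),
                              parts[2].upper(), int(parts[3]), parts[4].lower()))
    return records


def slash16(ip):
    """Coarse network key: the first two octets (assumed grouping)."""
    return ".".join(ip.split(".")[:2])


def flux_indicators(records, domain, short_ttl=3600, min_hosts=3):
    """Score one domain's answer. Thresholds are assumptions, not the page's."""
    name = domain.lower().rstrip(".") + "."
    web_ips = {r.answer for r in records if r.rtype == "A" and r.name == name}
    ttls = [r.ttl for r in records if r.rtype == "A" and r.name == name]
    ns_names = {r.answer for r in records if r.rtype == "NS" and r.name == name}
    ns_ips = {r.answer for r in records if r.rtype == "A" and r.name in ns_names}
    ind = {
        "host_count": len(web_ips),
        "distinct_networks": len({slash16(ip) for ip in web_ips}),
        "max_ttl": max(ttls) if ttls else None,
        # The controller answers from its own address, never from a zombie.
        "ns_separate_from_hosts": bool(ns_ips) and ns_ips.isdisjoint(web_ips),
        "controller_ips": sorted(ns_ips),
    }
    checks = [
        ind["host_count"] >= min_hosts,
        ind["distinct_networks"] >= min_hosts,
        ind["max_ttl"] is not None and ind["max_ttl"] <= short_ttl,
        ind["ns_separate_from_hosts"],
    ]
    ind["score"] = sum(checks)
    ind["rotating_zombie_pattern"] = ind["score"] >= 3
    return ind


if __name__ == "__main__":
    report = flux_indicators(parse_answer(SAMPLE_ANSWER), "walltr.ac")
    for key, value in report.items():
        print(f"{key}: {value}")
```

RDNS and traceroute confirmation of each host, which the page relies on, still has to be done against live data; this check only ranks which answers deserve that effort.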
I'd like to thank the many honest & ethical hosts who have disconnected these fraudsters within an hour of receiving an abuse report (several in c. 20 minutes). However, the zombie botnet controlling nameservers seem to be occasionally hosted by Colocation/VPS service providers who do not respond to criminal fraud abuse reports. The honest & ethical SPs will respond with an immediate (preferably not 24 hours or 48 hours & certainly not never...) disconnection on receipt of a criminal abuse report, having considered the evidence below & investigated, but more and more frequently service providers stall or simply ignore abuse reports. This latter minority of uncaring & unethical hosts are aiding and abetting criminal fraud and the victims suffer because of it.

Blocking the spam
I have had quite a few queries about how to block the criminal's spam in Outlook Express. Fortunately they are easily detected using the OE 'Mail Rules' (Tools - Message Rules - Mail). Rules based on the From, To etc. addresses will never work as the header data is all forged. The message body remains constant, however, & that can be used to detect them. Use the rule "Where the message body contains specific words" and use "Waller Truck Co." as the search item, then choose 'delete' (or whatever action you prefer) as the action; that will definitely detect every single one of these spams.
If you find this site helpful then please feel free to link to it on your website by inserting the following HTML code (opens site in new window): <a href="http://www.bobbear.co.uk" target="_blank">Money Laundering Fraud Websites</a>

Fraud Blog

Initial entry 27th. November 2007
Domains wtrc.cc and watrc.cc received in spams.

Later - Domains wtrc.cc and watrc.cc & box-pr.com all parked by Register.com, so unless the criminal has other domains that I'm not aware of, he is off-line. Please let me know if you know of any resolving domains for this criminal. Unfortunately the quick suspension of the Register.com domains prevented Layeredtech seeing the zombie botnet, but they'll be back....

28th. November 2007

...and so they are - three new domains received in spam this morning - both on the Layeredtech hosted zombie botnet using a new nameserver domain (newlookgame.com - IA Registry/Spiritdomains):
The data shows a standard zombie botnet where the nameserver ns1.newlookgame.com, hosted by Layered Technologies, Inc. on IP 72.36.142.251, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

The latest domains are registered with the registrar Nic.ac, which has a history of registering domains for the Draper Investment fraudster and the Cronos Investment fraudster criminals and ignoring every single abuse report.
Later - Layeredtech have disconnected the criminal's nameserver ns1.newlookgame.com [72.36.142.251] and the criminal has now set up a new botnet hosted by a UK company called No Wires Ltd of Nether Poppleton, YORK on IP 193.33.179.162:

The data shows a standard zombie botnet where the nameserver ns1.newlookgame.com, hosted by No Wires Ltd of Nether Poppleton, YORK, UK on IP 193.33.179.162, is acting as a zombie botnet controller 'herding' the rotating zombies (as evidenced by RDNS data) in the 'A' records list which are hosting the fraud site (as evidenced by TRACERT data), using the listed domains.

29th. November 2007
New domain reported by site contact - wallc.ac, once again on the No Wires Ltd zombie botnet.

Later - new domain reported (trwa.ac) on new network:

Looking up at the 2 trwa.ac. parent servers:
Server                            Response
ns1.nsters.com [200.72.139.67]    81.1.255.134
ns3.nsters.com [202.74.32.13]     Timeout

The host on this one is:
netname: ZSTTK-NET
descr: JSC "Zap-Sib TransTeleCom"

Once again this site thief, criminal fraudster and spammer is registering his criminal domains with the Registrar Nic.ac (aka nic.io, nic.sh, nic.tm, UWhois.com, the Internet Computer Bureau and 'InOne', a 'one-stop' networking business). Unfortunately this company has failed to respond to any abuse reports submitted.

30th. November 2007
Another new domain received in this morning's spam - watrco.ac, once again registered with the criminal registrar Nic.ac, on another 'new' network:

Looking up at the 2 trwa.ac. parent servers:
Server                            Response
ns1.nsters.com [200.72.139.67]    81.10.22.174
ns3.nsters.com [202.74.32.13]     Timeout

The host on this one is:
IP: 81.10.22.174
netname: TEData-ADSL-Pool
descr: TE Data ADSL Pool
RDNS: host-81.10.22.174.tedata.net

Which is quite interesting - that data (ADSL) tells me that the crook is now using individual zombied machines (81.10.22.174) as his site host and the real villain in the piece is the zombie controller ns1.nsters.com [200.72.139.67], which by definition is using a criminal registered nameserver domain (nsters.com - Todaynic), hosted by:

The data shows a standard zombie botnet where the nameserver ns1.newlookgame.com, hosted by INTERNETONDEMAND-LTD on IP 83.142.48.60, is acting as a zombie botnet controller 'herding' the rotating zombies (as evidenced by RDNS data) in the 'A' records list which are hosting the fraud site (as evidenced by TRACERT data), using the listed domains.

Later - New domains received in spam - watrco.ac & waecom.ac, trwa.ac and new domain wlertr.ac notified to me by site contact.
Looking up at the 2 watrco.ac. parent servers:
Server                            Response
ns1.nsters.com [200.72.139.67]    81.3.139.250
ns3.nsters.com [202.74.32.13]     Timeout

The host on this one (IP: 81.3.139.250) is:
org: ORG-ZP1-RIPE
netname: RU-PETERSTAR-20020419
descr: ZAO PeterStar

Later - new domain notified by site contact - wallt.ac on the INTERNETONDEMAND-LTD zombie botnet.

Later - New domain noticed in the wild - wallco.cc on the INTERNETONDEMAND-LTD zombie botnet.

1st. December 2007
Another month and the registrar Nic.ac is still making money from spammers and criminal fraudsters - new .ac domain received in spam this morning - waecom.ac on the ZAO PeterStar network above. The criminal has ten known active domains at the moment, nine of them registered with nic.ac - he simply doesn't need another registrar when he's found one that appears to be quite happy to aid and abet his criminal activities by ignoring all abuse reports.

4th. December 2007

The criminal has a new nameserver domain, but the same host in INTERNETONDEMAND-LTD

Looking up at the 2 walltr.ac, walltrco.ac, walltco.ac, wallt.ac & wallc.ac parent servers:
The data shows a standard zombie botnet where the nameserver ns1.vip73.com, hosted by INTERNETONDEMAND-LTD of Unit 18 Liversedge West Yorkshire on IP 83.142.48.60, is acting as a zombie botnet controller 'herding' the rotating zombies (as evidenced by RDNS data) in the 'A' records list which are hosting the fraud site (as evidenced by TRACERT data), using the listed domains.

6th. December 2007

Another .ac domain received in spam - wtrco.ac.
I'm not going to waste my time reporting it - the owner of Nic.ac, Paul M Kane, is apparently happy to continue to make money out of criminal fraudsters and spammers with seemingly no regard for the victims of this criminal fraudster.

The IP 81.16.94.132 belongs to Novgorod ADSL Network, so it looks like another single zombie as it has an RDNS of xdsl-94-ppp132.tts.nov.ru. It's being controlled by the controller ns1.nsters.com on 200.72.139.67, which is an ENTEL CHILE S.A. IP who ignore abuse reports, so it's a complete waste of time reporting to them. The same seems to be true for INTERNETONDEMAND-LTD of Unit 18 Liversedge West Yorkshire, who have also ignored all abuse reports so far. The criminal has chosen his suppliers wisely, especially with the UK registrar Nic.ac who has a full house of the criminal's active domains (the first time I've known that happen - a shameful record, I think). I am ashamed to say that it is both a UK registrar and a UK ISP that are the main sponsors of these criminals at the moment and I apologise to their victims.

8th. December 2007
The zombie botnet host IP 83.142.48.60 appears to be dead this morning, so perhaps someone finally got through to INTERNETONDEMAND-LTD. Needless to say, all of the criminal's .ac domain registrations are still active.

9th. December 2007
It looks as though INTERNETONDEMAND-LTD are still hosting this criminal fraudster - it's just the nameserver domain vip73.com that has been parked by Register.com. Thanks guys for being one of the few ethical bright spots in the current list of this criminal's suppliers. The criminal's zombie botnet is now back up using the newly registered nameserver domain imaxq.com (Spiritdomains - 03-dec-2007).

The data shows a standard zombie botnet where the nameserver ns1.imaxq.com, hosted by INTERNETONDEMAND-LTD of Unit 18 Liversedge West Yorkshire on IP 83.142.48.60, is acting as a zombie botnet controller 'herding' the rotating zombies (as evidenced by IP RDNS data) in the 'A' records list which are hosting the fraud site (as evidenced by domain TRACERT data), using the listed domains.

The domains wtrco.ac, watrco.ac, waecom.ac, trwa.ac & wlertr.ac are all timing out ATM, which is a little odd as the ENTEL CHILE S.A./Novgorod ADSL network appears to be intact from the DNS info.

Spam received using domain walltrco.ac - he's got plenty of choice from his .ac domains...

11th. December 2007

The criminal's .ac domains are all still resolving despite numerous notifications of the abuse to Nic.ac. It has been determined by a challenge-response method that Nic.ac undoubtedly do receive the communications addressed to them, so there is no doubt that they are fully aware of these criminals and their activity but continue to provide them with .ac domains, as they previously did for the Cronos Investment and Draper Investment money laundering & phishing criminals before them, and continue to ignore all requests for suspension. It should be borne in mind that the evidence from the zombie botnet distributed spam suggests that these criminals are also the 'rockphish' phishing criminals.
The zombie botnet controller ns1.imaxq.com [83.142.48.60] is still operating courtesy of INTERNETONDEMAND-LTD and no response has been received from the company, but hopefully there should be some response soon as some very welcome help has been kindly offered from the side of UK law enforcement to resolve this issue.

Confirmation of Nic.ac's position on abuse has been received from them by a friend. To sum up, they have no enforced Acceptable Use Policy or Abuse Policy of their own - to use their own words: "we do not get involved at all". Their abuse policy is administered solely by WIPO, and appears to be limited to intellectual property issues only, and in any event a complaint to WIPO under the procedure regarding a .ac domain has to be accompanied by a $500 initial fee, which is obviously effectively going to prohibit the normal reporting of fraud, spam etc. domains.
12th. December 2007

The INTERNETONDEMAND-LTD IP has now been shut down and the criminal has moved his botnet to 66.79.171.146

Searching for walltr.ac A record at m.root-servers.net [202.12.27.33]: Got referral to NS3.ICB.CO.UK. (zone: ac.)
Searching for walltr.ac A record at NS3.ICB.CO.UK. [217.199.188.61]: Got referral to NS1.IMAXQ.COM. (zone: walltr.ac.)
Searching for walltr.ac A record at NS1.IMAXQ.COM. [66.79.171.146]: Reports walltr.ac. Response:

Domain          Type  Class  TTL   Answer
walltr.ac.      A     IN     1800  89.34.222.4
walltr.ac.      A     IN     1800  89.136.176.120
walltr.ac.      A     IN     1800  75.181.12.180
walltr.ac.      A     IN     1800  86.105.153.174
walltr.ac.      A     IN     1800  86.107.101.225
walltr.ac.      NS    IN     1800  ns2.imaxq.com.
walltr.ac.      NS    IN     1800  ns1.imaxq.com.
ns1.imaxq.com.  A     IN     1800  66.79.171.146
ns2.imaxq.com.  A     IN     1800  20.31.85.15

Looking up at the 2 walltr.ac. parent servers:
[Diagram: Zombie Botnet Nameserver -> Botnet Nameserver 'A' Records (Zombie Site Host IPs)]

The IP belongs to Managed Solutions Group, Inc. of Fremont CA

The data shows a standard zombie botnet where the nameserver ns1.imaxq.com, hosted by Managed Solutions Group, Inc. of Fremont CA on IP 66.79.171.146, is acting as a zombie botnet controller 'herding' the rotating zombies (as evidenced by IP RDNS data) in the 'A' records list which are hosting the fraud site (as evidenced by domain TRACERT data), using the listed domains. The nameserver domain imaxq.com has been registered by the criminals with SPIRITDOMAINS/IAREGISTRY.

13th. December 2007

The above
Managed Solutions Group, Inc. zombie botnet is still functional, hosting domains walltr.ac, walltrco.ac, walltco.ac & wallc.ac. For some reason he's split off domain wallt.ac on to its own network, although it's showing a Nownet login/parking page at the moment:

Looking up at the 2 wallt.ac parent servers:
Server                           Response
ns7.01isp.com [218.16.121.3]     61.238.149.50
ns8.01isp.net [203.169.164.16]   61.238.149.50

The IP 61.238.149.50 belongs to City Telecom (H.K.) Ltd. The five domains wtrco.ac, waecom.ac, trwa.ac & wlertr.ac are now on a new network as follows:
Looking up at the 2 wlertr.ac. parent servers:
Server                           Response
ns1.yesnsok.com [200.72.139.67]  202.103.49.198
ns5.yesnsok.com [0.0.0.0]        Timeout

The IP 202.103.49.198 belongs to The Dongpu Information Technology Company, in ShiYan city, Hubei Province. The nameserver IP 200.72.139.67 is the usual ENTEL CHILE S.A. IP - they have not responded to abuse reports.

15th. December 2007
New domains reported to me by site contact: waco.nu and waltr.nu. Looks like the criminal is branching out to Niue domains. For these two domains he's using his old Cronos botnet, albeit on a new IP:

Searching for waco.nu A record at c.root-servers.net [192.33.4.12]: Got referral to NS0.TELIA.NIC.nu. (zone: nu.)
Searching for waco.nu A record at NS0.TELIA.NIC.nu. [212.181.91.4]: Got referral to ns1.thelastwall.com. (zone: waco.nu.)
Searching for waco.nu A record at ns1.thelastwall.com. [65.38.67.41]: Reports waco.nu. Response:

Domain                Type  Class  TTL   Answer
waco.nu.              A     IN     1800  78.88.96.150
waco.nu.              A     IN     1800  78.96.20.179
waco.nu.              A     IN     1800  79.176.233.30
waco.nu.              A     IN     1800  85.204.210.35
waco.nu.              A     IN     1800  89.137.159.82
waco.nu.              NS    IN     1800  ns2.thelastwall.com.
waco.nu.              NS    IN     1800  ns1.thelastwall.com.
ns1.thelastwall.com.  A     IN     1800  65.38.67.41
ns2.thelastwall.com.  A     IN     1800  67.82.17.59

Looking up at the 2 waco.nu. parent servers:
[Diagram: Zombie Botnet Nameserver -> Botnet Nameserver 'A' Records (Zombie Site Host IPs)]

The data shows a standard zombie botnet where the nameserver ns1.thelastwall.com, hosted by Globale Internet InfoAccess of Mont-Royal, Canada on IP 65.38.67.41, is acting as a zombie botnet controller 'herding' the rotating zombies (as evidenced by IP RDNS data) in the 'A' records list which are hosting the fraud site (as evidenced by domain TRACERT data), using the listed domains. The five domains wtrco.ac, watrco.ac, waecom.ac, trwa.ac & wlertr.ac are now on a new network as follows:
Looking up at the 2 wlertr.ac. parent servers:
Server                           Response
ns1.yesnsok.com [200.72.139.67]  81.16.94.132
ns5.yesnsok.com [85.11.183.83]   [Reports no A record (NXDOMAIN)]

The IP 81.16.94.132 belongs to The Novgorod ADSL Network. The nameserver IP 200.72.139.67 is the usual ENTEL CHILE S.A. IP - they have not responded to abuse reports.

16th. December 2007
Two new domains notified to me by a site contact - walc.nu and wal.la (both on the Globale Internet InfoAccess zombie botnet), so the criminal is branching out to .la domains. At $200 a punt, he's not ordering these for the beauty of the city... Still, when you're using stolen funds to buy them, the cost doesn't matter, I guess...

17th. December 2007

New .la domain notified to me by site contact - wtr.la. Globale Internet InfoAccess must have taken action as there is a new botnet host (74.62.155.11). Network details:
DNS Data for wal.ph, wa.kg, wal.kg, wtrc.la, walc.la

How I am searching:
Searching for wa.kg A record at l.root-servers.net [199.7.83.42]: Got referral to ns.kg. (zone: kg.)
Searching for wa.kg A record at ns.kg. [195.38.160.36]: Got referral to NS2.THELASTWALL.COM. (zone: wa.kg.)
Searching for wa.kg A record at NS2.THELASTWALL.COM. [67.82.17.59]: Timed out. Trying again.
Searching for wa.kg A record at NS1.THELASTWALL.COM. [74.62.155.11]: Reports wa.kg. Response:

Domain                Type  Class  TTL   Answer
wa.kg.                A     IN     1800  77.81.74.80
wa.kg.                A     IN     1800  80.98.118.108
wa.kg.                A     IN     1800  80.98.250.13
wa.kg.                A     IN     1800  82.30.9.238
wa.kg.                A     IN     1800  82.36.215.196
wa.kg.                A     IN     1800  85.66.49.199
wa.kg.                A     IN     1800  85.66.183.180
wa.kg.                NS    IN     1800  ns2.thelastwall.com.
wa.kg.                NS    IN     1800  ns1.thelastwall.com.
ns1.thelastwall.com.  A     IN     1800  74.62.155.11
ns2.thelastwall.com.  A     IN     1800  67.82.17.59

Looking up at the 2 wa.kg. parent servers:
[Diagram: Zombie Botnet Nameserver -> Botnet Nameserver 'A' Records (Zombie Site Host IPs)]