Zales Corporation Fraud

Don't Bear Internet Fraud

This Zales (The jewellery store people) fraud is an interesting one and a slight departure from the norm. The criminals send out spam, (example below as received), with a response address of jobs@zalesworks.org. The domain zalesworks.org resolves to the above web page which, from the footer, purports to be Zales themselves. It's not, of course, (the genuine Zales domain is zales.com), the domain zalesworks.org has been registered by criminals with Enom Inc. (23-Jan-2008), for two purposes:
1) To use the MX (Mail Exchange) facility for the receipt of victim's mail from their spam, (sample below).
2) To serve as a log in facility when their money laundering fraud victims are ensnared.

This fraud is nothing to do with the genuine Zales Corporation. but is a criminal scam set up by Russian criminals for fraudulent purposes using the stolen identity of Zales.

Zales Corporation Identity fraud : Evidence of Criminal Fraud

i) This is a copy of the Zales fraudsters spam as received:

From : "Bryan Dean / ZALES Inc" <jobs@zalesworks.org>

Date : 26 January 2008 09:05:39

To : <xxxxxxxxx>

Subject : Job Offer

		WE HAVE A JOB FOR YOU!
		WE HAVE A JOB FOR YOU!

Leading international company is expanding! My name is Bryan and we have an exciting opening for a Company Representative. Please make an attention about position offered.

ZALES Jewelry International Network is looking for additional qualified Financial Representatives to serve people right here in our area.

You could be our ideal candidate. People from many different backgrounds - lawyers, accountants, sales personnel, perhaps some just like you - have successfully changed their careers to become a Financial Representative with ZALES.

In 2006, ZALES was recognized by Selling Power magazine as one of the "100 Best Companies to Sell For" in the US. ZALES is looking for good people who are thinking about a career change and have what it takes to become one of 'the best.'

If you're a top performer, want to be financially rewarded for hard work and have the desire to impact people's lives positively every day, you may be a candidate we want to speak with.

Financial Representatives with ZALES, which is part of the Jewelry International Network (JIN), provide expert guidance and innovative solutions for the needs of individuals and businesses in the areas of retirement solutions, insurance and investment services, estate analysis, business needs analysis, education funding, and employee benefits.

As a representative you are in business for yourself but you are not alone. Financial Representatives with ZALES are supported by a network of financial specialists, training programs and mentoring opportunities.

This position is limited, hurry-up and send your name, phone and contact time to us:

WE TREASURE YOUR PRIVACY AND PROTECTION
This email was sent by: www.zales.com
8420 W Bryn Mawr Ave, Chicago, IL, 60631 USA

ii) As you can see, the mail purports to have been sent from zales.com, but it hasn't - the response address is in fact jobs@zalesworks.org

iii) The domain zalesworks.org was only registered with Enom Inc. on 23rd. January 2008

iv) The criminally registered nameserver NS1.SGFORDNS.ORG (from the DNS data below), used by the above criminal's website confirms that these are the same criminals as the AceChecktronic, UltraGame, Prosoft, and Ace Global Inc. thieves and fraudsters and also the 'Pinch' trojan creator site ctrlalt.info among others.

v) They are hosted on the well known Russian RBN criminal AbdAllah Internet Hizmetleri network IP 88.255.94.88 as evidenced below.

The above evidence clearly demonstrates beyond any doubt that the zalesworks.org website has been set up by money laundering fraudsters purely for the purpose of spamvertising an illegal money laundering 'mule' job. If you are an abuse team that has received an abuse report regarding these fraudsters, please consider immediate termination of their services in view of the absolutely undeniable evidence of criminal money laundering activity and spamming - please don't delay - these criminals will not respond to any communication from you, (all their whois data is false), but will simply take advantage of any attempt at communication as a delaying tactic to allow them time to carry on their criminal activity and prepare their next network.

Zales Corporation Fraudsters - current hosting details [Updated 27th. January 2008]

Current Main Domains, Hosts and Registrars

Domain

zalesworks.org
zaleswork.org

Registrar

eNom, Inc. 23-Jan-2008
eNom, Inc. 24-Jan-2008

Host Network

AbdAllah Internet Hizmetleri
AbdAllah Internet Hizmetleri

Host IP

88.255.94.88
88.255.94.88

Suspended

Please notify me of any other current domains used by this criminal.

i) The criminal will not respond to your challenge, but will use the notice to prepare a new network - immediate suspension is requested please, if allowed for by your AUP.

Initial DNS Data (zalesworks.org)

How I am searching:

Searching for zalesworks.org A record at j.root-servers.net [192.58.128.30]: Got referral to C0.ORG.AFILIAS-NST.INFO. (zone: org.)
Searching for zalesworks.org A record at C0.ORG.AFILIAS-NST.INFO. [199.19.53.1]: Got referral to ns1.sgfordns.org. (zone: zalesworks.org.)
Searching for zalesworks.org A record at ns1.sgfordns.org. [88.255.94.82]: Reports zalesworks.org. Response:

Domain	Type	Class	TTL	Answer
zalesworks.org.	A	IN	60	88.255.94.88
zalesworks.org.	NS	IN	60	ns2.sgfordns.org.
zalesworks.org.	NS	IN	60	ns1.sgfordns.org.
ns1.sgfordns.org.	A	IN	60	88.255.94.82
ns2.sgfordns.org.	A	IN	60	88.255.94.83

Looking up at the 2 zalesworks.org. parent servers:

Server	Response
ns2.sgfordns.org [88.255.94.83]	88.255.94.88
ns1.sgfordns.org [88.255.94.82]	88.255.94.88

The IP 88.255.94.88 belongs to the well known Russian RBN criminal network AbdAllah Internet Hizmetleri

Fraud Blog

Initial entry 27th. January 2008

Later - (info from site contact) both domains suspended - no active domains known