Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances
Another serious "bidniz" job offer....

 
olliver (Expert Developer)
Posted: Sat Jun 09, 2007 11:14 am    Post subject: Another serious "bidniz" job offer....

Social engineering is an essential part for scam artists to get people to do things they'd normally avoid. Spamvertised job offers, well, as the distribution method implies, are seldom of a kosher nature. Nevertheless, there are desperate people looking for a job who'd fall for this. Greed may be another factor (sometimes amusing how the prospects of green papers can turn smart people into idiots, but that's a different subject).

My spamtrap got hold of this fine example of "job opportunity":

Subject line: Invitation to fill in the vacant position of an account manager in our company [letter id: JS2909676J]

Hmm, reminds me of trouble tickets when reporting spam to ISPs. Except that I've never requested to receive such offers.

Body:

Quote:
While we may have high expectations of our associates, we also give them high rewards. Imagine being part of a stable organization with a sterling reputation - a place where the Sydney Car Centre is an integral part of all that we do. With our car centre personality, you'll not just succeed - you'll thrive. And, with our strong commitment to promoting from within, you'll definitely enjoy your rise to the top.

Today the Sydney Car Centre is looking for an industrious regional assistant to fasten the process of the delivery of customer payments to the suppliers. The position offered is a part-time job, and will only require from you to be available for 1-2 hours a day.

As a regional assistant, you will be supposed to operate with the payments from those customers, based in your country. You will be expected to accept 2-3 transactions to your bank account every week, make certain calculations about every transaction (you will be precisely instructed about it), & transfer the funds to the suppliers by means of western Union/Money Gram less your fee & the charges of the Western Union/Money Gram. You will be continuously communicating with the manager from the head office, who will instruct you & give advice regarding every new payment.

The ideal candidate will be industrious, goal-oriented person, with the availability of a personal/business bank account suitable to be used for the company needs. Knowledge of English, computer literacy and sociability are appreciated.

The company guarantees to pay NET 10% fee out of the amount of every payment you dealt with and to provide you with the regular income & flexible schedule. All the related expenses you might have (like the Western Union/Money Gram chargers, related expenses on traveling) are covered by the company.

The more detailed information is available on our web-site http ://vacancy-29898.SYDNEYCC.HK/vacancies.php, where you can fill in the on-line application form for this position.

We would be glad to welcome you in our team!

We are looking forward to hearing from you as soon as possible!

Yours sincerely, Tamera Foreman


Note the lack of an opening, definitely a "no-go" for official correspondence. Next signs of doubt are located in the "bidniz" URL, one of those spammy *.hk domains our buddies Kuvayev, Polyakov and Yambo seem to love so much....

Let's look at the headers:
Quote:
Return-Path: <Juliet353@grungecafe.com>
X-Flags: 1001
Delivered-To: <spamtrap>
Received: (qmail invoked by alias); 09 Jun 2007 00:16:10 -0000
Received: from 236.red-82-159-77.user.auna.net (HELO 236.red-82-159-77.user.auna.net) [82.159.77.236]
by mx0.gmx.net (mx006) with SMTP; 09 Jun 2007 02:16:10 +0200


Received: from ghisler.com (unknown [30.14.84.119])
by ifg.com with SMTP id A6GEE48UMQ
for <BCC screed>; Fri, 08 Jun 2007 17:16:07 -0800
Received: from free.fr (cyanic.free.fr [54.98.248.234])
by jam-data.com with SMTP id FWNPKD2J7D
for <BCC screed>; Sat, 09 Jun 2007 04:12:07 +0300
XAuthentication-Warning: P98-monomeric6.AZL61dtji.cornelius.autodesk.com (onemotion.com.ass-pimps.com [58.240.37.48]): si31patsy set sender to gcuzyobyj@norika-fujiwara.com using -b
From: "SCC" <Juliet353@grungecafe.com>
To: <BCC screed>
Subject: Invitation to fill in the vacant position of an account manager in our company [letter id: JS2909676J]
XAuthentication-Warning: P98-monomeric6.AZL61dtji.cornelius.autodesk.com (onemotion.com.ass-pimps.com [58.240.37.48]): si31patsy set sender to gcuzyobyj@norika-fujiwara.com using -b
User-Agent: MIME-tools 5.503 (Entity 5.501)
X-Mailer: MIME-tools 5.503 (Entity 5.501)
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--8K2NID1ZVWB2TNI.Q16HUQ"


<BCC screed> denotes a different email address showing up as recipient, which is a clear sign of a BCC list the spammer used. So the "personal" offer was in fact sent to many, many more people... Most of the headers are completely bollocks and probably have been added by the spamware. The only address that can be trusted is the one containing:
236.red-82-159-77.user.auna.net (82.159.77.236)
This is a Spanish ISP so the sender was yet another b0tted Windoze machine running on autopilot.

Now what job offer would be sent via b0tnets, except for ones involving criminal activities? The described scheme pretty much sounds like money laundering.

A search for sydneycc.hk leads us to the following article:
http://db.aa419.org/fakebanksview.php?key=15605
Or look at this thread:
http://www.phishtank.com/lists/users/msg01946.html

So it clearly is a fraud. Those who received that spam should not under any circumstances reveal their personal data to these criminals.

Olliver
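As an added example (not part of the thread), the header check Olliver describes can be automated: walk the Received chain from the top, trust only the hop stamped by one's own MX (assumed here to be mx0.gmx.net, as in the quoted headers), and flag the To:/Delivered-To: mismatch that gives away a BCC list. The header block is constructed from the quoted headers with placeholder recipient addresses.

```python
"""Triage an e-mail header block: find the one Received hop we can trust
and flag the inconsistency that gives away a BCC-list mailing."""
import re
from email.parser import HeaderParser

# Assumption: hostname of our own inbound MX. Only the Received line it
# stamped is trustworthy; every Received line below it was handed to us
# by the sending machine and can be forged at will.
OUR_MX = "mx0.gmx.net"

# Constructed sample built from the headers quoted in the thread; the
# example.org / example.net addresses are placeholders for the spamtrap
# and for the unrelated recipient ("BCC screed") that showed up in To:.
SAMPLE = """\
Return-Path: <Juliet353@grungecafe.com>
Delivered-To: <spamtrap@example.org>
Received: (qmail invoked by alias); 09 Jun 2007 00:16:10 -0000
Received: from 236.red-82-159-77.user.auna.net (HELO 236.red-82-159-77.user.auna.net) [82.159.77.236]
  by mx0.gmx.net (mx006) with SMTP; 09 Jun 2007 02:16:10 +0200
Received: from ghisler.com (unknown [30.14.84.119])
  by ifg.com with SMTP id A6GEE48UMQ
  for <someone-else@example.net>; Fri, 08 Jun 2007 17:16:07 -0800
Received: from free.fr (cyanic.free.fr [54.98.248.234])
  by jam-data.com with SMTP id FWNPKD2J7D
  for <someone-else@example.net>; Sat, 09 Jun 2007 04:12:07 +0300
From: "SCC" <Juliet353@grungecafe.com>
To: <someone-else@example.net>
Subject: Invitation to fill in the vacant position of an account manager
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.I)
ADDR_RE = re.compile(r"<([^>]+)>")

def parse_headers(raw):
    """Parse a bare header block (no body is needed for triage)."""
    return HeaderParser().parsestr(raw, headersonly=True)

def trusted_hop(msg, our_mx=OUR_MX):
    """Return (connecting_ip, untrusted_hops).

    Received headers are prepended as a message travels, so reading from
    the top, the first hop whose 'by' clause names our MX is the one we
    recorded ourselves; everything after it in the list came from the sender."""
    hops = [re.sub(r"\s+", " ", h) for h in msg.get_all("Received", [])]
    for i, hop in enumerate(hops):
        by = BY_RE.search(hop)
        if by and by.group(1).lower() == our_mx:
            ip = IP_RE.search(hop)
            return (ip.group(1) if ip else None, hops[i + 1:])
    return (None, hops)

def recipient_mismatch(msg):
    """True when the visible To: is not the address we actually delivered
    to, i.e. the mail came off a BCC list rather than being addressed to us."""
    delivered = ADDR_RE.search(msg.get("Delivered-To", ""))
    to = ADDR_RE.search(msg.get("To", ""))
    if not (delivered and to):
        return False
    return delivered.group(1).lower() != to.group(1).lower()

def triage(raw, our_mx=OUR_MX):
    msg = parse_headers(raw)
    ip, forged = trusted_hop(msg, our_mx)
    return {"sender_ip": ip,
            "untrusted_received": len(forged),
            "bcc_list": recipient_mismatch(msg)}

if __name__ == "__main__":
    print(triage(SAMPLE))
```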
olliver (Expert Developer)
Posted: Tue Jun 12, 2007 1:37 pm

Our "Sydney Car Centre" has moved to a different location:

evidence in NANAS:

The new URL is at vacancy-7783802.sycarcentre.io/vacancies.php. Tamera Foreman has been replaced with Margaret Larsen, but the "offer" remains the same...

Olliver
suzi (Site Admin)
Posted: Tue Jun 12, 2007 4:39 pm

That's the first time I've seen a .io domain. I had to look it up.

IO - British Indian Ocean Territory

I don't see it here:

http://www.uwhois.com/domains.html

Domaintools returns some info:

http://whois.domaintools.com/sycarcentre.io

Address: 216.117.170.115
IP Location - North Carolina - Fayetteville - Advanced Internet Technologies Inc

But no whois information.

Found this:

http://www.nic.io/

When I put the domain in the whois search box, it returns this:

Domain Search

Domain Unavailable - SYCARCENTRE.IO

The application has been received. Now awaiting payment authorization.



Other domains on the IP, may or may not be related:

Search Results for 216.117.170.115 [reverse DNS - nameservices.net]
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.
olliver (Expert Developer)
Posted: Wed Jun 13, 2007 3:07 am

Thanks for that info.
Advanced Internet Technologies Inc has a less than stellar reputation:
http://www.google.com/search?q=aitcom.net+spam
http://groups.google.com/group/news.admin.net-abuse.email/search?q=aitcom.net&start=0&scoring=d&

They also happily register domains that are used for fastflux botnet hosting:
http://groups.google.com/group/news.admin.net-abuse.email/search?q=aitdomains&start=0&scoring=d&

Olliver
suzi (Site Admin)
Posted: Wed Jun 13, 2007 7:51 am

Interesting.
olliver (Expert Developer)
Posted: Thu Jun 14, 2007 10:27 am

Another Car Centre update:
Quote:
Sydney Car Centre is the replacement fraud site for The Lux Capital money laundering fraudsters - exactly the same nameserver, exactly the same modus operandi, i.e. offering an illegal 'Regional Assistant' so- called 'job' as a money laundering mule and frequently hosting the site using zombie botnets

http://groups.google.com/group/news.admin.net-abuse.email/msg/61cd044afcb20e87

Blogger James Miller noticed them as well, each spam he received signed by a different person:
http://www.jamesmiller.com/mtmblog/2007/06/sydney-car-centre.html
The Sydney Car Centre is a rip-off from a legit UK site:
http://www.jamesmiller.com/mtmblog/2007/06/sydney-car-centre-2.html

Olliver
olliver (Expert Developer)
Posted: Mon Jun 18, 2007 3:14 am

Sydney Car Centre is back again....
Just found a fresh turdlet in my spamtrap, this time sent from a compromised machine in Poland.

Headers:
Quote:
Return-Path: <kzrvketlv@smapxsmap.net>
X-Flags: 1001
Delivered-To: <trapspam>
Received: (qmail invoked by alias); 17 Jun 2007 00:23:15 -0000
Received: from 47-tor-2.acn.waw.pl (HELO 47-tor-2.acn.waw.pl) [62.121.69.47]
by mx0.gmx.net (mx083) with SMTP; 17 Jun 2007 02:23:15 +0200

Received: from arginine.tenchiclub.com (unknown [99.88.66.141])
by bdsmtales.com with SMTP id IP5LY8EVVP
for <BCC-screed>; Sat, 16 Jun 2007 17:23:15 -0800
From: "Sydney Car Centre" <kzrvketlv@smapxsmap.net>
To: <BCC-screed>
Subject: due to expansion of activities our company is looking for new employees to fill in the vacancies of account managers
In-Reply-To: "Sydney Car Centre" <xilogsmhjirnhl@altern.org>
User-Agent: Mutt/1.5.1i
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--IHFSM73361OYYQ"
Date: Sun, 17 Jun 2007 02:23:16 +0200


Body:
Quote:
While we may have high expectations of our associates, we also give them high rewards. Imagine being part of a stable organization with a sterling reputation - a place where the Sydney Car Centre is an integral part of all that we do. With our car centre personality, you'll not just succeed - you'll thrive. And, with our strong commitment to promoting from within, you'll definitely enjoy your rise to the top.

Today the Sydney Car Centre is looking for an industrious regional assistant to fasten the process of the delivery of customer payments to the suppliers. The position offered is a part-time job, and will only require from you to be available for 1-2 hours a day.

As a regional assistant, you will be supposed to operate with the payments from those customers, based in your country. You will be expected to accept 2-3 transactions to your bank account every week, make certain calculations about every transaction (you will be precisely instructed about it), & transfer the funds to the suppliers by means of western Union/Money Gram less your fee & the charges of the Western Union/Money Gram. You will be continuously communicating with the manager from the head office, who will instruct you & give advice regarding every new payment.

The ideal candidate will be industrious, goal-oriented person, with the availability of a personal/business bank account suitable to be used for the company needs. Knowledge of English, computer literacy and sociability are appreciated.

The company guarantees to pay NET 10% fee out of the amount of every payment you dealt with and to provide you with the regular income & flexible schedule. All the related expenses you might have (like the Western Union/Money Gram chargers, related expenses on traveling) are covered by the company.

The more detailed information is available on our web-site http:// vacancy-53744923.sydneycar.hk/vacancies.php, where you can fill in the on-line application form for this position.

We would be glad to welcome you in our team!

We are looking forward to hearing from you as soon as possible!

Yours sincerely, Kasey Pacheco


So this time it's sydneycar.hk. Let's dig this source:

Quote:
sydneycar.hk. 28800 IN NS NS2.SEARCH-PND.COM.
sydneycar.hk. 28800 IN NS NS1.SEARCH-PND.COM.
;; Received 80 bytes from 128.32.136.14#53(ADNS2.BERKELEY.EDU) in 190 ms

sydneycar.hk. 1800 IN A 69.154.34.208
sydneycar.hk. 1800 IN A 82.60.116.6
sydneycar.hk. 1800 IN A 85.178.62.218
sydneycar.hk. 1800 IN A 221.151.155.44
sydneycar.hk. 1800 IN A 24.137.71.198
sydneycar.hk. 1800 IN NS ns1.search-pnd.com.
sydneycar.hk. 1800 IN NS ns2.search-pnd.com.
;; Received 192 bytes from 66.196.43.228#53(NS1.SEARCH-PND.COM) in 180 ms


Voila, we've got another b0tnet hosted domain with a rotation interval of 30 minutes. The nameservers:

ns1.search-pnd.com -> 66.196.43.228

Whois:
Quote:
OrgName: Eonix Corporation
OrgID: EONIX
Address: 3155 East Patrick Lane
City: Las Vegas
StateProv: NV
PostalCode: 89120
Country: US

NetRange: 66.196.43.0 - 66.196.43.255
CIDR: 66.196.43.0/24
NetName: SN-EONIX-01
NetHandle: NET-66-196-43-0-1
Parent: NET-66-196-32-0-1
NetType: Reallocated
NameServer: NS.INFINITIE.NET
NameServer: NS2.INFINITIE.NET
Comment:
RegDate: 2006-05-31
Updated: 2006-05-31

OrgTechHandle: ADMIN839-ARIN
OrgTechName: Administrator
OrgTechPhone: +1-310-469-1967
OrgTechEmail: admin at infinitie.net


ns2.search-pnd.com -> 26.81.81.101

The second IP address is bogus, as it's not routed anywhere.

Turns out the criminals are hiding behind an anonymous domain registration:
Quote:
Registrant:
Domain Discreet
ATTN: search-pnd.com
P.O. Box 278
Yarmouth, NS B5A 4B2
CA
Email: 225840510a1e672901efa7ba4f95e208 @ domaindiscreet.com

Registrar Name....: REGISTER.COM, INC.
Registrar Whois...: whois.register.com
Registrar Homepage: www .register.com

Domain Name: search-pnd.com

Created on..............: Sat, Apr 14, 2007
Expires on..............: Mon, Apr 14, 2008
Record last updated on..: Tue, Jun 05, 2007

Administrative Contact:
Domain Discreet
ATTN: search-pnd.com
P.O. Box 278
Yarmouth, NS B5A 4B2
CA
Phone: 1-902-7495331
Email: 225840500a1e67290137172f8cca830c @ domaindiscreet.com

Technical Contact:
Domain Discreet
ATTN: search-pnd.com
P.O. Box 278
Yarmouth, NS B5A 4B2
CA
Phone: 1-902-7495331
Email: 225840510a1e672901e0b956203a412d @ domaindiscreet.com

DNS Servers:

ns1.search-pnd.com
ns2.search-pnd.com


So again:
What legit job offer would be promoted via spam, sent through a compromised machine and would be hosted on a b0tnet to circumvent termination of the hosting account? Can't think of any...

Olliver
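As an added illustration (not part of the thread), a small Python heuristic that applies Olliver's reading of the dig output: several A records scattered over unrelated networks under a short TTL is what botnet-hosted fast-flux looks like. The records are the ones quoted above; the single-host zone is constructed for contrast, and the thresholds are assumptions, not measured constants.

```python
"""Score a dig answer section for fast-flux hosting: many A records spread
over unrelated networks under a short TTL is how a botnet-hosted site
looks, because the "web server" is whichever zombies are up right now."""
import ipaddress
from collections import namedtuple

Record = namedtuple("Record", "name ttl rtype data")

# Sample input: the answer section quoted in the post above.
DIG_OUTPUT = """\
sydneycar.hk. 1800 IN A 69.154.34.208
sydneycar.hk. 1800 IN A 82.60.116.6
sydneycar.hk. 1800 IN A 85.178.62.218
sydneycar.hk. 1800 IN A 221.151.155.44
sydneycar.hk. 1800 IN A 24.137.71.198
sydneycar.hk. 1800 IN NS ns1.search-pnd.com.
sydneycar.hk. 1800 IN NS ns2.search-pnd.com.
;; Received 192 bytes from 66.196.43.228#53(NS1.SEARCH-PND.COM) in 180 ms
"""

# Constructed contrast case: an ordinary single-host zone with a day-long TTL.
SINGLE_HOST = """\
example.test. 86400 IN A 198.51.100.7
example.test. 86400 IN NS ns1.example.test.
"""

def parse_dig(text):
    """Turn zone-file style answer lines into Records; skip ;; comment lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0].startswith(";") or parts[2] != "IN":
            continue
        records.append(Record(parts[0].rstrip("."), int(parts[1]),
                              parts[3], parts[4]))
    return records

def flux_indicators(records, ttl_max=3600, min_networks=3):
    """Heuristic only: ttl_max and min_networks are assumed thresholds.

    A CDN also returns several A records, but they sit in its own address
    blocks; hosts scattered over many unrelated /16s is the tell here."""
    a_records = [r for r in records if r.rtype == "A"]
    networks = {ipaddress.ip_network(f"{r.data}/16", strict=False)
                for r in a_records}
    min_ttl = min((r.ttl for r in a_records), default=None)
    suspect = (len(networks) >= min_networks
               and min_ttl is not None and min_ttl <= ttl_max)
    return {"a_records": len(a_records),
            "distinct_slash16": len(networks),
            "min_ttl": min_ttl,
            "fast_flux_suspect": suspect}

if __name__ == "__main__":
    print(flux_indicators(parse_dig(DIG_OUTPUT)))
    print(flux_indicators(parse_dig(SINGLE_HOST)))
```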
camelride (Newbie)
Posted: Fri Jun 22, 2007 10:48 pm    Post subject: New Spam

OK, I get sydney car centre emails constantly. Also, received AEGIS, and LUX. Tonight I received a new one. Perhaps from the same people. LEADER COMPANY
Oleg Ezhov, wanting Wholesale Delivery Manager for global furniture company. Open since 2004. Same ruse just different company?

I am not internet savvy. Can you check this out?

leader.llc@gmail.com
olliver (Expert Developer)
Posted: Sat Jun 23, 2007 3:38 am    Post subject: Re: New Spam

camelride wrote:
Tonight I received a new one. Perhaps from the same people. LEADER COMPANY
Oleg Ezhov, wanting Wholesale Delivery Manager for global furniture company. Open since 2004. Same ruse just different company?


There are several money laundering operations that make use of botnets. Sydney Car Centre probably originates from Nigerian 419er scam criminals, while yours sounds like a Russian operation.

Quote:
I am not internet savvy. Can you check this out?

leader.llc@gmail.com

I can look into this, but I suggest opening up a separate thread for it. The email may already provide a pointer for searching the NANAS archive.

Olliver
mike-sp (Newbie)
Posted: Wed Jun 27, 2007 6:34 am

HERE'S JOHNNY. Suddenly seems to have got quite active. I got this three times today: BTW - if you look at SCC's home page www. sydneycarcentre.tw you will see half way through the text it refers to "Startford" car centre and the photo shows a sign saying Startford, not Sidney...


While we may have high expectations of our associates, we also give them high rewards. Imagine being part of a stable organization with a sterling reputation - a place where the Sydney Car Centre is an integral part of all that we do. With our car centre personality, you'll not just succeed - you'll thrive. And, with our strong commitment to promoting from within, you'll definitely enjoy your rise to the top.

Today the Sydney Car Centre is looking for an industrious regional assistant to fasten the process of the delivery of customer payments to the suppliers. The position offered is a part-time job, and will only require from you to be available for 1-2 hours a day.

As a regional assistant, you will be supposed to operate with the payments from those customers, based in your country. You will be expected to accept 2-3 transactions to your bank account every week, make certain calculations about every transaction (you will be precisely instructed about it), & transfer the funds to the suppliers by means of western Union/Money Gram less your fee & the charges of the Western Union/Money Gram. You will be continuously communicating with the manager from the head office, who will instruct you & give advice regarding every new payment.

The ideal candidate will be industrious, goal-oriented person, with the availability of a personal/business bank account suitable to be used for the company needs. Knowledge of English, computer literacy and sociability are appreciated.

The company guarantees to pay NET 10% fee out of the amount of every payment you dealt with and to provide you with the regular income & flexible schedule. All the related expenses you might have (like the Western Union/Money Gram chargers, related expenses on traveling) are covered by the company.

The more detailed information is available on our web-site http://vacancy-455727739.sydneycar.hk/vacancies.php, where you can fill in the on-line application form for this position.
We would be glad to welcome you in our team!
We are looking forward to hearing from you as soon as possible!
Yours sincerely, Jim Lancaster


__________ NOD32 Information 2358 (20070627) __________

This message has been checked by the NOD32 Antivirus system.
http://www.eset.com

Links disabled by admin
olliver (Expert Developer)
Posted: Wed Jun 27, 2007 12:17 pm

mike-sp wrote:
HERE'S JOHNNY. Suddenly seems to have got quite active. I got this three times today:


I'm surprised they still have a go at it, though the scam has already attracted enough attention in Usenet and forums.

Quote:
BTW - if you look at SCC's home page www. sydneycarcentre.tw you will see half way through the text it refers to "Startford" car centre and the photo shows a sign saying Startford, not Sidney...


Yes I know. There's a simple explanation for it: the original site www.stratfordcarcentre.co.uk has this "Startford" typo at exactly the same line in the text. The scammers had searched/replaced all instances of Stratford with Sydney and - due to the nature of string comparisons - missed out on "Startford". That's how the original site could be identified.

Olliver
All times are GMT - 8 Hours