Spyware Warrior

olliver

Social engineering is an essential part for scam artists to get people to do things they'd normally avoid. Spamvertised job offers, well as the distribution method implies, are seldom of a kosher nature. Nevertheless, there are despeate people looking for a job who'd fall for this. Greed may be another factor (sometimes amusing how the prospects of green papers can turn smart people into idiots, but that's a different subject).

My spamtrap got hold of this fine example of "job opportunity":

Subject line: Invitation to fill in the vacant position of an account manager in our company [letter id: JS2909676J]

Hmm, reminds me of trouble tickets when reporting spam to ISPs Wink

Except that I've never requested to receive such offers.

Body:

olliver · Posted: Tue Jun 12, 2007 1:37 pm Post subject:

Our "Sydney Car Centre" has moved to a different location:

evidence in NANAS:

the new url is at vacancy-7783802.sycarcentre.io/vacancies.php. Tamara Foreman has been replaced with Margaret Larsen, but the "offer" remains the same...

Olliver

suzi · Posted: Tue Jun 12, 2007 4:39 pm Post subject:

That's the first time I've seen a .io domain. I had to look it up.

IO - British Indian Ocean Territory

I don't see it here:

http://www.uwhois.com/domains.html

Domaintools returns some info:

http://whois.domaintools.com/sycarcentre.io

Address: 216.117.170.115
IP Location - North Carolina - Fayetteville - Advanced Internet Technologies Inc

But no whois information.

Found this:

http://www.nic.io/

When I put the domain in the whois search box, it returns this:

Domain Search

Domain Unavailable - SYCARCENTRE.IO

The application has been received. Now awaiting payment authorization.

Confused

Other domains on the IP, may or may not be related:

Search Results for 216.117.170.115 [reverse DNS - nameservices.net]
10 Results for 216.117.170.115 (Sycarcentre.io)

Website
1. Cti-investwebt.com
2. Jenny01.com
3. Jimmywalter.net
4. Realgerman.org
5. Realjapanese.org
6. Shop1000yen.com
7. Stormhold.com
8. Takehiro-net.com
9. Xn--y8ja2l3bb3c.com
10. Tghanaro.com
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn. Smile

olliver · Posted: Wed Jun 13, 2007 3:07 am Post subject:

thanks for that info.
Advanced Internet Technologies Inc has a less than stellar reputation:
http://www.google.com/search?q=aitcom.net+spam
http://groups.google.com/group/news.admin.net-abuse.email/search?q=aitcom.net&start=0&scoring=d&

They also happily register domains that are used for fastflux botnet hosting:
http://groups.google.com/group/news.admin.net-abuse.email/search?q=aitdomains&start=0&scoring=d&

Olliver

suzi · Posted: Wed Jun 13, 2007 7:51 am Post subject:

Interesting.
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn. Smile

olliver · Posted: Thu Jun 14, 2007 10:27 am Post subject:

Another Car Centre update:

olliver · Posted: Mon Jun 18, 2007 3:14 am Post subject:

Sydney Car Centre is back again....
Just found a fresh turdlet in my spamtrap, this time sent from a compromised machine in Poland.

Headers:

camelride · Posted: Fri Jun 22, 2007 10:48 pm Post subject: New Spam

Ok, I get sydney car centre emails constantly. Also, received AEGIS, and LUX. Tonight I received a new one. Perhaps from the same people. LEADER COMPANY
Oleg Ezhov, wanting Wholesale Delivery Manager for global furniture company. Open since 2004. Same ruse just different company?

I am not internet savvy. Can you check this out?

leader.llc@gmail.com

olliver · Posted: Sat Jun 23, 2007 3:38 am Post subject: Re: New Spam

mike-sp · Posted: Wed Jun 27, 2007 6:34 am Post subject:

HERE'S JOHNNY. Suddenly seems to have got quite active. I got this three times today: BTW - if you look at SCC's home page www. sydneycarcentre.tw you will see half way through the text it refers to "Startford" car centre and the photo shows a sign saying Startford, not Sidney...

While we may have high expectations of our associates, we also give them high rewards. Imagine being part of a stable organization with a sterling reputation - a place where the Sydney Car Centre is an integral part of all that we do. With our car centre personality, you'll not just succeed - you'll thrive. And, with our strong commitment to promoting from within, you'll definitely enjoy your rise to the top.

Today the Sydney Car Centre is looking for an industrious regional assistant to fasten the process of the delivery of customer payments to the suppliers. The position offered is a part-time job, and will only require from you to be available for 1-2 hours a day.

As a regional assistant, you will be supposed to operate with the payments from those customers, based in your country. You will be expected to accept 2-3 transactions to your bank account every week, make certain calculations about every transaction (you will be precisely instructed about it), & transfer the funds to the suppliers by means of western Union/Money Gram less your fee & the charges of the Western Union/Money Gram. You will be continuously communicating with the manager from the head office, who will instruct you & give advice regarding every new payment.

The ideal candidate will be industrious, goal-oriented person, with the availability of a personal/business bank account suitable to be used for the company needs. Knowledge of English, computer literacy and sociability are appreciated.

The company guarantees to pay NET 10% fee out of the amount of every payment you dealt with and to provide you with the regular income & flexible schedule. All the related expenses you might have (like the Western Union/Money Gram chargers, related expenses on traveling) are covered by the company.

The more detailed information is available on our web-site http://vacancy-455727739.sydneycar.hk/vacancies.php, where you can fill in the on-line application form for this position.
We would be glad to welcome you in our team!
We are looking forward to hearing from you as soon as possible!
Yours sincerely, Jim Lancaster
source: 0x01, 0x5, 0x39562097, 0x5, 0x70, 0x47091480, 0x427, 0x3 FJS. EVNX: 0x8, 0x71 media: 0x12, 0x49574286, 0x57, 0x9, 0x940, 0x80, 0x659, 0x228, 0x58030791, 0x674, 0x758 0x95, 0x605, 0x3, 0x57438286, 0x0552, 0x12100646, 0x28670195 0x77, 0x4, 0x763, 0x7, 0x62193458, 0x427 FKGN: 0x73633410, 0x596, 0x482, 0x1 0x17948239, 0x350, 0x251, 0x20180297, 0x9, 0x2, 0x7356, 0x48542534, 0x735, 0x8, 0x068 0x5, 0x5495, 0x976, 0x6, 0x810, 0x1, 0x70, 0x1, 0x0302, 0x01831613, 0x1
common: 0x260 0x92, 0x5, 0x1690, 0x933, 0x89350720, 0x5 0x89, 0x2069, 0x44, 0x01399789, 0x8, 0x47, 0x5, 0x88115183, 0x2, 0x61966956, 0x04, 0x4, 0x345, 0x9, 0x0654 cvs, E7A, OAK, function, CMTD, update. 0x514, 0x85688453, 0x6, 0x99900741, 0x23, 0x3, 0x55, 0x1, 0x9, 0x8, 0x7999, 0x853, 0x3946, 0x88, 0x8923 0x2, 0x9504, 0x87, 0x28, 0x76243655 9WE, file, type, DLH, dec, A7UR, engine, engine, FY1. CX6X: 0x0984, 0x7, 0x4, 0x151, 0x64136256, 0x6 0x47945269, 0x80430320, 0x0129, 0x929, 0x32, 0x42589803, 0x3535, 0x1207, 0x5104, 0x1050, 0x11, 0x80, 0x8769, 0x5325 0x920, 0x455, 0x4684, 0x2947, 0x38, 0x9070, 0x132, 0x8, 0x7317, 0x3, 0x55, 0x022, 0x9071, 0x98950245, 0x2
start: 0x49463245, 0x85843275, 0x8 0x24165257, 0x446 0x89, 0x968, 0x378, 0x6, 0x39896262, 0x37, 0x6, 0x13095960, 0x841, 0x09617111, 0x609, 0x0656, 0x00391051, 0x898 0x7774, 0x4276, 0x45, 0x2342, 0x33024482, 0x987, 0x420, 0x4690, 0x65719665, 0x52672599, 0x47 type, exe, 705, 5RS, A2KC, exe.0x8577, 0x3805, 0x3454 0x8570, 0x13, 0x26403741 0x719, 0x5 ITSK dec X51 8OW 9YAO type start root. 0x10, 0x562, 0x33683330, 0x99, 0x72673245, 0x410, 0x100, 0x7, 0x96781310, 0x5499, 0x4476, 0x1, 0x865

__________ Èíôîðìàöèÿ NOD32 2358 (20070627) __________

Ýòî ñîîáùåíèå ïðîâåðåíî Àíòèâèðóñíîé ñèñòåìîé NOD32.
http://www.eset.com

Links disabled by admin

olliver · Posted: Wed Jun 27, 2007 12:17 pm Post subject: