Friday, August 31, 2007

Storm worm enters blogs

The BBC had a report that the Storm worm is now invading blogs. Messages are posted to blogs that link to web sites that try to inject the worm into your computer. Subject lines for these messages are for example:


are you kidding me? lol
Dude dont send that stuff to my home email...
Dude your gonna get caught, lol
HAHAHAHAHAHA, man your insane!
I cant belive you did this
LMAO, your crazy man
LOL, dude what are you doing
man, who filmed this thing?
oh man your nutz
OMG, what are you thinking


A search for, say, "HAHAHAHAHAHA, man your insane!" turns up many Google Blogspot sites. Be extremely careful with such sites. Some of them are just full of Storm Worm spam messages.
However, some of the Google sites have now been blocked, most likely by Google or the blog owners, and only registered users can log in.

In any case, this does not bode well at all. This hacker group now has a system of probably over 1 million infected computers under their control, and I am sure in a short time there will be attempts to flood other popular sites.

Tuesday, August 28, 2007

Insights into 419 advance fee frauds

Here is a Web site, scambusters419.co.uk, that will give you plenty of insights into the workings of 419 advance fee fraudsters. If you have some spare time, read how the owner plays and fools with the scammers.

Another Web site with some hilarious pictures of scammers is at 419eater.com. Have a look at this site.

These sites are operated by "scambaiters". They respond to SPAM emails of the advance fee fraud (419) type and make fools of the scammers.
See for example this exchange between a scammer and a baiter, where the scammer claims to be Samuel Eze from a bible ministry. I don't want to give away the punch line, but the pictures the guy sends are hilarious.

Enjoy both sites!

Friday, August 24, 2007

More info on HYIPs and scams

Catty Shaq has more information and discussions of HYIPs and other online money-making scams. It also has information on the e-Gold court case.

Thursday, August 23, 2007

HYIPs are essentially scams.

Here is a nice explanation of how the HYIP (High Yield Investment Programs) scams (i.e. Colonyinvest, Wollenberg, SNGInvest, etc.) operate, see WorldLawdirect. It is similar to what you can find on HYIP in Wikipedia.
A simple fact is: "Warren Buffett, one of the world's most successful investors, made around 30% per year during his most successful period." So, any claims of higher profits by HYIPs cannot be real.

Also very interesting is the fact that e-gold, which is used by many HYIP programs as a way to transfer the funds, is itself indicted on charges of money laundering, conspiracy, and operating an unlicensed money transmitting business; see the WLD forum thread on e-gold.

Wednesday, August 22, 2007

postcard/e-card and "Membership" SPAM emails are STORM WORM

The Register reported yesterday that the new series of SPAM emails - the recent "Welcome/Membership" emails - that try to lure you into clicking on a link are attempts to infect your computer with malicious software. They are new permutations of the previous ecard/postcard SPAM emails. If the reader goes to the web site, he is told that an applet (little program) needs to be installed for secure login. This program is called "applet.exe", runs on Windows machines (not Mac OS X or Linux), and creates a backdoor on the computer that allows hackers to take over the machine. This piece of malware or Trojan is known as "Storm", "Zhelatin" or W32/Newar. It changes and adapts rapidly, in fact so fast that many antivirus software packages do not recognize it initially. This is an extremely dangerous Trojan going around. Between January and May 2007, 2817 infected hosts were detected, but this has skyrocketed to 1.7 million infected machines now. F-Secure has a list of Sender and Subject lines that the recent SPAMs use.

Tuesday, August 21, 2007

New phishing or virus attack by email SPAM

New variations of the postcard / e-card spam emails are showing up that try to lure you into clicking on a provided link. This time the spam emails pretend to be a confirmation for a membership registration, or something along those lines, and they try to trick you into clicking on the link. Most likely the given web site will inject a virus into your computer system. Here are some examples:


Subject: Membership Details
From: "Web Players"
Sender: User viqlpkkvxut

New Member,

Are you ready to have fun at Web Players.

Account Number: 828285335
Temorary Login: user3090
Password ID: yg141

For security purposes please login and change the temporary Login ID and Password.

Use this link to change your Login info: http://xxx.xxx.xxx.xx

Thank You,
Confirmation Dept.
Web Players


Subject: Member Confirm
From: "Free Ringtones"
Sender: User twcenwfunwi

Dear Member,

Thank You for Joining Free Ringtones.

Membership Number: 28189574868359
Temorary Login: user4810
Your Password ID: qu845

Please keep your account secure by logging in and changing your login info.

Follow this Link: http://xxx.xxx.xxx.xxx
Enjoy,
Confirmation Dept.
Free Ringtones


Subject: Registration Confirmation
From: "Office Antics"
Sender: User neojqgl

New Member,

We are glad you joined Office Antics.

Membership Number: 81718539734
Temp Login ID: user8300
Temorary Password: ch274

Please keep your account secure by logging in and changing your login info.

Use this link to change your Login info: http://xxx.xxx.xxx.xx
Thank You,
Membership Support Department
Office Antics


Subject: Dated Confirmation
From: "Online Hook-Up"
Sender: User wcrdzwrbl

Welcome Member,

Here is your membership info for Online Hook-Up.

Confirmation Number: 94429852
Login ID: user8191
Password ID: da684

Your temporary Login Info will expire in 24 hours. Please login and change it.

Use this link to change your Login info: http://xxx.xxx.xxx.xx
Enjoy,
Welcome Department
Online Hook-Up


Subject: Your Member Info
From: "Free Web Tools"
Sender: User fwunefx

Welcome,

Are you ready to have fun at Free Web Tools.

Account Number: 6179795186753
Your Temp. Login ID: user8774
Password ID: gl565

Please keep your account secure by logging in and changing your login info.

Click on the secure link or paste it to your browser: http://xxx.xxx.xxx.xx
Thank You,
Welcome Department
Free Web Tools

Thursday, August 16, 2007

Wollenberg International (www.wollenberginternational.com), part 2

Wollenberg International claims to be based in Panama. The address they give is:



Searching with this address, one finds that this is exactly the same address used by another fraudulent investment web site: Scandinavian Networking Group (www.snginvest.com), which has been exposed at sng-scam.info. Here is an excerpt of the Panamanian documents of SNG (taken from moneymakergroup):


As one will notice, the address is the same as for Wollenberg. So, either Wollenberg ING copied it from SNG, or they are the same operation. In either case, this looks like a scam.

The same address is used by what looks like yet another dubious investment site, siaminvestcorp.com (Siam Gain S.A.):



Siaminvestcorp has links to Hatfield Oak International, which in turn had links with SNGinvest (see sng-scam.info).

Then there is a representative of a3union.com based in this apartment:


Further, we find an application form under vmover.com listing Hatfield Oak's address in the same place:

although Hatfield seems to have another address:


Vmover.com itself is an advertisement board for such sites as AmityFunds, SNGInvest, A3Union, ExclusiveCircle, FantasticPay, FeederFund, FX Club and more.

Sewercash has previously exposed Amityfunds as also being located in the same place; see "Findings on Amityfunds".

And people involved in Amityfunds and SNGinvest are prosecuted:


If you look at the Torre Cosmos Floor plans, the apartment tower where the address is, you will find that it contains 2- and 3-bedroom apartments, and four 2-bedroom penthouses on top. Apartment A on the 13th floor is a 3-bedroom apartment.
Well, well, this little apartment in Panama is pretty crowded...

Hence, Wollenberg is lying about being in Panama, or it's part of the SNGinvest/Amityfunds circle of fraudulent companies.

Wednesday, August 15, 2007

Escrow fraud, modul-transport

I've come across two more useful web sites, scamfraudalert.com and escrow-fraud.com (see links on the side).

One example of a fraudulent escrow service is Modul Transport (modul-transport.com). They made the name very similar to that of another logistics company, www.modultransport.com. However, as their contact address they list yet another, legitimate logistics company (Pro-Logistics, a subsidiary of AIRLOG GROUP) located in Helsingborg, Sweden. In their contact section they only changed the phone numbers slightly, to some other phone number.



Further, modul-transport.com copied the CEO and employee images from the Contact section of the real company AIRLOG GROUP (http://www.airlog.se/), changed the names and put them on their web site. Here are the fake images (compare with the real ones at Airlog):

Tuesday, August 14, 2007

New variants of the postcard/e-cards

New versions of the spam emails pretending to be postcards/e-cards from friends, colleagues, etc. are spreading. Here are some examples:



Colleague(xxxx@xxxxx.org) has created Animated postcard for you at birthdaycards.com.

To see your custom Animated postcard, simply click on the following Internet address (if your mail program doesn't support this feature you will need to COPY and PASTE the address into your browser's address box):

http://xxx.xxx.xxx.xxx (IP removed)

Send a FREE greeting card from birthdaycards.com whenever you want by visiting us at:
http://birthdaycards.com/
This service is provided and hosted by birthdaycards.com.




Colleague has created a greeting ecard for you at E-Cards.Com,
the Internet's most popular greeting card service.
Your greeting card ID is: xxxxxxxxxxxxx
To see your custom greeting card, simply click on the link below:
http://xxx.xxx.xxx.xxx (IP removed)

Send greeting cards from E-Cards.Com whenever you want by visiting us at: http://E-Cards.Com/
Copyright (c) 1996-2007 E-Cards.Com All Rights Reserved




The aim of these emails is to guide you to a web site that will infect your computer with a virus.
Particularly, if you use a version of the Windows operating system, it is highly recommended that you keep your computer updated with the latest patches and with the latest anti-virus and anti-spyware software.
It is also helpful to use alternative Web browsers, such as Firefox or Opera, instead of Internet Explorer.
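The "Membership" samples in the August 21 post and the e-card samples above share a few mechanical traits: a link to a bare IP address, a `userNNNN` login with a two-letter, three-digit password, or a named card service whose "view your card" link goes to an IP instead. The following is an added example, not part of the original posts, that checks a message body for those traits; the sample messages and the 192.0.2.x addresses are constructed, and the indicator names are this example's own.

```python
import ipaddress
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)
# Fields shared by the "Membership" samples, e.g. "Temorary Login: user3090"
# and "Password ID: yg141": userNNNN plus a two-letter, three-digit password.
LOGIN_RE = re.compile(r"\blogin(?: id)?\s*:\s*user\d{4}\b", re.I)
PASSWORD_RE = re.compile(r"\bpassword(?: id)?\s*:\s*[a-z]{2}\d{3}\b", re.I)
ECARD_RE = re.compile(r"\b(?:postcard|e-?card|greeting card)s?\b", re.I)

def is_bare_ip(host):
    """True when a URL host is a literal IP address instead of a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def indicators(body):
    """Return the set of lure indicators present in one message body."""
    urls = [u.rstrip(".,;") for u in URL_RE.findall(body)]
    flags = [is_bare_ip(urlparse(u).hostname or "") for u in urls]
    hits = set()
    if any(flags):
        hits.add("bare-ip-link")
    if LOGIN_RE.search(body) and PASSWORD_RE.search(body):
        hits.add("temp-credentials-template")
    # E-card lure: names a card service by domain, but the card link is an IP.
    if ECARD_RE.search(body) and any(flags) and not all(flags):
        hits.add("ecard-ip-mismatch")
    return hits

def is_lure(body):
    """Flag only when the bare-IP link is backed by a second indicator."""
    hits = indicators(body)
    return "bare-ip-link" in hits and len(hits) >= 2

# Constructed samples modelled on the messages above; 192.0.2.0/24 is a
# documentation range standing in for the removed IP addresses.
MEMBERSHIP = ("New Member,\nTemorary Login: user1234\nPassword ID: ab123\n"
              "Use this link to change your Login info: http://192.0.2.10/\n")
ECARD = ("Colleague has created a greeting ecard for you at E-Cards.Com.\n"
         "To see your custom greeting card, click: http://192.0.2.44/\n"
         "Send greeting cards by visiting us at: http://E-Cards.Com/\n")
BENIGN = "Confirm your address at https://forum.example.org/confirm?id=42\n"

if __name__ == "__main__":
    for name, msg in (("membership", MEMBERSHIP), ("ecard", ECARD), ("benign", BENIGN)):
        print(name, sorted(indicators(msg)), is_lure(msg))
```

Requiring a second indicator next to the bare-IP link keeps ordinary mail that happens to link to an IP address from being flagged on that trait alone.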

Friday, August 10, 2007

Another fraudulent investment scheme: Wollenberg International

While looking at colonyinvest, I also came across another suspect site: www.wollenbergfunds.com. This "company" has now undergone a substantial overhaul and markets itself as Wollenberg International marketing group (ING) at www.wollenberginternational.com. In an "advertisement" on one of the quick money scheme web forums, they claim "new ceo, new staff, totally new concept":






Let's look at the whois data of the old site. Pretty much all information about www.wollenbergfunds.com seems to have been erased, but the whois data is still available:

The new whois entry for www.wollenberginternational.com is this:




As one can see, the first administrator was Krzysztof Giemza in Tarnow, Poland, who registered the web site in Australia??!
The second administrator is now an "Arnold Wollenberg". However, as you will notice, this person is also in Tarnow, Poland, and the telephone number (+48 502 683982) is the same. Arnold Wollenberg is Krzysztof Giemza! The overhauled domain is simply an attempt to hide who he really is.

Now, we can find out more about Mr Giemza. Using the phone number to search, we find that he posted an advertisement to do house sitting in London! So, the successful investment company CEO is looking for housesitting jobs?!!

He provides a client testimonial on the sitecube.com web site, the Flash software he used to develop the new wollenberginternational web site:


Also, on a web site in Poland, he listed his credentials looking for jobs:


We can see he speaks English and German, was a fitness instructor for 12 years and a martial arts instructor for 19 years, was an insurance agent for 1 year, and worked in trading/enterprise for 4 years. He worked as an English translator for 15 years. He also took some computer courses. Now he is operating an investment company supposedly based in Panama, but all contacts are in Poland? This all sounds very fishy. It is all in line with someone trying to make some fast money, not through investment, but with other people's money. Stay away!
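The pivot used in this post (two whois records tied together by one phone number) and in the "part 2" post (several sites tied together by one postal address) can be done mechanically once contact fields are normalized. The following is an added example, not part of the original post; the records, domain names, phone numbers and addresses in it are constructed placeholders, not data from the whois entries discussed here.

```python
import re
from collections import defaultdict

def norm_phone(raw):
    """Keep digits only so '+00 555 ...' and '+00.555...' compare equal."""
    return re.sub(r"\D", "", raw or "")

def norm_addr(raw):
    """Lower-case and collapse punctuation/whitespace in a postal address."""
    return re.sub(r"[^a-z0-9]+", " ", (raw or "").lower()).strip()

def cluster(records):
    """Group domains that share a normalized phone or address (union-find)."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    seen = {}  # (field, normalized value) -> first domain that used it
    for r in records:
        for key in (("phone", norm_phone(r.get("phone"))),
                    ("addr", norm_addr(r.get("address")))):
            if not key[1]:
                continue  # an empty field is not evidence of a link
            if key in seen:
                parent[find(r["domain"])] = find(seen[key])
            else:
                seen[key] = r["domain"]
    groups = defaultdict(set)
    for d in parent:
        groups[find(d)].add(d)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])

# Constructed whois-style records (placeholder domains and contact values):
# different registrant names, but overlapping phone or address fields.
RECORDS = [
    {"domain": "old-fund.example", "phone": "+00 555 010001", "address": "1 Sample St, Townsville"},
    {"domain": "new-fund.example", "phone": "+00.555010001", "address": "PO Box 9, Townsville"},
    {"domain": "other-invest.example", "phone": "", "address": "Tower X, Floor 13, Apt A"},
    {"domain": "third-invest.example", "phone": "+00 555 010099", "address": "Tower X Floor 13 Apt. A"},
    {"domain": "unrelated.example", "phone": "+00 555 010777", "address": "22 Elsewhere Rd"},
]

if __name__ == "__main__":
    for group in cluster(RECORDS):
        print(group)
```

A shared field only shows that the records overlap; as with the Panama address, the overlap can mean a copied address as well as a common operator.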

Thursday, August 9, 2007

More shady dealings of colonyinvest in Vietnam, part5

A Vietnamese newspaper tracked down the local representative of colonyinvest. See their article at
www.thanhniennews.com/features/?catid=10&newsid=30717.
How shady is it for a supposedly reputable business with investments yielding 100 percent gains per month to distribute info in a photocopy shop?! And to meet a representative of colony investment the newspaper had to go to a coffee shop. It is also very revealing that the colonyinvest representative claims that they get their money from investments in casinos, foreign exchange, and normal stock markets (high-tech/blue-chip). This clearly shows that this business cannot be legitimate, since, for example, no deals in foreign exchange currencies can yield such profits. It is very clear however, that the top colonyinvest representatives at this meeting get their money from the investment of other people. The normal “investor” is left with e-money that supposedly increases in a computer account. The real problem will start when they want to withdraw some real money… Tellingly, when the journalists wanted to borrow some e-money, the colonyinvest representatives said “no”. If Colony Invest can generate money so easily with their scheme, why can’t they lend a little e-money? Clearly, this is all about cheating people out of their real money. Stay away from this fraud!

Thursday, August 2, 2007

Several schemes taken down: Phoenixsurf.com, FrancSwiss, SwissCash

While fraudulent schemes pop up everywhere, government agencies are making progress to catch them. The more people report them, the faster they will fall.

Here is a report on Phoenixsurf.com:


SEC Charges Operators of Phoenixsurf.com Web Site With Conducting a Massive Internet Ponzi Scheme

FOR IMMEDIATE RELEASE
2007-141
Washington, D.C., July 24, 2007 - The Securities and Exchange Commission today filed securities fraud charges against the operators of an Internet-based Ponzi scheme that raised $41.9 million in just four months from more than 20,000 investors worldwide.


For the full report see www.sec.gov/news/press/2007/2007-141.htm

Or for FrancSwiss internet fraud see http://newsinfo.inquirer.net/breakingnews/infotech/view_article.php?article_id=75039

And for SwissCash or Swiss Mutual Fund Web frauds (www.swissmutualfund.biz.) see http://www.todayonline.com/articles/167644.asp . Of course, a Swiss company based in the Commonwealth of Dominica should have raised alarm bells with investors.

Also, check out the Web site of the Monetary Authority of Singapore; they maintain a list of fraudulent sites:
http://www.moneysense.gov.sg/check_our_list/Consumer_Portal_IAL.html . But because of the fast-changing nature of these fraudulent internet sites, such a list will never be complete.

Colony Invest fraud moves around, part4

Colony Invest (colonyinvest) also operates at colonyinvest.net. Their other - identical - web site, www.colonyinvest.com, is presently not responsive. No reputable company would keep their ".com" down or inactive. They could reroute to the other. Perhaps they are on the move to hide from old investors.
Also, it seems they moved their blog entry to colonythailand.blogspot.com to attract Thai people into their scam. Colonythailand is the same fraud! They also have a web site geared towards Vietnamese at http://music.easyvn.com/colonyinvest/. The contact person associated with this Web site is a Nguyen Kinh Luan. It has a nice description of their pyramid scheme:



As one can see, this is a rather overcomplicated scheme; nobody is really supposed to understand the details. All that matters is that it promises extra percentages of profit for each new member that you can recruit. No investment company would offer such a pyramid scheme. In fact, Colony Invest is both a pyramid and a Ponzi scheme. This is illegal and does not work (see for example the Wikipedia entries: http://en.wikipedia.org/wiki/Pyramid_scheme, http://en.wikipedia.org/wiki/Ponzi_scheme).

Perhaps some people will get some money, but most will lose. Do not invest!