More scams, this time from Europe!

[Colonel Panic]

OK in the Nigerian Scammers thread I posted about a job offer I came across on a major internet employment service website:

I've been doing a bit of freelance web development work lately, so I often check on the major employment-related websites looking for new opportunities. It was on one of these sites yesterday that I came across a posting that claims I need no prior experience for a suspiciously lucrative position called "Transfer agent."

What's worse, when I visited their webpage, I saw: http://www.hc-invests.com

Obviously a scam. I fired off a quick email expressing my avid interest in the position:

Dear Hiring Manager,

I am responding to your Help Wanted ad, dated June 19, 2006:

    Job Type: Full-time and Part-time
    Salary: 50/hour
    Transfer Agent
    posted 06/19/2006

    An international financial institution is looking for a Transfer Agent.
    Your main role: Processing deal instructions.
    Set up new accounts.
    Maintenance of shareholder accounts.
    Query handling.
    Intermediary
    commissions and trailer fees.
    Job Requirements:
    Your profile: A first experience in the financial services sector. Initiative taker.
    Send your CV to thorst@hc-invests.com

Attached is my resume, in both Microsoft Word and Adobe Acrobat formats.

I would like some more detailed information about this position. I tried to visit your webpage,  but it appears to have been disabled.

I am looking forward to hearing from you.

Sincerely,

******** ********

This morning I received this reply, from a different  email address (thorst@lvfinance.info) than the one I'd sent my original email to:

Dear ******** ********,

Thanks for your interest to our company.

The new recruitment program has been started recently and we are in need of regional Transfer Agents whoes work consist of distributing funds received from our customers. You are not required to have any extra knowledge or to be experienced in this business. This job can endow additional income to you and your family as it will not require more then few hours a day.

LV Finance Ltd. is an International Limited Latvian financial company. After 8 years of presence in the world stock market the Company has become one of the leading investment programs developers. We offer top-tier service level, whilst the number of services in the field of investments and investment management is ever
growing. No matter how big our customers are, they can benefit from our full attention and consistent operating performance in any corner of the globe. Partnership with the biggest world corporations has enabled us to respond effectively to the customers' needs even more since we joined our forces. According to the leading financial periodicals and rigorous professionals we are among the top financial institutions, which managed to steal a match on the competition.

*WHAT YOU NEED TO DO FOR US?*
The international money transfer tax for legal entities (companies) in Latvia is 25%, whereas for the individual it is only 7%. There is no sense for us to work this way, while tax for international money transfer made by a private individual is 7% . That's why we need you. We need agents to receive payments (bank transfers).
This way we will save money because of tax decreasing.

Agent's work consists in receiving payments from our customers and making further payments to our main office or to one of our regional affiliate departments.
Being a part- time job, it should not take more than 2-4 hours per day. We pay weekly. Your starting salary will be 1000 USD each week. All money transfer charges and fees are covered by our company. So you will be responsible just for making proper payments in time. Each transaction will be made only after prior notification by phone call or e-mail.

We hope to hear back from you.

NOTE: PLEASE ALL REPLIES MUST BE MADE TO THE FOLLOWING EMAIL ADDRESS: thorst@lvfinance.info



Respectfully,
Thomas Horst
Senior Manager,
LV Finance Ltd.

This bears a close resemblance to the scam posted in the Nigerian scammers thread, doesn't it? Receiving payment checks from clients, then forwarding it on to their company in an effort to evade taxation?

Well, I decided to find out where these assholes are operating from. So first I checked the header of the reply email I received from "thorst" (I blocked out all references to myself and my email address ):

X-********-Received: 0fe38d99d1c479c0b01bbd012fcbf142892383f4
Delivered-To: ********@********.***
Received: by 10.70.54.4 with SMTP id c4cs70759wxa;
        Fri, 23 Jun 2006 10:32:44 -0700 (PDT)
Received: by 10.67.29.12 with SMTP id g12mr2464668ugj;
        Fri, 23 Jun 2006 10:32:44 -0700 (PDT)
Return-Path: <thorst@lvfinance.info>
Received: from aibo.runbox.com (aibo.runbox.com [193.71.199.94])
        by mx.********.*** with ESMTP id j1si623902ugf.2006.06.23.10.32.43;
        Fri, 23 Jun 2006 10:32:44 -0700 (PDT)
Received-SPF: neutral (********.***: 193.71.199.94 is neither permitted nor denied by best guess record for domain of thorst@lvfinance.info)
Received: from [10.9.9.130] (helo=fenris.runbox.com)
   by greyhound.runbox.com with esmtp (Exim 4.34)
   id 1FtpWN-0004uH-S7
   for ********@********.***; Fri, 23 Jun 2006 19:32:43 +0200
Received: from mail by fenris.runbox.com with local  (Exim 4.50)
   id 1FtpWN-0001bV-Qn
   for ********@********.***; Fri, 23 Jun 2006 19:32:43 +0200
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Received: from [213.239.210.120] by www.runbox.com with http (uid:592440)
 (RMM 4.0); for <********@********.***>; Fri, 23 Jun 2006 17:32:43 GMT
From: <thorst@lvfinance.info>
To: ********@********.***
Subject: Transfer Agent Position
Date: Fri, 23 Jun 2006 13:32:43 -0400 (EDT)
X-Sender: 592440
X-Mailer: RMM
Message-Id: <E1FtpWN-0001bV-Qn@fenris.runbox.com>

Though his return email address is shown as "thorst@lvfinance.info" the message originated from a host called "aibo" at runbox.com with the IP address 193.71.199.94.

Now I want to find out some more info on just who these guys are, so I did a little bit of digging on teh Interweb.

I went to DomainTools.com and whois'd the domain lvfinance.info.

The whois report looked something like this:

Website Title:      lvfinance.com
Record Type:    Domain Name
Meta Description:    lvfinance.com
Meta Keywords:    Finance, Trade, Broker, Investment

Server Data:
Server Type:    Apache/2.0.52 (CentOS)
(Spry.com also uses Apache)
IP Address:    69.25.142.3 [Whois] [Ping] [DNS Lookup] [Traceroute]
IP Location:    United States - Washington - Bellevue - Enom
Response Code:    200
Blacklist Status:    Currently Listed (history)
SSL Cert:    No valid SSL on this Host
Website Status:    Active
Reverse IP:    317,295 other sites hosted on this server

Registry Data:
Whois Server:    whois.afilias.net
Whois RecordDomain ID:D13675472-LRMS
Domain Name:LVFINANCE.INFO
Created On:04-Jun-2006 18:51:59 UTC
Last Updated On:04-Jun-2006 19:46:47 UTC
Expiration Date:04-Jun-2007 18:51:59 UTC
Sponsoring Registrar:eNom, Inc. (R126-LRMS)
Status:TRANSFER PROHIBITED

Registrant ID:49FA9A85304500A5
Registrant Name:WhoisGuard Protected
Registrant Organization:WhoisGuard
Registrant Street1:---- S. Sepulveda Blvd
Registrant Street2:---- S. Sepulveda Blvd
Registrant Street3:
Registrant City:Westchester
Registrant State/Province:CA
Registrant Postal Code:90045
Registrant Country:US
Registrant Phone:+1.66131021--
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:Whois Privacy and Spam Prevention by Whois Source

Admin ID:49FA9A85304500A5
Admin Name:WhoisGuard Protected
Admin Organization:WhoisGuard
Admin Street1:---- S. Sepulveda Blvd
Admin Street2:---- S. Sepulveda Blvd
Admin Street3:
Admin City:Westchester
Admin State/Province:CA
Admin Postal Code:90045
Admin Country:US
Admin Phone:+1.66131021--
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:Whois Privacy and Spam Prevention by Whois Source

Billing ID:49FA9A85304500A5
Billing Name:WhoisGuard Protected
Billing Organization:WhoisGuard
Billing Street1:---- S. Sepulveda Blvd
Billing Street2:---- S. Sepulveda Blvd
Billing Street3:
Billing City:Westchester
Billing State/Province:CA
Billing Postal Code:90045
Billing Country:US
Billing Phone:+1.66131021--
Billing Phone Ext.:
Billing FAX:
Billing FAX Ext.:
Billing Email:Whois Privacy and Spam Prevention by Whois Source

Tech ID:49FA9A85304500A5
Tech Name:WhoisGuard Protected
Tech Organization:WhoisGuard
Tech Street1:---- S. Sepulveda Blvd
Tech Street2:---- S. Sepulveda Blvd
Tech Street3:
Tech City:Westchester
Tech State/Province:CA
Tech Postal Code:90045
Tech Country:US
Tech Phone:+1.66131021--
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:Whois Privacy and Spam Prevention by Whois Source

Name Server:DNS1.NAME-SERVICES.COM
Name Server:DNS2.NAME-SERVICES.COM
Name Server:DNS3.NAME-SERVICES.COM
Name Server:DNS4.NAME-SERVICES.COM
Name Server:DNS5.NAME-SERVICES.COM

Yeah, I dashed out all the phone numbers and street address numbers to avoid breaking forum rules, but you can easily use DomainTools.com to find them yourself.

BTW, the phone numbers and street addresses for all the contacts were the same.

So this domain is registered to a California address and phone number.

A whois of  hc-invests.com, (the domain of the email address posted on the job board, the one with the cancelled webpage) reveals:

Page Information:
Website Title:    
Record Type:    Domain Name

Server Data:
Server Type:      Microsoft-IIS/5.0
IP Address:    217.70.178.17 [Whois] [Ping] [DNS Lookup] [Traceroute]
IP Location:    France - Gandi-net
Response Code:    200
Blacklist Status:    Clear (history)
SSL Cert:    No valid SSL on this Host
Website Status:    DNS Hosted
Visit Website:    hc-invests.com
Reverse IP:    149,562 other sites hosted on this server

Registry Data:
ICANN Registrar:    GANDI
Created:    30-Jan-2006
Expires:    30-Jan-2007
Registrar Status:    REGISTRAR-LOCK
Whois Server:    whois.gandi.net
Name Server:    FULL2.GANDI.NET

Whois Record:
domain:           HC-INVESTS.COM
owner-name:      Home Collect,Inc
owner-address:      --- Rietumi street
owner-address:      34467
owner-address:      Riga
owner-address:      Latvia

admin-c:      KH373-GANDI
tech-c:           AR41-GANDI
bill-c:           KH373-GANDI

nserver:      full1.gandi.net 217.70.177.42
nserver:      full2.gandi.net 217.70.179.34

reg_created:      2006-01-31 09:18:19
expires:      2007-01-31 09:18:19
created:      2006-01-31 10:18:20
changed:      2006-05-18 15:36:29

web_redirection:      http://www.investments.tictacwebsites.com

person:           Keri Hoy
nic-hdl:      KH373-GANDI
address:      Home Collect,Inc
address:      --- Rietumi street
address:      34467
address:      Riga
address:      Latvia
phone:           +371.4945669278--
fax:           +371.4945669278--
e-mail:           Whois Privacy and Spam Prevention by Whois Source
lastupdated:      2006-06-01 03:52:00

person:           GANDI Auto Register 4.1
nic-hdl:      AR41-GANDI
address:      GANDI
address:      15 place de la Nation
address:      F-75011
address:      Paris
address:      France
phone:           N/A
e-mail:           Whois Privacy and Spam Prevention by Whois Source
lastupdated:      2006-06-01 03:47:12

The domain hc-invests.com is registered to names and addresses in Riga, Latvia and Paris, France.

This internet domain is set up to redirect to that crappy fake website: http://www.investments.tictacwebsites.com. I got a whois report of tictacwebsites.com and it's just a cheap webhost based in Vancouver, BC Canada.

I also got a whois on runbox.com (the domain name of the real network that the reply email was sent from) and it was another cheap webhosting company based in Oslo, Norway.

So now we have names, addresses and phone numbers for these bozos. They may or may not be Nigerian, but it's obviously some sort of scam.

So that's how easy it is to find contact info (and a limited degree of technical info) for any domain on the internet. There are other ways of finding more in-depth technical info about their servers, but I won't deal with that now.

[Colonel Panic]

I hope that wasn't too difficult to follow.

I was thinking, maybe it should be put into the Phreaking, Hacking and Social Engineering section, instead of General Discussion?

[warken]

Same Speech to me as well but i kinda got him to spill some crap

Session Start (jdwills85:lynngent10): Sun Jun 25 00:54:29 2006
[00:54] lynngent10: Hello,Am Lynn,am from England and am looking for a representative in the states who will be working for us as a partime worker and we are willing to pay 300 dollas for every transaction,which wouldnt affect ur present state of work,if u are interested  pls am online u can chat with me.
[00:55] jdwills85: hi
[00:55] lynngent10: We are looking for a representatives who is based in United States, Someone who his Faithful and Honest  who will be helping us recieving payments from our customers based in the states. We are willing to pay $400 or 10%  per everypayment you recieve from our clients on our behalf and you  can still keep ur regular job while you work as it wouldn't affect your present state of job.   
[00:56] jdwills85: is this Legal? im a Police officer.
[00:56] lynngent10: Yes ...This is ligit biz
[00:56] lynngent10: Okay
[00:56] lynngent10: first off all i will like to know ur asl and what u do for a living 
[00:57] jdwills85: 21/m/ Florida / Police officer.
[00:57] lynngent10: Good
[00:58] lynngent10: Are you intrested in the part time job offer
[00:58] jdwills85: what will i need to supply.
[00:58] jdwills85: and why cant you use a service like Paypal.
[00:58] jdwills85: or a broker Service.
[00:59] jdwills85: and what do you receive payments for?
[00:59] lynngent10: The only way ...our cleint pay us is via casher's check or money order
[01:02] jdwills85: or should i be asking that question?
[01:02] lynngent10: This rural based Company and it's directors are involved in a number of activities, from I.T. to engineering to agriculture to Lifestyle (Luggage and Clothing) and Tourism. The challenges are:  working with small companies and individuals in the 'rural areas' of Northumberland and Cumbria - offering marketing assistance, management advice and support or, linkage with other UK or International companies, finance and sometimes ...... a life-line!   
[01:02] lynngent10: Sure
[01:03] jdwills85: do you guys work out of a call center?
[01:04] jdwills85: do you work for HC Investments?
[01:05] lynngent10: This company has produced award winning Luggage and Sporting Bags at it's factory in Cumbria for very many years using British materials and still produces their classical range in rugged cotton canvas and leather.   
[01:05] jdwills85: so you need me to receive payment checks from clients then forward it to your company to avoid Taxation correct?
[01:06] lynngent10: Nope
[01:06] lynngent10: cause the cost of coming to the state and getting payments is very expensive, we can spend up 1,300 dollas only in buying tickets,so we need a representative in the united state who willbe handling that aspect,
[01:07] lynngent10: Okay
[01:07] jdwills85: whats the lugage company name?
[01:07] lynngent10: I want you to be rest assured that this transaction wouldn't cost you any amount and no tax involved in  it.All you have to do is just to receive payments which will be sent to you through Fedex or UPS courier services from our clients and this doesn't entails any money from you for everything will be arranged by  our clients
[01:07] lynngent10: Okay
[01:08] jdwills85: your out of California right?
[01:08] lynngent10: Yes
[01:08] jdwills85: "thought you were from the uk" ?
[01:09] jdwills85:
[01:09] lynngent10: Yes
[01:10] lynngent10: If you are interested i would send you an employment letter which you are to sign and send back to me as soon as possibleand i would need you to give me your  full name ,home address e-mail address and your phone number for me to get in contact withyou.
[01:10] jdwills85: how many other people are operating for your company in the states?
[01:11] lynngent10: Just one but he out of the state now
[01:11] jdwills85: then theres other companies that are doing the same thing?
[01:12] jdwills85: your out in cali on S. Sepulveda Blvd
[01:12] jdwills85: or :Westchester
[01:12] lynngent10: i can't understand what you mean./
[01:12] lynngent10: ?
[01:13] jdwills85: just saying your business is all over the internet.
[01:13] jdwills85: (Link: http://www.phonelosers.org/community/index.php?topic=148.msg1527;topicseen)http://www.phonelosers.org/community/index.php?topic=148.msg1527;topicseen
[01:14] jdwills85: so im kinda hestiant to go further.
[01:14] jdwills85: this sounds kinda like Laundering of Funds
[01:15] lynngent10: Oh what ?
[01:15] lynngent10: Come again
[01:15] jdwills85: I said this sounds kinda like Laundering of Funds
[01:16] jdwills85: but its not is it.
[01:18] jdwills85: well I got to go on Duty now hope you dont get shut down or anything else bad comes out of this for you.
[01:18] jdwills85: I would hate for you to get Computer Crimes charged against you.
[01:19] jdwills85: Communication Fraud is a B***& to take down.

[Colonel Panic]

Heh yeah I bet it's a pretty standard scam that they're operating, since there seem to be a multipicity of companies recruiting random people on the internet using very similar pitches.

Seemingly different groups with nearly identical operations targeting marks using job boards as well as email spaming... I'd like to find out exactly what they're up to.