Job scam quick guide: it's a scam if...

  • they want you to collect and forward money in any way (a "money mule" job). You'll wind up engaged in money laundering, personally defrauded via expertly forged cheques, money orders, etc, or defrauding someone else who pays for goods that never arrive.
  • they want you to receive packages and reship them somewhere else. The goods will have been obtained fraudulently, and they're just using you to make the shipping address appear local. You will be aiding fraud.
  • they want up-front payment (either to them or someone else) of any sort for anything before you can get the job. This is advance fee fraud: there is no job -- it's just a big con to extract money from you.
  • they want you to buy any kind of "membership" or "kit" in order to start. Forget it -- it's not a real job at all: they're trying to sell you something, and they're probably making a bunch of other false claims about it if they're pitching it as a "job".
  • it's a job offer, and it's spam. There are LOTS of these scams about, as you can see.

Wednesday, October 04, 2006

Israeli Brokerage Services Ltd

Summary

This month is my first sighting of this new name. The scam itself is the same in all important respects as the Norway Consulting Group scam, and I see no reason to think that this is anything but the same phishing/jobscam gang operating under a new name. The name change may be motivated by the fact that "Norway Consulting Group" was becoming too easily uncovered as a scam, and the fact that all of their ".cn" domain names for Norway Consulting were recently suspended. The job is a money mule position.

The Spam

As usual, the message is presented in a GIF image, accompanied by "filter buster" text coloured to be invisible against the background.

Representative Images

Early instance.

Instance received on 2006-10-09, which (unlike its predecessors) was not hyperlinked to the website.

Names used as signature in image

  • Tal Alkobi

Subjects encountered

Subjects are often suffixed with a timestamp.

  • A real chance to raise much money
  • Good offer for those who are looking for a part time job
  • good part time job.
  • High salary part time job.
  • interesting part time job.
  • israeli brokerage calls your attention to the wonderful post!
  • offer for those who are looking for a part time job!!
  • part time job (2-3 hours a day)!!
  • part time job for you!!
  • Part time job with immediate payments.
  • Part time job with immediate salary payments!!
  • the best offer for those who are looking for a part time job!
  • very interesting part time job.
  • We Offer Part Time Job!
  • Work With Us! Earn More.
  • Work with us - part time job
  • Work With Us!

There may be others, but these are getting too tedious to document. I'm sure you get the idea.

Sender names encountered

Capitalisation may vary.

  • ISRAELI BROKERAGE services
  • ISRAELI BROKERAGE SERVICES Ltd

Links encountered

  • http://ibltd.biz
  • http://ibltd.hk
  • http://ibltd.org
  • http://ibsl.hk
  • http://ibsl.org
  • http://isbro.net
  • http://israelibrokeragelimiredservices.com/index.php?sect_id=6&lang=en
  • http://israelibrokerageservices.cn/index.php?sect_id=6
  • http://israelibrokerageserviceslimired.biz/index.php?sect_id=6&lang=en
  • http://israelibrokerageserviceslimired.com/index.php?sect_id=6&lang=en
  • http://israelibrokerageserviceslimired.net/index.php?sect_id=6&lang=en
  • http://israelibrokerageserviceslimired.org/index.php?sect_id=6&lang=en
  • http://israelibrokservices.hk/index.php?sect_id=6
  • http://israelibrokservicesltd.hk/index.php?sect_id=6
  • http://israelilimiredbrokerageservices.com/index.php?sect_id=6&lang=en
  • http://israelilimiredbrokerageservices.net/index.php?sect_id=6&lang=en
  • http://israelilimiredbrokerageservices.org/index.php?sect_id=6&lang=en
  • http://israeliltdbrokerageservices.cn/index.php?sect_id=6
  • http://israeliservicesbrokerage.cn/index.php?sect_id=6
  • http://israeliservicesbrokerageltd.cn/index.php?sect_id=6
  • http://ltdisraelibrokerageservices.cn/index.php?sect_id=6

Website

Domain information (for experts)

Due to the very large number and constantly changing nature of domains associated with this spam, not all domains are listed here. The sample presented should be taken as indicative of the modus operandi of the spammers; little more.

ibsl.org

WHOIS query at Mon Oct 9 15:48:38 UTC 2006

Connecting to whois.publicinterestregistry.net.

Domain ID:D130222226-LROR
Domain Name:IBSL.ORG
Created On:07-Oct-2006 10:46:34 UTC
Last Updated On:07-Oct-2006 10:49:37 UTC
Expiration Date:07-Oct-2007 10:46:34 UTC
Sponsoring Registrar:Register.com Inc. (R71-LROR)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:0695129619b87810
Registrant Name:George Gwaltney
Registrant Street1:522 Shin Oak
Registrant Street2:
Registrant Street3:
Registrant City:San Antonio
Registrant State/Province:TX
Registrant Postal Code:78233
Registrant Country:US
Registrant Phone:+1.2106566654
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:georgegwaltneyuu@yahoo.com
Admin ID:7267727618458145
Admin Name:George Gwaltney
Admin Street1:522 Shin Oak
Admin Street2:
Admin Street3:
Admin City:San Antonio
Admin State/Province:TX
Admin Postal Code:78233
Admin Country:US
Admin Phone:+1.2106566654
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:georgegwaltneyuu@yahoo.com
Tech ID:4390988619c35255
Tech Name:Domain Registrar
Tech Organization:Registercom
Tech Street1:575 8th Avenue
Tech Street2:
Tech Street3:
Tech City:New York
Tech State/Province:NY
Tech Postal Code:10018
Tech Country:US
Tech Phone:+1.9027492701
Tech Phone Ext.:
Tech FAX:+1.9027492701
Tech FAX Ext.:
Tech Email:domainregistrar@register.com
Name Server:NS1.TEAMS-CS.COM
Name Server:NS2.TEAMS-CS.COM

DNS query

Trying "ibsl.org"
host: Couldn't find server 'NS1.TEAMS-CS.COM': Name or service not known

Trying "ibsl.org"
host: Couldn't find server 'NS2.TEAMS-CS.COM': Name or service not known

WHOIS query for nameserver domain "teams-cs.com" at Mon Oct 9 15:54:56 UTC 2006

Connecting to whois.crsnic.net.

Domain Name: TEAMS-CS.COM
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: NS2.TEAMS-CS.COM
Name Server: NS1.TEAMS-CS.COM
Status: REGISTRAR-HOLD
Status: REGISTRAR-LOCK
EPP Status: clientHold
EPP Status: clientDeleteProhibited
EPP Status: clientTransferProhibited
EPP Status: clientUpdateProhibited
Updated Date: 25-Sep-2006
Creation Date: 30-Jul-2006
Expiration Date: 30-Jul-2008

israelibrokeragelimiredservices.com

WHOIS query at Tue Oct 10 12:50:05 UTC 2006

Connecting to whois.crsnic.net.

Domain Name: ISRAELIBROKERAGELIMIREDSERVICES.COM
Registrar: REGISTER.COM, INC.
Whois Server: whois.register.com
Referral URL: http://www.register.com
Name Server: NS2.MB2GB.COM
Name Server: NS1.MB2GB.COM
Status: REGISTRAR-LOCK
EPP Status: clientTransferProhibited
Updated Date: 08-Oct-2006
Creation Date: 08-Oct-2006
Expiration Date: 08-Oct-2007

DNS query

Trying "israelibrokeragelimiredservices.com"
Using domain server:
Name: NS1.MB2GB.COM
Address: 72.29.93.95#53
Aliases:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41727
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;israelibrokeragelimiredservices.com. IN A

;; ANSWER SECTION:
israelibrokeragelimiredservices.com. 1800 IN A 84.254.20.235
israelibrokeragelimiredservices.com. 1800 IN A 85.176.81.251
israelibrokeragelimiredservices.com. 1800 IN A 88.72.214.124
israelibrokeragelimiredservices.com. 1800 IN A 62.227.236.32
israelibrokeragelimiredservices.com. 1800 IN A 82.83.123.156

;; AUTHORITY SECTION:
israelibrokeragelimiredservices.com. 1800 IN NS ns2.mb2gb.com.
israelibrokeragelimiredservices.com. 1800 IN NS ns1.mb2gb.com.

Received 175 bytes from 72.29.93.95#53 in 91 ms

israelibrokerageservices.cn

WHOIS query at Sat Oct 7 08:05:57 UTC 2006

Using server whois.cnnic.net.cn.
Query string: "israelibrokerageservices.cn"

Domain Name: israelibrokerageservices.cn
ROID: 20060908s10001s79119686-cn
Domain Status: clientHold
Domain Status: clientDeleteProhibited
Domain Status: clientUpdateProhibited
Domain Status: clientTransferProhibited
Domain Status: clientRenewProhibited
Registrant Organization: LOWRIE
Registrant Name: NATHAN
Administrative Email: nathanlowrie@mail.com
Sponsoring Registrar: CSL Computer Service (d.b.a. Joker.com)
Name Server:ns1.fopen-ph.com
Name Server:ns2.fopen-ph.com
Registration Date: 2006-09-08 20:22
Expiration Date: 2007-09-08 20:22

DNS query

dig: Couldn't find server 'ns1.fopen-ph.com': Name or service not known

DNS query for nameserver

; <<>> DiG 9.2.4 <<>> NS fopen-ph.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6676
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;fopen-ph.com. IN NS

;; Query time: 142 msec
;; SERVER: 207.99.0.2#53(207.99.0.2)
;; WHEN: Sat Oct 7 08:11:59 2006
;; MSG SIZE rcvd: 30

Summary: this domain refers to nameservers which do not exist, and therefore will not work at this time.

israelibrokerageserviceslimired.biz

WHOIS query at Tue Oct 10 13:02:34 UTC 2006

Using server whois.nic.biz.
Query string: "israelibrokerageserviceslimired.biz"

Domain Name: ISRAELIBROKERAGESERVICESLIMIRED.BIZ
Domain ID: D14799278-BIZ
Sponsoring Registrar: REGISTER.COM
Sponsoring Registrar IANA ID: 9
Domain Status: clientTransferProhibited
Registrant ID: 0163074592D33616
Registrant Name: David DeBoer
Registrant Address1: 3489 West Minster Way
Registrant City: Napa
Registrant State/Province: CA
Registrant Postal Code: 94558
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +1.7072544910
Registrant Email: daviddeboerrr@yahoo.com
Administrative Contact ID: 4984917592AB5044
Administrative Contact Name: David DeBoer
Administrative Contact Address1: 3489 West Minster Way
Administrative Contact City: Napa
Administrative Contact State/Province: CA
Administrative Contact Postal Code: 94558
Administrative Contact Country: United States
Administrative Contact Country Code: US
Administrative Contact Phone Number: +1.7072544910
Administrative Contact Email: daviddeboerrr@yahoo.com
Billing Contact ID: 6760068592C33115
Billing Contact Name: Domain Registrar
Billing Contact Organization: Registercom
Billing Contact Address1: 575 8th Avenue
Billing Contact City: New York
Billing Contact State/Province: NY
Billing Contact Postal Code: 10018
Billing Contact Country: United States
Billing Contact Country Code: US
Billing Contact Phone Number: +1.9027492701
Billing Contact Facsimile Number: +1.9027492701
Billing Contact Email: domainregistrar@register.com
Technical Contact ID: 9869455592E3D119
Technical Contact Name: Domain Registrar
Technical Contact Organization: Registercom
Technical Contact Address1: 575 8th Avenue
Technical Contact City: New York
Technical Contact State/Province: NY
Technical Contact Postal Code: 10018
Technical Contact Country: United States
Technical Contact Country Code: US
Technical Contact Phone Number: +1.9027492701
Technical Contact Facsimile Number: +1.9027492701
Technical Contact Email: domainregistrar@register.com
Name Server: NS1.MB2GB.COM
Name Server: NS2.MB2GB.COM
Created by Registrar: REGISTER.COM
Last Updated by Registrar: REGISTER.COM
Domain Registration Date: Sun Oct 08 14:35:04 GMT 2006
Domain Expiration Date: Sun Oct 07 23:59:59 GMT 2007
Domain Last Updated Date: Sun Oct 08 14:37:34 GMT 2006

DNS query

Trying "israelibrokerageserviceslimired.biz"
Using domain server:
Name: NS1.MB2GB.COM
Address: 72.29.93.95#53
Aliases:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11242
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;israelibrokerageserviceslimired.biz. IN A

;; ANSWER SECTION:
israelibrokerageserviceslimired.biz. 1800 IN A 84.176.206.81
israelibrokerageserviceslimired.biz. 1800 IN A 84.254.20.235
israelibrokerageserviceslimired.biz. 1800 IN A 62.227.236.32
israelibrokerageserviceslimired.biz. 1800 IN A 68.53.173.12
israelibrokerageserviceslimired.biz. 1800 IN A 82.49.126.12

;; AUTHORITY SECTION:
israelibrokerageserviceslimired.biz. 1800 IN NS ns2.mb2gb.com.
israelibrokerageserviceslimired.biz. 1800 IN NS ns1.mb2gb.com.

Received 178 bytes from 72.29.93.95#53 in 36 ms

israeliltdbrokerageservices.cn

WHOIS query at Wed Oct 4 17:54:22 UTC 2006

Using server whois.cnnic.net.cn.
Query string: "israeliltdbrokerageservices.cn"

Domain Name: israeliltdbrokerageservices.cn
ROID: 20060908s10001s79119933-cn
Domain Status: clientDeleteProhibited
Domain Status: clientTransferProhibited
Domain Status: clientRenewProhibited
Domain Status: clientUpdateProhibited
Registrant Name: Bridgette T. Rodgers
Administrative Email: bridgettetrodgers@yahoo.co.uk
Sponsoring Registrar: CSL Computer Service (d.b.a. Joker.com)
Name Server:ns1.gwjirr.com
Name Server:ns2.gwjirr.com
Registration Date: 2006-09-08 20:56
Expiration Date: 2007-09-08 20:56

DNS Query

; <<>> DiG 9.2.4 <<>> A israeliltdbrokerageservices.cn @ns1.gwjirr.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49643
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;israeliltdbrokerageservices.cn. IN A

;; ANSWER SECTION:
israeliltdbrokerageservices.cn. 1800 IN A 85.181.6.194
israeliltdbrokerageservices.cn. 1800 IN A 172.186.187.219
israeliltdbrokerageservices.cn. 1800 IN A 69.37.180.207
israeliltdbrokerageservices.cn. 1800 IN A 82.240.104.190
israeliltdbrokerageservices.cn. 1800 IN A 85.176.17.33

;; AUTHORITY SECTION:
israeliltdbrokerageservices.cn. 1800 IN NS ns2.gwjirr.com.
israeliltdbrokerageservices.cn. 1800 IN NS ns1.gwjirr.com.

;; ADDITIONAL SECTION:
ns1.gwjirr.com. 1800 IN A 195.170.173.8
ns2.gwjirr.com. 1800 IN A 66.78.51.10

;; Query time: 110 msec
;; SERVER: 195.170.173.8#53(ns1.gwjirr.com)
;; WHEN: Wed Oct 4 18:02:13 2006
;; MSG SIZE rcvd: 206

israeliservicesbrokerage.cn

WHOIS query at Thu Oct 5 09:31:29 UTC 2006

Using server whois.cnnic.net.cn.
Query string: "israeliservicesbrokerage.cn"

Domain Name: israeliservicesbrokerage.cn
ROID: 20060908s10001s79120051-cn
Domain Status: clientRenewProhibited
Domain Status: clientDeleteProhibited
Domain Status: clientUpdateProhibited
Domain Status: clientTransferProhibited
Registrant Name: Debra Salerno
Administrative Email: debrasalerno@usa.com
Sponsoring Registrar: CSL Computer Service (d.b.a. Joker.com)
Name Server:ns1.gwjirr.com
Name Server:ns2.gwjirr.com
Registration Date: 2006-09-08 21:13
Expiration Date: 2007-09-08 21:13

DNS query

; <<>> DiG 9.2.4 <<>> A israeliservicesbrokerage.cn @ns1.gwjirr.com
;; global options: printcmd
;; connection timed out; no servers could be reached

; <<>> DiG 9.2.4 <<>> A israeliservicesbrokerage.cn @ns2.gwjirr.com
;; global options: printcmd
;; connection timed out; no servers could be reached

israeliservicesbrokerageltd.cn

WHOIS query at Wed Oct 4 18:53:56 UTC 2006

Using server whois.cnnic.net.cn.
Query string: "israeliservicesbrokerageltd.cn"

Domain Name: israeliservicesbrokerageltd.cn
ROID: 20060908s10001s79120148-cn
Domain Status: clientDeleteProhibited
Domain Status: clientUpdateProhibited
Domain Status: clientTransferProhibited
Domain Status: clientRenewProhibited
Registrant Name: Joseph Fix
Administrative Email: josephfixxx@yahoo.com
Sponsoring Registrar: CSL Computer Service (d.b.a. Joker.com)
Name Server:ns1.gwjirr.com
Name Server:ns2.gwjirr.com
Registration Date: 2006-09-08 21:26
Expiration Date: 2007-09-08 21:26

DNS query

; <<>> DiG 9.2.4 <<>> A israeliservicesbrokerageltd.cn @ns1.gwjirr.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11621
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;israeliservicesbrokerageltd.cn. IN A

;; ANSWER SECTION:
israeliservicesbrokerageltd.cn. 1800 IN A 84.171.84.224
israeliservicesbrokerageltd.cn. 1800 IN A 85.181.6.194
israeliservicesbrokerageltd.cn. 1800 IN A 172.174.230.56
israeliservicesbrokerageltd.cn. 1800 IN A 69.37.180.207
israeliservicesbrokerageltd.cn. 1800 IN A 82.240.104.190

;; AUTHORITY SECTION:
israeliservicesbrokerageltd.cn. 1800 IN NS ns1.gwjirr.com.
israeliservicesbrokerageltd.cn. 1800 IN NS ns2.gwjirr.com.

;; ADDITIONAL SECTION:
ns1.gwjirr.com. 1800 IN A 195.170.173.8
ns2.gwjirr.com. 1800 IN A 66.78.51.10

;; Query time: 110 msec
;; SERVER: 195.170.173.8#53(ns1.gwjirr.com)
;; WHEN: Wed Oct 4 18:55:28 2006
;; MSG SIZE rcvd: 206

ltdisraelibrokerageservices.cn

WHOIS query at Thu Oct 5 23:21:54 UTC 2006

Using server whois.cnnic.net.cn.
Query string: "ltdisraelibrokerageservices.cn"

Domain Name: ltdisraelibrokerageservices.cn
ROID: 20060908s10001s79119801-cn
Domain Status: clientUpdateProhibited
Domain Status: clientDeleteProhibited
Domain Status: clientTransferProhibited
Domain Status: clientRenewProhibited
Registrant Name: DAVID STONE
Administrative Email: davidstoneee@yahoo.com
Sponsoring Registrar: CSL Computer Service (d.b.a. Joker.com)
Name Server:ns1.fopen-ph.com
Name Server:ns2.fopen-ph.com
Registration Date: 2006-09-08 20:37
Expiration Date: 2007-09-08 20:37

DNS Query

; <<>> DiG 9.2.4 <<>> A ltdisraelibrokerageservices.cn @ns1.fopen-ph.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3186
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;ltdisraelibrokerageservices.cn. IN A

;; ANSWER SECTION:
ltdisraelibrokerageservices.cn. 1800 IN A 68.249.103.227
ltdisraelibrokerageservices.cn. 1800 IN A 83.93.28.2
ltdisraelibrokerageservices.cn. 1800 IN A 84.56.61.26
ltdisraelibrokerageservices.cn. 1800 IN A 84.162.251.108
ltdisraelibrokerageservices.cn. 1800 IN A 172.164.182.69

;; AUTHORITY SECTION:
ltdisraelibrokerageservices.cn. 1800 IN NS ns1.fopen-ph.com.
ltdisraelibrokerageservices.cn. 1800 IN NS ns2.fopen-ph.com.

;; Query time: 36 msec
;; SERVER: 72.29.93.95#53(ns1.fopen-ph.com)
;; WHEN: Thu Oct 5 23:24:32 2006
;; MSG SIZE rcvd: 176

6 comments:

Anonymous said...

These bozos also have the domain www.isbl.org it's about a week old, as I noticed the change in the body of the emails I was receiving. I think a couple of the other sites were taken down because the links were not working.

I must be getting 15 email offers a day from Israeli Brokerage Services and Bronsard Advantage.

I've also noticed that all of the email addresses bounce back and they are from all over. Traced one this morning to Italy.

I think the Norway Group must have been taken down, as I haven't received any email from it in a few weeks.

Anonymous said...

Great Job . Thank you for all the time spend on publishing these phony job offers.

This nonsense have to stop. The sooner the better.

Anonymous said...

i thougt it was good ,i didnt know that was that bad.what can i do?i have already made two transactions for them , so now what?who do i get rid off of this, imrelally worried , someone help me.

Spotter said...

First up, don't send them any more money. Next up, most places advise that you should contact your bank.

"Anyone who has disclosed their bank account details or received funds into their account for what they think could be a money mule scam should contact their bank immediately." (Source: Bank Safe Online UK: Money Mules Explained)

"If you have received money in your bank account, transferred or attempted to transfer money overseas in these circumstances, please contact your financial institution immediately." (Source: Australian High Tech Crime Centre FAQ)

Anonymous said...

The website ibsl.hk, is hosted at 80.98.110.209, but ping - a 80.98.110.209 returns catv-50626ed1.catv.broadband.hu so perhaps they are using dynamic dns and hosting on zombie pc's off cable modems rather than actual servers.

Spotter said...

Absolutely -- the modus operandi of these guys includes the use of zombie computers both to send the spam and host (or proxy) their websites. One of the reasons I don't usually bother reporting the IP addresses associated with the scam is that it's a pool of five zombies from all around the world which can change every thirty minutes.