Job scam quick guide: it's a scam if...

  • they want you to collect and forward money in any way (a "money mule" job). You'll wind up engaged in money laundering, personally defrauded via expertly forged cheques, money orders, etc., or defrauding someone else who pays for goods that never arrive.
  • they want you to receive packages and reship them somewhere else. The goods will have been obtained fraudulently, and they're just using you to make the shipping address appear local. You will be aiding fraud.
  • they want up-front payment (either to them or someone else) of any sort for anything before you can get the job. This is advance fee fraud: there is no job -- it's just a big con to extract money from you.
  • they want you to buy any kind of "membership" or "kit" in order to start. Forget it -- it's not a real job at all: they're trying to sell you something, and they're probably making a bunch of other false claims about it if they're pitching it as a "job".
  • it's a job offer, and it's spam. There are LOTS of these scams about, as you can see.

Sunday, October 01, 2006

Norway Consulting Group

Detailed Report

This job scam is ongoing: I last reported it here, but it has been arriving with great regularity. The government of the state of Western Australia also has a scam alert on the subject. I am reporting it again, and will continue to report it on a month-by-month basis.

The job scam itself is a money laundering or "money mule" job. It involves handling stolen money, and is illegal: the cover story about payment processing is just that -- a cover story. This particular scam seems to be targeting Australians, and appears to be happening in concert with a phishing campaign against Commonwealth Bank of Australia customers at the moment.

The Spam

This particular scammer currently prefers to send HTML email with the actual visible message encoded as an attached GIF graphic. Whatever actual text appears in the email is coloured so as to be indistinguishable from the background (effectively invisible), and is only present to confound spam filters. A representative sample of the image follows. I will not document all variations of this image: this is just the first one I received in the month. If it changes significantly, I will add further samples.

As mentioned, I believe that the same scammers are responsible for a parallel phishing campaign against Commonwealth Bank of Australia customers. This gives them access to the bank accounts from which they transfer the "payments" to the money mules. The mules are then expected to withdraw the cash and forward it (minus a cut) via Western Union or MoneyGram. A sample of the phish (also distributed as a GIF-encoded graphic) follows.
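The message format described in this section (filler text coloured to match the background, with the visible pitch carried in a GIF) can be checked for mechanically. The following is an added example, not code from the original post: the sample message, the address, and the names `HiddenText` and `analyse` are constructed for illustration, and the check assumes colours are given as literal `bgcolor` and `<font color>` attributes rather than CSS.

```python
from email import message_from_string
from html.parser import HTMLParser

# Constructed sample (not a captured message): filler text in the background
# colour, with the visible pitch carried by an inline GIF.
SAMPLE = """\
From: "Norway Consulting Group" <sender@example.invalid>
Subject: Top vacancy of the month!
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body bgcolor="#FFFFFF"><font color="#ffffff">weather garden seven orchard</font>
<img src="cid:pitch"></body></html>
--b1
Content-Type: image/gif
Content-ID: <pitch>

GIF89a
--b1--
"""

class HiddenText(HTMLParser):  # counts text whose <font color> equals <body bgcolor>
    def __init__(self):
        super().__init__()
        self.bg, self.fonts = "#ffffff", []  # assumption: white page unless bgcolor is set
        self.hidden = self.total = self.imgs = 0
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        if tag == "body":
            self.bg = a.get("bgcolor", self.bg)
        elif tag == "font":
            self.fonts.append(a.get("color", ""))
        self.imgs += tag == "img"
    def handle_endtag(self, tag):
        if tag == "font" and self.fonts:
            self.fonts.pop()
    def handle_data(self, data):
        n = len(data.strip())
        self.total += n
        self.hidden += n if self.fonts and self.fonts[-1] == self.bg else 0

def analyse(raw):
    msg, p = message_from_string(raw), HiddenText()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            p.feed(part.get_payload(decode=True).decode("ascii", "replace"))
    p.close()  # flush any text after the last tag
    gif = any(x.get_content_type() == "image/gif" for x in msg.walk())
    # Flag only when every character of text is invisible and an image does the talking.
    flagged = gif and p.imgs > 0 and 0 < p.total == p.hidden
    return {"hidden": p.hidden, "total": p.total, "flagged": flagged}
```

A production filter would also need to resolve named colours, near-matching shades and CSS styling, none of which this check handles.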

If you are a victim

If you have become involved, then the first thing to do is STOP. Don't send any money to the crims, or at least don't send them any more if they've conned you into sending some already. If you have received payments into your account, then you should contact your financial institution (as recommended by the Australian High Tech Crime Centre). Please share your experience here or via email, as the more information we have about this scam, the better we will be able to defend against it in future. I am particularly interested in knowing the NAME and LOCATION associated with any Western Union or MoneyGram wire transfer. Please spill the beans on these crims.

Additional data

This is a very frequent spam, and I will not document all details of each copy received. The following is a summary of important details, and will be updated with additional data during October 2006, at the end of which it becomes historical. If you have seen a variant of this spam containing details not shown here, please forward it to me.

URLs encountered

Subjects encountered

Note that these subjects are sometimes suffixed with a timestamp, like "Sun, 01 Oct 2006 07:11:45 -0200".

  • Best job offer - don't miss your chance!
  • Got free time? Become richer!
  • Join us, earn extra cash with us and be prosperous!
  • Top vacancy of the month!

Sender names encountered

  • Norway Consulting
  • Norway Consulting 2006
  • Norway Consulting Group
  • Norway_Consulting_Group
  • Norway Consulting GROUP 2006

Names used as signature in image

  • Annette Nygardsmoen
