Summary
This money mule scam (see sidebar for more information) is identical in all important respects to the Israeli Brokerage Services Ltd scam seen last month. It's reasonable to suppose it's exactly the same phishing/jobscam gang as usual operating under a new name. They seem to adopt a new name approximately monthly.
There does appear to be at least one genuine business called "Athens Financial", completely unrelated to this scam. Thanks to Candace for pointing this out.
The Spam
As in past cases, the message is presented in a GIF image, accompanied by "filter buster" text coloured to be invisible against the background.
Representative image
Names used as signature
- Miltiades Papanikoiaou
Sender names encountered
Capitalisation may vary.
- Athens Financial Group
- Athens Financial Group, Ltd
- Athens Financial Group ltd (AFG)
- AFG
Links encountered
Listed in order of encounter. If past experience is anything to go by, these scammers register a new domain name on an almost daily basis.
- http://afgltd.info/index.php?sect_id=6
- http://afglmtd.cn/index.php?sect_id=6
- http://afgltd.cn/index.php?sect_id=6
- http://afgl.mobi/index.php?sect_id=6
- http://afgl.cn/index.php?sect_id=6
- http://afg-ltd.cn/index.php?sect_id=6
Active but not yet encountered
Although I have not (yet) received spam advertising the following URLs, they have been discovered and verified as belonging to the same scam.
- http://afglmtd.org/
- http://afglmtd.biz/
- http://athens-fin-group.net/
Website
Here is a snapshot of their website, taken on receipt of the first instance of spam. Note the text at the bottom of the snapshot which clearly identifies the operation as a money mule scam.
Domain Information (for experts)
Limited WHOIS information is provided here, primarily for the purposes of trend analysis. I do not include most of the registrant details, since these are invariably false and may point to innocent third parties.
afgltd.info
Domain ID:D15154439-LRMS
Domain Name:AFGLTD.INFO
Created On:29-Oct-2006 15:07:28 UTC
Last Updated On:29-Oct-2006 20:58:47 UTC
Expiration Date:29-Oct-2007 15:07:28 UTC
Sponsoring Registrar:CSL Computer Service Langenbach GmbH (R161-LRMS)
Registrant Email:simonashamis@yahoo.com
Name Server:NS1.TTLOAD.COM
Name Server:NS2.TTLOAD.COM
afgltd.cn
Query at around 2006-11-03 00:51 UTC
Domain Name: afgltd.cn
ROID: 20061029s10001s89744889-cn
Administrative Email: catherinebird54@yahoo.com
Sponsoring Registrar: CSL Computer Service (d.b.a. Joker.com)
Name Server:ns2.ttload.com
Name Server:ns1.ttload.com
Registration Date: 2006-10-29 23:19
Expiration Date: 2007-10-29 23:19
afglmtd.cn
Query at around 2006-11-03 09:01 UTC
Domain Name: afglmtd.cn
ROID: 20061029s10001s89744910-cn
Administrative Email: jeffreybaum@mail.com
Sponsoring Registrar: CSL Computer Service (d.b.a. Joker.com)
Name Server:ns2.ttload.com
Name Server:ns1.ttload.com
Registration Date: 2006-10-29 23:31
Expiration Date: 2007-10-29 23:31
afglmtd.biz
Query at around 2006-11-03 09:01 UTC
Domain Name: AFGLMTD.BIZ
Domain ID: D15006412-BIZ
Sponsoring Registrar: CSL COMPUTER SERVICE (D.B.A. JOKER.COM)
Sponsoring Registrar IANA ID: 113
Registrant Email: jamonandreasen@yahoo.com
Name Server: NS2.FURI-CURI.COM
Name Server: NS1.FURI-CURI.COM
Created by Registrar: CSL COMPUTER SERVICE (D.B.A. JOKER.COM)
Last Updated by Registrar: CSL COMPUTER SERVICE (D.B.A. JOKER.COM)
Domain Registration Date: Sat Oct 28 11:18:56 GMT 2006
Domain Expiration Date: Sat Oct 27 23:59:59 GMT 2007
Domain Last Updated Date: Sat Oct 28 14:08:27 GMT 2006
afglmtd.org
Query at around 2006-11-03 09:01 UTC
Domain ID:D131725418-LROR
Domain Name:AFGLMTD.ORG
Created On:28-Oct-2006 11:44:52 UTC
Last Updated On:28-Oct-2006 14:15:55 UTC
Expiration Date:28-Oct-2007 11:44:52 UTC
Sponsoring Registrar:CSL Computer Service Langenbach GmbH (R25-LROR)
Registrant ID:CORG-168336
Registrant Email:charlesdphillipsss@yahoo.co.uk
Name Server:NS2.FURI-CURI.COM
Name Server:NS1.FURI-CURI.COM
afgl.mobi
Query at around 2006-11-23 02:40 UTC
Domain ID:D576910-MOBI
Domain Name:AFGL.MOBI
Created On:28-Oct-2006 13:50:04 UTC
Last Updated On:01-Nov-2006 07:03:20 UTC
Expiration Date:28-Oct-2008 13:50:04 UTC
Sponsoring Registrar:CSL GmbH Computer Service Langenbach d/b/a joker.com (113)
Created by Registrar:CSL GmbH Computer Service Langenbach d/b/a joker.com (113)
Last Updated by Registrar:CSL GmbH Computer Service Langenbach d/b/a joker.com (113)
Name Server:NS2.TTLOAD.COM
Name Server:NS1.TTLOAD.COM
afg-ltd.cn
Query at around 2006-11-26 14:34 UTC
Domain Name: afg-ltd.cn
ROID: 20061123s10001s97722169-cn
Administrative Email: darcyjacobus@yahoo.com
Sponsoring Registrar: CSL Computer Service (d.b.a. Joker.com)
Name Server:ns2.ttload.com
Name Server:ns1.ttload.com
Registration Date: 2006-11-23 06:03
Expiration Date: 2007-11-23 06:03
athens-fin-group.net
Query at around 2006-11-29 02:01 UTC
Domain Name: ATHENS-FIN-GROUP.NET
Registrar: COMPUTER SERVICES LANGENBACH GMBH DBA JOKER.COM
Whois Server: whois.joker.com
Referral URL: http://www.joker.com
Name Server: YNS1.YAHOO.COM
Name Server: YNS2.YAHOO.COM
Updated Date: 27-Oct-2006
Creation Date: 26-Oct-2006
Expiration Date: 26-Oct-2007
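An added example (not the author's code) of the trend analysis these records are kept for: it parses excerpts of the WHOIS listings above, normalises the differing field names and date formats each registry uses, and groups the domains by the parent zone of their name servers. The function names are illustrative, and each excerpt keeps only the fields used, with one name server line per record.

```python
from datetime import datetime

RAW = """\
Domain Name:AFGLTD.INFO
Created On:29-Oct-2006 15:07:28 UTC
Name Server:NS1.TTLOAD.COM

Domain Name: afg-ltd.cn
Name Server:ns2.ttload.com
Registration Date: 2006-11-23 06:03

Domain Name: AFGLMTD.BIZ
Name Server: NS2.FURI-CURI.COM
Domain Registration Date: Sat Oct 28 11:18:56 GMT 2006

Domain Name: ATHENS-FIN-GROUP.NET
Name Server: YNS1.YAHOO.COM
Creation Date: 26-Oct-2006
"""  # excerpts copied from the records above, trimmed to the fields used here
CREATED_KEYS = ("created on", "registration date", "domain registration date", "creation date")
DATE_FORMATS = ("%d-%b-%Y %H:%M:%S UTC", "%Y-%m-%d %H:%M", "%a %b %d %H:%M:%S GMT %Y", "%d-%b-%Y")

def parse_date(text):
    for fmt in DATE_FORMATS:  # if no registry format matches, falls through to None
        try:
            return datetime.strptime(text, fmt).date()
        except ValueError:
            continue

def parse_records(raw):
    for block in raw.strip().split("\n\n"):  # one blank line between records
        rec = {"domain": None, "created": None, "ns": set()}
        for line in block.splitlines():
            key, _, value = map(str.strip, line.partition(":"))
            if key.lower() == "domain name":
                rec["domain"] = value.lower()
            elif key.lower() == "name server":
                rec["ns"].add(value.lower())
            elif key.lower() in CREATED_KEYS:
                rec["created"] = parse_date(value)
        yield rec

def cluster_by_ns_zone(records):
    clusters = {}
    for rec in records:  # key on the last two labels of each name server (all .com here)
        zones = sorted({".".join(ns.split(".")[-2:]) for ns in rec["ns"]})
        clusters.setdefault(",".join(zones), []).append(rec["domain"])
    return clusters
```

Run over these excerpts, `cluster_by_ns_zone(list(parse_records(RAW)))` yields three groups (ttload.com, furi-curi.com and yahoo.com), and the parsed creation dates place the first registrations within a few days of each other in late October 2006.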
6 comments:
"Org" domains are for non-profits, so it should be easy to convince the registrar to take the domain down once it becomes active.
Did you notice that this scammer is now using a third set of servers? Just noticed it when you posted the Who Is information.
Actually the ".org" domain is a generic domain, meaning that there are no restrictions on the types of entities which may register names in it. I think the original intent was for it to be used by "everything else" (other than business, the US government, US education, the US military, and networks). The registrar will probably pay heed to the organised crime element, though.
Yes, I noticed the new nameservers.
I'm getting a large amount of spam over many months from domain names registered with CSL COMPUTER SERVICE (D.B.A. JOKER.COM).
I won't be surprised that joker.com are also part of the scam?
Joker.com is a well known domain name registrar: the scammers are simply using their service like any other customer. Whether or not Joker is doing enough to hinder these scams, ethically speaking, is a different question.
How funny... they try to make it sound like it is a genuine Greek company, but any Greek would recognise instantly the misspelling of the name... hate these evil wankers.
And even if you didn't recognise the typo, a Google search for the name makes it really obvious that it's a scam. Keep up the good shoot-self-in-foot work, scammers!