Job scam quick guide: it's a scam if...

  • they want you to collect and forward money in any way (a "money mule" job). You'll wind up engaged in money laundering, personally defrauded via expertly forged cheques, money orders, etc, or defrauding someone else who pays for goods that never arrive.
  • they want you to receive packages and reship them somewhere else. The goods will have been obtained fraudulently, and they're just using you to make the shipping address appear local. You will be aiding fraud.
  • they want up-front payment (either to them or someone else) of any sort for anything before you can get the job. This is advance fee fraud: there is no job -- it's just a big con to extract money from you.
  • they want you to buy any kind of "membership" or "kit" in order to start. Forget it -- it's not a real job at all: they're trying to sell you something, and they're probably making a bunch of other false claims about it if they're pitching it as a "job".
  • it's a job offer, and it's spam. There are LOTS of these scams about, as you can see.

Thursday, November 02, 2006

Athens Financial Group Ltd

Summary

This money mule scam (see sidebar for more information) is identical in all important respects to the Israeli Brokerage Services Ltd scam seen last month. It's reasonable to suppose it's exactly the same phishing/jobscam gang as usual operating under a new name. They seem to adopt a new name approximately monthly.

There does appear to be at least one genuine business called "Athens Financial", completely unrelated to this scam. Thanks to Candace for pointing this out.

The Spam

As in past cases, the message is presented in a GIF image, accompanied by "filter buster" text coloured to be invisible against the background.

Representative image

spam

Names used as signature

  • Miltiades Papanikoiaou

Sender names encountered

Capitalisation may vary.

  • Athens Financial Group
  • Athens Financial Group, Ltd
  • Athens Financial Group ltd (AFG)
  • AFG

Links encountered

Listed in order of encounter. If past experience is anything to go by, these scammers register a new domain name on an almost daily basis.

  1. http://afgltd.info/index.php?sect_id=6
  2. http://afglmtd.cn/index.php?sect_id=6
  3. http://afgltd.cn/index.php?sect_id=6
  4. http://afgl.mobi/index.php?sect_id=6
  5. http://afgl.cn/index.php?sect_id=6
  6. http://afg-ltd.cn/index.php?sect_id=6

Active but not yet encountered

Although I have not (yet) received spam advertising the following URLs, they have been discovered and verified as belonging to the same scam.

  • http://afglmtd.org/
  • http://afglmtd.biz/
  • http://athens-fin-group.net/

Website

Here is a snapshot of their website, taken on receipt of the first instance of spam. Note the text at the bottom of the snapshot which clearly identifies the operation as a money mule scam.

website snapshot

Domain Information (for experts)

Limited WHOIS information is provided here, primarily for the purposes of trend analysis. I do not include most of the registrant details, since these are invariably false and may point to innocent third parties.

afgltd.info

Domain ID:D15154439-LRMS
Domain Name:AFGLTD.INFO
Created On:29-Oct-2006 15:07:28 UTC
Last Updated On:29-Oct-2006 20:58:47 UTC
Expiration Date:29-Oct-2007 15:07:28 UTC
Sponsoring Registrar:CSL Computer Service Langenbach GmbH (R161-LRMS)
Registrant Email:simonashamis@yahoo.com
Name Server:NS1.TTLOAD.COM
Name Server:NS2.TTLOAD.COM

afgltd.cn

Query at around 2006-11-03 00:51 UTC

Domain Name: afgltd.cn
ROID: 20061029s10001s89744889-cn
Administrative Email: catherinebird54@yahoo.com
Sponsoring Registrar: CSL Computer Service (d.b.a. Joker.com)
Name Server:ns2.ttload.com
Name Server:ns1.ttload.com
Registration Date: 2006-10-29 23:19
Expiration Date: 2007-10-29 23:19

afglmtd.cn

Query at around 2006-11-03 09:01 UTC

Domain Name: afglmtd.cn
ROID: 20061029s10001s89744910-cn
Administrative Email: jeffreybaum@mail.com
Sponsoring Registrar: CSL Computer Service (d.b.a. Joker.com)
Name Server:ns2.ttload.com
Name Server:ns1.ttload.com
Registration Date: 2006-10-29 23:31
Expiration Date: 2007-10-29 23:31

afglmtd.biz

Query at around 2006-11-03 09:01 UTC

Domain Name:                                 AFGLMTD.BIZ
Domain ID:                                   D15006412-BIZ
Sponsoring Registrar:                        CSL COMPUTER SERVICE (D.B.A. JOKER.COM)
Sponsoring Registrar IANA ID:                113
Registrant Email:                            jamonandreasen@yahoo.com
Name Server:                                 NS2.FURI-CURI.COM
Name Server:                                 NS1.FURI-CURI.COM
Created by Registrar:                        CSL COMPUTER SERVICE (D.B.A. JOKER.COM)
Last Updated by Registrar:                   CSL COMPUTER SERVICE (D.B.A. JOKER.COM)
Domain Registration Date:                    Sat Oct 28 11:18:56 GMT 2006
Domain Expiration Date:                      Sat Oct 27 23:59:59 GMT 2007
Domain Last Updated Date:                    Sat Oct 28 14:08:27 GMT 2006

afglmtd.org

Query at around 2006-11-03 09:01 UTC

Domain ID:D131725418-LROR
Domain Name:AFGLMTD.ORG
Created On:28-Oct-2006 11:44:52 UTC
Last Updated On:28-Oct-2006 14:15:55 UTC
Expiration Date:28-Oct-2007 11:44:52 UTC
Sponsoring Registrar:CSL Computer Service Langenbach GmbH (R25-LROR)
Registrant ID:CORG-168336
Registrant Email:charlesdphillipsss@yahoo.co.uk
Name Server:NS2.FURI-CURI.COM
Name Server:NS1.FURI-CURI.COM

afgl.mobi

Query at around 2006-11-23 02:40 UTC

Domain ID:D576910-MOBI
Domain Name:AFGL.MOBI
Created On:28-Oct-2006 13:50:04 UTC
Last Updated On:01-Nov-2006 07:03:20 UTC
Expiration Date:28-Oct-2008 13:50:04 UTC
Sponsoring Registrar:CSL GmbH Computer Service Langenbach d/b/a joker.com (113)
Created by Registrar:CSL GmbH Computer Service Langenbach d/b/a joker.com (113)
Last Updated by Registrar:CSL GmbH Computer Service Langenbach d/b/a joker.com (113)
Name Server:NS2.TTLOAD.COM
Name Server:NS1.TTLOAD.COM

afg-ltd.cn

Query at around 2006-11-26 14:34 UTC

Domain Name: afg-ltd.cn
ROID: 20061123s10001s97722169-cn
Administrative Email: darcyjacobus@yahoo.com
Sponsoring Registrar: CSL Computer Service (d.b.a. Joker.com)
Name Server:ns2.ttload.com
Name Server:ns1.ttload.com
Registration Date: 2006-11-23 06:03
Expiration Date: 2007-11-23 06:03

athens-fin-group.net

Query at around 2006-11-29 02:01 UTC

   Domain Name: ATHENS-FIN-GROUP.NET
   Registrar: COMPUTER SERVICES LANGENBACH GMBH DBA JOKER.COM
   Whois Server: whois.joker.com
   Referral URL: http://www.joker.com
   Name Server: YNS1.YAHOO.COM
   Name Server: YNS2.YAHOO.COM
   Updated Date: 27-Oct-2006
   Creation Date: 26-Oct-2006
   Expiration Date: 26-Oct-2007
Posted by Spotter at 07:27

6 comments:

Unknown said...

"Org" domains are for non-profits, so it should be easy to convince the registrar to take the domain down once it becomes active.

Did you notice that this scammer is now using a third set of servers? Just noticed it when you posted the Who Is information.

3:18 pm, November 03, 2006
Spotter said...

Actually the ".org" domain is a generic domain, meaning that there are no restrictions on the types of entities which may register names in it. I think the original intent was for it to be used by "everything else" (other than business, the US government, US education, the US military, and networks). The registrar will probably pay heed to the organised crime element, though.

Yes, I noticed the new nameservers.

4:14 pm, November 03, 2006
Anonymous said...

In getting a large amount of spam over many months from domain names registered with CSL COMPUTER SERVICE (D.B.A. JOKER.COM).

I won't be suprised that joker.com are also part of the scam?

3:51 am, November 14, 2006
Spotter said...

Joker.com is a well known domain name registrar: the scammers are simply using their service like any other customer. Whether or not Joker is doing enough to hinder these scams, ethically speaking, is a different question.

7:41 am, November 14, 2006
Anonymous said...

How funny... they try to make it sound like it is a genuine Greek company, but any Greek would recognise instantly the misspelling of the name... hate these evil wankers.

3:44 pm, November 26, 2006
Spotter said...

And even if you didn't recognise the typo, a Google search for the name makes it really obvious that it's a scam. Keep up the good shoot-self-in-foot work, scammers!

6:22 pm, November 26, 2006

Post a Comment

Subscribe to: Post Comments (Atom)