Job scam quick guide: it's a scam if...

  • they want you to collect and forward money in any way (a "money mule" job). You'll wind up engaged in money laundering, personally defrauded via expertly forged cheques, money orders, etc, or defrauding someone else who pays for goods that never arrive.
  • they want you to receive packages and reship them somewhere else. The goods will have been obtained fraudulently, and they're just using you to make the shipping address appear local. You will be aiding fraud.
  • they want up-front payment (either to them or someone else) of any sort for anything before you can get the job. This is advance fee fraud: there is no job -- it's just a big con to extract money from you.
  • they want you to buy any kind of "membership" or "kit" in order to start. Forget it -- it's not a real job at all: they're trying to sell you something, and they're probably making a bunch of other false claims about it if they're pitching it as a "job".
  • it's a job offer, and it's spam. There are LOTS of these scams about, as you can see.

Monday, February 12, 2007

BBS Incorporated


Vague job offer sent via spam; the associated website makes it clear that the job is a money mule scam. There are probably many entities called "BBS Incorporated", but this particular scam just seems to have adopted the name arbitrarily, rather than impersonating anyone. The modus operandi strongly suggests that this is a reincarnation of the ITS Financial Corp scam: key phrases include "hope this message finds you in a great spirit" in the spam, and substantial overlap in the website text. The key difference in modus operandi is the use of image-as-text in this spam, although not all spams received to date are using this technique.

The Spam

The message is presented in a GIF image, accompanied by what appears to be garbled snatches of the Bible to confuse spam-detecting filters. The image is a hyperlink to a website.

Representative image

Links encountered

The following links have been encountered in spam, listed in order of encounter.


The above is not necessarily an exhaustive list of involved domains -- merely the ones we know about. The list is updated as new domains come to our attention. Please post comments below if you are aware of other domains involved in this scam.


Here is a snapshot of the website taken at around the time this blog entry was first posted.

The following is an excerpt from the website which clearly identifies the job as a money mule scam. (See the links in the left margin of this page for more information about money mule scams.)

Junior Financial Manager vacancy description

We are looking for HONEST and reliable people for this position.


  • AUSTRALIA RESIDENTS ONLY (no exceptions)
  • reliable Internet/e-mail access (must be able to check e-mail 2-3 times a day)
  • checking/savings bank account
  • 2-3 hours of free time a week (mainly in non-business hours) for communications
  • Adults only (21+)

Persons who are accepted for this position will follow these instructions:

  • Receive the funds from either our company or our partners to his/her designated bank account approved by our manager;
  • Withdraw the funds, keeping specified money transaction fee as a commission for your services (usually between $150 to $500, no less than $150 per transfer);
  • Send the rest of the money to our company and/or our partners via the specified transaction operator.
  • Report transaction details back to the manager.

Our preferred money transfer methods are personal/corporate checks, money orders and wire transfers.

Job description

We will send you the funds through one of our money transfer methods from our company and/or our partners directly to you.

Your part of the job is to ensure the clearing of funds, re-sending the money (less your commission) to us/our customers via one of chosen money transfer agencies. This should be done on the same or the next day when the funds are available for transfer (usually 2 business days).

Necessary transaction details will be sent to you via e-mail. You will have it as soon as you confirm availability of the funds. We will start with one transaction to gain the trust for both parties, after the first transfer is done you should express how many transfers you're able to handle every business day. If you're willing to try our program, fill out the form below with your personal information. Every completed form will be reviewed and our manager will contact you in 24 hours.

Domain Information (for experts)

Limited WHOIS information is provided here, primarily for the purposes of trend analysis. Registrant details are included only to the extent that I believe they are relevant and not misleading fabrications.

Query at around 2007-02-12 21:56 UTC

   Domain Name: RYECKLUNKD.COM
Whois Server:
Referral URL:
Name Server: YNS1.YAHOO.COM
Name Server: YNS2.YAHOO.COM
Updated Date: 12-feb-2007
Creation Date: 08-feb-2007
Expiration Date: 08-feb-2008
Admin Email..........

Query at around 2007-02-15 02:47 UTC

Whois Server:
Referral URL:
Name Server: NS1.COMRUS.NET
Name Server: NS2.COMRUS.NET
Updated Date: 13-feb-2007
Creation Date: 13-feb-2007
Expiration Date: 13-feb-2008

Query at around 2007-02-17 21:22 UTC

   Domain Name: BBILAGODAY.NET
Whois Server:
Referral URL:
Name Server: YNS1.YAHOO.COM
Name Server: YNS2.YAHOO.COM
Updated Date: 08-feb-2007
Creation Date: 08-feb-2007
Expiration Date: 08-feb-2008
Admin Email..........


Anonymous said...

We are very appreciated whether you can post the e-mail full headers for each case as evidences, it could help us to shut down the fake web sites quickly, Thanks.

Spotter said...

There are three issues I have with posting full headers.

1. It's more work than it's worth. If you look at my earlier reporting in the iDeceive blog, you'll see that I used to report originating IP addresses for spams. In this case, I could say that the spam originated in Brazil at (, but it's really not all that useful to know. Most spammers use botnets to distribute their spam, and this is probably one of those cases. That's the single most interesting piece of information in the headers, and it's not that interesting. That's why I don't bother anymore.

2. I don't want to compromise my sources. Many of the scams I post here are sent directly to my public email address, and I'm happy to make them public. When I post them, I only redact false information, such as when someone else's email address appears in the "from" or "to" fields. Some of the stuff I post, including this scam, is directed to me by outside sources. I'm considerably more reticent about posting identifying details in those cases, since I don't want the criminals who execute these scams to be able to identify my sources. I have good reason to believe that this may put them at risk of attack (such as DDoS or Joe Jobs). That's why I run this blog pseudonymously in the first place.

3. The bad guys read this blog. In fact, as far as I know, you are the bad guys. "Experts" indeed. If I post the full email headers here, bad guys can figure out which of the millions of addresses they spam are leaking the information to me, and remove those addresses from their list. The spam-scam continues, but I don't report it anymore.

So no, I won't post full headers here. I disclose information strategically in a way that I believe will maximise the chances of people being warned of scams. The information so disclosed should be enough for any conscientious service provider to pull the plug on the scammers, whether it's domain name service, web hosting, or whatever. If it's not sufficient, then that's not my fault: you're the ones aiding and abeting a crime, not I.

Anonymous said...


I just received the email below which leads to the BBS Inc web page. Note the 'new url

Hi there
An overseas business is seeking representatives in Australia.
Income is USD40'000. No fees asked, no marketing tricks.
Part time so it will not affect your current employment
Are you interested? Visit our one page, no fees asked application form
Take care

Anonymous said...

I got an e-mail recently with similar info but with a different company name: Co-Processing Pty Ltd. Definitely a scam but I think it comes across genuine for the unsuspecting.

Anonymous said...

I got the same one the co-processing pty ltd. March 17th, 2007.

Anonymous said...

The Co-Processing scam was sent to our entire district and possibly the entire state education system teacher's e-mail addresses...

Anonymous said...

I received the Co-processing Pty Ltd. version on 22 Mar 2007. I agree with previous post that it comes across as genuine to the unsuspecting.