Summary
Vague job offer sent via spam; the associated website makes it clear that the job is a money mule scam. There are probably many entities called "BBS Incorporated", but this particular scam just seems to have adopted the name arbitrarily, rather than impersonating anyone. The modus operandi strongly suggests that this is a reincarnation of the ITS Financial Corp scam: key phrases include "hope this message finds you in a great spirit" in the spam, and substantial overlap in the website text. The key difference in modus operandi is the use of image-as-text in this spam, although not all spams received to date are using this technique.
The Spam
The message is presented in a GIF image, accompanied by what appears to be garbled snatches of the Bible to confuse spam-detecting filters. The image is a hyperlink to a website.
Representative image
Links encountered
The following links have been encountered in spam, listed in order of encounter.
- http://www.ryecklunkd.com/index.html
- http://www.bbs-application.net/
- http://bbilagoday.net/index.html
The above is not necessarily an exhaustive list of involved domains -- merely the ones we know about. The list is updated as new domains come to our attention. Please post comments below if you are aware of other domains involved in this scam.
Website
Here is a snapshot of the website taken at around the time this blog entry was first posted.
The following is an excerpt from the website which clearly identifies the job as a money mule scam. (See the links in the left margin of this page for more information about money mule scams.)
Junior Financial Manager vacancy description
We are looking for HONEST and reliable people for this position.
Requirements:
- AUSTRALIA RESIDENTS ONLY (no exceptions)
- reliable Internet/e-mail access (must be able to check e-mail 2-3 times a day)
- checking/savings bank account
- 2-3 hours of free time a week (mainly in non-business hours) for communications
- Adults only (21+)
Persons who are accepted for this position will follow these instructions:
- Receive the funds from either our company or our partners to his/her designated bank account approved by our manager;
- Withdraw the funds, keeping specified money transaction fee as a commission for your services (usually between $150 to $500, no less than $150 per transfer);
- Send the rest of the money to our company and/or our partners via the specified transaction operator.
- Report transaction details back to the manager.
Our preferred money transfer methods are personal/corporate checks, money orders and wire transfers.
Job description
We will send you the funds through one of our money transfer methods from our company and/or our partners directly to you.
Your part of the job is to ensure the clearing of funds, re-sending the money (less your commission) to us/our customers via one of chosen money transfer agencies. This should be done on the same or the next day when the funds are available for transfer (usually 2 business days).
Necessary transaction details will be sent to you via e-mail. You will have it as soon as you confirm availability of the funds. We will start with one transaction to gain the trust for both parties, after the first transfer is done you should express how many transfers you're able to handle every business day. If you're willing to try our program, fill out the form below with your personal information. Every completed form will be reviewed and our manager will contact you in 24 hours.
Domain Information (for experts)
Limited WHOIS information is provided here, primarily for the purposes of trend analysis. Registrant details are included only to the extent that I believe they are relevant and not misleading fabrications.
ryecklunkd.com
Query at around 2007-02-12 21:56 UTC
Domain Name: RYECKLUNKD.COM
Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
Whois Server: whois.melbourneit.com
Referral URL: http://www.melbourneit.com
Name Server: YNS1.YAHOO.COM
Name Server: YNS2.YAHOO.COM
Updated Date: 12-feb-2007
Creation Date: 08-feb-2007
Expiration Date: 08-feb-2008
Admin Email.......... usnoninterd86@yahoo.com
bbs-application.net
Query at around 2007-02-15 02:47 UTC
Domain Name: BBS-APPLICATION.NET
Registrar: ANO REGIONAL NETWORK INFORMATION CENTER DBA RU
Whois Server: whois.nic.ru
Referral URL: http://www.nic.ru
Name Server: NS1.COMRUS.NET
Name Server: NS2.COMRUS.NET
Updated Date: 13-feb-2007
Creation Date: 13-feb-2007
Expiration Date: 13-feb-2008
bbilagoday.net
Query at around 2007-02-17 21:22 UTC
Domain Name: BBILAGODAY.NET
Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
Whois Server: whois.melbourneit.com
Referral URL: http://www.melbourneit.com
Name Server: YNS1.YAHOO.COM
Name Server: YNS2.YAHOO.COM
Updated Date: 08-feb-2007
Creation Date: 08-feb-2007
Expiration Date: 08-feb-2008
Admin Email.......... cgsquallhzj@yahoo.com
7 comments:
We are very appreciated whether you can post the e-mail full headers for each case as evidences, it could help us to shut down the fake web sites quickly, Thanks.
Experts
There are three issues I have with posting full headers.
1. It's more work than it's worth. If you look at my earlier reporting in the iDeceive blog, you'll see that I used to report originating IP addresses for spams. In this case, I could say that the spam originated in Brazil at 201.8.66.222 (201008066222.user.veloxzone.com.br), but it's really not all that useful to know. Most spammers use botnets to distribute their spam, and this is probably one of those cases. That's the single most interesting piece of information in the headers, and it's not that interesting. That's why I don't bother anymore.
2. I don't want to compromise my sources. Many of the scams I post here are sent directly to my public email address, and I'm happy to make them public. When I post them, I only redact false information, such as when someone else's email address appears in the "from" or "to" fields. Some of the stuff I post, including this scam, is directed to me by outside sources. I'm considerably more reticent about posting identifying details in those cases, since I don't want the criminals who execute these scams to be able to identify my sources. I have good reason to believe that this may put them at risk of attack (such as DDoS or Joe Jobs). That's why I run this blog pseudonymously in the first place.
3. The bad guys read this blog. In fact, as far as I know, you are the bad guys. "Experts" indeed. If I post the full email headers here, bad guys can figure out which of the millions of addresses they spam are leaking the information to me, and remove those addresses from their list. The spam-scam continues, but I don't report it anymore.
So no, I won't post full headers here. I disclose information strategically in a way that I believe will maximise the chances of people being warned of scams. The information so disclosed should be enough for any conscientious service provider to pull the plug on the scammers, whether it's domain name service, web hosting, or whatever. If it's not sufficient, then that's not my fault: you're the ones aiding and abeting a crime, not I.
Hello.
I just received the email below which leads to the BBS Inc web page. Note the 'new url http://secretarey.com
Hi there
An overseas business is seeking representatives in Australia.
Income is USD40'000. No fees asked, no marketing tricks.
Part time so it will not affect your current employment
Are you interested? Visit our one page, no fees asked application form http://secretarey.com
Take care
I got an e-mail recently with similar info but with a different company name: Co-Processing Pty Ltd. Definitely a scam but I think it comes across genuine for the unsuspecting.
I got the same one the co-processing pty ltd. March 17th, 2007.
The Co-Processing scam was sent to our entire district and possibly the entire state education system teacher's e-mail addresses...
I received the Co-processing Pty Ltd. version on 22 Mar 2007. I agree with previous post that it comes across as genuine to the unsuspecting.
Post a Comment