August 2007 Archives

When Harvey met Sydney

27 August 2007 - 08:15 AM

The money transfer scammer behind the so-called Sydney Car Centre has finally dropped the 'Sydney Car Centre' name (after 26 fake domains) and is now sending spam offering 'vacancies' with The Harvey Investment Company. Note that — as usual — there is a real Harvey Investment Company, which almost certainly has nothing whatsoever to do with this scammer: the scammer's usual practice is to steal the name (and the website design) of a real company, and then reproduce it on multiple, botnet-hosted domains over a period of several weeks.

Money for nothing

26 August 2007 - 07:15 PM

The 'domain renewal' scam has a long — by the standards of the Internet — and dishonorable history. The way that it works is as follows: shortly before one of your Internet domains is due to expire, you get an email message or a letter that looks like a renewal reminder, or even an invoice. Without thinking too much about it, you click the link and pay the bill. What you didn't notice in your hurry is that the sender wasn't actually your current registrar and by falling into the trap you have, at best, paid over the odds and, at worst, put your domain or your credit card at risk.

Continue reading 'Money for nothing'

The fine art of scamming

22 August 2007 - 09:01 AM

A few weeks back, we started seeing a lot of spam promoting sites selling 'Russian art' under the name GorgeousArt. The names of the sites changed from day to day — bodycomponent.com, bodypreparation.com, componentunique.com etc — but all shared the same IP address and content. Each site also referred to a payment processing site called active-bill.com. Both the 'art' sites and the payment processor were covered with not-quite-convincing messages designed to convince visitors of their trustworthiness, but they had something else in common as well: the so-called payment processor was hosted at the same IP address as the 'art' sites.

Continue reading 'The fine art of scamming'

And the flood goes on

14 August 2007 - 08:00 AM

Computerworld's Gregg Keizer has a long, informative article about the PRTH.PK spam run that flooded inboxes with hundreds of millions of spam emails. The article describes the response of the shares (the usual sharp rise and sudden fall) and the measures that Prime Time Group Inc has taken to try to identify the sender. It also confirms that the botnet used to send the spam was previously built through a wave of 'greeting card' spam.

Continue reading 'And the flood goes on'

Bride of Four-One-Nine

13 August 2007 - 07:46 AM

An Australian farmer named Des Gregor is lucky to be alive, after flying to Mali to meet his future 'bride' and collect a handsome dowry in gold. To no one's surprise but his, the beautiful 'Natacha from Liberia' turned out to be four big men with machetes who wanted a dowry of their own.

There's no word on whether the initial contact was made via spam emails, but it's a strong possibility. What's interesting is the way that the scam combined features of two classic scams — 'Russian bride' and 419 — thus playing on both greed and lust. The inclusion of the Russian (or rather Liberian) bride meant that the scammers could get the mark on their home territory and make their play for the big money, rather than having to coax it out of him one pretext at a time.

The story has a happy ending because the Australian police proved to be smarter than both Mr Gregor and his captors, but it could easily have ended up as the ultimate 'Don't buy from spammers' cautionary tale.

Point of attack?

11 August 2007 - 10:27 AM

Researchers at UCSD have published a study of scam hosting practices [PDF, 844K] and come to the conclusion that 94% of all spam messages ultimately reference websites that are each hosted on no more than one server. The authors suggest that more aggressive take-downs of spam-related servers could have an impact on spammer operations.

Continue reading 'Point of attack?'

And now, .fdf

10 August 2007 - 12:26 PM

Stock spammers currently promoting PRTH.PK are continuing to try new variants in the hope of getting through. Some recent spams have included attachments in '.fdf' format (used for fillable PDF forms) and there have also been extensive plaintext floods, using various degrees of obfuscation to try to get around spam filters. Yesterday's flood, which delivered 338 messages to our spam traps, was the largest single-day stock spam run we've seen to date.

PDF flood

09 August 2007 - 09:44 AM

Stock spammers pumping Prime Time Group Inc have released a flood of PDF spam, which some security vendors claim is the largest such flood ever. It's certainly intense: we're seeing hundreds of messages a day, spread across a wide range of addresses. Addresses targeted include a large number of 'non-existent' addresses, including addresses that were created by other spammers for use in 'From:' lines and have now been picked up and are getting spam in their own right.

Continue reading 'PDF flood'

Bits and pieces #3

02 August 2007 - 06:40 AM

A few more tidbits from the front-lines in the war against spam.

Continue reading 'Bits and pieces #3'

