The world has many scammers and our mailboxes are constantly flooded with their tactics. Sadly there are many people who fall for the trap.
We got an email titled “Attention Domain Expiration” from [email protected] today. Reading it carefully, it is a solicitation, but every effort is used to make it look like an INVOICE.
The email was sent from IP address 75.207.161.80 which is owned by Cellco Partnership DBA Verizon Wireless. The mail server that delivered the email is p3plsmtpa06-09.prod.phx3.secureserver.net (173.201.192.110) based in Phoenix, Arizona.
The email states that the hoodooguru.com domain expires on the 9th October and that we should urgently pay $75 to have it registered. The scam artists have brought forward the expiry date to 24th October so as to make you panic and send them your credit card for immediate processing.
The email requests that you proceed to their online payment system at http://domannual.com/order/xxxxxxxxxx. This domain is owned by a “Terry Jackson” of 1565 Benedict Canyon, Beverly Hills. After some further investigation we find that the domains urlannual.com and urldomannual.com are also owned by Mr Jackson. The site is hosted is hosted by Velocity Servers on Ethr.Net LLC network.
There are a couple of more interesting observations.
1) You have no idea about who you are dealing with. There is no company name, phone number or contact on the order form as well as the email. If you actually read the message, they are not even offering domain registration but rather, “search engine registration”, whatever that is.
2) The form claims Secure Online Payment yet the page is all unencrypted with no SSL/https connection.
3) It proudly displays a fraudulent TRUSTe logo to make you believe the site is trusted.
4) It proudly displays a fraudulent Comodo Secured icon to make you believe the connection is encrypted and secure.
5) It proudly displays Visa and Mastercard, American Express and Discover Network.
The form actually submits your your details to another site, iglobalmerchantservices.com.
iglobalmerchantservices.com
This is the main collection site. urlannual.com and urldomannual.com are also redirected to iglobalmerchantservices.com. This site is is owned by Moniker Privacy Services listed in Pompano Beach, Florida. This redirection takes you to an insecure page on port 80. Upon closer inspection, the site also runs an INVALID SSL certificate. This company has only one web page for their whole site. Their grammar is quite good, except on the Retrieve Account Information section they have a field called “Last 4 of Card”. I suspect this form is used to harvest credit card details.
The websites for these domains are hosted on Velocity Servers Inc (Aptos, California) servers at an IP address of 216.83.33.9. The web hosting company obviously is unaware of what their customers are hosting, or they don’t care.
Interestingly all these domains and others all use the same name servers and share the same contact details. cucpa.com admin is associated with monikaprivacy.net and share the Pompano Beach, Florida office. The admin of monikaprivacy.net is associated with oversee.net at 515 S. Flower Street, Suite 4400, Los Angeles who are all, interestingly enough, in the domain registration business.
So, you are probably asking, how is it that people are allowed to operate scams such as this?
I have let the hosting company know, so lets see if they take it down.
Hi,
You can also let TRUSTe know that their seal is being misused. Go to this URL http://watchdog.truste.com/pvr.php?page=complaint, enter the url of the domain misusing the seal. You’ll then get to select the option “Unauthorized use of the TRUSTe seal(s)”. Clicking on “finish” will submit the alert and TRUSTe will take care of the rest.
Hi Sandi,
That’s a very good point, I should have done that.
regards
Steven
They are still operating, and sending scam emails to Australia – how can we stop them?
As of March 13th 2012 they are still scamming!
Same lies and all
The domain has been changed to “urlannualdom.com”. And this Jackson moved to 3.5 miles away from the previous registration address…
I just received one of these scam emails. How can we shut them down?
this is from Hong Kong and i received it too.
and i wonder how did they locate my address and phone number!
Yes, the email from today relates the request to an order number, which increases the implied veracity. it also now refers to SE Services and adds a “Canadian unsubscribe address”: Po Box 5111 Astra, Ontario K0K 3W0
Received the same email today and all websites are still up on 4/9/12. I have sent a copy of all of this to the BH Police dept as well.
Just received one myself (11th April 2012), a pro-forma invoice for $75 for one year’s domain name renewal of my business domain which is not due to expire for two years and which is registered through NetSol. They have picked up the business address details from the public registration details of the domain name.
The small print clearly lies when it states “You have received this message because you elected to receive special notifications and offers for ” because I have made no such request.
Clearly an attempt at fraud and obtaining money by deception and false pretences.
Matt
I just received one
Re: Attn: chinaworks.biz Notice of Registration Soon from [email protected]
Payment at
http://ordertracking476475.com/order/****
takes to
iglobalmerchantservices
They are operating on the following domain now.
securetrans76439.com
As of January 2013, they are using the following domain:
securetrans24432.com
I just got 2 from them and they are now using securetrans08453.com
Amazing how these idiots manage to be smart enough to keep it going.
My client just received the email below. Upon investigating it leads back to Iglobal Merchant Services, which is what led me to this blog..
Thanks for all the confirmation on this page that this is a scam! I’ve already told my client to disregard this email..
Domain Name #############.ORG
Registration Jul 9, 2013 – Jul 9, 2014
Price $75.00
Term 1 Year
Domain: #############.ORG
To: ##############
Don’t miss out on this offer which includes search engine submission for ############.ORG for 12 months. There is no obligation to pay for this order unless you complete your payment by Jul 24, 2013. Our services provide submission and search engine ranking for domain owners. This offer for submission services is not required to renew your domain registration.
Failure to complete your search engine registration by Jul 24, 2013 may result in the cancellation of this order (making it difficult for your customers to locate you using search engines on the web).
Process Payment For
##############.ORG
http://securetransaction38934.com/
http://securetransaction38934.com/order/################
Hi,
They are still operating today just got an email and I knew straight away it was a scam. Unlucky motherfuckers all you got from me was a nice message in your db logs.