The Latest in IT Security

Fake jobs: hire-position.com and work-position.net

25 Sep 2011

Two new fake job domains with a twist, possibly from the same scammers who are behind this long-running spam/scam campaign.

hire-position.com
work-position.net

Domains were registered just yesterday via a Russian registrar to an address in Spain which is most likely fake:

    Ivan Gonsalez
    Email: [email protected]
    Organization: Ivan Gonsalez
    Address: P. de Extremadura 151
    City: Madrid
    State: Madrid
    ZIP: 28011
    Country: ES
    Phone: +34.914641145

This rabbit hole goes a bit deeper than usual, because the [email protected] email address has been used before, for the domain girsland.ru:

    domain: GIRSLAND.RU
    nserver: ns1.strategy-recruiting.org.
    nserver: ns2.strategy-recruiting.org.
    state: REGISTERED, DELEGATED, UNVERIFIED
    person: Private Person
    e-mail: [email protected]
    registrar: REGTIME-REG-RIPN
    created: 2011.07.26
    paid-till: 2012.07.26
    source: TCI

Girsland.ru has a reputation for being spammy and it looks like a typical romance scam site. As with hire-position.com and work-position.net, it's odd that a Spanish address is being used for domains that are either under a Russian TLD or registered through a Russian registrar.

Girsland.ru is hosted on 173.234.8.215 at Ubiquity Server Solutions Atlanta, although it looks like the IP block might be rented out to a company called Nobis Technology Group LLC in Arizona. There are some nasty things going on in that IP neighbourhood according to SiteVet.

What else can we find on 173.234.8.215? It turns out that there’s a rich vein of nastiness here.

actionfg.com – “Action Financial. All of your financial services in one place.”
Chinese registrar, fake WHOIS details. Fake check scam. [1] [2]
    Michael L. Walter
    Michael Walter [email protected]
    fax: 314-849-7011
    2523 Ash Avenue
    Saint Louis MO 63126
    us
    NS: ns1.wapcco.net and ns2.wapcco.net

adena-job.com.
Chinese registrar, fake WHOIS details. Fake job offers. [3]
    Name: Ana Bates
    Organization: Ana N. Bates
    Address: 789 Pinchelone Street
    City: Herndon
    Province/state: VA
    Country: us
    Postal Code: 22090
    Email: [email protected]
    NS: ns1.needafishingboat.net and ns2.needafishingboat.net

adenafinance.com – “Adena Finance. All of your financial services in one place.”
Chinese registrar, fake WHOIS details.

    Eric M. Dillinger
    Eric Dillinger [email protected]
    +1.5305125808 fax: +1.5305125808
    1467 Hill Croft Farm Road
    Sacramento CA 95814
    us
    NS: ns1.needafishingboat.net and ns2.needafishingboat.net

arrowfg.com – “Arrow Financial Group”
Chinese registrar, fake WHOIS details. Money mule scam [4] [5]
    William K. Breen
    William Breen [email protected]
    fax: 606-542-3922
    62 Meadowcrest Lane
    Flat Lick KY 40982
    us
    NS: ns1.careerhiring-solutions.org and ns2.careerhiring-solutions.org

freeblogpro.org – “Surprise!!!”
Chinese registrar, fake WHOIS details. Malware distribution. [6] [7]
    Registrant ID:TOD-42629838
    Registrant Name:Gertrude Mcmillan
    Registrant Organization:Gertrude D. Mcmillan
    Registrant Street1:250 Reynolds Alley
    Registrant Street2:
    Registrant Street3:
    Registrant City:Long Beach
    Registrant State/Province:CA
    Registrant Postal Code:90808
    Registrant Country:US
    Registrant Phone:+1.5623772946
    Registrant Phone Ext.:
    Registrant FAX:+1.5623772946
    Registrant FAX Ext.:
    Registrant Email:[email protected]
    NS: NS1.SLOWSTATUS.NET and NS2.SLOWSTATUS.NET

krokodilius8.com
Chinese registrar, fake WHOIS details. Malware distribution. [8]

    Richard J. Aguilar
    Richard Aguilar [email protected]
    +1.2523933705 fax: +1.2523933705
    3458 Green Acres Road
    Swansboro NC 28584
    us
    NS: ns1.barcellons.com and ns2.barcellons.com

rdm-gool.net – “Surprise!!!”
Chinese registrar, fake WHOIS details. Probably malware distribution.
    Lincoln P. Miller
    Lincoln Miller [email protected]
    +1.4156774378 fax: +1.4156774378
    813 Boring Lane
    San Francisco CA 94108
    us
    NS: ns1.slowstatus.net and ns2.slowstatus.net

recruitarrowfg.com
Chinese registrar, fake WHOIS details. Fake job offers [9] [10]
    Name: Fletcher Leach
    Organization: Fletcher C. Leach
    Address: 180 Deer Ridge Drive
    City: Millburn
    Province/state: NJ
    Country: us
    Postal Code: 07041
    Email: [email protected]
    NS: ns1.careerhiring-solutions.org and ns2.careerhiring-solutions.org

superblogonline.org – “Surprise!!!”
Chinese registrar, fake WHOIS details. Malware distribution [11] [12]
    Registrant ID:TOD-42637428
    Registrant Name:Ernest Thomas
    Registrant Organization:Ernest R. Thomas
    Registrant Street1:228 Riverside Drive
    Registrant Street2:
    Registrant Street3:
    Registrant City:Athens
    Registrant State/Province:GA
    Registrant Postal Code:30606
    Registrant Country:US
    Registrant Phone:+1.7068186834
    Registrant Phone Ext.:
    Registrant FAX:+1.7068186834
    Registrant FAX Ext.:
    Registrant Email:[email protected]
    NS: NS1.SLOWSTATUS.NET and NS2.SLOWSTATUS.NET

thebloggin.net – “Surprise!!!”
Chinese registrar, fake WHOIS details. Malware distribution [13] [14]
    Justin R. Martinez
    Justin Martinez [email protected]
    +1.3235224026 fax: +1.3235224026
    2898 Evergreen Lane
    Pomona CA 91766
    us
    NS: ns1.slowstatus.net and ns2.slowstatus.net

yourtraveldiary.net – “Surprise!!!”
Chinese registrar, fake WHOIS details. Malware distribution [15]
    Name: Paula Huerta
    Organization: Paula A. Huerta
    Address: 3993 Payne Street
    City: Hillsville
    Province/state: VA
    Country: us
    Postal Code: 24343
    Email: [email protected]
    NS: ns1.slowstatus.net and ns2.slowstatus.net

Querying the nameservers reveals some more domains that look worth blocking as well. In total, blocking the following related domains will probably be a very good thing to do.

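The nameserver pivot used above, as an added example (not the author's code): it groups the WHOIS records quoted in this post by the parent domain of their nameservers, then matches DNS query names against the resulting blocklist on label boundaries. The function names and the sample query names are constructed for illustration, and the two-label parent-domain rule is an assumption that holds only for the .com/.net/.org names shown here.

```python
from collections import defaultdict

# Domain -> nameservers, copied from the WHOIS records quoted in this post.
WHOIS_NS = {
    "actionfg.com": ("ns1.wapcco.net", "ns2.wapcco.net"),
    "adena-job.com": ("ns1.needafishingboat.net", "ns2.needafishingboat.net"),
    "adenafinance.com": ("ns1.needafishingboat.net", "ns2.needafishingboat.net"),
    "arrowfg.com": ("ns1.careerhiring-solutions.org", "ns2.careerhiring-solutions.org"),
    "recruitarrowfg.com": ("ns1.careerhiring-solutions.org", "ns2.careerhiring-solutions.org"),
    "freeblogpro.org": ("NS1.SLOWSTATUS.NET", "NS2.SLOWSTATUS.NET"),
    "krokodilius8.com": ("ns1.barcellons.com", "ns2.barcellons.com"),
    "rdm-gool.net": ("ns1.slowstatus.net", "ns2.slowstatus.net"),
    "superblogonline.org": ("NS1.SLOWSTATUS.NET", "NS2.SLOWSTATUS.NET"),
    "thebloggin.net": ("ns1.slowstatus.net", "ns2.slowstatus.net"),
    "yourtraveldiary.net": ("ns1.slowstatus.net", "ns2.slowstatus.net"),
}

def normalize(name):
    """Lower-case and drop the root dot so WHOIS and DNS-log spellings compare equal."""
    return name.strip().rstrip(".").lower()

def ns_parent(ns_host):
    """Parent domain of a nameserver host. Assumption: two-label registrable
    domains (true for every record above); no public-suffix handling."""
    return ".".join(normalize(ns_host).split(".")[-2:])

def cluster_by_nameserver(records):
    """Map each nameserver parent domain to the sorted domains it serves."""
    clusters = defaultdict(set)
    for domain, nameservers in records.items():
        for ns in nameservers:
            clusters[ns_parent(ns)].add(normalize(domain))
    return {parent: sorted(members) for parent, members in clusters.items()}

def build_blocklist(records):
    """Nameserver parent domains plus every domain they serve."""
    clusters = cluster_by_nameserver(records)
    return set(clusters) | {d for members in clusters.values() for d in members}

def is_blocked(qname, blocklist):
    """True if qname or any parent domain is listed (label-boundary suffix match)."""
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

if __name__ == "__main__":
    blocklist = build_blocklist(WHOIS_NS)
    # Constructed DNS query names, not taken from the post.
    for q in ("NS2.SlowStatus.net.", "www.arrowfg.com", "notslowstatus.net"):
        print(q, is_blocked(q, blocklist))
```

Matching on whole labels means a subdomain of a listed domain is caught while an unrelated name that merely ends in the same characters is not.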
