
March 8, 2009

Does Microsoft Knowingly Work with Nigerian Scam Group?

Filed under: Internet security — Administrator @ 9:56 am






TOKYO (MacHouse) - An organized scam group circulated a spam message a few hours ago to wrongly implicate the Federal Bureau of Investigation of the United States. The spam message reads as follows:






FEDERAL BUREAU OF INVESTIGATION SEEKING TO WIRETAP THE INTERNET

We sincerely apologize for sending you this sensitive information via e-mail instead of a certified mail, phone call or a face-to-face conversation, it is due to the urgency and importance of the security information involve. In the quest to cushion the effect of the global financial crisis, American government through the Federal Bureau of Investigation (FBI) Washington, DC and the Internet Crime Complaint Center (ic3) has signed an agreement with Nigeria for an immediate release of all overdue funds presently logged in their treasury and ensure it is disbursed to the rightful beneficiaries in any part of the world. If you the beneficiary would adhere to this notification it will help stabilize the various economies of the world and reduce the effect of this depressing recession.

Prior to this agreement our team of security experts has swung into action for transparency and accountability of this periodic project. The Federal Bureau of Investigation (Global Intelligence, Cyber Division) saddled with the responsibility of monitoring activities going on over the internet have discovered your name in the list of unpaid contractors and it might interest you to know that we have conducted a comprehensive investigation on this discovery as stipulated on our protocol of operation and have confirmed that the inheritance fund was endorsed in your favor and it is 100% genuine and hitch free from all facets. You have the lawful right to contact the appropriate authority to claim your payment without further delay.

Further findings revealed that some corrupt ex- government officials are conniving with some officials of Nigeria Federal Ministry of Finance to change your account and transfer your inheritance funds to a strange account in Canada through a man by the name Mr. Andrew Svenkeson who purported to be your cousin, he presented some necessary documentations evidencing your claim purported to have been signed by you for to the release of your contract fund valued USD $10,700,000.00 (Ten million seven hundred thousand United States dollars). (See Screenshot 01.)





Screenshot 01 - Source: MacHouse






We know that this subject is boring. Most recipients are likely to trash the message as it’s easy to tell that it’s a trivial spam message. Nonetheless, we will tell you in a minute why it’s worth spending several minutes analyzing this particular spam campaign.  






Sender’s name: AGENT SHAWN HENRY
Sender’s address: admin@fbi.org
Subject: FEDERAL BUREAU OF INVESTIGATION FBI.WASHINGTON DC.
Reply address: fbi.safetywatch@fedbureau-ofinvestigation.org
Return path: admin@fbi.org






There are a couple of e-mail addresses mentioned in the spam message. One is fbi.safetywatch@fedbureau-ofinvestigation.org. The other one is remittance-department@centbnkng.com. Let’s use VisualRoute 2008 to trace the servers possibly hosting websites that are associated with these spam domains. Screenshots 02-03 indicate that there is no website found at these domains. No, it’s not a matter of changing subdomains.





Screenshot 02 - Source: MacHouse
Screenshot 03 - Source: MacHouse






So why is the return e-mail address designated as fbi.safetywatch@fedbureau-ofinvestigation.org? The same e-mail address even appears in the body of the message. Nothing at fedbureau-ofinvestigation.org may be accessible through port 80, but that doesn’t mean there is no mail server associated with this domain. In fact, this spam domain does exist. As shown in Screenshot 04, it was registered about 11 months ago. Likewise, the domain of centbnkng.com also exists. Interestingly, these two domains were registered through the same company located in Melbourne, Australia: Melbourne IT Ltd (www.melbourneit.com.au). (Screenshot 06 shows the index page of Melbourne IT’s website.)





Screenshot 04 - Source: MacHouse/The Open Rights Group
Screenshot 05 - Source: MacHouse/InterNIC
Screenshot 06 - Source: Melbourne IT






So two spam domains exist. And their mail servers are working. So what!? Well… Let’s find out where their mail servers are hosted. The domain of fedbureau-ofinvestigation.org points to two nameservers, which are ns1.officelive.com and ns2.officelive.com. One is traced to a server with the IP address of 65.55.194.71 and the other to 207.46.222.20. (See Screenshot 07.) According to ARIN, the latter IP address is assigned to Microsoft of One Microsoft Way, Redmond, WA, USA. (See Screenshot 08.) The other IP address is also assigned to the world’s largest software company. Likewise, the domain of ofinvestigation.org points to the same pair of nameservers. (See Screenshot 09.) We might believe Microsoft doesn’t condone spammers. It’s not free Live.com or Hotmail accounts that we are talking about. An organized spammer has mail servers hosted by Microsoft.





Screenshot 07 - Source: MacHouse
Screenshot 08 - Source: MacHouse/ARIN
Screenshot 09 - Source: MacHouse






Where does this organized spam & scam group come from, anyway? Screenshot 10 shows the HTML source code of the spam message wrongly implicating the FBI. It indicates that the immediate source of the message is a server whose IP address is correctly recorded as 74.220.174.10. According to ARIN, this IP address is assigned to a Canadian network company called TDtech Solutions. (Screenshot 11 shows the index page of TDtech Solutions’ website.) Chances are that the spammer used their Webmail. Furthermore, the header also shows that the spammer’s origin is traced to the IP address of 41.211.239.172. According to AfriNIC, this IP address is assigned to an organization in Lagos, Nigeria. (See Screenshot 12.) Again…





Screenshot 10 - Source: MacHouse
Screenshot 11 - Source: TDtech Solutions
Screenshot 12 - Source: MacHouse/AfriNIC
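
The header checks walked through above (sender versus reply address, then the relay chain), written as an added example that is not MacHouse's own code. The addresses, subject and the two IP addresses are the ones quoted in this article; the Received lines, host names and timestamps are constructed, and `domain_of`, `public_ips` and `triage` are hypothetical helper names.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address

# Constructed sample. Addresses, subject and the two IPs are the ones quoted
# in the article; Received lines, host names and dates are invented.
RAW = """\
Return-Path: <admin@fbi.org>
Received: from webmail.example.net (webmail.example.net [74.220.174.10])
\tby mx.recipient.example with ESMTP; Sun, 8 Mar 2009 06:00:00 +0900
Received: from [41.211.239.172] by webmail.example.net with HTTP;
\tSun, 8 Mar 2009 05:59:58 +0900
From: AGENT SHAWN HENRY <admin@fbi.org>
Reply-To: fbi.safetywatch@fedbureau-ofinvestigation.org
Subject: FEDERAL BUREAU OF INVESTIGATION FBI.WASHINGTON DC.

Contact remittance-department@centbnkng.com to claim your payment.
"""

def domain_of(header_value):
    """Lower-cased domain of the first address in a header, or ''."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def public_ips(received):
    """Bracketed IPv4 literals in one Received header that are routable."""
    found = []
    for ip in re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received):
        try:
            if ip_address(ip).is_global:
                found.append(ip)
        except ValueError:  # e.g. [999.1.1.1] in a forged header
            pass
    return found

def triage(raw):
    msg = message_from_string(raw)
    doms = {h: domain_of(msg[h]) for h in ("From", "Reply-To", "Return-Path")}
    # Each relay prepends its Received header, so the last one is the oldest.
    # Only the hop written by the recipient's own server is trustworthy.
    hops = [ip for r in msg.get_all("Received", []) for ip in public_ips(r)]
    contacts = re.findall(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)", msg.get_payload())
    return {
        "domains": doms,
        "reply_to_mismatch": doms["Reply-To"] not in ("", doms["From"]),
        "hops_newest_first": hops,
        "claimed_origin": hops[-1] if hops else None,
        "body_contact_domains": sorted({d.lower() for d in contacts}),
    }
```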






In summary, evidence suggests that this particular spam campaign wrongly implicating the Federal Bureau of Investigation of the United States involves two of the world’s powerful IT groups - Microsoft Corporation and the Nigerian scam group. We might believe Microsoft fights spammers. But it appears that the world’s largest software company actually works for the Nigerian scam group. Does it take a Ph.D. in rocket science to figure out that the domains of fedbureau-ofinvestigation.org and centbnkng.com are used to confuse careless people?






Related stories:

QuickTime Documentation Video: Microsoft Office Live Small Business Assists Nigerian Scam Group





********** ********** ********** ********** ********** ********** ********** **********

MacHouse is not funded by taxpayers' money. We have limited resources. We also need time to sleep and eat just as others do. So we will not act as the international police to contact all victims of website abuse. All you have to do is to subscribe to spam messages and spam posts. If we can, why don't you?






