Profit From Home Academy Scam/Spam



JustTooMuchTime
04-13-2013, 05:52 PM
Got spammed with Profit From Home Academy the other day from somebody who had their account hacked. Looks like the countries involved are Ukraine, China, and Georgia. I've seen credit card theft rings from the countries that set up fake bizopp sites. I didn't catch anything like that with this one so far, but I'm still looking into it.

It's the usual bizopp scam-sales page used for boiler-room lead generation.
http://i1242.photobucket.com/albums/gg536/Paul_Schlegel/Coaching%20Program%20Lead%20Gen%20Sites/Profit%20From%20Home%20Academy/profit-from-home-academy-header_zpsf54eeff6.png (http://s1242.photobucket.com/user/Paul_Schlegel/media/Coaching%20Program%20Lead%20Gen%20Sites/Profit%20From%20Home%20Academy/profit-from-home-academy-header_zpsf54eeff6.png.html)

The site spammed to my email is hosted in Georgia (the country).
http://i1242.photobucket.com/albums/gg536/Paul_Schlegel/Coaching%20Program%20Lead%20Gen%20Sites/Profit%20From%20Home%20Academy/maikaprint-ge_zpsa4bd88c4.png (http://s1242.photobucket.com/user/Paul_Schlegel/media/Coaching%20Program%20Lead%20Gen%20Sites/Profit%20From%20Home%20Academy/maikaprint-ge_zpsa4bd88c4.png.html)

That site redirected to a fake news site which triggered an intrusion alert attempt from Norton...
http://i1242.photobucket.com/albums/gg536/Paul_Schlegel/Coaching%20Program%20Lead%20Gen%20Sites/Profit%20From%20Home%20Academy/profit-from-home-academy-com-fake-survey_zpsc742006f.png (http://s1242.photobucket.com/user/Paul_Schlegel/media/Coaching%20Program%20Lead%20Gen%20Sites/Profit%20From%20Home%20Academy/profit-from-home-academy-com-fake-survey_zpsc742006f.png.html)

The Profit-From-Home-Academy.com site ICANN registrar is the CENTER OF UKRAINIAN INTERNET NAMES
http://i1242.photobucket.com/albums/gg536/Paul_Schlegel/Coaching%20Program%20Lead%20Gen%20Sites/Profit%20From%20Home%20Academy/profit-from-home-academy-ICANN-registrarPNG_zpsc0026c26.png (http://s1242.photobucket.com/user/Paul_Schlegel/media/Coaching%20Program%20Lead%20Gen%20Sites/Profit%20From%20Home%20Academy/profit-from-home-academy-ICANN-registrarPNG_zpsc0026c26.png.html)

The Profit From Home Academy is listed with a fake U.S. address. The email address is associated with numerous other questionable sites (more on that later).
http://i1242.photobucket.com/albums/gg536/Paul_Schlegel/Coaching%20Program%20Lead%20Gen%20Sites/Profit%20From%20Home%20Academy/Profit-From-Home-Academy-Com-Whois_zpsdcb7f127.png (http://s1242.photobucket.com/user/Paul_Schlegel/media/Coaching%20Program%20Lead%20Gen%20Sites/Profit%20From%20Home%20Academy/Profit-From-Home-Academy-Com-Whois_zpsdcb7f127.png.html)

Privacy protection for profit-from-home-academy.com's nameserver (webnsweb.com) is listed as being from China.
http://i1242.photobucket.com/albums/gg536/Paul_Schlegel/Coaching%20Program%20Lead%20Gen%20Sites/Profit%20From%20Home%20Academy/webnsweb-com-whois_zps260bdb07.png (http://s1242.photobucket.com/user/Paul_Schlegel/media/Coaching%20Program%20Lead%20Gen%20Sites/Profit%20From%20Home%20Academy/webnsweb-com-whois_zps260bdb07.png.html)

Profit-From-Home-Academy.com is using the site securely-checkout-now.com for its order page:
http://i1242.photobucket.com/albums/gg536/Paul_Schlegel/Coaching%20Program%20Lead%20Gen%20Sites/Profit%20From%20Home%20Academy/securely-checkout-now-com-URL_zps421a54d5.png (http://s1242.photobucket.com/user/Paul_Schlegel/media/Coaching%20Program%20Lead%20Gen%20Sites/Profit%20From%20Home%20Academy/securely-checkout-now-com-URL_zps421a54d5.png.html)

securely-checkout-now.com uses the same nameserver as profit-from-home-academy.com:
http://i1242.photobucket.com/albums/gg536/Paul_Schlegel/Coaching%20Program%20Lead%20Gen%20Sites/Profit%20From%20Home%20Academy/profit-from-home-academy-ICANN-registrarPNG_zpsc0026c26.png (http://s1242.photobucket.com/user/Paul_Schlegel/media/Coaching%20Program%20Lead%20Gen%20Sites/Profit%20From%20Home%20Academy/profit-from-home-academy-ICANN-registrarPNG_zpsc0026c26.png.html)

securely-checkout-now.com also moves through IPs from 3 different countries - Germany, Russia, & the Netherlands - in under 30 days.
http://i1242.photobucket.com/albums/gg536/Paul_Schlegel/Coaching%20Program%20Lead%20Gen%20Sites/Profit%20From%20Home%20Academy/webnsweb-com-ip-moving_zps5a230d6d.png (http://s1242.photobucket.com/user/Paul_Schlegel/media/Coaching%20Program%20Lead%20Gen%20Sites/Profit%20From%20Home%20Academy/webnsweb-com-ip-moving_zps5a230d6d.png.html)

JustTooMuchTime
04-13-2013, 06:24 PM
Forgot to post the IPs associated with securely-checkout-now.com above. Here they are along with the country movement:
http://i1242.photobucket.com/albums/gg536/Paul_Schlegel/Coaching%20Program%20Lead%20Gen%20Sites/Profit%20From%20Home%20Academy/securely-checkout-now-com-server-history_zps040a64c7.png (http://s1242.photobucket.com/user/Paul_Schlegel/media/Coaching%20Program%20Lead%20Gen%20Sites/Profit%20From%20Home%20Academy/securely-checkout-now-com-server-history_zps040a64c7.png.html)

http://i1242.photobucket.com/albums/gg536/Paul_Schlegel/Coaching%20Program%20Lead%20Gen%20Sites/Profit%20From%20Home%20Academy/webnsweb-com-ip-moving_zps5a230d6d.png (http://s1242.photobucket.com/user/Paul_Schlegel/media/Coaching%20Program%20Lead%20Gen%20Sites/Profit%20From%20Home%20Academy/webnsweb-com-ip-moving_zps5a230d6d.png.html)

JustTooMuchTime
04-13-2013, 07:10 PM
The majority of the following sites hosted on IP 94.62.14.20 all use the same email address - edwardjohnson1908734@ymail.com - as profit-from-home-academy.com

I would assume many of the sites in the list are dangerous to visit.


JustTooMuchTime
04-13-2013, 07:32 PM
2 more email addresses (in addition to edwardjohnson1908734@ymail.com) are associated with some of the domains on IP 94.62.14.20

http://i1242.photobucket.com/albums/gg536/Paul_Schlegel/Coaching%20Program%20Lead%20Gen%20Sites/Profit%20From%20Home%20Academy/94621420-email-addresses_zpsd0167d59.png (http://s1242.photobucket.com/user/Paul_Schlegel/media/Coaching%20Program%20Lead%20Gen%20Sites/Profit%20From%20Home%20Academy/94621420-email-addresses_zpsd0167d59.png.html)

It looks like the total number of connected domains so far here is 4167

JustTooMuchTime
04-16-2013, 11:26 AM
Another name - Victor Petrenko at altsrv@gmail.com has popped up with connections to hundreds more domains:
VladislavPetrenko_zps188a915d.png Photo by Paul_Schlegel | Photobucket (http://s1242.photobucket.com/user/Paul_Schlegel/media/Coaching%20Program%20Lead%20Gen%20Sites/Profit%20From%20Home%20Academy/VladislavPetrenko_zps188a915d.png.html?sort=3&o=0)

JustTooMuchTime
04-16-2013, 12:28 PM
Another name - Victor Petrenko at altsrv@gmail.com has popped up with connections to hundreds more domains:

Fixing the embed:

http://i1242.photobucket.com/albums/gg536/Paul_Schlegel/Coaching%20Program%20Lead%20Gen%20Sites/Profit%20From%20Home%20Academy/VladislavPetrenko_zps188a915d.png (http://s1242.photobucket.com/user/Paul_Schlegel/media/Coaching%20Program%20Lead%20Gen%20Sites/Profit%20From%20Home%20Academy/VladislavPetrenko_zps188a915d.png.html)

JustTooMuchTime
04-16-2013, 12:31 PM
The altsrv@gmail.com has led to another name being used - Olga Golubeva - and another email address being used - o.golubewa2013@yanex.ru - and about 5,000 additional domains...

http://i1242.photobucket.com/albums/gg536/Paul_Schlegel/Coaching%20Program%20Lead%20Gen%20Sites/Profit%20From%20Home%20Academy/Olga_zpsd04667f1.png (http://s1242.photobucket.com/user/Paul_Schlegel/media/Coaching%20Program%20Lead%20Gen%20Sites/Profit%20From%20Home%20Academy/Olga_zpsd04667f1.png.html)

http://i1242.photobucket.com/albums/gg536/Paul_Schlegel/Coaching%20Program%20Lead%20Gen%20Sites/Profit%20From%20Home%20Academy/olga-4525-domains_zps8a718614.png (http://s1242.photobucket.com/user/Paul_Schlegel/media/Coaching%20Program%20Lead%20Gen%20Sites/Profit%20From%20Home%20Academy/olga-4525-domains_zps8a718614.png.html)

JustTooMuchTime
04-16-2013, 03:01 PM
The Arthor Brown email address mentioned earlier - arthor-brown289289@gmail.com - leads to another email address, zenghai@hotmail.com, and domains using the name zeng hai.

http://i1242.photobucket.com/albums/gg536/Paul_Schlegel/Coaching%20Program%20Lead%20Gen%20Sites/Profit%20From%20Home%20Academy/zenghai-at-hotmail-com_zps797286a3.png (http://s1242.photobucket.com/user/Paul_Schlegel/media/Coaching%20Program%20Lead%20Gen%20Sites/Profit%20From%20Home%20Academy/zenghai-at-hotmail-com_zps797286a3.png.html)
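
The pivoting done by hand in the posts above (shared registrant email, shared nameserver, shared IP, and hosting that changes country in under 30 days) can be written as a small clustering routine. This is an added example, not part of the original posts; every domain, address, IP and date in it is a constructed placeholder, and the function names are hypothetical.

```python
from collections import defaultdict
from datetime import date

# Constructed registration/hosting records (placeholders, not data from the thread).
RECORDS = {
    "shop-a.example": {"email": "reg1@example.org", "ns": "ns1.dns-x.example", "ip": "192.0.2.10"},
    "news-b.example": {"email": "reg1@example.org", "ns": "ns1.dns-y.example", "ip": "192.0.2.10"},
    "pay-c.example":  {"email": "reg2@example.org", "ns": "ns1.dns-x.example", "ip": "198.51.100.7"},
    "diet-d.example": {"email": "reg3@example.org", "ns": "ns1.dns-z.example", "ip": "198.51.100.7"},
    "blog-e.example": {"email": "reg9@example.org", "ns": "ns1.dns-q.example", "ip": "203.0.113.5"},
}
# Constructed hosting observations for one domain: (date seen, country of the IP).
HISTORY = [(date(2013, 1, 2), "DE"), (date(2013, 3, 15), "DE"),
           (date(2013, 3, 24), "RU"), (date(2013, 4, 8), "NL")]

def cluster(records, keys=("email", "ns", "ip"), ignore=frozenset()):
    """Group domains that share any pivot value; `ignore` holds values too
    common to mean anything (shared-hosting IPs, large DNS providers)."""
    parent = {d: d for d in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}
    for domain, attrs in records.items():
        for key in keys:
            value = (attrs.get(key) or "").lower()
            if not value or value in ignore:
                continue
            owner = first_seen.setdefault((key, value), domain)
            parent[find(domain)] = find(owner)  # merge the two clusters
    groups = defaultdict(list)
    for d in records:
        groups[find(d)].append(d)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))

def max_countries_in_window(history, days=30):
    """Largest number of distinct hosting countries seen within any `days` span."""
    history = sorted(history)
    best = 0
    for i, (start, _) in enumerate(history):
        seen = {c for d, c in history[i:] if (d - start).days < days}
        best = max(best, len(seen))
    return best

if __name__ == "__main__":
    print(cluster(RECORDS))
    print(cluster(RECORDS, ignore={"198.51.100.7"}))
    print(max_countries_in_window(HISTORY))
```

Passing a shared-hosting IP in `ignore` shows how one over-broad pivot can pull an unrelated domain into a cluster, which is worth checking before treating a large linked set as one operator.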

scratchycat
05-09-2013, 10:41 AM
Some good research you have done on these articles, JTM!! With all those domains they can fill half the internet with bugs.

JustTooMuchTime
05-25-2013, 11:26 PM
And the Profit-From-Home-Academy.com website is officially gone...

http://i1242.photobucket.com/albums/gg536/Paul_Schlegel/Coaching%20Program%20Lead%20Gen%20Sites/Profit%20From%20Home%20Academy/Profit-From-Home-Academy-Com-Gone_zps54b97183.png (http://s1242.photobucket.com/user/Paul_Schlegel/media/Coaching%20Program%20Lead%20Gen%20Sites/Profit%20From%20Home%20Academy/Profit-From-Home-Academy-Com-Gone_zps54b97183.png.html)