Chinese domain scam - revisited
Wednesday, February 20. 2013
Earlier I wrote about an elaborate Chinese scam to shake down money from unsuspecting corporate domain owners.
This time the e-mail didn't specify any URLs of fake companies, nor any fake company names. The e-mail was sent by clark.yang@picweb.net. There is a web site http://www.picweb.net/, which is located in Los Angeles, USA. The content has a lot of references to China. Unsurprisingly, most of the links are either non-existent or are not actually links at all. In particular, the top menu item "Products and Services" is not a link, so they don't actually sell anything. The web site looked like this:
The e-mail for picweb.net is handled by mx168.cn4e.com, which is in the CHINANET Fujian province network. There actually is a mail server at that address, but I don't know whether it handles any e-mail for picweb.net. In the e-mail headers they tried to fake the SMTP route and point the finger at a most likely innocent Chinese IP address. They are not very good at forging headers and the attempt is rather childish.
Also unsurprisingly, the e-mail arrived at Google via the IP address 117.27.141.168, which is in the same network as the previous domain scam e-mail. The above mail server is also in the same ISP's block. They still don't care what kind of cybercrime is going on on their wire.
I'll post the contents of the e-mail here:
(Mail to the brand holder, thanks)
Dear Brand Holder,
We are the department of Asian Domain Registration Service in China. I have something to confirm with you. We formally received an application on February 20, 2013 that a company which self-styled "HongDa International Co.,Ltd" were applying to register "hqcodeshop" as their Net Brand and some domain names through our firm.
Now we are handling this registration, and after our initial checking, we found the name were similar to your company's, so we need to check with you whether your company has authorized that company to register these names. If you authorized this, we will finish the registration at once. If you did not authorize, please let us know within 7 workdays, so that we will handle this issue better. Out of the time limit we will unconditionally finish the registration for "HongDa International Co.,Ltd". Looking forward to your prompt reply.
Best Regards,
Clark Yang
Regional Manager
AnHui Office:
Phone: +86-551 6512 0117
Fax: +86-551 6512 3308
Postal Code:230022
Address:AnGao World Cities,No. 99,WangJiang West Road,HeFei,AnHui Province,China
ShangHai Headquarters:
Postal Code:201315
Address:No.11,Lane 788,Xiupu Road,Nanhui District,ShangHai,China
The e-mail headers are here:
Delivered-To: jatu@hqcodeshop.fi
Received: by 10.64.148.67 with SMTP id tq3csp180927ieb;
Wed, 20 Feb 2013 00:58:50 -0800 (PST)
X-Received: by 10.66.243.169 with SMTP id wz9mr52609194pac.34.1361350730222;
Wed, 20 Feb 2013 00:58:50 -0800 (PST)
Return-Path: <clark.yang@picweb.net>
Received: from mail.umail168.cn4e.com (mail.umail168.cn4e.com. [117.27.141.168])
by mx.google.com with ESMTP id o4si27012995paw.72.2013.02.20.00.58.48;
Wed, 20 Feb 2013 00:58:50 -0800 (PST)
Received-SPF: neutral (google.com: 117.27.141.168 is neither permitted nor denied by best guess record for domain of clark.yang@picweb.net) client-ip=117.27.141.168;
Authentication-Results: mx.google.com;
spf=neutral (google.com: 117.27.141.168 is neither permitted nor denied by best guess record for domain of clark.yang@picweb.net) smtp.mail=clark.yang@picweb.net
Received: from clarkyangpc (localhost.localdomain [127.0.0.1])
by mail.umail168.cn4e.com (Postfix) with SMTP id 9B02BA28004;
Wed, 20 Feb 2013 16:58:46 +0800 (CST)
Received: from clarkyangpc (unknown [124.73.90.238])
by mail.umail168.cn4e.com (Postfix) with ESMTPA;
Wed, 20 Feb 2013 16:58:46 +0800 (CST)
From: "Clark Yang"<clark.yang@picweb.net>
To:
Subject: "hqcodeshop" Net Brand and domain name registration
Date: Wed, 20 Feb 2013 17:00:53 +0800
Message-Id: <DM__130220165401_37568426463@mail.picweb.net>
MIME-Version: 1.0
Content-Type: multipart/related;
boundary="----=_NextPart_13022017005237571425618_001"
X-Priority: 1
X-Mailer: DreamMail 4.6.9.2
Disposition-Notification-To: clark.yang@picweb.net
Yet again I reported this scam to Google. Looks like they are powerless against these ones.
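A way to read such a header chain programmatically, as an added example that is not part of the original post: it walks the Received lines newest-first, trusts only the hop stamped by your own provider's MX (assumed here to be mx.google.com) and treats every hop below it as sender-controlled text. The sample input is the header block quoted above, re-folded the way it appears in the raw message.

```python
import re

# Sample input: the Received / Received-SPF headers quoted in the post above.
RAW_HEADERS = """\
Received: from mail.umail168.cn4e.com (mail.umail168.cn4e.com. [117.27.141.168])
 by mx.google.com with ESMTP id o4si27012995paw.72.2013.02.20.00.58.48;
 Wed, 20 Feb 2013 00:58:50 -0800 (PST)
Received-SPF: neutral (google.com: 117.27.141.168 is neither permitted nor denied by best guess record for domain of clark.yang@picweb.net) client-ip=117.27.141.168;
Received: from clarkyangpc (localhost.localdomain [127.0.0.1])
 by mail.umail168.cn4e.com (Postfix) with SMTP id 9B02BA28004;
 Wed, 20 Feb 2013 16:58:46 +0800 (CST)
Received: from clarkyangpc (unknown [124.73.90.238])
 by mail.umail168.cn4e.com (Postfix) with ESMTPA;
 Wed, 20 Feb 2013 16:58:46 +0800 (CST)
"""

# Receiving hosts whose Received lines we trust (assumption: our own provider's MX).
TRUSTED_MTAS = {"mx.google.com"}

def unfold(raw):
    """Join RFC 5322 continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines

def trace_origin(raw, trusted=TRUSTED_MTAS):
    """Return (origin_ip, spf_client_ip, unverified_ips)."""
    # Newest-first: the connecting IP in the first hop stamped by a trusted MTA is the
    # only origin we can vouch for; hops below it are text the sender's server wrote.
    origin, unverified, spf_ip = None, [], None
    for h in unfold(raw):
        if h.startswith("Received-SPF:"):
            m = re.search(r"client-ip=([\d.]+)", h)
            spf_ip = m.group(1) if m else None
            continue
        if not h.startswith("Received:"):
            continue
        frm = re.search(r"\[([\d.]+)\]", h)
        by = re.search(r"\bby\s+(\S+)", h)
        if not frm:
            continue  # hop without a connecting IP (e.g. a provider-internal relay)
        if origin is None and by and by.group(1) in trusted:
            origin = frm.group(1)
        elif origin is not None:
            unverified.append(frm.group(1))
    return origin, spf_ip, unverified
```

For this message the verified origin and the SPF client-ip agree on 117.27.141.168, while 127.0.0.1 and 124.73.90.238 come only from the sender-written hops and prove nothing about where the mail really came from.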
Andy on :
My email is identical to yours, except it's from "Alice Yang" at picweb.net. As is typical of many scam emails, the date sent was spoofed, to 2/26/2012. I guess they don't know what year it is...
I looked at their website at picweb.net, then googled some text from the About Us page at picweb.net/About us.html. I found a nearly identical page and site at pecnetwork.org, where the only things that are different are the "company" name and the graphic on the top left.
If you google some of the text from their About Us page ("was established in 2008, as a leading provider of services in domain ") you'll find many references to the company in various Chinese directories.
The text from these websites is also identical to that found on ZoomInfo (zoominfo.com/#!search/profile/person?personId=84425907&targetid=profile), and associated with "Rev. Dr. Peter K.H. Wong" who seems to have had an interesting career, going from "Program Coordinator" at Crosstown Camera Club in Minnesota to Pastor in Honolulu, Cleveland and San Francisco to "Country Manager , Enterprise Sales" at Verizon Enterprise Solutions.
(As a side note, I now know that in order to have advanced farther in my career I apparently should have gone to divinity school instead of majoring in engineering.)
Rev. Dr. Wong is now listed as "Senior Consultant" at "PC Solutions Limited" (p-cn.org) in China which, to complete the circle, has the same company description text as pecnetwork.org and picweb.net. There is no website at p-cn.org. (See zoominfo.com/#!search/profile/company?companyId=355933613&targetid=profile)
Rev. Dr. Wong has what appears to be a current profile at San Francisco Chinese Alliance Church english.sfcac.org/index.php/about-us/our-staff but it doesn't mention his IT achievements.
I'm wondering if the Rev. Dr. is the one at the heart of this scam? Or possibly his biography and photo were hijacked by the scammers?
Unfortunately I have to do some "real" engineering work today, so I can't research this further...