Offshore Outsourcing & Scammer

Blog about offshore outsourcing and scammers in the outsourcing industry

Email Scammer: theglobalconsultantus.com from China

Recently I got forwarded an email with a generic job offer. A job offer without any specification of the position or its requirements is always suspect: companies look for people with specific skills. Only scammers are too lazy to inform themselves and write emails like the following one:

From: GLOBAL EDGE CONSULTANTS [mailto:wang@bmedi.cn]
Sent: Wednesday, May 20, 2015 5:43 PM
Subject: SUBMIT YOUR CV

GLOBAL EDGE CONSULTANTS
6200 Lake Otis Parkway
Suite 201
Anchorage, AK 99507
ALASKA, UNITED STATES OF AMERICA
Email: jobs@theglobalconsultantus.com

ATTN:
We are Job recruitment consultants for SHELL, EXXON MOBIL,CONOCOPHILLIPS OIL & GAS and CHEVRON,We are well known in United States Of America and across Europe,This is to notify you that your qualifications and experiences which you submitted at a job finding site were found suitable for the requirements of CONOCOPHILLIPS OIL & GAS US LIMITED. For verification and screening you are to submit your most recent resume through our e-mail: jobs@theglobalconsultantus.com

Best Regard,
Craig Gormus
Recruitment Manager

If we look at the sender domain, we get an unhelpful registry record from China:

Domain Name: bmedi.cn
ROID: 20040810s10001s02671102-cn
Domain Status: ok
Registrant ID: hc557836351-cn
Registrant: 北京市市政工程设计研究总院
Sponsoring Registrar: 北京万网志成科技有限公司
Name Server: dns7.hichina.com
Name Server: dns8.hichina.com
Registration Time: 2004-08-10 17:58:55
Expiration Time: 2024-08-10 17:58:55
DNSSEC: unsigned

Judging by the registration date and the expiration date, the sender domain may belong to an Internet Service Provider in China.

More interesting is the domain of the reply address given in the email, theglobalconsultantus.com:

Domain Name: THEGLOBALCONSULTANTUS.COM
Registry Domain ID: 1901042750_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.publicdomainregistry.com
Registrar URL: www.publicdomainregistry.com
Updated Date: 2015-04-07T02:32:43Z
Creation Date: 2015-02-05T20:30:32Z
Registrar Registration Expiration Date: 2016-02-05T20:30:32Z
Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Registrar IANA ID: 303
Domain Status: clientTransferProhibited
https://icann.org/epp#clientTransferProhibited
Registry Registrant ID: 
Registrant Name: Tomorrow
Registrant Organization: TC Ltd
Registrant Street: NO.515, Shenfu Rd, XinZhuang   
Registrant City: Shanghai
Registrant State/Province: Shanghai
Registrant Postal Code: 201108
Registrant Country: CN
Registrant Phone: +86.2154424443
Registrant Phone Ext: 
Registrant Fax: 
Registrant Fax Ext: 
Registrant Email: mukuji@mailpick.biz
Registry Admin ID: 
Admin Name: Tomorrow
Admin Organization: TC Ltd
Admin Street: NO.515, Shenfu Rd, XinZhuang  
Admin City: Shanghai
Admin State/Province: Shanghai
Admin Postal Code: 201108
Admin Country: CN
Admin Phone: +86.2154424443
Admin Phone Ext: 
Admin Fax: 
Admin Fax Ext: 
Admin Email: mukuji@mailpick.biz
Registry Tech ID: 
Tech Name: Tomorrow
Tech Organization: TC Ltd
Tech Street: NO.515, Shenfu Rd, XinZhuang  
Tech City: Shanghai
Tech State/Province: Shanghai
Tech Postal Code: 201108
Tech Country: CN
Tech Phone: +86.2154424443
Tech Phone Ext: 
Tech Fax: 
Tech Fax Ext: 
Tech Email: mukuji@mailpick.biz
Name Server: ns1.oworested.com
Name Server: ns2.oworested.com
Name Server: ns3.oworested.com
Name Server: ns4.oworested.com
DNSSEC:Unsigned
Registrar Abuse Contact Email: abuse-contact@publicdomainregistry.com
Registrar Abuse Contact Phone: +1-2013775952
URL of the ICANN WHOIS Data Problem Reporting System: 
http://wdprs.internic.net/
>>>Last update of WHOIS database: 2015-05-20T16:18:14+0000Z<<<
For more information on Whois status codes, please visit https://icann.org/epp

Here we see that the domain was registered in February 2015 to a fake company named TC Ltd. by a person named Tomorrow in Shanghai. When the registration data are already fake, who could believe an offer that does not even describe the job?

Just for fun, let us take a look at the email headers:

Return-path: <wang@bmedi.cn>
Envelope-to: campaigns@deepbluem.com
Delivery-date: Wed, 20 May 2015 12:01:42 -0400
Received: from webmail.bmedi.cn ([211.103.187.179]:34475 helo=bmedi.cn)
                by wdc003.hawkhost.com with esmtp (Exim 4.85)
                (envelope-from <wang@bmedi.cn>)
                id 1Yv6RC-000LXl-8p
                for campaigns@deepbluem.com; Wed, 20 May 2015 12:01:42 -0400
Received: from User (unknown [77.106.163.203])
                by localhost.localdomain (Coremail) with SMTP id fwD__pAbbq7qkFxVQIr3AQ--.1815S3;
                Wed, 20 May 2015 21:50:32 +0800 (CST)
Reply-To: <jobs@theglobalconsultantus.com>
From: "GLOBAL EDGE CONSULTANTS"<wang@bmedi.cn>
Subject: SUBMIT YOUR CV
Date: Wed, 20 May 2015 16:42:40 +0100
MIME-Version: 1.0
Content-Type: text/plain;
                charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-CM-TRANSID:fwD__pAbbq7qkFxVQIr3AQ--.1815S3
Message-Id: <555C9577.0AC3C9.03321@bmedi.cn>
X-CM-SenderInfo: pzdqwqxephvxgofq/
X-EsetId: 37303A296EDFC3676C766A

In the quote above I marked the sender IP in red: it is 77.106.163.203 in the second Received header. A geolocation lookup of that IP address gives Norway, Oppland, Lillehammer, and the ISP is Eidsiva Bredband As.
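The checks the post makes by hand (the originating IP from the Received chain, a Reply-To that points to a different domain than From, and the age of that domain from its WHOIS creation date), as an added Python example that is not from the original post. The header lines and the WHOIS creation date are the ones quoted above; the function names and the 180-day threshold for a "young" domain are my own assumptions.

```python
"""Header and WHOIS triage for the recruitment spam quoted above (added example)."""
import re
from datetime import datetime
from email.utils import parseaddr, parsedate_to_datetime

# Copied from the header dump shown in the post; continuation lines are
# folded with leading whitespace, as in the original.
RAW_HEADERS = """\
Return-path: <wang@bmedi.cn>
Envelope-to: campaigns@deepbluem.com
Received: from webmail.bmedi.cn ([211.103.187.179]:34475 helo=bmedi.cn)
    by wdc003.hawkhost.com with esmtp (Exim 4.85)
    (envelope-from <wang@bmedi.cn>)
    for campaigns@deepbluem.com; Wed, 20 May 2015 12:01:42 -0400
Received: from User (unknown [77.106.163.203])
    by localhost.localdomain (Coremail) with SMTP id fwD__pAbbq7qkFxVQIr3AQ--.1815S3;
    Wed, 20 May 2015 21:50:32 +0800 (CST)
Reply-To: <jobs@theglobalconsultantus.com>
From: "GLOBAL EDGE CONSULTANTS"<wang@bmedi.cn>
Subject: SUBMIT YOUR CV
Date: Wed, 20 May 2015 16:42:40 +0100
"""
# WHOIS "Creation Date" of the Reply-To domain, as shown in the post.
REPLY_DOMAIN_CREATED = "2015-02-05T20:30:32Z"

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_headers(raw):
    """Unfold RFC 5322 headers into an ordered list of (lowercase name, value)."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break                              # end of the header section
        if line[0] in " \t" and headers:       # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers


def first_value(headers, name):
    """Value of the first header with this name, or '' if absent."""
    return next((v for n, v in headers if n == name), "")


def received_chain(headers):
    """Bracketed IPs of all Received headers, top (our MTA) to bottom (first hop).

    Each MTA prepends its own line, so only the top entries come from servers
    we trust; anything below the hop the sender controls can be forged.
    """
    ips = []
    for name, value in headers:
        if name == "received":
            match = IPV4_IN_BRACKETS.search(value)
            ips.append(match.group(1) if match else None)
    return ips


def originating_ip(headers):
    """Client IP recorded by the first hop (the last Received header): a lead, not proof."""
    chain = received_chain(headers)
    return chain[-1] if chain else None


def address_domain(header_value):
    """Domain part of the address in a From:/Reply-To: value, lower-cased."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def reply_to_mismatch(headers):
    """(from_domain, reply_domain, True if replies are steered to another domain)."""
    from_domain = address_domain(first_value(headers, "from"))
    reply_domain = address_domain(first_value(headers, "reply-to"))
    return from_domain, reply_domain, bool(reply_domain) and reply_domain != from_domain


def domain_age_days(whois_created_iso, mail_date_rfc2822):
    """Whole days between the WHOIS creation timestamp and the mail's Date header."""
    created = datetime.fromisoformat(whois_created_iso.replace("Z", "+00:00"))
    return (parsedate_to_datetime(mail_date_rfc2822) - created).days


def triage(raw_headers, reply_domain_created, young_domain_days=180):
    """Run the checks the post does by hand; the 180-day threshold is my choice."""
    headers = parse_headers(raw_headers)
    flags = []
    from_domain, reply_domain, mismatch = reply_to_mismatch(headers)
    if mismatch:
        flags.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    age = domain_age_days(reply_domain_created, first_value(headers, "date"))
    if age < young_domain_days:
        flags.append(f"Reply-To domain was registered only {age} days before the mail")
    return {"originating_ip": originating_ip(headers),  # feed to a geolocation/ASN lookup
            "received_chain": received_chain(headers),
            "reply_domain_age_days": age, "flags": flags}
```

`triage(RAW_HEADERS, REPLY_DOMAIN_CREATED)` returns the Norwegian client IP, the two-hop chain and both flags for this message; the same age check applies to any Reply-To domain once its WHOIS creation date is known.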

Such a "multinational company" with offices in Alaska, China, Norway, etc. cannot afford its own website? That shows the scammers are simply too lazy, because setting up a website takes only a few minutes of work.

As the domain theglobalconsultantus.com was only registered in February this year, we would not expect to find scam reports in Google yet. We try anyway and are surprised:

Google search result for theglobalconsultantus.com


In such a short time they already have 10 fraud reports: the same text, only from different senders. That shows again how lazy the scammers are; they do not even bother to use their brains.


Scammer: solidclix.com - advertchina.com - idvert.com - Latest Mailing Database - e-Market Guruz

Silvia Beri from Italy thought she could save money by buying data from Asia. She did not consider the European data protection law, and as a result she could only get heavily used data, if the data were not fake altogether. In Austria we have a proverb: "Who buys cheap, buys most expensively!" The result is this posting I found on LinkedIn:

Silvia Beri
Affiliate Marketing Manager at Supermoney.eu

Latest Mailing Database and e-Market Guruz total SCAM!

Don't trust these two companies if you have to buy data, they're total scam! 

We asked them for very specific data, they gave us total fake numbers or data which did not correspond to what we asked for, they denied us a refund or never gave it even though they promised it and they accused me of not knowing the format of mobile numbers in Italy (I've been living in Italy since I was born, FYI). You'll lose money and won't get anything good, beware!!!
Vishal Mehta commented on the posting:

Silvia: thanks for the awaring people.
Don't Trust these companies (solidclix.com, idvert.com, advertchina.com) because they are total scam. They are buying traffics but doesn't pay to publishers their money. They signed contract, update credit-apps but they all are dummy. so beware of this and we have uploaded all proofs @ https://www.linkedin.com/pulse/announcement-how-solidclix-malicious-time-payment-vishal-mehta

If we follow the LinkedIn Pulse link, we find what Vishal Mehta published on April 19, 2015:

Announcement: How Solidclix malicious at time of payment
  1. There is a below retention rate report which forwarded by Solidclix to ZoomTraffics and Solidclix has confirmed it. zoomtraffics aff_id is 1770 which is point out into sheet.
    retention rate report which forwarded by Solidclix to ZoomTraffics and Solidclix has confirmed it

  2. There is no contract of 20% retention rate between solidclix media ltd., and zoomtraffics for clash of king offer and zoomtraffics hasn't ever agreed on 0.1$ incent basis payment if zoomtraffics doesn't reach 20% retention rate. There is a below chat discussion which is point out Date and time and AM of solidclix.

    [27-01-2015 13:28:58] Shirley Wang | Solidclix Media LTD: Fine , I can make it open , but the retention rate if under 20 % , we can only pay you as USD 0.10 per installation.

    [27-01-2015 13:29:01] Shirley Wang | Solidclix Media LTD: Is it ok ?

    [27-01-2015 13:29:22] Vishal Mehta: sorry we don't work on terms of retention rate. We only agreed $2.80 payout for each conversion for clash of king.

  3. Zoomtraffics did 15362 conversions for clash of king and the total commission is $43103.60 and solidclix didn't pay to us for clash of king and other offers too. if zoomtraffics quality is not good enough then why kept buying traffics from zoomtraffics till commission did reach $43000. solidclix had to pause the traffics without any confirmation to zoomtraffics but they didn't do that. but at time of payment they didn't reply and didn't confirm but when we are awaring to people about this then they are realized this things and now claiming ZoomTraffics is doing malicious.

    Such kind of things badly disturbs the balance of the industry. There is a below printscreen of solidclix's system report as per zoomtraffics aff_id (1770) related.

    printscreen of solidclix's system report as per zoomtraffics aff_id (1770)
Just wants to aware publishers, agencies, affiliate marketing how solidclix is doing fraud with publisher at time of payment.

We have discussed internally and legal department, would like to take the legal action against dishonest and wrong doing advertisers and affiliate marketing companies.

ZoomTraffics is working with more than +12000 publishers and +400 advertisers and don't need to prove the reality of our traffic's quality because there are above printscreens and our advertisers are also awaring about our quality and reputation.

Just wants to ask people if zoomtraffics is doing malicious then how we can claim our loss because solidclix didn't pay $43000 commission yet that's why we took this steps. we are keen to aware people about this issue. So don't business with them and Be Safe...

A look at the LinkedIn company page of solidclix.com shows that Zoom Traffic offered to settle for half the amount, which solidclix.com did not accept. That shows that solidclix.com really is a fraud company, because sales were made using the data and the result was confirmed by both sides:

SolidClix Media Ltd.

Regarding ZOOMTRAFFICS’s spreading rumors online against Solidclix Media Ltd , please find the attached evidence file that Mr. Vishal and ZOOMTRAFFICS are keeping sending us the threatening emails and messages all the time, even now . We announce hereby that Solidclix completely respect the judgement of readers but we are a professional network which works in transparent and fair way with our cooperators. We always remain modest and prudent. Thank you very much for taking time reading it

Screenshot email from Zoom Traffic to SolidClix

Vishal Mehta commented on this message:

Beware of Idvert, Solidclix and Advertchina They are fraud so don't business with them.... ZoomTraffics owns $43000 commissions and other 39 publishers owns $40000 commission but they aren't pay to any publishers after buying volume traffics. We have got more than 45 posts from different agencies, publishers and networks and they have confirmed solidclix is doing fraud with publishers on terms of retention rate or weekly payment terms basis. We have uploaded each linkedin profile of solidclix and idvert's employees basis so don't business with them, follow it. https://www.linkedin.com/pulse/announcement-beware-fraud-companies-vishal-mehta

This case shows how important a background check is before doing business. If we look at the domain registration of solidclix.com, we see that they are hiding behind a Privacy Protection Service. Such services are normally used only by private individuals. It makes no sense to use a Privacy Protection Service to register the domain and then publish the full address on the website:

SolidClix Media Ltd,.
Address: Room.905 Workingberg Commercial Building, 41-47 Marble Road Hongkong
Email: Team@SolidClix.com

The only explanation in this case is planned fraud. The address also seems to be wrong, because if they use this address, the domain invoice will never arrive at their office.

Some other comments:

https://www.linkedin.com/pulse/announcement-solidclix-wwwsolidclixcom-fraud-company-vishal-mehta?trk=mp-reader-card

Alexander Korolev
BD Pay Per Install / Mobile SDK Solutions – Epom.com

Indeed. I've never heard of retention rate sensitive deals on CPI\CPA stuff, because of unpredictable and unclear performance gauge and metrics on advertiser side.

What if I tell my pubs: "Thanks for these installs guys, but our crew sat down with some beers and we thought that retention rate was uncool for us, so I'm not gonna pay you what you've earned".

Thus, I have a one good rule: always to run a strict and transparent PPI campaigns. No additional deals, tricky "but's" and shady amendments.

I can't say something bad about Solidclix in general, hope that you guys figure out how to get dry of the water.


In addition, a few negative comments about solidclix.com are available:

https://www.linkedin.com/pulse/scam-wwwsolidclixcom-vishal-mehta?trk=mp-reader-card:

Dmitry Kuplevatsky
Entrepreneur, Co-Founder of several online projects

@Vishal, I don't want to escalate this issue, I have signed the agreement and can't disclose the details. The only thing that I can say that I have not received my money in full amount and have not got in time feedback regarding traffic I sent.


https://www.linkedin.com/pulse/scam-wwwsolidclixcom-vishal-mehta?trk=mp-reader-card:

Julia Semenova
WapEmpire.com is looking for direct mobile Advertisers

Got in the same situation. They told us the leads have 0% retention rate 2 months after we were running their CPI campaign. Don't know was it true or not, but either way we lost money because of them.

Fully agree with Vishal Mehta! Unfortunately, got the same issue with solidclicks

Some others, who want to protect solidclix, write that they have already been working with solidclix for a "long time".

These can only be fake comments, because the domain was registered on March 22, 2013, a little more than 2 years ago. People obviously differ in what they understand by a "long time"!


Scamadviser says about idvert.com:

This Site Involves A High Risk Country
Site is Hong Kong based, but may also be from China
Alert Result: This website setup involves countries known to be high risk
Alert Result: This website is likely to be operating from a high risk country

Domain registration data for solidclix.com:

Domain Name: SOLIDCLIX.COM 
Registry Domain ID: 1788066585_DOMAIN_COM-VRSN 
Registrar WHOIS Server: whois.name.com 
Registrar URL: http://www.name.com 
Updated Date: 2015-03-20T16:06:15-06:00Z
Creation Date: 2013-03-22T07:14:18-06:00Z
Registrar Registration Expiration Date: 2016-03-22T07:14:18-06:00Z
Registrar: Name.com, Inc. 
Registrar IANA ID: 625 
Registrar Abuse Contact Email: abuse@name.com 
Registrar Abuse Contact Phone: +1.17203101849 
Reseller: 
Domain Status: clientTransferProhibited 
Registry Registrant ID: 
Registrant Name: Whois Agent 
Registrant Organization: Whois Privacy Protection Service, Inc. 
Registrant Street: PO Box 639 
Registrant City: Kirkland 
Registrant State/Province: WA 
Registrant Postal Code: 98083 
Registrant Country: US 
Registrant Phone: +1.4252740657 
Registrant Fax: +1.4259744730 
Registrant Email: solidclix.com@protecteddomainservices.com 
Registry Admin ID: 
Admin Name: Whois Agent 
Admin Organization: Whois Privacy Protection Service, Inc. 
Admin Street: PO Box 639 
Admin City: Kirkland 
Admin State/Province: WA 
Admin Postal Code: 98083 
Admin Country: US 
Admin Phone: +1.4252740657 
Admin Fax: +1.4259744730 
Admin Email: solidclix.com@protecteddomainservices.com 
Registry Tech ID: 
Tech Name: Whois Agent 
Tech Organization: Whois Privacy Protection Service, Inc. 
Tech Street: PO Box 639 
Tech City: Kirkland 
Tech State/Province: WA 
Tech Postal Code: 98083 
Tech Country: US 
Tech Phone: +1.4252740657 
Tech Fax: +1.4259744730 
Tech Email: solidclix.com@protecteddomainservices.com 
Name Server: ns3cna.domain-resolution.net 
Name Server: ns2dfg.domain-resolution.net 
Name Server: ns4lrt.domain-resolution.net 
Name Server: ns1cnb.domain-resolution.net 
DNSSEC: Unsigned Delegation 
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2015-05-12T22:56:47-06:00 <<< 

Domain registration data for idvert.com:

Domain Name: IDVERT.COM
Registry Domain ID: 3509791_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.name.com
Registrar URL: [link removed]
Updated Date: 2015-01-19T07:19:18-07:00Z
Creation Date: 1998-07-10T04:00:00-06:00Z
Registrar Registration Expiration Date: 2016-07-09T04:00:00-06:00Z
Registrar: Name.com, Inc.
Registrar IANA ID: 625
Registrar Abuse Contact Phone: +1.17203101849
Reseller:
Domain Status: clientTransferProhibited
Registry Registrant ID:
Registrant Name: Liyao Zhang
Registrant Organization: Social Organization
Registrant Street: Shuyuan South RD Tianxinqu Changsha Hunan
Registrant City: Changsha
Registrant State/Province: Hunan
Registrant Postal Code: 411105
Registrant Country: CN
Registrant Phone: +86.18873352333
Registry Admin ID:
Admin Name: Liyao Zhang
Admin Organization: Social Organization
Admin Street: Shuyuan South RD Tianxinqu Changsha Hunan
Admin City: Changsha
Admin State/Province: Hunan
Admin Postal Code: 411105
Admin Country: CN
Admin Phone: +86.18873352333
Registry Tech ID:
Tech Name: Liyao Zhang
Tech Organization: Social Organization
Tech Street: Shuyuan South RD Tianxinqu Changsha Hunan
Tech City: Changsha
Tech State/Province: Hunan
Tech Postal Code: 411105
Tech Country: CN
Tech Phone: +86.18873352333
Name Server: ns3cna.domain-resolution.net
Name Server: ns2dfg.domain-resolution.net
Name Server: ns4lrt.domain-resolution.net
Name Server: ns1cnb.domain-resolution.net
DNSSEC: Unsigned Delegation
URL of the ICANN WHOIS Data Problem Reporting System: [link removed]
>>> Last update of WHOIS database: 2015-05-11T08:41:56-06:00 <<<

Domain registration data for advertchina.com:

Domain Name: ADVERTCHINA.COM 
Registry Domain ID: 1831007901_DOMAIN_COM-VRSN 
Registrar WHOIS Server: whois.name.com 
Registrar URL: http://www.name.com 
Updated Date: 2014-09-22T16:37:55-06:00Z
Creation Date: 2013-10-14T02:54:18-06:00Z
Registrar Registration Expiration Date: 2015-10-14T02:54:18-06:00Z
Registrar: Name.com, Inc. 
Registrar IANA ID: 625 
Registrar Abuse Contact Email: abuse@name.com 
Registrar Abuse Contact Phone: +1.17203101849 
Reseller: 
Domain Status: clientTransferProhibited 
Registry Registrant ID: 
Registrant Name: Whois Agent 
Registrant Organization: Whois Privacy Protection Service, Inc. 
Registrant Street: PO Box 639 
Registrant City: Kirkland 
Registrant State/Province: WA 
Registrant Postal Code: 98083 
Registrant Country: US 
Registrant Phone: +1.4252740657 
Registrant Fax: +1.4259744730 
Registrant Email: advertchina.com@protecteddomainservices.com 
Registry Admin ID: 
Admin Name: Whois Agent 
Admin Organization: Whois Privacy Protection Service, Inc. 
Admin Street: PO Box 639 
Admin City: Kirkland 
Admin State/Province: WA 
Admin Postal Code: 98083 
Admin Country: US 
Admin Phone: +1.4252740657 
Admin Fax: +1.4259744730 
Admin Email: advertchina.com@protecteddomainservices.com 
Registry Tech ID: 
Tech Name: Whois Agent 
Tech Organization: Whois Privacy Protection Service, Inc. 
Tech Street: PO Box 639 
Tech City: Kirkland 
Tech State/Province: WA 
Tech Postal Code: 98083 
Tech Country: US 
Tech Phone: +1.4252740657 
Tech Fax: +1.4259744730 
Tech Email: advertchina.com@protecteddomainservices.com 
Name Server: ns3cna.domain-resolution.net 
Name Server: ns2dfg.domain-resolution.net 
Name Server: ns4lrt.domain-resolution.net 
Name Server: ns1cnb.domain-resolution.net 
DNSSEC: Unsigned Delegation 
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2015-05-12T23:12:26-06:00 <<<

Announcement_ How Solidc...Vishal Mehta _ LinkedIn.pdf (942.19 kb)

SolidClix Media Ltd._ Übersicht _ LinkedIn.pdf (2.06 mb)

Vishal Mehta _ LinkedIn.pdf (8.12 mb)


SPAM from an anti email spammer tool: boxbe.com

A LinkedIn member asked me to reply to his email address. I sent him an email and immediately got a reply from boxbe-notifications@boxbe.com with the following content:

Hello Rudolf Faix,
Your message about "RE: NEW DEFENCE RESEARCH PAPER & BOOK" was waitlisted.
Please add yourself to my Guest List so your messages will be delivered to my Inbox. Use the link below.

Click here to deliver your message

Thank you,
china.research.team@gmail.com
boxbe
Powered by Boxbe -- "End Email Overload"
Boxbe, Inc. | 65 Broadway, Suite 601 | New York, NY 10006
Privacy Policy | Unsubscribe

Final-Recipient: rfc822; china.research.team@gmail.com
Diagnostic-Code: X-Boxbe-Notice; message given low priority. To fix, see accompanying notice.
Status: 4.7.0

As I did not send any message to anybody at the domain @boxbe.com and did not subscribe to anything (see the unsubscribe link under their signature), this email is nothing but SPAM. Following a link in an unsolicited email results in more spam, because it verifies that your email address exists. Therefore I did not click the "Click here to deliver your message" or the "Unsubscribe" link; I simply reported this e-mail as spam. In future I will not receive any messages from them.

Don't expect any answer from me if you want to communicate with me by e-mail and use a service like boxbe.com. I will not even see a confirmation link from boxbe.com in future. If you are too lazy to filter out a few spam messages a week, it would be better to use snail mail instead of e-mail.

The full email headers:

Delivered-To: rudolffaix@gmail.com
Received: by 10.36.40.144 with SMTP id h138csp1291074ith;
        Thu, 2 Apr 2015 03:16:40 -0700 (PDT)
X-Received: by 10.140.216.67 with SMTP id m64mr40519897qhb.6.1427969800053;
        Thu, 02 Apr 2015 03:16:40 -0700 (PDT)
Return-Path: <bounces+rudolffaix=gmail.com@dynect-mailer.net>
Received: from mtaout-204-ewr.sendlabs.com (mtaout-204-ewr.sendlabs.com. [216.146.33.204])
        by mx.google.com with ESMTPS id v32si4526164qge.71.2015.04.02.03.16.39
        for <rudolffaix@gmail.com>
        (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 02 Apr 2015 03:16:40 -0700 (PDT)
Received-SPF: pass (google.com: domain of bounces+rudolffaix=gmail.com@dynect-mailer.net designates 216.146.33.204 as permitted sender) client-ip=216.146.33.204;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of bounces+rudolffaix=gmail.com@dynect-mailer.net designates 216.146.33.204 as permitted sender) smtp.mail=bounces+rudolffaix=gmail.com@dynect-mailer.net;
       dkim=pass (test mode) header.i=@boxbe.com
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=dyn; d=boxbe.com;
 h=Date:From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type:Sender:List-Unsubscribe; i=boxbe-notifications@boxbe.com;
 bh=nKDuo8pxB1J4J6hCaChvgnPI9C4=;
 b=cdwtGiTRGvon01+RJCS+dqntHGWxAp+v8N25wdwkhCu3IuepUzdikg/rUzrbQSEH3lpTqzY3cS24
   3STK+6Eok+6MYxzhQnDk7wJAptLSKxPamb4JHOfmNfDaOoQarlZvGq//UfWxY1s/fZITgFSHevjs
   lKI7t3v+B6M1NcupcJs=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=dynect1213; d=dynect.net;
 h=Date:From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type:Sender:List-Unsubscribe;
 bh=nKDuo8pxB1J4J6hCaChvgnPI9C4=;
 b=Yq4bM7gFViIQ0I7Ub0ED+6h2kQ8Dk+peB+OYSYkAW25NIRT5PGfTIs+zevzZNgg525KpuH/qCs2a
   iccS1xHvPSQwkpl35PxT8X9jwmoSfyIrRQMkRHWqWMmvOVGZB3rQYZJGe94Z6vzLTnVrY3IbnB4U
   MIDMlUodQ12ATNPo278=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=dyn; d=boxbe.com;
 b=LjLN4/7AG2VUDIpuyB+Xj+SJjgwdfWYOBXUD2t/21Y13rlpJmJYvPR//x2njCz0rQtNk63YbDSZf
   TeXc7Lqy036LOHGYgbZ40cFkWBGah/WeSjYlF611QMWNkK63ppfLfeO9meAm/Ny21o8oSFxAIBsA
   ALsgoHYNecI2y38SZ/c=;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=boxbe.com; s=s1;
	t=1427969796; bh=MFvOv6JBBu06WCfwdUusWnzQxr+9B12zOnpolDxkvgs=;
	h=Date:From:Reply-To:To:Subject;
	b=VB2Ib/ijqsmnu3HWvPs+VSrnkxCsXRIMtEfk3M4GeS9fQziNdDiLy6caO4euHEVcF
	 tIQC3HX2Igt0dP9IVVkx8vka2N7xmeKZXpB5Elvc2GV6z7KSLASdaZBFFb28dxe/TX
	 rGnLaj9kpk9YE6pTfOqvHw4Gw8KLaPXJd76DBikc=
Date: Thu, 2 Apr 2015 03:16:36 -0700 (PDT)
From: boxbe-notifications@boxbe.com
Reply-To: china.research.team@gmail.com
To: Rudolf Faix <rudolffaix@gmail.com>
X-DynectEmail-Msg-Key: 20150402101637.07640F0F2130@mail6-01-pao.dynback.net
Message-ID: <977552929.15870.1427969796453.JavaMail.prod@ems-imap01.ny3>
Subject: Re: RE: NEW DEFENCE RESEARCH PAPER & BOOK (Action Requested)
MIME-Version: 1.0
Content-Type: multipart/report; 
	boundary="----=_Part_15869_1801915389.1427969796448"; 
	report-type=delivery-status
Envelope-From: <>
Auto-Submitted: auto-replied
Sender: boxbe-notifications@boxbe.com
X-DynectEmail-Msg-Hash: fRSspyRTfXPA1bNH7n3imVZvebSdS9eyc4kWgmyq9SLBoK2B0cDq/sP+lmBC1F3v2eCnejSeu4OeejcjA6Fc96K38r8qii2AqNEEGQbgd3I=
X-DynectEmail-X-Headers: 
X-Feedback-ID: R29sZFRyYW5WTVRBcw==:477795:315291:dyn06
List-Unsubscribe: <http://unsub.email.dynect.net/unsub??h=fRSspyRTfXPA1bNH7n3imVZvebSdS9eyc4kWgmyq9SLBoK2B0cDq%2FsP%2BlmBC1F3v2eCnejSeu4OeejcjA6Fc96K38r8qii2AqNEEGQbgd3I%3Di=20150402101637.07640F0F2130%40mail6-01-pao.dynback.netx=>, <mailto:unsubscribe@dynect-email.com?subject=fRSspyRTfXPA1bNH7n3imVZvebSdS9eyc4kWgmyq9SLBoK2B0cDq%2FsP%2BlmBC1F3v2eCnejSeu4OeejcjA6Fc96K38r8qii2AqNEEGQbgd3I%3D&message_id=20150402101637.07640F0F2130%40mail6-01-pao.dynback.net&x_headers==>

------=_Part_15869_1801915389.1427969796448
Content-Type: multipart/alternative; 
	boundary="----=_Part_15868_923012810.1427969796447"
Content-Disposition: inline
Content-Description: Notification

The contents of this message require a modern email client
for correct display.  If you are reading this message, it may
be because your reader is without MIME support.
------=_Part_15868_923012810.1427969796447
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

360 Total Security - powerful and free of charge

"360 Total Security" is a free security suite from the Chinese company Qihu (also called Qihoo), which protects your PC from viruses, trojans and other emerging network threats and ensures better performance of your system.

The essential component is the virus scanner, with up to five different engines, including Bitdefender and Avira. Real-time protection ensures that harmful files do not reach your computer.

Whether you are shopping online, downloading files or chatting with your friends you can be sure that 360 Total Security is there to keep you safe and your computer optimized. Clean-up utility is just one click away to keep your PC in optimal condition.


  • Virus Scan
    Integrating award winning antivirus engines from 360 Cloud Engine,360 QVMII, Avira and Bitdefender to provide you with the ultimate in Virus detection and protection capabilities.

  • Protection
    Protection offers 4 different user selectable modes - Performance/Balanced/Security and Custom. Each mode offers a different level of protection from malware, phishing attacks and backdoors.

  • Cleanup
    Cleanup frees your disk space by removing junk files and plugins, which can improve system performance. With Cleanup you can decide which areas and files to clean.

  • Speedup
    Manage and optimize your system services, boot up items and plugins - Shorten your boot time and get going sooner!


You can download 360 Total Security from http://www.360totalsecurity.com/en/download-free-antivirus/360-total-security/


NSA Planted Stuxnet-Type Malware Deep Within Hard Drive Firmware

The U.S. National Security Agency (NSA) may have been hiding highly sophisticated hacking payloads in the firmware of consumer hard drives for the last 15 to 20 years, in a campaign that gives the agency the means to eavesdrop on thousands of targets' computers, according to an analysis by Kaspersky Lab and subsequent reports.


'EQUATION GROUP' BEHIND THE MALWARE

The group of malicious actors was dubbed the "Equation Group" by researchers from Moscow-based Kaspersky Lab, who describe them as "probably one of the most sophisticated cyber attack groups in the world" and "the most advanced threat actor we have seen."

The security researchers have documented 500 infections by the Equation Group and believe that the actual number of victims likely reaches into the tens of thousands, because of a self-destruct mechanism built into the malware.


TOP MANUFACTURERS' HARD DRIVES ARE INFECTED

Russian security experts reportedly uncovered state-created spyware hidden in the hard drive firmware of more than a dozen of the largest manufacturer brands in the industry, including Samsung, Western Digital, Seagate, Maxtor, Toshiba and Hitachi.

These infected hard drives would give the attackers persistence on victims' computers and allow them to set up secret data stores on the machines that are accessible only to the malicious hackers.


UNABLE TO REMOVE THE INFECTION

One of the most sophisticated features of this notorious set of hacking tools is the ability to infect not just the files stored on a hard drive, but also the firmware controlling the hard drive itself. The malware is hidden so deep within the hard drive that it is difficult to detect or remove.

Once the victim inserts such infected storage (for example a CD or USB drive) into an internet-connected PC, the malicious code allows the hackers to snoop on the victim's data and map networks that would otherwise be inaccessible.

Because the malware does not sit in regular storage, it is almost impossible for a victim to get rid of it or even detect it. Such an implant can survive a complete hard drive wipe or the re-installation of an operating system, and "exceeds anything we have ever seen before," the company's researchers wrote in a report.


MORE ADVANCED TECHNIQUES USED BY EQUATION GROUP

The firm recovered two modules belonging to the Equation Group, dubbed EquationDrug and GrayFish. Both were used to reprogram hard drives to give the attackers persistent control over a target machine.

GrayFish can install itself into a computer's boot record — the code that loads before the operating system itself — and stores all of its data inside the part of the operating system known as the registry, where configuration data is normally stored.

 GrayFish architecture - Kaspersky Labs

EquationDrug, on the other hand, was designed for older versions of the Windows operating system, and "some of the plugins were designed originally for use on Windows 95/98/ME", versions of Windows so old that they give a good indication of the Equation Group's age.


TARGETED COUNTRIES AND ORGANISATIONS

The campaign infected tens of thousands of personal computers with one or more of the spying programs in more than 30 countries, with most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria.

The targets included government and military institutions, telecommunication providers, banks and financial institutions, energy companies, nuclear researchers, mass media organisations, and Islamic activists among others.

Equation Group Victims Map - Kaspersky Labs 

'ANCESTOR' OF STUXNET & FLAME

Security researchers are calling the malware the "ancestor" of Stuxnet and Flame, the most sophisticated and powerful threats that were specially designed to spy on and sabotage ICS and SCADA systems.


LINKS TO NSA

Kaspersky declined to publicly name the country or agency behind the spying campaign, but said it was closely linked to Stuxnet — the NSA-led cyberweapon that was used to sabotage Iran's uranium enrichment facility.

Also, these similarities, combined with previously published NSA hard drive exploits, have led many to speculate that the campaign may be part of an NSA program. The NSA is the agency responsible for the global surveillance program uncovered by whistleblower Edward Snowden.

Another reason is that most of the infections discovered by the Moscow-based security firm have occurred in countries that are frequently US spying targets, such as China, Iran, Pakistan and Russia.

Meanwhile, Reuters reported that sources formerly working with the NSA confirmed the agency was responsible for the attacks and had developed espionage techniques at this level.


NSA INVOLVEMENT COULD BE RISKY

If the NSA is found to be involved, the malicious program would have given the agency unprecedented access to the world's computers, even when those computers are disconnected from the outside web. The implants typically activate as soon as a device is plugged in, with no further action required, because they are stored in the hard drive's firmware.

Back in July, independent security researchers discovered a similar exploit targeting USB firmware, dubbed BadUSB, but there was no indication of such implants being developed and deployed by the Equation Group at this scale.

The issue once again raises questions about the device manufacturers' complicity in the program: it would take extensive and sustained reverse engineering to successfully rewrite a hard drive's firmware.

For its part, the NSA declined to comment on the report.