Friday, April 1, 2011

Yet Another Text Spammer (Part Two)

Here is the original post on the topic of this text spammer.


Until recently, the email address where you were supposed to send your personal information - market.dir@o2.co.uk - did not respond to inquiries. Only the original contact email - 4882@o2.co.uk - replied to any questions.


However, that has changed with a name and a new phone number added to this story. Several days ago, a friend sent an email to market.dir@o2.co.uk with a question regarding sending his details and received a reply from a person using the name Basil Al-Haddad. "Basil" also gave a new phone number by which he could be contacted: 011 (44) 787-228-2424, which is also a number from the United Kingdom.
Basil Al-Haddad
Marketing Director
TELEFONICA O2 UK LIMITED
260 Bath Road Slough Berkshire SL1 4DX
England, United Kingdom.
Phone: 011 (44) 787-228 -2424
Email: market.dir@o2.co.uk
According to information I received, this new number is a cellphone. If this number is correct, you can SMS this person via one of these addresses:
  • 07872282424@mmail.co.uk
  • 07872282424@o2.co.uk
  • 07872282424@mmsc.mms.o2.co.uk
Due to my ignorance of dialing phone numbers in the UK, these addresses may not be entirely accurate. So, be careful.

Once again, an IP trace was done and surprisingly the result was the same as the email received from 4882@o2.co.uk in that the IP was out of the USA. So, my initial assumption of a ringleader being in the UK was incorrect. Either that or they are using a proxy, but I had always thought that a proxy would give a different IP every time you used it.


Examining the headers of both emails, I found this in the first:
Return-Path: info3@telefonicamail.net
and this in the second:
Return-Path: veunit@telefonicamail.net
I didn't think much of it, at first. But, curiosity got hold of me and I did a WHOIS on telefonicamail.net and received this result:
WHOIS information for telefonicamail.net :
[Querying whois.verisign-grs.com]
[Redirected to whois.melbourneit.com]
[Querying whois.melbourneit.com]
[whois.melbourneit.com]
Domain Name.......... telefonicamail.net
Creation Date........ 2010-04-29
Registration Date.... 2010-04-29
Expiry Date.......... 2011-04-29
Organisation Name.... John Russell
Organisation Address. PO Box 61359
Organisation Address.
Organisation Address. Sunnyvale
Organisation Address. 94088
Organisation Address. CA
Organisation Address. US
Admin Name........... Admin PrivateRegContact
Admin Address........ PO Box 61359
Admin Address........ registered post accepted only
Admin Address........ Sunnyvale
Admin Address........ 94088
Admin Address........ CA
Admin Address........ US
Admin Email.......... contact@myprivateregistration.com
Admin Phone.......... +1.5105952002
Admin Fax............
Tech Name............ TECH PrivateRegContact
Tech Address......... PO Box 61359
Tech Address......... registered post accepted only
Tech Address......... Sunnyvale
Tech Address......... 94088
Tech Address......... CA
Tech Address......... US
Tech Email........... contact@myprivateregistration.com
Tech Phone........... +1.5105952002
Tech Fax.............
Name Server.......... ns1.officelive.com
Name Server.......... ns2.officelive.com

Doing a reverse WHOIS reveals that "John Russell" owns hundreds of other domains. However, it would cost me a lot of money to find out which domains they are and I do not care about it that much to spend money on this. So, it seems that "John Russell" is behind this whole thing.
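
The header comparison described above can be automated. The following is an added example, not code from the original post: it flags messages whose Return-Path domain is unrelated to the From domain. The sample headers are constructed from the addresses quoted in the post (the From/Return-Path pairing and the example.com messages are assumptions), and the function names are hypothetical.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not the real messages). Addresses are the ones
# quoted in the post; the From/Return-Path pairing is an assumption, and the
# example.com messages are made-up controls.
SAMPLES = [
    "From: 4882@o2.co.uk\nReturn-Path: <info3@telefonicamail.net>\n\nbody\n",
    'From: "Basil Al-Haddad" <market.dir@o2.co.uk>\n'
    "Return-Path: <veunit@telefonicamail.net>\n\nbody\n",
    "From: news@example.com\nReturn-Path: <bounce@mail.example.com>\n\nbody\n",
    "From: postmaster@example.com\nReturn-Path: <>\n\nbody\n",
]


def domain_of(header_value):
    """Lower-cased domain of the address in a header, or '' if there is none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else ""


def related(a, b):
    """Crude alignment: same domain, or one is a subdomain of the other.
    A production check would compare organizational domains using the
    Public Suffix List, as DMARC relaxed alignment does."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def check_message(raw):
    """Compare the visible From domain with the envelope Return-Path domain."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    rp_dom = domain_of(msg.get("Return-Path"))
    if not rp_dom:            # header missing, or the null sender "<>" of a bounce
        verdict = "no-return-path"
    elif not from_dom:
        verdict = "no-from"
    elif related(from_dom, rp_dom):
        verdict = "aligned"
    else:
        verdict = "mismatch"  # display address and bounce address disagree
    return {"from": from_dom, "return_path": rp_dom, "verdict": verdict}


if __name__ == "__main__":
    for raw in SAMPLES:
        print(check_message(raw))
```

A mismatch is a signal to look closer, not proof of fraud, since legitimate bulk-mail services also use their own bounce domains.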


Other email addresses used in the past with this scam:
  • veunit@o2.co.uk
  • inquiry@o2.co.uk
  • query1@o2.co.uk
  • info@o2mobile-uk.com
I'm sure that I could find more addresses, if I was inclined to keep looking.

Apparently, the scam got started in Nigeria with these text messages being sent out randomly with all correspondence being done by email. The addition of real telephone/fax numbers shows that it is possible they have confederates in the UK working as part of the scam.


Duane Browning
