Okay, so I completely ruined what used to be a great Rod Stewart song - but it's been worth it. I was alerted by my friend Dee Hughes over at Freeware Home to a rogue domain one of her visitors came across during a Google search for Outlook Express that led via the Sponsored results (surprise surprise) to expressdownloadz.com (see left).
She asked if I could dig up anything on this domain as she'd not found any contact information or anything that would help her take it down. Naturally I offered to help (I do love exposing these scheming wan**rs). Off I trotted to expressdownloadz.com, and lo and behold, instantly identified the type of scam, and thus, how to track it.
expressdownloadz.com is identical to thousands of other itty bitty phishy sites out there, and its stats are as follows;
IP PTR: Resolution failed
ASN: 36666 220.127.116.11/22 GTCOMM - GloboTech Communications
Created: October 19th 2009
Its WhoIs record is hidden, but I doubt it's actually accurate either way (impossible to tell obviously, as Domains By Proxy aren't exactly going to hand over the information without a court order).
There are a plethora of other malicious domains within this /24, and given how long some of them have been there, I'm guessing GloboTech couldn't give a hoot as long as they keep paying their bills;
If you're unlucky enough to believe what expressdownloadz.com are "offering", then you're taken from there, to;
freedownloadzone.com/join.php?s=Outlook Express&kw=outlook express&t=outlook-express_w2&si=index.php&ml=12&d=Expressdownloadz.Com&dn=Expressdownloadz.Com&TargetSite=FDZ&lp=default
freedownloadzone.com is the site that asks you to create an "account", and asks for your payment information. Entering this of course is a majorly bad idea, but let's carry on regardless.
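The redirect above carries its own tracking data, which is what makes this kind of funnel easy to follow in proxy or DNS logs. The following is an added example, not part of the original post: it parses the quoted URL and groups doorway domains by the sign-up host they feed. Reading `d`/`dn` as the doorway site's name is an assumption based on the values matching the referring domain; the extra log entries and the `.example` hosts are constructed placeholders.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# The redirect quoted in the post (spaces left unencoded, as on the page).
REDIRECT = ("freedownloadzone.com/join.php?s=Outlook Express&kw=outlook express"
            "&t=outlook-express_w2&si=index.php&ml=12&d=Expressdownloadz.Com"
            "&dn=Expressdownloadz.Com&TargetSite=FDZ&lp=default")

# Constructed proxy-log URLs for illustration; the .example/.org hosts are placeholders.
CONSTRUCTED_LOG = [
    "http://" + REDIRECT,
    "http://freedownloadzone.com/join.php?s=Some Tool&kw=some tool"
    "&d=Doorway-One.Example&dn=Doorway-One.Example&TargetSite=FDZ",
    "http://www.example.org/index.html?q=outlook+express",
]

def parse_join_url(url):
    """Return (signup_host, doorway, keyword, target), or None if not a join.php hit."""
    if "://" not in url:
        url = "http://" + url  # the post quotes the URL without a scheme
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/join.php"):
        return None
    qs = parse_qs(parts.query)
    # Assumption: 'd' (falling back to 'dn') names the doorway site that sent the visitor.
    doorway = (qs.get("d") or qs.get("dn") or [""])[0].lower()
    if not doorway:
        return None
    keyword = (qs.get("kw") or [""])[0]
    target = (qs.get("TargetSite") or [""])[0]
    return parts.hostname, doorway, keyword, target

def doorways_by_signup_host(urls):
    """Group doorway domains by the sign-up host they hand visitors to."""
    groups = defaultdict(set)
    for url in urls:
        hit = parse_join_url(url)
        if hit:
            host, doorway, _keyword, _target = hit
            groups[host].add(doorway)
    return {host: sorted(names) for host, names in groups.items()}

if __name__ == "__main__":
    print(parse_join_url(REDIRECT))
    print(doorways_by_signup_host(CONSTRUCTED_LOG))
```

Run over real web-proxy logs, the same grouping gives a list of doorway domains per sign-up host that can be checked against a blocklist.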
Notice where you are yet? That's right folks .... you're now at;
secure.cardtransaction.com has a DCV certificate from RapidSSL. Both this domain, and freedownloadzone.com are located on the same IP block, 18.104.22.168/24, which is owned by Peer1. Not surprisingly, this also houses a plethora of other similar domains, including;
Getting on. The address you'll notice at the bottom of these sites is;
Third Floor, Conway House
7-9 Conway Street
Jersey, JE2 3NT
What you'll not know is that this address is NOT the actual address for Saphie Number1. It's a "drop box" of sorts. It works by having someone in Jersey allow companies to have mail sent to their address (saving them having to pay UK tax, from what I've been told). These people are then paid a percentage by the companies to forward the mail to the company once it arrives.
However, there's another address involved. The "company" that appears on your bill when you've handed over your payment information, is helpmedownload.com. Popping over there, the address they provide as their "Correspondence address" is;
Saphie Number One Limited
26 York Street
London W1U 6PZ, UK
This is the same address as is provided in the cardtransaction.com WhoIs records, but nope - it's not their real address either. This address belongs to, how did he put it, a "call answering service", run by a company called "Sage Systems" (26 York Street is Sage Systems HQ). Interestingly, I couldn't find anything on Sage Systems at that address, but did find a Virtual Office company called W1Office at that address.
I called them up to ask about Sage Systems and was told;
"it may be one of our clients"
I told W1Office what was going on, and they're apparently going to look into it. They also provided me with the number of the person that created the account with them but unfortunately, it turned out to be a fax number, not a telephone number (0207 068 5500).
Helpmedownload.com have their own "main" website too (Saphie Number1 = Helpmedownload.com), which provides the following contact information;
I've now been on the phone with one of their reps for around 30 mins or so, and they're still trying to tell me the process is simple, easy to understand, clear as far as what they're charging for, and they're thus, not scamming people. Couldn't explain however, why for example, the "3 step process", tries to charge for support and such TWICE.
Alas, she's not been through the process herself apparently as she "doesn't need help downloading software", so as I pointed out - she can't tell me about something she's not been through herself - which is why I'm on hold now. She's now going through the process herself apparently (personally I think she's gone for a smoke/drink/toilet break, but it's an 0808 number, so their bill, so I don't care).
.... sorry folks, was on the phone.
Okie, so here's where we are. The person I spoke to on the phone passed me to her supervisor who advised me;
1. He is not authorized to tell me WHO is in charge in his company
2. He CAN NOT pass me to a manager so we can get this cleared up
3. His manager monitors the firstname.lastname@example.org inbox, but REFUSED to tell me HOW I am supposed to know it is a manager responding via e-mail, given he couldn't provide me with so much as his manager's name
4. His name is "Murphy" (he has no surname apparently), and the location of the place he is currently at (whoops, he let that slip!), is in the Philippines (he would not tell me if that was the main helpmedownload.com address, if not, what address it was, or indeed, provide ANY address related to the company!!!!!)
5. Their e-mail address is email@example.com and that is the ONLY way in which we can get answers (yes, of course it is Murphy!!!).
... and that's just the parts of the phone call I can remember (sorry folks, was getting very frustrated). In the end, he simply said he would not answer any more of my questions as he was not authorized to speak to me (err, that part is confusing).
After being on the phone with them for over an hour, I ended up getting far too frustrated to continue, given they refused to answer any of my questions, and refused to put me on to anyone that could answer any of my questions, and refused to tell me so much as the name of the person within the company (i.e. a manager, director etc), that was authorized to speak to me on the subject of such.
I urge you to call one of the numbers above (they're toll free/freephone, so won't cost you anything, but you'll get to have so much fun (sic)). Try getting a straight answer from them, try getting to speak to someone in charge of this scam err, company.
If you've been scammed by any of the domains listed above, first things first, contact your credit card company and ask them for a chargeback!!! Next, inform the UK Watchdog (if UK based), or your country's equivalent.
I'd also urge you to contact W1Office with your complaints. Hopefully, the more people that do, the sooner W1Office will boot the company.
It should be noted, the above are by no means the only domains involved in this scam, or other scams similar to this one. There are thousands of them out there, so be careful folks! (and if you find one that's not listed in hpHosts already, feel free to drop me a note!).
In the meantime, if I've forgotten to mention anything (been one of those err, couple hours or so, hehe), do let me know.