419 Scam – "GOLDEN REEF LOTTERY / SOUTHTRUST INVESTMENT PTY. / Harry Robben"
"SOUTHTRUST INVESTMENT PTY." is the fake identity used by a gang of advance fee fraud ("419") scammers operating in Nigeria and South Africa. It's a fraud. (see one example scam email here). The three scam operations "HERITAGE FINANCE LTD / NATIONWIDE LOTTO UK", "WORLD WIDE CASH CHANGE / PRESTIGIOUS LOTTO UK" and "SOUTHTRUST INVESTMENT PTY. / GOLDEN REEF LOTTERY" are probably closely related. All three scams use websites of fake security companies, email from which is sent from Nigeria. They all send similarly worded money demands involving Word documents. A further scam in this series is "BOND TRUST LIMITED".
The scammers have registered websites for the fake lottery and fake claims agent:
Email addresses used for the scam:
Sample email from "Mr Harry Robben":
Return-Path: <mrrobben@southtrustltd.net>
Received: from hotmail.com (bay23-f22.bay23.hotmail.com [64.4.22.72]) by rly-xh01.mx.aol.com (v104.17) with ESMTP id MAILRELAYINXH18-48641f0020a37b; Thu, 20 Jan 2005 14:10:03 -0500
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Wed, 19 Jan 2005 07:48:07 -0800
Message-ID: <BAY23-F2264142CBAE7EAAFB576ABDF800@phx.gbl>
Received: from 165.146.71.161 by by23fd.bay23.hotmail.msn.com with HTTP; Wed, 19 Jan 2005 15:47:18 GMT
X-Originating-IP: [165.146.71.161]
X-Originating-Email: [mrrobben@southtrustltd.net]
X-Sender: mrrobben@southtrustltd.net
In-Reply-To: <MazUSxvjP0004181e@hotmail.com>
From: "Harry Robben" <mrrobben@southtrustltd.net>
To: #################
Subject: Requirements
Date: Wed, 19 Jan 2005 15:47:18 +0000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
X-OriginalArrivalTime: 19 Jan 2005 15:48:07.0060 (UTC) FILETIME=[44E67D40:01C4FE3E]
X-AOL-IP: 64.4.22.72
X-Mailer: Unknown (No Version)

Dear Firstname Lastname,

We are in receipt of your claims file, from GOLDEN REEF LOTTERY with ticket number, 125-75-7849 with a serial number of 69-66, which drew lucky numbers, 09, 10, 22, 32, 35,44, (05). reference Number REFERENCE NO: ST-A542-9 and BATCH NO: 228-GP. Be informed that we have in our possession instruments of payment for the sum of US$2,000,000.00 to you.

You will be required to fill the attached "Lottery Winnings Claim Form" with all necessary details, after download, kindly print, fill, and send back either by fax or as an email attachment.Please follow the link below to download the lottery claims form from our website

http://www.southtrust.co.za/lottery.htm

You will also be required to pay a fee of USD6,500.00 (Six thousand five hundred United States dollars only), or it’s equivalent in your local currency. This payment is to cover transfer charges, Insurance of vital documents like prize claim certificate and other transfer documents, handling and opening of account charges.

Note that your total prize claim of US$2,000,000.00 has been insured to it's value and as such cannot be deducted from.This is in accordance with section 13(1)(n) of the national gambling act as adopted in 1993 and amended on 3rd July 1996 by the constitutional assembly. This is to protect winners and to avoid misappropriation of funds.

A certificate of prize claim along side other vital documents will be sent to you via Courier service immediately transfer of your winnings is effected. Note that your winnings will be transferred within 24hours after the receipt of all the requirements.

I shall be awaiting your response.

Truly yours,
Harry Robben.
CLAIMS DEPT. MANAGER,
SOUTHTRUST INVESTMENT PTY.
PHONE: +27 838919033
FAX: +27 115076331
EMAIL: mrrobben@southtrustltd.net

The email above was sent from South Africa. WHOIS details for sending IP address 165.146.71.161:

OrgName: Telkom SA Limited
OrgID: TSL
Address: PO Box 2753
Address: Pretoria
Address: 0001
City:
StateProv:
PostalCode:
Country: ZA

NetRange: 165.146.0.0 - 165.146.255.255
CIDR: 165.146.0.0/16
NetName: TELKOMNET-B4
NetHandle: NET-165-146-0-0-1
Parent: NET-165-143-0-0-1
NetType: Reassigned
NameServer: NS1.TELKOM.CO.ZA
NameServer: NS1.IAFRICA.COM
NameServer: RIP.PSG.COM
Comment:
RegDate: 1993-06-16
Updated: 1995-02-27

TechHandle: VW4-ARIN
TechName: Wilson, Victor
TechPhone: 12-311-2988
TechEmail: wilsonvm@telkom.co.za
Example of money demand:

Return-Path: <mrhrobben@southtrustltd.com>
Received: from rly-yi04.mx.aol.com (rly-yi04.mail.aol.com [172.18.180.132]) by ################# (v#####) with ESMTP id MAILINYI14-7c941bd9f1d247; Mon, 13 Dec 2004 08:55:01 -0500
Received: from hotmail.com (bay23-f15.bay23.hotmail.com [64.4.22.65]) by rly-yi04.mx.aol.com (v103.7) with ESMTP id MAILRELAYINYI47-7c941bd9f1d247; Mon, 13 Dec 2004 08:54:37 -0500
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Mon, 13 Dec 2004 03:18:07 -0800
Message-ID: <BAY23-F1583CC4DC5F4DB065EDC12A9AB0@phx.gbl>
Received: from 81.199.85.129 by by23fd.bay23.hotmail.msn.com with HTTP; Mon, 13 Dec 2004 07:58:20 GMT
X-Originating-IP: [81.199.85.129]
X-Originating-Email: [mrhrobben@southtrustltd.com]
X-Sender: mrhrobben@southtrustltd.com
From: "Harry Robben" <mrhrobben@southtrustltd.com>
To: #################
Subject: CLAIMS REQUIREMENT/PROCESSING FORM
Date: Mon, 13 Dec 2004 07:58:20 +0000
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_3e16_65d8_51ad"
X-OriginalArrivalTime: 13 Dec 2004 11:18:07.0085 (UTC) FILETIME=[6BADB9D0:01C4E105]
X-Mailer: Unknown (No Version)

------=_NextPart_000_3e16_65d8_51ad
Content-Type: text/plain; format=flowed

ATTN: THIRD CATEGORY WINNER

We are in receipt of your claims file, from GOLDEN REEF LOTTERY with reference Number REFERENCE NO: ST-A542-5 and BATCH NO: 228-GP. Be informed that we have in our possession instruments of payment for the sum of US$2,000,000.00 to you.

You will be required to fill the "Lottery Winnings Claim Form" with all necessary details, after download, kindly print, fill, and send back either by fax or as an email attachment.

Please find attacted Lottery Winnings Claim Form (LWCF)

You will also be required to pay a fee of USD6,500.00 (Six thousand five hundred United States dollars only), or it’s equivalent in your local currency. This payment is to cover transfer charges, Insurance of vital documents like prize claim certificate and other transfer documents, handling and opening of account charges.

Note that your total prize claim of US$2,000,000.00 has been insured to it's value and as such cannot be deducted from.This is in accordance with section 13(1)(n) of the national gambling act as adopted in 1993 and amended on 3rd July 1996 by the constitutional assembly. This is to protect winners and to avoid misappropriation of funds.

A certificate of prize claim along side other vital documents will be sent to you via Courier service immediately transfer of your winnings is effected. Note that your winnings will be transferred within 24hours after the receipt of all the requirements.

I shall be awaiting your response.

Truly yours,
Mr. Harry Robben.
CLAIMS DEPT. MANAGER,
SOUTHTRUST INVESTMENT PTY.
PHONE: +27 838 919033
FAX: +27 115 076331
EMAIL: mrhrobben@southtrustltd.com
www.southtrust.co.za

------=_NextPart_000_3e16_65d8_51ad
Content-Type: application/msword; name="LWCF.doc"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="LWCF.doc"

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAABAAAATwAAAAAA
AAAAEAAAUQAAAAEAAAD+////AAAAAE4AAAD/////////////////////////////////////
....
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
------=_NextPart_000_3e16_65d8_51ad--

This email from a supposedly South African lottery was sent from Nigeria (IP 81.199.85.129):

inetnum: 81.199.84.0 - 81.199.87.255
netname: CIDR-COMMUNICATION-01
descr: Internet service provider
country: NG
admin-c: TECH7-RIPE
tech-c: TECH7-RIPE
status: ASSIGNED PA
notify: lir@ipplanet.net
mnt-by: AS12491-MNT
changed: lir@ipplanet.net 20040902
source: RIPE

person: Tech Supernet300
address: 21 Mobolaji Bank
address: Anthony Way Ikeja
address: Lagos
address: Nigeria
phone: + 234 1 4976493
e-mail: admin@supernet300.com
nic-hdl: TECH7-RIPE
changed: lir@ipplanet.net 20040902
source: RIPE

This is the same provider as used by the "HERITAGE FINANCE LTD" scammers and in the "Mr. Chen Chun-Hwa" dead foreigner scam. It could be the same gang or they could be using internet cafes sharing the same provider.

The claims form (LWCF.doc) was created by someone using the user name "GUNIT". The document was last printed out on 2004-10-29.
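The origin check applied to both sample emails above, as an added Python example that is not part of the original page: it reads the client address that the Hotmail web front end recorded and looks it up in the two WHOIS ranges quoted on this page. The function names, the claimed-country argument and the abridged header strings are assumptions made for the illustration.

```python
import ipaddress
import re
from email import message_from_string

# Ranges and country codes copied from the WHOIS output quoted on this page.
WHOIS_RANGES = [("165.146.0.0", "165.146.255.255", "ZA"),
                ("81.199.84.0", "81.199.87.255", "NG")]
NETS = [(net, cc) for first, last, cc in WHOIS_RANGES
        for net in ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last))]
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

# Headers abridged from the two sample emails on this page (ESMTP ids dropped).
EMAIL_ZA = (
    "Received: from hotmail.com (bay23-f22.bay23.hotmail.com [64.4.22.72]) by rly-xh01.mx.aol.com (v104.17) with ESMTP; Thu, 20 Jan 2005 14:10:03 -0500\n"
    "Received: from 165.146.71.161 by by23fd.bay23.hotmail.msn.com with HTTP; Wed, 19 Jan 2005 15:47:18 GMT\n"
    "X-Originating-IP: [165.146.71.161]\n"
    "Subject: Requirements\n\nbody\n")
EMAIL_NG = (
    "Received: from hotmail.com (bay23-f15.bay23.hotmail.com [64.4.22.65]) by rly-yi04.mx.aol.com (v103.7) with ESMTP; Mon, 13 Dec 2004 08:54:37 -0500\n"
    "Received: from 81.199.85.129 by by23fd.bay23.hotmail.msn.com with HTTP; Mon, 13 Dec 2004 07:58:20 GMT\n"
    "X-Originating-IP: [81.199.85.129]\n"
    "Subject: CLAIMS REQUIREMENT/PROCESSING FORM\n\nbody\n")


def webmail_client_ip(raw):
    """Return the client IP recorded by the webmail front end, or None."""
    msg = message_from_string(raw)
    # In these samples the "with HTTP" hop was written by Hotmail's web front end.
    for hop in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+\[?" + IPV4 + r"\]?\s+by\s+\S+\s+with\s+HTTP\b", hop)
        if m:
            return ipaddress.ip_address(m.group(1))
    # Fall back to X-Originating-IP, which the same front end adds.
    m = re.search(IPV4, msg.get("X-Originating-IP", ""))
    return ipaddress.ip_address(m.group(1)) if m else None


def check_claim(raw, claimed_cc):
    """Compare the country of the submitting IP with the country the email claims."""
    ip = webmail_client_ip(raw)
    cc = next((c for net, c in NETS if ip is not None and ip in net), None)
    return {"ip": str(ip) if ip else None, "country": cc,
            "mismatch": cc is not None and cc != claimed_cc}


if __name__ == "__main__":
    for sample in (EMAIL_ZA, EMAIL_NG):
        print(check_claim(sample, "ZA"))
```

Headers below the first relay you trust can be forged by the sender, so a result like this is only as reliable as the hop it was read from.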
"southtrustltd.net" (complaints to: abuse@msn.com)
WHOIS record for 419-scam domain "southtrustltd.net"

Domain Name.......... southtrustltd.net
Creation Date........ 2004-10-28
Registration Date.... 2004-10-28
Expiry Date.......... 2005-10-28
Organisation Name.... Edith D Levine
Organisation Address. Apt 3b 301 E. 111th st.
Organisation Address.
Organisation Address. New-York
Organisation Address. 10029
Organisation Address. NY
Organisation Address. UNITED STATES

Admin Name........... Edith D Levine
Admin Address........ Apt 3b 301 E. 111th st.
Admin Address........
Admin Address........ New-York
Admin Address........ 10029
Admin Address........ NY
Admin Address........ UNITED STATES
Admin Email.......... claimsmanager@southtrustltd.net
Admin Phone.......... +1.212722139087
Admin Fax............

Tech Name............ MSN NOC
Tech Address......... One Microsoft Way
Tech Address.........
Tech Address......... Redmond
Tech Address......... 98052
Tech Address......... WA
Tech Address......... UNITED STATES
Tech Email........... MSN-PA-TECH@msn.com
Tech Phone........... +1.4258828080
Tech Fax.............
Name Server.......... pdomns1.msn.com
Name Server.......... pdomns2.msn.com
"southtrustltd.com" (complaints to: abuse@msn.com)
WHOIS record for 419-scam domain "southtrustltd.com"

Domain name: southtrustltd.com

Registrant Contact:
Edith D Levine
Edith D Levine (deptmanager@southtrustltd.com)
+1.212722139087
Fax: none
Apt 3b 301 E. 111th st.
new-york, NY 10029
US

Administrative Contact:
Edith D Levine
Edith D Levine (deptmanager@southtrustltd.com)
+1.212722139087
Fax: none
Apt 3b 301 E. 111th st.
new-york, NY 10029
US

Technical Contact:
NOC MSN
NOC MSN (MSN-PA-TECH@msn.com)
+1.4258828080
Fax: none
One Microsoft Way
Redmond, WA 98052
US

Billing Contact:
NOC MSN
NOC MSN (MSN-PA-BILL@MSN.COM)
+1.4258828080
Fax: none
One Microsoft Way
Redmond, WA 98052
US

Status: Locked

Name Servers:
pdomns1.msn.com
pdomns2.msn.com

Creation date: 28 Oct 2004 06:57:32
Expiration date: 28 Oct 2005 06:57:32

The South African domain "southtrust.co.za" is registered using an African name and a South African postal address. The contact email address uses a Chinese name and the webmailer tiscali.co.uk, which is one of the most popular webmailers amongst "419" scammers.
WHOIS record for 419-scam domain "southtrust.co.za"
0a. Last Update: Tue Oct 26 16:06:52 SAST 2004
0b. Sender: accounts@webonline.biz
0c. Posted: 26 Oct 2004 14:06:15 -0000
0d. Subject: southtrust.co.za
0g. Hist Cnt: 1
0h. Inv Number: 398495
0i. Contract: NEW
0j. Coza Version: $Revision: 1.105 $ $Date: 2004/07/08 13:12:58 $
1a. Domain: southtrust.co.za
1b. Action: N
2a. Domain Owner: Tabu Kalimbuka
2b. Owner Postal: PO Box 1253, PO Box 1253, Buccluech, Johannesburg, Gauteng, 2066
2c. Owner StAddr: 10 Heronshaw , Gibson drive, Buccluech, Johannesburg, Gauteng,
2d. Payment: 150
2e. Ac/Inv/Chqe: I
2f. Bill/Acct: WebOnline
2g. Mail Bill to: accounts@webonline.biz
2h. NoDelayWord: **set**
2i. Invoice Addr: P.O. Box 1264, Wingate Park, 0153
2j. Owner Phone: 0115076315
2k. Owner Fax: 0115076315
2l. Owner E-Mail: jinging@tiscali.co.uk
3a. Opp Date: 2004/10/26 16:06:39
3b. CNAME Base:
3c. CNAME sub1:
3d. CNAME sub2:
4a. Adm Contact: Web Online, Accounts
4b. Adm Title: Accounts Department
4c. Adm Company: Web Online
4d. Adm Postal: P.O. Box 1264, Wingate Park, 0153
4e. Adm Phone: +27.0861666555
4f. Adm Fax: +27.0866801585
4g. Adm E-Mail: accounts@webonline.biz
4h. Adm Nic:
5a. Tec Contact: Web Online, Support
5b. Tec Title: Support Department
5c. Tec Company: Web Online
5d. Tec Postal: P.O. Box 1264, Wingate Park, 0153
5e. Tec Phone: +27.0861666555
5f. Tec Fax: +27.0866801585
5g. Tec E-Mail: support@webonline.biz
5h. Tec Nic:
6a. Prim NS FQDN: dns10.webonline.biz
6b. Prim NS IP: 196.30.15.157
6e. Sec NS1 FQDN: dns2.webonline.biz
6f. Sec NS1 IP: 216.127.84.49
6i. Sec NS2 FQDN:
6j. Sec NS2 IP:
6m. Sec NS3 FQDN:
6n. Sec NS3 IP:
6q. Sec NS4 FQDN:
6r. Sec NS4 IP:
7a. Prim MX FQDN:
7b. Prim MX IP:
7c. Prim MX Cost:
7d. Sec MX FQDN:
7e. Sec MX IP:
7f. Sec MX Cost:
8a. Net bk Start:
8b. Net bk End:
8c. Net bk Start:
8d. Net bk End:
8e. Net bk Start:
8f. Net bk End:
9a. Description1:
9b. Description2:
9c. Description3:
9d. Description4:
9e. Description5:
9f. Description6: