Confirmed Kill on "giftbounty.net"

[DavidT]

I decided to look into a spam that slipped past my SpamCop SA and BL settings yesterday, not only reporting it to the hosts of the sending and website IP's but also doing a little detective work...here's a summary (sorry, but I didn't save the Tracking URL).

From: "GiftBounty" <admin[at]giftbounty.net>

Subject: You've won a Microsoft X-Box (This is not spam)

X-spam-Status: hits=2.3

sent from: me-rockland-tera1a-a-84.mint.adelphia.net [24.153.102.84]

The spam contained a long CGI-based URL to login to claim the X-Box (with 5 games), and a "pass code number" to enter on the page. I didn't want to go to the URL (which contained my address) so I googled the Subject line of the spam and came up with an "Urban Legends / Folklore" article at About.com on the MO of this scam:

http://urbanlegends.about.com/library/bl_xbox_giveaway.htm

The details on that page matched the spam and the scam is that in order to receive your "prize," you have to pay shipping, and they only accept debit cards, complete with your PIN!

I scrambled the URL a bit, substituting the scammer's own address, entered the "pass code" and came up with a page asking for name, address, debit card number, PIN, etc., so, with that information in hand, I started looking into their domain and website hosting.

1. The domain (giftbounty.net), although registered at GoDaddy.com, was registered by an anonymizing service in Tucson AZ -- the "Katz Global Domain Name Trust" -- and they don't collect or display any information on the registrants...they simply take money and make the registrations.

2. The domain was resolving to a Comcast broadband IP address in Minnesota (someone's home PC, no doubt).

The SC report I filed had already sent notices to Comcast and Adelphia (the source of the email), but hadn't addressed the domain registration, and so even if Comcast took quick action, the scammers could simply re-point the domain somewhere else....more agressive action was necessary.

So, I looked up the Katz folks (www.katzglobal.com), picked up the phone and gave them a friendly call. They agreed that this would be a serious violation of their TOS and so I sent them a detailed report and CC'ed it to GoDaddy. As a result, the domain is now "parked" today, and so they can't collect any more bank account information...until they move on to their next domain name, that is.

Here's an odd thing, although I found that other SC users had recently reported this same spam (by searching on "http://www.giftbounty.net" in the manual reporting box), I searched for reports about these scams in "news.admin.net-abuse.sightings" and didn't find a single report on this most recent run. I did find reports of the same scam from the following domains:

saprize.com

gift-winner.com

PikaPrize.net

Prize-Giveaway.com (the one cited in the About.com article)

dream-giveaway.com

But out on the web, I also found mention of identical scams from:

pikoprizo.com

prize-station.net

neither of which have shown up in the "sightings" newsgroup reports, so these scammers are managing to fly a bit "under the radar" and won't be stopped until they're physically apprehended by law enforcement. But at least I helped take them down temporarily.

DT

[turetzsr]

...Great job, DT! A win for the good guys! <big g>

[Guest art101]

I love hearing about a good win now and then. Helps me know that I'm not just banging my head against a big brick wall. Thanks for fighting the good fight.

[btech]

Now if we can only get Gratis and it's FreeiPod, FreeLatptop... etc network off the web.