
SANS ISC: Research on a Fraudulent site - SANS Internet Storm Center SANS ISC InfoSec Forums


Research on a Fraudulent site
A reader submitted his research on a spam email that mentions a company called Bellford Trade & Investment (BTI) and its website (bellfordtrade.com). After some careful research, he concluded that the company and website are fraudulent. Below are his findings, which you may find interesting and useful.

**********************
Below is the evidence that I use to support this:

1.  The domain (bellfordtrade.com) was registered very recently, and was only registered for 1 year:

Creation Date........ 2006-02-03
Registration Date.... 2006-02-03
Expiry Date.......... 2007-02-03

This is common for sites that are used for fraudulent purposes. Register the site, get the fraud up and running, and it will probably be shut down soon thereafter. So, why pay for more than 1 year of registration?  It's a throwaway domain.

2.  The contact information for the domain is hidden behind "myprivateregistration.com", which is a service of Melbourne IT in Australia, dba Internet Names Worldwide. Although this can be used by legitimate websites, it is fraught with fraud.

Admin Name........... PrivateRegContact Admin
Admin Address........ P O Box 99800
Admin Address........
Admin Address........ EmeryVille
Admin Address........ 94662
Admin Address........ CA
Admin Address........ US
Admin Email.......... contact@myprivateregistration.com
Admin Phone.......... +1.5105952002

This PO box apparently belongs to a US office of Melbourne IT. This PO box and the whole My Private Registration service seem to be used by lots of fraudulent websites (spammers, phishers, etc.), although it is probably used by legitimate sites as well. Just doing some Google searches on this information pulls up all sorts of shady things.

3.  A Google search of "Bellford Trade & Investment" hits on a Craigslist ad (an unusual place for a legitimate trading company to advertise) and a Yahoo Local business listing in New York City. The phone number on this listing is no good. This listing claims "Member SIPC (1205-9847)". I checked the SIPC website, and they don't list BTI as a member. This listing also points to the bellfordtrade.com website (the same one that was in the Spam). The Spam also said that they are an SIPC member, which they aren't.

4.  The bellfordtrade.com website itself is suspicious (WARNING: I wouldn't visit this website with a PC you care about, since it might also be distributing malware/spyware/whatever -- I don't know if it is or not, but I'm paranoid about such things, so I used a throwaway VMware session to view it.) First of all, the "Contact Us" page doesn't work, and I can't find any other contact information for BTI on their website (besides their e-mail address). Not good.

5.  On the "join" page on the website, which is where one would sign up for their service, they have an unsecured web form (it's not using SSL).

6.  On the "join" page, they have the "BBB Online Reliability" program seal. However, the seal doesn't have the required link to their membership entry on the BBB Online site. Also, a search of the BBB Online website shows that BTI is not a member. So this is a fraudulent claim.

7.  On the "join" page, they have the "Protected by Thawte" logo. However, the logo doesn't have the required link back to Thawte, and the form isn't even SSL protected (Thawte issues SSL certificates). So this is also a fraudulent claim.

8.  The whole website feels "icky" to me. It's using lots of Flash, the content seems questionable, and it just seems like a bunch of lies.

9.  BTI is not listed in Dun & Bradstreet's business directory. Not all businesses are listed here, certainly, but I'd expect a legitimate financial trading company to be listed here.

10.  BTI sent Spam, and claimed an affiliation with XXXXX. These are both shady practices, and it's unlikely that a legitimate financial company would do this.

11.  The Spam claimed that they were an NASD member. I can't find them listed in the NASD directory, so this is also a fraudulent claim.

12.  The toll-free numbers listed in the Spam are no good.

**********************

Koon Yaw
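
The WHOIS checks in items 1 and 2 of the reader's findings can be applied to any record in the same dot-leader layout. The following Python is an added example, not part of the reader's submission or this diary: it parses the excerpt quoted above (including the repeated, partly empty "Admin Address" field) and flags a young domain, a one-year term and a privacy-proxy contact. The function names, the 90-day age threshold and the "seen_on" date are assumptions.

```python
import re
from datetime import date

# WHOIS excerpt in the dot-leader layout quoted in the post (values copied from the post).
SAMPLE_WHOIS = """\
Creation Date........ 2006-02-03
Registration Date.... 2006-02-03
Expiry Date.......... 2007-02-03
Admin Name........... PrivateRegContact Admin
Admin Address........ P O Box 99800
Admin Address........
Admin Address........ EmeryVille
Admin Email.......... contact@myprivateregistration.com
"""

# Field name, a run of dots, then an optional value.
LINE_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*?)\.{2,}[ \t]*(?P<value>.*)$")

def parse_whois(text):
    """Return {field: [values]}; repeated fields keep every non-empty value."""
    record = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        values = record.setdefault(m["key"].strip(), [])
        if m["value"].strip():
            values.append(m["value"].strip())
    return record

def registration_flags(record, seen_on, proxy_domains, max_age_days=90):
    """Flag the WHOIS indicators from items 1 and 2 (threshold is an assumption)."""
    flags = []
    created = date.fromisoformat(record["Creation Date"][0])
    expires = date.fromisoformat(record["Expiry Date"][0])
    age = (seen_on - created).days
    if 0 <= age <= max_age_days:
        flags.append(f"domain is {age} days old")
    if (expires - created).days <= 366:
        flags.append("registered for one year only")
    for email in record.get("Admin Email", []):
        if email.rsplit("@", 1)[-1].lower() in proxy_domains:
            flags.append("contact hidden behind privacy service")
    return flags

if __name__ == "__main__":
    # seen_on is a constructed date standing in for the day the spam arrived.
    rec = parse_whois(SAMPLE_WHOIS)
    for flag in registration_flags(rec, date(2006, 3, 1), {"myprivateregistration.com"}):
        print("FLAG:", flag)
```

As the reader notes, a privacy service is also used by legitimate sites, so these flags are reasons to look closer rather than a verdict on their own.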
