Directi (PDR) Seeing Results From A Pro-Active Approach To Fighting Internet Fraud

Posted by belle in 1 on August 21st, 2011

Victims of internet fraud are not the only ones who lose money because of internet scams. Registrars and hosters also suffer losses when domains used in the scams are registered using their services. Many scammers pay for domains using stolen credit cards, which can result in chargebacks. Registrars and hosters should therefore be looking at ways to control these losses.

It was for this reason that Prabhat Kamat, head of the Directi (PDR) abuse team, approached aa419.org. Prabhat was looking for a way to reduce the losses Directi suffered because of these fraud-related domains.

It would be naive to believe that the efforts of the anti-scam community will stop internet fraud, but hopefully by identifying, listing and suspending these domains we can prevent potential victims from losing their money. Prabhat recognized that our efforts could also help them to control losses.

Together we decided that if we could detect the scam domains within the 5-day grace period after registration and delete the domains, there would be nothing lost on these domain registrations. The second consideration was to identify the scammer registrants and scammer-friendly hosters. Together we could find their domains and suspend them. Our aim was to get them to move to a different registrar and stop using Directi (thereby avoiding chargebacks).

A member of aa419.org wrote a program for Directi that keeps a mirror of the aa419.org database. As domains are entered into the database, the Directi abuse team can immediately investigate and take the necessary action. aa419.org watches for new scam registrations and enters them in the database, and Directi suspends them shortly afterwards (sometimes within minutes). If Directi or aa419.org identifies a scam-friendly hoster or a regular scam domain registrant, lists are extracted from the register and investigated by aa419.org, and the scam domains are entered in the database.
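As an added illustration (not the program written for Directi, whose code and data format the post does not show), the triage described above could be sketched in Python as follows. The record fields, the registrar label `OURS`, the repeat threshold and the listings themselves are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

GRACE = timedelta(days=5)  # the 5-day grace period named in the post

# Constructed sample of mirrored listings; every field name is hypothetical.
LISTINGS = [
    {"domain": "bank-one.test", "registrar": "OURS", "registrant": "a@mail.test",
     "host": "host-a.test", "registered": "2011-08-18T09:00:00+00:00"},
    {"domain": "bank-two.test", "registrar": "OURS", "registrant": "A@mail.test",
     "host": "host-a.test", "registered": "2011-08-10T09:00:00+00:00"},
    {"domain": "bank-three.test", "registrar": "OTHER", "registrant": "a@mail.test",
     "host": "host-a.test", "registered": "2011-08-20T09:00:00+00:00"},
    {"domain": "bank-four.test", "registrar": "OURS", "registrant": "b@mail.test",
     "host": "host-b.test", "registered": "2011-08-16T13:00:00+00:00"},
    {"domain": "bank-five.test", "registrar": "OURS", "registrant": "c@mail.test",
     "host": "host-c.test", "registered": "2011-08-25T00:00:00+00:00"},
]

def triage(listings, registrar, now, repeat_threshold=2):
    """Return (actions, repeat_registrants, repeat_hosts) for one registrar."""
    actions = {}
    by_registrant, by_host = defaultdict(set), defaultdict(set)
    for rec in listings:
        if rec["registrar"] != registrar:
            continue  # another registrar's domain: nothing we can act on
        age = now - datetime.fromisoformat(rec["registered"])
        if age < timedelta(0):
            actions[rec["domain"]] = "review"   # future registration date: bad data
        elif age <= GRACE:
            actions[rec["domain"]] = "delete"   # still inside the grace period
        else:
            actions[rec["domain"]] = "suspend"  # grace period has passed
        # Normalise case so one registrant or hoster is not counted as two.
        by_registrant[rec["registrant"].lower()].add(rec["domain"])
        by_host[rec["host"].lower()].add(rec["domain"])

    def repeats(groups):
        return {k: sorted(v) for k, v in groups.items() if len(v) >= repeat_threshold}

    return actions, repeats(by_registrant), repeats(by_host)

if __name__ == "__main__":
    now = datetime(2011, 8, 21, 12, 0, tzinfo=timezone.utc)
    for part in triage(LISTINGS, "OURS", now):
        print(part)
```

The repeat registrants and hosters it returns are candidates for the list extraction and manual investigation the post describes, not automatic suspensions.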

This co-operative effort is beginning to show results. This week we identified that two scam-friendly hosters had started to use a different registrar for their scam domains. It has not stopped the scams, but it has chased them away from Directi. Prabhat is sure that this will result in lower chargebacks.

aa419.org and Directi are now looking into other ways to further improve the effectiveness of the abuse team.

Many registrars do respond to abuse reports and take action on them. However, none does it as quickly and efficiently as Directi. If all registrars and hosters take this approach, it might then be possible to reduce internet fraud.

Hey, Keep in Touch!

Posted by sandy_beech in fan mail on January 18th, 2011

More hilarity from our scamming friend, who now positions himself as a super-skilled Internet ninja:

Just as i PREDICTED { yeah – my note got posted in the BLOG section of ur Website, Like i said – i followup every article about scams. Since it’s a voluntary project: I would still like to help – my skills are PHP(expert), .NET(little), Python PERL, SEO, Mass Mailing, BANK TRACKING and one more thing i would like to say is “THANK A LOT”, The last MUGU i got was from a site u reported that was encoded with JAVASCRIPT, I KNOW ALMOST ALL THE LOGIN SYSTEM FOR FAKE BANKS – I BELIVE I CAN BE OF TREMENDOUS HELP, I DON’T SCAM BUT I BUILD SITES. THIS WAS ONE OF MY MESSAGES AND I OWN THE DOMAINS “[redacted]

Of course, if he were actually serious, he’d jump right in and help. Our forums are open to all to see and contribute, and surely someone with his superb skills would have no problem effecting a takedown. But do you need such an impressive CV to be a bank killer? Not at all! We’ve posted a simple checklist you can follow to send your own complaint letters. You don’t need any fancy technical skills at all, just be able to use a web browser and send email. Sadly, this detail, like so many others, is lost on our scamming pen-pal. He continues, and makes his motivations clear:

Hey: no need reporting the email used to send u this but am too busy to open another email that even if u report: wont’t affect me……..

U know, I now appreciate what u’re doing, It’s like this – i am a security expert so i profit a lot by exploiting the badly designed sites of this scammers – I have every database files and am a scammer too no doubt but still:: i wan’t other dead so mine can be alive.

And it’s a waste killing my domains cos they are Vampires: BACK UP AFTER 2 weeks or i simply change the directory on a HOST like limedomains.com who are very stupid and don’t kill sites quickly.

Here: [redacted]

That’s one of the STUPID sites u guys reported:: Have fund donwloading the ZIP files that are full of security holes.

Maybe PUTTING SOMETHING LIKE “THIS SITE IS A SCAM RUN” on the Victims Account page would be better than killing the site first OFFF, also i now limit the number of connections pat second on my sites cos i know u IDIOTS still use the MUGU MARAUDER or maybe a better version: It seems you guys got some funding recently and now have a complete server house…. That’s real GOOD but nice try { even if u try to encrypt the connection, my program will still detect it and re-direct u to Google instead.

Well – it now comes to my STUPID HOST and FIREFOX fake Site notification.. what do i do about those ?, I still don’t know but u guys will give me an Idea pretty soon without even realizing it, and my IP is GHANA, the shit is not/was never encrypted, and it’s funny hw u guys WORK – pls delete my POST from the BLOG section and i also think u guys Instigated GOOGLE to manually review suspicious Domains but u’re FORGETTING ONE THING {{{{{{{{ There’s always Window’s Live. }}}}}}}}}} even though if has certain limitation.

BLESS U.
{and don’t say BLESS ME TOO WHEN READING THIS}
my site aaaa419.org (Artist against Artist Against 419 will soon be up and am not gonna cos some smalltime Rucus, NO: A real big time PROBLEM, First. Am gonna start by distributing my simple HTTP Server Clone and WINDOWS HOST FILE Replacer so most people can’t access aa419.org (Awful right ? )……..Boom! – and i was born in 1993(am a CHAIRMAN too, SMALL CHAIRMAN right ?)
Leave my domain ohhh: [redacted] ( UNKILLABLE )

So talkative! We love letters like this, since most of the contact we get from fake-makers is the angry-frothing kind. Of course his motivations are pure: he wants us to leave his sites alone, but he’ll gladly sell out his fellow guymen. Nice! But our “chairman” here is sadly misinformed. The Artists haven’t used the Mugu Marauder in over three years, and we don’t plan to bring it back, either. Why bother? We’ve already proven how effective a simple email notification can be, and most hosts respond very quickly, even the “stupid” ones. Checking our own records, Lime has a better than 90% rate of kills. And speaking of kills, the host of his UNKILLABLE domain has proven to be one of the fastest ones yet, and is on our “top cooperative hosts” for this month. Like us, they hate fraud, and want to see scammer scum like this wiped off the Internet completely.

But hey, no hard feelings! You keep sending us fraud domains, and we’ll keep sharing your genius with the world, OK? And when you get aaaa419.org or aaaaaaaaaaaaa419.org online, you can be sure we’ll take a look at it.

And laugh.

Do You Speak Scammer?

Posted by sandy_beech in fan mail on November 18th, 2010

As you might expect, the Artists get a lot of fan mail from the scammers that we shut down. All our work is in the open, and even those fake-makers with half a brain soon learn that search engines and our fake site database make their criminal lives very hard. We love hearing from them, especially the ones that are so frothing mad that they make no sense at all, so it’s a special day when we get a letter that’s written well (for a scammer.) We received some recently from someone who keeps somehow showing up in our database. As a service, we’ve provided a helpful translation for those of you who do not speak scam-artist:

Original:

I have a very important Situation with the aa419, For 5 months now i have been visiting aa419 and i am really interested in ur work, I am member to a couple of ScamBaiting sites and others.. my domain [redacted] which was hacked a while back was used for spamming by the notorious hackers who gained access to my box but i receovered it through the help of Google, I am a Nigerian by Nationality and i know that my country is basically the people being held responsible for the scams on the internet but NOT everyone here is a scammer.

Translation:

Oh my God! I just learned how to use Google and I found my email address in your database. Please believe my sad story, you are hurting my business.

Original:

You site seems very much like a scam too. Now the idea of using the activities of scammers to get money from unsuspecting victims is the new trend now. Many websites are coming up claiming to be fighting scams. but they are trying to make money from people too just like you. So i dont believe you. You site do not have a contact phone number should i want to call you or a physical address.

I will be blogging about this site being a scam and also will have some hackers get into your data base to mess it up and then have your site closed down just like you do.

You do not need to claim to fight scam, let the fight be done by individuals. Fake Scammer website. look out for that over the website. lets see who get to believe you again.

Translation:

Why don’t you answer my email? I want to call you and pretend to be the FBI and Notorious Hacker and Google to shut you down. I don’t know what to do. My chairman is angry because I told him his sites would be up and you closed them down in a day, you bastards. I hate you.

Original:

Please……….. You guys should @ least limit the average number of sites you kill daily, We scammers do know that we cannot get away with everything we do but try going to school when you’re from Nigeria and can’t even afford the tuition fees. For Christ sake’s you guys should get a real Job.

You’ll be hearing from me soon enough || I am now setting up a Forum aaa419.org, The Artist against Artist Against 419.org, Trust me – You’ll see whats coming soon, I think the last DOS attack didn’t affect you @ all.

and don’t worry about my IP, Its encrypted(hidden).

Your Scammer Friend,
[redacted](and why did you guys close my domain ?, Ohh i forgot – its a Catchall email which i used to register most of my domains… I see! – u guys are pretty GOOD but that wont stop me.
Bless You! – and if aa419 pays well .. i would like to leave the scamming and do some scam-hunting.. i got all the resources…Just asking cos you guys are making life harder as a scammer.

Translation:

This Internet cafe is very hot and expensive and these chairs are uncomfortable and I can only afford free domains and I do not have a nice car like my chairman. I thought I was smart by registering my fake sites with the same fake domain as my own fraudulent site. You have made me look like a fool and even the ugly girls call me a small boy. I will try to spread lies about you because that is all I have left.

You may want to ask the Romanians about their campaign to smear the good name of aa419. We’ve seen it before.

aa419 charges no money for our service, and pays nothing to the members: we are all volunteers, doing this for free on our own time. Sometimes it is a thankless job, but when we hear from people like you, it makes it all worthwhile.

Bless you too, Scammer Friend.

See No Evil, Hear No Evil, Do No Evil?

Posted by sandy_beech in 1 on October 7th, 2010

Google’s famous unofficial motto is “Don’t Be Evil,” and as a group that fights evil on the Internet, we like that. Google and the other search engines regularly index our site and our database, because if there’s one thing that defeats fraud, it’s exposure. Once a scam domain starts showing up in search results and browser warnings, the scammers have to find a new rock to crawl under. That’s why scammers hate us so much, and try to shut us down whenever they can. We’re shining a very bright light on them, and they hate it.

We’re so effective that now scammers aren’t even bothering to set up web sites, because we’ll just knock them right down. One of the newest slimy places for scammers to hide is the email-only domain. It makes their emails look legitimate, and the scammer can just send victims to the real web site if there are any questions. Of course, they will also give lots of excuses about transferring funds by Western Union or into a private bank account in China, or some other story. The hiding places may be different, but the lies are the same.

Sadly, for all its don’t-be-evil talk, Google is home to a lot of these email-only domains. We estimate over 1,000 active scam domains are sitting on Google’s servers right now: domains established with fake WHOIS details and using the brand names of legitimate companies. But Google doesn’t seem to be in any hurry to shut them down even when we supply them with copies of the fraudulent email with full headers. Even more frustrating is the fact that they don’t make it clear when they finally do shut down one of the domains. Even Microsoft is more responsive, and they clearly mark a closed domain so we know to stop alerting them.

Experienced Artists have made connections with Google, and for a while they were responsive, but now… nothing. Hey Google, you might want to check your email: you’ve got a scammer infestation problem. But don’t worry, the Artists are happy to help you root it out. And for everybody else: if you get a scammy email from a real-looking address, go ahead and post it with the full headers in our forums, after you edit out your name and email address. We’ll be happy to strap on the extra-bright headlamps and shine it on the roaches hiding there.

Answering your questions since 2004

Posted by suziecue in Uncategorized on March 20th, 2009

Another grateful member of the public…

thank you for watching out for us
good people who only try to do the right thing by not getting rip off

The first step to avoiding fraud is asking questions — does this deal sound too good to be true? If a little voice is telling you something might be wrong, pay attention! There’s nothing silly about checking into a company’s claims; it’s certainly easier than learning the truth only after you’ve lost money.

There are lots of ways to research online transactions or offers, including asking aa419 for advice. (Never just take the company’s word for it that they’ve been in business for twenty years and are the #1 trusted source online… find an independent source to verify!)